How does Wireshark calculate Bytes in Flight (BIF)? Do the BIF also consider the SACK left-edge and right-edge values? I have an 19MB file that I would like to share, but do not see a way to attach the file to this post. Here is a general formula that I am using to determine BIF assuming with SACK:
BIF = (Value #1) + (Value #2) Are the above equations correct? Please correct any of the above equations as needed. asked 11 Feb '15, 13:15 Amato_C |
2 Answers:
At the point you mention, there are 9 packets missing, forming a data gap between #264 and #270. It would appear that these really were missing from the flow, because SACKs #283-#293 report that missing data. #308-#316 are the TCP retransmissions that fill that gap. According to the bug report, this is why Wireshark doesn't count them in the BIF calculation. There are also 5 packets missing between #274 and #275. However, these are selectively acknowledged, very soon after, by those same SACKs mentioned above. This capture is a treasure trove of interesting behaviour. There are also many examples of:
I guess that your capturing WiFi device is closer to the access point than your real receiver (since we see packets that the receiver doesn't - at both the radio and TCP/IP level). Your capture device also drops some real packets that the receiver does see. answered 02 Mar '17, 23:59 Philst edited 05 Mar '17, 18:05 @Philst = thank you for the detailed analysis. By showing the flow analysis in NetData, it has become evident the complexity of the capture goes beyond a miscalculation in Bytes-in-Flight. (06 Mar '17, 19:05) Amato_C |
As I understand the code, Wireshark sums up the TCP length of all unACKed frames by walking throuh a list of those unACKed frames (ual). File: packet-tcp.c
SLE and SRE are not considered. You can see it pretty good in a SACK sample capture with packet loss. Add a column for bytes in flight to see it (Frames #30 - #39). Regards answered 11 Feb ‘15, 15:38 Kurt Knochner ♦ Hi Kurt, Thank you for the code and example. It is clear now that SACK is not used to determine the Bytes-in-Flight (BIF) calculation. However, I am still seeing a problem with the BIF calculation with my Wireshark trace. Now I will perform the same analysis using the file at: https://drive.google.com/file/d/0B3IDBN3nIwLzeVViaXhUVkFjVGc/view?usp=sharing Please download and view the file: “Stitcher-Only-TCP-Traffic-Stream3.pcap” Let’s look at packets #293-#294: (Sequence # of sender) + (TCP Length of sender) - (ACK of receiver) = 211914 + 1448 - 174266 = 39096 However, packet #294 is reporting BIF = 26064 That is a difference of 39096 - 26064 = 13032 bytes or (13032/1448) = 9 packets Why such the large discrepancy? (12 Feb ‘15, 08:06) Amato_C Wireshark reporting incorrect bytes-in-flight values is a known issue. Please reference Bug ID #7703. (16 Feb ‘15, 07:08) Amato_C yep, looks like there is ‘room for improvement’ ;-) (16 Feb ‘15, 12:48) Kurt Knochner ♦ |
Put it on http://www.cloudshark.org, and sanitize it with TraceWrangler first if necessary.