This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to Display “Bound by PSH bit”?

0

Hi, a picture is worth a thousand words, so for explaining that the application is actually trying to steer TCP instead of leaving it to TCP, how can I: 1. graph or prove this phenomenon and 2. tell if it does a good job or not?

link:A brief explanation of Bound by Push Bit

All advice always highly appreciated!

regards, Marc

asked 15 Jun '11, 01:03

Marc

Hi, maybe I should clarify: I'm searching for a way to prove that it's the application that uses the TCP function push (the tcp.flags.push == 1) to get more control. I'm thinking of recognizing a pattern, any ideas?

(20 Jun '11, 06:00) Marc

One Answer:

1

You can easily see this by using the Stevens throughput graph. What you'll notice is clumps of transfers (sharp vertical slopes). At the end of the vertical jumps, you'll typically see the PSH bit in the packet. Another way to see it is to just watch how many bytes are being transferred from PSH to PSH bit. You can add the cumulative byte field as a column and use the "mark time reference" to see how many bytes are being transferred per push.

Many of my Sharkfest presentations cover this scenario. Google for "sharkfest 2009", then grab "AU-4, AU-5 (Bae) Protocol Analysis in a Complex Enterprise". Look at case III.

If this doesn't make sense, let me know and I'll post some pics of what I'm talking about.

Good luck.

hsb

answered 22 Jun '11, 18:55

hansangb

First off: thank you very much for the answer! Hansang,

Saw the presentation for Sharkfest 2009, had a look at the FTP trace file, worked out I had to look for sharp vertical slopes with a PSH bit at the end, made a column for cumulative bytes, scrolled through the trace looking for a pattern. I can see the rhythm in your trace [PSH,ACK],[ACK],[ACK],[ACK],[ACK],[PSH,ACK] but don't see it in mine as clearly yet...

I do need to zoom in quite a bit in the Stevens trace, right?

(25 Jun '11, 06:04) Marc

Yes, if you keep zooming in, you'll see the "banks" of packets that make up the sharp vertical track. If you want, you can use editcap to chop the packet to its header and email it to me. I can check it out for you.

(27 Jun '11, 14:11) hansangb

All right, I'll work it down to the headers and mail it to you, thanks!

(28 Jun '11, 04:01) Marc

Yup, I got it. I'll take a look.

(29 Jun '11, 16:38) hansangb

Hansang, did you see the trace?

(18 Jul '11, 23:57) Marc
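
The PSH-to-PSH byte count described in the answer above can also be done outside the GUI. The following is an added example, not part of the original thread: it assumes one TCP stream exported with tshark as comma-separated fields, and the file name `trace.pcap`, the function names and the sample rows are constructed for illustration.

```python
import csv, io
from collections import Counter, defaultdict

# Constructed sample, in the shape produced for one TCP stream by:
#   tshark -r trace.pcap -Y "tcp.stream==0" -T fields -E separator=, \
#     -e frame.time_relative -e ip.src -e tcp.len -e tcp.flags.push
# (trace.pcap is a placeholder name; the rows below are not from a real capture)
SAMPLE = """\
0.000,10.0.0.1,1460,0
0.001,10.0.0.1,1460,0
0.002,10.0.0.1,1176,1
0.050,10.0.0.2,0,0
0.051,10.0.0.1,1460,0
0.052,10.0.0.1,1460,0
0.053,10.0.0.1,1176,1
0.100,10.0.0.2,0,0
0.101,10.0.0.1,1460,False
0.102,10.0.0.1,1460,False
0.103,10.0.0.1,1176,True
0.150,10.0.0.1,1460,0
"""

def bursts_per_push(text):
    """Return {sender: [(start, end, segments, bytes), ...]} for PSH-delimited runs."""
    open_run = {}                      # sender -> [start, segments, bytes]
    done = defaultdict(list)
    for t, src, length, psh in csv.reader(io.StringIO(text)):
        t, length = float(t), int(length or 0)
        if length == 0:                # pure ACKs carry no data, skip them
            continue
        run = open_run.setdefault(src, [t, 0, 0])
        run[1] += 1
        run[2] += length
        if psh in ("1", "True"):       # tshark prints 1 or True depending on version
            done[src].append((run[0], t, run[1], run[2]))
            del open_run[src]
    return dict(done)                  # data after the last PSH is an incomplete run

def dominant_burst(bursts):
    """Most common bytes-per-push value and the share of bursts that have it."""
    sizes = Counter(b[3] for b in bursts)
    size, count = sizes.most_common(1)[0]
    return size, count / len(bursts)

if __name__ == "__main__":
    for sender, runs in bursts_per_push(SAMPLE).items():
        for start, end, segs, nbytes in runs:
            print(f"{sender} {start:.3f}-{end:.3f}s {segs} segs {nbytes} bytes")
        print(sender, "dominant burst:", dominant_burst(runs))
```

Each reported run corresponds to one of the "clumps" in the graph: the segments a sender emitted up to and including the one carrying PSH.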