Hey I've read that wireshark had problems with the bytes in flight value, when retransmissions occur. This bug was fixed in version 1.4.1. Well, but I've got a trace, where the values does not seem to bee correct. The link to this .pcap file is: http://uploading.com/files/ce18d69a/bytes_in_flight_problem.pcap/ Thanks for your answer! Best regards, mario asked 06 Feb '12, 04:59  dranigl |
One Answer:
This is a bug. The retransmitted data in frame 12 spans more than the original transmitted segments (frames 4, 9 & 10 plus new data) and the ACK in frame 16 is only for part of the data in frame 12. The code that calculates the bytes in flight uses the whole of frame 12 in calculating the value, so in frame 17 is doing so from the sequence number 1359412875 up to the 'next' sequence number for frame 17 which is 1359414589 giving the displayed value (4589 - 2875 = 1714). The code works by keeping a linked list of unacked segments, but doesn't handle partially acked segments as in frame 12. Edit: Hopefully this is fixed in any rev later than 40929. answered 07 Feb '12, 16:34  grahamb ♦ edited 08 Feb '12, 04:50 |
It appears that the hosting service you have used for your capture is now demanding payment before I can download it.
Putting your capture on somewhere more accessible, e.g. CloudShark would be more helpful.
I have now uploaded the capture file to cloudshark, the link is
https://www.cloudshark.org/captures/01e4d4ac94cf
From what I see 1.6.5 has the same issue. I looked at the trace at the whole flow and cannot find a reason for that.
I could imagine, that wireshark has problems with that trace, because the way this 10.114.x.y machine sends out acknowledgements is totally different to every other TCP implementation I know especially by sending unneeded ACKs without any more incoming data to acknowledge. Maybe the bytes_in_flight algorithm simply does not expect such behaviour
Thank you for the answer. So do you think that this is a bug which should be posted at bugs.wireshark.org?