Re: Accurate ECN support in tcpdump/libpcap

["Scheffenegger, Richard via tcpdump-workers" <tcpdump-workers () lists tcpdump org>]

> --- Begin Message ---
>
>
> From: "Scheffenegger, Richard" <Richard.Scheffenegger () netapp com>
>
> Date: Thu, 31 Aug 2023 15:37:26 +0000
>
>
>
> I've been using Tim Shepard xplot together with tcptrace (srtt plots) for years and I'm quite happy with it.
>
> Since xplot uses (modified) gnuplot language, I believe you meant to say that tcpdump2xplot was not updated?
> https://man.archlinux.org/man/tcpdump2xplot.1.en
>
> Since tcptrace uses libpcap, I don't see that particular thing as an issue, really; and when tcpdump2xplot was broken 
> before (but hardly ever used, since there are better workflows IMHO), is this really an issue.
>
> Implementing a full json dumper sounds like overkill to me - and those old tools don't parse json anyway...
>
>
> To reiterate: A number of other tools which have been improved to decode Accurate ECN (TCP header flags) from the full 
> set of 12 flag bits are already using a shorthand notation of "A" for the AE bit; and, if they decode tcp streams in a 
> stateful manner, decode the ACE field (comprised of the TCP header flags AE, CWR and ECE) into an octal / decimal 
> number 0..7.
>
> IMHO the main point to answer in this group is, if using "A" - like what packetdrill and wireshark are doing - would 
> confuse anyone to mistakenly think the "ACK" flag - typically abbreviated "." could be confused with the "AE" flag.
>
> I strongly believe that this is not the case, as the precedent with using "." for the ACK flag is in widespread use; 
> and people mistakenly thinking the "A" abbreviation stands for ACK would find out the misconception extremely rapidly 
> (and probably remember that much better than otherwise).
>
> Having tcpdump use a different abbreviation would IMHO much more likely contribute to confusion by people using a 
> diverse set of tools.
>
> And yes, I am very sorry to have dropped the ball on this with the tcpdump project approximately 2 years ago, when 
> updating the tooling was an area of very active development....
>
>
> Richard Scheffenegger
>
> -----Original Message-----
> From: Michael Richardson <mcr () sandelman ca>
>
> Scheffenegger, Richard <Richard.Scheffenegger () netapp com> wrote:
>     > Tcpdump - any every tool afterwards - has been using "." for ACKs.
>
> Hi, so there have been some tools which have parsed the tcpdump "TCP" output in the past, and there have been small 
> variations in the output, and often we've broken those tools.
> One such tool was Tim's https://man.archlinux.org/man/xplot.1.en which I think we broke and it never got quite fixed, 
> and I am forever sad.
>
> The best situation would be that you'd add a --tcp-json option and then dump TCP stuff in JSON, with a really long line 
> and minimal spaces.  That might be too much work... it's always that situation for small incremental changes.
>
> So I really don't have any good advice.
>
> --- End Message ---
_______________________________________________
tcpdump-workers mailing list -- tcpdump-workers () lists tcpdump org
To unsubscribe send an email to tcpdump-workers-leave () lists tcpdump org
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s