Wireshark mailing list archives
Question about "bytes in flight"
From: "Stefaan Pouseele" <stefaan.pouseele () skynet be>
Date: Thu, 1 Jul 2010 14:02:41 +0200
Hi, when examining the field "tcp.analysis.bytes_in_flight" in Wireshark Version 1.2.9 (SVN Rev 33171) it seems Wireshark doesn't always calculate the correct value. As an example the following two consecutive frames: Frame 91 (60 bytes on wire, 60 bytes captured) Ethernet II, Src: NokiaInt_a5:60:b0 (00:a0:8e:a5:60:b0), Dst: Cisco_bd:9b:8a (00:25:45:bd:9b:8a) Internet Protocol, Src: 193.75.143.194 (193.75.143.194), Dst: 85.91.172.251 (85.91.172.251) Transmission Control Protocol, Src Port: 22862 (22862), Dst Port: exapt-lmgr (3759), Seq: 1, Ack: 18981, Len: 0 Source port: 22862 (22862) Destination port: exapt-lmgr (3759) [Stream index: 3] Sequence number: 1 (relative sequence number) Acknowledgement number: 18981 (relative ack number) Header length: 20 bytes Flags: 0x10 (ACK) Window size: 64240 Checksum: 0x2ac9 [validation disabled] Frame 92 (1514 bytes on wire, 1514 bytes captured) Ethernet II, Src: Cisco_bd:9b:8a (00:25:45:bd:9b:8a), Dst: NokiaInt_a5:60:b0 (00:a0:8e:a5:60:b0) Internet Protocol, Src: 85.91.172.251 (85.91.172.251), Dst: 193.75.143.194 (193.75.143.194) Transmission Control Protocol, Src Port: exapt-lmgr (3759), Dst Port: 22862 (22862), Seq: 21901, Ack: 1, Len: 1460 Source port: exapt-lmgr (3759) Destination port: 22862 (22862) [Stream index: 3] Sequence number: 21901 (relative sequence number) [Next sequence number: 23361 (relative sequence number)] Acknowledgement number: 1 (relative ack number) Header length: 20 bytes Flags: 0x10 (ACK) Window size: 64240 Checksum: 0x2a1e [validation disabled] [SEQ/ACK analysis] [This is an ACK to the segment in frame: 91] [The RTT to ACK the segment was: 0.000121000 seconds] [Number of bytes in flight: 7300] Data (1460 bytes) To my knowledge the correct value for "Number of bytes in flight" should be 23361 - 18981 = 4380 in this case. That is "Next sequence number" from Frame 92 minus "Acknowledgement number" from frame 91. Is this an known issue or I'm missing something? Best Regards, Stefaan ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- Question about "bytes in flight" Stefaan Pouseele (Jul 01)
- Re: Question about "bytes in flight" Bill Meier (Jul 01)