Wireshark mailing list archives
Re: How WIRESHARK confirm the TCP OUT-OF-ORDER packet!
From: Jasper Bongertz <jasper () packet-foo com>
Date: Mon, 15 Sep 2014 20:37:38 +0200
Hello Jeff,

Out-of-order is basically a packet that arrives just a little too late to be in-sequence, but is not a retransmission. It's the original packet, which somehow got rearranged on the way to the destination so that it arrives after a packet following it in sequence. WAN optimizers sometimes do this, squeezing in smaller packets that arrive earlier at the destination than the larger predecessors. It makes sense to call those packets out-of-order because they are not retransmissions (which would mean packet loss) to avoid misinterpretation.

To get to the original question: I have seen another case where a retransmission was labeled out-of-order. It probably has to do with the recent change of including iRTT to determine out-of-order vs. retransmission (new in 1.12), and that may need some fine tuning. I'm investigating already to see if there really is a problem and how we can improve the algorithm if there is.

Cheers,
Jasper

Monday, September 15, 2014, 7:19:34 PM, you wrote:
On 09/15/14 03:10, 李凌 wrote:

Hello, everyone! It is my pleasure to write here for you. I've got some problems with Wireshark: how does the software confirm whether a TCP packet is out-of-order or not? I captured a pcap file named 'example.pcap'; in this file No.507, No.508 and No.509 make me confused (because the pcap file is too large, more than 7MB, I have to export the relevant packets as plain text named No507-No509.txt):

    507 IP_ID:15689 TCP_SEQ:727452
    508 IP_ID:15690 TCP_SEQ:669373 ------ out of order
    509 IP_ID:15691 TCP_SEQ:670825 ------ TCP retransmission

Packet No.508 has an IP header ID of 15690, which is bigger than No.507's. This means the server sent packet No.508 after packet No.507, and Wireshark captured them the same way. So, as I know, No.508 may be a retransmission instead of an out-of-order packet. However, Wireshark tags an out-of-order flag on No.508, which makes me confused. Is there any rule I don't get? I found nothing on the Internet about this question; could you please help me?
Yeah, I have never really understood what "out of order" really means. In my mind a packet would either be a retransmission (something which should have come before the last packet we've seen) or it's ahead of the last packet we've seen (indicating we've missed one or more packets).
The idea behind "out of order" is, I believe, to indicate when something is too far "out of order" to be a retransmission or a simple hole in the sequence (i.e., a couple of missed packets). Here's the logic Wireshark uses to determine if a TCP segment is out of order:
    /* If the segment came relatively close since the segment with the highest
     * seen sequence number and it doesn't look like a retransmission
     * then it is an OUT-OF-ORDER segment.
     */
    t=(pinfo->fd->abs_ts.secs-tcpd->fwd->nextseqtime.secs)*1000000000;
    t=t+(pinfo->fd->abs_ts.nsecs)-tcpd->fwd->nextseqtime.nsecs;
    if( t < ooo_thres && tcpd->fwd->nextseq != seq + seglen ) {
        if(!tcpd->ta) {
            tcp_analyze_get_acked_struct(pinfo->fd->num, seq, ack, TRUE, tcpd);
        }
        tcpd->ta->flags|=TCP_A_OUT_OF_ORDER;
        goto finished_checking_retransmission_type;
    }
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
jasper () packet-foo com
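Added here as a worked example, not code from Wireshark or from anyone in this thread: a small Python model of the decision in the packet-tcp.c fragment quoted above, run over a constructed single-direction trace that reuses the sequence numbers of frames 507-509. All names (Segment, classify_stream, lt_seq), the fixed 3 ms threshold standing in for ooo_thres (the iRTT-based threshold Jasper mentions is not modelled), and the timestamps and segment lengths are assumptions.

```python
from dataclasses import dataclass

OOO_THRES_NS = 3_000_000  # assumed stand-in for ooo_thres: 3 ms in nanoseconds


def lt_seq(a, b):
    """Modulo-2^32 'a < b' for TCP sequence numbers (like Wireshark's LT_SEQ)."""
    return ((a - b) & 0xFFFFFFFF) >= 0x80000000


@dataclass
class Segment:
    ts_ns: int   # capture timestamp in nanoseconds (constructed)
    seq: int     # TCP sequence number of the first payload byte
    length: int  # payload bytes carried by the segment


def classify_stream(segments, ooo_thres=OOO_THRES_NS):
    """Label each data segment of one flow direction the way the quoted check does."""
    nextseq = None      # highest seq+len seen so far (tcpd->fwd->nextseq)
    nextseqtime = None  # timestamp of the segment that set it (fwd->nextseqtime)
    labels = []
    for s in segments:
        end = (s.seq + s.length) & 0xFFFFFFFF
        if nextseq is None or s.seq == nextseq:
            label = "in-order"
        elif lt_seq(s.seq, nextseq):
            # Sequence did not advance: out-of-order if it arrived shortly after
            # the highest segment and is not a repeat of that exact segment.
            t = s.ts_ns - nextseqtime
            if t < ooo_thres and nextseq != end:
                label = "out-of-order"
            else:
                label = "retransmission"
        else:
            # A hole: Wireshark reports "previous segment not captured" here.
            label = "previous-segment-not-captured"
        labels.append(label)
        if nextseq is None or lt_seq(nextseq, end):
            nextseq, nextseqtime = end, s.ts_ns  # only advances, never moves back
    return labels


# Constructed trace: seq numbers from frames 507-509, then two extra frames.
EXAMPLE_TRACE = [
    Segment(0, 727452, 1452),            # 507: sets nextseq = 728904
    Segment(1_000_000, 669373, 1452),    # 508: 1 ms later, below nextseq -> out-of-order
    Segment(250_000_000, 670825, 1452),  # 509: 250 ms later -> retransmission
    Segment(251_000_000, 728904, 1452),  # continues exactly at nextseq -> in-order
    Segment(252_000_000, 728904, 1452),  # same bytes again, 1 ms later -> retransmission
]

if __name__ == "__main__":
    print(list(zip([s.seq for s in EXAMPLE_TRACE], classify_stream(EXAMPLE_TRACE))))
```

The last two frames show the second clause of the condition: a quick repeat of exactly the highest segment is a retransmission even though it arrives well inside the threshold.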