Ethereal-dev: [Ethereal-dev] False [TCP Dup ACK] indicators

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: "Donnie Hale" <lists-ethereal@xxxxxxxxxxxxxx>
Date: Wed, 1 Dec 2004 19:37:29 -0500
In reviewing some captures today, Ethereal reported some packets as [TCP Dup
ACK ...]. When I see that, I generally think there's some kind of loss in
the environment. However, in looking more closely at the frames, we were
able to determine that these weren't indicators of loss but instead of the
receive window being opened after previously being shrunk. As I understand
it, this is legal TCP behavior - resending a just-sent ACK with a different
window size to indicate that the receiver's window readiness has changed.

Ethereal wasn't the only tool that saw things that way, though tcptrace
seems to have understood what these packets were.

Assuming our interpretation is correct, would there be a way to improve
Ethereal's handling of those kind of packets so that they don't look on the
surface like loss indicators?

Thanks,

Donnie