Wireshark-dev: Re: [Wireshark-dev] Proposed changes to make tcp.ack and tcp.seq relative
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Thu, 7 May 2020 23:40:19 +0200
On Tue, May 05, 2020 at 10:42:24AM +0200, Jasper Bongertz wrote:

> > On a related note, to address one of the use cases that prompted for the
> > new field, I added expert info to mark connections where the server
> > accepted TCP Fast Open (TFO) data. Is that useful to have?
> 
> Yes, that's useful to have, absolutely.
> 
> Would it be possible to mark TFO connections when they were NOT accepted as
> well? That could be helpful, because right now I am not sure how I would find
> failed TFO connections (except looking for SYN/ACK packets that fail). Or is
> there an expert info that tells me that a connection used TFO and I can use the
> field existence of the "accepted" TFO to check for it's absence to find failed
> connections?
> Unfortunately I have no example pcap for that scenario, so maybe this
> functionality has to come as a later patch?

I could not find a trace, so I generated one. A sample capture plus the
commands to generate the trace can be found in
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16559

In a patch for this feature, I noticed that the last case (TFO data that
gets ignored) is reported as suspected retransmission. Technically that
is true, but it could be misleading the analyst into believing that
packet loss has occurred. What do you think?
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl