TCP Analyze Sequence Numbers

By default Wireshark and TShark will keep track of all TCP sessions and implement its own crude version of Sliding_Windows. This requires some extra state information and memory to be kept by the dissector but allows much better detection of interesting TCP events such as retransmissions. This allows much better and more accurate measurements of packet-loss and retransmissions than is available in any other protocol analyzer. (But it is still not perfect)

This feature should not impact too much on the run-time memory requirements of Wireshark but can be disabled if required.

When this feature is enabled the sliding window monitoring inside Wireshark will detect and trigger display of interesting events for TCP such as :

XXX add brief explanation to these events

These events will be prepended to the information column in the summary display to make them easy to spot. To make these events really stand out, add a coloring rule for "tcp.analysis.flags" with a red background and yellow text. These evens will also all result in a new synthetic expansion being created in the TCP protocol expansion containing information on why this TCP packet was interesting.

XXX add list of these expansion fields and their filter names

To disable this feature, go to the TCP preferences and uncheck the box for Analyze TCP sequence numbers. tcpanalyzesequencenumbers.png

Preference String

Analyze TCP sequence numbers.

TCP_Analyze_Sequence_Numbers (last edited 2011-05-10 14:07:06 by WenchaoWang)