On Thu, Feb 27, 2003 at 02:01:30AM +0000, didier wrote: > It's retransmited frames 2828, 5034, 7050. Should be discarded, frame > 709 is ACKed, problem with keep alive?
Yeah, the TCP sequence is a bit bizarre there. If you turn on the "Analyze TCP sequence numbers" TCP preference, it reports 2828, 5034, and 7050 as retransmissions. Frame 709 is ACKed in frames 794 *and* 2829 *and* 5034 *and* 7051, according to "Analyze TCP sequence numbers"; the latter 3 are flagged as duplicate ACKs. Perhaps if that preference is enabled, the TCP dissector shouldn't supply retransmitted data to subdissectors and shouldn't use it for reassembly - it should just display the data as "Retransmitted data". (We could also add another option to do the checking without adding the SEQ/ACK analysis, but I'm not sure that'd be useful - the reason for an option is that we have to allocate a per-conversation data structure, and if, for example, we have a capture of a SYN flood, we could end up allocating a *lot* of memory - tcpdump, by default, allocates a data structure for each TCP connection it sees, so that it can display relative sequence numbers, and I seem to remember somebody complaining that it ran out of memory reading a SYN-flood capture - you'd use the "-S" flag, to make it print absolute sequence numbers, in that case.)
