[tcpdump-workers] sack data format on unix

[Stephen Owen]

I have the impression that the tcp sack message format put out by tcpdump3.4
on Solaris 5.8 is not correct.

15:29:13.962717 trial.silverplatter.com.8595 > 192.80.71.156.1400: S
1317983401:1317983401(0) ack 2899829613 win 33580 <nop,nop,sackOK,mss 1460>
(DF)
15:29:13.962915 192.80.71.156.1400 > trial.silverplatter.com.8595: . ack 1
win 17520 (DF)
15:29:13.963963 192.80.71.156.1400 > trial.silverplatter.com.8595: P
1:507(506) ack 1 win 17520 (DF)
15:29:13.964416 trial.silverplatter.com.8595 > 192.80.71.156.1400: . ack 507
win 33580 (DF)
15:29:13.975470 trial.silverplatter.com.8595 > 192.80.71.156.1400: P
1:275(274) ack 507 win 33580 (DF)
15:29:13.975906 trial.silverplatter.com.8595 > 192.80.71.156.1400: .
275:1735(1460) ack 507 win 33580 (DF)
15:29:13.975943 trial.silverplatter.com.8595 > 192.80.71.156.1400: P
1735:3195(1460) ack 507 win 33580 (DF)
15:29:13.976443 192.80.71.156.1400 > trial.silverplatter.com.8595: . ack
1735 win 17520 (DF)
15:29:13.976458 trial.silverplatter.com.8595 > 192.80.71.156.1400: .
3195:4655(1460) ack 507 win 33580 (DF)
15:29:13.976492 trial.silverplatter.com.8595 > 192.80.71.156.1400: .
4655:6115(1460) ack 507 win 33580 (DF)
15:29:13.976522 trial.silverplatter.com.8595 > 192.80.71.156.1400: P
6115:7575(1460) ack 507 win 33580 (DF)
15:29:13.977101 192.80.71.156.1400 > trial.silverplatter.com.8595: . ack
4655 win 17520 (DF)
15:29:13.977134 trial.silverplatter.com.8595 > 192.80.71.156.1400: P
7575:8467(892) ack 507 win 33580 (DF)
15:29:13.977460 192.80.71.156.1400 > trial.silverplatter.com.8595: . ack
6115 win 17520 <nop,nop,sack
62016@20110  62908@20110> (DF)

Accordin to the tcpdump code (print-tcp.c) the sack message "62016 at 20110"
refers to "block-size at relative origin".  However 20110 is too high to be
a relative offset in the window, and strangely 62908 - 62016 = 892 which
corresponds to the 892 bytes received in the last message, which sack is
presumably acknowledging. Now, the 20110 appears first in the TCP header, so
it's as though the data data specifies left-edge-of-recvd-block and
right-edge-of-recvd-data-block, where the 20110 is the higher order part of
the address.  This seems to correspond to the original RFC 2018 data format.
Am I mistaken?



-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe