Wireshark-bugs: [Wireshark-bugs] [Bug 10745] Wrong packet analysis observed after zero window pr
Date: Sun, 06 Sep 2015 19:54:30 +0000

changed bug 10745


What Removed Added
Status UNCONFIRMED IN_PROGRESS
See Also   https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8404, https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11506, https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6774
Ever confirmed   1

Comment # 2 on bug 10745 from
(In reply to Jasper Bongertz from comment #1)
> (In reply to dbk7 from comment #0)
> 
> Zero Window Probes can be performed in two ways:
> 
> 1. Sending the last already acknowledged byte

Wireshark doesn't recognize this case; This is a bug to be fixed

> 2. Sending the next byte after the last already acknowledged byte
> 
> in both cases, the Zero Window Probe ACK number must be the same as the ACK
> in the Zero Window packet. This is obvious, since the window is full and a
> new byte (as in 2.) cannot be accepted and must be discarded while sending
> back the ACK for the byte before. 
> 

For case 2, poking around the web a bit suggests that the receiver may accept
(consume) the "next byte" even though the window is full.
For example, see https://bugzilla.redhat.com/show_bug.cgi?id=537145

(I note that there are other traces which show this behavior.
E.G., See: Bug #8404: 2nd attached capture file: error.pcap)

Wireshark doesn't handle this case properly, either.

> In your trace, the receiver DOES acknowledge the new byte (which should be
> impossible, as it goes beyond the receive window), and my guess is that this
> breaks the Zero Window Probe / Zero Window Probe ACK detection code in
> Wireshark.

> You can also see "TCP ACKed unseen segment" messages that make no
> sense, because there's nothing missing - there is one byte too much instead.

I believe this is another Wireshark bug (since the byte was actually sent (and
seen) and accepted).

See Bug #8404: First attached capture


You are receiving this mail because:
  • You are watching all bug changes.