gd_tcflag postdissector plugin
Lua
.gitignore
LICENSE
README.md
WHATSNEW.md
Wireshark.png
gd_tcflag.lua

README.md

gd_tcflag Wireshark Lua (wslua) post-dissector plug-in

A Wireshark Lua post-dissector for quick analysis of TCP conversation performance.
It lets display filters select complete TCP streams that at some point contained a Syn, Syn+Ack, Fin, Rst, payload, retransmissions, a zero window, etc., and filter on the stream's total duration, number of frames and payload bytes.
The reverse also holds: by examining any single frame it is possible to see whether the corresponding TCP stream contained a Syn, Syn+Ack, Fin, Rst, payload, retransmissions, a zero window, etc., how long the conversation lasted, and how many frames and payload bytes were seen from each endpoint.
Each conversation endpoint, A and B, is tracked individually. Which side is A and which is B is decided as follows:
  • If one TCP port is numerically less than the other, the lesser port is A and the greater port is B
  • If the port values are identical, A is the endpoint with the numerically lesser IP address

The post-dissector creates its own section with three subsections.

Protocol flags subsection, gd_tcflag.tcbm

Composed of the following boolean flags:

  • gd_tcflag.tcbm.Syn : either gd_tcflag.tcbm.SynA or gd_tcflag.tcbm.SynB
    [1] gd_tcflag.tcbm.SynA : peer A sent flag Syn
    [2] gd_tcflag.tcbm.SynB : peer B sent flag Syn
  • gd_tcflag.tcbm.SnA : either gd_tcflag.tcbm.SnAA or gd_tcflag.tcbm.SnAB
    [4] gd_tcflag.tcbm.SnAA : peer A sent flags Syn+Ack
    [8] gd_tcflag.tcbm.SnAB : peer B sent flags Syn+Ack
  • gd_tcflag.tcbm.Ack : either gd_tcflag.tcbm.AckA or gd_tcflag.tcbm.AckB
    [16] gd_tcflag.tcbm.AckA : peer A sent flag Ack (with no data payload)
    [32] gd_tcflag.tcbm.AckB : peer B sent flag Ack (with no data payload)
  • gd_tcflag.tcbm.Dat : either gd_tcflag.tcbm.DatA or gd_tcflag.tcbm.DatB
    [64] gd_tcflag.tcbm.DatA : peer A sent a TCP segment containing data payload
    [128] gd_tcflag.tcbm.DatB : peer B sent a TCP segment containing data payload
  • gd_tcflag.tcbm.MTUgt1500 : either gd_tcflag.tcbm.MTUgt1500A or gd_tcflag.tcbm.MTUgt1500B
    [256] gd_tcflag.tcbm.MTUgt1500A : peer A sent an IP packet longer than 1500 B
    [512] gd_tcflag.tcbm.MTUgt1500B : peer B sent an IP packet longer than 1500 B
  • gd_tcflag.tcbm.fragment : either gd_tcflag.tcbm.fragmentA or gd_tcflag.tcbm.fragmentB
    [1024] gd_tcflag.tcbm.fragmentA : peer A sent an IP packet with the MF (more fragments) flag set
    [2048] gd_tcflag.tcbm.fragmentB : peer B sent an IP packet with the MF (more fragments) flag set
  • gd_tcflag.tcbm.Fin : either gd_tcflag.tcbm.FinA or gd_tcflag.tcbm.FinB
    [4096] gd_tcflag.tcbm.FinA : peer A sent flag Fin
    [8192] gd_tcflag.tcbm.FinB : peer B sent flag Fin
  • gd_tcflag.tcbm.Rst : either gd_tcflag.tcbm.RstA or gd_tcflag.tcbm.RstB
    [16384] gd_tcflag.tcbm.RstA : peer A sent flag Rst
    [32768] gd_tcflag.tcbm.RstB : peer B sent flag Rst
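The bit values above make gd_tcflag.tcbm easy to post-process outside Wireshark. The following Python is an added example, not code from the plug-in or its README: it decodes tcbm values from tshark field output and gives each stream a coarse verdict (half-open, refused, closed with FIN, and so on). It assumes that tshark exports gd_tcflag.tcbm as an integer equal to the sum of the bit values listed above, and that the input was produced with something like `tshark -2 -r trace.pcap -X lua_script:gd_tcflag.lua -T fields -e tcp.stream -e gd_tcflag.tcbm`. Because with tshark the value accumulates over the life of the stream (see Known limitations below), the script keeps only the last value seen per tcp.stream. The sample lines are constructed, not captured, and the verdict labels are the example's own.

```python
"""Decode gd_tcflag.tcbm bitmaps from tshark field output and classify TCP streams."""

# Bit values of gd_tcflag.tcbm as documented (A = lesser port, or lesser IP on a tie).
TCBM_BITS = {
    "SynA": 1, "SynB": 2,
    "SnAA": 4, "SnAB": 8,
    "AckA": 16, "AckB": 32,
    "DatA": 64, "DatB": 128,
    "MTUgt1500A": 256, "MTUgt1500B": 512,
    "fragmentA": 1024, "fragmentB": 2048,
    "FinA": 4096, "FinB": 8192,
    "RstA": 16384, "RstB": 32768,
}

# Constructed sample of `tshark -2 ... -T fields -e tcp.stream -e gd_tcflag.tcbm`
# output, one line per frame (assumed decimal integers). The value grows as each
# stream progresses, so only the last line of a stream carries the complete record.
SAMPLE_TSHARK_OUTPUT = """\
0\t1
0\t9
0\t25
0\t217
1\t1
0\t12505
1\t32769
2\t1
3\t192
"""


def decode_tcbm(value):
    """Return the set of gd_tcflag.tcbm flag names whose bit is set in value."""
    return {name for name, bit in TCBM_BITS.items() if value & bit}


def either(flags, name):
    """True if peer A or peer B raised the flag (the gd_tcflag.tcbm.<name> summary bit)."""
    return name + "A" in flags or name + "B" in flags


def classify(flags):
    """Coarse verdict for a stream from its decoded flag set (labels are this example's own)."""
    syn, synack = either(flags, "Syn"), either(flags, "SnA")
    data, fin, rst = either(flags, "Dat"), either(flags, "Fin"), either(flags, "Rst")
    if not syn:
        return "mid-stream (no SYN captured)"
    if not synack:
        return "connection refused (SYN answered by RST)" if rst else "half-open (SYN never answered)"
    if not data:
        return "handshake only, no payload"
    if fin:
        return "data exchanged, closed with FIN"
    if rst:
        return "data exchanged, torn down by RST"
    return "data exchanged, still open at end of capture"


def summarise_streams(tshark_output):
    """Keep the last tcbm per tcp.stream (tshark -2 accumulates) and classify each stream."""
    last = {}
    for line in tshark_output.splitlines():
        parts = line.split("\t")
        if len(parts) != 2 or not parts[1].strip():
            continue  # non-TCP frame, or a frame the plug-in did not annotate
        last[int(parts[0])] = int(parts[1], 0)  # base 0 also accepts 0x-prefixed output
    return {s: (sorted(decode_tcbm(v)), classify(decode_tcbm(v))) for s, v in last.items()}


if __name__ == "__main__":
    for stream, (flags, verdict) in sorted(summarise_streams(SAMPLE_TSHARK_OUTPUT).items()):
        print(f"tcp.stream {stream}: {verdict}  [{', '.join(flags)}]")
```

In the Wireshark GUI the same questions are answered directly with display filters on the boolean sub-fields, for example `gd_tcflag.tcbm.Syn && !gd_tcflag.tcbm.SnA` for streams whose handshake never completed; the script above is for the tshark pipeline, where the per-frame value is only complete on the stream's last segment.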

Protocol analysis counters subsection, gd_tcflag.tcanflcn

TCP payload gone missing

  • gd_tcflag.tcanflcn.ooo : Number of frames flagged with tcp.analysis.out_of_order
  • gd_tcflag.tcanflcn.rtr : Number of frames flagged with tcp.analysis.retransmission
  • gd_tcflag.tcanflcn.frtr : Number of frames flagged with tcp.analysis.fast_retransmission
  • gd_tcflag.tcanflcn.srtr : Number of frames flagged with tcp.analysis.spurious_retransmission
  • gd_tcflag.tcanflcn.dack : Number of frames flagged with tcp.analysis.duplicate_ack_num
  • gd_tcflag.tcanflcn.losg : Number of frames flagged with tcp.analysis.lost_segment

TCP window flow control

  • gd_tcflag.tcanflcn.wful : Number of frames flagged with tcp.analysis.window_full
  • gd_tcflag.tcanflcn.wupd : Number of frames flagged with tcp.analysis.window_update
  • gd_tcflag.tcanflcn.zwin : Number of frames flagged with tcp.analysis.zero_window
  • gd_tcflag.tcanflcn.zwp : Number of frames flagged with tcp.analysis.zero_window_probe
  • gd_tcflag.tcanflcn.zwpa : Number of frames flagged with tcp.analysis.zero_window_probe_ack

TCP keep-alive

  • gd_tcflag.tcanflcn.ka : Number of frames flagged with tcp.analysis.keep_alive
  • gd_tcflag.tcanflcn.kaa : Number of frames flagged with tcp.analysis.keep_alive_ack

Miscellaneous

  • gd_tcflag.tcanflcn.rusp : Number of frames flagged with tcp.analysis.reused_ports

Protocol statistics counters subsection, gd_tcflag.tcstatfl

  • gd_tcflag.tcstatfl.duration : TCP stream duration
  • gd_tcflag.tcstatfl.begin : First frame of the TCP stream
  • gd_tcflag.tcstatfl.end : Last frame of the TCP stream

  • gd_tcflag.tcstatfl.framcount : Total number of frames
    • gd_tcflag.tcstatfl.framcount_A : Number of frames received from A
    • gd_tcflag.tcstatfl.framcount_B : Number of frames received from B

  • gd_tcflag.tcstatfl.bytecount : Total number of payload bytes
    • gd_tcflag.tcstatfl.bytecount_A : Number of payload bytes received from A
    • gd_tcflag.tcstatfl.bytecount_B : Number of payload bytes received from B
    • gd_tcflag.tcstatfl.byteratio : Ratio of payload bytes in dB (logarithmic, between 0 and 100)
      • If the actual ratio is higher, it is still capped at 100 dB
      • Values close to 0 dB mean that each endpoint sent approximately the same number of payload bytes
      • By the nature of the scale, each 3 dB corresponds to approximately a factor of two; each 10 dB represents an order of magnitude of difference
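To make the dB scale concrete, here is an added Python example (not the plug-in's own code) that computes a payload-byte ratio the way the field is described, with the 100 dB cap, and converts a filter threshold back to a linear factor. It assumes the field is the unsigned ratio of the larger byte count to the smaller (the README gives its range as 0 to 100 dB); how the plug-in itself treats a stream with zero payload bytes on one side is not documented, so the handling of that edge case here is the example's own choice.

```python
"""Worked example of the gd_tcflag.tcstatfl.byteratio dB scale (added here; not the plug-in's code)."""
import math

BYTERATIO_CAP_DB = 100.0  # documented cap of gd_tcflag.tcstatfl.byteratio


def byteratio_db(bytes_a, bytes_b):
    """Payload asymmetry in dB: 10*log10(larger/smaller), capped at 100 dB.

    Assumption of this example: the ratio is unsigned (larger over smaller), matching the
    documented 0..100 range. Zero-byte handling is this example's choice: a fully one-sided
    transfer is reported at the cap, and no payload at all as 0 dB.
    """
    if bytes_a == 0 and bytes_b == 0:
        return 0.0
    if bytes_a == 0 or bytes_b == 0:
        return BYTERATIO_CAP_DB
    big, small = max(bytes_a, bytes_b), min(bytes_a, bytes_b)
    return min(BYTERATIO_CAP_DB, 10.0 * math.log10(big / small))


def db_to_factor(db):
    """Inverse of the scale: the linear ratio that a display-filter threshold in dB corresponds to."""
    return 10.0 ** (db / 10.0)


def scale_table():
    """(factor, dB) pairs illustrating the rules of thumb: 3 dB is about 2x, 10 dB is exactly 10x."""
    return [(f, round(byteratio_db(f * 1000, 1000), 2)) for f in (1, 2, 4, 10, 100, 1000)]


if __name__ == "__main__":
    for factor, db in scale_table():
        print(f"{factor:>5}x  -> {db:6.2f} dB")
    # A filter such as gd_tcflag.tcstatfl.byteratio > 20 selects streams at least this lopsided:
    print(f"20 dB threshold = {db_to_factor(20):.0f}x asymmetry")
```

The inverse is the useful direction when writing filters: `gd_tcflag.tcstatfl.byteratio > 20` picks out streams where one side sent more than a hundred times the payload of the other, which is the shape of a bulk download, an upload, or an exfiltration channel rather than an interactive session.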

Known limitations

Believed fundamental to the architecture of the host code

  • TCP stream numbering. Whether a frame belongs to an existing TCP stream or starts a new one is decided by the TCP protocol dissector, not by this plug-in
  • The Wireshark GUI revisits frames out of order during its second pass over the loaded trace and displays the packets as updated by those revisits, while tshark (CLI) performs the second pass (which must be enabled explicitly with option -2) linearly, front to back. As a result:
    • In the GUI, gd_tcflag values always cover the complete TCP stream, so it is immediately possible to see whether the stream contained any Syn, data payload, Fin or Rst by looking at any arbitrary TCP segment of the stream
    • In the CLI, gd_tcflag values accumulate over the lifetime of the TCP stream, registering new events as they are seen; only the last TCP segment of the stream is guaranteed to carry the complete record