Message-Id: <200112131629.fBDGTbq01971@picard.cs.ohiou.edu>
From: "Shawn Ostermann" <ostermann@cs.ohiou.edu>
Subject: Re: holes in a time-sequence Graph, segments missing
Date: Thu, 13 Dec 2001 11:29:37 -0500

> I see missing segments in the graphs generated by tcptrace.
> I'm using the following versions:
Here's what I see. When I look at the time sequence graph for the connection
>>>> KSH:picard> tcptrace -o2 65.dmp
>>>> 2: noc.rz.uni-ulm.de:64729 - www.rz.uni-ulm.de:80 (c2d) 561> 1204< (complete)
I see several holes. I concentrated on the hole in the sequence space
between 3641300000 and 3641500000. The graph shows several dozen
missing segments in that range. When I ask tcpdump to find those
packets:
>>>> KSH:picard> tcpdump -S -r 65.dmp dst port 64729 | egrep 3641[34]
>>>> 05:42:06.291252 www.rz.uni-ulm.de.80 > noc.rz.uni-ulm.de.64729: . 3641299403:3641300863(1460) ack 128974630 win 33580
>>>> 05:42:06.291456 www.rz.uni-ulm.de.80 > noc.rz.uni-ulm.de.64729: . 3641300863:3641302323(1460) ack 128974630 win 33580
>>>> 05:42:06.291523 www.rz.uni-ulm.de.80 > noc.rz.uni-ulm.de.64729: . 3641302323:3641303783(1460) ack 128974630 win 33580
>>>> 05:42:06.291668 www.rz.uni-ulm.de.80 > noc.rz.uni-ulm.de.64729: . 3641303783:3641305243(1460) ack 128974630 win 33580
>>>> 05:42:06.291757 www.rz.uni-ulm.de.80 > noc.rz.uni-ulm.de.64729: . 3641305243:3641306703(1460) ack 128974630 win 33580
>>>> 05:42:06.291862 www.rz.uni-ulm.de.80 > noc.rz.uni-ulm.de.64729: . 3641306703:3641308163(1460) ack 128974630 win 33580
>>>> 05:42:06.291976 www.rz.uni-ulm.de.80 > noc.rz.uni-ulm.de.64729: . 3641308163:3641309623(1460) ack 128974630 win 33580
>>>> 05:42:06.292201 www.rz.uni-ulm.de.80 > noc.rz.uni-ulm.de.64729: . 3641309623:3641311083(1460) ack 128974630 win 33580
>>>> 05:42:06.292629 www.rz.uni-ulm.de.80 > noc.rz.uni-ulm.de.64729: . 3641314003:3641315463(1460) ack 128974630 win 33580
>>>>> [ sdo - here's the hole ]
>>>> 05:42:06.306092 www.rz.uni-ulm.de.80 > noc.rz.uni-ulm.de.64729: . 3641474923:3641476383(1460) ack 128974630 win 33580
>>>> 05:42:06.306184 www.rz.uni-ulm.de.80 > noc.rz.uni-ulm.de.64729: . 3641476383:3641477843(1460) ack 128974630 win 33580
>>>> 05:42:06.306310 www.rz.uni-ulm.de.80 > noc.rz.uni-ulm.de.64729: . 3641477843:3641479303(1460) ack 128974630 win 33580
>>>> 05:42:06.306422 www.rz.uni-ulm.de.80 > noc.rz.uni-ulm.de.64729: . 3641479303:3641480763(1460) ack 128974630 win 33580
>>>> 05:42:06.307481 www.rz.uni-ulm.de.80 > noc.rz.uni-ulm.de.64729: . 3641491631:3641493091(1460) ack 128974630 win 33580
>>>> 05:42:06.307627 www.rz.uni-ulm.de.80 > noc.rz.uni-ulm.de.64729: . 3641493091:3641494551(1460) ack 128974630 win 33580
>>>> 05:42:06.307718 www.rz.uni-ulm.de.80 > noc.rz.uni-ulm.de.64729: . 3641494551:3641496011(1460) ack 128974630 win 33580
>>>> 05:42:06.307836 www.rz.uni-ulm.de.80 > noc.rz.uni-ulm.de.64729: . 3641496011:3641497471(1460) ack 128974630 win 33580
>>>> 05:42:06.307956 www.rz.uni-ulm.de.80 > noc.rz.uni-ulm.de.64729: . 3641497471:3641498931(1460) ack 128974630 win 33580
>>>> 05:42:06.308081 www.rz.uni-ulm.de.80 > noc.rz.uni-ulm.de.64729: . 3641498931:3641500391(1460) ack 128974630 win 33580
When I look at the file with Ethereal, I see exactly the same hole.
I'd assume, therefore, that it's not a software bug at all. Those
packets simply aren't in the dump file. That could happen for several
reasons:
1) The packets went over a different link for a while due to a routing
change (not likely because it didn't last long)
2) The machine grabbing the packets hiccuped (got busy doing something
else) and lost them
3) The snooping machine is just too slow (which is possible, the
packets appear to be coming very fast)
4) Any number of other hardware errors
In my experience, it's almost always #2. Make sure that the machine
that you're grabbing the packets on isn't busy doing anything else and
you should be able to get a better packet dump.
If I've missed something, please write back!
Shawn
-------------------------------------------------------------------------
Dr. Shawn Ostermann - Associate Professor - Ohio University
322B Stocker Center, Ohio University, Athens, Ohio 45701-2979
ostermann@cs.ohiou.edu -- FAX: (740)593-0007 -- Voice: (740)593-1234
http://ace.cs.ohiou.edu/~osterman http://irg.cs.ohiou.edu
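
Added example (not part of the original message and not tcptrace code): a script that finds the same holes directly from `tcpdump -S` text output, so that capture loss can be confirmed independently of the graphing tool. It assumes the older `first:last(len)` line format shown in the message and no 32-bit sequence wrap in the input; `find_holes` and `SAMPLE` are names chosen for this example.

```python
import re

# Sequence field as printed by `tcpdump -S` in the format quoted above:
# " 3641309623:3641311083(1460)" (assumption: older tcpdump text format).
SEG = re.compile(r"\s(\d+):(\d+)\((\d+)\)")

# Lines copied from the tcpdump output in the message above.
SAMPLE = """\
05:42:06.292201 www.rz.uni-ulm.de.80 > noc.rz.uni-ulm.de.64729: . 3641309623:3641311083(1460) ack 128974630 win 33580
05:42:06.292629 www.rz.uni-ulm.de.80 > noc.rz.uni-ulm.de.64729: . 3641314003:3641315463(1460) ack 128974630 win 33580
05:42:06.306092 www.rz.uni-ulm.de.80 > noc.rz.uni-ulm.de.64729: . 3641474923:3641476383(1460) ack 128974630 win 33580
05:42:06.306184 www.rz.uni-ulm.de.80 > noc.rz.uni-ulm.de.64729: . 3641476383:3641477843(1460) ack 128974630 win 33580
05:42:06.306310 www.rz.uni-ulm.de.80 > noc.rz.uni-ulm.de.64729: . 3641477843:3641479303(1460) ack 128974630 win 33580
05:42:06.306422 www.rz.uni-ulm.de.80 > noc.rz.uni-ulm.de.64729: . 3641479303:3641480763(1460) ack 128974630 win 33580
05:42:06.307481 www.rz.uni-ulm.de.80 > noc.rz.uni-ulm.de.64729: . 3641491631:3641493091(1460) ack 128974630 win 33580
""".splitlines()


def find_holes(lines, min_gap=1):
    """Return (start, end, nbytes) for sequence ranges no captured segment covers.

    Lines must all belong to one direction of one connection (filter with
    tcpdump first, as the message does with `dst port 64729`).
    """
    ranges = []
    for line in lines:
        m = SEG.search(line)
        if m and int(m.group(3)) > 0:          # skip pure ACKs (length 0)
            ranges.append((int(m.group(1)), int(m.group(2))))
    ranges.sort()                              # tolerate reordering in the dump

    holes, covered = [], None
    for start, end in ranges:
        if covered is not None and start - covered >= min_gap:
            holes.append((covered, start, start - covered))
        # max() keeps retransmitted or overlapping segments from shrinking coverage
        covered = end if covered is None else max(covered, end)
    return holes


if __name__ == "__main__":
    for start, end, nbytes in find_holes(SAMPLE):
        print(f"hole {start}..{end}  ({nbytes} bytes not in dump)")
```

A hole reported here only says the bytes are absent from the dump file; whether they were lost by the capture host or on the network has to be judged from the receiver's ACKs and any later retransmissions.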