Re: tcptrace-bugs data extraction with missing tcp segments (silent failure)

From: Shawn Ostermann (sdo@picard.cs.ohiou.edu)
Date: 02/27/04

Date: Fri, 27 Feb 2004 11:53:11 -0500
Message-Id: <20040227165311.E5F7B107326@picard.cs.ohiou.edu>



Well, it does tell you something, but not as a warning. Since it
happens so frequently, it didn't seem wise to generate hundreds of
warnings for it.

There's a 'missed data' column in the long output (-l) that tells you
how much data from segments wasn't seen.

There's also a 'truncated data' column that tells you how much data was
lost because the segments were truncated (short 'snap length').

I suppose that a final 'WARNING: some extracted files are incomplete'
message would be helpful, though.

maintainers:
could somebody please put in a check when extracting data from packets
to ensure that ALL of the files extracted are complete, otherwise print
a warning message at the top (or bottom?)

--sdo

mukesh agrawal <mukesh@cs.cmu.edu> wrote:

>
> I've got a capture file that has missing segments for some of the TCP
> connections.
>
> I ran "tcptrace -l -e <dumpfile> > <summary>" to extract the payload of
> the TCP sessions.
>
> In generating the TCP stream extracts, tcptrace filled in the
> missing data with NULLs. This is a reasonable implementation choice, but it
> would be nice if tcptrace emitted a warning in this case.
>
> (Before analyzing the data, I didn't know that the tcpdump was incomplete.
> So, when I looked at the extract file, I thought the application was
> sending corrupt data. It was only after looking at the long summary that I
> realized tcpdump must have missed some segments. Having a warning about
> the missing segments would have avoided the confusion.)
>

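An added example, not part of the thread and not tcptrace's own code: a small Python check over the long (-l) output that flags every connection with a non-zero 'missed data' or 'truncated data' counter, i.e. the extracted files that would contain NUL-filled gaps, and prints the single summary warning requested above. The sample output and its column layout are constructed and assumed to match tcptrace's format.

```python
import re

# Constructed sample of "tcptrace -l" output, cut down to the lines this check
# reads; the exact column layout of real tcptrace output is an assumption here.
SAMPLE_LONG_OUTPUT = """\
TCP connection 1:
     missed data:             0           missed data:             0
     truncated data:          0  bytes    truncated data:          0  bytes
TCP connection 2:
     missed data:          1460           missed data:             0
     truncated data:          0  bytes    truncated data:          0  bytes
TCP connection 3:
     missed data:             0           missed data:             0
     truncated data:         96  bytes    truncated data:          0  bytes
"""

CONN_RE = re.compile(r"^TCP connection (\d+):")
# Each stats line carries two values: the a->b direction, then b->a.
MISSED_RE = re.compile(r"missed data:\s+(\d+)\s+missed data:\s+(\d+)")
TRUNC_RE = re.compile(r"truncated data:\s+(\d+)\s+bytes\s+truncated data:\s+(\d+)\s+bytes")

def incomplete_connections(long_output):
    """Map connection number -> (missed a->b, missed b->a, trunc a->b, trunc b->a)
    for every connection whose extracted (-e) stream would contain NUL-filled gaps."""
    stats = {}
    current = None
    for line in long_output.splitlines():
        m = CONN_RE.match(line)
        if m:
            current = int(m.group(1))
            stats[current] = [0, 0, 0, 0]
        elif current is not None:
            m = MISSED_RE.search(line)
            if m:
                stats[current][0:2] = [int(m.group(1)), int(m.group(2))]
            m = TRUNC_RE.search(line)
            if m:
                stats[current][2:4] = [int(m.group(1)), int(m.group(2))]
    # Any non-zero counter means the extracted file for that connection is incomplete.
    return {n: tuple(v) for n, v in stats.items() if any(v)}

def warn_if_incomplete(long_output):
    """Print the one summary warning the thread asks for; return the offending connections."""
    bad = incomplete_connections(long_output)
    if bad:
        print("WARNING: some extracted files are incomplete")
        for n, (ma, mb, ta, tb) in sorted(bad.items()):
            print(f"  connection {n}: missed {ma}/{mb} bytes, truncated {ta}/{tb} bytes")
    return bad
```

Run `warn_if_incomplete(open("summary").read())` on the summary file produced by `tcptrace -l -e` to see which extracted streams need to be treated as incomplete.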


This archive was generated by hypermail 2.1.7 : 02/27/04 EST