Re: Bug in Stаtistics→TCP Stream graphs

[chuck c <bubbasnmp () gmail com>]

Can you extend the capture length (snaplen) to capture the full headers?
In the capture file, frame.cap_len = 64 bytes.

The header lengths (in bytes) are ethernet (14) + VLAN (4) + IP (20) + TCP
(20 + options).
The TCP header lengths (tcp.hdr_len) in the capture are all 32 bytes.

14 + 4 + 20 + 32 = 70 bytes (sum all header lengths)

On Sat, Oct 2, 2021 at 10:24 AM Minaev Andrey via Wireshark-dev <
wireshark-dev () wireshark org> wrote:

> Version 3.4.8 (v3.4.8-0-g3e1ffae201b8)
>
> Copyright 1998-2021 Gerald Combs <gerald () wireshark org> and contributors.
> License GPLv2+: GNU GPL version 2 or later <
> https://www.gnu.org/licenses/gpl-2.0.html> This is free software; see the
> source for copying conditions. There is NO warranty; not even for
> MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
>
> Compiled (64-bit) with Qt 5.15.2, with libpcap, with GLib 2.52.3, with
> zlib 1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua 5.2.4, with
> GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos,
> with MaxMind DB resolver, with nghttp2 1.39.2, with brotli, with LZ4, with
> Zstandard, with Snappy, with libxml2 2.9.9, with QtMultimedia, with
> automatic updates using WinSparkle 0.5.7, with AirPcap, with SpeexDSP
> (using bundled resampler), with Minizip.
>
> Running on 64-bit Windows 10 (1709), build 16299, with Intel(R) Core(TM)
> i7-7700 CPU @ 3.60GHz (with SSE4.2), with 16247 MB of physical memory, with
> locale C, with light display mode, without HiDPI, with Npcap version 1.31,
> based on libpcap version 1.10.1-PRE-GIT, with GnuTLS 3.6.3, with Gcrypt
> 1.8.3, with brotli 1.0.2, with AirPcap 4.1.1 build 1800, binary plugins
> supported (21 loaded). Built using Microsoft Visual Studio 2019 (VC++
> 14.29, build 30040).
>
>
>
> Hello, I think I found a bug. When you open a traffic dump, the net.cap
> file, and try to look at the Statistics → TCP Stream graphs, the error
> "Selected packet isnt a TCP segment or is truncated" is displayed. But
> why a complete tcp packet is needed is not clear. For example, the "Round
> trip time" report is based on the time the packet was sent and the ACK
> received, and this does not require the entire packet. Some networking
> equipment allows only the packet headers to be dumped, without the payload,
> as shown in the traffic dump in the net.cap file.
> ------------------------------
> УВЕДОМЛЕНИЕ О КОНФИДЕНЦИАЛЬНОСТИ OZON: Настоящее письмо и приложенные к
> нему документы содержат конфиденциальную информацию и предназначены
> адресату письма. Если Вы не являетесь адресатом письма или получили его по
> ошибке, пожалуйста, сообщите об этом отправителю и удалите письмо и
> приложения к нему со всех ваших устройств. Копирование, пересылка или
> распространение письма и приложений к нему лицами, которым письмо не
> предназначалось, нарушают закон и строго запрещены. OZON CONFIDENTIALITY
> NOTICE: This email and any documents attached to it contain confidential
> information addressed to the intended recipient. If you are not the
> intended recipient or have received this email in error, please notify the
> sender and delete this email and all attachments hereto from all your
> devices. Copying, distribution or dissemination of this email and its
> attachments by any persons whom the email has not been intended to, are
> unlawful and strictly prohibited.
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> Archives:    https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe