
Tip of the Month

June 2001

Mysteries Revealed through TCP Sequence Numbers!

Following the TCP sequence numbers between two end stations can be very revealing when attempting to troubleshoot a conversation. The easiest way to do this is in the one-line-per-packet summary display of your analyzer. Before you try this, however, there are two steps you must take:

  1. filter on a pair of conversing IP addresses and the source and destination ports of that conversation; and
  2. set up your analyzer to show only the TCP layer summary of each packet.

Step #1 is necessary since an application (such as a Web browser) may be using more than one TCP connection at a time. In this case, you will need to analyze each connection independently. Step #2 is required since the summary display typically shows only the highest layer of the decode.

Step #1 can be accomplished by combining IP address and custom port filtering on your analyzer. If you have an analyzer such as AiroPeek or EtherPeek, this step is made extremely easy by right-clicking on a packet in the conversation and performing a "select related" filter. The analyzer then automatically does the complex packet filtering for you.

Step #2 is possible only on some analyzers, usually via filtering on TCP combined with a "show highest layer" type of operation. With EtherPeek/TokenPeek/AiroPeek, you can ask the analyzer to summarize up to a certain level by selecting all of the packets and then performing a Tools>Apply Plug-in (select IP Details) operation. Alternatively, you can disable all but IP Details from the Tools>Plug-Ins menu.

At this point, you can easily start to troubleshoot the conversation by walking through the sequence numbers of just one side. Sequence numbers are usually quite large, so you may want to pay attention to only the last 5 digits. As long as the numbers increment or stay the same (if the packet is a TCP acknowledgment packet with no data), the conversation should be progressing properly.

If the conversation is not progressing properly and you see retransmissions of previously sent packets (as indicated by the same sequence numbers in TCP packets containing data), you will want to investigate further. Many retransmissions may indicate dropped data packets at some point in the network or at the end station, or dropped acknowledgment packets on the way back. Determining which of these may be the cause of the retransmissions is directly related to where you place the analyzer on your network.

One situation that you usually do not want to see is a Window size of zero or a very small size. If you do see this, the receiver may be struggling to keep up with the send rate.

NOTE! When doing this analysis, keep in mind that virtually all TCP packets will have the acknowledgment bit set. Therefore, TCP acknowledgment-only packets are indicated by a TCP Length = 0 as calculated by the analyzer (the length is not a field inside the packet). If you really want to calculate the TCP payload length yourself, the formula is:

TCP payload length = IP length - IP header length - TCP header length.
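The walk described above, written out as an added example (not code from WildPackets or from any of the Peek products): it computes the payload length from the raw IPv4 and TCP header fields using the formula just given, then tags each segment of one side of a conversation as acknowledgment-only, data, a retransmission (data at a sequence number already covered), or zero-window. The capture is a constructed five-packet sample; checksums are left at zero because they play no part in a sequence-number walk.

```python
import struct

def build_segment(seq, ack, window, payload=b"", flags=0x10):
    """Build a minimal IPv4+TCP packet (no options, checksums left zero).
    Constructed sample input only, from 10.0.0.1:49152 to 10.0.0.2:80."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, seq, ack, 5 << 4, flags,
                      window, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp

def tcp_payload_len(pkt):
    """The tip's formula: IP length - IP header length - TCP header length."""
    ihl = (pkt[0] & 0x0F) * 4                    # IP header length in bytes
    ip_len = struct.unpack("!H", pkt[2:4])[0]    # IP total length
    doff = (pkt[ihl + 12] >> 4) * 4              # TCP data offset in bytes
    return ip_len - ihl - doff

def walk_sequence(pkts):
    """Tag each segment of one side, in capture order: ack-only, data,
    retransmission (data below the next expected sequence number), and
    zero-window when this side advertises a receive window of 0."""
    findings, next_seq = [], None
    for pkt in pkts:
        ihl = (pkt[0] & 0x0F) * 4
        seq = struct.unpack("!I", pkt[ihl + 4:ihl + 8])[0]
        window = struct.unpack("!H", pkt[ihl + 14:ihl + 16])[0]
        plen = tcp_payload_len(pkt)
        if plen == 0:
            tag = "ack-only"
        elif next_seq is not None and seq < next_seq:
            tag = "retransmission"
        else:
            tag = "data"
            next_seq = seq + plen
        if window == 0:
            tag += ",zero-window"
        findings.append((seq % 100000, plen, tag))  # last 5 digits, as in the tip
    return findings

# Constructed one-sided capture: request, bare ACK, 100 bytes of data,
# the same 100 bytes again (a retransmission), then a zero-window ACK.
SAMPLE = [
    build_segment(1000001000, 5000, 8192, b"GET / HTTP/1.0\r\n\r\n", flags=0x18),
    build_segment(1000001018, 5000, 8192),
    build_segment(1000001018, 5100, 8192, b"A" * 100, flags=0x18),
    build_segment(1000001018, 5100, 8192, b"A" * 100, flags=0x18),
    build_segment(1000001118, 5100, 0),
]
```

Running `walk_sequence(SAMPLE)` tags the fourth packet as a retransmission because its sequence number (...01018) is below the next expected value (...01118), and the last packet as ack-only with a zero window.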

FOR MORE SOLVED MYSTERIES, pick up a copy of the "Network Troubleshooting and Analysis" book, written by Scott Haugdahl, WildPackets' VP of Analysis Technology. To purchase your copy, or to read the raves, please follow the links from our home page at http://www.wildpackets.com.

-AND-

If you're interested in enhancing your packet analysis expertise, consider a WildPackets Academy training class:

WILDPACKETS ACADEMY COURSES

  • WP-100 Foundations Of Network Protocol Analysis
  • WP-101 Network Troubleshooting Methods Using EtherPeek
  • WP-102 Full-Duplex and Switched Ethernet Analysis
  • WP-103 TCP/IP Protocol Analysis Methods
  • WP-104 Advanced TCP/IP Protocol Analysis
  • WP-105 AppleTalk and Mac OS/X Network Analysis
  • WP-106 802.11 Wireless Network Analysis Using AiroPeek
  • WP-107 LAN/WAN Special Topics

For more information on WildPackets Academy, to download a course catalogue, to peruse the training schedule or register for any of our courses, please visit http://www.wildpackets.com/services/academy/overview.
