Wireshark related tips, wireshark related

Source: Internet
Author: User

Packet size limited during capture: the marked packets were not captured in full. On some systems (older tcpdump releases in particular) only the first 96 bytes of each packet are saved by default. Use tcpdump's -s option to set the snapshot length: "-s 1500" saves up to 1500 bytes of each packet, and "-s 0" saves whole packets (it means the maximum snapshot length on older versions; current versions capture whole packets by default).

TCP Previous segment not captured: Wireshark saw a jump in the sequence numbers, so a segment before this one is missing from the capture. Either it was lost on the network or the capture tool dropped it. To tell the two apart, look at the ACKs coming back from the peer: if the peer acknowledges the bytes that are missing from the capture, the segment did arrive and the capture tool dropped it; otherwise it was really lost.

TCP ACKed unseen segment: this ACK acknowledges data that never appeared in the capture. In practice the data segment was usually dropped by the capture tool rather than on the network, so this marker can normally be ignored.

TCP Out-Of-Order: normally each segment's seq equals the previous segment's seq plus its length, so seq never decreases within one direction. When Wireshark sees a segment whose seq is smaller than the previous one, it marks it TCP Out-Of-Order. A small displacement is harmless; a large one makes the receiver send duplicate ACKs and can trigger a retransmission.

TCP Dup ACK: after reordering or loss, the receiver gets segments with a seq higher than the one it expects. For each such segment it sends another ACK carrying the expected seq, telling the sender which bytes it is still waiting for. These repeated ACKs are marked TCP Dup ACK.

TCP Fast Retransmission: when the sender receives three or more duplicate ACKs for the same seq, it concludes that the segment was lost and retransmits it immediately, without waiting for the retransmission timer. Wireshark marks that retransmitted segment TCP Fast Retransmission.

TCP Retransmission: if a segment is lost but no duplicate ACKs come back (for example when it was the last segment in flight, so nothing after it could provoke them), fast retransmission is never triggered and the sender has to wait for the retransmission timeout. The segment sent after the timeout is marked TCP Retransmission.

TCP ZeroWindow: the win field of a TCP packet is the receive window of the host that sent that packet, that is, how many more bytes it can accept. When win = 0, Wireshark adds TCP ZeroWindow: that host's receive buffer is full and it cannot accept any more data.

TCP Window Full: the sender has used up the window the peer advertised. If the peer declared win = 65535 and 65535 bytes are now in flight (sent but not yet acknowledged), the sender must stop sending until an ACK frees some of the window. Wireshark marks the segment that fills the window TCP Window Full.
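All of the markers above are heuristics that Wireshark derives from the seq, ack, length and window fields of the two directions of a stream, so they can be reproduced on a small example. The following Python is an added example, not Wireshark's own code and not part of the original page: it implements simplified versions of these rules (the 3 ms reordering window and the three-duplicate-ACK threshold are assumptions taken from Wireshark's documented heuristic and RFC 5681; the real packet-tcp.c applies more conditions and orders them differently) and runs them over a hand-constructed trace in which side A sends data and side B only acknowledges with a 400-byte window. It also performs the "check the peer's ACK" triage described above for Previous segment not captured.

```python
"""Simplified re-implementation of the Wireshark TCP expert-info heuristics above (added example,
not Wireshark's code: rules reduced from packet-tcp.c; the trace at the bottom is hand-constructed)."""
from collections import namedtuple
from dataclasses import dataclass, field
from typing import List, Optional

REORDER_WINDOW_MS = 3      # a gap-filler arriving this soon is reordering, not retransmission
FAST_RETRANS_DUP_ACKS = 3  # three duplicate ACKs trigger fast retransmit (RFC 5681)

# t = capture time in ms, src = 'A' or 'B', length = payload bytes, win = window src advertises
Packet = namedtuple('Packet', 't src seq ack length win')

@dataclass
class Side:
    next_seq: Optional[int] = None                  # highest seq+len seen from this side
    gaps: List[list] = field(default_factory=list)  # [start, end, created_at_ms, filled]
    last_ack: Optional[int] = None                  # ack number in this side's last packet
    max_ack: int = 0
    dup_acks: int = 0
    win: int = 0                                    # window this side last advertised

def analyze(packets):
    """Return one list of expert-info flags per packet, plus the final per-side state."""
    st = {'A': Side(), 'B': Side()}
    result = []
    for p in packets:
        me, peer = st[p.src], st['B' if p.src == 'A' else 'A']
        flags = []
        # ACK-side checks: the ack field refers to the peer's byte stream.
        if peer.next_seq is not None and p.ack > peer.next_seq:
            flags.append('ACKed unseen segment')   # acknowledges bytes the capture never saw
        if p.length == 0 and p.ack == me.last_ack and p.win == me.win:
            me.dup_acks += 1                       # same ack, same window, no payload
            flags.append('Dup ACK')
        elif p.ack != me.last_ack:
            me.dup_acks = 0                        # ack advanced: the dup-ACK run is over
        me.last_ack, me.win, me.max_ack = p.ack, p.win, max(me.max_ack, p.ack)
        if p.win == 0:
            flags.append('ZeroWindow')             # this side's receive buffer is full
        # Data-side checks: the seq field refers to this side's own byte stream.
        if p.length > 0:
            end = p.seq + p.length
            if me.next_seq is not None and p.seq > me.next_seq:
                flags.append('Previous segment not captured')
                me.gaps.append([me.next_seq, p.seq, p.t, False])
            elif me.next_seq is not None and p.seq < me.next_seq:
                gap = next((g for g in me.gaps if g[0] <= p.seq and end <= g[1]), None)
                if peer.dup_acks >= FAST_RETRANS_DUP_ACKS and p.seq == peer.last_ack:
                    flags.append('Fast Retransmission')  # sender reacted to the dup ACKs
                elif gap is not None and p.t - gap[2] <= REORDER_WINDOW_MS:
                    flags.append('Out-Of-Order')         # late arrival filling a fresh gap
                else:
                    flags.append('Retransmission')       # RTO expired, no dup ACKs
                if gap is not None:
                    gap[3] = True
            if me.next_seq is None or end > me.next_seq:
                me.next_seq = end
            # Window Full: bytes in flight reach the window the peer advertised.
            if peer.last_ack is not None and end - peer.last_ack >= peer.win:
                flags.append('Window Full')
        result.append(flags)
    return result, st

def gap_verdicts(st):
    """Triage for 'Previous segment not captured': a gap the peer ACKed but nothing in
    the capture ever filled means the bytes arrived and the capture tool dropped them."""
    verdicts = []
    for side in 'AB':
        peer = st['B' if side == 'A' else 'A']
        for start, end, _, filled in st[side].gaps:
            if filled:
                verdict = 'seen later: reordered or retransmitted on the network'
            elif peer.max_ack >= end:
                verdict = 'never seen but ACKed: dropped by the capture tool'
            else:
                verdict = 'undetermined: no ACK covering the gap yet'
            verdicts.append((side, start, end, verdict))
    return verdicts

# Constructed trace (t_ms, src, seq, ack, len, win): A sends, B only ACKs with a 400-byte window.
TRACE = [Packet(*r) for r in [
    (0, 'A', 1, 1, 100, 1000), (1, 'B', 1, 101, 0, 400), (2, 'A', 101, 1, 100, 1000),
    (3, 'A', 301, 1, 100, 1000), (4, 'B', 1, 201, 0, 400), (5, 'A', 201, 1, 100, 1000),  # 201 late by 2 ms
    (6, 'B', 1, 401, 0, 400), (7, 'A', 401, 1, 100, 1000), (8, 'A', 601, 1, 100, 1000),  # 501 lost
    (9, 'B', 1, 501, 0, 400), (10, 'A', 701, 1, 100, 1000), (11, 'B', 1, 501, 0, 400),
    (12, 'A', 801, 1, 100, 1000), (13, 'B', 1, 501, 0, 400), (14, 'B', 1, 501, 0, 400),  # 400 in flight, 3 dup ACKs
    (15, 'A', 501, 1, 100, 1000), (16, 'B', 1, 901, 0, 0), (200, 'B', 1, 901, 0, 400),    # fast retransmit, zero window
    (201, 'A', 901, 1, 100, 1000), (202, 'A', 1101, 1, 100, 1000), (203, 'B', 1, 1201, 0, 400),  # 1001 never seen, yet ACKed
    (204, 'A', 1201, 1, 100, 1000), (500, 'A', 1201, 1, 100, 1000), (501, 'B', 1, 1301, 0, 400),  # tail loss, RTO
    (502, 'B', 1, 1501, 0, 400),                                                            # ACKs data never captured
]]

if __name__ == '__main__':
    flags, state = analyze(TRACE)
    for p, f in zip(TRACE, flags):
        if f:
            print(f'{p.t:>4} ms {p.src} seq={p.seq:<5} ack={p.ack:<5} win={p.win:<4} {f}')
    for side, start, end, verdict in gap_verdicts(state):
        print(f'gap {side} {start}-{end}: {verdict}')
```

Running it prints only the flagged packets plus one verdict per gap. Two details worth noticing match the explanation above: the Window Full at 12 ms is a sender-side state (400 unacknowledged bytes against a 400-byte window) and appears on a data segment, not on an ACK, and the ACK at 200 ms is not counted as a Dup ACK even though its ack number repeats, because the advertised window changed; Wireshark applies the same condition, which is why a window update after a zero window does not show up as a duplicate.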
