1

Wireshark's tcptrace time sequence graph shows a good deal of information, but I cannot find a document that spells out exactly what it all means. It's broadly similar to the original tcptrace except for the colour scheme and a few missing elements:

  • Blue I-beams indicate packets sent (cf. white and red arrows in tcptrace; Wireshark does not show retransmissions differently)
  • A green line indicating the calculated receive window (cf. a yellow line in tcptrace)
  • A brown line indicating the acked sequence number, with little ticks indicating a received ACK that didn't ack anything new (cf. a green line in tcptrace)
  • SACKs are shown as red or brown vertical lines (cf. purple lines in tcptrace)
  • Special packets (SYNs, FINs etc) are not shown specially.

Here is an example showing all of these features.

[Figure: example Wireshark tcptrace graph]

However, I cannot see any obvious difference between the red and brown SACKs; it seems that the highest SACK is coloured red and the lower ones are brown, but this doesn't seem to me to be something worth distinguishing with different colours so I think I am missing something. What is the real reason for the two different SACK colours?


1 Answer

1

Yes, it does seem to be simply that the first (highest-numbered) SACK range is plotted differently from the rest. From the source, noting in particular the branch on i == 0:

    // add SACK segments to sack, sack2, and selectable packet graph
    for (int i = 0; i < seg->num_sack_ranges; ++i) {
        double half = seg->sack_right_edge[i] - seg->sack_left_edge[i];
        half = half/2.0;
        double center = seg->sack_left_edge[i] - seq_offset_ + half;
        if (i == 0) {
            sack_time.append(ts);
            sack_center.append(center);
            sack_span.append(half);
            if (allow_sack_select) {
                pkt_time.append(ts);
                pkt_seqnums.append(center);
            }
        } else {
            sack2_time.append(ts);
            sack2_center.append(center);
            sack2_span.append(half);
        }
    }

Elsewhere in the same source file we see the sack2 data being plotted with a different colour from the sack data, tango_scarlet_red_6 vs tango_scarlet_red_4 respectively.
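
To see what ends up in each series for a given ACK, here is an added example (not Wireshark's code and not part of the answer) that parses the SACK option (TCP option kind 5) from raw option bytes and computes the same `center` and `half` values, flagging block 0 as the `sack` series and later blocks as `sack2`. The names `SackBar`, `be32`, `sack_bars` and `sample_options` are assumptions made for illustration, and the option bytes are constructed.

```cpp
// Added example (not Wireshark code): split the SACK blocks of one ACK into the
// two series the excerpt builds: block 0 -> "sack", blocks 1..n -> "sack2".
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical record: one vertical bar on the graph.
struct SackBar { double center; double half; bool first; };

// Read a 32-bit big-endian value from the option bytes.
static uint32_t be32(const uint8_t *p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) | (uint32_t(p[2]) << 8) | p[3];
}

// Walk the TCP options area and return one bar per SACK block (option kind 5).
// seq_offset plays the role of seq_offset_ in the excerpt (relative sequence base).
std::vector<SackBar> sack_bars(const std::vector<uint8_t> &opts, uint32_t seq_offset) {
    std::vector<SackBar> bars;
    size_t i = 0;
    while (i < opts.size()) {
        uint8_t kind = opts[i];
        if (kind == 0) break;              // End of option list
        if (kind == 1) { ++i; continue; }  // NOP padding is a single byte
        if (i + 1 >= opts.size()) break;   // truncated: no length byte
        uint8_t len = opts[i + 1];
        if (len < 2 || i + len > opts.size()) break;  // malformed length, stop parsing
        if (kind == 5 && (len - 2) % 8 == 0) {
            for (size_t off = i + 2; off + 8 <= i + len; off += 8) {
                uint32_t left = be32(&opts[off]);
                uint32_t right = be32(&opts[off + 4]);
                // Mirrors the excerpt's half/center computation; the unsigned
                // 32-bit subtraction here also copes with sequence wrap.
                double half = double(uint32_t(right - left)) / 2.0;
                double center = double(uint32_t(left - seq_offset)) + half;
                bars.push_back({center, half, bars.empty()});
            }
        }
        i += len;
    }
    return bars;
}

// Constructed sample: NOP, NOP, then a SACK option carrying two blocks,
// 5000-6000 first and 3000-4000 second.
std::vector<uint8_t> sample_options() {
    return {1, 1, 5, 18,
            0x00, 0x00, 0x13, 0x88, 0x00, 0x00, 0x17, 0x70,
            0x00, 0x00, 0x0B, 0xB8, 0x00, 0x00, 0x0F, 0xA0};
}
```

RFC 2018 requires the first SACK block to cover the segment that triggered the ACK, so the block-0 series marks the most recently received out-of-order data and the remaining blocks repeat earlier reports.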
