Re: tcptrace-bugs data extraction with missing tcp segments (silent failure)

From: Shawn Ostermann
Date: 02/27/04

Date: Fri, 27 Feb 2004 11:53:11 -0500

Well, it does tell you something, but not as a warning. Since it
happens so frequently, it didn't seem wise to generate hundreds of
warnings for it.

There's a 'missed data' column in the long output (-l) that tells you
how much data from segments wasn't seen.

There's also a 'truncated data' column that tells you how much data was
lost because the segments were truncated (short 'snap length').

I suppose that a final 'WARNING: some extracted files are incomplete'
message would be helpful, though.

Could somebody please put in a check when extracting data from packets
to ensure that ALL of the files extracted are complete, otherwise print
a warning message at the top (or bottom?)


mukesh agrawal wrote:

> I've got a capture file that has missing segments for some of the TCP
> connections.
> I ran "tcptrace -l -e <dumpfile> > <summary>" to extract the payload of
> the TCP sessions.
> In generating the TCP stream extracts, tcptrace filled in the
> missing data with NULLs. This is a reasonable implementation choice, but it
> would be nice if tcptrace emitted a warning in this case.
> (Before analyzing the data, I didn't know that the tcpdump was incomplete.
> So, when I looked at the extract file, I thought the application was
> sending corrupt data. It was only after looking at the long summary that I
> realized tcpdump must have missed some segments. Having a warning about
> the missing segments would have avoided the confusion.)
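
The completeness check discussed in this thread, as an added example that is not part of either message and is not tcptrace's own code: it rebuilds one direction of a stream with NUL fill, counts missed and truncated bytes separately, and returns the filler offsets so genuine application NULs can be told apart from padding. The `Segment` record, the non-negative relative offsets, and taking `stream_len` from the SYN/FIN sequence numbers are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Segment:            # hypothetical record, one per captured TCP data segment
    seq: int              # stream offset of the first payload byte (relative seq)
    wire_len: int         # payload length the sender put on the wire
    data: bytes           # payload bytes in the capture (shorter if snaplen cut it)

def gap_ranges(captured):
    """Return [start, end) offsets whose bytes are filler, not captured payload."""
    gaps, start = [], None
    for i, have in enumerate(captured):
        if not have and start is None:
            start = i
        elif have and start is not None:
            gaps.append((start, i))
            start = None
    if start is not None:
        gaps.append((start, len(captured)))
    return gaps

def reassemble(segments, stream_len):
    """Rebuild one direction of a stream, NUL-filling what the capture lacks."""
    buf = bytearray(stream_len)        # all NULs until real payload overwrites them
    covered = bytearray(stream_len)    # 1 = some captured segment spanned this byte
    captured = bytearray(stream_len)   # 1 = the byte's value is in the capture
    for s in segments:                 # order-independent; retransmits just overwrite
        wire_end = min(s.seq + s.wire_len, stream_len)
        cap_end = min(s.seq + len(s.data), wire_end)
        if wire_end > s.seq:
            covered[s.seq:wire_end] = b"\x01" * (wire_end - s.seq)
        if cap_end > s.seq:
            buf[s.seq:cap_end] = s.data[:cap_end - s.seq]
            captured[s.seq:cap_end] = b"\x01" * (cap_end - s.seq)
    missed = stream_len - sum(covered)         # segment never seen at all
    truncated = sum(covered) - sum(captured)   # segment seen, payload cut short
    warning = None
    if missed or truncated:
        warning = (f"WARNING: extracted stream is incomplete "
                   f"({missed} bytes missed, {truncated} bytes truncated)")
    return {"data": bytes(buf), "missed": missed, "truncated": truncated,
            "gaps": gap_ranges(captured), "warning": warning}

# Constructed sample: bytes 5-9 never captured, one segment truncated by snaplen,
# one segment carrying two genuine NUL bytes from the application.
SAMPLE = [Segment(15, 5, b"\x00\x00END"), Segment(0, 5, b"HELLO"), Segment(10, 5, b"WOR")]

if __name__ == "__main__":
    report = reassemble(SAMPLE, stream_len=20)
    print(report["warning"], report["gaps"])
```
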
