Tell me more about the Connection Dynamics tool
The Connection Dynamics display consists of the graphical display and a status bar that changes as you hover your mouse over a particular packet.
When no packet is under the mouse, the status bar displays the type of conversation in the display (TCP or UDP), the conversation’s duration (in seconds), and the packet count. Connection Dynamics uses the TCP or UDP sequence and acknowledgment numbers to determine each packet’s color and type.
Color codes and packet types
The packet square under the cursor will always be blue. When a packet is not under the cursor, the color of the packet squares and accompanying packet frame gives information about the packet. Packets are colored according to the following rules.
Blue – The selected packet.
Green (Dark) – One of these:
Default – Expected packet data.
SCTP SACK Gap ACK – Indicates that gap ACK blocks were found.
Magenta – Application.
Magenta (Dark) – Skipped packet (shortened to “Skip pkt”). Observer sees a sequence number that is higher than the expected acknowledgment. The expected acknowledgment is a value that Observer calculates; it is not a field carried in the packet itself. It is the packet’s sequence number plus its total data length.
Orange (Dark) – Keep alive packet. A keep alive packet is sent between stations to keep the TCP session open even though no actual data is being sent. This is very typical of an application that requires user input to continue, such as a Telnet session. Eventually the session may time out, but this is due to the application settings and not an issue within the network itself. Observer identifies a keep alive packet by seeing the sequence number go backwards by 1 from one packet to the next. If packet #1 had sequence number 938475892, packet #2 had sequence number 938475891, and packet #2 contained no data, packet #2 would be a keep alive packet. If packet #2 contained data, it would most likely be a resent packet, though you would rarely see a data packet carrying only one byte of data.
Red – One of these:
Retransmitted packet (shortened to “Retrans”). This is based on Observer seeing two packets with data having the same sequence number.
Reset. The RST flag is set and the conversation abruptly ended. It may have ended for any number of reasons, including the port not being open or the intended service not running. Reset packets may also be considered part of an RST attack.
Red (Dark) – Zero window. The Window Size within the TCP header indicates a size of 0. This means no data can be received by the device sending the Zero Window TCP packet. This halts communication until another packet indicates it has a window size above zero.
Red (Medium) – Out of order packet. An out of order packet is exactly what it sounds like: a packet whose sequence number indicates that packets arrived at the NIC out of sequence (for example 1, 3, 2, 4 instead of 1, 2, 3, 4).
Yellow – One of these:
Rerouted packet. Observer sees a duplicate packet, but the MAC addresses (source and/or destination, typically both) differ between the two copies. Routing a packet usually also changes the TTL in the IP header, but Observer ignores the TTL and pays attention only to the sequence numbers.
Warning packet. Observer sees a Re-ACK packet: one packet was sent acknowledging that data was received, then another packet was sent with the same acknowledgment number and no data, making it a duplicate of the previous packet.
SCTP SACK Dup TSN. Observer sees a duplicate TSN in the SACK chunk.
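As an added illustration (not Observer’s own code), the Python below applies the sequence and acknowledgment rules from the list above to a constructed one-direction TCP capture and labels each packet with the type Observer would show. The field names, the order in which the rules are tried, and the treatment of a gap-filling packet as out of order are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    seq: int           # TCP sequence number
    ack: int           # TCP acknowledgment number
    data_len: int      # bytes of TCP payload
    window: int        # advertised receive window
    rst: bool = False  # RST flag set
    src_mac: str = "aa:aa:aa:aa:aa:aa"  # constructed placeholder MAC

def classify(pkts):
    """Label each packet with the Connection Dynamics packet type it matches."""
    labels, prev = [], None
    seen_data_seq = {}   # seq -> source MAC of the first data packet at that seq
    expected_ack = None  # seq + data length of the furthest data packet so far
    for p in pkts:
        label = "Default"
        if p.rst:
            label = "Reset"
        elif p.window == 0:
            label = "Zero window"
        elif p.data_len > 0 and p.seq in seen_data_seq:
            # Data at a sequence number seen before: other MAC = rerouted, same MAC = retransmit
            label = "Rerouted" if seen_data_seq[p.seq] != p.src_mac else "Retrans"
        elif prev is not None and p.data_len == 0 and p.seq == prev.seq - 1:
            label = "Keep alive"        # sequence number stepped back by 1 with no data
        elif prev is not None and p.data_len == 0 and prev.data_len == 0 and p.ack == prev.ack:
            label = "Warning (Re-ACK)"  # same acknowledgment number repeated with no data
        elif expected_ack is not None and p.data_len > 0 and p.seq > expected_ack:
            label = "Skip pkt"          # data arrived beyond the expected acknowledgment
        elif expected_ack is not None and p.data_len > 0 and p.seq < expected_ack:
            label = "Out of order"      # fills a gap left by an earlier skipped packet
        if p.data_len > 0:
            seen_data_seq.setdefault(p.seq, p.src_mac)
            expected_ack = max(expected_ack or 0, p.seq + p.data_len)
        labels.append(label)
        prev = p
    return labels

# Constructed one-direction capture exercising each rule; initial sequence number 1000.
SAMPLE_PACKETS = [
    Pkt(1000, 1, 100, 65535),           # Default, expected ack becomes 1100
    Pkt(1000, 1, 100, 65535),           # Retrans: same sequence number carrying data again
    Pkt(1300, 1, 100, 65535),           # Skip pkt: 1300 is above the expected ack of 1100
    Pkt(1100, 1, 100, 65535),           # Out of order: fills the gap at 1100
    Pkt(1099, 1, 0, 65535),             # Keep alive: sequence number back by 1, no data
    Pkt(1099, 1, 0, 65535),             # Warning: same ack number re-sent with no data
    Pkt(1400, 1, 0, 0),                 # Zero window
    Pkt(1400, 1, 0, 65535, rst=True),   # Reset
    Pkt(1100, 1, 100, 65535, src_mac="cc:cc:cc:cc:cc:cc"),  # Rerouted: duplicate via another MAC
]
```

Calling `classify(SAMPLE_PACKETS)` returns one label per packet in capture order, matching the comments beside each constructed packet.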