The Ruby (anastm.rb) code sample contains the following function:

# attempt to 'discover MSS' by observing the SYN-ACK-ACK
def find_mss (hand2)
layer_tcp = hand2.FindLayer("TCP")
f_o = layer_tcp.FindField("MSS")
print "the mss is #{f_o.value}\n"
f_o.value.to_i
end

When I execute the script, I get:

in `find_mss': undefined method `value' for nil:NilClass (NoMethodError)

I tried this with an upper case “V” on “.value”, but I get the same error.

I printed the value of “f_o” and it comes out as empty.

I tried passing “mss”, “"Max Segment Size”, "Maximum Segment Size”, etc. into the FindField function…. Bu no luck.

If I remove the “.value”, then I get:
the mss is 0

But that is only because:
C:\ruby193>irb
irb(main):001:0> "".to_i
=> 0

Why am I not getting a value for “MSS” ?

Thanks,
Andy

Hi Andy,

The script assumes the 2nd packet in the TCP flow (stream) is the SYN-ACK packet. This packet contains the effective MSS.

If you look at the code line 556 we look for the 2nd packet in the stream, Item(1) to compute the MSS.




I suspect that your capture file is missing the SYN-ACK packet that is causing the script not to find the MSS TCP Option.


I've attached a sample file that works, observe how the 2nd packet has the MSS option!

Attached Packet Capture file USNF format www.unleashnetworks.com/lib/private/pcaps/tt.usnf

Thank you, Vivek.

I did some reading on the 3-way hand shaking, MSS, and Syn-Ack……

I did a test, and if I start the UnSniff capture before I start our application then the anastm.rb appears to work ok..
It then has the 2nd packet of the stream.

I had modified the code in the “find_mss” function to use 1460 as a default value if the “FindField” function did not find the “MSS” value.
With that, I had been starting the capture while our application was already up and running.

As a test I’ve opened some of those capture files with UnSniff, selected the Sessions tab, and then opened the stream(s) with the “TCP Congestion Analyzer” tool.
With that I can see the bandwith graphs ok.
From what I’ve read on your site, I think that tool was derived from the anastm.rb code.

How is with the “TCP Congestion Analyzer” tool working on these captures where anastm.rb does not?
Does the “TCP Congestion Analyzer” use a default if it can’t find the 2nd packet of the stream?
Is 1460 a safe default value to use? (I am primarily interested in bandwidth.)

Andy

If it is your internal network and you have knowledge of the link layers involved (ethernet/wireless/gige) than the MSS is unlikely to change for each connection. So if you've seen
1460 being used, its probably safe to assume that as a default.

The TCP Congestion Analyzer follows the exact same logic as the anastm.rb code (looks for advertised value in SYN-ACK). However unlike the ruby version it doesnt crash out, instead assumes a default of 1460 bytes.

Hope that helps,

THanks

It's difficult for me, but thank you. I love to read some informative posts. It develop my the different sides.
Usually I buy college papers online.