This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do we start analyzing TCP Traffic.

0

Hi ,

I am often confused about how to start analyzing TCP traffic. I have a trace file attached. Can anyone guide me on how to start? I usually do Analyze > Expert Info Composite.

Here i See

  1. TCP Out of Order
  2. Previous Segment Lost
  3. Fast Retransmission (suspected)

So that is where I start... Now, IP 10.45.56.8 is at our end.

I am very thankful in advance for any guidance given.

http://www.cloudshark.org/captures/58ef6d4b5ad3

This question is marked "community wiki".

asked 19 Aug '12, 08:53


creative
6558
accept rate: 0%

edited 19 Aug '12, 09:26


One Answer:

0

You could start by filtering on "tcp.analysis.flags", which will show you packets that have some kind of expert message from Wireshark. With that you can get an overview of the type of TCP trouble you may have, because to be sure you'll have to verify them.

First step, if you have a lot of retransmissions and duplicate acks, would be to verify that they're not actually duplicates (meaning, they're either totally identical to a former packet, or the same packet but after routing). If you can rule out duplicates you then need to find out if the problems you see are really hurting your transmission. I usually do not care about a couple of retransmissions that create a delay of just a few milliseconds, but it is a totally different story if I see the communication being slowed down in the half second range (or more).

Another thing you should look at is the TCP window size. Make sure it stays large enough to not slow down the sender. The window size can tell you if a system is too slow when processing incoming data, so this is your best tool to prove that a system is slow, not the network.

answered 20 Aug '12, 00:55


Jasper ♦♦
23.8k551284
accept rate: 18%
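The triage steps in the answer above (rule out capture duplicates, judge retransmission delay, watch the advertised window), as an added example that is not part of the original thread. It runs over a constructed tab-separated dump in the shape of `tshark -T fields -e frame.number -e frame.time_relative -e ip.src -e ip.dst -e ip.id -e ip.ttl -e tcp.seq -e tcp.len -e tcp.window_size_value`; the rows, addresses and thresholds are made up for the demonstration.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "frame t src dst ip_id ttl seq length win")

# Constructed sample rows: frame 3 is a second copy of frame 2 captured after
# routing (same IP ID, TTL one lower), so it is a duplicate, not a resend;
# frame 5 carries frame 4's data again 0.6 s later with a fresh IP ID, which
# is a real retransmission. Frames 4 and 5 also advertise a tiny window.
SAMPLE = """\
1\t0.000\t10.45.56.8\t10.45.56.9\t0x1001\t64\t1\t1460\t65535
2\t0.010\t10.45.56.8\t10.45.56.9\t0x1002\t64\t1461\t1460\t65535
3\t0.011\t10.45.56.8\t10.45.56.9\t0x1002\t63\t1461\t1460\t65535
4\t0.020\t10.45.56.8\t10.45.56.9\t0x1003\t64\t2921\t1460\t1024
5\t0.620\t10.45.56.8\t10.45.56.9\t0x1004\t64\t2921\t1460\t0
"""

def parse(text):
    """Turn tshark-style field rows into Pkt tuples (ip.id kept as the hex string)."""
    rows = []
    for line in text.splitlines():
        f = line.split("\t")
        rows.append(Pkt(int(f[0]), float(f[1]), f[2], f[3], f[4], int(f[5]),
                        int(f[6]), int(f[7]), int(f[8])))
    return rows

def triage(pkts, slow_ms=500, small_win=2048):
    """Classify repeated segments as capture duplicates or real retransmissions
    and flag small advertised windows. Returns a list of (frame, verdict)."""
    seen = {}       # (src, dst, seq, len) -> first packet carrying that data
    findings = []
    for p in pkts:
        key = (p.src, p.dst, p.seq, p.length)
        if p.length and key in seen:
            first = seen[key]
            if p.ip_id == first.ip_id:      # same IP datagram captured twice
                findings.append((p.frame, "duplicate capture of frame %d" % first.frame))
            else:                           # new datagram, same data: a resend
                delay = (p.t - first.t) * 1000
                sev = "slow" if delay >= slow_ms else "minor"
                findings.append((p.frame, "%s retransmission, %.0f ms after frame %d"
                                 % (sev, delay, first.frame)))
        else:
            seen.setdefault(key, p)
        if p.win < small_win:               # receiver, not network, may be the limit
            findings.append((p.frame, "window %d advertised by %s" % (p.win, p.src)))
    return findings

if __name__ == "__main__":
    for frame, verdict in triage(parse(SAMPLE)):
        print(frame, verdict)
```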