This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Retransmission on LAN

0

Hi All,

I am new to Wireshark. I ran a test on my LAN and got the result shown below:

******************************************************************************************
1 2013-03-20 03:55:50.803 172.17.3.41 172.17.3.61 TCP 66 51844 > ssh [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
2 2013-03-20 03:55:50.804 172.17.3.61 172.17.3.41 TCP 66 ssh > 51844 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=64
3 2013-03-20 03:55:50.804 172.17.3.41 172.17.3.61 TCP 54 51844 > ssh [ACK] Seq=1 Ack=1 Win=65536 Len=0
4 2013-03-20 03:55:50.871 172.17.3.61 172.17.3.41 SSH 75 Server Protocol: SSH-2.0-OpenSSH_5.3\r
5 2013-03-20 03:55:51.071 172.17.3.61 172.17.3.41 SSH 75 [TCP Retransmission] Encrypted response packet len=21
6 2013-03-20 03:55:51.072 172.17.3.41 172.17.3.61 TCP 66 51844 > ssh [ACK] Seq=1 Ack=22 Win=65536 Len=0 SLE=1 SRE=22
7 2013-03-20 03:55:54.564 172.17.3.41 172.17.3.61 TCP 54 51844 > ssh [FIN, ACK] Seq=1 Ack=22 Win=65536 Len=0
8 2013-03-20 03:55:54.565 172.17.3.61 172.17.3.41 TCP 60 ssh > 51844 [FIN, ACK] Seq=22 Ack=2 Win=14656 Len=0
9 2013-03-20 03:55:54.565 172.17.3.41 172.17.3.61 TCP 54 51844 > ssh [ACK] Seq=2 Ack=23 Win=65536 Len=0
***************************************************************************

As you can see in packet no. 5, there is a TCP Retransmission. Could I know why this happens and what the cause is? And if I am not wrong, the retransmission in packet no. 5 is for packet no. 4, isn't it?

Please advise.

Best Regards, Hadi

asked 19 Mar '13, 21:28


vazr84
accept rate: 0%

edited 20 Mar '13, 03:35


Jasper ♦♦


One Answer:

2

Looks like packet no. 5 is a retransmission of no. 4, since there is nothing else that it could be a retransmission of. The first three packets have 0 TCP payload bytes, and no. 5 has 21 bytes, so it needs to be a retransmission of no. 4.

The reason for the retransmission is probably that 172.17.3.61 didn't acknowledge the packet (either because it was lost, or because it was lazy), so 172.17.3.41 sent it again after 200 ms. The round trip time between the two IPs is about 1 ms, so there should have been an acknowledgment from 172.17.3.61 way faster than 200 ms, but there wasn't. Thus, retransmission.

answered 20 Mar '13, 03:43


Jasper ♦♦
accept rate: 18%
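
The timing reasoning in the answer above can be checked mechanically against the packet list from the question. The following is an added example, not part of the original question or answer: it parses frames 1-6, pairs the flagged retransmission with its original, and measures the handshake round trip, the retransmit gap, and the ACK that follows. Pairing by direction and frame length is an assumption made here because the summary lines for frames 4 and 5 do not show Seq values.

```python
import re
from datetime import datetime

# Frames 1-6 exactly as listed in the question (raw string keeps the literal \r).
TRACE = r"""
1 2013-03-20 03:55:50.803 172.17.3.41 172.17.3.61 TCP 66 51844 > ssh [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
2 2013-03-20 03:55:50.804 172.17.3.61 172.17.3.41 TCP 66 ssh > 51844 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=64
3 2013-03-20 03:55:50.804 172.17.3.41 172.17.3.61 TCP 54 51844 > ssh [ACK] Seq=1 Ack=1 Win=65536 Len=0
4 2013-03-20 03:55:50.871 172.17.3.61 172.17.3.41 SSH 75 Server Protocol: SSH-2.0-OpenSSH_5.3\r
5 2013-03-20 03:55:51.071 172.17.3.61 172.17.3.41 SSH 75 [TCP Retransmission] Encrypted response packet len=21
6 2013-03-20 03:55:51.072 172.17.3.41 172.17.3.61 TCP 66 51844 > ssh [ACK] Seq=1 Ack=22 Win=65536 Len=0 SLE=1 SRE=22
"""
LINE = re.compile(r"(\d+) (\S+ \S+) (\S+) (\S+) \S+ (\d+) (.*)")

def parse(trace):
    pkts = []
    for line in trace.strip().splitlines():
        no, ts, src, dst, length, info = LINE.match(line).groups()
        pkts.append({"no": int(no), "src": src, "dst": dst, "len": int(length),
                     "info": info, "t": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")})
    return pkts

def field(info, name):
    m = re.search(rf"\b{name}=(\d+)", info)
    return int(m.group(1)) if m else None

def ms(a, b):
    return round((b["t"] - a["t"]).total_seconds() * 1000)

def analyse(pkts):
    retx = next(p for p in pkts if "[TCP Retransmission]" in p["info"])
    key = lambda p: (p["src"], p["dst"], p["len"])
    # Assumption: Seq is not shown for frames 4-5, so the original is taken to be
    # the latest earlier frame in the same direction with the same frame length.
    orig = [p for p in pkts if p["no"] < retx["no"] and key(p) == key(retx)][-1]
    # First frame from the receiver after the retransmission carries the ACK.
    ack = next(p for p in pkts if p["no"] > retx["no"] and p["src"] == retx["dst"])
    sre, cum = field(ack["info"], "SRE"), field(ack["info"], "Ack")
    return {
        "original": orig["no"],
        "handshake_rtt_ms": ms(pkts[0], pkts[1]),   # SYN -> SYN/ACK
        "retransmit_gap_ms": ms(orig, retx),
        "ack_after_retx_ms": ms(retx, ack),
        # RFC 2883: a SACK block at or below the cumulative ACK reports a duplicate.
        "dsack": sre is not None and sre <= cum,
    }

if __name__ == "__main__":
    print(analyse(parse(TRACE)))
```

On this capture the ACK in frame 6 carries SLE=1 SRE=22 with Ack=22, a SACK block that sits at or below the cumulative ACK, which RFC 2883 defines as a D-SACK reporting that a duplicate segment was received.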