This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi guys, I just want to ask you what information Wireshark needs to check before it recognizes that a packet is a retransmission packet. If it does this based on the IP Identification and Transport Layer Checksum values, Wireshark needs to compare the retransmission packet's data to the previous packet's data, does it not?

asked 18 Jun '13, 08:41

quang20082008
It compares the sequence numbers to what it has determined to be the next expected sequence number from the last packet of the conversation in the same direction, by packet order (not by timestamp). It does not care about checksum or IP ID.

answered 18 Jun '13, 08:52

Jasper ♦♦

Hi Jasper, if Wireshark finds that it is a retransmitted packet, is there any blocking for ACK packets with the same sequence number, or will Wireshark drop the packets with the same sequence number?

(25 Jun '13, 05:56) sachi
1

Wireshark does not drop or block packets, especially not based on sequence numbers. And careful about ACK packets: their sequence number has nothing to do with the acknowledge number. Wireshark will show/decode any packet that was captured, no matter what the sequence/acknowledge numbers are.

(25 Jun '13, 06:02) Jasper ♦♦

So, could it happen that it qualifies the packet as TCP Retransmission even though the MAC source and destination are different? This is what is happening in one of my clients' networks, and I just find something to point my finger at...

(19 Mar '15, 07:28) SNArchsCOM

Yes. The TCP dissector does not care about MAC addresses or VLAN tags. It just looks at IP addresses and ports to identify the conversation.

In case you have the same packet twice with different Ethernet addresses, you have a packet before and after it being routed. What I recommend is to filter out either the ones not routed yet, or the ones after being routed. Usually, the TTL is a good thing to filter on for this. But you can of course also filter on the MAC address pairs.

(19 Mar '15, 17:21) Jasper ♦♦
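
A simplified model of the rule described in this thread, added here as an example; it is not Wireshark's code and not from any participant. It shows why a segment captured both before and after routing is flagged, and how filtering on TTL or on a MAC pair leaves only the real retransmission. All packet values, addresses and the helper name `flag_retransmissions` are constructed, and sequence-number wraparound and Wireshark's other TCP analysis flags are not modelled.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "no src_mac dst_mac ttl src sport dst dport seq length")

# Constructed values (not from a real capture).
A, B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"   # MAC pair before routing
C, D = "02:00:00:00:00:0c", "02:00:00:00:00:0d"   # MAC pair after routing
CLI, SRV = "10.0.0.5", "192.0.2.9"

# The capture point sees each client segment twice: pre-routing (TTL 64)
# and post-routing (TTL 63, different Ethernet addresses).
CAPTURE = [
    Pkt(1, A, B, 64, CLI, 50000, SRV, 80, 1000, 100),
    Pkt(2, C, D, 63, CLI, 50000, SRV, 80, 1000, 100),  # packet 1 after routing
    Pkt(3, D, C, 64, SRV, 80, CLI, 50000, 7000, 0),    # pure ACK, reverse direction
    Pkt(4, A, B, 64, CLI, 50000, SRV, 80, 1100, 50),
    Pkt(5, C, D, 63, CLI, 50000, SRV, 80, 1100, 50),   # packet 4 after routing
    Pkt(6, A, B, 64, CLI, 50000, SRV, 80, 1000, 100),  # sender really resent this
]

def flag_retransmissions(packets):
    """Return numbers of packets whose payload starts below the next expected
    sequence number for their direction, walking packets in capture order."""
    next_expected = {}  # (src, sport, dst, dport) -> next expected sequence number
    flagged = []
    for p in packets:
        # Conversation key: IP addresses and ports only. MAC addresses,
        # IP ID and checksums play no part in the decision.
        flow = (p.src, p.sport, p.dst, p.dport)
        expected = next_expected.get(flow)
        if expected is not None and p.length > 0 and p.seq < expected:
            flagged.append(p.no)
        next_expected[flow] = max(expected or 0, p.seq + p.length)
    return flagged

def only_ttl(packets, ttl):
    """Keep one side of the router by TTL, as recommended in the thread."""
    return [p for p in packets if p.ttl == ttl]

def only_mac_pair(packets, mac1, mac2):
    """Alternative filter: keep packets exchanged between one MAC address pair."""
    return [p for p in packets if {p.src_mac, p.dst_mac} == {mac1, mac2}]

if __name__ == "__main__":
    print("unfiltered:", flag_retransmissions(CAPTURE))                       # routed copies flagged too
    print("TTL 64 only:", flag_retransmissions(only_ttl(CAPTURE, 64)))        # real resend only
    print("MAC pair A/B:", flag_retransmissions(only_mac_pair(CAPTURE, A, B)))
```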
question asked: 18 Jun '13, 08:41

question was seen: 17,437 times

last updated: 19 Mar '15, 17:21