This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How does Wireshark recognize TCP Retransmission packets?

0

Hi guys, I just want to ask what information Wireshark needs to check before it recognizes that a packet is a retransmission packet. If it does so based on the IP Identification and Transport Layer Checksum values, Wireshark needs to compare the retransmission packet's data to the previous packet's data, does it not?

asked 18 Jun '13, 08:41

quang20082008


One Answer:

3

It compares the sequence numbers to what it has determined to be the next expected sequence number from the last packet of the conversation in the same direction, by packet order (not by timestamp). It does not care about the checksum or IP ID.

answered 18 Jun '13, 08:52

Jasper ♦♦

Hi Jasper, if Wireshark finds that it is a retransmitted packet, is there any blocking for ACK packets with the same sequence number, or will Wireshark drop the packets with the same sequence number?

(25 Jun '13, 05:56) sachi
1

Wireshark does not drop or block packets, especially not based on sequence numbers. And careful about ACK packets: their sequence number has nothing to do with the acknowledge number. Wireshark will show/decode any packet that was captured, no matter what the sequence/acknowledge numbers are.

(25 Jun '13, 06:02) Jasper ♦♦

So, could it happen that it qualifies the packet as TCP Retransmission even though the MAC source and destination are different? This is what is happening in one of my clients' networks, and I just find something to point my finger at...

(19 Mar '15, 07:28) SNArchsCOM

Yes. The TCP dissector does not care about MAC addresses or VLAN tags. It just looks at IP addresses and ports to identify the conversation.

In case you have the same packet twice with different Ethernet addresses, you have a packet before and after being routed. What I recommend is to filter out either the ones not routed yet, or the ones after being routed. Usually, the TTL is a good thing to filter on for this. But you can of course also filter on the MAC address pairs.

(19 Mar '15, 17:21) Jasper ♦♦
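
A simplified model of the check described in the answer and comments above, added here as an example and not Wireshark's own code: it tracks the next expected sequence number per conversation direction in capture order, shows how a segment captured before and after routing gets flagged, and applies the TTL filter to isolate the genuine retransmission. The packet records, field names and function names are constructed for illustration, and sequence-number wraparound is ignored.

```python
from collections import namedtuple

# Constructed sample capture; the field layout is an assumption of this sketch.
Pkt = namedtuple("Pkt", "no src_mac dst_mac ttl src dst sport dport seq length")

CAPTURE = [
    # Same segments seen before routing (TTL 64) and after routing (TTL 63).
    Pkt(1, "aa:aa", "bb:bb", 64, "10.0.0.5", "10.0.1.9", 40000, 80, 1000, 100),
    Pkt(2, "cc:cc", "dd:dd", 63, "10.0.0.5", "10.0.1.9", 40000, 80, 1000, 100),
    Pkt(3, "aa:aa", "bb:bb", 64, "10.0.0.5", "10.0.1.9", 40000, 80, 1100, 100),
    Pkt(4, "cc:cc", "dd:dd", 63, "10.0.0.5", "10.0.1.9", 40000, 80, 1100, 100),
    # A genuine retransmission: seq 1100 is sent again and also routed.
    Pkt(5, "aa:aa", "bb:bb", 64, "10.0.0.5", "10.0.1.9", 40000, 80, 1100, 100),
    Pkt(6, "cc:cc", "dd:dd", 63, "10.0.0.5", "10.0.1.9", 40000, 80, 1100, 100),
]


def flag_retransmissions(packets):
    """Return packet numbers whose data ends at or below the next expected seq.

    State is keyed by (src, dst, sport, dport) only, so MAC addresses, IP ID
    and checksums play no part, and packets are processed in capture order
    rather than by timestamp.
    """
    next_expected = {}
    flagged = []
    for p in packets:
        flow = (p.src, p.dst, p.sport, p.dport)  # one direction of the conversation
        end = p.seq + p.length
        expected = next_expected.get(flow)
        # Zero-length segments (pure ACKs) carry no data and are not flagged here.
        if expected is not None and p.length > 0 and end <= expected:
            flagged.append(p.no)
        next_expected[flow] = max(expected or 0, end)
    return flagged


def one_side_only(packets, ttl):
    """Keep packets from a single capture point, selected by TTL."""
    return [p for p in packets if p.ttl == ttl]


if __name__ == "__main__":
    print("unfiltered:", flag_retransmissions(CAPTURE))
    print("TTL 64 only:", flag_retransmissions(one_side_only(CAPTURE, 64)))
```
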