This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Retransmissions

0

I'm a new user to Wireshark. I've noticed that there are a lot of retransmissions being reported. Just wondering if this is normal or not?

asked 31 Aug '13, 06:13

Wolf147
accept rate: 0%


One Answer:

1

Standard answer: "it depends" ;-)

There are a lot of factors that need to be considered when dealing with retransmissions, e.g.:

  • What nodes are talking to each other, and what is their network distance?
  • Is it a LAN connection, or does the communication go out to the Internet?
  • Are the line speeds all the same (e.g. 1GBit/s on each link), or are there slower links that could lead to serialization of packets and congestion?
  • What is the direction of the packet loss? Is it unidirectional, or bidirectional? If unidirectional, is it happening on a link that you have control over?
  • Are the retransmissions really retransmissions, or just duplicate packets?

There are more aspects than this, but these were the most important ones (maybe I even forgot some)...

answered 31 Aug '13, 07:01

Jasper ♦♦
accept rate: 18%

I can look into it myself as I learn more. On the last point, they are marked in parentheses as [tcp retransmission]. They seem to follow every packet. Like there will be a packet sent, then a retransmission, or 5 packets sent, then 5 rt's. Is there any way I can give you a picture from the screen?

(01 Sep '13, 00:31) Wolf147

This sounds like duplicates to me if they're that frequent. You might want to try to deduplicate your trace - if there are duplicates in there, you'll get a clean(er) trace, depending on the deduplication settings. If not, you'll get the same result again.

Deduplication is done by using editcap, which comes with Wireshark (it is installed in the same directory). It is a command line tool, and you can use it like this (with a scan window of 20 packets):

editcap -D 20 yourfile.pcap deduplicatedfile.pcap

If your trace doesn't contain sensitive information you could post it on http://www.cloudshark.org

(01 Sep '13, 02:58) Jasper ♦♦
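The distinction drawn in the answer's last bullet, and the deduplication check suggested in the comment above, can be made concrete with a small model. The following is an added example, not code from the original thread or from the Wireshark project: it uses a constructed list of TCP frames (the Packet class, the field layout and the sample values are assumptions made for illustration) and a dedup() function modelled on editcap -D, which compares frames by MD5 of their bytes over a sliding window and ignores timestamps. A byte-identical copy of an earlier frame is a duplicate (typically an artefact of the capture point); a frame that repeats a flow's sequence number but differs on the wire, for instance with a fresh IP ID after a timeout, is a real retransmission. Running the model shows why deduplicating cleans up the "retransmission after every packet" pattern only when the extra frames really are duplicates.

```python
import hashlib
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    """A minimal stand-in for one captured TCP frame (constructed for this example)."""
    ts: float      # capture timestamp in seconds (not part of the frame bytes)
    ip_id: int     # IP identification field; a real retransmission gets a fresh one
    src: str
    dst: str
    seq: int       # TCP sequence number
    payload: bytes

    def frame(self) -> bytes:
        # Everything except the timestamp is on the wire, so a second copy of the
        # same frame (e.g. seen twice through a SPAN port) serialises identically.
        return f"{self.ip_id}|{self.src}|{self.dst}|{self.seq}|".encode() + self.payload


def dedup(packets: List[Packet], window: int = 20) -> Tuple[List[Packet], int]:
    """Drop a frame if an identical one occurred among the previous `window` frames.

    Modelled on editcap -D: frames are compared by MD5 of their bytes, timestamps
    are ignored, and only a sliding window of recent frames is remembered, so a
    duplicate further back than `window` frames is NOT removed.
    """
    recent: deque = deque(maxlen=window)
    kept: List[Packet] = []
    dropped = 0
    for p in packets:
        digest = hashlib.md5(p.frame()).digest()
        if digest in recent:
            dropped += 1
        else:
            kept.append(p)
        recent.append(digest)
    return kept, dropped


def classify(packets: List[Packet]) -> List[str]:
    """Label each frame 'first', 'duplicate' (byte-identical to an earlier frame)
    or 'retransmission' (same flow and sequence number, but a different frame)."""
    seen_frames = set()
    seen_seq = set()
    labels = []
    for p in packets:
        key = (p.src, p.dst, p.seq)
        if p.frame() in seen_frames:
            labels.append("duplicate")
        elif key in seen_seq:
            labels.append("retransmission")
        else:
            labels.append("first")
        seen_frames.add(p.frame())
        seen_seq.add(key)
    return labels


def summarize(packets: List[Packet], window: int = 20) -> Dict[str, int]:
    """Counts before and after deduplication: the check suggested in the thread."""
    before = classify(packets)
    kept, dropped = dedup(packets, window)
    after = classify(kept)
    return {
        "duplicates_before": before.count("duplicate"),
        "retransmissions_before": before.count("retransmission"),
        "dropped_by_dedup": dropped,
        "retransmissions_after": after.count("retransmission"),
    }


# Constructed sample: a capture point that sees every frame twice, plus one genuine
# retransmission 240 ms later carrying a new IP ID. A protocol analyser would
# typically flag all three extra frames as retransmissions; only the last one is.
SAMPLE = [
    Packet(0.0000, 100, "10.0.0.5", "10.0.0.9", 1, b"GET / HTTP/1.1"),
    Packet(0.0001, 100, "10.0.0.5", "10.0.0.9", 1, b"GET / HTTP/1.1"),
    Packet(0.0100, 101, "10.0.0.5", "10.0.0.9", 15, b"Host: example"),
    Packet(0.0101, 101, "10.0.0.5", "10.0.0.9", 15, b"Host: example"),
    Packet(0.2500, 102, "10.0.0.5", "10.0.0.9", 15, b"Host: example"),
]

if __name__ == "__main__":
    print(classify(SAMPLE))
    print(summarize(SAMPLE, window=20))
```

The window matters in the same way it does for editcap: a duplicate that arrives more than `window` frames after its original is not recognised, so on a busy capture where the copies are interleaved with other traffic a larger window (or a real-trace comparison before and after) is the safer check.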

I've just found a security program and all the congestion has all but gone? Any help here?

(01 Sep '13, 02:59) Wolf147

Can you give some more details? What happened, and what "security program" are you talking about?

(01 Sep '13, 03:01) Jasper ♦♦

Oh sorry. I missed your reply, thanks for that, but as I stated, I got a security program that looks pretty good against 'cain' and the like, and now all appears to be normal? Really weird!

(01 Sep '13, 03:04) Wolf147

All that happened is that I found a program called 'arp anti spoof' and the packets/traffic: retrans, bad TCP, etc. suddenly changed to be normal.

(01 Sep '13, 03:36) Wolf147

If this program changed the situation then there may have been ARP spoofing activity on your network. If you didn't do that kind of ARP spoofing yourself then you should keep an eye out for who could be doing it. If this would be my network, and someone is using spoofed ARP packets I'd get my baseball bat and fix the issue ;-) Well, maybe not that drastic, but there would be trouble for the guy...

(01 Sep '13, 03:41) Jasper ♦♦

I did really P/off a guy who is doing computer engineering. I've had conversations with him and he is completely nuts. I've got the feeling he's been stalking me computer-wise for some time, which is what led me to Wireshark. He's got access to my public IP from the forum I met him on, I would say, which puts me at a great disadvantage, plus the fact I'm barely intermediate with computers. I wouldn't need the baseball bat, trust me. You mentioned posting a log file; would an expert be able to check that out?

(01 Sep '13, 03:54) Wolf147

I forgot to ask. I also found a program called Arpon but can't get it going. Any advice there?

(01 Sep '13, 04:13) Wolf147

If he's not on your local network he can't ARP spoof you. ARP spoofing requires having a computer on the same local network as the target machine, so if you have problems with a guy out there on the internet (or even in a network other than your own) he can't do it.

An expert could check whether ARP spoofing is happening if the corresponding packets were captured. Posting a trace like that can be problematic though, because you might expose sensitive information from your network.

(01 Sep '13, 04:14) Jasper ♦♦

No, he is not on the local network. I've been checking out the traffic on this for about a week and it really didn't look right, as I talked about in the beginning. Then when I got this program the traffic changed/looks fine. Are there any other forms of hacking that could be used to cause these bad packets? Sorry for all these questions and thanks for your help.

(01 Sep '13, 04:28) Wolf147