This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I was looking at two traces one from the sending side where I saw the original packet and the retransmitted packet. I can understand how wireshark would flag the second packet as a retransmission in the expert info because it would simply need to look for two packet with the same sequence number. However, in second capture where the first packet is missing and I only see the retransmitted packet, I'm wondering how wireshark was able to detect that the packet was a retransmit? Can someone explain how it knows this?

asked 03 Oct '13, 14:02

a5snc's gravatar image

a5snc
11224
accept rate: 0%


Sure. If packets are in the correct order, the TCP sequence is either the same (if the previous packet had no content) or greater than the sequence number in the previous packet. So the current sequence number must always be greater or equal to the previous number, and if Wireshark sees a retransmission the sequence number is "old", thus less than the sequence number of the packet it has previously seen (mathematically "monotonically increasing").

Well, it's a little more complicated than this actually, because a packet arriving after another in the wrong order could also be a simple "Out-of-Order" situation. In Wireshark there is a hard coded limit of 3 milliseconds, after which an "out of order" packet is marked "retransmission" instead.

permanent link

answered 03 Oct '13, 14:13

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

edited 03 Oct '13, 14:22

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×752
×56
×16

question asked: 03 Oct '13, 14:02

question was seen: 15,287 times

last updated: 03 Oct '13, 14:22

p​o​w​e​r​e​d by O​S​Q​A