This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Confused about RTO value displayed by Wireshark

0

Hello, at work we are analyzing captures due to a production environment problem. We are looking at a packet loss burst (3 consecutive lost packets) and their retransmission time. I added the tcp.analysis.rto value as a column, but I noted that for all retransmitted packets their RTO value does not refer to the "original" packet time. Also, looking at the packet details, Wireshark tells the frame number used to calculate the delta time, but it's a successive frame! Am I misunderstanding something about the RTO? Shouldn't the RTO timer start when the packet is sent?

asked 18 Oct '15, 12:32

ryu80

edited 19 Oct '15, 07:39

JeffMorriss ♦

Hello,

Here is the capture: https://www.cloudshark.org/captures/ca907de31560

Due to security reasons I had to remove the payload and I had to change the addresses.

Looking at the trace, the server with the 10.1.1.2 address sent 3 packets that are lost:

frame 90 is retransmitted with frame 112 (but rto is based on delta from frame 104)

frame 91 is retransmitted with frame 120 (but rto is based on delta from frame 104)

frame 92 is retransmitted with frame 128 (but rto is based on delta from frame 124)

Can you help me to understand why sometimes the RTO isn't based on the delta from the original frame? Thank you very much.

(24 Oct '15, 10:20) ryu80

One Answer:

0

The RTO timer starts when the packet is sent but it sounds like the TCP dissector is showing you the time between retransmissions--in other words the value of the connection's RTO timer when the packet was last sent (i.e., it's showing you what the RTO value was, not the total time since the original transmission--which isn't something the TCP stack tracks).

answered 19 Oct '15, 07:39

JeffMorriss ♦

Thanks for the answer. For example, here is a capture where the retransmitted packet is number 128,

but Wireshark calculates the RTO from frame 124 ... Anyway, I still don't understand why Wireshark shouldn't calculate it from the packet with the same seq number. In this case the RTO should be around 1.6 seconds, am I right?

(19 Oct '15, 14:21) ryu80

Could you provide us an example trace? I think it would be easier to follow you.

(19 Oct '15, 15:33) Christian_R

I uploaded a dump file; the CloudShark link is below.

(26 Oct '15, 07:25) ryu80

Any suggestions? It seems that Wireshark, to calculate the RTO, considers the last received segment with some payload data. I find it hard to believe there is a bug related to RTO calculation.

(19 Nov '15, 02:26) ryu80
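The two measurements discussed in this thread, side by side, as an added example that is not part of the original posts or of Wireshark's code: for each retransmission it reports the time since the first frame with the same sequence number and the time since a reference frame. It assumes, as the frame numbers quoted in the thread suggest, that the dissector's reference is the most recent frame that advanced the highest sequence number sent in that direction; the frame numbers mirror the thread, while the timestamps, sequence numbers and lengths are constructed.

```python
from collections import namedtuple

Seg = namedtuple("Seg", "frame time_ms seq length")

# Constructed server-to-client segments. Frame numbers mirror the thread;
# timestamps, sequence numbers and lengths are invented for illustration.
SEGMENTS = [
    Seg(90, 10000, 1000, 100),
    Seg(91, 10001, 1100, 100),
    Seg(92, 10002, 1200, 100),
    Seg(104, 10400, 1300, 100),
    Seg(112, 10900, 1000, 100),  # same seq as frame 90
    Seg(120, 11300, 1100, 100),  # same seq as frame 91
    Seg(124, 11400, 1400, 100),  # new data
    Seg(128, 11600, 1200, 100),  # same seq as frame 92
]


def rto_deltas(segments):
    """Map each retransmission's frame to
    (original_frame, ms_since_original, reference_frame, ms_since_reference).

    The reference frame is the last one that advanced the highest sequence
    number sent so far (assumed dissector behaviour). Sequence-number
    wraparound is ignored to keep the example short.
    """
    first_seen = {}      # seq -> first segment carrying that sequence number
    next_seq = None      # highest sequence number sent so far, plus one
    last_advance = None  # segment that last moved next_seq forward
    result = {}
    for s in segments:
        if s.length == 0:
            continue     # pure ACKs carry no data to retransmit
        end = s.seq + s.length
        if next_seq is not None and end <= next_seq:
            orig = first_seen.get(s.seq)
            result[s.frame] = (
                orig.frame if orig else None,
                s.time_ms - orig.time_ms if orig else None,
                last_advance.frame,
                s.time_ms - last_advance.time_ms,
            )
            continue
        first_seen.setdefault(s.seq, s)
        next_seq, last_advance = end, s
    return result


if __name__ == "__main__":
    for frame, row in sorted(rto_deltas(SEGMENTS).items()):
        print(frame, row)
```

On a real capture the same columns can be exported with tshark using the `frame.number`, `frame.time_relative`, `tcp.seq` and `tcp.len` fields, filtered to one direction of one stream.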