This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Systematic TCP retransmission

0

I have 5 same devices connected to the switch. The IPs are constant. Using Wireshark I see a systematic TCP retransmissions within 1 or 2 usec on ports 1 and 5 (only). After swapping Port 1 with 2 for example the retransmission remains the same. It is probably not due to the lose data. What can be the issue?

asked 28 Jan '16, 00:37

Alex_Oren's gravatar image

Alex_Oren
6112
accept rate: 0%

Maye it is a duplex mismatch. Have you checked that the port and the device have the same link setting ? e.g. Both are set to autoneg?

(28 Jan '16, 00:59) Christian_R

The devices are only half duplex. Initially, the PLC that is sending the commands was full duplex, I changed the setting in the switch for the PLC port to be half duplex as well. No influence on the problem behavior.

(28 Jan '16, 01:23) Alex_Oren

Also the retransmission is very fast within 2 microseconds, so it is not due to any data loss. The time - scale of other commands is milliseconds

(28 Jan '16, 01:27) Alex_Oren

where did you take the trace?

(28 Jan '16, 01:35) Christian_R

A port in the switch was configured for port mirroring of all other ports and Wireshark was connected to this port.

(28 Jan '16, 01:41) Alex_Oren

Thank you.

(28 Jan '16, 01:52) Alex_Oren
showing 5 of 6 show 1 more comments

One Answer:

0

Sounds like duplicate frames to me, caused by SPANning more than one port (all of them as far as you commented). This means that you'll see packets twice: once when it enters the switch on the source port (and gets copied to the monitor port) and again when it leaves the switch on the destination port.

You should try deduplicating your capture with editcap.

See this blog post for details: https://blog.packet-foo.com/2015/03/tcp-analysis-and-the-five-tuple/

answered 01 Feb '16, 04:18

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Jasper, In this case the behavior of ports 2,3 and 4 should be the same as 1 and 5? The retransmissions are only on ports 1 and 5

(01 Feb '16, 04:24) Alex_Oren

Depends on what packets are arriving on which ports. Maybe try deduplicating your trace to see if editcap thinks there are duplicates. If it doesn't remove any frames it's something else.

(01 Feb '16, 04:30) Jasper ♦♦
 A port in the switch was configured for port mirroring of all other ports

I think Jasper has pointed out the most probable cause of that behaviour.

(01 Feb '16, 06:10) Christian_R

@Alex_Oren, @Jasper's explanation seems to be the most likely one, but you need to perform additional tests to be sure.

The reason why the behaviour can only be seen on ports 1 and 5 but not 2, 3, 4 could be a misconfiguration or a bug of the switch, leading to different treatment of traffic on different ports. So to find out, I'd recommend to SPAN only a single port, one of the 1 or 5, and check whether the situation continues or not.

(01 Feb '16, 14:27) sindy