Hi,

Finding retransmissions using tshark or wireshark seems to be quite simple, using the tcp.analysis.retransmission or tcp.analysis.fast_retransmission display filters. However, my question is with regard to the segments that are flagged by these filters. Do they flag both the initial transmission and the retransmission (and later ones), or do they tag only the first retransmitted segment (and later ones)? I have not been able to find a reference for this.

Appreciate your help!

/Jamie

asked 11 Feb '16, 01:05 Jamie_unix
One Answer:
The original will not be tagged, only the retransmitted copies. You need to find the originals by searching for the sequence number found in the retransmitted packet.

For further reference about packet dependency filtering you might want to take a look at this: https://blog.packet-foo.com/2015/03/advanced-display-filtering/

answered 11 Feb '16, 01:43 Jasper ♦♦
edited 11 Feb '16, 01:44

Thanks Jasper. I will look into that. Is there a quick way to get seq numbers of the retransmissions? By default it does not seem to show them. (11 Feb '16, 01:52) Jamie_unix

Figuring that out was straightforward. Just requires -T fields -e tcp.seq. (11 Feb '16, 02:01) Jamie_unix
My tests lead me to conclude that it tags only the retransmissions. So, was wondering if there is a filter with which I can flag both the originals and the retransmissions?
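
The sequence-number lookup from the answer, done as two tshark passes so that originals and retransmitted copies appear together. This is an added example, not part of the original thread; the function names and the sample values are constructed, and matching on tcp.srcport to keep the two directions of a stream apart is an assumption of this sketch.

```shell
#!/usr/bin/env bash
# Two-pass lookup: pass 1 collects the sequence numbers of flagged
# retransmissions, pass 2 shows every segment carrying those numbers.
# Both passes must run with the same relative/absolute sequence number
# setting, which holds when the same tshark preferences are used.

# Pass 1: stream index, source port and sequence number of each segment
# that tshark flagged as a (fast) retransmission, tab-separated.
list_retransmissions() {
    tshark -r "$1" \
        -Y 'tcp.analysis.retransmission || tcp.analysis.fast_retransmission' \
        -T fields -e tcp.stream -e tcp.srcport -e tcp.seq
}

# Turn pass-1 lines (stdin) into one display filter. The filter matches the
# untagged original as well as every retransmitted copy. Pure ACKs that carry
# the same sequence number also match; append "&& tcp.len>0" per term to
# restrict the result to data segments.
build_filter() {
    sort -u | awk -F'\t' '
        NF == 3 {
            printf "%s(tcp.stream==%s && tcp.srcport==%s && tcp.seq==%s)", sep, $1, $2, $3
            sep = " || "
        }
        END { if (sep != "") print "" }'
}

# Constructed sample of pass-1 output (not taken from a real capture).
sample_retransmissions() {
    printf '0\t51514\t1001\n0\t51514\t1001\n3\t443\t2897\n'
}

if [ -n "${1:-}" ]; then
    # Pass 2: rerun tshark on the capture with the generated filter.
    filter=$(list_retransmissions "$1" | build_filter)
    if [ -n "$filter" ]; then
        tshark -r "$1" -Y "$filter"
    else
        echo "no retransmissions flagged in $1" >&2
    fi
else
    # No capture given: show the filter built from the constructed sample.
    sample_retransmissions | build_filter
fi
```

The generated filter string can also be pasted into the Wireshark display filter bar.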