This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP retransmission: identify both original and retransmission

0

Hi,

Finding retransmissions using tshark or wireshark seems to be quite simple, using the tcp.analysis.retransmission or tcp.analysis.fast_retransmission display filters. However, my question is with regard to the segments that are flagged by these filters. Do they flag both the initial transmission and the retransmission (and later ones), or do they tag only the first retransmitted segment (and later ones)? I have not been able to find a reference for this.

Appreciate your help! /Jamie

asked 11 Feb '16, 01:05

Jamie_unix

My tests lead me to conclude that it tags only the retransmissions. So, I was wondering if there is a filter with which I can flag both the originals and the retransmissions?

(11 Feb '16, 01:18) Jamie_unix

One Answer:

0

The original will not be tagged, only the retransmitted copies. You need to find the originals by searching for the sequence number found in the retransmitted packet.

For further reference about packet dependency filtering you might want to take a look at this:

https://blog.packet-foo.com/2015/03/advanced-display-filtering/

answered 11 Feb '16, 01:43

Jasper ♦♦

edited 11 Feb '16, 01:44

Thanks Jasper. I will look into that. Is there a quick way to get seq numbers of the retransmissions? By default it does not seem to show them.

(11 Feb '16, 01:52) Jamie_unix

Figuring that out was straightforward; it just requires -T fields -e tcp.seq.

(11 Feb '16, 02:01) Jamie_unix
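
The lookup described in the answer, as an added example that is not part of the original thread: it pairs each flagged retransmission with the earliest unflagged frame carrying the same sequence number in the same direction of the same stream, then builds a display filter that selects both. The function names and sample rows are constructed for illustration, and it assumes a non-empty value in either flag column means the frame was flagged.

```shell
#!/bin/sh
# Input columns (tab-separated), e.g. from (capture.pcap is a placeholder):
#   tshark -r capture.pcap -Y 'tcp.len > 0' -T fields -e frame.number \
#     -e tcp.stream -e ip.src -e tcp.srcport -e tcp.seq \
#     -e tcp.analysis.retransmission -e tcp.analysis.fast_retransmission

# Constructed sample rows (not from a real capture).
sample_rows() {
  printf '1\t0\t10.0.0.1\t50000\t1\t\t\n'
  printf '2\t0\t10.0.0.1\t50000\t1461\t\t\n'
  printf '3\t0\t10.0.0.2\t443\t1\t\t\n'        # reverse direction, same seq
  printf '4\t0\t10.0.0.1\t50000\t1461\t1\t\n'  # retransmission of frame 2
  printf '5\t0\t10.0.0.1\t50000\t2921\t\t\n'
  printf '6\t0\t10.0.0.1\t50000\t1461\t\t1\n'  # fast retransmission of frame 2
  printf '7\t1\t10.0.0.3\t50001\t1\t1\t\n'     # original sent before capture began
}

# Print "stream seq original_frame retransmitted_frame" per flagged row.
pair_retransmissions() {
  awk -F '\t' '
    {
      # Key on one direction of one stream so equal sequence numbers
      # from the peer or from another connection are not confused.
      key = $2 SUBSEP $3 SUBSEP $4 SUBSEP $5
      if ($6 != "" || $7 != "") {
        # Assumption: any non-empty flag column marks a retransmission.
        orig = (key in first) ? first[key] : "unseen"
        print $2, $5, orig, $1
      } else if (!(key in first)) {
        first[key] = $1   # earliest unflagged frame with this seq
      }
    }'
}

# Build a display filter matching originals and retransmissions together.
both_filter() {
  pair_retransmissions |
    awk '{ if ($3 != "unseen") print $3; print $4 }' |
    sort -n -u |
    awk '{ printf "%sframe.number == %s", (NR > 1 ? " || " : ""), $1 }
         END { if (NR) print "" }'
}

sample_rows | pair_retransmissions
sample_rows | both_filter
```

An exact sequence-number match misses originals whose data was re-segmented before being resent, so a frame reported as "unseen" is not proof that the original is absent from the capture.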