This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Why sar ETCP shows TCP retransmission but wireshark tcp.analysis.retransmission doesn't

0

I am trying to investigate the cause of TCP retransmission. When I use sadc and sar, it shows that there are tcp retransmissions, but when I use wireshark on all of the server's interfaces, it doesn't show any retransmissions and quits after 2 minutes with write to disk full. But sar shows that within the first minute, there are retransmissions.

sar shows retransmission

[[email protected] ~]# /usr/lib64/sa/sadc -S INT -S DISK -S XDISK -S SNMP -S IPV6 1 50 /tmp/sadc_stats.log

[[email protected] ~]# sar -f /tmp/sadc_stats.log -n ETCP
09:25:55 AM atmptf/s estres/s retrans/s isegerr/s orsts/s
Average: 2.07 0.04 1.38 0.00 2.71

wireshark doesn't show retransmission

tshark -i xsi1 -R tcp.analysis.retransmission

I tried all other interfaces in addition to xsi1.

Another thing is that I am using both of these commands within a VM on the host server.

Thank you!

Desong

asked 19 May '16, 05:32

desongyu's gravatar image

desongyu
6112
accept rate: 0%

edited 19 Jul '16, 08:48

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
One Answer:
active answersoldest answersnewest answerspopular answers
0

I've never used sadc or sar, so I'm not sure what to make of the output, but as for tshark ... what version of wireshark are you using? It must be fairly old; otherwise you would see a message such as follows when attempting to run it the way you are:

tshark: -R without -2 is deprecated. For single-pass filtering use -Y.

And if you attempted to use -2R, you would see:

tshark: Live captures do not support two-pass analysis.

I would suggest updating Wireshark, if possible and then retest, although you may be better off post-analyzing the data after saving the traffic to a capture file using the "-w file.pcapng" option.

permanent link

answered 19 Jul '16, 08:45

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%

Also consider using dumpcap rather than tshark to make the capturing process even lighter on resource usage.

(19 Jul '16, 09:08) grahamb ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×16

question asked: 19 May '16, 05:32

question was seen: 1,691 times

last updated: 19 Jul '16, 09:08

Related questions

Duplicate ACKs + delayed retransmission

TCP Dup ACK and a TCP retransmission _large packet size

TCP Dup Ack. TCP Retransmission

Many TCP retransmission and tcp out-of-order found for slow connection

Searching the Info Field in 1k files

AP Forward Labeled As Retransmission

Systematic TCP retransmission

Remote Desktop not connecting

Lag network http/https?

ACK for FIN Re transmission errors on web service client.

about | faq | privacy | support | contact

p​o​w​e​r​e​d by O​S​Q​A