Why sar ETCP shows TCP retransmission but wireshark tcp.analysis.retransmission doesn’t

Question

I am trying to investigate the cause of TCP retransmission. When I use sadc and sar, it shows that there are tcp retransmissions, but when I use wireshark on all of the server's interfaces, it doesn't show any retransmissions and quits after 2 minutes with write to disk full. But sar shows that within the first minute, there are retransmissions.

sar shows retransmission

[[email protected] ~]# /usr/lib64/sa/sadc -S INT -S DISK -S XDISK -S SNMP -S IPV6 1 50 /tmp/sadc_stats.log
[[email protected] ~]# sar -f /tmp/sadc_stats.log -n ETCP
09:25:55 AM atmptf/s estres/s retrans/s isegerr/s orsts/s
Average: 2.07 0.04 1.38 0.00 2.71

wireshark doesn’t show retransmission

tshark -i xsi1 -R tcp.analysis.retransmission

I tried all other interfaces in addition to xsi1.

Another thing is that I am using both of these commands within a VM on the host server.

Thank you!

Desong

Answer 1

I've never used sadc or sar, so I'm not sure what to make of the output, but as for tshark ... what version of wireshark are you using? It must be fairly old; otherwise you would see a message such as follows when attempting to run it the way you are:

tshark: -R without -2 is deprecated. For single-pass filtering use -Y.

And if you attempted to use -2R, you would see:

tshark: Live captures do not support two-pass analysis.

I would suggest updating Wireshark, if possible and then retest, although you may be better off post-analyzing the data after saving the traffic to a capture file using the "-w file.pcapng" option.