This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark cannot decode TCP retransmission messages

0

Hello

From Wireshark version 2 onwards, I could not decode Diameter messages. Wireshark understands the packet as a TCP Retransmission. Even with Decode As it was not possible to decode it.

Thanks

Stavros

asked 21 Jul '16, 01:10

steve21
11557
accept rate: 0%

Are you saying that Wireshark marks even the first occurrence of a packet in the capture as a retransmission, or that it does not bother to dissect again a retransmitted packet if it has already dissected its first occurrence?

Can you post the capture at cloudshark or some file sharing service and edit your question with a link to it?

(21 Jul '16, 01:52) sindy

Hello

It is not a re-transmitted message. It's a CCR-U Diameter message.

https://www.cloudshark.org/captures/92e2092341f2

(21 Jul '16, 02:16) steve21

Is it a capture of real traffic or is part of the packets (the IP and TCP part in particular) handcrafted? Because the TCP sequence numbers are clearly wrong, having a constant value of 1 for all packets (which explains why Wireshark doesn't bother inspecting the packet in deeper detail because a TCP packet bearing an already used sequence number and non-zero payload size cannot be anything else but a retransmission), so I wonder how something like this could actually work in a real network. Something is also telling me that use of TCP port 0 is not legal, but I may be wrong.

If it is real traffic, it can only work because both participants of the conversation use the same incorrect TCP implementation. So interworking with any other vendor's stack would be impossible.

(21 Jul '16, 02:28) sindy

One Answer:

0

Hi again

The cap was captured from a trace tool which we are using in our Gateway. Problem solved. Unchecked the Analyse TCP sequences from TCP Preferences.

Thanks for your effort

answered 21 Jul '16, 03:39

steve21
11557
accept rate: 0%
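
The reasoning in the comments above, as an added example (not part of the original thread and not Wireshark's own code): a simplified model of TCP sequence analysis that labels a payload-bearing segment as a retransmission when its sequence number is below the next expected one for that flow. The flow names and payload sizes are constructed; the `analyze_sequence_numbers` switch mimics unchecking the preference mentioned in the answer.

```python
from collections import namedtuple

# One TCP segment: flow label (direction), sequence number, payload length.
Segment = namedtuple("Segment", "flow seq length")


def flag_retransmissions(segments, analyze_sequence_numbers=True):
    """Return one label per segment: 'new' or 'retransmission'.

    Simplified heuristic: a segment carrying payload whose sequence number
    is lower than the highest seq+len already seen on the same flow is
    treated as a retransmission.
    """
    next_expected = {}  # per flow: highest (seq + length) seen so far
    labels = []
    for seg in segments:
        label = "new"
        if analyze_sequence_numbers and seg.length > 0:
            nxt = next_expected.get(seg.flow)
            if nxt is not None and seg.seq < nxt:
                label = "retransmission"
        end = seg.seq + seg.length
        next_expected[seg.flow] = max(next_expected.get(seg.flow, end), end)
        labels.append(label)
    return labels


# Constructed sample: a trace tool that writes seq=1 into every packet.
CONSTANT_SEQ = [
    Segment("gw->peer", 1, 300),
    Segment("gw->peer", 1, 280),
    Segment("peer->gw", 1, 200),
    Segment("gw->peer", 1, 320),
]

# Constructed sample: the same payloads with correctly advancing numbers.
ADVANCING_SEQ = [
    Segment("gw->peer", 1, 300),
    Segment("gw->peer", 301, 280),
    Segment("gw->peer", 581, 320),
]

if __name__ == "__main__":
    print(flag_retransmissions(CONSTANT_SEQ))
    print(flag_retransmissions(ADVANCING_SEQ))
    print(flag_retransmissions(CONSTANT_SEQ, analyze_sequence_numbers=False))
```

Only the first payload-bearing packet in each direction escapes the retransmission label when every packet carries the same sequence number, which matches the behaviour reported in the question.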