This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark doesn’t show TCP retransmit while applying SIP filters ?

1

Hey guys

I am troubleshooting a voice call and I applied a SIP CallID filter, the problem is that I don't see the TCP retransmit anymore in my capture for that specific call ...

I have a friend that has Wireshark 1.10.5 and it is working for him but I am on the newer version and it does not show the TCP retransmit .

Anyone has any hint to give me? :)

Thanks

vPackets

asked 21 Feb '17, 09:10

vPackets's gravatar image

vPackets
21114
accept rate: 0%


One Answer:

1

By default in recent versions of Wireshark the TCP dissector does not pass "error" packets (such as retransmissions) to upper layer dissectors. This is because these error packets tend to confuse the upper-layer protocol dissectors (because they see the same data more than once).

If you want the old functionality back you can disable the TCP preference Do not call subdissectors for error packets. But you may be better off simply adding something like || tcp.analysis.retransmission to your filter.

answered 21 Feb '17, 10:50

JeffMorriss's gravatar image

JeffMorriss ♦
6.2k572
accept rate: 27%

Thanks a lot.

The problem with || tcp.analysis.retransmission is that it will add ALL the TCP retransmit I had during that capture ... not the specific ones for my SIP.CallID .

Nic

(21 Feb '17, 23:14) vPackets

True enough.

On a side note if my answer answers your question please be sure to Accept the answer (by clicking on the checkmark next to it). This is a Q&A site, not a forum--see the FAQ.

(22 Feb '17, 05:24) JeffMorriss ♦

So Is there a way to filter a call and the specific TCP retransmit I had for that call ?

I tried SIP Call ID AND TCP.analysis.retransmission but without any luck :(

Thanks to let me know

Nic

(24 Feb '17, 22:34) vPackets

I think for that you'll need to disable the Do not call subdissectors for error packets preference (and even that's not going to be perfect; if the retransmitted segment doesn't include the Call ID then it won't be caught). AFAIK that's about as good as it's going to get (unless you can filter on something else like the TCP stream number or something).

(27 Feb '17, 05:59) JeffMorriss ♦

Hey Jeff !

Looks like I got the same results using your advice :(

Do you think of something else or should I downgrade to Wireshark 1.x ?

Thanks !

(13 Mar '17, 21:09) vPackets

Sorry, which advice (we talked about a couple different options)? The one that should get you back to the old behavior is disabling the Do not call subdissectors for error packets option. It would be interesting to know if the behavior isn't the same.

Are there non-SIP fields you can filter on once you have the call isolated (e.g., IP addresses and ports)?

(17 Mar '17, 05:50) JeffMorriss ♦
showing 5 of 6 show 1 more comments