This is our old Q&A Site. Please post any new questions and answers at

Hello world,

I want to understand how wireshark detect retransmission, or in other words, how it implements the filter "tcp.analysis.retransmission".

I've found several related posts:

However, I'm still not sure about the details. The real cases seem to be more complex than just comparing SEQ. For example, I have found a retransmission packet has a different SEQ from the original packet (only +1 to the original SEQ though).

Therefore I'm looking for help - could anyone point out somewhere in the wireshark source code for me to better understand the mechanism?


asked 18 Oct '17, 20:07

zzy's gravatar image

accept rate: 0%

You could start here looking at the sequence number analysis. What it comes down to is keeping track of the bytes already seen, and checking the new received TCP packet where the bytes fit into the stream.

permanent link

answered 18 Oct '17, 23:17

Jaap's gravatar image

Jaap ♦
accept rate: 14%

Thank you so much! That's exactly what I need!

(19 Oct '17, 08:14) zzy

A while back I tried to document TCP analysis behavior in the User's Guide. The retransmission check compares the current sequence number with the next expected sequence number, but it can be superseded by several other checks, e.g. fast retransmission or out-of-order.

(19 Oct '17, 08:24) Gerald Combs ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 18 Oct '17, 20:07

question was seen: 7,244 times

last updated: 19 Oct '17, 08:24

p​o​w​e​r​e​d by O​S​Q​A