Hello world, I want to understand how wireshark detect retransmission, or in other words, how it implements the filter "tcp.analysis.retransmission". I've found several related posts: https://ask.wireshark.org/questions/25609/how-does-wireshark-detect-tcp-retransmissions https://ask.wireshark.org/questions/16771/tcpanalysisretransmission However, I'm still not sure about the details. The real cases seem to be more complex than just comparing SEQ. For example, I have found a retransmission packet has a different SEQ from the original packet (only +1 to the original SEQ though). Therefore I'm looking for help - could anyone point out somewhere in the wireshark source code for me to better understand the mechanism? Thanks! asked 18 Oct '17, 20:07  zzy |
One Answer:
You could start here looking at the sequence number analysis. What it comes down to is keeping track of the bytes already seen, and checking the new received TCP packet where the bytes fit into the stream. answered 18 Oct '17, 23:17  Jaap ♦ |
Thank you so much! That's exactly what I need!
A while back I tried to document TCP analysis behavior in the User's Guide. The retransmission check compares the current sequence number with the next expected sequence number, but it can be superseded by several other checks, e.g. fast retransmission or out-of-order.