This is a static archive of our old Q&A Site. Please post any new questions and answers at

How does “tcp.analysis.retransmission” work?


Hello world,

I want to understand how wireshark detect retransmission, or in other words, how it implements the filter "tcp.analysis.retransmission".

I've found several related posts:

However, I'm still not sure about the details. The real cases seem to be more complex than just comparing SEQ. For example, I have found a retransmission packet has a different SEQ from the original packet (only +1 to the original SEQ though).

Therefore I'm looking for help - could anyone point out somewhere in the wireshark source code for me to better understand the mechanism?


asked 18 Oct '17, 20:07

zzy's gravatar image

accept rate: 0%

One Answer:


You could start here looking at the sequence number analysis. What it comes down to is keeping track of the bytes already seen, and checking the new received TCP packet where the bytes fit into the stream.

answered 18 Oct '17, 23:17

Jaap's gravatar image

Jaap ♦
accept rate: 14%

Thank you so much! That's exactly what I need!

(19 Oct '17, 08:14) zzy

A while back I tried to document TCP analysis behavior in the User's Guide. The retransmission check compares the current sequence number with the next expected sequence number, but it can be superseded by several other checks, e.g. fast retransmission or out-of-order.

(19 Oct '17, 08:24) Gerald Combs ♦♦