I want to understand how Wireshark detects retransmissions, or in other words, how it implements the filter "tcp.analysis.retransmission".
I've found several related posts:
However, I'm still not sure about the details. The real cases seem to be more complex than just comparing SEQ. For example, I have found that a retransmission packet has a different SEQ from the original packet (only +1 to the original SEQ though).
Therefore I'm looking for help - could anyone point out somewhere in the Wireshark source code for me to better understand the mechanism?
asked 18 Oct '17, 20:07
You could start here, looking at the sequence number analysis. What it comes down to is keeping track of the bytes already seen, and checking where the bytes of each newly received TCP packet fit into the stream.
answered 18 Oct '17, 23:17
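The idea in the answer above (remember which bytes were already seen, then check where each new segment fits) can be sketched as follows. This is an added example, not Wireshark's code and not part of the original posts. It assumes a simplified model that keeps only the highest sequence number seen per flow direction, so a segment that fills an earlier gap is also reported as a retransmission; the class name, verdict strings and sample segments are constructed for illustration.

```python
MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around

def seq_diff(a, b):
    """Signed distance a - b in sequence space, correct across wraparound."""
    d = (a - b) % MOD
    return d - MOD if d >= MOD // 2 else d

class SeqTracker:
    """Remembers, per flow direction, the highest sequence number seen so far."""
    def __init__(self):
        self.next_seq = {}  # flow tuple -> seq number just past the highest byte seen

    def classify(self, flow, seq, payload_len, syn=False, fin=False):
        seg_len = payload_len + int(syn) + int(fin)  # SYN and FIN each use one seq number
        end = (seq + seg_len) % MOD
        nxt = self.next_seq.get(flow)
        if nxt is None:
            self.next_seq[flow] = end
            return "first"
        if seg_len == 0:
            return "pure-ack"  # carries no sequence space, nothing to compare
        if seq_diff(end, nxt) <= 0:
            return "retransmission"  # ends at or before the highest byte already seen
        if seq_diff(seq, nxt) < 0:
            verdict = "partial-overlap"  # starts in old data, extends into new data
        elif seq == nxt:
            verdict = "new"
        else:
            verdict = "gap-before"  # bytes between nxt and seq were never captured
        self.next_seq[flow] = end
        return verdict

def analyze(segments):
    """Classify (flow, seq, payload_len) tuples in capture order."""
    tracker = SeqTracker()
    return [tracker.classify(*s) for s in segments]

# Constructed sample: two directions of one connection, (flow, seq, payload_len).
A = ("10.0.0.1", 40000, "10.0.0.2", 80)
B = ("10.0.0.2", 80, "10.0.0.1", 40000)
SAMPLE = [
    (A, 1000, 100), (A, 1100, 100), (A, 1000, 100), (A, 1150, 100),
    (A, 1400, 50), (A, 1450, 0),
    (B, MOD - 50, 100), (B, 50, 10), (B, MOD - 50, 100),  # crosses the 2**32 wrap
]

if __name__ == "__main__":
    for seg, verdict in zip(SAMPLE, analyze(SAMPLE)):
        print(seg[1], seg[2], verdict)
```

Comparing with a signed, wraparound-aware distance instead of `<` is what keeps the third segment of flow B classified correctly after the sequence number wraps.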