I took a look at a few retransmissions in your capture. They are not retransmissions, but they are duplicate packets. Duplicate packets mess up the TCP analysis engine of Wireshark.

You can tell that they are duplicates instead of retransmissions by looking at the ip.id field of the packets. A true retransmission is a new IP packet, so it would have a new ip.id. The retransmissions have the same ip.id as the original packet, which means somehow they are either duplicated on the network or duplicated during the capturing process.

As the ip.ttl and the MAC addresses of the first packet are different from the first "retransmission", you seem to be capturing before and after a routing hop, which also messes with Wireshark's TCP analysis engine.

So, please make sure you capture all packets only once.
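
The ip.id check described in the answer above, as an added example that is not part of the original post: a Python sketch that separates duplicated packets from true retransmissions in a `tshark -T fields` export. The sample rows, addresses and the `classify` helper are constructed for illustration, and the logic assumes the sender changes ip.id for every new IP packet.

```python
import csv
import io
from collections import defaultdict

# Constructed sample, shaped like the output of:
#   tshark -r capture.pcap -T fields -e frame.number -e eth.src -e ip.src -e ip.dst \
#          -e ip.id -e ip.ttl -e tcp.srcport -e tcp.dstport -e tcp.seq -e tcp.len
SAMPLE = """\
1\t00:11:22:33:44:01\t10.0.0.5\t192.0.2.10\t0x1a2b\t64\t50000\t443\t1\t1460
2\t00:11:22:33:44:02\t10.0.0.5\t192.0.2.10\t0x1a2b\t63\t50000\t443\t1\t1460
3\t00:11:22:33:44:01\t10.0.0.5\t192.0.2.10\t0x1a2c\t64\t50000\t443\t1461\t1460
4\t00:11:22:33:44:01\t10.0.0.5\t192.0.2.10\t0x1a2c\t64\t50000\t443\t1461\t1460
5\t00:11:22:33:44:01\t10.0.0.5\t192.0.2.10\t0x1a2d\t64\t50000\t443\t2921\t1460
6\t00:11:22:33:44:01\t10.0.0.5\t192.0.2.10\t0x1a3f\t64\t50000\t443\t2921\t1460
"""

FIELDS = ["frame", "mac", "src", "dst", "ip_id", "ttl", "sport", "dport", "seq", "len"]

def classify(text):
    """Return {frame_number: verdict} for every repeated TCP segment."""
    seen = defaultdict(list)   # (flow, seq, len) -> earlier packets carrying that segment
    verdicts = {}
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) != len(FIELDS) or "" in row:
            continue           # non-TCP or incomplete line: a field is missing
        pkt = dict(zip(FIELDS, row))
        if int(pkt["len"]) == 0:
            continue           # pure ACKs legitimately repeat sequence numbers
        key = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["seq"], pkt["len"])
        same_id = [p for p in seen[key] if int(p["ip_id"], 16) == int(pkt["ip_id"], 16)]
        if same_id:
            # Same segment in the same IP packet: a copy, not a resend.
            first = same_id[0]
            if (first["ttl"], first["mac"]) != (pkt["ttl"], pkt["mac"]):
                verdicts[int(pkt["frame"])] = "duplicate (captured before and after a routing hop)"
            else:
                verdicts[int(pkt["frame"])] = "duplicate (same capture point)"
        elif seen[key]:
            # Same segment, new IP packet: the sender really sent it again.
            verdicts[int(pkt["frame"])] = "retransmission (new ip.id)"
        seen[key].append(pkt)
    return verdicts

if __name__ == "__main__":
    for frame, verdict in sorted(classify(SAMPLE).items()):
        print(frame, verdict)
```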