
Some comments in the source code of the TCP dissector kind of explain it:

    /* RETRANSMISSION/FAST RETRANSMISSION/OUT-OF-ORDER
     * If the segment contains data (or is a SYN or a FIN) and
     * if it does not advance the sequence number, it must be one
     * of these three.
     * Only test for this if we know what the seq number should be
     * (tcpd->fwd->nextseq)
     *
     * Note that a simple KeepAlive is not a retransmission
     */

So, first condition to match is that the received segment does not have a sequence number that is equal to (or higher than) the next expected sequence number.

Then later on (after checking if the packet was a fast-retransmission):

    /* If the segment came relatively close since the segment with the highest
     * seen sequence number and it doesn't look like a retransmission
     * then it is an OUT-OF-ORDER segment.
     */

And in the code below that, it compares the delta time between this frame and the time of the frame with the highest received sequence number. If that delta is less than the initial round-trip time (or less than 3 ms when the 3-way-handshake was not captured), it is considered an out-of-order packet.

So in the case above, the proper order for packets from X to arrive would have been:

11. 198.41.209.139 → 192.168.1.100: SEQ=8205 – ACK=661 [ACK]
14. 198.41.209.139 → 192.168.1.100: SEQ=9645 – ACK=661 [ACK]
15. 198.41.209.139 → 192.168.1.100: SEQ=11085 – ACK=661 [ACK]
12. 198.41.209.139 → 192.168.1.100: SEQ=12525 – ACK=661 [PSH, ACK]

You could say that only frame 12 was received out-of-order, the rest was fine.

However, Wireshark interprets the packets as they come in and only keeps little state of the session to base the analysis on. This means when the packets arrive in this order:

11. 198.41.209.139 → 192.168.1.100: SEQ=8205 – ACK=661 [ACK]
12. 198.41.209.139 → 192.168.1.100: SEQ=12525 – ACK=661 [PSH, ACK]
14. 198.41.209.139 → 192.168.1.100: SEQ=9645 – ACK=661 [ACK]
15. 198.41.209.139 → 192.168.1.100: SEQ=11085 – ACK=661 [ACK]

The only thing it knows when packet 12 arrives is that there is data missing, hence the "Previous Segment not captured". Then when it receives frame 14, the sequence number is not advancing (as frame 12 has a higher sequence number) and the frame was received quickly, so it could not have been a retransmission. Therefore it labels it as an out-of-order. The same goes for packet 15.
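The heuristic described above, reduced to a small simulation that replays the four frames from the question in capture order (added example, not code from the answer or from the Wireshark dissector; it assumes 1440-byte segments and constructed timestamps, and omits the dup-ACK fast-retransmission check):

```python
"""Simplified model of the Wireshark TCP retransmission / out-of-order heuristic."""
from dataclasses import dataclass
from typing import List, Optional

FALLBACK_RTT = 0.003  # 3 ms, used when the 3-way handshake was not captured


@dataclass
class Segment:
    frame: int
    seq: int
    length: int    # payload bytes carried by the segment
    time: float    # capture timestamp in seconds (constructed values below)


def analyse(segments: List[Segment], initial_rtt: Optional[float] = None) -> List[str]:
    """Return one expert-info label per segment ('' means nothing unusual)."""
    threshold = initial_rtt if initial_rtt is not None else FALLBACK_RTT
    nextseq = None            # next expected seq (tcpd->fwd->nextseq in the dissector)
    highest_seq_time = 0.0    # time of the frame that carried the highest seq so far
    labels = []
    for s in segments:
        if nextseq is None:                       # first segment: nothing to compare against
            nextseq, highest_seq_time = s.seq + s.length, s.time
            labels.append("")
        elif s.seq > nextseq:                     # gap in the stream
            labels.append("Previous segment not captured")
            nextseq, highest_seq_time = s.seq + s.length, s.time
        elif s.length > 0 and s.seq + s.length <= nextseq:   # data, but seq does not advance
            if s.time - highest_seq_time < threshold:
                labels.append("Out-of-order")    # arrived too soon to be a resend
            else:
                labels.append("Retransmission")
        else:                                     # in-order (or partially overlapping) data
            labels.append("")
            nextseq = max(nextseq, s.seq + s.length)
            highest_seq_time = s.time
    return labels


# Constructed replay of frames 11, 12, 14, 15 plus a late resend of frame 11's data.
FRAMES = [
    Segment(11, 8205, 1440, 0.1000),
    Segment(12, 12525, 1440, 0.1005),
    Segment(14, 9645, 1440, 0.1010),
    Segment(15, 11085, 1440, 0.1015),
    Segment(20, 8205, 1440, 0.6000),   # same data half a second later: a real retransmission
]

if __name__ == "__main__":
    for seg, label in zip(FRAMES, analyse(FRAMES)):
        print(f"frame {seg.frame:2d} seq={seg.seq:5d} {label}")
```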