detecting duplication and retransmission

asked 2020-06-25 10:24:42 +0000

salwa1215

How can we distinguish duplication from TCP transmission, please? I understand that retransmission is done after not receiving the ACK flag and duplication is done after receiving the packet two times, but I want to know what we have to check in Wireshark to understand it. For duplication, the packet is sent with how many SEQ numbers and how many ACKs, please?

4 Answers

answered 2021-04-24 11:45:16 +0000

BigFatCat

"Is TCP Dup ACK considered as a duplicated packet also?"

In a TCP Duplicate ACK, the TCP segment is zero. In your upload, the TCP segment is 10.

"Why do I have the same ip.id for my retransmission packets, please?"

This is not normal for a TCP retransmission, but there isn't a rule that the IP ID must be different. It appears the sniffer captured the same packet. It could be a loop, wiring, or mirror configuration.

answered 2021-04-23 09:40:19 +0000

If you're trying to distinguish:

  • duplicate packets that were sent by host (because it didn't receive ACK)

vs

  • packets that were duplicated by some device in transit, you have

then: the sending host will mark each packet with a different ip.id, while packets duplicated in transit will have the same ip.id.

answered 2020-07-06 09:50:47 +0000

salwa1215

Thanks for your response.

Is TCP Dup ACK considered as a duplicated packet also?

And why do I have the same ip.id for my retransmission packets, please?

lost packet:

0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
Total Length: 50
Identification: 0x551e (21790)

Transmission Control Protocol, Src Port: 53549, Dst Port: 502, Seq: 241, Ack: 329, Len: 10
Source Port: 53549
Destination Port: 502
[Stream index: 0]
[TCP Segment Len: 10]
Sequence number: 241    (relative sequence number)
Sequence number (raw): 3676632249
[Next sequence number: 251    (relative sequence number)]
Acknowledgment number: 329    (relative ack number)
Acknowledgment number (raw): 1343048155
0101 .... = Header Length: 20 bytes (5)
Flags: 0x018 (PSH, ACK)
Window size value: 65372
[Calculated window size: 65372]
[Window size scaling factor: -1 (unknown)]
Checksum: 0xc82c [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0

Retransmit packet

Internet Protocol Version 4, Src: 192.168.1.2, Dst: 192.168.1.24
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
Total Length: 50
Identification: 0x551e (21790)
Flags: 0x4000, Don't fragment
Fragment offset: 0
Time to live: 128
Protocol: TCP (6)
Header checksum: 0x223d [validation disabled]
[Header checksum status: Unverified]
Source: 192.168.1.2
Destination: 192.168.1.24
Transmission Control Protocol, Src Port: 53549, Dst Port: 502, Seq: 241, Ack: 329, Len: 10
Source Port: 53549
Destination Port: 502
[Stream index: 0]
[TCP Segment Len: 10]
Sequence number: 241    (relative sequence number)
Sequence number (raw): 3676632249
[Next sequence number: 251    (relative sequence number)]
Acknowledgment number: 329    (relative ack number)
Acknowledgment number (raw): 1343048155
0101 .... = Header Length: 20 bytes (5)
Flags: 0x018 (PSH, ACK)
Window size value: 65372
[Calculated window size: 65372]
[Window size scaling factor: -1 (unknown)]
Checksum: 0xc82c [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0
[SEQ/ACK analysis]
[Timestamps]
TCP payload (10 bytes)
Retransmitted TCP segment data (10 bytes)

answered 2020-06-26 14:55:09 +0000

JasMan

Not sure if I understood your question completely. I assume that you want to know how you can distinguish duplicate packets from retransmissions in your capture.

A retransmission should be flagged as "TCP Retransmission" in the info column in Wireshark. It has the same SEQ and ACK values as the lost packet, but a different IP ID (ip.id) in the IP header.

Duplicate packets should be flagged as "TCP Spurious Retransmission" or "TCP Out-of-Order" in the info column. They have the same SEQ and ACK values as the original packet, and also the same IP ID (ip.id).

You can remove the duplicated packets from your capture file with "editcap.exe -d"
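
Added example (not from any of the answers above, and not Wireshark code): the ip.id comparison the answers describe, applied to packet fields copied out of a capture. The `Pkt` record, the label names and the last two sample packets are constructed for illustration, and the logic assumes the sending host assigns a new ip.id to every packet it emits.

```python
from collections import namedtuple

# One record per captured packet, holding the values Wireshark displays:
# addresses, TCP ports, ip.id, raw SEQ, raw ACK and TCP segment length.
Pkt = namedtuple("Pkt", "src dst sport dport ip_id seq ack length")

def classify(packets):
    """Return one label per packet, in capture order."""
    seen = {}  # (flow, seq, length) -> set of ip.id values already seen
    labels = []
    for p in packets:
        if p.length == 0:
            # Zero-length segments (pure ACKs, including Dup ACKs) carry
            # no data, so they fall into neither category.
            labels.append("no-payload")
            continue
        # ACK is left out of the key: a resend may carry a newer ACK value.
        key = (p.src, p.dst, p.sport, p.dport, p.seq, p.length)
        ids = seen.setdefault(key, set())
        if not ids:
            labels.append("first-seen")
        elif p.ip_id in ids:
            # Same ip.id: the same IP packet was captured again
            # (loop, wiring or mirror configuration).
            labels.append("duplicate-in-capture")
        else:
            # New ip.id: the host built and sent the segment again.
            labels.append("sender-retransmission")
        ids.add(p.ip_id)
    return labels

FLOW = ("192.168.1.2", "192.168.1.24", 53549, 502)
SAMPLE = [
    # Values from the two dumps posted in this thread (identical ip.id).
    Pkt(*FLOW, 0x551E, 3676632249, 1343048155, 10),
    Pkt(*FLOW, 0x551E, 3676632249, 1343048155, 10),
    # Constructed: the same segment resent by the host with a new ip.id.
    Pkt(*FLOW, 0x551F, 3676632249, 1343048155, 10),
    # Constructed: a pure ACK travelling in the reverse direction.
    Pkt("192.168.1.24", "192.168.1.2", 502, 53549, 0x0A01,
        1343048155, 3676632249, 0),
]

if __name__ == "__main__":
    for pkt, label in zip(SAMPLE, classify(SAMPLE)):
        print(hex(pkt.ip_id), pkt.seq, pkt.length, label)
```
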


Stats

Asked: 2020-06-25 10:24:42 +0000

Seen: 10,037 times

Last updated: Apr 24 '21