Dissector doesn't see retransmission packets

My dissector is registered to decode a bunch of ports:

tcp_table = DissectorTable.get ("tcp.port")
tcp_table:add (9000, S8HR_proto)
tcp_table:add (9001, S8HR_proto)
tcp_table:add (9002, S8HR_proto)

Sometimes Wireshark marks traffic on port 9001 as [TCP Retransmissions], and in that case the Lua dissector is either ignored or the packet decode gets overwritten, so the expected content remains buried in the "TCP payload".

Is there a chance to still have the Lua dissector working in the case of TCP retransmissions as well?


This has nothing to do with Lua; it has to do with the way the TCP dissector handles retransmissions.

If it's a retransmission, the original packet should have been dissected, so there should be no need to dissect the retransmission.

If it's not a retransmission, that's presumably an indication that TCP is mistakenly identifying it as a retransmission.

For some reason Wireshark was mistakenly identifying port 9001 traffic as a retransmission without showing the original packet first... maybe the far-end server was doing fuzzy things with its ACKs or there was some temporary different path selected... that would require a bit of analysis on the captured pcap.

Anyway, it seems that Wireshark either doesn't send retransmission packets through the dissector or it re-evaluates them internally, overwriting the dissector script output.

So that is just out of curiosity, since I agree it was a corner-case scenario and should not really happen.
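
The behaviour discussed in this thread, as an added example that is not part of any post above and is not Wireshark's code: a simplified model in which a TCP layer skips the subdissector for any segment it classifies as a retransmission. The classification rule, the `Segment` type, the function names and the sample frames are all assumptions constructed for illustration; the point is that a segment seen for the first time after later data has already been captured gets the same label as a true retransmission, and its payload is never decoded.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    frame: int      # frame number in the capture
    seq: int        # relative sequence number of the first payload byte
    payload: bytes

def analyze(segments, subdissector):
    """Model one direction of one TCP stream; return {frame: (label, decoded)}."""
    next_seq = None                      # highest seq+len seen so far
    results = {}
    for s in segments:
        end = s.seq + len(s.payload)
        if next_seq is not None and s.payload and end <= next_seq:
            # Every byte lies below data already seen: labelled a
            # retransmission and NOT handed to the subdissector.
            results[s.frame] = ("retransmission", None)
            continue
        label = "gap-before" if next_seq is not None and s.seq > next_seq else "ok"
        results[s.frame] = (label, subdissector(s.payload))
        next_seq = end if next_seq is None else max(next_seq, end)
    return results

def never_decoded(segments, subdissector):
    """Payloads present in the capture that no frame ever passed to the subdissector."""
    results = analyze(segments, subdissector)
    decoded = {s.payload for s in segments if results[s.frame][1] is not None}
    return {s.payload for s in segments} - decoded

def decode(payload):                     # stand-in for the protocol dissector
    return payload.decode("ascii")

# Constructed capture 1: a genuine retransmission; the original (frame 2) was decoded.
GENUINE = [Segment(1, 1, b"MSG-A"), Segment(2, 6, b"MSG-B"), Segment(3, 6, b"MSG-B")]

# Constructed capture 2: MSG-B reaches the capture point only after MSG-C,
# so its first and only appearance is labelled a retransmission.
REORDERED = [Segment(1, 1, b"MSG-A"), Segment(2, 11, b"MSG-C"), Segment(3, 6, b"MSG-B")]

if __name__ == "__main__":
    for name, cap in (("genuine", GENUINE), ("reordered", REORDERED)):
        print(name, analyze(cap, decode), "never decoded:", never_decoded(cap, decode))
```

In the second capture the "gap-before" label on frame 2 is the sign to look for in a real trace: data that fills such a gap later was never dissected earlier.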

