Ask Your Question
0

How can I find out if I have too many TCP Retransmissions

asked 2022-08-11 14:58:27 +0000

moltra gravatar image

updated 2022-08-11 15:32:42 +0000

cmaynard gravatar image

I am seeing a lot of TCP Retransmissions in my capture. How do I determine if I am getting too many?

It will not let me upload the image.

[TCP Retransmission] [TCP Port numbers reused] 65040  >  995 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=4 SACK_PERM=1

Echo (ping) request  id=0x0001, seq=9897/43302, ttl=128 (reply in 1589)
Echo (ping) reply    id=0x0001, seq=9897/43302, ttl=64 (request in 1588)
995  >  65040 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
[TCP Keep-Alive] 443  >  64991 [ACK] Seq=0 Ack=125 Win=29216 Len=0
[TCP Keep-Alive ACK] 64991  >  443 [ACK] Seq=125 Ack=1 Win=262656 Len=0
[TCP Retransmission] 80  >  64431 [FIN, ACK] Seq=1 Ack=2 Win=501 Len=0
[TCP ZeroWindow] 64431  >  80 [ACK] Seq=2 Ack=2 Win=0 Len=0
[TCP Retransmission] [TCP Port numbers reused] 65042  >  465 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=4 SACK_PERM=1

465  >  65042 [RST, ACK] Seq=1 Ack=1 Win=5840 Len=0
[TCP Retransmission] [TCP Port numbers reused] 65029  >  993 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=4 SACK_PERM=1

993  >  65029 [RST, ACK] Seq=1 Ack=1 Win=48 Len=0
[TCP Keep-Alive] 443  >  64946 [ACK] Seq=0 Ack=125 Win=29216 Len=0
[TCP Keep-Alive ACK] 64946  >  443 [ACK] Seq=125 Ack=1 Win=2097920 Len=0
[TCP Retransmission] [TCP Port numbers reused] 65047  >  993 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=4 SACK_PERM=1

993  >  65047 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
[TCP Retransmission] [TCP Port numbers reused] 65049  >  995 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=4 SACK_PERM=1

[TCP Retransmission] [TCP Port numbers reused] 65050  >  993 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=4 SACK_PERM=1

[TCP Retransmission] [TCP Port numbers reused] 65048  >  465 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=4 SACK_PERM=1

995  >  65049 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
993  >  65050 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
[TCP Retransmission] [TCP Port numbers reused] 65036  >  995 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=4 SACK_PERM=1

[TCP Retransmission] [TCP Port numbers reused] 65034  >  993 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=4 SACK_PERM=1

[TCP Retransmission] [TCP Port numbers reused] 65035  >  995 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=4 SACK_PERM=1

995  >  65036 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
995  >  65035 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
993  >  65034 [RST, ACK] Seq=1 Ack=1 Win=48 Len=0
465  >  65048 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
[TCP Retransmission] [TCP Port numbers reused] 65054  > ...
(more)
edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2022-08-11 17:22:57 +0000

ajaznawaz gravatar image

updated 2022-08-12 00:27:34 +0000

In my experience observing a significant number of retransmissions is hallmark for packet loss. It could also be a firewall for example somewhere along the path silently dropping if it is configured to do so.

Others, i'm certain, will have much more to add on this front keep a look out here for further responses.

If your pcap file is sprayed with retransmissions as if they came out from a pump action shotgun, then that is too many in my view, but a few here and there would not alarm me necessarily especially in the first instance.

The other way to measure if the retransmissions are 'too many' is to evaluate if the application or service are functioning much 'slower' than expected.

edit flag offensive delete link more

Comments

I am running a TP-Link M5 Deco with a gigabyte hard connection between the M5s. I do not get a lot of TCP_Retransmissions on WIFI only on the hard connections to my desktops. I am using a tp-link tl-sg105 coming out of the "Main" M5 and then running to the other M5s and the desktops.

moltra gravatar imagemoltra ( 2022-08-11 20:58:31 +0000 )edit

What is the performance if the device is hardwired? A problem with WI-FI is interference and congestion. Check which WI-FI standard the devices are connecting with, the number of active WI-FI users, and if there is a number AP with a strong signal using the same channel range. The older WI-FI standards are only half-duplex.

BigFatCat gravatar imageBigFatCat ( 2022-08-12 02:04:06 +0000 )edit

If I am hard connected, it usually kicks me to WIFI.

moltra gravatar imagemoltra ( 2022-08-12 03:03:44 +0000 )edit

There is a whole bunch of isses with WiFi in residential area's. Mainly because it's a matter of many boats with as many captains cruising at high speed in a small tub. Best practises often used in larger WiFi networks are totallly ignored leading towards problems you can only fix by sticking every one to channels 1, 6 and 11 on 2.4GHz for example.

However on a wired setup you should not have this. If it is managed then see if you can find something odd in the configuration. If not managed I would see if replacing cables solves the issue. Poor cabling can be a major pain.

hugo.vanderkooij gravatar imagehugo.vanderkooij ( 2022-08-12 06:56:34 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2022-08-11 14:58:27 +0000

Seen: 2,092 times

Last updated: Aug 12 '22