Ask Your Question
0

TCP SACK analysis best practice?

asked 2025-04-24 12:39:01 +0000

NJL gravatar image

Hi all,

I'm curious how others analyse captures with packet loss and subsequent SACKs.

What (tools) do you use to track the relationship between retransmissions and SACK LE / RE?

With repeated packet loss, retransmissions and SACKs in a capture with long'ish RTT I find it very very hard to keep track of what's been correctly received and what's still missing. It's an incredibly slow and painstaking process at best.

So far I haven't found any built-in way of doing this easily in Wireshark, but if such workflows exists, please enlighten me.

If other standalone tools are able to showcase this graphically or in some other more intuitive way, I'm also keen on hearing about it.

Thanks, Niels

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2025-04-24 14:26:11 +0000

SYN-bit gravatar image

Hi Niels, did you check the TCP streamgraph (tcptrace version)? It shows SACK blocks in red lines and they align to the missing packets and retransmitted packets. Indeed, long RTTs can make this process harder...

image description

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2025-04-24 12:39:01 +0000

Seen: 17 times

Last updated: 5 hours ago

Related questions

remove SLE SRE from pcap

Why this is not a "TCP previous segment not captured"

Does wireshark consider vlan ID before flagging a packet as TCP re-transmission

What kind of request most likely comes after this package?

TCP Retransmission - Delay with Windows 10!

Experimenting with No SACK

Why there is port mismatch in tcp and http header for port 51006. Also why the netstat in server do not shows connections under port 51006 even traffic is coming to this port.

Client is waiting for FIN flag from server for 30 sec

The follow tcp stream dialogue box contains gibberish

How to tell if TCP segment contains a data in Wireshark?