Ask Your Question
0

Proof if missing packets are present in capture

asked 2018-07-04 13:36:26 +0000

Werner gravatar image

updated 2018-07-04 13:47:56 +0000

Is there an easy way to proof if a packet, which was missed by the receiver and had to be retransmittet, is present in the capture? In my case I'm analyzing packet loss in a transfer and want to proof that the packet loss is not occuring at out network device, where I've captured the traffic.

Of course I can do this manually, but if I could check this for all 1800 retransmissions in my capture automatically it would be great.

Thanks, Werner

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
1

answered 2018-07-04 17:50:16 +0000

NJL gravatar image

updated 2018-07-04 17:52:04 +0000

If the original packet is in the capture and it's retransmitted for whatever reason, the retransmitted packet will be flagged as retransmission (fast, spurious or timer based retransmission).

If the original packet is not in the capture the retransmitted packet will be flagged as "out-of-order".

So yes, it should be relatively easy for you.

edit flag offensive delete link more

Comments

Provided we're talking about TCP here....

Jaap gravatar imageJaap ( 2018-07-04 19:03:07 +0000 )edit

I assumed that was the case yes, but you're absolutely correct.

NJL gravatar imageNJL ( 2018-07-04 19:20:39 +0000 )edit

If the original packet is not in the capture the retransmitted packet will be flagged as "out-of-order".

Even if the original packet is missing, Wireshark will still try to distinguish between retransmissions and true out-of-order packets. If the TCP three-way handshake packets are in the capture file, Wireshark versions 1.12.0 and later will flag the packet as out-of-order if it shows up within the Initial Round Trip Time from the preceding packet, and as a retransmission if it takes more than the Initial Round Trip Time. If the handshake packets are not present, or if it's a version prior to 1.12.0, Wireshark will compare to a hard-coded value of 3 ms instead of to the Initial Round Trip Time.

Wireshark can mis-identify out-of-order packets as retransmission, and vice versa, but it will not automatically identify retransmissions as out-of-order just because the original packet is not ...(more)

Jim Aragon gravatar imageJim Aragon ( 2018-07-05 03:31:07 +0000 )edit

Thanks for setting me straight, and thanks for the detailed explanation. Duly noted. :-)

NJL gravatar imageNJL ( 2018-07-05 04:49:35 +0000 )edit

Thanks for you quick replies! Of course, we are talking about TCP. After 10 years of using wireshark I didn't know, that the tag [retransmission] is only set, if the original packet is present in the capture. So if I filter on tcp.analysis.retransmission and tcp.analysis.outoforder, I will see in which cases the original packet was present and in which cases it wasn't. Given that the 3-way handshake is within the capture.

Thanks a lot!

Werner gravatar imageWerner ( 2018-07-05 07:49:04 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-07-04 13:36:26 +0000

Seen: 74 times

Last updated: Jul 04