Ask Your Question
0

How to filter out TCP retransmissions

asked 2017-11-17 15:58:21 +0000

Zahra gravatar image

I have the tcp and ip header of some captured traffic as follow:

1510103571.963031 MAC1> MAC2, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 39321, offset 0, flags [DF], proto TCP (6), length 60)
    ip1.43020 > ip2.443: Flags [S], cksum 0x6d38 (incorrect -> 0x742d), seq 373163901, win 65535, options [mss 1460,sackOK,TS val 6528740 ecr 0,nop,wscale 6], length 0

How can I filter out tcp retransmissions packets?

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
1

answered 2017-11-17 16:11:22 +0000

grahamb gravatar image

You can try the Wireshark (and tshark) display filter !(tcp.analysis.retransmission or tcp.analysis.fast_retransmission).

You can't use capture (BPF) filters as they have no knowledge of previous transmissions.

edit flag offensive delete link more

Comments

The captured traffic isn't in the readable format of the Wireshark. I have just the header of the captured traffic as the sample above. How can I filter out TCP retransmission myself using the header information?

Zahra gravatar imageZahra ( 2017-11-17 16:40:14 +0000 )edit

There is no direct flag transmitted on the wire in the tcp header saying it's a retransmission, it's inferred by sequence number analysis.

You'll have to do tcp reassembly and note when a sequence number is retransmitted.

grahamb gravatar imagegrahamb ( 2017-11-17 16:47:09 +0000 )edit

could you help me with it? how should I check them myself?

Zahra gravatar imageZahra ( 2017-11-17 20:54:25 +0000 )edit

Have a look at this SharkFest presentation from @Jasper on tcp analysis.

grahamb gravatar imagegrahamb ( 2017-11-17 22:33:51 +0000 )edit

Thanks @grahamb - but better use the PPT instead, because it has the animations: https://sharkfest.wireshark.org/asset...

Jasper gravatar imageJasper ( 2017-11-17 23:01:05 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2017-11-17 15:58:21 +0000

Seen: 41,780 times

Last updated: Nov 17 '17

Related questions

Capture incoming packets from remote web server

Localhost capturing

My UDP packets aren't showing

Using tshark filters to extract only interesting traffic from 12GB trace

Capture Filters - SSL Handshake or HEX

Is it possible to test a capture filter with already captured traffic?

How to capture UDP traffic and not NBNS traffic?

What is the udp.length display filter actually for?

How would I map this display filter to a capture filter?

Can't capture TLS certificate

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2