How to filter out TCP retransmissions

2017-11-17 15:58:21 +0000

Zahra

I have the TCP and IP headers of some captured traffic as follows:

1510103571.963031 MAC1> MAC2, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 39321, offset 0, flags [DF], proto TCP (6), length 60)
    ip1.43020 > ip2.443: Flags [S], cksum 0x6d38 (incorrect -> 0x742d), seq 373163901, win 65535, options [mss 1460,sackOK,TS val 6528740 ecr 0,nop,wscale 6], length 0

How can I filter out TCP retransmission packets?

1 Answer

2017-11-17 16:11:22 +0000

grahamb

You can try the Wireshark (and tshark) display filter !(tcp.analysis.retransmission or tcp.analysis.fast_retransmission).

You can't use capture (BPF) filters as they have no knowledge of previous transmissions.

The captured traffic isn't in Wireshark's readable format. I have just the header of the captured traffic, as in the sample above. How can I filter out TCP retransmissions myself using the header information?

Zahra ( 2017-11-17 16:40:14 +0000 )

There is no direct flag transmitted on the wire in the TCP header saying it's a retransmission; it's inferred by sequence-number analysis.

You'll have to do tcp reassembly and note when a sequence number is retransmitted.

grahamb ( 2017-11-17 16:47:09 +0000 )

Could you help me with it? How should I check them myself?

Zahra ( 2017-11-17 20:54:25 +0000 )

Have a look at this SharkFest presentation from @Jasper on tcp analysis.

grahamb ( 2017-11-17 22:33:51 +0000 )

Thanks @grahamb - but better to use the PPT instead, because it has the animations:

Jasper ( 2017-11-17 23:01:05 +0000 )
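One way to do the sequence-number bookkeeping grahamb describes, applied to the tcpdump-style text in the question, as an added example that is not part of this thread. It assumes tcpdump was run with -S (absolute sequence numbers, as the question's SYN line suggests); the segments after the question's own SYN are constructed, and the check only marks a segment whose whole byte range was already seen in the same direction, which is a simplification of Wireshark's analysis.

```python
import re

# Constructed tcpdump -S output in the question's format: the question's own SYN,
# that SYN repeated, a 50-byte payload segment, the same segment again, fresh data.
SAMPLE = """\
1510103571.963031 MAC1 > MAC2, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 39321, offset 0, flags [DF], proto TCP (6), length 60)
    ip1.43020 > ip2.443: Flags [S], cksum 0x6d38 (incorrect -> 0x742d), seq 373163901, win 65535, options [mss 1460,sackOK,TS val 6528740 ecr 0,nop,wscale 6], length 0
1510103572.971044 MAC1 > MAC2, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 39322, offset 0, flags [DF], proto TCP (6), length 60)
    ip1.43020 > ip2.443: Flags [S], cksum 0x6d38 (incorrect -> 0x742d), seq 373163901, win 65535, options [mss 1460,sackOK,TS val 6529748 ecr 0,nop,wscale 6], length 0
1510103573.002117 MAC1 > MAC2, ethertype IPv4 (0x0800), length 116: (tos 0x0, ttl 64, id 39323, offset 0, flags [DF], proto TCP (6), length 102)
    ip1.43020 > ip2.443: Flags [P.], cksum 0x6d62 (incorrect -> 0x1a0b), seq 373163902:373163952, ack 2915081347, win 1024, options [nop,nop,TS val 6529780 ecr 4191282], length 50
1510103573.241902 MAC1 > MAC2, ethertype IPv4 (0x0800), length 116: (tos 0x0, ttl 64, id 39324, offset 0, flags [DF], proto TCP (6), length 102)
    ip1.43020 > ip2.443: Flags [P.], cksum 0x6d62 (incorrect -> 0x1a0b), seq 373163902:373163952, ack 2915081347, win 1024, options [nop,nop,TS val 6530020 ecr 4191282], length 50
1510103573.250310 MAC1 > MAC2, ethertype IPv4 (0x0800), length 166: (tos 0x0, ttl 64, id 39325, offset 0, flags [DF], proto TCP (6), length 152)
    ip1.43020 > ip2.443: Flags [P.], cksum 0x6d94 (incorrect -> 0x52c1), seq 373163952:373164052, ack 2915081347, win 1024, options [nop,nop,TS val 6530028 ecr 4191283], length 100
"""

TS_LINE = re.compile(r"^(\d+\.\d+) ")
TCP_LINE = re.compile(
    r"^\s+(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?\bseq (?P<seq>\d+)(?::\d+)?.*\blength (?P<len>\d+)\s*$"
)

def parse_segments(text: str) -> list[dict]:
    """Pair each indented TCP line with the timestamp of the IP line above it.
    Pure ACKs carry no 'seq' field and are skipped: with no data they cannot be retransmitted."""
    segs, ts = [], None
    for line in text.splitlines():
        if (m := TS_LINE.match(line)):
            ts = float(m.group(1))
        elif (m := TCP_LINE.match(line)):
            d = m.groupdict()
            segs.append({"ts": ts, "src": d["src"], "dst": d["dst"], "flags": d["flags"],
                         "sport": int(d["sport"]), "dport": int(d["dport"]), "seq": int(d["seq"]), "len": int(d["len"])})
    return segs

def find_retransmissions(segs: list[dict]) -> list[int]:
    """Indexes of segments whose whole sequence range was already seen in that direction.
    SYN and FIN each consume one sequence number. Unlike Wireshark there is no out-of-order
    or spurious-retransmission class, and 32-bit sequence-number wrap is not handled."""
    highest: dict[tuple[str, int, str, int], int] = {}   # per direction: highest seq end seen
    hits = []
    for i, s in enumerate(segs):
        key = (s["src"], s["sport"], s["dst"], s["dport"])
        consumed = s["len"] + ("S" in s["flags"]) + ("F" in s["flags"])
        end = s["seq"] + consumed
        if consumed and key in highest and end <= highest[key]:
            hits.append(i)
        highest[key] = max(highest.get(key, 0), end)
    return hits
```

Run it over the output of `tcpdump -S -n -v` saved as text; segments flagged by `find_retransmissions` are the ones the `tcp.analysis.retransmission` display filter would remove.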

Asked: 2017-11-17 15:58:21 +0000

Seen: 43,665 times

Last updated: Nov 17 '17