I did some original captures on a computer sitting outside our firewall and saw a lot of TCP DUP ACK/TCP Retransmission while web browsing. Thought I was having an ISP issue but their testing is indicating no trouble. I thought this message indicated dropped frames. Am I incorrect?

I did another capture between two computers on a 24 port switch, no Internet, no connection other than to each other. One computer copying data from the second and the third doing the capture. I still see these messages.

This capture is me going to Foxnews


Can someone explain if this is normal? Thanks

asked 07 May '13, 10:46

dmcmasters

TCP has this inherent mechanism of recovery. In tcp stream eq 8 of your trace there was a condition of retransmission generated due to timing but not because of drops. Here is the snippet of your trace.

Step-1) Server sent a packet to the client (let us call it packet-A) {Packet.no-150}

Step-2) Client acknowledged the packet (let us call it ack-A) {Packet.no-192}

Step-3) Somehow packet-A was retransmitted by the server. The reason might be the delay in receiving ack-A from the client: the ack timer ran out and the retransmission timer kicked in. (Dup of packet-A) {Packet.no-194}

Step-4) Client generated a duplicate ack for the retransmitted packet. (Dup of ack-A) {Packet.no-195}

It does not always imply losses whenever you see these retransmissions and duplicate acks. How timers are implemented also plays a role. With that said, leaving it to expert opinions....


answered 07 May '13, 17:33

krishnayeddula

edited 07 May '13, 20:13
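
The sequence in the answer above, as an added example that is not part of the original post: a simplified Python classifier that marks a retransmission as spurious when the capture already contains the ACK for that data. Frame numbers come from the answer; the seq/ack/length values and the names `Seg` and `classify` are constructed for illustration, and the duplicate-ACK check is deliberately simpler than Wireshark's own analysis.

```python
from collections import namedtuple

# Constructed sample: one TCP stream as seen at the capture point.
# Frame numbers follow the answer (150, 192, 194, 195); seq/ack/len are invented.
Seg = namedtuple("Seg", "frame src seq length ack")

SAMPLE = [
    Seg(150, "server", 1000, 500, 1),   # packet-A
    Seg(192, "client", 1, 0, 1500),     # ack-A
    Seg(194, "server", 1000, 500, 1),   # packet-A again
    Seg(195, "client", 1, 0, 1500),     # duplicate of ack-A
    Seg(196, "server", 1500, 500, 1),   # new data, not flagged
]

def classify(segments):
    """Return {frame: label} for retransmissions and duplicate ACKs."""
    peer = {"server": "client", "client": "server"}
    next_seq = {}   # sender -> highest seq+len seen so far
    acked = {}      # sender -> highest ack number its peer has sent
    last_ack = {}   # sender -> ack number of its previous pure ACK
    labels = {}
    for s in segments:
        end = s.seq + s.length
        if s.length > 0:
            if end <= next_seq.get(s.src, 0):
                # Data already seen. If the peer had already acknowledged it
                # at this capture point, it was not lost on the way there.
                if end <= acked.get(s.src, 0):
                    labels[s.frame] = "spurious retransmission"
                else:
                    labels[s.frame] = "retransmission"
            next_seq[s.src] = max(next_seq.get(s.src, 0), end)
        else:
            # Simplified: a pure ACK repeating the previous ack number.
            if last_ack.get(s.src) == s.ack:
                labels[s.frame] = "duplicate ack"
            last_ack[s.src] = s.ack
        # Record what this sender has acknowledged of its peer's data.
        acked[peer[s.src]] = max(acked.get(peer[s.src], 0), s.ack)
    return labels

if __name__ == "__main__":
    for frame, label in classify(SAMPLE).items():
        print(frame, label)
```

A retransmission labelled plain "retransmission" has no earlier ACK in the capture, so loss (or a capture point that missed the ACK) remains possible; the spurious label points at timing instead.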

You may filter out those DUPs from Wireshark's display:

!expert.message == "Retransmission (suspected)" && !expert.message == "Duplicate ACK (#1)" && !expert.message == "Out-Of-Order segment"

Taken from http://thevisiblenetwork.com/2014/02/11/filter-duplicate-packets-from-a-capture-file/


answered 26 Sep '14, 01:22

cweiske

Couldn't get your filter working. This one worked for me though:

!tcp.analysis.out_of_order && ((!tcp.analysis.duplicate_ack_num == 1) || (!tcp.analysis.duplicate_ack_num == 2))

(29 Sep '14, 13:33) DarrenWright

The latest release(s) changed the expert. field names to _ws.expert.. So the filter above will still work when it is corrected using the new syntax:

!_ws.expert.message == "Retransmission (suspected)" && !_ws.expert.message == "Duplicate ACK (#1)" && !_ws.expert.message == "Out-Of-Order segment"

(29 Sep '14, 14:00) mrEEde

Asked: 07 May '13, 10:46

Seen: 89,642 times

Last updated: 29 Sep '14, 14:00