
How does wireshark detect TCP retransmissions?


I was looking at two traces, one from the sending side where I saw the original packet and the retransmitted packet. I can understand how wireshark would flag the second packet as a retransmission in the expert info because it would simply need to look for two packets with the same sequence number. However, in the second capture where the first packet is missing and I only see the retransmitted packet, I'm wondering how wireshark was able to detect that the packet was a retransmit? Can someone explain how it knows this?

asked 03 Oct '13, 14:02


a5snc
accept rate: 0%


One Answer:


Sure. If packets are in the correct order, the TCP sequence number is either the same (if the previous packet had no content) or greater than the sequence number in the previous packet. So the current sequence number must always be greater than or equal to the previous number, and if Wireshark sees a retransmission the sequence number is "old", thus less than the sequence number of the packet it has previously seen (mathematically "monotonically increasing").

Well, it's a little more complicated than this actually, because a packet arriving after another in the wrong order could also be a simple "Out-of-Order" situation. In Wireshark there is a hard coded limit of 3 milliseconds, after which an "out of order" packet is marked "retransmission" instead.

answered 03 Oct '13, 14:13


Jasper ♦♦
accept rate: 18%

edited 03 Oct '13, 14:22
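The heuristic in the answer, as an added example that is not part of the original thread and not Wireshark's own code: track the highest sequence number seen in one direction of a TCP stream, treat any segment whose sequence number falls below it as "old", and then use the 3 ms limit the answer mentions to separate out-of-order from retransmission. The segment records and the timing reference (time since the segment that last advanced the expected sequence number) are constructed assumptions for this script; the real dissector applies more conditions than this. A segment that jumps ahead of the expected sequence number is labelled as a gap, which is the situation in the asker's second capture where the original segment was never seen.

```python
from dataclasses import dataclass
from typing import List

# Hard-coded limit quoted in the answer: old data arriving within this
# window of the newest data is "out-of-order", later than that it is
# a "retransmission".
OUT_OF_ORDER_WINDOW_SECONDS = 0.003


@dataclass
class Segment:
    """One TCP segment from a single direction of a stream (constructed record)."""
    ts: float      # capture timestamp in seconds
    seq: int       # TCP sequence number (relative is fine)
    length: int    # payload bytes carried by this segment


def classify_segments(segments: List[Segment]) -> List[str]:
    """Label each segment using the sequence-number heuristic from the answer.

    next_expected is the highest (seq + length) seen so far, i.e. the next
    sequence number we expect the sender to use. Anything below it is old data.
    """
    labels = []
    next_expected = None      # nothing seen yet
    last_advance_ts = None    # timestamp of the segment that last moved next_expected

    for s in segments:
        if next_expected is None:
            # First segment in this direction: nothing to compare against.
            label = "in-order"
        elif s.seq == next_expected:
            # Same as expected: a pure ACK (length 0) or the next data segment.
            label = "in-order"
        elif s.seq > next_expected:
            # Sequence number jumped ahead: a segment before this one was lost
            # or not captured. This is the asker's second-capture case.
            label = "gap (previous segment not captured)"
        else:
            # seq is below what has already been seen: old data. Decide by time.
            if s.ts - last_advance_ts <= OUT_OF_ORDER_WINDOW_SECONDS:
                label = "out-of-order"
            else:
                label = "retransmission"

        end = s.seq + s.length
        if next_expected is None or end > next_expected:
            next_expected = end
            last_advance_ts = s.ts
        labels.append(label)
    return labels


# Constructed sample: one direction of a stream, relative sequence numbers.
SAMPLE_SEGMENTS = [
    Segment(ts=0.000, seq=1,   length=100),   # first data segment
    Segment(ts=0.001, seq=101, length=100),   # next in sequence
    Segment(ts=0.002, seq=301, length=100),   # seq 201..300 never seen -> gap
    Segment(ts=0.003, seq=201, length=100),   # old, but within 3 ms -> out-of-order
    Segment(ts=0.250, seq=301, length=100),   # old and 248 ms later -> retransmission
    Segment(ts=0.260, seq=401, length=0),     # pure ACK, same seq as expected
]


def sample_labels() -> List[str]:
    """Run the classifier over the constructed sample."""
    return classify_segments(SAMPLE_SEGMENTS)


if __name__ == "__main__":
    for seg, label in zip(SAMPLE_SEGMENTS, sample_labels()):
        print(f"t={seg.ts:.3f}s seq={seg.seq:<4} len={seg.length:<4} {label}")
```

The timing reference matters: the same old segment is out-of-order when it arrives almost together with the newer data (a reordering in the network) and a retransmission when it shows up much later (the sender's timer fired). A pure ACK reuses the expected sequence number, so it is in-order, matching the answer's "same (if the previous packet had no content)" case.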