Finding retransmissions using tshark or Wireshark seems to be quite simple, using the tcp.analysis.retransmission or tcp.analysis.fast_retransmission display filters. However, my question is with regard to the segments that are flagged by these filters. Do they flag both the initial transmission and the retransmission (and later ones), or do they tag only the first retransmitted segment (and later ones)? I have not been able to find a reference for this.
Appreciate your help! /Jamie
asked 11 Feb '16, 01:05
The original will not be tagged, only the retransmitted copies. You need to find the originals by searching for the sequence number found in the retransmitted packet.
For further reference about packet dependency filtering you might want to take a look at this:
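Added example, not part of the original answer and not the reference it mentions: a Python sketch of the lookup described above, pairing each flagged retransmission with the earliest unflagged segment that has the same stream, sender and sequence number. The column layout, the sample rows and the `capture.pcap` name are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample of tshark field output (not from a real capture), e.g. from:
#   tshark -r capture.pcap -Y "tcp.len > 0" -T fields -E separator=, \
#     -e frame.number -e tcp.stream -e ip.src -e tcp.srcport -e tcp.seq -e tcp.len \
#     -e tcp.analysis.retransmission -e tcp.analysis.fast_retransmission
SAMPLE = """\
10,0,10.0.0.1,50000,1,1460,,
11,0,10.0.0.1,50000,1461,1460,,
12,0,10.0.0.2,443,1,500,,
15,0,10.0.0.1,50000,1461,1460,1,
18,0,10.0.0.1,50000,1461,1460,1,
20,1,10.0.0.1,50001,1,100,,
21,1,10.0.0.1,50001,1,100,,1
28,2,10.0.0.3,50002,4381,1460,,
30,2,10.0.0.3,50002,2921,1460,1,
"""

def pair_retransmissions(text):
    """Return [(retransmitted_frame, original_frame_or_None, display_filter)]."""
    first_seen = {}  # (stream, src, sport, seq) -> first unflagged frame number
    results = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 6:
            continue  # skip blank or truncated lines
        row += [""] * (8 - len(row))  # flag columns may be missing entirely
        frame, stream, src, sport, seq, _len, retx, fast = row[:8]
        key = (stream, src, sport, seq)
        if retx or fast:  # any non-empty value means the frame was flagged
            flt = (f"tcp.stream == {stream} && ip.src == {src} && "
                   f"tcp.srcport == {sport} && tcp.seq == {seq}")
            # None: the original never reached the capture point
            results.append((int(frame), first_seen.get(key), flt))
        else:
            first_seen.setdefault(key, int(frame))
    return results

if __name__ == "__main__":
    for retx_frame, original, flt in pair_retransmissions(SAMPLE):
        print(f"frame {retx_frame}: original={original}  filter: {flt}")
```

The exact sequence-number match only finds the original when the retransmission uses the same segment boundaries; a retransmission that was re-segmented starts at a different sequence number and needs a range comparison using tcp.len instead.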