OSQA is unmaintained. Help us figure out where to go from here.

Hi,

Finding retransmissions using tshark or wireshark seems to be quite simple, using the tcp.analysis.retransmission or tcp.analysis.fast_retransmission display filters. However, my question is with regard to the segments that are flagged by these filters. Do they flag both the initial transmission and the retransmission (and later ones) or do they tag only the first retransmitted segment (and later ones). I have not been able to find a reference for this.

Appreciate your help! /Jamie

asked 11 Feb '16, 01:05

Jamie_unix's gravatar image

Jamie_unix
11113
accept rate: 0%

My tests lead me to conclude that it tags only the retransmissions. So, was wondering if there is a filter with which I can flag both the originals and the retransmissions?

(11 Feb '16, 01:18) Jamie_unix

The original will not be tagged, only the retransmitted copies. You need to find the originals by searching for the sequence number found in the retransmitted packet.

For further reference about packet dependency filtering you might want to take a look at this:

https://blog.packet-foo.com/2015/03/advanced-display-filtering/

permanent link

answered 11 Feb '16, 01:43

Jasper's gravatar image

Jasper ♦♦
23.3k551281
accept rate: 18%

edited 11 Feb '16, 01:44

Thanks Jasper. I will look into that. Is there a quick way to get seq numbers of the retransmissions? By default it does not seem to show them.

(11 Feb '16, 01:52) Jamie_unix

Figuring that out was straight forward. just requires -T fields -e tcp.seq.

(11 Feb '16, 02:01) Jamie_unix
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×816
×735
×3

question asked: 11 Feb '16, 01:05

question was seen: 1,186 times

last updated: 20 Apr, 00:30

p​o​w​e​r​e​d by O​S​Q​A