detecting duplication and retransmission

How can we distinguish duplication from transmission tcp plz? I understand that the retransmission is done after not receiving the ACK flag and the duplication is done after receiving the packet two times, but I want to know what we have to check in Wireshark to understand it. For duplication, the packet is sent with how many seq numbers and how many ACKs plz?

salwa1215
asked 2020-06-25 10:24:42 +0000

4 Answers

Not sure if I understood your question completely. I assume that you want to know how you can distinguish duplicate packets from retransmissions in your capture.

A retransmission should be flagged as "TCP Retransmission" in the info column in Wireshark. It has the same SEQ and ACK values as the lost packet, but a different IP ID (ip.id) in the IP header.

Duplicate packets should be flagged as "TCP Spurious Retransmission" or "TCP Out-of-Order" in the info column. It has the same SEQ and ACK values as the original packet, and also the same IP ID (ip.id).

You can remove the duplicated packets from your capture file with "editcap.exe -d"

JasMan
answered 2020-06-26 14:55:09 +0000

Thanks for your response.

Is TCP Dup ACK also considered a duplicated packet?

And why do I have the same ip.id for my retransmission packets plz?

lost packet:

0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
Total Length: 50
Identification: 0x551e (21790)

Transmission Control Protocol, Src Port: 53549, Dst Port: 502, Seq: 241, Ack: 329, Len: 10
Source Port: 53549
Destination Port: 502
[Stream index: 0]
[TCP Segment Len: 10]
Sequence number: 241    (relative sequence number)
Sequence number (raw): 3676632249
[Next sequence number: 251    (relative sequence number)]
Acknowledgment number: 329    (relative ack number)
Acknowledgment number (raw): 1343048155
0101 .... = Header Length: 20 bytes (5)
Flags: 0x018 (PSH, ACK)
Window size value: 65372
[Calculated window size: 65372]
[Window size scaling factor: -1 (unknown)]
Checksum: 0xc82c [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0

Retransmit packet

Internet Protocol Version 4, Src: 192.168.1.2, Dst: 192.168.1.24
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
Total Length: 50
Identification: 0x551e (21790)
Flags: 0x4000, Don't fragment
Fragment offset: 0
Time to live: 128
Protocol: TCP (6)
Header checksum: 0x223d [validation disabled]
[Header checksum status: Unverified]
Source: 192.168.1.2
Destination: 192.168.1.24
Transmission Control Protocol, Src Port: 53549, Dst Port: 502, Seq: 241, Ack: 329, Len: 10
Source Port: 53549
Destination Port: 502
[Stream index: 0]
[TCP Segment Len: 10]
Sequence number: 241    (relative sequence number)
Sequence number (raw): 3676632249
[Next sequence number: 251    (relative sequence number)]
Acknowledgment number: 329    (relative ack number)
Acknowledgment number (raw): 1343048155
0101 .... = Header Length: 20 bytes (5)
Flags: 0x018 (PSH, ACK)
Window size value: 65372
[Calculated window size: 65372]
[Window size scaling factor: -1 (unknown)]
Checksum: 0xc82c [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0
[SEQ/ACK analysis]
[Timestamps]
TCP payload (10 bytes)
Retransmitted TCP segment data (10 bytes)
salwa1215
answered 2020-07-06 09:50:47 +0000

If you're trying to distinguish:

  • duplicate packets that were sent by host (because it didn't receive ACK)

vs

  • packets that were duplicated by some device in transit, you have

then: sending host will mark each packet with different ip.id, while packets duplicated in transit will have the same ip.id

Alexey Vorobyev
answered 2021-04-23 09:40:19 +0000

"Is TCP Dup ACK considered as a duplicated packets also ?"

TCP Duplicate ACK: the TCP segment is zero. In your upload, the TCP segment is 10.

"Why I have the same ip.id for my retransmission packets plz ?"

This is not normal for a TCP retransmission, but there isn't a rule that the IP ID must be different. It appears the sniffer captured the same packet. It could be a loop, wiring, or mirror configuration.

BigFatCat
answered 2021-04-24 11:45:16 +0000
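
The ip.id comparison discussed in the answers above, as an added example that is not part of any poster's answer: it labels each frame that repeats an earlier segment (same addresses, ports, SEQ, ACK and length) by whether the IP ID also repeats and whether the segment carries data. The tab-separated input format, the file name `capture.pcapng`, the label strings and all sample rows except the values quoted in the thread are assumptions, and since nothing requires a sender to change the IP ID, the labels are hints rather than proof.

```python
from collections import defaultdict

# Constructed sample, in the column order produced by:
#   tshark -r capture.pcapng -T fields -e frame.number -e ip.src -e ip.dst \
#     -e ip.id -e tcp.srcport -e tcp.dstport -e tcp.seq -e tcp.ack -e tcp.len
# Frames 1-2 reuse the values shown in the thread; frames 3-6 are made up.
ROWS = [
    ("1", "192.168.1.2", "192.168.1.24", "0x551e", "53549", "502", "241", "329", "10"),
    ("2", "192.168.1.2", "192.168.1.24", "0x551e", "53549", "502", "241", "329", "10"),
    ("3", "192.168.1.24", "192.168.1.2", "0x1a2b", "502", "53549", "329", "251", "0"),
    ("4", "192.168.1.24", "192.168.1.2", "0x1a2c", "502", "53549", "329", "251", "0"),
    ("5", "192.168.1.2", "192.168.1.24", "0x551f", "53549", "502", "251", "329", "12"),
    ("6", "192.168.1.2", "192.168.1.24", "0x5520", "53549", "502", "251", "329", "12"),
]
SAMPLE = "\n".join("\t".join(row) for row in ROWS)


def classify(tsv):
    """Return {frame number: label} for every frame that repeats an earlier segment."""
    seen = defaultdict(list)  # segment key -> IP IDs already seen for that segment
    labels = {}
    for line in tsv.strip().splitlines():
        frame, src, dst, ip_id, sport, dport, seq, ack, length = line.split("\t")
        ip_id = int(ip_id, 0)  # accepts "0x551e" as well as "21790"
        key = (src, dst, sport, dport, seq, ack, length)
        earlier_ids = seen[key]
        if earlier_ids:
            if ip_id in earlier_ids:
                # Identical IP header too: the same packet was captured twice
                # (loop, wiring or mirror configuration).
                labels[int(frame)] = "duplicate (same ip.id)"
            elif int(length) == 0:
                # No payload: a repeated ACK, not repeated data.
                labels[int(frame)] = "repeated ACK (zero-length segment)"
            else:
                # Same data sent again in a new IP packet by the sending host.
                labels[int(frame)] = "retransmission (new ip.id)"
        earlier_ids.append(ip_id)
    return labels


if __name__ == "__main__":
    for frame, label in sorted(classify(SAMPLE).items()):
        print(frame, label)
```

The zero-length branch is a simplification: it only checks that the repeated segment has no payload and does not reproduce Wireshark's own Dup ACK analysis.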