
Dissector doesn't see retransmission packets

Hello,

my dissector is registered to decode a bunch of ports:

tcp_table = DissectorTable.get ("tcp.port")
tcp_table:add (9000, S8HR_proto)
tcp_table:add (9001, S8HR_proto)
tcp_table:add (9002, S8HR_proto)

Sometimes Wireshark marks traffic on port 9001 as [TCP Retransmissions], and in that case the Lua dissector is either ignored or the packet decode gets overwritten, so the expected content remains buried in the "TCP payload".

Is there a chance to still have the Lua dissector working in the case of TCP retransmissions as well?

Thx!

sezb51 asked 2021-09-16 05:11:44 +0000
Guy Harris updated 2021-09-16 08:00:57 +0000


1 Answer


This has nothing to do with Lua; it has to do with the way the TCP dissector handles retransmissions.

If it's a retransmission, the original packet should have been dissected, so there should be no need to dissect the retransmission.

If it's not a retransmission, that's presumably an indication that TCP is mistakenly identifying it as a retransmission.

Guy Harris answered 2021-09-16 08:03:07 +0000

Comments

For some reason Wireshark was mistakenly identifying port 9001 traffic as retransmission without showing the original packet first... maybe the far-end server was doing fuzzy things on their ACK, or there was some temporary different path selected... that would require a bit of analysis on the captured pcap.

Anyway, it seems that Wireshark either doesn't send retransmission packets through the dissector or it does re-evaluate it internally, overwriting the dissector script output.

So that is just out of my curiosity, since I agree it was a corner-case scenario and should not really happen.

sezb51 (2021-09-16 12:33:15 +0000)
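
For the capture analysis mentioned in the comment above, a Lua tap can list every frame on ports 9000 to 9002 that the TCP dissector flagged as a retransmission and report whether an unflagged segment with the same sequence number and length appears elsewhere in the file. This is an added example, not code from the thread; it assumes Wireshark's TCP sequence analysis is enabled and matches only exact (seq, len) pairs, so a re-segmented retransmission shows up as unmatched.

```lua
-- Added example, not from the original thread. Load it into tshark with
--   tshark -q -r <capture> -X lua_script:<this file>
-- Field extractors must be created at load time, outside the callbacks.
local f_retrans = Field.new("tcp.analysis.retransmission")
local f_stream  = Field.new("tcp.stream")
local f_seq     = Field.new("tcp.seq")
local f_len     = Field.new("tcp.len")

-- Ports taken from the question; the "frame" tap sees every matching packet.
local tap = Listener.new("frame",
    "tcp.port == 9000 || tcp.port == 9001 || tcp.port == 9002")

local first_seen = {}  -- segment key -> frame number of first unflagged copy
local flagged    = {}  -- list of { frame = n, key = k } for flagged frames

function tap.reset()
    first_seen, flagged = {}, {}
end

function tap.packet(pinfo, tvb)
    local stream, seq, len = f_stream(), f_seq(), f_len()
    -- Skip non-TCP frames and pure ACKs (no payload to hand to a dissector).
    if not (stream and seq and len) or len.value == 0 then return end
    -- One key per stream direction and exact (seq, len) range.
    local key = string.format("%s|%s:%d|%s|%s", tostring(stream.value),
        tostring(pinfo.src), pinfo.src_port,
        tostring(seq.value), tostring(len.value))
    if f_retrans() then
        flagged[#flagged + 1] = { frame = pinfo.number, key = key }
    elseif not first_seen[key] then
        first_seen[key] = pinfo.number
    end
end

function tap.draw()
    for _, r in ipairs(flagged) do
        local orig = first_seen[r.key]
        if orig then
            print(string.format("frame %d: same segment as frame %d",
                r.frame, orig))
        else
            print(string.format("frame %d: flagged, no matching segment in capture",
                r.frame))
        end
    end
end
```

Frames reported without a matching segment are the ones whose payload was never seen unflagged in the capture, which is the case the comment describes.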