0

Prove if missing packets are present in capture

Is there an easy way to prove if a packet, which was missed by the receiver and had to be retransmitted, is present in the capture? In my case I'm analyzing packet loss in a transfer and want to prove that the packet loss is not occurring at our network device, where I've captured the traffic.

Of course I can do this manually, but if I could check this for all 1800 retransmissions in my capture automatically it would be great.

Thanks, Werner

Werner
asked 2018-07-04 13:36:26 +0000, updated 2018-07-04 13:47:56 +0000

1 Answer

1

If the original packet is in the capture and it's retransmitted for whatever reason, the retransmitted packet will be flagged as retransmission (fast, spurious or timer based retransmission).

If the original packet is not in the capture the retransmitted packet will be flagged as "out-of-order".

So yes, it should be relatively easy for you.

NJL
answered 2018-07-04 17:50:16 +0000, updated 2018-07-04 17:52:04 +0000

Comments

Provided we're talking about TCP here....

Jaap (2018-07-04 19:03:07 +0000)

I assumed that was the case yes, but you're absolutely correct.

NJL (2018-07-04 19:20:39 +0000)

If the original packet is not in the capture the retransmitted packet will be flagged as "out-of-order".

Even if the original packet is missing, Wireshark will still try to distinguish between retransmissions and true out-of-order packets. If the TCP three-way handshake packets are in the capture file, Wireshark versions 1.12.0 and later will flag the packet as out-of-order if it shows up within the Initial Round Trip Time from the preceding packet, and as a retransmission if it takes more than the Initial Round Trip Time. If the handshake packets are not present, or if it's a version prior to 1.12.0, Wireshark will compare to a hard-coded value of 3 ms instead of to the Initial Round Trip Time.

Wireshark can mis-identify out-of-order packets as retransmission, and vice versa, but it will not automatically identify retransmissions as out-of-order just because the original packet is not ... (more)

Jim Aragon (2018-07-05 03:31:07 +0000)

Thanks for setting me straight, and thanks for the detailed explanation. Duly noted. :-)

NJL (2018-07-05 04:49:35 +0000)

Thanks for your quick replies! Of course, we are talking about TCP. After 10 years of using Wireshark I didn't know that the tag [retransmission] is only set if the original packet is present in the capture. So if I filter on tcp.analysis.retransmission and tcp.analysis.outoforder, I will see in which cases the original packet was present and in which cases it wasn't. Given that the 3-way handshake is within the capture.

Thanks a lot!

Werner (2018-07-05 07:49:04 +0000)
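
An added example, not part of the thread and not Wireshark's own code: a simplified Python model of the decision described in Jim Aragon's comment, run over a constructed segment list so every below-the-window segment is labelled with whether its original bytes were seen at the capture point. The names `Seg`, `classify` and all sample values are assumptions, and "preceding packet" is taken here to mean the previous data segment in the same direction.

```python
from collections import namedtuple

# One TCP data segment as seen at the capture point (times in seconds).
Seg = namedtuple("Seg", "frame time flow seq length")
FALLBACK_THRESHOLD = 0.003  # the 3 ms used when no handshake (iRTT) is available

def classify(segments, irtt=None):
    """Label every data segment that starts below the highest sequence number
    already seen in its flow direction. Returns {frame: label}."""
    threshold = irtt if irtt is not None else FALLBACK_THRESHOLD
    state = {}   # flow -> [next expected seq, time of preceding segment, seen ranges]
    labels = {}
    for s in sorted(segments, key=lambda s: s.time):
        if s.length == 0:                 # pure ACKs carry no payload
            continue
        st = state.setdefault(s.flow, [s.seq, s.time, []])
        next_seq, prev_time, seen = st
        end = s.seq + s.length
        if s.seq < next_seq:
            # Were any of these bytes already captured earlier?
            if any(a < end and s.seq < b for a, b in seen):
                labels[s.frame] = "retransmission, original in capture"
            elif s.time - prev_time < threshold:
                labels[s.frame] = "out-of-order, original not in capture"
            else:
                labels[s.frame] = "retransmission, original not in capture"
        seen.append((s.seq, end))
        st[0], st[1] = max(next_seq, end), s.time
    return labels

# Constructed sample: one direction of one connection, 1000-byte segments.
FLOW = ("192.0.2.10", 50000, "192.0.2.20", 443)
SAMPLE = [
    Seg(1, 0.000, FLOW, 1, 1000),
    Seg(2, 0.001, FLOW, 1001, 1000),
    Seg(3, 0.002, FLOW, 3001, 1000),   # bytes 2001-3000 never reached the capture
    Seg(4, 0.003, FLOW, 4001, 1000),
    Seg(5, 0.250, FLOW, 2001, 1000),   # gap filled long after: lost upstream
    Seg(6, 0.251, FLOW, 5001, 1000),
    Seg(7, 0.500, FLOW, 4001, 1000),   # same bytes as frame 4: lost downstream
    Seg(8, 0.501, FLOW, 7001, 1000),
    Seg(9, 0.506, FLOW, 6001, 1000),   # gap filled 5 ms later
]

if __name__ == "__main__":
    for frame, label in classify(SAMPLE, irtt=0.020).items():
        print(frame, label)
```

Frame 9 changes label between a 20 ms iRTT and the 3 ms fallback, which is why the handshake needs to be in the capture. In Wireshark itself the corresponding display filter fields are `tcp.analysis.retransmission` and `tcp.analysis.out_of_order`.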