How to filter out TCP retransmissions

I have the TCP and IP headers of some captured traffic as follows:

1510103571.963031 MAC1> MAC2, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 39321, offset 0, flags [DF], proto TCP (6), length 60)
    ip1.43020 > ip2.443: Flags [S], cksum 0x6d38 (incorrect -> 0x742d), seq 373163901, win 65535, options [mss 1460,sackOK,TS val 6528740 ecr 0,nop,wscale 6], length 0

How can I filter out TCP retransmission packets?

Zahra
asked 2017-11-17 15:58:21 +0000

1 Answer

You can try the Wireshark (and tshark) display filter !(tcp.analysis.retransmission or tcp.analysis.fast_retransmission).

You can't use capture (BPF) filters as they have no knowledge of previous transmissions.

grahamb
answered 2017-11-17 16:11:22 +0000

Comments

The captured traffic isn't in the readable format of Wireshark. I have just the headers of the captured traffic, as in the sample above. How can I filter out TCP retransmissions myself using the header information?

Zahra (2017-11-17 16:40:14 +0000)

There is no direct flag transmitted on the wire in the TCP header saying it's a retransmission; it's inferred by sequence number analysis.

You'll have to do tcp reassembly and note when a sequence number is retransmitted.

grahamb (2017-11-17 16:47:09 +0000)

Could you help me with it? How should I check them myself?

Zahra (2017-11-17 20:54:25 +0000)

Have a look at this SharkFest presentation from @Jasper on tcp analysis.

grahamb (2017-11-17 22:33:51 +0000)

Thanks @grahamb - but better use the PPT instead, because it has the animations: https://sharkfest.wireshark.org/asset...

Jasper (2017-11-17 23:01:05 +0000)
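
Added example (not part of the original thread and not Wireshark's own logic): a simplified version of the sequence number analysis described in the answer, run directly over tcpdump's text output like the sample in the question. It keeps a per-direction high-water mark of sequence space and flags any segment that starts below it, so reordered segments are flagged too. Assumptions: the text was printed with absolute sequence numbers (`tcpdump -S`), sequence wraparound is ignored, and the function name and sample lines are constructed for illustration.

```python
import re

# Constructed sample (not from the post): `tcpdump -S -e -v` style text, documentation addresses.
SAMPLE = """\
1.0 MAC1 > MAC2, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60)
    192.0.2.1.43020 > 192.0.2.2.443: Flags [S], cksum 0x1a2b (correct), seq 1000, win 65535, options [mss 1460], length 0
    192.0.2.1.43020 > 192.0.2.2.443: Flags [S], cksum 0x1a2b (correct), seq 1000, win 65535, options [mss 1460], length 0
    192.0.2.2.443 > 192.0.2.1.43020: Flags [S.], seq 5000, ack 1001, win 65535, length 0
    192.0.2.1.43020 > 192.0.2.2.443: Flags [.], ack 5001, win 1024, length 0
    192.0.2.1.43020 > 192.0.2.2.443: Flags [P.], seq 1001:1101, ack 5001, win 1024, length 100
    192.0.2.1.43020 > 192.0.2.2.443: Flags [.], seq 1101:1201, ack 5001, win 1024, length 100
    192.0.2.1.43020 > 192.0.2.2.443: Flags [P.], seq 1001:1101, ack 5001, win 1024, length 100
    192.0.2.2.443 > 192.0.2.1.43020: Flags [P.], seq 5001:5051, ack 1201, win 1024, length 50
"""

# Matches the TCP line of the text output: "src > dst: Flags [..], ... seq N[:M], ... length L"
TCP_LINE = re.compile(
    r"^\s*(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\],"
    r".*?\bseq (?P<seq>\d+)(?::\d+)?,.*\blength (?P<len>\d+)")

def find_retransmissions(text):
    """Return (line_no, src, dst, seq) for segments that start below the
    highest sequence number already seen in the same direction."""
    next_seq = {}  # (src, dst) -> one past the highest sequence number seen
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = TCP_LINE.match(line)
        if not m:
            continue  # link-layer/IP line, or a pure ACK printed without "seq"
        flow = (m["src"], m["dst"])
        seq, flags = int(m["seq"]), m["flags"]
        # SYN and FIN each consume one sequence number on top of the payload.
        end = seq + int(m["len"]) + ("S" in flags) + ("F" in flags)
        if end == seq:
            continue  # occupies no sequence space (e.g. RST), nothing to resend
        if flow in next_seq and seq < next_seq[flow]:
            hits.append((no, m["src"], m["dst"], seq))
        next_seq[flow] = max(next_seq.get(flow, 0), end)
    return hits

if __name__ == "__main__":
    for no, src, dst, seq in find_retransmissions(SAMPLE):
        print(f"line {no}: {src} > {dst} re-sends seq {seq}")
```

If the capture was printed without `-S`, data segments carry relative sequence numbers while the SYN is absolute, and the high-water mark comparison no longer holds.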