Will WireShark assume packets are DUP or Retransmitted

packet-analysiswireshark

I have a SPAN on two different switch ports which are going to the same sniffer. Host A's connecting port is SPANed, and host B's connecting port is SPANed as well. Because it's a router on a stick type of configuration, I was hoping that during a time that communication failures are reported from application logs, I can look for a particular packet on both sides. I see in my trace that there are a massive amount of retransmissions, and I am curious if Wireshark's logic marks anything as a retransmission if it sees it twice?

Does anyone have any tips on when they are tracing something like this?

Thanks

Best Answer

Wireshark stores the sequence number for a given TCP flow. If the new packet does not advance the sequence number, then it marks it as a retransmission.

This is the actual Wireshark code in epan/dissectors/packet-tcp.c (included inline below).

Please look at the tcp_analyze_sequence_number() function, more specifically the block starting at line 822.

Line 822 of epan/dissectors/packet-tcp.c (Revision 33861):

/* RETRANSMISSION/FAST RETRANSMISSION/OUT-OF-ORDER
 * If the segments contains data and if it does not advance
 * sequence number it must be either of these three.
 * Only test for this if we know what the seq number should be
 * (tcpd->fwd->nextseq)
 *
 * Note that a simple KeepAlive is not a retransmission
 */
if( seglen>0
&&  tcpd->fwd->nextseq
&&  (LT_SEQ(seq, tcpd->fwd->nextseq)) ){
    guint64 t;

    if(tcpd->ta && (tcpd->ta->flags&TCP_A_KEEP_ALIVE) ){
        goto finished_checking_retransmission_type;
    }

    /* If there were >=2 duplicate ACKs in the reverse direction
     * (there might be duplicate acks missing from the trace)
     * and if this sequence number matches those ACKs
     * and if the packet occurs within 20ms of the last
     * duplicate ack
     * then this is a fast retransmission
     */
    t=(pinfo->fd->abs_ts.secs-tcpd->rev->lastacktime.secs)*1000000000;
    t=t+(pinfo->fd->abs_ts.nsecs)-tcpd->rev->lastacktime.nsecs;


    if( tcpd->rev->dupacknum>=2
    &&  tcpd->rev->lastack==seq
    &&  t<20000000 ){
        if(!tcpd->ta){
            tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
        }
        tcpd->ta->flags|=TCP_A_FAST_RETRANSMISSION;
        goto finished_checking_retransmission_type;
    }

    /* If the segment came <3ms since the segment with the highest
     * seen sequence number, then it is an OUT-OF-ORDER segment.
     *   (3ms is an arbitrary number)
     */
    t=(pinfo->fd->abs_ts.secs-tcpd->fwd->nextseqtime.secs)*1000000000;
    t=t+(pinfo->fd->abs_ts.nsecs)-tcpd->fwd->nextseqtime.nsecs;
    if( t<3000000 ){
        if(!tcpd->ta){
            tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
        }
        tcpd->ta->flags|=TCP_A_OUT_OF_ORDER;
        goto finished_checking_retransmission_type;
    }

    /* Then it has to be a generic retransmission */
    if(!tcpd->ta){
        tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
    }
    tcpd->ta->flags|=TCP_A_RETRANSMISSION;
    nstime_delta(&tcpd->ta->rto_ts, &pinfo->fd->abs_ts, &tcpd->fwd->nextseqtime);
    tcpd->ta->rto_frame=tcpd->fwd->nextseqframe;
}
Related Topic