![]() If you want to take a look at spurious retransmissions the guys at Cloudshark have put up a sample at. I’m not sure it is a good idea to mark repeated SYN packets as retransmissions since the TCP session isn’t technically open yet, and it leads to confusion (“I must have packet loss, because there are retransmissions”), but I’ll talk to Sake at Sharkfest and we’ll probably find a common point of view over a beer or two □ Now, in combination with the first code change, repeated SYN packets to a closed port will show up like in the screen shot. ![]() The question was now, why were repeated SYN packets marked as “spurious retransmissions”? The change Sake introduced to “packet-tcp.c” was to mark repeated SYN and FIN packets as retransmissions, which wasn’t the case before. Maybe the acknowledge packet got lost, so the sender could not know that the packet got through and assumed it was lost. To find out why it does that you would need a capture close to the sender to see what the situation is at that location. If you’re seeing spurious retransmissions it means that the sender thought packets were lost and sent them again, even though the receiver sent an acknowledge packet for it. There is a bug report where the patch was mentioned at “Needless” probably doesn’t sound technically weird enough, so in papers about those retransmissions they were labeled “spurious”. What does “Spurious Retransmission” mean?īasically “Spurious Retransmission” means that data was sent again that the receiver had already acknowledged, which is something that we used to call “needless retransmission” in our own expert system. The older change was to add an expert message when a segment was seen that was transmitting data older than the last segment that the receiver had requested. It turned out that two changes had been made that explained the screen shot above, one by the Joe from Cloudshark, and one by Sake: So I fired up my SVN tool to get the latest code revision and took a look at “packet-tcp.c” in the dissector directory. It turned out that Landi didn’t get those expert messages in his version of Wireshark, so I guessed that it had to be something that was changed pretty recently, since I was using the 1.11 developer version (for verifying some bug reports that had been closed) and he was on 1.10 stable. Well, my English is not so bad, but I had no clue what this kind of retransmission was supposed to be (or even what the word “spurious” meant :-)), especially in a SYN packet, which had never been marked as a retransmission before: Tracking the code change So I did, and while we were talking about what the SSL dissector was doing I saw a new TCP expert message I had never seen before: “TCP Spurious Retransmission”. Today, while doing a lot of testing of my trace handling code as well as in preparation for the upcoming Sharkfest 2013, I got a trace sample from Landi that he wanted me to take a look at because he wondered about some SSL decoding stuff. ![]() windows on wireless (same client) -> retransmission, no delay. linux on wireless -> retransmission and delay. Tried another ACP.Update: since Wireshark version 1.12 is out, lots of people look for the meaning of “tcp spurious retransmission” info message, so I changed the post a little to make it easier to find what you’re looking for. Wireshark tells me that the difference between cabled and wireless is a TCP retransmission. It looks like this is related to massive "TCP Retransmission" in Wireshark logs somehow. After two duplicate ACKs, a TCP sender begins. TCP Duplicate ACK: When a TCP receiver receives packets out of order, which it interprets as data loss, it sends an ACK indicating the expected sequence number. Is this normal on any wireless network? If not, how can I fix my laptop so it can surf the internet stably as my desktop PC?Įdit: I tried to capture the TCP packet again while the page failed to completely load. Wireshark differentiates several categories of TCP retransmission see the Wireshark TCP Analysis documentation for more information. I managed to capture network traffic on my laptop with Wireshark which results in the image below:įrom what I know, the black-background rows show that there are erros in TCP checksum / Bad TCP. Few of them are: Link Quality, it could be a bad Network cable, loose termination for LAN cable and noise in case of WiFi for layer 1 issues. There are many other reasons for this besides bandwidth. This is not happening to my desktop PC which is connected to the same D-Link AP as well. Re-transmission occurs when the Acknowledgment is never sent by receiver or is lost between receiver and sender. Sometimes it works, but most of the time it couldn't load the page completely or not loaded at all. If the percentage of broadcast traffic in your capture is above about 3 of the total traffic captured, then you definitely have congestion. Look for a large number of broadcast packets at the time the issue occurs. My Thinkpad X200 laptop which use Intel Wifi Link 5100 AGN is not able to surf the internet stably. TCP retransmissions are usually due to network congestion. I am troubleshooting wireless connectivity problem in my home network.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |