In Wireshark versions up to and including 1.10.x, Wireshark will identify the packet as an out-of-order packet if it appears within 3 ms of where it should have been, and will identify it as a retransmission if it appears more than 3 ms from where it should have been. Wireshark has to try to distinguish between out-of-order packets and retransmissions. Unfortunately, out-of-order packets look exactly the same as retransmissions where you are downstream from the point of packet loss: There is a gap in the sequence numbers and the packet shows up later than expected. In this case, you will see the expected sequence number only once. In this case, there will be a gap in the sequence numbers, Wireshark's expert will say "Previous segment not captured," and then the expected packet will show up later. If you are capturing downstream from the point of packet loss-packets are being dropped before they pass your capture point-then Wireshark will only see the retransmission. In this case, you will see the expected sequence number twice. If you are capturing upstream from the point of packet loss-packets are being dropped after they pass your capture point-then Wireshark will see both the original packet and the retranmission and it will be clear that the second one is a retransmission. It is normal to see the sequence number only once if you are capturing downstream from the point of packet loss. It depends on where you are capturing in relation to the point of packet loss (upstream or downstream).
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |