One of the important mechanisms in TCP is retransmission: when the acknowledgment for a TCP segment (the TCP term for a packet) does not arrive in time, the sender transmits it again. The time within which the acknowledgment is expected is called the RTO (Retransmission Timer Timeout); it is calculated, approximately, from the average time between sending a segment and receiving its acknowledgment over the last 4 packets. In Wireshark, this time can be seen in the tcp.analysis.ack_rtt field under SEQ/ACK Analysis at the end of the TCP segment details.
This article is based on the course “Network Analysis using Wireshark”.
There are 3 types of retransmission that Wireshark gives an indication of:
- Standard retransmissions
- Fast retransmissions
- Spurious retransmissions
Retransmission – This is the normal case: a TCP segment whose acknowledgment has not arrived within the RTO is transmitted again. A simple example is packet number 5968, which is a retransmission; looking at the bottom of the picture, we see that Wireshark identified it as a retransmission based on the time elapsed since packet number 5957.
Fast Retransmission – When the receiver sends several acknowledgments for the same data (at least 1 ACK + 2 Duplicate ACKs), that is the trigger. In the example we see that computer 10.0.52.164 sends many Duplicate ACKs, each asking computer 22.214.171.124: please send me the TCP segment with Sequence Number 1731890. The Fast Retransmission is the answer: the sender resends exactly what was asked for.
Spurious Retransmission (added in recent versions of Wireshark), also referred to as a “fake retransmission”, is not a real retransmission. Usually it happens when TCP segments are sent to us, we send back acknowledgments, those ACKs are lost, and because they were lost the other party sends us again what it had already sent. You can see an example of this situation in the following image.
Here we see that packet 13 is a retransmission of packet 8, and packet 15 is a retransmission of packet 11, even though the original packets (8 and 11) did arrive. This happens, for example, when we received the original packet and sent an ACK for it that never arrived, so the other party sends the packet again.
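The three labels above follow from the sequence and acknowledgment numbers alone, so they can be reproduced outside Wireshark. The following is an added example, not code from the article or from Wireshark: it classifies data segments of a small constructed capture (hosts 10.0.0.1 and 10.0.0.2 and all frame numbers are invented) using the rules described above, with the 1 ACK + 2 Duplicate ACKs threshold for Fast Retransmission and "all of this data is already acknowledged by the peer" for Spurious Retransmission.

```python
from collections import namedtuple
# no = frame number, length = TCP payload bytes (0 means a pure ACK)
Segment = namedtuple("Segment", "no src dst seq length ack")

def classify_retransmissions(segments, dup_ack_threshold=3):
    """Label retransmitted data segments the way Wireshark's SEQ/ACK analysis does;
    dup_ack_threshold=3 is the article's 1 ACK + 2 Duplicate ACKs rule for Fast Retransmission."""
    first_seen = {}   # (sender, seq) -> frame number of the first data segment with that seq
    ack_counts = {}   # (acker, ack) -> number of pure ACKs carrying that ack number
    highest_ack = {}  # sender -> highest ack number its peer has sent back
    labels = {}       # frame number -> (label, frame number of the original segment)
    for s in segments:
        # any segment's ACK number acknowledges the peer's data up to that point
        highest_ack[s.dst] = max(highest_ack.get(s.dst, 0), s.ack)
        if s.length == 0:
            ack_counts[(s.src, s.ack)] = ack_counts.get((s.src, s.ack), 0) + 1
            continue
        key = (s.src, s.seq)
        if key not in first_seen:
            first_seen[key] = s.no
            continue
        if s.seq + s.length <= highest_ack.get(s.src, 0):
            # receiver already acknowledged all of this data: the ACK was lost on its way back
            labels[s.no] = ("Spurious Retransmission", first_seen[key])
        elif ack_counts.get((s.dst, s.seq), 0) >= dup_ack_threshold:
            # the peer kept asking for exactly this sequence number
            labels[s.no] = ("Fast Retransmission", first_seen[key])
        else:
            # no feedback drove this one; it fired when the RTO expired
            labels[s.no] = ("Retransmission", first_seen[key])
    return labels

# Constructed capture (not from the article), taken on host A; B is its peer
A, B = "10.0.0.1", "10.0.0.2"
SAMPLE = [
    Segment(1, A, B, seq=1, length=100, ack=5000),     # A's first data segment
    Segment(2, A, B, seq=1, length=100, ack=5000),     # no ACK came back before the RTO expired
    Segment(3, B, A, seq=5000, length=0, ack=101),     # B acknowledges bytes 1..100
    Segment(4, A, B, seq=101, length=100, ack=5000),
    Segment(5, A, B, seq=201, length=100, ack=5000),   # lost somewhere past the capture point
    Segment(6, B, A, seq=5000, length=0, ack=201),     # B acknowledges bytes 101..200
    Segment(7, A, B, seq=301, length=100, ack=5000),
    Segment(8, A, B, seq=401, length=100, ack=5000),
    Segment(9, B, A, seq=5000, length=0, ack=201),     # duplicate ACK: "send me 201"
    Segment(10, B, A, seq=5000, length=0, ack=201),    # second duplicate ACK
    Segment(11, A, B, seq=201, length=100, ack=5000),  # A resends the missing segment
    Segment(12, B, A, seq=5000, length=50, ack=501),   # B sends data of its own
    Segment(13, A, B, seq=501, length=0, ack=5050),    # A's ACK for it (lost on the wire)
    Segment(14, B, A, seq=5000, length=50, ack=501),   # B repeats data A already has
]
```

Running `classify_retransmissions(SAMPLE)` labels frame 2 as a Retransmission of frame 1, frame 11 as a Fast Retransmission of frame 5, and frame 14 as a Spurious Retransmission of frame 12; pure ACKs are never labelled.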
What is the reason for this? We will look into it in one of our next articles. The details are covered in the “Wireshark – Core Protocols” course.