Ethereal-users: Re: [Ethereal-users] Multiple retransmissions

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Hansang Bae <hbae@xxxxxxxxxx>
Date: Mon, 21 Nov 2005 23:22:15 -0500

At 04:12 PM 11/21/2005, Matt Pickering wrote:
>[snip]
>milliseconds later, a retransmission.  For instance, I have a packet
>capture that has approximately 80,000 packets, and 40,000 of those
>packets are marked as "retransmissions".  When I look at the TCP
>Analysis Flags, it indicates that "This frame is a (suspected)
>retransmission).[snip]


Given the above, I would first suspect that the way you captured the packets was incorrect.  Chances are, you are capturing the packets twice, i.e. you are spanning two ports on the switch (port for the web server and the port for the DB server perhaps?)

If you truly had 40K retransmissions out of 80K packets, I doubt your program would even work.  Take a look at your IP ID field, you'll probably see that they are the same.  

So take one frame and look at the ID.  Say it's 14256.  Then type in "ip.id==14256".  You'll probably find two packets with the same ID.

hsb
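
The check described in the message above, automated over a whole capture. This is an added example, not part of the original post: it reads a classic pcap, groups IPv4 packets by source, destination and IP ID, and reports the frames whose IP packet is otherwise identical, which is what capturing the same packet twice looks like. The helper names and the sample capture are constructed for illustration.

```python
import struct
from collections import defaultdict

def ipv4_frame(src, dst, ip_id, payload=b""):
    """Build a constructed Ethernet+IPv4 frame (header checksum left at 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id,
                     0, 64, 6, 0, bytes(src), bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

def write_pcap(frames):
    """Serialize frames as a classic little-endian pcap (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 0, i * 100, len(f), len(f)) + f
    return out

def read_frames(pcap):
    """Yield (frame_number, frame_bytes) from a classic little-endian pcap."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off, n = 24, 0
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]
        n += 1
        yield n, pcap[off + 16: off + 16 + incl]
        off += 16 + incl

def duplicate_ip_ids(pcap):
    """Return {(src, dst, ip.id): [frame numbers]} for IP packets captured more than once."""
    seen = defaultdict(list)
    for n, f in read_frames(pcap):
        if len(f) < 34 or f[12:14] != b"\x08\x00":
            continue  # not Ethernet/IPv4
        total, ip_id = struct.unpack_from("!HH", f, 16)
        # Skip TTL (byte 22) and header checksum (24-25): both change across a routed hop.
        body = f[14:22] + f[23:24] + f[26:14 + total]
        seen[(f[26:30], f[30:34], ip_id, body)].append(n)
    return {(".".join(map(str, k[0])), ".".join(map(str, k[1])), k[2]): v
            for k, v in seen.items() if len(v) > 1}

# Constructed sample: frames 1 and 2 are the same packet seen twice;
# frame 4 repeats the payload under a different IP ID and is not reported.
SAMPLE = write_pcap([
    ipv4_frame((10, 0, 0, 1), (10, 0, 0, 2), 14256, b"GET /"),
    ipv4_frame((10, 0, 0, 1), (10, 0, 0, 2), 14256, b"GET /"),
    ipv4_frame((10, 0, 0, 1), (10, 0, 0, 2), 14257, b"Host: db"),
    ipv4_frame((10, 0, 0, 1), (10, 0, 0, 2), 14300, b"GET /"),
])
```

Only libpcap-format files in little-endian byte order are handled; a pcapng capture has to be converted first.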