Wireshark · Ethereal-users: Re: [Ethereal-users] capturing retransmitted package from data-link layer

Ethereal-users: Re: [Ethereal-users] capturing retransmitted package from data-link layer

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>

Date: Wed, 23 Nov 2005 18:49:09 -0800

vinh.pham@xxxxxx wrote:

Suppose I send data traffic through wireless interface (UDP package)from PC A to PC B.When there are collisions on the link, or the link is unstable, somepackage will be lost and need tobe restransmitted. As far as I know this will be taken care of by thedata link layer/ethernet layer.

The question is whether ethereal can capture these retransmitted packageas well?

If you're running Ethereal on PC A, it will be supplied with a copy of apacket sent from PC A to PC B *before* that packet handed to theadapter; that copy will be done in software, and, as it's done *before*the packet is handed to the adapter, you won't see any retransmissionsas the code that makes the copy doesn't know the retransmissions arebeing done.

If you're running Ethereal on PC B, PC B's wireless adapter is probablynot running in "monitor mode" or "rfmon mode", if "wireless" means802.11. At least on most OSes, if the adapter is in "monitor mode" itcan't act like a regular network adapter. Therefore, the adapter willonly supply to the host packets it successfully receives, and willprobably discard any retransmissions of successfully-received packets.If the packet *wasn't* successfully received, the *original*transmission won't be supplied to Ethereal by the wireless adapter; ifthe retransmission is successfully recieved, that will be supplied.

If you're running Ethereal on some other machine, its adapter ispresumably either in promiscuous mode or monitor mode. In that case,it'll supply to Ethereal whatever packets it accepts in that mode. Idon't know whether it'll successfully receive and accept the initialpacket that got the collision; the collision might cause it not to bereceived. If the retransmission is successfully received and accepted,it will be supplied to Ethereal.

In other words, on any machine *other* than PC A, Ethereal will probablycapture the retransmitted packet - but it won't capture it "as well", asit probably *won't* capture the *original* packet if it was damaged by acollision! On PC A (i.e., on the machine that transmitted the packet),you'll just get a software copy of the packet, before it's eventransmitted for the first time.

If not, is there any tool that can do that?

You can probably replace "Ethereal" with any other tool in the above,and it will still be true.

References:
- [Ethereal-users] capturing retransmitted package from data-link layer
  - From: vinh.pham

Prev by Date: Re: [Ethereal-users] HTTP capture question
Next by Date: [Ethereal-users] while sniffering, ethereal stops internet browsing if Proxim Orinoco 8420-WD wireless card is used???
Previous by thread: Re: [Ethereal-users] capturing retransmitted package from data-link layer
Next by thread: [Ethereal-users] RTP/RTCP real-time monitoring
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$