Hi,
Started using Wireshark recently and got a couple of questions that I was hoping someone on here could answer.
The purpose of using Wireshark is to monitor communication between a server/client application developed by our company.
#1. When selecting a TCP packet and clicking on 'follow tcp stream', what constitutes a TCP stream? It appears to me that if source and destination port match = TCP stream. This comes out a bit odd on my system since the server changes port between each transmission, hence at some point in time the server will re-use a source/destination port. So when I do 'follow tcp stream' it appears I'm getting several streams with quite different timestamps on them. Have I understood the functionality of 'follow tcp stream'? Am I using it correctly?
#2. The communication between server and client uses a fixed pattern of send/recv with only small changes in parts of the content. One TCP transmission (from SYN to FIN) usually consists of roughly 110 packets, and the sequence number on the client reaches seq=141 and on the server seq=137. For some unknown reason (to me at least) the TCP packets start using extremely high sequence numbers (they don't slowly increase in size, they just make a huge jump). So suddenly I'm getting sequence numbers like 3367739430. Can anyone explain why this is happening? Should I be worried about these high numbers or can I just ignore them?
#3. Viewing a TCP packet I noticed that it was stamped with 'TCP Retransmission'. Fair enough, just a lost packet being retransmitted (the packet was timestamped 16:17:00 btw). Then I looked at the SEQ/ACK analysis: 'This frame is a (suspected) retransmission. The RTO for this segment was 12460.784541000 seconds. RTO based on delta from frame 31688'. Frame 31688 was sent at 12:49:19 - that's almost 4 hours difference in time. What does this mean? Can it be retransmitting a packet 4 hours later? I thought this was strange.
Appreciate any help.