
URL: https://www.packetsafari.com/blog/2021/10/23/tcp-spurious-retransmissions/
Submission: On August 10 via manual from SG — Scanned from SG



UNDERSTANDING TCP SPURIOUS RETRANSMISSIONS AND HOW TO DIAGNOSE THEM

Posted 23. October 2021 by PacketSafari - 3 min read

TCP spurious retransmissions occur when a packet is unnecessarily retransmitted,
even though the receiver has already acknowledged its receipt. This can lead to
performance issues in the network. Learn how to diagnose and troubleshoot these
issues using Wireshark and other analysis tools.


INTRODUCTION TO TCP SPURIOUS RETRANSMISSIONS

TCP (Transmission Control Protocol) is widely used in modern networking to
ensure the reliable and orderly delivery of data. One of its main features is
the ability to retransmit lost or unacknowledged packets. However, in some
cases, packets may be retransmitted even when they have been successfully
received, leading to what is known as a "spurious retransmission." This can have
a negative impact on network performance and overall user experience.

In this article, we will dive into the causes and consequences of TCP spurious
retransmissions, and how to diagnose and troubleshoot them using Wireshark and
other packet analysis tools.


REAL-WORLD EXAMPLE: IDENTIFYING TCP SPURIOUS RETRANSMISSIONS

When analyzing a network capture, you may encounter instances of spurious
retransmissions. To identify them, use the Wireshark display filter
tcp.analysis.spurious_retransmission. This filter shows only the segments that
Wireshark has flagged as retransmitted despite having already been
acknowledged.

Let's consider a real-world example where a file is being transferred between
two devices using a TCP connection. You notice that the transfer is slower than
expected and decide to investigate the issue with Wireshark. After capturing the
traffic and applying the display filter mentioned above, you observe several
spurious retransmissions.
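
The rule behind that filter, "retransmitted despite having already been acknowledged", can be written out as a short classifier. This is an added example, not code from the original article or from Wireshark; it is a simplified version of the check, the addresses and packets are constructed, and it assumes relative sequence numbers (as Wireshark displays by default) with no wraparound.

```python
from collections import namedtuple

# One captured TCP segment: time, endpoints, relative seq, payload length, ack.
Seg = namedtuple("Seg", "t src dst seq length ack")

def classify(segments):
    """Return (time, seq, label) for every data segment seen more than once.

    label is "spurious" when the peer's ACK already covered the whole segment
    before the retransmission appeared in the capture, else "retransmission".
    """
    sent = {}    # flow -> highest seq+len seen so far in that direction
    acked = {}   # flow -> highest ACK number the peer has sent for that flow
    findings = []
    for s in segments:
        flow, rev = (s.src, s.dst), (s.dst, s.src)
        # Each segment's ACK field acknowledges data of the reverse flow.
        acked[rev] = max(acked.get(rev, 0), s.ack)
        if s.length == 0:
            continue                      # pure ACK, carries no data
        end = s.seq + s.length
        if flow in sent and end <= sent[flow]:
            # These bytes were already on the wire once: a retransmission.
            label = "spurious" if end <= acked.get(flow, 0) else "retransmission"
            findings.append((s.t, s.seq, label))
        sent[flow] = max(sent.get(flow, 0), end)
    return findings

# Constructed sample capture: A sends a file to B.
A, B = "10.0.0.1:50000", "10.0.0.2:80"
SAMPLE = [
    Seg(0.000, A, B, 1,    1000, 1),     # first data segment
    Seg(0.001, A, B, 1001, 1000, 1),     # second data segment
    Seg(0.050, B, A, 1,    0,    1001),  # B acknowledges bytes 1..1000
    Seg(0.210, A, B, 1,    1000, 1),     # resent although ACKed -> spurious
    Seg(0.215, A, B, 1001, 1000, 1),     # resent, not yet ACKed -> ordinary
    Seg(0.260, B, A, 1,    0,    2001),  # B acknowledges bytes 1001..2000
    Seg(0.300, A, B, 2001, 500,  1),     # new data, not a retransmission
]

if __name__ == "__main__":
    for t, seq, label in classify(SAMPLE):
        print(f"t={t:.3f}s seq={seq} {label}")
```

The verdict depends on where the capture was taken: an ACK that the capture point has already seen may not yet have reached the sender.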


EXPERT INSIGHTS: CAUSES AND CONSEQUENCES OF SPURIOUS RETRANSMISSIONS

There are several reasons why spurious retransmissions may occur:

 1. Network congestion: If packets are delayed or lost due to congestion, the
    sender may retransmit them before receiving the corresponding ACKs
    (acknowledgements). This can result in unnecessary data being sent over the
    network, exacerbating the congestion problem.
 2. Retransmission timeouts: If the sender's retransmission timer expires before
    an ACK is received, the packet may be retransmitted, even if the receiver
    had already acknowledged it and the ACK was still in transit.
 3. Misconfigured network devices: Devices such as firewalls or routers may be
    misconfigured, causing ACKs to be delayed or dropped.
 4. Faulty hardware: Hardware issues, such as damaged network cables or failing
    network interface cards, can also lead to spurious retransmissions.

Spurious retransmissions can cause several performance issues, including
increased latency, reduced throughput, and wasted bandwidth.


WIRESHARK TIPS AND TRICKS FOR TROUBLESHOOTING SPURIOUS RETRANSMISSIONS

To effectively diagnose and resolve spurious retransmissions, you can employ the
following Wireshark tips and tricks:

 1. Analyze Round-Trip Time (RTT): Investigate the RTT of the affected TCP
    connection by examining the time between the original packet and its
    corresponding ACK. High RTT values may indicate network congestion or other
    issues causing delays.
 2. Examine retransmission timers: Check if the sender's retransmission timer is
    set too low, which may lead to premature retransmissions. You can do this by
    analyzing the TCP handshake and looking for the TCP options that set the
    retransmission timer values.
 3. Analyze TCP SACK (Selective Acknowledgment) information: The TCP SACK option
    allows a receiver to acknowledge non-contiguous segments of data. If SACK is
    not being used or is not properly configured, it may contribute to spurious
    retransmissions. In Wireshark, you can check if SACK is enabled by looking
    for the SACK option in the TCP handshake (SYN and SYN-ACK packets).
 4. Check for packet loss or duplicate ACKs: Packet loss or duplicate ACKs may
    prompt the sender to retransmit packets. You can use the Wireshark display
    filters tcp.analysis.lost_segment and tcp.analysis.duplicate_ack to identify
    instances of packet loss or duplicate acknowledgments.
 5. Inspect network devices and hardware: If you suspect misconfigured devices
    or faulty hardware, review their settings and perform necessary tests to
    rule out these causes.


CONCLUSION

TCP spurious retransmissions can lead to significant performance issues in a
network. By leveraging Wireshark and applying expert knowledge, you can
identify, diagnose, and resolve these issues.

To further enhance your packet analysis skills and gain access to more advanced
techniques for troubleshooting network problems, consider enrolling in our WIRED
for Packet Analysis training course (https://oripka.de/en/wired/). Additionally,
to streamline your packet analysis process, try our online PCAP analyzer,
PacketSafari (https://app.packetsafari.com), which offers a user-friendly
interface and powerful analysis tools.

Copyright © Ripka Technologies S.L. 2020-2022