Practical Packet Analysis

This packet is a TCP PSH/ACK packet containing 648 bytes of data
that is sent from 10.3.30.1 to 10.3.71.7. This is a typical data packet.
Under normal circumstances, you would expect to see a TCP ACK packet
in response fairly soon after the first packet is sent. In this case, however, the
next packet is a retransmission. You can tell this by looking at the packet in
the Packet List pane. The Info column clearly says [TCP Retransmission],
and the packet will appear with red text on a black background. Figure 9-3
shows examples of retransmissions listed in the Packet List pane.
Figure 9-3: Retransmissions in the Packet List pane
You can also determine if a packet is a retransmission by examining it in
the Packet Details and Packet Bytes panes, as shown in Figure 9-4.
Figure 9-4: An individual retransmission packet
Note that this packet is the same as the original packet (other than the IP
identification and Checksum fields). To verify this, compare the Packet Bytes
pane of this retransmitted packet with the original one.
In the Packet Details pane, notice that the retransmission packet has
some additional information included under the SEQ/ACK Analysis heading.
This useful information is provided by Wireshark and is not actually
contained in the packet itself. The SEQ/ACK analysis tells us that this is indeed a
retransmission, that the RTO value is 0.206 seconds, and that the RTO
is based on the delta time from packet 1.
Examination of the remaining packets should yield similar results, with
the only differences between the packets found in the IP identification and
Checksum fields, and the RTO value. To visualize the time lapse between
each packet, look at the Time column in the Packet List pane, as shown in
Figure 9-5. Here, you see exponential growth in time as the RTO value is
doubled after each retransmission.
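
The check described above, as an added example that is not from the book: a simplified duplicate-segment heuristic (not Wireshark's own SEQ/ACK analysis) run over a constructed packet list, reporting the gap before each retransmission and whether the gaps double. Only the two addresses, the 648-byte length, and the 0.206-second first gap come from the text; the ports, sequence number, IP IDs, and later timestamps are assumed values.

```python
from collections import namedtuple

Segment = namedtuple("Segment", "time src dst sport dport seq length ip_id")

A, B = "10.3.30.1", "10.3.71.7"
# Constructed capture: ports, seq, IP IDs and timestamps are assumed values.
# Each gap doubles, starting from the 0.206 s reported in the text.
SAMPLE = [
    Segment(0.000, A, B, 1048, 1043, 1, 648, 0x0101),  # original PSH/ACK
    Segment(0.206, A, B, 1048, 1043, 1, 648, 0x0102),
    Segment(0.300, B, A, 2000, 3000, 1, 0, 0x0901),    # unrelated bare ACK
    Segment(0.350, B, A, 2000, 3000, 1, 0, 0x0902),    # repeated bare ACK
    Segment(0.618, A, B, 1048, 1043, 1, 648, 0x0103),
    Segment(1.442, A, B, 1048, 1043, 1, 648, 0x0104),
    Segment(3.090, A, B, 1048, 1043, 1, 648, 0x0105),
    Segment(6.386, A, B, 1048, 1043, 1, 648, 0x0106),
]

def find_retransmissions(segments):
    """Return (segment, gap) for data segments that repeat an earlier one.

    A segment counts as a retransmission when the same flow already carried
    the same sequence number and payload length. The IP ID is deliberately
    left out of the key, because it changes on every retransmission.
    gap is the time since the previous transmission of that segment.
    """
    last_sent = {}
    hits = []
    for seg in sorted(segments, key=lambda s: s.time):
        if seg.length == 0:
            continue  # bare ACKs carry no data, so they are never retransmitted data
        key = (seg.src, seg.dst, seg.sport, seg.dport, seg.seq, seg.length)
        if key in last_sent:
            hits.append((seg, round(seg.time - last_sent[key], 3)))
        last_sent[key] = seg.time
    return hits

def gaps_double(hits, tolerance=0.1):
    """True when every gap is about twice the one before it."""
    gaps = [gap for _, gap in hits]
    return len(gaps) > 1 and all(
        abs(later / earlier - 2.0) <= tolerance
        for earlier, later in zip(gaps, gaps[1:])
    )

if __name__ == "__main__":
    for seg, gap in find_retransmissions(SAMPLE):
        print(f"t={seg.time:.3f}s ip_id=0x{seg.ip_id:04x} gap={gap:.3f}s")
    print("exponential backoff:", gaps_double(find_retransmissions(SAMPLE)))
```
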
Chapter 9