Compartir a través de


Finding Retransmits in Ethereal

With the full version of Netmon, it's relatively easy to find retransmitted packets with the expert; however, in Ethereal, it's not quite as clear...

Ethereal supports analysis of TCP sequence numbers to find retransmits & do other neat things; however, the default is to turn this off (because, I would guess, it will increase load times on captures).  To turn it on, go to Preferences, then find the TCP protocol & put a checkbox in the “Analyze TCP sequence numbers” box. 

After this is done, Ethereal will display [SEQ/ACK analysis] under TCP for frames where meaningful analysis is possible.  To filter for retransmits, use 'tcp.analysis.retransmission' for a filter.  There are some other nice attributes here -- for example, to find packets where the delta between the data & the ACK is 180ms or greater (possibly indicating a delayed ACK), try a filter of 'tcp.analysis.ack_rtt>.18'.  To find zero-window issues, filter on 'tcp.analysis.zero_window'.