Graphing Packet Retransmission Rates with Wireshark


As network engineers, our lives revolve around making sure data gets from point A to point B. Fortunately for us, TCP does a great job of ensuring this happens without much intervention. Unfortunately, we need to step in every once in a while to make sure things are going as we designed. With that in mind, let's talk about TCP retransmissions. I'm going into this post with the assumption that we all understand what a retransmission is, and that TCP retransmissions are a symptom of a problem (loss, reordering, or delay somewhere on the path), not its cause. With this post, I want to share how to build a visual reference of the count of retransmissions over time. The idea is that once the retransmissions are charted, they are easier to line up against things like spikes in throughput, interface error counter increments, or even server CPU/memory utilization.

Identifying TCP Retransmissions in Wireshark

The first step is to identify the retransmissions within the packet list with this display filter:

tcp.analysis.retransmission

Once this filter is applied, we can see how many retransmissions are present in the trace. It's important to note that there is no flag or unique identifier in the TCP header that marks a segment as a retransmission. Wireshark infers retransmissions heuristically: within a conversation (source and destination IP address and TCP port), a segment carrying data whose sequence number falls below the next expected sequence number already seen in that direction is flagged, and the timing relative to the earlier segment and any duplicate ACKs decides whether it is labelled a plain, fast, or spurious retransmission. Because of that, it's very easy for Wireshark to count a second copy of the same frame as a retransmission. Make sure you haven't captured the same frame twice; this is very common in data center capture architectures (for example, a SPAN session that mirrors both the ingress and egress of the same traffic). If you open a trace file and see something like the screenshot below, with back-to-back identical frames all flagged as retransmissions, you'll want to review the process for removing duplicate frames before reading anything into the count.
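To make the heuristic and the duplicate-frame trap concrete, here is an added Python example (not from the original post and not Wireshark's code) that runs a simplified version of the same sequence-number check over a small constructed trace, first as captured and then after dropping byte-identical duplicate frames, and then buckets the flagged segments per second, which is the series the I/O graph plots. The segment records, addresses, IP IDs and timestamps are made up for the illustration; the `dedupe` function stands in for what `editcap -d` does by hashing whole frames.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One captured TCP segment (constructed records, not real traffic)."""
    t: float        # capture time in seconds from start of trace
    src: str
    sport: int
    dst: str
    dport: int
    seq: int        # relative TCP sequence number
    length: int     # TCP payload bytes
    ip_id: int      # IP identification field; differs for a real retransmission


def frame_key(s: Segment) -> tuple:
    """Stand-in for a hash of the whole frame: identical bytes -> identical key."""
    return (s.src, s.sport, s.dst, s.dport, s.seq, s.length, s.ip_id)


def dedupe(segments, window: int = 5):
    """Drop a frame that is byte-identical to one of the previous `window`
    kept frames. This mirrors editcap -d, which removes duplicates within a
    5-frame window; a double-captured frame is identical, a real
    retransmission is a new IP datagram and normally carries a new IP ID."""
    kept, recent = [], []
    for s in segments:
        key = frame_key(s)
        if key in recent:
            continue
        kept.append(s)
        recent.append(key)
        recent = recent[-window:]
    return kept


def flag_retransmissions(segments):
    """Simplified version of Wireshark's check: per direction of a
    conversation, remember the highest next-expected sequence number; a data
    segment whose seq is below it is a retransmission. Pure ACKs are skipped.
    (Wireshark adds timing rules to split plain/fast/spurious; omitted here.)"""
    next_seq = {}
    flagged = []
    for s in segments:
        if s.length == 0:
            continue
        direction = (s.src, s.sport, s.dst, s.dport)
        expected = next_seq.get(direction)
        if expected is not None and s.seq < expected:
            flagged.append(s)
        next_seq[direction] = max(expected or 0, s.seq + s.length)
    return flagged


def per_second(segments, bucket: float = 1.0) -> dict:
    """Count segments per time bucket: the data series an I/O graph plots."""
    counts = Counter(int(s.t // bucket) for s in segments)
    return dict(sorted(counts.items()))


def _seg(t, seq, ip_id):
    # Helper for the constructed trace: one client->server direction only.
    return Segment(t, "10.0.0.5", 51000, "10.0.0.9", 443, seq, 100, ip_id)


# Constructed trace: most frames appear twice (captured on both legs of a
# SPAN), plus two genuine retransmissions at t=1.10 and t=2.25.
SAMPLE_TRACE = [
    _seg(0.00, 1, 1), _seg(0.00, 1, 1),          # frame + its duplicate
    _seg(0.05, 101, 2), _seg(0.05, 101, 2),
    _seg(0.30, 201, 3), _seg(0.30, 201, 3),
    _seg(1.10, 201, 4),                          # real retransmission of seq 201
    _seg(1.40, 301, 5), _seg(1.40, 301, 5),
    _seg(2.20, 401, 6),
    _seg(2.25, 401, 7),                          # real retransmission of seq 401
]


def retransmissions_per_second(segments, deduplicate: bool) -> dict:
    """End-to-end: optional duplicate removal, then flag, then bucket."""
    frames = dedupe(segments) if deduplicate else list(segments)
    return per_second(flag_retransmissions(frames))


if __name__ == "__main__":
    print("as captured :", retransmissions_per_second(SAMPLE_TRACE, False))
    print("deduplicated:", retransmissions_per_second(SAMPLE_TRACE, True))
```

On a real capture the same two series come from `tshark -r trace.pcapng -q -z io,stat,1,tcp.analysis.retransmission` (or Statistics > I/O Graph in the GUI with that display filter), run once on the original file and once on the output of `editcap -d trace.pcapng deduped.pcapng`. If the per-second counts collapse after deduplication, as they do in the constructed trace above, most of the "retransmissions" were capture artifacts rather than anything the network did.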
