HakTip 133 – Wireshark 101: TCP Retransmissions and Duplicates

Today on HakTip, Shannon explains TCP Retransmissions and TCP Duplicate Acknowledgments in reference to Wireshark.


Oftentimes you’ll find yourself faced with a really slow network. You may have trouble connecting, or a site takes WAY too long to load. When a network is running slow, the communication has something called “high latency”; if the communication is fast, it’s considered “low latency”. High latency and packet loss can be caused by a router under heavy load, a service outage, and so on. TCP detects these things and resends the packets, hence the name TCP retransmission. TCP judges the need for a retransmission based on the RTO, or retransmission timeout: if the packet never receives an ACK within that time frame, it’s retransmitted. The time between the two packets is called the round-trip time. Every time a retransmit happens, the RTO for that packet doubles. Eventually, depending on the sender’s computer settings, it’ll just stop resending. Windows defaults to 5 attempts, some Linux PCs to 15.

Check out a book called Practical Packet Analysis by Chris Sanders. It goes into crazy depth on all of this, so I highly suggest checking it out.

In the capture, the first packet looks fine, but it never receives an ACK, so the second one is the retransmission. The second packet looks exactly the same, except that it shows an RTO time under the Expert Info section down near the bottom. The RTO time changes for each packet after this too, because they are all retransmissions.

Moving on to TCP duplicates… specifically duplicate acknowledgements. This happens when the destination receives out-of-order packets. All TCP connections start with an initial sequence number, or ISN, and each packet after that goes up by the size of its data payload. So if my computer has an ISN of 1000 and I send a packet with 200 bytes of data, then the acknowledgement should be 1200, my next sequence number should be 1200, and so on. If my computer skips a packet and the sequence number is off, the ACK packet sent back to me will be a duplicate of the last correct one. So if I have an ISN of 1000 and send a packet of 200 bytes, the ACK will be 1200. My new sequence number will be 1200, but my computer skips a packet and sends one with a sequence number of 1400. The destination says, ‘oh, that’s not right. Let’s try that again’, and sends me a duplicate ACK for 1200. It’ll do this three times until I finally send 1200, not 1400, in a packet called a Fast Retransmission.
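To make the retransmission and duplicate-ACK rules above concrete, here is an added example (not from the show or from Wireshark itself) that walks a constructed TCP stream and tags frames roughly the way Wireshark's TCP expert info would. The addresses and segments are made up to follow the 1000/1200/1400 scenario described above; receive window changes are ignored, and a retransmission is only called "fast" after three duplicate ACKs from the peer, as the post describes.

```python
from collections import defaultdict, namedtuple

# frame: Wireshark frame number; seq/ack: relative numbers; length: payload bytes
Segment = namedtuple("Segment", "frame src dst seq ack length")


def analyze(segments, dup_ack_threshold=3):
    """Tag segments the way Wireshark's TCP expert info does (simplified:
    receive window changes are ignored). Returns {frame: tag}."""
    next_seq = {}                # per direction: next sequence number expected
    last_ack = {}                # per direction: last ACK number sent
    dup_acks = defaultdict(int)  # per direction: consecutive duplicate ACKs
    tags = {}
    for s in segments:
        fwd, rev = (s.src, s.dst), (s.dst, s.src)
        if s.length > 0:
            expected = next_seq.get(fwd, s.seq)
            if s.seq < expected:
                # Bytes already sent once: a retransmission. If the peer kept
                # repeating one ACK, the sender did not wait for its RTO to fire.
                fast = dup_acks[rev] >= dup_ack_threshold
                tags[s.frame] = "fast_retransmission" if fast else "retransmission"
            elif s.seq > expected:
                tags[s.frame] = "previous_segment_not_captured"  # hole in the stream
            next_seq[fwd] = max(expected, s.seq + s.length)
        elif last_ack.get(fwd) == s.ack:
            # No payload and the same ACK number again: the receiver is still
            # asking for the bytes it skipped.
            dup_acks[fwd] += 1
            tags[s.frame] = f"dup_ack#{dup_acks[fwd]}"
        else:
            dup_acks[fwd] = 0  # ACK advanced: the hole has been filled
        last_ack[fwd] = s.ack
    return tags


C, S = "10.0.0.1", "10.0.0.2"  # constructed addresses
SAMPLE = [  # constructed stream following the scenario in the post
    Segment(1, C, S, 1000, 1, 200),   # ISN 1000, 200 bytes of data
    Segment(2, S, C, 1, 1200, 0),     # ACK 1200: all good so far
    Segment(3, C, S, 1400, 1, 200),   # sender skips 1200..1399
    Segment(4, S, C, 1, 1200, 0),     # "that's not right, try again"
    Segment(5, S, C, 1, 1200, 0),
    Segment(6, S, C, 1, 1200, 0),     # third duplicate ACK
    Segment(7, C, S, 1200, 1, 200),   # the fast retransmission of 1200
    Segment(8, S, C, 1, 1600, 0),     # everything up to 1600 now received
    Segment(9, C, S, 1600, 1, 100),
    Segment(10, C, S, 1600, 1, 100),  # sent again after the RTO expired
]
```

Running `analyze(SAMPLE)` tags frames 4 to 6 as duplicate ACKs, frame 7 as a fast retransmission and frame 10 as an ordinary (timeout) retransmission.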

Let me know what you think. Send me a comment below or email us at [email protected]. And be sure to check out our sister show, Hak5, for more great stuff just like this. I’ll be there, reminding you to trust your technolust.
