Duplicate Packet or TCP retransmission?

When you analyse a packet capture in Wireshark, you sometimes see the same or nearly the same packet more than once. This may be due to a duplicate packet or a TCP retransmission. If it is a TCP retransmission, you have to pay more attention to it.

 

The difference between a duplicate packet and a TCP retransmission is the IP ID. For duplicate packets, the IP ID of the two packets is the same, in addition to the TCP sequence number being the same. (Why you can see duplicate packets in the capture is not in the scope of this discussion. If you are interested, please google it. 🙂)

 

Duplicate Packet example (same IP ID and same TCP sequence number)

TCP Original packet


TCP retransmission packet


Same TCP sequence number (2171548184) but different IP ID (frame 553 ID is 48058 and frame 578 ID is 48083) for the original packet and the retransmission packet.
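
The same comparison can be scripted. The following is an added example, not part of the original post: it parses raw IPv4/TCP packets and labels a repeated segment as a duplicate (same IP ID) or a retransmission (different IP ID). The addresses, ports, payloads and frames 10/11 are constructed; frames 553/578 use the sequence number and IP IDs quoted above.

```python
import struct
from collections import namedtuple

Pkt = namedtuple("Pkt", "frame ip_id key")

def build(src, dst, sport, dport, ip_id, seq, payload):
    """Build a minimal IPv4+TCP packet (constructed sample data, checksums 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0, 64, 6,
                     0, bytes(src), bytes(dst))
    return ip + tcp

def parse(frame_no, raw):
    """Pull out the IP ID and a key identifying the TCP segment."""
    if raw[0] >> 4 != 4 or raw[9] != 6:
        return None                       # not IPv4 carrying TCP
    ihl = (raw[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack("!HH", raw[2:6])
    sport, dport, seq = struct.unpack("!HHI", raw[ihl:ihl + 8])
    payload_len = total_len - ihl - (raw[ihl + 12] >> 4) * 4
    if payload_len == 0:
        return None                       # pure ACKs reuse a sequence number
    key = (raw[12:16], raw[16:20], sport, dport, seq, payload_len)
    return Pkt(frame_no, ip_id, key)

def classify(frames):
    """Return (frame, earlier_frame, verdict) for each repeated segment."""
    seen, out = {}, []
    for frame_no, raw in frames:
        p = parse(frame_no, raw)
        if p is None:
            continue
        earlier = seen.setdefault(p.key, [])
        twin = next((e for e in earlier if e.ip_id == p.ip_id), None)
        if twin is not None:
            out.append((frame_no, twin.frame, "duplicate"))
        elif earlier:
            out.append((frame_no, earlier[0].frame, "retransmission"))
        earlier.append(p)
    return out

A, B = (192, 0, 2, 1), (198, 51, 100, 2)  # documentation addresses (assumed)
SAMPLE = [  # frames 10/11 are constructed; 553/578 use the values from the post
    (10, build(A, B, 40000, 80, 4242, 1000, b"x" * 8)),
    (11, build(A, B, 40000, 80, 4242, 1000, b"x" * 8)),
    (553, build(A, B, 40000, 80, 48058, 2171548184, b"y" * 8)),
    (578, build(A, B, 40000, 80, 48083, 2171548184, b"y" * 8)),
]
print(classify(SAMPLE))
```

Segments without payload are skipped, so a SYN or FIN that is sent again is not reported by this sketch.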
