Retransmissions Galore in Wireshark! Key Checks Before Suspecting Network Issues
*This article is an English translation of the Engineer Notes article as of Oct 24, 2023.
*Please note that the content may have been updated since then.
Have you ever been surprised by numerous alerts when opening a Pcap file? I've encountered this situation several times at customers' sites. Before suspecting network trouble, there are some things you should check first. In this post, I will explain the causes and solutions.
Table of Contents
How to Address Large Numbers of Retransmissions
When you open a Pcap file, you may notice retransmissions occurring.
In such cases, determine which packets are being retransmitted. If you find that all packets, or those in the same network direction, are being retransmitted, you should verify whether they are genuine retransmission packets. The key point to check is the Identification value in the IP header.
If the Identification value in the IP header is the same for both the initial packet and the retransmitted packet, they are identical packets, not retransmissions.
Generally, the Identification value is a unique number specific to the IP, which remains unique for each packet unless the source and destination addresses are the same, except for fragmented packets. Details about the behavior and handling of the Identification in the IP header are described in RFC6864 - 6.1. Updates to RFC791.
There are cases where incorrect default gateway settings can cause repeated retransmissions. However, such cases typically result in the retransmission of the same packet repeatedly, which leads to a different phenomenon than what is discussed here. If the same packet is continuously retransmitted and the TTL value keeps decreasing, review the default gateway settings.
Possible Causes and Solutions
If the packets are not retransmissions, you should review the packet capturing environment.
Packet capturing involves saving and displaying packets (frames) observed on the NIC of the capturing device in sequence. Therefore, if packets (frames) are duplicated on the network, the capturing device will naturally capture the same packet (frame) multiple times. In what situations does this occur?
The most likely cause is the SPAN/port mirroring configuration. SPAN/port mirroring is a feature that copies and forwards packets (frames) from the port you want to monitor. When monitoring traffic from multiple ports simultaneously via SPAN/port mirroring, packet (frame) duplication can occur. Common cases include monitoring both "in and out" on the same port or when there is traffic passing through multiple monitored ports.
The following solutions are effective in such cases:
- Review SPAN/mirroring settings to ensure there is no duplication.
- Use a TAP instead of SPAN/mirroring.
Solution #1 depends on the monitored traffic target and capture points.
Solution #2, as mentioned in TAP vs. SPAN: Choosing the Right Tool for Network Packet Capture, while TAP has its drawbacks, using a TAP is effective if the environment permits it.
Devices connected to SPAN are not limited to packet capture devices. For instance, duplicate packets (frames) can be counted by devices like flow probes or IDS. In such cases, similarly review the SPAN settings.
Duplicate Packet Removal Function of "SYNESIS"
Our packet capture product, "SYNESIS", includes a duplicate packet removal feature. This feature allows you to capture and analyze packets in the same environment without troublesome switch setting changes or adding TAPs.
When the duplicate packet removal function of SYNESIS is enabled, packets received within 100 microseconds, where data from the MAC header to excluding the FCS matches, are judged as duplicate packets (frames), and subsequent packets are not saved. This function can be enabled for each capture, depending on the environment.
If you are interested in the "SYNESIS" packet capture product, please contact us below.
Afterword
In this post, I explained the massive occurrence of retransmissions during packet capture. Packet capturing is often conducted as a troubleshooting measure when problems occur. Therefore, when many retransmissions are detected, some might assume that actual retransmissions are occurring. As mentioned in Key Insights to Know Before Starting Packet Capture, it is necessary to understand the capturing environment and how the packets were captured.
Especially when on-site work time is limited, or re-capturing is not possible, prepare thoroughly in advance to ensure appropriate and reliable packet capturing.
We hope this article is helpful for your packet capturing activities.