Duplicate Packets and TCP Retransmissions

May 16, 2016

Have you ever looked at a Wireshark trace and thought, "There's an awful lot of retransmissions there"? The problem is that the Info field in Wireshark marks a packet as a TCP Retransmission in three different situations: when it truly is one, when the packet is looping, or even when a SPAN port has been misconfigured.



Luckily, there are a few telltale signs to help us figure out the true situation.


In this week's video we look at traces for three different scenarios.



What we discover is that three values (Sequence Number, IP ID and TTL) are the keys to enlightenment.
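As an added illustration (not taken from the article or its video), the sketch below applies those three fields to constructed packet records. It assumes the sender uses a fresh IP ID for each packet it transmits; the record layout, the `classify` function and the labels are hypothetical names chosen for this example.

```python
from collections import defaultdict

# Constructed sample records, not from the article's traces:
# (frame, src, dst, sport, dport, seq, payload_len, ip_id, ttl)
SAMPLE = [
    (1, "10.0.0.5", "10.0.1.9", 50000, 443, 1000, 100, 0x1A2B, 64),
    (2, "10.0.0.5", "10.0.1.9", 50000, 443, 1000, 100, 0x1A2C, 64),  # same seq, new IP ID
    (3, "10.0.0.5", "10.0.1.9", 50000, 443, 1100, 100, 0x1A2D, 64),
    (4, "10.0.0.5", "10.0.1.9", 50000, 443, 1100, 100, 0x1A2D, 64),  # identical copy
    (5, "10.0.0.5", "10.0.1.9", 50000, 443, 1200, 100, 0x1A2E, 64),
    (6, "10.0.0.5", "10.0.1.9", 50000, 443, 1200, 100, 0x1A2E, 63),  # same IP ID, TTL changed
    (7, "10.0.0.5", "10.0.1.9", 50000, 443, 1200, 100, 0x1A2E, 62),
]


def classify(packets):
    """Label each data segment whose sequence number was already seen
    in the same flow direction. Returns {frame: label}."""
    seen = defaultdict(list)  # (flow, seq, len) -> [(ip_id, ttl), ...]
    labels = {}
    for frame, src, dst, sport, dport, seq, length, ip_id, ttl in packets:
        if length == 0:
            continue  # pure ACKs legitimately repeat a sequence number
        earlier = seen[(src, dst, sport, dport, seq, length)]
        if earlier:
            ttls_same_id = [t for i, t in earlier if i == ip_id]
            if not ttls_same_id:
                # The sender built a new IP packet for the same TCP data.
                labels[frame] = "retransmission"
            elif ttl in ttls_same_id:
                # Same IP packet, untouched: copied by the capture setup
                # (for example a SPAN session mirroring it twice).
                labels[frame] = "capture-duplicate"
            else:
                # Same IP packet after a router changed its TTL: a loop,
                # or capture points on both sides of a router.
                labels[frame] = "loop"
        earlier.append((ip_id, ttl))
    return labels


if __name__ == "__main__":
    for frame, label in sorted(classify(SAMPLE).items()):
        print(frame, label)
```

The same fields can be exported from a real capture with Wireshark's `tcp.seq`, `ip.id` and `ip.ttl` columns and fed to the function in this record layout.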

