Ethereal-dev: Re: [Ethereal-dev] TCP/IP Retransmission

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Ian Schorr <ethereal@xxxxxxxxxxxxx>
Date: Mon, 22 Mar 2004 12:12:14 -0500
Sniffer Pro's Expert System feature is well-known for being faulty and misleading. 4.5 DID have quite a few problems "detecting" retransmissions properly - particularly if their Sniffer was placed at a point where the packet loss would have already occurred (so that the trace didn't contain the original segment AND the retransmitted segment) it wouldn't flag any retransmissions.
...Which is one of the dangers of relying on the tool to perform 100% of 
your analysis, 100% of the time.   The tool may not be working (and you 
may have no idea).  Did they do no analysis of their own to see if they 
could determine if packets were being lost/retransmitted?  Especially in 
a case where there is finger-pointing going on, they should be 
double-checking the results - my guess is that they wouldn't know how.
Later versions of Sniffer, up through 4.75SP2 made some improvements in 
this area, though it still doesn't do a terribly good job.
I'd trust Ethereal on this one, though do some spot-checking to make 
sure it's not lying to you.  Ethereal's TCP Analysis feature is very 
very good, but not perfect - it does occasionally (rarely) provide false 
positives or mis-diagnoses.
Use this technique to prove to them - try to arrange to have captures 
taken simultaneously on both sides of the link that you suspect is 
faulty.  Find a retransmission event, and figure out what happened - was 
the packet actually "lost" on the link?  If so, you should be able to 
find the original copy of a retransmitted segment sent out to the SP's 
link AS WELL as the retransmitted segment (and in such a trace even 
Sniffer *should* find the retransmission), but when you look at the 
trace on the other side of the link, that original segment should be 
gone.  Ask them where the packet went?
Ian

Chula Bandara wrote:

Hi i am using Etereal Version 0.10.0a and this was very useful to me solving connectivity issues with our Service Providers. Few days back i had a similar problem that i see TCP retransmission but one of my Service Provider did not those retransmissions. My SP was using Network Associates Sniffer Pro Version 4.50.04. and i got some of captured files from the Sniffer. Surprisingly when i open those files with Ethereal , it sees Retransmissions , Packet Losses , Duplicate ACks etc..
could this be a bug in Ethereal or the Sniffer
thanks you in advance.
cbandara