Sniffer Pro's Expert System feature is well-known for being faulty and
misleading. 4.5 DID have quite a few problems "detecting"
retransmissions properly - particularly if their Sniffer was placed at a
point where the packet loss would have already occurred (so that the
trace didn't contain the original segment AND the retransmitted segment)
it wouldn't flag any retransmissions.

...Which is one of the dangers of relying on the tool to perform 100% of
your analysis, 100% of the time. The tool may not be working (and you
may have no idea). Did they do no analysis of their own to see if they
could determine if packets were being lost/retransmitted? Especially in
a case where there is finger-pointing going on, they should be
double-checking the results - my guess is that they wouldn't know how.

Later versions of Sniffer, up through 4.75SP2 made some improvements in
this area, though it still doesn't do a terribly good job.

I'd trust Ethereal on this one, though do some spot-checking to make
sure it's not lying to you. Ethereal's TCP Analysis feature is very
very good, but not perfect - it does occasionally (rarely) provide false
positives or mis-diagnoses.

Use this technique to prove to them - try to arrange to have captures
taken simultaneously on both sides of the link that you suspect is
faulty. Find a retransmission event, and figure out what happened - was
the packet actually "lost" on the link? If so, you should be able to
find the original copy of a retransmitted segment sent out to the SP's
link AS WELL as the retransmitted segment (and in such a trace even
Sniffer *should* find the retransmission), but when you look at the
trace on the other side of the link, that original segment should be
gone. Ask them where the packet went?

Ian

Chula Bandara wrote:
Hi, I am using Ethereal Version 0.10.0a and this was very useful to me
solving connectivity issues with our Service Providers. A few days back
I had a similar problem that I see TCP retransmission but one of my
Service Providers did not see those retransmissions. My SP was using
Network Associates Sniffer Pro Version 4.50.04, and I got some of the
captured files from the Sniffer. Surprisingly, when I open those files
with Ethereal, it sees Retransmissions, Packet Losses, Duplicate
ACKs etc.
Could this be a bug in Ethereal or the Sniffer?
Thank you in advance.
cbandara
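
The two-sided capture comparison described in the reply above, as an added example that is not part of the original thread: it matches data segments between a capture taken before the suspect link and one taken after it. The record layout, the function names and the sample packets are assumptions made for illustration; real input would be fields exported from the two trace files.

```python
from collections import Counter

def segment_key(pkt):
    # Raw (not relative) sequence numbers, so both captures agree even if
    # one of them missed the SYN. Assumes no NAT between the capture points.
    return (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"],
            pkt["seq"], pkt["len"])

def count_segments(capture):
    # Only data-bearing segments; pure ACKs (len 0) reuse sequence numbers.
    return Counter(segment_key(p) for p in capture if p["len"] > 0)

def classify_retransmissions(near_side, far_side):
    """For each segment seen more than once before the link, report how many
    copies made it to the far side."""
    near, far = count_segments(near_side), count_segments(far_side)
    findings = []
    for key, sent in sorted(near.items()):
        if sent < 2:
            continue  # never retransmitted at the near capture point
        arrived = far.get(key, 0)
        verdict = "lost_on_link" if arrived < sent else "crossed_link"
        findings.append({"seq": key[4], "sent": sent,
                         "arrived": arrived, "verdict": verdict})
    return findings

def seg(seq, length=1460):
    # Constructed sample segment; addresses are documentation ranges.
    return {"src": "192.0.2.10", "dst": "198.51.100.20",
            "sport": 40000, "dport": 80, "seq": seq, "len": length}

# Constructed captures: near = sender's side of the SP link, far = other side.
NEAR = [seg(1000), seg(2460), seg(3920), seg(2460), seg(3920)]
FAR = [seg(1000), seg(3920), seg(2460), seg(3920)]

if __name__ == "__main__":
    for f in classify_retransmissions(NEAR, FAR):
        print(f)
```

A "lost_on_link" finding is the case where the original went out to the link and only one copy appears on the other side; "crossed_link" means every copy crossed, so the cause of that retransmission lies somewhere other than this link.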