ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
April 17th, 2024 | 14:30-16:00 SGT (UTC+8) | Online
Wireshark logo

Wireshark-users: Re: [Wireshark-users] Retransmissions inconsstent btw. wireshark and netstat

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Jock Purnell <jock@xxxxxxxxxxxx>
Date: Sun, 17 Feb 2008 11:17:40 -0800 (PST)
Thanks for the input.  I know we've tried changing the duplex and speed settings for the NIC's, and it doesn't seem to make any difference.   I'm going to try again, though, in a more controlled environment.

To answer the question about the statistics.   It's under the "Statistics for IPv4".
Segments transmitted goes up by about 150, and segments retransmitted goes up by about 1,000.  By my calculation, it should take a bit more than 1,050 segments to send the 1.5Meg file.



Sake Blok <sake@xxxxxxxxxx> wrote:
On Sat, Feb 16, 2008 at 05:01:49PM -0800, Jock Purnell wrote:
>
> I'm running into a situation where netstat on a Windows XP PC
> and wireshark are not consistent.
>
> We've been running FTP tests between a Windows XP client
> workstation and various FTP Servers. When we look at netstat
> on the client PC, it looks like there are lots of retransmissions.
> For a 1.5Meg file, I get 1,000 retransmissions, and only about 150
> additional packets.

What exactly are you pointing to with the 1000 retransmissions and
the 150 additional packets. I assume with "1000 retransmissions"
you mean that under the "TCP Statistics for IPv4" there is a
value of 1000 at "Segments Retransmitted"? If that's the case,
where does the value 150 come from?

> I use Wireshark on another PC, connected
> to a hub that also has the workstation attached. Wireshark
> appears to capture all the packets, but sees no retransmissions.
> I've used the Analyze capability to look for retransmissions,
> fast retransmits, and Dup Ack's, but I get none. I've looked at
> the sequence #'s on the packets and the acks in the trace, and
> they all seem to be correct, and none are retransmitted or
> duplicated.

If the PC from which you collected the retransmission statistics
from is also connected to a hub, it means it's NIC is in half-
duplex mode. That means there can be collissions on that network.
Could it be that there are collissions on that NIC that are
counted as retransmissions as the packets need to be resend if
during sending a collission is detected?

Cheers,
Sake
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users

Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube