Menu
As far as I know pyshark is a Python wrapper to tshark which is the command line version of Wireshark. Since Wireshark and tshark allow to detect TCP retransmission, I was wondering how I could to that using pyshark. I haven't find any good documentation so I am not sure whether you can't just do that, or whether I just can't find the proper way. Thank you!
737
TCP Retransmissions This is indicated on the sequence number field of the TCP header. When the receiving socket detects an incoming segment of data, it uses the acknowledgement number in the TCP header to indicate receipt. After sending a packet of data, the sender will start a retransmission timer of variable length.
TCP (the Transmission Control Protocol) connects network devices to the internet. When an outbound segment is handed down to an IP and there's no acknowledgment for the data before TCP's automatic timer expires, the segment is retransmitted.
The retransmission rate of traffic from and to the Internet should not exceed 2%. If the rate is higher, the user experience of your service may be affected.
The code below detects TCP retransmissions in pyshark
import pyshark
###################################################
# these filters can be applied under LiveCapture
# display_filter: A display (wireshark) filter to apply on the cap before reading it.
# display_filter='tcp.analysis.fast_retransmission'
# display_filter='tcp.analysis.retransmission'
###################################################
capture = pyshark.LiveCapture(interface='en1', display_filter='tcp.analysis.fast_retransmission')
capture.sniff(timeout=50)
for packet in capture.sniff_continuously(packet_count=5):
print ('Just arrived:', packet)
It should display this in the packets:
# display_filter='tcp.analysis.retransmission'
TCP Analysis Flags
Expert Info (Note/Sequence): This frame is a (suspected) retransmission
This frame is a (suspected) retransmission
# display_filter='tcp.analysis.fast_retransmission'
TCP Analysis Flags
This frame is a (suspected) fast retransmission
This frame is a (suspected) retransmission
Expert Info (Note/Sequence): This frame is a (suspected) fast retransmission
Expert Info (Note/Sequence): This frame is a (suspected) retransmission
If you include the only_summaries=True in LiveCapture you would see something like this:
Just arrived: 223 71.890878 fe80::cabc:c8ff:feec:d46d fe80::1416:1ca1:307c:b0e6 TCP 86 [TCP Spurious Retransmission] 59005 \xe2\x86\x92 49373 [FIN, ACK] Seq=1855 Ack=2365 Win=4096 Len=0 TSval=930665353 TSecr=692710576
Just arrived: 371 121.293913 fe80::1416:1ca1:307c:b0e6 fe80::cabc:c8ff:feec:d46d TCP 98 [TCP Retransmission] 62078 \xe2\x86\x92 59012 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1440 WS=64 TSval=692717653 TSecr=930714614 SACK_PERM=1
You can also filter these packets more specifically by applying the bpf_filter in LiveCapture to filter the TCP retransmission.
import pyshark
capture = pyshark.LiveCapture(interface='en1', bpf_filter='ip and tcp port 443', display_filter='tcp.analysis.retransmission')
capture.sniff(timeout=50)
for packet in capture.sniff_continuously(packet_count=5):
print ('Just arrived:', packet)
Here is one way to read a pcap with pyshark:
capture = pyshark.FileCapture('test.pcap', display_filter='tcp.analysis.retransmission')
counter = 0
for packet in capture:
counter +=1
print ('*' * 10, f'Retransmission packet {counter}:', '*' * 10)
# output
********** Retransmission packet 1: **********
********** Retransmission packet 2: **********
********** Retransmission packet 3: **********
********** Retransmission packet 4: **********
********** Retransmission packet 5: **********
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
