TCP Retransmission Analysis

Author: LiHui  Category: TCP/IP  Published: 2015-02-11 16:34

TCP retransmissions hurt network performance badly. The usual approach is to capture traffic, open the pcap in Wireshark, type the display filter tcp.analysis.retransmission into the filter box to show every retransmitted packet, and then check the proportion under Statistics > Summary.

But for TCP retransmissions this filter is not complete!!! Below we parse the capture on the command line with tshark.

1: First, dump the packets directly

[lihui@localhost ~]$ tshark -r retransmission.pcap 
  1   0.000000 192.168.10.180 -> 180.97.66.49 TCP 66 53180 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
  2   0.112157 180.97.66.49 -> 192.168.10.180 TCP 66 http > 53180 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1440 WS=4 SACK_PERM=1
  3   0.112914 192.168.10.180 -> 180.97.66.49 TCP 60 53180 > http [ACK] Seq=1 Ack=1 Win=66240 Len=0
  4   0.114455 192.168.10.180 -> 180.97.66.49 HTTP 996 GET /ps_default.gif?_t=1423632527913 HTTP/1.1 
  5   0.212294 180.97.66.49 -> 192.168.10.180 TCP 60 http > 53180 [ACK] Seq=1 Ack=943 Win=16484 Len=0
  6   0.216694 180.97.66.49 -> 192.168.10.180 HTTP 382 HTTP/1.1 200 OK  (GIF89a) (GIF89a) (image/gif)
  7   0.263860 180.97.66.49 -> 192.168.10.180 HTTP 382 [TCP Retransmission] HTTP/1.1 200 OK  (GIF89a) (GIF89a) (image/gif)
  8   0.264872 192.168.10.180 -> 180.97.66.49 TCP 66 53180 > http [ACK] Seq=943 Ack=329 Win=65912 Len=0 SLE=1 SRE=329
  9   0.324954 180.97.66.49 -> 192.168.10.180 HTTP 382 [TCP Retransmission] HTTP/1.1 200 OK  (GIF89a) (GIF89a) (image/gif)
 10   0.325544 192.168.10.180 -> 180.97.66.49 TCP 66 [TCP Dup ACK 8#1] 53180 > http [ACK] Seq=943 Ack=329 Win=65912 Len=0 SLE=1 SRE=329
 11  20.817399 180.97.66.49 -> 192.168.10.180 TCP 60 http > 53180 [FIN, ACK] Seq=329 Ack=943 Win=16484 Len=0
 12  20.817668 192.168.10.180 -> 180.97.66.49 TCP 60 53180 > http [ACK] Seq=943 Ack=330 Win=65912 Len=0
 13  22.252741 192.168.10.180 -> 180.97.66.49 TCP 60 53180 > http [FIN, ACK] Seq=943 Ack=330 Win=65912 Len=0
 14  22.562339 192.168.10.180 -> 180.97.66.49 TCP 60 [TCP Retransmission] 53180 > http [FIN, ACK] Seq=943 Ack=330 Win=65912 Len=0
 15  23.187754 192.168.10.180 -> 180.97.66.49 TCP 60 [TCP Retransmission] 53180 > http [FIN, ACK] Seq=943 Ack=330 Win=65912 Len=0
 16  24.426780 192.168.10.180 -> 180.97.66.49 TCP 60 [TCP Retransmission] 53180 > http [FIN, ACK] Seq=943 Ack=330 Win=65912 Len=0
 17  26.911087 192.168.10.180 -> 180.97.66.49 TCP 60 [TCP Retransmission] 53180 > http [FIN, ACK] Seq=943 Ack=330 Win=65912 Len=0
 18  31.876480 192.168.10.180 -> 180.97.66.49 TCP 60 [TCP Retransmission] 53180 > http [FIN, ACK] Seq=943 Ack=330 Win=65912 Len=0
 19  41.801527 192.168.10.180 -> 180.97.66.49 TCP 60 53180 > http [RST, ACK] Seq=944 Ack=330 Win=0 Len=0

Looking by eye, there are 7 packets marked [TCP Retransmission]: numbers 7, 9, 14, 15, 16, 17 and 18. Two of them are retransmitted HTTP packets; their Seq and Ack are not shown, but they are in fact the server's response being retransmitted. The last 5 are the FIN being retransmitted during the four-way close; you can see they all carry the same Seq=943 Ack=330.

The key, however, is packet 10, flagged [TCP Dup ACK 8#1] with Seq=943 Ack=329. Now look at packet 8, sent in the same direction: it also has Seq=943 Ack=329. So packet 10 is packet 8 being sent again, yet it is not labelled [TCP Retransmission] and is easy to miss.

2: Parse only TCP Retransmission; note that fast retransmissions are already included under retransmissions

[lihui@localhost ~]$ tshark -r retransmission.pcap -T fields -e frame.number -e tcp.analysis.retransmission
1
2
3
4
5
6
7       1
8
9       1
10
11
12
13
14      1
15      1
16      1
17      1
18      1
19

This finds the 7 packets just mentioned.

3: Parse TCP Dup ACK

[lihui@localhost ~]$ tshark -r retransmission.pcap -T fields -e frame.number -e tcp.analysis.duplicate_ack
1
2
3
4
5
6
7
8
9
10      1
11
12
13
14
15
16
17
18
19

Only one packet, but it really is a retransmitted packet, so in fact there are 8 TCP retransmitted packets.

4: Combined parsing

[lihui@localhost ~]$ tshark -r retransmission.pcap -T fields -e frame.number -e tcp.analysis.duplicate_ack -e tcp.analysis.retransmission
1
2
3
4
5
6
7               1
8
9               1
10      1
11
12
13
14              1
15              1
16              1
17              1
18              1
19

This lists all the retransmitted packets. To get the total directly:

[lihui@localhost ~]$ tshark -r retransmission.pcap -T fields -e frame.number -e tcp.analysis.duplicate_ack -e tcp.analysis.retransmission | awk '{if ($2) print $2}' | wc -l
8
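As an added example (not from the original post), the same count done in Python over the combined field output above. The awk one-liner works only because awk collapses the run of tabs around the empty column; splitting on a literal tab keeps each column in place, so a frame flagged only as a retransmission is never confused with one flagged only as a duplicate ACK. The sample text is constructed from the 19-frame output shown above.

```python
from collections import Counter

# Constructed sample: the 19 frames above, in the column order
# frame.number, tcp.analysis.duplicate_ack, tcp.analysis.retransmission,
# exactly as `tshark -T fields` prints them (tab-separated, empty columns kept).
SAMPLE_OUTPUT = (
    "1\t\t\n2\t\t\n3\t\t\n4\t\t\n5\t\t\n6\t\t\n7\t\t1\n8\t\t\n9\t\t1\n10\t1\t\n"
    "11\t\t\n12\t\t\n13\t\t\n14\t\t1\n15\t\t1\n16\t\t1\n17\t\t1\n18\t\t1\n19\t\t\n"
)

FIELDS = ("frame.number", "tcp.analysis.duplicate_ack", "tcp.analysis.retransmission")


def parse_fields(text, fields=FIELDS):
    """Yield (frame_number, {field: value}) for every non-empty line.

    Lines are split on a literal tab so an empty column keeps its position;
    a line with fewer columns than expected is padded with empty strings.
    """
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        cols += [""] * (len(fields) - len(cols))
        row = dict(zip(fields, cols))
        yield int(row["frame.number"]), row


def classify(text):
    """Return {frame: label} for each frame flagged by either analysis field."""
    labels = {}
    for frame, row in parse_fields(text):
        if row["tcp.analysis.retransmission"]:
            labels[frame] = "retransmission"
        elif row["tcp.analysis.duplicate_ack"]:
            labels[frame] = "dup_ack"
    return labels


def summarize(text):
    """Per-label counts plus the combined total the awk pipeline prints."""
    counts = Counter(classify(text).values())
    counts["total"] = sum(counts.values())
    return counts


if __name__ == "__main__":
    for frame, label in sorted(classify(SAMPLE_OUTPUT).items()):
        print(f"frame {frame:>2}: {label}")
    print(dict(summarize(SAMPLE_OUTPUT)))
```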

Just messing around.
