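TCP retransmissions seriously hurt network performance. The usual approach is to capture traffic, open the pcap file in Wireshark, and enter the condition tcp.analysis.retransmission in the filter box, which filters out all retransmitted packets; Summary under Statistics then shows their share of the traffic.
But filtering this way does not actually catch all TCP retransmissions!!! Below, the capture is analyzed on the command line with tshark.
1: First, parse the capture packet by packet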
[lihui@localhost ~]$ tshark -r retransmission.pcap
1 0.000000 192.168.10.180 -> 180.97.66.49 TCP 66 53180 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
2 0.112157 180.97.66.49 -> 192.168.10.180 TCP 66 http > 53180 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1440 WS=4 SACK_PERM=1
3 0.112914 192.168.10.180 -> 180.97.66.49 TCP 60 53180 > http [ACK] Seq=1 Ack=1 Win=66240 Len=0
4 0.114455 192.168.10.180 -> 180.97.66.49 HTTP 996 GET /ps_default.gif?_t=1423632527913 HTTP/1.1
5 0.212294 180.97.66.49 -> 192.168.10.180 TCP 60 http > 53180 [ACK] Seq=1 Ack=943 Win=16484 Len=0
6 0.216694 180.97.66.49 -> 192.168.10.180 HTTP 382 HTTP/1.1 200 OK (GIF89a) (GIF89a) (image/gif)
7 0.263860 180.97.66.49 -> 192.168.10.180 HTTP 382 [TCP Retransmission] HTTP/1.1 200 OK (GIF89a) (GIF89a) (image/gif)
8 0.264872 192.168.10.180 -> 180.97.66.49 TCP 66 53180 > http [ACK] Seq=943 Ack=329 Win=65912 Len=0 SLE=1 SRE=329
9 0.324954 180.97.66.49 -> 192.168.10.180 HTTP 382 [TCP Retransmission] HTTP/1.1 200 OK (GIF89a) (GIF89a) (image/gif)
10 0.325544 192.168.10.180 -> 180.97.66.49 TCP 66 [TCP Dup ACK 8#1] 53180 > http [ACK] Seq=943 Ack=329 Win=65912 Len=0 SLE=1 SRE=329
11 20.817399 180.97.66.49 -> 192.168.10.180 TCP 60 http > 53180 [FIN, ACK] Seq=329 Ack=943 Win=16484 Len=0
12 20.817668 192.168.10.180 -> 180.97.66.49 TCP 60 53180 > http [ACK] Seq=943 Ack=330 Win=65912 Len=0
13 22.252741 192.168.10.180 -> 180.97.66.49 TCP 60 53180 > http [FIN, ACK] Seq=943 Ack=330 Win=65912 Len=0
14 22.562339 192.168.10.180 -> 180.97.66.49 TCP 60 [TCP Retransmission] 53180 > http [FIN, ACK] Seq=943 Ack=330 Win=65912 Len=0
15 23.187754 192.168.10.180 -> 180.97.66.49 TCP 60 [TCP Retransmission] 53180 > http [FIN, ACK] Seq=943 Ack=330 Win=65912 Len=0
16 24.426780 192.168.10.180 -> 180.97.66.49 TCP 60 [TCP Retransmission] 53180 > http [FIN, ACK] Seq=943 Ack=330 Win=65912 Len=0
17 26.911087 192.168.10.180 -> 180.97.66.49 TCP 60 [TCP Retransmission] 53180 > http [FIN, ACK] Seq=943 Ack=330 Win=65912 Len=0
18 31.876480 192.168.10.180 -> 180.97.66.49 TCP 60 [TCP Retransmission] 53180 > http [FIN, ACK] Seq=943 Ack=330 Win=65912 Len=0
19 41.801527 192.168.10.180 -> 180.97.66.49 TCP 60 53180 > http [RST, ACK] Seq=944 Ack=330 Win=0 Len=0
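Reading the output by eye, there are 7 packets marked [TCP Retransmission], numbered 7, 9, 14, 15, 16, 17 and 18. The two retransmitted HTTP packets do not show Seq and Ack; they are in fact the server's response being retransmitted. The last 5 packets are retransmissions of the FIN during TCP's four-way close, and all of them carry the same Seq=943 Ack=330.
The key, though, is packet 10, which is marked [TCP Dup ACK 8#1] with Seq=943 Ack=329. Packet 8, in the same direction, also has Seq=943 Ack=329, which shows that packet 10 is a retransmission of packet 8. It is not marked [TCP Retransmission], however, so it is easy to miss.
2: Parse only TCP Retransmission; note that fast retransmissions are already included in retransmissions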
[lihui@localhost ~]$ tshark -r retransmission.pcap -T fields -e frame.number -e tcp.analysis.retransmission
1
2
3
4
5
6
7	1
8
9	1
10
11
12
13
14	1
15	1
16	1
17	1
18	1
19
This finds the 7 packets just mentioned.
3: Parse TCP Dup ACK
[lihui@localhost ~]$ tshark -r retransmission.pcap -T fields -e frame.number -e tcp.analysis.duplicate_ack
1
2
3
4
5
6
7
8
9
10	1
11
12
13
14
15
16
17
18
19
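There is only one such packet, but it is indeed a retransmitted packet, which means there are actually 8 TCP retransmission packets.
4: Combined analysis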
[lihui@localhost ~]$ tshark -r retransmission.pcap -T fields -e frame.number -e tcp.analysis.duplicate_ack -e tcp.analysis.retransmission
1
2
3
4
5
6
7	1
8
9	1
10	1
11
12
13
14	1
15	1
16	1
17	1
18	1
19
This lists all the retransmitted packets. To get the total directly:
[lihui@localhost ~]$ tshark -r retransmission.pcap -T fields -e frame.number -e tcp.analysis.duplicate_ack -e tcp.analysis.retransmission | awk '{if ($2) print $2}' | wc -l
8
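The awk filter in step 4 relies on default whitespace splitting, so it cannot tell which of the two flags was set on a frame. The following is an added example, not part of the original post, that splits on tabs and reports each flag separately along with the frame numbers. It assumes tshark's default tab separator for -T fields with unset fields emitted as empty columns; sample_fields and summarize are hypothetical names, and the sample data is the step 4 output reconstructed under that assumption.

```shell
#!/bin/sh
# Added example: classify frames from `tshark -T fields` output by column.
# Input columns (tab-separated, assumed default for -T fields):
#   frame.number <TAB> tcp.analysis.duplicate_ack <TAB> tcp.analysis.retransmission
# An unset field is an empty column, so split on tabs explicitly.

# Constructed sample: the step 4 output for retransmission.pcap,
# with the empty columns written out as tabs.
sample_fields() {
    printf '1\t\t\n2\t\t\n3\t\t\n4\t\t\n5\t\t\n6\t\t\n'
    printf '7\t\t1\n8\t\t\n9\t\t1\n10\t1\t\n'
    printf '11\t\t\n12\t\t\n13\t\t\n'
    printf '14\t\t1\n15\t\t1\n16\t\t1\n17\t\t1\n18\t\t1\n19\t\t\n'
}

# summarize: reads the three-column output on stdin and prints one line:
#   retrans=<n> dup_ack=<n> total=<n> frames=<comma-separated frame numbers>
# A frame carrying both flags is counted once in total.
summarize() {
    awk -F'\t' '
        $2 != "" { dup++ }
        $3 != "" { ret++ }
        $2 != "" || $3 != "" {
            frames = frames (frames == "" ? "" : ",") $1
            total++
        }
        END {
            printf "retrans=%d dup_ack=%d total=%d frames=%s\n", ret, dup, total, frames
        }
    '
}

# Against a real capture (same fields as step 4):
#   tshark -r retransmission.pcap -T fields -e frame.number \
#       -e tcp.analysis.duplicate_ack -e tcp.analysis.retransmission | summarize
sample_fields | summarize
```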