TCP Packets Retransmission

Filter: (tcp.analysis.retransmission || tcp.analysis.out_of_order)

If the original packet is in the capture and it's retransmitted for whatever reason, the retransmitted packet will be flagged as retransmission (fast, spurious or timer based retransmission).

[TCP Retransmission] → Sender resent a segment because ACK not received.

[TCP Fast Retransmission] → Triggered by 3 duplicate ACKs.

[TCP Spurious Retransmission] → Wireshark thinks it’s retransmitted, but it might just be reordering.

If the original packet is not in the capture the retransmitted packet will be flagged as "out-of-order".

Even if the original packet is missing, Wireshark will still try to distinguish between retransmissions and true out-of-order packets. If the TCP three-way handshake packets are in the capture file, Wireshark versions 1.12.0 and later will flag the packet as out-of-order if it shows up within the Initial Round Trip Time from the preceding packet, and as a retransmission if it takes more than the Initial Round Trip Time. If the handshake packets are not present, or if it's a version prior to 1.12.0, Wireshark will compare to a hard-coded value of 3 ms instead of to the Initial Round Trip Time.

Wireshark can mis-identify out-of-order packets as retransmission, and vice versa, but it will not automatically identify retransmissions as out-of-order just because the original packet is not in the capture file.