The Expert Infos in Wireshark are very helpful, but are they always right? You need to understand how TCP behaves to know if you can trust what Wireshark tells you. Let’s take Fast Retransmissions. Here’s what RFC 2581 says:
The TCP sender SHOULD use the "fast retransmit" algorithm to detect and repair loss, based on incoming duplicate ACKs. The fast retransmit algorithm uses the arrival of 3 duplicate ACKs (4 identical ACKs without the arrival of any other intervening packets) as an indication that a segment has been lost. After receiving 3 duplicate ACKs, TCP performs a retransmission of what appears to be the missing segment, without waiting for the retransmission timer to expire.
The devil is in the implementation and some TCP stacks will fast retransmit after the 3rd identical ACK (2nd duplicate ACK). After the fast retransmit, the sender will go into fast recovery mode instead of slow start.
So knowing that, have a look over this pcap and tell me in the comments if frame 24 is really a Fast Retransmission and why or why not. Be careful and pay attention to the details!
If you’d like to see the video of my explanation and walk through, just sign up for the email list below and you’ll get a link to the subscriber-only videos. This one is called “When is a Fast Retransmission not a Fast Retransmission?” Once you confirm your email address, you will get an email with the link within an hour.
BONUS QUESTION: TCP usually ACKs every other packet but you can see every packet is being ACKed. Why?