How does ExtraHop calculate an RTO?


What is the “event” that ExtraHop uses to increment the RTO metric? How is an RTO “seen” on the wire?

I’m reposting a message from the old community forums about this very subject, courtesy of @coachk.

  • Dropped segments out = # packets dropped on the way from the current device to other devices
  • Retransmissions out = # of times data is resent by the current device to other devices

Notice the word “times” in the retransmissions description. The ExtraHop “retransmissions out” counter may be less than the “dropped segments out” counter, because multiple consecutive dropped segments may be retransmitted together in one retransmission episode. The appliance counts retransmission episodes, not packets (see explanation below). Pretty slight difference, but significant, and it may account for a difference in how some other tools present the same information.

Explanation: The ExtraHop appliance records a retransmission per-episode to be consistent with TCP analysis papers. In other words, consider this:

  1. Packets A B C D transmitted
  2. B and C are dropped. That’s 2 drops.
  3. B and C are now retransmitted in one shot back-to-back. That’s one retransmission episode (i.e. one recovery.) So 1 retransmission episode comprising two segments.

Additionally, there’s a great article on the ExtraHop blog that goes into more details about RTOs and how ExtraHop simulates the TCP state machine to count the RTOs here:
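
The per-episode counting described in the reposted explanation, as an added example that is not part of the original post and is not ExtraHop's code. It assumes a simplified model: a data segment counts as retransmitted when all of its bytes were already sent, back-to-back retransmitted segments form one episode, and sequence-number wraparound is ignored. The `Segment` type, the function name and the sample trace are constructed for illustration.

```python
from typing import Iterable, NamedTuple, Tuple


class Segment(NamedTuple):
    seq: int      # starting TCP sequence number of the payload
    length: int   # payload length in bytes


def count_retransmissions(segments: Iterable[Segment]) -> Tuple[int, int]:
    """Return (retransmitted_segments, retransmission_episodes).

    `segments` are one sender's segments in capture order. A per-packet
    tool would report the first number; a per-episode counter, as the
    post describes, would report the second.
    """
    highest_end = None   # one past the highest byte sent so far
    in_episode = False   # True while consecutive retransmits continue
    retransmitted = 0
    episodes = 0
    for seg in segments:
        if seg.length == 0:
            continue  # pure ACKs carry no data to retransmit
        end = seg.seq + seg.length
        if highest_end is not None and end <= highest_end:
            # Every byte of this segment was sent before: a retransmit.
            retransmitted += 1
            if not in_episode:
                episodes += 1      # first segment of a new recovery
                in_episode = True
        else:
            # New data ends any retransmission episode in progress.
            in_episode = False
            highest_end = end if highest_end is None else max(highest_end, end)
    return retransmitted, episodes


# Constructed trace matching the post: A B C D sent, then B and C resent.
A, B, C, D = (Segment(1000 + i * 1000, 1000) for i in range(4))
SAMPLE_TRACE = [A, B, C, D, B, C]

if __name__ == "__main__":
    segs, eps = count_retransmissions(SAMPLE_TRACE)
    print(f"retransmitted segments: {segs}, retransmission episodes: {eps}")
```
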