How can you identify a TCP retransmission versus a normal out-of-order delivery in Wireshark?

The key idea is that Wireshark’s TCP analysis flags explicitly mark retransmissions, so you can filter and see exactly which segments were resent. When the TCP stack detects that data wasn’t acknowledged in time, it flags a packet as a retransmission, and it also flags fast retransmissions that occur due to duplicate ACKs. By filtering on tcp.analysis.retransmission and tcp.analysis.fast_retransmission, you can isolate retransmitted segments and distinguish them from packets that simply arrived out of order. Out-of-order deliveries are tracked separately (tcp.analysis.out_of_order), so you can tell apart a true retransmission from normal reordering. Other ideas like inspecting a sequence number gap or filtering on the SYN flag don’t reliably identify retransmissions, and TTL has no relation to retransmission behavior.