The SYN packet is reporting a broken TCP. Why is this being reported in the SYN, and is there any possible issue for the rest of the connections?

asked 23 Sep '12, 07:59 ws2006
One Answer:
"Broken TCP" Expert Infos messages refer to a packet that does not comply with some aspect of the TCP specification, but that doesn't necessarily mean that there will be a problem with the communication. If would be helpful if you gave the entire error message. Are you seeing this one: "Acknowledgment number: Broken TCP. The acknowledge field is nonzero while the ACK flag is not set" ? In a TCP packet, when the ACK bit is not set, the Acknowledgment Number field is supposed to be set to zero. This error message means that the packet violates that rule: The ACK bit is not set, but the Acknowledgment Number field is not zero. The very first packet of a TCP three-way handshake will not have the ACK bit set because the system sending the SYN packet has not heard from the other system yet. It isn't acknowledging any data, and it doesn't know the other system's initial sequence number yet, so it can't calculate a valid ACK number. In this circumstance, the Acknowledgment Number field SHOULD be set to zero, but I've captured some traces where that isn't the case. Although it's non-compliant, this doesn't necessarily cause a problem when it's in the SYN packet. Because the ACK bit is not set, the receiving system will usually ignore the contents of the Acknowledgment Number field, so it won't be aware of the error. answered 23 Sep '12, 17:28 Jim Aragon Hmm. I don't see anything in RFC 793 or RFC 1122 about the acknowledgment number field having to be zero if the ACK flag isn't set, so this might be an indication of a TCP stack that forgot to set the ACK bit on a packet, but it's not an actual violation of the TCP specification. Perhaps the check we're doing should just check for non-initial-SYN packets without ACK. (23 Sep '12, 19:04) Guy Harris ♦♦ Now that I look, I can't find anything in the RFCs either. 
I did find an Internet draft titled "Normalization in the unused header fields of TCP/IP" that says "When the ACK bit is not set, the value of the acknowledgement field MUST be normalized. It must be set to some predefined value." However, it looks like this draft expired without ever becoming an RFC. (23 Sep '12, 19:44) Jim Aragon Without any intention to start a discussion about RFC interpretation: RFC793 states:
Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
You may be referring to the fact that the ACK field is not set, and yet the ACK field is non-zero. Is that the error message you're getting?
Presumably "ACK flag is not set"?
Yes. "Acknowledgement Number: 0xa300898e [should be 0x00000000 because Ack flag is not set." The acknowledge field is non-zero while the ACK flag is not set.
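
The condition discussed in this thread, as an added example that is not part of the original posts and is not Wireshark's own code: a Python check over raw TCP header bytes that reports a non-zero Acknowledgment Number field while the ACK flag is clear, alongside the alternative check suggested in the comments (a non-SYN segment without ACK). The function names, finding labels and sample segments are constructed for illustration; only the value 0xa300898e comes from the thread.

```python
import struct

# TCP flag bits in byte 13 of the header (RFC 793 layout).
SYN, ACK = 0x02, 0x10


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte part of a TCP header from raw bytes."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header: need at least 20 bytes")
    sport, dport, seq, ack, _off, flags, _win, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def ack_field_findings(segment: bytes) -> list:
    """Return labels (made up for this example) for the two checks in the thread."""
    hdr = parse_tcp_header(segment)
    ack_set = bool(hdr["flags"] & ACK)
    syn_set = bool(hdr["flags"] & SYN)
    findings = []
    # Check described in the answer: ACK flag clear, Acknowledgment Number non-zero.
    if not ack_set and hdr["ack"] != 0:
        findings.append("ack-nonzero-without-ACK-flag")
    # Alternative suggested in the comments: a non-SYN segment without ACK.
    if not ack_set and not syn_set:
        findings.append("non-SYN-without-ACK-flag")
    return findings


def build_segment(seq: int, ack: int, flags: int) -> bytes:
    """Build a constructed 20-byte header (ports, window and checksum are dummies)."""
    return struct.pack("!HHIIBBHHH", 49152, 80, seq, ack, 5 << 4, flags, 65535, 0, 0)


# Constructed samples; 0xa300898e is the ack value quoted in the thread.
SAMPLES = {
    "syn_nonzero_ack": build_segment(1000, 0xA300898E, SYN),
    "clean_syn": build_segment(1000, 0, SYN),
    "syn_ack": build_segment(5000, 1001, SYN | ACK),
    "data_without_ack": build_segment(1001, 0, 0x08),  # PSH only
}

if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        print(f"{name}: {ack_field_findings(seg) or 'no findings'}")
```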