This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Dup ACKs question

0
1

I have a capture of the beginning of a file transfer where there is a number of duplicate ACKs. This capture was taken between the client and server.

   1: 15:56:07.240527 172.16.1.1.51629 > 192.168.1.100.80: S 1044283510:1044283510(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
   2: 15:56:07.240740 192.168.1.100.80 > 172.16.1.1.51629: S 1864868747:1864868747(0) ack 1044283511 win 4140 <mss 1380,nop,wscale 0,sackOK,eol>
   3: 15:56:07.241290 172.16.1.1.51629 > 192.168.1.100.80: . ack 1864868748 win 16560
   4: 15:56:07.241991 172.16.1.1.51629 > 192.168.1.100.80: P 1044283511:1044283940(429) ack 1864868748 win 16560
   5: 15:56:07.242831 192.168.1.100.80 > 172.16.1.1.51629: . 1864868748:1864870128(1380) ack 1044283940 win 4569
   6: 15:56:07.242846 192.168.1.100.80 > 172.16.1.1.51629: P 1864870128:1864870267(139) ack 1044283940 win 4569
   7: 15:56:07.242861 192.168.1.100.80 > 172.16.1.1.51629: . 1864870267:1864871647(1380) ack 1044283940 win 4569
   8: 15:56:07.242876 192.168.1.100.80 > 172.16.1.1.51629: . 1864871647:1864873027(1380) ack 1044283940 win 4569
   9: 15:56:07.243273 172.16.1.1.51629 > 192.168.1.100.80: . ack 1864868748 win 16560 <nop,nop,sack sack 1 {1864870128:1864870267} >
   10: 15:56:07.243288 172.16.1.1.51629 > 192.168.1.100.80: . ack 1864868748 win 16560 <nop,nop,sack sack 1 {1864870128:1864871647} >
   11: 15:56:07.243288 172.16.1.1.51629 > 192.168.1.100.80: . ack 1864868748 win 16560 <nop,nop,sack sack 1 {1864870128:1864873027} >
   12: 15:56:07.243487 192.168.1.100.80 > 172.16.1.1.51629: P 1864873027:1864874407(1380) ack 1044283940 win 4569
   13: 15:56:07.243487 192.168.1.100.80 > 172.16.1.1.51629: P 1864874407:1864875787(1380) ack 1044283940 win 4569
   14: 15:56:07.243502 192.168.1.100.80 > 172.16.1.1.51629: . 1864868748:1864870128(1380) ack 1044283940 win 4569

Within this I am trying to locate the segment that was lost. My questions are :

  • Does the ACK number correspond to the previous SEQ number or the SEQ plus the data total ?
  • In this capture is it right that it appears that the segment with the SEQ # 1864868748 is lost and then retransmitted ?
  • Is there any reason that in this case the next SEQ number is not the previous ACK + 1 ?.

Thanks,

asked 10 Dec '12, 09:52

bart80's gravatar image

bart80
11121316
accept rate: 0%

edited 10 Dec '12, 09:54

One Answer:

3

ACK Number always tells "give me the following sequence number in your next packet" So if you have recieved Sequence Number 1,001 containing 500 Bytes you (as TCP) go and ACK 1,501 --> give me seq.nr. 1,501 in your next packet.

That's also the reason why the next SEQ is not previous ACK+1.

You correctly interpreted the packet with Seq. xyz68748 as being the one getting lost. That's also why the reciever keeps telling ACK xyz68748 - "give me that packet"

If you're unfamiliar with those TCP basics, I suggest you start with the WiKi Page about TCP because from there you can easily follow everything inside wireshark to get a better understanding of the protocol.

answered 10 Dec '12, 12:06

Landi's gravatar image

Landi
2.3k51442
accept rate: 28%

Many thanks. That all makes sense. I`ll check out the link. However can you confirm what the Segment SEQ 1044283511 is for. As the previous ACK is for 1864868748 so should the following packet be the 1864868748 SEQ #.

(10 Dec '12, 13:32) bart80
1

You mixed up the two stations SEQ and ACK numbers -> in frame 1 you have SEQ Nr. 1044283510 containing the SYN Bit inside TCP header, which counts as 1 Byte Payload. That's why the next packet from that station has SEQ 1044283510+1

(11 Dec '12, 02:59) Landi

That makes sense. Many Thanks,

(11 Dec '12, 05:53) bart80

You're welcome - if the answer solved your questions please respond to that by clicking the Accept Button right next to the answer to mark the question as answered and closed

(11 Dec '12, 07:08) Landi