This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

[PSH,ACK] wireshark capture

0

I am capturing HTTPS traffic from a PC to the web application and I am seeing an ACK followed by a PSH,ACK from the source to the destination and vice versa:

PC [ACK] -> WebApp
PC [PSH,ACK] -> WebApp
WebApp [ACK] -> PC
WebApp [PSH,ACK] -> PC

What does it mean? Thanks

asked 15 Apr '13, 09:04

character9
accept rate: 0%


2 Answers:

2

ACK means that the machine sending the packet with ACK is acknowledging data that it had received from the other machine. In TCP, once the connection is established, all packets sent by either side will contain an ACK, even if it's just re-acknowledging data that it's already acknowledged.

PSH is an indication by the sender that, if the receiving machine's TCP implementation has not yet provided the data it's received to the code that's reading the data (program, or library used by a program), it should do so at that point. To quote RFC 793, the official specification for TCP:

The data that flows on a connection may be thought of as a stream of octets. The sending user indicates in each SEND call whether the data in that call (and any preceeding calls) should be immediately pushed through to the receiving user by the setting of the PUSH flag.

A sending TCP is allowed to collect data from the sending user and to send that data in segments at its own convenience, until the push function is signaled, then it must send all unsent data. When a receiving TCP sees the PUSH flag, it must not wait for more data from the sending TCP before passing the data to the receiving process.

There is no necessary relationship between push functions and segment boundaries. The data in any particular segment may be the result of a single SEND call, in whole or part, or of multiple SEND calls.

The purpose of push function and the PUSH flag is to push data through from the sending user to the receiving user. It does not provide a record service.

There is a coupling between the push function and the use of buffers of data that cross the TCP/user interface. Each time a PUSH flag is associated with data placed into the receiving user's buffer, the buffer is returned to the user for processing even if the buffer is not filled. If data arrives that fills the user's buffer before a PUSH is seen, the data is passed to the user in buffer size units.

There is no special significance to PSH and ACK both being set in the conversation; PSH being set has some significance, and, once the connection is established, ACK being set has very little significance.

RST, by itself, means that the sender of the RST believes an error occurred and that the connection should be "reset". It should be sent if, for example, a packet arrives on a connection that is "apparently not intended for the current connection", to quote RFC 793. So if the connection was closed, but a packet arrives for it anyway, that should provoke an RST.

answered 15 Apr '13, 15:05

Guy Harris ♦♦
accept rate: 19%
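
The flag combinations described in the answer above, decoded from raw TCP header bytes. This is an added example, not part of the original answer; the `build` helper, the port numbers and the sample segments are constructed for illustration.

```python
import struct

# TCP flag bits (RFC 793 header byte 13), listed low bit first.
FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def build(flags, seq, ack, payload=b"", sport=50000, dport=443):
    """Constructed sample segment: 20-byte header, no options, checksum 0."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       5 << 4, flags, 65535, 0, 0) + payload

def parse_tcp(segment):
    """Return (flag names, seq, ack, payload length) for a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("shorter than the minimum 20-byte TCP header")
    _sp, _dp, seq, ack, offset, flags = struct.unpack("!HHIIBB", segment[:14])
    header_len = (offset >> 4) * 4          # data offset is in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("invalid data offset")
    names = [name for bit, name in FLAG_BITS if flags & bit]
    return names, seq, ack, len(segment) - header_len

def explain(segment):
    """One-line reading of a segment, following the answer's descriptions."""
    names, _seq, _ack, plen = parse_tcp(segment)
    label = "[" + ",".join(names) + "]"
    if "RST" in names:
        note = "sender is resetting the connection"
    elif "PSH" in names:
        note = f"{plen} data bytes, to be passed to the application now"
    elif names == ["ACK"] and plen == 0:
        note = "pure acknowledgment, no data"
    else:
        note = f"{plen} data bytes"
    return f"{label} {note}"

if __name__ == "__main__":
    # Constructed segments mirroring the pattern in the question, plus a reset.
    samples = [
        ("PC -> WebApp", build(0x10, 1000, 500)),
        ("PC -> WebApp", build(0x18, 1000, 500, b"request bytes")),
        ("WebApp -> PC", build(0x10, 500, 1013)),
        ("WebApp -> PC", build(0x18, 500, 1013, b"response bytes")),
        ("WebApp -> PC", build(0x14, 514, 1013)),
    ]
    for direction, seg in samples:
        print(direction, explain(seg))
```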

0

This is basic TCP communications flow. The ACK indicates that a host is acknowledging having received some data, and the PSH,ACK indicates the host is acknowledging receipt of some previous data and also transmitting some more data.

Google will let you search for more info about basic TCP communication.

answered 15 Apr '13, 09:26

grahamb ♦
accept rate: 22%

grahamb, How about [RST,ACK]? Does it mean that the connection was disconnected? Thx

(15 Apr '13, 10:31) character9