This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Why are some TCP ACK timestamps earlier in time than the corresponding TCP data frame?

0

Hi all,

I am running Wireshark 1.10.7 (v1.10.7-0-g6b931a1 from master-1.10) on a Windows 7 Professional computer. Since the network card of the computer supports offloading segmentation of large TCP/IP frames, frames with a size greater than the MTU are captured by Wireshark.

Now every time the local computer sends a frame greater than the MTU, the corresponding TCP acknowledgement is received earlier in time than the sent TCP frame, e.g.

No. 1636 (16.996621000s): Transmission Control Protocol, Src Port: ctf (84), Dst Port: 55697 (55697), Seq: 36821, Ack: 10255, Len: 0, Flags: 0x010 (ACK)

No. 1657 (17.173938000s): Transmission Control Protocol, Src Port: 55697 (55697), Dst Port: ctf (84), Seq: 10255, Ack: 37161, Len: 1982, 0x0018

Of course, the IP addresses of these flows are matching each other (x->y and y->x).

So, how can it be that the timestamp of the ACK is earlier in time than the corresponding TCP data frame?

Thanks, Sven

asked 21 May '14, 07:13

johannes24

edited 21 May '14, 08:48

grahamb ♦


One Answer:

1

The ACK: 10255 means that is the next expected SEQ number to be received from the other host.

answered 21 May '14, 07:41

Rooster_50

The ACK: 10255 means that is the next expected SEQ number to be received from the other host

i.e. the next sequence number to be transmitted after the ACK (if things are all running smoothly).

What you have shown is the ack for a previous packet then the next packet with the correct sequence number.

(21 May '14, 08:50) grahamb ♦

Damn right! Thanks Rooster_50 and grahamb for clarification! Have a nice day!

(22 May '14, 03:06) johannes24
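
The rule given in the answer and comment above, as an added example that is not part of the original thread: an ACK covers a data segment only when its Ack value has reached Seq + Len of that segment, so frame 1636 (Ack: 10255) cannot be the acknowledgement of frame 1657 (Seq: 10255, Len: 1982). The Segment type and function names are hypothetical, frame 1660 is constructed, and the code assumes a single connection identified by its port pair.

```python
from dataclasses import dataclass

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass(frozen=True)
class Segment:
    frame: int
    time: float
    src_port: int
    dst_port: int
    seq: int
    ack: int
    length: int

    @property
    def next_seq(self):
        # Sequence number of the byte after this payload (SYN/FIN not modelled).
        return (self.seq + self.length) % MOD


def is_reverse(a, b):
    return (a.src_port, a.dst_port) == (b.dst_port, b.src_port)


def acknowledges(ack_seg, data_seg):
    """True if ack_seg flows the other way and its cumulative ACK covers data_seg."""
    covered = (ack_seg.ack - data_seg.next_seq) % MOD < MOD // 2
    return is_reverse(ack_seg, data_seg) and data_seg.length > 0 and covered


def relation(ack_seg, data_seg):
    if acknowledges(ack_seg, data_seg):
        return "acknowledges"
    if is_reverse(ack_seg, data_seg) and ack_seg.ack == data_seg.seq:
        return "next-expected"  # ACK of earlier data; data_seg is what it asks for next
    return "unrelated"


def first_ack_for(data_seg, capture):
    return next((s for s in capture if acknowledges(s, data_seg)), None)


# Frames 1636 and 1657 are the ones quoted in the question; 1660 is constructed.
CAPTURE = [
    Segment(1636, 16.996621, 84, 55697, 36821, 10255, 0),
    Segment(1657, 17.173938, 55697, 84, 10255, 37161, 1982),
    Segment(1660, 17.200000, 84, 55697, 37161, 12237, 0),
]
```
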