Normally when looking through packet captures I link the packets by the ACK and SEQ numbers. However if Delayed ACK is enabled am I right in thinking that you might see every ACK from the sender as the sender my send an ACK that might acknowledge multiple packets ? In short my question is what considerations must be taking when dealing with packet captures containing traffic that use the delayed ACK technique. Thanks, asked 12 Aug '14, 01:30  bart80 |
One Answer:
Just keep in mind that acknowledgements are cumulative. An ACK number of 10,000, for example, means "I have received all data through byte 9,999, and I expect 10,000 next." You could add the field tcp.analysis.acks_frame as a custom column. Wireshark will then tell you exactly which data packet an ACK packet is acknowledging. Again, this is cumulative, so the ACK includes all previous data packets from that same host on the same TCP connection. answered 12 Aug '14, 09:50  Jim Aragon |
Thanks. So without delayed ACK I should see an ACK for each segment. With delayed ACK I will not and as you mentioned multiple segments can be acknowledged via a single (cumulative) ACK ?