This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Ack Packet With No SEQ/ACK Analysis

0

Hi everyone, I am tracing some packets in Wireshark and I have this problem: I found a packet that is an ACK packet, as the LEN = 0 and the only flag set is the ACK flag = 1. Usually while tracing I open an ACK packet and in the TCP section I select [SEQ/ACK analysis], which tells me which packet this ACK is for. This time I did not find this [SEQ/ACK analysis], so I don't know what packet it is acknowledging. I even tried to find the packet manually by calculating (seq no. + len), but I did not find it... Any help?

asked 03 Jun '15, 04:12


yas1234
accept rate: 0%

edited 03 Jun '15, 04:21


grahamb ♦

Well, it's nearly impossible to do "virtual" packet troubleshooting based on some problem descriptions ;-)

Can you please upload a small capture file somewhere (google drive, dropbox, cloudshark.org) and post the link here?

(03 Jun '15, 08:35) Kurt Knochner ♦

One Answer:

1

Your approach doesn't work when TCP Segmentation Offload is enabled. In a trace taken at the sender you see (too) large segments leaving the host and acknowledgements arriving that acknowledge bytes in the middle of the sent segment.
In the scenario below the first ACK does not have tcp.analysis.acks_frame set. So your logic only works for ACKs that match the display filter
tcp.len==0 and tcp[13]==10 and tcp.analysis.acks_frame

answered 03 Jun '15, 22:05


mrEEde
accept rate: 20%
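
The effect described in this answer, as an added example that is not part of the original post: a Python sketch that applies the manual seq + len method to a constructed sender-side capture containing one TSO-sized segment, and reports which ACKs land on a segment boundary and which land inside a captured segment. The Segment type, the function names and all sample values are assumptions made for the illustration.

```python
from bisect import bisect_right
from typing import NamedTuple

class Segment(NamedTuple):
    frame: int   # frame number in the sender-side capture
    seq: int     # relative sequence number of the first payload byte
    length: int  # tcp.len as captured (can exceed the MSS when TSO is on)

def classify_ack(segments, ack):
    """Return (kind, frame) for one ACK number.

    'boundary'    : ack == seq + len of a captured segment, so the manual
                    seq + len lookup finds the acknowledged frame.
    'mid-segment' : ack falls inside a captured segment, the TSO case in
                    which the manual lookup finds nothing.
    'unmatched'   : ack covers no captured payload byte.
    """
    data = sorted((s for s in segments if s.length > 0), key=lambda s: s.seq)
    starts = [s.seq for s in data]
    # ack - 1 is the last byte acknowledged; find the segment holding it.
    i = bisect_right(starts, ack - 1) - 1
    if i < 0:
        return ("unmatched", None)
    seg = data[i]
    end = seg.seq + seg.length
    if ack == end:
        return ("boundary", seg.frame)
    if seg.seq < ack < end:
        return ("mid-segment", seg.frame)
    return ("unmatched", None)

def analyse(segments, acks):
    """acks is a list of (frame, ack_number); returns one row per ACK."""
    return [(frame, ack) + classify_ack(segments, ack) for frame, ack in acks]

# Constructed sample: frame 4 is a 3 x 1448-byte TSO segment seen at the
# sender, frame 7 is a normal MSS-sized segment.
SENT = [Segment(4, 1, 4344), Segment(7, 4345, 1448)]
# Constructed ACKs seen coming back from the receiver.
ACKS = [(5, 1449), (6, 2897), (8, 4345), (9, 5793)]

if __name__ == "__main__":
    for row in analyse(SENT, ACKS):
        print("ack frame %d ack=%d -> %s (data frame %s)" % row)
```
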

So if the packet is not divided into segments I will not get this type of ACK, right? So how do I disable segmentation?

(25 Jun '15, 06:45) yas1234

Depends on your operating system... http://lmgtfy.com/?q=disable+tcp+segmentation+offload

(25 Jun '15, 07:04) mrEEde

PERFECT, THANK YOU!

(25 Jun '15, 08:06) yas1234

If this answers your question, can you please 'accept' the answer by clicking the checkmark? Thanks, Matthias

(25 Jun '15, 10:40) mrEEde

I have one more small question: now if I disable the TSO, is it a must to disable the TX also or not? And what is best? I googled that, but it seems like whenever the TSO is off the TX is off also, and I do not really get what TX does.

(25 Jun '15, 11:12) yas1234

I don't know what TX means in this context, but TSO has its purpose - to save CPU cycles on the operating system - and many manufacturers have put a lot of effort into making it work. The drawback is that trace analysis is a little more tricky. So if your main goal is to diagnose traffic then you may/must disable it. If your purpose is to run on an efficient TCP/IP stack you leave it enabled... ;-)

(25 Jun '15, 14:50) mrEEde

Actually I need to disable it, but the problem now is that when I disabled it my captures at the sender are still not the same as at the receiver: the sender is sending chunks of data and the receiver collects them into one packet and then acknowledges it. I don't want that, I want them both to match... Any help? I attached the 2 captures: https://www.dropbox.com/s/fu8zonho9wiqp9t/caps.zip?dl=0

(26 Jun '15, 02:39) yas1234

It looks like you should try this command if you use Win2012 R2 or Win 8:
netsh int tcp set global rsc=disabled
Otherwise you can provide the output of the command:
netsh int tcp show global

(26 Jun '15, 03:42) Christian_R

Using Linux

(26 Jun '15, 04:29) yas1234

ethtool -K ethY lro off
where ethY is your interface

(26 Jun '15, 05:03) Christian_R