This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

matching tcp packets in wireshark

0

i am very troubled when tracing my wireshark packets so please help, i'm filtering TCP packets, assuming im capturing at the Sender side, now sender sends packet to the rcvr who replies with ack packet containing the new window size for example 5, so the sender sends a stream of 5 packets, after that he receives from the receiver the ack of the first packet in the stream with new window size..and so on ..now to match each of those data packets and it's acknowledgment, the ack number = the data packet's sequence number + length ..is that correct??? Also im trying to get the delays between all that, my problem is what happens when there's a lost packet in this stream of 5, for ex packet 3 is lost, how does the ACK for Packet 4 LOOK IN THIS CASE ? i mean do i just know there's a lost packet from the sack option OR the sequence number doesn't change until i get the lost packet or the ack number stays unchanged or what ?? sorry but i got troubled because i am looping on all packets and trying to match them and there's something wrong in my logic !

asked 22 Jun '15, 09:43

yas1234's gravatar image

yas1234
16182023
accept rate: 0%


One Answer:

0

Yes, the ACK number for a packet is the packet's sequence number plus the data length. (Number of TCP data bytes in the packet, not total packet bytes. The Ethernet header and trailer, the IP header, and the TCP header are not included.) If packet 2 is acknowledged and then packet 3 is lost, the ACK for packet 4 will be a Duplicate ACK and it will be the same as the ACK for packet 2. ACKs are cumulative, so the ACK number cannot be incremented until the lost packet is received.

An ACK of 10,000 means "I've received everything through 9,999, and I expect 10,000 next." If SACK is in use, receipt of packet 4 will be shown in the SACK blocks, but the ACK number will not change until the missing packet shows up.

To follow all this, I recommend adding these fields as columns:

  • TCP length (tcp.len)
  • Sequence number (tcp.seq)
  • Next expected sequence number (tcp.nxtseq)
  • Acknowledgment number (tcp.ack)

Let Wireshark match the data packets to acknowledgment packets for you. Also add:

  • Packet number being acknowledged (tcp.analysis.acks_frame)

Remember that there does not have to be an acknowledgment packet for every single data packet. If Delayed ACK is in use, there could be an ACK for every other data packet, or for every three data packets, or every four data packets, etc.

answered 22 Jun '15, 10:15

Jim%20Aragon's gravatar image

Jim Aragon
7.2k733118
accept rate: 24%

okay in the case of lost packet , by duplicate ack u mean they both have same sequence no. or same ack number ?, also if i want to match packet 4 and it's ack which actually doesn't carry the expected ack number bec of duplication , and sack is not in use ...is there anyway to match them ?

(22 Jun '15, 10:28) yas1234