I'm trying to understand how transmission and ACKs work in TCP. In this figure, when A retransmits seq 100 after it receives three duplicate ACKs, will B answer with ACK 121 or ACK 158?
B would only be issuing the 100 ACK because it didn't receive the SEQ 121 packet. There's no evidence that it received the next packets either, but even if it did it isn't required to save them. So the answer depends on things that aren't specified in your question.
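The answer above says the ACK after the retransmission depends on whether B kept the out-of-order segments. The following added example (not part of the original post) models a receiver's cumulative ACK both ways; the sequence numbers 100, 121 and 158 come from the question, the segment lengths are constructed.

```python
# Added example: minimal model of a TCP receiver's cumulative ACK, run with and
# without out-of-order buffering. Lengths of the segments are constructed.

class Receiver:
    """Tracks rcv_nxt and (optionally) holds out-of-order segments."""

    def __init__(self, rcv_nxt, buffer_out_of_order):
        self.rcv_nxt = rcv_nxt
        self.buffer_out_of_order = buffer_out_of_order
        self.ooo = {}   # seq -> length, segments held beyond the gap

    def deliver(self, seq, length):
        """Process one data segment and return the ACK number B sends back."""
        if seq == self.rcv_nxt:
            self.rcv_nxt += length
            # Absorb buffered segments that have become contiguous.
            while self.rcv_nxt in self.ooo:
                self.rcv_nxt += self.ooo.pop(self.rcv_nxt)
        elif seq > self.rcv_nxt and self.buffer_out_of_order:
            self.ooo[seq] = length
        # Old data (seq < rcv_nxt) or an unbuffered out-of-order segment leaves
        # rcv_nxt unchanged, so the same ACK is repeated: a duplicate ACK.
        return self.rcv_nxt


def acks_for_scenario(buffer_out_of_order):
    """Seq 100 is lost, three later segments arrive (three duplicate ACKs),
    then A retransmits seq 100. Returns the ACK numbers B emits, in order."""
    r = Receiver(rcv_nxt=100, buffer_out_of_order=buffer_out_of_order)
    acks = []
    acks.append(r.deliver(121, 37))   # hole at 100: ACK 100 (dup 1)
    acks.append(r.deliver(158, 40))   # ACK 100 (dup 2)
    acks.append(r.deliver(198, 30))   # ACK 100 (dup 3)
    acks.append(r.deliver(100, 21))   # retransmission fills the hole
    return acks
```

Without buffering the last ACK is 121 (B still needs 121 again); with buffering it jumps past everything it held, to 228.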
I know that control bits in tcp define the flags of TCP connection like SYN, FIN, ACK. But from my network traffic sometimes for some packets control bits are 0 (not-set).
What does this behaviour mean?
Those are flags of a TCP segment, not connection.
When a flag bit isn't set that indicates the absence of the meaning and behavior defined for the corresponding flag.
It means ACK and only the ACK flag is set. The RFC says ACK is 16; however, it's only 16 when used in combination with another flag, e.g. SYN/ACK (18), FIN/ACK (17). A flags value of 0 could also indicate a 'null' scan.
If you see a flow record with value 2 and there are 8 packets in it, that means there are both SYN packet(s) and ACK packets.
If you see 18 and there is more than one packet in the flow, that means there is at least one SYN/ACK and the rest are ACK.
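An added example (not from the answer above) that decodes a numeric control-bits value into flag names using the bit positions from RFC 793 (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32) plus ECE=64 and CWR=128 from RFC 3168, and reads the same byte out of a raw TCP header; the sample header is constructed, reusing the ports 59750 and 9877 seen elsewhere on this page.

```python
import struct

# Added example: RFC 793 / RFC 3168 control-bit values, lowest bit first.
TCP_FLAGS = {
    0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
    0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR",
}


def decode_flags(value):
    """Return the names of the flags set in a control-bits value, e.g. 18 -> ['SYN', 'ACK']."""
    return [name for bit, name in TCP_FLAGS.items() if value & bit]


def segment_kind(value):
    """Human-readable label; 0 means no flag bit at all (a 'null' segment)."""
    names = decode_flags(value)
    return "null (no flags)" if not names else "/".join(names)


def flags_from_tcp_header(header):
    """Control bits live in byte 13 of the TCP header; the high nibble of
    byte 12 is the data offset. Raises on a header shorter than 20 bytes."""
    if len(header) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    return header[13]


# Constructed 20-byte header: ports 59750 -> 9877, seq 1, ack 1, data offset 5,
# flags 0x12 (SYN/ACK), window 14720, checksum 0, urgent pointer 0.
SAMPLE_HEADER = struct.pack("!HHIIBBHHH", 59750, 9877, 1, 1, 5 << 4, 0x12, 14720, 0, 0)

if __name__ == "__main__":
    for v in (0, 16, 17, 18, 2):
        print(v, segment_kind(v))
    print("header flags:", segment_kind(flags_from_tcp_header(SAMPLE_HEADER)))
```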
The below screenshot shows the relevant packets I am analysing, which are independent from the rest of the network traffic.
I know that this is malformed network traffic, however I am confused as to why the correct values should be [RST, ACK] Seq = 1 Ack = 1 ... as opposed to the values seen in the screenshot for packet 8.
Any help would be appreciated, as most of the online documentation and explanations I have read have not given a concrete explanation.
According to RFC 793, page 37:
In the SYN state (the sender sent a segment with the SYN flag, packet 7), the received RST segment (packet 8) is acceptable if the ACK field acknowledges the SYN.
So packet 8 is malformed and not acceptable for the sender of the SYN segment, because the ACK field here is 0 (relative) instead of 1.
I am using tcpdump/wireshark to capture TCP packets while a TCP client is sending data to a TCP server. The client simply sends 4096 bytes to the server in one "send()" call. I get different TCP packets on the two sides: two packets on the sender side seem to be "compacted" on the receiver side. This conflicts with how I understand the TCP protocol; I have been stuck on this issue for a few days and really need some help.
Please notice the packet length in following packets:
The client (sender) sends 2 packets, 0xbcac (4) and 0xbcae (5), i.e. 2896 + 1200 = 4096 bytes in all:
(0xbcac) 4 14:31:33.838305 192.168.91.194 192.168.91.193 TCP 2962 59750 > 9877 [ACK] Seq=1 Ack=1 Win=14720 **Len=2896** TSval=260728 TSecr=3464603 0
(0xbcae) 5 14:31:33.838427 192.168.91.194 192.168.91.193 TCP 1266 59750 > 9877 [PSH, ACK] Seq=2897 Ack=1 Win=14720 **Len=1200** TSval=260728 TSecr=3464603 0
However on the server (receiver) side, only one packet is presented, with ip.id=0xbcac and length = 4096 (receiver.packet.0xbcac = sender.packet.0xbcac + 0xbcae):
(0xbcac) 4 14:31:33.286296 192.168.91.194 192.168.91.193 TCP 4162 59750 > 9877 [PSH, ACK] Seq=1 Ack=1 Win=14720 **Len=4096** TSval=260728 TSecr=3464603 0
I'm aware that TCP is a stream protocol and that the data sent can be divided into packets according to the MSS (or MTU), but I guess the division happens before packets are sent to the NIC, thus before they are captured. I'm also aware that the PSH flag in packet 0xbcae leads to writing data from the buffer to the NIC, but that cannot explain the "compacted" packet. I also tried sending 999999 bytes in one "send" call from the client: the data are divided into small packets and sent, but they still mismatch the packets captured on the server side. Finally I disabled TCP Nagle, got the same result, and ruled out that reason.
So my question is: is the mismatch I encountered normal? If it is, what caused it? If not, I'm using Ubuntu 12.04 and Ubuntu 13.10 in a LAN; what is the possible reason for this "compacted" packet?
Thanks in advance for any help!
two packets on the sender side seem to be "compacted" on the receiver side
It looks like a case of generic receive offload or large receive offload. Long story short, the receiving network card does some smart stuff and coalesces segments before they hit the kernel, which improves performance.
To check if this is the case you can try to disable it using:
$ ethtool -K eth0 gro off
$ ethtool -K eth0 lro off
Something complementary happens on the sending side: tcp segmentation offload or generic segmentation offload.
After disabling these, don't forget to re-enable them: they seriously improve performance.
I use a raw socket to create TCP packets, with a focus on the sequence number and the TCP flags (SYN, ACK).
I used one machine S to send a TCP ACK packet (the ACK flag is set to 1) and another machine R to receive it. These two machines are in different subnets, all in my school.
Meanwhile, I used tcpdump to capture the packets.
Strange things happen! On machine S the captured packet is as expected, it is an ACK packet. However, on the receiving machine R the packet becomes a SYN packet, and the sequence number is changed: the seq no is 1 smaller than expected and the ack_seq becomes 0!
What are the potential problems?
My guess is that the router/firewall modified the ACK packet to a SYN packet because it never saw a SYN, SYN/ACK exchange ahead of the ACK?
Is that possible or not?
the two captured packets are:
https://docs.google.com/file/d/0B09y_TWqTtwlVnpuUlNwUmM1YUE/edit?usp=sharing
https://docs.google.com/file/d/0B09y_TWqTtwlTXhjUms4ZnlkMVE/edit?usp=sharing
The biggest problem you will encounter will be that the receiving TCP stack in each case will receive the packet and possibly reply to it. What you are attempting is really not possible.
I am wondering how, in detail, a program like wireshark detects duplicates from retransmission in a TCP stream. I've looked at the RFCs regarding TCP but haven't quite been able to figure out how it works. I'd very much appreciate a clear explanation.
An example situation that confused me was the following:
*C: 1227 + len = 1687
C: 1847 + len = 2299
S: ACK 2299
*C: 2299 + len = 2751
*C: 2751 + len = 3203
S: ACK 2751
Where the * indicates packets with duplicate payloads. How do Wireshark and/or TCP function to detect and discard the duplicates?
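As an added example (not Wireshark's own code), the sequence-interval bookkeeping that underlies Wireshark's "TCP analysis" retransmission flag, reduced to its first-order rule: a data segment whose bytes all lie below the highest sequence number already seen in that direction repeats data the capture already holds. The trace is constructed from the question's numbers, with segment lengths inferred from the listed seq ranges and the original transmissions prepended so the starred copies show up as repeats.

```python
# Added example: per-direction "next expected seq" tracking, the core of how a
# capture tool (and a receiver, via rcv_nxt) recognises repeated payload bytes.

def analyse(segments):
    """segments: list of (direction, seq, length).
    Returns (direction, seq, verdict) per segment, where verdict is one of
    'new', 'ack-only', 'retransmission', 'partial-retransmission' or 'gap'."""
    next_seq = {}      # direction -> highest seq + len captured so far
    verdicts = []
    for direction, seq, length in segments:
        end = seq + length
        expected = next_seq.get(direction)
        if length == 0:
            verdict = "ack-only"            # pure ACK, carries no bytes
        elif expected is None or seq == expected:
            verdict = "new"                 # exactly the bytes we were waiting for
        elif end <= expected:
            verdict = "retransmission"      # every byte already seen once
        elif seq < expected:
            verdict = "partial-retransmission"  # overlaps, but extends the stream
        else:
            verdict = "gap"                 # seq jumped ahead: a segment was not captured
        if length and (expected is None or end > expected):
            next_seq[direction] = end
        verdicts.append((direction, seq, verdict))
    return verdicts


# Constructed trace: the two originals come first, then the question's listing.
TRACE = [
    ("C", 1227, 460),   # original 1227..1687 (constructed, precedes the excerpt)
    ("C", 1687, 160),   # original 1687..1847 (constructed, fills the listed gap)
    ("C", 1227, 460),   # *C: 1227 + len = 1687  -> repeat
    ("C", 1847, 452),   # C: 1847 + len = 2299
    ("S", 2299, 0),     # S: ACK 2299
    ("C", 2299, 452),   # C: 2299 + len = 2751
    ("C", 2751, 452),   # C: 2751 + len = 3203
    ("S", 2751, 0),     # S: ACK 2751 (lower than before: a duplicate ACK)
    ("C", 2299, 452),   # constructed resend of 2299..2751 -> repeat
]

if __name__ == "__main__":
    for direction, seq, verdict in analyse(TRACE):
        print(f"{direction}: seq {seq:>5}  {verdict}")
```

A real receiver applies the same comparison against rcv_nxt and simply drops bytes it already has, which is why the application never sees the duplicates.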