Wireshark-users: Re: [Wireshark-users] A simple question about the data captured by wireshark

From: Zhenyu Zhao <zzhao@xxxxxxxxxxxxxxx>
Date: Wed, 21 May 2008 11:14:34 -0400 (EDT)
Each TCP session has a sliding window to control how much data the sender is permitted to send. The window is the span of data on the byte stream that the receiver permits the sender to send. The window slides along the sender's outbound byte stream and the receiver's inbound stream. The ACK # indicates the next byte of data that the receiver expects to receive. Both peers maintain buffers to track the window. The sender keeps track of sent/acked, sent/unacked, unsent/inside, and unsent/outside data. The receiver keeps track of rcvd/acked/retr, rcvd/acked/notretr, rcvd/unacked, norecd/inside, and norcvd/outside data. So the receiver acknowledges data based on the sliding window, congestion, algorithm, performance factor... In a word, an ACK segment is not one-to-one with a PUSH segment.

Zhen

On Wed, 21 May 2008, Xu nanxuan wrote:


The following is a small part of the net packets captured when I download a file from an FTP server (IP is IPS for short) to a client (IP is IPC for short):
===Begin===
NO.  SRC DST Info
1    IPC IPS [SYN] Seq=0
2    IPS IPC [SYN,ACK] Seq=0 Ack=1
3    IPC IPS [ACK] Seq=1 ACK=1
...
2201 IPS IPC [PSH,ACK]  Seq=1952593 ACK=1 DataSize(1200bytes)
2202 IPC IPS [ACK]      Seq=1,Ack=1953793 DataSize(0)         "ACK TO seg2201
2203 IPS IPC [ACK]      Seq=1953793,ACK=1 DataSize(1448bytes) "ACK To Seg2202"
2204 IPS IPC [ACK]      Seq=1955241,ACK=1 DataSize(1448bytes)
2205 IPC IPS [ACK]      Seq=1,ACK=1956689 DataSize(0)         "ACK to Seg2204"
2206 IPS IPC [PSH,ACK]  Seq=1956689,ACK=1 DataSize(1200bytes) "ACK to Seg2205"
2207 IPS IPC [ACK]      Seq=1957889,ACK=1 DataSize(1448bytes)
...
===End===
In fact, I am not very clear about packets 2201 to 2207. From my own point of view:
(1) IPS sends data 2201 to IPC, and IPC sends ACK 2202 to IPS;
(2) IPS sends "two" data 2203 and 2204 to IPC, and IPC sends ACK 2205 to IPS;
...
If my understanding is correct, then I have three questions:
1. Why do every two from-server-side data packets ask for one client-side ACK packet, rather than one-to-one? Is it a solid thing?
2. Since 2203 is also a data packet, why does it have the "ACK To Seg2202" flag?
3. 2203 and 2204 are two from-server-side packets, and they both have the [ACK] flag. But 2206 and 2207 are also two from-server-side packets, and they have [PSH, ACK] and [ACK] respectively. What is the difference?

Thanks!


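The cumulative-ACK behaviour discussed in this thread can be checked against the quoted trace. The following is an added example, not part of either message: it maps each client ACK to the server data segments it newly covers, using the frame numbers, Seq/Ack values and sizes from the listing. The names `Segment`, `map_acks` and `find_gaps` are hypothetical, and sequence-number wraparound is assumed not to occur.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    no: int      # frame number in the capture
    src: str     # "IPS" (server) or "IPC" (client)
    seq: int     # relative sequence number
    ack: int     # relative acknowledgment number
    length: int  # TCP payload bytes

# Constructed from the values quoted in the post (frames 2201-2207).
TRACE = [
    Segment(2201, "IPS", 1952593, 1, 1200),
    Segment(2202, "IPC", 1, 1953793, 0),
    Segment(2203, "IPS", 1953793, 1, 1448),
    Segment(2204, "IPS", 1955241, 1, 1448),
    Segment(2205, "IPC", 1, 1956689, 0),
    Segment(2206, "IPS", 1956689, 1, 1200),
    Segment(2207, "IPS", 1957889, 1, 1448),
]

def map_acks(trace, sender="IPS", receiver="IPC"):
    """Return ({ack_frame: [data frames newly covered]}, [frames still unacked])."""
    outstanding, covered = [], {}
    for seg in trace:
        if seg.src == sender and seg.length > 0:
            outstanding.append(seg)
        elif seg.src == receiver:
            # An ACK is cumulative: it covers every byte below seg.ack,
            # so one ACK can acknowledge several data segments at once.
            done = [d for d in outstanding if d.seq + d.length <= seg.ack]
            outstanding = [d for d in outstanding if d.seq + d.length > seg.ack]
            covered[seg.no] = [d.no for d in done]
    return covered, [d.no for d in outstanding]

def find_gaps(trace, sender="IPS"):
    """Frames whose Seq is not the previous data segment's Seq + length."""
    data = [s for s in trace if s.src == sender and s.length > 0]
    return [b.no for a, b in zip(data, data[1:]) if b.seq != a.seq + a.length]

if __name__ == "__main__":
    acks, unacked = map_acks(TRACE)
    for frame, frames in acks.items():
        print(f"ACK in frame {frame} covers data frames {frames}")
    print("not yet acknowledged in this excerpt:", unacked)
    print("frames with a sequence gap:", find_gaps(TRACE))
```

The Ack=1 carried by every server segment only acknowledges the client's side of the stream, which sends no data here, so it never advances.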