TCP Dup ACK detection bug?

asked 2018-03-28 06:30:06 +0000

updated 2018-03-28 06:34:12 +0000

Hi all!

In RFC 5681 it is stated that:

DUPLICATE ACKNOWLEDGMENT: An acknowledgment is considered a "duplicate" in the following algorithms when: .... (e) the advertised window in the incoming acknowledgment equals the advertised window in the last incoming acknowledgment.....

AND

    Alternatively, a TCP that utilizes selective acknowledgments
    (SACKs) [RFC2018, RFC2883] can leverage the SACK information to
    determine when an incoming ACK is a "duplicate" (e.g., if the ACK
    contains previously unknown SACK information).

But if you check the next PCAP it seems Wireshark ignores the last statement:

Frames 355,356,357 and a lot of subsequent ones have the same ACK number of 314254 (relative), they contain changing SACK blocks but at the same time Advertised window size also changes. Therefore they have been decoded (incorrectly?) as [TCP Window updates], whereas they should be decoded as Dup ACKs.

Frames 486-508 are Fast retransmissions whereas they have been decoded as [TCP Out-Of-Orders]. Is it a bug or I'm missing something?

edit retag flag offensive close merge delete