When I use WebSocket, why do many ACKs occur in Wireshark?

asked 2023-02-15 04:42:13 +0000

dontcryme

updated 2023-02-15 22:10:29 +0000

Recently, I developed a server-client program that uses WebSocket.

When I send some bytes just once and capture the packets in Wireshark, the server sends many ACKs to the client (with the same seq num and different ack num).


[Img URL :]

I wonder why this is happening with WebSocket packets.

Thanks for reading.

P.S.: In Wireshark, the above packets (ACKs) are represented as normal packets.


Note that the image shows: (as same seq num and different ack num)

Jaap ( 2023-02-15 08:48:59 +0000 )

Sorry, I wrote it wrong. I modified it.

dontcryme ( 2023-02-15 22:05:49 +0000 )

1 Answer


answered 2023-02-16 11:34:29 +0000

SYN-bit

I assume from the IMG that you are capturing on or near the server.

The traversal of network packets over the network takes time. So while the client receives TCP segments and ACKs them, there are already new packets underway from the server. This means the ACKs you are seeing are ACKing packets earlier in the trace. You can see that with the SEQ numbers in the image. This first packet from the server has SEQ number 41099. All the ACKs in the image are ACKing TCP segments before that first visible segment.

If you capture on the client side, you would see a different pattern. And it is more clear how the client ACKs the incoming TCP segments.



Thanks for the reply. The above image is a client-side packet capture, but a somewhat different situation is that my client is located in a DMZ zone (NAT) and the server is located in AWS. And I think that the packet in the black rectangle in the additional image ([ack] seq = 237) is the response ACK packet to the red rectangle's (ack=237), right? Because of the seq=ack pair. If so, are the black rectangle's multiple packets with the same SEQ=237 (the client's ACK=237 response) just represented in Wireshark by segmentation? Because of the server's status? [additional image link : ]

dontcryme ( 2023-02-17 00:09:13 +0000 )

My mistake, I mistakenly took the sending side as the server side. But it is the client that is sending the data in this case. So the capture was on the sending (client) side :-)

As for the capture, thanks for the second image. This is a classic example of TCP segmentation offloading and also of TCP slow start. If you look at the SYN and SYN/ACK packets, the MSS is 1460, which means TCP segments of 1460 bytes will be sent. When you look at the segments sent by the client, they are 14600 and then 2920 bytes in size. This is because you are capturing on the sending system and TCP segmentation offloading is enabled. So the segmentation into 1460-sized segments is done on the network card (while the capture is done before the outgoing packets have reached the network card).

The reason you see 14600 bytes sent first ...(more)

SYN-bit ( 2023-02-17 19:24:48 +0000 )

Wow... thank you for your detailed reply. Have a nice day!!

dontcryme ( 2023-02-19 22:47:50 +0000 )
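
The segmentation-offload effect described in the thread, as an added example that is not part of the original thread or any participant's reply: it splits each oversized captured send into the MSS-sized segments the network card puts on the wire, then counts how many of those segments each pure ACK newly covers. Only MSS 1460, the 14600 and 2920 byte sends and seq 237 come from the thread; the client sequence numbers and the ACK spacing are constructed sample values.

```python
MSS = 1460  # MSS seen in the SYN and SYN/ACK, per the thread

# Constructed sender-side records: (direction, seq, payload_len, ack).
# Only the 1460/14600/2920 sizes and seq 237 come from the thread; the
# client sequence numbers and ACK spacing are made up for illustration.
CAPTURE = [
    ("out", 1001, 14600, 237),   # one captured "packet", 10 x MSS (offload)
    ("in", 237, 0, 3921),        # pure ACKs: same seq, growing ack
    ("in", 237, 0, 6841),
    ("in", 237, 0, 9761),
    ("in", 237, 0, 12681),
    ("in", 237, 0, 15601),
    ("out", 15601, 2920, 237),   # next captured "packet", 2 x MSS
    ("in", 237, 0, 18521),
]


def wire_segments(seq, length, mss):
    """Split one captured send into the (seq, len) segments the NIC emits."""
    segs = []
    end = seq + length
    while seq < end:
        size = min(mss, end - seq)
        segs.append((seq, size))
        seq += size
    return segs


def explain_acks(capture, mss):
    """For each pure ACK, count the on-wire segments it newly acknowledges."""
    pending = []   # wire segments sent but not yet acknowledged
    report = []
    for direction, seq, length, ack in capture:
        if direction == "out" and length > 0:
            pending.extend(wire_segments(seq, length, mss))
        elif direction == "in" and length == 0:
            done = [s for s in pending if s[0] + s[1] <= ack]
            pending = [s for s in pending if s[0] + s[1] > ack]
            report.append((seq, ack, len(done)))
    return report


if __name__ == "__main__":
    for direction, seq, length, _ in CAPTURE:
        if direction == "out":
            n = len(wire_segments(seq, length, MSS))
            print(f"captured send seq={seq} len={length} -> {n} wire segments")
    for seq, ack, n in explain_acks(CAPTURE, MSS):
        print(f"ACK seq={seq} ack={ack} covers {n} new wire segment(s)")
```

With the constructed records, one captured 14600-byte send corresponds to ten wire segments, so several ACKs with an unchanged seq and increasing ack follow a single captured packet.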


Asked: 2023-02-15 04:42:13 +0000

Seen: 318 times

Last updated: Feb 16 '23