Ask Your Question
0

TCP header length 20 bytes with Timestamps

asked 2024-01-21 10:01:57 +0000

Jedi gravatar image

I have Wireshark Version 4.2.2 on Windows 10.

It is my understanding that Timestamps go into the TCP options section of the header. According to what I have read TCP headers containing this option increase by 10 bytes (8 bytes for the two timestamp values and 2 bytes to indicate the option value and length). But Wireshark is saying the header length is only 20 bytes even though I can see the timestamp values? I tried to add a picture but don't have enough reputation. On my Ubuntu computer Wireshark Version 3.6.2 says the TCP header with timestamps is 32 bytes as it is padded out with two NOP bytes. Why is Wireshark saying the TCP header length is only 20 bytes with timestamps on the Windows computer?

edit retag flag offensive close merge delete

Comments

Can you share a capture file (stick it on a public file share and update question with a link to it)?

Looking at a sample from the Wireshark wiki (nfsv4.1_pnfs.cap NFSv4.1 trace containing pNFS.) with Version 4.2.2 (v4.2.2-0-g404592842786):

Frame 3: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: VMware_52:a6:57 (00:0c:29:52:a6:57), Dst: VMware_e9:13:b1 (00:0c:29:e9:13:b1)
Internet Protocol Version 4, Src: 192.168.0.26, Dst: 192.168.0.61
Transmission Control Protocol, Src Port: 880, Dst Port: 2049, Seq: 1, Ack: 1, Len: 0
    Source Port: 880
    Destination Port: 2049
    [Stream index: 0]
    [Conversation completeness: Complete, WITH_DATA (31)]
    [TCP Segment Len: 0]
    Sequence Number: 1    (relative sequence number)
    Sequence Number (raw): 2853242946
    [Next Sequence Number: 1    (relative sequence number)]
    Acknowledgment Number: 1    (relative ack number ...
(more)
Chuckc gravatar imageChuckc ( 2024-01-21 12:41:05 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
1

answered 2024-01-21 20:04:27 +0000

SYN-bit gravatar image

There is a TCP option called "Timestamps" which are indeed extra bytes in the TCP header. These are generated by the endpoints to keep track of round-trip-times and also a protection against wrapping sequence numbers. This type of timestamps will be listed under the Options: part of the TCP header.

Then there are timestamps relative to the conversation, which are calculated by WIreshark and are not created by the endpoints and are not part of the TCP header (so the header length can stay at 20). This type of timestamps can be recognized by the [] brackets around the word Timestamps (as can be seen in the example @Chuckc gave in his comment).

From your question, I believe you are seeing the second type of timestamps.

edit flag offensive delete link more

Comments

Both the Windows computer and the Ubuntu computer have [] brackets around the word timestamps but the Ubuntu computer has them under the Options section whereas the Windows computer does not. It seems Windows 10 has timestamps disabled by default. You can check with

netsh interface tcp show global

If you want to turn them on

netsh int tcp set global timestamps=enabled

If you want to turn them back off

netsh int tcp set global timestamps=disabled

According to here

Without TCP timestamps, the ACKs received by the sender cannot be known to have come from the original transmission or the retransmission. Therefore when retransmissions occur, RTT cannot be determined until an ACK is received with no retransmission. This can result in pathological behavior when many retransmissions are happening, as the sender may slow down to the minimum sending rate of one packet per 120 seconds.

Jedi gravatar imageJedi ( 2024-01-22 04:34:36 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2024-01-21 10:01:57 +0000

Seen: 616 times

Last updated: Jan 21