Ask Your Question

TCP same ack, different payload

asked 2024-06-04 05:49:26 +0000

aland gravatar image

updated 2024-06-04 06:46:40 +0000

SYN-bit gravatar image

I am receiving 2 following tcp packets:

9000 → 34967 [PSH, ACK] Seq=803864717 Ack=348117840 Win=28960 Len=28 TSval=863760043 TSecr=0
9000 → 34967 [ACK] Seq=803864717 Ack=348117840 Win=28960 Len=0 TSval=863760043 TSecr=0

Why does this happen? How can this not be considered a retransmission?

edit retag flag offensive close merge delete

1 Answer

Sort by » oldest newest most voted

answered 2024-06-04 06:52:17 +0000

SYN-bit gravatar image

Only data packets can be retransmissions and the second packet does not contain data, so it can't be a retransmission. But it is interesting to see why this packet was sent, as there is no reason for it to be sent. It ACKs the same data as the previous packet ACKed.

One possible explanation would be that the packets switched order underway. Then the second packet (which was sent first) was a bare ACK and the first packet (which was sent second) is new data. Could you check the of the packets? Or post a pcap of these packets with about 10 previous packets and the next 10 packets of these two packets somewhere to have a look at?

edit flag offensive delete link more


One possible explanation would be that the packets switched order underway.

yes, I was thinking the same thing

Could you check the of the packets?

there is a hit! first one has 51071, second one has 51070.

aland gravatar imagealand ( 2024-06-04 07:11:27 +0000 )edit

Also, I didn't find in wireshark such filter to show ip reorderings

aland gravatar imagealand ( 2024-06-04 07:28:32 +0000 )edit

You could add a column for (drag it from the packet details on top of the column header of the column you want to be in front off), that makes it easily visible.

SYN-bit gravatar imageSYN-bit ( 2024-06-04 08:02:56 +0000 )edit

Glad my hunch was right!

If possible, could you send me the pcap (anonimized, see the link in my answer) of the whole TCP session? I use these kind of examples in my trainings and they are hard to reproduce. My email is [email protected] :-)

SYN-bit gravatar imageSYN-bit ( 2024-06-04 13:18:26 +0000 )edit

Adding an expert info is complicated because RFC 6864 officially says not to analyze it that way "The IPv4 ID field MUST NOT be used for purposes other than fragmentation and reassembly." So performing sequence number analysis on it perhaps is not appropriate by default, even if in practice it can be helpful.

johnthacker gravatar imagejohnthacker ( 2024-06-04 19:31:06 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2024-06-04 05:49:26 +0000

Seen: 130 times

Last updated: Jun 04