
Two ACKs sent after client receives HTTP response

asked 2025-10-23 14:35:15 +0000

mdb-inf

updated 2025-10-23 19:19:31 +0000

Hi, I made a packet capture of a simple HTTP request + response.

After receiving the GET request the server sends an ACK+PSH (frame 5), then it sends the remaining response (frame 6). Then the client sends a double ACK (frame 7 ack=248 and frame 8 ack=249); and the Wireshark detail window says that the second ack=249 is in response to frame 6. Why does the client send two ACKs?

The image of the trace can be seen here (not enough points to upload)
The .pcap file is here

The question is not directly related to Wireshark, but I'm using it to learn how TCP/IP works "under the hood". Thank you in advance.


1 Answer


answered 2025-10-23 16:13:29 +0000

SYN-bit

Frame 6 contains a data segment, but also has the FIN flag set. When the FIN flag is set, it counts as if there was one byte of data (the phantom byte), which will trigger an ACK. The ACKing of both the data segment and the phantom byte of the FIN could have been done in one ACK, but apparently this TCP/IP stack ACKs the data part of the response separately from the phantom byte of the FIN flag. This results in one ACK for the data (ACK=248) and one ACK acking the phantom byte (ACK=249).

Which OSes are used for the client and the server?


Comments

Thanks for the reply!!! The client and server are both implemented in Delphi using a "quite old" Indy library and are running on Windows (Win 2019 as client / Win 7 as server). Note that the Winshark [SEQ/ACK analysis] is empty on frame 7 ACK, and on frame 8 ACK says "[This is an ACK to the segment in frame: 6]"

mdb-inf ( 2025-10-23 16:25:38 +0000 )

Wireshark does not make a distinction between the data and the phantom byte for its SEQ number analysis, so it does not know how to link the ACK in frame 7 to any packet from the server. Having the FIN in a data packet is a corner case and I believe so is ACKing them separately.

Thanks for mentioning which stack is used :-)

BTW it is not Winshark, but Wireshark. If your program is called Winshark, you might have been tricked into downloading some malware-infected version ;-)

SYN-bit ( 2025-10-23 17:36:38 +0000 )

Thanks for the clarifications! BTW I've been using Wireshark for a long time (though I'm only now delving into the details of TCP/IP)... the fact that I've called it WINshark several times means only one thing: I'm old (and also very tired at the end of the day) :-)) Thanks again.

mdb-inf ( 2025-10-23 19:24:24 +0000 )

No worries, it at least gave me a smile.

Happy learning in your TCP/IP journey, if you run into any more questions, you know where to find us!

SYN-bit ( 2025-10-23 19:31:21 +0000 )
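The sequence-space accounting from the answer and comments above, as an added example that is not part of the original thread and is not Wireshark's code. Only the frame numbers and ack=248 / ack=249 come from the question; the 17/230-byte split between frames 5 and 6 and all function names are constructed for illustration.

```python
from dataclasses import dataclass

MOD = 2 ** 32                      # TCP sequence numbers wrap at 32 bits
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10

@dataclass
class Segment:
    frame: int
    seq: int          # relative sequence number of the first payload byte
    payload_len: int
    flags: int

    def data_end(self) -> int:
        """Sequence number just past the payload, ignoring SYN/FIN."""
        return (self.seq + self.payload_len) % MOD

    def next_seq(self) -> int:
        """Sequence number just past the whole segment: SYN and FIN each
        consume one sequence number (the 'phantom byte')."""
        phantom = bool(self.flags & SYN) + bool(self.flags & FIN)
        return (self.seq + self.payload_len + phantom) % MOD

def strict_match(ack: int, segments: list[Segment]):
    """Link an ACK to a frame only if it acknowledges the segment's full
    sequence space (payload plus phantom byte). Simplified matcher."""
    for seg in segments:
        if ack == seg.next_seq():
            return seg.frame
    return None

def data_only_match(ack: int, segments: list[Segment]):
    """Find a data+FIN segment whose payload is acknowledged while its FIN
    is not yet: the separate-ACK corner case discussed in the thread."""
    for seg in segments:
        if seg.flags & FIN and seg.payload_len and ack == seg.data_end():
            return seg.frame
    return None

# Constructed server-to-client segments: 247 response bytes in total,
# split 17 + 230 (assumed split), with FIN set on the second one.
SERVER_SEGMENTS = [
    Segment(frame=5, seq=1, payload_len=17, flags=PSH | ACK),
    Segment(frame=6, seq=18, payload_len=230, flags=FIN | PSH | ACK),
]

if __name__ == "__main__":
    for frame, ack in ((7, 248), (8, 249)):
        print(f"frame {frame} ack={ack}: "
              f"strict={strict_match(ack, SERVER_SEGMENTS)} "
              f"data-only={data_only_match(ack, SERVER_SEGMENTS)}")
```
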
