Ask Your Question

Extra byte in received data after TCP Retransmission

asked 2017-11-24 18:13:36 +0000

ecm99 gravatar image

updated 2017-11-24 19:06:16 +0000

I'm hoping someone can help me anaylyze this trace. In the received socket stream there seems to be an extra byte (00) of data.

As best I can tell what is happening is that in packet 5 the receiver sent a zero window message, followed by a window update in #6 saying room was available.

The sender then sent one data byte (00) in packet 7 with Seq=4141. I don't see any ACK for that packet, then 50 milliseconds later the sender retries (packet 8) this time with 1380 bytes beginning at Seq 4141 again.
Packet #8 begins with the same 00 byte that was sent in packet 7. Because this is a retry at 4141 I would not expect both of those 00 bytes to end up in the socket stream of the receiver. Only one of them should have.

When I follow the TCP stream using wireshark, it shows two 00 bytes in the stream when I would expect only one. (See screenshot attached).

image description

The receiver then sends an ACK for 5521 with SLE=4141 SRE=4142. This is what I don't fully understand.

This PCAP was captured on the machine.

image description

edit retag flag offensive close merge delete


Also, when looking at the same PCAP file under an older wireshark version 2.0.5, the follow TCP stream does not show the extra 00 byte; even though the packets are identical (obviously since its the same PCAP file). At this point I am questioning whether or not the extra 00 actually made it into the socket or not.

ecm99 gravatar imageecm99 ( 2017-11-24 18:20:32 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2017-11-24 20:51:35 +0000

Yes I think you are right there is only one 00 Byte at 4141 and not on 4140 (102C).

The SEQ 4141 is transmitted the first and is not ACKed at that time. So the sender retransmit the segment but now inside a larger segment.

The packet 10 just says that that he received the Segment 4141 twice.

So I would suggest that you fill out a bug report:

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2017-11-24 18:13:36 +0000

Seen: 538 times

Last updated: Nov 24 '17