Re: DUP ACK from the sender

From: shiran guez (shiranp3@gmail.com)
Date: Thu Mar 19 2009 - 05:54:10 ART


The Duplicate is what the Wireshark / tcpdump / Ethereal ... packet capture
interpreter engine is deciding to mark as a known issue, depending on the way
that the packets are going in the system. As you know or don't know, packet
capture is not a real sniffer of the interface; it is a duplicate packet that
is done in the kernel. Each packet that is processed by your kernel is
duplicated to your packet sniffer, so depending on how the packet travels in
your system you may see the same packet more than once, and the sniffer will
say "hey, you received a dup packet" when actually you didn't receive one; it
was only the packet doing one more round in your kernel.

On Thu, Mar 19, 2009 at 10:21 AM, Bit Gossip <bit.gossip@chello.nl> wrote:

> Hi Shiran,
> this is true but doesn't change the behavior that the sender is sending
> DUP ACK of the ACKs of the receiver.
> This is what puzzles me and I can not explain.....
> Maybe the sender sending DUP ACK has a special semantic in TCPC?
> Regards,
> Luca.
>
>
> On Wed, 2009-03-18 at 18:57 +0200, shiran guez wrote:
> > the seq=1 and ACK=1 is a relative number, not the real ACK or SEQ
> > number. If you use tcpdump then add the -S flag to get the real one; you
> > can see it also in your capture, it is mentioning that it is a relative
> > number only.
> >
> > On Wed, Mar 18, 2009 at 6:46 PM, Bit Gossip <bit.gossip@chello.nl>
> > wrote:
> > This is a nasty one....
> > It is an excerpt from an ftp session from 100.100.183.204 to
> > 100.100.171.254 where 254 is downloading a big file from 204.
> > 204 sends chunks of data and 254 acks them.
> > All the acknowledgments from 254 have seq=1 because they don't contain
> > data, and 204 apparently acknowledges them by setting ACK flag and ACK=1
> > (=seq number) in its data packets. This is strange but still ok.
> > Why then is 204 (the data sender, not receiver) sending duplicate ack
> > for seq=1?
> >
> > Hope someone can help me.......
> >
> >
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > No. Time Source Destination
> > Protocol
> > Info
> > 136 20.816004 100.100.183.204 100.100.171.254
> > FTP-DATA FTP Data: 1448 bytes
> >
> > Frame 136 (1514 bytes on wire, 96 bytes captured)
> > Arrival Time: Mar 18, 2009 12:14:22.083304000
> > [Time delta from previous captured frame: 0.000004000
> > seconds]
> > [Time delta from previous displayed frame: 0.000004000
> > seconds]
> > [Time since reference or first frame: 20.816004000 seconds]
> > Frame Number: 136
> > Frame Length: 1514 bytes
> > Capture Length: 96 bytes
> > [Frame is marked: True]
> > [Protocols in frame: eth:ip:tcp:ftp-data]
> > [Coloring Rule Name: TCP]
> > [Coloring Rule String: tcp]
> > <...>
> > Internet Protocol, Src: 100.100.183.204 (100.100.183.204),
> > Dst:
> > 100.100.171.254 (100.100.171.254)
> > Version: 4
> > Header length: 20 bytes
> > Differentiated Services Field: 0x08 (DSCP 0x02: Unknown
> > DSCP; ECN:
> > 0x00)
> > 0000 10.. = Differentiated Services Codepoint: Unknown
> > (0x02)
> > .... ..0. = ECN-Capable Transport (ECT): 0
> > .... ...0 = ECN-CE: 0
> > Total Length: 1500
> > Identification: 0x16e0 (5856)
> > Flags: 0x04 (Don't Fragment)
> > 0... = Reserved bit: Not set
> > .1.. = Don't fragment: Set
> > ..0. = More fragments: Not set
> > Fragment offset: 0
> > Time to live: 64
> > Protocol: TCP (0x06)
> > Header checksum: 0x100c [correct]
> > [Good: True]
> > [Bad : False]
> > Source: 100.100.183.204 (100.100.183.204)
> > Destination: 100.100.171.254 (100.100.171.254)
> > Transmission Control Protocol, Src Port: ftp-data (20), Dst
> > Port: 62304
> > (62304), Seq: 110049, Ack: 1, Len: 1448
> > Source port: ftp-data (20)
> > Destination port: 62304 (62304)
> > Sequence number: 110049 (relative sequence number)
> > [Next sequence number: 111497 (relative sequence
> > number)]
> > Acknowledgement number: 1 (relative ack number)
> > Header length: 32 bytes
> > Flags: 0x10 (ACK)
> > 0... .... = Congestion Window Reduced (CWR): Not set
> > .0.. .... = ECN-Echo: Not set
> > ..0. .... = Urgent: Not set
> > ...1 .... = Acknowledgment: Set
> > .... 0... = Push: Not set
> > .... .0.. = Reset: Not set
> > .... ..0. = Syn: Not set
> > .... ...0 = Fin: Not set
> > Window size: 5840 (scaled)
> > Checksum: 0x13f7 [unchecked, not all data available]
> > [Good Checksum: False]
> > [Bad Checksum: False]
> > Options: (12 bytes)
> > NOP
> > NOP
> > Timestamps: TSval 3203281847, TSecr 3574178296
> > FTP Data
> > FTP Data: .\325\020\326=#2j\021\000@~\005\000\000\000\000
> > \000\366
> > \375\356r\000\000\021\022\001\000\376D
> >
> > No. Time Source Destination
> > Protocol
> > Info
> > 137 20.816357 100.100.171.254 100.100.183.204
> > TCP
> > 62304 > ftp-data [ACK] Seq=1 Ack=63713 Win=65160 Len=0
> > TSV=3574178294
> > TSER=3203281821
> >
> > Frame 137 (66 bytes on wire, 66 bytes captured)
> > Arrival Time: Mar 18, 2009 12:14:22.083657000
> > [Time delta from previous captured frame: 0.000353000
> > seconds]
> > [Time delta from previous displayed frame: 0.000353000
> > seconds]
> > [Time since reference or first frame: 20.816357000 seconds]
> > Frame Number: 137
> > Frame Length: 66 bytes
> > Capture Length: 66 bytes
> > [Frame is marked: True]
> > [Protocols in frame: eth:ip:tcp]
> > [Coloring Rule Name: TCP]
> > [Coloring Rule String: tcp]
> > Internet Protocol, Src: 100.100.171.254 (100.100.171.254),
> > Dst:
> > 100.100.183.204 (100.100.183.204)
> > Version: 4
> > Header length: 20 bytes
> > Differentiated Services Field: 0x08 (DSCP 0x02: Unknown
> > DSCP; ECN:
> > 0x00)
> > 0000 10.. = Differentiated Services Codepoint: Unknown
> > (0x02)
> > .... ..0. = ECN-Capable Transport (ECT): 0
> > .... ...0 = ECN-CE: 0
> > Total Length: 52
> > Identification: 0x5a77 (23159)
> > Flags: 0x04 (Don't Fragment)
> > 0... = Reserved bit: Not set
> > .1.. = Don't fragment: Set
> > ..0. = More fragments: Not set
> > Fragment offset: 0
> > Time to live: 62
> > Protocol: TCP (0x06)
> > Header checksum: 0xd41c [correct]
> > [Good: True]
> > [Bad : False]
> > Source: 100.100.171.254 (100.100.171.254)
> > Destination: 100.100.183.204 (100.100.183.204)
> > Transmission Control Protocol, Src Port: 62304 (62304), Dst
> > Port:
> > ftp-data (20), Seq: 1, Ack: 63713, Len: 0
> > Source port: 62304 (62304)
> > Destination port: ftp-data (20)
> > Sequence number: 1 (relative sequence number)
> > Acknowledgement number: 63713 (relative ack number)
> > Header length: 32 bytes
> > Flags: 0x10 (ACK)
> > 0... .... = Congestion Window Reduced (CWR): Not set
> > .0.. .... = ECN-Echo: Not set
> > ..0. .... = Urgent: Not set
> > ...1 .... = Acknowledgment: Set
> > .... 0... = Push: Not set
> > .... .0.. = Reset: Not set
> > .... ..0. = Syn: Not set
> > .... ...0 = Fin: Not set
> > Window size: 65160 (scaled)
> > Checksum: 0x1b67 [correct]
> > [Good Checksum: True]
> > [Bad Checksum: False]
> > Options: (12 bytes)
> > NOP
> > NOP
> > Timestamps: TSval 3574178294, TSecr 3203281821
> >
> > No. Time Source Destination
> > Protocol
> > Info
> > 138 20.816365 100.100.183.204 100.100.171.254
> > TCP
> > [TCP Dup ACK 136#1] ftp-data > 62304 [ACK] Seq=111497 Ack=1
> > Win=5840
> > Len=0 TSV=3203281847 TSER=3574178296
> >
> > Frame 138 (66 bytes on wire, 66 bytes captured)
> > Arrival Time: Mar 18, 2009 12:14:22.083665000
> > [Time delta from previous captured frame: 0.000008000
> > seconds]
> > [Time delta from previous displayed frame: 0.000008000
> > seconds]
> > [Time since reference or first frame: 20.816365000 seconds]
> > Frame Number: 138
> > Frame Length: 66 bytes
> > Capture Length: 66 bytes
> > [Frame is marked: True]
> > [Protocols in frame: eth:ip:tcp]
> > [Coloring Rule Name: Bad TCP]
> > [Coloring Rule String: tcp.analysis.flags]
> > Internet Protocol, Src: 100.100.183.204 (100.100.183.204),
> > Dst:
> > 100.100.171.254 (100.100.171.254)
> > Version: 4
> > Header length: 20 bytes
> > Differentiated Services Field: 0x08 (DSCP 0x02: Unknown
> > DSCP; ECN:
> > 0x00)
> > 0000 10.. = Differentiated Services Codepoint: Unknown
> > (0x02)
> > .... ..0. = ECN-Capable Transport (ECT): 0
> > .... ...0 = ECN-CE: 0
> > Total Length: 52
> > Identification: 0x16e2 (5858)
> > Flags: 0x04 (Don't Fragment)
> > 0... = Reserved bit: Not set
> > .1.. = Don't fragment: Set
> > ..0. = More fragments: Not set
> > Fragment offset: 0
> > Time to live: 64
> > Protocol: TCP (0x06)
> > Header checksum: 0x15b2 [correct]
> > [Good: True]
> > [Bad : False]
> > Source: 100.100.183.204 (100.100.183.204)
> > Destination: 100.100.171.254 (100.100.171.254)
> > Transmission Control Protocol, Src Port: ftp-data (20), Dst
> > Port: 62304
> > (62304), Seq: 111497, Ack: 1, Len: 0
> > Source port: ftp-data (20)
> > Destination port: 62304 (62304)
> > Sequence number: 111497 (relative sequence number)
> > Acknowledgement number: 1 (relative ack number)
> > Header length: 32 bytes
> > Flags: 0x10 (ACK)
> > 0... .... = Congestion Window Reduced (CWR): Not set
> > .0.. .... = ECN-Echo: Not set
> > ..0. .... = Urgent: Not set
> > ...1 .... = Acknowledgment: Set
> > .... 0... = Push: Not set
> > .... .0.. = Reset: Not set
> > .... ..0. = Syn: Not set
> > .... ...0 = Fin: Not set
> > Window size: 5840 (scaled)
> > Checksum: 0xda32 [correct]
> > [Good Checksum: True]
> > [Bad Checksum: False]
> > Options: (12 bytes)
> > NOP
> > NOP
> > Timestamps: TSval 3203281847, TSecr 3574178296
> > [SEQ/ACK analysis]
> > [This is an ACK to the segment in frame: 137]
> > [The RTT to ACK the segment was: 0.000008000 seconds]
> > [TCP Analysis Flags]
> > [This is a TCP duplicate ack]
> > [Duplicate ACK #: 1]
> > [Duplicate to the ACK in frame: 136]
> >
> > No. Time Source Destination
> > Protocol
> > Info
> > 139 20.816483 100.100.171.254 100.100.183.204
> > TCP
> > 62304 > ftp-data [ACK] Seq=1 Ack=65161 Win=66608 Len=0
> > TSV=3574178294
> > TSER=3203281825
> >
> > Frame 139 (66 bytes on wire, 66 bytes captured)
> > Arrival Time: Mar 18, 2009 12:14:22.083783000
> > [Time delta from previous captured frame: 0.000118000
> > seconds]
> > [Time delta from previous displayed frame: 0.000118000
> > seconds]
> > [Time since reference or first frame: 20.816483000 seconds]
> > Frame Number: 139
> > Frame Length: 66 bytes
> > Capture Length: 66 bytes
> > [Frame is marked: True]
> > [Protocols in frame: eth:ip:tcp]
> > [Coloring Rule Name: TCP]
> > [Coloring Rule String: tcp]
> > Internet Protocol, Src: 100.100.171.254 (100.100.171.254),
> > Dst:
> > 100.100.183.204 (100.100.183.204)
> > Version: 4
> > Header length: 20 bytes
> > Differentiated Services Field: 0x08 (DSCP 0x02: Unknown
> > DSCP; ECN:
> > 0x00)
> > 0000 10.. = Differentiated Services Codepoint: Unknown
> > (0x02)
> > .... ..0. = ECN-Capable Transport (ECT): 0
> > .... ...0 = ECN-CE: 0
> > Total Length: 52
> > Identification: 0x5a78 (23160)
> > Flags: 0x04 (Don't Fragment)
> > 0... = Reserved bit: Not set
> > .1.. = Don't fragment: Set
> > ..0. = More fragments: Not set
> > Fragment offset: 0
> > Time to live: 62
> > Protocol: TCP (0x06)
> > Header checksum: 0xd41b [correct]
> > [Good: True]
> > [Bad : False]
> > Source: 100.100.171.254 (100.100.171.254)
> > Destination: 100.100.183.204 (100.100.183.204)
> > Transmission Control Protocol, Src Port: 62304 (62304), Dst
> > Port:
> > ftp-data (20), Seq: 1, Ack: 65161, Len: 0
> > Source port: 62304 (62304)
> > Destination port: ftp-data (20)
> > Sequence number: 1 (relative sequence number)
> > Acknowledgement number: 65161 (relative ack number)
> > Header length: 32 bytes
> > Flags: 0x10 (ACK)
> > 0... .... = Congestion Window Reduced (CWR): Not set
> > .0.. .... = ECN-Echo: Not set
> > ..0. .... = Urgent: Not set
> > ...1 .... = Acknowledgment: Set
> > .... 0... = Push: Not set
> > .... .0.. = Reset: Not set
> > .... ..0. = Syn: Not set
> > .... ...0 = Fin: Not set
> > Window size: 66608 (scaled)
> > Checksum: 0x12e7 [correct]
> > [Good Checksum: True]
> > [Bad Checksum: False]
> > Options: (12 bytes)
> > NOP
> > NOP
> > Timestamps: TSval 3574178294, TSecr 3203281825
> >
> > No. Time Source Destination
> > Protocol
> > Info
> > 140 20.816490 100.100.183.204 100.100.171.254
> > TCP
> > [TCP Dup ACK 136#2] ftp-data > 62304 [ACK] Seq=111497 Ack=1
> > Win=5840
> > Len=0 TSV=3203281847 TSER=3574178296
> >
> > Frame 140 (66 bytes on wire, 66 bytes captured)
> > Arrival Time: Mar 18, 2009 12:14:22.083790000
> > [Time delta from previous captured frame: 0.000007000
> > seconds]
> > [Time delta from previous displayed frame: 0.000007000
> > seconds]
> > [Time since reference or first frame: 20.816490000 seconds]
> > Frame Number: 140
> > Frame Length: 66 bytes
> > Capture Length: 66 bytes
> > [Frame is marked: True]
> > [Protocols in frame: eth:ip:tcp]
> > [Coloring Rule Name: Bad TCP]
> > [Coloring Rule String: tcp.analysis.flags]
> > Internet Protocol, Src: 100.100.183.204 (100.100.183.204),
> > Dst:
> > 100.100.171.254 (100.100.171.254)
> > Version: 4
> > Header length: 20 bytes
> > Differentiated Services Field: 0x08 (DSCP 0x02: Unknown
> > DSCP; ECN:
> > 0x00)
> > 0000 10.. = Differentiated Services Codepoint: Unknown
> > (0x02)
> > .... ..0. = ECN-Capable Transport (ECT): 0
> > .... ...0 = ECN-CE: 0
> > Total Length: 52
> > Identification: 0x16e4 (5860)
> > Flags: 0x04 (Don't Fragment)
> > 0... = Reserved bit: Not set
> > .1.. = Don't fragment: Set
> > ..0. = More fragments: Not set
> > Fragment offset: 0
> > Time to live: 64
> > Protocol: TCP (0x06)
> > Header checksum: 0x15b0 [correct]
> > [Good: True]
> > [Bad : False]
> > Source: 100.100.183.204 (100.100.183.204)
> > Destination: 100.100.171.254 (100.100.171.254)
> > Transmission Control Protocol, Src Port: ftp-data (20), Dst
> > Port: 62304
> > (62304), Seq: 111497, Ack: 1, Len: 0
> > Source port: ftp-data (20)
> > Destination port: 62304 (62304)
> > Sequence number: 111497 (relative sequence number)
> > Acknowledgement number: 1 (relative ack number)
> > Header length: 32 bytes
> > Flags: 0x10 (ACK)
> > 0... .... = Congestion Window Reduced (CWR): Not set
> > .0.. .... = ECN-Echo: Not set
> > ..0. .... = Urgent: Not set
> > ...1 .... = Acknowledgment: Set
> > .... 0... = Push: Not set
> > .... .0.. = Reset: Not set
> > .... ..0. = Syn: Not set
> > .... ...0 = Fin: Not set
> > Window size: 5840 (scaled)
> > Checksum: 0xda32 [correct]
> > [Good Checksum: True]
> > [Bad Checksum: False]
> > Options: (12 bytes)
> > NOP
> > NOP
> > Timestamps: TSval 3203281847, TSecr 3574178296
> > [SEQ/ACK analysis]
> > [This is an ACK to the segment in frame: 139]
> > [The RTT to ACK the segment was: 0.000007000 seconds]
> > [TCP Analysis Flags]
> > [This is a TCP duplicate ack]
> > [Duplicate ACK #: 2]
> > [Duplicate to the ACK in frame: 136]
> > [ltosolini@nlws481253 SpeedTest]$
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> >
> _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> > --
> > Shiran Guez
> > MCSE CCNP NCE1 JNCIA-ER CCIE #20572
> > http://cciep3.blogspot.com
> > http://www.linkedin.com/in/cciep3
> >
>
>

-- 
Shiran Guez
MCSE CCNP NCE1 JNCIA-ER CCIE #20572
http://cciep3.blogspot.com
http://www.linkedin.com/in/cciep3
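
Added example, not part of the original posts: a simplified version of the duplicate-ACK heuristic a capture analyzer applies, run over frames 136-140 from the quoted capture. The rule as coded here is an assumption (it is not the analyzer's source code), and TCP flags are not modelled because all five frames carry ACK only.

```python
# Frames 136-140 as shown in the quoted capture (relative seq/ack numbers).
# Tuple layout: (frame, source, seq, ack, window, payload_len)
FRAMES = [
    (136, "100.100.183.204", 110049, 1, 5840, 1448),
    (137, "100.100.171.254", 1, 63713, 65160, 0),
    (138, "100.100.183.204", 111497, 1, 5840, 0),
    (139, "100.100.171.254", 1, 65161, 66608, 0),
    (140, "100.100.183.204", 111497, 1, 5840, 0),
]


def flag_dup_acks(frames):
    """Return (frame, duplicate_of_frame, dup_number) for each flagged frame.

    Simplified heuristic (an assumption, not the analyzer's source code):
    a zero-length segment is a duplicate ACK when it repeats the ack number
    and non-zero window last seen from the same endpoint and its seq equals
    that endpoint's next expected sequence number.
    """
    state = {}    # per-source: last ack, window, next seq, reference frame
    flagged = []
    for frame, src, seq, ack, win, length in frames:
        prev = state.get(src)
        if (prev and length == 0 and win != 0
                and ack == prev["ack"] and win == prev["win"]
                and seq == prev["next_seq"]):
            prev["dups"] += 1
            flagged.append((frame, prev["frame"], prev["dups"]))
            continue
        state[src] = {"ack": ack, "win": win, "next_seq": seq + length,
                      "frame": frame, "dups": 0}
    return flagged


if __name__ == "__main__":
    for frame, ref, n in flag_dup_acks(FRAMES):
        print(f"frame {frame}: Dup ACK {ref}#{n}")
```

Frames 137 and 139 from 100.100.171.254 are not flagged because their ack number advances (63713, then 65161); frames 138 and 140 repeat Ack=1 and Win=5840 with no payload, which is all the rule looks at.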

This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:05 ART