From: Pavel Bykov (slidersv@gmail.com)
Date: Thu Mar 19 2009 - 09:25:06 ART
Seems normal to me, and I agree with Shiran that it's Wireshark's
interpretation of DUP. It is being too smart in this case.
There is simply no data particularly in that TCP session from 254 to 204.
Issue LIST command on 204, and then PUT a file, and then you'll see that
instead of SEQ 1 it'll be stuck at SEQ 800 for example.
On Wed, Mar 18, 2009 at 5:46 PM, Bit Gossip <bit.gossip@chello.nl> wrote:
> This is a nasty one....
> It is an excerpt from an ftp session from 100.100.183.204 to
> 100.100.171.254 where 254 is downloading a big file from 204.
> 204 sends chunks of data and 254 acks them.
> All the acknowledgments from 254 have seq=1 because they don't contain
> data, and 204 apparently acknowledges them by setting ACK flag and ACK=1
> (=seq number) in its data packets. This is strange but still ok.
> Why then is 204 (the data sender, not receiver) sending duplicate acks
> for seq=1?
>
> Hope someone can help me.......
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> No. Time Source Destination Protocol
> Info
> 136 20.816004 100.100.183.204 100.100.171.254
> FTP-DATA FTP Data: 1448 bytes
>
> Frame 136 (1514 bytes on wire, 96 bytes captured)
> Arrival Time: Mar 18, 2009 12:14:22.083304000
> [Time delta from previous captured frame: 0.000004000 seconds]
> [Time delta from previous displayed frame: 0.000004000 seconds]
> [Time since reference or first frame: 20.816004000 seconds]
> Frame Number: 136
> Frame Length: 1514 bytes
> Capture Length: 96 bytes
> [Frame is marked: True]
> [Protocols in frame: eth:ip:tcp:ftp-data]
> [Coloring Rule Name: TCP]
> [Coloring Rule String: tcp]
> <...>
> Internet Protocol, Src: 100.100.183.204 (100.100.183.204), Dst:
> 100.100.171.254 (100.100.171.254)
> Version: 4
> Header length: 20 bytes
> Differentiated Services Field: 0x08 (DSCP 0x02: Unknown DSCP; ECN:
> 0x00)
> 0000 10.. = Differentiated Services Codepoint: Unknown (0x02)
> .... ..0. = ECN-Capable Transport (ECT): 0
> .... ...0 = ECN-CE: 0
> Total Length: 1500
> Identification: 0x16e0 (5856)
> Flags: 0x04 (Don't Fragment)
> 0... = Reserved bit: Not set
> .1.. = Don't fragment: Set
> ..0. = More fragments: Not set
> Fragment offset: 0
> Time to live: 64
> Protocol: TCP (0x06)
> Header checksum: 0x100c [correct]
> [Good: True]
> [Bad : False]
> Source: 100.100.183.204 (100.100.183.204)
> Destination: 100.100.171.254 (100.100.171.254)
> Transmission Control Protocol, Src Port: ftp-data (20), Dst Port: 62304
> (62304), Seq: 110049, Ack: 1, Len: 1448
> Source port: ftp-data (20)
> Destination port: 62304 (62304)
> Sequence number: 110049 (relative sequence number)
> [Next sequence number: 111497 (relative sequence number)]
> Acknowledgement number: 1 (relative ack number)
> Header length: 32 bytes
> Flags: 0x10 (ACK)
> 0... .... = Congestion Window Reduced (CWR): Not set
> .0.. .... = ECN-Echo: Not set
> ..0. .... = Urgent: Not set
> ...1 .... = Acknowledgment: Set
> .... 0... = Push: Not set
> .... .0.. = Reset: Not set
> .... ..0. = Syn: Not set
> .... ...0 = Fin: Not set
> Window size: 5840 (scaled)
> Checksum: 0x13f7 [unchecked, not all data available]
> [Good Checksum: False]
> [Bad Checksum: False]
> Options: (12 bytes)
> NOP
> NOP
> Timestamps: TSval 3203281847, TSecr 3574178296
> FTP Data
> FTP Data: .\325\020\326=#2j\021\000@~\005\000\000\000\000\000\366
> \375\356r\000\000\021\022\001\000\376D
>
> No. Time Source Destination Protocol
> Info
> 137 20.816357 100.100.171.254 100.100.183.204 TCP
> 62304 > ftp-data [ACK] Seq=1 Ack=63713 Win=65160 Len=0 TSV=3574178294
> TSER=3203281821
>
> Frame 137 (66 bytes on wire, 66 bytes captured)
> Arrival Time: Mar 18, 2009 12:14:22.083657000
> [Time delta from previous captured frame: 0.000353000 seconds]
> [Time delta from previous displayed frame: 0.000353000 seconds]
> [Time since reference or first frame: 20.816357000 seconds]
> Frame Number: 137
> Frame Length: 66 bytes
> Capture Length: 66 bytes
> [Frame is marked: True]
> [Protocols in frame: eth:ip:tcp]
> [Coloring Rule Name: TCP]
> [Coloring Rule String: tcp]
> Internet Protocol, Src: 100.100.171.254 (100.100.171.254), Dst:
> 100.100.183.204 (100.100.183.204)
> Version: 4
> Header length: 20 bytes
> Differentiated Services Field: 0x08 (DSCP 0x02: Unknown DSCP; ECN:
> 0x00)
> 0000 10.. = Differentiated Services Codepoint: Unknown (0x02)
> .... ..0. = ECN-Capable Transport (ECT): 0
> .... ...0 = ECN-CE: 0
> Total Length: 52
> Identification: 0x5a77 (23159)
> Flags: 0x04 (Don't Fragment)
> 0... = Reserved bit: Not set
> .1.. = Don't fragment: Set
> ..0. = More fragments: Not set
> Fragment offset: 0
> Time to live: 62
> Protocol: TCP (0x06)
> Header checksum: 0xd41c [correct]
> [Good: True]
> [Bad : False]
> Source: 100.100.171.254 (100.100.171.254)
> Destination: 100.100.183.204 (100.100.183.204)
> Transmission Control Protocol, Src Port: 62304 (62304), Dst Port:
> ftp-data (20), Seq: 1, Ack: 63713, Len: 0
> Source port: 62304 (62304)
> Destination port: ftp-data (20)
> Sequence number: 1 (relative sequence number)
> Acknowledgement number: 63713 (relative ack number)
> Header length: 32 bytes
> Flags: 0x10 (ACK)
> 0... .... = Congestion Window Reduced (CWR): Not set
> .0.. .... = ECN-Echo: Not set
> ..0. .... = Urgent: Not set
> ...1 .... = Acknowledgment: Set
> .... 0... = Push: Not set
> .... .0.. = Reset: Not set
> .... ..0. = Syn: Not set
> .... ...0 = Fin: Not set
> Window size: 65160 (scaled)
> Checksum: 0x1b67 [correct]
> [Good Checksum: True]
> [Bad Checksum: False]
> Options: (12 bytes)
> NOP
> NOP
> Timestamps: TSval 3574178294, TSecr 3203281821
>
> No. Time Source Destination Protocol
> Info
> 138 20.816365 100.100.183.204 100.100.171.254 TCP
> [TCP Dup ACK 136#1] ftp-data > 62304 [ACK] Seq=111497 Ack=1 Win=5840
> Len=0 TSV=3203281847 TSER=3574178296
>
> Frame 138 (66 bytes on wire, 66 bytes captured)
> Arrival Time: Mar 18, 2009 12:14:22.083665000
> [Time delta from previous captured frame: 0.000008000 seconds]
> [Time delta from previous displayed frame: 0.000008000 seconds]
> [Time since reference or first frame: 20.816365000 seconds]
> Frame Number: 138
> Frame Length: 66 bytes
> Capture Length: 66 bytes
> [Frame is marked: True]
> [Protocols in frame: eth:ip:tcp]
> [Coloring Rule Name: Bad TCP]
> [Coloring Rule String: tcp.analysis.flags]
> Internet Protocol, Src: 100.100.183.204 (100.100.183.204), Dst:
> 100.100.171.254 (100.100.171.254)
> Version: 4
> Header length: 20 bytes
> Differentiated Services Field: 0x08 (DSCP 0x02: Unknown DSCP; ECN:
> 0x00)
> 0000 10.. = Differentiated Services Codepoint: Unknown (0x02)
> .... ..0. = ECN-Capable Transport (ECT): 0
> .... ...0 = ECN-CE: 0
> Total Length: 52
> Identification: 0x16e2 (5858)
> Flags: 0x04 (Don't Fragment)
> 0... = Reserved bit: Not set
> .1.. = Don't fragment: Set
> ..0. = More fragments: Not set
> Fragment offset: 0
> Time to live: 64
> Protocol: TCP (0x06)
> Header checksum: 0x15b2 [correct]
> [Good: True]
> [Bad : False]
> Source: 100.100.183.204 (100.100.183.204)
> Destination: 100.100.171.254 (100.100.171.254)
> Transmission Control Protocol, Src Port: ftp-data (20), Dst Port: 62304
> (62304), Seq: 111497, Ack: 1, Len: 0
> Source port: ftp-data (20)
> Destination port: 62304 (62304)
> Sequence number: 111497 (relative sequence number)
> Acknowledgement number: 1 (relative ack number)
> Header length: 32 bytes
> Flags: 0x10 (ACK)
> 0... .... = Congestion Window Reduced (CWR): Not set
> .0.. .... = ECN-Echo: Not set
> ..0. .... = Urgent: Not set
> ...1 .... = Acknowledgment: Set
> .... 0... = Push: Not set
> .... .0.. = Reset: Not set
> .... ..0. = Syn: Not set
> .... ...0 = Fin: Not set
> Window size: 5840 (scaled)
> Checksum: 0xda32 [correct]
> [Good Checksum: True]
> [Bad Checksum: False]
> Options: (12 bytes)
> NOP
> NOP
> Timestamps: TSval 3203281847, TSecr 3574178296
> [SEQ/ACK analysis]
> [This is an ACK to the segment in frame: 137]
> [The RTT to ACK the segment was: 0.000008000 seconds]
> [TCP Analysis Flags]
> [This is a TCP duplicate ack]
> [Duplicate ACK #: 1]
> [Duplicate to the ACK in frame: 136]
>
> No. Time Source Destination Protocol
> Info
> 139 20.816483 100.100.171.254 100.100.183.204 TCP
> 62304 > ftp-data [ACK] Seq=1 Ack=65161 Win=66608 Len=0 TSV=3574178294
> TSER=3203281825
>
> Frame 139 (66 bytes on wire, 66 bytes captured)
> Arrival Time: Mar 18, 2009 12:14:22.083783000
> [Time delta from previous captured frame: 0.000118000 seconds]
> [Time delta from previous displayed frame: 0.000118000 seconds]
> [Time since reference or first frame: 20.816483000 seconds]
> Frame Number: 139
> Frame Length: 66 bytes
> Capture Length: 66 bytes
> [Frame is marked: True]
> [Protocols in frame: eth:ip:tcp]
> [Coloring Rule Name: TCP]
> [Coloring Rule String: tcp]
> Internet Protocol, Src: 100.100.171.254 (100.100.171.254), Dst:
> 100.100.183.204 (100.100.183.204)
> Version: 4
> Header length: 20 bytes
> Differentiated Services Field: 0x08 (DSCP 0x02: Unknown DSCP; ECN:
> 0x00)
> 0000 10.. = Differentiated Services Codepoint: Unknown (0x02)
> .... ..0. = ECN-Capable Transport (ECT): 0
> .... ...0 = ECN-CE: 0
> Total Length: 52
> Identification: 0x5a78 (23160)
> Flags: 0x04 (Don't Fragment)
> 0... = Reserved bit: Not set
> .1.. = Don't fragment: Set
> ..0. = More fragments: Not set
> Fragment offset: 0
> Time to live: 62
> Protocol: TCP (0x06)
> Header checksum: 0xd41b [correct]
> [Good: True]
> [Bad : False]
> Source: 100.100.171.254 (100.100.171.254)
> Destination: 100.100.183.204 (100.100.183.204)
> Transmission Control Protocol, Src Port: 62304 (62304), Dst Port:
> ftp-data (20), Seq: 1, Ack: 65161, Len: 0
> Source port: 62304 (62304)
> Destination port: ftp-data (20)
> Sequence number: 1 (relative sequence number)
> Acknowledgement number: 65161 (relative ack number)
> Header length: 32 bytes
> Flags: 0x10 (ACK)
> 0... .... = Congestion Window Reduced (CWR): Not set
> .0.. .... = ECN-Echo: Not set
> ..0. .... = Urgent: Not set
> ...1 .... = Acknowledgment: Set
> .... 0... = Push: Not set
> .... .0.. = Reset: Not set
> .... ..0. = Syn: Not set
> .... ...0 = Fin: Not set
> Window size: 66608 (scaled)
> Checksum: 0x12e7 [correct]
> [Good Checksum: True]
> [Bad Checksum: False]
> Options: (12 bytes)
> NOP
> NOP
> Timestamps: TSval 3574178294, TSecr 3203281825
>
> No. Time Source Destination Protocol
> Info
> 140 20.816490 100.100.183.204 100.100.171.254 TCP
> [TCP Dup ACK 136#2] ftp-data > 62304 [ACK] Seq=111497 Ack=1 Win=5840
> Len=0 TSV=3203281847 TSER=3574178296
>
> Frame 140 (66 bytes on wire, 66 bytes captured)
> Arrival Time: Mar 18, 2009 12:14:22.083790000
> [Time delta from previous captured frame: 0.000007000 seconds]
> [Time delta from previous displayed frame: 0.000007000 seconds]
> [Time since reference or first frame: 20.816490000 seconds]
> Frame Number: 140
> Frame Length: 66 bytes
> Capture Length: 66 bytes
> [Frame is marked: True]
> [Protocols in frame: eth:ip:tcp]
> [Coloring Rule Name: Bad TCP]
> [Coloring Rule String: tcp.analysis.flags]
> Internet Protocol, Src: 100.100.183.204 (100.100.183.204), Dst:
> 100.100.171.254 (100.100.171.254)
> Version: 4
> Header length: 20 bytes
> Differentiated Services Field: 0x08 (DSCP 0x02: Unknown DSCP; ECN:
> 0x00)
> 0000 10.. = Differentiated Services Codepoint: Unknown (0x02)
> .... ..0. = ECN-Capable Transport (ECT): 0
> .... ...0 = ECN-CE: 0
> Total Length: 52
> Identification: 0x16e4 (5860)
> Flags: 0x04 (Don't Fragment)
> 0... = Reserved bit: Not set
> .1.. = Don't fragment: Set
> ..0. = More fragments: Not set
> Fragment offset: 0
> Time to live: 64
> Protocol: TCP (0x06)
> Header checksum: 0x15b0 [correct]
> [Good: True]
> [Bad : False]
> Source: 100.100.183.204 (100.100.183.204)
> Destination: 100.100.171.254 (100.100.171.254)
> Transmission Control Protocol, Src Port: ftp-data (20), Dst Port: 62304
> (62304), Seq: 111497, Ack: 1, Len: 0
> Source port: ftp-data (20)
> Destination port: 62304 (62304)
> Sequence number: 111497 (relative sequence number)
> Acknowledgement number: 1 (relative ack number)
> Header length: 32 bytes
> Flags: 0x10 (ACK)
> 0... .... = Congestion Window Reduced (CWR): Not set
> .0.. .... = ECN-Echo: Not set
> ..0. .... = Urgent: Not set
> ...1 .... = Acknowledgment: Set
> .... 0... = Push: Not set
> .... .0.. = Reset: Not set
> .... ..0. = Syn: Not set
> .... ...0 = Fin: Not set
> Window size: 5840 (scaled)
> Checksum: 0xda32 [correct]
> [Good Checksum: True]
> [Bad Checksum: False]
> Options: (12 bytes)
> NOP
> NOP
> Timestamps: TSval 3203281847, TSecr 3574178296
> [SEQ/ACK analysis]
> [This is an ACK to the segment in frame: 139]
> [The RTT to ACK the segment was: 0.000007000 seconds]
> [TCP Analysis Flags]
> [This is a TCP duplicate ack]
> [Duplicate ACK #: 2]
> [Duplicate to the ACK in frame: 136]
> [ltosolini@nlws481253 SpeedTest]$
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
--
Pavel Bykov
----------------
Don't forget to help stopping the braindumps, use of which reduces value of your certifications.
Sign the petition at http://www.stopbraindumps.com/
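The behaviour discussed in this thread, as an added example that is not part of either post and is not Wireshark's own code: a simplified model of the duplicate-ACK rule given in Wireshark's TCP analysis documentation (zero-length segment, non-zero unchanged window, unchanged ACK number, no SYN/FIN/RST), run over frames 136-140 as quoted above. The names `Seg`, `FRAMES` and `find_dup_acks` are made up for this sketch, and the per-sender state tracking is an assumption of the model.

```python
from collections import namedtuple

# One TCP segment as shown in the packet list: relative seq/ack, window, payload length.
Seg = namedtuple("Seg", "frame src seq ack win length flags")

# Constructed from the summary lines of frames 136-140 quoted in the thread.
# "204" = 100.100.183.204 (data sender), "254" = 100.100.171.254 (receiver).
FRAMES = [
    Seg(136, "204", 110049, 1,     5840,  1448, "A"),  # FTP data, carries Ack=1
    Seg(137, "254", 1,      63713, 65160, 0,    "A"),  # receiver acks data
    Seg(138, "204", 111497, 1,     5840,  0,    "A"),  # empty ACK, same Ack/Win as 136
    Seg(139, "254", 1,      65161, 66608, 0,    "A"),  # receiver ack advances
    Seg(140, "204", 111497, 1,     5840,  0,    "A"),  # empty ACK again
]


def find_dup_acks(segments):
    """Return {frame: (duplicate_of_frame, dup_number)} under the simplified rule.

    State is kept per sender. Any segment that is not itself a duplicate ACK,
    data segments included, becomes the new reference for ack/window.
    """
    state = {}    # src -> {"ack", "win", "frame", "count"}
    flagged = {}
    for s in segments:
        prev = state.get(s.src)
        is_dup = (
            prev is not None
            and s.length == 0                      # carries no payload
            and s.win != 0 and s.win == prev["win"]  # window non-zero and unchanged
            and s.ack == prev["ack"]               # acknowledges nothing new
            and not set(s.flags) & set("SFR")      # not SYN / FIN / RST
        )
        if is_dup:
            prev["count"] += 1
            flagged[s.frame] = (prev["frame"], prev["count"])
        else:
            state[s.src] = {"ack": s.ack, "win": s.win,
                            "frame": s.frame, "count": 0}
    return flagged


if __name__ == "__main__":
    for frame, (ref, n) in sorted(find_dup_acks(FRAMES).items()):
        print(f"frame {frame}: [TCP Dup ACK {ref}#{n}]")
```

Because 254 never sends payload on this connection, every segment from 204 carries Ack=1, so any empty ACK from 204 satisfies the rule even though no data was lost.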
This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:06 ART