0

When I use WebSocket, why do many ACKs occur in Wireshark?

Recently, I developed a server-client program that uses WebSocket.

When I send some bytes just once and capture the packets in Wireshark, the server sends many ACKs to the client (with the same seq num and different ack num).


[Img URL : https://drive.google.com/file/d/1-5k8...]

I wonder why this is happening with WebSocket packets.

Thanks for reading.

P.S.: In Wireshark, the above packets (ACKs) are represented as normal packets.

dontcryme
asked 2023-02-15 04:42:13 +0000, updated 2023-02-15 22:10:29 +0000

Comments

Note that the image shows: (as same seq num and different ack num)

Jaap (2023-02-15 08:48:59 +0000)

Sorry, I wrote it wrong. I modified it.

dontcryme (2023-02-15 22:05:49 +0000)

1 Answer

1

I assume from the IMG that you are capturing on or near the server.

The traversal of network packets over the network takes time. So while the client receives TCP segments and ACKs them, there are already new packets underway from the server. This means the ACKs you are seeing are ACKing packets earlier in the trace. You can see that with the SEQ numbers in the image. This first packet from the server has SEQ number 41099. All the ACKs in the image are ACKing TCP segments before that first visible segment.

If you capture on the client side, you would see a different pattern. And it is more clear how the client ACKs the incoming TCP segments.

SYN-bit
answered 2023-02-16 11:34:29 +0000

Comments

Thanks for the reply. The above image is a client-side packet capture, but one different situation is that my client is located in a DMZ zone (NAT) and the server is located in AWS. And I think that the packet in the black rectangle in the additional image ([ack] seq = 237) is the response ACK packet to the red rectangle's (ack=237), right? Because of the seq=ack pair. If so, are the black rectangle's multiple packets with the same SEQ=237 (the client's ACK=237 response) just represented that way in Wireshark because of segmentation? Because of the server's status? [additional image link : https://drive.google.com/file/d/1igyB... ]

dontcryme (2023-02-17 00:09:13 +0000)

My mistake, I mistakenly took the sending side as the server side. But it is the client that is sending the data in this case. So the capture was on the sending (client) side :-)

As for the capture, thanks for the second image, this is a classic example of TCP segmentation offloading and also of TCP slow start. If you look at the SYN and SYN/ACK packets, the MSS is 1460, which means TCP segments of 1460 bytes will be sent. When you look at the segments sent by the client, they are 14600 and then 2920 bytes in size. This is because you are capturing on the sending system and TCP segmentation offloading is enabled. So the segmentation into 1460-byte segments is done on the network card (while the capture is done before the outgoing packets have reached the network card).

The reason you see 14600 bytes sent first ... (more)

SYN-bit (2023-02-17 19:24:48 +0000)

Wow... thank you for your detailed reply. Have a nice day!!

dontcryme (2023-02-19 22:47:50 +0000)
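
The segmentation offload effect discussed in the comments above, as an added example that is not part of the original posts: from the MSS and the oversized segments seen in a sender-side capture, it derives the on-wire segments produced by the network card and the cumulative ACK numbers the receiver can return. The sizes 1460, 14600 and 2920 are the ones quoted above; the starting relative sequence number 1 and the two ACK policies are assumptions.

```python
"""Model a sender-side capture taken with TCP segmentation offload enabled."""

MSS = 1460  # from the SYN / SYN-ACK options quoted in the thread

# Constructed sample: (relative seq, payload length) as the capture on the
# sending host sees them, before the network card splits the data.
CAPTURED = [(1, 14600), (14601, 2920)]


def wire_segments(captured, mss=MSS):
    """Split each captured super-segment into MSS-sized on-wire segments."""
    out = []
    for seq, length in captured:
        offset = 0
        while offset < length:
            size = min(mss, length - offset)
            out.append((seq + offset, size))
            offset += size
    return out


def expected_acks(segments, ack_every=1):
    """Cumulative ACK numbers when the receiver ACKs every Nth segment.

    ack_every=1 is one ACK per segment, ack_every=2 is delayed ACK (assumed
    policies; a real receiver may mix both). The last segment is always
    acknowledged. The receiver sends no data, so its own SEQ never changes.
    """
    acks = []
    for i, (seq, size) in enumerate(segments, start=1):
        if i % ack_every == 0 or i == len(segments):
            acks.append(seq + size)
    return acks


def acks_per_captured(captured, acks):
    """Count the ACKs that land inside each captured super-segment."""
    result = {}
    for seq, length in captured:
        result[(seq, length)] = sum(1 for a in acks if seq < a <= seq + length)
    return result


if __name__ == "__main__":
    segs = wire_segments(CAPTURED)
    for policy in (1, 2):
        acks = expected_acks(segs, ack_every=policy)
        print(f"ack_every={policy}: {len(acks)} ACKs -> {acks}")
        print("  per captured packet:", acks_per_captured(CAPTURED, acks))
```

With these inputs the two packets visible in the capture become twelve segments on the wire, so up to twelve ACKs with an unchanged SEQ and a rising ACK number come back for them.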