How TCP Works - Duplicate Acknowledgments

Поділитися
Вставка
  • Опубліковано 22 лис 2024

КОМЕНТАРІ • 130

  • @ToddMagers
    @ToddMagers 4 роки тому +19

    Great video Chris!! SACK and dup acks can be hard to explain but you have done a tremendous job!

    • @ChrisGreer
      @ChrisGreer  4 роки тому +3

      thanks Todd! Agreed, it's hard to condense it down to a few minutes.

  • @xzwei
    @xzwei 3 роки тому

    Viewed twice, it helped me to understand the DupAcks clearly.

  • @olyachepizdrik8683
    @olyachepizdrik8683 2 місяці тому

    Damn best videos about TCP/IP and what's going on under the hoods during communications!!! Thank you Bro 👍 You're the best trainer and showman in this domain!

  • @purvivakani9408
    @purvivakani9408 4 роки тому +1

    I had knowledge of TCP Header. and now have been starting learn tcp by your each videos. Nice explanations. Thank you.

    • @ChrisGreer
      @ChrisGreer  4 роки тому +1

      Thank you for the comment Purvi! I will keep them coming.

  • @shaishankar8499
    @shaishankar8499 2 роки тому

    I just watched only once and i'm very clear... Kudos sir!

  • @anshul161987
    @anshul161987 4 роки тому +1

    So finally I have seen very crisp and clear understanding of SACK and DUP-ACK... well done and great job Chris.
    You have just earned a true subscriber, who will for sure watch all your videos.

    • @ChrisGreer
      @ChrisGreer  4 роки тому

      Thanks for the comment Anshul! Great to have you on the channel.

  • @ranjanadissanayaka5390
    @ranjanadissanayaka5390 2 роки тому +1

    amazing video...I always wondered what those packets highlighted in black. Thanks Chris.

  • @CharlesRMani
    @CharlesRMani 4 роки тому +2

    Ma man am so thankful for yu.. these lessons make me grow better as a fresher nd ur a master in wireshark..u the best 💛.god bless yu and ur family✝️.we would love u being active more on youtube and posting videos now and then.

    • @ChrisGreer
      @ChrisGreer  4 роки тому +2

      Thanks Charles for the comment! I'll keep working at posting more often. I appreciate the feedback and it definitely motivates me to keep on going.

  • @billstegman9785
    @billstegman9785 4 роки тому +3

    clear and concise explanation, thank you

    • @ChrisGreer
      @ChrisGreer  4 роки тому

      Thanks for the comment Bill, glad it helped.

  • @vipulv07
    @vipulv07 4 роки тому +3

    "Hundreds of Dup Acks" - I asked this question in last the streaming with Kary😀 although that explanation helped too, this video is well elaborated and really helpful for someone worried about it.
    Amazing work Chris!

    • @ChrisGreer
      @ChrisGreer  4 роки тому +2

      Glad it was helpful! Thank you!

  • @ericwf1
    @ericwf1 4 роки тому +4

    This answers some questions I had on a case at work. Great video Chris, thank you!

  • @sumitjha7841
    @sumitjha7841 2 роки тому

    East or West, Chris is the best.

  • @rameshnaidum
    @rameshnaidum 4 роки тому +4

    Thank you Chris. Clarity dawning

  • @jhc4090
    @jhc4090 6 місяців тому

    Super helpful! thanks for putting out this content.

  • @vikramodedra4351
    @vikramodedra4351 3 місяці тому

    Hi thanks for the great video Chris, where can I get this TCP analysis profile?

  • @moelmakrani7116
    @moelmakrani7116 3 роки тому

    Hi Chris, your videos are just a pleasure to watch and listen. Great job man!

  • @mautezsyria8480
    @mautezsyria8480 2 роки тому

    Thanks , Chris
    The LAst one , we see here many Dup ack before retransmission , but there is a rule that after 3 dup ack a fast retransmission will happen , so when this rule will be apply

    • @ChrisGreer
      @ChrisGreer  2 роки тому +1

      If both sides support fast retransmissions, yes, that will be triggered by 3 duplicate acks. Basically the higher the latency between two endpoints, the more duplicate acks you will see in data transfers. You can have hundreds of duplicate acks for only one lost packet in a stream of data. The duplicate acks will continue until the retransmission is sent and received by the target station.

  • @aashishkgoyal7600
    @aashishkgoyal7600 4 роки тому +1

    Great video Chris. Awesome explanation. Few things that I would still like to understand...
    1. Would server send that segment again once those 4 DUP ACKs are received?
    2. How is the ACK determined? Meaning, whether to ACK every 2, 4, 6, etc packets... How is that determined? And how long does server wait for ACK from client? Let's say ACK is lost in transit, then how things would work?

    • @ChrisGreer
      @ChrisGreer  4 роки тому +6

      Hello Aashish, thanks for stopping by the channel.
      1. Yes, if the server supports fast retransmission, which most stacks do these days.
      2. The ACK interval is determined by the stack settings. How long does the server wait for an ACK? That depends on a value that is set when a packet is transmitted called the retransmission timer. If the server hears nothing from the receiver by the time the timer expires, then it will retransmit the packet. This value is typically set by the stack once it sorts out the network roundtrip time. If an ACK is lost in transit on the way back to the server, then we would have to wait for the timer to expire and resend the packet.
      Hope these answers help!

  • @mautezsyria8480
    @mautezsyria8480 2 роки тому

    Thanks , really Great video Chris
    What if two ends don't support SACK, now will duplicate each packet till retransmission happens?

    • @ChrisGreer
      @ChrisGreer  2 роки тому

      Not sure on the exact question, but If the endpoints do not support SACK, retransmissions will occur after loss but the receiver will not be able to indicate successful reception of packets after the lost packet. So a sender will have to retransmit data that was already successfully received.

  • @sapnachaudhary9418
    @sapnachaudhary9418 3 роки тому +2

    Hey Chris,
    I really like all your videos, all are very informative.
    I just want to request you to make some more videos on QUIC about how QUIC different from TCP through Wireshark traces where we can understand how QUIC solves the retransmission ambiguity of TCP. Also what if I want to plot a Steven graph for QUIC just like we can have in TCP.

  • @ashishvishwakarma815
    @ashishvishwakarma815 4 роки тому +1

    @Chris Greer, thanks for this amazing videos. your explanation is really nice.

    • @ChrisGreer
      @ChrisGreer  4 роки тому

      Thanks Ashish! I appreciate the comment.

  • @rakeshkhannam1668
    @rakeshkhannam1668 3 роки тому

    Thanks Chris !!! Really Great Stuff. Learning more from your videos.

    • @ChrisGreer
      @ChrisGreer  3 роки тому

      Thanks for the comment Rakesh! I appreciate the positive vibes.

  • @dgharge
    @dgharge 4 роки тому +1

    Great Explanation , Thank you.

  • @llJoDall
    @llJoDall 4 роки тому +1

    Thx for this video! You explained it really well.

    • @ChrisGreer
      @ChrisGreer  4 роки тому +1

      Thanks for the comment - I'll keep it up. 👍

  • @baazshabaz
    @baazshabaz 3 роки тому

    Well explained...

  • @tolgayucel1442
    @tolgayucel1442 2 роки тому

    Hi Chris, Thanks for your efforts. My question is what if there is antother packet loss while client send dup ack, how would be situation?

  • @programacion3694
    @programacion3694 2 місяці тому

    buen contenido audiovisual.

  • @hemant_pande
    @hemant_pande 4 роки тому +1

    You are awesome Chris ❤️

    • @ChrisGreer
      @ChrisGreer  4 роки тому +1

      Thanks Hemant for the comment!

  • @cooki3cutt3r13
    @cooki3cutt3r13 Рік тому

    awesome video, great info.

  • @NorwayRaj
    @NorwayRaj 2 роки тому

    Grate video bro. Much appreciated

  • @RoboBeaver6
    @RoboBeaver6 3 роки тому

    Is the "TCP Analysis" profile available for download?

  • @punggukbulan8674
    @punggukbulan8674 2 роки тому

    Hi Chris, this is great video explanation. Maybe you need to add more clear illustration and picture from minutes 01:00 until 03:--. for example use separate and more line for data and ACK as illustration, so it will be easier to study for new people in TCP by giving more picture illustration. Sometimes brain of new people will be more understand if they see more clear illustration. Overall, good work and very helpful for us as beginner. I LIKE IT...

    • @ChrisGreer
      @ChrisGreer  2 роки тому +1

      Thanks for the suggestion! I'll try it on the next video.

  • @SnortDefence
    @SnortDefence 3 роки тому

    @chris is it possible to share your wireshark profiles also to try

  • @marimuthumanoj7206
    @marimuthumanoj7206 4 роки тому +1

    thanks buddy for help me to step up into network, for still
    keep it up (thumbs up)

    • @ChrisGreer
      @ChrisGreer  4 роки тому

      Glad I could help. Thanks for the comment.

  • @nidalfikri3445
    @nidalfikri3445 3 роки тому

    Great video Chris!

    • @ChrisGreer
      @ChrisGreer  3 роки тому +1

      thanks! Always appreciate a kind comment.

  • @williamalmeida5883
    @williamalmeida5883 3 роки тому

    Great video. How I create wireshark visual like yours ?

    • @ChrisGreer
      @ChrisGreer  3 роки тому

      Have you seen my latest video on setting up Wireshark? Go check it out!

  • @dominiquerossignol2212
    @dominiquerossignol2212 3 роки тому

    Hi Chris, thank you for your video.
    In your example there is only one SEQ missing, so DupACK is used with ACK=last SEQ received before the loss
    for ACKing every segment after the loss
    And option SACK in the TCP header is used to know what is ACKed after the loss
    But can TCP manage DupACKs and option SACK in the same way, if new loss of segments happen when older lost segments are not yet be retransmitted
    Can TCP manage multiple missed range of SEQ when ACKing regular other SEQ ?

    • @ChrisGreer
      @ChrisGreer  3 роки тому

      Yes, TCP can handle multiple SACK blocks. I've seen up to four, but most stacks can support up to three these days. It's not a big deal.

    • @dominiquerossignol2212
      @dominiquerossignol2212 3 роки тому

      @@ChrisGreer thanks Chris for your reply
      but how TCP handle this case ?
      does sender continue to send DupACK with the SEQ value of the first lost segment ?
      Doing so, in TCP header option SACK, there will be now a hole between the left edge and the right edge corresponding to the loss of others segments.
      Could you clarify ?
      Best regards

  • @lancelandrum6541
    @lancelandrum6541 4 роки тому +1

    Hey Chris,
    Thank you for these videos. I have a question about the 'options' tab in the packet details pane in wireshark. I am able to expand options for the syn and syn,ack packets but after that wireshark doesn't give me 'options' in the packet details pane for the remainder of the stream. I am wondering if it has something to do with the version of wireshark I am using. Have you seen this before? Thank you.

    • @ChrisGreer
      @ChrisGreer  4 роки тому

      Hello Lance - that is how TCP works. The options field is actually "optional"! Depending if options are in use for a given segment of data. You almost always see it in the SYN - SYN/ACK packets, since these advertise the options that each endpoint can support. After those two packets, you only will see the options field when the options are in use - for example, when a SACK block is present or maybe a TCP timestamp. You can usually find one of those if you search for a Duplicate ACK, then look for the optional SACK block in the options. You will only see this option however if both sides can support SACK. Hope this helps.

  • @nehalkapse1761
    @nehalkapse1761 5 місяців тому

    Great video

  • @jcarlosrivera4157
    @jcarlosrivera4157 4 роки тому

    Great video, Chris quick question is this related to jitter too?

    • @ChrisGreer
      @ChrisGreer  4 роки тому +1

      Hey @jCarlos Rivera usually when we are talking about jitter, we are referring to what happens during an RTP or SRTP stream, which is UDP based. That is the variation of inter-packet delta time, causing packets to arrive at varying intervals. UDP doesn't have the idea of connections and sequence numbers, so it has no acks like TCP does.

    • @jcarlosrivera4157
      @jcarlosrivera4157 4 роки тому +1

      @@ChrisGreer thank you very much, make sense, taking a note from this tip.

  • @MahananGogoi
    @MahananGogoi 4 роки тому +1

    Awesome Chris..Thanks a lot

    • @ChrisGreer
      @ChrisGreer  4 роки тому

      You bet @Maha. Glad that the video helped you. Thanks for stopping by and commenting.

  • @en4ble773
    @en4ble773 4 роки тому

    @Chris Greer Great video thank you. QQ how do you add these additional columns of yours? I.e sequence number etc..? Thank you in advance.

    • @ChrisGreer
      @ChrisGreer  4 роки тому

      Hello Bart, just find the field that you want to add as a column, right click it, and click Add as Column. It will add a column up in the summary view.

    • @en4ble773
      @en4ble773 4 роки тому +1

      @@ChrisGreer Awesome thank you. I appreciate you time explaining.

  • @luissantiago7294
    @luissantiago7294 4 роки тому +1

    Excelente!

  • @samitpiku
    @samitpiku 2 роки тому

    can you make video on TCP ut of order packets

  • @naveenjkumar9684
    @naveenjkumar9684 4 роки тому

    Hi Chris sir, can you kindly explain asymmetric issue traffic how to isolate in wireshark with any capture pls

    • @ChrisGreer
      @ChrisGreer  4 роки тому

      Hello Naveenj, I would be happy to help, but I would need a bit more detail. There are lots of things that can go into asymmetric traffic problems. If you want, you can send your capture to packetpioneer (at) gmail.com and I'll take a peek for you.

    • @naveenjkumar9684
      @naveenjkumar9684 4 роки тому

      @@ChrisGreer thanks Chris for reply to question ,sorry I dont have any capture with me right now . But would like to troubleshoot isolate any asymmetric routing issue ,like how traffic will look like in capture from sender ,receiver,intermediate devices. Can't we isolate/find asymmetric routing issue by checking at sender end packet capture only or we need to capture sender/receiver/intermediate device also.

    • @ChrisGreer
      @ChrisGreer  4 роки тому

      @@naveenjkumar9684 Ok I see the question. I always have the goal of as many capture points as possible. Otherwise it is easy to make assumptions about how the network paths and shapes the traffic. So at a minimum capture on both ends, then if possible, an intermediate device. Then we can follow packet streams as they flow and have a better idea of how they are being sent.

  • @gratengraten3716
    @gratengraten3716 4 роки тому +1

    I can't thank you enough my teacher if you don't mind can you make a video about the certs.

    • @ChrisGreer
      @ChrisGreer  4 роки тому +1

      Hello Graten, thanks for the comment! Can you be more specific? Do you mean a video about industry certifications? Or something else?

    • @gratengraten3716
      @gratengraten3716 4 роки тому +1

      @@ChrisGreer what I meant teacher is the certifications of wireshark it will be great if you make a playlist for it

    • @gratengraten3716
      @gratengraten3716 4 роки тому

      Sorry I forgot to add another question is the certificate of wireshark has a good value and if I take it can I find a good job. Thank you in advance ☺️

    • @ChrisGreer
      @ChrisGreer  4 роки тому +1

      @@gratengraten3716 Oh gotcha. I think that the Wireshark Certification is a nice way to cover the core skills most people need with the analyzer. As far as getting a good job with just that cert - you probably would need some of the other industry certs as well, but it definitely can't hurt. It would just depend on how much packet focus the role would have and if the employer really understands what Wireshark is.
      Hope that helps.

    • @gratengraten3716
      @gratengraten3716 4 роки тому +1

      @@ChrisGreer I do really appreciate what you said hopefully you'll make a playlist for this aim.

  • @lalatkoshy3418
    @lalatkoshy3418 2 роки тому

    Can you please do some video on snmp?

  • @badriyadav6056
    @badriyadav6056 4 роки тому +1

    you are awesome, thankyou so much for this insightfull information. Looking forward to more and more videos:)

    • @ChrisGreer
      @ChrisGreer  4 роки тому

      Thanks for the comment! More to come...

  • @mcgirishnetwork
    @mcgirishnetwork 3 роки тому

    Very helpful..

  • @nimaforoughi3008
    @nimaforoughi3008 2 роки тому

    Amazing!!!

  • @AzherQadirshah
    @AzherQadirshah 8 місяців тому

    Amazing! comment from palo alto guy

  • @thuglife896
    @thuglife896 4 роки тому

    Excellent 😊

  • @joeyp978
    @joeyp978 Рік тому

    Why would you maybe see one ack, but most of the time two? Seems like it’s important to know when trying to understand fundamentally how tcp works. Really wish I could find someone explaining tcp for smooth brains like me. Unluck

    • @joeyp978
      @joeyp978 Рік тому

      Nevermind. You addressed it later in the video. Still think you should have addressed it when the situation originally arose 😅

  • @titipene
    @titipene 3 роки тому

    Hi Chris, what happen if there is no SACK enable on client/server?

    • @ChrisGreer
      @ChrisGreer  3 роки тому +1

      Hello Mauricio - if SACK is not enabled, then the endpoints cannot use the option and will only be able to acknowledge complete sequences of data with no loss. So if you sent out sequence numbers for packets 1, 2, 3, 4, 5... 100 and packet 2 was lost, but all others were received, the receiver would only be able to ack the sequence numbers in packet 1, even if packets 3-100 were successfully received. The sender would have to retransmit the data in packets 2-100 and hope for no gaps on receipt. (I'm using packet numbers rather than sequence numbers to keep this description simple). So SACK makes things MUCH more efficient!

  •  4 роки тому

    So a DUP ACK is when the ack number and windows size stays the same, and we do see that in the capture. But if the receive window does not grow/shrink, how does the server know how much it can send to the client ? Isn't that window size supposed to change since the client is receiving more data, even during the dup ack transmissions ?

    • @ChrisGreer
      @ChrisGreer  4 роки тому +1

      Hello Mathieu, thanks for the comment and question. On the receiver side, if it is keeping up with the ingress data then the window will not fill, so the window size will either stay the same or grow, depending on the system. So with each ACK, the receiver informs the sender how much window size it has to work with, so the server will have constant feedback about how much data it can have outstanding on the wire unacknowledged. Hope this helps!

    •  4 роки тому +1

      @@ChrisGreer thanks for the answer ! And awesome videos by the way !

    • @ChrisGreer
      @ChrisGreer  4 роки тому

      @ Sure thing!

  • @emirh.9376
    @emirh.9376 4 роки тому +1

    Another great video, keep em coming! I have learned a lot from you and Kerry over at Packet Bomb.

    • @ChrisGreer
      @ChrisGreer  4 роки тому

      Thanks for the comment Emir - I will!

  • @vijay85cisco
    @vijay85cisco 4 роки тому +1

    thank u..

  • @niz11
    @niz11 3 роки тому

    Hi Chris...i'm getting a problem that is really baffling for me and i wonder if you can shed some lights. My client is sending TCP SYN to the server to initate a TCP connection, but the SYN-ACK received from the server contains a different acknowledgement number than what is went by client in the SYN packet. This then caused client to send RST. Why can something like this happen?

    • @ChrisGreer
      @ChrisGreer  3 роки тому

      Hey John Doe - interesting behavior for sure. Hmmm... is there a chance there was already a connection on that port from the server perspective? I'd also take a look at the server side TCP stack just to see if there are any updates needed/patches. I wonder if that socket was in a close-wait state or something like that from a previous connection? I would need more data to be sure but those are the things I would check.

  • @ThePumbaadk
    @ThePumbaadk 4 роки тому

    Thanks very good

    • @ChrisGreer
      @ChrisGreer  4 роки тому

      Thanks! I appreciate the feedback.

    • @ThePumbaadk
      @ThePumbaadk 4 роки тому

      Hope you make more video like this :)

  • @tebes9265
    @tebes9265 3 роки тому

    How come in packet no. 57 the server 10.0.0.1 didn't update its ack number to 1272 despite having the ack flag set? When you study the pcap-file you can see that the client 192.168.0.1 already had the squence number 1272 in packet no. 32. I'm a bit confused.

    • @ChrisGreer
      @ChrisGreer  3 роки тому

      Greetings Te Bes. Thanks for asking the questions! So the server doesn't update its ack number because there was no new data sent in that direction to acknowledge. If you look at packets 55 and 56, they have no payload - so no new data to ack. The reason this packet has an ack flag is because there is a legit ack number. Every packet after the SYN has the ack flag set in most TCP connections, except in some resets. So the server has not seen any new data from the client since packet 27 - that is why it keeps repeating the ACK number, no new data. I hope that helps understand it better.

    • @tebes9265
      @tebes9265 3 роки тому

      @@ChrisGreer Hi Chris, thank you very much for answering my question! In packet 27 the client has a (relative) sequence number of 1241 and sends 31 bytes of data to the server which leads to a sequence number of 1272 in the following packets by the client. My guess is that the server doesn't update its ack number until packet 58 because of the RTT. Is that right? I didn't consider that being a factor in my initial question.
      When almost every packet after SYN has the ack flag set, how can the receiver tell that those are not duplicate acks? That means that one packet can get ack'ed again and again and suddenly another packet that the sender gets multiple acks for is a duplicate ack? Does it take RTT into consideration? And why does Wireshark only show [ACK] in some Info texts when the ACK flag is always set? Now I'm even more confused. :D I'd really appreciate it if you could clear this up :)

    • @ChrisGreer
      @ChrisGreer  3 роки тому

      @@tebes9265 Good questions.
      Here is the criteria for Wireshark to mark a packet as a duplicate ack in a packet trace:
      ------
      The segment size is zero.
      The window size is non-zero and hasn’t changed.
      The next expected sequence number and last-seen acknowledgment number are non-zero (i.e. the connection has been established).
      SYN, FIN, and RST are not set.
      -------
      So in this trace, in packets that have a payload, a duplicated ACK number just means no more data has been received in the opposite direction. No data was in flight. You are correct, packet 58 is ACKing the data in packet 27, this takes about 26mSec, which is close to the initial network roundtrip time. So yes, the RTT was in play.
      In the info column, Wireshark shows data that is most helpful in troubleshooting. For packets where the ACK number isn't really a factor in helping for analysis, it isn't shown in the Info column.
      Hope these answers help!

    • @tebes9265
      @tebes9265 3 роки тому

      @@ChrisGreer Wow, thank you so much for taking the time answering my questions! I really appreciate what you do with your channel. You've resolved all of my questions! :)

    • @ChrisGreer
      @ChrisGreer  3 роки тому

      @@tebes9265 Of course no problem. Thanks for the comments and for watching the channel Te.

  • @andreostrufka69
    @andreostrufka69 3 роки тому

    What happens when the client detects a missing pkt, start to receive the other pkts and send ACKs with incrementing SACK, but before I receive the first missing pkt, another pkt is missing? For example:
    CLIENT

    • @ChrisGreer
      @ChrisGreer  3 роки тому +1

      Hello Andre - The client just starts to indicate another SACK block in the TCP options. Most TCP stacks can support between 2-4 unique SACK blocks. So this would indicate that there is a gap between the ack number in the TCP header and the left edge of the first block, then another gap between the right edge of the first block and the left edge of the second block.

    • @andreostrufka69
      @andreostrufka69 3 роки тому +1

      @@ChrisGreer Understood. Thanks! Your videos are very good, congrats!

  • @maulikkharecha8060
    @maulikkharecha8060 4 роки тому

    I have one different question which is not relevant to this video. How can we decrypt the HTTPS/TLS traffic in the Wireshark tool?

    • @ChrisGreer
      @ChrisGreer  4 роки тому

      Great question - one that is asked quite a bit. I am working on doing a TLS series as well for the channel. I will definitely cover that topic as we get there. Thanks for the comment!

  • @Akibkhan-l1m
    @Akibkhan-l1m Рік тому

    More

  • @martinencizo6513
    @martinencizo6513 2 роки тому

    Please traduction in spanish

  • @hariprasad-uw2yn
    @hariprasad-uw2yn 3 роки тому

    Dear Chris, could you help me to analyze the PCAP collected for replication slowness between HQ to DR for one of our customer. Please share your email.

    • @ChrisGreer
      @ChrisGreer  3 роки тому

      hello - sure I could take a peek. packetpioneer@gmail.com

    • @hariprasad-uw2yn
      @hariprasad-uw2yn 3 роки тому

      @@ChrisGreer Thank you so much. I will send you very soon.