Category Archives: tcp-ip

When to Send an ACK Segment

During one of my experimental studies I noticed a pattern in TCP ACK’s frequency.
ACK segments are sent after receiving every 2 TCP segment. I kept asking why not 3 or 1 but 2. Then I found the answer in RFC1122 “Requirements for Internet Hosts — Communication Layers” when I was trying to find some information about delayed ACK concept. I am also quoting the related section. If you have also asked yourself, this is possibly the reason behind this pattern!

TCP fast retransmission

During analysis of my ESX server, vsphere client communication I have encountered the following packet capture. My vsphere client keeps asking for a lost segment with ACK number 1583183 for 9 times after which according to wireshark analysis TCP Fast Retransmission which is one of the ways of handling congestion is engaged.

When I check RFC2581, it says  :

TCP doesn’t wait for the re-transmission timer but isn’t this quite long to engage fast re-transmit? It is 9 duplicate acks in total. Maybe some of my duplicate acks are also lost? It might be. Anyway, it was good to check RFC once again for this retransmit incident.

Analysis of HTTP message #1

I am going to analyse a simple HTTP request response at packet level from application layer down to data link layer in this post. I took a sample packet capture by connecting to my web page which displays only “Hello World!” on an Apache web server. There are 10 ethernet frames captured and I will try to examine each frame by referencing the time value in each row. Below is the list of each packet in order. Let’s start analyzing each:

1) 0.000000 TCP connection request (SYN segment)

a) Ethernet header

This the ethernet header of our first frame. My PC’s MAC address (a8:d0:e5:b3:99:c1) and web server’s MAC address ( 00:0c:29:c0:c6:df) are clearly shown. Header also contains an EtherType field which indicates the type of the payload in the upper layer. In our example 0x0800 stands for IPv4 protocol.

Continue reading

IP Fragmentation

In one of my previous posts ( , I wrote about IP fragmentation. This time I would like to show some wireshark screen shots showing a single IP packet consisting of 3 fragmentations to see the IP header fields used in fragmentation process. This IP packet is carrying an HTTP response:

List of packets in Wireshark

Fragmented IP packet #17: (first fragment)

Continue reading

Path MTU, IP Fragmentation and MSS

I would like to write about Path MTU discovery and IP Fragmentation in this post and the relation between them.


As per the topology above, if the host LINUX1 is sending a packet to LINUX3 device. Packet has to go through a path in which there are various MTU sizes involved. In the past I used to think that Path MTU discovery concept is something which is done before TCP communication starts and detects the the lowest link speed and according to which TCP segments are generated. It isn’t the way how it works. How it works is;

Continue reading