Wireshark-users: Re: [Wireshark-users] non-piggy-backed ACK with total IP length = 52
On Feb 26, 2011, at 8:46 PM, Andrej van der Zee wrote:
> I am looking at a ACK-packet with total IP length of 52. Normally I
> find non-piggy-backed ACKs only 40 bytes. In this case the ACK comes
> after a retransmission. The extra 12 bytes are contained in the TCP
> options. In Wireshark, it sais:
>
> Options (12 bytes)
> NOP
> NOP
> SACK: 553-1130
> left edge: 533 (relative)
> right edge: 1130 (relative)
>
> It seems like it tries to indicate which of the duplicate packet it
> actually acknowledges by explicitly stating the byte range, in case
> the retransmitted packet is longer than the original packet because
> more send-data became available before the retransmission. Is my
> understand correct?
>
> What is actually contained in these extra 12 bytes?
http://tools.ietf.org/html/rfc2018
It's saying "I saw the bytes with sequence numbers from 533 through 1129" (i.e., in the half-open interval [533, 1130)), presumably because there are some bytes with sequence numbers preceding 553 that it hasn't yet acknowledged because it hasn't seen yet - it wants to have the other end re-transmit those bytes without having it also retransmit bytes 533-1129, which I suspect were the retransmitted bytes.
> What does NOP mean?
http://tools.ietf.org/html/rfc793#section-3.1
says:
...
Currently defined options include (kind indicated in octal):
Kind Length Meaning
---- ------ -------
0 - End of option list.
1 - No-Operation.
2 4 Maximum Segment Size.
Specific Option Definitions
...
No-Operation
+--------+
|00000001|
+--------+
Kind=1
This option code may be used between options, for example, to
align the beginning of a subsequent option on a word boundary.
There is no guarantee that senders will use this option, so
receivers must be prepared to process options even if they do
not begin on a word boundary.
