TCP Fundamentals Part 1 // TCP/IP Explained with Wireshark
Jun 04, 2021

...client sequence number one. It is saying that this is a client request going to the server, starting at sequence number one. I'm sending an amount of data of exactly 1460; that's what I'm sending to that server over there, okay? My next sequence number is the sequence number I'm starting at plus the amount of data sent. This is my next sequence number, since I'm not in that packet yet; I'm still on one. So as soon as Wireshark sees that I'm sending 1460, it suggests that the next packet from this address will start at 1461 unless there's a problem, okay? I don't have an ACK yet; it's just the next packet. Now, you can put all this in columns and so on.
I'm not doing that to you on purpose, just because unless you're used to my columns and created them yourself, it may be more confusing than useful. Sequence number: notice the one we're starting with, 1461, okay? So we had 1460 bytes in that packet; now I'm starting with 1461. I'm sending how much data? See my length right there, 61; that's how much data I'm actually sending, or the length of the TCP segment, okay? So my next starting sequence number will be 1522. That's what I'm doing when I start a new packet with any data like that; that will be the sequence number I start from. However, in this case the client sent those two packets, one complete and some residue, and that was the request you were sending to the server. The client stops sending; nothing else, it is not necessary.
I sent my GET. Server, come back; let's take a look. It's starting at sequence number one; we established that in the handshake. Sequence number one, next sequence number is also one. Why? It's an empty ACK. Look at my TCP segment length: zero. The server is not sending anything. Wait a second, server, I asked you a question; tell me you are not sending anything. Here we are: sequence number one, next sequence number one, ACK, empty, I am not sending anything. But look at my acknowledgment number: 1522. I am ACKing what you sent. This packet is a very important packet when it comes to application analysis. Why? This packet tells me that the server received my request. It got there; he ACKs 1522. If I don't receive this ACK, what am I going to do as a client?
I'm going to wait a while and I'm going to retransmit what he didn't hear. This ACK, I personally call it a silence packet. Okay, the server: I have my stuff, my stuff is there, it is being processed; he goes and does what he has to do on his side, and I'm just going to hang out. Now, in this trace file, how long should I wait? I wait 20 seconds; that's the next thing I heard coming back from that server. Is that the network? Network, client, server, what do you think? The server, now again, I'm capturing client side; I can't be one hundred percent sure. I wouldn't bet my firstborn, if I had one, on that. That side over there, if I had that capture, that's a number I'm going to look for, okay? So that first packet works fine: I've got your TCP stuff. At that point, packet number six, TCP can't do anything until Mr. Layer Seven up there drops some data. Boom, I got it here. You already have server-side TCP; it's like it's hanging on you. Oh, boom, right. So server-side TCP did all it could do; this is application stuff. Let me show you that it was actually a quick process response from this server. I'm going to show you if I have time. Oh, I have two minutes, I have two full minutes, woo. Look at this; that's how bad I got on this specific case. What do you see, people? Okay, SYN, SYN-ACK, ACK. What's my round-trip time? 97, actually taken from the same two stations, so I won't show you the IP.
TLS, SYN, SYN-ACK, ACK. We receive our request; here's where the first big packet comes from: client, packet 4, a big request, full packet; the residual stuff comes in packet 5. Server receives, packet 6, 106 milliseconds later; the server ACKs again with 1496. If I look at the sequence numbers, that's probably exactly what the client sent; we see the 1496 immediately from the server. That number ACKs right there, 1496. Ooh, then what's going on? Well, we wait for packet 7: 45 seconds. The client says, are we still there? This is from the client, true: 192.168... is the server, 192.168... is the client. For me it's like this. Seven, okay, so this is an empty packet; it's called a TCP keepalive, which is a timer. Basically the client says, look, I have to go, I have things to do and resources to free up, so are you still there? I sent you that request.
You said you have it. I've been waiting here for 45 seconds and you don't say anything. The reply comes back 99 milliseconds later, which is pretty close to our network round-trip time to the server. Rather, it says keepalive ACK: yes, I'm still here, no data, but I'm still here. TCP is still up, we're still talking, let's keep this alive. The client waits another 45 seconds. Check again: hey, server, what's up? I sent you that request, you said you understood it. Should we keep talking, or can I just kill this and be done with it?
The server comes back 99 milliseconds later, or 95 in this case: yeah, I'm still here. So the two layer-four TCPs are fine; they're chatting, they're talking. Now, Wireshark in this case, this one was sent to me because poor clients like to look at these black lines and red letters and say, oh my god, the network is blowing up. Wait a second here: TCP keepalives there; it just keeps this connection alive. That's not a problem. The problem is that on the server side, TCP is just waiting. How long does it wait? Well, we see 18 seconds after that second keepalive. Let me, uh, I'm just going to pull up the last packet of the request here.
I'm going to start our timer again: set time reference. I can actually pull this up in a different way in my HTTP profile, but basically you see there the little arrows that Wireshark helps you with. You see the arrow that went to the server, and this is the response from the server in packet eleven. We waited a hundred and eight seconds for that server to respond, and these guys really waited that long. They went to this tab, they hit the tab and then they went to get coffee, they came back, they grabbed their stuff, and some people sat there and just walked around for a long time. And, of course, who is to blame?
So, the network? Let's move from one to ten gigs to the desk; it wouldn't have done much good. So the next step from here, I'll go ahead and leave us at a break right now after stating this point: from the client side, all I knew was that I had a hundred and eight second delay in the app. To figure out what was going on, I would have had to go to the server and find out: does this request arrive? What does that server do next? Does it legitimately wait and do nothing for 108 seconds, or does it go and talk to some other server and get some other tertiary data?
Well, guys, these were the basics of TCP. We'll come back in 15 minutes and get back to them again with a little more on the congestion window, a little more on the receive window, and then some case files. So come back if you want.
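The following is an added worked example and not part of the video or the transcript. It does in code the bookkeeping the speaker does by hand in Wireshark: Wireshark-style relative sequence numbers, next sequence number = seq + payload length (+1 for SYN or FIN), checking that the server's ACK never claims bytes the client has not sent, spotting keepalives with Wireshark's rule of thumb (a zero-length segment whose seq is one less than the sender's own next expected seq), and separating the handshake round-trip time and the "silence packet" ACK from the application delay. The trace is constructed to mirror the first case in the transcript (a 1460 + 61 byte request, ACK of 1522, two 45-second keepalives, response after roughly 108 seconds); the exact timestamps, the "client"/"server" labels and the assumption that the capture was taken on the client side are my own.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Segment:
    t: float        # seconds since the first frame of the (constructed) trace
    src: str        # "client" or "server"; capture assumed to be on the client side
    flags: str      # subset of "SAPF"
    seq: int        # relative sequence number, Wireshark-style (SYN = 0)
    ack: int        # relative acknowledgment number
    length: int     # TCP payload bytes (tcp.len)
    kind: str = ""  # label filled in by classify()
    next_seq: int = 0


def next_seq(seg: Segment) -> int:
    """Next sequence number this side will use: SYN and FIN each consume one number."""
    return seg.seq + seg.length + ("S" in seg.flags) + ("F" in seg.flags)


def classify(trace: List[Segment]) -> List[Segment]:
    """Annotate each segment with next_seq and a Wireshark-like label.

    Keepalive detection follows Wireshark's heuristic: an empty segment whose seq is
    one less than the sender's own highest announced next_seq. An empty segment from
    the peer that directly follows a keepalive is labelled keepalive-ack."""
    highest_next: Dict[str, int] = {"client": 0, "server": 0}
    last_from: Dict[str, Segment] = {}
    for seg in trace:
        seg.next_seq = next_seq(seg)
        peer = "server" if seg.src == "client" else "client"
        if "S" in seg.flags:
            seg.kind = "handshake"
        elif seg.length == 0 and seg.seq == highest_next[seg.src] - 1:
            seg.kind = "keepalive"
        elif seg.length == 0 and last_from.get(peer) and last_from[peer].kind == "keepalive":
            seg.kind = "keepalive-ack"
        elif seg.length == 0:
            seg.kind = "pure-ack"      # the speaker's "silence packet" when it acks a request
        else:
            seg.kind = "data"
        highest_next[seg.src] = max(highest_next[seg.src], seg.next_seq)
        last_from[seg.src] = seg
    return trace


def verify_acks(trace: List[Segment]) -> List[str]:
    """Flag any ACK that acknowledges bytes the peer has not yet put on the wire."""
    sent: Dict[str, int] = {"client": 0, "server": 0}
    problems = []
    for i, seg in enumerate(trace, start=1):
        peer = "server" if seg.src == "client" else "client"
        if "A" in seg.flags and seg.ack > sent[peer]:
            problems.append(f"frame {i}: {seg.src} acks {seg.ack} but {peer} only reached {sent[peer]}")
        sent[seg.src] = max(sent[seg.src], next_seq(seg))
    return problems


def timeline(trace: List[Segment]) -> Dict[str, float]:
    """Split the wait into network RTT, time-to-ACK of the request, and application delay."""
    syn = next(s for s in trace if s.flags == "S")
    synack = next(s for s in trace if s.flags == "SA")
    client_data = [s for s in trace if s.src == "client" and s.kind == "data"]
    req_end = client_data[-1]
    req_acked = next(s for s in trace
                     if s.src == "server" and s.t >= req_end.t and s.ack >= req_end.next_seq)
    first_resp = next(s for s in trace if s.src == "server" and s.kind == "data")
    return {
        "handshake_rtt_ms": round((synack.t - syn.t) * 1000, 1),
        "request_bytes": req_end.next_seq - client_data[0].seq,
        "request_ack_ms": round((req_acked.t - req_end.t) * 1000, 1),
        "keepalives": sum(1 for s in trace if s.kind == "keepalive"),
        "app_delay_s": round(first_resp.t - req_acked.t, 1),
    }


# Constructed trace (not a real capture), modelled on the transcript's first case.
TRACE = classify([
    Segment(0.000,   "client", "S",  0,    0,    0),
    Segment(0.097,   "server", "SA", 0,    1,    0),
    Segment(0.097,   "client", "A",  1,    1,    0),
    Segment(0.098,   "client", "A",  1,    1,    1460),  # full-size request segment
    Segment(0.098,   "client", "PA", 1461, 1,    61),    # the residue of the request
    Segment(0.204,   "server", "A",  1,    1522, 0),     # empty ACK: the "silence packet"
    Segment(45.200,  "client", "A",  1521, 1,    0),     # keepalive probe, seq = 1522 - 1
    Segment(45.300,  "server", "A",  1,    1522, 0),     # keepalive ACK, still no data
    Segment(90.300,  "client", "A",  1521, 1,    0),
    Segment(90.400,  "server", "A",  1,    1522, 0),
    Segment(108.300, "server", "PA", 1,    1522, 1200),  # the response finally arrives
])

if __name__ == "__main__":
    for n, s in enumerate(TRACE, start=1):
        print(f"{n:2d} {s.t:8.3f} {s.src:6} seq={s.seq:<5} next={s.next_seq:<5} "
              f"ack={s.ack:<5} len={s.length:<4} {s.kind}")
    print("ack problems:", verify_acks(TRACE) or "none")
    print(timeline(TRACE))
```

The summary separates what the speaker had to argue from the client-side capture alone: a 97 ms handshake RTT, the request fully acknowledged 106 ms after its last byte, two keepalives answered within a round trip, and then an application-level wait of about 108 seconds that layer four cannot explain. Feed the same structure with frames exported from a real trace (relative seq/ack numbers and tcp.len) and the same checks apply.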