Understanding TCP Seq & Ack Numbers [Packet-by-Packet]


Wireshark

Author: Celal Dogan
Reviewer: Deepak Prasad

Getting started with TCP Sequence and Acknowledgement Numbers

TCP (Transmission Control Protocol) is a connection oriented and highly reliable protocol. Before data exchange between two parties, it requires to establish a connection, using TCP 3-way handshaking. The connection remains active until it gets terminated. During 3-way handshaking both sides synchronize (SYN) and acknowledge (ACK) each other. In another saying, they inform each other about what kind of settings they would like to use during the connection establishment. The settings include Sequence Number, Maximum Segment Size, if SACK is permitted or not, Window Scale, Window Size etc. See below for a SYN packet which contains an initiator (a client) settings.

Understanding TCP Seq & Ack Numbers [Packet-by-Packet]

 

Reliability is one of TCPs strong feature. TCP ensures that all packets one end sends will be delivered to the other end, keeping track of which packets have been received successfully, resending any packets that have been lost, and specifying the order for reassembling the data on the other end. In short, TCP provides this reliability mostly by Sequence Number and Acknowledgement Number. TCP sequence and acknowledgement numbers are counters used to keep track of every bytes sent and received during the connection.

In this article, we will closely examine Sequence Number and Acknowledgement Number with Wireshark. For better understanding, we will capture a TCP flow and analyse it. I will visit the first web page published on the internet, which is pretty simple. If you wonder to see what it is like, link is here: http://info.cern.ch/hypertext/WWW/TheProject.html

 

Capturing a TCP Flow

1) Open Wireshark and create a capture filter like below.

Understanding TCP Seq & Ack Numbers [Packet-by-Packet]

 

2) Navigate to http://info.cern.ch/hypertext/WWW/TheProject.html from your browser.

3) Stop capturing, now we should have the packets. See my captures below.

Understanding TCP Seq & Ack Numbers [Packet-by-Packet]

 

4) Go to StatisticsFlow Graph to see more details.

Understanding TCP Seq & Ack Numbers [Packet-by-Packet]

 

The figure above explains everything about the flow. First 3 packets --SYN, SYN/ACK and ACK-- are used to establish a connection before any data is exchanged. This step is called TCP 3-way handshaking. Next, the client sends a http GET request on the top of TCP and the server responds it back with a http 200 OK, which indicates that the request has succeeded. The last 4 packets are exchanged to tear down the connection.

 

 

Breaking down to Packet by Packet Analysis

Packet Number 1

We will analyse the flow packet by packet, starting from the first packet. For visualization, see screen shot below.

Understanding TCP Seq & Ack Numbers [Packet-by-Packet]

 

This is the first packet (it is also called SYN packet) from the client to the server with source and destination port of 62834, 80 respectively.

All data in a TCP connection are numbered, starting at a randomly chosen ISN (Initial Sequence Number).  Although the first packet (SYN) does not contain any data, it consumes one sequence number and as a result the actual data begins at ISN+1. For easy understanding, Wireshark starts ISN from zero which is called "relative sequence number" while in the screen shot above, we can clearly see the client has set its real sequence number to 332215980. Relative sequence number is just for easy analyzing. Since this is the first packet in the flow, acknowledgement number is set to zero. With these settings, the client informs the server that it will use some options and asks the server to send its options as well in the next packet (SYN/ACK).

 

Packet Number 2

Understanding TCP Seq & Ack Numbers [Packet-by-Packet]

The second packet (it is also called SYN/ACK packet) from the server to the client is pretty similar to the first packet, except ACK flag being set to 1 this time. Even though, this packet is not carrying any data but connection settings, the acknowledgement number is increased by 1 which tells the client it has received the SYN packet while it sets its sequence number to zero.

 

Packet Number 3

Understanding TCP Seq & Ack Numbers [Packet-by-Packet]

 

This is the last packet (it is also called ACK packet) for TCP 3-way handshaking. The client increases its sequence and acknowledgement number by 1, letting the server know it has received its SYN/ACK packet. From this point, the sequence and the ack numbers will increase only after one end has sent or received some data.

 

Packet Number 4

Understanding TCP Seq & Ack Numbers [Packet-by-Packet]

 

This is the first packet that contains some actual data (373 bytes of HTTP Get request), which is also called TCP payload. The sequence numbers are accumulated during the conversation. In another saying, the client let the server know how much data it has sent in total by sequence number. it also specifies amount of data in total it has received from the server by acknowledgement number. Since, it has not sent or received any data before, the sequence and the acknowledgement numbers remain 1.

  

Packet Number 5

Understanding TCP Seq & Ack Numbers [Packet-by-Packet]

This packet does not carry any data as you see from len: 0. Once the server receives 373 bytes of data, it needs to let the client know that it has received the data with ACK flag set. Since the server has not sent any data before, it sets its sequence number to 1 while the acknowledgement number increases by 373 to 374. In short, the server tells the client it got 373 bytes of data and it expects new data starting from number of 374. 

 

Packet Number 6

Understanding TCP Seq & Ack Numbers [Packet-by-Packet]

 

After receiving the http GET request, the server creates a http response and breaks it into 2 pieces, since total response size exceeds TCP maximum segment size (1452 bytes, it is present in the second packet) which both side agreed on during TCP 3-way handshaking. The length of the data is 1452 bytes. The server sends the packet with the same sequence and acknowledgement number.

 

Packet Number 7

Understanding TCP Seq & Ack Numbers [Packet-by-Packet]

This is the second piece of the http response from the server with size of 998 bytes. you can see the sequence number has increased by 1452, because it sent that amount of data to the client in the previous packet while the acknowledgement number still remains the same.

 

Packet Number 8

Understanding TCP Seq & Ack Numbers [Packet-by-Packet]

The server has no data to send and it wants to acknowledge the client that it would like to terminate the TCP connection with the fin flag set. The packet carries no data. The sequence number increases by 998 to 2451, which indicate that it has sent 2450 bytes until now. Since there has not been any change in amount of data receiving from the client, the acknowledgement number remains the same.

 

Packet Number 9

Understanding TCP Seq & Ack Numbers [Packet-by-Packet]

The client acknowledges the server that it has received its data by setting the acknowledgment number to 2452, which indicates that the server should send the data starting from 2452 next time (if it has any).

 

Packet Number 10

Understanding TCP Seq & Ack Numbers [Packet-by-Packet]

With this packet, the client informs the server that it also would like to terminate the connection with the fin flag set.

 

Packet Number 11

Understanding TCP Seq & Ack Numbers [Packet-by-Packet]

This is the last packet in the flow. The server receives the client's connection termination request and it informs the client that it has got its packet with fin flag.

 

Final Thoughts

TCP is working in the transport layer, providing connection oriented and reliable data transmission. First, it creates a connection then it transfers the data. With help of sequence and acknowledgment numbers, it keeps track of how much data it has sent and received. When there is packet loss, it uses acknowledgment number to recover it.

 

Celal Dogan

Celal Dogan

He is proficient in System Administration, Python, Computer Network, Network Engineering, PHP, Web Testing, Penetration Testing, Wireshark, RADIUS, Cisco Router, TCP/IP, Kali Linux, OSPF, NPS, and Multiprotocol BGP. You can connect with him on his LinkedIn Profile.

Can't find what you're searching for? Let us assist you.

Enter your query below, and we'll provide instant results tailored to your needs.

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can send mail to admin@golinuxcloud.com

Thank You for your support!!

1 thought on “Understanding TCP Seq & Ack Numbers [Packet-by-Packet]”

Leave a Comment