Menu
I'm sifting through some network traces and noticed on my own machine that when I connect over HTTP, packets look something like:
client --> server: GET
server --> client: tcp ack
server --> client: HTTP response
client --> server: tcp ack
However, I looked at some CIFS (SMB) traces I have saved from a few years back. I see things like:
client --> server: Create Request
server --> client: Create response (This packet also acks the request)
At a high level, I'm wondering why the difference - what is causing the different behaviors? What is controlling whether the application response is placed on the request ack or another packet: the application or OS?
880
FYI both a TCP SYN and SYN/ACK can carry a payload (which could be the GET and R... | Hacker News. The SYN packet can contain data, but the spec requires that it not be passed down to the application until the three-way handshake is complete (so a SYN-with-data from a spoofed source address won't elicit a response).
The payload of a TCP or UDP packet is the data portion of the packet. You can configure Advanced policy expressions to examine features of a TCP or UDP packet, including the following: Source and destination domains. Source and destination ports. The text in the payload.
The receiver is typically ACKing 480 bits of data. There are cases where a receiver ACKs every other received segment. This can be seen when there are two ACKs in a row.
ACK is short for "acknowledgement." An ACK packet is any TCP packet that acknowledges receiving a message or series of packets. The technical definition of an ACK packet is a TCP packet with the "ACK" flag set in the header.
This behavior is dependent on both the OS and the application. In linux, the kernel doesn't send an ACK directly, but instead waits a fixed number of milliseconds (around 200), hoping that is has some data to send back and can let the ACK piggyback the data.
If the timer goes off, then the ACK is sent immediately.
Example 1.
Client sends the GET request.
Server tries to create a http response, but before it does that 200ms are gone
and it must send the ACK before the http response.
Example 2.
Client sends the GET request.
Server creates a http response within the timer limit, and the ACK can piggyback
the data.
Meaning, if your application got slower at generating that response, the ACK will be send without piggybacking on the data. And also depending on the OS, the delay timer can be higher / lower and once again changing how ACK's are sent.
90
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
