thanks Todd! Agreed, it's hard to condense it down to a few minutes.

Thank you for the comment Purvi! I will keep them coming.

Thanks for the comment Anshul! Great to have you on the channel.

Thanks Charles for the comment! I'll keep working at posting more often. I appreciate the feedback and it definitely motivates me to keep on going.

Thanks for watching!

Glad you like them!

Glad it was helpful! Thank you!

Thank you!

Thanks for the comment Bill, glad it helped.

Thanks for the comment Rakesh! I appreciate the positive vibes.

Thanks Ashish! I appreciate the comment.

Thanks for the comment - I'll keep it up. 👍

Thanks for watching!

Thanks for the comment! More to come...

Glad I could help. Thanks for the comment.

You are welcome Raja

Thanks Hemant for the comment!

thanks! Always appreciate a kind comment.

You bet @Maha. Glad that the video helped you. Thanks for stopping by and commenting.

Thanks for the comment Emir - I will!

Hello Aashish, thanks for stopping by the channel. 1. Yes, if the server supports fast retransmission, which most stacks do these days. 2. The ACK interval is determined by the stack settings. How long does the server wait for an ACK? That depends on a value that is set when a packet is transmitted called the retransmission timer. If the server hears nothing from the receiver by the time the timer expires, then it will retransmit the packet. This value is typically set by the stack once it sorts out the network roundtrip time. If an ACK is lost in transit on the way back to the server, then we would have to wait for the timer to expire and resend the packet. Hope these answers help!

Thank you! Cheers!

Thanks for the suggestion! I'll try it on the next video.

Not sure on the exact question, but If the endpoints do not support SACK, retransmissions will occur after loss but the receiver will not be able to indicate successful reception of packets after the lost packet. So a sender will have to retransmit data that was already successfully received.

Hello Lance - that is how TCP works. The options field is actually "optional"! Depending if options are in use for a given segment of data. You almost always see it in the SYN - SYN/ACK packets, since these advertise the options that each endpoint can support. After those two packets, you only will see the options field when the options are in use - for example, when a SACK block is present or maybe a TCP timestamp. You can usually find one of those if you search for a Duplicate ACK, then look for the optional SACK block in the options. You will only see this option however if both sides can support SACK. Hope this helps.

Hello Bart, just find the field that you want to add as a column, right click it, and click Add as Column. It will add a column up in the summary view.

@@ChrisGreer Awesome thank you. I appreciate you time explaining.

Thank you!!

Hey @jCarlos Rivera usually when we are talking about jitter, we are referring to what happens during an RTP or SRTP stream, which is UDP based. That is the variation of inter-packet delta time, causing packets to arrive at varying intervals. UDP doesn't have the idea of connections and sequence numbers, so it has no acks like TCP does.

@@ChrisGreer thank you very much, make sense, taking a note from this tip.

If both sides support fast retransmissions, yes, that will be triggered by 3 duplicate acks. Basically the higher the latency between two endpoints, the more duplicate acks you will see in data transfers. You can have hundreds of duplicate acks for only one lost packet in a stream of data. The duplicate acks will continue until the retransmission is sent and received by the target station.

Have you seen my latest video on setting up Wireshark? Go check it out!

Thanks for the comment!

Thanks! I appreciate the feedback.

Hope you make more video like this :)

Yes, TCP can handle multiple SACK blocks. I've seen up to four, but most stacks can support up to three these days. It's not a big deal.

@@ChrisGreer thanks Chris for your reply but how TCP handle this case ? does sender continue to send DupACK with the SEQ value of the first lost segment ? Doing so, in TCP header option SACK, there will be now a hole between the left edge and the right edge corresponding to the loss of others segments. Could you clarify ? Best regards

Hello Mauricio - if SACK is not enabled, then the endpoints cannot use the option and will only be able to acknowledge complete sequences of data with no loss. So if you sent out sequence numbers for packets 1, 2, 3, 4, 5... 100 and packet 2 was lost, but all others were received, the receiver would only be able to ack the sequence numbers in packet 1, even if packets 3-100 were successfully received. The sender would have to retransmit the data in packets 2-100 and hope for no gaps on receipt. (I'm using packet numbers rather than sequence numbers to keep this description simple). So SACK makes things MUCH more efficient!

Hello Graten, thanks for the comment! Can you be more specific? Do you mean a video about industry certifications? Or something else?

@@ChrisGreer what I meant teacher is the certifications of wireshark it will be great if you make a playlist for it

Sorry I forgot to add another question is the certificate of wireshark has a good value and if I take it can I find a good job. Thank you in advance ☺️

@@gratengraten3716 Oh gotcha. I think that the Wireshark Certification is a nice way to cover the core skills most people need with the analyzer. As far as getting a good job with just that cert - you probably would need some of the other industry certs as well, but it definitely can't hurt. It would just depend on how much packet focus the role would have and if the employer really understands what Wireshark is. Hope that helps.

@@ChrisGreer I do really appreciate what you said hopefully you'll make a playlist for this aim.

Hello Naveenj, I would be happy to help, but I would need a bit more detail. There are lots of things that can go into asymmetric traffic problems. If you want, you can send your capture to packetpioneer (at) gmail.com and I'll take a peek for you.

@@ChrisGreer thanks Chris for reply to question ,sorry I dont have any capture with me right now . But would like to troubleshoot isolate any asymmetric routing issue ,like how traffic will look like in capture from sender ,receiver,intermediate devices. Can't we isolate/find asymmetric routing issue by checking at sender end packet capture only or we need to capture sender/receiver/intermediate device also.

@@naveenjkumar9684 Ok I see the question. I always have the goal of as many capture points as possible. Otherwise it is easy to make assumptions about how the network paths and shapes the traffic. So at a minimum capture on both ends, then if possible, an intermediate device. Then we can follow packet streams as they flow and have a better idea of how they are being sent.

Hey John Doe - interesting behavior for sure. Hmmm... is there a chance there was already a connection on that port from the server perspective? I'd also take a look at the server side TCP stack just to see if there are any updates needed/patches. I wonder if that socket was in a close-wait state or something like that from a previous connection? I would need more data to be sure but those are the things I would check.

Hello Mathieu, thanks for the comment and question. On the receiver side, if it is keeping up with the ingress data then the window will not fill, so the window size will either stay the same or grow, depending on the system. So with each ACK, the receiver informs the sender how much window size it has to work with, so the server will have constant feedback about how much data it can have outstanding on the wire unacknowledged. Hope this helps!

@@ChrisGreer thanks for the answer ! And awesome videos by the way !

@ Sure thing!

Nevermind. You addressed it later in the video. Still think you should have addressed it when the situation originally arose 😅

Greetings Te Bes. Thanks for asking the questions! So the server doesn't update its ack number because there was no new data sent in that direction to acknowledge. If you look at packets 55 and 56, they have no payload - so no new data to ack. The reason this packet has an ack flag is because there is a legit ack number. Every packet after the SYN has the ack flag set in most TCP connections, except in some resets. So the server has not seen any new data from the client since packet 27 - that is why it keeps repeating the ACK number, no new data. I hope that helps understand it better.

@@ChrisGreer Hi Chris, thank you very much for answering my question! In packet 27 the client has a (relative) sequence number of 1241 and sends 31 bytes of data to the server which leads to a sequence number of 1272 in the following packets by the client. My guess is that the server doesn't update its ack number until packet 58 because of the RTT. Is that right? I didn't consider that being a factor in my initial question. When almost every packet after SYN has the ack flag set, how can the receiver tell that those are not duplicate acks? That means that one packet can get ack'ed again and again and suddenly another packet that the sender gets multiple acks for is a duplicate ack? Does it take RTT into consideration? And why does Wireshark only show [ACK] in some Info texts when the ACK flag is always set? Now I'm even more confused. :D I'd really appreciate it if you could clear this up :)

@@tebes9265 Good questions. Here is the criteria for Wireshark to mark a packet as a duplicate ack in a packet trace: ------ The segment size is zero. The window size is non-zero and hasn’t changed. The next expected sequence number and last-seen acknowledgment number are non-zero (i.e. the connection has been established). SYN, FIN, and RST are not set. ------- So in this trace, in packets that have a payload, a duplicated ACK number just means no more data has been received in the opposite direction. No data was in flight. You are correct, packet 58 is ACKing the data in packet 27, this takes about 26mSec, which is close to the initial network roundtrip time. So yes, the RTT was in play. In the info column, Wireshark shows data that is most helpful in troubleshooting. For packets where the ACK number isn't really a factor in helping for analysis, it isn't shown in the Info column. Hope these answers help!

@@ChrisGreer Wow, thank you so much for taking the time answering my questions! I really appreciate what you do with your channel. You've resolved all of my questions! :)

@@tebes9265 Of course no problem. Thanks for the comments and for watching the channel Te.

Hello Andre - The client just starts to indicate another SACK block in the TCP options. Most TCP stacks can support between 2-4 unique SACK blocks. So this would indicate that there is a gap between the ack number in the TCP header and the left edge of the first block, then another gap between the right edge of the first block and the left edge of the second block.

@@ChrisGreer Understood. Thanks! Your videos are very good, congrats!

Great question - one that is asked quite a bit. I am working on doing a TLS series as well for the channel. I will definitely cover that topic as we get there. Thanks for the comment!

hello - sure I could take a peek. packetpioneer@gmail.com

@@ChrisGreer Thank you so much. I will send you very soon.