Happy to hear that it helped! This stuff can be a little dry on paper for sure.

Glad you like them! Thanks for the comment!

Thanks Nadlei! I appreciate the feedback and the comment. See you around the channel.

ACK. :-)

Thanks for the comment - glad to hear the videos are helping.

Thanks for the comment!

Sure! Here is the link to the trace in Cloudshark - www.cloudshark.org/captures/4e8ed77deb52 For my newer videos I am doing more of this, but I haven't done it yet for the older ones.

Glad it was helpful!

Hello! Have you checked out my video on FINs vs Resets? kzbin.info/www/bejne/Y6fKnGyGYpuXhrs That one goes into the four-way termination and reset behavior. Hope that helps.

what's missing in between is 46721 and 59861, that's what the SACK showed to the other side what was missing and what was received, 59861 to 62781.

Thanks for the comment Mohammad!

Glad it helped! I have more coming out about sequence number analysis, so stay tuned!

Hello Sivasakthi! If you have not had a chance to yet - you can check out my Wireshark courses on Pluralsight - www.bit.ly/wiresharktshoot www.bit.ly/wiresharktcp I cover a ton of ground about Wireshark and TCP in these two courses. Check them out!

Point of capture is important. If you are capturing from the perspective of the sender, you will see 3 duplicate acks followed by the retransmission. If you are capturing at the receiver, you may see many duplicate acks, since you are not aware of the retransmission yet.

@@ChrisGreer many thanks really appreciate

Yes, that is correct. If there was another gap in the sequence, the next ACK would indicate this by starting up another SACK block like you indicated. So the sender would need to fill in the space between 46721 and 59861, as well as 61321 and 62700. Nice work!

@@ChrisGreer Thank you!

That's a good idea for a video Abhay. Let me work on it.

@@ChrisGreer "just do it "~ Nike :)

@@ChrisGreer Looking forward to it.

Thank you very much for the comment Subham!

Glad you found the channel!

Thanks for the sub!

Yeah I feel the same. Seq number should be 1-200 and Ack would be 201.

Yes@@surenderkamboj

You are welcome! Thanks for the comment.

Hello! Great question. The answer is yes. I cover that in my SACK video, here is the link to it. kzbin.info/www/bejne/jHa1mHxuhsaMhrs In short, most TCP stacks can handle up to four "blocks" of data, with holes between each block. This informs the data sender about the missing sequence numbers so these can be retransmitted. This is also a topic I cover in detail in my Foundational TCP Analysis course on Pluralsight - bit.ly/wiresharktcp

@@ChrisGreer Thank you Chris. That is very helpful

@@foshan Sure thing. Let me know if you have any other questions or video suggestions.

Great ideas, thanks!

Thank you!

Hello Goblin, to boil it down to a simple statement - it gives the sender more feedback about what went missing and can trigger a fast retransmission quicker. Now the details - RFC 2581 mentions that after a point of loss or reordering a receiver will dup ack every segment until the gap is filled. As these fly back to the sender, three duplicate ACKs will trigger a fast retransmission, rather than waiting for the full retransmission timer to expire. So if we only "acked" every other packet, even when there was loss, this process would take longer to get the info back to the sender about the missing segment. This feedback also helps the sender to adjust its congestion window according to how much and how often data was lost. So as much info about the loss as quickly as possible will help TCP keep that congestion window high. I hope that helps.

@Chris Greer, thank you for your reply. Also, I appreciate you and others putting up videos to help educate people like us who are interested in learning about networking and packets analysis. Your videos have helped me with some of my own Ah-ha moments (even if I am learning it for fun).

Hello Anirudha - have you checked out my video on the TCP Trace graph? kzbin.info/www/bejne/r4bQcnabiNKHbdE That one goes into throughput a bit. But I plan to make a focused throughput video soon. Thanks!

You're welcome!

If I send 0-99 and you ack 100, that is a missing byte and TCP would freak out. So… gotta ACK every byte, no more.

The receiver will only be able to ACK the highest seq number before the point of loss. Any post-loss traffic that was received will not be ACKed without a SACK block. So those will need to be resent even though they were successfully received.

@@ChrisGreer got you, that makes sense. Many thanks.

Hey, great question! SACK can handle that. It just starts another SACK block. You will see a second one appearing in the TCP options that shows what has been successfully received. It is up to the sender to resend the gaps between the blocks. Some stacks can support up to four blocks, while some only support two or three.

@@ChrisGreer Wow, that's funky. Thanks for the answer! This helps me dig deeper into TCP. And thanks for the videos, it's unbelievable that you make this available for free, they are a fantastic resource! Very concise :)

@@ShadyNetworker Thanks for the comment. i will keep them coming!

@@ChrisGreer Following up to that question, what will happen if those SACK blocks have been exhausted?

Thank you! Cheers!