mw-hosting asked:

TCP ACK packet to POST packet

I am using Wireshark and I am trying to link XML POST packets to their ACK packet in a tcpdump.

Is this possible?  How?

bbao:

mmm... are you saying you wanna dump specific TCP packets (ACK) into XML format??

noci:

No that is not possible.
TCP is a stream of bytes [ content can be anything ] the smallest lump being 1 byte.
So there can be an ACK for every character in P O S T  if you did mean that.

An ACK will be sent if a lump of bytes has been received, and if some time has elapsed.
If the keep-alive option has been set, every X seconds a 0 byte ACK will be sent as artificial traffic to keep a link alive, and test for it.

Because a pause happens after sending an XML it might be more than likely an ACK is sent back after the last byte of the POST is received by the other end.
There is no guarantee though.
TCP has frames - it can be misleading to refer to them as packets.
As others have pointed out, TCP Ack happens at a lower level than XML. You cannot expect TCP Ack frames to correspond with XML messages therefore.

IP/TCP is a sliding window protocol, so there is no fixed set of data.
The data in flight is still unack'ed. If the ACK is too late, a retransmit occurs; if the receiving end sees fit, it will ACK the position in the stream it has received completely.

If you need to send/receive fixed sets of data, the protocol of choice is SCTP, which has a concept of data frames of predetermined size. SCTP ACKs per data frame.
Multiple data frames can be packed in a transfer unit [ or packet ].
Most of this is just restating what has already been said.

TCP has segments, not frames nor packets.  TCP segments are put into IP datagrams, which are then put into a layer 2 "message unit", which is normally called a frame.

TCP sends data in a "stream", which can be 1 byte of information or an "unlimited" amount.

The stream is broken down into segments, which can not be any bigger than the IP max segment size (MSS).  The MSS for TCP is 40 bytes less than the max transmission unit (MTU), which is based on the max frame size of the layer 2 protocol.  For Ethernet the MTU is normally 1500 bytes.

TCP level ACKs are an acknowledgement of a small group of TCP segments, not of the whole stream.

Your application may have been written so that there is an "ACK" of the complete XML message, but that is something that you, or whoever wrote the application, would have to know.
In addition to Giltjr:

For IPv4 a segment may be split by any forwarding equipment if that is needed to forward the packet onto the next hop with a smaller MSS than the previous hop.
Unless this splitting is prohibited by a header option, in that case a non-forward ICMP must be returned.

Darr247:

This solution is only available to members.
Ditto Darr247.  Been using that tool since it was called Ethereal for that purpose.  Works great and is super easy to use.  Just follow what Darr247 posted and you'll have your information in no time.
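
The replies above explain that a TCP ACK acknowledges a position in the byte stream, not an XML message. As an added example (not part of the thread and not the members-only answer), this Python code finds, for each POST in a constructed capture, the first ACK whose acknowledgement number reaches the end of that request. The frame numbers, the `/api` path and the payloads are made up, and it assumes one connection, in-order data, no retransmissions and `Content-Length` framing.

```python
import re

MASK = 0xFFFFFFFF

def seq_geq(a, b):
    """True if sequence number a is at or past b, allowing 32-bit wraparound."""
    return ((a - b) & MASK) < 0x80000000

def link_posts_to_acks(capture):
    """Return (last_data_frame, end_seq, first_covering_ack_frame) per POST.
    Assumes one connection, in-order client data, no retransmissions."""
    data = [(f, seq, p) for f, d, seq, ack, p in capture if d == "c" and p]
    acks = [(f, ack) for f, d, seq, ack, p in capture if d == "s"]
    base = data[0][1]
    stream = b"".join(p for _, _, p in data)
    results, pos = [], 0
    while stream.startswith(b"POST ", pos):
        head_end = stream.find(b"\r\n\r\n", pos)
        m = re.search(rb"Content-Length: (\d+)", stream[pos:max(head_end, pos)])
        if head_end < 0 or m is None:
            break  # incomplete request in the capture
        end = head_end + 4 + int(m.group(1))   # stream offset just past the body
        end_seq = (base + end) & MASK           # ACK number that covers the POST
        last = next((f for f, seq, p in data
                     if ((seq - base) & MASK) + len(p) >= end), None)
        ack_frame = next((f for f, a in acks if seq_geq(a, end_seq)), None)
        results.append((last, end_seq, ack_frame))
        pos = end
    return results

# Constructed capture: (frame, direction, seq, ack, payload); "c" = client.
BODY = b"<order><id>1</id></order>"
REQ = b"POST /api HTTP/1.1\r\nContent-Length: %d\r\n\r\n" % len(BODY) + BODY
S1 = 0xFFFFFFE1  # first data byte; chosen so the numbers wrap past 2**32
CAPTURE = [
    (4, "c", S1, 1, REQ[:30]),                     # POST 1, first part
    (5, "s", 1, (S1 + 30) & MASK, b""),            # ACK of a partial POST
    (6, "c", (S1 + 30) & MASK, 1, REQ[30:]),       # POST 1, remainder
    (7, "c", (S1 + len(REQ)) & MASK, 1, REQ),      # POST 2, one segment
    (8, "s", 1, (S1 + 2 * len(REQ)) & MASK, b""),  # one ACK covers both
]

if __name__ == "__main__":
    for last, end_seq, ack in link_posts_to_acks(CAPTURE):
        print(f"POST ends in frame {last}, seq {end_seq}; covered by ACK in frame {ack}")
```

In this capture frame 5 acknowledges only part of the first POST and frame 8 covers both requests, so the ACK-to-POST mapping is not one-to-one.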