Question
I uploaded a txt file to a server and captured the upload with Wireshark. The issue is that there is a segment that is extremely long, and right after that I get ACKs from the server for lower sequences than I should. On line 865 my PC sends a segment with the length of 12240. I should get an ACK that is bigger than 12240 and yet this is not the case.
Wireshark capture image
Answer 1:
Look at frame 862. The host 128.119.245.12 is advertising an MSS of 1360 bytes. So, the maximum size of TCP segment sent by 10.0.0.12 will only contain at most 1360 bytes, despite what is being shown by Wireshark. The reason for the seemingly larger TCP segments - 12240 and 2720 bytes - is because the capture engine is receiving the packets before they are segmented by the NIC. If you were capturing the traffic on an external device, such as from a SPAN port or via a TAP, you wouldn't see that 12240 byte segment, but rather you'd see 9 1360 byte segments sent instead. So, this is the reason why the receiving host's ACK number doesn't match the 12240; it ACKs each 1360 byte segment it receives instead. It isn't until frame 930 that all 9 1360 byte segments comprising the apparent 12240 segment are all acknowledged, and you can easily calculate all of this with some SEQ/ACK analysis.
Here are the SEQ #'s for host 10.0.0.12 along with the ACK #'s from host 128.119.245.12, and I've included the breakdown of the 9 1360 byte segments in brackets, [], that would have actually been seen on the wire had Wireshark been run on an external machine instead of on the 10.0.0.12 host:
Frame #     10.0.0.12   128.119.245.12    Comments
             SEQ     Len           ACK
-------  ---------------  -------------    -----------------------------
 822           0       0
 862                                 1    Next expected SEQ # is now 1
 863           1       0
 864           1     716
 865         717   12240                  SEQ: 1 + 716 = 717
[865-1      2077    1360                  SEQ: 717 + 1360 = 2077]
[865-2      3437    1360                  SEQ: 2077 + 1360 = 3437]
[865-3      4797    1360                  SEQ: 3437 + 1360 = 4797]
[865-4      6157    1360                  SEQ: 4797 + 1360 = 6157]
[865-5      7517    1360                  SEQ: 6157 + 1360 = 7517]
[865-6      8877    1360                  SEQ: 7517 + 1360 = 8877]
[865-7     10237    1360                  SEQ: 8877 + 1360 = 10237]
[865-8     11597    1360                  SEQ: 10237 + 1360 = 11597]
[865-9     12957    1360                  SEQ: 11597 + 1360 = 12957]
 905                               717    ACK: The ACK to frame 864
 906       12957    1360                  SEQ: 717 + 12240 = 12957
 907                              2077    ACK: The ACK to "frame" 865-1
 908       14317    2720                  SEQ: 12957 + 1360 = 14317
 912                              3437    ACK: The ACK to "frame" 865-2
 913       17037    2720                  SEQ: 14317 + 2720 = 17037
 915                              4797    ACK: The ACK to "frame" 865-3
 916       19757    2720                  SEQ: 17037 + 2720 = 19757
 917                              6157    ACK: The ACK to "frame" 865-4
 918       22477    2720                  SEQ: 19757 + 2720 = 22477
 919                              7517    ACK: The ACK to "frame" 865-5
 920       25197    2720                  SEQ: 22477 + 2720 = 25197
 923                              8877    ACK: The ACK to "frame" 865-6
 924       27917    2720                  SEQ: 25197 + 2720 = 27917
 925                             10237    ACK: The ACK to "frame" 865-7
 926       30637    2720                  SEQ: 27917 + 2720 = 30637
 927                             11597    ACK: The ACK to "frame" 865-8
 928       33357    2720                  SEQ: 30637 + 2720 = 33357
 930                             12957    ACK: The ACK to "frame" 865-9
-------  ---------------  -------------    -----------------------------
For further reading regarding this topic, I'll refer you to an excellent article written by Jasper Bongertz titled, The drawbacks of local packet captures.
Source: https://stackoverflow.com/questions/65483120/what-happens-when-a-long-tcp-segment-is-sent
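
The SEQ/ACK analysis described in the answer, as an added example that is not part of the original post: it flags captured segments larger than the peer's MSS and maps each ACK back to the on-wire piece it completes. The tuples are constructed from the answer's table (relative sequence numbers); the function names are hypothetical.

```python
# Added example (not from the original answer): undo segmentation offload in a
# local capture so ACK numbers can be matched to on-wire segments.
MSS = 1360  # advertised by 128.119.245.12 in frame 862, per the answer

# Constructed from the answer's table: (frame, relative SEQ, length) sent by 10.0.0.12
SENT = [(863, 1, 0), (864, 1, 716), (865, 717, 12240),
        (906, 12957, 1360), (908, 14317, 2720)]
# (frame, relative ACK) from 128.119.245.12, also taken from the table
ACKS = [(905, 717), (907, 2077), (912, 3437), (915, 4797), (917, 6157),
        (919, 7517), (923, 8877), (925, 10237), (927, 11597), (930, 12957)]


def offloaded(sent, mss):
    """Frames whose captured length exceeds the peer's MSS (seen before the NIC split them)."""
    return [frame for frame, _seq, length in sent if length > mss]


def wire_segments(sent, mss):
    """Split each captured segment into (label, first SEQ, size) pieces of at most mss bytes."""
    pieces = []
    for frame, seq, length in sent:
        count = -(-length // mss)  # ceiling division; 0 for zero-length segments
        for i in range(count):
            start = seq + i * mss
            size = min(mss, seq + length - start)
            label = str(frame) if count == 1 else f"{frame}-{i + 1}"
            pieces.append((label, start, size))
    return pieces


def match_acks(sent, acks, mss):
    """Map each ACK frame to the wire segment it completes (None if off a boundary)."""
    # An ACK number is the SEQ of the next byte expected: first SEQ + size.
    by_next_seq = {start + size: label
                   for label, start, size in wire_segments(sent, mss)}
    return {frame: by_next_seq.get(ack) for frame, ack in acks}


if __name__ == "__main__":
    print("offloaded frames:", offloaded(SENT, MSS))
    for ack_frame, label in match_acks(SENT, ACKS, MSS).items():
        print(f"frame {ack_frame} acknowledges segment {label}")
```

An ACK that maps to None would not fall on an MSS boundary of any captured segment, which is worth a closer look before attributing it to offload.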