Where is the client ACK in this tcpdump output?

by flyingL123   Last Updated January 12, 2018 21:00 PM

The third bullet on this page under "Connection Establishment" says:

The Client sends an ACK (which consists of the server's ISN + 1).

I used tcpdump to log the activity for a single http request from my Digital Ocean server to a 3rd party server. The request was made using a PHP library. The Digital Ocean server is running Ubuntu 14.04.5 LTS (GNU/Linux 3.13.0-32-generic x86_64).

In the output below my server (the client) is IP 104.131.123.147, and the server where the requests are being made is IP 158.69.226.30.

In the first line I see an ACK request from client to server with sequence 2506121414. In the second line I see the server acknowledging and responding with ack = the server sequence + 1 (2506121415), as well as its own sequence of 935949442.

After that, shouldn't the client respond again with another ACK, which includes the server's sequence + 1 as per the bullet I mentioned above?

Why don't I see that in the logs? I was hoping someone could explain this output to me. I am trying to understand each step of the process. Again, this output is just for a single HTTP request/response between client and server.

15:16:05.531639 IP 104.131.123.147.46287 > 158.69.226.30.443: Flags [S], seq 2506121414, win 29200, options [mss 1460,sackOK,TS val 89338073 ecr 0,nop,wscale 8], length 0
15:16:05.542245 IP 158.69.226.30.443 > 104.131.123.147.46287: Flags [S.], seq 935949442, ack 2506121415, win 28960, options [mss 1460,sackOK,TS val 3124424955 ecr 89338073,nop,wscale 7], length 0
15:16:05.542357 IP 104.131.123.147.46287 > 158.69.226.30.443: Flags [.], ack 1, win 115, options [nop,nop,TS val 89338076 ecr 3124424955], length 0
15:16:05.544147 IP 104.131.123.147.46287 > 158.69.226.30.443: Flags [P.], seq 1:310, ack 1, win 115, options [nop,nop,TS val 89338076 ecr 3124424955], length 309
15:16:05.554029 IP 158.69.226.30.443 > 104.131.123.147.46287: Flags [.], ack 310, win 235, options [nop,nop,TS val 3124424958 ecr 89338076], length 0
15:16:05.554976 IP 158.69.226.30.443 > 104.131.123.147.46287: Flags [.], seq 1:1449, ack 310, win 235, options [nop,nop,TS val 3124424958 ecr 89338076], length 1448
15:16:05.554997 IP 104.131.123.147.46287 > 158.69.226.30.443: Flags [.], ack 1449, win 126, options [nop,nop,TS val 89338079 ecr 3124424958], length 0
15:16:05.555022 IP 158.69.226.30.443 > 104.131.123.147.46287: Flags [P.], seq 1449:3316, ack 310, win 235, options [nop,nop,TS val 3124424958 ecr 89338076], length 1867
15:16:05.555037 IP 104.131.123.147.46287 > 158.69.226.30.443: Flags [.], ack 3316, win 140, options [nop,nop,TS val 89338079 ecr 3124424958], length 0
15:16:05.558940 IP 104.131.123.147.46287 > 158.69.226.30.443: Flags [P.], seq 310:436, ack 3316, win 140, options [nop,nop,TS val 89338080 ecr 3124424958], length 126
15:16:05.569149 IP 158.69.226.30.443 > 104.131.123.147.46287: Flags [P.], seq 3316:3367, ack 436, win 235, options [nop,nop,TS val 3124424962 ecr 89338080], length 51
15:16:05.569782 IP 104.131.123.147.46287 > 158.69.226.30.443: Flags [P.], seq 436:1317, ack 3367, win 140, options [nop,nop,TS val 89338083 ecr 3124424962], length 881
15:16:05.616826 IP 158.69.226.30.443 > 104.131.123.147.46287: Flags [.], ack 1317, win 249, options [nop,nop,TS val 3124424974 ecr 89338083], length 0
15:16:05.656217 IP 158.69.226.30.443 > 104.131.123.147.46287: Flags [.], seq 3367:4815, ack 1317, win 249, options [nop,nop,TS val 3124424983 ecr 89338083], length 1448
15:16:05.656288 IP 158.69.226.30.443 > 104.131.123.147.46287: Flags [P.], seq 4815:11525, ack 1317, win 249, options [nop,nop,TS val 3124424983 ecr 89338083], length 6710
15:16:05.656353 IP 104.131.123.147.46287 > 158.69.226.30.443: Flags [.], ack 11525, win 204, options [nop,nop,TS val 89338104 ecr 3124424983], length 0
15:16:05.663350 IP 104.131.123.147.46287 > 158.69.226.30.443: Flags [P.], seq 1317:1348, ack 11525, win 204, options [nop,nop,TS val 89338106 ecr 3124424983], length 31
15:16:05.663709 IP 104.131.123.147.46287 > 158.69.226.30.443: Flags [F.], seq 1348, ack 11525, win 204, options [nop,nop,TS val 89338106 ecr 3124424983], length 0
15:16:05.673241 IP 158.69.226.30.443 > 104.131.123.147.46287: Flags [.], ack 1348, win 249, options [nop,nop,TS val 3124424988 ecr 89338106], length 0
15:16:05.673380 IP 158.69.226.30.443 > 104.131.123.147.46287: Flags [F.], seq 11525, ack 1348, win 249, options [nop,nop,TS val 3124424988 ecr 89338106], length 0
15:16:05.673404 IP 104.131.123.147.46287 > 158.69.226.30.443: Flags [.], ack 11526, win 204, options [nop,nop,TS val 89338109 ecr 3124424988], length 0
15:16:05.673688 IP 158.69.226.30.443 > 104.131.123.147.46287: Flags [.], ack 1349, win 249, options [nop,nop,TS val 3124424988 ecr 89338106], length 0
Tags : http tcp tcpdump
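
An added example, not part of the original question: once tcpdump has seen the SYN it prints sequence and acknowledgment numbers relative to each side's ISN (the `-S` option prints absolute values), so the `ack 1` on the third line is the client's handshake ACK. This Python sketch, with hypothetical helper names, undoes the relative numbering on the first four lines of the capture above.

```python
import re

# First four lines of the capture above, copied verbatim.
CAPTURE = """\
15:16:05.531639 IP 104.131.123.147.46287 > 158.69.226.30.443: Flags [S], seq 2506121414, win 29200, options [mss 1460,sackOK,TS val 89338073 ecr 0,nop,wscale 8], length 0
15:16:05.542245 IP 158.69.226.30.443 > 104.131.123.147.46287: Flags [S.], seq 935949442, ack 2506121415, win 28960, options [mss 1460,sackOK,TS val 3124424955 ecr 89338073,nop,wscale 7], length 0
15:16:05.542357 IP 104.131.123.147.46287 > 158.69.226.30.443: Flags [.], ack 1, win 115, options [nop,nop,TS val 89338076 ecr 3124424955], length 0
15:16:05.544147 IP 104.131.123.147.46287 > 158.69.226.30.443: Flags [P.], seq 1:310, ack 1, win 115, options [nop,nop,TS val 89338076 ecr 3124424955], length 309
"""

LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?"
)
MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits

def absolute_numbers(capture):
    """Return (src, flags, abs_seq, abs_ack) rows with relative numbers undone."""
    isn = {}   # sender endpoint (ip.port) -> its initial sequence number
    rows = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, dst, flags = m["src"], m["dst"], m["flags"]
        seq = int(m["seq"]) if m["seq"] else None
        ack = int(m["ack"]) if m["ack"] else None
        if "S" in flags:
            isn[src] = seq   # SYN and SYN-ACK lines carry absolute numbers
        else:
            # Later lines are offsets from each side's ISN; unknown ISN -> unchanged.
            if seq is not None:
                seq = (isn.get(src, 0) + seq) % MOD
            if ack is not None:
                ack = (isn.get(dst, 0) + ack) % MOD
        rows.append((src, flags, seq, ack))
    return rows

def handshake_ack(capture):
    """Return the client's final handshake ACK row, or None if it is absent."""
    rows = absolute_numbers(capture)
    syn = next(r for r in rows if r[1] == "S")
    synack = next(r for r in rows if r[1] == "S.")
    for r in rows:
        if r[0] == syn[0] and r[1] == "." and r[3] == (synack[2] + 1) % MOD:
            return r
    return None
```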

