0

I was writting a java (jpcap) application that distinguishes which response packet was for which request packet. suddenly I encounter these two http packets that my browser sent exactly the same (seq number, ack number, ...) except one of them has push flag and different identification number. I was wondering why browser sent these two? is it Ajax?

1342824149:911270 /192.168.2.#->/174.143.213.# protocol(6) priority(0)  hop(128)  offset(0) ident(14123) TCP 11303 > 80 seq(2473817076) win(17040) ack 3940549542 

1342824149:911797 /192.168.2.#->/174.143.213.# protocol(6) priority(0)  hop(128)  offset(0) ident(14124) TCP 11303 > 80 seq(2473817076) win(17040) ack 3940549542  P

and more important question, are there separate responses for these two packets? or there is just one response? or same response? and what responses would looks like?

Alireza
  • 4,347
  • 3
  • 20
  • 31
  • It's your TCP stack sending the duplicate packet, not the browser. – Gabe Jul 22 '12 at 02:21
  • 1
    Your browser just says "connect to IP address X on port Y" and "send these bytes". It's the TCP/IP stack inside the kernel that's responsible for actually creating packets and making sure they get to their destination. In this case, the first packet didn't get acknowledged by the destination, so it was sent again. – Gabe Jul 22 '12 at 04:55
  • @Gabe could you write it as an answer so i can choose it as best answer? – Alireza Jul 22 '12 at 13:02

2 Answers2

1

Your browser just says "connect to IP address X on port Y" and "send these bytes". It's the TCP/IP stack inside the kernel that's responsible for actually creating packets and making sure they get to their destination. In this case, the first packet didn't get acknowledged by the destination, so the TCP code in the kernel sent it again.

Gabe
  • 84,912
  • 12
  • 139
  • 238
0

If they have the same TCP sequence number they are the same data: the second one is a retry due to non-acknowledgement. The PUSH flag doesn't really do anything except possibly in routers. The different Wireshark number is just because they are different actual receive events: it's not in the packet.

user207421
  • 305,947
  • 44
  • 307
  • 483
  • OK, so you say when a response comes back it's for the second one, not the first one. because the first one is ignored due to not receiving ack! right? – Alireza Jul 22 '12 at 02:34
  • 1
    @Alireza I didn't say any such thing. If a response comes back, it is for either of them, it doesn't matter which, because they both contain the same data. And there is no way to tell. If the first one arrived, the second one will be dropped; if the first one didn't arrive, the second one will be accepted. In either case the behaviour of the receiving application is the same. – user207421 Jul 22 '12 at 03:44