Laura Chappell

Reading a Selective ACK (SACK) Block

If you've been capturing traffic for a while, you've likely encountered some Selective Acknowledgment blocks. Selective Acknowledgment (SACK) is used to acknowledge receipt of data packets after the point of packet loss.


SACK reduces the impact of packet loss by enabling a host to send only the missing packet(s) instead of resending the lost packet and every data packet that had been sent after the point of packet loss.


Left and Right Edges


A SACK block contains a SACK Left Edge (SLE) and SACK Right Edge (SRE) value that acknowledges received data.


Let's check out an example of SACK in use. Download and unzip sackexample.zip to follow along.


Click and drag the TCP Sequence Number and TCP Segment Length fields to make them columns, as shown below. I have hidden the default Length column at this time.


Wireshark with Extra Columns Added

In Frame 30, Wireshark indicates "TCP Previous segment not captured" - a sign that the TCP Sequence Number has incremented beyond the next expected value.


In Frame 29, 151.101.20.157 sent TCP Sequence Number 14,467 with 1,456 bytes of data - add those two values together, and we would expect to see Sequence Number 15,923 next.


Instead, we see Sequence Number 18,835 next in Frame 30, followed by Sequence Number 20,291 in Frame 31.


SACK blocks

In Frame 32, 10.0.0.146 sends an ACK indicating it received everything up to, but not including, Sequence Number 15,923 (the Acknowledgment Number field). This frame includes a SACK block (shown in the Info column).


SLE=18835 SRE=20291


This SACK block acknowledges receipt of the 1,456 bytes of data in Frame 30. "I got Sequence Number 18,835 up to - but not including - Sequence Number 20,291."


Increasing the Right Edge


Frame 33 contains different SACK block information.


SLE=18835 SRE=20353


This SACK block acknowledges receipt of the data in Frame 30 and Frame 31. "I got Sequence Number 18,835 up to - but not including - Sequence Number 20,353."


The SACK Right Edge can continue to increase to acknowledge data received after the point of packet loss.
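The same reading can be done in code. The following is an added example, not part of the original post: it parses the SACK option (TCP option kind 5, RFC 2018) out of a TCP options field and reports the missing range and the bytes acknowledged past it. The function names and the option bytes are constructed for illustration and use the relative sequence numbers from Frames 32 and 33.

```python
import struct

def parse_sack_blocks(options: bytes):
    """Walk a TCP options field and return [(left_edge, right_edge), ...]."""
    blocks, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # NOP: single padding byte
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        if kind == 5:                      # SACK: 2 + 8*n bytes, n = 1..4
            if (length - 2) % 8 or not 10 <= length <= 34:
                raise ValueError("malformed SACK option")
            for off in range(i + 2, i + length, 8):
                blocks.append(struct.unpack_from("!II", options, off))
        i += length
    return blocks

def holes_and_sacked(ack: int, blocks):
    """Return ([(hole_start, hole_end, hole_len)], sacked_bytes).
    Arithmetic is modulo 2**32; assumes the blocks do not overlap."""
    mod = 1 << 32
    holes, sacked, edge = [], 0, ack
    for sle, sre in sorted(blocks, key=lambda b: (b[0] - ack) % mod):
        holes.append((edge, sle, (sle - edge) % mod))   # data still missing
        sacked += (sre - sle) % mod                     # right edge is exclusive
        edge = sre
    return holes, sacked

# Constructed option bytes: NOP, NOP, SACK(len=10), SLE, SRE
FRAME_32_OPTS = bytes([1, 1, 5, 10]) + struct.pack("!II", 18835, 20291)
FRAME_33_OPTS = bytes([1, 1, 5, 10]) + struct.pack("!II", 18835, 20353)

if __name__ == "__main__":
    for name, opts in (("Frame 32", FRAME_32_OPTS), ("Frame 33", FRAME_33_OPTS)):
        print(name, holes_and_sacked(15923, parse_sack_blocks(opts)))
```

For Frame 32 the hole runs from 15,923 to 18,835, which is 2,912 bytes, or two 1,456-byte segments that the sender still needs to retransmit.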


In the next blog, we will take a look at a situation where we need multiple SACK blocks.


Enjoy!


