LMTV LIVE | Performance Article and TribeLab - Tony Fortunato and Paul Offord
LMTV LIVE | What Can I Really Do With A Visibility Architecture? (with Keith Bromley of IXIA and Mike Canney of IXIA)

What Do TCP/IP Selective Acknowledgments (SACKs) Look Like? (by Phillip Storey)

Part 1: Investigating Simple Selective Acknowledgements (SACKs)

In this video, the aim is to help improve our understanding of TCP/IP Selective Acknowledgements (SACKs) and how they are different to “Normal” TCP/IP Acknowledgements (ACKs). 

How does Wireshark tell us about them and how should we interpret that information?


Wireshark SACKs view - Click on to enlarge image - 

Wireshark SACKs

SACKs are much easier to understand if we have a diagram. I’ll be using charts from a packet analysis application called NetData to help me explain.

 This is the first article of a proposed series that I have called:

Understanding Wireshark Outputs with NetData Charts


Wireshark can inform us of all kinds of TCP/IP, network and application behaviours. However, to get the most from it (and especially to solve complex problems), we must have a very good understanding of:

  • The various protocols of TCP as well as higher level applications.
  • Behaviours of different kinds of network devices (firewalls, load balancers, WAN accelerators, etc.).
  • How does Wireshark tell us various things?
  • How do we correctly interpret what Wireshark tells us?

 NetData charts can add a lot of clarity to TCP/IP behaviour, application behaviour and what Wireshark tells us about them.

In this series, I’ll use capture files already in the public domain so that you can examine the files yourself.

In this first video, I examine a capture file named, “TCP_SACK.cap” that comes from a blog on the PacketLife.net website by Jeremy Stretch.


The file is very small, containing an HTTP GET with one packet loss, four SACKS and one retransmission. It is rather surprising just how must content we can extract from just 39 packets.

I’d strongly encourage you to visit that site, read the blog and download the capture file before watching my video.  That way, you’ll likely be able to make better sense out of the NetData charts that I present.

Philip's video on SACKS - https://www.youtube.com/watch?v=dz-0uB03JsA

I’ve chosen a very simple example to keep this first video short and to the point.

You can also read and study my SACKs presentation here in .pdf -  Download SACK-P1-Simple

SACKs Facts - Click to enlarge image - 

SACK fun facts

Many more videos are planned to be on www.lovemytool.com in this awesome series,

the following topics will be explored with Phil:

  • Part 2: Investigating More Complex Selective Acknowledgements.
  • Application layer transaction timing details (e.g., TranSum and Wireshark “Expert”).
  • Path discovery, VPNs, ICMP and “MSS-Adjust”.
  • SMB/SMB2 Protocols and how sending and receiving look very different.
  • How Cisco ASA firewalls can hide packet losses from us.
  • Misleading terminology such as “Service Time” and “Latency”.

If you have a capture file that would make a good example for this series, please get in touch.

Philip2The author - Phil Storey is a freelance troubleshooter and performance analyst for both networks and applications. He has more than 35 years’ experience in IT and communications. Phil’s early years were as a technical expert for US companies NCR and AT&T and included connecting Unix systems into mainframe SNA networks, developing database applications and connecting PCs to the fledgling Internet (all with their attendant problem solving and troubleshooting components). Phil’s later career, as a Network and Infrastructure Architect at a major Australian bank, was less technically detailed, but far broader ranging. A hidden passion was unleashed in 2009 when he was introduced to the art of packet capture and analysis – moving his career back to the world of extremely detailed technical knowledge. After a stint at a major telco using NetScout, Phil’s analysis tool of choice is now NetData Pro from the Australian company, Measure IT, because it allows him to very quickly get to the bottom of very tough and very complex problems or behaviours.

Phil holds a Bachelor of Computer Science degree from the University of Sydney (as well as a Postgraduate Diploma in Applied Finance and Investment).

If you are having tough performance problems, if you want facts (not guesses) and if you want real answers (not finger pointing), or just to discuss anything - please find me at: www.networkdetective.com.au