0

Device 1 Windows XP. 192.168.101.173, I have access to the application code, but it is massive.

Device 2 Embedded device. 192.168.101.205. I don’t have access to the code or even to logs from this device.

Device 1 and Device 2 are connected and apparently, the Device 2 doesn't support SACK. So I want to disable SACK on the first device to see if the issue that I am experiencing is solved.

Here is a little capture of what is happening on Wireshark. Please note that the image is for illustration purposes only and NOT to send data of the problem I am facing.

It can be seen that the first device sends a restart connection command after which SACKs are sent. The second device never recovers from this.

Update: the communication between the two devices is not heavy traffic rather it is a constant pinging on the second device and every now a then a big flow of data but something within the Kbytes range, other than that the communication is just the ping aforementioned so it is really annoying to see this amount of SACKs. I don't know if disabling the SACKs on the Windows side will solve anything but I want to see the behaviour of the system after deactivating them.

Update: Please find the Wireshark capture of what is happening on this link. A brief comment on the file: 11:35 I took a break. 11:53 I restarted capture. Until here everything is normal. At package 963 Something happened with the application on Device 2. Apparently, it freezes. You can see that Device 2 doesn't replay, it only sends an ACK (different from what it was doing ACK and then answer).

At package 969 Device 1 resets the connection.

From there you can see the SACK_PERM constantly. So I want to disable SACKs on the Windows XP machine to see if there is any improvement.

Please read the question again, before answering.

Improve this question
7
  • Please clarify your specific problem or provide additional details to highlight exactly what you need. As it's currently written, it's hard to tell exactly what you're asking.
    – Community Bot
    Commented Sep 13, 2023 at 16:27
  • So your hypothesis is that the second system not only doesn't support SACK, but is also so buggy that it chokes when it sees a SYN trying to negotiate SACK? I'm pretty sure TCP implementations are always required to ignore TCP options they don't recognize. It's a shame whoever built this TCP implementation ignored Postel's Law.
    – Spiff
    Commented Sep 13, 2023 at 20:19
  • @Spiff I updated the info in the ticket please let me know if you need to know something else.
    – Beto
    Commented Sep 14, 2023 at 14:17
  • 1
    Frankly, the image is worse than useless for illustration purposes, as the result is that I don't actually know whether any of it matches the real behavior that you're seeing – because what you're describing doesn't match the image at all. There is no "amount of SACKs" in it (only some offers to use SACK), there is no "constant pinging" (the image shows retransmissions on lack of response, which is entirely different), there is no "restart connection" command. Please either show your actual situation or don't show anything at all, but not made-up information.
    – grawity_u1686
    Commented Sep 14, 2023 at 14:43
  • @u1686_grawity Thank you for your comment. Please let me capture a better image over the weekend. I'll let you know when I do.
    – Beto
    Commented Sep 15, 2023 at 9:05

1 Answer 1

Reset to default
0

SACK support in Windows is controlled through Registry at:

  • Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  • Value: SackOpts
  • Type: REG_DWORD
  • Data: 0 to disable

SACK is not the only feature that uses TCP options; TCP1323Opts controls timestamping and window scaling, and I don't think there's any way to disable the "Max segment size" option.

Reference: https://www.fs-net.de/assets/download/docu/netdcu/en/NetDCU_TCPIP_ParametersConfigurableByUser.pdf

From there you can see the SACK_PERM constantly. So I want to disable SACKs on the Windows XP machine to see if there is any improvement.

Very unlikely.

First of all, 'SACK_PERM' is not the actual usage of SACK – 'SACK_PERM' is SACK capability negotiation, a TCP handshake option that indicates willingness to use SACK if the other peer agrees. A device that doesn't support SACK would just answer the handshake without including its own 'SACK_PERM' option and the connection would automatically proceed without SACK usage.

However, your device does include 'SACK_PERM' in its answer, indicating that it does support SACK – and not only that, but it also produces actual SACKs in the packets it sends (such as in packet 954 of your capture). So that disproves your initial guess that device 2 does not support SACK, and it means that disabling SACK on the client side is very unlikely to do anything useful.

(What you're describing as "constant SACK_PERM" is not what SACK usage looks like; it's more like "constant TCP handshake attempts" when device 1 keeps trying to establish a new connection, and even though Wireshark emphasizes it a lot in its GUI, the SACK offer is not the main content of these packets.)

Even if a device was so tight in memory space that it couldn't implement SACK, it would still be capable of accepting TCP SYN with options attached and just ignoring those options that it doesn't understand, because pretty much every OS in the last 35+ years has been adding those in every handshake – it's unrealistic that any manufacturer would produce a device that requires system-wide disabling SACK in each and every client.

Furthermore, it is not only SACK that uses TCP options; it is also TCP window size scaling; TCP MSS negotiation; TCP timestamping... all of which your device apparently supports just fine, judging from its SYN_ACK reply including all those options.

Second, in your description:

At package 963 Something happened with the application on Device 2. Apparently, it freezes. You can see that Device 2 doesn't replay, it only sends an ACK (different from what it was doing ACK and then answer).

At package 969 Device 1 resets the connection.

…is not the same connection. These packets are sent for different TCP port numbers.

  • The connection with packet 963 (tcp.stream eq 4) does not freeze at all, as far as I can see in the capture – the device actually answers in the next packet, and it continues working all the way until the end of capture.

  • The connection with packet 969 (tcp.stream eq 5) is a very short-lived connection that was established in packet 879, and it does freeze, but not due to the use of SACK; there is only one segment that needs ACKing at that point, and the device just doesn't ACK it.

  • The "SACK_PERM" packets (all of them tcp.stream eq 6) are a single attempt to establish a fresh connection after the reset (which is ignored as much as the client tries to retransmit the SYN); however, the SACK_PERM option in them is exactly the same as in the SYN packets of working TCP connections, so it's unlikely to be the cause of the connection attempt being ignored.

Improve this answer
1
  • Wow, that's a very professional answer. Let me process all of this and I'll return with some questions. Unfortunately, I am working on something else at the moment so probably I only will be able to review with proper dedication on the weekend. As I am a new member, I can’t vote for your answer, but I already selected it as the answer.
    – Beto
    Commented Sep 20, 2023 at 16:35

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .