Network analysis is the process of capturing network traffic/packets and analyzing them. It is mostly used by network administrators, as it offers insight into network communication that helps troubleshoot network problems, monitor and control network communications, analyze application behaviour, and detect network security threats and breaches.
“There will be times that you WILL have to manually evaluate the content of packets to identify what they are doing” William Zereneh
In one of the projects that I was working on, I had to analyze network traffic using Wireshark in order to extract meaningful information from the header and/or the payload of the packets. However, while going through the packets, for some reason some packets’ payload was empty (i.e., these packets do not carry data), which made me more curious to know more about the cases where a packet’s payload is empty. In this post, we will explore the types of network packets that flow through the network for purposes other than transmitting data. I am assuming that you are familiar with networking and network protocols.
Types Of Packets Where Payload Is Empty
Acknowledgment (ACK)
Acknowledgment in data networking is part of a communication protocol. It is a signal sent from a device (destination or receiver) to acknowledge the successful receipt of a message from another device (source or sender). The data/payload length is zero because the destination host is not sending any messages or data, but only signifying the acknowledgment of the data.
Negative Acknowledgment (NAK)
For various reasons, packets can be corrupted. Packet corruption occurs when the received data or bits cannot be matched to their state when they were sent (the original); such errors can also cause packet loss. When the receiver fails to decode the transmitted bits, it sends a Negative Acknowledgment signal. The difference between ACK and NAK is clear: ACK indicates that the message was received successfully, while NAK indicates that the received message is corrupted.
Keepalive
Normally, a connection is closed if it is not active for too long. It is also closed if a packet sender did not receive an acknowledgment after a certain number of unanswered probes. A keepalive packet is sent from one device to another to check whether the link/connection between the two devices is operating and to maintain that connection. Keepalive packets can reduce the time needed to request and respond, and they also reduce the number of TCP and SSL/TLS connection requests.
ACKed Unseen Segment
In some PCAP files, I have seen some events in the network trace indicating a TCP Analysis flag; the information of the packet that had this flag said “TCP ACKed Unseen Segment”. This means that the sender of the ACK is reporting or acknowledging the delivery of a packet that is not present in the trace. According to an answer published on the Wireshark Q&A site, two common reasons can cause this problem: 1) asymmetric routing, where the data packets take a different path, or 2) the capturing tool was not able to keep up and did not write all the packets into the trace file.
TCP RST (‘reset’)
When a TCP connection is established, each TCP packet header contains a reset (RST) flag bit. Normally, this bit is set to 0. An RST packet is a packet with this bit set to 1, which indicates to the receiver that it should terminate the TCP connection. So an RST packet can be used to stop a connection, and it can also be sent by a receiver when it did not expect the arrival of a TCP packet.
Duplicate Acknowledgment (DupACK)
One of the reasons that may cause Duplicate Acknowledgments to be sent is packet loss. A DupACK is sent when a receiver receives out-of-order packets. Out-of-order packets (also known as out-of-order delivery) occur when a set of data packets is sent/delivered in a different order. This problem’s impact can be similar to the impact caused by packet loss.
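As an added example (not part of the original post), the following script shows how the zero-payload segment types discussed above can be told apart from raw TCP header fields, mirroring the heuristics Wireshark's TCP analysis uses: a pure ACK, a DupACK (same acknowledgment number as the previous ACK with no data), a keepalive (zero-length segment whose sequence number is one below the sender's next expected sequence number) and an RST. The packets, ports and addresses are constructed inline; the parser handles only IPv4 with a 20-byte TCP header and ignores checksums.

```python
import struct

# TCP flag bits (low byte of the data-offset/flags field)
ACK, RST, SYN, FIN, PSH = 0x10, 0x04, 0x02, 0x01, 0x08

def build_packet(seq, ack, flags, payload=b"", sport=40000, dport=443):
    """Construct a minimal IPv4+TCP packet (no options, checksums left zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # constructed addresses
    return ip + tcp

def parse_tcp(pkt):
    """Return (seq, ack, flags, payload_length) of the TCP segment inside an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4                       # IPv4 header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]    # trims any link-layer padding
    tcp = pkt[ihl:total_len]
    _, _, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4                # TCP header length in bytes
    return seq, ack, off_flags & 0x1FF, len(tcp) - data_off

def classify_stream(packets):
    """Label each segment of ONE direction of a TCP stream, tracking the sender's
    next sequence number and the last acknowledgment number it sent."""
    labels, next_seq, last_ack = [], None, None
    for pkt in packets:
        seq, ack, flags, plen = parse_tcp(pkt)
        if flags & RST:
            label = "rst"
        elif plen > 0:
            label = "data"
        elif flags & ACK and not flags & (SYN | FIN):
            if next_seq is not None and seq == next_seq - 1:
                label = "keepalive"     # probes with an already-acknowledged byte
            elif ack == last_ack:
                label = "dup-ack"       # re-acknowledges the same point, no data
            else:
                label = "pure-ack"
        else:
            label = "other"
        labels.append(label)
        end = seq + plen + (1 if flags & (SYN | FIN) else 0)   # SYN/FIN occupy a sequence number
        next_seq = end if next_seq is None else max(next_seq, end)
        if flags & ACK:
            last_ack = ack
    return labels

# Constructed client->server half of a connection: ACK, request, ACK of a reply,
# repeated ACK, keepalive probe, then a reset.
SAMPLE_STREAM = [
    build_packet(1000, 5000, ACK),
    build_packet(1000, 5000, ACK | PSH, b"GET / HTTP/1.0\r\n\r\n"),
    build_packet(1018, 5100, ACK),
    build_packet(1018, 5100, ACK),
    build_packet(1017, 5100, ACK),
    build_packet(1018, 5100, RST | ACK),
]

if __name__ == "__main__":
    for pkt, label in zip(SAMPLE_STREAM, classify_stream(SAMPLE_STREAM)):
        print(parse_tcp(pkt), label)
```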
Please note that the above list is not exhaustive.