TCP & UDP Packets

I normally use Wireshark to trace network communication issues while tracing issues with TCP/UDP packet transmission.

TCP stands for  Transmission Control Protocol: The mechanism behind each packet authentication and verification method is called 3 WAY Handshake= SYN, SYN+ACK, and ACK. 

  • Computer A Sends SYN to Computer B. In this SYN request it lists initial Sequence (SEQ) number, Let’s say its Zero.
  • Computer B Receives SYNC and sends SYN+ACK to Computer A. Computer B says that I got your SYN, SEQ of Computer A (0) + 1 (ACK) = ACK. It sends the ACK to computer A.
  • Computer A then receives the  ACK and replies to Computer B to update its SEQ number to ACK+1.
  • Eventually, each side will establish its own ACK and SEQ numbers as they progress communication both ways while verifying packets.

SEQ= Its the packet size sent to computer B, not the packet number. At this point, Computer B will also stick in its own SEQ # since its 2-way communication so both machines know their SEQ to increments.

Let’s suppose Computer B is basically Saying that I got computer A’s SEQ value 8 Bytes and My ACK value increment by 1 (SEQ+1=9) and btw the Computer B’s SEQ# is Zero which will be helpful for computer A to determine the data transfer back & forth. It is seamless 2-way communication to let both computers establish a trust relationship.

Note: ACK +1 will be added for Computer B SEQ # to acknowledge the handshake authenticity by setting up the next expected SEQ number.

The next command from Computer A will be the HTTP GET  request.


  • Let’s say Computer A types Http://somewebsite data which is 20 Bytes. The Computer The original SEQ was 1 now and it will become 21.
  • Computer B receives SYN and adds the SEQ +1 (SYC +ACK)=22, ACK Value is now 22 send to computer A. Computer B will set SEQ number was 1 . Computer B then replied to computer A SYN+ACK = 21 Bytes (ACK) + It will send some data with it let’s replying to the website requested data= 1000 Butes.
  • Computer A will get ACK (21), It will add 1 to Computer B’s SEQ (1000 + 1) to let computer B know to expect next SEQ# from A and packet communication will carry one with TCP SYN, SYN+ACK and ACK model.
  • CCNA Training » TCP and UDP Tutorial

WireShark: You can trace the packets by placing the following filters. 

TCP packets have following attributes to it,

  • Source/Destination IP
  • IP SYN
  • Port number
  • SEQ
  • Stream Index: Each TCP has unique streams. Almost 2 different conversations. TCP can have multiple streams to sperate its TCP communications.
  • Win (TCP Sliding Window)  and Windows Size Scaling Factor: which varies as packet flow back & forth between Source & Destination. It’s how much data can be sent at one to destination machine before I get the acknowledgment from A to B and B to A. TCP is designed to send data faster as it determines the TCP window of the data flow.

Command: I normally use IP.addr== [IP address] 

And you can be more specific with the following filter IP.addr== [IP address] && [stream Index number]

i.e (ip.addr eq and ip.addr eq and (tcp.port eq 55678 and tcp.port eq 80)


UDP: (User Datagram Protocol) is an alternative communications protocol to Transmission Control Protocol (TCP) used primarily for establishing low-latency and loss-tolerating connections between applications on the internet. Most Media streaming and VOIP (RTP: Real-Time Protocol) technology use UDP where retransmission of packet loss is insignificant.UDP uses the following parameters

  • Source/Destination Port
  • Stream Index
  • Checksum
  • Timestamp