TCP SACK and DSACK PCAP Analysis: Selective ACK, Duplicate SACK, Packet Loss, Reordering, and Spurious Retransmissions
How to analyze TCP SACK and DSACK options in packet captures, selective acknowledgments, packet loss recovery, reordering, duplicate ACKs, and spurious retransmissions.
TCP retransmission analysis gets much more precise when Selective Acknowledgment is available. Users search for "TCP SACK pcap", "DSACK Wireshark", "duplicate SACK", "spurious retransmission", "TCP reordering vs packet loss", and "selective ACK packet capture" when a trace shows duplicate ACKs, retransmissions, and out-of-order packets but the root cause is unclear.
PCAP Surgery is useful because SACK evidence is carried in TCP options. If you trim away the wrong packets, lose the handshake, or separate ACKs from data, the diagnosis becomes weaker.
What SACK adds
Traditional TCP ACKs are cumulative: the ACK number names the next byte the receiver expects. If one segment is missing but later segments arrive, all the receiver can do is repeat the same ACK number pointing at the start of the gap, which says nothing about what arrived beyond it.
SACK (RFC 2018) lets the receiver say: "I am still missing this earlier range, but I have received these later ranges."
This helps distinguish:
- Actual packet loss.
- Out-of-order delivery.
- Duplicate packets.
- Receiver behavior.
- Sender recovery behavior.
SACK must be negotiated
SACK capability is negotiated with the SACK-permitted option (kind 4), which must appear in both the SYN and the SYN-ACK. If the capture starts after the handshake you cannot see that negotiation directly. SACK blocks in later ACKs prove it was agreed, but their absence proves nothing: the receiver may simply never have had out-of-order data to report.
Always preserve:
- SYN.
- SYN-ACK.
- SACK-permitted option, in both directions.
- Window scale option.
- Timestamp option if present.
This is why a "small pcap around the retransmission" can be insufficient.
Duplicate ACKs with SACK blocks
Duplicate ACKs do not all mean the same thing. A duplicate ACK with SACK blocks can tell the sender exactly which later byte ranges arrived.
Evidence to inspect:
- ACK number.
- SACK left edge and right edge of each block. The option space holds at most four blocks, three when timestamps are also in use, so older ranges drop out of later ACKs.
- Repeated SACK blocks.
- New SACK information.
- Whether missing data later appears.
- Whether retransmission fills the gap.
This is much stronger than just counting duplicate ACKs.
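The following Python, added here as an example and not part of PCAP Surgery or the original page, parses the TCP option area of a raw segment, confirms SACK-permitted on both sides of the handshake, and turns a duplicate ACK's cumulative ACK number plus its SACK blocks into the list of holes the sender still has to fill. The segments are constructed with a small build_tcp helper (ports, sequence numbers and timestamp values are arbitrary), and the hole computation ignores 32-bit sequence wraparound.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# TCP option kinds: RFC 793 (EOL, NOP, MSS), RFC 7323 (window scale, timestamps),
# RFC 2018 (SACK-permitted, SACK).
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_PERM, OPT_SACK, OPT_TS = 0, 1, 2, 3, 4, 5, 8
FLAG_SYN, FLAG_ACK = 0x02, 0x10


@dataclass
class TcpOptions:
    mss: Optional[int] = None
    wscale: Optional[int] = None
    sack_permitted: bool = False
    timestamps: Optional[Tuple[int, int]] = None                       # (TSval, TSecr)
    sack_blocks: List[Tuple[int, int]] = field(default_factory=list)  # (left, right) edges


def parse_tcp_options(opts: bytes) -> TcpOptions:
    """Walk the option bytes between the fixed 20-byte header and the payload."""
    out = TcpOptions()
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length")
        body = opts[i + 2:i + length]
        if kind == OPT_MSS and length == 4:
            out.mss = struct.unpack("!H", body)[0]
        elif kind == OPT_WSCALE and length == 3:
            out.wscale = body[0]
        elif kind == OPT_SACK_PERM and length == 2:
            out.sack_permitted = True
        elif kind == OPT_TS and length == 10:
            out.timestamps = struct.unpack("!II", body)
        elif kind == OPT_SACK and (length - 2) % 8 == 0:
            for j in range(0, length - 2, 8):          # each block is two 32-bit edges
                out.sack_blocks.append(struct.unpack("!II", body[j:j + 8]))
        i += length
    return out


def parse_tcp_header(segment: bytes) -> dict:
    """Split a raw TCP segment (IP header already removed) into fields, options and payload."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (off_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF,
            "options": parse_tcp_options(segment[20:data_offset]),
            "payload": segment[data_offset:]}


def sack_negotiated(syn: bytes, synack: bytes) -> bool:
    """SACK is only usable when BOTH the SYN and the SYN-ACK carry SACK-permitted."""
    return (parse_tcp_header(syn)["options"].sack_permitted
            and parse_tcp_header(synack)["options"].sack_permitted)


def missing_ranges(ack: int, sack_blocks: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Holes between the cumulative ACK and the highest SACKed byte: what the sender
    still has to (re)transmit. Blocks entirely below the ACK are skipped because they
    are D-SACK reports, not holes. Assumes no 32-bit wraparound inside the window."""
    holes, cursor = [], ack
    for le, re in sorted(b for b in sack_blocks if b[1] > ack):
        if le > cursor:
            holes.append((cursor, le))
        cursor = max(cursor, re)
    return holes


def build_tcp(seq: int, ack: int, flags: int, options: bytes, payload: bytes = b"") -> bytes:
    """For constructed test segments only: pad options to 32-bit words and pack a header."""
    options += b"\x00" * (-len(options) % 4)
    off_flags = ((20 + len(options)) // 4) << 12 | flags
    return struct.pack("!HHIIHHHH", 44321, 443, seq, ack, off_flags, 65535, 0, 0) + options + payload


# Constructed handshake and duplicate ACK; not taken from any real capture.
SYN_SEGMENT = build_tcp(1000, 0, FLAG_SYN,
    bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030307"))
SYNACK_SEGMENT = build_tcp(5000, 1001, FLAG_SYN | FLAG_ACK,
    bytes.fromhex("020405b4" "0402" "080a000000c800000001" "01" "030307"))
SYNACK_NO_SACK = build_tcp(5000, 1001, FLAG_SYN | FLAG_ACK,
    bytes.fromhex("020405b4" "01" "030307"))
# Receiver is missing 1001..2000 and 3001..4000; the newest SACK block is listed first.
DUP_ACK_SEGMENT = build_tcp(5001, 1001, FLAG_ACK,
    b"\x01\x01" + bytes.fromhex("080a000001f4000000c8") + b"\x01\x01"
    + b"\x05\x12" + struct.pack("!IIII", 4001, 5001, 2001, 3001))

if __name__ == "__main__":
    print("SACK negotiated:", sack_negotiated(SYN_SEGMENT, SYNACK_SEGMENT))
    hdr = parse_tcp_header(DUP_ACK_SEGMENT)
    print("ACK", hdr["ack"], "SACK", hdr["options"].sack_blocks)
    print("holes to retransmit:", missing_ranges(hdr["ack"], hdr["options"].sack_blocks))
```

On a real trace, feed parse_tcp_header the TCP bytes of each segment after the IP header; it also surfaces TSval/TSecr, which help pair a retransmission with the ACK that triggered it even when the two captures' clocks disagree.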
Packet loss vs reordering
If a segment arrives late rather than being lost, SACK may show that later data was already received. The sender may retransmit anyway, and then the original packet also arrives. That can look messy at the capture point.
Questions:
- Did the original segment arrive late?
- Did the retransmission arrive first?
- Did DSACK later report duplicate data?
- Is there a path that reorders packets?
- Are bursts crossing multiple links, tunnels, or load-balanced paths?
PCAP Surgery can help isolate the exact sequence range and compare packet order.
What DSACK means
Duplicate SACK (DSACK, RFC 2883) lets the receiver report that it received a byte range it already had. The report travels in the first SACK block, and you recognize it because that block lies entirely below the cumulative ACK number, or is contained in the second SACK block. This is useful for identifying spurious retransmissions or reordering.
DSACK evidence may suggest:
- Sender retransmitted unnecessarily.
- Network delivered original data late.
- Capture point saw duplicates.
- Receiver got both original and retransmitted bytes.
- Middlebox duplicated packets.
That is a different conclusion from "the packet was lost."
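As an added example, not code from the page or from PCAP Surgery, the following Python models the receiver side of the exchange: it generates the ACK number and SACK blocks a receiver emits after each arriving data segment, following RFC 2018 and RFC 2883, and applies the D-SACK recognition rule described above to each ACK. The arrival order is constructed, every segment is 1000 bytes, the receiver is limited to three blocks (timestamps assumed in use), and only whole-segment duplicates are reported, a simplification of RFC 2883's partial-overlap cases.

```python
from typing import List, Optional, Tuple

Range = Tuple[int, int]   # [left_edge, right_edge) in TCP sequence space


def is_dsack(ack: int, sack_blocks: List[Range]) -> Optional[Range]:
    """RFC 2883 rule: the first SACK block is a D-SACK if it lies entirely below the
    cumulative ACK, or if it is contained in the second SACK block.
    Returns the duplicated range, or None for an ordinary SACK."""
    if not sack_blocks:
        return None
    le, re = sack_blocks[0]
    if re <= ack:
        return (le, re)
    if len(sack_blocks) > 1:
        le2, re2 = sack_blocks[1]
        if le2 <= le and re <= re2:
            return (le, re)
    return None


def _merge(ranges: List[Range]) -> List[Range]:
    """Coalesce overlapping or touching ranges into a sorted disjoint list."""
    out: List[Range] = []
    for le, re in sorted(ranges):
        if out and le <= out[-1][1]:
            out[-1] = (out[-1][0], max(out[-1][1], re))
        else:
            out.append((le, re))
    return out


class SackReceiver:
    """Receiver-side model: tracks the cumulative ACK point and the out-of-order data,
    and produces the ACK number plus SACK/D-SACK blocks that RFC 2018 and RFC 2883 say
    the receiver should send after each arriving data segment.
    Simplification: only whole-segment duplicates are reported as D-SACK."""

    def __init__(self, rcv_nxt: int, max_blocks: int = 3):
        self.rcv_nxt = rcv_nxt         # next expected byte, i.e. the ACK number
        self.ooo: List[Range] = []     # received data above rcv_nxt, disjoint and sorted
        self.max_blocks = max_blocks   # 3 with timestamps in use, 4 without

    def receive(self, seq: int, length: int) -> Tuple[int, List[Range]]:
        le, re = seq, seq + length
        dup: Optional[Range] = None
        covering: Optional[Range] = None
        if re <= self.rcv_nxt:
            dup = (le, re)                          # already acknowledged cumulatively
        else:
            for blk in self.ooo:
                if blk[0] <= le and re <= blk[1]:   # already held out of order
                    dup, covering = (le, re), blk
                    break
        if dup is None:                             # genuinely new data
            if le <= self.rcv_nxt:
                self.rcv_nxt = max(self.rcv_nxt, re)
            else:
                self.ooo = _merge(self.ooo + [(le, re)])
            while self.ooo and self.ooo[0][0] <= self.rcv_nxt:
                self.rcv_nxt = max(self.rcv_nxt, self.ooo[0][1])   # a hole just closed
                self.ooo.pop(0)
            covering = next((b for b in self.ooo if b[0] <= le < b[1]), None)
        blocks: List[Range] = []
        if dup is not None:
            blocks.append(dup)           # RFC 2883: the D-SACK goes in the first block
        if covering is not None:
            blocks.append(covering)      # RFC 2018: the block holding the newest data next
        for blk in reversed(self.ooo):   # remaining blocks, highest sequence first
            if blk not in blocks:
                blocks.append(blk)
        return self.rcv_nxt, blocks[: self.max_blocks]


def run_scenario() -> List[Tuple[int, List[Range], Optional[Range]]]:
    """Constructed arrival order at the receiver, 1000-byte segments, rcv_nxt starts at 1001."""
    rcv = SackReceiver(rcv_nxt=1001)
    arrivals = [2001, 3001, 1001, 1001, 5001, 5001]
    # 2001, 3001 : arrive while 1001 is missing      -> plain SACK
    # 1001       : the hole is filled                -> ACK jumps to 4001, no SACK
    # 1001 again : spurious retransmission or late original -> D-SACK below the ACK
    # 5001       : new hole at 4001                  -> plain SACK
    # 5001 again : duplicate of out-of-order data    -> D-SACK contained in the SACK block
    out = []
    for seq in arrivals:
        ack, blocks = rcv.receive(seq, 1000)
        out.append((ack, blocks, is_dsack(ack, blocks)))
    return out


if __name__ == "__main__":
    for ack, blocks, dsack in run_scenario():
        print(f"ACK={ack} SACK={blocks} D-SACK={dsack}")
```

Reading the output alongside a real trace: a D-SACK below the ACK means the receiver already had the data by the time the second copy arrived, so the retransmission was unnecessary; a D-SACK contained in the second block means the duplicate landed in an out-of-order region, which points at reordering or path duplication rather than loss at that range.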
Spurious retransmissions
A retransmission is not always proof of loss. It may be triggered by:
- Reordering.
- Delayed ACK behavior.
- Capture offload artifacts (TSO, GRO, or LRO merging or splitting segments at the capture point).
- Too-small retransmission timeout.
- ACK compression.
- Virtualization timing.
- Path asymmetry.
SACK and DSACK help prove whether data was truly missing or just late.
Capture point matters
If the pcap is one-sided, or taken behind a NAT or load balancer that rewrites sequence numbers, SACK interpretation gets tricky. A packet your capture point saw may still have been dropped before it reached the receiver, and a packet missing from your capture (capture drops, offload) may still have arrived.
Useful practice:
- Compare sender-side and receiver-side captures.
- Keep capture clocks synchronized; the TCP timestamp option helps correlate the two sides when they are not.
- Preserve sequence numbers.
- Avoid trimming out ACK-only packets.
- Note offload and capture location.
SACK analysis without ACK packets is not analysis.
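As an added example, not from the page or from PCAP Surgery, this Python pairs a sender-side and a receiver-side capture by sequence range and decides, for each range, whether the data was lost, reordered, duplicated on the path, or retransmitted spuriously. It covers the packet loss vs reordering questions and the capture point discussion above. Both captures are constructed, the DataSeg type and the verdict codes are this example's own, and the clocks of the two capture points are assumed synchronized: comparing the first arrival time with the time the retransmission left the sender is what separates a delayed original from a lost ACK or a too-short RTO.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Range = Tuple[int, int]   # [seq, seq + length)


@dataclass(frozen=True)
class DataSeg:
    t: float       # capture timestamp in seconds; both capture clocks assumed synchronized
    seq: int
    length: int

    @property
    def rng(self) -> Range:
        return (self.seq, self.seq + self.length)


VERDICTS = {
    "ok": "sent once, received once",
    "lost": "sent but never seen at the receiver capture point",
    "loss_recovered": "original lost, retransmission delivered: genuine loss",
    "retx_lost": "original delivered, retransmission never seen: retransmission was spurious",
    "spurious_ack_lost_or_rto": "original arrived before the retransmission was sent: ACK lost or delayed, or RTO too small",
    "spurious_reordered": "original delayed in the network and overtaken by the retransmission: reordering",
    "net_duplicate": "sent once, received more than once: duplication between the capture points",
    "receiver_only": "seen only at the receiver: sender capture dropped it or it was injected on the path",
}


def classify_ranges(sender: List[DataSeg], receiver: List[DataSeg]) -> Dict[Range, str]:
    """Pair every (seq, end) range across a sender-side and a receiver-side capture and
    decide what happened to it. Returns a verdict code per range (see VERDICTS)."""
    tx: Dict[Range, List[float]] = defaultdict(list)
    rx: Dict[Range, List[float]] = defaultdict(list)
    for s in sender:
        tx[s.rng].append(s.t)
    for r in receiver:
        rx[r.rng].append(r.t)
    verdicts: Dict[Range, str] = {}
    for rng in sorted(set(tx) | set(rx)):
        sent, got = sorted(tx.get(rng, [])), sorted(rx.get(rng, []))
        if not sent:
            code = "receiver_only"
        elif not got:
            code = "lost"
        elif len(sent) == 1:
            code = "ok" if len(got) == 1 else "net_duplicate"
        elif len(got) == 1:
            # Two transmissions, one arrival: if the copy arrived before the retransmission
            # even left the sender, the original got through and the retransmission did not.
            code = "retx_lost" if got[0] < sent[1] else "loss_recovered"
        else:
            # Both copies arrived, so the receiver will D-SACK the second one. Which copy
            # was first decides whether the sender or the network caused the duplicate.
            code = "spurious_ack_lost_or_rto" if got[0] < sent[1] else "spurious_reordered"
        verdicts[rng] = code
    return verdicts


def out_of_order_at_receiver(receiver: List[DataSeg]) -> Set[Range]:
    """Ranges that arrived after a segment with a higher sequence number had already been
    seen: these are what the receiver reports in SACK blocks."""
    highest, late = -1, set()
    for seg in sorted(receiver, key=lambda s: s.t):
        if seg.seq < highest:
            late.add(seg.rng)
        highest = max(highest, seg.seq)
    return late


# Constructed captures, not from a real trace. One-way delay about 10 ms, RTO about 250 ms.
SENDER_CAPTURE = [
    DataSeg(0.000, 1001, 1000), DataSeg(0.001, 2001, 1000), DataSeg(0.002, 3001, 1000),
    DataSeg(0.003, 4001, 1000), DataSeg(0.004, 5001, 1000), DataSeg(0.005, 6001, 1000),
    DataSeg(0.250, 1001, 1000),   # RTO retransmission: the original really was lost
    DataSeg(0.251, 3001, 1000),   # retransmission of a segment that is only delayed
    DataSeg(0.252, 4001, 1000),   # retransmission of a segment the receiver already has
]
RECEIVER_CAPTURE = [
    DataSeg(0.011, 2001, 1000),
    DataSeg(0.013, 4001, 1000),                                # 3001 overtaken: out of order
    DataSeg(0.014, 5001, 1000), DataSeg(0.014, 5001, 1000),    # duplicated on the path
    DataSeg(0.255, 3001, 1000),   # original 3001 arrives after its retransmission left
    DataSeg(0.260, 1001, 1000),   # retransmitted 1001 delivered
    DataSeg(0.262, 3001, 1000),   # retransmitted 3001: receiver now D-SACKs it
    DataSeg(0.263, 4001, 1000),   # retransmitted 4001: receiver D-SACKs it
]

if __name__ == "__main__":
    late = out_of_order_at_receiver(RECEIVER_CAPTURE)
    for rng, code in classify_ranges(SENDER_CAPTURE, RECEIVER_CAPTURE).items():
        flag = " [out of order at receiver]" if rng in late else ""
        print(f"{rng}: {VERDICTS[code]}{flag}")
```

The point of the two-sided view is that a receiver-only capture cannot tell "loss_recovered" from "spurious_reordered": both show the range arriving once, late. Only the sender's timeline, or a D-SACK in the receiver's later ACKs, settles it.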
Debug checklist
Use this workflow:
- Keep the TCP handshake.
- Confirm SACK-permitted in both the SYN and the SYN-ACK (Wireshark filter tcp.options.sack_perm).
- Find the first duplicate ACK (tcp.analysis.duplicate_ack).
- Decode the SACK blocks (tcp.options.sack_le and tcp.options.sack_re).
- Map SACK ranges to data packets.
- Identify retransmitted sequence ranges (tcp.analysis.retransmission, tcp.analysis.spurious_retransmission, tcp.analysis.out_of_order).
- Check for DSACK.
- Separate loss from reordering.
- Check capture point and offload context.
- Preserve before/after packets around the recovery event.
Final diagnosis
TCP SACK and DSACK provide precise evidence for packet loss, reordering, duplicate delivery, and spurious retransmissions. The key is to preserve handshake options, ACK-only packets, SACK blocks, and retransmitted sequence ranges.
PCAP Surgery helps keep that evidence intact so TCP loss analysis can move beyond generic duplicate ACK counts.