Tech tips

TCP Header (TCP Options) # 2.9

Welcome to Blog Post  # 10

You are never too old to set another goal or to dream a new dream.- C.S. Lewis

Last blog post we discussed Ports, Sequence Number, Acknowledgment Number, Flags, Window Size, and Checksum. Now in this, we will discuss TCP Option. And rap this TCP Header in chapter 2.

Key Takeaway :

  • MSS 
  • SACK
  • TimeStamp
  • Window Scale
  • NOP

The options field is used during the connection setup. To negotiate or inform certain parameters and they are used layer to carry information to implement certain information.

1. MSS (Maximum Segment Size)

MSS means the size of each segment. With context to window size, suppose we have a Window Size of 10000 bytes for the receive window. Let’s say MSS is 1000 bytes. Total 10 Segments of 1000 bytes it will send to accommodate receive buffer at the remote end.

In simple terms, Window Size is the total capacity, MSS is the largest chunk of data that TCP will send to the other end. To conclude 10000 bytes is my Window Size, MSS is 1000 bytes largest chunks of data it can send. So a total of 10 numbers of Segments it can send to accommodate 10000 bytes.

MSS is set a value at the TCP level at Transport Layer, during the three-way Handshake they exchange the maximum amount of data they can receive.

Here MSS only refers to the payload, it will not consider the TCP, IP, or frame header. Typically only the data.

1.1 Example : 

1460 Bytes of data.

Notice here, when the receiver advertises its MSS it’s 1412. In some cases, the TCP MSS can be changed y the router as well.

1.1.1 From Sender Side PCAP

1.1.2 Receiver Side PCAP

1.2 Why one it do that?

Might be some cloud in the middle of some tunnel in the middle. That we need to add some overhead to make those tunnels work.

This is another way to adjust the MSS which gives more header space.

It’s not negotiated in any way. When a connection is established, each end has the option of announcing the MSS it expects to receive.


MSS only appears at the TCP SYN Packet. If one end doesn’t receive an MSS Option from another end, a default of 536 bytes is assumed. With header 536 + 20 Bytes IP + 20 Bytes of TCP = 576 Bytes.

In general, the larger MSS the better, until fragmentation occurs. This may not always be true.

2. Selective Acknowledgment (SACK)

As we discussed, there is a cumulative Acknowledgment. Another ACK mechanism in the TCP Options field is Selective ACK to handle multiple dropped packets within a window.

Please go through my previous blog post on Sequence Number and Acknowledge Number. Let’s understand what happens when we do not have a SACK option.

Now we have the SACK option available which is already been in exchange for the capability during the Three-Way Handshake process.

When data transfer starts from client and server, some packets are in flight or you can say in wire not yet acknowledge.

When a segment lost in the network, rather than resending an entire stream of data, after the lost point. What a server can do indicate through TCP SACK.

2.1 If we don’t have SACK, how segment lost addresses. 

In order to understand SACK, we need to understand the TCP Sequence number in detail.

2.2. If we have SACK, how segment lost addresses.

2.2.1. PCAP Sender

2.2.2. PCAP Receiver

Specifically, it informs what sequence number went missing. Once the client receives those ACK from the server its knows exactly which sequence number segments are missing. And need to retransmit that particular packets only.

3. Timestamp

A timestamp is an option under TCP, let’s look at it and understand its functionality.

When TCP sends the very first Segment (the SYN Segment) it doesn’t have any idea of the  Network Round trip time. How long and how far way the host is connected.

Timestamp in option enables TCP to get a better idea of the network endpoint. In this way, it can better use of the network in between.

When a sender sends an SYN Segment within the Timestamp, it set a random value in Time Selective Value, sends it across.

On receipt of this TSval, the receiver put the same value in the Timestamp echo reply.

Now we can find out how much time it took the packet echoed back to me by the receiver.

By the way, TCP will get a good idea of latency between the two endpoints.

This Timestamp derives from the Wireshark. In order to enable Timestamp right-click under protocol preference. Calculate the conversation time stamp. You will get the value of RTT.

3.1 Timestamp PCAP with First Frame and Previous Frame details

Note NOP and Window Scale already discussed in the previous post.

Comment here