Wireshark · Wireshark-users: Re: [Wireshark-users] newbie question about tcp three-way handshaking

Wireshark-users: Re: [Wireshark-users] newbie question about tcp three-way handshaking

From: 温金超 <wenjinchao0418@xxxxxxxxx>

Date: Tue, 22 Jan 2013 14:08:43 +0800

Thanks. and I add comments inline.


On Jan 21, 2013, at 6:41 PM, 温金超 <wenjinchao0418@xxxxxxxxx> wrote:

> Is should be three-way handshaking or not when trying to establishe a new connection?
> but I tcpdump following:
>  
> 19:23:12.688758 IP 10.1.164.64.51350 > 10.13.220.4.80: S 3779651860:3779651860(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>
> 19:23:12.688776 IP 10.13.220.4.80 > 10.1.164.64.51350: S4133937230:4133937230(0) ack 3779651861 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 9>
> 19:23:12.688779 IP 10.13.220.4.80 > 10.1.164.64.51350: S4133937230:4133937230(0) ack 3779651861 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 9>
> 19:23:12.689716 IP 10.1.164.64.51350 > 10.13.220.4.80: . ack 1 win 260
> 
> 10.13.220.4 ack twice for syn. any idea ?

>Are you sniffing on the machine that's sending the two SYN+ACK packets (i.e., >sniffing on 10.13.220.4), on the machine to which they're being sent (i.e., sniffing on >10.1.164.64), or on some other machine (passively sniffing)?


I'm sniffing on machine 10.13.220.4.


>Do the two SYN+ACK packets have the same IP packet ID value?  Perhaps it's >getting retransmitted, either at the link layer or the TCP layer, for some reason.  If it's at the >link layer, they'll probably have the same IP ID value; if it's at the TCP layer, they probably will >have different IP ID values.  For tcpdump, use the -v flag to get the IP ID printed.


Confirm that they have the same IP ID value.

And I sniffing again both on client(10.1.164.64) side  and server(10.13.220.4) side, get followings:


On client(10.1.164.64) side, it's normal three-way handshaking.



and on server side(10.13.220.4)


13:57:39.659310 IP (tos 0x0, ttl 124, id 27852, offset 0, flags [DF], proto: TCP (6), length: 52) 10.1.164.64.59211 > 10.13.220.4.80: S, cksum 0xc08c (correct), 563933632:563933632(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>
13:57:39.659389 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: TCP (6), length: 52) 10.13.220.4.80 > 10.1.164.64.59211: S, cksum 0x8bf2 (correct), 3096740955:3096740955(0) ack 563933633 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 9>
13:57:39.659413 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: TCP (6), length: 52) 10.13.220.4.80 > 10.1.164.64.59211: S, cksum 0x8bf2 (correct), 3096740955:3096740955(0) ack 563933633 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 9>
13:57:39.660220 IP (tos 0x0, ttl 124, id 27853, offset 0, flags [DF], proto: TCP (6), length: 40) 10.1.164.64.59211 > 10.13.220.4.80: ., cksum 0xe292 (correct), 1:1(0) ack 1 win 260

Both SYN+ACK have the same IP id 0.

Why the sniffing result is different between client side and server side?

Follow-Ups:
- Re: [Wireshark-users] newbie question about tcp three-way handshaking
  - From: Jaap Keuter
- Re: [Wireshark-users] newbie question about tcp three-way handshaking
  - From: 温金超

References:
- [Wireshark-users] newbie question about tcp three-way handshaking
  - From: 温金超

Prev by Date: Re: [Wireshark-users] newbie question about tcp three-way handshaking
Next by Date: Re: [Wireshark-users] newbie question about tcp three-way handshaking
Previous by thread: Re: [Wireshark-users] newbie question about tcp three-way handshaking
Next by thread: Re: [Wireshark-users] newbie question about tcp three-way handshaking
Index(es):
- Date
- Thread