Wireshark mailing list archives
Re: newbie question about tcp three-way handshaking
From: Jaap Keuter <jaap.keuter () xs4all nl>
Date: Wed, 23 Jan 2013 06:48:52 +0100
On 01/22/2013 09:40 AM, 温金超 wrote:
2013/1/22 温金超 <wenjinchao0418 () gmail com>

Thanks, and I added comments inline.

On Jan 21, 2013, at 6:41 PM, 温金超 <wenjinchao0418@xxxxxxxxx> wrote:

> Should it be three-way handshaking or not when trying to establish a new connection?
> But I tcpdump the following:
>
> 19:23:12.688758 IP 10.1.164.64.51350 > 10.13.220.4.80: S 3779651860:3779651860(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>
> 19:23:12.688776 IP 10.13.220.4.80 > 10.1.164.64.51350: S 4133937230:4133937230(0) ack 3779651861 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 9>
> 19:23:12.688779 IP 10.13.220.4.80 > 10.1.164.64.51350: S 4133937230:4133937230(0) ack 3779651861 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 9>
> 19:23:12.689716 IP 10.1.164.64.51350 > 10.13.220.4.80: . ack 1 win 260
>
> 10.13.220.4 acks twice for the SYN. Any idea?

> Are you sniffing on the machine that's sending the two SYN+ACK packets (i.e.,
> sniffing on 10.13.220.4), on the machine to which they're being sent (i.e., sniffing on
> 10.1.164.64), or on some other machine (passively sniffing)?

I'm sniffing on machine 10.13.220.4.

> Do the two SYN+ACK packets have the same IP packet ID value? Perhaps it's
> getting retransmitted, either at the link layer or the TCP layer, for some reason. If it's at the
> link layer, they'll probably have the same IP ID value; if it's at the TCP layer, they probably will
> have different IP ID values. For tcpdump, use the -v flag to get the IP ID printed.

Confirm that they have the same IP ID value.
And I sniffed again on both the client (10.1.164.64) side and the server (10.13.220.4) side, and got the following:

On the client (10.1.164.64) side, it's a normal three-way handshake.

And on the server side (10.13.220.4):

13:57:39.659310 IP (tos 0x0, ttl 124, id 27852, offset 0, flags [DF], proto: TCP (6), length: 52)
    10.1.164.64.59211 > 10.13.220.4.80: S, cksum 0xc08c (correct), 563933632:563933632(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>
13:57:39.659389 IP (tos 0x0, ttl 64, *id 0*, offset 0, flags [DF], proto: TCP (6), length: 52)
    10.13.220.4.80 > 10.1.164.64.59211: S, cksum 0x8bf2 (correct), 3096740955:3096740955(0) ack 563933633 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 9>
13:57:39.659413 IP (tos 0x0, ttl 64, *id 0*, offset 0, flags [DF], proto: TCP (6), length: 52)
    10.13.220.4.80 > 10.1.164.64.59211: S, cksum 0x8bf2 (correct), 3096740955:3096740955(0) ack 563933633 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 9>
13:57:39.660220 IP (tos 0x0, ttl 124, id 27853, offset 0, flags [DF], proto: TCP (6), length: 40)
    10.1.164.64.59211 > 10.13.220.4.80: ., cksum 0xe292 (correct), 1:1(0) ack 1 win 260

Both SYN+ACKs have the same IP ID 0.
Why is the sniffing result different between the client side and the server side?

Hi,

It would be interesting to know what kind of network interface is installed on the server 10.13.220.4. Is there some kind of bonding interface? On what interface is this server capture taken?

Thanks,
Jaap

Hi Jaap,

The server 10.13.220.4 has 2 physical network interfaces, eth0 and eth1, which have the same IP: 10.13.220.4. And eth1 has been configured with several virtual IPs.
And my tcpdump command:

tcpdump -i any -nn -vvv -v -s 0 tcp and host 10.13.220.4 and port 80

Thanks,
jinchao
Hi,

Well, then obviously you are capturing *below* the bonded interface. Therefore the *outgoing* frames are seen twice, one for each physical interface, and the *incoming* frames once, because they come from a switch, which uses a single port to send the frame[*].

You can't really fall back to capturing a single physical interface (eth0, eth1) because you do not know where the switch will send the returned frames.

To get rid of the duplicates you can either:
1) capture on the bonding interface (bond0 or whatever name it takes)
2) use editcap -d to remove the duplicates from the capture file afterwards.

[*] unless flooding, multicast, MAC table miss.

Thanks,
Jaap
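Added example, not part of the thread and not Wireshark code: the server-side capture above run through a small duplicate check in Python, so that a frame recorded twice by the capture is not mistaken for a retransmitted SYN+ACK. The field-based fingerprint, the 4-frame look-back window and the 1 ms gap limit are assumptions of this example; editcap -d works on the frame bytes in the capture file instead.

```python
import re
from collections import deque

# The four server-side frames from the thread, each tcpdump -v record joined
# onto one line and with the poster's *...* emphasis around "id 0" removed.
CAPTURE = [
    "13:57:39.659310 IP (tos 0x0, ttl 124, id 27852, offset 0, flags [DF], proto: TCP (6), length: 52) 10.1.164.64.59211 > 10.13.220.4.80: S, cksum 0xc08c (correct), 563933632:563933632(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>",
    "13:57:39.659389 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 52) 10.13.220.4.80 > 10.1.164.64.59211: S, cksum 0x8bf2 (correct), 3096740955:3096740955(0) ack 563933633 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 9>",
    "13:57:39.659413 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 52) 10.13.220.4.80 > 10.1.164.64.59211: S, cksum 0x8bf2 (correct), 3096740955:3096740955(0) ack 563933633 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 9>",
    "13:57:39.660220 IP (tos 0x0, ttl 124, id 27853, offset 0, flags [DF], proto: TCP (6), length: 40) 10.1.164.64.59211 > 10.13.220.4.80: ., cksum 0xe292 (correct), 1:1(0) ack 1 win 260",
]

LINE = re.compile(
    r"^(\d+):(\d+):(\d+)\.(\d{6}) IP \((.*?)\) (\S+) > (\S+): (.*)$")

def parse(line):
    """Return (timestamp in microseconds, fingerprint) for one record."""
    m = LINE.match(line)
    if m is None:
        raise ValueError("not a tcpdump -v IPv4 record: %r" % line[:40])
    h, mi, s, us, ip_hdr, src, dst, tcp = m.groups()
    ts_us = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1_000_000 + int(us)
    # Everything except the capture timestamp: IP header fields (ttl, id,
    # length), endpoints, and the TCP summary (flags, cksum, seq/ack, options).
    return ts_us, (ip_hdr, src, dst, tcp)

def find_duplicates(lines, window=4, max_gap_us=1000):
    """Return (first_index, duplicate_index, gap_us) for repeated frames."""
    recent = deque(maxlen=window)          # only look back a few frames
    dups = []
    for idx, line in enumerate(lines):
        ts, fp = parse(line)
        for prev_idx, prev_ts, prev_fp in recent:
            if prev_fp == fp and ts - prev_ts <= max_gap_us:
                dups.append((prev_idx, idx, ts - prev_ts))
                break
        recent.append((idx, ts, fp))
    return dups

def dedupe(lines, **kwargs):
    """Drop the later copy of every duplicate pair, keeping frame order."""
    drop = {dup for _, dup, _ in find_duplicates(lines, **kwargs)}
    return [l for i, l in enumerate(lines) if i not in drop]

if __name__ == "__main__":
    for first, dup, gap in find_duplicates(CAPTURE):
        print("frame %d repeats frame %d after %d us" % (dup, first, gap))
```

The two SYN+ACK records match in every header field and sit 24 microseconds apart, which is what a frame seen twice by the capture looks like; the client-side capture showing a single SYN+ACK confirms it.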