Wireshark mailing list archives

Re: newbie question about tcp three-way handshaking


From: Guy Harris <guy () alum mit edu>
Date: Mon, 21 Jan 2013 19:05:30 -0800


On Jan 21, 2013, at 6:41 PM, 温金超 <wenjinchao0418 () gmail com> wrote:

Should it be three-way handshaking or not when trying to establish a new connection?
But I got the following from tcpdump:
 
19:23:12.688758 IP 10.1.164.64.51350 > 10.13.220.4.80: S 3779651860:3779651860(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>
19:23:12.688776 IP 10.13.220.4.80 > 10.1.164.64.51350: S4133937230:4133937230(0) ack 3779651861 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 9>
19:23:12.688779 IP 10.13.220.4.80 > 10.1.164.64.51350: S4133937230:4133937230(0) ack 3779651861 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 9>
19:23:12.689716 IP 10.1.164.64.51350 > 10.13.220.4.80: . ack 1 win 260

10.13.220.4 acks twice for the SYN. Any idea?

Are you sniffing on the machine that's sending the two SYN+ACK packets (i.e., sniffing on 10.13.220.4), on the machine 
to which they're being sent (i.e., sniffing on 10.1.164.64), or on some other machine (passively sniffing)?

Do the two SYN+ACK packets have the same IP packet ID value?  Perhaps it's getting retransmitted, either at the link 
layer or the TCP layer, for some reason.  If it's at the link layer, they'll probably have the same IP ID value; if 
it's at the TCP layer, they probably will have different IP ID values.  For tcpdump, use the -v flag to get the IP ID 
printed.
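
The IP ID comparison suggested in the reply above can be scripted over `tcpdump -v` text output. This is an added example, not part of the original thread; it assumes the two-line `-v` layout of current tcpdump releases, the function name `classify_duplicates` is hypothetical, and the sample capture (including its IP ID and checksum values) is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in current `tcpdump -v` text layout; IP IDs and checksums are invented.
SAMPLE = """\
19:23:12.688758 IP (tos 0x0, ttl 118, id 2871, offset 0, flags [DF], proto TCP (6), length 52)
    10.1.164.64.51350 > 10.13.220.4.80: Flags [S], cksum 0x1a2b (correct), seq 3779651860, win 8192, options [mss 1260,nop,wscale 8,nop,nop,sackOK], length 0
19:23:12.688776 IP (tos 0x0, ttl 64, id 41120, offset 0, flags [DF], proto TCP (6), length 52)
    10.13.220.4.80 > 10.1.164.64.51350: Flags [S.], cksum 0x3c4d (correct), seq 4133937230, ack 3779651861, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
19:23:12.688779 IP (tos 0x0, ttl 64, id 41120, offset 0, flags [DF], proto TCP (6), length 52)
    10.13.220.4.80 > 10.1.164.64.51350: Flags [S.], cksum 0x3c4d (correct), seq 4133937230, ack 3779651861, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
19:23:12.689716 IP (tos 0x0, ttl 118, id 2872, offset 0, flags [DF], proto TCP (6), length 40)
    10.1.164.64.51350 > 10.13.220.4.80: Flags [.], cksum 0x5e6f (correct), ack 1, win 260, length 0
"""

# First line of each packet: timestamp and IP ID from the IP header summary.
HDR = re.compile(r"^(\S+) IP \(.*?\bid (\d+),")
# Indented second line: endpoints, TCP flags and (absolute) sequence number.
SEG = re.compile(r"^\s+(\S+) > (\S+): Flags \[([^\]]+)\].*?\bseq (\d+)")

def classify_duplicates(text):
    """Group segments by (src, dst, flags, seq); for each group seen more
    than once, report whether the copies share one IP ID or not."""
    groups = defaultdict(list)  # (src, dst, flags, seq) -> [(timestamp, ip_id), ...]
    pending = None
    for line in text.splitlines():
        hdr = HDR.match(line)
        if hdr:
            pending = (hdr.group(1), int(hdr.group(2)))
            continue
        seg = SEG.match(line)
        if seg and pending:  # bare ACKs print no "seq" field and are skipped
            groups[seg.groups()].append(pending)
        pending = None
    report = {}
    for key, seen in groups.items():
        if len(seen) > 1:
            same = len({ip_id for _, ip_id in seen}) == 1
            report[key] = ("same IP ID: probably a link-layer duplicate" if same
                           else "different IP IDs: probably a TCP-layer retransmission")
    return report

if __name__ == "__main__":
    for (src, dst, flags, seq), verdict in classify_duplicates(SAMPLE).items():
        print(f"{src} > {dst} [{flags}] seq {seq}: {verdict}")
```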