Wireshark mailing list archives

Re: newbie question about tcp three-way handshaking

From: 温金超 <wenjinchao0418 () gmail com>
Date: Tue, 22 Jan 2013 14:08:43 +0800

Thanks. and I add comments inline.


On Jan 21, 2013, at 6:41 PM, 温金超 <wenjinchao0418@xxxxxxxxx> wrote:

Is should be three-way handshaking or not when trying to establishe a new connection?
but I tcpdump following:

19:23:12.688758 IP 10.1.164.64.51350 > 10.13.220.4.80: S 3779651860:3779651860(0) win 8192 <mss 1260,nop,wscale 
8,nop,nop,sackOK>
19:23:12.688776 IP 10.13.220.4.80 > 10.1.164.64.51350: S4133937230:4133937230(0) ack 3779651861 win 5840 <mss 
1460,nop,nop,sackOK,nop,wscale 9>
19:23:12.688779 IP 10.13.220.4.80 > 10.1.164.64.51350: S4133937230:4133937230(0) ack 3779651861 win 5840 <mss 
1460,nop,nop,sackOK,nop,wscale 9>
19:23:12.689716 IP 10.1.164.64.51350 > 10.13.220.4.80: . ack 1 win 260

10.13.220.4 ack twice for syn. any idea ?
Are you sniffing on the machine that's sending the two SYN+ACK packets (i.e., >sniffing on 10.13.220.4), on the 
machine to which they're being sent (i.e., sniffing on >10.1.164.64), or on some other machine (passively sniffing)?



I'm sniffing on machine 10.13.220.4.

Do the two SYN+ACK packets have the same IP packet ID value?  Perhaps it's >getting retransmitted, either at the link 
layer or the TCP layer, for some reason.  If it's at the >link layer, they'll probably have the same IP ID value; if 
it's at the TCP layer, they probably will >have different IP ID values.  For tcpdump, use the -v flag to get the IP ID 
printed.




Confirm that they have the same IP ID value.


And I sniffing again both on client(10.1.164.64) side  and
server(10.13.220.4) side, get followings:


On client(10.1.164.64) side, it's normal three-way handshaking.


and on server side(10.13.220.4)


13:57:39.659310 IP (tos 0x0, ttl 124, id 27852, offset 0, flags [DF],
proto: TCP (6), length: 52) 10.1.164.64.59211 > 10.13.220.4.80: S, cksum
0xc08c (correct), 563933632:563933632(0) win 8192 <mss 1260,nop,wscale
8,nop,nop,sackOK> 13:57:39.659389 IP (tos 0x0, ttl 64,* id 0*, offset 0,
flags [DF], proto: TCP (6), length: 52) 10.13.220.4.80 > 10.1.164.64.59211:
S, cksum 0x8bf2 (correct), 3096740955:3096740955(0) ack 563933633 win 5840
<mss 1460,nop,nop,sackOK,nop,wscale 9> 13:57:39.659413 IP (tos 0x0, ttl 64,
*id 0*, offset 0, flags [DF], proto: TCP (6), length: 52) 10.13.220.4.80 >
10.1.164.64.59211: S, cksum 0x8bf2 (correct), 3096740955:3096740955(0) ack
563933633 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 9>

13:57:39.660220 IP (tos 0x0, ttl 124, id 27853, offset 0, flags [DF],
proto: TCP (6), length: 40) 10.1.164.64.59211 > 10.13.220.4.80: .,
cksum 0xe292 (correct), 1:1(0) ack 1 win 260


Both SYN+ACK have the same IP id 0.
Why the sniffing result is different between client side and server side?

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

Current thread:

newbie question about tcp three-way handshaking 温金超 (Jan 21)
- Re: newbie question about tcp three-way handshaking Guy Harris (Jan 21)
- Re: newbie question about tcp three-way handshaking Shain Singh (Jan 21)
- Re: newbie question about tcp three-way handshaking 温金超 (Jan 21)
  - Re: newbie question about tcp three-way handshaking Jaap Keuter (Jan 21)
  - Re: newbie question about tcp three-way handshaking 温金超 (Jan 22)
    - Re: newbie question about tcp three-way handshaking Jaap Keuter (Jan 22)
    - Re: newbie question about tcp three-way handshaking 温金超 (Jan 22)