Wireshark mailing list archives
Re: Multiple syn's , syn/ack and ack received for single connection?
From: Hugo van der Kooij <hugo.van.der.kooij () qi nl>
Date: Thu, 6 Aug 2015 08:11:59 +0000
This is where streams come into play. For investigating web traffic I strongly recommend you learn how to utilize the streams information in Wireshark.

I created a Wireshark profile I use for Blue Coat packet captures. You are welcome to fetch it (and the others) from http://hugo.vanderkooij.org/technical/wireshark-profiles

The document is in Dutch but the templates and screenshot should help you a bit.

From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On behalf of asad
Sent: Tuesday 4 August 2015 17:14
To: wireshark-users () wireshark org
Subject: [Wireshark-users] Multiple syn's , syn/ack and ack received for single connection?

I have a scenario: I'm analyzing SSL (decrypt) traffic to my webserver. I'm investigating server and end-to-end delay issues. In between this I'm stuck at the following traffic pattern, for which I need some advice/suggestions.

The pattern shows:

client server
src port 1 -> 80 (syn)
src port 2 -> 80 (syn)
src port 3 -> 80 (syn)
src port 4 -> 80 (syn)
.....

server client
src port 80 -> 1 (syn/ack)
src port 80 -> 2 (syn/ack)

client server
src port 1 -> 80 (ack)
src port 2 -> 80 (ack)

After completion of the handshake I see "http get request" from the client.

My issues are:

1. Why are multiple SYNs sent from the client to the server from different source ports?
2. Why does the server choose to reply on NOT all ports? Mainly the syn/ack is received by the first 3 ports.
3. Multiple acks to different ports?

A sample SYN request, just for analysis, looks like:

"694 47.583499000 192.168.1.56 192.168.1.22 TCP 66 0.000173000 50844→80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1"

Please help me understand this behavior.

With kind regards,
Hugo van der Kooij
support engineer
T: +31 15 888 0 345
F: +31 15 888 0 445
E: hugo.van.der.kooij () qi nl
I: www.qi.nl
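
The reply above recommends working per stream. As an added example (not part of the original messages), this sketch groups packet-list lines by client/server 4-tuple and reports how far each connection's handshake got. The sample lines are constructed in the column layout of the SYN line quoted in the post, and the function names are hypothetical.

```python
import re

# Constructed sample: 4 SYNs, 2 SYN/ACKs, 2 ACKs, as in the pattern posted.
# Columns: No., Time, Source, Destination, Protocol, Length, delta, Info.
SAMPLE = """\
694 47.583499000 192.168.1.56 192.168.1.22 TCP 66 0.000173000 50844→80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460
695 47.583610000 192.168.1.56 192.168.1.22 TCP 66 0.000111000 50845→80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460
696 47.583702000 192.168.1.56 192.168.1.22 TCP 66 0.000092000 50846→80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460
697 47.583790000 192.168.1.56 192.168.1.22 TCP 66 0.000088000 50847→80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460
698 47.584010000 192.168.1.22 192.168.1.56 TCP 66 0.000220000 80→50844 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0
699 47.584120000 192.168.1.22 192.168.1.56 TCP 66 0.000110000 80→50845 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0
700 47.584200000 192.168.1.56 192.168.1.22 TCP 54 0.000080000 50844→80 [ACK] Seq=1 Ack=1 Win=65700 Len=0
701 47.584290000 192.168.1.56 192.168.1.22 TCP 54 0.000090000 50845→80 [ACK] Seq=1 Ack=1 Win=65700 Len=0
"""

LINE = re.compile(
    r"^\d+\s+\S+\s+(\S+)\s+(\S+)\s+TCP\s+\d+\s+\S+\s+(\d+)→(\d+)\s+\[([^\]]+)\]"
)

def classify(steps):
    """Map the handshake steps seen on one stream to a state label."""
    if "ACK" in steps:
        return "established"
    if "SYN/ACK" in steps:
        return "half-open"
    return "syn-unanswered"

def handshake_states(text):
    """Return {(client_ip, client_port, server_ip, server_port): state}."""
    streams = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a TCP summary line in the expected layout
        src, dst, sport, dport, flags = m.groups()
        flags = {f.strip() for f in flags.split(",")}
        sport, dport = int(sport), int(dport)
        if flags == {"SYN"}:            # a new client source port = a new stream
            streams.setdefault((src, sport, dst, dport), set()).add("SYN")
        elif flags == {"SYN", "ACK"}:   # server reply: reverse the tuple
            if (dst, dport, src, sport) in streams:
                streams[(dst, dport, src, sport)].add("SYN/ACK")
        elif flags == {"ACK"}:          # counts only after a SYN/ACK on this stream
            if "SYN/ACK" in streams.get((src, sport, dst, dport), ()):
                streams[(src, sport, dst, dport)].add("ACK")
    return {key: classify(steps) for key, steps in streams.items()}

if __name__ == "__main__":
    for key, state in handshake_states(SAMPLE).items():
        print(key, state)
```

In Wireshark itself the same grouping is the `tcp.stream` index, so filtering on one `tcp.stream` value shows one of these connections at a time.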