Wireshark: Tracking the [SYN] [SYN-ACK] Handshake

Saksham

Disclaimer: Won't dig into the 5 layers of the TCP/IP model, but will visually track the information exchange between a server hosted on loopback and a curl request made to that server.

Read more about the handshake here.

TCP handshake

TCP (Transmission Control Protocol) uses a three-way handshake (aka TCP handshake, three-message handshake, and/or SYN-SYN-ACK) to set up a TCP/IP connection over an IP-based network.

Look at the sample traffic (screenshot below).

This is how it appears in the default profile.

Server: I have a Docker image running and returning responses.

> docker run --env HTTP_PORT=8181 -i -t --rm -p 8181:8181 samarthya/spinnaker:v1.0
2022/02/03 07:34:40  initializing the application FN:init 

   ____    __
  / __/___/ /  ___
 / _// __/ _ \/ _ \
/___/\__/_//_/\___/ v4.6.3
High performance, minimalist Go web framework
https://echo.labstack.com
____________________________________O/_______
                                    O\
⇨ http server started on [::]:8181
{"time":"2022-02-03T07:37:29.4829763Z","id":"","remote_ip":"172.17.0.1","host":"localhost:8181","method":"GET","uri":"/","user_agent":"curl/7.77.0","status":200,"error":"","latency":21200,"latency_human":"21.2µs","bytes_in":0,"bytes_out":17}
{"time":"2022-02-03T07:37:30.7684587Z","id":"","remote_ip":"172.17.0.1","host":"localhost:8181","method":"GET","uri":"/ping","user_agent":"curl/7.77.0","status":200,"error":"","latency":198400,"latency_human":"198.4µs","bytes_in":0,"bytes_out":16}
{"time":"2022-02-03T07:43:55.5147719Z","id":"","remote_ip":"172.17.0.1","host":"localhost:8181","method":"GET","uri":"/","user_agent":"curl/7.77.0","status":200,"error":"","latency":97900,"latency_human":"97.9µs","bytes_in":0,"bytes_out":17}
{"time":"2022-02-03T07:43:59.2803389Z","id":"","remote_ip":"172.17.0.1","host":"localhost:8181","method":"GET","uri":"/ping","user_agent":"curl/7.77.0","status":200,"error":"","latency":74300,"latency_human":"74.3µs","bytes_in":0,"bytes_out":16}

Fired off a few quick requests while Wireshark was capturing the traffic on loopback (the trace is available above for download).

% curl http://localhost:8181/
Hello, Docker! <3%
% curl http://localhost:8181/ping
{"Status":"OK"}

Let’s track the information exchange in Wireshark.

Click the first LINE in the view.

The important concept we will use to track the conversation is the Sequence Number. For example, the captured traffic starts at sequence number 285059489.

58471 -> 8181

If you look at the flags you can see that all flags except SYN are false (off). Essentially this is the first packet from the client to the server: the options are expressed, the initial sequence number is published, and the client marks itself as ready to request information.

Since it is the first packet from the client, you can verify the acknowledgment number as shown below.

There is no acknowledgment number from the server yet, and hence ACK is not set in the flags.

In contrast, the first response from the server has a different flag value.

Look at SYN and ACK, which are now both set.

Look at the acknowledgement number 285059490: it is the sequence number received from the client plus 1. The client sets the starting number to let the server know how the exchange is going to be tracked, and the server acknowledges it by adding 1 in its response (for the handshake).

It also publishes its own sequence number, 225898208, for the client to use and track.

Looking at the next packet:

Look at how the server's sequence number is incremented and sent back in the third packet.

Simplified Sequences

Point to remember

Only the first packet does not have the ACK bit set; every other packet in the conversation will have this bit set.
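The three packets walked through above, and the point to remember about the ACK bit, can be turned into a check. The following is an added example, not code from the original post: a small Python validator that takes the flags, ports and raw sequence/acknowledgement numbers of three captured segments (the `Segment` class and `check_handshake` function are my own names) and reports whether they form a proper SYN / SYN-ACK / ACK exchange, using the values from the trace above as constructed input. It also handles the 32-bit wraparound of sequence numbers, which the trace does not show.

```python
# Added example (not from the original post): check that three captured TCP
# segments form a valid SYN / SYN-ACK / ACK handshake using raw seq/ack numbers.
from dataclasses import dataclass

MOD32 = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass(frozen=True)
class Segment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    syn: bool
    ack_flag: bool


def check_handshake(p1: Segment, p2: Segment, p3: Segment) -> list:
    """Return the problems found; an empty list means a valid three-way handshake."""
    problems = []
    # Packet 1: client -> server, SYN set, ACK clear (nothing to acknowledge yet).
    if not (p1.syn and not p1.ack_flag):
        problems.append("packet 1 must have SYN set and ACK clear")
    # Packet 2: server -> client on the reversed port pair, SYN+ACK,
    # acknowledging the client's initial sequence number plus one.
    if not (p2.syn and p2.ack_flag):
        problems.append("packet 2 must have both SYN and ACK set")
    if (p2.src_port, p2.dst_port) != (p1.dst_port, p1.src_port):
        problems.append("packet 2 must flow back on the reversed port pair")
    if p2.ack != (p1.seq + 1) % MOD32:
        problems.append(f"packet 2 ack {p2.ack} != client seq + 1")
    # Packet 3: client -> server, ACK only; its own seq has advanced by one
    # and it acknowledges the server's initial sequence number plus one.
    if not (p3.ack_flag and not p3.syn):
        problems.append("packet 3 must have ACK set and SYN clear")
    if p3.seq != (p1.seq + 1) % MOD32:
        problems.append(f"packet 3 seq {p3.seq} != client seq + 1")
    if p3.ack != (p2.seq + 1) % MOD32:
        problems.append(f"packet 3 ack {p3.ack} != server seq + 1")
    return problems


# Constructed from the values in the trace: client port 58471 -> server port 8181,
# client ISN 285059489, server ISN 225898208.
HANDSHAKE = (
    Segment(58471, 8181, 285059489, 0, syn=True, ack_flag=False),
    Segment(8181, 58471, 225898208, 285059490, syn=True, ack_flag=True),
    Segment(58471, 8181, 285059490, 225898209, syn=False, ack_flag=True),
)

if __name__ == "__main__":
    print(check_handshake(*HANDSHAKE) or "valid three-way handshake")
```

A non-empty result on real captures points at a half-open or spoofed exchange (for instance a SYN with no matching ACK), which is the kind of condition a SYN-flood or scan detector looks for.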