{"id":2000,"date":"2022-02-03T13:15:03","date_gmt":"2022-02-03T13:15:03","guid":{"rendered":"https:\/\/blog.samarthya.me\/wps\/?p=2000"},"modified":"2022-02-03T13:15:06","modified_gmt":"2022-02-03T13:15:06","slug":"wireshark-tracking-the-syn-syn-ack-handshake","status":"publish","type":"post","link":"https:\/\/blog.samarthya.me\/wps\/2022\/02\/03\/wireshark-tracking-the-syn-syn-ack-handshake\/","title":{"rendered":"Wireshark: Tracking the [SYN] [SYN-ACK] Handshake"},"content":{"rendered":"\n

Disclaimer<\/strong>: Wont dig into the 5 layers of the TCP\/IP model, but will visually track the information exchange between a server hosted on loopback<\/code> and a curl<\/code> request made to the server.<\/p>\n\n\n\n

Read more about handshake here<\/a>.<\/p>TCP handshape<\/cite><\/blockquote>\n\n\n\n

TCP (Transmission Control Protocol)<\/a> uses a\u00a0three-way handshake<\/strong> (aka\u00a0TCP-handshake,\u00a0three message handshake, and\/or SYN-SYN-ACK) to set up a TCP\/IP connection over an IP based network<\/strong>.<\/p>\n\n\n\n

Download PCAP file from here<\/a>Download<\/a><\/div>\n\n\n\n

Look at the sample traffic (screenshot below)<\/p>\n\n\n\n

\"\"
As it shows in the default profile<\/figcaption><\/figure>\n\n\n\n

Server<\/code>: I have a docker image hosted and returning response<\/p>\n\n\n\n

> docker run --env HTTP_PORT=8181 -i -t --rm -p 8181:8181 samarthya\/spinnaker:v1.0\n2022\/02\/03 07:34:40  initializing the application FN:init \n\n   ____    __\n  \/ __\/___\/ \/  ___\n \/ _\/\/ __\/ _ \\\/ _ \\\n\/___\/\\__\/_\/\/_\/\\___\/ v4.6.3\nHigh performance, minimalist Go web framework\nhttps://echo.labstack.com\n____________________________________O\/_______\n                                    O\\\n\u21e8 http server started on [::]:8181\n{\"time\":\"2022-02-03T07:37:29.4829763Z\",\"id\":\"\",\"remote_ip\":\"172.17.0.1\",\"host\":\"localhost:8181\",\"method\":\"GET\",\"uri\":\"\/\",\"user_agent\":\"curl\/7.77.0\",\"status\":200,\"error\":\"\",\"latency\":21200,\"latency_human\":\"21.2\u00b5s\",\"bytes_in\":0,\"bytes_out\":17}\n{\"time\":\"2022-02-03T07:37:30.7684587Z\",\"id\":\"\",\"remote_ip\":\"172.17.0.1\",\"host\":\"localhost:8181\",\"method\":\"GET\",\"uri\":\"\/ping\",\"user_agent\":\"curl\/7.77.0\",\"status\":200,\"error\":\"\",\"latency\":198400,\"latency_human\":\"198.4\u00b5s\",\"bytes_in\":0,\"bytes_out\":16}\n{\"time\":\"2022-02-03T07:43:55.5147719Z\",\"id\":\"\",\"remote_ip\":\"172.17.0.1\",\"host\":\"localhost:8181\",\"method\":\"GET\",\"uri\":\"\/\",\"user_agent\":\"curl\/7.77.0\",\"status\":200,\"error\":\"\",\"latency\":97900,\"latency_human\":\"97.9\u00b5s\",\"bytes_in\":0,\"bytes_out\":17}\n{\"time\":\"2022-02-03T07:43:59.2803389Z\",\"id\":\"\",\"remote_ip\":\"172.17.0.1\",\"host\":\"localhost:8181\",\"method\":\"GET\",\"uri\":\"\/ping\",\"user_agent\":\"curl\/7.77.0\",\"status\":200,\"error\":\"\",\"latency\":74300,\"latency_human\":\"74.3\u00b5s\",\"bytes_in\":0,\"bytes_out\":16}\n<\/code><\/pre>\n\n\n\n
Fired in a few quick requests while the Wireshark<\/code> is capturing the traffic on loopback (the trace is available above for download)<\/p>\n\n\n\n
% curl http:\/\/localhost:8181\/    \nHello, Docker! <3%                                                                                                                                                                                                                             % curl http:\/\/localhost:8181\/ping\n{\"Status\":\"OK\"}\n<\/code><\/pre>\n\n\n\n
Let’s track the information exchange in Wireshark.<\/p>\n\n\n\n
Click the first LINE<\/code> in the view<\/h2>\n\n\n\n
Important concepts we will look at is Sequence Number to track further. For example the traffic captured starts at 285059489<\/code><\/p>\n\n\n\n
\"\"
58471 -> 8181<\/figcaption><\/figure>\n\n\n\n
If you look at the flags you can see except SYN all other flags are false (off), essentially this is the first feed from the client to the server, where the options are expressed sequence number published and marking system is read to request for information.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Since it is the first packet from the client, you can verify the acknowledgment number as under<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
There is no acknowledgment number from Server, yet and hence Ack<\/code> not set in the Flags<\/code>.<\/p>\n\n\n\n
In contrast the first response from Server has a different flag value<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Look at the SYN and ACK which is now set.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Look at acknowledgement number 285059490<\/code> it is +1 of the seq number received from client. So client sets of the number to let the server know this is how we are going to track the information and the server acknowledges by adding + 1 for response (for the Handshake)<\/p>\n\n\n\n
It also publishes its sequence number 225898208<\/code> for the client to use and track.<\/p>\n\n\n\n
Looking at the next packet<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Look at how the sequence number is added and sent back in the 3’rd packet.<\/p>\n\n\n\n
\"\"
Simplified Sequences<\/figcaption><\/figure><\/div>\n\n\n\n
Point to remember<\/h2>\n\n\n\n
Only the first packet does not have the ACK<\/code> bit set, rest all of the other packets in the conversation will have this bit set.<\/p>\n","protected":false},"excerpt":{"rendered":"
Disclaimer: Wont dig into the 5 layers of the TCP\/IP model, but will visually track the information exchange between a server hosted on loopback and a curl request made to the server. Read more about handshake here. TCP handshape TCP (Transmission Control Protocol) uses a\u00a0three-way handshake (aka\u00a0TCP-handshake,\u00a0three message handshake, and\/or SYN-SYN-ACK) to set up a […]<\/p>\n","protected":false},"author":1,"featured_media":2012,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"image","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":""},"categories":[34],"tags":[],"class_list":["post-2000","post","type-post","status-publish","format-image","has-post-thumbnail","hentry","category-technical","post_format-post-format-image"],"_links":{"self":[{"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/posts\/2000","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/comments?post=2000"}],"version-history":[{"count":0,"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/posts\/2000\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/media\/2012"}],"wp:attachment":[{"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/media?parent=2000"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/categories?post=2000"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/tags?post=2000"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}