Transmission Control Protocol (TCP) is the main transport-layer protocol of the OSI and TCP/IP models. TCP has several advantages:
- TCP re-transmits any sent data that is not acknowledged by the receiver within a certain time.
- TCP establishes a connection before sending data. This connection setup is called the 3-way handshake.
- TCP has a congestion control mechanism.
- TCP can detect errors in received segments.
This tutorial focuses on the TCP 3-way handshake and on the important fields Wireshark shows for it.
3-Way Handshake
Three frames are exchanged in a 3-way handshake. The first frame is always sent by the client to the server. Let us understand this from a simple diagram:
CLIENT                                                                       SERVER
Frame1: Client sends SYN frame to server---------------------------------------->
<--------------------------------------Server sends SYN+ACK frame to client: Frame2
Frame3: Client sends ACK frame to server---------------------------------------->
We can see these three frames in Wireshark. The “tcp” display filter shows all TCP frames. The following screenshot shows the three frames:
Let us now look at all three frames in detail:
SYN
This frame carries information about the client’s capabilities, to inform the server. The following screenshot shows the important fields of the SYN frame:
Here are the important fields of the SYN frame:
Destination Port: 80
Sequence Number: 0
Acknowledgment Number: 0
Header Length: 32 bytes (8)
Flags: 0x002 (SYN)
  Acknowledgment: Not set
  Push: Not set
  Reset: Not set
  Syn: Set (this bit is set because this is a SYN frame)
  Fin: Not set
Window: 65535
Urgent Pointer: 0
TCP Option - Maximum segment size: 1460 bytes
TCP Option - Window scale: 3 (multiply by 8)
TCP Option - SACK permitted
SYN+ACK
This frame carries information about the server’s capabilities, to inform the client. It also acknowledges the SYN frame sent by the client. The following screenshot shows the important fields of the SYN+ACK frame:
Here are the important fields of the SYN+ACK frame:
Destination Port: 50602
Sequence Number: 0
Acknowledgment Number: 1
Header Length: 32 bytes (8)
Flags: 0x012 (SYN, ACK)
  Acknowledgment: Set
  Push: Not set
  Reset: Not set
  Syn: Set
  Fin: Not set
Window: 29200
Urgent Pointer: 0
TCP Option - Maximum segment size: 1412 bytes
TCP Option - SACK permitted
TCP Option - Window scale: 7 (multiply by 128)
We can see that both the “Acknowledgment” and “SYN” bits are set in this frame, because it is a SYN+ACK.
ACK
This frame is the last frame of the 3-way handshake; it is the client’s acknowledgement of the SYN+ACK. The following screenshot shows the important fields of the ACK frame:
Here are the important fields of the ACK frame:
Destination Port: 80
Sequence Number: 1
Acknowledgment Number: 1
Header Length: 20 bytes (5)
Flags: 0x010 (ACK)
  Urgent: Not set
  Acknowledgment: Set
  Push: Not set
  Reset: Not set
  Syn: Not set
  Fin: Not set
Window: 32768
Here, only the “Acknowledgment” bit is set because this is an ACK frame.
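The sequence and acknowledgment numbers in the three frames above follow one rule: a SYN consumes one sequence number, so each side acknowledges the other side’s initial sequence number (ISN) plus one, and Wireshark displays both ISNs as 0 (relative sequence numbers). The following Python script is an added example, not part of the original tutorial: it takes the raw numbers of a constructed handshake (hypothetical 192.0.2.x addresses and arbitrary ISNs), converts them to the relative values Wireshark shows, and checks that the exchange is a valid SYN / SYN+ACK / ACK. A capture analyst or detection rule can use the same checks to tell a completed connection from a half-open or spoofed one.

```python
from dataclasses import dataclass

SYN, ACK = 0x002, 0x010          # flag bit values as Wireshark shows them
MASK32 = 0xFFFFFFFF              # sequence numbers wrap modulo 2**32


@dataclass
class Segment:
    src: str        # "ip:port" of the sender (constructed labels, not real hosts)
    dst: str
    flags: int
    seq: int        # raw 32-bit sequence number from the wire
    ack: int        # raw 32-bit acknowledgment number (meaningful only if ACK is set)


def validate_handshake(frames):
    """Return a list of problems found; an empty list means a clean SYN / SYN+ACK / ACK."""
    if len(frames) != 3:
        return ["expected exactly three segments"]
    syn, synack, ack = frames
    client, server = syn.src, syn.dst
    problems = []
    if syn.flags != SYN:
        problems.append("frame 1 must carry only the SYN flag")
    if synack.flags != SYN | ACK:
        problems.append("frame 2 must carry SYN and ACK")
    if ack.flags != ACK:
        problems.append("frame 3 must carry only the ACK flag")
    if (synack.src, synack.dst) != (server, client):
        problems.append("frame 2 must go from server to client")
    if (ack.src, ack.dst) != (client, server):
        problems.append("frame 3 must go from client to server")
    # A SYN occupies one sequence number, so the peer acknowledges ISN + 1.
    if synack.ack != (syn.seq + 1) & MASK32:
        problems.append("frame 2 does not acknowledge the client's ISN + 1")
    if ack.seq != (syn.seq + 1) & MASK32:
        problems.append("frame 3 sequence number is not the client's ISN + 1")
    if ack.ack != (synack.seq + 1) & MASK32:
        problems.append("frame 3 does not acknowledge the server's ISN + 1")
    return problems


def relative_numbers(frames):
    """Convert raw seq/ack values to the relative ones Wireshark displays,
    where each side's initial sequence number (ISN) is shown as 0."""
    client, client_isn, server_isn = frames[0].src, frames[0].seq, frames[1].seq
    out = []
    for f in frames:
        own_isn, peer_isn = (client_isn, server_isn) if f.src == client else (server_isn, client_isn)
        rel_seq = (f.seq - own_isn) & MASK32
        rel_ack = (f.ack - peer_isn) & MASK32 if f.flags & ACK else 0
        out.append((rel_seq, rel_ack))
    return out


# Constructed capture: the raw ISNs are arbitrary, as they would be on the wire.
CLIENT, SERVER = "192.0.2.10:50602", "192.0.2.1:80"
HANDSHAKE = [
    Segment(CLIENT, SERVER, SYN,       seq=0x1A2B3C4D, ack=0),
    Segment(SERVER, CLIENT, SYN | ACK, seq=0x7E57ABCD, ack=0x1A2B3C4E),
    Segment(CLIENT, SERVER, ACK,       seq=0x1A2B3C4E, ack=0x7E57ABCE),
]

# Same exchange, but the client's final ACK acknowledges the wrong number;
# validate_handshake() reports it instead of treating the connection as established.
BAD_HANDSHAKE = HANDSHAKE[:2] + [Segment(CLIENT, SERVER, ACK, seq=0x1A2B3C4E, ack=0x7E57ABCD)]

if __name__ == "__main__":
    print(relative_numbers(HANDSHAKE))      # [(0, 0), (0, 1), (1, 1)]
    print(validate_handshake(HANDSHAKE))    # []
    print(validate_handshake(BAD_HANDSHAKE))
```

The relative values printed for the constructed capture are exactly the Sequence Number / Acknowledgment Number pairs listed for the three frames above (0/0, 0/1, 1/1). The arithmetic is done modulo 2^32 because an ISN close to 0xFFFFFFFF wraps to 0 when incremented.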
Explanation for Some Important Common Fields
Port 80: We saw a fixed port 80 throughout this tutorial. This is an HTTP capture, and port 80 is the well-known server-side port for HTTP.
Sequence Number: The sequence number of the frame. The SYN is the first frame, so its sequence number is shown as 0 (Wireshark displays relative sequence numbers by default, with each side’s initial sequence number shown as 0).
TCP Flags:
Acknowledgment – This bit is set if the frame acknowledges something. Example: SYN+ACK and ACK frames.
SYN – This bit is set if the frame is a SYN. Example: SYN and SYN+ACK frames.
Window: This field advertises the receive window of the sender of the frame. Example: the window size is 65535 bytes in the SYN frame, which means the client can accept up to 65535 bytes of unacknowledged TCP data at any point in time.
SACK Permitted: This option is present if the sender supports SACK (selective acknowledgement).
Maximum Segment Size (MSS): The largest amount of TCP data in one segment that the sender of the frame can receive. Example: the MSS is 1460 bytes in the SYN frame.
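The fields listed above all come from the TCP header bytes, and it helps to see how Wireshark gets from those bytes to “Flags: 0x002 (SYN)”, “Header Length: 32 bytes (8)” or “Window scale: 3 (multiply by 8)”. The following Python parser is an added example, not code from the tutorial or from Wireshark: it decodes the fixed 20-byte header and the options (MSS, window scale, SACK permitted) from two constructed segments whose values match the SYN and SYN+ACK frames shown above (checksums are left as 0 and not verified). It also shows the caveat around window scaling: the scale factor applies only to segments after the handshake, never to the SYN itself.

```python
import struct

# TCP option kinds (RFC 793 for EOL/NOP/MSS, RFC 7323 for window scale, RFC 2018 for SACK)
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_PERM = 0, 1, 2, 3, 4

# Flag bits with the values Wireshark shows (e.g. 0x002 for SYN, 0x012 for SYN+ACK)
FLAG_BITS = [("FIN", 0x001), ("SYN", 0x002), ("RST", 0x004), ("PSH", 0x008),
             ("ACK", 0x010), ("URG", 0x020), ("ECE", 0x040), ("CWR", 0x080)]


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the 20-byte fixed TCP header and the options that follow it."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimal 20-byte TCP header")
    (src, dst, seq, ack, off_flags,
     window, _checksum, urg) = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4      # data offset is counted in 32-bit words
    flags = off_flags & 0x0FFF              # low 12 bits hold the flag bits
    if not 20 <= header_len <= len(segment):
        raise ValueError("data offset points outside the segment")
    hdr = {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "header_len": header_len, "flags": flags,
        "flag_names": [name for name, bit in FLAG_BITS if flags & bit],
        "window": window, "urgent_pointer": urg, "options": {},
    }
    opts, i = segment[20:header_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break                           # end of option list
        if kind == OPT_NOP:
            i += 1                          # single-byte padding
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == OPT_MSS and len(body) == 2:
            hdr["options"]["mss"] = struct.unpack("!H", body)[0]
        elif kind == OPT_WSCALE and len(body) == 1:
            hdr["options"]["window_scale"] = body[0]
        elif kind == OPT_SACK_PERM:
            hdr["options"]["sack_permitted"] = True
        i += length
    return hdr


def effective_window(window: int, shift: int, is_syn: bool) -> int:
    """Receive window in bytes. The scale applies only after the handshake:
    the window field of a SYN segment is never scaled (RFC 7323)."""
    return window if is_syn else window << shift


# Constructed sample segments matching the field values in this tutorial.
# Checksum is 0 because this example does not compute or verify it.
SYN_SEGMENT = struct.pack("!HHIIHHHH", 50602, 80, 0, 0, (8 << 12) | 0x002, 65535, 0, 0) \
    + bytes.fromhex("020405b4" "01" "030303" "0101" "0402")   # MSS 1460, NOP, WS 3, NOP, NOP, SACK-perm
SYNACK_SEGMENT = struct.pack("!HHIIHHHH", 80, 50602, 0, 1, (8 << 12) | 0x012, 29200, 0, 0) \
    + bytes.fromhex("02040584" "0101" "0402" "01" "030307")   # MSS 1412, NOP, NOP, SACK-perm, NOP, WS 7

if __name__ == "__main__":
    for seg in (SYN_SEGMENT, SYNACK_SEGMENT):
        h = parse_tcp_header(seg)
        print("%-8s dst=%-5d seq=%d ack=%d hdr=%d bytes win=%d opts=%s"
              % ("+".join(h["flag_names"]), h["dst_port"], h["seq"], h["ack"],
                 h["header_len"], h["window"], h["options"]))
```

The parser rejects a truncated segment or an option whose length runs past the header instead of reading beyond the buffer, which is the check a dissector needs before trusting a data offset or option length taken from the wire. With the server’s “Window scale: 7 (multiply by 128)” from the SYN+ACK, a later window value of 29200 means 29200 × 128 = 3737600 bytes, while the 65535 in the SYN is taken as-is.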
Conclusion
We learned about the TCP 3-way handshake and the useful fields of the SYN, SYN+ACK, and ACK frames. To learn more about TCP, see RFC 793: https://tools.ietf.org/html/rfc793.