Wireshark-users: Re: [Wireshark-users] Multiple syn's , syn/ack and ack received for single conne
From: asad <a.alii85@xxxxxxxxx>
Date: Tue, 4 Aug 2015 23:28:54 +0500
Thanks, for the fast response.

I have tested the same by visiting home-pages of other websites as well and none had such behavior parallel requests by browser. It mostly works as classical.

syn
syn-ack
ack

Now, consecutive syn's. Yes you were right, down the packet-capture I see all the syn,syn-ack and ack packets. Thanks for mentioning.

regards
asad

On Tue, Aug 4, 2015 at 11:05 PM, T B <phreakocious@xxxxxxxxx> wrote:
A web browser can make multiple connections to the same server to fetch different resources in parallel.  The other syn/ack responses are probably in the capture as well, but further down.  The sockets should be processed in the order they're received, but there are lots of reasons why it might not all happen immediately.  None of this seems strange so far.

Hope this helps.

On Tue, Aug 4, 2015 at 11:13 AM, asad <a.alii85@xxxxxxxxx> wrote:
I have a scenario, I'm analyzing ssl (decrpyt) traffic to my webserver. I'm investigating server and end-to-end delay issues. In between this I'm stuck at following traffic pattern for which I need some advice/suggestion. The patter shows:-

     client       server
    src port 1 -> 80 (syn)
    src port 2 -> 80 (syn)
    src port 3 -> 80 (syn)
    src port 4 -> 80 (syn)
    .....

     server        client
    src port 80 -> 1  (syn/ack)
    src port 80 -> 2  (syn/ack)

    client         server
    src port 1 -> 80  (ack)
    src port 2 -> 80  (ack)

After, complete of handshake I see <code>"http get request"</code> from client. My issues is:-

 1. why are multiple syns send from
    client to server from different
    source port
 2. why server choose to
    reply on NOT all ports mainly the
    syn/ack is received by first 3
    ports.
 3. Multiple acks to different
    ports?

a sample SYN request just for analysis looks like

"694    47.583499000    192.168.1.56    192.168.1.22    TCP    66    0.000173000    50844→80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1"

Please help me understand this behavior.


   

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe