Wireshark-users: Re: [Wireshark-users] Multiple syn's , syn/ack and ack received for single conne
From: Hugo van der Kooij <hugo.van.der.kooij@xxxxx>
Date: Thu, 6 Aug 2015 08:11:59 +0000

This is where streams come into play.

For investigating web traffic I strongly recommend you learn how to utilize the streams information in Wireshark.

I created a Wireshark profile I use for Blue Coat packet captures.

You are welcome to fetch it (and the others) from http://hugo.vanderkooij.org/technical/wireshark-profiles

 

The document is in Dutch but the templates and screenshot should help you a bit.

From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On behalf of asad
Sent: Tuesday, 4 August 2015 17:14
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] Multiple syn's , syn/ack and ack received for single connection?

 

I have a scenario: I'm analyzing SSL (decrypt) traffic to my webserver. I'm investigating server and end-to-end delay issues. In between this I'm stuck at the following traffic pattern, for which I need some advice/suggestions. The pattern shows:

     client       server
    src port 1 -> 80 (syn)
    src port 2 -> 80 (syn)
    src port 3 -> 80 (syn)
    src port 4 -> 80 (syn)
    .....

     server        client
    src port 80 -> 1  (syn/ack)
    src port 80 -> 2  (syn/ack)

    client         server
    src port 1 -> 80  (ack)
    src port 2 -> 80  (ack)

After completion of the handshake I see an "HTTP GET request" from the client. My issues are:

 1. Why are multiple SYNs sent from the client to the server from different source ports?
 2. Why does the server choose to reply on NOT all ports? Mainly the SYN/ACK is received by the first 3 ports.
 3. Multiple ACKs to different ports?

A sample SYN request, just for analysis, looks like:

"694    47.583499000    192.168.1.56    192.168.1.22    TCP    66    0.000173000    50844→80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1"

Please help me understand this behavior.

With kind regards,

Hugo van der Kooij
support engineer

Delft - Noord-Oost - Zuid
T: +31 15 888 0 345  F: +31 15 888 0 445
E: hugo.van.der.kooij@xxxxx  I:  www.qi.nl
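
The per-connection view that streams give for the pattern in the question, as an added example that is not part of either message: packets are grouped by client/server address and port, and each group is reported with how far its handshake got. The rows are constructed sample data, and the column layout (a tshark field export) is an assumption.

```python
import csv

SYN, ACK = 0x02, 0x10  # TCP flag bits as shown in the tcp.flags field

# Constructed sample rows (not the poster's capture), in the column order
# frame.number, ip.src, tcp.srcport, ip.dst, tcp.dstport, tcp.flags.
# Assumption: exported with tshark -T fields -E separator=, and those -e fields.
SAMPLE = """\
1,192.168.1.56,50844,192.168.1.22,80,0x0002
2,192.168.1.56,50845,192.168.1.22,80,0x0002
3,192.168.1.56,50846,192.168.1.22,80,0x0002
4,192.168.1.22,80,192.168.1.56,50844,0x0012
5,192.168.1.22,80,192.168.1.56,50845,0x0012
6,192.168.1.56,50844,192.168.1.22,80,0x0010
7,192.168.1.56,50845,192.168.1.22,80,0x0010
8,192.168.1.56,50846,192.168.1.22,80,0x0002
"""

def handshake_states(text):
    """Map (client, cport, server, sport) -> (state, number of SYNs seen)."""
    conns = {}
    for _frame, src, sport, dst, dport, flags in csv.reader(text.splitlines()):
        flags = int(flags, 16)
        a, b = (src, int(sport)), (dst, int(dport))
        # Both directions of a conversation share one key (one "stream").
        key = next((k for k in (a + b, b + a) if k in conns), None)
        if key is None:
            if flags & (SYN | ACK) != SYN:
                continue  # no opening SYN seen for this conversation
            key = a + b   # the sender of the bare SYN is the client
            conns[key] = {"syn": 0, "synack": False, "ack": False}
        c, from_client = conns[key], key[:2] == a
        if flags & SYN and not flags & ACK and from_client:
            c["syn"] += 1          # first SYN or a retransmission
        elif flags & SYN and flags & ACK and not from_client:
            c["synack"] = True
        elif flags & ACK and from_client and c["synack"]:
            c["ack"] = True        # third step of the handshake
    def state(c):
        return "established" if c["ack"] else "syn-ack, no ack" if c["synack"] else "syn only"
    return {k: (state(c), c["syn"]) for k, c in conns.items()}

if __name__ == "__main__":
    for (cip, cport, sip, sport), (st, syns) in handshake_states(SAMPLE).items():
        print(f"{cip}:{cport} -> {sip}:{sport}  {st}  (SYNs: {syns})")
```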