TCP 3-way handshake log (tcpdump output)
e.g. a browser connecting to a web server
# handshake: the ack number is the peer's seq + 1 (a SYN consumes one sequence number)
# tcpdump prints absolute sequence numbers in the SYN and SYN-ACK and ISN-relative numbers after that (run it with -S for absolute numbers throughout)
15:05:35.832940 IP client.60201 > server.http: Flags [S], seq 3461336557, win 29200, options [mss 1460,sackOK,TS val 1514187132 ecr 0,nop,wscale 7], length 0
15:05:35.832979 IP server.http > client.60201: Flags [S.], seq 2413143099, ack 3461336558, win 14480, options [mss 1460,sackOK,TS val 1381918275 ecr 1514187132,nop,wscale 7], length 0
15:05:35.833299 IP client.60201 > server.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 1514187132 ecr 1381918275], length 0
# Data: the ack number is the peer's seq + payload length
15:05:35.833312 IP client.60201 > server.http: Flags [P.], seq 1:79, ack 1, win 229, options [nop,nop,TS val 1514187132 ecr 1381918275], length 78
15:05:35.833338 IP server.http > client.60201: Flags [.], ack 79, win 114, options [nop,nop,TS val 1381918275 ecr 1514187132], length 0
15:05:35.833920 IP server.http > client.60201: Flags [P.], seq 1:899, ack 79, win 114, options [nop,nop,TS val 1381918275 ecr 1514187132], length 898
15:05:35.834393 IP client.60201 > server.http: Flags [.], ack 899, win 243, options [nop,nop,TS val 1514187133 ecr 1381918275], length 0
# close: a FIN also consumes one sequence number, so the peer acks seq + 1
15:05:35.834409 IP client.60201 > server.http: Flags [F.], seq 79, ack 899, win 243, options [nop,nop,TS val 1514187133 ecr 1381918275], length 0
15:05:35.834488 IP server.http > client.60201: Flags [F.], seq 899, ack 80, win 114, options [nop,nop,TS val 1381918275 ecr 1514187133], length 0
15:05:35.834761 IP client.60201 > server.http: Flags [.], ack 900, win 243, options [nop,nop,TS val 1514187133 ecr 1381918275], length 0
# type of packet (tcpdump flag notation; a trailing "." means the ACK flag is also set, so [S.] = SYN+ACK, [P.] = PSH+ACK, [F.] = FIN+ACK)
[S] - SYN (start connection)
[S.] - SYN-ACK
[.] - ACK
[P.] - PSH+ACK (push data up to the application)
[F.] - FIN+ACK (finish connection)
[R] - RST (reset connection)
length: TCP payload length in bytes (the data after the TCP header; Ethernet, IP and TCP headers are not counted)
remark
Ethernet II header = 14 bytes (6 dst MAC + 6 src MAC + 2 EtherType); the 4-byte FCS is normally stripped by the NIC and does not appear in a capture
TCP
Size of IPv4 header (without any options) = 20 bytes
Size of TCP header (without any options) = 20 bytes
Total size of an empty TCP segment as captured = 14 + 20 + 20 = 54 bytes
UDP
Size of UDP header = 8 bytes
Total size of an empty UDP datagram as captured = 14 + 20 + 8 = 42 bytes
(the minimum Ethernet frame is 64 bytes including FCS, so on the wire both get padded to 60 bytes + 4 FCS; the pure ACKs above carry a 12-byte nop,nop,TS option block, so they are 14 + 20 + 32 = 66 bytes)
mss N - maximum segment size the sender is willing to receive, only seen in a SYN packet
sackOK - the host permits the use of Selective Acknowledgement, only seen in a SYN packet
TS val N - the sending host's timestamp
ecr N - echo reply: the most recent TS val received from the peer (0 in the first SYN, since nothing has been received yet)
nop - no-operation, a 1-byte option (kind 1, 00000001) used as padding so the following option starts on a 32-bit word boundary;
may be used more than once if necessary [see RFC 793]
wscale N - window scale (shift count the advertised window is multiplied by 2^N), only seen in a SYN packet
Sequence and Acknowledgment Numbers
* 32-bit fields
* the host that initiates a TCP session picks its initial sequence number (ISN) at random
# Wireshark (and tcpdump by default) displays relative sequence numbers, so each side starts from 0 (naturally)
the Ack I send = peer's Seq + peer's payload length
my next Seq = peer's Ack
* a SYN or FIN flag in a received packet increases the expected sequence number by 1 (a SYN or FIN carries no payload but still consumes one sequence number)
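The rules above applied to the capture at the top of these notes, as an added example that is not part of the original notes: a small parser for tcpdump's TCP line format, a replay that converts the numbers to Wireshark-style relative form and checks every seq and ack against the expected values, and a per-host byte count. It assumes tcpdump's default numbering (absolute seq/ack only in the SYN and SYN-ACK, relative afterwards) and uses the host names client.60201 and server.http exactly as they appear in the capture; the function and variable names are this example's own.

```python
import re

# tcpdump's default TCP line format (the one shown in the capture above).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]+)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?(?:, ack (?P<ack>\d+))?"
    r", win (?P<win>\d+)(?:, options \[(?P<options>[^\]]*)\])?, length (?P<length>\d+)$"
)
FLAG_NAMES = {"S": "SYN", ".": "ACK", "P": "PSH", "F": "FIN", "R": "RST"}

# Sample input: the ten packets of the capture in these notes, one per line.
CAPTURE = """\
15:05:35.832940 IP client.60201 > server.http: Flags [S], seq 3461336557, win 29200, options [mss 1460,sackOK,TS val 1514187132 ecr 0,nop,wscale 7], length 0
15:05:35.832979 IP server.http > client.60201: Flags [S.], seq 2413143099, ack 3461336558, win 14480, options [mss 1460,sackOK,TS val 1381918275 ecr 1514187132,nop,wscale 7], length 0
15:05:35.833299 IP client.60201 > server.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 1514187132 ecr 1381918275], length 0
15:05:35.833312 IP client.60201 > server.http: Flags [P.], seq 1:79, ack 1, win 229, options [nop,nop,TS val 1514187132 ecr 1381918275], length 78
15:05:35.833338 IP server.http > client.60201: Flags [.], ack 79, win 114, options [nop,nop,TS val 1381918275 ecr 1514187132], length 0
15:05:35.833920 IP server.http > client.60201: Flags [P.], seq 1:899, ack 79, win 114, options [nop,nop,TS val 1381918275 ecr 1514187132], length 898
15:05:35.834393 IP client.60201 > server.http: Flags [.], ack 899, win 243, options [nop,nop,TS val 1514187133 ecr 1381918275], length 0
15:05:35.834409 IP client.60201 > server.http: Flags [F.], seq 79, ack 899, win 243, options [nop,nop,TS val 1514187133 ecr 1381918275], length 0
15:05:35.834488 IP server.http > client.60201: Flags [F.], seq 899, ack 80, win 114, options [nop,nop,TS val 1381918275 ecr 1514187133], length 0
15:05:35.834761 IP client.60201 > server.http: Flags [.], ack 900, win 243, options [nop,nop,TS val 1514187133 ecr 1381918275], length 0
"""


def describe_flags(flags):
    """tcpdump flag string to names: 'S.' -> 'SYN+ACK', '.' -> 'ACK'."""
    return "+".join(FLAG_NAMES.get(c, c) for c in flags)


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised tcpdump line: %r" % line)
    p = m.groupdict()
    for key in ("seq", "seq_end", "ack", "win", "length"):
        p[key] = None if p[key] is None else int(p[key])
    return p


def check_stream(text):
    """Replay one connection, checking each packet against the seq/ack rules.
    Returns (per-packet records, next relative seq expected from each host).
    Assumes default tcpdump numbering (absolute only in SYN / SYN-ACK, no -S)."""
    isn, next_seq, records = {}, {}, []
    for line in filter(str.strip, text.splitlines()):
        p = parse_line(line)
        me, peer = p["src"], p["dst"]
        syn, fin = "S" in p["flags"], "F" in p["flags"]
        expected_seq = next_seq.get(me, 0)
        notes = []

        # This packet's seq in relative (Wireshark-style) form.
        if syn and p["seq"] is not None:
            isn[me] = p["seq"]          # the SYN is the only place the ISN appears
            rel_seq = 0
        elif p["seq"] is None:
            rel_seq = expected_seq      # pure ACK: tcpdump prints no seq field
        else:
            rel_seq = p["seq"]          # tcpdump already subtracted the ISN
        if rel_seq != expected_seq:
            notes.append("seq %d, expected %d" % (rel_seq, expected_seq))
        if p["seq_end"] is not None and p["seq_end"] != p["seq"] + p["length"]:
            notes.append("seq range does not match length %d" % p["length"])

        # Next seq = this seq + payload length; a SYN or FIN consumes one more
        # sequence number even though it carries no data.
        next_seq[me] = rel_seq + p["length"] + int(syn) + int(fin)

        # Ack = peer's seq + peer's length (+1 for its SYN/FIN), i.e. the relative
        # seq the peer must send next. The SYN-ACK's ack is still absolute, so
        # it is compared against the peer's ISN + 1 instead.
        if p["ack"] is not None:
            expected = (isn[peer] + 1 if peer in isn else None) if syn else next_seq.get(peer, 0)
            if expected is None:
                notes.append("SYN-ACK seen before the peer's SYN")
            elif p["ack"] != expected:
                notes.append("ack %d, expected %d" % (p["ack"], expected))

        records.append({"ts": p["ts"], "src": me, "flags": describe_flags(p["flags"]),
                        "rel_seq": rel_seq, "ack": p["ack"], "length": p["length"],
                        "notes": notes})
    return records, next_seq


def payload_bytes(records):
    """Application bytes sent by each host (what the peer's ack numbers count up)."""
    totals = {}
    for r in records:
        totals[r["src"]] = totals.get(r["src"], 0) + r["length"]
    return totals


if __name__ == "__main__":
    records, next_seq = check_stream(CAPTURE)
    for r in records:
        print(r["ts"], r["src"], r["flags"], "seq", r["rel_seq"], "ack", r["ack"], "len", r["length"], r["notes"] or "ok")
    print("next seq:", next_seq, "payload bytes:", payload_bytes(records))
```

Run as is, every packet in the capture comes out "ok", the client ends at relative seq 80 (78 data bytes + SYN + FIN) and the server at 900 (898 + SYN + FIN), which are exactly the last two ack numbers in the capture. Change any ack or seq in CAPTURE and the corresponding record gets a note saying what was expected, which is the same reasoning Wireshark applies when it flags "ACKed unseen segment" or a retransmission.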
Useful Wireshark function
Statistics > Flow Graph