TCP 3-Way Handshake using Wireshark

The Black Sheep
5 min readJul 11, 2022

--

Wireshark is a very popular network protocol analyser through which a network administrator can thoroughly examine the flow of data traffic to/from a computer system in a network.

As soon as you click on start on a particular interface (such as a router/port), information regarding all the incoming and outgoing data packets (on the selected interface) are displayed.

You can filter the results according to the

  • protocol (Eg tcp)
  • protocol and port (either source or destination port) (Eg tcp.port eq 80)
  • IP address (Eg ip.src==192.168.0.103) (Eg ip.dst==192.168.0.103)
  • Based on byte sequence in the payload , use the contains filter with the protocol name and byte sequence.(Eg tcp contains 00:01:02)
  • Other complex conditions using or or and (Eg tcp and dns)
  • Adding not in the front of a statement negates it

Before starting to analyze the TCP handshake from Wireshark, make sure you choose an internet enabled interface to connect to the internet (which is how we will connect to the website). Also, you will need to click on the stop button once the connection is been established, to monitor only the initial packets separately without mixing things up.

This is a screenshot of my Wireshark application, after clicking on the stop button.

Now lets narrow it down a little bit to only monitor the tcp traffic (since there are 137 packets). Now the queue is pretty small.

Before filtering

Now with the above filters added together, lets filter out the connections to monitor what we want to analyze which is the tcp connection. Now there is only 62 packets.

After filtering

It’s time to talk about what’s included in these packets.

As TCP/IP protocol is connection oriented, a reliable connection must be obtained and acknowledged, before any data can be transmitted.

The three main stages of this process are as follows:

  1. Connection establishment
  2. Data transmission
  3. Connection termination

The three-way handshake will happen in the first(an active open) and the second stages(an active close) where the connection is established and terminated.

Also, the control bits are as follows:

  • SYN: Synchronize sequence numbers
  • ACK: Acknowledgment field significant
  • FIN: No more data from sender
  • URG: Urgent Pointer field significant
  • PSH: Push Function
  • RST: Reset the connection

We will only focus on the first 3 of the control bits in the article for simplicity.

Establishing a connection

Now to analyze each stage of the process further, I will use Wireshark to look into each packet.

Stage 1-Connection establishment:

First the top most packet is sent from the client (192.168.8.102) to the server (52.213.14.58). It is a SYN segment as mentioned under the Info section. Basically, a SYN request is used to synchronize the sequence numbers with the server. In this, the initial sequence number (ISN) is specified. Along with each packet transferred, the ISN is incremented by 1when sent to the server. To start a connection, the client and server must synchronize each other's sequence numbers. The Acknowledgment field (ACK: 0) is set to zero because it's the first part of the three-way handshake.

1

The second frame is the act of the server sending back the ACK and SYN segment back to the client. The server is acknowledging the request of the client for synchronization and is also sending its request to the client for synchronization of its sequence numbers. The ACK number is proof to the client that the ACK is specific to the SYN the client initiated. The process of acknowledging the client's request allows the server to increment the client's sequence number by one and use it as its acknowledgment number.

2

In the third frame, the client sends an ACK segment, acknowledging the request from the server for synchronization. This completes the process of establishing a reliable connection and the three-way handshake.

3

Stage 2-Data transmission:

After the establishment of the connection, the data starts transmitting back and forth. This stage usually consists a lot of (acknowledgements) ACK which is why the next frames consists a lot of ACK which keeps incrementing in value. Also, notice how the Win (Window size) and the Len (Length) is valued.

4

Stage 3-Connection termination:

The termination of this reliable connection needs to transmit four packets of data. As TCP connection is full-duplex (data can flow in each direction independent of the other), each direction must be terminated independently.

By the end of the successful connection, the client sends a FIN that’s accompanied by an ACK, which informs the server that it has no more data to send. ACK is used to identify the specific connection they've established.

Next, the server acknowledges the FIN that was transmitted from the client using an ACK.

After receiving the FIN from the client computer, the server must also transmit a FIN to the client.

Finally, the client acknowledges the server’s FIN by and incrementing the sequence number by 1 and sending a one final ACK. This signals the server to close the TCP connection successfully.

Thanks for reading. Until next time! 👋🏽

References

  1. https://www.youtube.com/watch?v=UpUd5zEUUgI
  2. https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/three-way-handshake-via-tcpip
  3. https://www.youtube.com/watch?v=4dSaAMZsPvw

--

--

The Black Sheep
The Black Sheep

Written by The Black Sheep

Everything in my point of view. Here for you to read on....

No responses yet