Why TCPDump Command Didn’t Capture Three-Way Handshake

tcptcpdump

That's what I do .

1、open tcpdump command sudo tcpdump -i lo0 tcp port 20009

2、start a sample server nc -l 20009

3、connect 20009 port telnet localhost 20009

4、tcpdump command got :

○ → sudo tcpdump  -i lo0 tcp port 20009
Password:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 262144 bytes
17:38:42.778304 IP6 localhost.58951 > localhost.20009: Flags [S], seq 4206287588, win 65535, options [mss 16324,nop,wscale 5,nop,nop,TS val 461712269 ecr 0,sackOK,eol], length 0
17:38:42.778341 IP6 localhost.20009 > localhost.58951: Flags [R.], seq 0, ack 4206287589, win 0, length 0
17:38:42.778536 IP localhost.58952 > localhost.20009: Flags [S], seq 2745154881, win 65535, options [mss 16344,nop,wscale 5,nop,nop,TS val 461712269 ecr 0,sackOK,eol], length 0
17:38:42.778614 IP localhost.20009 > localhost.58952: Flags [S.], seq 3385478755, ack 2745154882, win 65535, options [mss 16344,nop,wscale 5,nop,nop,TS val 461712269 ecr 461712269,sackOK,eol], length 0
17:38:42.778629 IP localhost.58952 > localhost.20009: Flags [.], ack 1, win 12759, options [nop,nop,TS val 461712269 ecr 461712269], length 0
17:38:42.778643 IP localhost.20009 > localhost.58952: Flags [.], ack 1, win 12759, options [nop,nop,TS val 461712269 ecr 461712269], length 0

why the client(localhost.58952) don't send back the ack(value 1) to server (localhost.20009) in the third step ?

Best Answer

Your system has defined localhost as both ::1 (ipv6) and 127.0.0.1 (ipv4), so telnet first tries ipv6 and if this fails it tries ipv4. The first packet is a SYN to ::1 but because no process is listening on that address and port, the system responds with a RST (packet 2). Packet 3 is then the SYN to 127.0.0.1 and packet 4 is the SYN+ACK etc.

Related Solutions

TCP – Is a Three-Way Handshake Required for an HTTP POST?

Both HTTP GET and HTTP POSTS use TCP. If you are asking whether a POST also requires a 3-way TCP handshake (syn-synack-ack), it does just like any other TCP connection. The TCP handshake is required before any application protocol (such as HTTP) starts work.

FYI, your three-way handshake is incorrect; it should be "syn-synack-ack"

ADD:

If browser use QUIC (Quick UDP Internet Connections, pronounced quick. Proposed by Google) protocol for HTTP is possible to avoid 3-way TCP handshake. But AFAIK it supported in Chrome and Google.

Most software prefer HTTP/2 which still TCP but wit many features it use persistent connection then 3-way handshake done once for each server server.

If this protocols is used, 3-way hanshake can be avoided by any request, including GET.

TCP 3-Way Handshake – Why Do We Need a 3-Way Handshake?

Break down the handshake into what it is really doing.

In TCP, the two parties keep track of what they have sent by using a Sequence number. Effectively it ends up being a running byte count of everything that was sent. The receiving party can use the opposite speaker's sequence number to acknowledge what it has received.

But the sequence number doesn't start at 0. It starts at the ISN (Initial Sequence Number), which is a randomly chosen value. And since TCP is a bi-directional communication, both parties can "speak", and therefore both must randomly generate an ISN as their starting Sequence Number. Which in turn means, both parties need to notify the other party of their starting ISN.

So you end up with this sequence of events for a start of a TCP conversation between Alice and Bob:

Alice ---> Bob    SYNchronize with my Initial Sequence Number of X
Alice <--- Bob    I received your syn, I ACKnowledge that I am ready for [X+1]
Alice <--- Bob    SYNchronize with my Initial Sequence Number of Y
Alice ---> Bob    I received your syn, I ACKnowledge that I am ready for [Y+1]

Notice, four events are occurring:

Alice picks an ISN and SYNchronizes it with Bob.
Bob ACKnowledges the ISN.
Bob picks an ISN and SYNchronizes it with Alice.
Alice ACKnowledges the ISN.

In actuality though, the middle two events (#2 and #3) happen in the same packet. What makes a packet a SYN or ACK is simply a binary flag turned on or off inside each TCP header, so there is nothing preventing both of these flags from being enabled on the same packet. So the three-way handshake ends up being:

Bob <--- Alice         SYN
Bob ---> Alice     SYN ACK 
Bob <--- Alice     ACK

Notice the two instances of "SYN" and "ACK", one of each, in both directions.

So to come back to your question, why not just use a two-way handshake? The short answer is because a two way handshake would only allow one party to establish an ISN, and the other party to acknowledge it. Which means only one party can send data.

But TCP is a bi-directional communication protocol, which means either end ought to be able to send data reliably. Both parties need to establish an ISN, and both parties need to acknowledge the other's ISN.

So in effect, what you have is exactly your description of the two-way handshake, but in each direction. Hence, four events occurring. And again, the middle two flags happen in the same packet. As such three packets are involved in a full TCP connection initiation process.

Best Answer

Related Solutions

TCP – Is a Three-Way Handshake Required for an HTTP POST?

TCP 3-Way Handshake – Why Do We Need a 3-Way Handshake?

Related Topic