Wireshark-users: Re: [Wireshark-users] How to identify session setup / confirmation

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 9 Mar 2009 14:51:21 -0700

On Mar 9, 2009, at 5:57 AM, Stringer, Rich (R.) wrote:

Hello All,

I am trying to analyze packets between two Microsoft Biztalk servers. I am looking for two things.
1.  1st server requesting a session with the 2nd server.
2.  Confirmation that the communication session is setup / ack'd.

This is the primary focus of my search.
3.  1st Biztalk sends an XML message to the 2nd Biztalk server.
4. 2nd Biztalk servers sends a response to the 1st Biztalk server ack'ing that the message was received.

What are the packet characteristics that I should be looking for?

That depends on whether setting up a session is done purely at the transport protocol layer or if Biztalk requires its *own* session setup once a transport-layer session is set up.
What does the presence of the PSH, SYN, and ACK flags mean?

The presence of the TCP PSH flag means nothing in this context. (See RFC 793 for a discussion of what it means.)

When setting up a TCP session:

the machine initiating the session sends to the machine with which it's trying to initiate a session a packet with the SYN flag set;

if the machine receiving that packet is willing to set up the connection, it acknowledges the SYN with a packet with ACK set, as well as saying it's willing to accept the connection by setting the SYN flag in that packet as well;

the machine receiving the SYN+ACK packet acknowledges the SYN with an ACK.

See RFC 793 for a detailed discussion of setting up TCP connections.

Note that no XML messages are likely to be sent until the connection is set up, so the SYN flag is independent of any Biztalk messages. Once the connection is set up, the ACK flag is used to acknowledge that, *at the transport layer*, TCP data has been received. The Biztalk layer doesn't know anything about TCP-layer acknowledgments, so, in the case of

3.  1st Biztalk sends an XML message to the 2nd Biztalk server.
4. 2nd Biztalk servers sends a response to the 1st Biztalk server ack'ing that the message was received.

there could be two separate responses "ack'ing that the message was received" - one could be an ACK at the TCP layer indicating that a TCP segment containing some or all of the first XML message was received (there is no guarantee that a single Biztalk message will be in a single TCP segment), and, once all of the segments containing the XML message have been received and the message is delivered to the Biztalk server code, it might send a reply at the Biztalk layer saying that the Biztalk XML message was received (I don't know how the Biztalk protocols work, so I don't know if it would bother sending such an acknowledgment or not).