Wireshark-users: Re: [Wireshark-users] newbie question about tcp three-way handshaking

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Wed, 23 Jan 2013 06:48:52 +0100
On 01/22/2013 09:40 AM, 温金超 wrote:
> 
> 
> 2013/1/22 温金超 <wenjinchao0418@xxxxxxxxx <mailto:wenjinchao0418@xxxxxxxxx>>
> 
>     Thanks. and I add comments inline.
> 
>     On Jan 21, 2013, at 6:41 PM, 温金超 <wenjinchao0418@xxxxxxxxx> wrote: > Is
>     should be three-way handshaking or not when trying to establishe a new
>     connection? > but I tcpdump following: > > 19:23:12.688758 IP
>     10.1.164.64.51350 > 10.13.220.4.80: S 3779651860:3779651860(0) win 8192 <mss
>     1260,nop,wscale 8,nop,nop,sackOK> > 19:23:12.688776 IP 10.13.220.4.80 >
>     10.1.164.64.51350: S4133937230:4133937230(0) ack 3779651861 win 5840 <mss
>     1460,nop,nop,sackOK,nop,wscale 9> > 19:23:12.688779 IP 10.13.220.4.80 >
>     10.1.164.64.51350: S4133937230:4133937230(0) ack 3779651861 win 5840 <mss
>     1460,nop,nop,sackOK,nop,wscale 9> > 19:23:12.689716 IP 10.1.164.64.51350 >
>     10.13.220.4.80: . ack 1 win 260 > > 10.13.220.4 ack twice for syn. any idea ?
>     >Are you sniffing on the machine that's sending the two SYN+ACK packets (i.e., >sniffing on 10.13.220.4), on the machine to which they're being sent (i.e., sniffing on >10.1.164.64), or on some other machine (passively sniffing)?
> 
> 
> 
>     I'm sniffing on machine 10.13.220.4.
> 
> 
>     >Do the two SYN+ACK packets have the same IP packet ID value?  Perhaps it's >getting retransmitted, either at the link layer or the TCP layer, for some reason.  If it's at the >link layer, they'll probably have the same IP ID value; if it's at the TCP layer, they probably will >have different IP ID values.  For tcpdump, use the -v flag to get the IP ID printed.
> 
> 
> 
>     Confirm that they have the same IP ID value.
> 
> 
>     And I sniffing again both on client(10.1.164.64) side  and server(10.13.220.4) side, get followings:
> 
> 
> 
>     On client(10.1.164.64) side, it's normal three-way handshaking.
> 
> 
> 
> 
> 
> 
>     and on server side(10.13.220.4)
> 
> 
> 
>     13:57:39.659310 IP (tos 0x0, ttl 124, id 27852, offset 0, flags [DF], proto: TCP (6), length: 52) 10.1.164.64.59211 > 10.13.220.4.80: S, cksum 0xc08c (correct), 563933632:563933632(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>
>     13:57:39.659389 IP (tos 0x0, ttl  64,* id 0*, offset 0, flags [DF], proto: TCP (6), length: 52) 10.13.220.4.80 > 10.1.164.64.59211: S, cksum 0x8bf2 (correct), 3096740955 <tel:3096740955>:3096740955(0) ack 563933633 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 9>
>     13:57:39.659413 IP (tos 0x0, ttl  64, *id 0*, offset 0, flags [DF], proto: TCP (6), length: 52) 10.13.220.4.80 > 10.1.164.64.59211: S, cksum 0x8bf2 (correct), 3096740955 <tel:3096740955>:3096740955(0) ack 563933633 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 9>
> 
>     13:57:39.660220 IP (tos 0x0, ttl 124, id 27853, offset 0, flags [DF], proto: TCP (6), length: 40) 10.1.164.64.59211 > 10.13.220.4.80: ., cksum 0xe292 (correct), 1:1(0) ack 1 win 260 
> 
> 
> 
> 
> 
>     Both SYN+ACK have the same IP id 0.
>     Why the sniffing result is different between client side and server side?
> 
> 
>>Hi,
> 
>>It would be interesting to know what kind of network interface is installed on
>>the server 10.13.220.4. Is there some kind of bonding interface? On what
>>interface is this server capture taken?
> 
>>Thanks,
>>Jaap
> 
> 
> 
> Hi Jaap,
> 
> The server 10.13.220.4 have 2 physcial network interface, eth0 and eth1, who have the save ip: 10.13.220.4. And eth1 has been configed serval virtural ip.
> 
> and my tcpdump commend:
> 
> tcpdump  -i any -nn -vvv -v -s 0  tcp and host 10.13.220.4 and port 80   
> 
> 
> Thanks,
> 
> jinchao
> 


Hi,

Well, then obviously you are capturing *below* the bonded interface. Therefore
the *outgoing* frames are seen twice, one for each physical interface, and the
*incoming* frames once, because they come from a switch, which uses a single
port to send the frame[*].

You can't really fall back to capturing a single physical interface (eth0, eth1)
because you do not know where the switch will send the returned frames. To get
rid of the duplicates you can either:

1) capture on the bonding interface (bond0 or whatever name it takes)

2) use editcap -d to remove the duplicates from the capture file afterwards.


[*] unless flooding, multicast, MAC table miss.

Thanks,
Jaap