The TCP 3-way handshake is a fundamental process in TCP/IP communication used to establish a reliable connection between two devices before data transfer begins. Understanding and being able to visualize this handshake in Wireshark is crucial for diagnosing connection issues and understanding the basics of TCP communication.
The Three Steps of the Handshake
The 3-way handshake involves the exchange of three TCP segments between the client (the device initiating the connection) and the server (the device listening for connections):
- SYN (Synchronize):
- The client sends a TCP segment to the server with the SYN (Synchronize Sequence Number) flag set in the TCP header.
- This segment also carries the client’s initial sequence number (ISN), the starting point from which the client numbers every byte it sends on this connection. The ISN must be unpredictable, not merely random-looking (RFC 6528 derives it from a clock plus a keyed hash of the connection’s addresses and ports), because an off-path attacker who can guess it can inject or reset segments without ever seeing the traffic.
- The source and destination port numbers live in the TCP header, not the IP header (the IP header carries only the addresses). The destination port is the port the server is listening on (e.g., 80 for HTTP, 443 for HTTPS); the source port is an ephemeral (temporary) port chosen by the client.
- SYN-ACK (Synchronize-Acknowledge):
- Upon receiving the SYN segment, the server (if it’s listening on the specified port and willing to accept the connection) responds with a TCP segment containing both the SYN (Synchronize Sequence Number) and ACK (Acknowledgment) flags set.
- The server includes its own initial sequence number (server ISN).
- The acknowledgment number in the TCP header is set to the client’s ISN + 1. The SYN flag consumes one sequence number even though the segment carries no data, so this value means “I have received your SYN and the next byte I expect from you is ISN + 1.”
- The source port in the TCP header is the server’s listening port and the destination port is the client’s ephemeral port, i.e. the SYN’s ports swapped.
- ACK (Acknowledgment):
- The client receives the SYN-ACK segment from the server and responds with a TCP segment containing only the ACK (Acknowledgment) flag set.
- The acknowledgment number in this segment is set to the server’s ISN + 1, acknowledging the server’s SYN-ACK.
- The sequence number in this segment is the client’s ISN + 1 (the next sequence number for data transmission from the client).
- Once this ACK is received by the server, both sides consider the connection established and data transfer can begin. The client actually enters ESTABLISHED one step earlier, on receipt of the SYN-ACK; the server does so only when the final ACK arrives, which is why a lost third packet leaves the server, not the client, waiting.
Visualizing the 3-Way Handshake in Wireshark
When you capture traffic involving a new TCP connection in Wireshark, you should typically see these three packets exchanged in sequence:
- Packet 1 (Client to Server):
- Protocol: TCP
- Flags: [SYN]
- Source Port: (Client’s ephemeral port)
- Destination Port: (Server’s listening port)
- Info Column: Often shows something like
[SYN] Seq=X Win=Y Len=0 MSS=Z...
where X is the client’s ISN, Y is the initial window size, and Z is the Maximum Segment Size advertised in the TCP options. Wireshark shows relative sequence numbers by default, so X is displayed as 0; the absolute ISN is only visible if you turn off Edit > Preferences > Protocols > TCP > “Relative sequence numbers”. The display filter tcp.flags.syn == 1 && tcp.flags.ack == 0 isolates these first packets.
- Packet 2 (Server to Client):
- Protocol: TCP
- Flags: [SYN, ACK]
- Source Port: (Server’s listening port)
- Destination Port: (Client’s ephemeral port)
- Info Column: Often shows something like
[SYN, ACK] Seq=A Ack=X+1 Win=B Len=0 MSS=C...
where A is the server’s ISN, and Ack=X+1 acknowledges the client’s SYN. With relative sequence numbers on, this reads Seq=0 Ack=1.
- Packet 3 (Client to Server):
- Protocol: TCP
- Flags: [ACK]
- Source Port: (Client’s ephemeral port)
- Destination Port: (Server’s listening port)
- Info Column: Often shows something like
[ACK] Seq=X+1 Ack=A+1 Win=D Len=0...
acknowledging the server’s SYN-ACK; with relative sequence numbers on this reads Seq=1 Ack=1. Right-click any of the three packets and choose Follow > TCP Stream, or filter on tcp.stream eq N, to see the whole conversation that this handshake opens.
Troubleshooting with the 3-Way Handshake
Observing the 3-way handshake in Wireshark can be invaluable for troubleshooting connection problems:
- Missing SYN: What this means depends on where you captured. On the client itself, no SYN means the application never attempted the connection (name resolution failed, it used a different address, or it never got that far); a capture filter may also have excluded it. On the server side or in the path, a SYN that the client did send but that never arrives points to a firewall or routing problem between the two. A client re-sending its SYN is marked [TCP Retransmission] by Wireshark, and the retries typically back off exponentially (about 1, 2, 4, 8... seconds apart).
- Missing SYN-ACK: If the server doesn’t respond at all, the port is filtered by a firewall, the host is down, or the SYN never reached it. Distinguish this from a closed port: a host that is up but not listening answers the SYN with [RST, ACK], so silence versus RST tells you whether a packet filter is in the way. Many SYNs from one source to many ports with no follow-up is the signature of a port scan; the display filter tcp.flags.syn == 1 && tcp.flags.ack == 0 makes the pattern easy to spot.
- Missing ACK: If the client never sends the final ACK, the server is left with a half-open connection in SYN_RECV; it retransmits the SYN-ACK a few times and then discards the embryonic connection. A handful of these points to asymmetric routing or a filter dropping the client’s outbound ACK; a large number from many (often spoofed) source addresses is a SYN flood, which is why servers fall back to SYN cookies under that load.
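The following Python script is an added example, not Wireshark code or anything from the original page. It decodes raw 20-byte TCP headers, reproduces the Info column strings from the Visualizing section (relative Seq/Ack, as Wireshark displays them by default), and then classifies each flow the way the troubleshooting list above does: completed, SYN with no answer, SYN refused with RST, or half-open with no final ACK. It also checks that the Ack numbers really are the peer’s ISN + 1. The packet bytes, addresses (10.0.0.5 and 10.0.0.9), ports and ISNs are constructed for the demonstration, and the checksum field is left at zero because nothing here is sent on the wire.

```python
"""Decode TCP headers and track the 3-way handshake per flow (added example)."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# TCP flag bits, low byte of the 16-bit data-offset/flags field
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_NAMES = [(FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (PSH, "PSH"), (ACK, "ACK")]
MASK32 = 0xFFFFFFFF
DIAGNOSIS = {
    "SYN_SENT": "no SYN-ACK: port filtered, host down, or SYN never arrived",
    "REFUSED": "server answered RST: port closed, not filtered",
    "SYN_RECEIVED": "no final ACK: half-open, server left in SYN_RECV",
    "ESTABLISHED": "handshake complete",
}


@dataclass
class Segment:
    src_ip: str          # addresses come from the enclosing IP header
    dst_ip: str
    src_port: int        # ports and sequence numbers come from the TCP header
    dst_port: int
    seq: int
    ack: int
    flags: int
    window: int
    payload_len: int


@dataclass
class Flow:
    client_isn: int                      # the SYN decides who is the client
    server_isn: Optional[int] = None
    state: str = "SYN_SENT"
    problems: List[str] = field(default_factory=list)


def build_tcp_segment(src_port, dst_port, seq, ack, flags, window=65535, payload=b""):
    """Pack a 20-byte TCP header with no options (constructed sample, checksum 0)."""
    offset_flags = (5 << 12) | flags     # data offset = 5 words = 20 bytes
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, window, 0, 0) + payload


def parse_tcp_segment(raw, src_ip, dst_ip):
    """Decode the fixed TCP header; addresses are supplied by the caller."""
    sp, dp, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    data_offset = (off_flags >> 12) * 4
    return Segment(src_ip, dst_ip, sp, dp, seq, ack, off_flags & 0x1FF, win,
                   len(raw) - data_offset)


def flag_string(flags):
    return "[" + ", ".join(n for bit, n in FLAG_NAMES if flags & bit) + "]"


class HandshakeTracker:
    """Follow SYN / SYN-ACK / ACK per 4-tuple and render Wireshark-style Info text."""

    def __init__(self):
        self.flows = {}  # (client_ip, client_port, server_ip, server_port) -> Flow

    @staticmethod
    def _info(seg, rel_seq, rel_ack):
        ack = f" Ack={rel_ack}" if seg.flags & ACK else ""   # Wireshark omits Ack on a bare SYN
        return f"{flag_string(seg.flags)} Seq={rel_seq}{ack} Win={seg.window} Len={seg.payload_len}"

    def feed(self, seg):
        kind = seg.flags & (SYN | ACK | RST)
        fwd = (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
        rev = (seg.dst_ip, seg.dst_port, seg.src_ip, seg.src_port)
        if kind == SYN:                                   # packet 1: client -> server
            self.flows[fwd] = Flow(client_isn=seg.seq)
            return self._info(seg, 0, None)
        if rev in self.flows:                             # server -> client direction
            flow = self.flows[rev]
            if kind == SYN | ACK and flow.state == "SYN_SENT":      # packet 2
                if seg.ack != (flow.client_isn + 1) & MASK32:
                    flow.problems.append("SYN-ACK Ack is not client ISN+1")
                flow.server_isn, flow.state = seg.seq, "SYN_RECEIVED"
            elif kind & RST and flow.state != "ESTABLISHED":        # closed port
                flow.state = "REFUSED"
            base = flow.server_isn if flow.server_isn is not None else seg.seq
            return self._info(seg, (seg.seq - base) & MASK32, (seg.ack - flow.client_isn) & MASK32)
        if fwd in self.flows:                             # client -> server direction
            flow = self.flows[fwd]
            rel_seq = (seg.seq - flow.client_isn) & MASK32
            rel_ack = (seg.ack - (flow.server_isn or 0)) & MASK32
            if kind == ACK and flow.state == "SYN_RECEIVED":        # packet 3
                if rel_seq == 1 and rel_ack == 1:
                    flow.state = "ESTABLISHED"
                else:
                    flow.problems.append("final ACK does not match the ISNs")
            return self._info(seg, rel_seq, rel_ack)
        return flag_string(seg.flags) + " (no SYN seen for this flow)"

    def report(self):
        return {f"{c_ip}:{c_port}->{s_ip}:{s_port}": (f.state, DIAGNOSIS[f.state], f.problems)
                for (c_ip, c_port, s_ip, s_port), f in self.flows.items()}


def sample_capture():
    """Constructed packets: (src_ip, dst_ip, raw_bytes) for four flows."""
    c, s, cisn, sisn = "10.0.0.5", "10.0.0.9", 0x1A2B3C4D, 0x5E6F7A8B
    return [
        (c, s, build_tcp_segment(51000, 443, cisn, 0, SYN)),                     # full handshake
        (s, c, build_tcp_segment(443, 51000, sisn, cisn + 1, SYN | ACK)),
        (c, s, build_tcp_segment(51000, 443, cisn + 1, sisn + 1, ACK)),
        (c, s, build_tcp_segment(51001, 8443, cisn + 100, 0, SYN)),              # filtered: silence
        (c, s, build_tcp_segment(51002, 22, cisn + 200, 0, SYN)),                # closed: RST
        (s, c, build_tcp_segment(22, 51002, 0, cisn + 201, RST | ACK, window=0)),
        (c, s, build_tcp_segment(51003, 80, cisn + 300, 0, SYN)),                # half-open
        (s, c, build_tcp_segment(80, 51003, sisn + 300, cisn + 301, SYN | ACK)),
    ]


def analyse(packets):
    """Return (Info column strings in capture order, per-flow diagnosis)."""
    tracker = HandshakeTracker()
    infos = [tracker.feed(parse_tcp_segment(raw, sip, dip)) for sip, dip, raw in packets]
    return infos, tracker.report()


if __name__ == "__main__":
    infos, report = analyse(sample_capture())
    print("\n".join(infos))
    for flow, (state, why, problems) in report.items():
        print(f"{flow}: {state} ({why}) {problems}")
```

Feeding the sample through `analyse` yields the same Info text the page lists for the three packets, `[SYN] Seq=0 Win=65535 Len=0`, `[SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0` and `[ACK] Seq=1 Ack=1 Win=65535 Len=0`, and the report maps the other three flows onto the three failure cases in the list above. On a real capture you would replace `sample_capture` with the TCP payloads and addresses read from a pcap; the tracker logic does not change.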
By learning to recognize the TCP 3-way handshake in Wireshark, you gain a fundamental skill for understanding TCP communication and diagnosing network connectivity issues.