To analyze the TCP Three-Way Handshake, you can use Wireshark to look for three specific packets at the very beginning of a connection. Here is how to find and understand them:
1. Identify the Handshake in Wireshark
After you have captured the traffic from your curl command:
- Apply a Filter: In the display filter bar at the top, type "tcp" and press Enter. This hides other traffic (like DNS or UDP) and shows only TCP segments.
- Look for Flags: Look at the "Info" column. You are searching for three consecutive packets between your IP and the server IP that look like this:
[SYN] (The synchronization request)
[SYN, ACK] (The server's acknowledgment and response)
[ACK] (Your final acknowledgment)
2. The Three Steps Explained
The handshake is how TCP ensures both sides are ready to talk:
- Step 1: SYN (Synchronize)
- Sent by: Your computer (the client).
- Purpose: "I want to start a connection. Here is my initial sequence number."
- Step 2: SYN-ACK (Synchronize-Acknowledgment)
- Sent by: The server (labex.io).
- Purpose: "I received your request! I also want to connect. Here is my sequence number and I acknowledge yours."
- Step 3: ACK (Acknowledgment)
- Sent by: Your computer.
- Purpose: "Got it! We are now connected and ready to transfer data."
3. Deep Dive into Packet Details
If you click on one of these packets (e.g., the SYN packet):
- Look at the Middle Pane (Packet Details).
- Expand the Transmission Control Protocol section.
- Expand the Flags field. You will see that the specific bit for "Syn" or "Acknowledgment" is set to 1 (True).
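As an added example (not part of this lab or of Wireshark), the following script reads the same flag bits, sequence and acknowledgment numbers from raw TCP headers and checks that three segments form a valid SYN / SYN-ACK / ACK exchange, the way you would verify it by hand in the Packet Details pane. The ports, addresses and initial sequence numbers are constructed sample values, not from a real capture.

```python
import struct

# Constructed sample values: a client on port 40000 talking to a web server on port 80.
CLIENT_ISN = 1000   # client's initial sequence number (made up)
SERVER_ISN = 5000   # server's initial sequence number (made up)
SYN, ACK = 0x02, 0x10   # TCP flag bits, as shown in Wireshark's "Flags" field

def tcp_header(src_port, dst_port, seq, ack, flags):
    """Build a minimal 20-byte TCP header (data offset 5, window 65535, checksum left 0)."""
    offset_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, offset_flags, 65535, 0, 0)

def parse_tcp(raw):
    """Return the fields the text tells you to inspect: ports, seq, ack and the SYN/ACK bits."""
    src, dst, seq, ack, off_flags, _, _, _ = struct.unpack("!HHIIHHHH", raw[:20])
    flags = off_flags & 0x1FF
    return {"src": src, "dst": dst, "seq": seq, "ack": ack,
            "syn": bool(flags & SYN), "ack_flag": bool(flags & ACK)}

def find_handshake(segments):
    """Locate three consecutive segments forming SYN, SYN-ACK, ACK with consistent numbers.
    Returns the three parsed segments, or None if no complete handshake is present
    (for example when the server never answers or a firewall drops the SYN)."""
    parsed = [parse_tcp(s) for s in segments]
    for i in range(len(parsed) - 2):
        a, b, c = parsed[i], parsed[i + 1], parsed[i + 2]
        if not (a["syn"] and not a["ack_flag"]):
            continue   # Step 1 must be a bare SYN from the client
        if not (b["syn"] and b["ack_flag"] and b["ack"] == a["seq"] + 1
                and b["src"] == a["dst"] and b["dst"] == a["src"]):
            continue   # Step 2: SYN-ACK from the server, acknowledging client ISN + 1
        if not (c["ack_flag"] and not c["syn"] and c["ack"] == b["seq"] + 1
                and c["src"] == a["src"] and c["seq"] == a["seq"] + 1):
            continue   # Step 3: bare ACK from the client, acknowledging server ISN + 1
        return [a, b, c]
    return None

# Constructed "capture": the three handshake segments in order.
CAPTURE = [
    tcp_header(40000, 80, CLIENT_ISN, 0, SYN),                    # [SYN]
    tcp_header(80, 40000, SERVER_ISN, CLIENT_ISN + 1, SYN | ACK), # [SYN, ACK]
    tcp_header(40000, 80, CLIENT_ISN + 1, SERVER_ISN + 1, ACK),   # [ACK]
]

if __name__ == "__main__":
    result = find_handshake(CAPTURE)
    print("complete handshake found" if result else "no complete handshake (server silent or blocked?)")
```

A capture that contains only repeated SYNs (retransmissions with no reply) makes find_handshake return None, which is the "firewall blocking" case the text mentions.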
4. Pro Tip: Time Sequence
You can also see this visually!
- Go to the top menu: Statistics -> Flow Graph.
- Change the "Flow type" to TCP Flows.
- You will see a clear diagram of the lines going back and forth, starting with SYN, SYN-ACK, and ACK.
By understanding the handshake, you can verify if a server is responding or if a firewall is blocking the connection! Ready to try finding these in your capture.pcapng file?