help with a strange three way handshake

11-26-2007, 04:09 PM

I've got this dump

# syn
11:32:50.415885 SERVERONE.34877 > SERVERTWO.smtp: S
500330151:500330151(0) win 5840 <mss 1380,sackOK,timestamp 3229915070
0,nop,wscale 0> (DF) (ttl 52, id 36410, len 60)

# syn ack double why? Maybe a long time whitout an answer so we have
retrasmission?
11:32:50.416164 SERVERTWO.smtp > SERVERONE.34877: S
3005103307:3005103307(0) ack 500330152 win 5792 <mss
1460,sackOK,timestamp 2251114386 3229915070,nop,wscale 2> (DF) (ttl
64, id 0, len 60)
11:32:54.515189 SERVERTWO.smtp > SERVERONE.34877: S
3005103307:3005103307(0) ack 500330152 win 5792 <mss
1460,sackOK,timestamp 2251115411 3229915070,nop,wscale 2> (DF) (ttl
64, id 0, len 60)

# half "ack", indeed no S flag but mss and sackOK that have not to be
here ..
11:32:54.520263 SERVERONE.34877 > SERVERTWO.smtp: . ack 1 win 5792
<mss 1460,sackOK,timestamp 2251115411 3229915070,nop,wscale 2> (DF)
(ttl 39, id 0, len 60)

Someone can explain me this strange "three way" that indeed is not
functioning at all, the subsequent packets dump is

11:32:54.520502 SERVERTWO.smtp > SERVERONE.34877: . ack 1 win 5792
<nop,nop,timestamp 2251115412 3229915070> (DF) (ttl 64, id 0, len 52)
11:33:00.519293 SERVERTWO.smtp > SERVERONE.34877: S
3005103307:3005103307(0) ack 500330152 win 5792 <mss
1460,sackOK,timestamp 2251116912 3229915070,nop,wscale 2> (DF) (ttl
64, id 0, len 60)
11:33:00.524286 SERVERONE.34877 > SERVERTWO.smtp: . ack 1 win 5792
<mss 1460,sackOK,timestamp 2251116912 3229915070,nop,wscale 2> (DF)
(ttl 39, id 0, len 60)
11:33:00.524489 SERVERTWO.smtp > SERVERONE.34877: . ack 1 win 5792
<nop,nop,timestamp 2251116912 3229915070> (DF) (ttl 64, id 0, len 52)
11:33:12.519379 SERVERTWO.smtp > SERVERONE.34877: S
3005103307:3005103307(0) ack 500330152 win 5792 <mss
1460,sackOK,timestamp 2251119912 3229915070,nop,wscale 2> (DF) (ttl
64, id 0, len 60)
11:33:12.524171 SERVERONE.34877 > SERVERTWO.smtp: . ack 1 win 5792
<mss 1460,sackOK,timestamp 2251119912 3229915070,nop,wscale 2> (DF)
(ttl 39, id 0, len 60)
11:33:12.524390 SERVERTWO.smtp > SERVERONE.34877: . ack 1 win 5792
<nop,nop,timestamp 2251119912 3229915070> (DF) (ttl 64, id 0, len 52)
11:33:36.731392 SERVERTWO.smtp > SERVERONE.34877: S
3005103307:3005103307(0) ack 500330152 win 5792 <mss
1460,sackOK,timestamp 2251125965 3229915070,nop,wscale 2> (DF) (ttl
64, id 0, len 60)
11:33:36.736748 SERVERONE.34877 > SERVERTWO.smtp: . ack 1 win 5792
<mss 1460,sackOK,timestamp 2251125965 3229915070,nop,wscale 2> (DF)
(ttl 39, id 0, len 60)
11:33:36.736985 SERVERTWO.smtp > SERVERONE.34877: . ack 1 win 5792
<nop,nop,timestamp 2251125965 3229915070> (DF) (ttl 64, id 0, len 52)
11:34:24.943542 SERVERTWO.smtp > SERVERONE.34877: S
3005103307:3005103307(0) ack 500330152 win 5792 <mss
1460,sackOK,timestamp 2251138018 3229915070,nop,wscale 2> (DF) (ttl
64, id 0, len 60)
11:34:24.950072 SERVERONE.34877 > SERVERTWO.smtp: . ack 1 win 5792
<mss 1460,sackOK,timestamp 2251138018 3229915070,nop,wscale 2> (DF)
(ttl 39, id 0, len 60)
11:34:24.950314 SERVERTWO.smtp > SERVERONE.34877: . ack 1 win 5792
<nop,nop,timestamp 2251138019 3229915070> (DF) (ttl 64, id 0, len 52)
11:37:50.410027 SERVERONE.34877 > SERVERTWO.smtp: F 1:1(0) ack 1 win
5840 <nop,nop,timestamp 3229945068 2251138019> (DF) (ttl 52, id 36412,
len 52)
11:37:50.410264 SERVERTWO.smtp > SERVERONE.34877: R
3005103308:3005103308(0) win 0 (DF) (ttl 64, id 0, len 40)

As you see we have a reset at the end.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
TCP connect handshake	stargazer3p14@gmail.com	Linux Networking	10	11-27-2007 09:22 PM
4-Way Handshake	Alexandr Mishagin	Wireless Networks	1	05-10-2005 05:40 PM
WPA-PSK handshake	neelaka	Wireless Networks	1	01-27-2005 11:27 AM
Is it possible to record a DHCP handshake?	Elias Aarnio	Linux Networking	1	12-06-2004 02:15 PM
IKE HANDSHAKE	Giobbe	Linux Networking	0	11-25-2004 12:35 PM