0

When I create a simple http server (a socket listening to a port) I don't see the actual TCP handshake taking place. Why is that? Why is it hidden from me?

For example if I start a server on port 9822 like this:

nc -l 9822

And then I open my web browser and go to that address, I only see the HTTP request but not the TCP handshake with ACK, SYN

liga@linux:~$ nc -l 9822
GET / HTTP/1.1
Host: 192.168.1.10:9822
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,lv;q=0.8,tr;q=0.7

But wait, where is the TCP handshake?

Liga
  • 135
  • 2
  • 12

1 Answers1

3

I think you have the wrong expectations where the SYN etc should be visible. These are only flags on the TCP packets and are not part of the actual application payload. But netcat only shows the actual payload. To see the TCP level details you need to use a packet capture tool like tcpdump or wireshark.

Steffen Ullrich
  • 13,227
  • 27
  • 39
  • So it's not possible to make netcat show the full packet instead of only the payload? – Liga Feb 03 '20 at 08:10
  • 1
    @Liga: No, netcat does not even see the "full packet" since with the socket API it only gets the actual application data. It doesn't even know if some data were transferred in one packet or multiple packets. – Steffen Ullrich Feb 03 '20 at 08:19