
Linux spends 3 packets to establish a TCP connection and 3 packets to close it, as shown by the tcpdump capture:

# establishing TCP connection
22:37:09.150456 IP 127.0.0.1.49327 > 127.0.0.1.8000: Flags [S], seq 598953185, win 65535, options [mss 1368,nop,wscale 4,nop,nop,TS val 808887890 ecr 0,sackOK,eol], length 0
22:37:09.150498 IP 127.0.0.1.8000 > 127.0.0.1.49327: Flags [S.], seq 1017784291, ack 598953186, win 14480, options [mss 1460,sackOK,TS val 116674605 ecr 808887890,nop,wscale 6], length 0
22:37:09.159764 IP 127.0.0.1.49327 > 127.0.0.1.8000: Flags [.], ack 1, win 8220, options [nop,nop,TS val 808887900 ecr 116674605], length 0

# closing TCP connection
22:37:18.297179 IP 127.0.0.1.49327 > 127.0.0.1.8000: Flags [F.], seq 1, ack 1, win 8220, options [nop,nop,TS val 808897004 ecr 116674605], length 0
22:37:18.297426 IP 127.0.0.1.8000 > 127.0.0.1.49327: Flags [F.], seq 1, ack 2, win 227, options [nop,nop,TS val 116676892 ecr 808897004], length 0
22:37:18.308698 IP 127.0.0.1.49327 > 127.0.0.1.8000: Flags [.], ack 2, win 8220, options [nop,nop,TS val 808897016 ecr 116676892], length 0

but on OS X there are 4 packets to establish a TCP connection and 5 packets to close it, as shown by the tcpdump capture:

# establishing TCP connection
22:37:54.586720 IP 127.0.0.1.49341 > 127.0.0.1.6060: Flags [S], seq 2470554991, win 65535, options [mss 16344,nop,wscale 4,nop,nop,TS val 808939126 ecr 0,sackOK,eol], length 0
22:37:54.586765 IP 127.0.0.1.6060 > 127.0.0.1.49341: Flags [S.], seq 1700081564, ack 2470554992, win 65535, options [mss 16344,nop,wscale 4,nop,nop,TS val 808939126 ecr 808939126,sackOK,eol], length 0
22:37:54.586774 IP 127.0.0.1.49341 > 127.0.0.1.6060: Flags [.], ack 1, win 9186, options [nop,nop,TS val 808939126 ecr 808939126], length 0
22:37:54.586781 IP 127.0.0.1.6060 > 127.0.0.1.49341: Flags [.], ack 1, win 9186, options [nop,nop,TS val 808939126 ecr 808939126], length 0

# closing TCP connection
22:38:00.631596 IP 127.0.0.1.49341 > 127.0.0.1.6060: Flags [F.], seq 1, ack 1, win 9186, options [nop,nop,TS val 808945145 ecr 808939126], length 0
22:38:00.631631 IP 127.0.0.1.6060 > 127.0.0.1.49341: Flags [.], ack 2, win 9186, options [nop,nop,TS val 808945145 ecr 808945145], length 0
22:38:00.631641 IP 127.0.0.1.49341 > 127.0.0.1.6060: Flags [.], ack 1, win 9186, options [nop,nop,TS val 808945145 ecr 808945145], length 0
22:38:00.631719 IP 127.0.0.1.6060 > 127.0.0.1.49341: Flags [F.], seq 1, ack 2, win 9186, options [nop,nop,TS val 808945145 ecr 808945145], length 0
22:38:00.631768 IP 127.0.0.1.49341 > 127.0.0.1.6060: Flags [.], ack 2, win 9186, options [nop,nop,TS val 808945145 ecr 808945145], length 0

What do the extra packets do?

Rio
  • Did you ever find this out outside of this site? I looked at this a lot, I even went as far as setting up FreeBSD to see if this was a Unix network stack behaviour (it wasn't) and taking packet captures from a friend's Macbook to see if I could figure it out (I couldn't). – suprjami Apr 23 '14 at 13:54

2 Answers


Just as you saw, after the three-way handshake there is a TCP datagram without a body. But the win value changes from 65535 to 9186.

If you use the Wireshark tool to dump the TCP packets, you will see this:

TCP Window Update from 65535 to 9186.

[Image: Wireshark TCP three-way handshake on OSX]

Andrew Schulman

This might have something to do with TCP delayed acknowledgment. OSX seems to have this enabled.

On a side note:

Maybe you should try Wireshark to analyze network traffic. It has helpful additional information in its GUI to help you understand every bit of a packet.

Christopher Perrin
    tcpdump is perfectly valid for looking at this. The information is not easier to access in wireshark if you have to 1) install a GUI, 2) install wireshark. – Jed Daniels Jul 22 '13 at 03:02
  • I think we have a misunderstanding. Wireshark has of course the overhead of a GUI, but this is an advantage as well. The GUI has lots of useful information on the flags and every bit of a packet. This is helpful to understand something like this better. – Christopher Perrin Jul 22 '13 at 05:54
  • If you don't have a GUI, you can, at least the way Wireshark is packaged for many Linux distributions, just install the tty-mode version, TShark (although you have to figure out what the name of that package is). For OS X, however, the Wireshark developers only offer a full-blown package with both Wireshark and TShark, and it currently requires that you "install a GUI" in the sense of installing X11. –  Jul 22 '13 at 16:22
  • `tshark` comes in the `wireshark` package, along with other commandline tools such as `editcap`. At least that's the case in RHEL/CentOS and Fedora. – suprjami Jul 23 '13 at 10:28