
I have a scenario: I'm analyzing SSL (decrypted) traffic to my webserver. I'm investigating server and end-to-end delay issues. In the middle of this I'm stuck on the following traffic pattern, for which I need some advice/suggestions. The pattern shows:

 client       server
src port 1 -> 80 (syn)
src port 2 -> 80 (syn)
src port 3 -> 80 (syn)
src port 4 -> 80 (syn)
.....

 server        client
src port 80 -> 1  (syn/ack)
src port 80 -> 2  (syn/ack)

client         server
src port 1 -> 80  (ack)
src port 2 -> 80  (ack)

After completion of the handshake I see an "http get request" from the client. My issue is:

  1. Why are multiple SYNs sent from the client to the server from different source ports?

A sample SYN request just for analysis looks like

694 47.583499000    192.168.1.56    192.168.1.22    TCP 66  0.000173000 50844→80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1

Please help me understand this behavior.

Sven
asad

1 Answer


This is part of the way browsers work. When a webpage loads, you may get a chunked response. If you have an HTML reference to an image in the first chunk, there is no need to wait until the end of the stream to begin trying to load the image, since the bottleneck could be processing related, not network related. Therefore, you can decrease page load times by opening a second connection to a web server to request that image, rather than requesting it after the HTML has finished loading (for example).

Therefore, browsers will open multiple connections for every page view. You can see the limits each browser uses for the number of connections it opens here:

https://stackoverflow.com/a/985704/3127174

James Shewey
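To check a capture for the parallel-connection pattern described in the answer, the following added example (not part of the original question or answer) parses Wireshark summary lines in the layout quoted in the question and tracks each client source port through SYN, SYN/ACK and ACK. The function name `summarize`, the state labels and all sample lines after the first are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Wireshark summary-line layout as quoted in the question:
# no, time, src, dst, proto, len, delta, "sport→dport", [flags]
LINE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+\d+\s+[\d.]+\s+"
    r"(?P<sport>\d+)→(?P<dport>\d+)\s+\[(?P<flags>[A-Z, ]+)\]"
)

# Constructed sample: the first line is the packet from the question, the rest are made up.
SAMPLE = """\
694 47.583499000    192.168.1.56    192.168.1.22    TCP 66  0.000173000 50844→80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
695 47.583700000    192.168.1.56    192.168.1.22    TCP 66  0.000201000 50845→80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
696 47.583900000    192.168.1.56    192.168.1.22    TCP 66  0.000200000 50846→80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
697 47.584100000    192.168.1.22    192.168.1.56    TCP 66  0.000200000 80→50844 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460
698 47.584200000    192.168.1.22    192.168.1.56    TCP 66  0.000100000 80→50845 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460
699 47.584400000    192.168.1.56    192.168.1.22    TCP 54  0.000200000 50844→80 [ACK] Seq=1 Ack=1 Win=65700 Len=0
700 47.584500000    192.168.1.56    192.168.1.22    TCP 54  0.000100000 50845→80 [ACK] Seq=1 Ack=1 Win=65700 Len=0
"""

def summarize(text, server_port=80):
    """Per client IP: SYNs sent, handshakes completed, connections left half-open."""
    state = {}  # (client_ip, client_port) -> "SYN" | "SYN-ACK" | "ESTABLISHED"
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a TCP summary line in the expected layout
        flags = {f.strip() for f in m["flags"].split(",")}
        sport, dport = int(m["sport"]), int(m["dport"])
        if dport == server_port and flags == {"SYN"}:
            state.setdefault((m["src"], sport), "SYN")  # retransmitted SYNs count once
        elif sport == server_port and flags == {"SYN", "ACK"}:
            key = (m["dst"], dport)
            if state.get(key) == "SYN":
                state[key] = "SYN-ACK"
        elif dport == server_port and flags == {"ACK"}:
            key = (m["src"], sport)
            if state.get(key) == "SYN-ACK":
                state[key] = "ESTABLISHED"
    out = defaultdict(lambda: {"syn": 0, "established": 0, "half_open": 0})
    for (client, _), st in state.items():
        out[client]["syn"] += 1
        out[client]["established" if st == "ESTABLISHED" else "half_open"] += 1
    return dict(out)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A small number of source ports per client, each reaching the established state, matches the browser behaviour the answer describes; ports still half-open at the end of the capture are the ones to look at when investigating delay.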