
I'm trying to see a simple 3-Way Handshake using telnet on the Client side and tcpdump on the Server side; both Client and Server are inside VMs.
I use telnet this way:

telnet 172.10.10.21 80

On the server side, I look at the tcpdump trace:

18:09:33.669452 IP 172.10.10.11.43124 > 172.10.10.21.http: Flags [S], seq 803884468, win 29200, options [mss 1460,sackOK,TS val 1452463 ecr 0,nop,wscale 7], length 0
18:09:33.669727 IP 172.10.10.21.http > 172.10.10.11.43124: Flags [S.], seq 2031277521, ack 803884469, win 28960, options [mss 1460,sackOK,TS val 1451501 ecr 1452463,nop,wscale 6], length 0
18:09:33.670525 IP 172.10.10.11.43124 > 172.10.10.21.http: Flags [.], ack 2031277522, win 229, options [nop,nop,TS val 1452463 ecr 1451501], length 0

So we can see the 3-Way handshake.
But when looking at the TCP state on the server side, it's still in SYN_RECV. About 30 seconds later, we can see new things in tcpdump:

18:10:04.667812 IP 172.10.10.21.http > 172.10.10.11.43124: Flags [S.], seq 2031277521, ack 803884469, win 28960, options [mss 1460,sackOK,TS val 1459251 ecr 1452463,nop,wscale 6], length 0
18:10:04.669330 IP 172.10.10.11.43124 > 172.10.10.21.http: Flags [.], ack 2031277522, win 229, options [nop,nop,TS val 1460213 ecr 1451501], length 0

Another SYN+ACK is sent by the Server.
It looks like it didn't receive the ACK from the Client the first time.
This time, the TCP state on the server side is ESTABLISHED. Why didn't it establish the connection the first time?
I've tried several times, and still got the same result.

JoeJoe
  • Would you mind ordering your outputs by line? It's hard to read. – Broco Mar 29 '18 at 09:24
  • @Broco Yes, it's done – JoeJoe Mar 29 '18 at 09:30
  • We might need some more info, firewall, used system... also, on the top yellow box, you said "On the server side", but you mean client, right? – Broco Mar 29 '18 at 09:56
  • @Broco I'm using Ubuntu Server 16.04.3 with default configuration on both sides. I think it's on the server side, because I run tcpdump on the VM with the Apache server installed (172.10.10.21), and use telnet from 172.10.10.11. Let me know if it's unclear or if I'm missing something – JoeJoe Mar 29 '18 at 11:15
  • Well, tried it with port 22 and the TCP state on the server side is ESTABLISHED at the "first" 3-Way Handshake. Maybe this behavior is specific to port 80. – JoeJoe Apr 06 '18 at 07:47
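
The pattern described in the question can be picked out of a capture mechanically. The following is an added example, not part of the original post: it parses default tcpdump text output, flags any SYN+ACK repeated with the same seq/ack, and counts how many handshake-completing ACKs had already been captured before the repeat. It assumes absolute sequence numbers, as in the trace above; the function names are hypothetical.

```python
import re
from datetime import datetime

# The five tcpdump lines from the question (TCP options trimmed for width).
TRACE = """\
18:09:33.669452 IP 172.10.10.11.43124 > 172.10.10.21.http: Flags [S], seq 803884468, win 29200, length 0
18:09:33.669727 IP 172.10.10.21.http > 172.10.10.11.43124: Flags [S.], seq 2031277521, ack 803884469, win 28960, length 0
18:09:33.670525 IP 172.10.10.11.43124 > 172.10.10.21.http: Flags [.], ack 2031277522, win 229, length 0
18:10:04.667812 IP 172.10.10.21.http > 172.10.10.11.43124: Flags [S.], seq 2031277521, ack 803884469, win 28960, length 0
18:10:04.669330 IP 172.10.10.11.43124 > 172.10.10.21.http: Flags [.], ack 2031277522, win 229, length 0
"""

LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]+)\](?:, seq (?P<seq>\d+))?(?:, ack (?P<ack>\d+))?"
)

def parse(trace):
    """Yield one dict per TCP line of default tcpdump text output."""
    for line in trace.splitlines():
        m = LINE.match(line)
        if m:
            pkt = m.groupdict()
            # Time of day only: a capture that crosses midnight is not handled.
            pkt["ts"] = datetime.strptime(pkt["ts"], "%H:%M:%S.%f")
            yield pkt

def synack_retransmits(trace):
    """Find SYN+ACKs repeated with identical seq/ack, and count the
    handshake-completing ACKs captured before each repeat."""
    first_seen, acks, findings = {}, {}, []
    for pkt in parse(trace):
        if pkt["flags"] == "S.":
            key = (pkt["src"], pkt["dst"], pkt["seq"], pkt["ack"])
            if key not in first_seen:
                first_seen[key], acks[key] = pkt["ts"], 0
                continue
            findings.append({
                "server": pkt["src"], "client": pkt["dst"],
                "delay_s": (pkt["ts"] - first_seen[key]).total_seconds(),
                "acks_captured_before": acks[key],
            })
        elif pkt["flags"] == "." and pkt["ack"]:
            for key in first_seen:
                src, dst, seq, _ = key
                # A bare ACK from the client acknowledging server ISN + 1.
                if (src, dst) == (pkt["dst"], pkt["src"]) and int(seq) + 1 == int(pkt["ack"]):
                    acks[key] += 1
    return findings

if __name__ == "__main__":
    for finding in synack_retransmits(TRACE):
        print(finding)
```

On the question's trace this reports one repeated SYN+ACK about 31 seconds after the first, with one client ACK already captured in between.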

0 Answers