This is a static archive of our old Q&A Site. Please post any new questions and answers at

How to capture http 3-way handshake?


How to capture the NATed out-bound HTTP syn request and inbound HTTP responses in a 3-way handshake process; identify our public IP address and our device’s private IP address?

asked 19 Aug '14, 19:47

randy%20S's gravatar image

randy S
accept rate: 0%

edited 19 Aug '14, 19:49

One Answer:


Hi Randy,

One way would be to trace on the inside and the outside interfaces of the firewall. If you can use one PC with two NICs that would be good because both traces will be timestamped by one clock and so pretty closely synchronized. If must use two PCs, try to manually sync the clocks on them as best you can. Capture the traces and the match the packets in each trace using the detsination Internet address (the server the PC is trying to talk to) and the TCP sequence numbers (usually the firewall NAT doesn't change these). Remember to switch off the TCP protocol preference "Relative Sequence Numbers" in Wireshark so that you get distinctive sequence numbers.

Best regards...Paul

answered 20 Aug '14, 06:29

PaulOfford's gravatar image

accept rate: 11%