This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Multiple SYNs, SYN/ACK and ACK received for a single connection?

0

I have a scenario: I'm analyzing SSL (decrypted) traffic to my webserver. I'm investigating server and end-to-end delay issues. In between this I'm stuck at the following traffic pattern, for which I need some advice/suggestions. The pattern shows:

 client       server
src port 1 -> 80 (syn)
src port 2 -> 80 (syn)
src port 3 -> 80 (syn)
src port 4 -> 80 (syn)
.....

 server       client
src port 80 -> 1 (syn/ack)
src port 80 -> 2 (syn/ack)

 client       server
src port 1 -> 80 (ack)
src port 2 -> 80 (ack)

After completion of the handshake I see an “HTTP GET request” from the client. My issues are:

  1. Why are multiple SYNs sent from the client to the server from different source ports?
  2. Why does the server choose to reply NOT on all ports? Mainly the SYN/ACK is received by the first 3 ports.
  3. Multiple ACKs to different ports?

A sample SYN request, just for analysis, looks like:

“694 47.583499000 192.168.1.56 192.168.1.22 TCP 66 0.000173000 50844→80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1”

Please help me understand this behavior.

asked 04 Aug ‘15, 08:03

lazerz
4181014
accept rate: 0%


One Answer:

1
  1. That depends on the implementation of your client.
  2. The server may have only so many processes/threads/workers available to handle connections.
  3. Each SYN from an IP:port is a new (TCP) connection, and therefore requires its own ACK.

answered 04 Aug '15, 08:33

Jaap ♦
11.7k16101
accept rate: 14%

This being said, I'm experiencing the same behavior from different machines. As for load on the server, in that case why am I not seeing timeouts or retransmissions etc.?

(04 Aug '15, 08:48) lazerz
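
The per-connection view behind point 3 of the answer, as an added example that is not part of the original thread: it groups Wireshark summary lines by (client IP, client port, server IP, server port) and reports how far each handshake got. The capture text is constructed (only frame 694 is the line quoted in the question), and the state labels are this example's own.

```python
import re

# Constructed capture in the column layout of the line quoted in the question:
# No., Time, Source, Destination, Protocol, Length, delta, Info.
# Only frame 694 comes from the page; all other frames are made up.
SAMPLE = """\
694 47.583499000 192.168.1.56 192.168.1.22 TCP 66 0.000173000 50844→80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
695 47.583651000 192.168.1.56 192.168.1.22 TCP 66 0.000152000 50845→80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
696 47.583790000 192.168.1.56 192.168.1.22 TCP 66 0.000139000 50846→80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
697 47.584010000 192.168.1.22 192.168.1.56 TCP 66 0.000220000 80→50844 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
698 47.584120000 192.168.1.22 192.168.1.56 TCP 66 0.000110000 80→50845 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
699 47.584260000 192.168.1.56 192.168.1.22 TCP 54 0.000140000 50844→80 [ACK] Seq=1 Ack=1 Win=65700 Len=0
700 47.584330000 192.168.1.56 192.168.1.22 TCP 54 0.000070000 50845→80 [ACK] Seq=1 Ack=1 Win=65700 Len=0
"""

# An optional "[TCP ...]" note (e.g. a retransmission marker) may precede the ports.
LINE = re.compile(
    r"^(\d+) \S+ (\S+) (\S+) TCP \d+ \S+ (?:\[TCP [^\]]+\] )?(\d+)→(\d+) \[([A-Z, ]+)\]"
)

def handshake_states(text):
    """Map (client_ip, client_port, server_ip, server_port) -> handshake state."""
    conns = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a TCP summary line in the expected layout
        _, src, dst, sport, dport, flags = m.groups()
        flags = set(flags.split(", "))
        forward = (src, int(sport), dst, int(dport))   # client -> server direction
        reverse = (dst, int(dport), src, int(sport))   # server -> client direction
        if flags == {"SYN"}:
            # A new source port means a new connection; a repeated SYN keeps its state.
            conns.setdefault(forward, "SYN_SENT")
        elif flags == {"SYN", "ACK"} and conns.get(reverse) == "SYN_SENT":
            conns[reverse] = "SYN_ACK_SEEN"
        elif flags == {"ACK"} and conns.get(forward) == "SYN_ACK_SEEN":
            conns[forward] = "ESTABLISHED"
    return conns

if __name__ == "__main__":
    for (cip, cport, sip, sport), state in handshake_states(SAMPLE).items():
        print(f"{cip}:{cport} -> {sip}:{sport}  {state}")
```

Connections left in `SYN_SENT` are the ones worth checking for later SYN retransmissions or resets in the full capture.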