This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Question in regard to TCP Streams.

0

Dear All

Currently I'm trying to investigate a "possible" network issue for one of our customers but since I've only just had a course in Wireshark and basic TCP knowledge, I was hoping that one of you guys would be able to help me out.

The client is experiencing some performance issues towards one of their applications. After an initial analysis and following 1 particular TCP stream, I've noticed that during the timeframe in which these issues were found a TCP 3-way handshake was set up in less than 1 ms. This is good and I expected such. The service on the server is a webserver.

What I then noticed is that after the 3-way handshake for 53 seconds (TCP Delta) there was no communication and all of a sudden a GET request from the client towards the server. It looks to me that a TCP session was established towards the application and all other queries (GET requests, POST requests) were being sent within 1 TCP stream. Is this normal and even performant? I would expect this to be causing quite some issues if lots of hosts try to connect towards 1 particular server (connection tables being filled up and the like).

Any information would be greatly appreciated!

Thanks all!

asked 13 Jan '16, 05:57

Herazio
accept rate: 0%


One Answer:

1

Reuse of a single TCP session for several requests in a row is in fact saving resources rather than wasting them.

Dangerously simplifying: depending on the scenario, the "connection tables" have to contain the data about a session for some time after its closure, so if you establish a new session from the same client to the same server during that time, you occupy two "rows of the connection tables" instead of one. Plus, if you decided to systematically use a separate session for each request even if some of the previous requests have not been responded to yet (and so their respective sessions would still be active), you could waste even several "rows in the connection tables" for a single client.

So the usual habit is to establish a TCP session at the occurrence of the first application request and keep it open until some inactivity timer expires or until the related application or e.g. browser window is closed.

Therefore, to find out whether the gap between setting up the TCP session and using it to deliver the first request ever is logical or suspicious, you have to look at the application behaving like this. For a human-controlled web browser it is surely a strange behaviour; for some automated communication tool using HTTP it may not be.

answered 13 Jan '16, 07:03

sindy
accept rate: 24%
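
An added example, not part of the original thread: a small Python script that reports, per TCP stream, how long the handshake took, how long the connection sat idle before its first HTTP request, and how many requests reused it. The input lines are constructed to resemble the situation in the question, and the 5-second `long_idle_s` threshold is an arbitrary assumption.

```python
from collections import defaultdict

# Constructed sample, in the shape produced by (all are real tshark fields):
#   tshark -r capture.pcap -T fields -E separator=, -e tcp.stream -e frame.time_relative
#          -e tcp.flags.syn -e tcp.flags.ack -e tcp.len -e http.request.method
SAMPLE = """\
0,0.000000,1,0,0,
0,0.000400,1,1,0,
0,0.000700,0,1,0,
0,53.100000,0,1,412,GET
0,61.500000,0,1,530,POST
1,2.000000,1,0,0,
1,2.000300,1,1,0,
1,2.000600,0,1,0,
1,2.004000,0,1,390,GET
"""

def _flag(value):
    # tshark prints booleans as 1/0 or True/False depending on version
    return value.strip().lower() in ("1", "true")

def analyze(text, long_idle_s=5.0):
    """Per stream: handshake time, idle gap before first request, request count."""
    streams = defaultdict(lambda: {"requests": 0})
    for line in text.splitlines():
        if not line.strip():
            continue
        sid, t, syn, ack, length, method = line.split(",")
        s, t = streams[int(sid)], float(t)
        if _flag(syn) and not _flag(ack):
            s.setdefault("syn", t)       # client SYN (retransmissions ignored)
        elif "syn" in s and _flag(ack) and not _flag(syn):
            s.setdefault("done", t)      # first ACK after the SYN/ACK ends the handshake
        if method:
            s["requests"] += 1
            s.setdefault("first", t)     # time of the first HTTP request on this stream
    report = {}
    for sid, s in streams.items():
        if "done" not in s or "first" not in s:
            continue                     # handshake or requests missing from the capture
        gap = round(s["first"] - s["done"], 3)
        report[sid] = {
            "handshake_ms": round((s["done"] - s["syn"]) * 1000, 3),
            "idle_gap_s": gap, "requests": s["requests"], "long_idle": gap > long_idle_s,
        }
    return report
```

Streams whose handshake was not captured are skipped rather than guessed at, so a capture started mid-session does not produce misleading gaps.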