Recently I ran into a strange phenomenon: the server sends FIN/ACK at the same time without getting a prior FIN from the client (there was no FIN from the client in my Wireshark dump, at least).
As far as I know, a normal TCP disconnection is a 4-way handshake like FIN-ACK-FIN-ACK or a 3-way one like FIN - ACK/FIN - ACK, so if someone sends FIN/ACK there should be a prior FIN from the counterpart to signal 'no more data to send & connection will be closed'.
I'm not sure whether this is just a missing packet, because I used port mirroring to grab the packets, or whether it can happen normally.
Any ideas on this? Has nobody experienced this before?
asked 02 Mar '16, 00:56
There is no requirement for the client to send the first FIN. Either side (client or server) can send it whenever they want to signal "that's it, I have nothing more to say". It also doesn't mean that the other side has to signal the same - it can continue to send data as much as it likes.
In the end you should see the connection terminate with 2 FINs and 2 ACKs belonging to the FINs. Sometimes you also see FIN - ACK - RST, where one side closes the connection with a rather harsh reset flag. If you have only one FIN flag (and no RST) your connection is technically still open.
Be aware that FIN flags are often piggybacked on data packets, which makes them easy to overlook. You should isolate your TCP connection first, and then search for FIN flagged packets within the connection to check if there are two FINs.
answered 02 Mar '16, 03:55
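The check described in the answer above (isolate each connection, then look for a FIN from each side, including FINs carried on data packets), as an added example that is not part of the original post. It assumes the capture was exported with the tshark field output shown in the comment; the sample lines and the `classify_streams` name are constructed for illustration.

```python
from collections import defaultdict

FIN, RST = 0x01, 0x04  # bit values inside tcp.flags

# Constructed sample (not from the capture discussed above), tab-separated as
# exported by (assumed invocation): tshark -r capture.pcap -T fields
#   -e tcp.stream -e ip.src -e tcp.srcport -e tcp.flags -e tcp.len
SAMPLE = "\n".join([
    "0\t10.0.0.5\t51000\t0x0018\t120",  # client data
    "0\t10.0.0.9\t443\t0x0019\t310",    # server FIN+PSH+ACK carrying data
    "0\t10.0.0.5\t51000\t0x0011\t0",    # client FIN+ACK
    "0\t10.0.0.9\t443\t0x0010\t0",      # server ACK
    "1\t10.0.0.5\t51001\t0x0018\t80",
    "1\t10.0.0.9\t443\t0x0011\t0",      # the only FIN seen in this stream
    "1\t10.0.0.5\t51001\t0x0010\t0",
    "2\t10.0.0.5\t51002\t0x0011\t0",    # FIN - ACK - RST
    "2\t10.0.0.9\t443\t0x0010\t0",
    "2\t10.0.0.9\t443\t0x0014\t0",
])

def classify_streams(text):
    """Map tcp.stream -> (state, FIN senders, senders whose FIN carried data)."""
    fins, piggy = defaultdict(set), defaultdict(set)
    resets, streams = set(), set()
    for line in text.splitlines():
        if not line.strip():
            continue
        stream, src, sport, flags, length = line.split("\t")
        stream, flags = int(stream), int(flags, 16)
        endpoint = f"{src}:{sport}"
        streams.add(stream)
        if flags & FIN:
            fins[stream].add(endpoint)
            if int(length or 0) > 0:      # FIN piggybacked on a data segment
                piggy[stream].add(endpoint)
        if flags & RST:
            resets.add(stream)
    result = {}
    for s in sorted(streams):
        if len(fins[s]) >= 2:
            state = "both-fin"            # a FIN from each side
        elif s in resets:
            state = "reset"               # torn down by RST
        elif fins[s]:
            state = "one-fin-only"        # other FIN not captured or not sent
        else:
            state = "no-fin"
        result[s] = (state, sorted(fins[s]), sorted(piggy[s]))
    return result

if __name__ == "__main__":
    for stream, info in classify_streams(SAMPLE).items():
        print(stream, *info)
```

A stream reported as `one-fin-only` is the case to re-check against the mirror port for dropped packets before concluding the other side never sent its FIN.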
The closing of a TCP connection is never a 3-way handshake but rather 2-way. Either device can initiate closing the session by sending the FIN packet, and it gets into the FIN-WAIT1 state. Then it expects the other device to send its FIN afterwards; for that it gets into the FIN-WAIT2 state. In this case the connection can be resumed by the other device if it does not wish to terminate the connection. When both devices have agreed to terminate the connection by sending their FINs and getting the ACKs for them, the connection is terminated. That is the reason you are seeing four packets (that's not a four-way handshake but two-way).
As for the ACK you are seeing along with the FIN, it is the acknowledgement for the last byte received. You can check the acknowledgement number as well to confirm that.
answered 16 Sep '16, 16:14