6.1.7 Lab: Explore Three-way Handshake In Wireshark
planetorganic
Nov 14, 2025 · 11 min read
Let's explore the intricate dance of the three-way handshake using Wireshark, a powerful network protocol analyzer. This handshake is the foundation of reliable communication in the TCP/IP model, ensuring that data is transferred accurately and efficiently between devices. By dissecting this process with Wireshark, we can gain a deeper understanding of how connections are established and maintained on the internet.
What is the Three-Way Handshake?
The three-way handshake is a fundamental process in TCP (Transmission Control Protocol) communication. It's the method used to establish a connection between two devices before any actual data is exchanged. Think of it as a polite introduction before a conversation begins. This handshake involves three distinct steps:
- SYN (Synchronize): The client sends a SYN packet to the server, essentially asking to initiate a connection. This packet contains the client's initial sequence number, which is a random number used to track the data flow.
- SYN-ACK (Synchronize-Acknowledge): The server responds with a SYN-ACK packet. This packet acknowledges the client's SYN packet and also includes the server's own initial sequence number. The server is now ready to receive data from the client.
- ACK (Acknowledge): The client sends an ACK packet to the server, acknowledging the server's SYN-ACK. This finalizes the connection establishment, and data transfer can begin.
This seemingly simple exchange is crucial for reliable communication. It allows both parties to agree on initial sequence numbers, ensuring that data is transmitted in the correct order and that lost packets can be retransmitted.
Why is the Three-Way Handshake Important?
The three-way handshake serves several important purposes:
- Connection Establishment: It provides a reliable mechanism to establish a connection between two devices. Without it, data could be sent without knowing if the recipient is ready to receive it, leading to data loss and communication failures.
- Synchronization: It synchronizes the sequence numbers between the client and the server. These sequence numbers are used to track the order of data packets, ensuring that they are reassembled correctly at the destination.
- Reliability: It enhances the reliability of TCP communication. By requiring an acknowledgment for each packet, the three-way handshake helps to detect and retransmit lost packets, guaranteeing that data is delivered accurately.
- Security: Although not a primary security mechanism, the three-way handshake can offer a basic level of protection against certain types of attacks, such as SYN floods.
Preparing for the Wireshark Capture
Before diving into the analysis, it's crucial to set up the environment for capturing network traffic with Wireshark. Here's a step-by-step guide:
- Download and Install Wireshark: If you haven't already, download Wireshark from the official website and install it on your system. Follow the installation instructions carefully, ensuring that you install the necessary components for capturing network traffic.
- Choose the Correct Interface: Launch Wireshark and select the correct network interface that you want to capture traffic from. This is typically your Ethernet or Wi-Fi adapter, depending on how your device is connected to the network.
- Apply a Filter (Optional): To focus on the three-way handshake, apply a filter to capture only TCP traffic. You can do this by typing "tcp" in the filter bar at the top of the Wireshark window and pressing Enter.
- Initiate a Connection: Start a network application that uses TCP, such as a web browser, and access a website. This will generate the TCP traffic that you want to analyze. Alternatively, you can use a command-line tool like ping or telnet to initiate a connection to a specific server.
- Start Capturing: Click the blue shark fin icon to start capturing network traffic. Wireshark will begin recording all packets that pass through the selected network interface.
Analyzing the Three-Way Handshake in Wireshark
Now that you've captured network traffic, you can analyze the three-way handshake in Wireshark. Here's how to identify and dissect the packets:
- Stop the Capture: After initiating a connection and capturing some traffic, stop the capture by clicking the red square icon in Wireshark.
- Filter for the Handshake: Apply a filter to isolate the three-way handshake packets. You can use the filter "tcp.flags.syn == 1" to find the initial SYN packet. This will narrow down the captured traffic to only show packets with the SYN flag set.
- Examine the SYN Packet: Select the first packet in the filtered list. This should be the SYN packet sent by the client. In the packet details pane, you'll see information about the packet, including the source and destination IP addresses, the source and destination ports, the TCP flags, and the initial sequence number.
- Source and Destination: Note the IP addresses and port numbers of the client and server. This will help you identify the subsequent packets in the handshake.
- TCP Flags: Verify that the SYN flag is set (tcp.flags.syn == 1) and that the ACK flag is not set (tcp.flags.ack == 0).
- Sequence Number: Observe the initial sequence number (ISN) generated by the client. This number will be used to track the data flow between the client and server.
- Examine the SYN-ACK Packet: Look for the next packet in the handshake, which is the SYN-ACK packet sent by the server. This packet will have the SYN and ACK flags set (tcp.flags.syn == 1 and tcp.flags.ack == 1).
- Source and Destination: The source IP address and port number should be the server's, and the destination IP address and port number should be the client's.
- TCP Flags: Verify that both the SYN and ACK flags are set.
- Sequence and Acknowledgment Numbers: Observe the server's initial sequence number (ISN) and the acknowledgment number. The acknowledgment number should be the client's initial sequence number plus one (ISN + 1). This indicates that the server has successfully received the client's SYN packet.
- Examine the ACK Packet: The final packet in the handshake is the ACK packet sent by the client. This packet will have only the ACK flag set (tcp.flags.ack == 1).
- Source and Destination: The source IP address and port number should be the client's, and the destination IP address and port number should be the server's.
- TCP Flags: Verify that only the ACK flag is set.
- Acknowledgment Number: The acknowledgment number should be the server's initial sequence number plus one (ISN + 1). This confirms that the client has received the server's SYN-ACK packet and that the connection is now established.
Wireshark Display Filters for Three-Way Handshake
Wireshark display filters are powerful tools for isolating and analyzing specific packets. Here are some useful filters for examining the three-way handshake:
- tcp.flags.syn == 1: This filter shows only packets with the SYN flag set, which includes the initial SYN packet and the SYN-ACK packet.
- tcp.flags.syn == 1 and tcp.flags.ack == 0: This filter specifically isolates the initial SYN packet sent by the client.
- tcp.flags.syn == 1 and tcp.flags.ack == 1: This filter isolates the SYN-ACK packet sent by the server.
- tcp.flags.ack == 1 and tcp.flags.syn == 0: This filter shows packets with the ACK flag set but not the SYN flag, which includes the final ACK packet in the handshake and subsequent data packets.
- tcp.stream eq [stream_index]: Replace [stream_index] with the stream index number to filter for all packets belonging to a specific TCP connection. You can find the stream index by right-clicking on a packet and selecting "Follow" -> "TCP Stream".
Troubleshooting Common Issues
While analyzing the three-way handshake, you might encounter some common issues. Here are some troubleshooting tips:
- Missing SYN Packet: If you don't see the initial SYN packet, it could be due to network congestion, firewall rules blocking the packet, or a problem with the client application.
- Missing SYN-ACK Packet: If the server doesn't respond with a SYN-ACK packet, it could indicate that the server is down, the port is blocked, or there's a network connectivity issue.
- Missing ACK Packet: If the client doesn't send the final ACK packet, it could be due to a problem with the client application, network congestion, or a firewall rule blocking the packet.
- Retransmissions: You might see retransmissions of the SYN, SYN-ACK, or ACK packets. This indicates that the original packet was lost or corrupted and had to be retransmitted. This is normal in some network conditions, but excessive retransmissions can indicate a problem with the network.
- Reset (RST) Packets: A RST packet indicates that the connection is being reset. This can happen if one of the devices receives a packet that it doesn't expect or if the connection is closed abruptly. If you see RST packets in your capture, it could indicate a problem with the application or the network.
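To make the checks from the two sections above repeatable (acknowledgment number equal to the peer's ISN + 1, plus the missing-packet and RST cases), here is an added Python example that is not part of the original lab. It models each segment with the fields you read off the details pane, groups both directions into one stream the way tcp.stream does, and runs over a constructed sample capture using RFC 5737 documentation addresses rather than a real trace.

```python
from collections import Counter, namedtuple

# One captured TCP segment: the fields the Wireshark details pane shows for the handshake.
Pkt = namedtuple('Pkt', 'src sport dst dport syn ack rst seq ack_num')

def stream_key(p):
    """Unordered endpoint pair, so both directions map to one stream (like tcp.stream)."""
    return tuple(sorted(((p.src, p.sport), (p.dst, p.dport))))

def classify_streams(packets):
    """Label each stream: 'established' (all three steps, ack numbers correct), 'half-open'
    (SYN-ACK seen, final ACK missing), 'no-syn-ack', 'missing-syn', 'bad-ack' or 'reset'."""
    state, isn = {}, {}
    for p in packets:
        k = stream_key(p)
        if p.rst:
            state[k] = 'reset'
        elif p.syn and not p.ack:                       # step 1: SYN from the client
            isn[k] = {'client': (p.src, p.sport), 'c_isn': p.seq}
            state[k] = 'no-syn-ack'
        elif k not in isn:                              # traffic with no SYN in the capture
            state[k] = 'missing-syn'
        elif p.syn and p.ack:                           # step 2: SYN-ACK must ack client ISN + 1
            if p.ack_num != (isn[k]['c_isn'] + 1) & 0xFFFFFFFF:
                state[k] = 'bad-ack'
            else:
                isn[k]['s_isn'] = p.seq
                state[k] = 'half-open'
        elif state[k] == 'half-open' and (p.src, p.sport) == isn[k]['client']:
            ok = p.ack_num == (isn[k]['s_isn'] + 1) & 0xFFFFFFFF   # step 3: ACK of server ISN + 1
            state[k] = 'established' if ok else 'bad-ack'
    return state

def incomplete_by_client(packets, states):
    """Per client IP, count streams that never finished the handshake (the half-open pattern)."""
    clients = {stream_key(p): p.src for p in packets if p.syn and not p.ack}
    return Counter(ip for k, ip in clients.items() if states.get(k) in ('no-syn-ack', 'half-open'))

# Constructed sample capture (RFC 5737 documentation addresses), in capture order.
SAMPLE = [
    Pkt('198.51.100.5', 51000, '192.0.2.10', 443, True, False, False, 1000, 0),     # SYN
    Pkt('192.0.2.10', 443, '198.51.100.5', 51000, True, True, False, 5000, 1001),   # SYN-ACK
    Pkt('198.51.100.5', 51000, '192.0.2.10', 443, False, True, False, 1001, 5001),  # ACK
    Pkt('198.51.100.5', 51001, '192.0.2.10', 80, True, False, False, 2000, 0),      # SYN, never completed
    Pkt('192.0.2.10', 80, '198.51.100.5', 51001, True, True, False, 7000, 2001),    # SYN-ACK, no final ACK
    Pkt('198.51.100.5', 51002, '192.0.2.10', 22, True, False, False, 3000, 0),      # SYN answered by RST
    Pkt('192.0.2.10', 22, '198.51.100.5', 51002, False, False, True, 0, 3001),      # RST
    Pkt('203.0.113.7', 40000, '192.0.2.10', 25, True, False, False, 4000, 0),       # SYN with no reply at all
]
```

A single client IP owning many 'no-syn-ack' or 'half-open' streams is the half-open pattern to look for when a server is suspected of being flooded.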
Security Implications of the Three-Way Handshake
The three-way handshake, while fundamental, can be a target for certain types of attacks. Understanding these vulnerabilities is crucial for network security.
- SYN Flood Attacks: One of the most common attacks is the SYN flood. In this attack, the attacker sends a flood of SYN packets to the server, but never completes the handshake by sending the final ACK packet. This leaves the server in a half-open state, consuming resources and potentially leading to a denial-of-service (DoS) attack.
- Mitigating SYN Flood Attacks: There are several techniques to mitigate SYN flood attacks, including:
- SYN Cookies: The server responds to the SYN packet with a SYN-ACK packet that contains a "cookie," which is a cryptographic hash of the client's IP address, port number, and other information. The server doesn't allocate resources until it receives the ACK packet with the correct cookie.
- SYN Proxies: A SYN proxy sits in front of the server and completes the three-way handshake with the client. It then establishes a separate connection with the server, shielding the server from the SYN flood.
- Firewall Rules: Firewalls can be configured to detect and block SYN flood attacks by limiting the rate of incoming SYN packets.
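The SYN cookie mechanism described above, as an added Python example that is not part of the original lab: the server derives its SYN-ACK sequence number from a keyed hash of the client and server endpoints plus a coarse time slot, stores nothing, and allocates the connection only when the final ACK carries that cookie plus one. It is a simplified model (the secret and the 64-second slot are constructed values; real implementations also encode negotiated options such as the MSS in the cookie).

```python
import hashlib, hmac, socket, struct, time

# Demo secret; a real stack generates this at boot and keeps it in the kernel.
SECRET = b'constructed-demo-secret-not-for-production'
SLOT_SECONDS = 64   # a cookie is accepted for the current and the previous slot

def endpoint(ip, port):
    """(packed IPv4 address, port) as used in the cookie input."""
    return socket.inet_aton(ip), port

def _slot(now):
    return int(time.time() if now is None else now) // SLOT_SECONDS

def _cookie(client, server, counter):
    """32-bit truncation of an HMAC over client ip:port, server ip:port and the time slot."""
    msg = struct.pack('>4sH4sHI', client[0], client[1], server[0], server[1], counter)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], 'big')

def syn_cookie(client, server, now=None):
    """ISN to place in the SYN-ACK; nothing about this client is stored server-side yet."""
    return _cookie(client, server, _slot(now))

def validate_ack(client, server, ack_num, now=None):
    """On the final ACK, recover the cookie as ack - 1 and check it against the current or
    the previous slot. Only a True result leads to a connection being allocated."""
    got = ((ack_num - 1) & 0xFFFFFFFF).to_bytes(4, 'big')
    slot = _slot(now)
    return any(hmac.compare_digest(got, _cookie(client, server, s).to_bytes(4, 'big'))
               for s in (slot, slot - 1))
```

Because the cookie is recomputed from the ACK itself, a flood of SYNs costs the server one hash per SYN-ACK and no memory, which is the point of the technique.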
The Role of Sequence and Acknowledgment Numbers
Sequence and acknowledgment numbers are integral to the reliability of TCP communication. They ensure that data is transmitted in the correct order and that lost packets can be retransmitted.
- Sequence Numbers: Each TCP packet is assigned a sequence number, which indicates the position of the data in the stream. The initial sequence number (ISN) is randomly generated by the client and server during the three-way handshake.
- Acknowledgment Numbers: The acknowledgment number indicates the next sequence number that the sender expects to receive. By acknowledging received data, the receiver confirms that it has successfully received the data and is ready for the next packet.
- Retransmissions: If a sender doesn't receive an acknowledgment for a packet within a certain timeout period, it will retransmit the packet. This ensures that data is delivered reliably, even if packets are lost or corrupted.
Analyzing TCP Options
TCP options are additional parameters that can be included in the TCP header to enhance the functionality of the protocol. Some common TCP options include:
- Maximum Segment Size (MSS): This option specifies the maximum amount of data that the sender can include in a single TCP segment.
- Window Scale: This option allows the sender to increase the size of the receive window, which improves throughput on high-bandwidth networks.
- Selective Acknowledgment (SACK): This option allows the receiver to acknowledge non-contiguous blocks of data, which improves the efficiency of retransmissions.
You can analyze TCP options in Wireshark by examining the "Options" field in the TCP header.
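To see what Wireshark is decoding in that field, here is an added Python parser for the TCP options bytes (not part of the original lab) covering MSS, window scale, SACK-permitted, SACK blocks and timestamps; the sample option bytes are constructed to look like a typical client SYN.

```python
import struct

# TCP option kinds that Wireshark labels in the Options field (RFC 9293, RFC 7323, RFC 2018).
EOL, NOP, MSS, WSCALE, SACK_OK, SACK, TIMESTAMPS = 0, 1, 2, 3, 4, 5, 8

def parse_tcp_options(data):
    """Decode the options bytes of a TCP header into a dict. Malformed lengths raise ValueError
    rather than being skipped, because a truncated option is itself worth noticing."""
    opts, i = {}, 0
    while i < len(data):
        kind = data[i]
        if kind == EOL:
            break
        if kind == NOP:                      # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError(f'option kind {kind} truncated before its length byte')
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f'option kind {kind} has invalid length {length}')
        body = data[i + 2:i + length]
        if kind == MSS and length == 4:
            opts['mss'] = struct.unpack('>H', body)[0]
        elif kind == WSCALE and length == 3:
            opts['window_scale'] = body[0]   # shift count: window is multiplied by 2**n
        elif kind == SACK_OK and length == 2:
            opts['sack_permitted'] = True
        elif kind == SACK and (length - 2) % 8 == 0:
            opts['sack_blocks'] = [struct.unpack('>II', body[j:j + 8]) for j in range(0, len(body), 8)]
        elif kind == TIMESTAMPS and length == 10:
            opts['tsval'], opts['tsecr'] = struct.unpack('>II', body)
        else:
            opts.setdefault('unknown', []).append((kind, body.hex()))
        i += length
    return opts

# Constructed options from a typical SYN: MSS 1460, SACK permitted, timestamps, NOP, window scale 7.
SYN_OPTIONS = bytes.fromhex('020405b4' '0402' '080a0001e24000000000' '01' '030307')
```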
Common Ports and the Three-Way Handshake
The three-way handshake is used to establish connections on various ports, each associated with different services. Here are some common ports and how the handshake applies to them:
- Port 80 (HTTP): Used for standard web traffic. When you visit a website, your browser initiates a three-way handshake with the web server on port 80 to establish a connection.
- Port 443 (HTTPS): Used for secure web traffic. Similar to port 80, but the connection is encrypted using TLS/SSL.
- Port 21 (FTP): Used for file transfer. The three-way handshake is used to establish a control connection for sending commands and a data connection for transferring files.
- Port 22 (SSH): Used for secure remote login. The three-way handshake establishes an encrypted connection for secure communication.
- Port 25 (SMTP): Used for sending email. The three-way handshake establishes a connection between the email client and the email server.
Conclusion
Understanding the three-way handshake is crucial for anyone working with computer networks. It's the foundation of reliable TCP communication, ensuring that data is transmitted accurately and efficiently. By using Wireshark to analyze the handshake, you can gain a deeper understanding of how connections are established and maintained on the internet. From troubleshooting network issues to understanding security implications, the three-way handshake is a fundamental concept that every network professional should master. By dissecting this process with Wireshark, you're well-equipped to tackle a wide range of networking challenges.