6.1.7 Lab: Explore Three-way Handshake In Wireshark

Author fotoperfecta

The Three-Way Handshake in Wireshark: A Deep Dive into TCP Connection Establishment

The three-way handshake is a foundational process in the Transmission Control Protocol (TCP), ensuring reliable communication between devices over a network. This lab exercise, 6.1.7 Lab: Explore Three-Way Handshake in Wireshark, guides you through capturing and analyzing TCP handshake packets using Wireshark, a powerful network protocol analyzer. By the end of this article, you’ll understand how TCP establishes connections, identify key packets in the handshake, and leverage Wireshark to troubleshoot network issues.


Introduction to the Three-Way Handshake

TCP is a connection-oriented protocol, meaning it establishes a dedicated communication channel before data transfer begins. The three-way handshake is the initial phase of this process, involving three steps:

  1. SYN (Synchronize): The client sends a synchronization packet to the server, requesting a connection.
  2. SYN-ACK (Synchronize-Acknowledge): The server responds with a packet acknowledging the request and initiating its own synchronization.
  3. ACK (Acknowledge): The client confirms the server’s response, finalizing the connection.

This process ensures both parties agree on sequence numbers, which are critical for ordering data packets and detecting lost or duplicated transmissions. Without this handshake, TCP would lack the reliability that makes it the backbone of modern internet communication.


Steps to Capture and Analyze the Handshake in Wireshark

Step 1: Install and Configure Wireshark

Download and install Wireshark from its official website. Launch the tool and select the network interface connected to your target device (e.g., Ethernet or Wi-Fi). Ensure you have administrative privileges to capture packets.

Step 2: Start Capturing in Wireshark

Click the blue shark-fin icon (or choose Capture > Start) to begin capturing on the selected interface. Start the capture before you open the connection: a capture begun afterwards shows only the established flow, never the handshake that created it.

Step 3: Initiate a TCP Connection and Filter the Capture

Open a web browser and navigate to a plain-HTTP site (e.g., http://example.com). This triggers a TCP connection between your device and the server hosting the site. If the browser already has an idle connection to that host it may reuse it without a new handshake; open a site you have not visited during the capture, or restart the browser. Use the display-filter bar above the packet list to isolate the traffic:

  • Type tcp to display all TCP packets.
  • Refine the filter with tcp.port == 80 to narrow results. For an https:// URL use tcp.port == 443 instead; the TLS handshake you will see afterwards runs inside the established TCP connection and is not part of the three-way handshake.

Step 4: Identify the Three-Way Handshake Packets

Look for three distinct packets in the capture:

  1. SYN Packet: Sent by your device to the server. The Info column shows [SYN]; in the details pane, Transmission Control Protocol > Flags shows Syn set and Acknowledgment clear.
  2. SYN-ACK Packet: Sent by the server in response, with both Syn and Acknowledgment set ([SYN, ACK] in the Info column).
  3. ACK Packet: Sent by your device to confirm the connection, with Acknowledgment set and Syn clear ([ACK] in the Info column).

Each packet carries a sequence (Seq) and an acknowledgment (Ack) number. The starting values are chosen unpredictably by each host; they are what lets TCP order segments and detect loss or duplication, not a guarantee of integrity. Note that Wireshark shows relative numbers by default, so the SYN reads Seq=0 and the SYN-ACK Seq=0 Ack=1 even though the real values on the wire are large.


Scientific Explanation of the Three-Way Handshake

The three-way handshake is governed by TCP’s design principles, which prioritize reliability and error recovery. Here’s a breakdown of its mechanics:

1. SYN Packet: Initiating the Connection

The client sends a SYN packet with a random sequence number (e.g., Seq=12345). This number acts as a starting point for data transmission. The server acknowledges receipt by echoing the sequence number plus one (Ack=12346) and sending its own SYN packet with a unique sequence number (e.g., `Seq

Step 5: Examine the SYN‑ACK Reply

The server's response appears as a packet whose Flags field shows both Syn and Acknowledgment set. In the packet details pane you will see two critical fields:

  • Source Port – the server's listening port (e.g., 80).
  • Destination Port – the client's ephemeral port, which will be used for the subsequent data flow.

The Sequence Number (Seq) in this packet is the server's own random starting value (for example, Seq=67890). The Acknowledgment Number (Ack) is the client's initial sequence number plus one (Ack=12346): a SYN occupies one sequence number even though it carries no data, so this tells the client, "I have received your SYN, and the next byte I expect from you is 12346."

Step 6: Parse the Final ACK from the Client

The third exchange is a single packet that carries only the ACK flag. Its Sequence Number continues the client’s stream (e.g., Seq=12346), while the Acknowledgment Number reflects the server’s SYN‑ACK sequence number plus one (Ack=67891). This packet confirms that the client has received the server’s readiness signal and that both sides now share a synchronized view of the data flow.


Scientific Rationale Behind Each Field

  1. Random Initial Sequence Numbers (ISNs)
    A host does not start every connection at sequence number 0. RFC 6528 specifies ISN = M + F(localip, localport, remoteip, remoteport, secretkey), where M is a counter that ticks every 4 microseconds and F is a keyed hash over the connection's 4-tuple. The clock component keeps the ISN of a new connection ahead of any delayed segment from an earlier incarnation of the same 4-tuple, so stale data is not accepted into the new stream. The secret hash component makes the ISN unpredictable to an off-path attacker, who could otherwise forge a SYN-ACK or inject segments into someone else's connection by guessing the sequence number.

  2. Acknowledgment Numbers and the Sliding Window
    The Ack field is cumulative: it names the next byte the receiver expects, implicitly acknowledging everything before it. Together with the Window field in the same header (the number of bytes the receiver will accept beyond that point) it defines the sliding window, the range of bytes the sender may have in flight without acknowledgment. The receiver advances the Ack number as in-order data arrives and adjusts the advertised window as its buffer drains, so throughput adapts to the receiver's capacity without either side knowing the path's latency in advance. In the handshake itself the Ack number advances by exactly one because a SYN occupies one sequence number although it carries no data.

  3. Flag Combination Logic
    The SYN and ACK bits appear together in the second packet because TCP's state machine lets the server do two things at once: acknowledge the client's SYN and send its own. On receiving the SYN the server moves from LISTEN to SYN-RECEIVED and sends the SYN-ACK; it enters ESTABLISHED only when the client's final ACK arrives. The client, which moved to SYN-SENT when it sent the SYN, enters ESTABLISHED as soon as it receives the SYN-ACK, which is why the third packet may already carry data. Until the final ACK arrives the server holds state for a half-open connection; a SYN flood exhausts the server by creating many such entries and never completing them.

  4. Checksum Integrity
    Each TCP segment carries a 16-bit checksum computed over a pseudo-header (source and destination IP addresses, a zero byte, the protocol number 6 and the TCP length), the TCP header itself and the payload, with the checksum field treated as zero during the computation. It is a one's-complement sum (RFC 1071), not a cryptographic function: it catches the random bit errors a faulty link or driver might introduce, but anyone who can modify a segment in transit can recompute it. Protection against deliberate tampering has to come from a higher layer such as TLS or IPsec.
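To make the first point concrete, the following Python script is an added example written for this article, not code from the lab or from any real TCP stack. It contrasts a legacy counter-based ISN generator with an RFC 6528 style one and runs the classic attacker model against both: observe the ISNs the server hands out on your own connections, then extrapolate the value it will use for a victim's connection. The per-connection increment of 64000 is the value early BSD stacks used; HMAC-SHA256 as the keyed function F and a 4 µs tick as M are this example's choices (the RFC leaves F to the implementer). The addresses are RFC 5737 documentation values, and the secret and fixed clock used when testing are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time


class LegacyIsnGenerator:
    """Predictable scheme of early BSD stacks: one global counter, bumped by a
    fixed amount for every new connection regardless of who the peer is."""

    def __init__(self, start: int = 0):
        self.counter = start

    def next_isn(self, *_ignored) -> int:
        # 64000 per connection, as in 4.2BSD; the 4-tuple arguments are ignored.
        self.counter = (self.counter + 64000) & 0xFFFFFFFF
        return self.counter


class Rfc6528IsnGenerator:
    """ISN = M + F(localip, localport, remoteip, remoteport, secret), RFC 6528.
    F is HMAC-SHA256 truncated to 32 bits and M a 4-microsecond counter; both
    are this example's choices (the RFC leaves F to the implementer)."""

    def __init__(self, secret=None, clock=None):
        self.secret = secret if secret is not None else os.urandom(32)
        self.clock = clock if clock is not None else (lambda: time.monotonic_ns() // 4000)

    def next_isn(self, local_ip, local_port, remote_ip, remote_port) -> int:
        four_tuple = f"{local_ip}:{local_port}:{remote_ip}:{remote_port}".encode()
        f = int.from_bytes(hmac.new(self.secret, four_tuple, hashlib.sha256).digest()[:4], "big")
        return (self.clock() + f) & 0xFFFFFFFF


def predict_next(observed: list) -> int:
    """Attacker's extrapolation: assume the step between the last two observed
    ISNs repeats (exact for a counter, useless against a keyed per-4-tuple offset)."""
    delta = (observed[-1] - observed[-2]) & 0xFFFFFFFF
    return (observed[-1] + delta) & 0xFFFFFFFF


def attack_demo(server_next_isn, attacker_ip="192.0.2.10", victim_ip="192.0.2.20") -> dict:
    """Open three connections from attacker_ip to the server 192.0.2.80:80,
    record the ISNs the server chose, then guess the ISN it will assign to the
    victim's connection. server_next_isn takes (local_ip, local_port, remote_ip,
    remote_port). Addresses are RFC 5737 documentation values constructed for the demo."""
    observed = [server_next_isn("192.0.2.80", 80, attacker_ip, 40000 + i) for i in range(3)]
    guess = predict_next(observed)
    actual = server_next_isn("192.0.2.80", 80, victim_ip, 40003)
    return {"observed": observed, "guess": guess, "actual": actual, "predicted": guess == actual}


if __name__ == "__main__":
    print("legacy :", attack_demo(LegacyIsnGenerator(start=1000).next_isn))
    print("rfc6528:", attack_demo(Rfc6528IsnGenerator().next_isn))
```

Against the legacy generator the guess is exact every time; against the RFC 6528 generator the attacker learns nothing about the victim's offset from their own connections, because F is keyed and depends on the 4-tuple.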


Putting It All Together in Wireshark

  1. Filter the View – Apply tcp.port == 80 && tcp.flags.syn == 1 && tcp.flags.ack == 0 to isolate the initial SYN; without the ack == 0 clause the filter also matches the server's SYN-ACK.
  2. Follow the Stream – Right-click the SYN packet and select Follow > TCP Stream. Wireshark applies a tcp.stream eq N display filter, so the packet list shows only that connection, handshake included. The pop-up pane shows reconstructed payload only, so for a bare handshake it stays empty until the HTTP request is sent.
  3. Inspect Byte-Level Details – Expand the Internet Protocol Version 4 and Transmission Control Protocol sections to verify that the Seq, Ack and flag fields match the expectations described above. To see the absolute ISNs rather than the relative values Wireshark shows by default, untick Relative sequence numbers under Edit > Preferences > Protocols > TCP.
  4. Validate the Checksum – In the TCP section, the Checksum field reports whether the value verified. Two caveats: Wireshark does not check TCP checksums unless Validate the TCP checksum if possible is enabled on the same preferences page, and on a machine with checksum offload the segments it sends itself are captured before the NIC fills in the checksum, so they are flagged as incorrect although they are fine on the wire. Trust the verdict only for inbound packets, or disable offload on the interface while testing.
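The checks from Steps 4 to 6 and the checksum validation above can be reproduced outside Wireshark. The following Python script is an added example written for this article, not code from the lab or from Wireshark. It constructs the three IPv4/TCP packets of a handshake as raw bytes (RFC 5737 documentation addresses, an assumed client port 51514, and the article's ISNs 12345 and 67890), dissects them the way a protocol decoder does, recomputes the TCP checksum over the pseudo-header, header and payload, and verifies the flag and Seq/Ack relationships that make a valid SYN, SYN-ACK, ACK sequence. It also shows the relative numbering Wireshark displays and what a corrupted segment looks like. Everything is built inline, so it runs offline.

```python
import socket
import struct

# Constructed sample values (not captured traffic): RFC 5737 documentation
# addresses, an assumed client port and the article's example ISNs.
CLIENT_IP, SERVER_IP = "192.0.2.10", "192.0.2.80"
CLIENT_PORT, SERVER_PORT = 51514, 80
CLIENT_ISN, SERVER_ISN = 12345, 67890
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (src, dst, zero, protocol 6, TCP length),
    the TCP header and the payload. Over a segment whose checksum is already correct it returns 0."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    return internet_checksum(pseudo + segment)

def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, window=65535, payload=b"") -> bytes:
    """20-byte TCP header without options, checksum filled in (bytes 16-17)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def build_ipv4(src_ip, dst_ip, segment) -> bytes:
    """20-byte IPv4 header (DF, TTL 64, protocol 6) with its own header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0x4000, 64, 6, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:] + segment

def parse_packet(pkt: bytes) -> dict:
    """Dissect IPv4 + TCP into the fields Wireshark shows in the details pane."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    tcp = pkt[ihl:total_len]
    sport, dport, seq, ack, _off, flags, window, _csum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window, "checksum_ok": tcp_checksum(src, dst, tcp) == 0}

def flag_names(flags: int) -> str:
    """Wireshark-style flag summary, e.g. 'SYN,ACK'."""
    return ",".join(n for n, b in (("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK)) if flags & b)

def verify_handshake(pkts: list) -> list:
    """Violations for three parsed packets expected to be SYN, SYN-ACK, ACK;
    an empty list means a valid three-way handshake."""
    syn, synack, ack = pkts
    m = SYN | ACK
    wrap = lambda n: n & 0xFFFFFFFF  # sequence arithmetic is modulo 2**32
    checks = [
        (syn["flags"] & m == SYN, "packet 1 is not a pure SYN"),
        (synack["flags"] & m == m, "packet 2 is not a SYN-ACK"),
        (ack["flags"] & m == ACK, "packet 3 is not a pure ACK"),
        ((synack["src"], synack["sport"], synack["dst"], synack["dport"])
         == (syn["dst"], syn["dport"], syn["src"], syn["sport"]), "SYN-ACK does not reverse the SYN's 4-tuple"),
        # A SYN occupies one sequence number, so each side acknowledges peer ISN + 1.
        (synack["ack"] == wrap(syn["seq"] + 1), "SYN-ACK Ack != client ISN + 1"),
        (ack["ack"] == wrap(synack["seq"] + 1), "ACK Ack != server ISN + 1"),
        (ack["seq"] == wrap(syn["seq"] + 1), "ACK Seq != client ISN + 1"),
    ] + [(p["checksum_ok"], f"{n} checksum invalid") for n, p in zip(("SYN", "SYN-ACK", "ACK"), pkts)]
    return [msg for ok, msg in checks if not ok]

def relative_numbers(pkts: list) -> list:
    """Seq/Ack as Wireshark displays them by default: relative to each side's ISN."""
    client_isn, server_isn = pkts[0]["seq"], pkts[1]["seq"]
    out = []
    for p in pkts:
        own, peer = (client_isn, server_isn) if p["src"] == pkts[0]["src"] else (server_isn, client_isn)
        rel_ack = (p["ack"] - peer) & 0xFFFFFFFF if p["flags"] & ACK else None
        out.append((flag_names(p["flags"]), (p["seq"] - own) & 0xFFFFFFFF, rel_ack))
    return out

def sample_handshake() -> list:
    """The three raw packets of the constructed handshake, in wire order."""
    c2s = lambda seq, ack, flags: build_ipv4(CLIENT_IP, SERVER_IP, build_tcp(CLIENT_IP, SERVER_IP, CLIENT_PORT, SERVER_PORT, seq, ack, flags))
    s2c = lambda seq, ack, flags: build_ipv4(SERVER_IP, CLIENT_IP, build_tcp(SERVER_IP, CLIENT_IP, SERVER_PORT, CLIENT_PORT, seq, ack, flags))
    return [c2s(CLIENT_ISN, 0, SYN), s2c(SERVER_ISN, CLIENT_ISN + 1, SYN | ACK), c2s(CLIENT_ISN + 1, SERVER_ISN + 1, ACK)]

def corrupt_window(pkt: bytes) -> bytes:
    """Flip one bit of the TCP Window field (IP header 20 + TCP offset 14) to simulate corruption."""
    b = bytearray(pkt)
    b[34] ^= 0x01
    return bytes(b)

if __name__ == "__main__":
    parsed = [parse_packet(p) for p in sample_handshake()]
    print(relative_numbers(parsed), verify_handshake(parsed) or "handshake OK")
    damaged = parse_packet(corrupt_window(sample_handshake()[1]))
    print(verify_handshake([parsed[0], damaged, parsed[2]]))
```

Run as is, the script prints the same relative numbering Wireshark shows ((SYN, 0, None), (SYN,ACK, 0, 1), (ACK, 1, 1)), reports no violations for the constructed exchange, and reports only a failed checksum once a bit of the SYN-ACK is flipped. Feeding the raw bytes of a real capture (for example the bytes Wireshark exports from the packet bytes pane, with the Ethernet header stripped) into parse_packet reproduces the checks on real traffic.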

Conclusion

The TCP three‑way handshake is a meticulously engineered protocol exchange that guarantees both parties agree on initial sequence numbers, synchronize their transmission windows, and establish a reliable communication channel before any user data traverses the network. By capturing each SYN, SYN‑ACK, and ACK packet in Wireshark and interpreting the embedded sequence, acknowledgment, and flag values, a network analyst can verify that the handshake performed correctly, that the sliding

This insight not only strengthens your understanding of TCP’s design but also equips you with practical methods to analyze real-world traffic. Leveraging these techniques in Wireshark or similar tools allows you to troubleshoot issues, optimize performance, and ensure secure data transfer across networks.

Understanding these layers empowers you to move beyond surface observations and dive into the mechanics that make TCP such a robust communication standard. By consistently applying these observations, you’ll develop a sharper analytical skillset for network diagnostics.

Conclusion: Mastering TCP’s handshake process and its validation mechanisms in tools like Wireshark transforms you from a casual observer into a proficient network detective, capable of interpreting even the most intricate data flows.
