Understanding wireshark tcp flow
by OlgaM from LinuxQuestions.org on (#5QFWF)
Hello, dear forum!
I captured TCP packets in Wireshark and couldn't understand a few strange things.
1. Normal TCP packets don't need the PSH flag. Is it some sort of attack?
2. In line number 5, Ack=714. It means that 714 bytes were sent from the server to my laptop. If Len=0, does it mean 714 bytes of header and payload = 0?
3. The packet in line number 6 has the PSH flag. Does it mean that the previous packet (5) was not successful? Len=16 means that the packet has 16 bytes of payload?
4. In line number 9, Seq=714 Ack=17 (17 bytes of header length?)
5. In line 9, Seq=714 Ack=492. Why is Ack not equal to 731 (714 + 17) instead of 492?
6. Why in line number 11 is the flag set to ACK, not SYN, ACK?
7. In line 15 there is a SYN flag set, but I don't see any FIN flag before it.
8. In line 27, why Ack=719 and not 721?
9. In line 24:
0.084606985 192.168.1.2 192.168.1.1 TCP 54 [TCP Dup ACK 22#1] 34938 80 [ACK] Seq=720 Ack=268 Win=64128 Len=0
Wireshark marks this in black as "bad TCP". Why?
10. What is the role of the symbols below in the Wireshark window?
Understanding the low-level TCP basics is very important to me. Thank you for any attempts to point me in the right direction.
1 0.000000000 192.168.1.2 192.168.1.1 TCP 74 34936 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=3595656117 TSecr=0 WS=128
2 0.003662105 192.168.1.1 192.168.1.2 TCP 66 80 34936 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=32
3 0.003691751 192.168.1.2 192.168.1.1 TCP 54 34936 80 [ACK] Seq=1 Ack=1 Win=64256 Len=0
4 0.003803721 192.168.1.2 192.168.1.1 HTTP 767 POST /jrd/webapi?api=GetSystemStatus HTTP/1.1* (application/x-www-form-urlencoded)
5 0.024447941 192.168.1.1 192.168.1.2 TCP 54 80 34936 [ACK] Seq=1 Ack=714 Win=32128 Len=0
6 0.052296708 192.168.1.1 192.168.1.2 TCP 70 80 34936 [PSH, ACK] Seq=1 Ack=714 Win=32128 Len=16 [TCP segment of a reassembled PDU]
7 0.052296845 192.168.1.1 192.168.1.2 HTTP/JSON 528 HTTP/1.1 200 OK , JavaScript Object Notation (application/json)
8 0.052364039 192.168.1.2 192.168.1.1 TCP 54 34936 80 [ACK] Seq=714 Ack=17 Win=64256 Len=0
9 0.052930703 192.168.1.2 192.168.1.1 TCP 54 34936 80 [FIN, ACK] Seq=714 Ack=492 Win=64128 Len=0
10 0.061251843 192.168.1.2 192.168.1.1 TCP 74 34938 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=3595656179 TSecr=0 WS=128
11 0.064187519 192.168.1.1 192.168.1.2 TCP 54 80 34936 [ACK] Seq=492 Ack=715 Win=32128 Len=0
12 0.064187779 192.168.1.1 192.168.1.2 TCP 66 80 34938 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=32
13 0.064330872 192.168.1.2 192.168.1.1 TCP 54 34938 80 [ACK] Seq=1 Ack=1 Win=64256 Len=0
14 0.065632767 192.168.1.2 192.168.1.1 HTTP 772 POST /jrd/webapi?api=GetSMSStorageState HTTP/1.1* (application/x-www-form-urlencoded)
15 0.066381036 192.168.1.2 192.168.1.1 TCP 74 34940 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=3595656184 TSecr=0 WS=128
16 0.074954073 192.168.1.1 192.168.1.2 TCP 66 80 34940 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=32
17 0.075028197 192.168.1.2 192.168.1.1 TCP 54 34940 80 [ACK] Seq=1 Ack=1 Win=64256 Len=0
18 0.075349695 192.168.1.2 192.168.1.1 HTTP 772 POST /jrd/webapi?api=GetConnectionState HTTP/1.1* (application/x-www-form-urlencoded)
19 0.080664337 192.168.1.1 192.168.1.2 TCP 70 80 34938 [PSH, ACK] Seq=1 Ack=719 Win=32128 Len=16 [TCP segment of a reassembled PDU]
20 0.080664489 192.168.1.1 192.168.1.2 HTTP/JSON 304 HTTP/1.1 200 OK , JavaScript Object Notation (application/json)
21 0.080744236 192.168.1.2 192.168.1.1 TCP 54 34938 80 [ACK] Seq=719 Ack=17 Win=64256 Len=0
22 0.081363475 192.168.1.2 192.168.1.1 TCP 54 34938 80 [FIN, ACK] Seq=719 Ack=268 Win=64128 Len=0
23 0.084534363 192.168.1.1 192.168.1.2 TCP 54 80 34938 [ACK] Seq=1 Ack=719 Win=32128 Len=0
24 0.084606985 192.168.1.2 192.168.1.1 TCP 54 [TCP Dup ACK 22#1] 34938 80 [ACK] Seq=720 Ack=268 Win=64128 Len=0
25 0.084649572 192.168.1.1 192.168.1.2 TCP 54 80 34940 [ACK] Seq=1 Ack=719 Win=32128 Len=0
26 0.084649729 192.168.1.1 192.168.1.2 TCP 54 80 34938 [ACK] Seq=268 Ack=720 Win=321
27 0.086781498 192.168.1.1 192.168.1.2 TCP 70 80 34940 [PSH, ACK] Seq=1 Ack=719 Win=32128 Len=16 [TCP segment of a reassembled PDU]
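As an added example (not part of OlgaM's post), the Python script below replays the packet-list rows above and redoes the bookkeeping the questions are about: Len counts only payload bytes, SYN and FIN each consume one sequence number, Ack is the next byte the sender expects from the other side, and a segment is reported as a duplicate ACK when it repeats the previous ACK from the same side with no new data (frame 24 against frame 22). Two assumptions are built in and hold only for this capture: 54 header bytes per frame (Ethernet, IPv4 and an option-less TCP header, which is what the 54-byte pure ACKs show), and, because Wireshark's HTTP-decoded rows hide the ports, flags and Seq/Ack columns, each HTTP row is assigned to the stream of the previous frame from the same host. In real work read tcp.stream, tcp.len and tcp.flags from the packet details instead. The numbers also reveal something the HTTP rows hide: the client acknowledges one byte more than each 200 OK payload and the server resumes from that number (Seq=492 in frame 11, Seq=268 in frame 26), which the script reports as an inferred FIN on the response segment.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

HEADER_BYTES = 54  # assumption: Ethernet 14 + IPv4 20 + TCP 20 with no options (pure ACKs are 54 bytes)
# Packet-list rows copied from the post above (relative sequence numbers, as Wireshark shows them).
CAPTURE = """\
1 0.000000000 192.168.1.2 192.168.1.1 TCP 74 34936 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=3595656117 TSecr=0 WS=128
2 0.003662105 192.168.1.1 192.168.1.2 TCP 66 80 34936 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=32
3 0.003691751 192.168.1.2 192.168.1.1 TCP 54 34936 80 [ACK] Seq=1 Ack=1 Win=64256 Len=0
4 0.003803721 192.168.1.2 192.168.1.1 HTTP 767 POST /jrd/webapi?api=GetSystemStatus HTTP/1.1 (application/x-www-form-urlencoded)
5 0.024447941 192.168.1.1 192.168.1.2 TCP 54 80 34936 [ACK] Seq=1 Ack=714 Win=32128 Len=0
6 0.052296708 192.168.1.1 192.168.1.2 TCP 70 80 34936 [PSH, ACK] Seq=1 Ack=714 Win=32128 Len=16 [TCP segment of a reassembled PDU]
7 0.052296845 192.168.1.1 192.168.1.2 HTTP/JSON 528 HTTP/1.1 200 OK , JavaScript Object Notation (application/json)
8 0.052364039 192.168.1.2 192.168.1.1 TCP 54 34936 80 [ACK] Seq=714 Ack=17 Win=64256 Len=0
9 0.052930703 192.168.1.2 192.168.1.1 TCP 54 34936 80 [FIN, ACK] Seq=714 Ack=492 Win=64128 Len=0
10 0.061251843 192.168.1.2 192.168.1.1 TCP 74 34938 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=3595656179 TSecr=0 WS=128
11 0.064187519 192.168.1.1 192.168.1.2 TCP 54 80 34936 [ACK] Seq=492 Ack=715 Win=32128 Len=0
12 0.064187779 192.168.1.1 192.168.1.2 TCP 66 80 34938 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=32
13 0.064330872 192.168.1.2 192.168.1.1 TCP 54 34938 80 [ACK] Seq=1 Ack=1 Win=64256 Len=0
14 0.065632767 192.168.1.2 192.168.1.1 HTTP 772 POST /jrd/webapi?api=GetSMSStorageState HTTP/1.1 (application/x-www-form-urlencoded)
15 0.066381036 192.168.1.2 192.168.1.1 TCP 74 34940 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=3595656184 TSecr=0 WS=128
16 0.074954073 192.168.1.1 192.168.1.2 TCP 66 80 34940 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=32
17 0.075028197 192.168.1.2 192.168.1.1 TCP 54 34940 80 [ACK] Seq=1 Ack=1 Win=64256 Len=0
18 0.075349695 192.168.1.2 192.168.1.1 HTTP 772 POST /jrd/webapi?api=GetConnectionState HTTP/1.1 (application/x-www-form-urlencoded)
19 0.080664337 192.168.1.1 192.168.1.2 TCP 70 80 34938 [PSH, ACK] Seq=1 Ack=719 Win=32128 Len=16 [TCP segment of a reassembled PDU]
20 0.080664489 192.168.1.1 192.168.1.2 HTTP/JSON 304 HTTP/1.1 200 OK , JavaScript Object Notation (application/json)
21 0.080744236 192.168.1.2 192.168.1.1 TCP 54 34938 80 [ACK] Seq=719 Ack=17 Win=64256 Len=0
22 0.081363475 192.168.1.2 192.168.1.1 TCP 54 34938 80 [FIN, ACK] Seq=719 Ack=268 Win=64128 Len=0
23 0.084534363 192.168.1.1 192.168.1.2 TCP 54 80 34938 [ACK] Seq=1 Ack=719 Win=32128 Len=0
24 0.084606985 192.168.1.2 192.168.1.1 TCP 54 [TCP Dup ACK 22#1] 34938 80 [ACK] Seq=720 Ack=268 Win=64128 Len=0
25 0.084649572 192.168.1.1 192.168.1.2 TCP 54 80 34940 [ACK] Seq=1 Ack=719 Win=32128 Len=0
26 0.084649729 192.168.1.1 192.168.1.2 TCP 54 80 34938 [ACK] Seq=268 Ack=720 Win=321
27 0.086781498 192.168.1.1 192.168.1.2 TCP 70 80 34940 [PSH, ACK] Seq=1 Ack=719 Win=32128 Len=16 [TCP segment of a reassembled PDU]
"""

TCP_ROW = re.compile(r"(\d+) (\d+) \[([A-Z, ]+)\]")  # "sport dport [FLAGS]", TCP-decoded rows only
FIELD = re.compile(r"\b(Seq|Ack|Win|Len)=(\d+)")


@dataclass
class Side:
    next_seq: int = 0                 # next relative sequence number this side will send
    last_ack: Optional[int] = None
    last_win: Optional[int] = None
    last_frame: Optional[int] = None
    http_row: Optional[int] = None    # last HTTP-decoded row, whose TCP flags Wireshark hides


@dataclass
class Frame:
    no: int
    payload: int
    consumed: int                     # payload bytes, plus one for SYN and one for FIN
    next_seq: int = 0                 # sender's next_seq after this frame
    dup_ack_of: Optional[int] = None
    notes: list = field(default_factory=list)


def analyze(text: str) -> dict:
    streams, last_stream, frames = {}, {}, {}
    for row in text.strip().splitlines():
        col = row.split()
        no, src, dst, flen = int(col[0]), col[2], col[3], int(col[5])
        m = TCP_ROW.search(row)
        if m:
            key = tuple(sorted((int(m[1]), int(m[2]))))
            flags = {f.strip() for f in m[3].split(",")}
            kv = {k: int(v) for k, v in FIELD.findall(row)}
            sides = streams.setdefault(key, {src: Side(), dst: Side()})
            seq, ack, win, length = kv["Seq"], kv.get("Ack"), kv.get("Win"), kv.get("Len", 0)
        else:
            # HTTP rows hide ports/flags/Seq/Ack; assumption (true here): same stream as the previous frame from this host
            key, flags, sides = last_stream[src], {"PSH", "ACK"}, streams[last_stream[src]]
            seq, ack, win = sides[src].next_seq, sides[src].last_ack, sides[src].last_win
            length = flen - HEADER_BYTES
        snd, rcv, last_stream[src] = sides[src], sides[dst], key
        fr = Frame(no, length, length + ("SYN" in flags) + ("FIN" in flags))
        if not m: snd.http_row = no
        if seq != snd.next_seq:  # a sender must continue exactly where it left off
            fr.notes.append(f"seq {seq} but {snd.next_seq} expected (old or reordered segment)")
        if ack is not None:      # Ack = next byte the sender expects from the other side
            if ack == rcv.next_seq + 1 and rcv.http_row is not None:  # a FIN consumes one number
                fr.notes.append(f"FIN inferred in frame {rcv.http_row}")
                rcv.next_seq += 1
            if ack == rcv.next_seq:
                rcv.http_row = None
            else:
                fr.notes.append(f"acks up to {ack}, other side has sent up to {rcv.next_seq}")
        # Wireshark's duplicate-ACK rule of thumb: no payload, no SYN/FIN/RST, same ack/window/next-seq as before
        if (length == 0 and not flags & {"SYN", "FIN", "RST"} and ack is not None
                and (ack, win, seq) == (snd.last_ack, snd.last_win, snd.next_seq)):
            fr.dup_ack_of = snd.last_frame
        snd.next_seq = max(snd.next_seq, seq + fr.consumed)
        snd.last_ack, snd.last_win, snd.last_frame = ack, win, no
        fr.next_seq = snd.next_seq
        frames[no] = fr
    return frames


if __name__ == "__main__": print(*analyze(CAPTURE).values(), sep="\n")
```

Running it prints one Frame per row. Frame 4 carries 713 payload bytes, which is why frame 5 acknowledges 714; frame 9's FIN carries no data but still moves the client's next sequence number to 715, which is what frame 11 acknowledges; frame 24 is the only duplicate ACK (same Ack, window and next-seq as frame 22, no data), and frame 23 is flagged because its Seq=1 is behind the 268 the server had already reached on that stream.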