Analyzing a TCP handshake in Wireshark
Capturing and analyzing a full TCP handshake using Wireshark.
A captured SYN → SYN-ACK → ACK sequence completing a TCP connection.
As part of a demonstration in network analysis, I captured a TCP three-way handshake using Wireshark. This is the process by which two devices establish a reliable connection over TCP.
Summary of the Handshake
| Packet # | Type | Description |
|---|---|---|
| 1 | SYN | Client initiates connection |
| 2 | SYN-ACK | Server acknowledges and replies |
| 3 | ACK | Client acknowledges, connection ready |
Destination IP: 142.250.1.139 (example Google server)
Port Used: 80 (HTTP)
Critical Observations
- The classic three-step:
  - Client sends SYN to begin the connection.
  - Server replies with SYN-ACK.
  - Client responds with ACK and the connection is open.
- No application data is exchanged during the handshake itself; it is strictly session setup. The SYN and SYN-ACK do carry TCP options (MSS, window scale, SACK-permitted, timestamps), which is why Wireshark shows them with Len=0 but a header longer than 20 bytes.
- Wireshark displays relative sequence numbers by default, so a clean handshake reads Seq=0, then Seq=0 Ack=1, then Seq=1 Ack=1; the real 32-bit ISNs are visible only if that preference is turned off.
- This capture was tied to a connection attempt on port 80 (HTTP).
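The three segments described above, rebuilt as raw TCP headers and checked the way an analyst would check them by eye in Wireshark. This is an added example, not part of the original capture or write-up: the ISNs, ports and MSS value are constructed, the checksum is left at zero, and the `relative_view` output mimics Wireshark's Info column with relative sequence numbers enabled.

```python
import struct

# TCP flag bits (low byte of the flags field)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def build_tcp_segment(sport, dport, seq, ack, flags, options=b"", payload=b""):
    """Build a raw TCP segment. Checksum stays 0 (Wireshark would flag it);
    only ports, flags, seq/ack and options matter for this exercise."""
    options += b"\x00" * (-len(options) % 4)      # pad options to 32-bit words
    data_offset = (20 + len(options)) // 4         # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset << 4, flags, 65535, 0, 0)
    return header + options + payload

def parse_tcp_segment(raw):
    """Decode the fixed 20-byte header plus the MSS option (kind 2) if present."""
    sport, dport, seq, ack, off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", raw[:20])
    hdr_len = (off >> 4) * 4
    opts, mss, i = raw[20:hdr_len], None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP used as padding
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "mss": mss, "payload": raw[hdr_len:]}

def flag_names(flags):
    return ", ".join(n for n, bit in (("FIN", FIN), ("SYN", SYN), ("RST", RST),
                                      ("PSH", PSH), ("ACK", ACK)) if flags & bit)

def relative_view(segments):
    """Render segments like Wireshark's Info column with relative sequence numbers:
    each side's ISN is shown as 0 (sides are keyed by source port here)."""
    isn, lines = {}, []
    for p in (parse_tcp_segment(s) for s in segments):
        isn.setdefault(p["sport"], p["seq"])
        line = f'{p["sport"]} → {p["dport"]} [{flag_names(p["flags"])}] Seq={(p["seq"] - isn[p["sport"]]) & 0xFFFFFFFF}'
        if p["flags"] & ACK:
            line += f' Ack={(p["ack"] - isn[p["dport"]]) & 0xFFFFFFFF}'
        lines.append(line)
    return lines

def check_handshake(segments):
    """Return the problems found in a 3-segment handshake (empty list = clean)."""
    if len(segments) != 3:
        return ["expected exactly 3 segments"]
    syn, synack, ack = (parse_tcp_segment(s) for s in segments)
    problems = []
    if (syn["flags"] & (SYN | ACK)) != SYN:
        problems.append("packet 1 is not a bare SYN")
    if (synack["flags"] & (SYN | ACK)) != (SYN | ACK):
        problems.append("packet 2 is not a SYN-ACK")
    if (ack["flags"] & (SYN | ACK)) != ACK:
        problems.append("packet 3 is not a bare ACK")
    if (synack["sport"], synack["dport"]) != (syn["dport"], syn["sport"]):
        problems.append("SYN-ACK ports are not the mirror of the SYN")
    if synack["ack"] != (syn["seq"] + 1) & 0xFFFFFFFF:
        problems.append("SYN-ACK does not acknowledge client ISN+1")
    if ack["ack"] != (synack["seq"] + 1) & 0xFFFFFFFF:
        problems.append("ACK does not acknowledge server ISN+1")
    if ack["seq"] != (syn["seq"] + 1) & 0xFFFFFFFF:
        problems.append("ACK sequence number is not client ISN+1")
    if any(p["payload"] for p in (syn, synack, ack)):
        problems.append("handshake segment carried application data")
    return problems

# Constructed sample: client 51234 -> server 80, arbitrary ISNs, MSS 1460 option on both SYNs.
CLIENT_ISN, SERVER_ISN = 0x1A2B3C4D, 0x99887766
MSS_1460 = b"\x02\x04\x05\xb4"
HANDSHAKE = [
    build_tcp_segment(51234, 80, CLIENT_ISN, 0, SYN, MSS_1460),
    build_tcp_segment(80, 51234, SERVER_ISN, CLIENT_ISN + 1, SYN | ACK, MSS_1460),
    build_tcp_segment(51234, 80, CLIENT_ISN + 1, SERVER_ISN + 1, ACK),
]
# Constructed bad case: a SYN-ACK whose ack number does not match the client's ISN+1.
BAD_SYNACK = [HANDSHAKE[0],
              build_tcp_segment(80, 51234, SERVER_ISN, CLIENT_ISN + 7, SYN | ACK),
              HANDSHAKE[2]]

if __name__ == "__main__":
    print("\n".join(relative_view(HANDSHAKE)))
    print("problems:", check_handshake(HANDSHAKE) or "none")
    print("problems in bad case:", check_handshake(BAD_SYNACK))
```

The seq/ack arithmetic in `check_handshake` is exactly what Wireshark's TCP analysis does silently; when a SYN-ACK acknowledges the wrong number it is either a corrupted capture or a spoofed reply, and Wireshark will show it as an out-of-order or ACKed-unseen-segment warning rather than a clean handshake.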
Why it matters
Reading a handshake at the packet level is the difference between knowing the theory and recognising what is actually wrong on a network. A SYN with no SYN-ACK back is a connectivity problem or a firewall silently dropping the packet. A SYN answered by a RST means the port is closed or a firewall is rejecting rather than dropping. A storm of SYNs from one source with no completions is the start of a SYN flood (or, if they are spread across many ports, a SYN scan). A handshake that completes, then a RST with no data in between: something refused the connection after accepting it, typically an application-layer check or a proxy.
None of that reads off cleanly from logs. It reads off cleanly from a capture.
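The patterns listed above, turned into a small flow classifier. This is an added example and not part of the original post: it walks per-packet records of the kind you would export from Wireshark or tshark (source, destination, ports, flag letters, payload length) and labels each connection as established, unanswered, refused, or reset after accept, then flags sources with many half-open SYNs. The records are constructed; the addresses, ports and the threshold of 10 are assumptions for the demo.

```python
from collections import Counter

def classify_flows(records):
    """Walk packet records in capture order and return {flow_key: verdict}.
    flow_key is (client_ip, client_port, server_ip, server_port); the client is
    whoever sent the bare SYN. Records are (src, dst, sport, dport, flags, payload_len)
    with flags as tshark-style letters: S, A, R, P, F."""
    state = {}
    for src, dst, sport, dport, flags, plen in records:
        if "S" in flags and "A" not in flags:            # bare SYN opens a flow
            state[(src, sport, dst, dport)] = "SYN_SENT"
            continue
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if rev in state:                                  # server -> client
            key, from_server = rev, True
        elif fwd in state:                                # client -> server
            key, from_server = fwd, False
        else:
            continue                                      # mid-stream, no SYN seen: ignore
        cur = state[key]
        if "R" in flags:
            if cur == "SYN_SENT":
                state[key] = "REFUSED"                    # RST in reply to SYN: closed/rejected
            elif cur == "ESTABLISHED":
                state[key] = "RESET_AFTER_ACCEPT"         # accepted, then torn down before data
            elif cur not in ("REFUSED", "RESET_AFTER_ACCEPT"):
                state[key] = "RESET"
        elif "S" in flags and from_server and cur == "SYN_SENT":
            state[key] = "SYN_RECEIVED"                   # SYN-ACK seen
        elif "A" in flags and not from_server and cur == "SYN_RECEIVED":
            state[key] = "DATA" if plen else "ESTABLISHED"
        elif plen and cur in ("ESTABLISHED", "DATA"):
            state[key] = "DATA"
    # A flow still in SYN_SENT at the end of the capture never got a SYN-ACK.
    return {k: ("NO_RESPONSE" if v == "SYN_SENT" else v) for k, v in state.items()}

def half_open_sources(verdicts, threshold=10):
    """Sources with at least `threshold` SYNs that were never answered: a SYN-flood
    (or SYN-scan) signal worth a closer look."""
    counts = Counter(client for (client, _, _, _), v in verdicts.items() if v == "NO_RESPONSE")
    return sorted(src for src, n in counts.items() if n >= threshold)

# Constructed sample capture (src, dst, sport, dport, flags, payload_len).
SAMPLE = [
    # normal HTTP connection: handshake, then a request
    ("10.0.0.5", "142.250.1.139", 51234, 80, "S", 0),
    ("142.250.1.139", "10.0.0.5", 80, 51234, "SA", 0),
    ("10.0.0.5", "142.250.1.139", 51234, 80, "A", 0),
    ("10.0.0.5", "142.250.1.139", 51234, 80, "PA", 77),
    # SYN that nothing answers (drop or dead host)
    ("10.0.0.5", "10.0.0.99", 51235, 443, "S", 0),
    # SYN answered with RST (closed port or reject rule)
    ("10.0.0.5", "10.0.0.7", 51236, 8080, "S", 0),
    ("10.0.0.7", "10.0.0.5", 8080, 51236, "RA", 0),
    # handshake completes, then the server resets before any data
    ("10.0.0.5", "10.0.0.8", 51237, 22, "S", 0),
    ("10.0.0.8", "10.0.0.5", 22, 51237, "SA", 0),
    ("10.0.0.5", "10.0.0.8", 51237, 22, "A", 0),
    ("10.0.0.8", "10.0.0.5", 22, 51237, "RA", 0),
    # burst of unanswered SYNs from one outside source
    *[("203.0.113.9", "10.0.0.5", 40000 + i, 80, "S", 0) for i in range(25)],
]

if __name__ == "__main__":
    verdicts = classify_flows(SAMPLE)
    for key, verdict in verdicts.items():
        if key[0] != "203.0.113.9":
            print(key, verdict)
    print("half-open sources:", half_open_sources(verdicts))
```

To pull the same records out of a live capture, the Wireshark display filter `tcp.flags.syn == 1 && tcp.flags.ack == 0` isolates the bare SYNs, and following a single conversation (Follow TCP Stream) shows the rest of each flow in order.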