Explore the Three-Way Handshake in Wireshark: A Hands-On Guide
Introduction
The three-way handshake is a foundational process in the Transmission Control Protocol (TCP), ensuring reliable communication between devices before data transfer begins. This article breaks down the intricacies of the handshake using Wireshark, a powerful network protocol analyzer. By capturing and analyzing real-time network traffic, you’ll gain practical insights into how TCP establishes connections, synchronizes sequence numbers, and confirms readiness. This lab exercise not only demystifies the handshake but also equips you with skills to troubleshoot network issues and deepen your understanding of TCP’s role in modern networking.
Introduction to the Three-Way Handshake
The three-way handshake is a critical mechanism in TCP that establishes a connection between a client and a server. It involves three steps:
- SYN (Synchronize): The client sends a SYN packet to the server, requesting a connection.
- SYN-ACK (Synchronize-Acknowledge): The server responds with a SYN-ACK packet, acknowledging the client’s request and sending its own SYN.
- ACK (Acknowledge): The client replies with an ACK packet, confirming the server’s SYN.
This process ensures both parties agree on sequence numbers, which are essential for tracking data packets and ensuring they arrive in the correct order. Without this handshake, data transmission would be error-prone, leading to lost or misordered information.
In this lab, you’ll use Wireshark to observe these steps in action, providing a visual and interactive way to grasp the handshake’s mechanics.
Preparing for the Lab
Before diving into Wireshark, ensure your environment is set up correctly:
- Install Wireshark: Download and install the latest version of Wireshark from its official website.
- Run as Administrator: On Windows, right-click Wireshark and select “Run as Administrator” to capture network traffic effectively.
- Identify Your IP Address: Note your device’s IP address (e.g., 192.168.1.5) and the target device’s IP (e.g., 192.168.1.10). This will help filter traffic during analysis.
Once configured, you’re ready to capture the handshake.
Capturing the Three-Way Handshake in Wireshark
- Start a Capture: Open Wireshark and click the “Start” button to begin capturing packets.
- Initiate a Connection: Open a web browser and navigate to a website (e.g., https://example.com). This action triggers a TCP connection to the server.
- Stop the Capture: Once the connection is established, click “Stop” in Wireshark to halt packet collection.
Your capture window will now display a series of packets. Focus on the TCP stream associated with the connection to example.com.
Analyzing the Three-Way Handshake
- Identify the SYN Packet:
  - Look for a packet with the SYN flag set to 1. This is the client’s initial request to the server.
  - Example: A packet from your device (192.168.1.5) to the server (192.168.1.10) with SYN=1 and ACK=0.
- Locate the SYN-ACK Response:
  - The server responds with a packet containing both SYN=1 and ACK=1. This acknowledges the client’s request and initiates the server’s own connection.
  - Example: A packet from the server (192.168.1.10) to your device (192.168.1.5) with SYN=1 and ACK=1.
- Find the Final ACK:
  - The client replies with an ACK packet, confirming the server’s SYN. This packet has ACK=1 and SYN=0.
  - Example: A packet from your device (192.168.1.5) to the server (192.168.1.10) with ACK=1.
Key Observations:
- Sequence Numbers: Each SYN packet includes a unique sequence number (e.g., 123456789). The server’s SYN-ACK packet includes its own sequence number, which the client acknowledges.
- Acknowledgment Numbers: The ACK packets confirm the receipt of the previous packets. For example, the client’s final ACK might acknowledge the server’s sequence number.
Understanding the Role of Sequence and Acknowledgment Numbers
Sequence numbers act as identifiers for data packets, ensuring they are processed in the correct order. During the handshake:
- The client’s SYN packet includes a sequence number (e.g., 1000).
- The server’s SYN-ACK packet includes its own sequence number (e.g., 2000) and acknowledges the client’s sequence number.
- The client’s final ACK confirms the server’s sequence number, closing the loop.
This synchronization prevents data corruption and ensures reliable communication. Wireshark’s Protocol Hierarchy view (accessible via the menu) allows you to drill down into these details, revealing the exact values of sequence and acknowledgment numbers.
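As an added illustration (not code from the original lab), the following Python script builds three constructed 20-byte TCP headers for the handshake described above between 192.168.1.5 and 192.168.1.10, using the ISNs 1000 and 2000 from the list, decodes them the way Wireshark decodes the TCP layer, and checks that every acknowledgment number equals the peer’s sequence number plus one (modulo 2^32). The port numbers and the check_handshake function are assumptions made for the example.

```python
import struct

# TCP flag bits in the header's flags byte (FIN, SYN, RST, PSH, ACK).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
MASK32 = 0xFFFFFFFF  # the sequence space wraps modulo 2^32

def tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Build a minimal 20-byte TCP header (data offset 5, checksum left zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)

def parse_tcp(raw):
    """Decode the fields Wireshark shows for a handshake packet."""
    sport, dport, seq, ack, _off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "syn": bool(flags & SYN), "ack_flag": bool(flags & ACK)}

def check_handshake(pkts):
    """Validate a SYN / SYN-ACK / ACK triple. Returns ok=True plus both initial
    sequence numbers, or ok=False plus the reason the triple is not a handshake."""
    s, sa, a = (parse_tcp(p) for p in pkts)
    if not (s["syn"] and not s["ack_flag"]):
        return {"ok": False, "reason": "first packet is not a pure SYN (SYN=1, ACK=0)"}
    if not (sa["syn"] and sa["ack_flag"]):
        return {"ok": False, "reason": "second packet is not a SYN-ACK (SYN=1, ACK=1)"}
    if sa["ack"] != (s["seq"] + 1) & MASK32:
        return {"ok": False, "reason": "SYN-ACK does not acknowledge client ISN + 1"}
    if a["syn"] or not a["ack_flag"]:
        return {"ok": False, "reason": "third packet is not a pure ACK (SYN=0, ACK=1)"}
    if a["seq"] != (s["seq"] + 1) & MASK32 or a["ack"] != (sa["seq"] + 1) & MASK32:
        return {"ok": False, "reason": "final ACK seq/ack numbers do not match the ISNs"}
    return {"ok": True, "client_isn": s["seq"], "server_isn": sa["seq"]}

# Constructed sample: the handshake from the text, client 192.168.1.5:51000 (port assumed)
# to server 192.168.1.10:443, with ISNs 1000 and 2000.
CLIENT_ISN, SERVER_ISN = 1000, 2000
SAMPLE = [
    tcp_header(51000, 443, CLIENT_ISN, 0, SYN),                      # client SYN
    tcp_header(443, 51000, SERVER_ISN, CLIENT_ISN + 1, SYN | ACK),   # server SYN-ACK
    tcp_header(51000, 443, CLIENT_ISN + 1, SERVER_ISN + 1, ACK),     # client ACK
]

if __name__ == "__main__":
    print(check_handshake(SAMPLE))
```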
Common Issues and Troubleshooting
While the three-way handshake is dependable, issues can arise:
- SYN Flood Attacks: An attacker sends numerous SYN packets without completing the handshake, overwhelming the server. Wireshark can help identify such patterns by filtering for tcp.flags.syn==1 && tcp.flags.ack==0.
- Firewall or NAT Interference: Firewalls may block SYN packets, preventing the handshake. Use Wireshark to check if packets are being dropped.
- Misconfigured Devices: Incorrect sequence numbers or missing ACKs can disrupt the handshake. Wireshark’s TCP Stream feature helps trace these issues.
By analyzing these scenarios, you’ll learn how to diagnose and resolve common TCP problems.
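The half-open pattern behind the SYN flood item above can be checked automatically. The following Python script is an added example (not part of the original article) that replays a constructed packet list in capture order, tracks each connection through SYN, SYN-ACK and ACK, and reports servers with many handshakes that never completed. The client addresses, ports and the threshold of 10 are assumptions for the example.

```python
# Constructed capture, one tuple per packet in arrival order:
# (src_ip, src_port, dst_ip, dst_port, SYN flag, ACK flag).
# 192.168.1.5 completes its handshake with 192.168.1.10:443; twenty other
# clients (addresses assumed) send a SYN, receive a SYN-ACK, and never reply.
CAPTURE = (
    [("192.168.1.5", 51000, "192.168.1.10", 443, 1, 0),
     ("192.168.1.10", 443, "192.168.1.5", 51000, 1, 1),
     ("192.168.1.5", 51000, "192.168.1.10", 443, 0, 1)]
    + [("10.9.8.%d" % i, 40000 + i, "192.168.1.10", 443, 1, 0) for i in range(1, 21)]
    + [("192.168.1.10", 443, "10.9.8.%d" % i, 40000 + i, 1, 1) for i in range(1, 21)]
)

def handshake_states(packets):
    """Replay the capture and return {(client, cport, server, sport): state},
    where state is 'syn', 'syn-ack' or 'established'."""
    states = {}
    for src, sp, dst, dp, syn, ack in packets:
        fwd = (src, sp, dst, dp)   # key if this packet travels client -> server
        rev = (dst, dp, src, sp)   # key if this packet travels server -> client
        if syn and not ack:        # same packets as tcp.flags.syn==1 && tcp.flags.ack==0
            states.setdefault(fwd, "syn")
        elif syn and ack and states.get(rev) == "syn":
            states[rev] = "syn-ack"
        elif ack and not syn and states.get(fwd) == "syn-ack":
            states[fwd] = "established"
    return states

def half_open_by_server(states):
    """Count, per (server, port), the handshakes that never reached 'established'."""
    counts = {}
    for (_, _, server, sport), state in states.items():
        if state != "established":
            counts[(server, sport)] = counts.get((server, sport), 0) + 1
    return counts

def suspected_syn_flood(states, threshold=10):
    """Return (server, port) pairs whose half-open count exceeds the threshold."""
    return sorted(s for s, n in half_open_by_server(states).items() if n > threshold)

if __name__ == "__main__":
    st = handshake_states(CAPTURE)
    print(half_open_by_server(st), suspected_syn_flood(st))
```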
Conclusion
The three-way handshake is a cornerstone of TCP, ensuring secure and reliable communication. Through this lab, you’ve explored how Wireshark captures and deciphers this process, from the initial SYN request to the final ACK. Understanding this mechanism not only enhances your grasp of TCP but also equips you to troubleshoot network issues effectively. As you continue your networking journey, remember that tools like Wireshark are invaluable for dissecting complex protocols and deepening your technical expertise.
Final Tip: Experiment with different websites or services to observe variations in handshake behavior. This hands-on practice will solidify your understanding and prepare you for real-world networking challenges.
Extending the Handshake: TCP Options and Window Scaling
Beyond the basic three-way handshake, TCP includes optional fields that can be negotiated during the connection setup. These options enhance performance and adaptability.
- MSS (Maximum Segment Size): This option tells the other end the largest chunk of data it can accept. You will often see values like 1460 or 1440 bytes depending on the network path and MTU settings.
- Window Scaling: TCP originally used a 16-bit window field, limiting throughput. Window scaling extends this by multiplying the advertised window by a scaling factor. Wireshark displays the scaled window size in the decoded packet details.
- Timestamps (TCP Timestamp Option): This option introduces a timestamp field that helps track round-trip times and protects against sequence number reuse. You can spot it in Wireshark as tcp.options.timestamp.
To view these options in Wireshark, select any packet in the handshake exchange and expand the TCP layer in the packet details pane. You will see a sub-tree labeled Options with each negotiated parameter listed.
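To see what sits underneath that Options sub-tree, here is an added Python example (not from the original guide) that parses the raw option bytes of a TCP header into the MSS, window scale, SACK-permitted and timestamp values, and applies the negotiated scale factor to an advertised window. The option bytes are constructed for the example (MSS 1460, window scale 7, TSval 123456).

```python
import struct

# Option kinds (RFC 793 MSS, RFC 7323 window scale and timestamps, RFC 2018 SACK).
MSS, WSCALE, SACK_OK, TIMESTAMPS = 2, 3, 4, 8

def parse_tcp_options(raw):
    """Decode TCP option bytes into a dict, mirroring the entries Wireshark lists
    under 'Options' in the packet details pane. Malformed lengths raise ValueError."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # End of Option List
            break
        if kind == 1:                       # No-Operation (padding)
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed option at offset %d" % i)
        length = raw[i + 1]
        body = raw[i + 2:i + length]
        if kind == MSS and length == 4:
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == WSCALE and length == 3:
            opts["wscale"] = body[0]        # shift count, window = advertised << shift
        elif kind == SACK_OK and length == 2:
            opts["sack_permitted"] = True
        elif kind == TIMESTAMPS and length == 10:
            opts["tsval"], opts["tsecr"] = struct.unpack("!II", body)
        else:
            opts.setdefault("unknown", []).append((kind, body.hex()))
        i += length
    return opts

def effective_window(advertised, opts):
    """Apply the negotiated scale factor. Note that the window in a SYN segment is
    never scaled; scaling applies only once both sides have offered the option."""
    return advertised << opts.get("wscale", 0)

# Constructed sample: option bytes of a typical client SYN. MSS 1460, SACK-permitted,
# timestamps (TSval 123456, TSecr 0), one NOP, window scale 7.
SAMPLE_OPTIONS = bytes.fromhex("020405b4" "0402" "080a" "0001e240" "00000000" "01" "030307")

if __name__ == "__main__":
    decoded = parse_tcp_options(SAMPLE_OPTIONS)
    print(decoded, effective_window(65535, decoded))
```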
Observing the Handshake on Different Protocols
The three-way handshake is not limited to web browsing. Try initiating connections using other services to see how the handshake behaves:
- SSH: Open an SSH session to a remote server and capture the handshake. Notice that the server's SYN-ACK is followed immediately by application-layer data, since SSH is a session-based protocol.
- FTP: FTP uses two connections — a control channel and a data channel. Each channel performs its own three-way handshake. Capturing both reveals how TCP handles multiple simultaneous connections.
- DNS over TCP: While DNS primarily uses UDP, large responses trigger a fallback to TCP. Capturing this transition shows the handshake occurring mid-transaction.
Each scenario reinforces the same underlying mechanics while demonstrating TCP's flexibility across diverse application contexts.
Practical Exercise: Reproducing the Handshake
To cement your understanding, try this exercise:
- Start a Wireshark capture on your local interface.
- Open a web browser and navigate to a website you have not visited recently (to force a fresh TCP connection).
- Stop the capture after the page loads.
- Filter the trace with tcp.flags.syn==1 || tcp.flags.syn==1 && tcp.flags.ack==1 to list the SYN and SYN-ACK packets. The final ACK has SYN=0, so it does not match this filter; right-click the SYN and choose Follow > TCP Stream to see all three packets together.
- Identify the client SYN, server SYN-ACK, and client ACK. Record the sequence and acknowledgment numbers for each.
- Expand the TCP options in each packet and note any negotiated parameters.
This exercise mirrors the workflow described earlier but puts you in the driver's seat, reinforcing both the theory and the tooling skills required for real-world analysis.
Conclusion
Mastering the TCP three-way handshake is a foundational milestone for anyone working in networking, cybersecurity, or systems administration. Through hands-on experimentation with Wireshark, you have learned how sequence and acknowledgment numbers synchronize two endpoints, how TCP options shape connection behavior, and how to recognize and troubleshoot common anomalies. The knowledge gained here — from dissecting packet captures to identifying SYN flood patterns — translates directly into practical, real-world skills. As you encounter more complex protocols and network environments, this strong conceptual base will serve as a reliable foundation for deeper exploration.