I dissected live TCP/IP behaviour with tcpdump and ss, walking the three-way handshake, flag semantics, window scaling, and the four-way teardown. Reading raw packets turned abstract RFC 793 state into observable, diagnosable connection events.

Objective & Context

Every higher-layer problem ultimately shows up in the packets. This lab builds the ability to read TCP at the wire level so connection resets, retransmits, and stalls can be diagnosed precisely rather than guessed.

Environment & Prerequisites

  • Two Linux hosts; tcpdump and ss installed.
  • A test service (HTTP on 80) to generate flows.
  • Wireshark for offline pcap inspection.

Step-by-Step Execution

1. Capture a handshake

tcpdump -ni eth0 'tcp port 80 and tcp[tcpflags] & (tcp-syn|tcp-ack) != 0' -c 10

2. Inspect live socket state

ss -tin state established '( dport = :80 )'
ESTAB 0 0 192.168.10.20:44512 192.168.10.30:80
       cwnd:10 rtt:0.42/0.1 mss:1460

3. Write a pcap for Wireshark

tcpdump -ni eth0 'tcp port 80' -w session.pcap

Validation & Testing

Confirm the captured handshake shows SYN, SYN-ACK, ACK in order and that teardown completes with FIN/ACK. Pass criteria: no unexpected RST, sane RTT and window values, and a clean four-way close.

Advanced: Troubleshooting
  • RST instead of SYN-ACK: the port is closed or a firewall is rejecting, not dropping.
  • Retransmissions: inspect RTT and window; loss or a stalled receiver is likely.
  • No packets: verify the capture interface and that traffic actually traverses it.

Key Results

  • Decoded the full 3-way handshake and 4-way teardown from live captures.
  • Diagnosed connection state across 4 distinct flow scenarios.
  • Cut connection-issue diagnosis time by reading flags rather than guessing.
  • Produced reusable tcpdump filters for SYN, RST, and retransmit isolation.