6.1.7 Lab: Explore Three-way Handshake In Wireshark


Have you ever wondered how your computer actually connects to a website? What happens in the split second between hitting Enter and seeing the page load? A short exchange takes place behind the scenes, a digital handshake that makes everything after it possible. If you want to look inside that exchange, Wireshark is the tool for the job.

This isn’t just for network engineers or IT folks. Whether you’re troubleshooting a slow connection, studying for a certification, or just curious about how the internet works, understanding the three-way handshake and how to analyze it in Wireshark gives you real insight. Let’s break it down.

What Is the Three-Way Handshake?

The three-way handshake is the process TCP uses to establish a reliable connection between two devices. Think of it like a phone call where both parties confirm they’re ready to talk before the conversation starts. The handshake is how each side learns the other’s initial sequence number (ISN); without it, neither end could tell fresh data from duplicated, stale or forged segments, and that’s not good for anything that needs to work consistently, like loading a webpage or sending an email.

Here’s how it works in simple terms:

  • The client sends a SYN (synchronize) packet to the server: “Hey, I want to connect.”
  • The server responds with a SYN-ACK (synchronize-acknowledgment) packet: “Got your request. I’m ready too.”
  • The client sends back an ACK (acknowledgment) packet: “Confirmed. Let’s go.”

Only after these three steps does the actual data transfer begin. It’s elegant in its simplicity, but powerful in what it enables. When something goes wrong during this process, knowing how to spot it in Wireshark can save hours of frustration.

Breaking Down Each Step

Let’s walk through each part of the handshake and what to look for:

  • SYN Packet: This is the client’s way of saying, “I’d like to start a connection.” In Wireshark, you’ll see this flagged with tcp.flags.syn == 1 and tcp.flags.ack == 0. The Sequence Number column shows 0 because Wireshark displays relative sequence numbers by default; the raw initial sequence number (ISN) underneath is randomized by the OS, which is what makes blind spoofing of a connection hard.

  • SYN-ACK Packet: The server replies with both flags set: tcp.flags.syn == 1 and tcp.flags.ack == 1. This tells the client, “I received your request, here’s my own initial sequence number, and I acknowledge yours.” Its Acknowledgment Number is the client’s ISN + 1.

  • ACK Packet: Finally, the client sends an acknowledgment. Here, tcp.flags.ack == 1 but tcp.flags.syn == 0. Its sequence number is the client ISN + 1 and its acknowledgment number the server ISN + 1 (in relative terms, seq 1 and ack 1), and it carries no data. This confirms the connection is established and ready for data.

Each of these packets carries sequence and acknowledgment numbers that track where each side is in the byte stream. An acknowledgment number that isn’t the peer’s ISN + 1, or a SYN repeated with the same sequence number, is a red flag: the first points to a broken or spoofed peer, the second to retransmissions because no reply ever arrived.

Why It Matters / Why People Care

Understanding the three-way handshake isn’t just academic — it’s practical. Here’s why:

If a connection fails to establish, you’ll often see an incomplete handshake in Wireshark. If the SYN goes out and nothing comes back, a firewall is silently dropping it or the host is down; if a RST comes back instead of a SYN-ACK, the host is up but nothing is listening on that port. If instead you see a burst of SYNs, often from many different source addresses, that the server answers with SYN-ACKs which are never acknowledged, you might be looking at a SYN flood, where someone leaves the server holding half-open connections until its backlog is exhausted.

For developers, knowing how the handshake works helps debug application-level issues. Ever seen a timeout error when connecting to an API? It might not be the code; it could be the network layer failing to establish a proper TCP session.

For security analysts, the handshake is ground zero for spotting anomalies. Unusual patterns in sequence numbers or unexpected flag combinations (a segment with both SYN and FIN set, for example) can signal scanning or other malicious activity. This is where a lot of intrusion detection starts.

How It Works (or How to Do It)

Setting up Wireshark to capture and analyze the three-way handshake is straightforward once you know what to look for. Here’s how to do it step by step.

Step 1: Install and Launch Wireshark

First, download Wireshark from the official site and install it. Once it’s running, choose the network interface you want to monitor, usually your active Wi-Fi or Ethernet connection, and start the capture (double-click the interface, or select it and click the Start button). Opening an interface for capture needs extra permissions: on Linux and macOS that means either membership in the group the installer sets up (for example the wireshark group on Debian-based systems) or running with elevated privileges.

Step 2: Generate Traffic

To see the handshake in action, you need to generate some traffic that will trigger a TCP connection while Wireshark is capturing packets. Below are a few quick methods, each with its own quirks, so you can pick the one that best fits your environment.

Step 2.1: Open a Web Browser to a New Site

If you have a reachable HTTP/HTTPS endpoint (say, https://www.example.com), simply navigate there in a fresh browser window. The browser opens a TCP connection, which is the three-way handshake, and then sends its HTTP request over it. This is the most “real-world” way to capture the flow because it mimics typical user traffic. Two caveats: a browser may reuse a connection it already has open to that site (HTTP keep-alive, HTTP/2), so pick a site you haven’t visited recently or restart the browser first; and many browsers reach popular sites over HTTP/3 (QUIC), which runs on UDP and involves no TCP handshake at all, so if you only see UDP traffic to port 443, try a different site or disable QUIC in the browser.

Step 2.2: Use curl or wget from the Command Line

For a script‑friendly approach, open a terminal and run:

curl -v https://www.example.com

The -v flag prints curl’s own view of the connection (a “Connected to www.example.com … port 443” line, the TLS negotiation, and the HTTP request and response headers); it does not show TCP flags, which are visible only in the capture. On macOS or Linux you can also use wget --verbose https://www.example.com. These tools establish a single connection quickly and cleanly, making it easy to spot the SYN, SYN-ACK, and ACK packets.

Step 2.3: Fire a Connection with nc (Netcat)

Netcat is great for low‑level socket testing. To open a TCP connection to port 80 (HTTP) on a remote host, run:

nc -zv www.example.com 80

With -z, Netcat sends no application data: it completes the handshake, reports whether the port is open, and closes the connection, so you get a pure TCP view (SYN, SYN-ACK, ACK, then the FIN or RST that tears it down). For a fully controlled end-to-end test, run nc -l <port> on one machine to listen and connect to it with nc <host> <port> from another, capturing on either side; but the simple nc -zv is enough to trigger the exchange. Note that this is a full connect, unlike a half-open SYN scan (nmap -sS), which deliberately never sends the final ACK and so never appears as an established connection.

Step 2.4: Simulate a TLS Handshake

If you’re interested in how the three‑way handshake interacts with encryption, you can open a secure connection to an HTTPS site using a tool like openssl s_client:

openssl s_client -connect www.example.com:443 

This performs the TCP handshake first, then immediately starts the TLS negotiation: the first packet after the handshake’s ACK is the TLS Client Hello, which Wireshark decodes under the TLS protocol (labelled SSL in older versions). It’s a handy way to see the TLS handshake layered on top of the TCP handshake, and to notice that the two are independent: a TLS failure such as a rejected certificate happens on a connection whose TCP handshake already succeeded.

Step 3: Apply Display Filters to Isolate the Handshake

Once you have traffic, the capture window can become noisy. Use Wireshark’s display filter bar to focus on the three‑way handshake:

  • Show only SYN packets: tcp.flags.syn == 1 && tcp.flags.ack == 0
  • Show only SYN‑ACK packets: tcp.flags.syn == 1 && tcp.flags.ack == 1
  • Show only ACK packets (no SYN): tcp.flags.ack == 1 && tcp.flags.syn == 0

Be aware that the third filter matches almost every TCP segment, since everything after the SYN carries ACK. To pick out just the handshake’s final ACK, use the relative sequence numbers Wireshark shows by default: it is an empty segment with seq 1 and ack 1, i.e. tcp.flags.ack == 1 && tcp.flags.syn == 0 && tcp.seq == 1 && tcp.ack == 1 && tcp.len == 0. Combining the pieces gives one filter for all three steps:

tcp.flags.syn == 1 || (tcp.flags.ack == 1 && tcp.flags.syn == 0 && tcp.seq == 1 && tcp.ack == 1 && tcp.len == 0)

Often the simplest view is to right‑click the SYN and choose Follow → TCP Stream, or filter on its stream index (tcp.stream eq 0), so you see only that one conversation in order.

Step 4: Examine the Packet Details

  1. Select the SYN packet and open the Packet Details pane. Verify that tcp.flags.syn is set and tcp.flags.ack is clear, and note the Sequence Number (shown as 0 with relative sequence numbers, the default; recent versions also show the randomized raw ISN as “Sequence Number (raw)”).
  2. Select the corresponding SYN‑ACK and check that both the syn and ack flags are true. The Acknowledgment Number should be the client’s sequence number plus one (relative: 1).
  3. Select the final ACK and confirm ack is set while syn is not. Its Sequence Number should be the client ISN plus one and its Acknowledgment Number the server ISN plus one (relative: seq 1, ack 1), with zero bytes of payload.

Pay attention to the Window Size, Checksum, and Options fields. The SYN and SYN‑ACK are where MSS, window scaling, SACK permitted and timestamps are negotiated, so an option missing here affects the whole connection. A zero window advertised at this stage is abnormal and can hint at a throttled or deliberately manipulated endpoint. One caveat on checksums: on the capturing host, outgoing packets often show a “bad checksum” warning because the NIC fills the checksum in after Wireshark has already seen the packet (checksum offload); that is a capture artifact, not an attack.
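The checks from Steps 3 and 4, and the failure modes described under “Why It Matters” (no SYN‑ACK, a RST instead of a SYN‑ACK, SYN‑ACKs that are never acknowledged), expressed as code. This is an added example, not part of the original lab and not Wireshark’s code: a small TCP-header parser over 20-byte headers that the script itself constructs with build_tcp (the ports, ISNs and stream names are made up), with check_handshake applying the same flag and seq/ack rules a reader verifies in the Packet Details pane, and half_open_count giving the SYN-flood signal over a set of streams.

```python
"""Added example, not part of the original lab and not Wireshark code.
A minimal TCP-header parser that applies the flag and sequence-number checks
the lab performs by hand in the Packet Details pane. Every packet here is
constructed in this script (see build_tcp); nothing is captured from a network."""
import struct

# Flag bits in the 16-bit data-offset/flags field of the TCP header (RFC 9293)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
MASK32 = 0xFFFFFFFF  # sequence numbers wrap modulo 2**32


def build_tcp(sport, dport, seq, ack, flags, window=65535):
    """Build a 20-byte TCP header with no options; the checksum is left at zero."""
    offset_flags = (5 << 12) | flags  # data offset = 5 words, then the flag bits
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)


def parse_tcp(raw):
    """Decode the fixed header fields Wireshark lists under 'Transmission Control Protocol'."""
    sport, dport, seq, ack, off_flags, win, _cksum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x01FF, "window": win}


def classify(hdr):
    """Name a segment the way the lab's display filters do."""
    f = hdr["flags"]
    if f & RST:
        return "RST"
    if f & SYN:
        return "SYN-ACK" if f & ACK else "SYN"
    return "ACK" if f & ACK else "OTHER"


def check_handshake(segments):
    """Validate one TCP stream given its raw headers in capture order.
    Returns (status, explanation); only 'established' means the handshake completed."""
    hdrs = [parse_tcp(s) for s in segments]
    kinds = [classify(h) for h in hdrs]
    if not hdrs or kinds[0] != "SYN":
        return "no-syn", "stream does not start with a SYN (capture began mid-connection?)"
    syn, client_isn = hdrs[0], hdrs[0]["seq"]
    # Collapse client SYN retransmissions: the same ISN resent on a back-off timer
    retries = 0
    while len(hdrs) > 1 and kinds[1] == "SYN" and hdrs[1]["seq"] == client_isn:
        del hdrs[1], kinds[1]
        retries += 1
    if len(hdrs) == 1:
        return "no-syn-ack", f"SYN sent {retries + 1} time(s), nothing came back: filtered or host down"
    reply = hdrs[1]
    if (reply["sport"], reply["dport"]) != (syn["dport"], syn["sport"]):
        return "unexpected", "second segment is not from the server side of this stream"
    if kinds[1] == "RST":
        return "refused", "SYN answered by RST: host is up but the port is closed"
    if kinds[1] != "SYN-ACK":
        return "unexpected", f"expected SYN-ACK, saw {kinds[1]}"
    if reply["ack"] != (client_isn + 1) & MASK32:
        return "bad-ack", "SYN-ACK acknowledgment number is not client ISN + 1"
    server_isn = reply["seq"]
    if len(hdrs) == 2:
        return "half-open", "SYN-ACK never acknowledged: client vanished or its source was spoofed"
    final = hdrs[2]
    if (kinds[2] != "ACK" or final["seq"] != (client_isn + 1) & MASK32
            or final["ack"] != (server_isn + 1) & MASK32):
        return "bad-final-ack", "third segment does not carry seq client ISN + 1 / ack server ISN + 1"
    return "established", f"client ISN {client_isn}, server ISN {server_isn}"


def half_open_count(streams):
    """Count streams stuck after the SYN-ACK; many at once is the SYN-flood signature."""
    return sum(1 for segs in streams.values() if check_handshake(segs)[0] == "half-open")


# Constructed sample streams (ports and ISNs are made up; real ISNs are randomized).
C, S = 51000, 443
GOOD = [build_tcp(C, S, 1000, 0, SYN),
        build_tcp(S, C, 5000, 1001, SYN | ACK),
        build_tcp(C, S, 1001, 5001, ACK)]
BLOCKED = [build_tcp(C, S, 2000, 0, SYN)] * 3                  # 3 SYNs, never answered
REFUSED = [build_tcp(C, S, 3000, 0, SYN),
           build_tcp(S, C, 0, 3001, RST | ACK)]                 # closed port
FLOOD = {f"flood-{i}": [build_tcp(40000 + i, S, i, 0, SYN),
                        build_tcp(S, 40000 + i, 9000 + i, i + 1, SYN | ACK)]
         for i in range(50)}                                    # spoofed sources, no final ACK

if __name__ == "__main__":
    for name, segs in [("good", GOOD), ("blocked", BLOCKED), ("refused", REFUSED)]:
        status, why = check_handshake(segs)
        print(f"{name:8s} {status:13s} {why}")
    print("half-open streams:", half_open_count({"good": GOOD, **FLOOD}))
```

Each status maps onto something you would see in the capture: no-syn-ack is the repeated SYN with no reply (filtered or down), refused is the RST that answers a SYN on a closed port, half-open is the SYN‑ACK that never gets its ACK, and bad-ack / bad-final-ack are the seq/ack mismatches from Step 4. On a real capture the same logic would run over the segments of each tcp.stream; the script only feeds it the constructed streams above.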

Step 5: Export and Document the Findings

  • Export the capture (File → Export Specified Packets, saved as pcapng) so that just the filtered handshake packets can go to teammates or into a ticket for later review.
  • Summarize with Statistics → Capture File Properties (called Summary in older versions) and Statistics → Conversations → TCP. Record the number of handshake attempts, the initial round‑trip time (tcp.analysis.initial_rtt, which Wireshark derives from the SYN/SYN‑ACK timing), and any retransmissions (tcp.analysis.retransmission).
  • Annotate packets (right‑click → Packet Comment) to flag anomalies you notice, such as a missing SYN‑ACK (likely firewall drop), a RST in reply to the SYN (port closed), or the same SYN repeated at growing intervals (retransmissions, meaning no reply ever came).

Step 6: Validate Against Expected Behavior

Compare the observed handshake with the TCP specification (

Understanding the TCP three-way handshake, and how TLS sits on top of it, gives a clear picture of how a connection, secure or not, is initiated. By following the steps above you can read the sequence of events from the first SYN to the final ACK, tell a filtered port from a closed one, and recognise a half-open flood. Observing each stage, from the TCP connection up to the TLS negotiation that follows it, also makes clear which layer a failure belongs to: a certificate error is a TLS problem on a TCP connection that already succeeded, while a missing SYN‑ACK never reached TLS at all. That distinction is what makes this lab useful both for troubleshooting and for spotting attacks.
