strange behaviour in TCP-Connect-Handshake

Post by Oliver Jo » Sat, 03 Aug 2002 20:40:05


We have found something strange in TCP-Connect-Handshake. Here is the
tcpdump of a connect:

12:41:27.997216 eth0 < > S
1550641618:1550641618(0) win 5840 <mss 1460,sackOK,timestamp 646924298
0,nop,wscale 0> (DF)

12:41:27.997243 eth0 > > .
281850:281850(0) ack 124 win 32120 <nop,nop,timestamp 88850 648121803>

12:41:27.998085 eth0 < > R
1438731713:1438731713(0) win 0 (DF)

sends the syn-packet to, and answers
with an ack-packet, but without the syn-flag set. I thought this might be
violating the TCP-protocol. It happens 3 to 4 times per second on a
Squid-Server with lots of requests (100-200 per second). We use the
2.4.18-kernel. We have tried a 2.2.20-kernel and it worked normally.

What could be the problem?

many thanks


Dipl. Inf. (FH) Oliver Joa
senior IT-architect

Gatrixx NetSolutions GmbH
Karl-Goetz-Strasse 5
97424 Schweinfurt
Fon +49 9721 797 420
Fax +49 9383 999-58
Mobil +49 160 47874 62


1. TCP connect handshake


I am implementing TCP connection functionality for my own embedded
system. I am trying to connect to a listening program on Linux and
capture network traffic with the Ethereal network analyzer.
Note: Ethereal runs on the same Linux machine to which I am trying to
connect.

What I see is really strange.

Sequence of events is the following ("device" means my system):

device -> ARP request: who has the Linux machine's IP address
Linux -> ARP response: I have it
device -> SYN to Linux's IP address
Linux -> SYN+ACK to device's IP address
device -> ACK to Linux's IP address
Delay of 4.2 seconds
Linux -> SYN+ACK to device's IP address (packet identical to the
previous SYN+ACK)
device -> ACK to Linux's IP address (analyzer says: TCP segment lost)
Linux -> ARP request: who has device's IP address
device -> ARP response: I have it
Linux -> SYN+ACK to device's IP address (packet identical to the
previous SYN+ACK)
device -> ACK to Linux's IP address
and so on.

As strange as it sounds, it looks like Ethereal sees the ACK that my
system sends to SYN+ACK, but Linux's TCP layer doesn't (???). Even
more strange, that was after Linux did see the first SYN that I sent.
Packets are formed correctly, and the checksum is correct.

I tried to connect to the same Linux machine from a Windows program
and captured the dump. It succeeded normally after SYN/SYN+ACK/ACK;
packets that Windows sent were identical to what I sent except for
different ISN, window size and obviously the checksum.

Did anybody encounter such a behavior with any system connecting to
Linux? Any idea what can go wrong?

I can send the pcap dump.
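
As an added example (not part of either post above), this Python sketch classifies a connection attempt from old-style tcpdump text lines and separates the two patterns the posts describe: a SYN answered by an ACK without the SYN flag and then reset, and a SYN+ACK retransmitted after the client's ACK. The traces, the host names `client` and `server`, and the label strings are constructed for illustration.

```python
import re

# Old-style tcpdump text: "<time> <src> > <dst>: <flags> ..."; "." means bare ACK.
LINE = re.compile(r"^\S+ (\S+) > (\S+): ([SFPR]+|\.) (.*)$")

def parse(line):
    """Return (src, flags, has_ack) for one trace line, or None."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    src, _dst, flags, rest = m.groups()
    return src, flags.replace(".", ""), flags == "." or bool(re.search(r"\back \d+", rest))

def classify(lines, client, server):
    """Label the connection attempt from client to server in a trace."""
    syn = bare_ack = reset = final_ack = False
    synacks = 0
    for src, flags, has_ack in filter(None, map(parse, lines)):
        if src == client and flags == "S" and not has_ack:
            syn = True
        elif not syn:
            continue                 # ignore traffic before the first SYN
        elif src == server and "S" in flags and has_ack:
            synacks += 1             # SYN+ACK; counted to spot retransmits
        elif src == server and flags == "" and has_ack and synacks == 0:
            bare_ack = True          # SYN answered without the SYN flag
        elif src == client and "R" in flags and bare_ack:
            reset = True             # client rejects the unexpected ACK
        elif src == client and flags == "" and has_ack and synacks:
            final_ack = True         # third step of the handshake
    if bare_ack:
        return "bare-ack-then-reset" if reset else "bare-ack-reply"
    if synacks > 1:
        return "synack-retransmitted"
    return "established" if synacks == 1 and final_ack else "incomplete"

# Constructed traces; "client" and "server" are placeholder host names.
FIRST_POST = [
    "12:00:00.000001 client > server: S 1000:1000(0) win 5840 <mss 1460>",
    "12:00:00.000030 server > client: . 5000:5000(0) ack 124 win 32120",
    "12:00:00.000900 client > server: R 2000:2000(0) win 0",
]
SECOND_POST = [
    "12:00:00.000001 client > server: S 1000:1000(0) win 5840",
    "12:00:00.000200 server > client: S 7000:7000(0) ack 1001 win 5792",
    "12:00:00.000400 client > server: . ack 7001 win 5840",
    "12:00:04.200000 server > client: S 7000:7000(0) ack 1001 win 5792",
]
```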

