3-way handshake
Just to revise, the 3-way handshake is the mandatory process that TCP uses to establish a connection between two endpoints before any data is exchanged.
The following output is part of a TCP 3-way handshake captured with tcpdump:
root@mykplabs:~$ sudo tcpdump -i wlan0 host 139.162.21.95
20:34:10.082148 IP 10.10.0.210.52251 > 139.162.21.95.80: Flags [S], seq 3508972439, win 29200, options [mss 1460,sackOK,TS val 4720684 ecr 0,nop,wscale 7], length 0
20:34:10.175930 IP 139.162.21.95.80 > 10.10.0.210.52251: Flags [S.], seq 1849891626, ack 3508972440, win 28960, options [mss 1326,sackOK,TS val 3482350049 ecr 4720684,nop,wscale 7], length 0
20:34:10.176028 IP 10.10.0.210.52251 > 139.162.21.95.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 4720707 ecr 3482350049], length 0
In the preceding output, we can see that the first packet has the [S] flag set, which means SYN. It also contains the source IP, 10.10.0.210, and the destination IP, 139.162.21.95, followed by the destination port, 80. The second packet, sent back by the server with [S.], is the SYN-ACK, and the third packet with [.] is the client's ACK that completes the handshake.
At this point, the request will first reach the firewall. The firewall checks these values (source and destination addresses, destination port, and TCP flags) against its rule table to decide whether the packet is allowed or denied, and acts on that decision.
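To make the inspection concrete, here is an added example (not from the book) that parses the three tcpdump lines above, pulls out the fields a firewall looks at, and applies a small constructed rule table: only a pure SYN from 10.10.0.0/16 to port 80 may open a connection, and later packets pass only if they belong to a connection the firewall already admitted. The rule table, the network ranges and the trimmed capture lines are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample: the handshake shown above, with TCP options trimmed.
CAPTURE = """\
20:34:10.082148 IP 10.10.0.210.52251 > 139.162.21.95.80: Flags [S], seq 3508972439, win 29200, length 0
20:34:10.175930 IP 139.162.21.95.80 > 10.10.0.210.52251: Flags [S.], seq 1849891626, ack 3508972440, win 28960, length 0
20:34:10.176028 IP 10.10.0.210.52251 > 139.162.21.95.80: Flags [.], ack 1, win 229, length 0
"""

# Matches the tcpdump header: timestamp, src.port > dst.port: Flags [..]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(line):
    """Extract the header fields a firewall inspects; None if the line is not TCP/IP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    return pkt

# Constructed rule table: (source net, destination net, destination port, action), first match wins.
RULES = [(ipaddress.ip_network("10.10.0.0/16"), ipaddress.ip_network("0.0.0.0/0"), 80, "ALLOW")]
DEFAULT_ACTION = "DROP"

def decide(pkt, state):
    """Return ALLOW/DROP for one packet; `state` holds 4-tuples of admitted connections."""
    flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if flow in state or reverse in state:      # SYN-ACK and ACK of an admitted handshake
        return "ALLOW"
    if pkt["flags"] != "S":                     # only a pure SYN may open a new connection
        return "DROP"
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for src_net, dst_net, port, action in RULES:
        if src in src_net and dst in dst_net and pkt["dport"] == port:
            if action == "ALLOW":
                state.add(flow)                 # remember the connection for later packets
            return action
    return DEFAULT_ACTION

def run(capture):
    """Evaluate every parsable line of a capture in order, returning one verdict per packet."""
    state = set()
    return [decide(p, state) for p in map(parse_line, capture.splitlines()) if p]
```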
Now that we understand the basics of a firewall and how it reads these fields from packets, we can go on to look at firewalls in more detail.