
Not all SYN packets shown

0

Hi,

When I start a valid TCP session, I see the expected SYN, SYN/ACK, ACK, PSH/ACK, ACK, FIN/ACK, ACK packets. When I try to start a TCP session to a non-existing IP address, no packets at all are shown. Shouldn't there be a SYN packet that is never answered? How can I make sure that I do not miss such a packet?

Thanks in advance,

Remco Poelstra

asked 20 Dec '10, 06:55

Remco Poelstra


One Answer:

3

If you start a TCP session to a non-existing IP address in the locally connected subnet, your system will do an ARP request to find the MAC address for the requested IP address. However, no system will answer the ARP request, so no SYN packet can be sent.

If you start the TCP session to a non-existing IP address in a remote subnet, you should be able to see the SYN packet. But only if the routing table on your system knows a route to the IP address (the default gateway if no specific route is configured). You will only see the SYN if you capture on the interface to which the (default) route points.

answered 20 Dec '10, 07:24

SYN-bit ♦♦

Thanks for your answer. This makes my problem more interesting. I don't know whether this is the right place to ask, but you people seem to know a lot about TCP :). I've a device (small embedded microcontroller) that sometimes doesn't respond to TCP connections. Given your answer I verified that an ARP request is sent and it's answered by the device. For some reason, the answer is not followed by a SYN packet. Why could that be? I also noticed that at the moments that the TCP connection is accepted, there is no preceding ARP, so the system probably already knows where the small device lives. My computer is a Mac running the iPhone simulator, if that might help.

Many thanks.

Kind regards,

Remco Poelstra

(21 Dec '10, 00:41) Remco Poelstra

OK, so you start the TCP session from the iPhone simulator to the embedded microcontroller (Hmmm... nice, you must be working on an interesting project :-)).

Does it work when you immediately try another session after the one that fails? If it fails consistently for a while, does a session from the Mac itself work?

Can you check the ARP table on the iPhone simulator to see whether it has received the ARP reply?

Is the iPhone simulator "bridged" to your Mac's ethernet adapter?

(21 Dec '10, 00:57) SYN-bit ♦♦
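
The rule described in the answer above (route lookup, then ARP for the next hop, then the SYN), written out as an added example that is not part of the original thread. It is a simplified model of a sending host, and the routing table, interface names and addresses are constructed sample values.

```python
import ipaddress

# Constructed sample data: (destination network, gateway or None if on-link, interface)
ROUTES = [
    ("192.168.1.0/24", None, "en0"),
    ("10.0.0.0/24", None, "en1"),
    ("0.0.0.0/0", "192.168.1.1", "en0"),   # default route
]
# Constructed: hosts that exist on the local links and answer ARP
RESPONDERS = {"192.168.1.1", "192.168.1.20"}


def expected_on_wire(dst, routes, responders, arp_cache=frozenset()):
    """Predict which frames a capture shows for a TCP connect() to dst.

    Returns (interface, frames). interface is None when no route matches,
    in which case nothing is sent on any interface.
    """
    dst_ip = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_network(n), gw, ifc) for n, gw, ifc in routes]
    candidates = [c for c in candidates if dst_ip in c[0]]
    if not candidates:
        return None, []
    # Longest-prefix match picks the route, and with it the capture interface.
    _, gateway, iface = max(candidates, key=lambda c: c[0].prefixlen)
    # On-link destinations are resolved directly, remote ones via the gateway.
    next_hop = gateway or dst
    frames = []
    if next_hop not in arp_cache:
        frames.append(f"ARP who-has {next_hop}")
        if next_hop not in responders:
            return iface, frames          # unresolved: the SYN is never sent
        frames.append(f"ARP reply from {next_hop}")
    frames.append(f"TCP SYN to {dst}")
    return iface, frames


if __name__ == "__main__":
    for target in ("192.168.1.77", "192.168.1.20", "203.0.113.9"):
        print(target, expected_on_wire(target, ROUTES, RESPONDERS))
```

A destination whose next hop is already in the ARP cache produces a SYN with no preceding ARP exchange, which matches the observation in the comments that successful connections showed no ARP.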