This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Strange timing in SSL handshake

0

Saw this pcap about an SSL handshake. The timing seems a little strange:

The time between TCP SYN and SYNACK is 91ms. But the time between CLIENT_HELLO and SERVER_HELLO is only 9ms.

Wonder what's the reason for that.

asked 04 Sep '15, 08:03

pktUser1001


One Answer:

0

The path is probably going through a firewall infrastructure.
When a SYN packet hits the firewall, it will cause a lookup in the filter rules database, create a connection entry in its stateful connection table, etc.
All this processing might be duplicated at the edges of the public network, so it is not surprising that the SYN packets are delayed as they are being inspected for security reasons.
Once the connection is set up, the packets just pass through an 'existing' connection and are simply routed, which certainly is faster...
Just a thought that might or might not be what is happening here ...

Regards Matthias

answered 04 Sep '15, 15:50

mrEEde

It makes sense. Wonder what's the best way to measure round-trip time from a pcap.

(04 Sep '15, 18:53) pktUser1001
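
Added example (not part of the original thread): one way to compare the SYN to SYN/ACK gap with the ClientHello to ServerHello gap per TCP stream, working from tshark field output. The sample rows are constructed to mirror the 91 ms and 9 ms figures in the question, plus a second constructed stream with a retransmitted SYN; the function and variable names are hypothetical.

```python
# Added example, not from the original thread. Input rows are what this
# tshark command prints (tab-separated); the sample values are constructed:
#   tshark -r capture.pcap -T fields -e tcp.stream -e frame.time_relative \
#          -e tcp.flags -e tls.handshake.type   (ssl.handshake.type on old builds)
SAMPLE = (
    "0\t0.000000\t0x0002\t\n"         # SYN
    "0\t0.091000\t0x0012\t\n"         # SYN/ACK
    "0\t0.091200\t0x0010\t\n"         # ACK
    "0\t0.092000\t0x0018\t1\n"        # ClientHello
    "0\t0.101000\t0x0018\t2,11,14\n"  # ServerHello, Certificate, ServerHelloDone
    "1\t0.500000\t0x0002\t\n"         # SYN
    "1\t1.500000\t0x0002\t\n"         # retransmitted SYN
    "1\t1.520000\t0x0012\t\n"         # SYN/ACK
)
SYN, ACK = 0x02, 0x10
HELLO = {"1": "client_hello", "2": "server_hello"}  # TLS handshake types

def handshake_deltas(text):
    """Per TCP stream: SYN->SYN/ACK and ClientHello->ServerHello gaps (s)."""
    first, syn_count = {}, {}
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 3 or not cols[2]:
            continue  # row without TCP fields
        stream, ts, flags = cols[0], float(cols[1]), int(cols[2], 16)
        # several handshake messages in one frame arrive comma-separated
        hs = cols[3].split(",") if len(cols) > 3 and cols[3] else []
        events = [name for code, name in HELLO.items() if code in hs]
        if flags & SYN:
            events.append("synack" if flags & ACK else "syn")
        for ev in events:
            first.setdefault((stream, ev), ts)  # keep first occurrence only
        if "syn" in events:
            syn_count[stream] = syn_count.get(stream, 0) + 1

    def gap(stream, a, b):
        if (stream, a) in first and (stream, b) in first:
            return round(first[stream, b] - first[stream, a], 6)
        return None  # one side of the pair is missing from the capture

    # A retransmitted SYN inflates the gap with the retransmission timer.
    return {s: {"syn_synack": gap(s, "syn", "synack"),
                "hello": gap(s, "client_hello", "server_hello"),
                "syn_retransmitted": n > 1}
            for s, n in syn_count.items()}

if __name__ == "__main__":
    for stream, deltas in handshake_deltas(SAMPLE).items():
        print(stream, deltas)
```

Both gaps include a full network round trip only when the capture was taken on the client side; in a capture taken near the server they mostly reflect server processing time.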