scott at doc.net.au
Fri Apr 29 04:33:08 UTC 2011
On Thu, Apr 28, 2011 at 8:40 PM, Joe Renwick <joe at gonetforward.com> wrote:
> Packet "1" is Syn from MySQL client to Server
> Packet "2" is Syn/Ack from Server
> Packet "3" is a TCP Push! ??? HERE IS WHERE I AM CONFUSED
The "Push" is a red herring here. Push is an historic flag that is (almost)
always ignored nowadays, but for historic reasons almost every TCP packet
has it set.
So packet 3 isn't really a "Push" packet, but it IS a data packet:
3: 21:49:13.462210 184.108.40.206.3306 > 220.127.116.11.32929: P
2601320300:2601320363(63) ack 4107544001 win 46 <nop,nop,timestamp
The "(63)" means the packet has 63 bytes of data in it. So if there's
something strange happening here, it's that the server is sending a data
packet before it gets the 3rd packet in the 3-way handshake.
Whilst that's definitely strange, it's probably legal. It's definitely
legal to include data in the SYN-ACK packet itself (and even, I think, in
the initial SYN packet!) although I've never seen anything that implements
In this case, the data isn't in the SYN-ACK itself but in a packet following
it. I'm not sure if that's legal or not, but I can't see why it wouldn't be.
> My firewall is dropping packet "3" as it is not happy there is a push going
> on before it sees the completed handshake.
Not at all surprising. Most firewalls will drop anything that's even
slightly unexpected, and this would certainly fit into that category - even
if it's legal.
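
Added example, not part of the original message: a minimal Python sketch of the handshake tracking a strict stateful firewall performs, flagging any payload that arrives before the client's final ACK. The capture lines are constructed (documentation addresses, invented timestamps) and modelled on packet 3 above; the function and variable names are hypothetical.

```python
import re

# Old-style tcpdump text: "time src.port > dst.port: FLAGS [seq:seq(len)] [ack N] ..."
LINE = re.compile(
    r"^\S+ (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRPWE.]+)"
    r"(?: \d+:\d+\((?P<len>\d+)\))?(?P<ack> ack \d+)?"
)

# Constructed capture: SYN, SYN/ACK, server data before the 3rd handshake
# packet, the client's late ACK, then ordinary client data.
C, S = "198.51.100.20.32929", "192.0.2.10.3306"
SAMPLE = [
    f"21:49:13.400000 {C} > {S}: S 4107544000:4107544000(0) win 5840",
    f"21:49:13.430000 {S} > {C}: S 2601320299:2601320299(0) ack 4107544001 win 5792",
    f"21:49:13.462210 {S} > {C}: P 2601320300:2601320363(63) ack 4107544001 win 46",
    f"21:49:13.470000 {C} > {S}: . ack 2601320363 win 46",
    f"21:49:13.480000 {C} > {S}: P 4107544001:4107544021(20) ack 2601320363 win 46",
]

def early_data(lines):
    """Return (line_no, src, nbytes) for payload seen before the handshake completes."""
    state = {}  # frozenset({endpoint_a, endpoint_b}) -> (stage, client endpoint)
    findings = []
    for no, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m:
            continue  # not a TCP line in the expected format
        src, dst, flags = m["src"], m["dst"], m["flags"]
        nbytes = int(m["len"] or 0)
        syn, has_ack = "S" in flags, m["ack"] is not None
        key = frozenset((src, dst))
        stage, client = state.get(key, (None, None))
        if syn and not has_ack:                       # packet 1: SYN
            state[key] = ("SYN_SEEN", src)
        elif syn and has_ack and stage == "SYN_SEEN" and dst == client:
            state[key] = ("SYNACK_SEEN", client)      # packet 2: SYN/ACK
        elif stage == "SYNACK_SEEN" and src == client and has_ack:
            state[key] = ("ESTABLISHED", client)      # client's final ACK
        # Payload on a flow that is not yet established is what gets dropped.
        if nbytes and state.get(key, (None, None))[0] != "ESTABLISHED":
            findings.append((no, src, nbytes))
    return findings

if __name__ == "__main__":
    for no, src, nbytes in early_data(SAMPLE):
        print(f"line {no}: {nbytes} bytes from {src} before handshake completed")
```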