MySQL Madness

Scott Howard scott at
Fri Apr 29 04:33:08 UTC 2011

On Thu, Apr 28, 2011 at 8:40 PM, Joe Renwick <joe at> wrote:

> Packet "1" is Syn from MySQL client to Server
> Packet "2" is Syn/Ack from Server
> Packet "3" is a TCP Push!  ??? HERE IS WHERE I AM CONFUSED

The "Push" is a red herring here.  Push is an historic flag that is (almost)
always ignored now days, but for historic reasons almost every TCP packet
has it set.

So packet 3 isn't really a "Push" packet, but it IS a data packet :
 3: 21:49:13.462210 > P
2601320300:2601320363(63) ack 4107544001 win 46 <nop,nop,timestamp
2581054349 2065216038>

The "(63)" means the packet has 63 bytes of data in it.  So if there's
something strange happening here, it's that the server is sending a data
packet before it gets the 3rd packet in the 3-way handshake.

Whilst that's definitely strange, it's probably legal.  It's definitely
legal to include data in the SYN-ACK packet itself (and even, I think, in
the initial SYN packet!) although I've never seen anything that implements

In this case, the data isn't in the SYN-ACK itself but in a packet following
it. I'm not sure if that's legal or not, but I can't see why it wouldn't be.

My firewall is dropping packet "3" as it is not happy there is a push going
> on before it sees the completed handshake.

Not at all surprising.  Most firewalls will drop anything that's even
slightly unexpected, and this would certainly fit into that category - even
if it's legal.


More information about the NANOG mailing list