
Unlock TCP Secrets: Visualizing Handshakes and Retransmissions with Wireshark & tcpdump

This guide walks you through building test environments, capturing packets with tcpdump, visualizing them in Wireshark, and dissecting TCP features such as three‑way handshake, retransmission timers, fast open, flow control, Nagle algorithm and delayed ACKs, while showing the exact Linux kernel parameters that control each behavior.

Liangxu Linux

Why Network Packets Appear Invisible

When studying computer networks, packet exchanges are invisible to the naked eye, making concepts feel abstract. Using tcpdump (command‑line) together with Wireshark (graphical) turns these invisible packets into clear, analyzable data.

Capturing ICMP Ping Packets with tcpdump

To capture only ICMP echo requests/replies, run:

tcpdump -i eth0 -nn -s 0 icmp and host 192.168.1.1

The resulting .pcap file can be opened in Wireshark, where the packet list shows the ICMP echo request and the corresponding ICMP echo reply with incrementing seq numbers.

Key tcpdump Options

Use -i to select the interface.

Use -nn to avoid name resolution.

Filter expressions (e.g., icmp and host 183.232.231.174) limit captured traffic.

Because tcpdump’s output is not human‑friendly, the capture is usually saved as a .pcap file and analyzed later with Wireshark.

Analyzing HTTP Traffic and TCP Handshake

Capture traffic on a server (e.g., http://192.168.3.200) with:

tcpdump -i eth0 -w http.pcap port 80

Wireshark then displays the three‑way handshake packets, the HTTP request/response, and the four‑way termination packets. The Statistics → Flow Graph view can plot the entire TCP flow.

Understanding Retransmission Timers (RTO)

When a SYN packet is lost, Linux retransmits it with an exponentially growing RTO: each interval is double the previous one, so in a capture the retransmitted SYNs appear at roughly 1 s, 3 s, 7 s, 15 s and 31 s after the original. The maximum number of SYN retransmissions is controlled by /proc/sys/net/ipv4/tcp_syn_retries (default 5). Changing the value:

echo 2 > /proc/sys/net/ipv4/tcp_syn_retries

limits the retransmissions to two attempts, which can be verified by re‑capturing the traffic.

Second‑Handshake Loss (SYN‑ACK)

When the server’s SYN‑ACK is dropped, both client and server retransmit. The server’s limit is tcp_synack_retries (default 5). Adjusting it with:

echo 2 > /proc/sys/net/ipv4/tcp_synack_retries

shows only two server retransmissions in the capture.

Third‑Handshake Loss (ACK)

If the client’s ACK is lost, the server stays in SYN_RECV state, repeatedly retransmitting SYN‑ACK until tcp_synack_retries is exceeded, after which the connection is aborted. The client remains in ESTABLISHED and continues to retransmit its data packets up to tcp_retries2 (default 15).
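The retransmission behaviour described in the three handshake‑loss sections above can be checked without Wireshark by parsing raw TCP headers. The following Python is an added example, not code from the original article or its author. It constructs a small stand‑in "capture" (a client whose SYN is lost five times before the server answers; the timestamps, ports and sequence numbers are made up), parses each 20‑byte TCP header with struct, labels handshake segments the way Wireshark does, detects retransmissions as repeats of the same (ports, seq, kind) tuple, and compares the observed intervals with the schedule implied by tcp_syn_retries.

```python
import struct
from dataclasses import dataclass

# TCP flag bits in the header's flags field (RFC 793 layout).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class Segment:
    ts: float          # capture timestamp in seconds
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int

    def kind(self) -> str:
        """Label the segment the way a handshake is usually annotated."""
        if self.flags & SYN and self.flags & ACK:
            return "SYN-ACK"
        if self.flags & SYN:
            return "SYN"
        if self.flags & ACK:
            return "ACK"
        return "other"


def parse_tcp_header(ts: float, raw: bytes) -> Segment:
    """Parse the fixed part of a TCP header (the bytes that follow the IP header)."""
    src, dst, seq, ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    return Segment(ts, src, dst, seq, ack, off_flags & 0x01FF)


def build_tcp_header(src, dst, seq, ack, flags, window=65535) -> bytes:
    """Constructed test data: minimal header, data offset 5 words, no options."""
    data_offset = 5 << 12
    return struct.pack("!HHIIHHHH", src, dst, seq, ack, data_offset | flags, window, 0, 0)


def expected_syn_schedule(syn_retries: int, initial_rto: float = 1.0):
    """Cumulative times (s) at which retransmitted SYNs are expected for a given
    tcp_syn_retries, plus the time at which connect() gives up. RTO doubles each try."""
    times, t, rto = [], 0.0, initial_rto
    for _ in range(syn_retries):
        t += rto
        times.append(t)
        rto *= 2
    return times, t + rto


def find_retransmissions(segments):
    """A segment repeating an earlier (src, dst, seq, kind) tuple is a retransmission."""
    seen = {}
    for s in segments:
        seen.setdefault((s.src_port, s.dst_port, s.seq, s.kind()), []).append(s.ts)
    return {k: v for k, v in seen.items() if len(v) > 1}


def intervals(timestamps):
    return [round(b - a, 3) for a, b in zip(timestamps, timestamps[1:])]


def matches_schedule(timestamps, syn_retries, tol=0.5):
    """True if the observed SYN timestamps follow the tcp_syn_retries schedule."""
    expected, _ = expected_syn_schedule(syn_retries)
    rel = [t - timestamps[0] for t in timestamps[1:]]
    return len(rel) == len(expected) and all(abs(a - b) <= tol for a, b in zip(rel, expected))


def constructed_capture():
    """Constructed capture: client SYN lost five times (tcp_syn_retries = 5),
    then the server finally answers and the handshake completes."""
    client, server, isn = 40001, 80, 1000
    pkts = [(t, build_tcp_header(client, server, isn, 0, SYN))
            for t in (0.0, 1.0, 3.0, 7.0, 15.0, 31.0)]
    pkts.append((31.02, build_tcp_header(server, client, 5000, isn + 1, SYN | ACK)))
    pkts.append((31.03, build_tcp_header(client, server, isn + 1, 5001, ACK)))
    return pkts


def analyse(pkts):
    """Return per-kind retransmission counts, gaps and raw timestamps."""
    segs = [parse_tcp_header(ts, raw) for ts, raw in pkts]
    report = {}
    for (_, _, _, kind), times in find_retransmissions(segs).items():
        report[kind] = {"count": len(times) - 1, "intervals": intervals(times), "times": times}
    return report


if __name__ == "__main__":
    rep = analyse(constructed_capture())
    print(rep["SYN"]["count"], "SYN retransmissions, gaps:", rep["SYN"]["intervals"])
    print("consistent with tcp_syn_retries=5:", matches_schedule(rep["SYN"]["times"], 5))
```

The repeat‑tuple heuristic is deliberately simpler than Wireshark's "TCP Retransmission" analysis, which also tracks the next expected sequence number; it is enough to spot repeated SYNs and SYN‑ACKs and to confirm the doubling gaps (1, 2, 4, 8, 16 s) that a lowered tcp_syn_retries should cut short.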

TCP Fast Open

Linux kernel parameter net.ipv4.tcp_fastopen enables Fast Open (0 = off, 1 = client, 2 = server, 3 = both). With Fast Open, the client can embed a cookie in the SYN, reducing the handshake for subsequent connections to a single RTT.

Fast Retransmit and Selective Acknowledgment (SACK)

When three duplicate ACKs are received, the sender triggers fast retransmit. Enabling SACK (via net.ipv4.tcp_sack) allows the receiver to inform the sender exactly which segment is missing, avoiding unnecessary retransmissions.

TCP Flow Control and Zero‑Window

The receiver advertises a window size in each ACK. If the buffer fills, the window becomes zero, pausing the sender. The sender then sends zero‑window probes (driven by the persist timer); the probe interval doubles (3.4 s, 6.8 s, 13.5 s, …) until the window reopens.

Nagle Algorithm and Delayed ACK

Nagle holds back small segments while earlier data is still unacknowledged, sending them once an ACK arrives or the buffered data reaches the MSS. Delayed ACK holds ACKs for up to 200 ms (or as low as 40 ms) to combine them with outgoing data. When both are enabled, latency can increase dramatically; disabling Nagle (TCP_NODELAY) or delayed ACK (TCP_QUICKACK) resolves the issue.
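The two socket options named above can be exercised on a loopback connection. The following Python is an added example, not code from the original article: it sets up a constructed echo peer on 127.0.0.1, sends a request as two small writes (the write‑write‑read pattern in which Nagle and delayed ACK interact badly), optionally disables Nagle on the client with TCP_NODELAY and delayed ACK on the receiver with TCP_QUICKACK, and reads the option back from the kernel. The request bytes and the echo behaviour are constructed for the demo.

```python
import socket
import threading
import time

# TCP_QUICKACK exists only on Linux; elsewhere just TCP_NODELAY is demonstrated.
TCP_QUICKACK = getattr(socket, "TCP_QUICKACK", None)


def set_nodelay(sock, on=True):
    """on=True disables Nagle so small writes leave immediately."""
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1 if on else 0)


def set_quickack(sock, on=True):
    """on=True asks the kernel to ACK now rather than delay. The flag is not
    permanent, so receivers usually re-apply it after each recv()."""
    if TCP_QUICKACK is not None:
        sock.setsockopt(socket.IPPROTO_TCP, TCP_QUICKACK, 1 if on else 0)


def nodelay_state(sock) -> int:
    """Read back what the kernel reports for TCP_NODELAY (0 or 1)."""
    return sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY)


def _serve_one(listener, quickack):
    """Constructed peer: read one request up to the blank line, then echo it."""
    conn, _ = listener.accept()
    with conn:
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = conn.recv(1024)
            if not chunk:
                break
            if quickack:
                set_quickack(conn)   # receiver side: ACK this chunk promptly
            buf += chunk
        conn.sendall(buf)


def write_write_read(nodelay: bool, quickack: bool):
    """Two small writes followed by a read. Returns (TCP_NODELAY as read back,
    bytes echoed by the peer, elapsed milliseconds)."""
    request = b"GET / HTTP/1.0\r\n\r\n"
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    worker = threading.Thread(target=_serve_one, args=(listener, quickack))
    worker.start()
    start = time.monotonic()
    with socket.create_connection(listener.getsockname()) as client:
        set_nodelay(client, nodelay)
        client.sendall(request[:6])   # "GET / " goes out at once
        client.sendall(request[6:])   # with Nagle on, held until the first ACK
        flag = nodelay_state(client)
        reply = b""
        while len(reply) < len(request):
            chunk = client.recv(1024)
            if not chunk:
                break
            reply += chunk
    worker.join()
    listener.close()
    return flag, reply, round((time.monotonic() - start) * 1000, 1)


if __name__ == "__main__":
    for nd in (False, True):
        for qa in (False, True):
            flag, reply, ms = write_write_read(nd, qa)
            print(f"TCP_NODELAY={flag} receiver quickack={qa}: {len(reply)} bytes in {ms} ms")
```

On a Linux loopback the run with Nagle left on and no quickack on the receiver is the one that shows a stall of roughly one delayed‑ACK timer; either fix on its own removes it, which is the "resolves the issue" statement above made measurable.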

Key Linux Kernel Parameters

tcp_syn_retries – max SYN retransmissions (default 5).

tcp_synack_retries – max SYN‑ACK retransmissions (default 5).

tcp_retries2 – max data‑segment retransmissions after connection establishment (default 15).

net.ipv4.tcp_keepalive_time – idle time before keep‑alive probes (7200 s).

net.ipv4.tcp_keepalive_intvl – interval between probes (75 s).

net.ipv4.tcp_keepalive_probes – number of probes before giving up (9).

Understanding these parameters helps diagnose why connections stall, why retransmissions occur, and how to tune the system for better performance.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: TCP, Linux, network analysis, Packet Capture, Wireshark, tcpdump, retransmission, TCP Fast Open

Written by Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
