
I'm writing a simple program to calculate initial RTTs from a network capture I took using Wireshark. To do this I want to calculate the difference in time between the SYN and the SYN/ACK. I don't know much about locating these in my trace; I was gonna parse for SYNs that immediately have SYN/ACKs in the next line. But I was wondering if it's possible that other TCP data could be on the next line, thus ruining my plan? If so, how do I find the corresponding SYN/ACK to a SYN? Thanks for any help.

Daniel Kobe

1 Answer

I think other TCP data could be on the next line. For example:

  • If the network device opens two concurrent connections, the line that follows the SYN may show a TCP packet from the other stream.

  • If a congested router in the network path drops the initial SYN packet, the capture file may present two or more consecutive SYN packets related to the same connection.

I suggest the following algorithm:

  1. Find a TCP packet P2 whose SYN and ACK flags are set. P2.ack, P2.dst and P2.src will be the acknowledge number, destination port and source port, respectively.

  2. Search backwards for a TCP packet P1 whose:

    2.1. Source port matches P2.dst AND

    2.2. Destination port matches P2.src AND

    2.3. Sequence number matches P2.ack - 1 AND

    2.4. SYN flag is set AND

    2.5. ACK flag is not set

  3. RTT will be the time between the packets P1 and P2.

Consider comparing IP header data also. P1's source address must match P2's destination address and vice versa.

References: TCP segment structure ; Connection establishment
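The matching algorithm from the answer above, as an added example that is not part of the original post. The `Packet` class and its field names are an assumption standing in for whatever the capture export provides; the packet list is constructed to include both problem cases the answer mentions (an interleaved second connection and a dropped, retransmitted SYN), and the sequence-number check is done modulo 2^32 so it still works when the ISN wraps. Because the search runs backwards, a retransmitted SYN is matched against the retransmission, not the lost original.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    """One TCP segment as exported from a capture (hypothetical field names)."""
    ts: float        # capture timestamp in seconds
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    seq: int         # raw (not relative) sequence number
    ack: int         # raw acknowledgement number
    syn: bool
    ack_flag: bool

def find_matching_syn(packets: List[Packet], i: int) -> Optional[int]:
    """Search backwards from the SYN/ACK at index i for the SYN it answers (steps 2.1-2.5)."""
    p2 = packets[i]
    for j in range(i - 1, -1, -1):
        p1 = packets[j]
        if (p1.src_ip == p2.dst_ip and p1.dst_ip == p2.src_ip       # IP addresses swapped
                and p1.sport == p2.dport and p1.dport == p2.sport   # ports swapped
                and p1.seq == ((p2.ack - 1) & 0xFFFFFFFF)           # ack = ISN + 1, modulo 2^32
                and p1.syn and not p1.ack_flag):                    # SYN set, ACK clear
            return j
    return None

def initial_rtts(packets: List[Packet]) -> List[Tuple[int, int, float]]:
    """Return (syn_index, synack_index, rtt_seconds) for every SYN/ACK that has a matching SYN."""
    out = []
    for i, p2 in enumerate(packets):
        if p2.syn and p2.ack_flag:
            j = find_matching_syn(packets, i)
            if j is not None:               # SYN/ACKs without a SYN (capture started late) are skipped
                out.append((j, i, p2.ts - packets[j].ts))
    return out

# Constructed capture: two concurrent connections; the first SYN of connection A is dropped and retransmitted.
SAMPLE = [
    Packet(0.000, "10.0.0.1", "192.0.2.10", 40000, 443, 1000, 0, True, False),    # SYN, conn A (lost)
    Packet(0.001, "10.0.0.1", "192.0.2.10", 40001, 443, 5000, 0, True, False),    # SYN, conn B
    Packet(0.020, "192.0.2.10", "10.0.0.1", 443, 40001, 9000, 5001, True, True),  # SYN/ACK, conn B
    Packet(1.000, "10.0.0.1", "192.0.2.10", 40000, 443, 1000, 0, True, False),    # SYN retransmit, conn A
    Packet(1.025, "192.0.2.10", "10.0.0.1", 443, 40000, 7000, 1001, True, True),  # SYN/ACK, conn A
]

if __name__ == "__main__":
    for j, i, rtt in initial_rtts(SAMPLE):
        print(f"SYN #{j} -> SYN/ACK #{i}: RTT {rtt * 1000:.1f} ms")
```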