Wireshark-users: Re: [Wireshark-users] How to identify session setup / confirmation
On Mar 9, 2009, at 5:57 AM, Stringer, Rich (R.) wrote:
Hello All,
I am trying to analyze packets between two Microsoft Biztalk
servers. I am looking for two things.
1. 1st server requesting a session with the 2nd server.
2. Confirmation that the communication session is setup / ack'd.
This is the primary focus of my search.
3. 1st Biztalk sends an XML message to the 2nd Biztalk server.
4. 2nd Biztalk servers sends a response to the 1st Biztalk server
ack'ing that the message was received.
What are the packet characteristics that I should be looking for?
That depends on whether setting up a session is done purely at the
transport protocol layer or if Biztalk requires its *own* session
setup once a transport-layer session is set up.
What does the presence of the PSH, SYN, and ACK flags mean?
The presence of the TCP PSH flag means nothing in this context. (See
RFC 793 for a discussion of what it means.)
When setting up a TCP session:
the machine initiating the session sends to the machine with which
it's trying to initiate a session a packet with the SYN flag set;
if the machine receiving that packet is willing to set up the
connection, it acknowledges the SYN with a packet with ACK set, as
well as saying it's willing to accept the connection by setting the
SYN flag in that packet as well;
the machine receiving the SYN+ACK packet acknowledges the SYN with an
ACK.
See RFC 793 for a detailed discussion of setting up TCP connections.
Note that no XML messages are likely to be sent until the connection
is set up, so the SYN flag is independent of any Biztalk messages.
Once the connection is set up, the ACK flag is used to acknowledge
that, *at the transport layer*, TCP data has been received. The
Biztalk layer doesn't know anything about TCP-layer acknowledgments,
so, in the case of
3. 1st Biztalk sends an XML message to the 2nd Biztalk server.
4. 2nd Biztalk servers sends a response to the 1st Biztalk server
ack'ing that the message was received.
there could be two separate responses "ack'ing that the message was
received" - one could be an ACK at the TCP layer indicating that a TCP
segment containing some or all of the first XML message was received
(there is no guarantee that a single Biztalk message will be in a
single TCP segment), and, once all of the segments containing the XML
message have been received and the message is delivered to the Biztalk
server code, it might send a reply at the Biztalk layer saying that
the Biztalk XML message was received (I don't know how the Biztalk
protocols work, so I don't know if it would bother sending such an
acknowledgment or not).
