Skip to content

How to identify TCP Three-way Handshake in Wireshark? 


First, start with capturing the packets from the device it could be Windows/Linux or any other Vendor Appliance like Load Balancers(F5. A10), Firewalls (Checkpoint, PaloAlto etc.), they all have different methods to capture the traffic follow the vendor-specific Knowledge article.

Once you have the capture desired traffic captured(.pcap – Wireshark supported format), open the .pcap file in Wireshark


Here is the example of a TCP 3-way handshake, you can see the first packet is SYN from the source machine to google which is the destination,

Google then replied back with SYN, ACK which means hey ya!, I got your request & the third is Source machine to Google which is ACK, which means Ok I got the packet. This is TCP 3-way handshake now if you look at the image and see furthermore there are 3 more packets which are FIN, ACK which means both source/destination agrees with each other to close the connection & the source machine replied back with ACK stating the connection is closed.


This is the basics of TCP 3-way handshake, feel free to ask any question in the comment section of this article. I will be sharing more Wireshark filters in upcoming posts.

Leave a Reply

Your email address will not be published.