On Thu, Apr 28, 2011 at 8:40 PM, Joe Renwick <joe@gonetforward.com> wrote:
> Packet "1" is Syn from MySQL client to Server
> Packet "2" is Syn/Ack from Server
> Packet "3" is a TCP Push! ??? HERE IS WHERE I AM CONFUSED

The "Push" is a red herring here. Push is an historic flag that is (almost) always ignored nowadays, but for historic reasons almost every TCP packet has it set. So packet 3 isn't really a "Push" packet, but it IS a data packet:

3: 21:49:13.462210 74.81.76.195.3306 > 8.25.42.100.32929: P 2601320300:2601320363(63) ack 4107544001 win 46 <nop,nop,timestamp 2581054349 2065216038>

The "(63)" means the packet has 63 bytes of data in it. So if there's something strange happening here, it's that the server is sending a data packet before it gets the 3rd packet in the 3-way handshake. Whilst that's definitely strange, it's probably legal. It's definitely legal to include data in the SYN-ACK packet itself (and even, I think, in the initial SYN packet!) although I've never seen anything that implements that. In this case, the data isn't in the SYN-ACK itself but in a packet following it. I'm not sure if that's legal or not, but I can't see why it wouldn't be.

> My firewall is dropping packet "3" as it is not happy there is a push going
> on before it sees the completed handshake.

Not at all surprising. Most firewalls will drop anything that's even slightly unexpected, and this would certainly fit into that category - even if it's legal.

Scott.
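
An added example, not part of the original thread: a small Python tracker that applies the rule the firewall is described as applying, flagging any payload-bearing segment seen before the handshake's final ACK. It assumes old-style tcpdump text output; packets 1 and 2, the final ACK line and their timestamps are constructed to be consistent with packet 3 as quoted above.

```python
import re

# Old-style tcpdump text: "<time> <src> > <dst>: <flags> [<seq>:<end>(<len>)] [ack <n>] ..."
LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPRWE.]+)"
    r"(?: \d+:\d+\((?P<len>\d+)\))?(?: ack (?P<ack>\d+))?"
)

def parse(line):
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    p = m.groupdict()
    p["len"] = int(p["len"] or 0)
    return p

def early_data(lines):
    """Return (time, sender, payload bytes) for data seen before the handshake's final ACK."""
    conns = {}      # frozenset({endpoint_a, endpoint_b}) -> [stage, client endpoint]
    findings = []
    for line in lines:
        p = parse(line)
        key = frozenset((p["src"], p["dst"]))
        syn, acked = "S" in p["flags"], p["ack"] is not None
        if syn and not acked:
            conns[key] = ["SYN_SEEN", p["src"]]      # sender of the bare SYN is the client
        conn = conns.get(key)
        if conn is None:
            continue                                 # capture began mid-connection
        if syn and acked:
            conn[0] = "SYN_ACK_SEEN"
        elif conn[0] == "SYN_ACK_SEEN" and acked and p["src"] == conn[1]:
            conn[0] = "ESTABLISHED"                  # client's ACK completes the handshake
        if conn[0] != "ESTABLISHED" and p["len"] > 0:
            findings.append((p["ts"], p["src"], p["len"]))
    return findings

# Packets 1 and 2 are constructed to match packet 3, which is the line quoted in the thread.
PKT1 = "21:49:13.400000 8.25.42.100.32929 > 74.81.76.195.3306: S 4107544000:4107544000(0) win 5840"
PKT2 = "21:49:13.462100 74.81.76.195.3306 > 8.25.42.100.32929: S 2601320299:2601320299(0) ack 4107544001 win 5792"
PKT3 = ("21:49:13.462210 74.81.76.195.3306 > 8.25.42.100.32929: P 2601320300:2601320363(63) "
        "ack 4107544001 win 46 <nop,nop,timestamp 2581054349 2065216038>")
# Constructed: the client's handshake ACK, as it would look had it been seen before packet 3.
FINAL_ACK = "21:49:13.462150 8.25.42.100.32929 > 74.81.76.195.3306: . ack 2601320300 win 46"

if __name__ == "__main__":
    print(early_data([PKT1, PKT2, PKT3]))             # flagged: data before final ACK
    print(early_data([PKT1, PKT2, FINAL_ACK, PKT3]))  # not flagged
```

Running the same check over a capture taken on each side of the firewall shows whether the client's ACK is missing from the trace or merely arrives after the server's first data segment.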