Hi All,

I am trying to understand the tcpdump output. The packets that I
am analyzing are from when a TCP connection is established at port 80.
The output is as follows:

[root@gdrd5 ~]# tcpdump -i eth0 host 172.16.5.129

tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:44:43.033353 IP 172.16.5.129.34459 > gdrd5.cdacecity.in.http: S
"" 2012082717:2012082717(0) win 5840 " 158479315 0,nop,wscale 2>
15:44:43.033401 IP gdrd5.cdacecity.in.http > 172.16.5.129.34459: S "
1067063448:1067063448(0) ack 2012082718 win 5792 " 1460,sackOK,timestamp 369354097 158479315,nop,wscale 2>
15:44:43.033511 IP 172.16.5.129.34459 > gdrd5.cdacecity.in.http: . ack
1 " win 1460 "
15:44:48.985256 IP 172.16.5.129.34459 > gdrd5.cdacecity.in.http: P
1:5(4) ack 1 win 1460
15:44:48.985314 IP gdrd5.cdacecity.in.http > 172.16.5.129.34459: . ack
5 win 1448


In the above output, a TCP connection was established at port 80.
The sender is 172.16.5.129 and the receiver is gdrd5.cdacecity.in.http.


Can somebody please interpret the meaning of the contents that are
within "" (inverted commas) in the above output, e.g.

"" 2012082717:2012082717(0) win 5840 "
" 1067063448:1067063448(0) ack 2012082718 win 5792 "
" win 1460 "

The following is my understanding. During the TCP connection phase, the
sender and receiver negotiate the window size. In this scenario, the
sender is advertising a window size of 5840 bytes and the receiver is
telling that it can use a window size of 5792 bytes. But the negotiated
window size is (in the third step, i.e. when the sender replies with the
ACK bit set) equal to 1460, which is the MSS value advertised by the
receiver.

Is this negotiation to the value of MSS (win 1460) according to the
TCP Slow Start algorithm for flow control,
i.e. the congestion window is negotiated to the receiver's segment
value according to RFC2001?

Please correct me if my understanding is wrong.
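
An added example, not part of the original post: a small parser for tcpdump lines in the old text format shown above. It records the `wscale` option each side sent in its SYN and applies it to the raw `win` value on later segments, as RFC 1323 window scaling specifies. The sample lines are constructed, modelled on the capture, with the SYN option lists written out as an assumption; the function name is hypothetical.

```python
import re

# Constructed sample, modelled on the capture in the post (old tcpdump text
# format). The <...> option lists are an assumption about what was printed.
SAMPLE = """\
15:44:43.033353 IP 172.16.5.129.34459 > gdrd5.cdacecity.in.http: S 2012082717:2012082717(0) win 5840 <mss 1460,sackOK,timestamp 158479315 0,nop,wscale 2>
15:44:43.033401 IP gdrd5.cdacecity.in.http > 172.16.5.129.34459: S 1067063448:1067063448(0) ack 2012082718 win 5792 <mss 1460,sackOK,timestamp 369354097 158479315,nop,wscale 2>
15:44:43.033511 IP 172.16.5.129.34459 > gdrd5.cdacecity.in.http: . ack 1 win 1460
15:44:48.985256 IP 172.16.5.129.34459 > gdrd5.cdacecity.in.http: P 1:5(4) ack 1 win 1460
15:44:48.985314 IP gdrd5.cdacecity.in.http > 172.16.5.129.34459: . ack 5 win 1448
"""

# timestamp, "IP", source, ">", destination followed by ":", flags, the rest
LINE = re.compile(r"^\S+ IP (\S+) > (\S+): (\S+) (.*)$")


def effective_windows(capture):
    """Return (sender, flags, raw_win, effective_win) for each parsed line."""
    scale = {}  # endpoint -> shift count offered in its SYN, None if absent
    rows = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip banners and anything that is not a TCP summary
        src, dst, flags, rest = m.groups()
        win = re.search(r"\bwin (\d+)", rest)
        if not win:
            continue
        raw = int(win.group(1))
        if "S" in flags:
            ws = re.search(r"\bwscale (\d+)", rest)
            scale[src] = int(ws.group(1)) if ws else None
            shift = 0  # the window field of a SYN segment is never scaled
        elif scale.get(src) is not None and scale.get(dst) is not None:
            shift = scale[src]  # both SYNs carried wscale, so scaling is on
        else:
            shift = 0  # handshake not seen, or one side did not offer wscale
        rows.append((src, flags, raw, raw << shift))
    return rows


if __name__ == "__main__":
    for src, flags, raw, eff in effective_windows(SAMPLE):
        print(f"{src:26} flags={flags:2} win={raw:5} effective={eff} bytes")
```

On the constructed sample, the raw `win 1460` on the third segment comes out as 5840 bytes and `win 1448` as 5792 bytes, because each side offered `wscale 2`.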