Before a client and a server can exchange data (payload), the client and server must established a TCP connection. This is done via the TCP 3 way handshake.

1. SYN - The client sends a SYN (Synchronize) packet to the server
2. SYN ACK - The server sends a SYN ACK (Synchronize Acknowledge) packet to the client
3. ACK - The client sends an ACK (Acknowledge) packet to the server

The 3 way handshake can be seen in Wireshark. In this example, the client (192.168.0.103) sends a SYN packet to the server (192.168.0.130), the server sends a SYN ACK packet to the client, and the client sends a ACK packet to the server.

To see the 3 way handshake in Wireshark, you will almost always want to add the stream index column.

HTTP

HTTPS

After the connection has been established, there can be anywhere from a few to hundreds of packets. If using HTTP, you should at least see a GET request from the client to the server, an ACK from the server to the client, and an OK from the server to the client.

If using HTTPS, there should be a TLSv1.2 packets to establish a secured, encrypted connection.

Next, there will usually be some sort of payload to transfer from the server to the client. HTTP Continuation packets are common, as these packets are segments of the payload.

For a deeper understanding of HTTP Continuation packets, refer to the article on Understanding HTTP Continuation or TCP segment of a reassembled PDU packets in Wireshark.

When the client application remains idle for some time, the client will send a Keep Alive ACK to the server. In this example, we see 2 TCP Keep-Alive packets, one from the client to the server and another from the server to the client. This is normal, and not suggestive of a problem. The client is simply asking the server to keep the TCP connection alive, and the server acknowledges (ACK) the request to keep the connection alive.

When the client closes the application, the TCP connection will be closed. The client will send a FIN ACK request packet to the server, the server will send a FIN ACK response packet to the client, and lastly the client with send an ACK packet to the server, and the TCP connection is closed.

HTTP

HTTPS