Summary of TCP Transaction Steps
Capture packets and analyze general
Capture packets and analyze an SSH session
Capture packets and analyze an AMQP session
How to check if network is exhausted?
Summary of TCP Transaction Steps
- Connection Establishment (Three-Way Handshake):
- Client → Server: Send SYN (request to connect; the client enters SYN_SENT).
- Server → Client: Send SYN-ACK (acknowledge the SYN and send its own; the server enters SYN_RECEIVED, the connection is half-open).
- Client → Server: Send ACK (acknowledge the SYN-ACK; both sides are now ESTABLISHED).
- Data Transfer:
- Client ↔ Server: Send data segments in either direction.
- Receiver → Sender: Send ACK for the segments received.
- Client ↔ Server: Retransmit any segment whose ACK does not arrive in time.
- Connection Termination (Four-Way Handshake; either side may close first, the client is shown here):
- Client → Server: Send FIN (no more data to send; the client enters FIN_WAIT_1).
- Server → Client: Send ACK (acknowledge the FIN; the server sits in CLOSE_WAIT until its application closes the socket).
- Server → Client: Send FIN (the server enters LAST_ACK).
- Client → Server: Send ACK (acknowledge the FIN; the client waits in TIME_WAIT for 2 MSL before the port can be reused).
This flow ensures reliable, ordered delivery in TCP transactions, and the state names above are the ones netstat reports for each socket.
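As an added example (not from the original notes), the following Python model replays the segments in the summary and records the state each endpoint is in after every step, using the names netstat prints. It is deliberately simplified: no sequence numbers, no simultaneous close, one connection at a time; a server with no listener is modelled as an immediate RST.

```python
# Added example (not part of the original notes): a simplified model of the TCP
# connection state machine. It replays (sender, flags) segments and records the
# state each endpoint is in afterwards, using the names netstat reports.
# Simplifications: no sequence numbers, no simultaneous close, one connection.

TRANSITIONS = {
    # three-way handshake
    ("CLOSED", "send:SYN"): "SYN_SENT",
    ("LISTEN", "recv:SYN"): "SYN_RECEIVED",          # half-open until the ACK arrives
    ("SYN_SENT", "recv:SYN-ACK"): "ESTABLISHED",
    ("SYN_RECEIVED", "recv:ACK"): "ESTABLISHED",
    # active close: the side that sends the first FIN
    ("ESTABLISHED", "send:FIN"): "FIN_WAIT_1",
    ("FIN_WAIT_1", "recv:ACK"): "FIN_WAIT_2",
    ("FIN_WAIT_2", "recv:FIN"): "TIME_WAIT",
    ("TIME_WAIT", "timer:2MSL"): "CLOSED",           # port is reusable only after 2 MSL
    # passive close: the side that receives the first FIN
    ("ESTABLISHED", "recv:FIN"): "CLOSE_WAIT",       # stays here until the app calls close()
    ("CLOSE_WAIT", "send:FIN"): "LAST_ACK",
    ("LAST_ACK", "recv:ACK"): "CLOSED",
}

def step(state, event):
    """Apply one send/recv/timer event to a single endpoint and return its new state."""
    if (state, event) in TRANSITIONS:
        return TRANSITIONS[(state, event)]
    if event in ("send:ACK", "send:SYN-ACK", "send:DATA", "recv:DATA"):
        return state                    # sending an ACK, or moving data, changes no state
    if event == "recv:ACK" and state == "ESTABLISHED":
        return state                    # acknowledgement of a data segment
    if event == "recv:SYN" and state == "CLOSED":
        raise ConnectionRefusedError("no listener on that port; the host answers with RST")
    raise ValueError(f"{event} is not valid in state {state}")

def run_exchange(segments, server_listening=True):
    """Replay (sender, flags) pairs; return rows of (sender, flags, client_state, server_state)."""
    state = {"client": "CLOSED", "server": "LISTEN" if server_listening else "CLOSED"}
    trace = []
    for sender, flags in segments:
        if flags == "2MSL":             # TIME_WAIT timer expiring; nothing goes on the wire
            state[sender] = step(state[sender], "timer:2MSL")
            trace.append((sender, flags, state["client"], state["server"]))
            continue
        receiver = "server" if sender == "client" else "client"
        state[sender] = step(state[sender], f"send:{flags}")
        try:
            state[receiver] = step(state[receiver], f"recv:{flags}")
        except ConnectionRefusedError:
            trace.append((sender, flags, state["client"], state["server"]))
            state[sender] = "CLOSED"    # the RST aborts the attempt on the sender too
            trace.append((receiver, "RST", state["client"], state["server"]))
            break
        trace.append((sender, flags, state["client"], state["server"]))
    return trace

# The exchange from the summary above: handshake, one data segment, client closes first.
FULL_EXCHANGE = [
    ("client", "SYN"), ("server", "SYN-ACK"), ("client", "ACK"),
    ("client", "DATA"), ("server", "ACK"),
    ("client", "FIN"), ("server", "ACK"),
    ("server", "FIN"), ("client", "ACK"),
    ("client", "2MSL"),
]

if __name__ == "__main__":
    for row in run_exchange(FULL_EXCHANGE):
        print("%-6s %-7s client=%-12s server=%s" % row)
```

Two variations are worth trying: replay only the first seven segments (up to the server's ACK of the client's FIN) and the server is left in CLOSE_WAIT, the leak pattern discussed in the netstat section; replay with server_listening=False and the SYN is answered with RST, the connection-refused case behind a False from Test-NetConnection.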

Network commands
Test-NetConnection and tnc
When using Test-NetConnection in PowerShell to check a remote port, TcpTestSucceeded is True only if both of the following conditions are met:
- The port is reachable (not blocked by a firewall, router, NSG or other security rule).
- An application/service is actively listening on that port on the target machine, so the TCP three-way handshake completes.
If the host is reachable but nothing is listening, the remote TCP stack answers the SYN with a RST (connection refused) and the result is False. If a firewall drops the SYN instead, there is no reply at all, the test times out, and the result is also False. The True/False result does not distinguish the two cases, but the time to fail does (an immediate failure means a reachable host with no service, a wait of several seconds means something in the path is dropping packets), and a packet capture shows either a RST or no reply.
Example of Using Test-NetConnection (ps1)
Test-NetConnection -ComputerName "remote-server" -Port 80
For more detail (interface, route and ping results alongside the TCP test):
Test-NetConnection -ComputerName "remote-server" -Port 80 -InformationLevel Detailed
Example of using the alias tnc (ps1)
tnc is the PowerShell alias for Test-NetConnection. It runs the same cmdlet with the same parameters and output; it is simply less typing for people who use it often.
tnc remote-server -Port 3389
The Windows PowerShell cmdlet Test-NetConnection is a versatile tool for network diagnostics. It has no direct equivalent on Linux, but the same checks can be done with a combination of other commands.
ping, nc and telnet (bash)
# Windows: Test-NetConnection google.com
# Linux:
ping -c 4 google.com
# ping is the fundamental utility to test reachability (ICMP echo request/reply).
# -c 4 sends 4 echo requests and then stops; omit it for continuous pinging.
# Many hosts and firewalls drop ICMP, so a failed ping does not mean a port test will fail.
# Windows: Test-NetConnection google.com -Port 443
# Linux:
nc -zv -w 3 google.com 443
telnet google.com 443
# nc (netcat) is a versatile tool for making network connections.
# -z means "zero-I/O mode" (just complete the handshake, don't send any data).
# -v means "verbose" (prints whether the connection succeeded, was refused, or timed out).
# -w 3 gives up after 3 seconds instead of waiting for the system's connect timeout.
# telnet works for a port check too (escape with Ctrl+] and type quit). It is deprecated as a remote login
# protocol because it sends credentials in clear text; using it only to test whether a port answers is harmless.
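As an added example (not from the original notes), here is a small portable stand-in for Test-NetConnection -Port and nc -zv, written in Python so it behaves the same on Windows and Linux. Where Test-NetConnection folds both failure modes described above into False, this reports whether the SYN was answered with a RST (reachable host, nothing listening) or not answered at all (filtered). The demo binds its own throwaway listener on 127.0.0.1 and picks its own closed port, so it runs offline; "remote-server" in the comments is the placeholder name used on this page.

```python
# Added example (not part of the original notes): a portable stand-in for
# Test-NetConnection -Port / nc -zv that reports *why* a connect failed,
# which the True/False of Test-NetConnection does not tell you.
import socket

def probe_tcp(host, port, timeout=2.0):
    """Attempt a TCP handshake with host:port and classify the result.

    'open'      handshake completed: a service is listening and reachable
                (the only case Test-NetConnection reports as True)
    'refused'   host replied with RST: reachable, but nothing bound to the port
    'filtered'  no reply before the timeout: firewall drop, black-holed route
                or host down; the SYN is lost rather than answered
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        # e.g. no route to host, network unreachable, name resolution failure
        return "error: %s" % (exc.strerror or exc)

def demo():
    """Constructed demo: one listener on 127.0.0.1 and one port with nothing bound."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0 lets the OS pick a free port
    listener.listen(5)                       # the kernel completes handshakes for us
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                            # release it, so nothing listens there now

    try:
        return {
            "listening": probe_tcp("127.0.0.1", open_port),
            "nothing_bound": probe_tcp("127.0.0.1", closed_port),
        }
    finally:
        listener.close()

if __name__ == "__main__":
    print(demo())
    # Against a real target: probe_tcp("remote-server", 3389).
    # 'filtered' means look at the firewall / NSG path; 'refused' means the
    # host is up but the service is not bound to that port.
```

A short timeout is fine for a reachable LAN host, but across the internet or a VPN the filtered case needs a few seconds before you can trust the verdict; that is also why a firewalled port makes Test-NetConnection "hang" before it returns False.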
netstat (cmd, ps1, bash)
netstat is a command-line utility used to display network connections, routing tables, and listening ports on a computer. It shows details like the protocol, local and foreign addresses, and state of each connection. This helps diagnose network problems by identifying active connections, open ports, and listening services. netstat is available on various operating systems (e.g., Linux, macOS, and Windows), and its options and output format vary slightly across platforms (on modern Linux distributions ss -tanp is the maintained replacement and prints the same information).
Example of using netstat to check a port (ps1 or cmd)
netstat -ano lists all active connections and listening ports, along with their associated process IDs (PIDs):
-a shows all connections and listening ports.
-n displays addresses and port numbers in numerical form (no reverse DNS lookups, so it is faster and does not hang on unresolvable addresses).
-o includes the process ID that owns each socket.
netstat -ano | findstr ":1801 "
The trailing space inside the quotes matters: without it the pattern also matches :18010, :18011 and so on.
A healthy output for this command would typically look something like this:
TCP 0.0.0.0:1801 0.0.0.0:0 LISTENING 1234
Unhealthy Outputs
No output
(no output)
Meaning: nothing is listening on port 1801 and no connection involves it. A client that tries to connect is answered with a RST (connection refused). Check that the service is installed, started and actually configured to use this port.
TIME_WAIT only
TCP 192.168.1.2:1801 192.168.1.3:54321 TIME_WAIT 0
Meaning: a connection on this port was recently closed by the local side (the side that sends the first FIN is the one that ends in TIME_WAIT). The PID is 0 because the socket no longer belongs to any process. TIME_WAIT entries are normal on their own; what is unhealthy here is the missing LISTENING row, which means the service that owned the port has stopped or crashed since that connection was made.
LISTENING but Unresponsive
TCP 0.0.0.0:1801 0.0.0.0:0 LISTENING 5678
Meaning: an application owns port 1801, but if connections time out or hang after the handshake, the process may be blocked, deadlocked or overloaded. The kernel completes the handshake on the application's behalf, so the port still looks open from outside even when the process never calls accept(). Identify the process with tasklist /fi "PID eq 5678" and check its logs, CPU usage and thread state.
Multiple Entries with Different States
TCP 0.0.0.0:1801 0.0.0.0:0 LISTENING 5678
TCP 192.168.1.2:1801 192.168.1.3:54321 ESTABLISHED 5678
TCP 192.168.1.2:1801 192.168.1.4:12345 CLOSE_WAIT 5678
Meaning: CLOSE_WAIT means the peer has sent its FIN and the local application has not yet closed its end of the socket. One or two are harmless and transient; a number that grows and never drains means the application is leaking sockets, which eventually exhausts file handles and, for outbound connections, ephemeral ports.
Common SYN States
SYN_SENT: a connection request has been sent and the local side is waiting for the SYN-ACK. An application on this machine is trying to reach a service (here on port 1801) but the handshake has not completed.
SYN_RECEIVED: this machine has received a SYN and replied with SYN-ACK; it is waiting for the client's final ACK. Until that ACK arrives the connection is half-open and occupies a slot in the listen backlog.
SYN_SENT
TCP 192.168.1.2:54321 192.168.1.3:1801 SYN_SENT 0
Meaning: the local machine 192.168.1.2 is trying to connect from port 54321 to 192.168.1.3 port 1801 and has not yet received a SYN-ACK.
SYN_RECEIVED
TCP 192.168.1.3:1801 192.168.1.2:54321 SYN_RECEIVED 5678
Meaning: the server 192.168.1.3 has received a SYN from 192.168.1.2 and is waiting for the final ACK to complete the connection.
SYN states are short-lived on a healthy network; a connection normally spends milliseconds in them, so seeing them at all in a netstat snapshot is itself a hint.
Many SYN_SENT entries that never become ESTABLISHED point at a firewall silently dropping the SYN, a route that goes nowhere, or congestion. A service that is simply not running usually shows differently: the host answers with RST and the SYN_SENT entry disappears at once. Many SYN_RECEIVED entries, especially from many different source addresses, are the signature of a SYN flood: each half-open connection holds a backlog slot until it times out, and once the backlog is full new clients are turned away. Both Windows and Linux have built-in mitigation (Linux uses SYN cookies), but a sudden spike is still worth correlating with firewall logs.
Capture packets and analyze general
Open an elevated Command Prompt or PowerShell.
Start a trace with:
# persistent=yes keeps the trace running across a reboot, for problems that only appear at boot:
# netsh trace start persistent=yes capture=yes report=disabled tracefile=c:\trace.etl
netsh trace start capture=yes report=disabled tracefile=c:\trace.etl
Reproduce the network issue or desired connection to generate TCP traffic.
Stop the trace (this can take a while, netsh flushes and finalises the file before returning):
netsh trace stop
The resulting ETL file contains full packet payloads, so anything sent in clear text (credentials, session cookies, internal hostnames) is in it; store and share it like any other sensitive data and delete it when done. ETL captures can be opened directly in Microsoft Network Monitor or Microsoft Message Analyzer (both discontinued, so installers are hard to find); Windows Performance Analyzer opens ETL files too but is meant for performance traces, not packets. The practical route today is to convert the file to pcapng with etl2pcapng and analyse it in Wireshark, as below.
Downloaded tool: Releases · microsoft/etl2pcapng
Moved file and tool to and renamed to localhost…

Etl2pcapng.exe trace.etl trace.pcapng

Ran the above command and got:
(screenshot not included)

View content by localhost
Wireshark: File > Open the .pcapng file.

Example filter on port
(screenshot not included)

Capture packets and analyze an SSH session
What are the most useful filters for analysing an SSH session with Wireshark, and can we filter by protocol as well? (vicuna)
Let's now practice what we know and test it with a Linux server in Azure.
We already have SSH enabled on the VM.
How to check that
Scenario: VM is not running
Scenario: VM is running
Scenario: VM is running but port is blocked
Scenario: VM is running and port is open
Capture packets and analyze an AMQP session
What are the most useful filters for analysing an AMQP session with Wireshark, and can we filter by protocol as well? (vicuna)
tbd
How to check if network is exhausted?
https://github.com/spawnmarvel/quickguides/tree/main/network_monitor
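As an added example (not from these notes, nor from the linked network_monitor guide), the following Python script parses netstat output and applies the checks from the netstat section above: nothing listening on the port, CLOSE_WAIT build-up, a half-open SYN_RECEIVED backlog, unanswered SYN_SENT, plus a count of dynamic (ephemeral) ports in use for the exhaustion question. It reads both the Windows netstat -ano layout and the Linux netstat -tanp layout. The sample rows and the thresholds are constructed for the demo, not real captures; the dynamic range defaults to the Windows default of 49152-65535.

```python
# Added example (not part of the original notes): parse netstat output from
# Windows (netstat -ano) or Linux (netstat -tanp) and summarise the TCP states
# on a port, flagging the unhealthy patterns from the netstat section and the
# ephemeral-port exhaustion behind "is the network exhausted?".
from collections import Counter
from dataclasses import dataclass

# Windows and Linux spell two states differently; normalise to the Windows names.
STATE_ALIASES = {"LISTEN": "LISTENING", "SYN_RECV": "SYN_RECEIVED"}

@dataclass(frozen=True)
class Conn:
    proto: str          # "TCP" or "UDP"
    local_port: str
    foreign_port: str
    state: str          # "" for UDP
    pid: str            # "" when netstat could not show it

def _port(addr):
    return addr.rsplit(":", 1)[-1]     # 0.0.0.0:80 -> 80, [::]:80 -> 80, *:* -> *

def parse_line(line):
    """Return a Conn for one netstat row, or None for headers and blank lines."""
    parts = line.split()
    if len(parts) < 4 or parts[0].upper()[:3] not in ("TCP", "UDP"):
        return None
    proto = parts[0].upper()[:3]                    # tcp6 -> TCP
    if parts[1].isdigit() and parts[2].isdigit():
        # Linux layout: proto recv-q send-q local foreign [state] [pid/program]
        local, foreign, rest = parts[3], parts[4], parts[5:]
    else:
        # Windows layout: proto local foreign [state] pid
        local, foreign, rest = parts[1], parts[2], parts[3:]
    state = rest[0] if proto == "TCP" and rest else ""
    pid = rest[-1].split("/")[0] if rest and rest[-1][0].isdigit() else ""
    return Conn(proto, _port(local), _port(foreign), STATE_ALIASES.get(state, state), pid)

def analyze(lines, port, dynamic_range=(49152, 65535), close_wait_limit=5,
            syn_recv_limit=50, port_use_warn=0.8):
    """Count TCP states touching `port` and return findings for the bad patterns.

    dynamic_range defaults to the Windows ephemeral range; Linux uses 32768-60999
    by default (see /proc/sys/net/ipv4/ip_local_port_range).
    """
    conns = [c for c in map(parse_line, lines) if c and c.proto == "TCP"]
    on_port = [c for c in conns if port in (c.local_port, c.foreign_port)]
    counts = Counter(c.state for c in on_port)
    findings = []
    if counts["LISTENING"] == 0:
        findings.append(f"nothing is listening on port {port}; clients get RST (connection refused)")
    if counts["CLOSE_WAIT"] >= close_wait_limit:
        pids = ",".join(sorted({c.pid for c in on_port if c.state == "CLOSE_WAIT"}))
        findings.append(f"{counts['CLOSE_WAIT']} CLOSE_WAIT sockets on port {port}: "
                        f"peer sent FIN but PID {pids} never closed its end (socket leak)")
    if counts["SYN_RECEIVED"] >= syn_recv_limit:
        findings.append(f"{counts['SYN_RECEIVED']} half-open connections on port {port}: "
                        "backlog pressure or SYN flood")
    if counts["SYN_SENT"] and not counts["ESTABLISHED"]:
        findings.append(f"SYNs to port {port} get no answer: firewall drop, bad route or host down")
    # Every outbound connection, and every TIME_WAIT it leaves behind, pins one
    # local port from the dynamic range; run out and new connects fail with
    # WSAEADDRINUSE / EADDRNOTAVAIL even though the network itself is fine.
    lo, hi = dynamic_range
    used = {int(c.local_port) for c in conns
            if c.state != "LISTENING" and c.local_port.isdigit()
            and lo <= int(c.local_port) <= hi}
    usage = len(used) / (hi - lo + 1)
    if usage >= port_use_warn:
        findings.append(f"{len(used)} of {hi - lo + 1} dynamic ports in use ({usage:.0%}): "
                        "ephemeral port exhaustion")
    return {"counts": dict(counts), "dynamic_ports_used": len(used), "findings": findings}

# Constructed sample rows (not real captures): the port 1801 rows from the notes
# plus extra CLOSE_WAIT sockets, and a Linux sshd listing for the other layout.
SAMPLE_WINDOWS = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1801           0.0.0.0:0              LISTENING       5678
  TCP    192.168.1.2:1801       192.168.1.3:54321      ESTABLISHED     5678
  TCP    192.168.1.2:1801       192.168.1.4:12345      CLOSE_WAIT      5678
  TCP    192.168.1.2:1801       192.168.1.5:12346      CLOSE_WAIT      5678
  TCP    192.168.1.2:1801       192.168.1.6:12347      CLOSE_WAIT      5678
  TCP    192.168.1.2:1801       192.168.1.7:12348      CLOSE_WAIT      5678
  TCP    192.168.1.2:1801       192.168.1.8:12349      CLOSE_WAIT      5678
  TCP    192.168.1.2:1801       192.168.1.9:12350      TIME_WAIT       0
  TCP    192.168.1.2:50000      203.0.113.10:443       ESTABLISHED     4321
  TCP    [::]:1801              [::]:0                 LISTENING       5678
  UDP    0.0.0.0:500            *:*                                    1100
""".strip().splitlines()

SAMPLE_LINUX = """
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 10.0.0.5:22             10.0.0.9:51022          ESTABLISHED 812/sshd
tcp        0      0 10.0.0.5:22             10.0.0.9:51040          SYN_RECV    -
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           901/dhclient
""".strip().splitlines()

if __name__ == "__main__":
    for name, lines, port in (("windows", SAMPLE_WINDOWS, "1801"), ("linux", SAMPLE_LINUX, "22")):
        print(name, analyze(lines, port))
```

To run it against a live machine, pipe real output in (for example netstat -ano | python netstat_check.py with a few lines of sys.stdin handling added) and raise the thresholds to what is normal for that host; a single snapshot only shows a trend if you take two a minute apart and compare the CLOSE_WAIT and dynamic-port counts.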
Example Capture Wireshark SMB
Example below, but make a better and shorter one