How to tell the first fin packet of tcp connection from the second with tcpdump?

Question

I am developing a http server. And now i want to do some statistics, to be specific, I want to know how many of the tcp connections are closed by client, and how many of them are closed by my server.

I turned the Keep-alive feature off on my http server, so the normal case is that my server sends the first FIN packet and the client sends the second one, which means the connection is closed by my server normally. If they are in the reverse order, it indicates an abnormal closing, which I cares.

Here is the question, How can I tell the first FIN packet from the second with tcpdump? Since both of them are set in the FIN and ACK flag bit.

Thanks in advance and Happy new year!

Answer 1

I am tunneling a connection through ssh to my webserver, which is listening on 5000/tcp. I ran a tcpdump of the session, and even if you ignore timestamps, it's still clear who sent what from the TCP source port number.

05:42:06.344592 IP localhost.5000 > localhost.37924: Flags [F.], seq 243, 
    ack 419, win 529, options [nop,nop,TS val 120830308 ecr 120830308], length 0
05:42:06.381872 IP localhost.37924 > localhost.5000: Flags [.], ack 244, 
    win 513, options [nop,nop,TS val 120830318 ecr 120830308], length 0
05:42:06.382504 IP localhost.37924 > localhost.5000: Flags [F.], seq 419, 
    ack 244, win 513, options [nop,nop,TS val 120830318 ecr 120830308], length 0
05:42:06.382535 IP localhost.5000 > localhost.37924: Flags [.], ack 420, 
    win 529, options [nop,nop,TS val 120830318 ecr 120830318], length 0

At 05:42:06.344592 , my webserver ACK'd bytes from the client and set the FIN flag. I know it was the webserver, because the source port is 5000. In the real world, it's even easier, your source IP address alone gives it away.

At 05:42:06.382504 the client sent an ACK to the server's FIN . Again, we know because the source port is not 5000.