Hi there,

 

In this blog post, I would like to talk a bit about TCPIP and Winsock ETL tracing, with an example to show you how powerful those tracing facilities can be when troubleshooting connectivity problems. Please note that the goal is to give you an idea of what kind of information can be retrieved from such ETL traces, not to cover those tracing facilities inside out. But I’m pretty sure you’ll have an idea at the end.

 

First of all, you need to be running Windows 7 or Windows 2008 R2 in order to collect the ETL traces I mention here (at least at the level of detail shown here; the netsh command given below also only runs on Windows 7/2008 R2). Let me explain from scratch how I collected those ETL traces:

 

1) I compiled two sample C# network applications from the following links:

 

Server application:

(A sample TCPListener class code taken from MSDN http://msdn.microsoft.com/en-us/library/system.net.sockets.tcplistener.aspx)

 

Client application:

(A sample TCPClient class code taken from MSDN http://msdn.microsoft.com/en-us/library/system.net.sockets.tcpclient.aspx)

 

=> You can see the complete code from server side below (to make it easier for you while following TCPIP and Winsock activity in the ETL trace below)

 

///////////////// SERVER CODE //////////////

using System;
using System.IO;
using System.Net;
using System.Net.Sockets;
using System.Text;

class MyTcpListener
{
    public static void Main()
    {
        TcpListener server = null;
        try
        {
            // Set the TcpListener on port 13000.
            Int32 port = 13000;
            IPAddress localAddr = IPAddress.Parse("192.168.1.212");

            // TcpListener server = new TcpListener(port);
            server = new TcpListener(localAddr, port);

            // Start listening for client requests.
            server.Start();

            // Buffer for reading data
            Byte[] bytes = new Byte[256];
            String data = null;

            // Enter the listening loop.
            while (true)
            {
                Console.Write("Waiting for a connection... ");

                // Perform a blocking call to accept requests.
                // You could also use server.AcceptSocket() here.
                TcpClient client = server.AcceptTcpClient();
                Console.WriteLine("Connected!");

                data = null;

                // Get a stream object for reading and writing
                NetworkStream stream = client.GetStream();

                int i;

                // Loop to receive all the data sent by the client.
                while ((i = stream.Read(bytes, 0, bytes.Length)) != 0)
                {
                    // Translate data bytes to an ASCII string.
                    data = System.Text.Encoding.ASCII.GetString(bytes, 0, i);
                    Console.WriteLine("Received: {0}", data);

                    // Process the data sent by the client.
                    data = data.ToUpper();

                    byte[] msg = System.Text.Encoding.ASCII.GetBytes(data);

                    // Send back a response.
                    stream.Write(msg, 0, msg.Length);
                    Console.WriteLine("Sent: {0}", data);
                }

                // Shutdown and end connection
                client.Close();
            }
        }
        catch (SocketException e)
        {
            Console.WriteLine("SocketException: {0}", e);
        }
        finally
        {
            // Stop listening for new clients.
            // server is still null if an exception was thrown before the listener was created.
            if (server != null)
            {
                server.Stop();
            }
        }

        Console.WriteLine("\nHit enter to continue...");
        Console.Read();
    }
}

///////////////// SERVER CODE //////////////

 

 

Server code does the following in simple terms:

 

- It binds to and starts listening on 192.168.1.212:13000 locally via TcpListener()

- Once there’s an incoming connection, it accepts the connection, reads the incoming data stream in 256-byte chunks, converts each chunk to upper case and sends it back to the client. It keeps doing so until the client sends a disconnect request (a socket close at the client side, which will be visible as a TCP FIN at the server side most of the time)

 

2) Then I started ETL tracing with the following command at the server side:

 

netsh trace start scenario=internetclient provider=Microsoft-Windows-TCPIP capture=yes tracefile=tcpip.etl

 

Note: The capture=yes parameter also starts a network trace, which is also collected in ETL format. This is another cool feature of the netsh trace command on Windows 7/2008 R2.

Note: You need to run the above command from an elevated command prompt.

 

3) Then I started tcpserver.exe at the server side and then started tcpclient.exe at the client side. Once tcpclient.exe is started, it connects to the server, sends a 13-byte message “Test message1”, reads from the socket to get the response from the server and then closes the connection.

 

4) Then I stopped ETL tracing with the following command at the server side:

 

netsh trace stop

 

5) As a result of this action, an ETL file named tcpip.etl was created and then I opened it with Network Monitor 3.4 since it supports decoding ETL files. You can see an example screenshot below:

 

6) Now let’s focus on the session over which communication took place. You can find the relevant session by browsing the conversations in the left pane. In this scenario the right conversation was 12.

 

Note: I used the following color coding in order to better distinguish TCPIP driver, AFD driver activities and real network packets:

 

Winsock activity

TCPIP driver activity

Network packets

 

Note: For your convenience, the network packets that belong to the given session are listed together below (individual packets will also be examined step by step afterwards):

 

196          Idle (0)    W2K8DC1               WIN7CLIENT1-2K8                 TCP          TCP:Flags=......S., SrcPort=55908, DstPort=13000, PayloadLen=0, Seq=260959134, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192

199          Idle (0)    WIN7CLIENT1-2K8                 W2K8DC1               TCP          TCP: [Bad CheckSum]Flags=...A..S., SrcPort=13000, DstPort=55908, PayloadLen=0, Seq=2428590241, Ack=260959135, Win=8192 ( Negotiated scale factor 0x8 ) = 8192

200          Idle (0)    W2K8DC1               WIN7CLIENT1-2K8                 TCP          TCP:Flags=...A...., SrcPort=55908, DstPort=13000, PayloadLen=0, Seq=260959135, Ack=2428590242, Win=513

213          tcpserver.exe (2704)              W2K8DC1               WIN7CLIENT1-2K8                 TCP          TCP:Flags=...AP..., SrcPort=55908, DstPort=13000, PayloadLen=13, Seq=260959135 - 260959148, Ack=2428590242, Win=513

223          tcpserver.exe (2704)              WIN7CLIENT1-2K8                 W2K8DC1               TCP          TCP: [Bad CheckSum]Flags=...AP..., SrcPort=13000, DstPort=55908, PayloadLen=13, Seq=2428590242 - 2428590255, Ack=260959148, Win=513 (scale factor 0x0) = 513

227          Idle (0)    W2K8DC1               WIN7CLIENT1-2K8                 TCP          TCP:Flags=...A...F, SrcPort=55908, DstPort=13000, PayloadLen=0, Seq=260959148, Ack=2428590255, Win=513

235          Idle (0)    WIN7CLIENT1-2K8                 W2K8DC1               TCP          TCP: [Bad CheckSum]Flags=...A...., SrcPort=13000, DstPort=55908, PayloadLen=0, Seq=2428590255, Ack=260959149, Win=513 (scale factor 0x0) = 513

239          tcpserver.exe (2704)              WIN7CLIENT1-2K8                 W2K8DC1               TCP          TCP: [Bad CheckSum]Flags=...A...F, SrcPort=13000, DstPort=55908, PayloadLen=0, Seq=2428590255, Ack=260959149, Win=513 (scale factor 0x0) = 513

245          Idle (0)    W2K8DC1               WIN7CLIENT1-2K8                 TCP          TCP:Flags=...A...., SrcPort=55908, DstPort=13000, PayloadLen=0, Seq=260959149, Ack=2428590256, Win=513

 

 

a) The following WinsockAFD/TCPIP activity is a result of the following code fragment at server:

 

...
            // Set the TcpListener on port 13000.
            Int32 port = 13000;
            IPAddress localAddr = IPAddress.Parse("192.168.1.212");

            // TcpListener server = new TcpListener(port);
            server = new TcpListener(localAddr, port);

 

 

Calling the TcpListener constructor triggers a socket creation and local bind activity at the server side behind the scenes. As can be seen from the following converted ETL lines, the server process (tcpserver.exe) is binding to 192.168.1.212:13000:

 

50            tcpserver.exe (2704)              Wscore_MicrosoftWindowsWinsockAFD:socket: 0 (0x0): Process 0x893F92B0 (0x00000A90), Endpoint 0x8A28E2D8, Family 2 (0x2), Type SOCK_STREAM, Protocol 6 (0x6), Seq 1006 (0x3EE), Status Success

51            tcpserver.exe (2704)              TCPIP_MicrosoftWindowsTCPIP:TCP: endpoint (Family=IPV4 PID=2704 (0xA90)) created.

52            tcpserver.exe (2704)              TCPIP_MicrosoftWindowsTCPIP:TCP: endpoint 0x89304008 (Family=IPV4, PID=2704 (0xA90)) created with status = Success.

53            tcpserver.exe (2704)              Wscore_MicrosoftWindowsWinsockAFD:socket: 1 (0x1): Process 0x893F92B0 (0x00000A90), Endpoint 0x8A28E2D8, Family 0 (0x0), Type Unknown value: 0, Protocol 0 (0x0), Seq 1013 (0x3F5), Status Success

54            tcpserver.exe (2704)              Wscore_MicrosoftWindowsWinsockAFD:bind: 0 (0x0): Process 0x893F92B0, Endpoint 0x8A28E2D8, Address 192.168.1.212:13000, Seq 7010 (0x1B62), Status Success

55            tcpserver.exe (2704)              TCPIP_MicrosoftWindowsTCPIP:TCP: endpoint/connection 0x89304008 acquired port number 13000 (0x32C8).

56            tcpserver.exe (2704)              TCPIP_MicrosoftWindowsTCPIP:TCP: endpoint (sockaddr=192.168.1.212:13000) bound.

57            tcpserver.exe (2704)              Wscore_MicrosoftWindowsWinsockAFD:bind: 1 (0x1): Process 0x893F92B0, Endpoint 0x8A28E2D8, Address 192.168.1.212:13000, Seq 7022 (0x1B6E), Status Success

 

 

b) Then the server makes the following call to start listening on the socket and accept any incoming connection requests:

 

 

...
            // Start listening for client requests.
            server.Start();

            // Buffer for reading data
            Byte[] bytes = new Byte[256];
            String data = null;

            // Enter the listening loop.
            while (true)
            {
                Console.Write("Waiting for a connection... ");

                // Perform a blocking call to accept requests.
                // You could also use server.AcceptSocket() here.
                TcpClient client = server.AcceptTcpClient();
...

 

58            tcpserver.exe (2704)              Wscore_MicrosoftWindowsWinsockAFD:Listen: 0 (0x0): Process 0x893F92B0, Endpoint 0x8A28E2D8, Backlog 200 (0xC8), Seq 13006 (0x32CE), Status Success

59            tcpserver.exe (2704)              TCPIP_MicrosoftWindowsTCPIP:TCP: endpoint/connection 0x8A213398 replaced base endpoint 0x89304008 and acquired reference to port number 13000 (0x32C8).

60            tcpserver.exe (2704)              TCPIP_MicrosoftWindowsTCPIP:TCP: listener 0x8A213398 (sockaddr=192.168.1.212:13000) activated.

61            tcpserver.exe (2704)              Wscore_MicrosoftWindowsWinsockAFD:Listen: 1 (0x1): Process 0x893F92B0, Endpoint 0x8A28E2D8, Backlog 200 (0xC8), Seq 13012 (0x32D4), Status Success

62            tcpserver.exe (2704)              TCPIP_MicrosoftWindowsTCPIP:TCP: endpoint (sockaddr=192.168.1.212:13000) closed.

63            tcpserver.exe (2704)              Wscore_MicrosoftWindowsWinsockAFD:Wait for listen: 0 (0x0): Process 0x893F92B0, Endpoint 0x8A28E2D8, Seq 6216 (0x1848), Status Success

 

 

c) After some time, a remote client connects to server at TCP port 13000. This can be seen from the TCP SYN packet received from WIN7CLIENT1-2K8 (192.168.1.200)

 

196          Idle (0)    W2K8DC1               WIN7CLIENT1-2K8                 TCP                                                         TCP:Flags=......S., SrcPort=55908, DstPort=13000, PayloadLen=0, Seq=260959134, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192

 

 

d) TCPIP driver immediately responds to TCP SYN with a TCP SYN ACK and it also moves to SynRcvdState from ListenState:

 

197          Idle (0)                                   TCPIP_MicrosoftWindowsTCPIP:TCP: connection 0x8921DD28 transition from ListenState to SynRcvdState, SndNxt = 0 (0x0).

198          Idle (0)                                   TCPIP_MicrosoftWindowsTCPIP:TCP: connection 0x8921DD28: Sent data with number of bytes = 1 (0x1) and Sequence number = 2428590241 (0x90C158A1).

199          Idle (0)    WIN7CLIENT1-2K8                 W2K8DC1               TCP                                                         TCP: [Bad CheckSum]Flags=...A..S., SrcPort=13000, DstPort=55908, PayloadLen=0, Seq=2428590241, Ack=260959135, Win=8192 ( Negotiated scale factor 0x8 ) = 8192

200          Idle (0)    W2K8DC1               WIN7CLIENT1-2K8                 TCP                                                         TCP:Flags=...A...., SrcPort=55908, DstPort=13000, PayloadLen=0, Seq=260959135, Ack=2428590242, Win=513

 

 

e) After receiving a TCP ACK from the client, the endpoint moves to EstablishedState which is the state where both parties could start exchanging data:

 

201          Idle (0)                                   TCPIP_MicrosoftWindowsTCPIP:TCP: connection 0x8921DD28: Received data with number of bytes = 0 (0x0). ThSeq = 260959135 (0xF8DEB9F).

202          Idle (0)                                   TCPIP_MicrosoftWindowsTCPIP:TCP: connection 0x8921DD28 transition from SynRcvdState to EstablishedState, SndNxt = 2428590242 (0x90C158A2).

 

 

 

f) Now Winsock driver indicates a connection request to the application layer (tcpserver) and then the connection is accepted by the server process:

 

203          Idle (0)    192.168.1.200        Wscore_MicrosoftWindowsWinsockAFD:Connect indication: 3 (0x3): Process 0x893F92B0, Endpoint 0x8A28E2D8, Address 192.168.1.200:55908, Backlog Count 0 (0x0), Seq 6501 (0x1965), Status Success

204          Idle (0)                                   Wscore_MicrosoftWindowsWinsockAFD:Wait for listen: 1 (0x1): Process 0x893F92B0, Endpoint 0x8A28E2D8, Seq 6220 (0x184C), Status Success

205          Idle (0)                                   TCPIP_MicrosoftWindowsTCPIP:TCP: listener (local=192.168.1.212:13000 remote=192.168.1.200:55908) accept completed. TCB = 0x8921DD28. PID = 2704 (0xA90).

206          tcpserver.exe (2704)              Wscore_MicrosoftWindowsWinsockAFD:socket: 0 (0x0): Process 0x893F92B0 (0x00000A90), Endpoint 0x892FB6D8, Family 2 (0x2), Type SOCK_STREAM, Protocol 6 (0x6), Seq 1006 (0x3EE), Status Success

207          tcpserver.exe (2704)              TCPIP_MicrosoftWindowsTCPIP:TCP: endpoint (Family=IPV4 PID=2704 (0xA90)) created.

208          tcpserver.exe (2704)              TCPIP_MicrosoftWindowsTCPIP:TCP: endpoint 0x88BF7B08 (Family=IPV4, PID=2704 (0xA90)) created with status = Success.

209          tcpserver.exe (2704)              Wscore_MicrosoftWindowsWinsockAFD:socket: 1 (0x1): Process 0x893F92B0 (0x00000A90), Endpoint 0x892FB6D8, Family 0 (0x0), Type Unknown value: 0, Protocol 0 (0x0), Seq 1013 (0x3F5), Status Success

210          tcpserver.exe (2704)              Wscore_MicrosoftWindowsWinsockAFD:accept: 0 (0x0): Process 0x893F92B0, Endpoint 0x8A28E2D8, Address 192.168.1.200:55908, Accept Endpoint 0x892FB6D8, Current Backlog 0 (0x0), Seq 6010 (0x177A), Status Success

211          tcpserver.exe (2704)              TCPIP_MicrosoftWindowsTCPIP:TCP: endpoint (sockaddr=0.0.0.0:0) closed.

212          tcpserver.exe (2704)              Wscore_MicrosoftWindowsWinsockAFD:accept: 1 (0x1): Process 0x893F92B0, Endpoint 0x8A28E2D8, Seq 6011 (0x177B), Status Success

 

 

 

g) Remote client sends 13 bytes of data to the Server:

 

213          tcpserver.exe (2704)             W2K8DC1               WIN7CLIENT1-2K8                                                TCP          TCP:Flags=...AP..., SrcPort=55908, DstPort=13000, PayloadLen=13, Seq=260959135 - 260959148, Ack=2428590242, Win=513

54 65 73 74 20 6D 65 73 73 61 67 65 31  Test message1

 

 

 

h) And this is reflected with a Data indication to the application:

 

214          tcpserver.exe (2704)              Wscore_MicrosoftWindowsWinsockAFD:Data indication: 3 (0x3): Process 0x893F92B0, Endpoint 0x892FB6D8, Buffer 0x89C5BD88, Length 13 (0xD), Seq 9000 (0x2328)

215          tcpserver.exe (2704)              TCPIP_MicrosoftWindowsTCPIP:TCP: connection 0x8921DD28 delivery 0x8921DE20 indicated 0x0000000D bytes accepted 0x0000000D bytes, status = Success. RcvNxt = 260959135 (0xF8DEB9F).

216          tcpserver.exe (2704)              TCPIP_MicrosoftWindowsTCPIP:TCP: connection 0x8921DD28: Received data with number of bytes = 13 (0xD). ThSeq = 260959135 (0xF8DEB9F).

 

 

 

i) Now the server posts a Recv() with a buffer size of 256 bytes, which is a result of the following server code fragment, and it receives in return the 13 bytes which were just received from the remote client:

 

...
            // Buffer for reading data
            Byte[] bytes = new Byte[256];
            String data = null;
...

                // Loop to receive all the data sent by the client.
                while ((i = stream.Read(bytes, 0, bytes.Length)) != 0)
                {
...

 

 

217          tcpserver.exe (2704)              Wscore_MicrosoftWindowsWinsockAFD:recv: 0 (0x0): Process 0x893F92B0, Endpoint 0x892FB6D8, Buffer Count 1 (0x1), Buffer 0x0197F300, Length 256 (0x100), Seq 4115 (0x1013), Status Success

218          tcpserver.exe (2704)              Wscore_MicrosoftWindowsWinsockAFD:recv: 1 (0x1): Process 0x893F92B0, Endpoint 0x892FB6D8, Buffer Count 1 (0x1), Buffer 0x0197F300, Length 13 (0xD), Seq 4116 (0x1014), Status Success

 

 

 

j) After receiving the data, the server code converts it to upper case and sends it back to the client with the following code. The response is again 13 bytes in length:

 

...
                    data = data.ToUpper();

                    byte[] msg = System.Text.Encoding.ASCII.GetBytes(data);

                    // Send back a response.
                    stream.Write(msg, 0, msg.Length);
                    Console.WriteLine("Sent: {0}", data);
...

 

 

219          tcpserver.exe (2704)              Wscore_MicrosoftWindowsWinsockAFD:send: 0 (0x0): Process 0x893F92B0, Endpoint 0x892FB6D8, Buffer Count 1 (0x1), Buffer 0x8930165C, Length 13 (0xD), Seq 3047 (0xBE7), Status Success

220          tcpserver.exe (2704)              Wscore_MicrosoftWindowsWinsockAFD:send: 0 (0x0): Process 0x893F92B0, Endpoint 0x892FB6D8, Buffer Count 1 (0x1), Buffer 0x8930165C, Length 13 (0xD), Seq 3056 (0xBF0), Status Success

221          tcpserver.exe (2704)              TCPIP_MicrosoftWindowsTCPIP:TCP: connection 0x8921DD28 send posted posted 13 (0xD) bytes at 2428590242 (0x90C158A2).

222          tcpserver.exe (2704)              TCPIP_MicrosoftWindowsTCPIP:TCP: connection 0x8921DD28: Sent data with number of bytes = 13 (0xD) and Sequence number = 2428590242 (0x90C158A2).

223          tcpserver.exe (2704)             WIN7CLIENT1-2K8                 W2K8DC1               TCP                          TCP: [Bad CheckSum]Flags=...AP..., SrcPort=13000, DstPort=55908, PayloadLen=13, Seq=2428590242 - 2428590255, Ack=260959148, Win=513 (scale factor 0x0) = 513

224          tcpserver.exe (2704)              Wscore_MicrosoftWindowsWinsockAFD:send: 1 (0x1): Process 0x893F92B0, Endpoint 0x892FB6D8, Buffer Count 1 (0x1), Buffer 0x8930165C, Length 13 (0xD), Seq 3051 (0xBEB), Status Success

 

 

 

k) Another Recv() with a 256-byte buffer is posted by the application (since the server is still in the while loop):

 

225          tcpserver.exe (2704)              Wscore_MicrosoftWindowsWinsockAFD:recv: 0 (0x0): Process 0x893F92B0, Endpoint 0x892FB6D8, Buffer Count 1 (0x1), Buffer 0x892810E8, Length 256 (0x100), Seq 4107 (0x100B), Status Success

226          tcpserver.exe (2704)              TCPIP_MicrosoftWindowsTCPIP:TCP: connection 0x8921DD28, delivery 0x8921DE20, Request 0x89E65020  posted for 0x00000100 bytes, flags = 0 (0x0). RcvNxt = 260959148 (0xF8DEBAC).

 

 

 

l) The remote client sends a TCP FIN segment to the server and this is indicated up to the application and also the endpoint moves to CloseWaitState:

 

227          Idle (0)    W2K8DC1               WIN7CLIENT1-2K8                 TCP                                                         TCP:Flags=...A...F, SrcPort=55908, DstPort=13000, PayloadLen=0, Seq=260959148, Ack=2428590255, Win=513

228          Idle (0)                                   TCPIP_MicrosoftWindowsTCPIP:TCP: connection 0x8921DD28: Received data with number of bytes = 1 (0x1). ThSeq = 260959148 (0xF8DEBAC).

229          Idle (0)                                   TCPIP_MicrosoftWindowsTCPIP:TCP: connection 0x8921DD28: Cumulative ACK updated cwnd = 2920 (0xB68).

230          Idle (0)                                   TCPIP_MicrosoftWindowsTCPIP:TCP: connection 0x8921DD28 transition from EstablishedState to CloseWaitState, SndNxt = 2428590255 (0x90C158AF).

 

 

 

m) Server process determines that the remote client wants to close the connection by getting 0 bytes out of recv(): (which was posted by stream.Read(bytes, 0, bytes.Length) call indirectly)

 

231          Idle (0)                                   Wscore_MicrosoftWindowsWinsockAFD:recv: 1 (0x1): Process 0x893F92B0, Endpoint 0x892FB6D8, Buffer Count 1 (0x1), Buffer 0x892810E8, Length 0 (0x0), Seq 4123 (0x101B), Status Success

232          Idle (0)                                   TCPIP_MicrosoftWindowsTCPIP:TCP: connection 0x8921DD28 delivery 0x8921DE20 delivering FIN. RcvNxt = 260959149 (0xF8DEBAD).

 

 

 

n) Server process also issues a disconnect by calling the following:

 

...
                // Shutdown and end connection
                client.Close();
...

 

 

233          Idle (0)                                   Wscore_MicrosoftWindowsWinsockAFD:disconnect indicated: 3 (0x3): Process 0x893F92B0, Endpoint 0x892FB6D8, Seq 12001 (0x2EE1)

234          Idle (0)                                   Wscore_MicrosoftWindowsWinsockAFD:send: 1 (0x1): Process 0x893F92B0, Endpoint 0x892FB6D8, Buffer Count 1 (0x1), Buffer 0x8930165C, Length 13 (0xD), Seq 3024 (0xBD0), Status Success

235          Idle (0)    WIN7CLIENT1-2K8                 W2K8DC1               TCP                                                         TCP: [Bad CheckSum]Flags=...A...., SrcPort=13000, DstPort=55908, PayloadLen=0, Seq=2428590255, Ack=260959149, Win=513 (scale factor 0x0) = 513

236          tcpserver.exe (2704)              TCPIP_MicrosoftWindowsTCPIP:TCP: connection disconnect issued, length=0x00000000.

237          tcpserver.exe (2704)              TCPIP_MicrosoftWindowsTCPIP:TCP: connection 0x8921DD28 transition from CloseWaitState to LastAckState, SndNxt = 2428590255 (0x90C158AF).

238          tcpserver.exe (2704)              TCPIP_MicrosoftWindowsTCPIP:TCP: connection 0x8921DD28: Sent data with number of bytes = 1 (0x1) and Sequence number = 2428590255 (0x90C158AF).

239          tcpserver.exe (2704)             WIN7CLIENT1-2K8                 W2K8DC1               TCP                          TCP: [Bad CheckSum]Flags=...A...F, SrcPort=13000, DstPort=55908, PayloadLen=0, Seq=2428590255, Ack=260959149, Win=513 (scale factor 0x0) = 513

 

 

 

o) Finally the server does the socket cleanup:

 

240          tcpserver.exe (2704)              Wscore_MicrosoftWindowsWinsockAFD:socket cleanup: 0 (0x0): Process 0x893F92B0, Endpoint 0x892FB6D8, Seq 2002 (0x7D2), Status Success

241          tcpserver.exe (2704)              Wscore_MicrosoftWindowsWinsockAFD:socket cleanup: 1 (0x1): Process 0x893F92B0, Endpoint 0x892FB6D8, Seq 2003 (0x7D3), Status Success

242          tcpserver.exe (2704)              Wscore_MicrosoftWindowsWinsockAFD:closesocket: 0 (0x0): Process 0x893F92B0, Endpoint 0x892FB6D8, Seq 2000 (0x7D0), Status Success

243          tcpserver.exe (2704)              Wscore_MicrosoftWindowsWinsockAFD:closesocket: 1 (0x1): Process 0x893F92B0, Endpoint 0x892FB6D8, Seq 2001 (0x7D1), Status Success

244          tcpserver.exe (2704)              Wscore_MicrosoftWindowsWinsockAFD:Wait for listen: 0 (0x0): Process 0x893F92B0, Endpoint 0x8A28E2D8, Seq 6216 (0x1848), Status Success

 

 

 

p) And after receiving an ACK to the FIN sent by the server, the session moves to ClosedState:

 

245          Idle (0)    W2K8DC1               WIN7CLIENT1-2K8                 TCP                                                         TCP:Flags=...A...., SrcPort=55908, DstPort=13000, PayloadLen=0, Seq=260959149, Ack=2428590256, Win=513

246          Idle (0)                                   TCPIP_MicrosoftWindowsTCPIP:TCP: connection 0x8921DD28: Received data with number of bytes = 0 (0x0). ThSeq = 260959149 (0xF8DEBAD).

247          Idle (0)                                   TCPIP_MicrosoftWindowsTCPIP:TCP: connection 0x8921DD28: Cumulative ACK updated cwnd = 2933 (0xB75).

248          Idle (0)                                   TCPIP_MicrosoftWindowsTCPIP:TCP: connection 0x8921DD28 transition from LastAckState to ClosedState, SndNxt = 2428590256 (0x90C158B0).

249          Idle (0)                                   TCPIP_MicrosoftWindowsTCPIP:TCP: connection 0x8921DD28 (local=192.168.1.212:13000 remote=192.168.1.200:55908) disconnect completed.

250          Idle (0)                                   TCPIP_MicrosoftWindowsTCPIP:TCP: connection 0x8921DD28 (local=192.168.1.212:13000 remote=192.168.1.200:55908) close issued.

251          Idle (0)                                   TCPIP_MicrosoftWindowsTCPIP:TCP: connection 0x8921DD28 (local=192.168.1.212:13000 remote=192.168.1.200:55908) shutdown initiated (0xC0000241 - STATUS_CONNECTION_ABORTED). PID = 2704 (0xA90).

252          Idle (0)                                   TCPIP_MicrosoftWindowsTCPIP:TCP: connection 0x8921DD28 transition from ClosedState to ClosedState, SndNxt = 2428590256 (0x90C158B0).
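
The state transitions walked through in steps d) to p) can also be pulled out of the converted trace text mechanically. The following Python is an added example, not code from the original post or from Network Monitor: it parses TCPIP provider lines copied from the frames above, rebuilds the state path of each connection (TCB), ties it to the owning PID, and reports who closed first and how many payload bytes the server sent. State names that do not appear in this trace (SynSentState, FinWait1State, FinWait2State, ClosingState, TimeWaitState) are assumed to follow the same naming pattern.

```python
import re

# TCPIP provider lines copied from the converted trace in this post (column spacing condensed).
TRACE = """\
197  Idle (0)  TCPIP_MicrosoftWindowsTCPIP:TCP: connection 0x8921DD28 transition from ListenState to SynRcvdState, SndNxt = 0 (0x0).
202  Idle (0)  TCPIP_MicrosoftWindowsTCPIP:TCP: connection 0x8921DD28 transition from SynRcvdState to EstablishedState, SndNxt = 2428590242 (0x90C158A2).
205  Idle (0)  TCPIP_MicrosoftWindowsTCPIP:TCP: listener (local=192.168.1.212:13000 remote=192.168.1.200:55908) accept completed. TCB = 0x8921DD28. PID = 2704 (0xA90).
230  Idle (0)  TCPIP_MicrosoftWindowsTCPIP:TCP: connection 0x8921DD28 transition from EstablishedState to CloseWaitState, SndNxt = 2428590255 (0x90C158AF).
237  tcpserver.exe (2704)  TCPIP_MicrosoftWindowsTCPIP:TCP: connection 0x8921DD28 transition from CloseWaitState to LastAckState, SndNxt = 2428590255 (0x90C158AF).
248  Idle (0)  TCPIP_MicrosoftWindowsTCPIP:TCP: connection 0x8921DD28 transition from LastAckState to ClosedState, SndNxt = 2428590256 (0x90C158B0).
252  Idle (0)  TCPIP_MicrosoftWindowsTCPIP:TCP: connection 0x8921DD28 transition from ClosedState to ClosedState, SndNxt = 2428590256 (0x90C158B0).
"""

TRANSITION = re.compile(
    r"(?P<frame>\d+)\s+.*?TCP: connection (?P<tcb>0x[0-9A-Fa-f]+) "
    r"transition from (?P<old>\w+) to (?P<new>\w+), SndNxt = (?P<snd>\d+)")
ACCEPT = re.compile(
    r"\d+\s+.*?TCP: listener \(local=(?P<local>\S+) remote=(?P<remote>[^)\s]+)\) "
    r"accept completed\. TCB = (?P<tcb>0x[0-9A-Fa-f]+)\. PID = (?P<pid>\d+)")

# RFC 793 state diagram in the trace's naming; "-> ClosedState" covers resets and aborts.
# Names not seen in this post's trace are assumptions.
LEGAL = {
    "ListenState": {"SynRcvdState", "SynSentState", "ClosedState"},
    "SynSentState": {"EstablishedState", "SynRcvdState", "ClosedState"},
    "SynRcvdState": {"EstablishedState", "FinWait1State", "ListenState", "ClosedState"},
    "EstablishedState": {"CloseWaitState", "FinWait1State", "ClosedState"},
    "CloseWaitState": {"LastAckState", "ClosedState"},
    "LastAckState": {"ClosedState"},
    "FinWait1State": {"FinWait2State", "ClosingState", "TimeWaitState", "ClosedState"},
    "FinWait2State": {"TimeWaitState", "ClosedState"},
    "ClosingState": {"TimeWaitState", "ClosedState"},
    "TimeWaitState": {"ClosedState"},
    "ClosedState": {"ListenState", "SynSentState"},
}

def parse(text):
    """Return {tcb: {"owner": dict or None, "steps": [(frame, old, new, snd_nxt)]}}."""
    conns = {}
    for line in text.splitlines():
        line = line.strip()
        m = TRANSITION.match(line)
        if m:
            conn = conns.setdefault(m["tcb"], {"owner": None, "steps": []})
            conn["steps"].append((int(m["frame"]), m["old"], m["new"], int(m["snd"])))
            continue
        m = ACCEPT.match(line)
        if m:
            conn = conns.setdefault(m["tcb"], {"owner": None, "steps": []})
            conn["owner"] = {"local": m["local"], "remote": m["remote"], "pid": int(m["pid"])}
    return conns

def analyse(conn):
    """Summarise one connection: state path, how it opened, who closed first, bytes sent."""
    steps = [s for s in conn["steps"] if s[1] != s[2]]  # drop no-op lines such as frame 252
    result = {"path": [], "opened": "unknown", "closed_first": "unknown",
              "payload_bytes_sent": None, "problems": []}
    if not steps:
        return result
    result["problems"] = [f"frame {f}: unexpected {old} -> {new}"
                          for f, old, new, _ in steps if new not in LEGAL.get(old, ())]
    result["problems"] += [f"frames {a[0]}-{b[0]}: events missing between {a[2]} and {b[1]}"
                           for a, b in zip(steps, steps[1:]) if a[2] != b[1]]
    path = result["path"] = [steps[0][1]] + [s[2] for s in steps]
    if "SynSentState" in path:
        result["opened"] = "active"
    elif "SynRcvdState" in path:
        result["opened"] = "passive"
    if "CloseWaitState" in path:        # the peer's FIN arrived before the local close
        result["closed_first"] = "remote"
    elif "FinWait1State" in path:       # the local side sent its FIN first
        result["closed_first"] = "local"
    elif path[-1] == "ClosedState":     # closed without any FIN exchange
        result["closed_first"] = "abort"
    else:
        result["closed_first"] = "open"
    # SndNxt advances by one per payload byte and by one for our FIN (frames 237 -> 248).
    est = next((s[3] for s in steps if s[2] == "EstablishedState"), None)
    if est is not None and path[-1] == "ClosedState":
        fin = 1 if ("LastAckState" in path or "FinWait1State" in path) else 0
        result["payload_bytes_sent"] = (steps[-1][3] - est) % 2**32 - fin
    return result

if __name__ == "__main__":
    for tcb, conn in parse(TRACE).items():
        print(tcb, conn["owner"], analyse(conn))
```

For this trace the result is a passive open, a remote-initiated close, and 13 payload bytes sent, which matches the 13-byte upper-cased echo seen in frame 223.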

 

 

 

Hope this helps

 

Thanks,

Murat