Programmer46234

Reputation: 11

Wireshark - lots of ACK but no SYN?

I need to figure out what type of malicious activity is present in this .pcapng file I have received for my coursework using Wireshark; however, I'm not asking anyone to solve it, don't worry. I'm curious about something else. From my understanding, when there is a TCP connection handshake, on Wireshark it is displayed as:

SYN
SYN, ACK
ACK

I'm just a beginner at the moment, so I'm trying to understand: most of the TCP frames in Wireshark are displaying ACK without any SYN, and some say PSH instead. Can someone educate me on why? I tried to search it up, but it just talks about SYN ACK handshakes and doesn't answer my question. I'm also wondering why this file is a .pcapng and not a .pcap like I usually deal with. Thank you! Please ask for clarity if this does not make sense and I'll try my best.

Upvotes: 0

Views: 1643

Answers (2)

user16139739

Reputation: 1155

Perhaps that capture started after the 3-way handshake had already occurred, so it only captured traffic that came after the handshake. If so, it wouldn't contain any SYNs, and every frame after that would have the ACK flag set, whether it contains any data or not.

See the TCP specification, RFC 793, for an explanation of what the PSH flag means. For example, under "Basic Data Transfer" in section 1.3 "Operation", it says:

Sometimes users need to be sure that all the data they have submitted to the TCP has been transmitted. For this purpose a push function is defined. To assure that data submitted to a TCP is actually transmitted the sending user indicates that it should be pushed through to the receiving user. A push causes the TCPs to promptly forward and deliver data up to that point to the receiver. The exact push point might not be visible to the receiving user and the push function does not supply a record boundary marker.

I.e., the TCP implementation might buffer up data that it receives and not hand it to the program receiving the data until either enough data is received, enough time passes without any additional data arriving, or a PSH flag is seen. It would do that to increase the amount of data delivered, on average, to that program per data delivery, to reduce overhead.

Upvotes: 0
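A small illustration of the point in this answer, as an added example that is not part of the original post: it decodes the TCP flag bits from raw 20-byte TCP headers and reports flows whose first observed segment is not a SYN, which is exactly what a capture started mid-connection looks like. The header builder, port numbers and sample frames are all constructed here; no IP layer or pcap framing is involved.

```python
import struct

# TCP flag bits: RFC 793 (FIN..URG) plus the ECN bits from RFC 3168.
FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
         0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR"}

def tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Build a minimal 20-byte TCP header (constructed sample data, no options)."""
    offset_flags = (5 << 12) | flags          # data offset = 5 words, reserved = 0
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, window, 0, 0)

def parse_tcp(header):
    """Return (src, dst, seq, ack, flag names) from a raw TCP header."""
    src, dst, seq, ack, offset_flags = struct.unpack("!HHIIH", header[:14])
    flags = offset_flags & 0x01FF              # low 9 bits carry the flags
    names = [name for bit, name in sorted(FLAGS.items()) if flags & bit]
    return src, dst, seq, ack, names

def flows_without_handshake(frames):
    """Group segments by port pair and return flows whose first seen segment
    has no SYN: their handshake happened before the capture began."""
    first_seen = {}
    for hdr in frames:
        src, dst, _, _, names = parse_tcp(hdr)
        key = tuple(sorted((src, dst)))        # direction-agnostic flow key
        first_seen.setdefault(key, names)
    return {k: v for k, v in first_seen.items() if "SYN" not in v}

# Constructed sample: a complete handshake on 51000 -> 80, then a flow on
# 51001 -> 443 that was already established when the capture started.
SAMPLE = [
    tcp_header(51000, 80, 1000, 0, 0x02),       # SYN
    tcp_header(80, 51000, 5000, 1001, 0x12),    # SYN, ACK
    tcp_header(51000, 80, 1001, 5001, 0x10),    # ACK
    tcp_header(51001, 443, 7000, 9000, 0x18),   # PSH, ACK (mid-stream data)
    tcp_header(443, 51001, 9000, 7100, 0x10),   # ACK
]

if __name__ == "__main__":
    for hdr in SAMPLE:
        src, dst, seq, ack, names = parse_tcp(hdr)
        print(f"{src} -> {dst}  seq={seq} ack={ack}  [{', '.join(names)}]")
    print("flows with no SYN seen:", flows_without_handshake(SAMPLE))
```

In Wireshark itself the display filter `tcp.flags.syn == 1 && tcp.flags.ack == 0` lists only initial SYNs, so a stream that carries data but has no matching SYN in the capture was already in progress when capturing started.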

Vikneysh Raj G G A

Reputation: 120

The pcap-ng file format expands the basic pcap format's features by allowing you to store more capture-related data. PCAPNG (PCAP Next Generation) is more expandable, portable, and has a more flexible file structure than PCAP. It also contains other information about the packet and the interface used to capture it, such as drop counts, DNS data, and so on.

From the attached screenshot, I can infer that it is a TCP 3-way handshake to establish a connection. TCP requires a 3-way handshake to establish a connection between the client and server before sending the data. For your reference: https://wiki.wireshark.org/TCP_3_way_handshaking.md

Img source: https://afteracademy.com/blog/what-is-a-tcp-3-way-handshake-process

Upvotes: 1
