I have noticed that reading an output of a TCP dump is as follows:
The requesting Host sends a synchronization flag (SYN) in a TCP segment to create a connection.
The receiving Host 192.168.2.165 receives the SYN flag and returns an acknowledgment flag (ACK).
The requesting Host 192.168.2.10 receives the SYN flag and returns its own ACK flag.
But only 104 of my network transactions are [SYN] or [SYN,ACK]; the rest of the 14,711 are mostly just [ACK], which makes it even more confusing.
What's this about and for what reason, and how do I read it then?
I just want to create a Splunk search that can basically group up each start and end transaction. How can this be done?
The ACKs after the initial 3-way handshake are to acknowledge received packets, so you'll be seeing a lot of those. Without these ACK flags set the TCP delivery mechanisms wouldn't work. More information for instance here: http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Data_transfer
You can identify a unique transmission by creating a transaction based on the source host, source port, destination host and destination value.
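To make the grouping described in the answer concrete, here is an added example (not code from the original thread or from Splunk) that reads tcpdump's default text output, keys each packet on a direction-independent 4-tuple of source host, source port, destination host and destination port, and follows the flag sequence to mark where each connection starts (SYN, SYN/ACK, ACK) and ends (two FINs or an RST). The sample lines are constructed, and the line format assumed is the standard `tcpdump -n` TCP line; the many bare ACKs in the middle of a flow simply count as packets of the flow they belong to, which is what a Splunk transaction keyed on the same four fields would do.

```python
import re
from collections import OrderedDict

# Constructed sample of tcpdump -n output (not from the original thread).
# Flow 1: full handshake, 100 bytes up, 300 bytes down, orderly FIN close.
# Flow 2: SYN answered with RST (nothing listening / refused).
SAMPLE_DUMP = """\
10:00:00.000100 IP 192.168.2.10.51234 > 192.168.2.165.80: Flags [S], seq 1000, win 65535, length 0
10:00:00.000300 IP 192.168.2.165.80 > 192.168.2.10.51234: Flags [S.], seq 5000, ack 1001, win 65535, length 0
10:00:00.000400 IP 192.168.2.10.51234 > 192.168.2.165.80: Flags [.], ack 5001, win 2048, length 0
10:00:00.001000 IP 192.168.2.10.51234 > 192.168.2.165.80: Flags [P.], seq 1001:1101, ack 5001, win 2048, length 100
10:00:00.002000 IP 192.168.2.165.80 > 192.168.2.10.51234: Flags [.], ack 1101, win 2048, length 0
10:00:00.003000 IP 192.168.2.165.80 > 192.168.2.10.51234: Flags [P.], seq 5001:5301, ack 1101, win 2048, length 300
10:00:00.003500 IP 192.168.2.10.51234 > 192.168.2.165.80: Flags [.], ack 5301, win 2048, length 0
10:00:00.004000 IP 192.168.2.10.51234 > 192.168.2.165.80: Flags [F.], seq 1101, ack 5301, win 2048, length 0
10:00:00.004500 IP 192.168.2.165.80 > 192.168.2.10.51234: Flags [F.], seq 5301, ack 1102, win 2048, length 0
10:00:00.004600 IP 192.168.2.10.51234 > 192.168.2.165.80: Flags [.], ack 5302, win 2048, length 0
10:00:01.000000 IP 192.168.2.10.51235 > 192.168.2.165.80: Flags [S], seq 2000, win 65535, length 0
10:00:01.000200 IP 192.168.2.165.80 > 192.168.2.10.51235: Flags [R.], seq 0, ack 2001, win 0, length 0
"""

# Matches the default tcpdump TCP line: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [..], ..., length N"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)"
)


def parse_line(line):
    """Parse one tcpdump TCP line into a dict; return None for lines that are not TCP."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = m.groupdict()
    p["sport"], p["dport"], p["length"] = int(p["sport"]), int(p["dport"]), int(p["length"])
    return p


def flow_key(p):
    """Direction-independent key so both halves of a conversation land in one flow."""
    a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
    return (a, b) if a <= b else (b, a)


def build_flows(dump_text):
    """Group packets into flows and track start, end and connection state per 4-tuple."""
    flows = OrderedDict()
    for line in dump_text.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        f = flows.get(flow_key(p))
        if f is None:
            f = flows[flow_key(p)] = {"client": None, "server": None, "start": p["ts"],
                                      "end": p["ts"], "packets": 0, "bytes": 0,
                                      "state": "unknown", "fins": set()}
        f["packets"] += 1
        f["bytes"] += p["length"]          # payload bytes only; bare ACKs add 0
        f["end"] = p["ts"]
        flags = p["flags"]
        if "S" in flags and "." not in flags:   # bare SYN: this side opened the connection
            f["client"], f["server"] = (p["src"], p["sport"]), (p["dst"], p["dport"])
            f["state"] = "syn_sent"
        elif "S" in flags:                      # SYN+ACK from the listening side
            f["state"] = "syn_received"
        elif "R" in flags:                      # RST ends the flow immediately
            f["state"] = "reset"
        elif "F" in flags:                      # each side sends its own FIN
            f["fins"].add((p["src"], p["sport"]))
            f["state"] = "closed" if len(f["fins"]) == 2 else "closing"
        elif f["state"] == "syn_received":      # the ACK that completes the 3-way handshake
            f["state"] = "established"
    return flows


if __name__ == "__main__":
    for key, f in build_flows(SAMPLE_DUMP).items():
        print(f"{f['client']} -> {f['server']}: {f['start']}..{f['end']} "
              f"{f['packets']} pkts, {f['bytes']} payload bytes, {f['state']}")
```

The point of keying on all four fields rather than on sequence or acknowledgment numbers is that the numbers advance with every segment, while the 4-tuple is constant for the life of the connection; the handshake and teardown flags then give you the transaction boundaries the question asks for.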
Thanks, so basically the first Ack is a Get and the next two Acks are the Responses but the first three are only the 3-way handshake Acks for the connection creation.
One more question though: is this "HTTP HTTP/1.1 200 OK" considered to be a GET request, as in a response GET from the POST before it?
I think you're confusing terms here. HTTP traffic happens on the session layer whereas establishing TCP connections happens on the transport layer.
"HTTP/1.1 200 OK" is not a request, it is a response. It can be a response to both a POST and a GET (or most other HTTP methods as well for that matter).
I see, so what I can see in the TCP dumps is that the TCP Transport layer as the 'Source' is sending a request to the HTTP session layer as the destination to actually begin handling the data?
No... that's not what's happening. The layers aren't interacting in that way. The TCP packets carry data, in this case HTTP data. You should read up on the OSI model and how it works. TCP is acting as a transport. HTTP works on top of it.
The best way to create the transaction is described in my answer. The ack sequence IDs change all the time, so you will have a hard time creating a transaction out of only that.
I would strongly recommend going to Amazon and finding either the Stevens or Comer series on TCP/IP (or Both!) and studying up. You need to properly understand the protocols themselves before trying to use Splunk to process TCPDUMP data.