TCP is intended to be a host-to-host protocol in common use in multiple networks. In this chapter, we will analyze the TCP protocol in detail with lab exercises and examples.
This chapter covers the following topics:
Recapping TCP
TCP connection establishment and clearing
TCP troubleshooting
TCP latency issues
Wireshark TCP sequence analysis
Recapping TCP
Transmission Control Protocol (TCP) was first defined in RFC 675, and the v4 specification came out in RFC 793. TCP provides:
Connection-oriented setup and tear-down of TCP sessions
A byte-stream service: the sender and receiver exchange a stream of bytes, not messages, and TCP guarantees that the bytes received are identical to the bytes sent and arrive in the correct order
Reliable, in-order delivery: sequence numbers let the receiver recover from data that is damaged, lost, duplicated, or delivered out of order by the Internet communication system
Flow control, which prevents the receiver's buffer space from overflowing
Congestion control (as defined in RFC 5681), whose algorithms are slow start, congestion avoidance, fast retransmit, and fast recovery
Multiplexing: every TCP conversation has two logical pipes, an outgoing and an incoming pipe
TCP header fields
Each TCP segment has a 20-byte fixed header, optionally followed by TCP options, as shown in the following screenshot displaying a TCP frame in the Wireshark Packet Details pane:
The following table lists each header field, its Wireshark display-filter name, and a description:
| TCP header | Wireshark filter name | Description |
|---|---|---|
| Source port (16 bits) | tcp.srcport | Sender port |
| Destination port (16 bits) | tcp.dstport | Receiver port |
| Sequence number (32 bits) | tcp.seq | Sequence number of the first data byte in the segment; in a SYN it carries the ISN, which anchors the state of the TCP conversation |
| Acknowledgement number (32 bits) | tcp.ack | The ACK contains the next SEQNo that a host wants to receive |
| Flags (9 bits) | tcp.flags | Control bits, listed individually below |
| Reserved | tcp.flags.res | For future use |
| Nonce (NS) | tcp.flags.ns | Experimental |
| CWR | tcp.flags.cwr | Congestion window reduced |
| ECE (ECN-Echo) | tcp.flags.ecn | ECN-Echo |
| Urgent | tcp.flags.urg | Urgent pointer field is set |
| Acknowledgement | tcp.flags.ack | Acknowledgement field is set |
| Push | tcp.flags.push | Push the data to the receiving application |
| Reset | tcp.flags.reset | Reset the connection |
| SYN | tcp.flags.syn | Synchronize sequence numbers |
| FIN | tcp.flags.fin | No more data from the sender |
| Window size (16 bits) | tcp.window_size | Advertises the receive window; first exchanged in the three-way handshake and updated in every segment |
| Checksum (16 bits) | tcp.checksum | Error checking of header and data |
| Urgent pointer (16 bits) | tcp.urgent_pointer | Informs the receiver that some data in the segment is urgent (SEQNo <= urgent message <= SEQNo + urgent pointer) |
| Options (0-132 bits, padded to a multiple of 32) | tcp.options | Options such as maximum segment size, No-Operation (NOP), window scale, timestamps, SACK permitted |
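As an added example that is not from the book, the following Python parser decodes the 20-byte fixed header, the nine flag bits and the options of a TCP segment into the Wireshark field names used in the table, run on a constructed SYN segment; the option-length and data-offset checks are the editor's own addition and the sample bytes are not from a real capture.

```python
import struct
from collections import OrderedDict
# The nine control bits, keyed by the Wireshark filter names from the table above.
FLAG_BITS = [
    ("tcp.flags.ns", 0x100), ("tcp.flags.cwr", 0x080), ("tcp.flags.ecn", 0x040),
    ("tcp.flags.urg", 0x020), ("tcp.flags.ack", 0x010), ("tcp.flags.push", 0x008),
    ("tcp.flags.reset", 0x004), ("tcp.flags.syn", 0x002), ("tcp.flags.fin", 0x001),
]
OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WScale", 4: "SACK permitted", 8: "Timestamps"}

def parse_options(raw):
    """Walk the option bytes: kinds 0 and 1 are one byte, every other kind has a length byte."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of option list; the rest is padding
            break
        if kind == 1:                      # NOP, used only for 32-bit alignment
            opts.append(("NOP", b""))
            i += 1
            continue
        # Reject a length byte that is missing, too small, or points past the header.
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = raw[i + 1]
        opts.append((OPTION_NAMES.get(kind, "kind %d" % kind), bytes(raw[i + 2:i + length])))
        i += length
    return opts

def parse_tcp_header(segment):
    """Decode the 20-byte fixed header plus options into a dict keyed by Wireshark field names."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte fixed header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4   # header length in bytes, 20..60
    flags = off_flags & 0x1FF             # nine control bits, NS is the highest
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("data offset %d does not fit a %d-byte segment" % (data_offset, len(segment)))
    hdr = OrderedDict([("tcp.srcport", sport), ("tcp.dstport", dport), ("tcp.seq", seq),
                       ("tcp.ack", ack), ("tcp.hdr_len", data_offset), ("tcp.flags", flags),
                       ("tcp.window_size", window), ("tcp.checksum", csum), ("tcp.urgent_pointer", urg)])
    hdr.update((name, bool(flags & bit)) for name, bit in FLAG_BITS)
    hdr["tcp.options"] = parse_options(segment[20:data_offset])
    hdr["payload"] = segment[data_offset:]
    return hdr

# Constructed sample (not a real capture): SYN to port 443 with MSS 1460, SACK-permitted,
# timestamps, a NOP and window scale 7, giving a 40-byte header (data offset 10).
SAMPLE_SYN = bytes.fromhex("c822 01bb 12345678 00000000 a002 faf0 0000 0000"
                           "020405b4 0402 080a0001e24000000000 01 030307")
```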
TCP states
A connection progresses through a series of states during its lifetime. The states are:
| TCP state | Description |
|---|---|
| LISTEN | The server is open for incoming connections. |
| SYN-SENT | The client has initiated the connection. |
| SYN-RECEIVED | The server has received the connection request. |
| ESTABLISHED | The client and server are ready for data transfer; a connection has been established. |
| FIN-WAIT-1 | The client or server has closed the socket. In Linux the default is 60 ms. |
| CLOSE-WAIT | Either the client or the server has not yet closed the socket. The CLOSE_WAIT state will not expire. |
| LAST-ACK | Waiting for the pending ACK from the client. It is the final stage of the TCP conversation with the client. |
| TIME-WAIT | TIME_WAIT indicates that the local application closed the connection, and the other side acknowledged and sent a FIN of its own. In Linux the default is 60 ms. |