Chapter 3. Analyzing the TCP Network

TCP is intended to be a host-to-host protocol in common use in multiple networks. In this chapter, we will analyze the TCP protocol in detail with lab exercises and examples.

This chapter covers the following topics:

  • Recapping TCP
  • TCP connection establishment and clearing
  • TCP troubleshooting
  • TCP latency issues
  • Wireshark TCP sequence analysis

Recapping TCP

Transmission Control Protocol (TCP) was first defined in RFC 675, and the v4 specification came out in RFC 793. TCP provides:

  • Connection-oriented setup and tear-down of TCP sessions
  • A byte-stream service: the application sends and receives a stream of bytes, not messages, and TCP guarantees that the bytes received are identical to the bytes sent and arrive in the correct order
  • Reliable, in-order delivery: sequence numbers let TCP recover from data that is damaged, lost, duplicated, or delivered out of order by the Internet communication system
  • Flow control, which prevents the receiver's buffer space from overflowing
  • Congestion control (as defined in RFC 5681), whose algorithms are slow start, congestion avoidance, fast retransmit, and fast recovery
  • Multiplexing: every TCP conversation has two logical pipes, an outgoing and an incoming pipe

TCP header fields

Each TCP segment has a 20-byte header, optionally followed by option fields, as shown in the following screenshot of a TCP frame in the Wireshark Packet Details pane:

[Screenshot: TCP header fields in the Wireshark Packet Details pane]

The following table lists the header fields, the corresponding Wireshark filter names, and a description of each:

TCP header                             Wireshark filter name   Description
-------------------------------------  ----------------------  ------------------------------------------------------------
Source port (16 bits)                  tcp.srcport             Sender port
Destination port (16 bits)             tcp.dstport             Receiver port
Sequence number (32 bits)              tcp.seq                 Defines the ISN and controls the state of the TCP connection
Acknowledgement number (32 bits)       tcp.ack                 Contains the next SEQNo that the host wants to receive
Flags (9 bits)                         tcp.flags               Control bits:
    Reserved                           tcp.flags.res           For future use
    Nonce                              tcp.flags.ns            Experimental
    CWR                                tcp.flags.cwr           Congestion window reduced
    ECN                                tcp.flags.ecn           ECN-Echo
    Urgent                             tcp.flags.urg           Urgent pointer field is set
    Acknowledgement                    tcp.flags.ack           Acknowledgement number is set
    Push                               tcp.flags.push          Push the data to the receiving application
    Reset                              tcp.flags.reset         Reset the connection
    SYN                                tcp.flags.syn           Synchronize sequence numbers
    FIN                                tcp.flags.fin           No more data from the sender
Window size (16 bits)                  tcp.window_size         Advertises the receive window size, first seen in the three-way handshake
Checksum (16 bits)                     tcp.checksum            Error checking
Urgent pointer (16 bits)               tcp.urgent_pointer      Informs the receiver that some data in the segment is urgent (SEQNo <= urgent message <= SEQNo + urgent pointer)
Options (0-132 bits, divisible by 32)  tcp.options             Options such as maximum segment size, No-Operation (NOP), window scale, timestamps, SACK permitted
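To make the field layout above concrete, here is an added Python example (not code from the book or from Wireshark) that unpacks a raw TCP segment into the same fields the table lists, decodes the nine flag bits and the common options (MSS, NOP, window scale, SACK permitted, timestamps), and verifies the checksum over the IPv4 pseudo-header. The sample SYN segment, the 10.0.0.x addresses and the port numbers are constructed for the example.

```python
import struct

# Bit values of the nine TCP control flags (NS is the high bit of the 9-bit field).
TCP_FLAGS = [
    ("NS", 0x100), ("CWR", 0x080), ("ECE", 0x040), ("URG", 0x020), ("ACK", 0x010),
    ("PSH", 0x008), ("RST", 0x004), ("SYN", 0x002), ("FIN", 0x001),
]


def parse_tcp_options(raw: bytes) -> list:
    """Decode the option bytes that sit between the fixed header and the data."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No-Operation (padding)
            opts.append(("NOP", None))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad TCP option length")
        data = raw[i + 2:i + length]
        if kind == 2 and length == 4:
            opts.append(("MSS", struct.unpack("!H", data)[0]))
        elif kind == 3 and length == 3:
            opts.append(("WScale", data[0]))
        elif kind == 4 and length == 2:
            opts.append(("SACK_PERM", None))
        elif kind == 8 and length == 10:
            opts.append(("Timestamps", struct.unpack("!II", data)))
        else:
            opts.append((f"kind{kind}", data))   # unknown option: keep raw bytes
        i += length
    return opts


def parse_tcp_header(segment: bytes) -> dict:
    """Unpack the 20-byte fixed header, the flags, the options and the payload."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    src, dst, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    hdr_len = (off_flags >> 12) * 4         # data offset is counted in 32-bit words
    flags = off_flags & 0x1FF               # low 9 bits: NS .. FIN
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("invalid data offset")
    return {
        "srcport": src, "dstport": dst, "seq": seq, "ack": ack,
        "hdr_len": hdr_len, "flags": [n for n, bit in TCP_FLAGS if flags & bit],
        "window_size": win, "checksum": csum, "urgent_pointer": urg,
        "options": parse_tcp_options(segment[20:hdr_len]),
        "payload": segment[hdr_len:],
    }


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"                     # pad an odd trailing byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """RFC 793 checksum: IPv4 pseudo-header plus the segment with its checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))   # protocol 6 = TCP
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~_ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def checksum_is_valid(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    return tcp_checksum(src_ip, dst_ip, segment) == struct.unpack("!H", segment[16:18])[0]


# Constructed sample: a SYN from 10.0.0.1:40000 to 10.0.0.2:443 carrying MSS, window scale
# and SACK-permitted options (12 option bytes, so the data offset is 8 words = 32 bytes).
SRC_IP, DST_IP = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])


def build_sample_syn() -> bytes:
    options = (struct.pack("!BBH", 2, 4, 1460)          # MSS 1460
               + bytes([1, 3, 3, 7])                    # NOP, WScale 7
               + bytes([4, 2, 1, 1]))                   # SACK permitted, NOP, NOP
    fixed = struct.pack("!HHIIHHHH", 40000, 443, 0x1A2B3C4D, 0,
                        (8 << 12) | 0x002, 64240, 0, 0)  # data offset 8, SYN set, checksum 0
    segment = fixed + options
    csum = tcp_checksum(SRC_IP, DST_IP, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


if __name__ == "__main__":
    syn = build_sample_syn()
    hdr = parse_tcp_header(syn)
    print(hdr["srcport"], hdr["dstport"], hdr["flags"], hdr["options"])
    print("checksum ok:", checksum_is_valid(SRC_IP, DST_IP, syn))
```

The checksum must be computed over the pseudo-header as well as the segment, which is why the function takes the two IP addresses; a capture taken on the sending host will often show a wrong checksum simply because the NIC filled it in after the capture point (checksum offload), so treat a checksum mismatch in Wireshark as a hint, not proof of corruption.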

TCP states

A connection progresses through a series of states during its lifetime. The states are:

TCP state      Description
-------------  ------------------------------------------------------------------
LISTEN         The server is open for incoming connections.
SYN-SENT       The client has initiated the connection.
SYN-RECEIVED   The server has received the connection request.
ESTABLISHED    The client and server have established a connection and are ready for data transfer.
FIN-WAIT-1     The client or server has closed the socket. In Linux the default is 60 ms:

                   [bash ~]# cat /proc/sys/net/ipv4/tcp_fin_timeout
                   60

FIN-WAIT-2     The client or server has released the connection. In Linux the default is 60 ms:

                   [bash ~]# cat /proc/sys/net/ipv4/tcp_fin_timeout
                   60

CLOSE-WAIT     The peer has closed its side of the connection, but the local application has not yet closed the socket. The CLOSE_WAIT state will not expire.
LAST-ACK       Waiting for the pending ACK from the client. This is the final stage of the TCP conversation with the client.
TIME-WAIT      TIME_WAIT indicates that the local application closed the connection, and the other side acknowledged and sent a FIN of its own. In Linux the default is 60 ms:

                   [bash ~]# cat /proc/sys/net/ipv4/tcp_fin_timeout
                   60

CLOSED         Fictional state: no connection exists.
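The table above is easier to reason about as a transition diagram. The following added Python example (not code from the book) encodes the RFC 793 state transitions as a table and drives a client and a server side through a three-way handshake and a close initiated by the client. It goes slightly beyond the table by including the CLOSING state from RFC 793 (both sides send FIN at once). The `server_closes` switch shows the point the table makes about CLOSE-WAIT: if the application never closes its socket, the server side stays in CLOSE-WAIT and the client is parked in FIN-WAIT-2. Event names such as `recv_synack` are this example's own vocabulary, not kernel or Wireshark terms.

```python
# RFC 793 connection states and the events that move between them.
# Keys are the current state; values map an event to the next state.
TRANSITIONS = {
    "CLOSED":       {"passive_open": "LISTEN", "active_open": "SYN-SENT"},
    "LISTEN":       {"recv_syn": "SYN-RECEIVED", "close": "CLOSED"},
    "SYN-SENT":     {"recv_synack": "ESTABLISHED", "recv_syn": "SYN-RECEIVED", "close": "CLOSED"},
    "SYN-RECEIVED": {"recv_ack": "ESTABLISHED", "close": "FIN-WAIT-1"},
    "ESTABLISHED":  {"close": "FIN-WAIT-1", "recv_fin": "CLOSE-WAIT"},
    "FIN-WAIT-1":   {"recv_ack": "FIN-WAIT-2", "recv_fin": "CLOSING", "recv_fin_ack": "TIME-WAIT"},
    "FIN-WAIT-2":   {"recv_fin": "TIME-WAIT"},
    "CLOSING":      {"recv_ack": "TIME-WAIT"},
    "CLOSE-WAIT":   {"close": "LAST-ACK"},
    "LAST-ACK":     {"recv_ack": "CLOSED"},
    "TIME-WAIT":    {"timeout": "CLOSED"},          # 2*MSL timer expires
}


class TcpStateMachine:
    """One endpoint of a connection; records every state it passes through."""

    def __init__(self) -> None:
        self.state = "CLOSED"
        self.history = ["CLOSED"]

    def fire(self, event: str) -> str:
        nxt = TRANSITIONS[self.state].get(event)
        if nxt is None:
            raise ValueError(f"event {event!r} is not valid in state {self.state}")
        self.state = nxt
        self.history.append(nxt)
        return nxt


def simulate(server_closes: bool = True):
    """Handshake, then the client closes first. Returns (client_history, server_history)."""
    client, server = TcpStateMachine(), TcpStateMachine()
    server.fire("passive_open")     # server socket listens
    client.fire("active_open")      # client sends SYN
    server.fire("recv_syn")         # server replies SYN+ACK
    client.fire("recv_synack")      # client replies ACK
    server.fire("recv_ack")         # both sides ESTABLISHED
    client.fire("close")            # client sends FIN
    server.fire("recv_fin")         # server ACKs the FIN, enters CLOSE-WAIT
    client.fire("recv_ack")         # client waits in FIN-WAIT-2 for the server's FIN
    if server_closes:
        server.fire("close")        # application closes: server sends its FIN
        client.fire("recv_fin")     # client ACKs it and enters TIME-WAIT
        server.fire("recv_ack")     # server is CLOSED
        client.fire("timeout")      # 2*MSL elapses, client is CLOSED
    return client.history, server.history


if __name__ == "__main__":
    for flag in (True, False):
        c, s = simulate(server_closes=flag)
        print("server closes" if flag else "server never closes")
        print("  client:", " -> ".join(c))
        print("  server:", " -> ".join(s))
```

The second run ends with the server stuck in CLOSE-WAIT, which is exactly what `ss -nt4 state CLOSE-WAIT` would show for a process that leaks sockets after the peer has hung up.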

Note

The ss (socket statistics) and netstat command-line utilities can be used to monitor network connections and their states:

[bash ~]# ss -nt4 state CLOSE-WAIT
[bash ~]# ss -nt4 state ESTABLISHED
[bash ~]# netstat -an | grep CLOSE-WAIT
[bash ~]# netstat -an | grep ESTABLISHED
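Because CLOSE-WAIT never expires on its own, a growing count of CLOSE-WAIT sockets on one listening port is a reliable sign that a service is not closing connections its peers have already finished with. The following added Python example (not code from the book) parses the column layout of `ss -nt4` output (run without a `state` filter, so the State column is present), summarises connections per state and reports any local port whose CLOSE-WAIT count reaches a threshold. The sample output and its 10.0.0.x addresses are constructed for the example.

```python
from collections import Counter

# Constructed sample of `ss -nt4` output (no state filter, so the State column is present).
SAMPLE_SS_OUTPUT = """\
State       Recv-Q Send-Q  Local Address:Port   Peer Address:Port
ESTAB       0      0       10.0.0.5:22          10.0.0.9:51234
CLOSE-WAIT  1      0       10.0.0.5:8080        10.0.0.20:44012
CLOSE-WAIT  1      0       10.0.0.5:8080        10.0.0.21:44120
CLOSE-WAIT  1      0       10.0.0.5:8080        10.0.0.22:44399
TIME-WAIT   0      0       10.0.0.5:41022       10.0.0.50:443
ESTAB       0      0       10.0.0.5:8080        10.0.0.23:44400
"""


def parse_ss(output: str) -> list:
    """Turn `ss -nt4` text into a list of connection dicts; skips the header row."""
    conns = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue                          # blank or malformed line
        lhost, lport = fields[3].rsplit(":", 1)
        phost, pport = fields[4].rsplit(":", 1)
        conns.append({
            "state": fields[0],
            "recv_q": int(fields[1]),         # bytes received but not yet read by the application
            "send_q": int(fields[2]),
            "local": (lhost, int(lport)),
            "peer": (phost, int(pport)),
        })
    return conns


def state_summary(conns: list) -> Counter:
    """Count connections per TCP state, like `ss -s` but from the parsed rows."""
    return Counter(c["state"] for c in conns)


def close_wait_pileups(conns: list, threshold: int = 2) -> dict:
    """Local ports with at least `threshold` sockets parked in CLOSE-WAIT."""
    per_port = Counter(c["local"][1] for c in conns if c["state"] == "CLOSE-WAIT")
    return {port: n for port, n in per_port.items() if n >= threshold}


if __name__ == "__main__":
    conns = parse_ss(SAMPLE_SS_OUTPUT)
    print(dict(state_summary(conns)))
    for port, n in close_wait_pileups(conns).items():
        print(f"port {port}: {n} sockets in CLOSE-WAIT (application not closing sockets)")
```

A non-zero Recv-Q on a CLOSE-WAIT socket, as in the sample rows, means the peer's final bytes are still sitting unread in the kernel buffer, which points at the application rather than the network as the place to look.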