The transport layer protocols include TCP and UDP, which are used to transport application protocols.
The User Datagram Protocol (UDP) is considered an unreliable transport: there's no guarantee of packet delivery or ordering, but it has a lower overhead and is used by time-sensitive applications such as voice and video traffic.
The following screenshot shows the fields contained in a UDP header:
The UDP header is only 8 bytes long, consisting of:
The Transmission Control Protocol (TCP) provides reliable delivery of data by detecting lost, duplicated, or out-of-order packets, requesting retransmission of lost data, and rearranging packets into the right order before delivering them to the application. TCP can also accept a large chunk of data from an application, transport it reliably to the other end using multiple packets, and reassemble it there.
The following screenshot highlights the significant fields of a basic TCP header:
The TCP header contents and length can vary depending on options that may be in use, but in its simplest implementation it consists of:
The use of sequence and acknowledgment numbers is how TCP ensures reliable delivery of data by tracking the number and order of received bytes.
Sequence and acknowledgment numbers are large and difficult for humans to follow. Wireshark can convert and display these as relative values that start with 0 at the beginning of a session to make it easier to inspect them and relate the values to the number of bytes transmitted and received.
The following table lists the flags that are most commonly used in a TCP header:
| Flag field name | Description |
|---|---|
| URG (urgent) | This indicates that the Urgent Pointer field (after the TCP header checksum) should be examined. This flag is normally 0; the Urgent Pointer field is only examined if this bit is set. |
| ACK (acknowledgment) | This is the acknowledgment packet. |
| PSH (push) | This indicates whether the sending node's TCP stack should bypass any buffering and pass the data directly to the network and on to the receiving application. |
| RST (reset) | This is used to close the connection explicitly. |
| SYN (synchronize) | This is used to synchronize sequence numbers and is used in the three-way TCP session initiation handshake process. |
| FIN (finish) | This is used when the transaction is finished. This does not mean that the connection is to be closed explicitly, but is commonly seen at the end of sessions. |
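The flag decoding and relative sequence/acknowledgment numbering described above can be reproduced outside Wireshark. The following is an added example, not code from the original text: it assumes the standard fixed 20-byte TCP header layout, and the function names, ports, initial sequence numbers and payload are constructed for illustration. The client's initial sequence number is placed just below the 32-bit limit to show that relative values stay correct across the wrap.

```python
import struct

M = 0xFFFFFFFF  # sequence numbers are 32-bit and wrap around
# Flag bits from the table above, low-order bit first.
FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte part of a TCP header; options are skipped."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4  # data offset counts 32-bit words
    if not 20 <= header_len <= len(segment):
        raise ValueError("invalid data offset")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": [name for name, bit in FLAG_BITS if off_flags & bit],
            "window": window, "payload_len": len(segment) - header_len}

def relative(value: int, isn: int) -> int:
    """Offset from a direction's initial sequence number, modulo 2**32."""
    return (value - isn) & M

def build(sport, dport, seq, ack, flags, payload=b""):
    """Constructed sample segment: no options, checksum left at zero."""
    return struct.pack("!HHIIHHHH", sport, dport, seq & M, ack & M,
                       (5 << 12) | flags, 65535, 0, 0) + payload

def trace():
    """Constructed handshake and one request; client ISN sits just below the wrap."""
    c, s = 0xFFFFFFFE, 0x1A2B3C4D  # constructed initial sequence numbers
    segments = [  # (sent by client?, raw segment)
        (True, build(50000, 80, c, 0, 0x02)),                    # SYN
        (False, build(80, 50000, s, c + 1, 0x12)),               # SYN, ACK
        (True, build(50000, 80, c + 1, s + 1, 0x10)),            # ACK
        (True, build(50000, 80, c + 1, s + 1, 0x18, b"GET /")),  # PSH, ACK
        (False, build(80, 50000, s + 1, c + 6, 0x10)),           # ACK of 5 bytes
    ]
    rows = []
    for from_client, raw in segments:
        h = parse_tcp_header(raw)
        own, peer = (c, s) if from_client else (s, c)
        rel_ack = relative(h["ack"], peer) if "ACK" in h["flags"] else 0
        rows.append((h["flags"], relative(h["seq"], own), rel_ack, h["payload_len"]))
    return rows

if __name__ == "__main__":
    print(*trace(), sep="\n")
```

Each row is (flags, relative sequence number, relative acknowledgment number, payload bytes); the last row acknowledges relative byte 6, which is the SYN plus the 5 payload bytes, even though the raw acknowledgment value on the wire is 4.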
TCP also supports a number of additional options, several of which are in common use in modern networks and which you should be aware of. The snippet of a TCP header illustrated in the following screenshot depicts several of the most popular options:
The TCP options highlighted in the preceding screenshot include: