TCP/IP

Ref: https://networklessons.com/cisco/ccnp-route/tcp-header

• Source port: this is a 16 bit field that specifies the port number of the sender.

• Destination port: this is a 16 bit field that specifies the port number of the receiver.

• Sequence number: the sequence number is a 32 bit field that indicates how much data is sent during the TCP session. When you establish a new TCP connection (3 way handshake) then the initial sequence number is a random 32 bit value. The receiver will use this sequence number and sends back an acknowledgment. Protocol analyzers like wireshark will often use a relative sequence number of 0 since it’s easier to read than some high random number.

• Acknowledgment number: this 32 bit field is used by the receiver to request the next TCP segment. This value will be the sequence number incremented by 1.

• DO: this is the 4 bit data offset field, also known as the header length. It indicates the length of the TCP header so that we know where the actual data begins.

• RSV: these are 3 bits for the reserved field. They are unused and are always set to 0.

• Flags: there are 9 bits for flags, we also call them control bits. We use them to establish connections, send data and terminate connections:

  • URG: urgent pointer. When this bit is set, the data should be treated as priority over other data.

  • ACK: used for the acknowledgment.

  • PSH: this is the push function. This tells an application that the data should be transmitted immediately and that we don’t want to wait to fill the entire TCP segment.

  • RST: this resets the connection, when you receive this you have to terminate the connection right away. This is only used when there are unrecoverable errors and it’s not a normal way to finish the TCP connection.

A TCP reset is an immediate close of a TCP connection. This allows for the resources that were allocated for the previous connection to be released and made available to the system. The receiver of a RST segment should also consider the possibility that the application protocol client at the other end was abruptly terminated and did not have a chance to process the data that was sent to it.

• • SYN: we use this for the initial three way handshake and it’s used to set the initial sequence number.

  • FIN: this finish bit is used to end the TCP connection. TCP is full duplex so both parties will have to use the FIN bit to end the connection. This is the normal method how we end an connection.

• Window: the 16 bit window field specifies how many bytes the receiver is willing to receive. It is used so the receiver can tell the sender that it would like to receive more data than what it is currently receiving. It does so by specifying the number of bytes beyond the sequence number in the acknowledgment field.

• Checksum: 16 bits are used for a checksum to check if the TCP header is OK or not.

• Urgent pointer: these 16 bits are used when the URG bit has been set, the urgent pointer is used to indicate where the urgent data ends.

• Options: this field is optional and can be anywhere between 0 and 320 bits.

Challenge ACK

• As a response to client's SYN, the Server challenges by sending an ACK to confirm the loss of the previous connection and the request to start a new connection.

• This challenge ACK has acknowledgement number from previous connection and upon seeing the unexpected ACK, client sends a RST; thus tearing down TCP connection on the server also.

• "SWE" has SYN+ECN Echo+ECN Cwnd Reduced; it's an initial SYN, and is, to use the terminology in section 6.1.1 of RFC 3168, an "ECN-setup SYN packet". It indicates that the host sending the packet supports ECN.

• "SE" has SYN+ECN Echo set; it probably also has ACK set (as per the "ack" field in the packet), so it's a SYN+ACK response to the initial SYN, and it is, to use the terminology in section 6.1.1 of RFC 3168, an "ECN-setup SYN-ACK packet". It indicates that the host sending the packet supports ECN.

The general format of a TCP protocol line from TCP DUMP is:

src > dst: Flags [tcpflags], seq data-seqno, ack ackno, win window, urg urgent, options [opts], length len

Tcpflags are some combination of S (SYN), F (FIN), P (PUSH), R (RST), U (URG), W (ECN CWR), E (ECN-Echo) or '.' (ACK), or 'none' if no flags are set.