Wireshark analysis and verification of TCP protocol

The original text was first published on WeChat public account: Jongxingzhi (jzman-blog)

Recently I took the time to sort out my TCP knowledge, verified it by capturing packets, and analysed the whole process from connection establishment to teardown. Readers who, like me, did not quite follow this in class should come away with a reasonable understanding after reading this article.

TCP provides a connection-oriented, reliable byte-stream service: two TCP applications must establish a TCP connection before exchanging data, and exactly two parties communicate over one TCP connection. TCP and UDP both sit on the same network layer (IP).

When data is sent over TCP it is divided into blocks that TCP considers best suited for transmission; this differs from UDP, where the length of the datagram produced by the application is preserved. Such a block is called a segment. The initial sequence number ISN (Initial Sequence Number) is generated pseudo-randomly by a certain algorithm, and the sequence number of each segment is the number of its first data byte. This article introduces the TCP protocol from the following aspects:

  1. Data format of TCP protocol
  2. How does TCP establish a connection
  3. How does TCP disconnect
  4. TCP state transition diagram
  5. Wireshark analysis and verification
  6. Why SYN and FIN each consume a sequence number

TCP data format

TCP data is encapsulated in IP datagrams, as shown in the following figure:

figure 1

  • Source Port: The port of the data sender;
  • Destination Port: the port of the data receiver;
  • Sequence number: 32 bits (4 bytes), identifying the position in the byte stream sent from the TCP sender to the TCP receiver; its value is the number of the first data byte of the segment. The sequence number is a 32-bit unsigned integer that wraps around to 0 after reaching 2^32 - 1;
  • Acknowledgment number: 32 bits (4 bytes), the number of the next data byte the sender expects to receive, i.e. the number of the last data byte of the last segment received plus 1;
  • SYN: flag bit, synchronize sequence numbers, used to initiate a TCP connection; set SYN = 1;
  • ACK: flag bit, the acknowledgment number is valid; set ACK = 1;
  • RST: flag bit, reset the connection; set RST = 1;
  • FIN: flag bit, the sender has finished sending and wants to close its direction of the connection; set FIN = 1;
  • URG: flag bit, the urgent pointer is valid; set URG = 1;
  • PSH: flag bit, the receiver should deliver this data to the application layer as soon as possible; set PSH = 1;
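To make the field layout above concrete, here is a parser for the fixed 20-byte TCP header, written as an added example (it is not code from the original post). The two sample segments are constructed inline: a bare SYN, and a SYN-ACK carrying a 4-byte MSS option so the data-offset field is exercised.

```python
import struct

# Wire layout of the fixed header: ports (2+2), seq (4), ack (4), data offset/reserved (1),
# flags (1), window (2), checksum (2), urgent pointer (2) = 20 bytes, network byte order.
HEADER_FMT = "!HHIIBBHHH"
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Constructed sample 1: SYN from port 51234 to 443, seq 0x12345678, no options, no payload.
SAMPLE_SYN = struct.pack(HEADER_FMT, 51234, 443, 0x12345678, 0, 5 << 4, 0x02, 65535, 0, 0)

# Constructed sample 2: SYN-ACK answering it, ack = 0x12345679, with an MSS=1460 option
# (kind 2, length 4), so the data offset is 6 words = 24 bytes. Checksums are left at 0.
SAMPLE_SYNACK = (
    struct.pack(HEADER_FMT, 443, 51234, 0x9ABCDEF0, 0x12345679, 6 << 4, 0x12, 29200, 0, 0)
    + b"\x02\x04\x05\xb4"
)


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed TCP header and report where options end and the payload begins."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flags, window, _csum, _urg = struct.unpack(
        HEADER_FMT, segment[:20]
    )
    header_len = (off_res >> 4) * 4          # data offset is in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    return {
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "ack": ack,
        "flags": [name for name, bit in FLAG_BITS.items() if flags & bit],
        "window": window,
        "header_len": header_len,
        "options": segment[20:header_len],
        "payload_len": len(segment) - header_len,
    }
```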

How does TCP establish a connection

A TCP segment carries the source port number and the destination port number, which identify the sending and receiving application processes; together with the source and destination IP addresses in the IP header, these four values uniquely identify a TCP connection. This is what makes communication between client and server possible, and it is the basis for establishing a TCP connection.

It must also be made clear that the initial sequence number ISN (Initial Sequence Number) of each segment is generated pseudo-randomly by a certain algorithm and is different each time. In addition, the connection-establishment flag SYN occupies one sequence number; this is analysed further below.

The process of TCP establishing a connection through a three-way handshake is as follows:

  1. The client sends a connection-request segment with seq = x and the flag SYN = 1 to initiate a TCP connection to the server; from SYN = 1 the server knows that the client is requesting a connection;
  2. After receiving the client's request, the server sends a segment with seq = y and the flags ACK = 1, SYN = 1, setting the acknowledgment number ack to the client's sequence number plus 1, that is ack = x + 1;
  3. After the client receives the server's segment, it checks whether ack equals the sequence number of the last segment it sent plus one, that is, whether ack = x + 1. If so, it sends a segment to the server with seq = x + 1 and the flag ACK = 1, setting ack = y + 1. Once the server receives it, the TCP connection between client and server is established and the two can communicate.

TCP establishes a connection through a three-way handshake as shown below:

figure 2

We all know that TCP establishes a connection through a three-way handshake, so how can we better understand the process of establishing a connection?

In fact, establishing a TCP connection is a process in which the two hosts "call" each other. Whether client or server, the procedure is the same: send a [SYN] segment requesting a connection, then wait for the peer host to send the corresponding ACK answering that request. The whole process therefore consists of two connection requests and two responses to the peer's request; once both are answered correctly, the connection is established. The second handshake can be split into two steps:

  1. The server sends an ACK segment answering the client's request;
  2. The server sends a SYN segment requesting a connection to the client.

Both steps are addressed to the client, so they are combined into one segment, and in this way the two hosts establish a TCP connection by "calling each other". When each host responds, the acknowledgment number is the sequence number of the segment sent by the other host plus 1, i.e. ack = seq + 1.

How does TCP disconnect

Before introducing how to disconnect, you must first understand the half-closed state of TCP.

TCP allows one end to finish sending while still receiving from the other end; this is the TCP half-closed state. For example: when the client has finished transferring data it sends a segment with the flag FIN = 1 to the server. From then on the client can no longer send data, but it can still receive data from the server, until the server answers with its own segment with FIN = 1; only then is the TCP connection closed. In addition, the disconnection flag FIN occupies one sequence number, which is analysed further below.

It is precisely because of the half-closed state that closing a TCP connection requires a four-way handshake. Closing is again a process of the two hosts "calling each other", this time to end the connection: only when each host's disconnect request has been answered by the other is the whole TCP connection completely closed.

Above we saw that the second step of connection establishment can be split into two steps that are ultimately combined into one segment. In the close process, by contrast, the corresponding two steps cannot be combined, precisely because of the half-closed state: an application may still have data to send after the peer has closed its direction. That is why a TCP connection needs four waves of the hand to be fully closed.

The process of TCP disconnecting through four waves of hands is as follows:

  1. After the client has finished sending, it sends a segment to the server with seq = m and the flag bit FIN = 1, setting the acknowledgment number ack to the sequence number of the last segment sent by the server plus 1, to tell the server it wants to disconnect;
  2. After the server receives the client's disconnect segment, it responds with a segment to the client with seq = n and the flag bit ACK = 1, setting the acknowledgment number ack to the sequence number of the last segment sent by the client plus 1, that is ack = m + 1. When the client receives this segment correctly, it has unilaterally closed its direction to the server and enters the half-closed state: it can still receive data from the server, but cannot send data to it;
  3. After the server has finished sending, it sends a segment to the client with seq = n + 1 and the flag bit FIN = 1, setting the acknowledgment number ack to the sequence number of the last segment sent by the client plus 1, that is ack = m + 1, to tell the client it wants to disconnect;
  4. After the client receives the server's disconnect segment, it responds with a segment to the server with seq = m + 1 and the flag bit ACK = 1, setting the acknowledgment number ack to the sequence number of the last segment sent by the server plus 1, that is ack = n + 1. When the server receives this segment correctly, it closes its direction to the client. At this point the client and the server are completely disconnected.

The diagram of TCP disconnection is shown below:

Figure 3

Wireshark analysis and verification

Open Wireshark and capture packets to verify the above. To verify only the connection and disconnection process, select the relevant network interface, start capturing, then open a browser and visit a few pages; normally the corresponding packets will be captured. Enter tcp in the display filter to show only the TCP protocol, pick any packet, right-click and choose Follow > TCP Stream to view the relevant information for that TCP connection, as follows:

Figure 4

I will not analyse it in detail; this TCP connection sent no data, which makes the connection establishment and disconnection process convenient to analyse.

TCP state transition diagram

TCP has 11 states in total from connection establishment to disconnection. The TCP state transition diagram is attached below:

Figure 5

Why SYN and FIN each consume a sequence number

In the analysis above, SYN and FIN each consumed one sequence number. By the definition of the sequence number, this corresponds to the segment carrying 1 byte of data, so the sequence number of the next segment is the previous segment's sequence number plus 1.

Take the three-way handshake as an example. Normally, when the client sends a connection-request segment with SYN = 1, seq = x, the server answers the segment it received with a segment carrying ACK = 1, ack = x + 1. ACK = 1 acknowledges receipt of the client's connection request, and ack = x + 1 means that the segment with sequence number x has been received and the next sequence number expected is x + 1; the server has thereby clearly acknowledged the client's connection-request segment with sequence number x.

If SYN did not consume a sequence number, then when the server received the client's connection-request segment it would answer with a segment carrying ACK = 1, ack = x. By the definition of the acknowledgment number, ack = x means that everything up to sequence number x - 1 has been received, so the client's connection-request segment with sequence number x could never be confirmed; TCP could not complete the three-way handshake normally and the connection could not be established.

The same reasoning applies to FIN, which is why in the TCP protocol SYN and FIN each consume one sequence number. If there are errors, please correct me.
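The sequence-number bookkeeping behind the three-way handshake, the four-way close and the argument in this section can be checked with a small model, added here as an example (not code from the original post). Each endpoint tracks snd_nxt (the next sequence number it will send) and rcv_nxt (the next byte it expects, which becomes its ack field); next_seq reproduces what Wireshark shows as "Next sequence number". Passing consume=False models a hypothetical TCP in which SYN and FIN take no sequence number, and syn_is_acknowledged shows why the handshake cannot complete in that case. Note that a pure ACK consumes nothing, so in the model the server's FIN still carries seq y + 1 after its earlier ACK.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int
    ack: int
    flags: set
    data: bytes = b""


def next_seq(seg: Segment, consume: bool = True) -> int:
    """Sequence number that follows this segment. Payload bytes always count;
    with consume=True, SYN and FIN each take one number as well."""
    n = seg.seq + len(seg.data)
    if consume:
        n += ("SYN" in seg.flags) + ("FIN" in seg.flags)
    return n


class Endpoint:
    """One side of a connection (hypothetical model, not a real TCP stack)."""

    def __init__(self, isn: int, consume: bool = True):
        self.snd_nxt, self.rcv_nxt, self.consume = isn, 0, consume

    def send(self, peer: "Endpoint", flags, data: bytes = b"") -> Segment:
        seg = Segment(self.snd_nxt, self.rcv_nxt, set(flags), data)
        self.snd_nxt = next_seq(seg, self.consume)   # advance our own counter
        peer.rcv_nxt = next_seq(seg, self.consume)   # peer now expects the byte after it
        return seg


def handshake_and_close(x: int, y: int, consume: bool = True) -> list:
    """Three-way handshake followed by the four-way close, with no application data."""
    c, s = Endpoint(x, consume), Endpoint(y, consume)
    return [
        c.send(s, ["SYN"]),            # 1: seq x
        s.send(c, ["SYN", "ACK"]),     # 2: seq y, ack x + 1
        c.send(s, ["ACK"]),            # 3: seq x + 1, ack y + 1 (pure ACK consumes nothing)
        c.send(s, ["FIN", "ACK"]),     # 4: client FIN, seq m = x + 1
        s.send(c, ["ACK"]),            # 5: ack m + 1, client is now half-closed
        s.send(c, ["FIN", "ACK"]),     # 6: server FIN, seq n = y + 1
        c.send(s, ["ACK"]),            # 7: ack n + 1, connection fully closed
    ]


def syn_is_acknowledged(syn: Segment, synack: Segment) -> bool:
    """ack = k means 'received everything before k', so the SYN at seq x is
    covered only if the returned ack is greater than x."""
    return "ACK" in synack.flags and synack.ack > syn.seq
```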


Source: blog.csdn.net/jzman/article/details/108819795