Wireshark packet capture and analysis: observing the TCP three-way handshake and four-way wave

  This experiment uses Wireshark to capture communication packets in order to 1) observe the structure of an IP packet and 2) observe the process of TCP's three-way handshake and four-way wave.

  Prerequisite knowledge: IP datagram structure, TCP segment structure.

Table of contents

Principle

1. IP datagram structure

2. TCP segment structure

3. TCP three-way handshake and four-way wave process

Steps and results

1. Use Wireshark to capture the packets of the complete communication process of the ping command

2. The process of TCP's "three-way handshake" and "four-way wave"

Questions to discuss

Summary


 

  • Principle

1. IP datagram structure

2. TCP segment structure

3. TCP three-way handshake and four-way wave process

  1) Three-way handshake

    ① Client process A sends a connection request segment to server process B, with SYN=1 in the header and sequence number SN=i, meaning that the sequence number of the first byte of the data to be transmitted is i. At this point the TCP client process enters the SYN-SENT state.

    ② After receiving A's connection request segment, server B replies with a confirmation segment if it agrees to the connection. This segment has SYN=1 and ACK=1 in its header, its own sequence number SN=j, and acknowledgment number AN=i+1. At this point the TCP server process enters the SYN-RCVD state.

    ③ After client process A receives the confirmation segment, it sends an acknowledgment back to B, with ACK=1 in the header, acknowledgment number AN=j+1 and sequence number SN=i+1. A then informs its upper-layer application process that the connection has been established (opened) and enters the ESTABLISHED state. When B receives A's acknowledgment, it also notifies its upper-layer application process and likewise enters the ESTABLISHED state.

  2) Four-way wave

    ① A sends a connection release segment to B with FIN=1 in its header and a sequence number SN=u, which is the sequence number of the last byte of previously transmitted data plus 1. This means A has finished sending data and is actively closing the TCP connection. A enters the FIN-WAIT-1 state and waits for B's acknowledgment.

    ② After B receives the connection release segment, if it agrees, it replies with a confirmation segment with SYN=1 and ACK=1 in the header, its own sequence number SN=v, and acknowledgment number AN=u+1. B then enters the CLOSE-WAIT state and notifies its upper-layer application process. The connection from A to B is now released and the connection is in a half-closed state. After A receives B's confirmation segment it enters the FIN-WAIT-2 state, waiting for B to send its own connection release segment.

    ③ From this point B no longer receives data from A, but if B still has data to send to A it can continue sending. When B has finished sending data to A, it sends a connection release segment to A with FIN=1 and SN=v (the sequence number of the last byte of previously transmitted data plus 1). It must also repeat the acknowledgment number AN=u+1 sent earlier. B then enters the LAST-ACK state and waits for A's acknowledgment segment.

    ④ After A receives the connection release segment it must send an acknowledgment, with acknowledgment number AN=v+1 and sequence number SN=u+1, and then enters the TIME-WAIT state. After B receives A's acknowledgment segment it enters the CLOSED state, releases the corresponding transmission control block (TCB), and this TCP connection is ended.

  Note: after entering the TIME-WAIT state the TCP connection is not yet fully released; A must wait for the time set by the wait timer (= 2MSL) before entering the CLOSED state, at which point the whole connection is released.

  • Steps and results

1. Use Wireshark to capture the packets of the complete communication process of the ping command

1) Packet capture process:

  ① Determine the target address: www.baidu.com is chosen as the target.
  ② Configure the filter: ping uses the ICMP protocol, so set the capture filter to icmp before starting the capture.
  ③ Start the capture: click Start, then type "ping www.baidu.com" at the command prompt.
  ④ Stop the capture once the packets have been captured.

2) Packet capture result:

  Figure 1 shows the capture result. It can be seen that there are 8 ICMP packets in total: 4 ICMP packets from the local machine to the server and 4 from the server to the local machine, consistent with the Windows ping command sending four test packets.

  Taking the first ICMP packet from the local machine to the server as an example, the frame's components can be seen in the middle pane: the third line is the header of the IP datagram and the fourth line is its data part. Selecting the third line highlights the hexadecimal bytes of the IP header in the lower pane. There are 20 hexadecimal bytes in total, i.e. the header is 20B long.

  Expanding the third line of the middle pane shows the parsed IP header in detail. The header fields can also be worked out by hand from the structure of the IP packet and the hexadecimal bytes in the lower pane.

Figure 1 Capture result

3) Analysis of the captured IP header structure:

Field                Value
Version              IPv4
Header length        5 × 4B = 20B
Total length         60B
Identification       0xE621
Flags                0
Fragment offset      0
TTL (time to live)   64
Protocol             ICMP
Header checksum      0x3FBD
Source address       192.168.43.157
Destination address  112.80.248.76
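As an added illustration (not part of the original report), the following Python decodes a 20-byte IPv4 header into the fields listed above and verifies the header checksum. The bytes are reconstructed from the table's values rather than copied from the capture (TOS is assumed to be 0); the checksum they produce is the same 0x3FBD, which confirms the fields are consistent.

```python
import struct
from ipaddress import IPv4Address

# Reconstructed from the table above (TOS assumed 0): 45 = version 4 / IHL 5,
# 003c = 60 bytes, e621 = identification, 0000 = flags and offset, 40 = TTL 64,
# 01 = ICMP, 3fbd = checksum, then 192.168.43.157 and 112.80.248.76.
IP_HEADER_HEX = "45 00 00 3c e6 21 00 00 40 01 3f bd c0 a8 2b 9d 70 50 f8 4c"

def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones' complement sum of 16-bit words, carries folded back in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_header(raw: bytes) -> dict:
    """Decode the fixed 20-byte part of an IPv4 header (RFC 791)."""
    if len(raw) < 20:
        raise ValueError("need at least 20 bytes")
    ver_ihl, tos, total_len, ident, flags_off, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    hdr_len = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or hdr_len < 20 or hdr_len > len(raw):
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": ver_ihl >> 4,
        "header_len": hdr_len,
        "total_len": total_len,
        "identification": ident,
        "flags": flags_off >> 13,            # reserved, DF, MF
        "fragment_offset": flags_off & 0x1FFF,
        "ttl": ttl,
        "protocol": {1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, str(proto)),
        "checksum": csum,
        # The sender computes the checksum with this field zeroed, so summing the
        # header as captured (checksum included) must give 0 if it is intact.
        "checksum_ok": ip_checksum(raw[:hdr_len]) == 0,
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
    }

if __name__ == "__main__":
    for name, value in parse_ipv4_header(bytes.fromhex(IP_HEADER_HEX)).items():
        print(f"{name:16} {value}")
```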

2. The process of TCP's "three-way handshake" and "four-way wave"

  HTTP requires reliable data transmission, so TCP is used at the transport layer.

1) Capture steps:

  ① After several trials, choose a suitable website, for example China National Knowledge Infrastructure (www.cnki.net).
  ② Type "ping www.cnki.net" at the command prompt and note that the IP address of CNKI is 103.52.172.83.
  ③ Open Wireshark, set no capture conditions, and start the capture directly.
  ④ Access CNKI in the browser; a large number of packets now appear in Wireshark.
  ⑤ After a short while, stop the capture. Enter "tcp&&ip.addr==103.52.172.83" in the display filter to show only TCP packets whose source or destination address is 103.52.172.83.
  ⑥ Look through the filtered packets and pick a suitable local application port, such as "55131".
  ⑦ Append "&&tcp.port==55131" to the display filter; after confirming, the TCP packets of one complete connection are visible.
  ⑧ To see the "three-way handshake" and "four-way wave" more clearly, the frame length can also be limited so that longer frames are filtered out, for example with "&&frame.len<100".

2) Packet capture result:

  Figure 2 shows the filtered TCP capture for CNKI. In the upper pane you can clearly see the "three-way handshake" (the first three lines) and the "four-way wave" (the last five lines); the black entry in the penultimate line is an error message.

Figure 2 "CNKI" packet capture results

3) Result analysis:

  ① First handshake: select the first packet in Figure 2 and then select the data part of the IP datagram in the middle pane; the hexadecimal bytes of the data part are highlighted in the lower pane (Figure 3).

  In Figure 3, "b1 fe 11 8f" in the hexadecimal bytes is the Seq sequence number, and the "80 02" part contains the flags such as ACK, SYN and FIN. Decoding it shows that the SYN bit is set to 1 and all other flag bits are 0.

Figure 3 "CNKI" first handshake

  ② Second handshake (Figure 4): a new sequence number Seq is generated, "8f fa f4 5a", and the acknowledgment number is the first handshake's Seq+1, "b1 fe 11 90". Both the ACK and SYN bits are set to 1.

Figure 4 The second handshake of "CNKI"

  ③ Third handshake (Figure 5): the acknowledgment number is the second handshake's Seq+1, "8f fa f4 5b", and ACK is set to 1.

Figure 5 The third handshake of "CNKI"

  ④ First wave (Figure 6): Seq is "8f fa fb 4b", the acknowledgment number is "b1 fe 1a f5", and both the FIN and ACK flags are set to 1. CNKI is the active party.

Figure 6 "CNKI" waved for the first time

  ⑤ Second wave (Figure 7): Seq is the first wave's acknowledgment number "b1 fe 1a f5", the acknowledgment number is the first wave's Seq+1, "8f fa fb 4c", and the ACK flag is set to 1. This indicates that the passive party has received the active party's FIN request.

Figure 7 "CNKI" waved for the second time

  ⑥ Third wave (Figure 8): compared with the second wave (Figure 7), both the FIN and ACK flags are set to 1, indicating that the passive party has no more data to send and the connection can be closed.

Figure 8 "CNKI" waved for the third time

  ⑦ Fourth wave (Figure 9): the ACK flag is set to 1; the active party replies to the passive party acknowledging receipt of its FIN. The four-way wave is now complete.

Figure 9 "CNKI" waved for the fourth time

4) Problem analysis:

  Packet capture shows that in practice most servers do not send four packets during the four-way wave; usually only three are sent, as in Figure 10.

  In Figure 10 the local machine is the active party and sends a FIN request to port 80 of the server. If the server has no more data to send after receiving the request, it combines the second and third waves into one packet and sends it to the local machine. Selecting the second wave packet shows that the FIN and ACK flags are both set to 1.

Figure 10 "Four waves" only sends an example of three data packets
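To make the rules behind Figures 3 to 10 mechanically checkable, here is an added Python example (not part of the original report) that decodes the offset/flags word such as "80 02", validates a captured three-way handshake against the Seq/Ack relations, and validates a close in either the four-segment form or the three-segment form of Figure 10. The sample segments are constructed from the hexadecimal values quoted in the figures; values the figures do not show are derived from the rules.

```python
from typing import NamedTuple

# Bits in the low byte of the TCP offset/flags word (the "80 02" of Figure 3).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
M32 = 0xFFFFFFFF  # sequence numbers wrap modulo 2**32
Seg = NamedTuple("Seg", [("seq", int), ("ack", int), ("flags", frozenset)])

def seg(seq: int, ack: int, *flags: str) -> Seg:
    return Seg(seq, ack, frozenset(flags))

def decode_offset_flags(word: int) -> tuple[int, frozenset]:
    """0x8002 -> (32, {'SYN'}): header length in bytes and the flags that are set."""
    return (word >> 12) * 4, frozenset(n for n, b in FLAG_BITS.items() if word & b)

def check_handshake(a: Seg, b: Seg, c: Seg) -> list[str]:
    """Rule violations of a three-way handshake (empty list = valid)."""
    errs = []
    if a.flags != {"SYN"}:
        errs.append("segment 1 must carry SYN only")
    if b.flags != {"SYN", "ACK"} or b.ack != (a.seq + 1) & M32:
        errs.append("segment 2 must be SYN+ACK with ack = client seq + 1")
    if c.flags != {"ACK"} or c.ack != (b.seq + 1) & M32 or c.seq != (a.seq + 1) & M32:
        errs.append("segment 3 must be ACK with ack = server seq + 1")
    return errs

def check_teardown(segs: list[Seg]) -> list[str]:
    """Rule violations of a close, from the active party's FIN. Accepts the four-segment
    form and the three-segment form with the passive ACK and FIN combined (Figure 10)."""
    errs = ["segment 1 must carry FIN"] if "FIN" not in segs[0].flags else []
    want = (segs[0].seq + 1) & M32
    i = 1  # passive-party ACKs before its FIN must acknowledge the active FIN
    while i < len(segs) and "FIN" not in segs[i].flags:
        if "ACK" not in segs[i].flags or segs[i].ack != want:
            errs.append(f"segment {i + 1} must ACK the active party's FIN")
        i += 1
    if i != len(segs) - 2:
        return errs + ["expected the passive FIN followed by exactly one final ACK"]
    fin2, last = segs[i], segs[-1]
    if "ACK" not in fin2.flags or fin2.ack != want:
        errs.append("passive party's FIN must also ACK the active party's FIN")
    if last.flags != {"ACK"} or last.ack != (fin2.seq + 1) & M32:
        errs.append("final segment must ACK the passive party's FIN")
    return errs

# Constructed from the Seq/Ack values in Figures 3-9; values the figures do not
# show (the client's seq in segment 3, the last two teardown segments) are derived.
HANDSHAKE = [seg(0xB1FE118F, 0, "SYN"), seg(0x8FFAF45A, 0xB1FE1190, "SYN", "ACK"),
             seg(0xB1FE1190, 0x8FFAF45B, "ACK")]
TEARDOWN = [seg(0x8FFAFB4B, 0xB1FE1AF5, "FIN", "ACK"),  # CNKI (active party) FIN
            seg(0xB1FE1AF5, 0x8FFAFB4C, "ACK"), seg(0xB1FE1AF5, 0x8FFAFB4C, "FIN", "ACK"),
            seg(0x8FFAFB4C, 0xB1FE1AF6, "ACK")]
```

Dropping the separate ACK from TEARDOWN gives the three-segment close of Figure 10, which the checker accepts as well.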

  • Questions to discuss

1. Which common applications require TCP's three-way handshake and four-way wave to establish and release connections?

  Applications using the TCP protocol require the three-way handshake and four-way wave to establish and release connections, for example HTTP, FTP, SMTP, SNMP, Telnet, etc.

2. How does the protocol work when there is no response during the TCP three-way handshake?

  In the field of server security, one common Denial of Service (DoS) attack is the SYN flood. If there is no response during the TCP three-way handshake, it is equivalent to the requester launching a SYN flood attack.

  When the attacker sends the first handshake, the server returns a SYN-ACK as confirmation. If the attacker uses means such as source address spoofing so that the server never receives the ACK, the server stays in a half-open state waiting for the ACK for a certain period of time. Since the number of TCP connections is limited, a large number of such bogus connections at the same time will cause the server to stop responding, forming a DoS (Denial of Service) attack.

  By tuning the server system settings and reducing the SYN timeout, the server can release the resources held by half-open connections as soon as possible. The requesting party's IP address can also be recorded in the form of a SYN cookie; if one IP repeats SYN requests within a short period of time, it can be blocked.
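The following added Python example (not from the original report) models the server-side half-open table described above: a SYN opens an entry, the client's final ACK closes it, and entries older than the SYN timeout are dropped. It runs two constructed bursts through the model to show why a shorter timeout helps and why a per-source threshold alone is not enough once sources are spoofed; the timeout, per-source and backlog thresholds are illustrative assumptions.

```python
from collections import defaultdict

class HalfOpenTracker:
    """Model the server-side half-open table from the discussion above: a SYN
    opens an entry, the client's final ACK closes it, entries older than
    syn_timeout are dropped. Thresholds here are illustrative assumptions."""

    def __init__(self, syn_timeout: float = 3.0, max_per_src: int = 20, backlog: int = 32):
        self.syn_timeout, self.max_per_src, self.backlog = syn_timeout, max_per_src, backlog
        self.half_open = defaultdict(list)  # source IP -> timestamps of pending SYNs

    def feed(self, t: float, src: str, flags: str) -> None:
        if flags == "SYN":
            self.half_open[src].append(t)
        elif flags == "ACK" and self.half_open.get(src):
            self.half_open[src].pop(0)  # handshake completed for the oldest pending SYN
        self.expire(t)

    def expire(self, now: float) -> None:
        for src in list(self.half_open):
            alive = [s for s in self.half_open[src] if now - s < self.syn_timeout]
            if alive:
                self.half_open[src] = alive
            else:
                del self.half_open[src]

    def total_half_open(self) -> int:
        return sum(len(v) for v in self.half_open.values())

    def suspicious_sources(self) -> dict:
        """Sources with too many pending SYNs; blind to floods from spoofed sources."""
        return {s: len(v) for s, v in self.half_open.items() if len(v) > self.max_per_src}

    def flood_suspected(self) -> bool:
        """Backlog-level check that also catches floods spread over spoofed sources."""
        return self.total_half_open() > self.backlog

# Constructed samples (RFC 5737 documentation addresses). 10.0.0.5 completes its
# handshake; one source repeats SYNs without ever ACKing; the second burst spreads
# SYNs over many spoofed sources so the per-source threshold never trips.
ONE_SOURCE = [(0.0, "10.0.0.5", "SYN"), (0.1, "10.0.0.5", "ACK")] + \
             [(0.2 + i * 0.01, "198.51.100.7", "SYN") for i in range(50)]
SPOOFED = [(1.0 + i * 0.01, f"203.0.113.{i}", "SYN") for i in range(1, 41)]

def run(events, **kw) -> HalfOpenTracker:
    tr = HalfOpenTracker(**kw)
    for t, src, flags in events:
        tr.feed(t, src, flags)
    return tr
```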

  • Summary

  This experiment used Wireshark to capture ping packets, analysed the header fields of the IP protocol and verified what was learned in theory about IP. It also captured the TCP "three-way handshake" and "four-way wave" packets, giving an intuitive view of how the TCP protocol works.

  Capturing TCP packets in this experiment also verified that, in the "four-way wave" of most servers, if the active party initiates the release and the passive party has no more data to send, the second and third waves are usually combined into one segment sent to the active party, which reduces resource consumption.

  The TCP three-way handshake has a weakness whose root cause no better alternative standard has yet solved. During the handshake, if the requester disappears after sending the first handshake and never replies to the requested party's confirmation, the requested party hangs for a period of time. Many such requests at once result in denial of service at the requested party. The SYN timeout must therefore be set reasonably on the server to guard against SYN flood attacks.

Origin blog.csdn.net/Cx2008Lxl/article/details/122803001