Use Wireshark to capture packets and analyze the TCP/IP protocol


The TCP/IP protocol is a set of protocols used for Internet communication. It is named after its two main protocols: Transmission Control Protocol (TCP) and Internet Protocol (IP). TCP/IP is the most widely used protocol suite on the Internet and enables different kinds of computers and network devices to communicate with each other.

  • TCP is responsible for breaking up data into packets and ensuring their delivery on the network.
  • IP is responsible for routing packets from source address to destination address.

The book Computer Network (edited by Xie Xiren) introduces in detail the layers involved in TCP/IP network transmission and the meaning of each bit. In this article, we use Wireshark to capture packets and analyze the TCP/IP protocol, checking the theory against practice.

  • Wireshark is a network protocol analyzer that captures and analyzes network packets. It is open source software that runs on multiple operating systems.
  • The latest version of Wireshark can be downloaded from .

1. TCP/IP protocol

1.1 OSI layering

OSI is the abbreviation of OSI/RM (Open Systems Interconnection Reference Model), which was formulated by ISO and published as a formal standard in 1983.

The OSI model is a network architecture model that divides network communication into seven distinct layers. Each layer has its own functions and tasks. The following is a brief introduction to each layer, from top to bottom:

No. | Layer              | Responsibility
1   | Application layer  | Provides applications such as e-mail, file transfer and remote login.
2   | Presentation layer | Converts data into a format applications can understand; defines how data is exchanged between different systems.
3   | Session layer      | Establishes, manages and terminates sessions; defines how a connection is set up between two nodes.
4   | Transport layer    | Splits data into packets and ensures their transmission across the network; also provides a reliable end-to-end transport service.
5   | Network layer      | Routes packets from source address to destination address; defines how packets are transmitted between different networks.
6   | Data link layer    | Transmits packets from one node to the next; defines how packets are carried on the physical medium.
7   | Physical layer     | Transfers data from one node to another; defines the electrical, optical and mechanical interface specifications.

Although the standard was established, because of its practical shortcomings the global Internet does not use the OSI standard but the TCP/IP standard.

1.2 TCP/IP layering

Compared with the seven-layer OSI model, TCP/IP has only four layers, merging several of the OSI layers.

Generally speaking, "the TCP/IP protocol" refers to the TCP/IP protocol suite, which can be divided by layer as follows:

Layer                   | Protocols
Application layer       | HTTP, FTP, SMTP, POP3, IMAP, Telnet, SSH, DNS
Transport layer         | TCP, UDP
Network layer           | IP, ICMP, ARP, RARP
Network interface layer | Ethernet, Token Ring, FDDI, PPP

The Wireshark capture below is interpreted according to the TCP/IP model.

2. Capture packets

2.1 Socket code

The server and client below are written in Java and communicate with each other through the Socket API.

A socket is the software abstraction layer between the application layer and the TCP/IP protocol family; it is exposed as a programming interface (API) that encapsulates the TCP/IP protocol suite. ServerSocket uses TCP. To use UDP instead, use DatagramSocket.

Wireshark must be started with administrator privileges. By default it cannot capture loopback traffic, which never passes through the network card; to capture it, Npcap needs to be installed.


    import java.io.*;
    import java.net.*;

    public class Server {
        public static void main(String[] args) throws IOException {
            ServerSocket server = new ServerSocket(10007);   // listen on TCP port 10007
            Socket socket = server.accept();                   // blocks until the client connects (handshake completes)
            BufferedReader br = new BufferedReader(new InputStreamReader(socket.getInputStream()));
            String str = br.readLine();                        // read the line sent by the client
            System.out.println("客户端说:" + str);
            PrintWriter pw = new PrintWriter(socket.getOutputStream(), true); // autoflush so the reply is sent immediately
            pw.println("hello");                               // reply to the client
            socket.close();                                    // the server closes first, so it sends the first FIN
            server.close();
        }
    }

    import java.io.*;
    import java.net.*;

    public class Client {
        public static void main(String[] args) throws IOException, InterruptedException {
            Socket socket = new Socket("localhost", 10007);    // connect() triggers the three-way handshake
            BufferedReader br = new BufferedReader(new InputStreamReader(System.in)); // System.in reconstructed: the argument was missing from the post
            String str = br.readLine();                        // type "hello" on the console
            PrintWriter pw = new PrintWriter(socket.getOutputStream(), true);
            pw.println(str);                                   // send the line to the server
            BufferedReader br2 = new BufferedReader(new InputStreamReader(socket.getInputStream()));
            String str2 = br2.readLine();                      // wait for the server's reply
            System.out.println("服务器说:" + str2);
            Thread.sleep(1000);                                // assumed delay: keeps this side open so the server's FIN arrives first
            socket.close();
        }
    }

2.2 Filter packets

  1. Start Wireshark with administrator privileges

  2. Select the corresponding network card interface

  3. Open the filter


  4. Start the Server, then start the Client, and send "hello"

  5. Inspect the filtered packets


3. Analysis

3.1 TCP header

The TCP header looks like this:

3.2 Hands-on analysis

  1. Source port and destination port, each occupying 2 bytes


  2. Sequence number, occupying 4 bytes


  3. Acknowledgment number, occupying 4 bytes


  4. Data offset, occupying 4 bits (half a byte)

    [screenshot: tcp_ip_04_data offset.png]

  5. Reserved, 6 bits


  6. Flag control bits URG/ACK/PSH/RST/SYN/FIN, occupying 6 bits

    [screenshot: tcp_ip_06_flag bit.png]

  7. Window, occupying 2 bytes


  8. Checksum, occupying 2 bytes


  9. Urgent pointer, occupying 2 bytes

    [screenshot: tcp_ip_09_emergency pointer.png]

  10. Options, a variable number of bytes; in the capture below it is 12 bytes
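
The ten fields above can be decoded programmatically. The following Python script is an added example (not code from the original post) that parses a constructed 32-byte SYN header into exactly these fields, including a 12-byte options area. Only the initial sequence number 0x4cf2bfaa and the server port 10007 come from the capture; the client port 51234, the window, the checksum and the option values are constructed for the example. The field layout follows the book (6 reserved bits, 6 flag bits); later RFCs assign two of the reserved bits to the ECN flags CWR and ECE.

```python
import struct

# Constructed sample: a 32-byte TCP SYN header = 20-byte base header + 12 bytes of
# options. Only seq 0x4cf2bfaa and dst port 10007 are taken from the capture in the
# text; the client port, window, checksum and options are made up for the example.
SAMPLE_SYN = (
    struct.pack("!HHIIHHHH",
                51234,               # source port (constructed)
                10007,               # destination port (the Java server's port)
                0x4CF2BFAA,          # sequence number (from the capture)
                0,                   # acknowledgment number (ignored while ACK=0)
                (8 << 12) | 0x002,   # data offset = 8 words (32 bytes), reserved = 0, flags = SYN
                65535,               # window (constructed)
                0x1234,              # checksum (placeholder, not recomputed here)
                0)                   # urgent pointer
    # options: MSS 1460, NOP, window scale 8, NOP, NOP, SACK-permitted  (12 bytes)
    + bytes.fromhex("020405b4" "01" "030308" "01" "01" "0402")
)

# Bit 0 .. bit 5 of the 6-bit flag field, least significant bit first.
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]


def parse_options(raw: bytes) -> list:
    """Walk the options area: kind/length/data TLVs; NOP and EOL carry no length byte."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # End of option list
            break
        if kind == 1:                       # No-operation (padding)
            opts.append(("NOP", b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option at offset %d" % i)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        name = {2: "MSS", 3: "WScale", 4: "SACK-permitted", 8: "Timestamps"}.get(kind, "kind-%d" % kind)
        opts.append((name, raw[i + 2:i + length]))
        i += length
    return opts


def parse_tcp_header(seg: bytes) -> dict:
    """Decode the fixed 20-byte TCP header plus any options into a dict of fields."""
    if len(seg) < 20:
        raise ValueError("segment shorter than the 20-byte minimum TCP header")
    (src, dst, seq, ack, off_flags, win, csum, urg) = struct.unpack("!HHIIHHHH", seg[:20])
    data_offset = off_flags >> 12           # 4 bits: header length in 32-bit words
    reserved = (off_flags >> 6) & 0x3F      # 6 bits (the book's layout)
    flag_bits = off_flags & 0x3F            # 6 bits: URG ACK PSH RST SYN FIN
    header_len = data_offset * 4
    # A data offset below 5 words or beyond the segment is malformed; reject it
    # rather than slicing options out of whatever bytes happen to follow.
    if header_len < 20 or header_len > len(seg):
        raise ValueError("data offset %d words is inconsistent with segment length %d" % (data_offset, len(seg)))
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "data_offset": data_offset, "header_len": header_len, "reserved": reserved,
        "flags": [name for bit, name in enumerate(FLAG_NAMES) if flag_bits & (1 << bit)],
        "window": win, "checksum": csum, "urgent_ptr": urg,
        "options": parse_options(seg[20:header_len]),
    }


if __name__ == "__main__":
    for key, value in parse_tcp_header(SAMPLE_SYN).items():
        print("%-12s %s" % (key, hex(value) if key in ("seq", "ack", "checksum") else value))
```

The same function works on the raw bytes of any captured segment (for example a TCP header copied out of Wireshark's byte pane as hex), so the relative Seq/Ack that Wireshark shows can be compared with the absolute values in the header.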


3.3 Three-way handshake

The first three packets of a TCP connection are the three segments of the handshake. The following analyzes the three-way handshake by combining the theory with the actual capture.

  1. Client sends to server

    When the client establishes a TCP connection, it chooses a random initial sequence number and stores it in the sequence number field of the TCP header of the first segment exchanged; the sequence number field of each subsequent segment increases from there.

    In the capture below, 0x4cf2bfaa is the random sequence number of the first packet; Wireshark labels it with the relative sequence number Seq = 0, marking it as the first packet.

    The TCP client must also set SYN to 1 in this segment, and it enters the SYN-SENT state at this point.

    [screenshot: tcp_ip_11_establish connection.png]

  2. Server sends to client

    After receiving the SYN, the server agrees to establish the connection and sends a confirmation segment to the client. This segment must have both SYN and ACK set to 1, its ack set to the client's seq + 1, and its own random sequence number. In the capture the server's random sequence number is 0x890b1b78. The server enters the SYN-RCVD state at this point.

    [screenshot: tcp_ip_11_establish connection 2.png]

  3. Client sends to server

    After receiving the SYN+ACK, the client must confirm it with one more segment. This segment sets ACK to 1, its sequence number to its previous sequence number + 1 = 0x4cf2bfab, and its ack to the server's sequence number + 1 = 0x890b1b79. Once it is sent the client enters the ESTABLISHED state, and the server also enters ESTABLISHED after receiving it.

    [screenshot: tcp_ip_11_establish connection 3.png]

The above process can be summarized as follows; in the example above x is actually 0x4cf2bfaa and y is actually 0x890b1b78.

    Client                                      Server
    CLOSED                                      CLOSED
                                                LISTEN
    send SYN=1, seq=x               -------->
    SYN-SENT
                                    <--------   return SYN=1, ACK=1, seq=y, ack=x+1
                                                SYN-RCVD
    reply ACK=1, seq=x+1, ack=y+1   -------->
    ESTABLISHED                                 ESTABLISHED
                        TCP three-way handshake

3.4 Four-way wave

The diagram on page 226 of the book is as follows:

Either side of an established connection, server or client, can release it, and releasing takes four segments (the "four-way wave"). With the Java code above, it is the server that releases the connection first.

  1. The server sends a FIN segment

    It sends FIN=1, ACK=1, seq=u (in this capture u is actually 0x91dd5af1).

    The book records that u is the sequence number of the last byte of the previously sent data plus 1. This is not entirely clear, and in the capture ACK is also set to 1; whether that is required is left for follow-up study.

    [screenshot: tcp_ip_12_release connection 1.png]

  2. The client sends ACK=1, seq=v (in this capture seq is actually 0x6a067550), ack=u+1 (in this capture actually 0x91dd5af2)

    v is the sequence number of the last byte of the data the client previously sent plus 1.

    [screenshot: tcp_ip_12_release connection 2.png]

  3. The client then sends FIN=1, ACK=1, seq=w (in this capture actually 0x6a067550), ack=u+1 (in this capture actually 0x91dd5af2)

    In this capture w turns out to be the same as v.

    [screenshot: tcp_ip_12_release connection 3.png]

  4. The server sends ACK=1, seq=u+1 (in this capture actually 0x91dd5af2), ack=w+1 (in this capture actually 0x6a067551)

    [screenshot: tcp_ip_12_release connection 4.png]

The above process can be summarized as follows. Since either the client or the server can send the FIN that releases the connection, the diagram below shows the release initiated by the client.

    Client                                      Server
    ESTABLISHED                                 ESTABLISHED
    send FIN=1, seq=u               -------->
    FIN-WAIT-1
                                    <--------   return ACK=1, seq=v, ack=u+1
    FIN-WAIT-2                                  CLOSE-WAIT
                                    <--------   return FIN=1, ACK=1, seq=w, ack=u+1
                                                LAST-ACK
    reply ACK=1, seq=u+1, ack=w+1   -------->
    TIME-WAIT                                   CLOSED
    after waiting 2MSL: CLOSED
                        TCP four-way wave
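
As an added example that is not part of the original post, the Python script below replays the seq/ack arithmetic of both exchanges (3.3 and 3.4) on the numbers read from the captures, tracking the state each side is in after every segment and raising if a segment's flags or acknowledgment do not match the expected relation. The traces are constructed from the values in the text; the two captures come from different connections, so they are replayed separately. The sender labels, expected flags and state names follow the two diagrams above.

```python
CLIENT, SERVER = "client", "server"


def wrap(n: int) -> int:
    """Sequence numbers are 32-bit and wrap around, so every +1 is taken mod 2^32."""
    return n & 0xFFFFFFFF


# Constructed traces: (sender, flags, seq, ack). Absolute sequence numbers are the
# ones reported in the text; None marks a field the text does not report.
HANDSHAKE = [
    (CLIENT, {"SYN"},        0x4CF2BFAA, 0),           # x
    (SERVER, {"SYN", "ACK"}, 0x890B1B78, 0x4CF2BFAB),  # y, ack = x+1
    (CLIENT, {"ACK"},        0x4CF2BFAB, 0x890B1B79),  # seq = x+1, ack = y+1
]
RELEASE = [  # in the Java example the server closes first, so the server is the active closer
    (SERVER, {"FIN", "ACK"}, 0x91DD5AF1, None),        # u (ack value not reported in the text)
    (CLIENT, {"ACK"},        0x6A067550, 0x91DD5AF2),  # v, ack = u+1
    (CLIENT, {"FIN", "ACK"}, 0x6A067550, 0x91DD5AF2),  # w (equals v: no data sent in between), ack = u+1
    (SERVER, {"ACK"},        0x91DD5AF2, 0x6A067551),  # seq = u+1, ack = w+1
]


def check_handshake(trace: list) -> list:
    """Return (client_state, server_state) after each segment of a three-way handshake,
    or raise ValueError if flags or seq/ack relations deviate from the expected exchange."""
    if len(trace) != 3:
        raise ValueError("a handshake has exactly three segments, got %d" % len(trace))
    (s1, f1, x, _), (s2, f2, y, ack2), (s3, f3, seq3, ack3) = trace
    states = [("CLOSED", "LISTEN")]
    if s1 != CLIENT or f1 != {"SYN"}:
        raise ValueError("segment 1 must be a bare SYN from the client")
    states.append(("SYN-SENT", "LISTEN"))
    if s2 != SERVER or f2 != {"SYN", "ACK"} or ack2 != wrap(x + 1):
        raise ValueError("segment 2 must be SYN+ACK from the server with ack = x+1")
    states.append(("SYN-SENT", "SYN-RCVD"))
    if s3 != CLIENT or f3 != {"ACK"} or seq3 != wrap(x + 1) or ack3 != wrap(y + 1):
        raise ValueError("segment 3 must be ACK from the client with seq = x+1 and ack = y+1")
    states.append(("ESTABLISHED", "ESTABLISHED"))
    return states


def check_release(trace: list, closer: str) -> list:
    """Four-way release started by `closer` (CLIENT or SERVER). Returns
    (closer_state, peer_state) after each segment, or raises ValueError."""
    peer = SERVER if closer == CLIENT else CLIENT
    if len(trace) != 4:
        raise ValueError("a release has exactly four segments, got %d" % len(trace))
    (s1, f1, u, _), (s2, f2, v, ack2), (s3, f3, w, ack3), (s4, f4, seq4, ack4) = trace
    states = [("ESTABLISHED", "ESTABLISHED")]
    # The capture shows the first FIN carrying ACK as well; either form is accepted here.
    if s1 != closer or f1 not in ({"FIN"}, {"FIN", "ACK"}):
        raise ValueError("segment 1 must be FIN (optionally with ACK) from the closing side")
    states.append(("FIN-WAIT-1", "ESTABLISHED"))
    if s2 != peer or f2 != {"ACK"} or ack2 != wrap(u + 1):
        raise ValueError("segment 2 must be ACK from the peer with ack = u+1")
    states.append(("FIN-WAIT-2", "CLOSE-WAIT"))
    # w == v when the peer sent no data between its ACK and its FIN, as in the capture;
    # otherwise w is larger by the number of bytes sent, so it is not checked against v.
    if s3 != peer or f3 != {"FIN", "ACK"} or ack3 != wrap(u + 1):
        raise ValueError("segment 3 must be FIN+ACK from the peer with ack = u+1")
    states.append(("FIN-WAIT-2", "LAST-ACK"))
    if s4 != closer or f4 != {"ACK"} or seq4 != wrap(u + 1) or ack4 != wrap(w + 1):
        raise ValueError("segment 4 must be ACK from the closing side with seq = u+1 and ack = w+1")
    states.append(("TIME-WAIT", "CLOSED"))   # the closer stays in TIME-WAIT for 2MSL
    return states


if __name__ == "__main__":
    for label, states in (("handshake", check_handshake(HANDSHAKE)),
                          ("release (server closes)", check_release(RELEASE, SERVER))):
        print(label)
        for a, b in states:
            print("  %-12s %s" % (a, b))
```

Feeding the script a trace whose acknowledgment is off by one (a common sign of a mis-read relative/absolute number in Wireshark) makes it fail on the exact segment where the relation breaks.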


References

  1. Computer Network (6th edition), edited by Xie Xiren
  2. OSI seven-layer model
  3. TCP protocol transport-layer specification
  4. TCP three-way handshake and four-way wave
