TCP establishes and releases connections

This example requests http://www.baidu.com to demonstrate how a TCP connection is established and released. The IP of this machine is 192.168.4.100.

Capture process

  1. Run the command ping www.baidu.com to resolve the IP of www.baidu.com.
C:\Users\Administrator>ping www.baidu.com

正在 Ping www.a.shifen.com [183.232.231.174] 具有 32 字节的数据:
来自 183.232.231.174 的回复: 字节=32 时间=46ms TTL=128
来自 183.232.231.174 的回复: 字节=32 时间=35ms TTL=128
来自 183.232.231.174 的回复: 字节=32 时间=37ms TTL=128
来自 183.232.231.174 的回复: 字节=32 时间=53ms TTL=128

183.232.231.174 的 Ping 统计信息:
    数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
    最短 = 35ms,最长 = 53ms,平均 = 42ms
  2. Because nodes and locations differ, the resolved IP may differ as well. This time the IP obtained is 183.232.231.174. As the first step in Wireshark, select the capture interface, here my Ethernet0 network card, and enter the filter src or dst host 183.232.231.174 to avoid capturing unrelated packets. Once it is set, press Enter to start capturing packets.

[Image: fetch_www.baidu.com]

  3. To eliminate interference from the browser, request www.baidu.com from a cmd window with the command curl http://www.baidu.com:
C:\Users\Administrator>curl http://www.baidu.com
<!DOCTYPE html>
<!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=http://s1.bdstatic.com/r/www/cache/bdorz/baidu.min.css><title>百度一下,你就知道</title></head> <body link=#0000cc> <div id=wrapper> <div id=head> <div class=head_wrapper> <div class=s_form> <div class=s_form_wrapper> <div id=lg> <img hidefocus=true src=//www.baidu.com/img/bd_logo1.png width=270 height=129> </div> <form id=form name=f action=//www.baidu.com/s class=fm> <input type=hidden name=bdorz_come value=1> <input type=hidden name=ie value=utf-8> <input type=hidden name=f value=8> <input type=hidden name=rsv_bp value=1> <input type=hidden name=rsv_idx value=1> <input type=hidden name=tn value=baidu><span class="bg s_ipt_wr"><input id=kw name=wd class=s_ipt value maxlength=255 autocomplete=off autofocus></span><span class="bg s_btn_wr"><input type=submit id=su value=百度一下 class="bg s_btn"></span> </form> </div> </div> <div id=u1> <a href=http://news.baidu.com name=tj_trnews class=mnav>新闻</a> <a href=http://www.hao123.com name=tj_trhao123 class=mnav>hao123</a> <a href=http://map.baidu.com name=tj_trmap class=mnav>地图</a> <a href=http://v.baidu.com name=tj_trvideo class=mnav>视频</a> <a href=http://tieba.baidu.com name=tj_trtieba class=mnav>贴吧</a> <noscript> <a href=http://www.baidu.com/bdorz/login.gif?login&amp;tpl=mn&amp;u=http%3A%2F%2Fwww.baidu.com%2f%3fbdorz_come%3d1 name=tj_login class=lb>登录</a> </noscript> <script>document.write('<a href="http://www.baidu.com/bdorz/login.gif?login&tpl=mn&u='+ encodeURIComponent(window.location.href+ (window.location.search === "" ? "?" 
: "&")+ "bdorz_come=1")+ '" name="tj_login" class="lb">登录</a>');</script> <a href=//www.baidu.com/more/ name=tj_briicon class=bri style="display: block;">更多产品</a> </div> </div> </div> <div id=ftCon> <div id=ftConw> <p id=lh> <a href=http://home.baidu.com>关于百度</a> <a href=http://ir.baidu.com>About Baidu</a> </p> <p id=cp>&copy;2017&nbsp;Baidu&nbsp;<a href=http://www.baidu.com/duty/>使用百度前必读</a>&nbsp; <a href=http://jianyi.baidu.com/ class=cp-feedback>意见反馈</a>&nbsp;京ICP证030173号&nbsp; <img src=//www.baidu.com/img/gs.gif> </p> </div> </div> </div> </body> </html>
  4. If all goes well, after the request completes you can see the entire process of establishing the connection, requesting data and releasing the connection in Wireshark:

[Image: show_package_www.baidu.com]

Note: If no packets are captured, run ping www.baidu.com again to check whether the IP has changed. If the IP returned by ping is not the same as the one used in Wireshark, the packets will not be captured.

Establish a TCP connection with a three-way handshake

[Image: TCP_open_connect]

The first three packets are the three-way handshake that establishes the connection. These packets show:

  1. The first handshake packet, sent by 192.168.4.100, has SYN=1 and Seq=0. The client asks to synchronize with the server and generates a random Seq (Wireshark displays sequence numbers relative to the start of the connection, so it shows as 0).
  2. The second handshake packet, the response from 183.232.231.174, has SYN=1, ACK=1 and Seq=0. Its Ack is the Seq of the first handshake packet plus 1, that is 0+1=1, and it carries its own random Seq=0. It is the synchronization acknowledgment sent back to the client.
  3. The third handshake packet, sent by 192.168.4.100, has ACK=1. Its Seq is 1, the Ack of the second packet, and its Ack is the Seq of the second handshake packet plus 1, that is 0+1=1. It is the acknowledgment that confirms the connection to the server.

After completing the three-way handshake, the connection between the local machine 192.168.4.100 and the server 183.232.231.174 has been established.

Send data

The 4th to 9th packets are the normal request data. Because the request uses HTTP, a plaintext protocol, you can see the GET request in Wireshark. Once the transfer is finished, the local machine 192.168.4.100 prepares to disconnect.

Release the TCP connection with a four-way handshake

[Image: TCP_close_connect]

The last four packets are the ones that release the connection:

  1. The 10th packet, sent by 192.168.4.100, has FIN=1 and Seq=78. It indicates that the local machine will send no more messages and is ready to disconnect, and it carries a randomly generated Seq sequence number.
  2. The 11th packet, the response from 183.232.231.174, has ACK=1 and Seq=2782. Its Ack is Seq+1 of the 10th packet, which is 78+1=79. It acknowledges the packet just received and also carries a randomly generated Seq=2782. At this point the connection is half-closed: the local machine no longer sends data, but if 183.232.231.174 still has data to send, the local machine can still receive it.
  3. The 12th packet, sent by 183.232.231.174, has FIN=1 and ACK=1. Its Seq is still 2782, and its Ack is still Seq+1 of the 10th packet, 78+1=79. The FIN indicates that the server has finished sending data and tells the local machine to disconnect.
  4. The 13th packet, the response from 192.168.4.100, has ACK=1. Its Seq is 79, the Ack of the 12th packet, and its Ack is Seq+1 of the 12th packet, which is 2783. It tells 183.232.231.174 that its FIN packet has been received and that the connection can be closed.
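The Seq/Ack values from both the handshake and the release steps above can be reproduced from absolute on-the-wire numbers. The following is an added example, not code from the original article: it converts a constructed 13-packet trace to Wireshark-style relative numbers and flags any ACK that acknowledges more than the peer has sent. The ISNs (with the client one chosen so the sequence number wraps past 2^32) and the payload lengths are assumptions picked to match the article's values.

```python
# Added example, not from the article: ISNs and segment lengths are constructed;
# only the relative values 0, 1, 78, 79, 2782, 2783 come from the article.
MOD = 2**32
C, S = "192.168.4.100", "183.232.231.174"
C_ISN, S_ISN = 4294967290, 1000  # constructed; the client ISN wraps past 2**32

def seg(src, flags, rel_seq, rel_ack, length=0):
    """Build a segment with absolute numbers, as they appear on the wire."""
    own, peer = (C_ISN, S_ISN) if src == C else (S_ISN, C_ISN)
    ack = (peer + rel_ack) % MOD if "ACK" in flags else 0
    return {"src": src, "flags": flags, "len": length,
            "seq": (own + rel_seq) % MOD, "ack": ack}

TRACE = [  # constructed capture mirroring packets 1-13 of the article
    seg(C, {"SYN"}, 0, 0),
    seg(S, {"SYN", "ACK"}, 0, 1),
    seg(C, {"ACK"}, 1, 1),
    seg(C, {"PSH", "ACK"}, 1, 1, 77),        # HTTP GET
    seg(S, {"ACK"}, 1, 78),
    seg(S, {"ACK"}, 1, 78, 1440),            # response data
    seg(S, {"PSH", "ACK"}, 1441, 78, 1341),  # response data
    seg(C, {"ACK"}, 78, 1441),
    seg(C, {"ACK"}, 78, 2782),
    seg(C, {"FIN", "ACK"}, 78, 2782),
    seg(S, {"ACK"}, 2782, 79),
    seg(S, {"FIN", "ACK"}, 2782, 79),
    seg(C, {"ACK"}, 79, 2783),
]

def analyze(trace):
    """Return (relative rows, violations) for a two-host TCP trace."""
    isn, nxt, rows, bad = {}, {}, [], []
    for n, p in enumerate(trace, 1):
        src, flags = p["src"], p["flags"]
        peer = next((h for h in isn if h != src), None)
        if "SYN" in flags:
            isn[src] = p["seq"]  # the SYN fixes this side's ISN
        has_ack = "ACK" in flags
        rel_ack = (p["ack"] - isn[peer]) % MOD if has_ack else None
        # an ACK must not acknowledge bytes the peer has not sent yet
        if has_ack and (nxt[peer] - p["ack"]) % MOD >= MOD // 2:
            bad.append((n, "ACK beyond data sent by peer"))
        # SYN and FIN each consume one sequence number, like a data byte
        end = (p["seq"] + p["len"] + ("SYN" in flags) + ("FIN" in flags)) % MOD
        if src not in nxt or (end - nxt[src]) % MOD < MOD // 2:
            nxt[src] = end  # advance only forward; retransmissions are ignored
        rows.append((n, (p["seq"] - isn[src]) % MOD, rel_ack))
    return rows, bad

ROWS, VIOLATIONS = analyze(TRACE)
```

Each row in ROWS is (packet number, relative Seq, relative Ack), so rows 1-3 and 10-13 can be compared directly against the two lists above.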


Origin blog.csdn.net/zyy247796143/article/details/126885988