WireShark packet capture analysis TCP three-way handshake process, TCP message analysis

"Author's homepage": Shibie Sanri wyx
"About the author": CSDN top100, Alibaba Cloud blog expert, Huawei Cloud Sharing expert, high-quality creator in the field of network security
"Recommended column": Friends who are interested in network security can follow the column "Network Security Beginner to Master"

Use the WireShark tool to capture the data packets of the TCP three-way handshake, analyze the TCP three-way handshake process, and analyze the role of each field in the TCP message.

Step 1: Visit Baidu

1) Open Wireshark, start capturing, and then open a browser and visit Baidu to trigger the TCP three-way handshake.

2) Open cmd and run ping www.baidu.com to get Baidu's IP address.


Step 2: Filter TCP protocol data packets

1) Enter the display filter tcp and ip.addr==110.242.68.3 to show only the TCP packets exchanged with Baidu's address.


The top three packets are the packets of the TCP three-way handshake; each packet corresponds to one handshake step.

Step 3: Packet Analysis

Let’s first analyze what the three handshake packets do.

1) First look at the first data packet: the source address (Source field) is my computer.


Run ifconfig in cmd to verify:

The destination address (Destination field) is Baidu's address.
The Info field is the description of the request. You can see that there is a SYN in it.


To summarize what the first packet did:
my computer sent a TCP request to Baidu's server. SYN indicates that this is a request to establish a connection; this is the first handshake.

2) Looking at the second data packet, the source address (Source field) is Baidu’s address.


The destination address (Destination field) is my computer.
The Info field is the description. You can see that there are both SYN and ACK in it.


To summarize what this packet does:
Baidu's server (after receiving my connection request) sends a TCP request to my computer. SYN+ACK indicates that this is the response to my request; this is the second handshake.

3) Looking at the third data packet, the source address (Source field) is my computer.


The destination address (Destination field) is Baidu's server.
The Info field is the description. You can see that there is an ACK in it.


To summarize what this packet does:
my computer (after receiving the response from Baidu's server) sends a TCP request to Baidu's server. ACK indicates that this is a confirmation; this is the third handshake.

After this confirmation is sent, the three-way handshake is complete. The client opens its one-way connection to the server; once the server receives the confirmation, it opens its one-way connection to the client. When the connections in both directions are open, data can be transferred.

Step 4: Data message analysis

The format of a TCP segment is shown below. Next, we map each field to the captured packet and explain its function.


1) Click on a TCP packet. The fourth line of the packet details, Transmission Control Protocol, is the TCP layer; each protocol layer is identified by the first word of its line.

  • The Source Port field is the source port. The client will use a random port to initiate a TCP connection to the server.
  • The Destination Port field is the destination port. Because we are using the https protocol to access Baidu, here we initiate a TCP connection to the server's port 443.


2) Sequence numbers and acknowledgment numbers are used to reassemble the data in order.

  • Sequence Number: the position of the first byte of this segment's data within the whole data stream, shown as a relative sequence number (Wireshark counts from the connection's initial sequence number).
  • Sequence Number (Raw): the original (absolute) sequence number as sent on the wire.
  • Next Sequence Number: the sequence number of the next segment this side will send.
  • Acknowledgment Number: the sequence number of the next byte this side expects to receive, shown as a relative number.
  • Acknowledgment Number (Raw): the original (absolute) acknowledgment number.


3) Data offset is the distance from the start of the TCP segment to the start of the data; it is used to calculate the length of the TCP header (the field counts 32-bit words, so header length = data offset × 4 bytes).


4) The flag bits indicate the purpose of the segment. The two flag bits to pay attention to in the three-way handshake are Acknowledgment (ACK) and SYN.

  • Reserved: reserved bits
  • Nonce: explicit congestion notification, indicating that congestion is about to occur so that the sender can reduce its transmission rate
  • CWR: congestion window reduced
  • ECN-Echo: has two meanings, depending on the value of SYN
  • Urgent URG (Urgent): 1 indicates a high-priority segment
  • Confirm ACK (Acknowledgment): 1 indicates that the acknowledgment number field is valid
  • Push PSH (Push): 1 means the receiver should hand this segment to the application layer as soon as possible, without waiting for the buffer to fill
  • Reset RST (Reset): 1 indicates a serious error and that the connection must be re-established
  • Synchronize SYN: synchronizes sequence numbers when establishing a connection; SYN=1 and ACK=0 indicates a connection request, SYN=1 and ACK=1 indicates the response to a connection request
  • Terminate FIN: 1 indicates that the sender has finished transmitting and requests release of the connection


Look at the packet of the first handshake. Because only the Syn flag bit is 1, Flags displays SYN, and the Info field of the packet also displays SYN.


Look at the packet of the second handshake. Because the Syn and Acknowledgment flag bits are both 1, Flags shows SYN, ACK, and the Info field of the packet also shows SYN, ACK.


5) Finally, there are the window size, checksum, urgent pointer, options, and padding fields.

  • The Window field is the window size: it tells the other party the maximum number of bytes it can currently receive, and is used for flow control.
  • The Checksum field is the checksum, used to verify the integrity of the segment.
  • The Urgent Pointer field is the urgent pointer, valid only when the URG flag is 1. It is an offset that is added to the sequence number field value.
  • The Options field holds the options and is of variable length.
  • Timestamps field represents padding

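As an added example (not code from the original post), the following Python parser decodes the header fields covered in Step 4 (ports, raw sequence and acknowledgment numbers, data offset, the nine flag bits, window, checksum, urgent pointer, and the MSS, window scale and Timestamps options) and then checks a SYN / SYN-ACK / ACK triple against the handshake relationships from Step 3, printing Wireshark-style relative Seq and Ack values. The client port, initial sequence numbers and options are constructed test values, not the captured Baidu traffic; the checksum is left at zero because no IP pseudo-header is built here.

```python
# Added example, not code from the original post: a small TCP header parser for the
# fields discussed in Step 4, plus a check that three constructed segments form the
# SYN / SYN-ACK / ACK exchange of Step 3. All values below are constructed test data.
import struct
from dataclasses import dataclass, field

# Bits of the 9-bit flag field, low bit first; Wireshark labels NS "Nonce".
FLAG_NAMES = [(0x001, "FIN"), (0x002, "SYN"), (0x004, "RST"), (0x008, "PSH"),
              (0x010, "ACK"), (0x020, "URG"), (0x040, "ECE"), (0x080, "CWR"),
              (0x100, "NS")]
SYN, ACK = 0x002, 0x010

@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq_raw: int            # "Sequence Number (Raw)": the absolute value on the wire
    ack_raw: int            # "Acknowledgment Number (Raw)"
    data_offset: int        # header length in 32-bit words
    flags: int
    window: int
    checksum: int
    urgent_pointer: int
    options: dict = field(default_factory=dict)
    payload: bytes = b""

    def flag_names(self):
        return [name for bit, name in FLAG_NAMES if self.flags & bit]

def parse_options(raw):
    """Decode the variable-length Options area as (kind, length, data) triplets."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                            # End of Option List
            break
        if kind == 1:                            # NOP: one byte of alignment padding
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2:
            raise ValueError("truncated TCP option")
        length, data = raw[i + 1], raw[i + 2:i + raw[i + 1]]
        if kind == 2:
            opts["MSS"] = struct.unpack("!H", data)[0]
        elif kind == 3:
            opts["WindowScale"] = data[0]
        elif kind == 8:
            opts["Timestamps"] = struct.unpack("!II", data)
        i += length
    return opts

def parse_tcp(segment):
    """Unpack the 20-byte fixed header, then options up to Data Offset * 4."""
    src, dst, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset, flags = off_flags >> 12, off_flags & 0x1FF      # 4-bit offset, 9 flag bits
    hlen = data_offset * 4
    if hlen < 20 or hlen > len(segment):
        raise ValueError("bad data offset")
    return TcpHeader(src, dst, seq, ack, data_offset, flags, win, csum, urg,
                     parse_options(segment[20:hlen]), segment[hlen:])

def build_tcp(src, dst, seq, ack, flags, window, options=b""):
    """Construct a segment for the example (checksum left at 0, no pseudo-header)."""
    options += b"\x00" * (-len(options) % 4)                   # pad options to 32-bit words
    off_flags = ((20 + len(options)) // 4) << 12 | flags
    return struct.pack("!HHIIHHHH", src, dst, seq, ack, off_flags, window, 0, 0) + options

def check_handshake(segments):
    """Return (valid, Wireshark-style lines); each ACK must equal the peer's SYN seq + 1."""
    s1, s2, s3 = (parse_tcp(s) for s in segments)
    client_isn, server_isn = s1.seq_raw, s2.seq_raw
    ctl = lambda h: h.flags & (SYN | ACK)                       # ignore ECE/CWR etc.
    ok = (ctl(s1) == SYN
          and ctl(s2) == SYN | ACK and s2.ack_raw == client_isn + 1
          and ctl(s3) == ACK and s3.seq_raw == client_isn + 1 and s3.ack_raw == server_isn + 1
          and (s1.src_port, s1.dst_port) == (s2.dst_port, s2.src_port) == (s3.src_port, s3.dst_port))
    lines = []
    for h in (s1, s2, s3):
        from_client = h.src_port == s1.src_port
        rel_seq = h.seq_raw - (client_isn if from_client else server_isn)   # relative Seq
        rel_ack = h.ack_raw - (server_isn if from_client else client_isn) if h.flags & ACK else 0
        lines.append(f"{h.src_port} -> {h.dst_port} [{', '.join(h.flag_names())}] "
                     f"Seq={rel_seq} Ack={rel_ack} Win={h.window} Len={len(h.payload)}")
    return ok, lines

# Constructed handshake: random client port to 443 with arbitrary initial sequence numbers.
CLIENT_PORT, HTTPS_PORT = 52134, 443
CLIENT_ISN, SERVER_ISN = 0x1234ABCD, 0x9E0D4F10
MSS_1460 = b"\x02\x04\x05\xb4"
HANDSHAKE = [
    build_tcp(CLIENT_PORT, HTTPS_PORT, CLIENT_ISN, 0, SYN, 64240, MSS_1460 + b"\x01\x03\x03\x08"),
    build_tcp(HTTPS_PORT, CLIENT_PORT, SERVER_ISN, CLIENT_ISN + 1, SYN | ACK, 65535, MSS_1460),
    build_tcp(CLIENT_PORT, HTTPS_PORT, CLIENT_ISN + 1, SERVER_ISN + 1, ACK, 64240),
]

if __name__ == "__main__":
    valid, summary = check_handshake(HANDSHAKE)
    print("\n".join(summary))
    print("valid three-way handshake:", valid)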

Guess you like

Origin blog.csdn.net/wangyuxiang946/article/details/132618372