Analysis of the TCP three-way handshake and four-way close

  • In network analysis, understanding the TCP sequence and acknowledgment numbers helps us learn and troubleshoot the TCP protocol, for example by using them to determine whether data was transmitted out of order.
  • A TCP connection goes through three main phases: connection establishment, data transfer, and connection close. Each phase does a different job, and the way the sequence and acknowledgment numbers change is different in each.
  • TCP works at the transport layer and is a reliable, connection-oriented byte-stream protocol. TCP is reliable because it guarantees the order in which data packets are delivered, and that order is guaranteed by the sequence number.

Detailed TCP packet format:

https://blog.csdn.net/mary19920410/article/details/58030147

Understanding seq and ack:

seq is the sequence number, used for the subsequent data transfer (and of course also during connection setup);

ack is the acknowledgment number carried by a packet; its value is the sequence number the sender is waiting to receive next.

In the first message, A picks a random sequence number x and sends it to B as its initial sequence number;

In the second message, B acknowledges A: since the packet with sequence number x has been received, B is ready to receive sequence number x + 1, so ack = x + 1; at the same time B tells A its own initial sequence number, seq = y;

In the third message, A tells B that it has received the acknowledgment and is ready to establish the connection. A's own sequence number is now x + 1, so seq = x + 1 (by the rule above, this is exactly the ack value B just sent), and ack = y + 1, meaning A is ready to receive B's packet with sequence number y + 1.

seq is the sequence number of the packet itself;

ack is the sequence number the sender expects in the next data packet from the other side.

 

Understanding the FLAGS field:

The TCP header has a FLAGS field with the following six flags: SYN, FIN, ACK, PSH, RST, URG.

SYN (synchronize): establish a connection

ACK (acknowledgement): acknowledge / respond

PSH (push): carries DATA, i.e. data transfer

FIN (finish): close the connection

RST (reset): reset the connection.

URG (urgent): urgent data

  • ACK can be set together with SYN, FIN, and so on; for example, SYN and ACK both set to 1 represents the response to a connection request.
  • If only SYN is set, the packet only requests a connection.
  • When a SYN packet and a SYN+ACK packet appear, we consider the client and server to be establishing a connection. The TCP handshake shows itself through these ACKs.
  • But SYN and FIN are never both 1, because the former requests a connection and the latter closes it.
  • RST usually appears after a FIN has been sent (FIN = 1); it means the connection is being reset.
  • In general, when a FIN packet or an RST packet appears, we consider the client and server to be disconnecting;
  • PSH = 1 generally appears only when the DATA portion of the packet is non-empty, i.e. PSH marks the TCP packets that carry real content.

 

Understanding the SYN attack:

A SYN attack (SYN flood) is a kind of DDoS (distributed denial of service) attack.

The attacker sends a large number of half-open connection requests (i.e. SYN requests) with spoofed source IP addresses and source ports to the target host.

The target host has to respond to each of them: because the source IP address is forged (it does not exist), the target replies with SYN+ACK packets, never receives the final ACK from the requesting host, and so starts the SYN retransmission mechanism.

Only after retransmitting repeatedly, up to a fixed limit, does it give up; meanwhile the target host's resources are tied up and the network is congested.
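As an added example (not from the original post) covering both the FLAGS section and the SYN-attack passage above: a small parser that builds and decodes raw TCP headers, names the flag combinations the text lists, and counts half-open connections, i.e. SYNs that were never completed by the client's final ACK, which is what a spoofed-source SYN flood leaves behind on a server. The addresses, ports and trace are constructed for the demo.

```python
import struct
# Flag bits are the low 6 bits of TCP header bytes 12-13 (RFC 793 order).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def build_segment(sport, dport, seq, ack, flags, payload=b""):
    """Construct a minimal TCP segment: 20-byte header, no options (demo only)."""
    offset_flags = (5 << 12) | sum(FLAG_BITS[f] for f in flags)  # 5 words
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                         offset_flags, 65535, 0, 0)
    return header + payload

def parse_segment(raw):
    """Return (sport, dport, seq, ack, set of flag names, payload length)."""
    sport, dport, seq, ack, offset_flags = struct.unpack("!HHIIH", raw[:14])
    data_offset = (offset_flags >> 12) * 4
    flags = {name for name, bit in FLAG_BITS.items() if offset_flags & bit}
    return sport, dport, seq, ack, flags, len(raw) - data_offset

def classify(flags, payload_len):
    """Name a segment by the flag combinations the text describes."""
    if "SYN" in flags and "FIN" in flags:
        return "invalid: SYN and FIN together"
    if flags == {"SYN"}:
        return "connection request"
    if flags == {"SYN", "ACK"}:
        return "connection response"
    if "FIN" in flags:
        return "close"
    if "PSH" in flags and payload_len > 0:
        return "data"
    return "acknowledgement" if "ACK" in flags else "other"

def half_open(trace):
    """Count SYNs per (client, server) that no later client ACK completed.
    trace items are (src_ip, dst_ip, raw_segment). A lone SYN opens a pending
    entry, the client's ACK-only segment closes one; leftovers are half-open."""
    pending = {}
    for src, dst, raw in trace:
        flags = parse_segment(raw)[4]
        key = (src, dst)
        if flags == {"SYN"}:
            pending[key] = pending.get(key, 0) + 1
        elif flags == {"ACK"} and pending.get(key, 0) > 0:
            pending[key] -= 1
    return {k: v for k, v in pending.items() if v > 0}

# Constructed trace: one completed handshake, then two SYNs from spoofed sources.
TRACE = [
    ("10.0.0.5", "10.0.0.1", build_segment(40000, 80, 10000, 0, ["SYN"])),
    ("10.0.0.1", "10.0.0.5", build_segment(80, 40000, 20000, 10001, ["SYN", "ACK"])),
    ("10.0.0.5", "10.0.0.1", build_segment(40000, 80, 10001, 20001, ["ACK"])),
    ("203.0.113.7", "10.0.0.1", build_segment(1234, 80, 1, 0, ["SYN"])),
    ("203.0.113.8", "10.0.0.1", build_segment(1235, 80, 2, 0, ["SYN"])),
]
```

A real capture would key on the full 4-tuple and age out entries; on a live system the same view comes from counting sockets in SYN_RCVD with netstat.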

 

Three-way handshake:

A virtual connection is established through a three-way handshake.

When client B requests a connection from server A:

1. At first both ends are in the CLOSED state; then server A is opened and enters the LISTEN state, which indicates that a connection may be established.

2. B then sends A the first SYN packet, with the flag SYN = 1 and sequence number seq = X [X is generated randomly]; B then enters the SYN_SENT state.

(At this time the ACK flag and the ack acknowledgment number are not used and are both 0.)

3. After A correctly receives B's packet, it replies with an acknowledging SYN packet, i.e. a SYN+ACK packet, to B, with both the SYN and ACK flags set to 1, sequence number seq = Y [Y is generated randomly] and acknowledgment number ack = X + 1; A then enters the SYN_RCVD state.

4. After B correctly receives the packet returned by server A, B sends an ACK packet to notify A that the connection has been established, with the ACK flag set to 1, sequence number seq = X + 1 and acknowledgment number ack = Y + 1; B then enters the ESTABLISHED state.

5. When A receives the packet sent by B, it also enters the ESTABLISHED state.

 

From this point the client and server have completed the three-way handshake and the TCP connection is established.

Once the three-way handshake is complete and the connection is established, every packet on the TCP connection will have the ACK bit set.

 

Going through it again:

1. (B) –> [SYN] –> (A)

Suppose server A and client B communicate. When B wants to communicate with A,

B first sends a packet marked SYN (Synchronize) to A, telling A that it requests to establish a connection.

Note: a SYN packet is a TCP packet in which only the SYN flag is set to 1 (see the TCP header reference); recognizing it is very important.

Only when A receives the SYN packet sent by B can the connection be established; there is no other way.

So, if your firewall drops all SYN packets arriving on the network interface, no external host will be able to take the initiative to establish a connection.

 

2. (B) <– [SYN/ACK] <–(A)

Next, A sends back a packet confirming receipt of the SYN packet (SYN/ACK): it acknowledges the first SYN packet and continues the handshake.

Note: a SYN/ACK packet is a packet in which only the SYN and ACK flags are set to 1.

 

3. (B) –> [ACK] –> (A)

B receives the SYN/ACK packet and sends an acknowledgment packet (ACK) to notify A that the connection has been established.

At this point the three-way handshake is finished and the TCP connection is established.

 

Note: an ACK packet is a TCP packet in which only the ACK flag is set to 1.

Note that once the three-way handshake is complete and the connection is established, every packet on the TCP connection will have the ACK bit set.

 

【Example】

Handshake phase:

No.  direction  seq    ack
1    A->B       10000  0
2    B->A       20000  10000+1=10001
3    A->B       10001  20000+1=20001

 

Data transfer phase:

No.  direction  seq    ack                   size
23   A->B       40000  70000                 1514
24   B->A       70000  40000+1514-54=41460   54
25   A->B       41460  70000+54-54=70000     1514
26   B->A       70000  41460+1514-54=42920   54

 

 

Handshake explanation:

1: A initiates a connection request to B. A initializes its seq with a random number, here assumed to be 10000; the ack is 0 at this point.

2: After B receives A's connection request, B also initializes its own seq with a random number, assumed to be 20000, meaning: I have received your request, and my side of the stream starts from this number. B's ack is A's seq plus 1, i.e. 10000 + 1 = 10001.

3: A receives B's reply. Its seq is B's ack [i.e. the seq of its previous request plus 1], that is, 10000 + 1 = 10001, meaning: I received your reply, and my side of the stream starts from this number. A's ack is B's seq plus 1, i.e. 20000 + 1 = 20001.

 

Data transfer phase explained:

23: B receives a packet from A with seq = 40000, ack = 70000 and size = 1514.

24: So B sends a packet back to A, telling A: I received your last packet.

Its seq is filled with the ack of the packet it received,

its ack is the seq of the packet it received plus the size of that packet's data (not including the Ethernet header, IP header, or TCP header),

confirming to A that all of the data sent over was received.

 

25: When A receives B's packet with ack = 41460, it sees that 41460 is exactly the seq of its last packet plus that packet's data size, so it knows the last data packet arrived safely.

It then sends another packet to B.

The seq of the packet it sends is again filled with the ack of the packet it received,

and its ack is the seq of the packet it received (70000) plus that packet's data size, i.e. ack = 70000 + 54 - 54 (the 54 bytes were all headers, no data).

In fact, during the handshake the acknowledgment number is the other side's sequence number plus 1,

while during data transfer it is the other side's sequence number plus the length of the application-layer data it carried.

Working it out from the Ethernet frame length and subtracting the headers, as above, is a roundabout way of getting the same number.

Also, if the other side has sent no data, its acknowledgment number stays unchanged,

and its sequence number is the previous sequence number plus the length of the application-layer data transmitted.
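As an added example (not from the original post), the seq/ack bookkeeping of the handshake and data-transfer tables above, written as a small simulation with the text's numbers (ISNs 10000 and 20000; a data phase starting at 40000/70000 with 1514-byte and 54-byte frames). `in_order` is the check an analyst would run over a capture: each ack must equal the other direction's previous seq plus its payload. Endpoint names and the 54-byte header assumption follow the text.

```python
HEADERS = 14 + 20 + 20   # Ethernet + IP + TCP headers: the 54 bytes the text subtracts

class Endpoint:
    """One side of the connection, tracking the two numbers it puts in a segment."""
    def __init__(self, name, snd_nxt, rcv_nxt=0):
        self.name = name
        self.snd_nxt = snd_nxt   # seq of the next byte this side will send
        self.rcv_nxt = rcv_nxt   # seq it expects next, i.e. the ack it will send

def handshake(client, server):
    """Three-way handshake; returns (src, dst, seq, ack) per segment.
    A SYN consumes one sequence number, the final ACK consumes none."""
    rows = [(client.name, server.name, client.snd_nxt, 0)]                   # SYN
    server.rcv_nxt = client.snd_nxt + 1
    client.snd_nxt += 1
    rows.append((server.name, client.name, server.snd_nxt, server.rcv_nxt))  # SYN/ACK
    client.rcv_nxt = server.snd_nxt + 1
    server.snd_nxt += 1
    rows.append((client.name, server.name, client.snd_nxt, client.rcv_nxt))  # ACK
    return rows

def transfer(src, dst, frame_len):
    """Send one Ethernet frame; only the application bytes advance seq and ack."""
    payload = frame_len - HEADERS
    row = (src.name, dst.name, src.snd_nxt, src.rcv_nxt, frame_len)
    src.snd_nxt += payload
    dst.rcv_nxt = src.snd_nxt      # the receiver will acknowledge up to here
    return row

def in_order(rows):
    """Check that every ack equals the opposite direction's previous seq + payload;
    a mismatch is how lost or out-of-order data shows up in a capture."""
    last = {}                      # direction -> (seq, payload) of its latest frame
    for src, dst, seq, ack, size in rows:
        prev = last.get((dst, src))
        if prev is not None and ack != prev[0] + prev[1]:
            return False
        last[(src, dst)] = (seq, size - HEADERS)
    return True

def worked_example():
    """Reproduce both tables from the text with its numbers."""
    a, b = Endpoint("A", 10000), Endpoint("B", 20000)
    hs = handshake(a, b)
    # Packets 23-26 come later in the same stream; the text assumes A is at
    # seq 40000 and B at seq 70000 by then, so start the endpoints there.
    a, b = Endpoint("A", 40000, 70000), Endpoint("B", 70000, 40000)
    data = [transfer(a, b, 1514), transfer(b, a, 54),
            transfer(a, b, 1514), transfer(b, a, 54)]
    return hs, data
```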

 

TCP four-way close process analysis:

Establishing a connection takes three steps, but closing one takes four.

Because a TCP connection is full-duplex, each direction must be closed separately.

When a TCP connection is closed, the side that closes first (i.e. sends the first termination packet) performs the active close, and the other side (which receives the termination packet) then performs the passive close.

 

The four steps for closing the connection are as follows:

1. The active side sends a FIN + ACK packet, i.e. a packet with both the FIN and ACK flags set to 1, with sequence number seq = X and acknowledgment number ack = Z; [like SYN, a FIN consumes one sequence number]

[The acknowledgment number is the sequence number of the data packet sent by the client;

the sequence number is the acknowledgment number of the last packet sent by the server plus the size of the data that packet carried;]

2. The passive side returns an ACK packet, i.e. a packet with the ACK flag set to 1, with sequence number seq = Z (i.e. the acknowledgment number it just received) and acknowledgment number ack = X + 1 (the next sequence number it expects to receive);

3. The passive side sends a FIN + ACK packet, with sequence number seq = Y and acknowledgment number ack = X [the ack here cannot be predicted];

[The sequence number is the sequence number of the last packet sent by the server; the acknowledgment number is the sequence number of the last packet sent by the client plus the size of the data that packet carried]

4. The active side returns an acknowledgment packet ACK, with sequence number seq = X and ack = Y + 1.

 

Baidu Encyclopedia's analysis:

Connection termination protocol (four-way wave)

Because a TCP connection is full-duplex, each direction must be shut down separately. The principle is that when one side finishes sending its data, it can send a FIN to terminate the connection in that direction. Receiving a FIN only means that no more data will flow in that direction; a TCP connection can still send data after receiving a FIN. The side that closes first performs the active close, and the other performs the passive close.

(1) The TCP client sends a FIN, closing the data transfer from client to server.

(2) The server receives the FIN and sends back an ACK whose acknowledgment number is the received sequence number plus 1. Like a SYN, a FIN takes up one sequence number.

(3) The server closes its connection to the client and sends a FIN to the client.

(4) The client sends back an ACK, setting the acknowledgment number to the received sequence number plus 1.

 

State analysis

CLOSED:

Initial state.

LISTEN:

This is also an easy state to understand: it means a server SOCKET is in the listening state and can accept connections.

SYN_RCVD:

This state means a SYN packet has been received. Under normal circumstances it is an intermediate state of the server-side SOCKET during the three-way handshake; it is very short, and you will basically have a hard time seeing it with netstat, unless you deliberately write a client test program that withholds the last ACK of the three-way handshake. When a SOCKET in this state receives the client's ACK packet, it enters the ESTABLISHED state.

SYN_SENT:

This state mirrors SYN_RCVD. When the client executes CONNECT on a SOCKET, it first sends a SYN packet and immediately enters the SYN_SENT state, where it waits for the server to send the second message of the three-way handshake. SYN_SENT means the client has sent a SYN packet.

ESTABLISHED:

Easy to understand: the connection has been established.

FIN_WAIT_1:

To explain this state properly: the real meaning of both FIN_WAIT_1 and FIN_WAIT_2 is waiting for the other side's FIN packet. The difference between the two is that FIN_WAIT_1 is entered when a SOCKET in the ESTABLISHED state wants to actively close the connection and sends a FIN packet to the other side; the SOCKET then enters FIN_WAIT_1. When the other side responds with an ACK packet, it enters FIN_WAIT_2. In practice, whatever its situation, the other side should respond with an ACK immediately, so FIN_WAIT_1 is generally hard to observe, while FIN_WAIT_2 can often be seen with netstat.

FIN_WAIT_2:

As explained above, a SOCKET in FIN_WAIT_2 represents a half-closed connection: one side has asked to close, but is also telling the other side, I still have a little data to send you, and I will close the connection later. [Data may still be transmitted, so the ack is hard to predict]

TIME_WAIT:

The other side's FIN packet has been received and an ACK has been sent; after waiting 2MSL the SOCKET can return to the CLOSED state. If, in the FIN_WAIT_1 state, a packet carrying both the FIN flag and the ACK flag is received, the SOCKET can go directly to TIME_WAIT without passing through FIN_WAIT_2.

CLOSING:

This state is rather special; it should be rare in practice and is a relatively unusual exception. Normally, after you send a FIN packet, you should first receive (or receive at the same time) the other side's ACK, and only then receive its FIN. The CLOSING state means that after you sent a FIN, you did not receive an ACK but instead received the other side's FIN. When can this happen? Thinking about it, the conclusion is not hard: if both sides close the SOCKET at almost the same time, both send FIN packets at the same time, and both end up in the CLOSING state, which means both sides are closing the SOCKET connection.

CLOSE_WAIT:

The meaning of this state is really "waiting to close". How to understand it? When the other side closes its SOCKET and sends you a FIN, your system will of course respond with an ACK and then enter the CLOSE_WAIT state. What you actually need to consider now is whether you still have data to send to the other side; if not, you can close the SOCKET too and send a FIN, that is, close the connection. So in CLOSE_WAIT, what remains to be done is to wait for you to close the connection.

LAST_ACK:

This state is relatively easy to understand: the passive side has sent its FIN packet and is waiting for the other side's final ACK. Once the ACK is received, it can enter the CLOSED state.
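As an added example (not from the original post), the state transitions described above written as a table-driven state machine, so the four paths the text discusses can be traced: the normal active close, the FIN_WAIT_1 shortcut to TIME_WAIT on a FIN+ACK, the simultaneous close through CLOSING, and the passive close through CLOSE_WAIT and LAST_ACK. The event names are my own, and the table covers only the transitions the text describes, not the full RFC 793 diagram.

```python
# (current state, event) -> next state. Events are either a local call
# ("active_open", "passive_open", "close", "timeout_2MSL") or the flags of
# the segment received ("rcv_SYN", "rcv_FIN+ACK", ...). Comments note what
# the stack sends on that transition.
TRANSITIONS = {
    ("CLOSED", "passive_open"): "LISTEN",
    ("CLOSED", "active_open"): "SYN_SENT",          # sends SYN
    ("LISTEN", "rcv_SYN"): "SYN_RCVD",              # sends SYN+ACK
    ("SYN_SENT", "rcv_SYN+ACK"): "ESTABLISHED",     # sends ACK
    ("SYN_RCVD", "rcv_ACK"): "ESTABLISHED",
    ("ESTABLISHED", "close"): "FIN_WAIT_1",         # active close, sends FIN
    ("ESTABLISHED", "rcv_FIN"): "CLOSE_WAIT",       # passive close, sends ACK
    ("FIN_WAIT_1", "rcv_ACK"): "FIN_WAIT_2",
    ("FIN_WAIT_1", "rcv_FIN"): "CLOSING",           # both sides sent FIN at once
    ("FIN_WAIT_1", "rcv_FIN+ACK"): "TIME_WAIT",     # skips FIN_WAIT_2, sends ACK
    ("FIN_WAIT_2", "rcv_FIN"): "TIME_WAIT",         # sends ACK
    ("CLOSING", "rcv_ACK"): "TIME_WAIT",
    ("CLOSE_WAIT", "close"): "LAST_ACK",            # sends FIN
    ("LAST_ACK", "rcv_ACK"): "CLOSED",
    ("TIME_WAIT", "timeout_2MSL"): "CLOSED",        # waits for a lost ACK resend
}

def run(events, start="CLOSED"):
    """Drive one socket through the table; return every state it visited.
    An event with no entry is a protocol violation and raises ValueError."""
    state, path = start, [start]
    for event in events:
        if (state, event) not in TRANSITIONS:
            raise ValueError(f"no transition from {state} on {event}")
        state = TRANSITIONS[(state, event)]
        path.append(state)
    return path

# Constructed event sequences for the scenarios described in the text.
ACTIVE_CLOSE = ["active_open", "rcv_SYN+ACK", "close",
                "rcv_ACK", "rcv_FIN", "timeout_2MSL"]
FIN_ACK_SHORTCUT = ["active_open", "rcv_SYN+ACK", "close",
                    "rcv_FIN+ACK", "timeout_2MSL"]
SIMULTANEOUS_CLOSE = ["active_open", "rcv_SYN+ACK", "close",
                      "rcv_FIN", "rcv_ACK", "timeout_2MSL"]
PASSIVE_CLOSE = ["passive_open", "rcv_SYN", "rcv_ACK",
                 "rcv_FIN", "close", "rcv_ACK"]
```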

 

 

Related questions:

1. Why does establishing a connection take a three-way handshake, but closing it takes four?

A: Because when the Server receives the Client's SYN connection request, it can send the SYN + ACK directly in one packet, where the ACK acknowledges the request and the SYN synchronizes. But when closing the connection, when the Server receives the FIN packet it probably cannot close the SOCKET immediately; it can only respond with an ACK first, telling the Client "I have received your FIN". Only when all of the Server's messages have been sent can it send its FIN, so the two cannot be sent together, and four steps are needed.

 

2. Why must the TIME_WAIT state wait 2MSL (maximum segment lifetime) before returning to CLOSED?

A: Logically, once the four packets have been sent we could go directly to CLOSED, but we must assume the network is unreliable and the last ACK may be lost. So the TIME_WAIT state is used to retransmit an ACK that may have been lost.

 


Origin: blog.csdn.net/Ideaddxxpp/article/details/91870166