A summary of TCP-related interview questions

Source: Internet
Author: User
1. TCP three-way handshake process

Wireshark packet capture (Wireshark automatically displays the SEQ and ACK numbers as relative values):

1 Host A sends the server a packet with the flag SYN=1 and a randomly generated seq=1234567. From SYN=1, Host B knows that A is requesting a connection. At this point A's state is SYN_SENT and B's is LISTEN.

2 After receiving the request, Host B confirms the connection information and sends A a packet with ack = (Host A seq+1), the flags SYN=1 and ACK=1, and a randomly generated seq=7654321. At this point A's state is ESTABLISHED and B's is SYN_RCVD.

3 After receiving it, Host A checks that the ack number is correct, that is, the seq number it first sent plus 1, and that the ACK flag is 1. If so, Host A sends ack = (Host B seq+1) with the flag ACK=1. Once Host B confirms the seq value and ACK=1, the connection is established successfully. At this point both A and B are in the ESTABLISHED state.

2. TCP four-way teardown (four waves) process

The disconnect process is similar to establishing a connection.
1 Host A sends a segment with the flag FIN=1, which closes data transmission from client A to server B. At this point A's state is FIN_WAIT_1.
2 Server B receives this FIN and sends back an ACK whose acknowledgment number is the received sequence number plus 1. At this point A is in FIN_WAIT_2 and B is in CLOSE_WAIT.
3 Server B closes its connection to client A and sends a FIN to client A. At this point A is in TIME_WAIT and B is in LAST_ACK.
4 Client A sends back an ACK and sets the acknowledgment number to the received sequence number plus 1. At this point both A and B are closed, and the state becomes CLOSED.
When the ACK and FIN of steps (2) and (3) are sent in one packet, A's state changes directly from FIN_WAIT_1 to TIME_WAIT.

3. Why establishing a connection takes a three-way handshake while disconnecting takes four steps

Because each direction needs its own FIN and ACK. When one end sends a FIN packet, it is in a half-closed state and can still receive packets.
When establishing a connection, the server can send the SYN and the ACK in one packet.
When disconnecting, however, if one end receives a FIN packet but still has data to send, it first replies to the peer with an ACK for the FIN, waits until the remaining data has been sent, and then sends its own FIN to the peer, closing the connection in that direction.
So in many cases the FIN and the ACK have to be sent in two separate packets, which is why disconnecting takes four steps.

4. TIME_WAIT state duration and cause

The duration is 2MSL, where MSL is the maximum lifetime of a packet on the network.
Assuming the client's last ACK is lost, the server retransmits its last FIN packet when the timeout expires.
The ACK and the FIN together have a maximum lifetime of 2MSL in the network, so waiting this long lets both directions of the TCP connection be closed reliably.

5. Timeout retransmission and fast retransmission

Timeout retransmission: when the timeout expires and the sender has still not received an ACK from the peer, it retransmits the packet.

Fast retransmission: when later sequence numbers arrive first, for example the receiver has received 1, 3 and 4 but not 2, the receiver immediately sends the sender three duplicate ACKs with ack=2 to request retransmission. If the sender receives 3 consecutive ACKs with the same number, it retransmits the packet without waiting for the timeout.

6. TCP header length and which fields it contains



7. What are the TCP options

The TCP header option field is at most 40 B. Some common options are:
1 End of option list (EOP, 0x00): 1 B, appears only once per segment. It is placed at the end as padding and indicates that there is no more information in the header and that application data begins at the next 32-bit word.
2 No operation (NOP, 0x01): 1 B, also used for padding, placed at the beginning of an option.
3 MSS (maximum segment size), with the format: kind (1 B, value 2), length (1 B, value 4), value (2 B).
It is used to determine the MSS at the start of the connection; if it is absent, the default is used (generally implemented as 536 B).
4 Window scale factor, with the format: kind (1 B, value 3), length (1 B, value 3), value (1 B).
New window value = window value in the header × 2^(scale factor)
It is used to define a larger window at the start of the connection when both sides consider the header's window value not large enough. It is valid only when the connection starts; once defined, it cannot be changed during the communication.
5 Timestamp (used to measure RTT and to protect against sequence number wraparound)
6 SACK-permitted and SACK options
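
The option layout listed above can be walked with a small kind/length/value parser. The following is an added example, not part of the original page: the function names and the sample bytes are constructed for illustration, and it rejects the malformed lengths that a careless option parser would follow out of bounds.

```python
import struct

# Kinds 0-3 are spelled out in the list above; 4 and 8 are the standard
# SACK-permitted and timestamp kinds.
EOL, NOP, MSS, WSCALE, SACK_OK, TSTAMP = 0, 1, 2, 3, 4, 8

def parse_tcp_options(data: bytes):
    """Return a list of (name, value) pairs; raise ValueError if malformed."""
    if len(data) > 40:
        raise ValueError("options field is limited to 40 bytes")
    opts, i = [], 0
    while i < len(data):
        kind = data[i]
        if kind == EOL:                      # nothing after this is an option
            opts.append(("EOL", None))
            break
        if kind == NOP:                      # single padding byte, no length
            opts.append(("NOP", None))
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option: no length byte")
        length = data[i + 1]
        # The length counts the kind and length bytes too, so it is at least 2
        # and must stay inside the buffer; otherwise the loop stalls or overreads.
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad length {length} for option kind {kind}")
        body = data[i + 2:i + length]
        if kind == MSS and length == 4:
            opts.append(("MSS", struct.unpack("!H", body)[0]))
        elif kind == WSCALE and length == 3:
            opts.append(("WSCALE", body[0]))
        elif kind == SACK_OK and length == 2:
            opts.append(("SACK_PERMITTED", None))
        elif kind == TSTAMP and length == 10:
            opts.append(("TIMESTAMP", struct.unpack("!II", body)))
        else:                                # other kind or odd size: keep raw
            opts.append((f"KIND_{kind}", bytes(body)))
        i += length
    return opts

def scaled_window(header_window: int, shift: int) -> int:
    """Window value from the header multiplied by 2**shift."""
    return header_window << shift

# Constructed SYN options: MSS 1460, SACK permitted, timestamp, NOP, scale 7.
SAMPLE = bytes.fromhex("020405b4 0402 080a0000002a00000000 01 030307")
if __name__ == "__main__":
    print(parse_tcp_options(SAMPLE), scaled_window(512, 7))
```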

8. The meaning of the backlog parameter of listen

The Linux kernel maintains two queues:
1 Incomplete queue: a SYN connection request has been received, and the connection is in the SYN_RCVD state.
2 Completed queue: the TCP three-way handshake has completed, and the connection is in the ESTABLISHED state.
When a SYN arrives requesting a connection, a new entry is created in the incomplete queue. When the three-way handshake completes, the socket is moved from that queue to the completed queue.
Backlog has been defined as the maximum value of the sum of the two queues, with 1.5 times the backlog as the maximum length of the incomplete queue.
Typically, the backlog is specified as 5.

9. At which step of the three-way handshake accept occurs

accept checks whether the completed queue is non-empty and blocks while the queue is empty. When the queue is not empty, it takes an entry from the completed queue and returns it.
Entries in the completed queue have already finished the three-way handshake, so accept occurs after the three-way handshake.

10. What is insecure in the three-way handshake

1) A spoofed IP sends the server a SYN request to establish a connection. The server responds to that IP with SYN and ACK, but the host for that IP cannot be found, and when the server times out without receiving an ACK it resends repeatedly. When a large number of such attacker requests arrive, the server holds a large number of connections that have not completed the three-way handshake, the server's backlog is exhausted, and it cannot respond to other connections. This is the SYN flood attack.
Precautionary measures:
1. Reduce the SYN timeout so that the host releases half-open connections as soon as possible.
2. Use the SYN cookie setting: if repeated SYN requests are received from one IP within a short period, it is considered an attack from that IP, and subsequent request packets from that IP are discarded.
3. Set a filter at the gateway that refuses to route any packet whose source IP address does not belong to its source subnet.
2) When a host sends a SYN connection request to the server and the server replies with ACK and SYN, an attacker intercepts the ACK and SYN and then continues communicating with the server disguised as the original host.
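
The backlog build-up described in 1) shows up on a Linux server as sockets in SYN_RECV (state code 03 in /proc/net/tcp). The following added example, not part of the original page, counts them per listening port; the sample table is constructed, the function names and threshold are assumptions, and the hex address layout is that of a little-endian host.

```python
import socket
import struct
from collections import defaultdict

SYN_RECV = "03"  # hex state code the kernel prints for SYN_RECV

# Constructed sample in /proc/net/tcp layout, trailing columns trimmed.
# Remote addresses come from documentation ranges.
SAMPLE = """\
  sl  local_address rem_address   st
   0: 00000000:01BB 00000000:0000 0A
   1: 0A00000A:01BB 077100CB:C001 03
   2: 0A00000A:01BB 087100CB:C002 03
   3: 0A00000A:01BB 096433C6:C003 03
   4: 0A00000A:01BB 146433C6:C004 03
   5: 0A00000A:01BB 050200C0:D431 01
   6: 0A00000A:0016 050200C0:D432 03
"""

def decode_addr(field):
    """'0A00000A:01BB' -> ('10.0.0.10', 443); assumes a little-endian host."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def half_open_by_port(table):
    """Map local port -> set of remote (ip, port) pairs in SYN_RECV."""
    pending = defaultdict(set)
    for line in table.splitlines():
        cols = line.split()
        if len(cols) < 4 or not cols[0].endswith(":"):
            continue                      # header or damaged line
        if cols[3] == SYN_RECV:
            pending[decode_addr(cols[1])[1]].add(decode_addr(cols[2]))
    return pending

def flooded_ports(table, threshold):
    """Ports whose half-open count reaches threshold: {port: (count, n_ips)}.

    Counting per listening port rather than per source address matters
    because the source addresses in a SYN flood are forged.
    """
    report = {}
    for port, peers in half_open_by_port(table).items():
        if len(peers) >= threshold:
            report[port] = (len(peers), len({ip for ip, _ in peers}))
    return report

if __name__ == "__main__":
    print(flooded_ports(SAMPLE, threshold=3))
```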

11. TCP and UDP

TCP is connection-oriented: two hosts must establish a connection with a three-way handshake before exchanging data. UDP is connectionless and has no connection-establishment process.

TCP is reliable transmission: the TCP protocol guarantees the reliability of data transmission through acknowledgement and retransmission mechanisms, while UDP is unreliable transmission.

TCP also provides congestion control, sliding windows and other mechanisms to ensure the quality of the transmission, which UDP does not have.

TCP is byte-stream based: data is transported as a stream of bytes. When the data the application hands to TCP is too long and exceeds the MSS, TCP segments it, so TCP data has no boundaries. UDP is message-oriented: no matter how long a packet the application hands to the UDP layer, UDP does not split the datagram, so UDP preserves application-layer data boundaries.

12. Which application-layer protocols are TCP-based and which are UDP-based

TCP: FTP, HTTP, Telnet, SMTP, POP3, HTTPS
UDP: DNS, SNMP, NFS
