"Linux" about the TCP three-time handshake and four waves

1. What is TCP?

About OSI's seven-layer model

• TCP on layer fourth--transport, fourth layer of data called segment-"message
• IP in the third layer--network layer, the data on the third layer is called packet-"packet
• ARP in the second layer--data the link layer; On the second layer of data, we call it frame-"frame

Data from the application layer is sent down, each layer will be added header information, encapsulation, and then sent to the data receiving end, that is, each data will be encapsulated and packaged data package process.

Wireshark catches the package with the corresponding protocol layer as shown in

• Frame 36441: Data Frame Overview of the physical layer
• Ethernet II: Data Link Layer Ethernet frame header information
• Internet Protocol Version 4:ipv4 Network layer
• Transmission Control protocol:tcp Transport Layer
• Hypertext Transfer Protocol: Application layer HTTP

In the OSI seven layer model, the role of each layer and the corresponding protocol are as follows:

Wireshark captured the transmission layer of the message

TCP is a protocol, how is this protocol defined, and what is its data format like?

The above is the TCP protocol header format, because it is too important, is to understand the basis of other content, the following will be the information of each field is described in detail

• Source Port and Destination Port : Occupy 16 bits, respectively, the source port number and destination port number, to distinguish between different processes in the host, and the IP address is used to distinguish between different hosts, the source port number and destination port number in conjunction with the IP header source IP address and destination IP address can only determine a TCP connection;
• Span style= "color: #0000ff;" > Sequence Numbe r : Used to identify the data stream that is sent from the TCP originator to the TCP receiver, which represents the ordinal of the first data byte in the data flow in the packet segment, and is mainly used to solve the problem of the network report disorderly order;
• acknowledgment number : 32-bit Confirmation the serial number contains the next sequence number expected to be received at the end of the send acknowledgement, so the confirmation sequence should be the last time the data byte sequence number plus 1 was received successfully. However, the confirmation Sequence Number field is valid only if the ACK flag in the flag bit is 1 o'clock. It is mainly used to solve the problem of not losing packets;
• offset : The number of words in the first department, This value is required because the length of the optional field is variable. This field accounts for 4bit (up to 15 32bit of words, that is, the first ministerial of 4*15=60 bytes), so TCP has a maximum of 60 byte headers. However, there is no optional field, the normal length is 20 bytes;
• tcp flags : There are 6 flag bits in the TCP header, More than one of them can be set to 1 at the same time, mainly for manipulating TCP's state machine, followed by URG , ACK , PSH , RST , SYN , FIN . Each flag bit means the following:

• • URG: This flag indicates that the TCP packet's emergency pointer domain is valid, to ensure that the TCP connection is not interrupted, and to urge the middle-tier device to process the data as soon as possible;
  • ACK: This flag indicates that the answer domain is valid, that is, the preceding TCP answer number will be included in the TCP packet, there are two values: 0 and 1, the time of 1 indicates that the answer domain is valid, and vice versa is 0;
  • PSH: This flag bit indicates the push operation. The so-called push operation means that the packet is delivered to the application immediately after it arrives at the receiving end, rather than queued in the buffer;
  • RST: This flag indicates a connection reset request. Used to reset the connection that generated the error and is also used to reject errors and illegal packets;
  • SYN: Indicates the synchronization sequence number used to establish the connection. The SYN flag bit and the ACK flag bit are used together, when the connection request, SYN =1, ACK = 0; When the connection is responding, SYN =1, ACK = 1; the packet of this flag is often used for port scanning. The scanner sends a only packet SYN , and if the other host responds with a packet back, it indicates that the host has this port, but since this scan is only the first handshake of the TCP three handshake, the success of this scan indicates that the machine being scanned is not very secure, A secure host will force a tightly connected three-time handshake to TCP;
  • FIN: Indicates that the sender has reached the end of the data, that is to say, the data transfer is complete, no data can be transmitted, send the FIN flag bit TCP packets, the connection will be disconnected. The packet of this flag is also often used for port scanning.

• Windows: Window size, known as a sliding window, for flow control; This is a complex question that is not summarized in this blog post.

About three handshakes and four waves

Wireshark Grab Bag

A network connection in a reverse proxy

2, three times what is the handshake

TCP is connection-oriented, and you must first establish a connection between the two parties in either direction before the other party sends the data. In the TCP/IP protocol, the TCP protocol provides a reliable connection service, which is initialized by a three-time handshake. The purpose of the three-time handshake is to synchronize the serial number and confirmation number of both parties and Exchange TCP window size information.

First handshake: establishes the connection. The client sends the connection request message segment, the SYN location is 1, Sequence Number X, and then the client enters the SYN_SEND state, waiting for the server to confirm;

Second handshake: The server receives the SYN message segment. The server receives the message segment of the client, SYN it needs to SYN confirm the segment, set it Acknowledgment Number to X+1 ( Sequence Number + 1), and also send the SYN request information itself, the SYN location is 1, Sequence Number y The server will put all of the above information into a message segment (that is SYN+ACK , a message segment), a concurrent send to the client, when the server entered the SYN_RECV state;

Third handshake: The client receives a message segment from the server SYN+ACK . Then Acknowledgment Number set to Y+1, send the message segment to the server, ACK after the message segment is sent, the client and server side are ESTABLISHED in state, complete the TCP three handshake.

After three handshakes, the client and server can start transmitting data, and using tcpdump to grab packets on the server, you can see

[Email protected] ~]# tcpdump-i lo  port 12000tcpdump:verbose output suppressed, use-v OR-VV for full protocol Dec Odelistening on Lo, Link-type en10mb (Ethernet), capture size 65535 bytes22:58:54.952917 IP localhost.48383 > localhost . entextxid:flags [S], seq 439289121, Win 65495, options [MSS 65495,sackok,ts val 4017863386 ECR 0,nop,wscale 7], length 0  22:58:54.952928 IP localhost.entextxid > Localhost.48383:flags [S.], seq 3569639229, Ack 439289122, win 65483, options [MSS 65495,sackok,ts Val 4017863386 ECR 4017863386,nop,wscale 7], length 022:58:54.952938 IP localhost.48383 > Localho St.entextxid:Flags [.], ACK 1, Win, options [Nop,nop,ts Val 4017863386 ECR 4017863386], length 0

We can see

Client = Server SEQ = 439289121 flags = S

Server=>client ack=seq+1=439289122, seq = 3569639229 flags = S

Client=>server ack=1 flags = Empty

• Win: The Window field clearly indicates the amount of data that is now allowed to be sent (often changing)
• MSS (Maximum Segment Size): The maximum segment length, that is, the maximum length of the data field in each TCP segment. Here we need to negotiate in the handshake, both sides give the MSS, and finally the minimum MSS is determined as the final MSS.IP datagram Maximum transmission unit is the MTU (Maximum transmission unit,effect of short board), mtu=1500 for most LANs using Ethernet. MSS is often calculated based on MTU, usually mss=mtu-sizeof (IP header)-sizeof (TCP header) =1500-20-20=1460
• Sackok Confirmation Field

After the connection is established, we are sending a command

23:08:44.906783 IP localhost.48387 > Localhost.entextxid:Flags [P.], seq 1:8, ack 1, Win, options [Nop,nop,ts Val 4018453340 ECR 4018450643], length 723:08:44.906802 IP localhost.entextxid > Localhost.48387:flags [.], ACK 8, win 512  , options [Nop,nop,ts Val 4018453340 ECR 4018453340], length 023:08:44.906997 IP localhost.entextxid > localhost.48387:  Flags [P.], seq 1:1174, ack 8, win, options [Nop,nop,ts Val 4018453340 ECR 4018453340], length 117323:08:44.907008 IP localhost.48387 > Localhost.entextxid:Flags [.], ACK 1174, win 531, options [Nop,nop,ts Val 4018453340 ECR 4018453340 ], length 0

3, that four time to break up?

Because TCP connections are full-duplex, each direction must be closed separately. The principle is that when a party completes its data sending task, it can send a fin to terminate the connection in this direction. Receiving a fin only means there is no data flow in this direction, and a TCP connection can still send data after receiving a fin. The first party to close will perform an active shutdown, while the other side performs a passive shutdown

The first breakup: Host 1 (Can make the client, can also be the server side), set up Sequence Number and Acknowledgment Number , to host 2 send a FIN message segment; At this time, the host 1 into the FIN_WAIT_1 state; This means that the host 1 has no data to be sent to host 2;

Second breakup: Host 2 received the host 1 sent the FIN message segment, to the host 1 back a ACK message segment, Acknowledgment Number Sequence Number add 1; Host 1 into the FIN_WAIT_2 state; Host 2 tells the host 1, I also have no data to send, you can close the connection;

Third breakup: Host 2 to the host 1 send a FIN message segment, request to close the connection, while the host 2 into the CLOSE_WAIT State;

The fourth break: Host 1 received the host 2 sent the message segment, FIN to host 2 sent a ACK message segment, and then host 1 into the TIME_WAIT state, host 2 received a host 1 of the ACK message segment, the connection is closed, at this time, the host 1 wait for 2MSL still did not receive a reply, This proves that the server side has shut down properly, so the host 1 can also shut down the connection.

At this point, TCP's four breakup was so enjoyable to complete

4. Why do I have to shake hands three times

• LISTEN: This is also very easy to understand a state, that the server side of a socket is listening state, can accept the connection.
• syn_sent: When the client socket performs a connect connection, it sends a SYN message first, so it will then enter the Syn_sent state and wait for the server to send the 2nd message in the three-time handshake. The Syn_sent status indicates that the client has sent a SYN message. (Sender side)
• SYN_RCVD: This state and syn_sent thinking back echo this state to accept the SYN message, under normal circumstances, this state is the server side of the socket in the establishment of a TCP connection during the three handshake session in the process of a middle state, very short, Basically with netstat you are very difficult to see this state, unless you deliberately write a client test program, deliberately three times the TCP handshake process last ACK message is not sent. Therefore, when the ACK message is received from the client, it goes into the established state. (Server side)
• established: This is easy to understand, indicating that the connection has been established.

Now that you have summed up the three-time handshake for TCP, why do you have to do it three times? How do you think two times can be done. Why does TCP have to connect three times? This is said in Shehiren's computer network:

In order to prevent the failed connection request packet suddenly transmitted to the service side, resulting in an error.

In the book, we also cite an example, as follows:

"Invalid connection request segment" is generated in a situation where the first connection request message segment of the client is not lost, but is stuck in a network node for a long period of time before it reaches the server at some point after the connection is released. Originally this is a message segment that has already expired. However, after the server receives this failed connection request message segment, it is mistaken for a new connection request from the client. The client is then sent a confirmation message segment, agreeing to establish a connection. Assuming that the "three-time handshake" is not used, the new connection is established as soon as the server issues a confirmation. Because the client is now not making a connection request, the server acknowledgement is ignored and data is not sent to the server. But the server thought the new transport connection had been established and waited for the client to send the data. In this way, many of the server's resources are wasted. The use of "three-time handshake" method can prevent the above phenomenon. For example, in that case, the client does not issue confirmation to the server's confirmation. The server knows that the client does not require a connection because it cannot receive a confirmation. ”

This is clear, preventing server-side waiting and wasting resources.

5, why to break up four times

The TCP protocol is a connection-oriented, reliable, byte-stream-based Transport Layer communication Protocol, which is full-duplex, so each direction must be closed separately. The principle is that when a party completes its data sending task, it can send a fin to terminate the connection in this direction. Receiving a fin only means there is no data flow in this direction, and a TCP connection can still send data after receiving a fin. The first party to close will perform an active shutdown, while the other side performs a passive shutdown

When the host 1 sends the FIN message segment, only indicates that the host 1 has no data to send, the host 1 tells the host 2, its data has all been sent, but this time the host 1 can still accept data from the host 2, when the host 2 returns the ACK message segment, It is known that the Host 1 no data sent, but host 2 can still send data to host 1, when the host 2 also sent a FIN message segment, this time indicates that the host 2 also no data to send, will tell the host 1, I have no data to send, And then each other will happily interrupt this TCP connection. If you want to understand the principle of four break-up correctly, you need to understand the state changes during the four breakup process.

• FIN_WAIT_1: This state should be well explained, in fact, FIN_WAIT_1 and FIN_WAIT_2 the real meaning of the state is to wait for each other's fin message. The difference between the two states is that the FIN_WAIT_1 state is actually when the socket in the established state, it would like to actively close the connection, sent to the other side of the FIN message, when the socket is entered into the FIN_WAIT_1 state. And when the other party responds to the ACK message, then into the FIN_WAIT_2 state, of course, in the actual normal situation, regardless of the circumstances of the other party, should immediately respond to the ACK message, so the FIN_WAIT_1 state is generally more difficult to see, and the FIN_WAIT_2 state is sometimes often can be seen with netstat. (Active side)
• FIN_WAIT_2: The above has explained in detail this state, FIN_WAIT_2 the actual state of the socket, indicating a semi-connection, that is, one side requires close connection, but also tell the other side, I have a little bit of data to send you (ACK information), and then close the connection. (Active side)
• CLOSE_WAIT: The meaning of this state is actually expressed in waiting to be closed. How do you understand it? When the other side close a socket FIN to send a message to yourself, your system will undoubtedly respond to an ACK message to the other side, this time into the CLOSE_WAIT state. Next, the real thing you really need to consider is whether you still have the data sent to the other person, if not, then you can close the socket, send FIN messages to each other, that is, close the connection. So what you CLOSE_WAIT need to accomplish in the state is waiting for you to close the connection. (Passive side)
• LAST_ACK: This state is still relatively easy to understand, it is a passive shutdown after sending a FIN message, and finally wait for the other party's ACK message. When an ACK message is received, it is also possible to enter the closed available state. (Passive side)
• TIME_WAIT: It received the fin message from the other side, and sent out the ACK message, so 2MSL can return to the closed available state. If the finWAIT1 state, received the other side with the fin sign and the ACK sign of the message, you can directly into the TIME_WAIT state, without having to go through the FIN_WAIT_2 state. (Active side)
• CLOSED: Indicates a connection interruption.

6. Why use 3 handshake instead of 2 handshake

If the two-time handshake, the client may be due to network congestion and other reasons to send multiple request packets, then the server will establish a connection, waste a lot of server resources.

7, why the connection is three times handshake, and close the connection is four times wave

This is because the server is in the listen state, after receiving the SYN message to establish the connection request, the ACK and SYN are placed in a message sent to the client. And when the connection is closed, when the other side of the fin message, only to indicate that the other party no longer send the data but also can receive data, you may not all the data are sent to each other, so you can immediately close, you can send some data to each other, then send fin message to the other side to express the consent to now close the connection, Therefore, your own ACK and fin are generally divided into the development of send.

8, why in four wave must wait for 2MSL of time what is 2MSL

The MSL is maximum Segment Lifetime, translated as "Maximum message survival time", which is the longest time any message exists on the network, and the message will be discarded over this time.

2MSL that is twice times the time_wait state of the msl,tcp is also known as the 2MSL wait state, when one end of TCP initiates an active shutdown, after the last ACK packet is sent, that is, after the 3rd handshake is completed, the fourth handshake after the ACK packet has entered the TIME_WAIT state, The MSL time must be two times longer in this state. (The MSL is specified in RFC 793 for 2 minutes, the actual application is 30 seconds, 1 minutes and 2 minutes, etc.)

Wait 2MSL time The main purpose is to be afraid of the last ACK package the other party confiscated, then the other side after the timeout will be re-send the third handshake fin bag, active close to the re-issued Fin packet can be sent again an ACK reply packet. Ports on both ends cannot be used in the TIME_WAIT state, and will not continue to work until the end of 2MSL time. Any late message segments are discarded when the connection is in the 2MSL wait phase. In practice, however, you can use this port by setting the SO_REUSEADDR option to not have to wait until the end of 2MSL time.

Survival time: The TCP Message (segment) is the data part of the IP datagram (datagram), and the IP header has a TTL domain, the TTL is the abbreviation of time to live, the Chinese can be translated as "lifetime", the time to live is the source host set the initial value but not the specific time to save , instead of storing a maximum number of routes that an IP datagram can pass, this value is reduced by 1 for each router that handles him, and when this value is 0 The datagram is discarded, sending an ICMP message to the source host.

The TTL is related to the MSL but is not a simple equal relationship, and the MSL is greater than or equal to the TTL.

Why time_wait status needs to stay 2MSL for such a long time

If the TIME_WAIT state hold time is not long enough, the first connection terminates normally. A second connection with the same five-tuple appears, and the first concatenated duplicate message arrives, interfering with the second connection. TCP must prevent a duplicate message of a connection from appearing after the connection is terminated, so that the time_wait status remains long enough (2MSL), and the TCP message connected to the corresponding direction is either completely complete or discarded. When a second connection is established, it is not confused.

9.time_waitcause

A) Nginx uses a short connection, may cause a large number of connections in the TIME_WAIT state

b) The TCP/IP designer was originally designed to do this, Prevent packets from the last connection, get lost and re-appear, affect the new connection (after2MSL, all duplicate packets in the last connection will disappear);Reliable shut-offTCPConnectionThe last one sent by the active closing partyack (FIN), it is possible to lose, then the passive will re-sendFinIf the active party is at this timeCLOSEDState, it will respondrstand notack. SoThe active party should be intime_waitstate, and cannot beCLOSED

c) the solution of excessive time_wait

Net.ipv4.tcp_syncookies = 1//indicates that SYN Cookies are turned on. When a SYN wait queue overflow occurs, cookies are enabled to protect against a small number of SYN attacks, the default is 0, which means close; Net.ipv4.tcp_tw_reuse = 1//means turn on reuse. Allows the time-wait sockets to be reused for new TCP connections, which defaults to 0 for shutdown, net.ipv4.tcp_tw_recycle = 1//For fast recycling of time-wait sockets on TCP connections, and 0 for shutdown by default. Net.ipv4.tcp_fin_timeout = 30//indicates that if the socket is closed by this side, this parameter determines when it remains in the fin-wait-2 state. Net.ipv4.tcp_keepalive_time = 1200//indicates the frequency at which TCP sends keepalive messages when KeepAlive is employed. The default is 2 hours, which is changed to 20 minutes. Net.ipv4.ip_local_port_range = 1024 65000//indicates the range of ports used for outward connection. Small by default: 32768 to 61000, 1024 to 65000. Net.ipv4.tcp_max_syn_backlog = 8192//Indicates the length of the SYN queue, default is 1024, and the queue length is 8192, which can accommodate more network connections waiting to be connected. Net.ipv4.tcp_max_tw_buckets = 5000//Indicates that the system maintains the maximum number of time_wait sockets at the same time, if this number is exceeded, the time_wait socket is immediately cleared and the warning message is printed, which defaults to 180000. Instead of 5000.

For Apache, Nginx and other servers, the parameters of the last few lines can be a good way to reduce the number of time_wait sockets, but for squid, the effect is not small. This parameter controls the maximum number of time_wait sockets, preventing squid servers from being dragged to death by a large number of time_wait sockets.

Reference articles

Http://www.cnblogs.com/tankxiao/archive/2012/10/10/2711777.html

http://blog.csdn.net/whuslei/article/details/6667471

http://molewan.blog.51cto.com/287340/114592

http://www.jellythink.com/archives/705

Https://wiki.wireshark.org/DisplayFilters

"Linux" about the TCP three-time handshake and four waves