A deep understanding of TCP/IP protocol stack

Abstract: This article briefly introduces TCP connection-oriented theory knowledge, describes the meaning of each field of TCP packets in detail, and captures data from Wireshark.
Select a TCP connection in the group to establish the relevant packet segment for analysis. Www.2cto.com 1. Overview TCP is a reliable connection-oriented transmission protocol. Two processes need to establish a connection before sending data to each other.
The group switch in the middle does not maintain any connection status information. Connection establishment process
The three-way handshake protocol is as follows ):

First, the client sends a special TCP packet segment. Second, the server responds with another special TCP packet segment. Finally, the client uses the third special packet segment as the response. Figure 1 three-way handshake protocol [1] II. TCP packet format 2.1 Overview in order to provide reliable data transmission, there are many fields in the TCP packet header field. The TCP packet format is as follows: figure 2 TCP packet format source and target port are used for Multiplexing/multi-channel decomposition of data from or from the top layer application. It can be understood that the port is used to identify
Different processes on the same computer. The serial number and validation number fields are the key parts of the TCP reliable transmission service. The serial number is the first byte stream Number of the message segment.
(TCP regards data as an ordered byte stream. TCP implicitly numbers each byte of the data stream ). In this case
The solution may be more intuitive. When a packet is divided into multiple packet segments, the serial number is the first byte of the packet segment in the entire packet
Offset. The confirm number specifies the next expected byte. TCP is full-duplex. Assume that the host B is received from host.
The validation number of host A filling in the packet segment is the next byte number that host A expects to receive from host B.
Have the relationship between the two been clarified? See Figure 3 (three-way handshake): the length of the header of the TCP connection establishment process (4 digits) is not long because the options are not long, this requires the length of the entire header field (unit: 32 characters), that is, 5 + options
Number. 4-bit. The unit is 32 characters. Therefore, the maximum length of the header is 15*4 = 60 bytes, that is, the maximum length of the option is 40 characters.
Section (10 options ). The URG indicates that there is an upper-layer entity marked as "urgent" data in the message segment by the sender. When URG = 1, the subsequent closeness
Indicates the location of the emergency data in the current data segment (the byte offset relative to the current serial number ).
The recipient must notify the upper-layer entity. When ACK is set to 0, it indicates that the data segment does not contain confirmation information. When ACK is set to 1, it indicates that the text segment includes a pair
The message segment has been successfully received for confirmation. When PSH is set to 1, the Receiver immediately delivers the data to the upper layer after receiving the data, rather than until the entire buffer zone is full. RST is used to reset a chaotic connection (such as a master crash). It can also be used to reject an invalid data segment or reject
A connection request. Generally, if the data segment you get is set with the RST bit, it means that
An error occurred. SYN is used to establish the connection. In the connection request, SYN = 1 and ACK = 0 indicate that the data segment does not use the RST band.
And the connection response token carries a confirmation, that is, SYN = 1 and ACK = 1. Note: refer to the number of bytes that are loaded into a server-to-client for confirmation of client-to-server data.
Data packets. FIN is used to release a connection, indicating that the sender has no data to transmit. At this time, the receiver may continue to connect
Data collection. Fortunately, both SYN and FIN data segments have serial numbers, which ensures that these two data segments are correct.
The order is processed. The window size is used for throttling (ensure that neither party connected sends an excessive group too quickly and the other party is drowned ).
The size specifies the number of bytes that can be sent from the confirmed bytes. The Checksum provides extra reliability. During the verification, the Checksum field of TCP is set to 0.
If the number of bytes is odd, the data field fills in an additional 0 bytes. Checksum algorithm: Based on all 16 characters
1. Therefore, when the receiver executes the same calculation (including
Checksum field), the result should be 0. For an emergency pointer, refer to the URG bit of the flag field. The option is designed to fit complex network environments and better serve the application layer. Maximum TCP options
It is 40 bytes. For details, see 2.2. TCP segments without any data are also valid and are usually used to confirm and control information. 2.2 option field [2] the TCP option section appears in the established connection session, as long as it appears in the TCP connection establishment stage,
That is, three handshakes. The actual use of the TCP option includes the following: (1) the Maximum message transmission Segment (MMS, Maximum Segment Size) is used to send and send the Maximum message Segment length negotiated with the receiver (only net load data, does not include the TCP header field ).
In TCP three-way handshake, each party will announce the desired MSS (the MSS only appears in the SYN Packet ),
If one party does not accept the MSS value of the other party, the default 536-byte net load data is used, that is, the host can access
The TCP packet segment consists of 20 + 536 bytes. (2) Window scaling: The Window Size Field of TCP packets occupies 16 bits, that is, the maximum value is 65535.
Communication generation (such as satellite communication) requires a larger window to meet the performance and throughput. This is the window expansion option.
Meaning of existence. For examples, see references [2]. Windows scaling occupies three bytes. The last byte is the Shift count, that is, the first window.
The number of digits is 16 to the left. If the shift value is 14, the maximum value of the new window is increased to 65535*(2 ^ 14 ). The window expansion option is negotiated at the beginning of TCP establishment. If window expansion is implemented
When the window is expanded, the original window size can be restored after the sent shift value is 0, that is, 65535. (3) Select the validation option (SACK, Selective Acknowledgements). In this case, host A sends A message segment of 12345, host B receives 135 messages, and the message is error-free. SACK is used
Ensure that only the missing packets are retransmitted, instead of all packets. The SACK option requires two feature bytes. One is used to specify the SACK Option (SACK Permission ),
Specify the number of bytes of this option. How to describe the lost packet segment 2, indicating that the Left and Right boundaries of 2 are 1 and 3 respectively. TCP data packets are
Block boundary, which is represented by the serial number.
How many bytes of boundary information can be specified at www.2cto.com? The answer is four. This is because the maximum value of the option field is 40.
Remove two feature bytes. The serial number is 32-bit or 4-byte and requires the left and right boundary.
(40-2)/8 = 4. (4) The timestamps option is used to calculate the round-trip time RTT. The sender sends the time value of the current clock during the packet segment.
In the timestamp field, the receiver copies the value of the timestamp field to the confirmation message. When the receiver receives
Confirm the message, compare the timestamp (equal to the timestamp of the sender's message segment) with the current clock,
You can calculate the RTT. The timestamp option can also be used to prevent loop number PAWS. The serial number is only 32 bits. Every 2 ^ 32 serial numbers will
Round-Robin (think about the ring Queue), The timestamp option is used to easily distinguish packet segments with the same serial number. (5) the header of NOP (NO-Operation) TCP must be a multiple of 4 bytes, and most options are not a multiple of 4 bytes. If the header is insufficient, it should be filled with NOP.
In addition, NOP is also used to split data of different options, such as the use of NOP between window expansion options and SACK
Isolation (this is shown in the following instance ). Iii. Overview of instance resolution 3.1 refer to accessing the Baidu homepage as an example. First, use the DNS protocol to resolve the URL to an IP address, and then go to the client and the service
Set up TCP connections between devices and use Wireshark-captured groups, for example, figure 4 Wireshark-captured to set up TCP connection groups. You may think this is a bit strange. In theory, it should be three groups, how can there be 6 groups? Don't worry, first put the six
Send and receive packets (combined with time and message meanings), as shown in Figure 5. TCP connection is used to establish an instance. As shown in the figure below, when a connection is established, the client sends two packets, this may be for faster connection establishment (assuming there are
The request segment is lost, so it won't wait for a while to resend the packet ). Next, take 19, 21, 22 (
Analyzes the TCP connection establishment process. 3.1 The first handshake 19Wireshark captures the packet segment of the first handshake of the TCP connection as follows: Figure 6 The first handshake instance of the TCP connection mainly selects several fields for analysis: flag field, SYN = 1 and ACK = 0 indicate that the validation domain of the data segment is not used. How does the maximum message segment length (MMS) 1460 come from? The Ethernet physical characteristics of the Link Layer determine that the data frame length is
1500 (MTU, maximum transmission unit), 1460 = 1500-20 (IP header length)-20 (TCP Header length ). Do not be
The length of the first part of the message is 32 bytes. This is only the connection process. For the relationship between MSS and MTU, see [2]: Figure 7 NOP field of the MSS-MTU relationship, which can be filled with less than 4 multiples of bytes or separated as options. Three message segments appear
NOP. For specific functions, see Figure 8 TCP packet NOP field 3.3 second handshake 21 Server Response client TCP packet segment. The confirmation number is 1, SYN = 1, ACK = 1 indicates connection response
With a confirmation, Wireshark capture group is as follows: Figure 9 Why is the MSS 1452 instead of 1460 for a TCP connection second handshake instance? This is because PPPoE (Point-to-Point over Ethernet,
The Ethernet host can be connected to an unreasonable Access Concentrator through a simple bridging device [3]) for dial-up Internet access,
The PPoP header is 8 bytes, so the MTU of PPPoE is 1492, And the MSS is 1492-40 = 1452. What is the MSS for data transmission after a TCP connection is established? 1460 or 1452 or 536? In my understanding
The default value is 536. Is that correct? Please advise!
Www.2cto.com 3.4 The third handshake 22 the client resends the message segment of the server. At this time, the serial number and confirmation number are both 1, and no option field is available. Wireshark
The captured group information is as follows: Figure 10 the TCP connection to the third handshake instance is worth noting. Because the window expansion negotiation fails, the window size is not expanded, that is, the window size is the largest.
It is 65535. In this case, the TCP connection is established :-)