Wireshark packet capture illustration: TCP three-way handshake / four-way wave in detail (wireshark)

Source: Internet
Author: User
Tags: ack, file transfer protocol

I. TCP/IP protocol family

TCP/IP is a protocol family that is usually developed as a set of layers, each responsible for a different communication function. It contains the following four layers:

1. The link layer, also called the data link layer or network interface layer, usually includes the device driver in the operating system and the corresponding network interface card in the computer. Together they handle the details of the physical interface to the cable (or any other transmission medium).

2. The network layer, also called the Internet layer, handles the movement of packets around the network, such as the routing of packets. Network layer protocols include IP (Internet Protocol), ICMP (Internet Control Message Protocol) and IGMP (Internet Group Management Protocol).

3. The transport layer provides end-to-end communication for the applications on two hosts. In the TCP/IP protocol family there are two distinct transport protocols: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). TCP provides highly reliable data communication between two hosts. Its work includes dividing the data the application hands to it into appropriately sized chunks for the network layer below, acknowledging received packets, setting timeouts to make sure the other end acknowledges the packets that were sent, and so on. Because the transport layer provides reliable end-to-end communication, the application layer can ignore all of these details. UDP, on the other hand, provides a very simple service to the application layer: it just sends packets called datagrams from one host to the other, but does not guarantee that a datagram reaches the other end. Any required reliability must be added by the application layer.

4. The application layer handles the details of a particular application. This includes Telnet (remote login), FTP (File Transfer Protocol), SMTP (Simple Mail Transfer Protocol) and SNMP (Simple Network Management Protocol).

A packet captured by Wireshark, with the corresponding protocol layers, is shown in the following figure:

1. Frame: overview of the physical-layer data frame

2. Ethernet II: data link layer Ethernet frame header

3. Internet Protocol Version 4: Internet layer IP packet header

4. Transmission Control Protocol: transport layer segment header, here TCP

5. Hypertext Transfer Protocol: application layer information, here HTTP

II. TCP protocol

TCP is a connection-oriented, reliable transport protocol based on a byte stream. TCP packs the user data into segments, starts a timer when a segment is sent, has the other end acknowledge the received data, reorders out-of-order data and discards duplicate data.

The characteristics of TCP are:

1. TCP is a connection-oriented transport layer protocol

2. Each TCP connection has exactly two endpoints; every TCP connection is point-to-point

3. TCP provides reliable delivery

4. TCP provides full-duplex communication. Data is transmitted independently in both directions, so each end of the connection must maintain the sequence number of the data transmitted in each direction.

5. TCP is byte-stream oriented. Although the application and TCP exchange data one block at a time, TCP regards the data handed down by the application as nothing more than an unstructured stream of bytes

The TCP segment header is shown in the following illustration:

1. Source port: the port number of the sender of the data, 16 bits

2. Destination port: the port number of the receiver of the data, 16 bits

3. Sequence number: 32 bits, used by the sender to number the bytes it transmits

4. Acknowledgment number: 32 bits. It is the sequence number of the next segment the receiving side expects from the sender; therefore the acknowledgment number is the sequence number of the last successfully received data byte plus 1.

5. Header length: the number of 32-bit words in the header (a 4-bit field), so it can describe a header of at most 15*32 bits = 60 bytes. The usual header length is 20 bytes.

6. Reserved: 6 bits, all 0

7. Urgent bit URG: when URG=1, the segment carries urgent data that should be transmitted as soon as possible.

8. Acknowledgment bit ACK: ACK=1 means this is an acknowledging TCP segment (the acknowledgment number is valid); ACK=0 means it is not an acknowledgment.

9. Push bit PSH: when the sender sets PSH=1, the receiver delivers the data to the application process as soon as possible.

10. Reset bit RST: RST=1 indicates a serious error in the TCP connection; the connection must be released and then re-established.

11. Synchronize bit SYN: used to synchronize sequence numbers when a connection is established. SYN=1, ACK=0 represents a connection request segment; SYN=1, ACK=1 agrees to establish the connection.

12. Finish bit FIN: FIN=1 indicates that the sender of this segment has finished sending its data and requests that the transport connection be released.

13. Window: used for flow control; it tells the other end the size of the send window it may use, i.e. how much data it is allowed to send.

14. Checksum: covers both the header and the data; computed and stored by the sender and verified by the receiver.

15. Urgent pointer: valid only when URG=1; it gives the number of bytes of urgent data in this segment.

16. Options: variable length, up to 40 bytes
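The following is an added example, not code from the original post: it builds a constructed Ethernet II / IPv4 / TCP frame and dissects it layer by layer, the way Wireshark's detail pane lists Ethernet II, Internet Protocol Version 4 and Transmission Control Protocol, then decodes every TCP header field listed above (ports, sequence and acknowledgment numbers, header length, reserved bits, the six flags, window, checksum, urgent pointer, options) and verifies the checksum over the pseudo-header. The MAC addresses, the 192.0.2.x addresses, the ports and the sequence number are constructed sample values.

```python
"""Added example (not from the original post): dissect a constructed Ethernet II /
IPv4 / TCP frame layer by layer and decode every TCP header field, including
checksum verification. All addresses, ports and sequence numbers are sample values."""
import struct

# The 6-bit flags field, bit 0 = FIN up to bit 5 = URG
FLAG_BITS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))

def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum used by the IPv4 and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                               # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the pseudo-header (addresses, protocol 6, TCP length) plus the
    whole segment; the segment's own checksum field must be zero when computing."""
    pseudo = struct.pack("!4s4sBBH", src_ip, dst_ip, 0, 6, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF

def parse_ethernet(frame: bytes) -> dict:
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst.hex(":"), "src": src.hex(":"), "type": ethertype,
            "payload": frame[14:]}

def parse_ipv4(pkt: bytes) -> dict:
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4                       # header length in bytes
    return {"version": ver_ihl >> 4, "ihl": ihl, "total_length": total_len,
            "ttl": ttl, "protocol": proto, "src": src, "dst": dst,
            "payload": pkt[ihl:total_len]}

def parse_tcp(seg: bytes, src_ip: bytes, dst_ip: bytes) -> dict:
    """Decode the 20-byte fixed header (fields 1-15 above) plus the options (16)."""
    (sport, dport, seq, ack, off_flags, window,
     csum, urg_ptr) = struct.unpack("!HHIIHHHH", seg[:20])
    hdr_len = (off_flags >> 12) * 4                  # 4-bit count of 32-bit words
    flags = off_flags & 0x3F                         # the six flag bits
    # With the stored checksum in place, the folded sum must be 0xFFFF, i.e. ~sum == 0
    pseudo = struct.pack("!4s4sBBH", src_ip, dst_ip, 0, 6, len(seg))
    checksum_ok = (~ones_complement_sum(pseudo + seg)) & 0xFFFF == 0
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "header_length": hdr_len, "reserved": (off_flags >> 6) & 0x3F,
            "flags": [name for name, bit in FLAG_BITS if flags & bit],
            "window": window, "checksum": csum, "checksum_ok": checksum_ok,
            "urgent_pointer": urg_ptr, "options": seg[20:hdr_len],
            "payload": seg[hdr_len:]}

def dissect(frame: bytes) -> dict:
    """Walk the layers in the order Wireshark's detail pane shows them."""
    eth = parse_ethernet(frame)
    ip = parse_ipv4(eth["payload"])
    tcp = parse_tcp(ip["payload"], ip["src"], ip["dst"])
    return {"eth": eth, "ip": ip, "tcp": tcp}

def build_tcp_segment(src_ip, dst_ip, sport, dport, seq, ack, flags,
                      window=65535, options=b"", payload=b"") -> bytes:
    options += b"\x00" * (-len(options) % 4)         # pad options to 32-bit words
    hdr_len = 20 + len(options)
    off_flags = ((hdr_len // 4) << 12) | flags
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)
    seg = hdr + options + payload
    csum = tcp_checksum(src_ip, dst_ip, seg)         # computed with the field zeroed
    return seg[:16] + struct.pack("!H", csum) + seg[18:]

def build_frame(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bytes:
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 1, 0x4000,
                         64, 6, 0, src_ip, dst_ip)
    ip_csum = (~ones_complement_sum(ip_hdr)) & 0xFFFF
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_csum) + ip_hdr[12:]
    eth_hdr = bytes.fromhex("66778899aabb") + bytes.fromhex("001122334455") + b"\x08\x00"
    return eth_hdr + ip_hdr + segment

# Constructed sample: a SYN from 192.0.2.10:51234 to 192.0.2.80:80 with an MSS option
CLIENT_IP, SERVER_IP = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 80])
SAMPLE_SYN = build_frame(CLIENT_IP, SERVER_IP, build_tcp_segment(
    CLIENT_IP, SERVER_IP, 51234, 80, seq=0x12345678, ack=0, flags=0x02,
    options=bytes.fromhex("020405b4")))              # MSS = 1460, header length 24

if __name__ == "__main__":
    for layer, fields in dissect(SAMPLE_SYN).items():
        print(layer, {k: v for k, v in fields.items() if k != "payload"})
```

The `checksum_ok` flag is the check a practitioner wants when a capture looks wrong: a segment whose checksum does not verify was either corrupted in transit or, very commonly, captured on the sending host before the NIC filled the field in (checksum offload), which is why Wireshark disables TCP checksum validation by default.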

Each field of a TCP packet captured by Wireshark is shown in the following figure:

III. TCP three-way handshake

When TCP establishes a connection there is a three-way handshake, as shown in the following illustration, where Wireshark captured the three packets of the handshake. The fourth packet is HTTP, which shows that HTTP does use TCP to establish its connection.

Here is a step-by-step analysis of the three handshakes:

First handshake: the client sends a connection request packet to the server with the SYN flag (synchronize sequence number) set to 1 and sequence number x=0 (Wireshark displays relative sequence numbers, so the initial sequence number appears as 0).

Second handshake: the server receives the client's packet and learns from SYN=1 that the client wants to establish a connection. It sends the client a TCP packet with both SYN and ACK set to 1, sets its own initial sequence number y=0, and sets the acknowledgment number to the client's sequence number plus 1, i.e. x+1 = 0+1 = 1, as shown below:

Third handshake: the client receives the server's packet and checks whether the acknowledgment number is correct, i.e. the sequence number it sent the first time plus 1 (x+1=1), and whether the ACK flag is 1. If so, the client sends a confirmation packet in turn: the ACK flag is 1, the SYN flag is 0, the acknowledgment number is y+1 = 0+1 = 1 and the sequence number sent is x+1 = 1. Once this confirmation with ACK=1 and the expected acknowledgment number arrives, the connection is established and data can be transmitted.
IV. TCP four-way wave

When TCP disconnects there is a four-way wave (connection release), as shown in the following illustration, where Wireshark captured the four packets of the wave.

Here is a step-by-step analysis of the four waves:

First wave: the client sends a TCP packet to the server to close the data transfer from the client to the server. The FIN and ACK flags are set to 1, the sequence number is x=1 and the acknowledgment number is z=1.

Second wave: after the server receives the FIN, it sends back an ACK (ACK flag = 1) whose acknowledgment number is the received sequence number plus 1, i.e. x+1 = 2. Its sequence number is the acknowledgment number it received, z=1.

Third wave: the server closes its side of the connection to the client and sends a FIN. The FIN and ACK flags are set to 1, the sequence number is y=1 and the acknowledgment number is x=2.

Fourth wave: the client receives the FIN sent by the server and sends back an ACK (ACK flag = 1) whose acknowledgment number is the received sequence number plus 1, i.e. y+1 = 2. Its sequence number is the acknowledgment number it received, x=2.
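The following is an added example, not code from the original post: it replays the three-way handshake and the four-way wave described in sections III and IV as a list of segments, checks at every step that an ACK acknowledges exactly what the peer sent (a SYN and a FIN each consume one sequence number, data consumes one per byte), and renders the relative sequence numbers that Wireshark displays, so the x=0 / y=0 of the handshake and the x=1, z=1, x+1=2, y+1=2 of the wave fall out of the absolute numbers. The initial sequence numbers and the request length are constructed values; `session`, `check_acks` and `relative_view` are names chosen for this example.

```python
"""Added example (not from the original post): model the three-way handshake and
four-way wave as segments, verify the ack = peer seq + consumed rule at each step,
and show the relative sequence numbers Wireshark displays. ISNs are constructed."""
from dataclasses import dataclass

FLAG_ORDER = ("SYN", "FIN", "PSH", "ACK")   # display order like Wireshark's [SYN, ACK]

@dataclass
class Segment:
    sender: str        # "client" or "server"
    flags: set
    seq: int           # absolute sequence number
    ack: int           # absolute acknowledgment number (meaningful only when ACK is set)
    data_len: int = 0  # payload bytes carried

def three_way_handshake(client_isn: int, server_isn: int) -> list:
    return [
        Segment("client", {"SYN"}, client_isn, 0),                       # 1st handshake
        Segment("server", {"SYN", "ACK"}, server_isn, client_isn + 1),   # 2nd handshake
        Segment("client", {"ACK"}, client_isn + 1, server_isn + 1),      # 3rd handshake
    ]

def four_way_wave(client_seq: int, server_seq: int) -> list:
    """client_seq / server_seq: each side's next sequence number when the close starts."""
    return [
        Segment("client", {"FIN", "ACK"}, client_seq, server_seq),       # 1st wave
        Segment("server", {"ACK"}, server_seq, client_seq + 1),          # 2nd wave
        Segment("server", {"FIN", "ACK"}, server_seq, client_seq + 1),   # 3rd wave
        Segment("client", {"ACK"}, client_seq + 1, server_seq + 1),      # 4th wave
    ]

def session(client_isn: int, server_isn: int, request_len: int = 0) -> list:
    """Handshake, an optional request (like the HTTP packet that follows the
    handshake in the capture) with the server's ACK, then the four-way wave."""
    segs = three_way_handshake(client_isn, server_isn)
    c, s = client_isn + 1, server_isn + 1           # each SYN consumed one sequence number
    if request_len:
        segs.append(Segment("client", {"PSH", "ACK"}, c, s, request_len))
        c += request_len
        segs.append(Segment("server", {"ACK"}, s, c))
    return segs + four_way_wave(c, s)

def check_acks(segments: list) -> bool:
    """Every ACK in a full transcript must equal the peer's last seq plus what that
    segment consumed (SYN/FIN count one each, data counts its length)."""
    expected = {}                                   # side -> ack number it should get next
    for seg in segments:
        peer = "server" if seg.sender == "client" else "client"
        if "ACK" in seg.flags and expected.get(peer) != seg.ack:
            return False
        consumed = ("SYN" in seg.flags) + ("FIN" in seg.flags) + seg.data_len
        if consumed:                                # a bare ACK consumes no sequence space
            expected[seg.sender] = seg.seq + consumed
    return True

def relative_view(segments: list, client_isn: int, server_isn: int) -> list:
    """Seq/ack as Wireshark shows them: each side's ISN is subtracted, so the
    handshake starts at seq 0 and the first ACK shows as 1."""
    rows = []
    for seg in segments:
        own_isn, peer_isn = ((client_isn, server_isn) if seg.sender == "client"
                             else (server_isn, client_isn))
        flags = ", ".join(f for f in FLAG_ORDER if f in seg.flags)
        rel_ack = seg.ack - peer_isn if "ACK" in seg.flags else 0
        rows.append((seg.sender, flags, seg.seq - own_isn, rel_ack))
    return rows

if __name__ == "__main__":
    C_ISN, S_ISN = 3_000_000_000, 1_500_000_000     # constructed ISNs
    segs = session(C_ISN, S_ISN, request_len=120)
    print("acks consistent:", check_acks(segs))
    for sender, flags, seq, ack in relative_view(segs, C_ISN, S_ISN):
        print(f"{sender:6} [{flags}] seq={seq} ack={ack}")
```

Run as-is, the relative view of the wave prints exactly the values in the walkthrough above (FIN, ACK with seq 1, ack 1; ACK with ack 2; FIN, ACK with seq 1, ack 2; ACK with seq 2, ack 2) when no data is exchanged; with a request in between, the client's sequence number at the first wave is 1 plus the request length, which is what a capture of a real HTTP session shows.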

From: http://blog.sina.com.cn/s/blog_411bab060102w8v0.html
