Linux Network Programming--wireshark parsing the format of the TCP header

Source: Internet
Author: User
Tags: ack

Summary:

This article introduces the theory behind TCP's connection-oriented service and describes the meaning of each field of the TCP segment. The segments that establish one TCP connection, selected from a Wireshark packet capture, are then analyzed.


I. Overview

TCP is a reliable, connection-oriented transport protocol. Two processes must establish a connection before exchanging data. This connection consists only of buffers and state variables allocated in the end systems; the packet switches in between keep no connection state at all.

The connection is established in the following steps (the three-way handshake):

First, the client sends a special TCP segment;

Second, the server responds with a special TCP segment of its own;

Finally, the client replies with a third special segment.

Figure 1 Three-way handshake protocol [1]

II. TCP segment format

2.1 Overview

To provide reliable transmission, the TCP header carries quite a few fields. The TCP segment format is as follows:

Figure 2 TCP segment format

Source and destination port

Used for multiplexing and demultiplexing data from and to the upper-layer application. Put simply, a port identifies a particular process on a given host.

Sequence number and acknowledgment number

These two fields are a critical part of TCP's reliable transport service. The sequence number is the byte-stream number of the first byte in the segment (TCP treats the data as an ordered stream of bytes and implicitly numbers every byte of that stream). This is more intuitive when a message is split into several segments: the sequence number is the offset of the segment's first byte within the whole message. The acknowledgment number gives the next byte expected. TCP is full-duplex, so when host A receives data from host B, the acknowledgment number host A puts into its segment is the sequence number of the next byte host A expects to receive from host B.

Still unclear about the relationship between the two? See the three-way handshake:

Figure 3 TCP connection establishment under normal circumstances

Header length (4 bits)

Because the options are of variable length, the header length field must record the length of the entire header in 32-bit words: 5 words plus the options. The field is 4 bits wide and its unit is a 32-bit word, so the longest header is 15*4=60 bytes, which means the options are at most 40 bytes (10 words).

Flags

URG

Indicates that the sender's upper-layer entity has marked data in this segment as "urgent". When URG=1, the urgent pointer gives the position of the urgent data within the segment (as a byte offset from the current sequence number), and the TCP receiver must notify its upper-layer entity.

ACK

When ACK=0, the segment carries no acknowledgment information. When ACK=1, the segment acknowledges that a segment has been successfully received.

PSH

When PSH=1, the receiver hands the data to the upper layer immediately on receipt instead of waiting until the whole buffer is full.

RST

Used to reset a connection that has become confused (for example after a host crash), or to reject an invalid segment or refuse a connection request. In general, if a segment you receive has the RST bit set, something has gone wrong at your end.

SYN

Used in the connection request during connection establishment. SYN=1 and ACK=0 indicate that the segment does not use a piggybacked acknowledgment field; the connection reply carries an acknowledgment, that is, SYN=1 and ACK=1.

Note: piggybacking means that the acknowledgment of client-to-server data is carried inside a data segment travelling from the server to the client.

FIN

Used to release a connection; it indicates that the sender has no more data to transmit.

At this point, data can still flow in the other direction. Fortunately, both SYN and FIN segments carry sequence numbers, which ensures that these segments are processed in the correct order.

Window size

Used for flow control (ensuring that neither party sends so much data so quickly that it overwhelms the other). The window size specifies how many bytes may be sent beyond the byte that has been acknowledged.

Checksum

Provides additional reliability. When the checksum is computed, the TCP checksum field is set to 0, and if the data field has an odd number of bytes it is padded with one extra zero byte. Checksum algorithm: add all 16-bit words using one's complement arithmetic, then take the one's complement of the accumulated result. When the receiver runs the same calculation over the segment (checksum field included), the result should be zero (all one bits, which is zero in one's complement).
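As an added example (not the article's own code), the checksum computation described above in Python. It also covers the IPv4 pseudo-header (source and destination address, protocol number 6 and TCP length), which the real calculation includes but the paragraph does not mention; the addresses and the sample SYN segment are constructed.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """Add all 16-bit words with end-around carry (one's complement addition)."""
    if len(data) % 2:
        data += b"\x00"                      # odd length: pad one zero byte, as the article says
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip: bytes, dst_ip: bytes, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero byte, protocol 6 (TCP), TCP length."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, 6, tcp_len)

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Sender side: zero the checksum field (bytes 16-17), sum, then complement."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)
    return (~total) & 0xFFFF

def verify_tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """Receiver side: the same sum, now including the checksum field, must be 0xFFFF
    (all ones), which is zero in one's complement arithmetic."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF

# Constructed sample (not from the article's capture): a bare SYN, 10.0.0.1:12345 -> 10.0.0.2:80.
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
SYN = struct.pack("!HHIIHHHH", 12345, 80, 0, 0, (5 << 12) | 0x002, 65535, 0, 0)

def build_and_verify() -> bool:
    """Fill in the checksum, verify it, then show that a single flipped bit is caught."""
    csum = tcp_checksum(SRC, DST, SYN)
    filled = SYN[:16] + struct.pack("!H", csum) + SYN[18:]
    corrupted = bytes([filled[0] ^ 0x01]) + filled[1:]
    return verify_tcp_checksum(SRC, DST, filled) and not verify_tcp_checksum(SRC, DST, corrupted)
```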

Urgent pointer

See the URG bit of the flags field.

Options

The options section is designed to cope with complex network environments and to serve the application layer better.

TCP options are at most 40 bytes long. See 2.2 for details.

Data

A TCP segment without any data is also legal; such segments are often used for acknowledgments and control information.

2.2 Option field [2]

The TCP options section rarely appears once the session is established; it is mostly used during the connection establishment phase, that is, the three-way handshake. The TCP options are mainly used as follows:

(1) Maximum segment size (MSS, Maximum Segment Size)

Used by the sender to negotiate with the receiver the maximum segment length (payload only, excluding the TCP header). During the three-way handshake each side announces the MSS it expects to receive (the MSS appears only in SYN segments). If one side does not accept the other side's MSS value, the default payload of 536 bytes is used, i.e. the host can accept a 20+536-byte TCP segment.

(2) Window scaling option (Window scaling)

The window size field of the TCP segment is 16 bits, so its maximum value is 65535. On links with high latency and high bandwidth (such as satellite communication) a larger window is needed to reach acceptable performance and throughput; that is the purpose of the window scaling option. Examples are provided in [2].

Window scaling occupies 3 bytes, and the last byte is the shift count, the number of bits by which the 16-bit window field of the header is shifted left. For example, with a shift count of 14 the maximum window grows to 65535 * (2^14).

The window scaling option is negotiated at the start of the TCP connection. Once scaling is in place and is no longer needed, sending a shift count of 0 reverts to the original window size, i.e. 65535.

(3) Selective acknowledgment option (SACK, selective acknowledgements)

Consider this case: host A sends segments 1, 2, 3, 4 and 5, and host B receives 1, 3 and 5 without error. SACK ensures that only the missing segments are retransmitted, rather than all of them.

The SACK option requires 2 function bytes: one indicates that the SACK option is in use (SACK permitted) and one indicates how many bytes the option occupies.

So how is the missing segment 2 described? Its left and right edges are 1 and 3 respectively. TCP uses byte-block boundaries, and each boundary is expressed as a sequence number.

What is the maximum number of byte-block boundaries that can be specified? The answer is 4. The option field is at most 40 bytes, minus the 2 function bytes; a sequence number is 32 bits (4 bytes), and both a left and a right edge are needed, so (40-2)/8 = 4.

(4) Timestamp option (timestamps)

The timestamp option is used to compute the round-trip time (RTT). The sender places its current clock value into the timestamp field when it sends a segment, and the receiver copies that value into the acknowledgment. When the sender receives the acknowledgment, the difference between the acknowledgment's timestamp (equal to the timestamp of the segment it sent) and its current clock gives the RTT.

The timestamp option can also be used to guard against sequence-number wraparound.

The sequence number is only 32 bits, so it wraps around every 2^32 bytes (think of a ring buffer). With the timestamp option it is easy to distinguish segments that carry the same sequence number.

(5) NOP (no-operation)

The TCP header must be a multiple of 4 bytes, but most options are not; NOP fills the remainder.

NOP is also used to separate different options; for example, the window scaling option and SACK are separated by NOPs (as the example below shows).
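An added example (not code from the article or from Wireshark) that decodes the fixed header fields of 2.1 and the option kinds of 2.2: MSS, window scale, SACK permitted, SACK blocks, timestamps and NOP. The two sample segments are constructed; the SYN uses the same 32-byte header with three NOPs as the first-handshake capture in section 3.

```python
import struct

# TCP option kinds discussed in section 2.2 (standard kind numbers).
EOL, NOP, MSS, WSCALE, SACK_PERM, SACK, TIMESTAMPS = 0, 1, 2, 3, 4, 5, 8
FLAG_BITS = (("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08), ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))

def parse_tcp_options(opts: bytes) -> list:
    """Walk the option list: NOP is 1 byte, everything else is kind, length, value."""
    out, i = [], 0
    while i < len(opts) and opts[i] != EOL:
        kind = opts[i]
        if kind == NOP:
            out.append(("NOP", None)); i += 1; continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed option at offset %d" % i)
        body = opts[i + 2:i + length]
        if kind == MSS:
            out.append(("MSS", struct.unpack("!H", body)[0]))
        elif kind == WSCALE:
            out.append(("WSCALE", body[0]))            # shift count: window << shift
        elif kind == SACK_PERM:
            out.append(("SACK_PERM", True))
        elif kind == SACK:                             # (left, right) sequence-number edges
            edges = struct.unpack("!%dI" % (len(body) // 4), body)
            out.append(("SACK", list(zip(edges[0::2], edges[1::2]))))
        elif kind == TIMESTAMPS:
            out.append(("TIMESTAMPS", struct.unpack("!II", body)))  # (TSval, TSecr)
        else:
            out.append((kind, body))
        i += length
    return out

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte header, then the options up to data offset * 4 bytes."""
    src, dst, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    hlen = (off_flags >> 12) * 4                       # 4-bit field in 32-bit words: 20..60 bytes
    if hlen < 20 or hlen > len(segment):
        raise ValueError("bad data offset %d" % hlen)
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack, "header_len": hlen,
            "flags": {n: bool(off_flags & b) for n, b in FLAG_BITS},
            "window": window, "checksum": csum, "urgent_ptr": urg,
            "options": parse_tcp_options(segment[20:hlen]), "payload": segment[hlen:]}

# Constructed samples (not from the article's capture): a SYN with a 32-byte header holding
# MSS 1460, window scale 7, SACK permitted and three NOPs, and an ACK carrying one SACK block.
SAMPLE_SYN = (struct.pack("!HHIIHHHH", 54321, 80, 1000, 0, (8 << 12) | 0x002, 65535, 0, 0)
              + bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 7, 1, 1, 4, 2]))
SAMPLE_SACK_ACK = (struct.pack("!HHIIHHHH", 80, 54321, 1, 2001, (8 << 12) | 0x010, 65535, 0, 0)
                   + bytes([1, 1, 5, 10]) + struct.pack("!II", 3001, 4001))
```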


III. Case analysis

3.1 Overview

Take visiting the Baidu home page as an example: first the DNS protocol resolves the URL to an IP address, then a TCP connection is established between client and server. The packets captured with Wireshark look like this:

Figure 4 Wireshark capture of the packets establishing a TCP connection

You may find it a little strange: in theory there should be 3 packets, so why are there 6? Don't worry. The 6 segments were sent as follows (combining the timing with the meaning of each segment):

Figure 5 Example of establishing a TCP connection

As the figure shows, at the start of connection establishment the client sent two request segments. This may be to make the connection faster (if one request segment is lost, there is no need to wait a timeout before retransmitting). Next, we analyze the TCP connection setup in packets 19, 21 and 22 (marked by the red lines).

3.2 First handshake (packet 19)

The first-handshake segment of the TCP connection captured by Wireshark is as follows:

Figure 6 TCP connection First handshake instance

Several key fields are analyzed here:

The flags field: SYN=1, ACK=0 indicates that the segment does not use a piggybacked acknowledgment field.

Where does the maximum segment size (MSS) of 1460 come from? The physical characteristics of Ethernet at the link layer fix the data frame length at 1500 bytes (the MTU, Maximum Transmission Unit), and 1460 = 1500 - 20 (IP header) - 20 (TCP header). Do not be misled by this packet's header length of 32 bytes; that occurs only during connection establishment. The relationship between MSS and MTU [2]:

Figure 7 The relationship between MSS and MTU

The NOP field can pad the options up to a multiple of 4 bytes and can also separate options. Three NOPs appear in this segment; for details see:

Figure 8 TCP Message NOP field

3.3 Second handshake (packet 21)

The server responds to the client's TCP segment; the acknowledgment number is now 1. SYN=1, ACK=1 indicates that the connection reply carries an acknowledgment. The packet captured by Wireshark is as follows:

Figure 9 TCP Connection Second handshake instance

Why is MSS 1452 instead of 1460?

This is due to PPPoE (Point-to-Point Protocol over Ethernet, which lets Ethernet hosts connect to a remote access concentrator through a simple bridging device [3]) dial-up internet access. The PPPoE header is 8 bytes, so the MTU of PPPoE is 1492, and the MSS is 1492-40=1452.

So which MSS is used to transmit data after the TCP connection is established: 1460, 1452 or 536? My understanding is that it is the default value of 536. Is that the right way to understand it? Advice welcome!

3.4 Third handshake (packet 22)

The client again sends a segment to the server; now both the sequence number and the acknowledgment number are 1. There is no option field. The packet information captured by Wireshark is as follows:

Figure 10 TCP connection third handshake instance

Worth noting: the window is not scaled, because window scaling was not negotiated, so the window size is at most 65535.


Thus, the TCP connection is established :-)
