transferred from: http://blog.csdn.net/webnumen/archive/2007/03/26/1541330.aspx
TCP sequence numbers and acknowledgment numbers in detail
In network analysis, reading the progression of TCP sequence numbers and acknowledgment numbers helps us learn the TCP protocol and troubleshoot communication problems; for example, by comparing the sequence number and acknowledgment number we can tell whether data arrived out of order. But most of the material I have found only introduces the TCP communication process and does not explain the sequence number and acknowledgment number in detail, and explanations combined with a worked example are rarer still. Because my recent work required a closer look at TCP sequence and acknowledgment numbers, the following are the points I learned; I hope they are of some help to anyone interested in the topic.
1. Introduction and function of the sequence number and acknowledgment number
The TCP protocol works at the OSI transport layer and is a reliable, connection-oriented byte-stream protocol. TCP is reliable because it guarantees the order in which segments are delivered, and that order is guaranteed by the sequence number. The acknowledgment carries a number of its own, the acknowledgment number, which tells the sender that the receiver has received all data before that sequence number and expects that sequence number next. When TCP sends a segment it places the segment in a retransmission queue and starts a timer; if an acknowledgment covering that segment arrives, the segment is removed from the queue, and if the timer expires before an acknowledgment arrives, the segment is retransmitted. In addition, TCP uses the sequence number in each segment to reassemble all transmitted data in the correct order, which guarantees a complete transfer.
2. TCP Communication Process
TCP communication consists of three processes: connection establishment, data transfer and connection close. Each process does a different job, and the sequence number and acknowledgment number change differently in each.
2.1 TCP connection establishment
Establishing a TCP connection is what we usually call the three-way handshake, which takes three steps to complete. In the three-way handshake, the end that sends the first SYN performs the active open; the end that receives that SYN and sends the next SYN performs the passive open.
The following explanation uses a client initiating a connection to a server.
1) Step 1: The client sends a synchronization (SYN) packet to the server requesting a connection. In this packet the initial sequence number (ISN) is a random value generated by the client, and the acknowledgment number is 0;
2) Step 2: After the server receives this synchronization request, it sends a synchronization acknowledgment (SYN/ACK) to the client. In this packet the sequence number is an initial sequence number (ISN) randomly generated by the server, and the acknowledgment number is the client's initial sequence number + 1;
3) Step 3: After the client receives this synchronization acknowledgment, it sends an acknowledgment (ACK) to the server. In this packet the sequence number is the acknowledgment number carried in the synchronization acknowledgment of step 2, and the acknowledgment number is the server's initial sequence number + 1.
Note: The + 1 is because a SYN occupies one sequence number.
The initial sequence number (ISN) changes over time, and different operating systems implement it differently, so each connection has a different initial sequence number. While the connection is being established, both ends also exchange information such as the window size and MSS to prepare for the data transfer that follows.
RFC 793 describes the ISN as a 32-bit counter that is incremented by 1 every 4 ms. Choosing sequence numbers this way prevents a packet that was delayed in the network from later being mistaken for part of a new connection, which would cause one end of that connection to make a wrong judgment.
2.2 TCP data transfer
After the TCP connection is established, data transfer can begin. TCP works in full-duplex mode, so data can flow in both directions at the same time. To keep things simple we only discuss the server sending data to the client; the client sending data to the server works the same way and is not repeated here.
After the server sends a packet to the client, the client receives it and sends an acknowledgment packet back to the server.
The data transfer process, in brief, is as follows:
1) Send data: The server sends a packet carrying data to the client; its sequence number and acknowledgment number are the same as those in the packet of step 3 of connection establishment;
2) Acknowledge receipt: The client receives the packet and sends an acknowledgment packet to the server. Its sequence number is the acknowledgment number from the packet it just received, and its acknowledgment number is the sequence number of that last packet sent by the server + the size of the data in that packet.
The sequence number in each data segment ensures that all transmitted data can be reassembled in the correct order, which guarantees the integrity of the data transfer.
2.3 TCP connection close
As mentioned earlier, establishing a connection takes 3 steps, but closing one takes 4. Because a TCP connection operates in full-duplex mode, each direction must be closed separately. When closing a connection, the party that closes first (that is, the one that sends the first terminating packet) performs an active close, and the other party (the one that receives the terminating packet) performs a passive close.
The 4 steps to close a connection are as follows:
1) Step 1: After the server finishes sending its data, it actively sends a terminating (FIN) packet to the client to close the TCP connection in that direction. In this packet the sequence number is the acknowledgment number from the last packet sent by the client, and the acknowledgment number is the sequence number of the last packet sent by the client + the size of the data in that packet;
2) Step 2: After the client receives the terminating packet from the server, it sends an acknowledgment to the server, closing the TCP connection in that direction. In this packet the sequence number is the acknowledgment number from step 1, and the acknowledgment number is the sequence number of the step 1 packet + 1;
3) Step 3: Similarly, after the client finishes sending its data, it also sends a terminating packet to the server to close the TCP connection in that direction. Its sequence number is the acknowledgment number from the previous packet sent by the server, and its acknowledgment number is the sequence number of the last packet sent by the server + the size of the data in that packet;
4) Step 4: After the server receives the terminating packet from the client, it sends an acknowledgment to the client, closing the TCP connection in that direction. In this packet the sequence number is the acknowledgment number from step 3, and the acknowledgment number is the sequence number of the step 3 packet + 1;
Note: Like SYN, FIN also occupies one sequence number. In theory the server's terminating packet only needs the FIN bit set to 1, and the client then acknowledges it. In actual TCP implementations, however, the terminating packet has both the ACK bit and the FIN bit set to 1: the ACK bit set to 1 acknowledges the data received so far, and the FIN bit set to 1 closes the TCP connection in that direction.
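The rules in sections 2.1 to 2.3 reduce to a small amount of bookkeeping that an analyzer can check on every segment: SYN and FIN each consume one sequence number, data consumes one per byte, and a peer's acknowledgment number must equal the next sequence number the other side is expected to send. The following Python block is an added example, not code from the original post; it replays the three phases with the values the post reports (client ISN 2712239078, server ISN 1288781508, a 960-byte GET) and flags in-order segments, retransmissions and gaps. The 268-byte server response is an assumption chosen so that the server's FIN lands on sequence number 1288781777 as reported later in the post; the other numbers come from the post.

```python
"""Sequence/acknowledgment bookkeeping for one TCP connection.

Added example, not code from the original post: replays the three phases
described above using the numbers the post reports and checks every
segment against the rules stated there.
"""
from dataclasses import dataclass, field

SYN, FIN, ACK = 0x02, 0x01, 0x10
SEQ_MOD = 1 << 32            # the 32-bit sequence space wraps


@dataclass
class Segment:
    src: str                 # "client" or "server"
    seq: int
    ack: int
    flags: int
    payload_len: int = 0     # bytes of TCP data carried

    def next_seq(self) -> int:
        """What the analyzer calls 'Next sequence number': seq plus the
        bytes consumed, where SYN and FIN each count as one byte."""
        consumed = self.payload_len + bool(self.flags & SYN) + bool(self.flags & FIN)
        return (self.seq + consumed) % SEQ_MOD


@dataclass
class FlowTracker:
    """Expected next sequence number per sender, plus a verdict per segment."""
    expected: dict = field(default_factory=dict)

    def feed(self, s: Segment) -> str:
        peer = "server" if s.src == "client" else "client"
        exp = self.expected.get(s.src)
        if exp is None:
            verdict = "isn" if s.flags & SYN else "mid-stream"   # first segment from this side
        elif s.seq == exp:
            verdict = "in-order"
        elif (s.seq - exp) % SEQ_MOD > SEQ_MOD // 2:
            verdict = "retransmission"   # seq is behind what we already saw
        else:
            verdict = "gap"              # seq jumped ahead: loss or reordering
        if verdict != "retransmission":
            self.expected[s.src] = s.next_seq()
        # An ACK must equal the peer's expected next sequence number.
        if s.flags & ACK and peer in self.expected and s.ack != self.expected[peer]:
            verdict += "+bad-ack"
        return verdict


def replay(segments):
    """Run every segment through a fresh tracker; return verdicts and tracker."""
    tracker = FlowTracker()
    return [tracker.feed(s) for s in segments], tracker


# Constructed replay of the post's capture (the 268-byte response is assumed).
C, S = "client", "server"
CISN, SISN = 2712239078, 1288781508
PAGE_FLOW = [
    Segment(C, CISN, 0, SYN),                        # handshake step 1
    Segment(S, SISN, CISN + 1, SYN | ACK),           # handshake step 2
    Segment(C, CISN + 1, SISN + 1, ACK),             # handshake step 3
    Segment(C, CISN + 1, SISN + 1, ACK, 960),        # GET request, 960 data bytes
    Segment(S, SISN + 1, CISN + 961, ACK, 268),      # response (assumed length)
    Segment(C, CISN + 961, SISN + 269, ACK),         # client acknowledges the response
    Segment(S, SISN + 269, CISN + 961, FIN | ACK),   # close step 1: server FIN (seq 1288781777)
    Segment(C, CISN + 961, SISN + 270, ACK),         # close step 2
    Segment(C, CISN + 961, SISN + 270, FIN | ACK),   # close step 3: client FIN
    Segment(S, SISN + 270, CISN + 962, ACK),         # close step 4
]


def demo():
    verdicts, tracker = replay(PAGE_FLOW)
    return verdicts, tracker.expected


if __name__ == "__main__":
    for seg, v in zip(PAGE_FLOW, demo()[0]):
        print(f"{seg.src:6} seq={seg.seq} ack={seg.ack} next={seg.next_seq()} -> {v}")
```

Feeding the same GET segment a second time yields "retransmission" because its sequence number is behind what the tracker already saw, while a segment whose sequence number jumps ahead yields "gap"; both are the conditions a practitioner looks for when the post says the numbers reveal whether transmission was out of order.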
3. Actual packet Analysis
Combining the theory above, we now capture packets while visiting a web page and use real packets to verify how the sequence number and acknowledgment number change when the TCP connection is established, data is transferred, and the connection is closed.
Open the network analysis system. To reduce noise, first set a filter so that only TCP packets are captured, then start capturing and visit www.csna.cn; once the page has finished loading, stop the capture.
In this environment the client is 192.168.0.92 and the server is 222.77.187.23.
3.1 TCP connection establishment
Among the captured packets we first look at the three-way handshake that establishes the connection and observe how the sequence number and acknowledgment number change. To make this easier to follow, I used the "Add packet annotations" feature.
Let's start with the first step of establishing the connection, as shown in Figure 1.
(Figure 1 Establishing a connection first step)
In Figure 1, the client sends a synchronization request packet to the server asking to connect to the server's port 80; the client randomly generates an initial sequence number (ISN) of 2712239078, and the acknowledgment number is 0.
Note: In practice, visiting a website starts with domain name resolution; because we set a filter here, the DNS packets were not captured.
Next we look at the second step of establishing the connection, as shown in Figure 2.
(Figure 2 Establishing a connection second step)
In Figure 2, the server receives the client's synchronization request and sends a synchronization acknowledgment to the client. In this packet the server randomly generates its own initial sequence number (1288781508), and the client's initial sequence number (ISN) plus 1 (2712239078+1=2712239079) is sent back to the client as the acknowledgment number.
Let's look at the third step of establishing a connection, as shown in Figure 3.
(Figure 3 Establishing the third step of the connection)
In Figure 3, once the client receives this synchronization acknowledgment, it acknowledges the server in turn. In this packet the sequence number is the acknowledgment number of the previous packet (2712239079), and the acknowledgment number is the server's initial sequence number (ISN) plus 1 (1288781508+1=1288781509). This acknowledges the server's synchronization acknowledgment, and the TCP connection is established.
3.2 TCP data transfer
Once the TCP connection is established, data transfer begins immediately: here the client actively sends a GET request to the server carrying its request information.
Let's look at the GET request packet the client sends to the server, as shown in Figure 4.
(Figure 4 Transmitting data)
In Figure 4 we look at the sequence number and acknowledgment number of the GET request packet the client sends to the server. In this packet the sequence number is 2712239079 and the acknowledgment number is 1288781509, the same as the sequence number and acknowledgment number in the third step of the three-way handshake.
Figure 4 shows that the packet size is 1018 bytes. Subtracting the 14-byte Ethernet header, 20-byte IP header, 20-byte TCP header and 4-byte FCS (1018-14-20-20-4=960) gives a transmitted data size of 960 bytes. Adding the data size to the packet's sequence number (2712239079+960=2712240039) gives the "Next sequence number", and we find that this value exactly matches the acknowledgment number in the next packet the server sends to the client, as shown in Figure 5.
(Figure 5 Confirm receipt)
Note: "Next sequence number" is a field the network analysis system calculates automatically from the packet's sequence number and acknowledgment number to help the user find the next packet in the stream; the field does not exist in the actual packet.
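The arithmetic above (frame length minus the Ethernet, IP and TCP headers and the FCS, then added to the sequence number) is exactly what an analyzer does to produce its "Next sequence number" field. The following Python block is an added example, not code from the original post or the analyzer it uses: it builds a constructed Ethernet/IPv4/TCP frame with the GET request's values from the post (sequence number 2712239079, acknowledgment number 1288781509, 960 data bytes, 1018 bytes on the wire including the 4-byte FCS), parses the headers, and derives the payload length two ways. The subtraction the post uses assumes fixed 20-byte headers and a capture that includes the FCS; reading the IP total-length field and the header length fields instead gives the right answer even when the capture has no FCS or the headers carry options. The port numbers, addresses and request text are constructed sample values.

```python
"""Recompute the analyzer's 'Next sequence number' from a raw frame.

Added example, not code from the original post. The frame is constructed
here; checksums are left at zero because it is only parsed, never sent.
"""
import struct

ETH_LEN, FCS_LEN = 14, 4
TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10


def build_frame(seq, ack, flags, payload, with_fcs=True):
    """Constructed frame: fixed 20-byte IPv4 and TCP headers, no options."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, seq, ack, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)           # IP header + TCP header + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     bytes([192, 168, 0, 92]), bytes([222, 77, 187, 23]))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    frame = eth + ip + tcp + payload
    return frame + b"\x00" * FCS_LEN if with_fcs else frame


def parse_frame(frame):
    """Return the header fields needed for sequence bookkeeping."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not IPv4")
    ip_off = ETH_LEN
    ihl = (frame[ip_off] & 0x0F) * 4                       # IP header length from IHL
    ip_total_len = struct.unpack("!H", frame[ip_off + 2:ip_off + 4])[0]
    tcp_off = ip_off + ihl
    src_port, dst_port, seq, ack, doff_byte, flags = struct.unpack(
        "!HHIIBB", frame[tcp_off:tcp_off + 14])
    data_off = (doff_byte >> 4) * 4                        # TCP header length
    payload_len = ip_total_len - ihl - data_off            # independent of FCS presence
    return {"src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
            "flags": flags, "ihl": ihl, "data_off": data_off,
            "payload_len": payload_len}


def payload_len_by_subtraction(frame_len, ihl=20, data_off=20, fcs_present=True):
    """The post's arithmetic: 1018 - 14 - 20 - 20 - 4 = 960."""
    return frame_len - ETH_LEN - ihl - data_off - (FCS_LEN if fcs_present else 0)


def next_sequence_number(fields):
    """seq + data bytes, plus one each for SYN and FIN, which occupy a
    sequence number even though they carry no data."""
    consumed = (fields["payload_len"]
                + bool(fields["flags"] & TCP_SYN)
                + bool(fields["flags"] & TCP_FIN))
    return (fields["seq"] + consumed) % (1 << 32)


# Constructed GET request padded to the 960 data bytes reported in the post.
GET_PAYLOAD = b"GET / HTTP/1.1\r\nHost: www.csna.cn\r\n\r\n".ljust(960, b"X")
GET_FRAME = build_frame(2712239079, 1288781509, TCP_PSH | TCP_ACK, GET_PAYLOAD)


def demo():
    fields = parse_frame(GET_FRAME)
    return {"frame_len": len(GET_FRAME),
            "payload_len": fields["payload_len"],
            "by_subtraction": payload_len_by_subtraction(len(GET_FRAME)),
            "next_seq": next_sequence_number(fields)}


if __name__ == "__main__":
    print(demo())
```

Both methods agree on 960 bytes for this frame and give a next sequence number of 2712240039, the value the post finds as the acknowledgment number in the server's next packet; the header-field method keeps working on a capture without FCS, where the subtraction would be off by 4.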
3.3 TCP connection close
After the data transfer is complete, TCP closes the connection; here the server actively closes the TCP connection in its direction. Continuing through the captured packets, we first look at step 1 of closing the connection, the server's active close, as shown in Figure 6.
(Figure 6 Closing the connection first step)
In Figure 6, the server actively sends the client a packet with both the ACK bit and the FIN bit set to 1: the ACK bit set to 1 acknowledges the data received so far, and the FIN bit set to 1 closes the TCP connection in the server-to-client direction. In this packet the sequence number is the acknowledgment number (1288781777) from the last packet sent by the client, and the acknowledgment number is the sequence number of the last packet sent by the client + the size of the data in that packet (2712238597+1432=2712240039);
The client then receives the terminating packet and sends an acknowledgment to the server: its sequence number is the acknowledgment number from step 1 (2712240039), and its acknowledgment number is the sequence number of the step 1 packet + 1 (1288781777+1=1288781778);
We look at the resulting sequence number and acknowledgment number in Figure 7.
(Figure 7 Closing the connection second step)
Next comes the close of the client's direction, which proceeds in the same way as the server's close, except that this time it is the client's side of the TCP connection that is closed (the passive close). The explanation is not repeated; see Figure 8 and Figure 9.
(Figure 8 Closing the connection third step)
(Figure 9 Closing the connection fourth step)
Through the packet-capture analysis above we have verified the theory described earlier for all three TCP processes: connection establishment, data transfer and connection close.