TCP three-way handshake and four-way termination

Source: Internet
Author: User
Tags ack file transfer protocol

This is the most detailed article on the TCP three-way handshake and four-way termination that I have found; the original source is identified at the end of the text. If reproducing it causes any offense, please let me know and it will be removed.

I have added my own understanding to try to make the article more complete, and supplemented it with practical points to watch for, so that the reader knows not only what happens but also why.
I. The TCP/IP protocol family

TCP/IP is a family of protocols, usually described as a stack of layers, each responsible for a different communication function. It contains the following four layers:

1. The link layer, also called the data link layer or network interface layer, usually consists of the device driver in the operating system and the corresponding network interface card in the computer. Together they handle the details of the physical interface to the cable (or whatever transmission medium is used).

2. The network layer, also called the Internet layer, handles the movement of packets through the network, for example routing. Network layer protocols include IP (Internet Protocol), ICMP (Internet Control Message Protocol) and IGMP (Internet Group Management Protocol).

3. The transport layer provides end-to-end communication for applications on two hosts. The TCP/IP family has two distinct transport protocols: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). TCP provides reliable data communication between two hosts. Its work includes dividing the data handed to it by the application into segments of a size suitable for the network layer below, acknowledging the segments it receives, and setting a timer so that segments whose acknowledgement does not arrive in time are retransmitted. Because the transport layer provides reliable end-to-end communication, the application layer can ignore all of these details. UDP, on the other hand, provides a very simple service to the application layer: it sends packets called datagrams from one host to another, but does not guarantee that a datagram reaches the other end. Any reliability that is required must be provided by the application layer.

4. The application layer handles the details of a particular application. Examples are Telnet (remote login), FTP (File Transfer Protocol), SMTP (Simple Mail Transfer Protocol) and SNMP (Simple Network Management Protocol); DNS (domain name resolution) belongs here too, and the lower layers communicate using the IP addresses it resolves.

A packet captured by Wireshark, with the corresponding protocol layers, is shown in the following figure:

1. Frame: overview of the frame as seen on the wire (physical layer)

2. Ethernet II: data link layer, the Ethernet frame header

3. Internet Protocol Version 4: Internet layer, the IP packet header

4. Transmission Control Protocol: transport layer, the segment header, here TCP

5. Hypertext Transfer Protocol: application layer information, here HTTP

II. The TCP protocol

TCP is a connection-oriented, reliable communication protocol based on a byte stream. TCP packs user data into segments, starts a timer when a segment is sent, acknowledges data received from the other end, reorders data that arrives out of order, and discards duplicate data.

The characteristics of TCP are:

1. TCP is a connection-oriented transport layer protocol.

2. Each TCP connection has exactly two endpoints; a TCP connection is always point-to-point.

3. TCP provides reliable delivery.

4. TCP provides full-duplex communication. Data is transmitted independently in each direction, so each end of the connection must maintain the sequence numbers of the data sent in each direction.

5. TCP is byte-stream oriented. Although the application and TCP exchange data one block at a time, TCP treats the data handed down by the application as an unstructured stream of bytes.

The TCP segment header is shown in the following illustration:

1. Source port: the port number of the sender, 16 bits.

2. Destination port: the port number of the receiver, 16 bits.

3. Sequence number: 32 bits; the position in the sender's byte stream of the first data byte of this segment (a SYN or a FIN also occupies one sequence number).

4. Acknowledgement number: 32 bits; the sequence number of the next byte the receiver expects from the sender, i.e. the sequence number of the last byte successfully received plus 1. It is valid only when the ACK flag is set.

5. Header length (data offset): 4 bits giving the header length in 32-bit words, so the header can be at most 15*4=60 bytes. Without options the header is 20 bytes.

6. Reserved: 6 bits, all 0. (Later RFCs carve the ECN flags out of these bits, which is why Wireshark shows fewer than six reserved bits.)

7. Urgent flag URG: when URG=1 the segment carries urgent data that should be delivered as soon as possible, and the urgent pointer field is valid.

8. Acknowledgement flag ACK: when ACK=1 the acknowledgement number field is valid, i.e. the segment acknowledges received data; when ACK=0 the segment is not an acknowledgement. Every segment after the initial SYN has ACK=1.

9. Push flag PSH: when the sender sets PSH=1, the receiver should deliver the data to the application process as soon as possible rather than buffering it.

10. Reset flag RST: when RST=1 a serious error has occurred on the connection; the connection must be released and then re-established.

11. Synchronize flag SYN: used to synchronize sequence numbers when a connection is established. SYN=1, ACK=0 is a connection request; SYN=1, ACK=1 accepts the connection.

12. Finish flag FIN: when FIN=1 the sender has no more data to send and wants to release its direction of the connection.

13. Window: 16 bits; tells the peer how many bytes, starting from the acknowledgement number, it may send before waiting for a further acknowledgement. In other words, the receiver sets the sender's window limit.

14. Checksum: 16 bits, covering the TCP header, the data and a pseudo-header containing the IP addresses, the protocol number and the TCP length. It is computed by the sender and verified by the receiver.

15. Urgent pointer: valid only when URG=1; an offset from the sequence number that points to the end of the urgent data in this segment.

16. Options: variable length, up to 40 bytes, so that the whole header fits in 60 bytes. Common options are MSS, window scale, SACK permitted and timestamps.

Note: TCP has six flag bits, items 7-12 above, which are six contiguous bits in the header. The ACK flag and the acknowledgement number are not the same thing: the ACK flag is a single bit whose value is 0 or 1, while the acknowledgement number is the 32-bit field described in item 4.


Each field of a TCP segment captured by Wireshark is shown in the following illustration:
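As an added example (not part of the original article), here is a small Python parser for the fixed header fields described above, together with a checksum verifier that includes the pseudo-header. It constructs one sample SYN segment with an MSS, NOP and window-scale option (the addresses, ports and option values are chosen here for illustration, not taken from the article's capture) and decodes it:

```python
import struct

# Flag bits 7-12 of the header description, in the low 6 bits of the offset/flags word.
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WSCALE", 4: "SACK_PERM", 8: "TIMESTAMP"}


def ones_complement_checksum(data):
    """RFC 1071 checksum; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                                   # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip, dst_ip, segment):
    """Field 14 covers a pseudo-header (addresses, protocol 6, TCP length) plus header and data."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_checksum(pseudo + segment)


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, window, options=b"", payload=b"", urgent=0):
    """Assemble a segment with a correct checksum (used here only to construct the sample)."""
    options += b"\x00" * (-len(options) % 4)             # options are padded to 32-bit words
    data_offset = (20 + len(options)) // 4
    flag_word = sum(FLAG_BITS[f] for f in flags)
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                         (data_offset << 12) | flag_word, window, 0, urgent)
    segment = header + options + payload
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def parse_options(raw):
    """Decode the option list: kind, length (absent for EOL and NOP), value."""
    out, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                                    # end of option list
            break
        if kind == 1:                                    # NOP has no length byte
            out.append(("NOP", b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = raw[i + 1]
        out.append((OPTION_NAMES.get(kind, "KIND_%d" % kind), raw[i + 2:i + length]))
        i += length
    return out


def parse_tcp(src_ip, dst_ip, segment):
    """Decode header fields 1-16 and verify the checksum over the received bytes."""
    if len(segment) < 20:
        raise ValueError("TCP header truncated")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4                   # 4-bit data offset in 32-bit words: 20..60 bytes
    if not 20 <= header_len <= len(segment):
        raise ValueError("bad data offset %d" % header_len)
    flags = {name: bool(off_flags & bit) for name, bit in FLAG_BITS.items()}
    return {
        "src_port": sport, "dst_port": dport, "seq": seq,
        "ack": ack if flags["ACK"] else None,            # the ack number only means something when ACK=1
        "header_len": header_len,
        "reserved": (off_flags >> 6) & 0x3F,
        "flags": flags, "window": window, "checksum": csum,
        "urgent_pointer": urg if flags["URG"] else None,
        "options": parse_options(segment[20:header_len]),
        "payload": segment[header_len:],
        # Summing the received bytes including the stored checksum yields 0 when it is correct.
        "checksum_ok": tcp_checksum(src_ip, dst_ip, segment) == 0,
    }


# Constructed sample (not from the article's capture): a SYN from 10.0.0.1:40000 to
# 10.0.0.2:80 carrying MSS=1460, a NOP and window scale 7.
SRC_IP, DST_IP = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
SAMPLE_OPTIONS = struct.pack("!BBH", 2, 4, 1460) + b"\x01" + struct.pack("!BBB", 3, 3, 7)
SAMPLE_SYN = build_tcp(SRC_IP, DST_IP, 40000, 80, seq=1234567, ack=0,
                       flags=("SYN",), window=65535, options=SAMPLE_OPTIONS)

if __name__ == "__main__":
    for k, v in parse_tcp(SRC_IP, DST_IP, SAMPLE_SYN).items():
        print("%-15s %r" % (k, v))
```

The parser refuses a data offset outside 20..60 bytes and a malformed option length, which is where naive dissectors tend to overread; flipping a single bit anywhere in the sample makes checksum_ok come back False.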

III. The TCP three-way handshake

When TCP establishes a connection there is a three-way handshake, as shown in the following illustration, in which Wireshark captures the three handshake packets. The fourth packet is HTTP, which shows that HTTP does use TCP to establish its connection first. If the connection is HTTPS (including HTTP/2 over TLS), the fourth packet is instead a TLS message, the ClientHello.

Here is a step-by-step analysis of the three-way handshake:

Overview:

First handshake: host A sends a segment with the SYN flag set to 1 and a randomly generated initial sequence number (seq=1234567 in this example) to host B and enters the SYN_SENT state. From SYN=1, host B knows that A wants to establish a connection.

Second handshake: host B accepts the request and replies with a segment in which SYN=1 and ACK=1, the acknowledgement number is A's seq+1, and the sequence number is B's own randomly generated initial value (seq=7654321 here). B enters the SYN_RECV state.

Third handshake: host A checks that the acknowledgement number is correct, i.e. the sequence number it sent the first time plus 1, and that the ACK flag is 1. If so, A sends a segment with ACK=1 and an acknowledgement number of B's seq+1, and enters the ESTABLISHED state. When B receives it and confirms the acknowledgement number, B also enters ESTABLISHED and the connection is established.

In symbols: the client sends SYN (seq=J) and enters SYN_SENT; the server replies SYN+ACK (seq=K, ack=J+1) and enters SYN_RECV; the client replies ACK (ack=K+1), and both sides enter ESTABLISHED.

After the three-way handshake, host A and host B begin to transmit data.

Detailed

First handshake: the client sends a connection request segment to the server with the SYN flag set to 1 and sequence number x=0. (Wireshark displays sequence numbers relative to each side's initial sequence number, which is why the random initial value appears as 0.)

Second handshake: the server receives the segment and knows from SYN=1 that the client wants to establish a connection. It sends the client a segment with both SYN and ACK set to 1, its own initial sequence number y=0, and an acknowledgement number equal to the client's sequence number plus 1, i.e. x+1=0+1=1, as shown below:

Third handshake: the client receives the server's segment and checks that the acknowledgement number is correct, i.e. the sequence number it sent plus 1 (x+1=1), and that the ACK flag is 1. If so, the client sends a confirmation segment with ACK=1 and SYN=0, acknowledgement number y+1=0+1=1 and sequence number x+1=1. When the server receives it and sees that the acknowledgement number is y+1 with ACK=1, the connection is established and data can be transmitted.

Supplement:

SYN attack

In the three-way handshake, after the server has sent the SYN-ACK and before it receives the client's ACK, the connection is called a half-open connection and the server is in the SYN_RECV state. When the ACK arrives, the server moves to the ESTABLISHED state.

In a SYN attack (SYN flood), the attacker forges a large number of non-existent source IP addresses in a short time and keeps sending SYN packets to the server. The server replies to each with a SYN-ACK and waits for the client's confirmation; because the source address does not exist, the server keeps retransmitting the SYN-ACK until the half-open connection times out. These forged SYNs occupy the half-open connection queue for a long time, so normal SYN requests are discarded, the target system slows down, and in severe cases the network is congested or the system is paralysed.

A SYN flood is a typical DoS/DDoS attack. It is easy to detect: if you see a large number of half-open connections on the server, especially with random source IP addresses, you can conclude that a SYN attack is under way. Under Linux you can check with:

netstat -n -t | grep SYN_RECV

Most newer TCP/IP stacks have been modified to resist SYN attacks. The main methods are the SynAttackProtect mechanism (Windows), SYN cookies, increasing the maximum number of half-open connections, and shortening the SYN_RECV timeout.

However, SYN attacks cannot be completely prevented.
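As an added example (not the article's code, and a simplified model rather than any particular kernel's implementation), the following Python compares a conventional server with a bounded half-open queue against a SYN-cookie server under a flood of SYNs from forged addresses. The cookie layout (5-bit time slot, 3-bit MSS index, 24-bit HMAC over the 4-tuple and client ISN) follows the general idea of SYN cookies and is an assumption of this example; the addresses, backlog size and secret are constructed for the demonstration.

```python
import hashlib
import hmac
import random

MSS_TABLE = (536, 1300, 1440, 1460)      # the MSS values a 3-bit cookie field can encode


class BacklogServer:
    """Conventional stateful handshake: every SYN-ACK sent leaves a half-open
    (SYN_RECV) entry in a bounded queue until the client's ACK arrives."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}                # (peer, local) -> (our ISN, client ISN)
        self.established = set()
        self.dropped = 0

    def on_syn(self, peer, local, client_isn, mss, slot):
        if len(self.half_open) >= self.backlog:
            self.dropped += 1              # queue full: the SYN is silently discarded
            return None
        isn = random.getrandbits(32)
        self.half_open[(peer, local)] = (isn, client_isn)
        return {"flags": "SYN+ACK", "seq": isn, "ack": (client_isn + 1) & 0xFFFFFFFF}

    def on_ack(self, peer, local, seq, ack, slot):
        entry = self.half_open.get((peer, local))
        if entry is None or ack != (entry[0] + 1) & 0xFFFFFFFF or seq != (entry[1] + 1) & 0xFFFFFFFF:
            return False
        del self.half_open[(peer, local)]
        self.established.add((peer, local))
        return True


class SynCookieServer:
    """Stateless handshake: the ISN in the SYN-ACK is a cookie made of a 5-bit
    time slot, a 3-bit MSS index and a 24-bit keyed hash of the connection, so
    a spoofed SYN costs the server no memory at all."""

    def __init__(self, secret):
        self.secret = secret
        self.half_open = {}                # stays empty; present only for the comparison
        self.established = set()

    def cookie(self, peer, local, client_isn, slot, mss_idx):
        msg = "%r|%r|%d|%d|%d" % (peer, local, client_isn, slot, mss_idx)
        h = hmac.new(self.secret, msg.encode(), hashlib.sha256).digest()
        return ((slot & 0x1F) << 27) | (mss_idx << 24) | int.from_bytes(h[:3], "big")

    def on_syn(self, peer, local, client_isn, mss, slot):
        mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss] or [0])
        cookie = self.cookie(peer, local, client_isn, slot, mss_idx)
        return {"flags": "SYN+ACK", "seq": cookie, "ack": (client_isn + 1) & 0xFFFFFFFF}

    def on_ack(self, peer, local, seq, ack, slot):
        c = (ack - 1) & 0xFFFFFFFF         # the client acknowledges our ISN + 1
        c_slot, mss_idx = c >> 27, (c >> 24) & 0x7
        if c_slot not in (slot, (slot - 1) % 32):
            return False                   # cookie from an older slot: expired
        if c != self.cookie(peer, local, (seq - 1) & 0xFFFFFFFF, c_slot, mss_idx):
            return False                   # forged, replayed for another 4-tuple, or tampered
        self.established.add((peer, local, MSS_TABLE[mss_idx]))
        return True


def simulate(server, spoofed_syns=1000, slot=5):
    """Flood the server with SYNs from forged sources that never complete the
    handshake, then attempt one genuine handshake. Returns (genuine handshake
    succeeded, half-open entries left behind)."""
    rng = random.Random(1)                 # deterministic forged sources
    local = ("10.0.0.2", 80)
    for _ in range(spoofed_syns):
        peer = ("198.51.100.%d" % rng.randrange(256), rng.randrange(1024, 65536))
        server.on_syn(peer, local, rng.getrandbits(32), 1460, slot)   # no ACK ever follows
    peer, isn = ("192.0.2.10", 40000), 1234567
    synack = server.on_syn(peer, local, isn, 1460, slot)
    ok = synack is not None and server.on_ack(peer, local, isn + 1, synack["seq"] + 1, slot)
    return ok, len(server.half_open)


if __name__ == "__main__":
    print("backlog of 128:", simulate(BacklogServer(128)))                          # (False, 128)
    print("SYN cookies:   ", simulate(SynCookieServer(b"rotate-me-periodically")))  # (True, 0)
```

The price of statelessness is visible in the code: the cookie only has room for a coarse MSS and no other options, and a cookie is accepted for the current and the previous time slot only, so a legitimate client that is slow to ACK is refused. That is why real stacks turn cookies on only once the half-open queue overflows.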

IV. The TCP four-way termination

When a TCP connection is closed there is a four-way termination (the "four waves"), as shown in the following illustration, in which Wireshark captures the four packets.

Here is a step-by-step analysis of the four-way termination:

First wave: the client sends a segment to the server to close the data transfer from client to server. The FIN and ACK flags are set to 1, the sequence number is x=1 and the acknowledgement number is z=1 (relative numbers; in this capture no data was exchanged after the handshake).

Second wave: the server receives the FIN and sends back an ACK (flag ACK=1) whose acknowledgement number is the received sequence number plus 1, i.e. x+1=2, because the FIN itself occupies one sequence number. Its sequence number is z=1, the acknowledgement number it received.

Third wave: the server closes its own direction of the connection and sends a FIN. The FIN and ACK flags are set to 1, the sequence number is still z=1 (the server sent no data in between) and the acknowledgement number is x+1=2.

Fourth wave: the client receives the server's FIN and sends back an ACK (flag ACK=1) whose acknowledgement number is the received sequence number plus 1, i.e. z+1=2. Its sequence number is x+1=2, the acknowledgement number it received. The server's side is now closed; the client waits for a while (the TIME_WAIT state) in case this last ACK is lost and the server retransmits its FIN, and then closes as well.
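As an added example covering both the three-way handshake of section III and the four-way termination above (written for this page, not taken from the article), the following Python models each endpoint as a small state machine that verifies every acknowledgement number before changing state, runs a complete connection, and prints the exchange with relative sequence numbers the way Wireshark does. The initial sequence numbers 1234567 and 7654321 are the illustrative values from the overview; the state names are those of RFC 793, and the RST-on-bad-ACK rule is a simplification noted in the code.

```python
from dataclasses import dataclass

FLAG_ORDER = ("SYN", "FIN", "PSH", "ACK", "RST")

@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: frozenset
    seq: int
    ack: int                  # meaningful only when "ACK" is in flags (flag 8 vs field 4 above)
    data: bytes = b""

@dataclass
class Endpoint:
    """One side of a connection; state names follow RFC 793."""
    name: str
    isn: int                  # initial sequence number (random in real stacks)
    state: str = "CLOSED"
    snd_una: int = 0          # oldest sequence number sent but not yet acknowledged
    snd_nxt: int = 0          # next sequence number to send
    rcv_nxt: int = 0          # next sequence number expected; also the ack number we send

    def listen(self):
        self.state = "LISTEN"

    def _send(self, peer, flags, data=b""):
        flags = frozenset(flags)
        seg = Segment(self.name, peer.name, flags, self.snd_nxt,
                      self.rcv_nxt if "ACK" in flags else 0, data)
        # SYN and FIN each consume one sequence number; data consumes one per byte.
        self.snd_nxt += len(data) + ("SYN" in flags) + ("FIN" in flags)
        return seg

    def connect(self, peer):
        """First handshake: SYN with seq = x; enter SYN_SENT."""
        self.snd_una = self.snd_nxt = self.isn
        self.state = "SYN_SENT"
        return self._send(peer, {"SYN"})

    def send_data(self, peer, data):
        return self._send(peer, {"PSH", "ACK"}, data)

    def close(self, peer):
        """Active close (first wave), or closing the reply direction after CLOSE_WAIT (third wave)."""
        self.state = {"ESTABLISHED": "FIN_WAIT_1", "CLOSE_WAIT": "LAST_ACK"}[self.state]
        return self._send(peer, {"FIN", "ACK"})

    def receive(self, seg, peer):
        """Process one segment from peer; return the reply segment, or None."""
        if "RST" in seg.flags:
            self.state = "CLOSED"
            return None
        if self.state == "LISTEN":
            if "SYN" not in seg.flags:
                return None
            self.rcv_nxt = seg.seq + 1                    # the SYN occupied one sequence number
            self.snd_una = self.snd_nxt = self.isn
            self.state = "SYN_RECEIVED"
            return self._send(peer, {"SYN", "ACK"})       # second handshake: seq = y, ack = x + 1
        if "ACK" in seg.flags:
            if not self.snd_una <= seg.ack <= self.snd_nxt:
                # Acknowledges something never sent: abort with RST (simplified; RFC 793
                # resets only in some states and otherwise just drops the segment).
                self.state = "CLOSED"
                return Segment(self.name, peer.name, frozenset({"RST"}), seg.ack, 0)
            self.snd_una = seg.ack
        if self.state == "SYN_SENT":
            if not ({"SYN", "ACK"} <= seg.flags and seg.ack == self.snd_nxt):
                return None                               # not a valid SYN-ACK for our SYN
            self.rcv_nxt = seg.seq + 1
            self.state = "ESTABLISHED"
            return self._send(peer, {"ACK"})              # third handshake: seq = x + 1, ack = y + 1
        if seg.seq != self.rcv_nxt:
            return self._send(peer, {"ACK"})              # out of order or duplicate: repeat our ack
        if self.snd_una == self.snd_nxt:                  # everything we sent is acknowledged
            self.state = {"SYN_RECEIVED": "ESTABLISHED", "FIN_WAIT_1": "FIN_WAIT_2",
                          "CLOSING": "TIME_WAIT", "LAST_ACK": "CLOSED"}.get(self.state, self.state)
        self.rcv_nxt += len(seg.data)
        if "FIN" in seg.flags:
            self.rcv_nxt += 1                             # the FIN itself occupies one sequence number
            self.state = {"ESTABLISHED": "CLOSE_WAIT", "FIN_WAIT_1": "CLOSING",
                          "FIN_WAIT_2": "TIME_WAIT"}.get(self.state, self.state)
        return self._send(peer, {"ACK"}) if (seg.data or "FIN" in seg.flags) else None

def run_connection(payload=b"", client_isn=1234567, server_isn=7654321):
    """Handshake, optional data from the client, then a client-initiated close.
    Returns (segments in order, final client state, final server state)."""
    client, server = Endpoint("client", client_isn), Endpoint("server", server_isn)
    server.listen()
    trace = []

    def deliver(seg):
        while seg is not None:                            # keep delivering replies until silence
            trace.append(seg)
            receiver, sender = (server, client) if seg.dst == "server" else (client, server)
            seg = receiver.receive(seg, sender)

    deliver(client.connect(server))                       # SYN, SYN+ACK, ACK
    if payload:
        deliver(client.send_data(server, payload))        # PSH+ACK, ACK
    deliver(client.close(server))                         # FIN+ACK (first wave), ACK (second wave)
    deliver(server.close(client))                         # FIN+ACK (third wave), ACK (fourth wave)
    return trace, client.state, server.state

def relative(trace, client_isn, server_isn):
    """Show seq/ack numbers relative to each side's ISN, as Wireshark does by default."""
    rows = []
    for s in trace:
        own, peer = (client_isn, server_isn) if s.src == "client" else (server_isn, client_isn)
        flags = "+".join(f for f in FLAG_ORDER if f in s.flags)
        rows.append((s.src, flags, s.seq - own, s.ack - peer if "ACK" in s.flags else 0))
    return rows

if __name__ == "__main__":
    trace, cs, ss = run_connection(b"GET / HTTP/1.0\r\n\r\n")
    for src, flags, seq, ack in relative(trace, 1234567, 7654321):
        print("%-6s [%s] seq=%d ack=%d" % (src, flags, seq, ack))
    print("final states: client=%s server=%s" % (cs, ss))
```

With an empty payload the trace reproduces exactly the seven segments and relative numbers used in the sections above (SYN 0/0, SYN+ACK 0/1, ACK 1/1, FIN+ACK 1/1, ACK 1/2, FIN+ACK 1/2, ACK 2/2) and ends with the client in TIME_WAIT and the server in CLOSED; with a payload you can see the data bytes shifting the client's sequence numbers while the server's stay at 1.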


It should be said that this covers only the TCP-layer three-way handshake, which is the most basic knowledge: HTTP communication cannot do without it, and higher-level protocols such as HTTPS and HTTP/2 build on it, so understanding the handshake well lays a good foundation for the next level.


Original link: TCP three-way handshake and four-way termination diagram


