TCP three-way handshake and tcpdump packet capture analysis process

Source: Internet
Author: User
1. Establishing a TCP connection (three-way handshake)

Client A, server B; seq is the sequence number and ACK the acknowledgement number.

Initial state: B is in LISTEN (passive open), and A performs an active open.

  • A -> B: seq = x (A sends a connection request segment, a SYN, to B and enters the SYN-SENT state)

  • B -> A: ACK = x + 1, seq = y (B receives the segment and sends its confirmation to A; B enters the SYN-RCVD state)

  • A -> B: ACK = y + 1 (A confirms again after receiving B's confirmation, and A enters the ESTABLISHED state)

State after connection: B enters ESTABLISHED after receiving A's confirmation.

Why are three handshakes needed?

It prevents an invalid connection request segment (one that was delayed in the network and arrives late) from suddenly reaching the server and making the server wrongly believe that A wants a new connection; with the third handshake, the server only enters ESTABLISHED once A actually confirms.

2. Releasing a TCP connection (four-way handshake)

A -> B: seq = u (A sends a connection release segment, a FIN, and enters the FIN-WAIT-1 state)

B -> A: ACK = u + 1, seq = v (B receives the segment and sends its confirmation; the connection is now half-closed, B can still send data to A, and B enters the CLOSE-WAIT state)

B -> A: ACK = u + 1, seq = w (B sends its own connection release segment, repeating the acknowledgement number, and enters the LAST-ACK state)

A -> B: ACK = w + 1, seq = u + 1 (A sends the confirmation and enters the TIME-WAIT state)

A enters the CLOSED state only after its 2MSL timer expires (MSL is the maximum segment lifetime).

Why does A have to wait 2MSL after entering TIME-WAIT?
  • To ensure that the last ACK segment sent by A can reach B (if it is lost, B retransmits its FIN and A can acknowledge it again)
  • To prevent old, invalid segments from appearing in a new connection
3. Using tcpdump

tcpdump is a command-line packet analysis tool that captures packets on the network. Captures can be filtered by protocol, host, network or port, and the logical operators and, or and not combine filters so that useless traffic is left out.

Monitoring packets of a specified host

tcpdump host <IP address>: captures all packets sent and received by the host with that IP address.
tcpdump host <IP address> and <IP address>: captures the traffic between the two hosts with those IP addresses.

Monitoring packets on a specified port

tcpdump port <port number>: captures the packets whose source or destination port is the given port (for example, port 80 for HTTP traffic on the local machine).

4. Packet capture analysis of the handshake process

Capture method: first use the tcpdump command to capture the packets exchanged between the local host and a remote host, then open the website hosted on that remote host. Here the test uses my domain name www.fonxian.cn.

ping www.fonxian.cn

This gives the IP address corresponding to the domain name: 151.101.100.133

ifconfig

This gives the intranet (LAN) IP address of the local machine: 192.168.0.108

The -S parameter makes tcpdump print absolute sequence and acknowledgement numbers. Without it, tcpdump prints them relative to the initial sequence numbers, so the ack of the third handshake segment shows as the relative value 1.

sudo tcpdump -S host 192.168.0.108 and 151.101.100.133

The capture output (shown as an image in the original article) then lists the three handshake segments with their flags, seq and ack values.
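As an added example (not from the original article), the following Python script parses lines in the format that tcpdump -S prints, walks the states from section 1 (LISTEN, SYN-SENT, SYN-RCVD) and checks the seq/ack arithmetic of the handshake, x + 1 and y + 1. The capture lines are constructed using the two addresses above; the port numbers and sequence numbers are assumptions.

```python
import re

# One tcpdump TCP line: "IP src > dst: Flags [F], seq N[:M], ack K, ..."
LINE_RE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?"
    r"(?:, ack (?P<ack>\d+))?"
)

def parse_line(line):
    """Return (src, dst, flags, seq, ack) for a TCP line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    to_int = lambda v: None if v is None else int(v)
    return m["src"], m["dst"], m["flags"], to_int(m["seq"]), to_int(m["ack"])

def find_handshake(lines):
    """Walk the capture as a small state machine (LISTEN -> SYN-SENT -> SYN-RCVD)
    and return the first complete handshake as a dict; 'valid' is True only if
    the SYN-ACK acknowledges x + 1 and the final ACK acknowledges y + 1.
    Returns None when no complete SYN / SYN-ACK / ACK triple is present."""
    state, hs = "LISTEN", {}
    for src, dst, flags, seq, ack in filter(None, map(parse_line, lines)):
        if state == "LISTEN" and flags == "S" and seq is not None:
            hs = {"client": src, "server": dst, "x": seq}  # step 1: SYN, seq = x
            state = "SYN-SENT"
        elif (state == "SYN-SENT" and flags == "S." and seq is not None
              and (src, dst) == (hs["server"], hs["client"])):
            hs.update(y=seq, syn_ack_acks=ack)  # step 2: SYN-ACK, seq = y, ack = x + 1
            state = "SYN-RCVD"
        elif (state == "SYN-RCVD" and flags == "."
              and (src, dst) == (hs["client"], hs["server"])):
            hs["ack_acks"] = ack  # step 3: ACK, ack = y + 1
            hs["valid"] = hs["syn_ack_acks"] == hs["x"] + 1 and ack == hs["y"] + 1
            return hs
    return None

# Constructed sample capture (not real traffic) in the format of "tcpdump -S":
# absolute sequence and acknowledgement numbers on every line.
SAMPLE_ABSOLUTE = [
    "12:00:00.000001 IP 192.168.0.108.51234 > 151.101.100.133.80: Flags [S], seq 1000000000, win 65535, length 0",
    "12:00:00.020000 IP 151.101.100.133.80 > 192.168.0.108.51234: Flags [S.], seq 2000000000, ack 1000000001, win 28960, length 0",
    "12:00:00.020050 IP 192.168.0.108.51234 > 151.101.100.133.80: Flags [.], ack 2000000001, win 512, length 0",
]
# The same exchange as tcpdump prints it without -S: the third segment's ack is
# relative to the server's ISN, so it reads 1 and the check above fails.
SAMPLE_RELATIVE = SAMPLE_ABSOLUTE[:2] + [SAMPLE_ABSOLUTE[2].replace("ack 2000000001", "ack 1")]
```

Running find_handshake on SAMPLE_ABSOLUTE reports valid True with x = 1000000000 and y = 2000000000, while SAMPLE_RELATIVE reports valid False, which is exactly why the capture above is taken with -S.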
