Reposted from:
Http://blog.chinaunix.net/uid-9112803-id-3212041.html
Summary:
This article briefly introduces the principle behind TCP's connection-oriented operation, explains the meaning of each field of the TCP segment, and picks the segments that establish a TCP connection out of a Wireshark packet capture for analysis.
I. Overview
TCP is a reliable, connection-oriented transport protocol. Before two processes can send data they must establish a connection, but this connection exists only as buffers and state variables allocated in the end systems; the packet switches in the middle keep no connection state at all. The connection is established as follows (the three-way handshake):
First, the client sends a special TCP message segment;
Second, the server responds with another special TCP message segment;
Finally, the client responds with a third special segment.
Figure 1 Three-way handshake protocol [1]
II. TCP Segment Format
2.1 Overview
To provide reliable data transfer, the TCP header carries quite a few fields. The TCP segment format is as follows:
Figure 2 TCP segment format
Source and destination ports
Used for multiplexing and demultiplexing data from and to upper-layer applications; put simply, ports identify different processes on the same computer.
Sequence number and acknowledgment number
These two fields are a critical part of TCP's reliable transport service. The sequence number is the byte-stream number of the first byte of the segment (TCP views the data as an ordered stream of bytes and implicitly numbers each byte of the stream). A more intuitive way to see it: when a message is split into several segments, the sequence number is the offset of the segment's first byte within the whole message. The acknowledgment number gives the next byte expected. TCP is full duplex; suppose host A is receiving data from host B, then the acknowledgment number host A fills into its segment is the sequence number of the next byte host A expects to receive from host B. Still unclear about the relationship between the two? See the three-way handshake:
Figure 3 TCP connection establishment under normal conditions
Header Length (4 bits)
Because the options are of variable length, the length of the whole header must be indicated (in 32-bit words): it equals 5 plus the number of 32-bit words of options. The field is 4 bits wide and its unit is a 32-bit word, so the longest header is 15*4 = 60 bytes, i.e. the options are at most 40 bytes (10 words).
Flags
URG
Indicates that the sender's upper-layer entity has marked data in this segment as "urgent". When URG=1, the urgent pointer gives the position of the urgent data within the current segment (as a byte offset from the current sequence number), and the TCP receiver must notify its upper-layer entity.
ACK
ACK=0 indicates that the segment carries no acknowledgment; ACK=1 indicates that the segment carries an acknowledgment that a segment was successfully received.
PSH
When PSH=1, the receiver hands the data to the upper layer immediately after receiving it, rather than waiting until the whole buffer is full.
RST
Used to reset a connection that has become confused (for example after a host crash), or to reject an invalid segment or refuse a connection request. In general, if a segment you receive has the RST bit set, it means a problem has occurred at your end.
SYN
Used in the connection establishment process. In a connection request, SYN=1 and ACK=0 indicate that the segment carries no piggybacked acknowledgment field; the connection reply is an acknowledgment with SYN=1 and ACK=1.
Note: piggybacking means that the acknowledgment of client-to-server data is carried inside a data segment that the server sends to the client.
FIN
Used to release a connection; it indicates that the sender has no more data to transmit. The receiver may still continue to receive data afterwards. Fortunately, SYN and FIN segments carry sequence numbers, which ensures that these segments are processed in the correct order.
Window Size
Used for flow control (to ensure that neither side of the connection sends so many packets so quickly that it overwhelms the other); the window size specifies how many bytes may be sent beyond the acknowledged byte.
Checksum
Provides extra reliability. When computing the checksum the TCP checksum field is set to 0, and if the data field has an odd number of bytes it is padded with one extra zero byte. Checksum algorithm: add all 16-bit words using one's complement arithmetic and take the one's complement of the accumulated result. Consequently, when the receiver performs the same computation (this time including the checksum field), the result should be 0.
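As an added example (not part of the original article), the checksum computation just described in Python, including the IPv4 pseudo-header (source and destination address, protocol 6 and TCP length) that the TCP checksum also covers, and the receiver-side check that the sum over a segment including its checksum field complements to 0. The addresses, ports and payload are constructed.

```python
import struct
from ipaddress import IPv4Address

def ones_complement_sum(data: bytes) -> int:
    # Pad an odd-length buffer with one zero byte, then add the 16-bit words
    # with end-around carry (one's complement addition).
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for (word,) in struct.iter_unpack("!H", data):
        total += word
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    # IPv4 pseudo-header: source, destination, zero byte, protocol 6, TCP length.
    return struct.pack("!4s4sBBH", IPv4Address(src_ip).packed,
                       IPv4Address(dst_ip).packed, 0, 6, tcp_len)

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    # Sender side: the checksum field inside `segment` must be zero when called.
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    return (~total) & 0xFFFF

def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload=b"") -> bytes:
    # 20-byte header without options (data offset 5) and a zeroed checksum field,
    # then the computed checksum patched into bytes 16..17.
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def verify_segment(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    # Receiver side: the same sum taken over the segment *including* its checksum
    # field is all ones, so its one's complement must be 0.
    return tcp_checksum(src_ip, dst_ip, segment) == 0
```

A segment whose payload or pseudo-header addresses are altered in transit fails verify_segment, which is the check a receiving stack performs before handing the data up.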
Urgent pointer
See the URG bit of the flags field.
Options
The options section is designed to adapt to complex network environments and to serve the application layer better. TCP options are at most 40 bytes. See 2.2 for details.
Data
A TCP segment carrying no data is also legal and is commonly used for acknowledgment and control information.
2.2 Option Field [2]
The TCP options section is settled together with the connection, i.e. it is negotiated during the three-way handshake. The TCP options that are actually used are as follows:
(1) Maximum segment size (MSS)
Used by the sender to negotiate with the receiver the maximum segment length (payload data only, excluding the TCP header). During the three-way handshake each side announces the MSS it expects to receive (the MSS appears only in SYN packets); if the other side does not accept the MSS value, the default of 536 bytes of payload is used, i.e. the host can accept TCP segments of 20+536 bytes.
(2) Window scaling option (window scaling)
The window size field of the TCP header occupies 16 bits, so its maximum value is 65535, but with the emergence of communications with relatively large delay and bandwidth (such as satellite communication), a larger window is needed to meet performance and throughput requirements. This is why the window scaling option exists. See reference [2] for examples.
Window scaling occupies 3 bytes, and the last byte is the shift count, the number of bits by which the 16-bit window field of the header is shifted left. For example, with a shift count of 14 the new maximum window size becomes 65535 * (2^14).
The window scaling option is negotiated at the beginning of TCP connection establishment. Once the window has been scaled, sending a shift count of 0 restores the original window size of 65535 when a large window is no longer needed.
(3) Selective acknowledgment option (SACK, selective acknowledgements)
Consider this case: host A sends segments 1, 2, 3, 4, 5 and host B receives 1, 3, 5 without error. SACK is used to ensure that only the missing segments are retransmitted, rather than retransmitting all of them.
The SACK option requires 2 function bytes: one to indicate that the SACK option is in use (SACK permitted), and the other to indicate how many bytes this option occupies.
So how is the missing segment 2 described? By indicating that the left and right edges around 2 are 1 and 3 respectively. TCP data blocks have byte-block boundaries, which are expressed as sequence numbers.
What is the maximum number of byte-block boundaries that can be specified? The answer is 4. This is because the option field is at most 40 bytes; subtracting the 2 function bytes, and since a sequence number is 32 bits (4 bytes) and both a left and a right edge are needed, (40-2)/8 = 4.
(4) Timestamp option (timestamps)
The timestamp option is used to compute the round-trip time RTT: the sender puts the value of its current clock into the timestamp field when sending a segment, the receiver copies the value of the timestamp field into the acknowledgment segment, and when the sender receives the acknowledgment it compares the acknowledgment's timestamp (equal to the time at which the sender sent the segment) with the current time, from which the RTT can be calculated.
The timestamp option can also be used to protect against wrapped sequence numbers (PAWS). The sequence number is only 32 bits, so it wraps around every 2^32 sequence numbers (think of a ring queue); with the timestamp option, segments carrying the same sequence number are easily told apart.
(5) NOP (no-operation)
The TCP header must be a multiple of 4 bytes, but most options are not multiples of 4 bytes, so the shortfall is padded with NOPs. In addition, NOP is also used to separate different options; for example, the window scaling option and SACK are separated by NOPs (this is visible in the example below).
III. Case Analysis
3.1 Overview
Take visiting the Baidu home page as an example: first the DNS protocol resolves the URL to an IP address, and then a TCP connection is established between the client and the server. The packets captured with Wireshark are as follows:
Figure 4 Wireshark capture of the packets establishing a TCP connection
You may find it strange: in theory there should be 3 packets, so why are there 6? First, the sending and receiving of the 6 packets (combining their timing and meaning) is as follows:
Figure 5 An instance of establishing a TCP connection
From the figure, when establishing the connection the client sent two segments, which may be in order to establish the connection faster (if one request packet is lost, it does not have to wait a while before retransmitting). Next, the TCP connection setup process is analyzed using packets 19, 21 and 22 (marked by the red line).
3.2 First Handshake
The first-handshake segment of the TCP connection captured by Wireshark is as follows:
Figure 6 First handshake of a TCP connection
Here are a few key fields to analyze:
The flags field: SYN=1, ACK=0, indicating that the segment carries no piggybacked acknowledgment field.
How does the maximum segment size (MSS) of 1460 come about? The physical characteristics of the Ethernet link layer limit the data frame length to 1500 bytes (the MTU, maximum transmission unit), and 1460 = 1500 - 20 (IP header length) - 20 (TCP header length). Do not be misled by the 32-byte header length in this packet; that applies only during connection establishment. The relationship between MSS and MTU [2]:
Figure 7 The relationship between MSS and MTU
The NOP field can be used as padding when the options are not a multiple of 4 bytes, and also as a separator between options. 3 NOPs appear in this segment, each with a specific role:
Figure 8 NOP fields of the TCP segment
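As an added example (not the article's own code), a Python parser for the fixed TCP header and the options described in section 2.2, run over a constructed 32-byte SYN modelled on the first handshake above (MSS 1460, window scaling, SACK permitted, three NOPs). The option kind numbers are the standard ones; the strict length checks are there because a malformed option length is the classic way a naive parser loops forever or reads past the header. The segment bytes are constructed, not taken from the capture.

```python
import struct
# TCP option kinds used in the article (RFC 793 / 7323 / 2018 numbering)
EOL, NOP, MSS, WSCALE, SACK_PERM, SACK, TIMESTAMP = 0, 1, 2, 3, 4, 5, 8
FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")  # bits 0..5 of the flags byte

def parse_options(raw: bytes) -> list:
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == EOL:                      # end of option list, rest is padding
            break
        if kind == NOP:                      # single byte: padding or separator
            opts.append(("NOP", None))
            i += 1
            continue
        # Other options are kind/length/value; reject a missing, tiny or overrunning length.
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        length, body = raw[i + 1], raw[i + 2:i + raw[i + 1]]
        if kind == MSS and length == 4:
            opts.append(("MSS", struct.unpack("!H", body)[0]))
        elif kind == WSCALE and length == 3:
            opts.append(("WScale", body[0]))                 # shift count
        elif kind == SACK_PERM and length == 2:
            opts.append(("SACK_PERM", True))
        elif kind == SACK and length > 2 and (length - 2) % 8 == 0:
            edges = struct.unpack("!%dI" % ((length - 2) // 4), body)
            opts.append(("SACK", list(zip(edges[::2], edges[1::2]))))  # (left, right) blocks
        elif kind == TIMESTAMP and length == 10:
            opts.append(("TS", struct.unpack("!II", body)))  # (TSval, TSecr)
        else:
            opts.append(("kind%d" % kind, body))             # unknown kind: keep raw bytes
        i += length
    return opts

def parse_tcp(segment: bytes) -> dict:
    sport, dport, seq, ack, off, flags, win, csum, urg = struct.unpack("!HHIIBBHHH", segment[:20])
    hlen = (off >> 4) * 4                    # data offset is counted in 32-bit words
    if hlen < 20 or hlen > len(segment):
        raise ValueError("bad data offset %d" % hlen)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": [n for b, n in enumerate(FLAG_NAMES) if flags >> b & 1],
            "window": win, "checksum": csum, "urgent": urg,
            "options": parse_options(segment[20:hlen]), "payload": segment[hlen:]}

# Constructed SYN (not a capture): 32-byte header, data offset 8, SYN flag, window
# 65535, then options MSS 1460, NOP, WScale 2, NOP, NOP, SACK permitted.
SYN_SEGMENT = bytes.fromhex("c350 0050 00000000 00000000 80 02 ffff 0000 0000"
                            "0204 05b4 01 03 03 02 01 01 04 02")
```

Calling parse_tcp(SYN_SEGMENT) yields the same option list Wireshark shows for the first handshake: MSS, a NOP, the window scale, two NOPs, then SACK permitted.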
3.3 Second Handshake
The server responds to the client's TCP segment; now the acknowledgment number is 1, and SYN=1, ACK=1 indicates that this connection reply is an acknowledgment. The Wireshark capture is as follows:
Figure 9 Second handshake of a TCP connection
Why is the MSS 1452 instead of 1460? This is because the Internet connection uses PPPoE dial-up (Point-to-Point Protocol over Ethernet, which allows Ethernet hosts to connect to a remote access concentrator through a simple bridging device [3]). The PPPoE header is 8 bytes, so the PPPoE MTU is 1492 and the MSS is 1492-40 = 1452.
So what MSS is used for data transfer after the TCP connection is established: 1460, 1452 or 536? My understanding is the default value of 536. Is that the right way to understand it? Advice welcome!
3.4 Third Handshake
The client again responds to the server's segment; now both the sequence number and the acknowledgment number are 1, and there is no options field. The Wireshark capture is as follows:
Figure 10 Third handshake of a TCP connection
Note that because window scaling was not negotiated, the window is not scaled, i.e. the maximum window size is 65535.
Thus the TCP connection is established :-)
In-depth understanding of the TCP/IP protocol stack through Wireshark packet captures: the TCP protocol (TCP segment format + three-way handshake instance)