Use the Tcpdump analysis tool to verify the TCP connection setup and shutdown process

Source: Internet
Author: User

This article assumes the reader already has some understanding of how TCP establishes a connection with a three-way handshake and how it closes one. It does not explain the handshake itself; it only verifies it through a concrete example.

Everyone is presumably already familiar with how TCP connections are established and closed: a three-way handshake to connect, and a three- or four-way (half-close) handshake to close. Here I want to use a concrete program to analyze the process.

First, the tools used: the tcpdump command on Linux, plus a server program and a client program that I wrote in C. The code is as follows:

Header file:

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <errno.h>
#include <signal.h>
#include <unistd.h>
#include <string.h>
#include <sys/wait.h>
#include <arpa/inet.h>
```

Server-side:

```c
#include "header.h"

int main(int argc, char *argv[])
{
    int socket_n;                    // connected socket descriptor
    int listen_s;                    // listening socket descriptor
    socklen_t cli_addr_len;          // client address length
    struct sockaddr_in server_addr;  // server address
    struct sockaddr_in client_addr;  // client address

    ssize_t n = 0;                   // length of the data received
    char buffer[100];                // data buffer (the original size was lost from the page; 100 is assumed)
    int maxlen = sizeof(buffer);
    char cli_addr[INET_ADDRSTRLEN];  // client address in text form

    // create the listening socket
    listen_s = socket(AF_INET, SOCK_STREAM, 0);
    if (listen_s < 0)
    {
        perror("error:socket failed!");
        exit(1);
    }

    // fill in the local server address
    memset(&server_addr, 0, sizeof(server_addr));
    server_addr.sin_family = AF_INET;
    server_addr.sin_addr.s_addr = htonl(INADDR_ANY);
    server_addr.sin_port = htons(9877);

    // bind the socket to the local address
    if (bind(listen_s, (struct sockaddr *)&server_addr, sizeof(server_addr)) < 0)
    {
        perror("error:binding failed!");
        exit(1);
    }
    // listen for connection requests
    if (listen(listen_s, maxlen) < 0)
    {
        perror("error:listening failed!");
        exit(1);
    }

    while (1)
    {
        // accept() reads cli_addr_len as the size of client_addr, so set it first
        cli_addr_len = sizeof(client_addr);
        // the parentheses matter: without them socket_n receives the result of the comparison
        if ((socket_n = accept(listen_s, (struct sockaddr *)&client_addr, &cli_addr_len)) < 0)
        {
            perror("error:accepting failed!");
            exit(1);
        }
        // leave room for the terminating NUL so the buffer can be printed as a string
        n = read(socket_n, buffer, maxlen - 1);
        if (n > 0)
        {
            buffer[n] = '\0';
            inet_ntop(AF_INET, &client_addr.sin_addr, cli_addr, sizeof(cli_addr));
            printf("%s sent %s", cli_addr, buffer);
            write(socket_n, buffer, n);  // echo back exactly the bytes received
        }
        printf("the connection you just established is about to close\n");
        close(socket_n);
    }
    return 0;
}
```

Client:

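```c
#include "header.h"

int main(int argc, char *argv[])
{
    int sockfd;
    ssize_t n;            // number of bytes read from the server
    char buffer_s[100];   // send buffer (the original size was lost from the page; 100 is assumed)
    char buffer_r[100];   // receive buffer (same assumption)
    struct sockaddr_in servaddr;

    memset(buffer_r, 0, sizeof(buffer_r));
    memset(buffer_s, 0, sizeof(buffer_s));

    if (argc != 2)
    {
        printf("usage:client <ip address>!\n");
        exit(1);
    }

    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd < 0)
    {
        perror("error:socket failed!");
        exit(1);
    }

    memset(&servaddr, 0, sizeof(servaddr));
    servaddr.sin_family = AF_INET;
    servaddr.sin_port = htons(9877);
    // inet_pton returns 1 only when argv[1] is a valid IPv4 address
    if (inet_pton(AF_INET, argv[1], &servaddr.sin_addr) != 1)
    {
        fprintf(stderr, "invalid IPv4 address: %s\n", argv[1]);
        exit(1);
    }

    if (connect(sockfd, (struct sockaddr *)&servaddr, sizeof(servaddr)) < 0)
    {
        perror("error:connect failed!");
        exit(1);
    }

    while (fgets(buffer_s, sizeof(buffer_s), stdin) != NULL)
    {
        write(sockfd, buffer_s, strlen(buffer_s));
        // leave room for the terminating NUL before printing with fputs
        n = read(sockfd, buffer_r, sizeof(buffer_r) - 1);
        if (n <= 0)
        {
            printf("Client:server terminated prematurely\n");
            break;
        }
        buffer_r[n] = '\0';
        fputs(buffer_r, stdout);
    }

    close(sockfd);
    return 0;
}
```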

The tcpdump command is:

```
tcpdump -i lo port 9877 and host 127.0.0.1
```

This command captures packets on the lo interface (the loopback interface) with IP 127.0.0.1 and port number 9877 (9877 is the port the server binds in my program).

The results of the run are as follows:

The client sends "a\n" to the server and receives "a\n" back.

The next screenshot shows more than is needed; the part relevant to this article is the ./server run at the bottom. The server receives "a\n", echoes it back to the client, then immediately closes the connection and prints "the connection you just established is about to close".

The last screenshot is the output of the packet capture, which is what needs to be analyzed.

The first thing to explain is that the analysis starts with the packet at 15:32:38.348872. 38264 is the client's port number and 9877 is the server's port number. Some packets should have an ACK among their flags (the Flags field in the figure), but it is not shown explicitly; I think tcpdump may have omitted it, and the SYN flag (shown as a single S) may also be omitted for some packets. Another point to note is that the sequence numbers of the server and the client should be random numbers, but once the connection is established they automatically start from 1; I think tcpdump computes this automatically.

The first packet shows the client sending the server a segment with sequence number (seq) 598232472 and the SYN flag set. This is the first handshake of connection setup: the client sends its own sequence number.

The second packet shows the server sending the client a segment with seq 3283581888 and acknowledgment number 5982324272; the flag is SYN (in theory there should also be an ACK, which is perhaps not shown here). This is the second handshake of connection setup: the server sends its own sequence number and acknowledges the client's sequence number.

The third packet shows the client sending the server a segment with no sequence number and acknowledgment number 1 (I think this is the result of tcpdump's processing), indicating that it expects to receive the first byte from the server. At this point the three-way handshake is complete and the client-to-server connection is established.

The fourth packet shows the client sending two bytes of data to the server, with seq 1 and acknowledgment number 1. The flag is PSH (indicating that the data is not held in the window buffer and is delivered directly to the application).

The fifth packet shows the server acknowledging the data sent by the client; the acknowledgment number is 3 and there is no sequence number.

The sixth packet shows the server sending two bytes of data to the client, with sequence number 1 and acknowledgment number 3. The flag is PSH.

The seventh packet is the FIN that the server sends to the client to terminate the connection. Its sequence number is 3 and its acknowledgment number is 3. The three-way handshake that closes the connection starts here. (The server is the side actively closing, so the three-way handshake has become a two-way handshake.)

The eighth packet is an acknowledgment sent by the client to the server with acknowledgment number 3, which acknowledges the two bytes the server sent.

The ninth packet is an acknowledgment sent by the client to the server with acknowledgment number 4, which acknowledges the FIN sent by the server; the TCP connection is closed.
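
The packet sequence walked through above can also be checked mechanically. The following Python script is an added example, not part of the original article: it parses tcpdump-style text lines and labels each packet's role, relying on the fact that tcpdump prints the ACK flag as `.` inside the Flags brackets, so `[S.]` is SYN+ACK and `[.]` is a pure ACK. The sample lines are constructed to match the nine packets described (ports, first timestamp and initial sequence numbers taken from the text; the remaining timestamps, window sizes and the SYN-ACK acknowledgment number are made up).

```python
import re

# Constructed sample: tcpdump-style lines for the nine packets the article
# walks through (ports and ISNs from the text; other fields are made up).
SAMPLE = """\
15:32:38.348872 IP 127.0.0.1.38264 > 127.0.0.1.9877: Flags [S], seq 598232472, win 43690, length 0
15:32:38.348890 IP 127.0.0.1.9877 > 127.0.0.1.38264: Flags [S.], seq 3283581888, ack 598232473, win 43690, length 0
15:32:38.348905 IP 127.0.0.1.38264 > 127.0.0.1.9877: Flags [.], ack 1, win 342, length 0
15:32:40.101000 IP 127.0.0.1.38264 > 127.0.0.1.9877: Flags [P.], seq 1:3, ack 1, win 342, length 2
15:32:40.101020 IP 127.0.0.1.9877 > 127.0.0.1.38264: Flags [.], ack 3, win 342, length 0
15:32:40.101100 IP 127.0.0.1.9877 > 127.0.0.1.38264: Flags [P.], seq 1:3, ack 3, win 342, length 2
15:32:40.101150 IP 127.0.0.1.9877 > 127.0.0.1.38264: Flags [F.], seq 3, ack 3, win 342, length 0
15:32:40.101160 IP 127.0.0.1.38264 > 127.0.0.1.9877: Flags [.], ack 3, win 342, length 0
15:32:40.140000 IP 127.0.0.1.38264 > 127.0.0.1.9877: Flags [.], ack 4, win 342, length 0
"""

LINE = re.compile(r"IP \S+\.(\d+) > \S+\.(\d+): Flags \[([A-Z.]+)\]"
                  r"(?:, seq (\d+)(?::\d+)?)?(?:, ack (\d+))?.*length (\d+)")
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST", ".": "ACK"}

def parse(line):
    """Return the ports, flag set, seq, ack and length of one line, or None."""
    m = LINE.search(line)
    if not m:
        return None
    sport, dport, flags, seq, ack, length = m.groups()
    return {"sport": int(sport), "dport": int(dport),
            "flags": {FLAG_NAMES[c] for c in flags if c in FLAG_NAMES},
            "seq": int(seq) if seq else None,
            "ack": int(ack) if ack else None, "len": int(length)}

def label(pkt):
    """Name the packet's role in connection setup, data transfer or teardown."""
    f = pkt["flags"]
    if "SYN" in f:
        return "handshake 2: SYN+ACK" if "ACK" in f else "handshake 1: SYN"
    if "FIN" in f:
        return "teardown: FIN"
    return "data" if pkt["len"] > 0 else "pure ACK"

def summarize(text):
    """Return (source port, sorted flags, label) for every parsable line."""
    pkts = [p for p in map(parse, text.splitlines()) if p]
    return [(p["sport"], sorted(p["flags"]), label(p)) for p in pkts]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```
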

OK, that is a worked example of the three-way handshake; I hope it helps you better understand the process.
