Transmission Control Protocol (TCP) is a connection-oriented transport protocol that ensures data is delivered intact and reliably. To make transmission reliable, TCP must not only number and acknowledge each byte sent, but also verify the validity of each packet. Each TCP packet is encapsulated in an IP packet: the IP header is followed by the TCP header. The format of a TCP packet is as follows:

Source port and destination port fields

  • TCP Source Port: 16-bit port number of the application on the source computer.
  • TCP Destination Port: 16-bit port number of the application on the target computer.

Sequence number field

TCP Sequence Number: 32 bits. It is the number of the first byte of data sent in this segment. In a TCP connection, every byte of the transmitted byte stream is numbered sequentially. When the SYN flag is not 1, this is the sequence number of the first byte of the current data segment. If SYN is 1, the value of this field is the initial sequence number (ISN) used to synchronize sequence numbers; in this case, the sequence number of the first data byte is 1 greater than the value of the field, that is, ISN plus 1.

Acknowledgment number field

TCP Acknowledgment Number (ACK Number): 32 bits. It is the number of the first byte of data that the receiver expects to receive from the sender in the next segment. The value is the next sequence number that the receiving computer expects, that is, the sequence number of the last byte received plus 1.

Data offset field

TCP Header Length: 4 bits. The data offset is the distance from the start of the TCP segment to the start of its data. It is used to determine the length of the TCP header and to tell the receiving side where the data starts.

Reserved field

Reserved: 4 bits. Reserved for the future development of TCP; must be 0.

Flag bit field

  • CWR (Congestion Window Reduced): congestion window reduction flag. The sender sets it to indicate that it has received a TCP packet with the ECE flag set. After receiving such a packet, the sender lowers its sending rate by reducing the size of its send window.
  • ECE (ECN Echo): during the TCP three-way handshake, indicates that a TCP endpoint supports ECN. During data transmission, it indicates that the ECN field in the IP header of a received TCP packet was set to 11, i.e. the network path is congested.
  • URG (Urgent): indicates whether this segment contains urgent data. URG=1 means there is urgent data. The urgent pointer field described below is valid only when URG=1.
  • ACK: indicates whether the acknowledgment number field is valid. The acknowledgment number field above is valid only if ACK=1. TCP specifies that ACK must be 1 in every packet after the connection is established.
  • PSH (Push): indicates whether the peer should push the data to the upper layer immediately after receiving the packet. A value of 1 means the data should be delivered to the upper layer immediately rather than cached.
  • RST: indicates whether to reset the connection. RST=1 means the TCP connection has hit a serious error (for example, the host crashed); the connection must be released and re-established.
  • SYN: used during connection establishment to synchronize sequence numbers. SYN=1, ACK=0 indicates a segment requesting a connection. SYN=1, ACK=1 indicates that the peer agrees to establish the connection. In other words, SYN=1 means the packet either requests or accepts a connection. SYN is 1 only in the first two handshakes.
  • FIN: indicates whether the sender has finished sending data. FIN=1 means all data has been sent and the connection can be released.

Window size field

Window Size: 16 bits. It indicates how many bytes of data, starting from the acknowledgment number, the receiver can currently accept, i.e. how much space is left in the receiver's receive window. This field is used for TCP flow control.

TCP checksum field

TCP Checksum: 16 bits. It is used to confirm whether the transmitted data is corrupted. The sender computes a value from the data it sends, and the receiver computes a value from the data it receives. The two values must be the same for the data to be valid; if they differ, the packet is discarded. The checksum is calculated over the pseudo-header, the TCP header, and the TCP data.

Urgent pointer field

Urgent Pointer: 16 bits. It is meaningful only when the preceding URG control bit is 1. It indicates how many bytes in this segment are urgent data. When all the urgent data has been processed, TCP tells the application to resume normal operation. Urgent data can be sent even if the current window size is 0, because urgent data does not need to be cached.

Optional field

Option: the length varies, but must be an integer multiple of 32 bits.
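The header layout above can be exercised with a small parser and checksum verifier. This is an added example, not code from the original article; the function names and the sample SYN segment (ports, ISN and window are constructed values, the addresses are the ones used in the capture later on this page) are assumptions.

```python
import socket
import struct

# Flag bits in header order, highest bit (0x80) first, as listed above.
FLAG_NAMES = ["CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"]

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the TCP checksum."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input with a zero byte
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over pseudo-header + TCP header + TCP data (IPv4)."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    return ~ones_complement_sum(pseudo + segment) & 0xFFFF

def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    # With a correct checksum field in place, the recomputed value is 0.
    return tcp_checksum(src_ip, dst_ip, segment) == 0

def parse_tcp(segment: bytes) -> dict:
    if len(segment) < 20:
        raise ValueError("shorter than the 20-byte fixed header")
    (sport, dport, seq, ack, off_res, flags,
     window, checksum, urgent) = struct.unpack("!HHIIBBHHH", segment[:20])
    header_len = (off_res >> 4) * 4  # data offset counts 32-bit words
    if not 20 <= header_len <= len(segment):
        raise ValueError("data offset points outside the segment")
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "header_len": header_len, "reserved": off_res & 0x0F,
        "flags": [n for i, n in enumerate(FLAG_NAMES) if flags & (0x80 >> i)],
        "window": window, "checksum": checksum, "urgent": urgent,
        "options": segment[20:header_len], "payload": segment[header_len:],
    }

def build_sample_syn(src_ip, dst_ip, sport, dport, isn) -> bytes:
    """Constructed sample: option-less SYN segment with a valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, isn, 0, 5 << 4, 0x02, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]
```

Changing any byte of the segment after the checksum is filled in makes `checksum_ok` return False, which is the discard case described under the checksum field.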

Establishing a TCP connection

TCP establishes a connection in three steps, known as the three-way handshake. Below is a normal three-way handshake to establish a connection:

  • Machine A sends a packet with SYN set to 1, indicating that it wants to establish a connection. Assume the sequence number of this packet is x.
    • After sending the SYN packet, machine A enters the SYN_SENT state
  • After receiving the SYN packet sent by A, machine B answers with a packet that has SYN and ACK set to 1. Assume the sequence number of the response packet is y; the sequence number of the next packet B expects to receive is x+1
    • After returning the response packet, B enters the SYN_RCVD state
  • Machine A answers the response packet sent by B with a packet whose ACK flag is set to 1 and whose sequence number is x+1; the sequence number of the next packet A expects to receive is y+1
    • The connection between machine A and machine B is established successfully

Verifying the TCP three-way handshake with a packet capture

To verify that the description of the three-way handshake is correct, capture packets with Wireshark. To obtain the IP address of www.baidu.com, run the ping command:

    Ping www.a.shifen.com [183.232.231.174] with 32 bytes of data:
    Reply from 183.232.231.174: bytes=32 time=16ms TTL=54
    Reply from 183.232.231.174: bytes=32 time=16ms TTL=54
    Reply from 183.232.231.174: bytes=32 time=16ms TTL=54

    183.232.231.172 Ping statistics:
        Packets: Sent = 3, received = 3, Lost = 0 (0% lost),
    estimated round trip time in milliseconds:
        Minimum = 16ms, maximum = 16ms, average = 16ms

The output above shows that the IP address of www.baidu.com is 183.232.231.174. Then use a Wireshark display filter to show only the TCP packets exchanged with www.baidu.com:

    (ip.src_host == "183.232.231.174" or ip.dst_host == "183.232.231.174") and tcp

After capturing and analyzing the packets with Wireshark, verify that the three-way handshake matches the description in the previous section.

Why three handshakes?

The three-way handshake has two main purposes: information equivalence and prevention of timeouts.

Information equivalence

Four pieces of information need to be confirmed when two machines communicate:

  • Its own ability to send packets
  • Its own ability to receive packets
  • The peer's ability to send packets
  • The peer's ability to receive packets

First handshake

In the first handshake, machine A sends a SYN packet to machine B. At this point only machine B can confirm anything: its own ability to receive packets and the other machine's ability to send them.

After the first handshake is completed, machine B can confirm the following information:

  • Machine B's ability to receive packets
  • Machine A's ability to send packets

Second handshake

In the second handshake, machine B responds to the SYN packet sent by machine A. Machine A can now confirm its own ability to send and receive packets as well as machine B's ability to send and receive packets.

After the second handshake is completed, machine A can confirm the following information:

  • Machine A's ability to send packets
  • Machine A's ability to receive packets
  • Machine B's ability to send packets
  • Machine B's ability to receive packets

Third handshake

In the third handshake, machine A responds to the SYN+ACK packet sent by machine B. Machine B can now confirm its own ability to send packets and machine A's ability to receive them.

After the third handshake, machine B can confirm the following information:

  • Machine B's ability to send packets
  • Machine A's ability to receive packets

So far, after three handshakes, machine A and machine B have reached information equivalence: both parties can confirm their own and the other party's ability to send and receive packets. For ease of understanding, the information equivalence can be summarized in a small table:

Preventing timeouts

In addition to ensuring information equivalence, the three-way handshake also prevents dirty connections caused by request timeouts. The TTL of a network packet usually exceeds the TCP request timeout. Suppose a connection were created after only two handshakes, the data transmitted and the connection released. If the first connection request, which had timed out, then reaches machine B, machine B takes it for a new connection request from machine A and agrees to create a connection. Because machine A is not in the SYN_SENT state, it discards machine B's confirmation directly, so machine B alone considers the connection established.

With a three-way handshake, machine B also confirms the connection request to machine A after receiving it. However, because machine A is not in the SYN_SENT state, it does not reply to machine B's confirmation. Machine B receives no acknowledgment for a long time, the connection eventually fails to be created, and no dirty connection is left behind.

Closing a TCP connection

TCP is full-duplex: both parties can act as sender and receiver of data. A TCP connection also has to be closed at some point. TCP requires three handshakes to establish a connection, but four waves to close one, in the following steps:

  • Machine A sends the close packet with FIN set to 1; assume its sequence number is u. After sending the close packet, machine A enters the FIN_WAIT_1 state

  • Upon receiving the request to close the connection, machine B notifies the application to finish processing the remaining data

  • In response to A's request to close the connection, machine B sends a packet with the ACK flag set to 1, seq set to v, and ack set to u+1. Machine B is then in the CLOSE_WAIT state

  • After receiving the response, machine A enters the FIN_WAIT_2 state and waits for the FIN packet from machine B

  • After processing the remaining data, machine B sends a packet to machine A with the FIN and ACK flags set to 1, seq set to w, and ack set to u+1, and then waits for the reply from machine A in the LAST_ACK state

  • After receiving the FIN packet, machine A sends an ACK packet with seq set to u+1 and ack set to w+1. Machine A then enters the TIME_WAIT state

  • After receiving the ACK packet, machine B enters the CLOSED state and its side of the connection is closed

  • After waiting in the TIME_WAIT state for 2MSL, machine A also enters the CLOSED state and the connection is closed

MSL indicates the Maximum Segment Lifetime.

2MSL is twice MSL

The four waves of disconnection can be put more vividly:

  • Boy: Let's break up.
  • Girl: OK, I need to go home and finish packing, then I'll text you. (From now on the boy can no longer hug the girl.)
  • ... an hour later
  • Girl: I'm done packing, let's break up. (From now on the girl can no longer hug the boy.)
  • Boy: OK. (After a waiting period that both sides accept, each can look for a new partner.)

Verifying the TCP four-wave close with a packet capture

The packet capture process is the same as for the three-way handshake and is not repeated here. The packets captured after accessing the site are as follows:

  • The first packet is sent by 192.168.1.6 (the client): a FIN packet with seq 80 and ack 2782
  • The second packet is sent by 183.232.231.174 (the server) to 192.168.1.6 (the client): an ACK packet with seq 2782 and ack 81
  • The third packet is sent by 183.232.231.174 (the server) to 192.168.1.6 (the client): an ACK and FIN packet with seq 2782 and ack 81
  • The fourth packet is sent by 192.168.1.6 in response to the server: an ACK packet with seq 81 and ack 2783

The four-wave flow is consistent with our description.
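The sequence and acknowledgment arithmetic of both the three-way handshake (x, y, x+1, y+1) and the four-wave close can be checked mechanically. The following is an added example, not part of the original article: it generalizes the two cases into one rule (SYN and FIN each consume one sequence number) and assumes an in-order capture without loss or retransmissions; the function name, the tuple layout and the handshake values are constructed for illustration.

```python
MOD = 2 ** 32  # sequence numbers are 32-bit and wrap around

def check_stream(packets):
    """Check seq/ack consistency of an in-order, loss-free capture.

    packets: list of (sender, flags, seq, ack, payload_len) with sender
    "A" or "B" and flags a set such as {"SYN", "ACK"}.
    Returns a list of human-readable problems (empty if consistent).
    """
    next_seq = {}  # side -> sequence number that side must send next
    problems = []
    for i, (sender, flags, seq, ack, length) in enumerate(packets, 1):
        peer = "B" if sender == "A" else "A"
        if sender in next_seq and seq != next_seq[sender]:
            problems.append(f"packet {i}: seq {seq}, expected {next_seq[sender]}")
        if "ACK" in flags:
            if peer in next_seq and ack != next_seq[peer]:
                problems.append(f"packet {i}: ack {ack}, expected {next_seq[peer]}")
            next_seq.setdefault(peer, ack)  # mid-stream capture: learn peer position
        # SYN and FIN each consume one sequence number, like a byte of data.
        next_seq[sender] = (seq + length + ("SYN" in flags) + ("FIN" in flags)) % MOD
    return problems

# Constructed handshake with x = 1000 and y = 5000.
HANDSHAKE = [
    ("A", {"SYN"}, 1000, 0, 0),
    ("B", {"SYN", "ACK"}, 5000, 1001, 0),
    ("A", {"ACK"}, 1001, 5001, 0),
]

# The four close packets listed above (A = 192.168.1.6, B = 183.232.231.174).
# The ACK flag on the first FIN is assumed, since it carries an ack number.
TEARDOWN = [
    ("A", {"FIN", "ACK"}, 80, 2782, 0),
    ("B", {"ACK"}, 2782, 81, 0),
    ("B", {"FIN", "ACK"}, 2782, 81, 0),
    ("A", {"ACK"}, 81, 2783, 0),
]

# Constructed bad case: the final ACK acknowledges y instead of y + 1.
BAD_HANDSHAKE = HANDSHAKE[:2] + [("A", {"ACK"}, 1001, 5000, 0)]

if __name__ == "__main__":
    for name, capture in [("handshake", HANDSHAKE), ("teardown", TEARDOWN),
                          ("bad handshake", BAD_HANDSHAKE)]:
        print(name, check_stream(capture) or "consistent")
```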

TIME_WAIT state

The machine that actively closes the connection (machine A) enters the TIME_WAIT state after receiving the FIN packet and sending the ACK packet, and closes 2MSL later. If FIN and ACK packets are received in the FIN_WAIT_1 state, the machine can enter the TIME_WAIT state directly without passing through the FIN_WAIT_2 state.

Why TIME_WAIT

Ensuring that the passive closer (machine B) can enter the CLOSED state smoothly

If machine A sends the last ACK packet but it fails to reach machine B because of network problems, machine B assumes that machine A has not received the FIN+ACK packet and sends it again. If machine A selfishly closed the connection and entered the CLOSED state right after sending the last ACK, machine B might never receive the ACK packet and would be unable to close the connection.

Preventing invalid requests

The TIME_WAIT state prevents an invalid (stale) request packet from being confused with a request packet of a normal connection. Because the TIME_WAIT state does not actually release the handle resources, the local port used by the socket cannot be reused during this time by default.

CLOSE_WAIT state

After receiving the FIN packet from the peer, machine B responds with an ACK packet and enters the CLOSE_WAIT state. In this state it notifies the application, processes the remaining data, and releases resources.
