As a network programmer you must certainly understand the TCP communication process; at the very least, knowing it lets you find a solution when communication problems occur

TCP packet

For the structure of a TCP packet I will just post a picture from the textbook; the subject is covered in detail in computer networking courses

In this article, we focus on the sequence number, the acknowledgement number, and the flag bits:

  1. ACK: acknowledgement
  2. PSH: push data to the application
  3. SYN: establish a connection
  4. FIN: close the connection

For example, if the SYN flag bit in a packet is set to 1, the packet is a request to establish a connection; ACK set to 1 indicates the packet acknowledges a packet that was received

TCP sequence number and acknowledgement number

As mentioned above, a packet contains a sequence number and an acknowledgement number; the sequence number is abbreviated SEQ and the acknowledgement number is abbreviated ACK. We pay special attention to these two values because they are exactly what we look at when capturing and analyzing network communication later

At the beginning of a TCP connection, the sequence number of the first packet is a random number generated by the active party (the initiator). Take the three-way handshake as an example:

  1. The active party sends a SYN packet, the first packet. Its sequence number is randomly generated; call it A. The acknowledgement number of this packet is not meaningful
  2. The passive party receives the SYN packet, reads its sequence number (A), and replies with a SYN-ACK packet (both the SYN and ACK bits are 1). The sequence number of this packet is again randomly generated; call it B. The acknowledgement number = sequence number of the received packet (A) + value of the SYN bit of the received packet + length of the data in the received packet. That is A + 1 + 0, i.e. A + 1, because the data part of a SYN packet is empty
  3. The active party receives the SYN-ACK packet and replies with an ACK packet. The sequence number of this packet equals the acknowledgement number in the received packet (A + 1). The acknowledgement number of this packet = sequence number of the received packet (B) + value of the SYN bit of the received packet + length of the data in the received packet (the same calculation the passive party made in step 2), i.e. B + 1

From the above procedure it follows that the acknowledgement number tells the other party which sequence number its next packet must carry
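The seq/ack rule from the three steps above written out as code, as an added example that is not part of the original article. The `Segment` class, the `expected_ack` helper and the initial sequence numbers passed in are constructed for this example; the rule it implements (acknowledgement = peer's sequence number + SYN bit + FIN bit + data length) is the one the article describes, extended to the FIN bit and to a data segment so the same helper covers the later captures.

```python
"""Added example (not from the original article): the seq/ack rule of the
three-way handshake, extended to data and FIN segments."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int                 # meaningful only when ack_flag is set
    syn: bool = False
    ack_flag: bool = False
    fin: bool = False
    data: bytes = b""

    def consumes(self) -> int:
        # Sequence space used by this segment: SYN and FIN each count as one
        # byte, plus the payload length. This is the "SYN bit + data length" rule.
        return int(self.syn) + int(self.fin) + len(self.data)


def expected_ack(received: Segment) -> int:
    """Acknowledgement number to put in the reply: the peer's seq plus what the
    received segment consumed, i.e. the next sequence number we expect from it."""
    return received.seq + received.consumes()


def three_way_handshake(isn_a: int, isn_b: int) -> list[Segment]:
    """Build the three handshake segments from the two (constructed) ISNs A and B."""
    # Step 1: active side sends SYN with its random ISN A; the ack field is not meaningful.
    syn = Segment("client", "server", seq=isn_a, ack=0, syn=True)
    # Step 2: passive side replies SYN-ACK with its own ISN B and ack = A + 1 + 0.
    syn_ack = Segment("server", "client", seq=isn_b, ack=expected_ack(syn),
                      syn=True, ack_flag=True)
    # Step 3: active side replies ACK; its seq is the ack it just received (A + 1),
    # and its ack = B + 1 by the same calculation.
    ack = Segment("client", "server", seq=syn_ack.ack, ack=expected_ack(syn_ack),
                  ack_flag=True)
    return [syn, syn_ack, ack]


def handshake_is_consistent(isn_a: int, isn_b: int) -> bool:
    """Check the three segments against the article's A+1 / B+1 rule."""
    syn, syn_ack, ack = three_way_handshake(isn_a, isn_b)
    return (syn_ack.ack == isn_a + 1
            and ack.seq == isn_a + 1
            and ack.ack == isn_b + 1)


def ack_after_data(isn_b: int, payload: bytes) -> int:
    """After the handshake the server's next seq is B + 1; sending `payload`
    from there should be acknowledged with B + 1 + len(payload)."""
    data_seg = Segment("server", "client", seq=isn_b + 1, ack=0,
                       ack_flag=True, data=payload)
    return expected_ack(data_seg)


if __name__ == "__main__":
    for s in three_way_handshake(1000, 5000):
        print(f"{s.src}->{s.dst} seq={s.seq} ack={s.ack} syn={s.syn} ack_flag={s.ack_flag}")
```

Running the block prints the three segments with A = 1000 and B = 5000: the SYN-ACK carries ack 1001, and the final ACK carries seq 1001 and ack 5001. `ack_after_data` shows the same rule applied to a 6-byte payload, which is what the `seq 1:7` / `ack 7` pair in the capture later in the article corresponds to.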

TCP communication process

Combining the three-way handshake and the four-way wave: here the passive side is the server and the active side is the client

  1. Both the active and passive parties start in the CLOSED state, and the passive party's program has not been started yet
  2. The passive program starts listening on its port (calling the bind method); the passive party's state is LISTEN
  3. The active party sends a SYN (calling the connect method); the active party's state is SYN_SENT
  4. The passive party receives the SYN (the accept method is still blocked at this point); the passive party's state is SYN_RCVD. It replies with a SYN-ACK, and the connection is placed in the incomplete connection queue
  5. The active party receives the SYN-ACK, enters the ESTABLISHED state, and replies with an ACK packet
  6. The passive party receives the ACK (the accept method returns) and enters the ESTABLISHED state
  7. During the data exchange in between, both parties are in the ESTABLISHED state
  8. The active closing party sends a FIN (calling the close method); the active closing party's state is FIN_WAIT_1
  9. The passive closing party receives the FIN and replies with an ACK; the passive closing party's state is CLOSE_WAIT
  10. The active closing party receives the ACK and changes state to FIN_WAIT_2
  11. The passive closing party then sends its own FIN (calling the close method); the passive closing party's state is LAST_ACK
  12. The active closing party receives the FIN and replies with an ACK; the active closing party's state is TIME_WAIT
  13. The passive closing party receives the ACK and is in the CLOSED state
  14. The active closing party enters the CLOSED state after waiting for two MSL periods

Steps 3-6 above are the three-way handshake and steps 8-14 are the four-way wave, in which the party initiating the close must wait 2 MSL before it becomes CLOSED. With a large number of short connections, this frequent sending of packets and waiting for a period before closing consumes a lot of resources

You can run the netstat -anp command to view the number of ESTABLISHED and TIME_WAIT connections

Note: if after step 3 above the active party never performs step 5, an entry in the passive party's incomplete connection queue stays occupied. If the active party keeps doing this, the passive party's incomplete connection queue eventually fills up and the passive party cannot accept new connections. The same kind of problem occurs when connections are closed: large numbers of TIME_WAIT or CLOSE_WAIT connections take up resources on the server side, and much server tuning is about exactly this
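A minimal model of the 14 steps above, as an added example that is not part of the original article. The transition table, the `Endpoint` class and the sample netstat output are constructed for this example; the states and the order of events follow the article's list, and `tally_states` reads a `netstat -anp` style listing the way you would when checking how many connections sit in ESTABLISHED or TIME_WAIT.

```python
"""Added example (not from the original article): the TCP state transitions of
steps 1-14 as a small state machine, plus a tally of connection states from
netstat-style output."""
from collections import Counter

# (current state, event) -> next state. Event names follow the article's steps;
# "2MSL_timer" is the wait the active closer performs in step 14.
TRANSITIONS = {
    ("CLOSED", "listen"): "LISTEN",                 # step 2, passive side
    ("CLOSED", "send_SYN"): "SYN_SENT",             # step 3, active side
    ("LISTEN", "recv_SYN"): "SYN_RCVD",             # step 4, replies SYN-ACK
    ("SYN_SENT", "recv_SYN_ACK"): "ESTABLISHED",    # step 5, replies ACK
    ("SYN_RCVD", "recv_ACK"): "ESTABLISHED",        # step 6
    ("ESTABLISHED", "send_FIN"): "FIN_WAIT_1",      # step 8, active close
    ("ESTABLISHED", "recv_FIN"): "CLOSE_WAIT",      # step 9, passive close
    ("FIN_WAIT_1", "recv_ACK"): "FIN_WAIT_2",       # step 10
    ("CLOSE_WAIT", "send_FIN"): "LAST_ACK",         # step 11
    ("FIN_WAIT_2", "recv_FIN"): "TIME_WAIT",        # step 12
    ("LAST_ACK", "recv_ACK"): "CLOSED",             # step 13
    ("TIME_WAIT", "2MSL_timer"): "CLOSED",          # step 14
}


class Endpoint:
    """One side of a connection; records every state it passes through."""

    def __init__(self, name):
        self.name = name
        self.state = "CLOSED"
        self.history = ["CLOSED"]

    def on(self, event):
        key = (self.state, event)
        if key not in TRANSITIONS:
            raise ValueError(f"{self.name}: event {event!r} is not valid in state {self.state}")
        self.state = TRANSITIONS[key]
        self.history.append(self.state)
        return self.state


def full_lifecycle():
    """Run steps 1-14 with the client as active opener and active closer.
    Returns the state history of the client and of the server."""
    client, server = Endpoint("client"), Endpoint("server")
    server.on("listen")           # 2
    client.on("send_SYN")         # 3
    server.on("recv_SYN")         # 4
    client.on("recv_SYN_ACK")     # 5
    server.on("recv_ACK")         # 6
    client.on("send_FIN")         # 8
    server.on("recv_FIN")         # 9
    client.on("recv_ACK")         # 10
    server.on("send_FIN")         # 11
    client.on("recv_FIN")         # 12
    server.on("recv_ACK")         # 13
    client.on("2MSL_timer")       # 14
    return client.history, server.history


def server_state_after_step3():
    """The situation in the article's note: the SYN arrives but step 5 never
    happens, so the server-side entry stays in SYN_RCVD (incomplete queue)."""
    client, server = Endpoint("client"), Endpoint("server")
    server.on("listen")
    client.on("send_SYN")
    server.on("recv_SYN")
    return server.state


# Constructed sample in the layout of `netstat -anp` (Linux net-tools).
SAMPLE_NETSTAT = """
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN      1234/nc
tcp        0      0 127.0.0.1:8888          127.0.0.1:59466         ESTABLISHED 1234/nc
tcp        0      0 127.0.0.1:59466         127.0.0.1:8888          ESTABLISHED 1250/telnet
tcp        0      0 127.0.0.1:8888          127.0.0.1:59470         TIME_WAIT   -
tcp        0      0 127.0.0.1:8888          127.0.0.1:59472         TIME_WAIT   -
tcp        0      0 127.0.0.1:8888          127.0.0.1:59474         TIME_WAIT   -
"""


def tally_states(netstat_output):
    """Count TCP connections per state; the State column is the sixth field."""
    counts = Counter()
    for line in netstat_output.strip().splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0] in ("tcp", "tcp6"):
            counts[fields[5]] += 1
    return counts


if __name__ == "__main__":
    c, s = full_lifecycle()
    print("client:", " -> ".join(c))
    print("server:", " -> ".join(s))
    print(dict(tally_states(SAMPLE_NETSTAT)))
```

Any event that is not valid in the current state raises, so the table doubles as a check that a recorded sequence of events is a legal TCP exchange.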

tcpdump

Once you understand the TCP communication process, you can capture packets with tcpdump and analyze the whole exchange

tcpdump captures TCP packets so that the state of the communication can be analyzed. It is typically used to capture packets and analyze connection problems that occur only intermittently

Installation

apt install tcpdump

Command parameters

parameter   description
-D          list the network interfaces (network cards) on the current server that can be captured from
-i          capture from the specified network interface
-n          do not resolve host names; show numeric IP addresses
-nn         also do not resolve port names; show numeric IP addresses and ports
-c          number of packets to capture; capture stops automatically when this count is reached
-w          write the captured packets to a file instead of the screen (an existing file is overwritten); the file can be opened in Wireshark
-r          read captured packet data from a file and display it on the screen; can be combined with other parameters such as -nn to control whether addresses and ports are shown numerically

Filter the data

Filtering is very important; for example, you can capture only the packets of a specified IP address and port

tcpdump -nn tcp                                                  # capture only TCP packets
tcpdump -nn tcp host 192.168.3.3                                 # only packets involving the specified host or IP address
tcpdump port 61613                                               # specify the port number
tcpdump src 192.168.3.3                                          # specify the source host or IP address
tcpdump dst 192.168.3.3                                          # specify the destination host or IP address
tcpdump src 192.168.3.3 and port 80                              # combine two conditions with "and"
tcpdump src 192.168.3.3 or src 192.168.3.4                       # combine two conditions with "or"
tcpdump -nn "port 80 and (src 192.168.3.3 or src 192.168.3.4)"  # group conditions with parentheses (quote the expression for the shell)

Analyzing data packets

With the above foundation, we can capture all the packets of one communication and analyze them

This experiment runs on a single VM, so when capturing with tcpdump you must specify the loopback interface with -i lo

Start the packet capture program and capture packets of TCP port 8888:

root@today2:~# tcpdump -nn -i lo tcp port 8888

After starting, tcpdump prints the following, which shows it is listening on the lo interface:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes

To start the server, we use the nc command:

nc -lk 8888

To start a client in another terminal, we use the telnet command:

telnet 127.0.0.1 8888

Once the client has started, the following packets appear in the capture window:

17:48:20.202499 IP 127.0.0.1.59466 > 127.0.0.1.8888: Flags [S], seq 3257142365, win 65495, options [mss 65495,sackOK,TS val 1604396091 ecr 0,nop,wscale 7], length 0
17:48:20.202511 IP 127.0.0.1.8888 > 127.0.0.1.59466: Flags [S.], seq 2103221418, ack 3257142366, win 65483, options [mss 65495,sackOK,TS val 1604396091 ecr 1604396091,nop,wscale 7], length 0
17:48:20.202520 IP 127.0.0.1.59466 > 127.0.0.1.8888: Flags [.], ack 1, win 512, options [nop,nop,TS val 1604396091 ecr 1604396091], length 0

Using the first line, the meaning of each field is:

  1. 17:48:20.202499: the local system timestamp when the packet was captured
  2. IP: the network-layer protocol is IPv4; for IPv6 this field reads IP6
  3. 127.0.0.1.59466 > 127.0.0.1.8888: source IP address.port > destination IP address.port
  4. Flags [S]: the packet's flag bits; the table at the end of the article maps tcpdump's flag letters to TCP flag bits
  5. seq 3257142365: the packet's sequence number, a random number for the first packet
  6. win 65495: the sender's window size (see the course "Computer Networks")
  7. options [...]: the TCP options
  8. length 0: the length of the data portion of the packet

The first line is the SYN packet sent by the client, the second line is the SYN-ACK packet sent by the server, and the third line is the ACK packet sent by the client. You can check the seq and ack values of these packets against the rule described above

Now send a word from either nc or telnet; suppose the word is hello. The capture shows the following two packets:

18:04:10.723026 IP 127.0.0.1.8888 > 127.0.0.1.59466: Flags [P.], seq 1:7, ack 1, win 512, options [nop,nop,TS val 1605346770 ecr 1604396091], length 6
18:04:10.723040 IP 127.0.0.1.59466 > 127.0.0.1.8888: Flags [.], ack 7, win 512, options [nop,nop,TS val 1605346770 ecr 1605346770], length 0

Finally, stop nc, which closes the connection between the two parties, and look at the capture result:

18:05:03.474050 IP 127.0.0.1.8888 > 127.0.0.1.59466: Flags [F.], seq 7, ack 8, win 512, options [nop,nop,TS val 1605399523 ecr 1605390431], length 0
18:05:03.474123 IP 127.0.0.1.59466 > 127.0.0.1.8888: Flags [F.], seq 8, ack 8, win 512, options [nop,nop,TS val 1605399523 ecr 1605399523], length 0
18:05:03.474132 IP 127.0.0.1.8888 > 127.0.0.1.59466: Flags [.], ack 9, win 512, options [nop,nop,TS val 1605399523 ecr 1605399523], length 0

Note: everyone talks about four waves, but there are only three packets here! The reason is that the passive closing party combined its ACK and its own FIN into a single packet, the one in the second line sent to the active closing party. This saves one packet transmission; packets can be lost when they are transmitted over the network

Mapping between tcpdump flag letters and TCP flag bits

Flag   Meaning
S      SYN
.      ACK
F      FIN
P      PSH
R      RST
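A parser for the tcpdump lines shown above that applies the flag table and the seq/ack rule to every packet, as an added example that is not part of the original article. The sample input is the article's own capture lines (handshake, data, teardown) copied here as a constructed string; the regular expression, the parsing functions and the ack checker are this example's. One caveat the checker has to handle: tcpdump prints absolute sequence numbers only on the SYN and SYN-ACK and relative numbers (offsets from each side's initial sequence number) afterwards, which is why the third packet shows `ack 1` rather than `ack 2103221419`.

```python
"""Added example (not from the original article): parse tcpdump output and
check every ack against the rule ack = peer's seq + SYN + FIN + data length."""
import re
from collections import Counter

# tcpdump flag letters -> TCP flag bits (the table above)
FLAG_LETTERS = {"S": "SYN", ".": "ACK", "F": "FIN", "P": "PSH", "R": "RST"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?"   # "seq 1:7" shows a byte range; keep the start
    r"(?:, ack (?P<ack>\d+))?"
    r".*?, length (?P<length>\d+)$"
)

# Constructed sample: the article's captured lines, in capture order.
SAMPLE_CAPTURE = """
17:48:20.202499 IP 127.0.0.1.59466 > 127.0.0.1.8888: Flags [S], seq 3257142365, win 65495, options [mss 65495,sackOK,TS val 1604396091 ecr 0,nop,wscale 7], length 0
17:48:20.202511 IP 127.0.0.1.8888 > 127.0.0.1.59466: Flags [S.], seq 2103221418, ack 3257142366, win 65483, options [mss 65495,sackOK,TS val 1604396091 ecr 1604396091,nop,wscale 7], length 0
17:48:20.202520 IP 127.0.0.1.59466 > 127.0.0.1.8888: Flags [.], ack 1, win 512, options [nop,nop,TS val 1604396091 ecr 1604396091], length 0
18:04:10.723026 IP 127.0.0.1.8888 > 127.0.0.1.59466: Flags [P.], seq 1:7, ack 1, win 512, options [nop,nop,TS val 1605346770 ecr 1604396091], length 6
18:04:10.723040 IP 127.0.0.1.59466 > 127.0.0.1.8888: Flags [.], ack 7, win 512, options [nop,nop,TS val 1605346770 ecr 1605346770], length 0
18:05:03.474050 IP 127.0.0.1.8888 > 127.0.0.1.59466: Flags [F.], seq 7, ack 8, win 512, options [nop,nop,TS val 1605399523 ecr 1605390431], length 0
18:05:03.474123 IP 127.0.0.1.59466 > 127.0.0.1.8888: Flags [F.], seq 8, ack 8, win 512, options [nop,nop,TS val 1605399523 ecr 1605399523], length 0
18:05:03.474132 IP 127.0.0.1.8888 > 127.0.0.1.59466: Flags [.], ack 9, win 512, options [nop,nop,TS val 1605399523 ecr 1605399523], length 0
"""


def parse_line(line):
    """Turn one tcpdump line into a dict; unknown flag letters are kept as-is."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised tcpdump line: " + line)
    g = m.groupdict()
    return {
        "ts": g["ts"], "src": g["src"], "dst": g["dst"],
        "flags": {FLAG_LETTERS.get(c, c) for c in g["flags"]},
        "seq": int(g["seq"]) if g["seq"] is not None else None,
        "ack": int(g["ack"]) if g["ack"] is not None else None,
        "length": int(g["length"]),
    }


def parse_capture(text):
    return [parse_line(l) for l in text.strip().splitlines() if l.strip()]


def flag_counts(packets):
    """How many packets carried each flag (two SYN, two FIN for one connection)."""
    return Counter(f for p in packets for f in p["flags"])


def check_acks(packets):
    """Return (packet index, expected ack, printed ack) for every ack that does
    not equal the next sequence number the peer was expected to send. All
    numbers are converted to absolute values before comparing."""
    isn = {}        # initial sequence number per sender, learned from its SYN
    next_seq = {}   # absolute sequence number each sender will use next
    mismatches = []
    for i, p in enumerate(packets):
        is_syn = "SYN" in p["flags"]
        if is_syn:
            isn[p["src"]] = p["seq"]
        seq_abs = None
        if p["seq"] is not None:
            seq_abs = p["seq"] if is_syn else p["seq"] + isn[p["src"]]
        ack_abs = None
        if p["ack"] is not None:
            ack_abs = p["ack"] if is_syn else p["ack"] + isn[p["dst"]]
        if ack_abs is not None and p["dst"] in next_seq and ack_abs != next_seq[p["dst"]]:
            mismatches.append((i, next_seq[p["dst"]], ack_abs))
        if seq_abs is not None:
            # SYN and FIN each consume one sequence number, plus the payload.
            consumed = int(is_syn) + int("FIN" in p["flags"]) + p["length"]
            next_seq[p["src"]] = seq_abs + consumed
    return mismatches


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    print(dict(flag_counts(pkts)))
    for idx, expected, got in check_acks(pkts):
        print(f"packet {idx}: expected ack {expected}, capture shows {got}")
```

On the article's lines every ack matches except one: the server's FIN (packet 5) acknowledges 7 bytes more than the client is known to have sent, because the listing shows only the packets in one direction for the "hello" exchange. A mismatch like this is what tells you, when reading a capture, that segments are missing from the listing rather than that the peer miscounted.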

Note: the -w parameter saves the captured packet data to a file, which you can then open in Wireshark on your PC; analysis is more convenient and faster that way
