What is TCP?
TCP (Transmission Control Protocol) is a connection-oriented transport layer protocol (RFC 793). It delivers a reliable, ordered byte stream between two endpoints on top of the unreliable IP layer.
Intention of this article:
Understanding the whole of TCP is not an easy task. In this article we will try to understand the basic packet exchanges of TCP through Wireshark. The theory is well covered elsewhere on the internet; here we will focus on packet capture analysis.
Why is TCP famous?
There are multiple reasons why TCP is so widely used:
- TCP is connection-oriented: a connection is set up before any data flows, every byte is acknowledged, and lost data is retransmitted, so reliability is very high.
- TCP controls congestion by itself (slow start, congestion avoidance, fast retransmit).
- TCP detects corrupted segments with a checksum.
- TCP uses flow control: the receiver advertises how much data it is able to accept.
- TCP has a delayed ACK feature, so one ACK can cover several received segments.
- TCP has a selective ACK (SACK) feature, so a receiver can report exactly which out-of-order blocks it has already got.
- TCP has a window scaling feature, which raises the maximum receive window above 64 KB for throughput improvement.
There are many other features that make TCP so popular.
Analysis of TCP:
We will follow some steps to generate TCP frames.
Step 1: The simplest way to generate TCP packets is to access any HTTP website. The reason is that HTTP is an application layer protocol and it uses TCP as its underlying transport layer protocol.
To know more about HTTP, follow the link below.
Step 2: Start Wireshark.
Step 3: Open the link below in any browser.
Step 4: Stop Wireshark and apply tcp as the display filter.
Step 5: ANALYSIS
Now we should see the TCP 3-way handshake packets. Here is a simple diagram.
Frame 1 : SYN [ Synchronization ]
SYN is the first packet; it goes from the client to the server. In our case 192.168.1.6 is the client [the system where we opened the browser] and gaia.cs.umass.edu is the server.
Here are some important fields in the SYN frame.
The SYN frame carries the client's initial sequence number and announces the client's capabilities (maximum segment size, window scale, SACK permitted) to the server.
Frame 2 : SYN+ACK [ Synchronization + Acknowledgement ]
SYN, ACK is the second packet; it goes from the server to the client.
Here are some important fields in the SYN, ACK frame.
The SYN, ACK frame acknowledges the client's SYN (acknowledgement number = client ISN + 1) and carries the server's own initial sequence number and capabilities.
Now the client and the server have shared their capabilities.
Frame 3 : ACK [ Acknowledgement ]
ACK is the third packet; it goes from the client to the server. It is the acknowledgement of the server's SYN (acknowledgement number = server ISN + 1) and also the client's acceptance of the capabilities sent by the server. From this point on the connection is established and either side may send data.
Here are the important fields of the ACK.
Let's check the important information shared between the client and the server (values from the SYN and SYN, ACK frames of this capture):

                        Client (SYN)          Server (SYN, ACK)
Receive window size     64240 bytes           29200 bytes
Maximum segment size    1460 bytes            1412 bytes
SACK permitted          Yes                   Yes
Window scale            8 (multiply by 256)   7 (multiply by 128)

The values differ, and that is normal: these parameters are not negotiated down to one common value. Each side announces what it is able to receive, and the other side respects those numbers when sending. So the client may send segments of at most 1412 bytes to the server, the server may send segments of at most 1460 bytes to the client, and each side applies the peer's window-scale shift to the peer's later window fields. Window scaling is used only if both sides sent the option in their SYN. Once the client's ACK arrives, the 3-way handshake is complete.
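The exchange above, as an added example that is not part of the original article: a small model of the 3-way handshake that tracks sequence and acknowledgement numbers, converts them to the relative numbers Wireshark displays, and derives what each side must respect when sending afterwards (the peer's MSS, the peer's window-scale shift, SACK only if both sides permitted it). The MSS, window and scale values are the ones from the capture; the fixed initial sequence numbers used in the demo and the dotted-quad client name are constructed for illustration, real stacks pick random ISNs.

```python
from dataclasses import dataclass, field
from typing import Optional
import random


@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    flags: frozenset
    window: int                          # raw 16-bit window field, never scaled in a SYN
    options: dict = field(default_factory=dict)


@dataclass
class Endpoint:
    name: str
    mss: int                             # largest segment this side is willing to receive
    window: int                          # raw receive window advertised in its SYN
    wscale: Optional[int]                # window-scale shift advertised, None if not sent
    sack: bool                           # whether it sends the SACK-permitted option
    isn: int = field(default_factory=lambda: random.getrandbits(32))
    snd_nxt: int = 0
    rcv_nxt: int = 0
    peer: dict = field(default_factory=dict)   # options learned from the peer's SYN

    def syn_options(self):
        opts = {"MSS": self.mss, "SACK_PERM": self.sack}
        if self.wscale is not None:
            opts["WScale"] = self.wscale
        return opts


def handshake(client, server):
    # Frame 1: SYN. No payload, but the SYN flag itself consumes one sequence number.
    syn = Segment(client.name, server.name, client.isn, 0,
                  frozenset({"SYN"}), client.window, client.syn_options())
    client.snd_nxt = client.isn + 1
    server.peer = syn.options
    server.rcv_nxt = syn.seq + 1

    # Frame 2: SYN+ACK. seq is the server's own ISN; ack = client ISN + 1.
    synack = Segment(server.name, client.name, server.isn, server.rcv_nxt,
                     frozenset({"SYN", "ACK"}), server.window, server.syn_options())
    server.snd_nxt = server.isn + 1
    client.peer = synack.options
    client.rcv_nxt = synack.seq + 1

    # Frame 3: ACK. seq = client ISN + 1, ack = server ISN + 1, no options.
    ack = Segment(client.name, server.name, client.snd_nxt, client.rcv_nxt,
                  frozenset({"ACK"}), client.window)
    return [syn, synack, ack]


def relative(seg, client, server):
    """Seq/ack numbers as Wireshark shows them by default: relative to each side's ISN."""
    base_seq = client.isn if seg.src == client.name else server.isn
    base_ack = server.isn if seg.src == client.name else client.isn
    rel_ack = ((seg.ack - base_ack) & 0xFFFFFFFF) if "ACK" in seg.flags else 0
    return ((seg.seq - base_seq) & 0xFFFFFFFF, rel_ack)


def send_limits(me):
    """What `me` must respect when sending to its peer after the handshake."""
    scaling = me.wscale is not None and "WScale" in me.peer   # both sides must send it
    return {
        "max_segment": me.peer["MSS"],                        # the receiver's MSS, not our own
        "window_shift": me.peer["WScale"] if scaling else 0,  # applied to the peer's windows
        "sack_in_use": me.sack and me.peer["SACK_PERM"],
    }


def peer_window_bytes(me, raw_window_field):
    """Bytes the peer can accept, given the window field of one of its post-handshake segments."""
    return raw_window_field << send_limits(me)["window_shift"]


if __name__ == "__main__":
    # Constructed ISNs so the output is reproducible; everything else is from the capture.
    client = Endpoint("192.168.1.6", mss=1460, window=64240, wscale=8, sack=True, isn=1000)
    server = Endpoint("gaia.cs.umass.edu", mss=1412, window=29200, wscale=7, sack=True, isn=5000)
    for seg in handshake(client, server):
        print(sorted(seg.flags), "seq/ack", (seg.seq, seg.ack), "relative", relative(seg, client, server))
    print("client sends at most", send_limits(client)["max_segment"], "bytes per segment")
    print("server sends at most", send_limits(server)["max_segment"], "bytes per segment")
```

Note that the window field in the SYN and SYN, ACK frames (64240 and 29200) is taken as-is; only window fields in later segments are multiplied by the shift, which is why Wireshark reports a separate "calculated window size" after the handshake.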
Here are the important fields of TCP header:
- Source port (16 bits): This is the sending port.
- Destination port (16 bits): This is the receiving port.
- Sequence number (32 bits):
- If the SYN bit is set, this is the initial sequence number (ISN).
- If the SYN bit is not set, this is the sequence number of the first data byte of this segment (the ISN plus everything sent so far, counting the one sequence number consumed by the SYN).
- Acknowledgment number (32 bits): If the ACK flag is set, the value of this field is the next sequence number that the sender of the ACK is expecting; everything before it has been received.
- Header length (4 bits): the data offset, counted in 32-bit words, so the header is at least 20 bytes (value 5) and at most 60 bytes (value 15). Everything beyond 20 bytes is options.
- Flags (9 bits): Wireshark shows them together with the 3 reserved bits in front. For the SYN frame of this capture:
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...0 .... = Acknowledgment: Not set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..1. = Syn: Set
.... .... ...0 = Fin: Not set
- Window size (16 bits): the size of the receive window in bytes. After the handshake this raw value is multiplied by the window-scale factor the receiving side announced in its SYN; the window field of the SYN itself is never scaled.
- Checksum (16 bits): used for error-checking. It covers the TCP header, the payload and a pseudo-header made of the source and destination IP addresses, the protocol number and the TCP length, so a segment delivered to the wrong host also fails the check.
- Urgent pointer (16 bits): an offset from the sequence number indicating the last urgent data byte; it is only meaningful when the URG flag is set.
The SYN frame carried these TCP options:
TCP Option - Maximum segment size: 1460 bytes
TCP Option - No-Operation (NOP)
TCP Option - Window scale: 8 (multiply by 256)
TCP Option - SACK permitted
The TCP header size of the SYN is 32 bytes: 20 bytes of fixed header plus 12 bytes of options (MSS takes 4 bytes, window scale 3, SACK permitted 2, and NOP bytes pad the option area to a multiple of 4 bytes, because the header length is counted in 32-bit words).
The TCP header size of the SYN, ACK is 32 bytes for the same reason.
The TCP header size of the ACK is 20 bytes as it does not carry any options.
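An added example (not from the original article) covering the header fields and options described above: it builds one SYN segment with the client's option values from the capture, computes the checksum over the pseudo-header the way the field definition requires, and then decodes the segment field by field the way Wireshark's dissector presents it. The option parser also stops on a malformed option length instead of looping, which is the check a practitioner wants in any hand-written dissector. The ports, IP addresses and initial sequence number are constructed sample values, not taken from the capture.

```python
import struct
from ipaddress import IPv4Address

# Bit positions of the 9 flag bits inside the 16-bit "data offset + reserved + flags" word.
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


def tcp_checksum(src_ip, dst_ip, segment):
    """One's-complement checksum over the IPv4 pseudo-header plus the whole TCP segment."""
    pseudo = (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(segment)))      # zero, protocol 6 = TCP, TCP length
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"                                       # pad an odd byte count
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                                        # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def verify_checksum(src_ip, dst_ip, segment):
    """A segment with a correct checksum field sums to zero."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def build_syn(src_ip, dst_ip, sport, dport, isn, window, mss, wscale):
    """A SYN with MSS, window scale and SACK permitted, padded with NOPs to 12 option bytes."""
    options = (struct.pack("!BBH", 2, 4, mss)       # kind 2, length 4: maximum segment size
               + b"\x01"                            # kind 1: NOP (padding)
               + struct.pack("!BBB", 3, 3, wscale)  # kind 3, length 3: window scale shift
               + b"\x01\x01"                        # NOP, NOP
               + b"\x04\x02")                       # kind 4, length 2: SACK permitted
    assert len(options) % 4 == 0                    # header length is counted in 32-bit words
    data_offset = (20 + len(options)) // 4
    flags = 1 << FLAG_NAMES.index("SYN")
    hdr = struct.pack("!HHIIHHHH", sport, dport, isn, 0,
                      (data_offset << 12) | flags, window, 0, 0) + options
    csum = tcp_checksum(src_ip, dst_ip, hdr)        # computed with the checksum field zeroed
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def parse_tcp(segment):
    """Decode a TCP header into the fields Wireshark shows, including the option list."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte fixed header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4
    flag_bits = off_flags & 0x1FF
    flags = [name for bit, name in enumerate(FLAG_NAMES) if flag_bits & (1 << bit)]
    options, i = [], 20
    while i < header_len:
        kind = segment[i]
        if kind == 0:                                # end of option list
            break
        if kind == 1:                                # NOP has no length byte
            options.append(("NOP", None)); i += 1
            continue
        length = segment[i + 1] if i + 1 < header_len else 0
        if length < 2 or i + length > header_len:    # bogus length: stop, do not spin or over-read
            options.append(("malformed", kind))
            break
        body = segment[i + 2:i + length]
        if kind == 2:
            options.append(("MSS", struct.unpack("!H", body)[0]))
        elif kind == 3:
            options.append(("WScale", body[0]))
        elif kind == 4:
            options.append(("SACK_PERM", True))
        else:
            options.append(("kind%d" % kind, body))
        i += length
    shift = next((v for k, v in options if k == "WScale"), 0)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "header_len": header_len, "flags": flags, "window": window,
            "checksum": csum, "urgent_pointer": urg, "options": options,
            "window_multiplier": 1 << shift}


if __name__ == "__main__":
    seg = build_syn("192.168.1.6", "198.51.100.10", 40000, 80, 12345, 64240, 1460, 8)
    info = parse_tcp(seg)
    print("header length", info["header_len"], "flags", info["flags"])
    print("options", info["options"], "window x", info["window_multiplier"])
    print("checksum ok:", verify_checksum("192.168.1.6", "198.51.100.10", seg))
```

Running it on the constructed SYN gives a 32-byte header, SYN as the only flag set, the option list MSS 1460 / NOP / window scale 8 / NOP / NOP / SACK permitted, a multiplier of 256, and a checksum that verifies only against the address pair it was computed for.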
Here is the screenshot with an explanation of TCP data and TCP ACK segments. Here we can see the TCP delayed ACK feature. The server has sent three TCP data packets to the client and the client has sent one delayed ACK to tell the server that it has received all three. That is why in the TCP ACK [packet number 96 in the screenshot] we see ACK=14121: Wireshark shows sequence numbers relative to the ISN, so this means the client has received every byte up to relative sequence number 14120 and expects byte 14121 next. TCP acknowledgements are cumulative; one ACK covers everything received in order before it.
For the basic theory of TCP, refer to
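An added example, not from the original article, for the delayed and cumulative ACK behaviour described above: a receiver that tracks the next expected relative sequence number, holds back one ACK per group of in-order segments (the group size is a parameter; RFC 1122 asks for an ACK at least every second full-sized segment, the capture above shows one per three, and a timer bounds the delay either way), and answers out-of-order data immediately with a duplicate ACK carrying a SACK block, as RFC 5681 and RFC 2018 describe. The segment sizes and sequence numbers fed to it are constructed sample input, not taken from the capture.

```python
class Receiver:
    """Receive side of one TCP connection, right after the handshake (relative seq 1 is next)."""

    def __init__(self, rcv_nxt=1, ack_every=2):
        self.rcv_nxt = rcv_nxt        # next expected relative sequence number
        self.ack_every = ack_every    # in-order full segments to absorb before one delayed ACK
        self.pending = 0              # in-order segments received since the last ACK
        self.ooo = {}                 # out-of-order data held aside: start seq -> end seq

    def _ack(self):
        """Cumulative ACK: everything before rcv_nxt has arrived; SACK lists what lies beyond."""
        self.pending = 0
        return ("ACK", self.rcv_nxt, self.sack_blocks())

    def sack_blocks(self):
        """Contiguous runs of held-aside data, as (start, end) pairs, end exclusive."""
        blocks = []
        for start in sorted(self.ooo):
            end = self.ooo[start]
            if blocks and blocks[-1][1] == start:      # merge runs that touch
                blocks[-1] = (blocks[-1][0], end)
            else:
                blocks.append((start, end))
        return tuple(blocks)

    def receive(self, seq, length):
        """Process one data segment; return the list of ACKs sent in response (often none)."""
        end = seq + length
        if end <= self.rcv_nxt:
            return [self._ack()]                        # old or retransmitted data: ACK at once
        if seq <= self.rcv_nxt:                          # in order (possibly overlapping the front)
            filled_hole = bool(self.ooo)
            self.rcv_nxt = end
            while self.rcv_nxt in self.ooo:              # pull in data that is now contiguous
                self.rcv_nxt = self.ooo.pop(self.rcv_nxt)
            self.pending += 1
            if filled_hole or self.pending >= self.ack_every:
                return [self._ack()]                    # a filled gap is ACKed immediately
            return []                                   # otherwise wait for more or the timer
        # seq > rcv_nxt: a gap. Hold the data and send a duplicate ACK with a SACK block.
        self.ooo[seq] = max(self.ooo.get(seq, 0), end)
        return [self._ack()]

    def delayed_ack_timer_expired(self):
        """Bound the delay: ACK whatever is pending even if the group is not full."""
        return [self._ack()] if self.pending else []


if __name__ == "__main__":
    # Constructed input: three full 1460-byte segments in order, then a pattern with a gap.
    r = Receiver(ack_every=3)
    for seq in (1, 1461, 2921):
        print("segment", seq, "->", r.receive(seq, 1460))
    r = Receiver()
    r.receive(1, 1460)
    print("gap:", r.receive(2921, 1460))      # duplicate ACK for 1461 with SACK (2921, 4381)
    print("filled:", r.receive(1461, 1460))   # ACK jumps straight to 4381
```

The ACK number is always "next byte I expect", never "bytes I received", which is why a gap produces a duplicate ACK with the same number while the SACK block tells the sender what it need not retransmit.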