1. Content of TCP header?
TCP Header Format
Source port (16 bits) : identifies the sending port.
Destination port (16 bits): identifies the receiving port.
Sequence number (32 bits):Has a
dual role:
If the
SYN flag is set (1), then this is the initial sequence number. The sequence
number of the actual first data byte and the acknowledged number in the
corresponding ACK are then this sequence number plus 1.
If the
SYN flag is clear (0), then this is the accumulated sequence number of the
first data byte of this segment for the current session.
Acknowledgement number (32 bits)
if the
ACK flag is set then the value of this field is the next sequence number that
the receiver is expecting. This acknowledges receipt of all prior bytes (if
any). The first ACK sent by each end acknowledges the other end's initial
sequence number itself, but no data.
Data offset (4 bits)
specifies
the size of the TCP header in 32-bit words. The minimum size header is 5 words
and the maximum is 15 words thus giving the minimum size of 20 bytes and
maximum of 60 bytes, allowing for up to 40 bytes of options in the header. This
field gets its name from the fact that it is also the offset from the start of
the TCP segment to the actual data.
Reserved
(3 bits):for
future use and should be set to zero
Flags (9
bits) (aka Control bits)
contains
9 1-bit flags
NS (1
bit) – ECN-nonce concealment protection (added to header by RFC 3540).
CWR (1
bit) – Congestion Window Reduced (CWR) flag is set by the sending host to
indicate that it received a TCP segment with the ECE flag set and had responded
in congestion control mechanism (added to header by RFC 3168).
ECE (1
bit) – ECN-Echo has a dual role, depending on the value of the SYN flag. It
indicates:
If the
SYN flag is set (1), that the TCP peer is ECN capable.
If the
SYN flag is clear (0), that a packet with Congestion Experienced flag in IP
header set is received during normal transmission (added to header by RFC
3168).
URG (1
bit) – indicates that the Urgent pointer field is significant
ACK (1
bit) – indicates that the Acknowledgment field is significant. All packets
after the initial SYN packet sent by the client should have this flag set.
PSH (1
bit) – Push function. Asks to push the buffered data to the receiving
application.
RST (1
bit) – Reset the connection
SYN (1
bit) – Synchronize sequence numbers. Only the first packet sent from each end
should have this flag set. Some other flags and fields change meaning based on
this flag, and some are only valid for when it is set, and others when it is
clear.
FIN (1
bit) – No more data from sender
Window
size (16 bits)
the size
of the receive window, which specifies the number of window size units (by
default, bytes) (beyond the sequence number in the acknowledgment field) that
the sender of this segment is currently willing to receive (see Flow control
and Window Scaling)
Checksum
(16 bits)
The
16-bit checksum field is used for error-checking of the header and data
Urgent
pointer (16 bits)
if the
URG flag is set, then this 16-bit field is an offset from the sequence number
indicating the last urgent data byte
Options (Variable 0–320 bits, divisible by 32)
2. TCP Three-way handshake, TCP Synchronisation:
Before the sending device and the
receiving device start the exchange of data, both devices need to be synchronised. During the TCP initialisation process, the sending
device and the receiving device exchange a few control packets for synchronisation purposes. This exchange is known as Three-way handshake.
The Three-way handshake begins with
the initiator sending a TCP
segment with the SYN control
bit flag set.
TCP allows one side to establish a
connection. The other side may either accept the connection or refuse it. If we
consider this from application layer point of view, the side that is
establishing the connection is the client and the side waiting for a connection
is the server.
TCP identifies two types of OPEN
calls:
Active Open:In an Active Open call a
device (client process) using TCP takes the active role and initiates the
connection by sending a TCP SYN
message to start the
connection.
Passive Open: A passive OPEN can specify that the device
(server process) is waiting for an active OPEN from a specific client. It does
not generate any TCP message
segment. The server processes listening for the clients are in Passive Open
mode.
TCP
Three-way Handshake
Step 1: Device A (Client) sends a TCP segment with
SYN = 1, ACK = 0, ISN (Initial Sequence Number) = 2000.
An Initial Sequence Number (ISN) is
a random Sequence Number, allocated for the first
packet in a new TCP connection.
The Active Open device (Device A)
sends a segment with the SYN flag set
to 1, ACK flag set
to 0 and an Initial Sequence Number 2000 (For Example), which marks the
beginning of the sequence numbers for data that device A will transmit. SYN is
short for Synchronise. SYN flag announces
an attempt to open a connection.
Step 2: Device B (Server) receives Device A's TCP segment and
returns a TCP segment with
SYN = 1, ACK = 1, ISN = 5000 (Device B's Initial Sequence Number), Acknowledgement Number = 2001 (2000 + 1, the next sequence number Device B expecting from Device A).
Step 3: Device A sends a TCP segment to
Device B that acknowledges receipt of Device B's ISN, With flags set as SYN =
0, ACK = 1, Sequence number = 2001, Acknowledgement number = 5001 (5000 + 1, the next
sequence number Device A expecting from Device B)
This handshaking technique is
referred to as TCP Three-way handshake or SYN, SYN-ACK, ACK.
After the Three-way handshake, the
connection is open and the participant computers start sending data using the
agreed sequence and acknowledge numbers.
TCP
Three-way Handshake - A Real World Example
Let us dissect the process of TCP
three-way handshake, using a real world example. I am including the Wireshark
screen shots also, to understand the concepts more clearly.
I am sitting at my desk and I need
to open Google web page for a search. The URL is https://www.google.com. Protocol
used is HTTPS over TCP and Destination TCP Port number is TCP 443. I have
entered the URL in my browser and hit the "Enter" key.
Topology and IP addresses for TCP
Three-way handshake study are shown below.
Step 1: First step in establishing a reliable TCP
connection (using Three-way handshake) between my computer and the Web Server
is to send a TCP segment, with SYN flag set to 1, to the Web Server. All other TCP Flags are set to 0. The TCP Segment with SYN
Flag set to 1, is informing the Web Server that my computer wants to open a TCP
session with the Web Server.
The Initial Sequence Number (ISN)
generated by the TCP/IP protocol stack in my computer is 2605483508.
Key values for the
TCP Three-Way handshake SYN request (Sent from My Computer to Web Server) are
shown in below table.
Step 2: After receiving the SYN request from my computer, the Web Server replied back with a TCP SYN-ACK packet. In a TCP SYN-ACK packet, both SYN and ACK flags are set to 1 and the remaining TCP Flags are set to 0.
The SYN Flag set to 1 is to inform
my computer that the Web Server is also willing to open a TCP session with my
computer. The ACK Flag set to 1 is to Acknowledge previous TCP SYN reqest.
Initial Sequence Number (ISN)
generated by the TCP/IP protocol stack running on the Web server is 877776654.
The Acknowledgement number 2605483509 is to inform My Computer
that the previous data was received successfully. Acknowledgement number points that the next Sequence Number of
the TCP segment from my computer to the Web Server should be 2605483509.
Note that the Acknowledgement number is increased by 1 if SYN, ACK or FIN flags are set in a received TCP packet. If
the TCP packet is carrying data, the Acknowledgement number is increased
according to the size of the data the packet is carrying.
Key values for the TCP Three-Way handshake SYN-ACK message (Sent from
Web Server to My Computer) are shown in below table.
Step 3: The final step in establishing a TCP reliable
connection using Three-Way handshake is to send back a TCP ACK packet to the
Web Server, for the SYN-ACK packet we received in last step.
My Sequence number is 2605483509, as specified as the Acknowledgement number in the previous SYN-ACK packet. My Acknowledgement number to the Web Server is 877776655.
Key values for the TCP Three-Way handshake ACK message (Sent from My
Computer to Web Server) are shown in below table.
Once the TCP Three-way handshake ACK
message is sent, TCP connection is Established and the computers can now start
communicating reliably using TCP.
3. Transmission Control Protocol (TCP) Connection Termination.
When the data transmission is complete and the device want to
terminate the connection, the device initiating the termination, places a TCP segment (Segment is the name of the
data packet at transport layer, if the protocol is TCP) with the FIN flag set to one.
The purpose of FIN bit is to enable TCP to gracefully terminate an established session. The
application then enters in a state called the FIN-WAIT state. When at FIN-WAIT
state, Device A continues to receive TCP segments from Device B and processes the segments
already in the queue, but no additional data is accepted from the application.
TCP Connection Termination
In the example shown above, assume Device A has completed its
transmission and indicates this by sending a segment to Device B with the FIN bit set to 1. Device B
will acknowledge the segment with an ACK. At this point in time, Device B will
no longer accept data from Device A. Device B can continue to accept data from
its application to transmit to Device A. If Device B does not have any more
data to transmit, it will also terminate the connection by transmitting a
segment to Device A with the FIN bit set
to 1. Device A will then ACK that
segment and terminates the connection.
4. How TCP sliding window work, TCP sliding window, TCP Window
What is a TCP Window:
A TCP window is the amount of unacknowledged data a sender can
send on a particular connection before it gets an acknowledgement back from the
receiver, that it has received some of the data.
What is TCP windowing?
TCP
windowing concept is primarily used to avoid congestion in the traffic. It
controls the amount of unacknowledged data a sender can send before it gets an
acknowledgement back from the receiver that it has received it.
TCP Sliding Window:
The working of the TCP sliding window mechanism can be explained
as below.
The sending device can send all packets within the TCP
window size (as specified in the TCP header) without receiving an ACK,
and should start a timeout timer for each of them.
The receiving device should acknowledge each packet it received,
indicating the sequence number of the last well-received packet. After
receiving the ACK from the receiving device, the sending device
slides the window to right side.
In this case, the sending device can send up to 5 TCP
Segments without receiving an acknowledgement from the receiving device.
After receiving the acknowledgement for Segment 1 from the receiving device,
the sending device can slide its window one TCP Segment to the right
side and the sending device can transmit segment 6 also.
If any TCP Segment lost while its journey to the
destination, the receiving device cannot acknowledge the sender. Consider while
transmission, all other Segments reached the destination except Segment 3. The
receiving device can acknowledge up to Segment 2. At the sending device, a
timeout will occur and it will re-transmit the lost Segment 3. Now the
receiving device has received all the Segments, since only Segment 3 was lost.
Now the receiving device will send the ACK for Segment 5, because it
has received all the Segments to Segment 5.
Acknowledgement (ACK) for Segment 5 ensures the sender the
receiver has succesfully received all the Segments up to 5.
TCP uses a byte level numbering system for communication.
If the sequence number for a TCP segment at any instance was 5000 and the
Segment carry 500 bytes, the sequence number for the next Segment will be
5000+500+1. That means TCP segment only carries the sequence number
of the first byte in the segment.
The Window size is expressed in number of bytes and is
determined by the receiving device when the connection is established and can
vary later. You might have noticed when transferring big files from one Windows
machine to another, initially the time remaining calculation will show a large
value and will come down later.
We have four categories in above example.
1) Bytes already sent and acknowledged (upto Byte 20).
2) Bytes sent but not acknowledged (Bytes 21-24).
3) Bytes the receiver is ready to accept (Bytes 25-28).
4) Bytes the receiver is not ready to accept (Byte 29 onwards).
The Send Window is the sum of Bytes sent but not acknowledged
and Bytes the receiver is ready to accept (Usable Window).
A visual demo of TCP Sliding Window mechanism can be viewed here.
5. Which device does reassembly and why?
Always
end device will do reassembly. Reason is buffer issue and all fragments packets
should pass through same router.
6. What is tcp sync attack?
A sender
transmits a volume of connections that cannot be completed. This causes the
connection queues to fill up, thereby denying service to legitimate TCP users.
A TCP SYN attack (also called SYN attack) is a common type of Denial of Service
attack.
7.Explain tcp sync flooding.
TCP
Intercept is designed to prevent a SYN flooding Denial of Service attack by
tracking, optionally intercepting and validating TCP connection requests. A SYN flooding attack involves flooding a
server with a barrage of requests for connection. However, since these messages have invalid
return addresses, the connections can never be established. The resulting volume of unresolved open
connections eventually overwhelms the server and can cause it to deny service
to valid requests. TCP Intercept is capable of operating in two different modes
- intercept mode and monitor mode. When
used in intercept mode (the default setting), it checks for incoming TCP
connection requests and will proxy-answer on behalf of the destination server
to ensure that the request is valid before connecting to the server. In monitor mode, TCP Intercept passively
watches the connection requests flowing through, and, if a connection fails to
get established in a configurable interval, it will intervene and terminate the
connection attempt.
MCQ's
1 .Two users are accessing a Network application simultaneously.
Which fields in the TCP/IP header would the server use to distinguish between
the connections?
a.
Source IP address in the IP header.
b. Destination IP address in the IP header.
c. Source port in the TCP header.
d. Destination port in the TCP header.
b. Destination IP address in the IP header.
c. Source port in the TCP header.
d. Destination port in the TCP header.
2. A
web client opens two instances of a website using a browser. Which of the
fields would be different for both the connections
a. Source port number.
b. Destination port number.
c. Source IP address
d. Destination IP address.
b. Destination port number.
c. Source IP address
d. Destination IP address.
3.
Which of the following fields are used to identify if the packet has to be sent
on the same or different network.
a.
Destination port number.
b. Subnet Mask.
c. Destination network address.
d. Domain name of the destination.
b. Subnet Mask.
c. Destination network address.
d. Domain name of the destination.
4. A PC
does not have DNS server IP address configured on its adapter. What would
happen if the user pings a website on the PC.
a.Response
would be received as ping uses ICMP.
b.Response would be received as ping does not use DNS.
c.Response would fail as DNS resolution would fail.
d.None of the above.
b.Response would be received as ping does not use DNS.
c.Response would fail as DNS resolution would fail.
d.None of the above.
5.
Which field is used in a TCP/IP header is used to identify the server
application.
a.Source
port number
b.Destination port number.
c.Socket number.
d.Socket port number.
b.Destination port number.
c.Socket number.
d.Socket port number.
6. When
does data transfer commence in a TCP based communication.
a.After the TCP 3 way handshake
b.Before the TCP 3 way handshake
c.After the TCP 4 way handshake
d.None of the above.
b.Before the TCP 3 way handshake
c.After the TCP 4 way handshake
d.None of the above.
7. When
does the TCP 4 way handshake commence
a.There
is nothing like TCP 4 way handshake.
b.After the 3 way handshake
c.Before the 4 way handshake
d.After data transfer is completed.
b.After the 3 way handshake
c.Before the 4 way handshake
d.After data transfer is completed.
8.
Where is the source port number used in a TCP/IP header.
a.Inside transport layer headers like TCP or UDP
b.Inside IP layer header.
c.Inside application layer headers like FTP, HTTP etc.
d.None of the above.
b.Inside IP layer header.
c.Inside application layer headers like FTP, HTTP etc.
d.None of the above.
8.What TCP MSS Does and How It Works?
The TCP
Maximum Segment Size (MSS) defines the maximum amount of data that a host is
willing to accept in a single TCP/IP datagram. This TCP/IP datagram may be
fragmented at the IP layer. The MSS value is sent as a TCP header option only
in TCP SYN segments. Each side of a TCP connection reports its MSS value to the
other side. Contrary to popular belief, the MSS value is not negotiated between
hosts. The sending host is required to limit the size of data in a single TCP
segment to a value less than or equal to the MSS reported by the receiving
host.
Originally,
MSS meant how big a buffer (greater than or equal to 65496K) was allocated on a
receiving station to be able to store the TCP data contained within a single IP
datagram. MSS was the maximum segment (chunk) of data that the TCP receiver was
willing to accept. This TCP segment could be as large as 64K (the maximum IP
datagram size) and it could be fragmented at the IP layer in order to be
transmitted across the network to the receiving host. The receiving host would
reassemble the IP datagram before it handed the complete TCP segment to the TCP
layer.
Below
are a couple of scenarios showing how MSS values are set and used to limit TCP
segment sizes, and therefore, IP datagram sizes.
Scenario
1 illustrates the way MSS was first implemented. Host A has a buffer of 16K and
Host B a buffer of 8K. They send and receive their MSS values and adjust their
send MSS for sending data to each other. Notice that Host A and Host B will
have to fragment the IP datagrams that are larger than the interface MTU but
still less than the send MSS because the TCP stack could pass 16K or 8K bytes
of data down the stack to IP. In Host B's case, packets could be fragmented
twice, once to get onto the Token Ring LAN and again to get onto the Ethernet
LAN.
Scenario
1
Host A
sends its MSS value of 16K to Host B.
Host B
receives the 16K MSS value from Host A.
Host B
sets its send MSS value to 16K.
Host B
sends its MSS value of 8K to Host A.
Host A
receives the 8K MSS value from Host B.
Host A
sets its send MSS value to 8K.
In order
to assist in avoiding IP fragmentation at the endpoints of the TCP connection,
the selection of the MSS value was changed to the minimum buffer size and the
MTU of the outgoing interface (- 40). MSS numbers are 40 bytes smaller than MTU
numbers because MSS is just the TCP data size, which does not include the 20
byte IP header and the 20 byte TCP header. MSS is based on default header
sizes; the sender stack must subtract the appropriate values for the IP header
and the TCP header depending on what TCP or IP options are being used.
The way
MSS now works is that each host will first compare its outgoing interface MTU
with its own buffer and choose the lowest value as the MSS to send. The hosts
will then compare the MSS size received against their own interface MTU and
again choose the lower of the two values.
Scenario
2 illustrates this additional step taken by the sender to avoid fragmentation
on the local and remote wires. Notice how the MTU of the outgoing interface is
taken into account by each host (before the hosts send each other their MSS
values) and how this helps to avoid fragmentation.
Scenario
2
Host A
compares its MSS buffer (16K) and its MTU (1500 - 40 = 1460) and uses the lower
value as the MSS (1460) to send to Host B.
Host B
receives Host A's send MSS (1460) and compares it to the value of its outbound
interface MTU - 40 (4422).
Host B
sets the lower value (1460) as the MSS for sending IP datagrams to Host A.
Host B
compares its MSS buffer (8K) and its MTU (4462-40 = 4422) and uses 4422 as the
MSS to send to Host A.
Host A
receives Host B's send MSS (4422) and compares it to the value of its outbound
interface MTU -40 (1460).
Host A
sets the lower value (1460) as the MSS for sending IP datagrams to Host B.
1460 is
the value chosen by both hosts as the send MSS for each other. Often the send
MSS value will be the same on each end of a TCP connection.
In
Scenario 2, fragmentation does not occur at the endpoints of a TCP connection
because both outgoing interface MTUs are taken into account by the hosts.
Packets can still become fragmented in the network between Router A and Router
B if they encounter a link with a lower MTU than that of either hosts' outbound
interface.
