TCP Interview Questions

1. Content of TCP header?

  

TCP Header Format

Source port (16 bits) : identifies the sending port.

Destination port (16 bits): identifies the receiving port.

Sequence number (32 bits):Has a dual role:

If the SYN flag is set (1), then this is the initial sequence number. The sequence number of the actual first data byte and the acknowledged number in the corresponding ACK are then this sequence number plus 1.

If the SYN flag is clear (0), then this is the accumulated sequence number of the first data byte of this segment for the current session.

Acknowledgement number (32 bits)

if the ACK flag is set then the value of this field is the next sequence number that the receiver is expecting. This acknowledges receipt of all prior bytes (if any). The first ACK sent by each end acknowledges the other end's initial sequence number itself, but no data.

Data offset (4 bits)

specifies the size of the TCP header in 32-bit words. The minimum size header is 5 words and the maximum is 15 words thus giving the minimum size of 20 bytes and maximum of 60 bytes, allowing for up to 40 bytes of options in the header. This field gets its name from the fact that it is also the offset from the start of the TCP segment to the actual data.

Reserved (3 bits):for future use and should be set to zero

Flags (9 bits) (aka Control bits)

contains 9 1-bit flags

NS (1 bit) – ECN-nonce concealment protection (added to header by RFC 3540).

CWR (1 bit) – Congestion Window Reduced (CWR) flag is set by the sending host to indicate that it received a TCP segment with the ECE flag set and had responded in congestion control mechanism (added to header by RFC 3168).

ECE (1 bit) – ECN-Echo has a dual role, depending on the value of the SYN flag. It indicates:

If the SYN flag is set (1), that the TCP peer is ECN capable.

If the SYN flag is clear (0), that a packet with Congestion Experienced flag in IP header set is received during normal transmission (added to header by RFC 3168).

URG (1 bit) – indicates that the Urgent pointer field is significant

ACK (1 bit) – indicates that the Acknowledgment field is significant. All packets after the initial SYN packet sent by the client should have this flag set.

PSH (1 bit) – Push function. Asks to push the buffered data to the receiving application.

RST (1 bit) – Reset the connection

SYN (1 bit) – Synchronize sequence numbers. Only the first packet sent from each end should have this flag set. Some other flags and fields change meaning based on this flag, and some are only valid for when it is set, and others when it is clear.

FIN (1 bit) – No more data from sender

Window size (16 bits)

the size of the receive window, which specifies the number of window size units (by default, bytes) (beyond the sequence number in the acknowledgment field) that the sender of this segment is currently willing to receive (see Flow control and Window Scaling)

Checksum (16 bits)

The 16-bit checksum field is used for error-checking of the header and data

Urgent pointer (16 bits)

if the URG flag is set, then this 16-bit field is an offset from the sequence number indicating the last urgent data byte

Options (Variable 0–320 bits, divisible by 32)

2.  TCP Three-way handshake, TCP Synchronisation:

Before the sending device and the receiving device start the exchange of data, both devices need to be synchronised. During the TCP initialisation process, the sending device and the receiving device exchange a few control packets for synchronisation purposes. This exchange is known as Three-way handshake.

The Three-way handshake begins with the initiator sending a TCP segment with the SYN control bit flag set.

TCP allows one side to establish a connection. The other side may either accept the connection or refuse it. If we consider this from application layer point of view, the side that is establishing the connection is the client and the side waiting for a connection is the server.

TCP identifies two types of OPEN calls:

Active Open:In an Active Open call a device (client process) using TCP takes the active role and initiates the connection by sending a TCP SYN message to start the connection.

Passive Open: A passive OPEN can specify that the device (server process) is waiting for an active OPEN from a specific client. It does not generate any TCP message segment. The server processes listening for the clients are in Passive Open mode.

TCP Three-way Handshake

Step 1: Device A (Client) sends a TCP segment with SYN = 1, ACK = 0, ISN (Initial Sequence Number) = 2000.

An Initial Sequence Number (ISN) is a random Sequence Number, allocated for the first packet in a new TCP connection.

The Active Open device (Device A) sends a segment with the SYN flag set to 1, ACK flag set to 0 and an Initial Sequence Number 2000 (For Example), which marks the beginning of the sequence numbers for data that device A will transmit. SYN is short for Synchronise. SYN flag announces an attempt to open a connection.

Step 2: Device B (Server) receives Device A's TCP segment and returns a TCP segment with SYN = 1, ACK = 1, ISN = 5000 (Device B's Initial Sequence Number), Acknowledgement Number = 2001 (2000 + 1, the next sequence number Device B expecting from Device A).

Step 3: Device A sends a TCP segment to Device B that acknowledges receipt of Device B's ISN, With flags set as SYN = 0, ACK = 1, Sequence number = 2001, Acknowledgement number = 5001 (5000 + 1, the next sequence number Device A expecting from Device B)

This handshaking technique is referred to as TCP Three-way handshake or SYN, SYN-ACK, ACK.

After the Three-way handshake, the connection is open and the participant computers start sending data using the agreed sequence and acknowledge numbers.

TCP Three-way Handshake - A Real World Example

Let us dissect the process of TCP three-way handshake, using a real world example. I am including the Wireshark screen shots also, to understand the concepts more clearly.

I am sitting at my desk and I need to open Google web page for a search. The URL is https://www.google.com. Protocol used is HTTPS over TCP and Destination TCP Port number is TCP 443. I have entered the URL in my browser and hit the "Enter" key.

Topology and IP addresses for TCP Three-way handshake study are shown below.

Step 1: First step in establishing a reliable TCP connection (using Three-way handshake) between my computer and the Web Server is to send a TCP segment, with SYN flag set to 1, to the Web Server. All other TCP Flags are set to 0. The TCP Segment with SYN Flag set to 1, is informing the Web Server that my computer wants to open a TCP session with the Web Server.

The Initial Sequence Number (ISN) generated by the TCP/IP protocol stack in my computer is 2605483508.

Key values for the TCP Three-Way handshake SYN request (Sent from My Computer to Web Server) are shown in below table.

Step 2: After receiving the SYN request from my computer, the Web Server replied back with a TCP SYN-ACK packet. In a TCP SYN-ACK packet, both SYN and ACK flags are set to 1 and the remaining TCP Flags are set to 0.

The SYN Flag set to 1 is to inform my computer that the Web Server is also willing to open a TCP session with my computer. The ACK Flag set to 1 is to Acknowledge previous TCP SYN reqest.

Initial Sequence Number (ISN) generated by the TCP/IP protocol stack running on the Web server is 877776654. 

The Acknowledgement number 2605483509 is to inform My Computer that the previous data was received successfully. Acknowledgement number points that the next Sequence Number of the TCP segment from my computer to the Web Server should be 2605483509.

Note that the Acknowledgement number is increased by 1 if SYN, ACK or FIN flags are set in a received TCP packet. If the TCP packet is carrying data, the Acknowledgement number is increased according to the size of the data the packet is carrying.

Key values for the TCP Three-Way handshake SYN-ACK message (Sent from Web Server to My Computer) are shown in below table.

Step 3: The final step in establishing a TCP reliable connection using Three-Way handshake is to send back a TCP ACK packet to the Web Server, for the SYN-ACK packet we received in last step.

My Sequence number is 2605483509, as specified as the Acknowledgement number in the previous SYN-ACK packet. My Acknowledgement number to the Web Server is 877776655.

Key values for the TCP Three-Way handshake ACK message (Sent from My Computer to Web Server) are shown in below table.

Once the TCP Three-way handshake ACK message is sent, TCP connection is Established and the computers can now start communicating reliably using TCP.

3. Transmission Control Protocol (TCP) Connection Termination.

When the data transmission is complete and the device want to terminate the connection, the device initiating the termination, places a TCP segment (Segment is the name of the data packet at transport layer, if the protocol is TCP) with the FIN flag set to one. The purpose of FIN bit is to enable TCP to gracefully terminate an established session. The application then enters in a state called the FIN-WAIT state. When at FIN-WAIT state, Device A continues to receive TCP segments from Device B and processes the segments already in the queue, but no additional data is accepted from the application.

TCP Connection Termination

In the example shown above, assume Device A has completed its transmission and indicates this by sending a segment to Device B with the FIN bit set to 1. Device B will acknowledge the segment with an ACK. At this point in time, Device B will no longer accept data from Device A. Device B can continue to accept data from its application to transmit to Device A. If Device B does not have any more data to transmit, it will also terminate the connection by transmitting a segment to Device A with the FIN bit set to 1. Device A will then ACK that segment and terminates the connection.

4. How TCP sliding window work, TCP sliding window, TCP Window

What is a TCP Window:

A TCP window is the amount of unacknowledged data a sender can send on a particular connection before it gets an acknowledgement back from the receiver, that it has received some of the data.

What is TCP windowing?

TCP windowing concept is primarily used to avoid congestion in the traffic. It controls the amount of unacknowledged data a sender can send before it gets an acknowledgement back from the receiver that it has received it.

TCP Sliding Window:

The working of the TCP sliding window mechanism can be explained as below.

The sending device can send all packets within the TCP window size (as specified in the TCP header) without receiving an ACK, and should start a timeout timer for each of them.

The receiving device should acknowledge each packet it received, indicating the sequence number of the last well-received packet. After receiving the ACK from the receiving device, the sending device slides the window to right side.

In this case, the sending device can send up to 5 TCP Segments without receiving an acknowledgement from the receiving device. After receiving the acknowledgement for Segment 1 from the receiving device, the sending device can slide its window one TCP Segment to the right side and the sending device can transmit segment 6 also.

If any TCP Segment lost while its journey to the destination, the receiving device cannot acknowledge the sender. Consider while transmission, all other Segments reached the destination except Segment 3. The receiving device can acknowledge up to Segment 2. At the sending device, a timeout will occur and it will re-transmit the lost Segment 3. Now the receiving device has received all the Segments, since only Segment 3 was lost. Now the receiving device will send the ACK for Segment 5, because it has received all the Segments to Segment 5.

Acknowledgement (ACK) for Segment 5 ensures the sender the receiver has succesfully received all the Segments up to 5.

TCP uses a byte level numbering system for communication. If the sequence number for a TCP segment at any instance was 5000 and the Segment carry 500 bytes, the sequence number for the next Segment will be 5000+500+1. That means TCP segment only carries the sequence number of the first byte in the segment.

The Window size is expressed in number of bytes and is determined by the receiving device when the connection is established and can vary later. You might have noticed when transferring big files from one Windows machine to another, initially the time remaining calculation will show a large value and will come down later.

  

We have four categories in above example.

1) Bytes already sent and acknowledged (upto Byte 20).

2) Bytes sent but not acknowledged (Bytes 21-24).

3) Bytes the receiver is ready to accept (Bytes 25-28).

4) Bytes the receiver is not ready to accept (Byte 29 onwards).

The Send Window is the sum of Bytes sent but not acknowledged and Bytes the receiver is ready to accept (Usable Window).

A visual demo of TCP Sliding Window mechanism can be viewed here.

5. Which device does reassembly and why?

Always end device will do reassembly. Reason is buffer issue and all fragments packets should pass through same router.

6. What is tcp sync attack?

A sender transmits a volume of connections that cannot be completed. This causes the connection queues to fill up, thereby denying service to legitimate TCP users. A TCP SYN attack (also called SYN attack) is a common type of Denial of Service attack.

7.Explain tcp sync flooding.

TCP Intercept is designed to prevent a SYN flooding Denial of Service attack by tracking, optionally intercepting and validating TCP connection requests.  A SYN flooding attack involves flooding a server with a barrage of requests for connection.  However, since these messages have invalid return addresses, the connections can never be established.  The resulting volume of unresolved open connections eventually overwhelms the server and can cause it to deny service to valid requests. TCP Intercept is capable of operating in two different modes - intercept mode and monitor mode.  When used in intercept mode (the default setting), it checks for incoming TCP connection requests and will proxy-answer on behalf of the destination server to ensure that the request is valid before connecting to the server.  In monitor mode, TCP Intercept passively watches the connection requests flowing through, and, if a connection fails to get established in a configurable interval, it will intervene and terminate the connection attempt.

MCQ's

1 .Two users are accessing a Network application simultaneously. Which fields in the TCP/IP header would the server use to distinguish between the connections?

a. Source IP address in the IP header.
b. Destination IP address in the IP header.
c. Source port in the TCP header.
d. Destination port in the TCP header.

2. A web client opens two instances of a website using a browser. Which of the fields would be different for both the connections

a. Source port number.
b. Destination port number.
c. Source IP address
d. Destination IP address.

3. Which of the following fields are used to identify if the packet has to be sent on the same or different network.

a. Destination port number.
b. Subnet Mask.
c. Destination network address.
d. Domain name of the destination.

4. A PC does not have DNS server IP address configured on its adapter. What would happen if the user pings a website on the PC.

a.Response would be received as ping uses ICMP.
b.Response would be received as ping does not use DNS.
c.Response would fail as DNS resolution would fail.
d.None of the above.

5. Which field is used in a TCP/IP header is used to identify the server application.

a.Source port number
b.Destination port number.
c.Socket number.
d.Socket port number.

6. When does data transfer commence in a TCP based communication.

a.After the TCP 3 way handshake
b.Before the TCP 3 way handshake
c.After the TCP 4 way handshake
d.None of the above.

7. When does the TCP 4 way handshake commence

a.There is nothing like TCP 4 way handshake.
b.After the 3 way handshake
c.Before the 4 way handshake
d.After data transfer is completed.

8. Where is the source port number used in a TCP/IP header.

a.Inside transport layer headers like TCP or UDP
b.Inside IP layer header.
c.Inside application layer headers like FTP, HTTP etc.
d.None of the above.

8.What TCP MSS Does and How It Works?

The TCP Maximum Segment Size (MSS) defines the maximum amount of data that a host is willing to accept in a single TCP/IP datagram. This TCP/IP datagram may be fragmented at the IP layer. The MSS value is sent as a TCP header option only in TCP SYN segments. Each side of a TCP connection reports its MSS value to the other side. Contrary to popular belief, the MSS value is not negotiated between hosts. The sending host is required to limit the size of data in a single TCP segment to a value less than or equal to the MSS reported by the receiving host.

Originally, MSS meant how big a buffer (greater than or equal to 65496K) was allocated on a receiving station to be able to store the TCP data contained within a single IP datagram. MSS was the maximum segment (chunk) of data that the TCP receiver was willing to accept. This TCP segment could be as large as 64K (the maximum IP datagram size) and it could be fragmented at the IP layer in order to be transmitted across the network to the receiving host. The receiving host would reassemble the IP datagram before it handed the complete TCP segment to the TCP layer.

Below are a couple of scenarios showing how MSS values are set and used to limit TCP segment sizes, and therefore, IP datagram sizes.

Scenario 1 illustrates the way MSS was first implemented. Host A has a buffer of 16K and Host B a buffer of 8K. They send and receive their MSS values and adjust their send MSS for sending data to each other. Notice that Host A and Host B will have to fragment the IP datagrams that are larger than the interface MTU but still less than the send MSS because the TCP stack could pass 16K or 8K bytes of data down the stack to IP. In Host B's case, packets could be fragmented twice, once to get onto the Token Ring LAN and again to get onto the Ethernet LAN.

Scenario 1

Host A sends its MSS value of 16K to Host B.

Host B receives the 16K MSS value from Host A.

Host B sets its send MSS value to 16K.

Host B sends its MSS value of 8K to Host A.

Host A receives the 8K MSS value from Host B.

Host A sets its send MSS value to 8K.

In order to assist in avoiding IP fragmentation at the endpoints of the TCP connection, the selection of the MSS value was changed to the minimum buffer size and the MTU of the outgoing interface (- 40). MSS numbers are 40 bytes smaller than MTU numbers because MSS is just the TCP data size, which does not include the 20 byte IP header and the 20 byte TCP header. MSS is based on default header sizes; the sender stack must subtract the appropriate values for the IP header and the TCP header depending on what TCP or IP options are being used.

The way MSS now works is that each host will first compare its outgoing interface MTU with its own buffer and choose the lowest value as the MSS to send. The hosts will then compare the MSS size received against their own interface MTU and again choose the lower of the two values.

Scenario 2 illustrates this additional step taken by the sender to avoid fragmentation on the local and remote wires. Notice how the MTU of the outgoing interface is taken into account by each host (before the hosts send each other their MSS values) and how this helps to avoid fragmentation.

Scenario 2

Host A compares its MSS buffer (16K) and its MTU (1500 - 40 = 1460) and uses the lower value as the MSS (1460) to send to Host B.

Host B receives Host A's send MSS (1460) and compares it to the value of its outbound interface MTU - 40 (4422).

Host B sets the lower value (1460) as the MSS for sending IP datagrams to Host A.

Host B compares its MSS buffer (8K) and its MTU (4462-40 = 4422) and uses 4422 as the MSS to send to Host A.

Host A receives Host B's send MSS (4422) and compares it to the value of its outbound interface MTU -40 (1460).

Host A sets the lower value (1460) as the MSS for sending IP datagrams to Host B.

1460 is the value chosen by both hosts as the send MSS for each other. Often the send MSS value will be the same on each end of a TCP connection.

In Scenario 2, fragmentation does not occur at the endpoints of a TCP connection because both outgoing interface MTUs are taken into account by the hosts. Packets can still become fragmented in the network between Router A and Router B if they encounter a link with a lower MTU than that of either hosts' outbound interface.

http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html#topic2