C.K.B.

Version 0.0.9

Czaku's Knowledge Base

TCP - Transmission Control Protocol

3-way handshake:

1. SYN C -> S Flag: S - sequence 3193676571
2. SYN,ACK C <- S Flag: S,A - sequence: 2635445872, acknowledged sequence: 3193676572 (previous+1)
3. ACK C -> S Flag: A - sequence 3193676572 (previous acknowledged), acknowledged sequence: 2635445873 (previous+1)

Then communication continues with PUSH / ACK segments. PUSH tells the receiver that the data can be passed to the application right away, with no need to wait for other segments.

4. PUSH C -> S Flag: P,A - sequence 3193676572 (previous acknowledged), acknowledged sequence: 2635445873 (previous+1) - the ACK number is the same as in packet 3 because we sent both packet 3 and packet 4, and both acknowledge packet 2.

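5. Single ACK C <- S Flag: A - sequence 2635445873 (previous acknowledged), acknowledged sequence: 3193677036 (sequence of packet 4 + [TCP Segment Len: 464 of packet 4]; data bytes are acknowledged without an extra +1, only SYN and FIN consume a sequence number of their own)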

Graceful finish:

A graceful end to a TCP connection is sometimes called a four-way handshake: each side sends a FIN and the other side replies with an ACK (the first FIN may come from either C or S). The second FIN is often combined with the ACK of the first, so it usually looks like this:

6. FIN C -> S Flag: F,A - Client wants to terminate the connection
7. FIN,ACK C <- S Flag: F,A - Server acknowledges the termination and also wants to terminate it gracefully.
8. ACK C -> S Flag: A - Client confirms termination of the session.
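The sequence/acknowledgment arithmetic of the handshake and the graceful finish above, written as a check a defender can run over a capture (added example, not part of the original page). The tuples are constructed from the raw values in the frames on this page; the function names are hypothetical.

```python
MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

# Constructed from the raw seq/ack values of the frames on this page:
# (frame, sender, flags, seq, ack, payload_len)
HANDSHAKE = [
    (1, "C", "S",  3193676571, 0,          0),
    (2, "S", "SA", 2635445872, 3193676572, 0),
    (3, "C", "A",  3193676572, 2635445873, 0),
    (4, "C", "PA", 3193676572, 2635445873, 464),
    (5, "S", "A",  2635445873, 3193677036, 0),
]
TEARDOWN = [
    (50, "C", "FA", 3193679029, 2635475971, 0),
    (51, "S", "FA", 2635475971, 3193679030, 0),
    (52, "C", "A",  3193679030, 2635475972, 0),
]

def seq_consumed(flags, payload_len):
    """SYN and FIN each occupy one sequence number; a bare ACK occupies none."""
    return payload_len + ("S" in flags) + ("F" in flags)

def check_stream(packets):
    """Return (frame, problem) pairs for segments that do not follow from earlier ones."""
    next_seq = {}   # sender -> next sequence number that sender should use
    problems = []
    for frame, sender, flags, seq, ack, length in packets:
        peer = "S" if sender == "C" else "C"
        if sender in next_seq and seq != next_seq[sender]:
            problems.append((frame, "seq gap, retransmission or reordering"))
        if "A" in flags and peer in next_seq:
            ahead = (ack - next_seq[peer]) % MOD
            if 0 < ahead < 2 ** 31:      # serial-number comparison, wrap-safe
                problems.append((frame, "ACK covers data the peer never sent"))
        next_seq[sender] = (seq + seq_consumed(flags, length)) % MOD
    return problems

if __name__ == "__main__":
    print(check_stream(HANDSHAKE), check_stream(TEARDOWN))
```

An ACK that lags behind the peer's data (delayed ACK) is accepted; only an ACK ahead of what the peer has sent is reported.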

MSS/MTU

During the TCP negotiation the MSS was exchanged (C - 1240, S - 1380) - the routers on the path might adjust this value, if configured to do so (with ip tcp adjust-mss).
Usually the segments should not exceed this value; the TCP segment size is 1228 in this example (see frame 36 below):

9. MTU/MSS C <- S Flag: P,A - TCP segment size is 1228 in this example - less than or equal to the advertised 1240.

TCP Window size

The window size tells how much data we can transmit before the receiver will send an acknowledgment. Typically the TCP connection will start with a small window size and every time when there is a successful acknowledgement, the window size will increase. The window size keeps increasing as long as the receiver sends acknowledgments for all our segments or when the window size hits a certain maximum limit.

Usually in the SYN packet we send our window size, which indicates the size of our buffer - it tells the server that it should not send us more data than fits in that buffer before it hears an ACK from us.

Window scale - it allows the window to exceed 65535 (the limit of the 16-bit window field) by telling the peer how much to multiply it by: a shift count of 6 means 2^6 = 64
TCP Option - Window scale: 6 (multiply by 64) - the maximum window size is then 65535x64
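How the MSS and window-scale options from frames 1 and 2 are read off the wire and applied to later window fields (added example, not part of the original page). The option bytes are constructed here to match the option lists shown in the dissections below; function names are hypothetical.

```python
import struct

# Constructed to match the 24-byte option list of frame 1 and the 20-byte list of frame 2.
CLIENT_SYN_OPTS = (b"\x02\x04" + struct.pack(">H", 1240) + b"\x01" + b"\x03\x03\x06" +
                   b"\x01\x01" + b"\x08\x0a" + struct.pack(">II", 94448755, 0) +
                   b"\x04\x02" + b"\x00\x00")
SERVER_SYN_OPTS = (b"\x02\x04" + struct.pack(">H", 1380) + b"\x04\x02" +
                   b"\x08\x0a" + struct.pack(">II", 2966913045, 94448755) +
                   b"\x01" + b"\x03\x03\x0a")

def parse_tcp_options(raw):
    """Walk the kind/length/value option list of a TCP header."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # End of Option List
            break
        if kind == 1:                       # NOP is a single padding byte
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option truncated before its length byte")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"bad length {length} for option kind {kind}")
        body = raw[i + 2:i + length]
        if kind == 2 and length == 4:
            opts["mss"] = struct.unpack(">H", body)[0]
        elif kind == 3 and length == 3:
            opts["wscale"] = min(body[0], 14)   # RFC 7323: larger shifts are used as 14
        elif kind == 4 and length == 2:
            opts["sack_permitted"] = True
        elif kind == 8 and length == 10:
            opts["tsval"], opts["tsecr"] = struct.unpack(">II", body)
        i += length
    return opts

def scaled_window(window_field, wscale, is_syn):
    """Window in bytes; the field in a segment with SYN set is never scaled."""
    return window_field if is_syn else window_field << wscale

def max_payload(peer_mss, option_bytes):
    """The MSS does not account for TCP options, so they come out of the payload."""
    return peer_mss - option_bytes

if __name__ == "__main__":
    client, server = parse_tcp_options(CLIENT_SYN_OPTS), parse_tcp_options(SERVER_SYN_OPTS)
    print(client, scaled_window(2053, client["wscale"], False))   # frame 3 window
    print(server, scaled_window(66, server["wscale"], False))     # frame 5 window
    print(max_payload(client["mss"], 12))                         # frame 36 payload
```

Each side's shift count applies to the windows that side advertises, which is why the client's fields are multiplied by 64 and the server's by 1024.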

OPEN question: why do we ACK after 9 segments (11052 bytes of data) when the window size was 131072?

Possible answers:
The TCP implementation ACKs every other data packet. So you should see, typically, two data packets received and then an ACK sent. The sender, of course, is not waiting for the ACK anyway. It will continue to transmit until the window is full, even in the absence of an ACK.

The ACK is sent by the OS after the data are successfully put into the sockets read buffer. No application logic is involved here yet.

10. Window C <- S Flag: A

There are three TCP windows used in a TCP connection:

  • Receive Window (RWIN)
  • Send Window (SWIN)
  • Congestion Window (CWIN)

SACK

SACKs allow a receiver to acknowledge non-consecutive data, so that the sender can retransmit only what is missing at the receiver’s end.
Selective acknowledgements can represent gaps in sequence space, so that the sender does not have to retransmit everything after a single loss when the window is very large.

Example:

We have 5 packets: 0-99, 100-199, 200-299, 300-399, 400-499
We can send in the ACK packet:
ACK seq 200, SACK left edge 300, SACK right edge 500
The server knows that 200-299 has gone missing and can retransmit only this segment.
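The SACK example above as code, generalized to several blocks that may be unsorted or overlapping (added example, not part of the original page). It assumes relative sequence numbers without 32-bit wrap-around; the function names are hypothetical.

```python
import struct

def decode_sack_option(opt):
    """Decode a SACK option (kind 5): kind, length, then pairs of 32-bit left/right edges."""
    if len(opt) < 10 or opt[0] != 5 or opt[1] != len(opt) or (len(opt) - 2) % 8:
        raise ValueError("malformed SACK option")
    blocks = list(struct.iter_unpack(">II", opt[2:]))
    if any(left >= right for left, right in blocks):
        raise ValueError("SACK block with left edge not below right edge")
    return blocks

def holes(cum_ack, sack_blocks):
    """Ranges [start, end) below the highest SACKed byte that the receiver is still missing."""
    missing, cursor = [], cum_ack
    for left, right in sorted(sack_blocks):
        if right <= cursor:          # block lies entirely in data already covered
            continue
        if left > cursor:            # gap between covered data and this block
            missing.append((cursor, left))
        cursor = max(cursor, right)
    return missing

if __name__ == "__main__":
    # Constructed option bytes for the page's example: SACK left edge 300, right edge 500.
    option = struct.pack(">BBII", 5, 10, 300, 500)
    print(holes(200, decode_sack_option(option)))
```

The right edge is the sequence number just past the last received byte, so the block 300-500 covers the packets 300-399 and 400-499.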

1 SYN


Frame 1: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)
Ethernet II, Src: Apple_b7:a6:ec (6c:7e:67:b7:a6:ec), Dst: Cisco_e1:a0:68 (2c:54:2d:e1:a0:68)
Internet Protocol Version 4, Src: 10.13.13.122, Dst: 85.128.216.230
Transmission Control Protocol, Src Port: 55330, Dst Port: 80, Seq: 0, Len: 0
    Source Port: 55330
    Destination Port: 80
    [Stream index: 0]
    [Conversation completeness: Complete, WITH_DATA (31)]
    [TCP Segment Len: 0]
    Sequence Number: 0    (relative sequence number)
    Sequence Number (raw): 3193676571
    [Next Sequence Number: 1    (relative sequence number)]
    Acknowledgment Number: 0
    Acknowledgment number (raw): 0
    1011 .... = Header Length: 44 bytes (11)
    Flags: 0x002 (SYN)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Accurate ECN: Not set
        .... 0... .... = Congestion Window Reduced: Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...0 .... = Acknowledgment: Not set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..1. = Syn: Set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ··········S·]
    Window: 65535
    [Calculated window size: 65535]
    Checksum: 0x85ec [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    Options: (24 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), Timestamps, SACK permitted, End of Option List (EOL), End of Option List (EOL)
        TCP Option - Maximum segment size: 1240 bytes
            Kind: Maximum Segment Size (2)
            Length: 4
            MSS Value: 1240 <<< we advertise our MSS
        TCP Option - No-Operation (NOP)
        TCP Option - Window scale: 6 (multiply by 64)
        TCP Option - No-Operation (NOP)
        TCP Option - No-Operation (NOP)
        TCP Option - Timestamps
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 94448755: TSval 94448755, TSecr 0
            Timestamp echo reply: 0
        TCP Option - SACK permitted
        TCP Option - End of Option List (EOL)
        TCP Option - End of Option List (EOL)
    [Timestamps]

2 SYN, ACK


Frame 2: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: Cisco_e1:a0:68 (2c:54:2d:e1:a0:68), Dst: Apple_b7:a6:ec (6c:7e:67:b7:a6:ec)
Internet Protocol Version 4, Src: 85.128.216.230, Dst: 10.13.13.122
Transmission Control Protocol, Src Port: 80, Dst Port: 55330, Seq: 0, Ack: 1, Len: 0
    Source Port: 80
    Destination Port: 55330
    Sequence Number: 0   
    Sequence Number (raw): 2635445872
    Acknowledgment Number: 1   
    Acknowledgment number (raw): 3193676572
    1010 .... = Header Length: 40 bytes (10)
    Flags: 0x012 (SYN, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Accurate ECN: Not set
        .... 0... .... = Congestion Window Reduced: Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..1. = Syn: Set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······A··S·]
    Window: 65535
    Checksum: 0x11dd 
    Urgent Pointer: 0
    Options: (20 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), Window scale
        TCP Option - Maximum segment size: 1380 bytes
            Kind: Maximum Segment Size (2)
            Length: 4
            MSS Value: 1380   <<< other end advertises its MSS
        TCP Option - SACK permitted
        TCP Option - Timestamps
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 2966913045: TSval 2966913045, TSecr 94448755
            Timestamp echo reply: 94448755
        TCP Option - No-Operation (NOP)
        TCP Option - Window scale: 10 (multiply by 1024)

3 ACK


Frame 3: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Apple_b7:a6:ec (6c:7e:67:b7:a6:ec), Dst: Cisco_e1:a0:68 (2c:54:2d:e1:a0:68)
Internet Protocol Version 4, Src: 10.13.13.122, Dst: 85.128.216.230
Transmission Control Protocol, Src Port: 55330, Dst Port: 80, Seq: 1, Ack: 1, Len: 0
    Source Port: 55330
    Destination Port: 80
    [Stream index: 0]
    [Conversation completeness: Complete, WITH_DATA (31)]
    [TCP Segment Len: 0]
    Sequence Number: 1  
    Sequence Number (raw): 3193676572  
    Acknowledgment Number: 1    
    Acknowledgment number (raw): 2635445873
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x010 (ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Accurate ECN: Not set
        .... 0... .... = Congestion Window Reduced: Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set  
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······A····]
    Window: 2053
    [Calculated window size: 131392]
    [Window size scaling factor: 64]
    Checksum: 0x37c5 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        TCP Option - No-Operation (NOP)
        TCP Option - No-Operation (NOP)
        TCP Option - Timestamps
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 94448901: TSval 94448901, TSecr 2966913045
            Timestamp echo reply: 2966913045
    [Timestamps]
    [SEQ/ACK analysis]

4 PUSH


Frame 4: 530 bytes on wire (4240 bits), 530 bytes captured (4240 bits)
Ethernet II, Src: Apple_b7:a6:ec (6c:7e:67:b7:a6:ec), Dst: Cisco_e1:a0:68 (2c:54:2d:e1:a0:68)
Internet Protocol Version 4, Src: 10.13.13.122, Dst: 85.128.216.230
Transmission Control Protocol, Src Port: 55330, Dst Port: 80, Seq: 1, Ack: 1, Len: 464
    Source Port: 55330
    Destination Port: 80
    [Stream index: 0]
    [Conversation completeness: Complete, WITH_DATA (31)]
    [TCP Segment Len: 464]
    Sequence Number: 1    (relative sequence number)
    Sequence Number (raw): 3193676572
    [Next Sequence Number: 465    (relative sequence number)]
    Acknowledgment Number: 1    (relative ack number)
    Acknowledgment number (raw): 2635445873
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Accurate ECN: Not set
        .... 0... .... = Congestion Window Reduced: Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window: 2053
    [Calculated window size: 131392]
    [Window size scaling factor: 64]
    Checksum: 0x3d95 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
    [Timestamps]
    [SEQ/ACK analysis]
    TCP payload (464 bytes)
Hypertext Transfer Protocol

5 Single ACK


Frame 5: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Cisco_e1:a0:68 (2c:54:2d:e1:a0:68), Dst: Apple_b7:a6:ec (6c:7e:67:b7:a6:ec)
Internet Protocol Version 4, Src: 85.128.216.230, Dst: 10.13.13.122
Transmission Control Protocol, Src Port: 80, Dst Port: 55330, Seq: 1, Ack: 465, Len: 0
    Source Port: 80
    Destination Port: 55330
    [Stream index: 0]
    [Conversation completeness: Complete, WITH_DATA (31)]
    [TCP Segment Len: 0]
    Sequence Number: 1    (relative sequence number)
    Sequence Number (raw): 2635445873
    [Next Sequence Number: 1    (relative sequence number)]
    Acknowledgment Number: 465    (relative ack number)
    Acknowledgment number (raw): 3193677036
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x010 (ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Accurate ECN: Not set
        .... 0... .... = Congestion Window Reduced: Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······A····]
    Window: 66
    [Calculated window size: 67584]
    [Window size scaling factor: 1024]
    Checksum: 0x3d26 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
    [Timestamps]
    [SEQ/ACK analysis]

6 FIN



Frame 50: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Apple_b7:a6:ec (6c:7e:67:b7:a6:ec), Dst: Cisco_e1:a0:68 (2c:54:2d:e1:a0:68)
Internet Protocol Version 4, Src: 10.13.13.122, Dst: 85.128.216.230
Transmission Control Protocol, Src Port: 55330, Dst Port: 80, Seq: 2458, Ack: 30099, Len: 0
    Source Port: 55330
    Destination Port: 80
    [Stream index: 0]
    [Conversation completeness: Complete, WITH_DATA (31)]
    [TCP Segment Len: 0]
    Sequence Number: 2458    (relative sequence number)
    Sequence Number (raw): 3193679029
    [Next Sequence Number: 2459    (relative sequence number)]
    Acknowledgment Number: 30099    (relative ack number)
    Acknowledgment number (raw): 2635475971
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x011 (FIN, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Accurate ECN: Not set
        .... 0... .... = Congestion Window Reduced: Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...1 = Fin: Set
        [TCP Flags: ·······A···F]
    Window: 2048
    [Calculated window size: 131072]
    [Window size scaling factor: 64]
    Checksum: 0xa324 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
    [Timestamps]

7 FIN, ACK


Frame 51: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Cisco_e1:a0:68 (2c:54:2d:e1:a0:68), Dst: Apple_b7:a6:ec (6c:7e:67:b7:a6:ec)
Internet Protocol Version 4, Src: 85.128.216.230, Dst: 10.13.13.122
Transmission Control Protocol, Src Port: 80, Dst Port: 55330, Seq: 30099, Ack: 2459, Len: 0
    Source Port: 80
    Destination Port: 55330
    [Stream index: 0]
    [Conversation completeness: Complete, WITH_DATA (31)]
    [TCP Segment Len: 0]
    Sequence Number: 30099    (relative sequence number)
    Sequence Number (raw): 2635475971
    [Next Sequence Number: 30100    (relative sequence number)]
    Acknowledgment Number: 2459    (relative ack number)
    Acknowledgment number (raw): 3193679030
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x011 (FIN, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Accurate ECN: Not set
        .... 0... .... = Congestion Window Reduced: Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...1 = Fin: Set
        [TCP Flags: ·······A···F]
    Window: 71
    [Calculated window size: 72704]
    [Window size scaling factor: 1024]
    Checksum: 0xaa13 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
    [Timestamps]
    [SEQ/ACK analysis]

8 ACK


Frame 52: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Apple_b7:a6:ec (6c:7e:67:b7:a6:ec), Dst: Cisco_e1:a0:68 (2c:54:2d:e1:a0:68)
Internet Protocol Version 4, Src: 10.13.13.122, Dst: 85.128.216.230
Transmission Control Protocol, Src Port: 55330, Dst Port: 80, Seq: 2459, Ack: 30100, Len: 0
    Source Port: 55330
    Destination Port: 80
    [Stream index: 0]
    [Conversation completeness: Complete, WITH_DATA (31)]
    [TCP Segment Len: 0]
    Sequence Number: 2459    (relative sequence number)
    Sequence Number (raw): 3193679030
    [Next Sequence Number: 2459    (relative sequence number)]
    Acknowledgment Number: 30100    (relative ack number)
    Acknowledgment number (raw): 2635475972
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x010 (ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Accurate ECN: Not set
        .... 0... .... = Congestion Window Reduced: Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······A····]
    Window: 2048
    [Calculated window size: 131072]
    [Window size scaling factor: 64]
    Checksum: 0xa239 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
    [Timestamps]
    [SEQ/ACK analysis]

9 MTU/MSS


Frame 36: 1294 bytes on wire (10352 bits), 1294 bytes captured (10352 bits)
Ethernet II, Src: Cisco_e1:a0:68 (2c:54:2d:e1:a0:68), Dst: Apple_b7:a6:ec (6c:7e:67:b7:a6:ec)
Internet Protocol Version 4, Src: 85.128.216.230, Dst: 10.13.13.122
Transmission Control Protocol, Src Port: 80, Dst Port: 55330, Seq: 19835, Ack: 2055, Len: 1228
    Source Port: 80
    Destination Port: 55330
    [Stream index: 0]
    [Conversation completeness: Complete, WITH_DATA (31)]
    [TCP Segment Len: 1228]
    Sequence Number: 19835    (relative sequence number)
    Sequence Number (raw): 2635465707
    [Next Sequence Number: 21063    (relative sequence number)]
    Acknowledgment Number: 2055    (relative ack number)
    Acknowledgment number (raw): 3193678626
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x010 (ACK)
    Window: 70
    [Calculated window size: 71680]
    [Window size scaling factor: 1024]
    Checksum: 0x9a3e [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
    [Timestamps]
    [SEQ/ACK analysis]
    TCP payload (1228 bytes)
    [Reassembled PDU in frame: 44]
    TCP segment data (1228 bytes)

10 Window


The multiplier is taken only from the 3-way handshake.

Frame 25: 1294 bytes on wire (10352 bits), 1294 bytes captured (10352 bits)
Ethernet II, Src: Cisco_e1:a0:68 (2c:54:2d:e1:a0:68), Dst: Apple_b7:a6:ec (6c:7e:67:b7:a6:ec)
Internet Protocol Version 4, Src: 85.128.216.230, Dst: 10.13.13.122
Transmission Control Protocol, Src Port: 80, Dst Port: 55330, Seq: 8783, Ack: 2055, Len: 1228

Frames omitted

Frame 33: 1294 bytes on wire (10352 bits), 1294 bytes captured (10352 bits)
Ethernet II, Src: Cisco_e1:a0:68 (2c:54:2d:e1:a0:68), Dst: Apple_b7:a6:ec (6c:7e:67:b7:a6:ec)
Internet Protocol Version 4, Src: 85.128.216.230, Dst: 10.13.13.122
Transmission Control Protocol, Src Port: 80, Dst Port: 55330, Seq: 18607, Ack: 2055, Len: 1228

We ACK:

Frame 34: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Apple_b7:a6:ec (6c:7e:67:b7:a6:ec), Dst: Cisco_e1:a0:68 (2c:54:2d:e1:a0:68)
Internet Protocol Version 4, Src: 10.13.13.122, Dst: 85.128.216.230
Transmission Control Protocol, Src Port: 55330, Dst Port: 80, Seq: 2055, Ack: 19835, Len: 0
Frame 35: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Apple_b7:a6:ec (6c:7e:67:b7:a6:ec), Dst: Cisco_e1:a0:68 (2c:54:2d:e1:a0:68)
Internet Protocol Version 4, Src: 10.13.13.122, Dst: 85.128.216.230
Transmission Control Protocol, Src Port: 55330, Dst Port: 80, Seq: 2055, Ack: 19835, Len: 0
    Source Port: 55330
    Destination Port: 80
    [Stream index: 0]
    [Conversation completeness: Complete, WITH_DATA (31)]
    [TCP Segment Len: 0]
    Sequence Number: 2055    (relative sequence number)
    Sequence Number (raw): 3193678626
    [Next Sequence Number: 2055    (relative sequence number)]
    Acknowledgment Number: 19835    (relative ack number)
    Acknowledgment number (raw): 2635465707
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x010 (ACK)
    Window: 2048 <<< we are informing about our buffer size
    [Calculated window size: 131072]
    [Window size scaling factor: 64]
    Checksum: 0xdcb5 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        TCP Option - No-Operation (NOP)
        TCP Option - No-Operation (NOP)
        TCP Option - Timestamps
    [Timestamps]
    [SEQ/ACK analysis]

Download tcp.pcap

Last updated on 13 Jun 2024
Published on 13 Jun 2024