Hello TCP!

Danesh Raj
7 min readFeb 7, 2022

for Network Engineers

Personally, I completed this research on TCP/IP because I had an interview with an established security player… sadly I failed the security questions, as my knowledge in it is very low.

However, I did learn a lot about TCP/IP thanks to my preparation.

The Basics
Transmission Control Protocol/Internet Protocol (TCP/IP) is a model and suite of communication protocols used to interconnect network devices on the internet or within a network.

It can be seen as a whole suite made up of the TCP and IP protocols, which are sets of rules and procedures that function as an abstraction layer between internet applications and the routing and switching fabric. It also dictates the way data is sent and received.

Usually a TCP header is included in the data portion of each packet that uses TCP/IP. Before transmitting data, TCP opens a connection with the recipient, and once transmission begins it ensures all packets arrive in order. The recipient acknowledges each packet that arrives; packets whose receipt is not acknowledged are sent again.

TCP is designed for reliability, not speed. Because TCP has to make sure all packets arrive in order, loading data via TCP/IP can take longer if some packets are missing.

Based on the table above, the process is as follows: applications generate data at Layer 7, and the device/host sends the data down the OSI model. As the data moves down the OSI model, it is encapsulated or modified as needed. At Layer 3, the device/host decides whether the data is destined for another application on the same device, in which case it starts moving the data back up the stack; if the data needs to go to a different device, the device/host continues processing down the OSI model toward Layer 1. Layer 1 is responsible for transmitting the information onto the media (for example cable, fiber, or radio waves). On the receiving side, data starts at Layer 1, moves to Layer 2, and so on, until it has moved all the way up to Layer 7 and on to the receiving application.

TCP Window

Why should you care about TCP windowing? Because it drives the speed of data transfers and hence the experience of your users accessing the applications.

The TCP receive window can be scaled up by a multiplier; the specific function is called TCP Window Scaling. When advertising its window, a client or server also advertises the scale factor (multiplier) that will be used for the life of the connection.

The example above shows the sender of this packet advertising a TCP Window of 63,792 bytes with a scaling factor of four. This means that the true window size is 63,792 x 4 (255,168 bytes).

It is important to know that when using window scaling, both sides of the connection must advertise this capability during the handshake. If either side cannot support scaling, neither will use it. The scale factor, or multiplier, is only sent in the SYN packets during the handshake and is then used for the life of the connection. This is one reason it is so important to capture the handshake when performing TCP analysis.
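To make the handshake point concrete, here is an added example (not code from the article) that builds a constructed SYN segment carrying a Window Scale option, parses the header, and computes the true window from the 16-bit window field and the shift learned in the handshake. It also decodes the flag bits that the TCP Flags section walks through later. Port numbers, sequence numbers and option bytes are constructed sample values.

```python
import struct

# Flag bits in the TCP header's data-offset/flags word (RFC 793 layout)
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def build_segment(sport, dport, seq, ack, flags, window, options=b""):
    """Construct a TCP header with the given options (checksum zeroed; constructed data)."""
    options += b"\x00" * (-len(options) % 4)            # pad options to a 32-bit boundary
    off_flags = (((20 + len(options)) // 4) << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0) + options

def parse_tcp_header(segment: bytes) -> dict:
    """Parse the fixed header and walk the options; wscale is None if no Window Scale option."""
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4
    flags = [name for name, bit in FLAGS.items() if off_flags & bit]
    options, wscale, i = segment[20:header_len], None, 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                   # End of Option List
            break
        if kind == 1:                   # NOP: one-byte padding
            i += 1
            continue
        length = options[i + 1]
        if kind == 3 and length == 3:   # Window Scale: shift count, only legal in SYN segments
            wscale = options[i + 2]
        i += length                     # skip MSS, SACK-permitted, timestamps, etc.
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window, "wscale": wscale}

def effective_window(window: int, shift: int) -> int:
    """True receive window = advertised 16-bit window << shift learned in the handshake."""
    return window << shift

if __name__ == "__main__":
    # Constructed SYN: MSS 1460 plus a Window Scale option with shift 2 (multiplier 4)
    syn = build_segment(51000, 443, 1000, 0, FLAGS["SYN"], 63792,
                        b"\x02\x04\x05\xb4\x01\x03\x03\x02")
    hs = parse_tcp_header(syn)
    shift = hs["wscale"]
    print(hs["flags"], hs["window"], shift, effective_window(hs["window"], shift))
    # A later data segment carries no Window Scale option: without the captured
    # handshake an analyser cannot know the shift and would under-read the window
    data = build_segment(51000, 443, 1001, 5001, FLAGS["PSH"] | FLAGS["ACK"], 63792)
    later = parse_tcp_header(data)
    print(later["flags"], later["wscale"], effective_window(later["window"], shift))
```

The second segment shows why a capture that misses the SYN leaves the analyser unable to recover the multiplier.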

Zero Window

When a client (or server — but it is usually the client) advertises a zero value for its window size, it indicates that the TCP receive buffer is full and cannot accept any more data. This can be caused by a processor that is stuck or busy with some other task, which lets the TCP receive buffer fill up. Zero Windows can also be caused by a problem within the application, where data is not being retrieved from the TCP buffer.

Example of a TCP Zero Window

A TCP Zero Window from a client will halt the data transmission from the server side, allowing time for the problem station to clear its buffer. When the client begins to digest the data, it will let the server know to resume the data flow by sending a TCP Window Update packet. This will advertise an increased window size and the flow will resume.
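The stall-and-resume behaviour described above, as an added example that is not part of the original article: a toy receiver advertises its free buffer space as the window, the sender honours it and halts on a Zero Window, and the application draining the buffer produces the Window Update that resumes the flow. Buffer size, MSS and transfer size are constructed values; the application-never-reads case models the "problem within the application" cause.

```python
class Receiver:
    """Toy TCP receiver: advertises free buffer space as its window (constructed model)."""
    def __init__(self, buffer_size: int):
        self.buffer_size = buffer_size
        self.buffered = 0          # bytes received but not yet read by the application

    def window(self) -> int:
        return self.buffer_size - self.buffered

    def receive(self, nbytes: int) -> int:
        """Accept a segment; returns the window advertised in the ACK (0 = Zero Window)."""
        if nbytes > self.window():
            raise ValueError("sender violated the advertised window")
        self.buffered += nbytes
        return self.window()

    def app_read(self, nbytes: int) -> int:
        """Application drains the buffer; returns the window a Window Update would carry."""
        self.buffered -= min(nbytes, self.buffered)
        return self.window()

def transfer(total: int, mss: int, rx: Receiver, app_read_size: int) -> list:
    """Send `total` bytes in MSS-sized segments, never exceeding the window; log events."""
    log, sent, win = [], 0, rx.window()
    while sent < total:
        if win == 0:
            log.append("ZERO WINDOW: sender stalls")
            win = rx.app_read(app_read_size)        # application consumes data
            if win == 0:                            # app stuck: buffer never drains
                raise RuntimeError("application never retrieved data from the TCP buffer")
            log.append(f"WINDOW UPDATE: win={win}")
            continue
        size = min(mss, win, total - sent)
        win = rx.receive(size)
        sent += size
        log.append(f"DATA {size}B acked, win={win}")
    return log

if __name__ == "__main__":
    for event in transfer(10000, 1460, Receiver(4000), 4000):
        print(event)
```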

TCP Flags

Purpose: to control how a TCP segment is handled, by allowing the sender or receiver to specify which flags should be set so the segment is processed correctly by the other end.

Types of Flags

1st Flag — Urgent Pointer

This flag is used to identify incoming data as ‘urgent’. Such incoming segments do not have to wait until the previous segments are consumed by the receiving end but are sent directly and processed immediately.

For example, by setting the Urgent Pointer flag to ‘1’ on the segment carrying an abort signal, the remote machine will not wait until all queued data is processed before executing the abort. Instead, it will give that specific segment priority, processing it immediately and stopping all further data processing.

2nd Flag — ACKnowledgement

The ACKnowledgement flag is used to acknowledge the successful receipt of packets. If you run a packet sniffer while transferring data over TCP, you will notice that, in most cases, an ACKnowledgement follows every packet you send or receive. So if you receive a packet from a remote host, your workstation will most probably send one back with the ACK field set to “1”. If the sender requires one ACKnowledgement for every 3 packets sent, the receiving end will send the ACK after the 3rd sequential packet is received. This is also called Windowing.

3rd Flag — PUSH

This particular flag is used quite frequently at the beginning and end of a data transfer, affecting the way the data is handled at both ends. The Push flag is usually set on the last segment of a file to prevent buffer deadlocks. It is also seen when used to send HTTP or other types of requests through a proxy — ensuring the request is handled appropriately and effectively.

When a host sends its data, it is temporarily queued in the TCP buffer, a special area in memory, until the segment has reached a certain size, and is then sent to the receiver. This design keeps the data transfer as efficient as possible: rather than wasting time and bandwidth on many small segments, it combines them into one or more larger ones.

4th Flag — Reset (RST)

The reset flag is used when a segment arrives that is not intended for the current connection. In other words, if you were to send a packet to a host in order to establish a connection, and there was no such service waiting to answer at the remote host, then the host would automatically reject the request and then send a reply with the RST flag set. This indicates that the remote host has reset the connection.

5th Flag — SYNchronisation Flag

The SYN flag is initially sent when establishing the classic 3-way handshake between two hosts:

TCP/IP 3-way Handshake

In the above diagram, Host A needs to download data from Host B using TCP as its transport protocol. The protocol requires the 3-way handshake to take place so a virtual connection can be established by both ends in order to exchange data.

During the 3-way handshake we are able to count a total of 2 SYN flags transmitted, one by each host.

6th Flag — FIN Flag

The FIN flag is used to tear down the virtual connections created using the previous flag (SYN); the FIN flag always appears when the last packets are exchanged on a connection.

It is important to note that when a host sends a FIN flag to close a connection, it may continue to receive data until the remote host has also closed the connection, although this occurs only under certain circumstances. Once the connection is torn down by both sides, the buffers set aside on each end for the connection are released.

A normal teardown procedure is depicted below:

Sequence Number

The endpoint on either side of a TCP session maintains a 32-bit sequence number that it uses to keep track of how much data it has sent. This sequence number is included in each transmitted packet and is echoed back by the opposite host as an acknowledgement number, informing the sending host that the transmitted data was received successfully.
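As an added example (not from the article), the sequence and acknowledgement arithmetic across the whole session covered above: the 3-way handshake, data segments, and the FIN teardown. It shows that SYN and FIN each consume one sequence number, that each acknowledgement names the next byte expected, and that the 32-bit number wraps around. Initial sequence numbers and the payload are constructed values.

```python
MOD = 1 << 32          # sequence numbers are 32-bit and wrap around

def seq_add(seq: int, n: int) -> int:
    return (seq + n) % MOD

def tcp_session(isn_a: int, isn_b: int, payloads: list) -> list:
    """Constructed model of one session: 3-way handshake, data from A to B, FIN teardown.
    Returns (sender, flags, seq, ack, payload_len) tuples in wire order."""
    segs = []
    snd_a, snd_b = isn_a, isn_b        # next sequence number each host will use
    # handshake: a SYN carries no data but still consumes one sequence number
    segs.append(("A", "SYN", snd_a, 0, 0))          # ack field unused: ACK flag not set
    snd_a = seq_add(snd_a, 1)
    segs.append(("B", "SYN,ACK", snd_b, snd_a, 0))  # ack = next byte B expects from A
    snd_b = seq_add(snd_b, 1)
    segs.append(("A", "ACK", snd_a, snd_b, 0))
    # data: seq advances by the bytes carried; B's ack names the next byte it wants
    for data in payloads:
        segs.append(("A", "PSH,ACK", snd_a, snd_b, len(data)))
        snd_a = seq_add(snd_a, len(data))
        segs.append(("B", "ACK", snd_b, snd_a, 0))
    # teardown: each FIN consumes one sequence number, just like SYN
    segs.append(("A", "FIN,ACK", snd_a, snd_b, 0))
    snd_a = seq_add(snd_a, 1)
    segs.append(("B", "ACK", snd_b, snd_a, 0))
    segs.append(("B", "FIN,ACK", snd_b, snd_a, 0))
    snd_b = seq_add(snd_b, 1)
    segs.append(("A", "ACK", snd_a, snd_b, 0))
    return segs

if __name__ == "__main__":
    for s in tcp_session(1000, 5000, [b"GET / HTTP/1.0\r\n\r\n"]):
        print("%s  %-8s seq=%d ack=%d len=%d" % s)
```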
