From Wikipedia
TCP is used by most of the applications available on the internet, including the World Wide Web (WWW), e-mail, File Transfer Protocol, Secure Shell, peer-to-peer file sharing, and streaming media applications.
3-Way Handshake
A handshake establishes the rules for communication when a computer sets about communicating with another device. When a computer communicates with a device such as a modem, printer, or network server, it first handshakes with it to establish a connection.
- The client sends a TCP packet to the server with the SYN flag set.
- The server responds to the client's request with the SYN and ACK flags set.
- The client completes the connection by sending a packet with the ACK flag set.
Structure of TCP segment
Transmission Control Protocol accepts data from a data stream, splits it into chunks, and adds a TCP header creating a TCP segment. A TCP segment only carries the sequence number of the first byte in the segment.
A TCP segment consists of a segment header and a data section. The TCP header contains 10 mandatory fields, and an optional extension field.
| Field | Description |
| --- | --- |
| Source Port | The 16-bit source port number; identifies the sending port. |
| Destination Port | The 16-bit destination port number; identifies the receiving port. |
| Sequence Number | The sequence number of the first data byte in this segment. If the SYN control bit is set, the sequence number is the initial sequence number (n) and the first data byte is n+1. |
| Acknowledgment Number | If the ACK control bit is set, this field contains the value of the next sequence number that the receiver is expecting to receive. |
| Data Offset | The number of 32-bit words in the TCP header. It indicates where the data begins. |
| Reserved | Six bits reserved for future use; must be zero. |
| Flags | CWR, ECE, URG, ACK, PSH, RST, SYN, FIN |
| Window | Used in ACK segments. It specifies the number of data bytes, beginning with the one indicated in the acknowledgment number field, that the receiver (the sender of this segment) is willing to accept. |
| Checksum | The 16-bit one’s complement of the one’s complement sum of all 16-bit words in a pseudo-header, the TCP header, and the TCP data. While computing the checksum, the checksum field itself is considered zero. |
| Urgent Pointer | Points to the first data octet following the urgent data. Only significant when the URG control bit is set. |
| Options | Just as with IP datagram options, a TCP option is either a single byte containing the option number, or a variable-length option (option kind, length, and option data). |
| Padding | The TCP header padding is used to ensure that the TCP header ends and the data begins on a 32-bit boundary. The padding is composed of zeros. |
Different Types of TCP Flags
TCP flags are control bits within the TCP header that specify particular connection states or information about how a packet should be handled. The flags field of a TCP segment helps us understand the function and purpose of any packet in the connection.
List of flags
| Flag | Description |
| --- | --- |
| CWR | Congestion Window Reduced (CWR) is set by the sending host to show that it received a TCP segment with the ECE flag set. |
| ECE | ECN-Echo indicates that the TCP peer is ECN capable during the 3-way handshake. |
| URG | Indicates that the urgent pointer field is significant in this segment. |
| ACK | Indicates that the acknowledgment field is significant in this segment. |
| PSH | Push function to transfer data. |
| RST | Resets the connection. |
| SYN | Synchronizes the sequence numbers. |
| FIN | No more data from the sender. |
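To make the two tables above concrete (the ten mandatory header fields, the options/padding rules, the pseudo-header checksum, and the flag bits), here is an added example that builds a TCP segment, computes its checksum, and parses it back. It is not code from the post or from Wireshark. The IP addresses and the option values (MSS, SACK-permitted, timestamps, NOP, window scale, totalling the 20 option bytes seen in the first capture below) are constructed assumptions; only the ports, sequence numbers and window size come from the page.

```python
import socket
import struct

# Flag bits of the 8-bit flags byte, in header order (CWR is the high bit).
TCP_FLAGS = {"CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
             "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


def ones_complement_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum of all 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                      # an odd trailing byte is padded with zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_length: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero byte, protocol 6 (TCP), TCP length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, 6, tcp_length))


def build_tcp_segment(src_ip, dst_ip, sport, dport, seq, ack, flags,
                      window, options=b"", payload=b""):
    """Assemble a TCP segment with a correct checksum.  Options are padded with
    zeros so the header ends on a 32-bit boundary (the 'Padding' field)."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = 5 + len(options) // 4      # header length in 32-bit words
    flag_bits = 0
    for name in flags:
        flag_bits |= TCP_FLAGS[name]
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset << 4, flag_bits, window, 0, 0) + options
    csum = ones_complement_checksum(
        pseudo_header(src_ip, dst_ip, len(header) + len(payload)) + header + payload)
    header = header[:16] + struct.pack("!H", csum) + header[18:]   # bytes 16-17 hold the checksum
    return header + payload


def parse_options(raw: bytes):
    """Split the options area into (kind, data) pairs: kind 0 ends the list,
    kind 1 (NOP) is a single byte, every other option is kind/length/data."""
    out, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            out.append((1, b""))
            i += 1
            continue
        length = raw[i + 1]
        out.append((kind, raw[i + 2:i + length]))
        i += length
    return out


def parse_tcp_segment(segment: bytes) -> dict:
    """Decode the ten mandatory header fields, the names of the flags that are
    set, the options and the payload."""
    (sport, dport, seq, ack, offset_reserved, flag_bits,
     window, csum, urgent) = struct.unpack("!HHIIBBHHH", segment[:20])
    header_len = (offset_reserved >> 4) * 4
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "header_len": header_len,
        "reserved": offset_reserved & 0x0F,
        "flags": [n for n, bit in TCP_FLAGS.items() if flag_bits & bit],
        "window": window, "checksum": csum, "urgent": urgent,
        "options": parse_options(segment[20:header_len]),
        "payload": segment[header_len:],
    }


def checksum_ok(src_ip, dst_ip, segment: bytes) -> bool:
    """Summing the pseudo-header and the whole segment (checksum field included)
    must give 0xFFFF, so the complemented result is zero for an intact segment."""
    return ones_complement_checksum(
        pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


# Constructed SYN matching the first capture on the page (58302 -> 80, seq 0,
# window 29200, 20 bytes of options).  IPs and option values are assumptions.
SYN_OPTIONS = (b"\x02\x04\x05\xb4"          # MSS 1460
               + b"\x04\x02"                # SACK permitted
               + b"\x08\x0a" + bytes(8)     # Timestamps (values zeroed)
               + b"\x01"                    # NOP
               + b"\x03\x03\x07")           # Window scale 7
SYN_SEGMENT = build_tcp_segment("192.0.2.10", "192.0.2.80", 58302, 80, 0, 0,
                                ["SYN"], 29200, SYN_OPTIONS)

if __name__ == "__main__":
    print(parse_tcp_segment(SYN_SEGMENT))
    print("checksum valid:", checksum_ok("192.0.2.10", "192.0.2.80", SYN_SEGMENT))
```

Wireshark reports the checksum of captured packets as "unverified" by default, which is why the captures below show that value; `checksum_ok` is the verification it would perform if enabled, and it needs the IP addresses because of the pseudo-header.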
Analysing TCP Packets Using Wireshark
Having read about the structure of a TCP segment and its fields above, we will now illustrate them with Wireshark. We assume the reader is familiar with the 7 layers of the OSI model, which makes TCP packet analysis clearer.
In the image below you can see that we sniffed the network to capture TCP packets; the capture clearly shows the time, source IP, destination IP, protocol, packet length and info columns.
As mentioned above, if you know the OSI model you can see that Wireshark shows three of its layers: layer 2 (Ethernet), layer 3 (Internet Protocol version 4) and layer 4 (Transmission Control Protocol (TCP)).
Now let's analyse layer 4 and compare the theory above with the image below, in which all fields of the TCP segment are underlined. The TCP packet shows the following information:
Source Port: 58302
Destination Port: 80
Sequence number: 0
Acknowledgment number: 0
Flags: SYN
Window size value: 29200
Checksum: unverified
Urgent Pointer: 0
Options: 20 bytes
The SYN (synchronize) flag is set on the packet that starts a TCP connection, the first step of the 3-way handshake; here both the sequence number and the acknowledgment number are 0.
In the image below the expanded flags field shows that only one flag, SYN, is set between the source port and the destination port; all other flags are unset at this point. A control bit is 1 for a flag that is set in the TCP connection and remains 0 otherwise.
Packets with the SYN flag set are also what SYN floods and SYN scans rely on.
As explained in the 3-way handshake above, the client first sends a request with the SYN flag, after which the server responds with the SYN and ACK flags set. The following information shows the same sequence of packets between client and server; this time the sequence number is 0 and the acknowledgment number is 1.
Source Port: 58302
Destination Port: 80
Sequence number: 0
Acknowledgment number: 1
Flags: SYN, ACK
Window size value: 42408
Checksum: unverified
Urgent Pointer: 0
Options: 12 bytes
In the expanded flags field you can see that this time two flags, SYN and ACK, are set and the rest remain unset (zero), so the control bit is 1 for both flags. This is the second step of the 3-way handshake.
In the following information both the sequence number and the acknowledgment number are 1, and the client completes the connection by sending a packet with the ACK flag set. The TCP connection between client and server is now established.
Source Port: 58302
Destination Port: 80
Sequence number: 1
Acknowledgment number: 1
Flags: ACK
Window size value: 229
Checksum: unverified
Urgent Pointer: 0
Options: 12 bytes
In the image below you can see that the control bit is 1 for the acknowledgment flag; this is the third step required for the 3-way handshake between the source port and the destination port.
Once the 3-way handshake is complete, data can be transferred between client and server; the last image shows a 7th-layer entry for Hypertext Transfer Protocol carrying that data.
Source Port: 58302
Destination Port: 80
Sequence number: 1
Acknowledgment number: 1
Flags: PUSH, ACK
Window size value: 229
Checksum: unverified
Urgent Pointer: 0
Options: 12 bytes
The purpose of the push function and the PSH flag is to move the data forward from the sending user to the receiving user. Buffers are implemented on both sides of a TCP connection so that applications can read from and write to the socket at any time.
Here you can see that the control bit is set to 1 for the PSH and ACK flags; as a result a new layer opens for data transfer between the sender application and the receiver application.
Exploring the data packet reveals HTTP header details such as:
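The four captures above (SYN, SYN/ACK, ACK, then PSH/ACK) are the sequence a defender expects to see for every healthy connection. The following added example, which is not code from the post or from Wireshark, replays those four packets through a small per-flow state machine that checks the seq/ack arithmetic the post describes (each side acknowledges the peer's initial sequence number plus one) and then counts handshakes that never completed per client, which is the pattern a SYN scan or SYN flood leaves in a capture. The packet records are constructed from the values on the page using Wireshark's relative sequence numbers (which is why the initial sequence numbers appear as 0); the endpoint names "client" and "server" are placeholders, since the page shows only the ports.

```python
from collections import Counter

# Constructed from the four packets analysed on the page (relative sequence and
# acknowledgment numbers, as Wireshark displays them).  Endpoint names are
# placeholders; the page shows only ports 58302 and 80.
PAGE_CAPTURE = [
    {"src": "client", "sport": 58302, "dst": "server", "dport": 80, "flags": {"SYN"}, "seq": 0, "ack": 0},
    {"src": "server", "sport": 80, "dst": "client", "dport": 58302, "flags": {"SYN", "ACK"}, "seq": 0, "ack": 1},
    {"src": "client", "sport": 58302, "dst": "server", "dport": 80, "flags": {"ACK"}, "seq": 1, "ack": 1},
    {"src": "client", "sport": 58302, "dst": "server", "dport": 80, "flags": {"PSH", "ACK"}, "seq": 1, "ack": 1},
]


def flow_key(pkt):
    """Direction-independent key so both halves of a connection share one state."""
    return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))


def track_handshakes(packets):
    """Walk segments in capture order and drive a per-flow state machine:
    SYN -> SYN_SENT, SYN+ACK -> SYN_RECEIVED, final ACK -> ESTABLISHED.
    Each step checks that the acknowledgment number equals the peer's initial
    sequence number plus one, as shown in the captures.  Returns {flow_key: state}."""
    flows = {}
    for p in packets:
        key, flags = flow_key(p), p["flags"]
        st = flows.get(key)
        sender = (p["src"], p["sport"])
        if "SYN" in flags and "ACK" not in flags:                 # step 1: SYN
            flows[key] = {"state": "SYN_SENT", "client": sender,
                          "client_isn": p["seq"], "data_segments": 0, "errors": []}
        elif "SYN" in flags and "ACK" in flags:                   # step 2: SYN/ACK
            if st is None or st["state"] != "SYN_SENT":
                continue                     # reply to a SYN we never saw; ignore
            if p["ack"] != st["client_isn"] + 1:
                st["errors"].append("SYN-ACK ack %d != client ISN+1" % p["ack"])
            st["state"], st["server_isn"] = "SYN_RECEIVED", p["seq"]
        elif "RST" in flags and st is not None:                   # either side tore it down
            st["state"] = "RESET"
        elif "ACK" in flags and st is not None and st["state"] == "SYN_RECEIVED":  # step 3: ACK
            if sender != st["client"]:
                st["errors"].append("third packet not sent by the client")
            if p["seq"] != st["client_isn"] + 1 or p["ack"] != st["server_isn"] + 1:
                st["errors"].append("ACK seq/ack do not match the ISNs plus one")
            st["state"] = "ESTABLISHED"
            if "PSH" in flags:
                st["data_segments"] += 1
        elif "ACK" in flags and st is not None and st["state"] == "ESTABLISHED":
            if "PSH" in flags:                                    # data after the handshake
                st["data_segments"] += 1
    return flows


def incomplete_handshakes_by_client(flows):
    """Count flows still in SYN_SENT or SYN_RECEIVED per client address.  Many
    half-open flows from one source is what a SYN scan or SYN flood looks like
    in a capture, so this is the figure a defender would alert on."""
    counts = Counter()
    for st in flows.values():
        if st["state"] in ("SYN_SENT", "SYN_RECEIVED"):
            counts[st["client"][0]] += 1
    return counts


if __name__ == "__main__":
    flows = track_handshakes(PAGE_CAPTURE)
    for key, st in flows.items():
        print(key, st["state"], "data segments:", st["data_segments"], st["errors"])
    print("half-open per client:", dict(incomplete_handshakes_by_client(flows)))
```

Run against the page's four packets the flow ends in ESTABLISHED with no errors and one data segment; feeding it only SYNs with no replies leaves every flow half-open, which is the count worth thresholding in a monitoring script.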
Host: google.com
User-Agent: Mozilla/5.0
Finally, you can see the different types of cookie in the image below.
Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, a social media lover and a gadget enthusiast.
The post Analysing TCP Headers using Wireshark appeared first on Hacking Articles.