The “Transmission Control Protocol”. TCP was formalized in September 1981 in RFC 793.
The TCP model
TCP model
- Layer 4: Application (highest)
- Layer 3: Transport
- Layer 2: Internet
- Layer 1: Network interface (lowest)
OSI vs. TCP models
Link to originalComparison of the TCP and OSI models
Roughly, the TCP Model encapsulates the OSI Model.
Link to original+--------------+-------------------+ | OSI LAYER | TCP/IP LAYER | +--------------+-------------------+ | Application | | +--------------+ | | Presentation | Application | +--------------+ | | Session | | +--------------+-------------------+ | Transport | Transport | +--------------+-------------------+ | Network | Internet | +--------------+-------------------+ | Data Link | | +--------------+ Network Interface | | Physical | | +--------------+-------------------+
Packet headers
TCP headers
- Time to Live (TTL) — How long a packet should live on the network before being discarded.
- Source port — A random (unused) port chosen by the sender.
- Destination port — The port on the receiving end, which normally is determined by the application being used.
- Source address — “From” IP address.
- Destination address — “To” IP address.
- Sequence number — A random number that identifies a given connection.
- Acknowledgement number — Starts at the sequence number and then increases by the number of bytes received in the previous packet (or 1 is the previous packet did not include a data segment). Used to ensure that no data is lost, and that packets are reassembled in the right order.
- Checksum — Integrity check.
- Data — The, well, data.
- Flag(s) — How the packet should be handled (SYN, ACK, FIN, RST, etc.).
There’s potentially a lot more detail than this in a TCP packet header, however.
Acknowledgement number
TCP acknowledgement number
The TCP “acknowledgment number” contains the next sequence number that the sender is expecting to receive (so basically senders determine the next sequence number). This is the current sequence number (for the other host) + the number of bytes in the data segment of the packet being sent to that host.
Packets with a zero-length data segment that start or continue a conversation (for example, SYN packets) get their sequence/acknowledgement number incremented by 1. This is called a “ghost byte”.
The acknowledgement number for RST packets is always 0.
The initial SYN packet that starts the three-way handshake should not have an acknowledgement number
Link to originalFlags
Link to originalTCP header flags
Link to original
- URG — Process the current TCP packet immediately. Directs the receiving system to examine the “urgent pointer” field.
- ACK — Acknowledgement. Directs the receiving system to examine the “acknowledgement number” field.
- PSH — Push. Elevate the priority of the packet’s data, but does not otherwise change rules around packet processing.
- RST — Reset. Terminates the connection forcefully.
- SYN — Synchronize. Used during the initial three-way handshake to set a shared (starting) sequence number.
- FIN — Finish. Indicates that the connection may be dropped gracefully.
TCP window size
TCP window size
The TCP “Window” is the maximum number of bits that the sending system expects to receive from a request (it represents the current buffer size for that connection on that system). This is a 2-byte number, such that the maximum (unscaled) window size if 65535 bytes.
Link to original
TCP options
TCP options
TCP “options” are set in the initial handshake (the initiating host will propose in the SYN packet, and the receiving host will reply with what it supports in the SYN/ACK packet). Note that each system sets its own window scale and MSS values (but these value must be set by both hosts in order to be used in a connection).
- Window Scale — Set the multiplier for the window size (see above) as as a power of two, such that a “Window scale” of 7 is a multiplier of 2⁷ = 128. Window scales can be up to 14, which allows (once multiplied with the maximum window size) up to 1 GB of data to be transmitted before an ACK is required. Typically set to 2 for webservers, or to 0 for systems that wish to allow the use of this option in a conversation but don’t support large buffers themselves.
- Maximum Segment Size (MSS) — The maximum data segment size that a system can receive. This is different than the window size, which is the amount of data that a system expects before it gets an ACK (it’s basically that system’s buffer for this connection).
- Selective Acknowledgement (SACK) — Allows for packets to be acknowledged as they are received, rather than at the end of a window. Using SACK allows for dropped packets to be retransmitted sooner, and prevents the retransmission of packets that were properly received after a dropped packet. However, using SACK requires that the transmitting host keep track of what packets were sent in memory, which means that it’s typically not set on resource-constrained systems (IoT, etc.).
- No-Op (NOP) — A “blank” value (01) used to pad out the options field, since header size must be a power of two bytes but (1) each option need to fall on a byte boundary and (2) we may not have enough options to fill out the space requested. How NOPs are used is highly implementation-dependent. NOPs can also be used by middle-boxes (firewalls, routers, etc.) to strip options.
If SACK is used, then acknowledge packet numbers are also placed in the options block.
Differences in how TCP options are responded to for incoming SYN packets or ordered for outgoing SYN/ACK packets are important for fingerprinting operating systems and TCP stacks.
Link to original
The initial round trip time
TCP initial round trip time
The “initial round trip time” (IRTT) is the time taken for the initial SYN packet in the TCP handshake to the final ACK packet in the initial three-way handshake. Most TCP implementations will initially wait for up to 0.5 seconds until retransmitting a packet, but will dynamically adjust this to 3x – 4x the IRTT after the initial handshake. Wireshark will report the IRTT value in the final ACK packet of the three-way handshake.
Link to original