TCP 3-way handshake

TCP 3-way handshake log

Example: a browser connecting to a web server

# Sequence number increases by 1
15:05:35.832940 IP client.60201 > server.http: Flags [S], seq 3461336557, win 29200, options [mss 1460,sackOK,TS val 1514187132 ecr 0,nop,wscale 7], length 0
15:05:35.832979 IP server.http > client.60201: Flags [S.], seq 2413143099, ack 3461336558, win 14480, options [mss 1460,sackOK,TS val 1381918275 ecr 1514187132,nop,wscale 7], length 0
15:05:35.833299 IP client.60201 > server.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 1514187132 ecr 1381918275], length 0

# Data
15:05:35.833312 IP client.60201 > server.http: Flags [P.], seq 1:79, ack 1, win 229, options [nop,nop,TS val 1514187132 ecr 1381918275], length 78
15:05:35.833338 IP server.http > client.60201: Flags [.], ack 79, win 114, options [nop,nop,TS val 1381918275 ecr 1514187132], length 0
15:05:35.833920 IP server.http > client.60201: Flags [P.], seq 1:899, ack 79, win 114, options [nop,nop,TS val 1381918275 ecr 1514187132], length 898
15:05:35.834393 IP client.60201 > server.http: Flags [.], ack 899, win 243, options [nop,nop,TS val 1514187133 ecr 1381918275], length 0

# Sequence number increases by 1
15:05:35.834409 IP client.60201 > server.http: Flags [F.], seq 79, ack 899, win 243, options [nop,nop,TS val 1514187133 ecr 1381918275], length 0
15:05:35.834488 IP server.http > client.60201: Flags [F.], seq 899, ack 80, win 114, options [nop,nop,TS val 1381918275 ecr 1514187133], length 0
15:05:35.834761 IP client.60201 > server.http: Flags [.], ack 900, win 243, options [nop,nop,TS val 1514187133 ecr 1381918275], length 0

# type of packet

[S]  - SYN (Start Connection)

[S.] - SYN-ACK

[.]  - ACK

[P]  - PSH (Push Data)

[F]  - FIN (Finish Connection)

[R]  - RST (Reset Connection)

length: TCP payload length (in bytes), not including the headers

remark

TCP

Size of Ethernet frame = 24 Bytes

Size of IPv4 Header (without any options) = 20 bytes

Size of TCP Header (without any options) = 20 Bytes

Total size of empty TCP datagram = 24 + 20 + 20 = 64 bytes

UDP

Size of UDP header = 8 bytes

Total size of empty UDP datagram = 24 + 20 + 8 = 52 bytes

mss N - the maximum segment size (MSS), only seen in a SYN packet  

sackOK – indicates the host permits the use of Selective Acknowledgement, only seen in a SYN packet

TS val N - the sending host’s timestamp

ecr N – the echo reply timestamp value

nop – used to align option headers to 32-bit word boundaries by padding 1 byte with 00000001; may be used more than once if necessary [see RFC 793]

wscale N — window scale and value, only seen in a SYN packet

 


Sequence and Acknowledgment Numbers

 

 * 32-bit
 * when a host initiates a TCP session, its initial Seq is chosen randomly

# Wireshark displays relative sequence numbers

They start at 0 (naturally)

Ack sent to the peer = peer's Seq + peer's len

Next Seq = Ack received from the peer

* A SYN or FIN flag in a received packet triggers an increase of 1 in the sequence (a SYN or FIN carries no payload)
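
Added example (not part of the original notes): a Python checker that replays the capture above and confirms every ack equals the peer's Seq + len, plus 1 for a SYN or FIN. The sample lines are the page's capture with the options field dropped; the names CAPTURE, LINE and check_acks are this example's own.

```python
import re

# The ten tcpdump lines from the capture above, options field dropped for width.
CAPTURE = """\
15:05:35.832940 IP client.60201 > server.http: Flags [S], seq 3461336557, win 29200, length 0
15:05:35.832979 IP server.http > client.60201: Flags [S.], seq 2413143099, ack 3461336558, win 14480, length 0
15:05:35.833299 IP client.60201 > server.http: Flags [.], ack 1, win 229, length 0
15:05:35.833312 IP client.60201 > server.http: Flags [P.], seq 1:79, ack 1, win 229, length 78
15:05:35.833338 IP server.http > client.60201: Flags [.], ack 79, win 114, length 0
15:05:35.833920 IP server.http > client.60201: Flags [P.], seq 1:899, ack 79, win 114, length 898
15:05:35.834393 IP client.60201 > server.http: Flags [.], ack 899, win 243, length 0
15:05:35.834409 IP client.60201 > server.http: Flags [F.], seq 79, ack 899, win 243, length 0
15:05:35.834488 IP server.http > client.60201: Flags [F.], seq 899, ack 80, win 114, length 0
15:05:35.834761 IP client.60201 > server.http: Flags [.], ack 900, win 243, length 0
"""

LINE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[A-Z.]+)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?.*length (?P<len>\d+)")

def check_acks(capture):
    """Return (flags, ack, expected_ack, ok) for every packet that carries an ack."""
    isn = {}       # sender -> absolute initial sequence number, taken from its SYN
    next_seq = {}  # sender -> relative sequence number its peer should ack next
    results = []
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, dst, flags = m["src"], m["dst"], m["flags"]
        seq = int(m["seq"]) if m["seq"] else None
        ack = int(m["ack"]) if m["ack"] else None
        if "S" in flags:
            # tcpdump prints absolute numbers on SYN packets and relative ones afterwards
            isn[src], seq = seq, 0
            if ack is not None:
                ack -= isn.get(dst, 0)
        if ack is not None:
            expected = next_seq.get(dst)
            results.append((flags, ack, expected, ack == expected))
        if seq is not None:
            # SYN and FIN carry no payload but still consume one sequence number
            next_seq[src] = seq + int(m["len"]) + (1 if "S" in flags or "F" in flags else 0)
    return results

if __name__ == "__main__":
    for flags, ack, expected, ok in check_acks(CAPTURE):
        print(f"[{flags}] ack={ack} expected={expected} {'ok' if ok else 'MISMATCH'}")
```

A mismatch in a real capture usually means lost or reordered segments, or a capture that started mid-connection, so treat it as a prompt to look closer.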

 

 


Wireshark Useful Function

 

Statistics > Flow Graph