This is the first blog post of 2021! A shitty year has ended and, like everyone else, I have high hopes for 2021. This year I will try to write more. The first topic I chose to write about is TCP. From now on I will run a series called Zero to Hero. The title is self-explanatory, but the idea is to shred topics into chunks so we can dive deep into them. Before going further, please go and grab a tea or coffee, since this will be a long post, and get ready to take some notes. Note-taking is a key skill for learning, at least for me.
Theory
We must know the theory behind TCP. Why do we need it? Why can't we use UDP instead? What changes once we know the theory? Well, from my side, you will have a better understanding and will be able to ask better questions and analyse TCP-related problems better.
A long time ago in a galaxy far, far away... In May of 1974, two pioneers of the Internet, Vinton Gray Cerf and Bob Kahn, introduced a protocol called TCP, or, as the authors of that paper put it,
“A protocol that supports the sharing of resources that exist
in different packet switching networks is presented. The protocol provides
for variation in individual network packet sizes, transmission failures,
sequencing, flow control, end-to-end error checking, and the creation and
destruction of logical process-to-process connections.”
TCP was created in order to share data between packet switching networks. Its design goals were covering transmission failures, sequencing, flow control, end-to-end error checking and reliability. These attributes also make TCP a widely used Layer 4 protocol.
RFC 793 mentions that the switching network in question was ARPANET. As you may guess, TCP sits at the 3rd layer of the TCP/IP (DoD) model. I used my painting skills and brought you the chart below for a side-by-side comparison of both models. We can call the Transport layer the heart of both models. RFC 793 says that TCP is a reliable host-to-host communication protocol.
So now we know that we need TCP for sharing data between hosts in a reliable way. That's why we couldn't use UDP: it is not reliable.
TCP Header
The drawing below, taken from RFC 793, is an x-ray view of the TCP header. It is the structure we will examine. Note that RFC 793 shows six flag bits next to a 6-bit Reserved field; the CWR, ECE and NS flags described further down were later carved out of those reserved bits.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Acknowledgment Number                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |           |U|A|P|R|S|F|                               |
| Offset| Reserved  |R|C|S|S|Y|I|            Window             |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |         Urgent Pointer        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             data                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Source Port
A 16-bit Source Port field. In theory it may have a value between 1 and 65535. I started from 1 because 0 is reserved and cannot be used. We can say the source port field is also responsible for connection tracking. Remember CGNAT: we differentiate hosts by their source ports.
Destination Port
A 16-bit Destination Port field. Similar to the source port field, it has a range of 1-65535. The destination port is known as the service field: it shows us which service we will use. For example, we use a destination port of 22 for the SSH service, or 80 or 443 for a web service.
Sequence Number
A 32-bit field that tracks the position of this segment's data within the byte stream, which is how each side knows how much data has been sent. With the help of the acknowledgment number it tracks the order of the communication. The relative sequence number generally starts at 0 and, after the 3-way handshake, increases rapidly as data flows. I highly recommend reading this blog post about sequence and acknowledgment numbers.
Acknowledgment Number
A 32-bit field that is responsible for tracking how much data has arrived at the receiver side: it carries the sequence number the receiver expects next.
Data Offset
The RFC explanation of this field may be a little confusing. Basically, on the receiver side it tells the upper layers where the data begins, since it holds the header length in 32-bit words. It is 4 bits. A longer and more detailed explanation of the Data Offset field can be found here.
Reserved
It has no use right now; it is reserved for the "future". It is a 4-bit field.
Flags
It is 9 bits long, since we have 9 flags and every flag is 1 bit.
- NS Flag: Nonce Sum flag. It is an experimental flag.
- ECE Flag: Explicit Congestion Notification Echo. If the endpoints are ECN capable, this flag signals that congestion was detected along the way. More info can be found here.
- CWR Flag: The Congestion Window Reduced flag is used together with the ECE flag: the sending host sets it to let the receiver know that it has received a packet with the ECE flag set.
- URG Flag: The Urgent flag works with the Urgent Pointer. Its job is to inform the receiver side about urgent data. The receiver can then check the urgent pointer to know how much of the data is urgent and needs to be processed earlier. As always, more info can be found here.
- ACK Flag: The Acknowledgment flag. Its duty is to let the other side know that a packet has been received. I acknowledge that. A short example is the 3-way handshake: a SYN is sent, the receiver gets it and sends SYN + ACK, saying "I got your SYN". Finally the sender gets the receiver's SYN + ACK and sends an ACK to notify the receiver: "I got your SYN + ACK".
- PSH Flag: The PUSH flag. It is similar to the URG flag, except the data is not buffered and must be pushed immediately. What I mean is, if the receiver side gets a packet with the PSH flag set, the data must be handed directly to the application instead of being buffered first.
- RST Flag: The Reset flag is used for resetting a TCP connection.
- SYN Flag: It initiates a TCP connection: the first segment is sent with the Synchronisation flag set to 1.
- FIN Flag: Since TCP is a full-duplex protocol, this flag can be sent by both sides. Unlike the RST flag, this flag closes the connection gracefully.
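To make the flag bits and the handshake described above concrete, here is an added Python illustration; it is not code from the original post. It packs and unpacks the nine flag bits of the 16-bit offset/reserved/flags word, walks a three-way handshake with constructed initial sequence numbers, shows the Wireshark-style relative numbering mentioned under Sequence Number, and includes the receiver-side check that an ACK must acknowledge exactly the next sequence number we expect. The Segment helper, the function names and the ISN values are my own assumptions for the example.

```python
"""Flags, sequence and acknowledgment numbers through a three-way handshake.
Added illustration, not code from the original post. The initial sequence
numbers used below are constructed sample values, not taken from a capture."""

from dataclasses import dataclass

# Bit position of each flag inside the 16-bit offset/reserved/flags word:
# FIN..URG from RFC 793, ECE and CWR from RFC 3168, NS from RFC 3540.
FLAG_BITS = {"FIN": 0, "SYN": 1, "RST": 2, "PSH": 3, "ACK": 4,
             "URG": 5, "ECE": 6, "CWR": 7, "NS": 8}


def flags_to_word(names):
    """Pack flag names into the low 9 bits of the flags word."""
    word = 0
    for name in names:
        word |= 1 << FLAG_BITS[name]
    return word


def word_to_flags(word):
    """Decode the 9 flag bits back into a sorted list of names."""
    return sorted(name for name, bit in FLAG_BITS.items() if word >> bit & 1)


@dataclass
class Segment:
    from_client: bool   # direction: True for client -> server
    flags: int          # 9-bit flags word
    seq: int            # absolute sequence number
    ack: int            # only meaningful when the ACK flag is set


def three_way_handshake(client_isn, server_isn):
    """The three segments for the given initial sequence numbers (ISNs).
    A SYN consumes one sequence number although it carries no data, so each
    side acknowledges the peer's ISN + 1 and its own next seq is ISN + 1."""
    syn = Segment(True, flags_to_word({"SYN"}), client_isn, 0)
    syn_ack = Segment(False, flags_to_word({"SYN", "ACK"}), server_isn, client_isn + 1)
    ack = Segment(True, flags_to_word({"ACK"}), client_isn + 1, server_isn + 1)
    return [syn, syn_ack, ack]


def relative_view(segments, client_isn, server_isn):
    """Wireshark-style relative numbers: subtract the sender's ISN from seq and
    the peer's ISN from ack, so the handshake reads (0,0), (0,1), (1,1)."""
    out = []
    for s in segments:
        own, peer = (client_isn, server_isn) if s.from_client else (server_isn, client_isn)
        rel_ack = s.ack - peer if s.flags >> FLAG_BITS["ACK"] & 1 else 0
        out.append((s.seq - own, rel_ack))
    return out


def ack_acceptable(segment, next_seq_to_send):
    """Receiver-side check: the reply must carry the ACK flag and acknowledge
    exactly the sequence number we will send next (our ISN + 1 after a SYN);
    anything else is not a valid acknowledgment of what we sent."""
    has_ack = segment.flags >> FLAG_BITS["ACK"] & 1
    return bool(has_ack) and segment.ack == next_seq_to_send


if __name__ == "__main__":
    client_isn, server_isn = 1000, 5000          # constructed sample ISNs
    segs = three_way_handshake(client_isn, server_isn)
    for s, rel in zip(segs, relative_view(segs, client_isn, server_isn)):
        who = "client->server" if s.from_client else "server->client"
        print(who, word_to_flags(s.flags), "seq/ack", (s.seq, s.ack), "relative", rel)
```

Run it directly to see the three segments side by side in absolute and relative numbering; the same relative_view logic is what makes a capture show seq=0/ack=1 on the SYN+ACK even though the real numbers are 32-bit values.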
Window
This field notifies the sender how much data the receiver is willing to receive. It is a 16-bit field.
Checksum
It is a 16-bit field. Its job is to make sure that the sent data and the received data match, i.e. that the segment arrived error-free.
Urgent Pointer
As I already said under the URG flag, its job is to point at the sequence position of the urgent data. It is also a 16-bit field.
Options
This field is 0-352 bits long, depending on the options used. There are more than 30 options that can be used. The full list, with the corresponding RFCs, can be found here. The most used ones are:
- SACK – Selective ACK
- NOP – No-Operation
- MSS – Maximum Segment Size
- Timestamps
Padding
It pads the options with zeros so that the header ends on a 32-bit boundary, which is where the data begins. It has a variable length between 0 and 32 bits.
Data
The data payload of the segment.
+---------------------+-------------+
| Field               | Size (bits) |
+---------------------+-------------+
| Source Port         | 16          |
| Destination Port    | 16          |
| Sequence Number     | 32          |
| Acknowledgement Num | 32          |
| Data Offset         | 4           |
| Reserved            | 4           |
| CWR flag            | 1           |
| ECE flag            | 1           |
| URG flag            | 1           |
| ACK flag            | 1           |
| PSH flag            | 1           |
| RST flag            | 1           |
| SYN flag            | 1           |
| FIN flag            | 1           |
| NS flag             | 1           |
| Window              | 16          |
| Checksum            | 16          |
| Urgent Pointer      | 16          |
| Options             | 0(-352)     |
+---------------------+-------------+
A summary of the fields and their corresponding bits.
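As an added example (not code from the original post or from any RFC), the following Python decoder puts the whole table to work: it unpacks every fixed field with struct, derives the header length from Data Offset, decodes the nine flag bits, walks the Options area (MSS, NOP, window scale, SACK-permitted, SACK, timestamps, EOL) while rejecting malformed option lengths, and verifies the Checksum over the IPv4 pseudo-header. It assumes the bit layout in which NS occupies the ninth flag bit and three reserved bits remain. The sample SYN, its addresses and ports are constructed inline; build_syn, parse_tcp and parse_options are names I chose for the example.

```python
# TCP header decoder: RFC 793 fields, ECE/CWR/NS flag bits (RFC 3168/3540)
# and the common options. Added example, not code from the original post;
# the sample segment below is constructed, not taken from a capture.
import struct

FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]
# Option kinds from the IANA TCP Option Kind registry.
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_PERM, OPT_SACK, OPT_TS = 0, 1, 2, 3, 4, 5, 8


def checksum(data):
    """Internet checksum (RFC 1071): complemented one's-complement sum of
    16-bit words. Computed over a segment that already carries a correct
    checksum, it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header the TCP checksum also covers: addresses, zero byte,
    protocol 6 and TCP length (header plus data)."""
    return struct.pack("!4s4sBBH", src_ip, dst_ip, 0, 6, tcp_len)


def parse_options(raw):
    """Walk the options area and return (name, value) pairs. EOL ends the walk
    (zero padding bytes therefore read as EOL), NOP has no length byte, and
    every other option is kind/length/value with the length counting itself."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            opts.append(("EOL", None))
            break
        if kind == OPT_NOP:
            opts.append(("NOP", None))
            i += 1
            continue
        # Length byte must exist, be at least 2 and stay inside the header.
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed option length at offset %d" % i)
        length = raw[i + 1]
        body = raw[i + 2:i + length]
        if kind == OPT_MSS and length == 4:
            opts.append(("MSS", struct.unpack("!H", body)[0]))
        elif kind == OPT_WSCALE and length == 3:
            opts.append(("WSCALE", body[0]))
        elif kind == OPT_SACK_PERM and length == 2:
            opts.append(("SACK_PERM", None))
        elif kind == OPT_SACK and len(body) % 8 == 0:
            edges = struct.unpack("!%dI" % (len(body) // 4), body)
            opts.append(("SACK", list(zip(edges[::2], edges[1::2]))))
        elif kind == OPT_TS and length == 10:
            opts.append(("TS", struct.unpack("!II", body)))
        else:
            opts.append(("UNKNOWN_%d" % kind, body))
        i += length
    return opts


def parse_tcp(segment, src_ip=None, dst_ip=None):
    """Decode the fixed 20-byte header, the options and the payload. When the
    IPv4 addresses are given, verify the checksum over the pseudo-header."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = off_flags >> 12           # header length in 32-bit words
    header_len = data_offset * 4            # valid range 20..60 bytes
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset %d" % data_offset)
    flag_word = off_flags & 0x01FF          # low 9 bits; NS is bit 8
    fields = {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "data_offset": data_offset, "header_len": header_len,
        "reserved": (off_flags >> 9) & 0x7,
        "flags": [n for i, n in enumerate(FLAG_NAMES) if flag_word >> i & 1],
        "window": window, "checksum": csum, "urgent_pointer": urg,
        "options": parse_options(segment[20:header_len]),
        "payload": segment[header_len:],
    }
    if src_ip is not None and dst_ip is not None:
        covered = pseudo_header(src_ip, dst_ip, len(segment)) + segment
        fields["checksum_ok"] = checksum(covered) == 0
    return fields


def build_syn(src_ip, dst_ip, sport, dport, isn, mss=1460):
    """Constructed sample: a SYN with MSS, NOP, window-scale and SACK-permitted
    options, zero-padded to a 32-bit boundary, carrying a valid checksum."""
    options = (struct.pack("!BBH", OPT_MSS, 4, mss) + bytes([OPT_NOP])
               + struct.pack("!BBB", OPT_WSCALE, 3, 7)
               + struct.pack("!BB", OPT_SACK_PERM, 2))
    options += b"\x00" * (-len(options) % 4)                 # padding
    off_flags = ((20 + len(options)) // 4) << 12 | 0x0002    # SYN bit set
    hdr = struct.pack("!HHIIHHHH", sport, dport, isn, 0, off_flags,
                      65535, 0, 0) + options
    csum = checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]    # fill checksum field
```

To use it on a real capture, pass the TCP bytes that follow the IPv4 header, together with the 4-byte source and destination address fields from that header, and parse_tcp will report checksum_ok alongside the decoded fields. Note that on a capture taken on the sending host, checksum offload often leaves the field unfilled, so a "bad" checksum there is usually an artifact rather than corruption.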
Since we have completed the theory, we will move on to practice: analysing packet captures and seeing those fields on the job.
Thank you for reading this far; if you want to add or say something, please comment below.