
TCP packet format and a summary of real packet-capture data


TCP (Transmission Control Protocol) is a connection-oriented, reliable, byte-stream-based transport-layer communication protocol.

A connection-oriented, reliable protocol is one that confirms with the other side before transmitting data, and only transmits once that confirmation succeeds. Conversely, a protocol that does none of this is a connectionless, unreliable transport protocol (UDP).

It needs stressing that the two protocols cannot be judged as better or worse; it depends on the application scenario. The reason: the guarantees of a connection-oriented, reliable protocol are its strength, but also its weakness, because it fusses over every step, costs time and is less efficient, so it suits transfers where accuracy matters. A connectionless, unreliable protocol does not fuss and is efficient, at the cost of losing data easily, which is acceptable in some settings, such as sending live monitoring video, where continuity beats clarity (when watching video, not stuttering matters more than sharpness).

TCP is a port-to-port connection protocol. Port-to-port works like two friends living in different housing estates sending each other parcels (say, No. 80, Lane 100, Shangda Road): the estate gate number, Lane 100, corresponds to the IP address, but there are many households inside the estate, so you must also give the unit number, 80, to reach the right one; the same holds in the other direction. In other words, a computer is like an estate and is identified by its IP address, while the many applications and services on each computer are identified by a port number. Some port numbers are fixed by convention; others we are entirely free to choose.

Listing port numbers:

C:\Users\admin>netstat -na

活動連線

協議 本地地址 外部地址 狀態
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING

TCP packet structure:

Source port: generated randomly by the sending end. A port is the service interface between the transport layer and the application layer.

Destination port: the port of the service on the receiving end. A port is the service interface between the transport layer and the application layer.

Sequence number: every byte in the data stream sent over a TCP connection is assigned a number. The value of the sequence-number field is the number of the first data byte carried by this segment.

Acknowledgment number: together with the sequence number, this guarantees reliable data transfer; it is the sequence number of the first data byte of the next segment expected from the other side.

Header length: how far the start of the segment's data lies from the start of the TCP segment.

Explanation of the flag bits

Reserved: a reserved field of 6 bits, kept for future use; at present it should be set to 0.

URG: set to 1 for a high-priority packet; the urgent-pointer field is then valid.
ACK: set to 1 when the acknowledgment-number field is valid.
PSH: set to 1 for data carrying the PUSH flag, telling the receiver to hand this segment to the application layer as soon as possible rather than waiting for the buffer to fill.
RST: set to 1 when a serious error has occurred; the TCP connection may need to be re-established. Also used to reject invalid segments and refuse connection requests.
SYN: set to 1 for a connection request or a connection accept; used to establish the connection and synchronise sequence numbers.
FIN: set to 1 when the sender has no more data to send and asks to release the connection.

Window size: the window size controls how much data the other side may send, in bytes. One end of a TCP connection sets its receive window according to its configured buffer space and tells the other side, which uses it as the upper limit of its send window.

Checksum: the range covered by the checksum includes both the header and the data.

Urgent pointer: the urgent pointer gives the sequence number of the last byte of urgent data in this segment.

Options: the TCP header can carry up to 40 bytes of optional information, used to pass additional information to the destination or to align other options.

Payload: this is so that the total header length is a multiple of 4 bytes.

TCP connection establishment (three-way handshake)

Establishing a connection really just means using the meanings defined by the flag bits in a back-and-forth question and answer between the two sides, to finish the preparation before sender and receiver exchange data.

1. Computer C sends computer S a SYN = 1 signal, meaning "I want to synchronise" (equivalent to a connection request).

2. Computer S replies to C with an ACK = 1, SYN = 1 signal, meaning "I agree to synchronise" (equivalent to: your connection request is confirmed; I also want to connect, is that OK?).

3. Computer C sends S an ACK = 1 signal, meaning "I agree too" (I confirm as well).

Note that between two computers there may be many connection confirmations in flight, so which reply pairs with which request? They are matched by the SEQ sequence number (whether SEQ is incremented by 1 or not does not matter for understanding; it is just one pairing-confirmation scheme):

From the above, C asks once and gets one answer; S also asks once and gets one answer;

except that in step 2 S gives its own question and its reply in one go, merging two steps into one.

As in the figure below, the synchronise flag is marked 1, which asks "do I want to synchronise data transfer with you?"; the other flag bits follow the same pattern.

TCP connection teardown (four-way handshake) (whether SEQ is incremented by 1 or not does not matter for understanding; it is just one pairing-confirmation scheme)

1. Computer C sends S a FIN = 1 signal, meaning "I am going offline" (equivalent to a disconnect request).

2. Computer S replies to C with an ACK = 1 signal, meaning "I agree to your going offline" (your disconnect request is confirmed).

3. Computer S then sends C a FIN = 1 signal, meaning "I am going offline too" (equivalent to a disconnect request in return).

4. Computer C sends S an ACK = 1 signal, meaning "I agree too" (I confirm the disconnect as well).

From the above, C asks once and gets one answer; S also asks once and gets one answer;

but unlike connection establishment, S's reply and its own request are done in two separate steps, so there are four steps in total.

It is really the same pattern as establishing a connection, with one small difference: in one case two things are done in a single step, in the other they are done in two.

As in the figure below, the FIN disconnect flag is marked 1, which asks "am I going offline?"; the other flag bits follow the same pattern.

The following is a summary excerpted from external sites:

Summary of key facts about the Transmission Control Protocol

The TCP protocol has shaped the history and development of computer networks for nearly a half a century. TCP can be easily combined with Internet protocol (IP), which also has a long history, and it has many advantages over other alternatives such as UDP and SCTP. The most important features can be summarized as follows:

  • TCP is connection-oriented and enables two-way communication between two endpoints after the three-way handshake.
  • TCP is reliable because the protocol ensures that all data is fully transmitted and can be assembled by the receiver in the correct order.
  • TCP allows data to be sent in individual segments of up to 1,500 bytes (including headers) in size.
  • TCP is positioned at the transport layer (layer 4) of the OSI model.
  • TCP is usually used in conjunction with the Internet Protocol (IP) and is commonly known as the TCP/IP protocol stack.
  • The TCP header has a default size of 20 bytes. Up to 40 bytes of additional options can be added.

Structure of a TCP header

The individual components or fields of the header of the TCP protocol have the following meaning:

Source port (16 bits): Identifies the port number of the sender.

Destination port (16 bits): Identifies the port number of receiver.

Sequence number (32 bits): The sequence number specifies the first byte of attached payload data or is sent when the connection is established or terminated. It is also used for validating and sorting the segments after transmission.

Acknowledgment number (32 bits): This field contains the next sequence number that the sender is expecting. An ACK flag (in the “Flags” field) is a precondition for validity.

Offset (4 bits): The “Offset” field specifies the length of the TCP header in 32-bit words to highlight the starting point of the payload data. This starting point varies from segment to segment due to the variable “Options” field.

Reserved (6 bits): Reserved for future use according to RFC 793 and not yet in use. This field must always be set to 0.

Flags (6 bits): The six possible single bits in the “Flags” field enable various TCP actions for organizing communication and data processing. The following flags are either set or not set for these actions:

  • URG: The "Urgent" flag signals to the TCP application that the payload data must be processed immediately up to the set Urgent pointer (see above).
  • ACK: In combination with the acknowledgment number, the ACK flag acknowledges the receipt of TCP packets. If the flag is not set, the confirmation number is also invalid.
  • PSH: The "Push" flag ensures that a TCP segment is immediately pushed through without first being sent to the buffer of the sender and receiver.
  • RST: If there is an error during transmission, a TCP packet with the RST flag set can be used to reset the connection.
  • SYN: Messages that have SYN flag set represent the first step of the three-way handshake, meaning they initiate the connection.
  • FIN: The "Finish" flag signals to the other party that a sender is ending the transmission.

Window size (16 bits): This field specifies the number of bytes that the sender is willing to receive.

Checksum (16 bits): The Transmission Control Protocol can reliably detect transmission errors. The checksum calculated from the header, the payload data and the pseudo-header is used for this purpose.

Urgent pointer (16 bits): The urgent pointer indicates the position of the first byte after the payload data that is to be processed urgently. As a result, this field is only valid and relevant if the URG flag is set.

Options (0 - 320 bits): Use the Options field if you want to include TCP functions that don’t belong in the general header, for example if you want to define the maximum segment size. The length of the options must always be a multiple of 32, otherwise zero-bit padding is required.
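As an added example (not code from the original post or from the excerpted sites), the following Python decoder works through the header layout given in both the field list above and the Chinese summary earlier: it reads each field at its bit width, uses the Data Offset to locate the options and payload, decodes the six flag bits, and recomputes the checksum over the pseudo-header, header and payload. The sample SYN segment, its ports, and the 192.0.2.x addresses are constructed for illustration.

```python
import socket
import struct

FLAG_NAMES = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")  # bit 0x20 down to 0x01

def parse_tcp_header(segment):
    """Decode the fixed 20-byte header, options and payload of a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum TCP header")
    src, dst, seq, ack, off_flags, window, csum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4        # Data Offset is in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("invalid data offset: header length %d" % header_len)
    bits = off_flags & 0x3F                   # low 6 bits are the flags
    flags = [n for i, n in enumerate(FLAG_NAMES) if bits & (1 << (5 - i))]
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "header_len": header_len, "flags": flags, "window": window,
        "checksum": csum,
        "urgent_ptr": urg if "URG" in flags else None,   # only valid with URG
        "options": segment[20:header_len],               # 0 to 40 bytes
        "payload": segment[header_len:],
    }

def tcp_checksum(src_ip, dst_ip, segment):
    """Internet checksum over IPv4 pseudo-header + TCP header + payload,
    with the Checksum field taken as zero (as a receiver recomputes it)."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(segment)))  # zero, proto 6, length
    data = pseudo + segment[:16] + b"\x00\x00" + segment[18:]
    if len(data) % 2:
        data += b"\x00"                       # pad odd length to whole 16-bit words
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries: one's complement sum
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_sample_syn():
    """Constructed sample: SYN from port 49152 to 443 carrying an MSS option."""
    mss_option = b"\x02\x04\x05\xb4"          # kind=2 (MSS), length=4, MSS=1460
    offset_words = (20 + len(mss_option)) // 4  # 24-byte header -> 6 words
    hdr = struct.pack("!HHIIHHHH", 49152, 443, 1000, 0,
                      (offset_words << 12) | 0x02, 65535, 0, 0) + mss_option
    csum = tcp_checksum("192.0.2.1", "192.0.2.2", hdr)   # documentation addresses
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]

def checksum_ok(src_ip, dst_ip, segment):
    return tcp_checksum(src_ip, dst_ip, segment) == parse_tcp_header(segment)["checksum"]
```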

What is Transmission Control Protocol (TCP)?

TCP (Transmission Control Protocol) is one of the main protocols of the Internet protocol suite.

It lies between the Application and Network Layers, which are used in providing reliable delivery services.

It is a connection-oriented protocol for communications that helps in the exchange of messages between the different devices over a network.


Working of TCP

To make sure that each message reaches its target location intact, the TCP/IP model breaks down the data into small bundles and afterward reassembles the bundles into the original message on the opposite end. Sending the information in little bundles of information makes it simpler to maintain efficiency as opposed to sending everything in one go.

After a particular message is broken down into bundles, these bundles may travel along multiple routes if one route is jammed but the destination remains the same.

We can see that the message is broken down, then reassembled from a different order at the destination.

For example, when a user requests a web page on the internet, somewhere in the world the server processes that request and sends back an HTML page to that user. The server makes use of a protocol called the HTTP Protocol. HTTP then requests the TCP layer to set up the required connection and send the HTML file.

Now, the TCP breaks the data into small packets and forwards it towards the Internet Protocol (IP) layer. The packets are then sent to the destination through different routes.

The TCP layer in the user’s system waits for the transmission to get finished and acknowledges once all packets have been received.

Features of TCP
Some of the most prominent features of Transmission Control Protocol are:

1. Segment Numbering System
TCP keeps track of the segments being transmitted or being received by assigning numbers to each and every single one of them.
A specific Byte Number is assigned to data bytes that are to be transferred while segments are assigned sequence numbers.
Acknowledgment Numbers are assigned to received segments.


2. Flow Control
Flow control limits the rate at which a sender transfers data. This is done to ensure reliable delivery.
The receiver continually hints to the sender how much data can be received (using a sliding window).


3. Error Control
TCP implements an error control mechanism for reliable data transfer.
Error control is byte-oriented.
Segments are checked for error detection.
Error control includes corrupted-segment and lost-segment management, out-of-order segments, duplicate segments, etc.


4. Congestion Control
TCP takes into account the level of congestion in the network.
The congestion level is determined by the amount of data sent by a sender.


Advantages
It is a reliable protocol.
It provides an error-checking mechanism as well as one for recovery.
It gives flow control.
It makes sure that the data reaches the proper destination in the exact order that it was sent.
Open protocol, not owned by any organization or individual.
It assigns an IP address to each computer on the network and a domain name to each site, thus making each device and site distinguishable over the network.


Disadvantages
TCP is made for Wide Area Networks, thus its size can become an issue for small networks with low resources.
TCP runs several layers, so it can slow down the speed of the network.
It is not generic in nature. Meaning, it cannot represent any protocol stack other than the TCP/IP suite. E.g., it cannot work with a Bluetooth connection.
No modifications since their development around 30 years ago.

How exactly do TCP connections work?
TCP allows for transmission of information in both directions. This means that computer systems that communicate over TCP can send and receive data at the same time, similar to a telephone conversation. The protocol uses segments (packets) as the basic units of data transmission. In addition to the payload, segments can also contain control information and are limited to 1,500 bytes. The TCP software in the network protocol stack of the operating system is responsible for establishing and terminating the end-to-end connections as well as transferring data.

The TCP software is controlled by the various network applications, such as web browsers or servers, via specific interfaces. Each connection must always be identified by two clearly defined endpoints (client and server). It doesn’t matter which side assumes the client role and which assumes the server role. All that matters is that the TCP software is provided with a unique, ordered pair consisting of IP address and port (also referred to as "2-tuple" or "socket") for each endpoint.

The three-way handshake: How a TCP connection is established in detail
Prerequisites for establishing a valid TCP connection: Both endpoints must already have a unique IP address (IPv4 or IPv6) and have assigned and enabled the desired port for data transfer. The IP address serves as an identifier, whereas the port allows the operating system to assign connections to the specific client and server applications.

The actual process for establishing a connection with the TCP protocol is as follows:

1. First, the requesting client sends the server a SYN packet or segment (SYN stands for synchronize) with a unique, random number. This number ensures full transmission in the correct order (without duplicates).
2. If the server has received the segment, it agrees to the connection by returning a SYN-ACK packet (ACK stands for acknowledgment) including the client's sequence number plus 1. It also transmits its own sequence number to the client.
3. Finally, the client acknowledges the receipt of the SYN-ACK segment by sending its own ACK packet, which in this case contains the server's sequence number plus 1. At the same time, the client can already begin transferring data to the server.

TCP connection establishment (Three way handshake)

TCP teardown: How a controlled TCP connection termination works
Both sides of a connection can terminate a TCP connection, and even one-sided termination is also possible. This is also known as a half-open connection, whereby the other side is still allowed to transfer data even if one side has already disconnected.

The individual steps of two-way termination (initiated by the client for the sake of simplicity in this example) can be summarized as follows:

1. The client sends a FIN segment to notify the server that it no longer wants to send data. It sends its own sequence number, just as it does when the connection is established.
2. The server acknowledges receipt of the package with an ACK segment that contains the sequence number plus 1.
3. When the server has finished the data transfer, it also sends a FIN packet, to which it adds its sequence number.
4. Now it is the client's turn to send an ACK packet including the sequence number plus 1, which officially terminates the TCP connection for the server.


However, the connection is not immediately terminated for the side that sent the last ACK segment (in our case, the client). Since there is no guarantee that the last packet sent has actually arrived, the client or server will initially remain in time-wait state until the maximum lifetimes of the ACK segment and any new FIN segments (according to RFC 793, two minutes for each segment) have expired.