jzman

Using Wireshark to Analyze and Verify the TCP Protocol

Any skill requires deliberate practice and consistent persistence over time.

Recently, I set aside time to organize and review what I know about TCP, verified it by capturing packets, and analyzed the whole process from TCP connection establishment to connection termination. I believe that after reading this article, those who did not understand it in class before should now have a better grasp of it.

TCP provides a connection-oriented, reliable byte stream service: two TCP applications must establish a TCP connection before exchanging data, and only the two endpoints of that connection can communicate over it. TCP and UDP both run over the same network layer (IP).

When data is sent with TCP, it is divided into blocks of the size that TCP considers most suitable for transmission; this differs from UDP, where the length of the datagram produced by the application is kept unchanged. Such a data block is called a segment. The initial sequence number (ISN) is generated by an algorithm that makes it effectively random, and the sequence number of a segment is the number of the first data byte in that segment. This article introduces the TCP protocol from the following aspects:

  1. TCP protocol data format
  2. How TCP establishes a connection
  3. How TCP terminates a connection
  4. TCP state transition diagram
  5. Wireshark analysis and verification
  6. Why SYN and FIN occupy a sequence number

TCP Data Format

TCP data is encapsulated in IP datagrams, as shown in the following figure:

image

  • Source Port: The port of the data sender.
  • Destination Port: The port of the data receiver.
  • Sequence Number: 32 bits (4 bytes), used to identify the data byte stream sent from the TCP sender to the TCP receiver. Its value is the number of the first data byte in the segment. The sequence number is a 32-bit unsigned integer; when it reaches 2^32 - 1, it wraps around and starts from 0 again.
  • Acknowledgment Number: 32 bits (4 bytes), the number of the next data byte the receiver expects to receive, i.e. the number of the last data byte of the previous segment plus 1.
  • SYN: Flag, used to initiate a TCP connection, set SYN = 1.
  • ACK: Flag, indicates that the acknowledgment number is valid, set ACK = 1.
  • RST: Flag, used to reset the connection, set RST = 1.
  • FIN: Flag, indicates that the sender has completed sending and wants to terminate the connection, set FIN = 1.
  • URG: Flag, indicates that the urgent pointer is valid, set URG = 1.
  • PSH: Flag, indicates that the receiver should pass this data to the application layer as soon as possible, set PSH = 1.
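As an added example (not from the original post), the following script packs and parses the 20-byte fixed TCP header described above with Python's `struct` module, so the field layout can be checked against what Wireshark shows. The port numbers and sequence numbers in the sample segments are constructed values.

```python
import struct
from dataclasses import dataclass

# Flag bits in the low 9 bits of the 16-bit "data offset / flags" word.
FLAG_BITS = {
    "CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
    "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01,
}
HEADER_FMT = "!HHIIHHHH"  # src, dst, seq, ack, offset+flags, window, checksum, urgent


@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int          # 32-bit unsigned: number of the first data byte
    ack: int          # 32-bit unsigned: next byte expected from the peer
    data_offset: int  # header length in 32-bit words (5 = 20 bytes, no options)
    flags: frozenset
    window: int
    checksum: int
    urgent_ptr: int


def parse_tcp_header(segment: bytes) -> TcpHeader:
    """Decode the fixed part of a TCP header from the start of a segment."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    src, dst, seq, ack, off_flags, window, csum, urg = struct.unpack(
        HEADER_FMT, segment[:20])
    data_offset = off_flags >> 12          # upper 4 bits
    flag_word = off_flags & 0x01FF         # lower 9 bits
    flags = frozenset(n for n, bit in FLAG_BITS.items() if flag_word & bit)
    if data_offset < 5 or data_offset * 4 > len(segment):
        raise ValueError("data offset does not fit the segment")
    return TcpHeader(src, dst, seq, ack, data_offset, flags, window, csum, urg)


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Pack a 20-byte header (no options, checksum left at 0)."""
    off_flags = (5 << 12) | sum(FLAG_BITS[f] for f in flags)
    return struct.pack(HEADER_FMT, src_port, dst_port, seq, ack,
                       off_flags, window, 0, 0)


# Constructed sample: client SYN with seq = x = 1000, then the server's
# SYN/ACK with seq = y = 5000 and ack = x + 1.
SYN_SEGMENT = build_tcp_header(51234, 80, 1000, 0, {"SYN"})
SYN_ACK_SEGMENT = build_tcp_header(80, 51234, 5000, 1001, {"SYN", "ACK"})
```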

How TCP Establishes a Connection

The source port number and destination port number in the TCP segment identify the application processes of the sender and receiver. Combined with the source IP address and destination IP address in the IP header, they uniquely identify a TCP connection between the client and server; this is what makes communication between the two possible and is the basis for establishing a TCP connection.

In addition, note that the initial sequence number (ISN) used by each side is generated by an algorithm that makes it effectively random, so the two sides start from different values. Why the SYN flag consumes a sequence number is analyzed later in this article.

The process of establishing a TCP connection through three-way handshake is as follows:

  1. When the client requests a connection, it sends a segment with seq = x and sets the SYN flag to 1, initiating a TCP connection to the server. The server knows that the client is requesting to establish a connection based on SYN = 1.
  2. After receiving the request, the server responds by sending a segment with seq = y, setting the ACK and SYN flags to 1, and setting the acknowledgment number (ack) to the client's sequence number plus 1, i.e., ack = x + 1.
  3. After receiving the response from the server, the client verifies whether the acknowledgment number (ack) is the client's previous segment's sequence number plus 1, i.e., ack = x + 1. If it is correct, the client sends a segment with seq = x + 1, sets the acknowledgment number (ack) to the server's sequence number plus 1, i.e., ack = y + 1. After receiving this segment, the server and client have established a TCP connection and can communicate with each other.

The process of establishing a TCP connection through three-way handshake is illustrated below:

image

It is well known that TCP establishes a connection through three-way handshake. How can we better understand this process?

In fact, the establishment of a TCP connection is a process in which two hosts "call" each other to communicate. Whether it is the client or the server, the process is the same: sending a [SYN] packet to request a connection and waiting for the corresponding host to send an ACK to respond to this request. The entire process consists of two requests and two responses. If both hosts respond correctly, the TCP connection is successfully established. The second handshake can be divided into two steps:

  1. The server sends an ACK segment to respond to the client's request.
  2. The server sends a SYN segment to request a connection from the client.

Both of these steps are directed at the client, so they are merged into a single segment. In this way, the two hosts establish a TCP connection by "calling" each other, and the acknowledgment number in each host's response is the sequence number of the segment just received from the other host plus 1, i.e., ack = seq + 1.

How TCP Terminates a Connection

Before discussing how to terminate a connection, it is necessary to understand the half-closed state of TCP.

TCP allows one end to keep receiving data from the other end even after it has finished sending; this is TCP's half-closed state. For example, when the client has finished transmitting data, it sends the server a segment with the FIN flag set to 1. From then on the client can no longer send data, but it can still receive data from the server. The connection is only terminated once the server in turn sends the client a segment with the FIN flag set to 1. Why the FIN flag also consumes a sequence number is analyzed later in this article.

It is because of TCP's half-closed state that a four-way handshake is required to terminate a connection. Terminating a TCP connection is likewise a process in which the two hosts "call" each other to end the connection: the connection is only completely terminated once each host has responded to the other's request to terminate it.

As mentioned earlier, the second handshake of connection establishment can be split into two steps that are sent as one segment. When terminating a connection, however, the corresponding two steps cannot be combined into one, because of TCP's half-closed state: that state has practical uses, so a four-way handshake is required to completely terminate the TCP connection.

The process of terminating a TCP connection through four-way handshake is as follows:

  1. After the client completes the sending task, it sends a segment with seq = m, sets the FIN flag to 1, and sets the acknowledgment number (ack) to the server's previous segment's sequence number plus 1, i.e., ack = m + 1, indicating that it wants to terminate the connection.
  2. After receiving the segment from the client requesting to terminate the connection, the server responds by sending a segment with seq = n, setting the ACK flag to 1, and setting the acknowledgment number (ack) to the client's previous segment's sequence number plus 1, i.e., ack = m + 1. If the client correctly receives this segment, it will enter the half-closed state, where it can only receive data from the server but cannot send data to the server.
  3. After the server completes the sending task, it sends a segment with seq = n + 1, sets the FIN flag to 1, and sets the acknowledgment number (ack) to the client's previous segment's sequence number plus 1, i.e., ack = m + 1, indicating that it wants to terminate the connection.
  4. After receiving the segment from the server requesting to terminate the connection, the client responds by sending a segment with seq = m + 1, setting the ACK flag to 1, and setting the acknowledgment number (ack) to the server's previous segment's sequence number plus 1, i.e., ack = n + 1. If the server correctly receives this segment, it will terminate the connection with the client. At this point, the client and server are completely disconnected.

The following is a diagram of TCP connection termination:

image

Wireshark Analysis and Verification

The above can be verified by capturing packets with Wireshark. To verify only the process of TCP connection establishment and termination, select the corresponding network interface, start the capture, and open a few pages in a browser; under normal circumstances the corresponding packets will be captured. Then enter "tcp" in the display filter to show only TCP traffic, pick any segment, right-click it and choose "Follow" -> "TCP Stream" to view the whole TCP connection it belongs to, as shown below:

image

I won't analyze it in detail here. This TCP connection carried no application data, which makes the establishment and termination process easy to follow.

TCP State Transition Diagram

During the process from connection establishment to termination, TCP has a total of 11 states. Here is a TCP state transition diagram:

image

Why SYN and FIN Occupy a Sequence Number

In the analysis above, SYN and FIN each occupy one sequence number. By the definition of the sequence number, this is equivalent to the segment carrying 1 byte of data: the sequence number of the sender's next segment is the sequence number of this segment plus 1.

Take the three-way handshake as an example. Under normal circumstances, when the client sends a segment with SYN = 1 and seq = x to request a connection, the server responds with a segment with ACK = 1 and ack = x + 1. ACK = 1 indicates that the client's connection request has been received, and the acknowledgment number ack = x + 1 indicates that the segment with sequence number x has been received and the next expected sequence number is x + 1. In other words, the server's response acknowledges exactly the segment with sequence number x, which is the client's connection request.

If SYN did not occupy a sequence number, the server would respond to the client's connection request with a segment with ACK = 1 and ack = x. By the definition of the acknowledgment number, ack = x means that the segment with sequence number x - 1 has been received, so the response could not acknowledge the segment carrying the client's connection request. TCP could then not complete the three-way handshake and could not establish a connection.

The same reasoning applies to FIN. Therefore, in the TCP protocol, SYN and FIN each occupy a sequence number. If there are any errors, please correct me.
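The seq/ack rule from this section and from the connection establishment and termination steps above can be checked mechanically. The following is an added example (not from the original post): `expected_ack` counts SYN and FIN as one sequence number each, the way a data byte is counted, and `check_exchange` walks a list of segments (in wire order) and reports every ACK that does not acknowledge the peer's previous segment. The segment lists with x = 1000, y = 5000 are constructed values matching the diagrams in this article.

```python
SEQ_MODULUS = 2 ** 32  # sequence numbers wrap after 2^32 - 1


def seq_consumed(flags, payload_len):
    """How many sequence numbers a segment uses: its data bytes,
    plus one each for SYN and FIN."""
    return payload_len + int("SYN" in flags) + int("FIN" in flags)


def expected_ack(seq, flags, payload_len):
    """The ack the peer must send to acknowledge this segment."""
    return (seq + seq_consumed(flags, payload_len)) % SEQ_MODULUS


def check_exchange(segments):
    """segments: (sender, seq, ack, flags, payload_len) tuples in wire order,
    sender being "client" or "server". Returns a list of problems; an empty
    list means every ACK acknowledges the peer's previous segment."""
    last_expected = {}  # sender -> ack value the peer must reply with
    problems = []
    for i, (sender, seq, ack, flags, plen) in enumerate(segments):
        peer = "server" if sender == "client" else "client"
        if "ACK" in flags:
            if peer not in last_expected:
                problems.append(f"#{i}: {sender} sets ACK but {peer} sent nothing")
            elif ack != last_expected[peer]:
                problems.append(f"#{i}: {sender} ack={ack}, expected "
                                f"{last_expected[peer]}")
        last_expected[sender] = expected_ack(seq, flags, plen)
    return problems


# Constructed three-way handshake: x = 1000 (client), y = 5000 (server).
HANDSHAKE = [
    ("client", 1000, 0,    {"SYN"},        0),
    ("server", 5000, 1001, {"SYN", "ACK"}, 0),
    ("client", 1001, 5001, {"ACK"},        0),
]
# Constructed four-way termination with no data sent: m = 1001, n = 5001.
TEARDOWN = [
    ("client", 1001, 5001, {"FIN", "ACK"}, 0),
    ("server", 5001, 1002, {"ACK"},        0),
    ("server", 5001, 1002, {"FIN", "ACK"}, 0),
    ("client", 1002, 5002, {"ACK"},        0),
]
# The "SYN does not consume a sequence number" case from the text: ack = x.
BROKEN_HANDSHAKE = [
    ("client", 1000, 0,    {"SYN"},        0),
    ("server", 5000, 1000, {"SYN", "ACK"}, 0),
]

if __name__ == "__main__":
    print(check_exchange(HANDSHAKE + TEARDOWN))  # []
    print(check_exchange(BROKEN_HANDSHAKE))      # one problem reported
```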
