The TCP (Transmission Control Protocol) is one of the base protocols of the Internet protocol suite implemented. It came into existance when initial work was being done for IP (Internet Protocol) and with an urge to make UDP more reliable.
TCP provides reliable, ordered, and error-checked delivery of a stream of octets (bytes) between applications running on hosts communicating via an IP network. Most of applications using internet transport data through TCP (i.e www, email, file transfers); hence we commonly see TCP/IP referred together. Most of other protocol also uses TCP as its base (i.e SMTP)
To make a connection more reliable TCP uses three way handshake; open, retransmission and for error detection for single packet. TCP is vulnerable to following attacks
- Denial of Service Attack
- Connection Hijacking (or MIM Attack)
- TCP Veto Attack
- Reset Attack
Wireshark
To intercept and inspect packets, we are going to use WireShark utility. Please install Wireshark and Telnet Client if you already do not have one for OS archtype being used.
Initiate and Capture TCP Traffic
So to capture TCP traffic; we need to initiate one. To do that we are going to use Telnet Client and to capture traffic; we would need WireShark up and running. Follow steps below to capture TCP traffic
- Start WireShark software and Click on Capture tab
- Fire up a terminal window and type
telnet www.google.com 80
. By this we are opening a connection towww.google.com
server using port 80 - Close terminal window (this closes the connection)
- Stop WireShark capture
Inspect TCP SYN Traffic
TCP SYN (Synchronised) is used to initiate and establish a connection between devices. Observe the traffic captured in the top Wireshark packet list pane. To view only TCP traffic related to the web server connection, type tcp.port == 80
in the Search box
- Select the first TCP packet, labeled http [SYN].
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be your default gateway’s MAC address and the source should be your MAC address. You can use
ipconfig /all
to confirm. - Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is your IP address.
- Observe the Destination address. Notice that the destination address is the IP address of one of Google’s web servers.
- Expand Transmission Control Protocol to view TCP details.
- Observe the Source port. Notice that it is a dynamic port selected for this connection.
- Observe the Destination port. Notice that it is http (80).
- Observe the Sequence number. Notice that it is 0 (relative sequence number). To see the actual sequence number, select the Sequence number to highlight the sequence number in the bottom Wireshark bytes pane.
- Expand Flags to view flag details.
- Observe the flag settings. Notice that SYN is set, indicating the first segment in the TCP three-way handshake.
Inspect TCP ACK Traffic
TCP ACK is an acknowledgement from other server to confirm that it has received TCP SYN. Follow below steps to inspect TCP ACK in WireShark
- In the top Wireshark packet list pane, select the second TCP packet, labeled SYN, ACK.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be your MAC address and the source should be your default gateway MAC address.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is the Google web server IP address.
- Observe the Destination address. Notice that the destination address is your IP address.
- Expand Transmission Control Protocol to view TCP details.
- Observe the Source port. Notice that it is http (80).
- Observe the Destination port. Notice that it is the same dynamic port selected for this connection.
- Observe the Sequence number. Notice that it is 0 (relative sequence number). To see the actual sequence number, select Sequence number to highlight the sequence number in the bottom Wireshark bytes pane.
- Observe the Acknowledgement number. Notice that it is 1 (relative ack number). To see the actual acknowledgement number, select Acknowledgement number to highlight the acknowledgement number in the bottom pane. Notice that the actual acknowledgement number is one greater than the sequence number in the previous segment.
- Expand Flags to view flag details.
- Observe the flag settings. Notice that SYN and ACK are set, indicating the second segment in the TCP three-way handshake.
Inspect TCP SYN ACK Traffic
TCP SYN message from local device and ACK of the earlier packet to confirm that it has received earlier packet. Follow below steps to inspect TCP SYN ACK in WireShark
- In the top Wireshark packet list pane, select the third TCP packet, labeled http ACK.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be your default gateway MAC address and the source should be your MAC address.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is your IP address.
- Observe the Destination address. Notice that the destination address is the Google web server IP address.
- Expand Transmission Control Protocol to view TCP details.
- Observe the Source port. Notice that it is the same dynamic port selected for this connection.
- Observe the Destination port. Notice that it is http (80).
- Observe the Sequence number. Notice that it is 1 (relative sequence number). To see the actual sequence number, select Sequence number to highlight the sequence number in the bottom Wireshark bytes pane.
- Observe the Acknowledgement number. Notice that it is 1 (relative ack number). To see the actual acknowledgement number, select Acknowledgement number to highlight the acknowledgement number in the bottom pane.
- Expand Flags to view flag details.
- Observe the flag settings. Notice that ACK is set, indicating the third segment in the TCP three-way handshake. The client has established a TCP connection with the server.
Inspect TCP FIN ACK Traffic
FIN ACK used to terminate a connection. This is last confirmatory packet that closes the connection.
- In the top Wireshark packet list pane, select the fourth TCP packet, labeled http FIN, ACK.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be your default gateway MAC address and the source should be your MAC address.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is your IP address.
- Observe the Destination address. Notice that the destination address is the Google web server IP address.
- Expand Transmission Control Protocol to view TCP details.
- Observe the Source port. Notice that it is the same dynamic port selected for this connection.
- Observe the Destination port. Notice that it is http (80).
- Observe the Sequence number. Notice that it is 1 (relative sequence number).
- Observe the Acknowledgement number. Notice that it is 1 (relative ack number).
- Expand Flags to view flag details.
- Observe the flag settings. Notice that FIN and ACK are set, indicating the first segment in the TCP teardown handshake. The client has indicated it is closing the TCP connection with the server.
Inspect TCP FIN ACK Traffic
FIN ACK used to terminate a connection. This is last confirmatory packet that closes the connection.
- In the top Wireshark packet list pane, select the fifth TCP packet, labeled FIN, ACK.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be your MAC address and the source should be your default gateway MAC address.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is the Google web server IP address.
- Observe the Destination address. Notice that the destination address is your IP address.
- Expand Transmission Control Protocol to view TCP details.
- Observe the Source port. Notice that it is http (80).
- Observe the Destination port. Notice that it is the same dynamic port selected for this connection.
- Observe the Sequence number. Notice that it is 1 (relative sequence number).
- Observe the Acknowledgement number. Notice that it is 2 (relative ack number).
- Expand Flags to view flag details.
- Observe the flag settings. Notice that FIN and ACK are set, indicating the second segment in the TCP three-way handshake. The server has indicated it is closing the TCP connection with the client.
Inspect TCP ACK Traffic
TCP ACK used is acknowledgement packet sent by client to server to confirm acknowledgement for closing connection
- In the top Wireshark packet list pane, select the sixth TCP packet, labeled http ACK.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be your default gateway MAC address and the source should be your MAC address.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is your IP address.
- Observe the Destination address. Notice that the destination address is the Google web server’s IP address.
- Expand Transmission Control Protocol to view TCP details.
- Observe the Source port. Notice that it is the same dynamic port selected for this connection.
- Observe the Destination port. Notice that it is http (PORT 80).
- Observe the Sequence number. Notice that it is 2 (relative sequence number).
- Observe the Acknowledgement number. Notice that it is 2 (relative ack number).
- Expand Flags to view flag details.
- Observe the flag settings. Notice that ACK is set, indicating the third segment in the TCP teardown handshake. The client has acknowledged the server closing the TCP connection.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
About The Author
I am Pankaj Baagwan, a System Design Architect. A Computer Scientist by heart, process enthusiast, and open source author/contributor/writer. Advocates Karma. Love working with cutting edge, fascinating, open source technologies.
To consult Pankaj Bagwan on System Design, Cyber Security and Application Development, SEO and SMO, please reach out at me[at]bagwanpankaj[dot]com
For promotion/advertisement of your services and products on this blog, please reach out at me[at]bagwanpankaj[dot]com
Stay tuned <3. Signing off for RAAM