3. TCP SYN Packet with all options
• All options (MSS, Window Scale, No OP, Timestamps, TCP SACK) will be discussed in later slides
4. TCP Sequence Numbering
• The TCP sequence number is a randomly chosen 32-bit value. Wireshark converts it to a relative sequence number to make it easier for us to follow.
• We can track TCP data using sequence numbers.
• Say the 3-way handshake is complete and the client is sending data to the server with a length of 99 bytes and a sequence number of 644.
• Now its next sequence number is 644+99.
• So the next packet will have sequence number 743.
5. TCP Acknowledgement numbers
• When the client sends TCP data with length 'X', the server acknowledges it with acknowledgement number X+1 (in Wireshark's relative numbering, where the first data byte after the handshake has sequence number 1).
• In this way the server acknowledges: I have received X bytes of data.
• Refer to the screenshots. The first screenshot is the client sending data and the second screenshot is the server sending the acknowledgement.
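The relative sequence/acknowledgement bookkeeping from slides 4 and 5, as an added example that is not part of the original deck: absolute numbers are converted to Wireshark-style relative ones and each server ACK is checked against the client's seq + length. The ISNs and segments are constructed sample values.

```python
from dataclasses import dataclass

MOD = 2 ** 32  # sequence numbers are 32-bit and wrap around


@dataclass
class Segment:
    src: str     # "client" or "server"
    seq: int     # absolute sequence number as seen on the wire
    ack: int     # absolute acknowledgement number
    length: int  # TCP payload length in bytes


def relative(seg, isn):
    """Wireshark's view: seq relative to the sender's ISN, ack relative to the peer's ISN."""
    peer = "server" if seg.src == "client" else "client"
    return (seg.seq - isn[seg.src]) % MOD, (seg.ack - isn[peer]) % MOD


def next_seq(rel_seq, length):
    """Sequence number the sender will use for its following segment (seq + length)."""
    return (rel_seq + length) % MOD


def check_stream(segments, isn):
    """Return (relative seq, relative ack, next seq) for each segment and raise
    if a server ACK does not equal the client's next seq, i.e. seq + length."""
    rows, expected_ack = [], None
    for seg in segments:
        rseq, rack = relative(seg, isn)
        nxt = next_seq(rseq, seg.length)
        if seg.src == "client" and seg.length:
            expected_ack = nxt
        elif seg.src == "server" and expected_ack is not None and rack != expected_ack:
            raise ValueError(f"server ACK {rack} != expected {expected_ack}")
        rows.append((rseq, rack, nxt))
    return rows


# Constructed sample: ISNs chosen arbitrarily; the relative values follow the slides.
ISN = {"client": 1_000_000, "server": 2_000_000}
SAMPLE = [
    Segment("client", 1_000_001, 2_000_001, 643),  # rel seq 1, 643 bytes -> next 644
    Segment("server", 2_000_001, 1_000_644, 0),    # ACK = 643 + 1 = 644
    Segment("client", 1_000_644, 2_000_001, 99),   # rel seq 644, 99 bytes -> next 743
    Segment("server", 2_000_001, 1_000_743, 0),    # ACK = 644 + 99 = 743
]

if __name__ == "__main__":
    for row in check_stream(SAMPLE, ISN):
        print(row)
```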
7. TCP Flow Control / Congestion Control
• TCP is a highly guaranteed and reliable packet delivery mechanism.
• Every packet has to be confirmed as received. Though this mechanism is good, it is bandwidth consuming and can congest the network too.
• Also, packets can be dropped when a server is sending at a data rate higher than what the client can process.
• Let's discuss how to tackle all of these in the next slides.
8. TCP Window Size
Let's look at one flow control mechanism.
There is a 2-byte field in the TCP header called Window Size Value.
This is a way of telling the sender: I can receive this many bytes of data without an acknowledgement.
TCP in the later stages will decrement the window size as data is received into the buffer.
Wireshark will mark the last packet the sender can send without an ACK as TCP Window Full.
A TCP window size of zero from the receiver means it can no longer receive data.
9. TCP Sliding Window
• Now that we know what window size is, let's understand the sliding window concept.
• Say the client sent a window size of 10k and the server is ready to send 10 TCP segments of 1000 bytes without receiving an ACK, i.e. segment 1 to segment 10.
• But if in between the client sends ACK2 for segment 2, the server will slide the window and will try to send segment 3 to segment 12 without being acknowledged.
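The window size and sliding window behaviour of slides 8 and 9, as an added example (not code from the deck): a minimal sender model that tracks in-flight bytes against the advertised window, records where Wireshark would flag "TCP Window Full" and "TCP ZeroWindow", and slides forward on a cumulative ACK. The 10k window and 1000-byte segments are the slide's numbers; the class and its method names are this example's own.

```python
class SlidingWindowSender:
    """Sending side only. rwnd: receiver's advertised window; snd_una: oldest
    unacknowledged byte; snd_nxt: next byte to send (relative seq, first byte = 1)."""

    def __init__(self, rwnd, seg_size=1000):
        self.rwnd, self.seg_size = rwnd, seg_size
        self.snd_una = self.snd_nxt = 1
        self.events = []  # what Wireshark would flag: window-full / zero-window

    def in_flight(self):
        return self.snd_nxt - self.snd_una

    def usable_window(self):
        """Bytes that may still be sent without waiting for an ACK."""
        return max(0, self.rwnd - self.in_flight())

    def send_all_possible(self):
        """Send full segments until the window is used up; return (first_seq, last_seq)
        of the segments sent, or None when the window allows nothing."""
        first = self.snd_nxt
        while self.usable_window() >= self.seg_size:
            self.snd_nxt += self.seg_size
        if self.rwnd == 0:
            self.events.append(("TCP ZeroWindow", self.snd_una))
        elif self.in_flight() == self.rwnd:
            # the last segment filled the window: Wireshark marks it "TCP Window Full"
            self.events.append(("TCP Window Full", self.snd_nxt - self.seg_size))
        return None if self.snd_nxt == first else (first, self.snd_nxt - self.seg_size)

    def receive_ack(self, ack, rwnd):
        """Cumulative ACK: bytes below `ack` leave the window, so it slides forward;
        `rwnd` is the window the receiver advertises in the same packet."""
        if ack > self.snd_una:
            self.snd_una = ack
        self.rwnd = rwnd


def segment_number(seq, seg_size=1000):
    """1-based segment index for a relative sequence number, as numbered on the slide."""
    return (seq - 1) // seg_size + 1


if __name__ == "__main__":  # constructed walk-through of the slide
    s = SlidingWindowSender(rwnd=10_000)
    print(s.send_all_possible())  # (1, 9001): segments 1..10 fill the window
    s.receive_ack(2001, 10_000)   # "ACK2": segments 1 and 2 acknowledged
    print(s.send_all_possible())  # (10001, 11001): window slid, segments 11 and 12 go
```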
10. NAGLE'S Algo Rules:
If there is unacknowledged in-flight data, new data is buffered.
If the data to be sent is < MSS, it is buffered until a full MSS is available.
When to send data? The points below are the answers:
Immediately, if a full MSS-sized packet can be sent (at least a complete MSS of data has accumulated).
When all previously sent data has been acknowledged.
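Nagle's rules from this slide written as a decision function plus a small sender state machine, as an added example (not from the deck). It assumes one ACK covers everything in flight, which keeps the model short; the names are this example's own.

```python
def nagle_decide(pending, mss, unacked):
    """Nagle's rule for the sender. pending: bytes queued by the application,
    mss: negotiated maximum segment size, unacked: is any sent data still
    unacknowledged? Returns (bytes_to_send_now, bytes_left_buffered)."""
    if pending >= mss:
        full = (pending // mss) * mss    # every full MSS segment goes out immediately
        return full, pending - full      # a sub-MSS remainder stays buffered
    if not unacked:
        return pending, 0                # nothing in flight: a small segment may go now
    return 0, pending                    # data in flight: hold until ACK or a full MSS


class NagleSender:
    """Tiny state machine driving nagle_decide as the app writes and ACKs arrive."""

    def __init__(self, mss=1460):
        self.mss, self.buffered, self.unacked, self.sent = mss, 0, 0, []

    def write(self, nbytes):
        """Application hands nbytes to TCP; returns bytes put on the wire now."""
        self.buffered += nbytes
        return self._flush()

    def ack_all(self):
        """Simplification: one ACK acknowledges everything in flight."""
        self.unacked = 0
        return self._flush()

    def _flush(self):
        now, self.buffered = nagle_decide(self.buffered, self.mss, self.unacked > 0)
        if now:
            self.sent.append(now)
            self.unacked += now
        return now


if __name__ == "__main__":  # interactive typing, one byte per write (constructed)
    n = NagleSender()
    print(n.write(1), n.write(1), n.write(1))  # 1 0 0: first byte goes, rest buffered
    print(n.ack_all())                         # 2: buffered bytes sent once ACK arrives
    print(n.write(3000), n.buffered)           # 2920 80: two full MSS now, 80 buffered
```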
11. TCP FLAGS
In a TCP connection, flags are used to indicate a particular state of the connection or to provide some additional useful information, e.g. for troubleshooting purposes or to handle control of a particular connection.
The most commonly used flags are "SYN", "ACK", "FIN" and "RST". "SYN" and "ACK" were already discussed in previous slides. "FIN" and "RST" will be discussed in a later slide.
Two other important flags are "PUSH" and "URGENT".
Let's discuss these two flags in the next slide.
12. PUSH v/s URGENT FLAG
• Push (PSH) – By default the transport layer waits for some time for the application layer to send enough data to fill a maximum segment size, so that the number of packets transmitted on the network is minimized. This is not desirable for some applications, like interactive applications (chatting). Similarly, the transport layer at the receiver end buffers packets and delivers them to the application layer only when certain criteria are met. This problem is solved by using PSH. The transport layer sets PSH = 1 and immediately sends the segment to the network layer as soon as it receives the signal from the application layer. The receiver's transport layer, on seeing PSH = 1, immediately forwards the data to the application layer.
In general, it tells the receiver to process these packets as they are received instead of buffering them.
• Urgent (URG) – Data inside a segment with the URG = 1 flag is forwarded to the application layer immediately, even if there is more data to be given to the application layer. It is used to notify the receiver to process the urgent packets before processing all other packets. The receiver will be notified when all known urgent data has been received.
13. Selective Acknowledgement
• First let's see the case when the Selective Acknowledgement option is not available in TCP.
• Take the example of a client sending a request to a server and the server responding in four TCP segments, without the SACK option on either client or server. When one of the segments is lost, the client sends a duplicate acknowledgement.
• The server receives the client's first duplicate acknowledgement for segment #1. Because the client has only confirmed receipt of the first of the four segments, the server must retransmit all three remaining segments in the response.
• The client successfully receives and acknowledges the three remaining segments.
• This mechanism is inefficient; how it is tackled with SACK is shown in the next slide.
14. Selective Ack continued
Case when the SACK option is available on TCP:
Take the previous example. When the client realizes it has lost segment 2, it sends a duplicate ACK and in the SACK option informs the server that it has received segment 3.
The server receives the client's duplicate ACK for segment #1 and SACK for segment #3 (both in the same TCP packet). From this, the server deduces that the client is missing segment #2, so segment #2 is retransmitted. The next SACK received by the server indicates that the client has also received segment #4 successfully, so no more segments need to be transmitted.
The client receives segment #2 and sends an acknowledgement to indicate that it has received all data up to and including segment #4.
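The four-segment scenario of slides 13 and 14 worked through in code, as an added example that is not from the deck: the receiver side derives the cumulative ACK and SACK blocks from what arrived, and the sender side decides what to retransmit with and without SACK. Relative sequence numbers and right-exclusive SACK edges follow RFC 2018; the segment sizes are constructed.

```python
def receiver_state(received):
    """Receiver side. received: list of (seq, length) segments that arrived, in any
    order and possibly duplicated. Returns (cum_ack, sack_blocks): cum_ack is the
    first byte not yet received; each SACK block (left, right) covers contiguous
    data above the hole, right edge exclusive as in RFC 2018."""
    segs = sorted(received)
    cum_ack, i = 1, 0
    while i < len(segs) and segs[i][0] <= cum_ack:         # contiguous from byte 1
        cum_ack = max(cum_ack, segs[i][0] + segs[i][1])
        i += 1
    blocks = []
    for seq, length in segs[i:]:                            # data beyond the hole
        if blocks and blocks[-1][1] == seq:
            blocks[-1] = (blocks[-1][0], seq + length)      # extend contiguous block
        else:
            blocks.append((seq, seq + length))
    return cum_ack, blocks


def segments_to_retransmit(sent, cum_ack, sack_blocks=()):
    """Sender side. sent: list of (seq, length). Without SACK the sender only knows
    the cumulative ACK, so everything above it is resent (go-back-N). With SACK,
    only unacknowledged segments below the highest SACKed byte are holes; segments
    above that edge are still in flight, not yet known to be lost."""
    if not sack_blocks:
        return [seq for seq, length in sent if seq + length > cum_ack]
    highest = max(right for _, right in sack_blocks)
    lost = []
    for seq, length in sent:
        end = seq + length
        if end <= cum_ack or end > highest:
            continue
        if not any(left <= seq and end <= right for left, right in sack_blocks):
            lost.append(seq)
    return lost


# Constructed scenario from the slides: a four-segment response, segment 2 lost.
SENT = [(1, 1000), (1001, 1000), (2001, 1000), (3001, 1000)]

if __name__ == "__main__":
    print(segments_to_retransmit(SENT, 1001))            # no SACK: [1001, 2001, 3001]
    ack, blocks = receiver_state([(1, 1000), (2001, 1000)])  # got 1 and 3
    print(ack, blocks)                                    # 1001 [(2001, 3001)]
    print(segments_to_retransmit(SENT, ack, blocks))      # with SACK: [1001] only
```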
15. The Timestamps
• The Timestamp option can be used to measure the round-trip time (RTT) of every packet that is acknowledged. This is done by including a Timestamp Value (TSval) in every segment that is sent. These TSval values are echoed back by the opposite side of the connection in TSecr (Timestamp Echo Reply).
• TS values are just a 4-byte number derived from a starting point when the sender begins sending. Say the TS value of the sender is 'X'; the sender expects the receiver to set its TS Echo Reply value to X.
• The TS value the receiver sends is also just a 4-byte number in its starting packet.
• Later, sender and receiver packet TS values get incremented based on the internal clock or the time delta between packets.
• Now we know that the difference between a received TSecr value and the current timestamp clock value provides an RTT measurement. Current timestamp here refers to the sender's timestamp at this moment (internal clock).
16. No Operation Option
It is required that the whole TCP header be a multiple of 4 bytes in length.
Sometimes an option can be of length less than 4 bytes.
So to pad that, the one-byte No Op option is used.
The No Op option is used between TCP options for 4-byte alignment.
No Operation has been defined as padding to allow any option to be expanded to multiples of 4 bytes.
However, it is not mandatory to include the No Operation option.
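A parser for the TCP options area that handles the single-byte NOP and EOL kinds, the 4-byte alignment rule from this slide, and the MSS, Window Scale, SACK-Permitted and Timestamps options from the earlier slides, as an added example (not from the deck). Option lengths are bounds-checked so a malformed header raises instead of being read past its end; the sample option bytes are constructed.

```python
import struct

OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WScale", 4: "SACK-Permitted",
                5: "SACK", 8: "Timestamps"}


def padding_needed(options_len):
    """NOP/EOL bytes required to bring the options area to a 4-byte multiple."""
    return (-options_len) % 4


def parse_tcp_options(raw):
    """Parse the options area that follows the 20-byte fixed TCP header.
    NOP (kind 1) and EOL (kind 0) are single bytes with no length field; every
    other option is kind, length, data. Lengths are checked against the buffer
    so a malformed packet raises ValueError instead of reading out of bounds."""
    if len(raw) % 4:
        raise ValueError("TCP header length must be a multiple of 4 bytes")
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                           # EOL: the rest is padding
            opts.append(("EOL", None))
            break
        if kind == 1:                           # NOP: one byte of alignment padding
            opts.append(("NOP", None))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError(f"option kind {kind}: length byte missing")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"option kind {kind}: bad length {length}")
        data = raw[i + 2:i + length]
        if kind == 2 and length == 4:
            opts.append(("MSS", struct.unpack("!H", data)[0]))
        elif kind == 3 and length == 3:
            opts.append(("WScale", data[0]))
        elif kind == 4 and length == 2:
            opts.append(("SACK-Permitted", True))
        elif kind == 8 and length == 10:
            opts.append(("Timestamps", struct.unpack("!II", data)))   # (TSval, TSecr)
        else:                                   # unknown or oddly sized: keep raw bytes
            opts.append((OPTION_NAMES.get(kind, f"kind{kind}"), data))
        i += length
    return opts


# Constructed sample: the option layout a Linux host typically sends in a SYN.
# MSS 1460 | SACK-Permitted | Timestamps | NOP | Window Scale 7 = 4+2+10+1+3 = 20 bytes
SYN_OPTIONS = bytes.fromhex("020405b4" "0402" "080a0001e24000000000" "01" "030307")
```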
17. MTU V/S MSS
• MTU = MSS + IP header + TCP header
• MSS is the maximum payload which TCP can carry.
• MSS is negotiated between client and server using the 3-way handshake.
• TCP MSS can be clamped on a per-need basis, based on configuration, to make sure fragmentation does not happen.
• Details of TCP MSS clamping are not discussed here.
18. FIN V/S Resets
• We all know that TCP connection termination is graceful.
• Say, e.g., you are done using an app: your system sends a TCP FIN and waits for an ACK and a FIN from the server. The server too sends FIN and ACK.
• RST is not a cool thing to happen on the network.
• Say, e.g., your client sends a TCP SYN on port 8080 to the server and the server is not listening on port 8080: it immediately sends RST and the connection is closed.
• Remember both client and server can send FIN/RST.
19. TCP SYN/Flood Attack and Mitigation
• A TCP SYN flood (a.k.a. SYN flood) is a type of Distributed Denial of Service (DDoS) attack that exploits part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive.
• There are several methods modern-day firewalls use to mitigate this attack. One simple technique is below.
• SYN cookies: using cryptographic hashing, the server sends its SYN-ACK response with a sequence number (seqno) that is constructed from the client IP address, port number, and possibly other unique identifying information. When the client responds, this hash is included in the ACK packet. The server verifies the ACK, and only then allocates memory for the connection.
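The SYN cookie mitigation described above, as an added example that is not from the deck and not how any particular kernel or firewall implements it: the server's SYN-ACK sequence number is built from a time slot, an MSS index and a keyed hash over the client's address, port and ISN, so nothing has to be stored for the half-open connection, and state is allocated only once the final ACK echoes a valid cookie. The 5/3/24-bit layout, the secret, the MSS table and the addresses are assumptions made for this example.

```python
import hashlib
import hmac

SERVER_SECRET = b"constructed-secret-rotate-me"  # assumption: per-server random key
MSS_TABLE = [536, 1220, 1440, 1460]              # MSS values encodable in 3 bits (illustrative)


def _epoch(now):
    """Coarse 5-bit time counter in 64-second steps, so old cookies expire."""
    return (int(now) >> 6) & 0x1F


def _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, t):
    """24-bit keyed hash over the 4-tuple, the client's ISN and the time slot."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{t}".encode()
    return int.from_bytes(hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now):
    """Sequence number for the SYN-ACK: 5 bits time slot | 3 bits MSS index | 24 bits MAC.
    Nothing is stored server-side for this half-open connection."""
    t = _epoch(now)
    m = max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)
    return (t << 27) | (m << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, t)


def check_syn_cookie(cookie, src_ip, src_port, dst_ip, dst_port, client_isn, now):
    """Validate the cookie echoed in the final ACK. Returns the MSS to use, or None
    if the cookie is forged, tampered with or too old. Connection state is only
    allocated after this returns a value."""
    t, m = cookie >> 27, (cookie >> 24) & 0x7
    if (_epoch(now) - t) % 32 > 1:          # accept the current and previous slot only
        return None
    if (cookie & 0xFFFFFF) != _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, t):
        return None
    return MSS_TABLE[m]


def handle_final_ack(src_ip, src_port, dst_ip, dst_port, seq, ack, now):
    """Third handshake packet: its seq is client_isn + 1 and its ack is our cookie + 1."""
    return check_syn_cookie((ack - 1) & 0xFFFFFFFF, src_ip, src_port, dst_ip, dst_port,
                            (seq - 1) & 0xFFFFFFFF, now)


if __name__ == "__main__":  # constructed handshake: addresses from documentation ranges
    now = 1_700_000_000
    c = make_syn_cookie("203.0.113.5", 40000, "198.51.100.10", 443, 123456, 1460, now)
    print(hex(c), handle_final_ack("203.0.113.5", 40000, "198.51.100.10", 443,
                                   123457, c + 1, now))        # valid -> 1460
```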
20. THANK YOU – Some links to learn TCP
https://www.youtube.com/watch?v=XMcYwr-yJGA&list=PLW8bTPfXNGdAZIKv-y9v_XLXtEqrPtntm&index=7
https://cloudshark.io/articles/tcp-window-scaling-examples/
https://packetlife.net/blog/2010/jun/17/tcp-selective-acknowledgments-sack/