
TCP segment structure

Transmission Control Protocol accepts data from a data stream, divides it into chunks, and adds a TCP header creating a TCP segment. The TCP segment is then encapsulated into an Internet Protocol (IP) datagram, and exchanged with peers.[3]

The term TCP packet, though sometimes informally used, is not in line with current terminology, where segment refers to the TCP Protocol Data Unit (PDU), datagram[4] to the IP PDU and frame to the data link layer PDU:

Processes transmit data by calling on the TCP and passing buffers of data as arguments. The TCP packages the data from these buffers into segments and calls on the internet module [e.g. IP] to transmit each segment to the destination TCP.[5]

A TCP segment consists of a segment header and a data section. The TCP header contains 10 mandatory fields, and an optional extension field (Options).

The data section follows the header. Its contents are the payload data carried for the application. The length of the data section is not specified in the TCP segment header. It can be calculated by subtracting the combined length of the TCP header and the encapsulating IP header from the total IP datagram length (specified in the IP header).

TCP Header

Octet  Bit   Fields (bits 0 to 31 of each 32-bit word)
0      0     Source port | Destination port
4      32    Sequence number
8      64    Acknowledgment number (if ACK set)
12     96    Data offset | Reserved | NS | CWR | ECE | URG | ACK | PSH | RST | SYN | FIN | Window Size
16     128   Checksum | Urgent pointer (if URG set)
20     160   Options (if data offset > 5. Padded at the end with "0" bytes if necessary.)
...    ...   ...

Source port (16 bits)
    identifies the sending port

Destination port (16 bits)
    identifies the receiving port

Sequence number (32 bits)
    has a dual role:
    • If the SYN flag is set (1), then this is the initial sequence number. The sequence number of the actual first data byte and the acknowledged number in the corresponding ACK are then this sequence number plus 1.
    • If the SYN flag is clear (0), then this is the accumulated sequence number of the first data byte of this segment for the current session.

Acknowledgment number (32 bits)
    if the ACK flag is set then the value of this field is the next sequence number that the receiver is expecting. This acknowledges receipt of all prior bytes (if any). The first ACK sent by each end acknowledges the other end's initial sequence number itself, but no data.

Data offset (4 bits)
    specifies the size of the TCP header in 32-bit words. The minimum size header is 5 words and the maximum is 15 words thus giving the minimum size of 20 bytes and maximum of 60 bytes, allowing for up to 40 bytes of options in the header. This field gets its name from the fact that it is also the offset from the start of the TCP segment to the actual data.

Reserved (6 bits)
    for future use and should be set to zero

Flags (9 bits) (aka Control bits)
    contains 9 1-bit flags
    • NS (1 bit) – ECN-nonce concealment protection (added to header by RFC 3540).

    • CWR (1 bit) – Congestion Window Reduced (CWR) flag is set by the sending host to indicate that it received a TCP segment with the ECE flag set and had responded in congestion control mechanism (added to header by RFC 3168).
    • ECE (1 bit) – ECN-Echo indicates
        • If the SYN flag is set (1), that the TCP peer is ECN capable.
        • If the SYN flag is clear (0), that a packet with Congestion Experienced flag in IP header set is received during normal transmission (added to header by RFC 3168).
    • URG (1 bit) – indicates that the Urgent pointer field is significant
    • ACK (1 bit) – indicates that the Acknowledgment field is significant. All packets after the initial SYN packet sent by the client should have this flag set.
    • PSH (1 bit) – Push function. Asks to push the buffered data to the receiving application.
    • RST (1 bit) – Reset the connection
    • SYN (1 bit) – Synchronize sequence numbers. Only the first packet sent from each end should have this flag set. Some other flags change meaning based on this flag, and some are only valid for when it is set, and others when it is clear.
    • FIN (1 bit) – No more data from sender

Window size (16 bits)
    the size of the receive window, which specifies the number of window size units (by default, bytes) (beyond the sequence number in the acknowledgment field) that the sender of this segment is currently willing to receive (see Flow control and Window Scaling)

Checksum (16 bits)
    The 16-bit checksum field is used for error-checking of the header and data

Urgent pointer (16 bits)
    if the URG flag is set, then this 16-bit field is an offset from the sequence number indicating the last urgent data byte

Options (Variable 0–320 bits, divisible by 32)
    The length of this field is determined by the data offset field. Options have up to three fields: Option-Kind (1 byte), Option-Length (1 byte), Option-Data (variable). The Option-Kind field indicates the type of option, and is the only field that is not optional. Depending on what kind of option we are dealing with, the next two fields may be set: the Option-Length field indicates the total length of the option, and the Option-Data field contains the value of the option, if applicable. For example, an Option-Kind byte of 0x01 indicates that this is a No-Op option used only for padding, and does not have an Option-Length or Option-Data byte following it. An Option-Kind byte of 0 is the End Of Options option, and is also only one byte. An Option-Kind byte of 0x02 indicates that this is the Maximum Segment Size option, and will be followed by a byte specifying the length of the MSS field (should be 0x04). Note that this length is the total length of the given options field, including Option-Kind and Option-Length bytes. So while the MSS value is typically expressed in two bytes, the length of the field will be 4 bytes (+2 bytes of kind and length). In short, an MSS option field with a value of 0x05B4 will show up as (0x02 0x04 0x05B4) in the TCP options section.

    Some options may only be sent when SYN is set; they are indicated below as [SYN]. Option-Kind and standard lengths given as (Option-Kind,Option-Length).

    • 0 (8 bits) – End of options list
    • 1 (8 bits) – No operation (NOP, Padding) This may be used to align option fields on 32-bit boundaries for better performance.
    • 2,4,SS (32 bits) – Maximum segment size (see maximum segment size) [SYN]
    • 3,3,S (24 bits) – Window scale (see window scaling for details) [SYN][6]
    • 4,2 (16 bits) – Selective Acknowledgement permitted. [SYN] (See selective acknowledgments for details)[7]

    • 5,N,BBBB,EEEE,... (variable bits, N is either 10, 18, 26, or 34) – Selective ACKnowledgement (SACK)[8] These first two bytes are followed by a list of 1–4 blocks being selectively acknowledged, specified as 32-bit begin/end pointers.
    • 8,10,TTTT,EEEE (80 bits) – Timestamp and echo of previous timestamp (see TCP timestamps for details)[9]
    • 14,3,S (24 bits) – TCP Alternate Checksum Request. [SYN][10]
    • 15,N,... (variable bits) – TCP Alternate Checksum Data.

    (The remaining options are obsolete, experimental, not yet standardized, or unassigned)

Padding
    The TCP header padding is used to ensure that the TCP header ends and data begins on a 32 bit boundary. The padding is composed of zeros.[11]

Protocol operation

[Figure: A Simplified TCP State Diagram. See TCP EFSM diagram for a more detailed state diagram including the states inside the ESTABLISHED state.]

TCP protocol operations may be divided into three phases. Connections must be properly established in a multi-step handshake process (connection establishment) before entering the data transfer phase. After data transmission is completed, the connection termination closes established virtual circuits and releases all allocated resources.

A TCP connection is managed by an operating system through a programming interface that represents the local end-point for communications, the Internet socket. During the lifetime of a TCP connection the local end-point undergoes a series of state changes:[12]

LISTEN
    (server) represents waiting for a connection request from any remote TCP and port.

SYN-SENT
    (client) represents waiting for a matching connection request after having sent a connection request.

SYN-RECEIVED
    (server) represents waiting for a confirming connection request acknowledgment after having both received and sent a connection request.

ESTABLISHED
    (both server and client) represents an open connection, data received can be delivered to the user. The normal state for the data transfer phase of the connection.

FIN-WAIT-1
    (both server and client) represents waiting for a connection termination request from the remote TCP, or an acknowledgment of the connection termination request previously sent.

FIN-WAIT-2
    (both server and client) represents waiting for a connection termination request from the remote TCP.

CLOSE-WAIT
    (both server and client) represents waiting for a connection termination request from the local user.

CLOSING
    (both server and client) represents waiting for a connection termination request acknowledgment from the remote TCP.

LAST-ACK
    (both server and client) represents waiting for an acknowledgment of the connection termination request previously sent to the remote TCP (which includes an acknowledgment of its connection termination request).

TIME-WAIT
    (either server or client) represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request. [According to RFC 793 a connection can stay in TIME-WAIT for a maximum of four minutes known as a MSL (maximum segment lifetime).]

CLOSED
    (both server and client) represents no connection state at all.

Connection establishment

To establish a connection, TCP uses a three-way handshake. Before a client attempts to connect with a server, the server must first bind to and listen at a port to open it up for connections: this is called a passive open. Once the passive open is established, a client may initiate an active open. To establish a connection, the three-way (or 3-step) handshake occurs:

1. SYN: The active open is performed by the client sending a SYN to the server. The client sets the segment's sequence number to a random value A.
2. SYN-ACK: In response, the server replies with a SYN-ACK. The acknowledgment number is set to one more than the received sequence number i.e. A+1, and the sequence number that the server chooses for the packet is another random number, B.
3. ACK: Finally, the client sends an ACK back to the server. The sequence number is set to the received acknowledgement value i.e. A+1, and the acknowledgement number is set to one more than the received sequence number i.e. B+1.

At this point, both the client and server have received an acknowledgment of the connection. The steps 1, 2 establish the connection parameter (sequence number) for one direction and it is acknowledged. The steps 2, 3 establish the connection parameter (sequence number) for the other direction and it is acknowledged. With these, a full-duplex communication is established.

Connection termination

The connection termination phase uses a four-way handshake, with each side of the connection terminating independently. When an endpoint wishes to stop its half of the connection, it transmits a FIN packet, which the other end acknowledges with an ACK. Therefore, a typical tear-down requires a pair of FIN and ACK segments from each TCP endpoint. After both FIN/ACK exchanges are concluded, the side which sent the first FIN before receiving one waits for a timeout before finally closing the connection, during which time the local port is unavailable for new connections; this prevents confusion due to delayed packets being delivered during subsequent connections.
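The header layout and option encoding from the segment structure section, checked against the A / A+1 / B+1 numbering of the three-way handshake, as an added example that is not part of the original article. The helper names, port numbers and sequence values are constructed for the demonstration; the checksum is left at 0 and not verified.

```python
import struct

FLAG_BITS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS")  # bit 0 upward
SYN_ONLY = {2: 2, 3: 1, 4: 0}    # [SYN] option kind -> expected Option-Data size


class MalformedSegment(ValueError):
    """Header or option lengths are inconsistent with the bytes present."""


def parse_options(raw):
    """Walk Option-Kind / Option-Length / Option-Data; return [(kind, data)]."""
    options, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of options list: the rest is padding
            break
        if kind == 1:                      # NOP: a single byte, no length field
            i += 1
            continue
        if i + 1 >= len(raw):
            raise MalformedSegment(f"option {kind}: length byte missing")
        length = raw[i + 1]
        # Option-Length counts the kind and length bytes themselves. A value
        # below 2 would stall this loop; one past the header would over-read.
        if length < 2 or i + length > len(raw):
            raise MalformedSegment(f"option {kind}: bad length {length}")
        options.append((kind, raw[i + 2:i + length]))
        i += length
    return options


def parse_segment(segment):
    """Decode the fixed header fields, the flag bits and the [SYN] options."""
    if len(segment) < 20:
        raise MalformedSegment("shorter than the minimum 20-byte header")
    sport, dport, seq, ack, off_flags, window, _checksum, _urgent = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = off_flags >> 12          # header size in 32-bit words
    header_len = data_offset * 4
    if data_offset < 5 or header_len > len(segment):
        raise MalformedSegment(f"data offset {data_offset} out of range")
    flags = {name for bit, name in enumerate(FLAG_BITS) if off_flags & (1 << bit)}
    options = dict(parse_options(segment[20:header_len]))
    for kind, data in options.items():
        # Strict on purpose: this example rejects a [SYN] option on a non-SYN
        # segment or with the wrong size instead of ignoring it.
        if kind in SYN_ONLY and ("SYN" not in flags or len(data) != SYN_ONLY[kind]):
            raise MalformedSegment(f"option {kind}: not valid in this segment")
    parsed = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
              "flags": flags, "window": window, "payload": segment[header_len:],
              "sack_permitted": 4 in options}
    if 2 in options:
        parsed["mss"] = int.from_bytes(options[2], "big")
    if 3 in options:
        parsed["window_scale"] = options[3][0]
    return parsed


def build_segment(sport, dport, seq, ack, flags, window, options=b"", payload=b""):
    """Assemble a segment for the demo (checksum and urgent pointer left at 0)."""
    options += b"\x00" * (-len(options) % 4)       # zero padding to a 32-bit boundary
    off_flags = ((5 + len(options) // 4) << 12) | sum(
        1 << FLAG_BITS.index(name) for name in flags)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags,
                       window, 0, 0) + options + payload


def handshake_ok(syn, syn_ack, ack):
    """True if three parsed segments follow the A, A+1, B, B+1 numbering."""
    def nxt(n):
        return (n + 1) % 2**32                     # sequence numbers wrap at 2^32
    return ("SYN" in syn["flags"] and "ACK" not in syn["flags"]
            and syn_ack["flags"] >= {"SYN", "ACK"}
            and syn_ack["ack"] == nxt(syn["seq"])
            and "ACK" in ack["flags"] and "SYN" not in ack["flags"]
            and ack["seq"] == nxt(syn["seq"])
            and ack["ack"] == nxt(syn_ack["seq"]))


# Constructed sample: A = 0xFFFFFFFF exercises the wrap to 0, B = 0x1000.
MSS = bytes([2, 4, 0x05, 0xB4])                    # the (0x02 0x04 0x05B4) case above
WSCALE = bytes([3, 3, 7])
SACK_OK = bytes([4, 2])
SYN = build_segment(49152, 80, 0xFFFFFFFF, 0, ["SYN"], 65535, MSS + SACK_OK + WSCALE)
SYN_ACK = build_segment(80, 49152, 0x1000, 0, ["SYN", "ACK"], 65535, MSS + WSCALE)
ACK = build_segment(49152, 80, 0, 0x1001, ["ACK"], 512)

if __name__ == "__main__":
    parsed = [parse_segment(s) for s in (SYN, SYN_ACK, ACK)]
    print(parsed[0]["mss"], sorted(parsed[1]["flags"]), handshake_ok(*parsed))
```
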

A connection can be "half-open", in which case one side has terminated its end, but the other has not. The side that has terminated can no longer send any data into the connection, but the other side can. The terminating side should continue reading the data until the other side terminates as well.

It is also possible to terminate the connection by a 3-way handshake, when host A sends a FIN and host B replies with a FIN & ACK (merely combines 2 steps into one) and host A replies with an ACK.[13] This is perhaps the most common method.

It is possible for both hosts to send FINs simultaneously then both just have to ACK. This could possibly be considered a 2-way handshake since the FIN/ACK sequence is done in parallel for both directions.

Some host TCP stacks may implement a half-duplex close sequence, as Linux or HP-UX do. If such a host actively closes a connection but still has not read all the incoming data the stack already received from the link, this host sends a RST instead of a FIN (Section 4.2.2.13 in RFC 1122). This allows a TCP application to be sure the remote application has read all the data the former sent – waiting the FIN from the remote side, when it actively closes the connection. But the remote TCP stack cannot distinguish between a Connection Aborting RST and Data Loss RST. Both cause the remote stack to lose all the data received.

Some application protocols may violate the OSI model layers, using the TCP open/close handshaking for the application protocol open/close handshaking – these may find the RST problem on active close. As an example:

    s = connect(remote);
    send(s, data);
    close(s);

For a usual program flow like above, a TCP/IP stack like that described above does not guarantee that all the data arrives to the other application.

Resource usage

Most implementations allocate an entry in a table that maps a session to a running operating system process. Because TCP packets do not include a session identifier, both endpoints identify the session using the client's address and port. Whenever a packet is received, the TCP implementation must perform a lookup on this table to find the destination process. Each entry in the table is known as a Transmission Control Block or TCB. It contains information about the endpoints (IP and port), status of the connection, running data about the packets that are being exchanged and buffers for sending and receiving data.

The number of sessions in the server side is limited only by memory and can grow as new connections arrive, but the client must allocate a random port before sending the first SYN to the server. This port remains allocated during the whole conversation, and effectively limits the number of outgoing connections from each of the client's IP addresses. If an application fails to properly close unrequired connections, a client can run out of resources and become unable to establish new TCP connections, even from other applications.

Both endpoints must also allocate space for unacknowledged packets and received (but unread) data.

Data transfer

There are a few key features that set TCP apart from User Datagram Protocol:

• Ordered data transfer – the destination host rearranges according to sequence number[2]
• Retransmission of lost packets – any cumulative stream not acknowledged is retransmitted[2]
• Error-free data transfer[14]
• Flow control – limits the rate a sender transfers data to guarantee reliable delivery. The receiver continually hints the sender on how much data can be received (controlled by the sliding window). When the receiving host's buffer fills, the next acknowledgment contains a 0 in the window size, to stop transfer and allow the data in the buffer to be processed.[2]

• Congestion control[2]

Reliable transmission

TCP uses a sequence number to identify each byte of data. The sequence number identifies the order of the bytes sent from each computer so that the data can be reconstructed in order, regardless of any fragmentation, disordering, or packet loss that may occur during transmission. For every payload byte transmitted, the sequence number must be incremented. In the first two steps of the 3-way handshake, both computers exchange an initial sequence number (ISN). This number can be arbitrary, and should in fact be unpredictable to defend against TCP sequence prediction attacks.

TCP primarily uses a cumulative acknowledgment scheme, where the receiver sends an acknowledgment signifying that the receiver has received all data preceding the acknowledged sequence number. The sender sets the sequence number field to the sequence number of the first payload byte in the segment's data field, and the receiver sends an acknowledgment specifying the sequence number of the next byte they expect to receive. For example, if a sending computer sends a packet containing four payload bytes with a sequence number field of 100, then the sequence numbers of the four payload bytes are 100, 101, 102 and 103. When this packet arrives at the receiving computer, it would send back an acknowledgment number of 104 since that is the sequence number of the next byte it expects to receive in the next packet.

In addition to cumulative acknowledgments, TCP receivers can also send selective acknowledgments to provide further information.

If the sender infers that data has been lost in the network, it retransmits the data.

Error detection

Sequence numbers allow receivers to discard duplicate packets and properly sequence reordered packets. Acknowledgments allow senders to determine when to retransmit lost packets.

To assure correctness a checksum field is included (see TCP segment structure for details on checksumming). The TCP checksum is a weak check by modern standards. Data Link Layers with high bit error rates may require additional link error correction/detection capabilities. The weak checksum is partially compensated for by the common use of a CRC or better integrity check at layer 2, below both TCP and IP, such as is used in PPP or the Ethernet frame. However, this does not mean that the 16-bit TCP checksum is redundant: remarkably, introduction of errors in packets between CRC-protected hops is common, but the end-to-end 16-bit TCP checksum catches most of these simple errors.[15] This is the end-to-end principle at work.

Flow control

TCP uses an end-to-end flow control protocol to avoid having the sender send data too fast for the TCP receiver to receive and process it reliably. Having a mechanism for flow control is essential in an environment where machines of diverse network speeds communicate. For example, if a PC sends data to a smartphone that is slowly processing received data, the smartphone must regulate the data flow so as not to be overwhelmed.[2]

TCP uses a sliding window flow control protocol. In each TCP segment, the receiver specifies in the receive window field the amount of additionally received data (in bytes) that it is willing to buffer for the connection. The sending host can send only up to that amount of data before it must wait for an acknowledgment and window update from the receiving host.

[Figure: TCP sequence numbers and receive windows behave very much like a clock. The receive window shifts each time the receiver receives and acknowledges a new segment of data. Once it runs out of sequence numbers, the sequence number loops back to 0.]

When a receiver advertises a window size of 0, the sender stops sending data and starts the persist timer. The persist timer is used to protect TCP from a deadlock situation that could arise if a subsequent window size update from the receiver is lost, and the sender cannot send more data until receiving a new window size update from the receiver. When the persist timer expires, the TCP sender attempts recovery by sending a small packet so that the receiver responds by sending another acknowledgement containing the new window size.

If a receiver is processing incoming data in small increments, it may repeatedly advertise a small receive window. This is referred to as the silly window syndrome, since it is inefficient to send only a few bytes of data in a TCP segment, given the relatively large overhead of the TCP header.

Congestion control

The final main aspect of TCP is congestion control. TCP uses a number of mechanisms to achieve high performance and avoid congestion collapse, where network performance can fall by several orders of magnitude. These mechanisms control the rate of data entering the network, keeping the data flow below a rate that would trigger collapse. They also yield an approximately max-min fair allocation between flows.

Acknowledgments for data sent, or lack of acknowledgments, are used by senders to infer network conditions between the TCP sender and receiver. Coupled with timers, TCP senders and receivers can alter the behavior of the flow of data. This is more generally referred to as congestion control and/or network congestion avoidance.

Modern implementations of TCP contain four intertwined algorithms: Slow-start, congestion avoidance, fast retransmit, and fast recovery (RFC 5681).

In addition, senders employ a retransmission timeout (RTO) that is based on the estimated round-trip time (or RTT) between the sender and receiver, as well as the variance in this round trip time. The behavior of this timer is specified in RFC 6298. There are subtleties in the estimation of RTT. For example, senders must be careful when calculating RTT samples for retransmitted packets; typically they use Karn's Algorithm or TCP timestamps (see RFC 1323). These individual RTT samples are then averaged over time to create a Smoothed Round Trip Time (SRTT) using Jacobson's algorithm. This SRTT value is what is finally used as the round-trip time estimate.

Enhancing TCP to reliably handle loss, minimize errors, manage congestion and go fast in very high-speed environments are ongoing areas of research and standards development. As a result, there are a number of TCP congestion avoidance algorithm variations.

Maximum segment size

The maximum segment size (MSS) is the largest amount of data, specified in bytes, that TCP is willing to receive in a single segment. For best performance, the MSS should be set small enough to avoid IP fragmentation, which can lead to packet loss and excessive retransmissions. To try to accomplish this, typically the MSS is announced by each side using the MSS option when the TCP connection is established, in which case it is derived from the maximum transmission unit (MTU) size of the data link layer of the networks to which the sender and receiver are directly attached. Furthermore, TCP senders can use path MTU discovery to infer the minimum MTU along the network path between the sender and receiver, and use this to dynamically adjust the MSS to avoid IP fragmentation within the network.

MSS announcement is also often called "MSS negotiation". Strictly speaking, the MSS is not "negotiated" between the originator and the receiver, because that would imply that both originator and receiver will negotiate and agree upon a single, unified MSS that applies to all communication in both directions of the connection. In fact, two completely independent values of MSS are permitted for the two directions of data flow in a TCP connection.[16] This situation may arise, for example, if one of the devices participating in a connection has an extremely limited amount of memory reserved (perhaps even smaller than the overall discovered Path MTU) for processing incoming TCP segments.

Selective acknowledgments

Relying purely on the cumulative acknowledgment scheme employed by the original TCP protocol can lead to inefficiencies when packets are lost. For example, suppose 10,000 bytes are sent in 10 different TCP packets, and the first packet is lost during transmission. In a pure cumulative acknowledgment protocol, the receiver cannot say that it received bytes 1,000 to 9,999 successfully, but failed to receive the first packet, containing bytes 0 to 999. Thus the sender may then have to resend all 10,000 bytes.

To solve this problem TCP employs the selective acknowledgment (SACK) option, defined in RFC 2018, which allows the receiver to acknowledge discontinuous blocks of packets that were received correctly, in addition to the sequence number of the last contiguous byte received successively, as in the basic TCP acknowledgment. The acknowledgement can specify a number of SACK blocks, where each SACK block is conveyed by the starting and ending sequence numbers of a contiguous range that the receiver correctly received. In the example above, the receiver would send SACK with sequence numbers 1000 and 9999. The sender thus retransmits only the first packet, bytes 0 to 999.

A TCP sender can interpret an out-of-order packet delivery as a lost packet. If it does so, the TCP sender will retransmit the packet previous to the out-of-order packet and slow its data delivery rate for that connection. The duplicate-SACK option, an extension to the SACK option that was defined in RFC 2883, solves this problem. The TCP receiver sends a D-ACK to indicate that no packets were lost, and the TCP sender can then reinstate the higher transmission rate.

The SACK option is not mandatory and it is used only if both parties support it. This is negotiated when connection is established. SACK uses the optional part of the TCP header (see TCP segment structure for details). The use of SACK is widespread – all popular TCP stacks support it. Selective acknowledgment is also used in Stream Control Transmission Protocol (SCTP).

Window scaling

Main article: TCP window scale option

For more efficient use of high bandwidth networks, a larger TCP window size may be used. The TCP window size field controls the flow of data and its value is limited to between 2 and 65,535 bytes.

Since the size field cannot be expanded, a scaling factor is used. The TCP window scale option, as defined in RFC 1323, is an option used to increase the maximum window size from 65,535 bytes to 1 gigabyte. Scaling up to larger window sizes is a part of what is necessary for TCP Tuning.

The window scale option is used only during the TCP 3-way handshake. The window scale value represents the number of bits to left-shift the 16-bit window size field. The window scale value can be set from 0 (no shift) to 14 for each direction independently. Both sides must send the option in their SYN segments to enable window scaling in either direction.

Some routers and packet firewalls rewrite the window scaling factor during a transmission. This causes sending and receiving sides to assume different TCP window sizes. The result is non-stable traffic that may be very slow. The problem is visible on some sites behind a defective router.[17]

TCP timestamps

TCP timestamps, defined in RFC 1323, can help TCP determine in which order packets were sent. TCP timestamps are not normally aligned to the system clock and start at some random value. Many operating systems will increment the timestamp for every elapsed millisecond; however the RFC only states that the ticks should be proportional.

There are two timestamp fields:

    a 4-byte sender timestamp value (my timestamp)
    a 4-byte echo reply timestamp value (the most recent timestamp received from you).

TCP timestamps are used in an algorithm known as Protection Against Wrapped Sequence numbers, or PAWS (see RFC 1323 for details). PAWS is used when the TCP window size exceeds the possible numbers of sequence numbers (2^32). In the case where a packet was potentially retransmitted it answers the question: "Is this sequence number in the first 4 GB or the second?" And the timestamp is used to break the tie.

RFC 1323 incorrectly states in section 2.3 that the window scale must be limited to 2^30 to remain under 1 GB (which is correct, but the sequence number limit is 4 GB); however a scale of 16 and a window size of 65535 would be 65536 less than the 2^32 possible sequence numbers and thus an acceptable yet excessive value. Because of this error many systems have limited the max scale to 2^14 to "follow the RFC".[citation needed]

Also, the Eifel detection algorithm (RFC 3522) uses TCP timestamps to determine if retransmissions are occurring because packets are lost or simply out of order.

Out of band data

One is able to interrupt or abort the queued stream instead of waiting for the stream to finish. This is done by specifying the data as urgent. This tells the receiving program to process it immediately, along with the rest of the urgent data. When finished, TCP informs the application and resumes back to the stream queue. An example is when TCP is used for a remote login session, the user can send a keyboard sequence that interrupts or aborts the program at the other end. These signals are most often needed when a program on the remote machine fails to operate correctly. The signals must be sent without waiting for the program to finish its current transfer.[2]

TCP OOB data was not designed for the modern Internet. The urgent pointer only alters the processing on the remote host and doesn't expedite any processing on the network itself. When it gets to the remote host there are two slightly different interpretations of the protocol, which means only single bytes of OOB data are reliable. This is assuming it is reliable at all as it is one of the least commonly used protocol elements and tends to be poorly implemented.[18][19]

Forcing data delivery

Normally, TCP waits for 200 ms or for a full packet of data to send (Nagle's Algorithm tries to group small messages into a single packet). This wait creates small, but potentially serious, delays if repeated constantly during a file transfer. For example, a typical send block would be 4 KB, a typical MSS is 1460, so 2 packets go out on a 10 Mbit/s ethernet taking ~1.2 ms each followed by a third carrying the remaining 1176 after a 197 ms pause because TCP is waiting for a full buffer.

In the case of telnet, each user keystroke is echoed back by the server before the user can see it on the screen. This delay would become very annoying.

Setting the socket option TCP_NODELAY overrides the default 200 ms send delay. Application programs use this socket option to force output to be sent after writing a character or line of characters.

The RFC defines the PSH push bit as "a message to the receiving TCP stack to send this data immediately up to the receiving application".[2] There is no way to indicate or control it in User space using Berkeley sockets and it is controlled by Protocol stack only.[20]

Vulnerabilities

TCP may be attacked in a variety of ways. The results of a thorough security assessment of TCP, along with possible mitigations for the identified issues, were published in 2009,[21] and is currently being pursued within the IETF.[22]

Denial of service

By using a spoofed IP address and repeatedly sending purposely assembled SYN packets, followed by many ACK packets, attackers can cause the server to consume large amounts of resources keeping track of the bogus connections. This is known as a SYN flood attack. Proposed solutions to this problem include SYN cookies and cryptographic puzzles, though syn cookies come with their own set of vulnerabilities.[23] Sockstress is a similar attack, that might be mitigated with system resource management.[24] An advanced DoS attack involving the exploitation of the TCP Persist Timer was analyzed in Phrack #66.[25]

Connection hijacking

Main article: TCP sequence prediction attack

An attacker who is able to eavesdrop a TCP session and redirect packets can hijack a TCP connection. To do so, the attacker learns the sequence number from the ongoing communication and forges a false segment that looks like the next segment in the stream. Such a simple hijack can result in one packet being erroneously accepted at one end. When the receiving host acknowledges the extra segment to the other side of the connection, synchronization is lost. Hijacking might be combined with ARP or routing attacks that allow taking control of the packet flow, so as to get permanent control of the hijacked TCP connection.[26]

Impersonating a different IP address was not difficult prior to RFC 1948, when the initial sequence number was easily guessable. That allowed an attacker to blindly send a sequence of packets that the receiver would believe to come from a different IP address, without the need to deploy ARP or routing attacks: it is enough to ensure that the legitimate host of the impersonated IP address is down, or bring it to that condition using denial-of-service attacks. This is why the initial sequence number is now chosen at random.

TCP veto

An attacker who can eavesdrop and predict the size of the next packet to be sent can cause the receiver to accept a malicious payload without disrupting the existing connection. The attacker injects a malicious packet with the sequence number and a payload size of the next expected packet. When the legitimate packet is ultimately received, it is found to have the same sequence number and length as a packet already received and is silently dropped as a normal duplicate packet—the legitimate packet is "vetoed" by the malicious packet. Unlike in connection hijacking, the connection is never desynchronized and communication continues as normal after the malicious payload is accepted. TCP veto gives the attacker less control over the communication, but makes the attack particularly resistant to detection. The large increase in network traffic from the ACK storm is avoided. The only evidence to the receiver that something is amiss is a single duplicate packet, a normal occurrence in an IP network. The sender of the vetoed packet never sees any evidence of an attack.[27]

TCP ports

Main article: TCP and UDP port

TCP uses port numbers to identify sending and receiving application end-points on a host, or Internet sockets. Each side of a TCP connection has an associated 16-bit unsigned port number (0-65535) reserved by the sending or receiving application. Arriving TCP data packets are identified as belonging to a specific TCP connection by its sockets, that is, the combination of source host address, source port, destination host address, and destination port. This means that a server computer can provide several clients with several services simultaneously, as long as a client takes care of initiating any simultaneous connections to one destination port from different source ports.

Port numbers are categorized into three basic categories: well-known, registered, and dynamic/private. The well-known ports are assigned by the Internet Assigned Numbers Authority (IANA) and are typically used by system-level or root processes. Well-known applications running as servers and passively listening for connections typically use these ports. Some examples include: FTP (20 and 21), SSH (22), TELNET (23), SMTP (25), SSL (443) and HTTP (80). Registered ports are typically used by end user applications as ephemeral source ports when contacting servers, but they can also identify named services that have been registered by a third party. Dynamic/private ports can also be used by end user applications, but are less commonly so. Dynamic/private ports do not contain any meaning outside of any particular TCP connection.
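The TCP veto description above says the only trace at the receiver is one duplicate packet. The following is an added example, not part of the original page: a monitor that sees both copies can separate a benign retransmission from a conflicting duplicate by comparing payload digests for segments with the same flow, sequence number and length. The `Segment` fields and the sample capture are constructed for illustration; retransmissions that are repacketized to a different length are outside what this check covers.

```python
import hashlib
from collections import namedtuple

# One observed TCP data segment. Field names are assumptions of this example.
Segment = namedtuple("Segment", "src sport dst dport seq payload")

def find_conflicting_duplicates(segments):
    """Return (flow, seq, length) keys that were seen with differing payloads.

    A benign retransmission repeats the same bytes, so the digests match.
    In the veto scenario the injected and the legitimate segment share the
    sequence number and length but not the content.
    """
    first_digest = {}   # (flow, seq, length) -> SHA-256 of first payload seen
    conflicts = []
    for s in segments:
        if not s.payload:
            continue    # pure ACKs carry no data to compare
        flow = (s.src, s.sport, s.dst, s.dport)
        key = (flow, s.seq, len(s.payload))
        digest = hashlib.sha256(s.payload).digest()
        if first_digest.setdefault(key, digest) != digest and key not in conflicts:
            conflicts.append(key)
    return conflicts

# Constructed capture (documentation addresses, made-up payloads).
FLOW = ("192.0.2.10", 40000, "198.51.100.5", 80)
SAMPLE = [
    Segment(*FLOW, 1000, b"GET /a HTTP/1.1\r\n"),
    Segment(*FLOW, 1017, b"Host: one.example\r\n"),
    Segment(*FLOW, 1000, b"GET /a HTTP/1.1\r\n"),    # benign retransmission
    Segment(*FLOW, 1017, b"Host: two.example\r\n"),  # same seq/len, new bytes
    Segment(*FLOW, 1036, b""),                        # pure ACK, ignored
]

if __name__ == "__main__":
    for flow, seq, length in find_conflicting_duplicates(SAMPLE):
        print(f"conflicting duplicate on {flow}: seq={seq} len={length}")
```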

Development

TCP is a complex protocol. However, while significant enhancements have been made and proposed over the years, its most basic operation has not changed significantly since its first specification RFC 675 in 1974, and the v4 specification RFC 793, published in September 1981. RFC 1122, Host Requirements for Internet Hosts, clarified a number of TCP protocol implementation requirements. RFC 2581, TCP Congestion Control, one of the most important TCP-related RFCs in recent years, describes updated algorithms that avoid undue congestion. In 2001, RFC 3168 was written to describe explicit congestion notification (ECN), a congestion avoidance signaling mechanism.

The original TCP congestion avoidance algorithm was known as "TCP Tahoe", but many alternative algorithms have since been proposed (including TCP Reno, TCP Vegas, FAST TCP, TCP New Reno, and TCP Hybla).

TCP Interactive (iTCP) [28] is a research effort into TCP extensions that allows applications to subscribe to TCP events and register handler components that can launch applications for various purposes, including application-assisted congestion control.

Multipath TCP (MPTCP) [29][30] is an ongoing effort within the IETF that aims at allowing a TCP connection to use multiple paths to maximise resource usage and increase redundancy. The redundancy offered by Multipath TCP in the context of wireless networks [31] enables statistical multiplexing of resources, and thus increases TCP throughput dramatically. Multipath TCP also brings performance benefits in datacenter environments.[32] The reference implementation[33] of Multipath TCP is being developed in the Linux kernel.[34][35]

TCP Cookie Transactions (TCPCT) is an extension proposed in December 2009 to secure servers against denial-of-service attacks. Unlike SYN cookies, TCPCT does not conflict with other TCP extensions such as window scaling. TCPCT was designed due to necessities of DNSSEC, where servers have to handle large numbers of short-lived TCP connections.

tcpcrypt is an extension proposed in July 2010 to provide transport-level encryption directly in TCP itself. It is designed to work transparently and not require any configuration. Unlike TLS (SSL), tcpcrypt itself does not provide authentication, but provides simple primitives down to the application to do that. As of 2010, the first tcpcrypt IETF draft has been published and implementations exist for several major platforms.

TCP Fast Open is an extension to speed up the opening of successive TCP connections between two endpoints. It works by skipping the three-way handshake using a cryptographic "cookie". It is similar to an earlier proposal called T/TCP, which was not widely adopted due to security issues.[36] As of July 2012, it is an IETF Internet draft.[37]

TCP over wireless networks

TCP has been optimized for wired networks. Any packet loss is considered to be the result of network congestion and the congestion window size is reduced dramatically as a precaution. However, wireless links are known to experience sporadic and usually temporary losses due to fading, shadowing, hand off, and other radio effects, that cannot be considered congestion. After the (erroneous) back-off of the congestion window size, due to wireless packet loss, there can be a congestion avoidance phase with a conservative decrease in window size. This causes the radio link to be underutilized. Extensive research has been done on the subject of how to combat these harmful effects. Suggested solutions can be categorized as end-to-end solutions (which require modifications at the client or server),[38] link layer solutions (such as RLP in cellular networks), or proxy based solutions (which require some changes in the network without modifying end nodes).[38][39]

A number of alternative congestion control algorithms have been proposed to help solve the wireless problem, such as Vegas, Westwood, Veno and Santa Cruz.

Hardware implementations

One way to overcome the processing power requirements of TCP is to build hardware implementations of it, widely known as TCP Offload Engines (TOE). The main problem of TOEs is that they are hard to integrate into computing systems, requiring extensive changes in the operating system of the computer or device. One company to develop such a device was Alacritech.

Debugging

A packet sniffer, which intercepts TCP traffic on a network link, can be useful in debugging networks, network stacks and applications that use TCP by showing the user what packets are passing through a link. Some networking stacks support the SO_DEBUG socket option, which can be enabled on the socket using setsockopt. That option dumps all the packets, TCP states, and events on that socket, which is helpful in debugging. Netstat is another utility that can be used for debugging.

Alternatives

For many applications TCP is not appropriate. One problem (at least with normal implementations) is that the application cannot access the packets coming after a lost packet until the retransmitted copy of the lost packet is received. This causes problems for real-time applications such as streaming media, real-time multiplayer games and voice over IP (VoIP) where it is generally more useful to get most of the data in a timely fashion than it is to get all of the data in order.

For both historical and performance reasons, most storage area networks (SANs) prefer to use Fibre Channel protocol (FCP) instead of TCP/IP.

Also, for embedded systems, network booting, and servers that serve simple requests from huge numbers of clients (e.g. DNS servers) the complexity of TCP can be a problem. Finally, some tricks such as transmitting data between two hosts that are both behind NAT (using STUN or similar systems) are far simpler without a relatively complex protocol like TCP in the way.

Generally, where TCP is unsuitable, the User Datagram Protocol (UDP) is used. This provides the application multiplexing and checksums that TCP does, but does not handle streams or retransmission, giving the application developer the ability to code them in a way suitable for the situation, or to replace them with other methods like forward error correction or interpolation.

Stream Control Transmission Protocol (SCTP) is another IP protocol that provides reliable stream oriented services similar to TCP. It is newer and considerably more complex than TCP, and has not yet seen widespread deployment. However, it is especially designed to be used in situations where reliability and near-real-time considerations are important.

Venturi Transport Protocol (VTP) is a patented proprietary protocol that is designed to replace TCP transparently to overcome perceived inefficiencies related to wireless data transport.

TCP also has issues in high bandwidth environments. The TCP congestion avoidance algorithm works very well for ad-hoc environments where the data sender is not known in advance, but if the environment is predictable, a timing based protocol such as Asynchronous Transfer Mode (ATM) can avoid TCP's retransmits overhead.

Multipurpose Transaction Protocol (MTP/IP) is patented proprietary software that is designed to adaptively achieve high throughput and transaction performance in a wide variety of network conditions, particularly those where TCP is perceived to be inefficient.

Checksum computation

TCP checksum for IPv4

When TCP runs over IPv4, the method used to compute the checksum is defined in RFC 793:

The checksum field is the 16 bit one's complement of the one's complement sum of all 16-bit words in the header and text. If a segment contains an odd number of header and text octets to be checksummed, the last octet is padded on the right with zeros to form a 16-bit word for checksum purposes. The pad is not transmitted as part of the segment. While computing the checksum, the checksum field itself is replaced with zeros.

In other words, after appropriate padding, all 16-bit words are added using one's complement arithmetic. The sum is then bitwise complemented and inserted as the checksum field. A pseudo-header that mimics the IPv4 packet header used in the checksum computation is shown in the table below.

TCP pseudo-header for checksum computation (IPv4)

| Bit offset | Contents (bit positions within the 32-bit word) |
|---|---|
| 0 | Source address (0-31) |
| 32 | Destination address (0-31) |
| 64 | Zeros (0-7), Protocol (8-15), TCP length (16-31) |
| 96 | Source port (0-15), Destination port (16-31) |
| 128 | Sequence number (0-31) |
| 160 | Acknowledgement number (0-31) |
| 192 | Data offset (0-3), Reserved (4-7), Flags (8-15), Window (16-31) |
| 224 | Checksum (0-15), Urgent pointer (16-31) |
| 256 | Options (optional) |
| 256/288+ | Data |

The source and destination addresses are those of the IPv4 header. The protocol value is 6 for TCP (cf. List of IP protocol numbers). The TCP length field is the length of the TCP header and data (measured in octets).

TCP checksum for IPv6

When TCP runs over IPv6, the method used to compute the checksum is changed, as per RFC 2460:

Any transport or other upper-layer protocol that includes the addresses from the IP header in its checksum computation must be modified for use over IPv6, to include the 128-bit IPv6 addresses instead of 32-bit IPv4 addresses.

A pseudo-header that mimics the IPv6 header for computation of the checksum is shown below.

TCP pseudo-header for checksum computation (IPv6)

| Bit offset | Contents (bit positions within the 32-bit word) |
|---|---|
| 0, 32, 64, 96 | Source address |
| 128, 160, 192, 224 | Destination address |
| 256 | TCP length (0-31) |
| 288 | Zeros (0-23), Next header (24-31) |
| 320 | Source port (0-15), Destination port (16-31) |
| 352 | Sequence number (0-31) |
| 384 | Acknowledgement number (0-31) |
| 416 | Data offset (0-3), Reserved (4-7), Flags (8-15), Window (16-31) |
| 448 | Checksum (0-15), Urgent pointer (16-31) |
| 480 | Options (optional) |
| 480/512+ | Data |

• Source address: the one in the IPv6 header
• Destination address: the final destination; if the IPv6 packet doesn't contain a Routing header, TCP uses the destination address in the IPv6 header, otherwise, at the originating node, it uses the address in the last element of the Routing header, and, at the receiving node, it uses the destination address in the IPv6 header.
• TCP length: the length of the TCP header and data
• Next Header: the protocol value for TCP
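The checksum rules above, for both pseudo-headers, worked through as an added example that is not part of the original page. The function names, the documentation-range addresses and the sample segment are assumptions made for illustration; the segment has no TCP options and no IPv6 Routing header is involved.

```python
import ipaddress
import struct

TCP_PROTOCOL = 6  # protocol / Next Header value for TCP

def ones_complement_sum(data: bytes) -> int:
    """One's complement sum of all 16-bit words, end-around carry folded in."""
    if len(data) % 2:
        data += b"\x00"          # pad on the right; the pad is never transmitted
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, tcp_length: int) -> bytes:
    """Build the IPv4 (12-byte) or IPv6 (40-byte) pseudo-header."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination must be the same IP version")
    if s.version == 4:
        # addresses, zeros (8 bits), protocol (8 bits), TCP length (16 bits)
        return s.packed + d.packed + struct.pack("!BBH", 0, TCP_PROTOCOL, tcp_length)
    # addresses, TCP length (32 bits), zeros (24 bits), next header (8 bits)
    return s.packed + d.packed + struct.pack("!I3xB", tcp_length, TCP_PROTOCOL)

def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Checksum over pseudo-header + segment with the checksum field zeroed."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    covered = pseudo_header(src, dst, len(segment)) + zeroed
    return ~ones_complement_sum(covered) & 0xFFFF

def set_checksum(src: str, dst: str, segment: bytes) -> bytes:
    """Return the segment with its checksum field (bytes 16-17) filled in."""
    value = tcp_checksum(src, dst, segment)
    return segment[:16] + struct.pack("!H", value) + segment[18:]

def verify(src: str, dst: str, segment: bytes) -> bool:
    """Receiver check: summing everything, checksum included, gives 0xFFFF."""
    covered = pseudo_header(src, dst, len(segment)) + segment
    return ones_complement_sum(covered) == 0xFFFF

def build_segment(sport, dport, seq, ack, flags, window, payload=b""):
    """20-byte header without options (data offset 5), checksum left at zero."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         5 << 4, flags, window, 0, 0)
    return header + payload

# Constructed sample: a PSH+ACK segment with an odd-length payload.
RAW = build_segment(40000, 80, 2001, 5001, 0x18, 65535, b"hello")
V4 = set_checksum("192.0.2.10", "198.51.100.5", RAW)
V6 = set_checksum("2001:db8::10", "2001:db8::5", RAW)

if __name__ == "__main__":
    print("IPv4 checksum:", hex(struct.unpack("!H", V4[16:18])[0]))
    print("IPv6 checksum:", hex(struct.unpack("!H", V6[16:18])[0]))
```

Because the addresses are part of the sum, a segment replayed under a different source address fails `verify`. A capture taken on the sending host before the network adapter fills in the checksum can also fail it.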

Checksum offload

Many TCP/IP software stack implementations provide options to use hardware assistance to automatically compute the checksum in the network adapter prior to transmission onto the network or upon reception from the network for validation. This may relieve the OS from using precious CPU cycles calculating the checksum. Hence, overall network performance is increased.

This feature may cause packet analyzers detecting outbound network traffic upstream of the network adapter that are unaware or uncertain about the use of checksum offload to report invalid checksum in outbound packets.

?????????TCP !"# model???????????

In this lesson, you will learn how two TCP devices synchronize using the three-way handshake (3 way handshake) and what the three steps of a TCP three-way handshake are.

Before the sending device and the receiving device start the exchange of data, both devices need to be synchronized. During the TCP initialization process, the sending device and the receiving device exchange a few control packets for synchronization purposes. This exchange is known as a three-way handshake.

The three-way handshake begins with the initiator sending a TCP segment with the SYN control bit flag set.

TCP allows one side to establish a connection. The other side may either accept the connection or refuse it. If we consider this from the application layer point of view, the side that is establishing the connection is the client and the side waiting for a connection is the server.

TCP identifies two types of OPEN calls:

Active Open. In an Active Open call a device (client process) using TCP takes the active role and initiates the connection by sending a TCP SYN message to start the connection.

Passive Open. A passive OPEN can specify that the device (server process) is waiting for an active OPEN from a specific client. It does not generate any TCP message segment. The server processes listening for the clients are in Passive Open mode.

TCP Three-way Handshake

Step 1. Device A (Client) sends a TCP segment with SYN = 1, ACK = 0, ISN (Initial Sequence Number) = 2000.

The Active Open device (Device A) sends a segment with the SYN flag set to 1, ACK flag set to 0 and an Initial Sequence Number 2000 (For Example), which marks the beginning of the sequence numbers for data that device A will transmit. SYN is short for SYNchronize. The SYN flag announces an attempt to open a connection. The first byte transmitted to Device B will have the sequence number ISN+1.

Step 2. Device B (Server) receives Device A's TCP segment and returns a TCP segment with SYN = 1, ACK = 1, ISN = 5000 (Device B's Initial Sequence Number), Acknowledgment Number = 2001 (2000 + 1, the next sequence number Device B is expecting from Device A).

Step 3. Device A sends a TCP segment to Device B that acknowledges receipt of Device B's ISN, with flags set as SYN = 0, ACK = 1, Sequence number = 2001, Acknowledgment number = 5001 (5000 + 1, the next sequence number Device A is expecting from Device B).

This handshaking technique is referred to as the Three-way handshake or SYN, SYN-ACK, ACK.

After the three-way handshake, the connection is open and the participant computers start sending data using the sequence and acknowledge numbers.

You have learned what the TCP three-way handshake (3 way handshake) is, the three steps of a TCP three-way handshake and how two TCP devices synchronize.

In this lesson, you will learn the terms "TCP Window", "TCP Sliding Window" and how "TCP Sliding Window" works.

What is a TCP Window?

A TCP window is the amount of unacknowledged data a sender can send on a particular connection before it gets an acknowledgment back from the receiver that it has received some of the data.

TCP Sliding Window

The working of the TCP sliding window mechanism can be explained as below.

The sending device can send all packets within the TCP window size (as specified in the TCP header) without receiving an ACK, and should start a timeout timer for each of them.

The receiving device should acknowledge each packet it received, indicating the sequence number of the last well-received packet. After receiving the ACK from the receiving device, the sending device slides the window to the right side.

In this case, the sending device can send up to 5 TCP Segments without receiving an acknowledgement from the receiving device. After receiving the acknowledgement for Segment 1 from the receiving device, the sending device can slide its window one TCP Segment to the right side and the sending device can transmit segment 6 also.

If any TCP Segment is lost on its journey to the destination, the receiving device cannot acknowledge the sender. Consider that, during transmission, all other Segments reached the destination except Segment 3. The receiving device can acknowledge up to Segment 2. At the sending device, a timeout will occur and it will re-transmit the lost Segment 3. Now the receiving device has received all the Segments, since only Segment 3 was lost. Now the receiving device will send the ACK for Segment 5, because it has received all the Segments to Segment 5.

Acknowledgement (ACK) for Segment 5 assures the sender that the receiver has successfully received all the Segments up to 5.

TCP uses a byte level numbering system for communication. If the sequence number for a TCP segment at any instance was 5000 and the Segment carries 500 bytes, the sequence number for the next Segment will be 5000+500+1. That means a TCP segment only carries the sequence number of the first byte in the segment.

The Window size is expressed in number of bytes and is determined by the receiving device when the connection is established and can vary later. You might have noticed when transferring big files from one Windows machine to another, initially the time remaining calculation will show a large value and will come down later.

We have four categories in the above example.

1) Bytes already sent and acknowledged (upto Byte 20).
2) Bytes sent but not acknowledged (Bytes 21-24).
3) Bytes the receiver is ready to accept (Bytes 25-2<).
4) Bytes the receiver is not ready to accept (Byte 2= onwards).

The Send Window is the sum of Bytes sent but not acknowledged and Bytes the receiver is ready to accept (Usable Window).

A visual demo of the TCP Sliding Window mechanism can be viewed here.

In this lesson, you have learned what a TCP Window is, and how the TCP Sliding Window mechanism works.