TCP - The handshake
3 way handshake
TCP is a streaming protocol
SYN packet - synchronize the sequence numbers. The number is incremented by the number of bytes sent/received.
[stream index] - unique conversation four-tuple
[conversation completeness] - how much of the entire conversation Wireshark captured.
sequence number (raw) - Random number sent by client/server to count data transmission.
[sequence number] (relative) - Wireshark will zero-out the sequence number to make it easier to track the conversation back and forth.
SYN, ACK
This is where the server will acknowledge receiving the client SYN with an ACK and then send its own sequence number to the client.
ACK
The client will acknowledge the server's SYN and complete the three-way handshake.
How TCP Flags work
Flags tell us the function of the packet.
Most important flags:
- Acknowledgement (ACK) - set on every segment after the initial SYN, to acknowledge data received
- Push (PSH) - means the receiver should send this packet to the application layer right away.
- Reset (RST) - when we are done with the connection, close it immediately.
- Syn (SYN) - when we open the connection
- Fin (FIN) - close the connection properly
TCP options
During the handshake a client will advertise its capabilities using options. The options used depend on the operating system.
- Selective Acknowledgement (SACK) - allows selective acknowledgement of data.
- Window scale - The TCP window value, also known as the receive window, is a key component of TCP's flow control mechanism. It's a value in the TCP header that tells a sending device how much data (in bytes) it can send before it must wait for an acknowledgment (ACK) from the receiving device. The window scale is the multiplier used to increase the window size. This lets the sender keep more data in flight, which is useful on high-latency links.
[Calculated window size] - Wireshark calculates the final window value for us.
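As an added example (not from the original notes), the following Python decodes the flags and handshake options described above from a raw TCP header and reproduces Wireshark's [Calculated window size]. The SYN segment it parses is constructed here: the ports, ISN, window value and option values are made up for the example, and the checksum is left as zero.

```python
import struct

# Bits of the TCP flags field (low byte of the data-offset/flags word)
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

def parse_options(raw):
    """Walk the TCP options area and decode the handshake options the notes mention."""
    opts = {}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # End of option list
            break
        if kind == 1:                       # NOP padding
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length")
        body = raw[i + 2:i + length]
        if kind == 2 and len(body) == 2:    # Maximum Segment Size
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:  # Window scale: shift count (multiplier is 2**shift)
            opts["window_scale"] = body[0]
        elif kind == 4:                     # SACK permitted
            opts["sack_permitted"] = True
        else:
            opts[f"kind_{kind}"] = body
        i += length
    return opts

def parse_tcp_header(segment):
    """Decode the fixed 20-byte header plus options; returns a dict of fields."""
    if len(segment) < 20:
        raise ValueError("shorter than the fixed TCP header")
    (src, dst, seq, ack, off_flags,
     window, checksum, urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4     # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("invalid data offset")
    flag_bits = off_flags & 0x01FF
    flags = [name for name, bit in FLAG_BITS.items() if flag_bits & bit]
    return {
        "src_port": src, "dst_port": dst,
        "seq_raw": seq, "ack_raw": ack,
        "flags": flags, "window": window,
        "options": parse_options(segment[20:data_offset]),
        "payload": segment[data_offset:],
    }

def calculated_window(window, shift, is_syn):
    """Wireshark's [Calculated window size]: the scale factor applies to every
    segment except the SYN / SYN-ACK that advertised it."""
    return window if is_syn else window << shift

# Constructed client SYN (made-up values): MSS, NOP, window scale 7, NOP NOP, SACK permitted
SYN_OPTIONS = (b"\x02\x04\x05\xb4"      # MSS 1460
               + b"\x01"                # NOP
               + b"\x03\x03\x07"        # window scale, shift 7 (x128)
               + b"\x01\x01"            # NOP NOP
               + b"\x04\x02")           # SACK permitted
DATA_OFFSET_WORDS = 5 + len(SYN_OPTIONS) // 4   # 20 fixed + 12 option bytes = 8 words
SYN_SEGMENT = struct.pack("!HHIIHHHH",
                          51000, 443,                              # src / dst port
                          0x12345678, 0,                           # raw ISN, ack (unused on a bare SYN)
                          (DATA_OFFSET_WORDS << 12) | FLAG_BITS["SYN"],
                          64240, 0, 0) + SYN_OPTIONS               # window, checksum (not computed), urgent

if __name__ == "__main__":
    hdr = parse_tcp_header(SYN_SEGMENT)
    print("flags:", hdr["flags"], "options:", hdr["options"])
    shift = hdr["options"]["window_scale"]
    print("window on the SYN itself:", calculated_window(hdr["window"], shift, True))
    print("calculated window on later segments:", calculated_window(hdr["window"], shift, False))
```

Note the caveat the last function encodes: the scale shift is negotiated on the SYN but does not apply to the SYN's own window field, which is why Wireshark shows the raw value there and the multiplied value from the third packet onwards.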
How sequence and Acknowledgement numbers work
Initial handshake
- client sends sequence number [SYN]
- server receives sequence number and adds +1 to it. It sends an acknowledgement of the sequence number it received and also sends its own sequence number to the client [SYN, ACK]
- client receives the acknowledgement of its sequence number and the server's sequence number. Sends the server's sequence number back +1 [ACK]
Both client and server are now ready to communicate.
The sequence numbers will now be incremented by the segment length, i.e. the size of the data being sent (not the frame length).
Ack number = sequence number + segment length
Scenario - Slow application Response Time
- Look for slow applications
- What is the delta time between the first SYN and the SYN, ACK response? This is your initial network round trip time. You can use this value as a rough benchmark for your analysis going forward.
- You can also look at the RTT to ACK segment value
- Also look at the Time since previous frame in this TCP stream value.
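The following Python is an added example (not part of the original notes) that works through both the sequence/acknowledgement arithmetic above and the slow-application scenario on a constructed capture. The stream is invented for the example: the raw ISNs, timings and payload sizes are made up, with the server deliberately taking half a second to answer the client's request. It reproduces Wireshark's relative numbering, checks that every ACK equals sequence number + segment length (+1 for SYN/FIN), computes the SYN to SYN/ACK round trip time as the benchmark, and finds the largest "time since previous frame" gap.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    time: float        # capture timestamp (seconds)
    src: str           # "client" or "server"
    flags: frozenset   # TCP flags set on the segment
    seq: int           # raw sequence number
    ack: int           # raw acknowledgement number
    length: int        # TCP payload length (segment length, not frame length)

def peer(side):
    return "server" if side == "client" else "client"

def next_expected(seg):
    """Sequence number the peer should ACK next: SYN and FIN each consume
    one sequence number even though they carry no payload."""
    return seg.seq + seg.length + ("SYN" in seg.flags) + ("FIN" in seg.flags)

def relative_view(stream):
    """Mimic Wireshark's relative numbering: each side's ISN (from its SYN)
    becomes 0. Also reports the time since the previous frame in this stream."""
    isn, rows, prev = {}, [], None
    for seg in stream:
        if "SYN" in seg.flags:
            isn[seg.src] = seg.seq
        rel_seq = seg.seq - isn[seg.src]
        rel_ack = seg.ack - isn[peer(seg.src)] if "ACK" in seg.flags else 0
        rows.append({"src": seg.src, "flags": sorted(seg.flags),
                     "rel_seq": rel_seq, "rel_ack": rel_ack, "len": seg.length,
                     "delta": 0.0 if prev is None else seg.time - prev})
        prev = seg.time
    return rows

def verify_acks(stream):
    """Return indices of segments whose ACK number does not equal the highest
    seq + segment length (+1 for SYN/FIN) seen so far from the other side."""
    expected = {"client": None, "server": None}
    bad = []
    for i, seg in enumerate(stream):
        if "ACK" in seg.flags and seg.ack != expected[peer(seg.src)]:
            bad.append(i)
        nxt = next_expected(seg)
        if expected[seg.src] is None or nxt > expected[seg.src]:
            expected[seg.src] = nxt
    return bad

def handshake_rtt(stream):
    """Delta between the first SYN and the SYN/ACK: the initial network RTT."""
    syn = next(s for s in stream if "SYN" in s.flags and "ACK" not in s.flags)
    synack = next(s for s in stream if {"SYN", "ACK"} <= s.flags)
    return synack.time - syn.time

def largest_gap(stream):
    """Frame index and size of the biggest 'time since previous frame' gap."""
    rows = relative_view(stream)
    i = max(range(len(rows)), key=lambda k: rows[k]["delta"])
    return i, rows[i]["delta"]

# Constructed capture (not a real trace): ISNs, timings and sizes are made up.
C, S = "client", "server"
STREAM = [
    Segment(0.000000, C, frozenset({"SYN"}),        3_000_000_000, 0,             0),
    Segment(0.025000, S, frozenset({"SYN", "ACK"}), 1_500_000_000, 3_000_000_001, 0),
    Segment(0.025100, C, frozenset({"ACK"}),        3_000_000_001, 1_500_000_001, 0),
    Segment(0.025300, C, frozenset({"PSH", "ACK"}), 3_000_000_001, 1_500_000_001, 120),  # request
    Segment(0.025400, S, frozenset({"ACK"}),        1_500_000_001, 3_000_000_121, 0),
    Segment(0.525400, S, frozenset({"PSH", "ACK"}), 1_500_000_001, 3_000_000_121, 900),  # slow reply
    Segment(0.525500, C, frozenset({"ACK"}),        3_000_000_121, 1_500_000_901, 0),
]

if __name__ == "__main__":
    for i, r in enumerate(relative_view(STREAM)):
        print(f"{i} {r['src']:6} {'/'.join(r['flags']):8} seq={r['rel_seq']:4} "
              f"ack={r['rel_ack']:4} len={r['len']:4} delta={r['delta']:.4f}s")
    print("bad ACKs:", verify_acks(STREAM))
    print(f"handshake RTT benchmark: {handshake_rtt(STREAM):.4f}s")
    idx, gap = largest_gap(STREAM)
    print(f"largest gap: {gap:.4f}s before frame {idx}")
```

Reading the output the way the scenario suggests: the handshake RTT (25 ms) is the network's contribution, so a 500 ms gap before the server's data segment, with the server's bare ACK having arrived promptly, points at the application rather than the network.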
Scenario - Network Latency