TCP packet

To analyze a network traffic you should understand before the behaviour of the traffic, how a connection is stablished, which packages are traveling through the network, kind of routing…. For that reason, you should know about:

OSI model (MANDATORY!!!). This is the framework of comunications. If you don’t understand this model…. 😦

Routing protocols. Depending of your necessity but protocols as RIP, EIGRP, OSPF, BGP, MPLS are used a lot.

Common ports ( DNS, HTTP,Telnet, FTP…..)

Subnetting. Have in mind the concepts and all kind of classes. There are a lot of subnet calculators that can help us but you  should know how it works.

Today I will explain a TCP packet.

TCP is a transport layer protocol used by applications that require guaranteed delivery.

MAC header IP header TCP header Data

TCP header:

Source Port. 16 bits.

Destination Port. 16 bits.

Sequence Number. 32 bits.
The sequence number of the first data byte in this segment. If the SYN bit is set, the sequence number is the initial sequence number and the first data byte is initial sequence number + 1.

Acknowledgment Number. 32 bits.
If the ACK bit is set, this field contains the value of the next sequence number the sender of the segment is expecting to receive. Once a connection is established this is always sent.

Data Offset. 4 bits.
The number of 32-bit words in the TCP header. This indicates where the data begins. The length of the TCP header is always a multiple of 32 bits.

reserved. 3 bits.
Must be cleared to zero.

ECN, Explicit Congestion Notification. 3 bits.
Added in RFC 3168.

00 01 02
<N C E

N, NS, Nonce Sum. 1 bit.
Added in RFC 3540. This is an optional field added to ECN intended to protect against accidental or malicious concealment of marked packets from the TCP sender.

C, CWR. 1 bit.

E, ECE, ECN-Echo. 1 bit.

Control Bits. 6 bits.

00 01 02 03 04 05

U, URG. 1 bit.
Urgent pointer valid flag.

A, ACK. 1 bit.
Acknowledgment number valid flag.

P, PSH. 1 bit.
Push flag.

R, RST. 1 bit.
Reset connection flag.

S, SYN. 1 bit.
Synchronize sequence numbers flag.

F, FIN. 1 bit.
End of data flag.

Window. 16 bits, unsigned.
The number of data bytes beginning with the one indicated in the acknowledgment field which the sender of this segment is willing to accept.

Checksum. 16 bits.
This is computed as the 16-bit one’s complement of the one’s complement sum of a pseudo header of information from the IP header, the TCP header, and the data, padded as needed with zero bytes at the end to make a multiple of two bytes. The pseudo header contains the following fields:

00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Source IP address
Destination IP address
0 IP Protocol Total length

Urgent Pointer. 16 bits, unsigned.
If the URG bit is set, this field points to the sequence number of the last byte in a sequence of urgent data.

Options. 0 to 40 bytes.
Options occupy space at the end of the TCP header. All options are included in the checksum. An option may begin on any byte boundary. The TCP header must be padded with zeros to make the header length a multiple of 32 bits.

Kind Length Description References
0 1 End of option list. RFC 793
1 1 No operation. RFC 793
2 4 MSS, Maximum Segment Size. RFC 793
3 3 WSOPT, Window scale factor. RFC 1323
4 2 SACK permitted. RFC 2018
5 Variable. SACK. RFC 2018, RFC 2883
6 6 Echo. (obsolete). RFC 1072
7 6 Echo reply. (obsolete). RFC 1072
8 10 TSOPT, Timestamp. RFC 1323
9 2 Partial Order Connection permitted. RFC 1693
10 3 Partial Order service profile. RFC 1693
11 6 CC, Connection Count. RFC 1644
12 6 CC.NEW RFC 1644
13 6 CC.ECHO RFC 1644
14 3 Alternate checksum request. RFC 1146
15 Variable. Alternate checksum data. RFC 1146
16 Skeeter.
17 Bubba.
18 3 Trailer Checksum Option.
19 18 MD5 signature. RFC 2385
20 SCPS Capabilities.
21 Selective Negative Acknowledgements.
22 Record Boundaries.
23 Corruption experienced.
24 SNAP.
26 TCP Compression Filter.
27 8 Quick-Start Response. RFC 4782
28 4 User Timeout. RFC 5482
29 TCP-AO, TCP Authentication Option.

  • 252
253 RFC3692-style Experiment 1. RFC 4727
254 RFC3692-style Experiment 2. RFC 4727

Data. Variable length.

TCP State machine:

State Description
CLOSE-WAIT Waits for a connection termination request from the remote host.
CLOSED Represents no connection state at all.
CLOSING Waits for a connection termination request acknowledgment from the remote host.
ESTABLISHED Represents an open connection, data received can be delivered to the user. The normal state for the data transfer phase of the connection.
FIN-WAIT-1 Waits for a connection termination request from the remote host or an acknowledgment of the connection termination request previously sent.
FIN-WAIT-2 Waits for a connection termination request from the remote host.
LAST-ACK Waits for an acknowledgment of the connection termination request previously sent to the remote host (which includes an acknowledgment of its connection termination request).
LISTEN Waits for a connection request from any remote TCP and port.
SYN-RECEIVED Waits for a confirming connection request acknowledgment after having both received and sent a connection request.
SYN-SENT Waits for a matching connection request after having sent a connection request.
TIME-WAIT Waits for enough time to pass to be sure the remote host received the acknowledgment of its connection termination request.