1. TCP three-way handshake
The sender sends a packet with the SYN=1, ACK=0 flags set to the receiver, requesting a connection; this is the first handshake. If the receiver receives the request and allows the connection, it sends back a packet with SYN=1 and ACK=1 set, telling the sender that it may communicate and asking it to send a confirmation packet; this is the second handshake. Finally, the sender sends a packet with SYN=0 and ACK=1 to the receiver, telling it that the connection has been confirmed; this is the third handshake. After that, the TCP connection is established and communication begins.
2. Flag information in the TCP packet
*SYN: Synchronization flag
The Synchronize Sequence Numbers field is valid. This flag is only valid while a TCP connection is being established during the three-way handshake. It prompts the server side of the TCP connection to check the sequence number, which is the initial sequence number chosen by the side that opens the connection (usually the client). Here the TCP sequence number can be thought of as a 32-bit counter ranging from 0 to 4,294,967,295. Every byte of data exchanged over a TCP connection is sequenced. The sequence number field in the TCP header contains the sequence number of the first byte in the TCP segment.
*ACK: Acknowledgement flag
The Acknowledgement Number field is valid. Most of the time this flag bit is set. The acknowledgement number carried in the acknowledgement number field of the TCP header (w+1, Figure 1) is the next sequence number expected, and it indicates to the remote system that all data up to that point has been successfully received.
*RST: Reset flag
The reset flag is valid. It is used to reset the corresponding TCP connection.
*URG: Urgent flag
The urgent pointer field is valid. When the urgent flag is set,
*PSH: Push flag
When this flag is set, the receiver does not queue the data but passes it to the application as quickly as possible. The flag is always set when handling connections in interactive modes such as telnet or rlogin.
*FIN: Finish flag
A packet with this flag is used to end a TCP session, but the port stays open to receive subsequent data.
3. The role of several states of TCP in our analysis
In the TCP layer there is a FLAGS field with the following bits: SYN, FIN, ACK, PSH, RST and URG. The first five are useful in our day-to-day analysis. They mean the following: SYN establishes a connection, FIN closes the connection, ACK is a response, PSH indicates that DATA is being transferred, and RST resets the connection.

ACK may be used at the same time as SYN, FIN and so on; for example, SYN and ACK may both be 1, which represents the response after a connection request, whereas a lone SYN only represents a request to establish a connection. TCP's handshakes are expressed through such ACKs. SYN and FIN, however, will never both be 1, because the former means establishing a connection and the latter means tearing it down. RST usually appears after FIN has been set, indicating a connection reset.

Generally, when a FIN packet or an RST packet appears, we assume that the client has disconnected from the server. When a SYN and a SYN+ACK packet appear, we consider that the client has established a connection with the server. PSH=1 generally only appears in packets whose DATA content is non-empty, which means that PSH=1 indicates real TCP payload being carried. TCP connection establishment and connection closure are both done through a request-response pattern.
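As an added example (not part of the original text), the following Python builds constructed sample segments of the handshake described in sections 1 and 3, decodes the flag byte of the TCP header, and checks the w+1 acknowledgement rule from section 2; the port numbers, initial sequence numbers and the minimal 20-byte header layout are assumed sample values.

```python
import struct

# Bit values of the six classic flags in the TCP header's flags byte (RFC 793 layout).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = (("URG", URG), ("ACK", ACK), ("PSH", PSH), ("RST", RST), ("SYN", SYN), ("FIN", FIN))
SEQ_MASK = 0xFFFFFFFF  # sequence numbers are a 32-bit counter that wraps at 4,294,967,295

def seq_next(n):
    """Next sequence number, wrapping as the 32-bit counter does."""
    return (n + 1) & SEQ_MASK

def build_tcp_header(sport, dport, seq, ack, flags):
    """Constructed sample: minimal 20-byte header, data offset 5, checksum and urgent pointer zero."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)

def parse_tcp_header(raw):
    """Decode the fixed 20-byte part of a TCP header and name the flag bits that are set."""
    sport, dport, seq, ack, off_flags, _win, _csum, _urgp = struct.unpack("!HHIIHHHH", raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "header_len": (off_flags >> 12) * 4,
            "flags": {name for name, bit in FLAG_NAMES if off_flags & bit}}

def track_handshake(headers):
    """Return the state reached by a sequence of parsed segments, checking that each
    acknowledgement number equals the peer's SYN sequence number plus one (w+1 in the text)."""
    state, client_isn, server_isn = "CLOSED", None, None
    for h in headers:
        f = h["flags"]
        if "RST" in f or "FIN" in f:            # section 3: FIN or RST ends the connection
            return "CLOSED"
        if state == "CLOSED" and f == {"SYN"}:
            state, client_isn = "SYN_SENT", h["seq"]
        elif state == "SYN_SENT" and f == {"SYN", "ACK"} and h["ack"] == seq_next(client_isn):
            state, server_isn = "SYN_RECEIVED", h["seq"]
        elif state == "SYN_RECEIVED" and f == {"ACK"} and h["ack"] == seq_next(server_isn):
            state = "ESTABLISHED"
        elif state != "ESTABLISHED":            # wrong order or wrong acknowledgement number
            return "INVALID"
    return state

def demo_handshake(client_isn=1000, server_isn=5000):
    """Constructed three-way handshake followed by a PSH+ACK data segment."""
    raw = [build_tcp_header(40000, 80, client_isn, 0, SYN),
           build_tcp_header(80, 40000, server_isn, seq_next(client_isn), SYN | ACK),
           build_tcp_header(40000, 80, seq_next(client_isn), seq_next(server_isn), ACK),
           build_tcp_header(40000, 80, seq_next(client_isn), seq_next(server_isn), PSH | ACK)]
    return track_handshake(parse_tcp_header(r) for r in raw)
```

Passing a client initial sequence number of 0xFFFFFFFF shows the counter wrapping to 0 in the SYN+ACK, which the tracker still accepts.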