Wireshark Basics – Complete Beginner to Advanced Guide
CHAPTER 07 Beginner

TCP Protocol Analysis

Updated: May 16, 2026

1. Introduction

The internet is inherently chaotic. Packets are dropped by faulty routers, delayed by congested cables, and arrive out of order. If you download a 1GB software update and a single byte is missing, the entire file is corrupted. How does the internet guarantee perfect, flawless data delivery across such a hostile environment? The answer is the Transmission Control Protocol (TCP). TCP is the heavy-duty, highly mathematical protocol responsible for reliability, error-checking, and guaranteed delivery. In this chapter, we will use Wireshark to dissect TCP. We will analyze the famous 3-Way Handshake, decode TCP Flags, and understand how Sequence Numbers ensure data integrity.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Identify and isolate a TCP conversation in Wireshark.
  • Explain the mechanics of the TCP 3-Way Handshake (SYN, SYN-ACK, ACK).
  • Decode the primary TCP Flags (SYN, ACK, FIN, RST, PSH).
  • Understand how Sequence and Acknowledgment numbers track data.
  • Analyze how TCP gracefully closes a connection.

3. Beginner-friendly Explanations

The Registered Mail System (TCP): Imagine you need to send a 500-page book to a friend, but you can only mail one page at a time.
  1. The Handshake: Before you send anything, you call your friend: *"Are you ready to receive a book?"* (SYN). Your friend replies: *"Yes, I am ready. Are you ready to send?"* (SYN-ACK). You reply: *"Yes, starting now."* (ACK).
  2. Sequence Numbers: You write a page number (Sequence Number 1) on the first letter and mail it.
  3. Acknowledgments: Your friend receives page 1. They text you: *"I got page 1. Please send page 2"* (ACK 2).
  4. Reliability: If you send page 5, but your friend texts you *"I got page 4, please send page 5"* again, you know page 5 was lost in the mail. You instantly print a new copy of page 5 and mail it again (Retransmission).

This meticulous, numbered, conversational tracking is exactly how TCP operates.

4. The TCP 3-Way Handshake

Every single TCP conversation (like loading a website) begins with the 3-Way Handshake. In Wireshark, if you filter for tcp.port == 443, you will see these three packets at the very top of each connection, provided the capture was already running when the connection was opened:
  1. Packet 1 (SYN): The Client sends a packet with the SYN flag turned on. (Syncing sequence numbers).
  2. Packet 2 (SYN, ACK): The Server replies with the SYN and ACK flags turned on. (I acknowledge your request, and I am syncing my numbers with you).
  3. Packet 3 (ACK): The Client replies with the ACK flag turned on. (I acknowledge your sync).

*The connection is now "Established." Data can flow.*

5. Decoding TCP Flags

If you expand the Transmission Control Protocol layer in the Wireshark Details pane, you will find the "Flags" section. These are literal 1s and 0s that control the state of the connection.
  • SYN (Synchronize): Used only during the initial handshake.
  • ACK (Acknowledgment): Used to confirm receipt of data. (Almost every packet after the first one has this flag set).
  • FIN (Finish): Used to politely, gracefully close the connection. Both sides say goodbye.
  • RST (Reset): The brutal "hang up the phone" flag. Used to instantly kill a connection, often when an error occurs or a firewall blocks traffic.
  • PSH (Push): Tells the receiving computer to process this data immediately instead of buffering it.

6. Sequence and Acknowledgment Numbers

TCP tracks data using bytes, not packets. If a Client sends 1,000 bytes of data, its Sequence (Seq) number is 1. The Server receives it. The Server sends a packet back with an Acknowledgment (Ack) number of 1001. The Server is mathematically telling the client: *"I successfully received up to byte 1000. The next byte I expect from you is byte 1001."* Wireshark calculates "Relative" Sequence numbers for you, making them start at 0, which makes reading the flow incredibly easy.

7. TCP Packet Flow Examples

*Visual Concept: The Handshake Staircase*

Imagine reading the Wireshark "Info" column. It looks like a staircase:

  Client -> Server: [SYN] Seq=0 Len=0
  Server -> Client: [SYN, ACK] Seq=0 Ack=1 Len=0
  Client -> Server: [ACK] Seq=1 Ack=1 Len=0
  Client -> Server: [PSH, ACK] Seq=1 Ack=1 Len=450 (HTTP GET Request)
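To make the staircase concrete, here is an added Python example (not part of the course material) that builds constructed TCP segments, decodes the flag bits from the header exactly as the Details pane does, and renders the Info column using Wireshark-style relative Seq/Ack numbers; the ports and initial sequence numbers are made up.

```python
import struct

# Flag bits in the low byte of the TCP offset/flags field, in the order Wireshark
# lists them in the Info column (CWR/ECE omitted for brevity).
FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]
FLAGS = {name: bit for name, bit in FLAG_BITS}

def build_segment(sport, dport, seq, ack, flags, payload=b""):
    """Constructed test data: a 20-byte TCP header (checksum left 0) plus payload."""
    off_flags = (5 << 12) | flags               # data offset = 5 words, no options
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 65535, 0, 0)
    return hdr + payload

def parse_tcp(raw):
    """Decode the header fields this chapter covers from a raw TCP segment."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    header_len = (off_flags >> 12) * 4          # data offset is in 32-bit words
    flags = [name for name, bit in FLAG_BITS if off_flags & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "len": len(raw) - header_len}

def info_column(segments):
    """Render each segment like Wireshark's Info column with relative Seq/Ack:
    each direction's ISN (the Seq of the first segment seen) is subtracted so
    numbering starts at 0, as Wireshark's 'Relative sequence numbers' does."""
    isn, lines = {}, []
    for raw in segments:
        s = parse_tcp(raw)
        fwd, rev = (s["sport"], s["dport"]), (s["dport"], s["sport"])
        isn.setdefault(fwd, s["seq"])           # remember this direction's ISN
        text = f"[{', '.join(s['flags'])}] Seq={s['seq'] - isn[fwd]}"
        if "ACK" in s["flags"]:                 # Ack is relative to the other side's ISN
            text += f" Ack={s['ack'] - isn[rev]}"
        lines.append(text + f" Len={s['len']}")
    return lines

C_ISN, S_ISN = 0x1A2B3C4D, 0x9F8E7D6C          # constructed initial sequence numbers
CLIENT, SERVER = 51234, 443                    # constructed ports
HANDSHAKE_AND_REQUEST = [
    build_segment(CLIENT, SERVER, C_ISN, 0, FLAGS["SYN"]),
    build_segment(SERVER, CLIENT, S_ISN, C_ISN + 1, FLAGS["SYN"] | FLAGS["ACK"]),
    build_segment(CLIENT, SERVER, C_ISN + 1, S_ISN + 1, FLAGS["ACK"]),
    build_segment(CLIENT, SERVER, C_ISN + 1, S_ISN + 1, FLAGS["PSH"] | FLAGS["ACK"], b"G" * 450),
    # Server acknowledges all 450 bytes: the next byte it expects is relative byte 451.
    build_segment(SERVER, CLIENT, S_ISN + 1, C_ISN + 1 + 450, FLAGS["ACK"]),
]

if __name__ == "__main__":
    for line in info_column(HANDSHAKE_AND_REQUEST):
        print(line)
```

The fifth segment shows the rule from the sequence-number section in miniature: 450 bytes sent starting at relative byte 1 are confirmed with Ack=451.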

8. Best Practices

  • Use Follow TCP Stream: Reading sequence numbers manually is exhausting. If you right-click on a TCP packet and select "Follow" -> "TCP Stream", Wireshark will strip away all the routing headers and show you the pure, combined payload data of the entire conversation in a pop-up window!

9. Common Mistakes

  • Ignoring RST Packets: Beginners often ignore packets with the RST (Reset) flag. A burst of RST packets is a massive red flag. It indicates that a server crashed mid-conversation, a firewall aggressively killed the connection, or a hacker is performing a stealth port scan on your network.

10. Mini Project: Isolate a Handshake

  1. Open Wireshark and start a capture.
  2. Open a browser and visit a website you haven't visited recently.
  3. Stop the capture.
  4. Type this exact filter into the display bar: tcp.flags.syn == 1
  5. Press Enter. You will only see the SYN and SYN-ACK packets! You have successfully filtered out all the noisy data to reveal only the foundational handshakes of the internet.

11. Practice Exercises

  1. Explain the purpose of the TCP 3-Way Handshake. Why can't a client just start sending data immediately?
  2. Differentiate between the polite closure of a connection using the FIN flag, and the aggressive termination of a connection using the RST flag.

12. MCQs with Answers

Question 1

In the TCP 3-Way Handshake, what is the correct sequence of flags exchanged between the Client and the Server?

Question 2

Which TCP mechanism is mathematically utilized by the receiving server to confirm to the sender exactly how many bytes of data have been successfully received without corruption?

13. Interview Questions

  • Q: Walk me through the mechanical steps of the TCP 3-Way Handshake. Include the state of the flags in all three packets.
  • Q: Explain how TCP guarantees reliable delivery. If a packet is lost in transit, how does the sender know to retransmit it?
  • Q: You are reviewing a Wireshark capture and notice a sudden, massive spike in packets containing the RST (Reset) flag. What network or security events could cause this behavior?

14. FAQs

Q: Why doesn't every single protocol use TCP if it guarantees delivery?

A: Because reliability comes at a massive cost to speed. The 3-Way Handshake takes time. Acknowledging every single packet takes time. Retransmitting lost packets stops the flow of data. For real-time applications where speed is more important than perfection (like a Skype call), the overhead of TCP makes the call unusable. We use a different protocol for that.

15. Summary

In Chapter 7, we dissected the engine of internet reliability: the Transmission Control Protocol (TCP). We autopsied the TCP header, decoding the critical Flags (SYN, ACK, FIN, RST) that govern the state machine of a connection. We mapped the famous 3-Way Handshake, understanding how client and server synchronize their state before data transmission begins. Furthermore, we explored how Sequence and Acknowledgment numbers create a mathematically perfect system for tracking bytes and triggering retransmissions for lost data.

16. Next Chapter Recommendation

TCP is heavy, slow, and reliable. What happens when we need a protocol that is lightweight, blindingly fast, and doesn't care if a packet gets lost? Proceed to Chapter 8: UDP Protocol Analysis.
