HakTip 126 – Wireshark 101: Transmission Control Protocol
This week on HakTip, Shannon Morse explains the Transmission Control Protocol (or TCP) within Wireshark.
Today we are breaking down the Transmission Control Protocol or TCP for short, which runs in Layer 4 of the OSI model and runs on top of IP. TCP basically makes sure your data gets to where it’s supposed to go in a reliable way. Consider that IP is the pizza, and TCP is the pizza delivery guy (or girl), she ensures your pizza gets to you on time.
Let’s check out a TCP Header Packet. The first part will be the Source Port, used to transmit the packet, then you have the Destination Port which is the port to where the packet will be transmitted. Next up is the Sequence Number. This ensures that part of the data stream isn’t missing from the whole packet. It identifies the TCP segment. The Acknowledgment Number is the sequence # for the next packet. Flags can include URG, ACH, PSH, RST, SYN, and FIN for type of TCP packet. Window Size is the size of the TCP receiver buffer in bytes. Checksum ensures the contacts are intact and legit. Urgent Pointer is if the URG flag is there, this part will give extra instructions about where the CPU should begin reading data in the packet. And options are extra info.
Let’s take a look at a TCP Packet header so we can point these out.
TCP works by transmitting data on ports, which range between 1-65,535. Ports 1-1023 are Standard Ports (like Port 80 for HTTP falls within this category), and ports 1024-65535 are ephemeral ports, which are randomly selected when a device needs to find an open port. Both the destination and the client need to know what port the other is listening on to be able to transmit data between them. Oftentimes, a source port will be chosen at random when TCP sends a packet.
TCP packets start with a handshake that ensures the host and destination are up and ready to communicate, checks the open port, and sends a sequence number so data stays in line. The host will send a SYN packet to the destination, the destination will send a SYN/ACK packet, then the Host will send an ACK packet back. During this handshake, the Sequence Number will go up by one each time.
The TCP Teardown is the last thing that happens between the two devices before their communication is over, and it’s signified by a FIN flag. The host sends the destination a FIN/ACK packet, then the destination sends the host an ACK packet, then a FIN/ACK, and the host responds with an ACK. Let’s see if we can find a teardown packet header.
Lastly, sometimes a TCP packet will need to send something called a RESET, or RST as it would be called in the Flag section. If a connection is halted all of a sudden by accident, the TCP packet will try to reset with this flag. This will halt all traffic during the sequence and close out the packet.
Let me know what you think. Send me a comment below or email us at [email protected]. And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.