September 15, 2000

Introduction to TCP

Transport Control Protocol (TCP) is a reliable connection protocol that works similar to a telephone call. The two stations that use TCP must establish a mutual connection between them, then keep the two way conversation alive to insure full data connectivity.

Let's illustrate using the telephone call analogy. Once you place a call, the party you are calling hears the phone ringing, picks up the hand set and says hello (SYN). You then say hello (SYN ACK), the party you are calling then greets you (ACK), and the conversation starts.

Each time you or the party speaks, the other side periodically responds at times with a verbal queue such as "yes" or some sort of acknowledgement signaling that he or she understood what was said thus far (ACK). If you are going too fast, the party will ask you to slow down (window) or restate your information (retransmission).

Once the conversation ends, you say your good-bye (FIN), the other party says their good-bye (FIN ACK), and you hear the phone hang up (ACK).

TCP works in the same manner as a telephone call in order to keep the data flow reliable. However, the drawback is some overhead needed for acknowledgements and control. Instead of using telephone numbers to communicate between people, TCP uses port numbers to communicate between services running workstations.

There have been many RFCs written about this protocol, the most basic are RFC 793, 761, and 675.

This tutorial spans 88 frames, however not all the frames will have commentary. Some FTP commands will be shown but the underlying TCP functionality, windowing and sequencing will be our main focus.

The first frame shows the FTP client sending a control frame to the FTP server. The control connection port number is 1183, making the data connection port number 21. The port number 1184 (FTP command) is calculated in the FTP header. You will understand where these port numbers fit in the whole scheme of things as you follow this trace.

Frame Source Address Dest. Address  Summary
    1 [192.168.10.4] [192.168.10.5] FTP: C PORT=1183 
                                    PORT 192,168,10,4,4,160

Did you catch the port command string in the FTP header?

[PORT 192,168,10,4,4,160]

This will define the TCP file transfer connection port number. The first four comma-delimited numbers represent the IP address. This is where it gets interesting: The last 2 numbers (4, 160) are numbers inserted in a simple equation calculating the data connection port number that will be used to transfer the requested file.

4 x 256 + 160 = 1184. Watch for port 1184 in the next few frames.

In frame 2, the FTP server responds back with a Port Command Okay in the FTP header and a source port of 21 in the TCP header. The RFC standard port number for FTP is 21.

Frame Source Address Dest. Address  Summary
    2 [192.168.10.5] [192.168.10.4] FTP: R PORT=21   
                                    200 Port command okay.

Now the FTP client sends a file retrieve message in the FTP header to the FTP server - "RETR ftpfile.txt".

Frame Source Address Dest. Address  Summary
    3 [192.168.10.4] [192.168.10.5] FTP: C PORT=1183   
                                    RETR ftpfile.txt

The next frame is sent by the FTP server, initiating the file transfer. The server sends this message in its FTP header: "Sending "/ftpfile.txt" (72436 bytes). Mode STREAM Type ASCII NO-PRINT."

The file is being sent in ASCII mode, it's 72,436 bytes long and is using the STREAM mode utilized by UNIX systems. Note the port numbers in the TCP header, 21 and 1183, this is how TCP keeps track of each connection.

Frame Source Address Dest. Address  Summary
    4 [192.168.10.5] [192.168.10.4] FTP: R PORT=21   
                                    150 Sending "/ftpfile.txt"
                                    (72436 bytes).
                                    Mode STREAM Type ASCII NO-PRINT.

Frame 5 is also sent by the FTP server, but this is where the fun begins. TCP has now taken over the file transfer session by initiating the new port number, thus identifying a separate connection. FTP data port number 20 is usually used for data transfers, but is not being used here. Ports 1184 and 1045 are used. We know where the 1184 came from, that's the data connection port number calculated in frame 1. But where does port 1045 come from? Why isn't port 20 used? In this example, port 20 is already being used by another connection, so the server assigns and substitutes port 20 to a new connection port number (1045).

A timing algorithm generates the Initial sequence number (5010870). This number will be incremented as the frames are transferred between the server and the client. This number is to create a starting point where the sending and receiving nodes can keep track of missing frames for retransmission. The initial sequence number field in the TCP header is shown when the SYN bit is set to 1, afterwards it disappears from the TCP header.

The Next Expected Sequence number is (5010871). Notice it's one increment greater than the Initial sequence number. Since the SYN bit set to 1 is considered data, the Next Expected Sequence number is incremented by 1. Sequence numbers are incremented by the amount of data they hold within the frame, as you'll see later.

Note the MSS (Maximum Segment Size) field of 1460 in the TCP header. This is a TCP negotiation that takes place in the first few frames of the TCP handshake or call-setup process. This dictates the largest amount of data that TCP will send in a single frame. MSS only appears when the SYN bit is set to 1. The segment size cannot be larger than the MTU (Maximum Transfer Unit).

The SACK option can be found in RFC 1072. SACK is a mechanism that quickly handles multiple dropped windows.

Frame Source Address Dest. Address  Summary
    5 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045 SYN
                                    SEQ=5010870 LEN=0 WIN=8192

The next frame is a SYN frame from the FTP client. Note the MSS field, it remained the same. In this case, both machines agree to use the same maximum data size. If one of these machines were connected through a different network topology (such as a dial-up line), the MSS number may be different.

The acknowledgement number in the TCP header (5010871) corresponds to the Next Expected Sequence number from frame 5, indicating that this is the next sequential frame. Since this is the second Synchronization (SYN) frame connecting the TCP call, the FTP client sends it's own Initial Sequence Number (3374583) as well.

Since IP frames traverse multiple routers, switches, or hubs, a frame can arrive out of sequence. This sequential numbering scheme keeps the frames aligned for re-assembly on the other side of the conversation. To insure data continuity, TCP is in charge of fragmenting frames going out and sequentially re-assembling the frames coming in.

Frame Source Address Dest. Address  Summary
    6 [192.168.10.4] [192.168.10.5] TCP: D=1045 S=1184 SYN 
                                    ACK=5010871 SEQ=3374583 LEN=0 WIN=8760

Sequence numbers not only insure data continuity, but also double as byte counters. The sequence numbers are incremented by the number of bytes within the data portion of the frame.

In frame 7, the FTP server sends this standard acknowledgement frame back to the FTP client. This acknowledges the Next Expected Sequence Number, 3374584. Note that this specific sequence number (3374584) belongs to the FTP client. A second sequence number belongs to the FTP server, as shown below (5010871).

Keep in mind that we're seven frames into this trace, and no file data has been sent yet.

Frame Source Address Dest. Address  Summary
    7 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     
                                    ACK=3374584 WIN=8760

And now the TCP sequence number dance begins, as the previous frame's Next Expected Sequence number (5010871) becomes the sequence number of the next frame.

This is also where the first frame of data is being sent to the FTP client with 1460 bytes of data, as indicated at the end of the TCP header. This makes the Next Expected Sequence number increment appropriately.

The Next Expected Sequence Number jumps to 5012331 from 5010871, which results in 1460 increments (the number of bytes contained within this packet). Note also that the acknowledgement number, 3374584, didn't change. Why not? That's because the acknowledgement number the FTP client. If the FTP client sends data back to the FTP server, this number will increment upward. Because the FTP client is the recipient of data and only sends standard acknowledgement frames (containing no data), this number remains the same throughout.

The FTP server sends this frame with the data.

Frame Source Address Dest. Address  Summary
    8 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584 
                                    SEQ=5010871 LEN=1460 WIN=8760

Now the FTP server sends another frame with 588 Bytes of data. Notice the acknowledgement number 3374584, it still hasn't changed. However the Next Expected Sequence Number is incremented by 588 and the Sequence Number of this frame (5012331) matches the Next Expected Sequence Number of the previous frame. This is how TCP sequencing works.

Frame Source Address Dest. Address  Summary
    9 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584 
                                    SEQ=5012331 LEN=588 WIN=8760

The acknowledgement number (5012919) in frame 10 sent by the FTP client is different - it matches the Next Expected Sequence Number in the previous frame! Remember, the previous frames containing data were sent by the FTP server and were not acknowledged by the FTP client (except for this next frame, which is a standard acknowledgement frame).

Wait a minute! If TCP is supposed to acknowledge each frame, why was the frame before this one not acknowledged by the FTP client? You've just experienced the WINDOWING MECHANISM at work. Later frames will show one acknowledgement frame per 5 data frames sent by the FTP server. This is done for network efficiency, reducing control overhead.

Also, note the Window size (8760). This number changes or 'slides' depending on the free space that each machine has for packet buffers at each socket. A socket is known as a connection which comprises of an IP address and a corresponding port number, i.e., 192.168.10.4: 1184.

Frame Source Address Dest. Address  Summary
   10 [192.168.10.4] [192.168.10.5] TCP: D=1045 S=1184     
                                    ACK=5012919 WIN=8760

Now that the previous two frames were acknowledged by the FTP client, this next frame sent by the FTP server contains even more data. The server sends 1460 bytes of data, which dictates the Next Expected Sequence Number (5014379). TCP will send 3 frames of data containing 1460 bytes each. This is where the window gets smaller.

Have you ever noticed that when you download a file, the bytes per second counter steadily increases? This is a direct result of the TCP windowing mechanism.

Let's skip to frame 14 to the next acknowledgement sent by the FTP client as these next 3 frames contain data sent to the client by the FTP server.

Frame Source Address Dest. Address  Summary
   11 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584 
                                    SEQ=5012919 LEN=1460 WIN=8760
   12 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584 
                                    SEQ=5014379 LEN=1460 WIN=8760
   13 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584 
                                    SEQ=5015839 LEN=1460 WIN=8760

Three frames of data have been sent by the FTP server. Now, the FTP client acknowledges these frames by sending a standard acknowledgement frame back to the FTP server.

Remember, the windowing mechanism uses the Window field in the TCP header to determine how much data the receiver can accept at one time. This dictates the window size. You can note this number in this next frame.

Acknowledgement frames control the flow of data, and the throttle is dictated by the packet buffer at the receiving end. As you will see, this packet buffer gets full because FTP is sending a lot of data at one time and is not being handled fast enough by the receiving end. The receiving end has to pull back on the throttle by sending a smaller window size in the TCP header.

Look at the frame below and then jump ahead to packets 33 and 34.

Frame Source Address Dest. Address  Summary
   14 [192.168.10.4] [192.168.10.5] TCP: D=1045 S=1184     ACK=5017299
                                    WIN=8760
   15 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5017299 LEN=1460 WIN=8760
   16 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5018759 LEN=1460 WIN=8760
   17 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5020219 LEN=1460 WIN=8760
   18 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5021679 LEN=1460 WIN=8760
   19 [192.168.10.4] [192.168.10.5] TCP: D=1045 S=1184     
                                    ACK=5023139 WIN=7300
   20 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5023139 LEN=1460 WIN=8760
   21 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5024599 LEN=1460 WIN=8760
   22 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5026059 LEN=1196 WIN=8760
   23 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5027255 LEN=1460 WIN=8760
   24 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5028715 LEN=588 WIN=8760
   25 [192.168.10.4] [192.168.10.5] TCP: D=1045 S=1184     ACK=5029303
                                    WIN=1136
   26 [192.168.10.4] [192.168.10.5] TCP: D=1045 S=1184     ACK=5029303
                                    WIN=8760
   27 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5029303 LEN=1460 WIN=8760
   28 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5030763 LEN=1460 WIN=8760
   29 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5032223 LEN=1460 WIN=8760
   30 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045 ACK=3374584
                                    SEQ=5033683 LEN=1460 WIN=8760
   31 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5035143 LEN=1460 WIN=8760
   32 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5036603 LEN=1460 WIN=8760

This frame (33) sent by the FTP client which acknowledges frame 29, indicates a full buffer, and halts the data transfer. The FTP server thinks there were frames lost and waits to see what happens next. Note the acknowledgement number in the TCP header of this packet (5032223). This was the sequence number of frame 29, not frame 32. Also, notice the Window size of 5840.

Frame Source Address Dest. Address  Summary
   33 [192.168.10.4] [192.168.10.5] TCP: D=1045 S=1184     ACK=5032223
                                    WIN=5840

The next frame (34) is also sent by the FTP client. This frame acknowledges the last frame of data (Frame 32) with the acknowledgement number of 5038063. HOWEVER, note the Window size in this frame, 0!

What does this mean? The FTP client is saying STOP THE TRANSMISSION, I CAN'T HANDLE ANY MORE! The FTP server now patiently waits for another frame from the FTP client in order to continue.

Frame Source Address Dest. Address  Summary
   34 [192.168.10.4] [192.168.10.5] TCP: D=1045 S=1184     ACK=5038063
                                    WIN=0

The next frame is also sent by the FTP client. This frame contains a suitable window size. This indicates to the FTP server, which is waiting to send more data, that it is okay to start sending more data frames. In other words, this standard acknowledgement frame signals the FTP server that everything is clear. The window size is back to 8760, SEND AT FULL THROTTLE.

Frame Source Address Dest. Address  Summary
   35 [192.168.10.4] [192.168.10.5] TCP: D=1045 S=1184     ACK=5038063
                                    WIN=8760

The FTP server replies in kind, and sends data again as seen in frame 36.

To make things even more interesting, the network connection was pulled to simulate a connection break. You can see this in frame 55.

Frame Source Address Dest. Address  Summary
   36 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5038063 LEN=1460 WIN=8760
   37 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5039523 LEN=1460 WIN=8760
   38 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5040983 LEN=1460 WIN=8760
   39 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5042443 LEN=1460 WIN=8760
   40 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5043903 LEN=1460 WIN=8760
   41 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5045363 LEN=1460 WIN=8760
   42 [192.168.10.4] [192.168.10.5] TCP: D=1045 S=1184     ACK=5046823
                                    WIN=0
   43 [192.168.10.4] [192.168.10.5] TCP: D=21 S=1183       ACK=4966456
                                    WIN=8506
   44 [192.168.10.4] [192.168.10.5] TCP: D=1045 S=1184     ACK=5046823
                                    WIN=1460
   45 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5046823 LEN=1460 WIN=8760
   46 [192.168.10.4] [192.168.10.5] TCP: D=1045 S=1184     ACK=5048283
                                    WIN=8760
   47 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5048283 LEN=1460 WIN=8760
   48 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5049743 LEN=1460 WIN=8760
   49 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5051203 LEN=1460 WIN=8760
   50 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5052663 LEN=1460 WIN=8760
   51 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5054123 LEN=1460 WIN=8760
   52 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5055583 LEN=344 WIN=8760
   53 [192.168.10.4] [192.168.10.5] TCP: D=1045 S=1184     ACK=5055927
                                    WIN=1116
   54 [192.168.10.4] [192.168.10.5] TCP: D=1045 S=1184     ACK=5055927
                                    WIN=8760

The delta time of this frame is 18.5 seconds! Since this frame was sent after an acknowledgement from the FTP client, the FTP server is quiet and patiently waiting until it is connected to the network again to send this frame. Following this frame is another acknowledgement frame from the FTP client, then more frames from the FTP server.

Let's skip to frame 77.

Frame Source Address Dest. Address  Summary
   55 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5055927 LEN=1460 WIN=8760
   56 [192.168.10.4] [192.168.10.5] TCP: D=1045 S=1184     ACK=5057387
                                    WIN=8760
   57 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5057387 LEN=1460 WIN=8760
   58 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5058847 LEN=1460 WIN=8760
   59 [192.168.10.4] [192.168.10.5] TCP: D=1045 S=1184     ACK=5060307
                                    WIN=8760
   60 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5060307 LEN=1460 WIN=8760
   61 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5061767 LEN=1460 WIN=8760
   62 [192.168.10.4] [192.168.10.5] TCP: D=1045 S=1184     ACK=5063227
                                    WIN=8760
   63 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5063227 LEN=1460 WIN=8760
   64 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5064687 LEN=1460 WIN=8760
   65 [192.168.10.4] [192.168.10.5] TCP: D=1045 S=1184     ACK=5066147
                                    WIN=8760
   66 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5066147 LEN=1460 WIN=8760
   67 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5067607 LEN=1460 WIN=8760
   68 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5069067 LEN=1460 WIN=8760
   69 [192.168.10.4] [192.168.10.5] TCP: D=1045 S=1184     ACK=5070527
                                    WIN=8760
   70 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5070527 LEN=1460 WIN=8760
   71 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5071987 LEN=1460 WIN=8760
   72 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5073447  LEN=912 WIN=8760
   73 [192.168.10.4] [192.168.10.5] TCP: D=1045 S=1184     ACK=5074359
                                    WIN=8760
   74 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5074359 LEN=1460 WIN=8760
   75 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5075819 LEN=1460 WIN=8760
   76 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5077279 LEN=1460 WIN=8760

In frame 77, the FTP server signals through TCP connection 1183 that the file transfer has completed via FTP header message. The last few frames of data will be sent to the FTP client, then the connection will be torn down. Note the push flag (PSH) is set to 1, meaning that this is data to be handed up to the application and ultimately to the user's screen.

Frame Source Address Dest. Address  Summary
   77 [192.168.10.5] [192.168.10.4] FTP: R PORT=1183   
                                    226- Transfer finished
                                    successfully. Data connection closed.
DLC:  ----- DLC Header -----
DLC:
DLC:  Frame 77 arrived at  21:01:20.3152; frame size is 172 (00AC hex)
DLC:     bytes.
DLC:  Destination = Station NGC   031731
DLC:  Source      = Station 3Com7 5E7A3E
DLC:  Ethertype   = 0800 (IP)
DLC:
IP: ----- IP Header -----
IP:
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP:       000. ....   = routine
IP:       ...0 ....   = normal delay
IP:       .... 0...   = normal throughput
IP:       .... .0.. = normal reliability
IP: Total length    = 158 bytes
IP: Identification  = 24837
IP: Flags           = 4X
IP:       .1.. .... = don't fragment
IP:       ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live    = 128 seconds/hops
IP: Protocol        = 6 (TCP)
IP: Header checksum = 03FB (correct)
IP: Source address      = [192.168.10.5]
IP: Destination address = [192.168.10.4]
IP: No options
IP:
TCP: ----- TCP header -----
TCP:
TCP: Source port             = 21 (FTP)
TCP: Destination port        = 1183
TCP: Sequence number         = 4966456
TCP: Next expected Seq number= 4966574
TCP: Acknowledgment number   = 3329981
TCP: Data offset             = 20 bytes
TCP: Flags                   = 18
TCP:               ..0. .... = (No urgent pointer)
TCP:               ...1 .... = Acknowledgment
TCP:               .... 1... = Push
TCP:               .... .0.. = (No reset)
TCP:               .... ..0. = (No SYN)
TCP:               .... ...0 = (No FIN)
TCP: Window                  = 8695
TCP: Checksum                = D3F8 (correct)
TCP: No TCP options
TCP: [118 Bytes of data]
TCP:
FTP: ----- File Transfer Data Protocol -----
FTP:
FTP: Line  1:  226- Transfer finished successfully. Data connection closed.
FTP:
FTP: Line  2: 226 UL: 0 DL: 9 Ratio: 0:0 Credit: unlimited *disabled
FTP:

In frame 77, you'll see many TCP flags or fields. Thus far, you have seen six fields in the TCP header, right after the Flags field. The flags field is basically a counter for the flags beneath. Let's briefly go through each one.

The Urgent (URG) field tells the recipient of the frame that urgent data is contained within the frame and that it must reach the application at once. This is usually sent when a user initiates an interrupt command, like CTRL-C.

The Acknowledgement (ACK) field signals an acknowledgement of a previous frame.

The Push (PSH) field tells the recipient that it does not want the data to remain in the buffer waiting for another segment of data, but to hand over the data to the application at the time of arrival. It indicates that the data within the frame is in its entirety and not segmented.

The Reset (RST) field is sent when a connection request arrives and no process is listening on the destination port. Usually, this is sent with an end of file or by the user hitting a control key to end a session. This can also indicate that there are limited resources at the other end of the connection, and the connection cannot be supported any longer.

The Synchronize (SYN) field is a request to initiate a connection.

Finally, the Finish (FIN) field is a request to close a connection.

Speaking of closing connections, let's skip to frame 83 to see this actually occur.

Frame Source Address Dest. Address  Summary
   78 [192.168.10.4] [192.168.10.5] TCP: D=1045 S=1184     ACK=5078739
                                    WIN=8760
   79 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5078739 LEN=1460 WIN=8760
   80 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5080199 LEN=1460 WIN=8760
   81 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5081659 LEN=1460 WIN=8760
   82 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374584
                                    SEQ=5083119 LEN=188 WIN=8760


Once the last frame of data arrives to its destination (the FTP client), the client acknowledges the last frame by sending a standard acknowledgement frame with the acknowledgement number 5083307. This matches the previous frame's Next Expected Sequence number. This confirms that all of the data has successfully been transmitted, and now the connection can be torn down.

Remember, each opened connection takes up a certain amount of system resources, so it's important to close the connection once the transaction is completed.

Frame Source Address Dest. Address  Summary
   83 [192.168.10.4] [192.168.10.5] TCP: D=1045 S=1184     ACK=5083307
                                    WIN=8572

Frame 84 is sent by the FTP server and has the FIN bit set to 1. This begins the connection tear-down of port 1045. Remember, port 1045 was substituted as the FTP control port 20 by the FTP application.

Frame Source Address Dest. Address  Summary
   84 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045 FIN ACK=3374584
                                    SEQ=5083307 LEN=0 WIN=8760

The FTP client now acknowledges the previous FIN frame with a standard TCP acknowledgement frame.

Frame Source Address Dest. Address  Summary
   85 [192.168.10.4] [192.168.10.5] TCP: D=1045 S=1184     ACK=5083308
                                    WIN=8572

The FTP client sends another frame to the FTP server with the FIN bit set to 1, acknowledging the close of the TCP connection.

Frame Source Address Dest. Address  Summary
   86 [192.168.10.4] [192.168.10.5] TCP: D=1045 S=1184 FIN ACK=5083308
                                    SEQ=3374584 LEN=0 WIN=8572

As a final acknowledgement, the FTP server sends a standard TCP acknowledgement back to the FTP client, effectively closing the connection. This last acknowledgement frame is sent as a verification that resources are now available for other connections. If this frame was not sent, the FIN, FIN, ACK (connection tear-down) sequence will have to start again.

Frame Source Address Dest. Address  Summary
   87 [192.168.10.5] [192.168.10.4] TCP: D=1184 S=1045     ACK=3374585
                                    WIN=8760

The last frame is sent by the FTP client as an acknowledgement of frame 77, which contained FTP data for the user stating that the file transfer was completed.

Frame Source Address Dest. Address  Summary
   88 [192.168.10.4] [192.168.10.5] TCP: D=21 S=1183       ACK=4966574
                                    WIN=8388

With this introduction to TCP, you should now be able to look at any network trace and watch the conversations between workstations. Good luck, and good analysis!

Download the trace file for this tutorial!
Uncompressed ENC (Sniffer) Ethernet Format
Sniffer Technologies CAP Format

Posted by james_messer at September 15, 2000 07:25 PM



Comments
Post a comment

Thanks for signing in, . Now you can comment. (sign out)

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)


Remember me?