TCP Details

  1. Stateful Protocol
  2. TCP Section Analysis
    1. First: Packet transmission time delta (not in section)
      1. If there is a significant delta between SYN and SYN-ACK packets, you're closer to the client
      2. If there is an insignificant delta between SYN and SYN-ACK packets, you're closer to the server
        1. The delay would be between the SYN-ACK and ACK
    2. Source/Destination ports
    3. Stream Index
      1. Identifies the conversation stream
      2. Helpful if multiple TCP conversations going on at once
    4. Conversation Completeness
      1. Tracks which handshakes the conversation has received (SYN, SYN-ACK, FIN, etc.)
      2. A "complete" conversation has everything
    5. Segment length
      1. How much data is encapped in the packet
    6. Sequence/Acknowledgement numbers
      1. First number is the ISN (Initial Sequence Number)
        1. Usually totally random and very large
        2. Wireshark converts the raw ISN to be a relative ISN
          1. e.g., 234908572139847589234 = 1
      2. The Sequence number is the one generated by the sender
      3. The Acknowledgement number is the sequence number the sender predicts it will receive in the host's next packet
        1. The next bit is called a ghost bit
        2. Subsequent numbers are based off the TCP Segment Length
          1. [image: S9 - Practical TCP Analysis-1.png]
          2. Confirms receipt of all sent bytes
          3. [image: S9 - Practical TCP Analysis-2.png]
    7. Flags
      1. The first 4 flags (Reserved, Accurate ECN/Nonce, Congestion Window Reduced, ECN-Echo, and Urgent) are not often used
      2. The last 5 flags (Acknowledgement, Push, Reset, Syn, and Fin) are frequently used
        1. Ack: Once established, basically every packet will have an ACK flag
        2. Push: Sending data that should be processed quickly
          1. It's the end of a block, should be sent out the door quickly, etc.
        3. Reset/Fin: Used to close a conversation
        4. Syn: Used to initiate a conversation (SYN, SYN/ACK)
    8. Window Size
      1. The amount of data that can be received at once
      2. Think of it like a receive buffer
        1. If one host sends more data than the other can receive, it causes congestion and issues
      3. 2-byte value
        1. Absolute highest value is 65535 bytes
        2. Not ideal for modern networks
        3. TCP Options attempt to fix this
    9. TCP Options are exchanged in the SYN packets
      1. Maximum Segment Size (MSS): An advertised value in bytes
        1. Not negotiated, just an advertisement
      2. Window scale: Allows the sender to multiply the Window Size value by a certain amount
        1. Can increase window size up to 1 gigabyte
      3. SACK (Selective Acknowledgement): Allows acknowledgement of non-contiguous data blocks
        1. Both sides must support
    10. Closing TCP Connections
      1. Two ways to shut down
        1. Fin: A clean shutdown
        2. Reset: An abortive release
          1. During scans, the target commonly sends a reset in response to connection requests on ports it is not listening on
            1. When scan requests hit open ports, you'll often see SYN, SYN-ACK, ACK, RST
            2. For scans that hit closed ports, you'll often see SYN, then RST immediately from the target host
          2. If the scan is blocked by a firewall, there won't be any response
      2. A reset can also indicate that an application crashed, that nothing happened for too long, that a session ended unexpectedly, etc.
        1. Not necessarily bad on their own, but a lot of them, or people complaining about disconnected sessions, can indicate a problem
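An added Python example (not from these notes, and not Wireshark's own code) that reproduces the Conversation Completeness idea from section 2.4 and the handshake outcomes listed under Closing TCP Connections: it groups packets into conversations, labels each one from the flags seen (complete with FIN close, complete with RST close, SYN answered by RST, SYN never answered), and tallies verdicts per source host so a burst of closed-port and unanswered probes from one address stands out. The packet records, IP addresses and ports are constructed for the example.

```python
# Constructed packets (not a capture): (src_ip, src_port, dst_ip, dst_port, flags)
SAMPLE_PACKETS = [
    ("10.0.0.5", 40001, "10.0.0.10", 80, "SYN"),
    ("10.0.0.10", 80, "10.0.0.5", 40001, "SYN-ACK"),
    ("10.0.0.5", 40001, "10.0.0.10", 80, "ACK"),
    ("10.0.0.5", 40001, "10.0.0.10", 80, "RST"),        # open port: SYN, SYN-ACK, ACK, RST
    ("10.0.0.5", 40002, "10.0.0.10", 23, "SYN"),
    ("10.0.0.10", 23, "10.0.0.5", 40002, "RST-ACK"),    # closed port: SYN then RST from target
    ("10.0.0.5", 40003, "10.0.0.10", 445, "SYN"),       # filtered: no response at all
    ("10.0.0.7", 51000, "10.0.0.10", 443, "SYN"),
    ("10.0.0.10", 443, "10.0.0.7", 51000, "SYN-ACK"),
    ("10.0.0.7", 51000, "10.0.0.10", 443, "ACK"),
    ("10.0.0.7", 51000, "10.0.0.10", 443, "FIN-ACK"),   # normal session with clean FIN close
    ("10.0.0.10", 443, "10.0.0.7", 51000, "FIN-ACK"),
    ("10.0.0.7", 51000, "10.0.0.10", 443, "ACK"),
]


def group_conversations(packets):
    """Key each packet by its endpoint pair; the first packet's sender is the initiator (C)."""
    conversations = {}
    for src, sport, dst, dport, flags in packets:
        key = tuple(sorted([(src, sport), (dst, dport)]))  # same key for both directions
        entry = conversations.setdefault(key, {"initiator": (src, sport), "events": []})
        direction = "C" if (src, sport) == entry["initiator"] else "S"
        entry["events"].append((direction, set(flags.split("-"))))
    return conversations


def classify(events):
    """Completeness verdict from the flags seen, in the spirit of the Conversation Completeness column."""
    syn = any(d == "C" and f == {"SYN"} for d, f in events)
    synack = any(d == "S" and f == {"SYN", "ACK"} for d, f in events)
    ack = any(d == "C" and "ACK" in f and "SYN" not in f for d, f in events)
    rst = any("RST" in f for _, f in events)
    server_rst = any(d == "S" and "RST" in f for d, f in events)
    fin = any("FIN" in f for _, f in events)
    if syn and synack and ack:
        if fin:
            return "complete: handshake + FIN close"
        if rst:
            return "complete: handshake + RST close"
        return "established, still open"
    if syn and server_rst and not synack:
        return "SYN -> RST: closed port"
    if syn and len(events) == 1:
        return "SYN unanswered: filtered or host down"
    return "incomplete"


def scan_summary(packets):
    """Per initiating host: how many conversations ended with each verdict."""
    summary = {}
    for conv in group_conversations(packets).values():
        src = conv["initiator"][0]
        verdict = classify(conv["events"])
        summary.setdefault(src, {}).setdefault(verdict, 0)
        summary[src][verdict] += 1
    return summary


if __name__ == "__main__":
    for src, verdicts in scan_summary(SAMPLE_PACKETS).items():
        print(src, verdicts)
```

A host whose summary is dominated by "SYN -> RST" and "SYN unanswered" verdicts across many ports matches the scan pattern in the notes; one FIN-closed session from another host is just normal traffic.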
  3. TCP Troubleshooting
    1. Convenient Columns to track TCP packet sequence and receipt
      1. TCP Segment length
      2. Relative Sequence Number
      3. Ack number
      4. [image: S9 - Practical TCP Analysis-2.png]
        1. Since the client acknowledgement doesn't include new data, its Seq number doesn't change
    2. Dropped TCP Packets
      1. tcp.analysis.flags are Wireshark analysis flags saying that something is missing
      2. Big chunk of missing packets
        1. [image: S9 - Practical TCP Analysis-3.png]
        2. Missing data between sequence numbers 1047438 and 1095618
          1. There are 48,180 missing bytes; divide by the maximum segment size (1460) to get 33 packets (32 missing packets plus the last received packet)
        3. Client sends a block of Dup ACKs, which tells the sender which packets it needs to retransmit
          1. The Duplicate Acknowledgement number points at the last good packet before the missing chunk
          2. In TCP Options, under Selective ACK (SACK), the missing data is described
            1. Provides the left edge (first missing packet) and right edge (first packet received after the missing packets)
        4. When looking for the retransmission, check the "Next Sequence Number" or add the TCP Length to the last good Seq number
          1. [image: S9 - Practical TCP Analysis-4.png]
        5. Sometimes Wireshark tracks retransmissions as "Out-of-order"
      3. When you see a lot of packets missing in a row, it can imply a router buffer issue
        1. When it's spottier, it can be a link-layer issue
    3. TCP Keep-Alive Packets
      1. TCP will send keep-alive packets after a set period of inactivity
        1. Keep-alive packets roll the sequence number back by one, add a single byte to the length, and are basically checking with the stateful partner whether it still has an established connection
        2. Example:
          1. Client sends data to HTTP server, with a next-SEQ number of 1496.
          2. Server responds quickly with ACK of 1496
          3. After 45 seconds of inactivity, the client sends a TCP Keep-Alive by decrementing the next-SEQ by 1 to 1495 and adding a ghost byte
          4. Server responds quickly with ACK of 1496, indicating the connection is still alive, but the service has not responded yet
        3. [image: TCP Details-2.png]
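An added Python example, not taken from these notes or from Wireshark, that does the bookkeeping from sections 2.6 (relative sequence/acknowledgement numbers and next sequence number), 3.2 (gap size in bytes and MSS-sized packets, duplicate ACKs with SACK edges, retransmissions) and 3.3 (keep-alive detection) over one constructed TCP stream. The raw ISNs, segment lengths and the lost segment are constructed; the gap helper is also checked against the notes' own numbers (1047438 to 1095618 with MSS 1460).

```python
import math

MSS = 1460  # maximum segment size assumed for the constructed stream

# Constructed segments (not a capture): (direction, raw_seq, raw_ack, payload_len, flags, sack_blocks)
# direction "C" = client -> server, "S" = server -> client; sack_blocks hold raw (left, right) edges
CLIENT_ISN = 3_344_556_677
SERVER_ISN = 1_122_334_455
SAMPLE_STREAM = [
    ("C", CLIENT_ISN, 0, 0, {"SYN"}, []),
    ("S", SERVER_ISN, CLIENT_ISN + 1, 0, {"SYN", "ACK"}, []),
    ("C", CLIENT_ISN + 1, SERVER_ISN + 1, 0, {"ACK"}, []),
    ("C", CLIENT_ISN + 1, SERVER_ISN + 1, 1495, {"ACK", "PSH"}, []),          # request: next seq 1496
    ("S", SERVER_ISN + 1, CLIENT_ISN + 1496, 0, {"ACK"}, []),
    ("S", SERVER_ISN + 1, CLIENT_ISN + 1496, MSS, {"ACK"}, []),               # response segment 1
    ("C", CLIENT_ISN + 1496, SERVER_ISN + 1 + MSS, 0, {"ACK"}, []),
    # response segment 2 (relative seq 1461) is lost in transit; segment 3 arrives first
    ("S", SERVER_ISN + 1 + 2 * MSS, CLIENT_ISN + 1496, MSS, {"ACK"}, []),
    ("C", CLIENT_ISN + 1496, SERVER_ISN + 1 + MSS, 0, {"ACK"},
     [(SERVER_ISN + 1 + 2 * MSS, SERVER_ISN + 1 + 3 * MSS)]),                 # dup ACK + SACK
    ("C", CLIENT_ISN + 1496, SERVER_ISN + 1 + MSS, 0, {"ACK"},
     [(SERVER_ISN + 1 + 2 * MSS, SERVER_ISN + 1 + 3 * MSS)]),
    ("S", SERVER_ISN + 1 + MSS, CLIENT_ISN + 1496, MSS, {"ACK"}, []),         # retransmission of segment 2
    ("C", CLIENT_ISN + 1496, SERVER_ISN + 1 + 3 * MSS, 0, {"ACK"}, []),
    # after 45 s idle: keep-alive at next seq - 1 carrying one ghost byte
    ("C", CLIENT_ISN + 1495, SERVER_ISN + 1 + 3 * MSS, 1, {"ACK"}, []),
    ("S", SERVER_ISN + 1 + 3 * MSS, CLIENT_ISN + 1496, 0, {"ACK"}, []),
]


def missing_segments(last_good_next, received_seq, mss=MSS):
    """Bytes missing between the expected next seq and the seq that arrived,
    and how many MSS-sized segments that gap spans."""
    gap = received_seq - last_good_next
    return gap, math.ceil(gap / mss)


def analyze_stream(segments, mss=MSS):
    """Annotate each segment with relative numbers and Wireshark-style analysis notes."""
    isn, expected_next, last_seq_ack, dup_count = {}, {}, {}, {}
    last_was_keepalive = {"C": False, "S": False}
    rows = []
    summary = {"gaps": [], "dup_acks": 0, "retransmissions": 0, "keep_alives": 0}
    for d, seq, ack, length, flags, sack in segments:
        other = "S" if d == "C" else "C"
        if "SYN" in flags:
            isn[d] = seq                      # raw ISN becomes relative 0
        rseq = seq - isn[d]
        rack = ack - isn[other] if other in isn else 0
        next_seq = rseq + length + (1 if flags & {"SYN", "FIN"} else 0)  # SYN/FIN consume one number
        notes, keepalive = [], False
        exp = expected_next.get(d)
        if exp is not None:
            if rseq == exp - 1 and length <= 1 and not flags & {"SYN", "FIN"}:
                keepalive = True              # seq rolled back one, at most one ghost byte
                notes.append("keep-alive")
                summary["keep_alives"] += 1
            elif rseq > exp:                  # bytes skipped: something was lost or reordered
                gap_bytes, gap_segs = missing_segments(exp, rseq, mss)
                notes.append(f"gap: {gap_bytes} bytes ({gap_segs} x MSS) between {exp} and {rseq}")
                summary["gaps"].append((exp, rseq, gap_bytes, gap_segs))
            elif rseq < exp and length > 0:   # data we were already past
                notes.append("retransmission / out-of-order")
                summary["retransmissions"] += 1
        if length == 0 and not flags & {"SYN", "FIN"}:
            if last_was_keepalive[other]:
                notes.append("keep-alive ACK")
            elif last_seq_ack.get(d) == (rseq, rack):   # same seq and ack as before, no data
                dup_count[d] = dup_count.get(d, 0) + 1
                summary["dup_acks"] += 1
                notes.append(f"dup ACK #{dup_count[d]} for {rack}")
                for left, right in sack:
                    notes.append(f"SACK {left - isn[other]}-{right - isn[other]}")
            else:
                dup_count[d] = 0
        expected_next[d] = max(exp or 0, next_seq)
        last_seq_ack[d] = (rseq, rack)
        last_was_keepalive[d] = keepalive
        rows.append({"dir": d, "seq": rseq, "ack": rack, "len": length, "next_seq": next_seq, "notes": notes})
    return rows, summary


if __name__ == "__main__":
    rows, summary = analyze_stream(SAMPLE_STREAM)
    for i, r in enumerate(rows):
        print(i, r["dir"], "seq", r["seq"], "ack", r["ack"], "len", r["len"], "next", r["next_seq"], r["notes"])
    print(summary)
    print("notes' gap:", missing_segments(1047438, 1095618))
```

The columns printed per row are the ones the notes suggest tracking (segment length, relative sequence number, ack number, next sequence number); the keep-alive reply is labelled separately so it is not miscounted as a duplicate ACK.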