date: “2016-12-01” draft: false title: “TCP”
TCP provides reliable, ordered, and error-checked delivery of a stream of bytes between applications running on hosts communicating by an IP network.
TCP Headers
```
byte 0               1               2               3               4
bits  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   0 |          Source Port          |       Destination Port        |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   4 |                        Sequence Number                        |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   8 |                     Acknowledgment Number                     |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |  Data |       |C|E|U|A|P|R|S|F|                               |
  12 | Offset| Rsrvd.|W|C|R|C|S|S|Y|I|            Window             |
     |       |       |R|E|G|K|H|T|N|N|                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  16 |           Checksum            |        Urgent Pointer         |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  20 |                    Options                    |    Padding    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  24 |                             data                              |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
```
TCP header length is 20 bytes plus options (up to 40 bytes)
TODO Header Descriptions
| Bytes | Field | Description |
|---|---|---|
| tcp[todo] | Source Port | Sender’s port number (Ephemeral Ports) |
| tcp[todo] | Destination Port | Port number of the receiver |
| tcp[todo] | Sequence Number | Has two roles: |
| tcp[todo] | Acknowledgement Number | If the ACK flag is set then the value of this field is the next sequence number that the receiver is expecting. A SYN packet should have this set to 0. |
| tcp[todo] | Reserved | For future use and should be set to zero. Note: RFC 3168 (The Addition of Explicit Congestion Notification (ECN) to IP) has taken two bits from the Reserved field and added them to the flags field. |
| tcp[todo] | TCP Flags | In bit order (8 to 1): CWR, ECE, URG, ACK, PSH, RST, SYN, FIN. Note: More information available in Resources. |
| tcp[todo] | Window | Size of the receive window. This is the number of bytes that the sender is currently willing to receive. Details: For more efficient use of high bandwidth networks, a larger TCP window size may be used (through the window scale option). The TCP window size field controls the flow of data and its value is limited to between 2 and 65,535 bytes. Access the TCP header reference from the Resources section for a complete description of the Window field. |
| tcp[todo] | Checksum | 16-bit checksum used for error checking |
| tcp[todo] | Urgent Pointer | If the URG flag is set, then this 16-bit field is an offset from the sequence number indicating the last urgent data byte. |
| See Below | TCP Options | Can be between 0-320 bits in length. Must be a multiple of a 32-bit word. Data offset field adjusted appropriately. Options have up to three fields: |
TCP Options
| Name | Type | Length (b) | Value | Packet |
|---|---|---|---|---|
| End of list | 0 | 1 | n/a | |
| NOP | 1 | 1 | n/a | |
| Max Segmt Size (MSS) | 2 | 4 | Segment Size (2b) | SYN |
| Window Scale | 3 | 3 | Scale (1b) | SYN |
| SACK OK | 4 | 2 | n/a | SYN |
| SACK | 5 | 10,18,26, or 34 | Selective ACK begin / end pointers | |
| Timestamp | 8 | 10 | time,echo (4b each) | |
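
As an added example (not code from the original page), this Python parser decodes the header fields and walks the option list described in the two tables above, rejecting invalid data offsets and option lengths. The function names and the sample SYN segment are constructed for this example.

```python
import struct

# Flag names in the page's bit order (bit 8 down to bit 1)
FLAGS = ["CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"]
# Option types from the TCP Options table
OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WScale", 4: "SACK-OK", 5: "SACK", 8: "Timestamp"}

def parse_options(raw):
    """Walk the type/length/value option list; raise ValueError on bad lengths."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:            # End of list: remaining bytes are padding
            break
        if kind == 1:            # NOP is a single byte with no length field
            opts.append(("NOP", b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option truncated before its length byte")
        length = raw[i + 1]
        # Length includes the type and length bytes; <2 would stall or run backwards
        if length < 2 or i + length > len(raw):
            raise ValueError(f"bad length {length} for option type {kind}")
        opts.append((OPTION_NAMES.get(kind, f"type-{kind}"), raw[i + 2:i + length]))
        i += length
    return opts

def parse_tcp(segment):
    """Decode the fixed 20-byte header, then options up to the data offset."""
    if len(segment) < 20:
        raise ValueError("shorter than the 20-byte fixed header")
    sport, dport, seq, ack, off_rsv, flags, window, csum, urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    hdr_len = (off_rsv >> 4) * 4         # data offset counts 32-bit words
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError(f"invalid data offset ({hdr_len} bytes)")
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "header_len": hdr_len, "window": window, "checksum": csum, "urgent": urg,
        "flags": [n for bit, n in zip(range(7, -1, -1), FLAGS) if flags >> bit & 1],
        "options": parse_options(segment[20:hdr_len]),
        "payload": segment[hdr_len:],
    }

# Constructed sample: SYN 49152 -> 443 with MSS 1460, NOP, WScale 7, NOP, NOP, SACK-OK
SYN = bytes.fromhex("c00001bb" "00000001" "00000000" "8002ffff" "00000000"
                    "020405b4" "01" "030307" "0101" "0402")
```

Calling `parse_tcp(SYN)` returns a dict of the decoded fields; a segment whose option length byte is 0 or 1, or whose data offset points past the end of the buffer, raises `ValueError` instead of being parsed.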
TCP Example Packets
- tcp[TODO]- connection start, step 1 of TWHS (SYN)
- tcp[TODO]- server responses, step 2 of TWHS (SYN+ACK)
- tcp[TODO]- , step 3 of TWHS (ACK)
TCP BPF Shortcuts
| BPF Shortcut Syntax | Description |
|---|---|
| port p | packet is IPv4/v6, tcp or udp, and has a source or destination port of p |
| dst port p | packet is IPv4/v6, tcp or udp, and has a destination port of p |
| src port p | packet is IPv4/v6, tcp or udp, and has a source port of p |
| tcp port p | packet is IPv4/v6, tcp, and has a source or destination port of p |
| tcp dst port p | packet is IPv4/v6, tcp, and has a destination port of p |
| tcp src port p | packet is IPv4/v6, tcp, and has a source port of p |
| tcp | abbreviation for: ip proto tcp |
TCP State machine
TODO: Three way handshake description
