Tuesday, August 23, 2011

TCP/IP: The Three-way handshake

Every TCP connection starts with a procedure called the three-way handshake. Here I'm going to illustrate the process for future reference --- for myself.

[Figure: three-way-handshake]

Here the client is shown as the active participant and the server as the passive participant, because the client initiates (active) a connection to a server which waits (passive) for connections on a particular port.
The three-way handshake is done in the following steps:

  1. The client sends a SYN packet to the server indicating that it wants to set up a TCP connection. It also sends its ISN (Initial Sequence Number). Here the ISN is x.
  2. If the server is 'alive', listening on the requested port and able to accept an incoming connection, it replies with its own SYN + ACK packet. It sends its own ISN (Initial Sequence Number) for this connection, y, and acknowledges the client's request by sending back the client's ISN + 1 as the acknowledgement number (x + 1).
  3. Finally, after receiving the server's SYN + ACK response, the client sends back an ACK packet with an acknowledgement number of the server's ISN + 1 (y + 1).
Now this is all theory! Let's see whether we can observe a real TCP connection and identify the three-way handshake in it. We'll be using tcpdump to observe the process. The command used to capture the TCP communication is:

tcpdump -n -S -t

Here,
  -n  don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
  -S  print absolute, rather than relative, TCP sequence numbers.
  -t  don't print timestamp.

192.168.1.12.1051 > 192.168.1.11.23: S 4255483971:4255483971(0) win 65535 <mss 1460> (DF)
192.168.1.11.23 > 192.168.1.12.1051: S 4279842714:4279842714(0) ack 4255483972 win 32120 <mss 1460> (DF)
192.168.1.12.1051 > 192.168.1.11.23: . ack 4279842715 win 65535 (DF)

  1. First line: someone on the client (192.168.1.12) is connecting to port 23 (telnet) of the server (192.168.1.11). We can see that the SYN flag is set (S), followed by:
    4255483971:4255483971(0)

    Here, 4255483971 (= x) is the ISN (Initial Sequence Number) and it appears twice, separated by ':', because there's no payload (the 0 in parentheses indicates this).

    win 65535 indicates that the client has a buffer that can hold 65535 bytes.

    mss 1460 indicates that the network on which the client exists can accept a maximum of 1460 bytes of payload in a single packet. mss stands for maximum segment size.

    (DF) requests that the packet shouldn't be fragmented.

    Interesting fact: though the client has a buffer that can accept 65535 bytes of data, the network cannot accept more than 1460 bytes of payload in a single packet.
  2. Second line: the server replies with a SYN and ACK flagged packet. It also sends its ISN (4279842714 = y) and an acknowledgement number of the client's ISN + 1 (= 4255483972).

    The server's window size is 32120 and its maximum segment size is 1460.
  3. Third line: the client sends back an acknowledgement packet with an acknowledgement number of 4279842715 (server's ISN + 1 = 4279842715).

    Note that this packet has no flag set ('.' indicates that no flags were set).
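As an added example (not code from the original post), here is a small Python checker that parses tcpdump lines in the format shown above and verifies the handshake: the flags of each packet, the direction it flows in, and that each acknowledgement number is the other side's ISN + 1 (modulo 2^32, since sequence numbers wrap). The sample capture is constructed from the three lines above, and the regular expression is an assumption covering only this older tcpdump -n -S -t output style.

```python
import re

# Constructed sample reproducing the three packets shown in the post
# (tcpdump -n -S -t output: absolute sequence numbers, no timestamps).
HANDSHAKE_CAPTURE = [
    "192.168.1.12.1051 > 192.168.1.11.23: S 4255483971:4255483971(0) win 65535 <mss 1460> (DF)",
    "192.168.1.11.23 > 192.168.1.12.1051: S 4279842714:4279842714(0) ack 4255483972 win 32120 <mss 1460> (DF)",
    "192.168.1.12.1051 > 192.168.1.11.23: . ack 4279842715 win 65535 (DF)",
]

# Assumed line shape: "src > dst: FLAGS [seq:end(len)] [ack N] win W ..."
LINE_RE = re.compile(
    r"^(?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<flags>[SFRP.]+)"
    r"(?: (?P<seq>\d+):\d+\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)
SEQ_MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

def parse_line(line):
    """Split one tcpdump line into endpoints, flags, seq, ack and window."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("unrecognised tcpdump line: %r" % line)
    g = m.groupdict()
    return {
        "src": g["src"], "dst": g["dst"], "flags": g["flags"],
        "seq": int(g["seq"]) if g["seq"] is not None else None,
        "ack": int(g["ack"]) if g["ack"] is not None else None,
        "win": int(g["win"]),
    }

def expected_ack(pkt):
    """Acknowledgement number that must answer pkt's ISN: ISN + 1 mod 2**32."""
    return None if pkt["seq"] is None else (pkt["seq"] + 1) % SEQ_MOD

def check_handshake(lines):
    """Return (True, 'ok') if the first three lines form a valid three-way
    handshake, otherwise (False, reason) naming the first failed check."""
    syn, synack, ack = (parse_line(l) for l in lines[:3])
    client, server = syn["src"], syn["dst"]
    checks = [
        (syn["flags"] == "S" and syn["ack"] is None, "first packet is not a bare SYN"),
        (synack["flags"] == "S" and synack["ack"] is not None, "second packet is not SYN+ACK"),
        ((synack["src"], synack["dst"]) == (server, client), "SYN+ACK does not flow server -> client"),
        (synack["ack"] == expected_ack(syn), "server ack is not client ISN + 1"),
        (ack["flags"] == "." and ack["ack"] is not None, "third packet is not a plain ACK"),
        ((ack["src"], ack["dst"]) == (client, server), "final ACK does not flow client -> server"),
        (ack["ack"] == expected_ack(synack), "client ack is not server ISN + 1"),
    ]
    failed = next((reason for ok, reason in checks if not ok), None)
    return failed is None, (failed or "ok")
```

Running check_handshake(HANDSHAKE_CAPTURE) on the post's capture returns (True, 'ok'); changing any ack by one makes it report which ISN + 1 relation broke.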
Thanks to:
http://www.reocities.com/jchakma/TCPIP/ThreeWayHandshake.html
