Preface

Although both TCP and UDP use the same network layer (IP), TCP provides a completely different service to the application layer than UDP does. TCP provides a connection-oriented, reliable byte-stream service. Connection-oriented means that two applications using TCP (typically a client and a server) must establish a TCP connection before exchanging data with each other. The process is very similar to making a phone call: you dial, wait for the other person to pick up and say “Hello”, and then explain who you are. This article explains the classic TCP process of establishing a connection (the so-called “three-way handshake”) and tearing it down (the so-called “four-way wave”).

TCP segment format

The following figure shows the format of a TCP segment:


Note the following fields in the figure:

(1) Sequence number (Seq): a 32-bit number that identifies the byte stream sent from the TCP source to the TCP destination. The initiator marks its byte stream with this number when sending data.

(2) Acknowledgement number (Ack): a 32-bit number. The acknowledgement number field is valid only when the ACK flag bit is set to 1. For the handshake and teardown segments discussed here, Ack = Seq + 1 (the peer's sequence number plus one).

(3) Flag bits: there are 6 flag bits in total, namely URG, ACK, PSH, RST, SYN and FIN. Their meanings are as follows:
(A) URG: the Urgent Pointer field is valid.
(B) ACK: the acknowledgement number is valid.
(C) PSH: the receiver should deliver this data to the application layer as soon as possible.
(D) RST: reset the connection.
(E) SYN: initiate a new connection.
(F) FIN: release a connection.

Note that:
(A) Do not confuse the acknowledgement number Ack with the ACK flag bit.
(B) The confirming party's Ack = the initiating party's Seq + 1; the two ends are paired in this way.
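The field layout described above can be checked against real bytes. The following Python script is an added example and is not part of the original article: it packs and parses the fixed 20-byte TCP header (the RFC 793 layout without options), decodes the six flag bits, and reports the acknowledgement number only when the ACK flag is set, which is exactly the validity rule given for the Ack field. The function names, the constructed sample segments and the sequence numbers J=1000 and K=5000 are the example's own assumptions.

```python
import struct

# Flag bit positions in the low 6 bits of the "data offset / reserved / flags" field (RFC 793).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
TCP_HEADER_FMT = "!HHIIHHHH"                       # network byte order, 20 bytes
TCP_HEADER_LEN = struct.calcsize(TCP_HEADER_FMT)   # 20


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Build a minimal 20-byte TCP header with no options.

    `flags` is an iterable of flag names such as {"SYN", "ACK"}.
    The checksum is left as 0: this is a constructed sample, not a transmittable segment.
    """
    flag_bits = 0
    for name in flags:
        flag_bits |= FLAG_BITS[name]
    data_offset_words = TCP_HEADER_LEN // 4        # header length in 32-bit words (5)
    off_flags = (data_offset_words << 12) | flag_bits
    return struct.pack(TCP_HEADER_FMT, src_port, dst_port, seq, ack,
                       off_flags, window, 0, 0)


def parse_tcp_header(segment):
    """Parse the fixed TCP header at the start of `segment` into a dict.

    The acknowledgement number is reported as None unless the ACK flag is set,
    mirroring the rule that the Ack field is only valid when ACK = 1.
    """
    if len(segment) < TCP_HEADER_LEN:
        raise ValueError("truncated TCP header")
    (src_port, dst_port, seq, ack, off_flags,
     window, _checksum, urg_ptr) = struct.unpack(TCP_HEADER_FMT, segment[:TCP_HEADER_LEN])
    flags = {name: bool(off_flags & bit) for name, bit in FLAG_BITS.items()}
    return {
        "src_port": src_port,
        "dst_port": dst_port,
        "seq": seq,
        "ack": ack if flags["ACK"] else None,
        "header_len": (off_flags >> 12) * 4,       # data offset, converted to bytes
        "flags": sorted(name for name, on in flags.items() if on),
        "window": window,
        "urg_ptr": urg_ptr if flags["URG"] else None,
    }


def describe(segment):
    """One-line summary in the style of a packet dissector."""
    h = parse_tcp_header(segment)
    ack = "" if h["ack"] is None else f" ack={h['ack']}"
    return f"{h['src_port']} -> {h['dst_port']} [{','.join(h['flags'])}] seq={h['seq']}{ack}"


if __name__ == "__main__":
    # Constructed sample: the first two segments of a handshake with J=1000 and K=5000.
    syn = build_tcp_header(40000, 80, 1000, 0, {"SYN"})
    syn_ack = build_tcp_header(80, 40000, 5000, 1001, {"SYN", "ACK"})
    print(describe(syn))       # 40000 -> 80 [SYN] seq=1000
    print(describe(syn_ack))   # 80 -> 40000 [ACK,SYN] seq=5000 ack=1001
```

The SYN segment carries a raw value of 0 in its acknowledgement field, but the parser hides it because the ACK flag is clear; the SYN-ACK reply shows ack=1001, that is, J + 1.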

The three-way handshake in detail

The three-way handshake establishes a TCP connection. The client and server exchange three packets to confirm that the connection is established. In socket programming, this process is triggered by the client calling connect(), as shown below:

(1) First handshake: the Client sets the SYN flag bit to 1, randomly generates an initial sequence number seq=J, and sends the packet to the Server. The Client enters the SYN_SENT state and waits for the Server's confirmation.

(2) Second handshake: when the Server receives the packet, the flag bit SYN=1 tells it that the Client is requesting a connection. The Server sets both the SYN and ACK flag bits to 1, sets ack=J+1, randomly generates its own value seq=K, and sends the packet to the Client to confirm the connection request. The Server enters the SYN_RCVD state.

(3) Third handshake: after receiving the confirmation, the Client checks whether ack is J+1 and the ACK flag is 1. If so, the Client sets the ACK flag bit to 1, sets ack=K+1, and sends the packet to the Server. The Server checks whether ack is K+1 and the ACK flag is 1. Both the Client and the Server enter the ESTABLISHED state, the three-way handshake is complete, and data can be transmitted between the Client and the Server.

SYN attacks: in the three-way handshake, the connection that exists after the Server has sent its SYN-ACK but before it receives the Client's ACK is called a half-open connection. In this state the Server is in SYN_RCVD; only when the ACK arrives does its state change to ESTABLISHED. In a SYN attack, the Client forges a large number of nonexistent source IP addresses and sends SYN packets to the Server. The Server replies to each with a SYN-ACK and waits for the Client's confirmation, but because the source IP address does not exist, that confirmation never arrives. These forged SYN packets occupy the half-open connection queue, so normal SYN requests are discarded because the queue is full, resulting in network congestion or even system breakdown. SYN attacks are a typical DDoS attack. Detecting a SYN attack is simple: if a large number of half-open connections exist on the Server and their source IP addresses are random, the Server is under SYN attack.

#netstat -nap | grep SYN_RECV
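The netstat command above lists the half-open connections; the detection rule in the text amounts to counting them and checking how many distinct source addresses they come from. The following Python script is an added example, not part of the original article: it parses constructed `netstat -nap` output (Linux prints the half-open state as SYN_RECV, the same state the text calls SYN_RCVD; the addresses are from the RFC 5737 documentation ranges, not real hosts), tallies SYN_RECV entries per foreign IP, and applies the "many half-open connections from many different sources" heuristic. The thresholds in `assess()` are the example's own assumptions and should be tuned to the server's normal load.

```python
import re
from collections import Counter

# Constructed sample of `netstat -nap` output on a Linux host under a flood of
# spoofed SYNs (six half-open connections, six different sources).
SAMPLE_FLOOD = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1204/nginx
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED 1204/nginx
tcp        0      0 10.0.0.5:80             203.0.113.11:40001      SYN_RECV    -
tcp        0      0 10.0.0.5:80             203.0.113.92:40002      SYN_RECV    -
tcp        0      0 10.0.0.5:80             192.0.2.143:40003       SYN_RECV    -
tcp        0      0 10.0.0.5:80             192.0.2.9:40004         SYN_RECV    -
tcp        0      0 10.0.0.5:80             203.0.113.250:40005     SYN_RECV    -
tcp        0      0 10.0.0.5:80             198.51.100.33:40006     SYN_RECV    -
"""

# Constructed sample of a quiet host: two half-open connections, both from one slow client.
SAMPLE_QUIET = """\
tcp        0      0 10.0.0.5:443            198.51.100.7:51300      SYN_RECV    -
tcp        0      0 10.0.0.5:443            198.51.100.7:51301      SYN_RECV    -
tcp        0      0 10.0.0.5:443            198.51.100.8:51302      ESTABLISHED 1204/nginx
"""

# proto, recv-q, send-q, local address, foreign address, state (PID column optional)
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+([A-Z_]+)")


def half_open_by_source(netstat_text):
    """Count SYN_RECV entries per foreign IP (grep SYN_RECV, then tally by source)."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(4) == "SYN_RECV":
            foreign = m.group(3)
            ip = foreign.rsplit(":", 1)[0]   # strip the port; also works for IPv6 text
            counts[ip] += 1
    return counts


def assess(counts, min_half_open=5, min_distinct_ratio=0.8):
    """Apply the heuristic: many half-open connections, spread over many sources.

    The two thresholds are assumptions chosen for this example, not values from the article.
    """
    total = sum(counts.values())
    distinct = len(counts)
    ratio = distinct / total if total else 0.0
    return {
        "half_open": total,
        "distinct_sources": distinct,
        "suspicious": total >= min_half_open and ratio >= min_distinct_ratio,
    }


def check(netstat_text, **thresholds):
    """Parse netstat output and return the assessment dict."""
    return assess(half_open_by_source(netstat_text), **thresholds)


if __name__ == "__main__":
    print(check(SAMPLE_FLOOD))   # 6 half-open from 6 sources -> suspicious
    print(check(SAMPLE_QUIET))   # 2 half-open from 1 source  -> not suspicious
```

A single slow or badly connected client can legitimately leave a few connections in SYN_RECV, which is why the check looks at the spread of source addresses and not only at the count. Feed it the output of `netstat -nap` captured over a few successive runs to distinguish a steady state from a growing backlog.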

The four-way wave in detail

The three-way handshake is familiar to most people; the four-way wave less so. The so-called four-way wave refers to the termination of a TCP connection. When a TCP connection is torn down, the client and server need to send a total of 4 packets to confirm the disconnection. In socket programming, this process is triggered by either the client or the server calling close(), as shown below:

A TCP connection is full duplex, so each direction must be closed separately. The principle is that when a party finishes sending data, it sends a FIN to terminate the connection in that direction. Receiving a FIN only means that no more data will flow in that direction, that is, no more data will be received from the peer. Data can still be sent on the TCP connection until a FIN is also sent in the other direction. The party that closes first performs an active close, while the other party performs a passive close, as depicted in the figure above.

  • First wave: the Client sends a FIN to stop data transmission from the Client to the Server, and the Client enters the FIN_WAIT_1 state.
  • Second wave: after receiving the FIN, the Server sends an ACK to the Client whose acknowledgement number is the received sequence number + 1 (as with SYN, a FIN occupies one sequence number). The Server enters the CLOSE_WAIT state.
  • Third wave: the Server sends a FIN to stop data transmission from the Server to the Client, and the Server enters the LAST_ACK state.
  • Fourth wave: after receiving the FIN, the Client enters the TIME_WAIT state and sends an ACK to the Server whose acknowledgement number is the FIN's sequence number + 1. The Server enters the CLOSED state, completing the four-way wave.

The above is the case where one party closes actively and the other closes passively. In practice, both parties can also initiate an active close at the same time. The specific process is shown in the following figure:

The flow and states are clear from the figure above and are not described again here; refer to the four-way wave steps described earlier.
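The handshake, the four-way wave and the simultaneous close above are all transitions of one state machine driven by the SYN, ACK and FIN flags and by the "ack = seq + 1" rule. The following Python model is an added example, not code from the original article: each `Endpoint` keeps only its state, the next sequence number it will send and the next one it expects, and `receive()` applies one incoming segment and produces the reply. It checks on both sides that the peer's acknowledgement number equals J+1 or K+1 before advancing, and it goes beyond the figures in the text by also covering the simultaneous close (FIN received in FIN_WAIT_1 leads to CLOSING, then to TIME_WAIT). The class and function names and the initial sequence numbers J=1000, K=5000 are the example's own assumptions; TIME_WAIT is left by a 2*MSL timer in a real stack, which this model does not simulate.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    src: str
    flags: frozenset            # subset of {"SYN", "ACK", "FIN"}
    seq: int
    ack: "int | None" = None    # only meaningful when "ACK" is in flags


class Endpoint:
    """One side of a TCP connection: just its state and its sequence counters."""

    def __init__(self, name, isn):
        self.name = name
        self.state = "CLOSED"
        self.snd_nxt = isn      # next sequence number we will send (J or K at first)
        self.rcv_nxt = None     # next sequence number we expect from the peer

    def _send(self, flags, consume=0):
        ack = self.rcv_nxt if "ACK" in flags else None
        seg = Segment(self.name, frozenset(flags), self.snd_nxt, ack)
        self.snd_nxt += consume  # a SYN or a FIN occupies one sequence number
        return seg

    def connect(self):
        self.state = "SYN_SENT"
        return self._send({"SYN"}, consume=1)

    def close(self):
        if self.state == "ESTABLISHED":
            self.state = "FIN_WAIT_1"   # active close
        elif self.state == "CLOSE_WAIT":
            self.state = "LAST_ACK"     # passive close: now send our own FIN
        else:
            raise RuntimeError(f"{self.name}: close() not valid in {self.state}")
        return self._send({"FIN", "ACK"}, consume=1)

    def receive(self, seg):
        f = seg.flags
        # True when the peer has acknowledged everything we sent, our SYN/FIN included.
        acks_us = "ACK" in f and seg.ack == self.snd_nxt
        if self.state == "LISTEN" and "SYN" in f:
            self.rcv_nxt = seg.seq + 1                        # will send ack = J + 1
            self.state = "SYN_RCVD"
            return self._send({"SYN", "ACK"}, consume=1)
        if self.state == "SYN_SENT" and {"SYN", "ACK"} <= f:
            if not acks_us:                                   # Client checks ack == J + 1
                raise ValueError(f"{self.name}: expected ack={self.snd_nxt}, got {seg.ack}")
            self.rcv_nxt = seg.seq + 1                        # will send ack = K + 1
            self.state = "ESTABLISHED"
            return self._send({"ACK"})
        if self.state == "SYN_RCVD" and acks_us:              # Server checks ack == K + 1
            self.state = "ESTABLISHED"
            return None
        if "FIN" in f and self.state in ("ESTABLISHED", "FIN_WAIT_1", "FIN_WAIT_2"):
            self.rcv_nxt = seg.seq + 1                        # acknowledge the FIN with seq + 1
            if self.state == "ESTABLISHED":
                self.state = "CLOSE_WAIT"
            elif self.state == "FIN_WAIT_2" or acks_us:
                self.state = "TIME_WAIT"                      # our own FIN is already acked
            else:
                self.state = "CLOSING"                        # simultaneous close
            return self._send({"ACK"})
        if acks_us and self.state == "FIN_WAIT_1":
            self.state = "FIN_WAIT_2"
        elif acks_us and self.state == "CLOSING":
            self.state = "TIME_WAIT"
        elif acks_us and self.state == "LAST_ACK":
            self.state = "CLOSED"
        return None


def three_way_handshake(client, server):
    server.state = "LISTEN"
    syn = client.connect()
    syn_ack = server.receive(syn)
    ack = client.receive(syn_ack)
    server.receive(ack)
    return [syn, syn_ack, ack]


def four_way_wave(active, passive):
    fin1 = active.close()
    ack1 = passive.receive(fin1)
    active.receive(ack1)             # FIN_WAIT_1 -> FIN_WAIT_2
    fin2 = passive.close()
    ack2 = active.receive(fin2)      # FIN_WAIT_2 -> TIME_WAIT
    passive.receive(ack2)            # LAST_ACK -> CLOSED
    return [fin1, ack1, fin2, ack2]


def run_demo(simultaneous=False):
    """Whole connection lifetime with J=1000, K=5000; returns (segments, client state, server state)."""
    c, s = Endpoint("client", 1000), Endpoint("server", 5000)
    segs = three_way_handshake(c, s)
    if simultaneous:
        fin_c, fin_s = c.close(), s.close()                      # both in FIN_WAIT_1
        ack_by_s, ack_by_c = s.receive(fin_c), c.receive(fin_s)  # both in CLOSING
        s.receive(ack_by_c); c.receive(ack_by_s)                 # both in TIME_WAIT
        segs += [fin_c, fin_s, ack_by_s, ack_by_c]
    else:
        segs += four_way_wave(c, s)
    return [(x.src, sorted(x.flags), x.seq, x.ack) for x in segs], c.state, s.state
```

Running `run_demo()` yields the seven segments of the text: SYN seq=1000; SYN+ACK seq=5000 ack=1001; ACK seq=1001 ack=5001; then FIN seq=1001, ACK ack=1002, FIN seq=5001, ACK ack=5002, with the client finishing in TIME_WAIT and the server in CLOSED. With `simultaneous=True` both FINs cross in flight, both sides pass through CLOSING and both end in TIME_WAIT, which is the case the figure for the simultaneous close describes.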

Conclusion

The three-way handshake and the four-way wave are typical interview questions. Here are some questions for your reference:

  • (1) What is the three-way handshake process? What about the four-way wave? The answer is given above.
  • (2) Why does establishing a connection take three handshakes, while closing it takes four waves?

This is because, in the LISTEN state, when the server receives a SYN packet for establishing a connection, it can send its ACK and SYN to the client in a single packet. When closing a connection, however, receiving the other side's FIN only means that the other side will send no more data, while it can still receive data. Our side may not have sent all of its data yet, so it can either close immediately or continue to send some data to the other side, and only then send its own FIN to agree to close the connection. Therefore, our ACK and FIN are usually sent separately.