TCP
Basic: http://frankfu.click/networking/networking-fundamental/transport-layer.html/2/
Three-way handshake
  • SYN
  • SYN/ACK
  • ACK
 Sequence numbers:
  • Random initial sequence number: chosen for security, to make spoofing harder. The other side acknowledges it by adding one to the number it received.
  • To make captures easier to read, Wireshark shows relative sequence numbers; the Packet Bytes pane still shows the hex of the actual sequence number.

[Figure: sequence_number]

In the picture, the actual sequence number is 0x9932403b, which is 2570207291 in decimal.
 Acknowledgement of TCP segments
The TCP acknowledgement number is the sequence number of the next data the receiver expects. Each host maintains its own acknowledgement number, which tracks the data it has received so far.
Another example:
[Figure: tcpSYN-ACK]

Host A -> Host B:  SEQ=1    ACK=1    LENGTH=500
  English: "We're on our first packet, I've got 500 bytes for you"

Host B -> Host A:  SEQ=1    ACK=501  LENGTH=200
  English: "I acknowledge that you sent 500 bytes, and for my first transmission to you I have 200 bytes"

Host A -> Host B:  SEQ=501  ACK=201  LENGTH=200
  English: "I acknowledge that you sent 200 bytes, and I'm sending you another 200 bytes starting with number 501"
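The SEQ/ACK arithmetic above, replayed in code. This is an added example, not part of the original notes: it checks that every ACK equals the peer's last SEQ plus payload length (plus one for SYN/FIN) and derives Wireshark-style relative numbers from raw ones. The client ISN is the raw value 0x9932403b from the screenshot; the server ISN and the host labels are constructed.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    src: str           # sending host label
    seq: int           # raw sequence number as carried on the wire
    ack: int           # raw acknowledgement number (meaningless on a bare SYN)
    length: int = 0    # payload bytes in this segment
    syn: bool = False
    fin: bool = False

def next_seq(seg: Segment) -> int:
    """Sequence number the peer should acknowledge next: SEQ + data, plus one for SYN/FIN."""
    return seg.seq + seg.length + int(seg.syn) + int(seg.fin)

def check_acks(segments):
    """Return (index, expected_ack, actual_ack) for every segment whose ACK is wrong."""
    expected = {}   # host -> next sequence number the other side should acknowledge
    problems = []
    for i, seg in enumerate(segments):
        peers = [h for h in expected if h != seg.src]
        if peers and seg.ack != expected[peers[0]]:
            problems.append((i, expected[peers[0]], seg.ack))
        expected[seg.src] = next_seq(seg)
    return problems

def relative(segments):
    """Wireshark-style relative numbers: each host's ISN (first SEQ seen) becomes 0."""
    isn, out = {}, []
    for seg in segments:
        isn.setdefault(seg.src, seg.seq)
        peers = [h for h in isn if h != seg.src]
        rel_ack = seg.ack - isn[peers[0]] if peers else 0   # no peer ISN yet on the first SYN
        out.append((seg.src, seg.seq - isn[seg.src], rel_ack))
    return out

# Constructed capture: handshake followed by the three data segments of the example above.
CLIENT_ISN = 0x9932403B    # raw sequence number shown in the screenshot (2570207291 decimal)
SERVER_ISN = 4000          # assumption, not from the page
CAPTURE = [
    Segment("client", CLIENT_ISN, 0, syn=True),                      # SYN
    Segment("server", SERVER_ISN, CLIENT_ISN + 1, syn=True),         # SYN/ACK
    Segment("client", CLIENT_ISN + 1, SERVER_ISN + 1),               # ACK
    Segment("client", CLIENT_ISN + 1, SERVER_ISN + 1, length=500),   # SEQ=1 ACK=1 LEN=500
    Segment("server", SERVER_ISN + 1, CLIENT_ISN + 501, length=200), # SEQ=1 ACK=501 LEN=200
    Segment("client", CLIENT_ISN + 501, SERVER_ISN + 201, length=200), # SEQ=501 ACK=201
]

if __name__ == "__main__":
    print("ACK problems:", check_acks(CAPTURE))
    for row in relative(CAPTURE):
        print(row)
```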
Graceful session termination
  • FIN = no more data from me
  • FIN-WAIT
  • FIN ACK
Reset = forcibly kills the connection
  • RST
Filtering
  • tcp.flags.syn == 1
  • tcp.flags.reset == 1

DHCP

Filtering DHCP related traffic
  • bootp.option.dhcp != 0 shows all DHCP messages: DHCP Release, DHCP Discover, DHCP Offer, DHCP Request, DHCP ACK, etc.
  Value  Message type
  1      DHCPDISCOVER
  2      DHCPOFFER
  3      DHCPREQUEST
  4      DHCPDECLINE
  5      DHCPACK
  6      DHCPNAK
  7      DHCPRELEASE
  8      DHCPINFORM

Example:

We issue ipconfig /release and then ipconfig /renew on a Windows client machine.

Wireshark captured all the DHCP-related traffic:

[Figure: dhcp_traffic]

Analysis of this traffic:

Request:

[Figure: dhcp_request]

  • The destination MAC address is ff:ff:ff:ff:ff:ff
  • The destination IP address is 255.255.255.255 and the source IP address is 0.0.0.0
  • Source port 68, destination port 67
  • Protocol is UDP
  • Message type: Boot Request
  • Hops: 0, so the DHCP message cannot go beyond the default gateway.
  • Also note that the next server IP address and the relay agent IP address are both 0.0.0.0

Offer

[Figure: dhcp_offer]

  • The info tells us that the DHCP Offer message is a multicast as well, whether you look at the MAC address ff:ff:ff:ff:ff:ff or the IP address 255.255.255.255.
  • Source port is 67 and destination port is 68.
  • Message type: Boot Reply, value 2.
  • The offered IP address: 192.168.90.32
  • Subnet mask: 255.255.255.0
  • Lease time: 3 days; renewal time is 1.5 days, which is when 50% of the lease time has elapsed.
  • DHCP server: 192.168.90.252
  • Domain name: apm.com
  • Router (default gateway): 192.168.90.1
  • Domain name server: 192.168.90.252


Reference

http://packetlife.net/blog/2010/jun/7/understanding-tcp-sequence-acknowledgment-numbers/

http://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml
