- April 5, 2020
- Posted by: Syed Shujaat
- Category: Uncategorized
I normally use Wireshark to troubleshoot network communication issues involving TCP/UDP packet transmission.
TCP stands for Transmission Control Protocol. The mechanism behind packet authentication and verification is called the 3-way handshake: SYN, SYN+ACK, and ACK.
- Computer A sends a SYN to Computer B. In this SYN request it lists its initial sequence (SEQ) number; let's say it is zero.
- Computer B receives the SYN and sends SYN+ACK to Computer A. Computer B is saying "I got your SYN": Computer A's SEQ (0) + 1 = ACK. It sends this ACK to Computer A.
- Computer A then receives the ACK and replies to Computer B, updating its SEQ number to ACK+1.
- Eventually, each side establishes its own ACK and SEQ numbers as communication progresses both ways while packets are verified.
SEQ: it's the packet size sent to Computer B, not the packet number. At this point, Computer B will also include its own SEQ number, since this is two-way communication, so both machines know which SEQ values to increment.
Let's suppose Computer B is basically saying: "I got Computer A's SEQ value of 8 bytes, my ACK value increments by 1 (SEQ+1 = 9), and by the way Computer B's SEQ number is zero," which helps Computer A keep track of the data transferred back and forth. It is a seamless two-way communication that lets both computers establish a trust relationship.
Note: ACK+1 will be added to Computer B's SEQ number to acknowledge the handshake's authenticity by setting up the next expected SEQ number.
The next command from Computer A will be the HTTP GET request.
- Let's say Computer A requests http://somewebsite, with data of 20 bytes. Computer A's original SEQ was 1 and it will now become 21.
- Computer B receives it and adds SEQ+1 (SYN+ACK) = 22; the ACK value is now 22 and is sent to Computer A. Computer B's SEQ number was 1. Computer B then replies to Computer A with SYN+ACK = 21 bytes (ACK) and sends some data along with it, let's say the requested website data = 1000 bytes.
- Computer A gets ACK (21). It adds 1 to Computer B's SEQ (1000 + 1) to let Computer B know which SEQ number to expect next from A, and packet communication carries on with the TCP SYN, SYN+ACK and ACK model.
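The SEQ/ACK bookkeeping described above, as an added example that is not part of the original post: a small Python checker that replays a constructed trace of the same exchange (initial sequence number 0 on both sides, a 20-byte GET, a 1000-byte reply) and reports the anomalies a Wireshark user looks for, such as a segment whose SEQ does not continue where the sender left off, or an ACK for bytes the peer never sent (typically a packet missing from the capture). The Segment class, analyze and seq_consumed are names chosen for this example; the host labels A and B follow the post. It relies on the rule that SYN and FIN each consume one sequence number, which is why the SYN+ACK acknowledges ISN+1.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment as Wireshark would summarize it (constructed, not captured)."""
    src: str          # sending host, e.g. "A"
    dst: str          # receiving host, e.g. "B"
    flags: str        # subset of "S" (SYN), "A" (ACK), "F" (FIN), "P" (PSH)
    seq: int          # tcp.seq (absolute, not Wireshark's relative display)
    ack: int          # tcp.ack; meaningful only when "A" is in flags
    payload_len: int  # tcp.len


def seq_consumed(seg: Segment) -> int:
    """Sequence space a segment uses up: every payload byte plus one 'phantom'
    byte each for SYN and FIN. A bare SYN therefore moves the sender's SEQ by 1."""
    return seg.payload_len + ("S" in seg.flags) + ("F" in seg.flags)


def analyze(segments):
    """Walk a single-connection trace in capture order.

    Returns (final_state, next_seq, issues): next_seq maps each host to the SEQ
    it should send next, which is exactly the value its peer should carry in
    tcp.ack; issues lists handshake, SEQ and ACK anomalies as text."""
    state = "CLOSED"
    next_seq = {}
    issues = []
    for n, seg in enumerate(segments):
        syn, ack = "S" in seg.flags, "A" in seg.flags
        # Handshake state machine: SYN -> SYN+ACK -> ACK.
        if syn and not ack:
            if state != "CLOSED":
                issues.append(f"#{n}: SYN while {state}")
            state = "SYN_SENT"
        elif syn and ack:
            if state != "SYN_SENT":
                issues.append(f"#{n}: SYN+ACK while {state}")
            state = "SYN_RECEIVED"
        elif ack and state == "SYN_RECEIVED":
            state = "ESTABLISHED"
        elif state != "ESTABLISHED":
            issues.append(f"#{n}: data/ACK before handshake completed ({state})")
        # SEQ check: a sender's next segment must start where its last one ended.
        expected = next_seq.get(seg.src)
        if expected is not None and seg.seq != expected:
            issues.append(f"#{n}: {seg.src} sent seq {seg.seq}, expected {expected}")
        next_seq[seg.src] = seg.seq + seq_consumed(seg)
        # ACK check: nobody can acknowledge bytes the peer has not sent yet.
        if ack:
            peer_next = next_seq.get(seg.dst)
            if peer_next is None:
                issues.append(f"#{n}: ACK from {seg.src} but {seg.dst} has sent nothing")
            elif seg.ack > peer_next:
                issues.append(f"#{n}: {seg.src} acks {seg.ack} but {seg.dst} only sent up to {peer_next}")
    return state, next_seq, issues


# Constructed trace matching the post's numbers: ISN 0 on both sides,
# a 20-byte HTTP GET from A, a 1000-byte reply from B.
HANDSHAKE_AND_GET = [
    Segment("A", "B", "S",  seq=0,  ack=0,    payload_len=0),     # A: SYN, ISN 0
    Segment("B", "A", "SA", seq=0,  ack=1,    payload_len=0),     # B: SYN+ACK, acks ISN+1
    Segment("A", "B", "A",  seq=1,  ack=1,    payload_len=0),     # A: ACK, handshake complete
    Segment("A", "B", "PA", seq=1,  ack=1,    payload_len=20),    # A: 20-byte GET, SEQ 1..20
    Segment("B", "A", "PA", seq=1,  ack=21,   payload_len=1000),  # B: acks 21, sends 1000 bytes
    Segment("A", "B", "A",  seq=21, ack=1001, payload_len=0),     # A: acks 1001
]


if __name__ == "__main__":
    state, next_seq, issues = analyze(HANDSHAKE_AND_GET)
    print(state, next_seq, issues or "no issues")
    # Same trace with B's 1000-byte reply missing from the capture:
    print(analyze(HANDSHAKE_AND_GET[:4] + HANDSHAKE_AND_GET[5:])[2])
```

Run as-is, the clean trace ends in ESTABLISHED with A expected to send 21 next and B 1001, and no issues; dropping B's data segment from the list makes A's final ACK of 1001 show up as an acknowledgment of bytes never seen, which is the same symptom Wireshark flags when a capture point missed a packet.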
Wireshark: you can trace the packets by applying the following filters.
TCP packets have the following attributes:
- Source/Destination IP
- IP SYN
- Port number
- Stream Index: each TCP connection has its own unique stream, almost like two different conversations. TCP can have multiple streams to separate its communications.
- Win (TCP Sliding Window) and Window Size Scaling Factor: these vary as packets flow back and forth between source and destination. The window is how much data can be sent at once to the destination machine before an acknowledgment comes back, from A to B and from B to A. TCP adjusts how fast it sends data based on this window.
Command: I normally use ip.addr == [IP address]
You can be more specific with the following filter: ip.addr == [IP address] && tcp.stream == [stream index number]
e.g. (ip.addr eq 192.168.1.1 and ip.addr eq 18.104.22.168) and (tcp.port eq 55678 and tcp.port eq 80)
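As an added example that is not from the original post, the following Python shows how the stream index attribute and the display filters above behave: assign_stream_indexes numbers conversations the way Wireshark's tcp.stream and udp.stream do (one index per bidirectional address/port pair, counted from 0 per protocol in order of first appearance), and apply_filter evaluates a small subset of the display-filter syntax (== or eq, and/&&, or/||, parentheses) against a constructed sample capture. The Packet class, the function names and the sample packets are assumptions made for this example; the addresses and ports in the sample are taken from the filter shown in the post.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The 4-tuple Wireshark keys conversations on (constructed sample data)."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


def assign_stream_indexes(packets):
    """One stream index per packet, as tcp.stream / udp.stream: a stream is the
    bidirectional conversation identified by the unordered pair of endpoints."""
    seen = {"tcp": {}, "udp": {}}
    indexes = []
    for p in packets:
        key = frozenset([(p.src, p.sport), (p.dst, p.dport)])  # direction-independent
        table = seen[p.proto]
        if key not in table:
            table[key] = len(table)                             # next free index
        indexes.append(table[key])
    return indexes


def _field_values(pkt, stream, field):
    """All values a field takes in this packet, as strings. 'ip.addr == X' is
    true if either source or destination equals X, hence a set."""
    if field == "ip.addr":
        return {pkt.src, pkt.dst}
    if field not in ("tcp.port", "udp.port", "tcp.stream", "udp.stream"):
        raise ValueError(f"unsupported field {field!r}")
    proto, _, attr = field.partition(".")
    if proto != pkt.proto:            # tcp.port never matches a UDP packet
        return set()
    if attr == "port":
        return {str(pkt.sport), str(pkt.dport)}
    return {str(stream)}


_TOKEN = re.compile(r"\(|\)|&&|\|\||==|[^\s()]+")


class _Parser:
    """Recursive descent over: expr := and_expr (or and_expr)*,
    and_expr := atom (and atom)*, atom := '(' expr ')' | field (==|eq) value.
    Builds a predicate f(pkt, stream) -> bool."""

    def __init__(self, text):
        self.toks = _TOKEN.findall(text)
        self.pos = 0

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return tok

    def parse(self):
        pred = self._or()
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return pred

    def _or(self):
        left = self._and()
        while self._peek() in ("or", "||"):
            self._take()
            left = _either(left, self._and())
        return left

    def _and(self):
        left = self._atom()
        while self._peek() in ("and", "&&"):
            self._take()
            left = _both(left, self._atom())
        return left

    def _atom(self):
        tok = self._take()
        if tok == "(":
            inner = self._or()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return inner
        op, value = self._take(), self._take()
        if op not in ("==", "eq"):
            raise ValueError(f"unsupported operator {op!r}")
        return lambda pkt, stream: value in _field_values(pkt, stream, tok)


def _both(a, b):
    return lambda pkt, stream: a(pkt, stream) and b(pkt, stream)


def _either(a, b):
    return lambda pkt, stream: a(pkt, stream) or b(pkt, stream)


def apply_filter(packets, text):
    """Capture positions (0-based) of the packets the filter selects."""
    pred = _Parser(text).parse()
    streams = assign_stream_indexes(packets)
    return [i for i, (p, s) in enumerate(zip(packets, streams)) if pred(p, s)]


# Constructed sample capture (not real traffic): two TCP connections from the
# same client to a web server, one multicast UDP datagram, then another
# packet of the first connection.
SAMPLE = [
    Packet("192.168.1.1", "18.104.22.168", "tcp", 55678, 80),
    Packet("18.104.22.168", "192.168.1.1", "tcp", 80, 55678),
    Packet("192.168.1.1", "18.104.22.168", "tcp", 55679, 80),
    Packet("192.168.1.1", "224.0.0.251", "udp", 5353, 5353),
    Packet("192.168.1.1", "18.104.22.168", "tcp", 55678, 80),
]
```

On the sample, the post's filter (ip.addr eq 192.168.1.1 and ip.addr eq 18.104.22.168) and (tcp.port eq 55678 and tcp.port eq 80) selects packets 0, 1 and 4, the same set as tcp.stream == 0, while the second connection on port 55679 is tcp.stream == 1; note that the reply packet (server to client) matches because ip.addr and tcp.port test both directions, which is why a single ip.addr filter is usually enough to isolate one host's traffic.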
UDP (User Datagram Protocol) is an alternative communications protocol to Transmission Control Protocol (TCP), used primarily for establishing low-latency, loss-tolerating connections between applications on the internet. Most media streaming and VoIP (RTP: Real-Time Protocol) technology uses UDP, where retransmission of lost packets is insignificant. UDP uses the following parameters:
- Source/Destination Port
- Stream Index