I know that control bits in tcp define the flags of TCP connection like SYN, FIN, ACK. But from my network traffic sometimes for some packets control bits are 0 (not-set).
What does this behaviour mean?
Those are flags of a TCP segment, not connection.
When a flag bit isn't set that indicates the absence of the meaning and behavior defined for the corresponding flag.
It means ACK and only ACK flag is set. RFC says ACK is 16, however it's only 16 when used in combination with another flag e.g. SYN/ACK (18), FIN/ACK (17). Flags value 0 could also indicate a 'null' scan.
If you see a flow record with value 2 and there are 8 packets in it, that means there are both SYN packet(s) and ACK packets.
If you see 18 and there are more than 1 packet in the flow that means there is at least one SYN/ACK and the rest are ACK.
Related
The below screenshot shows the relevant packets I am analysing, which are independent from the rest of the network traffic.
I know that this is malformed network traffic, however I am confused as to why the correct values should be [RST,ACK] Seq = 1 Ack = 1 ... in oppose to the values seen in the screen shot for packet 8.
Any help would be appreciated, as most of the online documentation and explanations I have read, have not given a concrete explanation.
According to RFC 793, page 37:
In the SYN-State (The sender sent a segment with SYN flag, packet 7), The received RST segment (packet 8) is acceptable if the ACK field acknowledges the SYN.
So, packet 8 is malformed and not acceptable for sender of SYN segment, because ACK field is here 0 (relative) instead of 1.
In TCP 3-way handshake, 3 segments will be sent (SYN, SYN ACK, ACK). What if the third segment(ACK) is lost? Is the sender going to resend the segment or give up establishing the connection? And how do the two hosts know the segment is lost?
TCP has a sequence number in all packets. Hence it's easy to know if a packet was lost or not. If a host doesn't get an ACK on a packet he just resends it.
In most cases though, even if that ACK was lost, there will be no resending for a very simple reason. Directly after the ACK, the host that opened the TCP protocol is likely to start sending data. That data will, as all TCP packets, have an ACK number, so the recipient would get an ACK that way. Hence, the sender of the SYN-ACK should reasonably not care that it didn't get the ACK, because it gets an "implicit" ACK in the following package.
The re-send of the SYN-ACK is only necessary of there no data is received at all.
Update: I found the place in the RFC that specified exactly this:
If our SYN has been acknowledged (perhaps in this
incoming segment) the precedence level of the incoming segment must
match the local precedence level exactly, if it does not a reset
must be sent.
In other words, if the ACK is dropped but the next packet is not dropped, then everything is fine. Otherwise, the connection must be reset. Which makes perfect sense.
I am not an expert on this particular situation, but I suspect what will happen is the client will think it is connected but the server will not. If the client tries to send data to the server, the server will reject it and send a RST packet to the client so it can reset its "connection".
I use raw socket to create TCP packets, with focus on the sequence number and TCP flags(SYN, ACK)
I used one machine S to send a tcp ACK packet (flag ACK is set to 1) and another machine R to receive it these two machines are in different subnets, all in my school
meanwhile, I used tcpdump to capture the packets.
Strange things happens! On machine S, the captured packet is as expected, it is an ACK packet however, on the receiving machine R, the packet becomes a SYN packet, and the sequence number is changed, the seq no is 1 smaller the expected and the ack_seq become 0!
what are potential problems?
my guess is that the router/firewall modified the ACK packet to a SYN packet because it never sees a SYN SYN/ACK exchange ahead of the ACK?
is it possible or not?
the two captured packets are:
https://docs.google.com/file/d/0B09y_TWqTtwlVnpuUlNwUmM1YUE/edit?usp=sharing
https://docs.google.com/file/d/0B09y_TWqTtwlTXhjUms4ZnlkMVE/edit?usp=sharing
The biggest problem you will encounter will be that the receiving TCP stack in each case will receive the packet and possibly reply to it. What you are attempting is really not possible.
Why does the TCP three-way handshake bump the sequence number when acking during the initial handshake? How is that better than just leaving the acknowledgement number equal to the sequence number?
The connection is established with
Client sends SYN,A
Server responds with SYN-ACK,A+1,B
Client confirms with ACK,B+1
How is that better than
Client sends SYN,A
Server responds with SYN-ACK,A,B
Client confirms with ACK,B
That's because the ACK field means this when the ACK flag is set:
Acknowledgment number (32 bits) – if the ACK flag is set then the value of this field is the next sequence number that the receiver is expecting.
If it is not set to (inital sequence number+1), it would be inconsistently mean both ack'ing the SYN (both SYN and ACK flags must be set in this packet) and saying it is expecting that sequence number again (i.e. hasn't received it).
Wireshark and Network Monitor provide filters for this but I want to know how can I infer whether a packet is a TCP Keep-Alive or Keep-Alive Ack by looking at the header or payload.
A TCP keep-alive packet is an ACK with the sequence number set to one less than the
current sequence number for the connection.
Here's what Wireshark says about a keep-alive ACK:
Set when all of the following are true:
The segment size is zero.
The window size is non-zero and hasn’t changed.
The current sequence number is the same as the next expected sequence number.
-The current acknowledgement number is the same as the last-seen acknowledgement number.
The most recently seen packet in the reverse direction was a keepalive.
The packet is not a SYN, FIN, or RST.