When I'm a Student, being taught there is 4 process in stop http connection.
However today I test only 3 process. It's Wireshark merge data transition?
You were likely taught that TCP connections require a four way close: FIN/ACK -> ACK, FIN/ACK -> ACK. This is true, but it does not have to take four packets to do it.
In the case that you present, the 192.168.0.106 host begins to close with a FIN/ACK. The other end of the connection, rather than simply ACKing this, takes the opportunity to begin closing as well. So, when it responds with a FIN/ACK, it is both ACKing the FIN that it received and beginning its own close. The final packet is the acknowledgement of the FIN from the 211 host.
What this means is that, in this case, only three packets were used, but we still had a FIN from host A that was acknowledged and a FIN from host B that was acknowledged. That is really the only requirement in the protocol.
Related
Say we have sender A sending a message to receiver B using TCP. Say the message to be sent from A to B is split into three packets of length 500 bytes, 500 bytes and 50 bytes, to be sent in that order. How does A indicate to B that the packet of length 50 bytes is the last part of the message? I can understand that an ACK from B to A, sent every other packet received by B, indicates using the sequence number how much data has been received by B since the last ACK was sent by B. I read that FIN is used to terminate the connection between the sender and receiver. However, I can't find a description of how the the last packet, of a message split into several packets, is indicated. I'm thinking the packets have to be reassembled, in order, before the message is sent to the receiving application. I think that as one of TCPs actions is to split the message into packets, there must be some way of the sender flagging the last packet of a message has been sent.
I think that as one of TCPs actions is to split the message into
packets
No, TCP takes a stream of data and segments it into PDUs called segments. It is IP that uses the TCP segments as the payload of IP packets, which are in turn the payload of the data-link protocol, e.g. ethernet, frames.
However, I can't find a description of how the the last packet, of a
message split into several packets, is indicated.
Something like that is up to a higher protocol, e.g. HTTP. I think you are looking at TCP the wrong way. A TCP connection is like a bidirectional pipe; whatever you put in one end comes out the other end. TCP has no idea of the data structure, it just sends whatever it gets from the application or application-layer protocol. When an application or application-layer protocol is through using the connection, it tells TCP to tear it down.
The receiving TCP simply receives data and reorders it, asking for lost or missing segments. It passes properly ordered data up to the application or application-layer protocol, having no idea of the data structure because it is just a data stream to TCP.
Also, remember that both ends of a TCP connection are peers that can send and receive, and either end can send a segment with FIN that tells the other end that it is done sending, but the end sending the FIN is obligated to continue to receive until the other end also sends a FIN to say it is done sending. Either side could also kill the connection with a RST segment.
there must be some way of the sender flagging the last packet of a
message has been sent.
Probably, but that is not the job of TCP, that is up to the application or application-layer protocol. When the application-layer is done, it tells TCP to close, and that starts the FIN process. TCP has no idea what is the last part of a message is because it knows nothing about the data. It keeps the pipe open until it is told to close it.
I am very new to networking, so this might sound simple. Though I have tried to look here and here and here and have got few basics of TCP, there are few questions whose answers I am not certain about.
Is a request and response part of 2 different TCP establishments. To explain that :
Is a connection established, kept alive until all packets are delivered, request sent and connection closed for each request and same happens for its response.
or
A connection is opened, request sent, connection kept alive, response arrives and connection closed.
Is the ACK number always 1 + sequence number of sent segment.
Is a request and response part of 2 different TCP establishments
You need just 3 packets to handshake and establish a bidirectional TCP connection. So no, you do not establish TCP connection for receiving and sending parts.
On the other hand, there is a sutdown() system call which allows to shutdown a part of the bidirectional connection. See man shutdown(2). So there is a possibility to establish a unidirectional connection by opening a bidirectional and then shutdown one of the sides.
Is the ACK number always 1 + sequence number of sent segment.
We usually do not send ACK for every received packet. There are also selective ACKs, retransmissions etc. So in general, the answer is no, the ACK number is not always seq + 1.
On the other hand, if you are sending a small amount of data and waiting for the confirmation, no errors or packet loss occurred, most probably there will be just one packet with that data and one ACK with seq + 1.
Hope that helps.
We're seeing this pattern happen a lot between two RHEL 6 boxes that are transferring data via a TCP connection. The client issues a TCP Window Full, 0.2s later the client sends TCP Keep-Alives, to which the server responds with what look like correctly shaped responses. The client is unsatisfied by this however and continues sending TCP Keep-Alives until it finally closes the connection with an RST nearly 9s later.
This is despite the RHEL boxes having the default TCP Keep-Alive configuration:
net.ipv4.tcp_keepalive_time = 7200
net.ipv4.tcp_keepalive_probes = 9
net.ipv4.tcp_keepalive_intvl = 75
...which declares that this should only occur until 2hrs of silence. Am I reading my PCAP wrong (relevant packets available on request)?
Below is Wireshark screenshot of the pattern, with my own packet notes in the middle.
Actually, these "keep-alive" packets are not used for TCP keep-alive! They are used for window size updates detection.
Wireshark treats them as keep-alive packets just because these packets look like keep-alive packet.
A TCP keep-alive packet is simply an ACK with the sequence number set to one less than the current sequence number for the connection.
(We assume that ip 10.120.67.113 refers to host A, 10.120.67.132 refers to host B.) In packet No.249511, A acks seq 24507484. In next packet(No.249512), B send seq 24507483(24507484-1).
Why there are so many "keep-alive" packets, what are they used for?
A sends data to B, and B replies zero-window size to tell A that he temporarily can't receive data anymore. In order to assure that A knows when B can receive data again, A send "keep-alive" packet to B again and again with persistence timer, B replies to A with his window size info (In our case, B's window size has always been zero).
And the normal TCP exponential backoff is used when calculating the persist timer. So we can see that A send its first "keep-alive" packet after 0.2s, send its second packet after 0.4s, the third is sent after 0.8, the fouth is sent after 1.6s...
This phenomenon is related to TCP flow control.
The source and destination IP addresses in the packets originating from client do not match the destination and source IP addresses in the response packets, which indicates that there is some device in between the boxes doing NAT. It is also important to understand where the packets have been captured. Probably a packet capture on the client itself will help understand the issue.
Please note that the client can generate TCP keepalive if it does not receive a data packet for two hours or more. As per RFC 1122, the client retries keepalive if it does not receive a keepalive response from the peer. It eventually disconnects after continuous retry failure.
The NAT devices typically implement connection caches to maintain the state of ongoing connections. If the size of the connection reaches limit, the NAT devices drops old connections in order to service the new connections. This could also lead to such a scenario.
The given packet capture indicates that there is a high probability that packets are not reaching the client, so it will be helpful to capture packets on client machine.
I read the trace slightly differently:
Sender sends more data than receiver can handle and gets zerowindow response
Sender sends window probes (not keepalives it is way to soon for that) and the application gives up after 10 seconds with no progress and closes the connection, the reset indicates there is data pending in the TCP sendbuffer.
If the application uses a large blocksize writing to the socket it may have seen no progress for more than the 10 seconds seen in the tcpdump.
If this is a straight connection (no proxies etc.) the most likely reason is that the receiving up stop receiving (or is slower than the sender & data transmission)
It looks to me like packet number 249522 provoked the application on 10.120.67.113 to abort the connection. All the window probes get a zero window response from .132 (with no payload) and then .132 sends (unsolicited) packet 249522 with 63 bytes (and still showing 0 window). The PSH flag suggests that this 63 bytes is the entire data written by the app on .132. Then .113 in the same millisecond responds with an RST. I can't think of any reason why the TCP stack would send a RST immediately after receiving data (sequence numbers are correct). In my view it is almost certain that the app on .113 decided to give up based on the 63 byte message sent by .132.
In a TCP connection the end that performs the active close is required to stay in TIME_WAIT state for 2MSL of time. Why exactly does it need to be 2MSL? Many people said that one MSL is for the final ACK and the other MSL is for retransmitted FIN. But, the RTO of FIN is way shorter than MSL, and the FIN doesn't need to wait for an MSL to be retransmitted. So, their explanation doesn't make sense to me. Can anyone present a specific example of how segments are exchanged during that time?
Figure 1. Packet exchange for TCP connection.
Why does the TIME_WAIT state exist?
The book <<UNIX Network Programming(Volume1,3rd)>> give an answer:
There are two reasons for the TIME_WAIT state:
To implement TCP's full-duplex connection termination reliably
To allow old duplicate segments to expire in the network
I think this is also the answer to this question(Why TIME_WAIT state need to be 2MSL long?)
First look at reason 1. In order to reliably terminate the full-duplex connection, suppose that the last ACK sent by the client in Figure 1 is lost, and the server will retransmit the FIN. In order to receive this timeout and retransmitted FIN, the client needs TIME_WAIT Status; does the TIME_WAIT status have to be 2MSL? In fact, this depends on the server-side FIN timeout retransmission time RTO. If RTO is less than MSL, then TIME_WAIT state MSL is enough. If RTO is greater than 2MSL then TIME_WAIT state 2MSL is not enough, so only when RTO is between MSL and 2MSL , Reason 1 for the existence of the TIME_WAIT state is the reason why the time of TIME_WAIT is 2MSL. In fact, in general, RTO is much smaller than MSL, but considering the worst case, RTO is 2MSL, so the TIME_WAIT state is 2MSL to ensure that the worst case can also receive the FIN that is retransmitted over time.
The time of TIME_WAIT is another important reason for 2MSL. Reason 2, in order to ensure that all packets generated during the duration of this connection disappear from the network, that is, to ensure that when a new TCP connection is established, the old duplicate packets from the connection are already in Disappeared from the network. Some people here may have a question: After the client replies to the last ACK, it feels that all packets can disappear with one MSL. Why do all packets of 2MSL disappear? The reason is:
Suppose that the client sends an ACK just after one MSL time, and the server just starts to retransmit the FIN over time before receiving the ACK, so if the FIN disappears, 2MSL is needed.
Let's recall the process
A FIN B
B ACK A
B FIN A
A ACK B
After above 4 steps, A is now at TIME_WAIT stage while B is at LASK_ACK.
What if step 4(A ACK B) is lost?
B will wait for 1 MSL for step 4, yet failed to get it, so B redo step 3, and step 3 will take 1 MSL to reach A. Hence, A has to wait for 2 MSL for a graceful wave goodbyte.
But there is another question, what if step 4 is lost again? :)
I also have the same question about this. I thought of an assumption.
In extreme senario, suppose the last ACK from client end spends MSL to reach server end. At this point, the end point thinks that this ACK has already perished due to MSL timeout. So server end retransmit the FIN imediately. In order to assure this FIN can reach client end (or if not, we have to assure its perishment), we must have another MSL.
The purpose of TIME-WAIT is to prevent delayed packets from one connection being accepted by a later connection. It can happen as:
A connection from (address a, port p) to (address b, port q) is terminated
A second connection from (address a, port p) to (address b, port q) is established
A duplicate packet from the first connection is delayed in the network and arrives at the second connection when its sequence number is in the second connection’s window.
In such cases the endponts have no idea to identify to identify which connection the packet belongs.
The two reasons for the existence of the TIME-WAIT state and the 2SML timer:
If the last ACK segment is lost, the server TCP, which sets a timer for the last FIN (Finish) bit set, assumes that its FIN is lost and resends it. If the client goes to the CLOSED state and closes the connection before the 2MSL timer expires, it never receives this resent FIN segment, and consequently, the server never receives the final ACK. The server cannot close the connection. The 2MSL timer makes the client wait for a duration that is enough time for an ACK to be lost (one SML) and a FIN to arrive (another SML). If during the TIME-WAIT state, a new FIN arrives, the client sends a new ACK and restarts the 2SML timer.
A duplicate segment from one connection might appear in the next one. Assume a client and a server have closed a connection. After a short period, they open a connection with the same socket addresses (same source and destination IP addresses and the same source and destination port numbers). A duplicated segment from the previous connection may arrive in this new connection and be interpreted as belonging to the new connection if there is not enough time between the two connections. To prevent this problem, TCP requires that an incarnation cannot occur unless a 2MSL amount of time has elapsed.
Tcp must prevent old duplicates from a connection from reappearing at some later time and being misinterpreted as belonging to a new the same connection. To do this, Tcp will not initiate a new connection that is currently in the TIME_WAIT state.
The TIME_WAIT state is twice the MSL, this allows MSL seconds for a packet in one direction to be lost, and another MSL seconds for the reply to be lost.
What could be good list of failure scenaros for testing a reliable UDP layer? I have thought of the below cases:
Drop Data packets
Drop ACK, NAK Packets
Send packets in out of sequence.
Drop intial hand shaking packets
Drop close / shutdown packets
Duplicate packets
Please help in identifying other cases that reliable UDP needs to handle?
The list you've given sounds pretty good. Also think about:
Very delayed packets (where most packets come through fine, but one or two are delayed by several minutes);
Very delayed duplicates (where the original came through quickly, but the duplicate arrived after several minutes delay);
Silent dropping of all packets above a certain size (both unidirectional and bidirectional cases);
Highly variable delays;
Sequence number wrapping tests.
Have you tried intentionally corrupting packets in transit?
Also, have you considered a scenario where only one-way communication is possible? In this case, the sending host thinks that the send failed, but the receiving end successfully processes the message. For instance:
host A sends a message to host B
B successfully receives message and replies with ACK
ACK gets dropped in the network
A waits for timeout and re-sends message (repeats steps 1-3)
host A exceeds retry count and thinks the send failed, but host B has in fact processed the message
I have thought UDP is a connectionless and unreliable protocol and that is does not require and specific transport handshake between hosts. And hence there is no such thing as a reliable UDP protocol.