I wonder if the Don't Fragment flag is always set for TCP SYN packets.
By looking at some Wireshark captures this seems to be the case and according to Benefits of "Don't Fragment" on TCP Packets? the "DF flag is typically set on IP packets carrying TCP segments".
Is there a RFC about that?
Related
I couldn't understand why UDP header has 'length' field, and why it is needed?
If the reason is to know where the 'application message(L5 data)' begins in the segment, it can just be gotten from 'UDP data - UDP header length(it is already known value)'.
Because UDP can be transmitted over another protocol than IP.
And also because UDP transmits datagram messages with a length (udp length) which can be sent over multiple IP fragmented packets.
Source: https://notes.shichao.io/tcpv1/ch10/
The UDP header length field is the length of the UDP header plus the UDP data. It is indeed redundant since this length can be calculated from the IP header total length field where the UDP datagram length is the IP total length minus the IP header length.
UDP uses message stream NON FIFO as communication model between the sender and receiver. If the size is not mentioned then it will not be possible to decipher the message at rxr.
Say m1m2m3 is sent then each message to be notified so that u can trace back the message.
Regards
What happen when ICMP is disabled in an router and when packet size greater than MTU how the router fragments that packet?Will TCP header be present in IP fragmented packets?
I don't test this scenario but ... I think that if the IP fragmentation is enabled, your IP packet data part will be fragmented and transferred independently because the fragmentation was used at L3 layer. Without ICMP, the sending computer don't know that the packet size is bigger than the allowed network MTU and it cannot send new fragmented data at L4 layer (TCP header will be presented in each packet). But we are fragmenting on L3 layer and we have to use fragment offset field. I think that the TCP header will be presented only in one packet, followed by fragmented TCP data part.
Try to make an experiment to test this behavior.
I'm filtering packets with libpcap with a filter like "tcp src localhost". It filters all the packets whose source is localhost (my host).
When localhost doesn't receive a TCP confirmation of an already sendt packet, localhost will forward the packet.
Not all the packets filtered by libpcap will arrive to its destination, and I need to identify when a packet is a "forwarded packet". Is there any way with libpcap to identify a forwarded packet?
By my understanding, you're looking for TCP retransmissions. These can be found by display fitters in wireshark after capturing. These two should help you:
Retransmitted packets can be found through the display filter tcp.analysis.retransmission (more such filters).
When the receiver gets an out-of-order packet (usually indicates lost packet), it sends a ACK for the missing seq number. This is a duplicate ACK and these can be found by using tcp.analysis.duplicate_ack (details).
I use raw socket to create TCP packets, with focus on the sequence number and TCP flags(SYN, ACK)
I used one machine S to send a tcp ACK packet (flag ACK is set to 1) and another machine R to receive it these two machines are in different subnets, all in my school
meanwhile, I used tcpdump to capture the packets.
Strange things happens! On machine S, the captured packet is as expected, it is an ACK packet however, on the receiving machine R, the packet becomes a SYN packet, and the sequence number is changed, the seq no is 1 smaller the expected and the ack_seq become 0!
what are potential problems?
my guess is that the router/firewall modified the ACK packet to a SYN packet because it never sees a SYN SYN/ACK exchange ahead of the ACK?
is it possible or not?
the two captured packets are:
https://docs.google.com/file/d/0B09y_TWqTtwlVnpuUlNwUmM1YUE/edit?usp=sharing
https://docs.google.com/file/d/0B09y_TWqTtwlTXhjUms4ZnlkMVE/edit?usp=sharing
The biggest problem you will encounter will be that the receiving TCP stack in each case will receive the packet and possibly reply to it. What you are attempting is really not possible.
I have a question on how TCP_ACK works when the original packet are fragmented.
For example, original packet size is 1,500*N bytes and MTU is 1,500. Then, the packet will be frgmented into (approximately) N packets.
In this case, how does the receiver sends TCP_ACK to the sender?
I checked with wireshark, it seems that the receiver sends TCP_ACK for every two fragmented packet. Is it right?
Could you give me some refereces for this or explanation?
Thanks.
IP layer on the receiver stack reassembles all the IP fragments into a single TCP segment before handing the packet over to TCP. Under normal conditions, TCP should send only one ACK for the entire TCP segment. The ACK # would be the next expected SEQ # as usual.