I am building an app where my phone frequently sends data to my server. Since I would be using my mobile data, I was wondering how much data it costs to set up (and tear down?) a TCP connection to my server.
TCP Three-way handshake
Device 1 sends its TCP sequence number and maximum segment size to Device 2.
Device 2 responds by sending its sequence number and maximum segment size to Device 1.
Device 1 acknowledges receipt of the sequence number and segment size information.
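You can watch this exchange for yourself: a plain connect()/close() from any socket API produces exactly these packets. A minimal Python sketch, with example.com and port 80 as placeholder values, that you can run while capturing with tcpdump:

    import socket

    # The three-way handshake happens inside connect(); no application data is sent.
    # Watch it with, e.g.: tcpdump -i any 'tcp and host example.com'
    s = socket.create_connection(("example.com", 80), timeout=5)

    # close() triggers the FIN/ACK teardown described below.
    s.close()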
Each packet is composed of an IP header and data (payload). In this case, the payload is a TCP segment. The TCP header contains various fields including the source and destination ports, sequence and acknowledgment numbers, window size, TCP flags, urgent pointer, and reserved bits.
Like the IP header, the TCP header may also contain options. (Note that TCP options and IP options are two different things.) Because TCP options change the length of the TCP header, that length is recorded in the header's data-offset field.
The IPv4 header (without options) is five 4-byte words, or 20 bytes total.
TCP typically uses 24 bytes of header during the handshake (the first two packets carry options) and about 20 bytes for normal packet transmission.
Maximum Segment Size (MSS): 4 bytes
Window Scale (WSCALE): 3 bytes
Timestamp (TS): 10 bytes
No Operation (NOP): 1 byte
Selective Acknowledgment Permitted (SackOK): 2 bytes
Selective Acknowledgment Data: 10 bytes (plus 8 bytes for each additional pair of sequence numbers)
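To see how these option sizes add up, here is a small back-of-the-envelope sketch in Python using the sizes listed above; the minimal case (MSS option only) matches the 24-byte handshake header mentioned earlier, while a typical modern stack sends the full option mix:

    BASE_TCP_HEADER = 20

    # Minimal SYN carrying only the MSS option (the assumption behind the totals below):
    minimal_syn_header = BASE_TCP_HEADER + 4                # 24 bytes

    # A SYN from a typical modern stack adds SackOK, Timestamp, NOP and Window Scale:
    full_option_mix = 4 + 2 + 10 + 1 + 3                    # 20 bytes of options
    typical_syn_header = BASE_TCP_HEADER + full_option_mix  # 40 bytes, already a multiple
                                                            # of 4, so no padding needed
    print(minimal_syn_header, typical_syn_header)           # 24 40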
Terminating a Connection
Even though establishing a connection using 3-way handshake requires only 3 packets to be transmitted, tearing down one requires 4!
In the first frame, the client sends a FIN accompanied by an ACK. The FIN flag tells the server that the client has no more data to send.
The response (second frame) is simply the server acknowledging the FIN sent by the client.
Even though TCP has established a connection between the two computers, the two directions of that connection are independent of one another, so the server will also transmit a FIN of its own to the client.
You guessed it right ... the client ACKs the server's FIN in the last, fourth packet.
The TCP header length (data offset) of each of these frames is typically 20 bytes.
To sum it up:
Establishing a connection: ~ 128-136 bytes
Tearing down a connection: ~ 160 bytes
If you plan to use a TLS/SSL handshake as well, that is estimated to be between 4.5k and 6.5k bytes.
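Those totals come from simple per-packet arithmetic; here is the same calculation as a hedged sketch, assuming 20-byte IPv4 headers, 24-byte TCP headers on the SYN and SYN-ACK, 20-byte TCP headers elsewhere, and no link-layer overhead:

    IP = 20          # IPv4 header without options
    TCP = 20         # TCP header without options
    TCP_SYN = 24     # TCP header carrying the MSS option

    setup = (IP + TCP_SYN) + (IP + TCP_SYN) + (IP + TCP)   # SYN + SYN-ACK + ACK
    teardown = 4 * (IP + TCP)                              # FIN/ACK, ACK, FIN/ACK, ACK
    print(setup, teardown)                                 # 128 160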
Note: Please also take a look at TCP/IP Header Compression
Sources:
Inside the TCP Handshake
Explanation of the Three-Way Handshake via TCP/IP
Studying Normal Traffic, Part Three: TCP Headers | Symantec Connect
Related
I've noticed in Wireshark that I'm able to send 4096 bytes of data to an HTTP web server (from uploading a file); however, the server only seems to be acknowledging data 1460 bytes at a time. Why is this the case?
The size of TCP segments is restricted to the MSS (Maximum Segment Size), which is basically the MTU (Maximum Transmission Unit) less the bytes comprising the IP and TCP overhead. On a typical Ethernet link, the MTU is 1500 bytes and basic IP and TCP headers comprise 20 bytes each, so the MSS is 1460 (1500 - 20 - 20).
If you're seeing packets indicated with a length field of 4096 bytes, then it almost certainly means that you're capturing on the transmitting host and Wireshark is being handed the large packet before it's segmented into 1460 byte chunks. If you were to capture at the receiving side, you would see the individual 1460 byte segments arriving and not a single, large 4096 byte packet.
For further reading, I would encourage you to read Jasper Bongertz's blog titled, "The drawbacks of local packet captures".
TCP by default uses path MTU discovery:
When the system sends a packet to the network, it sets the Don't Fragment (DF) flag in the IP header.
When an IP router (or your local machine) sees a DF packet that would have to be fragmented to fit the MTU of the next-hop link, it sends back feedback (an ICMP "Fragmentation Needed" message) that contains the new MTU.
When the system receives the Fragmentation Needed ICMP message, it adjusts the MSS and sends the data again.
This procedure is performed to reduce the overall load on the network and to increase the probability that each packet is delivered.
This is why you see 1460-byte segments.
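If you want to check what path MTU discovery actually settled on for a given connection, here is a Linux-only sketch; IP_MTU is a Linux socket option (value 14 in <linux/in.h>) that is not always exposed by Python's socket module, so the fallback constant is an assumption about your platform, and example.com is a placeholder:

    import socket

    # Linux-only: IP_MTU may be missing from the socket module on some builds.
    IP_MTU = getattr(socket, "IP_MTU", 14)

    s = socket.create_connection(("example.com", 80), timeout=5)
    path_mtu = s.getsockopt(socket.IPPROTO_IP, IP_MTU)           # discovered path MTU
    mss = s.getsockopt(socket.IPPROTO_TCP, socket.TCP_MAXSEG)    # segment size in use
    print(path_mtu, mss)    # typically 1500 and 1460 on a plain Ethernet path
    s.close()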
Regarding your question, "the server only seems to be acknowledging data 1460 bytes at a time. Why is this the case?":
TCP keeps track of a window that defines how many bytes of data can be sent without an acknowledgment. Its purpose is to provide flow control (the sender can't send more data than the receiver can process) and congestion control (the sender can't send so much data that it overloads the network). The window is set by the receiver and may grow during the connection as TCP estimates the real channel bandwidth. So you may see one ACK that acknowledges several packets.
We all know that TCP is a streaming protocol.
Unlike UDP, which guarantees that the whole client message will be delivered to the server as a single datagram (we're talking about the transport layer, so set MTU aside for the moment), TCP can split one "message" (the data that was passed to the send function) into several smaller packets, so we have to use our own delimiters as message borders.
The question is: how does TCP choose which data should be split up, and into what sizes? Are there any common/standard methods that it uses?
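(For context, the "own delimiters" mentioned above usually end up looking something like this length-prefix sketch; send_msg and recv_msg are made-up helper names, not a standard API.)

    import struct

    # Hypothetical length-prefix framing: each application "message" is preceded by a
    # 4-byte big-endian length, so the receiver can rebuild message borders no matter
    # how TCP splits the byte stream into segments.
    def send_msg(sock, payload: bytes) -> None:
        sock.sendall(struct.pack("!I", len(payload)) + payload)

    def recv_exact(sock, n: int) -> bytes:
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("peer closed mid-message")
            buf += chunk
        return buf

    def recv_msg(sock) -> bytes:
        (length,) = struct.unpack("!I", recv_exact(sock, 4))
        return recv_exact(sock, length)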
TCP uses a parameter called Maximum Segment Size:
The maximum segment size (MSS) is a parameter of the options field of the TCP header that specifies the largest amount of data, specified in bytes, that a computer or communications device can receive in a single TCP segment. It does not count the TCP header or the IP header. The IP datagram containing a TCP segment may be self-contained within a single packet, or it may be reconstructed from several fragmented pieces; either way, the MSS limit applies to the total amount of data contained in the final, reconstructed TCP segment.
The default TCP Maximum Segment Size is 536. Where a host wishes to set the maximum segment size to a value other than the default, the maximum segment size is specified as a TCP option, initially in the TCP SYN packet during the TCP handshake. The value cannot be changed after the connection is established.
If path MTU discovery is enabled, the MSS is derived from the discovered path MTU minus the IP and TCP header sizes.
On Linux, the TCP_MAXSEG socket option controls this parameter:
if this option is set before connection establishment, it also changes the MSS value announced to the other end in the initial packet. Values greater than the (eventual) interface MTU have no effect. TCP will also impose its minimum and maximum bounds over the value provided.
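A minimal sketch of both directions of that on Linux, reading the effective MSS and clamping the announced one before connect() (example.com and the 1200-byte value are arbitrary placeholders):

    import socket

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Setting TCP_MAXSEG *before* connect() changes the MSS announced in the SYN;
    # the kernel still imposes its own minimum and maximum bounds on the value.
    s.setsockopt(socket.IPPROTO_TCP, socket.TCP_MAXSEG, 1200)
    s.connect(("example.com", 80))
    print(s.getsockopt(socket.IPPROTO_TCP, socket.TCP_MAXSEG))   # effective MSS
    s.close()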
We're seeing this pattern happen a lot between two RHEL 6 boxes that are transferring data via a TCP connection. The client issues a TCP Window Full, 0.2s later the client sends TCP Keep-Alives, to which the server responds with what look like correctly shaped responses. The client is unsatisfied by this however and continues sending TCP Keep-Alives until it finally closes the connection with an RST nearly 9s later.
This is despite the RHEL boxes having the default TCP Keep-Alive configuration:
net.ipv4.tcp_keepalive_time = 7200
net.ipv4.tcp_keepalive_probes = 9
net.ipv4.tcp_keepalive_intvl = 75
...which says that keep-alives should only start after 2 hours of silence. Am I reading my PCAP wrong (relevant packets available on request)?
Below is a Wireshark screenshot of the pattern, with my own packet notes in the middle.
Actually, these "keep-alive" packets are not used for TCP keep-alive! They are used to detect window-size updates.
Wireshark treats them as keep-alive packets just because they look like keep-alive packets.
A TCP keep-alive packet is simply an ACK with the sequence number set to one less than the current sequence number for the connection.
(We assume that IP 10.120.67.113 refers to host A and 10.120.67.132 refers to host B.) In packet No. 249511, A acks seq 24507484. In the next packet (No. 249512), B sends seq 24507483 (24507484 - 1).
Why are there so many "keep-alive" packets, and what are they used for?
A sends data to B, and B replies with a zero window size to tell A that it temporarily can't receive any more data. To make sure A finds out when B can receive data again, A sends these "keep-alive" packets to B again and again on a persist timer, and B replies with its window size information (in our case, B's window size has remained zero).
The normal TCP exponential backoff is used when calculating the persist timer. That is why A sends its first "keep-alive" packet after 0.2s, its second after 0.4s, its third after 0.8s, its fourth after 1.6s, and so on.
This phenomenon is related to TCP flow control.
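You can reproduce this zero-window / persist-timer pattern on loopback and watch it in Wireshark; a minimal sketch, assuming local port 50007 is free:

    import socket, threading, time

    def receiver():
        # Accept a connection but never call recv(), so the receive buffer fills up
        # and the kernel starts advertising a zero window.
        srv = socket.socket()
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", 50007))
        srv.listen(1)
        conn, _ = srv.accept()
        time.sleep(60)          # hold the connection open without reading

    threading.Thread(target=receiver, daemon=True).start()
    time.sleep(0.5)

    snd = socket.create_connection(("127.0.0.1", 50007))
    snd.setblocking(False)
    try:
        while True:
            snd.send(b"x" * 65536)   # fails once the peer window and local buffer are full
    except BlockingIOError:
        pass

    # While we wait, the sender's stack emits window probes on the persist timer
    # (0.2s, 0.4s, 0.8s, ... exponential backoff), which Wireshark may label as
    # keep-alives or zero-window probes, exactly as described above.
    time.sleep(30)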
The source and destination IP addresses in the packets originating from the client do not match the destination and source IP addresses in the response packets, which indicates that there is some device between the boxes doing NAT. It is also important to understand where the packets were captured. A packet capture on the client itself will probably help in understanding the issue.
Please note that the client can generate TCP keepalive if it does not receive a data packet for two hours or more. As per RFC 1122, the client retries keepalive if it does not receive a keepalive response from the peer. It eventually disconnects after continuous retry failure.
NAT devices typically implement connection caches to maintain the state of ongoing connections. If the cache reaches its size limit, the NAT device drops old connections in order to service new connections. This could also lead to such a scenario.
The given packet capture indicates that there is a high probability that packets are not reaching the client, so it will be helpful to capture packets on client machine.
I read the trace slightly differently:
The sender sends more data than the receiver can handle and gets a zero-window response.
The sender then sends window probes (not keep-alives; it is far too soon for that), and the application gives up after 10 seconds with no progress and closes the connection. The reset indicates there is data pending in the TCP send buffer.
If the application writes to the socket with a large block size, it may have seen no progress for even longer than the 10 seconds visible in the tcpdump.
If this is a straight connection (no proxies, etc.), the most likely reason is that the receiving application stopped receiving (or is slower than the sender and the data transmission).
It looks to me like packet number 249522 provoked the application on 10.120.67.113 to abort the connection. All the window probes get a zero window response from .132 (with no payload) and then .132 sends (unsolicited) packet 249522 with 63 bytes (and still showing 0 window). The PSH flag suggests that this 63 bytes is the entire data written by the app on .132. Then .113 in the same millisecond responds with an RST. I can't think of any reason why the TCP stack would send a RST immediately after receiving data (sequence numbers are correct). In my view it is almost certain that the app on .113 decided to give up based on the 63 byte message sent by .132.
The TCP RFC mentions that the receiver should send an ACK for at least every 2 full-sized segments it receives (assuming they are in order) and should not excessively delay an ACK.
Considering the window size is 8 segments and sender sends 8 full segments, does this mean, the receiver sends 4 ACKs even though it has received 8 segments?
Can it not acknowledge all 8 segments with one ACK?
I'll just copy-paste the important part of the RFC right here:
4.2.3.2 When to Send an ACK Segment
A host that is receiving a stream of TCP data segments can
increase efficiency in both the Internet and the hosts by
sending fewer than one ACK (acknowledgment) segment per data
segment received; this is known as a "delayed ACK" [TCP:5].
A TCP SHOULD implement a delayed ACK, but an ACK should not
be excessively delayed; in particular, the delay MUST be
less than 0.5 seconds, and in a stream of full-sized
segments there SHOULD be an ACK for at least every second
segment.
The full RFC can be found here: RFC 1122
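If you want to see the difference on a live socket, Linux exposes TCP_QUICKACK, which temporarily turns delayed ACKs off for the receiving side; a minimal loopback sketch (Linux-only, and the kernel re-enables delayed ACKs on its own, so the option has to be re-armed if you need it continuously):

    import socket

    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    cli = socket.create_connection(srv.getsockname())
    conn, _ = srv.accept()

    # With TCP_QUICKACK set, the receiver ACKs incoming segments immediately instead
    # of waiting for a second full-sized segment or the delayed-ACK timer.
    conn.setsockopt(socket.IPPROTO_TCP, socket.TCP_QUICKACK, 1)

    cli.sendall(b"x" * 3000)
    print(len(conn.recv(4096)))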
My application connects to the server using TCP and system is working fine. Using Wireshark I noticed that some TCP packets of 60 bytes are sent with no data. Is this normal?
As part of TCP transmissions and the handshake, are there some packets sent with no data?
Thanks
Kumar
Yes, there are ACK packets that carry no data and only acknowledge received data. Wireshark should display the TCP flags for these empty packets.
To be more precise, you should show a screenshot of the Wireshark capture, so we know which size you mean.
In the meantime, I dissected an ACK packet from IPv4 TCP traffic, and these are my results:

Protocol               Size       Description
Ethernet protocol      14 bytes   2 MAC addresses (6 bytes each) + protocol type (2 bytes)
Internet protocol      20 bytes   The default header size
TCP protocol           32 bytes   The default header size (20 bytes) + options (12 bytes)
_____________________________________________________________________________________
Total                  66 bytes
Without Ethernet       52 bytes   (probably the size the OP is talking about)
Without Ethernet/opts  40 bytes   (the size talked about in the comments)

The options in my case were 2 NOPs (1 byte each) and one timestamp option (10 bytes: kind, length, and two 4-byte timestamp values). The order of the protocols is the same as in Wireshark.
Wireshark splits the information down to each field, so you can see what takes up how much space.
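For a quick recap of the arithmetic in the table above (the layer sizes are the ones observed in this particular capture):

    ethernet = 14        # 2 x 6-byte MAC addresses + 2-byte protocol type
    ipv4 = 20            # default IPv4 header
    tcp = 20 + 12        # default TCP header + options (2 NOPs + 10-byte timestamp)

    print(ethernet + ipv4 + tcp)   # 66 bytes as captured by Wireshark
    print(ipv4 + tcp)              # 52 bytes, probably the size the OP is seeing
    print(ipv4 + 20)               # 40 bytes, the size discussed in the comments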