Network traffic analysis for IR: TCP protocol with Wireshark


Introduction to TCP

The Transmission Control Protocol (TCP) is one of the most commonly used protocols on the Internet. Unlike UDP (User Datagram Protocol), TCP is not a "fire and forget" protocol. TCP numbers the bytes it sends, requires the receiver to acknowledge them, and retransmits any segment that is not acknowledged in time.

As a result, TCP is ideally suited for applications that require a high level of reliability in their communication channels. One common use of TCP is to transport Hypertext Transfer Protocol (HTTP) packets that make requests and serve web pages.

TCP in Wireshark

TCP differs from other protocols because it is intended to provide reliable data transfer. As a result, a TCP conversation is very formalized, using several different types of segments denoted by different TCP flags. A TCP connection is established with a three-way handshake (SYN, SYN/ACK, ACK) before any application data is sent, and from then on the protocol guarantees the sender and receiver in-order, acknowledged delivery.

TCP flags

One of the main differentiators between TCP and UDP packets is the use of flags in TCP. Like ICMP types and codes, TCP flags describe the purpose of the packet. The six original TCP flags (RFC 793) are:

  • SYNchronize: requests a connection and synchronizes the initial sequence number
  • ACKnowledgement: acknowledges receipt of data (carries a valid acknowledgement number)
  • FINish: gracefully closes one direction of a connection
  • ReSeT: immediately terminates a connection (or rejects one that does not exist)
  • PuSH: tells the recipient to deliver the buffered data to the application immediately (instead of waiting for more)
  • URGent: marks that the segment carries urgent data, located by the urgent pointer field

Wireshark also decodes the later ECN-related CWR and ECE flags and the NS bit; they are rarely relevant to incident response and are not covered here.

Different flags are used at different points in a TCP session. Some appear only at a specific stage of the connection (SYN during the handshake, FIN during teardown), ACK is set on almost every segment once the handshake is complete, and PSH is routinely set on segments that carry application data. RST and URG are the ones that should stand out: RST appears when a connection is refused or torn down abruptly, and URG is almost never seen in legitimate modern traffic.

TCP connections and their use of flags are highly stereotyped, which is exactly what makes flag abuse detectable. A common reason to send abnormal flag combinations (no flags at all, FIN/PSH/URG together, SYN combined with FIN) is to see how different operating systems respond, since TCP stacks differ in how they handle packets that the standard never anticipated.
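The following is an added example, not code from the original article, that puts the handshake, teardown and flag-abuse points above into working code. It parses the fixed 20-byte TCP header with the standard library, decodes the flag bits, and classifies each segment as a normal stage of a session or as an abnormal combination that no legitimate stack would send. The segment bytes are constructed inline rather than taken from a real capture, and the classification labels and scan names are this example's own choice.

```python
import struct

# Flag bits as laid out in the 16-bit "data offset / reserved / flags" word of the
# TCP header: the six RFC 793 flags plus ECE/CWR (RFC 3168) and NS (RFC 3540).
TCP_FLAGS = {
    "FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008,
    "ACK": 0x010, "URG": 0x020, "ECE": 0x040, "CWR": 0x080, "NS": 0x100,
}


def parse_tcp_header(data: bytes) -> dict:
    """Parse the fixed part of a TCP header (network byte order, options ignored)."""
    if len(data) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, _csum, urg = struct.unpack("!HHIIHHHH", data[:20])
    flag_bits = off_flags & 0x1FF
    return {
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "ack": ack,
        "data_offset": (off_flags >> 12) * 4,   # header length in bytes
        "flags": {name for name, bit in TCP_FLAGS.items() if flag_bits & bit},
        "window": window,
        "urgent_pointer": urg,
    }


def build_tcp_header(sport, dport, seq, ack, flags, window=65535, urgent=0) -> bytes:
    """Build a 20-byte TCP header (no options, checksum left as zero) for test input."""
    flag_bits = 0
    for name in flags:
        flag_bits |= TCP_FLAGS[name]
    off_flags = (5 << 12) | flag_bits           # data offset 5 words = 20 bytes
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, urgent)


def classify_segment(flags: set) -> str:
    """Map a flag set to the role it plays in a normal session, or label it abnormal."""
    # Impossible combinations first: these never occur in a legitimate connection and
    # are the signatures of OS-fingerprinting and port-scanning probes.
    if "SYN" in flags and ("FIN" in flags or "RST" in flags):
        return "abnormal: SYN with FIN/RST"
    if not flags:
        return "abnormal: no flags (null scan)"
    if {"FIN", "PSH", "URG"} <= flags and "ACK" not in flags:
        return "abnormal: FIN+PSH+URG without ACK (xmas scan)"
    # Normal stages, in order of precedence.
    if "RST" in flags:
        return "reset"
    if "SYN" in flags:
        return "handshake: SYN/ACK" if "ACK" in flags else "handshake: SYN"
    if "FIN" in flags:
        return "teardown: FIN"
    if "ACK" in flags:
        return "data" if "PSH" in flags else "ack"
    return "abnormal: " + "+".join(sorted(flags))


def example_session() -> list:
    """Constructed sample, not a real capture: a full HTTP-style session, then three probes."""
    c, s = 40000, 80
    segments = [
        build_tcp_header(c, s, 1000, 0, {"SYN"}),                # handshake step 1
        build_tcp_header(s, c, 5000, 1001, {"SYN", "ACK"}),      # handshake step 2
        build_tcp_header(c, s, 1001, 5001, {"ACK"}),             # handshake step 3
        build_tcp_header(c, s, 1001, 5001, {"PSH", "ACK"}),      # request data
        build_tcp_header(s, c, 5001, 1101, {"PSH", "ACK"}),      # response data
        build_tcp_header(c, s, 1101, 5301, {"FIN", "ACK"}),      # client closes
        build_tcp_header(s, c, 5301, 1102, {"FIN", "ACK"}),      # server closes
        build_tcp_header(c, s, 1102, 5302, {"ACK"}),             # final ack
        build_tcp_header(c, s, 0, 0, set()),                     # null scan probe
        build_tcp_header(c, s, 0, 0, {"FIN", "PSH", "URG"}),     # xmas scan probe
        build_tcp_header(c, s, 0, 0, {"SYN", "FIN"}),            # impossible combination
    ]
    return [classify_segment(parse_tcp_header(seg)["flags"]) for seg in segments]


if __name__ == "__main__":
    for i, label in enumerate(example_session(), 1):
        print(f"segment {i:2d}: {label}")
```

The same checks translate directly into Wireshark display filters once you are looking at a real capture: `tcp.flags.syn == 1 && tcp.flags.ack == 0` isolates connection attempts, `tcp.flags.reset == 1` shows refused or aborted connections, `tcp.flags == 0x000` finds null-scan probes, and `tcp.flags.fin == 1 && tcp.flags.syn == 1` finds the SYN+FIN combination that no normal stack sends.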
