Join Lisa Bock for an in-depth discussion in this video Dissecting the TCP three-way handshake, part of Troubleshooting Your Network with Wireshark.
- Transmission Control Protocol is a connection-oriented protocol. It begins with a handshake and ends with a termination session. Normal TCP traffic begins with a 3-way handshake. The SYN packet will synchronize the sequence numbers, and the first two packets of the 3-way handshake have the SYN flag set. In a 3-way handshake, a client initiates the conversation by requesting to have a communication session with a server.
First, the client sends a synchronization packet. If the server accepts, it responds with a synchronization acknowledgment saying that the door is open, the light is on, let's do this thing. The client responds with an acknowledgment. Now the session begins, and we have a socket created. There is no data sent in a 3-way handshake. Periodically, services will be refused. Then you will see a reset.
No response may indicate a firewall. You may receive an ICMP Destination Unreachable packet. The code might be that the network was unreachable or the host was unreachable, but most likely the target port is firewalled. The host may try again with another SYN packet. At the end of a conversation, generally, there is a proper termination with an exchange of FIN packets. However, sometimes the connection will simply time out and close, or no password was sent, so the connection is simply reset, or FIN packets are exchanged for a normal termination.
For normal termination, we see simply an exchange of FIN and FIN ACK packets from the client to the server, and the server back to the client. Now, we can see a TCP example. Again, this is a packet capture we've captured before, and we have a beginning and an end in this packet capture. Now, we're first going to look at the 3-way handshake. Remember, no data is transferred before we begin: we initiate contact with the server, get a response with a SYN ACK, and then our final acknowledgment, and then we can begin to send data.
Now, our 3-way handshake will begin by going to Frame 1. This is where our client initiates contact with a server. We see that the client 192.168.1.2 initiates contact with the server at 22.214.171.124. Now, this is a SYN packet, so I'm going to drop this down. We'll take a look at the Transmission Control Protocol header. I'm now going to take a look at the flags.
We're going to drop this down, and we see that the SYN flag is set. Now, in that initial packet, we're attempting to synchronize the sequence numbers. On my side, we see that the sequence number is set at 0. Coming back from the server, we see that the server at 126.96.36.199 responds to the client at 192.168.1.2 with a SYN ACK.
We go down to the flags and we see that the SYN flag is set and so is the acknowledgment flag. Again, we're trying to synchronize the sequence numbers. As expected, the sequence number is 0. Now, we have set this as relative sequence numbers in Wireshark so they make sense. Our third packet is the third packet in the 3-way handshake. At this point, the client at 192.168.1.2 sends to the server at 188.8.131.52 the final acknowledgment.
We'll take a look at that and we see that the acknowledgment flag is set. Now, we see the sequence number is 1. Now, we can begin transferring data. During that 3-way handshake, we see the length is 0, because there is no data. Remember, it's only a handshake. Now, we'll bring these up, and now we're going to take a look and locate a FIN packet. With Transmission Control Protocol being a connection-oriented protocol, we have a setup, and then we have a tear-down.
We have the tear-down with an exchange of FIN packets. Let's locate some packets with the FIN flag set. I'm going to expand the TCP header, and let's prepare a filter. We'll go down here to the FIN flag and right-click. Now, if I say Apply as Filter, it's going to simply run it, and as you see, that FIN flag is set at 0. I want to Prepare as Filter, Selected, and modify that. So, tcp.flags.fin is set at 0.
I'm going to say give me the ones that are set at 1 and apply. Now, I can see at Frame 38 we have an exchange of FIN packets along with 39. I'll clear that, and we'll go down to that, and see how the connection closes. At the end of the conversation, we do see an exchange of FIN and FIN ACK packets. Go down below and take a look at the flags that are set. In this case, you see the FIN flags set and the acknowledgment flag set. They're set from the client to the server, then the server back to the client.
This closes the connection and completes the session.
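The dissection walked through in the video (SYN, SYN ACK, ACK with zero-length payloads, Wireshark's relative sequence numbers, the `tcp.flags.fin == 1` display filter, and the refused/no-response cases) can be reproduced on raw TCP headers. The following is an added example written for this page; it is not code from the video or the course. It builds a constructed eight-frame HTTP session (client 192.168.1.2:49152 to a hypothetical server 10.0.0.5:80, with made-up initial sequence numbers) and dissects it with a minimal TCP header parser; `classify_open`, `relative_numbers` and `apply_filter` are names chosen here, not Wireshark APIs.

```python
import struct
from dataclasses import dataclass

# TCP flag bits as they sit in the low bits of the 16-bit "data offset / flags" field.
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "reset": 0x04, "push": 0x08, "ack": 0x10, "urg": 0x20}


@dataclass
class TcpSegment:
    frame: int
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    payload_len: int

    def has(self, name):
        return bool(self.flags & TCP_FLAGS[name])

    def flag_names(self):
        return [n for n, bit in TCP_FLAGS.items() if self.flags & bit]


def build_tcp(sport, dport, seq, ack, flags, payload=b""):
    """Build a 20-byte TCP header (data offset 5, no options) plus payload.
    The checksum is left at 0: we are dissecting these bytes, not transmitting them."""
    offset_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, 65535, 0, 0) + payload


def parse_tcp(frame, src, dst, data):
    sport, dport, seq, ack, offset_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    header_len = (offset_flags >> 12) * 4   # data offset is counted in 32-bit words
    flags = offset_flags & 0x01FF           # 9 flag bits (NS, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN)
    return TcpSegment(frame, src, dst, sport, dport, seq, ack, flags, len(data) - header_len)


def dissect(capture):
    """capture is a list of (src_ip, dst_ip, tcp_bytes); frames are numbered from 1 like Wireshark."""
    return [parse_tcp(i + 1, src, dst, data) for i, (src, dst, data) in enumerate(capture)]


def relative_numbers(segments):
    """Wireshark-style relative Seq/Ack: subtract each direction's initial sequence number,
    i.e. the seq of the first segment seen flowing that way."""
    isn, out = {}, []
    for s in segments:
        fwd, rev = (s.src, s.sport, s.dst, s.dport), (s.dst, s.dport, s.src, s.sport)
        isn.setdefault(fwd, s.seq)
        rel_ack = s.ack - isn[rev] if (s.has("ack") and rev in isn) else 0
        out.append((s.seq - isn[fwd], rel_ack))
    return out


def classify_open(segments):
    """Judge the first three segments: proper 3-way handshake, refused, or unanswered."""
    syn = segments[0]
    if not (syn.has("syn") and not syn.has("ack") and syn.payload_len == 0):
        return "not a SYN"
    if len(segments) < 2:
        return "no response (filtered/dropped?)"
    reply = segments[1]
    if reply.has("reset"):
        return "refused (RST)"
    if not (reply.has("syn") and reply.has("ack") and reply.ack == syn.seq + 1):
        return "bad SYN/ACK"
    if len(segments) < 3:
        return "incomplete handshake"
    final = segments[2]
    if final.has("ack") and not final.has("syn") and final.ack == reply.seq + 1 and final.payload_len == 0:
        return "established"
    return "bad final ACK"


def apply_filter(segments, expr):
    """Tiny subset of Wireshark display-filter syntax: 'tcp.flags.<name> == 0|1'. Returns frame numbers."""
    field, _, value = expr.partition("==")
    name = field.strip()
    name = name[len("tcp.flags."):] if name.startswith("tcp.flags.") else name
    want = value.strip() == "1"
    return [s.frame for s in segments if s.has(name) == want]


def constructed_capture():
    """Constructed (not captured) session: handshake, one request/response, FIN/ACK teardown."""
    c, s, cp, sp = "192.168.1.2", "10.0.0.5", 49152, 80   # hypothetical endpoints
    cisn, sisn = 1000000, 5000000                          # made-up initial sequence numbers
    req, resp = b"GET / HTTP/1.0\r\n\r\n", b"HTTP/1.0 200 OK\r\n\r\n"
    SYN, ACK, FIN, PSH = TCP_FLAGS["syn"], TCP_FLAGS["ack"], TCP_FLAGS["fin"], TCP_FLAGS["push"]
    return [
        (c, s, build_tcp(cp, sp, cisn, 0, SYN)),                                            # frame 1
        (s, c, build_tcp(sp, cp, sisn, cisn + 1, SYN | ACK)),                               # frame 2
        (c, s, build_tcp(cp, sp, cisn + 1, sisn + 1, ACK)),                                 # frame 3
        (c, s, build_tcp(cp, sp, cisn + 1, sisn + 1, PSH | ACK, req)),                      # request
        (s, c, build_tcp(sp, cp, sisn + 1, cisn + 1 + len(req), PSH | ACK, resp)),          # response
        (c, s, build_tcp(cp, sp, cisn + 1 + len(req), sisn + 1 + len(resp), FIN | ACK)),    # client FIN
        (s, c, build_tcp(sp, cp, sisn + 1 + len(resp), cisn + 2 + len(req), FIN | ACK)),    # server FIN
        (c, s, build_tcp(cp, sp, cisn + 2 + len(req), sisn + 2 + len(resp), ACK)),          # final ACK
    ]


if __name__ == "__main__":
    segs = dissect(constructed_capture())
    for seg, (rseq, rack) in zip(segs, relative_numbers(segs)):
        print(f"Frame {seg.frame}: {seg.src} -> {seg.dst} [{', '.join(seg.flag_names()).upper()}] "
              f"Seq={rseq} Ack={rack} Len={seg.payload_len}")
    print("open:", classify_open(segs))
    print("tcp.flags.fin == 1 ->", apply_filter(segs, "tcp.flags.fin == 1"))
```

Running it prints the same picture the video builds by hand: frames 1 to 3 carry SYN, SYN/ACK and ACK with relative Seq 0, 0, 1 and Len 0, and the FIN filter matches only the two teardown frames. `classify_open` also distinguishes the two failure modes the video mentions, a SYN answered by RST (refused) and a SYN with no answer at all (typically filtered), which is what you would check first when a connection "just hangs".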