In computer networking and communication, the term 3-way handshake usually refers to the three-step establishment of a TCP connection between the initiator (client) and the destination (server). When people open a website through a web browser, a TCP 3-way handshake is performed in order to get the page they want. However, for a casual user this TCP connection phase is not important, since what they are after is the content of the website. Meanwhile, for computer students and practitioners, especially in the network and communication fields, this is probably the most basic concept of how people interact with a website.
While the 3-way handshake refers to the connecting phase, there is another term, the 4-way handshake, for when people terminate the connection to the web server they are connected to. The 3 and 4 in these terms refer to the number of flags and packet flows involved in the process. In order to see how this process works, there are some tools that help monitor it. In this section, I will use two common tools, Wireshark and tcpdump.
The process was simple: turn on tcpdump and Wireshark, then open a web page. Once the page is fully loaded, close the page. Then turn off tcpdump and Wireshark to get the full result.
3-way handshake
This term consists of the SYN, SYN-ACK, and ACK operations. Finding these is relatively easy since most of the time these packets will be at the top of the tcpdump and Wireshark capture. First we will analyze the tcpdump lines of the packets.
17:55:56.883445 IP 192.168.0.104.35514 > 185.11.240.184.80: Flags [S], seq 2284771406, win 29200, options [mss 1460,sackOK,TS val 2784161 ecr 0,nop,wscale 7], length 0
17:55:56.906077 IP 185.11.240.184.80 > 192.168.0.104.35514: Flags [S.], seq 1587779942, ack 2284771407, win 4356, options [mss 1460,nop,nop,TS val 3919552311 ecr 2784161,sackOK,eol], length 0
17:55:56.906118 IP 192.168.0.104.35514 > 185.11.240.184.80: Flags [.], ack 1, win 29200, options [nop,nop,TS val 2784167 ecr 3919552311], length 0
Analysis:
- Packet 1:
· The IP address 192.168.0.104 is my IP address, the source that initiated the connection. The source port number is 35514.
· 185.11.240.184 is the destination IP address. The web server is obviously on the HTTP port (port no. 80).
· The next part of the packet is the S flag (SYN).
· The sequence number of this packet is 2284771406 and belongs to the client.
· The window size is specified as 29200 and the MSS is 1460.
· The length 0 means there is no data sent during this connection establishment.
- Packet 2:
· In this packet, 185.11.240.184 is the source and my IP address is the destination.
· The flags on this packet are S and ‘.’. The S indicates a SYN and the ‘.’ is the placeholder for other flags, of which there are none.
· The sequence number of this packet is 1587779942 and belongs to the destination host. Therefore the sequence number is different from the 1st packet, since the 1st packet's sequence number belongs to the client.
· The ack number is 2284771407, which is one more than the client’s initial sequence number. It means that the next expected packet is a packet with sequence number 1208536307.
· The length 0 means there is no data sent during this connection establishment.
- Packet 3:
· In this packet, the client gives an acknowledgement to complete the SYN, SYN-ACK, ACK process of the 3-way handshake.
· The client gives an ack number of 1, meaning it is expecting 1 byte of data.
· The length 0 means there is no data sent during this connection establishment.
Below is the Wireshark capture and a diagram that represent the 3-way handshake.
Note that Wireshark cannot fully capture the actual ack and sequence numbers. It only shows the relative numbers within the connection.
4-way handshake
Finding the correct 4-way handshake is a little bit harder since you may see many FIN flags at the end of the termination. The easy way is to find the FIN flag that has the same port number as the one from the connection establishment. Remember that for the connection establishment, my machine was connected from port 35514. Below are the tcpdump lines that represent a 4-way handshake.
17:56:09.312042 IP 192.168.0.104.35514 > 185.11.240.184.80: Flags [F.], seq 443, ack 62090, win 64800, options [nop,nop,TS val 2787269 ecr 3919563474], length 0
17:56:09.351301 IP 185.11.240.184.80 > 192.168.0.104.35514: Flags [.], ack 444, win 4798, options [nop,nop,TS val 3919564759 ecr 2787269], length 0
17:56:09.352359 IP 185.11.240.184.80 > 192.168.0.104.35514: Flags [F.], seq 62090, ack 444, win 4798, options [nop,nop,TS val 3919564759 ecr 2787269], length 0
17:56:09.352383 IP 192.168.0.104.35514 > 185.11.240.184.80: Flags [.], ack 62091, win 64800, options [nop,nop,TS val 2787279 ecr 3919564759], length 0
Analysis:
- Packet 1:
· The first packet shows that the client, which is my IP address, initiates the termination of the connection.
· This termination is shown by the F (FIN) flag.
· The client has sequence number 443 and ack number 62090. This means the next sequence number expected by the client is 62090.
· The length 0 means there is no data sent during this termination initialization, the same as in the connection phase.
- Packet 2:
· In this packet, the host is the source that gives an ack number to my machine.
· After the host received the F flag in the 1st packet, it gives an ack number of 444, which is one more than the client's sequence number in the 1st packet.
· The ack number of 444 means it has received sequence number 443 and the next sequence number expected to be received is 6100.
- Packet 3:
· In this packet, the destination host gives FP flags to the client. At first, I was unsure about the FP flag since P might mean push. But there is no data being sent in this packet if we look at the sequence number and the length. Therefore, I assumed FP means FIN passive. FIN passive means the F flag was actually initiated by the other source, which is the client (active). In conclusion, I assume the FP flag is only to differentiate who initiated the termination.
· The sequence number is 62090, the same as the ack of the 1st line.
· The length 0 means there is no data being sent in this packet.
- Packet 4:
· This is the last step of the 4-way handshake.
· The client received sequence number 62090, thus it has an ack number of 62090 incremented by 1, which is now 62091.
· The length 0 means there is no data sent during this termination.
Wireshark capture
This time, Wireshark is able to give the proper sequence and ack numbers since it is able to track the numbers from the previous operations, while in the connection phase Wireshark only gives relative numbers.
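The checks made by hand in the two analyses above (same port pair, SYN answered by a SYN-ACK whose ack is the client ISN plus one, each FIN answered by an ack of its sequence number plus one, zero-length segments) can be automated. The script below is an added example and not code from the original post. It assumes tcpdump's default text output with numeric addresses, as in the captures above: the SYN and SYN-ACK print absolute sequence numbers and every later segment of the flow prints numbers relative to those two ISNs (tcpdump does this unless run with -S). The seven capture lines are the ones from this post, re-joined onto one line each; the HTTP data segments between the handshake and the teardown are left out, so the sample is a constructed subset of the real capture.

```python
"""Parse tcpdump TCP lines and verify a 3-way handshake and 4-way teardown."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One tcpdump line: timestamp, IPv4 endpoints, flags, optional seq/ack, length.
# For "seq a:b" ranges only the start of the range is captured.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+))?(?:, ack (?P<ack>\d+))?"
    r".*length (?P<length>\d+)$"
)

Endpoint = Tuple[str, int]


@dataclass
class Segment:
    ts: str
    src: Endpoint
    dst: Endpoint
    flags: str
    seq: Optional[int]
    ack: Optional[int]
    length: int


def parse_line(line: str) -> Optional[Segment]:
    """Turn one tcpdump line into a Segment, or None if it is not a TCP line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Segment(ts=m["ts"],
                   src=(m["src"], int(m["sport"])), dst=(m["dst"], int(m["dport"])),
                   flags=m["flags"],
                   seq=int(m["seq"]) if m["seq"] else None,
                   ack=int(m["ack"]) if m["ack"] else None,
                   length=int(m["length"]))


def check_handshake(segs: List[Segment]) -> Optional[dict]:
    """Validate SYN, SYN-ACK, ACK at the start of the capture: direction,
    flags, zero payload, and ack == peer ISN + 1. Returns endpoints and ISNs."""
    if len(segs) < 3:
        return None
    syn, synack, ack = segs[:3]
    if (syn.flags, synack.flags, ack.flags) != ("S", "S.", "."):
        return None
    client, server = syn.src, syn.dst
    if (synack.src, synack.dst) != (server, client) or (ack.src, ack.dst) != (client, server):
        return None
    if any(s.length != 0 for s in (syn, synack, ack)) or synack.ack != syn.seq + 1:
        return None
    # The final ACK is printed relative to the server ISN ("ack 1");
    # with tcpdump -S it would be the absolute value server_isn + 1.
    if ack.ack not in (1, synack.seq + 1):
        return None
    return {"client": client, "server": server,
            "client_isn": syn.seq, "server_isn": synack.seq}


def check_teardown(segs: List[Segment], client: Endpoint, server: Endpoint) -> Optional[dict]:
    """Find the FIN exchange of one flow and verify both FINs were acknowledged.
    Accepts the four-segment form seen above (FIN, ACK, FIN, ACK) and the
    three-segment form where the passive closer merges its ACK into its FIN."""
    first_fin = None   # FIN from the active closer
    second_fin = None  # FIN from the passive closer
    for s in segs:
        if (s.src, s.dst) not in ((client, server), (server, client)):
            continue  # another flow on the same wire (other port pair)
        if first_fin is None:
            if "F" in s.flags and s.seq is not None:
                first_fin = s
            continue
        if s.src == first_fin.dst and s.ack == first_fin.seq + 1:
            if "F" in s.flags and s.seq is not None and second_fin is None:
                second_fin = s
            continue
        if second_fin is not None and s.src == first_fin.src and s.ack == second_fin.seq + 1:
            return {"active_closer": first_fin.src, "passive_closer": second_fin.src,
                    "active_fin_seq": first_fin.seq, "passive_fin_seq": second_fin.seq}
    return None


# Constructed sample: the seven segments quoted in the post, one per line.
CAPTURE = [
    "17:55:56.883445 IP 192.168.0.104.35514 > 185.11.240.184.80: Flags [S], seq 2284771406, win 29200, options [mss 1460,sackOK,TS val 2784161 ecr 0,nop,wscale 7], length 0",
    "17:55:56.906077 IP 185.11.240.184.80 > 192.168.0.104.35514: Flags [S.], seq 1587779942, ack 2284771407, win 4356, options [mss 1460,nop,nop,TS val 3919552311 ecr 2784161,sackOK,eol], length 0",
    "17:55:56.906118 IP 192.168.0.104.35514 > 185.11.240.184.80: Flags [.], ack 1, win 29200, options [nop,nop,TS val 2784167 ecr 3919552311], length 0",
    "17:56:09.312042 IP 192.168.0.104.35514 > 185.11.240.184.80: Flags [F.], seq 443, ack 62090, win 64800, options [nop,nop,TS val 2787269 ecr 3919563474], length 0",
    "17:56:09.351301 IP 185.11.240.184.80 > 192.168.0.104.35514: Flags [.], ack 444, win 4798, options [nop,nop,TS val 3919564759 ecr 2787269], length 0",
    "17:56:09.352359 IP 185.11.240.184.80 > 192.168.0.104.35514: Flags [F.], seq 62090, ack 444, win 4798, options [nop,nop,TS val 3919564759 ecr 2787269], length 0",
    "17:56:09.352383 IP 192.168.0.104.35514 > 185.11.240.184.80: Flags [.], ack 62091, win 64800, options [nop,nop,TS val 2787279 ecr 3919564759], length 0",
]


def analyze(lines: List[str]) -> dict:
    """Run both checks over raw tcpdump lines; non-TCP lines are skipped."""
    segs = [s for s in map(parse_line, lines) if s is not None]
    hs = check_handshake(segs)
    td = check_teardown(segs, hs["client"], hs["server"]) if hs else None
    return {"handshake": hs, "teardown": td}


if __name__ == "__main__":
    print(analyze(CAPTURE))
```

Feeding the output of `tcpdump -n` through analyze gives the same result the post reaches by reading the lines: the port pair 35514/80 is used to keep the flow apart from the other FINs on the wire, and a SYN that never gets its SYN-ACK, or a FIN whose ack never arrives, shows up as a None result rather than a matched handshake or teardown.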