TCP Header Analysis
> [!NOTE] This module explores the core principles of TCP Header Analysis, deriving solutions from first principles and hardware constraints to build world-class, production-ready expertise.
1. What is TCP?
Transmission Control Protocol (TCP) is a connection-oriented, reliable protocol that ensures data is delivered in order and without errors.
2. The TCP Header (20-60 Bytes)
TCP adds a header in front of the application data to manage the connection.
| Field | Bits | Purpose |
|---|---|---|
| Source Port | 16 | The port of the sending application. |
| Dest Port | 16 | The port of the receiving application (e.g., 443 for HTTPS). |
| Sequence # | 32 | Used to reassemble data in the correct order. |
| ACK # | 32 | Tells the sender which byte is expected next. |
| Flags | 9 | Control bits: SYN, ACK, FIN, RST, PSH, URG. |
| Window Size | 16 | Flow control: “Don’t send more than X bytes yet.” |
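The fields in the table above can be pulled straight out of the wire bytes. The following parser is an added example, not code from the original module: it unpacks the fixed 20-byte header, decodes the 9 control bits from the word that also carries the data offset, walks the option TLVs that make the header grow from 20 to 60 bytes, and rejects headers whose data offset or option lengths do not fit the bytes actually present (the place where malformed segments are caught). The sample SYN (port 54321 to 443 with an MSS option) is constructed for the example.

```python
import struct

# Control bits in the 16-bit word that also carries the data offset (RFC 9293).
# Bits 0-8 are the flags (bit 8 is the experimental NS bit of RFC 3540),
# bits 9-11 are reserved, bits 12-15 are the data offset in 32-bit words.
FLAG_BITS = {"NS": 0x100, "CWR": 0x080, "ECE": 0x040, "URG": 0x020,
             "ACK": 0x010, "PSH": 0x008, "RST": 0x004, "SYN": 0x002, "FIN": 0x001}


def parse_options(raw: bytes) -> list:
    """Walk the TCP option list: kind 0 ends it, kind 1 is a one-byte NOP,
    every other option is kind, total length, value."""
    opts = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No-Operation (padding)
            opts.append((1, b""))
            i += 1
            continue
        if i + 2 > len(raw):
            raise ValueError("option kind %d is missing its length byte" % kind)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def parse_tcp_header(segment: bytes) -> dict:
    """Parse a TCP segment (header plus payload) into its fields."""
    if len(segment) < 20:
        raise ValueError("need at least the 20-byte fixed header, got %d bytes" % len(segment))
    src, dst, seq, ack, off_flags, window, checksum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = off_flags >> 12            # header length in 32-bit words
    header_len = data_offset * 4
    if not 20 <= header_len <= 60:
        raise ValueError("data offset %d words is outside the legal range 5..15" % data_offset)
    if header_len > len(segment):
        raise ValueError("data offset claims %d bytes but only %d are present" % (header_len, len(segment)))
    flags = [name for name, bit in FLAG_BITS.items() if off_flags & bit]
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "header_len": header_len, "flags": flags, "window": window,
        "checksum": checksum, "urgent_ptr": urg,
        "options": parse_options(segment[20:header_len]),
        "payload": segment[header_len:],
    }


def describe(segment: bytes) -> str:
    """One-line summary in the style of a packet capture tool."""
    h = parse_tcp_header(segment)
    return "%d -> %d [%s] seq=%d ack=%d win=%d hdr=%dB opts=%s payload=%dB" % (
        h["src_port"], h["dst_port"], ",".join(h["flags"]), h["seq"], h["ack"],
        h["window"], h["header_len"], h["options"], len(h["payload"]))


# Constructed sample: a SYN from port 54321 to 443, data offset 6 (24-byte header),
# carrying a single MSS option (kind 2, length 4, value 1460).
SAMPLE_SYN = struct.pack("!HHIIHHHH", 54321, 443, 0x10000000, 0,
                         (6 << 12) | FLAG_BITS["SYN"], 65535, 0, 0) + b"\x02\x04\x05\xb4"

if __name__ == "__main__":
    print(describe(SAMPLE_SYN))
```

The two range checks on the data offset matter in practice: a header that claims more bytes than the segment holds, or an option whose length runs past the header, is exactly the kind of input that trips up naive parsers, so a capture or IDS tool should reject it rather than index past the buffer.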
3. The 3-Way Handshake (Connection Setup)
Before sending data, TCP must establish a session.
- SYN: Client sends “Let’s sync.” (Seq = x).
- SYN-ACK: Server replies “Acknowledged. Let’s sync too.” (Seq = y, Ack = x+1).
- ACK: Client replies “Acknowledged.” (Ack = y+1). Now the connection is ESTABLISHED.
4. Interactive: The Handshake
Interactive demo (not reproduced here): an animation of the SYN, SYN-ACK and ACK exchange between a client on port 54321 and a server on port 443.
5. Termination (4-Way Wave)
Closing a connection is different because TCP is full-duplex: one side might be done, but the other side might still have data to send.
- FIN: “I have no more data to send.”
- ACK: “Understood, I’ll stop expecting data from you.”
- FIN: (From other side) “I’m also done.”
- ACK: “Understood. Connection closed.”
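To show how the sequence and acknowledgement numbers from section 3 and the two FIN/ACK pairs from section 5 fit together, here is an added example that is not part of the original module: a minimal TCP endpoint state machine (no data transfer, no retransmission) that runs the three-way handshake and then the four-way close between two constructed endpoints with constructed initial sequence numbers. It also rejects a segment whose ACK number does not equal the next sequence number the endpoint expects to be acknowledged, which is the check that makes the handshake depend on having seen the peer's real ISN.

```python
from dataclasses import dataclass

MOD = 2 ** 32  # sequence numbers are 32-bit and wrap


@dataclass(frozen=True)
class Segment:
    flags: frozenset   # subset of {"SYN", "ACK", "FIN"}
    seq: int
    ack: int           # meaningful only when "ACK" is set


class Endpoint:
    """Minimal TCP state machine covering connection setup and teardown."""

    def __init__(self, name: str, isn: int):
        self.name = name
        self.state = "CLOSED"
        self.snd_nxt = isn % MOD   # next sequence number we will send
        self.rcv_nxt = 0           # next sequence number we expect from the peer
        self.trace = []            # (who, flags, seq, ack, state after sending)

    def _send(self, *flags: str) -> Segment:
        seg = Segment(frozenset(flags), self.snd_nxt, self.rcv_nxt if "ACK" in flags else 0)
        # SYN and FIN each occupy one sequence number, which is why the peer acks x+1.
        self.snd_nxt = (self.snd_nxt + ("SYN" in flags) + ("FIN" in flags)) % MOD
        self.trace.append((self.name, sorted(seg.flags), seg.seq, seg.ack, self.state))
        return seg

    def _ack_ok(self, seg: Segment) -> bool:
        return "ACK" in seg.flags and seg.ack == self.snd_nxt

    def listen(self):
        self.state = "LISTEN"

    def connect(self) -> Segment:
        self.state = "SYN_SENT"
        return self._send("SYN")

    def close(self) -> Segment:
        if self.state not in ("ESTABLISHED", "CLOSE_WAIT"):
            raise ValueError("%s cannot close from %s" % (self.name, self.state))
        self.state = "FIN_WAIT_1" if self.state == "ESTABLISHED" else "LAST_ACK"
        return self._send("FIN", "ACK")

    def receive(self, seg: Segment):
        """Process one segment; return the reply to send, or None."""
        if self.state == "LISTEN" and "SYN" in seg.flags:
            self.rcv_nxt = (seg.seq + 1) % MOD            # SYN consumed: expect x+1
            self.state = "SYN_RECEIVED"
            return self._send("SYN", "ACK")
        if self.state == "SYN_SENT" and {"SYN", "ACK"} <= seg.flags and self._ack_ok(seg):
            self.rcv_nxt = (seg.seq + 1) % MOD            # expect y+1
            self.state = "ESTABLISHED"
            return self._send("ACK")
        if self.state == "SYN_RECEIVED" and self._ack_ok(seg):
            self.state = "ESTABLISHED"
            return None
        if "FIN" in seg.flags and seg.seq == self.rcv_nxt and self.state in ("ESTABLISHED", "FIN_WAIT_2"):
            self.rcv_nxt = (seg.seq + 1) % MOD            # FIN consumes one number too
            self.state = "CLOSE_WAIT" if self.state == "ESTABLISHED" else "TIME_WAIT"
            return self._send("ACK")
        if self.state == "FIN_WAIT_1" and self._ack_ok(seg):
            self.state = "FIN_WAIT_2"                     # our FIN was acknowledged
            return None
        if self.state == "LAST_ACK" and self._ack_ok(seg):
            self.state = "CLOSED"
            return None
        raise ValueError("%s in %s: unexpected segment %s seq=%d ack=%d"
                         % (self.name, self.state, sorted(seg.flags), seg.seq, seg.ack))


def run_session(client_isn: int, server_isn: int):
    """Full open and close between two constructed endpoints; client closes first."""
    client, server = Endpoint("client", client_isn), Endpoint("server", server_isn)
    server.listen()
    # Three-way handshake: SYN, SYN-ACK, ACK
    syn = client.connect()
    syn_ack = server.receive(syn)
    ack = client.receive(syn_ack)
    server.receive(ack)
    # Four-way close: FIN, ACK, FIN, ACK
    fin1 = client.close()
    ack1 = server.receive(fin1)
    client.receive(ack1)
    fin2 = server.close()
    ack2 = client.receive(fin2)
    server.receive(ack2)
    return client, server


if __name__ == "__main__":
    c, s = run_session(client_isn=1000, server_isn=5000)
    for entry in sorted(c.trace + s.trace, key=lambda e: (e[2] + e[3])):
        print(entry)
    print("final states:", c.state, s.state)
```

Note that the client finishes in TIME_WAIT rather than CLOSED: the side that sends the last ACK cannot know whether it arrived, so it lingers to answer a retransmitted FIN. The same ACK-number check that rejects a stray segment in SYN_SENT is what a firewall or IDS reproduces when it tracks connection state.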