TCP Header Analysis
> [!NOTE] This module explores the core principles of TCP Header Analysis, deriving solutions from first principles and hardware constraints to build world-class, production-ready expertise.
1. What is TCP?
Transmission Control Protocol (TCP) is a connection-oriented, reliable protocol that ensures data is delivered in order and without errors.
Unlike stateless protocols, TCP requires the OS kernel to maintain complex state for every active connection: allocating a socket, maintaining send and receive memory buffers, and tracking sequence numbers and timers. At scale (e.g., millions of concurrent connections) this per-connection state machine costs significant RAM and CPU; the challenge of serving that many connections is known as the C10K (or, today, C10M) problem.
2. The TCP Header (20-60 Bytes)
TCP adds a header to the application data to manage the connection. The fixed part of the header is 20 bytes; options can extend it to at most 60 bytes.
| Field | Bits | Purpose |
|---|---|---|
| Source Port | 16 | The port of the sending application. |
| Destination Port | 16 | The port of the receiving application (e.g., 443 for HTTPS). |
| Sequence # | 32 | Used to reassemble data in the correct order. |
| ACK # | 32 | Tells the sender which byte the receiver expects next. |
| Flags | 9 | Control bits: SYN, ACK, FIN, RST, PSH, URG (plus CWR, ECE and NS for ECN). |
| Window Size | 16 | Flow control: the receiver's advertised buffer space (“Don’t send more than X bytes yet.”). |
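The table above covers the fields most relevant to analysis; the following added example (not part of the original module) decodes the complete fixed header plus options from raw bytes, so the field offsets and the 9 flag bits can be seen in practice. It also includes a small flag-combination check of the kind a defender's IDS rule would apply: combinations such as SYN+FIN or no control flags at all are never produced by a normal stack. The `build_tcp_header` helper and the sample segments are constructed here for illustration; the checksum is left at zero because computing it requires the IP pseudo-header.

```python
import struct

# The 9 control bits occupy the low end of the 16-bit "data offset / flags" word.
FLAG_BITS = {
    "NS": 0x100, "CWR": 0x080, "ECE": 0x040, "URG": 0x020,
    "ACK": 0x010, "PSH": 0x008, "RST": 0x004, "SYN": 0x002, "FIN": 0x001,
}

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the 20-byte fixed TCP header, any options, and the payload from a raw segment."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum TCP header")
    # Network byte order: two 16-bit ports, two 32-bit numbers, then four 16-bit words.
    src_port, dst_port, seq, ack, off_flags, window, checksum, urg_ptr = struct.unpack(
        "!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4           # data offset is counted in 32-bit words
    if not 20 <= header_len <= 60:
        raise ValueError(f"invalid data offset: header length {header_len}")
    if len(segment) < header_len:
        raise ValueError("segment truncated before the end of the options")
    flags = {name: bool(off_flags & bit) for name, bit in FLAG_BITS.items()}
    return {
        "src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
        "header_len": header_len, "flags": flags, "window": window,
        "checksum": checksum, "urgent_pointer": urg_ptr,
        "options": segment[20:header_len], "payload": segment[header_len:],
    }

def flag_anomalies(flags: dict) -> list:
    """Return descriptions of flag combinations no conforming stack sends (detection hints)."""
    ctl = {name for name, on in flags.items() if on} & {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
    findings = []
    if not ctl:
        findings.append("no control flags set (NULL scan pattern)")
    if {"SYN", "FIN"} <= ctl:
        findings.append("SYN and FIN set together")
    if {"SYN", "RST"} <= ctl:
        findings.append("SYN and RST set together")
    if {"FIN", "PSH", "URG"} <= ctl and "ACK" not in ctl:
        findings.append("FIN+PSH+URG without ACK (XMAS scan pattern)")
    return findings

def build_tcp_header(src_port, dst_port, seq, ack, flags, window, options=b"", payload=b""):
    """Constructed helper (hypothetical, for this example): assemble a segment for testing the parser."""
    options = options + b"\x00" * (-len(options) % 4)   # options are padded to a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    off_flags = (data_offset << 12) | sum(FLAG_BITS[f] for f in flags)
    # Checksum left as 0: it covers the IP pseudo-header, which is outside this example's scope.
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, off_flags, window, 0, 0) + options + payload

if __name__ == "__main__":
    # Constructed sample: a client SYN to port 443 carrying an MSS option (kind 2, length 4, 1460).
    syn = build_tcp_header(51234, 443, 1000, 0, ["SYN"], 65535, options=b"\x02\x04\x05\xb4")
    parsed = parse_tcp_header(syn)
    print({k: v for k, v in parsed.items() if k != "flags"})
    print("flags set:", [n for n, on in parsed["flags"].items() if on])
    print("anomalies:", flag_anomalies(parsed["flags"]))
```

Feeding the parser with captured segments (for example the bytes after the IP header of a pcap record) gives the same dictionary; the anomaly check is deliberately conservative so it can be used as a first-pass filter before deeper inspection.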
3. The 3-Way Handshake (Connection Setup)
Before sending data, TCP must establish a session.
- SYN: Client sends “Let’s sync.” (Seq = x).
- SYN-ACK: Server replies “Acknowledged. Let’s sync too.” (Seq = y, Ack = x+1).
- ACK: Client replies “Acknowledged.” (Seq = x+1, Ack = y+1). The connection is now ESTABLISHED.
4. Interactive: The Handshake
Watch the flags fly across the network.
5. Termination (4-Way Wave)
Closing a connection is different because TCP is full-duplex: one side may be finished sending while the other still has data to send.
- FIN: “I have no more data to send.”
- ACK: “Understood, I’ll stop expecting data from you.”
- FIN: (From other side) “I’m also done.”
- ACK: “Understood. Connection closed.”
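The handshake in section 3 and the 4-way close above are the two halves of one state machine, and a stateful firewall or IDS follows both passively. The added example below (not part of the original module) is such a tracker: it moves through SYN_SENT, SYN_RECEIVED and ESTABLISHED on the handshake, through FIN_WAIT and LAST_ACK on the close, and records sequence/acknowledgement arithmetic that does not add up (a SYN-ACK acknowledging the wrong number, or an ACK for bytes the peer never sent). The `Segment` type, the `seg` helper and the sample flow are constructed for this example; windows, simultaneous open/close and timers are deliberately left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    src: str             # "client" or "server", as seen by a passive observer
    flags: frozenset     # subset of {"SYN", "ACK", "FIN", "RST", "PSH"}
    seq: int
    ack: int = 0
    payload_len: int = 0

def seg(src, flags, seq, ack=0, payload_len=0):
    """Convenience constructor for the constructed sample traffic below."""
    return Segment(src, frozenset(flags), seq, ack, payload_len)

class TcpFlowTracker:
    """Passive tracker of one TCP flow, in the style of a stateful firewall or IDS."""

    def __init__(self):
        self.state = "CLOSED"
        self.next_seq = {"client": None, "server": None}   # next byte each side will send
        self.fin_from = []                                  # sides that have sent FIN, in order
        self.anomalies = []

    @staticmethod
    def _peer(side):
        return "server" if side == "client" else "client"

    def feed(self, s: Segment) -> str:
        f, peer = s.flags, self._peer(s.src)
        if "RST" in f:                                      # a reset aborts the flow from any state
            self.state = "CLOSED"
            return self.state
        # --- 3-way handshake: SYN and SYN-ACK each consume one sequence number ---
        if self.state == "CLOSED":
            if f == {"SYN"} and s.src == "client":
                self.next_seq = {"client": s.seq + 1, "server": None}
                self.fin_from = []
                self.state = "SYN_SENT"
            else:
                self.anomalies.append(f"{s.src}: {sorted(f)} without a prior SYN")
            return self.state
        if self.state == "SYN_SENT":
            if f == {"SYN", "ACK"} and s.src == "server" and s.ack == self.next_seq["client"]:
                self.next_seq["server"] = s.seq + 1
                self.state = "SYN_RECEIVED"
            else:
                self.anomalies.append(f"{s.src}: expected SYN-ACK with ack={self.next_seq['client']}")
            return self.state
        if self.state == "SYN_RECEIVED":
            if "ACK" in f and s.src == "client" and s.ack == self.next_seq["server"]:
                self.state = "ESTABLISHED"                  # fall through: this ACK may carry data
            else:
                self.anomalies.append(f"{s.src}: expected final ACK with ack={self.next_seq['server']}")
                return self.state
        # --- ESTABLISHED / closing: check, then advance, the sequence bookkeeping ---
        if "ACK" in f and s.ack > self.next_seq[peer]:
            self.anomalies.append(f"{s.src}: ack {s.ack} is beyond the peer's next seq {self.next_seq[peer]}")
        if s.seq != self.next_seq[s.src]:
            self.anomalies.append(f"{s.src}: seq {s.seq}, expected {self.next_seq[s.src]}")
        consumed = s.payload_len + (1 if "FIN" in f else 0)  # a FIN also takes one sequence number
        self.next_seq[s.src] = max(self.next_seq[s.src], s.seq + consumed)
        if "FIN" in f and s.src not in self.fin_from:
            self.fin_from.append(s.src)
            self.state = "FIN_WAIT" if len(self.fin_from) == 1 else "LAST_ACK"
        elif (self.state == "LAST_ACK" and "ACK" in f
              and s.src != self.fin_from[-1] and s.ack == self.next_seq[peer]):
            self.state = "CLOSED"                           # second FIN acknowledged: close complete
        return self.state

def run(segments):
    """Feed a list of segments through a fresh tracker; return the state after each and the anomalies."""
    t = TcpFlowTracker()
    return [t.feed(s) for s in segments], t.anomalies

# Constructed sample flow: handshake, one data exchange each way, then the 4-way close.
LIFECYCLE = [
    seg("client", {"SYN"}, seq=100),
    seg("server", {"SYN", "ACK"}, seq=300, ack=101),
    seg("client", {"ACK"}, seq=101, ack=301),
    seg("client", {"PSH", "ACK"}, seq=101, ack=301, payload_len=5),
    seg("server", {"PSH", "ACK"}, seq=301, ack=106, payload_len=10),
    seg("client", {"FIN", "ACK"}, seq=106, ack=311),
    seg("server", {"ACK"}, seq=311, ack=107),
    seg("server", {"FIN", "ACK"}, seq=311, ack=107),
    seg("client", {"ACK"}, seq=107, ack=312),
]

if __name__ == "__main__":
    states, anomalies = run(LIFECYCLE)
    for s, st in zip(LIFECYCLE, states):
        print(f"{s.src:6} {'+'.join(sorted(s.flags)):8} seq={s.seq:<4} ack={s.ack:<4} -> {st}")
    print("anomalies:", anomalies)
```

Because the tracker only accepts a SYN-ACK that acknowledges x+1 and a final ACK that acknowledges y+1, it rejects handshakes whose acknowledgement numbers were not derived from the peer's actual sequence numbers; the same arithmetic is what lets a stateful firewall drop segments that do not belong to any connection it has seen.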