Table of Contents for
Packet Analysis with Wireshark

Version ebook / Retour

Cover image for bash Cookbook, 2nd Edition Packet Analysis with Wireshark by Anish Nath Published by Packt Publishing, 2015
  1. Cover
  2. Table of Contents
  3. Packet Analysis with Wireshark
  4. Packet Analysis with Wireshark
  5. Credits
  6. About the Author
  7. About the Reviewers
  8. www.PacktPub.com
  9. Preface
  10. What you need for this book
  11. Who this book is for
  12. Conventions
  13. Reader feedback
  14. Customer support
  15. 1. Packet Analyzers
  16. Introducing Wireshark
  17. Other packet analyzer tools
  18. Summary
  19. 2. Capturing Packets
  20. Troubleshooting
  21. Wireshark user interface
  22. Wireshark features
  23. Tcpdump and snoop
  24. References
  25. Summary
  26. 3. Analyzing the TCP Network
  27. TCP connection establishment and clearing
  28. TCP data communication
  29. TCP close sequence
  30. Lab exercise
  31. TCP troubleshooting
  32. TCP latency issues
  33. Wireshark TCP sequence analysis
  34. References
  35. Summary
  36. 4. Analyzing SSL/TLS
  37. The SSL/TLS handshake
  38. Key exchange
  39. Decrypting SSL/TLS
  40. Debugging issues
  41. Summary
  42. 5. Analyzing Application Layer Protocols
  43. BOOTP/DHCP
  44. DNS
  45. HTTP
  46. References
  47. Summary
  48. 6. WLAN Capturing
  49. Analyzing the Wi-Fi networks
  50. Wi-Fi sniffing products
  51. Summary
  52. 7. Security Analysis
  53. The DOS attack
  54. Scanning
  55. ARP duplicate IP detection
  56. DrDoS
  57. BitTorrent
  58. Wireshark protocol hierarchy
  59. Summary
  60. Index

TCP connection establishment and clearing

In this section we will learn how the TCP opens and closes its connections. In order to establish a connection, the three-way handshake procedure is used as described in the following section.

TCP three-way handshake

The three-way handshake is a connection establishment procedure from the client socket to the server socket, as shown in the following image:

TCP three-way handshake

Before the start of the TCP three-way handshake, the client will be in the CLOSED state and the server will be in the LISTEN state as shown:

SN

TCP-A (122.167.84.137) state

Flow CTL

TCP-B (10.0.0.221) state

From

To

From

To

1

CLOSED

  

CLOSED

LISTEN

The TCP state machine

To examine a three-way handshake in Wireshark, open the normal-connection.pcap file provided in the book.

Handshake message – first step [SYN]

The first step of the handshake process is that the socket client will construct a SYN packet and send it to the server. During this process the socket client will perform the following tasks:

  1. tcp.flags.syn is set to 1 and its SYN packet is sent by the client.
  2. The client generates and sets the tcp.seq=3613047129 the initial sequence number (ISN). Wireshark shows, by default, relative sequence numbers; a user can change this setting under: Edit | Preferences | Protocols | TCP | Relative sequence numbers.
  3. The client sets tcp.ack =0.
  4. The tcp.window_size is advertised to the server and its value is in the packet tcp.window_size_value == 65535, which tells it that it can transmit up to 65535 bytes of data depending on MSS. For example if MSS is 1440 bytes, the client can transmit 45 segments.
  5. TCP client includes other tcp.options such as Maximum Segment Size (MSS), No-Operation (NOP), window scale, timestamps, and SACK permitted.
  6. The client chooses tcp.options.sack_perm == 1 in the "selective acknowledgements" processing.
  7. TSval/TSecr is the timestamp tcp.options.timestamp.tsval == 123648340.

The following table depicts the state transition of the first handshake message:

Sr. No.

TCP-A (122.167.84.137) state

Flow CTL

TCP-B (10.0.0.221) state

From

To

From

To

1

CLOSED

  

CLOSED

LISTEN

2

CLOSED

SYN_SENT

<SEQ=3613047129><CTL=SYN>

LISTEN

 

TCP state machine changes SYN_SENT

Handshake message – second step [SYN, ACK]

In this process the server responds to the client's SYN:

  1. The server sets tcp.flags.syn =1 and tcp.flags.ack=1, confirming that the SYN has been accepted.
  2. The server generates and sets ISN tcp.seq=2581725269.
  3. The server sets tcp.ack=3613047130 as the client tcp.seq+1.
  4. The server sets tcp.window_size_value == 26847 as the server window size.
  5. The server sets tcp.options and responds to the client.

The following table depicts the state transitions of the second handshake message:

Sr. No.

TCP-A (122.167.84.137) state

Flow CTL

TCP-B (10.0.0.221) state

From

To

From

To

1

CLOSED

  

CLOSED

LISTEN

2

CLOSED

SYN_SENT

<SEQ=3613047129><CTL=SYN>

LISTEN

 

3

SYN_SENT

 

<SEQ=2581725269><ACK=3613047130><CTL=SYN,ACK>

LISTEN

SYN-RECEIVED

TCP state machine changes when SYN-RECEIVED is sent by the server

Handshake message – third step [ACK]

After successfully exchanging this message, the TCP connection will be established in this connection:

  1. The client sets tcp.flags.ack == 1 and sends to the server.
  2. The client tcp.seq=3613047130 is ISN+1 and tcp.ack=2581725270 is SYN_ACK( tcp.seq+1).
  3. The client window size is set again and this will be used by the server tcp.window_size_value == 4105.

Tip

tcp.analysis.flags shows you packets that have some kind of expert message from Wireshark.

The following table depicts the state transitions of the third handshake message:

Sr. No.

TCP-A (122.167.84.137) state

Flow CTL

TCP-B (10.0.0.221) state

From

To

From

To

1

CLOSED

  

CLOSED

LISTEN

2

CLOSED

SYN_SENT

<SEQ=3613047129><CTL=SYN>

LISTEN

 

3

SYN_SENT

 

<SEQ=2581725269><ACK=3613047130><CTL=SYN,ACK>

LISTEN

SYN-RECEIVED

4

SYN_SENT

ESTABLISHED

<SEQ=3613047130>><ACK=2581725270><CTL=ACK>

SYN-RECEIVED

ESTABLISHED

TCP state machine when the client sends ACK