adam's notes

TCP Handshake and Teardown

  • a TCP connection is typically established to transfer a single file
    • a client session for a webpage (HTTP) might involve multiple TCP connections being opened with the server
      • managed using handshake transactions
        • use TCP flags

TCP Three-Way Handshake

  • A connection is established using a three-way handshake:

  1. client sends a segment with the SYN flag to the server
    • has a randomly generated sequence number
    • client enters SYN-SENT state
  2. server, currently in the LISTEN state, responds with a SYN/ACK segment
    • contains its own randomly generated sequence number
    • server enters SYN-RECEIVED state
  3. client responds with an ACK segment
    • client assumes the connection is established
  4. server opens a connection with the client and enters the ESTABLISHED state

Info

  • servers can support thousands or millions of TCP connections simultaneously
  • sending machine expects regular acknowledgements for segments it sends
    • if a period elapses without an acknowledgement, it assumes the info did not arrive and automatically resends it
    • this overhead makes the system relatively slow
    • connection-oriented transmission is suitable when:
      • reliability and data integrity are important

TCP Connection Teardown

  • There are functions for:
    • resetting a connection
    • keeping a connection alive if no actual data is being transmitted (instead of timing out)
  • To close a connection, called a teardown:
    1. client sends a FIN segment to the server and enters FIN-WAIT1 state
    2. server responds with an ACK segment and enters the CLOSE-WAIT state
      • client receives the ACK segment and enters the FIN-WAIT2 state
    3. server sends its own FIN segment to the client and goes to the LAST-ACK state
    4. client responds with an ACK and enters the TIME-WAIT state
      • after defined period, client closes its connection
    5. server closes the connection when it receives the ACK from the client
  • some implementations use one less step by combining the FIN and ACK responses into a single segment operation
  • host can end a session abruptly using a reset (RST) segment
    • not typical behavior, may need to be investigated
      • server or security appliance might refuse connections using RST
      • client or server application might be faulty
      • could be suspicious scanning activity ongoing

Graph View

Backlinks