TCP segment structure

Transmission Control Protocol accepts data from a data stream, divides it into chunks, and adds a TCP header creating a TCP segment. The TCP segment is then encapsulated into an Internet Protocol (IP) datagram, and exchanged with peers.[3]

The term TCP packet, though sometimes informally used, is not in line with current terminology, where segment refers to the TCP Protocol Data Unit (PDU), datagram[4] to the IP PDU and frame to the data link layer PDU:

    Processes transmit data by calling on the TCP and passing buffers of data as arguments. The TCP packages the data from these buffers into segments and calls on the internet module [e.g. IP] to transmit each segment to the destination TCP.[5]

A TCP segment consists of a segment header and a data section. The TCP header contains 10 mandatory fields, and an optional extension field (Options, the last row of the table below). The data section follows the header. Its contents are the payload data carried for the application. The length of the data section is not specified in the TCP segment header. It can be calculated by subtracting the combined length of the TCP header and the encapsulating IP header from the total IP datagram length (specified in the IP header).

TCP header (offsets in octets and bits; each row is 32 bits wide)

    Octet  Bit   Bits 0-15                            Bits 16-31
    0      0     Source port                          Destination port
    4      32    Sequence number
    8      64    Acknowledgment number (if ACK set)
    12     96    Data offset | Reserved 0 0 0 | NS CWR ECE URG ACK PSH RST SYN FIN | Window size
    16     128   Checksum                             Urgent pointer (if URG set)
    20     160   Options (if data offset > 5. Padded at the end with "0" bytes if necessary.)
    ...    ...   ...

Source port (16 bits)
    Identifies the sending port.
Destination port (16 bits)
    Identifies the receiving port.
Sequence number (32 bits)
    Has a dual role:
    - If the SYN flag is set (1), then this is the initial sequence number. The sequence number of the actual first data byte and the acknowledged number in the corresponding ACK are then this sequence number plus 1.
    - If the SYN flag is clear (0), then this is the accumulated sequence number of the first data byte of this segment for the current session.
Acknowledgment number (32 bits)
    If the ACK flag is set then the value of this field is the next sequence number that the receiver is expecting. This acknowledges receipt of all prior bytes (if any). The first ACK sent by each end acknowledges the other end's initial sequence number itself, but no data.
Data offset (4 bits)
    Specifies the size of the TCP header in 32-bit words. The minimum size header is 5 words and the maximum is 15 words, thus giving the minimum size of 20 bytes and maximum of 60 bytes, allowing for up to 40 bytes of options in the header. This field gets its name from the fact that it is also the offset from the start of the TCP segment to the actual data.
Reserved (3 bits)
    For future use and should be set to zero.
Flags (9 bits) (aka Control bits)
    Contains 9 1-bit flags:
NS (1 bit) – ECN-nonce concealment protection (added to header by RFC 3540).

CWR (1 bit) – Congestion Window Reduced (CWR) flag is set by the sending host to indicate that it received a TCP segment with the ECE flag set and had responded in congestion control mechanism (added to header by RFC 3168).
ECE (1 bit) – ECN-Echo indicates:
    - If the SYN flag is set (1), that the TCP peer is ECN capable.
    - If the SYN flag is clear (0), that a packet with Congestion Experienced flag in IP header set is received during normal transmission (added to header by RFC 3168).
URG (1 bit) – Indicates that the Urgent pointer field is significant.
ACK (1 bit) – Indicates that the Acknowledgment field is significant. All packets after the initial SYN packet sent by the client should have this flag set.
PSH (1 bit) – Push function. Asks to push the buffered data to the receiving application.
RST (1 bit) – Reset the connection.
SYN (1 bit) – Synchronize sequence numbers. Only the first packet sent from each end should have this flag set. Some other flags change meaning based on this flag, and some are only valid for when it is set, and others when it is clear.
FIN (1 bit) – No more data from sender.

Window size (16 bits)
    The size of the receive window, which specifies the number of window size units (by default, bytes) (beyond the sequence number in the acknowledgment field) that the sender of this segment is currently willing to receive (see Flow control and Window scaling).
Checksum (16 bits)
    The 16-bit checksum field is used for error-checking of the header and data.
Urgent pointer (16 bits)
    If the URG flag is set, then this 16-bit field is an offset from the sequence number indicating the last urgent data byte.
Options (Variable 0–320 bits, divisible by 32)
    The length of this field is determined by the data offset field. Options have up to three fields: Option-Kind (1 byte), Option-Length (1 byte), Option-Data (variable). The Option-Kind field indicates the type of option, and is the only field that is not optional. Depending on what kind of option we are dealing with, the next two fields may be set: the Option-Length field indicates the total length of the option, and the Option-Data field contains the value of the option, if applicable. For example, an Option-Kind byte of 0x01 indicates that this is a No-Op option used only for padding, and does not have an Option-Length or Option-Data byte following it. An Option-Kind byte of 0 is the End Of Options option, and is also only one byte. An Option-Kind byte of 0x02 indicates that this is the Maximum Segment Size option, and will be followed by a byte specifying the length of the MSS field (should be 0x04). Note that this length is the total length of the given options field, including Option-Kind and Option-Length bytes. So while the MSS value is typically expressed in two bytes, the length of the field will be 4 bytes (+2 bytes of kind and length). In short, an MSS option field with a value of 0x05B4 will show up as (0x02 0x04 0x05B4) in the TCP options section.
    Some options may only be sent when SYN is set; they are indicated below as [SYN]. Option-Kind and standard lengths are given as (Option-Kind,Option-Length).

    0 (8 bits) – End of options list
    1 (8 bits) – No operation (NOP, Padding). This may be used to align option fields on 32-bit boundaries for better performance.
    2,4,SS (32 bits) – Maximum segment size (see maximum segment size) [SYN]
    3,3,S (24 bits) – Window scale (see window scaling for details) [SYN][6]
    4,2 (16 bits) – Selective Acknowledgement permitted [SYN] (see selective acknowledgments for details)[7]
    5,N,BBBB,EEEE,... (variable bits, N is either 10, 18, 26, or 34) – Selective ACKnowledgement (SACK)[8]. These first two bytes are followed by a list of 1–4 blocks being selectively acknowledged, specified as 32-bit begin/end pointers.
    8,10,TTTT,EEEE (80 bits) – Timestamp and echo of previous timestamp (see TCP timestamps for details)[9]
    14,3,S (24 bits) – TCP Alternate Checksum Request [SYN][10]
    15,N,... (variable bits) – TCP Alternate Checksum Data

    (The remaining options are obsolete, experimental, not yet standardized, or unassigned.)
Padding
    The TCP header padding is used to ensure that the TCP header ends and data begins on a 32-bit boundary. The padding is composed of zeros.[11]

Protocol operation
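The header layout and option encoding described above, worked through in added Python code that is not from the article: a parser that decodes the fixed 20-byte header, walks the option list (kinds 0, 1, 2, 3, 4, 5 and 8, rejecting a malformed length), and verifies the checksum over the IPv4 pseudo-header, with build_segment as the sender-side counterpart. The sample SYN, its option bytes and the two addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
import struct

# Flag bit positions within the low 9 bits of the data-offset/flags word.
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


def tcp_checksum(src_ip, dst_ip, segment):
    """Ones-complement sum over the IPv4 pseudo-header (source, destination,
    zero, protocol 6, TCP length) plus the segment; a valid segment yields 0."""
    data = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"                        # odd length: pad with one zero octet
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                         # end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_options(raw):
    """Walk the options area: Option-Kind, then Option-Length (total length,
    kind and length bytes included) and Option-Data except for EOL and NOP."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                          # End of options list
            opts.append(("EOL", None))
            break
        if kind == 1:                          # NOP, alignment padding
            opts.append(("NOP", None))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind %d truncated before its length" % kind)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):   # length < 2 would never advance
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        data = raw[i + 2:i + length]
        if kind == 2 and length == 4:
            opts.append(("MSS", struct.unpack("!H", data)[0]))
        elif kind == 3 and length == 3:
            opts.append(("WS", data[0]))       # shift count for the window field
        elif kind == 4 and length == 2:
            opts.append(("SACK_PERM", True))
        elif kind == 5 and length >= 10 and (length - 2) % 8 == 0:
            opts.append(("SACK", [struct.unpack("!II", data[j:j + 8])
                                  for j in range(0, len(data), 8)]))
        elif kind == 8 and length == 10:
            opts.append(("TS", struct.unpack("!II", data)))   # (TSval, TSecr)
        else:
            opts.append(("KIND_%d" % kind, data))
        i += length
    return opts


def parse_segment(segment, src_ip=None, dst_ip=None):
    """Decode header, options and payload; check the checksum if IPs given."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum header")
    (sport, dport, seq, ack, off_flags,
     window, csum, urg) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = off_flags >> 12              # header length in 32-bit words
    if not 5 <= data_offset <= 15:
        raise ValueError("data offset %d outside 5..15" % data_offset)
    header_len = data_offset * 4
    if header_len > len(segment):
        raise ValueError("data offset points past the end of the segment")
    flags = {n: bool(off_flags >> b & 1) for b, n in enumerate(FLAG_NAMES)}
    result = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
              "data_offset": data_offset, "header_len": header_len,
              "flags": flags, "window": window, "checksum": csum,
              "urgent_pointer": urg, "payload": segment[header_len:],
              "options": parse_options(segment[20:header_len])}
    if src_ip is not None and dst_ip is not None:
        result["checksum_ok"] = tcp_checksum(src_ip, dst_ip, segment) == 0
    return result


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                  options=b"", payload=b""):
    """Sender side: pad options to 32 bits, set offset and flags, fill checksum."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    data_offset = 5 + len(options) // 4
    flag_bits = sum(1 << FLAG_NAMES.index(f) for f in flags)
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                         (data_offset << 12) | flag_bits, window, 0, 0)
    segment = header + options + payload
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


# Constructed sample (not captured traffic): a SYN carrying MSS 1460,
# SACK-permitted, NOP, window scale 7, NOP, NOP = 12 option bytes, so the
# data offset is 8.  Addresses are from the RFC 5737 documentation ranges.
SRC_IP = bytes([192, 0, 2, 10])
DST_IP = bytes([198, 51, 100, 7])
SYN_OPTIONS = bytes([2, 4, 0x05, 0xB4, 4, 2, 1, 3, 3, 7, 1, 1])
SAMPLE_SYN = build_segment(SRC_IP, DST_IP, 40000, 443, 0x12345678, 0,
                           ["SYN"], 65535, SYN_OPTIONS)
```

Feeding SAMPLE_SYN to parse_segment with the two addresses returns data offset 8, the SYN flag alone, the four decoded options and checksum_ok True; flipping any byte makes checksum_ok False.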

[Figure: A simplified TCP state diagram. See the TCP EFSM diagram for a more detailed state diagram including the states inside the ESTABLISHED state.]

TCP protocol operations may be divided into three phases. Connections must be properly established in a multi-step handshake process (connection establishment) before entering the data transfer phase. After data transmission is completed, the connection termination closes established virtual circuits and releases all allocated resources.

A TCP connection is managed by an operating system through a programming interface that represents the local end-point for communications, the Internet socket. During the lifetime of a TCP connection the local end-point undergoes a series of state changes:[12]

LISTEN (server) represents waiting for a connection request from any remote TCP and port.
SYN-SENT (client) represents waiting for a matching connection request after having sent a connection request.
SYN-RECEIVED (server) represents waiting for a confirming connection request acknowledgment after having both received and sent a connection request.
ESTABLISHED (both server and client) represents an open connection, data received can be delivered to the user. The normal state for the data transfer phase of the connection.
FIN-WAIT-1 (both server and client) represents waiting for a connection termination request from the remote TCP, or an acknowledgment of the connection termination request previously sent.
FIN-WAIT-2 (both server and client) represents waiting for a connection termination request from the remote TCP.
CLOSE-WAIT (both server and client) represents waiting for a connection termination request from the local user.
CLOSING (both server and client) represents waiting for a connection termination request acknowledgment from the remote TCP.
LAST-ACK (both server and client) represents waiting for an acknowledgment of the connection termination request previously sent to the remote TCP (which includes an acknowledgment of its connection termination request).
TIME-WAIT (either server or client) represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request. [According to RFC 793 a connection can stay in TIME-WAIT for a maximum of four minutes known as a MSL (maximum segment lifetime).]
CLOSED (both server and client) represents no connection state at all.

Connection establishment

To establish a connection, TCP uses a three-way handshake. Before a client attempts to connect with a server, the server must first bind to and listen at a port to open it up for connections: this is called a passive open. Once the passive open is established, a client may initiate an active open. To establish a connection, the three-way (or 3-step) handshake occurs:

1. SYN: The active open is performed by the client sending a SYN to the server. The client sets the segment's sequence number to a random value A.
2. SYN-ACK: In response, the server replies with a SYN-ACK. The acknowledgment number is set to one more than the received sequence number i.e. A+1, and the sequence number that the server chooses for the packet is another random number, B.
3. ACK: Finally, the client sends an ACK back to the server. The sequence number is set to the received acknowledgement value i.e. A+1, and the acknowledgement number is set to one more than the received sequence number i.e. B+1.

At this point, both the client and server have received an acknowledgment of the connection. The steps 1, 2 establish the connection parameter (sequence number) for one direction and it is acknowledged. The steps 2, 3 establish the connection parameter (sequence number) for the other direction and it is acknowledged. With these, a full-duplex communication is established.

Connection termination

[Figure: Connection termination]

The connection termination phase uses a four-way handshake, with each side of the connection terminating independently. When an endpoint wishes to stop its half of the connection, it transmits a FIN packet, which the other end acknowledges with an ACK. Therefore, a typical tear-down requires a pair of FIN and ACK segments from each TCP endpoint. After both FIN/ACK exchanges are concluded, the side which sent the first FIN before receiving one waits for a timeout before finally closing the connection, during which time the local port is unavailable for new connections; this prevents confusion due to delayed packets being delivered during subsequent connections.
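The state list, the three-way handshake and the four-way close described above, as an added Python model that is not code from the article: two Endpoint objects exchange SYN/ACK/FIN segments (plain dictionaries) and move through the named states, checking the A+1 and B+1 acknowledgment arithmetic on the way. The class and function names are the example's own, ISNs are passed in as fixed values instead of being chosen randomly, and data transfer, retransmission and timers are not modelled.

```python
# Segments are plain dictionaries; only flags, seq and ack are modelled.
def seg(flags, seq, ack=0):
    return {"flags": set(flags), "seq": seq, "ack": ack}


class Endpoint:
    """One end of a connection: the state names from the article plus the two
    sequence variables the handshake and the close depend on."""

    def __init__(self, name):
        self.name = name
        self.state = "CLOSED"
        self.snd_nxt = 0        # next sequence number this end will send
        self.rcv_nxt = 0        # next sequence number expected from the peer
        self.log = []           # (direction, flags, seq, ack) for inspection

    def _send(self, flags, ack=0):
        s = seg(flags, self.snd_nxt, ack)
        if "SYN" in flags or "FIN" in flags:
            self.snd_nxt += 1   # SYN and FIN each consume one sequence number
        self.log.append(("out", sorted(flags), s["seq"], s["ack"]))
        return s

    def listen(self):           # passive open
        self.state = "LISTEN"

    def connect(self, isn):     # active open: SYN with seq = A (isn is supplied)
        self.snd_nxt = isn
        self.state = "SYN-SENT"
        return self._send({"SYN"})

    def close(self):            # the local application closes its half
        if self.state == "ESTABLISHED":
            self.state = "FIN-WAIT-1"
        elif self.state == "CLOSE-WAIT":
            self.state = "LAST-ACK"
        else:
            raise RuntimeError("close() is not valid in state %s" % self.state)
        return self._send({"FIN", "ACK"}, self.rcv_nxt)

    def receive(self, s, isn=None):
        """Apply one incoming segment; return the reply segment or None."""
        f = s["flags"]
        self.log.append(("in", sorted(f), s["seq"], s["ack"]))
        if self.state == "LISTEN" and f == {"SYN"}:
            self.rcv_nxt = s["seq"] + 1             # will acknowledge A+1
            self.snd_nxt = isn                      # our own ISN, B
            self.state = "SYN-RECEIVED"
            return self._send({"SYN", "ACK"}, self.rcv_nxt)
        # Only SYN and FIN are ever in flight here, so a valid ACK must
        # acknowledge exactly everything sent so far; anything else is dropped.
        if "ACK" in f and s["ack"] != self.snd_nxt:
            self.log.append(("dropped", "ack %d != %d" % (s["ack"], self.snd_nxt)))
            return None
        if self.state == "SYN-SENT" and f == {"SYN", "ACK"}:
            self.rcv_nxt = s["seq"] + 1             # B+1
            self.state = "ESTABLISHED"
            return self._send({"ACK"}, self.rcv_nxt)
        if self.state == "SYN-RECEIVED" and f == {"ACK"}:
            self.state = "ESTABLISHED"
            return None
        if "FIN" in f and s["seq"] == self.rcv_nxt:
            self.rcv_nxt += 1                       # the FIN occupies a sequence number
            if self.state == "ESTABLISHED":
                self.state = "CLOSE-WAIT"
            elif self.state == "FIN-WAIT-2":
                self.state = "TIME-WAIT"
            elif self.state == "FIN-WAIT-1":        # peer's FIN: did it ACK ours too?
                self.state = "TIME-WAIT" if "ACK" in f else "CLOSING"
            return self._send({"ACK"}, self.rcv_nxt)
        if f == {"ACK"}:
            self.state = {"FIN-WAIT-1": "FIN-WAIT-2", "CLOSING": "TIME-WAIT",
                          "LAST-ACK": "CLOSED"}.get(self.state, self.state)
        return None


def establish(client, server, client_isn, server_isn):
    """Three-way handshake: SYN (A), SYN-ACK (B, A+1), ACK (A+1, B+1)."""
    server.listen()
    syn = client.connect(client_isn)
    syn_ack = server.receive(syn, isn=server_isn)
    ack = client.receive(syn_ack)
    server.receive(ack)
    return client.state, server.state


def four_way_close(active, passive):
    """Each side sends its own FIN and has it acknowledged separately."""
    ack1 = passive.receive(active.close())   # active: FIN-WAIT-1, passive: CLOSE-WAIT
    active.receive(ack1)                     # active: FIN-WAIT-2
    ack2 = active.receive(passive.close())   # passive: LAST-ACK, active: TIME-WAIT
    passive.receive(ack2)                    # passive: CLOSED
    return active.state, passive.state


if __name__ == "__main__":
    c, s = Endpoint("client"), Endpoint("server")
    print(establish(c, s, client_isn=1000, server_isn=5000))
    print(four_way_close(c, s))
```

The three-way close from the next paragraphs falls out of the same model: if the passive side calls close() before its ACK is delivered, its FIN+ACK takes the active side straight from FIN-WAIT-1 to TIME-WAIT.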

A connection can be "half-open", in which case one side has terminated its end, but the other has not. The side that has terminated can no longer send any data into the connection, but the other side can. The terminating side should continue reading the data until the other side terminates as well.

It is also possible to terminate the connection by a 3-way handshake, when host A sends a FIN and host B replies with a FIN & ACK (merely combines 2 steps into one) and host A replies with an ACK.[13] This is perhaps the most common method.

It is possible for both hosts to send FINs simultaneously then both just have to ACK. This could possibly be considered a 2-way handshake since the FIN/ACK sequence is done in parallel for both directions.

Some host TCP stacks may implement a half-duplex close sequence, as Linux or HP-UX do. If such a host actively closes a connection but still has not read all the incoming data the stack already received from the link, this host sends a RST instead of a FIN (Section 4.2.2.13 in RFC 1122). This allows a TCP application to be sure the remote application has read all the data the former sent, by waiting for the FIN from the remote side when it actively closes the connection. But the remote TCP stack cannot distinguish between a Connection Aborting RST and a Data Loss RST. Both cause the remote stack to lose all the data received.

Some application protocols may violate the OSI model layers, using the TCP open/close handshaking for the application protocol open/close handshaking; these may find the RST problem on active close. As an example:

    s = connect(remote);
    send(s, data);
    close(s);

For a usual program flow like above, a TCP/IP stack like that described above does not guarantee that all the data arrives to the other application.

Resource usage

Most implementations allocate an entry in a table that maps a session to a running operating system process. Because TCP packets do not include a session identifier, both endpoints identify the session using the client's address and port. Whenever a packet is received, the TCP implementation must perform a lookup on this table to find the destination process. Each entry in the table is known as a Transmission Control Block or TCB. It contains information about the endpoints (IP and port), status of the connection, running data about the packets that are being exchanged and buffers for sending and receiving data.

The number of sessions in the server side is limited only by memory and can grow as new connections arrive, but the client must allocate a random port before sending the first SYN to the server. This port remains allocated during the whole conversation, and effectively limits the number of outgoing connections from each of the client's IP addresses. If an application fails to properly close unrequired connections, a client can run out of resources and become unable to establish new TCP connections, even from other applications.

Both endpoints must also allocate space for unacknowledged packets and received (but unread) data.

Data transfer

There are a few key features that set TCP apart from User Datagram Protocol:

- Ordered data transfer: the destination host rearranges according to sequence number[2]
- Retransmission of lost packets: any cumulative stream not acknowledged is retransmitted[2]
- Error-free data transfer[14]
- Flow control: limits the rate a sender transfers data to guarantee reliable delivery. The receiver continually hints the sender on how much data can be received (controlled by the sliding window). When the receiving host's buffer fills, the next acknowledgment contains a 0 in the window size, to stop transfer and allow the data in the buffer to be processed.[2]
- Congestion control[2]

Reliable transmission

TCP uses a sequence number to identify each byte of data. The sequence number identifies the order of the bytes sent from each computer so that the data can be reconstructed in order, regardless of any fragmentation, disordering, or packet loss that may occur during transmission. For every payload byte transmitted, the sequence number must be incremented. In the first two steps of the 3-way handshake, both computers exchange an initial sequence number (ISN). This number can be arbitrary, and should in fact be unpredictable to defend against TCP sequence prediction attacks.

TCP primarily uses a cumulative acknowledgment scheme, where the receiver sends an acknowledgment signifying that the receiver has received all data preceding the acknowledged sequence number. The sender sets the sequence number field to the sequence number of the first payload byte in the segment's data field, and the receiver sends an acknowledgment specifying the sequence number of the next byte they expect to receive. For example, if a sending computer sends a packet containing four payload bytes with a sequence number field of 100, then the sequence numbers of the four payload bytes are 100, 101, 102 and 103. When this packet arrives at the receiving computer, it would send back an acknowledgment number of 104 since that is the sequence number of the next byte it expects to receive in the next packet.

In addition to cumulative acknowledgments, TCP receivers can also send selective acknowledgments to provide further information.

If the sender infers that data has been lost in the network, it retransmits the data.

Error detection

Sequence numbers allow receivers to discard duplicate packets and properly sequence reordered packets. Acknowledgments allow senders to determine when to retransmit lost packets. To assure correctness a checksum field is included (see TCP segment structure for details on checksumming).

The TCP checksum is a weak check by modern standards. Data Link Layers with high bit error rates may require additional link error correction/detection capabilities. The weak checksum is partially compensated for by the common use of a CRC or better integrity check at layer 2, below both TCP and IP, such as is used in PPP or the Ethernet frame. However, this does not mean that the 16-bit TCP checksum is redundant: remarkably, introduction of errors in packets between CRC-protected hops is common, but the end-to-end 16-bit TCP checksum catches most of these simple errors.[15] This is the end-to-end principle at work.

Flow control

TCP uses an end-to-end flow control protocol to avoid having the sender send data too fast for the TCP receiver to receive and process it reliably. Having a mechanism for flow control is essential in an environment where machines of diverse network speeds communicate. For example, if a PC sends data to a smartphone that is slowly processing received data, the smartphone must regulate the data flow so as not to be overwhelmed.[2]

TCP uses a sliding window flow control protocol. In each TCP segment, the receiver specifies in the receive window field the amount of additionally received data (in bytes) that it is willing to buffer for the connection. The sending host can send only up to that amount of data before it must wait for an acknowledgment and window update from the receiving host.

TCP sequence numbers and receive windows behave very much like a clock. The receive window shifts each time the receiver receives and acknowledges a new segment of data. Once it runs out of sequence numbers, the sequence number loops back to 0.

When a receiver advertises a window size of 0, the sender stops sending data and starts the persist timer. The persist timer is used to protect TCP from a deadlock situation that could arise if a subsequent window size update from the receiver is lost, and the sender cannot send more data until receiving a new window size update from the receiver. When the persist timer expires, the TCP sender attempts recovery by sending a small packet so that the receiver responds by sending another acknowledgement containing the new window size.

If a receiver is processing incoming data in small increments, it may repeatedly advertise a small receive window. This is referred to as the silly window syndrome, since it is inefficient to send only a few bytes of data in a TCP segment, given the relatively large overhead of the TCP header.

Congestion control

The final main aspect of TCP is congestion control. TCP uses a number of mechanisms to achieve high performance and avoid congestion collapse, where network performance can fall by several orders of magnitude. These mechanisms control the rate of data entering the network, keeping the data flow below a rate that would trigger collapse. They also yield an approximately max-min fair allocation between flows.

Acknowledgments for data sent, or lack of acknowledgments, are used by senders to infer network conditions between the TCP sender and receiver. Coupled with timers, TCP senders and receivers can alter the behavior of the flow of data. This is more generally referred to as congestion control and/or network congestion avoidance.

Modern implementations of TCP contain four intertwined algorithms: slow-start, congestion avoidance, fast retransmit, and fast recovery (RFC 5681).

In addition, senders employ a retransmission timeout (RTO) that is based on the estimated round-trip time (or RTT) between the sender and receiver, as well as the variance in this round trip time. The behavior of this timer is specified in RFC 6298. There are subtleties in the estimation of RTT. For example, senders must be careful when calculating RTT samples for retransmitted packets; typically they use Karn's Algorithm or TCP timestamps (see RFC 1323). These individual RTT samples are then averaged over time to create a Smoothed Round Trip Time (SRTT) using Jacobson's algorithm. This SRTT value is what is finally used as the round-trip time estimate.

Enhancing TCP to reliably handle loss, minimize errors, manage congestion and go fast in very high-speed environments are ongoing areas of research and standards development. As a result, there are a number of TCP congestion avoidance algorithm variations.

Maximum segment size

The maximum segment size (MSS) is the largest amount of data, specified in bytes, that TCP is willing to receive in a single segment. For best performance, the MSS should be set small enough to avoid IP fragmentation, which can lead to packet loss and excessive retransmissions. To try to accomplish this, typically the MSS is announced by each side using the MSS option when the TCP connection is established, in which case it is derived from the maximum transmission unit (MTU) size of the data link layer of the networks to which the sender and receiver are directly attached. Furthermore, TCP senders can use path MTU discovery to infer the minimum MTU along the network path between the sender and receiver, and use this to dynamically adjust the MSS to avoid IP fragmentation within the network.

MSS announcement is also often called "MSS negotiation". Strictly speaking, the MSS is not "negotiated" between the originator and the receiver, because that would imply that both originator and receiver will negotiate and agree upon a single, unified MSS that applies to all communication in both directions of the connection. In fact, two completely independent values of MSS are permitted for the two directions of data flow in a TCP connection.[16] This situation may arise, for example, if one of the devices participating in a connection has an extremely limited amount of memory reserved (perhaps even smaller than the overall discovered Path MTU) for processing incoming TCP segments.

Selective acknowledgments

Relying purely on the cumulative acknowledgment scheme employed by the original TCP protocol can lead to inefficiencies when packets are lost. For example, suppose 10,000 bytes are sent in 10 different TCP packets, and the first packet is lost during transmission. In a pure cumulative acknowledgment protocol, the receiver cannot say that it received bytes 1,000 to 9,999 successfully, but failed to receive the first packet, containing bytes 0 to 999. Thus the sender may then have to resend all 10,000 bytes.

To solve this problem TCP employs the selective acknowledgment (SACK) option, defined in RFC 2018, which allows the receiver to acknowledge discontinuous blocks of packets that were received correctly, in addition to the sequence number of the last contiguous byte received successively, as in the basic TCP acknowledgment. The acknowledgement can specify a number of SACK blocks, where each SACK block is conveyed by the starting and ending sequence numbers of a contiguous range that the receiver correctly received. In the example above, the receiver would send SACK with sequence numbers 1000 and 9999. The sender thus retransmits only the first packet, bytes 0 to 999.

A TCP sender can interpret an out-of-order packet delivery as a lost packet. If it does so, the TCP sender will retransmit the packet previous to the out-of-order packet and slow its data delivery rate for that connection. The duplicate-SACK option, an extension to the SACK option that was defined in RFC 2883, solves this problem. The TCP receiver sends a D-ACK to indicate that no packets were lost, and the TCP sender can then reinstate the higher transmission rate.

The SACK option is not mandatory and it is used only if both parties support it. This is negotiated when connection is established. SACK uses the optional part of the TCP header (see TCP segment structure for details). The use of SACK is widespread; all popular TCP stacks support it. Selective acknowledgment is also used in Stream Control Transmission Protocol (SCTP).

Window scaling

Main article: TCP window scale option

For more efficient use of high bandwidth networks, a larger TCP window size may be used. The TCP window size field controls the flow of data and its value is limited to between 2 and 65,535 bytes. Since the size field cannot be expanded, a scaling factor is used. The TCP window scale option, as defined in RFC 1323, is an option used to increase the maximum window size from 65,535 bytes to 1 gigabyte. Scaling up to larger window sizes is a part of what is necessary for TCP tuning.

The window scale option is used only during the TCP 3-way handshake. The window scale value represents the number of bits to left-shift the 16-bit window size field. The window scale value can be set from 0 (no shift) to 14 for each direction independently. Both sides must send the option in their SYN segments to enable window scaling in either direction.

Some routers and packet firewalls rewrite the window scaling factor during a transmission. This causes sending and receiving sides to assume different TCP window sizes. The result is non-stable traffic that may be very slow. The problem is visible on some sites behind a defective router.[17]
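The cumulative acknowledgment example from Reliable transmission (four bytes at sequence number 100, acknowledged with 104) and the selective acknowledgment example above (10,000 bytes in ten segments, the first lost), worked through in added Python code that is not from the article: receiver-side computation of the ACK number and SACK blocks, and the sender's retransmission choice with and without SACK. Sequence numbers are treated as plain integers (no 2^32 wrap-around), SACK blocks are listed in sequence order rather than most-recent-first, and the arrival lists are constructed, not captured traffic.

```python
def merge_ranges(received):
    """received: (seq, length) pairs of payload segments that arrived, in any
    order.  Returns sorted, non-overlapping [lo, hi) ranges in sequence space."""
    merged = []
    for lo, hi in sorted((s, s + n) for s, n in received if n > 0):
        if merged and lo <= merged[-1][1]:     # overlapping or adjacent: coalesce
            merged[-1][1] = max(merged[-1][1], hi)
        else:
            merged.append([lo, hi])
    return merged


def receiver_ack_state(rcv_nxt, received, max_blocks=4):
    """What the receiver puts in its next acknowledgment.
    rcv_nxt: the first byte not yet acknowledged before these arrivals.
    Returns (ack_number, sack_blocks): the cumulative ACK is the first unfilled
    byte; each SACK block is (left_edge, right_edge) with the right edge being
    the sequence number after the last byte, as RFC 2018 encodes it.  At most
    max_blocks blocks fit in the 40 bytes of option space (fewer with timestamps)."""
    ranges = merge_ranges(received)
    ack = rcv_nxt
    if ranges and ranges[0][0] <= rcv_nxt <= ranges[0][1]:
        ack = ranges.pop(0)[1]                 # contiguous prefix: cumulative ACK advances
    blocks = [tuple(r) for r in ranges if r[1] > ack][:max_blocks]
    return ack, blocks


def cumulative_only_plan(ack, snd_nxt):
    """Without SACK the sender knows only the first hole and resends from there."""
    return [(ack, snd_nxt)] if ack < snd_nxt else []


def sack_retransmit_plan(ack, snd_nxt, sack_blocks):
    """With SACK the sender resends only the holes: bytes in [ack, snd_nxt)
    that no block covers."""
    holes, cursor = [], ack
    for lo, hi in sorted(sack_blocks):
        if lo > cursor:
            holes.append((cursor, lo))
        cursor = max(cursor, hi)
    if cursor < snd_nxt:
        holes.append((cursor, snd_nxt))
    return holes


# Constructed scenarios (not captured traffic).
# 1. The four-byte segment at sequence number 100 from the text.
FOUR_BYTES = [(100, 4)]
# 2. Ten 1000-byte segments covering bytes 0..9999, the first one lost.
FIRST_LOST = [(s, 1000) for s in range(1000, 10000, 1000)]
# 3. The same stream with the segments at 0, 2000 and 4000 lost, and the
#    survivors arriving out of order.
THREE_LOST = [(9000, 1000), (1000, 1000), (5000, 1000), (3000, 1000),
              (8000, 1000), (6000, 1000), (7000, 1000)]

if __name__ == "__main__":
    print("four bytes:", receiver_ack_state(100, FOUR_BYTES))
    for label, arrivals in [("first lost", FIRST_LOST), ("three lost", THREE_LOST)]:
        ack, blocks = receiver_ack_state(0, arrivals)
        print(label, "ack", ack, "sack", blocks,
              "| cumulative-only resend", cumulative_only_plan(ack, 10000),
              "| sack resend", sack_retransmit_plan(ack, 10000, blocks))
```

For the first-lost scenario the receiver reports ACK 0 with the single block (1000, 10000), so a SACK-aware sender resends only bytes 0-999 where a cumulative-only sender would resend all 10,000.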

TCP timestamps

TCP timestamps, defined in RFC 1323, can help TCP determine in which order packets were sent. TCP timestamps are not normally aligned to the system clock and start at some random value. Many operating systems will increment the timestamp for every elapsed millisecond; however the RFC only states that the ticks should be proportional.

There are two timestamp fields:
- a 4-byte sender timestamp value (my timestamp)
- a 4-byte echo reply timestamp value (the most recent timestamp received from you).

TCP timestamps are used in an algorithm known as Protection Against Wrapped Sequence numbers, or PAWS (see RFC 1323 for details). PAWS is used when the TCP window size exceeds the possible numbers of sequence numbers (2^32). In the case where a packet was potentially retransmitted it answers the question: "Is this sequence number in the first 4 GB or the second?" And the timestamp is used to break the tie.

RFC 1323 incorrectly states in section 2.3 that the window scale must be limited to 2^30 to remain under 1 GB (which is correct, but the sequence number limit is 4 GB); however a scale of 16 and a window size of 65535 would be 65536 less than the 2^32 possible sequence numbers and thus an acceptable yet excessive value. Because of this error many systems have limited the max scale to 2^14 to "follow the RFC".

Also, the Eifel detection algorithm (RFC 3522) uses TCP timestamps to determine if retransmissions are occurring because packets are lost or simply out of order.

Out of band data

One is able to interrupt or abort the queued stream instead of waiting for the stream to finish. This is done by specifying the data as urgent. This tells the receiving program to process it immediately, along with the rest of the urgent data. When finished, TCP informs the application and resumes back to the stream queue. An example is when TCP is used for a remote login session, the user can send a keyboard sequence that interrupts or aborts the program at the other end. These signals are most often needed when a program on the remote machine fails to operate correctly. The signals must be sent without waiting for the program to finish its current transfer.[2]

TCP OOB data was not designed for the modern Internet. The urgent pointer only alters the processing on the remote host and doesn't expedite any processing on the network itself.
When it gets to the remote host there are two slightly different interpretations of the protocol, which means only single bytes of OOB data are reliable. This is assuming it is reliable at all as it is one of the least commonly used protocol elements and tends to be poorly implemented.[18][19]

Forcing data delivery

Normally, TCP waits for 200 ms or for a full packet of data to send (Nagle's Algorithm tries to group small messages into a single packet). This wait creates small, but potentially serious, delays if repeated constantly during a file transfer. For example, a typical send block would be 4 KB, a typical MSS is 1460, so 2 packets go out on a 10 Mbit/s ethernet taking ~1.2 ms each followed by a third carrying the remaining 1176 after a 197 ms pause because TCP is waiting for a full buffer. In the case of telnet, each user keystroke is echoed back by the server before the user can see it on the screen. This delay would become very annoying.

Setting the socket option TCP_NODELAY overrides the default 200 ms send delay. Application programs use this socket option to force output to be sent after writing a character or line of characters.

The RFC defines the PSH push bit as "a message to the receiving TCP stack to send this data immediately up to the receiving application".[2] There is no way to indicate or control it in user space using Berkeley sockets and it is controlled by the protocol stack only.[20]

Vulnerabilities

TCP ma" 'e attacked in a variet" of wa"s. The results of a thorough securit" assessment of TCP, along with possi'le mitigations for the identified issues, were pu'lished in 6++;,[6*! and is currentl" 'eing pursued within the I=T:.[66! (enial o) ser0ice[edit] D" using a spoofed IP address and repeatedl" sending purposel" assem'led -H> packets, followed '" man" )C7 packets, attackers can cause the server to consume large amounts of resources keeping track of the 'ogus connections. This is known as a -H> flood attack. Proposed solutions to this pro'lem include -H> cookies and cr"ptographic pu11les, though s"n cookies come with their own set of vulnera'ilities.[6 ! -ockstress is a similar attack, that might 'e mitigated with s"stem resource management. [6%! )n advanced #o- attack involving the exploitation of the TCP Persist Timer was anal"1ed in Phrack Q55.[6(! Connection i5ac1ing[edit] .ain article/ TCP se*uence prediction attack )n attacker who is a'le to eavesdrop a TCP session and redirect packets can hiKack a TCP connection. To do so, the attacker learns the se.uence num'er from the ongoing communication and forges a false segment that looks like the next segment in the stream. -uch a simple hiKack can result in one packet 'eing erroneousl" accepted at one end. 0hen the receiving host acknowledges the extra segment to the other side of the connection, s"nchroni1ation is lost. ,iKacking might 'e com'ined with )/P or routing attacks that allow taking control of the packet flow, so as to get permanent control of the hiKacked TCP connection.[65! Impersonating a different IP address was not difficult prior to /:C *;%?, when the initial se*uence num$er was easil" guessa'le. 
That allowed an attacker to blindly send a sequence of packets that the receiver would believe to come from a different IP address, without the need to deploy ARP or routing attacks: it is enough to ensure that the legitimate host of the impersonated IP address is down, or bring it to that condition using denial-of-service attacks. This is why the initial sequence number is now chosen at random.

TCP veto

An attacker who can eavesdrop and predict the size of the next packet to be sent can cause the receiver to accept a malicious payload without disrupting the existing connection. The attacker injects a malicious packet with the sequence number and a payload size of the next expected packet. When the legitimate packet is ultimately received, it is found to have the same sequence number and length as a packet already received and is silently dropped as a normal duplicate packet; the legitimate packet is "vetoed" by the malicious packet. Unlike in connection hijacking, the connection is never desynchronized and communication continues as normal after the malicious payload is accepted. TCP veto gives the attacker less control over the communication, but makes the attack particularly resistant to detection. The large increase in network traffic from the ACK storm is avoided. The only evidence to the receiver that something is amiss is a single duplicate packet, a normal occurrence in an IP network. The sender of the vetoed packet never sees any evidence of an attack.[27]

TCP ports

Main article: TCP and UDP port

TCP uses port numbers to identify sending and receiving application end-points on a host, or Internet sockets. Each side of a TCP connection has an associated 16-bit unsigned port number (0-65535) reserved by the sending or receiving application. Arriving TCP data packets are identified as belonging to a specific TCP connection by its sockets, that is, the combination of source host address, source port, destination host address, and destination port.
This means that a server computer can provide several clients with several services simultaneously, as long as a client takes care of initiating any simultaneous connections to one destination port from different source ports. Port numbers are categorized into three basic categories: well-known, registered, and dynamic/private. The well-known ports are assigned by the Internet Assigned Numbers Authority (IANA) and are typically used by system-level or root processes. Well-known applications running as servers and passively listening for connections typically use these ports. Some examples include: FTP (20 and 21), SSH (22), TELNET (23), SMTP (25), SSL (443) and HTTP (80). Registered ports are typically used by end user applications as ephemeral source ports when contacting servers, but they can also identify named services that have been registered by a third party. Dynamic/private ports can also be used by end user applications, but are less commonly so. Dynamic/private ports do not contain any meaning outside of any particular TCP connection.
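The one trace a TCP veto leaves, a "duplicate" whose bytes differ from the segment first accepted at that sequence range, written as a passive detection check over constructed traffic. This is an added example, not code from the article; the flow label, documentation addresses and payloads are made up, and the monitor assumes it sees segments in the order the receiver accepted them.

```python
import hashlib


class VetoMonitor:
    """A genuine retransmission repeats the same bytes, so a segment with the same
    flow, sequence number and length as one already accepted, but a different
    payload, is worth an alert: the receiver itself would drop it silently."""

    def __init__(self):
        self.first_seen = {}   # (flow, seq, length) -> digest of the payload accepted first
        self.alerts = []

    def observe(self, flow, seq, payload):
        key = (flow, seq, len(payload))
        digest = hashlib.sha256(payload).hexdigest()
        if key not in self.first_seen:
            self.first_seen[key] = digest
            return "accepted"
        if self.first_seen[key] == digest:
            return "duplicate"          # ordinary retransmission, benign
        self.alerts.append({"flow": flow, "seq": seq, "length": len(payload)})
        return "payload-mismatch"       # same seq/len, different bytes: investigate


def run_sample():
    """Constructed traffic: one benign retransmission and one vetoed segment.
    Sequence 2001 carries 16 bytes, so the next segment starts at 2017."""
    flow = ("192.0.2.10:40000", "198.51.100.5:80")   # constructed documentation addresses
    monitor = VetoMonitor()
    results = [
        monitor.observe(flow, 2001, b"GET / HTTP/1.0\r\n"),     # first copy accepted
        monitor.observe(flow, 2001, b"GET / HTTP/1.0\r\n"),     # retransmitted unchanged
        monitor.observe(flow, 2017, b"Host: evil.test\r\n"),    # injected segment accepted first
        monitor.observe(flow, 2017, b"Host: good.test\r\n"),    # legitimate segment, vetoed
    ]
    return results, monitor.alerts
```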

Development

TCP is a complex protocol. However, while significant enhancements have been made and proposed over the years, its most basic operation has not changed significantly since its first specification RFC 675 in 1974, and the v4 specification RFC 793, published in September 1981. RFC 1122, Host Requirements for Internet Hosts, clarified a number of TCP protocol implementation requirements. RFC 2581, TCP Congestion Control, one of the most important TCP-related RFCs in recent years, describes updated algorithms that avoid undue congestion. In 2001, RFC 3168 was written to describe explicit congestion notification (ECN), a congestion avoidance signaling mechanism. The original TCP congestion avoidance algorithm was known as "TCP Tahoe", but many alternative algorithms have since been proposed (including TCP Reno, TCP Vegas, FAST TCP, TCP New Reno, and TCP Hybla). TCP Interactive (iTCP)[28] is a research effort into TCP extensions that allows applications to subscribe to TCP events and register handler components that can launch applications for various purposes, including application-assisted congestion control. Multipath TCP (MPTCP)[29][30] is an ongoing effort within the IETF that aims at allowing a TCP connection to use multiple paths to maximise resource usage and increase redundancy. The redundancy offered by Multipath TCP in the context of wireless networks[31] enables statistical multiplexing of resources, and thus increases TCP throughput dramatically. Multipath TCP also brings performance benefits in datacenter environments.[32] The reference implementation[33] of Multipath TCP is being developed in the Linux kernel.[34][35] TCP Cookie Transactions (TCPCT) is an extension proposed in December 2009 to secure servers against denial-of-service attacks. Unlike SYN cookies, TCPCT does not conflict with other TCP extensions such as window scaling.

TCPCT was designed due to necessities of DNSSEC, where servers have to handle large numbers of short-lived TCP connections. tcpcrypt is an extension proposed in July 2010 to provide transport-level encryption directly in TCP itself. It is designed to work transparently and not require any configuration. Unlike TLS (SSL), tcpcrypt itself does not provide authentication, but provides simple primitives down to the application to do that. As of 2010, the first tcpcrypt IETF draft has been published and implementations exist for several major platforms. TCP Fast Open is an extension to speed up the opening of successive TCP connections between two endpoints. It works by skipping the three-way handshake using a cryptographic "cookie". It is similar to an earlier proposal called T/TCP, which was not widely adopted due to security issues.[36] As of July 2012, it is an IETF Internet draft.[37]

TCP over wireless networks

TCP has been optimized for wired networks. Any packet loss is considered to be the result of network congestion and the congestion window size is reduced dramatically as a precaution. However, wireless links are known to experience sporadic and usually temporary losses due to fading, shadowing, hand off, and other radio effects, that cannot be considered congestion. After the (erroneous) back-off of the congestion window size, due to wireless packet loss, there can be a congestion avoidance phase with a conservative decrease in window size. This causes the radio link to be underutilized. Extensive research has been done on the subject of how to combat these harmful effects. Suggested solutions can be categorized as end-to-end solutions (which require modifications at the client or server),[38] link layer solutions (such as RLP in cellular networks), or proxy based solutions (which require some changes in the network without modifying end nodes).[38][39]

A number of alternative congestion control algorithms have been proposed to help solve the wireless problem, such as Vegas, Westwood, Veno and Santa Cruz.

Hardware implementations

One way to overcome the processing power requirements of TCP is to build hardware implementations of it, widely known as TCP Offload Engines (TOE). The main problem of TOEs is that they are hard to integrate into computing systems, requiring extensive changes in the operating system of the computer or device. One company to develop such a device was Alacritech.

Debugging

A packet sniffer, which intercepts TCP traffic on a network link, can be useful in debugging networks, network stacks and applications that use TCP by showing the user what packets are passing through a link. Some networking stacks support the SO_DEBUG socket option, which can be enabled on the socket using setsockopt. That option dumps all the packets, TCP states, and events on that socket, which is helpful in debugging. Netstat is another utility that can be used for debugging.

Alternatives

For many applications TCP is not appropriate. One problem (at least with normal implementations) is that the application cannot access the packets coming after a lost packet until the retransmitted copy of the lost packet is received. This causes problems for real-time applications such as streaming media, real-time multiplayer games and voice over IP (VoIP) where it is generally more useful to get most of the data in a timely fashion than it is to get all of the data in order. For both historical and performance reasons, most storage area networks (SANs) prefer to use Fibre Channel protocol (FCP) instead of TCP/IP. Also, for embedded systems, network booting, and servers that serve simple requests from huge numbers of clients (e.g. DNS servers) the complexity of TCP can be a problem. Finally, some tricks such as transmitting data between two hosts that are both behind NAT (using STUN or similar systems) are far simpler without a relatively complex protocol like TCP in the way. Generally, where TCP is unsuitable, the User Datagram Protocol (UDP) is used. This provides the application multiplexing and checksums that TCP does, but does not handle streams or retransmission, giving the application developer the ability to code them in a way suitable for the situation, or to replace them with other methods like forward error correction or interpolation.

Stream Control Transmission Protocol (SCTP) is another IP protocol that provides reliable stream oriented services similar to TCP. It is newer and considerably more complex than TCP, and has not yet seen widespread deployment. However, it is especially designed to be used in situations where reliability and near-real-time considerations are important. Venturi Transport Protocol (VTP) is a patented proprietary protocol that is designed to replace TCP transparently to overcome perceived inefficiencies related to wireless data transport. TCP also has issues in high bandwidth environments. The TCP congestion avoidance algorithm works very well for ad-hoc environments where the data sender is not known in advance, but if the environment is predictable, a timing based protocol such as Asynchronous Transfer Mode (ATM) can avoid TCP's retransmits overhead. Multipurpose Transaction Protocol (MTP/IP) is patented proprietary software that is designed to adaptively achieve high throughput and transaction performance in a wide variety of network conditions, particularly those where TCP is perceived to be inefficient.

Checksum computation

TCP checksum for IPv4

When TCP runs over IPv4, the method used to compute the checksum is defined in RFC 793:

The checksum field is the 16 bit one's complement of the one's complement sum of all 16-bit words in the header and text. If a segment contains an odd number of header and text octets to be checksummed, the last octet is padded on the right with zeros to form a 16-bit word for checksum purposes. The pad is not transmitted as part of the segment. While computing the checksum, the checksum field itself is replaced with zeros.

In other words, after appropriate padding, all 16-bit words are added using one's complement arithmetic. The sum is then bitwise complemented and inserted as the checksum field. A pseudo-header that mimics the IPv4 packet header used in the checksum computation is shown in the table below.
TCP pseudo-header for checksum computation (IPv4)

Bit offset | 0-3         | 4-7      | 8-15     | 16-31
0          | Source address
32         | Destination address
64         | Zeros                  | Protocol | TCP length
96         | Source port                       | Destination port
128        | Sequence number
160        | Acknowledgement number
192        | Data offset | Reserved | Flags    | Window
224        | Checksum                          | Urgent pointer
256        | Options (optional)
256/288+   | Data

The source and destination addresses are those of the IPv4 header. The protocol value is 6 for TCP (cf. List of IP protocol numbers). The TCP length field is the length of the TCP header and data (measured in octets).

TCP checksum for IPv6

When TCP runs over IPv6, the method used to compute the checksum is changed, as per RFC 2460:

Any transport or other upper-layer protocol that includes the addresses from the IP header in its checksum computation must be modified for use over IPv6 to include the 128-bit IPv6 addresses instead of 32-bit IPv4 addresses.

A pseudo-header that mimics the IPv6 header for computation of the checksum is shown below.

TCP pseudo-header for checksum computation (IPv6)

Bit offset | 0-7         | 8-15     | 16-23    | 24-31
0          | Source address
32         | (source address, continued)
64         | (source address, continued)
96         | (source address, continued)
128        | Destination address
160        | (destination address, continued)
192        | (destination address, continued)
224        | (destination address, continued)
256        | TCP length
288        | Zeros                             | Next header
320        | Source port                       | Destination port
352        | Sequence number
384        | Acknowledgement number
416        | Data offset | Reserved | Flags    | Window
448        | Checksum                          | Urgent pointer
480        | Options (optional)
480/512+   | Data

Source address: the one in the IPv6 header.
Destination address: the final destination; if the IPv6 packet doesn't contain a Routing header, TCP uses the destination address in the IPv6 header, otherwise, at the originating node, it uses the address in the last element of the Routing header, and, at the receiving node, it uses the destination address in the IPv6 header.
TCP length: the length of the TCP header and data.
Next Header: the protocol value for TCP.

Checksum offload

Many TCP/IP software stack implementations provide options to use hardware assistance to automatically compute the checksum in the network adapter prior to transmission onto the network or upon reception from the network for validation. This may relieve the OS from using precious CPU cycles calculating the checksum. Hence, overall network performance is increased. This feature may cause packet analyzers detecting outbound network traffic upstream of the network adapter that are unaware or uncertain about the use of checksum offload to report invalid checksums in outbound packets.
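The IPv4 and IPv6 pseudo-header checksum described above, worked through as an added Python example (not code from the article). It assumes documentation addresses and a constructed 20-byte SYN segment; verify_tcp_checksum is the check a packet analyzer applies, which is why a capture taken before the adapter fills in an offloaded checksum fails it.

```python
import ipaddress
import struct

TCP_PROTOCOL = 6  # protocol (IPv4) / next header (IPv6) value for TCP


def ones_complement_sum(data: bytes) -> int:
    """Add all 16-bit big-endian words in one's complement arithmetic. An odd
    trailing octet is padded with a zero octet; the pad is never transmitted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, tcp_length: int) -> bytes:
    """The pseudo-header from the tables above: 12 bytes for IPv4, 40 for IPv6."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("address family mismatch")
    if s.version == 4:   # src, dst, zero octet, protocol, TCP length
        return s.packed + d.packed + struct.pack("!BBH", 0, TCP_PROTOCOL, tcp_length)
    # src, dst, 32-bit TCP length, three zero octets, next header
    return s.packed + d.packed + struct.pack("!I3xB", tcp_length, TCP_PROTOCOL)


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Checksum over pseudo-header + header + data, with the checksum field
    (header bytes 16-17) replaced by zeros while summing."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return ~ones_complement_sum(pseudo_header(src, dst, len(segment)) + zeroed) & 0xFFFF


def verify_tcp_checksum(src: str, dst: str, segment: bytes) -> bool:
    """Receiver-side check: with the transmitted checksum included, the one's
    complement sum of everything must come out as 0xFFFF."""
    return ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF


def build_segment(sport, dport, seq, ack, flags, window, data=b"", checksum=0):
    """Minimal 20-byte header (data offset 5, no options) followed by data."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                         window, checksum, 0)
    return header + data


# Constructed sample: a SYN (flags 0x02) with ISN 2000 between documentation addresses.
SRC4, DST4 = "192.0.2.1", "198.51.100.10"
SAMPLE_SYN = build_segment(12345, 80, 2000, 0, 0x02, 65535)
```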

TCP model

In this lesson, you will learn how two TCP devices synchronize using the three-way handshake (3-way handshake), what the three steps of a TCP three-way handshake are, and how two TCP devices synchronize. Before the sending device and the receiving device start the exchange of data, both devices need to be synchronized. During the TCP initialization process, the sending device and the receiving device exchange a few control packets for synchronization purposes. This exchange is known as a three-way handshake. The three-way handshake begins with the initiator sending a TCP segment with the SYN control bit flag set. TCP allows one side to establish a connection. The other side may either accept the connection or refuse it. If we consider this from the application layer point of view, the side that is establishing the connection is the client and the side waiting for a connection is the server.

TCP identifies two types of OPEN calls:

Active Open: In an Active Open call a device (client process) using TCP takes the active role and initiates the connection by sending a TCP SYN message to start the connection.

Passive Open: A passive OPEN can specify that the device (server process) is waiting for an active OPEN from a specific client. It does not generate any TCP message segment. The server processes listening for the clients are in Passive Open mode.

TCP Three-way Handshake

Step 1. Device A (Client) sends a TCP segment with SYN = 1, ACK = 0, ISN (Initial Sequence Number) = 2000. The Active Open device (Device A) sends a segment with the SYN flag set to 1, the ACK flag set to 0 and an Initial Sequence Number of 2000 (for example), which marks the beginning of the sequence numbers for data that Device A will transmit. SYN is short for SYNchronize. The SYN flag announces an attempt to open a connection. The first byte transmitted to Device B will have the sequence number ISN+1.

Step 2. Device B (Server) receives Device A's TCP segment and returns a TCP segment with SYN = 1, ACK = 1, ISN = 5000 (Device B's Initial Sequence Number), Acknowledgment Number = 2001 (2000 + 1, the next sequence number Device B is expecting from Device A).

Step 3. Device A sends a TCP segment to Device B that acknowledges receipt of Device B's ISN, with flags set as SYN = 0, ACK = 1, Sequence number = 2001, Acknowledgment number = 5001 (5000 + 1, the next sequence number Device A is expecting from Device B).

This handshaking technique is referred to as the Three-way handshake or SYN, SYN-ACK, ACK. After the three-way handshake, the connection is open and the participant computers start sending data using the sequence and acknowledgment numbers.
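The three steps above as a connection state tracker, an added example that is not part of the lesson. It also shows the half-open connections that a SYN flood (see the Denial of service section above) leaves behind; host labels, the ISNs 2000 and 5000, and the extra segments are constructed.

```python
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10   # control bits in the TCP header flags field


@dataclass
class Segment:
    src: str          # constructed host labels, not real addresses
    dst: str
    flags: int
    seq: int
    ack: int = 0


class HandshakeTracker:
    """Walks each connection through the three steps and records the ones that
    never complete; a pile of those is the state a SYN flood makes a server keep."""

    def __init__(self):
        self.conns = {}      # (client, server) -> {"state", "client_isn", "server_isn"}
        self.rejected = []   # segments whose sequence/acknowledgment numbers did not fit

    def process(self, seg):
        if seg.flags & SYN and not seg.flags & ACK:
            # Step 1 (Active Open): the client's ISN starts its sequence space.
            self.conns[(seg.src, seg.dst)] = {"state": "SYN_RECEIVED",
                                              "client_isn": seg.seq, "server_isn": None}
            return "SYN_RECEIVED"
        c = self.conns.get((seg.dst, seg.src))
        if c and seg.flags & SYN and seg.flags & ACK:
            # Step 2: the server's own ISN, acknowledging client ISN + 1.
            if c["state"] == "SYN_RECEIVED" and seg.ack == c["client_isn"] + 1:
                c.update(state="SYN_ACK_SENT", server_isn=seg.seq)
                return "SYN_ACK_SENT"
        c = self.conns.get((seg.src, seg.dst))
        if c and seg.flags & ACK and c["state"] == "SYN_ACK_SENT":
            # Step 3: seq must be client ISN + 1 and ack server ISN + 1; an ACK
            # carrying a wrong acknowledgment number does not open the connection.
            if seg.seq == c["client_isn"] + 1 and seg.ack == c["server_isn"] + 1:
                c["state"] = "ESTABLISHED"
                return "ESTABLISHED"
        self.rejected.append(seg)
        return "REJECTED"

    def half_open(self):
        """Connections that received a SYN but never reached ESTABLISHED."""
        return [key for key, c in self.conns.items() if c["state"] != "ESTABLISHED"]


def run_sample():
    """Constructed traffic: the lesson's exchange, one ACK with a wrong
    acknowledgment number, and three SYNs that are never followed up."""
    tracker = HandshakeTracker()
    states = [tracker.process(s) for s in [
        Segment("A", "B", SYN, seq=2000),                   # step 1
        Segment("B", "A", SYN | ACK, seq=5000, ack=2001),   # step 2
        Segment("A", "B", ACK, seq=2001, ack=9001),         # wrong acknowledgment number
        Segment("A", "B", ACK, seq=2001, ack=5001),         # step 3
        Segment("S1", "B", SYN, seq=1111),                  # never completed
        Segment("S2", "B", SYN, seq=2222),
        Segment("S3", "B", SYN, seq=3333),
    ]]
    return states, tracker.half_open(), len(tracker.rejected)
```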

You have learned what a TCP three-way handshake (3-way handshake) is, the three steps of a TCP three-way handshake, and how two TCP devices synchronize.

In this lesson, you will learn the terms "TCP Window" and "TCP Sliding Window" and how the "TCP Sliding Window" works.

"hat is a TCP "ind!w#


* TCP window is the a%ount of unacknowledged data a sender can send on a particular connection "efore it gets an acknowledg%ent "ack fro% the receiver, that it has received so%e of the data.

TCP Sliding Window

The working of the TCP sliding window mechanism can be explained as below. The sending device can send all packets within the TCP window size (as specified in the TCP header) without receiving an ACK, and should start a timeout timer for each of them. The receiving device should acknowledge each packet it received, indicating the sequence number of the last well-received packet. After receiving the ACK from the receiving device, the sending device slides the window to the right side.

In this case, the sending device can send up to 5 TCP Segments without receiving an acknowledgement from the receiving device. After receiving the acknowledgement for Segment 1 from the receiving device, the sending device can slide its window one TCP Segment to the right side and the sending device can transmit Segment 6 also. If any TCP Segment is lost on its journey to the destination, the receiving device cannot acknowledge it to the sender. Consider that during transmission all other Segments reached the destination except Segment 3. The receiving device can acknowledge up to Segment 2. At the sending device, a timeout will occur and it will re-transmit the lost Segment 3. Now the receiving device has received all the Segments, since only Segment 3 was lost. Now the receiving device will send the ACK for Segment 5, because it has received all the Segments up to Segment 5. The Acknowledgement (ACK) for Segment 5 ensures the sender that the receiver has successfully received all the Segments up to 5.

TCP uses a byte level numbering system for communication. If the sequence number for a TCP segment at any instance was 5000 and the Segment carries 500 bytes, the sequence number for the next Segment will be 5000+500+1. That means a TCP segment only carries the sequence number of the first byte in the segment. The window size is expressed in number of bytes and is determined by the receiving device when the connection is established and can vary later. You might have noticed when transferring big files from one Windows machine to another, initially the time remaining calculation will show a large value and will come down later.

We have four categories in the above example.

1) Bytes already sent and acknowledged (up to Byte 20).
2) Bytes sent but not acknowledged (Bytes 21-24).
3) Bytes the receiver is ready to accept (Bytes 25-28).
4) Bytes the receiver is not ready to accept (Byte 29 onwards).

The Send Window is the sum of Bytes sent but not acknowledged and Bytes the receiver is ready to accept (Usable Window).
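The window walk-through above (five-segment window, Segment 3 lost, cumulative ACK, window slide) and the four byte categories, as an added Python simulation that is not part of the lesson. It assumes 500-byte segments starting at sequence number 5000 and, following RFC 793, numbers the segment after a 500-byte segment at 5000 as 5500, so each ACK value is the first byte the receiver has not yet got.

```python
SEG = 500      # bytes per segment (the lesson's 500-byte segment)
WINDOW = 5     # send window in whole segments (the lesson's window of 5)
ISN = 5000     # sequence number of the first data byte (the lesson's example value)


class Receiver:
    """Cumulative acknowledgement: the ACK carries the next byte expected, so it
    stays put behind a gap until the missing segment has been retransmitted."""

    def __init__(self, isn):
        self.next_expected = isn
        self.out_of_order = {}          # seq -> length for segments that arrived after a gap

    def receive(self, seq, length):
        if seq == self.next_expected:
            self.next_expected += length
            while self.next_expected in self.out_of_order:      # absorb buffered segments
                self.next_expected += self.out_of_order.pop(self.next_expected)
        elif seq > self.next_expected:
            self.out_of_order[seq] = length
        return self.next_expected                                 # the ACK value sent back


def simulate(total_segments=6, lose_once=(3,)):
    """Send segments 1..total_segments; those in lose_once are dropped on their first
    transmission. Returns (ACK values the sender saw, segment numbers retransmitted)."""
    rx, lost = Receiver(ISN), set(lose_once)
    acks, retransmitted = [], []
    snd_una, snd_nxt = 1, 1             # oldest unacknowledged / next-to-send segment number

    def transmit(n):
        if n in lost:
            lost.discard(n)             # dropped in transit this time only
            return
        acks.append(rx.receive(ISN + (n - 1) * SEG, SEG))

    while snd_una <= total_segments:
        sent_any = False
        while snd_nxt <= total_segments and snd_nxt < snd_una + WINDOW:
            transmit(snd_nxt)           # everything inside the window goes out unacknowledged
            snd_nxt += 1
            sent_any = True
        if not sent_any:
            retransmitted.append(snd_una)   # timeout: nothing new fits and the oldest is unacked
            transmit(snd_una)
        if acks:
            snd_una = (acks[-1] - ISN) // SEG + 1   # window slides to the first unacked segment
    return acks, retransmitted


def window_categories(snd_una, snd_nxt, window):
    """The lesson's four byte categories from the sender's bookkeeping: snd_una is the
    oldest unacknowledged byte, snd_nxt the next byte to send, window the receiver's size."""
    return {
        "acknowledged_through": snd_una - 1,
        "sent_unacknowledged": (snd_una, snd_nxt - 1),
        "usable_window": (snd_nxt, snd_una + window - 1),
        "not_ready_from": snd_una + window,
    }
```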

In this lesson, you have learned what a TCP Window is, and how the TCP Sliding Window mechanism works.
