
Analysing TCP Headers using Wireshark

From Wikipedia

TCP is used by most applications on the Internet, including the World Wide Web (WWW), e-mail, the File Transfer Protocol, Secure Shell, peer-to-peer file sharing, and streaming media applications.

3-Way Handshake

Handshaking takes place to establish the rules for communication when a computer starts communicating with another device. When a computer talks to a modem, a printer or a network server, it first handshakes with it to establish a connection. In TCP the handshake synchronises the initial sequence numbers of both sides in three steps:

  • Client sends a TCP packet to the server with the SYN flag set.
  • Server responds to the client's request with the SYN and ACK flags set.
  • Client completes the connection by sending a packet with the ACK flag set.

Structure of a TCP segment

The Transmission Control Protocol accepts data from a data stream, splits it into chunks, and adds a TCP header to each chunk, creating a TCP segment. A TCP segment carries only the sequence number of its first byte; the following bytes are numbered implicitly.

A TCP segment consists of a segment header and a data section. The TCP header contains 10 mandatory fields and an optional extension field (the options, padded to a 32-bit boundary).

Source Port: The 16-bit source port number; identifies the sending port.
Destination Port: The 16-bit destination port number; identifies the receiving port.
Sequence Number: The 32-bit sequence number of the first data byte in this segment. If the SYN control bit is set, the sequence number is the initial sequence number (n) and the first data byte is n+1.
Acknowledgment Number: If the ACK control bit is set, this 32-bit field contains the value of the next sequence number that the sender of this segment is expecting to receive.
Data Offset: The length of the TCP header in 32-bit words (5, i.e. 20 bytes, without options; at most 15, i.e. 60 bytes). It indicates where the data begins.
Reserved: Four bits reserved for future use; must be zero. (RFC 793 reserved six bits; RFC 3168 took two of them for the CWR and ECE flags listed below.)
Flags: Eight control bits: CWR, ECE, URG, ACK, PSH, RST, SYN, FIN.
Window: Used in ACK segments. It specifies the number of data bytes, beginning with the one indicated in the acknowledgment number field, that the receiver (the sender of this segment) is willing to accept.
Checksum: The 16-bit one's complement of the one's complement sum of all 16-bit words in a pseudo-header (source and destination IP address, protocol number and TCP length), the TCP header, and the TCP data. While computing the checksum, the checksum field itself is taken as zero.
Urgent Pointer: Points to the first data octet following the urgent data. Only significant when the URG control bit is set.
Options: Just as with IP datagram options, a TCP option can be either:

– a single byte containing only the option kind (End of Option List, kind 0, and No-Operation, kind 1), or

– a variable-length option in the form kind, length, data, where the length byte counts the whole option including the kind and length bytes (for example Maximum Segment Size, kind 2, length 4).

Padding: The TCP header padding is used to ensure that the TCP header ends and the data begins on a 32-bit boundary. The padding is composed of zeros.

Different Types of TCP flags

TCP flags are control bits within the TCP header that specify particular connection states or how a packet should be handled. The flag field of a TCP segment helps us understand the function and purpose of any packet in the connection.

CWR: Congestion Window Reduced. Set by the sending host to show that it received a TCP segment with the ECE flag set and has reduced its congestion window.
ECE: ECN-Echo. During the 3-way handshake it indicates that the TCP peer is ECN capable; afterwards it indicates that a packet with Congestion Experienced set in its IP header was received.
URG: Indicates that the urgent pointer field is significant in this segment.
ACK: Indicates that the acknowledgment field is significant in this segment.
PSH: Push function; asks the receiver to pass the data to the application immediately.
RST: Resets the connection.
SYN: Synchronizes the sequence numbers.
FIN: No more data from the sender.

Analysing a TCP packet using Wireshark

Having read the "structure of a TCP segment" section and its fields above, we now elaborate on them with the help of Wireshark. The reader should be familiar with the 7 layers of the OSI model, so that the TCP packet analysis is clearer.

In the image below you can see that we sniffed the network to capture TCP packets; the packet list clearly shows the time, source IP, destination IP, protocol, packet length and information columns.

As noted above, if you are familiar with the OSI model you can see that Wireshark shows three of its layers: layer 2 (Ethernet), layer 3 (Internet Protocol version 4) and layer 4 (Transmission Control Protocol).

Now let's analyse layer 4 and compare the theory above with the image below, where all fields of the TCP segment are underlined. The TCP header of the first packet reads:

Source Port: 58302

Destination Port: 80

Sequence number: 0

Acknowledgment number: 0

Flags: SYN

Window size value: 29200

Checksum: unverified

Urgent Pointer: 0

Options: 20 bytes

The SYN (synchronize) flag is set to start a TCP connection; this is the first step of the 3-way handshake. The sequence number is shown as 0 because Wireshark displays relative sequence numbers by default (the real initial sequence number is a random 32-bit value, shown only if the "Relative sequence numbers" TCP preference is disabled), and the acknowledgment number is 0 because the ACK flag is not set, so that field is not significant. "Checksum: unverified" means Wireshark did not validate the checksum; validation is off by default, and a capture taken on the sending host can show wrong checksums anyway because the NIC fills them in after the capture point (checksum offloading). The 20 bytes of options in a SYN typically are MSS, SACK-permitted, timestamps, a NOP and window scale; the 12 bytes in later segments are two NOPs plus the timestamp option.

In the image below you can see that the expanded flags field shows only one flag, SYN, set between source port and destination port; the other flags are not set at this moment. The control bit is 1 for each flag that is set in the TCP connection and 0 otherwise.

Packets with only the SYN flag set are also what a SYN scan and a SYN flood send. A SYN scan sends a SYN and reads the answer (SYN/ACK means the port is open, RST means it is closed) and then tears the half-open connection down with a RST instead of completing the handshake. A SYN flood sends many SYNs, often from spoofed sources, and never sends the final ACK, leaving the server holding half-open connections.

As explained above for the three-way handshake, the client first sends a request with the SYN flag and the server then responds with the SYN and ACK flags set. In the following packet we observe exactly that sequence between client and server: the (relative) sequence number is 0 and the acknowledgment number is 1, i.e. the client's sequence number plus one.

Source Port: 58302

Destination Port: 80

Sequence number: 0

Acknowledgment number: 1

Flags: SYN, ACK

Window size value: 42408

Checksum: unverified

Urgent Pointer: 0

Options: 12 bytes

In the expanded flags field you can observe that this time two flags, SYN and ACK, are set and the rest remain unset, or zero; the control bit is 1 for both flags. This is the 2nd step of the 3-way handshake.

In the following packet we find that the sequence number and the acknowledgment number are both 1 (each side's initial sequence number plus one), and the client completes the connection by sending a packet with the ACK flag set. The TCP connection is now established between client and server.

Source Port: 58302

Destination Port: 80

Sequence number: 1

Acknowledgment number: 1

Flags: ACK

Window size value: 229

Checksum: unverified

Urgent Pointer: 0

Options: 12 bytes

In the image below you can observe that the control bit is 1 for the acknowledgment flag; this is the third step of the 3-way handshake between source port and destination port.

Once the 3-way handshake is complete, data can be transferred between client and server; as the last image shows, layer 7 (Hypertext Transfer Protocol) now appears for the data transfer.
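The three steps just walked through, plus the SYN-scan and SYN-flood patterns mentioned earlier, can be checked mechanically. The tracker below is an added example, not code from the original article: it follows one flow's packets in capture order, verifies that each acknowledgment number equals the peer's initial sequence number plus one (the 0 to 1 step seen in the trace), computes the same relative numbers Wireshark displays, and classifies how the handshake ended. The packet records, addresses and sequence numbers are constructed for the demonstration; a real capture would be fed in from a parsed pcap.

```python
from collections import Counter, namedtuple

# One record per captured packet: src/dst are "ip:port" strings, flags are the names Wireshark
# shows, seq/ack are the raw 32-bit values (the relative numbers are derived below).
Packet = namedtuple("Packet", "src dst flags seq ack")
MASK32 = 0xFFFFFFFF


def track_handshake(packets):
    """Follow one flow in capture order and report how the 3-way handshake ended.

    The client is whoever sends the first SYN. Each reply's acknowledgment number must equal
    the peer's initial sequence number + 1, exactly the 0 -> 1 step seen in the article's trace.
    """
    state, client, server, client_isn, server_isn = "LISTEN", None, None, None, None
    for p in packets:
        f = set(p.flags)
        if state == "LISTEN" and f == {"SYN"}:
            client, server, client_isn, state = p.src, p.dst, p.seq, "SYN_SENT"
        elif state == "SYN_SENT" and p.src == server:
            if "RST" in f:                            # closed port: what a SYN scan reports as "closed"
                return {"state": "RESET_BY_SERVER", "client": client, "server": server}
            if f == {"SYN", "ACK"}:
                if p.ack != (client_isn + 1) & MASK32:
                    return {"state": "BAD_ACK", "client": client, "server": server}
                server_isn, state = p.seq, "SYN_RECEIVED"
        elif state == "SYN_RECEIVED" and p.src == client:
            if "RST" in f:                            # half-open scan tearing the connection down
                return {"state": "RESET_BY_CLIENT", "client": client, "server": server}
            if "ACK" in f and not f & {"SYN", "RST", "FIN"}:
                if p.seq != (client_isn + 1) & MASK32 or p.ack != (server_isn + 1) & MASK32:
                    return {"state": "BAD_ACK", "client": client, "server": server}
                return {"state": "ESTABLISHED", "client": client, "server": server,
                        "relative_seq": (p.seq - client_isn) & MASK32,   # what Wireshark displays
                        "relative_ack": (p.ack - server_isn) & MASK32}
    outcome = {"LISTEN": "NO_SYN_SEEN", "SYN_SENT": "NO_RESPONSE", "SYN_RECEIVED": "HALF_OPEN"}[state]
    return {"state": outcome, "client": client, "server": server}


def summarize(packets):
    """Split a capture into flows by endpoint pair and count the handshake outcomes.

    Many HALF_OPEN flows toward one server from many sources is the SYN-flood picture;
    RESET_BY_CLIENT right after the SYN/ACK is the half-open (SYN) scan picture.
    """
    flows = {}
    for p in packets:
        flows.setdefault(frozenset((p.src, p.dst)), []).append(p)
    return Counter(track_handshake(flow)["state"] for flow in flows.values())


# Constructed capture (not the article's): a normal HTTP handshake plus its first data segment,
# a SYN scan of an open port, a probe of a closed port, and five SYN/ACKs that are never acknowledged.
C, S = "192.0.2.10:58302", "198.51.100.80:80"
GOOD = [
    Packet(C, S, ("SYN",), 0x1A2B3C4D, 0),
    Packet(S, C, ("SYN", "ACK"), 0x7E8F9A0B, 0x1A2B3C4E),
    Packet(C, S, ("ACK",), 0x1A2B3C4E, 0x7E8F9A0C),
    Packet(C, S, ("PSH", "ACK"), 0x1A2B3C4E, 0x7E8F9A0C),
]
SCAN = [
    Packet("203.0.113.5:40000", S, ("SYN",), 100, 0),
    Packet(S, "203.0.113.5:40000", ("SYN", "ACK"), 900, 101),
    Packet("203.0.113.5:40000", S, ("RST",), 101, 0),
]
CLOSED = [
    Packet("203.0.113.5:40001", "198.51.100.80:81", ("SYN",), 200, 0),
    Packet("198.51.100.80:81", "203.0.113.5:40001", ("RST", "ACK"), 0, 201),
]
FLOOD = []
for i in range(5):
    spoofed = "203.0.113.%d:5000" % (10 + i)
    FLOOD += [Packet(spoofed, S, ("SYN",), 1000 + i, 0),
              Packet(S, spoofed, ("SYN", "ACK"), 7000 + i, 1001 + i)]

if __name__ == "__main__":
    print(track_handshake(GOOD))
    print(summarize(GOOD + SCAN + CLOSED + FLOOD))
```

The acknowledgment check matters beyond tidiness: a SYN/ACK or final ACK whose number does not match the peer's sequence number plus one is either a broken stack or something injected without seeing the real initial sequence numbers, which is why those numbers are randomised in the first place.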

Source Port: 58302

Destination Port: 80

Sequence number: 1

Acknowledgment number: 1

Flags: PSH, ACK

Window size value: 229

Checksum: unverified

Urgent Pointer: 0

Options: 12 bytes

The push function and the PSH flag tell the receiving TCP to deliver the data to the receiving application right away instead of waiting for more data to fill its buffer. Buffers are implemented on both sides of a TCP connection so that applications can read from and write to the socket at any time.

Here you can observe that the control bit is set to 1 for the PSH and ACK flags, and as a result a new layer appears for the data transfer between the sending application and the receiving application.

When the data packet is expanded we find HTTP header details such as:

Host: google.com

User-Agent: Mozilla/5.0

Finally, the different cookies sent with the request can be observed in the image below.

Source: hackingarticles



Anastasis Vasileiadis

PC Technical || Penetration Tester || Ethical Hacker || Cyber Security Expert || Cyber Security Analyst || Information Security Researcher || Part-Time Hacker || Child Pornography & Sexual Abuse Combat

