TCP is the Transmission Control Protocol, a reliable, connection-oriented layer 4 protocol. TCP uses a three-way handshake to set up a connection across a network, reorders segments that arrive out of order, and retransmits segments that go missing.
Key TCP header fields
- Source and destination port
- Sequence and acknowledgement numbers – keep full-duplex communication in sync (each direction has its own sequence space)
- TCP flags
- Window size – amount of data the receiver is willing to accept before an acknowledgement is required (flow control)
A TCP connection runs from a source port to a destination port.
- Reserved (well-known) – 0 to 1023. Most operating systems require root or administrator privileges to listen on one
- Ephemeral – 1024 to 65535 in these notes. IANA further splits this into registered (1024 to 49151) and dynamic/private (49152 to 65535) ports, and the range a host actually uses for outgoing connections is OS-specific
A socket is the combination of an IP address and a TCP or UDP port. A socket pair (source IP, source port, destination IP, destination port) uniquely identifies a connection between two nodes. A server socket starts in the LISTEN state; the handshake moves the connection through SYN-SENT (client) or SYN-RECEIVED (server) to ESTABLISHED.
- URG : Urgent pointer field is valid; the segment contains urgent data
- ACK : Acknowledgement number field is valid; acknowledges received data
- PSH : Push data to the application layer without waiting to fill a buffer
- RST : Reset (abort) a connection; also sent in reply to a segment for a closed port
- SYN : Synchronise sequence numbers to open a connection
- FIN : Finish (gracefully close) the sender's side of a connection
- CWR : Congestion Window Reduced (ECN, RFC 3168)
- ECE : Explicit Congestion Notification Echo (ECN, RFC 3168)
- NS : Nonce Sum (experimental ECN nonce, RFC 3540, since made historic; rarely seen in practice)
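To make the header fields and flag bits above concrete, here is an added Python example (written for these notes, not code from the original) that builds and decodes a raw TCP header with the struct module. The segments it handles are constructed inline; the checksum is left at zero because computing it needs the IP pseudo-header, which is outside the scope of this section.

```python
import struct

# Flag bits of the 16-bit word that follows the acknowledgement number.
# Bits 15-12 are the data offset (header length in 32-bit words), bits 11-9
# are reserved, then NS, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN.
TCP_FLAGS = {
    "NS":  0x100,
    "CWR": 0x080,
    "ECE": 0x040,
    "URG": 0x020,
    "ACK": 0x010,
    "PSH": 0x008,
    "RST": 0x004,
    "SYN": 0x002,
    "FIN": 0x001,
}

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the 20-byte fixed TCP header plus any options.

    Returns ports, sequence/ack numbers, the set of flags that are on,
    window size, checksum, urgent pointer, options and payload.
    """
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum TCP header")
    (src_port, dst_port, seq, ack,
     offset_flags, window, checksum, urg_ptr) = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (offset_flags >> 12) * 4          # data offset is in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError(f"bad data offset: header length {header_len}")
    flags = {name for name, bit in TCP_FLAGS.items() if offset_flags & bit}
    return {
        "src_port": src_port,
        "dst_port": dst_port,
        "seq": seq,
        "ack": ack,
        "flags": flags,
        "window": window,
        "checksum": checksum,
        "urgent_pointer": urg_ptr,
        "header_len": header_len,
        "options": segment[20:header_len],
        "payload": segment[header_len:],
    }

def build_tcp_header(src_port: int, dst_port: int, seq: int, ack: int, flags: set,
                     window: int, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Build a TCP segment with the named flags set. The checksum is left 0
    (it is computed over an IP pseudo-header, not shown here)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)  # options are padded to 32-bit words
    data_offset = (20 + len(options)) // 4
    flag_bits = 0
    for name in flags:
        flag_bits |= TCP_FLAGS[name]
    offset_flags = (data_offset << 12) | flag_bits
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                         offset_flags, window, 0, 0)
    return header + options + payload

if __name__ == "__main__":
    # Constructed SYN-ACK from port 443 to 51234, seq 2000, ack 1001, window 65535.
    syn_ack = bytes.fromhex("01bbc822000007d0000003e95012ffff00000000")
    print(parse_tcp_header(syn_ack))
    # SYN carrying an MSS option (kind 2, length 4, MSS 1460).
    syn = build_tcp_header(51234, 443, 1000, 0, {"SYN"}, 65535, options=b"\x02\x04\x05\xb4")
    print(parse_tcp_header(syn))
```

The `struct` format `!HHIIHHHH` spells out the fixed header in network byte order: two 16-bit ports, two 32-bit sequence numbers, then the offset/flags word, window, checksum and urgent pointer. Splitting the offset from the flag bits is where most hand-written parsers go wrong; the check on `header_len` also catches segments whose data offset points past the end of the captured bytes.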
TCP uses a three way handshake to establish a reliable connection.
The client chooses an initial sequence number (ISN) and sends it in the SYN; the server chooses its own ISN and sends it in the SYN-ACK, acknowledging the client's ISN + 1. The client's final ACK acknowledges the server's ISN + 1. Because a SYN consumes one sequence number, each side's acknowledgement number is the next sequence number it expects from the other side, and after the handshake it advances by the number of payload bytes received. A gap between what the receiver expects and the sequence number of an arriving segment reveals a missing or out-of-order segment. Once the connection is established, data segments (often with PSH set) are acknowledged with ACKs, and the connection ends with a FIN exchange (graceful) or an RST (abort).
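The sequence and acknowledgement arithmetic described above, as an added Python example (not code from the original notes). It models both sides of the handshake with fixed, illustrative ISNs (real stacks choose them unpredictably, see RFC 6528), then shows a receiver holding an out-of-order segment and repeating its acknowledgement until the gap is filled. The payload chunks are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Segment:
    src: str
    dst: str
    flags: frozenset
    seq: int
    ack: int
    payload: bytes = b""

def three_way_handshake(client_isn: int, server_isn: int) -> list[Segment]:
    """The three segments of a handshake for the given initial sequence
    numbers. A SYN consumes one sequence number, so each side acknowledges
    the other's ISN + 1. The fixed ISNs are for illustration only."""
    syn = Segment("client", "server", frozenset({"SYN"}), seq=client_isn, ack=0)
    syn_ack = Segment("server", "client", frozenset({"SYN", "ACK"}),
                      seq=server_isn, ack=client_isn + 1)
    ack = Segment("client", "server", frozenset({"ACK"}),
                  seq=client_isn + 1, ack=server_isn + 1)
    return [syn, syn_ack, ack]

class Receiver:
    """Receive side of one direction of an established connection.

    rcv_nxt is the sequence number of the next byte expected and is what goes
    in the acknowledgement number. A segment starting beyond rcv_nxt is held
    (something before it is missing or late); a segment starting at rcv_nxt is
    delivered, followed by any held segments that now fit. Repeating the same
    ACK number is how the sender learns that a segment did not arrive."""

    def __init__(self, initial_rcv_nxt: int):
        self.rcv_nxt = initial_rcv_nxt
        self.held: dict[int, bytes] = {}
        self.delivered = bytearray()

    def receive(self, seg: Segment) -> int:
        if seg.seq < self.rcv_nxt:
            # Retransmission of data already delivered: just re-ACK
            # (partial-overlap trimming omitted for brevity).
            return self.rcv_nxt
        if seg.seq > self.rcv_nxt:
            self.held[seg.seq] = seg.payload   # out of order: hold it, send a duplicate ACK
            return self.rcv_nxt
        self._deliver(seg.payload)
        while self.rcv_nxt in self.held:       # the gap is filled; release what was waiting
            self._deliver(self.held.pop(self.rcv_nxt))
        return self.rcv_nxt

    def _deliver(self, data: bytes) -> None:
        self.delivered += data
        self.rcv_nxt += len(data)

def simulate_reordered_request(client_isn: int = 1000,
                               server_isn: int = 5000) -> tuple[list[int], bytes]:
    """Handshake, then three client data segments of which the second arrives
    last. Returns the ACK numbers the server sends and the bytes it delivered
    to the application, in order."""
    hs = three_way_handshake(client_isn, server_isn)
    server = Receiver(hs[2].seq)               # after the handshake the server expects client_isn + 1
    chunks = [b"GET /", b" HTTP/1.1", b"\r\n\r\n"]   # constructed payload, not a capture
    segs, seq = [], client_isn + 1
    for chunk in chunks:
        segs.append(Segment("client", "server", frozenset({"PSH", "ACK"}),
                            seq=seq, ack=server_isn + 1, payload=chunk))
        seq += len(chunk)
    arrival_order = [segs[0], segs[2], segs[1]]   # second segment is delayed
    acks = [server.receive(s) for s in arrival_order]
    return acks, bytes(server.delivered)

if __name__ == "__main__":
    for s in three_way_handshake(1000, 5000):
        print(f"{s.src} -> {s.dst} {sorted(s.flags)} seq={s.seq} ack={s.ack}")
    print(simulate_reordered_request())
```

The second ACK the server returns repeats the first one: the third segment arrived before the second, so the server keeps acknowledging the byte it is still missing. That duplicate ACK, not a timer, is what lets a sender retransmit quickly when only one segment is lost.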
User Datagram Protocol (UDP) is a layer 4 protocol that is simpler and faster than TCP. It is connectionless: no handshake, no session state and no reliability (no acknowledgements or retransmission). Its 8-byte header contains only source port, destination port, length and checksum.
Internet Control Message Protocol (ICMP) is a helper protocol for layer 3 (IP protocol number 1), used for error reporting and diagnostics. It has no ports; messages are identified by a type and a code.
Ping sends ICMP Echo Request (type 8) messages to a node and listens for Echo Replies (type 0). It can be used to map networks (a ping sweep). An unanswered ping does not mean a host is down: firewalls and host filters commonly drop ICMP echo.
Traceroute uses ICMP Time Exceeded messages (type 11, code 0) to discover the path to a destination. It sends probes with a TTL starting at 1 and incrementing by one. Each router along the path decrements the TTL; the router that decrements it to zero discards the probe and returns a Time Exceeded message, which reveals that router's address. The loop stops when the destination itself answers.
– Cisco and UNIX variants send UDP probes outbound to a high, normally unused port; the destination replies with ICMP Port Unreachable (type 3, code 3)
– Windows tracert sends ICMP Echo Request probes outbound; the destination replies with an Echo Reply
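As an added example for the ping and traceroute notes above (written here, not part of the original), the following Python builds ICMP messages with a correct RFC 1071 checksum, verifies received ones, and classifies a traceroute reply differently depending on whether the probes were UDP (UNIX/Cisco style) or ICMP echo (Windows style). All messages are constructed in the code; nothing is sent on the network.

```python
import struct

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11

def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's-complement sum of the
    16-bit words. ICMP computes it over the whole message with the checksum
    field zeroed; summing a correct message including its checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"                               # odd length: pad with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                                # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(itype: int, code: int, rest: bytes, body: bytes = b"") -> bytes:
    """Generic ICMP message: type, code, checksum, a 4-byte type-specific
    field ("rest of header"), then the body, with the checksum filled in."""
    if len(rest) != 4:
        raise ValueError("rest-of-header field must be exactly 4 bytes")
    csum = inet_checksum(struct.pack("!BBH", itype, code, 0) + rest + body)
    return struct.pack("!BBH", itype, code, csum) + rest + body

def build_icmp_echo(identifier: int, sequence: int, payload: bytes = b"",
                    reply: bool = False) -> bytes:
    """Echo Request (type 8) or Echo Reply (type 0), as used by ping."""
    itype = ICMP_ECHO_REPLY if reply else ICMP_ECHO_REQUEST
    return build_icmp(itype, 0, struct.pack("!HH", identifier, sequence), payload)

def build_icmp_error(itype: int, code: int, original_datagram: bytes) -> bytes:
    """Error message (Time Exceeded, Destination Unreachable). The rest-of-header
    field is unused (zero) and the body carries the offending IP header plus at
    least the first 8 bytes of its payload, which is how traceroute matches a
    reply to the probe that triggered it."""
    return build_icmp(itype, code, b"\x00" * 4, original_datagram[:28])

def parse_icmp(msg: bytes) -> dict:
    """Split an ICMP message and verify its checksum."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    itype, code = struct.unpack("!BB", msg[:2])
    return {"type": itype, "code": code, "checksum_ok": inet_checksum(msg) == 0,
            "rest": msg[4:8], "body": msg[8:]}

def classify_traceroute_reply(msg: bytes, probe: str) -> str:
    """Interpret an ICMP reply to a traceroute probe.
    probe is "udp" (UNIX/Cisco style) or "icmp" (Windows tracert style)."""
    p = parse_icmp(msg)
    if not p["checksum_ok"]:
        return "corrupt"
    if p["type"] == ICMP_TIME_EXCEEDED and p["code"] == 0:
        return "hop"             # an intermediate router: TTL expired in transit
    if probe == "icmp" and p["type"] == ICMP_ECHO_REPLY:
        return "destination"     # only the target answers an echo request
    if probe == "udp" and p["type"] == ICMP_DEST_UNREACH and p["code"] == 3:
        return "destination"     # port unreachable: the probe reached the target host
    return f"other (type {p['type']} code {p['code']})"

if __name__ == "__main__":
    # Constructed stand-in for the IP header + 8 bytes of a UDP probe.
    probe = b"\x45" + b"\x00" * 27
    print(parse_icmp(build_icmp_echo(0x1234, 1)))
    print(classify_traceroute_reply(build_icmp_error(11, 0, probe), "udp"))
    print(classify_traceroute_reply(build_icmp_error(3, 3, probe), "udp"))
    print(classify_traceroute_reply(build_icmp_echo(7, 2, reply=True), "icmp"))
```

A hop that never answers produces no message at all, so the "corrupt" and "other" results are the only negative signals this code can give; the silence of a filtering router has to be handled by the caller's timeout, which is exactly why traceroute output shows `* * *` for some hops.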
Application Layer TCP/IP Protocols and Concepts
Telnet provides terminal emulation over a network and listens on TCP port 23. It is considered weak because it provides no confidentiality or integrity: credentials and session contents cross the network in cleartext. SSH is the recommended replacement.
File Transfer Protocol (FTP) is used to transfer files to and from servers over TCP. It has no confidentiality or integrity (credentials and data are sent in cleartext).
- Active FTP – client:1025 to server:21 (control connection) and server:20 to client:1026 (data connection, to the port the client announced with a PORT command). The server-initiated data connection breaks the usual client-to-server flow and is blocked by most client-side firewalls
- Passive FTP – client:1025 to server:21 (control connection) and client:1026 to server:1025 (data connection). The server's reply to PASV tells the client which address and port to connect to, so both connections are outbound from the client and pass stateful firewalls cleanly; the server-side firewall must allow the server's passive port range
Trivial File Transfer Protocol (TFTP) uses UDP port 69 and is used to transfer router configurations and firmware or to bootstrap diskless workstations over the network. It has no authentication, confidentiality or integrity.
Secure Shell (SSH) was designed as a secure replacement for cleartext remote access and file transfer protocols such as Telnet, rlogin/rsh and FTP. SSH includes SFTP and SCP and can tunnel other protocols. It listens on TCP port 22. SSHv1 was vulnerable to man-in-the-middle attacks and has other known cryptographic weaknesses, so SSHv2 is the recommended version.
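The active versus passive FTP point above is easiest to see by decoding the port negotiation itself. This added Python example (not from the original notes) parses the `h1,h2,h3,h4,p1,p2` field used by both the PORT command and the 227 reply, computes the data port, and reports which side opens the data connection and how the client's firewall sees it. The FTP lines and addresses are constructed for the example.

```python
from __future__ import annotations
import re

# Both PORT and the 227 reply carry the address and port as six decimal
# octets: four for the IP address, two for the port (high byte, low byte).
_HOST_PORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_host_port(text: str) -> tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 field from a PORT command or a
    227 (Entering Passive Mode) reply. The port is p1 * 256 + p2."""
    m = _HOST_PORT.search(text)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 field in: {text!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"value out of range in: {text!r}")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def data_connection(client_ip: str, server_ip: str, mode: str, line: str) -> dict:
    """Work out who opens the FTP data connection and how a firewall sees it.

    mode "active":  `line` is the PORT command the client sent; the server
                    will connect from its port 20 to the address it names.
    mode "passive": `line` is the 227 reply the server sent; the client will
                    connect from a fresh ephemeral port to the address it names.
    """
    host, port = decode_host_port(line)
    if mode == "active":
        return {
            "initiator": "server",
            "from": (server_ip, 20),
            "to": (host, port),
            "client_firewall_sees": "inbound",
            # A PORT command naming some other host would have the server open
            # a connection to a third party; a firewall or FTP ALG should only
            # permit data connections back to the client itself.
            "target_is_client": host == client_ip,
        }
    if mode == "passive":
        return {
            "initiator": "client",
            "from": (client_ip, "ephemeral"),
            "to": (host, port),
            "client_firewall_sees": "outbound",
            # A server behind NAT may advertise its private address here; flag
            # the mismatch rather than silently connecting to it.
            "target_is_server": host == server_ip,
        }
    raise ValueError(f"unknown mode {mode!r}")

if __name__ == "__main__":
    client, server = "10.0.0.5", "192.168.1.10"   # constructed addresses
    print(data_connection(client, server, "active", "PORT 10,0,0,5,4,2"))
    print(data_connection(client, server, "passive",
                          "227 Entering Passive Mode (192,168,1,10,4,1)"))
```

The same six-octet encoding appears in both directions, which is why a stateful firewall with an FTP application-layer gateway has to read the control channel: without it, the active-mode connection from server port 20 looks like an unsolicited inbound connection and is dropped, exactly the behaviour the notes describe.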
SMTP, POP3 and IMAP
- SMTP – Simple Mail Transfer Protocol, used to transfer email between servers (and from clients to their submission server). Listens on TCP port 25; client submission normally uses 587 (STARTTLS) or 465 (implicit TLS)
- POP3 – Post Office Protocol version 3, used by clients to retrieve mail from a server over TCP port 110 (995 with TLS)
- IMAP – Internet Message Access Protocol, used by clients to access and manage mail on a server over TCP port 143 (993 with TLS)