Network Traffic Analysis for IR: TCP Protocol with Wireshark

Introduction to TCP

The Transmission Control Protocol (TCP) is one of the most commonly-used protocols on the internet. Unlike the User Datagram Protocol (UDP), TCP is not a “fire and forget” protocol. TCP tracks the packets that are sent, confirms that they are received and retransmits copies if necessary.

As a result, TCP is ideally suited to applications that need a high level of reliability in their communications channels. A common use of TCP is carrying hypertext transfer protocol (HTTP) packets that make requests for and serve web pages.

TCP in Wireshark

TCP differs from other protocols since it is intended to provide reliable data transfer. As a result, a TCP communication is very formalized, using several different types of packets denoted by different TCP flags. A TCP communications channel is set up using the TCP handshake and provides a number of guarantees to the sender and recipient.

TCP flags

One of the primary differentiators between TCP and UDP packet is the use of flags in TCP. Like ICMP types and codes, TCP flags describe the purpose of the packet. The TCP flags are:

  • SYNchronization: Request a connection
  • ACKnowledgement: Acknowledges receipt of a packet
  • FINish: Gracefully closes a connection
  • ReSeT: Immediately terminates a connection
  • PuSH: Tells recipient to immediately process a packet (instead of buffering)
  • URGent: Process a packet before all other packets

Different types of packets are used at different times within the TCP session. Some are intended to be used a set time during the connection (like SYN and FIN), others are used throughout (like ACK) and the rest are used only in unusual scenarios (RST, PSH and URG).

TCP connections and use of flags is very formulaic. However, it is possible to abuse flags. A common reason to abuse flags is in scanning since different operating systems (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/zMUoFJWpa1o/