B5 – TCP Analysis - First Steps
Jasper Bongertz, Senior Consultant Airbus Defence and Space
About this presentation file
Since this presentation contains a lot of animated slides I decided against converting it to a static PDF and offering that for the Sharkfest retrospective page. Instead, you get the PPT, so you can watch stuff happen in presentation mode.
Use the slides in your own trainings if you like. If you do, don‘t forget to mention where you got them from – it was a lot of work creating these
Cheers,
Jasper
Agenda
• Basics of managing Data Transfers
• The Sliding Window
• Packet Loss - „when things go wrong“
Basics of managing Data Transfers
Basics of managing data transfers
1. Application data is segmented into small chunks before transfer
(diagram: one block of application data cut into segments)
Basics of managing data transfers
2. Successful transfer of the segmented data is not guaranteed by the physical network...
Basics of managing data transfers
3. ...so let‘s number those segments and confirm which ones were received...
(diagram: segments 1 2 3 4 5 are sent, confirmations 1 2 3 have come back so far)
Basics of managing data transfers
• Question: is numbering the packets good enough to ensure everything is fine?
• Answer: unfortunately not...
• ...because we only know that a certain segment was received, but not whether it arrived complete
Basics of managing data transfers
How about this?
Sender → Receiver: #1 Len 100
Receiver → Sender: Got #1 Len 100
Can we improve that further?
Basics of managing data transfers
So let‘s see how TCP does it:
The confirmation is the number of contiguous bytes received so far (meaning: no gaps), so a single number covers both „which segment“ and „how much of it“
Sender → Receiver: Start at 0, Len 100
Receiver → Sender: Got 100
Sender → Receiver: Start at 100, Len 100
Receiver → Sender: Got 200
TCP Sequence and Acknowledge
• The „Start at“ number is called „Sequence Number“
• The „Got it“ number is called „Acknowledgement“
• This is how it looks in Wireshark:
• So what‘s the correct ACK number?
TCP Session Start
• Before exchanging data, TCP needs to establish the session
• „Three Way Handshake“: SYN -> SYN/ACK -> ACK
• ** Special rule: the SYN flag counts as 1 byte, so the ACK answering a SYN is the SYN‘s sequence number + 1 **
Sharkfest 2014
It‘s Wireshark time
• First, let‘s turn off TCP reassembly (Edit -> Preferences -> Protocols -> TCP, untick „Allow subdissector to reassemble TCP streams“), so that every segment is shown on its own instead of being folded into the reassembled application PDU:
Demo
Initial Sequence Numbers
• Wireshark displays „Relative Sequence Numbers“ by default
• In reality, the initial sequence number (ISN) is random; a predictable ISN would let an off-path attacker guess the sequence numbers and inject or spoof segments into someone else‘s connection
• It can be anything between 0 and 2^32 - 1:
• 0 - 4294967295
Relative Sequence Numbers
• You can turn them on and off in the TCP preferences:
Sequence Numbers – The Rules
1. Each TCP sequence starts with a random number (the ISN), separately for each direction
2. It is increased by 1 for each byte transmitted (and wraps around to 0 after 4294967295)
3. SYN and FIN flags count as 1 Byte („Phantom Byte“)
Okay, let‘s see...
Client → Server: SYN, SeqNo = 100,000
Server → Client: SYN/ACK, SeqNo = 500,000, AckNo = 100,001
Client → Server: ACK, SeqNo = 100,001, AckNo = 500,001
Client → Server: 80 bytes data, SeqNo = 100,001
Server → Client: ACK, SeqNo = 500,001, AckNo = 100,081
Additional things to consider
• Every direction tracks its own sequence number
• Relative sequence numbers can fool you because they may look similar for both directions
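The sequence number rules above, as an added example that is not part of the original slides: a few Python helpers that apply the three rules (random ISN, one number per byte, SYN/FIN phantom byte) with 32-bit wraparound, compute Wireshark-style relative sequence numbers, and replay the handshake plus the 80-byte transfer from the diagram to work out the ACK number each side must send. The direction labels, function names and the segment list are the editor‘s own; the numbers are the ones on the slide.

```python
# Added example (not from the Sharkfest slides): TCP sequence/ACK arithmetic
# following the three rules above. All names and the segment list below are
# the editor's own; the numbers come from the handshake diagram on the slide.
MOD = 2 ** 32   # the sequence number field is 32 bits wide


def next_seq(seq, payload_len=0, syn=False, fin=False):
    """First sequence number the sender may use after this segment.

    Rule 2: +1 per payload byte. Rule 3: SYN and FIN each consume one
    "phantom" byte. Everything wraps modulo 2^32 because the field is 32
    bits, which is why absolute numbers must always be compared mod 2^32.
    """
    return (seq + payload_len + int(syn) + int(fin)) % MOD


def relative(seq, isn):
    """Wireshark's 'relative sequence number': distance from the ISN, mod 2^32."""
    return (seq - isn) % MOD


def replay(segments):
    """Walk a list of segments and compute the ACK number the peer must answer
    with, i.e. the next byte it expects. Each direction has its own sequence
    space (rule 1), so one expectation is kept per direction.

    segments: dicts with 'dir' ('A->B' or 'B->A'), 'seq', and optional
    'len', 'syn', 'fin'. Returns a list of (dir, seq, expected_ack).
    Raises if a segment's seq is not what the receiver expects, which in a
    capture means a gap (missing packets) or a retransmission.
    """
    expected = {}
    out = []
    for s in segments:
        d = s['dir']
        if d in expected and s['seq'] != expected[d]:
            raise ValueError(f"{d}: seq {s['seq']} but {expected[d]} expected")
        nxt = next_seq(s['seq'], s.get('len', 0),
                       s.get('syn', False), s.get('fin', False))
        expected[d] = nxt
        out.append((d, s['seq'], nxt))
    return out


# The exchange from the slide, with the slide's absolute ISNs 100,000 and 500,000.
HANDSHAKE = [
    {'dir': 'A->B', 'seq': 100_000, 'syn': True},   # SYN
    {'dir': 'B->A', 'seq': 500_000, 'syn': True},   # SYN/ACK, AckNo 100,001
    {'dir': 'A->B', 'seq': 100_001},                # ACK, AckNo 500,001 (0 bytes: seq unchanged)
    {'dir': 'A->B', 'seq': 100_001, 'len': 80},     # 80 bytes of data
    {'dir': 'B->A', 'seq': 500_001},                # ACK, AckNo 100,081
]

if __name__ == '__main__':
    for d, seq, ack in replay(HANDSHAKE):
        isn = 100_000 if d == 'A->B' else 500_000
        print(f"{d}  seq={seq}  peer must ACK {ack}  (relative seq {relative(seq, isn)})")
```

The bare ACK in step three carries no data and no SYN, so it does not advance the client‘s sequence number: the data segment that follows starts at 100,001 as well. That is the detail the „what‘s the correct ACK number?“ question on the earlier slide is probing.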
The Sliding Window
Positive Ack with Retransmission
• It is not very efficient to send single packets back and forth:
(diagram: segments 1 2 3 4 5 sent one at a time, each waiting for its own confirmation before the next one goes out; confirmations 1 2 3 have come back so far)
Instead, send more...
Receiver → Sender: Send me a maximum of 200 bytes at once!
Sender → Receiver: Start at 0, Len 100
Sender → Receiver: Start at 100, Len 100
Receiver → Sender: Got 200
Instead, send more...
Receiver → Sender: Send me a maximum of 200 bytes at once!
Sender → Receiver: Start at 200, Len 100
Sender → Receiver: Start at 300, Len 100
Receiver → Sender: Got 400
Demo
TCP Window Size
• The TCP window size is a major throughput factor and a congestion indicator: the sender may never have more than one window of unacknowledged data in flight
• Look for „Calculated window size“ to read the current value; it is the raw window field multiplied by the scale factor from the Window Scale option of the handshake. If the SYN/SYN-ACK is not in the capture, Wireshark cannot know the factor and the calculated value is only the unscaled field
Insufficient TCP window size
• A small window can slow down the transmission:
(diagram)
Client → Server: HTTP GET, Winsize = 4k
Server → Client: 4k of response data, then waiting for the ACK
Client → Server: ACK
Performance Problems
• The TCP Window is a great help for locating congested servers and clients
• If a computer sends very low window sizes, or window sizes of zero, it may be in trouble
  • Hardware apparently not fast enough to cope with the incoming packets: the receive buffer is full because the application is not draining it
• Exceptions:
  • Reset packets -> normally carry a window size of zero, which means nothing
  • Busy servers that do not receive much, e.g. news tickers, often have low window sizes
Packet Loss – When things go wrong
First, everything looks good
Receiver → Sender: Send me a maximum of 200 bytes at once!
Sender → Receiver: Start at 0, Len 100
Sender → Receiver: Start at 100, Len 100
Receiver → Sender: Got 200
Then something goes wrong...
Sender → Receiver: Start at 200, Len 100 (lost on the way)
Sender → Receiver: Start at 300, Len 100
Receiver → Sender: Got 200 (still waiting for byte 200; the segment starting at 300 is kept)
Retransmission
Sender → Receiver: Start at 200, Len 100
Receiver → Sender: Got 400 (the gap is closed, so the buffered segment at 300 is covered by the same ACK)
Demo
TCP Retransmissions
• Retransmissions happen in every network
• Different ways to trigger a retransmission:
  • By timeout (the retransmission timer, RTO, expires)
  • By triple duplicate ACK (fast retransmit)
  • By Selective Acknowledgement (SACK), which tells the sender exactly which blocks are missing
• Most important aspect: how much time do they cost? A timeout costs far more than a fast retransmit, so look at the delta time in front of each retransmission
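The sliding-window diagrams („send me a maximum of 200 bytes at once“), the packet-loss diagrams and the retransmission triggers listed above, as one added example that is not part of the original slides: a toy sender/receiver pair in Python. The receiver keeps the cumulative ACK and buffers out-of-order segments; the sender fills the advertised window once per round trip, counts duplicate ACKs, fast-retransmits on the third one and otherwise falls back to a timeout. It replays the slide scenario (window 200, segment 200 lost) and reports how many round trips the transfer took. Sequence numbers are relative and start at 0 with no SYN phantom byte, as on the slides; the loss injection, the one-round-trip-per-flight model and all names are the editor‘s assumptions, and SACK is not modelled.

```python
# Added example (not from the Sharkfest slides): a toy sender/receiver pair that
# replays the sliding-window and packet-loss diagrams above. Relative sequence
# numbers start at 0 and there is no SYN phantom byte, as in the diagrams.
# Losses are injected through the `drop` set; everything here is constructed
# by the editor, not captured traffic.


class Receiver:
    """Tracks the cumulative ACK: the number of contiguous bytes received."""

    def __init__(self):
        self.next_expected = 0
        self.out_of_order = {}      # seq -> length, held while a gap is open

    def receive(self, seq, length):
        """Accept one segment and return the ACK number to send back."""
        if seq + length <= self.next_expected:
            return self.next_expected        # already have it: a pure duplicate
        self.out_of_order[seq] = length
        # slide forward over every contiguous segment now held (no gaps)
        while self.next_expected in self.out_of_order:
            self.next_expected += self.out_of_order.pop(self.next_expected)
        return self.next_expected


def transfer(total, seg_len, window, drop=()):
    """Send `total` bytes in `seg_len` chunks, at most `window` bytes in flight.

    One iteration of the outer loop is one round trip: a flight of segments
    goes out, then their ACKs come back. A seq listed in `drop` is lost on its
    first transmission only. Returns (events, rounds, retransmissions) where
    events are (kind, seq, ack) and kind is data/lost/fast-retransmit/rto.
    """
    rx, lost = Receiver(), set(drop)
    events, rounds, retrans = [], 0, 0
    snd_una = snd_nxt = 0       # oldest unACKed byte / next new byte to send
    dup_acks = 0

    def send(seq, kind):
        nonlocal retrans
        if kind != 'data':
            retrans += 1
        elif seq in lost:
            lost.discard(seq)
            events.append(('lost', seq, None))
            return None
        ack = rx.receive(seq, min(seg_len, total - seq))
        events.append((kind, seq, ack))
        return ack

    while snd_una < total:
        rounds += 1
        acks = []
        while snd_nxt < total and snd_nxt - snd_una < window:   # fill the window
            ack = send(snd_nxt, 'data')
            if ack is not None:
                acks.append(ack)
            snd_nxt += min(seg_len, total - snd_nxt)
        before = snd_una
        for ack in acks:                    # ACKs for this flight arrive
            if ack > snd_una:
                snd_una, dup_acks = ack, 0
            elif ack == snd_una:            # duplicate ACK: receiver still waits
                dup_acks += 1
                if dup_acks == 3:           # triple dup ACK triggers fast retransmit
                    snd_una, dup_acks = send(snd_una, 'fast-retransmit'), 0
            # ack < snd_una: stale ACK overtaken by a retransmission, ignore
        if snd_una == before and snd_una < total:
            # a whole RTT without progress and too few dup ACKs: only the
            # retransmission timer (RTO) can recover the lost segment
            snd_una, dup_acks = send(snd_una, 'rto'), 0
    return events, rounds, retrans


if __name__ == '__main__':
    for ev in transfer(400, 100, 200, drop={200})[0]:   # the slide scenario
        print(ev)
```

With the slide‘s window of 200 there is only one segment behind the lost one, so the receiver produces a single duplicate „Got 200“ and the sender has to wait for the timeout: that is the expensive case. Run the same loss with a window of 800 (`transfer(800, 100, 800, drop={100})`) and the later segments produce three duplicate ACKs, the gap is filled by fast retransmit within the same round trip, and the whole transfer still completes in one round. Comparing `rounds` between the two runs is the „how much time do they cost?“ question in miniature.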
Thanks! Questions?
eMail: [email protected]
Blog: blog.packet-foo.com
Twitter: @packetjay