 We have a virtual network of three Linux nodes Node 1 and node 2 on the same subnet, node 2 and 3 on a separate subnet so node 2 is the router in our internet and we're going to look at the operation of a simple TCP connection between node 1 and node 3 and we want to look at how that connection is set up, how the data is transferred and the connection is closed. And to do that we're going to use a client server application on 1 and 3 and we'll use netcat NC is the command for short We've seen it in a previous example using netcat in UDP mode. Now we use it in TCP mode TCP is the transport protocol So what we do is we start the netcat server on node 3 and We use NC short for netcat and as a server with netcat We use minus L option to tell it to act as a server and listen on a particular port number And we can choose a port number. I will choose one two three four six. We use one two three four five in UDP We could use the same Generally it needs to be one larger than one thousand and twenty four and less than about sixty five thousand there are some exceptions if the port numbs already in use but this will start netcat as a server and It automatically starts or by default starts in TCP mode So this will start in TCP mode if we want UDP mode We add the minus U option that we want TCP so we don't need any other options We start the netcat server Now we're going to capture the communications between client and server. So let's start capturing now on the router using TCP dump We want to capture on interface ETH one We don't want to convert IP addresses to domain names and we want to write to a file Let's call it nctcp1.pcap and The password is network. So now we're recording everything that goes through node two So now we'll start the client on node one and That should connect to the server on node three and The packets involved in that connection setup should be captured and then we'll exchange the data To start the client on node one we use netcap and client mode We specify the address of the server 192.168.2.21 is node three and The port number used by the server the one we chose on node three We connect and now what we type can be sent So hello node three Let's just see As we type on the client the text is sent to node three and displayed Here is my my new secret If I can spell We're trying to send a secret across the network across the internet from node one to node three We don't want anyone else to see that secret And then we say goodbye So there was some data exchange between node one and node three and And we can close the connection and what we'll do on node one is I'll press control D Control D Gracefully closes that connection and you see that the server automatically closed as well Notice when we use UDP mode we had to separately close the server and client But with TCP because TCP creates its own connection if we close one endpoint It'll automatically close another endpoint. Let's Stop our capture control C to stop our capture on node two. They were 18 packets captured. We have our Capture file on node two. So what we want to do is use filezilla to copy that to my windows host And then we'll look at it in Y-Shark I'll connect to node two download the capture file and Now I'll open that capture file in Y-Shark Here we see the captured packets There are 18 packets note that a few of them are ARP packets Let's just focus on the TCP packets So let's filter out and show just the TCP packets I'll type as a filter TCP And let's have a brief run-through of those remaining 14 TCP packets and see the basics of how TCP works Remember what we did is we sent really four separate messages from client to server I typed in four lines and we'll see in a moment that that correspond to four messages being sent TCP unlike UDP Creates a connection Before we transfer any data So we look at the very first packet sent from node one to node three client to server There's many details about the TCP segment But let's just focus on these Values in the square brackets because they summarize the meaning of this TCP segment in TCP header, there's a series of flags and with one of those flags is set then the meaning Or then then that segment has a particular meaning or purpose And Really we refer to it as some name segment so In this first TCP segment the sin flag is set really we think of this segment as a sin segment Sin or syn is short for synchronize The idea in TCP is that before we transfer data we set up a connection and One aspect of setting up that connection is synchronizing some sequence numbers. We're going to use in the data transfer So this very first segment we see is the let's is the client saying to server Let's synchronize our sequence numbers to set up a connection We'll look at the details of the segment in a moment, but let's just go through the next few frame number two is a TCP segment from Server back to client so it's a response and note the sin flag is set So it's also a sin segment. It's the server saying to the client. Yes Let's or it's saying let's synchronize the sequence numbers in this direction of communications We'll see shortly When we set up a TCP connection, we can send data in both directions client to server server to client So we actually use independent sequence numbers for each direction So the second frame is the server telling the client. Let's synchronize sequence numbers Really it proposes an initial sequence number, but we also see that this Second TCP segment has a second purpose. It's an act or an acknowledgment segment And the act is saying I acknowledge the sin segment that you just sent me So segment one client sends a synchronized segment to the server segment two The server sends a synchronized segment back to the client and That segment is also acknowledging the first sin received The third segment is from the client to the server And it's the client acknowledging the sin received from the server And these first three segments are commonly seen in the setting up of a connection in TCP We see a sin a syn act an act Let's try and illustrate that we have Node one communicating with node three We will not draw node two the router even though the messages go via the router will focus on the the client and server so We have Some set up of a connection where we involve sending Sin segment from client to server Saying I want to synchronize sequence numbers the server sends back an act saying thank you for that sin segment I agree with the value you proposed But it also sends its own Sin segment proposing its own sometimes we write sin plus act This second segment has two purposes Acknowledge the first and propose a new initial sequence number for the direction of communications from client to server Then the third Is This client saying I acknowledge the sin that you just sent me this is Uh, the tcp connection set up sometimes referred to as a three-way handshake It takes three steps to agree upon those values And at that point we say the tcp connection is set up between client and server and now we can start transferring data Let's go back to wireshark and look at the the next segment from client to server PSH is sure for push And in this case we'll common commonly see the push segment meaning Send the data in this segment directly to the application as fast as possible Uh, maybe the simplest way to interpret it or to uh in in this case is that this segment contains data And the best way to confirm that if we look inside the segment We have the ethernet header IP header tcp header and then the actual data And we see down in the the hexadecimal or the binary The ascii interpretation of that data those 12 bytes is the message that I typed in hello node 3 So this is the actual data segment It's uses the push flag But what I interpret this segment as is one containing data and when I draw it I'll illustrate that so there we have a segment going from client to server and That segment contains data And the data in this case was the data one I'll just type data one But it was a hello node what I typed in hello node 3 Coming back to wireshark Note that that data segment also contains an act and this can get a bit confusing And in fact if we look through all the subsequent segments There are acts included And we normally interpret the act as saying thank you for the previous segment you sent me. I now expect some more well It's common that in a tcp implementation will act every segment and just to confirm that We've already received the previous one Even in this case, we haven't received any data yet. We still send an act It takes a lot more time to explain how the acknowledgement numbers and sequence numbers work You you need to study tcp and flow control and congestion control to get the details of that But for now we'll interpret this this fourth segment in our list as a data segment It contained hello node 3 or the first piece of data The next segment from server to client Does not contain any data. We see in wireshark. There's no data field. There's no push segment It's just an act And this is saying from the server. Thank you for the data you just sent me I now expect some more So if we draw that This is an act coming back. There's no data in this segment. It's just a small segment Acknowledging the previous data received And then it continues the next segment from client to server more data. Here is my new secret Then an act Data Containing the password And then an act data act I'll just draw One of those Not all four just draw a second one Let's say data to the second piece of data whatever it was and then That was acknowledged as well And we can continue and as we've got data to to exchange and Although this example doesn't show we can be sending data in the direction from client from server to client tcp allows data to go in both directions doesn't matter who sets up the connection Velocity segments remember I press control d on the client And that triggers The client to initiate the closing of the connection And there's a special fin segment to say I want to finish the connection The client says I want to finish The service says I acknowledge that and I want to finish as well And then the client also finally acknowledges the fin that was sent and We'll draw that We can think that there's fin segment Saying the client wants to finish And it's quite unique in that tcp What can actually happen one side of the The party's communicating can finish and close the connection while the other side can still be sending data. It could be open So you need to actually finish from both sides so The response back was to acknowledge that finish message And for the server to say let's finish from my side as well And the last segment we saw in there was the client sending to the server. I acknowledged the fin segment you just sent me this is closing the connection You'll often see this this typical exchange. Of course, you may see different amounts of data in between the set The three-way handshake and closing connection Uh, but that's a typical Series of packets you may see Let's to finish just go and look at some of those tcp segments in a bit more depth First let's for example choose the sin segment And just look at the tcp header And I'll make a bit more space here. What does the tcp header contain? Some of the things of importance the source port the port number assigned to the client application destination port for the server application A sequence number an acknowledgement number a few other fields the flags One bit values in this case The sin flag was set to one meaning this is a sin segment There was no data in this case In the second segment if we look at the flags both the acknowledgement flag was set and the sins flag was set They're just one bit values meaning this segment has two purposes. It's both acknowledging the previous segment and synchronizing a sequence number And in data the push flag is set And we actually see the data inside that segment So that's a quick illustration of how tcp works We see the connection setup. We see the data transfer and The close of the connection And you'll commonly see those exchanges when you capture other applications which use tcp And the way that we triggered that if we bring it up On the server We ran netcat in tcp mode And as a server using the minus l option and choosing a port number While at the client we ran it in client mode by specifying the address of the server both ip and port number