Transmission Control Protocol (TCP)


Transmission Control Protocol (TCP) is a reliable protocol: it ensures that the data sent is properly received, and in the correct order. If there is an error, the message is sent again.

  • connection-based 🤝: a prior connection is established
  • stateful 🐡: information about the session is kept
  • flow-control 🐌: the sender can slow down the transmission rate

It's used when quality is more important than speed.

🐊️ Port: N/A

πŸ—ΊοΈ Used by: ssh, ftp, http...

✍️ TCP PDUs are called segments.

TCP messages all have a flag according to their type:

  • 1: F=FIN
  • 2: S=SYN
  • 4: R=Reset
  • 8: P=Push
  • 16: A=Ack
  • ...

TCP three-way handshake 📌

Using TCP, we establish a session between two machines A and B. A starts with a SYN. B replies with SYN, ACK. A receives SYN, ACK, and replies with ACK. The closing handshake is the same with FIN.

There are sequence numbers and ack numbers on every message. The first SYN has a random value $a$. The second SYN has a random value $b$, while the ACK has the value $a+1$. The final ACK has the value $b+1$.


  • 2 bytes for the "source port"
  • 2 bytes for the "destination port"
  • 4 bytes for the "sequence number" (seq)
  • 2 bytes for the "acknowledgment number" (ack)
  • 4 bits for the "offset"
  • 3 bits that are "reserved" (000)
  • 9 bits for the "flag"
  • 2 bytes for the "window" (window size)
  • 2 bytes for the "checksum"
  • 2 bytes for the "urgent pointer"
  • 0 to 40 bytes for "options" (optional)

TCP vulnerabilities

  • SYN Flood Attack

👉 An attacker sends a mass of SYN requests, creating many half-open connections and slowing down the target. 💥 DoS ➡️ Rate-limit the number of SYN packets accepted per second.

  • TCP Reset Attack

👉 An attacker sends RST to terminate legitimate connections and disrupt service. ➡️ Protect TCP connections (ex: filters, encryption...).

  • TCP Session Hijacking

👉 An attacker steals a session by stealing or guessing the session ID. ➡️ Use encryption, timeouts, forbid many active sessions...
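
The following Python code is an added example, not part of the original notes. It decodes the flag values listed above, follows the three-way handshake with the $a+1$ / $b+1$ rule, and counts half-open connections per client, which is the signal to watch when rate-limiting SYN packets. The packet tuples, addresses and function names are constructed for illustration.

```python
from collections import Counter

# Flag bit values as listed in these notes.
FIN, SYN, RST, PSH, ACK = 1, 2, 4, 8, 16
NAMES = [(FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (PSH, "PSH"), (ACK, "ACK")]

def flag_names(bits):
    """Decode a flag bitmask, e.g. 18 -> ['SYN', 'ACK']."""
    return [name for bit, name in NAMES if bits & bit]

def half_open(packets):
    """Count handshakes that never completed, per client IP.

    packets: (src, sport, dst, dport, flags, seq, ack) tuples in capture order.
    """
    pending = {}  # (client, cport, server, sport) -> [a, b]; b is None until SYN,ACK
    for src, sport, dst, dport, flags, seq, ack in packets:
        conn, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags & RST:                           # reset: forget the attempt
            pending.pop(conn, None)
            pending.pop(reverse, None)
        elif flags & SYN and not flags & ACK:     # step 1: SYN, seq = a
            pending[conn] = [seq, None]
        elif flags & SYN and reverse in pending:  # step 2: SYN,ACK, ack must be a+1
            if ack == (pending[reverse][0] + 1) % 2**32:
                pending[reverse][1] = seq         # remember b
        elif flags & ACK and conn in pending:     # step 3: ACK, ack must be b+1
            b = pending[conn][1]
            if b is not None and ack == (b + 1) % 2**32:
                del pending[conn]                 # handshake complete
    return dict(Counter(conn[0] for conn in pending))

def syn_flood_suspects(packets, threshold):
    """Clients holding at least `threshold` half-open connections."""
    return sorted(ip for ip, n in half_open(packets).items() if n >= threshold)

# Constructed sample capture (documentation-range addresses, not real traffic).
SERVER = "203.0.113.5"
SAMPLE = [
    ("192.0.2.10", 40000, SERVER, 22, SYN, 1000, 0),
    (SERVER, 22, "192.0.2.10", 40000, SYN | ACK, 5000, 1001),
    ("192.0.2.10", 40000, SERVER, 22, ACK, 1001, 5001),
]
for port in range(50000, 50005):  # five SYNs that are never acknowledged
    SAMPLE.append(("198.51.100.7", port, SERVER, 22, SYN, 7000 + port, 0))
    SAMPLE.append((SERVER, 22, "198.51.100.7", port, SYN | ACK, 9000, 7001 + port))

if __name__ == "__main__":
    print(half_open(SAMPLE), syn_flood_suspects(SAMPLE, threshold=3))
```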