Dissecting TCP packets
- Shone Pious
- Sep 1, 2023
- 3 min read
Updated: Sep 29, 2023

Understanding the output
I will go through a typical TCP packet as tcpdump prints it.
Typical flags in a tcpdump output ➡️

Typical TCP packet ➡️

The first part is the timestamp of the packet according to the local time ➡️

The next part eth0 shows what interface the packet was captured from ➡️

Source and destination IP addresses are shown next, with the port number shown after the IP address, separated by a dot.
IP is the network layer protocol and here represents IPv4.
In the case of IPv6, IP6 would be shown instead ➡️

The flags show what stage the TCP connection is at ➡️
The one below stands for push-ack. The other flags and their meanings can be found in the table above.

The sequence number identifies where a packet's data sits in the byte stream of a capture. By default tcpdump prints it relative to the first packet's sequence number, which makes the flow easier to follow.
In this example, the sequence is seq 619:795, which means this packet contains bytes 618 to 795 in this capture flow.

The next part is the Ack Number, which the receiving side (here the TCP server) sends back to acknowledge that the data has been received and that it is ready for the next piece of data.
In this case, the Ack Number is 1 because this is the side sending the data.
If this had been captured on the receiving side (the webserver), the Ack Number would be the next byte of data expected in this flow (795 in our case).

The window size comes next and refers to the buffer space (in bytes) available or remaining in this particular TCP connection.
The buffer advertised by the receiving side tells the webserver how much data it may send over the wire before the client must acknowledge it and the connection can continue.

If the advertised window is too small, the client is unable to process all the data being sent in time and the server must slow down.
When the receiver advertises a window size of 0, the sender stops sending data and starts a persist timer. The timer prevents a deadlock in which the next window-size update is lost and the sender would otherwise wait forever.
When this timer expires, the sender sends small probe packets to obtain an ack and a fresh window-size update.
If the receiver then keeps advertising small window values, the sender keeps sending correspondingly small pieces of data. This is the silly window syndrome, which is incredibly inefficient because each TCP segment carries just a few bytes of payload.

The final part of the TCP packet is the length, in bytes.
This is the length of the payload data: the difference between the last and first bytes in the sequence number range.
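To make the walkthrough above concrete, here is an added Python example (not code from the original post) that parses tcpdump TCP lines into the fields just described and cross-checks them: the payload length against the seq range, the zero-window case, and the ack number the other side should return. The sample lines are constructed; the regex assumes the interface and In/Out columns that recent tcpdump prints with -i any, numeric addresses, and relative sequence numbers.

```python
import re
# One TCP line as tcpdump prints it. The interface and In/Out columns appear with
# "-i any" on recent versions, so both are optional; numeric addresses assumed.
TCP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?:(?P<iface>\S+)\s+(?:(?:In|Out|[BMP])\s+)?)?"
    r"(?P<proto>IP6?)\s+(?P<src>\S+?)\.(?P<sport>\w+) > (?P<dst>\S+?)\.(?P<dport>\w+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq_lo>\d+)(?::(?P<seq_hi>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?(?:, win (?P<win>\d+))?.*?, length (?P<length>\d+)$"
)

def parse_tcp_line(line):
    """Fields the post walks through; None for non-TCP lines (ARP, ICMP, UDP ...)."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    seq_lo = int(g["seq_lo"]) if g["seq_lo"] else None
    seq_hi = int(g["seq_hi"]) if g["seq_hi"] else seq_lo  # SYN prints "seq 0", no range
    return {
        "time": g["ts"], "iface": g["iface"], "ipver": 6 if g["proto"] == "IP6" else 4,
        "src": (g["src"], g["sport"]), "dst": (g["dst"], g["dport"]),
        "flags": g["flags"], "seq": (seq_lo, seq_hi),
        "ack": int(g["ack"]) if g["ack"] else None,
        "win": int(g["win"]) if g["win"] else None, "length": int(g["length"]),
    }

def audit(pkt):
    """Cross-check the fields the way the post explains them; returns findings."""
    findings, (lo, hi) = [], pkt["seq"]
    # Payload length must equal the width of the seq range (795 - 619 = 176).
    if lo is not None and hi - lo != pkt["length"]:
        findings.append(f"length {pkt['length']} != seq span {hi - lo}")
    if pkt["win"] == 0:  # receiver is full: sender must stop and run its persist timer
        findings.append("zero window advertised")
    return findings

def next_ack(pkt):
    """Ack the peer should return: byte after the last one carried (795 for 619:795); SYN and FIN count one each."""
    lo, hi = pkt["seq"]
    return None if lo is None else hi + ("S" in pkt["flags"]) + ("F" in pkt["flags"])

# Constructed sample in the layout of "tcpdump -i any -n" (not a real capture).
SAMPLE = """\
12:00:01.000001 eth0  Out IP 192.0.2.10.44512 > 198.51.100.5.80: Flags [P.], seq 619:795, ack 1, win 502, options [nop,nop,TS val 10 ecr 20], length 176
12:00:01.000002 eth0  In  IP 198.51.100.5.80 > 192.0.2.10.44512: Flags [.], ack 795, win 0, options [nop,nop,TS val 21 ecr 10], length 0
12:00:01.000003 eth0  Out ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28
"""
if __name__ == "__main__":
    for p in filter(None, map(parse_tcp_line, SAMPLE.splitlines())):
        print(p["time"], p["src"], "->", p["dst"], p["flags"], audit(p) or "ok")
```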

Packet content
Sometimes checking just the packet headers for source/destination IPs isn't enough to troubleshoot the network, and we must inspect the packet contents in more detail to find what we need.
To view the contents in hex and ASCII, use the flag -X.
To view the contents in just ASCII, use the flag -A. Type ➡️
sudo tcpdump -i any -c10 -A port 80
This command shows us the packet contents of an HTTP transmission.

The end?
If you want to learn more about this command line alternative to Wireshark, visit the tcpdump website.