TCP协议

TCP

A -> SYN 敲门有人在吗? -> B
A <- SYN,ACK有人在喔  <- B
A -> ACK ,好的我要东西給你 ->B
A -> ACK,PSH 东西 -> B
A <- ACK 收到 <-B

Step 1 Packet# 1

客户端10.44.124.5向93.184.216.34提出建立连接的申请， 发送数据包+SYN

因为sync包没有实际的数据，所以数据长度为0。Wireshark把sequence number设置为0。

The actual value would be a 32 bit randomly selected number which we humans will find hard to keep up with. From the screenshot you can see the actual SEQ number from the client is 1932704549 (I have also attached the picture which shows the actual 32 bits sequence number below)

Step 2 Packet# 2

In step 2, the server will respond to the client with ACK and SYN bit set. Like step 1, Length of the data is zero, no data is transmitted in this stage. The sequence number is set to 0 (relative) and acknowledges the request of the client for synchronization.  The server sends an acknowledgment of 1 to the client. The ACK is specific to the SYN the client sent. The acknowledge number is set to one more than the receive sequence number.

Step 3 Packet# 3

Finally, the client acknowledges the server’s request for synchronization with ACK 1. The ACK is specific to the SYN the server sent. The acknowledge number is set to one more than the receive sequence number.

TCP标记和他们的意义如下所列：

* F : FIN  - 结束; 结束会话
* S : SYN  - 同步; 表示开始会话请求
* R : RST  - 复位;中断一个连接
* P : PUSH - 推送; 数据包立即发送
* A : ACK  - 应答
* U : URG  - 紧急
* E : ECE  - 显式拥塞提醒回应
* W : CWR  - 拥塞窗口减少

TCP Flags详解：http://www.firewall.cx/networking-topics/protocols/tcp/136-tcp-flag-options.html

• 

tcpdump

sudo tcpdump -i any -s 0 dst port 111 -Z root -w target.pcap

wireshark

ip
tcp

WireShark出现的常见提示 

• TCP Out_of_Order的原因分析： 

一般来说是网络拥塞，导致顺序包抵达时间不同，延时太长，或者包丢失，需要重新组合数据单元，因为他们可能是由不同的路径到达你的电脑上面。 

• TCP Retransmission原因分析： 

很明显是上面的超时引发的数据重传。 

• TCP dup ack XXX#X原因分析： 

就是重复应答#前的表示报文到哪个序号丢失，#后面的是表示第几次丢失。 

• tcp previous segment not captured原因分析 

意思就是报文没有捕捉到，出现报文的丢失。