1. TCP Baotou structure

1. Source port 、 Target port : A process on a computer communicates with other processes through a computer port , And a computer port Only one process can occupy a certain time , So by specifying the source port and the target port , You can know which two processes need to be connected Letter . Source port 、 The target port is in 16 Bit means , It can be estimated that the number of computer ports is 2^16 individual , namely 65536

2. Serial number : Represents the number of the first byte of the data sent by this section . stay TCP Each byte of the stream of bytes transferred in the connection is numbered sequentially . Because the serial number consists of 32 Who said , So every 2^32 Bytes , And then there's a serial number loop , Again from 0 Start , The function is to solve the disorder of data packets in network transmission

3. Confirmation no. : Indicates that the receiver expects to receive the first byte data of the next message segment from the sender . That is to tell the sender : I hope you （ Refers to the sender ） The number of the first byte of the data to be sent next time is the confirmation number , After the sender receives the acknowledgement , It indicates that all packets before this sequence number have been successfully received , The function is to confirm whether the data packet is lost during transmission

4. Data migration : Express TCP The first length of a message segment , common 4 position , because TCP The first part contains a variable length option section , You need to specify this TCP How long is the segment . It points out that TCP Data starting distance of message segment TCP How far is the beginning of the message segment . The unit of this field is 32 position ( namely 4 The unit of calculation is bytes ),4 Bit binary maximum representation 15, So the data offset is yes TCP The first one is the biggest 60 byte

Control bits

1. URG： Indicates whether the data sent in this newspaper paragraph contains emergency data . The following emergency pointer field (urgent pointer) only Be worthy of URG=1 Only when effective

2. ACK： Indicates whether the previous confirmation number field is valid . Only when ACK=1 when , The previous confirmation number field is valid .TCP Regulations , After the connection is established ,ACK It has to be for 1, belt ACK logo TCP A message segment is called an acknowledgment segment

3. PSH： Prompt the receiving application to immediately start from TCP Read data from receive buffer , Make room for receiving subsequent data . Such as Fruit 1, It means that the other party should submit the data to the upper application immediately , Instead of caching , If the application does not receive Read the data of , It will stay in TCP In the receive buffer

4. RST： If you receive one RST=1 Message of , This indicates that there is a serious error in the connection with the host ( If the host computer crashes ), Connection must be released , Then reestablish the connection . Or the data sent to the host last time has a problem , Host refused to respond , belt RST logo TCP A segment of a message is called a reset segment

5. SYN： Use... When establishing a connection , Used to synchronize serial numbers . When SYN=1,ACK=0 when , Indicates that this is a message segment requesting connection ; When SYN=1,ACK=1 when , Indicates that the other party agrees to establish a connection .SYN=1, This is a message requesting or agreeing to establish a connection . Only in the first two handshakes SYN It's set to 1, logo TCP A message segment is called a synchronous message segment

6. FIN： Indicates that the local terminal of the other party is about to close the connection , Mark whether the data has been sent . If FIN=1 , That is, to tell the other party :“ My data has been sent , You can release the connection ”, belt FIN logo TCP A message segment is called an end message segment

Window size : Indicates the amount of data that the other party is allowed to send now , That is to say, tell each other , Starting from the confirmation number of this paragraph, the other party is allowed to The amount of data sent , At this point , need ACK Only after confirmation can we continue to transmit the following data , from Window size value * Window size scaling factor( This value is in the three handshake phase TCP Options Window scale It was negotiated that ) Get this value

The checksum : Provides additional reliability

Pointer to an emergency : Mark the position of emergency data in the data field

Options section : The maximum length can be determined by TCP The length of the head is calculated .TCP The length of the first part is used 4 Who said , The option section is the longest by :(2^4-1)*4-20=40 byte

TCP Baotou common options :

1. Maximum segment length MSS(Maximum Segment Size), Usually 1460 byte

Indicate that you expect the other party to send TCP The length of the data field in the message segment . such as :1460 byte . Length of data field plus On TCP The length of the head is equal to the whole TCP The length of the message segment .MSS It should not be set too large or too small . If too Small , In extreme cases ,TCP The message segment only contains 1 Bytes of data , stay IP The cost of datagram transmitted by layer is at least 40 byte ( Include TCP The header and IP The header of the datagram ). such , The utilization rate of the network will not exceed 1/41. if TCP The message segment is very Long , So in IP Layer transmission may be divided into multiple short data slices . At the destination, each received short data message shall be assembled Become the original TCP Message segment . In case of transmission error, retransmission is required , All of these will increase the cost . therefore MSS As far as possible Big , As long as IP Layer transport does not need to be further fragmented . During connection establishment , Both sides put what they can support MSS write in This field . MSS Only in SYN In the message . namely :MSS Appear in the SYN=1 In the message segment of MTU and MSS Value the relationship between :MTU=MSS+IP Header+TCP Header
The final communication between the two parties MSS value = smaller MTU-IP Header-TCP Header

2. The window expands Window Scale

To expand the window , because TCP The length of the window size field in the header is 16 position , So the maximum number it represents is 65535. But with Communication with large delay and bandwidth will be generated ( Such as satellite communication ), Larger windows are needed to meet performance and throughput , So produce This window expansion option is

3. Time stamp Timestamps

It can be used to calculate RTT( Round trip time ), The sender sends TCP When the message , Put the current time value into the timestamp field , The receiving party When the confirmation message is sent after receiving , Copy the value of this timestamp field into the acknowledgement message , When the sender receives the confirmation message, it can To calculate the RTT. It can also be used to prevent rewinding the serial number PAWS, It can also be used to distinguish different messages with the same serial number . because Use... For serial number 32 To represent , Every time 2^32 A serial number will produce a loopback , Then it is easy to distinguish the same order by using the timestamp field Different messages with column numbers

2 Three handshakes

2.1 The illustration

2.2 Use tcpdump and wireshark Interpreting the process of three handshakes

In actual production, we can directly use wireshark Take a look at it TCP Communication process of , Used in this article tcpdump and wireshark combination , I want to demonstrate it in passing tcpdump, After all, most of what we use in production is Linux The server , View simple network problems , Using command line mode tcpdump Maybe more .
centos8 Server side http The service information is as follows

[[email protected] ~]#hostname -I | awk '{print $2}'
10.0.0.11
[[email protected] ~]# yum -y install httpd
[[email protected] ~]# yum -y install tcpdump      #  Need configuration  epel  Source 

# epel  The source configuration is as follows 
[[email protected] ~]#cat /etc/yum.repos.d/epel.repo
[epel]
name=epel
baseurl=https://mirrors.tuna.tsinghua.edu.cn/epel/$releasever/Everything/x86_64
gpgcheck=0
enabled=1
[[email protected] ~]#

centos7 Client machine information for

[[email protected] ~]# hostname -I|awk '{print $2}'
10.0.0.12
[[email protected] ~]#

stay centos8 Use on the machine tcpdump Grab the bag

[[email protected] ~]#tcpdump -i eth1 -nn -c5 tcp port 80 -w tcp.pcap
dropped privs to tcpdump
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
5 packets captured
11 packets received by filter
0 packets dropped by kernel
[[email protected] ~]#

stay cetons7 On the machine centos8 Of http service

[[email protected] ~]# curl 10.0.0.11

because httpd Service use TCP Protocol communication , therefore , First, three handshakes are required
Will be preserved tcp.pcap Download the file to the desktop , Use wireshark open （ file – open ） that will do

TCP The first handshake

TCP The second handshake

TCP The third handshake

The client requests a web page （ send out GET request ）

The server responds to the content

3 Four waves

 Four waves to close the connection , The purpose of closing the connection ： Prevent data loss ; Interact with the application layer 

The four waves are divided into two situations

client （ Back server ） Active disconnection

The client and server are disconnected at the same time

3.1 The client actively disconnects

3.2 The client and server are disconnected at the same time

3.3 Use tcpdump and wireshark Interpret the process of four waves

This only shows the case that the client actively disconnects

The experimental environment remains the same , Just for the convenience of this demonstration, we use ssh Log in and back out to demonstrate the process of four waves （ We only consider normal communications ）

Server side centos8 Grab the bag

[[email protected] ~]#tcpdump -i eth1 -nn tcp port 22 and host 10.0.0.12 -w tcp_wave.pcap
dropped privs to tcpdump
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
^C66 packets captured
66 packets received by filter
0 packets dropped by kernel
[[email protected] ~]#

centos7 Client login centos8 Server side , Then back out to demonstrate TCP The process of waving four times

[[email protected] ~]# ssh [email protected]
[email protected]'s password:
Last login: Tue Apr 20 09:59:38 2021 from 10.0.0.12
[[email protected] ~]#exit
logout
Connection to 10.0.0.11 closed.
[[email protected] ~]#

TCP First wave

TCP Second wave

TCP Third wave

TCP Fourth wave

4 TCP Frequently asked questions

4.1 Please describe TCP and UDP The differences, advantages and disadvantages of messages ？

4.2 Why TCP agreement ？TCP Which floor do you work on ？

IP Layers are unreliable , It does not guarantee on-demand, sequential delivery of network packets , Nor does it guarantee the integrity of the data in the network packet .

The reliability of data packets in the network needs its upper layer （ Transport layer ） To be responsible for

4.3 What is? TCP Connect ？

Simply speaking TCP The connection consists of three parts ：socket + Serial number + Window size

socket： from IP Address + The port number consists of
Serial number ： Used to solve the packet disorder problem
Window size ： The purpose is to control the flow , Speed limit, etc

4.4 How to uniquely identify a TCP Connect ？

answer ：TCP A quintuple can uniquely identify a connection , The five tuples include the following ：

agreement

Source IP

Source port

Purpose IP

Destination port

Source address and destination address fields （32 position ） Is in IP In the head , Used for communication between hosts

Source port and destination port fields （16 position ） Is in TCP In the head , Used for process to process communication

4.5 TCP What are the optimization parameters

4.6 TCP Why do I need three handshakes ？ Why not twice ？ How about four times ？

The three message handshake is mainly used to prevent failure （ Serial number timeout or expiration ） The connection request message segment of is suddenly sent to , So there's a mistake .

The client and server communicate in both directions , If it's two handshakes , Only one party's initial serial number can be successfully received by the other party , There is no way to ensure that the initial serial number of the other party can be confirmed

Four handshakes are actually OK , But the server side can ACK and SYN Send it to the client together , The initialization sequence numbers of both parties can also be synchronized , Establish a reliable connection , So there is no need to add a communication overhead

4.7 TCP Why do you need to wave four times ？ Why not three times ？

The client and server communicate in both directions , The client sends... To the server FIN when , It just means that the client has no data to send , It does not mean that the server has no data to send , At this point, the client can still accept data

The server received... From the client FIN After the message , Reply to one ACK Reply message , Consent to disconnect

At this time, the server may still have data to send and process , When the server has no data to send , Will send a FIN Message to client , Client received FIN After the message , Reply to one ACK Reply message , Consent to disconnect

As we can see above ,TCP The process of waving cannot be like shaking hands , take FIN and ACK Messages are sent together , So you can't use three waves , But four waves

4.8 Can you carry data during handshake ？

The third handshake can carry data , The first two handshakes are not allowed to carry data

4.9 SYN The attack is to occupy the specific resources of the server ,SOCKET Is it connected ？

Semi connected queues , You can control the queue size by modifying the kernel parameters

#  The maximum number of packets received by the kernel 
net.core.netdev_max_backlog
#  increase ⼤ Semi connected queues 
net.ipv4.tcp_max_syn_backlog = 1024
#  increase  somaxconn
echo 1024 > /proc/sys/net/core/somaxconn
#  increase ⼤ Application's  backlog  Of ⽅ type , With  Nginx  For example 
server {
   listen 80 default backlog=1024;
   server_name localhost;
   ......
}
#  Reduce  SYN+ACK  Number of retransmissions 
#  Connect each  SYN_RECV  when , If it fails , The kernel also automatically retries , And the default number of retries is  5  Time 
net.ipv4.tcp_synack_retries = 1
#  Turn on  tcp_syncookies  function 
net.ipv4.tcp_syncookies = 1

TCP SYN Cookies It's also a special defense SYN Flood The way to attack .SYN Cookies Based on connection information （ Include source address 、 Source port 、 Destination address 、 Destination port, etc ） And an encryption seed （ Such as system startup time ）, Calculate a hash value （SHA1）, This hash value is called cookie.

then , This cookie It's used as a serial number , To answer SYN+ACK package , And release the connection state . When the client sends the last of the three handshakes ACK after , The server will compute the hash again , Confirm that it was last returned SYN+ACK The return package of , To enter TCP Connection state of .

thus , Turn on SYN Cookies after , There is no need to maintain the semi open connection state , Then there is no limit on the number of semi connections .

4.10 The server has a large number of TIME_WAIT state ？ Why is that? ？ How to solve ？

TIME_WAIT yes TCP During the four waves , The party who actively disconnects will only be in a state after the third wave

It is an essential condition in normal waving , as a result of ：

Prevent old packets from being received due to network reasons
Ensure that the passive disconnected party can correctly receive ACK So as to close the connection normally
If the server has a large number of TIME_WAIT, First, the server actively disconnected the connection , Too much TIME_WAIT A large amount of memory and port resources will be used temporarily , As a result, the server can no longer process new connection requests

The solution is to optimize the kernel

#  Increase in  TIME_WAIT  The number of connections in the State  
net.ipv4.tcp_max_tw_buckets = 1048576
#  Increase the size of the connection trace table  
net.netfilter.nf_conntrack_max = 1048576
#  Shorten from  TIME_WAIT_2  To  TIME_WAIT  The timeout of the State  , Let the system release the resources they occupy as soon as possible .
net.ipv4.tcp_fin_timeout = 15
#  Shorten the connection trace table in  TIME_WAIT  Timeout for state connection   , Let the system release the resources they occupy as soon as possible 
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 30
#  Increase the range of local ports  , So that we can support more connections , Improve overall concurrency 
net.ipv4.ip_local_port_range = 10000 65000
#  Increase the maximum number of files that can be allocated by a single process 
fs.nr_open = 1048576
#  Increase the maximum number of file descriptors on the system , Or in the application's  systemd  In profile , To configure  LimitNOFILE
fs.file-max = 1048576
#  Turn on  TIME_WAIT  reusing , such , By  TIME_WAIT  Port occupied by state , It can also be used in new connections , Only for clients 
net.ipv4.tcp_tw_reuse = 1
#   Turn on  TCP  Time stamp （ Use with the above ）
net.ipv4.tcp_timestamps=1
#  Reset timeout connection （ May cause other problems , Use with caution ！！！）
net.ipv4.tcp_max_tw_buckets

Be careful ：net.ipv4.tcp_tw_reuse and net.ipv4.tcp_tw_recycle Rely on a net.ipv4.tcp_timestamps,net.ipv4.tcp_timestamps yes tcp An option for , If you turn it on , Then you can't use tcp Other options for , Include net.ipv4.tcp_syncookies.

4.11 TCP The two sides have established a connection , later ,TCP What if the host where the client process is located suddenly fails ？

TCP The server process can no longer receive TCP Data from the customer process

therefore , There should be measures to make TCP The server process should not wait in vain

TCP There's a survival mechanism , The principle is

TCP Every time the server process receives TCP Data of customer process , Just reset and start the keep alive timer （2 Hour timing ） If... Is not received within the time period of the keep alive timer TCP Data from the customer process , When the keep alive timer expires ,TCP The server process goes to TCP The client process sends a probe message segment , After every 75 Seconds to send . If sent continuously 9 There is still no after detecting message segments TCP The response of the customer process ,TCP The server process thinks TCP The host where the client process is located has failed , Then close the connection

Can be set in the kernel , The default is as follows ：

net.ipv4.tcp_keepalive_time=7200
net.ipv4.tcp_keepalive_intvl=75
net.ipv4.tcp_keepalive_probes=9

4.12 TCP After the customer process sends the last confirmation message , Why not go straight into the closed state ？ But to enter the time waiting state （2MSL Time ）？

Because of the time waiting state and being in this state 2MSL Duration , To ensure that TCP The server process can receive the last TCP Confirm the message segment and enter the closed state

in addition ,TCP The client process is sending the last TCP After confirming message segment , after 2MSL Duration , All message segments generated during the duration of this connection can disappear from the network , So you can make the next new one TCP Connecting , There will be no message segments in the old connection

4.13 How to view TCP The state of , And statistics TCP Total number of states

ss Orders come from iproute package , Instead of netstat,netstat By traversing /proc To get socket Information ,ss Use netlink And kernel tcp_diag Module communication acquisition socket Information , The usage and output results are similar to netstat command

#  see  TCP  The communication status of 
[[email protected] ~]#ss -antp
State           Recv-Q      Send-Q  Local Address:Port  Peer Address:Port
LISTEN          0           128     0.0.0.0:80          0.0.0.0:*           users:(("nginx",pid=767,fd=8),("nginx",pid=766,fd=8))
LISTEN          0           128     0.0.0.0:22          0.0.0.0:*           users:(("sshd",pid=734,fd=4))
LISTEN          0           100     127.0.0.1:25        0.0.0.0:*           users:(("master",pid=849,fd=16))
ESTAB           0           0       10.0.0.11:22        10.0.0.10:49483     users:(("sshd",pid=1281,fd=5),("sshd",pid=1269,fd=5))
LISTEN          0           128     [::]:80             [::]:*              users:(("nginx",pid=767,fd=9),("nginx",pid=766,fd=9))
LISTEN          0           128     [::]:22             [::]:*              users:(("sshd",pid=734,fd=6))
LISTEN          0           100     [::1]:25            [::]:*              users:(("master",pid=849,fd=17))

#  Statistics  TCP  Total number of states 
[[email protected] ~]#ss -antp|awk 'NR>=2{status[$1]++}END{for(i in status){print i"\t"status[i]}}'
LISTEN	6
ESTAB	1
[[email protected] ~]#