Wireshark captures packets and analyzes TCP protocol: three handshakes and four waves

2023.11.03


Wireshark captures packets and analyzes the TCP protocol. To better learn and understand how a TCP connection is established and torn down, we introduce Wireshark, a packet capture tool that is very well suited to learning network protocols. With it you can inspect the detailed contents of every layer of each captured packet.

Preface

During interviews, we are often asked about the three-way handshake and four-way wave process of the TCP protocol. Why do we always like to ask this question?

In fact, most of the protocols we use day to day are application layer protocols, such as HTTP, HTTPS, DNS and FTP; and these application layer protocols are built on the two transport layer protocols, TCP and UDP. When we run into problems while using an application layer protocol and need to analyze and locate them, we end up having to look at the connection behaviour of the underlying protocols. Therefore, as a tester it is very necessary to master the working principles of these two underlying protocols!

As an unreliable transport layer protocol, UDP has a relatively simple workflow, so let's focus on the TCP protocol.


Three-way handshake process of TCP protocol

TCP needs to go through a three-way handshake to establish a connection. The specific process is as follows:


So, let's use the packet capture tool to look at a concrete case of this process. The following picture shows the packets captured by Wireshark while making an HTTP request. The first three packets are the TCP three-way handshake: the SYN packet, the SYN/ACK packet and the ACK packet.


Expand each packet in Wireshark to see the details:

The first handshake message is as follows. It is sent by the client to the server to request that a connection be established.


You can see that there is a Flags field in the TCP header:

The Syn bit is set to 1, which means that this packet is a connection request;

Sequence number: 0 (the client's own initial sequence number; Wireshark displays relative sequence numbers by default, so the first sequence number seen in each direction is shown as 0 rather than the raw 32-bit value).

The second handshake message is as follows. It is the server's reply to the client, acknowledging and agreeing to the connection request.

You can see the Flags field in the TCP header:

The Syn bit is also set to 1, indicating that this packet agrees to establish the connection;

The ACK bit is also set to 1, indicating that it is an acknowledgment of the previous packet;

Sequence number: the server's own sequence number;

Acknowledgment number: the confirmation number for the previous request packet, so it is the sequence number of the previous packet + 1.

The third handshake: sent by the client to the server, it confirms the server's agreement to the connection request.


The ACK bit in Flags is set to 1, indicating that it is an acknowledgment of the previous packet;

Sequence number: the client's own sequence number, which is its previous sequence number + 1;

Acknowledgment number: the confirmation number for the previous packet, which is the sequence number of the previous packet + 1.

At this point, the three-way handshake is complete! Next, start sending HTTP requests.


The four-wave process of the TCP protocol

When the data transfer is complete, the client and server begin to tear down the connection. Disconnecting requires four waves. The specific process is as follows:


Similarly, we use Wireshark to analyze the packets of this process in detail:


Let's also expand the packets and look at their detailed contents:

First wave: the side that finishes sending data first (for example, the client) is the first to send a request to disconnect:


The Fin bit of the Flags field is set to 1, indicating that this is a disconnection request.

At this point the side that sent this request has stopped sending data, but it can still receive data.

The second wave: acknowledges the previous disconnection request, and at the same time stops receiving data (the peer has signalled that it will send no more).

Therefore, we can see that the ACK bit of this packet is set to 1, and the acknowledgment number is the sequence number of the previous packet + 1, acknowledging that packet.

The third wave: the server has also finished sending data, so it initiates its own disconnect request.

Here the server sends a FIN packet requesting disconnection; at the same time, the server stops sending data.

The fourth wave: the client acknowledges the server's disconnection request.

So in this packet the ACK bit of the Flags field is set to 1. At this point, the client also stops receiving data.

At this point, both the server and the client have stopped sending and receiving data! Four waves and the connection is closed.
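The sequence/acknowledgment arithmetic described in both the handshake section and the four-wave section above is easy to check mechanically. The following is an added example written for this page, not code from the original post or from the Wireshark project: it decodes raw TCP headers with Python's struct module, converts absolute sequence numbers to relative ones the way Wireshark's default display does, and verifies that a handshake and a teardown follow the "+1" rules described in the text. The whole session (ports, initial sequence numbers, HTTP request and response) is constructed in the code; the client ISN is deliberately placed near 2^32 so the wraparound case is exercised.

```python
"""Added example: decode raw TCP headers and check handshake/teardown sequence arithmetic.
The session below is constructed in code, not captured; ports, ISNs and payloads are arbitrary."""
import struct
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10  # TCP flag bits
MASK32 = 0xFFFFFFFF  # the sequence space wraps at 2^32


def nxt(seq: int, n: int) -> int:
    """Advance a sequence number by n octets, modulo 2^32."""
    return (seq + n) & MASK32


@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    payload_len: int

    def flag_names(self) -> str:
        bits = ((SYN, "SYN"), (ACK, "ACK"), (FIN, "FIN"), (PSH, "PSH"), (RST, "RST"))
        return ",".join(name for bit, name in bits if self.flags & bit)


def build_tcp(sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """Serialize a minimal 20-byte TCP header (data offset 5, no options);
    window, checksum and urgent pointer are placeholder values."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload


def parse_tcp(raw: bytes) -> TcpHeader:
    """Parse the fixed header and honour the data offset so any options are skipped."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    hdr_len = (off_flags >> 12) * 4
    if hdr_len < 20 or hdr_len > len(raw):
        raise ValueError("bad data offset")
    return TcpHeader(sport, dport, seq, ack, off_flags & 0x01FF, len(raw) - hdr_len)


def relative_numbers(hdrs):
    """Express seq/ack as offsets from each direction's initial sequence number, which is
    what Wireshark shows by default (SYN: seq 0; SYN/ACK: seq 0, ack 1; ACK: seq 1, ack 1)."""
    isn, rows = {}, []
    for h in hdrs:
        fwd, rev = (h.src_port, h.dst_port), (h.dst_port, h.src_port)
        isn.setdefault(fwd, h.seq)
        rel_seq = (h.seq - isn[fwd]) & MASK32
        rel_ack = (h.ack - isn[rev]) & MASK32 if (h.flags & ACK) and rev in isn else 0
        rows.append((rel_seq, rel_ack, h.flag_names()))
    return rows


def check_handshake(syn, synack, ack) -> bool:
    """SYN; SYN+ACK acknowledging syn.seq+1; ACK carrying syn.seq+1 and acknowledging
    synack.seq+1. A SYN consumes one sequence number although it carries no data."""
    return ((syn.flags & (SYN | ACK)) == SYN
            and (synack.flags & (SYN | ACK)) == (SYN | ACK)
            and (synack.src_port, synack.dst_port) == (syn.dst_port, syn.src_port)
            and synack.ack == nxt(syn.seq, 1)
            and (ack.flags & (SYN | ACK)) == ACK
            and ack.seq == nxt(syn.seq, 1)
            and ack.ack == nxt(synack.seq, 1))


def check_teardown(fin1, ack1, fin2, ack2) -> bool:
    """FIN from the side that finished sending; ACK of fin1.seq+1 from the peer;
    the peer's own FIN; final ACK of fin2.seq+1. A FIN also consumes one sequence number."""
    return (bool(fin1.flags & FIN)
            and (ack1.flags & (FIN | ACK)) == ACK
            and (ack1.src_port, ack1.dst_port) == (fin1.dst_port, fin1.src_port)
            and ack1.ack == nxt(fin1.seq, 1)
            and bool(fin2.flags & FIN) and fin2.src_port == ack1.src_port
            and (ack2.flags & (FIN | ACK)) == ACK
            and ack2.ack == nxt(fin2.seq, 1))


def constructed_session():
    """Handshake, one HTTP request/response, then the four-step close (all constructed)."""
    c, s = 51234, 80                # client ephemeral port, server port (constructed)
    ic, is_ = 0xFFFFFFF0, 0x10      # client / server initial sequence numbers (constructed)
    req, resp = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", b"HTTP/1.1 200 OK\r\n\r\n"
    return [
        build_tcp(c, s, ic, 0, SYN),                                                 # handshake 1
        build_tcp(s, c, is_, nxt(ic, 1), SYN | ACK),                                 # handshake 2
        build_tcp(c, s, nxt(ic, 1), nxt(is_, 1), ACK),                               # handshake 3
        build_tcp(c, s, nxt(ic, 1), nxt(is_, 1), PSH | ACK, req),                    # HTTP request
        build_tcp(s, c, nxt(is_, 1), nxt(ic, 1 + len(req)), PSH | ACK, resp),        # HTTP response
        build_tcp(c, s, nxt(ic, 1 + len(req)), nxt(is_, 1 + len(resp)), FIN | ACK),  # wave 1
        build_tcp(s, c, nxt(is_, 1 + len(resp)), nxt(ic, 2 + len(req)), ACK),        # wave 2
        build_tcp(s, c, nxt(is_, 1 + len(resp)), nxt(ic, 2 + len(req)), FIN | ACK),  # wave 3
        build_tcp(c, s, nxt(ic, 2 + len(req)), nxt(is_, 2 + len(resp)), ACK),        # wave 4
    ]


def analyze(raw_packets):
    hdrs = [parse_tcp(p) for p in raw_packets]
    return {"handshake_ok": check_handshake(*hdrs[:3]),
            "teardown_ok": check_teardown(*hdrs[-4:]),
            "relative": relative_numbers(hdrs)}


if __name__ == "__main__":
    result = analyze(constructed_session())
    for seq, ack, flags in result["relative"]:
        print(f"seq={seq:<3} ack={ack:<3} [{flags}]")
    print("handshake:", result["handshake_ok"], " teardown:", result["teardown_ok"])
```

Running the script prints the same relative seq/ack columns you see in Wireshark's packet list for a short HTTP session (0/0 SYN, 0/1 SYN,ACK, 1/1 ACK, and so on), with both checks reporting True. Modifying one acknowledgment number in constructed_session() makes the corresponding check fail, which is a quick way to convince yourself that the "+1" rules are what distinguishes a valid handshake from a stray packet.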