This is a 5-part series on the most practical things you need to know about TCP. These topics were selected because they are the most frequently asked about by readers and customers who have needed help with protocol analysis. Ok, now on with the article.
The network is slow. Ok, we’ve all heard it a million times. But what is the real problem?
Oftentimes when going in to troubleshoot a slow application, we find the network guys pointing fingers to the application guys, and the app guys pointing at the network guys. In several cases though, the root problem can be found in the transport layer, which neither team really wants to own up to. So in this article series we are going to discuss the details behind several TCP topics, why you care, and how you find these problems on your network.
In the 5-part series we will cover:
The TCP Connection
The TCP Window
Sequence and Acknowledgement Numbers
Connection Teardown (Expected and Unexpected)
The TCP Connection
In order for data to move between two machines using TCP, they must first establish a connection, sometimes also referred to as a socket. A connection is established by a three-way handshake, involving a unique port on each machine. If a client is connecting to a server, it will open one of its ports – a dynamic port – and send a connection request to the server’s IP, with a specific server port. If this connection gets established, the client and server must continue to use this IP:Port pairing to communicate.
The three way handshake is very simple, and can tell you quite a bit about the underlying network as well. Below is a bounce chart taken from ClearSight which does a great job of displaying the packets involved.
The first packet is the client sending a SYN to the server. In it, the client informs the server which sequence number it will start from (sequence number A). Note: Wireshark typically displays these numbers relative to zero by default, which makes it easier to see how much data has been transferred over the connection.
The server replies with a SYN-ACK packet. In the TCP header, the server will choose its own sequence number (B) and will acknowledge the client’s sequence number by returning A+1 in the ACK field.
Last, the client sends an ACK back to the server. The sequence number is set to A+1 and the acknowledgement number is set to B+1.
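As an added example (not part of the original article), the following Python parses three constructed TCP headers and checks the A / A+1 / B / B+1 relationships described above, also deriving the Wireshark-style relative numbers and the SYN-to-SYN-ACK time. The ports, initial sequence numbers and timestamps are constructed for the example, and the checks are the author of this example's, not Wireshark's or ClearSight's.

```python
import struct
from collections import namedtuple

SYN, ACK = 0x02, 0x10
MASK32 = 0xFFFFFFFF
Segment = namedtuple("Segment", "ts sport dport seq ack flags")  # ts: capture time in seconds

def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Pack a 20-byte TCP header (data offset 5, no options); checksum left zero."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)

def parse_tcp_header(ts, raw):
    """Unpack the fixed header fields; the flags are the low 9 bits of the offset/flags word."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    return Segment(ts, sport, dport, seq, ack, off_flags & 0x01FF)

def analyze_handshake(segs):
    """Validate SYN / SYN-ACK / ACK and return Wireshark-style relative numbers plus timings."""
    syn, synack, ack = segs[:3]
    for s, want in ((syn, SYN), (synack, SYN | ACK), (ack, ACK)):
        if s.flags & (SYN | ACK) != want:
            raise ValueError(f"flags 0x{s.flags:03x} where 0x{want:03x} was expected")
    if (synack.sport, synack.dport) != (syn.dport, syn.sport) or (ack.sport, ack.dport) != (syn.sport, syn.dport):
        raise ValueError("segments do not all belong to the same port pairing")
    a, b = syn.seq, synack.seq                     # client ISN (A) and server ISN (B)
    if synack.ack != (a + 1) & MASK32:
        raise ValueError("SYN-ACK does not acknowledge A+1")
    if ack.seq != (a + 1) & MASK32 or ack.ack != (b + 1) & MASK32:
        raise ValueError("final ACK does not carry seq A+1 / ack B+1")

    def relative(s):
        # Subtract each side's ISN (mod 2^32) so the connection starts at 0, as Wireshark displays it
        own, peer = (a, b) if s.sport == syn.sport else (b, a)
        return ((s.seq - own) & MASK32, (s.ack - peer) & MASK32 if s.flags & ACK else 0)

    return {
        "client_isn": a, "server_isn": b,
        "relative": [relative(s) for s in (syn, synack, ack)],        # (seq, ack) per segment
        "syn_to_synack_ms": round((synack.ts - syn.ts) * 1000, 3),   # network RTT if captured at the client
        "synack_to_ack_ms": round((ack.ts - synack.ts) * 1000, 3),   # client turnaround, should be near zero
    }

# Constructed capture: client port 49152 -> server port 443; ISNs chosen arbitrarily,
# with B at the top of the 32-bit range so that B+1 wraps around to 0.
A, B = 0x1A2B3C4D, 0xFFFFFFFF
HANDSHAKE = [
    parse_tcp_header(0.0000, build_tcp_header(49152, 443, A, 0, SYN)),
    parse_tcp_header(0.0415, build_tcp_header(443, 49152, B, A + 1, SYN | ACK)),
    parse_tcp_header(0.0416, build_tcp_header(49152, 443, A + 1, (B + 1) & MASK32, ACK)),
]
```

Calling `analyze_handshake(HANDSHAKE)` on the constructed capture reports relative numbers (0,0), (0,1), (1,1) and a 41.5 ms SYN-to-SYN-ACK time; a segment that breaks the A+1 / B+1 rule raises a ValueError naming the failed check.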
Why we care about the TCP Connection
Bottom line: if there are problems in the connection setup, the application will either not respond at all or respond slowly. If there is packet loss at this stage, TCP will take up to 3 seconds to retransmit, delaying the connection. Use the timing of the three-way handshake as a benchmark for network round-trip time when troubleshooting application performance problems.
In the next article we will look into the header flags and define them one at a time. We will discuss when you should see them, and when they may be a symptom of a problem. If you have any questions, comments, answers, or other TCP topics you would like to see, shoot me an email! Thanks for tuning in.