Preface

As a network operations and maintenance engineer, you need to be familiar with TCP and UDP. TCP and UDP are the two generals of the TCP/IP protocol family. Since the birth of TCP/IP, they have gone through decades of development. No matter how the world changes, and whether on the traditional Internet or the mobile Internet, we cannot do without them, now and for a long time to come.

Since this is named 123, I don't want to use too many terms to explain them. I want to explore the ins and outs with you through my actual cases. Let's talk about TCP first.

TCP

TCP stands for Transmission Control Protocol. The web pages that everyone browses every day, whether they are opened on mobile phones or computers, all use the TCP protocol to transmit data. TCP is a connection-oriented protocol (explained later). Let's understand TCP through a small example.

I rented a cloud server to provide web services. After all the configuration was completed, I found that I could not open the web pages on the server from my host, but other web pages could be opened normally.

Before we talk about solving the case, let's first clarify a few concepts about TCP: ports and the three-way handshake.

Port: To put it bluntly, when we access a web page, we are actually accessing an application running on the server, and to communicate with that application we need to use a port. For example, the HTTP protocol used to open a web page uses port 80 by default, and HTTPS (the encrypted version of HTTP) uses port 443 by default.

Three-way handshake: TCP is a connection-oriented protocol. For example, to open a web page, you need to establish a connection with the web server first. The process of establishing this connection is called a three-way handshake.
Three-way handshake

I used packet capture software (Wireshark on Windows and tcpdump on Linux) to obtain the three messages. Let's analyze them in detail.
With the concepts understood, we start to deal with the problem. First, we need to determine whether there is a problem with the communication between me and the server. The easiest way is to test with the ping command against the server IP, which shows that the communication between me and the server is OK. Then on the server (CentOS 7), use the netstat -na command to check whether port 80 (the standard port for web services) is open, and find that there is no problem.

The network is connected and the application service is normal, but the server's web page cannot be opened. Use Wireshark to view the communication process and confirm which step has the problem.

Problem message

Don't be scared by the English in the picture. We only need to focus on a few places to locate the problem. Let's do it step by step.

As mentioned earlier, HTTP uses the TCP protocol to transmit data. The TCP protocol requires that any party that wants to communicate with the other party must first establish a connection, which is the three-way handshake. In the above figure, if you look carefully, only the host (192.168.88.127) sent a message with the SYN flag to the 140 server, but did not receive a message returned by the server. Because the host did not receive a return message from the server, it automatically triggered the retransmission mechanism and sent several more messages with the SYN flag in succession. Each of these is a request to establish a connection, but it was like throwing meat buns at a dog - there was no return.

One possibility is that there was a problem with the server application and it did not respond. Another possibility is that the server did not receive the connection establishment message sent by the host at all. Because we have confirmed that the server application status is normal, we will focus on whether the server is receiving the message. Capture packets on both the server and host sides to see if we can capture messages from the host on the server.
By capturing packets, we found that when the host sent a connection request, the server did not capture any message from the host 192.168.88.127 accessing the server's port 80. This means the three-way handshake could not be completed, let alone data transmission. Because the host could ping the server earlier, the network itself is unobstructed. In this case, it is likely that a firewall policy is blocking the message, so check the host firewall policy immediately.
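The two-sided capture comparison described above, written as an added example (not code from the original article): it parses tcpdump-style text from both capture points and reports where the handshake stops. The capture lines are constructed, 203.0.113.10 is a placeholder for the server address, and the function names are hypothetical.

```python
import re

# tcpdump -nn line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([A-Z.]+)\]")

# Constructed sample captures. 192.168.88.127 is the host from the article;
# 203.0.113.10 is a placeholder (documentation range) for the server address.
CLIENT = """\
10:00:00.000000 IP 192.168.88.127.51514 > 203.0.113.10.80: Flags [S], seq 1000, win 64240, length 0
10:00:01.000000 IP 192.168.88.127.51514 > 203.0.113.10.80: Flags [S], seq 1000, win 64240, length 0
10:00:03.000000 IP 192.168.88.127.51514 > 203.0.113.10.80: Flags [S], seq 1000, win 64240, length 0
"""
SERVER = ""  # constructed: no packet for port 80 reached the server interface

def handshake_stats(capture, port):
    """Return (SYNs sent to port, SYN-ACKs from port, RSTs from port)."""
    syn = synack = rst = 0
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        sport, dport, flags = int(m.group(2)), int(m.group(4)), m.group(5)
        if flags == "S" and dport == port:
            syn += 1          # connection request (first handshake step)
        elif flags == "S." and sport == port:
            synack += 1       # server's answer (second handshake step)
        elif "R" in flags and sport == port:
            rst += 1          # reset: nothing is listening on the port
    return syn, synack, rst

def diagnose(client_capture, server_capture, port=80):
    """Compare both capture points and say where the handshake stops."""
    c_syn, c_synack, c_rst = handshake_stats(client_capture, port)
    # Match on destination port only: with NAT in the path the server sees a
    # different source address than the client's own.
    s_syn, s_synack, _ = handshake_stats(server_capture, port)
    if c_syn == 0:
        return "client sent no SYN"
    if c_synack:
        return "handshake answered: problem is above TCP"
    if c_rst:
        return "connection refused: nothing listening on the port"
    if s_syn == 0:
        return "SYN never reached the server: filtered upstream"
    if s_synack == 0:
        return "server saw SYN but sent no SYN-ACK: check local firewall or service"
    return "SYN-ACK sent but lost on the return path"

print(diagnose(CLIENT, SERVER))
```

The "filtered upstream" result corresponds to the situation in this case: repeated SYNs on the host, nothing for port 80 on the server.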
Firewall Status

Check firewall status

The firewall's Active status showed inactive, indicating that the firewall was not enabled. So what blocked the message?

In the end, it was still a firewall policy. The firewall security policy provided by the cloud server provider blocked external access requests to port 80 by default. After modifying the policy to allow access to port 80, a connection was finally established with the server (three-way handshake) and the web page opened normally.

TCP is one of the most important protocols in the TCP/IP protocol family. Understanding its operating mechanism is of great help in improving the efficiency of operation and maintenance. This short article is just to make the concept of TCP and its importance clear to everyone. The road to learning is long, and we have just started.