I thought it'd be fun for us to take a look, using Wireshark, at the actual three-way handshake in process by TCP. And so to do that, here I've got a computer with some packet captures. We'll open that up, and let's open up a packet capture that includes some HTTP traffic. And we'll focus here on packet number one. And even before we start expanding the details of the transport layer right here, take a look over here in the Info column. Here it's actually showing us the initial packet is a synchronization request. Then it's showing us that there is a SYN-ACK, that's a response back, which includes the acknowledgment of the previous SYN request and a SYN request of its own. And then the third element, which is the final acknowledgment. So this is a perfect overview of a three-way handshake. We have a synchronization request, we have a SYN-ACK, and then a final ACK. So let's focus on the very first segment in our TCP three-way handshake. And we'll expand the TCP information here. We'll also expand the flags.

So as part of the TCP information in this segment, it has the source port where it's coming from, the destination well-known port of 80, and it's also showing us a relative sequence number. And it's currently set to a relative sequence number of 0 because this is our first message in the three-way handshake. But you know what I'd like to do? Let's do this. Let's right-click, and I'm going to go in here in Wireshark to Protocol Preferences, and let's go ahead and I want to turn off the relative sequence numbers. That way, we can see the actual real numbers and not just the relationship to where they are in the three-way handshake. So we'll go ahead and take off relative sequence numbers. Then we can see the full numbers. So a few things we can notice. In the flags in this TCP header, that little bit representing the synchronization flag is set to on. And that's how the receiving side, which receives this segment of data, realizes that it's a SYN request. Also as part of this TCP header information, we have a sequence number, which is 951,057,939.

And at the moment, there is no acknowledgment number, because this is the first of our three-way handshake. So I've got a question for you: if this is the initial sequence number that's being offered, if the other side sends an acknowledgment, what would the acknowledgment number be? And you're saying, "Keith, I got this. The acknowledgment number is going to be the sequence number plus 1 during the three-way handshake." And that would be absolutely correct. So in the next packet, for the acknowledgment, we would expect to see these last three numbers as 940, with all the previous numbers being the same. So let's take a look at the next segment, which is the response, and that's right here in entry number two. So with that selected and the TCP information expanded, the source port is 80. It's coming from the server, going to the destination port of 3372; that's the one the client used initially when it started the three-way handshake, as far as a port number. And now let's take a look at the acknowledgment number. Look at this. As we look at that number, that's the initial sequence number from the other computer plus 1.

So it's 951,057,940. The sequence number sent from the other side ended in 939, so we're upping it by one to 940 during the three-way handshake. And we'll also notice that the acknowledgment bit is on, which indicates that this segment of data includes an acknowledgment. And there's the acknowledgment number. The other item that's also very important about the second message in our three-way handshake is that the server wants to synchronize with the other side as well. So what the server is doing: the server has also set the synchronization bit to on, indicating, hey, there's a synchronization request here. And the server is also including its own sequence number, which in this capture is 290,218,379. So the question I have for you, once again, is, if the other side sends an acknowledgment, what would the acknowledgment be coming back from the other side? And now, having looked at it a few times, you might say, well, during the three-way handshake we're going to take the sequence number, and the acknowledgment number is going to be that sequence number plus 1.

And you'd be absolutely right, and we don't have to go too far to verify that. Let's go down to our third message here. In this header, there is a bit in the on position regarding acknowledgment, indicating that this TCP information includes an acknowledgment. And if you take a look at the acknowledgment number, it is this one right here, which is 290,218,380, which is perfect, because the sequence number we got from the other side was 379. So by incrementing the other side's by one and sending it back during this three-way handshake, the other side, the server in this case, is going to know, great, my sequence numbers are now synchronized with the other party. And now, going forward, they can use acknowledgments and sequence numbers to verify that all the data was successfully delivered in either direction by using the connection-oriented features, including three-way handshakes and sequence numbers and acknowledgments, courtesy of the TCP transport protocol. I hope this has been informative for you, and I'd like to thank you for viewing.
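The SYN / SYN-ACK / ACK exchange walked through above, checked programmatically, as an added example that is not part of the video or its capture. The three raw segments are constructed here from the values read off the screen in the video (client port 3372 to server port 80, client ISN 951,057,939, server ISN 290,218,379); the window, checksum and other header fields are made-up filler, and there are no options. The validator applies the rule the video demonstrates, that each side's acknowledgment number is the peer's initial sequence number plus one, and also handles the 32-bit wrap-around that the single capture in the video cannot show; the `relative_numbers` helper reproduces what Wireshark's "relative sequence numbers" preference does to the same fields.

```python
"""Parse three raw TCP headers and validate them as a three-way handshake.

Added example, not the video's own code. The handshake bytes below are
constructed from the numbers shown in the capture; everything else in the
headers (window, checksum, urgent pointer) is filler.
"""
import struct
from dataclasses import dataclass

# TCP flag bits in the low byte of the 16-bit data-offset/flags field.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SEQ_MOD = 2 ** 32  # sequence and acknowledgment numbers are 32-bit and wrap


@dataclass
class TcpHeader:
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    window: int


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Pack a minimal 20-byte TCP header: data offset 5 words, no options, checksum zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)


def parse_tcp_header(data: bytes) -> TcpHeader:
    """Decode the fixed 20-byte part of a TCP header; options and payload are ignored."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flags, window, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", data[:20])
    if (off_res >> 4) * 4 > len(data):
        raise ValueError("data offset points past the end of the segment")
    return TcpHeader(sport, dport, seq, ack, flags, window)


def validate_handshake(segments):
    """Check that three raw segments are SYN, SYN-ACK, ACK with consistent ports and
    that each acknowledgment equals the peer's ISN + 1. Returns (client_isn, server_isn)."""
    if len(segments) != 3:
        raise ValueError("a three-way handshake is exactly three segments")
    syn, synack, ack = (parse_tcp_header(s) for s in segments)
    mask = SYN | ACK | RST  # an RST anywhere means no connection was set up
    if syn.flags & mask != SYN:
        raise ValueError("segment 1 must carry SYN without ACK or RST")
    if synack.flags & mask != SYN | ACK:
        raise ValueError("segment 2 must carry both SYN and ACK")
    if ack.flags & mask != ACK:
        raise ValueError("segment 3 must carry ACK with SYN clear")
    if (synack.sport, synack.dport) != (syn.dport, syn.sport):
        raise ValueError("SYN-ACK ports are not the mirror image of the SYN's ports")
    if (ack.sport, ack.dport) != (syn.sport, syn.dport):
        raise ValueError("final ACK ports differ from the SYN's ports")
    # The SYN flag itself consumes one sequence number, so the peer acknowledges ISN + 1.
    if synack.ack != (syn.seq + 1) % SEQ_MOD:
        raise ValueError(f"SYN-ACK acknowledges {synack.ack}, expected {(syn.seq + 1) % SEQ_MOD}")
    if ack.ack != (synack.seq + 1) % SEQ_MOD:
        raise ValueError(f"final ACK acknowledges {ack.ack}, expected {(synack.seq + 1) % SEQ_MOD}")
    if ack.seq != (syn.seq + 1) % SEQ_MOD:
        raise ValueError("client sequence number did not advance past its own SYN")
    return syn.seq, synack.seq


def relative_numbers(header, client_isn, server_isn, client_port):
    """Mimic Wireshark's relative sequence numbers: subtract the sender's ISN from seq
    and the receiver's ISN from ack. A segment without ACK set has no valid ack (0)."""
    from_client = header.sport == client_port
    own_isn, peer_isn = (client_isn, server_isn) if from_client else (server_isn, client_isn)
    rel_seq = (header.seq - own_isn) % SEQ_MOD
    rel_ack = (header.ack - peer_isn) % SEQ_MOD if header.flags & ACK else 0
    return rel_seq, rel_ack


# Constructed handshake using the ports and ISNs read off the capture in the video.
CLIENT_PORT, SERVER_PORT = 3372, 80
CLIENT_ISN, SERVER_ISN = 951_057_939, 290_218_379
HANDSHAKE = [
    build_tcp_header(CLIENT_PORT, SERVER_PORT, CLIENT_ISN, 0, SYN),
    build_tcp_header(SERVER_PORT, CLIENT_PORT, SERVER_ISN, CLIENT_ISN + 1, SYN | ACK),
    build_tcp_header(CLIENT_PORT, SERVER_PORT, CLIENT_ISN + 1, SERVER_ISN + 1, ACK),
]

if __name__ == "__main__":
    c_isn, s_isn = validate_handshake(HANDSHAKE)
    for n, seg in enumerate(HANDSHAKE, 1):
        h = parse_tcp_header(seg)
        print(n, f"{h.sport} -> {h.dport}", "seq", h.seq, "ack", h.ack,
              "relative", relative_numbers(h, c_isn, s_isn, CLIENT_PORT))
```

Running the block prints the three segments with absolute numbers (939, 940, 379, 380 as in the video) alongside the relative 0/0, 0/1, 1/1 that Wireshark shows by default. Feeding it a SYN-ACK whose acknowledgment is the client's ISN rather than ISN + 1 raises a `ValueError`, which is the same mismatch a client's stack would use to reject a SYN-ACK that does not belong to its SYN.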