Skip to content

TCP: A Closer Look

TCP, as a fundamental protocol, offers options and mechanisms that enhance its functionality across diverse network environments. Understanding these options is crucial for network engineers, security professionals, and system administrators. This primer delves into the key TCP options, such as Maximum Segment Size (MSS), Window Scaling, and Selective Acknowledgments (SACK), as well as essential TCP features like retransmissions, congestion control, and TCP flags. Additionally, it explores the intricacies of TCP window size analysis, padding practices in TCP/UDP, and the implications of TCP options on network performance and security.

tcp-chacho

Common TCP Options

TCP provides several options that enhance its functionality and allow for fine-tuning in various network environments. Understanding these options is crucial for optimizing performance and ensuring robust communication.

1. Maximum Segment Size (MSS)

The Maximum Segment Size (MSS) specifies the maximum segment size that a device is willing to accept, which directly impacts the efficiency of data transfer. MSS values typically vary based on the underlying network's Maximum Transmission Unit (MTU):

What might they tell us?

  • A small MSS (<1400 bytes) often indicates tunneling or VPNs due to encapsulation overhead.
  • A standard MSS (~1460 bytes) suggests a typical Ethernet network without additional encapsulation.
  • A larger MSS (>1460 bytes) points to networks using jumbo frames, commonly seen in high-performance environments.

Filter: MSS Size Variations

tcp.options.mss_val < 1400 or tcp.options.mss_val > 1460

Captures from VMs can cause MSS values from the SYN, ACK to not be honored resulting in larger packets.

To learn more about why this happens, see this post.

2. Window Scale Option

To handle larger amounts of data in high-bandwidth, high-latency networks, the TCP Window Scale option allows TCP to support a larger window size than the default 65,535 bytes. This is crucial for optimizing performance over WAN links.

Filter: Window Scale Option

tcp.options.wscale

Identify TCP connections using the Window Scale option to assess performance in high-bandwidth, high-latency networks.

3. Selective Acknowledgment (SACK)

Selective Acknowledgment (SACK) enables the receiver to acknowledge non-contiguous blocks of data. This option improves performance by reducing the number of retransmissions required when packets are lost, especially in environments with high packet loss.

Filter: Selective Acknowledgment (SACK) Usage

tcp.options.sack_perm or tcp.sack

4. Timestamps

TCP Timestamps are used for round-trip time measurement and protection against wrapped sequence numbers. They enhance TCP performance over high-speed links by providing more accurate timing information.

5. TCP Fast Open (TFO)

TCP Fast Open (TFO) allows data to be sent during the initial SYN packet, reducing latency when opening new connections. This can significantly speed up connection establishment, particularly in web applications.

6. TCP Keepalive

TCP Keepalive is a feature used to check if a connection is still active. It sends small packets periodically to confirm that the connection remains valid, preventing the disconnection of idle connections. This is particularly useful for maintaining long-lived connections in environments with stateful firewalls.

Filter: TCP Keepalive

tcp.flags.ack == 1 and tcp.len == 0

7. TCP Retransmission and Congestion Control

TCP's retransmission mechanism ensures that lost packets are resent, while congestion control algorithms adjust the rate of data transmission based on network conditions. This includes key algorithms like:

  • Slow Start: An initial phase where TCP increases the transmission rate exponentially until packet loss is detected.
  • Congestion Avoidance: After reaching a certain threshold, TCP reduces the transmission rate to avoid congestion.
  • Fast Retransmit: Quickly retransmits lost packets based on duplicate ACKs, improving recovery time.

Filter: TCP Retransmissions

tcp.analysis.retransmission

8. TCP No Delay (Nagle's Algorithm)

Nagle's Algorithm reduces the number of small packets sent over the network by combining a series of small messages into a single packet. Disabling Nagle’s Algorithm (using the TCP_NODELAY option) can reduce latency in interactive applications like online gaming or VoIP, while enabling it can improve network efficiency.

Filter: Nagle's Algorithm (TCP No Delay)

tcp.flags.push == 1
Analyze packets where Nagle's Algorithm is disabled, typically seen in latency-sensitive applications.

9. TCP/IP Offload Options (TSO, LRO)

Modern network interfaces support offloading TCP/IP processing tasks to the hardware, improving performance. Key offload options include:

  • TCP Segmentation Offload (TSO): Offloads the task of segmenting large blocks of data into TCP packets to the network interface card (NIC).
  • Large Receive Offload (LRO): Combines multiple incoming packets into a single large packet before passing it to the operating system, reducing CPU overhead.

Filter: TCP/IP Offload Options

tcp.analysis.tcp_offload

10. Explicit Congestion Notification (ECN)

Explicit Congestion Notification (ECN) allows end-to-end notification of network congestion without dropping packets. If both endpoints and the network support ECN, it can lead to more efficient congestion handling, particularly in high-bandwidth environments.

Filter: Explicit Congestion Notification (ECN)

tcp.flags.ecn

TCP Flags and Sequences

TCP flags and sequences are fundamental to the protocol, governing how connections are established, maintained, and terminated. Understanding these flags is essential for diagnosing network issues and ensuring secure communication.

Common TCP Flag Combinations

1. SYN

Initiates a TCP connection. It's the first packet in the three-way handshake and is seen at the start of every TCP connection.

2. SYN + ACK

Acknowledges the SYN from the client while sending a SYN to the client, part of the three-way handshake. This combination is essential for establishing a connection.

3. ACK

Acknowledges the receipt of data. This flag is seen throughout the data transfer process and is the most common flag in TCP communications.

4. FIN + ACK

Gracefully closes a TCP connection, with each side sending a FIN and receiving an ACK. This sequence is seen at the end of TCP connections.

5. PSH + ACK

Pushes buffered data to the receiving application immediately, often seen in interactive sessions like Telnet or SSH.

6. RST

Abruptly closes a TCP connection. This flag can be sent if a connection is attempted on a port where no service is listening or to reset a misbehaving connection.

Typical TCP Packet Sequences and Red Flags

Understanding typical TCP packet sequences and identifying potential red flags are crucial for maintaining network security and performance.

1. Standard Three-Way Handshake

  • SYNSYN + ACKACK
    This sequence is typical and should be seen at the start of any TCP connection.

2. Data Transfer

  • PSH + ACK: Data transfer begins after the handshake, with PSH + ACK packets indicating that data is being pushed and acknowledged.
    Typical sequences might look like:
    PSH + ACKPSH + ACKACK → (repeat as data is exchanged).

3. Graceful Connection Termination

  • FIN + ACKACKFIN + ACKACK
    This four-packet exchange is typical when both sides agree to close the connection properly.

When the Sequence of Packets Might Be a Red Flag

1. Out-of-Order Packets in the Handshake

  • Example: SYNSYNSYN + ACKRST
    Multiple SYNs without progressing to SYN + ACK could indicate a SYN flood attack. An unexpected RST after a SYN + ACK might indicate an attempt to prematurely tear down a connection.
Filter: Out-of-Order TCP Packets
tcp.analysis.out_of_order

2. Missing Packets in the Data Transfer Phase

  • Example: SYNSYN + ACKACKPSH + ACKPSH + ACKFIN + ACK
    A FIN + ACK immediately after a few PSH + ACK packets could suggest an unexpected connection termination, possibly due to a crash, attack, or abnormal behavior.

3. FIN Packet Without Data Transfer

  • Example: SYNSYN + ACKACKFIN + ACK
    A FIN + ACK right after the handshake without data exchange might indicate a reconnaissance attempt or half-open connection, which could be part of a port scan.

4. Repeated or Unexpected RST Packets

  • Example: SYNSYN + ACKACKRST
    An RST immediately after the handshake might indicate an attempt to reset the connection maliciously.

5. Multiple FIN + ACK Packets Without Proper ACK

  • Example: FIN + ACKFIN + ACKFIN + ACK
    Multiple FIN + ACK packets without corresponding ACKs could suggest an attempt to keep the connection open artificially, possibly as part of a resource exhaustion attack.

6. PSH + ACK Followed by a FIN or RST Too Quickly

  • Example: PSH + ACKPSH + ACKRST
    A sudden RST after a few PSH + ACK packets could signal an abrupt termination, possibly due to an attack or a crash.

TCP Window Size Analysis

TCP window size analysis provides insights into the flow of data between sender and receiver, helping to diagnose performance issues and detect abnormal behavior.

Understanding TCP Window Size

The TCP window size represents the amount of data that a receiver is willing to accept at one time. Consistent window sizes are typical, while erratic changes can signal potential problems.

1. Normal TCP Window Behavior

  • Steady Window Size: In stable network conditions, the window size may remain relatively steady, allowing the sender to transmit data continuously without frequent pauses.
  • Gradual Decrease: The window size might decrease gradually as the receiver's buffer fills up and then increase again after the receiver processes the data and frees up space.

2. Erratic Window Size Changes

  • Sudden Drops: If the window size drops suddenly from a large value to a very small one, it may indicate that the receiver's buffer has filled up unexpectedly, possibly due to a sudden spike in data processing demands or a bottleneck.
  • Frequent Fluctuations: If the window size fluctuates up and down frequently and without clear correlation to the data flow, it could suggest underlying network issues, such as congestion, or problems at the receiver, such as CPU or memory constraints.
  • Zero Window: A zero window size indicates that the receiver is currently unable to accept any more data, effectively pausing the data transfer until the window size is increased again. If this happens frequently or for extended periods, it may point to serious resource constraints on the receiver.
Filter: Zero Window Size

tcp.window_size == 0
Identify instances where the receiver cannot accept more data, indicating potential performance issues or resource constraints.

Causes of Erratic Window Size Changes

1. Receiver-Side Issues

  • Buffer Overflow: The receiver's buffer may overflow if it's unable to process incoming data fast enough, causing the window size to decrease suddenly. This could be due to high CPU usage, insufficient memory, or a poorly optimized application.
  • Application Latency: If the application reading the data from the TCP stack is slow or experiences latency, the buffer might fill up faster than it can be emptied, leading to erratic window sizes.

2. Network Congestion

  • Congested Links: Network congestion can cause packet delays or loss, which might lead to the receiver advertising a smaller window size as it struggles to process incoming data in a timely manner.
  • Delayed Acknowledgments: If acknowledgments are delayed due to network issues, the sender might overestimate the receiver's ability to handle more data, leading to sudden adjustments in the window size.

3. Middleboxes or Network Devices

  • Firewalls/Load Balancers: Middleboxes like firewalls, load balancers, or NAT devices might alter or interfere with TCP traffic, leading to unexpected changes in window sizes. Some devices may buffer or delay packets, causing the receiver's buffer to fill up unexpectedly.
  • Traffic Shaping: Some network devices implement traffic shaping or rate-limiting, which can cause variations in the perceived available bandwidth, indirectly affecting the window size.

4. Security Considerations

  • TCP Window Manipulation Attacks: Attackers might intentionally manipulate window sizes to disrupt communication or degrade performance. For example, a TCP window size manipulation attack might involve sending spoofed TCP segments with altered window sizes to confuse the sender and disrupt normal data flow.
  • Man-in-the-Middle (MitM) Attacks: In a MitM attack, an attacker might intercept and modify TCP packets, including the window size, causing erratic behavior in the communication flow.

Example of Erratic Window Size in Packet Analysis

Imagine you're analyzing a TCP session, and you observe the following pattern:

  1. Packet 1: Source port 5000 → Destination port 80, Window Size: 65,535 (normal, full window).
  2. Packet 2: Source port 5000 → Destination port 80, Window Size: 32,768 (sudden drop to half capacity).
  3. Packet 3: Source port 5000 → Destination port 80, Window Size: 65,535 (back to full size).

This inconsistent change could indicate issues such as:

  • Receiver Buffering: The receiver might be struggling to process incoming data fast enough, leading to fluctuating window sizes.
  • Network Congestion: The window size might change due to congestion control mechanisms.

Diagnosing and Responding to Erratic Window Sizes

1. Monitoring and Logging

Set up network monitoring tools to log window size changes and alert on significant or unusual patterns.

2. Receiver Performance

Check the performance metrics of the receiver, such as CPU usage, memory consumption, and application logs, to identify any resource constraints or bottlenecks.

3. Network Analysis

Investigate potential congestion points, analyze packet loss, and review the configuration of network devices like firewalls or load balancers that might be affecting traffic.

4. Security Audits

Consider conducting a security audit to check for potential attacks or misconfigurations that could lead to TCP window manipulation.

Padding in TCP and UDP

Padding is used in various protocols to meet alignment requirements, ensure consistent packet sizes, and obscure the true nature of the traffic. Understanding when and why padding is used can provide insights into network behavior and potential security risks.

Common Protocols and Padding Practices

1. Protocols That Use Padding

  • IPsec: Often pads packets to align with block sizes required by encryption algorithms.
  • SSL/TLS: Pads to maintain consistent block sizes for encryption, making traffic analysis more difficult.
  • Ethernet (IEEE 802.3): Requires frames to be at least 64 bytes long, so padding is added to shorter packets.

2. Protocols That Typically Do Not Use Padding

  • HTTP/HTTPS: Usually, there is no padding unless it's part of an underlying encrypted protocol like TLS.
  • FTP: Does not pad data, as file transfer sizes are typically large and do not need alignment.
  • SMTP: Similar to FTP, it does not require padding, as emails can vary greatly in size.

Is Padding Used in UDP?

UDP (User Datagram Protocol) typically does not include padding in the traditional sense that TCP might use. However, padding can occur in UDP packets in certain circumstances:

1. Protocol-Specific Requirements

Some higher-level protocols that use UDP may require padding for alignment purposes, especially if the underlying data structure requires specific byte alignment (e.g., some custom protocols or encrypted data streams).

2. Security Considerations

Padding might be used in UDP-based protocols to obscure the true length of the payload, particularly in encrypted communications. For example, some VPN protocols or tunneling methods that rely on UDP might add padding to ensure consistent packet sizes, making traffic analysis more difficult.

3. Network Device Requirements

Occasionally, padding might be added by network devices or interfaces to meet minimum frame sizes required by the hardware (e.g., Ethernet frames).

Padding as a Potential Indicator of Obfuscation

Padding is typically added to meet alignment requirements, encrypt data, or ensure consistent packet sizes. However, when padding appears unexpectedly or in unusual amounts, it may indicate an attempt to obscure the nature of the traffic:

1. Padding in TCP Packets

  • Expected Use: TCP segments generally do not require padding unless used with encryption protocols like SSL/TLS. In these cases, padding ensures the encrypted blocks align with the cipher's block size.
  • Unusual Example: If you see TCP segments with excessive padding in what should be standard HTTP traffic (plain text), this could indicate an attempt to hide the actual content, possibly suggesting the use of non-standard encryption or obfuscation tools.
Filter: TCP Padding
tcp.padding

2. Padding in UDP Packets

  • Expected Use: UDP typically does not use padding, but some protocols (like IPsec over UDP, certain VPNs, or custom applications) might add padding.
  • Unusual Example: Detecting a UDP stream where all packets are exactly the same size, even though the application or protocol typically varies in payload size, could indicate obfuscation.

3. Excessive Padding in Encrypted Traffic

  • Expected Use: Encrypted traffic often uses padding to fit data into the block size required by the encryption algorithm (e.g., AES in CBC mode).
  • Unusual Example: If the padding is disproportionate to the payload size, this might suggest an attempt to obscure the actual size of the data being transmitted.

4. Padding in Network Tunnels

  • Expected Use: Network tunneling protocols might use padding to align packets with the MTU of the underlying network.
  • Unusual Example: If you observe tunneled traffic with significant amounts of padding, especially where the padding is inconsistent or unnecessary, this might indicate an attempt to hide something, such as covert communication or unauthorized data.

5. Padding for Avoiding IDS/IPS Detection

  • Expected Use: Attackers might pad packets to alter their signature and avoid detection by IDS/IPS systems.
  • Unusual Example: Padding is added to packets to alter byte patterns so they no longer match known signatures used by IDS/IPS systems.

Summary of Indicators of Obfuscation via Padding

  • Uniformly Sized Packets: When you see traffic with all packets padded to the same size regardless of the payload, it could indicate obfuscation attempts.
  • Inconsistent Padding: If padding is applied inconsistently within the same session or application flow, it might be an attempt to confuse security mechanisms or hide the true nature of the traffic.
  • Padding in Unexpected Protocols: Padding appearing in protocols that don’t typically require it (e.g., simple UDP-based applications) can be a red flag for obfuscation.

Packet Anonymizer Tools

WireEdit - Mac and Windows (paid)

Packet Builder - Windows

TraceWrangler - Windows