Chapter 11
Transmission Control Protocol (TCP) Connections

In this chapter:
  The TCP Connection ............................ 223
  TCP Connection Establishment .................. 224
  TCP Half-Open Connections ..................... 230
  TCP Connection Maintenance .................... 232
  TCP Connection Termination .................... 234
  TCP Connection Reset .......................... 238
  TCP Connection States ......................... 240
  Summary ....................................... 243

TCP is a connection-based protocol. Before data can flow on a TCP connection, the connection must be formally established through a handshake process. To gracefully stop the flow of data on a TCP connection and release the resources of the connection, it must be terminated through a similar handshake process. This chapter describes the details of TCP connection establishment and termination and the states of a TCP connection.

The TCP Connection

A TCP connection is a bidirectional, full-duplex logical circuit between two processes (Application Layer protocols) in an IP internetwork. The TCP connection's endpoints are identified by an [IP address, TCP port] pair. The connection is uniquely identified by both endpoints: [IP address 1, TCP port 1, IP address 2, TCP port 2]. TCP uses those four numbers to demultiplex the data portion of the TCP segment to the proper Application Layer process.
A TCP connection can be visualized as a bidirectional data pipe containing two logical pipes between the two TCP peers, as Figure 11-1 illustrates. One logical pipe is used for outbound data and the other logical pipe is used for inbound data (relative to the TCP peer). The outbound data pipe for one TCP peer is the inbound data pipe for the other TCP peer.

Figure 11-1 A TCP connection showing both inbound and outbound logical pipes

TCP connections are:
■ Established through a handshake process in which both TCP peers agree to create a TCP connection.
■ Optionally maintained through a periodic keepalive process that ensures that both TCP peers are active on the connection.
■ Terminated through a handshake process in which both TCP peers agree to close the TCP connection.

TCP connections can also be reset by either TCP peer.

TCP Connection Establishment

To create a TCP connection over which full-duplex data can begin to flow, each TCP peer must obtain the following information from the other TCP peer:
■ The starting sequence number for data sent on the inbound pipe
■ The maximum amount of data that can be sent on the outbound pipe before waiting for an acknowledgment (the receive window size of the other TCP peer)
■ The maximum segment size (MSS) that can be received
■ The TCP options that are supported

This information is learned through an exchange of three TCP segments called the TCP connection establishment process, or the TCP three-way handshake.

To create a TCP connection, a listening TCP peer must allow a TCP connection, and an initiating TCP peer must initiate a TCP connection. The listening TCP peer issues a passive OPEN function call to permit incoming connection requests on a specific port number. This function call does not create any TCP traffic. The initiating TCP peer issues an active OPEN function call, which creates and sends the first segment of the TCP three-way handshake.
Figure 11-2 displays the TCP connection establishment process, showing the three TCP segments that are exchanged and the information in the TCP header that is vital to the connection establishment. Prior to segment 1, TCP Peer 2 issued a passive OPEN to receive TCP connection requests. TCP Peer 1 issues an active OPEN and creates segment 1. Segments 2 and 3 complete the connection establishment process. The vertical arrows show the passage of time during the connection establishment process.

Figure 11-2 The TCP connection establishment process, showing the exchange of three TCP segments

Segment 1: The Synchronize (SYN) Segment

TCP Peer 1 sends the first TCP segment, known as the SYN segment, to TCP Peer 2. The SYN segment establishes TCP connection parameters, such as the Initial Sequence Number (ISN) that TCP Peer 1 uses. The SYN segment as sent by a computer running Windows Server 2008 or Windows Vista contains the following fields in the TCP header:
■ Destination Port  Set to the TCP port number of the passive OPEN on TCP Peer 2. For typical TCP connections, the destination port in the SYN segment is a well-known TCP port in the range of 1 to 1023.
■ Source Port  Set to the local TCP port number of the active OPEN on TCP Peer 1. For typical TCP connections, the source port is a dynamically allocated port.
■ Sequence Number  Set to the ISN for data to be sent by TCP Peer 1 for the outbound data pipe (ISN1 in Figure 11-2). A TCP peer running Windows Server 2008 or Windows Vista chooses the ISN based on a startup-derived, 2048-bit random key and an RC4-based random number to reduce the predictability of the next TCP connection's ISN.
■ Acknowledgment Number  Set to 0. Because the Acknowledgment (ACK) flag is not set, the Acknowledgment Number field is not significant.
Only after a TCP peer learns the sequence number for inbound data on the connection can the ACK flag be set and the Acknowledgment Number field set to the appropriate value.
■ SYN Flag  Indicates that the segment contains the ISN for data sent by TCP Peer 1.
■ Window  Set to an application-specified value or an operating system default value, indicating an initial value for the maximum amount of data that TCP Peer 1 can receive.
■ MSS in the MSS TCP Option  Set to the maximum-sized TCP segment that TCP Peer 1 can receive.
■ Window scaling factor in the TCP Window Scale TCP Option  Included to indicate that TCP Peer 1's advertised window size has a specified scaling factor.
■ Selective Acknowledgment (SACK)-Permitted TCP Option  Included to indicate that TCP Peer 1 can receive and interpret the SACK option included in TCP segments that TCP Peer 2 sends.

[Figure 11-2 content: (1) SYN, Seq=ISN1, Ack=0, Window=default, with MSS, TCP Window Scale, and SACK-Permitted options; (2) SYN-ACK, Seq=ISN2, Ack=ISN1+1, Window=default, with MSS, TCP Window Scale, and SACK-Permitted options; (3) ACK, Seq=ISN1+1, Ack=ISN2+1, Window=default. ISN1 = Initial Sequence Number for TCP Peer 1; ISN2 = Initial Sequence Number for TCP Peer 2.]
The following Network Monitor 3.1 trace (Frame 1 of Capture 11-01, included in the \Captures folder on the companion CD-ROM) shows a SYN segment for a Hypertext Transfer Protocol (HTTP) session:

  Frame:
  + Ethernet: Etype = Internet IP (IPv4)
  + Ipv4: Next Protocol = TCP, Packet ID = 5779, Total IP Length = 52
  - Tcp: Flags=.S, SrcPort=49160, DstPort=HTTP(80), Len=0, Seq=1173532065, Ack=0, Win=8192 (scale factor not found)
      SrcPort: 49160
      DstPort: HTTP(80)
      SequenceNumber: 1173532065 (0x45F2ADA1)
      AcknowledgementNumber: 0 (0x0)
    + DataOffset: 128 (0x80)
    - Flags: .S
        CWR:    (0.......) CWR not significant
        ECE:    (.0......) ECN-Echo not significant
        Urgent: (..0.....) Not Urgent Data
        Ack:    (...0....) Acknowledgement field not significant
        Push:   (....0...) No Push Function
        Reset:  (.....0..) No Reset
        Syn:    (......1.) Synchronize sequence numbers
        Fin:    (.......0) Not End of data
      Window: 8192 (scale factor not found)
      Checksum: 34599 (0x8727)
      UrgentPointer: 0 (0x0)
    - TCPOptions:
      - MaxSegmentSize:
          type: Maximum Segment Size. 2(0x2)
          OptionLength: 4 (0x4)
          MaxSegmentSize: 1460 (0x5B4)
      + NoOption:
      - WindowsScaleFactor:
          type: Window scale factor. 3(0x3)
          Length: 3 (0x3)
          ShiftCount: 2 (0x2)
      + NoOption:
      + NoOption:
      + SACKPermitted:
          type: SACK permitted. 4(0x4)
          OptionLength: 2 (0x2)

Segment 2: The SYN-ACK Segment

After receipt of the SYN segment, TCP Peer 2 sends the second TCP segment, known as the SYN-ACK segment, to TCP Peer 1. The SYN-ACK segment establishes TCP connection parameters that TCP Peer 2 uses, such as the ISN, and acknowledges TCP connection parameters used by TCP Peer 1. The SYN-ACK segment as sent by a computer running Windows Server 2008 or Windows Vista contains the following fields in the TCP header:
■ Destination Port  Set to the Source Port of the SYN segment.
■ Source Port  Set to the local TCP port number of the passive OPEN on TCP Peer 2 as indicated by the Destination Port number of the SYN segment.
■ Sequence Number  Set to the ISN for data to be sent by TCP Peer 2 for the outbound data pipe (ISN2 in Figure 11-2).
■ Acknowledgment Number  Set to the value of TCP Peer 1's ISN plus 1 (ISN1 + 1). To provide acknowledgment of the receipt of the SYN segment, TCP acts as if the SYN flag occupies a single byte of the sequence space of Peer 1. The acknowledgment number is the next byte in the byte stream that TCP Peer 2 expects to receive. If the SYN flag acts as a single byte of nondata, the next byte that TCP Peer 2 expects to receive is actual data, and must therefore begin with ISN1 + 1.
■ SYN Flag  Indicates that the segment contains the ISN for data sent by TCP Peer 2.
■ ACK Flag  Indicates that the Acknowledgment Number field is significant.
■ Window  Set to an application-specified value or an operating system default value, indicating an initial value for the maximum amount of data that TCP Peer 2 can receive.
■ MSS in the MSS TCP Option  Set to the maximum-sized TCP segment that TCP Peer 2 can receive.
■ Window scaling factor in the TCP Window Scale TCP Option  Included to indicate that TCP Peer 2's advertised window size has a specified scaling factor.
■ SACK-Permitted TCP Option  Indicates that TCP Peer 2 can receive and interpret the SACK option included in TCP segments that TCP Peer 1 sends.
The following Network Monitor 3.1 trace (Frame 2 of Capture 11-01, included in the \Captures folder on the companion CD-ROM) shows a SYN-ACK segment for an HTTP session (continued from the previous SYN segment):

  Frame:
  + Ethernet: Etype = Internet IP (IPv4)
  + Ipv4: Next Protocol = TCP, Packet ID = 1045, Total IP Length = 52
  - Tcp: Flags=.S A, SrcPort=HTTP(80), DstPort=49160, Len=0, Seq=2269857730, Ack=1173532066, Win=8192 (scale factor not found)
      SrcPort: HTTP(80)
      DstPort: 49160
      SequenceNumber: 2269857730 (0x874B47C2)
      AcknowledgementNumber: 1173532066 (0x45F2ADA2)
    + DataOffset: 128 (0x80)
    - Flags: .S A
        CWR:    (0.......) CWR not significant
        ECE:    (.0......) ECN-Echo not significant
        Urgent: (..0.....) Not Urgent Data
        Ack:    (...1....) Acknowledgement field significant
        Push:   (....0...) No Push Function
        Reset:  (.....0..) No Reset
        Syn:    (......1.) Synchronize sequence numbers
        Fin:    (.......0) Not End of data
      Window: 8192 (scale factor not found)
      Checksum: 47106 (0xB802)
      UrgentPointer: 0 (0x0)
    - TCPOptions:
      - MaxSegmentSize:
          type: Maximum Segment Size. 2(0x2)
          OptionLength: 4 (0x4)
          MaxSegmentSize: 1460 (0x5B4)
      + NoOption:
      - WindowsScaleFactor:
          type: Window scale factor. 3(0x3)
          Length: 3 (0x3)
          ShiftCount: 8 (0x8)
      + NoOption:
      + NoOption:
      - SACKPermitted:
          type: SACK permitted. 4(0x4)
          OptionLength: 2 (0x2)

Segment 3: The ACK Segment

After receipt of the SYN-ACK segment, TCP Peer 1 sends the third TCP segment, known as the ACK segment, to TCP Peer 2. The ACK segment establishes the final TCP connection parameters used by TCP Peer 1 and acknowledges TCP connection parameters that TCP Peer 2 uses. The ACK segment, as sent by a computer running Windows Server 2008 or Windows Vista, contains the following fields in the TCP header:
■ Destination Port  Set to the Source Port of the SYN-ACK segment.
■ Source Port  Set to the local TCP port number of the active OPEN on TCP Peer 1 as indicated by the Destination Port number of the SYN-ACK segment.
■ Sequence Number  Set to ISN1 + 1.
■ Acknowledgment Number  Set to the value of TCP Peer 2's ISN plus 1 (ISN2 + 1). Similar to the SYN-ACK segment, TCP acts as if the SYN flag occupies a single byte of the sequence space of TCP Peer 2. The next byte that TCP Peer 1 expects to receive is actual data, and must therefore begin with ISN2 + 1.
■ ACK Flag  Indicates that the Acknowledgment Number field is significant.
■ Window  Set to an application-specified value or an operating system default value. This value indicates an initial value for the amount of data that TCP Peer 1 can receive.

The following Network Monitor 3.1 trace (Frame 3 of Capture 11-01, included in the \Captures folder on the companion CD-ROM) shows an ACK segment for an HTTP session (continued from the previous SYN-ACK segment):

  Frame:
  + Ethernet: Etype = Internet IP (IPv4)
  + Ipv4: Next Protocol = TCP, Packet ID = 5780, Total IP Length = 40
  - Tcp: Flags= A, SrcPort=49160, DstPort=HTTP(80), Len=0, Seq=1173532066, Ack=2269857731, Win=4380 (scale factor not found)
      SrcPort: 49160
      DstPort: HTTP(80)
      SequenceNumber: 1173532066 (0x45F2ADA2)
      AcknowledgementNumber: 2269857731 (0x874B47C3)
    + DataOffset: 80 (0x50)
    - Flags: A
        CWR:    (0.......) CWR not significant
        ECE:    (.0......) ECN-Echo not significant
        Urgent: (..0.....) Not Urgent Data
        Ack:    (...1....) Acknowledgement field significant
        Push:   (....0...) No Push Function
        Reset:  (.....0..) No Reset
        Syn:    (......0.) Not Synchronize sequence numbers
        Fin:    (.......0) Not End of data
      Window: 4380 (scale factor not found)
      Checksum: 1978 (0x7BA)
      UrgentPointer: 0 (0x0)

Results of the TCP Connection

The results of the TCP connection establishment process are as follows:
■ Each TCP peer knows the sequence number of the first byte of data to be sent on the connection (TCP Peer 1's Acknowledgment Number field is set to TCP Peer 2's Sequence Number field; TCP Peer 2's Acknowledgment Number field is set to TCP Peer 1's Sequence Number field).
■ Each TCP peer knows the MSS that can be sent on the connection. The connection's MSS is the minimum of the two MSSs advertised by TCP Peer 1 and TCP Peer 2. Path Maximum Transmission Unit (PMTU) Discovery adjusts the initial MSS for the duration of the connection. For more information on PMTU Discovery, see Chapter 6, "Internet Control Message Protocol (ICMP)."
■ Each TCP peer knows the other peer's window size and scaling factor, indicating the maximum amount of data that can be sent without waiting for an ACK and updated window size. Although a large amount of data can be initially sent, TCP peers use the slow start and congestion avoidance algorithms to slowly scale the amount of data sent to avoid congesting the internetwork. For more information, see Chapter 12, "Transmission Control Protocol (TCP) Data Flow."
■ Each TCP peer is aware that the other peer is capable of receiving selective acknowledgments using the SACK TCP option. For more information on selective acknowledgment, see Chapter 12.

By default, TCP retransmits the SYN segment twice when attempting to establish a TCP connection. The retransmission time-out (RTO) is doubled between each retransmission. With the initial RTO of 3 seconds and two retransmissions of the SYN segment, it takes 21 seconds to time out a TCP connection attempt (initial SYN, wait 3 seconds, first retransmitted SYN, wait 6 seconds, second retransmitted SYN, wait 12 seconds). For an example of this behavior, see Network Monitor trace Capture 11-02, included in the \Captures folder on the companion CD-ROM.

Note  TCP in Windows Server 2008 and Windows Vista no longer supports the TcpMaxConnectRetransmissions and TcpNumConnections registry values.

TCP Half-Open Connections

A TCP half-open connection, shown in Figure 11-3, is a TCP connection that has not completed the connection establishment process.
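Before the half-open case is examined in detail, the following Python script works through the completed handshake of Capture 11-01. It is an added example, not code from the book or from the Windows TCP/IP stack: it rebuilds the three segments from the decoded header fields shown in the traces above (the option bytes and checksums are constructed from those decoded values; the trace omits the IP addresses, so the checksums cannot be re-verified), parses them back with a bounds-checked header and option parser, checks the ISN + 1 acknowledgment arithmetic, derives the negotiated MSS, SACK and window-scale parameters, and computes the 3, 6 and 12 second SYN back-off that gives the 21-second connect timeout. All function and variable names are the example's own.

```python
"""Parse TCP headers and validate the captured three-way handshake (Capture 11-01 values)."""
import struct

# TCP flag bits (low byte of the Data Offset / Flags word).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
MOD = 1 << 32  # sequence numbers wrap modulo 2^32


def build_tcp_header(sport, dport, seq, ack, flags, window, options=b"", checksum=0):
    """Serialize a TCP header; options must already be padded to a 4-byte multiple."""
    if len(options) % 4:
        raise ValueError("options must be padded (NOP/EOL) to a multiple of 4 bytes")
    offset_words = (20 + len(options)) // 4
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (offset_words << 12) | flags, window, checksum, 0) + options


def parse_tcp_header(data: bytes) -> dict:
    """Parse the fixed header plus the MSS, Window Scale and SACK-Permitted options."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", data[:20])
    offset = (off_flags >> 12) * 4
    if offset < 20 or offset > len(data):
        raise ValueError(f"bad data offset {offset}")
    hdr = dict(sport=sport, dport=dport, seq=seq, ack=ack, data_offset=offset,
               flags=off_flags & 0x1FF, window=window, checksum=csum, urgent=urg,
               mss=None, wscale=None, sack_permitted=False)
    opts, i = data[20:offset], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # End of Option List
            break
        if kind == 1:          # No-Operation padding
            i += 1
            continue
        # Every other option carries a length byte; reject lengths that run off the end.
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")
        length, body = opts[i + 1], opts[i + 2:i + opts[i + 1]]
        if kind == 2 and length == 4:
            hdr["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3 and length == 3:
            hdr["wscale"] = min(body[0], 14)   # RFC 7323 caps the shift count at 14
        elif kind == 4 and length == 2:
            hdr["sack_permitted"] = True
        i += length
    return hdr


def check_handshake(syn: dict, synack: dict, ack: dict) -> dict:
    """Check the Seq/Ack arithmetic of a handshake and derive the negotiated parameters."""
    problems = []
    if syn["flags"] & (SYN | ACK | RST) != SYN:
        problems.append("segment 1 is not a plain SYN")
    if synack["flags"] & (SYN | ACK | RST) != SYN | ACK:
        problems.append("segment 2 is not a SYN-ACK")
    if ack["flags"] & (SYN | ACK | RST) != ACK:
        problems.append("segment 3 is not a plain ACK")
    if (synack["sport"], synack["dport"]) != (syn["dport"], syn["sport"]):
        problems.append("segment 2 does not mirror the SYN's port pair")
    # The SYN flag occupies one sequence number, so each side acknowledges ISN + 1.
    if synack["ack"] != (syn["seq"] + 1) % MOD:
        problems.append("SYN-ACK does not acknowledge ISN1 + 1")
    if ack["seq"] != (syn["seq"] + 1) % MOD or ack["ack"] != (synack["seq"] + 1) % MOD:
        problems.append("final ACK has wrong Seq/Ack")
    # Scaling is in effect only if both SYNs carried the option, and the Window field of a
    # SYN or SYN-ACK is never scaled: the first scaled window is the one in segment 3.
    scaled = syn["wscale"] is not None and synack["wscale"] is not None
    return dict(
        ok=not problems, problems=problems,
        mss=min(syn["mss"] or 536, synack["mss"] or 536),   # 536 = default when no MSS option
        sack=syn["sack_permitted"] and synack["sack_permitted"],
        peer1_shift=syn["wscale"] if scaled else 0,
        peer2_shift=synack["wscale"] if scaled else 0,
        peer1_rwnd=ack["window"] << (syn["wscale"] if scaled else 0),
        peer2_initial_rwnd=synack["window"],
        peer1_next_seq=ack["seq"], peer2_next_seq=ack["ack"],
    )


def connect_timeout(initial_rto=3.0, retransmissions=2):
    """Seconds until a connection attempt is abandoned with doubling SYN back-off."""
    return sum(initial_rto * 2 ** i for i in range(retransmissions + 1))


# Constructed from the decoded fields of Frames 1-3 above; checksums are as captured.
OPTS_PEER1 = bytes.fromhex("020405b4" "01" "030302" "0101" "0402")  # MSS 1460, WScale 2, SACK-Permitted
OPTS_PEER2 = bytes.fromhex("020405b4" "01" "030308" "0101" "0402")  # MSS 1460, WScale 8, SACK-Permitted
FRAME1 = build_tcp_header(49160, 80, 1173532065, 0, SYN, 8192, OPTS_PEER1, 0x8727)
FRAME2 = build_tcp_header(80, 49160, 2269857730, 1173532066, SYN | ACK, 8192, OPTS_PEER2, 0xB802)
FRAME3 = build_tcp_header(49160, 80, 1173532066, 2269857731, ACK, 4380, b"", 0x07BA)

if __name__ == "__main__":
    print(check_handshake(*(parse_tcp_header(f) for f in (FRAME1, FRAME2, FRAME3))))
    print("connect timeout:", connect_timeout(), "seconds")
```

Two details matter to a practitioner: the option walker refuses any option whose length byte would run past the header, because a hand-crafted SYN is exactly the input an Internet-facing stack has to survive; and the 4380-byte window in segment 3 is the first one that is actually scaled (by peer 1's shift of 2, giving 17,520 bytes), whereas the 8192 in the SYN-ACK is taken literally even though that peer announced a shift of 8.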
A SYN segment has been received and a SYN-ACK has been sent, but the final ACK has not been received. Until the final ACK is received, data cannot be sent on the connection.

Figure 11-3 A TCP half-open connection showing the SYN segment and retransmissions of the SYN-ACK segment
[Figure 11-3 content: (1) SYN, Seq=ISN1, Ack=0, Window=default, with MSS, TCP Window Scale, and SACK-Permitted options; (2) SYN-ACK, Seq=ISN2, Ack=ISN1+1, Window=default, with MSS, TCP Window Scale, and SACK-Permitted options; (3) (Retransmission) SYN-ACK, Seq=ISN2, Ack=ISN1+1, Window=default, with MSS, TCP Window Scale, and SACK-Permitted options; ...]

Although the SYN-ACK segment contains no data, TCP acts as if the SYN flag occupies a single byte of the sequence space and is treated as data. Therefore, TCP retransmission and time-out behaviors used for recovering from lost data are used to recover from a lost SYN-ACK segment. In the case of retransmitting a SYN-ACK segment, the default time-out is 3 seconds and the SYN-ACK is retransmitted twice, doubling the time-out period for each retransmission. Therefore, the first SYN-ACK is sent, 3 seconds later the first retransmission is sent, and 6 seconds later the second retransmission is sent. After waiting 12 seconds for a response to the final retransmission, the connection is abandoned and the memory and the connection's internal table entries are released. A total of 21 seconds elapse from the time the first SYN-ACK is sent until the connection is abandoned.

The SYN Attack

The SYN attack is a denial-of-service attack that exploits the retransmission and time-out behavior of the SYN-ACK to create a large number of half-open connections. Depending on the TCP/IP protocol implementation, a large number of half-open connections could do any of the following:
■ Use all available memory.
■ Use all possible entries in the TCP Transmission Control Block (TCB), an internal table used to track TCP connections. Once the half-open connections use all the entries, further connection attempts are responded to with a TCP connection reset. TCP connection resets are discussed in the section "TCP Connection Reset," later in this chapter.
■ Use all available half-open connections. After all the half-open connections are used, further connection attempts are responded to with a TCP connection reset.

To create a large number of TCP half-open connections, malicious users send a large number of SYN segments from a spoofed IP address and TCP port number. The spoofed IP address and TCP port number are for a process that does not respond to the SYN-ACKs being sent by the attacked host. SYN attacks typically are used to render Internet servers inoperative.

To see a SYN attack in progress on a computer running Windows Server 2008 or Windows Vista, use the Netstat.exe tool at a command prompt to display the active TCP connections. For example:

  c:\>netstat -n -p tcp

  Active Connections

    Proto  Local Address          Foreign Address        State
    TCP    127.0.0.1:1030         127.0.0.1:1032         ESTABLISHED
    TCP    127.0.0.1:1032         127.0.0.1:1030         ESTABLISHED
    TCP    131.107.1.5:21         192.168.0.1:1025       SYN_RECEIVED
    TCP    131.107.1.5:21         192.168.0.1:1026       SYN_RECEIVED
    TCP    131.107.1.5:21         192.168.0.1:1027       SYN_RECEIVED
    TCP    131.107.1.5:21         192.168.0.1:1028       SYN_RECEIVED
    TCP    131.107.1.5:21         192.168.0.1:1029       SYN_RECEIVED
    TCP    131.107.1.5:21         192.168.0.1:1030       SYN_RECEIVED
    TCP    131.107.1.5:21         192.168.0.1:1031       SYN_RECEIVED
    TCP    131.107.1.5:21         192.168.0.1:1032       SYN_RECEIVED
    TCP    131.107.1.5:21         192.168.0.1:1033       SYN_RECEIVED
    TCP    131.107.1.5:21         192.168.0.1:1034       SYN_RECEIVED
    TCP    131.107.1.5:21         192.168.0.1:1035       SYN_RECEIVED

This is an example of a SYN attack.
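The two tells in the listing above (many SYN_RECEIVED entries on one listening port, all from a private source address with incrementing foreign ports) can be checked mechanically. The following Python script is an added example, not from the book: it parses the text format of `netstat -n -p tcp` and reports, per listening port and per source, how many half-open connections exist, whether the foreign ports are strictly sequential, and whether the source is a private or loopback address that has no business reaching an Internet-facing socket. The sample output embedded in the script is constructed to mirror the listing (with two extra rows added to exercise the filter); the threshold of eight half-open connections is the example's own choice, not a Windows default.

```python
"""Detect a SYN attack from `netstat -n -p tcp` output (Windows text format)."""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample modelled on the listing above; not a real capture.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1030         127.0.0.1:1032         ESTABLISHED
  TCP    127.0.0.1:1032         127.0.0.1:1030         ESTABLISHED
  TCP    131.107.1.5:21         192.168.0.1:1025       SYN_RECEIVED
  TCP    131.107.1.5:21         192.168.0.1:1026       SYN_RECEIVED
  TCP    131.107.1.5:21         192.168.0.1:1027       SYN_RECEIVED
  TCP    131.107.1.5:21         192.168.0.1:1028       SYN_RECEIVED
  TCP    131.107.1.5:21         192.168.0.1:1029       SYN_RECEIVED
  TCP    131.107.1.5:21         192.168.0.1:1030       SYN_RECEIVED
  TCP    131.107.1.5:21         192.168.0.1:1031       SYN_RECEIVED
  TCP    131.107.1.5:21         192.168.0.1:1032       SYN_RECEIVED
  TCP    131.107.1.5:21         192.168.0.1:1033       SYN_RECEIVED
  TCP    131.107.1.5:21         192.168.0.1:1034       SYN_RECEIVED
  TCP    131.107.1.5:21         192.168.0.1:1035       SYN_RECEIVED
  TCP    131.107.1.5:80         198.51.100.23:51522    ESTABLISHED
  TCP    [::1]:135              [::1]:49201            SYN_RECEIVED
"""


def split_endpoint(text):
    """'131.107.1.5:21' or '[::1]:135' -> (ip_address object, port)."""
    host, port = text.rsplit(":", 1)           # rsplit keeps IPv6 colons intact
    return ipaddress.ip_address(host.strip("[]")), int(port)


def parse_netstat(text):
    """Return one dict per TCP row; header, blank and non-TCP lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue
        (lip, lport), (fip, fport) = split_endpoint(parts[1]), split_endpoint(parts[2])
        conns.append(dict(local_ip=lip, local_port=lport,
                          foreign_ip=fip, foreign_port=fport, state=parts[3]))
    return conns


def detect_syn_attack(conns, threshold=8):
    """Report listening ports holding at least `threshold` half-open connections.

    Each finding is per (local port, source address) and records the two spoofing
    tells visible in the listing above: strictly incrementing foreign ports and a
    private or loopback source on what should be an Internet-facing socket.
    """
    half_open = [c for c in conns if c["state"] == "SYN_RECEIVED"]
    per_port = Counter(c["local_port"] for c in half_open)
    findings = []
    for port, count in sorted(per_port.items()):
        if count < threshold:
            continue
        by_source = defaultdict(list)
        for c in half_open:
            if c["local_port"] == port:
                by_source[c["foreign_ip"]].append(c["foreign_port"])
        for src, ports in by_source.items():
            ports.sort()
            findings.append(dict(
                local_port=port,
                source=str(src),
                half_open=len(ports),
                sequential_ports=len(ports) > 1 and all(b - a == 1 for a, b in zip(ports, ports[1:])),
                private_source=src.is_private or src.is_loopback,
            ))
    return findings


if __name__ == "__main__":
    for finding in detect_syn_attack(parse_netstat(NETSTAT_SAMPLE)):
        print(finding)
```

On a real host, pipe the live output into `parse_netstat` instead of the sample; the single loopback SYN_RECEIVED row in the sample stays below the threshold and is correctly ignored, which is the behaviour wanted so that ordinary connection churn does not page anyone.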
There are a number of TCP connections in the SYN_RECEIVED state, and the foreign address is a spoofed private address with incrementally increasing TCP port numbers. SYN_RECEIVED is the state of a TCP connection that has received a SYN, sent a SYN-ACK, and is waiting for the final ACK. TCP connection states are discussed in detail in the "TCP Connection States" section of this chapter.

TCP in Windows Server 2008 and Windows Vista uses SYN attack protection to prevent a SYN attack from overwhelming the computer.

Note  TCP in Windows Server 2008 and Windows Vista no longer supports the TcpMaxConnectResponseRetransmissions, SynAttackProtect, TcpMaxHalfOpen, and TcpMaxHalfOpenRetried registry values.

TCP Connection Maintenance

A TCP connection can optionally be maintained through the periodic exchange of a TCP keepalive segment, which is an ACK segment containing no data. The Sequence Number field in the TCP header of the keepalive segment is set to 1 less than the current sequence number for the outbound data stream. For example, if a TCP peer's next byte of data is 18745323, the TCP keepalive sent by the TCP peer has the Sequence Number field set to 18745322. After receiving this ACK segment, the other TCP peer sends back an ACK segment with the Acknowledgment Number field set to the next byte that it expects to receive. In this example, the TCP peer sends an ACK segment with the Acknowledgment Number field set to 18745323. This simple exchange confirms that both TCP peers are still participating in the TCP connection. Figure 11-4 shows the TCP keepalive.

TCP keepalives for TCP/IP for Windows Server 2008 and Windows Vista are disabled by default. If enabled through the use of the setsockopt() Windows Sockets function, a keepalive segment is sent every two hours by default, as controlled by the KeepAliveTime registry value. Even if enabled, other upper layer protocols such as NetBIOS send their own keepalive.
If the keepalive interval that the upper layer protocol uses is less than the TCP [...]

[...] sent by the FTP server:

  Frame:
  + Ethernet: Etype = Internet IP (IPv4)
  + Ipv4: Next Protocol = TCP, Packet ID = 10526, Total IP Length = 40
  - Tcp: Flags= A, SrcPort=1162, DstPort=FTP control(21), Len=0, Seq=3928116597, Ack=1035689056, Win=17234 (scale factor not found)
      SrcPort: 1162
      DstPort: FTP control(21)
      SequenceNumber: 3928116597 (0xEA224D75)
      AcknowledgementNumber: 1035689056 (0x3DBB5C60)
    + DataOffset: [...]

[...] Windows Server 2008 or Windows Vista-based TCP peer will typically advertise much larger receive window sizes than a Windows XP or Windows Server 2003-based TCP peer. This allows the TCP peer sending data to the Windows Server 2008 or Windows Vista-based TCP peer to fill the pipe between the TCP peers by sending more TCP data segments without having to wait for an ACK (subject to TCP congestion control) [...]

[...] less capacity. TCP/IP for Windows Server 2008 and Windows Vista uses the Nagle algorithm by default. The Nagle algorithm is disabled through the TCP_NODELAY Windows Sockets option. Developers should disable the Nagle algorithm only when the immediate sending of multiple small segments is required. To improve performance of file locking and manipulation, a computer running Windows Server 2008 or Windows Vista [...]

[...] that the FTP server sent in response to a FIN-ACK sent by the FTP client:

  Frame:
  + Ethernet: Etype = Internet IP (IPv4)
  + Ipv4: Next Protocol = TCP, Packet ID = 57338, Total IP Length = 40
  - Tcp: Flags= A, SrcPort=FTP control(21), DstPort=1162, Len=0, Seq=1035689056, Ack=3928116598, Win=17448 (scale factor not found)
      SrcPort: FTP control(21)
      DstPort: 1162
      SequenceNumber: 1035689056 (0x3DBB5C60)
      AcknowledgementNumber: [...]

[...] its outbound pipe:

  Frame:
  + Ethernet: Etype = Internet IP (IPv4)
  + Ipv4: Next Protocol = TCP, Packet ID = 10527, Total IP Length = 40
  - Tcp: Flags=F A, SrcPort=1162, DstPort=FTP control(21), Len=0, Seq=3928116597, Ack=1035689056, Win=17234 (scale factor not found)
      SrcPort: 1162
      DstPort: FTP control(21)
      SequenceNumber: 3928116597 (0xEA224D75) [...]

[...] default, TCP/IP for Windows Server 2008 and Windows Vista uses an acknowledgment delay of 200 ms (0.2 seconds), which can be configured per interface by the TcpDelAckTicks registry setting.

TcpDelAckTicks
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\InterfaceGUID
Data type: REG_DWORD
Valid range: 0-6 [...]

[...] closed by an FTP server:

  Frame:
  + Ethernet: Etype = Internet IP (IPv4)
  + Ipv4: Next Protocol = TCP, Packet ID = 57337, Total IP Length = 40
  - Tcp: Flags=F A, SrcPort=FTP control(21), DstPort=1162, Len=0, Seq=1035689055, Ack=3928116597, Win=17448 (scale factor not found)
      SrcPort: FTP control(21)
      DstPort: 1162
      SequenceNumber: 1035689055 (0x3DBB5C5F) [...]

[...] window scaling by default, allowing up to a 16-megabyte (MB) maximum receive window size. As the data flows over the connection, the TCP stack monitors the connection, measures its current BDP and application receive retrieve rate, and adjusts the receive window size to optimize throughput. TCP in Windows Server 2008 and Windows Vista no longer uses the TCPWindowSize registry value.

Receive Window Auto-Tuning [...]

[...] old connection's TCP segments in transit are not confused with a new connection's TCP segments. The RFC 793 recommended value for the MSL is two minutes. For Windows Server 2008 and Windows Vista with Service Pack 1, TCP connections in the TIME WAIT state are controlled by the following registry value:

TcpTimedWaitDelay
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Data [...]

[...] client application and a host that is not an FTP server. Frame 1 is a SYN segment to the FTP control port; Frame 2 is the connection reset.

Frame 1

  Frame:
  + Ethernet: Etype = Internet IP (IPv4)
  + Ipv4: Next Protocol = TCP, Packet ID = 10535, Total IP Length = 48
  - Tcp: Flags=.S, SrcPort=1164, DstPort=FTP control(21), Len=0, Seq=4065871748, Ack=0, Win=16384 (scale factor not found)
      SrcPort: 1164
      DstPort: FTP [...]
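The four FTP control-connection frames quoted in the fragments above (Packet IDs 57337, 10526, 10527 and 57338, between server port 21 and client port 1162) are a complete graceful close, and their sequence numbers can be replayed through the closing states of the TCP state machine. The following Python script is an added example, not code from the book or from Windows: it models one endpoint's SND.NXT, RCV.NXT and state, checks every captured Seq and Ack against what the peer must send (a FIN, like a SYN, consumes one sequence number), and shows the server ending in TIME_WAIT and the client in CLOSED. The simultaneous-close case (both FINs in flight at once, passing through CLOSING) uses made-up sequence numbers, and the 2 * MSL figure is RFC 793's, not a Windows default. Class, function and frame-list names are the example's own.

```python
"""Replay a captured TCP graceful close through the closing half of the TCP state machine."""

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
MOD = 1 << 32  # sequence numbers wrap modulo 2^32


class TcpEndpoint:
    """One side of a connection, tracking SND.NXT, RCV.NXT and the connection state."""

    def __init__(self, name, snd_nxt, rcv_nxt):
        self.name = name
        self.state = "ESTABLISHED"
        self.snd_nxt = snd_nxt      # next sequence number this side will send
        self.rcv_nxt = rcv_nxt      # next sequence number this side expects to receive
        self.fin_seq = None         # sequence number consumed by this side's own FIN

    def send(self, flags, seq, ack):
        """Validate a segment this side is about to send, update state, return it."""
        if seq != self.snd_nxt:
            raise ValueError(f"{self.name}: Seq {seq} but SND.NXT is {self.snd_nxt}")
        if flags & ACK and ack != self.rcv_nxt:
            raise ValueError(f"{self.name}: Ack {ack} but RCV.NXT is {self.rcv_nxt}")
        if flags & FIN:
            if self.state not in ("ESTABLISHED", "CLOSE_WAIT"):
                raise ValueError(f"{self.name}: FIN not allowed in {self.state}")
            self.fin_seq = seq
            self.snd_nxt = (seq + 1) % MOD        # like SYN, a FIN occupies one sequence number
            self.state = "FIN_WAIT_1" if self.state == "ESTABLISHED" else "LAST_ACK"
        return flags, seq, ack

    def receive(self, flags, seq, ack):
        """Apply a segment from the peer; returns the new state."""
        if seq != self.rcv_nxt:
            raise ValueError(f"{self.name}: got Seq {seq}, expected {self.rcv_nxt}")
        # Process the acknowledgment first: it may acknowledge our own FIN.
        if flags & ACK and self.fin_seq is not None and ack == (self.fin_seq + 1) % MOD:
            self.state = {"FIN_WAIT_1": "FIN_WAIT_2", "CLOSING": "TIME_WAIT",
                          "LAST_ACK": "CLOSED"}.get(self.state, self.state)
        if flags & FIN:
            self.rcv_nxt = (self.rcv_nxt + 1) % MOD   # account for the peer's FIN
            if self.state == "ESTABLISHED":
                self.state = "CLOSE_WAIT"             # peer closed first; we may still send data
            elif self.state == "FIN_WAIT_1":
                self.state = "CLOSING"                # both sides closed at once
            elif self.state == "FIN_WAIT_2":
                self.state = "TIME_WAIT"              # we closed first; hold for 2 * MSL
        return self.state


def replay(server, client, frames):
    """frames: (sender, flags, seq, ack) tuples; returns (server.state, client.state) after each."""
    states = []
    for sender_name, flags, seq, ack in frames:
        sender, receiver = (server, client) if sender_name == "server" else (client, server)
        receiver.receive(*sender.send(flags, seq, ack))
        states.append((server.state, client.state))
    return states


# Header values taken from the four FTP control-connection frames quoted above
# (server port 21, client port 1162); the Packet IDs identify the frames.
FTP_CLOSE_FRAMES = [
    ("server", FIN | ACK, 1035689055, 3928116597),   # Packet ID 57337: server's FIN-ACK
    ("client", ACK,       3928116597, 1035689056),   # Packet ID 10526: client ACKs the FIN
    ("client", FIN | ACK, 3928116597, 1035689056),   # Packet ID 10527: client's FIN-ACK
    ("server", ACK,       1035689056, 3928116598),   # Packet ID 57338: server ACKs the FIN
]


def run_ftp_close():
    """Replay the captured close; the server, which closed first, ends in TIME_WAIT."""
    server = TcpEndpoint("server:21", snd_nxt=1035689055, rcv_nxt=3928116597)
    client = TcpEndpoint("client:1162", snd_nxt=3928116597, rcv_nxt=1035689055)
    return replay(server, client, FTP_CLOSE_FRAMES)


def run_simultaneous_close():
    """Both ends send FIN before seeing the other's (constructed sequence numbers)."""
    a, b = TcpEndpoint("A", 1000, 5000), TcpEndpoint("B", 5000, 1000)
    fin_a, fin_b = a.send(FIN | ACK, 1000, 5000), b.send(FIN | ACK, 5000, 1000)
    b.receive(*fin_a)                       # B: FIN_WAIT_1 -> CLOSING
    a.receive(*fin_b)                       # A: FIN_WAIT_1 -> CLOSING
    b.receive(*a.send(ACK, 1001, 5001))     # B: CLOSING -> TIME_WAIT
    a.receive(*b.send(ACK, 5001, 1001))     # A: CLOSING -> TIME_WAIT
    return a.state, b.state


def time_wait_seconds(msl_seconds=120):
    """RFC 793: TIME_WAIT lasts 2 * MSL; the RFC's recommended MSL is 2 minutes."""
    return 2 * msl_seconds


if __name__ == "__main__":
    for step, states in enumerate(run_ftp_close(), 1):
        print(f"after frame {step}: server={states[0]} client={states[1]}")
```

Because every Seq and Ack is checked against the model, swapping the order of two captured frames or altering a single acknowledgment number raises an error instead of silently producing a plausible-looking state sequence, which is what you want when using such a replay to validate a parser or a firewall's connection tracking.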