How TCP connection works

Updated: Oct 1

This post describes how to see TCP connection establishment and termination as packets using tcpdump on linux.

Preparing Install the following commands on our linux.

  • tcpdump

  • nc

  • telnet

  • netstat



Start a TCP connection establishment

  1. Start TCP connection using nc command with l,k option.

  2. Open another terminal and verify 12345 port is listening using netstat command.


$ nc -lk 12345

$ netstat -anp | grep 12345
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN /nc

Open a Listening port on Linux


Start TCP client and establish a connection

  1. Start TCP client using telnet to establish TCP connection with TCP server of step 1.

  2. Open another terminal and verify nc process and telnet are establishing connection using netstat command.

  3. Terminate TCP client with type "Ctrl+[" and "quit" on telnet. Then Connection is close.



$ telnet 127.0.0.1 12345
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
$ netstat -anp | grep 12345
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN /nc
tcp 0 0 127.0.0.1: 127.0.0.1:12345 ESTABLISHED /telnet
tcp 0 0 127.0.0.1:12345 127.0.0.1: ESTABLISHED /nc

$ telnet 127.0.0.1 12345
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
$

5 ways to Check a remote port is open in Linux




Capture TCP 3-Way Handshake as TCP connection establishment

  1. Verify TCP server that start at step 1 listen 12345 port.

  2. Perform tcpdump with specify local interface and port 12345 as follows.

  3. Start TCP client using telnet to establish TCP connection with TCP server of step

  4. Verify tcpdump output as follows.

$ netstat -anp | grep 12345
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN /nc

$ sudo tcpdump -i lo -nnn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
$ telnet 127.0.0.1 12345
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
HH:mm:ss.SSSSSS IP 127.0.0.1. > 127.0.0.1.12345: Flags [S], seq ...
HH:mm:ss.SSSSSS IP 127.0.0.1.12345 > 127.0.0.1.: Flags [S.], seq ...
HH:mm:ss.SSSSSS IP 127.0.0.1. > 127.0.0.1.12345: Flags [.], ack ...


The tcpdump packet format is as follows:


timestamp IP source IP.port destination > IP.port: flags

  • First line means a SYN packet as "[S]" flag that telnet sent to TCP server.

  • Second line means SYN + ACK packet as "[S.]" flag that TCP server sent to telnet.

  • Third line means ACK packet as "[.]" flag that TCP server sent to telnet.


Reference:



TCP connection termination

  1. Open another terminal and verify nc process and telnet are establishing connection using netstat command.

  2. Keep tcpdump, and terminate TCP client with type "Ctrl+[" and "quit" on telnet. Then Connection is close.


$ netstat -anp | grep 12345
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN /nc
tcp 0 0 127.0.0.1: 127.0.0.1:12345 ESTABLISHED /telnet
tcp 0 0 127.0.0.1:12345 127.0.0.1: ESTABLISHED /nc
$ telnet 127.0.0.1 12345
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
$

Verify tcpdump output as follows.


HH:mm:ss.SSSSSS IP 127.0.0.1. > 127.0.0.1.12345: Flags [F.], seq 1,
HH:mm:ss.SSSSSS IP 127.0.0.1.12345 > 127.0.0.1.: Flags [F.], seq 1,
HH:mm:ss.SSSSSS IP 127.0.0.1. > 127.0.0.1.12345: Flags [.], ack 2,

  • First line means a FIN packet as "[F]" flag that telnet sent to TCP server.

  • Second line means FIN + ACK packet as "[F.]" flag that TCP server sent to telnet.

  • Third line means ACK packet as "[.]" flag that TCP server sent to telnet.


Reference:



25 views