tcpip a mammoth description, short and easy-everything u want to know.txt

黑客培训教程

Some common flags of TCP are-:

RST [RESET]- Resets the connection.
PSH [PUSH]  - Tells receiver to pass all  queued data  to the application running.
FIN [FINISH] - Closes connection following the 4 step process.
SYN Flag      - means that the machine sending this flag wants to establish a three way handshake i.e.
                        a TCP connection. The receiver of a SYN flag usually responds with an ACK message.

So now we are in a position to represent a three way TCP Handshake:

A    <---SYN--->          B
A     <---SYN/ACK?  B
A     <---ACK--->         B

A sends a SYN flag to B saying  " I want to establish a TCP connection", B responds to the SYN with the
ACK to the SYN flag. A again responds to the ACK sent by B with another ACK.

Read RFC 793 for further in depth details about the TCP protocol.

The User Datagram Protocol or the UDP Protocol

The User Data protocol or the UDP is yet another protocol which is a member of the Transport Layer. TCP
is the standard protocol used by all systems for communications. TCP is used to break down the data to be
transported into smaller datagrams, before they (the datagrams) are sent across a network. Thus we can say
that TCP is used where more than a single or multiple datagrams are involved.

Sometimes, the data to be transported is able to fit into a single datagram. We do not need to break the data
into smaller datagrams as the size of the data is pretty small. The perfect example of such data is the DNS
system. To send out the query for a particular domain name, a single datagram is more than enough. Also
the IP that is returned by the Domain Name  Server does not require more than one datagram for
transportation. So in such cases instead of making use of the complex TCP protocol, applications fall back
to the UDP protocol.

The UDP protocol works almost the way TCP works. But the only differences being that TCP breaks the
data to be transferred into smaller chunks, does sequencing by inserting  a sequence number in the header
and no error control. Thus we can conclude by saying that the UDP protocol is an unreliable protocol with
no way to confirm that the data has reached the destination.

The UDP protocol does insert a USP header to the single datagram it is transporting. The UDP header
contains the Source and Destination IP Addresses and Port Numbers and also the Checksum value. The
UDP header is comparatively smaller than the TCP Header.

It is used by those applications where small chunks of data are involved. It offers services to the User's
Network Applications like NFS(Network File Sharing) and SNMP.

Read RFC 768 for further in depth details about the UDP protocol.

THE NETWORK LAYER

The IP Protocol

Both the TCP and the UDP protocols, after inserting the headers to the datagram(s) given to them pass
them to the Internet Protocol or the IP Protocol.  The main job of the IP protocol is to find a way of
transporting the datagrams to the destination receiver. It does not do any kind of error checking.

The IP protocol too adds it's own IP Header to each datagram. The IP header contains the source and
destination IP addresses, the protocol number and yet another checksum. The IP header of a particular
datagram looks like-:

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  TCP header info followed by the actual data being transferred|
   |                                                               |


The Source and destination IP addresses and needed so that?well it is obvious isn't it? The Protocol
number is added so that the IP protocol knows to which Transport Protocol the datagram has to be passed.
You see various Transport Protocols are used like for example TCP or UDP. So this protocol number is
inserted to tell IP the protocol to which the datagram has to be passed.

It too inserts it's own Checksum value which is different from the Checksum Value inserted by the
Transport Protocols. This Checksum has to be inserted as without it the Internet Protocol will not be able to
verify if the Header has been damaged in the transfer process and hence the datagram might reach a wrong
destination. The Time to Live field specifies a value which is decreased each time the datagram passes
through a network. Remember Tracert?

The Internet Protocol Header contains other fields as well, but they are quite advanced and cannot be
included in a manual which gives an introduction to the TCP\IP protocol. To learn more about the IP
protocol read RFC 791.

The Internet Control Message Protocol or the ICMP

The ICMP protocol allows hosts to transfer information on errors that might have occurred during the data
transfer between two hosts.  It is basically used to display error messages about errors that might occur
during the data transfer. The ICMP is a very simple protocol without any headers. It is most commonly
used to diagnose Network Problems. The famous utility PING is a part of the ICMP protocol. ICMP
requests do not require the user or application to mention any port number as all ICMP requests are
answered by the Network Software itself. The ICMP protocol too handles only a single datagram. That's
why we say in PING only a single datagram is sent to the remote computer. This protocol can remote many
network problems like Host Down, Congested Network etc

Read RFC 792 for further in depth details about the ICMP protocol.

The Link Layer

Almost all networks use Ethernet. Each machine in a network has it's own IP address and it's Ether
Address. The Ether Address of a computer is different than it's IP address. An Ether Address is a 42 bit
address while the IP address is only a 32 bit address. A Network must know which computer to deliver the
datagram to. Right? For this the Ether Header is used.

The Ether Header is a 14 octet header that contains the Source and Destination Ethernet address, and a type
code. Ether too calculates it's own Checksum value. The Type code relates to the protocol families to be
used within the Network. The Ether Layer passes the datagram to the protocol specified by this field after
inserting the Ether Header. There is simply no connection between the Ethernet Address and the IP address
of a machine. Each machine needs to have a Ethernet to IP address translation table on its hard disk.

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Ethernet destination address (first 32 bits)                                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Ethernet dest (last 16 bits)          |Ethernet source (first 16 bits)              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Ethernet source address (last 32 bits)                                                 |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Type code                                                                                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  IP header, then TCP header, then your data                                            |
   |                                                                                                                   |
   |                                                                                                                   |
   |                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Ethernet Checksum                                                             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Address Resolution Protocol or ARP

Data before being transmitted across the Internet or across a local network is broken down into smaller
Packets which are suitable for transfer over the net. These packets have the Source and Destination IP's but
for the transfer to take place the suitable Hardware Addresses or the MAC addresses must also be known.
That is where ARP comes in.

To get the Hardware MAC addresses, ARP or Address Resolution Protocol sends a request message. The
Router replies with the Hardware Address. It is similar to the DNS and it too has a cache. This cache can be
a bit vulnerable as a Hacker could forge a connection from a remote machine claiming to be one of the
cached locations. So we can conclude that ARP translates IP's into Ethernet Addresses. One thing to
remember about ARP is that it only translates outgoing packets.

There is also something called the RARP which is an abbreviation for Reverse Address Resolution  
Protocol, which like the name says does exactly reverse of what ARP does.

There is simply no algorithm to get the Ethernet Address from the IP Address. To carry out such
translations, each computer has a file which has a table with rows for each computer and two columns for
their corresponding IP address and Ethernet Address. The File is somewhat like the following-:

                                     Internet Protocol Address                         Ethernet Address
Computer Name              xxx.xy.yy.yx                                           08-00-39-00-2F-C3

Say there are a system in a Network (A) and an unidentified system (B) contacts it. Now A only knows the
IP address of B. Now A will first try to identify whether B is the same network so that it can directly
communicate via Ethernet. So it will first check the IP to MAC address translation table which it has. If it
finds the IP in the table then well and good and A will establish a connection with B via Ethernet.

On the Other hand if A does not find any match for the specific IP, it will send out a request in the form of
a 'Broadcast'. All computers within the Network will receive this broadcast and will search their own IP to
MAC translation table and will reply with the necessary MAC address. A basic difference between an Ip
address and MAC address is that an IP is the form xxx.xxx.xxx.xxx and a MAC address is in the form
xx:xx:xx:xx:xx:xx and one is 32 bit while the other is 40 bit.

Read RFC 826 for further in depth details about the ARP protocol.

Application Layer

Till now  you  have learnt  how data is broken down into smaller chunks, and transferred to the destination,
where the chunks are rearranged. But there is yet another aspect to a successful data transfer process, which
we have not discussed yet: The Application Protocols and the Application Layer itself. A host which
receives datagrams has many applications or services (daemons) running which are ready to establish a
TCP connection and accept a message. Datagrams travelling on the Internet must know which application
they have to establish connection with, which application they have to send the message to. A typical web
server will have the FTP daemon, the HTTP daemon, the POP daemon, and the SMTP daemon running.
Wouldn't the datagrams get confused as to which daemon to send the message to.

For the datagrams to know which computer to send the message to, we have IP addresses. The datagram
knows what daemon or application to send the message to by the Port Number attached to the IP address of
the Destination. A TCP address is actually fully described by 4 numbers; The IP address of the Source and
Destination and the TCP Port Numbers of each end to which data is to be sent. These numbers are found in
the TCP Header.

To make it simpler to understand I have included an excerpt from the Net Tools Chapter:

What is all the hype about socket programming? What exactly are sockets?

TCP\IP or Transmission Control Protocol\ Internet Protocol is the language or the protocol used by
computers to communicate with each other over the Internet. Say a computer whose IP address is
99.99.99.99 wants to communicate with another machine whose IP address is 98.98.98.98 then would will
happen?

The machine whose IP is 99.99.99.99 sends a packet addressed to another machine whose IP is
98.98.98.98. When 98.98.98.98 receives the packet then it verifies that it got the message by sending a
signal back to 99.99.99.99.But say the person who is using 99.99.99.99 wants to have simultaneously  more
than one connections to 98.98.98.98.....then what will happen? Say 99.99.99.99 wants to connect to
the FTP daemon and download a file by FTP and at the same time it wants to connect to 98.98.98.98's
website i.e. The HTTP daemon. Then 98.98.98.98. will have 2 connects with 99.99.99.99 simultaneously.
Now how can 98.98.98.98.distinguish between the two connections...how does 98.98.98.98. know which
is for the FTP daemon and which for the HTTP daemon? If there was no way to distinguish between the
two connections then they would both get mixed up and there would be a lot of chaos with the message
meant for the HTTP daemon going to the FTP daemon. To avoid such confusion we have ports. At each
port a particular service or daemon is running by default. So now that the 99.99.99.99 computers knows
which port to connect to, to download a FTP file and which port to connect to, to download the web page,
it will communicate with the 98.98.98.98 machine using what is known as the socket pair which is a
combination of an IP address and a Port. So in the above case the message which is meant for the FTP
daemon  will be addressed to 98.98.98.98 : 21 (Notice the colon and the default FTP port suceeding it.).
So that the receiving machine i.e. 98.98.98.98 will know for which service this message is meant for and to