Getting Familiar With TCP and Its Behaviors

  • by

In this post I am going to detail some questions and answers related to the TCP protocol to get you more familiar with how it works.

TCP Core Principals

What is the IP protocol for TCP?

Ip protocol 6 is TCP.

In the TCP header, what is the offset used for?

This field is used to indicate where the payload/data begins.

What are all of the 10 fields in the TCP header?

  • Source port
  • destination port
  • sequence number
  • ack number
  • offset
  • tcp flags
  • receive window
  • checksum
  • urgent point
  • tcp options

The Handshake

In the TCP 3 way handshake, describe who sends which packet:

  • Syn
  • SynAck
  • Ack

The options of who sends the packet:

  • Client or server
    • x sends x
    • x sends x
    • x sends x
  • Client sends Syn
  • Server sends Syn Ack
  • Client Sends Ack
tcp handsake

The Flags

How many TCP flags are there?

8 flags

What is the purpose of the TCP SYN FLAG?

SYN- The Synchronize flag is used to synchronize sequence numbers, and exchange TCP options to bring up a new connection.

What is the purpose of the TCP ACK FLAG?

ACK – The Acknowledgement flag is used to tell the TCP stack that we are acknowledging sequences of data in this packet (among other things).

What is the purpose of the TCP FIN FLAG?

FIN- The Fin flag is used by applications and the TCPIP stack to gracefully shut down a connection and begin to release resources if possible.

What are the 2 purposes of the TCP CWR FLAG?

  1. This flag which is usually accompanied by the ECN ECHO (ECE) flag in a SYN packet let’s the receiver know this TCP host is ECN capable. 
  2. It is also used to indicate to the receiver that we got their TCP ECE flag in the last ack and we lowered our congestion window.

What is the purpose of the TCP NS FLAG?

It has no purpose it’s experimental.

What are the 2 purposes of the TCP ECE FLAG?

  1. It’s usually sent with the CWR flag during SYN to let the other TCP host know we support ECN.
  2. If the IP header is marked with congestion encountered (CE) in the IP ECN bits, then this host sets the TCP ECE flag in a TCP ack back to the original sender to let them know they should reduce their congestion window.

What is the main difference about using the urgent flag vs push flag in TCP?

The urgent flag should not be used, it’s being deprecated. The urgent pointer flag tells the TCP stack to look at the urgent pointer field for directions to where the urgent sequence is. Hardly ever used, and is not recommended to be used. Also urgent is used by an app to let the other host’s TCP/IP stack know not to buffer the traffic, while push is used by applications for the current host’s TCP/IP stack to not buffer traffic and send it out immediately.

The push flag is used by an application to let the local TCP stack know that this data shouldn’t be stored in the buffer and should go out to the destination immediately. 

What is the purpose of the TCP RST FLAG? Who sends them?

To close a TCP connection without fins. It is a form of closing a connection that is not as graceful as the FIN.
Hosts can send a TCP RST to signal a port is not open, a connection is closed, or firewalls can do it on their behalf.

What is the purpose of the TCP FIN FLAG?

FIN- The Fin flag is used by applications and the TCPIP stack to gracefully shut down a connection and begin to release resources if possible.

TCP Port Operations

Listening Or Closed?

How does a port scanner determine if a host is listening on TCP port 80?

It will try to do a tcp 3 way handshake with the server on the specific port, if it receives a syn+ack, the port is open, if he gets back a tcp rst flag packet then it’s closed.

TCP Behavior With IP MTU

In IPv4 to get the TCP MSS we subtract 40 from the IP MTU.
In IPv6 how many bytes do we subtract to get the TCP MSS?

60 = (IPv6 header is 40) + (TCP header is 20) 

Same VLAN MTU Issues

If we have two hosts in the same vlan, but one has an IP MTU of 1500 and the other has an IP MTU of 1400, what behavior do we expect to see with different protocols like TCP, UDP, ICMP?

The hosts will be able to communicate via TCP with no fragmentation because they negotiate the lowest MSS. 
For UDP and ICMP as long as the DF bit isn’t required that traffic will be fragmented by the host while outgoing as needed.

TCP Bandwidth Delay Product, Bytes In Flight and more

In TCP, what is a zero window?

This is what a client usually sends back to the server if its receive buffer is full and cannot take anything until it processes it. It is a message to the sender to stop sending data. When the client is ready, he will send a new window update packet.

In TCP, what does the BDP give us?

The maximum bytes in flight/transit we can have for this link due to its BW + latency.

What is the relation of TCP’s BDP and Bytes in flight?

The BDP is the theoretical max bytes in flight a link can have based on the BW + latency. Thus if you are troubleshooting a connection you’d want the bytes in flight to be just as high or close to the link’s BDP.

TCP Send Window

In TCP, what 3 factors limit the send window ? Excluding the receive window.

  1. Bytes in transit (limited by BDP)
  2. Congestion Window
  3. Send Buffer Size
tcp send window

Let’s take a closer look at the TCP send window.

With TCP flows, how do bytes in flight restrict our sending?

The bytes in flight is how much data we have sent that has not been acknowledged yet. If we sent 48Kb and the receive window is 64Kb then we can only send 16Kb more until that 48KB is ack’d. The bytes in flight should equal or around the BDP to realize the link’s best transmission rate.

What about interactions with the TCP receive window?

When troubleshooting TCP connections, how should we look at the receive window and how do we read it?

We need to look for the calculated window size in every ack from the receiver. This is how much free buffer space it has and how much data we can send him before he needs to ack us.

tcp window size

TCP Algorithms

What is the difference in how TCP reno vs tahoe behave with regards to slow start?

Reno only goes through slow start at the beginning of the connection, while tahoe will constantly goes through slow start if it experiences congestion.

The infamous Global Sync Issue

Describe TCP global synchronization and its issue.

tcp global sync

As shown above TCP global synchronization is when multiple TCP flows experience congestion at the same time, thus they all drop to their slow start threshold at the same time, and start linearly increasing again.The immediate drop at the same time is probably due to uncontrolled congestion probably caused by output tail drop. 

This leads to periods of ALL the TCP flows dropping down to their slow start threshold at one time, then slowly rising again. This time of slowly rising for ALL TCP flows means that there is bandwidth that is notbeing realized by TCP. 

TCP Options


In TCP options, what is the timestamp? What two fields does it have within?

This option is for TCP hosts to keep track of packets.  It’s also used to calculate RTT.
It has two fields within, the timestamp value (TSVAL) and the timestamp echo reply (TSECR).
The time stamp value is marked by the sender when sending the packet.the time stamp echo reply is marked by the receiver when he sends his ack for this segment.

Segment Size

In TCP options, what is the maximum segment size? When is it sent?

This option is only when the packet is a SYN, it’s for TCP hosts to let the other side know what its biggest TCP payload can be. Then they agree on the smallest of the 2 for the session.

TCP MD5 Auth – The Not Often Used Option

How does the BGP peer send the MD5 hash to the other peer?

People forget TCP is extensible via options. Via TCP option 19, MD5 signature.

bgp tcp md5

Other Options

In TCP options, what is the NOP option?

This option denotes 1 bit padding, it’s used to align the options to a 32bit value for performance.

In TCP Options, what is the End of Options/operations list option?

This option denotes the end of TCP options, it always comes last.

Window Scaling With TCP

In TCP options, what is the window scale? When is it sent?

The Window scale is only used on SYNs and is used to get over the 16 bit limitation of the window size, this option is a multipler for the window size.

TCP Configuration For Control Plane Protocols

Assume we are on the local router and want to clamp the MSS for our BGP sessions to 1360, how do we do this?

This is for CTRL+MGMT plane traffic which BGP falls into.

conf t
ip tcp mss 1360

Basic TCP Attacks

Is the following config enough to prevent a TCP RST DoS on our router?

int g0/1
no ip unreachables

No, it is not because TCP resets are not ICMP unreachables.

Securing BGP From TCP Attacks

Consider the following BGP topology:

bgp tcp attack

These 2 directly connected routers want to form a BGP peering with each other. What should R1’s ACL on its WAN int be configured with to allow only this session and provide maximum security?

ip access-list extended BGP
permit tcp host eq bgp host
permit tcp host host eq bgp

TCP Header Interaction With Fragmented Packets and Router ACLs

How do ACLs on a Cisco Router deal with fragmented traffic?

Regular ACLs can properly match the first fragment with L3+L4, but subsequent fragments will skip matching the L4 header and only use the L3 header of the ACL. Assume we are using the following headers:

fragmented tcp packet


access-list ex FILTER-1
permit tcp any host eq 80
deny tcp any eq 22
deny ip any any

Packet comes in, fragmented, destined to the SSH service on 1.100

The ACL can match the first fragment with L3+L4 so it’s dropped, then the subsequent fragments to 1.100 will be allowed through because the ACL can only check the L3 header.

This is NOT a problem if the ACL is only matching L3 and not L4 headers. You can also specifically deny fragmented traffic like this:

access-list ex FILTER-2
deny ip any any fragments
permit tcp any host eq 80
deny tcp any eq 22
deny ip any any


Operations Of QoS Features Like WRED

Consider the following QoS policy:

policy-map QOS 
class class-default  

What command tuns on weighted random early detection for TCP flows?


The Mysterious ECN Bits

How do the IP ECN bits and TCP ECN bits work together?

Two hosts agree to ECN in the IP and TCP layers. Routers along the path mark the CE bits in the IP header. The receiver sends an ack + TCP ECE flag to the sender to let them know of the congestion. The sender now lowers his congestion window and sets the TCP CWR flag in the next packet destined for the receiver.