TCP/IP Basics - III

Continuing from the last blog about TCP/IP, in this blog I will cover the basics of TCP and a little bit about UDP. I will also look into some commands such as telnet and some great utilities like wireshark.

How TCP Works?
In broad steps, here is how TCP works-
  • Client tells the server to establish a session
  • Server confirms that its ready to receive data
  • Client sends server packets of data.
  • For each packet that server receives, server confirms the receipt of the packet.
  • If a packet is not received, after a timeout period client resends that packet.
  • Once the transmission is complete the session is closed
In case of UDP, the client and server don't establish a session. Client starts sending data packets to the server and there is no way of knowing if the packets are lost. Hence, UDP is good for communication where if an intermittent packet is lost, it doesn't need to be resent. For ex. video communication. By the time it will be realized that the packet is lost, in case of video communication, it might be too late or useless to send that packet back. However, in case of webpages a missing packet would mean that the web site wont work correctly and hence all the packets must be sent, in which case TCP should be used.
We can use the command telnet to establish a connection with the server at a given port and communicate with the server. We can also use a free tool named nmap to do port scanning. This utility will tell which ports are open on a given server. Here is a screenshot of running the command nmap -

Another great command to help see all the port info is netstat. netstat displays port statistics and current TCP/IP network connections associated with each process that is currently running.

A firewall defines what connections are allowed in and what connections are not. We can use the "Windows Firewall with Advanced Security" in vista or above to configure the firewalls. In the "windows firewall properties" we have 3 different areas in domain, public and private. Generally, all the profiles should have similar configuration. We can control the inbound, outbound connections and the logging mechanism via these properties.
We can also configure and create rules. If we go to inbound rules and create new rule, we can create the rule by program or port or by custom rules. If we create a rule by port, it will give us the option to choose the protocol (TCP/UDP) and port. Similarly, other types and outbound rules can be configured.

Wireshark is a great tool to inspect all the network traffic flowing through a computer's network adapter. First we have to choose the network adapter on which we want to do the inspection. This can be done via capture -> Interfaces. Now, let's say we want to do a nslookup on for Name Servers (type = NS) as we had discussed in the previous blogs. 
In wireshark, we can set the filter as dns and run the above query. We can see two rows - one being the request and other being the response.
At the bottom of wireshark UI, we have more details about these two operations.
Now lets say we want to find out what all TCP packets were involved when we  visit the site First, we find the IP address of this site by using nslookup. Then in wireshark, we click on the expressions button and navigate to the IPv4 field name. Here we select the ip.dst - Destination field and set the expression as ip.dst == <ipaddress>. Now, in the browser, navigate to and then in wireshart stop the live capture. You should now see a lot of rows in the wireshark UI. Right click on one of the rows and click "follow TCP stream". You should now see a window similar to this with the whole communication -