Network protocol

Transmission Control Protocol (TCP) is a reliable network protocol that ensures steady data transmission between applications, operating at the 4th layer of the OSI model. It establishes connections through a three-way handshake, manages data flow and error control, and includes features like multiple connections and security definitions. The document also covers TCP connection termination, default ports, and compares it with User Datagram Protocol (UDP), highlighting the differences in reliability and connection setup.

Uploaded by

Who Knows
Copyright
© All Rights Reserved

Transmission Control Protocol (TCP) - 1

What is Transmission Control Protocol (TCP)?

Transmission Control Protocol (TCP) is a network protocol that provides reliable and steady data transmission between applications. According to the OSI model, it is located in the 4th layer.

The Features of TCP Protocol

• Ensures the data transmission between the two applications.
• Allows multiple connections.
• There is no data transfer before the connection is established.
• Priority and security definitions can be made for the data sent.
• Performs error control.
• Provides flow control.

Establishing the TCP Connection (Three-way Handshake)

A TCP connection must be established before data can be transferred over the TCP protocol. Establishing the connection indicates that the sender and the recipient are both ready for the data transfer.

The procedure that establishes the TCP connection before the data transfer is called the “Three-Way Handshake”. It consists of the following steps:

• The sender that wants to establish the TCP connection sends a TCP segment with the “SYN” flag set to the recipient.
• After receiving this segment, the recipient sends a TCP segment with the “SYN” and “ACK” flags set back to the sender.
• As the final step, the sender responds to this segment with a TCP segment that has the “ACK” flag set, and the connection is established.

The image below shows how the TCP connection is established between the
sender and the recipient:

Note: The SYN and ACK flags are 1-bit fields within the TCP header.

TCP Data Flow and Transmission Reliability

The data carried in TCP segments is handled as bytes (eight-bit units). The TCP protocol tracks each byte sent and received by numbering it. For each piece of data it sends, it waits for a response from the recipient. After the reply from the recipient arrives, the next piece of data is sent, and in the same way a response is expected for that piece of data. With this numbering system, the TCP protocol ensures transmission reliability and delivers the data completely and in sequence.

During connection establishment, the TCP protocol chooses a random number. This number is called the “Initial Sequence Number (ISN)” and is used for the first data transfer on the TCP connection. New numbers are then created by adding the number of bytes sent to this number. Each of these newly generated numbers is called a "Sequence Number". With these numbers the TCP protocol knows whether a segment has been received by the receiver. For example, in the image below, the ISN is set as “ISN=0”. After a segment of “1024” bytes was sent, the receiver confirmed the segment with the ACK number and the sequence number was updated. If the segment with ACK number 1024 had not come from the recipient, the data transfer would not have continued: the previously sent TCP segment would be sent again and the segment with ACK number 1024 would be expected to arrive.
TCP is a network protocol that provides reliable transmission. The three-way handshake described in the previous topic is one of the mechanisms that ensure transmission reliability in the TCP protocol. The main mechanism is a structure that confirms whether each TCP segment has been delivered or not. Thanks to this systematic segment accounting, if a TCP segment cannot be delivered for any reason, it is sent again until it reaches the receiving party. For example, the following image shows how the TCP protocol behaves in the case of a transmission error:

Terminating TCP Connections

Terminating TCP connections takes place in 4 steps:

1. The party that wants to terminate the TCP connection sends a TCP segment with the “FIN” flag set to the target device.
2. After receiving the TCP segment, the target device sees that the "FIN" flag is set and sends a TCP segment with the "ACK" flag set in response.
3. The target device sends a TCP segment with the “FIN” flag set to the device that wants to terminate the connection.
4. As the last step, the device that wants to terminate the connection sends a TCP segment with the "ACK" flag set in response to the incoming TCP segment, and the TCP connection is terminated.

Note: The FIN and ACK flags are 1-bit fields in the TCP header. TCP connections can also be terminated with the “RST” flag. A termination using the RST flag is immediate and one-sided. In other words, the “RST” flag is used to reset the connection.
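The handshake, the sequence/acknowledgement bookkeeping and the four-step termination described above can be checked mechanically, which is what a network monitor does when it reconstructs connections from captured segments. The following Python connection tracker is an added example, not code from the training material; the segment trace, the client address and the sequence numbers in it are constructed (the ISN is 0 as in the text's example, so the first 1024-byte segment is acknowledged at 1025 because the SYN itself consumes one sequence number).

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

@dataclass
class Segment:
    """Constructed model of one TCP segment, limited to the fields the text discusses."""
    src: str             # "ip:port" of the endpoint that sent the segment
    dst: str
    flags: Set[str]      # any of "SYN", "ACK", "FIN", "RST", "PSH"
    seq: int
    ack: int = 0
    payload_len: int = 0

def track(client: str, server: str, segments: List[Segment]) -> Tuple[str, List[str]]:
    """Replay one connection's segments; return its final state and the events observed."""
    state, events = "CLOSED", []
    nxt = {client: None, server: None}  # next sequence number expected from each endpoint
    close_step, closer = 0, None        # progress through the four-step termination
    for seg in segments:
        f = seg.flags
        if "RST" in f:  # immediate, one-sided termination
            state = "CLOSED"
            events.append(f"reset by {seg.src}")
            break
        if state == "CLOSED" and f == {"SYN"} and seg.src == client:
            nxt[client] = seg.seq + 1  # the SYN carries the client's ISN and consumes one number
            state = "SYN_SENT"
            events.append("SYN")
        elif state == "SYN_SENT" and f == {"SYN", "ACK"} and seg.src == server and seg.ack == nxt[client]:
            nxt[server] = seg.seq + 1  # the SYN/ACK carries the server's ISN
            state = "SYN_RECEIVED"
            events.append("SYN/ACK")
        elif state == "SYN_RECEIVED" and "ACK" in f and seg.src == client and seg.ack == nxt[server]:
            state = "ESTABLISHED"
            events.append("handshake complete")
        elif state in ("CLOSED", "SYN_SENT", "SYN_RECEIVED"):  # no data before the connection exists
            events.append(f"unexpected {'/'.join(sorted(f))} from {seg.src} in {state}")
        else:
            # Established or closing: a direction's next segment must start at the byte expected.
            if seg.seq == nxt[seg.src]:  # SYN/FIN consume one sequence number, payload bytes one each
                nxt[seg.src] = seg.seq + seg.payload_len + ("SYN" in f) + ("FIN" in f)
            else:
                kind = "retransmission" if seg.seq < nxt[seg.src] else "gap"
                events.append(f"{kind} from {seg.src}: seq={seg.seq}, expected {nxt[seg.src]}")
            if "ACK" in f and seg.ack > nxt[seg.dst]:
                events.append(f"{seg.src} acknowledges bytes never sent ({seg.ack} > {nxt[seg.dst]})")
            # Four-step termination: FIN, ACK, FIN, ACK (steps 2 and 3 may share one FIN/ACK segment).
            if close_step == 0 and "FIN" in f:
                close_step, closer, state = 1, seg.src, "FIN_WAIT_1"
                events.append(f"FIN from {seg.src}")
            elif close_step == 1 and seg.src != closer and "ACK" in f:
                close_step, state = 2, "FIN_WAIT_2"
                events.append("FIN acknowledged")
                if "FIN" in f:
                    close_step, state = 3, "LAST_ACK"
                    events.append(f"FIN from {seg.src}")
            elif close_step == 2 and seg.src != closer and "FIN" in f:
                close_step, state = 3, "LAST_ACK"
                events.append(f"FIN from {seg.src}")
            elif close_step == 3 and seg.src == closer and "ACK" in f:
                close_step, state = 4, "CLOSED"
                events.append("graceful close complete")
    return state, events

C, S = "192.168.216.1:40000", "192.168.216.128:5555"  # constructed client; server address from the text

def sample_trace() -> List[Segment]:
    """Constructed trace: handshake, a 1024-byte segment sent twice, then a graceful close."""
    return [
        Segment(C, S, {"SYN"}, seq=0),
        Segment(S, C, {"SYN", "ACK"}, seq=5000, ack=1),
        Segment(C, S, {"ACK"}, seq=1, ack=5001),
        Segment(C, S, {"ACK", "PSH"}, seq=1, ack=5001, payload_len=1024),
        Segment(C, S, {"ACK", "PSH"}, seq=1, ack=5001, payload_len=1024),  # no ACK arrived: resent
        Segment(S, C, {"ACK"}, seq=5001, ack=1025),
        Segment(C, S, {"FIN", "ACK"}, seq=1025, ack=5001),
        Segment(S, C, {"FIN", "ACK"}, seq=5001, ack=1026),
        Segment(C, S, {"ACK"}, seq=1026, ack=5002),
    ]
```

Running `track(C, S, sample_trace())` reports the completed handshake, the retransmitted data segment, both FINs and the graceful close; a segment carrying RST ends the connection immediately from either side.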

TCP Connections

TCP connections are used by the applications on a device that transmit data over TCP. Certain protocol information is needed so that applications can connect with the TCP protocol. Each TCP connection consists of the “Source IP Address-Source Port Number” and “Destination IP Address-Destination Port Number” information.

What is Port?

Ports are the communication points that applications use to communicate with each other. Many services can exist on a server at the same time. Port numbers make it clear which service an incoming request belongs to. A port is essentially a number that can take a value between “0-65535”. Some port numbers are used by certain protocols by default. A port number and an IP address together form the socket address. For instance, the expression “192.168.5.100:8080” (IP_Address:Port_Number) contains two separate pieces of information separated by “:”:

• IP Address
• Port Number

Default TCP Ports

Below are examples of default ports for the most well-known protocols:

• FTP : 21
• SSH : 22
• Telnet : 23
• SMTP : 25
• DNS : 53
• HTTP : 80
• POP3 : 110
• SMB : 445

You can find further information on default TCP ports at the following link:

Default Ports: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

In this part of the training, we have covered the basics of the TCP protocol,
its features, how the TCP connections are established and terminated, as well
as the TCP data flow reliability. We will continue covering the TCP protocol in
the next chapter of our training.

Transmission Control Protocol (TCP) - 2

TCP Protocol Header

There are many protocol-specific data fields in the header of the TCP protocol. These data fields contain all the information required by the TCP protocol. The following image shows the header and fields of the TCP protocol:

Each field is briefly explained under the following headings:

Source Port Number

“Source Port Number” is the field that contains the port number of the sender. It is “16 bits” long.

Destination Port Number

“Destination Port Number” is the field that contains the port number of the recipient. It is “16 bits” long.

Sequence Number

The “Sequence Number” field is the number used to track the transmission of TCP segments. If the "SYN" flag is set in the TCP segment, this number is the "Initial Sequence Number" value. It is "32 bits" long.

Acknowledgement Number

The “Acknowledgement Number” field is a value that indicates up to which byte the sent segments have been received by the other side. It is "32 bits" long.

Header Length (HLEN)

“Header Length” is the field that holds the value of the TCP header length.
It is “4 bits” long.

Reserved

It is the field reserved for future use. It is “3 bits” long.

Control Flags

“Control Flags” is the field where the values of the flags are kept. Each flag is "1 bit" long. Setting a flag means that it takes the value "1" in binary. In total, this field is “9 bits” long.

• SYN: The flag used to initiate TCP connections.
• ACK: The confirmation flag indicating that packets were transmitted successfully. It is also used to confirm the connection setup.
• FIN: The flag used to terminate the TCP connection in a controlled manner.
• RST: The flag used to terminate the TCP connection unilaterally and abruptly; it resets the connection.
• PSH: The flag set in packets whose data is to be delivered to the target application.
• URG: The flag used to signal that the segment carries urgent, priority data.

Window Size

“Window Size” is the field that defines the maximum amount of data the recipient’s buffer can accept. It is “16 bits” long.

Checksum

“Checksum” is the field used to check whether the integrity of the TCP segment is intact after transmission. It is displayed as a hexadecimal value and is “16 bits” long.

Urgent Pointer

The “Urgent Pointer” field is a value that indicates up to which byte the urgent data extends. In order to use this field, the "URG" flag must be set. It is “16 bits” long.

Options

“Options” is the field created for various additional TCP protocol features. Its use is optional, and it has no fixed length.

Establishing a TCP Connection with Netcat


It is possible to establish a TCP connection between devices via the command line with the “Netcat” tool. Netcat comes pre-installed on Linux systems and is used with the "nc" command. The following example uses two different Linux command lines. Let's set up a TCP connection:

Note: In this example, port 5555 is used; a different port number can be used optionally.

First of all, let's open the netcat tool in “listen” mode to listen for packets coming to TCP port 5555:

As seen in the image above, the target to which we will establish the TCP connection has been successfully put into listen mode with the command "sudo nc -lvp 5555".

The meanings of the parameters applied in the command are as follows:

• -l: listen mode, waiting for an incoming connection
• -v: verbose output
• -p: the local port number to listen on (5555 here)

The following command is applied on the other Linux command line to start the connection:

Command : sudo nc 192.168.216.128 5555

The connection will be established successfully after you apply the above command unless there are network communication problems. After the connection is established, each typed character or word is transmitted to the target. For example, let's send a message by typing "Hello My Friend":

As seen in the image above, the message was transmitted to the target system and displayed on its command line, as in the image below.

TCP Protocol Review with Wireshark

There are some tools with a graphical user interface (GUI) that allow network
packets to be examined in detail. One of these tools is the "Wireshark" tool.

You can download the Wireshark tool from the following address:

Wireshark: https://www.wireshark.org/download.html

Let's see each field of the TCP protocol described above via Wireshark:

As you see in the image above, the fields of the TCP protocol have been successfully displayed in the Wireshark tool.

Note: You can access the PCAP file in the example from the "Course Files" area at the end of the course.

In this part of the training we have covered the basics of the TCP protocol header, TCP connection setup with Netcat, and the examination of the TCP protocol in Wireshark. We will be covering the “User Datagram Protocol (UDP)” in our next chapter.

User Datagram Protocol (UDP)

What is User Datagram Protocol (UDP)?

User Datagram Protocol (UDP) is another network protocol that provides data
transmission between applications. It is located in the 4th layer of the OSI
model. Unlike the TCP protocol, the UDP protocol does not provide
transmission reliability.

Features of the UDP Protocol

• It does not require connection setup before transmission.
• It provides a fast transmission.
• It does not guarantee that the data will be transmitted.
• It contains less information in the header structure.
• It is often used by video applications and real-time applications.
• It doesn't do error checking.
• It doesn't handle flow control.


UDP Connections

UDP connections are used by applications that transmit data via UDP. Certain protocol information is needed so that applications can connect with the UDP protocol. Each UDP connection consists of the “Source IP Address-Source Port Number” and “Destination IP Address-Destination Port Number” information.

Note: The port concept is explained in the previous TCP section.

Default UDP Ports

Below are examples of default ports for the most well-known protocols:

• DNS : 53
• DHCP : 67,68
• SNMP : 161,162

A larger list of default UDP ports can be found at:

Default Ports: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

UDP Protocol Header

The UDP header has far fewer fields than the headers of other network protocols. The following image shows the header and fields of the UDP protocol:

Source Port Number

It is the field that contains the port number of the sender. It is “16 bits” long.

Destination Port Number

It is the field that contains the port number of the recipient. It is “16 bits” long.

Length

It is the field that contains the total length of the header and data of the UDP
segment. It is “16 bits” long.

Checksum

The “Checksum” field contains the hexadecimal value used to check whether the integrity of the UDP segment is intact after transmission. Unlike in the TCP protocol, this field is optional. It is “16 bits” long.

UDP Protocol Review with Wireshark

There are some tools with a graphical user interface (GUI) that allow network
packets to be examined in detail. One of these tools is the "Wireshark" tool.

You can download the Wireshark tool from this link.

Let's see each field of the UDP protocol described above via Wireshark:

Note: You can access the PCAP file in the example from the "Course Files" area at the end of the course.

As you see in the image above, the fields of the UDP protocol have been displayed successfully through the Wireshark tool.

We have learned what the UDP protocol is, its features and the fields in the
UDP protocol header in this part of the training and we will cover the “DNS
Protocol” in next chapter of our training.

Domain Name System (DNS) - 1

What is DNS Protocol?


In the early days of the internet, hostnames were kept in “hosts” files on central servers. The IP address of a computer with a known hostname used to be looked up in this file. As the number of domains on the internet grew over time, the size of the hosts file increased steadily. Distributing this file to computers over the network became difficult in many respects, which led to the creation of the DNS protocol as a solution to this problem. Today, the hosts file is still present on computers and can be used.

Note: The location of the hosts file on Windows and Linux and the structure
of this file are described in the following sections.

Each website has an IP address, and we need to know the IP address of the website we want to connect to. There are so many websites that it is not possible to remember their IP addresses; the format of IP addresses is also not easy to remember. Therefore, DNS is the protocol responsible for matching and translating between IP addresses and hostnames.

The DNS protocol finds the IP address of the hostname we need to connect to. For example, if you want to access “Letsdefend.io” via a browser, your system needs to know the IP address of letsdefend.io, which is handled by the DNS protocol.

What is Domain and Subdomain?

“Domain” is an address with a certain hierarchical structure that is used to access websites on the internet.

“Subdomains” are the sub-sites under the main domain. Hierarchically, a subdomain is located to the left of the main domain address and is separated from it with a “.” (dot). For example, the image below shows a domain and a subdomain:

Top-Level Domains

Top-Level Domains (TLDs) are the extensions added to domain names. They appear to the right of internet addresses and are separated and assigned according to certain purposes. For example, some of the most well-known TLDs are shown in the image below:

There are a lot of different TLDs for different uses and purposes. You can get more detailed information about TLDs and their types at the following page.

You can see the list of the TLDs at the following page.

Features of the DNS Protocol

• The DNS protocol is located in the 7th layer (Application Layer) according to the OSI model.
• It uses the UDP protocol in the transport layer.
• DNS has a hierarchical structure.
• DNS works using distributed databases.
• Each organization has its own DNS servers to enable devices to communicate with each other within its own computer network.
• A DNS server usually uses UDP port 53.


DNS Protocol Working Logic

When we want to connect to a website, a number of highly systematic transactions occur within seconds. These are the transactions related to the DNS protocol and DNS servers. The DNS protocol uses DNS servers to perform its tasks. A DNS server keeps the hostname-IP address information of websites and responds to DNS queries for this information. In this way, the IP address of the website in the query is transmitted so that network communication can take place. When the DNS protocol cannot perform its task, the communication of devices with each other is interrupted; therefore, the DNS protocol is of great importance for communication.

The image below shows how a system acquires the IP address information through DNS to access the “Letsdefend.io” website. The details of each numbered step are as follows:

1. The computer sends the DNS query to the DNS server registered on it. If “Letsdefend.io” has been accessed previously, the IP address of this website may already be known to that DNS server. If so, the IP address information is obtained from the DNS server.
2. If “Letsdefend.io” was not accessed before, the DNS server cannot find the IP address information and contacts the “Root DNS Server” in order to find the authoritative DNS server of “Letsdefend.io”.
3. The “Root DNS Server” tries to determine the “Primary DNS Server” belonging to "Letsdefend.io" from its database. Once the “Primary DNS Server” IP address is determined, it is transmitted to the previous DNS server.
4. The DNS server registered on the computer obtains the “Primary DNS Server” address belonging to "Letsdefend.io" and then sends a DNS query to find the IP address of the "Letsdefend.io" domain.
5. The DNS query reaches the “Primary DNS Server” belonging to “Letsdefend.io", and this DNS query is answered.
6. The DNS server registered on the computer sends the IP address of "Letsdefend.io" to the querying system that needs to access "Letsdefend.io". With the IP address, the computer can now contact the target, as it has obtained the information required to access the target website.

Types of DNS Records

There are a lot of different forms and variations of DNS records registered on DNS servers. Some of these record types are shown in the image below:

You can get more detailed information about the types of DNS records at the following page:

https://en.wikipedia.org/wiki/List_of_DNS_record_types

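As an added example, not part of the course material, the following Python code builds the type-A query for letsdefend.io that the Wireshark review below examines and parses a constructed response to it, including the name-compression pointers a DNS dissector must follow. The transaction-id check is the client's defence against unsolicited replies: a response whose id does not match the query is discarded. The answer addresses 203.0.113.x are documentation addresses chosen for the example, not letsdefend.io's real records.

```python
import random
import struct
from typing import Any, Dict, List, Tuple

RECORD_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA"}

def encode_name(name: str) -> bytes:
    """Wire format of a domain name: length-prefixed labels ending with a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name: str, qtype: int = 1, txid: int = None) -> bytes:
    """Standard query for one record (type 1 = A): 12-byte header, question name, type, class IN."""
    txid = random.randrange(1 << 16) if txid is None else txid  # random id: the reply must echo it
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags 0x0100: recursion desired
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Read a name at offset, following compression pointers (0xC0xx) back to earlier names."""
    labels: List[str] = []
    end, hops = None, 0
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:
            if end is None:
                end = offset + 2  # the 2-byte pointer is the last thing occupying space in place
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:  # a pointer chain that loops is malformed input
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (offset if end is None else end)

def parse_response(msg: bytes, expected_id: int) -> Dict[str, Any]:
    """Parse header, question and answer sections; reject replies that do not match our query id."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_id:
        raise ValueError(f"transaction id 0x{txid:04x} does not match query 0x{expected_id:04x}")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, RECORD_TYPES.get(qtype, str(qtype))))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == 1 and rdlen == 4:
            value = ".".join(str(b) for b in rdata)  # A record: an IPv4 address
        elif rtype in (2, 5):
            value, _ = decode_name(msg, offset)      # NS / CNAME: another, possibly compressed, name
        else:
            value = rdata.hex()
        offset += rdlen
        answers.append((name, RECORD_TYPES.get(rtype, str(rtype)), ttl, value))
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}

def sample_response(query: bytes) -> bytes:
    """Constructed reply: same id, QR/RD/RA set, two A answers whose names point back to the question."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0)

    def a_record(ip: str) -> bytes:  # name = pointer to offset 12, type A, class IN, TTL 300, 4 bytes
        return b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in ip.split("."))

    return header + query[12:] + a_record("203.0.113.10") + a_record("203.0.113.11")
```

`parse_response(sample_response(q), txid)` returns the question as `("letsdefend.io", "A")` and two A answers with TTL 300; the same reply presented with a different expected id raises `ValueError`.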
DNS Protocol Review with Wireshark

There are some tools with a graphical user interface (GUI) that allow network
packets to be examined in detail. One of these tools is the "Wireshark" tool.

You can download Wireshark at the following page.

An example DNS query and response is shown below through Wireshark:

Note: You can access the PCAP file in the example from the "Course Files" area at the end of the course.

As seen in the image above, a DNS query was made to find the IP address of the "letsdefend.io" website. The DNS record type is "A". Let's see the response returned to the DNS query:

As seen in the image above, the DNS query was answered and the IP addresses of the "letsdefend.io" address were found.

Note: You can access the PCAP file in the example from the "Course Files" area at the end of the course.

In this part of our training we have covered the basics of the DNS protocol, its features and how it works, as well as a review of the DNS protocol in Wireshark. We will keep learning about the DNS protocol in the next part of our training.

Domain Name System (DNS) - 2

Hosts File

The hosts file is a local name-resolution file included with Windows and Linux. It is possible to use the hosts file, which was used before the DNS protocol was developed, in today's operating systems as well. In DNS queries made on the system, the contents of the hosts file are checked first. If a record for the address in the query is present in the hosts file, that record is taken as valid.

Note: The location of the hosts file in Windows is "C:\Windows\System32\drivers\etc\hosts"; in Linux it is "/etc/hosts".

For example, let's practice the situations where a record for the "letsdefend.io" address is and is not included in the hosts file.

The contents of the hosts file are as follows when the record is not included:

As seen in the image above, there are no active records in the hosts file.

Note: Lines starting with the “#” sign in the hosts file are comment lines.

Let's try to access the "letsdefend.io" address via the browser:

As seen in the image above, the "letsdefend.io" website has been accessed successfully.

Let's add a new record to the hosts file and forward the DNS requests made to the "letsdefend.io" address to our localhost address. For this, the hosts file should be edited as follows:

As seen in the image above, a new record has been added and the file has been saved.

Note: Administrator privileges are necessary to make changes to the hosts file.

After this change, let's try to access the "letsdefend.io" address via the browser again:

As seen in the image above, although we tried to access the "letsdefend.io" address via the browser, we reached the page of the web server on our own local machine. The record in the hosts file is what causes this.
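The hosts-file-first lookup order and the redirect just demonstrated can be reproduced in code. The following Python example is added here and is not part of the course: it parses hosts-file content in the Windows/Linux format (comment lines starting with "#", first matching record wins), resolves a name through the hosts file before falling back to DNS, and lists the records that override public names, which is the check a defender runs on a host because the same mechanism is used to hijack or sinkhole domains. The hosts content and the DNS stand-in answers are constructed.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed hosts-file content in the format both Windows and Linux use.
# The "letsdefend.io" line is the redirect from the text: the name resolves to the local machine.
SAMPLE_HOSTS = """\
# Lines starting with "#" are comments and are ignored by the resolver.
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback

# 203.0.113.10  letsdefend.io      <- commented out, so this record is inactive
127.0.0.1       letsdefend.io www.letsdefend.io   # the redirect added in the exercise
0.0.0.0         update.example.test               # a sinkholed name (constructed)
not-an-address  broken.example.test               # malformed line, ignored
"""

LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname to its address. The first record for a name wins, as in the resolver."""
    records: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, whether whole-line or trailing
        if not line:
            continue
        address, *names = line.split()
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # malformed line: the resolver ignores it, and so do we
        for name in names:
            records.setdefault(name.lower(), address)
    return records

def resolve(name: str, hosts: Dict[str, str], dns_lookup: Callable[[str], str]) -> Tuple[str, str]:
    """Hosts file first, DNS only when no record matched; returns (address, source)."""
    key = name.lower().rstrip(".")
    if key in hosts:
        return hosts[key], "hosts"
    return dns_lookup(key), "dns"

def overrides(hosts: Dict[str, str]) -> List[Tuple[str, str]]:
    """Records that override public names (anything that is not a local loopback name).

    On a system that should have no custom entries, every item returned here deserves a look,
    because such a record silently bypasses DNS for that name."""
    return sorted((n, a) for n, a in hosts.items() if n not in LOCAL_NAMES)

def stub_dns(name: str) -> str:
    """Stand-in for a real DNS query so the example runs offline (constructed answers)."""
    table = {"example.test": "203.0.113.5"}
    if name not in table:
        raise LookupError(f"NXDOMAIN: {name}")
    return table[name]
```

With the sample content, `resolve("letsdefend.io", ...)` is answered from the hosts file without any DNS query, while `resolve("example.test", ...)` falls through to the DNS stand-in.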

Making a DNS Query with Dig

The dig tool, which runs from the Linux command line, is used to make DNS queries. For example, let's query DNS with the dig tool:

As can be seen in the image above, the DNS query has been completed successfully and the response has been returned.

For those who do not have access to the Linux command line, there is an online implementation of the dig tool:

Dig Online: https://www.digwebinterface.com/

For example, let's do the previous practice over the Dig online service:

As seen in the image above, the DNS query has been successfully applied with the online dig service and the response has been received.

Making a DNS Query with Nslookup

Another tool that can make DNS queries is the "nslookup" tool. This tool works on both Windows and Linux command lines. For example, let's do a DNS query using the nslookup tool:

As seen in the image above, the DNS query has been completed successfully and the response has been returned.

We have covered the hosts file and the applications that help implement DNS
queries. We will talk about the “Telnet Protocol” in the next part of the
training.
