I'm trying to get my head around TCP and parsing the massive RFC isn't helping. I believe I understand the connect and close handshakes, but I can't seem to find anything that summarizes what the actual data stream looks like.

What does a TCP packet look like in between the connect and close handshakes? (particularly the header)

+3  A: 

In the usual steady-state case during the connection, the header will have:

  • the destination and source ports set appropriately;
  • the ACK flag set;
  • if the connection is transactional (rather than bulk-transfer) in nature, the PSH flag is also likely to be set;
  • the sequence number field is set to the sequence number of the next byte to be sent by this end (counting the data in this packet, if any, as "to be sent");
  • the acknowledge field is set to the sequence number of the earliest byte yet to be received from the other end;
  • the window field shows the remaining space in this end's receive window - the encoding used depends on whether or not window scaling was negotiated in the initial connection setup.

There is also likely to be a type 8 option field, representing the Time Stamp Option described in RFC1323.

So, for example, during the portion of an HTTP connection in which the server is sending a large amount of data to the client, the client will be sending packets with ACK set, the sequence number field remaining constant, the acknowledge field incrementing by the size of the segments that the server is sending, and the window size somewhere around the size of one segment. The server will be sending packets with ACK set, the sequence number field advancing by the size of the segments being sent, the acknowledge field remaining constant, and the window size at maximum.

I recommend using Wireshark to examine a range of real-world connections.

caf
Thanks a bunch. This is exactly what I was looking for.
Sam Washburn
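
The header fields listed in the answer above can be read out of a raw segment with a small parser. This is an added example, not part of the original answer; `SAMPLE` is a constructed steady-state segment (ports, sequence numbers and timestamp values are made up), and the function name is hypothetical.

```python
import struct

FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]

def parse_tcp_header(segment: bytes) -> dict:
    """Parse the fixed TCP header and its options from a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("shorter than the 20-byte fixed TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4        # data offset counts 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("data offset points outside the segment")
    flags = [n for i, n in enumerate(FLAG_NAMES) if off_flags & (1 << i)]
    # 'window' is the raw 16-bit value; any scale factor was exchanged in the
    # SYN segments and has to be remembered from the connection setup.
    hdr = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
           "flags": flags, "window": window, "options": {},
           "payload_len": len(segment) - header_len}
    opts, i = segment[20:header_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                         # End of Option List
            break
        if kind == 1:                         # NOP, one byte of padding
            i += 1
            continue
        # Every other option is kind, length, data; reject lengths that
        # would loop forever (< 2) or run past the end of the header.
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 8 and length == 10:        # Timestamp option (RFC 1323)
            hdr["options"]["timestamp"] = struct.unpack("!II", body)
        else:
            hdr["options"][kind] = body
        i += length
    return hdr

# Constructed sample: server-to-client data segment with ACK+PSH set,
# a 32-byte header (data offset 8) and NOP, NOP, Timestamp options.
SAMPLE = (struct.pack("!HHIIHHHH", 80, 51000, 1000, 500, 0x8018, 65535, 0, 0)
          + bytes([1, 1, 8, 10]) + struct.pack("!II", 12345, 6789)
          + b"HTTP data")

if __name__ == "__main__":
    print(parse_tcp_header(SAMPLE))
```

The sender's next segment would carry `seq + payload_len` in its sequence number field, which is the "advancing by the size of the segments" behaviour described in the answer.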