TCP

4.8 Interpret the fields in protocol headers as related to intrusion analysis

📘Cisco Certified CyberOps Associate (200-201 CBROPS)


TCP (Transmission Control Protocol) Header Overview

TCP is a connection-oriented protocol used for reliable communication between devices over a network. It’s most commonly used for applications like web browsing (HTTP/HTTPS), email (SMTP, IMAP), file transfers (FTP), and remote access (SSH, Telnet).

In intrusion analysis, understanding TCP headers helps us detect things like port scanning, DoS attacks, session hijacking, or unusual connection patterns.

A TCP header has 20 bytes minimum (without options) and contains multiple fields. Let’s go through them.


1. Source Port (16 bits)

  • What it is: The port number on the device that is sending the TCP segment.
  • IT example: If a workstation is connecting to a web server, it might use a random high-numbered port (like 49152).
  • Why it matters in intrusion analysis:
    • Detects which application or service initiated the connection.
    • Unusual source ports may indicate malware communication or unauthorized services.

2. Destination Port (16 bits)

  • What it is: The port number on the device receiving the TCP segment.
  • IT example: A web server listening on port 80 (HTTP) or 443 (HTTPS).
  • Why it matters in intrusion analysis:
    • Helps identify targeted services.
    • A high number of SYN requests to multiple destination ports can indicate a port scan.

3. Sequence Number (32 bits)

  • What it is: A number used to keep track of data order in a TCP session.
  • IT example: When a large file is being sent via FTP, sequence numbers ensure the receiver assembles the data in the correct order.
  • Why it matters in intrusion analysis:
    • Abnormal or overlapping sequence numbers can indicate TCP hijacking or injection attacks.

4. Acknowledgment Number (32 bits)

  • What it is: The next sequence number the sender expects from the receiver. It confirms successful receipt of data.
  • IT example: After receiving a segment from a client, a server sends an acknowledgment so the client knows it arrived.
  • Why it matters in intrusion analysis:
    • Missing or out-of-order ACKs may show dropped or manipulated packets.
    • Can help spot man-in-the-middle attacks.

5. Data Offset / Header Length (4 bits)

  • What it is: Indicates how long the TCP header is. This helps the receiver know where the actual data starts.
  • IT example: Standard TCP headers are 20 bytes, but optional fields (like timestamps or window scaling) can make it longer.
  • Why it matters in intrusion analysis:
    • Detecting unusually large headers can reveal hidden options used in attacks.

6. Reserved (3 bits)

  • What it is: Reserved for future use; usually set to 0.
  • Why it matters:
    • Non-zero values could indicate malformed packets or attempts to exploit vulnerabilities.

7. Flags / Control Bits (9 bits)

These control the state of the TCP connection. The main flags are:

Flag        Purpose                            Intrusion Analysis Significance
URG         Urgent pointer is valid            Rarely used; suspicious if frequent
ACK         Acknowledgment number is valid     Ensures reliable delivery
PSH         Push data immediately              Could indicate high-frequency data transfers
RST         Reset connection                   Frequent RSTs may indicate scanning or attacks
SYN         Start a connection                 Used in connection setup; many SYNs can signal a SYN flood attack
FIN         End a connection                   Abrupt session ending may indicate abnormal behavior
ECE / CWR   Congestion control (TCP options)   Rarely used in intrusions but can indicate traffic manipulation
NS          ECN-nonce concealment protection   Advanced networks; rarely relevant

Key exam point:

  • SYN, SYN-ACK and ACK form the three-way handshake, in that order: SYN → SYN-ACK → ACK.

8. Window Size (16 bits)

  • What it is: Indicates how much data the receiver can accept without overflowing its buffer.
  • IT example: A web server may advertise a large window size to allow fast file transfer.
  • Why it matters in intrusion analysis:
    • Tiny windows may indicate throttling attacks.
    • Zero-window packets may signal DoS attempts.

9. Checksum (16 bits)

  • What it is: Error-checking field to verify data integrity.
  • IT example: If a TCP segment gets corrupted in transit, the checksum ensures the receiver detects errors.
  • Why it matters in intrusion analysis:
    • Invalid checksums can indicate packet tampering or malformed packets used by attackers.

10. Urgent Pointer (16 bits)

  • What it is: Points to urgent data if the URG flag is set.
  • IT example: Rarely used, but may be used in remote management tools.
  • Why it matters in intrusion analysis:
    • Abnormal use may indicate malware trying to bypass normal traffic inspection.

11. Options (Variable, often 0–40 bytes)

  • What it is: Optional features like Maximum Segment Size (MSS), timestamps, window scaling.
  • IT example: A server may advertise an MSS of 1460 bytes for optimized HTTP transfers.
  • Why it matters in intrusion analysis:
    • Attackers sometimes use unusual options to evade firewalls or IDS/IPS.
    • TCP fingerprinting often relies on option analysis to detect device type.

TCP Three-Way Handshake Recap

  1. SYN: Client requests connection.
  2. SYN-ACK: Server acknowledges and requests connection.
  3. ACK: Client acknowledges server.

Intrusion analysis tip:

  • Multiple SYNs without ACKs = possible SYN flood attack.
  • Out-of-order SYN-ACKs may indicate spoofed IP traffic.
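Added example, not from the original note: the Python script below tracks each client connection through SYN → SYN-ACK → ACK over a constructed set of already-decoded segments and turns the two tips above, plus the port-scan note under Destination Port, into checks. The `Segment` tuple, the addresses (documentation ranges) and the thresholds `min_count` and `min_ports` are assumptions made for this illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class Segment(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset

def seg(src, sport, dst, dport, *flags):
    return Segment(src, sport, dst, dport, frozenset(flags))

def handshake_state(segments):
    """Follow each client-side connection through the three-way handshake.
    Returns {(client_ip, client_port, server_ip, server_port): state}."""
    state = {}
    for s in segments:
        f = s.flags
        if f == {"SYN"}:                                   # step 1: client requests connection
            state[(s.src, s.sport, s.dst, s.dport)] = "SYN_SENT"
        elif f == {"SYN", "ACK"}:                          # step 2: server replies, roles swap
            key = (s.dst, s.dport, s.src, s.sport)
            if state.get(key) == "SYN_SENT":
                state[key] = "SYN_RECEIVED"
        elif "RST" in f:                                   # either side tore the attempt down
            for key in ((s.src, s.sport, s.dst, s.dport), (s.dst, s.dport, s.src, s.sport)):
                if key in state:
                    state[key] = "RESET"
        elif "ACK" in f:                                   # step 3: client completes the handshake
            key = (s.src, s.sport, s.dst, s.dport)
            if state.get(key) == "SYN_RECEIVED":
                state[key] = "ESTABLISHED"
    return state

def half_open_by_service(state, min_count=10):
    """SYN flood indicator: many connections to one service stuck before the final ACK."""
    counts = defaultdict(int)
    for (cip, cport, sip, sport), st in state.items():
        if st in ("SYN_SENT", "SYN_RECEIVED"):
            counts[(sip, sport)] += 1
    return {svc: n for svc, n in counts.items() if n >= min_count}

def port_scanners(state, min_ports=5):
    """Port scan indicator: one source sending SYNs to many distinct ports on one host
    without any of them becoming an established session."""
    ports = defaultdict(set)
    for (cip, cport, sip, sport), st in state.items():
        if st != "ESTABLISHED":
            ports[(cip, sip)].add(sport)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}

# Constructed sample traffic (documentation addresses).
SERVER = "198.51.100.5"
TRAFFIC = [
    # A normal handshake that completes.
    seg("192.0.2.10", 49152, SERVER, 443, "SYN"),
    seg(SERVER, 443, "192.0.2.10", 49152, "SYN", "ACK"),
    seg("192.0.2.10", 49152, SERVER, 443, "ACK"),
]
# One host probing eight closed ports; the server answers each with RST/ACK.
for i, port in enumerate((21, 22, 23, 25, 110, 143, 3389, 8080)):
    TRAFFIC.append(seg("192.0.2.66", 40000 + i, SERVER, port, "SYN"))
    TRAFFIC.append(seg(SERVER, port, "192.0.2.66", 40000 + i, "RST", "ACK"))
# Thirty SYNs to port 80 from thirty different sources that never send the final ACK.
for i in range(30):
    TRAFFIC.append(seg("203.0.113.%d" % (i + 1), 1024 + i, SERVER, 80, "SYN"))
    TRAFFIC.append(seg(SERVER, 80, "203.0.113.%d" % (i + 1), 1024 + i, "SYN", "ACK"))

if __name__ == "__main__":
    st = handshake_state(TRAFFIC)
    print("half-open per service:", half_open_by_service(st))
    print("port scanners:", port_scanners(st))
```

In the sample the legitimate session ends in ESTABLISHED and is ignored, the thirty half-open connections to port 80 are reported as one service under pressure, and the host that touched eight ports without completing any handshake is reported as a scanner; the thresholds are starting points to tune against a network's normal baseline.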

Summary Table for Exam

Field                   Key Points for Intrusion Analysis
Source Port             Detect unauthorized services, malware communication
Destination Port        Identify targeted service; detect port scans
Sequence Number         Detect TCP hijacking, abnormal data flow
Acknowledgment Number   Spot missing or manipulated packets
Data Offset             Identify abnormal TCP options
Reserved                Malformed packets may indicate attacks
Flags                   Detect SYN floods, RST scans, abnormal sessions
Window Size             Detect DoS, throttling, or abnormal flow
Checksum                Detect tampering or corruption
Urgent Pointer          Rare use; suspicious if abnormal
Options                 TCP fingerprinting, evasion techniques

By understanding these fields, you can analyze PCAP files or network logs to detect suspicious TCP activity and potential intrusions.