Solved

TCP Sequence Numbers Past 0xffffffff?

Posted on 2008-06-18
11
842 Views
Last Modified: 2013-11-05
Hi Experts,

This question is directly related to the TCP protocol. I have had no luck discovering what happens to the next generated TCP sequence number that would be greater than 0xffffffff. Does it wrap back around starting from 0?

For example, say the current sequence number is 0xfffffffa and the next packet sent contains 10 Bytes of data, would the next sequence number then be 0x00000004? Or does the connection reset before this can occur?

When the receiver receives a packet containing the RST flag, does it generate new sequence numbers, or does the connection have to be reestablished via the 3 way handshake? If the three way handshake occurs does the application controlling the stream then have to resend all initial login data etc., or does the receiving application continue on as if the connection was never reset? Is the RST process transparent to the application?

I know this is a very complex question, but hopefully someone or multiple experts can produce the multiple answers needed to solve this question.

Thanks,
Brandon
Question by:bdunz19
11 Comments
 
LVL 11

Accepted Solution

by:
rowansmith earned 250 total points
ID: 21819207
The sequence number is incremented by 1 for every byte sent.  When you increment 0xffffffff by 1 you get 0x00000000.

That's all, there is no teardown or rebuild of the circuit, no syns are sent, no resets, the unsigned 32-bit long is simply incremented by 1.

There is no magic here :-)

So yes as per what you have said:

say the current sequence number is 0xfffffffa and the next pack sent contains 10 Bytes of data, the next sequence number will be 0x00000004.


-Rowan

 
0
 
LVL 4

Assisted Solution

by:CCIE8122
CCIE8122 earned 250 total points
ID: 21819290
The answers to your (TCP) questions are all outlined in the TCP RFC, RFC 793.

Per section 3.1, the TCP sequence number field is a 32-bit field.  Accordingly, allowed values are 0x0 through 0xFFFFFFFF.  Per section 3.3, sequence numbers will wrap.

RST is only sent when data being received from sender is unacceptable or not pursuant to a legitimately open TCP conn.  Per section 3.4, RST is only sent when it is *clear* that the data we are receiving is not intended for us.  Based on the fact that the seq field is modulo 2^32 wrapping to 0, arriving at a 0xFFFFFFFF seq would not qualify.  Examples that would are covered in section 3.4.  In fact (with the exception of the SYN_SENT state), RSTs are only accepted and processed if the seq field is valid!

After termination of any connection, due to RST or otherwise, both ends abort the connection, revert to listen state, and require 3-way SYN/ACK handshake to establish a new connection.

The answer to your question regarding login info, etc. is more of an application question.  It depends on the application -- specifically, it depends at least on how sloppy the app coder was.  Ideally, if the conn is closed, upon opening of a new connection login credentials *should* be required anew.  Any state from previous connections that is cached would be a security risk.  When TCP closes a connection, it will pass that information on to higher layers.  The application should respond accordingly if it was written properly (read: so as to be secure).

Finally, the RST _process_ is completely transparent to both higher (application) and lower (data-link, network) layers.  None of the other layers know what is going on at layer 4.  That is the beauty of the layered model, which allows any protocols at a higher layer to interoperate across the transport without requirement to understand that transport.  That said, however, again, realize that the transport layer is absolutely going to convey to the application "hey, I have just closed this connection, you are done here."  It just won't necessarily inform the application of the dirty details of how or why the connection closed.

HTH

kr
0
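A worked example of the modulo 2**32 arithmetic both answers describe (added here; it is not code from the thread or from either expert). It also covers two points the thread only implies: SYN and FIN each consume one sequence number, and a stream tracker needs a wrap-aware comparison so that 0x00000004 is recognised as coming "after" 0xFFFFFFFA; the function names are my own, and the window check omits the zero-window and segment-length cases of RFC 793's full acceptability table.

```python
"""TCP sequence-number arithmetic modulo 2**32 (RFC 793 section 3.3).
Added example: shows the wrap at 0xFFFFFFFF and a wrap-safe comparison."""

SEQ_MOD = 1 << 32          # 0x100000000: size of the sequence space
SEQ_MASK = SEQ_MOD - 1     # 0xFFFFFFFF: largest valid sequence number


def next_seq(seq, payload_len, syn=False, fin=False):
    """Sequence number of the first byte after this segment.
    Each data byte consumes one sequence number; SYN and FIN each consume
    one more. The result wraps modulo 2**32, so 0xFFFFFFFF + 1 == 0."""
    consumed = payload_len + int(syn) + int(fin)
    return (seq + consumed) & SEQ_MASK


def seq_diff(a, b):
    """Signed distance from b to a in the circular 32-bit space:
    positive if a is after b, negative if before (valid while the true
    distance is below 2**31, which any real window satisfies)."""
    d = (a - b) & SEQ_MASK
    return d - SEQ_MOD if d & 0x80000000 else d


def seq_lt(a, b):
    """True if a precedes b in sequence space, even across the wrap."""
    return seq_diff(a, b) < 0


def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """Simplified receive-window test from RFC 793 section 3.3, written with
    wrap-safe differences: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND."""
    return 0 <= seq_diff(seq, rcv_nxt) < rcv_wnd


if __name__ == "__main__":
    # Constructed sample: the asker's case, a 10-byte segment at 0xFFFFFFFA.
    print(hex(next_seq(0xFFFFFFFA, 10)))        # 0x4
    # A naive "<" would say 0x4 comes before 0xFFFFFFFA; the wrap-aware
    # comparison gives the answer a stream tracker needs.
    print(seq_lt(0xFFFFFFFA, 0x4))               # True
```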
 
LVL 4

Author Comment

by:bdunz19
ID: 21819558
Thank you both for your responses! Just to clarify in regard to the sequence numbers, CCIE8122 you say that the sequence numbers are modulo 0xffffffff, that being the case then when the number reaches 0xffffffff you will have a value of 0, correct? So my example was wrong, the result of 10 Bytes of data from current sequence of 0xfffffffa would be 0x00000005?

CCIE8122: In response to the RST, you are saying that at the socket layer, the application sees this as if the connection was closed by the remote computer? Which would require the application code to establish a new connection to the remote listening computer, correct? If this is correct then I am thankful that I do not have to worry about handling intercepting the RST for this stream, as the information I am looking to track requires the information on the first data packet after an established connection (the device passes its MAC which we need to intercept on the first packet).

So if my understanding is correct, the predicted sequence numbers will never be modified other than expected (i.e. next predicted seq number) throughout an established connection?

Thanks again,
Brandon
0
 
LVL 11

Assisted Solution

by:rowansmith
rowansmith earned 250 total points
ID: 21820028
No, when the number reaches 0xFFFFFFFF you will have the number 0xFFFFFFFF; when you +1 you will have the number 0.  The range of an unsigned 32-bit number is 0x0 to 0xFFFFFFFF. So 0xFFFFFFFF + 10 = 0x00000004.

The sequence numbers will never be modified; in fact TCP relies on them being in sequence.

When the application attempts to read or write a socket that has been closed the OS responds with an EOF (End Of File); it is up to the application to manage this - e.g., re-establish the connection, report an error, exit, etc.

All network management analysis programs I have used hide the actual sequence number and instead display these numbers as if they started at 0, this makes troubleshooting substantially easier.  This is probably an option somewhere that can be turned off but I have never needed to see the actual sequence number.
0
 
LVL 11

Expert Comment

by:rowansmith
ID: 21820045
oops that should be 0xfffffffa + 10 = 0x00000004
0
 
LVL 4

Author Comment

by:bdunz19
ID: 21820213
Hey Rowansmith,

Thanks for your response. The thing that worries me is, like you said, unsigned integers are 32 bits (I'm a C++ programmer), and it would make sense that TCP would utilize the full 32 bits, but CCIE8122 made the comment: "based on the fact that seq number is modulo 2^32 wrapping to 0, arriving at 0xFFFFFFFF would not qualify." This is the issue I am looking at as our application has to be 100% precise on predicting the following sequence number, otherwise we lose track of the device's communications.

The RFC 793 in section 3.3 says "all arithmetic dealing with sequence numbers must be performed modulo 2**32."


Haha, never mind... After looking at that quote I just realized 2^32 is not 0xffffffff but is instead 0x100000000, which 0xffffffff mod 0x100000000 = 0xffffffff! Thanks for getting me to question that Rowansmith!
0
 
LVL 4

Author Comment

by:bdunz19
ID: 21820230
I'll leave this open for another day in case you guys have anymore comments on this subject. I really feel this would be a great resource for anyone else who needs detailed information on this subject. I had a hard time finding anything on the internet other than the rfc that talks about the details of TCP sequence numbers.
0
 
LVL 4

Assisted Solution

by:CCIE8122
CCIE8122 earned 250 total points
ID: 21823830
bdunz -- just to clarify my statement:

"Per section 3.4, RST is only sent when it is *clear* that the data we are receiving is not intended for us. Based on the fact that the seq field is modulo 2^32 wrapping to 0, arriving at a 0xFFFFFFFF seq would not qualify."

That is, RST is only sent when the data we receive is not expected.  Since the seq field wraps to 0, arriving at a seq of 0xFFFFFFFF would not qualify as receiving unexpected data, and therefore no RST is sent.  0xFFFFFFFF is a valid seq which -- when incremented by 0x1 -- wraps to 0x0.
0
 
LVL 4

Expert Comment

by:CCIE8122
ID: 21823927
also, there is of course a diff between "2^32" and "modulo 2^32."  the former is as you state 0x100000000, the latter is the set of 2^32 integers beginning at 0x0 and ending at 0xFFFFFFFF.  Thus, even though there are 0x100000000 numbers in the set, the 0x100000000th number is 0xFFFFFFFF, not 0x100000000, since 0x0 (not 0x1) is the first number.  

This is an easy thing to mess up on -- a perfect example is the computing argument for 2001 (not 2000) being the beginning of the new millennium.  There existed no Anno Domini 0, therefore AD 1 to AD 1000 are a set of 1000 years (one millennium), and 1001 to 2000 are the second millennium, with Jan 1, 2001 commencing the third.

kr
0
 
LVL 4

Expert Comment

by:CCIE8122
ID: 21823963
Even Jerry indicated incorrectly to Newman: "as everyone knows, since there was no year zero, the millennium doesn't begin until the year two-thousand and one.  Which would make your party, one year late, and thus, quite lame."

He should have said "one year early."
0
 
LVL 4

Author Comment

by:bdunz19
ID: 21827806
Thanks for the follow-ups added to this conversation CCIE8122! I think this will really help others in the future.

Thanks again for your clarification as it did confuse me at first.

Well, I think we probably exhausted this subject so I'll close it out and allocate the points.

You guys rock!
Brandon
0