TCP 3 Way Hand Shake Explained - With Wireshark Packet Capture


TCP and UDP are the Layer 4 (Transport Layer) protocols of the OSI model. TCP, the Transmission Control Protocol, is a connection-oriented, highly reliable protocol; application protocols such as HTTP, HTTPS and SSH run on top of it.

TCP establishes every connection with a three-way handshake, which is what gives it connection-oriented, reliable communication:

SYN -> SYN-ACK -> ACK

TCP 3 Way Hand Shake

  1. Capture an HTTPS session with Wireshark to illustrate the handshake.
  2. Start Wireshark in Kali Linux.
  3. Open a browser and visit https://google.com.
  4. Stop the capture; you will see a large number of TCP packets captured in the tool.
  5. Let's dive into the details of the three handshake packets: the TCP SYN packet, the TCP SYN-ACK packet and the TCP ACK packet.

TCP SYN PACKET


SRC PORT = the source port on the client machine from which the TCP connection is opened

DST PORT = the destination port on the server machine to which the TCP connection is made

SEQ = 0, the sequence number shown in the TCP header (Wireshark displays relative sequence numbers by default, so the client's initial sequence number is shown as 0)

FLAGS = 0x002, which indicates a SYN packet (only the SYN bit is set)

TCP SYN ACK PACKET

FLAGS = 0x012, which indicates a SYN-ACK packet (the SYN and ACK bits are set)


TCP ACK PACKET

FLAGS = 0x010, which indicates an ACK packet (only the ACK bit is set)
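As an added example (not code from the article), the following Python decodes the raw TCP flags field the way Wireshark labels it and checks that a constructed SYN, SYN-ACK, ACK triple is a valid handshake, reporting the relative sequence numbers Wireshark shows; the addresses and initial sequence numbers are made up.

```python
# Added example (not the article's own code): decode the raw TCP flags field the way
# Wireshark labels it, and validate a constructed SYN -> SYN-ACK -> ACK handshake.
# Bit values of the TCP flags field (FIN..CWR per RFC 793/3168, NS per RFC 3540).
TCP_FLAGS = {0x001: "FIN", 0x002: "SYN", 0x004: "RST", 0x008: "PSH", 0x010: "ACK",
             0x020: "URG", 0x040: "ECE", 0x080: "CWR", 0x100: "NS"}
MASK32 = 0xFFFFFFFF  # sequence numbers are 32-bit and wrap around

def decode_flags(flags: int) -> list[str]:
    """Names of the bits set in a raw flags value, e.g. 0x012 -> ['SYN', 'ACK']."""
    return [name for bit, name in sorted(TCP_FLAGS.items()) if flags & bit]

def _relative(pkt: dict, isn_sender: int, isn_peer: int) -> tuple[int, int]:
    """(seq, ack) relative to each side's ISN, as Wireshark displays them by default."""
    rel_seq = (pkt["seq"] - isn_sender) & MASK32
    rel_ack = (pkt["ack"] - isn_peer) & MASK32 if pkt["flags"] & 0x010 else 0
    return rel_seq, rel_ack

def check_handshake(packets: list[dict]) -> dict:
    """Validate a SYN, SYN-ACK, ACK triple given absolute (on-the-wire) numbers.
    Each packet is {'src', 'dst', 'flags', 'seq', 'ack'}. Returns the relative
    (seq, ack) pair per packet on success, or {'error': reason} on failure."""
    if len(packets) != 3:
        return {"error": "expected exactly three packets"}
    syn, synack, ack = packets
    for pkt, want in zip(packets, (["SYN"], ["SYN", "ACK"], ["ACK"])):
        if decode_flags(pkt["flags"]) != want:
            return {"error": f"flags 0x{pkt['flags']:03x} are not {'+'.join(want)}"}
    client, server = syn["src"], syn["dst"]
    if (synack["src"], synack["dst"]) != (server, client):
        return {"error": "SYN-ACK is not sent by the server back to the client"}
    if (ack["src"], ack["dst"]) != (client, server):
        return {"error": "final ACK is not sent by the client to the server"}
    isn_c, isn_s = syn["seq"], synack["seq"]
    # A SYN consumes one sequence number, so each side acknowledges the peer's ISN + 1.
    if synack["ack"] != (isn_c + 1) & MASK32:
        return {"error": "SYN-ACK does not acknowledge the client's ISN + 1"}
    if ack["seq"] != (isn_c + 1) & MASK32 or ack["ack"] != (isn_s + 1) & MASK32:
        return {"error": "final ACK has the wrong seq or ack number"}
    return {"syn": _relative(syn, isn_c, isn_s),
            "syn_ack": _relative(synack, isn_s, isn_c),
            "ack": _relative(ack, isn_c, isn_s)}

# Constructed sample: client 192.0.2.10 -> server 198.51.100.5 with hand-picked ISNs;
# the client ISN is 0xFFFFFFFF so the acknowledgement numbers wrap around to 0.
SAMPLE = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "flags": 0x002, "seq": 0xFFFFFFFF, "ack": 0},
    {"src": "198.51.100.5", "dst": "192.0.2.10", "flags": 0x012, "seq": 0x1D2E3F40, "ack": 0},
    {"src": "192.0.2.10", "dst": "198.51.100.5", "flags": 0x010, "seq": 0, "ack": 0x1D2E3F41},
]
```

Feeding the three packets to `check_handshake(SAMPLE)` yields the (0, 0), (0, 1), (1, 1) pairs seen in the capture above, and a reordered or spoofed triple is reported with the rule it breaks.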

HTTP with TLS to Form HTTPS

  1. Client Hello --> the first message sent by the client to the server.
  2. Let's dive into the Client Hello message:
  3. Content Type = 22, which means this is a handshake message; TLS Version = 1.0, which means the negotiation starts on TLS 1.0; Handshake Protocol = Client Hello, which states that this is a hello message sent by the client.
  4. The Cipher Suites list in the TLS Client Hello gives the details of the cipher suites configured on the client machine.

Client Hello
CIPHER SUITE SUPPORTED


  5. Server Hello --> the first message sent by the server to the client.
  6. Let's dive into the Server Hello message:
  7. Content Type = 22, which means this is a handshake message; TLS Version = 1.2, which means the server will communicate on TLS 1.2; Handshake Protocol = Server Hello, which states that this is a hello message sent by the server.
  8. Cipher Suite = TLS_AES_128_GCM_SHA256 (0x1301)

With the TLS_AES_128_GCM_SHA256 cipher suite, the key exchange algorithm typically used is ECDHE (Elliptic Curve Diffie-Hellman Ephemeral).

Elliptic Curve Diffie-Hellman Ephemeral is an example of an asymmetric key exchange algorithm used in TLS. It allows the client and server to agree upon a shared secret over an insecure channel without exchanging the secret directly. Ephemeral means that a new key is generated for each session, enhancing security.

AES_128_GCM: After the key exchange, AES with a 128-bit key in GCM (Galois/Counter Mode) is used for symmetric encryption and authentication of the data exchanged between the client and server.

SHA256: SHA-256 is used as the hash function in the HMAC (Hash-based Message Authentication Code) used with GCM mode to provide integrity and authenticity of the data.

SERVER HELLO MESSAGE
SERVER HELLO DETAILS
ENCRYPTED APPLICATION DATA


Nithin Raveendran L R

cybersecurity analyst

5 months

Insightful!


More articles by Alex Varghese
