TCP: How are the seq / ack numbers generated?

I am currently working on a program which sniffs TCP packets being sent and received to and from a particular address. What I am trying to accomplish is replying with custom tailored packets to certain received packets. I've already got the parsing done. I can already generate valid Ethernet, IP, and--for the most part--TCP packets.

The only thing that I cannot figure out is how the seq / ack numbers are determined.

While this may be irrelevant to the problem, the program is written in C++ using WinPCap. I am asking for any tips, articles, or other resources that may help me.

766 likes
xian asked Mar 28 '09 14:03


People also ask

How are ACK numbers determined?

The acknowledgement number is the sequence number of the next byte the receiver expects to receive. A receiver ack'ing sequence number x acknowledges receipt of all data bytes up to, but not including, byte number x.

How are TCP sequence numbers generated?

TCP is a stream transport protocol. To ensure reliable delivery, each byte to be transmitted is numbered. During connection establishment, each party uses a random number generator to create an initial sequence number (ISN), which is usually different in each direction.

How does TCP seq and ACK work?

TCP Sequence and Acknowledgement Numbers Explained: The seq number is sent by the TCP client, indicating how much data has been sent for the session (also known as the byte-order number). The ack number is sent by the TCP server, indicating that it has received the cumulated data and is ready for the next segment.


7 Answers

When a TCP connection is established, each side generates a random number as its initial sequence number. It is a strongly random number: there are security problems if anybody on the internet can guess the sequence number, as they can easily forge packets to inject into the TCP stream.

Thereafter, for every byte transmitted the sequence number will increment by 1. The ACK field is the sequence number from the other side, sent back to acknowledge reception.

RFC 793, the original TCP protocol specification, can be of great help.

126 likes
DGentry answered Oct 02 '22 04:10


I have the same job to do. Firstly, the initial seq# will be generated randomly (0-4294967297). Then the receiver will count the length of the data it received and send the ACK of seq# + length = x to the sender. The sequence will then be x and the sender will send the data. Similarly, the receiver will count the length x + length = y and send the ACK as y, and so on... It's how the seq/ack is generated...

If you want to show it practically try to sniff a packet in Wireshark and follow the TCP stream and see the scenario...

40 likes
zainee khan answered Oct 02 '22 03:10
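The bookkeeping DGentry and zainee khan describe, put into code as an added example for this thread (it is not the asker's WinPcap program and not code from any of the answers). The `TcpEndpoint`/`Segment` structs are hypothetical; the model tracks only the seq/ack arithmetic and ignores windows, retransmission and out-of-order delivery. It also shows two details the answers mention in passing: a SYN or FIN consumes one sequence number even though it carries no data, and all arithmetic wraps modulo 2^32, which is why a sniffer that works with plain 64-bit counters gets the ack wrong when the ISN sits near the top of the range.

```cpp
#include <cstdint>
#include <cstdio>
#include <random>

// One side of a TCP connection, reduced to the fields the question is about.
// Hypothetical helper written for this thread; it is not WinPcap code.
struct TcpEndpoint {
    uint32_t isn;      // initial sequence number chosen when the connection starts
    uint32_t snd_nxt;  // sequence number the next outgoing segment will carry
    uint32_t rcv_nxt;  // next sequence number expected from the peer == our ACK value
    explicit TcpEndpoint(uint32_t initial_seq)
        : isn(initial_seq), snd_nxt(initial_seq), rcv_nxt(0) {}
};

struct Segment {
    uint32_t seq;
    uint32_t ack;
    bool syn;
    bool fin;
    uint32_t payload_len;
};

// Sequence numbers a segment consumes: one per payload byte, plus one each for
// SYN and FIN, which occupy a sequence number although they carry no data
// (RFC 793 section 3.3). A pure ACK consumes none.
uint32_t seq_consumed(const Segment& s) {
    return s.payload_len + (s.syn ? 1u : 0u) + (s.fin ? 1u : 0u);
}

// Emit the next segment from `ep` and advance its send side. uint32_t
// arithmetic wraps modulo 2^32, which is exactly how TCP sequence space works.
Segment send_segment(TcpEndpoint& ep, bool syn, bool fin, uint32_t payload_len,
                     bool ack_flag = true) {
    Segment s{ep.snd_nxt, ack_flag ? ep.rcv_nxt : 0u, syn, fin, payload_len};
    ep.snd_nxt += seq_consumed(s);
    return s;
}

// Accept an in-order segment from the peer. The value we will ACK next is the
// peer's seq plus everything the segment consumed. Returns false and leaves
// state untouched if seq is not the one we are waiting for; a reply whose
// seq/ack were computed wrongly is what a real stack drops at this point.
bool receive_segment(TcpEndpoint& ep, const Segment& s) {
    if (!s.syn && s.seq != ep.rcv_nxt) return false;
    ep.rcv_nxt = s.seq + seq_consumed(s);
    return true;
}

// Wireshark's "relative sequence number": the offset from the connection's ISN.
uint32_t relative_seq(const TcpEndpoint& ep, uint32_t absolute_seq) {
    return absolute_seq - ep.isn;  // unsigned subtraction handles wrap-around
}

// Three-way handshake followed by one request/response. Returns the client's
// final rcv_nxt, i.e. the ACK it would put on its next segment.
uint32_t run_exchange(uint32_t client_isn, uint32_t server_isn,
                      uint32_t request_len, uint32_t response_len) {
    TcpEndpoint client(client_isn), server(server_isn);

    Segment syn = send_segment(client, true, false, 0, false);  // SYN: seq=ISN_c, no ACK
    receive_segment(server, syn);                               // server expects ISN_c+1
    Segment synack = send_segment(server, true, false, 0);      // SYN/ACK: seq=ISN_s, ack=ISN_c+1
    receive_segment(client, synack);                            // client expects ISN_s+1
    Segment ack = send_segment(client, false, false, 0);        // ACK: seq=ISN_c+1, ack=ISN_s+1
    receive_segment(server, ack);

    Segment req = send_segment(client, false, false, request_len);
    receive_segment(server, req);                               // server ack -> ISN_c+1+request_len
    Segment resp = send_segment(server, false, false, response_len);
    receive_segment(client, resp);                              // client ack -> ISN_s+1+response_len
    return client.rcv_nxt;
}

int main() {
    // Each side picks its ISN independently; std::random_device stands in here
    // for the hashed, clock-mixed generator a real stack uses (RFC 6528).
    std::random_device rd;
    uint32_t isn_c = rd(), isn_s = rd();
    uint32_t final_ack = run_exchange(isn_c, isn_s, 100, 200);
    std::printf("client ISN %u, server ISN %u, client ACK after exchange %u (relative %u)\n",
                isn_c, isn_s, final_ack, final_ack - isn_s);
    return 0;
}
```

With ISNs 1000 and 5000 and a 100-byte request followed by a 200-byte response, the client ends up acknowledging 5201: the server's ISN, plus one for its SYN, plus the 200 payload bytes. Running the same exchange with ISNs just below 2^32 gives the same relative offsets but absolute values that have wrapped past zero, which is the case to check when comparing your generated packets against a Wireshark capture (Wireshark shows relative numbers by default).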


If I understand you correctly - you're trying to mount a TCP SEQ prediction attack. If that's the case, you'll want to study the specifics of your target OS's Initial Sequence Number generator.

There were widely publicized vulnerabilities in pretty much all the major OSes wrt their ISN generators being predictable. I haven't followed the fallout closely, but my understanding is that most vendors released patches to randomize their ISN increments.

27 likes
Mark Brackett answered Oct 02 '22 04:10


Seems that the rest of the answers explained pretty much all about where to find detailed and official information about ACKs, namely the TCP RFC.

Here's a more practical and "easily understood" page that I found when I was doing similar implementations that may also help: TCP Analysis - Section 2: Sequence & Acknowledgement Numbers.

34 likes
Milan answered Oct 02 '22 04:10


RFC 793 section 3.3 covers sequence numbers. Last time I wrote code at that level, I think we just kept a one-up counter for sequence numbers that persisted.

40 likes
John Ellinwood answered Oct 02 '22 05:10


These values reference the expected offsets of the start of the payload for the packet relative to the initial sequence number for the connection.

Reference

Sequence number (32 bits) – has a dual role. If the SYN flag is set, then this is the initial sequence number. The sequence number of the actual first data byte will then be this sequence number plus 1. If the SYN flag is not set, then this is the sequence number of the first data byte.

Acknowledgement number (32 bits) – if the ACK flag is set then the value of this field is the next expected byte that the receiver is expecting.

38 likes
tvanfosson answered Oct 02 '22 03:10


Numbers are randomly generated on both sides, then increased by the number of octets (bytes) sent.

40 likes
Kazimieras Aliulis answered Oct 02 '22 04:10