Boot to your DOS diskette with the IPX/SPX for the 3COM drivers and load the drivers and login to the server. GHOST in your personal Windows 98 image from your home directory. Note that the server while robust may balk at GHOST’s greediness for data and only allow about four systems to attach at the same time. So we will proceed row by row.

Once the GHOST operation is complete, reboot to the diskette, reattach to the server and change to the TOOLS directory, copy the file PORTSCAN.EXE to another floppy disk. Turn off the PC.

Install the 3COM NIC drivers using TCP/IP manually configured so that your system will use IP address: 10.10.10.x where x is your system’s station number. Set the subnet mask to 255.255.255.0 and set your default gateway to be the same as your IP address. Install the server component for Windows 98 (File and Print Sharing.)

The usual payload of an IP packet is either a TCP packet or a UDP packet. These are the two primary data carrying transport layer protocols used by the TCP/IP protocol suite. Transmission Control Protocol features the handling of breaking up large streams of data (like the Ghost image file) into a numbered and ordered series of packets that can be reassembled by the TCP protocol driver at the other end. TCP can establish a connection between two machines and provides the following facilities to higher layers:

	Data streaming – Higher layers including end user applications get the impression of an uninterrupted flow of data that they would expect from a local source (like Ghost reading an image file from a local drive as opposed to a distant, networked one)
	Reliability – Higher layers are assured a high quality stream of data because TCP receivers will send Acknowledgements of received data, if senders don’t get an acknowledgement in a timeout period they will retransmit the data.
	Flow Control – TCP is designed such that the receiver can request that the sender slow down or speed up depending on the response times of the higher layers. Both sides will also make these adjustments when too many retransmits and unacknowledged packets are occurring.
	Multiplexing – TCP allows for more than one higher layer to use it simultaneously. This makes it possible for the system to support more than one copy of the same service as well as different services all at the same time. (Having two web browsers open while downloading a file.)
	Sockets/Connections – TCP will initiate a connection, establish a connection, and tear down a connection. These connections ensure that both sides take an active role in the maintenance of each of the listed features here. That is, both sender and receiver participate in the initiation and establishment of the connection, its maintenance and ultimate tear down.
	Full Duplex – TCP supports full duplex mode of operation so that the receiver can actively acknowledge received data and request adjustments to transmission rates, for example.

TCP is therefore a connection oriented protocol in which quite a lot of Session Layer-like activity takes place. In fact, at the connectivity level the session layer is practically unnecessary since the problems were solved by the TCP layer long before the OSI model became accepted. Since the OSI model’s acceptance, the session layer has been introduced and supported but it is TCP that handles the vast majority of what we would call "connectivity sessions".

The structure of a TCP packet is as follows:

The meaning of each of these packet fields follow:

	Source Port – A TCP identifier number that when used in conjunction with the Source IP address forms the identifier in the form: w.x.y.z:port. The source and destination identifier pair in the form: + form the connection or the socket of a TCP transaction.
	The target port number on this receiving system. (see the explanation of the source port above)
	32-bit sequence number – specifies which byte the start byte of the data in this packet should be within the entire stream. I.e. If the previous packet had contained 1200 bytes and was the first of the transmission, then this field would hold the value 1200, meaning that the first byte in this packet is byte #1200 of the entire transmission (the first byte in the first packet is byte # 0.)
	32-bit Acknowledgement number – Used by the receiver in the acknowledgement packet for the current packet. So this system would respond to this packet by reversing the port numbers and if this packet had contained 1200 more bytes of data, this field would read 2401 indicating “I have already received 2400 bytes and am expecting the 2401st next.”
	Header Length – A 4-bit number that expresses how many 32-bit double words in size the TCP header is. Since the options field is variable in length, this field is critical to the functionality of the packet. Without it, TCP would not know where the header ends and the data begins. Minimum TCP header = 20 bytes, or 5 dwords.
	The next 6 bits are reserved
	The next 6 bits each have a name and meaning as follows: U = Urgent, consider this packet as more important than any other not marked Urgent (process it first.) A = Acknowledge, this packet is acknowledging successful reception of data (the receivers packets back to the sender of data set this bit and the 32-bit Acknowledgement number above has meaning in this case.) P = Push, The sender indicates to the receiver that the upper level processes have invoked this operation (may indicate a data flow change is imminent.) R = Reset, the upper level processes on the sender have reset the connection, the connection will be lost and have to be reestablished, S = SYN (short for synchronize), used to request the establishment of a connection or socket, F = FIN (short for Finalize) used to tear down an established connection or socket.
	16-bit Advertised Window Size – This number is used by the receiver within the acknowledge packet to adjust how many bytes the sender may have out on the wire unacknowledged and still feel free to continue transmitting. The receiver reviews this field in the packet of the sender and compares it with the current conditions of the receive buffer of this socket. This constitutes the “sliding window” of TCP and is how both sides can adjust the throughput of the connection up or down based on transient conditions in the upper or lower layers of the system.
	16-bit TCP Checksum – The entire header and all data in the packet are used to generate this checksum which is then inserted here. The receiver uses the same math to generate the value again from the header and data of the packet and compares what it calculated with the actual value found here. If they differ, then the packet has been damaged or spuriously modified and an urgent response will be made to retransmit the packet.
	16-bit Urgent Pointer – indicates the location and nature of the problem within the current connection or socket. Works in conjunction with the Options fields.
	Options – There are many possible options. During the establishment of a connection in which a sender is about to transmit a file to the receiver, the receiver can indicate the largest possible stream that it will accept. TCP over DOS in a file transfer might indicate a value slightly smaller than 2GB, a file larger than this will not fit on a FAT16 partition.
	Data – The actual data being sent in this packet. This is an optional field since the receiver will not need to send data back to the sender only acknowledgements.

It can be seen from the structure of the TCP packet that the two systems can request the establishment of a connection or socket. They maintain the connection including feedback between the two TCP protocol layers on the two remote systems and they can verify reliability of the transmission and control the data flow based on network and upper layer conditions speeding the transmission up or slowing it down.

From this illustration it can be seen how the Transport layer stays in continual full duplex communication. What is not readily evident is that this is a virtual full duplex connection. The physical NIC’s may be connected on a 10Base5 network that is not capable of supporting full duplex communication in that only one NIC at a time can transmit. The Transport layer’s “full duplex connection” is then a virtual one. This is accomplished by buffering packets into temporary holding areas in RAM occupied by the driver. If the transmission begins to threaten to overload the buffer, TCP can transmit a packet that will indicate a smaller advertised Window size. This will cause the system that is actively sending a large file, for example, to reduce the number of unacknowledged bytes that are out on the network, effectively slowing the transmission down. Conversely, if the local system is retrieving the incoming data from the buffer with ease, this system will send a packet to the transmitting system indicating a larger advertised window size. The transmitting system will then increase the size and number of packets that it is transmitting raising the number of unacknowledged bytes out on the network.

Detection of Open Transport Layer Sockets. The key to the detection of an open layer socket is to know what transmission it is expecting. At the transport layer sockets can be opened on a system that “listen” for packets intended for the system including broadcasts. If a spurious user knows about the existence of these open ports and how to get them to respond to a request then the system can be compromised. This is in fact exactly how hackers and worms compromise systems. Included with the operating system there are several commandline utilities that get copied to the system when the TCP/IP protocol driver stack is installed on a system. One of them can be used for the purposes of displaying open ports. However, this was invented by the OS designers and will not list open ports that they themselves were unaware of at design time of the OS.

For this third party utilities are needed. Once you have your system configured with the proper NIC drivers and the TCP/IP protocol stack execute the program PORTSCAN.EXE. This is a simple program that can display the open ports on remote systems. Note which ports are open on the Windows 98 systems as they are normally configured in the class.

TCP identifies a particular socket by the local IP/Port + Remote IP/Port number set. This means that the TCP layer must be aware of the IP’s of the local and remote machines used in the packet. This information is not available to the TCP layer through its own packet. Therefore it must “cheat” in order to get this information. As a result of this, the TCP layer is not modular at all but is permanatly bound to the IP layer below it such that the two cannot be separated and still remain functional – this is in complete exception to the intent of the OSI model.

Certain Port numbers are always used to initiate a certain type of activity in TCP/IP. These are called the Well Known Ports and are as follows:

None of the services is forced to use the ports but they usually initiate contact with remote machines using the well known port to begin with and may change to another port thereafter. Most of the services use not only TCP but also UDP which is a far simpler transport layer protocol than TCP. UDP or Universal Datagram Protocol for example does not establish structured seesions that consist of a request for a connection or socket, followed by an acknowledgement of the request, followed by the conversation, followed by a request to tear down the socket, followed by an acknowledgement of this. Instead, UDP sends a series of packets that can be reconstructed into the original large piece of data toward the target IP machine in UDP packets with no socket request, no feedback/flow control mechanism and no data reception acknowledgement mechanisms at all. The UDP stream can be reconstructed from many fragmented packets, and the receiving system can request a lost packet from the sender, but UDP supports none of the other transport layer functions of TCP.

Most services in the well known ports list use both TCP and UDP during the course of their operations. Some start a communication with a UDP packet exchange and then move up to TCP. Others start a data exchange in TCP and then settle it with a UDP exchange. Other services run both types of communication simultaneously.