
Normal TCP operation and its states


Transmission Control Protocol (TCP) is a network communication protocol designed to send data packets over the Internet. It is a transport-layer protocol in the OSI model and is used to create a connection between remote computers, transporting messages and ensuring their delivery over supporting networks and the Internet.

TCP states

  • CLOSED: There is no connection.

  • LISTEN: The local end-point is waiting for a connection request from a remote end-point, i.e. a passive open was performed.

  • ESTABLISHED: The third step of the three-way connection handshake was performed. The connection is open.

  • FIN-WAIT-1: The first step of an active close (four-way handshake) was performed. The local end-point has sent a connection termination request to the remote end-point.

  • CLOSE-WAIT: The local end-point has received a connection termination request and acknowledged it, i.e. a passive close has been performed, and the local end-point needs to perform an active close to leave this state.

  • FIN-WAIT-2: The remote end-point has sent an acknowledgement for the previously sent connection termination request. The local end-point waits for an active connection termination request from the remote end-point.

  • LAST-ACK: The local end-point has performed a passive close and has initiated an active close by sending a connection termination request to the remote end-point.

  • CLOSING: The local end-point is waiting for an acknowledgement for a connection termination request before going to the TIME-WAIT state.

  • TIME-WAIT: The local end-point waits for twice the maximum segment lifetime (MSL) to pass before going to CLOSED to be sure that the remote end-point received the acknowledgement.

Tcpdump output for a normal connection establishment and termination.

On hostC1, telnet to the discard server on hostC2, then close the connection by pressing Control-] and typing quit.

1) 13:46:55.236424 IP (tos 0x10, ttl 64, id 18693, offset 0, flags [DF], proto TCP (6), length 60)

10.1.3.1.42878 > 10.1.3.2.9: Flags [S], cksum 0x9ab9 (correct), seq 3073505714, win 23168, options [mss 1460, nop,wscale 3,nop,nop,TS val 516947 ecr 0], length 0

2) 13:46:55.236462 IP (tos 0x0, ttl 64, id 18691, offset 0, flags [DF], proto TCP (6), length 60)

10.1.3.2.9 > 10.1.3.1.42878: Flags [S.], cksum 0x8dc2 (correct), seq 1818595437, ack 3073505715, win 23168, options [mss 1460, nop,wscale 3,nop,nop,TS val 3203223845 ecr 516947], length 0

3) 13:46:55.236464 IP (tos 0x10, ttl 64, id 18694, offset 0, flags [DF], proto TCP (6), length 52)

10.1.3.1.42878 > 10.1.3.2.9: Flags [.], cksum 0x08ba (correct), seq 3073505715, ack 1818595438, win 2896, options [nop,nop,TS val 516947 ecr 3203223845], length 0

4) 13:48:23.548831 IP (tos 0x10, ttl 64, id 18695, offset 0, flags [DF], proto TCP (6), length 52)

10.1.3.1.42878 > 10.1.3.2.9: Flags [F.], cksum 0xb1df (correct), seq 3073505715, ack 1818595438, win 2896, options [nop,nop,TS val 604715 ecr 3203223845], length 0

5) 13:48:23.549558 IP (tos 0x0, ttl 64, id 18692, offset 0, flags [DF], proto TCP (6), length 52)

10.1.3.2.9 > 10.1.3.1.42878: Flags [.], cksum 0x5b06 (correct), seq 1818595438, ack 3073505716, win 2896, options [nop,nop,TS val 3203311613 ecr 604715], length 0

6) 13:48:23.549838 IP (tos 0x0, ttl 64, id 18693, offset 0, flags [DF], proto TCP (6), length 52)

10.1.3.2.9 > 10.1.3.1.42878: Flags [F.], cksum 0x5b04 (correct), seq 1818595438, ack 3073505716, win 2896, options [nop,nop,TS val 3203311614 ecr 604715], length 0

7) 13:48:23.549857 IP (tos 0x10, ttl 64, id 18696, offset 0, flags [DF], proto TCP (6), length 52)

10.1.3.1.42878 > 10.1.3.2.9: Flags [.], cksum 0x5b04 (correct), seq 3073505716, ack 1818595439, win 2895, options [nop,nop,TS val 604716 ecr 3203311614], length 0


Discussion:

Frame 1 is the SYN segment from hostC1, which occupies sequence number 3073505714.

Frame 2 is the SYN+ACK from hostC2, which occupies sequence number 1818595437.

Frame 3 is the ACK of frame 2.

Frames 1, 2 and 3 form the three-way handshake.

Frame 4 is the FIN+ACK from hostC1, which occupies sequence number 3073505715.

Frame 5 is the ACK of the FIN in frame 4. The connection is now half-closed.

Frame 6 is the FIN+ACK from hostC2, which occupies sequence number 1818595438.

Frame 7 is the ACK of the FIN in frame 6.
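
The frame-by-frame reading above can be checked mechanically. The following Python sketch is an added example, not part of the original page: it replays the seven frames (trimmed to addresses, flags, seq and ack), verifies that every ACK equals the peer's next sequence number, and tracks the state of hostC1 and hostC2 after each frame. The names walk, FRAME and TRANSITIONS are chosen here, and SYN-SENT and SYN-RECEIVED are the standard handshake states from RFC 793 that the state list above does not include.

```python
import re

# Frames 1-7 of the capture above, trimmed to the fields this check uses.
CAPTURE = """\
10.1.3.1.42878 > 10.1.3.2.9: Flags [S], seq 3073505714, win 23168, length 0
10.1.3.2.9 > 10.1.3.1.42878: Flags [S.], seq 1818595437, ack 3073505715, win 23168, length 0
10.1.3.1.42878 > 10.1.3.2.9: Flags [.], seq 3073505715, ack 1818595438, win 2896, length 0
10.1.3.1.42878 > 10.1.3.2.9: Flags [F.], seq 3073505715, ack 1818595438, win 2896, length 0
10.1.3.2.9 > 10.1.3.1.42878: Flags [.], seq 1818595438, ack 3073505716, win 2896, length 0
10.1.3.2.9 > 10.1.3.1.42878: Flags [F.], seq 1818595438, ack 3073505716, win 2896, length 0
10.1.3.1.42878 > 10.1.3.2.9: Flags [.], seq 3073505716, ack 1818595439, win 2895, length 0
"""
FRAME = re.compile(r"(\S+) > (\S+): Flags \[([^\]]+)\].*?seq (\d+)(?:, ack (\d+))?")

# (state, event) -> next state; event is "snd"/"rcv" plus tcpdump's flag string.
TRANSITIONS = {
    ("CLOSED", "snd S"): "SYN-SENT",
    ("LISTEN", "rcv S"): "SYN-RECEIVED",
    ("SYN-SENT", "rcv S."): "ESTABLISHED",
    ("SYN-RECEIVED", "rcv ."): "ESTABLISHED",
    ("ESTABLISHED", "snd F."): "FIN-WAIT-1",
    ("ESTABLISHED", "rcv F."): "CLOSE-WAIT",
    ("FIN-WAIT-1", "rcv ."): "FIN-WAIT-2",
    ("CLOSE-WAIT", "snd F."): "LAST-ACK",
    ("FIN-WAIT-2", "rcv F."): "TIME-WAIT",
    ("LAST-ACK", "rcv ."): "CLOSED",
}

def walk(capture):
    """Return ([(frame, opener state, listener state)], [frames with an unexpected ack])."""
    lines = capture.strip().splitlines()
    opener, listener = FRAME.match(lines[0]).group(1, 2)
    state = {opener: "CLOSED", listener: "LISTEN"}
    nxt, rows, bad_acks = {}, [], []
    for num, line in enumerate(lines, 1):
        src, dst, flags, seq, ack = FRAME.match(line).groups()
        # An ACK must name the next sequence number expected from the peer.
        if ack is not None and int(ack) != nxt.get(dst):
            bad_acks.append(num)
        # SYN and FIN each occupy one sequence number (segments here carry no data).
        nxt[src] = int(seq) + ("S" in flags) + ("F" in flags)
        state[src] = TRANSITIONS.get((state[src], "snd " + flags), state[src])
        state[dst] = TRANSITIONS.get((state[dst], "rcv " + flags), state[dst])
        rows.append((num, state[opener], state[listener]))
    return rows, bad_acks

if __name__ == "__main__":
    rows, bad_acks = walk(CAPTURE)
    print(*("frame %d: hostC1=%-12s hostC2=%s" % r for r in rows), sep="\n")
    print("frames with unexpected ack:", bad_acks)
```

A non-empty second return value points at a frame whose acknowledgement number does not fit the sequence numbers seen so far, which is worth a closer look when reviewing a capture.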

