Mastering TCP: Decode Every Connection State and Diagnose Network Issues

1. TCP States

Before understanding TCP, familiarize yourself with several Linux commands: netstat -nat – shows the count of each TCP state. lsof -i:port – displays open sockets on a specific port. sar -n SOCK – shows the number of TCP connections created. tcpdump -iany tcp port 9000 – captures packets on TCP port 9000.

Common network testing commands: ping – tests reachability, latency, jitter and packet loss (many servers disable ping replies for security). traceroute hostname – traces the route to a host. pathping www.baidu.com – combines ping and traceroute features. mtr – merges ping, nslookup and traceroute capabilities. nslookup – resolves domain names and checks DNS configuration.

LISTENING : a server socket waiting for incoming TCP connection requests. The service must open a socket and set it to LISTEN before a client can connect.

SYN‑SENT : the client has sent a SYN packet and is awaiting a matching response.

The socket is actively attempting to establish a connection. After sending the connection request it waits for a matching response.

SYN‑RECEIVED : the server has received the client’s SYN, replied with SYN‑ACK, and is waiting for the client’s ACK.

If many sockets stay in SYN‑RECEIVED, the server may be under a SYN‑Flood (DoS) attack, where forged SYN packets exhaust resources.

ESTABLISHED : both ends have completed the three‑way handshake and data can be exchanged.

FIN‑WAIT‑1 : the active closer has sent a FIN and is waiting for the remote ACK.

FIN‑WAIT‑2 : after receiving the remote ACK, the socket waits for the remote’s FIN.

CLOSE‑WAIT : the passive closer has received a FIN and sent an ACK; it waits for the application to close.

CLOSING : both sides have sent FINs and are waiting for the final ACK.

LAST‑ACK : the passive closer has sent its FIN and is waiting for the final ACK.

TIME‑WAIT : the socket waits enough time (2 MSL) to ensure the remote FIN is acknowledged and to discard delayed packets.

CLOSED : no connection state; the socket is free.

2. TCP State Transition Diagram

The diagram below shows client and server state transitions. It combines both sides for clarity; each side can be examined separately.

3. TCP Three‑Way Handshake

TCP is connection‑oriented; a connection must be established before data transfer.

First handshake : the client calls connect, the OS assigns a random source port, and sends a SYN packet to the server.

Second handshake : the server replies with SYN‑ACK (its own SYN plus ACK of the client’s sequence).

Third handshake : the client acknowledges with an ACK; both sides enter ESTABLISHED.

Example capture (port 9502):

14:12:45.104687 IP localhost.39870 > localhost.9502: Flags [S], seq 2927179378
14:12:45.104701 IP localhost.9502 > localhost.39870: Flags [S.], seq 1721825043, ack 2927179379
14:12:45.104711 IP localhost.39870 > localhost.9502: Flags [.], ack 1

4. TCP Four‑Way Termination

Because TCP is full‑duplex, each direction must be closed separately:

Client sends FIN (active close) → enters FIN‑WAIT‑1.

Server acknowledges with ACK → server enters CLOSE‑WAIT.

Server sends its own FIN → enters LAST‑ACK.

Client acknowledges with ACK → enters TIME‑WAIT, then CLOSED.

5. Simultaneous Open and Close

Simultaneous open occurs when both ends send SYN at the same time; most BSD‑derived TCP stacks do not support it, resulting in a single connection after four packet exchanges.

Simultaneous close happens when both sides send FINs; the state sequence mirrors the normal four‑step termination.

6. TCP Flags

The FLAGS field contains bits such as SYN, FIN, ACK, PSH, RST, URG. Commonly used flags:

SYN – initiates a connection.

FIN – terminates a connection.

ACK – acknowledges received data or control packets.

PSH – indicates that the segment carries data.

RST – resets a connection.

Combinations like SYN+ACK are used during the handshake; SYN and FIN never appear together.

7. Handling Half‑Open Connections

If a client crashes or loses network connectivity without a proper FIN, the server may see a half‑open socket that blocks recv or send. Solutions include implementing application‑level heartbeats or enabling TCP keep‑alive.

Keep‑alive works by sending periodic probes after a configurable idle period (default 2 hours). If the remote side does not respond after several probes, the socket is closed.

Typical Linux keep‑alive settings (in /etc/sysctl.conf) are:

net.ipv4.tcp_keepalive_intvl = 20
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_time = 60

8. Common Linux errno Values for Sockets

22 – Invalid argument (e.g., malformed IP address).

101 – Network unreachable.

111 – Connection refused.

115 – Operation now in progress (non‑blocking socket without immediate response).

Source: https://blog.csdn.net/hguisu/article/details/38700899