Mastering TCP: Handshakes, Teardowns, and State Machines Explained

TCP Connection Establishment and Termination

TCP is a connection‑oriented, unicast protocol that requires both endpoints to establish a socket (IP + port) before data exchange and to close the socket after communication.

Three‑Way Handshake

The connection setup proceeds through three stages, often visualized as a three‑step diagram.

The server prepares to accept connections by calling bind, listen, and socket, entering the LISTEN state (passive open).

The client initiates an active open with connect, sending a SYN segment with an initial sequence number seq = x, and moves to SYN‑SEND.

The server acknowledges the SYN, sets its own initial sequence number seq = y, and replies with SYN+ACK, entering SYN‑RECEIVED.

The client acknowledges the server’s SYN+ACK with an ACK (optionally carrying data), moving to ESTABLISHED.

The server also transitions to ESTABLISHED after receiving the client’s ACK.

This three‑way handshake not only confirms that both sides are ready but also exchanges initial sequence numbers and optional TCP options.

The side that sends the first SYN is the client (active open); the side that receives it and replies with SYN+ACK is the server (passive open).

Four‑Way Handshake (Connection Teardown)

After data transfer, either endpoint can close the connection, which requires four segments.

The client sends a FIN (sequence u) and enters FIN‑WAIT‑1.

The server acknowledges the FIN, moves to CLOSE‑WAIT, and sends its own FIN (sequence v).

The client receives the server’s FIN, acknowledges it, and enters FIN‑WAIT‑2.

The client’s final ACK puts it into TIME‑WAIT for 2 MSL before transitioning to CLOSED. The server, after sending its FIN and receiving the client’s ACK, moves to LAST‑ACK and then to CLOSED.

Both sides can initiate closure, but typically the client starts the process.

Half‑Open State

A half‑open connection occurs when one side closes or crashes without notifying the peer, leaving the other side unaware that the connection is no longer usable.

Half‑Close

In a half‑close, only one direction of data flow is terminated. The closing side sends a FIN, continues to receive data, and only after receiving the peer’s FIN does it fully close.

Simultaneous Open and Close

Simultaneous open happens when both endpoints send SYN before receiving the other’s SYN, requiring an exchange of four segments instead of three. Simultaneous close mirrors this, with both sides sending FIN at the same time, leading to interleaved FIN/ACK exchanges.

Initial Sequence Numbers (ISN)

Each side selects a random 32‑bit Initial Sequence Number (ISN) before sending SYN. RFC 793 specifies that ISNs increase by one every 4 µs to avoid reuse and reduce the risk of connection spoofing; encrypting or randomizing ISNs further mitigates attacks.

TCP State Diagram

The TCP state machine includes states such as CLOSED, LISTEN, SYN‑SEND, SYN‑RECEIVED, ESTABLISHED, FIN‑WAIT‑1, FIN‑WAIT‑2, CLOSE‑WAIT, CLOSING, LAST‑ACK, TIME‑WAIT, and others, with transitions triggered by SYN, ACK, FIN, and RST flags.

Key transitions:

LISTEN → SYN‑SEND may occur in rare cases (e.g., active FTP data connections).

SYN‑RECEIVED → RST returns to LISTEN.

RST is sent when a segment’s IP/port does not match any existing socket, indicating an invalid connection.

CLOSING occurs when both sides have sent FIN before receiving the peer’s ACK.

Understanding these transitions helps diagnose connection issues and design robust networked applications.