Mastering TCP State Machine: From LISTEN to TIME_WAIT Explained
This article provides a comprehensive guide to TCP connection states, common Linux commands for monitoring them, detailed explanations of each state transition, three‑way handshake, four‑way termination, flag meanings, keep‑alive mechanisms, and practical sysctl tuning to troubleshoot network issues.
1. TCP States Overview
Before understanding TCP, familiarize yourself with useful Linux commands:
netstat -nat – lists all TCP sockets with their states, which can then be counted per state.
lsof -i:port – displays open sockets on a specific port.
sar -n SOCK – monitors the number of TCP connections.
tcpdump -i any tcp port 9000 – captures traffic on port 9000.
Common network testing tools include ping (latency, loss, TTL), traceroute, pathping, mtr, and nslookup.
LISTENING indicates a server socket is waiting for incoming connections. Services open ports (e.g., HTTP on 80, FTP on 21) and the port remains in LISTENING until a client connects.
SYN‑SENT is the client state after sending a SYN to initiate a connection: the socket is actively attempting to establish a connection. It quickly moves to ESTABLISHED if the handshake succeeds.
SYN‑RECEIVED is the server state after receiving a SYN and replying with SYN‑ACK. A surge of SYN‑RECEIVED may indicate a SYN‑Flood DoS attack.
ESTABLISHED means data can be exchanged. Excessive ESTABLISHED entries often point to half‑closed connections or missing FIN packets.
FIN‑WAIT‑1 and FIN‑WAIT‑2 are client states during active close; CLOSE‑WAIT, LAST‑ACK, CLOSING, TIME‑WAIT, and CLOSED describe the server side and final termination steps.
The socket is closed, and the connection is shutting down.
TIME‑WAIT lasts for 2 MSL to ensure delayed packets are discarded before the socket can be reused.
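The per-state counting and the SYN‑RECEIVED surge check described above can be automated. The following is an added example, not code from the original article: it parses text in the layout printed by netstat -nat (which spells the states with underscores, e.g. SYN_RECV), tallies sockets per state, and reports local ports whose half-open count reaches a threshold. The sample rows, the addresses and the threshold value are constructed assumptions.

```python
from collections import Counter

# Constructed sample in the layout of `netstat -nat` (documentation addresses only).
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.8:51933      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.9:40771      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:52344       ESTABLISHED
tcp        0      0 192.0.2.10:9000         203.0.113.6:41000       CLOSE_WAIT
tcp        0      0 192.0.2.10:80           203.0.113.7:60210       TIME_WAIT
tcp6       0      0 :::22                   :::*                    LISTEN
"""

def parse(text):
    """Yield (local_port, state) for every TCP row; banner and header lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        # A data row has exactly six columns and a protocol of tcp or tcp6.
        if len(fields) == 6 and fields[0].startswith("tcp"):
            # rsplit copes with IPv6 local addresses such as ":::22".
            yield int(fields[3].rsplit(":", 1)[1]), fields[5]

def summarize(text):
    """Return (sockets per state, sockets per (local_port, state))."""
    rows = list(parse(text))
    return Counter(state for _, state in rows), Counter(rows)

def syn_recv_alerts(text, threshold):
    """Local ports whose SYN_RECV count reaches `threshold` (an assumed, site-specific value)."""
    _, per_port = summarize(text)
    return sorted(port for (port, state), n in per_port.items()
                  if state == "SYN_RECV" and n >= threshold)

if __name__ == "__main__":
    states, _ = summarize(SAMPLE)
    for state, n in states.most_common():
        print(f"{n:6d} {state}")
    print("SYN_RECV surge on ports:", syn_recv_alerts(SAMPLE, threshold=3))
```

On a live host, pass the captured output of netstat -nat to summarize() in place of SAMPLE and set the threshold from the port's normal baseline.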
2. TCP State Transition Diagram
The state transition diagram illustrates the client and server state machines. Client path: CLOSED → SYN‑SENT → ESTABLISHED → FIN‑WAIT‑1 → FIN‑WAIT‑2 → TIME‑WAIT → CLOSED. Server path: CLOSED → LISTEN → SYN‑RECEIVED → ESTABLISHED → CLOSE‑WAIT → LAST‑ACK → CLOSED.
3. Three‑Way Handshake
1) Client sends SYN (state SYN‑SENT). 2) Server replies with SYN‑ACK (state SYN‑RECEIVED). 3) Client sends ACK, both sides enter ESTABLISHED.
Example tcpdump output shows the three packets with sequence and acknowledgment numbers.
4. Four‑Way Termination
Because TCP is full‑duplex, each direction must be closed separately:
Client sends FIN (FIN‑WAIT‑1).
Server ACKs the FIN (CLOSE‑WAIT).
Server sends its own FIN (LAST‑ACK).
Client ACKs the server FIN (TIME‑WAIT) and finally moves to CLOSED.
5. Simultaneous Open and Close
Simultaneous open occurs when both ends send SYN; the connection is established after four exchanges. Simultaneous close happens when both sides send FIN, leading to CLOSING and then TIME‑WAIT.
6. TCP Flags
Important flags: SYN (connection start), FIN (connection end), ACK (acknowledgment), PSH (push data), RST (reset). Combinations such as SYN‑ACK indicate a response to a connection request.
7. Handling Unexpected Disconnections
When a client crashes without proper FIN, the server may see half‑open sockets. Solutions include implementing heartbeat messages or enabling TCP keep‑alive.
Keep‑alive sends periodic probes; if no ACK is received after a configurable number of attempts, the socket is considered dead.
System‑wide keep‑alive parameters can be tuned in /etc/sysctl.conf:
net.ipv4.tcp_keepalive_intvl = 20
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_time = 60
8. Common Linux errno Values for Sockets
22 – Invalid argument (e.g., malformed IP).
101 – Network unreachable.
111 – Connection refused.
115 – Operation now in progress (non‑blocking socket).
Open Source Linux
Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
