Mastering TCP States: From Handshake to Connection Teardown

Understanding TCP state transitions, common diagnostic commands, and the detailed processes of connection establishment, termination, and related issues such as SYN flood, TIME_WAIT, and keepalive mechanisms equips engineers to troubleshoot network and system faults effectively.

Efficient Ops

1. TCP States Overview

Before exploring TCP, familiarize yourself with some useful Linux commands:

netstat -nat – list all TCP sockets with their states, the basis for counting connections in each TCP state.

lsof -i:port – list open sockets on a port.

sar -n SOCK – display number of TCP connections.

tcpdump -iany tcp port 9000 – capture traffic on port 9000.

ping, traceroute, pathping, mtr, nslookup – common network diagnostics.

Key TCP states include LISTEN, SYN‑SENT, SYN‑RECEIVED, ESTABLISHED, FIN‑WAIT‑1, FIN‑WAIT‑2, CLOSE‑WAIT, CLOSING, LAST‑ACK, TIME‑WAIT, and CLOSED. Each state reflects a specific step in the three‑way handshake, data transfer, or four‑way termination.

2. State Transition Diagrams

Two diagrams illustrate client‑side and server‑side state machines. The client typically follows:

CLOSED → SYN‑SENT → ESTABLISHED → FIN‑WAIT‑1 → FIN‑WAIT‑2 → TIME‑WAIT → CLOSED

The server follows:

CLOSED → LISTEN → SYN‑RECEIVED → ESTABLISHED → CLOSE‑WAIT → LAST‑ACK → CLOSED

Additional transitions such as SYN‑SENT → SYN‑RECEIVED, LISTEN → SYN, and simultaneous open/close are also described.

3. Three‑Way Handshake

Connection establishment proceeds as:

Client sends SYN (state SYN‑SENT).

Server replies with SYN‑ACK (state SYN‑RECEIVED).

Client sends ACK, both sides enter ESTABLISHED.

Example tcpdump output demonstrates the packet exchange.

4. Four‑Way Termination

Termination requires four segments:

Client sends FIN (FIN‑WAIT‑1).

Server ACKs the FIN (CLOSE‑WAIT).

Server sends its own FIN (LAST‑ACK).

Client ACKs the server’s FIN and enters TIME‑WAIT before moving to CLOSED.

TIME‑WAIT persists for 2 MSL to ensure delayed packets are discarded.

5. Common Issues and Mitigations

An excessive number of SYN‑SENT or SYN‑RECEIVED sockets may indicate a SYN flood attack; an excessive number of ESTABLISHED or CLOSE‑WAIT sockets can result from half‑open connections or client crashes. Adjust kernel parameters such as net.ipv4.tcp_syncookies, tcp_tw_reuse, tcp_tw_recycle, and tcp_fin_timeout to alleviate resource exhaustion. Note that tcp_tw_recycle was removed in Linux 4.12 and is known to break connections from clients behind NAT.
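The per-state counts described above can be turned into a simple check. The following is an added example, not code from the original article: it parses netstat -nat output, tallies states per local port, and flags ports with too many SYN_RECV or CLOSE_WAIT sockets. The sample output, the function names and the thresholds are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed `netstat -nat` output (documentation-range addresses, not real data).
SAMPLE = """\
Proto Recv-Q Send-Q Local Address     Foreign Address      State
tcp        0      0 0.0.0.0:9000      0.0.0.0:*            LISTEN
tcp        0      0 192.0.2.10:9000   198.51.100.1:40001   SYN_RECV
tcp        0      0 192.0.2.10:9000   198.51.100.2:40002   SYN_RECV
tcp        0      0 192.0.2.10:9000   198.51.100.3:40003   SYN_RECV
tcp        0      0 192.0.2.10:9000   198.51.100.4:40004   SYN_RECV
tcp        0      0 192.0.2.10:9000   203.0.113.5:51000    ESTABLISHED
tcp        0      0 192.0.2.10:8080   203.0.113.6:51001    CLOSE_WAIT
tcp        0      0 192.0.2.10:8080   203.0.113.7:51002    CLOSE_WAIT
tcp        0      0 192.0.2.10:8080   203.0.113.8:51003    CLOSE_WAIT
tcp6       0      0 :::22             :::*                 LISTEN
tcp        0      0 192.0.2.10:22     203.0.113.9:51004    TIME_WAIT
"""

# Illustrative thresholds (assumptions); tune them to the host's normal baseline.
RULES = {
    "SYN_RECV": (3, "half-open handshakes piling up: possible SYN flood, check tcp_syncookies"),
    "CLOSE_WAIT": (2, "peer sent FIN but the local application has not closed the socket"),
}

def tally_states(netstat_text):
    """Return (Counter of states overall, {local_port: Counter of states})."""
    total, per_port = Counter(), defaultdict(Counter)
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # skip headers and non-TCP rows
        state = fields[5]
        port = int(fields[3].rsplit(":", 1)[1])  # also handles IPv6 ":::22"
        total[state] += 1
        per_port[port][state] += 1
    return total, dict(per_port)

def findings(per_port, rules=RULES):
    """Return (port, state, count, hint) for every port above a threshold."""
    out = []
    for port in sorted(per_port):
        for state, (limit, hint) in rules.items():
            count = per_port[port][state]
            if count > limit:
                out.append((port, state, count, hint))
    return out

if __name__ == "__main__":
    total, per_port = tally_states(SAMPLE)
    print(dict(total))
    for port, state, count, hint in findings(per_port):
        print(f"port {port}: {count} x {state} -> {hint}")
```

On a live host, feed the function the text captured from netstat -nat instead of the constructed sample.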

6. Keepalive and Heartbeat

When a peer disconnects abruptly, the socket may remain in a half‑open state. Implementing keepalive (system‑wide via /etc/sysctl.conf or application‑level heartbeat) helps detect dead peers and close stale sockets.

7. Linux errno Reference

Common socket error codes:

22 – Invalid argument.

101 – Network unreachable.

111 – Connection refused.

115 – Operation now in progress (non‑blocking timeout).

[Figures: TCP state overview; client state diagram; server state diagram]