Mastering TCP: Understanding States, Handshakes, and Common Pitfalls
This article explains TCP connection states, the three-way handshake and four-way termination processes, provides essential Linux commands for monitoring connections, and offers practical tips for diagnosing network issues, handling SYN floods, TIME_WAIT problems, and implementing keepalive mechanisms to maintain reliable communication.
1. TCP States
Before understanding TCP, learn some Linux commands to view TCP status:
netstat -nat – shows the number of connections in each TCP state.
lsof -i:port – displays open sockets for a specific port.
sar -n SOCK – shows the number of TCP connections created.
tcpdump -iany tcp port 9000 – captures packets for TCP port 9000.
Common network‑testing commands:
ping – tests reachability, latency, jitter and packet loss (many servers disable ping replies for security).
traceroute hostname – traces the route to a host.
pathping www.baidu.com – combines ping and traceroute features.
mtr – merges ping, nslookup and traceroute information.
nslookup – resolves domain names and checks DNS configuration.
TCP listening state (LISTENING) indicates a service is ready to accept connections; for example, a web server listens on port 80 and an FTP server on port 21. Closing unnecessary listening ports improves security.
2. TCP State Transition Diagram
The diagram below shows both server‑side and client‑side state transitions. Understanding each state and its transitions is essential for troubleshooting.
Client state flow:
CLOSED → SYN_SENT → ESTABLISHED → FIN_WAIT_1 → FIN_WAIT_2 → TIME_WAIT → CLOSED.
Server state flow:
CLOSED → LISTEN → SYN_RECEIVED → ESTABLISHED → CLOSE_WAIT → LAST_ACK → CLOSED.
3. TCP Three‑Way Handshake
The client initiates a connection with connect(), sending a SYN packet (state SYN_SENT). The server replies with SYN+ACK (state SYN_RECEIVED). The client acknowledges with ACK, and both sides enter ESTABLISHED, allowing data exchange.
SYN_SENT: the socket is actively attempting to establish a connection.
Typical packet capture:
Client SYN:
IP localhost.39870 > localhost.9502: Flags [S], seq 2927179378
Server SYN+ACK:
IP localhost.9502 > localhost.39870: Flags [S.], seq 1721825043, ack 2927179379
Client ACK:
IP localhost.39870 > localhost.9502: Flags [.], ack 1
4. TCP Four‑Way Termination
Termination is half‑close; each direction must be closed separately.
FIN‑WAIT‑1: active close sends FIN.
FIN‑WAIT‑2: after receiving ACK for FIN.
CLOSE_WAIT: passive close receives FIN and sends ACK.
LAST_ACK: after application closes, sends FIN and waits for ACK.
TIME_WAIT: ensures the final ACK is received and prevents delayed packets from interfering with new connections (2 MSL wait).
CLOSED: socket is no longer used.
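In TIME_WAIT, the socket is waiting after close to handle packets still in the network.
Excessive TIME_WAIT sockets can be mitigated by kernel parameters such as net.ipv4.tcp_tw_reuse=1 and net.ipv4.tcp_tw_recycle=1. Note that tcp_tw_recycle is known to drop connections from clients behind NAT and was removed in Linux 4.12, so on current kernels only tcp_tw_reuse is available.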
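The states above can be monitored by tallying the output of netstat -nat. The script below is an added example, not code from the original article: the function names, the constructed sample and the thresholds are assumptions, and Linux net-tools prints SYN_RECV for the state the article calls SYN_RECEIVED.

```shell
#!/bin/sh
# Added example: summarise TCP states from `netstat -nat` text read on stdin.
# Linux net-tools prints SYN_RECV for the state the article calls SYN_RECEIVED.

# Constructed sample in `netstat -nat` layout (documentation addresses, not a capture).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address       Foreign Address      State
tcp        0      0 0.0.0.0:9000        0.0.0.0:*            LISTEN
tcp        0      0 192.0.2.10:9000     198.51.100.7:40112   SYN_RECV
tcp        0      0 192.0.2.10:9000     198.51.100.8:40113   SYN_RECV
tcp        0      0 192.0.2.10:9000     198.51.100.9:40114   SYN_RECV
tcp        0      0 192.0.2.10:9000     203.0.113.5:51000    ESTABLISHED
tcp        1      0 192.0.2.10:9000     203.0.113.6:51001    CLOSE_WAIT
tcp        0      0 192.0.2.10:9000     203.0.113.7:51002    TIME_WAIT
tcp        0      0 192.0.2.10:9000     203.0.113.8:51003    TIME_WAIT
EOF
}

# Print "STATE COUNT" for every state seen, sorted by state name.
tcp_state_counts() {
    awk '$1 ~ /^tcp/ { n[$6]++ } END { for (s in n) print s, n[s] }' | LC_ALL=C sort
}

# Print one ALERT line per state at or above its threshold.
# Usage: tcp_state_alerts SYN_RECV_MAX CLOSE_WAIT_MAX TIME_WAIT_MAX
tcp_state_alerts() {
    awk -v syn="$1" -v cw="$2" -v tw="$3" '
        $1 ~ /^tcp/ { n[$6]++ }
        END {
            if (n["SYN_RECV"] + 0 >= syn + 0)
                print "ALERT SYN_RECV=" n["SYN_RECV"] ": handshakes not completing, check for a SYN flood"
            if (n["CLOSE_WAIT"] + 0 >= cw + 0)
                print "ALERT CLOSE_WAIT=" n["CLOSE_WAIT"] ": peer sent FIN but the local application has not closed"
            if (n["TIME_WAIT"] + 0 >= tw + 0)
                print "ALERT TIME_WAIT=" n["TIME_WAIT"] ": many recently closed connections still in the 2 MSL wait"
        }'
}

# Demo on the constructed sample; thresholds 3/1/5 are illustrative only.
# On a live host: netstat -nat | tcp_state_alerts 100 50 5000
sample_netstat | tcp_state_counts
sample_netstat | tcp_state_alerts 3 1 5
```

Pick thresholds from the host's own baseline; a busy server legitimately holds many TIME_WAIT sockets, while a sustained SYN_RECV or CLOSE_WAIT count is the more telling signal.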
5. Simultaneous Open and Close
Simultaneous open (both sides send SYN) is rarely supported; simultaneous close (both sides send FIN) follows the same four‑packet exchange.
6. TCP Flags
Important flags:
SYN – initiates a connection.
FIN – terminates a connection.
ACK – acknowledges received data.
PSH – indicates data payload.
RST – resets a connection.
7. Handling Unexpected Disconnections
When a peer crashes or the network drops, the connection becomes half‑open. Applications can detect this using keepalive mechanisms:
Application‑level heartbeat threads that periodically send a probe and expect an ACK.
TCP keepalive (kernel‑level) which sends keep‑alive packets after a configurable idle period.
Typical keepalive settings in /etc/sysctl.conf:
net.ipv4.tcp_keepalive_time = 60
net.ipv4.tcp_keepalive_intvl = 20
net.ipv4.tcp_keepalive_probes = 3
When keepalive probes fail, the socket becomes readable and recv() returns -1 with errno=ETIMEDOUT, indicating the connection is dead.
8. Common Linux errno Values for TCP
22 – Invalid argument (e.g., malformed IP address).
101 – Network unreachable.
111 – Connection refused.
115 – Operation now in progress (non‑blocking socket).
Open Source Linux
Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
