
Understanding TCP: From Three‑Way Handshake to Four‑Way Teardown and State Transitions

This article explains TCP's connection‑oriented behavior, detailing the three‑way handshake for establishing a connection, the four‑step termination process, various state transitions, half‑open/half‑close scenarios, simultaneous open/close, initial sequence numbers, and the role of RST and TIME_WAIT.

ITPUB

TCP Overview

TCP is a connection‑oriented, unicast protocol; it does not support multicast or broadcast because each segment contains explicit source and destination IP addresses.

Before data can be exchanged, the two endpoints must establish a connection, and after the exchange they must close it.

Connection Establishment and Termination

The process is divided into three phases for establishing a connection and four phases for terminating it.

Three‑Way Handshake

The server performs a passive open by calling socket, bind, and listen, entering the LISTEN state and waiting for client requests.

The client actively opens a connection with connect, sending a SYN segment (SYN=1) with an initial sequence number seq = x. The client moves to SYN‑SENT.

The server receives the SYN, replies with a SYN‑ACK (SYN=1, ACK=1, ack = x+1) and chooses its own initial sequence number seq = y, entering SYN‑RECEIVED.

The client acknowledges the server’s SYN‑ACK with an ACK (ACK=1, seq = x+1, ack = y+1) and reaches the ESTABLISHED state.

The server also receives the final ACK and transitions to ESTABLISHED.

The side that sends the first SYN is considered the client; the side that receives it is the server.

Establishing a TCP connection requires three segments, while closing it requires four.

Four‑Way Termination

The client initiates closure by sending a FIN segment (FIN=1, seq = u) and enters FIN‑WAIT‑1.

The server acknowledges with an ACK (ACK=1, seq = v, ack = u+1) and moves to CLOSE‑WAIT.

The client receives the ACK and proceeds to FIN‑WAIT‑2, waiting for the server to send its own FIN.

The server then sends its FIN (FIN=1, seq = v) and enters LAST‑ACK.

The client acknowledges the server’s FIN (ACK=1, seq = u+1, ack = v+1) and enters TIME‑WAIT, remaining there for 2 MSL before moving to CLOSED.

The server, after receiving the client’s ACK, transitions to CLOSED.

Either side may initiate closure, though the client usually does so first.

Half‑Open and Half‑Close

A half‑open state occurs when one endpoint closes its side of the connection without notifying the other, leaving the other side unaware of the termination. This can happen if a host crashes or loses power.

Half‑close allows one direction of data flow to be closed while the other direction remains open. The initiator sends a FIN, continues to receive data, and only after receiving the peer’s FIN does it fully close.

In a half‑close, one direction is closed while the opposite direction can still carry data until it is also closed.

Simultaneous Open and Close

In a simultaneous open, both endpoints send SYN segments at the same time, each entering SYN‑SENT. After exchanging SYN‑ACKs, both reach SYN‑RECEIVED and finally ESTABLISHED. This requires four segments instead of three.

Simultaneous close works similarly, with both sides sending FINs concurrently, resulting in an interleaved exchange of four segments.

Initial Sequence Numbers (ISN)

The initial sequence number (ISN) is chosen randomly for each connection. RFCs define it as a 32‑bit counter that increments by one every 4 µs, helping to avoid sequence‑number collisions.

Because a correct four‑tuple (source IP, source port, destination IP, destination port) and matching ISN are required for a connection, spoofing attacks must replicate both, making ISN randomness a key defense.
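The 4 µs counter and the per-connection randomness described above combine as in RFC 6528: ISN = M + F(four-tuple, secret key). The following is an added example, not code from the original article; the use of HMAC-SHA-256 for F and the names `SECRET`, `tuple_offset` and `isn` are assumptions made for illustration.

```python
# Added example (not from the original article): ISN = M + F(4-tuple, secret),
# the construction described in RFC 6528. HMAC-SHA-256 stands in for F here.
import hashlib
import hmac
import ipaddress
import os
import struct
import time

SECRET = os.urandom(16)  # assumption: a per-boot secret known only to this host

def tuple_offset(local_ip, local_port, remote_ip, remote_port, secret):
    """F(): keyed hash of the four-tuple, truncated to 32 bits."""
    data = (ipaddress.ip_address(local_ip).packed + struct.pack("!H", local_port)
            + ipaddress.ip_address(remote_ip).packed + struct.pack("!H", remote_port))
    return int.from_bytes(hmac.new(secret, data, hashlib.sha256).digest()[:4], "big")

def isn(local_ip, local_port, remote_ip, remote_port, secret=SECRET, now_us=None):
    """Return a 32-bit ISN for one connection."""
    if now_us is None:
        now_us = time.monotonic_ns() // 1000
    m = now_us // 4  # M: the counter that ticks once every 4 microseconds
    f = tuple_offset(local_ip, local_port, remote_ip, remote_port, secret)
    return (m + f) & 0xFFFFFFFF  # wrap to the 32-bit sequence space

if __name__ == "__main__":
    # Constructed addresses from the documentation ranges.
    print(isn("192.0.2.10", 443, "198.51.100.7", 51000))
    print(isn("192.0.2.10", 443, "198.51.100.7", 51001))
```

For one four-tuple the ISN still advances monotonically with the clock, while an observer who learns the ISN of one connection cannot derive the offset used for a different four-tuple without the secret.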

TCP State Machine

The TCP state diagram includes many states such as CLOSED, LISTEN, SYN‑SENT, SYN‑RECEIVED, ESTABLISHED, FIN‑WAIT‑1, FIN‑WAIT‑2, CLOSE‑WAIT, LAST‑ACK, TIME‑WAIT, CLOSING, and others.

Why would a client in LISTEN send a SYN and become SYN‑SENT? In rare cases like FTP data connections, the client may actively open after the server initiates a transfer.

When a server in SYN‑RECEIVED receives an RST, it returns to LISTEN. An RST is sent when a segment arrives with an unexpected IP/port combination, when a timeout occurs, or when a connection is aborted.
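The handshake and teardown sequences described earlier, replayed through these state transitions as an added example (not part of the original article). It assumes a payload-free exchange with no crossing segments, uses x = 1000 and y = 5000 as constructed values, and the names `track` and `TRACE` are illustrative; the 2 MSL timer is not modelled.

```python
# Added example (not from the original article): replay a constructed,
# payload-free trace and track both endpoints. Flags are named as in the text.
SND = {("CLOSED", "SYN"): "SYN-SENT", ("ESTABLISHED", "FIN"): "FIN-WAIT-1",
       ("CLOSE-WAIT", "FIN"): "LAST-ACK"}
RCV = {("LISTEN", "SYN"): "SYN-RECEIVED", ("SYN-SENT", "SYN+ACK"): "ESTABLISHED",
       ("SYN-RECEIVED", "ACK"): "ESTABLISHED", ("SYN-RECEIVED", "RST"): "LISTEN",
       ("ESTABLISHED", "FIN"): "CLOSE-WAIT", ("FIN-WAIT-1", "ACK"): "FIN-WAIT-2",
       ("FIN-WAIT-2", "FIN"): "TIME-WAIT", ("LAST-ACK", "ACK"): "CLOSED"}

def track(trace):
    """Replay (sender, flags, seq, ack) tuples; return (history, anomalies)."""
    state = {"client": "CLOSED", "server": "LISTEN"}
    nxt = {}  # next sequence number each endpoint should send
    history, anomalies = [], []
    for i, (sender, flags, seq, ack) in enumerate(trace, 1):
        peer = "server" if sender == "client" else "client"
        bad = []
        if sender in nxt and seq != nxt[sender]:
            bad.append(f"seq {seq} != expected {nxt[sender]}")
        if "ACK" in flags and ack != nxt.get(peer):
            bad.append(f"ack {ack} != expected {nxt.get(peer)}")
        if bad:  # a segment that fails the checks is rejected: no state change
            anomalies += [(i, msg) for msg in bad]
        else:
            # SYN and FIN consume one sequence number; a bare ACK consumes none.
            nxt[sender] = seq + (1 if flags in ("SYN", "SYN+ACK", "FIN") else 0)
            state[sender] = SND.get((state[sender], flags), state[sender])
            state[peer] = RCV.get((state[peer], flags), state[peer])
        history.append((state["client"], state["server"]))
    return history, anomalies

# Constructed trace: x = 1000, y = 5000; no data is sent, so u = x + 1, v = y + 1.
TRACE = [
    ("client", "SYN",     1000, None),
    ("server", "SYN+ACK", 5000, 1001),
    ("client", "ACK",     1001, 5001),
    ("client", "FIN",     1001, None),
    ("server", "ACK",     5001, 1002),
    ("server", "FIN",     5001, None),
    ("client", "ACK",     1002, 5002),
]

if __name__ == "__main__":
    for seg, st in zip(TRACE, track(TRACE)[0]):
        print(seg, "->", st)
```

Replacing the third segment with an ACK whose acknowledgment number is not y + 1 leaves the server in SYN-RECEIVED and records an anomaly, which is the check that makes an unpredictable ISN matter.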

TIME_WAIT State

The side that actively closes the connection enters TIME_WAIT, which lasts for 2 × MSL (Maximum Segment Lifetime). During this period the endpoint may retransmit the final ACK if the peer’s FIN is lost.

MSL is the maximum time a TCP segment can exist in the network, typically about two minutes, though it can be configured per operating system.

After the 2 MSL wait, the connection is fully closed, freeing resources for future connections.
