Understanding TCP Packet Structure, Three‑Way Handshake and Four‑Way Termination
This article explains the TCP header layout, details each field and control flag, and walks through the three‑way handshake for connection establishment and the four‑step termination process, including why these specific numbers of steps are required and the purpose of the 2 MSL wait.
TCP Packet Format
TCP provides a connection‑oriented reliable byte‑stream service. The TCP header is typically 20 bytes when no optional fields are present.
Field Analysis
Source Port: identifies the return address together with the IP address.
Destination Port: identifies the receiving application on the host.
Sequence Number: the number of the first byte in the segment; ensures ordered delivery of the byte stream.
Acknowledgment Number: the next expected byte; valid only when the ACK flag is set.
Header Length/Data Offset: a 4‑bit field, counted in 32‑bit words, indicating where the data begins; the maximum header length is therefore 15 × 4 = 60 bytes.
Reserved: 6 bits reserved for future use, currently set to zero.
Control flags (URG, ACK, PSH, RST, SYN, FIN) each provide a specific function.
URG: urgent pointer is valid, indicating urgent data.
ACK: acknowledgment number is valid; required for reliable delivery.
PSH: push function for interactive communication.
RST: reset the connection on serious error.
SYN: synchronize sequence numbers during connection setup.
FIN: graceful connection termination.
Window: 16‑bit size of the receive buffer, used for flow control.
Checksum: 16‑bit checksum covering header and data.
Urgent Pointer: valid when URG is set; points to the last urgent byte.
Options and Padding: e.g., Maximum Segment Size (MSS); padding aligns the header to a 32‑bit boundary.
Data: optional payload; may be absent in pure control segments.
Three‑Way Handshake
Client sends a SYN packet (seq = x) and enters SYN_SENT state.
Server replies with SYN+ACK (ack = x+1, seq = y) and enters SYN_RECV state.
Client sends an ACK (ack = y+1); both sides transition to ESTABLISHED and data transfer can begin.
No data is exchanged during the handshake; only after the connection is established can payload be transmitted.
Why Three Handshakes?
Three steps prevent stale SYN packets—sent earlier but delayed by the network—from being mistaken for new connection requests, which would waste server resources.
A two‑handshake approach cannot distinguish such delayed duplicates, while adding a fourth handshake would not significantly improve reliability and is unnecessary.
Four‑Way Termination
Client sends FIN (seq = u) to stop sending data and enters FIN_WAIT_1.
Server acknowledges with ACK (ack = u+1) and enters CLOSE_WAIT. The server may still send remaining data.
Server sends its own FIN (seq = w) and enters LAST_ACK, waiting for the client’s final ACK.
Client acknowledges with ACK (ack = w+1) and enters TIME_WAIT, staying for 2 MSL before moving to CLOSED.
Why Wait 2 MSL?
The wait guarantees that the final ACK reaches the server in case it was lost and allows any delayed packets from the closed connection to expire from the network, preventing them from being interpreted as part of a new connection.
Why Connection Setup Uses Three Handshakes but Teardown Uses Four?
During setup the server can combine its SYN and ACK in a single segment, so the handshake takes only three steps. During teardown each side must close its own direction, and the server may still have data to send after acknowledging the client's FIN, so its ACK and FIN are sent as separate segments, which results in four distinct steps.
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"
