Understanding TCP Protocol and Packet Analysis with Wireshark
This article explains how to visualize and dissect TCP/IP packet structures using Wireshark, walks through each OSI/TCP‑IP layer, and details the fields of the TCP header such as ports, sequence numbers, flags, and checksum, providing a practical understanding of network protocol fundamentals.
Preface
When you read this article you only see rendered text and images, but the network data exchange is invisible; learning computer network principles can feel abstract, which troubled the author.
Moreover, is the real network data exchange really as depicted in most articles?
These questions motivated the author to explore the nearest protocol, TCP, and see what it looks like.
To "see" TCP, we need the powerful network analysis tool Wireshark.
Wireshark is the most commonly used packet capture and analysis tool on Windows, a sword that makes packet data clear; on Linux, tcpdump can be used.
(There are many network analysis tools, but tools are only means; the goal is what matters.)
First Try: Parsing Each Layer of the Protocol Stack
We can request a website (e.g., xxx.com) in a browser and use Wireshark to visually see the captured packets, which display header information of each network packet.
The capture shows that the main protocol is TCP.
By selecting a packet, we can see detailed information for each layer of the TCP/IP protocol, corresponding to the physical, data‑link, network, and transport layers.
The application layer, if present, appears as the fifth layer, so a total of five layers can be seen.
This corresponds to the classic TCP/IP model.
Application layer
Transport layer
Network layer
Network Interface layer
Further inspection shows that each layer's header fields point to the upper layer, indicating which protocol encapsulates the next.
The data‑link layer shows MAC header information and source/destination MAC addresses.
The IP layer shows the IP header, IPv4 version, source IP, destination IP, packet length, and other fields.
The TCP layer shows the TCP header, which will be detailed later.
Wireshark reveals that each layer has a field pointing to the upper layer, showing the protocol hierarchy.
Because packets are built by adding headers from application down to link layer, the receiver strips them from the bottom up, using those fields to know how to decode each layer.
Thus, network layering works like an ordered division of labor, each layer with its responsibilities, forming a complete packet.
Looking Back at the Real TCP Header Format
Now we examine the actual TCP header format captured in Wireshark.
In the TCP layer we can see key fields:
Source Port and Destination Port – the TCP segment itself does not contain IP addresses; those belong to the IP layer.
The four‑tuple src_ip, src_port, dst_ip, dst_port identifies a TCP connection.
Example: source port 63123, destination port 443 (HTTPS).
The TCP header also contains four important fields:
Sequence Number – packet sequence to handle out‑of‑order delivery.
Acknowledgement Number – confirms receipt, helping avoid packet loss.
Window (Advertised‑Window) – the sliding window for flow control.
Flags – packet state, controlling TCP behavior.
The Flags field includes six bits: ACK, SYN, FIN, URG, PSH, RST, where a value of 1 indicates the flag is set.
The most relevant flags are SYN (connection establishment), ACK (acknowledgement), and FIN (connection termination).
The Urgent Pointer field is meaningful only when the URG flag is set to 1; otherwise the receiver ignores it.
Another mandatory field is Checksum, calculated by the sender and verified by the receiver to detect any alteration of the TCP header or data; if the checksum fails, the segment is discarded.
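To make the header fields above concrete, here is an added example (not code from the original article) that builds a constructed TCP segment, parses the port, sequence, acknowledgement, window and flag fields the way Wireshark displays them, and verifies the checksum over the IPv4 pseudo-header. The addresses 10.0.0.1 and 10.0.0.2 and the segment contents are constructed sample values.

```python
import struct

# Flag bits in the low byte of the TCP flags field: bit 0 .. bit 5
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]

def checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words; odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def pseudo_header(src_ip, dst_ip, tcp_len):
    # IPv4 pseudo-header: src, dst, zero byte, protocol 6 (TCP), TCP length (header + data).
    # This is why the TCP checksum depends on IP addresses the TCP header itself never carries.
    return ip_to_bytes(src_ip) + ip_to_bytes(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)

def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload=b""):
    """Assemble a 20-byte TCP header (no options) plus payload with a valid checksum."""
    data_offset = 5                          # header length in 32-bit words
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      data_offset << 4, flags, window, 0, 0)   # checksum, urgent ptr = 0
    csum = checksum(pseudo_header(src_ip, dst_ip, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def parse_segment(segment, src_ip, dst_ip):
    """Dissect the fixed TCP header and check the checksum like a receiver would."""
    sport, dport, seq, ack, off_res, flags, window, csum, urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    hdr_len = (off_res >> 4) * 4              # data offset is in 32-bit words
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]   # recompute with checksum field zeroed
    ok = checksum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed) == csum
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "header_len": hdr_len, "window": window,
        "flags": [name for bit, name in enumerate(FLAG_NAMES) if (flags >> bit) & 1],
        "urgent_pointer": urg if flags & 0x20 else None,  # valid only when URG is set
        "checksum_ok": ok, "payload": segment[hdr_len:],
    }

if __name__ == "__main__":
    syn = build_segment("10.0.0.1", "10.0.0.2", 63123, 443, 1000, 0, 0x02, 65535)
    print(parse_segment(syn, "10.0.0.1", "10.0.0.2"))
```

Flipping any bit in the segment before parsing makes `checksum_ok` false, which is the receiver-side discard described above.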
Using Wireshark you can now see exactly what TCP looks like; further exploration can reveal the three‑way handshake and four‑way termination processes.