Understanding TCP: Three-Way Handshake, Four-Way Teardown, TIME‑WAIT, and HTTP/2

Hello, I’m Tom.

This article shares common TCP networking knowledge that frequently appears in daily work and interviews.

What are the functions of the OSI seven‑layer model?

Application layer: interface between users and the network (e.g., HTTP, FTP, SMTP, TELNET).

Presentation layer: data representation, security, compression.

Session layer: establishes and manages sessions between hosts.

Transport layer: defines protocol ports, flow control, error checking; protocols include TCP and UDP.

Network layer: routing algorithms and logical addressing; protocols include IP and ICMP.

Data link layer: frames data from the physical layer and vice versa.

Physical layer: establishes, maintains, and terminates physical connections; transmits bits.

What fields are in a TCP segment header?

Source port, destination port (2 bytes each).

Sequence Number (4 bytes).

Acknowledgement Number (4 bytes).

Data offset (header length, 4 bytes).

Six flag bits: URG, ACK, PSH, RST, SYN, FIN.

Window size (4 bytes) for flow control.

Checksum (2 bytes) for error detection.

Urgent pointer (2 bytes) for urgent data.

TCP three‑way handshake process

1️⃣ Client sends SYN (seq = x) and enters SYN_SEND state.

2️⃣ Server replies with SYN‑ACK (seq = y, ack = x+1) and enters SYN_RCV state.

3️⃣ Client sends ACK (ack = y+1) and enters ESTABLISHED; server also enters ESTABLISHED upon receiving the ACK.

Why three handshakes instead of two or four?

With only two handshakes, the server could think the connection is established even if the client never receives the SYN‑ACK, wasting resources. Three handshakes are the minimal steps required to reliably establish a TCP connection.

TCP four‑way termination process

1️⃣ Client sends FIN to close its sending side.

2️⃣ Server acknowledges with ACK, entering half‑close state (client‑to‑server closed, server‑to‑client may still send).

3️⃣ Server sends FIN to close its sending side.

4️⃣ Client acknowledges with ACK and enters TIME‑WAIT state; after waiting 2 × MSL, it moves to CLOSED.

Why four handshakes?

TCP is full‑duplex; each direction must be closed independently, so four steps separate the two shutdown processes.

Why does the client stay in TIME‑WAIT for 2 MSL?

MSL is the maximum segment lifetime. Waiting 2 MSL ensures the final ACK reaches the server and that all packets from the connection have expired, preventing old packets from affecting future connections.

How many connections can an 8 GB memory server maintain?

Assuming 4 KB send and receive buffers plus socket descriptor overhead, each TCP connection consumes about 8 KB. Thus, 8 GB ÷ 8 KB ≈ 1 048 576 connections (≈ 1 million long‑lived connections).

What is packet fragmentation (拆包) and reassembly?

Because transport‑layer packets cannot be too large, data is split into multiple TCP segments based on buffer size; the receiver reassembles the segments back into the original data.

What is packet coalescing (粘包)?

To avoid sending many small packets, TCP may combine multiple small messages into a single segment; the receiver then splits the segment back into individual messages.

What is the purpose of a buffer?

A buffer is a memory area that temporarily stores data when the NIC cannot process packets fast enough, allowing data to be queued for transmission or reception.

How does TCP guarantee ordered delivery?

Each byte is assigned a cumulative Sequence Number; the receiver uses these numbers to reorder segments that may arrive out of order.

How does TCP detect and recover from packet loss?

The receiver sends an Acknowledgement Number (ACK) indicating the next expected byte; missing ACKs trigger retransmission.

What is MSS?

MSS (Maximum Segment Size) is an optional TCP header field that defines the largest segment size; it must be negotiated by both ends.

How does TCP control transmission speed?

Through the sliding window mechanism: the window size (sent‑but‑unacknowledged and not‑yet‑sent data) determines how much data can be in flight. Larger windows increase throughput but also increase potential loss.

Differences among HTTP 1.0, 1.1, and 2.0

HTTP 1.0: short‑lived connections; a new TCP connection for each request.

HTTP 1.1: persistent connections; multiple requests reuse the same connection.

HTTP 2.0: binary framing, multiplexing, header compression (HPACK), and server push, improving throughput and reducing latency.

Difference between HTTP and HTTPS

HTTPS = HTTP + SSL/TLS. HTTP uses cleartext on port 80; HTTPS adds SSL/TLS encryption and certificate verification on port 443.

Why is HTTP designed as a stateless protocol?

Statelessness simplifies scaling, routing, and load balancing because servers do not retain per‑client state. State is carried by client‑side mechanisms such as cookies.

HTTPS handshake flow

Client sends a request indicating supported hash algorithms.

Server returns its digital certificate (public key).

Client validates the certificate.

Client generates a symmetric key, encrypts it with the server’s public key, and sends it.

Server decrypts the symmetric key with its private key.

Both sides use the symmetric key for encrypted communication.

Symmetric vs. asymmetric encryption

Symmetric: same key for encryption and decryption; fast (e.g., AES, DES).

Asymmetric: public‑private key pair; public key encrypts, private key decrypts (e.g., RSA, DSS).

What tool is used for TCP packet capture?

Wireshark – a widely used network protocol analyzer supporting hundreds of protocols, real‑time capture, offline analysis, and multiple operating systems.