Why Does TCP Need a Three‑Way Handshake? A Real‑World Analogy Explained

The article uses a humorous long‑distance‑call scenario to illustrate why TCP requires a three‑way handshake for reliable connection establishment and a four‑step termination, then details the packet format, flag meanings, handshake steps, and related security considerations.

MaGe Linux Operations

Background

In a fictional long‑distance relationship, the couple experiences frequent video‑call freezes and repeatedly asks each other, "Can you hear me?" to confirm the audio is working, highlighting the need for a simple mutual confirmation method.

Solution

The story is used to explain why TCP (Transmission Control Protocol) establishes connections with a three‑way handshake instead of two or four exchanges. TCP is a reliable transport‑layer protocol (IP protocol number 6) that cannot guarantee absolute reliability, but the handshake satisfies basic reliability requirements.

Analogy: making a phone call involves three steps, mirroring the client‑server communication.

Proposed protocol for the couple:

Either party can initiate a check when the network seems bad.

If no reply is received within 5 seconds, the network is considered down.

After a 1‑minute router reset, the check can be retried.

When the initiator asks "1+1 equals?", the responder replies "2" and then asks their own question. Successful exchange confirms both parties can hear each other.

Four‑Way Termination

To close a TCP connection, the client sends a FIN, the server acknowledges with ACK, then the server sends its own FIN, and finally the client acknowledges with another ACK. This four‑packet exchange ensures all data is transmitted before the socket is fully closed.

Images illustrate the FIN/ACK sequence.

TCP Packet Format

The TCP header includes fields such as:

Sequence number (Seq): 32‑bit identifier of the byte stream.

Acknowledgment number (Ack): valid only when the ACK flag is set; in the handshake, Ack = the peer's Seq + 1.

Flags: URG, ACK, PSH, RST, SYN, FIN, each with specific meanings.

Key notes: do not confuse the Ack field (the acknowledgment number) with the ACK flag; in the handshake, the acknowledgment number equals the sequence number of the segment being acknowledged plus one.

Three‑Way Handshake

1. First handshake: Client sends SYN with a random sequence number J and enters SYN_SENT.

2. Second handshake: Server receives SYN, replies with SYN+ACK, sets Ack = J+1, chooses its own sequence number K, and enters SYN_RCVD.

3. Third handshake: Client acknowledges with ACK, Ack = K+1, and both sides move to ESTABLISHED, allowing data transfer.

Images show the handshake flow.

SYN Attack

During the handshake, a server may hold half‑open connections (SYN received, ACK not yet received). An attacker can flood the server with forged SYN packets, exhausting the connection queue and causing denial of service.

To list half‑open connections on a Linux server (netstat reports the SYN_RCVD state as SYN_RECV):

# netstat -nap | grep SYN_RECV
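
The check above can be turned into a per-listener summary. The script below is an added example, not part of the original article: it counts SYN_RECV entries and distinct remote addresses for each local address:port. The function names, the threshold value and the sample netstat lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): summarise half-open
# connections per local listener from `netstat -n` style output on stdin.

# Constructed sample input; addresses are from documentation ranges.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.23:51344     SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.88:1029       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.88:1030       SYN_RECV
tcp        0      0 192.0.2.10:22           198.51.100.7:53210      SYN_RECV
tcp        0      0 192.0.2.10:22           198.51.100.9:60022      ESTABLISHED
EOF
}

# syn_recv_report THRESHOLD
# THRESHOLD is an assumed tuning value: half-open count at which a listener
# is flagged. Prints "<verdict> <local addr:port> half_open=N sources=M".
syn_recv_report() {
    awk -v limit="${1:-100}" '
        # Columns: Proto Recv-Q Send-Q Local Foreign State [PID/Program]
        $1 ~ /^tcp/ && $6 == "SYN_RECV" {
            half_open[$4]++                      # SYNs awaiting the final ACK
            src = $5
            sub(/:[^:]*$/, "", src)              # drop the remote port
            if (!seen[$4, src]++) sources[$4]++  # distinct remote addresses
        }
        END {
            for (l in half_open) {
                verdict = (half_open[l] >= limit + 0) ? "ALERT" : "ok"
                printf "%s %s half_open=%d sources=%d\n",
                       verdict, l, half_open[l], sources[l]
            }
        }' | LC_ALL=C sort
}

sample_netstat | syn_recv_report 3
```

On a live Linux host, pipe `netstat -nat` into `syn_recv_report` with a threshold taken from the listener's normal baseline of half-open connections.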

Four‑Way Termination Details

1. Client sends FIN, enters FIN_WAIT_1.

2. Server replies with ACK, enters CLOSE_WAIT.

3. Server sends its own FIN, enters LAST_ACK.

4. Client acknowledges with ACK, enters TIME_WAIT, then the server moves to CLOSED.

Images depict both single‑side and simultaneous close scenarios.

Additional Notes

Typical interview questions include describing the three‑way handshake, the four‑way termination, and why connection establishment uses three steps while termination uses four.
