Why Does TCP Need a Three‑Way Handshake? A Simple Analogy Explained

Background

After more than a year of long‑distance video calls with his girlfriend, the author noticed frequent audio freezes caused by poor network conditions, leading to repetitive confirmations like “Can you hear me?” and “Can you hear me now?”.

Problem

Both parties need a simple, reliable way to confirm that each can hear the other without endless back‑and‑forth checks.

Solution (TCP Analogy)

The author draws an analogy to TCP’s three‑way handshake, explaining why three messages are required to establish a reliable connection. TCP (Transmission Control Protocol) is a reliable transport‑layer protocol (IP protocol number 6). In everyday terms, a phone call involves an initial request, an acknowledgment, and a final confirmation, mirroring the SYN, SYN‑ACK, and ACK sequence.

Applying this to the video‑chat scenario, the participants agree on a simple protocol:

Either side can initiate a “Are you hearing me?” query when network quality seems poor.

If no reply is received within 5 seconds, the network is considered broken.

If a reply arrives, both confirm they can hear each other and then continue the conversation.

This mirrors the three‑step handshake: the initiator sends a query (SYN), the responder replies (SYN‑ACK), and the initiator acknowledges (ACK), confirming bidirectional audio.

Four‑Way Handshake (Connection Termination)

To close a TCP connection, four messages are needed to ensure all data is transmitted. The steps are:

Client sends FIN to close its sending direction.

Server acknowledges with ACK (FIN‑WAIT_1 → CLOSE_WAIT).

Server sends its own FIN.

Client acknowledges with ACK, entering TIME_WAIT, and the server moves to CLOSED.

This guarantees that both sides have finished sending data before the socket is fully closed.

TCP Packet Format

The TCP header includes several important fields:

Seq : 32‑bit sequence number identifying the byte stream.

Ack : 32‑bit acknowledgment number (valid when ACK flag is set), typically Seq+1.

Flags : URG, ACK, PSH, RST, SYN, FIN, each with specific meanings (urgent pointer, acknowledgment, push data, reset connection, synchronize, finish).

Note: Do not confuse the ACK flag with the acknowledgment number field.

Three‑Way Handshake Details

1. First handshake : Client sends SYN with a random sequence number J and enters SYN_SENT state.

2. Second handshake : Server receives SYN, replies with SYN‑ACK, sets its own sequence number K, acknowledges J+1, and enters SYN_RCVD state.

3. Third handshake : Client acknowledges with ACK (ack=K+1), establishing the connection; both sides move to ESTABLISHED state.

SYN Attack

During the handshake, the server may have many half‑open connections (SYN received, ACK not yet received). An attacker can flood the server with forged SYN packets from random IPs, causing the server’s pending‑connection queue to fill and legitimate connections to be dropped, resulting in a denial‑of‑service condition. Detection can be as simple as checking for many sockets in SYN_RECV state, e.g.,

netstat -nap | grep SYN_RECV

.

Four‑Way Termination Details

The termination process mirrors the handshake but in reverse, ensuring each direction is closed independently because TCP is full‑duplex. Active close sends FIN, passive side acknowledges, then the passive side sends its own FIN, and finally the original side acknowledges.