Why Does TCP Need a Three‑Way Handshake? A Simple Analogy Explained
The article uses a humorous long‑distance video‑chat scenario to illustrate why TCP requires a three‑way handshake for connection establishment and a four‑step termination, explaining each packet exchange, flag meanings, and related concepts such as half‑open connections and SYN‑flood attacks.
Background
After more than a year of long‑distance relationship, the author proposes a nightly video call to keep the connection alive, but network glitches often cause the video to freeze and the audio to drop.
Problem
When the network quality deteriorates, both parties repeatedly ask each other, “Can you hear me?” leading to a tedious back‑and‑forth confirmation loop.
Solution
The situation is used as an analogy to explain why TCP establishes a connection with a three‑way handshake and terminates it with a four‑step process.
TCP Three‑Way Handshake
TCP (Transmission Control Protocol) is a reliable transport‑layer protocol (IP protocol number 6). The three‑way handshake ensures both ends agree on initial sequence numbers and that the connection is ready for data transfer.
The handshake can be visualized as a phone conversation:
TCP Packet Format
Key fields include:
Seq: 32‑bit sequence number identifying the sender's position in the byte stream.
Ack: 32‑bit acknowledgment number (valid only when the ACK flag is set); in the handshake it equals the peer's Seq + 1.
Flags: URG, ACK, PSH, RST, SYN, FIN, each with a specific meaning.
TCP Flags
URG: urgent pointer is valid.
ACK: acknowledgment number is valid.
PSH: push, deliver the data to the application promptly.
RST: reset the connection.
SYN: synchronize, initiate a new connection.
FIN: finish, close a connection.
Three‑Way Handshake Steps
First handshake: the client sends a segment with SYN=1 and a random initial sequence number J, and enters the SYN_SENT state.
Second handshake: the server receives the SYN and replies with SYN=1, ACK=1, ack=J+1 and its own random initial sequence number K, entering the SYN_RCVD state.
Third handshake: the client acknowledges with ACK=1 and ack=K+1; both sides transition to ESTABLISHED, and data transfer can begin.
SYN Attack
During the handshake, the server's half‑open state (after sending SYN‑ACK but before receiving the ACK) can be abused. An attacker floods the server with forged SYN packets from spoofed IP addresses, exhausting the backlog queue and causing a denial of service. Half‑open connections show up as SYN_RECV entries:
# netstat -nap | grep SYN_RECV
Four‑Way Termination
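To turn the SYN_RECV check into something a monitoring script can act on, here is an added example (not code from the article) that parses `netstat -nap` style output and summarises the half‑open connections. The sample text is constructed in the Linux netstat column layout; addresses, ports and the threshold of 2 half‑open connections per local port are assumptions for the demonstration. Because a flood uses spoofed sources, each SYN_RECV entry tends to come from a different address, so the report counts by local port and by number of distinct sources rather than looking for one noisy client.

```python
from collections import Counter

# Constructed sample of `netstat -nap` output (Linux layout); not a real capture.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/nginx
tcp        0      0 10.0.0.5:80             198.51.100.20:41022     ESTABLISHED 1234/nginx
tcp        0      0 10.0.0.5:80             203.0.113.7:51512       SYN_RECV    -
tcp        0      0 10.0.0.5:80             203.0.113.8:51513       SYN_RECV    -
tcp        0      0 10.0.0.5:80             203.0.113.9:51514       SYN_RECV    -
tcp        0      0 10.0.0.5:443            192.0.2.44:60001        SYN_RECV    -
tcp        0      0 10.0.0.5:22             198.51.100.21:55000     ESTABLISHED 900/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           700/ntpd
"""


def parse_netstat(text):
    """Return one dict per TCP socket line: local/remote (host, port) and state.

    Header lines and non-TCP sockets are skipped. The address is split on the
    last ':' so IPv6 literals (which contain colons) still parse.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        lhost, lport = parts[3].rsplit(":", 1)
        fhost, fport = parts[4].rsplit(":", 1)
        rows.append({"local": (lhost, lport), "remote": (fhost, fport), "state": parts[5]})
    return rows


def half_open_report(text, per_port_threshold=2):
    """Summarise SYN_RECV (half-open) sockets from netstat output.

    per_port_threshold is an assumed demonstration value; tune it to the
    service's normal connection rate before alerting on it.
    """
    half_open = [r for r in parse_netstat(text) if r["state"] == "SYN_RECV"]
    by_port = Counter(r["local"][1] for r in half_open)
    by_source = Counter(r["remote"][0] for r in half_open)
    return {
        "half_open": len(half_open),
        "by_local_port": dict(by_port),
        # Many half-open sockets spread over many sources is the flood signature.
        "distinct_sources": len(by_source),
        "flagged_ports": sorted(p for p, n in by_port.items() if n >= per_port_threshold),
    }


if __name__ == "__main__":
    print(half_open_report(SAMPLE_NETSTAT))
```

On a live host you would feed `half_open_report` the output of the netstat command instead of the constructed sample. A large SYN_RECV count with a high ratio of distinct sources to half‑open entries is the pattern to alert on; on Linux, enabling SYN cookies (`net.ipv4.tcp_syncookies=1`) lets the server keep accepting legitimate connections once the backlog is full.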
Closing a TCP connection requires four packet exchanges because the connection is full‑duplex; each direction must be closed independently.
First: the client sends FIN and enters FIN_WAIT_1.
Second: the server acknowledges with ACK and enters CLOSE_WAIT.
Third: the server sends its own FIN and enters LAST_ACK.
Fourth: the client acknowledges with ACK and enters TIME_WAIT; the server moves to CLOSED.
If both sides initiate closure simultaneously, the sequence interleaves, but the total number of packets remains four.
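The three‑way handshake steps and the four‑way termination above (including the simultaneous close) can be walked through with a small endpoint state machine. This is an added example, not code from the article or from any real TCP stack: it models only the SYN/ACK/FIN flags and the sequence/acknowledgment bookkeeping (a SYN or FIN consumes one sequence number, so the peer's ack is Seq + 1), with no data, retransmission or timers. The state names follow the article; `Endpoint`, `Segment` and the helper functions are names chosen for this example.

```python
import random
from dataclasses import dataclass

MASK = 0xFFFFFFFF  # sequence numbers are 32 bits and wrap around


@dataclass
class Segment:
    seq: int = 0
    ack_num: int = 0
    syn: bool = False
    ack: bool = False
    fin: bool = False

    def flags(self):
        return "+".join(n for n, on in (("SYN", self.syn), ("ACK", self.ack), ("FIN", self.fin)) if on)


class Endpoint:
    def __init__(self, name):
        self.name = name
        self.state = "CLOSED"
        self.snd_nxt = 0  # next sequence number we will send
        self.rcv_nxt = 0  # next sequence number we expect from the peer

    def listen(self):
        self.state = "LISTEN"

    def connect(self):
        """First handshake: SYN with random ISN J; the SYN itself consumes one sequence number."""
        isn = random.getrandbits(32)
        self.snd_nxt = (isn + 1) & MASK
        self.state = "SYN_SENT"
        return Segment(seq=isn, syn=True)

    def close(self):
        """Active close (ESTABLISHED -> FIN_WAIT_1) or passive close (CLOSE_WAIT -> LAST_ACK)."""
        self.state = {"ESTABLISHED": "FIN_WAIT_1", "CLOSE_WAIT": "LAST_ACK"}[self.state]
        seg = Segment(seq=self.snd_nxt, ack_num=self.rcv_nxt, ack=True, fin=True)
        self.snd_nxt = (self.snd_nxt + 1) & MASK  # the FIN consumes a sequence number too
        return seg

    def _ack(self):
        return Segment(seq=self.snd_nxt, ack_num=self.rcv_nxt, ack=True)

    def receive(self, seg):
        """Apply an incoming segment; return the reply segment, or None if nothing is sent."""
        acks_all = seg.ack and seg.ack_num == self.snd_nxt  # peer acknowledged everything we sent
        if self.state == "LISTEN" and seg.syn and not seg.ack:
            # Second handshake: SYN+ACK carrying ack = J+1 and our own ISN K.
            self.rcv_nxt = (seg.seq + 1) & MASK
            isn = random.getrandbits(32)
            self.snd_nxt = (isn + 1) & MASK
            self.state = "SYN_RCVD"
            return Segment(seq=isn, ack_num=self.rcv_nxt, syn=True, ack=True)
        if self.state == "SYN_SENT" and seg.syn and acks_all:
            # Third handshake: ack = K+1; a SYN+ACK that does not ack our ISN is rejected below.
            self.rcv_nxt = (seg.seq + 1) & MASK
            self.state = "ESTABLISHED"
            return self._ack()
        if self.state == "SYN_RCVD" and acks_all and not seg.syn:
            self.state = "ESTABLISHED"
            return None
        if self.state == "ESTABLISHED" and seg.fin:
            # Passive close: ack the FIN now, send our own FIN only when the application closes.
            self.rcv_nxt = (seg.seq + 1) & MASK
            self.state = "CLOSE_WAIT"
            return self._ack()
        if self.state == "FIN_WAIT_1" and seg.fin:
            # Simultaneous close: both FINs crossed on the wire.
            self.rcv_nxt = (seg.seq + 1) & MASK
            self.state = "CLOSING"
            return self._ack()
        if self.state == "FIN_WAIT_1" and acks_all:
            self.state = "FIN_WAIT_2"
            return None
        if self.state == "FIN_WAIT_2" and seg.fin:
            self.rcv_nxt = (seg.seq + 1) & MASK
            self.state = "TIME_WAIT"
            return self._ack()
        if self.state in ("CLOSING", "LAST_ACK") and acks_all:
            self.state = "TIME_WAIT" if self.state == "CLOSING" else "CLOSED"
            return None
        raise ValueError(f"{self.name}: unexpected {seg.flags()} in {self.state}")


def exchange(sender, receiver, seg, trace):
    """Deliver seg, then ping-pong replies until one side has nothing to send."""
    while seg is not None:
        trace.append((sender.name, seg.flags(), receiver.name))
        sender, receiver, seg = receiver, sender, receiver.receive(seg)


def handshake(client, server):
    trace = []
    server.listen()
    exchange(client, server, client.connect(), trace)  # SYN, SYN+ACK, ACK
    return trace


def four_way_close(client, server):
    trace = []
    exchange(client, server, client.close(), trace)  # FIN, ACK
    exchange(server, client, server.close(), trace)  # FIN, ACK
    return trace


def simultaneous_close(a, b):
    trace = []
    fin_a, fin_b = a.close(), b.close()  # both FINs are in flight at the same time
    trace.append((a.name, fin_a.flags(), b.name)); ack_b = b.receive(fin_a)
    trace.append((b.name, fin_b.flags(), a.name)); ack_a = a.receive(fin_b)
    exchange(b, a, ack_b, trace)
    exchange(a, b, ack_a, trace)
    return trace


if __name__ == "__main__":
    c, s = Endpoint("client"), Endpoint("server")
    for step in handshake(c, s) + four_way_close(c, s):
        print(step)
```

The trace printed by the `__main__` block is the article's seven segments in order: SYN, SYN+ACK, ACK, then FIN, ACK, FIN, ACK. The `acks_all` check is why the second handshake must echo J+1: a SYN+ACK that acknowledges the wrong number is rejected instead of establishing the connection, which is the property the three‑way handshake exists to provide.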
Interview Questions
What is the three‑way handshake and how does it work?
Why does establishing a TCP connection require three steps while terminating it requires four?
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.