Mastering TCP: Understanding States, Handshakes, and Common Issues

1. TCP States

Before understanding TCP, familiarize yourself with several Linux commands:

netstat -nat

– view the number of sockets in each TCP state.

lsof -i:port

– detect open sockets on a specific port.

sar -n SOCK

– show the number of TCP connections created.

tcpdump -iany tcp port 9000

– capture packets on TCP port 9000.

Common network‑testing commands include

ping

,

traceroute

,

pathping

,

mtr

, and

nslookup

.

TCP State Descriptions

LISTENING – the server socket is waiting for incoming connection requests.

SYN‑SENT – the client has sent a SYN packet and is awaiting a matching response.

The socket is actively attempting to establish a connection.

SYN‑RECEIVED – the server has received a SYN, sent a SYN‑ACK, and is waiting for the final ACK.

Many SYN‑RECEIVED entries often indicate a SYN‑Flood (DoS) attack.

ESTABLISHED – data transfer is occurring; both ends have completed the three‑way handshake.

FIN‑WAIT‑1 – the active closer has sent a FIN and is awaiting an ACK.

FIN‑WAIT‑2 – the active closer has received the ACK for its FIN and is waiting for the remote FIN.

Connection is closed, and the socket is waiting for a shutdown from the remote end.

CLOSE‑WAIT – the passive closer has received a FIN and sent an ACK, waiting for the application to close.

CLOSING – both sides have sent FINs and are awaiting the final ACK.

Both sockets are shut down but we still don’t have all our data sent.

LAST‑ACK – the passive closer has sent its FIN and is waiting for the final ACK.

The remote end has shut down, and the socket is closed. Waiting for acknowledgement.

TIME‑WAIT – the active closer waits long enough to ensure the remote side received the final ACK.

The socket is waiting after close to handle packets still in the network.

CLOSED – no connection state; the socket is free for reuse.

The socket is not being used.

2. TCP State Transition Diagram

The diagram shows separate client and server state machines and how they interrelate during connection establishment and termination.

3. Three‑Way Handshake

1) First handshake : the client calls

connect

, the OS assigns a random local port, and sends a SYN packet.

2) Second handshake : the server replies with SYN‑ACK, entering SYN‑RECEIVED .

3) Third handshake : the client acknowledges with ACK, and both sides move to ESTABLISHED .

Example capture (using

tcpdump

on port 9502):

<code>14:12:45.104687 IP localhost.39870 > localhost.9502: Flags [S], seq 2927179378
14:12:45.104701 IP localhost.9502 > localhost.39870: Flags [S.], seq 1721825043, ack 2927179379
14:12:45.104711 IP localhost.39870 > localhost.9502: Flags [.], ack 1</code>

4. Four‑Way Termination

1) The active closer sends FIN (entering FIN‑WAIT‑1 ).

2) The passive side ACKs the FIN (entering CLOSE‑WAIT ).

3) The passive side sends its own FIN (entering LAST‑ACK ).

4) The active side ACKs the second FIN and moves to TIME‑WAIT , eventually reaching CLOSED .

5. Simultaneous Open and Close

When both ends issue an active open, each sends a SYN; the resulting exchange requires four packets before a connection is established. Most BSD‑derived TCP/IP stacks do not support this scenario.

Simultaneous close occurs when both sides send FIN at the same time, leading to a transition through FIN‑WAIT‑1 , CLOSING , and finally TIME‑WAIT .

7. TCP FLAGS

The TCP header contains a FLAGS field with the following bits:

SYN – initiate a connection.

FIN – terminate a connection.

ACK – acknowledge received data.

PSH – push data to the receiving application.

RST – reset the connection.

Combinations such as SYN+ACK indicate a response to a connection request, while SYN+FIN never occur together because they represent opposite actions.

8. Handling Unexpected Disconnects

If a peer crashes or the network drops, the other side may remain in a half‑open state, causing

recv

or

send

to block indefinitely. Solutions include implementing a heartbeat (application‑level keepalive) or enabling the kernel’s TCP keepalive feature.

Typical keepalive configuration (in

/etc/sysctl.conf

):

<code>net.ipv4.tcp_keepalive_intvl = 20
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_time = 60</code>

9. Common Linux errno Values

22 – Invalid argument (e.g., malformed IP address).

101 – Network unreachable.

111 – Connection refused.

115 – Operation now in progress (non‑blocking socket).

Source: https://blog.csdn.net/hguisu/article/details/38700899