Understanding TCP Protocol: Header Fields, Three‑Way Handshake, and Four‑Way Teardown

This article explains the TCP protocol’s header structure, the purpose of each field, how the three‑way handshake establishes a reliable connection, why three steps are needed, and the four‑step process used to gracefully close a TCP session, including verification with Wireshark.

Architecture Digest

TCP (Transmission Control Protocol) is a connection‑oriented, reliable data transport protocol that ensures ordered delivery and integrity of bytes through sequence numbers, acknowledgments, and checksums.

Header fields

Source Port: 16‑bit port number of the sending application.

Destination Port: 16‑bit port number of the receiving application.

Sequence Number: 32‑bit number indicating the first byte of data in the segment; during the SYN handshake it carries the Initial Sequence Number (ISN).

Acknowledgment Number: 32‑bit number indicating the next expected byte from the peer.

Data Offset: 4‑bit field that specifies the size of the TCP header.

Reserved: 4‑bit field, must be zero.

Flags: CWR, ECE, URG, ACK, PSH, RST, SYN, FIN – each controlling specific connection behavior.

Window Size: 16‑bit field used for flow control.

Checksum: 16‑bit field covering a pseudo‑header, the TCP header and data.

Urgent Pointer: 16‑bit field valid only when URG is set.

Options: variable‑length field, length must be a multiple of 32 bits.

Three‑way handshake (connection establishment)

Client sends SYN with sequence number x (state SYN_SENT).

Server replies with SYN + ACK, sequence y, acknowledgment x+1 (state SYN_RECV).

Client sends ACK with sequence x+1, acknowledgment y+1 (connection established).

Wireshark can be used to capture and verify the three‑way handshake.
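
The header layout and the x/y arithmetic above can also be checked in code. The following is an added example, not code from the original article: it parses the fixed 20-byte header plus options and validates the three segments of a handshake, including the case where x+1 wraps around the 32-bit sequence space. The names `TCPHeader`, `parse_tcp_header`, `is_three_way_handshake` and `build`, and the sample segments, are constructed for illustration.

```python
import struct
from typing import NamedTuple

FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")  # bit 0 .. bit 7

class TCPHeader(NamedTuple):
    src_port: int
    dst_port: int
    seq: int
    ack: int
    header_len: int      # Data Offset converted from 32-bit words to bytes
    flags: frozenset
    window: int
    checksum: int
    urgent: int
    options: bytes

def parse_tcp_header(segment: bytes) -> TCPHeader:
    if len(segment) < 20:
        raise ValueError("truncated: the fixed TCP header is 20 bytes")
    sport, dport, seq, ack, off_res, bits, win, csum, urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    header_len = (off_res >> 4) * 4
    if not 20 <= header_len <= len(segment):
        raise ValueError(f"invalid Data Offset ({header_len} bytes)")
    flags = frozenset(n for i, n in enumerate(FLAG_NAMES) if bits & (1 << i))
    return TCPHeader(sport, dport, seq, ack, header_len, flags, win, csum, urg,
                     segment[20:header_len])

def is_three_way_handshake(syn, synack, ack) -> bool:
    nxt = lambda n: (n + 1) & 0xFFFFFFFF          # sequence space wraps at 2**32
    core = lambda h: h.flags & {"SYN", "ACK", "FIN", "RST"}  # ignore ECN/PSH/URG
    reply = lambda a, b: (a.src_port, a.dst_port) == (b.dst_port, b.src_port)
    return (core(syn) == {"SYN"} and core(synack) == {"SYN", "ACK"}
            and core(ack) == {"ACK"} and reply(synack, syn) and reply(ack, synack)
            and synack.ack == nxt(syn.seq)        # server acknowledges x+1
            and ack.seq == nxt(syn.seq)           # client continues at x+1
            and ack.ack == nxt(synack.seq))       # client acknowledges y+1

def build(sport, dport, seq, ack, bits, options=b""):
    # Constructed sample segment; checksum is left 0 and not verified here.
    words = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, words << 4, bits,
                       65535, 0, 0) + options

MSS = bytes.fromhex("020405b4")                   # constructed MSS option (1460)
X, Y = 0xFFFFFFFF, 1000                           # constructed ISNs; x+1 wraps to 0
SYN = parse_tcp_header(build(50000, 80, X, 0, 0x02, MSS))
SYNACK = parse_tcp_header(build(80, 50000, Y, 0, 0x12, MSS))
ACK = parse_tcp_header(build(50000, 80, 0, Y + 1, 0x10))
```

A segment whose Data Offset is below five words or points past the captured bytes is rejected rather than parsed, which is the check a capture-processing tool needs before trusting the options field.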

Why three handshakes?

They provide information symmetry (each side confirms its ability to send and receive) and prevent “half‑open” or “dirty” connections caused by timeouts.

Four‑way handshake (connection termination)

Side A sends FIN (seq u), enters FIN_WAIT_1.

Side B acknowledges with ACK (seq v, ack u+1), enters CLOSE_WAIT.

A receives ACK, moves to FIN_WAIT_2, waits for B’s FIN.

B sends FIN + ACK (seq w, ack u+1), enters LAST_ACK.

A acknowledges with ACK (seq u+1, ack w+1), enters TIME_WAIT.

After 2 MSL, A closes; B closes after receiving the final ACK.

The TIME_WAIT state ensures delayed packets do not interfere with new connections and allows the passive side to reach CLOSED safely.

The CLOSE_WAIT state indicates the passive side has received a FIN and is waiting for the application to close.

正在 Ping www.a.shifen.com [183.232.231.174] 具有 32 字节的数据:
来自 183.232.231.174 的回复: 字节=32 时间=16ms TTL=54
来自 183.232.231.174 的回复: 字节=32 时间=16ms TTL=54
来自 183.232.231.174 的回复: 字节=32 时间=16ms TTL=54

Ping 统计信息:
    数据包: 已发送 = 3,已接收 = 3,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
    最短 = 16ms,最长 = 16ms,平均 = 16ms

Wireshark display filter for TCP traffic to or from that address:

(ip.src_host == "183.232.231.174" or ip.dst_host == "183.232.231.174") and tcp