
Why Does TCP Need a Three‑Way Handshake? A Real‑World Analogy Explained

Using a quirky long-distance video-chat scenario, the article illustrates how TCP’s three-way handshake and four-way termination work, explains the purpose of each packet exchange, details TCP header fields, and even covers SYN-flood attacks, turning everyday communication glitches into networking fundamentals.

Efficient Ops

Background

In a long-distance relationship, the couple tries to maintain daily video calls, but network glitches cause audio/video freeze, leading to repeated “Can you hear me?” confirmations.

Problem

Frequent network interruptions make it hard to quickly verify that both parties can hear each other.

Solution

Why TCP uses a three-way handshake

TCP (Transmission Control Protocol) is a reliable transport-layer protocol (IP protocol number 6). The three-way handshake ensures both ends agree on initial sequence numbers and that the connection is ready for data transfer. Two messages would not be enough: after SYN and SYN-ACK the client knows its sequence number was received, but the server has no proof that its own SYN-ACK, and so its initial sequence number, ever arrived. The third segment closes that loop, and it also lets the server discard stale or duplicate SYNs that are never followed by a matching ACK.

Analogy: a phone call where each side asks “Can you hear me?” until confirmation is received.

Proposed simple protocol: one side sends a “1+1=?” query; the other replies “2, 2+2=?” etc., confirming audio reception.

Three-Way Handshake Steps

Client sends SYN with initial sequence number J and enters SYN_SENT (the server is in LISTEN).

Server replies with SYN-ACK, acknowledging J+1 (the SYN itself consumes one sequence number) and choosing its own initial sequence number K; it enters SYN_RCVD.

Client sends ACK acknowledging K+1 and enters ESTABLISHED; the server enters ESTABLISHED when this ACK arrives. Until then its entry is "half-open".

Four-Way Termination

Client sends FIN, entering FIN_WAIT_1.

Server acknowledges the FIN (ACK), entering CLOSE_WAIT; on receiving this ACK the client moves to FIN_WAIT_2. The server may still send data in CLOSE_WAIT, which is why the two directions are closed separately and termination needs four segments.

Server sends its own FIN, entering LAST_ACK.

Client acknowledges the server's FIN, entering TIME_WAIT. The server closes as soon as that ACK arrives; the client waits 2*MSL in TIME_WAIT before closing, so that delayed segments from this connection cannot be mistaken for a new one.
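The two procedures above, walked through as an added worked example (this is not code from the original article): a minimal Python model of two TCP endpoints that exchanges the three handshake segments and the four termination segments, checking the seq/ack arithmetic at each step. State names follow RFC 793; the Endpoint class, its method names and the initial sequence numbers J=1000 and K=5000 are this example's own choices. Real stacks set the ACK flag on the FIN segments, so the model does too.

```python
# Added example, not from the original article: two TCP endpoints modelled as state
# machines. State names and seq/ack rules follow RFC 793; class/method names and the
# ISNs (J=1000, K=5000) are assumptions made for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    seq: int
    ack: int
    flags: frozenset


@dataclass
class Endpoint:
    name: str
    isn: int                 # initial sequence number chosen by this side
    state: str = "CLOSED"
    snd_nxt: int = 0         # next sequence number this side will send
    rcv_nxt: int = 0         # next sequence number expected from the peer

    def _send(self, flags, ack=0):
        seg = Segment(self.name, self.snd_nxt, ack, frozenset(flags))
        if "SYN" in flags or "FIN" in flags:
            self.snd_nxt += 1          # SYN and FIN each consume one sequence number
        return seg

    def listen(self):
        self.state = "LISTEN"

    def connect(self):                 # active open: handshake step 1
        self.snd_nxt = self.isn
        self.state = "SYN_SENT"
        return self._send({"SYN"})

    def close(self):                   # active close (from ESTABLISHED) or passive (from CLOSE_WAIT)
        if self.state == "ESTABLISHED":
            self.state = "FIN_WAIT_1"
        elif self.state == "CLOSE_WAIT":
            self.state = "LAST_ACK"
        else:
            raise ValueError(f"{self.name}: cannot close from {self.state}")
        return self._send({"FIN", "ACK"}, ack=self.rcv_nxt)

    def _check_ack(self, seg):
        if seg.ack != self.snd_nxt:
            raise ValueError(f"{self.name}: expected ack {self.snd_nxt}, got {seg.ack}")

    def receive(self, seg):
        """Apply one incoming segment; return the reply segment, or None."""
        f = seg.flags
        if self.state == "LISTEN" and f == {"SYN"}:
            self.rcv_nxt = seg.seq + 1           # J + 1
            self.snd_nxt = self.isn              # K
            self.state = "SYN_RCVD"
            return self._send({"SYN", "ACK"}, ack=self.rcv_nxt)
        if self.state == "SYN_SENT" and f == {"SYN", "ACK"}:
            self._check_ack(seg)                 # our SYN (J) was acknowledged
            self.rcv_nxt = seg.seq + 1           # K + 1
            self.state = "ESTABLISHED"
            return self._send({"ACK"}, ack=self.rcv_nxt)
        if self.state == "SYN_RCVD" and f == {"ACK"}:
            self._check_ack(seg)                 # third segment: our SYN (K) is acknowledged
            self.state = "ESTABLISHED"
            return None
        if self.state == "ESTABLISHED" and "FIN" in f:
            self.rcv_nxt = seg.seq + 1
            self.state = "CLOSE_WAIT"            # peer is done sending; we may still send
            return self._send({"ACK"}, ack=self.rcv_nxt)
        if self.state == "FIN_WAIT_1" and f == {"ACK"}:
            self._check_ack(seg)
            self.state = "FIN_WAIT_2"
            return None
        if self.state == "FIN_WAIT_2" and "FIN" in f:
            self.rcv_nxt = seg.seq + 1
            self.state = "TIME_WAIT"             # lingers 2*MSL before CLOSED
            return self._send({"ACK"}, ack=self.rcv_nxt)
        if self.state == "LAST_ACK" and f == {"ACK"}:
            self._check_ack(seg)
            self.state = "CLOSED"
            return None
        raise ValueError(f"{self.name}: unexpected {sorted(f)} in state {self.state}")


def run_session(client_isn=1000, server_isn=5000):
    """One connection lifetime: 3 handshake segments, then 4 teardown segments with
    the client closing first. Returns the wire trace and both final states."""
    client, server = Endpoint("client", client_isn), Endpoint("server", server_isn)
    server.listen()
    trace = []

    def deliver(seg, receiver):
        trace.append((seg.src, "+".join(sorted(seg.flags)), seg.seq, seg.ack))
        return receiver.receive(seg)

    syn_ack = deliver(client.connect(), server)
    ack = deliver(syn_ack, client)
    deliver(ack, server)                         # server reaches ESTABLISHED only here
    ack1 = deliver(client.close(), server)
    deliver(ack1, client)                        # client: FIN_WAIT_1 -> FIN_WAIT_2
    ack2 = deliver(server.close(), client)
    deliver(ack2, server)                        # server: LAST_ACK -> CLOSED
    return trace, client.state, server.state


def states_after_two_segments(client_isn=1000, server_isn=5000):
    """Stop after SYN and SYN-ACK: the client is ESTABLISHED, but the server still
    holds a half-open SYN_RCVD entry because its own ISN K is not yet acknowledged."""
    client, server = Endpoint("client", client_isn), Endpoint("server", server_isn)
    server.listen()
    client.receive(server.receive(client.connect()))
    return client.state, server.state


if __name__ == "__main__":
    for entry in run_session()[0]:
        print("%-6s %-8s seq=%d ack=%d" % entry)
```

Running it prints the seven segments in order; states_after_two_segments() shows the asymmetry behind the interview question at the end of the article: after only two segments the server is still in SYN_RCVD, which is exactly the half-open state a SYN flood abuses.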

TCP Header Fields

Seq: 32-bit sequence number.

Ack: 32-bit acknowledgment number (valid when ACK flag is set).

Flags: URG, ACK, PSH, RST, SYN, FIN (the six control bits defined in RFC 793; RFC 3168 later added CWR and ECE for explicit congestion notification in the two adjacent reserved bits).
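The header fields listed above, as an added worked example that is not code from the original article: a small Python packer and parser for the fixed 20-byte TCP header, decoding the flag bits and treating the acknowledgment number as meaningful only when ACK is set. The sample SYN and SYN-ACK segments (ports 40000 and 443, sequence numbers 1000 and 5000, an MSS option of 1460) are constructed here for illustration.

```python
# Added example, not from the original article: pack and decode the RFC 793 TCP
# header. The sample segments (ports, ISNs, MSS option) are constructed values.
import struct

# Wire layout: src port, dst port, seq, ack, data offset/reserved, flags, window,
# checksum, urgent pointer. "!" selects network byte order (big-endian).
TCP_HDR = struct.Struct("!HHIIBBHHH")

FLAG_BITS = {"CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
             "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


def build_header(src_port, dst_port, seq, ack, flags, window=65535, options=b""):
    """Return header bytes; options must already be padded to a 32-bit boundary.
    Checksum is left 0 here: it covers the IP pseudo-header and payload too."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    data_offset = 5 + len(options) // 4           # header length in 32-bit words
    flag_byte = 0
    for name in flags:
        flag_byte |= FLAG_BITS[name]
    fixed = TCP_HDR.pack(src_port, dst_port, seq & 0xFFFFFFFF, ack & 0xFFFFFFFF,
                         data_offset << 4, flag_byte, window, 0, 0)
    return fixed + options


def parse_options(raw):
    """Decode the kind/length option list: EOL (0) ends it, NOP (1) has no length."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = raw[i + 1]
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def parse_header(data):
    """Decode a TCP segment into the fields the article discusses."""
    if len(data) < TCP_HDR.size:
        raise ValueError("truncated TCP header")
    (src, dst, seq, ack, off_res, flag_byte,
     window, checksum, urg_ptr) = TCP_HDR.unpack_from(data)
    header_len = (off_res >> 4) * 4
    if header_len < 20 or header_len > len(data):
        raise ValueError("bad data offset %d" % (off_res >> 4))
    flags = sorted(n for n, bit in FLAG_BITS.items() if flag_byte & bit)
    return {
        "src_port": src, "dst_port": dst, "seq": seq,
        # The ack field is only meaningful when the ACK flag is set (RFC 793).
        "ack": ack if "ACK" in flags else None,
        "flags": flags, "header_len": header_len, "window": window,
        "options": parse_options(data[20:header_len]),
        "payload": data[header_len:],
    }


# Constructed sample: a client SYN carrying an MSS option (kind 2, length 4, 1460),
# and the server's SYN-ACK acknowledging J+1.
MSS_1460 = b"\x02\x04\x05\xb4"
SYN = build_header(40000, 443, 1000, 0, {"SYN"}, options=MSS_1460)
SYN_ACK = build_header(443, 40000, 5000, 1001, {"SYN", "ACK"})

if __name__ == "__main__":
    print(parse_header(SYN))
    print(parse_header(SYN_ACK + b"hello"))
```

The data-offset check matters when parsing captured traffic: a crafted header with an offset below 5 or beyond the segment length is malformed and should be rejected rather than used to slice the payload.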

SYN Flood Attack

Attackers send a flood of SYN packets with spoofed source IPs. The server answers each with a SYN-ACK and allocates a half-open entry (SYN_RCVD), but the spoofed addresses never reply with the third ACK, so every entry sits in the backlog until it times out. Once the backlog is full, legitimate SYNs are dropped: denial of service without ever completing a single connection.

Detection: a large number of half-open connections, mostly from different (often random) source IPs that never complete the handshake. A quick check is

netstat -nap | grep SYN_RECV

or, on modern Linux, ss -tn state syn-recv.

Mitigation is a separate step from detection. Common measures are SYN cookies (net.ipv4.tcp_syncookies=1), which encode the connection state in the server's initial sequence number so no backlog entry is held until the third ACK arrives; a larger backlog (net.ipv4.tcp_max_syn_backlog); fewer SYN-ACK retransmissions (net.ipv4.tcp_synack_retries) so half-open entries expire sooner; and upstream rate limiting or filtering of SYNs.
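The netstat check above, turned into a small detector as an added worked example (not code from the original article): it parses netstat -nap style output, groups SYN_RECV rows by local port, and flags a port when many half-open entries come from almost all different sources. The netstat output is constructed here using documentation address ranges (198.51.100.0/24, 203.0.113.0/24), and the thresholds are illustrative, not Linux defaults.

```python
# Added example, not from the original article: SYN-flood detection over netstat
# output. The sample output and the thresholds are constructed for this example.
from collections import defaultdict


def make_sample_netstat(spoofed=40):
    """Constructed netstat -nap output: one real client on :443, one ordinary half-open
    connection on :22, and many half-open :443 entries from distinct spoofed sources."""
    fmt = "tcp        0      0 {local:<23}{remote:<23}{state:<12}{pid}"
    lines = ["Active Internet connections (servers and established)",
             "Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name",
             fmt.format(local="0.0.0.0:443", remote="0.0.0.0:*", state="LISTEN", pid="1234/nginx"),
             fmt.format(local="10.0.0.5:443", remote="203.0.113.7:52211", state="ESTABLISHED", pid="1234/nginx"),
             fmt.format(local="10.0.0.5:22", remote="203.0.113.9:40101", state="SYN_RECV", pid="-")]
    for i in range(spoofed):
        lines.append(fmt.format(local="10.0.0.5:443", remote="198.51.100.%d:%d" % (i + 1, 1024 + i),
                                state="SYN_RECV", pid="-"))
    return "\n".join(lines) + "\n"


def half_open_by_port(netstat_text):
    """Group SYN_RECV rows by local port -> list of remote IPs (one entry per row)."""
    groups = defaultdict(list)
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6") or parts[5] != "SYN_RECV":
            continue
        local, remote = parts[3], parts[4]
        port = local.rsplit(":", 1)[1]          # rsplit keeps IPv6 addresses intact
        remote_ip = remote.rsplit(":", 1)[0]
        groups[port].append(remote_ip)
    return groups


def detect_syn_flood(netstat_text, min_half_open=20, min_distinct_ratio=0.8):
    """Flag a port when many half-open entries come from (almost) all different sources.
    A handful of SYN_RECV rows is normal; many from a single IP points at one slow client
    or scanner; many from many IPs that never finish the handshake is the flood signature."""
    report = {}
    for port, ips in half_open_by_port(netstat_text).items():
        distinct = len(set(ips))
        ratio = distinct / len(ips)
        report[port] = {
            "half_open": len(ips),
            "distinct_sources": distinct,
            "suspicious": len(ips) >= min_half_open and ratio >= min_distinct_ratio,
        }
    return report


if __name__ == "__main__":
    for port, info in detect_syn_flood(make_sample_netstat()).items():
        print(port, info)
```

In practice feed it the real command output (netstat -nap or ss -tn state syn-recv, adjusting the column handling for ss) and tune min_half_open to the backlog size of the service; a count that stays near the backlog limit while the distinct-source ratio is high is the condition under which enabling SYN cookies pays off.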

Interview Questions

Explain the three-way handshake and four-way termination.

Why does connection establishment require three steps while termination needs four?

Three-way handshake diagram
Four-way termination diagram
Original article sourced from the “Python运维圈” public account.
Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
