TCP basics

The post is a a reminder on how TCP protocol establishes and drops/closes a connection. It will be useful when you try to understand a tcpdump/capture in Wireshark.

First , everybody knows how a TCP connection starts, right: 3 way-handshake.

TCP options ( optional extension field ) are announced during the 3-way tcp sessions establishment. More on this options you can find on the link at the end of this post.
Typical TCP options in the header are: MSS,SACK,Window Scale, Timestamps.

The normal way to close a TCP connection would be using TCP FIN flag.

The another way to close a TCP connection us using the TCP RST flag.
It is used to refuse an incoming connection.
It is used to restart a connection.
The receiver of a RST segment should also consider the possibility that the application protocol client at the other end was abruptly terminated and did not have a chance to process the data that was sent to it.

Other important things to know are:

  • You issue a SYN, if the server replies RST : it means that the port is close !
  • You issue a SYN, if the server does not reply, or replies with ICMP error : it means that the port is filtered. Likely an IDS / statefull firewall block your request.

Useful resource on TCP protocol :

About the author

Mihai is a Network Aficionado with more than 10 years experience