This post is a reminder of how the TCP protocol establishes and drops/closes a connection. It will be useful when you try to understand tcpdump output or a capture in Wireshark.
First, everybody knows how a TCP connection starts, right: the 3-way handshake.
TCP options (an optional extension field) are announced during the 3-way handshake that establishes the TCP session. You can find more on these options at the link at the end of this post.
Typical TCP options in the header are: MSS, SACK, Window Scale, Timestamps.
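As an added example (not part of the original post), the Python code below decodes the flags and the options listed above from a raw TCP header, the same fields tcpdump and Wireshark display for a SYN segment. The names `parse_tcp_header` and `SAMPLE_SYN` and the sample bytes are constructed for illustration.

```python
import struct

# Option kinds as assigned in the TCP RFCs (RFC 9293, RFC 7323, RFC 2018).
KINDS = {2: "MSS", 3: "WindowScale", 4: "SACK-Permitted", 8: "Timestamps"}
FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def parse_tcp_header(raw: bytes) -> dict:
    """Decode flags and options from a raw TCP header (no IP header in front)."""
    if len(raw) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", raw[:16])
    hdr_len = (off_flags >> 12) * 4          # data offset counts 32-bit words
    if hdr_len < 20 or hdr_len > len(raw):
        raise ValueError("invalid data offset")
    flags = [name for bit, name in FLAGS if off_flags & bit]
    options, opts, i = {}, raw[20:hdr_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                        # End of Option List
            break
        if kind == 1:                        # NOP: one byte of padding, no length
            i += 1
            continue
        # Every other option is kind, length, value; reject lengths that overrun.
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        name = KINDS.get(kind, f"kind-{kind}")
        if kind == 2 and length == 4:
            options[name] = struct.unpack("!H", body)[0]
        elif kind == 3 and length == 3:
            options[name] = body[0]          # shift count
        elif kind == 4 and length == 2:
            options[name] = True
        elif kind == 8 and length == 10:
            options[name] = struct.unpack("!II", body)   # (TSval, TSecr)
        else:
            options[name] = body.hex()       # unknown or odd-sized option, kept raw
        i += length
    return {"sport": sport, "dport": dport, "flags": flags, "window": window, "options": options}

# Constructed sample: SYN from port 54321 to 443 carrying MSS 1460, SACK permitted,
# timestamps (TSval=1000, TSecr=0), one NOP and window scale 7.
SAMPLE_SYN = struct.pack("!HHIIHHHH", 54321, 443, 1, 0, (10 << 12) | 0x02, 64240, 0, 0) + bytes.fromhex(
    "020405b4" "0402" "080a000003e800000000" "01" "030307")

if __name__ == "__main__":
    print(parse_tcp_header(SAMPLE_SYN))
```

Options appear only on segments with the SYN flag set for MSS, SACK-Permitted and Window Scale, so a capture that starts mid-connection will not show what the two ends negotiated.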
The normal way to close a TCP connection is to use the TCP FIN flag.
The other way to close a TCP connection is to use the TCP RST flag.
It is used to refuse an incoming connection.
It is used to restart a connection.
The receiver of a RST segment should also consider the possibility that the application protocol client at the other end was abruptly terminated and did not have a chance to process the data that was sent to it.
Other important things to know are:
- You issue a SYN; if the server replies with RST, it means that the port is closed!
- You issue a SYN; if the server does not reply, or replies with an ICMP error, it means that the port is filtered. Likely an IDS / stateful firewall blocked your request.
Useful resource on the TCP protocol: