A comprehensive, interactive lesson covering TCP architecture, header anatomy, connection management, flow control, and network administrator skills.
1 · What is TCP?
TCP (Transmission Control Protocol) is a connection-oriented, reliable transport-layer protocol originally defined in RFC 793 (1981); RFC 9293 (2022) consolidates that specification with its later updates and obsoletes RFC 793.
TCP requires a logical connection to be established between endpoints before any data transfer begins, via the three-way handshake (SYN → SYN-ACK → ACK).
Received data is acknowledged cumulatively (one ACK can cover several segments), and data that is not acknowledged in time is retransmitted. Sequence numbers let the receiver reassemble segments in order and detect lost or duplicate data.
The receiver advertises a window size telling the sender how many more bytes it can buffer, so the sender never overruns the receiver's buffer (flow control).
TCP dynamically adjusts the sending rate using algorithms like CUBIC, BBR, and Reno to avoid overwhelming intermediate network devices.
Data can flow in both directions simultaneously. Each direction has its own sequence number space and acknowledgment mechanism.
TCP treats data as a continuous byte stream, not as individual messages. Application message boundaries are not preserved; the application must frame (delimit) its own messages.
| Characteristic | TCP Behavior | Relevance |
|---|---|---|
| Protocol Number | IP Protocol 6 | Identifies TCP within IP packets |
| Connection Setup | 3-Way Handshake (SYN, SYN-ACK, ACK) | Adds ~1 RTT before data transfer |
| Teardown | 4-Way Handshake (FIN, ACK, FIN, ACK) or RST | Graceful vs abrupt close |
| Header Size | 20 bytes minimum, up to 60 bytes with options | More overhead than UDP (8 bytes) |
| Sequencing | 32-bit sequence & acknowledgment numbers | Order and reliability assurance |
| Error Detection | 16-bit checksum (header + data + pseudo-header) | Detects corruption in transit |
| Window Size | 16-bit field (up to 65,535 bytes; scaled with options) | Enables flow control |
| Common Ports | HTTP:80, HTTPS:443, SSH:22, FTP:21, SMTP:25 | Port-based multiplexing |
| MSS | Maximum Segment Size negotiated in SYN options | Avoids IP fragmentation |
| TIME_WAIT | 2 × MSL (typically 60–240 s) on the side that closes first | Prevents stale segments from being accepted by a new connection on the same 4-tuple |
Most web requests use TCP: HTTP/1.1 uses persistent connections and HTTP/2 multiplexes streams over a single TCP connection. HTTP/3 is the exception; it runs over QUIC on UDP.
The major email protocols (SMTP, IMAP, POP3) run over TCP, which carries each message between mail servers and clients as a reliably delivered byte stream.
TCP delivers remote shell (SSH) input in order, which matters when a sequence of commands performs configuration changes.
File transfers rely on TCP's reliability and ordering; a single corrupted or misplaced byte in a transferred database file could be catastrophic. TCP's 16-bit checksum only catches accidental corruption, so integrity against deliberate tampering has to come from TLS or an application-level hash.
Database queries and transactions require ordered, reliable delivery. Most RDBMS clients use TCP natively.
Many VPN implementations encapsulate tunneled traffic over TCP for firewall traversal, though UDP is often preferred for performance.
Network administrators use Wireshark to capture, dissect, and troubleshoot TCP sessions. Key display filters include:
`tcp.flags.syn == 1` – segments with the SYN flag set (SYN and SYN-ACK)
`tcp.flags.reset == 1` – RST segments (abrupt or abnormal closes)
`tcp.analysis.retransmission` – retransmissions identified by Wireshark's TCP analysis
`tcp.stream eq 0` – only the first TCP stream in the capture
`tcp.port == 443` – HTTPS traffic
The "Follow TCP Stream" feature reconstructs the raw byte stream in each direction for deeper analysis of application data.
Stateful firewalls track TCP connection state. Admins must understand:
• Established sessions: return traffic is allowed without an explicit inbound rule once the firewall has seen the outbound handshake
• SYN floods: a DoS attack that exhausts the listener's backlog with half-open connections (SYN_RCVD state)
• RST injection attacks: forged TCP resets that tear down legitimate sessions
• Port-based ACLs: rules that match on source/destination port and TCP flags
• TCP state inspection: only packets consistent with a known connection state are permitted (a bare ACK with no matching session is dropped)
Linux admins tune TCP kernel parameters with sysctl for high-throughput networks (Windows exposes the equivalents through `netsh interface tcp` and `Set-NetTCPSetting`):
`net.core.rmem_max` – maximum receive socket buffer an application may request; autotuning is governed by `net.ipv4.tcp_rmem`
`net.ipv4.tcp_window_scaling` – enable the Window Scale option (on by default; never disable it on links whose BDP exceeds 64 KiB)
`net.ipv4.tcp_congestion_control` – algorithm: cubic, bbr, reno
`net.ipv4.tcp_tw_reuse` – allow TIME_WAIT sockets to be reused for new outgoing connections
`net.ipv4.tcp_max_syn_backlog` – queue size for half-open connections
`net.ipv4.tcp_syncookies` – send SYN cookies when that queue overflows
For high-bandwidth, long-delay links (BDP = Bandwidth × RTT), the window must be at least the BDP to keep the "pipe" full. With an unscaled 65,535-byte window a sender can move at most 65,535 bytes per RTT, which on a 100 ms path caps throughput at about 5 Mbit/s regardless of link speed.
SYN Flood: the attacker sends many SYN segments, usually from spoofed source addresses, so the server fills its backlog with SYN_RCVD entries that never complete. Mitigation: SYN cookies (the server encodes the connection parameters in its ISN instead of storing state), rate limiting, and a larger backlog.
Session Hijacking: an attacker who can predict the sequence numbers in use injects segments into an established session. Random ISNs (RFC 6528) and the requirement that injected data land inside the receive window make blind injection hard; an on-path attacker who sees the traffic is not hindered, which is why sessions need TLS or SSH on top.
RST Attack: injecting forged RST segments to terminate legitimate connections (used in censorship and DoS). The RST must fall inside the receive window; RFC 5961 challenge ACKs narrow this further by requiring an exact sequence-number match.
Land Attack: a SYN whose source IP and port equal the destination IP and port, which confused older stacks into replying to themselves.
Teardrop Attack: overlapping IP fragments that crash vulnerable stacks on reassembly (an IP-layer attack rather than a TCP one; TCP itself avoids fragmentation via the MSS).
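The SYN-cookie mitigation named above, as an added example (not the lesson's code, and a simplified form of what Linux does): instead of storing a SYN_RCVD entry, the server encodes a coarse timestamp, an MSS index and a keyed MAC over the 4-tuple into its ISN. When the third handshake segment arrives, the server verifies the MAC and the age from the ACK number alone and recovers the MSS, so a flood of SYNs that never complete costs it no memory. The layout (5-bit minute counter, 3-bit MSS index, 24-bit HMAC-SHA256 tag), the secret and the addresses are this example's own assumptions.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-per-boot-secret"   # assumption: a real stack uses random per-boot keys
MSS_TABLE = [536, 1300, 1440, 1460]        # the only MSS values a 3-bit index can carry


def _tag(secret, saddr, sport, daddr, dport, t):
    """24-bit HMAC-SHA256 tag over the connection 4-tuple and the time slot."""
    msg = (saddr.encode() + struct.pack("!H", sport) +
           daddr.encode() + struct.pack("!H", dport) + struct.pack("!I", t))
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, sport, daddr, dport, client_isn, mss, now_minutes, secret=SECRET):
    """Server ISN to put in the SYN-ACK: client_isn + (t:5 | mss_idx:3 | tag:24), mod 2^32.
    Adding client_isn ties the cookie to the client's own sequence number."""
    t = now_minutes & 0x1F
    mss_idx = max(i for i, m in enumerate(MSS_TABLE) if m <= mss)   # round down to a table entry
    raw = (t << 27) | (mss_idx << 24) | _tag(secret, saddr, sport, daddr, dport, t)
    return (client_isn + raw) & 0xFFFFFFFF


def check_syn_cookie(saddr, sport, daddr, dport, seq, ack, now_minutes, secret=SECRET):
    """Validate the handshake's final ACK (seq = client_isn + 1, ack = cookie + 1).
    Returns the MSS to use, or None if the cookie is forged, stale or for another 4-tuple."""
    client_isn = (seq - 1) & 0xFFFFFFFF
    raw = ((ack - 1) - client_isn) & 0xFFFFFFFF
    t, mss_idx, tag = raw >> 27, (raw >> 24) & 0x7, raw & 0xFFFFFF
    # Accept the current and the previous minute only (the 5-bit counter wraps every 32 minutes,
    # which is why real stacks use a larger counter).
    if (now_minutes - t) & 0x1F > 1:
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _tag(secret, saddr, sport, daddr, dport, t)
    if not hmac.compare_digest(tag.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    four_tuple = ("198.51.100.23", 41222, "10.0.0.5", 80)   # constructed client and server
    cookie = make_syn_cookie(*four_tuple, client_isn=1000, mss=1460, now_minutes=7)
    print("SYN-ACK ISN (cookie):", cookie)
    print("fresh ACK  ->", check_syn_cookie(*four_tuple, seq=1001, ack=cookie + 1, now_minutes=7))
    print("stale ACK  ->", check_syn_cookie(*four_tuple, seq=1001, ack=cookie + 1, now_minutes=9))
    print("forged ACK ->", check_syn_cookie(*four_tuple, seq=1001, ack=cookie + 2, now_minutes=7))
```

The price of statelessness shows in the MSS table: only a handful of values survive the 3-bit encoding, and options such as window scaling and SACK that were carried in the SYN are lost unless the client echoes them via timestamps, which is why Linux only switches cookies on once the backlog actually overflows.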
`ss -tnp` – established (non-listening) TCP sockets, numeric, with the owning process; add `-a` for all states
`ss -tnlp` – listening TCP ports
`ss -t state established` – only ESTABLISHED connections
`ss -tanH state time-wait | wc -l` – count TIME_WAIT sockets (`-H` drops the header line; `netstat -an | grep -c TIME_WAIT` on older systems)
`ss -s` – socket summary statistics
`tcpdump -i eth0 tcp port 80` – capture HTTP TCP traffic
Monitoring TCP connection counts and states is critical for diagnosing server overload, SYN flood attacks, or application bugs causing connection leaks.
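A small monitor for the overload and SYN-flood signs mentioned above, added here as an example (it is not part of the lesson): it parses the output of `ss -tan`, counts sockets per state, and raises a flag when half-open (SYN-RECV) entries exceed a threshold and are spread thinly across many peer addresses, the pattern spoofed-source floods produce. The `ss` output and the 198.51.100.0/24 peers are constructed for the example.

```python
from collections import Counter

# Constructed `ss -tan` output: one listener, two ESTAB sockets, one TIME-WAIT socket and 40
# half-open sockets from 40 different source addresses, all aimed at port 80.
SAMPLE_SS_OUTPUT = (
    "State     Recv-Q Send-Q Local Address:Port  Peer Address:Port\n"
    "LISTEN    0      128    0.0.0.0:80          0.0.0.0:*\n"
    "ESTAB     0      0      10.0.0.5:80         203.0.113.7:50111\n"
    "ESTAB     0      0      10.0.0.5:22         203.0.113.8:50112\n"
    "TIME-WAIT 0      0      10.0.0.5:80         203.0.113.9:50222\n"
    + "".join("SYN-RECV  0      0      10.0.0.5:80         198.51.100.%d:%d\n" % (i, 40000 + i)
              for i in range(1, 41))
)


def parse_ss(output):
    """Parse `ss -tan` lines into dicts; the header line and anything malformed is skipped."""
    sockets = []
    for line in output.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        sockets.append({"state": state, "local": local, "peer": peer,
                        "peer_ip": peer.rsplit(":", 1)[0]})   # also works for [v6addr]:port
    return sockets


def state_counts(sockets):
    return Counter(s["state"] for s in sockets)


def syn_flood_indicators(sockets, max_half_open=20, max_per_peer=5):
    """Flag a SYN flood: too many half-open sockets, and (for the spoofed-source variant)
    no single peer responsible for more than a handful of them."""
    half_open = [s for s in sockets if s["state"] == "SYN-RECV"]
    per_peer = Counter(s["peer_ip"] for s in half_open)
    per_port = Counter(s["local"] for s in half_open)
    busiest = per_peer.most_common(1)[0][1] if per_peer else 0
    return {
        "half_open": len(half_open),
        "distinct_peers": len(per_peer),
        "busiest_peer_count": busiest,
        "suspect": len(half_open) > max_half_open,
        "spoofed_pattern": len(half_open) > max_half_open and busiest <= max_per_peer,
        "targeted_ports": dict(per_port),
    }


if __name__ == "__main__":
    socks = parse_ss(SAMPLE_SS_OUTPUT)
    print(dict(state_counts(socks)))
    print(syn_flood_indicators(socks))
```

Thresholds belong in the caller: a busy web front end legitimately holds dozens of SYN-RECV sockets, so the useful signal is the ratio of half-open to established connections over time rather than one snapshot.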
2 · TCP Header Anatomy
The TCP header is a minimum of 20 bytes (160 bits). Each field serves a specific role in reliable, ordered delivery.
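The field layout described above, as an added example that is not part of the original lesson: a parser for the fixed 20-byte header and the option list, run over a constructed SYN segment (a client on port 51234 opening port 80 with MSS 1460 and window scale 7). The malformed-segment checks are the ones a packet parser needs in practice: a data offset that points outside the segment, and an option whose length byte is smaller than its own two-byte header.

```python
import struct
from dataclasses import dataclass, field

# Flag bits of the 16-bit offset/flags word, bit 0 upward: FIN SYN RST PSH ACK URG ECE CWR,
# then NS in bit 8 (deprecated by RFC 9293, treated as reserved).
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int            # 32-bit sequence number of the first payload byte (or of the SYN/FIN)
    ack: int            # next byte expected from the peer; meaningful only when ACK is set
    data_offset: int    # header length in 32-bit words, 5 (20 bytes) to 15 (60 bytes)
    flags: int
    window: int         # unscaled 16-bit receive window
    checksum: int
    urgent_ptr: int
    options: dict = field(default_factory=dict)
    payload: bytes = b""

    def flag_names(self):
        return [name for bit, name in enumerate(FLAG_NAMES) if self.flags & (1 << bit)]


def parse_tcp_options(raw):
    """Walk the TLV option list and decode the common kinds; returns {name: value}."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # NOP: one padding byte, no length field
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind %d has no length byte" % kind)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            # Length 0 or 1 would never advance the cursor; a length past the end would read
            # beyond the header. Both are malformed and must be rejected, not "fixed up".
            raise ValueError("option kind %d has invalid length %d" % (kind, length))
        body = raw[i + 2:i + length]
        if kind == 2 and length == 4:
            opts["MSS"] = struct.unpack("!H", body)[0]
        elif kind == 3 and length == 3:
            opts["WScale"] = body[0]
        elif kind == 4 and length == 2:
            opts["SACKPermitted"] = True
        elif kind == 8 and length == 10:
            opts["Timestamps"] = struct.unpack("!II", body)
        else:
            opts["kind%d" % kind] = body
        i += length
    return opts


def parse_tcp(segment):
    """Parse a TCP segment (header + payload, no IP header) into a TcpHeader."""
    if len(segment) < 20:
        raise ValueError("segment is shorter than the 20-byte minimum header")
    src, dst, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = off_flags >> 12          # top 4 bits of the word
    flags = off_flags & 0x1FF              # low 9 bits
    hdr_len = data_offset * 4
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("data offset %d inconsistent with segment length %d"
                         % (data_offset, len(segment)))
    options = parse_tcp_options(segment[20:hdr_len])
    return TcpHeader(src, dst, seq, ack, data_offset, flags, window, csum, urg,
                     options, segment[hdr_len:])


# Constructed SYN: 51234 -> 80, seq 100, data offset 7 (28 bytes), flags SYN, window 64240,
# checksum left at 0, options MSS=1460, NOP, WScale=7.
SAMPLE_SYN = bytes.fromhex(
    "c822 0050 00000064 00000000 7002 faf0 0000 0000"
    "0204 05b4 01 03 03 07"
)

if __name__ == "__main__":
    hdr = parse_tcp(SAMPLE_SYN)
    print(hdr.src_port, "->", hdr.dst_port, hdr.flag_names(), "seq", hdr.seq, hdr.options)
```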
3 · TCP Connection Lifecycle
TCP connections go through a structured setup, data transfer, and teardown process.
Client → Server: SYN=1, Seq=100 (client ISN). "I want to connect. My starting sequence number is 100."
Server → Client: SYN=1, ACK=1, Seq=300 (server ISN), Ack=101. "Got it. My starting sequence number is 300. I expect your next byte to be 101."
Client → Server: ACK=1, Seq=101, Ack=301. "Acknowledged. Connection established; data transfer may now begin." (A SYN occupies one sequence number, which is why each ACK number is the peer's ISN + 1.)
To spot a SYN flood in progress, run `ss -s` (or `ss -tan state syn-recv`) and look for a large number of connections in the SYN_RCVD state (shown as SYN-RECV by ss).
Client → Server: FIN=1, ACK=1, Seq=X. "I have no more data to send. Initiating graceful close." The client enters FIN_WAIT_1.
Server → Client: ACK=1, Ack=X+1. "Got your FIN. I may still have data to send." The server is in CLOSE_WAIT and the client moves to FIN_WAIT_2 (half-close: data still flows server to client).
Server → Client: FIN=1, ACK=1, Seq=Y. "Now I'm done too. Closing my side." The server enters LAST_ACK.
Client → Server: ACK=1, Ack=Y+1. "Received." The client enters TIME_WAIT for 2×MSL before fully closing; the server goes straight to CLOSED.
Simulated Wireshark packet list showing a complete TCP connection to port 80:
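The handshake and four-way close above, carried through with a request/response in between, as an added example (not the page's own code): two simulated endpoints apply the sequence-space rules (SYN and FIN each consume one sequence number, a payload consumes its length, a bare ACK consumes nothing) and the result is rendered in the style of a Wireshark packet list. The ISNs 100 and 300 are the page's; the HTTP request and response bytes are constructed.

```python
from dataclasses import dataclass


@dataclass
class Endpoint:
    name: str
    isn: int
    snd_nxt: int = 0   # next sequence number this side will use
    rcv_nxt: int = 0   # next sequence number expected from the peer, i.e. what we acknowledge

    def __post_init__(self):
        self.snd_nxt = self.isn


def send(src, dst, flags, payload=b""):
    """Emit one segment from src to dst and update both sequence spaces.
    SYN and FIN each occupy one sequence number, a payload occupies len(payload),
    a bare ACK occupies none. Delivery is assumed in order with no loss."""
    seg = {"src": src.name, "dst": dst.name, "flags": flags, "seq": src.snd_nxt,
           "ack": src.rcv_nxt if "ACK" in flags else None, "len": len(payload)}
    consumed = len(payload) + ("SYN" in flags) + ("FIN" in flags)
    src.snd_nxt = (src.snd_nxt + consumed) & 0xFFFFFFFF
    dst.rcv_nxt = (seg["seq"] + consumed) & 0xFFFFFFFF
    return seg


def simulate_connection(client_isn=100, server_isn=300,
                        request=b"GET / HTTP/1.1\r\n\r\n",
                        response=b"HTTP/1.1 200 OK\r\n\r\n"):
    """Three-way handshake, one request/response exchange, client-initiated four-way close."""
    c, s = Endpoint("client", client_isn), Endpoint("server", server_isn)
    return [
        send(c, s, "SYN"),                 # 1: client ISN
        send(s, c, "SYN,ACK"),             # 2: server ISN, acks client ISN + 1
        send(c, s, "ACK"),                 # 3: acks server ISN + 1; both ESTABLISHED
        send(c, s, "PSH,ACK", request),    # 4: request data
        send(s, c, "ACK"),                 # 5
        send(s, c, "PSH,ACK", response),   # 6: response data
        send(c, s, "ACK"),                 # 7
        send(c, s, "FIN,ACK"),             # 8: active close, client -> FIN_WAIT_1
        send(s, c, "ACK"),                 # 9: server CLOSE_WAIT, client FIN_WAIT_2
        send(s, c, "FIN,ACK"),             # 10: server LAST_ACK
        send(c, s, "ACK"),                 # 11: client TIME_WAIT, server CLOSED
    ]


def format_trace(trace):
    """Render the segments like a Wireshark packet list (absolute sequence numbers)."""
    lines = []
    for no, seg in enumerate(trace, 1):
        ack = "" if seg["ack"] is None else " Ack=%d" % seg["ack"]
        lines.append("%2d  %-6s -> %-6s [%s] Seq=%d%s Len=%d"
                     % (no, seg["src"], seg["dst"], seg["flags"], seg["seq"], ack, seg["len"]))
    return lines


if __name__ == "__main__":
    print("\n".join(format_trace(simulate_connection())))
```

Wireshark shows relative sequence numbers by default (both ISNs displayed as 0); the arithmetic is the same, which is why the final ACK carries Ack=321 here and Ack=21 in a relative view.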
4 · TCP State Machine
TCP maintains connection state using a finite state machine (RFC 9293). The states and what each means:
CLOSED – No connection exists
LISTEN – Waiting for an incoming connection request (passive open)
SYN_SENT – SYN sent, awaiting SYN-ACK (active open)
SYN_RCVD – SYN received and SYN-ACK sent, awaiting the final ACK
ESTABLISHED – Connection open, data flows in both directions
FIN_WAIT_1 – Our FIN sent, awaiting its ACK
FIN_WAIT_2 – Our FIN acknowledged, waiting for the peer's FIN
CLOSE_WAIT – Peer's FIN received, waiting for the local application to close
CLOSING – Both sides sent FIN simultaneously, awaiting the ACK of ours
LAST_ACK – Our FIN sent after the peer's, waiting for it to be ACKed
TIME_WAIT – Waiting 2×MSL before returning to CLOSED
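The state machine above as runnable code, added here as an example (not from the original lesson): a transition table keyed on (state, event), a connection object that refuses events that are not legal in its current state, and the three closing paths (active close, passive close, simultaneous close) walked end to end. The event names are this example's own; RFC 9293 describes the transitions in terms of received segments and user calls.

```python
# (state, event) -> next state. Comments note the segment the stack sends on the transition.
TRANSITIONS = {
    ("CLOSED", "passive_open"): "LISTEN",
    ("CLOSED", "active_open"): "SYN_SENT",        # send SYN
    ("LISTEN", "recv_SYN"): "SYN_RCVD",           # send SYN-ACK
    ("SYN_SENT", "recv_SYNACK"): "ESTABLISHED",   # send ACK
    ("SYN_SENT", "recv_SYN"): "SYN_RCVD",         # simultaneous open: send SYN-ACK
    ("SYN_SENT", "close"): "CLOSED",
    ("SYN_RCVD", "recv_ACK"): "ESTABLISHED",
    ("SYN_RCVD", "recv_RST"): "LISTEN",           # half-open entry dropped, listener stays up
    ("SYN_RCVD", "close"): "FIN_WAIT_1",          # send FIN
    ("ESTABLISHED", "close"): "FIN_WAIT_1",       # send FIN (active close)
    ("ESTABLISHED", "recv_FIN"): "CLOSE_WAIT",    # send ACK (passive close)
    ("FIN_WAIT_1", "recv_ACK"): "FIN_WAIT_2",
    ("FIN_WAIT_1", "recv_FIN"): "CLOSING",        # simultaneous close: send ACK
    ("FIN_WAIT_1", "recv_FINACK"): "TIME_WAIT",   # peer acked our FIN and sent its own at once
    ("FIN_WAIT_2", "recv_FIN"): "TIME_WAIT",      # send ACK
    ("CLOSING", "recv_ACK"): "TIME_WAIT",
    ("CLOSE_WAIT", "close"): "LAST_ACK",          # send FIN
    ("LAST_ACK", "recv_ACK"): "CLOSED",
    ("TIME_WAIT", "timeout_2MSL"): "CLOSED",
}


class TcpConnection:
    def __init__(self):
        self.state = "CLOSED"
        self.history = ["CLOSED"]

    def handle(self, event):
        nxt = TRANSITIONS.get((self.state, event))
        if nxt is None and event == "recv_RST" and self.state not in ("CLOSED", "LISTEN"):
            nxt = "CLOSED"      # an acceptable RST aborts the connection from any other state
        if nxt is None:
            # e.g. a bare ACK arriving in LISTEN: a real stack answers with RST; here we refuse.
            raise ValueError("event %r is not valid in state %s" % (event, self.state))
        self.state = nxt
        self.history.append(nxt)
        return nxt

    def run(self, events):
        for ev in events:
            self.handle(ev)
        return self.history


def active_open_active_close():
    return TcpConnection().run(["active_open", "recv_SYNACK", "close", "recv_ACK",
                                "recv_FIN", "timeout_2MSL"])


def passive_open_passive_close():
    return TcpConnection().run(["passive_open", "recv_SYN", "recv_ACK", "recv_FIN",
                                "close", "recv_ACK"])


def simultaneous_close():
    return TcpConnection().run(["active_open", "recv_SYNACK", "close", "recv_FIN",
                                "recv_ACK", "timeout_2MSL"])


def rst_in_established():
    return TcpConnection().run(["active_open", "recv_SYNACK", "recv_RST"])


if __name__ == "__main__":
    for path in (active_open_active_close, passive_open_passive_close,
                 simultaneous_close, rst_in_established):
        print("%-27s %s" % (path.__name__, " -> ".join(path())))
```

Note which paths pass through TIME_WAIT: only the side that sends its FIN first (or both, in a simultaneous close). A server that actively closes every connection therefore accumulates TIME_WAIT sockets, which is the origin of the `tcp_tw_reuse` tuning in section 1.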
5 · Flow Control & Congestion Control
TCP dynamically adapts to receiver capacity and network conditions to maximize throughput without causing harm.
Slow Start: begins with a congestion window (cwnd) of 1 MSS (modern stacks use an initial window of 10 MSS per RFC 6928). cwnd doubles every RTT (it grows by one MSS per ACK received) until it reaches the slow-start threshold (ssthresh) or a loss occurs. Despite the name, exponential growth is fast.
Congestion Avoidance: once cwnd reaches ssthresh it grows linearly, by about 1 MSS per RTT, until congestion is detected. This is the additive-increase half of AIMD (Additive Increase, Multiplicative Decrease).
Loss Response (multiplicative decrease): on a retransmission timeout, ssthresh = cwnd/2 and cwnd = 1 MSS, so slow start begins again. On three duplicate ACKs (fast retransmit plus fast recovery), ssthresh = cwnd/2 and cwnd = ssthresh, and the sender continues in congestion avoidance. The duplicate-ACK response is milder because duplicate ACKs prove that segments are still getting through.
Fast Retransmit: when 3 duplicate ACKs arrive for the same sequence number, TCP retransmits the missing segment immediately, without waiting for the retransmission timer to expire.
CUBIC (the Linux default): grows cwnd as a cubic function of the time since the last congestion event, independent of RTT, so it fills high-bandwidth, high-latency (long fat) paths far faster than Reno. On short-RTT paths it falls back to Reno-like growth (its TCP-friendly mode).
BBR (Bottleneck Bandwidth and Round-trip propagation time): models the path by measuring delivery rate and minimum RTT to estimate the available bandwidth, rather than treating packet loss as the congestion signal. Developed by Google and deployed for YouTube and other Google services.
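The slow-start, congestion-avoidance and loss-response rules above, together with the BDP argument from section 1, as an added example (not part of the lesson): a Reno-style congestion window simulated one RTT at a time in units of MSS, and the number of slow-start RTTs it takes to reach a given BDP. The event sequence fed in is constructed; clamping slow start exactly at ssthresh and working per RTT rather than per ACK are simplifications of what a real stack does.

```python
import math


def reno_rtt(cwnd, ssthresh, event):
    """Advance a Reno-style congestion window by one RTT (both values in MSS units).
    event: 'ack'  every segment of the window was acknowledged
           'dup3' three duplicate ACKs -> fast retransmit + fast recovery
           'rto'  retransmission timeout
    Returns (cwnd, ssthresh)."""
    if event == "rto":
        return 1, max(cwnd // 2, 2)               # multiplicative decrease, restart slow start
    if event == "dup3":
        ssthresh = max(cwnd // 2, 2)
        return ssthresh, ssthresh                 # halve and continue in congestion avoidance
    if event != "ack":
        raise ValueError("unknown event %r" % event)
    if cwnd < ssthresh:
        return min(cwnd * 2, ssthresh), ssthresh  # slow start: exponential, clamped at ssthresh
    return cwnd + 1, ssthresh                     # congestion avoidance: additive increase


def simulate_reno(events, cwnd=1, ssthresh=64):
    """Return cwnd after each RTT of the given event sequence."""
    trace = []
    for ev in events:
        cwnd, ssthresh = reno_rtt(cwnd, ssthresh, ev)
        trace.append(cwnd)
    return trace


def bdp_in_mss(bandwidth_bps, rtt_seconds, mss=1460):
    """Bandwidth-delay product in segments: the window needed to keep the pipe full."""
    return math.ceil(bandwidth_bps * rtt_seconds / 8 / mss)


def slow_start_rtts(target_mss, initial_window=1):
    """RTTs of loss-free slow start needed before cwnd reaches the target window."""
    cwnd, rtts = initial_window, 0
    while cwnd < target_mss:
        cwnd, _ = reno_rtt(cwnd, float("inf"), "ack")
        rtts += 1
    return rtts


if __name__ == "__main__":
    events = ["ack"] * 8 + ["dup3"] + ["ack"] * 4 + ["rto"] + ["ack"] * 3
    print("cwnd per RTT:", simulate_reno(events))
    bdp = bdp_in_mss(1_000_000_000, 0.100)        # 1 Gbit/s with 100 ms RTT: a long fat network
    print("BDP = %d MSS; slow start needs %d RTTs from IW1, %d RTTs from IW10"
          % (bdp, slow_start_rtts(bdp), slow_start_rtts(bdp, 10)))
```

The trace makes the asymmetry of AIMD visible: the window takes six RTTs to climb to 64 MSS and one loss event to fall back to 33 (or to 1 on a timeout). On the 1 Gbit/s, 100 ms path the BDP is about 8,562 MSS, so even loss-free slow start spends 14 RTTs (1.4 s) before the link is full, which is the case for CUBIC and BBR on such paths.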
6 · TCP Header Builder
Construct a TCP segment header. As you modify fields, the hex output and visual representation update in real time.
Common flag presets:
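A header builder matching the description above, added as an example (not the page's interactive tool): it packs the fields, applies the flag presets, pads options to a 32-bit boundary, computes the checksum over the IPv4 pseudo-header plus segment, and returns the hex a dissector would show. The addresses and ports are constructed; the checksum routine is the RFC 9293 ones' complement sum, and `verify_checksum` does what a receiver does (the sum over a correct segment, checksum field included, is 0xFFFF).

```python
import socket
import struct

FLAG_BITS = {"FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008,
             "ACK": 0x010, "URG": 0x020, "ECE": 0x040, "CWR": 0x080}
PRESETS = {"SYN": ["SYN"], "SYN-ACK": ["SYN", "ACK"], "ACK": ["ACK"], "PSH-ACK": ["PSH", "ACK"],
           "FIN-ACK": ["FIN", "ACK"], "RST": ["RST"], "RST-ACK": ["RST", "ACK"]}


def ones_complement_sum(data):
    """16-bit ones' complement sum with end-around carry, as used by IP, TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"                      # an odd trailing byte is padded for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip, dst_ip, tcp_length):
    """IPv4 pseudo-header: src, dst, zero byte, protocol 6, TCP length (header + payload)."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_length)


def tcp_checksum(src_ip, dst_ip, segment):
    return (~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)) & 0xFFFF


def verify_checksum(src_ip, dst_ip, segment):
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, window=65535,
              options=b"", payload=b"", urgent=0):
    """Return a complete TCP segment (header + options + payload) with a valid checksum.
    `flags` is a list of flag names, e.g. PRESETS["SYN-ACK"]."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)   # pad with End-of-Option-List bytes
    data_offset = 5 + len(options) // 4
    if data_offset > 15:
        raise ValueError("options exceed the 40 bytes the 4-bit data offset can express")
    flag_word = 0
    for name in flags:
        flag_word |= FLAG_BITS[name]
    off_flags = (data_offset << 12) | flag_word
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, urgent) + options
    csum = tcp_checksum(src_ip, dst_ip, header + payload)   # computed with the field zeroed
    header = header[:16] + struct.pack("!H", csum) + header[18:]
    return header + payload


def to_hex(segment, group=4):
    """Hex dump grouped like a protocol tool's byte view."""
    h = segment.hex()
    return " ".join(h[i:i + group] for i in range(0, len(h), group))


if __name__ == "__main__":
    syn = build_tcp("10.0.0.5", "10.0.0.9", 40000, 80, 100, 0, PRESETS["SYN"],
                    window=64240, options=bytes.fromhex("020405b4"))   # MSS 1460
    print(to_hex(syn), "| valid:", verify_checksum("10.0.0.5", "10.0.0.9", syn))
```

Because the pseudo-header folds the IP addresses into the sum, a NAT device must rewrite the TCP checksum as well as the IP one; forgetting this is a classic cause of "every segment has a bad checksum" in captures taken behind a translator.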
7 · TCP vs UDP
Understanding when to use TCP versus UDP is a critical skill for network administrators and application developers.
| Property | TCP – Transmission Control Protocol | UDP – User Datagram Protocol |
|---|---|---|
| Connection | Connection-oriented | Connectionless |
| Reliability | Guaranteed delivery | Best-effort |
| Ordering | In-order delivery | Not guaranteed |
| Header | 20–60 bytes | 8 bytes only |
| Speed | Lower (overhead) | Higher (minimal overhead) |
| Flow Control | Yes (sliding window) | No |
| Congestion Control | Yes (CUBIC, BBR) | No (app responsibility) |
| Use Cases | HTTP, SSH, FTP, SMTP, DB | DNS, VoIP, Gaming, QUIC, Video |
8 · Knowledge Check
Test your understanding of the TCP concepts covered above.