How TCP Seq and ACK works for open, data transfer and close?


On daily basis, no matter you are an end user or an IT guys working in the field, you need to touch it transparently or non-transparently. Let’s do some fundamental dirty work about knowing deep about the sequence number, ACK, how ACK send out from receiver to sender calculated.

Knowledge Prerequisite:

TCP segments are sent as internet datagrams.



ISN: 32 bits

The Initial Sequence Number.  The first sequence number used on a connection, (either ISS or IRS). Selected on a clock based procedure.When new connections are created, an initial sequence number (ISN) generator is employed which selects a new 32 bit ISN.  The generator is bound to a (possibly fictitious) 32 bit clock whose low order bit is incremented roughly every 4 microseconds.  Thus, the ISN cycles approximately every 4.55 hours. Since we assume that segments will stay in the network no more than the Maximum Segment Lifetime (MSL) and that the MSL is less than 4.55 hours we can reasonably assume that ISN’s will be unique. Sequence Number:  32 bitsThe sequence number of the first data octet in this segment (except when SYN is present). If SYN is present the sequence number is the initial sequence number (ISN) and the first data octet is ISN+1. Acknowledgment Number:  32 bitsIf the ACK control bit is set this field contains the value of the next sequence number the sender of the segment is expecting to receive.  Once a connection is established this is always sent.


SYN: 1 bit

SYN is one of the control bits used for synchronize  sequence numbers. For a connection to be established or initialized, the two TCPs must synchronize on each other’s initial sequence numbers.  This is done in an exchange of connection establishing segments carrying a control bit called “SYN” (for  synchronize) and the initial sequence numbers. As a shorthand, segments carrying the SYN bit are also called “SYNs”.


FIN: 1 bit

No more data from senderClosing a Connection – CLOSE is an operation meaning “I have no more data to send.”  The notion of closing a full-duplex connection is subject to ambiguous interpretation, of course, since it may not be obvious how to treat the receiving side of the connection.  We have chosen to treat CLOSE in a simplex fashion.  The user who CLOSEs may continue to RECEIVE until he is told that the other side has CLOSED also.  Thus, a program could initiate several SENDs followed by a CLOSE, and then continue to RECEIVE until signaled that a RECEIVE failed because the other side has CLOSED.  We assume that the TCP will signal a user, even if no RECEIVEs are outstanding, that the other side has closed, so the user can terminate his side gracefully.  A TCP will reliably deliver all buffers SENT before the connection was CLOSED so a user who expects no data in return need only wait to hear the connection was CLOSED successfully to know that all his data was received at the destination TCP.  Users must keep reading connections they close for sending until the TCP says no more data.




To establish and complete a TCP connection, the following events  usually take place:


  1. The active opener (normally called the client) sends a SYN segment (i.e., a TCP/IP packet with the SYN bit field turned on in the TCP header) specifying the port number of the peer to which it wants to connect and the client’s
  2. The server responds with its own SYN segment containing its initial sequence number (ISN(s)). This is segment 2. The server also acknowledges the client’s SYN by ACKing ISN(c) plus 1. A SYN consumes one sequence number and is retransmitted if lost.
  3. The client must acknowledge this SYN from the server by ACKing ISN(s) plus 1. This is segment 3.


The purposes of three way handshake are to let each end of the connection know that a connection is starting

The first SYN is active open. typically a client, the other end receives first SYN and sends the next SYN. performs a passive open. typically a server.


Usually a close operation starts with an application indicating its desire to terminate its connection (e.g., using the close() system call). The closing TCP initiates the close operation by sending a FIN segment (i.e., a TCP segment with the FIN bit field set). The complete close operation occurs after both sides have completed the close:


  1. The active closer sends a FIN segment specifying the current sequence number the receiver expects to see (K in Figure 13-1). The FIN also includes an ACK for the last data sent in the other direction (labeled L in Figure 13-1).
  2. The passive closer responds by ACKing value K + 1 to indicate its successful receipt of the active closer’s FIN. At this point, the application is notified that the other end of its connection has performed a close. Typically this results in the application initiating its own close operation. The passive closer then effectively becomes another active closer and sends its own FIN. The sequence number is equal to L.
  3. To complete the close, the final segment contains an ACK for the last FIN. Note that if a FIN is lost, it is retransmitted until an ACK for it is received.


Real Practice:

TCP open and Close:


filters that I used to get this special process out:

“tcp.flags.fin eq 1 || tcp.flags.syn eq 1 || tcp.flags.ack eq 1 || tcp.flags.push eq 1”

“ eq 4”



Connection Set-up:


Data Transfer:


Connection Close:



Special rules apply to TCP connection setup and connection close, so it is different to refer those two process compared with data transfer process.


TCP Open:

Client to Server:  SYN, Seq=ISN(c)

Server to client:  SYN + ACK, Seq=ISN(s),ACK=ISN(c)

Client to Server: ACK, Seq=ISN(c)+1, ACK=ISN(s)+1


TCP Close:

Client to Server:  FIN + ACK, Seq=K, ACK=L

Server to client:  ACK, Seq=L, ACK=K+1

Server to client:  FIN + ACK, Seq=L, ACK=K+1

Client to Server: ACK, Seq=K, ACK=L+1


Data Transfer:

TCP also uses the sequence and acknowledgment fields to track the receipt of data.

For each byte received by a host it will add one to the sender’s sequence number and send it back in an acknowledgment packet.


Simple situation:

How to calculate:  Seq=1 + Len=0 = Next frame Ack=1


More complex situation: First three frames c2s 1st  Seq=1 + Len=0 + 2nd Len=1448 + 3rd Len=424 = Last s2c reply ACK = 1873



Another real practice:




Referenced Links and documents:

Wireshark: Transmission Control Protocol (TCP)

Current RFC:


Other Information:

  • TCP.IP.Illustrated.Volume.1.2nd.Edition
  • TCP/IP Analysis and Troubleshooting Toolkit


Leave a Reply

Your email address will not be published. Required fields are marked *