Two types of three-way handshake (Connection Setup and Close)

 

Starter:

I still remember that four years ago, when Barry, one of our internal instructors, came from Seattle to deliver a training session, he mentioned that the three-way handshake is used as one of the technical questions to judge the technical skills of the interviewee in most technical job interviews.

Also, as an IT professional, I cannot emphasize enough how important it is to remember and understand these two processes as common sense, since other people use this question to judge your IT skills.

The three-way handshake is one of the fundamentals you should know and understand. Solid technical skills are built on fundamental knowledge; as time goes on, these simple pieces of knowledge merge together, lift you to a higher level and form a better you.


 

Knowledge Prerequisites:

TCP Open:

The TCP Open refers to the actions performed by the TCP layer of a host wishing to open a communications channel to another host using the TCP protocol. The TCP Open performs the three-way handshake using the SYN and ACK connection flags.

The TCP Open has two purposes:
■ To exchange initial sequence numbers
■ To negotiate TCP options

TCP Close:

After two stations open a TCP session and transfer their respective data, they must close the TCP session to release the reserved buffer space that was allocated for that connection. When a host wishes to close a TCP session, it uses the FIN flag. The TCP Close is very similar to the TCP Open, although you sometimes may see it occur in four frames instead of only three. The key to recognizing a TCP Close is to watch for the FIN flag being set and also for the sequencing and acknowledgment values, just as you did when you analyzed the TCP Open.

Half-Close:

There is another TCP state that you may sometimes see, called the TCP Half-Close. Normally, when a host receives a FIN segment it responds with a FIN to close its side of the connection. This occurrence is called an orderly release. The Half-Close occurs when a host sends another host a FIN segment requesting that the TCP session be closed. Normally, the receiving station acknowledges the close request and also sends a FIN segment to close its session. But sometimes hosts never close their side of the connection. By not doing so they waste buffer space that could be used for other TCP connections. Some TCP implementations actually support a call that allows an application to close one-half of the connection if it has no more data to send. Hosts closing their half of a TCP connection can still receive data and acknowledge data sent to them, but they can no longer send data because the host at the other side of the connection most likely terminated their connection and reserved buffer space on receipt of the FIN segment.

 

 

Real packet analysis:

The TCP close used three stages instead of four.
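The following is an added example, not part of the original post or the referenced book: it applies the rule described above (watch the FIN flag together with the sequence and acknowledgment values) to tell a valid open, a three-segment close, a four-segment close and a half-close apart. The `Seg` record, the single-letter flag notation and all sample traces are assumptions constructed for illustration.

```python
from collections import namedtuple

# One TCP segment: sender, flags (S=SYN, A=ACK, F=FIN), seq, ack, payload bytes.
Seg = namedtuple("Seg", "src flags seq ack length")

def check_open(segs):
    """True if segs is SYN, SYN+ACK, ACK with consistent numbers (a SYN consumes one sequence number)."""
    if len(segs) != 3:
        return False
    syn, synack, ack = segs
    return (syn.flags == "S"
            and synack.flags == "SA" and synack.ack == syn.seq + 1
            and ack.flags == "A" and ack.seq == syn.seq + 1
            and ack.ack == synack.seq + 1)

def classify_close(segs):
    """Classify a FIN exchange by its flags and seq/ack values."""
    fins = [s for s in segs if "F" in s.flags]
    if not fins:
        return "no-close"
    first = fins[0]
    fin_end = first.seq + first.length + 1       # a FIN consumes one sequence number
    acks = [s for s in segs if s.src != first.src and "A" in s.flags and s.ack == fin_end]
    if not acks:
        return "unacknowledged"
    peer_fins = [s for s in fins if s.src != first.src]
    if not peer_fins:
        return "half-close"                      # peer ACKed the FIN but kept its side open
    peer_end = peer_fins[0].seq + peer_fins[0].length + 1
    if not any(s.src == first.src and "A" in s.flags and s.ack == peer_end for s in segs):
        return "incomplete"                      # peer's FIN was never acknowledged
    # Three segments when the peer's FIN itself carries the first ACK of our FIN.
    return "three-segment" if acks[0] is peer_fins[0] else "four-segment"

# Constructed sample traces (not taken from the original capture).
OPEN = [Seg("client", "S", 1000, 0, 0), Seg("server", "SA", 5000, 1001, 0),
        Seg("client", "A", 1001, 5001, 0)]
CLOSE3 = [Seg("client", "FA", 1101, 5201, 0), Seg("server", "FA", 5201, 1102, 0),
          Seg("client", "A", 1102, 5202, 0)]
CLOSE4 = [Seg("client", "FA", 1101, 5201, 0), Seg("server", "A", 5201, 1102, 0),
          Seg("server", "FA", 5201, 1102, 0), Seg("client", "A", 1102, 5202, 0)]
HALF = [Seg("client", "FA", 1101, 5201, 0), Seg("server", "A", 5201, 1102, 0),
        Seg("server", "A", 5201, 1102, 300), Seg("client", "A", 1102, 5501, 0)]

if __name__ == "__main__":
    print(check_open(OPEN), [classify_close(t) for t in (CLOSE3, CLOSE4, HALF)])
```

In the three-segment case the peer's FIN and its ACK of the first FIN travel in the same segment, which is why the close can take three frames instead of four.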

 

 

Referenced Links and documents:

Copied some paragraphs from pages 185 and 192-193 of <TCP/IP Analysis and Troubleshooting Toolkit>.
