I still remember, four years ago, when one of our internal instructors, Barry from Seattle, came to deliver a training session. He mentioned that the three-way handshake is used as one of the technical questions to judge the interviewee's technical skills in most technical job interviews.
Also, as an IT professional, I cannot emphasize enough how important it is to remember and understand these two processes as common sense, since other people use this question to judge your IT skills.
The three-way handshake is one of the fundamentals you should know and understand. Solid technical skills are built on fundamentals; as time goes on, these simple pieces of knowledge merge together, lift you to a higher level, and form a better you.
The TCP Open refers to the actions performed by the TCP layer of a host wishing to open a communications channel to another host using the TCP protocol. The TCP Open performs the three-way handshake using the SYN and ACK connection flags.
The TCP Open has two purposes:
■ To exchange initial sequence numbers
■ To negotiate TCP options
After two stations open a TCP session and transfer their respective data, they must close the TCP session to release the reserved buffer space that was allocated for that connection. When a host wishes to close a TCP session, it uses the FIN flag. The TCP Close is very similar to the TCP Open, although you sometimes may see it occur in four frames instead of only three. The key to recognizing a TCP Close is to watch for the FIN flag being set and also for the sequencing and acknowledgment values, just as you did when you analyzed the TCP Open.
There is another TCP state that you may sometimes see, called the TCP Half-Close. Normally, when a host receives a FIN segment it responds with a FIN to close its side of the connection. This occurrence is called an orderly release. The Half-Close occurs when a host sends another host a FIN segment requesting that the TCP session be closed. Normally, the receiving station acknowledges the close request and also sends a FIN segment to close its session. But sometimes hosts never close their side of the connection. By not doing so they waste buffer space that could be used for other TCP connections. Some TCP implementations actually support a call that allows an application to close one-half of the connection if it has no more data to send. Hosts closing their half of a TCP connection can still receive data and acknowledge data sent to them, but they can no longer send data because the host at the other side of the connection most likely terminated their connection and reserved buffer space on receipt of the FIN segment.
Real packet analysis (Wireshark packet list; the three numbers after the addresses are the relative Seq, Ack and TCP payload length of each segment):
1100 17.873273 10.111.181.95 → 10.111.176.255 0 0 0 TCP 52651→88 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=64 SACK_PERM=1 TSval=9337156 TSecr=0
1101 17.873424 10.111.176.255 → 10.111.181.95 0 1 0 TCP 88→52651 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1 TSval=615554345 TSecr=9337156
1102 17.873445 10.111.181.95 → 10.111.176.255 1 1 0 TCP 52651→88 [ACK] Seq=1 Ack=1 Win=131712 Len=0 TSval=9337156 TSecr=615554345
1103 17.873499 10.111.181.95 → 10.111.176.255 1 1 1409 KRB5 TGS-REQ
1104 17.874655 10.111.176.255 → 10.111.181.95 1 1410 1436 KRB5 TGS-REP
1105 17.874700 10.111.181.95 → 10.111.176.255 1410 1437 0 TCP 52651→88 [FIN, ACK] Seq=1410 Ack=1437 Win=131712 Len=0 TSval=9337156 TSecr=615554345
1106 17.874832 10.111.176.255 → 10.111.181.95 1437 1411 0 TCP 88→52651 [ACK] Seq=1437 Ack=1411 Win=66560 Len=0 TSval=615554345 TSecr=9337156
1107 17.874863 10.111.176.255 → 10.111.181.95 1437 1411 0 TCP 88→52651 [RST, ACK] Seq=1437 Ack=1411 Win=0 Len=0
Here the TCP Close took three segments instead of four: the client (10.111.181.95) sent FIN/ACK with Seq=1410, the server (10.111.176.255) acknowledged it with Ack=1411 (the FIN itself consumes one sequence number), and then the server sent RST/ACK instead of its own FIN.
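As an added example (not code from the post or the book), the script below parses the packet list above and checks the Seq/Ack relationships that identify the TCP Open and the TCP Close, assuming the three numeric columns are relative Seq, Ack and payload length and that the KRB5 data segments carry a plain ACK.

```python
import re
from collections import namedtuple
# The capture from this post (TSval/TSecr trimmed): frame, time, src → dst, Seq, Ack, Len, protocol, info.
CAPTURE = """\
1100 17.873273 10.111.181.95 → 10.111.176.255 0 0 0 TCP 52651→88 [SYN] Seq=0 Win=65535 Len=0
1101 17.873424 10.111.176.255 → 10.111.181.95 0 1 0 TCP 88→52651 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0
1102 17.873445 10.111.181.95 → 10.111.176.255 1 1 0 TCP 52651→88 [ACK] Seq=1 Ack=1 Win=131712 Len=0
1103 17.873499 10.111.181.95 → 10.111.176.255 1 1 1409 KRB5 TGS-REQ
1104 17.874655 10.111.176.255 → 10.111.181.95 1 1410 1436 KRB5 TGS-REP
1105 17.874700 10.111.181.95 → 10.111.176.255 1410 1437 0 TCP 52651→88 [FIN, ACK] Seq=1410 Ack=1437 Win=131712 Len=0
1106 17.874832 10.111.176.255 → 10.111.181.95 1437 1411 0 TCP 88→52651 [ACK] Seq=1437 Ack=1411 Win=66560 Len=0
1107 17.874863 10.111.176.255 → 10.111.181.95 1437 1411 0 TCP 88→52651 [RST, ACK] Seq=1437 Ack=1411 Win=0 Len=0
"""
Seg = namedtuple("Seg", "src dst seq ack length flags")

def parse(text):
    segs = []
    for line in text.splitlines():
        t = line.split()
        m = re.search(r"\[([A-Z, ]+)\]", line)  # KRB5 data segments show no flags: assume plain ACK
        flags = frozenset(m.group(1).split(", ")) if m else frozenset({"ACK"})
        segs.append(Seg(t[2], t[4], int(t[5]), int(t[6]), int(t[7]), flags))
    return segs
def consumes(s):  # payload bytes plus one sequence number each for SYN and FIN
    return s.length + ("SYN" in s.flags) + ("FIN" in s.flags)

def check_handshake(segs):
    a, b, c = segs[:3]  # SYN, SYN/ACK, ACK with the expected Seq/Ack relationships
    return (a.flags == {"SYN"} and b.flags == {"SYN", "ACK"} and c.flags == {"ACK"}
            and b.ack == a.seq + 1 and c.seq == a.seq + 1 and c.ack == b.seq + 1)

def check_sequencing(segs):
    """Each host's next Seq must equal its previous Seq plus what that segment consumed."""
    expect = {}
    for s in segs:
        if s.src in expect and s.seq != expect[s.src]:
            return False
        expect[s.src] = s.seq + consumes(s)
    return True

def classify_close(segs):
    f = next(s for s in segs if "FIN" in s.flags)
    reply = [s for s in segs[segs.index(f) + 1:] if s.src == f.dst]
    if not reply or reply[0].ack != f.seq + consumes(f):
        return "FIN not acknowledged"
    if any("FIN" in s.flags for s in reply):
        return "four-way close"
    if any("RST" in s.flags for s in reply):
        return "three-segment close: FIN, ACK, then RST"  # peer reset instead of sending FIN
    return "half-close"  # peer acknowledged the FIN but never closed its own side
```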
Referenced Links and documents:
Copied some paragraphs from pages 185 and 192-193 of "TCP/IP Analysis and Troubleshooting Toolkit".