What is TCP SYN, ACK, FIN, handshake, teardown, and connection states?

Environment

  • Red Hat Enterprise Linux
  • TCP/IP networking

Issue

  • What is TCP handshake, teardown, and connection states?
  • What are SYN, ACK, FIN in TCP connections?
  • In a TCP connection, which is the "client" and which is the "server"?
  • In a TCP connection, which side decides to close the connection first?

Resolution

TCP or Transmission Control Protocol is a network protocol designed to provide features to network communication such as:

  • Reliability - Did the data I just sent reach its destination? - Is this all the data that has been sent? Is it in the right order?
  • Error Detection - Is the data received the same as it was sent, or has the data been corrupted?
  • Retransmission - This data I received is no good, it was corrupted in transmission, send it to me again
  • Flow Control - I can only receive so much data at once, you can send me less than that amount, but don't send me more than that amount
  • Congestion Control - Our network path is flooded, we're getting errors, let's slow down and give the network a chance to recover

The following provides a brief overview of the TCP connection states. It is recommended to follow along with these descriptions using the TCP State Diagram referenced below.

Connection Establishment (SYN)

To start a TCP connection, one system must be listening (the server) and one system must try to make a new connection (the client).

  • The client sends a SYN
  • The server replies with an ACK to the client's SYN
  • The server sends a SYN
  • The client replies with an ACK to the server's SYN

The SYN stands for "synchronise" and is part of the way TCP knows how much data has been sent and in what order.

The ACK stands for "acknowledge" and is used to provide reliability that a given piece of data has been received.

These points describe 4 separate steps, but often the middle two steps are combined (SYN, SYN+ACK, ACK), so this is commonly called the "three-way handshake".

Connection Established

Once a connection is established, there is no real "client" and "server" anymore; the TCP stream is just a conversation between two participants.

Generally one side will send data, and the other side will reply with one or more ACKs advising that data has been received.

The data is passed into the application which owns the connection, and the application takes the appropriate action.

Connection Teardown (FIN)

The connection teardown is similar to the establishment, in that it requires a handshake with 4 steps.

However, there is still no "client" and "server" in a connection teardown. Either side can end the connection by sending a FIN.

Which side sends the FIN first depends on the behaviour of the application, and may even depend on the data sent back and forth within the application.

  • One side sends a FIN and becomes the Active Closer
  • The other side replies with an ACK and becomes the Passive Closer
  • The Passive Closer sends a FIN
  • The Active Closer replies with an ACK

The FIN stands for "finish" and is used to end the connection.

These points describe 4 separate steps; sometimes the middle two steps are combined, sometimes they are not.

The closing of a connection relies on the application to realise the connection is no longer needed, then close it. An application may not constantly check its connections, may need some other condition to be met, or may be otherwise busy processing other data, so a delay in closing may be seen.

Example TCP Session

This example shows how a basic web server works.

  • Webserver starts on port 80, its connection is in LISTEN state

Application user visits the website http://www.example.com/

  • Browser opens a connection by sending SYN - httpd, I want to talk to you.
  • Webserver replies with a SYN+ACK - Ok, let's talk. I want to talk to you too.
  • Browser replies with ACK - Ok, we are talking now.

The session is now ESTABLISHED

  • Browser sends HTTP GET index.html - Send me the file index.html
  • Webserver replies with ACK - I have received your request
  • Webserver sends contents of webpage - Here is the file you asked for
  • Browser replies with ACK - I have received the file you sent

The web browser displays the webpage to the application user

  • Webserver sends FIN - I have fulfilled your request, there is nothing more to do (httpd is Active Closer)
  • Browser sends ACK - I have received your finishing message (Browser is Passive Closer)
  • Browser sends FIN - There is nothing more for me to say at the moment
  • Webserver sends ACK - I have received your finishing message

The connection is now CLOSED and gone on the browser, and will remain in TIME_WAIT for a minute or so on the Webserver, then go to CLOSED and disappear.
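
The example session above, replayed through a simplified TCP state machine to show the intermediate states each end passes through. This is an added example, not part of the original article: the state names use netstat's spelling, the endpoint labels and the traces are constructed from the steps listed above, and the model ignores sequence numbers, timers and retransmission.

```python
# Added example: simplified TCP state machine, not code from the original article.
# Keys are (current state, "snd" or "rcv", flag); anything not listed leaves the
# state unchanged (DATA, plain ACKs). State names follow netstat's spelling.
TRANSITIONS = {
    ("CLOSED", "snd", "SYN"): "SYN_SENT",         # client opens
    ("LISTEN", "rcv", "SYN"): "SYN_RECV",         # server saw the SYN
    ("SYN_SENT", "rcv", "SYN"): "SYN_RECV",       # peer's SYN arrived
    ("SYN_RECV", "rcv", "ACK"): "ESTABLISHED",    # our SYN was acknowledged
    ("ESTABLISHED", "snd", "FIN"): "FIN_WAIT1",   # this end is the Active Closer
    ("ESTABLISHED", "rcv", "FIN"): "CLOSE_WAIT",  # this end is the Passive Closer
    ("FIN_WAIT1", "rcv", "ACK"): "FIN_WAIT2",
    ("FIN_WAIT1", "rcv", "FIN"): "CLOSING",
    ("CLOSING", "rcv", "ACK"): "TIME_WAIT",
    ("FIN_WAIT2", "rcv", "FIN"): "TIME_WAIT",
    ("CLOSE_WAIT", "snd", "FIN"): "LAST_ACK",
    ("LAST_ACK", "rcv", "ACK"): "CLOSED",
}

# Constructed traces of the article's web session: (sender, flags on the segment).
HANDSHAKE = [("browser", "SYN"), ("webserver", "SYN+ACK"), ("browser", "ACK")]
REQUEST = [("browser", "DATA"), ("webserver", "ACK"),
           ("webserver", "DATA"), ("browser", "ACK")]
TEARDOWN = [("webserver", "FIN"), ("browser", "ACK"),
            ("browser", "FIN"), ("webserver", "ACK")]
# Same teardown with the middle two steps combined into one segment.
TEARDOWN_COMBINED = [("webserver", "FIN"), ("browser", "FIN+ACK"),
                     ("webserver", "ACK")]
# The model follows one connection; a real listener stays in LISTEN for others.
START = {"browser": "CLOSED", "webserver": "LISTEN"}


def replay(trace, start=START):
    """Return [(segment, {endpoint: state})] after each segment in the trace."""
    states, rows = dict(start), []
    for sender, flags in trace:
        receiver = next(end for end in states if end != sender)
        for end, direction in ((sender, "snd"), (receiver, "rcv")):
            for flag in flags.split("+"):  # apply each flag of the segment in turn
                key = (states[end], direction, flag)
                states[end] = TRANSITIONS.get(key, states[end])
        rows.append((f"{sender} {flags}", dict(states)))
    return rows


if __name__ == "__main__":
    for segment, states in replay(HANDSHAKE + REQUEST + TEARDOWN):
        print(f"{segment:<18} browser={states['browser']:<12} "
              f"webserver={states['webserver']}")
```

A socket that stays in CLOSE_WAIT belongs to the Passive Closer whose application has not yet closed the connection, which is the delay described in the teardown section.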

Web Traffic Note

If attempting to reproduce this, you may not actually see the Webserver close the connection straight away. Web traffic has the concept of persistent connections, which may be used depending on support for the feature on the client and the server, and how each is configured to handle a specific connection.

For example, if a web browser is configured to use persistent connections, the actual TCP session may not close until the browser tab is closed, or until a timeout (internal to the web browser itself) is reached. If a web server is able to use persistent connections, it may use the feature only when requested by the client, or it may use the feature for every connection by default.

Taking the example of persistent connections into consideration, it is possible to see how the behaviour of applications at both ends of the connection will affect the TCP traffic sent back and forth between the two conversation participants, as well as affecting which end becomes the Active Closer.

Diagnostic Steps

Simplified TCP State Diagram

Handshake


Client                [LISTEN] Server

Client    SYN -------->        Server

Client        <-------- ACK    Server

Client        <-------- SYN    Server

Client    ACK -------->        Server

Established

Sender   DATA -------->        Receiver

Sender        <-------- ACK    Receiver

or

Receiver      <-------- DATA   Sender

Receiver    ACK -------->      Sender

Teardown

Active    FIN -------->        Passive

Active        <-------- ACK    Passive

Active        <-------- FIN    Passive

Active    ACK -------->        Passive

Active [TIME_WAIT]    [CLOSED] Passive

      ...60 secs...

Active [CLOSED]

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.