How TCP protocol works

The Transmission Control Protocol (TCP) is one of the main protocols of the Internet protocol suite which provides reliable, ordered, and error-checked delivery of a stream of octets (bytes) between applications running on hosts communicating via an IP network.

TCP is connection-oriented, and a connection between client and server is established before data can be sent. The server must be listening (passive open) for connection requests from clients before a connection is established.

The TCP 3-way handshake is a process used to establish a TCP connection between a client and a server. This handshake is essential for setting up a reliable connection where both parties acknowledge the receipt of packets. It involves three steps:

  • SYN packet;

  • SYN-ACK packet;

  • ACK packet;

The SYN packet characteristics

Purpose: The primary purpose of the SYN packet is to initiate a connection between a client and a server. It signals the intent to establish communication and synchronize sequence numbers between the two parties.

Sequence Number: The SYN packet contains an initial sequence number (ISN) that is chosen randomly and it is used to order bytes in the data stream. The sequence number in TCP is a 32-bit field, which means it can range from 0 to 4,294,967,295.

TCP Header Information: In the TCP header of the SYN packet, the SYN flag is set to 1 (other flags are set to 0). The SYN packet also contains other standard TCP header information, such as source and destination port numbers, window size, and checksum.

No Data Payload: The SYN packet doesn't carry any application data.

Response Expectation: After sending a SYN packet, the sender expects a SYN-ACK response from the receiver. This confirms that the receiver is ready to establish a connection.

SYN packet analyzed via Wireshark:

The SYN-ACK packet characteristics

Purpose: The SYN-ACK packet is sent by the server in response to the SYN packet received from the client. It acknowledges (ACK) the receipt of the SYN packet from the client and it also indicates the server's willingness to establish a connection and synchronize its sequence numbers with the client.

Sequence and Acknowledgment Numbers:

  • Sequence Number (SYN): The server includes its initial sequence number (ISN) in the SYN-ACK packet. This number is used for sequencing the bytes sent from the server to the client.

  • Acknowledgment Number (ACK): It is the initial sequence number (ISN) of the client received in the SYN packet plus 1. If the client's ISN was 0, the acknowledgment number would be 0+1=1.

TCP Header Information: Two flags are set in the TCP header of the SYN-ACK packet:

  • The SYN flag is set to 1, indicating it's part of the connection establishment process.

  • The ACK flag is set to 1, acknowledging the receipt of the SYN packet from the client.

  • Like the SYN packet, the SYN-ACK packet also contains standard TCP header information such as source and destination port numbers, window size, and checksum.

No Data Payload: Similar to the SYN packet, the SYN-ACK packet typically does not carry any application data. Its role is purely for establishing and configuring the connection parameters.

SYN-ACK packet analyzed via Wireshark:

The ACK packet characteristics

Purpose: The client's ACK packet to the server's SYN-ACK is essential for completing the 3-way handshake. It confirms that both parties have received each other's initial sequence numbers and are ready to start the actual data transfer.

Once the ACK is sent and received, the TCP connection is considered established, and the client and server can begin the data transmission phase.

Acknowledgment Number: The ACK packet contains an acknowledgment number set to one more than the initial sequence number (ISN) sent by the server in its SYN-ACK packet. If the server's ISN was 31, the acknowledgment number would be 31+1=32. This acknowledges all bytes up to and including the server's SYN byte.

Sequence Number: It is usually the initial sequence number sent by the client in the SYN packet, incremented by one (to account for the SYN byte). It is the next sequence number the client expects to use in the data transfer phase.

TCP Header Information: The ACK flag is set to 1, indicating that this is an acknowledgment packet, and other flags, particularly the SYN flag, are set to 0, differentiating this packet from the initial SYN and SYN-ACK packets. The packet includes standard TCP header information like source and destination port numbers, window size (indicating how much data the client is willing to receive), and a checksum for error-checking.

No Data Payload (Typically): While the ACK packet typically does not carry any application data, it can start carrying application data from this point on, depending on the implementation.

ACK packet analyzed via Wireshark:

Window Size

The window size in a TCP 3-way handshake is a crucial element of TCP's flow control mechanism. It specifies the amount of data (in bytes) that a sender is allowed to transmit without receiving an acknowledgment for the previously sent data. Also, it ensures that the receiver is not overwhelmed by too much data at once.

Window Size in detail

  1. During the 3-way handshake, both the client and server inform each other of their respective window sizes. The client sends its initial window size in the SYN packet. The server responds with its own window size in the SYN-ACK packet.

  2. The sender can send multiple segments of data without waiting for an acknowledgment, but the total size of these unacknowledged segments cannot exceed the window size. Once the data within the window is acknowledged, the window slides forward, allowing the transmission of additional data.

  3. The window size is not static; it can change during a TCP session.

  4. TCP uses a mechanism like the Window Scaling (for large window sizes) algorithm to adjust the window size dynamically based on network conditions. With Window Scaling, the effective window size can be much larger.

  5. The sequence numbers in TCP track the bytes of data being transmitted, not the segments themselves. If a segment starts with sequence number 1 and carries 531 bytes of payload, the next segment's data would start with sequence number 532.

Acknowledgment Types

  1. Cumulative Acknowledgments: TCP uses cumulative acknowledgments by default. This means that an acknowledgment (ACK) packet sent by the server can acknowledge receipt of multiple segments at once. For example, if the client sends segments 1, 2, and 3, and all are received successfully by the server, the server might send an ACK for segment 3, which implicitly acknowledges the receipt of segments 1 and 2 as well.

    If some of the segments get lost on the way, the 6th segment in the example above, then the server understands that segments are inconsistent and sends ACK only for the 5th segment and discards the 7th segment. The client receives ACK only for the 5th segment, resends the 6th and 7th segments, and adds a new segment with new data.

  2. Selective Acknowledgments (SACK): TCP also supports Selective Acknowledgment (SACK), which allows the receiver to acknowledge non-contiguous blocks of data. This is useful in case of packet loss, where the receiver can inform the sender about all segments that were received successfully, leading to retransmission of only the missing segments. It is effective for large window sizes but requires additional header fields. For example, let's assume that the window size is 6 segments and the client sends 6 segments of data. However, the 3rd and 5th segments are lost. Server receives 4 segments only and sends ACKs for the segments 1, 2, 4, 6. Then, the client receives ACKs and resends segments 2920, 5840 and adds 4 extra segments with new data.


  1. How TCP really works

  2. Transmission Control Protocol (TCP)

  3. TCP sliding window

  4. RFC 793