Detailed explanation of the "three-way handshake" and "four-way wave" of TCP connection

1. TCP connection

In the process of sending and returning data between the client and the server, something called a TCP connection needs to be created;

Since TCP does not have the concept of connection, there are only requests and responses. Both requests and responses are data packets. They are connected through a connection-like channel created by TCP, which is initiated by the client and received by the server. This connection can be maintained all the time, and the http request is sent based on this connection.

Multiple http requests can be sent on one TCP connection, and the mode is different for different versions.

In HTTP/1.0, the TCP connection is created synchronously when the http request is created. The http request is sent to the server, and after the server responds, the TCP connection is closed.

HTTP/1.1 can declare that the connection is always maintained in some way, and after one request is transmitted, another request can be transmitted. The advantage of this is that the process of creating a TCP connection requires the consumption of a "three-way handshake", which means three network transmissions.

If the TCP connection is maintained, the second request will not incur the "three-way handshake" overhead. In HTTP/2, HTTP requests can be transmitted concurrently in the same TCP connection.

2. Introduction to TCP message format

The more important fields are:

(1) Sequence number: Sequence number, occupies 32 bits, is used to identify the byte stream sent from the TCP source to the destination. The initiator marks this when sending data.

(2) Acknowledgement number: Ack sequence number, occupies 32 bits. The acknowledgment sequence number field is valid only when the ACK flag is 1, Ack=Seq+1.

(3) Flags: There are 6 flags in total, namely URG, ACK, PSH, RST, SYN, FIN, etc. The specific meanings are as follows:

• URG: The urgent pointer is valid.
• ACK: Confirm that the sequence number is valid.
• PSH: The receiver should hand over this message to the application layer as soon as possible.
• RST: Reset the connection.
• SYN: Initiate a new connection.
• FIN: Release a connection.

It should be noted that:

• Do not confuse the confirmation number Ack with the ACK in the flag bit.
• The confirmer's Ack = the initiator's Seq + 1, and the two ends are paired.

3. TCP's Three-Way Handshake 1. Detailed explanation of the "Three-Way Handshake"

The so-called three-way handshake is the establishment of a TCP connection. This connection must be actively opened by one party and passively opened by the other party.

The following is an illustration of a client actively initiating a connection:

The client that actively opened the connection before the handshake ends the CLOSED phase, and the server that passively opened the connection also ends the CLOSED phase and enters the LISTEN phase. Then the "three-way handshake" begins:

(1) First, the client sends a TCP message to the server, where:

• The flag bit is SYN, which means "request to establish a new connection";
• The sequence number is Seq=X (X is usually 1);
• The client then enters the SYN-SENT phase.

(2) After the server receives the TCP message from the client, it ends the LISTEN phase and returns a TCP message, which includes:

• The flags are SYN and ACK, which means "confirm that the client's message Seq number is valid, the server can normally receive the data sent by the client, and agrees to create a new connection" (that is, tell the client that the server has received your data);
• The sequence number is Seq=y;
• The confirmation number is Ack=x+1, which means that the client's sequence number Seq is received and its value is increased by 1 as the value of its own confirmation number Ack; then the server enters the SYN-RCVD phase.

(3) After the client receives the TCP message from the server confirming the receipt of the data, it is clear that the data transmission from the client to the server is normal, and the SYN-SENT phase ends. The last TCP message is returned. Among them:

• The flag bit is ACK, which means "confirmation of receiving the signal from the server agreeing to connect" (that is, telling the server, I know you have received the data I sent);
• The sequence number is Seq=x+1, which means that the confirmation number Ack from the server is received and its value is used as its own sequence number value;
• The confirmation number is Ack=y+1, which means that the server-side sequence number Seq is received and its value is added by 1 as the value of its own confirmation number Ack;
• The client then enters the ESTABLISHED phase.
• After the server receives the TCP message "Confirmation of receipt of server data" from the client, it is clear that the data transmission from the server to the client is normal. The SYN-SENT phase ends and enters the ESTABLISHED phase.
• In the TCP messages transmitted between the client and the server, the values ​​of the confirmation number Ack and the sequence number Seq of both parties are calculated based on each other's Ack and Seq values, which ensures the continuity of TCP message transmission. Once a TCP message sent by one party is lost, the "handshake" cannot continue, thus ensuring the smooth completion of the "three-way handshake".
• After that, the client and server carry out normal data transmission.

This is the "three-way handshake" process.

2. The dynamic process of the "three-way handshake"

3. Popular understanding of the “three-way handshake”

For example, compare the client to a boy and the server to a girl. Use their interaction to illustrate the "three-way handshake" process:

(1) The boy liked the girl, so he wrote a letter to her, telling her: I love you, please go out with me! After writing the letter, the boy waited anxiously because he didn’t know whether the letter could be successfully delivered to the girl.

(2) After receiving the boy's love letter, the girl was overjoyed. It turned out that they were in love with each other! So she wrote a letter to the boy: I received your love letter and I understand your feelings. In fact, I like you too! I am willing to date you!;

After writing the letter, the girl waited anxiously because she didn't know whether the reply could be successfully conveyed to the boy.

(3) The boy was very happy after receiving the reply, because the girl had received the love letter he had sent, and from the reply he knew that the girl liked him and was willing to date him. Then the boy wrote another letter to the girl, saying: I have received your thoughts and letter, thank you, and I love you!

After the girl received the boy's reply, she was also very happy because the boy received the love letter she sent. Thus, both the boy and the girl knew each other's feelings, and then they communicated happily~~

This is the popular version of the "three-way handshake", during which a total of three letters are exchanged, which is the "three-way handshake" to confirm whether the data transmission channels in both directions are normal.

4. Why do we need a third handshake?

This is to prevent the server from opening some useless connections to increase server overhead and to prevent invalid connection request segments from being suddenly transmitted to the server, thus causing errors.

Since network transmission has delays (it has to pass through network optical fibers and various intermediate proxy servers), during the transmission process, for example, the client initiates a SYN=1 request to create a connection (the first handshake).

If the server directly creates this connection and returns a data packet containing SYN, ACK, and Seq to the client, this data packet is lost due to network transmission reasons. After the loss, the client has not received the data packet returned by the server.

The client may set a timeout, and close the connection creation request when the time expires. If the client re-issues the connection creation request, the server will not know about it. If there is no third handshake to tell the server that the client can receive the data transmitted by the server,

The server does not know whether the client has received the information returned by the server.

This process can be understood as:

In this way, there is no request to create or close the connection port on the server side, and the server side port is always open. When the client reissues a request due to timeout, the server will reopen a port connection. Then the previous port on the server side that did not receive the request data will be always open. In the long run, there will be too many such ports, which will cause serious waste of server-side overhead.

Another situation is that the request information sent by an invalid client is transmitted to the server for some reason. The server thinks it is a valid request sent by the client and an error occurs after receiving it.

Therefore, we need the "third handshake" to confirm this process, so that the client and server can promptly detect the failure of connection creation due to network problems, so that the server port can be closed without waiting.

It can also be understood in this way: the "third handshake" is the client sending data to the server. This data is to tell the server whether the client has received the data sent by the server during the "second handshake". If the data sent is "received" information, the server will establish a TCP connection normally after receiving it. Otherwise, the TCP connection fails to be established and the server closes the connection port. This reduces server overhead and errors caused by receiving invalid requests.

5. Packet capture verification

The following are some data packets captured by the packet capture tool, which can be used to analyze the TCP three-way handshake:

The figure shows the "three-way handshake" process of a complete TCP connection. In 52528 -> 80, 52528 is the local (client) port and 80 is the server port. The three round trips between port 80 and port 52528 are the "three-way handshake" process.

• Note that the TCP message sent by the client in the "first handshake" uses [SYN] as the flag bit, and the client sequence number Seq=0;
• Next, in the "second handshake", the TCP message returned by the server uses [SYN, ACK] as the flag bit; and the server sequence number Seq = 0; the confirmation number Ack = 1 (the value of the client sequence number Seq in the "first handshake" + 1);
• Finally, in the "third handshake", the client sends a TCP message to the server with [ACK] as the flag bit; the client sequence number Seq = 1 (the value of the server confirmation number Ack in the "second handshake"); the confirmation number Ack = 1 (the value of the server sequence number Seq in the "second handshake" + 1).

This completes the "three-way handshake" process, which is consistent with the results of the previous analysis.

4. TCP's Four-Way Wavehand

1. Introduction

We are all familiar with the "three-way handshake" because it is relatively simple, but we don't often hear about the "four-way handshake", and even if we have heard of it, we may not be able to explain its specific process in detail.

Below we will give you a detailed, intuitive and complete introduction to the "four waves" process.

2. Detailed explanation of “Four Waves”

The so-called four waves are the release (release) of the TCP connection. The release of the connection must be actively released by one party and passively released by the other party. The following is an illustration of the client actively initiating the release of the connection:

The client that actively releases the connection before waving ends the ESTABLISHED phase. Then the "four wavings" begin:

(1) First, the client wants to release the connection and sends a TCP message to the server, where:

• The flag bit is FIN, which means "request to release the connection";
• The sequence number is Seq=U;
• The client then enters the FIN-WAIT-1 phase, which is the half-close phase, and stops sending data from the client to the server, but the client can still receive data transmitted from the server.

Note: What is not sent here is the data transmitted during the normal connection (non-confirmation message), not all data, so the client can still send an ACK confirmation message.

(2) After receiving the TCP message from the client, the server confirms that the client wants to release the connection. Then the server ends the ESTABLISHED phase, enters the CLOSE-WAIT phase (semi-closed state) and returns a TCP message, in which:

• The mark bit is ACK, which means "receive the request to release the connection sent by the client";
• The sequence number is Seq=V;
• The confirmation number is Ack=U+1, which means that based on the received client message, the sequence number Seq value is increased by 1 as the value of the confirmation number Ack of this message;
• The server then begins to prepare to release the connection from the server to the client.

After the client receives the TCP message sent from the server, it confirms that the server has received the release connection request sent by the client. Then the client ends the FIN-WAIT-1 phase and enters the FIN-WAIT-2 phase.

The first two "waves" let the server know that the client wants to release the connection, and also let the client know that the server understands its request to release the connection. Therefore, it can be confirmed that the connection from the client to the server is closed.

(3) After the server sends the ACK message, it goes through the CLOSED-WAIT phase and is ready to release the connection from the server to the client. It sends another TCP message to the client, in which:

• The flag bit is FIN, ACK, which means "ready to release the connection." Note: The ACK here is not a confirmation message to confirm receipt of the server message.
• The sequence number is Seq=W;
• The confirmation number is Ack=U+1, which means that based on the message received from the client, the sequence number Seq value is increased by 1 as the value of the confirmation number Ack of this message.

The server then ends the CLOSE-WAIT phase and enters the LAST-ACK phase, and stops sending data from the server to the client, but the server can still receive data transmitted from the client.

(4) The client receives the TCP message sent from the server, confirming that the server is ready to release the connection, ends the FIN-WAIT-2 phase, enters the TIME-WAIT phase, and sends a message to the server, including:

• The flag bit is ACK, which means "received a signal from the server that it is ready to release the connection."
• The sequence number is Seq=U+1, which means that based on the message received from the server, the confirmation number Ack value is used as the sequence number value of this segment of the message.
• The confirmation number is Ack=W+1, which means that based on the message received from the server, its sequence number Seq value is used as the confirmation number of this message.
• The client then starts waiting for 2MSL in the TIME-WAIT phase

Why does the client have to wait for 2MSL? See below.

After the server receives the TCP message sent from the client, it ends the LAST-ACK phase and enters the CLOSED phase, thus formally confirming the closure of the connection from the server to the client.

After the client waits for 2MSL, the TIME-WAIT phase ends and enters the CLOSED phase, thus completing the "four waves".

The last two waves let the client know that the server is ready to release the connection, and the server also knows that the client knows that it is ready to release the connection. Therefore, it can be confirmed that the connection from the server to the client is closed, thus completing the "four waves".

Like the "three waves", in the TCP messages transmitted between the client and the server, the values ​​of the confirmation number Ack and sequence number Seq of both parties are calculated based on each other's Ack and Seq values. This ensures the continuity of TCP message transmission. Once the TCP message sent by one party is lost, it will not be able to continue "waving", thus ensuring the smooth completion of the "four waves".

3. Popular understanding of “four waves”

For example, compare the client to a boy and the server to a girl, and use their breakup to illustrate the "four waves" process.

• "The First Wave": As time goes by, the boy finds that the girl has become the person he hates. He can no longer tolerate it, so he decides to break up and writes a letter to tell the girl.
• "The second wave": After receiving the letter, the girl knew that the boy wanted to break up with her. She was furious and cursed in her heart: Who do you think you are? You were not like this at the beginning! So she immediately wrote a letter to the boy: Break up, break up, give me some time, I will pack up your things and return them all to you! After receiving the girl's first letter, the boy realized that the girl knew that she wanted to break up with him. Then he waited for the girl to pack up her things.
• "The third wave": A few days later, the girl packed up the things the boy had given her, and wrote to the boy again: I have packed up your things, take them away quickly, and from now on, we are done with each other!
• "The fourth wave": After the boy received the second letter from the girl, he knew that the girl had packed her things and they could officially break up, so he wrote to the girl again and told her: I know, I will get it back right away!

Both sides have their own insistence here.

• From the second letter the girl sent, if she didn't receive a reply from the boy within one day, she would send another letter to urge the boy to come and pick up the things!
• From the time the boy sent the second letter, if he did not receive another letter from the girl within two days, he would think that the girl had received his second letter; if he received another letter from the girl within two days, he would think that the girl had not received his second letter, so he needed to write another letter and wait another two days...

If both parties can receive the letters normally, it only takes at least four letters to completely break up! This is called "four waves".

4. Why does a “handshake” take three times, but a “wave” takes four times?

The reason why TCP only needs a "three-way handshake" to establish a connection is that in the second "handshake" process, the TCP message sent by the server to the client uses SYN and ACK as flags. SYN is the connection request flag, indicating that the server agrees to establish a connection; ACK is an acknowledgment message, indicating that the server has received its request message.

That is, the SYN message establishing the connection and the ACK message confirming the receipt are transmitted in the same "handshake", so the "three-way handshake" is neither too many nor too few, just enough for both parties to clearly communicate each other's information.

The reason why TCP needs to "wave hands four times" when releasing a connection is that the FIN connection release message and the ACK confirmation message are transmitted by the second and third "handshakes" respectively. Why are they transmitted together when establishing a connection, but transmitted separately when releasing a connection?

• When establishing a connection, the passive server ends the CLOSED phase and enters the "handshake" phase without any preparation. It can directly return SYN and ACK messages to start establishing the connection.
• When releasing the connection, the passive server cannot release the connection immediately when it suddenly receives a request from the active client to release the connection, because there is still necessary data to be processed. Therefore, the server first returns an ACK to confirm receipt of the message. After the CLOSE-WAIT phase is completed and it is ready to release the connection, it can return a FIN message to release the connection.

So it's "three handshakes" and "four waves".

5. Why does the client have to wait for 2MSL in the TIME-WAIT phase?

In order to confirm whether the server has received the ACK confirmation message sent by the client

When the client sends the last ACK message, it cannot be sure that the server can receive the message. Therefore, after sending the ACK message, the client will set a timer of 2MSL. MSL refers to Maximum Segment Lifetime: the maximum life cycle of a TCP message during transmission. 2MSL is the maximum length of time that the FIN message sent by the server and the ACK message sent by the client can remain valid.

If the server does not receive the ACK message from the client within 1MSL, it will send a FIN message to the client again.

• If the client receives a FIN message from the server again within 2MSL, it means that the server did not receive the ACK message sent by the client for various reasons. The client sends an ACK message to the server again, the timer is reset, and the 2MSL timing starts again;
• Otherwise, if the client does not receive the FIN message from the server again within 2MSL, it means that the server has received the ACK confirmation message normally, and the client can enter the CLOSED stage and complete the "four waves".

Therefore, the client has to go through the TIME-WAIT phase of 2SML; this is why the client enters the CLOSED phase later than the server.

6. Packet capture verification

The figure shows the "four-wave" process of releasing a complete TCP connection. In 80 -> 55389, assuming that 80 is the local (client) port and 55389 is the server port. The four round trips between port 80 and 55389 are the "four-wave" process.

• The FIN message sent by the client for the first wave to release the connection uses [FIN, ACK] as the flag bit, where the message sequence number Seq=2445; the confirmation number Ack=558;

Note: The ACK in the "third handshake" here does not mean the ACK message indicating confirmation.

• The ACK confirmation message returned by the server at the "second wave" uses [ACK] as the flag bit; the message sequence number Seq=558; the confirmation number Ack=2246;
• The server continues to return the FIN message that agrees to release the connection with [FIN, ACK] as the flag bit; the message sequence number Seq=558; the confirmation number Ack=2246;
• The ACK message sent by the client in the fourth wave uses [ACK] as the flag bit; the message sequence number Seq=2446; the confirmation number Ack=559;

The Seq value in the next "wave" transmission message is equal to the Ack value in the previous "handshake" transmission message;

The acknowledgment number Ack value in the next "wave" transmission message is equal to the sequence number Seq value in the previous "handshake" transmission message;

Therefore, this is a continuous "four-wave" process, which is consistent with the previous analysis.