The TCP three-way handshake (or TCP handshake) is the method used to establish a connection between two communicating devices (e.g. two computers) over an Internet Protocol (IP) based network. In this handshaking method, three types of messages are exchanged: SYN, SYN/ACK and ACK. The communicating devices use these messages to negotiate and establish a TCP session. While the handshake takes place, the devices also exchange the information needed to set up the TCP socket connection. Once the connection has been established, data transmission follows; the data can be, for example, HTTP, HTTPS, FTP, Telnet and so forth.
Let's assume that we have two devices, Computer A and Server B. Computer A runs an Internet browser application. Server B is a web server that responds to HTTP requests. For these two devices to communicate, a TCP session must be established between them before the HTTP request is sent.
- Computer A first sends a SYN packet over the IP network to Server B to connect to the TCP socket on port 80 of Server B. Server B must have the port open to receive the connection. In this case, we assume that port 80 (the default port for HTTP) is open and listening for connections.
- When the SYN packet from Computer A is received on port 80 (Server B), Server B responds with the SYN/ACK packet.
- Computer A receives the SYN/ACK packet and responds again with an ACK packet.
A session has now been established, and Computer A and Server B can communicate and transmit HTTP requests and data.
During communication, the devices use the SYN and ACK messages together with the Seq (sequence) numbers so that the data packets are transmitted in order and reassembled correctly.
When the communication ends (e.g. Computer A closes the browser), a 3-way handshake is also performed to tear down the TCP socket connection. The process goes like this:
- Computer A sends a FIN/ACK packet.
- Server B responds with an ACK packet and then sends a second packet, with the FIN/ACK flags set, to Computer A.
- Computer A receives the FIN/ACK packet and responds with an ACK packet.
The communication has now ended on both sides.
An article on how scans for open ports can be performed using these TCP flags/messages will be published soon.