Deciphering IP Packets:

TCP Handshake

By Golden_Eternity
June 16, 2001  


TCP Handshake 

When a TCP connection is established between a client and a web server, the two sides first need to negotiate the connection. This is done via a three-way handshake: an initial message from the client (SYN), a response from the server (SYN/ACK), and a final message from the client (ACK). The handshake establishes parameters such as which port numbers will be used and the initial sequence numbers each side will use to ensure ordered, reliable delivery of data.

SYN

The SYN message takes its name from the TCP flag, Synchronize. 

18:02:47.540000 10.0.0.2.1061 > 161.58.243.241.80: S [tcp sum ok] 2024485176:2024485176(0) win 5840 <mss 1460,sackOK,timestamp 62577060 0,nop,wscale 0> (DF) (ttl 64, id 59548, len 60)

0x0000  4500  003c  e89c  4000  4006  b2f1  0a00  0002  E..<..@.@.......
0x0010  a13a  f3f1  0425  0050  78ab  3138  0000  0000  .:...%.Px.18....
0x0020  a002  16d0  0652  0000  0204  05b4  0402  080a  .....R..........
0x0030  03ba  d9a4  0000  0000  0103  0300  ............

IP Layer -

45 - IP Version / Header Length (IPv4, 5)
00 003c - Length (60)
e89c - Fragment ID (59548)
40 - IP Flags (Do Not Fragment, Last Fragment)
00 - Fragment Offset (0)
40 - Time To Live (64)
06 - IP Protocol Type (06/TCP)
b2f1 - IP Checksum (45809)
0a00 0002 - Source IP Address (10.0.0.2)
a13a f3f1 - Destination IP Address (161.58.243.241)

TCP Layer -

0x0010      0425  0050  78ab  3138  0000  0000  .:...%.Px.18....
0x0020  a002  16d0  0652  0000  0204  05b4  0402  080a  .....R..........
0x0030  03ba  d9a4  0000  0000  0103  0300  ............

0425 - Source Port (1061)
0050 - Destination Port (80)

78ab 3138 - Sequence Number (2024485176)
0000 0000 - Acknowledgement Number (0)

a - Data Offset (Header Length 10, counted in 32-bit words, i.e. a 40-byte TCP header)
0 - Reserved 

02 - Control Bits, TCP Flags (SYN)

There are six control bits in the low byte of the offset/flags word. If a bit is set (1), the corresponding flag is on. From the highest bit to the lowest, they are:

Flag             Hex Value
Urgent           20
Acknowledgement  10
Push             08
Reset            04
Syn              02
Fin              01

16d0 - Window (5840)
0652 - Checksum (1618)
0000 - Urgent Pointer

TCP Options -

0204 - Options (Kind 2, Length 4 - Maximum Segment Size)

This option allows the sender to transmit the maximum segment size it can receive. This is only valid in the initial connection request (i.e., when SYN is set). Since this is set, the next two bytes will be the MSS.

05b4 - Maximum Segment Size (1460)

0402 - Options (Kind 4, Length 2 - Selective Acknowledgement Permitted) (See RFC 1072)
080a - Options (Kind 8, Length 10 - Timestamp) (See RFC 1323)
03ba d9a4 - Timestamp Value (62577060) (See RFC 1323)
0000 0000 - Timestamp Echo Reply (0; a SYN has no peer timestamp to echo yet)
01 - Options (Kind 1 - No Operation; a single byte with no length field) (See RFC 793)
0303 00 - Options (Kind 3, Length 3 - Window Scale, shift count 0) (See RFC 1072)

This matches the option summary tcpdump printed on the first line of the dump: <mss 1460,sackOK,timestamp 62577060 0,nop,wscale 0>.
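The same decode done in code, as an added example that is not part of the original article: a small Python parser that takes the SYN packet's hex dump above and returns the IP and TCP fields the text works out by hand, decodes the six control bits, and walks the options list kind by kind (the one-byte NOP has no length field, every other kind's length covers its own kind and length bytes). The function and field names are my own, and the hex constant is the article's dump.

```python
"""Decode a tcpdump hex dump of an IPv4/TCP segment, field by field.

Added example: this is not code from the original article. It parses the
article's SYN packet hex dump and returns the same fields the text decodes
by hand, including the six control bits and each TCP option by kind.
"""
import struct

# Hex bytes of the SYN packet as printed by tcpdump in the article (60 bytes).
SYN_HEX = (
    "4500 003c e89c 4000 4006 b2f1 0a00 0002 "
    "a13a f3f1 0425 0050 78ab 3138 0000 0000 "
    "a002 16d0 0652 0000 0204 05b4 0402 080a "
    "03ba d9a4 0000 0000 0103 0300"
)

# The six control bits, high to low, in the low byte of the offset/flags word.
TCP_FLAGS = (("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08),
             ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))


def parse_ipv4(pkt: bytes) -> dict:
    """Fixed 20-byte part of the IPv4 header (IP options are not handled here)."""
    ver_ihl, _tos, length, ident, frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", pkt[:12])
    return {
        "version": ver_ihl >> 4,
        "header_len": (ver_ihl & 0x0F) * 4,    # IHL counts 32-bit words
        "total_len": length,
        "id": ident,
        "df": bool(frag & 0x4000),             # Don't Fragment
        "mf": bool(frag & 0x2000),             # More Fragments
        "frag_offset": frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,
        "checksum": csum,
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
    }


def parse_tcp_options(opts: bytes) -> list:
    """Walk the options list. Kind 0 (EOL) and kind 1 (NOP) are one byte with no
    length field; every other kind is followed by a length that covers the kind
    and length bytes themselves."""
    decoded, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            decoded.append(("EOL", None))
            break
        if kind == 1:
            decoded.append(("NOP", None))
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            # A length under 2 would never advance the cursor; treat it as malformed
            # instead of looping forever on attacker-controlled input.
            raise ValueError("malformed TCP option at offset %d" % i)
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 2:
            decoded.append(("MSS", struct.unpack("!H", body)[0]))
        elif kind == 3:
            decoded.append(("WSCALE", body[0]))
        elif kind == 4:
            decoded.append(("SACK_PERMITTED", None))
        elif kind == 8:
            decoded.append(("TIMESTAMP", struct.unpack("!II", body)))  # (TSval, TSecr)
        else:
            decoded.append(("KIND_%d" % kind, body.hex()))
        i += length
    return decoded


def parse_tcp(seg: bytes) -> dict:
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    header_len = (off_flags >> 12) * 4         # data offset in 32-bit words
    flag_bits = off_flags & 0x3F               # the six control bits
    return {
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "ack": ack,
        "header_len": header_len,
        "flags": [name for name, mask in TCP_FLAGS if flag_bits & mask],
        "window": win,
        "checksum": csum,
        "urgent": urg,
        "options": parse_tcp_options(seg[20:header_len]),
    }


def decode_packet(hexdump: str) -> dict:
    pkt = bytes.fromhex(hexdump.replace(" ", ""))
    ip = parse_ipv4(pkt)
    # Slice by the IP total length, not the buffer length: a captured frame may
    # carry link-layer padding after the datagram that is not part of the segment.
    tcp = parse_tcp(pkt[ip["header_len"]:ip["total_len"]])
    return {"ip": ip, "tcp": tcp}


if __name__ == "__main__":
    for layer, fields in decode_packet(SYN_HEX).items():
        print(layer, fields)
```

The options walker is where hand-written packet parsers most often go wrong: NOP and EOL must be treated as single bytes, and a length of 0 or 1 must be rejected rather than used to advance the cursor.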

 

SYN/ACK

As the second part of the three-way handshake, the server responds to the client. The message the server sends contains an acknowledgement of the original message's arrival and the server's own initial sequence number.

18:02:47.630000 161.58.243.241.80 > 10.0.0.2.1061: S [tcp sum ok] 1426552139:1426552139(0) ack 2024485177 win 17520 <mss 1460> (DF) (ttl 42, id 35144, len 44) 

0x0000  4500  002c  8948  4000  2a06  2856  a13a  f3f1  E..,.H@.*.(V.:..
0x0010  0a00  0002  0050  0425  5507  754b  78ab  3139  .....P.%U.uKx.19
0x0020  6012  4470  3bcc  0000  0204  05b4  `.Dp;....... 

IP Layer -

45 - IP Version / Header Length (IPv4, 5)
00 002c - Length (44)
8948 - Fragment ID (35144)
40 - IP Flags (Do Not Fragment, Last Fragment)
00 - Fragment Offset (0)
2a - Time To Live (42)
06 - IP Protocol Type (06/TCP)
2856 - IP Checksum (10326)
a13a f3f1 - Source IP Address (161.58.243.241)
0a00 0002 - Destination IP Address (10.0.0.2)

TCP Layer -

0050 - Source Port (80)
0425 - Destination Port (1061)

5507 754b - Sequence Number (1426552139)
78ab 3139 - Acknowledgement Number (2024485177) 

Note that the Acknowledgement Number is 1 greater than the Sequence Number of the SYN packet (2024485176). The server is acknowledging the arrival of the SYN by stating the next sequence number it expects from the client (...5177); a SYN consumes one sequence number even though it carries no data.

6 - Data Offset (Header Length 6, i.e. a 24-byte TCP header)
0 - Reserved 

12 - Control Bits, TCP Flags (SYN, ACK)
4470 - Window (17520)
3bcc - Checksum (15308)
0000 - Urgent Pointer

TCP Options -

0204 - Options (Kind 2, Length 4 - Maximum Segment Size)

As in the SYN, this option announces the maximum segment size the sender can receive, and it is only valid while SYN is set. Since SYN is set here too, the next two bytes are the MSS.

05b4 - Maximum Segment Size (1460)

 

ACK

Finally, the client acknowledges the server's sequence number. This marks the end of the three-way handshake. The TCP connection is now open, and data can be transmitted by the respective applications.

18:02:47.630000 10.0.0.2.1061 > 161.58.243.241.80: . [tcp sum ok] 2024485177:2024485177(0) ack 1426552140 win 5840 (DF) (ttl 64, id 59549, len 40) 

0x0000  4500  0028  e89d  4000  4006  b304  0a00  0002  E..(..@.@.......
0x0010  a13a  f3f1  0425  0050  78ab  3139  5507  754c  .:...%.Px.19U.uL
0x0020  5010  16d0  8129  0000  0000  0000  0000  P....).......

IP Layer -

45 - IP Version / Header Length (IPv4, 5)
00 0028 - Length (40)
e89d - Fragment ID (59549)
40 - IP Flags (Do Not Fragment, Last Fragment)
00 - Fragment Offset (0)
40 - Time To Live (64)
06 - IP Protocol Type (06/TCP)
b304 - IP Checksum (45828)
0a00 0002 - Source IP Address (10.0.0.2)
a13a f3f1 - Destination IP Address (161.58.243.241)

TCP Layer -

0425 - Source Port (1061)
0050 - Destination Port (80)

78ab 3139 - Sequence Number (2024485177)
5507 754c - Acknowledgement Number (1426552140) 

Note that the Sequence Number is the same number that was acknowledged in the SYN/ACK packet: that acknowledgement stated the server was ready to receive the segment carrying this Sequence Number.

Likewise, the Acknowledgement Number in this message is 1 greater than the Sequence Number of the SYN/ACK packet (1426552139). The client is acknowledging the arrival of the SYN/ACK by stating the next sequence number it expects from the server.

5 - Data Offset (Header Length 5, i.e. a 20-byte TCP header with no options)
0 - Reserved 

10 - Control Bits, TCP Flags (ACK)
16d0 - Window (5840)
8129 - Checksum (33065)
0000 - Urgent Pointer

TCP Options -

0000 0000 0000 - Trailing bytes, not TCP options. The Data Offset is 5 (a 20-byte header) and the IP Length is 40, so the datagram ends with the Urgent Pointer above; these six zero bytes lie outside it and are link-layer padding that brings the Ethernet frame up to its minimum size.
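Two checks a capture-analysis tool would run over the three packets above, as an added example that is not part of the original article: recomputing each packet's IP header checksum and TCP checksum (the TCP checksum is taken over the pseudo-header of source address, destination address, protocol and TCP length, followed by the segment), and confirming the sequence/acknowledgement chaining the text describes (the SYN/ACK acknowledges the client's ISN+1, and the ACK both continues at that number and acknowledges the server's ISN+1). The hex dumps are the article's; the function names are my own. Note that the ACK dump's trailing padding must be excluded by slicing on the IP total length, or the TCP length in the pseudo-header comes out wrong.

```python
"""Verify the IP and TCP checksums of the three handshake packets and check
that their sequence/acknowledgement numbers chain together.

Added example, not code from the original article. The three hex dumps are
the article's own; the checks are what a capture-analysis tool would run.
"""
import struct

# The three handshake packets exactly as tcpdump printed them in the article.
SYN_HEX = ("4500 003c e89c 4000 4006 b2f1 0a00 0002 a13a f3f1 0425 0050 78ab 3138 "
           "0000 0000 a002 16d0 0652 0000 0204 05b4 0402 080a 03ba d9a4 0000 0000 "
           "0103 0300")
SYNACK_HEX = ("4500 002c 8948 4000 2a06 2856 a13a f3f1 0a00 0002 0050 0425 5507 754b "
              "78ab 3139 6012 4470 3bcc 0000 0204 05b4")
# The ACK dump carries 6 trailing bytes beyond the IP total length of 40:
# link-layer padding that must be excluded from the TCP checksum.
ACK_HEX = ("4500 0028 e89d 4000 4006 b304 0a00 0002 a13a f3f1 0425 0050 78ab 3139 "
           "5507 754c 5010 16d0 8129 0000 0000 0000 0000")

SYN, ACK = 0x02, 0x10


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                             # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def split_ip_tcp(pkt: bytes):
    """Return (ip_header, tcp_segment) using the IHL and the IP total length."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return pkt[:ihl], pkt[ihl:total_len]


def ip_checksum_ok(pkt: bytes) -> bool:
    # Summing the header with its stored checksum in place yields 0 when valid.
    ip_hdr, _ = split_ip_tcp(pkt)
    return internet_checksum(ip_hdr) == 0


def tcp_checksum_ok(pkt: bytes) -> bool:
    ip_hdr, seg = split_ip_tcp(pkt)
    # Pseudo-header: source, destination, zero byte, protocol, TCP length (header + data).
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, ip_hdr[9], len(seg))
    return internet_checksum(pseudo + seg) == 0


def tcp_fields(pkt: bytes):
    """(seq, ack, flags) from the TCP header."""
    _, seg = split_ip_tcp(pkt)
    seq, ack, off_flags = struct.unpack("!IIH", seg[4:14])
    return seq, ack, off_flags & 0x3F


def validate_handshake(syn_hex: str, synack_hex: str, ack_hex: str) -> dict:
    pkts = [bytes.fromhex(h.replace(" ", "")) for h in (syn_hex, synack_hex, ack_hex)]
    (s_seq, _, s_flags), (sa_seq, sa_ack, sa_flags), (a_seq, a_ack, a_flags) = map(tcp_fields, pkts)
    mod = 1 << 32                                  # sequence space wraps at 2^32
    return {
        "ip_checksums_ok": all(ip_checksum_ok(p) for p in pkts),
        "tcp_checksums_ok": all(tcp_checksum_ok(p) for p in pkts),
        "syn_flags": s_flags == SYN,
        "synack_flags": sa_flags == SYN | ACK,
        "synack_acks_syn": sa_ack == (s_seq + 1) % mod,   # client ISN + 1
        "ack_flags": a_flags == ACK,
        "ack_seq_continues": a_seq == sa_ack,              # client resumes where server expects
        "ack_acks_synack": a_ack == (sa_seq + 1) % mod,    # server ISN + 1
    }


if __name__ == "__main__":
    for check, ok in validate_handshake(SYN_HEX, SYNACK_HEX, ACK_HEX).items():
        print("%-20s %s" % (check, "ok" if ok else "FAIL"))
```

All eight checks pass on the article's capture, which is what makes the three dumps a trustworthy reference: a single flipped bit in any header breaks the corresponding checksum, and a mismatched acknowledgement number would show up as a failed chaining check rather than a stray value in a hex column.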

End TCP Handshake