Explanation of the Three-Way Handshake via TCP/IP

This article was previously published under Q172983
SUMMARY
This article is intended for audiences who are familiar with Transmission Control Protocol/Internet Protocol (TCP/IP) and discusses the process of the TCP three-way handshake that occurs between a client and server when initiating or terminating a TCP connection.

For additional information on TCP/IP, please see the following white paper available on the Microsoft anonymous ftp server:
File Name: Tcpipimp2.doc
Location : ftp://ftp.microsoft.com/bussys/winnt/winnt-docs/papers/ "Microsoft Windows NT 3.5/3.51/4.0: TCP/IP Implementation Details TCP/IP Protocol Stack and Services, Version 2.0"
MORE INFORMATION
The Transmission Control Protocol (TCP) level of the TCP/IP transport protocol is connection-oriented. Connection-oriented means that, before any data can be transmitted, a reliable connection must be obtained and acknowledged. TCP level data transmissions, connection establishment, and connection termination maintain specific control parameters that govern the entire process. The control bits are listed as follows:
URG: Urgent Pointer field significant
ACK: Acknowledgement field significant
PSH: Push Function
RST: Reset the connection
SYN: Synchronize sequence numbers
FIN: No more data from sender
There are two scenarios where a three-way handshake will take place:
  • Establishing a connection (an active open)
  • Terminating a connection (an active close)
The following sample information was obtained from a Network Monitor capture. Network Monitor is a protocol analyzer that can be obtained from Microsoft Systems Management Server.

Establishing a Connection

The following sequence shows the process of a TCP connection being established:

Frame 1:

As you see in the first frame, the client, NTW3, sends a SYN segment (TCP ....S.). This is a request to the server to synchronize the sequence numbers. It specifies its initial sequence number (ISN), which is incremented by 1, 8221821+1=8221822, and that is sent to the server. To initialize a connection, the client and server must synchronize each other's sequence numbers. There is also an option for the Maximum Segment Size (MSS) to be set, which is defined by the length (len: 4). This option communicates the maximum segment size the sender wants to receive. The Acknowledgement field (ack: 0) is set to zero because this is the first part of the three-way handshake.

1    2.0785 NTW3 --> BDC3 TCP ....S., len: 4, seq: 8221822-8221825, ack: 0,
win: 8192, src: 1037  dst:  139 (NBT Session)  NTW3 -->  BDC3 IP
TCP: ....S., len: 4, seq: 8221822-8221825, ack: 0, win: 8192, src: 1037
dst:  139 (NBT Session)
   TCP: Source Port = 0x040D
   TCP: Destination Port = NETBIOS Session Service
   TCP: Sequence Number = 8221822 (0x7D747E)
   TCP: Acknowledgement Number = 0 (0x0)
   TCP: Data Offset = 24 (0x18)
   TCP: Reserved = 0 (0x0000)
   TCP: Flags = 0x02 : ....S.
      TCP: ..0..... = No urgent data
      TCP: ...0.... = Acknowledgement field not significant
      TCP: ....0... = No Push function
      TCP: .....0.. = No Reset
      TCP: ......1. = Synchronize sequence numbers
      TCP: .......0 = No Fin
   TCP: Window = 8192 (0x2000)
   TCP: Checksum = 0xF213
   TCP: Urgent Pointer = 0 (0x0)
   TCP: Options
         TCP: Option Kind (Maximum Segment Size) = 2 (0x2)
         TCP: Option Length = 4 (0x4)
         TCP: Option Value = 1460 (0x5B4)
   TCP: Frame Padding
00000:  02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00   .`.....`.;....E.
00010:  00 2C 0D 01 40 00 80 06 E1 4B 83 6B 02 D6 83 6B   .,..@....K.k...k
00020:  02 D3 04 0D 00 8B 00 7D 74 7E 00 00 00 00 60 02   .......}t~....`.
00030:  20 00 F2 13 00 00 02 04 05 B4 20 20                .........

Frame 2:

In the second frame, the server, BDC3, sends an ACK and a SYN on this segment (TCP .A..S.). In this segment the server is acknowledging the request of the client for synchronization. At the same time, the server is also sending its request to the client for synchronization of its sequence numbers. There is one major difference in this segment. The server transmits an acknowledgement number (8221823) to the client. The acknowledgement is just proof to the client that the ACK is specific to the SYN the client initiated. The process of acknowledging the client's request allows the server to increment the client's sequence number by one and uses it as its acknowledgement number.

2   2.0786 BDC3 --> NTW3  TCP .A..S., len: 4, seq: 1109645-1109648, ack:
8221823, win: 8760, src: 139 (NBT Session)  dst: 1037 BDC3 --> NTW3  IP
TCP: .A..S., len:    4, seq:   1109645-1109648, ack:   8221823, win: 8760,
src:  139 (NBT Session)  dst: 1037
   TCP: Source Port = NETBIOS Session Service
   TCP: Destination Port = 0x040D
   TCP: Sequence Number = 1109645 (0x10EE8D)
   TCP: Acknowledgement Number = 8221823 (0x7D747F)
   TCP: Data Offset = 24 (0x18)
   TCP: Reserved = 0 (0x0000)
   TCP: Flags = 0x12 : .A..S.
      TCP: ..0..... = No urgent data
      TCP: ...1.... = Acknowledgement field significant
      TCP: ....0... = No Push function
      TCP: .....0.. = No Reset
      TCP: ......1. = Synchronize sequence numbers
      TCP: .......0 = No Fin
   TCP: Window = 8760 (0x2238)
   TCP: Checksum = 0x012D
   TCP: Urgent Pointer = 0 (0x0)
   TCP: Options
         TCP: Option Kind (Maximum Segment Size) = 2 (0x2)
         TCP: Option Length = 4 (0x4)
         TCP: Option Value = 1460 (0x5B4)
   TCP: Frame Padding
00000:  02 60 8C 3B 85 C1 02 60 8C 9E 18 8B 08 00 45 00   .`.;...`......E.
00010:  00 2C 5B 00 40 00 80 06 93 4C 83 6B 02 D3 83 6B   .,[.@....L.k...k
00020:  02 D6 00 8B 04 0D 00 10 EE 8D 00 7D 74 7F 60 12   ...........}t`.
00030:  22 38 01 2D 00 00 02 04 05 B4 20 20               "8.-......

Frame 3:

In the third frame, the client sends an ACK on this segment (TCP .A....). In this segment, the client is acknowledging the request from the server for synchronization. The client uses the same algorithm the server implemented in providing an acknowledgement number. The client's acknowledgment of the server's request for synchronization completes the process of establishing a reliable connection, thus the three-way handshake.

3   2.787 NTW3 --> BDC3  TCP .A...., len: 0, seq: 8221823-8221823, ack:
1109646, win: 8760, src: 1037  dst:  139 (NBT Session)  NTW3 --> BDC3  IP
TCP: .A...., len:    0, seq:   8221823-8221823, ack:   1109646, win: 8760,
src: 1037  dst:  139 (NBT Session)
   TCP: Source Port = 0x040D
   TCP: Destination Port = NETBIOS Session Service
   TCP: Sequence Number = 8221823 (0x7D747F)
   TCP: Acknowledgement Number = 1109646 (0x10EE8E)
   TCP: Data Offset = 20 (0x14)
   TCP: Reserved = 0 (0x0000)
   TCP: Flags = 0x10 : .A....
      TCP: ..0..... = No urgent data
      TCP: ...1.... = Acknowledgement field significant
      TCP: ....0... = No Push function
      TCP: .....0.. = No Reset
      TCP: ......0. = No Synchronize
      TCP: .......0 = No Fin
   TCP: Window = 8760 (0x2238)
   TCP: Checksum = 0x18EA
   TCP: Urgent Pointer = 0 (0x0)
   TCP: Frame Padding
00000:  02 60 8C 9E 18 8B 02 60 8C 3B 85 C1 08 00 45 00   .`.....`.;....E.
00010:  00 28 0E 01 40 00 80 06 E0 4F 83 6B 02 D6 83 6B   .(..@....O.k...k
00020:  02 D3 04 0D 00 8B 00 7D 74 7F 00 10 EE 8E 50 10   .......}t....P.
00030:  22 38 18 EA 00 00 20 20 20 20 20 20               "8....
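
The acknowledgement arithmetic described for Frames 1-3 can be checked directly against the captured bytes. The following Python is an added example, not part of the original article or of Network Monitor: it decodes the TCP headers from the hex dumps above (the TCP header starts at offset 0x22, after the 14-byte Ethernet and 20-byte IP headers) and verifies the handshake invariants. The names parse_tcp and check_handshake are hypothetical.

```python
import struct

# TCP-layer bytes of Frames 1-3, copied from the hex dumps above, starting at
# offset 0x22 (after the 14-byte Ethernet and 20-byte IP headers).
FRAMES = [
    "04 0D 00 8B 00 7D 74 7E 00 00 00 00 60 02 20 00 F2 13 00 00 02 04 05 B4",
    "00 8B 04 0D 00 10 EE 8D 00 7D 74 7F 60 12 22 38 01 2D 00 00 02 04 05 B4",
    "04 0D 00 8B 00 7D 74 7F 00 10 EE 8E 50 10 22 38 18 EA 00 00",
]
FLAG_BITS = {0x20: "URG", 0x10: "ACK", 0x08: "PSH", 0x04: "RST", 0x02: "SYN", 0x01: "FIN"}

def parse_tcp(hex_bytes):
    """Decode a TCP header (and its MSS option, if present) into a dict."""
    raw = bytes.fromhex(hex_bytes)
    if len(raw) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", raw[:16])
    hdr_len = (off_flags >> 12) * 4          # data offset counts 32-bit words
    if not 20 <= hdr_len <= len(raw):
        raise ValueError("data offset outside captured bytes")
    seg = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
           "flags": {name for bit, name in FLAG_BITS.items() if off_flags & bit},
           "mss": None}
    opts, i = raw[20:hdr_len], 0
    while i < len(opts) and opts[i] != 0:    # kind 0 = end of option list
        if opts[i] == 1:                     # kind 1 = one-byte NOP
            i += 1
            continue
        if i + 1 >= len(opts) or not 2 <= opts[i + 1] <= len(opts) - i:
            raise ValueError("malformed TCP option")
        if opts[i] == 2 and opts[i + 1] == 4:  # Maximum Segment Size
            seg["mss"] = int.from_bytes(opts[i + 2:i + 4], "big")
        i += opts[i + 1]
    return seg

def check_handshake(syn, synack, ack):
    """Return the list of deviations from a clean three-way handshake."""
    nxt = lambda n: (n + 1) & 0xFFFFFFFF     # a SYN consumes one sequence number
    checks = [
        (syn["flags"] == {"SYN"}, "frame 1 is not a bare SYN"),
        (synack["flags"] == {"SYN", "ACK"}, "frame 2 is not SYN+ACK"),
        (ack["flags"] == {"ACK"}, "frame 3 is not a bare ACK"),
        (synack["ack"] == nxt(syn["seq"]), "SYN+ACK does not acknowledge client ISN+1"),
        (ack["seq"] == nxt(syn["seq"]), "client sequence did not advance by 1"),
        (ack["ack"] == nxt(synack["seq"]), "ACK does not acknowledge server ISN+1"),
        ((synack["sport"], synack["dport"]) == (syn["dport"], syn["sport"]),
         "frame 2 ports do not mirror frame 1"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Calling check_handshake(*[parse_tcp(f) for f in FRAMES]) returns an empty list for this capture; any returned message names the invariant a capture breaks.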

Terminating a Connection

Although the three-way handshake only requires three packets to be transmitted over our networked media, the termination of this reliable connection will necessitate the transmission of four packets. Because a TCP connection is full duplex (that is, data can be flowing in each direction independent of the other), each direction must be terminated independently.

Frame 4:

In this session of frames, you see the client sending a FIN that is accompanied by an ACK (TCP .A...F). This segment has two basic functions. First, when the FIN parameter is set, it will inform the server that it has no more data to send. Second, the ACK is essential in identifying the specific connection they have established.

4   16.0279 NTW3 --> BDC3 TCP .A...F, len: 0, seq: 8221823-8221823,
ack:3462835714, win: 8760, src: 2337  dst: 139 (NBT Session)  NTW3 --> BDC3
IP
TCP: .A...F, len:   0, seq: 8221823-8221823, ack:  1109646, win: 8760, src:
1037  dst:  139 (NBT Session)
   TCP: Source Port = 0x040D
   TCP: Destination Port = NETBIOS Session Service
   TCP: Sequence Number = 8221823 (0x7D747F)
   TCP: Acknowledgement Number = 1109646 (0x10EE8E)
   TCP: Data Offset = 20 (0x14)
   TCP: Reserved = 0 (0x0000)
   TCP: Flags = 0x11 : .A...F
      TCP: ..0..... = No urgent data
      TCP: ...1.... = Acknowledgement field significant
      TCP: ....0... = No Push function
      TCP: .....0.. = No Reset
      TCP: ......0. = No Synchronize
      TCP: .......1 = No more data from sender
   TCP: Window = 8760 (0x2238)
   TCP: Checksum = 0x236C
   TCP: Urgent Pointer = 0 (0x0)
00000:  00 20 AF 47 93 58 00 A0 C9 22 F5 39 08 00 45 00   . .G.X...".9..E.
00010:  00 28 9B F5 40 00 80 06 21 4A C0 5E DE 7B C0 5E   .(..@...!J.^.{.^
00020:  DE 57 09 21 05 48 0B 20 96 AC CE 66 AE 02 50 11   .W.!.H. ...f..P.
00030:  22 38 23 6C 00 00                                 "8#l..

Frame 5:

In this frame, you do not see anything special except for the server acknowledging the FIN that was transmitted from the client.

5    16.0281 BDC3 --> NTW3 TCP .A...., len:    0, seq: 1109646-1109646,
ack: 8221824, win:28672, src: 139  dst: 2337 (NBT Session) BDC3 -->  NTW3
IP
TCP: .A...., len:    0, seq: 1109646-1109646, ack: 8221824, win:28672, src:
139  dst: 2337 (NBT Session)
   TCP: Source Port = 0x040D
   TCP: Destination Port = NETBIOS Session Service
   TCP: Sequence Number = 1109646 (0x10EE8E)
   TCP: Acknowledgement Number = 8221824 (0x7D7480)
   TCP: Data Offset = 20 (0x14)
   TCP: Reserved = 0 (0x0000)
   TCP: Flags = 0x10 : .A....
      TCP: ..0..... = No urgent data
      TCP: ...1.... = Acknowledgement field significant
      TCP: ....0... = No Push function
      TCP: .....0.. = No Reset
      TCP: ......0. = No Synchronize
      TCP: .......0 = No Fin
   TCP: Window = 28672 (0x7000)
   TCP: Checksum = 0xD5A3
   TCP: Urgent Pointer = 0 (0x0)
   TCP: Frame Padding
00000:  00 A0 C9 22 F5 39 08 00 02 03 BA 84 08 00 45 00   ...".9........E.
00010:  00 28 D2 82 00 00 3F 06 6B BD C0 5E DE 57 C0 5E   .(....?.k..^.W.^
00020:  DE 7B 05 48 09 21 CE 66 AE 02 0B 20 96 AD 50 10   .{.H.!.f... ..P.
00030:  70 00 D5 A3 00 00 90 00 01 00 86 00               p...........

Frame 6:

After receiving the FIN from the client computer, the server will ACK. Even though TCP has established connections between the two computers, the connections are still independent of one another. Therefore, the server must also transmit a FIN (TCP .A...F) to the client.

6   17.0085 BDC3 --> NTW3 TCP .A...F, len: 0, seq: 1109646-1109646, ack:
8221824, win:28672, src: 139 dst: 2337 (NBT Session) BDC3 -->  NTW3   IP
TCP: .A...F, len:  0, seq: 1109646-1109646, ack: 8221824, win:28672, src:
139  dst: 2337 (NBT Session)
   TCP: Source Port = 0x0548
   TCP: Destination Port = 0x0921
   TCP: Sequence Number = 1109646 (0x10EE8E)
   TCP: Acknowledgement Number = 8221824 (0x7D7480)
   TCP: Data Offset = 20 (0x14)
   TCP: Reserved = 0 (0x0000)
   TCP: Flags = 0x11 : .A...F
      TCP: ..0..... = No urgent data
      TCP: ...1.... = Acknowledgement field significant
      TCP: ....0... = No Push function
      TCP: .....0.. = No Reset
      TCP: ......0. = No Synchronize
      TCP: .......1 = No more data from sender
   TCP: Window = 28672 (0x7000)
   TCP: Checksum = 0xD5A2
   TCP: Urgent Pointer = 0 (0x0)
   TCP: Frame Padding
00000:  00 A0 C9 22 F5 39 08 00 02 03 BA 84 08 00 45 00   ...".9........E.
00010:  00 28 D2 94 00 00 3F 06 6B AB C0 5E DE 57 C0 5E   .(....?.k..^.W.^
00020:  DE 7B 05 48 09 21 CE 66 AE 02 0B 20 96 AD 50 11   .{.H.!.f... ..P.
00030:  70 00 D5 A2 00 00 02 04 05 B4 86 00               p...........

Frame 7:

The client responds in the same format as the server, by ACKing the server's FIN and incrementing the sequence number by 1.

7   17.0085 NTW3 --> BDC3 TCP .A...., len: 0, seq: 8221824-8221824, ack:
1109647, win: 8760, src: 2337  dst: 139 (NBT Session) NTW3 --> BDC3 IP
TCP: .A...., len:    0, seq: 8221824-8221824, ack: 1109647, win: 8760, src:
2337  dst: 139   (NBT Session)
   TCP: Source Port = 0x0921
   TCP: Destination Port = 0x0548
   TCP: Sequence Number = 8221824 (0x7D7480)
   TCP: Acknowledgement Number = 1109647 (0x10EE8F)
   TCP: Data Offset = 20 (0x14)
   TCP: Reserved = 0 (0x0000)
   TCP: Flags = 0x10 : .A....
      TCP: ..0..... = No urgent data
      TCP: ...1.... = Acknowledgement field significant
      TCP: ....0... = No Push function
      TCP: .....0.. = No Reset
      TCP: ......0. = No Synchronize
      TCP: .......0 = No Fin
   TCP: Window = 8760 (0x2238)
   TCP: Checksum = 0x236B
   TCP: Urgent Pointer = 0 (0x0)
00000:  00 20 AF 47 93 58 00 A0 C9 22 F5 39 08 00 45 00   . .G.X...".9..E.
00010:  00 28 BA F5 40 00 80 06 02 4A C0 5E DE 7B C0 5E   .(..@....J.^.{.^
00020:  DE 57 09 21 05 48 0B 20 96 AD CE 66 AE 03 50 10   .W.!.H. ...f..P.
00030:  22 38 23 6B 00 00                                 "8#k..

The client ACKing the FIN notification from the server identifies a graceful close of a TCP connection.
REFERENCES
For additional information on ICMP:
Please see the following article in the Microsoft Knowledge Base:
170292 Internet Control Message Protocol (ICMP) Basics
-or-
Obtain RFC 793.
RFCs may be obtained through the Internet as follows:

Paper copies of all RFCs are available from the NIC, either individually or on a subscription basis (for more information contact NIC@NIC.DDN.MIL). Online copies are available through FTP or Kermit from NIC.DDN.MIL as rfc/rfc####.txt or rfc/rfc####.PS (#### is the RFC number without leading zeros).
Properties

Article ID: 172983 - Last Review: 02/12/2010 09:27:02 - Revision: 4.0

Windows Server 2008 Standard, Windows Server 2008 Enterprise, Windows Server 2008 Datacenter, Windows Server 2008 for Itanium-Based Systems, Microsoft Windows Server 2003, Datacenter Edition (32-bit x86), Microsoft Windows Server 2003, Enterprise Edition (32-bit x86), Microsoft Windows Server 2003, Standard Edition (32-bit x86), Microsoft Windows XP Professional, Microsoft Windows XP Home Edition, Microsoft Windows XP Tablet PC Edition, Microsoft Windows XP Media Center Edition 2005 Update Rollup 2, Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Professional Edition, Microsoft Windows 2000 Datacenter Server, Microsoft Windows 2000 Server, Windows Vista Business, Windows Vista Business 64-bit Edition, Windows Vista Enterprise, Windows Vista Enterprise 64-bit Edition, Windows Vista Home Basic, Windows Vista Home Basic 64-bit Edition, Windows Vista Home Premium, Windows Vista Home Premium 64-bit Edition, Windows Vista Ultimate, Windows Server 2008 Foundation, Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Standard, Windows Web Server 2008 R2, Windows 7 Enterprise, Windows 7 Home Basic, Windows 7 Home Premium, Windows 7 Professional, Windows 7 Ultimate

  • kbinfo kbnetwork KB172983