TCP Talk Series- II

Posted by

In TCP Talk Series – I, we saw the various TCP flags and TCP options. Today, we are going to learn below topics:

TCB : Transmission Control Block

Block of memory space allocated by CPU to maintain state information for a single TCP session. For example if I have 6 TCP session formed then I have 6 TCB blocks allocated for each TCP sessions.
When a TCB is created then it created with SOCKET Information. Socket contains the four pieces of information :


The creation of a TCB can happen in one or the two way :
   Active Open
    Passive Open

    • Clients have many potential applications that could use TCP:FTP, Email, HTTP etc.
    • TCP on client is not created until an Application requests the services of TCP.
    • Client Predetermine elements required for TCP sockets.
    • TCB created utilizing socket information, ISN etc
    • TCP “SYN” transmitted.
    • The ISN is basically a Random number generated to prevent from attacks. (32bits field)

TCP Servers:

  1. Typically designed to only recognise certain TCP applications
  2. TCP created “in advance” to allow capability of listening for any incoming request.
  3. Server Pre-Determines elements required for TCP socket. TCP created implementing partial socket information, ISN etc.
  4. Unspecified Passive Open (Basically a partially open TCB session)
  5. Creating a TCB when session initiates that is Active Open, creating a TCB partially before the session that is Passive Open.

R1#sh tcp tcb
tty2, virtual tty from host
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 255
Local host:, Local port: 23         |  >>>>>>>>>>>>>>>>>>>>>  SOCKET INFO
Foreign host:, Foreign port: 24449 _|
Connection tableid (VRF): 0
Maximum output segment queue size: 20

What is “Finite State Machine”

Protocols must move from Start-to-finish in smooth predictable ways.
A FSM is a diagram that graphically displays this process.

Composed of :

  • STATES : The current status of a protocol
  • TRANSITIONS : Moving from one state to another (usually indicated by lines or arrows)
  • EVENTS : Something that happened (a trigger) to initiate the transition
  • ACTION : The response to an event prior to transition.


FSM is of two Parts :



Screen Shot 2017-10-26 at 8.32.20 AM


  • LISTEN       : Represents waiting for a connection request from any remote TCP and port.
  • SYN-SENT     : Represents waiting for a matching connection request after having sent a connection request
  • SYN-RECEIVED : Represents waiting for a confirming connection request ACK after having both received and sent connection request


Screen Shot 2017-10-26 at 8.32.31 AM

NOTE : In FIN WAIT-1 We have two Events can happen FIN-WAIT-2 and CLOSING

  • MSL          : Maximum Segment Life time.
  • TIME-WAIT    :
    • TIME-WAIT State waits twice the length of another timer. Which is MSL.
    • MSL is 2 minutes default. So that TIME-WAIT is 4 min.
    • Vendors chose it for their own timers. They don’t wait till 4 min.
    • Represents an open connection, data received can be delivered to the user.
    • The normal state for the data transfer phase of the connection
  • FIN-WAIT-1   :
    • Represents waiting for a connection termination request from the remote TCP, or an ACK of the connection termination request previously request.
  • FIN-WAIT-2   :
    • Waiting for a connection termination request from the remote TCP.
    • TCP has sent a FIN and remote end has ACK it.
    • Unless a half closed being performed, the TCP must wait for the application on the other end to recongnise that it has received an EOL notification and close its connection.
    • If the connection is idle when the timer expires, TCP moves the connection into the CLOSED state.
  • CLOSE-WAIT   :
    • Waiting for a connection termination request from the local router.
    • ONE side sent a FIN packet and consider the connection closed.
    • Note: “TCP DIAGRAM” : There is no way to go back to data transfer, once the connection is in close state.
  • CLOSING      : Waiting for a connection termination request ACK from the remote TCP.
  • LAST-ACK     : Represents waiting for an ACK of the connection termination request previously sent to the remote TCP ( Which includes an ACK of its connection termination request)


Screen Shot 2017-10-26 at 8.32.06 AM

The only difference with Three Way Handshake is that, we have SYN + ACK. Here we receive the SYN and Send the ACK.


The Main objective of three way handshake is :

Initial contact and proof of existence
   Sequence Number Synchronisation (Three Way Handshake is a Bidirectional communication, and they have two different sets of Sequence Number)
Exchange Parameters

SEQUENCE NUMBER: Basically randomly generated. And when we capture the packet in Wireshark. It showed as “0”. But in order to view it correctly what is the exact SEQ Number.

Wireshark to check the exact Sequence Number: EDIT >> PREFERENCES >> PROTOCOL >>> TCP >> UNCHECK >>>>>>>>> “RELATIVE SEQ NUMBER”

Filter based on the TCP form a specific Source : ip.addr == && tcp


Now the SEQ Number is actual value.


Screen Shot 2017-10-26 at 8.33.07 AM



 When a new connection are created, an initial sequence number (ISN) generator is employed which selects a new 32 bits ISN. The Generator is bound to a 32 bits clock whose low order bit is incremented roughly every 4 ms. Thus the ISN cycles approximately every 4.55 hours.

Since we assume that segments will stay in the network no more than the Maximum Segment Lifetime (MSL) and that the MSL is less than 4.55 hours we can reasonably assume that ISN will be unique.


All bytes sent up-to-but-not-including-N. A fundamental notion in he design is that every octet of data sent over a TCP connection has a sequence number.
Since every octet is sequenced each of them can be ACK. The ACK mechanism employed is cumulative so that an ACK of sequence number X indicate that all octets up to but not including X have been received. This  mechanism allows for straight-forward duplicate detection in the presence of retransmission.
Number of octets within a segment is that the first data octet immediately following the header is the lowest numbered, and the following octets are number consecutively.

  • Phantom Bytes only add 1 Bytes which contains “SYN” and “FIN” Flag. In ACK phantom bytes is not added.
  • Connection Termination:  
    • The closing TCP initiates the close operation by sending a FIN segment. The complete close operation occurs after both sides have completed the close.
    • The active closer sends a FIN segment specifying the current sequence number, the receiver expects to see. The FIN also includes an ACK for the last data sent in the other direction.
    • The passive closer sends a FIN segment specifying the current sequence number, the receiver expects to see. The FIN also includes an ACK for the last data sent in the other direction.


To complete the close, the final segment contains an ACK for the last FIN.
Note that if a FIN is lost, it is re-transmitted until an ACK for it is received.



Screen Shot 2017-10-26 at 8.33.34 AM

Screen Shot 2017-10-26 at 8.33.44 AM

Each bytes counted in the Sequence Number.
For every two segments we are receiving ACK.

Nagles Algorithm (Most of the devices enabled nagles algo)

Using IPV4 sending one single key press generated TCP/IPv4 packets of about 88 bytes in size (using the encryption and authentication)
20 Bytes of IP header + 20 Bytes of TCP header and 48 Bytes of Data.

These small packets have a relatively high overhead for the network. That is they contain relatively little useful application data compared to the rest of the packet contents.

Such high overload packets are normal not a problem on LANs, because most of LAN are not congested and such packet world not beed atto be carried on wide area network.

NAGLE discuss some PITFALLS and PROBLEMS that can occur as a result of using it with delayed ACK.

The Nagle Algorithm says that when a TCP connection has outstanding data that has not yet been ack small segments cannot be sent until all outstanding data is ack.

Instead small amount of data are collected by TCP and sent in a single segment when an ACK arrives. This procedure effectively forces TCP into stop-and-wait behaviour. It stop sending until an ACK is received for any outstanding data.

The beauty of this  algorithm is that it is self-clocking. The faster the ACK comes back the faster the data is sent.


  • CASE 1 :

NAGLES DISABLED. Transmissions and ACK are intermingled, and the exchange takes 0.58 using 19 packets. Many packets are relatively small (48 Bytes of user data). Pure Ack (Segment with no data) indicate that command output at the server has been preceded by the client.

  • CASE 2:

ENABLES NAGLE ALGO Request are followed in lockstep with responses, and the exchange takes 0.80s using 11 packets.

17The striking difference is the regularity of how the request and responses are ordered and separated by time. As Nagle algorithm forces TCP ti operated in a stop and wait fashion, so that TCP sender cannot proceed until ACK are received.


The effect of the Nagle algorithm stop and wait behaviour can be seen clearly.

There are times when the Nagle Algorithm needs to be turned off. Typical example include cases where as little delay as possible is required.

    Online Game
    Mouse movement or a key stroke

“TCP No Delay” this will disable Nagle Algorithm

To be continued…..

TCP Talk Series:

  1. TCP Talk Series – I
  2. TCP Talk Series – II
  3. TCP Talk Series – III
  4. TCP Talk Series -IV
  5. TCP Talk Series- V


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s