TCP 3 Way Handshake Explained (Wireshark Example)


The TCP protocol is an important protocol for everyday communication over the Internet.


As a connection-oriented means of communication, the TCP protocol relies on the formation of a reliable connection before transmitting any data.


The TCP protocol initiates that connection through the use of a three-way digital handshake.


The three-way handshake is also known as a TCP handshake.


The handshake is the mechanism that lets two devices negotiate information before transmitting data.

[Image: TCP 3 Way handshake Wireshark]


The host device sends a SYN packet to the search engine server requesting a connection.


The server receives the SYN packet sent by the host device and responds with a SYN-ACK to acknowledge to the host device that the SYN packet was received.


The host device receives this SYN-ACK from the server and then sends an ACK to acknowledge to the server that the host received the SYN-ACK.


The server then receives this ACK sent by the host device and a TCP connection is established.


SYN and ACK are known as TCP flags or bits; a SYN-ACK is a single segment with both the SYN and ACK flags set.


These flags are set in specific ways in an area known as the TCP header.


The TCP header contains a variety of information in addition to these flags or bits.


The TCP flags are also called bits because each flag occupies exactly one bit in the header, which is either set (1) or cleared (0).
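
The following Python code is an added example, not part of the original article. It decodes the flag bits from the fixed 20-byte TCP header and checks that three segments form a SYN, SYN-ACK, ACK exchange whose sequence and acknowledgment numbers line up; the ports, sequence numbers and the helper name build are constructed for illustration.

```python
import struct

# Flag bits in byte 13 of the TCP header (RFC 9293); ECE/CWR omitted here.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def parse_tcp_header(raw: bytes) -> dict:
    """Decode the fixed 20-byte part of a TCP header."""
    if len(raw) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, _off, flags, _win, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": {name for name, bit in FLAG_BITS.items() if flags & bit}}

def is_three_way_handshake(syn: dict, synack: dict, ack: dict) -> bool:
    """True when the segments form SYN -> SYN-ACK -> ACK with matching numbers."""
    mod = 2 ** 32  # sequence numbers wrap at 32 bits
    return (
        syn["flags"] == {"SYN"}
        and synack["flags"] == {"SYN", "ACK"}
        and ack["flags"] == {"ACK"}
        # the SYN-ACK travels in the opposite direction to the SYN and ACK
        and (synack["sport"], synack["dport"]) == (syn["dport"], syn["sport"])
        and (ack["sport"], ack["dport"]) == (syn["sport"], syn["dport"])
        # each side acknowledges the other's initial sequence number plus one
        and synack["ack"] == (syn["seq"] + 1) % mod
        and ack["seq"] == (syn["seq"] + 1) % mod
        and ack["ack"] == (synack["seq"] + 1) % mod
    )

def build(sport, dport, seq, ack, flags):
    """Hypothetical helper: pack a 20-byte header for the constructed samples."""
    bits = 0
    for name in flags:
        bits |= FLAG_BITS[name]
    # data offset 5 words, window 64240, checksum and urgent pointer left at 0
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, bits, 64240, 0, 0)

# Constructed sample: host port 51000 connecting to server port 443.
SYN = build(51000, 443, 1000, 0, ["SYN"])
SYNACK = build(443, 51000, 5000, 1001, ["SYN", "ACK"])
ACK = build(51000, 443, 1001, 5001, ["ACK"])

if __name__ == "__main__":
    segs = [parse_tcp_header(p) for p in (SYN, SYNACK, ACK)]
    for s in segs:
        print(s["sport"], "->", s["dport"], sorted(s["flags"]), "seq", s["seq"], "ack", s["ack"])
    print("handshake complete:", is_three_way_handshake(*segs))
```

In Wireshark the same values appear in the Flags, Sequence Number and Acknowledgment Number fields of each segment, where relative numbering shows them as 0 and 1 by default.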


According to the Mozilla Developer Glossary, DNS lookup occurs before the TCP 3-way handshake.


The TLS handshake happens after the TCP 3-way handshake.


DNS lookup is a way to map domain names to their corresponding numerical IP addresses.


The TLS handshake is the exchange in which the two sides agree on cryptographic algorithms and establish session keys.


To better understand the TCP 3-way handshake, it helps to view the data visually in an application that can analyze network traffic.


Wireshark is an excellent tool for this purpose.


The tool can be found at


An example of a Wireshark capture representing the 3-way handshake can be found as a .pcap file at


You may also find this lab at New Mexico State University of value for understanding the TCP handshake with Wireshark in more depth.


Below is an image of a Wireshark capture that represents the TCP 3-way handshake.

[Image: Wireshark Example TCP 3 Way ITPRO]