§ 10 TCP Connection Lifecycle
TCP at wire level and kernel queue level: segment header fields, the 11-state automaton, 3-way open, 4-way close, TIME_WAIT, SYN cookies, RST handling, and the SYN queue versus accept queue.
1. § 10.1 — TCP Segment Header
A TCP segment starts with a 20-byte fixed header. The fields that matter most during interviews are sequence number, acknowledgment number, flags, receive window, checksum, and the SYN-only options that establish MSS, window scaling, SACK, timestamps, and sometimes TCP Fast Open.
| Field | Size | Why it matters |
|---|---|---|
| Source / destination port | 16 + 16 | Identifies the process endpoints; part of the TCP 4-tuple. |
| Sequence number | 32 | First byte number in this segment; SYN and FIN each consume one number. |
| Acknowledgment number | 32 | Next byte expected from the peer when ACK is set. |
| Data offset | 4 | Header length in 32-bit words; minimum 5, maximum 15. |
| Flags | 8 plus NS | SYN, ACK, FIN, RST drive connection state; ECE/CWR signal ECN. |
| Window | 16 | Advertised receive window, optionally scaled by WSCALE negotiated in SYN. |
| Checksum | 16 | Covers TCP header, payload, and IP pseudo-header. |
| Options | 0-40 bytes | MSS, window scale, SACK, timestamps, and TFO cookie space. |
SYN Options Walkthrough
Options are TLVs packed after the fixed header. A common SYN advertises MSS, WSCALE, SACK-permitted, and timestamps; only options present in the SYN can be used later on that connection.
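The TLV walk described above, as an added example (not code from the original page or from the kernel). The struct, function names and the sample option bytes are constructed for illustration; option kinds and lengths are the standard ones for MSS, window scale, SACK-permitted and timestamps.

```c
#include <stddef.h>
#include <stdint.h>

/* Options recovered from a SYN (struct and names are this example's own). */
struct syn_opts {
    uint16_t mss;            /* kind 2; 0 if absent */
    int wscale;              /* kind 3 shift count; -1 if absent */
    int sack_ok, has_ts;     /* kind 4, kind 8 */
    uint32_t tsval, tsecr;
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Walk the TLVs; returns 0 on success, -1 if the option area is malformed. */
int parse_syn_options(const uint8_t *o, size_t n, struct syn_opts *out) {
    /* Required total length per known kind (0 = not checked). */
    static const uint8_t want[9] = { [2] = 4, [3] = 3, [4] = 2, [8] = 10 };
    size_t i = 0;
    *out = (struct syn_opts){ .wscale = -1 };
    if (n > 40) return -1;                     /* data offset 15 => at most 40 bytes */
    while (i < n) {
        uint8_t kind = o[i];
        if (kind == 0) break;                  /* End of Option List */
        if (kind == 1) { i++; continue; }      /* NOP padding: one byte, no length */
        if (i + 1 >= n) return -1;             /* length byte missing */
        uint8_t len = o[i + 1];
        if (len < 2 || i + len > n) return -1; /* bogus length (would loop) or overrun */
        if (kind < 9 && want[kind] && len != want[kind]) return -1;
        const uint8_t *v = o + i + 2;
        switch (kind) {
        case 2: out->mss = (uint16_t)((v[0] << 8) | v[1]); break;
        case 3: out->wscale = v[0] > 14 ? 14 : v[0]; break;   /* RFC 7323 caps shift at 14 */
        case 4: out->sack_ok = 1; break;
        case 8: out->has_ts = 1; out->tsval = be32(v); out->tsecr = be32(v + 4); break;
        default: break;                        /* unknown kind: skip by its length */
        }
        i += len;
    }
    return 0;
}

/* Constructed sample: MSS 1460, SACK-permitted, timestamps, NOP, WSCALE 7. */
static const uint8_t SAMPLE_SYN_OPTS[20] = {
    2, 4, 0x05, 0xb4,   4, 2,   8, 10, 0, 0, 0x30, 0x39, 0, 0, 0, 0,   1,   3, 3, 7
};
```

The two length checks are the part that matters for robustness: a zero or oversized length byte must be rejected before the cursor advances.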
2. § 10.2 — TCP 11-State Machine
TCP is easier to reason about as a finite-state machine. Active open starts in SYN_SENT; passive open waits in LISTEN; graceful close splits into active and passive paths; any valid RST can abort straight to CLOSED.
Client and Server Timeline
The normal lifecycle combines a 3-way open and a 4-way close. The side that sends the first FIN normally owns TIME_WAIT because it must retransmit the final ACK if the peer repeats its FIN.
Minimal C Demo — State Machine Simulator
Minimal C Demo — RST Window Check
3. § 10.3 — Three-Way Handshake and ISN
The client sends SYN(ISN_c), the server replies with SYN+ACK(ISN_s, ISN_c+1), and the client completes with ACK(ISN_s+1). Linux randomizes ISNs from the 4-tuple plus a time-varying secret so that off-path sequence prediction is not practical.
MSS negotiation is an asymmetric advertisement with conservative use: each side announces what it can receive, and the sender uses the minimum of the peer's MSS, local interface limits, and the path MTU minus the IP and TCP header sizes.
Minimal C Demo — 3-Way Packet Trace
4. § 10.4 — Four-Way Close and TIME_WAIT
A graceful close uses FIN, ACK, FIN, ACK. A FIN consumes one sequence number, and half-close lets one side send EOF while still receiving. After the final ACK, TIME_WAIT lasts 2*MSL to absorb old duplicates and reliably answer a retransmitted final FIN.
- shutdown(fd, SHUT_WR) sends FIN but keeps the read side open.
- tcp_fin_timeout limits orphaned FIN_WAIT_2 sockets.
- SO_LINGER with zero timeout sends RST instead of graceful FIN.
- tcp_tw_recycle was removed because it broke clients behind NAT.
Minimal C Demo — TIME_WAIT Countdown
5. § 10.5 — SYN Flood and SYN Cookies
A SYN flood burns memory in the incomplete connection queue by creating many SYN_RCVD entries that never finish. SYN cookies avoid allocation by encoding enough state into the server ISN and validating it when the ACK returns.
The cookie must fit in 32 bits, so it stores a coarse timer, an MSS code, and keyed hash bits over the 4-tuple. The tradeoff is that options not recoverable from the ACK path may be reduced or disabled during cookie mode.
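The encode-then-validate cycle described above, as an added example (not the page's demo and not the kernel's implementation). The bit layout, the MSS table, MAX_AGE and the mixer function are assumptions chosen for illustration; the mixer is a stand-in for the keyed cryptographic hash a real stack uses.

```c
#include <stdint.h>

/* Illustrative layout, not Linux's exact encoding:
 * bits 31..27 coarse timer, bits 26..24 MSS code, bits 23..0 keyed hash. */
#define MAX_AGE 2u   /* ticks a cookie stays valid (assumed value) */

struct tuple4 { uint32_t saddr, daddr; uint16_t sport, dport; };

/* Constructed MSS table; the 3-bit code indexes it. */
static const uint16_t MSS_TABLE[8] = { 536, 1024, 1220, 1360, 1400, 1440, 1452, 1460 };

/* Stand-in keyed mixer so the demo is self-contained; a real stack uses a
 * keyed cryptographic hash here. Covers the 4-tuple, the tick and the MSS code. */
static uint32_t mac24(uint64_t key, const struct tuple4 *t, uint32_t tick, uint32_t code) {
    uint64_t x = key ^ (((uint64_t)t->saddr << 32) | t->daddr);
    x = (x ^ (x >> 30)) * 0xbf58476d1ce4e5b9ULL;
    x ^= ((uint64_t)t->sport << 48) | ((uint64_t)t->dport << 32) | ((uint64_t)tick << 3) | code;
    x = (x ^ (x >> 27)) * 0x94d049bb133111ebULL;
    return (uint32_t)(x ^ (x >> 31)) & 0xffffffu;
}

/* Build the server ISN for a SYN+ACK without storing anything per connection. */
uint32_t cookie_make(uint64_t key, const struct tuple4 *t, uint32_t tick, uint16_t peer_mss) {
    uint32_t code = 0;
    for (uint32_t i = 1; i < 8; i++)          /* largest table entry not above peer's MSS */
        if (MSS_TABLE[i] <= peer_mss) code = i;
    return ((tick & 31u) << 27) | (code << 24) | mac24(key, t, tick, code);
}

/* On the final ACK: return the MSS to use, or 0 if the cookie is forged or stale. */
uint16_t cookie_check(uint64_t key, const struct tuple4 *t, uint32_t now, uint32_t ack_seq) {
    uint32_t c = ack_seq - 1;                 /* final ACK acknowledges ISN_s + 1 */
    uint32_t age = (now - (c >> 27)) & 31u;   /* ticks since issue, modulo 32 */
    uint32_t code = (c >> 24) & 7u;
    if (age > MAX_AGE) return 0;              /* stale, or timer bits tampered */
    if (mac24(key, t, now - age, code) != (c & 0xffffffu)) return 0;
    return MSS_TABLE[code];                   /* only now would a socket be allocated */
}
```

Only the MSS survives the round trip, rounded down to a table entry; window scale, SACK and the other SYN options have no place in this layout, which is the tradeoff the paragraph above describes.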
Minimal C Demo — SYN Flood Simulator
6. § 10.6 — SYN Queue and Accept Queue
Linux has two listener-side queues. The SYN queue holds incomplete handshakes; the accept queue holds complete sockets until the application calls accept(). The second queue is sized by listen(fd, backlog) and clamped by net.core.somaxconn.
If the accept queue is full, Linux normally ignores the final ACK so the client retransmits and the server gets another chance after the app drains the queue. With tcp_abort_on_overflow=1, the server sends RST instead, which fails fast but can amplify transient overload into user-visible errors.
Minimal C Demo — Queue Fill Demo
7. Kernel Source Pointers
- net/ipv4/tcp_input.c: state processing, ACK handling, RST validation, SACK and PAWS hooks.
- net/ipv4/tcp_output.c: SYN/FIN/RST construction, retransmit paths, SYN cookie output.
- net/ipv4/tcp_ipv4.c: listener lookup, request socket handling, IPv4 hashing.
- net/ipv4/syncookies.c: cookie generation and validation.
- include/net/tcp_states.h: numeric TCP state constants used by the kernel.
8. Interview Prep
| Question | Concise answer |
|---|---|
| What triggers CLOSING? | Simultaneous close: both sides send FIN before receiving an ACK for their own FIN. |
| Why does TIME_WAIT last 2*MSL? | To drain old duplicate segments and to retransmit the final ACK if the peer repeats its FIN. |
| How do SYN cookies avoid state allocation? | The server encodes timer, MSS code, and a keyed 4-tuple hash into its ISN, then allocates only after a valid ACK returns. |
| Why drop ACKs on accept queue overflow by default? | It gives a temporarily overloaded app another chance to drain the queue before the client retransmits the final ACK. |
| How does RFC 5961 harden blind RST attacks? | Loose in-window RSTs trigger challenge ACKs; only exact sequence matches are accepted immediately in strict behavior. |
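The RFC 5961 rule from the last row, as an added example of the receiver-side decision (not code from the original page or from the kernel). The struct and function names are this example's own; the three outcomes follow RFC 5961 section 3.2 for a connection in a synchronized state.

```c
#include <stdint.h>

enum rst_verdict { RST_DROP, RST_CHALLENGE_ACK, RST_ACCEPT };

/* Receiver-side view of one established connection (names are this example's own). */
struct rx_state {
    uint32_t rcv_nxt;        /* next sequence number expected from the peer */
    uint32_t rcv_wnd;        /* current receive window in bytes */
    int      closed;         /* set once a RST has been honoured */
    unsigned challenge_acks; /* challenge ACKs this receiver would have sent */
};

/* Wrap-safe "a < b" in 32-bit sequence space. */
static int seq_lt(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }

/* Decision for a segment that has RST set. */
enum rst_verdict classify_rst(const struct rx_state *c, uint32_t seg_seq) {
    if (seg_seq == c->rcv_nxt)
        return RST_ACCEPT;            /* exact match: reset the connection */
    if (!seq_lt(seg_seq, c->rcv_nxt) && seq_lt(seg_seq, c->rcv_nxt + c->rcv_wnd))
        return RST_CHALLENGE_ACK;     /* in window but not exact: do not reset yet */
    return RST_DROP;                  /* outside the window: discard silently */
}

/* Apply the verdict. A genuine peer that lost its state answers the challenge
 * ACK with a RST whose sequence number equals rcv_nxt, which is then accepted;
 * an off-path sender never sees the ACK and cannot learn that value from it. */
enum rst_verdict handle_rst(struct rx_state *c, uint32_t seg_seq) {
    enum rst_verdict v = classify_rst(c, seg_seq);
    if (v == RST_ACCEPT)
        c->closed = 1;
    else if (v == RST_CHALLENGE_ACK)
        c->challenge_acks++;
    return v;
}
```

The window comparison uses signed differences so it stays correct when the receive window straddles the 32-bit sequence wrap.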