Beyond the Basics: A Deep Dive into the TCP 3-Way Handshake
At some point in networking you have probably come across the term TCP 3-way handshake. It looks simple at first, but it hides deeper concepts underneath. When learning this topic, you were most likely told that TCP is a protocol which ensures reliable data transfer, unlike protocols such as UDP, which do not guarantee delivery.
The connection begins when the client sends a packet with the SYN flag set.
The server responds with a packet containing SYN + ACK.
The final ACK confirms that both sides have synchronized sequence numbers and the connection is now established.
But wait, what is that SYN? What's that ACK? Is there any other terminology in this handshake process? If these questions come to your mind, then you are thinking in the right direction.
SYN and ACK are called flags. Alongside them, the original TCP specification (RFC 793) defines four more: URG, PSH, RST and FIN. Two ECN-related flags, CWR and ECE, were added later (RFC 3168), and you will see them decoded in the Wireshark output below as well. We will cover all of these in detail.
These flags are present in the TCP header, and each flag occupies 1 bit, not a full byte. Each flag has a predefined position in the bit sequence.
For example:
| Bit Position | Flag | Mask | Meaning |
|--------------|------|------|---------|
| 5 | URG | 0x20 | Urgent |
| 4 | ACK | 0x10 | Acknowledgment |
| 3 | PSH | 0x08 | Push |
| 2 | RST | 0x04 | Reset |
| 1 | SYN | 0x02 | Synchronize |
| 0 | FIN | 0x01 | Finish |
If the bit sequence is 000010 (bits 5 down to 0), only bit 1 is set, so the SYN flag is on (SYN = 1), indicating a request to initiate a connection. Written in hex that is 0x02, which is exactly the Flags: 0x002 (SYN) that Wireshark reports in the capture below.
Here is something worth knowing: when a host sends a SYN to a server, the segment normally carries no payload (data). The rare exception is TCP Fast Open (RFC 7413), which allows data to ride in the SYN. So if I show you an example of a packet captured while a host sends a SYN to a server, you will find some interesting things in it:
```text
Transmission Control Protocol, Src Port: 53557, Dst Port: 80, Seq: 0, Len: 0
    Source Port: 53557
    Destination Port: 80
    [Stream index: 0]
    [Conversation completeness: Incomplete (1)]
    Sequence Number: 0    (relative sequence number)
    Sequence Number (raw): 2048046166
    [Next Sequence Number: 1    (relative sequence number)]
    Acknowledgment Number: 0
    Acknowledgment number (raw): 0
    1010 .... = Header Length: 40 bytes (10)
    Flags: 0x002 (SYN)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...0 .... = Acknowledgment: Not set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..1. = Syn: Set
            [Expert Info (Chat/Sequence): Connection establish request (SYN)]
        .... .... ...0 = Fin: Not set
        [TCP Flags: ··········S·]
    Window: 64240
    [Calculated window size: 64240]
    Checksum: 0xb304 [unverified]
    Urgent Pointer: 0
    Options: (20 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), Window scale
```
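To see those bit positions at work, here is an added example (my own code, not from the original post or from Wireshark) that builds the SYN header shown in the capture above as raw bytes and decodes it with a small parser: the flags bit field, the data offset and the options list. The option values (an MSS of 1460, a window scale of 7, the timestamp values) are assumptions, since the capture lists only the option kinds; the checksum is carried through unverified, as Wireshark's [unverified] also indicates, because verifying it needs the IP pseudo-header that the excerpt does not include.

```python
"""Decode the SYN from the capture above, bit positions and options included.

Added example, not code from the original post or from Wireshark. The
header bytes are built with struct to match what the capture shows (ports
53557 -> 80, raw ISN 2048046166, Flags 0x002, 40-byte header, window 64240,
checksum 0xb304). Option values (MSS 1460, window scale 7, timestamps) are
assumptions: the capture lists only the option kinds.
"""
import struct

# Bit positions from the table above (bit 0 = FIN ... bit 5 = URG) plus the
# ECN flags that Wireshark also decodes in the 12-bit flags field.
FLAG_BITS = {
    "FIN": 1 << 0, "SYN": 1 << 1, "RST": 1 << 2, "PSH": 1 << 3, "ACK": 1 << 4,
    "URG": 1 << 5, "ECE": 1 << 6, "CWR": 1 << 7, "NS": 1 << 8,
}
FLAG_LETTERS = "RRRNCEUAPRSF"  # Wireshark's summary, bit 11 first (R = reserved)

OPTION_NAMES = {1: "No-Operation (NOP)", 2: "Maximum segment size",
                3: "Window scale", 4: "SACK permitted", 8: "Timestamps"}
OPTION_BODY_LEN = {2: 2, 3: 1, 4: 0, 8: 8}  # fixed body sizes for these kinds


def build_syn_header() -> bytes:
    """Constructed bytes for the SYN in the capture: 20 fixed + 20 option bytes."""
    offset_and_flags = (10 << 12) | FLAG_BITS["SYN"]    # 10 words = 40 bytes, 0x002
    fixed = struct.pack("!HHIIHHHH", 53557, 80, 2048046166, 0,
                        offset_and_flags, 64240, 0xB304, 0)
    options = (struct.pack("!BBH", 2, 4, 1460)               # MSS (assumed value)
               + struct.pack("!BB", 4, 2)                    # SACK permitted
               + struct.pack("!BBII", 8, 10, 123456789, 0)   # Timestamps (assumed)
               + struct.pack("!B", 1)                        # NOP padding
               + struct.pack("!BBB", 3, 3, 7))               # Window scale (assumed)
    return fixed + options


def flag_summary(flags: int) -> str:
    """Render the 12-bit field the way Wireshark does, e.g. '··········S·'."""
    return "".join(ch if flags & (1 << (11 - i)) else "\u00b7"
                   for i, ch in enumerate(FLAG_LETTERS))


def parse_options(raw: bytes) -> list:
    """Walk kind/length/value options, rejecting lengths that would loop or overrun."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                                   # End of Option List
            break
        if kind == 1:                                   # NOP has no length byte
            opts.append((OPTION_NAMES[1], None))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind without a length byte")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):         # 0 or 1 would never advance
            raise ValueError(f"bad option length {length} for kind {kind}")
        body = raw[i + 2:i + length]
        if len(body) != OPTION_BODY_LEN.get(kind, len(body)):
            raise ValueError(f"option kind {kind} has a {len(body)}-byte body")
        if kind == 2:
            value = struct.unpack("!H", body)[0]
        elif kind == 3:
            value = body[0]
        elif kind == 8:
            value = struct.unpack("!II", body)
        else:
            value = body or None
        opts.append((OPTION_NAMES.get(kind, f"kind {kind}"), value))
        i += length
    return opts


def parse_tcp_header(data: bytes) -> dict:
    """Decode the fixed header, the flags bit field and the options."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_flags, window, checksum, urg = struct.unpack("!HHIIHHHH", data[:20])
    header_len = (off_flags >> 12) * 4
    if header_len < 20 or header_len > len(data):
        raise ValueError(f"data offset claims {header_len} bytes, have {len(data)}")
    flags = off_flags & 0x0FFF                          # 3 reserved bits + NS + 8 flags
    return {
        "src_port": src, "dst_port": dst, "seq_raw": seq, "ack_raw": ack,
        "header_len": header_len, "flags": flags,
        "flag_names": [name for name, bit in FLAG_BITS.items() if flags & bit],
        "flag_summary": flag_summary(flags),
        "window": window, "checksum": checksum, "urgent_pointer": urg,
        "options": parse_options(data[20:header_len]),
        "payload_len": len(data) - header_len,
    }


if __name__ == "__main__":
    for key, value in parse_tcp_header(build_syn_header()).items():
        print(f"{key}: {value}")
```

Running the file prints the same fields as the dissector tree, including the 12-character flag summary. The two length checks in parse_options are the ones that matter in a real stack: a length byte of 0 or 1 would never advance the loop, and a length larger than the remaining header would read past it; the data-offset check does the same job for the header as a whole.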
In the capture above, notice the field Sequence Number: 0 (Seq: 0). I said there is no payload in a SYN, so what is that sequence number denoting? Every TCP connection starts from an Initial Sequence Number (ISN) chosen by the operating system's TCP stack, and the SYN itself consumes one sequence number: the first byte of data I send later will carry sequence number ISN + 1. That is why the capture shows [Next Sequence Number: 1] even though Len is 0. The real ISN is almost never 0; here it is 2048046166 (the Sequence Number (raw) line), and modern stacks randomize it (RFC 6528) precisely so that an attacker who is not on the path cannot guess it and spoof or inject segments into the connection. To make debugging easier, Wireshark subtracts the ISN from every sequence number in the stream, so the first packet appears as Seq: 0, the next as Seq: 1, and so on, while the raw value is shown alongside.
When you see expressions like SYN = X, SYN = Y + ACK = X + 1, and ACK = Y + 1, they describe this exchange of initial sequence numbers: the client's SYN carries seq = X, the server's SYN+ACK carries its own ISN seq = Y and acknowledges X + 1, and the client's final ACK carries seq = X + 1 and acknowledges Y + 1. The +1 on each side is the sequence number consumed by the SYN.
The purpose of these sequence numbers is as follows:
· Reliability: The receiver acknowledges the next byte it expects, so a gap in sequence numbers tells it a segment is missing and the sender knows what to retransmit.
· Ordering: If the segment starting at byte 5101 arrives before the one starting at 5001, the receiver knows to hold it and deliver 5001 first.
· Deduplication: If the receiver gets two segments with Seq: 5001 (a retransmission, for example), it knows the second one is a duplicate and discards it.
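The X, Y, X + 1 and Y + 1 bookkeeping above, together with the three jobs the sequence number does, as an added example (my own code, not from the original post): it generates the three handshake segments with random ISNs, validates the +1 rule the way a server or stateful firewall would, reproduces Wireshark's relative numbering, and runs a small receive buffer over the 5001/5101 scenario from the list. The Segment record, the helper names and the 100-byte sample payloads are constructed for illustration.

```python
"""Sequence-number arithmetic of the handshake, and what a receiver does with it.

Added example, not code from the original post. The Segment record, the
helper names and the sample byte ranges (5001 and 5101, 100 bytes each) are
constructed for illustration; the ISN rule and the +1 rule are TCP's own.
"""
import secrets
from dataclasses import dataclass

MOD = 1 << 32  # sequence numbers are 32-bit and wrap around


@dataclass
class Segment:
    src: str            # "client" or "server"
    flags: frozenset
    seq: int
    ack: int = 0
    payload: bytes = b""


def random_isn() -> int:
    """Unpredictable ISN (RFC 6528 style): an off-path attacker who cannot
    guess it cannot spoof or inject segments into the connection."""
    return secrets.randbelow(MOD)


def three_way_handshake(client_isn=None, server_isn=None) -> list:
    x = random_isn() if client_isn is None else client_isn
    y = random_isn() if server_isn is None else server_isn
    syn = Segment("client", frozenset({"SYN"}), seq=x)
    # The SYN consumes one sequence number, so the server acknowledges X + 1.
    syn_ack = Segment("server", frozenset({"SYN", "ACK"}), seq=y, ack=(x + 1) % MOD)
    ack = Segment("client", frozenset({"ACK"}), seq=(x + 1) % MOD, ack=(y + 1) % MOD)
    return [syn, syn_ack, ack]


def validate_handshake(segments: list) -> bool:
    """The check a server or a stateful firewall applies before trusting the flow."""
    if len(segments) != 3:
        return False
    syn, syn_ack, ack = segments
    return (syn.flags == {"SYN"}
            and syn_ack.flags == {"SYN", "ACK"}
            and syn_ack.ack == (syn.seq + 1) % MOD
            and ack.flags == {"ACK"}
            and ack.seq == (syn.seq + 1) % MOD
            and ack.ack == (syn_ack.seq + 1) % MOD)


def relative(segments: list) -> list:
    """Wireshark's view: each host's own ISN is subtracted from its seq, the
    peer's ISN from its ack (None until an ACK flag is present)."""
    isn, out = {}, []
    for s in segments:
        isn.setdefault(s.src, s.seq)
        peer = "server" if s.src == "client" else "client"
        rel_seq = (s.seq - isn[s.src]) % MOD
        rel_ack = (s.ack - isn[peer]) % MOD if "ACK" in s.flags and peer in isn else None
        out.append((s.src, rel_seq, rel_ack))
    return out


class ReceiveBuffer:
    """In-order delivery, gap detection and duplicate discard keyed on seq.
    Wrap-around is ignored here to keep the example short."""

    def __init__(self, next_seq: int):
        self.next_seq = next_seq      # first byte not yet received = the ACK we would send
        self.pending = {}             # out-of-order segments held for later
        self.delivered = b""
        self.duplicates = 0

    def receive(self, seq: int, payload: bytes) -> None:
        if seq + len(payload) <= self.next_seq or seq in self.pending:
            self.duplicates += 1      # already delivered or already held: discard
            return
        if seq < self.next_seq:       # partial overlap: keep only the new bytes
            payload, seq = payload[self.next_seq - seq:], self.next_seq
        self.pending[seq] = payload
        while self.next_seq in self.pending:   # deliver every contiguous run
            data = self.pending.pop(self.next_seq)
            self.delivered += data
            self.next_seq += len(data)


def demo_ordering() -> tuple:
    """Segments 5101, then 5001, then a retransmitted 5001, as in the list above."""
    buf = ReceiveBuffer(next_seq=5001)
    buf.receive(5101, b"B" * 100)      # arrives first: held, gap at 5001 detected
    waiting_for = buf.next_seq         # 5001, the ACK the receiver would send
    buf.receive(5001, b"A" * 100)      # gap filled: both delivered in order
    buf.receive(5001, b"A" * 100)      # duplicate: discarded
    return buf.delivered, buf.duplicates, buf.next_seq, waiting_for
```

Feeding three_way_handshake(client_isn=2048046166, server_isn=1000) to relative() gives (client, 0, None), (server, 0, 1), (client, 1, 1), which is exactly the Seq/Ack pattern Wireshark displays for a handshake once the ISNs are subtracted; validate_handshake rejects a SYN+ACK whose acknowledgment is not the client's ISN + 1, which is the same mismatch that defeats a blind spoofer who has to guess X.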
The TCP 3-way handshake is not just a connection setup mechanism: it is the foundation of reliable communication. Before any data is exchanged, both sides agree on how that data will be tracked, ordered, and verified.
What appears as a simple three-step process actually ensures that communication over an unreliable network becomes predictable and reliable. One caveat worth keeping in mind: the handshake gives you ordering and loss detection, not authentication. Sequence numbers are only hard to forge because the ISN is unpredictable, and anything stronger than that has to come from a layer above TCP.