TCP (Transmission Control Protocol)

Plain English

TCP is like sending a letter via certified mail. Before any data is sent, both sides agree to communicate (a “handshake”). Every piece of data gets a tracking number, the receiver confirms receipt, and anything lost in transit gets resent automatically. This makes TCP reliable but slightly slower than alternatives that skip these guarantees.

Technical Definition

Transmission Control Protocol (TCP), defined in RFC 793, is a connection-oriented, reliable transport protocol operating at Layer 4 of the OSI model. TCP provides:

  • Reliable delivery: every segment is acknowledged; unacknowledged segments are retransmitted
  • Ordered delivery: sequence numbers ensure data arrives in the correct order
  • Flow control: the receiver advertises a window size limiting how much data the sender can transmit before waiting for acknowledgment
  • Congestion control: algorithms (slow start, congestion avoidance, fast retransmit, fast recovery) dynamically adjust transmission rate to prevent network overload

Three-way handshake (connection establishment):

  1. Client sends SYN (synchronize) with initial sequence number
  2. Server responds with SYN-ACK (synchronize-acknowledge)
  3. Client sends ACK (acknowledge), connection is now ESTABLISHED

Four-way teardown (connection termination):

  1. Initiator sends FIN
  2. Receiver sends ACK
  3. Receiver sends FIN
  4. Initiator sends ACK

TCP header fields include: source/destination port (16 bits each), sequence number (32 bits), acknowledgment number (32 bits), flags (SYN, ACK, FIN, RST, PSH, URG), window size, and checksum.

Common TCP ports: 22 (SSH), 25 (SMTP), 53 (DNS zone transfers), 80 (HTTP), 443 (HTTPS), 3306 (MySQL), 5432 (PostgreSQL).

[Figure: three-way handshake between Client and Server. 1. SYN (seq=100); 2. SYN-ACK (seq=300, ack=101); 3. ACK (ack=301); Connection Established.]

Inspecting TCP connections

# View active TCP connections (Linux)
$ ss -tnp
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
ESTAB   0       0       192.168.1.10:54312   93.184.216.34:443  users:(("firefox",pid=2341))
ESTAB   0       0       192.168.1.10:22      10.30.30.5:49821   users:(("sshd",pid=1892))

# Capture TCP handshake with tcpdump
$ sudo tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) != 0' -c 6
12:00:01 IP 192.168.1.10.54312 > 93.184.216.34.443: Flags [S], seq 1000
12:00:01 IP 93.184.216.34.443 > 192.168.1.10.54312: Flags [S.], seq 3000, ack 1001
12:00:01 IP 192.168.1.10.54312 > 93.184.216.34.443: Flags [.], ack 3001
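
The handshake rules above (each side acknowledges the other's initial sequence number plus one) can be checked mechanically over a capture to find connections that never reached ESTABLISHED. This is an added example, not part of the original page: it assumes the simplified tcpdump line format shown above with absolute sequence numbers (tcpdump -S), and the function names and sample lines are constructed for illustration.

```python
import re

# Simplified tcpdump line format used on this page (absolute seq/ack numbers).
LINE = re.compile(r"IP (\S+) > (\S+): Flags \[([^\]]*)\]"
                  r"(?:, seq (\d+))?(?:, ack (\d+))?")

def next_seq(n):  # a SYN consumes one sequence number; the field is 32 bits
    return (n + 1) & 0xFFFFFFFF

def track_handshakes(lines):
    """Return {(client, server): state} for every SYN seen in lines."""
    conns = {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        src, dst, flags = m.group(1, 2, 3)
        seq, ack = (int(g) if g else None for g in m.group(4, 5))
        if "R" in flags:                               # RST from either side
            key = (src, dst) if (src, dst) in conns else (dst, src)
            if key in conns:
                conns[key]["state"] = "RESET"
        elif flags == "S" and seq is not None:         # step 1: SYN
            conns[(src, dst)] = {"state": "SYN_SENT", "c_isn": seq}
        elif flags == "S." and (dst, src) in conns:    # step 2: SYN-ACK
            c = conns[(dst, src)]
            if c["state"] == "SYN_SENT" and seq is not None and ack == next_seq(c["c_isn"]):
                c.update(state="SYN_RCVD", s_isn=seq)
        elif flags == "." and (src, dst) in conns:     # step 3: final ACK
            c = conns[(src, dst)]
            if c["state"] == "SYN_RCVD" and ack == next_seq(c["s_isn"]):
                c["state"] = "ESTABLISHED"
    return {k: v["state"] for k, v in conns.items()}

# Constructed capture: complete, unanswered, half-open (ISN wraps), reset.
SAMPLE = [
    "12:00:01 IP 192.168.1.10.54312 > 93.184.216.34.443: Flags [S], seq 1000",
    "12:00:01 IP 93.184.216.34.443 > 192.168.1.10.54312: Flags [S.], seq 3000, ack 1001",
    "12:00:01 IP 192.168.1.10.54312 > 93.184.216.34.443: Flags [.], ack 3001",
    "12:00:02 IP 192.168.1.10.54313 > 10.30.30.5.8080: Flags [S], seq 2000",
    "12:00:03 IP 192.168.1.10.54314 > 10.30.30.5.22: Flags [S], seq 4294967295",
    "12:00:03 IP 10.30.30.5.22 > 192.168.1.10.54314: Flags [S.], seq 7000, ack 0",
    "12:00:04 IP 192.168.1.10.54315 > 10.30.30.5.25: Flags [S], seq 5000",
    "12:00:04 IP 10.30.30.5.25 > 192.168.1.10.54315: Flags [R.], seq 0, ack 5001",
]

if __name__ == "__main__":
    for (client, server), state in track_handshakes(SAMPLE).items():
        print(f"{client} -> {server}: {state}")
```

Connections left in SYN_SENT or SYN_RCVD are the ones to investigate: the peer never answered, or the final ACK never arrived.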

In the Wild

TCP carries the majority of internet traffic: every web page (HTTP/HTTPS), every email (SMTP), every file transfer (FTP/SFTP), and every SSH session runs on TCP. When engineers say “open port 443,” they mean “allow TCP connections on port 443.” TCP’s reliability guarantees come with overhead (handshake latency, retransmission delays), which is why latency-sensitive applications like video streaming, gaming, and DNS lookups use UDP instead. Tools like ss, netstat, and tcpdump are the standard utilities for inspecting TCP state and diagnosing connection issues. HTTP/3 (QUIC) moves web traffic to UDP with its own reliability layer, addressing TCP’s head-of-line blocking problem.