N10-009
Obj 1.4 | Ch. 2
17 slides

TCP/IP

The Backbone of Reliable Communication
How a single keystroke triggers a symphony of protocols

Network+ N10-009
The Scenario
You type https://www.hexworth.com into your browser and press Enter. Let's trace exactly what TCP does to make that page load.
N10-009
Slide 2 of 17

The Problem TCP Solves

Scenario
You pressed Enter. Your browser needs to talk to a server 3,000 miles away. But IP is unreliable — packets can be lost, duplicated, arrive out of order, or get corrupted.

IP Alone

  • Best-effort delivery only
  • No confirmation of receipt
  • Packets lost silently
  • No guaranteed ordering
  • No duplicate detection
  • "Fire and forget"

TCP + IP

  • Guaranteed delivery
  • Acknowledgment for every segment
  • Automatic retransmission on loss
  • In-order reassembly
  • Duplicate detection
  • Full error recovery
Key Insight
TCP doesn't replace IP. It rides on top of it, operating at Layer 4 (Transport) while IP operates at Layer 3 (Network). TCP adds reliability to IP's raw delivery.

TCP Header — The Control Center

Every TCP segment begins with a 20-byte minimum header.

  • Source Port: 16 bits
  • Destination Port: 16 bits
  • Sequence Number: 32 bits
  • Acknowledgment Number: 32 bits
  • Offset / Reserved / Flags: 16 bits
  • Window Size: 16 bits
  • Checksum: 16 bits
  • Urgent Pointer: 16 bits

TCP Flags — The Signal System

Six 1-bit flags control the lifecycle of a TCP connection. SYN and ACK appear in the three-way handshake you're about to see.

  • SYN: Synchronize
  • ACK: Acknowledge
  • FIN: Finish
  • RST: Reset
  • PSH: Push
  • URG: Urgent
Exam Note
Flags are set as individual bits in the TCP header. A packet can have multiple flags set simultaneously — SYN-ACK is the most common example, used in the second step of the handshake.

The Three-Way Handshake

Client: Your Browser, 192.168.1.10 (state: CLOSED)
Server: www.hexworth.com, 93.184.216.34 (state: LISTEN)

  1. Client → Server: SYN (Seq=0, SYN flag set)
  2. Server → Client: SYN-ACK (Seq=0, Ack=1, SYN+ACK flags)
  3. Client → Server: ACK (Seq=1, Ack=1, ACK flag)

CONNECTION ESTABLISHED — TCP is ready to transfer data

Sequence Numbers and Acknowledgments

Scenario — Now
Connection is established. Your browser sends the HTTP GET request for hexworth.com. TCP assigns every byte a unique sequence number so the server can reassemble them perfectly.
  1. Client sends Seq=1, 500 bytes. Server receives 500 bytes. Client waits for ACK.
  2. Server ACKs: Ack=501
  3. Client sends Seq=501, 500 bytes. Server receives next 500 bytes. Client waits for ACK.
  4. Server ACKs: Ack=1001
Core Rule
The ACK number always tells the sender: "I received everything up to this byte. Send me the next one." Ack=501 means bytes 1-500 were received — now send byte 501.
Exam Note
Sequence numbers track bytes, not packets. This is a common exam trap. A 500-byte segment advances the sequence number by 500, not by 1.

Flow Control — Window Size

Scenario — Now
The server is responding with hexworth.com's content. But the server's application is slower than your gigabit connection. TCP prevents your browser from overwhelming it.

The Window Size field in the TCP header tells the sender how much data the receiver can accept at once. It acts as a flow valve — the receiver controls the rate.

  • Normal (64 KB): 64 KB window — send freely (64,000)
  • Busy (32 KB): Receiver getting full — slow down (32,000)
  • Overloaded (8 KB): Almost full — nearly stop (8,000)
Sliding Window
TCP uses a sliding window — the sender doesn't wait for each ACK before sending more. It can have up to one window's worth of unacknowledged data "in flight" at any time. As ACKs arrive, the window slides forward.
Window Size = 0
If the receiver sends a window size of 0, the sender must stop completely and wait for a window update. This means the receiver's buffer is full.

TCP vs UDP

Property | TCP | UDP
Connection | Connection-oriented (handshake required) | Connectionless (no handshake)
Reliability | Guaranteed delivery with ACKs | Best effort, no guarantees
Ordering | In-order delivery | May arrive out of order
Speed | Slower (overhead from headers and ACKs) | Faster (minimal header, no ACKs)
Error Recovery | Retransmission on loss | None — application must handle
Use Cases | HTTP, HTTPS, FTP, SSH, SMTP, IMAP | DNS, DHCP, VoIP, video streaming, TFTP

TCP = Certified Mail

Requires signature on delivery. Slower. You know it arrived. Used when every byte matters.

UDP = Postcard

Fast, no confirmation. You don't know if it arrived. Used when speed matters more than perfection.

Exam Trap
DNS normally uses UDP port 53 for speed (small queries fit in one packet). But DNS zone transfers use TCP port 53 because zone data is large and must be complete.

Common TCP Ports

Well-Known: 0 – 1023
Registered: 1024 – 49151
Dynamic / Ephemeral: 49152 – 65535

  • 20/21 FTP: File Transfer Protocol. 20=data, 21=control
  • 22 SSH: Secure Shell. Encrypted remote access
  • 23 Telnet: Legacy remote shell. Cleartext — never use
  • 25 SMTP: Simple Mail Transfer. Server-to-server email
  • 53 DNS: TCP for zone transfers (UDP for queries)
  • 80 HTTP: Hypertext Transfer Protocol. Unencrypted
  • 110 POP3: Post Office Protocol. Download and delete
  • 143 IMAP: Internet Message Access. Sync mail
  • 443 HTTPS: HTTP over TLS. Used for hexworth.com
  • 587 SMTPS: SMTP Submission with STARTTLS
  • 993 IMAPS: IMAP over TLS
  • 3389 RDP: Remote Desktop Protocol. Windows GUI remote

TCP Connection States

TCP tracks the current status of every connection. These states appear in netstat output.

  • CLOSED → (SYN sent) → SYN-SENT → (SYN-ACK rcvd) → ESTABLISHED
  • LISTEN → (SYN rcvd) → SYN-RECEIVED → (ACK rcvd) → ESTABLISHED
  • ESTABLISHED → (FIN sent) → FIN-WAIT-1 → (ACK rcvd) → FIN-WAIT-2 → (FIN rcvd) → TIME-WAIT → (2xMSL timer) → CLOSED
  • ESTABLISHED → (FIN rcvd) → CLOSE-WAIT → (FIN sent) → LAST-ACK → (ACK rcvd) → CLOSED
Exam Note
TIME-WAIT lasts 2x MSL (Maximum Segment Lifetime, typically 60 seconds each = 2 minutes total). This ensures all delayed packets from the old connection expire before a new one starts. Large numbers of TIME-WAIT sockets in netstat indicate high connection churn — normal for busy web servers.

The Four-Way Teardown

Scenario — Closing
hexworth.com loaded successfully. You close the browser tab. TCP gracefully shuts down the connection using a four-step process, ensuring both sides finish sending.
  1. FIN: Client → Server. "I'm done sending data. Sending my FIN." Client enters FIN-WAIT-1 state.
  2. ACK: Server → Client. "I got your FIN. But I might still have data to send." Server enters CLOSE-WAIT. Client enters FIN-WAIT-2.
  3. FIN: Server → Client. "I'm also done. Sending my FIN." Server enters LAST-ACK state.
  4. ACK: Client → Server. "Got it. Entering TIME-WAIT." After 2x MSL (~2 min), client moves to CLOSED.
Why Four Steps?
Unlike the handshake where SYN and ACK are combined, the teardown is split because both sides must independently finish sending. Steps 2 and 3 can be combined if the server has no remaining data — this produces a three-step teardown in practice.
TIME-WAIT Purpose
The client waits 2x MSL before releasing the port. This ensures any stray packets from the old connection expire before a new connection reuses the same port pair. MSL is typically 30-60 seconds, so TIME-WAIT is 1-2 minutes.

TCP Retransmission

Scenario — Packet Loss
While hexworth.com was loading, a router somewhere on the path dropped one of your packets. TCP detects this silently and retransmits without you ever noticing.
  • t=0.000s: Client sends Seq=1001, 500 bytes of data
  • t=0.005s: LOST — Router drops packet (congestion, faulty link)
  • t=0.005s: No ACK arrives. RTO timer counting down...
  • t=0.210s: RTO EXPIRED — Retransmission timer fires
  • t=0.210s: Client RETRANSMITS Seq=1001 (identical segment)
  • t=0.240s: Server ACKs: Ack=1501 — "Got all 500 bytes, send 1501 next"
  • t=0.240s: Recovery complete. Transfer continues normally.
RTO — Retransmission Timeout
TCP calculates the RTO dynamically based on measured round-trip time (RTT). The formula uses SRTT (smoothed RTT) plus a variance factor. Initial RTO is typically 1 second. After each retransmission, RTO is doubled (exponential backoff) up to a maximum.
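
The RTO calculation described above, as an added example that is not part of the original slides. It assumes the RFC 6298 constants (alpha = 1/8, beta = 1/4, K = 4), which the slide does not spell out; the class name, the RTT samples and the optional 0.2-second floor are constructed for illustration.

```python
class RtoEstimator:
    """Retransmission timeout estimator using the RFC 6298 update rules."""
    ALPHA, BETA, K = 1 / 8, 1 / 4, 4  # assumed constants from RFC 6298

    def __init__(self, min_rto=1.0, max_rto=60.0):
        self.srtt = None      # smoothed RTT, unset until the first sample
        self.rttvar = None    # RTT variance estimate
        self.min_rto = min_rto
        self.max_rto = max_rto
        self.rto = 1.0        # initial RTO before any RTT has been measured

    def on_rtt_sample(self, rtt):
        """Feed one RTT measurement taken from a segment that was NOT retransmitted."""
        if self.srtt is None:
            self.srtt, self.rttvar = rtt, rtt / 2
        else:
            # Variance is updated first, using the old SRTT.
            self.rttvar = (1 - self.BETA) * self.rttvar + self.BETA * abs(self.srtt - rtt)
            self.srtt = (1 - self.ALPHA) * self.srtt + self.ALPHA * rtt
        raw = self.srtt + self.K * self.rttvar  # SRTT plus the variance factor
        self.rto = min(self.max_rto, max(self.min_rto, raw))
        return self.rto

    def on_timeout(self):
        """Exponential backoff: double the RTO after a retransmission, up to the cap."""
        self.rto = min(self.max_rto, self.rto * 2)
        return self.rto


def backoff_schedule(estimator, retries):
    """RTO values used for successive retransmissions of the same segment."""
    return [estimator.on_timeout() for _ in range(retries)]


if __name__ == "__main__":
    est = RtoEstimator(min_rto=0.2)       # constructed floor, not a value from the slide
    for sample in (0.024, 0.030, 0.120):  # constructed RTT samples in seconds
        print(f"rtt={sample:.3f}s -> rto={est.on_rtt_sample(sample):.3f}s")
    print("backoff:", backoff_schedule(est, 4))
```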

Congestion Control

Scenario — High Traffic
The Internet is busy. Multiple routers are dropping packets. TCP detects this through missing ACKs and backs off to avoid making congestion worse.
[Figure: cwnd per RTT. Bar values: 1, 2, 4, 8, 9, 10, 11, 12, 13, then 1, 2, 4, 6, 7. Legend: Slow Start (exponential), Congestion Avoidance (linear), Loss, Recovery]

Slow Start

Starts cwnd at 1 MSS. Doubles every RTT until ssthresh is reached. Despite the name, growth is exponential — it's only "slow" compared to sending at full speed immediately.

Congestion Avoidance

After ssthresh, increases by 1 MSS per RTT (linear). On packet loss: ssthresh = cwnd/2, then restart. This is TCP's main self-throttling mechanism on the Internet.
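
The two phases above as a small simulation, added here as an example that is not part of the original slides. It assumes an initial ssthresh of 8 MSS, a single loss in the ninth RTT, integer halving with a floor of 2 MSS, and a restart from 1 MSS after loss; the function name and those inputs are chosen for illustration.

```python
def simulate_cwnd(rounds, initial_ssthresh, loss_rounds):
    """Return one (cwnd, ssthresh, phase) tuple per RTT; sizes are in MSS."""
    cwnd, ssthresh = 1, initial_ssthresh  # slow start begins at 1 MSS
    trace = []
    for rtt in range(rounds):
        phase = "slow start" if cwnd < ssthresh else "congestion avoidance"
        trace.append((cwnd, ssthresh, phase))
        if rtt in loss_rounds:
            # On loss: ssthresh = cwnd/2 (integer MSS, floor of 2), then restart.
            ssthresh = max(cwnd // 2, 2)
            cwnd = 1
        elif cwnd < ssthresh:
            # Slow start: double every RTT, but never overshoot ssthresh.
            cwnd = min(cwnd * 2, ssthresh)
        else:
            # Congestion avoidance: grow by 1 MSS per RTT.
            cwnd += 1
    return trace


# Constructed run: 14 RTTs, loss detected in the RTT with index 8.
FIGURE_RUN = simulate_cwnd(rounds=14, initial_ssthresh=8, loss_rounds={8})

if __name__ == "__main__":
    for rtt, (cwnd, ssthresh, phase) in enumerate(FIGURE_RUN):
        print(f"RTT {rtt:2d}  cwnd={cwnd:2d}  ssthresh={ssthresh}  {phase}")
```

After the loss, slow start stops at the new ssthresh of 6 instead of doubling from 4 to 8, which is why the second ramp is shorter than the first.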


TCP in Wireshark

This is what Wireshark captures when your browser connects to hexworth.com on port 443. You can see the complete handshake before TLS negotiation begins.

No. | Time | Source | Destination | Proto | Info
1 | 0.000 | 192.168.1.10 | 93.184.216.34 | TCP | 49201→443 [SYN] Seq=0 Win=64240
2 | 0.024 | 93.184.216.34 | 192.168.1.10 | TCP | 443→49201 [SYN, ACK] Seq=0 Ack=1 Win=65535
3 | 0.025 | 192.168.1.10 | 93.184.216.34 | TCP | 49201→443 [ACK] Seq=1 Ack=1 Win=64240
4 | 0.026 | 192.168.1.10 | 93.184.216.34 | TLS | Client Hello (SNI: www.hexworth.com)
5 | 0.048 | 93.184.216.34 | 192.168.1.10 | TLS | Server Hello, Certificate, Server Hello Done
6 | 0.050 | 192.168.1.10 | 93.184.216.34 | TCP | 49201→443 [ACK] Seq=518 Ack=2847 Win=63393

Green rows = SYN (connection init)
Cyan rows = SYN-ACK (server response)
Gray rows = ACK (acknowledgments)
White rows = application data (TLS here)
Exam Tip
On the exam, you may need to identify which step of the handshake a captured packet belongs to. Look at the flags: SYN only = step 1, SYN+ACK = step 2, ACK only = step 3.
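
The header layout from the "TCP Header" slide and the flag rule in the Exam Tip, combined in one added example that is not part of the original slides. The function names are chosen for illustration, and the three sample headers are constructed from the first three rows of the capture above, using the relative Seq/Ack values shown there.

```python
import struct

# Flag bits in the low six bits of the 16-bit Offset/Reserved/Flags word.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def build_header(sport, dport, seq, ack, flags, window):
    """Pack a constructed 20-byte header (offset = 5 words, checksum left at 0)."""
    word = (5 << 12) | sum(FLAG_BITS[f] for f in flags)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, word, window, 0, 0)

def parse_header(segment):
    """Decode the fixed header fields, which are sent in network byte order."""
    if len(segment) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    sport, dport, seq, ack, word, window, checksum, urgent = struct.unpack(
        "!HHIIHHHH", segment[:20])
    header_len = (word >> 12) * 4  # data offset counts 32-bit words
    if header_len < 20:
        raise ValueError("data offset below the 20-byte minimum")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "header_len": header_len, "window": window,
            "checksum": checksum, "urgent": urgent,
            "flags": [name for name, bit in FLAG_BITS.items() if word & bit]}

def handshake_step(flags):
    """Map a flag set to the handshake step from the Exam Tip, else None."""
    present = set(flags)
    if present == {"SYN"}:
        return 1
    if present == {"SYN", "ACK"}:
        return 2
    if present == {"ACK"}:
        return 3  # flags alone cannot tell step 3 from a later pure ACK
    return None

# Constructed sample: packets 1 to 3 of the capture, relative Seq/Ack values.
SAMPLE = [
    build_header(49201, 443, 0, 0, ["SYN"], 64240),
    build_header(443, 49201, 0, 1, ["SYN", "ACK"], 65535),
    build_header(49201, 443, 1, 1, ["ACK"], 64240),
]

if __name__ == "__main__":
    for raw in SAMPLE:
        h = parse_header(raw)
        print(h["sport"], "->", h["dport"], h["flags"],
              "step", handshake_step(h["flags"]))
```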

TCP Troubleshooting

Scenario — Something Broke
hexworth.com stops loading. You need to diagnose why. TCP behavior tells you exactly what went wrong — if you know what to look for.

  • SYN sent — no SYN-ACK received
    Cause: Firewall blocking the port, service not running, wrong IP/port, host unreachable
    Diagnose: telnet <host> <port> — Wireshark filter: tcp.flags.syn==1
  • RST received after SYN
    Cause: Port is closed — service is not listening. A process previously ran there but was stopped.
    Diagnose: netstat -an | grep <port> — ss -tlnp
  • High retransmissions visible
    Cause: Packet loss in the path — congested router, faulty cable or NIC, wireless interference
    Diagnose: Wireshark filter: tcp.analysis.retransmission — ping for loss
  • Window size drops to zero
    Cause: Receiver's buffer is full — application not reading fast enough, resource exhaustion
    Diagnose: Wireshark: tcp.window_size==0 — check receiver app health
  • FIN sent without all data
    Cause: Application terminated prematurely, timeout, crash, or intentional forced close
    Diagnose: Application logs — check for abrupt process termination
  • Many TIME-WAIT sockets
    Cause: High connection churn — normal for busy web servers. Can exhaust ports under extreme load.
    Diagnose: netstat -an | grep TIME_WAIT | wc -l

Key Exam Points — N10-009 Obj 1.4

  01. TCP = Connection-oriented, reliable, ordered delivery. Operates at Layer 4 (Transport).
  02. Three-way handshake: SYN → SYN-ACK → ACK. Required before any data transfer.
  03. Four-way teardown: FIN → ACK → FIN → ACK. Both sides must independently close.
  04. Know your ports: 20/21 FTP, 22 SSH, 23 Telnet, 25 SMTP, 53 DNS, 80 HTTP, 110 POP3, 143 IMAP, 443 HTTPS.
  05. Six flags: SYN, ACK, FIN, RST, PSH, URG. Know when each is used.
  06. Sequence numbers track bytes, not packets. ACK = "next byte I expect."
  07. Window size controls flow. Window = 0 means stop sending completely.
  08. DNS: UDP port 53 for queries, TCP port 53 for zone transfers. Common exam trap.
  09. RST after SYN = port closed. No response = firewall or host unreachable.
  10. TIME-WAIT = 2x MSL (~2 min). Prevents old packets from poisoning new connections.


From Keystroke to Loaded Page

Every time you type a URL and press Enter, TCP silently orchestrates hundreds of coordinated steps. It establishes trust, tracks every byte, recovers from loss, and gracefully closes when done. This entire process took under one second.

Browser → DNS Lookup → SYN → SYN-ACK → ACK → TLS Handshake → HTTP GET → 200 OK → FIN / ACK → CLOSED

Objectives Covered

  • N10-009 Objective 1.4
  • TCP header structure and flags
  • Three-way handshake and teardown
  • Flow control and congestion control
  • Common TCP ports
  • TCP troubleshooting techniques

Key Takeaways

  • TCP rides on top of IP at Layer 4
  • Reliability comes from ACKs + retransmission
  • Handshake = 3 steps, teardown = 4 steps
  • Window size = receiver-controlled flow
  • Know your ports — they appear on every exam