TCP connection termination is performed by the four-way handshake, as shown below (the image is taken from here).

Four-way handshake

I tried to verify it on Cisco Packet Tracer. With the following topology, I captured some packets (shown below) by initiating an HTTP request.

Capturing packets on Cisco Packet Tracer

By analyzing the last four TCP packets (TCP connection termination), I got this:

It looks like a three-way handshake. Please explain it.

I was wondering if the request packet from Server to PC (labeled 2) carries additional ACK information (piggybacking ACKs)? If yes, how do I know if a packet is piggybacking?

  • The source of the diagrams is not clear beyond the first one. The second looks like a screenshot (but not a complete one?), and the source of the third is completely unclear. – Slartibartfast Oct 15 '19 at 04:08
  • It is perfectly legal, and very common to combine the ACK and FIN in the second and third steps. That happens all the time, especially in the four-way handshake to start a connection that is almost always three steps: SYN, ACK/SYN, ACK. The same thing can happen in the closing of a connection when both sides are done sending: FIN, ACK/FIN, ACK. – Ron Maupin Oct 15 '19 at 04:39
  • The TCP closure mirrors the TCP opener. The opener is a SYN and an ACK in one direction, then a SYN and an ACK in the other direction -- four total events, but the "middle part" (the first ACK and the second SYN) happen in the same packet, hence the three way handshake. This answer describes it in more detail, and I think that will help you see the four way closure in your last screenshot. – Eddie Oct 15 '19 at 05:44
  • @Eddie, the reference link is quite helpful, thx. – SparkAndShine Oct 15 '19 at 07:35

2 Answers

This looks like a four-way handshake where the server was done sending data to the client before the client closed its half of the connection.

The server performed a shortcut where it used the same packet to signal confirmation of the shutdown of the client's connection to the server (ACK) and initiate shutdown of the server's connection to the client (FIN).

I could be wrong, and I'm a little curious about the sequence numbers in the third diagram, but I'm not sure where the confusion lies either.

Note that if the client had made a request for a large (e.g. 500MB) file and then immediately closed its side of the connection, you would see the four-way closure more clearly, and it would look like:

C -> FIN -> S
C <- ACK <- S
C <- [DATA] <- S (lots of these)
C <- FIN <- S
C -> ACK -> S (Final ACK, connection closed)

I hope that helps.

Slartibartfast

It's called a four-way handshake since each side signals a FIN and expects an ACK.

The side receiving the first FIN usually combines both flags in a single segment, just like in your simulation.

Zac67
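
On the question of how to tell whether a segment is piggybacking the ACK: the following is an added example, not part of the original question or answers, that labels the close sequence from TCP headers by checking whether a FIN segment's acknowledgment number covers the peer's FIN. The ports, sequence numbers and the two captures are constructed for illustration.

```python
import struct

FIN, ACK, PSH = 0x01, 0x10, 0x08

def build_header(sport, dport, seq, ack, flags):
    """Constructed 20-byte TCP header: no options, checksum left at 0."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)

def teardown_steps(headers):
    """Label the segments that take part in closing a connection.

    A segment acknowledges the peer's FIN when its ACK flag is set and its
    acknowledgment number is the peer's FIN sequence number + 1 (a FIN uses
    one sequence number; FINs without payload are assumed).
    """
    fin_seq = {}    # source port -> sequence number of that side's FIN
    acked = set()   # source ports whose FIN was already acknowledged
    steps = []
    for raw in headers:
        sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", raw[:14])
        peer_fin = fin_seq.get(dport)
        acks_fin = (bool(flags & ACK) and peer_fin is not None and dport not in acked
                    and ack == (peer_fin + 1) & 0xFFFFFFFF)
        if flags & FIN:
            steps.append("FIN+ACK" if acks_fin else "FIN")
            fin_seq[sport] = seq
        elif acks_fin:
            steps.append("ACK")
        if acks_fin:
            acked.add(dport)
    return steps

C, S = 1025, 80  # constructed client and server ports

# Constructed capture 1: server answers the client's FIN in one segment.
# The first FIN has the ACK flag set too, but it only acknowledges data.
three = [build_header(C, S, 100, 500, FIN | ACK),
         build_header(S, C, 500, 101, FIN | ACK),
         build_header(C, S, 101, 501, ACK)]

# Constructed capture 2: server still has data to send after the client's FIN.
four = [build_header(C, S, 100, 500, FIN | ACK),
        build_header(S, C, 500, 101, ACK),
        build_header(S, C, 500, 101, PSH | ACK),   # 1000 data bytes (not included)
        build_header(S, C, 1500, 101, FIN | ACK),
        build_header(C, S, 101, 1501, ACK)]

if __name__ == "__main__":
    print(teardown_steps(three))
    print(teardown_steps(four))
```

The ACK flag alone does not distinguish the two cases, since almost every segment of an established connection has it set; the acknowledgment number is what shows that a FIN segment is also confirming the peer's FIN.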