TCP THREE-WAY HANDSHAKE

I consider this an important topic that every network engineer or IT professional should understand. Why? Because checking the handshake is one of the first steps when troubleshooting a network connection.
In the TCP handshake process we will look at a few headers of the packets exchanged between source and destination. Before we begin, it is important to have gone through the topics of the Ethernet header, IP header, TCP header, MSS and MTU; that is a prerequisite for understanding this topic well.
The details are also documented in the RFCs, such as RFC793 (TCP) and RFC826 (ARP).

Let us begin step by step.
Handshake is an exchange of information between any two devices that sets up the parameters of the conversation.
SYN – stands for Synchronization.
SYN-ACK – stands for Synchronization Acknowledgement.
ACK – stands for Acknowledgement.
The TCP three-way handshake is an agreement between two computing devices on a network; it essentially confirms that both ends are ready to send and receive data. The two devices exchange parameters with each other before a reliable communication channel is formed, and in this exchange they negotiate the TCP window size and the MSS value.

Setting The Stage:
When we browse a web page (as an example), the page loads on our screen within seconds (depending on how fast your Internet connection is). Regardless of that speed, the agreement between the two devices first takes place through the three-way handshake. Let us assume the DNS process and ARP lookup have already taken place before the two machines start the three-way handshake. The three-way handshake is what establishes a reliable connection between the two machines on the network.
So if I try to access www.ratnavoidentity.com from my machine, assuming as mentioned that the DNS process and ARP lookup are already complete and I now know where my destination server is and the IP address to reach the web page, I will send the destination server a TCP SYN packet. The client machine chooses a random initial sequence number and sends it in the TCP SYN packet.
Please refer to the diagram below.

  • The client sends a SYN packet to the destination with its initial sequence number (shown as 1 in the diagram), along with the other TCP flags and options that are set.
  • The server responds to the client's SYN with a SYN-ACK (marked with sequence number 1 in the diagram). It acknowledges the client's SEQ-1 by sending SEQ-1 + 1 as the acknowledgement number in the same reply packet; this shows that the server received my SYN packet and replied with the correct number. The server also sends its own random initial sequence number, for example SEQ-2.
  • Once the client receives the SYN-ACK from the server, it checks the acknowledgement number, and from the incremented value of its own sequence number it knows that the server acknowledged the right packet. It also sees that the server has sent its own random sequence number, so the client now responds to the server with an ACK packet carrying SEQ-2 + 1 as the acknowledgement number. This shows the server that the client is able to respond with the right sequence number.
  • Note that apart from these sequence numbers, the WS and MSS values are also negotiated. Also, once the server receives the SYN packet from the client, it checks whether the destination port is in LISTENING state. Suppose the client is trying to fetch a web page (https://www.ratnavoidentity.com) hosted on a web server and the port used for this communication is 443. If port 443 is not in LISTENING state on the web server, the server will not send a SYN-ACK back to the client; it will send a RESET packet instead.

Here
WS = Window Size
MSS = Maximum Segment Size

With this exchange the TCP three-way handshake is complete and a reliable connection is established. From this point onwards the TLS handshake and the data communication are exchanged between the two machines.
I am showing you here how the TCP handshake looks in real time using Wireshark.

The section marked with yellow boxes contains the three packets of the three-way handshake between a source and a destination.
Let us look at the SYN packet and the sequence number sent by the source/client/user machine while trying to establish a reliable connection in the three-way handshake process.

Now the server replies to the client with a SYN-ACK packet, incrementing the client's SEQ number by 1 in its acknowledgement number, and also sends its own sequence number. We are checking these values using the actual sequence numbers set by the operating system, not the relative values that Wireshark computes for the packet, which appear within [] brackets.

Once the client receives the SYN-ACK from the server, it sends an ACK, incrementing the server's sequence number. You can see here that the client increments the sequence number sent by the server (688504567) by 1, i.e. 688504568, and sends its own next sequence number, 289303105, which the server is expecting.

Note: After the three-way handshake completes, these values will not always increment by 1; instead the acknowledgement number advances by the size of the payload (refer to the TCP segment length in the Wireshark sample). In the capture above, the server (in this case 103.243.32.90) responds with acknowledgement number 289304870, which is 289303105 (the client's previous sequence number) + 1765 (the TCP segment length).

TCP segment length is the actual size of the TCP payload data in a single TCP segment, i.e. how many bytes of real data are being transmitted.
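As an added illustration (not part of the original post), here is a small Python model of the handshake steps described above and of the acknowledgement arithmetic in the Note: it reproduces the SYN / SYN-ACK / ACK numbers, the RST reply when the destination port is not LISTENING, the Wireshark-style relative numbering, and the ack = seq + segment length rule, using the values from the Wireshark sample. The function names and the client ISN 289303104 are assumptions.

```python
# Added example, not from the original post: a model of the TCP three-way
# handshake's sequence/acknowledgement arithmetic, the RST reply for a port
# that is not LISTENING, and the post-handshake rule ack = seq + segment
# length. Nothing touches the network; segments are plain dicts, numbers constructed.

def make_segment(flags, seq, ack=0, payload_len=0):
    """Constructed TCP segment carrying only the fields the post discusses."""
    return {"flags": flags, "seq": seq, "ack": ack, "len": payload_len}

def server_reply_to_syn(syn, dst_port, listening_ports, server_isn):
    """SYN-ACK when dst_port is LISTENING, otherwise a RST (with ACK) instead."""
    if dst_port not in listening_ports:
        return make_segment("RST-ACK", seq=0, ack=syn["seq"] + 1)
    # The SYN consumes one sequence number, so the server acks ISN+1 (SEQ-1 + 1)
    return make_segment("SYN-ACK", seq=server_isn, ack=syn["seq"] + 1)

def client_ack(syn_ack, client_isn):
    """Third packet: the client's next seq is ISN+1, its ack is server ISN+1."""
    if syn_ack["ack"] != client_isn + 1:
        raise ValueError("server acknowledged the wrong sequence number")
    return make_segment("ACK", seq=client_isn + 1, ack=syn_ack["seq"] + 1)

def expected_ack(data_seg):
    """After the handshake the receiver acks seq + payload length, not seq + 1."""
    return data_seg["seq"] + data_seg["len"]

def three_way_handshake(client_isn, server_isn, dst_port=443, listening_ports=(443,)):
    """Return the exchanged segments; only two when the port is closed."""
    syn = make_segment("SYN", seq=client_isn)
    reply = server_reply_to_syn(syn, dst_port, listening_ports, server_isn)
    if reply["flags"] == "RST-ACK":
        return [syn, reply]
    return [syn, reply, client_ack(reply, client_isn)]

def relative(seg, client_isn, server_isn):
    """Wireshark-style relative numbers: each side's ISN is displayed as 0."""
    from_client = seg["flags"] in ("SYN", "ACK", "PSH-ACK")
    own, peer = (client_isn, server_isn) if from_client else (server_isn, client_isn)
    rel_ack = seg["ack"] - peer if "ACK" in seg["flags"] else 0
    return seg["seq"] - own, rel_ack

if __name__ == "__main__":
    # ISNs chosen so the numbers match the Wireshark sample quoted in the post
    c_isn, s_isn = 289303104, 688504567
    for s in three_way_handshake(c_isn, s_isn):
        print(s["flags"], "seq", s["seq"], "ack", s["ack"], relative(s, c_isn, s_isn))
    data = make_segment("PSH-ACK", seq=289303105, ack=688504568, payload_len=1765)
    print("server will acknowledge", expected_ack(data))  # 289304870
```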

The filter used in the Wireshark screenshot comes from a profile that you can download from my GitHub account and use as-is, or customize further for your own needs.

So, this is it for now. I hope this has helped you.
