This post describes how to see TCP connection establishment and termination as packets using tcpdump on Linux.
Preparing
Install the following commands on your Linux host.
- tcpdump
- nc
- telnet
- netstat
Start a TCP connection establishment
- Start a TCP server using the nc command with the l and k options (listen, and keep listening after a client disconnects).
- Open another terminal and verify that port 12345 is listening using the netstat command.
$ nc -lk 12345
$ netstat -anp | grep 12345
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN /nc
Start TCP client and establish a connection
- Start a TCP client using telnet to establish a TCP connection with the TCP server of step 1.
- Open another terminal and verify that the nc process and telnet have an established connection using the netstat command.
- Terminate the TCP client by typing "Ctrl+]" and then "quit" in telnet. The connection is then closed.
$ telnet 127.0.0.1 12345
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
$ netstat -anp | grep 12345
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN /nc
tcp 0 0 127.0.0.1: 127.0.0.1:12345 ESTABLISHED /telnet
tcp 0 0 127.0.0.1:12345 127.0.0.1: ESTABLISHED /nc
$ telnet 127.0.0.1 12345
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
$
Capture TCP 3-Way Handshake as TCP connection establishment
- Verify that the TCP server started at step 1 is listening on port 12345.
- Run tcpdump on the local interface with a filter for port 12345, as follows.
- Start the TCP client using telnet to establish a TCP connection with the TCP server of step 1.
- Verify the tcpdump output as follows.
$ netstat -anp | grep 12345
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN /nc
$ sudo tcpdump -i lo -nnn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
$ telnet 127.0.0.1 12345
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
HH:mm:ss.SSSSSS IP 127.0.0.1. > 127.0.0.1.12345: Flags [S], seq …
HH:mm:ss.SSSSSS IP 127.0.0.1.12345 > 127.0.0.1.: Flags [S.], seq …
HH:mm:ss.SSSSSS IP 127.0.0.1. > 127.0.0.1.12345: Flags [.], ack …
The tcpdump packet format is as follows:
timestamp IP source-IP.port > destination-IP.port: Flags [flags], ...
- First line: a SYN packet, flag "[S]", that telnet sent to the TCP server.
- Second line: a SYN+ACK packet, flag "[S.]", that the TCP server sent back to telnet.
- Third line: an ACK packet, flag "[.]", that telnet sent to the TCP server (the source is the telnet side, the destination is port 12345), which completes the three-way handshake.
TCP connection termination
- Open another terminal and verify that the nc process and telnet have an established connection using the netstat command.
- Keep tcpdump running, and terminate the TCP client by typing "Ctrl+]" and then "quit" in telnet. The connection is then closed.
$ netstat -anp | grep 12345
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN /nc
tcp 0 0 127.0.0.1: 127.0.0.1:12345 ESTABLISHED /telnet
tcp 0 0 127.0.0.1:12345 127.0.0.1: ESTABLISHED /nc
$ telnet 127.0.0.1 12345
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
$
Verify the tcpdump output, which now shows the connection termination:
HH:mm:ss.SSSSSS IP 127.0.0.1. > 127.0.0.1.12345: Flags [F.], seq 1,
HH:mm:ss.SSSSSS IP 127.0.0.1.12345 > 127.0.0.1.: Flags [F.], seq 1,
HH:mm:ss.SSSSSS IP 127.0.0.1. > 127.0.0.1.12345: Flags [.], ack 2,
- First line: a FIN+ACK packet, flag "[F.]", that telnet sent to the TCP server. After the handshake every segment carries ACK, so the FIN appears as "[F.]" rather than a bare "[F]".
- Second line: a FIN+ACK packet, flag "[F.]", that the TCP server sent to telnet. It acknowledges telnet's FIN and carries the server's own FIN in the same segment.
- Third line: an ACK packet, flag "[.]", that telnet sent to the TCP server, acknowledging the server's FIN. Because the server combined its ACK and FIN into one segment, the classic four-way termination shows up here as three packets.
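As an added example (not part of the original post), the following Python script replays tcpdump lines of the shape shown above, for both the handshake and the termination, through a small per-connection state machine, so you can tell from a capture which connections completed the handshake, which were torn down cleanly, and which were left half-open. The sample capture is constructed for the example; the ephemeral port and sequence numbers are made up.

```python
import re

# Constructed sample in the shape of the tcpdump lines shown in this post.
# The last line is a lone SYN with no reply, to show a half-open connection.
SAMPLE = """\
12:00:00.000100 IP 127.0.0.1.40000 > 127.0.0.1.12345: Flags [S], seq 1000, win 65495, length 0
12:00:00.000150 IP 127.0.0.1.12345 > 127.0.0.1.40000: Flags [S.], seq 2000, ack 1001, win 65483, length 0
12:00:00.000200 IP 127.0.0.1.40000 > 127.0.0.1.12345: Flags [.], ack 1, win 512, length 0
12:00:05.000100 IP 127.0.0.1.40000 > 127.0.0.1.12345: Flags [F.], seq 1, ack 1, win 512, length 0
12:00:05.000150 IP 127.0.0.1.12345 > 127.0.0.1.40000: Flags [F.], seq 1, ack 2, win 512, length 0
12:00:05.000200 IP 127.0.0.1.40000 > 127.0.0.1.12345: Flags [.], ack 2, win 512, length 0
12:00:09.000100 IP 10.0.0.9.51000 > 10.0.0.1.443: Flags [S], seq 7, win 1024, length 0
"""

# timestamp IP src.port > dst.port: Flags [flags], ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Transitions keyed by (current state, packet sent by the client, flags).
# Every segment after the SYN carries ACK ('.'), so a FIN shows up as 'F.'.
TRANSITIONS = {
    ("SYN_SENT", False, "S."): "SYN_RECEIVED",
    ("SYN_RECEIVED", True, "."): "ESTABLISHED",
    ("ESTABLISHED", True, "F."): "CLIENT_FIN_SENT",   # client closes first
    ("CLIENT_FIN_SENT", False, "F."): "SERVER_FIN_SENT",  # server's ACK + FIN in one segment
    ("SERVER_FIN_SENT", True, "."): "CLOSED",
}

def track(text):
    """Replay tcpdump lines; return {(client, cport, server, sport): state}."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # not a TCP line in the expected shape
        src, sport, dst, dport, flags = (m.group(g) for g in ("src", "sport", "dst", "dport", "flags"))
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S":                    # a bare SYN opens a new flow, client -> server
            flows[fwd] = "SYN_SENT"
            continue
        key = fwd if fwd in flows else rev if rev in flows else None
        if key is None:
            continue                        # mid-stream packet; its handshake was not captured
        flows[key] = TRANSITIONS.get((flows[key], key == fwd, flags), flows[key])
    return flows

def incomplete(flows):
    """Flows that never finished the handshake: stalled or half-open connections."""
    return {k: v for k, v in flows.items() if v in ("SYN_SENT", "SYN_RECEIVED")}
```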
najle
Thursday 25th of July 2024
Thanks for sharing. I read many of your blog posts, cool, your blog is very good.