TCP Header

TCP (Transmission Control Protocol) is a reliable transport protocol as it establishes a connection before sending any data and everything that it sends is acknowledged by the receiver. In this lesson we will take a closer look at the TCP header and its different fields. Here’s what it looks like:

TCP Header

Let’s walk through all these fields:

  • Source port: this is a 16 bit field that specifies the port number of the sender.
  • Destination port: this is a 16 bit field that specifies the port number of the receiver.
  • Sequence number: the sequence number is a 32 bit field that indicates how much data is sent during the TCP session. When you establish a new TCP connection (3 way handshake) then the initial sequence number is a random 32 bit value. The receiver will use this sequence number and sends back an acknowledgment. Protocol analyzers like wireshark will often use a relative sequence number of 0 since it’s easier to read than some high random number.
  • Acknowledgment number: this 32 bit field is used by the receiver to request the next TCP segment. This value will be the sequence number incremented by 1.
  • DO: this is the 4 bit data offset field, also known as the header length. It indicates the length of the TCP header so that we know where the actual data begins.
  • RSV: these are 3 bits for the reserved field. They are unused and are always set to 0.
  • Flags: there are 9 bits for flags, we also call them control bits. We use them to establish connections, send data and terminate connections:
    • URG: urgent pointer. When this bit is set, the data should be treated as priority over other data.
    • ACK: used for the acknowledgment.
    • PSH: this is the push function. This tells an application that the data should be transmitted immediately and that we don’t want to wait to fill the entire TCP segment.
    • RST: this resets the connection, when you receive this you have to terminate the connection right away. This is only used when there are unrecoverable errors and it’s not a normal way to finish the TCP connection.
    • SYN: we use this for the initial three way handshake and it’s used to set the initial sequence number.
    • FIN: this finish bit is used to end the TCP connection. TCP is full duplex so both parties will have to use the FIN bit to end the connection. This is the normal method how we end an connection.
  • Window: the 16 bit window field specifies how many bytes the receiver is willing to receive. It is used so the receiver can tell the sender that it would like to receive more data than what it is currently receiving. It does so by specifying the number of bytes beyond the sequence number in the acknowledgment field.
  • Checksum: 16 bits are used for a checksum to check if the TCP header is OK or not.
  • Urgent pointer: these 16 bits are used when the URG bit has been set, the urgent pointer is used to indicate where the urgent data ends.
  • Options: this field is optional and can be anywhere between 0 and 320 bits.

To see these fields in action, it’s best to play around with wireshark. Here’s an example of the first part of the TCP three way handshake. I highlighted all the fields:

Wireshark Capture TCP Fields

Above you can see the source and destination port. The sequence number is 0 but wireshark tells us that this is a relative sequence number. In reality, it’s something else. You can see the SYN bit has been set in the flags, the window size, checksum, urgent pointer and options.

TCP is a complex protocol but hopefully this lesson has helped to understand what the TCP header looks like. If you have any questions, feel free to leave a comment in our forum.

Tags: ,

Forum Replies

  1. Amruta,
    This has to do with how the sequence number is incremented during the TCP session. Let’s say Client A is requesting 900 Bytes of data from Server 1. Once Server 1 starts to send the actual data to Client A, the length of the payload of what is being sent directly influences the next sequence number.

    So, let’s say the current Sequence number is 1, and the Server sends Client A, 300 Bytes. This means the sequence number will now be 301 (the original sequence number plus the amount of data in the payload that was just sent). Now, let’s say, after Clien

    ... Continue reading in our forum

  2. Hello Manami

    To understand the function of the PSH flag, it is important to first understand how TCP buffers data. TCP operates at layer four of the OSI model. To allow applications to read from and write to a TCP session, buffers are implemented on both sides of a TCP connection in both directions.

    Buffers allow for more efficient transfer of data when sending multiple segments of maximum size, such as when sending a large file. TCP will wait until a segment reaches its maximum size before sending it on its way. There are however some applications where this

    ... Continue reading in our forum

  3. Hello Mohammad

    When a TCP session is in progress, the sequence numbers are used to keep track of the number of bytes that have been transmitted within the session. When 100 bytes are sent from host A to host B, host B will respond with an ACK that is incremented by 100. If this is the beginning of the transaction and we started with a sequence number of 0, then the ACK that host B will send will be 100 indicating that the amount of data that has been received so far is 100 bytes.

    During the three way handshake, the first SYN packet is sent with an initial seq

    ... Continue reading in our forum

  4. Hello Hussein.

    First of all the sequence number doesn’t indicate how much data is sent, but the difference between the original sequence number and the acknowledgement number sent back to the reciever indicates the amount of data that has been sent in one window.

    Your first two questions have to do with something called windowing which is a flow control mechanism of TCP. Specifically, when a TCP session begins, the sequence number is chosen randomly. For example, let’s say the initial sequence number is 100588. During the initial handshake, the window size i

    ... Continue reading in our forum

  5. Hello Hussein

    Unfortunately there isn’t. Because the window size is always going to be much much smaller than the largest available sequence number, it will never reset to zero within a single segment. Segments are always many many orders of magnitude smaller. Only the hosts between them keep track of when the counter resets to zero. Even when it does, they only detect it at that specific segment. Once the segment is received and acknowledged, there is no need to keep track of the resetting of the counter from the host’s point of view.

    If you want to keep

    ... Continue reading in our forum

48 more replies! Ask a question or join the discussion by visiting our Community Forum