TCP three-way handshake
Definition
The connection establishment sequence in TCP: the client sends SYN, the server responds SYN-ACK, and the client completes with ACK. The timestamps on these three packets establish the precise time a connection began and are a standard artifact in network investigations.
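As an added illustration (not part of the original glossary entry), the following Python matches SYN / SYN-ACK / ACK triples in a list of constructed packet records and reports the connection start time and handshake round trip, while separately flagging SYNs that never completed. The packet representation (a simplified flag string per packet) and the sample values are assumptions for the example, not a real capture.

```python
from collections import namedtuple

# Constructed packet records (not a real capture): timestamp, source ip/port,
# destination ip/port, and a simplified TCP flag string ("S", "SA", "A", "PA").
Packet = namedtuple("Packet", "ts src sport dst dport flags")

SAMPLE = [
    Packet(1700000000.000, "10.0.0.5", 51000, "192.0.2.10", 443, "S"),
    Packet(1700000000.020, "192.0.2.10", 443, "10.0.0.5", 51000, "SA"),
    Packet(1700000000.041, "10.0.0.5", 51000, "192.0.2.10", 443, "A"),
    Packet(1700000001.000, "10.0.0.7", 52000, "198.51.100.9", 22, "S"),  # SYN never answered
    Packet(1700000002.500, "10.0.0.5", 51000, "192.0.2.10", 443, "PA"),  # data, not handshake
]


def find_handshakes(packets):
    """Return (completed, incomplete) handshakes keyed by the client-side 4-tuple.

    completed: list of dicts with start (SYN ts), established (ACK ts) and rtt.
    incomplete: list of dicts for SYNs with no matching SYN-ACK/ACK (half-open).
    """
    pending = {}      # (client, cport, server, sport) -> {"syn": ts, "synack": ts}
    completed = []
    for p in sorted(packets, key=lambda x: x.ts):
        fwd = (p.src, p.sport, p.dst, p.dport)   # as sent by the initiator
        rev = (p.dst, p.dport, p.src, p.sport)   # as sent by the responder
        if p.flags == "S":
            pending[fwd] = {"syn": p.ts}         # step 1: client SYN
        elif p.flags == "SA" and rev in pending and "synack" not in pending[rev]:
            pending[rev]["synack"] = p.ts        # step 2: server SYN-ACK
        elif p.flags == "A" and fwd in pending and "synack" in pending[fwd]:
            st = pending.pop(fwd)                # step 3: client ACK completes it
            completed.append({
                "client": fwd[0], "client_port": fwd[1],
                "server": fwd[2], "server_port": fwd[3],
                "start": st["syn"], "established": p.ts,
                "rtt": p.ts - st["syn"],
            })
    incomplete = [
        {"client": k[0], "client_port": k[1], "server": k[2],
         "server_port": k[3], "syn": v["syn"]}
        for k, v in pending.items()
    ]
    return completed, incomplete


if __name__ == "__main__":
    done, half_open = find_handshakes(SAMPLE)
    for h in done:
        print(f"{h['client']}:{h['client_port']} -> {h['server']}:{h['server_port']} "
              f"began at {h['start']:.3f}, established after {h['rtt']*1000:.1f} ms")
    for h in half_open:
        print(f"unanswered SYN from {h['client']} to {h['server']}:{h['server_port']}")
```

The SYN timestamp is the value to record as the connection's start in a timeline; a large number of unanswered SYNs from one host is worth a second look during triage.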
Related terms
- Beaconing
- Periodic outbound connections from a compromised host to a command-and-control server, typically at regular intervals. The regularity of the interval, measured in...
- DNS query log
- A record maintained by a DNS resolver listing each domain name query, the requesting IP address, the response, and the timestamp. DNS...
- DNS tunnelling
- Encoding data inside DNS queries and responses to exfiltrate information or carry command-and-control traffic through a network that permits DNS but blocks...
- Encapsulation
- The process by which each OSI layer wraps the payload from the layer above it inside its own header (and sometimes trailer)....
- Network flow (NetFlow/IPFIX)
- A summary record of a network conversation, storing source IP, destination IP, source port, destination port, protocol, byte count, and timestamps, without...
- Packet capture (PCAP)
- The interception and recording of network packets as they traverse an interface. The raw data is stored in PCAP format and analysed...
- PCAP (packet capture file)
- A binary file format that stores raw network traffic captured from a network interface. Tools such as Wireshark, tcpdump, and Zeek read...
- Port number
- A 16-bit integer in the TCP or UDP header that identifies the application-layer service at each endpoint. Well-known ports are assigned by...
- Protocol Data Unit (PDU)
- The named unit of data at each OSI layer: a frame at Layer 2, a packet at Layer 3, a segment at...
- Server Name Indication (SNI)
- A TLS extension sent in plaintext in the Client Hello message that identifies the hostname the client intends to reach. SNI is...
Explained in these topics
- Network Protocols and Traffic Interpretation: The sequence SYN, SYN-ACK, ACK that establishes a TCP connection. The initiating host sends SYN; the responding host replies SYN-ACK; the initiator completes w...
- The OSI Model and Protocols for Network Investigators: The connection establishment sequence in TCP: the client sends SYN, the server responds SYN-ACK, and the client completes with ACK. The timestamps on these thr...