One of the most important, yet least understood, TCP concepts, is the three-way handshake. A TCP handshake initiates the connection and sets up the parameters. No data is exchanged until this process is complete. Similar to the handshake is the teardown, when the two endpoints exchange a series of Finish (FIN) packets, that indicates the session is complete.

In this chapter we'll take a more detailed look at the handshake and resultant socket creation. So that you can home in on a single TCP stream, we'll take a large capture, subset, mark and filter the packets, so we can examine the TCP handshake. As you traverse the chapter, you'll have a greater understanding of the TCP options exchanged during the handshake.  You'll learn what they mean and why they are required to have a conversation on today's networks. In addition, you'll see how you can easily modify protocol preferences, such as analyze TCP sequence numbers with a simple right click. Finally, we will examine the TCP teardown process and see how the FIN flag indicates the end of data transmission.

This chapter will address all of this by covering the following:

• Dissecting the three-way handshake
• Discovering TCP options
• Understanding TCP protocol preferences
• Identifying a TCP teardown