When a TCP connection is complete, TCP tears down the connection by exchanging a series of FIN packets, closing the port and refusing any more requests to communicate. Let's walk through the entire process.
When two hosts are communicating, a TCP conversation goes through several stages:
- TCP starts with a (three-way) handshake to set up the session. In many cases, there are additional header options that outline and further define the parameters of the conversation.
- During the conversation, TCP monitors the communication and acknowledges all data received to ensure complete delivery of the data.
- Once the conversation is over, TCP ends the session with an exchange of FIN packets between the two endpoints, which indicates that the session is complete.
Let's now take a look at how session teardown is represented in Wireshark.
In the Flows312.pcapng capture, packets 6, 7, 8, and 9 represent the session teardown, as shown here:
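To close the session, TCP uses the FIN flag, which indicates that the sender has no more data to send, as shown in the following screenshot:
To completely close a connection, TCP progresses from the ESTABLISHED state through FIN-WAIT-1, FIN-WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK, and TIME-WAIT, and then to CLOSED, as stated in RFC 793. An endpoint does not visit every one of these states: which ones it passes through depends on whether it sent the first FIN (active close) or received it (passive close).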
TCP will wait until both sides have said their final goodbyes and have sent a FIN packet, and then the operating system will close the socket. Any future attempts at communicating will be refused.
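The RFC 793 close states listed above can be inferred per endpoint from the FIN and ACK segments seen in a capture. The following is an added example, not code from the original text; the endpoint names and sequence numbers are constructed and are not taken from Flows312.pcapng, and it assumes teardown segments carry no payload.

```python
# Added example: infer each endpoint's RFC 793 close state from captured segments.
# Assumption: teardown segments carry no payload, so a FIN at seq N is ACKed by N+1.
# A side only shows a new state once it has sent something that proves it.

def replay_teardown(segments):
    """segments: (src, dst, flags, seq, ack) tuples. Returns the states after each one."""
    facts = {}

    def get(name):
        return facts.setdefault(name, {"fin_seq": None, "fin_acked": False,
                                       "acked_peer_fin": False, "active": False})

    def state(f):
        if f["fin_seq"] is None:                  # has not sent a FIN yet
            return "CLOSE-WAIT" if f["acked_peer_fin"] else "ESTABLISHED"
        if not f["active"]:                       # passive closer
            return "CLOSED" if f["fin_acked"] else "LAST-ACK"
        return {(False, False): "FIN-WAIT-1", (True, False): "FIN-WAIT-2",
                (False, True): "CLOSING", (True, True): "TIME-WAIT",
                }[(f["fin_acked"], f["acked_peer_fin"])]

    history = []
    for src, dst, flags, seq, ack in segments:
        s, d = get(src), get(dst)
        # An ACK number of fin_seq + 1 acknowledges the peer's FIN.
        if "ACK" in flags and d["fin_seq"] is not None and ack == d["fin_seq"] + 1:
            s["acked_peer_fin"] = True
            d["fin_acked"] = True
        # Sending a FIN before acknowledging the peer's FIN means active close.
        if "FIN" in flags and s["fin_seq"] is None:
            s["fin_seq"] = seq
            s["active"] = not s["acked_peer_fin"]
        history.append({src: state(s), dst: state(d)})
    return history

# Constructed sample: FIN/ACK, ACK, FIN/ACK, ACK between two hypothetical hosts.
FOUR_WAY = [
    ("client", "server", {"FIN", "ACK"}, 1000, 5000),
    ("server", "client", {"ACK"},        5000, 1001),
    ("server", "client", {"FIN", "ACK"}, 5000, 1001),
    ("client", "server", {"ACK"},        1001, 5001),
]

if __name__ == "__main__":
    for number, states in enumerate(replay_teardown(FOUR_WAY), start=1):
        print(number, states)
```

Feeding it only the first two segments leaves the pair at FIN-WAIT-2 and CLOSE-WAIT, the half-closed condition that shows up on a host when an application never closes its side of the socket.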