Enhance your Career in Networking With IPinBits!!!​

TCP-Header , lets check what’s inside

This blog will explain all the components of TCP-header, including all the flags along with Wireshark.


  • TCP is the layer 4 protocol, also known as transport protocol, which forms, maintains, re-transmit, acknowledge data end to end.
  • Data correction and re-transmission happens only at this layer. It provides end to end error free transmission of data.
  • TCP is reliable protocol, you can count on it, it will always deliver unlike UDP, but there are certain advantages and disadvantages to it.
  • Advantages are like, if has acknowledgment mechanism so data delivered is guaranteed, but since it has acknowledgement mechanism on links which has degradation this can be a real problem.
  • For services like Voice over IP, video they cannot wait for re-transmission, data needs to be delivered to the other end without delay or very less drop rates, so in such scenarios TCP is not suitable, here UDP will be more productive since its main purpose is to transfer data quickly without any acknowledgements.

Let’s continue now with TCP Header.

Let’s check all the fields one by one with header and Wireshark captures:

The above capture is taken from my laptop where I have opened a webpage to https://www.cisco.com

  1. Source Port: This is a 16-bit field indicating the source port number of the sender device in the above capture its 61955. Anything above 1-1023, since 1-1023 are reserved for valid IP applications.
  2. Destination Port: This is also a 16-bit field indicating the destination port number of the receiver device in the above capture its 443(which means its https:\request). Generally its the port number on which the application is ported ( For ex: http : 80 https : 443, telnet : 20/21 , ssh : 22)
  3. Sequence Number: This field is 32 bits value, indicates the sequence of packet, which is used to re-assemble the entire packet at the other end if the sequence is out of order. Whenever a TCP-3-way handshake is established, the sender will initiate a session with any random 32-bit sequence number, but in packet captures you will see relative sequence numbers for ease of reading.
  4. Acknowledgement: This is again a 32-bit field, used for acknowledging the source, the receiver will increment the value of the sequence number by 1, indicating I have received the current segment, and asking for next segment. For example: if the current sequence number 9(9/1000), then the receiver will acknowledge as 10/1000, which does two purpose, acknowledgement and asking for the next segment.
  5. DO/HLEN: This is 4-bit field indicating the length of your TCP header. It specifies the start of the data, from where the actual data begins.
  6. RSV: RSV is a 3-bit field reserved, not used anywhere and will be set to 0 always.
  7. Flags: There are 9 flags in TCP header, used for different individual purposes. Let’s check each and every flag in details:
  • SYN: Used to start 3-way handshake and begin initial sequence to the communications. Only send in the first packet which is sent to the receiver.
  • ACK: As the name suggests, used for acknowledgement, it is set 1 on receiving the packet and sent to the sender, also used in 3-way handshake.
  • FIN: Fin stands for finish, i.e. terminating the session once the final packet arrives and there is no more data to be sent by the host, used by sender just like TCP-SYN flag but this is used to gracefully terminate the session and making the reserves free, for more reference please refer to TCP 3-way termination blog.
  • RST: Its similar to FIN flag, but here the session is terminated instantly before waiting for the final packet, it is generally set when the receiver is not expecting the particular packet from the host, and thinks there is some sort of issue in the on-going TCP connection.
  • PUSH: Push as the name suggest push the packet immediately by the application to the end user, before even waiting to re-form the entire TCP segment. In short it tells the receiver to deliver and process the packets without keep them in waiting queue or buffering.
  • URG: Urgent is a type of pointer flag like in QOS, this packet which is set as URG should be delivered and preferred over all the other packets. If URG is set, the data should be immediately process and sent to the application layer even if there are any other packets in the queue.
  • ECN-ECHO: ECN is used to indicate network congestion to TCP Sender. If ECN =1, TCP peer is ECN capable, if ECN=0, then in the IP header, in the TOS field, there is field called IP ECN, which indicates congestion in the network, so transfer data accordingly. Reference RFC: https://tools.ietf.org/html/rfc3168
  • CWR (Congestion Window Reduced):  CWR is like an acknowledgement to the congestion whenever, host receives a packet with ECE(ECN=1), it will acknowledge that with CWR=1.
  • Nonce: The nonce sum flag is still an experimental flag used to help protect against accidental malicious concealment of packets from the sender. Reference RFC: https://tools.ietf.org/html/rfc3540

8) Window:

  • Window is a 16-bit field which indicates that how much bytes of data is the end receiver capable of receiving, this is automatically negotiated between the devices depending on many factors like underlying technologies, bandwidth, congestion etc.
  • This is also termed as sliding/slotted windowing or TCP windowing.
  • The window size can be increased or decreased depending upon the factors mentioned above.
  • As you can see below in the packet capture, WS gets changed and it keeps on changing, so it can be either fixed or sliding, below is example of sliding, PC or hosts negotiates one value on which they both agree and the data transfer happens.
  1. Checksum: Checksum again it is 16-bit field, which is used to confirm if the TCP header is ok or corrupted.
  2. Urgent Pointer: The urgent pointer is only used, where URG bit was set, this pointer is used to point the end of the data sequence in which URG bit was enabled, which means end of urgent data.
  3. Options: 32-bit optional field and it is Variable 0–320 bits, in units of 32 bits.

This is all about TCP header, if you have any question or any queries please comment and let us know we will assist you.

Related blog posts