OPERATOR REFERENCE · LAYER 4

Layer 4 Field Reference
TCP, UDP & Port Behavior

TCP vs UDP → ports → header → handshake → windowing → teardown → connection walkthrough
[Diagram: TCP 3-way handshake between CLIENT (ephemeral port 51402) and SERVER (listening port 443)]

01 TCP vs UDP

| Property | TCP | UDP |
|---|---|---|
| Connection | Connection-oriented (handshake first) | Connectionless — just send |
| Reliability | Guaranteed delivery, retransmits lost segments | Best-effort, no retransmission |
| Ordering | In-order delivery via sequence numbers | No ordering guarantee |
| Flow control | Sliding window, congestion control | None built in |
| Overhead | Higher — header + handshake + ACKs | Lower — minimal header |
| Header size | 20–60 bytes | 8 bytes |
| Typical use | Web (HTTPS), SSH, email, file transfer | DNS, VoIP, video streaming, DHCP |

02 Port Ranges & Common Ports

Well-Known

0–1023 — reserved for standard services (HTTP, SSH, DNS). Require root/admin to bind on most systems.

Registered

1024–49151 — assigned to specific applications (e.g. 3306 MySQL, 8080 alt-HTTP), not reserved by the OS.

Dynamic / Ephemeral

49152–65535 — assigned temporarily by the OS as the source port for outbound client connections.

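| Port | Protocol | Transport |
|---|---|---|
| 20 / 21 | FTP (data / control) | TCP |
| 22 | SSH | TCP |
| 23 | Telnet | TCP |
| 25 | SMTP | TCP |
| 53 | DNS | TCP/UDP |
| 67 / 68 | DHCP (server / client) | UDP |
| 80 | HTTP | TCP |
| 123 | NTP | UDP |
| 161 / 162 | SNMP (poll / trap) | UDP |
| 179 | BGP | TCP |
| 443 | HTTPS | TCP |
| 3389 | RDP | TCP |
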
03 TCP Header (Key Fields)
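
| Field | Size / contents | Role |
|---|---|---|
| Src Port | 2 B | port addressing |
| Dst Port | 2 B | port addressing |
| Sequence Number | 4 B | ordering / reliability |
| Acknowledgment Number | 4 B | ordering / reliability |
| Flags | SYN·ACK·FIN·RST·PSH·URG | control flags |
| Window Size | 2 B | flow control |
| Checksum | 2 B | integrity |
| Options + Data | variable | payload |
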
04 TCP Flags

| Flag | Meaning |
|---|---|
| SYN | Synchronize — initiates a connection, proposes an initial sequence number |
| ACK | Acknowledges receipt of data or a SYN — set on almost every segment after the handshake |
| FIN | Finish — sender has no more data, begins graceful teardown |
| RST | Reset — abruptly terminates, usually because the port is closed or the connection is invalid |
| PSH | Push — tells the receiver to hand data to the application immediately, don't buffer |
| URG | Urgent — marks urgent data in the segment (rarely used today) |

05 Three-Way Handshake

  CLIENT → SERVER: SYN seq=x
  SERVER → CLIENT: SYN-ACK seq=y, ack=x+1
  CLIENT → SERVER: ACK ack=y+1

connection ESTABLISHED — data transfer begins

06 Data Transfer, Windowing & Teardown
Sequence & Ack Numbers

Every byte sent is numbered. ACK confirms "received everything up to this byte" — missing bytes trigger retransmission.

Sliding Window

Receiver advertises how many unacknowledged bytes it can buffer — sender throttles to match, preventing overload.

MSS

Maximum Segment Size — largest chunk of data per segment, negotiated during the handshake, tied to path MTU.

Graceful Teardown (4-way)

  1. Initiator sends FIN
  2. Peer ACKs it
  3. Peer sends its own FIN
  4. Initiator ACKs — connection closed

Abrupt Termination

A single RST immediately kills the connection — no graceful exchange. Common when connecting to a closed port or after a crash/timeout.

07 Sockets
The 5-Tuple

A unique connection is identified by: protocol, source IP, source port, destination IP, destination port. This is what lets a server handle thousands of simultaneous clients on the same listening port.

08 What Happens — Client Connects to a Server

1. OS picks an ephemeral source port (Socket creation)

The client application asks the OS to connect; the OS assigns a free source port from the dynamic range (e.g. 51402) to identify this specific connection.

2. SYN sent (Handshake step 1)

Client sends a segment with the SYN flag set and a random initial sequence number (ISN), proposing to open a connection to the server's listening port.

3. Server replies SYN-ACK (Handshake step 2)

If the port is open and listening, the server responds with its own SYN plus an ACK of the client's ISN+1. If the port is closed, it instead replies with RST.

4. Client ACKs — connection established (Handshake step 3)

Client sends the final ACK. Both sides now have agreed sequence numbers and window sizes — the socket moves to ESTABLISHED state on both ends.

5. Data exchanged with sequence/ack tracking (Reliable transfer)

Application data flows in both directions. Each segment increments the sequence number by the bytes sent; each ACK confirms bytes received, triggering retransmission of anything lost.

6. Window size adjusts dynamically (Flow control)

As buffers fill or drain, each side updates its advertised window in every segment — this is how TCP self-throttles to match receiver capacity and network conditions.

7. Connection torn down (Teardown)

When done, either side initiates the 4-way FIN/ACK exchange (or a RST if something goes wrong) — the socket enters TIME_WAIT briefly on the initiator's side before fully closing.

09 UDP Behavior

No Handshake

Sender just transmits — no setup, no session state maintained.

No Delivery Guarantee

Lost packets stay lost — the application layer must handle retries if it cares (e.g. DNS retry logic).

Why Use It

Lower latency and overhead — ideal where speed matters more than perfect delivery (voice, video, real-time gaming).

10 Common Layer 4 Faults

| Symptom | Likely Cause |
|---|---|
| Immediate RST on connect | Port closed / nothing listening on that port |
| Connection hangs, then times out | Firewall silently dropping (filtered), not actively rejecting |
| Slow transfer, lots of retransmits | Packet loss on the path, MTU/MSS mismatch causing fragmentation |
| Works on LAN, fails externally | NAT/port-forwarding not mapping the port correctly |
| Many sockets stuck in TIME_WAIT | High connection churn — often normal, but can exhaust ports under load |

| Check | Command |
|---|---|
| Listening ports | netstat -an / ss -tuln |
| Active connections | netstat -ano |
| Quick port reachability | telnet host port / nc -zv host port |
| Full port scan | nmap host |
| Packet-level detail | tcpdump / Wireshark |
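
Added example (not part of the original reference): a Python pass over a capture summary that keys each flow by its 5-tuple, follows the connection walkthrough in section 08, and reports the matching symptom from the fault table above. The record layout, state names and sample segments are constructed for illustration, and the addresses come from documentation ranges.

```python
# Observer-side states mapped to the symptoms in the fault table.
VERDICT = {
    "SYN_SENT": "filtered: SYN unanswered (silently dropped)",
    "REFUSED": "closed port: RST in reply to SYN",
    "SYN_RCVD": "half-open: final ACK never seen",
    "ESTABLISHED": "established",
    "CLOSING": "closing: FIN seen from one side",
    "CLOSED": "graceful teardown: FIN from both sides",
    "RESET": "aborted: RST after handshake",
}

def classify_flows(segments):
    """segments: (src_ip, src_port, dst_ip, dst_port, "FLAG|FLAG") in capture order."""
    flows = {}
    for src_ip, sport, dst_ip, dport, flag_str in segments:
        flags = set(flag_str.split("|"))
        fwd = ("TCP", src_ip, sport, dst_ip, dport)   # 5-tuple as sent
        rev = ("TCP", dst_ip, dport, src_ip, sport)   # same flow, reply direction
        if fwd not in flows and rev not in flows:
            if flags == {"SYN"}:                      # a bare SYN opens a new flow
                flows[fwd] = {"state": "SYN_SENT", "fins": set()}
            continue                                  # mid-stream segments are ignored
        from_client = fwd in flows
        f = flows[fwd if from_client else rev]
        state = f["state"]
        if "RST" in flags:
            f["state"] = "REFUSED" if state in ("SYN_SENT", "REFUSED") else "RESET"
        elif state == "SYN_SENT" and not from_client and flags == {"SYN", "ACK"}:
            f["state"] = "SYN_RCVD"
        elif state == "SYN_RCVD" and from_client and "ACK" in flags:
            f["state"] = "ESTABLISHED"
        elif state in ("ESTABLISHED", "CLOSING") and "FIN" in flags:
            f["fins"].add(from_client)                # track which side has sent FIN
            f["state"] = "CLOSED" if len(f["fins"]) == 2 else "CLOSING"
    return {key: VERDICT[f["state"]] for key, f in flows.items()}

# Constructed capture summary (documentation addresses, not real traffic).
C, S = "192.0.2.10", "198.51.100.5"
SAMPLE = [
    (C, 51402, S, 443, "SYN"), (S, 443, C, 51402, "SYN|ACK"), (C, 51402, S, 443, "ACK"),
    (C, 51402, S, 443, "PSH|ACK"), (C, 51402, S, 443, "FIN|ACK"), (S, 443, C, 51402, "ACK"),
    (S, 443, C, 51402, "FIN|ACK"), (C, 51402, S, 443, "ACK"),
    (C, 51403, S, 23, "SYN"), (S, 23, C, 51403, "RST|ACK"),
    (C, 51404, S, 3389, "SYN"), (C, 51404, S, 3389, "SYN"), (C, 51404, S, 3389, "SYN"),
]

if __name__ == "__main__":
    for flow, verdict in classify_flows(SAMPLE).items():
        print(flow, "->", verdict)
```

A flow that stays in SYN_SENT after repeated SYNs corresponds to the "hangs, then times out" row, while REFUSED corresponds to the "immediate RST on connect" row.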