Tech tips

TCP Header (Flags – Fin & Reset) # 2.6

Welcome to Blog Post  # 7

What you get by achieving your goals is not as important as what you become by achieving your goals.-Zig Ziglar

In this, we will discuss TCP Flags “FIN” & “RST”

Key Takeaway :

  • TCP FIN Flag
  • TCP RST Flag

1. TCP FIN Flag

FIN flag use for Connection Termination.

The FIN Flag is just like the SYN Flag, which occupies 1 Byte of Sequence Number space. The advertised window appears 1 Byte smaller because TCP allows room for 1 Byte of Sequence Number occupied by FIN Flag.

TCP FIN is called a TCP Oderly release that goes from the client to server and server to the client.

When one side sends FIN, this means “I am done”. Received everything, now it’s time to shut down the connection. Another side also sends FIN, now both the side terminate the connection. This is an orderly shutdown.

TCP connection specifically has a timer open, and if after a certain amount of activity or idle or even the application itself trigger, this connection is done its usefulness is completed. Now we want to shut the connection.

2. TCP RST Flag

In contrast to RST (Reset). TCP reset can happen at any point in time this is an abortive release. This is where we see an abrupt disconnect happen.

This can happen with the first connection of TCP Handshake.

2.1 Example :

The client sends the SYN for Port 23, the server is not listening to port 23, it sends a RESET Flag. This is not the only place where TCP Reset the connection, it can also happen anywhere along with the TCP connection.

TCP Reset is not the orderly release of connection shutdown, rather one side of the other aborted the connection abruptly.


In this PCAP, after the SYN, the server reset the connection immediately. Check the TTL value this Reset sent by the firewall. Instead of the actual end device.

TTL 58, this is the unrouted packet. This packet not even gets to the server. Coming from a firewall to support user going through it. So the firewall Reset the new connection.

Client send FIN to the server, we see that happen after inactivity.

So could be the client-side what needs to send, whatever data to be received we are good to go and now we are going to send Reset to tear down.

This is basically TCP cleaning up the connection.

2.2 Connection Request to Non-Existence Port :

A common cause for generating a Reset is when a connection request arrives and no process is listening on the destination port.

In the case of UDP, an ICMP port unreachable was generate when a datagram arrives for a destination port that was not in the use. TCP uses reset instead.

2.3 Aborting a Connection

The normal way to terminate a connection, from one side is FIN. This is Orderly Release. As FIN is sent after all previously queue data release and there is no loss of data.

It’s also possible to abort a connection by sending a reset instead of FIN. This is an abortive release.

2.4 Detecting Half Open Connection :

A TCP connection is said to be half-open if one end close or abort the connection without the knowledge of the other end.

As long as there is no attempt to transfer data across a half-open connection, the end that’s still up won’t detect that the other end has crashed.


Comment here