TCP Connection States and Netstat OutputLast reviewed: September 9, 1996Article ID: Q137984 |
The information in this article applies to:
SUMMARYThis article describes TCP connection states and how to read Netstat (NETSTAT.EXE) output. Before data transfer takes place in TCP, a connection must be established. TCP employs a three-way handshake (the details of this can be found in RFC793, Chapter 3: "Functional Specification").
MORE INFORMATION
TCP Connection StatesFollowing is a brief explanation of this handshake. In this context the "client" is the peer requesting a connection and the "server" is the peer accepting a connection. Note that this notation does not reflect Client/Server relationships as an architectural principal.
Netstat OutputThe above TCP connection states can be monitored in a network trace under the TCP flags. It is also possible to determine the status of the connection by running the Netstat utility and looking at the State column. Netstat is shipped with Windows NT, Windows 95, and TCP/IP-32 for Windows for Workgroups. State explanations as shown in Netstat:
State Explanation ------------ -------------------------------------------------------- SYN_SEND Indicates active open. SYN_RECEIVED Server just received SYN from the client. ESTABLISHED Client received server's SYN and session is established. LISTEN Server is ready to accept connection. NOTE: See documentation for listen() socket call. TCP sockets in listening state are not shown - this is a limitation of NETSTAT. For additional information, please see the following article in the Microsoft Knowledge Base: ARTICLE-ID: Q134404 TITLE : NETSTAT.EXE Does Not Show TCP Listen Sockets FIN_WAIT_1 Indicates active close. TIMED_WAIT Client enters this state after active close. CLOSE_WAIT Indicates passive close. Server just received first FIN from a client. FIN_WAIT_2 Client just received acknowledgment of its first FIN from the server. LAST_ACK Server is in this state when it sends its own FIN. CLOSED Server received ACK from client and connection is closed.As an example, consider the following scenario: A socket application has been terminated, but Netstat reports the socket in a CLOSE_WAIT state. This could indicate that the client properly closed the connection (FIN has been sent), but the server still has its socket open. This could be the result of one instance (among all threads or processes) of the socket not being closed. NOTE: It is normal to have a socket in the TIME_WAIT state for a long period of time. The time is specified in RFC793 as twice the Maximum Segment Lifetime (MSL). MSL is specified to be 2 minutes. So, a socket could be in a TIME_WAIT state for as long as 4 minutes. Some systems implement different values (less than 2 minutes) for the MSL. Additional references:
|
KBCategory: kbnetwork kbusage
© 1998 Microsoft Corporation. All rights reserved. Terms of Use. |