TCP State Diagram

Every TCP connection begins in a CLOSED state—nothing exists, no resources allocated, no communication possible. Through establishment, data transfer, and termination, the connection traverses various states, ultimately returning to CLOSED. This circular journey is the fundamental rhythm of TCP communication.

In this final page of our TCP state diagram exploration, we'll complete the picture by examining the passive closer's termination states (CLOSE_WAIT and LAST_ACK), understand what the CLOSED state truly represents, and synthesize our understanding into a comprehensive view of the complete TCP state machine. We'll also address common issues that arise from state mismanagement and establish best practices for robust connection handling.

By the end of this page, you'll have a complete mental model of TCP connection lifecycles—from birth through death and back to potential rebirth—enabling you to debug, optimize, and reason about TCP behavior in any context.

We've examined the active closer's journey (ESTABLISHED → FIN_WAIT_1 → FIN_WAIT_2 → TIME_WAIT → CLOSED). Now let's examine the other side—the endpoint that receives the first FIN.

CLOSE_WAIT: Waiting for Application to Close

Entry: Receive FIN from peer while in ESTABLISHED; send ACK

Meaning: The peer has finished sending, but our application hasn't called close() yet.

Duration: Entirely controlled by our application—how long until it calls close()?

This state is fundamentally different from the active closer's states because:

• FIN_WAIT states are kernel-controlled (waiting for network events)
• CLOSE_WAIT is application-controlled (waiting for close() call)

    Active Closer                    Passive Closer (You)
    ─────────────                    ───────────────────
    ESTABLISHED                      ESTABLISHED
         │                                │
         │ ────── FIN ──────────────────▶ │
    FIN_WAIT_1                            │
         │                                │ recv() returns 0
         │                                │ (EOF indicator)
         │ ◀────── ACK ─────────────────  │
    FIN_WAIT_2                       CLOSE_WAIT
         │                                │
         │                           (Application processes
         │                            remaining data)
         │                                │
         │                           close() called
         │ ◀────── FIN ─────────────────  │
         │                           LAST_ACK
    TIME_WAIT                             │
         │ ────── ACK ──────────────────▶ │
         │                            CLOSED

What Happens in CLOSE_WAIT

From the application's perspective:

1. recv() returns 0 (EOF)—peer has closed their side
2. Application knows no more data is coming from peer
3. Application may still have data to send (and should send it now)
4. Application eventually calls close() (or shutdown(SHUT_WR))

If the application ignores the EOF and never closes:

• Socket remains in CLOSE_WAIT forever
• Kernel cannot clean it up (application still owns the fd)
• This is a resource leak

LAST_ACK: Awaiting Final Acknowledgment

Entry: Application calls close(); kernel sends FIN

Meaning: We've sent our FIN, waiting for peer's ACK

Duration: Brief—typically one RTT

LAST_ACK to CLOSED

When the final ACK arrives:

1. Transition to CLOSED
2. Kernel releases all socket resources
3. File descriptor becomes invalid
4. Connection completely terminated

Note: The passive closer goes directly to CLOSED—no TIME_WAIT needed. TIME_WAIT is only on the side that sends the first FIN (the active closer). The passive closer's final segment was FIN, and the peer's ACK is sufficient confirmation.

The CLOSED state is a bit of a philosophical concept in TCP—it represents the absence of a connection rather than a connection in a particular state. A socket in CLOSED state isn't really a socket at all; it's the condition before creation or after destruction.

What CLOSED Means

Before connection:

• No socket exists
• No kernel resources allocated
• The 4-tuple (source IP, source port, dest IP, dest port) is not tracked

After connection:

• Socket has been destroyed
• All kernel resources freed
• Port available for reuse (subject to TIME_WAIT if active closer)
• File descriptor invalid (closed or reused)

Resource Cleanup at CLOSED

When a connection reaches CLOSED, the kernel:

1. Releases memory — Socket structures, buffers, queues freed
2. Closes file descriptor — If application hadn't already
3. Updates statistics — Connection counts, traffic metrics
4. Frees port — Local port available for new connections
5. Removes from tables — Connection tracking, NAT tables, etc.

Observing CLOSED State

You generally cannot observe CLOSED state:

# This shows existing connections, not CLOSED ones
ss -tan
netstat -tan

# CLOSED connections are gone - nothing to show

The only way to "see" CLOSED is by not seeing the connection in state listings.

Abnormal Transitions to CLOSED

Not all paths to CLOSED are graceful:

RST (Reset) Reception:

Any State ─────── Receive RST ─────────▶ CLOSED

An RST immediately terminates the connection:

• No FIN exchange
• No TIME_WAIT
• No graceful handshake
• Possible data loss

Common RST Causes:

• Connection to non-listening port
• Application crash/termination
• Firewall injection
• Host reboot (lost state)
• TCP abort (SO_LINGER with zero timeout)

Let's now synthesize everything into the complete TCP finite state machine. This diagram represents the canonical view from RFC 793, with all possible states and transitions.

The 11 TCP States

State Categories

Connection Establishment (3 states):

• LISTEN, SYN_SENT, SYN_RECEIVED

Data Transfer (1 state):

• ESTABLISHED

Active Close (4 states):

• FIN_WAIT_1, FIN_WAIT_2, CLOSING, TIME_WAIT

Passive Close (2 states):

• CLOSE_WAIT, LAST_ACK

Baseline (1 state):

• CLOSED

Complete State Diagram (ASCII)

                              ┌─────────────────────────────────────┐
                              │                                     │
                              │             CLOSED                  │
                              │                                     │
                              └───────────────┬───────────────────┬─┘
                                    │                             │
                       Passive Open │                             │ Active Open
                       create socket│                             │ send SYN
                                    ▼                             ▼
                              ┌─────────────┐               ┌─────────────┐
                              │   LISTEN    │               │  SYN_SENT   │
                              └──────┬──────┘               └──────┬──────┘
                                     │                             │
                          Rcv SYN    │                             │ Rcv SYN+ACK
                          Snd SYN+ACK│                             │ Snd ACK
                                     ▼                             │
                              ┌─────────────┐                      │
                              │SYN_RECEIVED │◀─────────────────────┤
                              └──────┬──────┘ Rcv SYN, Snd SYN+ACK │
                                     │ Rcv ACK                     │
                                     │                             │
                                     └──────────────┬──────────────┘
                                                    │
                                                    ▼
                                             ┌─────────────┐
                                             │ ESTABLISHED │
                                             └──────┬──────┘
                                    ┌───────────────┴───────────────┐
                         Close      │                               │ Rcv FIN
                         Snd FIN    │                               │ Snd ACK
                                    ▼                               ▼
                              ┌─────────────┐               ┌─────────────┐
                              │ FIN_WAIT_1  │               │ CLOSE_WAIT  │
                              └──────┬──────┘               └──────┬──────┘
                       ┌─────────────┼─────────────┐               │
                Rcv ACK│        Rcv FIN    Rcv FIN+ACK             │ Close
                       │        Snd ACK    Snd ACK                 │ Snd FIN
                       ▼             │           │                 ▼
                ┌─────────────┐      │           │         ┌─────────────┐
                │ FIN_WAIT_2  │      │           │         │  LAST_ACK   │
                └──────┬──────┘      │           │         └──────┬──────┘
                       │             ▼           │                │
                Rcv FIN│      ┌─────────────┐    │                │ Rcv ACK
                Snd ACK│      │   CLOSING   │    │                │
                       │      └──────┬──────┘    │                │
                       │             │ Rcv ACK   │                │
                       │             ▼           ▼                ▼
                       │      ┌─────────────────────┐     ┌─────────────┐
                       └─────▶│     TIME_WAIT      │     │   CLOSED    │
                              └──────────┬──────────┘     └─────────────┘
                                         │ 2MSL Timeout
                                         ▼
                                  ┌─────────────┐
                                  │   CLOSED    │
                                  └─────────────┘

Key Transition Rules

1. Only one path to LISTEN: CLOSED → LISTEN (passive open)
2. Only one path to TIME_WAIT: From FIN_WAIT_1, FIN_WAIT_2, or CLOSING
3. Only active closer enters TIME_WAIT: Passive closer goes directly to CLOSED
4. RST from any state goes to CLOSED: Not shown in diagram for clarity
5. ESTABLISHED is the only data transfer state: All other states are transitional

Understanding the state machine helps diagnose real-world connection problems. Here are the most common issues and their state-based explanations.

The CLOSE_WAIT Leak (Most Common Application Bug)

Symptom: Thousands of connections in CLOSE_WAIT, growing over time

Cause: Application reads EOF (recv returns 0) but never calls close()

Diagnosis:

# Count CLOSE_WAIT sockets
ss -tan state close-wait | wc -l

# Find responsible process
ss -tanp state close-wait

# Watch growth rate
watch -n5 'ss -tan state close-wait | wc -l'

Common Code Patterns That Cause This:

# BUG: Never closes on clean disconnect
def handle_client(sock):
    while True:
        data = sock.recv(1024)
        if not data:
            break  # EOF received, but socket never closed!
        process(data)
    # Missing: sock.close()

# FIX: Always close socket
def handle_client_fixed(sock):
    try:
        while True:
            data = sock.recv(1024)
            if not data:
                break
            process(data)
    finally:
        sock.close()  # Always close, even on break

Solution: Audit code for socket lifecycle management. Use context managers or finally blocks to ensure close().

The "Too Many Open Files" Problem

Symptom: EMFILE or ENFILE errors, cannot accept new connections

Root cause: File descriptors exhausted—sockets are files in Unix

Often related to:

• CLOSE_WAIT leak (sockets never closed)
• Connections not being cleaned up on error
• Accept rate exceeds close rate

Diagnosis:

# Check file descriptor limits
ulimit -n         # Per-process limit
cat /proc/sys/fs/file-max  # System-wide limit

# Count open fds for a process
ls /proc/<PID>/fd | wc -l

# Count total open sockets
ss -s

Half-Open Connection Accumulation

Symptom: Many SYN_RECEIVED sockets, server unresponsive

Cause: SYN flood attack or misconfigured load balancer

Solution:

# Enable SYN cookies
sysctl -w net.ipv4.tcp_syncookies=1

# Increase SYN backlog
sysctl -w net.ipv4.tcp_max_syn_backlog=4096

# Reduce SYN+ACK retries (faster cleanup)
sysctl -w net.ipv4.tcp_synack_retries=2

Managing TCP connections correctly requires attention to the entire lifecycle. Here are best practices derived from our understanding of the state machine.

Socket Creation and Setup

1. Set options before connect()/listen()

// Right: options set before listen
setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt));
listen(sockfd, backlog);

// Wrong: some options ignored after listen
listen(sockfd, backlog);
setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt));  // May not work!

2. Use SO_REUSEADDR for servers

int opt = 1;
setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt));

During Connection (ESTABLISHED)

3. Handle partial reads/writes

# Don't assume recv gets everything
data = b''
while len(data) < expected_length:
    chunk = sock.recv(expected_length - len(data))
    if not chunk:
        raise ConnectionError("Peer closed prematurely")
    data += chunk

4. Set appropriate timeouts

sock.settimeout(30)  # 30 second timeout for all operations

5. Monitor for EOF in receive loops

while True:
    data = sock.recv(4096)
    if not data:  # EOF - peer closed
        break     # Exit gracefully, then close
    process(data)

Connection Closure

6. Always close sockets (use finally or context managers)

try:
    # Use socket
    pass
finally:
    sock.close()  # ALWAYS executes

7. Handle both graceful and abrupt closure

try:
    data = sock.recv(4096)
    if not data:  # Graceful close
        handle_peer_close()
except ConnectionResetError:  # Abrupt close (RST)
    handle_reset()
finally:
    sock.close()

8. Consider half-close for protocols that need it

sock.shutdown(socket.SHUT_WR)  # Send FIN, keep receiving
while True:
    response = sock.recv(4096)
    if not response:
        break
    process(response)
sock.close()

In production systems, monitoring TCP states provides early warning of problems and helps with capacity planning.

Key Metrics to Track

Connection Counts by State:

# One-liner for all states
ss -tan | awk 'NR>1 {states[$1]++} END {for (s in states) print s, states[s]}'

# Specific states to track:
# - ESTABLISHED: Active connections (capacity indicator)
# - TIME_WAIT: Recent closures (normal at high traffic)
# - CLOSE_WAIT: Application bugs (should be near zero)
# - SYN_RECV: Connection queue depth (attack indicator)

Connection Rate:

# New connections per second (from /proc)
watch -n1 'cat /proc/net/snmp | grep Tcp: | tail -1 | awk "{print \$6}"'

Error Counters:

# See retransmits, resets, failures
netstat -s | grep -i "retransmit\|reset\|failed\|overflow"

Alerting Thresholds

We've completed our comprehensive exploration of the TCP state machine—from the emptiness of CLOSED through establishment, data transfer, and termination, back to CLOSED.

Complete State Machine Summary

Module Complete

You've now mastered the TCP state diagram—one of the most important concepts in network programming. This knowledge enables you to:

• Debug connection issues by correlating symptoms to states
• Write robust socket code with proper lifecycle management
• Optimize high-traffic servers by understanding state accumulation
• Detect attacks and anomalies through state monitoring
• Reason about protocol behavior in any networking context

The TCP state machine may seem complex at first, but it's actually a beautifully systematic design that handles all the edge cases of reliable communication over unreliable networks. Each state has a purpose; each transition has meaning. This systematic approach is why TCP has been the foundation of the Internet for over four decades.