TCP

Also known as: Transmission Control Protocol

Transmission Control Protocol — a reliable, connection-oriented transport protocol that guarantees ordered, error-checked delivery of packets between applications.


What is TCP?

TCP (Transmission Control Protocol) is the reliable, connection-oriented transport layer protocol used by most internet applications. Defined in RFC 9293 (the 2022 modernization of the original RFC 793), TCP sits on top of IP and guarantees that data sent by one application arrives in order, without duplication, and without corruption at the other end. HTTP, HTTPS, SSH, SMTP, FTP, and most other common protocols run on TCP.

The three-way handshake

Before any data flows, TCP establishes a connection with a three-way handshake:

  1. SYN — client sends a SYN packet with an initial sequence number
  2. SYN-ACK — server replies acknowledging the client's SYN and sending its own
  3. ACK — client acknowledges the server's SYN; connection is now open

This handshake is also the mechanism used by port scanners — if the SYN-ACK comes back, the port is open; if RST comes back, it's closed; if nothing comes back, it's filtered by a firewall.
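How a sensor can apply the SYN-ACK / RST / no-reply rule above to spot scanning, as an added example that is not part of the original entry. The packet records, their field layout, the function names and the three-port threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records: (src_ip, src_port, dst_ip, dst_port, flags).
PACKETS = [
    ("198.51.100.7", 51000, "10.0.0.5", 443, "SYN"),      # ordinary client
    ("10.0.0.5", 443, "198.51.100.7", 51000, "SYN-ACK"),
    ("198.51.100.7", 51000, "10.0.0.5", 443, "ACK"),      # handshake completed
    ("203.0.113.9", 40001, "10.0.0.5", 22, "SYN"),        # probe of a listening port
    ("10.0.0.5", 22, "203.0.113.9", 40001, "SYN-ACK"),
    ("203.0.113.9", 40001, "10.0.0.5", 22, "RST"),        # no final ACK is ever sent
    ("203.0.113.9", 40002, "10.0.0.5", 23, "SYN"),        # nothing listening
    ("10.0.0.5", 23, "203.0.113.9", 40002, "RST"),
    ("203.0.113.9", 40003, "10.0.0.5", 3389, "SYN"),      # dropped, no reply at all
]


def classify(packets):
    """Map each 4-tuple that sent a SYN to established/open/closed/filtered."""
    state = {}
    for src, sport, dst, dport, flags in packets:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "SYN":
            state[fwd] = "filtered"        # stays filtered if nothing answers
        elif flags == "SYN-ACK" and rev in state:
            state[rev] = "open"            # a listener answered the SYN
        elif flags == "RST" and state.get(rev) == "filtered":
            state[rev] = "closed"          # server refused the SYN
        elif flags == "ACK" and state.get(fwd) == "open":
            state[fwd] = "established"     # client finished the handshake
    return state


def suspected_scanners(packets, min_ports=3):
    """Sources that probed >= min_ports ports (assumed threshold) and completed none."""
    ports, completed = defaultdict(set), defaultdict(int)
    for (client, _sport, server, dport), st in classify(packets).items():
        ports[client].add((server, dport))
        completed[client] += st == "established"
    return sorted(c for c in ports if len(ports[c]) >= min_ports and completed[c] == 0)


if __name__ == "__main__":
    for conn, st in classify(PACKETS).items():
        print(conn, st)
    print("suspected scanners:", suspected_scanners(PACKETS))
```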

Reliability features

TCP provides guarantees that IP alone doesn't:

  • Sequence numbers let the receiver reassemble packets into the right order even if they arrive out of order
  • Acknowledgments (ACKs) confirm every segment was received; unacknowledged segments are retransmitted
  • Checksums detect packet corruption
  • Flow control (sliding window) prevents the sender from overrunning a slow receiver
  • Congestion control (slow start, congestion avoidance, fast retransmit) backs off when the network is overloaded

TCP vs. UDP

UDP trades all of these guarantees for lower overhead — no handshake, no retransmission, no ordering. TCP is the right choice when correctness matters (web, email, SSH). UDP is right when latency and simplicity matter more (DNS, video calls, games).

TCP connections are identified by the 4-tuple (source IP, source port, destination IP, destination port). See our glossary entry on ports for how port numbers are assigned.

Frequently Asked Questions

IP (Internet Protocol) handles addressing and routing — it gets a single packet from one IP address to another, with no guarantees about whether it arrives. TCP runs on top of IP and adds connection state, sequencing, retransmission, ordering, and congestion control, turning unreliable single-packet delivery into reliable in-order byte streams. They are two layers of the same stack — "TCP/IP" is the combination.

The handshake exchanges initial sequence numbers in both directions and confirms that both sides are willing and reachable before any data is sent. The third ACK proves the server's SYN-ACK arrived, so the server knows the client received its sequence number too. Skipping any step would let an attacker forge the source IP on a SYN and trick the server into sending data to a victim — exactly the design flaw that "TCP reset" attacks exploit.

An open TCP port has a process actively listening on it that will complete the three-way handshake when probed. A closed port responds with a RST packet, telling the prober the host is reachable but no service is listening. A filtered port returns nothing — typically because a firewall silently dropped the probe. From an attacker's perspective, open ports are entry points; from an admin's perspective, only ports you intentionally open should appear.

HTTPS over HTTP/1.1 and HTTP/2 runs on TCP — typically port 443. The TLS handshake happens after the TCP three-way handshake, so a single HTTPS request requires at least two round trips before any application data is sent (one for TCP, one for TLS 1.3, more for TLS 1.2). HTTP/3 changes this by running over QUIC on UDP instead, collapsing the connection-and-encryption setup into a single round trip.

Slow start is TCP's initial congestion-control phase. When a connection opens, TCP does not yet know the network's capacity, so it starts by sending only a few segments and doubles the number every round-trip until a packet is lost or the receiver's window is reached. The doubling is logarithmic, not literally slow — it ramps from a few packets to many thousands within a handful of round-trips. The mechanism prevents new connections from immediately overloading a congested link.