Connection States: The Life Cycle & Monitoring
Every TCP connection goes through a series of phases from birth to death. Understanding these phases is critical for firewalling, troubleshooting, and detecting heartless attacks.
Analogy: Think of it as a customer at a restaurant.
- LISTEN: The host is waiting at the door.
- ESTABLISHED: The customer is currently eating.
- TIME_WAIT: The table is being cleared after they left.
5. Connection States
A Socket (IP:Port pair) transitions through these main states:
| State | Meaning | Cyber Significance |
|---|---|---|
| LISTEN | Waiting for a connection request. | Open door; target for port scanning. |
| SYN_SENT | Client has sent SYN, waiting for SYN-ACK. | Seen on the client side; indicates an outgoing connection attempt. |
| SYN_RECEIVED | Received a SYN; sent SYN-ACK. | High count = potential SYN Flood attack. |
| ESTABLISHED | Active connection; data flowing. | Success! Target for monitoring C2 traffic. |
| FIN_WAIT_1 & 2 | Waiting for the other side to finish closing. | Early stages of termination. |
| CLOSE_WAIT | The other side closed; waiting for local app. | High count = bug in local software (leaking sockets). |
| LAST_ACK | Final step before closing completely. | Last stage of termination. |
| TIME_WAIT | Closed; cooling down to avoid reuse errors. | Normal, but can exhaust local port pool in high-traffic sites. |
| CLOSED | No connection exists. | Starting point and ending point of every socket. |
Why TIME_WAIT exists: To prevent "phantom connections." It ensures any delayed packets from an old session are discarded before a new session starts on the same port.
As a security professional, you need to see what's happening on your machine right now. We
use netstat or the faster ss command.
Key Monitoring Flags:
-t: TCP connections only-u: UDP connections only-l: Listening sockets only-a: All sockets (Listening and Established)-n: Numeric (don't resolve IPs to names, much faster!)-p: Show the Program/PID that owns the connection.-o: Show timers and networking ownership (useful for Windows troubleshooting).
The Gold Standard Command:
netstat -tulnpThis shows every TCP/UDP Listening socket in Numeric format with its
owning Program. If you see a weird program (like nc or bash)
listening on Port 4444, you've found a backdoor!
🛑 Phase 5 Wrap-Up
- Ports: 0-1023 (Well-Known), 1024-49151 (Registered).
- Protocols: TCP (Reliable/Handshake), UDP (Fast/Fire-and-Forget).
- Attacks: SYN Flooding exploits the server's backlog queue.
- Monitoring:
netstatis your X-ray for active network connections.
Practical uses: Firewall config, nmap analysis, malware discovery.
📚 Sources & References
- RFC 793: State machine diagrams.
- Linux Man:
ss(8)manual page. - Security Auditing: SANS Institute guide on
netstatanalysis.
