Application Layer in TCP Three-Way Handshake – Detailed Analysis

A TCP connection is normally terminating using a special procedure where each side independently closes its end of the link. Connections are only a pair of two-way handshakes, not the normal 3-way handshake some people expect. Normal connection shutdown states are different at each end. It normally begins with one of the application processes signaling to its TCP layer that the session is no longer needed. That device sends a FIN message to tell the other device that it wants to end the connection, which is acknowledged. When the responding device is ready, it too sends a FIN that is acknowledged; after waiting a period of time for the ACK to be received, I believe its 4 mins, the session is closed.

The TCP protocol detects and responds to various problems that can occur during an established connection. One of the most common is the half-open connection. This occurs when one device closes the connection without the other one knowing about it, due to some problem with the connection, such as a bad network connection continuously flapping, which sounds like what you're experiencing. This means one device is in the ESTABLISHED state while the other may be in the CLOSED state, or some other transient state. This can cause states of the two devices to become unsynchronized.

TCP handles these half-open connections with the RST reset function, which is is generated whenever something happens that is “unexpected” by the TCP software.

Your client issued the RST, your http server ACK'd the RST, which should have closed the connection. However, because of the network flapping and the connection being half-open and unsynchronized, this caused some packet-loss or received out of order. This is why you also see the DUP ACK in your post.

First off the OSI model is a theoretical model, it doesn't nessacerally exactly match up with reality. Also generally layer models only show layers that actually add or remove something from the packet.

The following answer omits some minor details. Also some details may vary between operating systems, I have the most experiance with linux, some stuff may be different on other operating systems.

This answer also focuses on the basic set-up, many modern network controllers have "offload" features where features that were traditionally the responsibility of the OS kernel are taken over by the network controller.

The network controller is logically divided into two parts, the "MAC" and the "PHY". In some cases MAC and PHY may be integrated into the same chip.

The PHY does the following.

• Converting between the wire-level encoding and a stream of binary data units.
• Detecting when the line is busy (for half-duplex physical layers).
• Detecting the start and of incoming frames.
• Generating special wire-level encodings for the start and end of frames.

The MAC does the following.

• Translating between data streams at wire-rate and frames in a buffer that the OS can read/write.
• Generating/checking/stripping the preamble and FCS.
• Notifying the OS through interrupts when incoming frames have been delivered to the buffer.
• Implementing Medium access control if needed.
• Fitering incoming frames by destination MAC address.

The Kernel implements the following.

• Talking to the MAC (using a driver module).
• Building and interpreting Ethernet frames (minus the preamble and FCS).
• Implementing ARP (or ND for IPv6) to translate between IP and MAC addresses.
• Implementing building and interpretation of IP packets.
• Forwarding packets to the correct interface based on a routing table.
• Packet filtering, NAT etc.
• Major transport protocols like TCP and UDP.
• Some parts of ICMP.

Daemons and tools running outside the kernel but considered to be part of the OS implement.

• DHCP
• DNS cache (if used).
• Diagnostics like ping and traceroute.
• Configuration of kernel features.

Libraries loaded by the application are generally used to implement stuff that runs on top of TCP/UDP including:

• SSL/TLS
• DNS
• HTTP