TCP Header

This topic is to discuss the following lesson:

1 Like

hi Rene,

I have been trying to use the wireshark to see how this things are but I can’t get there. what can i do?

Hi Yassin,

What exactly is not working for you?


hi Rene,

Can you please explain this sentence–Sequence number: the sequence number is a 32 bit field that indicates how much data is sent during the TCP session.

1 Like

This has to do with how the sequence number is incremented during the TCP session. Let’s say Client A is requesting 900 Bytes of data from Server 1. Once Server 1 starts to send the actual data to Client A, the length of the payload of what is being sent directly influences the next sequence number.

So, let’s say the current Sequence number is 1, and the Server sends Client A, 300 Bytes. This means the sequence number will now be 301 (the original sequence number plus the amount of data in the payload that was just sent). Now, let’s say, after Client A acknowledges the first 300 bytes, Server 1 sends Client A 450 bytes. The new sequence number will now be 751 (301 + 450). Finally, Server 1 sends what is remaining (the last 150 bytes). This means the final sequence number would be 901 (751 + 150).

So, in this respect, the Sequence Number can be used to show the total amount of payload data that was transferred during a TCP session.



Hi Rene

From what I learned that the maximum size of data that we can send it through one TCP connection = 2^36 = 68719476736 bytes ( Equivalent 68 gigabytes ) and the number 36 came from 32 the seq number filed size plus 4 the DO filed size, please correct me if I wrong.

Best regard
Hussein Samir

Hi Rene,

The flag field has 9 bit size and you explain only six bit flags, what about the remaining 3 bit flags, can you please explain them to me ?

Best Regard
Hussein Samir

Hi Hussein,

Originally we only had 16 bits for the window size so the maximum window size was 65,535 bytes.

Thanks to window scaling (, the highest (theoretical) window size that we can use is 1073725440 bytes (~ 1 gigabyte). Two bits are used for scaling, 2^14 remains for the window size which equals 1073725440.

The space for the sequence numbers is pretty large: 32 bit. When we hit the final sequence number then it will wrap around and we start with 0 again, it works like a clock. In other words…you can keep sending data in a single TCP connection.

The first three TCP flags (NS, CWR and ECE) are for Explicit Congestion Notification (ECN) which is an extension to the TCP packet. The idea behind ECN is that routers in between the sender/receiver that detect congestion can “mark” TCP packets instead of dropping them. The receiver can then inform the source, telling it to slow down. As of today, ECN hasn’t been used much.

You can read more about it here:

Hope this helps!


Thanks Rene That was helpful for me, and I’m thinking that I have to read a lot of RFCs for best understanding everything about TCP

Dear Rene,

Could you pls. help me to understand it clearly …

How many flags in TCP ?


Hi Rene,

I failed to understand the difference between Urgent Pointer and Push Function. Urgent Pinter has highest Priority over other data and Push function; this tells an application that the data should be transmitted immediately. Please help to understand.


Hello Manami

To understand the function of the PSH flag, it is important to first understand how TCP buffers data. TCP operates at layer four of the OSI model. To allow applications to read from and write to a TCP session, buffers are implemented on both sides of a TCP connection in both directions.

Buffers allow for more efficient transfer of data when sending multiple segments of maximum size, such as when sending a large file. TCP will wait until a segment reaches its maximum size before sending it on its way. There are however some applications where this would be inappropriate. A Telnet connection for example, requires that a character be sent immediately once it is typed, even though it fills only a tiny fraction of the maximum segment size. Consider what would happen to your Telnet session if TCP waited until there was enough data to fill a segment before it would send one. You would have to type over a thousand characters before the first packet would make it to the remote device. Not very useful.

This is where the PSH flag is used. When the PSH flag is set, the segment is sent or “pushed” immediately to the remote device. Additionally, when the segment reaches the destination, TCP immediately forward the segment up to the application without waiting for its buffer to fill.

Essentially, TCP’s push capability accomplishes two things:

  1. The sending application informs TCP that data should be sent immediately.
  2. The PSH flag in the TCP header informs the receiving host that the data should be pushed up to the receiving application immediately.

The Urgent Flag has a different function. It is used to indicate that certain data within a segment is urgent and should be prioritised. If the URG flag is set, the receiving station evaluates the value of the Urgent Pointer, a 16-bit field in the TCP header. This pointer indicates what part of the data in the segment, counting from the first byte, is urgent. This is not used very often in modern networks.

I hope this has been helpful!



Hello Mohammad

I’m not quite sure what you mean when you say “how many flags in TCP.” The header contains 9 different flags which are used to establish and terminate connections and to control data flow.

If this hasn’t answered your question, please clarify.

I hope this has been helpful!


Hlw Lazaros,

Yes , got my answer . Clould you please mention that flags name ?


Here are the names of the 9 flags:

  1. Explicit Congestion Notification Nonce Concealment Protection (that’s a mouthful!)
  2. Congestion Window Reduction
  3. Explicit Congestion Notification Echo
  4. Urgent
  5. Acknowledgement
  6. Push
  7. Reset
  8. Synchronize
  9. Final

Many Thanks Andrew …

Hi Rene,
Could you please explain what is PHANTOM BYTE in tcp?

Hello Mohammad

When a TCP session is in progress, the sequence numbers are used to keep track of the number of bytes that have been transmitted within the session. When 100 bytes are sent from host A to host B, host B will respond with an ACK that is incremented by 100. If this is the beginning of the transaction and we started with a sequence number of 0, then the ACK that host B will send will be 100 indicating that the amount of data that has been received so far is 100 bytes.

During the three way handshake, the first SYN packet is sent with an initial sequence number of 0, and has no data payload. That means that the number of bytes sent is 0. Even though the payload is 0, host B responds with an ACK incremented by 1. Because the SEQ and ACK numbers are associated with the number of bytes sent and received, when this occurs, we are actually incrementing the sequence numbers when no bytes have been sent. So this is referred to as the phantom byte, where 1 byte of payload is counted when 0 have been sent.

I hope this has been helpful!



Hi Rene,

I have Three questions :-

1- You say that seq number indicate how much data is sent during the TCP session and also say the initial sequence number is a random 32 bit value, so my question is how seq number determine the amount of data that it’s sent if the seq number not start from 0 ???

2- You tell me in my old question in this topic that “When we hit the final sequence number then it will wrap around and we start with 0 again and keep sending data in a single TCP connection”, again my question is how it can indicate the amount of data that it’s sent if we reach this point ???

3- Is there any relationship between the window size and download speed ??

Hello Hussein.

First of all the sequence number doesn’t indicate how much data is sent, but the difference between the original sequence number and the acknowledgement number sent back to the reciever indicates the amount of data that has been sent in one window.

Your first two questions have to do with something called windowing which is a flow control mechanism of TCP. Specifically, when a TCP session begins, the sequence number is chosen randomly. For example, let’s say the initial sequence number is 100588. During the initial handshake, the window size is also determined. This value is in bytes. Let’s say the initial window size is 10000 bytes.

With these values, the sender begins to send segments of data until it sends the window size number of bytes. Then it waits for an acknowledgement. When the reciever recieves the 10000 bytes, it sends the acknolwegement which includes the next expected byte. The next expected byte is calculated as the initial sequence number plus the window size plus 1. So the reciever would send 100588 + 10000 + 1 = 110589 as the next expected byte.

When the sender recieves this information, he begins sending the next “window” of data, that is the next 10000 bytes beginning with byte number 110589. (Remember that this value is a relative value and not an absolute value. It is relative to the original random sequence number.)

Once those 10000 bytes are sent, the reciever sends an acknowledgement with the next expected byte which is 110589 + 10000 + 1 = 120590. The sender recives this acknowledgement and begins sending the next section of data beginning at byte number 120590 and so on.

When the value of the sequence number becomes 4294967295, which is the maximum value a 32 bit binary number can have, it then wraps around to 0 and continues counting. The devices know that an original sequence number of 4294967290 with a final sequence number of 5 will have a difference of 10.

As for your third question, the answer is yes. More accurately however, the window size determines the efficiency with which a link is utilized. Take a look at the excellent video found in this lesson which demonstrates how the window size affects the throughput of data.

I hope this has been helpful!