When you look at `ss -tn`, you do not see only ESTABLISHED. SYN_SENT, FIN_WAIT_1, TIME_WAIT: what do they mean and why do they "hang"?
Every TCP connection in your system is in one of 11 states at any
given moment. It is a finite state machine. Transitions happen on
network events (recv SYN, send FIN) and system calls (connect(),
close()).
The output of `ss -tn` or `netstat -tan` is a dump of this state machine
for every live connection on the host. When you see SYN_SENT or
TIME_WAIT there, that is a specific position in the state machine.
CLOSED. No sockets are open. This is the "default" state
for every connection, until the application calls socket() + connect() or socket() + bind() + listen().
You will not see this state in `ss`, which shows only the
active entries in the kernel TCP table.
recap
What to remember:
- CLOSE_WAIT while the other is in FIN_WAIT_2. That is normal, the two are consistent with each other
- SYN_SENT forever → the server is not responding (firewall / closed port)
- SYN_RECEIVED → a SYN-flood DDoS attack or a full backlog
- TIME_WAIT → a recent mass close of connections (normal)
- CLOSE_WAIT → a bug in the application: it received the FIN but never called close(). A socket leak
- net.ipv4.tcp_tw_reuse
- `ss -t state established` (or time-wait, syn-sent, and so on) filters by a specific state, handy for debugging

See also [[tcp-handshake|the handshake itself]] and [[tcp-retransmission|retransmission]]. They show why the transitions are exactly these and what happens to the packets.
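
The recap's readings of SYN_SENT, SYN_RECEIVED and CLOSE_WAIT depend on a connection staying in that state, which a single listing cannot show. The following is an added example, not part of the original page: it compares two constructed `ss -tan` snapshots (the 30-second gap, the addresses and the function names are assumptions) and reports connections that sit in the same short-lived state in both, translating the abbreviated names `ss` prints (ESTAB, SYN-RECV) to the ones used here.

```python
# Added example, not from the page. ss abbreviates two state names;
# the others differ from the text only by "-" vs "_".
SS_NAMES = {"ESTAB": "ESTABLISHED", "SYN-RECV": "SYN_RECEIVED"}

# Readings from the recap for states that should be short-lived.
READINGS = {
    "SYN_SENT": "server not responding (firewall / closed port)",
    "SYN_RECEIVED": "SYN flood or full backlog",
    "CLOSE_WAIT": "application received FIN but never called close()",
}

# Constructed `ss -tan` snapshots, assumed 30 s apart (documentation addresses).
SNAP_1 = """\
State      Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB      0      0      192.0.2.10:8080    198.51.100.7:51514
CLOSE-WAIT 1      0      192.0.2.10:8080    198.51.100.8:40210
SYN-SENT   0      1      192.0.2.10:45122   203.0.113.9:5432
SYN-RECV   0      0      192.0.2.10:8080    198.51.100.9:40300
TIME-WAIT  0      0      192.0.2.10:8080    198.51.100.7:51500
"""
SNAP_2 = """\
State      Recv-Q Send-Q Local Address:Port Peer Address:Port
FIN-WAIT-2 0      0      192.0.2.10:8080    198.51.100.7:51514
CLOSE-WAIT 1      0      192.0.2.10:8080    198.51.100.8:40210
SYN-SENT   0      1      192.0.2.10:45122   203.0.113.9:5432
ESTAB      0      0      192.0.2.10:8080    198.51.100.9:40300
TIME-WAIT  0      0      192.0.2.10:8080    198.51.100.7:51500
"""

def parse(ss_output):
    """Map (local, peer) -> state, using the state names from the text."""
    table = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0] != "State":  # skip header and blanks
            state = SS_NAMES.get(fields[0], fields[0].replace("-", "_"))
            table[(fields[3], fields[4])] = state
    return table

def hanging(before, after):
    """Connections sitting in the same short-lived state in both snapshots."""
    old = parse(before)
    return sorted((state, local, peer, READINGS[state])
                  for (local, peer), state in parse(after).items()
                  if state in READINGS and old.get((local, peer)) == state)

if __name__ == "__main__":
    for state, local, peer, reading in hanging(SNAP_1, SNAP_2):
        print(f"{state:<12} {local} -> {peer}: {reading}")
```

TIME_WAIT appears in both snapshots and is deliberately not reported, since the recap treats it as normal; the SYN_RECEIVED entry is also not reported because it completed the handshake between the two samples.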