1. Transmission Control Protocol--the big kahoona of the Internet Protocols. TCP takes the information to be generated by an application and passes it to the IP (Internet Protocol) to be transmitted. IP is responsible for getting a packet of information from one host to another, while TCP is responsible for making sure messages get from one host to another and that the messages are understood. From Glossary of Distance Education and Internet Terminology

2. Transmission Control Protocol. The chief transport protocol for TCP/IP. Key point: TCP is "connection oriented". This means the three-way handshake must be completed before any data can be sent across the connection. This makes IP address spoofing impossible without sequence number prediction. Key point: TCP creates a virtual "byte stream" for applications. Therefore, applications that send/receive data must create their own boundaries, such as length encoding the data, or send text data a line at a time. However, in practice, applications do indeed send data aligned on packet boundaries. Most network-based intrusion detection systems depend upon these boundaries in order to work correctly. Therefore, they can easily be evaded by custom written scripts that misalign the data. The applications don't see any difference, but the NIDS see something completely different go across the wire that no longer matches their signatures. Contrast: There are two transport protocols: TCP and UDP. Whereas TCP is connection-oriented, UDP is connectionless, meaning UDP-based applications are easily spoofed. TCP Format: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Port | Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Acknowledgment Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data | |U|A|P|R|S|F| | | Offset| Reserved |R|C|S|S|Y|I| Window | | | |G|K|H|T|N|N| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Checksum | Urgent Pointer | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Options | Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Sequence Number^ The sequence number of the first byte within this packet. Acknowledgement Number^ The next expected sequence number of packets coming in the opposite direction. Reserved^ Not used. Note that this "field" is actually two fields: the low-order bits of the data offset byte and the high-order bits of the flags byte. Key point: The two undefined flags in this field are handled differently by different systems, which allows them to be fingerprinted URG^ The urgent flag is used to send what is known as out-of-band data. Key point: TCP/IP stacks often don't implement this right, and virtually no application uses it either. In fact, the WinNuke DoS attack against Windows was due to the fact that Windows would crash on URG data. ACK^ When set, the Acknowledgement Number field is valid. Key point: This bit is set in every packet but the first one, because every TCP packet acknowledges the last data it received. Key point: In order to block incoming connections, firewalls typically only pay attention to TCP packets with the ACK bit == 0. In other words, by blocking the first packet of a TCP connection, you prevent the connection from being established in the first place. Key point: Hackers can usually send TCP packets through a firewall by setting the ACK bit. Even though hackers cannot connect to a service, they can still do things like port scanning using this technique. PSH^ Normally, TCP tries to coalesce multiple packets into a single packet in order to improve throughput performance (handling one big chunk is more efficient than smaller chunks), but at the cost of latency (after receiving the first chunk, it must wait a little bit to see if a second chunk arrives). This bit tells the stack to push the data though immediately without waiting. RST^ Informs the other side that an error has occurred. This will either drop the connection or set it back to a known state. Key point: Different TCP/IP stacks send resets in response to different conditions, which can be used to fingerprint the stack. SYN^ Begins a connection. The most important consideration is synchronizing the sequence numbers on both sides. See SYN for more information. FIN^ Closes a connection. Key point: If you send a FIN packet to an open port, it should not respond. Some incorrectly written stacks respond anyway, allowing you to fingerprint a system. Key point: IDS systems monitoring network traffic will sometimes kill TCP sessions by spoofing a FIN packet. Thus, when it detects an intruder connected to a server, it will make the server think the intruder has hung-up, and the server will likewise hang-up. From Hacking-Lexicon