I'm using the command nc to simulate the TCP connection with a client and a server.
I execute the command nc -l 1234 and tcpdump -i eth0 port 1234 at the server and I execute the command nc IP_OF_SERVER 1234 at the client.
Then I type abcd and a Ctrl+D at the client.
On the terminal of tcpdump, I get the output as below:
13:35:11.800516 IP 172.19.48.20.51678 > 172.19.48.2.1234: Flags [S], seq 3620507131, win 29200, options [mss 1460,sackOK,TS val 2065731649 ecr 0,nop,wscale 7], length 0
13:35:11.800529 IP 172.19.48.2.1234 > 172.19.48.20.51678: Flags [S.], seq 451776773, ack 3620507132, win 28960, options [mss 1460,sackOK,TS val 1583409528 ecr 2065731649,nop,wscale 7], length 0
13:35:11.800586 IP 172.19.48.20.51678 > 172.19.48.2.1234: Flags [.], ack 1, win 229, options [nop,nop,TS val 2065731649 ecr 1583409528], length 0
13:35:13.793724 IP 172.19.48.20.51678 > 172.19.48.2.1234: Flags [P.], seq 1:6, ack 1, win 229, options [nop,nop,TS val 2065733642 ecr 1583409528], length 5
13:35:13.793733 IP 172.19.48.2.1234 > 172.19.48.20.51678: Flags [.], ack 6, win 227, options [nop,nop,TS val 1583410026 ecr 2065733642], length 0
13:35:18.442459 IP 172.19.48.20.51678 > 172.19.48.2.1234: Flags [F.], seq 6, ack 1, win 229, options [nop,nop,TS val 2065738291 ecr 1583410026], length 0
13:35:18.442479 IP 172.19.48.2.1234 > 172.19.48.20.51678: Flags [F.], seq 1, ack 7, win 227, options [nop,nop,TS val 1583411188 ecr 2065738291], length 0
13:35:18.442520 IP 172.19.48.20.51678 > 172.19.48.2.1234: Flags [.], ack 2, win 229, options [nop,nop,TS val 2065738291 ecr 1583411188], length 0
So, I can see that there are three-way handshake at the beginning, a sending-message with the length 5 to the server and an ack to the client, these are exactly what I expected.
However, it seems that there are only three records about disconnection. As we all know, TCP needs the four-way handshake to disconnect. Why are there only three records, instead of four?
