BiTree

Live coding lessons for aspiring developers and security professionals.

© 2026 BiTree. All rights reserved.
45 min · Beginner

TCP vs UDP: The Protocol Difference

After this lesson, you will be able to explain the TCP three-way handshake and teardown, sequence numbers and flow control, and how UDP differs and where it is used, and to capture a real handshake in Wireshark.

TCP and UDP are the two transport protocols almost everything runs on. This lesson covers the TCP three-way handshake and four-way teardown in detail, sequence and acknowledgment numbers, flow control, how UDP trades reliability for speed, the security differences between them, and a Wireshark lab to capture a handshake on loopback.

Prerequisites: How Computers Talk: The Networking Foundation

TCP: the reliable, connection-oriented protocol

TCP guarantees ordered, reliable delivery. It opens with a three-way handshake: the client sends SYN (with an initial sequence number), the server replies SYN-ACK (acknowledging and sending its own sequence number), the client sends ACK. Now the connection is established. Sequence numbers track every byte so lost segments can be retransmitted and out-of-order ones reassembled. Flow control (the receive window) stops a fast sender overwhelming a slow receiver. The connection closes with a four-way teardown (FIN/ACK in each direction).
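The bookkeeping behind the handshake, the sequence/acknowledgment numbers and the receive window is easiest to see when both endpoints are driven step by step. The following model is an added example written for this lesson, not code from the BiTree curriculum; it is a constructed simulation (initial sequence numbers 1000 and 5000, a 10-byte server buffer and an 18-byte request are all made up, and retransmission is not modelled). It walks a client and a server through the three-way handshake, a transfer that is throttled by a zero window, and the four-way teardown, recording every segment the way Wireshark would list it.

```python
from collections import namedtuple

# Constructed teaching model of one TCP connection (not a real stack): the ISNs,
# buffer sizes and request are made up; retransmission and checksums are omitted.
Segment = namedtuple("Segment", "src dst flags seq ack window payload")

def describe(seg):
    names = ",".join(f for f in ("SYN", "FIN", "ACK") if f in seg.flags)
    return (f"{seg.src}->{seg.dst} [{names}] seq={seg.seq} ack={seg.ack} "
            f"win={seg.window} len={len(seg.payload)}")

class Endpoint:
    def __init__(self, name, isn, buffer_size, listening=False):
        self.name = name
        self.state = "LISTEN" if listening else "CLOSED"
        self.snd_nxt = isn           # next sequence number we will send
        self.rcv_nxt = 0             # next sequence number we expect from the peer
        self.buffer_size = buffer_size
        self.buffered = bytearray()  # received but not yet read by the application
        self.delivered = bytearray()
        self.peer_wnd = 0            # last receive window the peer advertised

    @property
    def rcv_wnd(self):               # advertised window = free buffer space
        return self.buffer_size - len(self.buffered)

    def _segment(self, dst, flags, payload=b""):
        seg = Segment(self.name, dst, frozenset(flags), self.snd_nxt,
                      self.rcv_nxt, self.rcv_wnd, payload)
        # SYN and FIN each consume one sequence number; data consumes one per byte
        self.snd_nxt += len(payload) + ("SYN" in flags) + ("FIN" in flags)
        return seg

    def connect(self, dst):
        self.state = "SYN_SENT"
        return self._segment(dst, {"SYN"})

    def send_data(self, dst, data):
        chunk = data[:self.peer_wnd]  # flow control: never exceed the peer's window
        return self._segment(dst, {"ACK"}, chunk) if chunk else None

    def read(self, dst):             # application drains the buffer; a window update goes out
        self.delivered += self.buffered
        self.buffered.clear()
        return self._segment(dst, {"ACK"})

    def close(self, dst):
        self.state = "FIN_WAIT_1" if self.state == "ESTABLISHED" else "LAST_ACK"
        return self._segment(dst, {"FIN", "ACK"})

    def receive(self, seg):          # process one incoming segment, return the reply or None
        f, self.peer_wnd = seg.flags, seg.window
        if self.state == "LISTEN" and "SYN" in f:
            self.rcv_nxt, self.state = seg.seq + 1, "SYN_RECEIVED"
            return self._segment(seg.src, {"SYN", "ACK"})
        if self.state == "SYN_SENT" and {"SYN", "ACK"} <= f:
            assert seg.ack == self.snd_nxt, "SYN-ACK must acknowledge our ISN + 1"
            self.rcv_nxt, self.state = seg.seq + 1, "ESTABLISHED"
            return self._segment(seg.src, {"ACK"})
        if self.state == "SYN_RECEIVED" and "ACK" in f and seg.ack == self.snd_nxt:
            self.state = "ESTABLISHED"
            return None
        if "FIN" in f and seg.seq == self.rcv_nxt:
            self.rcv_nxt += 1        # the FIN itself occupies one sequence number
            self.state = {"ESTABLISHED": "CLOSE_WAIT", "FIN_WAIT_2": "TIME_WAIT"}.get(self.state, self.state)
            return self._segment(seg.src, {"ACK"})
        if seg.payload:              # in-order data that fits the window is accepted;
            if seg.seq == self.rcv_nxt and len(seg.payload) <= self.rcv_wnd:
                self.buffered += seg.payload
                self.rcv_nxt += len(seg.payload)
            return self._segment(seg.src, {"ACK"})  # anything else just re-ACKs rcv_nxt
        if self.state == "FIN_WAIT_1" and seg.ack == self.snd_nxt:
            self.state = "FIN_WAIT_2"
        elif self.state == "LAST_ACK" and seg.ack == self.snd_nxt:
            self.state = "CLOSED"
        return None

def run_connection(request=b"GET / HTTP/1.0\r\n\r\n", server_buffer=10):
    """Drive one connection end to end; return (trace of segments, client, server)."""
    client = Endpoint("client", isn=1000, buffer_size=4096)
    server = Endpoint("server", isn=5000, buffer_size=server_buffer, listening=True)
    peers, trace = {"client": client, "server": server}, []

    def deliver(seg):            # carry a segment across, then keep delivering replies
        while seg is not None:
            trace.append(describe(seg))
            seg = peers[seg.dst].receive(seg)

    deliver(client.connect("server"))            # three-way handshake
    pending = request
    while pending:
        seg = client.send_data("server", pending)
        if seg is None:                          # zero window: wait for the server to read
            deliver(server.read("client"))
            continue
        pending = pending[len(seg.payload):]
        deliver(seg)
    deliver(server.read("client"))
    deliver(client.close("server"))              # client FIN, server ACK
    deliver(server.close("client"))              # server FIN, client ACK
    return trace, client, server
```

Printing `run_connection()[0]` line by line gives the thirteen segments of the connection. The first three are the handshake (`seq=1000`, then `seq=5000 ack=1001`, then `seq=1001 ack=5001`), the fifth advertises `win=0` because the 10-byte server buffer is full, and the client sends nothing more until the server's application reads and a window update arrives. The last four are the FIN/ACK exchange in each direction, after which the client sits in TIME_WAIT and the server is CLOSED.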

UDP: connectionless and fast

UDP has no handshake, no sequence numbers, no guaranteed delivery, and no flow control. You send a datagram and hope it arrives. That sounds worse, but for DNS (one small query/response), DHCP, VoIP, gaming, and live streaming, the overhead and latency of TCP retransmission would hurt more than an occasional lost packet. UDP gives the application control over reliability when it wants it.

Security differences

The TCP handshake reveals information: a port that completes the handshake is open, one that sends RST is closed, and silence often means a firewall is dropping packets. This is the basis of Nmap's scan types. UDP is harder to scan and trace because there is no handshake and no guaranteed response, so a closed UDP port may simply stay silent. Each protocol is abused differently: SYN floods exploit TCP's half-open state; UDP floods and amplification exploit UDP's connectionless, spoofable nature.
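A SYN flood is visible in exactly the state the lesson describes: connections whose SYN (and the server's SYN-ACK) were seen but whose final ACK never arrives. The detector below is an added example written for this lesson, not BiTree code, and runs over a constructed set of packet records (192.0.2.10 is an ordinary client that completes one handshake and gets an RST on a closed port; 198.51.100.7 opens fifty connections it never finishes). It counts stale half-open connections per source address and per service; the per-service count is there because a flood from spoofed sources spreads the per-source count thin.

```python
from collections import Counter

def build_sample():
    """Constructed packet records: (seconds, src ip:port, dst ip:port, TCP flags)."""
    pkts = [
        (0.00, "192.0.2.10:40001", "192.0.2.1:443", {"SYN"}),        # normal client ...
        (0.01, "192.0.2.1:443", "192.0.2.10:40001", {"SYN", "ACK"}),
        (0.02, "192.0.2.10:40001", "192.0.2.1:443", {"ACK"}),        # ... completes the handshake
        (0.50, "192.0.2.10:40002", "192.0.2.1:8080", {"SYN"}),       # closed port: server answers RST
        (0.51, "192.0.2.1:8080", "192.0.2.10:40002", {"RST", "ACK"}),
    ]
    for i in range(50):   # 198.51.100.7 never sends the third packet
        pkts.append((1.0 + i * 0.01, f"198.51.100.7:{50000 + i}", "192.0.2.1:443", {"SYN"}))
        pkts.append((1.0 + i * 0.01 + 0.001, "192.0.2.1:443", f"198.51.100.7:{50000 + i}", {"SYN", "ACK"}))
    return sorted(pkts, key=lambda p: p[0])

def half_open_connections(packets, now, timeout=3.0):
    """Half-open connections older than `timeout` seconds at time `now`.

    A connection is half-open once a SYN is seen and stays so until the client
    sends an ACK or RST, or the server refuses it with RST.
    Returns (Counter by client IP, Counter by server ip:port).
    """
    pending = {}                                  # (client, server) -> time of first SYN
    for ts, src, dst, flags in packets:
        key = (src, dst)
        if flags == {"SYN"}:
            pending.setdefault(key, ts)           # a retransmitted SYN keeps the first timestamp
        elif key in pending and "SYN" not in flags and ("ACK" in flags or "RST" in flags):
            pending.pop(key)                      # client completed or aborted the handshake
        elif (dst, src) in pending and "RST" in flags:
            pending.pop((dst, src))               # server refused: nothing is left half-open
    by_src, by_dst = Counter(), Counter()
    for (client, server), ts in pending.items():
        if now - ts >= timeout:
            by_src[client.rsplit(":", 1)[0]] += 1
            by_dst[server] += 1
    return by_src, by_dst

def flag_syn_flood(by_src, by_dst, per_source=20, per_service=100):
    """Thresholds are illustrative; tune them to the backlog size of the real service."""
    alerts = [f"source {src} holds {n} half-open connections"
              for src, n in by_src.items() if n >= per_source]
    alerts += [f"service {svc} has {n} half-open connections (check for spoofed sources)"
               for svc, n in by_dst.items() if n >= per_service]
    return alerts
```

Running `flag_syn_flood(*half_open_connections(build_sample(), now=10.0))` reports the single flooding source; evaluating at `now=1.2`, before the timeout has elapsed, reports nothing, which is why the timeout must be close to the server's own SYN-RECEIVED timer rather than a generous value. The host-side mitigation this detection pairs with is SYN cookies, which let the server avoid allocating state until the third packet arrives.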

ℹ️ Lab: capture a TCP handshake in Wireshark

Authorization note: this lab is entirely on your own machine. Start a local server (for example, python3 -m http.server 8000). Open Wireshark on the loopback interface with the display filter tcp.port == 8000. In a browser or with curl, hit http://localhost:8000. In the capture, find the three packets whose flags are SYN, then SYN, ACK, then ACK. Click each and read the sequence and acknowledgment numbers; notice that the ACK number is the other side's sequence number + 1. You just watched a connection be born.
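What Wireshark does when you click a packet is decode the IPv4 and TCP headers field by field. The script below is an added example written for this lesson, not BiTree code: it builds three constructed loopback packets standing in for the capture (the client port 51234, the two initial sequence numbers and the zeroed checksums are made up, and it runs offline without Wireshark or a live server), dissects them with `struct`, and then applies the checks you perform by eye in the lab, in particular that each ACK number equals the other side's sequence number + 1.

```python
import socket
import struct

# Flag bits in the order Wireshark prints them; both header formats are 20 bytes (no options).
TCP_FLAGS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))
IPV4_FMT, TCP_FMT = "!BBHHHBBH4s4s", "!HHIIBBHHH"

def build_packet(src_ip, dst_ip, sport, dport, seq, ack, flags, window=65535):
    """IPv4 header + option-less TCP header with no payload (constructed sample data)."""
    ip = struct.pack(IPV4_FMT, 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    bits = sum(bit for name, bit in TCP_FLAGS if name in flags)
    tcp = struct.pack(TCP_FMT, sport, dport, seq, ack, 5 << 4, bits, window, 0, 0)
    return ip + tcp

def parse_packet(data):
    """Dissect the IPv4/TCP headers into the fields Wireshark's detail pane shows."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, data[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    sport, dport, seq, ack, off, bits, window, _, _ = struct.unpack(TCP_FMT, data[ihl:ihl + 20])
    return {
        "src": f"{socket.inet_ntoa(src)}:{sport}", "dst": f"{socket.inet_ntoa(dst)}:{dport}",
        "seq": seq, "ack": ack, "window": window,
        "flags": [name for name, bit in TCP_FLAGS if bits & bit],
        "payload_len": total_len - ihl - (off >> 4) * 4,
    }

def check_handshake(packets):
    """Verify three raw packets form a SYN, SYN-ACK, ACK exchange with consistent numbers.
    Returns (ok, list of the checks that failed)."""
    syn, synack, ack = (parse_packet(p) for p in packets)
    checks = [
        ("first packet is a bare SYN", syn["flags"] == ["SYN"]),
        ("second is SYN-ACK from the server",
         synack["flags"] == ["SYN", "ACK"] and synack["src"] == syn["dst"]),
        ("SYN-ACK acknowledges client ISN + 1", synack["ack"] == syn["seq"] + 1),
        ("third is a bare ACK from the client",
         ack["flags"] == ["ACK"] and ack["src"] == syn["src"]),
        ("ACK acknowledges server ISN + 1", ack["ack"] == synack["seq"] + 1),
        ("client seq advanced by exactly 1 for its SYN", ack["seq"] == syn["seq"] + 1),
    ]
    failed = [name for name, passed in checks if not passed]
    return not failed, failed

# Constructed stand-in for the lab capture: client port and both ISNs are invented.
CLIENT_ISN, SERVER_ISN = 0x1A2B3C4D, 0x7E5F1001
SAMPLE_HANDSHAKE = [
    build_packet("127.0.0.1", "127.0.0.1", 51234, 8000, CLIENT_ISN, 0, {"SYN"}),
    build_packet("127.0.0.1", "127.0.0.1", 8000, 51234, SERVER_ISN, CLIENT_ISN + 1, {"SYN", "ACK"}),
    build_packet("127.0.0.1", "127.0.0.1", 51234, 8000, CLIENT_ISN + 1, SERVER_ISN + 1, {"ACK"}),
]
```

`check_handshake(SAMPLE_HANDSHAKE)` returns `(True, [])`; swapping in a third packet whose acknowledgment number is the server's ISN rather than ISN + 1 returns `(False, ["ACK acknowledges server ISN + 1"])`, which is the same mismatch you would spot in the Wireshark detail pane. Note that Wireshark by default shows relative sequence numbers (starting at 0); the raw values this parser returns are what you see after disabling that preference.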

Quick Check

An attacker sends thousands of SYN packets but never completes the handshake. Which protocol behavior are they abusing?

Pick one.

Common mistakes only experienced engineers catch

  • Thinking UDP is 'insecure' and TCP is 'secure'; neither encrypts anything, that is TLS's job.
  • Assuming a silent port is closed when a firewall may be dropping packets.
  • Confusing the four-way teardown with the three-way handshake.
  • Believing sequence numbers are random enough to never matter (predictable initial sequence numbers enabled classic spoofing attacks).
  • Forgetting that most application protocols (HTTP, SSH, TLS) ride on TCP, so understanding TCP states explains most network debugging.
