What are CLOSE_WAIT and TIME_WAIT states?

Question

When I do netstat -a on my Windows machine, I get a listing of the ports with one of the four states:

- LISTENING
- CLOSE_WAIT
- TIME_WAIT
- ESTABLISHED

What do CLOSE_WAIT and TIME_WAIT mean/indicate?

see 'man netstat', scroll down to the state section: http://linux.die.net/man/8/netstat — MaQleod, Apr 10 '14 at 18:26
[Shameless plug](http://serverfault.com/questions/450055/lot-of-fin-wait2-close-wait-last-ack-and-time-wait-in-haproxy) to an answer on our sistersite [SF]. — Hennes, Jun 24 '15 at 19:46
Cross site dupe: http://askubuntu.com/questions/538443/whats-the-difference-between-port-status-listening-time-wait-close-wait — Mokubai, Jul 15 '16 at 07:11

score 242 · Accepted Answer · edited Dec 30 '20 at 00:12

242

Due to the way TCP/IP works, connections can not be closed immediately. Packets may arrive out of order or be retransmitted after the connection has been closed.

CLOSE_WAIT indicates that the remote endpoint (other side of the connection) has closed the connection.
TIME_WAIT indicates that local endpoint (this side) has closed the connection.

The connection is being kept around so that any delayed packets can be matched to the connection and handled appropriately. The connections will be removed when they time out within four minutes. See http://en.wikipedia.org/wiki/Transmission_Control_Protocol for more details.

edited Dec 30 '20 at 00:12

user5723841

223
2
5

answered Aug 08 '10 at 19:42

BillThor

10,899
2
25
24

But isnt this mean that, even if the packets arrive after function returned, they would be still discarded by the application? – Furkan Gözükara Mar 20 '17 at 15:58
1

@MonsterMMORPG Packets that arrive out of order after the connection has been closed will be handled by the network stack. These can be usually be safely discarded according to normal duplicate packet rules. Packets that appear to be related to an unknown active connection are normally discarded, and generate a response. The WAIT states protect against this traffic. – BillThor Mar 22 '17 at 02:58
@BillThor: Are all these states included by ServerLimit or MaxRequestWorkers in Apache? – mahmood Jul 08 '20 at 09:43
1

@mahmood Connections in the TIME_WAUT states are connections Apache has closed. Connections in CLOSE_WAIT state will be handled by Apache until it is read, which should be almost immediately after the connection was closed. These connections will not be included in ServerLibm or MaxRequestWorkers. To verify run the command "netstat -antp | grep WAIT". – BillThor Jul 16 '20 at 15:39
@BillThor: Thanks. Honestly, I didn't expect an answer after all these years... I want to be sure that current connections are below the ServerLimit. Still I don't know which states have to be counted. Should I check only ESTABLISHED? Or others such as SYN_RECV? – mahmood Jul 17 '20 at 10:20
@mahmood Rather than trying to select states, I would exclude WAIT staties. Some states may indicate that a new connection is waiting to be accepted by Apache, so you may see more connections than Apache is handling. This may require reconfiguration or DOS attack mitigation. – BillThor Jul 25 '20 at 12:05
TIME_WAIT indicates that *both* ends have closed the connection. The system is not waiting to process any further packets, it is waiting for them to expire. Any further packets that come in are either duplicates or protocol errors. – user207421 Apr 03 '22 at 04:48

score 35 · Answer 2 · edited Sep 25 '20 at 20:03

35

Basically the "WAIT" states mean that one side closed the connection but the final confirmation of the close is pending.

See e.g. this diagram of TCP states for details:

https://en.wikipedia.org/wiki/File:Tcp_state_diagram_fixed.svg

edited Sep 25 '20 at 20:03

youcantexplainthat

115
4

answered Aug 08 '10 at 19:44

sleske

22,652
10
69
93

23

This accurately describes CLOSE_WAIT but not TIME_WAIT. TIME_WAIT indicates that the local application closed the connection, and the other side acknowledged and sent a FIN of its own. We're now waiting for any stray duplicate packets that may upset a new user of the same port. – Chris Smowton Apr 10 '14 at 12:11
1

@ChrisSmowton, So who is using the right terminology? The diagram or `netstat`? ([cf.](http://www.serverframework.com/asynchronousevents/2011/01/time-wait-and-its-design-implications-for-protocols-and-scalable-servers.html)) – Pacerier Jan 23 '16 at 03:38
@Pacerier I think they match -- where do you think they disagree? – Chris Smowton Feb 01 '16 at 16:42
@ChrisSmowton So this means next port owner may get extra bytes and that can break the response if we set TIME_WAIT = 0 ? – Furkan Gözükara Mar 20 '17 at 16:00
Possible but very unlikely, as the sequence numbers would need to match for the application to see the rogue packet spliced into the stream, or the receiver would need to buffer the apparently out of order packet until the right sequence number came around. I don't know enough about practical implementations to tell you whether the latter is done in practice. – Chris Smowton Mar 20 '17 at 21:12

score 2 · Answer 3 · answered May 20 '16 at 11:39

2

TIME_WAIT represents waiting for enough time to be sure that remote TCP received the ACK of its FIN request. See en.wikipedia.org/wiki/Transmission_Control_Protocol (and also RFC 793)

answered May 20 '16 at 11:39

Denio Mariz

177
1

1

What does this add to the information provided by the existing answers? – fixer1234 May 20 '16 at 16:59
Adds a reference to RFC 793 – Denio Mariz Oct 04 '17 at 14:42
Wikipedia wrong again. It is waiting for packets to expire. – user207421 Apr 03 '22 at 04:50

What are CLOSE_WAIT and TIME_WAIT states?

3 Answers3

Linked