Five-Tuple

When people working with packet captures say “see whether the five-tuple changed,” they are not using another name for a TCP connection. The five-tuple is the smallest practical identifier for a network flow, and NAT, firewalls, load balancers, and connection tracking all depend on it.

Looking at only one IP address is not enough. Two hosts can have many simultaneous connections, even to the same service. Looking at only one port is not enough either, because the same port numbers repeat across different hosts. The network and the kernel need a combination that is small enough to operate on and stable enough to answer questions like: is this the same flow, is this a return packet, and should this state table entry be reused?
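The minimal tracker below, added here as an example rather than taken from the original article, shows why a whole five-tuple is needed to answer those three questions: it keys a state table by the direction-independent flow, distinguishes a new flow from a return packet, and treats the same ports over a different protocol as a different flow. The `Packet` fields, the tracker logic and the sample packets (addresses from documentation ranges) are all constructed for this illustration.

```python
from collections import namedtuple

# Constructed packet record (assumed fields, not from any real capture).
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port proto")


def five_tuple(pkt):
    """Directional identifier: who sent it, to whom, over which protocol."""
    return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)


def flow_key(pkt):
    """Direction-independent key so a packet and its reply share one entry.
    The two endpoints are ordered so (A->B) and (B->A) yield the same key."""
    lo, hi = sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
    return (lo, hi, pkt.proto)


def track(packets):
    """Toy connection tracker. Returns a verdict per packet of the kind a
    firewall or NAT asks for ('new', 'same-direction', 'return') and the
    resulting state table (flow_key -> five-tuple of the originator)."""
    table = {}
    verdicts = []
    for pkt in packets:
        key = flow_key(pkt)
        if key not in table:
            table[key] = five_tuple(pkt)      # first packet creates state
            verdicts.append("new")
        elif table[key] == five_tuple(pkt):
            verdicts.append("same-direction")  # originator sending more
        else:
            verdicts.append("return")          # reply, reuse the same entry
    return verdicts, table


# Constructed sample: one client host, two connections to the same service.
SAMPLE = [
    Packet("10.0.0.5", 51000, "203.0.113.7", 443, "tcp"),  # client, conn 1
    Packet("10.0.0.5", 51001, "203.0.113.7", 443, "tcp"),  # same client, conn 2
    Packet("203.0.113.7", 443, "10.0.0.5", 51000, "tcp"),  # server reply to conn 1
    Packet("10.0.0.5", 51000, "203.0.113.7", 443, "tcp"),  # more data on conn 1
    Packet("10.0.0.5", 51000, "203.0.113.7", 443, "udp"),  # same ports, other proto
]

if __name__ == "__main__":
    verdicts, table = track(SAMPLE)
    for pkt, verdict in zip(SAMPLE, verdicts):
        print(verdict.ljust(14), five_tuple(pkt))
    print(len(table), "flows tracked")
```

Note that packets 1 and 2 differ only in source port, yet are separate flows, while packet 3 reverses every address and port of packet 1 and is still matched to the existing entry.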