How Linux Handles Incoming and Outgoing Network Packets Step by Step

Network Protocol Stack

Before Linux can receive packets, it must initialize its network subsystem, register protocol stacks, initialize NIC drivers, and bring up the network interface.

The OSI model has 7 layers, but Linux implements the simpler TCP/IP model with four layers: application, transport, network, and network interface.

Application layer : provides services such as FTP, DNS, SMTP.

Transport layer : offers end‑to‑end communication via TCP or UDP.

Network layer : handles host‑to‑host routing, IP, IGMP, ICMP.

Network interface layer : corresponds to OSI data link and physical layers; includes ARP for address resolution.

Receiving Network Packets

When a packet arrives at the NIC, it is placed in the NIC’s receive queue (FIFO) and DMA copies it into a kernel ring buffer containing sk_buff descriptors.

Upon arrival, the driver fetches the sk_buff descriptor from the ring buffer, DMA writes the data, and after upper‑layer processing the descriptor is replaced with a newly allocated sk_buff .

The NIC then raises a hardware interrupt; the CPU’s interrupt handler locates the registered ISR.

The ISR performs two main actions:

Mask the NIC interrupt to prevent excessive CPU interruptions.

Trigger a soft‑interrupt (ksoftirqd) to resume processing.

The ksoftirqd thread processes the soft‑interrupt, extracts a frame from the ring buffer, wraps it in an sk_buff , and passes it up the protocol stack.

The protocol‑stack processing proceeds as follows:

1. Network Interface Layer

Validates the frame, discards it if malformed, determines the upper‑layer protocol (IPv4/IPv6), strips Ethernet headers, and forwards the payload to the network layer.

2. Network Layer

Extracts the IP header, decides whether to forward or deliver locally; for local delivery it removes the IP header and passes the payload to the transport layer.

3. Transport Layer

Removes TCP/UDP headers, uses the 4‑tuple (src IP, src port, dst IP, dst port) to locate the corresponding socket, and copies data into the socket’s receive buffer.

4. Application Layer

The application reads data from the socket, copying it from the kernel buffer to user space.

At this point the packet reception is complete.

Sending Network Packets

Sending follows the reverse path. An application calls send() on a socket, causing a system call that enters the kernel’s socket layer.

The socket layer allocates a kernel sk_buff, copies user data into it, and places it in the socket’s send queue.

The protocol stack then processes the packet from top to bottom, inserting headers at each layer.

1. Transport Layer

Adds a TCP (or UDP) header and creates a copy of the sk_buff because the original will be freed after transmission; this copy is needed for possible retransmission until an ACK is received.

2. Network Layer

Selects a route, fills the IP header, applies netfilter rules, and fragments the packet if it exceeds the MTU, then passes it to the network‑interface layer.

3. Network Interface Layer

Performs ARP to resolve the next‑hop MAC address, adds Ethernet frame headers/trailers, enqueues the frame in the NIC’s transmit queue, and triggers a soft‑interrupt to notify the driver.

4. NIC Device

The driver reads frames from the transmit queue via DMA and writes them to the NIC’s FIFO for transmission; after the NIC finishes sending, it raises a hardware interrupt to free the sk_buff and clean the ring buffer. When the remote ACK arrives, the transport layer releases the original sk_buff .

The packet transmission process is now complete.