How Linux Sends and Receives Network Packets: Inside the TCP/IP Stack

Preface

The central question is: how does a Linux system send and receive network packets?

Network Model

OSI Model

The Open Systems Interconnection (OSI) reference model defines seven layers—Application, Presentation, Session, Transport, Network, Data Link, and Physical—to standardize communication across heterogeneous devices.

Application layer: provides a uniform interface for applications.

Presentation layer: converts data into a format recognizable by another system.

Session layer: establishes, manages, and terminates communication sessions.

Transport layer: handles end‑to‑end data transfer.

Network layer: routes, forwards, and fragments data.

Data Link layer: frames data, performs error detection, and handles MAC addressing.

Physical layer: transmits data frames over the physical medium.

Because the OSI model is complex and only conceptual, most practical implementations use the simplified four‑layer TCP/IP model.

TCP/IP Model

The TCP/IP model consists of Application, Transport, Network, and Network Interface layers, each with specific responsibilities.

Application layer: provides services such as HTTP, DNS, FTP.

Transport layer: ensures reliable end‑to‑end communication (TCP, UDP).

Network layer: encapsulates, fragments, routes, and forwards IP packets.

Network Interface layer: handles framing, MAC addressing, error detection, and interacts with the NIC.

In practice, the terms “seven‑layer” and “four‑layer” load balancing refer to the OSI model, where the seventh layer maps to the Application layer and the fourth layer maps to the Transport layer.

Linux Network Stack

Think of the data as a person dressing for winter: the application data is the body, the TCP header is the base layer, the IP header is the coat, and the frame header/footer are the hat and shoes. Linux wraps data layer by layer before transmission.

Each layer adds its own header:

Transport layer adds a TCP header.

Network layer adds an IP header.

Network Interface layer adds a frame header and footer.

The maximum transmission unit (MTU) on Ethernet is 1500 bytes, limiting the size of a single IP packet. Packets larger than the MTU are fragmented at the network layer; smaller MTU values increase fragmentation overhead and reduce throughput.

Linux Receiving Packet Flow

The NIC receives a packet and uses DMA to place it into a ring buffer in kernel memory. The simplest notification is an interrupt, but high‑rate traffic would generate excessive interrupts, degrading CPU performance.

Since kernel version 2.6, Linux uses the NAPI (New API) mechanism, a hybrid of interrupt‑driven and polling approaches. An interrupt wakes a soft‑interrupt handler, which then polls the ring buffer to process multiple packets, reducing interrupt overhead.

Soft‑interrupt processing copies data from the ring buffer into struct sk_buff, then passes it up the stack:

Network Interface layer validates the frame, strips the header/footer, and determines the upper‑layer protocol (e.g., IPv4 or IPv6).

Network layer extracts the IP packet, decides whether to forward or deliver locally, and removes the IP header.

Transport layer reads the TCP/UDP header, uses the 4‑tuple (source IP, source port, dest IP, dest port) to locate the corresponding socket, and copies payload to the socket’s receive buffer.

Application layer reads data from the socket via system calls.

Linux Sending Packet Flow

The sending path mirrors the receiving path in reverse order. An application invokes a socket send system call, copying data into the socket’s send buffer.

The stack then processes the data from top to bottom:

Transport layer adds a TCP header (if using TCP).

Network layer adds an IP header, consults the routing table for the next hop, and fragments the packet according to the MTU.

Network Interface layer resolves the next‑hop MAC address via ARP, adds frame header/footer, and queues the frame for transmission.

A soft interrupt notifies the NIC driver, which uses DMA to move the frame from the queue to the hardware NIC, where it is finally transmitted on the physical medium.

Conclusion

Linux implements the TCP/IP model, a simplified four‑layer alternative to the OSI model, to build its network protocol stack. Data travels through Application, Transport, Network, and Network Interface layers, each adding protocol headers before reaching the NIC. Receiving follows the reverse path, with NAPI mitigating interrupt overhead for high‑performance networking.