Master the TCP/IP Stack: From Layers to Real-World Protocols
This guide explains the TCP/IP model’s four layers, key protocols such as IP, ARP, ICMP, and DNS, and the differences between TCP and UDP, then details connection setup, termination, flow control, and congestion control mechanisms such as slow start, fast retransmit, and fast recovery.
TCP/IP Model
TCP/IP (Transmission Control Protocol/Internet Protocol) is the core suite of protocols that underpins the Internet. The reference model divides the protocols into four layers: link, network, transport, and application. The diagram below shows the correspondence between the TCP/IP model and the OSI model.
The topmost application layer includes familiar protocols such as HTTP and FTP. The transport layer hosts TCP and UDP. The network layer contains the IP protocol, which adds IP addresses to data. The data‑link layer adds Ethernet headers and performs CRC encoding before transmission.
The communication process follows a stack‑like encapsulation (push) on the sender side and decapsulation (pop) on the receiver side.
Example: HTTP encapsulation across the layers.
Data Link Layer
The physical layer converts the binary bit stream to voltage levels or light pulses. The data‑link layer groups bits into frames and transmits them between neighboring nodes identified by MAC addresses.
Frame encapsulation: network‑layer datagrams are wrapped with a header containing source and destination MAC addresses.
Transparent transmission: zero‑bit padding and escape characters.
Reliable transmission: rarely needed on low‑error links; wireless links (WLAN) may provide reliability.
Error detection (CRC): receiver discards frames with detected errors.
Network Layer
1. IP Protocol
The IP protocol is the core of the TCP/IP suite; TCP, UDP, ICMP, IGMP all use the IP packet format. IP is unreliable—it does not guarantee delivery, leaving reliability to upper‑layer protocols such as TCP or UDP.
1.1 IP Address
IP addresses identify hosts at the network layer, analogous to MAC addresses at the data‑link layer. IPv4 uses a 32‑bit address split into network and host portions, reducing routing table size.
Class A: 0.0.0.0 – 127.255.255.255
Class B: 128.0.0.0 – 191.255.255.255
Class C: 192.0.0.0 – 223.255.255.255
1.2 IP Header (TTL field)
The TTL (Time‑to‑Live) field, 8 bits, limits how many routers a packet can traverse. Each router decrements TTL; when it reaches zero, the packet is discarded. The maximum TTL value is 255, but many systems use 32 or 64.
2. ARP and RARP
ARP resolves an IP address to a MAC address. When a host needs to send an IP packet, it checks its ARP cache; if the mapping is missing, it broadcasts an ARP request. The host owning the IP replies with its MAC address, which the requester stores in its cache.
RARP performs the opposite mapping (IP ← MAC) and works similarly.
3. ICMP Protocol
ICMP (Internet Control Message Protocol) operates at the network layer to report errors such as host or router unreachable. It sends error messages back to the originating host, enabling higher‑level protocols to handle failures.
Ping
Ping is the most famous ICMP application. It sends an ICMP Echo Request (type 8) and expects an Echo Reply (type 0) to verify host reachability and measure round‑trip time.
Traceroute
Traceroute discovers the path to a destination by sending UDP packets with incrementally increasing TTL values. Each router that decrements TTL to zero returns an ICMP Destination Unreachable message, revealing its IP address.
TCP vs UDP
Both are transport‑layer protocols but differ in characteristics and use cases.
Message‑oriented (UDP)
UDP sends whole datagrams as provided by the application. If a datagram is too large, IP fragmentation occurs; if too small, overhead increases.
Byte‑stream (TCP)
TCP treats data as an unstructured byte stream, segmenting it as needed and providing buffering, flow control, and congestion control.
When to use TCP?
When reliable delivery is required, e.g., HTTP, HTTPS, FTP, email protocols.
When to use UDP?
When low latency is more important than reliability, e.g., real‑time audio/video.
DNS
DNS (Domain Name System) maps human‑readable domain names to IP addresses. It operates over UDP on port 53 and provides a distributed database for name resolution.
TCP Connection Establishment and Termination
Three‑Way Handshake
TCP establishes a reliable connection via a three‑step handshake to synchronize sequence numbers and exchange window sizes.
First handshake: Client sends SYN with sequence number x.
Second handshake: Server replies with SYN‑ACK (ack = x+1, seq = y).
Third handshake: Client sends ACK (ack = y+1); both sides enter ESTABLISHED state.
Why three handshakes?
To avoid establishing a connection from a stale SYN that arrived after the server had already closed the previous connection.
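The handshake and the stale-SYN case above, modelled as two small state machines in an added Python example (not from the original article). The class and function names are hypothetical, the state names LISTEN, SYN_SENT and SYN_RCVD are the standard TCP ones rather than terms from this page, and the RST answer to an unexpected SYN‑ACK follows standard TCP behaviour.

```python
from collections import namedtuple

MOD = 2 ** 32  # sequence numbers are 32-bit and wrap around
Segment = namedtuple("Segment", "flags seq ack")
def seg(flags, seq=0, ack=0):
    return Segment(frozenset(flags.split("|")), seq % MOD, ack % MOD)

class Server:
    def __init__(self, isn):
        self.isn, self.state = isn, "LISTEN"
    def receive(self, s):
        if self.state == "LISTEN" and s.flags == {"SYN"}:
            self.state = "SYN_RCVD"          # half-open: peer not yet confirmed
            return seg("SYN|ACK", seq=self.isn, ack=s.seq + 1)
        if self.state == "SYN_RCVD":
            if "RST" in s.flags:
                self.state = "LISTEN"        # peer disowned the SYN
            elif s.flags == {"ACK"} and s.ack == (self.isn + 1) % MOD:
                self.state = "ESTABLISHED"   # third step proves the SYN was current
        return None

class Client:
    def __init__(self, isn):
        self.isn, self.state = isn, "CLOSED"
    def connect(self):
        self.state = "SYN_SENT"
        return seg("SYN", seq=self.isn)
    def receive(self, s):
        if s.flags != {"SYN", "ACK"}:
            return None
        if self.state == "SYN_SENT" and s.ack == (self.isn + 1) % MOD:
            self.state = "ESTABLISHED"
            return seg("ACK", seq=self.isn + 1, ack=s.seq + 1)
        return seg("RST", seq=s.ack)         # SYN-ACK for a SYN we are not waiting on

def handshake(x, y):
    c, s = Client(x), Server(y)
    syn = c.connect()
    syn_ack = s.receive(syn)
    ack = c.receive(syn_ack)
    s.receive(ack)
    return [syn, syn_ack, ack], c.state, s.state

def stale_syn(old_x, y):
    """Delayed SYN from an earlier connection arrives while the client is CLOSED."""
    c, s = Client(old_x + 5000), Server(y)
    rst = c.receive(s.receive(seg("SYN", seq=old_x)))
    s.receive(rst)
    return sorted(rst.flags), s.state
```

With x = 100 and y = 300, `handshake` produces SYN (seq 100), SYN‑ACK (seq 300, ack 101) and ACK (ack 301); `stale_syn` ends with the server back in LISTEN instead of holding an open connection.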
Four‑Way Termination
After data transfer, TCP closes the connection with a four‑step termination.
First: Host 1 sends FIN, enters FIN_WAIT_1.
Second: Host 2 ACKs the FIN, enters FIN_WAIT_2.
Third: Host 2 sends its own FIN, enters LAST_ACK.
Fourth: Host 1 ACKs, enters TIME_WAIT; after 2 MSL the connection is closed.
Why wait 2 MSL?
To ensure all duplicate packets have expired and to allow the other side to receive the final ACK.
TCP Flow Control
Flow control prevents the sender from overwhelming the receiver. The receiver advertises a window size (rwnd); the sender must not send more bytes than rwnd.
TCP Congestion Control
Congestion control adjusts the congestion window (cwnd) based on network conditions.
Slow Start
cwnd starts at one MSS and doubles each RTT until loss is detected or ssthresh is reached.
When cwnd < ssthresh, slow start is used; when cwnd > ssthresh, congestion avoidance takes over, increasing cwnd linearly (by one MSS per RTT).
If loss occurs, ssthresh is set to half of the current cwnd (minimum 2) and cwnd is reset to 1, restarting slow start.
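The window rules above, traced RTT by RTT in an added Python example (not from the original article). It is a simplified model with sizes in MSS units; treating cwnd == ssthresh as congestion avoidance and clamping slow start at ssthresh are assumptions, and the scenario values are constructed.

```python
def simulate_sender(rtts, ssthresh, rwnd, loss_at=()):
    """Trace cwnd per RTT using the rules in the text; all sizes are in MSS.

    loss_at lists the RTTs in which a loss is detected (constructed input).
    """
    cwnd, trace = 1, []
    for rtt in range(1, rtts + 1):
        phase = "slow start" if cwnd < ssthresh else "congestion avoidance"
        trace.append({
            "rtt": rtt, "cwnd": cwnd, "ssthresh": ssthresh, "phase": phase,
            # flow control (rwnd) and congestion control (cwnd) both cap
            # how much data may be in flight
            "send_window": min(cwnd, rwnd),
        })
        if rtt in loss_at:
            ssthresh = max(cwnd // 2, 2)     # half the current cwnd, minimum 2
            cwnd = 1                         # restart slow start
        elif cwnd < ssthresh:
            cwnd = min(cwnd * 2, ssthresh)   # doubling per RTT, clamped (assumption)
        else:
            cwnd += 1                        # linear growth: one MSS per RTT
    return trace

def column(trace, key):
    """Pull one field out of every row of the trace."""
    return [row[key] for row in trace]

# Constructed scenario: initial ssthresh 16, receiver window 12, loss in RTT 8
TRACE = simulate_sender(rtts=12, ssthresh=16, rwnd=12, loss_at={8})

if __name__ == "__main__":
    for row in TRACE:
        print("{rtt:>3} cwnd={cwnd:>2} ssthresh={ssthresh:>2} "
              "window={send_window:>2} {phase}".format(**row))
```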
Fast Retransmit and Fast Recovery
Fast Retransmit
When the sender receives three duplicate ACKs, it immediately retransmits the missing segment without waiting for the retransmission timer.
Fast Recovery
After fast retransmit, the sender sets cwnd to ssthresh / 2 and enters congestion avoidance, allowing cwnd to grow linearly rather than restarting from 1.
Open Source Linux
Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
