Understanding TCP/IP Architecture, Encapsulation, ARP, and DNS: A Complete Guide

1. Architecture

The TCP/IP protocol suite is a four‑layer system.

Figure 1 TCP/IP architecture

Data link layer: implements network driver for NIC, handles transmission over physical media (Ethernet, Token Ring). It hides electrical characteristics and uses ARP/RARP to map IP addresses to MAC addresses.

Network layer: uses IP for routing and forwarding, ICMP for connectivity testing. IP determines the path hop‑by‑hop and uses the destination IP to address the host; if direct addressing fails, IP selects the next‑hop router.

Transport layer: provides end‑to‑end communication via TCP, UDP, SCTP. Unlike the network layer, it concerns only the endpoints, not intermediate hops.

Application layer: runs in user space and includes protocols such as HTTP, DNS, Telnet, OSPF.

2. Encapsulation

Upper‑layer protocols encapsulate data using services of lower layers; each layer adds its own header (and sometimes trailer) as the data moves down the stack.

Figure 2 Encapsulation process

2.1 TCP segment

Data encapsulated by TCP becomes a TCP segment stored in kernel space, consisting of a TCP header and kernel buffers (send and receive).

Figure 3 TCP segment encapsulation

Data transmission flow: when an application calls write on a TCP socket, the kernel copies data from the user buffer to the TCP send buffer, then the TCP module hands the segment to the IP module for further encapsulation into an IP datagram.

2.2 UDP datagram

Data encapsulated by UDP becomes a UDP datagram. The process is similar to TCP, but UDP does not retain a copy in the kernel after successful transmission; if retransmission is needed, the data must be copied again from user space.

2.3 IP datagram

After IP encapsulation, the result is an IP datagram containing a header and a payload (which may be a TCP segment, UDP datagram, or ICMP message). The IP datagram is then passed to the data‑link layer.

2.4 Frame

Data link layer encapsulation produces a frame. Frame types vary with the medium, e.g., Ethernet frame, Token Ring frame.

2.5 Ethernet frame

An Ethernet frame uses a 6‑byte destination MAC address and a 6‑byte source MAC address. The maximum transmission unit (MTU) is typically 1500 bytes; larger IP datagrams must be fragmented.

Figure 4 Ethernet frame structure

The frame is the final byte sequence transmitted on the physical network.

3. Decapsulation

Decapsulation is the reverse of encapsulation. When a frame reaches the destination host, it moves up the stack, each layer processing its header and passing the remaining data to the next higher layer. The type field in the header identifies the upper‑layer protocol (RFC 1700).

Figure 5 Ethernet decapsulation process

0x800 – IP datagram, handed to the IP module.

0x806 – ARP request/reply, handed to the ARP module.

0x835 – RARP request/reply, handed to the RARP module.

Similarly, the IP header’s protocol field distinguishes ICMP, TCP, and UDP.

TCP and UDP use the 16‑bit port number field to identify the application (e.g., DNS = 53, HTTP = 80).

4. ARP protocol operation

ARP maps network addresses to physical MAC addresses. A host broadcasts an ARP request containing the target IP; only the target replies with its MAC address.

4.1 Ethernet ARP request/response

Figure 6 Ethernet ARP request/response

Field description:

Hardware type: 1 for MAC.

Protocol type: 0x800 for IP.

Hardware address length: 6 bytes for MAC.

Protocol address length: 4 bytes for IPv4.

Operation: 1 = request, 2 = reply, 3 = RARP request, 4 = RARP reply.

Remaining fields contain the sender and target MAC and IP addresses.

An ARP packet is 28 bytes; with Ethernet header and trailer it becomes 46 bytes, or 64 bytes if padding is added to meet the minimum frame size.

4.2 ARP cache

ARP maintains a cache of recent IP‑to‑MAC mappings to avoid repeated requests.

Query command:

arp -a

4.3 ARP communication process

Example using remote login to illustrate ARP:

sudo arp -d 192.168.1.109

sudo tcpdump -i eth0 -ent '(dst 192.168.1.109 and src 192.168.1.108) or (dst 192.168.1.108 and src 192.168.1.109)'

telnet 192.168.1.109 echo

Captured frames show the ARP request broadcast (type 0x0806) and the ARP reply containing the target’s MAC address.

Figure 7 First remote‑login Ethernet frame

5. DNS operation

Domain Name System translates host names to IP addresses. Queries can be performed via NIS, DNS, or static files.

5.1 DNS query and response format

DNS messages consist of a header, question section, answer, authority, and additional sections. The 16‑bit identifier matches responses to queries. Flags indicate query/response, opcode, recursion, etc.

QR – query (0) or response (1).

Opcode – 0 = standard query, 1 = inverse, 2 = status.

AA – authoritative answer.

TC – truncated.

RD – recursion desired.

RA – recursion available.

Rcode – response code (0 = no error, 3 = name error).

Resource records contain name, type, class, TTL, data length, and data. Type A (value 1) returns an IPv4 address; CNAME (5) returns an alias; PTR (12) is used for reverse lookup.

5.2 Accessing DNS on Linux

Linux stores DNS server addresses in /etc/resolv.conf. The host command queries DNS, e.g.:

host -t A www.baidu.com 219.239.26.42

5.3 Observing DNS with tcpdump

Capture DNS traffic with:

sudo tcpdump -i enp2s0 -nt -s 500 port domain host -t A www.baidu.com

Output shows the query from 192.168.6.16 to the DNS server (port 53) and the response containing CNAME and A records.

5.4 Socket and TCP/IP relationship

Kernel implements data‑link, network, and transport protocols; user programs access them via system calls. The socket API provides functions to copy data between user buffers and kernel buffers and to manipulate protocol headers (e.g., setsockopt to set IP TTL).

Socket is a generic network programming interface that can also access other protocol stacks such as X.25 or UNIX domain sockets.