Understanding TCP/IP Architecture, Encapsulation, ARP & DNS Basics

1. Architecture

The TCP/IP protocol suite is a four‑layer system.

Data Link Layer: Implements network driver for NIC interfaces, handling transmission over physical media (Ethernet, Token Ring). It hides electrical characteristics of different physical networks and uses ARP/RARP to map IP addresses to MAC addresses.

Network Layer: Uses IP for routing and forwarding packets between hosts, and ICMP for network diagnostics. IP determines the path hop‑by‑hop; ICMP operates on top of IP.

Transport Layer: Provides end‑to‑end communication via TCP, UDP, SCTP. Unlike the hop‑by‑hop approach of the Network layer, it only concerns the communication endpoints.

Application Layer: Runs in user space and includes protocols such as HTTP, DNS, Telnet, OSPF, etc.

2. Encapsulation

Upper‑layer protocols encapsulate data using services provided by lower layers. Before transmission, application data is wrapped layer by layer, each adding its own header (and sometimes trailer).

2.1 TCP Segment

Data after TCP encapsulation is called a TCP segment, stored in kernel space, consisting of a TCP header and kernel buffers (send and receive).

When an application writes data to a TCP socket, the kernel copies it from the user buffer to the TCP send buffer, then the TCP module hands the segment to the IP module for further encapsulation into an IP packet.

2.2 UDP Datagram

Data after UDP encapsulation is called a UDP datagram. The process is similar to TCP, but UDP does not keep a copy of the data in the kernel after successful transmission.

2.3 IP Packet

Data after IP encapsulation is called an IP packet, containing a header and a payload (which may be a TCP segment, UDP datagram, or ICMP message).

2.4 Frame

Data after Data Link layer encapsulation is called a frame. Frame types vary with the transmission medium (e.g., Ethernet frame, Token Ring frame).

2.5 Ethernet Frame

An Ethernet frame uses a 6‑byte destination MAC address and a 6‑byte source MAC address. The Maximum Transmission Unit (MTU) is typically 1500 bytes; larger IP packets must be fragmented.

Frames are the final byte sequences transmitted on the physical network, completing the encapsulation process.

3. Decapsulation

Decapsulation is the reverse of encapsulation. When a frame reaches the destination host, it traverses the protocol stack from bottom to top, each layer stripping its header and passing the payload upward.

0x800 – payload is an IP packet.

0x806 – payload is an ARP request or reply.

0x835 – payload is an RARP request or reply.

Similarly, the Transport layer uses a 2‑byte protocol field in the IP header to distinguish ICMP, TCP, and UDP.

TCP and UDP use the 16‑bit port field to identify the application (e.g., DNS uses port 53).

4. ARP Protocol Working Principle

ARP maps network (IP) addresses to physical (MAC) addresses. A host broadcasts an ARP request containing the target IP; only the host owning that IP replies with its MAC address.

4.1 Ethernet ARP Request/Reply

Hardware type: 1 for Ethernet (MAC).

Protocol type: 0x0800 for IPv4.

Hardware address length: 6 bytes.

Protocol address length: 4 bytes.

Operation: 1 = request, 2 = reply, 3 = RARP request, 4 = RARP reply.

Sender/target MAC and IP fields complete the packet.

An ARP packet is 28 bytes; with Ethernet header and trailer it becomes 46 bytes, or 64 bytes if padding is required.

4.2 ARP Cache

ARP maintains a cache of recent IP‑to‑MAC mappings to avoid repeated requests.

<code>arp -a</code>

Entries can be added or removed manually.

4.3 ARP Communication Process

Example experiment:

<code>sudo arp -d 192.168.1.109</code>

<code>sudo tcpdump -i eth0 -ent ' (dst 192.168.1.109 and src 192.168.1.108) or (dst 192.168.1.108 and src 192.168.1.109) '</code>

<code>telnet 192.168.1.109</code>

After establishing a TCP connection, the ARP exchange has already completed.

5. DNS Working Principle

Domain name services translate host names to IP addresses using NIS, DNS, or local static files.

5.1 DNS Query and Response

DNS is a distributed system storing name‑to‑IP mappings, dynamically updated. Clients send queries to DNS servers.

Key flag fields (16 bits) include QR, opcode, AA, TC, RD, RA, zero, and rcode, defining query/response type, recursion, and status.

QR – query (0) or response (1).

Opcode – standard (0), inverse (1), status (2).

AA – authoritative answer.

TC – truncated message.

RD – recursion desired.

RA – recursion available.

Rcode – response code (0 = no error, 3 = name error).

Resource records (RR) contain name, type, class, TTL, and data. Types A (1), CNAME (5), and PTR (12) are common.

5.2 Accessing DNS Service on Linux

Linux stores DNS server addresses in

/etc/resolv.conf

, listing a primary and a secondary server.

The

host

command queries DNS. Example:

5.3 Using tcpdump to Observe DNS Communication

Capture DNS packets on the LAN:

<code>sudo tcpdump -i enp2s0 -nt -s 500 port domain host -t A www.baidu.com</code>

tcpdump filters for DNS (port 53) traffic.

The first packet is a DNS query from 192.168.6.16 to the DNS server 192.168.6.1; the second is the server’s response containing CNAME and A records.

5.4 Relationship between Socket and TCP/IP Suite

Sockets provide system calls that let applications copy data between user buffers and kernel TCP/UDP buffers, and modify protocol headers (e.g., via

setsockopt

).

Sockets are a generic network programming interface, usable with other protocol stacks such as X.25 or UNIX domain sockets.