Understanding the TCP/IP Model: Layers, Protocols, and Data Flow
This article explains the TCP/IP protocol suite, detailing its four layers—link, network, transport, and application—along with key protocols such as IP, TCP, UDP, ARP, ICMP, DNS, and the mechanisms of packet encapsulation, routing, flow and congestion control, and connection management.
TCP/IP Model
TCP/IP (Transmission Control Protocol/Internet Protocol) is the core suite of protocols that form the foundation of the Internet.
The reference model divides the protocols into four layers: link layer, network layer, transport layer, and application layer.
Data is encapsulated layer by layer: the sender adds headers (and sometimes trailers) at each layer, while the receiver removes them in reverse order.
Data Link Layer
The physical layer converts bit streams to electrical or optical signals. The data link layer groups bits into frames and transmits them between neighboring nodes identified by MAC addresses.
Frame encapsulation: adds source and destination MAC addresses.
Transparent transmission: zero‑bit stuffing, escape characters.
Reliable transmission: rarely needed on low‑error links, but used on wireless LANs.
Error detection (CRC): receiver discards frames with errors.
Network Layer
1. IP Protocol
IP is the core of the TCP/IP suite; TCP, UDP, ICMP, IGMP all use the IP packet format. IP itself is unreliable, leaving reliability to upper‑layer protocols such as TCP or UDP.
1.1 IP Address
IP addresses uniquely identify hosts at the network layer, analogous to MAC addresses at the link layer.
IPv4 uses a 32‑bit address split into network and host portions, reducing routing table size.
Class A: 0.0.0.0–127.255.255.255
Class B: 128.0.0.0–191.255.255.255
Class C: 192.0.0.0–223.255.255.255
1.2 IP Header
The TTL (Time‑to‑Live) field limits how many routers a packet can traverse; it is decremented by each router and the packet is discarded when TTL reaches zero. Typical maximum TTL values are 255, 64, or 32 depending on the system.
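The layer‑by‑layer encapsulation described under "TCP/IP Model" and the TTL rule above, as an added Python example (not code from the original article): it builds a constructed Ethernet/IPv4/TCP frame, strips the headers in reverse order with length checks, and decrements the TTL as a router would. The MAC addresses, IP addresses and ports are sample values, checksums are left at zero, and all function names are illustrative.

```python
import struct
from ipaddress import IPv4Address

ETH, IP4, TCP = "!6s6sH", "!BBHHHBBH4s4s", "!HHIIBBHHH"   # 14-, 20-, 20-byte headers

def build_frame(payload: bytes, ttl: int = 64) -> bytes:
    """Sender side: wrap payload in TCP, then IPv4, then Ethernet (constructed values)."""
    seg = struct.pack(TCP, 49152, 80, 1000, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    pkt = struct.pack(IP4, 0x45, 0, 20 + len(seg), 0, 0, ttl, 6, 0,  # checksum left at 0
                      IPv4Address("192.0.2.10").packed,
                      IPv4Address("198.51.100.20").packed) + seg
    return struct.pack(ETH, bytes.fromhex("02000000000b"),
                       bytes.fromhex("02000000000a"), 0x0800) + pkt

def parse_frame(frame: bytes) -> dict:
    """Receiver side: strip headers in reverse order, validating lengths before slicing."""
    if len(frame) < 14 + 20:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    dst_mac, src_mac, ethertype = struct.unpack(ETH, frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IP4, ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or not ihl <= total_len <= len(ip):
        raise ValueError("malformed IPv4 header")
    seg = ip[ihl:total_len]                 # trust total_len only after bounding it
    if proto != 6 or len(seg) < 20:
        raise ValueError("not a complete TCP segment")
    sport, dport, seq, ack, off, flags, window, _, _ = struct.unpack(TCP, seg[:20])
    data_off = (off >> 4) * 4
    if not 20 <= data_off <= len(seg):
        raise ValueError("bad TCP data offset")
    return {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
            "src_ip": str(IPv4Address(src)), "dst_ip": str(IPv4Address(dst)),
            "ttl": ttl, "sport": sport, "dport": dport, "seq": seq,
            "flags": flags, "payload": seg[data_off:]}

def router_forward(frame: bytes):
    """Decrement the TTL as a router would; return None when the packet is discarded."""
    ttl = frame[14 + 8]                     # TTL is byte 8 of the IPv4 header
    if ttl <= 1:
        return None                         # TTL would reach zero: drop the packet
    # A real router also recomputes the IPv4 header checksum; omitted in this sample.
    return frame[:22] + bytes([ttl - 1]) + frame[23:]

if __name__ == "__main__":
    print(parse_frame(build_frame(b"GET / HTTP/1.1\r\n")))
```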
2. ARP and RARP Protocols
ARP resolves an IP address to a MAC address.
When a host needs to send an IP packet, it first checks its ARP cache. If the mapping is missing, it broadcasts an ARP request containing the target IP. The host owning that IP replies with its MAC address, which the requester stores in its cache.
RARP performs the opposite operation (not detailed here).
3. ICMP Protocol
ICMP operates at the IP layer to report errors such as host unreachable or network unreachable, allowing higher‑level protocols to handle delivery failures.
4. ping
Ping is a common ICMP‑based utility that checks network connectivity by sending echo‑request packets and reporting the replies.
The name comes from sonar “ping”; it sends an ICMP type‑8 request and expects an ICMP type‑0 reply.
5. Traceroute
Traceroute discovers the path packets take to a destination by sending UDP packets with increasing TTL values and listening for ICMP “time‑exceeded” messages from each router.
6. TCP/UDP
Both are transport‑layer protocols but differ in characteristics and use cases.
When to use TCP?
Use TCP when reliable delivery is required, such as HTTP/HTTPS, FTP, POP, SMTP, etc.
When to use UDP?
Use UDP when low latency is more important than reliability, e.g., real‑time video or DNS queries.
7. DNS
DNS maps domain names to IP addresses. It runs over UDP (port 53) and provides a distributed database for name resolution.
8. TCP Connection Establishment and Termination
1. Three‑Way Handshake
The handshake synchronizes sequence numbers and exchanges window sizes.
First handshake: client sends SYN with sequence number x.
Second handshake: server replies with SYN‑ACK, which acknowledges the client's SYN (ack = x+1) and carries the server's own SYN with sequence number y.
Third handshake: client sends ACK (ack = y+1); both sides enter ESTABLISHED state.
Why three‑way handshake?
It prevents old, delayed SYN packets from establishing unintended connections.
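The exchange above, as an added Python example (not code from the original article): both endpoints are modelled as small functions, and a constructed stale SYN shows why the third step matters, because the client answers a SYN‑ACK it does not recognize with RST instead of ACK. The initial sequence numbers, the dictionary layout and the function names are assumptions made for the illustration; the RST behaviour follows RFC 793.

```python
MOD = 2 ** 32                                   # TCP sequence numbers wrap at 32 bits

def server_on_syn(syn, server_isn):
    """Second handshake: acknowledge the client's x and send the server's own SYN (y)."""
    return {"flags": {"SYN", "ACK"}, "seq": server_isn, "ack": (syn["seq"] + 1) % MOD}

def client_on_synack(synack, client_isn):
    """Third handshake, or RST if the SYN-ACK acknowledges a SYN the client no longer owns."""
    if synack["ack"] != (client_isn + 1) % MOD:
        return {"flags": {"RST"}, "seq": synack["ack"]}
    return {"flags": {"ACK"}, "seq": (client_isn + 1) % MOD,
            "ack": (synack["seq"] + 1) % MOD}

def server_on_reply(reply, server_isn):
    """The server leaves SYN_RCVD for ESTABLISHED only on an ACK of y+1."""
    if "RST" in reply["flags"]:
        return "LISTEN"                         # half-open attempt is torn down
    if reply["flags"] == {"ACK"} and reply["ack"] == (server_isn + 1) % MOD:
        return "ESTABLISHED"
    return "SYN_RCVD"

def handshake(syn_seq_on_wire, client_isn, server_isn=5000):
    """Run the exchange for a SYN carrying syn_seq_on_wire.

    client_isn is the sequence number of the client's *current* connection attempt;
    a delayed duplicate SYN carries an older value. Returns (client_state, server_state).
    """
    syn = {"flags": {"SYN"}, "seq": syn_seq_on_wire}
    synack = server_on_syn(syn, server_isn)
    reply = client_on_synack(synack, client_isn)
    client_state = "ESTABLISHED" if "ACK" in reply["flags"] else "SYN_SENT"
    return client_state, server_on_reply(reply, server_isn)

if __name__ == "__main__":
    print("fresh SYN :", handshake(900, client_isn=900))
    print("stale SYN :", handshake(100, client_isn=900))   # constructed delayed duplicate
```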
2. Four‑Way Termination
Termination gracefully closes a full‑duplex TCP connection.
First termination: one side sends FIN and enters FIN_WAIT_1.
Second termination: the other side ACKs the FIN (the first side then enters FIN_WAIT_2) and later sends its own FIN.
Third termination: the opposite side ACKs the second FIN.
Fourth termination: the original side ACKs and enters TIME_WAIT before finally closing.
Why four‑way termination?
Because TCP is full‑duplex; each direction must be closed independently.
Why wait 2 MSL?
Waiting 2 MSL (MSL = Maximum Segment Lifetime) ensures that all duplicate packets have expired before the connection is fully closed.
Guarantees reliable full‑duplex closure.
Prevents delayed packets from being misinterpreted as part of a new connection.
9. TCP Flow Control
Flow control prevents the sender from overwhelming the receiver.
It uses a sliding window: the receiver advertises a window size (rwnd) that limits how much data the sender may transmit.
If the receiver’s window shrinks to zero, the sender must stop sending until a new window is advertised.
10. TCP Congestion Control
The congestion window (cwnd) limits the amount of data the sender injects into the network based on perceived congestion.
When the network is uncongested, cwnd grows; when congestion is detected, cwnd is reduced.
Slow start initializes cwnd to one MSS and doubles it each round‑trip time until a loss occurs.
When cwnd < ssthresh, slow start is used; when cwnd > ssthresh, congestion avoidance takes over, increasing cwnd linearly (by one MSS per RTT).
If cwnd < ssthresh: use slow start.
If cwnd > ssthresh: use congestion avoidance.
If cwnd = ssthresh: either algorithm may be used.
Upon detecting loss, ssthresh is set to half of the current cwnd, cwnd is reset to 1, and slow start restarts.
2. Fast Retransmit and Fast Recovery
Fast Retransmit
The receiver sends duplicate ACKs for the last in‑order segment when out‑of‑order packets arrive.
If the sender receives three duplicate ACKs, it retransmits the missing segment immediately, improving throughput by about 20%.
Fast Recovery
After fast retransmit, instead of resetting cwnd to 1, the sender sets cwnd to ssthresh (half of the previous cwnd) and continues with congestion avoidance, allowing a smoother recovery.
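The window rules from the flow control and congestion control sections, as an added Python simulation (not code from the original article): it tracks cwnd and ssthresh per round trip in MSS units and contrasts a timeout (cwnd back to 1) with three duplicate ACKs (cwnd set to ssthresh). The loss schedule is constructed; capping the slow‑start doubling at ssthresh, the 2‑MSS floor on ssthresh (RFC 5681) and sending min(cwnd, rwnd) are assumptions beyond what the article states.

```python
def simulate_cwnd(rounds, losses, ssthresh=16, rwnd=64):
    """Return one (rtt, cwnd, ssthresh, phase, sendable) tuple per round trip, in MSS.

    losses maps a round number to "timeout" or "dupack3" (three duplicate ACKs).
    """
    cwnd, trace = 1, []                        # slow start begins at one MSS
    for rtt in range(rounds):
        phase = "slow-start" if cwnd < ssthresh else "congestion-avoidance"
        # Flow control (rwnd) and congestion control (cwnd) both cap the sender.
        trace.append((rtt, cwnd, ssthresh, phase, min(cwnd, rwnd)))
        event = losses.get(rtt)
        if event in ("timeout", "dupack3"):
            ssthresh = max(cwnd // 2, 2)       # halve; 2-MSS floor is an assumption
            # Timeout: restart slow start. Fast recovery: resume from ssthresh.
            cwnd = 1 if event == "timeout" else ssthresh
        elif cwnd < ssthresh:
            cwnd = min(cwnd * 2, ssthresh)     # assumption: doubling capped at ssthresh
        else:
            cwnd += 1                          # linear growth, one MSS per RTT
    return trace

# Constructed scenario: duplicate ACKs in round 7, a timeout in round 10.
TRACE = simulate_cwnd(16, {7: "dupack3", 10: "timeout"}, ssthresh=16, rwnd=18)

if __name__ == "__main__":
    for rtt, cwnd, ssthresh, phase, sendable in TRACE:
        print(f"rtt={rtt:2d} cwnd={cwnd:2d} ssthresh={ssthresh:2d} "
              f"send={sendable:2d} {phase}")
```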
