NE-02

TCP/IP Protocol Suite

Network+ / NE-02

Learning Objectives

TCP vs UDP at a Glance

Feature      | TCP                                 | UDP
Connection   | Connection-oriented (handshake)     | Connectionless
Reliability  | Guaranteed delivery, retransmission | Best-effort, no guarantees
Ordering     | Sequence numbers ensure order       | No ordering
Flow Control | Sliding window                      | None
Header Size  | 20-60 bytes                         | 8 bytes
Speed        | Slower (overhead)                   | Faster (minimal overhead)
Use Cases    | Web, email, file transfer, SSH      | DNS, DHCP, VoIP, streaming, gaming

TCP Segment Structure

Every TCP segment contains a header with critical control information. Understanding these fields is essential for packet analysis and troubleshooting.

/* TCP Header (20 bytes minimum) */
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     Acknowledgment Number                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Offset|    Res    |U|A|P|R|S|F|          Window Size          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |        Urgent Pointer         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/* Flags: URG, ACK, PSH, RST, SYN, FIN */

Sequence Number: Tracks byte position in the data stream. Enables ordered reassembly.

Acknowledgment Number: The next byte the receiver expects. Confirms receipt of all prior data.

Window Size: How many bytes the receiver can accept before needing an ACK. Controls flow rate.
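
The header layout above, decoded in Python as an added example (not part of the original lesson). The sample SYN segment is constructed, and the function names, the MSS option and the window value are illustrative assumptions.

```python
import struct

# Flag bits in the low 6 bits of byte 13, in the order the diagram lists them.
FLAG_BITS = (("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08),
             ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header and locate options and payload."""
    if len(segment) < 20:
        raise ValueError("truncated: TCP header needs at least 20 bytes")
    (src, dst, seq, ack, off_res, flags,
     window, checksum, urgent) = struct.unpack("!HHIIBBHHH", segment[:20])
    header_len = (off_res >> 4) * 4      # Offset field counts 32-bit words
    if header_len < 20:
        raise ValueError("invalid data offset: header shorter than 20 bytes")
    if header_len > len(segment):
        raise ValueError("data offset points past the end of the segment")
    return {
        "src_port": src, "dst_port": dst,
        "seq": seq, "ack": ack,
        "header_len": header_len,
        "flags": [name for name, bit in FLAG_BITS if flags & bit],
        "window": window, "checksum": checksum, "urgent": urgent,
        "options": segment[20:header_len],   # present only when Offset > 5
        "payload": segment[header_len:],
    }


def build_sample_syn() -> bytes:
    """Constructed sample: SYN from port 49152 to 443, seq=100, MSS option."""
    mss_option = bytes([2, 4]) + struct.pack("!H", 1460)  # kind=2, len=4, MSS
    offset_words = (20 + len(mss_option)) // 4            # 24 bytes = 6 words
    fixed = struct.pack("!HHIIBBHHH", 49152, 443, 100, 0,
                        offset_words << 4, 0x02, 64240, 0, 0)
    return fixed + mss_option


if __name__ == "__main__":
    hdr = parse_tcp_header(build_sample_syn())
    print(hdr["src_port"], "->", hdr["dst_port"], hdr["flags"],
          "seq", hdr["seq"], "header", hdr["header_len"], "bytes")
```

The two offset checks matter in packet analysis: a header length below 20 bytes or beyond the captured data marks a malformed or truncated segment that should be rejected rather than sliced.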

The Three-Way Handshake

TCP establishes a connection before any data is exchanged. This ensures both sides are ready, agrees on initial sequence numbers, and negotiates parameters like MSS (Maximum Segment Size).

/* Connection Establishment */
Step 1: Client --> Server  [SYN]      seq=100
        // Client picks ISN (Initial Sequence Number), sets SYN flag
Step 2: Server --> Client  [SYN-ACK]  seq=300, ack=101
        // Server picks its own ISN, acknowledges client's ISN+1
Step 3: Client --> Server  [ACK]      seq=101, ack=301
        // Client acknowledges server's ISN+1. Connection ESTABLISHED.

The Four-Way Teardown

Either side can initiate connection termination. The four-way process allows each direction to close independently (half-close).

Step 1: Client --> Server  [FIN, ACK]   // Client says "I'm done sending"
Step 2: Server --> Client  [ACK]        // Server acknowledges the FIN
Step 3: Server --> Client  [FIN, ACK]   // Server says "I'm done too"
Step 4: Client --> Server  [ACK]        // Client acknowledges. Connection CLOSED.
// Client enters TIME_WAIT (2x MSL) before fully releasing.

Port Numbers

Port numbers identify specific services and applications on a host. Combined with an IP address, they form a socket (e.g., 192.168.1.10:443). A connection is uniquely identified by the 5-tuple: protocol, source IP, source port, destination IP, destination port.

Range         | Name                | Description
0 - 1023      | Well-Known Ports    | Reserved for common services (assigned by IANA)
1024 - 49151  | Registered Ports    | Assigned to specific applications on request
49152 - 65535 | Dynamic / Ephemeral | Assigned temporarily to client connections

Essential ports to memorize:

Web & Email: HTTP 80 | HTTPS 443 | SMTP 25 | POP3 110 | IMAP 143
File Transfer: FTP 20/21 | SFTP/SSH 22 | TFTP 69 | SMB 445
Network Services: DNS 53 | DHCP 67/68 | NTP 123 | SNMP 161/162
Remote Access: SSH 22 | Telnet 23 | RDP 3389 | VNC 5900

Flow Control and Windowing

TCP uses a sliding window mechanism to control how much data can be sent before requiring an acknowledgment. The receiver advertises its window size -- the amount of buffer space available. The sender must not exceed this limit.

/* Sliding Window Example */
Sender window size: 4 segments

Sent & ACKed:   [1] [2] [3]
Sent, waiting:  [4] [5] [6] [7]   <-- current window
Not yet sent:   [8] [9] [10] ...

/* When ACK for segment 4 arrives, window slides forward:
   [5] [6] [7] [8] become the new window. */

/* Congestion control algorithms (Slow Start, Congestion Avoidance)
   dynamically adjust the effective window size based on network conditions. */
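
The window movement described above, replayed in Python as an added example that is not from the original lesson. It counts the window in segments to match the text (real TCP counts bytes), and the class and function names are assumptions.

```python
class SlidingWindowSender:
    """Sender-side view of a fixed window counted in segments."""

    def __init__(self, window: int, total_segments: int):
        self.window = window
        self.total = total_segments
        self.base = 1        # oldest segment sent but not yet ACKed
        self.next_seg = 1    # next segment that has never been sent

    def send_available(self) -> list[int]:
        """Send every unsent segment that fits in the window; return them."""
        limit = min(self.base + self.window, self.total + 1)
        sent = list(range(self.next_seg, limit))
        self.next_seg = max(self.next_seg, limit)
        return sent

    def in_flight(self) -> list[int]:
        """Segments sent and still waiting for an ACK (the current window)."""
        return list(range(self.base, self.next_seg))

    def on_ack(self, acked_through: int) -> None:
        """Cumulative ACK: everything up to and including acked_through arrived."""
        if acked_through < self.base:
            return           # duplicate or stale ACK: the window does not move
        if acked_through >= self.next_seg:
            raise ValueError("ACK for a segment that was never sent")
        self.base = acked_through + 1


def replay_text_example() -> tuple[list[int], list[int]]:
    """Reproduce the state in the text: [4..7] in flight, then ACK for 4."""
    sender = SlidingWindowSender(window=4, total_segments=10)
    sender.send_available()          # sends 1, 2, 3, 4
    sender.on_ack(3)                 # 1-3 ACKed, window slides to 4..7
    sender.send_available()          # sends 5, 6, 7
    before = sender.in_flight()
    sender.on_ack(4)                 # ACK for segment 4 arrives
    sender.send_available()          # window now admits segment 8
    return before, sender.in_flight()


if __name__ == "__main__":
    before, after = replay_text_example()
    print("before ACK 4:", before)
    print("after  ACK 4:", after)
```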

UDP Datagram Structure

UDP is deliberately simple. Its 8-byte header contains only four fields -- just enough to deliver data to the right port. No sequencing, no acknowledgment, no retransmission. Applications that use UDP handle reliability themselves (if needed).

/* UDP Header (8 bytes total) */
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            Length             |           Checksum            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

/* Why use UDP? When speed matters more than reliability:
   - DNS queries (small, fast lookups)
   - VoIP (a dropped packet = brief silence, not a retransmission delay)
   - Gaming (stale position data is useless -- send the new one)
   - DHCP (client doesn't have an IP yet to establish TCP) */

Practical: Reading a Packet Capture

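In a Wireshark capture, you can identify the three-way handshake by filtering for TCP flags. The filter below matches every packet with the SYN flag set, which is the SYN and the SYN-ACK; the final ACK and the data that follows are visible in the unfiltered stream: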

/* Wireshark display filter for handshakes */
Filter: tcp.flags.syn == 1

/* Example capture output */
No.  Time   Source         Dest           Info
1    0.000  192.168.1.50   93.184.216.34  TCP 74 49152->443 [SYN]
2    0.023  93.184.216.34  192.168.1.50   TCP 74 443->49152 [SYN,ACK]
3    0.024  192.168.1.50   93.184.216.34  TCP 66 49152->443 [ACK]
4    0.025  192.168.1.50   93.184.216.34  TLS Client Hello

Key Insight:

The time between packet 1 and packet 2 (0.023s) is the Round Trip Time (RTT). This is one of the most important network performance metrics. High RTT means latency issues -- critical for VoIP, gaming, and real-time applications.
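
An added example (not from the original lesson) that pairs the SYN, SYN-ACK and ACK of the three-way handshake per connection and computes the RTT described above. The rows mirror the capture shown, plus one constructed SYN that never gets a reply; the Pkt type and function names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:                      # hypothetical record type for one capture row
    time: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


# Constructed rows: the first four mirror the capture above; the fifth is an
# extra SYN with no reply, added to show an incomplete handshake.
CAPTURE = [
    Pkt(0.000, "192.168.1.50", 49152, "93.184.216.34", 443, frozenset({"SYN"})),
    Pkt(0.023, "93.184.216.34", 443, "192.168.1.50", 49152, frozenset({"SYN", "ACK"})),
    Pkt(0.024, "192.168.1.50", 49152, "93.184.216.34", 443, frozenset({"ACK"})),
    Pkt(0.025, "192.168.1.50", 49152, "93.184.216.34", 443, frozenset({"PSH", "ACK"})),
    Pkt(1.000, "192.168.1.50", 49153, "93.184.216.34", 443, frozenset({"SYN"})),
]


def find_handshakes(packets):
    """Pair SYN -> SYN-ACK -> ACK per connection; report RTT and completion."""
    conns = {}   # (client_ip, client_port, server_ip, server_port) -> times
    for p in packets:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == {"SYN"}:
            # setdefault keeps the first SYN if the client retransmits it
            conns.setdefault(fwd, {"syn": p.time, "synack": None, "ack": None})
        elif p.flags == {"SYN", "ACK"} and rev in conns:
            if conns[rev]["synack"] is None:
                conns[rev]["synack"] = p.time
        elif p.flags == {"ACK"} and fwd in conns:
            c = conns[fwd]
            if c["synack"] is not None and c["ack"] is None:
                c["ack"] = p.time
    report = []
    for key, c in conns.items():
        rtt = None if c["synack"] is None else round(c["synack"] - c["syn"], 6)
        report.append({"conn": key, "rtt": rtt, "complete": c["ack"] is not None})
    return report


if __name__ == "__main__":
    for row in find_handshakes(CAPTURE):
        print(row)
```

A connection reported with no RTT and `complete` false is a SYN that was never answered, which in troubleshooting usually points to a filtered port, an unreachable host or packet loss.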

Key Takeaways