Quick Notes: TCP/IP Review

** From: Routing TCP/IP, Volume I, 2nd Edition **

Below is a diagram of an IP packet.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   |Version|  HL   |Type of Service|          Total Length         |
   |         Identifier            |Flags|      Fragment Offset    |
   |  Time to Live |    Protocol   |         Header Checksum       |
   |                       Source Address                          |
   |                    Destination Address                        |
   |                    Options                    |    Padding    |

  • Version (4 bits) = the IP version to which the packet belongs (0100 for IPv4 and 0110 for IPv6)
  • Header Length (4 bits) = the length of the IP header. The minimum length of the IP header is 20 octets, and the options might increase this size up to a maximum of 60 octets.
  • Type of Service or DiffServ (8 bits) = used for special handling of the packet, such as with QoS.
  • Total Length (16 bits) = specifies the total length of the packet, including the header, in octets. Because the largest decimal number that can be described with 16 bits is 65,535, the maximum possible size of an IP packet is 65,535 octets.
  • Identifier (16 bits) = used in conjunction with the Flags and Fragment Offset fields for fragmentation of a packet. Fragmentation is needed when the size of the packet exceeds the MTU. 
  • Flags (3 bits) = The first bit is unused. The second bit is the Don’t Fragment (DF) bit. When the DF bit is set to one, a router cannot fragment the packet. If the packet cannot be forwarded without fragmenting, the router drops the packet and sends an error message to the source. The third bit is the More Fragments (MF) bit. When a router fragments a packet, it sets the MF bit = 1 in all but the last fragment so that the receiver knows to keep expecting fragments until it encounters a fragment with MF = 0.
  • Fragment Offset (13 bits) = specifies the offset, in units of eight octets, from the beginning of the header to the beginning of the fragment. Because fragments might not always arrive in sequence, the Fragment Offset field allows the pieces to be reassembled in the correct order. Note that if a single fragment is lost during a transmission, the entire packet must be resent and refragmented at the same point in the network.
  • Time to Live (8 bits) = specifies a number, which is decremented by each router that processes the packet. If the number reaches zero, the packet will be discarded and an error message will be sent to the source. This process prevents “lost” packets from wandering endlessly through a network. The recommended default TTL is 64, although values such as 15 and 32 are not uncommon.
  • Protocol (8 bits) = gives the “address,” or protocol number, of the transport layer protocol for which the information in the packet is destined. Common protocols: ICMP = 1, TCP = 6, UDP = 17, (E)IGRP = 88, and OSPF = 89.
  • Header Checksum (16 bits) = the error detection field for the IP header. The originator calculates a checksum. The receiver will again calculate the checksum and if there are no errors, the resulting checksum will be all 1s. Remember that each router decrements the TTL; therefore, the checksum must be recalculated at each router.
  • Source and Destination Addresses (32 bits each) = the IP addresses of the originator of the packet and the destination of the packet.
  • Options (variable) = Space is added to the packet header to contain either source-generated information or for other routers to enter information; the options are used primarily for testing.
  • Padding (up to 32 bits) = adds 0s after the option field until a multiple of 32 is reached.

Example packet capture:
Internet Protocol, Src Addr: (, Dst Addr:
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0xc0 (DSCP 0x30: Class Selector 6; ECN: 0x00)
    Total Length: 64
    Identification: 0x6e61 (28257)
    Flags: 0x00
    Fragment offset: 0
    Time to live: 1
    Protocol: OSPF IGP (0x59)
    Header checksum: 0xbcc8 (correct)
    Source: (
    Destination: (
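
The header fields and the checksum behaviour described above, as an added example (not code from the book or from these notes). The header reuses the capture's field values; the two addresses are placeholders (192.0.2.1 and 192.0.2.2), and all function names are hypothetical.

```python
import struct

FMT = "!BBHHHBBH4s4s"          # the fixed 20-octet IPv4 header, in diagram order

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum over data (an even number of octets)."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def with_checksum(header: bytes) -> bytes:
    """Originator's step: zero the checksum field, sum, store the complement."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    csum = ~ones_complement_sum(zeroed) & 0xFFFF
    return header[:10] + struct.pack("!H", csum) + header[12:]

def build_header(ttl: int) -> bytes:
    """Constructed header with the capture's field values (ToS 0xc0, length 64,
    ID 0x6e61, protocol 89); both addresses are placeholders, not from the page."""
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
    return with_checksum(struct.pack(FMT, 0x45, 0xC0, 64, 0x6E61, 0, ttl, 89, 0, src, dst))

def parse_header(raw: bytes) -> dict:
    if len(raw) < 20:
        raise ValueError("shorter than the 20-octet minimum header")
    vhl, tos, total, ident, frag, ttl, proto, _csum, src, dst = struct.unpack(FMT, raw[:20])
    ihl = (vhl & 0x0F) * 4                   # Header Length counts 32-bit words
    if vhl >> 4 != 4 or not 20 <= ihl <= len(raw) or total < ihl:
        raise ValueError("inconsistent version or length fields")
    return {
        "header_length": ihl, "total_length": total, "identifier": ident,
        "df": bool(frag & 0x4000), "mf": bool(frag & 0x2000),
        "fragment_offset": (frag & 0x1FFF) * 8,   # field is in units of eight octets
        "ttl": ttl, "protocol": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "checksum_ok": ones_complement_sum(raw[:ihl]) == 0xFFFF,   # all 1s
    }

def forward(raw: bytes):
    """Router's step: decrement TTL, discard at zero, otherwise recompute the checksum."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[8] <= 1:
        return None                          # TTL reached zero: packet is discarded
    return with_checksum(raw[:8] + bytes([raw[8] - 1]) + raw[9:ihl]) + raw[ihl:]

if __name__ == "__main__":
    pkt = build_header(ttl=64)
    print(parse_header(pkt))
    stale = pkt[:8] + bytes([63]) + pkt[9:]  # TTL changed, checksum left alone
    print(parse_header(stale)["checksum_ok"], parse_header(forward(pkt))["checksum_ok"])
```

A header whose TTL was changed without recomputing the checksum fails verification, which is why every router must recalculate it.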

IPv4 Addresses

  • IPv4 addresses are 32 bits long.
  • IPv4 addresses have a network portion and a host portion. The network portion uniquely identifies a physical or logical link and is common to all devices attached to that link. The host portion uniquely identifies a particular device attached to the link.
  • The 32 bits of the address comprise four octets, each of which can be represented with a decimal number between 0 and 255, with dots between the decimal representations. For example, in decimal or 11000000.10101000.00000000.00000000 in binary.
  • An important distinction to remember when working with IPv4 addresses is that dotted decimal is just an easy way for humans to read and write IP addresses. Always remember that the router is not reading an address in terms of four octets; rather, the router sees a 32-bit binary string. Many pitfalls can be avoided by keeping this fact firmly in mind.
  • The network and host portions can vary in size. That is, the network portion might take up most of the 32 bits, or the host portion might, or they might divide the bits equally.
  • IPv4 addresses are divided into three classes:
    • Class A IPv4 addresses are for big networks. The first octet is the network portion, and the last three octets are the host portion. Only 256 numbers are available in the eight-bit network part, but 2^24 or 16,777,216 numbers are available in the host part of each of those network addresses.
    • Class B addresses are for medium-size networks. The first two octets are the network portion, and the last two octets are the host portion. There are 2^16 or 65,536 available numbers in the network part and an equal number in the host part.
    • Class C addresses are just the opposite of Class A. The first three octets are the network portion, and the last octet is the host portion.
  • For Class A addresses, the first bit of the first octet—that is, the left-most bit of the entire 32-bit string—is always set to 0. Therefore, we can find the minimum and maximum numbers in the Class A range by setting all the remaining bits in the first octet to 0 (for the minimum) and 1 (for the maximum). This action results in the decimal numbers 0 and 127 with a few exceptions: 0 is reserved as part of the default address, and 127 is reserved for internal loopback addresses.
  • Class B addresses always have their left-most bit set to 1 and the second bit set to 0. Any address whose first octet is in the decimal range 128 through 191 is a Class B address.
  • In Class C addresses, the first two bits are set to 1, and the third bit is set to 0. The result is a first octet range of 192 through 223.
  • In other words:
    • Class A = 0xxxxxxx
    • Class B = 10xxxxxx
    • Class C = 110xxxxx
  • There are two more classes: Class D addresses are for multicast, and Class E addresses are for experimental usage. Class D addresses have, as their first four bits, 1110.
  • The address for an entire data link—a non-host-specific network address—is represented by the network portion of an IP address, with all host bits set to 0.
  • The address mask is a 32-bit string, one bit for each bit of the IPv4 address. As a 32-bit string, the mask can be represented in dotted-decimal format just like an IPv4 address.
  • Standard address masks for Class A, B, and C IPv4 addresses:
    • Class A = 11111111.00000000.00000000.00000000 =
    • Class B = 11111111.11111111.00000000.00000000 =
    • Class C = 11111111.11111111.11111111.00000000 =
  • For each bit of the IPv4 address, the device performs a Boolean (logical) AND function with the corresponding bit of the address mask.
  • The address mask is used to determine the network address.
  • Because is a Class B address, the mask must have the first two octets set to all 1s and the last two octets, the host part, set to all 0s.
  • A logical AND is performed on the IPv4 address and its mask for every bit position.
  • So by assigning an address of and a mask of to an interface, the device will know that the interface belongs to network
  • Applying the AND operator to an IPv4 address and its address mask always reveals the network address.
  • A subnet is a subset of a major Class A, B, or C address space.
  • The IPv4 address now has three parts: the network part, the subnet part, and the host part.
  • Not all routing protocols can support subnet addresses in which the subnet bits are all zeros or all ones. The reason is that these protocols, called classful protocols, cannot differentiate between an all-zero subnet and the major network number.
  • Likewise, classful routing protocols cannot differentiate a broadcast on the all-ones subnet from an all-subnets broadcast address.
  • RIP version 1 and IGRP are both classful routing protocols, but they are hardly used today.
  • People describe such a subnet design as “using a Class C mask with a Class B address,” or “subnetting a Class B address into a Class C.” Both descriptions are wrong! Such descriptions frequently lead to misunderstandings about the subnet design or to a poor understanding of subnetting itself. 
  • The proper way to describe the subnetting scheme is either as “a Class B address with 8 bits of subnetting,” or as “a Class B address with a 24-bit mask.”
  • Dotted decimal has been commonly used for a while, but the bitcount format is becoming increasingly preferred (the address is followed by a forward slash and the number of bits that are masked for the network part).
  • When designing subnets and their masks, the number of available subnets under a major network address and the number of available hosts on each subnet are both calculated with the same formula: 2^n – 2, where n is the number of bits in the subnet or host space and 2 is subtracted to account for the unavailable all-zeros and all-ones addresses.
  • The single greatest source of mistakes when working with subnets is trying to work with them in dotted decimal without understanding what is happening at the binary level. Again, dotted decimal is for convenience in reading and writing IPv4 addresses. Routers and hosts see the addresses as 32-bit binary strings; to successfully work with these addresses, they must be seen the way the routers and hosts see them.
  • The importance of understanding subnetting at the binary level should now be clear. Presented with an address such as, you cannot be sure whether it is a host address, a subnet address, or a broadcast address. Even when the subnet mask is known, things are not always readily apparent.
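
Working on the 32-bit value rather than on dotted decimal, as an added example (not from the book or these notes): class detection from the leading bits, the AND with the mask, the 2^n – 2 count, and the host/subnet/broadcast question from the last bullet. The addresses are constructed samples and the function names are hypothetical.

```python
def to_int(dotted: str) -> int:
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal IPv4 address: {dotted!r}")
    return int.from_bytes(bytes(octets), "big")

def to_dotted(value: int) -> str:
    return ".".join(str(b) for b in value.to_bytes(4, "big"))

def address_class(addr: int) -> str:
    """Class is decided by the left-most bits of the 32-bit string."""
    for name, pattern, bits in (("A", 0b0, 1), ("B", 0b10, 2),
                                ("C", 0b110, 3), ("D", 0b1110, 4)):
        if addr >> (32 - bits) == pattern:
            return name
    return "E"

STANDARD_MASK_BITS = {"A": 8, "B": 16, "C": 24}

def mask_from_bits(n: int) -> int:
    return (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF

def role(dotted: str, mask_bits: int) -> str:
    """Host, subnet or broadcast address? Depends entirely on the host bits."""
    host_mask = ~mask_from_bits(mask_bits) & 0xFFFFFFFF
    host_bits = to_int(dotted) & host_mask
    if host_bits == 0:
        return "subnet address"              # all host bits are 0
    if host_bits == host_mask:
        return "broadcast address"           # all host bits are 1
    return "host address"

def subnet_plan(dotted: str, mask_bits: int) -> dict:
    addr = to_int(dotted)
    cls = address_class(addr)
    subnet_bits = mask_bits - STANDARD_MASK_BITS[cls]   # bits borrowed from the host part
    return {
        "class": cls,
        "network": to_dotted(addr & mask_from_bits(mask_bits)),   # bitwise AND
        "subnets": 2 ** subnet_bits - 2,
        "hosts_per_subnet": 2 ** (32 - mask_bits) - 2,
    }

if __name__ == "__main__":
    # Constructed sample: a Class B address with 8 bits of subnetting (24-bit mask)
    print(subnet_plan("172.16.5.64", 24))
    # The same dotted-decimal string plays a different role under a different mask
    for bits in (24, 26):
        print(f"172.16.5.64/{bits}:", role("172.16.5.64", bits))
        print(f"172.16.5.63/{bits}:", role("172.16.5.63", bits))
```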

Address Resolution Protocol (ARP)

  • A device needing to discover the data-link identifier of another device will create an ARP Request packet. 
  • This request will contain the IPv4 address of the device in question (the target) and the source IPv4 address and data-link identifier (MAC address) of the device making the request (the sender). 
  • The ARP Request packet is then encapsulated in a frame with the sender’s MAC address as the source and a broadcast address for the destination.

Ethernet II, Src: 00:30:65:2c:09:a6, Dst: ff:ff:ff:ff:ff:ff
    Destination: ff:ff:ff:ff:ff:ff (Broadcast)
    Source: 00:30:65:2c:09:a6 (AppleCom_2c:09:a6)
    Type: ARP (0x0806)
Address Resolution Protocol (request)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (0x0001)
    Sender MAC address: 00:30:65:2c:09:a6 (AppleCom_2c:09:a6)
    Sender IP address: (
    Target MAC address: 00:00:00:00:00:00 (00:00:00_00:00:00)
    Target IP address: (

  • The broadcast address means that all devices on the data link will receive the frame and examine the encapsulated packet. 
  • All devices except the target will recognize that the packet is not for them and will drop the packet. 
  • The target will send an ARP Reply to the source address, supplying its MAC address.

Ethernet II, Src: 00:10:5a:e5:0e:e3, Dst: 00:30:65:2c:09:a6
    Destination: 00:30:65:2c:09:a6 (AppleCom_2c:09:a6)
    Source: 00:10:5a:e5:0e:e3 (3com_e5:0e:e3)
    Type: ARP (0x0806)
    Trailer: 15151515151515151515151515151515...
Address Resolution Protocol (reply)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: reply (0x0002)
    Sender MAC address: 00:10:5a:e5:0e:e3 (3com_e5:0e:e3)
    Sender IP address: (
    Target MAC address: 00:30:65:2c:09:a6 (AppleCom_2c:09:a6)
    Target IP address: (
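
Both sides of the exchange shown in the two captures, as an added example (not from the book or these notes). The MAC addresses are the ones in the captures; the IPv4 addresses are placeholders because the captures' addresses are not present on this page, and the function names are hypothetical.

```python
import struct

BROADCAST = bytes.fromhex("ffffffffffff")
ETHERTYPE_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"     # hw type, proto type, hw size, proto size, opcode, 4 addresses
REQUEST, REPLY = 1, 2

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def arp_frame(dst, src, opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    ethernet = dst + src + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                      sender_mac, sender_ip, target_mac, target_ip)
    return ethernet + arp

def make_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """Sender side: target MAC is unknown (all zeros), frame goes to broadcast."""
    return arp_frame(BROADCAST, sender_mac, REQUEST, sender_mac, sender_ip, bytes(6), target_ip)

def parse(frame: bytes) -> dict:
    if len(frame) < 42:
        raise ValueError("too short for Ethernet II + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    # Octets past 42 (such as the Trailer in the reply capture) are padding and ignored.
    htype, ptype, hlen, plen, opcode, smac, sip, tmac, tip = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"dst": dst, "src": src, "opcode": opcode, "sender_mac": smac,
            "sender_ip": sip, "target_mac": tmac, "target_ip": tip}

def handle(frame: bytes, my_mac: bytes, my_ip: bytes):
    """Receiver side: every device sees the broadcast; only the target replies."""
    p = parse(frame)
    if p["opcode"] != REQUEST or p["target_ip"] != my_ip:
        return None                          # not for this device: drop
    return arp_frame(p["sender_mac"], my_mac, REPLY,
                     my_mac, my_ip, p["sender_mac"], p["sender_ip"])

if __name__ == "__main__":
    asker, target = mac("00:30:65:2c:09:a6"), mac("00:10:5a:e5:0e:e3")
    asker_ip, target_ip = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])   # placeholders
    request = make_request(asker, asker_ip, target_ip)
    print(handle(request, mac("00:00:5e:00:53:01"), bytes([192, 0, 2, 30])))  # bystander: None
    print(parse(handle(request, target, target_ip)))
```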

  • The show arp command is used to examine the ARP table in a Cisco router.
  • Cisco routers hold ARP entries for four hours (14,400 seconds); this default can be changed.

Router#show arp
Protocol  Address         Age (min)     Hardware Addr  Type  Interface
Internet           2     0002.6779.0f4c  ARPA  Ethernet0
Internet            -     0000.0c0a.2aa9  ARPA  Ethernet0
Internet          18     00a0.24a8.a1a5  ARPA  Ethernet0
Internet          6     0000.0c0a.2c51  ARPA  Ethernet0

Transmission Control Protocol (TCP)

  • TCP provides applications with a reliable, connection-oriented service.
  • TCP uses three fundamental mechanisms to accomplish a connection-oriented service:
    • Packets are labeled with sequence numbers so that the receiving TCP service can put out-of-sequence packets into the correct sequence before delivering them to the destination application.
    • TCP uses a system of acknowledgments, checksums, and timers to provide reliability. A receiver might notify a sender when it recognizes that a packet in a sequence has failed to arrive or has errors, or a sender might assume that a packet has not arrived if the receiver does not send an acknowledgment within a certain amount of time after transmission. In both cases, the sender will resend the packet in question.
    • TCP uses a mechanism called windowing to regulate the flow of packets; windowing decreases the chances of packets being dropped because of full buffers in the receiver.
  • TCP attaches a header to the application layer data; the header contains fields for the sequence numbers and other information necessary for these mechanisms, and fields for addresses called port numbers, which identify the source and destination applications of the data.
  • TCP packet structure:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   |          Source Port          |       Destination Port        |
   |                        Sequence Number                        |
   |                    Acknowledgment Number                      |
   |  Data |           |U|A|P|R|S|F|                               |
   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
   |       |           |G|K|H|T|N|N|                               |
   |           Checksum            |         Urgent Pointer        |
   |                    Options                    |    Padding    |
   |                             data                              |

  • Source and Destination Port (16 bits each) specify the source and destination applications for the encapsulated data. A port number for an application, when coupled with the IP address of the host the application resides on, is called a socket. A socket uniquely identifies every application in a network. 
  • Sequence Number (32 bits) identifies where the encapsulated data fits within a data stream from the sender. For example, if the sequence number of a segment is 1343 and the segment contains 512 octets of data, the next segment should have a sequence number of 1343 + 512 + 1 = 1856.
  • Acknowledgment Number (32 bits) identifies the sequence number the source next expects to receive from the destination. If a host receives an acknowledgment number that does not match the next sequence number it intends to send (or has sent), it knows that packets have been lost.
  • Header Length (4 bits), sometimes called Data Offset, indicates the length of the header in 32-bit words. This field is necessary to identify the beginning of the data because the length of the Options field is variable.
  • The Reserved field is 4 bits, which are always set to 0.
  • Flags are eight 1-bit flags that are used for data flow and connection control. The flags, from left to right, are Congestion Window Reduced (CWR), ECN-Echo (ECE), Urgent (URG), Acknowledgment (ACK), Push (PSH), Reset (RST), Synchronize (SYN), and Final (FIN).
  • Window Size (16 bits) is used for flow control. It specifies the number of octets, starting with the octet indicated by the Acknowledgment Number, that the sender of the segment will accept from its peer at the other end of the connection before the peer must stop transmitting and wait for an acknowledgment.
  • Checksum is 16 bits, covering both the header and the encapsulated data, allowing error detection.
  • Urgent Pointer (16 bits) is used only when the URG flag is set. It is added to the Sequence Number to indicate the end of the urgent data.
  • Options, as the name implies, specifies options required by the sender’s TCP process. The most commonly used option is Maximum Segment Size, which informs the receiver of the largest segment the sender is willing to accept. The remainder of the field is padded with zeros to ensure that the header length is a multiple of 32 octets.

Ethernet II, Src: 00:0c:41:3c:2b:18, Dst: 00:30:65:2c:09:a6
Internet Protocol, Src Addr: (,
    Dst Addr: (
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 52
    Identification: 0xc0b7 (49335)
    Flags: 0x04
    Fragment offset: 0
    Time to live: 50
    Protocol: TCP (0x06)
    Header checksum: 0x509d (correct)
    Source: (
    Destination: (
Transmission Control Protocol, Src Port: http (80),
    Dst Port: 60190 (60190), Seq: 288, Ack: 811, Len: 0
    Source port: http (80)
    Destination port: 60190 (60190)
    Sequence number: 288
    Acknowledgement number: 811
    Header length: 32 bytes
    Flags: 0x0010 (ACK)
    Window size: 66608
    Checksum: 0xb32a (correct)
    Options: (12 bytes)
        Time stamp: tsval 587733966, tsecr 1425164062
    SEQ/ACK analysis
        This is an ACK to the segment in frame: 17
        The RTT to ACK the segment was: 0.047504000 seconds
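
How the Header Length field locates the variable Options field, and how the options are walked safely, as an added example (not from the book or these notes). The segment is constructed from the capture's port, Seq/Ack, flag and timestamp values; the raw window value is made up, and the function names are hypothetical.

```python
import struct

FLAG_NAMES = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")   # left to right
KIND_END, KIND_NOP, KIND_MSS, KIND_TIMESTAMP = 0, 1, 2, 8

def build_segment() -> bytes:
    """Constructed header: 20 fixed octets + 12 octets of options (NOP, NOP, Timestamp)."""
    options = struct.pack("!BBBBII", KIND_NOP, KIND_NOP, KIND_TIMESTAMP, 10,
                          587733966, 1425164062)
    offset_and_flags = (8 << 12) | 0x10      # 8 words = 32 octets; ACK set
    window = 33304                           # constructed; 66608 does not fit in 16 bits
    fixed = struct.pack("!HHIIHHHH", 80, 60190, 288, 811,
                        offset_and_flags, window, 0xB32A, 0)
    return fixed + options

def parse_options(buf: bytes) -> list:
    found, i = [], 0
    while i < len(buf):
        kind = buf[i]
        if kind == KIND_END:                 # everything after this is zero padding
            break
        if kind == KIND_NOP:                 # single-octet option, no length field
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError("option truncated before its length octet")
        length = buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError(f"bad length {length} for option kind {kind}")
        body = buf[i + 2:i + length]
        if kind == KIND_MSS and length == 4:
            found.append(("MSS", struct.unpack("!H", body)[0]))
        elif kind == KIND_TIMESTAMP and length == 10:
            found.append(("Timestamp", struct.unpack("!II", body)))
        else:
            found.append((kind, body))
        i += length
    return found

def parse_tcp(raw: bytes) -> dict:
    if len(raw) < 20:
        raise ValueError("shorter than the 20-octet fixed header")
    sport, dport, seq, ack, off_flags, window, checksum, urgent = \
        struct.unpack("!HHIIHHHH", raw[:20])
    header_len = (off_flags >> 12) * 4       # Data Offset counts 32-bit words
    if not 20 <= header_len <= len(raw):
        raise ValueError("Data Offset points outside the segment")
    flags = [name for bit, name in enumerate(FLAG_NAMES) if off_flags & (0x80 >> bit)]
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "header_length": header_len, "flags": flags, "window": window,
            "options": parse_options(raw[20:header_len]), "payload": raw[header_len:]}

if __name__ == "__main__":
    print(parse_tcp(build_segment()))
```

The length checks in `parse_options` matter because the option length comes from the wire: a value below 2 would otherwise stall the loop, and a value past the header would read into the payload.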

User Datagram Protocol (UDP)

  • UDP provides a connectionless, best-effort packet delivery service.
  • Why would an application prefer an unreliable delivery over the connection-oriented TCP?
  • The advantage of UDP is that no time is spent setting up a connection — the data is just sent. Applications that send short bursts of data will realize a performance advantage by using UDP instead of TCP.
  • The UDP packet is also much smaller than the TCP packet.
  • The Source and Destination Port fields are the same as they are in the TCP header; the UDP length indicates the length of the entire segment in octets. The checksum covers the entire segment, but unlike TCP, the checksum here is optional; when no checksum is used, the field is set to all zeros.

Ethernet II, Src: 00:30:65:2c:09:a6, Dst: 00:0c:41:3c:2b:18
Internet Protocol, Src Addr: (,
    Dst Addr: (
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 40
    Identification: 0x8a4d (35405)
    Flags: 0x00
    Fragment offset: 0
    Time to live: 1
    Protocol: UDP (0x11)
    Header checksum: 0xe0b3 (correct)
    Source: (
    Destination: (
User Datagram Protocol, Src Port: 35404 (35404), Dst Port: 33435 (33435)
    Source port: 35404 (35404)
    Destination port: 33435 (33435)
    Length: 20
    Checksum: 0x0000 (none)
Data (12 bytes)

0000 01 01 00 00 40 fd ac 74 00 00 d2 45                ....@..t...E