TCP Protocol Layers Explained
Now that we've examined what is contained in a Layer 3 (IP) header, let's move on to the Layer 4 header. A Layer 4 header occurs at the very beginning of the IP data field and can be either a TCP header or a UDP header. Let's start with the fields that will be found in a Layer 4 TCP header:
|Source port||Destination port|
|Option + Padding|
Note that a TCP header is also composed of 32-bit words; like an IP header, the default size is 20 bytes if the option field is not used. Let's summarize the fields that are available in a TCP header:
Source Port
This 16-bit number represents the name of the application that sent the data in the IP packet. On your FreeBSD system, the file /etc/services lists which applications use which port numbers. We also saw these port numbers when we used the "sockstat" utility in Understanding BSD Daemons. There are 65,535 possible port numbers (2 to the power of 16 minus 1).
Destination Port
This 16-bit number represents the name of the application that is to receive the data contained within the IP packet. This is one of the major differences between a Layer 3 and a Layer 4 header: the Layer 3 header contains the IP address of the computer that is to receive the IP packet; once that packet has been received, the port address in the Layer 4 header ensures that the data contained within that IP packet is passed to the correct application on that computer.
Sequence Number
TCP is responsible for ensuring that all IP packets sent are actually received. When an application's data is packaged into IP packets, TCP will give each IP packet a sequence number. Once all the packets have arrived at the receiving computer, TCP uses the number in this 32-bit field to ensure that all of the packets actually arrived and are in the correct sequence.
Acknowledgment Number
This number is used by the receiving computer to acknowledge which packets have successfully arrived. This number will be the sequence number of the next packet the receiver is ready to receive.
Header Length or Offset
This is identical in concept to the header length in an IP packet, except this time it indicates the length of the TCP header.
Reserved
These 6 bits are unused and are always set to 0.
Flags
TCP uses six control flags with each flag being a unique bit. If the bit is set to 1, the flag is on; if the bit is set to 0, the flag is off. The order of the flags is:
We'll be seeing these flags again when we run "tcpdump" and when we take a look at creating packet filter rules.
Window
Every TCP packet contains this 16-bit value that indicates how many octets it can receive at once. When IP packets are received, they are placed in a temporary area of RAM known as a buffer until the receiving computer has a chance to process them; this value represents how big a buffer the receiving host has made available for this temporary storage of IP packets.
Checksum
Unlike IP, TCP is responsible for ensuring that the entire IP packet arrived intact. TCP will run a CRC on the entire IP packet (not just the header) and place the resulting checksum in this field. When the IP packet is received, TCP re-runs the CRC on the entire packet to ensure the checksum is the same.
Urgent Pointer
If the Urgent flag was set to on, this value will indicate where the urgent data is located.
Options and Padding
Like IP options, this field is optional and represents additional instructions not covered in the other TCP fields. Again, if an option does not fill up a 32-bit word, it will be filled in with padding bits.
Data
This will be the actual data being sent and will not include any additional headers.
Finally, let's take a look at a Layer 4 UDP header. Unlike TCP, UDP does not create a connection or guarantee the delivery of data. Accordingly, a UDP header has very few fields as compared to a TCP header:
|Source port||Destination port|
A UDP header is always 8 bytes as it does not contain any options. The UDP header fields are as follows:
Source Port
Like TCP, this field indicates which application sent the data contained within the IP packet.
Destination Port
Again, this field indicates which application is to receive the data contained within the IP packet.
Length
Indicates the length (in bytes) of the UDP header and the data. Since all UDP headers are 8 bytes long, if you subtract 8 from this number you'll find out the size of the data being sent.
Checksum
Since UDP is not responsible for ensuring that the data actually arrives, a checksum is optional; if it is not used, this field will be set to 0.
Data
Again, this will be the actual data being sent and will not include any additional headers.
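The TCP and UDP header fields described above, decoded from raw bytes with each length field checked before it is trusted. This is an added example, not code from the original column; the function names, the sample segments, and the RFC 793 flag order (URG, ACK, PSH, RST, SYN, FIN) are supplied here.

```python
import struct

# Flag names in the bit order of the 6-bit control field (high bit first, RFC 793).
TCP_FLAGS = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")


def parse_tcp(segment: bytes) -> dict:
    """Decode a TCP header taken from the start of the IP data field."""
    if len(segment) < 20:
        raise ValueError("shorter than the 20-byte minimum TCP header")
    sport, dport, seq, ack, off_flags, window, checksum, urgent = struct.unpack(
        "!HHIIHHHH", segment[:20])
    words = off_flags >> 12                 # header length in 32-bit words
    header_len = words * 4
    if words < 5 or header_len > len(segment):
        raise ValueError(f"invalid header length field: {words}")
    bits = off_flags & 0x3F                 # low 6 bits are the control flags
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "header_len": header_len,
        "reserved": (off_flags >> 6) & 0x3F,  # the 6 unused bits
        "flags": [n for i, n in enumerate(TCP_FLAGS) if bits & (0x20 >> i)],
        "window": window, "checksum": checksum, "urgent": urgent,
        "options": segment[20:header_len],  # option bytes, padding included
        "data": segment[header_len:],
    }


def parse_udp(datagram: bytes) -> dict:
    """Decode the fixed 8-byte UDP header."""
    if len(datagram) < 8:
        raise ValueError("shorter than the 8-byte UDP header")
    sport, dport, length, checksum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError(f"invalid UDP length field: {length}")
    return {"sport": sport, "dport": dport, "length": length,
            "checksum_used": checksum != 0,  # 0 means no checksum was sent
            "data": datagram[8:length]}


# Constructed sample: a SYN from port 49152 to port 80 carrying one 4-byte option,
# so the header is 6 words (24 bytes). The checksum is left at 0 and not verified.
SAMPLE_SYN = struct.pack("!HHIIHHHH", 49152, 80, 1000, 0,
                         (6 << 12) | 0x02, 65535, 0, 0) + bytes([2, 4, 0x05, 0xB4])
# Constructed sample: a 5-byte UDP payload from port 53000 to port 53, no checksum.
SAMPLE_UDP = struct.pack("!HHHH", 53000, 53, 13, 0) + b"hello"

if __name__ == "__main__":
    print(parse_tcp(SAMPLE_SYN), parse_udp(SAMPLE_UDP), sep="\n")
```

A header length below 5 words, or one that points past the end of the captured bytes, is rejected rather than used to slice the buffer.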
We've actually made it through all of the fields in the Layer 3 and Layer 4 headers of an IP packet. These fields should make more sense next week when we examine a dump file created by the
Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.