
Summary


Chapter 4

How Data Is Transported Over Networks

Data Encapsulation

TCP/IP Core Protocols
TCP/IP is a suite of protocols, including TCP, IP (IPv4 and IPv6), UDP, ARP, and many
others.

TCP (Transmission Control Protocol)
TCP operates in the Transport layer of the OSI model and provides reliable
data delivery services. TCP ensures reliable data delivery through sequencing
and checksums.

Fields in a TCP Segment

The figure lists the fields or items included in a TCP segment.

TCP segment = TCP header + data from higher layer

A TCP segment

1. Source port—Indicates the port number at the source node. A port number is the
address on a host where an application makes itself available to incoming or
outgoing data. One example is port 80, which is typically used to accept Web page
requests from the HTTP protocol. The Source port field is 16 bits long.
2. Destination port—Indicates the port number at the destination node. The
Destination port field is 16 bits long.
3. Sequence number—Identifies the data segment’s position in the stream of data
segments already sent. The Sequence number field is 32 bits long.
4. Acknowledgment number (ACK)—Confirms receipt of the data via a return
message to the sender. The Acknowledgment number field is 32 bits long.
5. TCP header length—Indicates the length of the TCP header. This field is four
bits long.
6. Sliding-window size (or window)—Indicates how many bytes the sender can
issue to a receiver while acknowledgment for this segment is outstanding. This
field performs flow control, preventing the receiver from being deluged with
bytes. For example, suppose a server indicates a sliding window size of 4000
bytes. Also suppose the client has already issued 1000 bytes, 250 of which have
been received and acknowledged by the server. That means that the server is still
buffering 750 bytes. Therefore, the client can only issue 3250 additional bytes
before it receives acknowledgment from the server for the 750 bytes. This field is
16 bits long.
7. Checksum—Allows the receiving node to determine whether the TCP segment
became corrupted during transmission. The Checksum field is 16 bits long.

8. Urgent pointer—Indicates a location in the data field where urgent data resides.
This field is 16 bits long.
9. Options—Specifies special options, such as the maximum segment size a
network can handle. The size of this field can vary between 0 and 32 bits.
10. Padding—Contains filler information to ensure that the size of the TCP header is
a multiple of 32 bits. The size of this field varies; it is often 0.
11. Data—Contains data originally sent by the source node.
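
An added example (not part of the original chapter) that decodes the fields listed above from raw bytes and rejects a header length or option length that does not fit the segment. The sample segment is constructed; the flag bits, which the list above does not cover, and the header length being counted in 4-byte words come from the TCP specification.

```python
import struct

# Constructed sample: a 24-byte TCP header (a SYN) with one MSS option, no data.
SAMPLE_SEGMENT = bytes.fromhex(
    "c0de0050"  # source port 49374, destination port 80
    "00000064"  # sequence number 100
    "00000000"  # acknowledgment number 0
    "6002"      # header length 6 (x 4 bytes), flags: SYN
    "0fa0"      # sliding-window size 4000
    "0000"      # checksum (left at 0 in this sample, not verified here)
    "0000"      # urgent pointer
    "020405b4"  # option kind 2 (maximum segment size), length 4, value 1460
)

FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST",
             0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def parse_options(raw: bytes) -> list:
    """Walk the Options field and return (kind, value_bytes) pairs."""
    options, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:          # end of option list: the rest is padding
            break
        if kind == 1:          # no-operation: a single filler byte
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option truncated before its length byte")
        length = raw[i + 1]    # counts the kind, length and value bytes
        if length < 2 or i + length > len(raw):
            raise ValueError(f"option kind {kind} has invalid length {length}")
        options.append((kind, raw[i + 2:i + length]))
        i += length
    return options


def parse_tcp_segment(segment: bytes) -> dict:
    """Split a TCP segment into header fields, options and data."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte fixed header")
    (src, dst, seq, ack, off_flags,
     window, checksum, urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4   # 4-bit field counts 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError(f"header length {header_len} does not fit the segment")
    return {
        "source_port": src, "destination_port": dst,
        "sequence_number": seq, "acknowledgment_number": ack,
        "header_length": header_len,
        "flags": [name for bit, name in FLAG_BITS.items() if off_flags & bit],
        "window": window, "checksum": checksum, "urgent_pointer": urgent,
        "options": parse_options(segment[20:header_len]),
        "data": segment[header_len:],
    }


if __name__ == "__main__":
    for field, value in parse_tcp_segment(SAMPLE_SEGMENT).items():
        print(f"{field:22} {value}")
```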

TCP Three-Way Handshake

The TCP three-way handshake is performed before TCP transmits the actual data, such
as an HTTP request for a Web page. Figure 3-4 shows the three transmissions in the
handshake.

UDP (User Datagram Protocol)

UDP is a Transport layer protocol that provides unreliable data delivery services. It
is a connectionless transport service: there is no assurance that packets are received
in the correct sequence and no guarantee that packets are received at all. UDP
provides no error checking or sequencing.

This would be like talking on a radio show where you can send out your signal
whether anyone is listening or not. It can be useful in situations in which a great
volume of data must be transferred quickly, such as live audio or video transmissions
over the Internet.

UDP header contains only four fields: Source port, Destination port, Length, and
Checksum. Use of the Checksum field in UDP is optional in IPv4, but required for
IPv6 transmissions.

A UDP datagram

IP (Internet Protocol)

IP (Internet Protocol) belongs to the Network layer of the OSI model. It specifies how
and where data should be delivered, including the data’s source and destination
addresses. IP is the protocol that enables TCP/IP to internetwork—that is, to traverse
more than one LAN segment and more than one type of network through a router.

IP is an unreliable, connectionless protocol. The term unreliable does not mean that IP
can’t be used reliably. Instead, it means that IP does not guarantee delivery of data
and no connection is established before data is transmitted. IP depends on TCP to
ensure that data packets are delivered to the right addresses.

Two versions of the IP protocol are used on networks today.


IPv4, which was introduced to the public in 1981, is still the standard on most
networks. IPv4 addresses have 32 bits and are written as four decimal numbers
called octets, for example, 92.106.50.200.

IPv6 was released in 1998 and offers better security, better prioritization
provisions, more automatic IP address configurations, and additional IP addresses.
IPv6 addresses have 128 bits and are written as eight blocks of hexadecimal
numbers, for example, 2001:0DB8:0B80:0000:0000:00D3:9C5A:00CC.

An IPv4 packet

1. Version—Identifies the version number of the protocol—for example, IPv4 or
IPv6.
2. Internet header length (IHL)—Identifies the number of 4-byte (or 32-bit) blocks
in the IP header.
3. Differentiated Services (DiffServ) field—Informs routers the level of precedence
they should apply when processing the incoming packet.
4. Total length—Identifies the total length of the IP packet, including the header
and data, in bytes.

5. Identification—Identifies the message to which a packet belongs and enables the
receiving host to reassemble fragmented messages.
6. Flags—Indicates whether a message is fragmented and, if it is fragmented,
whether this datagram is the last in the fragment.
7. Fragment offset—Identifies where the datagram fragment belongs in the
incoming set of fragments. This field is 13 bits long.
8. Time to Live (TTL)—Indicates the maximum duration that the packet can
remain on the network before it is discarded.
9. Protocol—Identifies the type of protocol that will receive the packet (for
example, TCP, UDP, or ICMP).
10. Header checksum—Allows the receiving node to calculate whether the IP header
has been corrupted during transmission.
11. Source IP address—Identifies the full IP address (or Network layer address) of
the source node. This field is 32 bits long.
12. Destination IP address—Indicates the full IP address (or Network layer address)
of the destination node. This field is 32 bits long.
13. Options—May contain optional routing and timing information. The Options
field varies in length.
14. Padding—Contains filler bits to ensure that the header is a multiple of 32 bits.
The length of this field varies.
15. Data—Includes the data originally sent by the source node, plus information
added by TCP in the Transport layer.

IPv6 Packets

Due to the added information it carries, IPv6 uses a different packet format than IPv4.

Source address (128 bits): Identifies the full IP address of the transmitting host.
Destination address (128 bits): Identifies the full IP address of the receiving host.

ICMP (Internet Control Message Protocol)

Whereas IP helps direct data to its correct destination, ICMP (Internet Control
Message Protocol) is a Network layer core protocol that reports on the success or
failure of data delivery. It can indicate when part of a network is congested, when data
fails to reach its destination, and when data has been discarded because the allotted
Time to Live has expired. ICMP announces these transmission failures to the sender,
but does not correct errors it detects—those functions are left to higher-layer
protocols, such as TCP. However, ICMP’s announcements provide critical
information for troubleshooting network problems.

IGMP (Internet Group Management Protocol) on IPv4 Networks


On IPv4 networks, IGMP (Internet Group Management Protocol or Internet Group
Multicast Protocol) operates at the Network layer of the OSI model to manage
multicasting. Unlike a broadcast transmission, a multicast transmission does not
necessarily issue transmissions to every node on a segment. Multicasting can, for
example, be used for teleconferencing or videoconferencing over the Internet. Routers
use IGMP to determine which nodes belong to a certain multicast group and to
transmit data to all nodes in that group. Network nodes use IGMP to join or leave
multicast groups at any time.

ARP (Address Resolution Protocol) on IPv4 Networks

ARP (Address Resolution Protocol) works in conjunction with IPv4 to discover the
MAC (physical) address of a host or node on the local network and to maintain a
database that maps IP addresses to MAC addresses on the local network. ARP is a
Layer 2 protocol that uses IP in Layer 3, and operates only within its local network
bound by routers. ARP relies on broadcasting, which transmits simultaneously to all
nodes on a particular network segment. For example, if one node needs to know the
MAC address of another node on the same network, the first node issues a broadcast
message to the network, using ARP, that essentially says, “Will the computer with the
IP address 1.2.3.4 please send me its MAC address?” The node that has the IP address
1.2.3.4 then transmits a reply that contains the physical address of the destination
host. The database of IP-to-MAC address mappings is called an ARP table (also
called an ARP cache) and is kept on a computer’s hard drive. Each OS can use its
own format for the ARP table. A sample ARP table is shown.

To view a Windows workstation’s ARP table, go to the command line and enter the
command: arp -a.

Data Link layer MAC address—The MAC address, also called the physical address, is
embedded on every NIC on the globe and is assumed to be unique to that NIC.
Traditional MAC addresses contain two parts, are 48 bits long, and are written as
hexadecimal numbers separated by colons—for example, 00:60:8C:00:54:99. The
first 24 bits (six hex characters, such as 00:60:8C in our example) are known as the
OUI (Organizationally Unique Identifier) or block ID or company-ID, and identify
the NIC’s manufacturer. The last 24 bits make up the extension identifier or device
ID and identify the device.
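
An added example (not part of the original chapter) that connects the ARP table to the MAC address structure described above: it parses the output of arp -a, splits each MAC address into its OUI and device ID, and lists any unicast MAC address mapped to more than one IP address, a mapping worth reviewing because a MAC address is assumed to be unique to one NIC. The sample output is constructed, and the column layout is assumed to be the one Windows prints.

```python
import re
from collections import defaultdict

# Constructed sample in the layout printed by "arp -a" on Windows.
SAMPLE_ARP_OUTPUT = """
Interface: 10.43.3.87 --- 0xb
  Internet Address      Physical Address      Type
  10.43.3.1             00-60-8c-00-54-99     dynamic
  10.43.3.20            00-60-8c-00-54-99     dynamic
  10.43.3.35            02-00-5e-10-00-35     dynamic
  10.43.3.255           ff-ff-ff-ff-ff-ff     static
"""

# One table row: IPv4 address, MAC address (dash or colon separated), entry type.
ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+(\w+)\s*$"
)


def parse_arp_table(text: str) -> list:
    """Return one dict per ARP entry, with the MAC split into OUI and device ID."""
    entries = []
    for line in text.splitlines():
        match = ENTRY.match(line)
        if not match:
            continue  # interface banner, column header or blank line
        ip, mac, kind = match.groups()
        mac = mac.replace("-", ":").upper()
        entries.append({
            "ip": ip, "mac": mac, "type": kind,
            "oui": mac[:8],        # first 24 bits: manufacturer
            "device_id": mac[9:],  # last 24 bits: device
        })
    return entries


def shared_macs(entries: list) -> dict:
    """Map each unicast MAC address to its IPs when it appears for more than one."""
    by_mac = defaultdict(list)
    for entry in entries:
        # Broadcast and multicast addresses have the low bit of the first octet set.
        if int(entry["mac"][:2], 16) & 1:
            continue
        by_mac[entry["mac"]].append(entry["ip"])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_OUTPUT)
    for entry in table:
        print(entry["ip"], entry["oui"], entry["device_id"], entry["type"])
    for mac, ips in shared_macs(table).items():
        print(f"review: {mac} is mapped to {', '.join(ips)}")
```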

DHCP (Dynamic Host Configuration Protocol)


DHCP (Dynamic Host Configuration Protocol) is an automated means of assigning a unique
IP address to devices on a network. In DHCP, a DHCP server manages IP address assignment.
The server maintains information about which addresses are allowable, which are available,
and which have already been associated with a host. DHCP belongs to the Application layer of the
TCP/IP and OSI models. Reasons for implementing DHCP include the following:
● To reduce the time and planning spent on IP address management—Central management of IP
addresses eliminates the need for network administrators to edit the TCP/IP configuration on every
network workstation, printer, or other device.
● To reduce the potential for errors in assigning IP addresses—With DHCP, almost no
possibility exists that a workstation will be assigned an invalid address or that two
workstations will attempt to use the same IP address. (Occasionally, the DHCP server
software may make a mistake.)
● To enable users to move their workstations and printers without having to change
their TCP/IP configuration—As long as a workstation is configured to obtain its IP
address from a DHCP server and that server is available, the workstation can be
attached anywhere on the network and receive a valid address.
● To make IP addressing transparent for mobile users—A person visiting your office,
for example, could attach to your network and receive an IP address without having
to change his laptop’s configuration.

Sockets and Ports


Just as a device requires a unique address to send and receive information over the network, a process
also requires a unique address. Every process on a machine is assigned a port number.
If you compare IP addressing with the addressing system used by the postal service, and you
equate a host’s IP address to the address of a building, a port number is similar to an apartment number
within that building.

A process’s port number plus its host machine’s IP address equals the process’s socket. For
example, the standard port number for the Telnet service is 23. On a host whose IPv4 address is
10.43.3.87, the socket address for Telnet is 10.43.3.87:23. In other words, the host assumes that any
requests coming into port number 23 are Telnet requests (that is, unless you reconfigure the host to
change the default Telnet port). Notice that a port number is expressed as a number following a colon
after an IP address. In this example, 23 is not considered an additional octet, but simply a pointer to a
port. Sockets form virtual connections between a process on one computer and the same process
running on another computer.

Host Names and DNS (Domain Name System)

Much of TCP/IP addressing involves numbers—often long, complicated numbers. Computers
can manage numbers easily. However, most people can remember words better than numbers.
Imagine if you had to identify your friends’ and families’ Social Security numbers whenever
you wanted to write a note or talk to them. Communication would be frustrating at the very
least, and perhaps even impossible—especially if you’re the kind of person who has trouble
remembering even your own Social Security number. Similarly, people prefer to associate
names with networked devices rather than remember IP addresses. For this reason, the Internet
authorities established a naming system for all nodes on the Internet.

Every device on the Internet is technically known as a host. Every host can take a host name,
a name that describes the device. For example, someone named Jasmine McDonald might
name her workstation “Jasmine.” If the computer is reserved for a specific purpose, you may want to
name it accordingly. For example, a company that offers free software downloads
through the FTP service might call its host machine “ftpserver.”

Domain Names
Every host is a member of a domain, or a group of computers that belongs to the same organization and
has part of their IP addresses in common. A domain is identified by its domain name. Usually, a
domain name is associated with a company or other type of organization, such as a university,
government organization, or company. For example, IBM’s domain name is ibm.com, and the United
States Library of Congress’s domain name is loc.gov.
Often, when networking professionals refer to a machine’s host name, they in fact mean its
local host name plus its domain name—in other words, its fully qualified host name, also
known as its fully qualified domain name, or FQDN. For example, the fully qualified host
name for the Library of Congress’s blog Web site is blogs.loc.gov. A domain name is represented by a
series of character strings, called labels, separated by dots. Each label represents a level in the domain
naming hierarchy. In the domain name www.google.com, com is the top-level domain (TLD), google is
the second-level domain, and www is the third-level domain. Each second-level domain can contain
multiple third-level domains. For instance, in addition to www.google.com, Google also owns the
following domains: news.google.com, maps.google.com, and mail.google.com.

DNS (Domain Name System)

In the mid-1980s, computer scientists responsible for the Internet’s growth devised a hierarchical way
of associating domain names with IP addresses, called the DNS (Domain Name System or Domain
Name Service). DNS refers to both the Application layer service that accomplishes this association and
also to the organized system of computers and databases that makes this association possible. The DNS
service does not rely on one file or even one server, but rather on many computers across the globe.
These computers are related in a hierarchical manner, with 13 computers, known as root servers, acting
as the ultimate authorities.
Because it is distributed, DNS will not fail catastrophically if one or a handful of servers
experience errors.
To direct traffic efficiently, the DNS service is divided into three components: resolvers, name
servers, and namespace. Resolvers are any hosts on the Internet that need to look up domain name
information. The resolver client is built into TCP/IP applications such as HTTP. If you point your Web
browser to http://www.loc.gov, your HTTP client software initiates the
resolver service to find the IP address for www.loc.gov. If you have visited the site before,
the information may exist in a local DNS cache, a database stored on your computer that
indicates what IP address is associated with the www.loc.gov host name. If the information
is not stored locally, the resolver service queries your machine’s designated name server to
find the IP address for www.loc.gov.

Name servers, or DNS servers, are servers that contain databases of associated names and IP addresses
and provide this information to resolvers on request. If one name server cannot resolve the domain
name to its IP address, it passes the query to a higher-authority name server. For example, suppose you
are trying to open the www.loc.gov Web page from a workstation on your company’s network. Further,
suppose this is the first time you’ve visited the Library of Congress online. Upon discovering it does
not have the information saved locally, your client’s resolver service queries the closest name server
for the IP address associated with www.loc.gov.
That name server is probably connected to your LAN. If your LAN’s name server cannot supply the IP
address for www.loc.gov, it queries a higher-level name server. In other words, your company’s name
server sends a request to the name server at the company’s Internet service provider (ISP). If that name
server does not have the information in its database, it queries a name server elsewhere on the Internet
that acts as the ISP’s naming authority. This process, depicted in Figure 4-17, continues until the
request is granted.
The term namespace refers to the database of Internet IP addresses and their associated
names. Namespace is not a single file that you can open and view like a store’s inventory
database. Rather, it is an abstract concept that describes how the name servers of the world
share DNS information. You can think of DNS namespace as a giant, distributed address
book for every computer in the world. Just as you might keep an address book of close
friends and family on your computer, but rely on a different source, such as an Internet
lookup service, to find contact information for people you don’t know, the DNS namespace
does not store every piece of information in one place. Instead, it relies on multiple sources to
resolve host names and IP addresses.

Application Layer Protocols

Telnet
Telnet is a terminal emulation protocol used to log on to remote hosts using the TCP/IP protocol suite.
Using Telnet, a TCP connection is established via port 23 and keystrokes on the user’s machine act like
keystrokes on the remotely connected machine. Often, Telnet is used to connect two dissimilar
systems, such as PCs and UNIX machines. Through Telnet, you can control a remote host over a
network. For example, network managers can use Telnet to log on to a router from a computer
elsewhere on their LAN and modify the router’s configuration. Telnet, however, is notoriously insecure
(meaning that someone with malicious intent could easily falsify the credentials
Telnet requires to log on to a device successfully),
so telnetting to a router across a public network would not be wise. Other, more secure
methods of remotely connecting to a host have replaced Telnet for that reason.

FTP (File Transfer Protocol)


FTP (File Transfer Protocol) is an Application layer protocol used to send and receive files
via TCP/IP using ports 20 and 21. In FTP exchanges, a host running the FTP server portion
accepts commands from another host running the FTP client portion. FTP clients come with
a set of simple commands that make up their user interfaces. To exchange data, the client
depends on an FTP server that is always waiting for requests. After a client connects to the
FTP server, FTP data are exchanged via TCP, which means that FTP provides some assurance
of delivery.

TFTP (Trivial File Transfer Protocol)


TFTP (Trivial File Transfer Protocol) is another TCP/IP Application layer protocol that
enables file transfers between computers, but it is simpler (or more trivial) than FTP. TFTP
communicates via port 69. A significant difference between FTP and TFTP is that TFTP relies
on UDP at the Transport layer. Its use of UDP means that TFTP is connectionless and does
not guarantee reliable delivery of data.

NTP (Network Time Protocol)


NTP (Network Time Protocol) is a simple but important Application layer protocol used to
synchronize the clocks of computers on a network. NTP communicates via port 123 and
depends on UDP for Transport layer services.

PING (Packet Internet Groper)


PING (Packet Internet Groper) is a utility that can verify that TCP/IP is installed, bound to
the NIC, configured correctly, and communicating with the network. It is often employed
simply to determine whether a host is responding (or “up”). PING uses ICMP services to
send echo request and echo reply messages that determine the validity of an IP address.
These two types of messages work in much the same way that sonar operates. First, a signal,
called an echo request, is sent out to another computer. The other computer then rebroadcasts
the signal, in the form of an echo reply, to the sender. The process of sending this signal
back and forth is known as pinging.
You can ping either an IP address or a host name. For example, to determine whether the
www.loc.gov site is responding, you could type ping www.loc.gov and press Enter. Alternately,
you could type ping 140.147.249.7 (the IP address of this site at the time this
book was written) and press Enter.
