The curious case of TCP/IP protocol indicators

Joyal Mendonca
Fundamentals
Page content

This is a quick read on how each layer in the TCP/IP stack hands over the payload to the right upper layer protocols

Introduction

While the whole world is under the trance of ChatGPT, here I am writing about a fundamental yet crucial TCP/IP concept.

I regularly get to speak to network engineers early in their careers and I always end up using the typical example of “what happens when a client browses an HTTP web server?” to explain the TCP/IP model.

Below is a pictorial representation that clearly shows how the various processes like TCP, IP, etc interact to make the communication work.

TCP_layers

But why?

Great, this is when I get a question from the audience

“why did the server NIC’s IP process hand over the payload to TCP and not to UDP? "

Come let’s figure it out.

The answer lies in the protocol headers so let’s understand how processes at each layer perform encapsulation.

Below is a pictorial representation of the same.

TCP_layers

Every layer has a header. The principle is that every layer on the sending side adds a label that says “what it encapsulates” along with whatever is required for addressing within the header. (We will not focus on the addressing and assume that the MAC address and IP address are rightly doing their jobs at their respective layers) And on the receiving side, each layer looks at this label and, depending on this label, forwards the information to the correct higher layer protocol.

So let’s investigate what happens when the server NIC receives the encapsulated frame

  1. The server gets the Ethernet frame. It looks at the Ethernet header which has a label (the Type field = 0x0800) that says “contains IP”. The server extracts the IP PDU from the Ethernet frame and forwards it to the IP process that runs on it.
  2. The IP process looks at the IP packet and finds the label (protocol field = 6) that says “contains TCP”. It extracts the TCP segment from it and forwards it to the TCP process on the server.
  3. The TCP process looks at the port number, sees port 80, which says “contains HTTP”, and forwards it to the HTTP server.

Below is PCAP that highlights the labels at each layer during a typical HTTP transaction.

TCP_layers

Hope that was useful and do come back cause I’m planning to write regularly on a wide range of network/security technologies I get to tinker with everyday.