CEG 499/699:
Internet Security

College of Engineering & CS
Wright State University
Dayton, Ohio 45435-0001

TCP/IP Refresher


Prabhaker Mateti

Abstract: We review TCP/IP topics.  Where possible a security point of view is presented.
This work is supported in part by NSF DUE-9951380.

Table of Contents

  1. Educational Objectives
  2. TCP/IP Refresher
    1. IP
    2. TCP
      1. Three-Way Handshake
      2. Four-Way Handshake
      3. Connection Resetting
    3. UDP
    4. ICMP
    5. ARP
    6. Routing Protocols
    7. Domain Name Service
  3. Lab Experiment
  4. Acknowledgements
  5. References

Educational Objectives

  1. Overview of IP, UDP, and TCP
  2. Routing Protocols
  3. Domain Name Service

TCP/IP Refresher

It is not possible to implement a security solution without understanding TCP/IP.   This lecture hopes to refresh your memory regarding various topics particularly because of their relevance to Internet security.  Reading just this handout alone may not be sufficient.  Look up the references. 

The relative heights indicate the level of functionality.

[Diagram not preserved: a layered protocol stack with the Physical layer at the bottom, the IP layer above it, and ICMP and other protocols above IP.]


Physical Layer

The physical layer stands for the "hardware" layer. Ethernet is one such layer. Each Ethernet controller comes with a 48-bit Ethernet MAC address built in from the factory. There is no connection between the Ethernet address and the IP address. When a packet is sent out on the Ethernet, every machine on the network sees the packet. Ethernet is a "broadcast medium". Every Ethernet packet has a 14-octet header that includes the source and destination Ethernet address, and a type code. The type code is to allow for several different protocol families to be used on the same network. So you can use IP, ARP, NetBEUI, etc. at the same time. Each of them will put a different value in the type field. Finally, there is a checksum. The Ethernet controller computes a checksum of the entire packet.

      |       Ethernet destination address (first 32 bits)            |
      | Ethernet dest (last 16 bits)  |Ethernet source (first 16 bits)|
      |       Ethernet source address (last 32 bits)                  |
      |        Type code              |
      |  IP header, then TCP header, then your data                   |
      |                                                               |
      |                                                               |
      |   end of your data                                            |
      |                       Ethernet Checksum                       |

When these packets are received by a NIC, it recomputes the checksum, and throws the packet away if the answer disagrees with the original. If the type code is IP, the Ethernet device driver passes the datagram up to the IP layer of the OS.


IP

Starting from the IP layer, we have a programming interface (API) through the network layer of the operating system.

IP Address. The unique 32-bit numeric id assigned to one host or interface in a network.

Subnet. A portion of a network sharing a particular subnet address.

Subnet mask. A 32-bit combination used to describe which portion of an address refers to the subnet and which part refers to the host. Nodes and routers use the mask to identify the data link on which an address resides.

IP removes the IP header. The main things in this header are the source and destination IP addresses, the protocol number, and another checksum. Although most IP traffic uses TCP, there are other protocols that can use IP, hence the protocol number. The IP layer is responsible for getting a packet from the source IP address to the destination IP address.

      |Version|  IHL  |Type of Service|          Total Length         |
      |         Identification        |Flags|      Fragment Offset    |
      |  Time to Live |    Protocol   |         Header Checksum       |
      |                       Source Address                          |
      |                    Destination Address                        |
      |  TCP/whatever header, then your data ......                   |
      |                                                               |

The flags and fragment offset are used to keep track of the pieces when a datagram has to be split up. This can happen when datagrams are forwarded through a network for which they are too big. The time to live (TTL)  is a number that is decremented whenever the datagram passes through a router node. When it goes to zero, the datagram is discarded.

If the protocol field is TCP, IP passes the datagram up to TCP.
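The header fields described above can be read and checked in a few lines. This is an added example, not code from the original handout: it parses the fixed part of an IP header, verifies the header checksum, and performs the router step of decrementing the TTL. The function names and the sample addresses (from the 192.0.2.0/24 documentation range) are constructed for illustration.

```python
import socket
import struct

def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4_header(packet: bytes) -> dict:
    if len(packet) < 20:
        raise ValueError("shorter than the minimum 20-octet IP header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    hlen = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or hlen < 20 or len(packet) < hlen:
        raise ValueError("bad version or header length")
    return {
        "header_len": hlen, "total_len": total_len, "id": ident,
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # stored in 8-octet units
        "ttl": ttl, "protocol": proto,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        # A header carrying a correct checksum sums to zero.
        "checksum_ok": internet_checksum(packet[:hlen]) == 0,
    }

def forward(packet: bytes):
    """Router step: decrement TTL, discard at zero, recompute the checksum."""
    hlen = parse_ipv4_header(packet)["header_len"]
    hdr = bytearray(packet[:hlen])
    if hdr[8] <= 1:
        return None                      # TTL reached zero: datagram discarded
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", internet_checksum(bytes(hdr)))
    return bytes(hdr) + packet[hlen:]

def sample_header(ttl: int = 64) -> bytes:
    """Constructed header: protocol 6 (TCP) between two documentation addresses."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, 0, ttl, 6, 0,
                      socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.20"))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]
```

Because the TTL is covered by the header checksum, every router that decrements it must also rewrite the checksum, which is why `forward` recomputes it.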


TCP

TCP offers the application (client) a virtual circuit to a program (server) on another machine. This virtual circuit needs to be established, which means that the client has to open a connection to the server. Once this connection is established, the TCP protocol guarantees the correct (both in content and in order) delivery of the data transmitted through this circuit. While establishing the connection, both the client and the server exchange a sequence number that they will use as a ruler for their sliding window protocol. These sequence numbers should be generated at random, so they are impossible to guess. However, a large number of TCP/IP implementations use a deterministic algorithm with no random inputs to generate these numbers. Once a hacker knows that algorithm, he or she can predict a sequence number and use it in a spoofing attack.
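To make the difference concrete, here is a deterministic generator beside a keyed one. This is an added example, not code from the original handout: `CounterISN` is a constructed toy, `KeyedISN` follows the construction ISN = M + F(localip, localport, remoteip, remoteport, secretkey) from RFC 6528 (a reference this handout does not cite), and the use of HMAC-SHA256 for F is a choice made here. All class and function names are hypothetical.

```python
import hashlib
import hmac
import os
import socket
import struct
import time

class CounterISN:
    """Constructed weak generator: a fixed step per connection, no random input."""
    def __init__(self, start=1, step=64000):
        self.value, self.step = start, step

    def next_isn(self, *four_tuple):
        self.value = (self.value + self.step) % 2**32
        return self.value

class KeyedISN:
    """ISN = M + F(connection 4-tuple, secret); F is HMAC-SHA256 in this sketch."""
    def __init__(self, secret=None, clock=time.monotonic):
        self.secret = secret or os.urandom(32)   # per-boot secret
        self.clock = clock

    def next_isn(self, local_ip, local_port, remote_ip, remote_port):
        m = int(self.clock() * 250000)           # M: a 4-microsecond timer
        msg = (socket.inet_aton(local_ip) + struct.pack("!H", local_port) +
               socket.inet_aton(remote_ip) + struct.pack("!H", remote_port))
        f = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return (m + int.from_bytes(f[:4], "big")) % 2**32

def predictable(samples):
    """Audit check: True when successive ISNs differ by one constant step."""
    steps = {(b - a) % 2**32 for a, b in zip(samples, samples[1:])}
    return len(steps) == 1
```

With the keyed form, an observer who collects ISNs from its own connections learns nothing about the ISN the server will give to a different address and port pair, while ISNs for any one pair still advance with the clock.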

TCP segments are sent as datagrams. The Internet Protocol header carries several information fields, including the source and destination host addresses. A TCP header follows the internet header, supplying information specific to the TCP protocol. This division allows for the existence of host level protocols other than TCP.

TCP is a sliding window protocol with time-out and retransmits. Outgoing data must be acknowledged by the far-end TCP. Acknowledgements can be piggybacked on data. Both receiving ends can flow control the far end, thus preventing a buffer overrun.

TCP requires that every packet acknowledges the last receipt of data in the other direction. So if A sent B one packet and B sends A five in response, then each of B's five responses acknowledges that B has received A's one packet; all five TCP packets from B have the ACK bit set, the one packet from A does not.

Here are the details of the TCP segment.

    0                   1                   2                   3   
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
   |          Source Port          |       Destination Port        |
   |                        Sequence Number                        |
   |                    Acknowledgment Number                      |
   |  Data |           |U|A|P|R|S|F|                               |
   | Offset| Reserved  |R|C|S|S|Y|I|        Window  Size           |
   |       |           |G|K|H|T|N|N|                               |
   |           Checksum            |         Urgent Pointer        |
   |                    Options                    |    Padding    |
   |                             data                              |

Sequence Number: The sequence number of the first data octet in this segment, except when SYN is present.  If SYN is 1 the sequence number is the initial sequence number (ISN).

Acknowledgment Number: If the ACK control bit is set this field contains the value of the next sequence number the sender of the segment is expecting to receive. Once a connection is established this is always included.

Data Offset: The number of 32-bit words in the TCP Header. This indicates where the data begins. The TCP header (even one including options) is an integral number of 32-bit words long.

Control Bits: 6 bits (from left to right):

  URG: Urgent Pointer field significant
  ACK: Acknowledgment field significant
  PSH: Push Function
  RST: Reset the connection
  SYN: Synchronize sequence numbers
  FIN: No more data from sender

Window size: The number of data octets beginning with the one indicated in the acknowledgment field which the sender of this segment is willing to accept.

Urgent Pointer: Current value of the urgent pointer as a positive offset from the sequence number in this segment. The urgent pointer points to the sequence number of the octet following the urgent data. This field is only interpreted in segments with the URG control bit set.

Options: variable number of bytes. Options may occupy space at the end of the TCP header and are a multiple of 8 bits in length. All options are included in the checksum. An option may begin on any octet boundary. There are two cases for the format of an option: Case 1: A single octet of option-kind. Case 2: An octet of option-kind, an octet of option-length, and the actual option-data octets. The option-length counts the two octets of option-kind and option-length as well as the option-data octets.
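The field layout and the two option formats translate directly into a parser. This is an added example, not code from the original handout: it decodes the fixed 20-octet header, uses the data offset to find the options area, and walks the options, rejecting a length octet that is too small or that runs past the header. The function names and the sample segment are constructed for illustration.

```python
import struct

FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # bit 0 upward

def parse_options(raw: bytes) -> list:
    """Walk the options area. Kind 0 ends the list and kind 1 is a one-octet
    no-op (Case 1); every other kind carries a length octet (Case 2)."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind %d has no length octet" % kind)
        length = raw[i + 1]            # counts the kind and length octets too
        if length < 2 or i + length > len(raw):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts

def parse_tcp_header(segment: bytes) -> dict:
    if len(segment) < 20:
        raise ValueError("shorter than the minimum 20-octet TCP header")
    (sport, dport, seq, ack, off_flags,
     window, _cksum, urg) = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4          # data offset, in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("data offset points outside the segment")
    flags = [n for bit, n in enumerate(FLAG_NAMES) if off_flags & (1 << bit)]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window, "urgent": urg,
            "options": parse_options(segment[20:header_len]),
            "data": segment[header_len:]}

# Constructed sample: a SYN from port 1037 to port 80 with data offset 6,
# carrying one option (kind 2, length 4: maximum segment size 1460).
SAMPLE_SYN = struct.pack("!HHIIHHHH", 1037, 80, 102723769, 0,
                         (6 << 12) | 0x02, 8192, 0, 0) + bytes([2, 4, 0x05, 0xB4])
```

The length check matters for any code that inspects traffic: a length octet of 0 would otherwise leave the loop index unchanged and the parser would never terminate.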

TCP three-way handshake

The Three-Way Handshake establishes the connection between the initiating node (say A, the client) and the receiving node (say B, the server) as follows:

  1. A: I would like to talk to you B;  A sends a SYN packet to B
  2. B: Ok, let's talk; B sends a SYN-ACK packet to A
  3. A: Thanks; ACK from A to B

where the ACK and SYN are fields in the header. The sequence number for the SYN can be zero, but that is not secure, so the sequence number is random. Here is an example:

Flags     src    dst    seq          ack
SYN       1037   80     102723769    0
SYN-ACK   80     1037   1527857206   102723770
ACK       1037   80     102723770    1527857207

where the client is on port 1037 establishing a connection with a service on port 80 (typically HTTP).
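The numbers in the table follow a fixed rule: the SYN consumes one sequence number, so each side acknowledges the other's initial sequence number plus one. This is an added example, not code from the original handout; it checks that rule, including wraparound at 2^32, on the three segments above. The function name is hypothetical.

```python
MOD = 2 ** 32   # sequence numbers are 32-bit and wrap around

def check_handshake(syn, syn_ack, ack):
    """Each argument is (flags, src_port, dst_port, seq, ack).
    Returns a list of problems; an empty list means a well-formed handshake."""
    problems = []
    f1, sp1, dp1, seq1, _ = syn
    f2, sp2, dp2, seq2, ack2 = syn_ack
    f3, sp3, dp3, seq3, ack3 = ack
    if (f1, f2, f3) != ("SYN", "SYN-ACK", "ACK"):
        problems.append("flags are not SYN, SYN-ACK, ACK")
    if (sp2, dp2) != (dp1, sp1) or (sp3, dp3) != (sp1, dp1):
        problems.append("ports do not mirror the opening SYN")
    if ack2 != (seq1 + 1) % MOD:
        problems.append("SYN-ACK does not acknowledge client ISN + 1")
    if seq3 != (seq1 + 1) % MOD:
        problems.append("final ACK does not continue from client ISN + 1")
    if ack3 != (seq2 + 1) % MOD:
        problems.append("final ACK does not acknowledge server ISN + 1")
    return problems

# The three segments from the table above.
HANDSHAKE = [("SYN", 1037, 80, 102723769, 0),
             ("SYN-ACK", 80, 1037, 1527857206, 102723770),
             ("ACK", 1037, 80, 102723770, 1527857207)]
```

The last check is the one that ties back to sequence-number secrecy: the final ACK is only accepted if its sender knows the server's initial sequence number.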

Four-Way Handshake

The Four-Way Handshake terminates a previously established connection: A to B: FIN, B to A: ACK; B to A: FIN, A to B: ACK.

Connection Resetting

Host H sends an RST packet resetting the connection if:

  1. A requested a connection to a non-existent port p on host H, or
  2. For whatever reason (idle for a long time, or an abnormal condition, ...), the host H (client or the server) wishes to close the connection.

Resetting is unilateral.


UDP

UDP is a datagram protocol, which means it does not have to establish a connection to another machine before sending data. The UDP protocol takes the data an application provides, packs it into a UDP packet, and hands it to the IP layer. The packet is then put on the wire, and that is where it ends. There is no way to guarantee that the packet will reach its destination. The UDP protocol is mostly used by (old implementations of) NFS and by the Name Service.


ICMP

ICMP is mainly used for managing and controlling the IP layer. With it, you can force routing options, declare a destination unreachable, etc. The most widely used functions, however, are echo request and echo reply. These two functions are used by the ping program to see if you can reach a certain host on your (or somebody else's) network. In general, this is a bit of a dangerous protocol, because it directly interacts with the IP layer of your machine. If possible, you should only enable the echo request and echo reply functions and disable the other ones. If this is not possible, you should enable it so you can use the ping command to verify the reachability of your hosts.


ARP

ARP (Address Resolution Protocol) is used to translate IP addresses to Ethernet addresses. The translation is done only for outgoing IP packets, because this is when the IP header and the Ethernet header are created. The translation is performed with a table look-up. The following is a simplified ARP table:

                  |IP address       Ethernet address |
                  |        08-00-39-00-2F-C3|
                  |        08-00-5A-21-A7-22|
                  |        08-00-10-99-AC-54|
                      TABLE 1.  Example ARP Table
Each computer has a separate ARP table for each of its Ethernet interfaces.

During normal operation a network application, such as TELNET, sends an application message to TCP, then TCP sends the corresponding TCP message to the IP module. The destination IP address is known by the application, the TCP module, and the IP module. At this point the IP packet has been constructed and is ready to be given to the Ethernet driver, but first the destination Ethernet address must be determined.  The ARP table is used to look-up the destination Ethernet address.

If the ARP table does not have an entry for an IP address, the outgoing IP packet is queued, and an ARP request packet that says "If your IP address matches this target IP address, then please tell me your Ethernet address" is broadcast. Hopefully, some host on the net replies. An ARP response packet has the sender / target field contents swapped as compared to the request. The queued IP packet can now be sent.

Routing Protocols

The IP layer is responsible for getting a packet from the source IP address to the destination IP address. Each IP packet has the source and destination IP addresses. In general, the path of nodes between the source and destination is not unique. It can even change during the transmission of a network message from one packet to the next. A host uses routing tables to compute the next hop that is on a path from the source to the destination.

Read the paper by [krnl].

Domain Name Service

Because of the mnemonic value, humans prefer to work with host names such as gamma.cs.wright.edu. This is known as a fully qualified domain name (FQDN). Simply "gamma" is not fully qualified, even though the domain it is in makes it acceptable. Such an FQDN is converted into a 32-bit IP address using the DNS Protocol.

DNS uses a distributed database protocol to delegate control of domain name hierarchies among zones, each managed by a group of name servers.  Name servers are the repositories of information that make up the domain database.  A given name server will typically support one or more zones, but this gives it authoritative information about only a small section of the domain tree. It may also have some cached non-authoritative data about other parts of the tree. The name server marks its responses to queries so that the requester can tell whether the response comes from authoritative data or not.

The DNS protocol operates in one of two basic modes - lookups or zone transfers.  Either TCP or UDP can be used to transport DNS protocol messages, connecting to server port 53 for either. Ordinary DNS requests can be made with TCP, though convention dictates the use of UDP for normal operation. TCP must be used for zone transfers, however, because of the danger of dropping records with an unreliable delivery protocol such as UDP.
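The authoritative marking and the choice of transport are both visible in the first octets of a DNS message. This is an added example, not code from the original handout: it builds an ordinary lookup query, reads the header flags of a reply (including the AA bit that marks authoritative data), and adds the two-octet length prefix that DNS messages carry when sent over TCP. The function names and the two reply headers are constructed for illustration.

```python
import struct

def build_query(name: str, qtype: int = 1, qid: int = 0x1234) -> bytes:
    """DNS query: 12-octet header plus one question (default Type=A, Class=IN)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD bit set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(msg: bytes) -> dict:
    if len(msg) < 12:
        raise ValueError("shorter than the 12-octet DNS header")
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid,
            "is_response": bool(flags & 0x8000),
            "authoritative": bool(flags & 0x0400),   # AA bit
            "truncated": bool(flags & 0x0200),       # TC bit: retry over TCP
            "rcode": flags & 0x000F,
            "questions": qd, "answers": an}

def frame_for_tcp(msg: bytes) -> bytes:
    """Over TCP each DNS message is preceded by a two-octet length field."""
    return struct.pack("!H", len(msg)) + msg

# Constructed reply headers (header only): one from a server that holds the
# zone, one answered from a cache.
AUTHORITATIVE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0)
CACHED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
```

A resolver should also compare the `id` of a reply with the one it sent, since UDP itself gives no assurance about where a datagram came from.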

A DNS lookup causes the network layer of the OS to examine its own /etc/hosts file. If the name is not found there, it sends a request to each of the name servers listed in the /etc/resolv.conf file. It is possible that none of the name servers can find the given name. Each name server recursively behaves the same way: look up its own /etc/hosts or equivalent database, and then its own name servers in its own /etc/resolv.conf. To speed things up, a typical name server will cache a number of previously received answers.

Sometimes it is necessary to transfer the resource records of an entire DNS zone. A DNS query with Name=wright.edu, Class=IN, Type=AXFR will trigger a zone transfer for all the host names that are in the wright.edu domain.


Lab Experiment




References

  1. Prabhaker Mateti, "LAN Refresher," Internet Security Class Notes, www.cs.wright.edu/~pmateti/Courses/499/LAN/ Required reading.
  2. Krnl, "Introduction and Overview of Internet Routing," Phrack Magazine, Volume 8, Issue 53, July 8, 1998, article 05 of 15, www.phrack.org Required reading.
  3. Brent Baccala, Editor, Connected: An Internet Encyclopedia, April 1997, http://www.freesoft.org/CIE/index.htm Reference. Look it up here for more details on TCP/IP.

07/05/00 12:53:15 PM
Open Content Copyright 2000 pmateti@cs.wright.edu