TCP/IP Explained

Every web request you make travels through a precisely-engineered stack of protocols. TCP/IP isn't magic — it's math, retries, and congestion signals. Here's how your browser fetches a page in under 100 ms across thousands of kilometres.

1. The Network Stack

Networks are designed in layers — each layer solves one problem and trusts the layers below it. The TCP/IP model has four practical layers:

Layer 4 — AppHTTP / DNS / WebSocketWhat you send: HTML, JSON, video bytes

Layer 3 — TransportTCP / UDPSegments data, handles reliability, port numbers

Layer 2 — InternetIP (v4 / v6)Packets, routing across networks, source/dest IP

Layer 1 — LinkEthernet / WiFi / 4GFrames on a physical link, MAC addresses

Each layer wraps the one above it when sending and unwraps it when receiving. The receiving machine reverses the process. Middle routers only look as deep as Layer 2 (IP) — they never touch your HTTP data.

2. Encapsulation

When you send an HTTP request, the kernel builds the packet from the inside out:

HTTP layer produces the raw bytes: GET / HTTP/1.1\r\nHost: example.com\r\n\r\n
TCP layer adds a header: source port (e.g. 54321), destination port (443), sequence number, checksum.
IP layer adds a header: source IP (your IP), destination IP (93.184.216.34), TTL (64), protocol (6 = TCP).
Ethernet layer adds a frame header: source MAC, destination MAC (your router's MAC), EtherType.

The whole thing is sent as bits on the wire. At each hop, the outermost header is consumed and the router makes a forwarding decision.

3. IP: Best-Effort Delivery

IP is connectionless and best-effort — it tries to deliver packets but makes no guarantees about order, duplication, or arrival. Routers use longest prefix matching to forward packets:

Longest prefix match Destination IP: 93.184.216.34 Routing table: 93.184.216.0/24 \to interface eth2 (match: 24 bits) 93.0.0.0/8 \to interface eth1 (match: 8 bits) 0.0.0.0/0 \to default gateway (match: 0 bits) \to Send via eth2 (most specific)

The TTL (Time To Live) field decrements at each router hop. When it reaches 0 the packet is dropped and an ICMP "time exceeded" message is returned — this is how traceroute works.

IPv4 vs IPv6: IPv4 has 2³² ≈ 4.3 billion addresses, exhausted in 2011. IPv6 has 2¹²⁸ ≈ 3.4 × 10³⁸ — enough for 1000 addresses per grain of sand on Earth. Most traffic now uses IPv4 + NAT with IPv6 slowly being adopted.

4. TCP: Reliable, Ordered

TCP sits on top of IP and provides:

Reliability: Acknowledgements (ACKs) and retransmissions ensure every byte arrives.
Ordering: Sequence numbers let the receiver reassemble out-of-order packets.
Error detection: 16-bit checksum on each segment (weak; TLS provides stronger integrity).
Flow control: Receiver advertises a receive window — how many bytes it can buffer.
Congestion control: TCP probes network capacity and backs off on loss.

UDP is the alternative: no connection, no ACKs, no ordering. Used for DNS, video calls, games — apps that prefer latency over guaranteed delivery and handle retransmission themselves.

5. Three-Way Handshake

Before data flows, TCP establishes a connection in three messages. Each side picks a random starting sequence number (ISN) to prevent sequence prediction attacks:

Client

SYN (ISN=x) →
← SYN-ACK (ISN=y, ACK=x+1)
ACK (ACK=y+1) →

Server

After the third message, both sides have agreed on sequence numbers and can send data. The connection teardown uses a 4-way FIN/ACK exchange (each side closes independently), or RST to abort immediately.

HTTPS / TLS: After TCP handshake, a TLS handshake (1–2 round-trips) negotiates encryption. Modern TLS 1.3 reduces this to 1 round-trip (0-RTT for resumptions). Total connection time from DNS lookup to first byte: typically 2–3 RTTs.

6. Flow and Congestion Control

Sliding Window

TCP sends multiple segments without waiting for an ACK. The congestion window (cwnd) limits in-flight bytes. Throughput ≈ cwnd / RTT.

Throughput approximation Throughput \approx MSS / (RTT \times \sqrt(loss_rate)) MSS — Maximum Segment Size (~1460 bytes for Ethernet) RTT — round-trip time loss_rate — packet loss probability

AIMD Congestion Control

TCP uses Additive Increase Multiplicative Decrease (AIMD):

Slow start: cwnd doubles every RTT until a threshold. Exponential growth.
Congestion avoidance: cwnd grows linearly (+ 1 MSS per RTT).
Loss detected: cwnd halved (Reno) or dropped to 1 MSS (Tahoe). Timeout → slow start.

Modern algorithms (BBR, CUBIC) model bandwidth and round-trip time directly instead of reacting to loss, achieving 2–10× better throughput on high-bandwidth-delay-product networks.

7. NAT: One IP for Many

Your home router has one public IP but serves dozens of devices. It does this through Network Address Translation: each outgoing packet's source IP+port is replaced with the router's public IP + a unique port. The mapping is stored in a NAT table.

NAT port mapping (example) 192.168.1.5:54321 \to 203.0.113.1:40001 (to server) 203.0.113.1:40001 \to 192.168.1.5:54321 (return traffic)

NAT breaks the end-to-end principle — servers can't initiate connections to NAT'd clients. This is why WebRTC needs ICE/STUN/TURN to punch through NAT for P2P video calls.

8. DNS: The Address Book

Before TCP even starts, DNS resolves the hostname to an IP:

Browser checks local cache (TTL-bounded).
OS checks /etc/hosts.
Recursive resolver (your ISP or 8.8.8.8) asked → returns cached answer or starts iterative lookup.
Iterative: asks root servers → TLD servers (e.g. .com) → authoritative server → returns IP.
Answer cached for TTL seconds (often 300–3600 s).

DNS uses UDP port 53 (fast lookup) or TCP for large responses >512 bytes (zone transfers, DNSSEC). DoH (DNS over HTTPS) and DoT (DNS over TLS) encrypt DNS queries to prevent snooping by ISPs.

Full page load timeline: DNS (~20 ms) → TCP connect (~30 ms) → TLS (~30 ms) → HTTP request → response. Total first-byte time ≈ 80–200 ms for typical server. Content-delivery networks (CDNs) reduce this by serving from a PoP 5–20 ms away.