Vous êtes sur la page 1sur 5


Understanding TCP/IP
TCP/IP, the ubiquitous network protocol, is actually a four-layer suite of protocols and is
well worth gaining an understanding of, if only to ensure that you set it up in the most
efficient way on your network.

By Julian Moss

E veryone knows that TCP/IP is a

network protocol used on
LANs, WANs and the Internet,
but not everyone who uses it under-
things like routing and reliability.
The benefit that the layered proto-
col stack gives you is that, if you invent
a new network application or a new
some control fields. There follows the
data, and then a trailer which is simply
a 32-bit cyclic redundancy check
(CRC) field. The data portion of an
stands how it works. It’s possible to use type of hardware, you only need to Ethernet frame must be at least 38
TCP/IP with little more than a knowl- create a protocol for that application or bytes long, so filler bytes are inserted if
edge of how to configure the protocol that hardware: you don’t have to re- necessary.
stack, but a better understanding will write the whole stack. All this means that frames are at
give you a clearer picture of what is least 64 bytes long, even if they carry
going on in your network and why the Link Layer only one byte of user data: a significant
protocol needs to be set up in a particu- overhead in some types of application.
lar way. TCP/IP is a four-layer protocol, as Frames also have a maximum size.
The aim of this multi-part article is illustrated in Figure 1. The lowest level, Less headers, the maximum size for an
to explain the key concepts behind the link layer, is implemented within Ethernet frame is 1492 bytes, which is
TCP/IP. the network adapter and its device the maximum transmission unit
TCP/IP stands for Transmission driver. Like all the TCP/IP protocols, (MTU) for Ethernet. All link layer pro-
Control Protocol/Internet Protocol. If it is defined by standards. The stand- tocols have an MTU. It is one hardware
this leads you to think that it is not just ards for generic Ethernet-type net- characteristic that the higher-level pro-
one protocol, you’re right. In fact, it is works are defined by the IEEE 802 tocol needs to be aware of, because
not just two protocols, either. TCP/IP Committee: for example, IEEE 802.3 larger blocks of data must be frag-
is a suite of protocols. We’ll cover the for Ethernet networks, or IEEE 802.5 mented into chunks that fit within the
most important ones in the course of for Token Ring networks. MTU and then reassembled on arrival
this article. Other link layer protocols that at their destination.
could be used include Serial Line IP
Layered Protocol (SLIP) or Point-to-Point Protocol Network Layer
(PPP), which are used when connect-
Like most network protocols, ing to a network over an asynchronous The next layer up from the link layer
TCP/IP is a layered protocol. Each dial-up link. is called the network layer. The most
layer builds upon the layer below it, Since Ethernet is the most common important protocol at this level is IP,
adding new functionality. The lowest- type of network, we will look at it in a the Internet Protocol. Its job is to send
level protocol is concerned purely with bit more detail. The Ethernet protocol packets or datagrams - a term which
the business of sending and receiving is designed for carrying blocks of data basically means “blocks of data” - from
data - any data - using specific network called frames. A frame consists of a one point to another. It uses the link
hardware. At the top are protocols de- header containing 48-bit hardware layer protocol to achieve this.
signed specifically for tasks like trans- destination and source addresses Both the network layer and the link
ferring files or delivering email. In (which identify specific network layer are concerned with getting data
between are levels concerned with adapters), a 2-byte length field, and from point A to point B. However,
whilst the network layer works in the
world of TCP/IP, the link layer has to
deal with the real world. Everything it
“A router examines every packet, and does is geared towards the network
hardware it uses.
compares the destination address with a An IP address is a “soft” address. It
is a bit like calling your office block
table of addresses that it holds in memory.” “Pan-Galactic House” instead of its
real address, 2326 Western Boulevard.
The former is no use to the postman

Issue 87 (September 1997) Page 3

PC Network Advisor File: C04100.1

who has to deliver the letters, unless he

can use it to find out the latter. The
link-layer Ethernet protocol needs to “The TTL field is a safety mechanism
know the unique hardware address of
the specific network adapter it has to which prevents packets from travelling
deliver the message to and, in case of
an error, the address of the one it came the Internet forever in routing loops.
To make this possible, the TCP/IP It is exploited in a novel way by the
protocol suite includes link-layer pro-
tocols which convert between IP and Traceroute diagnostic tool.”
hardware addresses. The Address
Resolution Protocol (ARP) finds out
the physical address corresponding to
an IP address. It does this by broadcast-
ing an ARP request on the network. for a start. It would, in any case, be were received out of order.
When a host recognises an ARP re- undesirable for every computer in the IP is an unreliable protocol. Any
quest containing its own IP address, it world to be connected to one big net- mechanisms for ensuring that data
sends an ARP reply containing its work. Every message sent would have sent arrives correct and intact are pro-
hardware address. There is also a Re- to be heard by every computer, which vided by the higher-level protocols in
verse ARP (RARP) protocol. This is would be bedlam. the suite.
used by a host to find out its own IP Instead, inter-net communications
address if it has no way of doing this take place using one or more “hops”. Packets
except via the network. Your Ethernet card will communicate
with another Ethernet device on the An IP packet consists of the IP
Internet Protocol route to the final destination. Routing header and data. The header includes
is the important capability that IP adds a 4-bit protocol version number, a
IP is the bedrock protocol of to a hardware network protocol. Be- header length, a 16-bit total length,
TCP/IP. Every message and every fore we come to it, we will look at some some control fields, a header checksum
piece of data sent over any TCP/IP other features of IP. and the 32-bit source and destination
network is sent as an IP packet. IP addresses. This totals 20 bytes in all.
IP’s job is to enable data to be trans- Features Of IP We won’t go into the detail of all the
mitted across and between networks. IP control fields. However, the proto-
Hence the name: inter-net protocol. In IP is a connectionless protocol. This col field is important. It identifies
a small LAN, it adds little to what means that it has no concept of a job or which higher-level TCP/IP protocol
could be achieved if the network appli- a session. Each packet is treated as an sent the data. When data arrives at its
cations talked directly to Ethernet. If entity in itself. IP is rather like a postal destination (either the packet’s desti-
every computer is connected to the worker sorting letters. He is not con- nation address equals the host’s own
same Ethernet cable, every message cerned with whether a packet is one of IP address, or it is a broadcast address)
could be sent directly to the destination a batch. He simply routes packets, one this field tells IP which protocol mod-
computer. at a time, to the next location on the ule to pass it on to.
Once you start connecting networks delivery route. One control field, the time-to-live
together, however, direct Ethernet IP is also unconcerned with (TTL) field, is interesting. It is initial-
communication becomes impractical. whether a packet reaches its eventual ised by the sender to a particular value,
At the application level you may ad- destination, or whether packets arrive usually 64, and decremented by one
dress a message to a computer on the in the original order. There is no infor- (or the number of seconds it is held on
far side of the world, but your Ethernet mation in a packet to identify it as part to) by every router that the packet
card can’t communicate with the Eth- of a sequence or as belonging to a par- passes through. When it reaches zero
ernet card on that computer. Physical ticular job. Consequently, IP cannot the packet is discarded and the sender
Ethernet limitations would prevent it, tell if packets were lost or whether they notified using the Internet Control
Message Protocol (ICMP), a network-
layer protocol for sending network-re-
Application layer: FTP, SMTP, SNMP lated messages.
Transport layer: TCP, UDP The TTL field is a safety mechanism
Network layer: IP which prevents packets from travel-
Link layer: IEEE 802.x, PPP, SLIP ling the Internet forever in routing
loops. It is exploited in a novel way by
Figure 1 - TCP/IP is a four-layer protocol, of which the the Traceroute diagnostic tool (see
link layer is the lowest layer. box).

File: C04100.2
PC Network Advisor Issue 87 (September 1997) Page 4


Although the total field length in

the IP protocol header is 16 bits, IP
packets are usually much smaller than “Like most network protocols, TCP/IP is a
the 64 KB maximum this implies. For
one thing, the link layer will have to layered protocol. Each layer builds upon the
split this into smaller chunks anyway,
so most of the efficiency advantages of layer below it, adding new functionality.”
sending data in large blocks is lost. For
another, IP standards did not histori-
cally require a host to accept a packet
of more than 576 bytes in length. Many
TCP/IP applications limit themselves written as four bytes separated by pe- in the range 1 to 126. The remaining
to using 512-byte blocks for this rea- riods (full stops). They can range from three bytes can be used for unique host
son, though today most implementa- to It’s worth addresses. This allows for 126 net-
tions of the protocol aren’t so noting that IP addresses are stored in works each with up to 16m hosts.
restricted. big-endian format, with the most sig- Class B addresses can be distin-
nificant byte first, read left to right. guished by first byte values in the
Internet Addressing This contrasts with the little-endian range 128.0.x.x to 191.255.x.x. In these
format used on Intel-based systems for addresses, the first two bytes are used
Internet protocol addresses, or IP storing 32-bit numbers. This minor for the net ID, and the last two for the
addresses, uniquely identify every net- point can cause a lot of trouble for PC host ID, giving addresses for 16,000
work or host on the Internet. To make programmers and others working networks, each with up to 16,000 hosts.
sure they are unique, one body, called with raw IP data if they forget. Class C addresses are in the range
InterNIC, is responsible for issuing IP addresses comprise two parts, 224.0.0.x to 239.255.255.x. Here, the
them. the network ID and the host ID. An IP first three bytes identify the network,
If your network is connected to the address can identify a network (if the leaving just one byte for the individual
Internet and the computers need to be host part is all zero) or an individual hosts. This provides for 2 million net-
addressable from the Internet you host. The dividing line between the works of up to 254 hosts each.
must use IP addresses issued by In- network ID and the host ID is not con- Although these addresses make it
terNIC. If you don’t use InterNIC-is- stant. Instead, IP addresses are split possible to uniquely identify quite a lot
sued addresses, you must set up the into three classes which allow for a of networks and hosts, the number is
gateway between your network and small number of very large networks, not that large in relation to the current
the Internet so that packets containing a medium number of medium-sized rate of expansion of the Internet. Con-
the made-up addresses will never pass networks and a large number of small sequently, a new addressing system
through it in either direction. networks. has been devised which is part of In-
Internet addresses are 32 bits long, Class A addresses have a first byte ternet Protocol version 6 (IPv6). IPv6
won’t come into use for a couple of
years, and understanding it isn’t essen-
Traceroute - How It Works tial to understanding how IP works in
general, so we won’t cover it here. [For
Traceroute, if you haven’t used it before, is a diagnostic tool that lets you a full description of IPv6, see article C0655
find out the route Internet traffic takes between you and any given destina- in PCNA 83 - Ed.]
tion. It exploits the fact that traffic between two points will usually follow IP addresses can be further divided
the same route at any given time, and that a router will notify the sender to obtain a subnet ID. The main net ID
using an ICMP message whenever it receives an IP packet containing a identifies a network of networks. The
time-to-live (TTL) field of one. subnet ID lets you address a specific
Normally, the TTL field of an IP packet is set to the value 64. Traceroute network within that network. This sys-
starts by sending a UDP datagram to the destination you specify, setting the tem of addressing more accurately re-
TTL field to 1. The first router that receives it discards it, and sends an ICMP flects how real-world large networks
“time-to-live equals 0" notification back. In the header of the ICMP message are connected together.
is the router’s IP address, from which its name can be determined. Next, You decide how the subnet ID is
Traceroute sends the datagram with a TTL of 2. This gets as far as the second arrived at by defining a 32-bit value
router before being discarded. Again, an ICMP message comes back. called the subnet mask. This is logi-
This process is repeated with ever-increasing TTLs until the datagram cally ANDed with the IP address to
reaches the destination. To create an error when the destination is reached, obtain the subnet address. For exam-
the UDP datagram is addressed to a non-existent port on the destination ple, if a subnet mask was
host. This causes the host to respond with an ICMP “destination port and an IP address was,
unreachable” message. Thus, Traceroute knows that the route has been 128.124 would identify the Class B net-
completed. work, 128.124.14 would identify the

Issue 87 (September 1997) Page 5

PC Network Advisor File: C04100.3

there. If no default address is present,

the router sends an ICMP “host un-
“If you don’t use InterNIC-issued reachable” or “network unreachable”
message back to the sender. If you see
addresses, you must set up the gateway this message, it usually indicates a
router failure at some point in the net-
between your network and the Internet work.
The difficult part of a router’s job is
so that packets containing the made-up not how it routes packets, but how it
builds up its table. In the simplest case,
addresses will never pass through the router table is static: it is read in
from a file at start-up. This is adequate
it in either direction.” for simple networks. You don’t even
need a dedicated piece of kit for this,
because routing functionality is built
into IP.
Dynamic routing is more compli-
subnetwork, and 5 would identify the and 256 class C addresses (192.168.0.x cated. A router builds up its table by
host on that subnetwork. [An article to 192.168.255.x). If you have equip- broadcasting ICMP router solicitation
which covers subnet masks and related top- ment which uses IP addresses that messages, to which other routers re-
ics in more detail is currently in prepara- have not been allocated by InterNIC spond. Routing protocols are used to
tion - Ed.] then the addresses used should be discover the shortest path to a location.
within one of these ranges, as an extra Routes are updated periodically in re-
Special Meanings precaution in case router misconfigu- sponse to traffic conditions and avail-
ration allows packets to “leak” onto the ability of a route. However, the details
A few IP addresses have special Internet. of how this all works is beyond the
meanings. A network ID of 0 in an scope of this article.
address means “this network”, so for IP Routing
local communication only the host ID
need be specified. A host ID of 0 means So how does an IP packet addressed Click here for the second part
“this host”. to a computer on the other side of the of this article
A network ID of 127 denotes the world find its way to its destination?
loopback interface, which is another The basic mechanism is very simple.
way of specifying “this host”. The host On a LAN, every host sees every
ID part of the address can be anything packet that is sent by every other host
in this case, though the address on that LAN. Normally, it will only do is normally used. Packets sent something with that packet if it is ad-
to the loopback address will never ap- dressed to itself, or if the destination is
pear on the network. It can be used by a broadcast address. PCNA
TCP/IP applications that run on the A router is different. A router exam-
same machine and want to communi- ines every packet, and compares the
cate with one another. destination address with a table of ad-
Addresses in the range 224.x.x.x to dresses that it holds in memory. If it
239.x.x.x are Class D addresses, which finds an exact match, it forwards the
are used for multi-casting. Addresses packet to an address associated with
240.x.x.x to 247.x.x.x are reserved for that entry in the table. This associated
experimental purposes. address may be the address of another
Net, subnet and host IDs of all bi- network in a point-to-point link, or it
nary ones (byte value 255) are used may be the address of the next-hop
when an IP packet is to be broadcast. router.
Mercifully, an address of 255.255.- If the router doesn’t find a match, it
255.255 does not result in a broadcast runs through the table again, this time
The Author
to the entire Internet. looking for a match on just the network Julian Moss is a freelance IT writer
Three sets of addresses are reserved ID part of the address. Again, if a and programmer, and developer
for private address space - networks of match is found, the packet is sent on to of Visual DialogScript, a scripting
computers that do not need to be ad- the address associated with that entry. and automation tool for Win-
dressed from the Internet. There is one If a match still isn’t found, the router dows. He can be contacted as
class A address (10.x.x.x), sixteen class looks to see if a default next-hop ad- jmoss@cix.co.uk.
B addresses (172.16.x.x to 172.31.x.x), dress is present. If so, the packet is sent

File: C04100.4
PC Network Advisor Issue 87 (September 1997) Page 6
Recent Reviews from Tech Support Alert

Reviews of the Best Windows Backup Software

In this detailed comparative review, we checked out eighteen backup software
utilities designed for home or SOHO use. Many of the products reviewed
were disappointing. However 6 products passed our tests with flying colors
and 2 of these were so impressive, they were awarded our “Editor’s Choice.”

Suppliers of Cheap Inkjet Printer Cartridges Reviewed and Rated

With hundreds of companies all claiming to have the “cheapest and best inkjet
printer cartridges,” our editors decided to put their claims to the test. Not
unexpectedly, many suppliers flunked but we did manage to come up with a
number of web sites that sell good quality inkjet printer cartridges at heavily
discounted prices.

The Best Anti Trojan Software

Our editors took a close look at the 6 leading anti-trojan/trojan remover
software utilities. Unfortunately, they found only 2 products that were effective
in their ability to detect and remove dangerous modern polymorphic and
process injecting trojans.

The 46 Best Ever Freeware Utilities

This is our Editor, Ian “Gizmo” Richards, personal selection of the best
freeware utilities. He’s hunted down some real gems, many of which perform
better than expensive commercial products.

Tech Support Alert