TCP Service Model And Header Format

Published by Keyboard Banger on

TCP used by 95% Internet applications.

A TCP segment contains one or more bytes of data.

The 4-PDU at the source system is not inspected by the routers on the network path. Once it reaches the destination system, the latter reads the 4-PDU header and passes the data to the application layer.

For each application, there is a process running in memory.

TCP application multiplexing and demultiplexing

The transport layer at the source system inserts data from different application processes into segments. This mechanism is called “application multiplexing”. The target application process is determined by the following triplet: source port, destination port, destination IP address. The source system generates a unique source port number.

the transport layer at the end system reassembles received segments extract application process data and sorts out messages for each application process, based on the following triplet: source port, destination port, source IP address. This mechanism is called “application demultiplexing”.

TCP port numbers

Port numbers are 16-bits numbers from 0 to 65536. Those that are in the range of [0-1023] are called well-known port numbers.

TCP services

  • Emulates a bidirectional byte stream of data, by using sequence numbers and acknowledgements
  • Reliable delivery through the following techniques: acknowledgements, segment retransmission, sequence numbers, timers, initial connection setup, integrity verification, (by using a checksum)
  • Flow control: to control the flow of TCP traffic to avoid swamping a switch link or a router link.

TCP is full duplex; application processes can send and receive data at the same time.

TCP is point to point; data is transferred between only two hosts.

The transport layer guarantees reliable delivery of segments in spite of the service model provided by the network layer.

Transport layer protocols provide a logical communication between processes. Network layer protocols provide a logical communication between hosts.

TCP protocol is described by a Finite State Machine that lays out all the states that the protocol can be in and all the transitions.


  • The MSS (Maximum Segment Size) has a confusing definition. MSS determines the maximum size of application data a segment can carry and NOT the maximum size of the segment.
  • appears in the Options field of the TCP header
  • MSS in a TCP segment of a device A tells a device B how much maximum data it can put in a segment towards A
  • concerns only data bytes. It does concern neither TCP header nor IP header sizes
  • When device A has data to send -such as a JPEG file- the Transport layer chunks the data into small chunks where each chunk size <= MSS. The last segment has the smallest data chunk size (<MSS).

TCP buffers

For each direction of data transfer, TCP maintains:

  • a “send buffer”, on the source host
  • a “receive” buffer”, on the destination host.

This means, for two hosts A and B exchanging data:

  • host A has a “send buffer” to send data to B, and a “receive buffer” to receive data from B,
  • host B has a “receive buffer” to receive data from A, and a “send buffer” to send data to A,

Application layer and TCP buffers

When the application layer on A has data to send, it is put in the TCP “send buffer” of A. A chunk of the data is put into a segment and the segment is transferred to the network layer.

On host B, TCP ensures that the TCP “receive buffer” contains in-order, sequenced, uncorrupted and complete stream of bytes, identical to the sender’s bytestream. The application process reads data from the TCP “receive buffer” in its original form.

TCP Connection establishment

To establish a connection in TCP:

  • A —– SYN ————- B
  • B —– SYN, ACK —– A
  • A —–ACK—————B
    • the SYN segment: seq_number= A_isn
    • the SYN/ACK segment (the connection-granted segment): seq_number= B_isn and ACK_number =A_isn+1
    • the ACK segment: seq_number=A_isn+1 and ACK_number = B_isn+1

This post shows the exchange of packets at the initial TCP connection stage.

TCP connection teardown

To tear down a TCP connection:

  • A —– FIN ————- B
  • B —– (sends remaining data), ACK —– A
  • B —–FIN —————A
  • A —–ACK————–B

Connection teardown can be initiated by either the client or the server.

TCP header format

The TCP header overhead is usually 20 bytes. The way to represent that visually (on the TCP header figure below) is by multiplying the number of rows by the size of each row. The minimum number of rows is 5, because the Options field and the Data field are not mandatory. And the length of each row is 32 bits (from bit number 0 to bit number 31) or 4 bytes. You multiply 5*4 = 20 bytes.


TCP header format – copyright

    • source port: a client that sends a TCP segment generates a random unique source port. To guarantee the uniqueness of the source port number, the client increments the source port number with each new connection.
    • destination port: the port defined by the application that will receive the byte stream
    • checksum: calculated on the basis of both TCP header and data. The same algorithm used in TCP checksum is also used in UDP checksum and IP header checksum
    • TCP options: an optional field that was created after the TCP standard was released
    • Header Length: gives the size of the TCP header, in 32-bit words, and consequently determines where the data portion of the segment starts. This is similar to the Total Length field of the IP header. This field is also known as the Offset.
    • (Flags)
      • SYN (SYNchronize): this flag tells the receiver “here is the sequence number of my first byte of data. Please synchronize with me.”
      • ACK: When set to 1, the ACK bit tells that the ACK Number field is valid. In the initial SYN segment, the ACK flag is off. Once a connection is made (in other words the TCP Three-way Handshake is done), this flag will always be set.
      • FIN
      • RST (ReSeT)
      • PSH (PuSH): tells the Transport layer of the destination host to send data to the Application layer as soon as the segment is received
      • URG (URGent): tells the Transport layer of the destination host that the Application layer of the source host has marked this data as Urgent.
      • Sequence number: Let’s take a step back and understand that the transport layer views application data as a continuous bytestream. And when data is to be put in segments, the transport layer assigns numbers to each byte of the bytestream. A Sequence Number equals the bytestream number of the first byte of a segment, in one direction. This means that the sequence numbers of the segments from A to B are different from the sequence numbers of the segments from B to A. For example, a segment with sequence number = 42 means “the first byte of the segment corresponds to byte number 42 of the bytestream of data”. For simplicity, we sometimes consider that bytestream numbers start at 0, and so do initial sequence numbers. But in reality, initial sequence numbers are random values. Randomness prevents overlapping with old existing TCP connections.
        • Sequence numbers do not start at 0. This is a security measure because if a hacker sniffs some TCP segments, he would guess how many segments have already been sent and what the next sequence numbers are.
      • ACK Number: An ACK sent by host B acknowledges all bytes received from host A up to this current segment and requests the next byte.  The ACK number equals the sequence number of the next data byte that the host wishes to receive (the next expected byte). For example, if A and B are two hosts involved in a TCP connection: ACK_sent_by_B = SeqNum_sent_by_A + 1
      • Window Size:  tells the sender how much data the RecvBuffer, at the receiver side, can receive. Remember that RecvBuffer contains uncorrupted, sequenced and in-order bytes of data.
      • Urgent Pointer: the Urgent Pointer field is valid only if the URG flag is set. Urgent Pointer gives the position (offset) of the last byte of the urgent data in the data field. So when the Application layer of the destination host reads this field, it knows where the last byte of the urgent data is within the data it receives from the Transport layer. To find the last byte of data, add the Sequence Number value to the Urgent Pointer offset value.
      • Options: will contain the negotiation of the MSS value and the Window scaling factor (a parameter in high-speed networks).
  • In TCP, suppose host A has three segments to send to host B. Host B receives only the first and third segments. What TCP does here depends on the Window Size. If Window Size = 1 segment, then the third segment is dropped and retransmission of the second segment is requested. If Window Size were equal to 3 packets, then B could store the third segment in memory and request the retransmission of the second segment.

Identifying a TCP connection

The combination of the following fields uniquely identifies a TCP connection:

    • TCP source port
    • TCP destination port
    • IP source address
    • IP destination address
    • Protocol ID (the “Protocol” field of the IP header)

Other notes

  • There are no explicit “negative ACKs”. The only way for the receiver to signal a problem is by sending duplicate ACKs (sending the same ACK again)
  • With each segment TCP gives to IP, it starts a timer. When the timer expires and no ACK is received,, an “interrupt event” is generated and the segment that caused the timeout is re-sent..
  • TCP Fast Retransmit is an RFC standard.
  • a sender can send many segments without waiting for an ACK. This is called pipelining. This will be discussed further when we will talk about the Sliding Window.
  • TCP can optimize its bandwidth use with pipelining, as long as the ratio of number of transmitted segments to Round Trip is small.
  • In a Telnet or SSH session, each character corresponds to a byte of data, in a separate TCP segment. So the size of the segment will equal the TCP header overhead plus the data size, which means 1 byte + 20 bytes = 21 bytes.

Delayed ACK, Cumulative ACK and Fast Retransmit

    • A sends an in-order segment
    • B receives the in-order segment with expected sequence number and waits 500ms. If it receives another in-order segment with expected sequence number within 500ms, then it immediately sends a Cumulative ACK requesting the next byte. Otherwise, if the 500ms expires and no other in-order segment with expected sequence number is received, it sends a Delayed ACK.
    • Each time A sends a segment it starts a timer. If there is a timeout and A has not received a corresponding ACK (acknowledging the data it contains and requesting the next bytes), it retransmits the segment.
    • if B receives an out-of order segment then it immediately sends a duplicate ACK requesting the expected sequence number.
    • When A receives the duplicate ACK three times (or more), it assumes the segment is lost and enters TCP Fast Retransmit: A sends the missing segment immediately, without waiting for the timer to expire. Attention though, the fact that a Transmitter receives three or more duplicate ACKs does not always mean a packet loss. It’s just a strong indication of it.
    • Here is an interesting situation: A sends in-order segments 1 and 2. B replies with ACK for segments 1 and 2 but ACK for segment 1 is lost. ACK for segment 2 arrives at A before timeout.–> A does not resend segment 1 because ACK for segment 2 acknowledges all bytes up to segment 2. But if ACK for segment 2 arrives after segment 1 timeout, then A re-sends segment 1. B detects that the segment contains bytes already in its possession so it simply discards the segment.




Computer Networking: A Top Down Approach, Kurose and Ross

TCP/IP Illustrated, Volume 1: The Protocols, Fall and Stevens

Categories: Networking Basics

Keyboard Banger

Keyboard Banger is a network engineer from Africa. He has been working in network support and administration since 2008. He started writing study notes about certification exams and technology topics a couple of years ago. When he's not writing articles, he can be found wandering on technical forums.


Leave a Reply

Your email address will not be published. Required fields are marked *