Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


TCP/IP stack question

Posted on 2004-09-01
Medium Priority
Last Modified: 2008-02-01

Say a user does a telnet to host The request is handed down from the application layer to the Transport Layer.  The transport layer then sees that telnet is going to be used, and telnet utilizes TCP, so that is what is chosen. Transport layer adds the destination port (23) and src  port (empherical port of 1043?), sets the TCP timer  and then passes the completed TCP segment to the network layer. The Network layer, adds src IP and dest IP and encapsulates the TCP segment in a packet. The network layer then sets the appropriate flags (Fragment/DF) and  passes the packet to the bottom layer which places the packet in a frame (frame type is dependant upon network topology type being used. 802.3, 802.2 etc). The frame is sent across the wire as electrical signals.  

The destination computer's network card  receives the electrical signals and interprets them. It removes the frame from the packet and passes the packet to the network layer. De-encapsulation begins.  Network layer runs a CRC on the packet and looks at where it's heading. If it doesnt match the dest IP, the packet is discarded. If it indeed matches the dest IP, it de-encapsulates the packet (leaving only a TCP segment) and  passes the TCP segment to it's Transport layer. It's transport layer receives  the TCP segment and ack's the original sender. Here is where dissolved gets lost.

Please help me fill in the gaps. I know not everything above is correct. Anyway:

1   How does the transport layer communicate with the application layer?  Isnt the application layer unaware the 3 bottom layers are there?

2. Framing is done at layer 2 correct? What happens in situations like in VLANs where 802.1q is used.  Do regular ethernet frames get framed within 802.1q? Or is 802.1q their primary framing method?

3. What is the primary framing method for ethernet LANs?

4. How would the above look, if we were using the OSI model? I know that the TCP/IP protocol suite was based on the OSI.

Question by:dissolved
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
  • 3
  • +1
LVL 16

Assisted Solution

JammyPak earned 600 total points
ID: 11958136
Here's a shot:

1. The ip stack is implemented as part of the O/S. The applications are written to APIs as specified by the O/S. So, a Windows programmer can make generic Windows calls to the APIs, and the O/S will pass those calls to the Windows TCP/IP stack. The programmer doesn't have to deal directly with TCP/IP, because the Windows kernel and base O/S services do that for them.
Each layer *is* aware of the layers directly above and below it. So, the application layer knows that a transport layer exists, and knows how to communicate with it.  (assuming that the transport and app layer are side-by-side, not using the OSI model) Applications take advantage of that by calling standard API functions that are part of the O/S.

4. typical interpretation for the 'MS model' vs the OSI model is this:
MS Physical Layer = OSI Physical layer, DataLink layer
MS Network Layer = OSI Network layer
MS Transport Layer = OSI Transport layer
MS Application Layer = OSI Session layer, Presentation layer, Application layer

In most MS courses and docs, they just lump some of the OSI layers together for simplicity.

Ps. in your above description, the physical layer will examine the packet to see if it is a broadcast or if it is destined for it's own MAC address before passing it up to the network layer. This way, it will most likely be the correct IP address when the network layer looks at it, since the packet would have typically been discarded already.

If I can find some good articles on 2. and 3. I'll post links...
LVL 15

Accepted Solution

scampgb earned 600 total points
ID: 11958466
Hi dissolved,

If you're really interested in this stuff, get yourself a copy of "TCP/IP Illustrated" :-)

As JammyPak says, how each "layer" communicates with each other is through a series of APIs.  
For example, Internet Explorer doesn't need to know (or care) that you've got an CAT5e cable connected to your PC.

Correct, framing happens at layer two.
You can find some info on 802.1q VLANS at:
Basically, an 802.1q is standard Ethernet but with 2 extra bytes in the header.

IEEE 802.2 / 802.3
You can find more at :

It's worth pointing out that the OSI model is exactly that, it's a theoretical model.  Systems don't adhere to it perfectly, so you'll often have "blurring" between the layers.
However, it's a good way of understanding what's happening.

A rough approximation (and it's not exactly like this!) would be:

Application                 Internet Explorer
Presentation                Data formats (GIF, ASCII text)
Session                     Established sockets
Transport                   TCP
Network                     IP
Data Link                   Ethernet frame
Physical                    CAT5 cable

This reminds me of being at school.  I didn't pay any attention then either :-)

Does that help?

LVL 11

Assisted Solution

PennGwyn earned 800 total points
ID: 11958684
> 1   How does the transport layer communicate with the application layer?  Isnt the application layer unaware the 3 bottom
> layers are there?

The TU buffer is not the only data structure shared between the layers.  Somewhere there is probably a "socket" structure which associates a source and destination IP address and source and destination port numbers together as a session, and the application's interactions with the stack are tied to this structure.  It may also include options, status, etc.

> 2. Framing is done at layer 2 correct? What happens in situations like in VLANs where 802.1q is used.  Do regular ethernet
> frames get framed within 802.1q? Or is 802.1q their primary framing method?

802.1q introduces a modification of the standard Ethernet frame to include a "tag" header.  At the receiving end, there's a default VLAN for untagged frames, and a mapping of recognized tag values to other VLANs.  The receiving end strips the tag, reverting to a normal Ethernet frame, and passes it to the apecified VLAN.

A more interesting case is VPN, where a complete layer 2 frame may get encapsulated inside a layer 3 packet.  The VPN server undoes the encapsulation (which may include encryption...) and forwards the original frame.

> 3. What is the primary framing method for ethernet LANs?

destination MAC address and source MAC address at the front, and FCS at the end.  Afew other small headers, such as the type value that says "this frame contains an IP (or IPX or whatever) packet".

> 4. How would the above look, if we were using the OSI model? I know that the TCP/IP protocol suite was based on the OSI.

It's not, actually, but rather on the similar ARPA model.  The most obvious difference is that there are no layer 5 & 6, for which there is no OSI/ISO standard anyway.

Plesk WordPress Toolkit

Plesk's WordPress Toolkit allows server administrators, resellers and customers to manage their WordPress instances, enabling a variety of development workflows for WordPress admins of all skill levels, from beginners to pros.

See why 2/3 of Plesk servers use it.


Author Comment

ID: 11959157
Gotcha. Thanks guys. The problem I think I'm having, is the framing.  Can someone specifically elaborate on framing methods?

I keep hearing 802. numbers thrown around.  Framing is when a IP packet (from the network layer) is placed in a frame so it can traverse the network. Is that correct?  The type of framing depends on what type of topology you're running???? (token ring, or ethernet??)


Author Comment

ID: 11959572
Ok, let me rephrase things a bit.  Here's a snapshot of some traffic I captured:

In this example, we have a breakdown of the packet in 5 different fields:

-Ethernet II
-Internet Protocol
-Transmission Control Protocol
-HTTP protocol (not shown)

Frame is the final product I assume?

Ethernet II is the encapsulation method?

Internet Protocol is what's doing the routing obviously

TCP was chosen because it works with HTTP

HTTP is listed because it is what the user was accessing

Am I correct?
LVL 15

Assisted Solution

scampgb earned 600 total points
ID: 11961744
You're pretty much there.

The frame is what goes on the wire.  The physical interface converts that into all the little 1s and 0s that we all know and love.

Ethernet II is the format of the frame.  It's what a frame looks like.  It contains things like the datalink (MAC) layer address.

IP is the format of the packet.  It contains things like logical (IP) address.

TCP becomes encapsulated in the IP packet, and includes things like sequence numbers.

HTTP is the protocol for transferring data from websites :-)

The word "encapsulation" can cause a little confusion because it happens at each layer. The HTTP request is encapsulated in a TCP packet, the TCP packet is encapsulated in IP, the IP packet is encapsulated in the Ethernet II frame....

Author Comment

ID: 11962280
Ok so the frame is what is transmitted on wire.

The ethernet II is the type of frame. This could also be 802.3 etc right?

LVL 15

Expert Comment

ID: 11962610
Well, the frame is converted to bits which it then transmitted on the wire - but that's it.

Here's a good answer to Ethernet II vs 802.3:
Xerox developed the first version of Ethernet, Ethernet I. The second version of Ethernet, Ethernet II, was developed by DEC, Intel and Xerox. After this the Ethernet was standardized by IEEE and the new format is known as 802.3 format. To provide backward compatibility with Ethernet II, 802.2 SNAP format was developed.

You can find more info on this, including frame formats, at :
LVL 16

Expert Comment

ID: 11963274
and Token Ring uses 802.5!
LVL 15

Expert Comment

ID: 11963329
JammyPak: Don't confuse the kid! :)

Author Comment

ID: 11963480
lol thanks guys.  I ran a sniffer and noticed a few things.

Most of my frame formats were Ethernet II. Probably 95%.  Almost every single Ethernet II packet had ARP being utilized

A few of my other frames were 802.3.  Each time I saw 802.3 I saw LLC.  What is up with the correlation?  Most of these frames were either ciscos STP protocol or cisco's CDP protocol (which shows up in ethereal as LLC  protocol for some reason instead of CDP protocol)

Now for the obvoius question. Why are some packets being framed Ethernet II and some being framed 802.3.  Is it in their design? For example, the CDP and STP protocol was designed to be framed in 802.3?  (did i say that right?)

Sorry if I'm repeating myself, but I'm trying to comprehend. Thanks!
LVL 16

Assisted Solution

JammyPak earned 600 total points
ID: 11963807
ARP (address resolution protocol) will be used everytime you send an IP-based packet to a host that is not already in your ARP cache. Run arp -a to see the ARP cache - it's just a mapping of IP addresses to MAC addresses. ARP sits at the network layer along with IP in the protocol stack.

Featured Post

ATEN's HDBaseT Presentation at InfoComm 2017

Hear ATEN Product Manager YT Liang review HDBaseT technology, highlighting ATEN’s latest solutions as they relate to real-world applications during her presentation at the HDBaseT booth at InfoComm 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you’re involved with your company’s wide area network (WAN), you’ve probably heard about SD-WANs. They’re the “boy wonder” of networking, ostensibly allowing companies to replace expensive MPLS lines with low-cost Internet access. But, are they …
This article will show how Aten was able to supply easy management and control for Artear's video walls and wide range display configurations of their newsroom.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor ( If you're looking for how to monitor bandwidth using netflow or packet s…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question