TCP/IP stack question

Say a user does a telnet to host The request is handed down from the application layer to the Transport Layer.  The transport layer then sees that telnet is going to be used, and telnet utilizes TCP, so that is what is chosen. Transport layer adds the destination port (23) and src  port (empherical port of 1043?), sets the TCP timer  and then passes the completed TCP segment to the network layer. The Network layer, adds src IP and dest IP and encapsulates the TCP segment in a packet. The network layer then sets the appropriate flags (Fragment/DF) and  passes the packet to the bottom layer which places the packet in a frame (frame type is dependant upon network topology type being used. 802.3, 802.2 etc). The frame is sent across the wire as electrical signals.  

The destination computer's network card  receives the electrical signals and interprets them. It removes the frame from the packet and passes the packet to the network layer. De-encapsulation begins.  Network layer runs a CRC on the packet and looks at where it's heading. If it doesnt match the dest IP, the packet is discarded. If it indeed matches the dest IP, it de-encapsulates the packet (leaving only a TCP segment) and  passes the TCP segment to it's Transport layer. It's transport layer receives  the TCP segment and ack's the original sender. Here is where dissolved gets lost.

Please help me fill in the gaps. I know not everything above is correct. Anyway:

1   How does the transport layer communicate with the application layer?  Isnt the application layer unaware the 3 bottom layers are there?

2. Framing is done at layer 2 correct? What happens in situations like in VLANs where 802.1q is used.  Do regular ethernet frames get framed within 802.1q? Or is 802.1q their primary framing method?

3. What is the primary framing method for ethernet LANs?

4. How would the above look, if we were using the OSI model? I know that the TCP/IP protocol suite was based on the OSI.

Who is Participating?
scampgbConnect With a Mentor Commented:
Hi dissolved,

If you're really interested in this stuff, get yourself a copy of "TCP/IP Illustrated" :-)

As JammyPak says, how each "layer" communicates with each other is through a series of APIs.  
For example, Internet Explorer doesn't need to know (or care) that you've got an CAT5e cable connected to your PC.

Correct, framing happens at layer two.
You can find some info on 802.1q VLANS at:
Basically, an 802.1q is standard Ethernet but with 2 extra bytes in the header.

IEEE 802.2 / 802.3
You can find more at :

It's worth pointing out that the OSI model is exactly that, it's a theoretical model.  Systems don't adhere to it perfectly, so you'll often have "blurring" between the layers.
However, it's a good way of understanding what's happening.

A rough approximation (and it's not exactly like this!) would be:

Application                 Internet Explorer
Presentation                Data formats (GIF, ASCII text)
Session                     Established sockets
Transport                   TCP
Network                     IP
Data Link                   Ethernet frame
Physical                    CAT5 cable

This reminds me of being at school.  I didn't pay any attention then either :-)

Does that help?

JammyPakConnect With a Mentor Commented:
Here's a shot:

1. The ip stack is implemented as part of the O/S. The applications are written to APIs as specified by the O/S. So, a Windows programmer can make generic Windows calls to the APIs, and the O/S will pass those calls to the Windows TCP/IP stack. The programmer doesn't have to deal directly with TCP/IP, because the Windows kernel and base O/S services do that for them.
Each layer *is* aware of the layers directly above and below it. So, the application layer knows that a transport layer exists, and knows how to communicate with it.  (assuming that the transport and app layer are side-by-side, not using the OSI model) Applications take advantage of that by calling standard API functions that are part of the O/S.

4. typical interpretation for the 'MS model' vs the OSI model is this:
MS Physical Layer = OSI Physical layer, DataLink layer
MS Network Layer = OSI Network layer
MS Transport Layer = OSI Transport layer
MS Application Layer = OSI Session layer, Presentation layer, Application layer

In most MS courses and docs, they just lump some of the OSI layers together for simplicity.

Ps. in your above description, the physical layer will examine the packet to see if it is a broadcast or if it is destined for it's own MAC address before passing it up to the network layer. This way, it will most likely be the correct IP address when the network layer looks at it, since the packet would have typically been discarded already.

If I can find some good articles on 2. and 3. I'll post links...
PennGwynConnect With a Mentor Commented:
> 1   How does the transport layer communicate with the application layer?  Isnt the application layer unaware the 3 bottom
> layers are there?

The TU buffer is not the only data structure shared between the layers.  Somewhere there is probably a "socket" structure which associates a source and destination IP address and source and destination port numbers together as a session, and the application's interactions with the stack are tied to this structure.  It may also include options, status, etc.

> 2. Framing is done at layer 2 correct? What happens in situations like in VLANs where 802.1q is used.  Do regular ethernet
> frames get framed within 802.1q? Or is 802.1q their primary framing method?

802.1q introduces a modification of the standard Ethernet frame to include a "tag" header.  At the receiving end, there's a default VLAN for untagged frames, and a mapping of recognized tag values to other VLANs.  The receiving end strips the tag, reverting to a normal Ethernet frame, and passes it to the apecified VLAN.

A more interesting case is VPN, where a complete layer 2 frame may get encapsulated inside a layer 3 packet.  The VPN server undoes the encapsulation (which may include encryption...) and forwards the original frame.

> 3. What is the primary framing method for ethernet LANs?

destination MAC address and source MAC address at the front, and FCS at the end.  Afew other small headers, such as the type value that says "this frame contains an IP (or IPX or whatever) packet".

> 4. How would the above look, if we were using the OSI model? I know that the TCP/IP protocol suite was based on the OSI.

It's not, actually, but rather on the similar ARPA model.  The most obvious difference is that there are no layer 5 & 6, for which there is no OSI/ISO standard anyway.

Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

dissolvedAuthor Commented:
Gotcha. Thanks guys. The problem I think I'm having, is the framing.  Can someone specifically elaborate on framing methods?

I keep hearing 802. numbers thrown around.  Framing is when a IP packet (from the network layer) is placed in a frame so it can traverse the network. Is that correct?  The type of framing depends on what type of topology you're running???? (token ring, or ethernet??)

dissolvedAuthor Commented:
Ok, let me rephrase things a bit.  Here's a snapshot of some traffic I captured:

In this example, we have a breakdown of the packet in 5 different fields:

-Ethernet II
-Internet Protocol
-Transmission Control Protocol
-HTTP protocol (not shown)

Frame is the final product I assume?

Ethernet II is the encapsulation method?

Internet Protocol is what's doing the routing obviously

TCP was chosen because it works with HTTP

HTTP is listed because it is what the user was accessing

Am I correct?
scampgbConnect With a Mentor Commented:
You're pretty much there.

The frame is what goes on the wire.  The physical interface converts that into all the little 1s and 0s that we all know and love.

Ethernet II is the format of the frame.  It's what a frame looks like.  It contains things like the datalink (MAC) layer address.

IP is the format of the packet.  It contains things like logical (IP) address.

TCP becomes encapsulated in the IP packet, and includes things like sequence numbers.

HTTP is the protocol for transferring data from websites :-)

The word "encapsulation" can cause a little confusion because it happens at each layer. The HTTP request is encapsulated in a TCP packet, the TCP packet is encapsulated in IP, the IP packet is encapsulated in the Ethernet II frame....
dissolvedAuthor Commented:
Ok so the frame is what is transmitted on wire.

The ethernet II is the type of frame. This could also be 802.3 etc right?

Well, the frame is converted to bits which it then transmitted on the wire - but that's it.

Here's a good answer to Ethernet II vs 802.3:
Xerox developed the first version of Ethernet, Ethernet I. The second version of Ethernet, Ethernet II, was developed by DEC, Intel and Xerox. After this the Ethernet was standardized by IEEE and the new format is known as 802.3 format. To provide backward compatibility with Ethernet II, 802.2 SNAP format was developed.

You can find more info on this, including frame formats, at :
and Token Ring uses 802.5!
JammyPak: Don't confuse the kid! :)
dissolvedAuthor Commented:
lol thanks guys.  I ran a sniffer and noticed a few things.

Most of my frame formats were Ethernet II. Probably 95%.  Almost every single Ethernet II packet had ARP being utilized

A few of my other frames were 802.3.  Each time I saw 802.3 I saw LLC.  What is up with the correlation?  Most of these frames were either ciscos STP protocol or cisco's CDP protocol (which shows up in ethereal as LLC  protocol for some reason instead of CDP protocol)

Now for the obvoius question. Why are some packets being framed Ethernet II and some being framed 802.3.  Is it in their design? For example, the CDP and STP protocol was designed to be framed in 802.3?  (did i say that right?)

Sorry if I'm repeating myself, but I'm trying to comprehend. Thanks!
JammyPakConnect With a Mentor Commented:
ARP (address resolution protocol) will be used everytime you send an IP-based packet to a host that is not already in your ARP cache. Run arp -a to see the ARP cache - it's just a mapping of IP addresses to MAC addresses. ARP sits at the network layer along with IP in the protocol stack.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.