Skip to content

Transport Layer

TCP & UDP

TCP vs UDP

UDP is a 'best effort' delivery system that does not require acknowledgment of receipt. UDP is preferable with applications such as streaming audio and VoIP. Acknowledgments would slow down delivery and retransmissions are undesirable. Packets take a path from the source to a destination. A few packets may be lost but it is usually not noticeable.

TCP packets take a path from the source to the destination. However, each of the packets has a sequence number. TCP breaks up a message into small pieces known as segments. The segments are numbered in sequence and passed to the IP process for assembly into packets. TCP keeps track of the number of segments that have been sent to a specific host from a specific application. If the sender does not receive an acknowledgment within a certain period of time, it assumes that the segments were lost and retransmits them. Only the portion of the message that is lost is resent, not the entire message.

Port Numbers

Port Numbers

When a message is delivered using either TCP or UDP, the protocols and services requested are identified by a port number. A port is a numeric identifier within each segment that is used to keep track of specific conversations between a client and server. Every message that a host sends contains both a source and destination port.

When a message is received by a server, it is necessary for the server to be able to determine which service is being requested by the client. Clients are preconfigured to use a destination port that is registered on the internet for each service.

Port Numbers

Ports are assigned and managed by an organization known as the ICANN. Ports are broken into three categories and range in number from 1 to 65,535:

  • Well-Known Ports - Destination ports that are associated with common network applications are identified as well-known ports. These ports are in the range of 1 to 1023.
  • Registered Ports - Ports 1024 through 49151 can be used as either source or destination ports. These can be used by organizations to register specific applications such as IM applications.
  • Private Ports - Ports 49152 through 65535 are often used as source ports. These ports can be used by any application.

The table displays some common well-known port numbers and their associated applications.

Port Applications

Socket Pairs

The source and destination ports are placed within the segment. The segments are then encapsulated within an IP packet. The IP packet contains the IP address of the source and destination. The combination of the source IP address and source port number, or the destination IP address and destination port number is known as a socket.

In the example in the figure, the PC is simultaneously requesting FTP and web services from the destination server.

Port Example

In the example, the FTP request generated by the PC includes the Layer 2 MAC addresses and the Layer 3 IP addresses. The request also identifies the source port number 1305 (dynamically generated by the host) and destination port, identifying the FTP services on port 21. The host also has requested a web page from the server using the same Layer 2 and Layer 3 addresses. However, it is using the source port number 1099 (dynamically generated by the host) and destination port identifying the web service on port 80.

The socket is used to identify the server and service being requested by the client. A client socket might look like this, with 1099 representing the source port number: 192.168.1.5:1099

The socket on a web server might be 192.168.1.7:80

Together, these two sockets combine to form a socket pair: 192.168.1.5:1099, 192.168.1.7:80

Sockets enable multiple processes, running on a client, to distinguish themselves from each other, and multiple connections to a server process to be distinguished from each other.

The source port number acts as a return address for the requesting application. The transport layer keeps track of this port and the application that initiated the request so that when a response is returned, it can be forwarded to the correct application.

Netstat

Unexplained TCP connections can pose a major security threat. They can indicate that something or someone is connected to the local host. Sometimes it is necessary to know which active TCP connections are open and running on a networked host. Netstat is an important network utility that can be used to verify those connections. The command netstat is used to list the protocols in use, the local address and port numbers, the foreign address and port numbers, and the connection state.

📋 Output
C:∖> netstat

Active Connections

  Proto Local Address           Foreign Address             State
  TCP   192.168.1.124:3126      192.168.0.2:netbios-ssn     ESTABLISHED
  TCP   192.168.1.124:3158      207.138.126.152:http        ESTABLISHED
  TCP   192.168.1.124:3159      207.138.126.169:http        ESTABLISHED
  TCP   192.168.1.124:3161      sc.msn.com:http             ESTABLISHED
  TCP   192.168.1.124:3166      www.cisco.com:http          ESTABLISHED
(output omitted)
C:∖> netstat