The network layer delivers packets to the correct host—but a host runs many applications simultaneously. Your computer might be running a web browser, an email client, a music streaming app, and a dozen background services, all using the network at the same time. How does an incoming packet reach the right application?
This is the domain of the Transport Layer (Layer 4)—the bridge between network-level addressing and application-level communication. While IP addresses identify hosts, port numbers identify specific applications or services. The transport layer provides process-to-process (or socket-to-socket) communication, ensuring data reaches not just the correct machine, but the correct running program.
Beyond addressing, the transport layer makes crucial decisions about how data is delivered. Should it guarantee delivery, or sacrifice reliability for speed? Should it preserve message boundaries, or treat data as a stream? The answers to these questions determine which transport protocol to use—predominantly TCP for reliability or UDP for lightweight communication.
By the end of this page, you will understand: how port numbers enable application multiplexing, the fundamental differences between TCP and UDP, how TCP ensures reliable, ordered delivery through acknowledgments and retransmissions, how flow control prevents receiver overflow, how congestion control prevents network collapse, and when to choose TCP versus UDP for different applications.
The transport layer sits between the application layer (where your programs live) and the network layer (which routes packets). Its fundamental responsibility is enabling communication between processes on different hosts.
Core Functions:
1. Process Multiplexing/Demultiplexing: Combining data from many applications onto one network interface, and steering each incoming segment to the correct application by port number.
2. Segmentation and Reassembly: Splitting application data into network-sized segments and reassembling them at the destination.
3. Connection Management (TCP): Establishing, maintaining, and tearing down connections between endpoints.
4. Reliable Delivery (TCP): Guaranteeing that data arrives, using acknowledgments and retransmissions.
5. Flow Control (TCP): Preventing a fast sender from overwhelming a slow receiver.
6. Congestion Control (TCP): Preventing senders from overwhelming the network itself.
| Function | TCP | UDP |
|---|---|---|
| Multiplexing/Demultiplexing | ✓ Yes | ✓ Yes |
| Segmentation/Reassembly | ✓ Yes | ✓ Yes (per-datagram) |
| Connection Management | ✓ Yes (stateful) | ✗ No (connectionless) |
| Reliable Delivery | ✓ Yes (ACKs, retransmissions) | ✗ No (best-effort) |
| Ordered Delivery | ✓ Yes (sequence numbers) | ✗ No (may arrive out of order) |
| Flow Control | ✓ Yes (sliding window) | ✗ No |
| Congestion Control | ✓ Yes (multiple algorithms) | ✗ No |
| Error Detection | ✓ Yes (checksum) | ✓ Yes (checksum, optional in IPv4) |
The transport layer embodies the end-to-end principle: complex functions (reliability, ordering) are implemented at the endpoints, not in the network core. Routers simply forward packets—they don't maintain connection state or guarantee delivery. This design keeps the network simple and scalable, pushing complexity to the edges where it can be application-specific.
Port numbers are 16-bit unsigned integers (0-65535) that identify specific applications or services on a host. Combined with an IP address, a port creates a socket address—a unique endpoint for network communication.
Port Number Ranges:
| Range | Name | Description |
|---|---|---|
| 0-1023 | Well-Known Ports | Reserved for standard services (requires root/admin) |
| 1024-49151 | Registered Ports | Assigned by IANA for specific applications |
| 49152-65535 | Dynamic/Ephemeral Ports | Used for client-side temporary connections |
Common Well-Known Ports:
| Port | Protocol | Service |
|---|---|---|
| 20, 21 | TCP | FTP (data, control) |
| 22 | TCP | SSH |
| 23 | TCP | Telnet |
| 25 | TCP | SMTP (email sending) |
| 53 | TCP/UDP | DNS |
| 80 | TCP | HTTP |
| 110 | TCP | POP3 |
| 143 | TCP | IMAP |
| 443 | TCP | HTTPS |
| 3389 | TCP | RDP |
Sockets: The Programming Interface
A socket is an endpoint for network communication, identified by a protocol (TCP or UDP), an IP address, and a port number.
Connection Identification (TCP):
A TCP connection is uniquely identified by a 4-tuple: (source IP, source port, destination IP, destination port).
This allows a single server on port 80 to simultaneously handle thousands of clients—each connection has a unique combination of client IP and client port.
Example:
A web server listening on 192.168.1.100:80 can serve three clients simultaneously; each connection's 4-tuple differs in the client IP, the client port, or both.
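As a sketch of the idea (the client addresses below are hypothetical values from documentation IP ranges), each connection's 4-tuple stays distinct even when the same client connects twice:

```python
# Illustrative 4-tuples for one server socket handling three clients.
server = ("192.168.1.100", 80)

connections = {
    ("203.0.113.5", 51234) + server,   # client A, first connection
    ("203.0.113.5", 51235) + server,   # client A again: new ephemeral port
    ("198.51.100.7", 49800) + server,  # client B
}

# Every 4-tuple is unique, so the OS can demultiplex all three.
print(len(connections))  # 3
```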
Security scanners like Nmap discover running services by probing port ranges. Defense strategies include:
• Firewall rules: Block unnecessary ports at the network boundary
• Host firewall: Block ports on individual machines
• Service minimization: Only run necessary services
• Port obfuscation: Run services on non-standard ports (security through obscurity—weak, but adds friction)
Understanding ports is essential for both attack surface analysis and defense configuration.
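A minimal sketch of how a connect scan works (the same basic probe behind tools like Nmap): attempt a full TCP handshake to the target port. The function name and timeout are illustrative.

```python
import socket

def port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP handshake to host:port succeeds (a connect scan)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        # connect_ex returns 0 on success, an errno value on failure
        return s.connect_ex((host, port)) == 0
```

Real scanners add speed and stealth (SYN scans, parallelism), but the core question is the same: does anything answer on this port?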
User Datagram Protocol (UDP) is the simpler of the two primary transport protocols. It provides minimal services: just multiplexing and optional error detection. No connections, no reliability, no ordering, no flow control.
UDP Header Structure:
| Field | Size | Description |
|---|---|---|
| Source Port | 16 bits | Sending application's port (optional, can be 0) |
| Destination Port | 16 bits | Receiving application's port |
| Length | 16 bits | Total datagram length (header + data) |
| Checksum | 16 bits | Error detection (optional in IPv4, mandatory in IPv6) |
That's it. 8 bytes of header, no connection state, no acknowledgments.
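A minimal sketch of UDP's fire-and-forget model using Python's socket API on the loopback interface (where delivery happens to be dependable in practice, though UDP itself promises nothing):

```python
import socket

# Receiver: bind a datagram socket; port 0 lets the OS pick a free port.
recv_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
recv_sock.bind(("127.0.0.1", 0))
addr = recv_sock.getsockname()

# Sender: no connect, no handshake; each sendto() is an independent datagram.
send_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
send_sock.sendto(b"hello", addr)          # fire and forget: no delivery guarantee

data, sender = recv_sock.recvfrom(1024)   # datagram boundary is preserved
# data == b"hello" on the loopback path
send_sock.close()
recv_sock.close()
```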
UDP Characteristics:
• Connectionless: no handshake, no per-connection state
• Unreliable: no acknowledgments or retransmissions (best-effort)
• Unordered: datagrams may arrive in any order
• Message-oriented: each datagram's boundaries are preserved
• Minimal overhead: 8-byte header, no flow or congestion control
UDP Use Cases in Detail:
DNS (Port 53): DNS uses UDP for queries because:
• A typical query and response each fit in a single datagram
• Skipping the handshake saves a round trip, keeping lookups fast
• A resolver can simply retry a lost query, so TCP's reliability adds little
(Note: DNS uses TCP for zone transfers and large responses that exceed 512 bytes)
VoIP and Video: Real-time media tolerates some packet loss but cannot tolerate retransmission delay. A dropped packet in a voice call creates a brief gap; a retransmitted packet arrives too late to be useful. UDP's low latency is essential.
Gaming: Game state updates must be timely. Receiving old enemy positions is useless and potentially misleading. Games often implement their own reliability only for data that truly requires it (e.g., chat messages).
Because UDP is connectionless and requires no handshake, it's trivial to spoof source addresses and create volumetric DDoS attacks. UDP-based protocols like DNS, NTP, and SSDP are frequently abused for amplification attacks—small spoofed requests generating large responses toward victims.
Defense includes rate limiting, response rate limiting, BCP38 (ingress filtering), and using authoritative DNS servers that don't respond to requests from outside their network.
Transmission Control Protocol (TCP) is the workhorse of the Internet. It provides reliable, ordered, error-checked delivery of a stream of bytes. When you load a web page, send an email, or download a file, TCP ensures the data arrives correctly.
TCP Header Structure:
| Field | Size | Description |
|---|---|---|
| Source Port | 16 bits | Sending application's port |
| Destination Port | 16 bits | Receiving application's port |
| Sequence Number | 32 bits | Byte offset in the data stream |
| Acknowledgment Number | 32 bits | Next expected byte from other side |
| Data Offset | 4 bits | Header length in 32-bit words |
| Reserved | 3 bits | Reserved for future use |
| Flags | 9 bits | NS, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN |
| Window Size | 16 bits | Receive buffer space (flow control) |
| Checksum | 16 bits | Error detection (header + data) |
| Urgent Pointer | 16 bits | Offset of urgent data (if URG set) |
| Options | Variable | MSS, window scaling, timestamps, SACK, etc. |
Minimum header: 20 bytes (no options)
Maximum header: 60 bytes (with options)
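The checksum field uses the standard Internet checksum (RFC 1071): the 16-bit one's-complement sum of the segment (plus a pseudo-header, which this sketch omits for brevity):

```python
def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used by TCP, UDP, and IPv4."""
    if len(data) % 2:
        data += b"\x00"                              # pad to an even length
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]        # add 16-bit words
        total = (total & 0xFFFF) + (total >> 16)     # fold the carry back in
    return ~total & 0xFFFF                           # one's complement
```

A handy property: recomputing the checksum over data with its own checksum appended yields 0, which is exactly how receivers verify segments.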
| Flag | Name | Purpose |
|---|---|---|
| SYN | Synchronize | Initiates connection; synchronizes sequence numbers |
| ACK | Acknowledgment | Acknowledges received data; ACK field is valid |
| FIN | Finish | Sender has finished sending data; initiates close |
| RST | Reset | Aborts connection immediately; indicates error |
| PSH | Push | Deliver data immediately to application (don't buffer) |
| URG | Urgent | Urgent data present; urgent pointer field is valid |
| CWR | Congestion Window Reduced | Sender reduced congestion window |
| ECE | ECN Echo | Congestion experienced notification |
TCP Key Concepts:
Byte Stream Abstraction: TCP provides a reliable byte stream—not messages or records. The application sends bytes, TCP delivers them in order. If the application needs message boundaries, it must implement them (e.g., HTTP uses Content-Length or chunked encoding).
Full-Duplex Communication: TCP connections are bidirectional—both sides can send and receive simultaneously. Each direction has its own sequence numbers and flow control.
Connection-Oriented: Before data transfer, a connection must be established (three-way handshake). After transfer, connection is terminated (four-way handshake or RST). TCP maintains state throughout the connection lifetime.
Common TCP Options:
Maximum Segment Size (MSS): The largest segment a host is willing to receive; each side advertises its own MSS during the handshake (typically 1460 bytes on Ethernet).
Window Scaling: Allows windows larger than 65535 bytes (essential for high-bandwidth, high-latency paths).
Selective Acknowledgments (SACK): Allows receiver to acknowledge non-contiguous blocks, improving retransmission efficiency.
Timestamps: Enables more accurate RTT measurement and protection against wrapped sequence numbers.
TCP connections have a lifecycle: establishment, data transfer, and termination. Understanding this lifecycle is essential for troubleshooting and security analysis.
Connection Establishment: The Three-Way Handshake
Before exchanging data, TCP endpoints synchronize their initial sequence numbers (ISNs):
Step 1: SYN (Client → Server): The client sends a segment with the SYN flag set and its initial sequence number (Seq = client ISN).
Step 2: SYN-ACK (Server → Client): The server responds with SYN and ACK set, its own ISN, and Ack = client ISN + 1.
Step 3: ACK (Client → Server): The client acknowledges with Ack = server ISN + 1. The connection is now ESTABLISHED and data can flow in both directions.
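A small sketch of where the handshake lives in practice: in the sockets API, the kernel performs the entire three-way exchange inside `connect()`, and `accept()` returns once it completes. Localhost and an OS-chosen port are used purely for the demo.

```python
import socket
import threading

srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
srv.bind(("127.0.0.1", 0))     # port 0: let the OS pick a free port
srv.listen(1)                  # server enters the LISTEN state
host, port = srv.getsockname()

def accept_one():
    conn, _addr = srv.accept() # returns once the handshake completes
    conn.close()

t = threading.Thread(target=accept_one)
t.start()

cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
cli.connect((host, port))      # kernel sends SYN, gets SYN-ACK, sends ACK
cli.close()                    # close() starts the FIN exchange
t.join()
srv.close()
```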
Connection Termination: The Four-Way Handshake
Each direction of a TCP connection is closed independently:
1. The side that finishes first sends a FIN
2. The peer ACKs that FIN (and may continue sending in its own direction)
3. When the peer finishes, it sends its own FIN
4. The original closer ACKs, and the connection is fully closed
TIME_WAIT State:
After sending the final ACK, the initiator enters the TIME_WAIT state for 2×MSL (Maximum Segment Lifetime; MSL is typically 2 minutes, so TIME_WAIT can last up to 4 minutes). This ensures:
• The final ACK can be retransmitted if the peer resends its FIN
• Delayed segments from the old connection expire before the same 4-tuple can be reused
Abrupt Termination (RST):
An RST flag immediately terminates the connection without handshakes. Used when:
• A segment arrives for a port with no listening application
• A segment arrives for a connection that no longer exists (e.g., after a crash and reboot)
• An application aborts the connection rather than closing it gracefully
The three-way handshake creates vulnerability: servers must allocate resources (Transmission Control Block) after receiving SYN. Attackers send floods of SYN packets with spoofed sources, exhausting server resources.
Defenses:
• SYN cookies: Encode state in the sequence number; don't allocate resources until a valid ACK returns
• Rate limiting: Limit SYN rate from single sources or globally
• Firewall/IPS: Detect and block SYN floods
• Increased backlog: Allow more half-open connections (temporary relief)
TCP's reliability mechanisms ensure data arrives correctly and in order, despite the unreliable IP network beneath.
Sequence Numbers:
Every byte in a TCP stream has a sequence number. The sequence number in a segment header indicates the first byte's position in the stream:
Example: If a segment has Seq=1000 and carries 500 bytes, the next segment should have Seq=1500.
Acknowledgments (ACKs):
TCP uses cumulative acknowledgments: the ACK number indicates the next expected byte, implicitly confirming everything before it. For example, ACK=1500 means all bytes through 1499 have arrived and byte 1500 should come next.
Duplicate ACKs: If a receiver gets an out-of-order segment (gaps in sequence), it responds with a duplicate ACK for the last in-order byte. Three duplicate ACKs trigger fast retransmit.
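The cumulative-ACK behavior can be sketched as a toy receiver model (the function name and the (seq, length) segment format are invented for illustration):

```python
def receiver_acks(segments, start=0):
    """Simulate cumulative ACKs. Each segment is (seq, length) in bytes.
    Returns the ACK number the receiver would send after each arrival."""
    expected = start    # next in-order byte we are waiting for
    buffered = {}       # out-of-order segments held back, keyed by seq
    acks = []
    for seq, length in segments:
        buffered[seq] = length
        # advance past any data that is now contiguous
        while expected in buffered:
            expected += buffered.pop(expected)
        acks.append(expected)   # unchanged value = a duplicate ACK
    return acks
```

With segments of 500 bytes arriving as seq 0, 1000, 1500, then 500, the receiver sends ACK 500 three times (two duplicates signal the gap), then jumps straight to 2000 once the missing segment fills the hole.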
Retransmission Mechanisms:
1. Timeout-Based Retransmission: If no ACK arrives within the retransmission timeout (RTO), the sender retransmits the oldest unacknowledged segment.
2. Fast Retransmit: Three duplicate ACKs signal a likely loss; the sender retransmits the missing segment immediately, without waiting for the timeout.
3. Selective Acknowledgment (SACK): With the SACK option, the receiver reports exactly which non-contiguous blocks arrived, so the sender retransmits only the missing ranges.
TCP dynamically calculates RTO based on observed round-trip times:
SRTT = (1 - α) × SRTT + α × RTT    (smoothed RTT)
RTTVAR = (1 - β) × RTTVAR + β × |SRTT - RTT|    (variance)
RTO = SRTT + 4 × RTTVAR
Typical values: α = 1/8, β = 1/4
This adapts to network conditions—fast networks get short timeouts; slow/variable networks get longer timeouts.
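The update above can be sketched directly (following RFC 6298's ordering, which refreshes RTTVAR before SRTT; the seed values suggested in the comment are the RFC's initialization rule):

```python
ALPHA, BETA = 1 / 8, 1 / 4   # the typical gains from the text

def update_rto(srtt, rttvar, rtt_sample):
    """One RTO update step per RFC 6298 (clock-granularity term omitted).
    Seed with srtt = first RTT sample, rttvar = first sample / 2."""
    rttvar = (1 - BETA) * rttvar + BETA * abs(srtt - rtt_sample)
    srtt = (1 - ALPHA) * srtt + ALPHA * rtt_sample
    rto = srtt + 4 * rttvar
    return srtt, rttvar, rto
```

Feeding it a steady RTT shrinks RTTVAR each step, so the RTO converges down toward SRTT; a jittery RTT inflates RTTVAR and pushes the RTO out, exactly the adaptive behavior described above.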
Flow control ensures a fast sender doesn't overwhelm a slow receiver. If the sender transmits faster than the receiver can process, the receiver's buffer fills up, new segments are dropped, and retransmissions waste bandwidth.
The Receive Window (rwnd):
The receiver advertises how much buffer space is available in the Window Size field of every ACK. This is called the receive window (rwnd).
Sliding Window Mechanism:
The sender maintains a "window" of bytes that can be sent:
• Bytes before the window: sent and acknowledged
• Bytes inside the window: eligible to send (some may already be in flight, awaiting ACK)
• Bytes beyond the window: must wait
As ACKs arrive, the window slides forward, permitting new data to be sent.
Zero Window and Window Probes:
If the receiver is completely overwhelmed, it advertises rwnd=0:
• The sender stops sending new data
• The sender periodically transmits 1-byte window probes; each probe's ACK reports the current window, so a lost window-update ACK cannot deadlock the connection
Example Scenario: A receiver's application reads from its buffer slowly while data pours in. Each ACK advertises a progressively smaller rwnd, and the sender throttles to match; once the application drains the buffer, larger windows are advertised and the sender speeds back up.
Window Scaling (RFC 7323):
The 16-bit window field limits rwnd to 65535 bytes—insufficient for modern high-bandwidth connections. Window scaling (negotiated in SYN) multiplies the window by 2^scale, enabling windows up to ~1GB.
Silly Window Syndrome occurs when sender and receiver fall into exchanging tiny segments, wasting bandwidth (roughly 40 bytes of TCP/IP headers for only a few bytes of data). Two complementary remedies prevent it:
Receiver-side: Avoid advertising tiny windows. Wait until buffer is significantly free (e.g., MSS or 50% of buffer).
Sender-side (Nagle's Algorithm): Don't send tiny segments. Buffer small data until:
• Previous data is ACKed, OR
• MSS worth of data accumulates
Nagle's algorithm reduces packet count but can add latency for interactive applications. It can be disabled with TCP_NODELAY socket option.
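Disabling Nagle is a one-line socket option; a minimal sketch in Python:

```python
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# TCP_NODELAY = 1 disables Nagle's algorithm: small writes go out immediately
s.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
nodelay = s.getsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY)  # nonzero = set
s.close()
```

Interactive protocols (SSH, games, low-latency RPC) commonly set this; bulk-transfer applications usually leave Nagle enabled.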
While flow control prevents receiver overload, congestion control prevents network overload. When routers are overwhelmed, they drop packets. If all senders respond to drops by retransmitting aggressively, the network collapses (congestion collapse).
The Congestion Window (cwnd):
In addition to rwnd, the sender maintains a congestion window (cwnd)—an estimate of how many bytes the network can handle. The actual sending rate is limited to min(rwnd, cwnd).
TCP Congestion Control Phases:
1. Slow Start: cwnd begins small (traditionally 1 MSS; modern stacks start with up to 10) and doubles every RTT (exponential growth) until it reaches the slow-start threshold (ssthresh) or loss occurs.
2. Congestion Avoidance: Above ssthresh, cwnd grows by roughly 1 MSS per RTT: linear, cautious probing for spare bandwidth.
3. Loss Recovery (on timeout): A timeout signals serious congestion. ssthresh is set to half of cwnd, cwnd resets to 1 MSS, and slow start begins again.
4. Fast Recovery (on 3 duplicate ACKs): A milder signal. ssthresh and cwnd are cut to half the old cwnd, the missing segment is retransmitted immediately, and transmission continues in congestion avoidance rather than restarting from slow start.
AIMD (Additive Increase, Multiplicative Decrease):
TCP's congestion control follows AIMD:
• Additive Increase: add roughly 1 MSS to cwnd per RTT while no loss is detected
• Multiplicative Decrease: halve cwnd when loss is detected
This creates a "sawtooth" pattern: cwnd grows linearly, drops sharply on loss, grows again. AIMD provably converges to fair, efficient bandwidth sharing among competing flows.
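The sawtooth can be sketched with a toy AIMD loop (units are MSS per RTT; feeding in the loss rounds externally is of course a simplification of real loss detection):

```python
def aimd(rounds, loss_rounds, mss=1, start=1):
    """Toy AIMD: +1 MSS per RTT, halve on loss. Returns cwnd after each round."""
    cwnd = start
    history = []
    for r in range(rounds):
        if r in loss_rounds:
            cwnd = max(mss, cwnd // 2)   # multiplicative decrease
        else:
            cwnd += mss                  # additive increase
        history.append(cwnd)
    return history
```

Starting at cwnd=4 with a loss in round 3 produces 5, 6, 7, 3, 4, 5: linear climb, sharp halving, climb again; the sawtooth in miniature.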
Modern Congestion Control Algorithms:
| Algorithm | Approach | Best For |
|---|---|---|
| Reno | Classic AIMD with fast recovery | General Internet |
| CUBIC | Window-based, better BDP handling | High bandwidth-delay |
| BBR | Model-based, measures bandwidth/RTT | Long-haul, data centers |
| Vegas | Delay-based instead of loss-based | Low-loss environments |
Modern operating systems typically default to CUBIC (Linux, Windows 10 and later) or Compound TCP (older Windows versions).
Bandwidth-Delay Product (BDP):
BDP = Bandwidth × RTT
This is the amount of data that can be "in flight" to fully utilize a link. For a 100 Mbps link with 50ms RTT:
BDP = 100 Mbps × 0.05s = 5 Mb = 625 KB
To fully utilize this link, the sender needs a window of at least 625 KB. This is why window scaling is essential for high-bandwidth, high-latency paths—the 64KB limit without scaling leaves the link underutilized.
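The arithmetic generalizes to a one-line helper (a sketch: bandwidth in bits per second, RTT in seconds, result in bytes):

```python
def bdp_bytes(bandwidth_bps: float, rtt_s: float) -> float:
    """Bandwidth-delay product: bytes in flight needed to keep the pipe full."""
    return bandwidth_bps * rtt_s / 8   # divide by 8 to convert bits to bytes

# 100 Mbps x 50 ms -> 625,000 bytes (~625 KB), matching the worked example
```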
The transport layer is where the end-to-end principle is realized, providing process-to-process communication with varying levels of service: best-effort datagrams with UDP, or a reliable, ordered byte stream with TCP.
Module Complete:
We've now explored all layers covered in this OSI Model Overview module—from the physical transmission of bits through the reliable delivery of application data. The OSI model provides the conceptual framework; these layers provide the implementation reality.
In subsequent modules, we'll examine the upper layers (Session, Presentation, Application) and compare the OSI model with the TCP/IP model that actually runs the Internet.
You now understand OSI Layer 4—the transport layer—where host delivery becomes application delivery. From ports and sockets to TCP's reliability mechanisms, flow control, and congestion control, you've explored the layer that bridges the network's packet delivery with the application's data needs. You've completed the core lower layers of the OSI model.