Consider a popular web server like Google's. At any given moment, millions of users are connected to google.com on port 443. If the server only used the destination port (443) to identify connections, all these users would be indistinguishable—their data would mix chaotically, and reliable communication would be impossible.

Clearly, port numbers alone are insufficient for TCP's connection-oriented model. TCP needs a way to uniquely identify each individual connection among millions of simultaneous connections to the same server port.

The solution is the 4-tuple: a combination of four values that uniquely identifies every TCP connection on the entire Internet:

(Source IP, Source Port, Destination IP, Destination Port)

This 4-tuple is the complete "name" of a TCP connection—no two active connections anywhere can have the same 4-tuple.

What is a 4-Tuple?

A 4-tuple (also called a quad or socket pair) is the combination of four network identifiers that together uniquely specify a TCP connection:

1. Source IP Address (32 bits for IPv4, 128 bits for IPv6)

   • The IP address of the machine initiating the connection
   • Identifies the client host

2. Source Port (16 bits)

   • The port number on the source machine
   • Identifies the specific socket/process on the client

3. Destination IP Address (32 bits for IPv4, 128 bits for IPv6)

   • The IP address of the target machine
   • Identifies the server host

4. Destination Port (16 bits)

   • The port number on the target machine
   • Identifies the specific service/process on the server

Formal Notation:

4-tuple notation: (192.168.1.100, 52341, 203.0.113.50, 443)
                  (  src_ip,      src_port, dst_ip,     dst_port)

Alternative notation: 192.168.1.100:52341 <-> 203.0.113.50:443

Why All Four Components Are Necessary:

Mathematical Perspective:

The 4-tuple creates an enormous address space:

• IPv4: 2³² × 2¹⁶ × 2³² × 2¹⁶ = 2⁹⁶ possible 4-tuples
• IPv6: 2¹²⁸ × 2¹⁶ × 2¹²⁸ × 2¹⁶ = 2²⁸⁸ possible 4-tuples

In practice, practical limits are much lower (IP addresses in use, port range constraints), but there's still space for billions of simultaneous connections.

Understanding the distinction between port-based and connection-based identification clarifies why TCP and UDP demultiplex differently.

Port-Based Identification (UDP):

UDP uses a 2-tuple: (Destination IP, Destination Port)

UDP Socket A listens on port 53
   ↓
All datagrams to port 53 go to Socket A
   ↓
Socket A receives from any source

• Simple and fast
• No per-source state
• One socket handles all clients
• Application must track sender identity

Connection-Based Identification (TCP):

TCP uses a 4-tuple: (Source IP, Source Port, Dest IP, Dest Port)

TCP Listening Socket on port 80
   ↓
Client A connects → New Socket (A's 4-tuple)
Client B connects → New Socket (B's 4-tuple)
Client A opens 2nd connection → New Socket (A's new 4-tuple)
   ↓
Each socket is completely independent

• Connection isolation
• Per-connection state (sequence numbers, windows)
• Separate socket per client connection
• Operating system tracks connections

Practical Implication:

A UDP server on port 53 (DNS) with 10,000 clients:

• 1 socket
• Minimal kernel memory
• Application receives "from" address with each packet

A TCP server on port 443 (HTTPS) with 10,000 clients:

• 10,000 connection sockets + 1 listening socket
• Significant kernel memory (buffers, state per connection)
• Each connection is separate file descriptor

This is why high-connection-count services (like WebSocket servers or long-polling) require careful resource planning—each TCP connection consumes kernel resources.

Let's trace how a connection's 4-tuple is established, used, and released throughout its lifecycle.

Phase 1: Connection Initiation (Client Side)

1. Client application calls connect(server_ip, server_port)
2. OS selects ephemeral source port (e.g., 52341)
3. 4-tuple is now known:
   (client_ip=192.168.1.100, src_port=52341, 
    server_ip=203.0.113.50, dst_port=443)
4. Client sends SYN with this 4-tuple

Phase 2: Connection Acceptance (Server Side)

1. SYN arrives at server's listening socket on port 443
2. Server extracts 4-tuple from SYN packet
3. Server creates embryonic connection (SYN_RCVD state)
4. Server sends SYN-ACK
5. Client sends ACK
6. Server creates new connection socket for this 4-tuple
7. accept() returns the new socket to application

Phase 3: Data Transfer

every segment includes source and destination ports
→ receiver matches against known 4-tuples
→ data delivered to correct connection socket

Phase 4: Connection Termination

1. One side initiates close (sends FIN)
2. Four-way handshake completes
3. Socket moves to TIME_WAIT (typically 60-120 seconds)
4. During TIME_WAIT, 4-tuple cannot be reused
5. After TIME_WAIT expires, 4-tuple is released

The power of 4-tuple identification is most evident when we examine how a server handles multiple connections to the same port.

Scenario: Web Server Port 443

Server IP: 203.0.113.50 Server Port: 443 (HTTPS) Active connections:

Connection 1: (10.0.0.1, 52341, 203.0.113.50, 443)
   └─► Client 10.0.0.1, first browser tab

Connection 2: (10.0.0.1, 52342, 203.0.113.50, 443)
   └─► Client 10.0.0.1, second browser tab (same client!)

Connection 3: (10.0.0.2, 52341, 203.0.113.50, 443)
   └─► Client 10.0.0.2 (same source port as Connection 1, different IP)

Connection 4: (192.168.5.100, 48001, 203.0.113.50, 443)
   └─► Different network entirely

All four connections use destination port 443, but they're completely separate because their 4-tuples differ.

Client Opens Multiple Connections:

A single web page might require 6-8 connections to load all resources (HTML, CSS, images, scripts). The browser uses different source ports:

Browser loading google.com from 192.168.1.100:
├── Connection for main HTML:  192.168.1.100:52341 → google:443
├── Connection for CSS:        192.168.1.100:52342 → google:443
├── Connection for logo.png:   192.168.1.100:52343 → google:443
├── Connection for app.js:     192.168.1.100:52344 → google:443
├── Connection for analytics:  192.168.1.100:52345 → google:443
└── Connection for fonts:      192.168.1.100:52346 → google:443

Each connection tracks its own:

• Sequence numbers
• Acknowledgments
• Window sizes
• Retransmission timers
• Data buffers

Server Handling Thousands of Connections:

Server socket table:
┌─────────────────────────────────────────────────────────────────────┐
│  Source IP    │ Src Port │   Dest IP    │ Dst Port │ Socket FD │   │
├─────────────────────────────────────────────────────────────────────┤
│  0.0.0.0      │    443   │     *        │    *     │    3      │ L │
│  10.0.0.1     │  52341   │ 203.0.113.50 │   443    │    5      │ E │
│  10.0.0.1     │  52342   │ 203.0.113.50 │   443    │    6      │ E │
│  10.0.0.2     │  52341   │ 203.0.113.50 │   443    │    7      │ E │
│  192.168.5.100│  48001   │ 203.0.113.50 │   443    │    8      │ E │
│   ... potentially 100,000+ more ...                              │  │
└─────────────────────────────────────────────────────────────────────┘
 L = Listening socket, E = Established connection

The operating system maintains a connection table (also called the socket table or TCP control block table) that maps 4-tuples to connection sockets. Efficient implementation is critical for high-performance networking.

Data Structure Requirements:

1. Fast Lookup: O(1) average case for incoming segments
2. Fast Insert: O(1) for new connections
3. Fast Delete: O(1) for closed connections
4. Memory Efficient: Minimal overhead per connection
5. Concurrent: Support multiple CPU cores

Hash Table Implementation:

Most systems use hash tables indexed by 4-tuple:

Hash Function:
hash = hash(src_ip, src_port, dst_ip, dst_port)
bucket = hash % NUM_BUCKETS

Stored in bucket:
- Linked list of connections with same hash
- Each entry: 4-tuple → socket pointer

Memory Consumption:

Each TCP connection requires significant kernel memory:

With default settings (~50 KB per connection):

• 10,000 connections: ~500 MB
• 100,000 connections: ~5 GB
• 1,000,000 connections: ~50 GB

Scaling Strategies:

1. Reduce buffer sizes: Lower default socket buffer sizes
2. Increase hash table size: Reduce chain length for faster lookup
3. Use connection pooling: Reuse connections instead of creating new ones
4. Consider UDP: For high-fanout, low-state scenarios

Let's trace exactly how an incoming TCP segment is demultiplexed using connection identification.

Incoming Segment:

IP Header:
  Source IP: 10.0.0.1
  Destination IP: 203.0.113.50
  Protocol: 6 (TCP)

TCP Header:
  Source Port: 52341
  Destination Port: 443
  Sequence Number: 1000
  ACK Number: 5000
  Flags: ACK, PSH
  
Payload: "GET /index.html HTTP/1.1..."

Demultiplexing Process:

1. IP layer receives datagram
   → Destination 203.0.113.50 matches local IP ✓
   → Protocol 6 = TCP, pass to TCP handler

2. TCP handler extracts 4-tuple:
   → (10.0.0.1, 52341, 203.0.113.50, 443)

3. Hash and lookup:
   → hash(10.0.0.1, 52341, 203.0.113.50, 443) = 0x4F2A1
   → bucket = 0x4F2A1 % 65536 = 19633
   → Search bucket 19633 for exact 4-tuple match

4. Match found:
   → Socket FD 5 owns this connection
   → Connection state: ESTABLISHED ✓

5. Sequence number validation:
   → Segment seq 1000 within receive window? ✓

6. Deliver payload:
   → Add "GET /index.html..." to FD 5's receive buffer
   → Wake application if blocked on recv()

7. Send ACK (piggy-backed or delayed)

Several edge cases and special scenarios complicate connection identification. Understanding these is essential for debugging network issues.

Edge Case 1: TIME_WAIT Connections

A connection in TIME_WAIT still occupies its 4-tuple:

Connection closes:
  (192.168.1.100, 52341, 203.0.113.50, 443) → TIME_WAIT

Another SYN arrives with same 4-tuple:
  Option A: Reject (strict) - "connection exists"
  Option B: Accept (lenient) - check if valid new connection
  
Modern implementations use sequence numbers to distinguish
delayed old segments from legitimate new connections.

Edge Case 2: Simultaneous Open

Both sides send SYN simultaneously (rare):

Client: SYN (seq=100) → ... → SYN (seq=200) :Server

Both enter SYN_RCVD state
Both respond with SYN-ACK
Both enter ESTABLISHED

Same 4-tuple, both initiated - handled correctly by TCP state machine

Edge Case 3: NAT and Connection Tracking

Network Address Translation creates challenges:

Original connection:
  192.168.1.100:52341 → 8.8.8.8:443

After NAT:
  203.0.113.1:61234 → 8.8.8.8:443

NAT device must:
1. Translate outgoing (192.168.1.100:52341 → 203.0.113.1:61234)
2. Track the mapping for incoming responses
3. Reverse-translate incoming (203.0.113.1:61234 → 192.168.1.100:52341)

The NAT device maintains its own connection table, translating 4-tuples on both directions.

Edge Case 4: Connection Hijacking Attempts

Attackers may try to inject segments into existing connections:

Legitimate: (10.0.0.1, 52341, 203.0.113.50, 443)

Attacker sends: Spoofed src=10.0.0.1:52341, guessed seq number

Protection:
1. 4-tuple must match exactly
2. Sequence number must be in receive window
3. (Optional) TCP MD5 or AO authentication

The combination of 4-tuple matching and sequence number validation provides reasonable protection against blind injection attacks.

Let's examine real-world tools and techniques for viewing and understanding connection identification.

Viewing Connection Tables:

# Linux - modern tool (ss = socket statistics)
ss -tnp
# State Recv-Q Send-Q Local Address:Port Peer Address:Port
# ESTAB 0      0      192.168.1.100:52341 93.184.216.34:443

# Linux - traditional tool (netstat)
netstat -tn
# Proto Local Address         Foreign Address       State
# tcp   192.168.1.100:52341   93.184.216.34:443     ESTABLISHED

# Windows
netstat -n
# Proto Local Address         Foreign Address       State
# TCP   192.168.1.100:52341   93.184.216.34:443     ESTABLISHED

# macOS
netstat -n | grep ESTABLISHED

Reading Connection Information:

Each line shows a unique 4-tuple:

• Local Address:Port = (Local IP, Local Port)
• Foreign Address:Port = (Remote IP, Remote Port)
• State = TCP connection state

Packet Capture and 4-Tuple:

Using tcpdump or Wireshark, you can observe 4-tuples in action:

# Capture packets showing 4-tuple
tcpdump -n -i eth0 'tcp port 443'

# Output:
# 192.168.1.100.52341 > 93.184.216.34.443: Flags [P.], seq 1:500, ack 1
# 93.184.216.34.443 > 192.168.1.100.52341: Flags [.], ack 500

# Format: src_ip.src_port > dst_ip.dst_port: [flags]

Filtering by Connection:

# Capture specific connection only
tcpdump -n 'host 192.168.1.100 and port 52341 and host 93.184.216.34 and port 443'

# This captures only the specific 4-tuple

Connection Statistics:

# /proc/net/tcp on Linux shows raw connection data
cat /proc/net/tcp
# sl  local_address rem_address   st tx_queue rx_queue ...
#  0: 6400A8C0:CC55 22D8B85D:01BB 01 00000000:00000000 ...
#     (hex IP:port) (hex IP:port) (state)

We've thoroughly explored TCP connection identification—the mechanism that enables millions of simultaneous connections to the same server port. Let's consolidate the key concepts:

What's Next:

We've covered how ports and connections identify endpoints. The final piece of the multiplexing/demultiplexing puzzle is understanding how data ultimately reaches application processes. The next page explores process mapping—the relationship between network sockets and operating system processes.