Disclaimer:
This article provides a personal summary and analysis based on the concepts discussed in TCP/IP Illustrated: The Protocols, Volume 1.
All original ideas and content belong to the respective authors and publishers.
This summary is created under fair use principles for educational and informational purposes only.
The second edition is more recent than the first, but it includes an overwhelming amount of information and feels less engaging. In contrast, the first edition is much more enjoyable to read, though some of its content is outdated. My notes focus solely on the aspects of the first edition that remain relevant to modern networking.
TCP/IP is the foundation of modern networking, evolving from research projects in the 1960s into a globally adopted protocol suite. It was designed for packet-switched networks, allowing flexible, resilient communication.
Encapsulation & Demultiplexing: Data sent across networks goes through encapsulation, where each layer adds a header (e.g., Ethernet, IP, TCP/UDP). The receiving device demultiplexes the data, stripping headers as it moves up the stack.
Some applications bypass TCP and UDP and talk to IP or ICMP directly; routing daemons are one case the book gives. While rare today, this flexibility enabled experimentation with new transport-layer protocols. I think the example is ping and traceroute.
The Link Layer is responsible for defining how data is physically transmitted across network interfaces. It provides encapsulation methods to ensure that data is properly framed for transmission over different types of networks.
Among these, RFC 894 (Ethernet encapsulation) remains the dominant standard. I think this sets the basis of cloud computing networking: VXLAN (RFC 7348) and VLAN (IEEE 802.1Q). But one thing I am not sure about is that, since IEEE 802.1Q is a separate standard from RFC 894, how would IEEE 802.1Q work with RFC 894?
Serial Line IP (SLIP): SLIP was an early technique for sending IP datagrams over serial connections. Defined in RFC 1055, it provided only basic framing (an END byte marks the end of each datagram, with an escape sequence for END and ESC bytes inside the data) and had no error detection, no type field and no address negotiation. It is obsolete today, replaced by PPP (Point-to-Point Protocol), which is itself now rarely seen outside legacy and PPPoE links.
Loopback Interface: A special network interface that lets a device send data to itself. It uses 127.0.0.1 (IPv4; in fact any address in 127/8) or ::1 (IPv6). The decision is made in the IP output routine, not by the Ethernet driver: datagrams addressed to 127/8 or to one of the host's own addresses are handed to the loopback driver and passed back up the stack, while broadcasts and multicasts are sent on the Ethernet and also copied to the loopback so the sending host sees them.
Maximum Transmission Unit (MTU): The MTU defines the largest IP datagram (header plus data) a link can carry in one frame. If a datagram exceeds the MTU, IP fragmentation breaks it into smaller pieces before transmission; if the Don't Fragment bit is set instead, the datagram is discarded and an ICMP error is returned to the sender. Common MTU values:
Ethernet (RFC 894): 1500 bytes
IEEE 802.3/802.2: 1492 bytes
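IPv4 fragmentation worked through in code, as an added example (not from the book): given a payload size and a link MTU it produces the fragment offsets, More Fragments flags and lengths that IP would use, and it shows why 1472 is the largest ping payload that fits an unfragmented 1500-byte Ethernet frame. The header sizes are the standard ones; the input sizes are constructed.

```python
"""IPv4 fragmentation against a link MTU. Added example; not code from the book."""

IPV4_HDR = 20   # IPv4 header length without options
ICMP_HDR = 8    # ICMP echo request/reply header, relevant for the ping -s check


def fragment(payload_len, mtu, hdr_len=IPV4_HDR, df=False):
    """Split a datagram carrying payload_len bytes over a link with the given MTU.

    Returns a list of (fragment offset in 8-byte units, More Fragments flag, total length).
    Raises ValueError when DF is set and the datagram does not fit: that is the case
    where a router discards the datagram and sends ICMP "fragmentation needed"
    (type 3, code 4) back to the sender.
    """
    total = hdr_len + payload_len
    if total <= mtu:
        return [(0, 0, total)]
    if df:
        raise ValueError(f"DF set and {total} > MTU {mtu}: ICMP fragmentation needed")
    # Every fragment except the last must carry a multiple of 8 data bytes,
    # because the offset field counts in 8-byte units.
    chunk = (mtu - hdr_len) // 8 * 8
    if chunk <= 0:
        raise ValueError("MTU too small to carry any data")
    frags = []
    offset = 0
    while offset < payload_len:
        size = min(chunk, payload_len - offset)
        more = 1 if offset + size < payload_len else 0
        frags.append((offset // 8, more, hdr_len + size))
        offset += size
    return frags


def max_ping_payload(mtu, hdr_len=IPV4_HDR):
    """Largest `ping -s` value that still fits in one frame with DF set."""
    return mtu - hdr_len - ICMP_HDR


if __name__ == "__main__":
    # Constructed input: a 3000-byte UDP/ICMP payload leaving a 1500-byte Ethernet.
    for off, mf, length in fragment(3000, 1500):
        print(f"offset={off * 8:5d} bytes  MF={mf}  total_length={length}")
    print("largest ping -s for a 1500-byte MTU:", max_ping_payload(1500))
```

Note that only the first fragment carries the transport header; a filter that keys on UDP/TCP ports sees ports only in fragment offset 0, which is one reason Path MTU Discovery (sending with DF set and reacting to the ICMP error) is preferred over letting routers fragment.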
The Link Layer plays a critical role in framing, addressing, and transmitting data over various network types. Ethernet (RFC 894) remains the dominant standard, while older methods like SLIP and Trailer Encapsulation have been phased out. MTU and Path MTU Discovery ensure efficient transmission, preventing unnecessary fragmentation.
IP is a connectionless, unreliable datagram delivery service. This means:
Connectionless: No prior setup is required between sender and receiver.
Unreliable: IP makes no guarantees about delivery, order, or duplication — that’s left to higher-level protocols like TCP.
Each IPv4 datagram carries a header that is 20 bytes long without options and up to 60 bytes with options (the 4-bit header length field counts 32-bit words).
TTL (Time to Live): Prevents datagrams from circulating forever. The sender sets it to the maximum number of hops (routers) the datagram may pass through; each router decrements it, and a router that would decrement it to zero discards the datagram and sends an ICMP Time Exceeded message back to the source.
Direct Delivery: If the destination is directly reachable (e.g., same Ethernet network or point-to-point link), the packet is sent directly.
Indirect Delivery: Otherwise, the host forwards the datagram to a next-hop router (often its default router), which repeats the same decision.
Routing Table Lookup Steps:
Exact Match: Look for an entry matching the complete destination IP address (both network and host ID), i.e. a host route. Common in point-to-point links.
Network Match: If no exact match, search for an entry matching the network ID only (considering subnet masks). This is typical for local networks.
Default Route: If still no match, use the entry labeled “default”, which points to a default gateway.
Failure: If none match, the packet is dropped (usually with an ICMP “Destination Unreachable” message).
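The lookup order above, implemented as an added example (not from the book) over a constructed routing table: host route, network route and default are all found by one longest-prefix match, which is how the three steps collapse in a real implementation, and an empty result is the ICMP Destination Unreachable case. Addresses and interface names are made up.

```python
"""Routing-table lookup: host route, then network, then default, else unreachable.
Added example; the table is constructed, not taken from the book."""
import ipaddress

# (destination prefix, next hop or None when directly connected, interface)
TABLE = [
    ("10.0.0.0/24", None, "eth0"),          # directly connected network
    ("192.0.2.1/32", None, "ppp0"),         # host route: peer of a point-to-point link
    ("10.1.0.0/16", "10.0.0.2", "eth0"),
    ("10.1.4.0/22", "10.0.0.3", "eth0"),    # overlaps the /16; the longer prefix wins
    ("0.0.0.0/0", "10.0.0.254", "eth0"),    # default route
]


def lookup(dst, table=TABLE):
    """Return the forwarding decision for dst as a dict.

    kind is 'host', 'network', 'default' or 'unreachable'. direct is True when the
    destination is on an attached link, in which case the link-layer target is the
    destination itself (resolved with ARP); otherwise it is the next-hop router.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    if best is None:
        # No entry, not even a default: the datagram is dropped and the sender
        # gets an ICMP Destination Unreachable.
        return {"kind": "unreachable", "direct": False, "next_hop": None, "iface": None}
    net, next_hop, iface = best
    if net.prefixlen == 32:
        kind = "host"
    elif net.prefixlen == 0:
        kind = "default"
    else:
        kind = "network"
    return {"kind": kind, "direct": next_hop is None,
            "next_hop": next_hop or str(addr), "iface": iface}


if __name__ == "__main__":
    for dst in ("192.0.2.1", "10.0.0.7", "10.1.5.1", "10.1.9.1", "198.51.100.1"):
        print(dst, lookup(dst))
    print("198.51.100.1 without a default route:", lookup("198.51.100.1", TABLE[:-1]))
```

Because a /32 is the longest possible prefix and /0 the shortest, the single longest-prefix pass yields exactly the exact-match, network-match, default ordering the book describes.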
4.1 SIP (Simple Internet Protocol)
Proposed minimal changes to IP.
Used 64-bit addresses.
Redesigned the IP header format.
Maintained the 4-bit version field (set to a value other than 4).
✅ Among these proposals, SIP (after merging with PIP as SIPP) was the one the IETF selected and developed into what we now know as IPv6. Though IPv6 expanded to 128-bit addresses, SIP laid the groundwork for its streamlined header design and extensibility principles.
4.2 PIP
Proposed variable-length, hierarchical addresses.
Also introduced a new header format.
Not widely adopted.
4.3 TUBA (TCP and UDP with Bigger Addresses)
Based on OSI's CLNP protocol.
Used variable-length addresses (up to 20 bytes).
Leveraged existing documentation and partial router support.
Few hosts supported CLNP, limiting its practicality.
4.4 TP/IX
Used 64-bit IP addresses.
Modified TCP and UDP headers:
32-bit port numbers
64-bit sequence and acknowledgment numbers
32-bit TCP windows
A more aggressive redesign of the stack.
Why use ARP: Devices on a local network deliver Ethernet frames to 48-bit MAC addresses, not to IP addresses. ARP (defined in RFC 826) resolves a 32-bit IPv4 address into the 48-bit MAC address of the interface that owns it, so a datagram can be framed for the local link. The mapping is kept in a cache (the BSD implementation the book describes keeps a completed entry for 20 minutes) so that a request is not needed for every datagram.
List the local ARP cache: arp -a (on modern Linux, ip neigh show).
One thing that is new to me is that when it says: “A network such as an Ethernet can be used by different network layers at the same time. For example, a collection of hosts using TCP/IP and another collection of hosts using some PC network software can share the same physical cable.”, it indicates that apart from the TCP/IP protocol, there could be other proprietary PC networking software (i.e., IPX/SPX, NetBEUI, or AppleTalk) performing the role of the TCP/IP layer too.
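The request/reply exchange ARP performs, as an added example not taken from the book: two constructed hosts on one link (made-up MAC and IP addresses) build and parse RFC 826 packets and update their caches following the receive rules in the RFC (update an existing entry for the sender, learn the sender if the packet is for us, reply if it is a request).

```python
"""ARP request/reply on one Ethernet, RFC 826 layout. Added example, not from the book;
the hosts, MAC addresses and IP addresses are constructed."""
import struct

HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
HLEN, PLEN = 6, 4                      # MAC and IPv4 address lengths
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"         # target MAC in a request: unknown


def mac_bytes(m):
    return bytes.fromhex(m.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(a):
    return bytes(int(o) for o in a.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sha, spa, tha, tpa):
    """Encode the 28-byte ARP payload that follows the 14-byte Ethernet header."""
    return (struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, HLEN, PLEN, op)
            + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))


def parse_arp(pkt):
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, HLEN, PLEN):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op,
            "sha": mac_str(pkt[8:14]), "spa": ip_str(pkt[14:18]),
            "tha": mac_str(pkt[18:24]), "tpa": ip_str(pkt[24:28])}


class Host:
    def __init__(self, ip, mac):
        self.ip, self.mac, self.cache = ip, mac, {}   # cache: IP -> MAC

    def request(self, target_ip):
        """'Who has target_ip? Tell me.' Sent to the Ethernet broadcast address."""
        return build_arp(OP_REQUEST, self.mac, self.ip, ZERO_MAC, target_ip)

    def receive(self, pkt):
        """RFC 826 receive algorithm. Returns a reply packet, or None."""
        arp = parse_arp(pkt)
        merge = arp["spa"] in self.cache        # known sender: refresh unconditionally
        if arp["tpa"] == self.ip:
            self.cache[arp["spa"]] = arp["sha"]  # the asker will talk to us: learn it
            if arp["op"] == OP_REQUEST:
                return build_arp(OP_REPLY, self.mac, self.ip, arp["sha"], arp["spa"])
        elif merge:
            self.cache[arp["spa"]] = arp["sha"]
        return None


def resolve(requester, responder):
    """One request/reply round trip on the shared link; returns the resolved MAC."""
    reply = responder.receive(requester.request(responder.ip))
    if reply is not None:
        requester.receive(reply)
    return requester.cache.get(responder.ip)


if __name__ == "__main__":
    a = Host("192.0.2.10", "02:00:00:00:00:0a")
    b = Host("192.0.2.20", "02:00:00:00:00:14")
    print("resolved:", resolve(a, b))
    print("cache on a:", a.cache, " cache on b:", b.cache)
```

The receive rule is where the "share the same cable" point shows up in practice: a third host on the link sees the broadcast request, finds that the target address is not its own and has no entry for the sender, and ignores it. Nothing in the exchange authenticates the sender, so a cache entry is only as trustworthy as the link itself.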
When sending an ICMP Address Mask Request to the subnet broadcast address 140.252.13.63 from the sun host, the following replies were observed:
```
Received mask = ffffffe0 from 140.252.13.33 (local host)
Received mask = ffffffe0 from 140.252.13.35 (BSDI)
Received mask = ffff0000 from 140.252.13.34 (SVR4)
```
Notably, the response from 140.252.13.34 differs from the others. While the local interface on that system (SVR4) was configured with a subnet mask of 255.255.255.224 (ffffffe0), the ICMP reply returned 255.255.0.0 (ffff0000). This may suggest that the system used a classful default (Class B) when responding to the request:
```
svr4 % ifconfig emd0
emd0: flags=23<UP,BROADCAST,NOTRAILERS>
inet 140.252.13.34 netmask ffffffe0 broadcast 140.252.13.63
```
This discrepancy highlights that ICMP Address Mask Replies might not always reflect the current interface configuration, especially on older systems, and may rely on different internal logic or defaults.
ping is one of the simplest yet most powerful network troubleshooting tools. It tells you whether a host is reachable at the IP level — but many people still misinterpret what that really means.
A Bit of History
The ping command was originally written by Mike Muuss, and for many years it served as the go-to check for basic connectivity.
“Years ago we could make the unqualified statement that if we can’t ping a host, we can’t Telnet or FTP to that host. With the increased awareness of security on the Internet, routers that provide access control lists, and firewall gateways, unqualified statements like this are no longer true. Reachability of a given host may depend not only on reachability at the IP layer, but also on what protocol is being used, and the port numbers involved. Ping may show a host as being unreachable, yet we might be able to Telnet to port 25 (the mail server).”
Ping is no longer a universal truth. A host might block ICMP (what ping uses) but still allow TCP on certain ports.
Note that the book uses ping -R (the IP Record Route option) to see the path a datagram takes; most routers and hosts now ignore or drop datagrams carrying IP options, so it rarely yields anything today. The items below are not from the book, but they are practical checks for debugging. A successful ping confirms:
✅ ICMP packets are being delivered across the network
✅ The IP path is working, and replies are being received
But:
❌ It does not confirm that your application is reachable
❌ It does not check TCP/UDP ports
❌ It does not prove the service is healthy or even running
You might see ping fail, yet still be able to connect to an SMTP server with telnet host 25.
🔹 Check Basic Connectivity
ping -c 4 example.com
🔹 Check for Packet Loss
ping -i 0.2 -c 20 google.com
🔹 Test for MTU Issues (No Fragmentation): 1472 bytes of ICMP data + 8-byte ICMP header + 20-byte IPv4 header = 1500 bytes, the Ethernet MTU; -M do sets the Don't Fragment bit, so a smaller MTU anywhere on the path produces an ICMP error instead of silent fragmentation
ping -s 1472 -M do -c 4 8.8.8.8
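The port-level check the passage calls for, as an added example not from the book: instead of ICMP it attempts a TCP three-way handshake and distinguishes "refused" (the host answers at the IP layer but nothing listens, or a firewall rejects) from "timeout" (filtered, or the host is down). To run offline it opens a constructed listening socket on 127.0.0.1 in place of a real service; any other host and port values are placeholders.

```python
"""TCP reachability, the check ping cannot do. Added example, not from the book."""
import socket


def tcp_reachable(host, port, timeout=2.0):
    """Return (True, 'open') when the handshake completes, else (False, reason)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "open"
    except ConnectionRefusedError:
        return False, "refused"      # RST came back: host up, port closed or rejected
    except socket.timeout:
        return False, "timeout"      # nothing came back: filtered or host down
    except OSError as exc:           # e.g. no route to host, name resolution failure
        return False, f"error: {exc}"


def check_ports(host, ports, timeout=2.0):
    """Result per port, the shape a post-ping triage wants (e.g. [25, 80, 443])."""
    return {p: tcp_reachable(host, p, timeout) for p in ports}


def constructed_listener(host="127.0.0.1"):
    """Stand-in for a real service: a bound, listening socket on a kernel-chosen port.

    The kernel completes the three-way handshake from the listen backlog, so no
    accept() is needed for the probe to succeed. Returns (socket, port).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))              # port 0: let the kernel pick a free port
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = constructed_listener()
    print("while listening:", check_ports("127.0.0.1", [port]))
    srv.close()
    print("after closing:  ", check_ports("127.0.0.1", [port]))
```

A "refused" result is itself useful information: it proves IP reachability even when ICMP is filtered, which is exactly the situation in the book's quote about Telnet to port 25 succeeding while ping fails.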
The Traceroute program, developed by Van Jacobson, is a fundamental network diagnostic tool that leverages the behavior of the IP Time-To-Live (TTL) field and ICMP error messages to map the path packets take across a routed network.
While the Internet Protocol (IP) makes no guarantees that consecutive datagrams between the same source and destination will follow an identical route, in practice they usually do. Traceroute takes advantage of this property by systematically manipulating the TTL field and collecting ICMP Time Exceeded responses from routers along the path. The result is a hop-by-hop view of the route toward the destination.
Traceroute sends UDP (or ICMP, depending on implementation) packets with incrementing TTL values. Each router that decrements the TTL to zero generates an ICMP Time Exceeded message.
```
[Source Host] —TTL=1—> [R1] x (ICMP Time Exceeded)
[Source Host] —TTL=2—> [R1] —> [R2] x (ICMP Time Exceeded)
[Source Host] —TTL=3—> [R1] —> [R2] —> [R3] x (ICMP Time Exceeded)
[Source Host] —TTL=4—> [R1] —> [R2] —> [R3] —> [Dest] ✓ (ICMP Port Unreachable)
```
At TTL=1, the first router (R1) responds.
At TTL=2, the second router (R2) responds, and so on: a router that would have to forward a datagram whose TTL has reached zero discards it and returns Time Exceeded.
This continues until the destination itself responds, with an ICMP Port Unreachable (UDP probes sent to an unlikely high port) or an ICMP Echo Reply (ICMP mode).
Beyond route discovery, Traceroute can also make use of the IP Source Route option, defined in RFC 791.
In strict source routing, the sender specifies the exact sequence of routers to traverse. Each next hop must be directly connected to the current router.
```
[Host] —> [R1] —> [R2] —> [R3] —> [Dest]
            ^ strict path: must follow exactly as specified
```
If any router cannot directly reach the specified next hop, it sends an ICMP Source Route Failed (Type 3, Code 5).
Very rigid, rarely used in practice today.
Loose source routing allows the sender to provide a list of required waypoints, but routers can still choose intermediate hops between them.
```
[Host] —> [R1] —> [R2] —> [R3] —> [R4] —> [Dest]
                   ^ must include R2 and R4, but other routers may appear in between
```
Flexible: enforces key checkpoints but allows dynamic routing in between.
Useful in theory for testing specific paths.
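The traceroute mechanism and the two source-route forms, together in one simulation added here (not from the book and not the traceroute program's own code): a constructed chain hostA - R1 - R2 - R3 - hostB with made-up 10.0.x.y addresses, where each node decrements TTL and answers Time Exceeded, consumes LSRR/SSRR hops as RFC 791 specifies (next listed address into the destination field, own address recorded in its place, pointer advanced by four), and a strict route through a non-adjacent gateway fails with type 3, code 5. One simplification: a router records its first address in the option rather than the address of its outgoing interface, and the "ICMP" replies are strings naming the node.

```python
"""TTL-driven traceroute plus loose/strict source routing (RFC 791) on a constructed
router chain. Added example; not from the book or from traceroute."""
import struct
from dataclasses import dataclass

IPOPT_LSRR, IPOPT_SSRR = 131, 137   # loose / strict source route option types


def pack_srr(kind, hops, ptr=4):
    """Encode a source-route option: type, length, pointer, then 4-byte addresses."""
    body = b"".join(bytes(int(o) for o in h.split(".")) for h in hops)
    return struct.pack("!BBB", kind, 3 + len(body), ptr) + body


def unpack_srr(opt):
    kind, length, ptr = struct.unpack("!BBB", opt[:3])
    hops = [".".join(str(b) for b in opt[i:i + 4]) for i in range(3, length, 4)]
    return kind, ptr, hops


@dataclass
class Node:
    name: str
    addrs: tuple     # addresses owned by this node; addrs[0] is what it records
    links: tuple     # addresses one hop away on a directly attached link
    default: str     # next hop when the destination is not on an attached link


@dataclass
class Datagram:
    src: str
    dst: str
    ttl: int
    opt: bytes = b""   # raw source-route option, empty when none


# Constructed topology: hostA - R1 - R2 - R3 - hostB, one /24 per link.
NODES = [
    Node("hostA", ("10.0.1.1",), ("10.0.1.2",), "10.0.1.2"),
    Node("R1", ("10.0.1.2", "10.0.2.1"), ("10.0.1.1", "10.0.2.2"), "10.0.2.2"),
    Node("R2", ("10.0.2.2", "10.0.3.1"), ("10.0.2.1", "10.0.3.2"), "10.0.3.2"),
    Node("R3", ("10.0.3.2", "10.0.4.1"), ("10.0.3.1", "10.0.4.2"), "10.0.4.2"),
    Node("hostB", ("10.0.4.2",), ("10.0.4.1",), "10.0.4.1"),
]
NET = {a: n for n in NODES for a in n.addrs}   # address -> node


def forward(node, dg):
    """Forwarding path: a TTL that would reach zero means Time Exceeded, else decrement."""
    if dg.ttl <= 1:
        return f"time exceeded from {node.name}", None
    dg.ttl -= 1
    return None, dg.dst if dg.dst in node.links else node.default


def step(node, dg):
    """Process one datagram at one node. Returns (icmp message or None, next hop)."""
    if dg.dst not in node.addrs:
        return forward(node, dg)
    if dg.opt:
        kind, ptr, hops = unpack_srr(dg.opt)
        idx = (ptr - 4) // 4
        if idx < len(hops):                        # pointer still inside the list
            nxt = hops[idx]
            if kind == IPOPT_SSRR and nxt not in node.links:
                return f"source route failed (type 3, code 5) from {node.name}", None
            hops[idx] = node.addrs[0]              # record route, advance pointer
            dg.dst, dg.opt = nxt, pack_srr(kind, hops, ptr + 4)
            return forward(node, dg)
    return f"port unreachable from {node.name}", None   # final destination, UDP probe


def send(src, dg, max_hops=16):
    """Walk a datagram from src through NET until some node answers with ICMP."""
    nxt = dg.dst if dg.dst in src.links else src.default
    for _ in range(max_hops):
        icmp, nxt = step(NET[nxt], dg)
        if icmp:
            return icmp
    return "no reply"


def traceroute(src, dst, gateways=(), strict=False, max_ttl=8):
    """Probe with TTL 1, 2, ... until the reply is something other than Time Exceeded.

    gateways mimics traceroute -g: the first gateway goes into the destination
    field, the rest plus the real destination into the option.
    """
    out = []
    for ttl in range(1, max_ttl + 1):
        dg = Datagram(src.addrs[0], dst, ttl)
        if gateways:
            kind = IPOPT_SSRR if strict else IPOPT_LSRR
            dg.dst = gateways[0]
            dg.opt = pack_srr(kind, list(gateways[1:]) + [dst])
        reply = send(src, dg)
        out.append((ttl, reply))
        if not reply.startswith("time exceeded"):
            break
    return out


if __name__ == "__main__":
    host_a = NODES[0]
    runs = [("plain", {}),
            ("loose via R1, R3", {"gateways": ("10.0.1.2", "10.0.3.2")}),
            ("strict via R1, R3", {"gateways": ("10.0.1.2", "10.0.3.2"), "strict": True})]
    for label, kw in runs:
        print(label)
        for ttl, reply in traceroute(host_a, "10.0.4.2", **kw):
            print(f"  {ttl:2d}  {reply}")
```

Running it shows the difference the two option types make on the same list of gateways: with LSRR skipping R2 the trace still passes through R2 by ordinary forwarding, while with SSRR the first router answers Source Route Failed and the trace stops at hop 1.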
Traceroute and the -g Option
The -g flag in Traceroute enables loose source routing.
You can use it up to 8 times: the IP options area holds at most 40 bytes, the option itself spends 3 bytes on type, length and pointer, so there is room for 9 addresses, and the last one must be the final destination.
Each -g specifies a waypoint (intermediate router).
Example:
traceroute -g 192.0.2.1 -g 198.51.100.5 example.com
This forces packets to go through 192.0.2.1 and 198.51.100.5 before reaching example.com.
Visualization:
```
[Host] —> [192.0.2.1] —> [198.51.100.5] —> [example.com]
```
Security filtering: Most modern routers/firewalls drop packets with source route options, as they were abused in spoofing/hijacking attacks.
Operational reality: Source routing is mostly obsolete in production networks. Tools like mtr and MPLS tracing are more practical.
Educational value: Still useful for understanding how IP header options and routing decisions work.
We’ll simulate a small network:
[Host A] — [R1] — [R2] — [R3] — [Host B]
We’ll configure Host A to run traceroute with a source route that forces packets through R1 → R2 → R3 to reach Host B. traceroute's -g option builds a loose source route (LSRR); there is no traceroute flag for strict source routing (SSRR), but because every listed gateway is directly connected to the previous one, the path loose routing produces here is exactly the one strict routing would require.
```
# Namespaces for the two hosts and the three routers
ip netns add hostA
ip netns add R1
ip netns add R2
ip netns add R3
ip netns add hostB

# One veth pair per link
ip link add vethA type veth peer name vethR1A
ip link add vethR1R2 type veth peer name vethR2R1
ip link add vethR2R3 type veth peer name vethR3R2
ip link add vethR3B type veth peer name vethB

ip link set vethA netns hostA
ip link set vethR1A netns R1
ip link set vethR1R2 netns R1
ip link set vethR2R1 netns R2
ip link set vethR2R3 netns R2
ip link set vethR3R2 netns R3
ip link set vethR3B netns R3
ip link set vethB netns hostB

# Addressing: one /24 per link
ip netns exec hostA ip addr add 10.0.1.1/24 dev vethA
ip netns exec hostA ip link set vethA up
ip netns exec R1 ip addr add 10.0.1.2/24 dev vethR1A
ip netns exec R1 ip addr add 10.0.2.1/24 dev vethR1R2
ip netns exec R1 ip link set vethR1A up
ip netns exec R1 ip link set vethR1R2 up
ip netns exec R2 ip addr add 10.0.2.2/24 dev vethR2R1
ip netns exec R2 ip addr add 10.0.3.1/24 dev vethR2R3
ip netns exec R2 ip link set vethR2R1 up
ip netns exec R2 ip link set vethR2R3 up
ip netns exec R3 ip addr add 10.0.3.2/24 dev vethR3R2
ip netns exec R3 ip addr add 10.0.4.1/24 dev vethR3B
ip netns exec R3 ip link set vethR3R2 up
ip netns exec R3 ip link set vethR3B up
ip netns exec hostB ip addr add 10.0.4.2/24 dev vethB
ip netns exec hostB ip link set vethB up

# Routes: the hosts need a way out, and with these static routes a plain
# (non-source-routed) traceroute also works, which gives a baseline to compare against
ip netns exec hostA ip route add default via 10.0.1.2
ip netns exec hostB ip route add default via 10.0.4.1
ip netns exec R1 ip route add 10.0.3.0/24 via 10.0.2.2
ip netns exec R1 ip route add 10.0.4.0/24 via 10.0.2.2
ip netns exec R2 ip route add 10.0.1.0/24 via 10.0.2.1
ip netns exec R2 ip route add 10.0.4.0/24 via 10.0.3.2
ip netns exec R3 ip route add 10.0.1.0/24 via 10.0.3.1
ip netns exec R3 ip route add 10.0.2.0/24 via 10.0.3.1
```
Routers need to forward packets, and every namespace (hosts included, because the ICMP replies come back carrying the reversed source route) must accept source-routed datagrams. Linux drops them unless net.ipv4.conf.all.accept_source_route and the per-interface value are both 1; in a fresh namespace the per-interface default is already 1, but "all" is 0:
```
for ns in R1 R2 R3; do
  ip netns exec $ns sysctl -w net.ipv4.ip_forward=1
done
for ns in hostA R1 R2 R3 hostB; do
  ip netns exec $ns sysctl -w net.ipv4.conf.all.accept_source_route=1
done
```
Now on Host A:
```
ip netns exec hostA traceroute -n \
    -g 10.0.1.2 \
    -g 10.0.2.2 \
    -g 10.0.3.2 \
    10.0.4.2
```
(-n keeps traceroute from attempting reverse DNS lookups, which the namespace has no resolver for.)
This means:
The first gateway, 10.0.1.2 (R1), goes into the IP destination field; the remaining gateways and the final destination go into the LSRR option
R1 consumes the option, records its own address in it, and sets the destination to 10.0.2.2 (R2)
R2 does the same for 10.0.3.2 (R3)
R3 forwards to 10.0.4.2 (Host B), which answers with ICMP Port Unreachable
With a loose source route, a listed gateway that is not directly connected is simply reached by ordinary forwarding. Only a strict source route (SSRR) makes a router answer with ICMP Source Route Failed (type 3, code 5) when the next listed hop is not on a directly attached link.
Use tcpdump in each router namespace to confirm packet flow; -v prints the IP options, so you can watch the LSRR pointer advance hop by hop:
```
ip netns exec R2 tcpdump -n -v -i vethR2R1
```
You should see the UDP probes carrying the LSRR option in one direction and the ICMP Time Exceeded / Port Unreachable replies, carrying the reversed route, in the other. If a namespace still has accept_source_route at 0, the datagram is dropped there and the trace shows only asterisks from that hop onward.
Traceroute is more than a debugging utility — it’s a demonstration of how IP forwarding, TTL decrements, and ICMP signaling interact. The loose source routing option (via -g), and the strict variant defined alongside it in RFC 791, illustrate how early Internet engineers envisioned giving senders more control over routing.
Although source routing is rarely accepted today, it remains a powerful concept for studying IP’s design and understanding the mechanisms behind packet forwarding.