
1. Application Layer
This is the top layer of the TCP/IP protocol suite. It includes the applications or
processes that use transport layer protocols to deliver data to destination computers.
At each layer there are certain protocol options for carrying out the task designated to
that layer. The application layer likewise has various protocols that applications use to
communicate with the second layer, the transport layer. Some of the popular application
layer protocols are:

HTTP (Hypertext transfer protocol)

FTP (File transfer protocol)

SMTP (Simple mail transfer protocol)

SNMP (Simple network management protocol) etc

2. Transport Layer
This layer provides the backbone for data flow between two hosts. It receives data
from the application layer above it. Many protocols work at this layer, but the two
most commonly used are TCP and UDP.
TCP is used where a reliable connection is required, while UDP is used in the case of
unreliable connections.
TCP divides the data (coming from the application layer) into properly sized chunks and
then passes these chunks onto the network. It acknowledges received packets, waits for
acknowledgments of the packets it sent, and sets a timeout to resend packets if
acknowledgments are not received in time. The term reliable connection is used where
it is not acceptable to lose any information being transferred over the network
through this connection, so the protocol used for this type of connection must provide
a mechanism to achieve this. For example, while downloading a file, it is not acceptable
to lose any information (bytes), as this may corrupt the downloaded content.

UDP provides a comparatively simpler but unreliable service by sending packets from
one host to another. UDP takes no extra measures to ensure that the data sent is
received by the target host. The term unreliable connection is used where the loss of
some information does not hamper the task being fulfilled through this connection.
For example, while streaming a video, the loss of a few bytes of information is
acceptable, as this does not harm the user experience much.

3. Network Layer
This layer is also known as the Internet layer. Its main purpose is to organize or
handle the movement of data on the network. By movement of data, we generally mean
routing of data over the network. The main protocol used at this layer is IP. ICMP
(used by the popular ping command) and IGMP are also used at this layer.

4. Data Link Layer
This layer is also known as the network interface layer. It normally consists of the
device drivers in the OS and the network interface card attached to the system. Both the
device drivers and the network interface card take care of the communication details
with the media being used to transfer the data over the network. In most cases,
this media is in the form of cables. Some of the well-known protocols used at this
layer include ARP (Address Resolution Protocol), PPP (Point to Point Protocol) etc.

Application Layer
The application layer is concerned with providing network services to applications. There are
many application network processes and protocols that work at this layer, including HyperText
Transfer Protocol (HTTP), Simple Mail Transport Protocol (SMTP) and File Transfer Protocol (FTP).
At this layer sockets and port numbers are used to differentiate the paths and sessions on which
applications operate. Most application layer protocols, especially on the server side, have
specially allocated port numbers, e.g. HTTP = 80 and SMTP = 25, and FTP = 20 (Control), 21
(Data).

Transport Layer
This layer is concerned with the transmission of the data. The two main protocols that operate at
this layer are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). TCP is
regarded as being the reliable transmission protocol and it guarantees that the proper data
transfer will take place. UDP is not as complex as TCP and as such is not designed to be reliable
or guarantee data delivery. UDP is generally thought of as being a best effort data delivery, i.e.
once the data is sent, UDP will not carry out any checks to see that it has safely arrived.

The Internet Layer
This is the layer that contains the packet construct that will be transmitted. This takes the form
of the Internet Protocol (IP) which describes a packet that contains a source IP Address,
destination IP Address and the actual data to be delivered.

Network Access Layer
This is the lowest level of the TCP/IP protocol stack and functions carried out here include
encapsulation of IP packets into frames for transmission, mapping IP addresses to physical
hardware addresses (MAC Addresses) and the use of protocols for the physical transmission of
data.
Note: TCP/IP is actually a suite of protocols sometimes referred to as the Internet Protocol Suite.

Layer 4. Application Layer

Application layer is the topmost layer of the four layer TCP/IP model. Application layer is
present on top of the Transport layer. Application layer defines TCP/IP application
protocols and how host programs interface with Transport layer services to use the
network.
Application layer includes all the higher-level protocols like DNS (Domain Naming
System), HTTP (Hypertext Transfer Protocol), Telnet, SSH, FTP (File Transfer Protocol), TFTP
(Trivial File Transfer Protocol), SNMP (Simple Network Management Protocol), SMTP
(Simple Mail Transfer Protocol), DHCP (Dynamic Host Configuration Protocol), X Windows,
RDP (Remote Desktop Protocol) etc.

Layer 3. Transport Layer

Transport Layer is the third layer of the four layer TCP/IP model. The position of
the Transport layer is between Application layer and Internet layer. The purpose
of Transport layer is to permit devices on the source and destination hosts to carry on a
conversation. Transport layer defines the level of service and status of the connection
used when transporting data.
The main protocols included at Transport layer are TCP (Transmission Control
Protocol) and UDP (User Datagram Protocol).

Layer 2. Internet Layer

Internet Layer is the second layer of the four layer TCP/IP model. The position of Internet
layer is between Network Access Layer and Transport layer. Internet layer packs data into
data packets known as IP datagrams, which contain source and destination address
(logical address or IP address) information that is used to forward the datagrams
between hosts and across networks. The Internet layer is also responsible for routing
of IP datagrams.
A packet switching network depends upon a connectionless internetwork layer. This layer
is known as the Internet layer. Its job is to allow hosts to insert packets into any network
and have them delivered independently to the destination. At the destination side data
packets may appear in a different order than they were sent. It is the job of the higher
layers to rearrange them in order to deliver them to the proper network applications
operating at the Application layer.

The main protocols included at Internet layer are IP (Internet Protocol), ICMP (Internet
Control Message Protocol), ARP (Address Resolution Protocol), RARP (Reverse Address
Resolution Protocol) and IGMP (Internet Group Management Protocol).

Layer 1. Network Access Layer

Network Access Layer is the first layer of the four layer TCP/IP model. Network Access
Layer defines details of how data is physically sent through the network, including how
bits are electrically or optically signaled by hardware devices that interface directly with
a network medium, such as coaxial cable, optical fiber, or twisted pair copper wire.
The protocols included in Network Access Layer are Ethernet, Token Ring, FDDI, X.25,
Frame Relay etc.
The most popular LAN architecture among those listed above is Ethernet. Ethernet uses
an Access Method called CSMA/CD (Carrier Sense Multiple Access/Collision Detection) to
access the media when Ethernet operates on a shared medium. An Access
Method determines how a host will place data on the medium.

In the CSMA/CD Access Method, every host has equal access to the medium and can place
data on the wire when the wire is free from network traffic. When a host wants to place
data on the wire, it checks the wire to find whether another host is already using the
medium. If there is traffic already on the medium, the host waits; if there is no
traffic, it places the data on the medium. But if two systems place data on the
medium at the same instant, the transmissions collide with each other, destroying the data.
If the data is destroyed during transmission, the data needs to be retransmitted.
After a collision, each host waits for a small interval of time and then the data is
retransmitted.

Summary of the layers

Layer: Application
Description: Defines TCP/IP application protocols and how host programs interface with
transport layer services to use the network.
Protocols: HTTP, Telnet, FTP, TFTP, SNMP, DNS, SMTP, X Windows, other application protocols

Layer: Transport
Description: Provides communication session management between host computers. Defines
the level of service and status of the connection used when transporting data.
Protocols: TCP, UDP, RTP

Layer: Internet
Description: Packages data into IP datagrams, which contain source and destination address
information that is used to forward the datagrams between hosts and across networks.
Performs routing of IP datagrams.
Protocols: IP, ICMP, ARP, RARP

Layer: Network interface
Description: Specifies details of how data is physically sent through the network,
including how bits are electrically signaled by hardware devices that interface directly
with a network medium, such as coaxial cable, optical fiber, or twisted-pair copper wire.
Protocols: Ethernet, Token Ring, FDDI, X.25, Frame Relay, RS232, v.35

Short for Address Resolution Protocol, a network layer protocol used to convert an IP address into a physical address
(called a DLC address), such as an Ethernet address. A host wishing to obtain a physical address broadcasts an ARP
request onto the TCP/IP network. The host on the network that has the IP address in the request then replies with its
physical hardware address.
There is also Reverse ARP (RARP), which can be used by a host to discover its IP address. In this case, the host
broadcasts its physical address and a RARP server replies with the host's IP address.

(1) Short for Data Link Control, the second lowest layer in the OSI Reference Model. Every network interface card
(NIC) has a DLC address or DLC identifier (DLCI) that uniquely identifies the node on the network. Some
network protocols, such as Ethernet and Token-Ring, use the DLC addresses exclusively. Other protocols, such
as TCP/IP, use a logical address at the Network Layer to identify nodes. Ultimately, however, all network addresses
must be translated to DLC addresses. In TCP/IP networks, this translation is performed with the Address Resolution
Protocol (ARP).
For networks that conform to the IEEE 802 standards (e.g., Ethernet), the DLC address is usually called the Media
Access Control (MAC) address.

Address Resolution Protocol (ARP) is a protocol for mapping an
Internet Protocol address (IP address) to a physical machine
address that is recognized in the local network.

How ARP Works

When an incoming packet destined for a host machine on a particular
local area network arrives at a gateway, the gateway asks the ARP
program to find a physical host or MAC address that matches the IP
address. The ARP program looks in the ARP cache and, if it finds the
address, provides it so that the packet can be converted to the right
packet length and format and sent to the machine. If no entry is found for
the IP address, ARP broadcasts a request packet in a special format to all
the machines on the LAN to see if one machine knows that it has that IP
address associated with it. A machine that recognizes the IP address as its
own returns a reply so indicating. ARP updates the ARP cache for future
reference and then sends the packet to the MAC address that replied.
Since protocol details differ for each type of local area network, there are
separate ARP Requests for Comments (RFC) for Ethernet, ATM, Fiber
Distributed-Data Interface, HIPPI, and other protocols.

Address Resolution Protocol (arp)

The address resolution protocol (arp) is a protocol used by the Internet Protocol
(IP) [RFC826], specifically IPv4, to map IP network addresses to the hardware
addresses used by a data link protocol. The protocol operates below the network layer
as a part of the interface between the OSI network and OSI link layer. It is used
when IPv4 is used over Ethernet.
The term address resolution refers to the process of finding an address of a computer
in a network. The address is "resolved" using a protocol in which a piece of
information is sent by a client process executing on the local computer to a server
process executing on a remote computer. The information received by the server
allows the server to uniquely identify the network system for which the address was
required and therefore to provide the required address. The address resolution
procedure is completed when the client receives a response from the server containing
the required address.
An Ethernet network uses two hardware addresses which identify the source and
destination of each frame sent by the Ethernet. The destination address (all 1's) may
also identify a broadcast packet (to be sent to all connected computers). The hardware
address is also known as the Medium Access Control (MAC) address, in reference to
the standards which define Ethernet. Each computer network interface card is
allocated a globally unique 6 byte link address when the factory manufactures the card
(stored in a PROM). This is the normal link source address used by an interface. A
computer sends all packets which it creates with its own hardware source link address,
and receives all packets which match the same hardware address in the destination
field or one (or more) pre-selected broadcast/multicast addresses.

The Ethernet address is a link layer address and is dependent on the interface card
which is used. IP operates at the network layer and is not concerned with the link
addresses of individual nodes which are to be used. The address resolution protocol
(arp) is therefore used to translate between the two types of address. The arp client
and server processes operate on all computers using IP over Ethernet. The processes
are normally implemented as part of the software driver that drives the network
interface card.
There are four types of arp messages that may be sent by the arp protocol. These are
identified by four values in the "operation" field of an arp message. The types of
message are:
1. ARP request
2. ARP reply
3. RARP request
4. RARP reply
The format of an arp message is shown below:

[Figure: Format of an arp message used to resolve the remote MAC Hardware Address (HA)]

To reduce the number of address resolution requests, a client
normally caches resolved addresses for a (short) period of time. The arp cache is of a
finite size, and would become full of incomplete and obsolete entries for computers
that are not in use if it was allowed to grow without check. The arp cache is therefore
periodically flushed of all entries. This deletes unused entries and frees space in the
cache. It also removes any unsuccessful attempts to contact computers which are not
currently running.

If a host changes the MAC address it is using, this can be detected by other hosts
when the cache entry is deleted and a fresh arp message is sent to establish the new
association. The use of gratuitous arp (e.g. triggered when the new NIC interface is
enabled with an IP address) provides a more rapid update of this information.
Example of use of the Address Resolution Protocol (arp)

The figure below shows the use of arp when a computer tries to contact a remote
computer on the same LAN (known as "sysa") using the "ping" program. It is
assumed that no previous IP datagrams have been received from this computer, and
therefore arp must first be used to identify the MAC address of the remote computer.

The arp request message ("who is X.X.X.X tell Y.Y.Y.Y", where X.X.X.X and
Y.Y.Y.Y are IP addresses) is sent using the Ethernet broadcast address, and an Ethernet
protocol type of value 0x806. Since it is broadcast, it is received by all systems in the
same collision domain (LAN). This ensures that if the target of the query is
connected to the network, it will receive a copy of the query. Only this system
responds. The other systems discard the packet silently.
The target system forms an arp response ("X.X.X.X is hh:hh:hh:hh:hh:hh", where
hh:hh:hh:hh:hh:hh is the Ethernet source address of the computer with the IP address
of X.X.X.X). This packet is unicast to the address of the computer sending the query
(in this case Y.Y.Y.Y). Since the original request also included the hardware address
(Ethernet source address) of the requesting computer, this is already known, and
doesn't require another arp message to find this out.
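
The message format and the request/reply exchange described above, decoded from raw bytes. This is an added example, not code from the original page; the two hosts and their addresses are constructed, and the field layout assumed is the IPv4-over-Ethernet one from RFC 826.

```python
import struct

ETHERTYPE_ARP = 0x0806  # written as 0x806 in the text above
BROADCAST = b"\xff" * 6
# The four "operation" values listed on this page.
OPERATIONS = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}

def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def fmt_ip(b):
    return ".".join(str(x) for x in b)

def build_frame(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Ethernet header + ARP body for IPv4 over Ethernet (htype 1, ptype 0x0800)."""
    header = eth_dst + eth_src + struct.pack("!H", ETHERTYPE_ARP)
    return header + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa

def parse_frame(frame):
    """Decode one frame; raise ValueError if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        raise ValueError("truncated frame")
    eth_dst, eth_src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if ethertype != ETHERTYPE_ARP or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP message")
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return {
        "operation": OPERATIONS.get(op, f"unknown ({op})"),
        "broadcast": eth_dst == BROADCAST,
        "sender_mac": fmt_mac(sha), "sender_ip": fmt_ip(spa),
        "target_mac": fmt_mac(tha), "target_ip": fmt_ip(tpa),
        # A sender hardware address that differs from the Ethernet source
        # address is an inconsistency worth logging.
        "consistent": eth_src == sha,
    }

def describe(msg):
    """Render a message in the "who is ... tell ..." form used in the text."""
    if msg["operation"] == "ARP request":
        return f"who is {msg['target_ip']} tell {msg['sender_ip']}"
    if msg["operation"] == "ARP reply":
        return f"{msg['sender_ip']} is {msg['sender_mac']}"
    return msg["operation"]

# Constructed sample hosts: Y asks for X's hardware address, X answers.
Y_MAC, Y_IP = bytes.fromhex("02000000000a"), bytes([192, 0, 2, 10])
X_MAC, X_IP = bytes.fromhex("020000000014"), bytes([192, 0, 2, 20])
REQUEST = build_frame(BROADCAST, Y_MAC, 1, Y_MAC, Y_IP, bytes(6), X_IP)
REPLY = build_frame(Y_MAC, X_MAC, 2, X_MAC, X_IP, Y_MAC, Y_IP)

if __name__ == "__main__":
    for frame in (REQUEST, REPLY):
        print(describe(parse_frame(frame)))
```

The request carries an all-zero target hardware address because that is the value being asked for; the reply is addressed to the requester's MAC taken from the request.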

Gratuitous ARP
Gratuitous ARP is used when a node (end system) has selected an IP address and then
wishes to defend its chosen address on the local area network (i.e. to check no other
node is using the same IP address). It can also be used to force a common view of the
node's IP address (e.g. after the IP address has changed).
Use of this is common when an interface is first configured, as the node attempts to
clear out any stale caches that might be present on other hosts. The node simply sends
an arp request for itself.
Proxy ARP
Proxy ARP is the name given when a node responds to an arp request on behalf of
another node. This is commonly used to redirect traffic sent to one IP address to
another system.
Proxy ARP can also be used to subvert traffic away from the intended recipient. By
responding instead of the intended recipient, a node can pretend to be a different node
in a network, and therefore force traffic directed to the node to be redirected to itself.
The node can then view the traffic (e.g. before forwarding this to the originally
intended node) or could modify the traffic. Improper use of Proxy ARP is therefore a
significant security vulnerability and some networks therefore implement systems to
detect this. Gratuitous ARP can also help defend the correct IP to MAC bindings.
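
One way such a detection system can work is to watch the IP to MAC bindings announced in arp messages and report changes. This is an added example, not code from the original page; the class name, the 300-second cache lifetime, the pinned gateway binding and the sample traffic are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class BindingMonitor:
    """Track IP-to-MAC bindings seen in ARP messages and report suspicious changes."""
    max_age: float = 300.0                      # assumed cache lifetime, seconds
    pinned: dict = field(default_factory=dict)  # ip -> mac known to be correct
    table: dict = field(default_factory=dict)   # ip -> (mac, time last seen)

    def observe(self, ts, sender_ip, sender_mac, target_ip):
        """Record one ARP message and return the alerts it raises."""
        # A node asking for its own address is a gratuitous ARP.
        kind = "gratuitous ARP" if sender_ip == target_ip else "ARP"
        expected = self.pinned.get(sender_ip)
        if expected is not None and expected != sender_mac:
            # Never learn a binding that contradicts a pinned one.
            return [f"{kind}: {sender_ip} claimed by {sender_mac}, pinned to {expected}"]
        alerts = []
        mac, seen = self.table.get(sender_ip, (sender_mac, ts))
        # Entries older than max_age have been flushed, so relearning is silent.
        if mac != sender_mac and ts - seen <= self.max_age:
            alerts.append(f"{kind}: {sender_ip} moved from {mac} to {sender_mac}")
        self.table[sender_ip] = (sender_mac, ts)
        return alerts

    def macs_with_many_ips(self):
        """MACs answering for more than one IP, as a proxy ARP node does."""
        owners = {}
        for ip, (mac, _) in self.table.items():
            owners.setdefault(mac, []).append(ip)
        return {m: sorted(ips) for m, ips in owners.items() if len(ips) > 1}

# Constructed sample traffic: (time, sender IP, sender MAC, target IP).
EVENTS = [
    (0, "192.0.2.1", "02:00:00:00:00:01", "192.0.2.10"),     # gateway asks for .10
    (1, "192.0.2.10", "02:00:00:00:00:0a", "192.0.2.1"),     # .10 answers
    (5, "192.0.2.20", "02:00:00:00:00:14", "192.0.2.20"),    # gratuitous, first sighting
    (30, "192.0.2.10", "02:00:00:00:00:66", "192.0.2.1"),    # .10 suddenly at a new MAC
    (40, "192.0.2.1", "02:00:00:00:00:66", "192.0.2.10"),    # gateway IP claimed
    (50, "192.0.2.30", "02:00:00:00:00:66", "192.0.2.1"),    # same MAC, another IP
    (400, "192.0.2.20", "02:00:00:00:00:15", "192.0.2.20"),  # new NIC after age-out
]

def run(events, pinned):
    """Feed events through a fresh monitor; return (alerts, shared-MAC report)."""
    monitor = BindingMonitor(pinned=dict(pinned))
    alerts = [a for e in events for a in monitor.observe(*e)]
    return alerts, monitor.macs_with_many_ips()

if __name__ == "__main__":
    found, shared = run(EVENTS, {"192.0.2.1": "02:00:00:00:00:01"})
    print(*found, shared, sep="\n")
```

A MAC that answers for several IP addresses is not proof of misuse, since a legitimate proxy ARP node looks the same; the report is a list to compare against the nodes that are expected to proxy.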
