Bits and Bytes of Computer Networking 

Breakdown of a TCP connection 
 
 

Definitions 
Physical Layer:​ ​Networking layer that is concerned with the physical mediums that join computers 
together. These mediums include cabling, connectors, and the sending of signals across them. 

Data Link Layer:​ ​Networking layer that is concerned with moving data across a single link in the 
network. 

Network Layer:​ ​Networking layer concerned with moving data across multiple networks.  

Transport Layer:​ ​Networking layer concerned with delivering data to the correct client and server 
programs. 

MAC Address:​ ​(Media Access Control address). A unique identifier attached to an individual 
network interface. They are used to help with routing traffic on the data link layer. MAC 
addresses are 48 bits long and are usually represented as six octets. The first three octets are 
assigned to the manufacturer, and the last three are assigned to the interface by the 
manufacturer. 

An example MAC address is 00:03:ba:26:01:b0. 

IP Address:​ ​(Internet Protocol address). A unique identifier attached to devices using the Internet. 
They are used to help with routing traffic on the network layer. IP addresses come in two flavours: 
IPv4 (32 bits long) and IPv6 (128 bits long).  

An example IPv4 address is 210.2.10.2. 

An example IPv6 address is 2001:0db8:85a3:0000:0000:8a2e:0370:7334. 

TCP Port:​ ​A port is a 16-bit identifier used to direct traffic to specific services running on a 
networked computer. A TCP port is a port on which a TCP service is running, for example, port 
80, which is the standard port for the HTTP protocol 

Checksum check:​ ​A checksum is a number calculated from the individual bits that make up a unit 
of data. It can be used to verify that the unit of data was transferred across network nodes 
without corruption or alterations. 

1 
 

Routing table:​ ​A lookup table maintained by routers to send data efficiently across networks. 
Routing tables are essentially collections of destination networks along with data about how to 
get to them: what the next IP address is, how far away it is, and what interface (of the router) it is 
on. 

TTL:​ ​(Time to live). A field in an IP datagram that contains how many hops that datagram can 
traverse before it's thrown away. Each router in a networking path decrements the TTL value in 
the datagram before passing it on. 

Stages of a TCP connection 

Three-way handshake 
To establish a TCP connection between two nodes, three messages are sent across the 
network/s between them. 

1. A TCP packet with the SYN flag set is sent by the initiating node. 
2. The receiving node responds with a TCP packet with the SYN and ACK flags set, 
indicating that the connection can proceed. 
3. The initiating node then confirms it has received the acknowledgement by sending a TCP 
segment with an ACK flag set. 

In the following example, I'll explain step 1 in detail and then give an overview of steps 2 and 3. 

Consider the two nodes named ​Computer 1​ and ​Computer 2​, with ​Computer 1​ initiating the 
connection. ​Computers 1​ and ​2​ reside on ​Networks A​ and ​B​, respectively. ​Router A ​connects 
the two networks, as shown below. 

2 
 

Breakdown of Step 1 

Sending the segment from Computer 1 to Router A 

Application Layer 
Some application running on Computer 1 decides to make a TCP request 
to Computer 2. Before it can send any data, it needs to establish a TCP 
connection.  

Transport Layer  The transport layer constructs a TCP segment. It addresses its segment 
with a destination port of 80. The source port is chosen from any free 
ephemeral port; in this case, 55555 is chosen. Because it is the first part of 
a three-way handshake, the SYN flag is set. A checksum is also calculated 
for the datagram. 

Network Layer  The network layer constructs an IP header. This datagram has source and 
destination IP addresses of Computer 1 and Computer 2 respectively. The 
IP header also has a TTL (usually 64). Once the header is built, the TCP 
segment from the transport layer is added to the IP datagram's body. A 
checksum is also calculated for the IP datagram. 

Data Link Layer  The Data Link layer constructs an ethernet frame. The source and 
destination addresses are the MAC addresses of Computer 1 and Router A. 
(Because the destination IP is on a different network, the computer uses 
the MAC address of its configured gateway router.) The IP datagram is 
added as the payload of the ethernet frame, and another checksum is 
calculated. 

Physical Layer  The ethernet frame is sent to Router A bit-by-bit via modulations in the 
wire, potentially moving through switches along the way. Network 
interfaces on Computer 1 and Router A interpret these modulations. 

Sending the segment from Router A to Computer 2 

Physical Layer  
A network interface on Router A receives the ethernet frame sent from 
Computer 1. 

Data Link Layer  Router A calculates a checksum for the ethernet frame and confirms that it 
matches the checksum that was sent with the frame. 

Network Layer  Router A removes IP datagram from the ethernet frame. It again compares 
the provided checksum to the value it calculates itself. Then it examines 
the destination IP address and checks its lookup table to see which 

3 
 

 
interface it should forward the data to (Network B, in this case). With this 
determined, it decrements the TTL in the IP datagram and calculates a new 
checksum. 

Data Link Layer  Now that the destination interface has been established, Router A can now 
build an ethernet frame for sending the data to Computer 2. This ethernet 
frame has a source address of the Router A's interface on Network B, and 
a destination address of the MAC address of Computer 2. 

Physical Layer  As in step 1, the data is again pushed out on the physical layer 

Transport and application layers are not touched at this stage. 

When the TCP segment arrives at Computer 2 

Physical Layer  
A network interface on Computer 2 receives the ethernet frame sent from 
Router A. 

Data Link Layer  Computer 2 calculates a checksum for the ethernet frame and confirms 
that it matches the checksum that was sent with the frame. 

Network Layer  Computer 2 removes IP datagram from the ethernet frame. It again 
compares the provided checksum to the value it calculates itself. Then it 
examines the destination IP address and sees that it is itself. 

Transport Layer  Computer 2 removes the TCP segment and confirms the checksum 
matches. It sees that the destination is port 80 and that there is an 
application running there (a web server). Lastly, Computer 2 sees that the 
SYN flag on the TCP segment is set. Computer 2 stores the sequence 
number of the TCP segment so that it is ready to receive more data from 
Computer 1. 

Summary of Steps 2 and 3 

At this stage, the SYN segment from Computer 1 has arrived and been understood by Computer 
2. Step 1 of the three-way handshake has occurred. For the remaining two steps, the above 
sequence would happen again with only very little changing: 

● Computer 2 would send an acknowledgement TCP segment back to Computer 1 with the 
SYN and ACK flags set. 
● Computer 1 would acknowledge that it received the acknowledgement by sending 
another TCP segment to Computer 2 with the ACK flag set. 

4 
 

This completes a description of what occurs on all layers of the five-layer network model when a 
node on one network establishes a TCP connection with a node on another network. 

5