Layer 4: Transport
The Transport Layer is the fourth layer of the OSI model and is critical for facilitating communication between two devices across a network. It ensures reliable end-to-end communication by performing several key tasks, such as:
Error detection: Uses a checksum to identify segments corrupted in transit. A reliable protocol such as TCP then recovers by retransmitting the damaged or missing data; a connectionless one such as UDP simply discards the bad datagram.
Flow control: Manages the rate of data transmission between the two devices, ensuring that one device does not overwhelm the other with too much data at once.
Segmentation: Breaks down large data streams into smaller units (segments) to make transmission more manageable, then reassembles them at the destination.
A connection-oriented transport protocol such as TCP also guarantees reliable, ordered delivery, so segments are handed to the receiving application in the sequence they were sent even if the network reorders them. Connectionless transport (UDP) offers no such guarantee.
TCP
TCP (Transmission Control Protocol) is a connection-oriented protocol that operates at the Transport Layer of the OSI model. It ensures reliable and ordered delivery of data between two devices over a network.
Connection-Oriented: TCP establishes a connection between the two devices before data transmission begins, ensuring a stable communication link.
Reliable Delivery: It guarantees that the data sent from one application on a device reaches the intended application on another device accurately and completely.
Ordered Delivery: TCP ensures that data packets arrive in the correct sequence, even if they are transmitted out of order during network traversal.
Error Detection and Recovery: TCP performs error detection, retransmitting any lost or corrupted data, ensuring the integrity of the communication.
TCP is widely used in applications like web browsing (HTTP/HTTPS) and email (SMTP), where reliable transmission is essential.
TCP 3-Way Handshake
The TCP 3-way handshake is a process used to establish a reliable connection between two devices (client and server) before they begin data transmission. It ensures that both devices are ready to communicate and sets the parameters for the connection.
Steps in the 3-Way Handshake:
SYN (Synchronize) The client sends a SYN message to the server, indicating that it wants to establish a connection and synchronize sequence numbers.
SYN-ACK (Synchronize-Acknowledgment) The server responds with a SYN-ACK message, acknowledging the client's request and also sending its own synchronization message.
ACK (Acknowledgment) The client sends an ACK message, acknowledging the server's SYN-ACK. At this point, the connection is established, and data transmission can begin.
This handshake process ensures both devices agree on initial sequence numbers and are ready for reliable, ordered communication.
TCP Headers
TCP Control Flags
Establish a Connection: SYN (Set), ACK (Clear), FIN (Clear) - The client initiates the connection by sending a segment with only SYN set, carrying its initial sequence number.
Establish a Connection (Response): SYN (Set), ACK (Set), FIN (Clear) - The server replies with SYN-ACK, acknowledging the client's sequence number and announcing its own.
Establish a Connection (Completion): SYN (Clear), ACK (Set), FIN (Clear) - The client acknowledges the server's sequence number. From this point on nearly every segment in the connection carries ACK.
Terminating a Connection: SYN (Clear), ACK (Set), FIN (Set) - Either side signals that it has no more data by sending FIN together with an ACK of the last segment it received. The peer acknowledges and later sends its own FIN, so an orderly close takes four segments in total.
Aborting a Connection: RST (Set) - A reset tears the connection down immediately, with no FIN exchange. A RST is also the answer a closed port gives to a SYN, which is how a port scanner tells a closed port (RST comes back) from a filtered one (nothing comes back).
These flag combinations are what make TCP connections reliable to open and close, and they are also what firewalls, port scanners and IDS signatures key on.
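The handshake and flag descriptions above, as an added worked example that is not part of the original page: it builds and parses raw 20-byte TCP headers, computes the checksum over the IPv4 pseudo-header (the error detection mentioned earlier), and validates that a three-segment exchange has the right flags and the seq/ack arithmetic (ack = peer's ISN + 1). The IP addresses, ports and initial sequence numbers are constructed for the demo; real stacks randomise the ISN, because a predictable one lets an attacker forge segments into a connection.

```python
import struct

# TCP flag bits as carried in the low byte of the offset/flags field (RFC 9293).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH",
              ACK: "ACK", URG: "URG", ECE: "ECE", CWR: "CWR"}
TCP_HDR = struct.Struct("!HHIIHHHH")   # 20-byte header without options
HDR_WORDS = 5                          # data offset, in 32-bit words


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum over big-endian 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                 # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (addresses, protocol 6, length) plus the segment."""
    pseudo = src_ip + dst_ip + b"\x00\x06" + struct.pack("!H", len(segment))
    return ones_complement_sum(pseudo + segment)


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", window=65535):
    """Serialise a TCP segment (no options) with a correct checksum."""
    off_flags = (HDR_WORDS << 12) | flags
    hdr = TCP_HDR.pack(sport, dport, seq, ack, off_flags, window, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    hdr = TCP_HDR.pack(sport, dport, seq, ack, off_flags, window, csum, 0)
    return hdr + payload


def parse_segment(src_ip, dst_ip, segment):
    """Decode the header fields and flag names; a checksum over a correct segment folds to 0."""
    sport, dport, seq, ack, off_flags, window, _csum, _urg = TCP_HDR.unpack_from(segment)
    flags = off_flags & 0x1FF
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
        "flag_names": [name for bit, name in FLAG_NAMES.items() if flags & bit],
        "window": window,
        "payload": segment[(off_flags >> 12) * 4:],
        "checksum_ok": tcp_checksum(src_ip, dst_ip, segment) == 0,
    }


def three_way_handshake(client_ip, server_ip, client_isn, server_isn, cport=51000, sport=443):
    """The three segments of a handshake as (direction, bytes) pairs. ISNs are demo values."""
    m = 0xFFFFFFFF                                   # sequence numbers wrap at 2**32
    syn = build_segment(client_ip, server_ip, cport, sport, client_isn, 0, SYN)
    syn_ack = build_segment(server_ip, client_ip, sport, cport, server_isn, (client_isn + 1) & m, SYN | ACK)
    ack = build_segment(client_ip, server_ip, cport, sport, (client_isn + 1) & m, (server_isn + 1) & m, ACK)
    return [("client->server", syn), ("server->client", syn_ack), ("client->server", ack)]


def validate_handshake(client_ip, server_ip, segments):
    """Check flags, checksums and seq/ack arithmetic of a captured handshake; returns a list of problems."""
    if len(segments) != 3:
        return ["expected 3 segments, got %d" % len(segments)]
    s1 = parse_segment(client_ip, server_ip, segments[0][1])
    s2 = parse_segment(server_ip, client_ip, segments[1][1])
    s3 = parse_segment(client_ip, server_ip, segments[2][1])
    m = 0xFFFFFFFF
    problems = ["segment %d: bad checksum" % i for i, s in enumerate((s1, s2, s3), 1) if not s["checksum_ok"]]
    if s1["flags"] != SYN:
        problems.append("segment 1 should be SYN only")
    if s2["flags"] != SYN | ACK:
        problems.append("segment 2 should be SYN-ACK")
    if s2["ack"] != (s1["seq"] + 1) & m:
        problems.append("SYN-ACK must acknowledge client ISN + 1")
    if s3["flags"] != ACK:
        problems.append("segment 3 should be ACK only")
    if s3["ack"] != (s2["seq"] + 1) & m or s3["seq"] != (s1["seq"] + 1) & m:
        problems.append("final ACK has wrong sequence/acknowledgement numbers")
    return problems


if __name__ == "__main__":
    c_ip, s_ip = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])   # constructed addresses
    for direction, seg in three_way_handshake(c_ip, s_ip, 1000, 5000):
        src, dst = (c_ip, s_ip) if direction.startswith("client") else (s_ip, c_ip)
        p = parse_segment(src, dst, seg)
        print(f"{direction}: {'-'.join(p['flag_names'])} seq={p['seq']} ack={p['ack']} checksum_ok={p['checksum_ok']}")
```

The same parser decodes a FIN-ACK or RST segment, so it can be pointed at captured bytes from a pcap to check whether a suspicious exchange really was a complete handshake or just a lone SYN from a scanner.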
TCP Port Range
TCP uses port numbers to differentiate between various services or applications running on a device. These are 16-bit unsigned integers, and the total port range spans from 0 to 65535. The port numbers are divided into three ranges:
Well-Known Ports (0-1023): Assigned by the Internet Assigned Numbers Authority (IANA) to widely used services such as HTTP (80), HTTPS (443), FTP (21) and SMTP (25). On Unix-like systems a process needs root (or CAP_NET_BIND_SERVICE on Linux) to bind one of these ports.
Registered Ports (1024-49151): Registered with IANA by vendors and developers for specific applications, for example RDP (3389), MySQL (3306), MongoDB (27017) and the alternative HTTP port 8080. Registration is a convention, not an enforcement: any program can bind any unprivileged port, so a port number alone never proves which service is actually listening there.
Dynamic/Private Ports (49152-65535): Not assigned by IANA. The operating system picks a port from its ephemeral range for the client side of each connection. The exact range is OS-specific; Linux, for example, defaults to 32768-60999 (net.ipv4.ip_local_port_range), which overlaps the registered range.
Some Common Ports
Ports are listed by number. Unless noted, the service runs over TCP; DHCP and SNMP are UDP services and are kept here because they turn up in the same scans and firewall rules.
20 (FTP Data)
File Transfer Protocol data channel (in active mode the server connects back from port 20); the data, like the commands, is sent in cleartext
21 (FTP Control)
FTP control channel: login and commands, credentials sent in cleartext
22 (SSH)
Secure Shell, used for encrypted remote login, command execution and tunnelling
23 (Telnet)
Unencrypted remote login protocol; credentials and sessions can be read by anyone on the path (insecure, should not be exposed)
25 (SMTP)
Simple Mail Transfer Protocol, used for sending and relaying email between servers
53 (DNS)
Domain Name System, translates domain names into IP addresses; UDP for most queries, TCP for zone transfers and responses too large for a datagram
67 (DHCP Server, UDP)
Dynamic Host Configuration Protocol, the port the server listens on for address requests
68 (DHCP Client, UDP)
The port a DHCP client listens on for offers and leases from the server
80 (HTTP)
HyperText Transfer Protocol, used for unencrypted web traffic
110 (POP3)
Post Office Protocol version 3, used for retrieving email from a server (cleartext unless wrapped in TLS)
143 (IMAP)
Internet Message Access Protocol, used for managing and retrieving email on the server (cleartext unless wrapped in TLS)
161 (SNMP, UDP)
Simple Network Management Protocol, used for monitoring and managing network devices; SNMPv1/v2c authenticate only with a community string, often left at the default "public"
162 (SNMP Trap, UDP)
SNMP notifications sent from agents to the management server
389 (LDAP)
Lightweight Directory Access Protocol, used for directory services and authentication (Active Directory among others); cleartext unless StartTLS is used or LDAPS on 636
443 (HTTPS)
HTTP over TLS, used for encrypted web traffic
445 (SMB)
Server Message Block, used for sharing files, printers and named pipes across a network; a frequent target and should never be reachable from the internet
3306 (MySQL)
Default port for MySQL database server communication
3389 (RDP)
Remote Desktop Protocol, used for remote desktop access to Windows systems
4444 (Metasploit)
Default listener port of Metasploit Framework payload handlers; a well-known convention, so detection rules often flag it, and it is trivially changed
6660-6669 (IRC)
Internet Relay Chat, used for real-time text communication (also a classic botnet command channel)
8080 (Alternative HTTP)
Alternative port for HTTP, often used by development servers and proxies
8443 (Alternative HTTPS)
Alternative port for HTTPS, commonly used by application servers and management interfaces
27017 (MongoDB)
Default port for MongoDB database server communication
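The port ranges and the port list above, as an added example that is not part of the original page: a minimal TCP connect scan against the local host. It starts its own listener on a loopback port chosen by the OS (so it runs offline), finds a port nobody listens on, then connects to both and classifies each answer the way a scanner does: a completed handshake means open, a RST (surfacing as ConnectionRefusedError) means closed, and silence means filtered. The client-side port of a successful connect() shows the ephemeral port the OS assigned, tying back to the dynamic range. The host 127.0.0.1 and the helper names are this example's own.

```python
import socket
import threading


def port_class(port: int) -> str:
    """IANA range a port number falls in (RFC 6335)."""
    if not 0 <= port <= 65535:
        raise ValueError("port must fit in 16 bits")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def start_listener(host="127.0.0.1"):
    """Bind to port 0 so the OS picks a free port; accept and immediately close connections."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener was closed
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_closed_port(host="127.0.0.1"):
    """Find a port nobody is listening on: bind, read the number, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan(host, ports, timeout=1.0):
    """TCP connect scan: every connect() runs a full 3-way handshake.

    Returns {port: (state, local_port)} where local_port is the ephemeral
    port the OS chose for our side of an open connection.
    """
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = ("open", s.getsockname()[1])     # SYN, SYN-ACK, ACK completed
        except ConnectionRefusedError:
            results[port] = ("closed", None)                # target answered the SYN with RST
        except (socket.timeout, OSError):
            results[port] = ("filtered", None)              # no answer: dropped or firewalled
        finally:
            s.close()
    return results


if __name__ == "__main__":
    srv, open_port = start_listener()
    targets = [open_port, free_closed_port()]
    for port, (state, local) in connect_scan("127.0.0.1", targets).items():
        extra = f", our side used ephemeral port {local} ({port_class(local)})" if local else ""
        print(f"port {port} ({port_class(port)}): {state}{extra}")
    try:                                   # well-known ports need privileges on Unix-like systems
        socket.socket().bind(("127.0.0.1", 80))
    except PermissionError:
        print("binding port 80 refused: well-known ports need root or CAP_NET_BIND_SERVICE")
    except OSError as e:
        print("port 80:", e)               # e.g. already in use
    srv.close()
```

A connect scan is the noisiest kind: every probe completes the handshake, so the target application logs a connection. Tools such as nmap default to a SYN scan (send SYN, read the SYN-ACK or RST, never send the final ACK), which needs raw sockets and therefore privileges.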
UDP
UDP is a connectionless and lightweight transport layer protocol, focused on fast data transmission without guaranteeing order or reliability of delivery. Unlike TCP, UDP does not establish a connection before sending data, making it more efficient but less reliable.
Key Characteristics
Connectionless: No handshake; a datagram is simply sent to a destination address and port. Because nothing proves the sender owns its source address, UDP sources are trivially spoofed, which is why UDP services are the usual vehicle for reflection and amplification attacks.
Unreliable: No guarantee of delivery or ordering and no retransmission. UDP does carry a checksum (optional over IPv4, mandatory over IPv6), so a corrupted datagram is detected and discarded, but it is never recovered.
Stateless: Each datagram is independent of previous or future datagrams; any request/response matching is left to the application.
Functions
Real-time applications: Commonly used in streaming, gaming, VoIP, where speed is more important than reliability.
Simple and efficient: Suitable for applications that can tolerate some data loss and require low-latency communication.
Note: UDP ports 137 and 138 carry the NetBIOS Name Service (NBNS) and NetBIOS Datagram Service, and TCP port 139 carries the NetBIOS Session Service. They matter in older Windows networks, and a node-status query to UDP/137 (for example with nbtscan or nmblookup -A) returns a host's NetBIOS name table, typically revealing the machine name, its domain or workgroup and whether it offers file sharing.
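The UDP characteristics and the NetBIOS note above, as an added example that is not part of the original page. It builds the exact node-status query that NetBIOS scanners send to UDP/137 (the wildcard name "*" in NetBIOS first-level encoding), then sends it as a single datagram with no handshake. The other end is a stand-in responder on a loopback port that just flips the response bit, because the demo has to run offline; a real host would answer with its name table. The only state the client keeps is the 16-bit transaction id it matches replies against, and a lost reply shows up as nothing more than a timeout.

```python
import socket
import struct
import threading

NBSTAT = 0x0021          # NetBIOS node status (NBSTAT) query type
NBNS_PORT = 137          # the real service port; this demo talks to a loopback port instead


def encode_netbios_name(name: str, suffix: int = 0x00) -> str:
    """First-level encoding: 16 bytes (15-char name + suffix), each nibble mapped to 'A'..'P'."""
    pad = b"\x00" if name == "*" else b" "          # the wildcard name is NUL-padded, others space-padded
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_netbios_name(encoded: str):
    """Inverse of encode_netbios_name: returns (name, suffix)."""
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]


def build_nbstat_query(txid: int) -> bytes:
    """Node status request for '*': the datagram nbtscan / nmblookup -A send to UDP/137 (50 bytes)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # flags 0 = standard unicast query
    qname = bytes([32]) + encode_netbios_name("*").encode("ascii") + b"\x00"
    return header + qname + struct.pack("!HH", NBSTAT, 0x0001)  # class IN


def parse_nbns_header(data: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", data)
    return {"txid": txid, "flags": flags, "is_response": bool(flags & 0x8000),
            "qdcount": qd, "ancount": an}


def udp_exchange(query: bytes, timeout: float = 2.0) -> bytes:
    """Send one datagram, wait for one reply. No connection exists on either side."""
    responder = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    responder.bind(("127.0.0.1", 0))                 # stand-in for a NetBIOS host
    addr = responder.getsockname()

    def serve():                                     # echo the request with the response bit set
        data, peer = responder.recvfrom(512)
        flags = struct.unpack("!H", data[2:4])[0] | 0x8000
        responder.sendto(data[:2] + struct.pack("!H", flags) + data[4:], peer)
        responder.close()

    threading.Thread(target=serve, daemon=True).start()
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(timeout)
    client.sendto(query, addr)                       # no handshake: the datagram just goes
    try:
        data, _ = client.recvfrom(512)               # a lost reply surfaces only as this timeout
    finally:
        client.close()
    if data[:2] != query[:2]:
        raise ValueError("reply does not carry our transaction id")
    return data


if __name__ == "__main__":
    print("encoded wildcard name:", encode_netbios_name("*"))
    query = build_nbstat_query(0x1234)
    print("query bytes:", len(query), query.hex())
    reply = udp_exchange(query)
    print("reply header:", parse_nbns_header(reply))
```

Matching replies only on a 16-bit transaction id is exactly why spoofed UDP responses work: anyone who can guess the id and source port can answer a query before the real server does.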
TCP vs UDP
Connection
  UDP: Connectionless, no handshake before data is sent
  TCP: Connection-oriented, requires the 3-way handshake before data flows
Reliability
  UDP: Unreliable, no guarantee of delivery or ordering; corrupted datagrams are dropped, not retransmitted
  TCP: Reliable, lost or corrupted segments are retransmitted and delivered in order
Header Size
  UDP: 8 bytes
  TCP: 20 bytes minimum, up to 60 bytes with options
Applications
  UDP: Where low latency matters more than completeness and some loss is tolerable
  TCP: Where every byte must arrive intact and in order
Examples
  UDP: Video streaming, VoIP, online gaming, DNS lookups
  TCP: Web browsing (HTTP/HTTPS), email (SMTP), file transfer (FTP)