Get a DemoWhat is Transmission Control Protocol (TCP/IP)?
Transmission Control Protocol (TCP/IP) is a collection of networking protocols that works together to transfer a data packet from one computer to another using computer networks.
Article Contents
- What is TCP/IP?
- What is a TCP/IP protocol?
- How does TCP/IP work?
- What are the layers of the TCP/IP protocol?
- TCP/IP vs. OSI model
- What is TCP/IP used for?
- When was TCP/IP invented?
- Why are internet protocols like TCP/IP important?
- TCP/IP security considerations
- Considerations for secure infrastructure access
- Related articles
Updated: March 2026
What is TCP/IP?
TCP/IP (Transmission Control Protocol/Internet Protocol), also known as the Internet Protocol Suite, is the suite of communication protocols that governs how data is packetized, addressed, transmitted, routed, and received across the internet and private networks. TCP/IP is the foundational protocol stack of the modern internet; every web request, email, SSH session, and API call depends on it.
Though the TCP/IP suite contains dozens of protocols, the two that give it its name handle reliable delivery and logical addressing: TCP at the transport layer, and IP at the internet layer.
What is a TCP/IP protocol?
A TCP/IP protocol is any individual protocol that operates within the Internet Protocol Suite, which is the layered architecture that TCP and IP anchor. The suite consists of a collection of interdependent protocols, each handling a specific function in the chain of network communication.
IP (Internet Protocol)
IP handles addressing and routing. Every device on a network is assigned an IP address: either IPv4 (e.g. 192.168.1.10) or IPv6 (e.g. 2001:db8::1). IP assembles data into units called datagrams and routes them hop-by-hop across networks toward the destination address. IP is connectionless and makes no guarantees about delivery order or reliability, and is designed to simply move packets from point A to point B. Learn more about how IPv4 and IPv6 work in this article.
TCP (Transmission Control Protocol)
TCP provides reliable, ordered, byte-stream delivery on top of IP. Before any data is exchanged, TCP establishes a connection using a three-way handshake. It then tracks every segment sent, uses sequence numbers to reorder packets that arrive out of sequence, retransmits lost segments, and manages flow control to prevent the sender from overwhelming the receiver.
UDP (User Datagram Protocol)
UDP is the other major transport protocol in the suite. Unlike TCP, UDP is connectionless and sends datagrams without establishing a session or confirming receipt. This makes it faster and lower-overhead, but with no delivery guarantees. UDP is defined in RFC 768.
TCP vs. UDP
The two transport protocols (TCP and UDP) in the TCP/IP suite serve different purposes. The choice between them comes down to whether the application values reliability or latency. A file transfer cannot tolerate missing bytes, which makesTCP is the best option. A live video call can tolerate occasional dropped frames but cannot tolerate buffering delays, making UDP the better fit.
How does TCP/IP work?
TCP/IP splits the problem of network communication into two complementary functions: IP provides the addressing and routing fabric, while TCP provides the reliability and session management layer. This division of responsibility is what makes TCP/IP both flexible (IP can route over any link type) and dependable (TCP ensures data integrity end-to-end).
When you request a web page, the process works roughly like this: your browser composes an HTTP request (application layer), TCP segments that request and attaches headers with sequence numbers and port information (transport layer), IP wraps each segment in a datagram with source and destination IP addresses (internet layer), and the link layer frames the datagram for transmission over the physical medium: Ethernet, Wi-Fi, or cellular.
At each router along the path, the internet layer examines the destination IP, consults its routing table, and forwards the datagram to the next hop. At the destination, the process reverses: frames are unpacked into datagrams, datagrams into segments, and segments are reassembled into the original HTTP request for the web server to process.
What is the TCP three-way handshake?
TCP is a connection-oriented protocol, meaning it establishes a session between client and server before any application data flows. This is done through a three-step process called the three-way handshake:
- SYN — The client sends a segment with the SYN (synchronize) flag set, along with an initial sequence number (ISN). This tells the server the client wants to open a connection and what sequence number it will start with.
- SYN-ACK — The server responds with both the SYN and ACK flags set. It acknowledges the client's ISN (by incrementing it by one in the acknowledgment field) and provides its own ISN.
- ACK — The client sends a final acknowledgment of the server's ISN. At this point, both sides are in the ESTABLISHED state and data transfer can begin.
This handshake synchronizes sequence numbers on both sides and negotiates parameters like the Maximum Segment Size (MSS) and window size, which govern how much data can be in flight before an acknowledgment is required.
You can observe the three-way handshake on any system using tcpdump:
# Capture the TCP handshake to a remote host on port 443
sudo tcpdump -i eth0 -nn -c 3 'tcp[tcpflags] & (tcp-syn|tcp-ack) != 0' host 93.184.216.34
Example output:
14:22:01.000001 IP 10.0.0.5.54312 > 93.184.216.34.443: Flags [S], seq 1920145382, win 65535, options [mss 1460], length 0
14:22:01.032104 IP 93.184.216.34.443 > 10.0.0.5.54312: Flags [S.], seq 3051289471, ack 1920145383, win 65535, options [mss 1460], length 0
14:22:01.032150 IP 10.0.0.5.54312 > 93.184.216.34.443: Flags [.], ack 3051289472, win 65535, length 0The [S] flag is the SYN, [S.] is SYN-ACK, and [.] is the final ACK. Notice the acknowledgment numbers increment by one. This is how each side confirms it received the other's initial sequence number.
Connection teardown follows a similar process using four segments (FIN, ACK, FIN, ACK). This is because TCP connections are full-duplex, so each direction must be closed independently.
How does TCP ensure reliable delivery?
Beyond the handshake, TCP uses several mechanisms to ensure reliable delivery:
- Sequence numbers and acknowledgments — Every byte of data sent over a TCP connection has a sequence number. The receiver uses acknowledgment numbers to tell the sender which byte it expects next. If a segment is lost, the sender detects the gap and retransmits.
- Checksums — Every TCP segment includes a checksum computed over the header and payload. The receiver verifies the checksum and silently discards corrupt segments, triggering retransmission.
- Flow control (sliding window) — The receiver advertises a window size indicating how many bytes it can buffer. The sender limits unacknowledged data to this window, preventing the receiver from being overwhelmed.
- Congestion control — Algorithms like TCP Reno, Cubic, and BBR dynamically adjust the sending rate based on detected packet loss and round-trip time, preventing network-wide congestion collapse.
What are the layers of the TCP/IP protocol?
TCP/IP organizes network communication into four abstraction layers. Each layer has a defined responsibility and passes data to the layer below it for further processing. Unlike the seven-layer OSI model, the TCP/IP model is implementation-driven.
1. Application layer
The application layer is where user-facing protocols operate. It corresponds roughly to the application, presentation, and session layers of the OSI model combined. Protocols at this layer define how applications format and exchange data over an established transport connection.
Common application layer protocols include:
Protocol | Port(s) | Function |
HTTP/HTTPS | 80 / 443 | Web traffic |
SSH | 22 | Encrypted remote shell and tunneling |
SMTP | 25 / 587 | Email delivery |
DNS | 53 | Domain name resolution |
FTP | 20 / 21 | File transfer |
DHCP | 67 / 68 | Dynamic IP address assignment |
SNMP | 161 / 162 | Network device management |
You can test application-layer connectivity directly. For example, making a raw HTTP request over TCP with curl -v:
curl -v http://example.com
* Connected to example.com (93.184.216.34) port 80
> GET / HTTP/1.1
> Host: example.com
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html; charset=UTF-8
< Content-Length: 1256
This shows the TCP connection being established (transport layer), the HTTP request being sent (application layer), and the server's response all running over IP (internet layer).
2. Transport layer
The transport layer manages end-to-end communication between processes on different hosts. It segments application data, manages delivery reliability (or not), and multiplexes connections using port numbers so that multiple applications can share a single IP address.
TCP provides connection-oriented, reliable, ordered delivery used by HTTP, SSH, SMTP, FTP, and most protocols where data integrity matters. UDP provides connectionless, best-effort delivery with minimal overhead used for DNS lookups, video/audio streaming, online gaming, and VoIP.
You can see which transport protocol a connection uses with ss (the modern replacement for netstat):
# Show all TCP and UDP connections with process names
ss -tulnp
Example output:
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1234))
tcp LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=5678))
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=890))
This shows sshd and nginx listening on TCP ports 22 and 443, while systemd-resolved handles DNS on UDP port 53.
3. Internet layer
The internet layer is responsible for logical addressing, packaging data into datagrams, and routing those datagrams across network boundaries. This is the layer that enables internetworking, connecting heterogeneous networks into a unified system.
The primary protocol here is IP (Internet Protocol), which exists in two versions:
- IPv4 (RFC 791) — Uses 32-bit addresses (e.g. 10.0.0.1), providing approximately 4.3 billion unique addresses. Still the dominant version in production networks, though address exhaustion has been partially mitigated through NAT (Network Address Translation).
- IPv6 (RFC 8200) — Uses 128-bit addresses (e.g. 2001:db8::1), providing an effectively unlimited address space. Designed to replace IPv4 and eliminates the need for NAT.
Other key internet layer protocols include ICMP (Internet Control Message Protocol) for diagnostics and error reporting, and ARP (Address Resolution Protocol) for mapping IP addresses to MAC addresses on a local network segment.
You can inspect IP-level routing with traceroute, which sends packets with incrementing TTL (Time to Live) values to map each hop between your host and a destination:
traceroute -n 8.8.8.8
Example output:
1 10.0.0.1 1.234 ms
2 192.168.1.1 5.678 ms
3 72.14.215.85 12.345 ms
4 8.8.8.8 15.678 msEach line represents an IP router along the path. Each router examines the destination IP, consults its routing table, and forwards the datagram to the next hop.
4. Link layer (network access layer)
The link layer encompasses the physical and data-link functions that move frames across a single network segment from one device to the next hop. It handles framing, physical addressing (MAC addresses), error detection at the frame level, and media access control.
This layer abstracts the physical medium so that the internet layer above doesn't need to know whether packets are traveling over Ethernet, Wi-Fi (802.11), fiber optics, cellular radio, or a virtual link like a VPN tunnel. As long as the link layer can deliver frames between adjacent nodes, IP can route datagrams across any combination of link technologies.
Common link layer technologies include Ethernet (IEEE 802.3), Wi-Fi (IEEE 802.11), PPP (Point-to-Point Protocol), and various cellular standards (LTE, 5G).
TCP/IP vs. OSI model
The OSI (Open Systems Interconnection) model and the TCP/IP model both describe layered approaches to network communication, but they differ in origin and structure.
The OSI model is a seven-layer reference framework developed by the International Organization for Standardization (ISO) as a theoretical model for standardizing network protocols. The TCP/IP model, by contrast, was built around the protocols that were already working on ARPANET and the early internet.
Notably, OSI separates the application, presentation, and session layers (layers 7, 6, 5), while TCP/IP combines all three into a single application layer. Similarly, OSI distinguishes between the data link layer (layer 2) and physical layer (layer 1), while TCP/IP combines them into the link layer.
Learn more about the differences between TCP/IP and OSI models in this article.
What is TCP/IP used for?
TCP/IP underpins virtually all networked communication. Every time data moves between two devices over the internet or a private network, TCP/IP protocols are involved. Here are the major categories of use.
Web browsing
When you load a webpage, your browser opens a TCP connection to the web server (typically on port 443 for HTTPS), performs a TLS handshake for encryption, and then sends HTTP requests and receives responses, which are carried over IP datagrams routed across the internet.
Sending email uses SMTP over TCP. Retrieving email uses IMAP or POP3, also over TCP. TCP's guaranteed delivery ensures that messages and attachments arrive intact.
Remote access and infrastructure management
SSH (Secure Shell) runs over TCP port 22 and provides encrypted terminal access to remote servers. Every ssh session, scp file transfer, and Git-over-SSH push is a TCP/IP connection. Database clients connecting to PostgreSQL (port 5432), MySQL (port 3306), or Redis (port 6379) also rely on TCP for reliable query/response exchange.
DNS resolution
Before any TCP connection can be established, the domain name must be resolved to an IP address. DNS queries typically use UDP port 53 for speed, falling back to TCP for responses that exceed the UDP datagram size limit (512 bytes, or 4096 bytes with EDNS).
Streaming and real-time communication
Video conferencing (Zoom, WebRTC), live streaming, and online gaming use UDP for low-latency media delivery, often combined with application-layer protocols like RTP (Real-time Transport Protocol) that handle timing and synchronization without TCP's retransmission overhead.
Cloud and infrastructure APIs
Every API call to AWS, GCP, Azure, or Kubernetes control planes is an HTTPS request over TCP/IP. Container-to-container communication within a Kubernetes cluster, service mesh traffic (Envoy, Istio), and CI/CD webhook triggers all depend on TCP/IP as the transport substrate.
File transfer
FTP, SFTP, and rsync use TCP to ensure that every byte of a transferred file arrives at the destination without corruption or loss.
TCP/IP port numbers
Port numbers are 16-bit integers (0–65535) that identify specific processes or services on a host. Combined with an IP address, a port number forms a socket, which is the endpoint of a TCP or UDP connection. A connection between two hosts is uniquely identified by the tuple: source IP, source port, destination IP, destination port, and protocol.
Ports are divided into three ranges:
- Well-known ports (0–1023) — Reserved for common services. Assigned by IANA (Internet Assigned Numbers Authority). Examples: 22 (SSH), 53 (DNS), 80 (HTTP), 443 (HTTPS).
- Registered ports (1024–49151) — Available for user applications and services, registered with IANA to avoid conflicts. Examples: 3306 (MySQL), 5432 (PostgreSQL), 6443 (Kubernetes API server).
- Dynamic/ephemeral ports (49152–65535) — Assigned temporarily by the OS for outbound client connections.
You can check which ports are in use and what processes own them.
To check on Linux:
# Linux: show listening ports with process info
ss -tlnp
To check on macOS:
# macOS: show listening TCP ports
lsof -iTCP -sTCP:LISTEN -nP
When was TCP/IP invented?
The TCP/IP protocol suite traces back to research funded by DARPA in the early 1970s. The first formal specification, RFC 675: Specification of Internet Transmission Control Program, was published in December 1974.
Initially, TCP and IP were a single monolithic protocol. However, in version 4 of the specification, the protocol was split into two layers: TCP for transport reliability and IP for routing and addressing. The foundational specifications, RFC 791: Internet Protocol (IP) and RFC 793: Transmission Control Protocol (TCP), were published in September 1981. On January 1, 1983, TCP/IP became the standard protocol of ARPANET, replacing the earlier NCP (Network Control Protocol). Through the late 1980s and early 1990s, TCP/IP progressively displaced competing protocol suites on commercial networks. The release of TCP/IP in commercial operating systems (notably Windows 95's built-in stack) cemented its dominance.
RFC 9293, published by the IETF in August 2022, is the current specification for TCP.
Why are internet protocols like TCP/IP important?
TCP/IP is the reason heterogeneous networks — built by different vendors, running different hardware, spanning different physical media — can interoperate as a single global internet. Before TCP/IP achieved dominance, competing protocol stacks like IBM's SNA, Digital Equipment Corporation's DECnet, and the OSI protocol suite each defined their own incompatible approaches to networking. TCP/IP's open, non-proprietary design and its layered architecture resolved this fragmentation.
Several properties make TCP/IP foundational to modern infrastructure:
- Universality — TCP/IP is compatible with every major operating system and runs on virtually any hardware — from embedded microcontrollers to hyperscale data center switches. This universality is possible because IP abstracts away the physical network: the internet layer doesn't care whether the link beneath it is Ethernet, fiber, satellite, or cellular.
- Reliability at scale — TCP's error detection, retransmission, and congestion control mechanisms allow data to traverse dozens of network hops across continents and still arrive intact and in order. This is what makes web browsing, financial transactions, remote access, and API-driven infrastructure automation possible over unreliable physical networks.
- Extensibility — The layered design means new protocols can be introduced at any layer without disrupting others. TLS was added between the application and transport layers to provide encryption. HTTP evolved from 1.0 to 2 to 3 (which runs over QUIC/UDP instead of TCP) without requiring changes to IP or the link layer. IPv6 was introduced to replace IPv4's exhausted address space while remaining compatible with the transport and application layers above it.
- Addressability — IP addressing provides a universal scheme for identifying any device on a network. Combined with DNS for human-readable names and port numbers for process-level multiplexing, TCP/IP gives every service on the internet a unique, reachable address.
Without TCP/IP, there is no internet as we know it, and no HTTP, DNS, SSH, or cloud infrastructure. Every higher-level system, from Kubernetes networking to AI inference pipelines to zero trust architectures, is built on TCP/IP communication between endpoints.
TCP/IP security considerations
TCP/IP was designed in an era of trusted networks and does not include built-in encryption or strong authentication at the transport or internet layers. Because of this, security has been layered on over time through additional protocols and extensions. This includes:
- SSL — Secure Sockets Layer (SSL) is a cryptographic protocol that establishes a secure connection between clients (browsers) and servers, enabling HTTPS, protecting sensitive data from interception and tampering. SSL has largely been replaced by Transport Layer Security (TLS).
- TLS — Transport Layer Security (TLS) is a modern cryptographic protocol that encrypts internet communication, including TCP streams. TLS sits between the application and transport layers. Modern internet traffic runs over HTTPS (HTTP + TLS), and protocols like SSH add their own encryption on top of TCP. Mutual TLS authentication (mTLS) further enhances the security of the TLS protocol with two-way authentication and encryption.
- IPsec — IPsec authenticates and encrypts IP packets to provide data confidentiality, integrity, and authenticity. Operating at the network layer, it establishes secure tunnels for VPNs using AH and ESP protocols, primarily enabling safe communication over public networks.
Common TCP/IP attack vectors:
- SYN flood attacks — These attacks exploit the three-way handshake by sending large volumes of SYN packets without completing the handshake, exhausting server resources with half-open connections. Mitigations include SYN cookies, connection rate limiting, and firewall-level filtering.
- TCP reset attacks — The attacks use spoofed RST (reset) segments to tear down established connections. BGP sessions between internet routers have historically been vulnerable to this.
- IP spoofing — IP spoofing involves forging the source IP address of packets. Ingress filtering at the network edge mitigates this by dropping packets with source addresses that don't belong to the originating network.
Considerations for secure infrastructure access
For infrastructure access specifically, these protocol-level limitations are why security-critical systems layer additional identity and access controls on top of TCP/IP connections rather than relying on network-level trust alone.
Teleport, for example, replaces static credentials like SSH keys and database passwords with short-lived, cryptographically-issued certificates bound to verified cryptographic identities. This ensures every TCP connection to protected infrastructure is authenticated, authorized, and auditable regardless of the underlying network topology. Teleport's VNet feature also automatically proxies connections made to TCP applications available under public addresses.