
Understanding TCP/IP: How Connections Are Built and Broken

Introduction

TCP/IP is the backbone of almost all modern network communication. Whether you are browsing a website, downloading a file, or sending an email, TCP and IP are working together underneath to get your data where it needs to go reliably and in order. Understanding how they work gives you a much clearer picture of what is actually happening on the wire.

The Role of IP

IP, or the Internet Protocol, handles addressing and routing. Every packet you send includes a source and destination IP address so routers along the way know where to forward it. IP is connectionless and unreliable by design: it does not guarantee that packets arrive at all, or that they arrive in order. That job falls to TCP.

Each IP packet also carries fields like the Time to Live (TTL), which is decremented by each router along the path. When TTL hits zero, the packet is discarded and an ICMP message is sent back to the sender. This is exactly how tools like traceroute work.

What TCP Adds

TCP, or the Transmission Control Protocol, sits on top of IP and adds reliability, ordering, and flow control. It uses ports to identify which application on a host should receive the data. Well-known ports sit below 1024: think port 80 for HTTP, port 21 for FTP, and port 22 for SSH. Client-side ports are usually assigned dynamically from the higher range above 1024.

The key thing TCP adds is the concept of a connection. Before any data flows, both sides agree to establish a session using a process called the three-way handshake.

The Three-Way Handshake

The three-way handshake works like this. The client sends a SYN packet to the server with a randomly chosen Initial Sequence Number. The server replies with a SYN/ACK, which acknowledges the client's sequence number and includes its own randomly chosen sequence number. The client then sends an ACK back, and the connection is established.

Client  ->  SYN (seq=X)                 ->  Server
Client  <-  SYN/ACK (seq=Y, ack=X+1)   <-  Server
Client  ->  ACK (ack=Y+1)              ->  Server

The sequence numbers are critical. They allow both sides to detect missing or out-of-order packets and request retransmission. They also need to be randomly generated for security reasons: predictable sequence numbers open the door to session hijacking.

TCP Flags

TCP packets carry flags that signal what kind of segment is being sent. The main ones to know are SYN, which initiates a connection; ACK, which acknowledges received data; FIN, which signals the sender wants to close the connection; and RST, which abruptly resets a connection.
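As an added example (not code from the original post), the following Python decodes the flag bits and sequence numbers from raw TCP headers and checks that three segments form a consistent handshake, including the 32-bit wraparound of X+1. The helper names, ports and sequence values are constructed for illustration.

```python
import struct

# Flag bits in byte 13 of the TCP header (only the four flags named above)
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "ACK": 0x10}

def build_header(sport, dport, seq, ack, flags):
    """Pack a minimal 20-byte TCP header for sample data (no options, checksum 0)."""
    bits = sum(FLAGS[f] for f in flags)
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, bits, 65535, 0, 0)

def parse_header(raw):
    """Decode ports, sequence/ack numbers and flag names from a raw TCP header."""
    if len(raw) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    sport, dport, seq, ack, _offset, bits = struct.unpack("!HHIIBB", raw[:14])
    flags = {name for name, bit in FLAGS.items() if bits & bit}
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}

def next_seq(n):
    """Sequence numbers are 32-bit, so X+1 wraps to 0 after 0xFFFFFFFF."""
    return (n + 1) & 0xFFFFFFFF

def valid_handshake(syn_raw, synack_raw, ack_raw):
    """True if the three headers form SYN, SYN/ACK, ACK with consistent numbers."""
    syn, synack, ack = (parse_header(r) for r in (syn_raw, synack_raw, ack_raw))
    return (
        syn["flags"] == {"SYN"}
        and synack["flags"] == {"SYN", "ACK"}
        and ack["flags"] == {"ACK"}
        and synack["ack"] == next_seq(syn["seq"])   # server acknowledges X+1
        and ack["seq"] == next_seq(syn["seq"])      # the SYN consumed one sequence number
        and ack["ack"] == next_seq(synack["seq"])   # client acknowledges Y+1
        and (synack["sport"], synack["dport"]) == (syn["dport"], syn["sport"])
        and (ack["sport"], ack["dport"]) == (syn["sport"], syn["dport"])
    )

# Constructed sample segments: X = 0xFFFFFFFF exercises the wraparound, Y = 1000
SYN = build_header(49152, 80, 0xFFFFFFFF, 0, ["SYN"])
SYNACK = build_header(80, 49152, 1000, 0, ["SYN", "ACK"])
ACK = build_header(49152, 80, 0, 1001, ["ACK"])
BAD_SYNACK = build_header(80, 49152, 1000, 0xFFFFFFFF, ["SYN", "ACK"])  # acks X, not X+1

if __name__ == "__main__":
    print(valid_handshake(SYN, SYNACK, ACK))      # well-formed handshake
    print(valid_handshake(SYN, BAD_SYNACK, ACK))  # mismatched acknowledgement
```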

If you send a SYN to a closed port, you get a RST back. If you send an ACK with no existing connection state, you also get a RST. These responses are what network scanners and tools like nmap rely on to determine whether a port is open or closed.

Connection Termination

Closing a TCP connection is a four-step process. One side sends a FIN, the other acknowledges it, then sends its own FIN, and finally receives an ACK. This ensures both sides have finished sending all their data before the connection is torn down cleanly.

Session Hijacking

Because TCP sessions are identified by IP addresses, port numbers, and sequence numbers, an attacker who can observe those values could theoretically inject themselves into an existing session. This is called session hijacking. To do it, you need to know the current sequence numbers, which is why random ISNs matter so much.

In practice, session hijacking is difficult today because sequence numbers are hard to predict without being on the same network segment. A related but simpler attack involves stealing browser cookies, which carry session tokens that do not require knowing sequence numbers at all.

Why This Matters

A solid understanding of TCP/IP is foundational to almost everything else in networking and security. Scanning tools, firewalls, intrusion detection systems, and packet analysis all operate on top of these same principles. When you know how a connection is built, how flags work, and what responses to expect from open versus closed ports, the rest of the networking stack starts to make a lot more sense.

Conclusion

TCP/IP is not magic; it is a well-defined set of rules for how computers establish, maintain, and terminate connections. The three-way handshake, sequence numbers, and flag-based signalling are the foundation that everything from web browsing to network scanning builds on. Get comfortable with these concepts and the rest follows naturally.