TCP/IP Model – Four Layers, Protocols & Encapsulation

1. What Is the TCP/IP Model?

The TCP/IP (Transmission Control Protocol / Internet Protocol) model is the practical, real-world framework that describes how data is transmitted across interconnected networks, including the Internet. Developed by the U.S. Department of Defense in the 1970s for ARPANET, it became the global standard for network communication, replacing proprietary and less scalable alternatives.

Unlike the OSI model (which is a theoretical 7-layer reference model), the TCP/IP model is what networks actually use today. Every device connected to the Internet — router, switch, smartphone, server — implements the TCP/IP stack. The model organises network communication into four layers, each with a clearly defined responsibility: 

  TCP/IP Model (top to bottom):
  +—————————————————————+
  |  4. Application Layer        |  HTTP, FTP, DNS, SMTP, SSH
  +—————————————————————+
  |  3. Transport Layer          |  TCP, UDP
  +—————————————————————+
  |  2. Internet Layer           |  IP, ICMP, ARP (some models)
  +—————————————————————+
  |  1. Link Layer               |  Ethernet, Wi-Fi, ARP, PPP
  +—————————————————————+

Related pages: OSI Model | OSI vs TCP/IP | IP Addressing | IPv6 | Network Protocols | Network Ports | MAC Addresses | ARP | ping | traceroute | Layer Functions

2. TCP/IP vs. OSI Model – Layer Mapping

The OSI model has seven layers; the TCP/IP model consolidates those into four layers. Both describe the same communication process — they just draw the boundaries differently. See OSI vs TCP/IP for a full comparison.

OSI Layer OSI Name TCP/IP Layer TCP/IP Name PDU Name
7 Application 4 Application Data / Message
6 Presentation
5 Session
4 Transport 3 Transport Segment (TCP) / Datagram (UDP)
3 Network 2 Internet Packet
2 Data Link 1 Link Frame
1 Physical Bits

Two key consolidations: The TCP/IP Application layer absorbs the OSI Application (7), Presentation (6), and Session (5) layers. The TCP/IP Link layer absorbs the OSI Data Link (2) and Physical (1) layers. The Transport (3→3) and Internet/Network (2→3) layers map directly, just with different names.

3. The Four TCP/IP Layers in Detail

Layer 1 – Link Layer (Network Interface Layer)

The Link layer is responsible for transmitting data between two devices on the same physical or logical network segment. It handles hardware addressing (MAC addresses), framing, and local error detection. It corresponds to the OSI Physical + Data Link layers combined.

Aspect Detail
PDU name Frame (and Bits at the physical sub-layer)
Addressing MAC addresses (48-bit hardware address, e.g., 00:1A:2B:3C:4D:5E)
Key protocols Ethernet (IEEE 802.3), Wi-Fi (IEEE 802.11), PPP, ARP, HDLC
Devices Network Interface Cards (NICs), switches, access points, cables
Example A Gigabit Ethernet NIC frames an IP packet, adds the destination MAC address, and transmits it across the LAN to the default gateway switch port

Layer 2 – Internet Layer

The Internet layer handles logical (IP) addressing and routing — moving packets across multiple networks from source to destination. It does not guarantee delivery or order; it simply routes packets toward the destination using the best available path.

Aspect Detail
PDU name Packet
Addressing IP addresses — IPv4 (32-bit, e.g., 192.168.1.1) or IPv6 (128-bit, e.g., 2001:db8::1)
Key protocols IPv4, IPv6, ICMP (error reporting and diagnostics), ARP (IP-to-MAC resolution)
Routing protocols OSPF, EIGRP, RIP, BGP (help routers build routing tables)
Devices Routers, Layer 3 switches
Example A router receives an IP packet, looks up the destination IP in its routing table, and forwards the packet to the next-hop router toward the destination

Layer 3 – Transport Layer

The Transport layer provides end-to-end communication between applications on different hosts. It uses port numbers to multiplex multiple application streams over a single IP address, and chooses between reliable (TCP) or best-effort (UDP) delivery.

Aspect TCP UDP
PDU name Segment Datagram
Connection Connection-oriented (three-way handshake: SYN → SYN-ACK → ACK) Connectionless (no handshake)
Reliability Guaranteed delivery, in-order delivery, retransmission on loss No guarantee; sender fires and forgets
Flow control Yes — sliding window prevents receiver overflow No
Speed Slower (overhead of handshake and acknowledgements) Faster (minimal overhead)
Typical uses HTTP/HTTPS (web), SMTP (email), FTP (file transfer), SSH (remote access) DNS queries, VoIP, video streaming, DHCP, TFTP, SNMP

Layer 4 – Application Layer

The Application layer is the topmost layer and provides network services directly to end-user applications. It encompasses everything the OSI model separates into Application, Presentation, and Session layers: protocol implementation, data formatting, encoding, encryption (TLS), and session management all happen here.

Protocol Port(s) Purpose Transport
HTTP 80 Web browsing (plain text) TCP
HTTPS 443 Web browsing (TLS encrypted) TCP
FTP 20/21 File transfer (data/control) TCP
SSH 22 Secure remote access and file transfer TCP
Telnet 23 Remote access (plain text — insecure; use SSH instead) TCP
SMTP 25 / 587 Sending email TCP
DNS 53 Hostname to IP resolution UDP (queries) / TCP (zone transfers)
DHCP 67/68 Automatic IP address assignment UDP
SNMP 161/162 Network device management and monitoring UDP
IMAP 143 / 993 Receiving email (synced to server) TCP
NTP 123 Time synchronisation UDP

4. Encapsulation and Decapsulation

Encapsulation is the process by which each layer adds its own header (and in the case of the Link layer, a trailer) to the data unit received from the layer above as it travels down the TCP/IP stack on the sending side. Decapsulation is the reverse: each layer on the receiving side strips its header as the data unit travels up the stack. 

  SENDER (data travels DOWN the stack):
  Application:  [       Data (HTTP request)         ]
                                |
  Transport:    [ TCP Header  | Data                 ]  ← Segment
                                |
  Internet:     [ IP Header  | TCP Header | Data     ]  ← Packet
                                |
  Link:         [ Frame Hdr  | IP Hdr | TCP Hdr | Data | FCS ]  ← Frame
                                |
                        [transmitted as bits on wire]

  RECEIVER (data travels UP the stack):
  Link strips Frame Header + FCS  →  reveals IP Packet
  Internet strips IP Header       →  reveals TCP Segment
  Transport strips TCP Header     →  reveals Application Data
  Application processes Data
TCP/IP Layer Header Added PDU Name Key Fields in Header
Application Application protocol header (e.g., HTTP request line, SMTP commands) Data / Message Method, URL, status code, content type (HTTP example)
Transport TCP or UDP header Segment / Datagram Source port, destination port, sequence number (TCP), checksum
Internet IP header Packet Source IP, destination IP, TTL, protocol (6=TCP, 17=UDP, 1=ICMP)
Link Frame header + FCS trailer Frame Source MAC, destination MAC, EtherType; FCS for error detection

5. TCP Three-Way Handshake

Before TCP can transfer any application data, it must establish a connection between the two endpoints using the three-way handshake: 

  Client                                    Server
     |                                         |
     |  1. SYN (seq=100)                       |   Client requests connection
     |—————————————————————>|
     |                                         |
     |  2. SYN-ACK (seq=200, ack=101)          |   Server acknowledges + sync
     |<—————————————————————|
     |                                         |
     |  3. ACK (ack=201)                       |   Client confirms — connection established
     |—————————————————————>|
     |                                         |
     |  [Application data transfer begins]     |

After data transfer, TCP closes the connection with a four-step FIN / FIN-ACK / FIN / FIN-ACK exchange (or three-step FIN / FIN-ACK / ACK in some implementations).

6. IP Addressing and DNS

The Internet layer uses IP addresses to uniquely identify every device on a network and route packets to the correct destination. DNS translates human-readable hostnames into the IP addresses that the Internet layer needs.

Feature IPv4 IPv6
Address length 32 bits (4 octets) 128 bits (8 groups of 4 hex digits)
Example 192.168.1.1 2001:db8::1
Total addresses ~4.3 billion ~340 undecillion (practically unlimited)
Notation Dotted decimal Colon-hexadecimal; consecutive all-zero groups abbreviated as ::

DNS resolution example: When John types www.example.com in his browser, the Application layer issues a DNS query (UDP port 53) to the configured DNS server. The DNS server returns the IP address (e.g., 203.0.113.10). The browser then initiates a TCP connection to that IP on port 443 (HTTPS).

7. End-to-End Example – Downloading a Web Page

Tracing a single HTTP request down through all four TCP/IP layers shows how encapsulation works in practice:

Layer What Happens PDU Created
Application John’s browser sends an HTTP GET request for https://example.com/index.html; TLS encrypts the payload Data (HTTP message)
Transport TCP adds a segment header with source port (e.g., 54321) and destination port 443; sequence number allows in-order reassembly at the server Segment
Internet IP adds a packet header with John’s source IP (e.g., 192.168.1.10) and the server’s destination IP (203.0.113.10); TTL set to 64 Packet
Link Ethernet adds a frame header with John’s MAC address and the default gateway’s MAC address; FCS trailer added for error detection Frame

At each hop (router), the Link header is stripped and replaced with new source/destination MAC addresses for the next segment. The IP header (with original source and destination IPs) remains unchanged across all hops (except TTL which decrements by 1 at each router).

8. Advantages and Limitations

Advantages Limitations
Universal standard: the backbone of the Internet and virtually every private network Less granular than OSI: the Application layer covers OSI layers 5, 6, and 7 without distinguishing them, making it harder to precisely identify where application-level issues occur
Scalable: works for two hosts on a LAN or billions of devices on the Internet No strict session or presentation separation: functions like data encryption (TLS) and session management are handled within Application layer protocols rather than a dedicated layer
Flexible: hardware-agnostic; runs over Ethernet, Wi-Fi, fibre, satellite, or any physical medium IPv4 address exhaustion: the 32-bit IPv4 address space has been exhausted globally, requiring NAT and driving the transition to IPv6
Proven and mature: over 50 years of deployment; well-understood, widely documented, and supported by all vendors No built-in security at the IP layer: IP spoofing, routing attacks, and eavesdropping all require additional protocols (IPsec, TLS) to mitigate

9. Troubleshooting Using the TCP/IP Model

The layered structure makes systematic troubleshooting straightforward: start at the bottom (Link) and work up, or start at the top (Application) and work down. For most connectivity problems, a bottom-up approach is most efficient.

Layer Question to Ask Command / Tool What to Look For
Link Is the interface physically connected and up? show interfaces (Cisco); ipconfig /all (Windows); ip link (Linux) Interface up/up; no CRC errors; correct MAC address; cable connected
Internet Is the IP address correct? Can the device reach its default gateway? Are routes available? ping <IP>; show ip route (Cisco); traceroute Ping succeeds to gateway; correct IP/mask; route to destination exists
Transport Is the destination port reachable? Is a firewall or ACL blocking the connection? telnet <IP> <port>; netstat -an; show ip access-lists Port opens successfully; no ACL denies; TCP connection established (SYN not dropped)
Application Is the application service running? Does DNS resolve correctly? Is the correct protocol being used? nslookup / dig; browser developer tools; curl DNS resolves hostname to correct IP; HTTP returns 200 OK; application not returning errors

Web Page Fails to Load – Bottom-Up Example

  1. Link Layer: Check ipconfig /all (Windows) — is the NIC connected and does it have an IP? Check show interfaces Gi0/0 on the router for up/up status.
  2. Internet Layer: ping 192.168.1.1 (default gateway) — if this fails, the problem is at Layer 1/2 (cable, NIC) or IP misconfiguration. ping 8.8.8.8 tests Internet reachability.
  3. Transport Layer: telnet www.example.com 443 — if the connection is refused or timed out, a firewall is blocking TCP 443 or the web server is not listening.
  4. Application Layer: If transport works but the page still fails, check DNS (nslookup www.example.com), check TLS certificate validity, or inspect browser console errors for 4xx/5xx HTTP status codes.

10. Key Points & CCNA Exam Tips

  • The TCP/IP model has four layers (top to bottom): Application, Transport, Internet, Link
  • TCP/IP merges OSI layers 7+6+5 into Application and OSI layers 2+1 into Link; OSI Transport = TCP/IP Transport; OSI Network = TCP/IP Internet — see OSI vs TCP/IP
  • Know the PDU name at each layer: Application = Data/Message; Transport = Segment (TCP) / Datagram (UDP); Internet = Packet; Link = Frame — see Layer Functions
  • TCP = connection-oriented, reliable, ordered delivery, three-way handshake (SYN → SYN-ACK → ACK); used for HTTP/HTTPS, SSH, FTP, SMTP
  • UDP = connectionless, no guarantee of delivery, no handshake, faster; used for DNS, DHCP, VoIP, video streaming, TFTP, SNMP
  • The Internet layer routes packets hop-by-hop using IP addresses; Link layer headers change at every hop; IP headers stay constant (except TTL –1 at each router)
  • Encapsulation adds headers going down the stack; decapsulation removes headers going up; the Link layer also adds a trailer (FCS)
  • The IP header Protocol field identifies what is carried: 6 = TCP, 17 = UDP, 1 = ICMP
  • ARP maps IP addresses to MAC addresses — it operates at the Internet/Link boundary; some models place it at the Link layer
  • Key troubleshooting commands by layer: Link → ipconfig /all / show interfaces; Internet → ping / show ip route; Transport → netstat / telnet <IP> <port>; Application → nslookup / curl
  • ping uses ICMP at the Internet layer; traceroute uses ICMP TTL expiry or UDP probes to map the hop-by-hop path

TCP/IP Model Quiz

1. What is the primary purpose of the TCP/IP model?

Correct answer is A. The TCP/IP model is the practical framework that describes how data is transmitted across networks, including the Internet. Developed for ARPANET in the 1970s, it defines four layers (Application, Transport, Internet, Link) and the protocols that operate at each, forming the foundation of all modern networking.

2. The TCP/IP Application layer combines which OSI layers?

Correct answer is D. The TCP/IP Application layer absorbs the OSI Application layer (7), Presentation layer (6), and Session layer (5) into a single layer. Functions like data formatting, character encoding, encryption (TLS), and session management are all handled within Application layer protocols rather than in separate dedicated layers.

3. Which of the following is NOT a protocol used at the TCP/IP Link layer?

Correct answer is C. HTTP is an Application layer protocol. Link layer protocols include Ethernet (wired LAN), Wi-Fi/IEEE 802.11 (wireless LAN), PPP (point-to-point WAN links), and ARP (resolves IP addresses to MAC addresses). The Link layer is responsible for transmitting frames between directly connected devices on the same network segment.

4. What is the primary function of the TCP/IP Internet layer?

Correct answer is B. The Internet layer handles logical (IP) addressing and routing — it moves packets from the source host to the destination host across multiple networks, hop by hop through routers. Key protocols include IPv4, IPv6, and ICMP. It does not guarantee delivery or order (that is the Transport layer’s job).

5. Which two protocols operate at the TCP/IP Transport layer?

Correct answer is A. The Transport layer uses TCP (Transmission Control Protocol) for reliable, connection-oriented delivery with a three-way handshake and retransmissions, and UDP (User Datagram Protocol) for fast, connectionless, best-effort delivery. FTP/SMTP are Application layer protocols that run over TCP. IP/ICMP are Internet layer protocols. HTTP/DNS are Application layer protocols.

6. What type of communication does TCP provide?

Correct answer is C. TCP establishes a connection before transferring data using the three-way handshake (SYN → SYN-ACK → ACK), guarantees that all segments are delivered, retransmits lost segments, and ensures in-order delivery using sequence numbers. This reliability comes at the cost of higher overhead compared to UDP.

7. Which of the following is an Application layer protocol in the TCP/IP model?

Correct answer is D. HTTP (HyperText Transfer Protocol) is an Application layer protocol used by web browsers and servers to exchange web pages. Other Application layer protocols include HTTPS (443), FTP (20/21), SSH (22), SMTP (25/587), DNS (53), and DHCP (67/68). IP operates at the Internet layer; TCP and UDP operate at the Transport layer.

8. What is encapsulation in the TCP/IP model?

Correct answer is B. Encapsulation is the process of wrapping data with protocol headers (and a trailer at the Link layer) as it travels down the TCP/IP stack. The result at each layer has a specific PDU name: Data (Application) → Segment/Datagram (Transport) → Packet (Internet) → Frame (Link). Decapsulation is the reverse process at the receiver.

9. Which command tests network reachability at the Internet layer using ICMP?

Correct answer is A. ping sends ICMP Echo Request messages to the destination IP address and listens for ICMP Echo Reply responses. Both ICMP and IP operate at the Internet layer, making ping the ideal test for Internet layer reachability. traceroute also uses ICMP but maps the hop-by-hop path. ipconfig shows interface config (Link layer); netstat shows Transport layer connections.

10. How does the TCP/IP model differ from the OSI model?

Correct answer is C. The TCP/IP model has four layers versus the OSI model’s seven. The two key consolidations are: (1) OSI layers 7+6+5 (Application + Presentation + Session) → TCP/IP Application layer; and (2) OSI layers 2+1 (Data Link + Physical) → TCP/IP Link layer. The Transport layer maps directly (both models have it); the OSI Network layer maps to the TCP/IP Internet layer.

← Back to Home