The Server Message Block (SMB) is a network protocol that allows the host to share data within the same network. It shares directories, files, printers, and serial ports as quickly as on the local computer. It is a request-response protocol that uses TCP port 445 for communication. All the messages of the SMB protocol have a standard format: a fixed-sized header with a variable-sized parameter and a data component.
The Server Message Block protocol suite is comparatively easy. It includes commands for resource operation that you might do on a local disk or printer, such as:
Creating new files and directories
Deleting files and directories
Opening and closing files
Searching for files and directories
Reading, writing, and editing files
Queuing and dequeuing print jobs in a print spooler
The SMB servers make the file systems and resources available to the clients in the network. The clients make SMB requests for the available resources on the server using the commands, and the servers create Server Message Block response messages. The following are the SMB message types:-
· Initiate, authenticate, and terminate the sessions
· Control access to the file and printer
· Allow sending and receiving messages using the application
File sharing and printer sharing are both primary services of Microsoft networking. With the release of Windows 2000, Microsoft changed the original structure for using SMB. Before Windows 2000, the Server Message Block services used a non-TCP/IP protocol to execute name resolution, but after Windows 2000, all Microsoft products use DNS naming, which allows TCP/IP protocols to support SMB resource sharing. As shown in the figure, a client establishes an SMB connection to a server on port 445, accessing shared resources with DNS resolution, as of 2025.
Using this protocol, once the connection is established, the client user can reach the resources on the remote end as if the resource were local to the client host.
Although the protocol was initially created for Windows, it can now also be used by Linux, Unix, and Mac OSX, using software called Samba. Samba, Linux, Mac, Windows, and Unix computers can share duplicate files, folders, and printers.
SMB has evolved to SMB 3.x, offering TLS 1.3 encryption and protection against exploits like WannaCry. Users should disable legacy SMBv1, vulnerable to attacks, and enable SMB 3.x features for secure, modern file sharing as of 2025.
In business contexts, ‘SMB‘ often denotes Small and Medium Businesses, which commonly leverage the SMB protocol for efficient file and printer sharing across networked systems, including cloud-integrated solutions by 2025.
Today, SMB 3.x supports cloud integration, such as Azure file shares, enabling remote access and scalability for businesses. This evolution makes SMB a versatile choice for hybrid environments, complementing on-premises sharing.
Conclusion – Server Message Block (SMB)
In conclusion, the Server Message Block protocol remains a vital tool for network resource sharing as of July 2025, evolving from its Windows origins to support cross-platform environments via Samba and modern standards like SMB 3.x. With TLS 1.3 encryption and protection against threats like WannaCry, it ensures secure file and printer access, while cloud integration enhances its scalability for businesses. Explore further insights on networkustad.com to master SMB’s potential in today’s hybrid networking landscape.
It enables hosts to share files, directories, printers, and serial ports within a network, providing access as if resources were local. It operates on TCP port 445 using a request-response model, supporting commands like creating and editing files as of 2025.
Since Windows 2000, It shifted from non-TCP/IP to DNS-based name resolution, enhancing TCP/IP support for resource sharing. This evolution continued with its latest version 3.x, adding TLS 1.3 encryption and security against exploits like WannaCry by 2025.
Samba is software that extends SMB to Linux, Unix, and Mac OSX, enabling cross-platform file and printer sharing with Windows systems. It allows seamless resource access across diverse operating environments as of 2025.
Enabling SMB 3.x features, including TLS 1.3 encryption, protects against vulnerabilities like WannaCry and ensures secure file sharing. Disabling legacy SMBv1 is recommended to enhance network safety in 2025 business settings.
Email is one of the primary services running on the Internet. So, what application, protocol, and services are required for email? The email server stores email messages in a database. Email uses the store-and-forward method for sending and storing messages. Email clients communicate with the servers running mail services to send and receive email. The client-connected server communicates with other mail servers to transport messages from one domain to another.
When sending an email, the client does not communicate directly with another email client. However, both mail clients rely on the mail server to transport messages. The Email process uses three types of protocols: Simple Mail Transfer Protocol (SMTP), Post Office Protocol (POP), and Internet Messaging Access Protocol (IMAP). The application layer process sends mail using SMTP, but a client retrieves email using POP or IMAP.
Simple Mail Transfer Protocol (SMTP) Operation
The SMTP message format requires a message body with a message header. The body of the message can hold any amount of text; the message header must have a properly formatted recipient email address and a sender address.
When a client sends an email message, the client SMTP process connects with a server SMTP process on port 25. When the client and server set up a connection, the client tries to send the email message to the server. After the server receives the email message, it either places the message in a local account in case of the local recipient or forwards the message to another mail server for delivery.
If the destination email server is busy or not online, then the SMTP spool message will be sent later. The server periodically checks the queue and attempts to send messages again. If the message remains in the queue after its expiration time, it is returned to the sender as undeliverable.
As shown in the figure, the client sends an email to admin@networkustad.com, which SMTP server-1 processes and forwards to SMTP server-2 if needed. The client sends an email to admin@networkustad.com,” aligning with the site’s domain for consistency. The SMTP server-1 receives the message and, if the recipient is not local, forwards it to SMTP server-2. POP server-1 handles retrieval for local accounts. Server-1 will check the recipient’s list of local recipients. If found, the message will be placed on the local account. The message will be forwarded to the SMTP / POP server-2 if not found.
Post Office Protocol (POP) Operation
The POP server passively listens on TCP port 110 for client connection requests. When a client needs to use the POP service, it requests to start a TCP connection with the server. On establishing a connection, the POP server welcomes the client.
When the client and POP server set up a connection, both exchange commands and responses until the connection terminates. With POP, when clients download email messages, the server removes these messages.
The POP server has a temporary holding area for mail until it is downloaded to the clients. Because there is no central place for email message storage, it is not an attractive choice for a small business that needs centralized storage for backup.
Internet Messaging Access Protocol (IMAP) Operation
The Internet Message Access Protocol (commonly known as IMAP) is another protocol that describes a technique for retrieving email messages from a remote mail server. An IMAP server usually listens on port 143, and IMAP over SSL is assigned port number 993. Unlike POP, when the user connects to an IMAP server, mail copies are downloaded to the client application.
The original messages are reserved on the server until the user explicitly deletes them. Users view copies of the messages in their email client software.
The server stores Incoming email messages in the recipient’s email box. The user retrieves the messages with an email client that uses one of several email retrieval protocols. Most clients support the standard protocols, such as SMTP for sending an e-mail message and POP and IMAP for retrieving email.
The IMAP client can create a file hierarchy on the server to organize and store emails. When a user wants to delete a message, the server synchronizes that command and deletes the message from the mail server.
Differences Between POP, SMTP, and IMAP
The following table summarizes the key differences between POP, SMTP, and IMAP regarding their functions, port numbers, security, email storage, syncing capabilities, offline access, message management, server load, everyday use cases, and examples of applications or services that utilize each protocol.
Feature
POP (Post Office Protocol)
SMTP (Simple Mail Transfer Protocol)
IMAP (Internet Message Access Protocol)
Purpose
Retrieve emails from a server
Send emails to a server for delivery
Access emails stored on a server
Port Number
110
25
143 (without SSL/TLS), 993 (with SSL/TLS)
Security
POP may use STARTTLS or POP3S (port 995) with TLS 1.3 for encryption as of 2025
SMTP supports STARTTLS or SMTPS (port 465) with TLS 1.3 for secure transmission
Preferred for accessing emails from multiple devices
Examples
Microsoft Outlook, Apple Mail
Sendmail, Postfix
Gmail, Outlook.com, Mozilla Thunderbird
Conclusion – Email Protocols (SMTP, POP, and IMAP)
In summary, email protocols SMTP, POP, and IMAP form the backbone of modern email communication as of July 2025, each serving distinct yet complementary roles. SMTP ensures reliable message delivery with secure enhancements like TLS 1.3, while POP offers simple retrieval for single-device users, and IMAP provides advanced synchronization for multi-device access. Understanding these protocols empowers users to optimize their email experience, balancing security, storage, and accessibility. Dive deeper into these technologies on networkustad.com to enhance your networking and email management skills effectively.
SMTP (Simple Mail Transfer Protocol) is used to send email messages from a client to a server and forward them to the destination server on port 25. It establishes a connection, transmits the message with a header and body, and queues it for retry if the recipient server is unavailable, ensuring delivery.
POP (Post Office Protocol) downloads emails from the server to the client on port 110 and typically deletes them, suitable for offline access on one device. IMAP (Internet Message Access Protocol) on port 143 syncs emails across devices, keeping originals on the server until manually deleted.
If the destination server is busy or offline, SMTP places the message in a queue and retries periodically. If the message exceeds its expiration time, it is returned to the sender as undeliverable, maintaining efficient mail flow.
IMAP allows simultaneous access and synchronization of emails across multiple devices by keeping messages on the server, accessible via port 143 or 993 with SSL. This ensures users see the same email state everywhere, unlike POP’s single-device focus.
HTTP is an abbreviation for HyperText Transfer Protocol, whereas HTML stands for HyperText Markup Language. Learn About HTTP and HTML are the application-layer protocol that governs data exchange between web servers and clients, while HTML is the markup language used to structure and present content on web pages. HTTP facilitates transmission, whereas HTML defines the content’s format.
When a user enters a URL (e.g., https://networkustad.com/) into a browser, it resolves the domain name to an IP address via a DNS server. The browser then initiates an HTTP or HTTPS connection to the web server, sending a request based on the URL scheme (HTTP for unsecured, HTTPS for secure).
HTTP is a foundational protocol of the World Wide Web, defining how messages are formatted, transmitted, and processed. It specifies client-server interactions, including request methods (e.g., GET, POST, PUT, DELETE), though it has been largely superseded by HTTPS with TLS 1.3 encryption for secure communications as of 2025.
A URL (Uniform Resource Locator) is a specific type of URI (Uniform Resource Identifier) that provides a web address with a protocol, domain, and path (e.g., https://networkustad.com/home). While a URI identifies a resource, a URL specifies its location and access method. When entered, the browser resolves the domain (e.g., networkustad.com) to an IP address via DNS.
Protocol: HTTP
Server Name: networkustad-a2bb2f.ingress-alpha.ewp.live
Requested Filename: home
As illustrated in the figure, when entering the URL https://networkustad.com/ in the browser, it checks with a name server to convert networkustad.com into a numeric IP address. The browser then issues a GET request to the HTTP server for the resource /home.html. The server processes this request, retrieves the corresponding HTML file, and transmits it back to the browser, which renders it for display using HTML5 features.
HTTP operates as a request/response protocol. When a client sends a request to a web server, HTTP specifies the message type. Common methods include:
DELETE: Removes resources (supported in modern implementations).
HTTP is a powerful protocol, but it lacks security, as it transmits data in plain text, making it vulnerable to interception. HTTPS, utilizing TLS 1.3 encryption (superseding the older SSL standard by 2025), secures data by encrypting requests and responses, authenticating servers, and ensuring data integrity, establishing it as the standard for secure web communication.
HTTPS follows the same client-request, server-response process as HTTP, but the data transmitted between client and server is encrypted with TLS 1.3. This ensures protection against unauthorized access, a critical advancement over HTTP’s unsecured nature.
Conclusion – HTTP and HTML
Understanding the interplay between HTTP and HTML, including their secure counterpart HTTPS is fundamental to grasping how the modern World Wide Web operates as of July 2025. HTTP facilitates efficient data exchange but lacks security, making HTTPS with TLS 1.3 encryption the preferred standard for safe online communication. HTML, enhanced by HTML5, remains the backbone for structuring and displaying dynamic web content. Explore these protocols further on networkustad.com to unlock deeper insights into building and securing robust network applications.
HTTP (HyperText Transfer Protocol) is the protocol that enables data exchange between web servers and clients, while HTML (HyperText Markup Language) is the markup language that structures and displays web content. HTTP handles transmission, whereas HTML defines the format of the pages rendered in a browser.
When a user enters a URL (e.g., https://networkustad.com/), the browser queries a DNS server to convert the domain name into a numeric IP address. It then initiates an HTTP or HTTPS connection to the server using this address to request the desired resource.
HTTPS, enhanced with TLS 1.3 encryption, has replaced HTTP due to its ability to secure data by encrypting requests and responses, authenticating servers, and ensuring integrity. HTTP’s plain-text transmission is vulnerable to interception, making HTTPS the safer choice for modern web communication.
Common HTTP methods include GET (retrieves data like webpages), POST (submits data such as forms), PUT (updates resources like files), and DELETE (removes resources). These methods facilitate various client-server interactions in web applications.
HTML5 extends HTML with support for multimedia, interactive features, and improved semantics, making it the backbone for dynamic web content as of 2025. It enhances user experience by enabling video, audio, and advanced layouts without additional plugins.
Client-server and Peer-to-Peer terms are often used in computer networks. Both are network models that we use in our day-to-day lives. The Client-Server model focuses on information sharing, whereas the Peer-to-Peer network model focuses on connectivity to remote computers. The detailed explanation of both models is the following:-
Client-Server Network Model
In the client-server model, the requesting device is a client, and the responding device is a server. Processes operate at the application layer, with the client initiating a connection that the server accepts or rejects using a specific protocol.
The application layer protocols explain the data exchange format between clients and servers. The data exchange between the server and client may also require user authentication and the identification of a data file to be transferred.
The email server is one of the best examples of the client-server model, which sends, receives, and stores email. A client at a remote location requests that the email server read any mail. The server then replies by sending the requested email to the client. The data stream from the client to the server is called upload, and the data stream from the server to the client is called download. The figure below illustrates the email client-server Model.
Other examples of servers are web servers, FTP servers, TFTP servers, and Online multiplayer gaming servers. Each of these servers provides resources to the client. Most servers have a one-to-many relationship with clients, meaning a single server can provide resources to multiple clients simultaneously.
Practical Example
Test an email server on Windows with telnet smtp.example.com 25 or Linux with nc smtp.example.com 25, verifying connection with netstat -a, as of 2025.
Peer-to-Peer Network Model
Like the Client-Server Model, the peer-to-peer network model has no dedicated server; the data is directly accessed from a peer device without a server. The P2P network model has the parts of P2P networks and P2P applications. Both have the same features but are slightly different in practice.
In this model, two or more hosts are connected using a network and can share resources such as printers and files without having a dedicated server. Each connected end device is known as a peer. The peer can work both as a server and a client. A host may act as a server for one transaction while serving as a client for another, with roles dynamically assigned per request in the P2P model.
Security Considerations
P2P networks risk data exposure; secure with firewalls (e.g., netsh advfirewall add rule name=”Block P2P” dir=in protocol=TCPlocalport=6881-6889 on Windows or sudo ufw deny 6881:6889/tcp on Linux) to limit BitTorrent, critical for 2025 networks as of 08:15 PM PKT, July 03, 2025.
Peer-to-Peer(P2P) Applications
Due to P2P application devices in this model acting as clients and servers within the same communication, every client is a server, and every server is a client. The P2P applications need each end device to provide a user interface and run background P2P services.
The hybrid system uses many P2P applications and has decentralized resource sharing. The index database is stored in the centralized directory server. The index is the address of the resource location. Each peer gets access to the index server to get the location of a resource on another peer.
Common Peer-to-Peer (P2P) Applications
Every computer in the network running the P2P application can act as a client and server for other computers running the P2P application. Common P2P networks are the following:
The Gnutella protocol is also used in some P2P applications, where each user shares entire files with all other users. Many Gnutella client applications, as well as gtk-Gnutella, Wireshark, Shareaza, and Bearshare, are available.
Many P2P applications permit users to share pieces of many files simultaneously. Clients of this application use a small file called a torrent file to locate other users who have pieces that they need so that they can connect directly to them. This torrent also contains information about tracker computers that track which users’ computers have what files. The torrent clients simultaneously inquire for pieces from multiple users, recognized as a swarm. This is a BitTorrent technology. Many BitTorrent clients exist: BitTorrent, uTorrent, Frostwire, and BitTorrent.
Sharing any type of file between users with the help of this P2P software, more files are copyrighted. Usage and distribution of these files without permission from the copyright holder is against the law. Copyright violation is an offense that results in criminal charges and civil lawsuits.
Troubleshooting Tips
If a server fails, use ping server_ip (Windows/Linux) or tracert server_ip (Windows)/traceroute server_ip (Linux).
For P2P connectivity issues, check with netstat -a (Windows) or ss -l (Linux), applicable as of 2025.
This guide applies to Windows (e.g., 10/11) and Linux (e.g., Ubuntu 22.04). Configure application layer services via Command Prompt (cmd) on Windows or terminal (Ctrl + Alt + T) on Linux, as of 2025. It is the topmost OSI Model layer, consolidating the OSI’s application, presentation, and session layers into the TCP/IP model’s single application layer. It facilitates human and software access to networks, acting as the source and destination for data communications.
Its applications, services, and protocols enable effective human-network interaction. Applications (e.g., browsers) initiate data transfers, while services (e.g., DNS) bridge to lower layers. Protocols provide rules ensuring devices communicate across networks, with clients requesting data delivery from servers, critical for 2025 CCNA/CCNP studies.
The application layer applications, services, and protocols enable humans to interact with the data network in a way that is useful. The applications are computer software programs with which the user interacts and starts the data transfer process at their request. The services are programs that run in the background and form the link between the application layer and the lower layers.
The Protocols give a structure of rules that make sure services running on a particular device, and can send and receive data from a range of different network devices. The client should request from the server the delivery of data packets over the network. In P2P networks, the roles of client and server dynamically shift based on the source and destination devices, with application layer services exchanging data per protocol specifications.
TCP/IP Application Layer Protocols
The end devices usually require application layer protocols. For example, the end devices receive web pages using the HTTP (hypertext transfer protocol) application, which is one of the widely used application protocols.
HTTP is the base for the World Wide Web. When a browser requests a web page, the protocol sends the name of the required page to the server. The server then sends the requested page to a client. For example, the server’s SMTP (simple mail transfer protocol), IMAP(internet messaging access protocol), and POP (post office protocol) keep sending and receiving email. SMB(server message block), FTP (file transfer protocol), and TFTP(trivial file transfer protocol) allow clients to share files.
P2P applications make it easier to share media in a distributed fashion. DNS (domain name system) resolves the IP address and name for better human understanding. Clouds are remote locations that host applications and store data so that end-users do not need as many local resources, and the users can effortlessly access content from a different place.
The TCP/IP application protocols show the format and control information required for many general Internet communication functions. Both source and destination devices use the application layer protocols during a communication session. The application layer also enables hosts to work and play over the Internet. The figure below illustrates the application layer for both the OSI and TCP/IP models.
Practical Example
Test HTTP on Windows with curl https://networkustad.com or Linux with wget https://networkustad.com Verifying DNS resolution with nslookup example.com, as of 2025.
Security Considerations
Secure application layer protocols with HTTPS (e.g., openssl s_client -connect example.com:443 on Linux) or Windows Firewall rules (netsh advfirewall firewall add rule name=”Allow HTTP” dir=in protocol=TCP localport=80), critical for 2025 networks.
Troubleshooting Tips
If HTTP fails, check with ping networkustad.com (Windows/Linux) or tracert (Windows)/traceroute (Linux).
For DNS issues, use nslookup -debug (Windows) or dig (Linux) to diagnose, as applicable.
Conclusion
It is the top OSI and unified TCP/IP layer, enabling human and software network interactions in 2025. It supports protocols like HTTP, DNS, and SMTP for web, email, and file sharing, enhanced by P2P and cloud services. Use netstat -a (Windows) or ss -l (Linux) to configure and monitor, with HTTPS and sysctl -w net.core.somaxconn=4096 (Linux) for security and performance. For CCNA/CCNP learners, mastering these is vital for network management as of July 2025.
It is the topmost layer of the OSI model, enabling user interaction with network services. It uses protocols like HTTP, FTP, and SMTP to facilitate communication.
The main protocols include HTTP for web browsing, FTP for file transfer, and SMTP for email. These protocols allow diverse applications to function over the network.
The application layer provides interfaces like web browsers or email clients, allowing users to send and receive data. It translates user requests into network-compatible formats.
The application layer is crucial as it directly serves end-user applications. It ensures seamless communication by managing protocols and data presentation.
The application layer relies on lower layers (transport, network, etc.) for data transmission. It cannot function independently but defines how data is presented to users.
The User Datagram Protocol (UDP) is a lightweight communication protocol optimized for low-latency, loss-tolerant data transmission, ideal for Internet applications. Paired with IP (UDP/IP), it sends datagrams—small data packets—alongside TCP, serving CCNA/CCNP learners in 2025 network design.
User Datagram Protocol (UDP) Low Overhead vs Reliability
UDP provides basic transport layer functions with lower bandwidth overhead and latency than TCP. As a connectionless protocol, it lacks retransmission, flow control, and sequencing for lost or out-of-order packets, making it less reliable than TCP. However, this doesn’t imply UDP applications are inherently unreliable; these features must be handled at the application layer if needed.
UDP’s low overhead makes it ideal for latency-sensitive applications like gaming, VoIP, and video streaming, tolerating data loss with minimal quality impact. As a connectionless protocol, it skips handshakes, starting data transmission instantly. Monitor with netstat -u (Windows) or ss -u (Linux).
UDP Datagram reassembly
UDP datagrams may arrive out of order due to varied routes, lacking sequence numbers, or reordering mechanisms unlike TCP. Applications must handle reassembly and sequencing if order is critical.
Test UDP reassembly with a streaming app: On Windows, use netstat -u -a to check port 5004 (RTP); on Linux, use ss -u -l -p to verify, ensuring application-level reordering.
UDP Server Processes and Requests
UDP server applications use well-known or registered port numbers (e.g., 53 for DNS). On Windows, configure with netsh advfirewall firewall add rule name=”Allow UDP 53″ dir=in protocol=UDP localport=53; on Linux, use sudo ufw allow 53/udp. UDP forwards datagrams to the matching application based on port numbers, verifiable with ss -u -l as of 2025.
UDP Client Processes
The UDP client initiates communication by selecting a random source port (e.g., 49152-65535) and targeting a server’s well-known port (e.g., 123 for NTP). On Windows, test with nslookup -vc or Linux with nc -u 192.168.1.1 123. The port pair is embedded in datagram headers for bidirectional use, monitorable with netstat -u as of 2025.
Security Considerations
UDP’s lack of authentication makes it vulnerable to spoofing. Use firewalls (e.g., netsh advfirewall add rule name=”Block UDP 123″ dir=in protocol=UDP localport=123 on Windows or sudo ufw deny 123/udp on Linux) to secure NTP ports, critical for 2025.
Troubleshooting Tips
If datagrams are dropped, check with ping -n (Windows) or ping -c (Linux) for network issues.
For port conflicts, use netstat -u -a (Windows) or ss -u -l (Linux) and reassign ports.
Performance Optimization
Enhance UDP throughput on Linux with sysctl -w net.core.rmem_max=8388608 or Windows with netsh int tcp set global rss=enabled, boosting 2025 real-time apps as of 2025.
Use Cases
UDP excels in DNS (port 53), SNMP (port 161), and multicast streaming. Configure DNS on Linux with named or Windows with dnscmd, optimizing for 2025 network demands as of 2025.
Conclusion
In conclusion, the User Datagram Protocol (UDP) stands out as a vital, lightweight protocol for low-latency, loss-tolerant applications, making it indispensable for 2025 network environments like gaming, VoIP, and DNS. Its connectionless nature minimizes overhead but requires application-level management of reassembly and sequencing, unlike TCP.
By leveraging well-known ports and OS tools—such as netstat -u on Windows or ss -u on Linux—network administrators can effectively configure and monitor UDP traffic. Security measures, including firewall rules (e.g., ufw deny 123/udp on Linux), and performance optimizations (e.g., sysctl -w net.core.rmem_max=8388608 on Linux) further enhance its utility. For CCNA/CCNP learners, mastering UDP’s strengths and limitations, alongside practical troubleshooting, ensures robust network design and management as of 2025.
UDP is a connectionless protocol that enables fast data transmission between devices. It sends datagrams without establishing a connection, making it suitable for applications like streaming.
Unlike TCP, UDP does not guarantee delivery or order of packets and lacks flow control. It prioritizes speed over reliability, ideal for time-sensitive data like video streaming.
Transmission Control Protocol (TCP) accepts data, segments it into chunks with headers, and encapsulates these into IP datagrams for peer exchange. TCP Reliability and Flow Control ensure complete, ordered delivery on Windows or Linux, critical for 2025 networks as of July 2025.
TCP Reliability
The TCP segments will possibly arrive at their destination out of order. For understanding, the original message to the receiver, the data in these out-of-order segments is reassembled in the correct order. Each segment’s header has been assigned a sequence number to achieve this goal. The sequence number represents the first data byte of the TCP segment.
During the established session, the first sequence number (ISN) is set. This ISN represents the opening value of the bytes for this session, which is transmitted to the receiving side application. When data is transmitted during the established session. The sequence number is increasing by the number of transmitted bytes. This data byte tracking enables every segment to individually find and acknowledge.
The missing segments can be identified and also reported. The ISN is effectively a random number. This is to avoid certain types of malicious attacks. For simplicity, we will use an ISN of 1 for the examples. Sequence numbers also show how to reassemble and reorder received segments, as shown in the figure.
The receiving TCP process places the data from a segment into a receiving buffer. Segments are in the proper sequence order and passed to the application layer when reassembled. The wrong order sequence number remains held for later processing. If, when the segments with the missing bytes reach the destination, these segments are processed in proper order.
TCP Flow Control
TCP also guarantees a reliable communication channel over an unreliable network. When someone sends data to another host, the host can receive the packets out of order; the host can lose the packets or the network can be congested, or the receiver node can be overloaded. When we are sending some application data, we usually don’t need to deal with this complexity; we just write data to a socket, and TCP flow control makes sure the packets are delivered correctly to the receiver node. The TCP flow control is a service of TCP.
Window Size and Acknowledgment
TCP flow control also checks the quantity of data that the destination host can receive and process reliably. It is the service that maintains the reliability of TCP transmission by adjusting the rate of data flow between the source host and destination host for an established session. To achieve this, the TCP header includes a 16-bit field called the window size.
The figure below illustrates an example of window size and its acknowledgements, which is the process of flow control. The window size is the number of bytes that the destination device of a TCP session can accept and process a single time. In this example, the host-B’s initial window size for the TCP session is 1,500 bytes.
Starting with the first byte, byte number 1, the final byte host-A can send without receiving acknowledgements is byte 1,500. This is host-A’s sending window. The window size is also included in every TCP segment, so the receiver can adjust the window size at any time depending on buffer availability.
The figure illustrates that the source is transmitting 1,500 bytes of data within each TCP segment. This is called MSS (Maximum Segment Size). The primary window size is settled upon when the TCP session is established, during the three-way handshake. The source host must bound the number of bytes sent to the destination host based on the destination’s window size.
Only after the source host receives an acknowledgement of receiving all the bytes at the destination host can it continue sending more data for the session. Usually, the destination host will not wait for all receiving bytes for its window size before replying with an acknowledgement. When the destination bytes are received and processed, the destination host will send acknowledgements to inform the source host that it can continue to send additional bytes.
Usually, the server will wait until it receives all 4,500 bytes before sending an acknowledgement. This means the host can correct its send window as it receives acknowledgements from the server. As shown in the figure, when host-A receives an acknowledgement with the acknowledgement number 3,001, it sends a window with an increment of another 4,500 bytes (the size of host-B’s current window size) to 7,500. host-A can now continue to send up to another 4,500 bytes to host B as long as it does not send past its new send window at 7,500.
The process of the destination host sending acknowledgements as it processes bytes received and continually adjusting the source’s send window is known as sliding windows. If the availability of the destination’s buffer space decreases, it may reduce its window size to inform the source to reduce the number of bytes it should send without receiving an acknowledgement. The window size determines the number of bytes that can be sent before expecting an acknowledgement. The next expected byte is a call for an acknowledgement number.
Congestion Avoidance
When congestion occurs on a network, it results in packets being discarded due to overload on the router. When packets containing TCP segments don’t reach their destination, they leave the packet without acknowledgement. By determining the rate at which TCP segments are sent but not acknowledged, the source host can estimate a certain level of network congestion.
One of the main principles of congestion control is avoidance. TCP tries to sense symbols of congestion earlier than it happen and to reduce or increase the load into the network accordingly. The option of waiting for congestion and then reacting is not as good because once a network saturates, it does so at an exponential growth rate and decreases the whole throughput enormously.
It takes a long time for the queues to consume, and then all senders host again and repeat this phase. By taking a practical congestion avoidance approach, the pipe is kept as full as possible without the threat of network saturation. The key is for the sender host to recognize the state of the network and client and to control the amount of traffic injected into the system.
Whenever there is congestion, retransmission of lost segments from the source will take place. If the retransmission is not controlled properly, the extra retransmission of the TCP segments can make the congestion even worse. Not only are new packets with TCP segments introduced into the network, but the feedback effect of the retransmitted TCP segments lost will also add to the congestion. To avoid and control congestion, TCP employs several congestion management mechanisms, timers, and algorithms.
If the source host did not receive an acknowledgement, or the acknowledgement was not received timely. Then it can reduce the number of bytes it sends before receiving an acknowledgement. Note that it is the source host that is decreasing the number of unacknowledged bytes it sends and not the window size determined by the destination. The figure above illustrates the TCP congestion control. The acknowledgement number is for the next expected byte, not for the segment.
Practical Example
Check sequence numbers on Windows with netstat -an or Linux with ss -i, e.g., a segment with sequence 1001-1500 arriving out of order can be reordered using buffer analysis.
Congestion Control Algorithms
TCP uses algorithms like Slow Start, Congestion Avoidance, Fast Retransmit, and Fast Recovery. On Linux, tune with sysctl -w net.ipv4.tcp_congestion_control=cubic (default in 2025).
Troubleshooting Tips
If segments are lost, use ping -t (Windows) or ping -f (Linux) to check network issues.
For buffer overflow, adjust window size with netsh int tcp set global autotuninglevel=restricted (Windows) or sysctl -w net.core.rmem_max=8388608 (Linux) as of 2025.
Conclusion
In summary, the Transmission Control Protocol (TCP) plays a pivotal role in ensuring reliable, ordered, and efficient data delivery across modern networks, a critical aspect for 2025’s growing IoT and enterprise environments. Through segmentation, sequence numbers, and the Initial Sequence Number (ISN), TCP reliability guarantees that out-of-order or lost segments are reassembled and retransmitted, verifiable on Windows with netstat -s or Linux with ss -i.
Flow control, facilitated by the sliding window mechanism and adjustable window sizes, prevents receiver overload, manageable via sysctl (Linux) or netsh (Windows) tuning. Congestion avoidance further optimizes performance by preemptively adjusting data rates, leveraging algorithms like Slow Start and Fast Retransmit, tunable with net.ipv4.tcp_congestion_control (Linux) or congestionprovider (Windows) as of 2025. By mastering these TCP features and applying OS-specific tools, network administrators can enhance server performance, troubleshoot effectively, and secure data transmission in today’s dynamic network landscapes.
TCP reliability ensures data is delivered accurately by segmenting it into packets, detecting losses, and retransmitting if needed. It uses acknowledgments and sequence numbers to maintain order and integrity.
TCP receives segments that may arrive out of order due to different routes and reorders them correctly. It uses sequence numbers to reconstruct the original data sequence at the destination.
Flow control in TCP prevents the sender from overwhelming the receiver by regulating data transmission rate. It uses a sliding window mechanism to manage the amount of data sent.
Data segmentation breaks large data into smaller segments for transmission, improving efficiency and reliability. It allows TCP to manage packet loss and reordering effectively across networks.
TCP ensures efficiency by segmenting data, reordering out-of-sequence packets, and controlling flow. This process minimizes data loss and optimizes transmission between Host and Server.
The TCP 3-way handshake is also known as the TCP handshake. It contains three message handshakes or SYN, SYN-ACK, and ACK. It is the method for TCP/IP connection over an IP-based network. TCP’s 3-way handshaking is often called the SYN, SYN-ACK, ACK technique because there are three messages transmitted by TCP to negotiate and start a TCP session between two hosts.
Hosts on the network read all data segments within a session and exchange information about what data is received using the information in the TCP header. TCP is a full-duplex protocol, where each logical connection represents two one-way communication streams or sessions. To set up the connection, the hosts do a TCP 3-way handshake. Control bits in the TCP header show the progress and status of the connection.
The TCP handshake method is designed for hosts attempting to communicate and can negotiate the limits of the TCP socket connection before transmitting data. This is the 3-way handshake process, also designed for both ends can start and negotiate separate TCP socket connections at the same time.
It is being able to negotiate multiple TCP socket connections in both directions at the same time allows a single physical network interface, such as Ethernet, to be multiplexed to transfer multiple streams of TCP data simultaneously. The figure below illustrates the TCP 3-way handshake.
The steps of the TCP 3-way handshake are as follows:-
The host sends a TCP SYNchronize packet to the server
The server receives Host’s SYN
The server sends a SYNchronize-ACKnowledgement to the host
The host receives the server’s SYN-ACK
The host sends ACKnowledge to the servers
The server receives ACK.
Both are sending data.
When data sending is complete then the sessions are going to close because of finishing sending data. The connection and session mechanisms also enable TCP’s reliability. For termination of the connection, another 3-way communication is going to be performed and the TCP socket.
This setup and teardown of a TCP socket connection is part of what qualifies TCP as a reliable protocol. TCP also acknowledges successful data receiving and guarantees the data is reassembled in the correct order.
The TCP 3-way handshake is a method to establish a reliable connection between a Host and Server. It involves three steps: SYN, SYN ACK, and ACK, ensuring both sides are ready for data transfer.
Sequence numbers, like Seq=x, track the order of data segments. They are exchanged during the handshake to synchronize and ensure reliable data delivery between Host and Server.
The acknowledgment number, like ACK=x+1, confirms receipt of data and indicates the next expected sequence number. It ensures error-free communication during the handshake process.
The 3-way handshake is vital for initializing a connection with synchronized sequence numbers. It prevents data loss and establishes a stable communication channel for data transfer.
After the handshake, the connection is established, and data transfer begins. Binary data is exchanged between Host and Server, with acknowledgment numbers ensuring reliable delivery.
All application processes on the server use unique port numbers. The network administrator can use default ports (e.g., 80 for HTTP, 21 for FTP) or configure custom ports manually, ensuring no conflicts. An active server application requiring an open port on the server means the transport layer accepts and processes segments addressed to that port number. Every client’s incoming request is accepted at the correct socket address, and the application passes the data to the server. So, there are possibilities for open ports simultaneously on the same server, one for each active server application.
TCP Connection Establishment
When two people get together, they often welcome each other by shaking hands. Establishing a connection in networking is similar to the handshaking and welcoming of friends. The host and server, as well as two hosts, set up a TCP connection. The client requests a client-to-server communication session with the server.
When the server receives an ask, it acknowledges the client-to-server communication session and requests a server-to-client communication session. Then, the initiating client acknowledges the server-to-client communication session.
TCP Session Termination
After the connection is established and the job is completed, the network terminates the connection. The FIN control flag must be set in the segment header for connection termination. To end each one-way TCP session, a two-way handshake, with a FIN segment and an Acknowledgment (ACK) segment, is used. So, to end a single TCP conversation, four exchanges are required to end both sessions. The figure below illustrates the session termination process.
1 – When a host sends all data and no more data remains to be sent in the stream, it sends a segment with the FIN flag set to the server.
2 – The Server sends an ACK to acknowledge the receipt of the FIN to finish the session from the host to the server.
3 – The server sends a FIN to the host to finish the server-to-host session.
4 – The host responds with an ACK to acknowledge the FIN from the server.
When segment acknowledgment is received, the session is terminated.
TCP Connection Lifecycle Simulator
TCP Connection Lifecycle Simulator
Host
Server
Step 1: Host → SYN → Server
Step 2: Server → SYN-ACK → Host
Step 3: Host → ACK → Server
SYN
SYN-ACK
ACK
Step 1: Host → FIN → Server
Step 2: Server → ACK → Host
Step 3: Server → FIN → Host
Step 4: Host → ACK → Server
FIN
ACK
FIN
ACK
TCP 3-Way Handshake (Connection Establishment):
SYN: Client sends SYN packet to initiate connection
SYN-ACK: Server responds with SYN-ACK packet
ACK: Client sends ACK packet to complete handshake
After this process, the TCP connection is established and data transfer can begin.
TCP 4-Way Handshake (Connection Termination):
FIN (Host): Host sends FIN to indicate no more data to send
ACK (Server): Server acknowledges the host’s FIN
FIN (Server): Server sends its own FIN when ready to terminate
ACK (Host): Host acknowledges the server’s FIN
After this process, the TCP connection is fully terminated in both directions.
The TCP three-way handshake establishes a connection with three steps: the Host sends a SYN, the Server responds with a SYN ACK, and the Host sends an ACK. This ensures a reliable connection before data transfer begins.
TCP termination uses a four-way handshake: the Host sends a FIN, the Server acknowledges with an ACK and sends its FIN, the Host acknowledges with an ACK. This process gracefully closes the connection.
The three-way handshake is crucial for synchronizing sequence numbers and confirming both Host and Server are ready. It prevents data loss and ensures a stable connection for communication.
During TCP four-way termination, both sides close their send and receive channels separately. The Host initiates with a FIN, the Server responds with an ACK and its FIN, and the Host finalizes with an ACK.
TCP connections are designed for graceful termination, but an abrupt close can occur due to errors or timeouts. This may lead to data loss, unlike the controlled four-way handshake process.
Knowing which active TCP connections are open on a networked host is crucial, especially with the 2025 IoT growth. The netstat command is a vital tool for verifying these connections on Windows (e.g., 10/11) or Linux, addressing security risks from unexplained connections, a key concern as of 2025
This netstat command shows detailed information about individual network connections, overall and protocol-specific networking statistics, all listening ports, incoming and outgoing network connections, and much more, all of which could help troubleshoot certain networking issues.
The netstat command resolves IP addresses to domain names and port numbers to well-known applications by default. We can use a variety of switches with the netstat command.
To apply the netstat command on your computer, open the Command Prompt and execute the netstat command alone to show a comparatively simple list of all active TCP connections. For each one, it will show the local IP address and the foreign IP address, along with their relevant port numbers and the TCP state.
Windows: Open Command Prompt by pressing Win + R, typing cmd, and hitting Enter. Run netstat -an to list connections.
Linux: Open a terminal (Ctrl + Alt + T on Ubuntu) and use netstat -an or ss -tuln if netstat is installed (install with sudo apt install net-tools).
Run as administrator for full access: Right-click Command Prompt and select “Run as administrator” on Windows, or use sudo on Linux (e.g., sudo netstat -an) as of July 2025.
Examples
Windows: netstat -an > C:\logs\netstat_log.txt saves output to a file.
Linux: netstat -tuln | grep 80 filters for port 80, requiring net-tools installation as of July 2025.
Detailed TCP Connection States
ESTABLISHED: Indicates an active data exchange, e.g., a web session on port 80, lasting until closed.
LISTENING: A server (e.g., 192.168.1.100:443) waits for incoming HTTPS requests, typically on well-known ports.
TIME_WAIT: Holds for 2x MSL (Maximum Segment Lifetime, ~240 seconds) to ensure no delayed packets, critical for 2025 reliability.
CLOSE_WAIT: Signals the local host to close after remote shutdown, often due to application errors, detectable with netstat -an.
FIN_WAIT_1/FIN_WAIT_2: Transition states during connection termination, ensuring orderly closure.
Troubleshooting
Windows: If netstat fails, ensure it’s not deprecated (use Get-NetTCPConnection in PowerShell) or reinstall via Windows features.
Linux: If netstat is unavailable, install with sudo apt install net-tools or switch to ss, common in 2025 distributions.
The -a switch shows all active TCP connections and the TCP and UDP ports on which the computer is listening
-b
This switch shows Ethernet statistics, such as the data includes number of bytes and packets sent and received, including unicast packets, non-unicast packets, discards, errors, and unknown protocols since the connection was established.
-e
This switch displays active TCP connections and includes the process ID (PID) for all connections. You can find the application based on the PID on the Processes tab in windows Task Manager. This parameter can be combined with -a, -n, and -p
-f
The switch -f will force the netstat command to show the (FDQN) Fully Qualified Domain Names for each foreign host IP address when possible.
-n
This switch could significantly decrease the time it takes for netstat to fully execute. The switch will also show active TCP connections, but addresses and port numbers are expressed numerically.
-o
This switch displays active TCP connections and includes the process ID (PID) for all connections. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p
-p proto
The -s switch shows statistics per protocol. By default, statistics are shown for the TCP, UDP, ICMP, and IP protocols. If IPv6 is installed, statistics are shown for the TCP over IPv6, UDP over IPv6, ICMPv6, and IPv6 protocols. The -p parameter can be used to specify a set of protocols, but be sure to use -s before -p protocol when using the switches together.
-f
This switch displays the contents of the IP routing table. This is equivalent to the route print command.
-s
An integer used to display results multiple times with a specified number of seconds between displays. Continues until stopped by the command Ctrl+c. The default setting is to display once.
-t
This switch displays the current TCP pipe offload state in place of the type displayed TCP state.
[Interval]
This switch is used to display the details about the netstat command’s several options.
/?
The -p switch shows connections or state only for a particular protocol. You can’t define more than one protocol at once, nor can you execute netstat with -p switch without defining a protocol. Proto may be any of TCP, UDP, TCPv6, or UDPv6. If you use -s with -p to view statistics by protocol, you can use icmp, ip, icmpv6, or ipv6 in addition to the first four I mentioned.
Examples of the netstat command
netstat -f
The example of a netstat with -f switch shows all active TCP connections. But I want to see the computers I’m connected to in Fully Qualified Domain Name format [-f] instead of a simple IP address. Here’s an example of what you might see:
The command displays all active TCP connections at the time of execution. The only protocol (in the Proto column) listed is TCP; if UDP is required, then you can use -a switch with n switch (netstat –an) to reduce the execution time.
The information above is displayed in the result of the command with –an switch including the protocol, the local address and port number, the foreign address and port number, and the connection status. An explanation of the different connection states is given below.
Switch
Description
-a
The -p switch shows connections or states only for a particular protocol. You can’t define more than one protocol at once, nor can you execute netstat with -p switch without defining a protocol. Proto may be any of TCP, UDP, TCPv6, or UDPv6. If you use -s with -p to view statistics by protocol, you can use icmp, ip, icmpv6, or ipv6 in addition to the first four I mentioned.
-b
This switch shows Ethernet statistics, such as the data, including the number of bytes and packets sent and received, including unicast packets, non-unicast packets, discards, errors, and unknown protocols since the connection was established.
-e
The switch -f will force the netstat command to show the (FDQN) Fully Qualified Domain Names for each foreign host IP address when possible.
-f
The -p switch shows connections or states only for a particular protocol. You can’t define more than one protocol at once, nor can you execute netstat with -p switch without defining a protocol. proto may be any of TCP, UDP, TCPv6, or UDPv6. If you use -s with -p to view statistics by protocol, you can use icmp, ip, icmpv6, or ipv6 in addition to the first four I mentioned.
-n
This switch could significantly decrease the time it takes for netstat to fully execute. The switch will also show active TCP connections, but addresses and port numbers are expressed numerically.
-o
The -p switch shows connections or states only for a particular protocol. You can’t define more than one protocol at once, nor can you execute netstat with the -p switch without defining a protocol. Proto may be any of TCP, UDP, TCPv6 or UDPv6. If you use -s with -p to view statistics by protocol, you can use icmp, ip, icmpv6, or ipv6 in addition to the first four I mentioned.
-p proto
The -s switch shows statistics per-protocol. By default, statistics are shown for the TCP, UDP, ICMP, and IP protocols. If IPv6 is installed, statistics are shown for the TCP over IPv6, UDP over IPv6, ICMPv6, and IPv6 protocols. the -p parameter can be used to specify a set of protocols, but be sure to use -s before -p protocol when using the switches together.
-f
This switch displays the contents of the IP routing table. This is equivalent to the route print command.
-s
An integer used to display results multiple times with a specified number of seconds between displays. Continues until stopped by the command Ctrl+c. The default setting is to display once.
-t
This switch displays the current TCP pipe offload state in place of the type displayed TCP state.
[Interval]
This switch is used to display the details about the netstat command’s several options.
/?
This switch is used to display the details about the netstat command’s several option.
Advanced Use Case
Monitor a multi-user VPN with netstat -an | find “1723” to track PPTP connections (e.g., 192.168.1.100:5000 to 115.110.0.150:1723), optimizing 2025 remote access security.
Performance Metrics
Netstat execution with -n reduces latency by ~50ms compared to default FQDN resolution. Use time netstat -an to benchmark, enhancing 2025 network efficiency.
Specific Threat Examples
Port 445 (SMB): Vulnerable to WannaCry; detect with netstat -an | find “445” and block with iptables -A INPUT -p tcp –dport 445 -j DROP.
Port 23 (Telnet): Prone to brute force; monitor with netstat -an | find “23” and disable unless secured.
OS Compatibility Notes
Netstat is native on Windows but may be deprecated in future releases (use PowerShell’s Get-NetTCPConnection). On Linux, ss from iproute2 is preferred, installed via sudo apt install iproute2, ensuring 2025 cross-platform support.
Execution Security
Run netstat with admin privileges to avoid permission errors (e.g., sudo netstat -an on Linux or “Run as administrator” on Windows). Use encrypted logs (e.g., cipher /e on Windows) to protect data.
