Skarp

Chapter 7 of 29

Transport Layer Essentials: TCP, UDP, and Common Port Numbers

Follow packets up the stack to see how TCP and UDP handle reliability, ordering, and multiplexing, and why certain applications choose one over the other.


Big Picture: The Transport Layer in Context

Where the Transport Layer Fits

Ethernet moves frames on a link and IP delivers packets between networks. The transport layer (Layer 4) sits above IP and focuses on reliability, ordering, and multiplexing between applications.

TCP and UDP

The two key Layer 4 protocols for CCNA are TCP and UDP. Both use port numbers to identify which application on a host should receive a given segment, such as HTTP on TCP 80 or HTTPS on TCP 443.

Why It Matters for Troubleshooting

Knowing which apps use TCP vs UDP and which ports they use helps you read packet captures, understand behavior differences between tools, and diagnose firewall or ACL rules that block specific services.

Ports and Sockets: How Multiplexing Works

Why We Need Ports

One host can run many networked apps at once. Ports let TCP/UDP multiplex traffic so a single IP address can host multiple simultaneous conversations for different applications.

Sockets and 4-Tuples

A conversation endpoint is defined by IP + protocol + port. We often describe a flow as `source IP:source port` → `destination IP:destination port`, called a socket pair or 4-tuple.

Port Ranges and an Example

Well-known ports 0–1023 include HTTP 80 and SSH 22. Clients use high ephemeral ports, e.g. `192.0.2.10:53124` connecting to `203.0.113.20:443` for HTTPS.

TCP vs UDP: Reliability, Ordering, and Overhead

TCP: Feature-Rich and Reliable

TCP is connection-oriented, reliable, and preserves ordering. It uses sequence numbers, acknowledgments, flow control, and congestion control, but this adds header and processing overhead.

UDP: Simple and Fast

UDP is connectionless and unreliable at the protocol level. It offers no ordering, flow control, or congestion control, but has low overhead and latency, ideal when apps handle loss themselves.

Choosing TCP or UDP

Use TCP when you must guarantee delivery and order (web, file transfer, SSH). Use UDP when low latency matters more than perfection (DNS, VoIP, streaming, many games).

Inside the TCP Segment: Header Fields That Matter

Ports and Numbers

The TCP header starts with source and destination ports, then sequence and acknowledgment numbers. Ports identify apps; sequence and ACK numbers track which bytes have been sent and received.

Control Flags

TCP flags like SYN, ACK, FIN, and RST control connection setup, acknowledgment, and teardown. For example, SYN starts a connection and FIN requests a graceful close.

Window and Checksum

The window size tells how much more data the receiver can accept (flow control). The checksum helps detect corruption in the TCP header and payload.
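The header fields described above can be decoded directly from the first 20 bytes of a segment. The following is an added example, not part of the original chapter: it parses the fixed TCP header and verifies the checksum, which over IPv4 also covers a pseudo-header of source address, destination address, protocol number, and TCP length. The sample SYN is constructed in code from the addresses and ports used earlier in the chapter; the ISN and window values are assumptions.

```python
import ipaddress
import struct

FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]
TCP_FIXED = "!HHIIHHHH"  # ports, seq, ack, offset+flags, window, checksum, urgent

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte part of a TCP header."""
    if len(segment) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, checksum, _urg = struct.unpack(TCP_FIXED, segment[:20])
    header_len = (off_flags >> 12) * 4  # data offset is counted in 32-bit words
    if not 20 <= header_len <= len(segment):
        raise ValueError("data offset points outside the segment")
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "flags": [name for bit, name in FLAGS if off_flags & bit],
            "window": window, "checksum": checksum, "header_len": header_len}

def sum16(data: bytes) -> int:
    """16-bit one's-complement sum used by the TCP checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    # IPv4 pseudo-header: source, destination, zero byte, protocol 6 (TCP), TCP length
    return (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, 6, tcp_len))

def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """True if the checksum over pseudo-header, TCP header and payload verifies."""
    return sum16(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF

def build_sample_syn(src_ip="192.0.2.10", dst_ip="203.0.113.20") -> bytes:
    """Constructed sample: SYN from port 53124 to 443, ISN 1000, window 64240."""
    fields = [53124, 443, 1000, 0, (5 << 12) | 0x02, 64240, 0, 0]
    unsummed = struct.pack(TCP_FIXED, *fields)
    fields[6] = 0xFFFF - sum16(pseudo_header(src_ip, dst_ip, 20) + unsummed)
    return struct.pack(TCP_FIXED, *fields)

if __name__ == "__main__":
    syn = build_sample_syn()
    print(parse_tcp_header(syn), checksum_ok("192.0.2.10", "203.0.113.20", syn))
```

Flipping any single bit of the segment makes `checksum_ok` return False, which is the corruption detection the checksum field exists for.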

The TCP Three-Way Handshake and Connection Teardown

Step 1: SYN

To start a TCP connection, the client sends a SYN with an initial sequence number (ISN). This says "I want to talk and here is my starting byte number."

Steps 2 and 3: SYN-ACK and ACK

The server responds with SYN-ACK, providing its own ISN and acknowledging the client's SYN. The client then sends an ACK. After these three steps, the TCP session is established.

Graceful Close and RST

Closing usually uses FIN and ACK in both directions (often four segments total). An RST flag aborts a connection immediately when something is wrong, such as no listener on the port.

Walkthrough: HTTP over TCP vs DNS over UDP

HTTP/HTTPS over TCP

For HTTPS, your browser resolves the hostname, then opens a TCP connection from a random high port to server port 443. It uses a three-way handshake, sends HTTP data, then closes with FIN/ACK.

DNS Query over UDP

For a DNS lookup, your host sends a UDP packet from a random high port to server port 53. There is no handshake; the server simply replies back to your source port.

Why Different Protocols?

Web traffic needs reliable, ordered delivery, so it uses TCP. DNS queries are small and can be retried easily, so they typically use UDP to reduce overhead and latency.

Common Port Numbers You Must Know for CCNA

Web and Remote Access Ports

HTTP uses TCP 80 and HTTPS uses TCP 443. SSH, for secure CLI, uses TCP 22. Telnet, an older insecure CLI method, uses TCP 23.

DNS and DHCP Ports

DNS typically uses UDP 53 for queries (TCP 53 for some operations). DHCP uses UDP 67 for the server and UDP 68 for the client to assign IP settings automatically.

More Common Ports and Exam Traps

FTP uses TCP 21 (control) and 20 (data in active mode). Email protocols include SMTP 25, POP3 110, IMAP 143. Watch for questions that swap HTTPS 443 with HTTP 80.

Thought Exercise: Choosing TCP or UDP

Scenarios 1 and 2

1) VoIP: needs low latency, can lose some packets. 2) Banking web app: needs reliability and integrity. Decide whether each should use TCP or UDP before checking the answers.

Scenarios 3 and 4

3) Fast online gaming: needs very low latency, tolerates some loss. 4) File backup: must be 100% accurate. Again, choose TCP or UDP, then compare with the provided reasoning.

Transport Protocols in Troubleshooting: What to Look For

Reading TCP Handshakes

If a client sends SYNs but gets no SYN-ACK, suspect server down, ACLs, or routing issues. A received RST means the host is reachable but the app is not listening on that port.
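The same reasoning can be applied mechanically to a packet capture. The following is an added example, not part of the original chapter: it reads tcpdump-style one-line TCP summaries and gives a verdict for each connection attempt based on what came back for the SYN. The capture text is constructed for illustration using documentation addresses.

```python
import re

# Matches tcpdump's default one-line TCP summary: "IP src.port > dst.port: Flags [..]"
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([A-Z.]+)\]")

# Constructed sample capture (documentation addresses), not taken from a real network.
SAMPLE = """\
10:15:01.000100 IP 192.0.2.10.53124 > 203.0.113.20.443: Flags [S], seq 1000, win 64240, length 0
10:15:01.020300 IP 203.0.113.20.443 > 192.0.2.10.53124: Flags [S.], seq 5000, ack 1001, win 65535, length 0
10:15:01.020400 IP 192.0.2.10.53124 > 203.0.113.20.443: Flags [.], ack 5001, win 64240, length 0
10:15:05.000100 IP 192.0.2.10.53130 > 203.0.113.20.8080: Flags [S], seq 2000, win 64240, length 0
10:15:05.020200 IP 203.0.113.20.8080 > 192.0.2.10.53130: Flags [R.], seq 0, ack 2001, win 0, length 0
10:15:09.000100 IP 192.0.2.10.53140 > 203.0.113.30.22: Flags [S], seq 3000, win 64240, length 0
10:15:10.000100 IP 192.0.2.10.53140 > 203.0.113.30.22: Flags [S], seq 3000, win 64240, length 0
10:15:12.000100 IP 192.0.2.10.53140 > 203.0.113.30.22: Flags [S], seq 3000, win 64240, length 0
"""

def diagnose(capture: str) -> dict:
    """Return {(client, cport, server, sport): verdict} for every SYN seen in the capture."""
    state = {}  # flow -> [syn_count, reply] where reply is None, "SYN-ACK" or "RST"
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue                      # not a TCP summary line
        src, sport, dst, dport, flags = m.groups()
        fwd = (src, int(sport), dst, int(dport))
        rev = (dst, int(dport), src, int(sport))
        if flags == "S":                  # bare SYN: a client opening (or retrying) a connection
            state.setdefault(fwd, [0, None])[0] += 1
        elif rev in state and state[rev][1] is None:
            if flags == "S.":             # SYN-ACK from the server
                state[rev][1] = "SYN-ACK"
            elif "R" in flags:            # RST or RST-ACK from the server
                state[rev][1] = "RST"
    verdicts = {}
    for flow, (syns, reply) in state.items():
        if reply == "SYN-ACK":
            verdicts[flow] = "open: server answered the SYN"
        elif reply == "RST":
            verdicts[flow] = "reset: host reachable, nothing listening on that port"
        else:
            verdicts[flow] = f"no reply to {syns} SYN(s): suspect server down, ACL, or routing"
    return verdicts

if __name__ == "__main__":
    for flow, verdict in diagnose(SAMPLE).items():
        print(flow, "->", verdict)
```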

UDP Troubleshooting

UDP has no handshake, so failures are often silent. DNS timeouts may mean ACLs blocking UDP/53, wrong DNS server IP, or routing problems rather than an app crash.

Ports, IPv4/IPv6, and Exam Clues

TCP and UDP work the same over IPv4 and IPv6. Exam questions often hinge on correct port-protocol pairs, so watch for options that swap ports or assume TCP behavior for UDP.

Key Terms and Port Numbers Review

Use these flashcards to reinforce critical terms and ports for CCNA troubleshooting.

What does the transport layer (Layer 4) provide on top of IP?
It provides end-to-end services such as reliability, ordering, and multiplexing between applications using port numbers, on top of IP's best-effort packet delivery.
Define a socket or connection endpoint in terms of addressing.
A socket is identified by the combination of source IP, source port, destination IP, destination port, and protocol (TCP or UDP).
Which protocol is connection-oriented and reliable: TCP or UDP?
TCP is connection-oriented and reliable, providing ordered delivery, retransmissions, flow control, and congestion control.
Which protocol is connectionless with low overhead: TCP or UDP?
UDP is connectionless and has low overhead, offering no built-in reliability, ordering, flow control, or congestion control.
What is the purpose of the TCP three-way handshake?
To establish a TCP connection by synchronizing sequence numbers and confirming that both endpoints are ready to communicate.
List the three steps of the TCP three-way handshake.
1) Client sends SYN. 2) Server replies with SYN-ACK. 3) Client sends ACK. The connection is then established.
Which port and protocol does HTTPS use by default?
HTTPS uses TCP port 443.
Which port and protocol does HTTP use by default?
HTTP uses TCP port 80.
Which port and protocol does SSH use?
SSH uses TCP port 22.
Which port and protocol does DNS typically use for queries?
DNS typically uses UDP port 53 for standard queries (and TCP 53 for some operations like zone transfers).
Which ports and protocol does DHCP use?
DHCP uses UDP port 67 for the server and UDP port 68 for the client.
What does a TCP RST flag indicate?
A TCP RST indicates that a host is reachable but is resetting the connection, often because no application is listening on that port or the connection is invalid.

Quiz 1: TCP vs UDP Fundamentals

Answer this question to check your understanding of TCP and UDP behavior.

A video streaming application wants to minimize latency and can tolerate occasional packet loss. Which transport protocol is generally more appropriate, and why?

  A) TCP, because it guarantees delivery and ordering, avoiding any loss.
  B) UDP, because it has lower overhead and does not delay playback with retransmissions.
  C) TCP, because it uses a three-way handshake to reduce latency.
  D) UDP, because it automatically retransmits any lost packets.

Answer: B) UDP, because it has lower overhead and does not delay playback with retransmissions.

UDP is more appropriate for latency-sensitive applications that can tolerate some loss, like streaming. Its low overhead and lack of retransmissions avoid delays. TCP's reliability mechanisms (retransmissions, ordering) can increase latency. UDP does not automatically retransmit lost packets; the application must handle loss if needed.

Quiz 2: Port Numbers and Troubleshooting

Test your recall of common ports and how they relate to troubleshooting scenarios.

A user can successfully ping a web server by IP address but cannot load `https://` pages from it. Which is the MOST likely cause?

  A) ICMP is blocked on the path.
  B) TCP port 80 is blocked by an ACL.
  C) TCP port 443 is blocked by an ACL or not listening on the server.
  D) UDP port 443 is blocked by a firewall.

Answer: C) TCP port 443 is blocked by an ACL or not listening on the server.

Ping uses ICMP, which works, so basic IP connectivity is fine. HTTPS uses TCP port 443. If HTTPS fails while ping succeeds, the most likely cause is that TCP 443 is blocked by an ACL/firewall or the server is not listening on that port. TCP 80 relates to HTTP, not HTTPS, and HTTPS does not use UDP 443.

Key Terms

SSH
Secure Shell, an encrypted remote login and management protocol that typically uses TCP port 22.
TCP
Transmission Control Protocol, a connection-oriented, reliable transport protocol that provides ordered delivery, retransmissions, flow control, and congestion control.
UDP
User Datagram Protocol, a connectionless transport protocol with low overhead that does not provide built-in reliability, ordering, flow control, or congestion control.
HTTP
Hypertext Transfer Protocol, an application-layer protocol used for web traffic, typically running over TCP port 80.
HTTPS
HTTP over TLS/SSL, providing encrypted and authenticated web traffic, typically running over TCP port 443.
Socket
A combination of IP address, protocol (TCP or UDP), and port number that identifies one endpoint of a network communication.
Port number
A 16-bit value used by TCP and UDP to identify specific applications or services on a host, enabling multiplexing of multiple conversations over a single IP address.
Window size
A TCP header field used for flow control, advertising how much additional data the receiver is prepared to accept.
Sequence number
A TCP header field that identifies the first byte of data in a segment, used for ordering and reliable delivery.
Three-way handshake
The TCP connection establishment process using SYN, SYN-ACK, and ACK segments to synchronize sequence numbers and confirm both endpoints are ready.
Acknowledgment number
A TCP header field that specifies the next byte the sender of the ACK expects to receive, confirming receipt of all prior bytes.
