
Work Protocol Fundamentals 1

Here are the key points about IPv4 options:
- IPv4 options provide additional services and functionality in the IPv4 packet header, but they are rarely used today.
- Some examples of IPv4 options include security, loose/strict source routing, record route, and timestamp.
- Strict and loose source routing allow specifying the route a packet takes, but modern routing protocols make these unnecessary.
- If IPv4 options are seen in network traffic now, it would be worthwhile to investigate why outdated options are still in use.
In summary, while IPv4 options were meant to extend IPv4 functionality, they saw limited adoption and are no longer commonly used in modern networks. Seeing IPv4 options today would prompt further

Uploaded by

tdyrdy

Network Protocols Review

Part 1

Vincent Ryan
Agenda:

IPv4

TCP

UDP

Networking Models

Typical Frame Layout
(Simplified)

Data

Ports TCP

IP addresses IPv4

MAC addresses Ethernet

IPv4

IPv4 Packet Header

Source: TCPDUMP Cheat Sheet
IPv4 Packet

IPv4 Packet

IPv4 Packet Header
The IPv4 protocol defines many different fields in the packet header. These
fields contain binary values that the IPv4 services reference as they
forward packets across the network.
We will consider these 6 key fields: Source Address, Destination Address,
Time-to-Live (TTL), Type-of-Service (ToS), Protocol, Fragment Offset.

IPv4 Packet Header
IP Destination Address: field contains a 32-bit binary value that represents
the packet destination Network layer host address.
IP Source Address: field contains a 32-bit binary value that represents the
packet source Network layer host address.
Time-to-Live: (TTL) is an 8-bit binary value that indicates the remaining
"life" of the packet. The TTL value is decreased by at least one each time
the packet is processed by a router (that is, each hop). When the value
becomes zero, the router discards or drops the packet and sends an
ICMP message back to the source to indicate that the packet was
dropped.
Protocol: This 8-bit binary value indicates the data payload type that the
packet is carrying. The Protocol field enables the Network layer to pass
the data to the appropriate upper-layer protocol. Example values are:
(01) ICMP, (06) TCP, (17) UDP.
IPv4 Packet Header

Type-of-Service: field contains an 8-bit binary value that is used to
determine the priority of each packet. This value enables a
Quality-of-Service (QoS) mechanism to be applied to high priority
packets, such as those carrying telephony voice data. The router
processing the packets can be configured to decide which packet it
is to forward first based on the Type-of-Service value.

Fragment Offset: When fragmentation occurs, the IPv4 packet uses
the Fragment Offset field and the MF flag in the IP header to
reconstruct the packet when it arrives at the destination host. The
fragment offset field identifies the order in which to place the packet
fragment in the reconstruction.
IPv4 Packet Header
More Fragments (MF) flag: is a single bit in the Flag field used with
the Fragment Offset for the fragmentation and reconstruction of
packets. If the More Fragments flag bit is set, it means that this is not
the last fragment of a packet.

Don't Fragment (DF) flag: is a single bit in the Flag field that
indicates that fragmentation of the packet is not allowed. If the
Don't Fragment flag bit is set, then fragmentation of this packet is
NOT permitted. If a router needs to fragment a packet to allow it to
be passed downward to the Data Link layer, but the DF bit is set to
1, then the router will discard this packet and send an ICMP packet
back to the sender.

IPv4 Packet Header
Version - Contains the IP version number (4)
Header Length (IHL) - Specifies the size of the packet header in words (4-byte or
32 bit quantities).
Packet Length - This field gives the entire packet size, including header and data, in
bytes.
Identification - This field is primarily used for uniquely identifying fragments of an
original IP packet
Header Checksum - The checksum field is used for error checking the packet
header.
Options - There is provision for additional fields in the IPv4 header to provide other
services - these are rarely used but some are significant from a security viewpoint.

IPv4 Packet Header
Ver = 4; IP version.
IHL = 5; size of header in 32 bit words (4 bytes). This header is 5*4 = 20 bytes, the minimum valid size. So this
packet does not use any IP Options.
Total Length = 472; size of packet (header and data) is 472 bytes.
Identification = 111; original packet identifier (required if it is later fragmented).
Flags = 0; DF bit is not on so this packet can be fragmented if required.
Fragment Offset = 0; denotes that this packet is not currently fragmented (there is no offset).
Time to Live = 123; denotes the Layer 3 processing time in seconds before the packet is dropped (decremented by
at least 1 every time a device processes the packet header). In practice this means that it has 123 hops left
before it is discarded.
Protocol = 6; denotes that the data carried by this packet is a TCP segment. For example, if it were carrying a UDP
segment, this value would be 11 (in hex).

IPv4 Options

Some IPv4 Options
End Of Options List
An option containing just a single byte with the value zero, used
to mark the end of a list of options.
No Operation
A “dummy option” used as “internal padding” to align certain
options on a 32-bit boundary when required.
Security
An option provided for the military to indicate the security
classification of IP packets.
Loose Source Route
One of two options for source routing of IP packets. (later)
Strict Source Route
One of two options for source routing of IP packets. (later)
Source: http://www.tcpipguide.com/free/t_IPDatagramOptionsandOptionFormat.htm
Some IPv4 Options
Record Route
This option allows the route used by a packet to be recorded within
the header for the packet itself. If a source device sends a packet
with this option in it, each router that “handles” the packet adds its
IP address to this option. The recipient can then extract the list of
IP addresses to see the route taken by the packet.
Timestamp
This option is similar to the Record Route option. However, instead
of each device that handles the packet inserting its IP address into
the option, it puts in a timestamp, so the recipient can see how long
it took for the packet to travel between routers.
Traceroute
Used in the enhanced implementation of the traceroute utility, as
described in RFC 1393.

Source: http://www.tcpipguide.com/free/t_IPDatagramOptionsandOptionFormat.htm
Strict vs Loose Source Routing
Normally, IP packets are routed without any specific instructions from
devices regarding the path a packet should take from the source to the
destination. It's the job of routers, using routing protocols, to figure out
those details. In some cases, however, it may be advantageous to have
the source of a packet specify the route a packet takes through the
network. This is called source routing.
There are two IP options that support source routing. In each, the option
includes a list of IP addresses specifying the routers that must be used, to
reach the destination.
When strict source routing is used, this means that the path specified in
the option must be used exactly, in sequence, with no other routers
permitted to handle the packet at all.
In contrast, loose source routing specifies a list of IP addresses that
must be followed in sequence, but having intervening hops in between the
devices on the list is allowed.
See RFC 791.
Source: http://www.tcpipguide.com/free/t_IPDatagramOptionsandOptionFormat.htm
IPv4 Options


IPv4 Options are not used in real-world
networking nowadays.

If you come across any, ask where they are
coming from and why they are being used.
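
One way to spot IPv4 options in captured traffic, as an added example that is not part of the original slides: it parses the header fields covered above, walks any option bytes when IHL is greater than 5, and estimates the hop count from the initial TTL values listed on the TTL slide. The sample headers and all addresses are constructed; the first one reuses the worked example's values (Total Length 472, ID 111, TTL 123, Protocol 6).

```python
import ipaddress
import struct

# Option type numbers from RFC 791 (Traceroute: RFC 1393).
OPTION_NAMES = {
    0: "End of Options List", 1: "No Operation", 7: "Record Route",
    68: "Timestamp", 82: "Traceroute", 130: "Security",
    131: "Loose Source Route", 137: "Strict Source Route",
}
HAS_ADDRESS_LIST = {7, 131, 137}    # pointer byte + list of 4-byte addresses
HEADER_FMT = "!BBHHHBBH4s4s"        # the fixed 20-byte IPv4 header


def parse_options(raw: bytes) -> list:
    """Walk the option bytes that follow the fixed 20-byte header."""
    found, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:               # End of Options List: the rest is padding
            break
        if kind == 1:               # No Operation: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed option length")
        length = raw[i + 1]
        body = raw[i + 2:i + length]
        entry = {"type": kind, "name": OPTION_NAMES.get(kind, "unknown")}
        if kind in HAS_ADDRESS_LIST:
            entry["addresses"] = [str(ipaddress.IPv4Address(body[j:j + 4]))
                                  for j in range(1, len(body) - 3, 4)]
        found.append(entry)
        i += length
    return found


def parse_header(packet: bytes) -> dict:
    if len(packet) < 20:
        raise ValueError("shorter than the minimum IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack(HEADER_FMT, packet[:20])
    ihl = ver_ihl & 0x0F
    if ver_ihl >> 4 != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("not a valid IPv4 header")
    options = parse_options(packet[20:ihl * 4])
    # Smallest common initial TTL (64, 128, 255) not below the observed one.
    initial = next(t for t in (64, 128, 255) if t >= ttl)
    return {
        "header_bytes": ihl * 4, "total_length": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "hops_estimate": initial - ttl, "protocol": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "options": options,
        # Anything other than padding deserves the "why is this here?" question.
        "investigate": [o["name"] for o in options if o["type"] not in (0, 1)],
    }


def build_header(ttl: int, options: bytes = b"") -> bytes:
    """Constructed sample header; checksum is left at 0 and not verified here."""
    options += b"\x00" * (-len(options) % 4)        # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack(HEADER_FMT, (4 << 4) | ihl, 0, 472, 111, 0, ttl, 6, 0,
                       ipaddress.IPv4Address("192.0.2.10").packed,
                       ipaddress.IPv4Address("198.51.100.20").packed) + options


PLAIN = build_header(ttl=123)
# Loose Source Route: type 131, length 11, pointer 4, two constructed hops.
LSRR = (bytes([131, 11, 4]) + ipaddress.IPv4Address("203.0.113.1").packed
        + ipaddress.IPv4Address("203.0.113.2").packed)
WITH_LSRR = build_header(ttl=60, options=LSRR)

if __name__ == "__main__":
    for label, pkt in (("plain", PLAIN), ("with LSRR", WITH_LSRR)):
        info = parse_header(pkt)
        print(label, info["header_bytes"], info["hops_estimate"], info["investigate"])
```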

MTU

MTU
Each IP device is set with a Maximum Transmission Unit (MTU).

If an IP layer receives a packet whose total length is greater than the
MTU, the IP layer will, if allowed, fragment the message into multiple IP
fragments.

So, if a host is connected using an Ethernet LAN to its local network, it
may use an MTU of 1,500 for IP packets, and will, if possible, fragment
anything larger.

Source: http://www.tcpipguide.com/free/t_IPDatagramOptionsandOptionFormat.htm
TTL

Time To Live TTL
Used in case a packet is in the network too long, and helps guard
against routing loops
When a packet is sent, the sending host sets the TTL value
The initial TTL depends on the OS of the host (Linux: 64,
Windows: 128, Solaris: 255)
Each router that receives the packet subtracts 1 from the TTL
If the TTL remains greater than 0, the router forwards the packet
with the new TTL value embedded
If the TTL becomes 0, the router discards it and sends an ICMP
message back to the originating host (which may trigger a
resend)

Fragmentation

Don't Fragment Bit

A flag in the IP header which is set when fragmentation is not
to occur.

If a router discovers that a packet needs to be fragmented,
and the DF bit is set, the packet will be dropped and an ICMP
message
“unreachable – need to frag (MTU size)”
is sent to the source address.
More Fragments Bit (MF)

Says that one or more fragments are to follow.

The receiving host knows that fragmentation is being
applied by noticing that this flag is set (or the fragment
offset in the IP header is not zero).

MF = 0 on the last fragment
Fragment Reassembly Timer (1)

What if an incomplete set of fragments is sent to a
host?
When the receiving host gets the first fragment, it sets a
timer.
If the timer expires, and not all fragments have been
received, it sends an ICMP “IP reassembly time
exceeded” message back to the source.
Fragment Reassembly Timer (2)

You can check what that time is as follows:
hping3 -S -p 788 -x <IP-addr>
(-x means set the MF bit)
and run tcpdump and wait.

Try on different OSs.

Values are often 30-60 seconds.
Fragmentation Example
Packet Size = 5140 bytes; MTU = 1500 bytes

Note that the IP ID is the same for all fragments.

Note also that if you add up all the lengths of the IP fragments, the value
exceeds the original IP packet length by 60. The reason that the overall length is
increased by 60 is because three additional IP headers were created, one for
each fragment after the first fragment.
Source: http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html
Fragmentation Example – calculation of Fragment Offset
The first fragment has an offset of 0, the length of this fragment is
1500; this includes 20 bytes for the slightly modified original IP
header.
The second fragment has an offset of 185 (185 x 8 = 1480), which
means that the data portion of this fragment starts 1480 bytes into
the original IP packet. The length of this fragment is 1500; this
includes the additional IP header created for this fragment.
The third fragment has an offset of 370 (370 x 8 = 2960), which
means that the data portion of this fragment starts 2960 bytes into
the original IP packet. The length of this fragment is 1500; this
includes the additional IP header created for this fragment.
The fourth fragment has an offset of 555 (555 x 8 = 4440), which
means that the data portion of this fragment starts 4440 bytes into
the original IP packet. The length of this fragment is 700 bytes; this
includes the additional IP header created for this fragment.
Source: http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html
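
The calculation above carried through in code, as an added example that is not part of the original slides: it splits the 5140-byte packet for a 1500-byte MTU and then checks a received fragment set the way a reassembler or sensor would (same IP ID, no gaps, no overlaps, final fragment present). It assumes a 20-byte header with no IP options; the IP ID 4321 and the overlapping fragment in the test data are constructed.

```python
from dataclasses import dataclass

IP_HEADER = 20  # bytes; assumes no IP options


@dataclass
class Fragment:
    ident: int          # IP ID, identical on every fragment of one packet
    offset: int         # Fragment Offset field, in units of 8 bytes
    mf: bool            # More Fragments flag
    total_length: int   # header + data of this fragment


def fragment(total_length: int, mtu: int, ident: int) -> list:
    """Split one packet into the fragments a router would emit."""
    payload = total_length - IP_HEADER
    per_frag = (mtu - IP_HEADER) // 8 * 8   # data per fragment: multiple of 8
    frags, sent = [], 0
    while sent < payload:
        size = min(per_frag, payload - sent)
        frags.append(Fragment(ident, sent // 8, sent + size < payload,
                              size + IP_HEADER))
        sent += size
    return frags


def check_reassembly(frags: list) -> list:
    """Return the problems found in a set of received fragments."""
    problems, expected = [], 0
    if len({f.ident for f in frags}) != 1:
        problems.append("mixed IP IDs")
    ordered = sorted(frags, key=lambda f: f.offset)   # arrival order is irrelevant
    for f in ordered:
        start = f.offset * 8
        end = start + f.total_length - IP_HEADER
        if start < expected:
            problems.append(f"overlap at byte {start}")
        elif start > expected:
            problems.append(f"gap before byte {start}")
        if f.mf and (end - start) % 8:
            problems.append(f"non-final fragment at byte {start} not a multiple of 8")
        expected = max(expected, end)
    if not ordered or ordered[-1].mf:
        problems.append("last fragment missing (MF still set)")
    return problems


if __name__ == "__main__":
    frags = fragment(5140, 1500, ident=4321)
    for f in frags:
        print(f.offset, f.offset * 8, f.total_length, "MF" if f.mf else "last")
    print("extra header bytes:", sum(f.total_length for f in frags) - 5140)
    print("missing third fragment:", check_reassembly(frags[:2] + frags[3:]))
```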
Fragmentation and MTU

Fragmentation has overheads:
if one fragment is not delivered, the whole
transmission must be resent.
Because of this overhead, some OS TCP/IP stacks first send
an MTU discovery packet with the DF bit set.
If it gets back the ICMP message, it knows that fragmentation
was needed because the packet size was bigger than the
MTU.
It then resizes the packet to be smaller than the MTU
received back.
Fragmentation Issues

Has been used in DDoS attacks and in evasion attempts

Example:
In 2018, a new vulnerability called Fragment Smack
CVE-2018-8440 was uncovered
Affected Windows and Linux
A small 30 kpps DDoS attack can take down a server

Source: https://access.redhat.com/articles/3553061
Transport Control Protocol: TCP
and
User Datagram Protocol: UDP
TCP and UDP are at the Transport Layer

DNS, HTTP, HTTPS, POP, IMAP, SSH, FTP, TELNET etc.

TCP, UDP, ICMP?

IP, IPv6, ARP

Ethernet

Source: http://www.9tut.com/tcp-and-udp-tutorial
Quick Comparison


Similar
– Both use ports


Main Differences
– TCP is slower but reliable
– UDP is faster but unreliable

What are Ports?

Ports are NOT physical quantities

Ports are numbers between 0 and 65535 (2^16 - 1)

The Internet Assigned Numbers Authority (IANA) assigns port numbers.
There are different types of port numbers:
– Well Known Ports (Numbers 0 to 1023) - reserved for services
and applications.
– Registered Ports (Numbers 1024 to 49151) - assigned to user
processes or applications. These processes are primarily individual
applications that a user has chosen to install rather than common
applications that would receive a Well Known Port.
– Ephemeral Ports (Numbers 49152 to 65535) - Also known as
Dynamic or Private Ports, these are usually assigned dynamically
to client applications when initiating a connection.
Some Well Known Ports

DNS uses UDP (usually) and port 53

DHCP uses UDP and ports 67 and 68

HTTP uses TCP and port 80

HTTPS uses TCP and port 443

SSH uses TCP and port 22

TELNET uses TCP and port 23

SMTP (for email) uses TCP and port 25

POP (for email) uses TCP and port 110

IMAP (for email) uses TCP and port 142

TCP and UDP Headers

20 Bytes (more if there are options)

8 Bytes

TCP Header is a minimum of 20 Bytes.
It could be longer, up to a maximum of 60 bytes (very rare).

UDP Header is exactly 8 bytes.

Picture Source: http://www.9tut.com/tcp-and-udp-tutorial
TCP

TCP Flags :- C E U A P R S F
C 0x80 Reduced (CWR)
E 0x40 ECN Echo (ECE)
U 0x20 Urgent
A 0x10 Ack
P 0x08 Push
R 0x04 Reset
S 0x02 Syn
F 0x01 Fin

TCP Options :-
0 End of Options List
1 No Operation (NOP, Pad)
2 Maximum Segment Size
3 Window Scale
4 Selective ACK ok
8 Timestamp

Checksum :- Checksum of entire TCP segment and pseudo header
(parts of IP header)
Offset :- Number of 32-bit words in TCP header, minimum value of 5.
Multiply by 4 to get byte count.
Refer to RFC 793 for TCP Specification.
TCP/IP Packet

TCP Flags

CWR ECE URG ACK PSH RST SYN FIN

8 bits

Picture Source: http://www.9tut.com/tcp-and-udp-tutorial
TCP Flags
Flag: Meaning
SYN: SYN packet meaning “I want to establish a TCP session with you”
ACK: ACK packet to acknowledge the receipt of data. The value in the Acknowledge Number field indicates what is being acknowledged
FIN: FIN packet meaning “I want to terminate this TCP session gracefully”
RST: RESET packet meaning “I want to terminate this TCP session immediately (ungracefully)”
PSH: PUSH packet meaning “I want this packet to go to the Application Layer now – don’t wait for any buffers to be filled first”
URG: URGENT packet meaning “there is urgent data in this packet at the location pointed to by the Urgent Pointer. It needs immediate attention”, e.g. Ctrl-C in the middle of an FTP session
CWR & ECE: Deal with congestion
TCP Connection Establishment
3-way handshake:
SYN, SYN-ACK, ACK

TCP : Every session begins with a handshake
A B
SYN, SYN/ACK, ACK
Known as the TCP 3-way handshake. It begins a TCP session.

The 3-way handshake sets up the sequence
numbers and acknowledge numbers for the rest of
the session.
[Figure: TCP headers of the TCP SYN, TCP SYN/ACK and TCP ACK packets]
TCP : Every packet is acknowledged
A B
SYN, SYN/ACK, ACK (3-way handshake)
“abc”, ACK
“defg”, ACK
“hello”, ACK
(the resulting TCP session)
TCP : packet not received
A B
SYN, SYN/ACK, ACK (3-way handshake)
“abc”, ACK
“defg”
“defg”, ACK

When a packet is sent, the sender starts a timer, known as the
Retransmission TimeOut (RTO) value.

If the packet is not acknowledged before the timer reaches
zero, the packet is resent.
TCP Packets are reassembled in the correct order

Arrived in the wrong order, but TCP reassembled them in the correct order
TCP Connection Termination (1)
Using a four-step process, flags are exchanged to gracefully terminate a
TCP connection.

TCP Connection Termination (2)
Using a one-step process, a RESET flag can ungracefully terminate a
TCP connection

A B

Send RST

RST
received

TCP Sequence and ACK Numbers
Note that protocol analysers like Wireshark will typically
display relative sequence and acknowledgement numbers in
place of the actual values. (relative to the initial sequence
number of that stream)
If you want the actual sequence numbers:

Wireshark: Edit > Preferences > Protocols > TCP
Uncheck the option: "Relative sequence numbers"

tcpdump: use the -S option
TCP Flags More Detail
U = Urgent (URG) - There is an urgent pointer set, process the
information/command at the location in the packet the pointer is pointing
to immediately (think CTRL-C in the middle of a FTP session to kill it)
A = Acknowledgement (ACK) - Acknowledges receipt of data and is
used to ensure data isn't lost (used by both sides of the session since
TCP is bi-directional)
P = Push (PSH) - For the receiving system, don't let the data sit in the
buffer, push it immediately to the application
R = Reset (RST) - “I'm not talking to you at all or I'm done talking to you
and I'm killing the connection”. No communication set up or no graceful
termination of the session
S = Synchronize (SYN) - Initiate the Initial Sequence Number (ISN) that
will be the starting point for that session to track data with the ACK flags.
Remember, used only during the initial three-way handshake! You should
NOT see it anywhere else in the session.
F = Finish (FIN) - Used in the graceful termination of a session.
Source: https://isc.sans.edu/forums/diary/Good+Analysis+Understandingtools+logs+normal/22880/

TCP Flags
Urgent Flag
Used to identify incoming data as 'urgent'.
Not used often
Such incoming segments do not have to wait until the
previous segments are consumed by the receiving end but
are sent directly and processed immediately.
e.g. If a problem appears, the host machine needs to abort
the data transfer and stop the data processing on the other
end. Under normal circumstances, the abort signal will be
sent and queued at the remote machine until all previously
sent data is processed, however, in this case, we need the
abort signal to be processed immediately.
The Urgent Pointer field specifies the position in the
segment where urgent data ends.
TCP Flags
ACK Flag
ACKnowledgement flag is used to acknowledge the successful receipt of
packets.
If the ACK flag is set then the value in the Acknowledgement Number
field indicates the next sequence number that the receiver is expecting.
TCP Flags
PUSH Flag

The PUSH flag indicates that we're done transmitting; the
destination IP stack should send the data to the receiving
application without attempting to buffer any more of the
communication.

PUSH flag is usually set on the last segment of a file to
prevent buffer deadlocks.
Sending data:
When you send data, TCP buffers it. So if you send a
character it won't send it immediately but wait to see if
you've got more. But maybe you want it to go straight on
the wire. If you PUSH data your TCP will immediately
create a segment (or a few segments) and push them.

TCP Flags
PUSH Flag
Receiving data:
When TCP receives the data, it will naturally buffer
it; it won't disturb the application for each and
every byte. But if a receiving TCP sees the PUSH
flag it is supposed to immediately push the data to
the application.
TCP Flags
Reset (RST) Flag
Used to terminate a TCP session.
Once received and acted on, it is never acknowledged
to indicate that the connection was closed
Used to indicate a closed port

Synchronisation (SYN) Flag
Used to request a new TCP session

FIN Flag
Used to gracefully terminate a TCP session
TCP Flags
ECN and ECN-Echo
For a long time, these 2 bits were not used.
Explicit Congestion Notification (ECN) is a TCP
mechanism to reduce detected congestion.
The high order bit is the Congestion Window Reduced
Bit, and it signals that the sender will send less data
The bit to its left is the ECN-Echo bit, and it is set to
indicate that congestion was experienced

TCP Window Size

TCP Window Size (1)

This is the buffer size on the receiving host for data sent.
Becomes smaller as data is received.

If the data is not being processed fast enough, it
becomes 0. When this happens, the buffer is full, and the
sending host knows to stop sending data.
When data is processed, and the window size becomes
nonzero, the receiving host sends a window size update
to the source.
TCP Window Size (2)

In the screenshot above, the sender of this packet is telling
the other side of the connection that it has a TCP receive
buffer of 65,535 bytes.
This is the maximum standard TCP Window Size.
(There are options within TCP to make it bigger : “window
scale option” – coming soon)
TCP Window Size (3)

Each side of the TCP connection has its own TCP
Receive Window.

So at any point, these two window sizes may be
different.

For example, a web server often sends data to users,
instead of receiving data from users. For this reason,
the web server doesn’t need as large a TCP Window
as the user may need.

So the web server may advertise a receive window of
8192 bytes, while the client has a window of 65,535.

TCP Window Size (4)

Performance:

During a file transfer, data is flowing from one machine
to another. The receiver of the data needs to keep its
TCP Window from dropping down to zero, indicating
that the window has filled.

If a TCP Window ever goes to zero, or gets close to
zero, an alert is sent to the sender of the data that no
more room is left in the receiver for more data.

File transfer will be halted until an update is sent
showing the buffer has been cleared.

TCP States
TCP Options

TCP Options
MSS,
Window Scaling,
Selective Acknowledgements,
Timestamps,
NOP

Many of these TCP Options are required to appear only during the
initial SYN and SYN/ACK phase of the 3-way-handshake TCP

Source: http://www.firewall.cx/networking-topics/protocols/tcp/138-tcp-options.html
TCP Option : MSS
Maximum Segment Size is used to define the Maximum Segment
Size that will be used during a connection between two hosts.

You should only see this option used during the SYN and
SYN/ACK phase of the 3-way-handshake.

The MSS TCP Option occupies 4 bytes (32 bits) of length.

If the MSS option is omitted by one or both ends of the connection,
then the value of 536 bytes will be used.

Source: http://www.firewall.cx/networking-topics/protocols/tcp/138-tcp-options.html
TCP Option : Window Scaling

Window Scaling was created for high-latency, high-bandwidth WAN links
where a limited Window size can cause severe performance problems.

Because the largest possible value in the Window size flag is only
65,535 bytes (64 KB), a larger field was required in order to increase
the value.

Maximum of 30 bits in size, which includes the original 16 bit Window
size field, so really the max size is 14 bits.

Can be used to specify a buffer of size up to 1GB.

Source: http://www.firewall.cx/networking-topics/protocols/tcp/138-tcp-options.html
TCP Option : SAck
When a connection is established using the classic 3-way-handshake,
the hosts must send a "Selective Acknowledgements
Permitted" in the TCP Options to indicate that they are able to use
SACKs.
From this point onwards, the SACK option is sent whenever a
selective acknowledgement is required.
Where SACK is being used, if some packets from a TCP session
are not received, then only those that are missing need to be
resent.
If SACK is not being used, all packets since the first
missing packet need to be resent.
See http://packetlife.net/blog/2010/jun/17/tcp-selective-acknowledgments-sack/
Source: http://www.firewall.cx/networking-topics/protocols/tcp/138-tcp-options.html
TCP Option : TS
Used to provide protection against wrapped sequence numbers.

The TimeStamp option must be sent during the 3-way-handshake in
order to enable its use during any subsequent packets.

Timestamps consist of two fields: a Timestamp Echo field and a
Timestamp Reply field.

The reply field is always set to zero by the sender and completed by
the receiver after which it is sent back to the original sender.

Both timestamp fields are 4 bytes long.

Source: http://www.firewall.cx/networking-topics/protocols/tcp/138-tcp-options.html
TCP Option : NOP
The NOP option occupies 1 byte.

"No Option" is just used to separate the different options used
within the TCP Option field.

For example, if options MSS and SACK are used, the OS will
place two NOPs between them.

Source: http://www.firewall.cx/networking-topics/protocols/tcp/138-tcp-options.html
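
A parser for the TCP flags byte and the options covered in the slides above, as an added example that is not part of the original deck: it decodes the flags with the bit values from the TCP Flags table, walks the option list, applies the 536-byte default when MSS is absent, and reports handshake-only options (MSS, Window Scale, SACK Permitted) that turn up on a segment without SYN. The sample segments, ports and sequence numbers are constructed, and the checksum field is left at zero.

```python
import struct

FLAGS = [(0x80, "CWR"), (0x40, "ECE"), (0x20, "URG"), (0x10, "ACK"),
         (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN")]
OPTIONS = {2: "MSS", 3: "Window Scale", 4: "SACK Permitted", 8: "Timestamp"}
HANDSHAKE_ONLY = {"MSS", "Window Scale", "SACK Permitted"}


def parse_tcp(segment: bytes) -> dict:
    if len(segment) < 20:
        raise ValueError("shorter than the minimum TCP header")
    sport, dport, seq, ack, off_res, flag_byte, window = struct.unpack(
        "!HHIIBBH", segment[:16])
    header_len = (off_res >> 4) * 4           # Offset counts 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    flags = [name for bit, name in FLAGS if flag_byte & bit]
    opts, raw, i = {}, segment[20:header_len], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                         # End of Options List
            break
        if kind == 1:                         # NOP: one byte of padding
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option")
        length = raw[i + 1]
        body = raw[i + 2:i + length]
        name = OPTIONS.get(kind, f"kind {kind}")
        if kind == 2 and length == 4:
            opts[name] = struct.unpack("!H", body)[0]
        elif kind == 3 and length == 3:
            opts[name] = body[0]              # shift count
        elif kind == 8 and length == 10:
            opts[name] = struct.unpack("!II", body)   # two 4-byte fields
        else:
            opts[name] = body
        i += length
    findings = []
    if "SYN" not in flags:
        findings = [f"{o} outside handshake" for o in opts if o in HANDSHAKE_ONLY]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "header_len": header_len, "flags": flags, "window": window,
            "mss": opts.get("MSS", 536),      # default when MSS is omitted
            "options": opts, "findings": findings}


def build_tcp(flag_byte: int, options: bytes = b"", window: int = 65535) -> bytes:
    """Constructed sample segment; checksum and urgent pointer are left at 0."""
    options += b"\x01" * (-len(options) % 4)  # pad with NOPs to a 32-bit boundary
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 49152, 443, 1000, 0, offset << 4,
                       flag_byte, window, 0, 0) + options


MSS_1460 = bytes([2, 4]) + struct.pack("!H", 1460)
# MSS, NOP, Window Scale 7, SACK Permitted, Timestamp (12345, 0)
SYN = build_tcp(0x02, MSS_1460 + bytes([1, 3, 3, 7, 4, 2, 8, 10])
                + struct.pack("!II", 12345, 0))
DATA_WITH_MSS = build_tcp(0x18, MSS_1460)     # PSH+ACK carrying an MSS option

if __name__ == "__main__":
    for label, seg in (("SYN", SYN), ("data", DATA_WITH_MSS)):
        info = parse_tcp(seg)
        print(label, info["flags"], info["header_len"], info["mss"], info["findings"])
```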
UDP

UDP Intro


Fast

Low overhead

No reliability

No messaging order

Length :- Length is the length in bytes of this user packet including
this header and the data. (This means the minimum value of the length
is eight.)

Checksum :- Checksum is the 16-bit one's complement of the one's
complement sum of a pseudo header of information from the IP
header, the UDP header, and the data, padded with zero bytes at the
end (if necessary) to make a multiple of two bytes.
Refer to RFC 768 for User Datagram Protocol (UDP) Specification.
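
The Length and Checksum rules above worked through in code, as an added example that is not part of the original slides: it builds a datagram, computes the checksum over the pseudo header, UDP header and data, and verifies a received datagram. The addresses, ports and payload are constructed; the pseudo header layout (source address, destination address, zero byte, protocol 17, UDP length) follows RFC 768.

```python
import ipaddress
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry."""
    if len(data) % 2:
        data += b"\x00"                       # pad to a multiple of two bytes
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, udp_length: int) -> bytes:
    return (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + struct.pack("!BBH", 0, 17, udp_length))


def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    length = 8 + len(payload)                 # header + data, so never below 8
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = ~ones_complement_sum(
        pseudo_header(src, dst, length) + header + payload) & 0xFFFF
    csum = csum or 0xFFFF                     # a computed zero is sent as all ones
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def verify_udp(src: str, dst: str, datagram: bytes) -> str:
    if len(datagram) < 8:
        return "too short for a UDP header"
    _sport, _dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        return "bad length field"
    if csum == 0:
        return "no checksum (sender did not compute one)"
    # Summing everything, checksum field included, must give all ones.
    total = ones_complement_sum(pseudo_header(src, dst, length) + datagram[:length])
    return "ok" if total == 0xFFFF else "checksum mismatch"


# Constructed sample: 17-byte payload, so the odd-length padding path is used.
SRC, DST = "192.0.2.10", "198.51.100.53"
SAMPLE = build_udp(SRC, DST, 49152, 53, b"constructed query")

if __name__ == "__main__":
    print(verify_udp(SRC, DST, SAMPLE))
    print(verify_udp(SRC, DST, SAMPLE[:-1] + bytes([SAMPLE[-1] ^ 0x01])))
    print(verify_udp("192.0.2.11", DST, SAMPLE))
```

Because the pseudo header is part of the sum, a datagram delivered with a different source or destination address fails verification even when the UDP bytes are untouched.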

UDP
A B
Packet 1, Packet 2, Packet 3, Packet 4, Packet 5

No handshake.
No packet is acknowledged.
If a packet does not arrive, the sender and receiver will not know.
If packets arrive in the wrong order, they are not reordered.
But, UDP is fast.
UDP Unreliability

Arrived in the wrong order, and one packet is lost.

Neither the sender nor the receiver knows about this.
What services can use UDP?


DNS and DHCP use UDP.
– The packets are normally small and the communication
usually requires one packet only. If that packet is lost, DNS
or DHCP will resend the query.

Voice over IP and streaming video can use UDP
– They need speed, and can tolerate packet loss or packets
arriving in the wrong order.
– Voice over IP could not use TCP : When talking to someone,
you want your voice to be heard without any delay.

TCP/UDP Comparison (1)

Source: http://archive.rtcmagazine.com/articles/view/102819
TCP/UDP Comparison (2)

See comprehensive article at
https://www.diffen.com/difference/TCP_vs_UDP