TCP/IP Illustrated, Volume 1
The definitive protocol reference — every TCP/IP protocol explained with packet captures and field-by-field analysis. Covers IPv4/IPv6, ARP, ICMP, UDP, TCP (connection, reliability, congestion control), DNS, NAT, and protocol-layer attacks.
- Explain the full TCP/IP stack from link layer through application
- Decode IP, TCP, UDP, ICMP, ARP header fields and their purpose
- Trace TCP connection lifecycle: 3-way handshake, state machine, TIME_WAIT
- Explain TCP congestion control: slow start, AIMD, fast retransmit, CUBIC
- Calculate RTO using Jacobson/Karels algorithm with Karn's algorithm
- Explain NAT traversal: STUN/TURN/ICE mechanisms
- Identify protocol-layer attacks: ARP spoofing, SYN flood, DNS poisoning, IP fragmentation
- Understand IPv4/IPv6 addressing: CIDR, subnetting, special ranges
- Explain DNS resolution chain: recursive resolver, root, TLD, authoritative
Install this skill and Claude can analyze packet captures, trace TCP connection state and congestion control behavior, map the full protocol-layer attack surface, and reason through IPv4/IPv6 addressing, DNS resolution, and NAT traversal for any architecture
Protocol-level knowledge separates engineers who can fix network problems from those who can only restart services — understanding how TCP congestion control, flow control, and connection state interact is essential for building high-throughput systems and diagnosing production incidents
- Diagnose why a high-throughput TCP file transfer is underperforming by analyzing cwnd, rwnd, RTT, and retransmit behavior from a pcap
- Explain how SYN cookies work and configure the appropriate kernel parameters to protect a public-facing TCP server against SYN flood attacks
- Trace the full DNS resolution path for a domain and identify at which hop a cache poisoning attack could be inserted and how DNSSEC prevents it
TCP/IP Illustrated Skill
Architectural Principles
The Internet Design Philosophy
- End-to-end argument: intelligence at endpoints, dumb network — reliability implemented in transport, not in the network
- Fate sharing: state stored with endpoints, not in routers — routers can crash without losing connection state
- Packets, not circuits: connectionless datagrams, no guaranteed delivery at IP layer
Protocol Stack (Encapsulation)
Application (HTTP, DNS, SMTP)
↓ segment/datagram
Transport (TCP/UDP) — ports, reliability, ordering
↓ packet
Network (IP) — addressing, routing, forwarding
↓ frame
Link (Ethernet, Wi-Fi) — MAC addresses, local delivery
↓ bits
Physical
Each layer adds a header; demultiplexing uses protocol numbers and port numbers.
IP Addressing (Chapter 2)
IPv4 Address Structure
- 32-bit, written as dotted-decimal (192.168.1.1)
- CIDR notation: 192.168.1.0/24 — 24 bits network, 8 bits host
- Subnet mask: 255.255.255.0 = /24
Special Addresses
| Range | Purpose |
|---|---|
| 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 | Private (RFC 1918) |
| 127.0.0.0/8 | Loopback |
| 169.254.0.0/16 | Link-local (APIPA) |
| 255.255.255.255 | Limited broadcast |
| 224.0.0.0/4 | Multicast |
IPv6 Addressing
- 128-bit, written as colon-hex (2001:db8::1)
- ::1 = loopback
- fe80::/10 = link-local
- ff00::/8 = multicast
- Replaces ARP with Neighbor Discovery (NDP over ICMPv6)
ARP: Address Resolution Protocol (Chapter 4)
Resolves IP address → MAC address for local delivery.
ARP Request: broadcast "Who has 192.168.1.5? Tell 192.168.1.1"
ARP Reply: unicast "192.168.1.5 is at aa:bb:cc:dd:ee:ff"
- ARP cache: short-lived (minutes) to avoid staleness
- Gratuitous ARP: host ARPs for its own IP to announce presence / detect conflicts
- Proxy ARP: router responds to ARP on behalf of hosts on another subnet
- ARP spoofing attack: inject false ARP replies → MITM; defense: dynamic ARP inspection
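Worked example, added here and not taken from the book or the skill: a Python ARP parser plus an arpwatch-style monitor that learns the sender binding from each packet and alerts when an IP it already knows reappears with a different MAC, which is the observable symptom of ARP spoofing (and of plain address conflicts). The exchange in the demo follows the request/reply above; the 00:00:5e:00:53:xx MACs and the second claimant are constructed sample values.

```python
import struct

ARP_FMT = "!HHBBH6s4s6s4s"          # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(oper, sha, spa, tha, tpa) -> bytes:
    """Serialise an Ethernet/IPv4 ARP packet (the 28 bytes after the Ethernet header)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))


def parse_arp(payload: bytes) -> dict:
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    spa, tpa = ip_str(spa), ip_str(tpa)
    return {"oper": oper, "sha": mac_str(sha), "spa": spa, "tha": mac_str(tha), "tpa": tpa,
            "gratuitous": spa == tpa}      # host announcing / conflict-checking its own address


class ArpMonitor:
    """Learn IP->MAC from the sender fields of every ARP packet; alert on a binding flip.

    Dynamic ARP inspection on a switch enforces the same idea, checking each
    packet's sender binding against a trusted (DHCP snooping) table.
    """

    def __init__(self):
        self.table = {}       # ip -> mac
        self.alerts = []

    def observe(self, payload: bytes) -> dict:
        arp = parse_arp(payload)
        ip, mac = arp["spa"], arp["sha"]
        if ip == "0.0.0.0":
            return arp        # ARP probe: sender claims no address yet, nothing to learn
        known = self.table.get(ip)
        if known is not None and known != mac:
            self.alerts.append(f"{ip} moved from {known} to {mac}")
        self.table[ip] = mac
        return arp


if __name__ == "__main__":
    gw, host, other = "00:00:5e:00:53:01", "aa:bb:cc:dd:ee:ff", "00:00:5e:00:53:99"
    mon = ArpMonitor()
    # "Who has 192.168.1.5? Tell 192.168.1.1"  /  "192.168.1.5 is at aa:bb:cc:dd:ee:ff"
    mon.observe(build_arp(ARP_REQUEST, gw, "192.168.1.1", "00:00:00:00:00:00", "192.168.1.5"))
    mon.observe(build_arp(ARP_REPLY, host, "192.168.1.5", gw, "192.168.1.1"))
    # a second, unsolicited reply claiming the same IP from another MAC
    mon.observe(build_arp(ARP_REPLY, other, "192.168.1.5", gw, "192.168.1.1"))
    print(mon.table)
    print(mon.alerts)
```

The monitor deliberately trusts sender fields from requests as well as replies, because gratuitous requests carry a binding claim too and are a common vehicle for cache updates; a stricter deployment would only learn from replies to requests it saw.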
IP (Chapter 5)
IPv4 Header Key Fields
| Field | Purpose |
|---|---|
| TTL | Decremented at each hop; 0 → discard + ICMP Time Exceeded |
| Protocol | TCP=6, UDP=17, ICMP=1 |
| Flags/Fragment Offset | IP fragmentation control |
| ToS/DSCP | QoS differentiated services |
| Checksum | Header-only (transport layers have own checksums) |
IP Forwarding
- Check destination against forwarding table (longest prefix match)
- If local: deliver to upper layer
- If remote: forward to next hop, decrement TTL
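Worked example for the IP addressing section and the forwarding steps above, added here and not part of the book or the skill: standard-library `ipaddress` code that labels an address by the special ranges in the IPv4 and IPv6 tables, splits a CIDR block into network and host bits, and performs the longest-prefix-match lookup a forwarding table uses. The forwarding table and the sample addresses are constructed for the example.

```python
import ipaddress

# Special ranges exactly as the page's IPv4 and IPv6 lists give them.
SPECIAL_RANGES = [
    ("10.0.0.0/8", "private (RFC 1918)"),
    ("172.16.0.0/12", "private (RFC 1918)"),
    ("192.168.0.0/16", "private (RFC 1918)"),
    ("127.0.0.0/8", "loopback"),
    ("169.254.0.0/16", "link-local (APIPA)"),
    ("255.255.255.255/32", "limited broadcast"),
    ("224.0.0.0/4", "multicast"),
    ("::1/128", "loopback"),
    ("fe80::/10", "link-local"),
    ("ff00::/8", "multicast"),
]
SPECIAL_NETS = [(ipaddress.ip_network(n), label) for n, label in SPECIAL_RANGES]


def classify(addr: str) -> str:
    """Label an IPv4/IPv6 address by the special range it falls in, else 'global'."""
    a = ipaddress.ip_address(addr)
    for net, label in SPECIAL_NETS:
        if a.version == net.version and a in net:
            return label
    return "global"


def subnet_info(cidr: str) -> dict:
    """Network/host bit split, mask and address count for a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "prefix_len": net.prefixlen,
        "host_bits": net.max_prefixlen - net.prefixlen,
        "netmask": str(net.netmask),
        "addresses": net.num_addresses,
    }


def longest_prefix_match(table, dst: str):
    """Forwarding lookup: the most specific (longest) matching prefix wins.

    `table` holds (cidr, next_hop) pairs; next_hop None means directly
    connected, i.e. deliver on-link instead of forwarding to a router.
    """
    d = ipaddress.ip_address(dst)
    best = None
    for cidr, next_hop in table:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != d.version or d not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, next_hop)
    return None if best is None else (str(best[0]), best[1])


# Constructed forwarding table: default route plus progressively more specific prefixes.
FORWARDING_TABLE = [
    ("0.0.0.0/0", "192.168.1.1"),       # default gateway
    ("192.168.1.0/24", None),           # directly connected LAN
    ("10.0.0.0/8", "192.168.1.254"),    # corporate aggregate via a second router
    ("10.1.2.0/24", "192.168.1.253"),   # more specific: wins for 10.1.2.x
]

if __name__ == "__main__":
    for a in ["192.168.1.1", "172.31.0.9", "127.0.0.1", "169.254.10.2", "224.0.0.251",
              "255.255.255.255", "8.8.8.8", "::1", "fe80::1", "ff02::1", "2001:db8::1"]:
        print(f"{a:>18} -> {classify(a)}")
    print(subnet_info("192.168.1.0/24"))
    for dst in ["192.168.1.77", "10.1.2.3", "10.9.9.9", "8.8.8.8"]:
        print(dst, "->", longest_prefix_match(FORWARDING_TABLE, dst))
```

The explicit range table is used instead of `ipaddress`'s `is_private`, which also covers several non-RFC 1918 blocks and would blur the page's distinction.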
IP Fragmentation
When packet > MTU, IP fragments at router. Reassembly at destination only.
- Fragmentation attack: send overlapping fragments to confuse firewall/IDS
- Path MTU Discovery: use DF bit + ICMP “Packet Too Big” to find PMTU without fragmenting
ICMP (Chapter 8)
Error Messages
| Type | Meaning |
|---|---|
| 3 | Destination Unreachable (various codes: host, port, network, fragmentation needed) |
| 11 | Time Exceeded (TTL=0 or reassembly timeout) |
| 5 | Redirect (better route available) |
| 12 | Parameter Problem (invalid header) |
Informational Messages
- Echo Request/Reply (type 8/0): ping
- Router Solicitation/Advertisement: router discovery
- Neighbor Solicitation/Advertisement (ICMPv6): NDP replaces ARP
ICMP Attacks
- Smurf attack: ping broadcast with spoofed source → victim flooded
- ICMP redirect spoofing: redirect traffic to attacker
UDP (Chapter 10)
UDP Header (8 bytes)
Source Port | Destination Port | Length | Checksum
- No connection, no ordering, no reliability — application handles these
- Use for: DNS, DHCP, streaming, gaming, tunneling (low overhead matters)
- UDP checksum covers pseudoheader (src IP, dst IP, protocol, length)
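Worked example serving the IPv4 header table (TTL, Protocol, Flags/Fragment Offset, header-only Checksum) and the UDP pseudoheader bullet above; it is added here and is not code from the book or the skill. It builds and parses a 20-byte IPv4 header, verifies the header checksum, performs one router hop (decrement TTL, recompute checksum, discard at TTL 0), and computes and verifies the UDP checksum over the pseudoheader. Addresses, ports and payload are constructed sample values.

```python
import struct


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum shared by the IP, ICMP, UDP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"                      # odd length: pad with a zero byte (not transmitted)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, proto, ttl=64, ident=0, df=False):
    """20-byte IPv4 header without options; the checksum covers the header only."""
    flags_frag = 0x4000 if df else 0         # DF bit; offset 0 for an unfragmented packet
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_frag, ttl, proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    return {
        "ihl": ihl, "total_len": total_len, "ident": ident, "ttl": ttl, "protocol": proto,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,     # the offset field counts 8-byte units
        "src": ip_str(src), "dst": ip_str(dst),
        # a valid header sums to 0xFFFF once the checksum field itself is included
        "checksum_ok": ones_complement_sum(pkt[:ihl]) == 0xFFFF,
    }


def forward_hop(pkt: bytes):
    """One router hop: decrement TTL and recompute the header checksum.
    Returns None when TTL would hit 0: the packet is discarded and the router
    would send ICMP Time Exceeded (type 11) back to the source."""
    hdr = parse_ipv4_header(pkt)
    if hdr["ttl"] <= 1:
        return None
    head = bytearray(pkt[:hdr["ihl"]])
    head[8] -= 1                             # TTL is byte 8 of the header
    head[10:12] = b"\x00\x00"
    head[10:12] = struct.pack("!H", checksum(bytes(head)))
    return bytes(head) + pkt[hdr["ihl"]:]


def udp_pseudoheader(src, dst, udp_len) -> bytes:
    """IPv4 pseudoheader: src IP, dst IP, zero, protocol 17, UDP length."""
    return struct.pack("!4s4sBBH", ip_bytes(src), ip_bytes(dst), 0, 17, udp_len)


def build_udp(src, dst, sport, dport, payload: bytes) -> bytes:
    seg = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    csum = checksum(udp_pseudoheader(src, dst, len(seg)) + seg)
    return seg[:6] + struct.pack("!H", csum or 0xFFFF) + seg[8:]   # 0 means "no checksum" in UDP/IPv4


def verify_udp(src, dst, seg: bytes) -> bool:
    _sport, _dport, length, csum = struct.unpack("!HHHH", seg[:8])
    if csum == 0:
        return True                          # sender disabled the checksum (IPv4 only)
    return ones_complement_sum(udp_pseudoheader(src, dst, length) + seg[:length]) == 0xFFFF


if __name__ == "__main__":
    # Constructed: a small UDP datagram from a LAN host to a public resolver, TTL 2.
    seg = build_udp("192.168.1.1", "8.8.8.8", 40000, 53, b"hello")
    pkt = build_ipv4_header("192.168.1.1", "8.8.8.8", len(seg), 17, ttl=2) + seg
    print(parse_ipv4_header(pkt))
    print("udp ok:", verify_udp("192.168.1.1", "8.8.8.8", seg))
    print("after one hop, TTL:", parse_ipv4_header(forward_hop(pkt))["ttl"])
    print("second hop:", forward_hop(forward_hop(pkt)))    # None: TTL exhausted
```

Because the pseudoheader is part of the UDP checksum, a datagram whose IP addresses were rewritten without fixing the transport checksum (a NAT bug, or a spoofed source) fails `verify_udp` even though the UDP bytes themselves are untouched.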
IP Fragmentation with UDP
Large UDP datagrams fragment at IP layer. If any fragment lost, entire datagram lost (no partial retransmission). Design UDP apps to fit in a single packet or implement application-level reassembly.
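Worked example covering both fragmentation passages above, the overlapping-fragment evasion and the all-or-nothing loss of a fragmented UDP datagram; it is added here and is not code from the book or the skill. A router-side splitter produces fragments for a given MTU, and a destination-side reassembler reports `incomplete` while a piece is missing, drops the whole datagram on overlap (the conservative firewall/IDS choice), and loses everything when the reassembly timer expires. Datagram size, MTU, identification value and addresses are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Fragment:
    ident: int        # IP Identification field shared by all pieces of one datagram
    offset: int       # byte offset into the original payload (always a multiple of 8)
    more: bool        # MF flag: more fragments follow
    data: bytes


def fragment_datagram(payload: bytes, mtu: int, ident: int, ihl: int = 20):
    """Split one datagram's payload as a router would for the given link MTU."""
    chunk = (mtu - ihl) // 8 * 8               # fragment offsets are counted in 8-byte units
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        frags.append(Fragment(ident, off, off + chunk < len(payload), piece))
    return frags


@dataclass
class Reassembler:
    """Reassembly keyed by (src, dst, protocol, ident), as the destination host does.

    Overlapping fragments are rejected outright: no legitimate stack produces
    them, and because OSes resolve overlaps differently, an IDS that tolerates
    them can be made to see a different payload than the host does.
    """
    buffers: dict = field(default_factory=dict)

    def add(self, key, frag: Fragment):
        buf = self.buffers.setdefault(key, {"frags": [], "total": None})
        start, end = frag.offset, frag.offset + len(frag.data)
        for f in buf["frags"]:
            if start < f.offset + len(f.data) and f.offset < end:
                del self.buffers[key]           # drop the whole datagram, not just this piece
                return "overlap-drop", None
        buf["frags"].append(frag)
        if not frag.more:
            buf["total"] = end                  # the last fragment reveals the full length
        return self._try_complete(key)

    def _try_complete(self, key):
        buf = self.buffers[key]
        if buf["total"] is None:
            return "incomplete", None
        frags = sorted(buf["frags"], key=lambda f: f.offset)
        pos = 0
        for f in frags:
            if f.offset != pos:
                return "incomplete", None       # a gap: some fragment has not arrived
            pos += len(f.data)
        if pos != buf["total"]:
            return "incomplete", None
        del self.buffers[key]
        return "complete", b"".join(f.data for f in frags)

    def expire(self, key) -> bool:
        """Reassembly timer fired: everything buffered is discarded and the datagram
        is lost; there is no transport-level retransmission of a single fragment."""
        return self.buffers.pop(key, None) is not None


if __name__ == "__main__":
    data = bytes(range(256)) * 12                      # 3072-byte UDP datagram (constructed)
    frags = fragment_datagram(data, mtu=1500, ident=7)
    print([(f.offset, len(f.data), f.more) for f in frags])
    key = ("192.168.1.1", "10.0.0.5", 17, 7)
    r = Reassembler()
    print(r.add(key, frags[0])[0], r.add(key, frags[2])[0], r.add(key, frags[1])[0])
    r2 = Reassembler()
    r2.add(key, frags[0])
    print(r2.add(key, Fragment(7, 8, True, b"X" * 16))[0])   # overlaps the first fragment
```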
DNS (Chapter 11)
DNS Resource Record Types
| Type | Purpose |
|---|---|
| A | IPv4 address |
| AAAA | IPv6 address |
| CNAME | Canonical name alias |
| MX | Mail exchange |
| NS | Name server |
| PTR | Reverse lookup (IP → name) |
| SOA | Start of authority |
| TXT | Text (SPF, DKIM, etc.) |
| SRV | Service location |
DNS Resolution Process
- Check local cache
- Query recursive resolver (ISP or 8.8.8.8)
- Resolver queries root → TLD → authoritative nameserver
- Cache result per TTL
DNS Attacks
- DNS cache poisoning: inject false records into resolver cache
- DNS amplification: small query → large response (DDoS amplifier)
- DNSSEC: cryptographic signing of DNS responses
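Worked example for the resolution process and the cache-poisoning bullet above, added here and not taken from the book or the skill: a minimal DNS wire-format encoder/decoder (including name compression pointers) and the acceptance checks a resolver applies before caching a reply. A forged answer in the poisoning race has to match the outstanding query's destination port, transaction ID and question section, and records for names other than the question are discarded. Query name, IDs, ports and the 192.0.2.x answer addresses are constructed.

```python
import random
import struct


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, pos: int):
    """Decode a (possibly compressed) name; returns (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                       # 2-byte compression pointer
            if end is None:
                end = pos + 2                           # the name ends after its first pointer
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (pos if end is None else end)


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)     # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def new_query(name: str):
    """Resolver side: a random 16-bit ID and random source port are the only
    values an off-path spoofer has to guess, so both must be unpredictable."""
    txid, port = random.getrandbits(16), random.randrange(1024, 65536)
    return txid, port, build_query(txid, name)


def build_response(txid: int, name: str, answers) -> bytes:
    """answers: (owner, ipv4, ttl) triples; an owner equal to the question name is
    written as a pointer to offset 12, where the question name starts."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)   # QR=1, RD, RA
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    for owner, ip, ttl in answers:
        rdata = bytes(int(x) for x in ip.split("."))
        owner_bytes = b"\xc0\x0c" if owner == name else encode_name(owner)
        msg += owner_bytes + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return msg


def parse_message(msg: bytes) -> dict:
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos, questions, answers = 12, [], []
    for _ in range(qd):
        qname, pos = decode_name(msg, pos)
        qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
        pos += 4
        questions.append((qname.lower(), qtype, qclass))
    for _ in range(an):
        rname, pos = decode_name(msg, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append({"name": rname.lower(), "type": rtype, "ttl": ttl, "rdata": rdata})
    return {"id": txid, "qr": bool(flags & 0x8000), "questions": questions, "answers": answers}


def validate_response(query: bytes, query_port: int, response: bytes, response_port: int):
    """Checks applied before anything is cached; returns (accepted, reason, records)."""
    q, r = parse_message(query), parse_message(response)
    if response_port != query_port:
        return False, "wrong destination port", []
    if r["id"] != q["id"]:
        return False, "transaction ID mismatch", []
    if not r["qr"] or r["questions"] != q["questions"]:
        return False, "question section does not match", []
    qname = q["questions"][0][0]
    accepted = [a for a in r["answers"] if a["name"] == qname]   # drop off-question records
    return True, "ok", accepted


if __name__ == "__main__":
    txid, port, q = new_query("www.example.com")
    good = build_response(txid, "www.example.com", [("www.example.com", "192.0.2.10", 300),
                                                    ("unrelated.example.net", "192.0.2.66", 86400)])
    print(validate_response(q, port, good, port))
    print(validate_response(q, port, build_response(txid ^ 1, "www.example.com", []), port))
```

The off-question filter is a simplified bailiwick rule; DNSSEC goes further by letting the resolver verify a signature over the records instead of relying on matching alone.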
TCP Connection Management (Chapter 13)
3-Way Handshake
Client → Server: SYN (ISN=x)
Server → Client: SYN-ACK (ISN=y, ACK=x+1)
Client → Server: ACK (ACK=y+1)
Connection established
4-Way Teardown
Active closer → Passive: FIN
Passive → Active: ACK
Passive → Active: FIN
Active → Passive: ACK
Active enters TIME_WAIT (2×MSL = 60-240s)
TCP State Machine Key States
LISTEN → SYN_RECEIVED → ESTABLISHED → FIN_WAIT_1 → FIN_WAIT_2 → TIME_WAIT → CLOSED
TIME_WAIT purpose: ensure delayed duplicates from old connection don’t corrupt new connection on same 4-tuple.
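Worked example for the handshake, teardown and state machine above, added here and not code from the book or the skill: a control-plane-only TCP endpoint that tracks states and SYN/FIN sequence accounting, run through a full connect/close between a client with ISN x and a server with ISN y. It also shows why the ISN matters for the session-hijack row later on the page: an ACK whose number does not match what this side sent is ignored. ISNs are constructed values; no data transfer or timers are modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    flags: frozenset          # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int = 0
    ack: int = 0


class TcpEndpoint:
    """Minimal TCP control plane: states plus SYN/FIN sequence accounting, no data."""

    def __init__(self, isn: int):
        self.state = "CLOSED"
        self.snd_nxt = isn        # next sequence number we will send
        self.rcv_nxt = 0          # next sequence number we expect from the peer
        self.trace = []

    def _go(self, state):
        self.state = state
        self.trace.append(state)

    def _send(self, *flags):
        seg = Segment(frozenset(flags), seq=self.snd_nxt, ack=self.rcv_nxt)
        if "SYN" in flags or "FIN" in flags:
            self.snd_nxt += 1     # SYN and FIN each occupy one sequence number
        return seg

    # local (application) events
    def listen(self):
        self._go("LISTEN")

    def connect(self):
        self._go("SYN_SENT")
        return self._send("SYN")

    def close(self):
        nxt = {"ESTABLISHED": "FIN_WAIT_1", "CLOSE_WAIT": "LAST_ACK"}
        if self.state not in nxt:
            raise ValueError(f"close() not valid in {self.state}")
        self._go(nxt[self.state])
        return self._send("FIN", "ACK")

    def timeout_2msl(self):
        if self.state != "TIME_WAIT":
            raise ValueError("the 2MSL timer only runs in TIME_WAIT")
        self._go("CLOSED")

    # segment arrival: returns the reply segment, or None
    def receive(self, seg: Segment):
        f, s = seg.flags, self.state
        if "RST" in f:
            self._go("CLOSED")
            return None
        acked = "ACK" in f and seg.ack == self.snd_nxt
        if "ACK" in f and not acked:
            return None           # ACK number does not cover what we sent: ignore
        if "SYN" in f or "FIN" in f:
            self.rcv_nxt = seg.seq + 1
        if s == "LISTEN" and "SYN" in f:
            self._go("SYN_RECEIVED")
            return self._send("SYN", "ACK")
        if s == "SYN_SENT" and "SYN" in f and acked:
            self._go("ESTABLISHED")
            return self._send("ACK")
        if s == "SYN_RECEIVED" and acked:
            self._go("ESTABLISHED")
        elif s == "ESTABLISHED" and "FIN" in f:
            self._go("CLOSE_WAIT")
            return self._send("ACK")
        elif s == "FIN_WAIT_1" and "FIN" in f:
            self._go("TIME_WAIT" if acked else "CLOSING")   # CLOSING = simultaneous close
            return self._send("ACK")
        elif s == "FIN_WAIT_1" and acked:
            self._go("FIN_WAIT_2")
        elif s == "FIN_WAIT_2" and "FIN" in f:
            self._go("TIME_WAIT")
            return self._send("ACK")
        elif s in ("CLOSING", "LAST_ACK") and acked:
            self._go("TIME_WAIT" if s == "CLOSING" else "CLOSED")
        return None


def run_connection(client_isn: int, server_isn: int):
    """3-way handshake, then an active close by the client; returns both endpoints
    and the three handshake segments."""
    c, s = TcpEndpoint(client_isn), TcpEndpoint(server_isn)
    s.listen()
    syn = c.connect()                 # SYN (ISN=x)
    syn_ack = s.receive(syn)          # SYN-ACK (ISN=y, ACK=x+1)
    ack = c.receive(syn_ack)          # ACK (ACK=y+1)
    s.receive(ack)
    fin1 = c.close()                  # active closer sends FIN
    c.receive(s.receive(fin1))        # passive side ACKs; client -> FIN_WAIT_2
    fin2 = s.close()                  # passive side sends its FIN
    s.receive(c.receive(fin2))        # client ACKs and enters TIME_WAIT; server -> CLOSED
    c.timeout_2msl()
    return c, s, (syn, syn_ack, ack)


if __name__ == "__main__":
    c, s, hs = run_connection(1000, 5000)
    print([(sorted(h.flags), h.seq, h.ack) for h in hs])
    print("client:", c.trace)
    print("server:", s.trace)
```

A SYN flood leaves the server side of this machine parked in SYN_RECEIVED for every spoofed SYN, which is the half-open exhaustion the attack table later on the page refers to.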
TCP Header Key Fields
| Field | Purpose |
|---|---|
| Sequence number | Byte offset in stream |
| Acknowledgment number | Next byte expected |
| Window size | Receiver buffer available (flow control) |
| Flags | SYN, ACK, FIN, RST, PSH, URG |
TCP Options
- MSS: Maximum Segment Size (negotiated in SYN)
- SACK: Selective ACK (retransmit only lost segments)
- Window Scale (WSCALE): extend window to >64KB for high-BDP paths
- Timestamps: precise RTT measurement, PAWS protection
TCP Reliability and Performance (Chapters 14-16)
RTO Calculation (Jacobson/Karels)
SRTT = α × SRTT + (1-α) × RTT_sample (α = 0.875)
RTTVAR = β × RTTVAR + (1-β) × |SRTT - RTT_sample|
RTO = SRTT + 4 × RTTVAR
Karn’s algorithm: don’t update SRTT with retransmitted segments (ambiguity problem).
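Worked example of the estimator above, added here and not code from the book or the skill. It applies the three formulas with α = 0.875 as stated; β = 0.75 is the RFC 6298 value, which the page does not give, and the first sample seeds SRTT and RTTVAR as RFC 6298 does (SRTT = R, RTTVAR = R/2). Karn's rule is implemented as "skip the sample for a retransmitted segment", and a timeout doubles the RTO (exponential backoff). The 200 ms floor mirrors Linux's minimum RTO rather than RFC 6298's 1 s, so that the small constructed RTT samples are not all clamped.

```python
class RtoEstimator:
    """Jacobson/Karels SRTT/RTTVAR estimator with Karn's rule and backoff."""

    def __init__(self, alpha=0.875, beta=0.75, min_rto=0.2, max_rto=60.0):
        self.alpha, self.beta = alpha, beta
        self.min_rto, self.max_rto = min_rto, max_rto     # seconds
        self.srtt = self.rttvar = None
        self.rto = 1.0            # RFC 6298 initial RTO before any sample exists

    def _clamp(self, rto: float) -> float:
        return max(self.min_rto, min(rto, self.max_rto))

    def on_sample(self, rtt: float, retransmitted: bool = False) -> float:
        """RTT measured from an ACK; returns the RTO to use for the next segment."""
        if retransmitted:
            return self.rto       # Karn: the ACK may be for either transmission, so skip it
        if self.srtt is None:     # first measurement seeds both estimators
            self.srtt, self.rttvar = rtt, rtt / 2
        else:
            # RTTVAR uses the previous SRTT, then SRTT is updated (RFC 6298 order)
            self.rttvar = self.beta * self.rttvar + (1 - self.beta) * abs(self.srtt - rtt)
            self.srtt = self.alpha * self.srtt + (1 - self.alpha) * rtt
        self.rto = self._clamp(self.srtt + 4 * self.rttvar)
        return self.rto

    def on_timeout(self) -> float:
        """Retransmission timer fired: back off exponentially until a clean sample arrives."""
        self.rto = self._clamp(self.rto * 2)
        return self.rto


def simulate(events, **kw):
    """events: ('sample', rtt[, retransmitted]) or ('timeout',); returns the RTO after each."""
    est, out = RtoEstimator(**kw), []
    for ev in events:
        if ev[0] == "timeout":
            out.append(est.on_timeout())
        else:
            out.append(est.on_sample(ev[1], ev[2] if len(ev) > 2 else False))
    return out


if __name__ == "__main__":
    # Constructed samples: two steady 100 ms RTTs, a 300 ms spike, an ambiguous
    # sample from a retransmitted segment, then two consecutive timeouts.
    for ev, rto in zip(EVENTS := [("sample", 0.1), ("sample", 0.1), ("sample", 0.3),
                                  ("sample", 0.5, True), ("timeout",), ("timeout",)],
                       simulate(EVENTS)):
        print(ev, "-> RTO %.4f s" % rto)
```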
Congestion Control (Chapter 16)
Slow Start: cwnd starts at 1-10 MSS, doubles each RTT until ssthresh
Congestion Avoidance: cwnd grows by 1 MSS per RTT (additive increase)
Fast Retransmit: 3 duplicate ACKs → retransmit without waiting for timeout
Fast Recovery: halve ssthresh + cwnd, continue from there (AIMD)
CUBIC (Linux default): cubic function of time since last loss event.
Flow Control vs Congestion Control
- Flow control: receiver advertises window size (rwnd) — prevents sender from overwhelming receiver buffer
- Congestion control: sender limits with cwnd — prevents overwhelming network
- Effective window = min(rwnd, cwnd)
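Worked example for the congestion control and flow control sections above, added here and not code from the book or the skill: a per-RTT simulation of an AIMD (Reno-style) sender in MSS units showing slow start up to ssthresh, additive increase, fast retransmit/fast recovery halving, the drop to 1 MSS after a timeout, and the effective window min(rwnd, cwnd). It also evaluates CUBIC's window curve W(t) = C(t-K)^3 + W_max with the RFC 8312 constants (C = 0.4, β = 0.7), which the page does not spell out. The event sequence and window sizes are constructed.

```python
class RenoSender:
    """AIMD sender in MSS units: slow start, congestion avoidance, fast retransmit /
    fast recovery and timeout. Constructed for the example, not a real stack."""

    def __init__(self, init_cwnd=1, ssthresh=64, rwnd=32):
        self.cwnd, self.ssthresh, self.rwnd = init_cwnd, ssthresh, rwnd
        self.fast_retransmits = self.timeouts = 0

    def effective_window(self) -> int:
        return min(self.cwnd, self.rwnd)      # both the receiver and the network bound the sender

    def on_rtt_of_acks(self):
        """One RTT in which the whole window was acknowledged."""
        if self.cwnd < self.ssthresh:
            self.cwnd = min(self.cwnd * 2, self.ssthresh)   # slow start: doubling, capped at ssthresh
        else:
            self.cwnd += 1                                   # congestion avoidance: +1 MSS per RTT

    def on_three_dup_acks(self):
        """Fast retransmit + fast recovery: halve and continue, no restart from 1 MSS."""
        self.ssthresh = max(self.cwnd // 2, 2)
        self.cwnd = self.ssthresh
        self.fast_retransmits += 1

    def on_timeout(self):
        """RTO expiry: network assumed badly congested, back to slow start."""
        self.ssthresh = max(self.cwnd // 2, 2)
        self.cwnd = 1
        self.timeouts += 1


def run(sender: RenoSender, events):
    """Replay per-RTT events ('ack', 'dup3', 'timeout'); returns (cwnd, ssthresh, effective) per step."""
    handlers = {"ack": sender.on_rtt_of_acks, "dup3": sender.on_three_dup_acks,
                "timeout": sender.on_timeout}
    trace = []
    for ev in events:
        handlers[ev]()
        trace.append((sender.cwnd, sender.ssthresh, sender.effective_window()))
    return trace


def cubic_window(t: float, w_max: float, beta: float = 0.7, c: float = 0.4) -> float:
    """CUBIC window (in MSS) as a function of seconds since the last loss event:
    starts at beta*w_max, flattens as it approaches w_max at t = K, then probes beyond."""
    k = (w_max * (1 - beta) / c) ** (1 / 3)   # time at which the curve returns to w_max
    return c * (t - k) ** 3 + w_max


if __name__ == "__main__":
    events = ["ack"] * 5 + ["dup3"] + ["ack"] * 2 + ["timeout"] + ["ack"] * 4
    for ev, (cwnd, ssthresh, eff) in zip(events, run(RenoSender(1, 16, rwnd=12), events)):
        print(f"{ev:8} cwnd={cwnd:3} ssthresh={ssthresh:3} effective={eff:3}")
    for t in (0, 2, 4, 6):
        print(f"CUBIC t={t}s W={cubic_window(t, w_max=100):.1f}")
```

In the trace the receiver's 12-MSS window caps the effective window while cwnd keeps growing, which is the rwnd-bound case the first use-case bullet on the page asks you to diagnose from a capture.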
NAT and Firewalls (Chapter 7)
NAPT (Network Address Port Translation)
Maps (private_IP, private_port) → (public_IP, public_port). State table entry created on outbound SYN, deleted on FIN/timeout.
NAT traversal problem: inbound connections fail because no state table entry exists. Solutions:
- STUN: discover external IP/port via server
- TURN: relay through server
- ICE: combine STUN+TURN+direct
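Worked example for the NAPT description and the traversal problem above, added here and not code from the book or the skill: a NAPT state table that creates a binding on an outbound SYN, translates both directions, drops inbound packets with no matching entry (or from a different remote endpoint than the one the binding was created for), and removes entries after both FINs or an idle timeout. The 203.0.113.x / 198.51.100.x addresses and the port range are constructed documentation-range values.

```python
from dataclasses import dataclass


@dataclass
class Binding:
    private: tuple        # (private_ip, private_port)
    remote: tuple         # (remote_ip, remote_port) the binding was created for
    public_port: int
    last_seen: float
    fin_out: bool = False
    fin_in: bool = False


class Napt:
    """Port-translating NAT with address-and-port-dependent filtering."""

    def __init__(self, public_ip: str, first_port: int = 40000, idle_timeout: float = 300.0):
        self.public_ip, self.next_port, self.idle_timeout = public_ip, first_port, idle_timeout
        self.by_key = {}      # (private, remote) -> Binding
        self.by_port = {}     # public_port -> Binding

    def outbound(self, src_ip, src_port, dst_ip, dst_port, flags, now):
        """Private -> public; returns the translated (src_ip, src_port, dst_ip, dst_port) or None."""
        key = ((src_ip, src_port), (dst_ip, dst_port))
        b = self.by_key.get(key)
        if b is None:
            if "SYN" not in flags:
                return None                   # no state and not a connection start: drop
            b = Binding(key[0], key[1], self.next_port, now)
            self.next_port += 1
            self.by_key[key] = b
            self.by_port[b.public_port] = b
        b.last_seen = now
        b.fin_out |= "FIN" in flags
        self._maybe_close(b)
        return (self.public_ip, b.public_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port, flags, now):
        """Public -> private; unsolicited traffic has no binding and is dropped."""
        b = self.by_port.get(dst_port)
        if b is None or b.remote != (src_ip, src_port):
            return None                       # this is why inbound connections fail without help
        b.last_seen = now
        b.fin_in |= "FIN" in flags
        self._maybe_close(b)
        return (src_ip, src_port, b.private[0], b.private[1])

    def _maybe_close(self, b):
        if b.fin_out and b.fin_in:            # a real NAT keeps it briefly so the last ACK passes
            self._remove(b)

    def _remove(self, b):
        self.by_key.pop((b.private, b.remote), None)
        self.by_port.pop(b.public_port, None)

    def expire(self, now):
        """Idle timeout sweep; returns how many bindings were removed."""
        stale = [b for b in self.by_port.values() if now - b.last_seen > self.idle_timeout]
        for b in stale:
            self._remove(b)
        return len(stale)


if __name__ == "__main__":
    nat = Napt("203.0.113.7")
    print(nat.outbound("192.168.1.10", 51000, "198.51.100.5", 443, {"SYN"}, now=0))
    print(nat.inbound("198.51.100.5", 443, 40000, {"SYN", "ACK"}, now=1))
    print(nat.inbound("198.51.100.9", 443, 40000, {"SYN"}, now=1))   # None: unsolicited
```

The mapping a STUN server would report for the inside host is exactly the `(public_ip, public_port)` pair `outbound()` returns; with the remote-endpoint check in `inbound()` that mapping only admits the peer it was created for, which is the case where STUN alone is insufficient and TURN relaying is needed.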
Firewall Types
- Packet filter: match on IP/port/flags — stateless, fast, can be fooled by fragments
- Stateful: track connection state — drops unsolicited inbound, handles NAT
- Proxy/application: deep inspection — slower, protocol-aware
Security Attacks by Protocol Layer
| Protocol | Attack | Mechanism |
|---|---|---|
| ARP | ARP spoofing | Fake ARP replies → MITM |
| IP | IP spoofing | False source address |
| ICMP | Smurf, Fraggle | Broadcast amplification |
| TCP | SYN flood | Half-open connection exhaustion |
| TCP | Session hijack | Guess ISN, inject data |
| DNS | Cache poison | Race condition on resolver |
| DNS | Amplification | Small query, large response |
| UDP/IP | Teardrop | Overlapping fragments crash OS |