Overview of Transport Layer Ports
because both SMTP and the World Wide Web services use TCP as their transport layer
protocol. A port number must be associated with the conversation between hosts to
ensure that the packet reaches the appropriate service on the server. Without a way to
distinguish between different conversations, the client is unable to send an e-mail and
browse a web page at the same time using one server. A method to separate transport
layer conversations must be used.
Hosts running TCP/IP associate ports at the transport layer with certain applications.
Port numbers are used to keep track of different conversations that cross the network
at the same time. Port numbers are necessary when a host is communicating with a
server running multiple services. Both TCP and UDP use port, or socket, numbers to
pass information to the upper layers. Figure 19-13 shows an example of TCP and UDP
port numbers.
Figure 19-13 TCP and UDP Port Numbers
[Figure 19-13: the application layer protocols FTP, Telnet, SMTP, DNS, TFTP, and SNMP sit above the transport layer (TCP and UDP) and use port numbers 21, 23, 25, 53, 69, and 161, respectively.]
Application software developers have agreed to use the well-known port numbers that
are defined in RFC 1700. For example, any conversation bound for the FTP application
uses the standard port number 21. Conversations that do not involve applications
with well-known port numbers are assigned port numbers that have been randomly
selected from within a specific range. These port numbers are used as source and
destination addresses in the TCP segment. Table 19-1 lists the reserved TCP and UDP port
numbers.
Table 19-1 Reserved TCP and UDP Port Numbers
Decimal   Keyword     Description
0         -           Reserved
1–4       -           Unassigned
5         rje         Remote job entry (RJE)
7         echo        Echo
9         discard     Discard
11        users       Active users
13        daytime     Daytime
15        netstat     Who is up or netstat
17        quote       Quote of the day
19        chargen     Character generator
20        ftp-data    FTP (data)
21        ftp         FTP
23        telnet      Terminal connection
25        smtp        SMTP
37        time        Time of day
39        rlp         Resource Location Protocol
42        nameserver  Host name server
43        nickname    Who is
53        domain      DNS
67        bootps      Bootstrap protocol server
68        bootpc      Bootstrap protocol client
69        tftp        TFTP
75        -           Any private dial-out service
77        -           Any private RJE Service
79        finger      Finger
80        HTTP        Hypertext Transfer Protocol
123       ntp         Network Time Protocol (NTP)
133–159   -           Unassigned
160–223   -           Reserved
Table 19-1 Reserved TCP and UDP Port Numbers (Continued)
Decimal   Keyword     Description
224–241   -           Unassigned
242–255   -           Unassigned
Port numbers have the following assigned ranges:
■ Numbers below 255 are for public applications.
■ Numbers from 255 to 1023 are assigned to companies for marketable applications.
■ Numbers above 1023 are unregulated.
End systems use port numbers to select proper applications. As shown in Figure 19-14,
the originating source port number (1028) is dynamically assigned by the source host.
Usually, this port number is larger than 1023. The Internet Assigned Numbers Authority
(IANA) controls port numbers in the range of zero to 1023.
Figure 19-14 Source and Destination Ports
[Figure 19-14: Host A sends a Telnet segment to Host Z with source port 1028 and destination port 23. Host Z: "Destination port = 23. Send packets to my Telnet application."]
Ports for Services
Services running on hosts must have a port number assigned to them for communication
to occur. A remote host attempting to connect to a service expects that service to
run on certain transport layer protocols at particular ports. Some ports, defined in
RFC 1700, are known as the well-known ports. These ports are reserved in both TCP
and UDP.
These well-known ports can identify applications that run above the transport layer
protocols. For example, a server running the FTP service forwards TCP connections
using ports 20 and 21 from clients to its FTP application. This way, the server can
determine exactly what service a client is requesting. TCP and UDP use port numbers
to determine the correct service to forward service requests to.
Ports for Clients
Whenever a client connects to a service on a server, a source and destination port must
be specified. TCP and UDP segments contain fields for source and destination ports.
Destination ports, or ports for services, are normally defined using the well-known
ports. Source ports, those set by the client, are determined dynamically.
In general, a client determines the source port by randomly assigning a number above
1023. For instance, a client attempting to communicate with a web server uses TCP
and assigns the destination port as 80 and the source port as 1045. When the packet
arrives at the server, it passes up to the transport layer and eventually to the World
Wide Web service, which operates at port 80. The World Wide Web server responds to
the client’s request with a segment that uses port 80 as the source and port 1045 as the
destination. In this way, clients and servers use ports to distinguish what process the
segment is associated with. If a client has two browser sessions open to two different
web servers, the destination port is 80 for both sessions. However, the source port is a
different number for each session (for example, 1045 and 1048). This difference
allows the client to keep track of the two different conversations.
Port Numbering and Well-Known Ports
Port numbers are represented by 2 bytes in the header of a TCP or UDP segment. This
16-bit value can result in port numbers ranging from 0 to 65,535. These port numbers
are divided into three different categories:
■ Well-known ports
■ Registered ports
■ Dynamic or private ports
The first 1023 ports are well-known ports. As previously discussed, these ports are
used for well-known network services such as FTP, Telnet, DNS, or HTTP. Registered
ports range from 1024 to 49151 and identify services such as Cisco-Net-Mgmt and
Calendar Access Protocol. Finally, ports between 49152 and 65535 are defined as
dynamic or private ports.
Example of Multiple Sessions Between Hosts
Port numbers are used to track multiple sessions that can occur between hosts. A port
number and a network address combine to form a socket. A pair of sockets, one on each
host, forms a unique connection. For example, a host can have a Telnet connection
through port 23, while simultaneously surfing the net through port 80. The IP address
and the MAC address are the same because the packets are coming from the same
host. However, the port numbers are different because they are different protocols
and, thus, different sockets.
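The port fields and socket pairs described in "Ports for Clients" and "Port Numbering and Well-Known Ports" can be read straight out of segment bytes. The following is an added example, not code from the book: it parses the two 16-bit port fields, classifies them by the three ranges above, and groups packets into conversations by socket pair. The IP addresses, the helper names, and the zero-filled header bytes are constructed for illustration.

```python
import struct
from collections import defaultdict

def port_category(port):
    """Classify a port using the three ranges given in the text."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError(f"not a 16-bit port: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"

def parse_ports(segment):
    """Source and destination port are the first two 16-bit big-endian
    fields of both the TCP and the UDP header."""
    if len(segment) < 4:
        raise ValueError("segment too short to hold the port fields")
    return struct.unpack("!HH", segment[:4])

def conversation_key(src_ip, dst_ip, segment):
    """Socket pair with direction removed, so a request and its reply
    map to the same conversation."""
    sport, dport = parse_ports(segment)
    return tuple(sorted([(src_ip, sport), (dst_ip, dport)]))

def group_conversations(packets):
    """Count packets per socket pair."""
    counts = defaultdict(int)
    for src_ip, dst_ip, segment in packets:
        counts[conversation_key(src_ip, dst_ip, segment)] += 1
    return dict(counts)

def fake_segment(sport, dport):
    # Constructed sample: real port fields, remaining 16 header bytes zeroed.
    return struct.pack("!HH", sport, dport) + bytes(16)

# Constructed capture: one client, two web servers (addresses are made up).
CLIENT, WEB1, WEB2 = "192.0.2.10", "198.51.100.1", "198.51.100.2"
PACKETS = [
    (CLIENT, WEB1, fake_segment(1045, 80)),   # first browser session
    (CLIENT, WEB2, fake_segment(1048, 80)),   # second browser session
    (WEB1, CLIENT, fake_segment(80, 1045)),   # server reply, ports swapped
]

if __name__ == "__main__":
    for key, n in group_conversations(PACKETS).items():
        print(key, n, [port_category(p) for _, p in key])
```

Both sessions share destination port 80, so only the full socket pair separates them. The client ports 1045 and 1048 from the text fall numerically in the registered range.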
Comparison of MAC Addresses, IP Addresses, and Port Numbers
MAC addresses, IP addresses, and port numbers are often confusing, but this confusion
can be avoided if the addresses are explained in reference to the OSI reference
model. Port numbers are located at the transport layer and are serviced by the network
layer. The network layer assigns the logical address, or IP. It is then serviced by the
data link layer, which assigns the physical address, or MAC.
TCP/IP and the Internet Layer
Internet Protocol (IP) is the Layer 3 protocol responsible for the addressing scheme
that allows packets to be properly routed over intranets and the Internet to their
destinations. Routers use the IP address information in an IP packet header to determine
which interface the packet should be switched to in order to reach its destination. IP
does not provide any services to ensure that the packet reaches its destination. IP is
described as an unreliable, connectionless protocol. Packets might be dropped en route,
arrive in the wrong order, or be transmitted faster than the receiver can accept them. IP
has no means of overcoming these and other delivery issues.
The Internet layer of the TCP/IP stack corresponds to the network layer of the OSI
model. The network layer is responsible for getting packets through a network using
software addressing.
Lab Activity—Multiple Active Host Sessions
In this activity, you enable HTTP services on a router and observe multiple
HTTP and Telnet sessions on a single host using the netstat command.
Lab Activity—Well-Known Port Numbers and Multiple Sessions
In this activity, you observe the well-known port numbers of multiple sessions
on a single host using the netstat command.
As shown in Figure 19-15, several protocols operate at the TCP/IP Internet layer,
corresponding to the OSI network layer:
■ IP—Provides addressing and connectionless, best-effort delivery routing of datagrams,
is not concerned with the content of the datagrams, and looks for a way
to move the datagrams to their destination
■ ICMP—Provides control and messaging capabilities
■ Address Resolution Protocol (ARP)—Determines the data link layer (MAC)
addresses for known IP addresses
■ Reverse Address Resolution Protocol (RARP)—Determines network addresses
when data link layer addresses are known
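Figure 19-15 OSI Network Layer
[Figure 19-15: the TCP/IP layers (Application, Transport, Internet, Network Interface), with IP, ICMP, ARP, and RARP at the Internet layer.]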
How ARP Works
ARP is used to resolve or map a known IP address to a MAC sublayer address. This
mapping allows for communication because the data link hardware will not accept a
frame unless the MAC address in the frame matches the hardware MAC address (or it
is a broadcast MAC address). To determine a destination MAC address for a datagram,
a table called the ARP cache is checked. Every host on a TCP/IP network (routers,
workstations, servers, and so on) maintains an ARP cache. If the address is not in the
table, ARP sends a broadcast that is received by every station on the network, looking
for the destination station. The term local ARP describes the search for an address
when the requesting host and the destination host share the same medium or wire. As
shown in Figure 19-16, before issuing the ARP, the subnet mask must be consulted. In
this case, the mask determines that the nodes are on the same subnet.
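The local ARP sequence just described (subnet-mask check, cache lookup, broadcast request, reply from the owner of the address) is shown below as an added example, not code from the book. It uses the addresses from Figure 19-16 (172.16.3.1 asking for 172.16.3.2, Ethernet 0800.0020.1111); the subnet mask 255.255.255.0, the requester's MAC, the extra station, and the `stations` dictionary that stands in for the shared wire are assumptions.

```python
import ipaddress
import struct

ARP_FMT = "!HHBBH6s4s6s4s"        # Ethernet/IPv4 ARP message body, 28 bytes
REQUEST, REPLY = 1, 2

def mac_bytes(dotted):
    """Convert dotted notation (0800.0020.1111) to 6 raw bytes."""
    return bytes.fromhex(dotted.replace(".", ""))

def same_subnet(ip_a, ip_b, mask):
    """The subnet-mask check made before a local ARP is issued."""
    net = ipaddress.ip_network(f"{ip_a}/{mask}", strict=False)
    return ipaddress.ip_address(ip_b) in net

def build_arp(oper, sha, spa, tha, tpa):
    """Pack an ARP message: hardware type 1 (Ethernet), protocol 0x0800 (IPv4)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, sha,
                       ipaddress.ip_address(spa).packed, tha,
                       ipaddress.ip_address(tpa).packed)

def parse_arp(msg):
    if len(msg) < 28:
        raise ValueError("truncated ARP message")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, msg[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return oper, sha, str(ipaddress.ip_address(spa)), tha, str(ipaddress.ip_address(tpa))

def resolve(cache, my_mac, my_ip, mask, target_ip, stations):
    """Return the MAC for target_ip, or None. `stations` (IP -> MAC) is a
    hypothetical stand-in for the hosts that hear the broadcast."""
    if not same_subnet(my_ip, target_ip, mask):
        return None                      # not a local ARP case
    if target_ip in cache:
        return cache[target_ip]          # cache hit: no broadcast needed
    request = build_arp(REQUEST, my_mac, my_ip, bytes(6), target_ip)
    _, sha, spa, _, tpa = parse_arp(request)     # what each station sees
    for ip, mac in stations.items():
        if ip == tpa:                    # only the owner of the IP answers
            reply = build_arp(REPLY, mac, ip, sha, spa)
            _, r_mac, r_ip, _, _ = parse_arp(reply)
            cache[r_ip] = r_mac          # learn the mapping from the reply
            return r_mac
    return None

# Figure 19-16 values; requester MAC, second station and mask are constructed.
STATIONS = {"172.16.3.2": mac_bytes("0800.0020.1111"),
            "172.16.3.9": mac_bytes("0800.0020.3333")}
MY_MAC, MY_IP, MASK = mac_bytes("0800.0020.2222"), "172.16.3.1", "255.255.255.0"
```

Calling `resolve({}, MY_MAC, MY_IP, MASK, "172.16.3.2", STATIONS)` fills the cache from the reply; a second call with the same cache returns the stored address without building a request.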
Figure 19-16 OSI Network Layer
[Figure 19-16: host 172.16.3.1 broadcasts "I need the Ethernet address of 172.16.3.2." Host 172.16.3.2 answers "I heard that broadcast; that is me. Here is my Ethernet address." The unknown mapping for IP 172.16.3.2 resolves to Ethernet 0800.0020.1111.]
RARP is a TCP/IP protocol that permits a physical address, such as an Ethernet
address, to be translated into an IP address. Consequently, this protocol is the opposite
of ARP. Hosts such as diskless workstations often know only their hardware interface
addresses, or MAC address, when booted, but not their IP addresses. They must discover
their IP addresses from an external source. Usually, a RARP server using the
RARP protocol can resolve this situation.
Summary
In this chapter, you learned the following:
■ TCP is a connection-oriented transport layer protocol that provides necessary
quality of service processes to the unreliable IP protocol.
■ TCP provides reliability, flow control, and virtual connection services.
■ TCP utilizes a three-way handshake to establish synchronized communication
between hosts.
■ Sliding windows allow for dynamic data flow control.
■ Sequence numbers ensure proper data reassembly by the receiving host.
■ UDP is a connectionless transport layer protocol.
■ UDP and TCP use ports to distinguish upper layer applications.
To supplement all that you’ve learned in this chapter, refer to the chapter-specific Videos,
PhotoZooms, and e-Lab Activities on the CD-ROM accompanying this book.
Key Terms
ARP (Address Resolution Protocol) Internet protocol used to map an IP address to
a MAC address.
DoS (denial-of-service) Type of attack on a network that is designed to bring the
network to its knees by flooding it with useless traffic.
flow control The process of adjusting the flow of data from one device to another
to ensure that the receiving device can handle all of the incoming data.
RARP (Reverse Address Resolution Protocol) Protocol in the TCP/IP stack that
provides a method for finding IP addresses based on MAC addresses.
TCP (Transmission Control Protocol) Connection-oriented transport layer protocol
that provides reliable full-duplex data transmission. TCP is part of the TCP/IP protocol
stack.
UDP (User Datagram Protocol) Connectionless transport layer protocol in the
TCP/IP protocol stack. UDP is a simple protocol that exchanges datagrams without
acknowledgments or guaranteed delivery, requiring that error processing and
retransmission be handled by other protocols.
well-known ports These ports are defined in RFC 1700 and are reserved in both
TCP and UDP. These well-known ports can identify applications that run above the
transport layer protocols.
windowing Manages the flow. The recipient reports to the sender what size window
in terms of octets it’s able to accept at this time. The sender then sends that many
octets to the receiving host.
Check Your Understanding
Complete all the review questions to test your understanding of the topics and
concepts in this chapter. Answers are listed in Appendix C, “Check Your Understanding
Answer Key.”
1. Which of the following best describes TCP/IP?
A. It is a suite of protocols that can be used to communicate across any set of
interconnected networks.
B. It is a suite of protocols that allows LANs to connect into WANs.
C. It is a suite of protocols that allows for data transmission across a multitude
of networks.
D. It is a suite of protocols that allows different devices to be shared by
interconnected networks.
2. Which of the following is one of the protocols found at the transport layer?
A. UCP
B. UDP
C. TDP
D. TDC
3. What is the purpose of port numbers?
A. They keep track of different conversations crossing the network at the same
time.
B. Source systems use them to keep a session organized and to select the proper
application.
C. End systems use them to dynamically assign end users to a particular session,
depending on their application use.
D. Source systems generate them to predict destination addresses.
4. Which of the following best describes UDP?
A. A protocol that acknowledges flawed or intact datagrams
B. A protocol that detects errors and requests retransmissions from the source
C. A protocol that processes datagrams and requests retransmissions when
necessary
D. A protocol that exchanges datagrams without acknowledgments or
guaranteed delivery
5. Which of the following TCP/IP layers includes file transfer, e-mail, remote login,
and network management?
A. Transport
B. Application
C. Internet
D. Network
6. Why are TCP three-way handshake/open connections used?
A. To ensure that lost data can be recovered if problems occur later
B. To determine how much data the receiving station can accept at one time
C. To provide efficient use of bandwidth by users
D. To change binary ping responses into information in the upper layers
7. What does a TCP sliding window do?
A. It makes the window larger so that more data can come through at once,
which results in more efficient use of bandwidth.
B. The window size slides to each section of the datagram to receive data, which
results in more efficient use of bandwidth.
C. It allows the window size to be negotiated dynamically during the TCP
session, which results in more efficient use of bandwidth.
D. It limits the incoming data so that each segment must be sent one by one,
which is an inefficient use of bandwidth.
8. UDP segments use what protocols to provide reliability?
A. Network layer protocols
B. Application layer protocols
C. Internet protocols
D. Transmission Control Protocols
9. Which of the following best describes window size?
A. The maximum size of the window that software can have and still process
data rapidly
B. The number of messages or bytes that can be transmitted while awaiting an
acknowledgment
C. The size of the window, in picas, that must be set ahead of time so that data
can be sent
D. The size of the window opening on a monitor, which is not always equal to
the monitor size
10. What is the function of ARP?
A. It completes research for a Layer 3 destination address.
B. It is used to develop a cached Layer 4 address resource table.
C. It is used to map an IP address to a MAC address.
D. It sends a broadcast message looking for the router IP address.