The Bits and Bytes of Computer Networking

Some WIP notes from a first watch of Google’s The Bits and Bytes of Computer Networking course.

This course appears to be targeted at a support engineer

Parallels with person-to-person communication and the rules that we follow.

TCP/IP 5-layer model (we’ll also touch on 7-layer OSI)

Introduction to networking

Five-layer model

  1. Physical layer - physical devices that interconnect computers (cables, connectors, signals)
  2. Data Link layer - defining a common way of interpreting signals so network devices can communicate. Ethernet the most common protocol. Define a protocol responsible for getting data to nodes on the same network or link.
  3. Network layer - getting data delivered across a collection of networks (e.g. home computer connects to server) from one node to another - Internet Protocol (IP)
  4. Transport layer (why do emails come to your email client) - sorts out which client programs are meant to get the data. Transmission Control Protocol (TCP), or USP (User Datagram Protocol)
  5. Application layer - application-specific (web, email, …)


Copper twisted-pair: most common are Cat5, Cat5e, Cat6 - affects length / transfer rate, resistance to interference

Crosstalk: when an electrical pulse on one wire accidentally detected on the other wire

Fiber optic: longer distance than copper, not affected by interference, much more fragile

Network devices


Hubs and switches are used on a single network (LAN). Router: a device that knows how to forward data between independent networks

Router is a Layer 3 (network layer) device. Router inspects IP data to determine where to send things.

(Routing tables?)

Home / office routers - forward traffic from home to ISP. There a more sophisticated router takes over.

Core ISP routers deal with complexity in deciding where to send traffic.

Routers communicate with BGP (Border Gateway Protocol) - informs about optimal paths to transfer traffic

(Aside: network engineer designs a network?)

Physical layer - moving bits across the wire

Modulation - the way of varying the voltage of charge across charge. Aka line coding. Representing 1s and 0s.

Twisted pair cable: cat6 has 8 wires (4 twisted pairs). How many are in use? depends on transmission technology.

Allows for duplex communication: information can flow in both directions across the cable (in contrast with simplex)

1 or 2 pairs reserved for communicating in each direction

RJ45 plug / port: exposes the internal wires

RJ45 port LEDs:

Network connectors in walls usually end in patch panel: container for endpoints of many runs of cable. Cables then run from patch panel to a switch


Ethernet and MAC addresses

Ethernet 1980, standardized 1983. A few changes since then for increasing bandwidth needs, but pretty much as it was then. Back then, switches hadn’t been invented yet. All devices shared a single collision domain (network segment where only one device can send data at a time). Ethernet solved this with carrier sense multiple access with collision detection (CSMA/CD): if no data currently being sent, node will feel free to send data. If both try and send data, they’ll detect and stop. Both wait a random time and then try again.

On a collision domain, all nodes receive all signals. We need a way of identifying who data was intended for. Hence MAC address (globally unique ID atached to an individual network interface). 48-bit (6 groupings of 2 hex numbers). Or an octet. Any number that can be represented in 256 bits (2 hex digits).

How are MAC addresses globally unique?

Transmission modes

Dissecting an Ethernet frame

data packet: all encompassing term for any single set of binary data being sent across a network link (not tied to layer or technology - concept)

At Ethernet level they’re known as frames. Highly structured collection of information presented in specific order.

The network layer

MAC addresses are not a good way of addressing computers on different networks - they have no useful organisation and tell us nothing about a physical location. We need something else.

IP addresses

32-bit, 4 octets. Dotted decimal notation

Distributed in large sections to various organisations. Hierarchical and easier to store data about.

e.g. IBM own all IP addresses starting with 9. So if a router wants to get data to a network starting with 9, it knows it just needs to get it to one of IBM’s routers

IP addresses belong to networks, not the devices attached to those networks

IP datagrams and encapsulations

Packets in IP are called IP datagrams. Again, a highly structured series of fields. Header and payload.

Contains more data than an Ethernet frame header

IP address classes

An IP address can be split into network ID and host ID. first octet is network ID, remainder is host ID

address class system: a way of defining how global IP address space split up:

We talk of e.g. a “Class C network”.

Class affects max # hosts addressable on network.

Can tell what type of network it is by first octet.

There are also

Mainly replaced by CIDR - classless inter-domain routing

Address Resolution Protocol

A protocol used to discover the hardware address of a node with a certain IP address.

Transmitting device needs a destination MAC address.

All devices maintain a local list of IP - MAC addresses (ARP table)

If we want to send to an IP we don’t have a table entry for, then it sends it to MAC broadcast address. Then the computer with that IP address responds with an ARP response containing its MAC address. Computer will then store this in its local IP table.

ARP table entries usually expire after a short period of time.

(Not sure what this has to do with the Internet - it seems to be talking about a LAN)


Taking a large network and splitting it up into smaller sub-networks

Incorrect subnetting setups are a common IT support problem

IP routers route to the “gateway router” - entry and exit path to a certain network e.g. to the class A network, which is then responsible to getting it to the correct system by looking at the host ID

But on a class A network that’s 16 million host IDs - way too many to connect to one router

So split it up - multiple subnets each with their own gateway.

Subnet masks

Subnet ID. In a network with subnetting, some of the bits that would otherwise be used for the host ID are used for the subnet ID.

Subnet IDs are calculated by subnet mask - 32-bit numbers, written as 4 octets in decimal. is, in binary:

0000 1001 0110 0100 0110 0100 0110 0100

Subnet mask: 1111 1111 1111 1111 1111 1111 0000 0000 - tells us what we can ignore when computing a host ID

Tells a router what part of an IP address is the subnet ID

(where is this defined)

27 1’s followed by 5 0’s - 5 bits of host ID space (32 addresses)

Shorthand way of writing subnet masks (CIDR notation) with subnet mask of

can be written as (what is this telling us?)

and then there’s something about doing an AND…?


Address classes where the first attempt at addressing the global Internet IP space. Subnetting introduced when became clear address classes themselves weren’t sufficient.

Not enough class A networks, possibly too many class Cs to put in a routing table. The number of hosts avaialable is often too large or small for # hosts needed by an organisation. Orgs often ended up with multiple adjoining class Cs.

Demarcation point: where one system ends and another begins

Abandons concept of address classes


If I’ve understood correctly, there’s no “subnet”, it’s a “netmask” and a “network”? “Routers only need to know one entry in routing table”


Most intensive routing issues are handled by ISPs and largest companies

Complex topic

Router: network device that forwards traffic depending on destination address. Has at least 2 network interfaces

Network A: (router at Network B: (router at

How it works:

  1. sends packet to
  2. It knows that that isn’t on its local subnet.
  3. So it sends it to the MAC address of its gateway (the router).
  4. Router’s interface receives it (because of MAC address)
  5. Router strips away data link layer encapsulation
  6. Inspect IP datagram.
  7. Finds destination of
  8. Looks at routing table and finds that network (B) is the destination
  9. Sees it’s only one hop away
  10. Router has MAC address for that IP in its ARP table
  11. Decrements TTL field
  12. Re-encapsulates in new Ethernet frame, sets its own MAC address as the source
  13. and sets the MAC from ARP table as destination MAC address

Now let’s introduce a third network:

Network C: 172.16.1/23

Computer on Network A wants to send to computer on Network C

Core Internet routers usually connected in a mesh - multiple routes for a packet to take

Routing tables

Major OSs today still have a routing table they ship with. Vary a ton depending on make and class of router

4 columns:

  1. destination network - each network the router knows about (network ID and netmask)
  2. next hop - next router that should receive data intended for that network (or that it’s directly connected)
  3. total hops - how far away that destination is
  4. interface - which of its interfaces it should forward traffic matching the destination network out on

Routing tables on Internet have millions of rows, and must be consulted for every packet

Interior gateway protocols

Magic of routing is how the routing tables are constantly updated

Routers use routing protocols to share information with other routers

Exterior gateway protocols

Getting data to the edge router of an autonomous system is #1 goal of core Internet routers.

IANA helps manage things like IP address allocation. Also responsible for ASN (Autonomous System Number) allocation. 32-bit numbers (like IP) but written as single decimal numbers

Non-addressable address space

There’s only 4 billion IP addresses, but 7.5 billion humans

Can’t account for data centres

RFC 1918, 1996. Outlined addresses that would be non-routable address space. Ranges of IPs set aside for anyone that cannot be routed to. Not every computer connected to the internet needs to be able to communicate. No gateway router would attempt to forward traffic to this type of network.

In future module we’ll cover NAT. Allows computers on non-routable address space to communicate with other computers on the Internet.

Primary 3 ranges are:


interior gateway protocols will route these

Transport layer

Allows traffic to be directed to specific network applications

Dissection of a TCP segment

an IP datagram encapsulates a TCP segment: TCP header + data section

  1. source port - high-numbered port chosen from a special selection called ephemeral ports - needed to keep lots of outgoing connections separate
  2. destination port
  3. sequence number - used to keep track of where in a sequence of TCP segments this one is expected to be
  4. acknowledgement number - number of the next expected segment - e.g. “this is segment 1, expect segment 2 next”
  5. header length
  6. control flags (6 bits) - we’ll see
  7. TCP window - specifies range of sequence numbers that might be sent before acknowledgement required
  8. checksum (similar to IP and Ethernet)
  9. urgent pointer field - used with one of the TCP control flags to point out segments that might be more important than others. Not really seen adoption in modern networking
  10. options - rarely seen in real world
  11. padding - 0s to ensure payload begins at expected location

TCP control flags and the three-way handshake

  1. URG - urgent (see urgent pointer field for more info about why)
  2. ACK - acknowledged - means the acknowledgement number field should be examined
  3. PSH - push - transmitting device wants the receiving device to push currently-buffered data to the application on the receiving end as soon as possible
  4. RST - reset - one of the sides of the connection hasn’t been able to recover properly from sequence of malformed / missing segments (“let’s start over from scratch”)
  5. SYN - synchronize - used when first establishing a TCP connection, makes sure the receiving end knows to examine the sequence number field
  6. FIN - finish - transmitting computer doesn’t have any more data to send and the connection can be closed

Establishing a connection (three-way handshake)

  1. SYN “let’s establish a connection, and look at my sequence number field so we know where this conversation starts”
  2. SYN/ACK “sure, let’s establish a connection, and I acknowledge your sequence number”
  3. ACK “I acknowledge your acknowledgement, let’s start sending data”

Now operating in full duplex. Each segment sent in either direction should be responded to with an ACK.

Closing a connection (four-way handshake)

  1. FIN (closer)
  2. ACK (other)
  3. FIN (other)
  4. ACK (closer)

TCP socket states

Socket: the instantiation of an endpoint in an potential TCP connection

TCP sockets can exist in lots of states, and understanding them will help troubleshooting:

These states are OS-specific, lie outside of the TCP spec

Connection-oriented and connectionless protocols

TCP is connection-oriented: establishes a connection, and uses this to check all data has been properly transmitted

Even minor crosstalk from another twisted pair in same cable can make a CRC fail - this causes a whole frame to be discarded

Congestion might cause a router to drop traffic in favour of a higher priority one, or construction company might cut a cable between ISPs

IP and Ethernet use checksums, but they don’t re-send data that doesn’t pass the check, it just gets discarded

TCP sends all segments in sequential order, but they might not arrive in that order - this is why sequence numbers important

TCP has overhead (set up, tear down, acknowledge), only necessary if you really care about the data getting there

UDP - you just set destination port and send packet. For example, streaming video. Imagine each UDP datagram is a single frame of a video. Doesn’t really matter if a few get lost along the way


A device that blocks traffic that meets certain criteria.

Can operate at:

Small business network, with a server that serves company website, and also private file server. So firewill would only allow traffic to port 80.

Sometimes independent network devices. But best to think of them as a program that can run anywhere. For home users, the router and firewall are usually same device.

Application layer

Too many protocols to dive into here. Let’s briefly talk HTTP.

All web browsers and servers need to speak same protocol (HTTP).

The application layer and the OSI model

Open Systems Interconnection - the most rigorously defined, often used in academic settings / certification orgs

Introduces 2 layers between transport and application:

There’s no additional encapsulation going on here, which is why we usually focus on the 5-layer model here

All the layers working in unison

The whole thing here is just desribing getting a single TCP segment with a SYN flag from computer 1 to computer 2

(This is very cool.)

Networking services

DNS, DHCP, NAT, VPN, proxies


IP address is a 32-bit binary number, MAC address 48-bit binary number. Humans are better at remembering words. Furthermore, you’d have to remember changing IP addresses

Domain names might resolve to different things depending on where in the world you are

DNS servers need to be specifically configured at a node in a network

Alongside IP address, subnet mask, gateway – DNS server is the final piece of standard modern network configuration that needs to be put into a host

There are 5 primary types of DNS server, and a given server can fulfil many of these roles at once

  1. caching name servers
  2. recursive name servers - these first 2 usually provided by ISP or local network; their purpose is to store known domain name lookups for a certain amount of time. Recursive means they perform fully recursive DNS resolution requests (?)
  3. root name servers
  4. TLD name servers
  5. authoritative name servers

All domain names in global DNS system have a TTL (in seconds), how long a name server is allowed to cache an entry before it should discard it and perform a full resolution again. In the past, these used to be huge, e.g. ~ 1 day, due to limited bandwidth. These days, they’ve dropped to ~few mins to ~few hours.

So, what does a full recursive resolution look like?

  1. Contact root name server - there’s 13 of those. Previously in a specific location, but now distributed around the globe using anycast - routes traffic to different destinations depending on traffic, location etc. A router can send a datagram to a specific IP but see it routed to one of many different destinations. (Q: so why do we need geo-based DNS if we have anycast?) Responds with the TLD name server that should be queried
  2. TLD name server: e.g. - the .com portion should be thought of as the TLD. Each TLD has a name server (but again, doesn’t mean there’s just one physical name server). Responds with the authoritative name server
  3. Authoritative server: provides the actual IP of the server in question

Each computer also usually has its own temporary DNS cache too.


A single DNS request and response can usually fit in a single UDP datagram.

DNS listens on port 53

With TCP, a full DNS lookup would take the exchange of 44 packets. Whereas it’d be 8 UDP datagrams.

How does error recovery work? DNS resolver asks again if it doesn’t get a response, which is the same functionality that TCP provides at the transport layer. DNS over TCP also exists and is frequently used, especially since single DNS req/res no longer expects in a single UDP datagram. In that case, the DNS server responds saying the record is too large, and that the requester needs to open a TCP connection