TCP/IP Explained: How the Internet Actually Works [2026]

The internet is not magic — it's a set of rules every computer agreed to follow. Those rules are TCP/IP. Every web page you load, every API call your code makes, every sensor reading your IoT device transmits travels through this same system of protocols.

Most developers use TCP/IP every day without thinking about it. That's fine until something breaks — a connection refuses, latency spikes, packets get dropped — or until you're designing a system where these details matter for performance, security, or reliability.

What TCP/IP Is and Why It Matters

TCP/IP is the suite of communication protocols that governs how data is transmitted over the internet. It defines how computers address each other, how packets are routed across networks, how connections are established and maintained, and how applications communicate.

It was developed in the 1970s by DARPA (the same agency that created ARPANET, precursor to the internet). The design philosophy was radical: decentralized, end-to-end design where the network carries data without caring about its content, and intelligence lives at the endpoints. This is why the internet is so resilient — there is no single point of failure.

The Four-Layer Model

The TCP/IP model has four layers. Each layer adds a header when sending data (encapsulation) and strips the header when receiving it (decapsulation). Data flows down the layers to send, up the layers to receive.

• Application Layer: What applications use. HTTP/HTTPS for web. SMTP/IMAP for email. DNS for name resolution. SSH for remote access. FTP for file transfer. Each defines its own message format and uses the layers below.
• Transport Layer: TCP or UDP. Handles delivery to the right application via port numbers. TCP adds reliability, ordering, and flow control. UDP adds just ports and checksums.
• Internet Layer: IP. Handles addressing (IP addresses) and routing (forwarding packets toward their destination across multiple networks). Routers operate at this layer.
• Network Link Layer: The physical network — Ethernet, WiFi, fiber. Handles transmission on a single physical link. MAC addresses identify devices on the same network segment.

When you send a web request: the HTTP layer creates a request → the Transport layer adds TCP headers (ports, sequence numbers) → the Internet layer adds IP headers (source and destination IP) → the Link layer adds Ethernet/WiFi headers (MAC addresses) → it goes out on the wire. Each router along the path reads the IP header, makes a routing decision, and forwards it onward.

IP Addressing and Routing

Every device on the internet has an IP address — a unique numerical identifier. IPv4 addresses are 32-bit numbers written as four octets (192.168.1.1). IPv6 addresses are 128-bit (2001:db8::1). Routers forward packets toward their destination by looking up the destination IP in their routing table and sending the packet out the appropriate interface.

Private IP ranges (not routable on the public internet): 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. Your home router uses NAT (Network Address Translation) to let all devices on your home network share one public IP address. When a packet comes back, the router uses its NAT table to forward it to the right internal device.

Subnetting: /24 means 256 addresses (254 usable), /16 means 65,536 addresses, /32 means a single host. CIDR notation (Classless Inter-Domain Routing) allows flexible IP space allocation.

TCP: Reliable, Ordered Delivery

TCP (Transmission Control Protocol) provides connection-oriented, reliable, ordered, error-checked delivery of a byte stream between applications. Before any data is sent, a three-way handshake establishes the connection.

The TCP three-way handshake:

1. SYN: Client sends a segment with SYN flag set and an initial sequence number (ISN).
2. SYN-ACK: Server acknowledges (ACK = client's ISN + 1) and sends its own SYN with its ISN.
3. ACK: Client acknowledges the server's SYN (ACK = server's ISN + 1). Connection established.

TCP reliability mechanisms:

• Sequence numbers: Every byte is numbered. The receiver can detect missing, duplicate, or out-of-order segments.
• Acknowledgments: Receiver acknowledges received data. Sender retransmits unacknowledged segments after a timeout.
• Flow control: Receiver advertises its window size (how much data it can buffer). Prevents fast senders from overwhelming slow receivers.
• Congestion control: TCP senses network congestion (packet loss) and reduces its sending rate. Algorithms: CUBIC (Linux default), BBR (Google).

UDP: Fast and Connectionless

UDP (User Datagram Protocol) provides no-frills transport: source port, destination port, length, checksum, and payload. No connection setup, no acknowledgment, no retransmission. If a packet is lost, UDP doesn't know and doesn't care.

Why UDP exists: TCP's reliability mechanisms add latency. The three-way handshake costs one round trip before data flows. Retransmission of lost packets delays later packets (head-of-line blocking). For DNS queries (single request-response, application handles retry), VoIP (stale voice samples are worse than missing ones), and video streaming (skipping a frame is better than buffering), UDP's low overhead wins.

HTTP/3 (QUIC) runs over UDP, not TCP. It implements reliable streams at the application layer, avoiding TCP's head-of-line blocking while keeping UDP's flexibility. This is the future of web protocol design.

DNS: The Internet's Phone Book

DNS (Domain Name System) translates human-readable domain names (example.com) to IP addresses (93.184.216.34). Every internet connection starts with a DNS query. DNS is hierarchical and distributed — no single server knows all names.

DNS resolution process:

1. Your browser checks its local cache. If expired or not found, asks the OS resolver.
2. OS resolver checks its cache. If not found, queries your configured DNS resolver (typically your ISP's or 8.8.8.8).
3. Recursive resolver queries root nameservers, then TLD nameservers (.com), then authoritative nameservers for the domain.
4. Authoritative nameserver returns the A record (IPv4 address) or AAAA record (IPv6).
5. Each response is cached according to its TTL (Time To Live).

DNS record types: A (IPv4 address), AAAA (IPv6), CNAME (canonical name alias), MX (mail server), TXT (text, used for SPF/DKIM verification), NS (nameserver), PTR (reverse lookup).

What Happens When You Type a URL

1. DNS: Browser queries DNS for the IP address of example.com. 2. TCP: Browser opens a TCP connection to port 443 (three-way handshake). 3. TLS: TLS handshake — certificate verification, key exchange. 4. HTTP: Browser sends GET / HTTP/1.1. 5. Response: Server sends back HTML with 200 OK. 6. Rendering: Browser parses HTML, makes additional requests for CSS/JS/images (each repeating steps 2-5 for new connections or reusing existing ones). Total time from URL to first byte: 100-500ms for a fresh connection, less with HTTP keepalive or HTTP/2 multiplexing.

Ports: Addressing Applications

Ports are 16-bit numbers (0-65535) that identify the application within a host. IP addresses identify computers; ports identify processes. Well-known ports: HTTP=80, HTTPS=443, SSH=22, DNS=53, SMTP=25/587, FTP=20/21, RDP=3389, MySQL=3306, PostgreSQL=5432, Redis=6379. When you run a web server on port 8080, you're telling the OS to send incoming TCP packets to port 8080 to your web server process.

Frequently Asked Questions

What is TCP/IP?

The protocol suite that powers the internet. IP handles addressing and routing; TCP provides reliable ordered delivery; UDP provides fast connectionless delivery; DNS translates names to IPs.

What is the difference between TCP and UDP?

TCP: reliable, ordered, connection-oriented. Used for HTTP, SSH, databases. UDP: connectionless, unreliable, fast. Used for DNS, VoIP, video streaming, gaming, HTTP/3.

What happens when you type a URL in a browser?

DNS lookup → TCP connection → TLS handshake → HTTP request → server response → browser renders. Each step is TCP/IP in action.

What is subnetting?

Dividing an IP network into smaller sub-networks using a subnet mask. /24 = 256 addresses. Enables network segmentation and efficient IP address allocation.