Networking is one of the most important functions of a modern operating system. Every time you browse a website, send an email, stream a video, or connect to a remote server, the Linux networking stack is working behind the scenes to move data between systems.
This tutorial explains how Linux networking works, including sockets, TCP, UDP, and the kernel network stack.
Introduction
Applications communicate using network protocols, but they do not interact directly with network hardware. Instead, they use networking interfaces provided by the operating system.
The Linux kernel acts as an intermediary between applications and the network hardware.
A simplified view looks like this:
Application
|
v
Socket API
|
v
TCP/UDP
|
v
IP Layer
|
v
Network Driver
|
v
Network Interface Card (NIC)
|
v
Network
Each layer performs a specific function.
What Is a Socket?
A socket is a software endpoint used for network communication.
Applications use sockets to send and receive data across a network.
A socket is identified by:
- IP address
- Protocol
- Port number
For example:
192.168.1.100:80
This identifies a service at IP address 192.168.1.100 listening on port 80.
Applications rarely communicate directly with TCP or UDP. Instead, they use sockets provided by the operating system.
The Socket API
Linux provides a programming interface called the Socket API.
Common socket functions include:
socket()
bind()
listen()
accept()
connect()
send()
recv()
close()
These functions allow applications to communicate without understanding the details of network hardware.
For example:
socket(AF_INET, SOCK_STREAM, 0);
This call creates a TCP socket.
What Happens When a Socket Is Created?
When an application creates a socket:
- The application calls the socket system call.
- The request enters the kernel.
- The kernel allocates socket structures.
- The socket becomes associated with a protocol.
- The application receives a file descriptor.
In Linux, sockets are treated similarly to files.
This design reflects the Unix philosophy that “everything is a file.”
Understanding Ports
Ports identify specific services on a system.
Examples:
| Port | Service |
|---|---|
| 22 | SSH |
| 53 | DNS |
| 80 | HTTP |
| 443 | HTTPS |
| 3306 | MySQL |
A server listens on a port:
0.0.0.0:80
Clients connect to that port to access the service.
TCP: Transmission Control Protocol
TCP provides reliable communication.
Features include:
- Connection-oriented communication
- Error detection
- Packet retransmission
- Ordered delivery
- Flow control
Applications that typically use TCP include:
- Web servers
- Email servers
- SSH
- Databases
The TCP Three-Way Handshake
Before data can be transmitted, TCP establishes a connection.
The process is called the three-way handshake.
Step 1: SYN
The client sends:
SYN
This requests a connection.
Step 2: SYN-ACK
The server responds:
SYN-ACK
This acknowledges the request and indicates readiness.
Step 3: ACK
The client replies:
ACK
The connection is now established.
Diagram:
Client              Server
| ---- SYN -------> |
| <--- SYN-ACK ---- |
| ---- ACK -------> |
After the handshake, data transfer begins.
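The Socket API calls listed earlier and the handshake just described, combined in one added example (not from the original page): a single process opens a listener on 127.0.0.1, connects to it, and echoes a message. The function name `loopback_echo` and the buffer sizes are illustrative assumptions.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Server and client in one process over 127.0.0.1; returns bytes echoed or -1. */
int loopback_echo(const char *msg, char *reply, size_t cap)
{
    struct sockaddr_in addr;
    socklen_t alen = sizeof addr;
    char buf[256];
    size_t len = strlen(msg);
    int srv = -1, cli = -1, conn = -1, rc = -1;
    ssize_t n;

    if (len == 0 || len > sizeof buf || len > cap) return -1;
    memset(&addr, 0, sizeof addr);                 /* sin_port 0: kernel picks a port */
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* loopback only, not 0.0.0.0 */

    /* Server: socket() -> bind() -> listen(); getsockname() reveals the port. */
    if ((srv = socket(AF_INET, SOCK_STREAM, 0)) < 0) goto out;
    if (bind(srv, (struct sockaddr *)&addr, sizeof addr) < 0) goto out;
    if (listen(srv, 1) < 0) goto out;
    if (getsockname(srv, (struct sockaddr *)&addr, &alen) < 0) goto out;

    /* Client: connect() returns once the kernel has finished SYN, SYN-ACK,
     * ACK, even though the server has not called accept() yet. */
    if ((cli = socket(AF_INET, SOCK_STREAM, 0)) < 0) goto out;
    if (connect(cli, (struct sockaddr *)&addr, sizeof addr) < 0) goto out;
    if ((conn = accept(srv, NULL, NULL)) < 0) goto out;

    /* send()/recv() on the client, read()/write() on the server: a socket is an fd. */
    if (send(cli, msg, len, 0) != (ssize_t)len) goto out;
    n = read(conn, buf, sizeof buf);
    if (n != (ssize_t)len || write(conn, buf, len) != n) goto out;
    if (recv(cli, reply, len, MSG_WAITALL) == n) rc = (int)n;
out:
    if (conn >= 0) close(conn);
    if (cli >= 0) close(cli);
    if (srv >= 0) close(srv);
    return rc;
}

int main(void)
{
    char r[64];
    return loopback_echo("hello", r, sizeof r) == 5 ? 0 : 1;
}
```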
TCP Reliability
TCP ensures reliable communication through:
Sequence Numbers
Each packet receives a sequence number.
The receiver can detect missing packets.
Acknowledgments
Received packets are acknowledged.
Example:
ACK 1001
This acknowledgment indicates successful receipt.
Retransmissions
If packets are lost:
- The sender detects missing acknowledgments.
- Packets are retransmitted.
This mechanism makes TCP highly reliable.
UDP: User Datagram Protocol
UDP is simpler than TCP.
Characteristics include:
- Connectionless
- Faster
- Lower overhead
- No delivery guarantees
Applications using UDP include:
- DNS
- VoIP
- Video streaming
- Online gaming
UDP sends packets without establishing a connection.
Example:
Client -------> Server
There is no handshake.
TCP vs UDP
| Feature | TCP | UDP |
|---|---|---|
| Connection | Yes | No |
| Reliable | Yes | No |
| Ordered Delivery | Yes | No |
| Retransmissions | Yes | No |
| Speed | Slower | Faster |
| Overhead | Higher | Lower |
TCP prioritizes reliability.
UDP prioritizes speed.
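The first two rows of the table can be observed directly. This added example (not from the original page) targets a loopback port with no listener: TCP's `connect()` fails with `ECONNREFUSED`, while UDP's `sendto()` reports success although nothing receives the datagram. It assumes Linux's default behaviour for unconnected UDP sockets; the helper names are illustrative.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind to 127.0.0.1:0, note the kernel-chosen port, close: the port is now unused. */
static int unused_port(int type, struct sockaddr_in *addr)
{
    socklen_t alen = sizeof *addr;
    int rc, fd = socket(AF_INET, type, 0);
    if (fd < 0) return -1;
    memset(addr, 0, sizeof *addr);
    addr->sin_family = AF_INET;
    addr->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    rc = bind(fd, (struct sockaddr *)addr, sizeof *addr);
    if (rc == 0) rc = getsockname(fd, (struct sockaddr *)addr, &alen);
    close(fd);
    return rc;
}

/* TCP: errno from connect() to a port with no listener (0 if it connected). */
int tcp_connect_errno(void)
{
    struct sockaddr_in addr;
    int fd, err = 0;
    if (unused_port(SOCK_STREAM, &addr) < 0) return -1;
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
    if (connect(fd, (struct sockaddr *)&addr, sizeof addr) < 0) err = errno;
    close(fd);
    return err;
}

/* UDP: return value of sendto() for 4 bytes sent to a port with no receiver. */
int udp_send_result(void)
{
    struct sockaddr_in addr;
    int fd, n;
    if (unused_port(SOCK_DGRAM, &addr) < 0) return -1;
    if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) return -1;
    n = (int)sendto(fd, "ping", 4, 0, (struct sockaddr *)&addr, sizeof addr);
    close(fd);
    return n;
}

int main(void)
{
    return tcp_connect_errno() == ECONNREFUSED && udp_send_result() == 4 ? 0 : 1;
}
```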
The Internet Protocol (IP)
TCP and UDP operate above IP.
IP is responsible for:
- Addressing
- Routing
- Packet delivery
Every packet contains:
Source IP
Destination IP
Protocol
Payload
Example:
192.168.1.10 -> 8.8.8.8
Routers examine destination addresses and forward packets toward their destination.
Packet Flow Through the Linux Kernel
Suppose a web browser sends a request.
The path looks like this:
Browser
|
Socket
|
TCP
|
IP
|
Network Driver
|
NIC
|
Network
The reverse path occurs when a response arrives.
Incoming packets travel upward through the stack until they reach the application.
Network Interface Cards (NICs)
A Network Interface Card provides physical network connectivity.
Examples include:
- Ethernet adapters
- Wi-Fi adapters
The Linux kernel communicates with NICs using device drivers.
The driver translates kernel requests into hardware-specific operations.
Interrupts and Packet Processing
When a packet arrives:
- NIC receives packet.
- NIC generates an interrupt.
- CPU pauses current task.
- Kernel executes interrupt handler.
- Packet enters networking stack.
Linux uses advanced techniques such as interrupt moderation and polling to improve performance on busy systems.
Socket Buffers
The kernel maintains buffers for network traffic.
Examples:
- Receive buffer: stores incoming packets.
- Send buffer: stores outgoing packets.
Buffers allow applications and network hardware to operate at different speeds.
Viewing Network Connections
Display listening services:
ss -tuln
Example:
tcp LISTEN 0 128 *:22
Display active connections:
ss -tan
These commands provide insight into network activity.
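The listener output can be audited mechanically. This added example (not from the original page) parses constructed `ss -tuln` lines and flags sockets whose local address is a wildcard (`*`, `0.0.0.0`, `[::]`), meaning the service accepts traffic on every interface rather than one address. The function names and sample lines are illustrative.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of `ss -tuln` output (not captured from a real host). */
static const char *SAMPLE[] = {
    "Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port",
    "tcp   LISTEN 0      128    *:22               *:*",
    "tcp   LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*",
    "tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*",
    "udp   UNCONN 0      0      127.0.0.53:53      0.0.0.0:*",
    "tcp   LISTEN 0      128    [::]:443           [::]:*",
};

/* Splits "addr:port" at the last colon; returns 1 if addr is a wildcard
 * (every local address), 0 if it is a specific address, -1 if unparsable. */
int is_wildcard_listener(const char *line, char *port, size_t portcap)
{
    char netid[16], state[16], local[128];
    unsigned rq, sq;
    char *colon;
    if (sscanf(line, "%15s %15s %u %u %127s", netid, state, &rq, &sq, local) != 5)
        return -1;                       /* header or malformed line */
    if ((colon = strrchr(local, ':')) == NULL) return -1;
    *colon = '\0';
    snprintf(port, portcap, "%s", colon + 1);
    return strcmp(local, "*") == 0 || strcmp(local, "0.0.0.0") == 0 ||
           strcmp(local, "[::]") == 0 || strcmp(local, "::") == 0;
}

/* Counts lines whose local address is a wildcard and prints each one. */
int count_exposed(const char **lines, size_t n)
{
    char port[16];
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (is_wildcard_listener(lines[i], port, sizeof port) == 1) {
            printf("all interfaces: port %s  <- %s\n", port, lines[i]);
            hits++;
        }
    return hits;
}

int main(void)
{
    return count_exposed(SAMPLE, sizeof SAMPLE / sizeof *SAMPLE) == 3 ? 0 : 1;
}
```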
Viewing Network Interfaces
Display interfaces:
ip link
Example output:
eth0
lo
wlan0
Display IP addresses:
ip addr
The Loopback Interface
Linux includes a special interface:
lo
Address:
127.0.0.1
The loopback interface allows applications on the same machine to communicate without using physical hardware.
Example:
ping 127.0.0.1
Firewalls and Packet Filtering
Before packets reach applications, Linux can inspect them.
Common firewall technologies include:
- nftables
- iptables
Firewalls can:
- Allow traffic
- Block traffic
- Log traffic
- Redirect traffic
This helps secure systems from unwanted network activity.
The Importance of the Kernel Network Stack
The Linux network stack provides:
- Reliability
- Performance
- Security
- Hardware independence
Applications can communicate using a consistent interface regardless of the underlying hardware.
Whether using Ethernet, Wi-Fi, fiber optics, or virtual networks, the same networking APIs remain available.
Conclusion
Linux networking relies on a layered architecture involving sockets, TCP, UDP, IP, device drivers, and network hardware. Applications communicate through sockets, the kernel processes network protocols, and device drivers interact with physical hardware. TCP provides reliable communication, while UDP offers speed and low overhead. Understanding how these components work together provides valuable insight into one of the most important subsystems of the Linux kernel and helps explain how modern networked applications communicate across local networks and the Internet.