IP Addressing
OSI Model
Network Devices
Network Topologies
Ports and Protocols
Routing Protocols
TCP/UDP/Ethernet Headers
Network Miscellaneous

Networking

IP Addressing

IPv4 Address Classes

Class A	First Octet: 0-127 Binary: 0XXXXXXX Default Mask: 255.0.0.0 CIDR: 8
Class B	First Octet: 128-191 Binary: 10XXXXXX Default Mask: 255.255.0.0 CIDR: 16
Class C	First Octet: 192-223 Binary: 110XXXXX Default Mask: 255.255.255.0 CIDR: 32
Class D	First Octet: 224-239 Binary: 1110XXXX ***Multicast Addressing
Class E	First Octet: 240-255 Binary: 1111XXXX ***Experimental

IPv4 Addresses

• 32 bits per address (4 octets of 8 bits each)
• Private vs Public IP addresses, PAT vs NAT.
  • PAT - Private to Same Public IP address, different port.
  • NAT - Private to Different Public IP address, same port.
• Private IP Ranges:
  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16
  • APIPA: 169.254.0.0/16 (allows Windows machine to communicate over LAN without internet)
    • APIPA, or Automatic Private IP Addressing is a DHCP fail-safe that protects a computer system from failure.
    • Allows DHCP clients to obtain IP addresses even when DHCP servers are unavailable/non-functional.
• Class IP addresses and typical cidr notation
  • Class A - 0 - 127 /1-8
  • Class B - 128 - 191 /9-16
  • Class C - 192 - 223 /17-24
  • Class D: 224-239/undefined (Multicast Addressing)
  • Class E: 240-255/undefined (Experimental)
• Loopback
  • 127.0.0.0/8
  • 127.0.0.1 is the common one
  • Use to test NIC's ability to send and recieve

IPv6

• 8 groups of 4 (16 bits) hexadecimal digits, 128 bits long.
• :: is allowed when back to back sets of 0’s are present and can only be done once per address (0000:0000=::), other sets of 0’s are shrunk to a single 0 (:0000:=:0:)

Unspecified	::/128
Loopback	::1/128
Unique Local Address	FC00::/7
Link-local address	FE80::/10
Global unicast address	2000::/3
Multicast address	FF00::/8
Example of IPv4 in mixed IPv4/IPv6 environment	::0:192.168.100.1
Example of 6to4 tunneling	2002::/16 (0010 0000 0000 0010)

IPv4 to IPv6 Methods

Dual Stacking	The process of loading both IPv4 and IPv6 on network nodes. Allows a machine to utilize either protocol to communicate. Most modern computer systems have the capability to run both IPv4 and IPv6 at the same time.
Tunneling	The process by which IPv6 packets are encapsulated within IPv4 packets: 6to4 6in4 Teredo ISATAP
Translation (Routers)	The packet headers for proper communication

Subnetting

• Most important to remember is how to get first/last/network/broadcast addresses
• https://subnetipv4.com/
• https://subnettingpractice.com/
• "7 Second Subnetting" by Professor Messer

Back to Categories

OSI Model

• Layer 7 (Data): Application – GUI (Explorer.exe)
• Layer 6 (Data): Presentation – Encryption/Decryption
• Layer 5 (Data): Session – Communication between two devices (computers and servers)
• Layer 4 (Segments): Transport – End-to-end Connections & Reliability (TCP/UDP)
• Layer 3 (Packets): Network – Router comms, packet forwarding, ARP (IP addresses)
• Layer 2 (Frames): Data Link – MAC & LLC, Switches (MAC addresses)
• Layer 1 (Bits): Physical – cables, media, signal, and binary transmission

OSI Model Descriptions

• Allows different vendors, equipment, protocols, or rules to work together

Layer 7 – Application	Interface between user’s application & network Protocol data unit (PDU): Data Protocols: DNS, SMTP, HTTP, FTP, POP3, SNMP, Telnet
Layer 6 – Presentation	Presents data at destination with same meaning at the source. Data compression & restoration, encryption & decryption, ASCII conversion occur here. PDU: Data Protocols: MPEG, ASCH, SSL, TLS
Layer 5 – Session	Set up, coordinate, and terminates conversation, exchange, and dialogue between devices across network. Simplex, half duplex, full duplex PDU: Data Protocols: NetBIOS, SAP, sockets, PPTP, L2TP, L2F, RPC
Layer 4 – Transport	Manages delivery between systems and hosts. Data is broken into chunks. Segment sequencing, error recovery, and flow control. PDU: Segments Protocols: TCP, UDP, SPX, NetBEUI/NBF
Layer 3 – Network	Logical addressing and routing of messages to their proper destination. PDU: Packets Hardware: Router Protocols: IP, ARP, ICMP, and IPSec
Layer 2 – Data Link	Provides reliable method of transmitting data across communication link. Physical addressing and frame data heading Logical Link Control (LLC) Media Access Control (MAC) PDU: Frame Hardware: Switch, Network Adapter, bridges Protocols: PPP, ATM, Ethernet, 802.2 LLC, 802.11 (WLAN/WiFi), Token ring, Frame relay
Layer 1 – Physical	Communication where it takes place. PDU: Bits Hardware: Repeater, hubs, ethernet cable

OSI Model (EVEN MORE)

“Please Do Not Throw Sausage Pizza Away”

• Layer 7 (Data):
  Application – Provides an interface between user’s application and the network.
  • Protocols: DNS, SMTP, HTTP, FTP, POP3, SNMP, Telnet


• Layer 6 (Data):
  Presentation – Presents data at destination with same meaning at the source.
  • Data compression & restoration, encryption/decryption, ASCII conversion occur here.
  • Protocols: MPEG, ASCH, SSL, TLS
    • SSL – Secure Socket Layer
      • Provides cryptographic security for the Application Layer. (Limited to number of applications it can secure)
    • TLS – Transport Layer Security
      • Upgrade of SSL; no restriction on number of applications.
      • Used in VoIP and VPNs.


• Layer 5 (Data):
  Session – Sets up, coordinates, terminates conversations, exchanges, and dialogues between devices across the network.
  • Communication between two devices (computers – servers)
  • Simplex, half duplex, full duplex..
  • Protocols: NetBIOS, SAP, Sockets, PPTP, L2TP, L2F, RPC


• Layer 4 (Segments):
  Transport – Provides the functional and procedural means of transferring variable-length data sequences from a source to a destination host, while maintaining the quality of service functions.
  • End-to-end Connections & Reliability (TCP/UDP)
  • Data is broken into chunks (segments) at this layer. (Segment sequencing, error recovery, and flow control)
  • Protocols: TCP, UDP, SPX, NetBEUI/NBF


• Layer 3 (Packets):
  Network – Provides the functional and procedural means of transferring packets from one node to another connected in different networks.
  • Router Communications, packet forwarding, ARP (IP addresses)
  • If a message is too large to transmit between nodes, the network may implement message delivery by splitting the message into several fragments at one node, sending them independently, and reassembling the fragments at another node.
  • Hardware: Routers
  • Protocols: IP, ARP, ICMP, IPSec


• Layer 2 (Frames):
  Data Link – Provides node-to-node transfer; a link between two directly connected nodes. Detects and possibly corrects errors that may occur in the physical layer.
  • MAC & LLC, Switches (MAC Addresses)
    • Medium Access Control (MAC) layer – responsible for controlling how devices in a network gain access to a medium and permission to transmit data.
    • Logical Link Control (LLC) layer – responsible for identifying and encapsulating network layer protocols, and controls error checking/frame synchronization.
    • Point-to-Point Protocol (PPP) – data link layer that can operate over several different physical layers.
  • Hardware: Switches, Network Adapters, Bridges
  • Protocols: PPP, ATM, Ethernet, 802.2 LLC, 802.11 WLAN/WiFi, Token Ring, Frame Relay


• Layer 1 (Bits):
  Physical – Responsible for the transmission and reception of unstructured raw data between a device and a physical transmission medium. Converts digital bits into electrical/radio/optical signals.
  • Cables, media, signal, binary transmission.
  • Hardware: Repeaters, Hubs, Ethernet cables

Back to Categories

Network Devices

Network Adapter (Network Interface Card [NIC])	Provides interface between computer and network medium. Prepare, send, and control data flow. Layer 2 – Data Link
Repeaters	Receive and regenerate signal. Help with attenuation issue (degradation of signal over distance). Layer 1 - Physical
Hubs	Multiport repeaters that receive digital signal, regenerate it, and then broadcast signal to all connected port. Layer 1 - Physical
Switches	Send signal to specific port (unlike hubs) based on MAC addresses. Layer 2 – Data Link
Routers	Interconnect LAN and WAN (Gateway) Determines the next network to which an address is sent by scanning destination IP address and finding best path. Traffic control and filter. Layer 3 - Network

Back to Categories

Network Topologies

• Physical – Maps the actual, physical connections in a network, such as wires and cables, and the placement of various components such as switches.
  • Bus:
    • Every device is connected to a solo main cable line.
    • Data is transmitted in a single route, from one point to another.
    • If the main cable collapses, the complete network collapses; length of main cable is also limited.
  • Ring:
    • Every computer is connected to another computer on each side; each computer has exactly two neighbors.
    • Data transmission is done with the help of tokens, sequentially (bit by bit); data has to route its way through each node in the network to reach the destination.
    • If one computer crashes, the entire network activity is disrupted.
  • Star:
    • All the nodes/computers are connected via cables to a single node called a hub, or the ‘central node’, which can be active or passive in nature. (Active hubs contain repeaters; passive nodes are considered non-intelligent)
    • If a node has failed, it can easily be replaced without affecting the working of the rest of the network.
    • All nodes are dependent on the hub, if for some reason the hub fails, the network fails.
  • Full Mesh:
    • All nodes are connected with all the other nodes via a network channel.
    • Point-to-Point Connection.
    • Has two techniques for transmission of data: routing and flooding.
    • Cabling is costly; bulk wiring is essential.
• Logical – Shows how data flows within a network and from one device to another, regardless of the physical connections among devices.

Back to Categories

Port and Protocols

Some redundant info here (but cyber wizards must know their protocols)

Port Number Ranges

Well-Known	0-1023
Registered	1024-49151
Private	49152-65535

Protocols

• ARP – Address Resolution Protocol
  • Maps IP Address to MAC Address; Associates known IP address to unknown MAC address.
  • Operates on Layer 3 (Network)
  • Reverse ARP (RARP) – Reverse Address Resolution Protocol
    • Associates known MAC address to unknown IP address.


• ICMP- Internet Control Message Protocol
  • Error reporting mechanism for the IP protocol if there is a problem along the transmission path.
  • Tools for testing: ping and traceroute (tracert on Windows)


• FTP - File Transfer Protocol
  • TCP port 20 – Data transfer
  • TCP port 21 – FTP Control
  • FTP url layout:
    • ftp:// [user] : [password] @ [hostname or IP] : [port]
    • example: ftp://anonymous:user\@yahoo.com@localhost:21


• SSH - Secure Shell
  • Secure logins, file transfers, port forwarding
  • TCP port 22
  • Replaced Telnet as default remote login method


• Telnet
  • TCP port 23
  • Unencrypted text communications & user login (communications in plaintext)


• DNS - Domain Name Service
  • Hierarchical and decentralized naming system for computers, services, or other resources connected to the internet or a private network.
  • TCP/UDP port 53 – primarily uses UDP, but TCP is used when packets are larger.


• DHCP - Dynamic Host Configuration Protocol
  • Grants IP addresses to connected devices in a network.
  • Based on/replaced BOOTP
  • BOOTP – allows a diskless client machine to discover its own IP address, the address of a server host, and the name of a file to be loaded into memory and executed.
  • UDP ports 67 & 68
  • D.O.R.A.
    • Discover
    • Offer
    • Request
    • Acknowledge


• POP3 - Post Office Protocol (3)
  • Application-layer protocol used by email clients to retrieve email from a mail server.
  • TCP port 110


• SUNRPC - Open Network Computing Remote Procedure Call
  • RPC system that exists in most Unix-like systems
  • TCP port 111


• NetBIOS Name - Name Service (NetBIOS-NS)
  • For name registration and resolution.
  • TCP/UDP port 137


• NetBIOS Datagram - Datagram distribution service (NetBIOS-DGM)
  • For connectionless communication.
  • TCP/UDP port 138


• NetBIOS Session
  • Session Service (NetBIOS-SSN) – for connection-oriented communication.
  • TCP/UDP port 139


• IMAP - Internet Message Access Protocol
  • Used by email clients to retrieve email messages from a mail server over a TCP/IP connection. (POP3 but more secure)
  • TCP port 143


• SNMP - Simple Network Management Protocol
  • For collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior.
  • TCP/UDP ports 161/162 (162 is Trap)


• HTTPS - Hypertext Transfer Protocol Secure
  • Uses Transport Layer Security (TLS) (formerly SSL (Secure Socket Layer)) Asymmetric encryption algorithm to secure connection to web servers.
  • TCP port 443


• Syslog - System Message Logging
  • Standard for message logging. Allows separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them.
  • UDP port 514


• LDAPS (Secure) - Lightweight Directory Access Protocol, Secure
  • Open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an IP network.
  • Directory services play an important role in developing internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network.
  • TCP/UDP port 636


• RDP - Remote Desktop Protocol
  • Microsoft Terminal Server
  • TCP/UDP port 3389


• RPC – Remote Procedure Call
  • A powerful technology for creating distributed client/server programs. Examples include:
    • Microsoft EPMAP - Microsoft End Point Mapper
      • RPC locator service, used to remotely manage services including DHCP Server, DNS Server, and WINS.
      • TCP/UDP port 135
    • NetBIOS Session Service
      • Method of connecting two computers for transmitting large messages or heavy data traffic.
      • TCP port 139
    • Microsoft SMB – Microsoft Serve Message Block File Sharing
      • Allows systems to share files, printers, and serial ports within the network.
      • Application and Presentation Layer
      • TCP port 445

Protocols/Ports(Again)

DHCP	Used by a host to obtain an IP address from a DHCP server. DORA (Discover, Offer, Request, Acknowledge) Port 67 (server) Port 68 (client/source)
DNS	A Distributed name system that contains services to map computer names to IP addresses and IP address to computer names. Port 53 UDP for queries (UDP:53) TCP for DNS zone transfers (TCP:53)
SMTP	Used to send mail messages across a network and is the basic for internet mail. TCP:25
POP3	Used to retrieve email from a mail server. TCP:110
IMAP4	Used to retrieve email from a mail server. Enables users to search through messaged based on keywords. TCP:143
HTTP	The set of rules for exchanging files from server to client and vice versa. TCP:80
HTTPS	HTTP rides over the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) for secured web session. TCP:443
SSL	Resides in Layer 6 – Presentation Provides cryptographic security for Application Layer. Limited to number of applications it can secure.
TLS	Upgrade of SSL. No restriction on number of applications. Used in VoIP and VPNs.
FTP	Used for exchanging and manipulating files over a TCP-based computer network. TCP:20 for Data from server TCP:21 for Commands from client
TFTP	Simple protocol that only provides for the reading and writing of files or mail. UDP:69
Telnet	Binary protocol that allows a user to establish a virtual connection with another host. TCP:23
Rlogin	UNIX utility as alt. to Telnet TCP:513
SSH	Cryptographic protocol that allows data to be exchanged using a secure channel between two networked devices. Uses both symmetric and asymmetric encryption along with hashing. Diffie-Hellman key exchange to shared secret key over insecure channel. TCP:22
LDAP	Application Layer protocol used to structure information on a directory server. Used as a directory for telephone/address lookups. TCP:389
LDAPS	LDAP communication over SSL/TLS TCP:636 or 3269
SNMP	Used to manage and collect statistical network data from remote devices through polling: Performance stats Network availability and error rates UDP:161 – Managers communicating with Agents (polling). UDP:162 – Agents send unsolicited Traps messages to Managers.
NetBIOS	Service to provide communication over a LAN. Session layer of OSI Names are up to 15 characters long (usually computer’s name running NetBIOS). Microsoft requires all CAPS. UDP:137 – Name Provides name registration and resolution. UDP:138 – Datagram Distribution service for connectionless communication. TCP:139 – Session Reliable, connection-oriented communication
SMB	Allows systems to share files, printers, and serial ports within the same network. Application and Presentation Layer of OSI Part of AD in Linux TCP:445
SUNRCP	TCP:111
Syslog	UDP:514
RDP	TCP:3389
Kerberos	Port 88

NETBIOS (expanded)

• Service to provide communication over a LAN. Session layer of OSI. Names are up to 15 characters long, usually the name of a computer running NetBIOS. Microsoft requires ALL CAPS.
• Port 137 (UDP) – Name: provides name registration and resolution.
• Port 138 (UDP) – Datagram: distribution service for connectionless communication,
• Port 139 (TCP) – Session: reliable, connection-oriented communication.

BOOTP/DHCP (expanded)

• BOOTP: allows a diskless client machine to discover its own IP address, the address of a server host, and the name of a file to be loaded into memory and executed.
• DHCP: based on BOOTP, adding the capability of automatic allocation of reusable network addresses and additional configuration options. DHCP captures the behavior of BOOTP relay agents, and DHCP participants can interoperate with BOOTP participants.
  • Discover, Offer, Request, Acknowledge

Back to Categories

Routing Protocols

Autonomous Systems	A set of Routable IP prefixes that are under a network or collection of networks managed by an entity.
Interior Gateway Protocols	Used to exchange routing information with an autonomous system.
Exterior Gateway Protocols	Protocols used to exchange routing information between autonomous systems
Path-Vector Routing Protocols	Maintains path information that gets updated dynamically.
Administrative Distance	Each entry in the routing table contains the destination network, next router, and path to reach the destination. The lower the better.

Routing Protocol Classes

• Classful: Variable-length subnetting masks (VLSM) not supported, CIDR not supported.
• Classless: VLSM and Classless Inter-Domain Routing supporting.

Routing Protocols

• RIP – “Routing Information Protocol”, one of the oldest distance-vector routing protocols which employs hop count as a routing metric.
  • Prevents routing loops by implementing a limit on the number of hops allowed in a path from source -> destination.
  • Uses UDP port 520 by default.
  • RIPv1 ¯¯\
  • RIPv2 -- All RIPs have a hop limit of 15, and an Administrative Distance (AD) of 120.
  • RIPng _/


• BGP – “Border Gateway Protocol”
  • Only Routing Protocol is still considered an Exterior Gateway Protocol
  • Path-vector routing protocol that makes routing decisions based on paths, network policies, or rule-sets configured by a network administrator.


• OSPF – ‘Open Shortest Path First’, an interior Gateway Protocol used to distribute routing information within a single Autonomous System.
  • Designed due to a need in the internet community to introduce a high functionality, non-proprietary Internal Gateway Protocol (IGP) for the TCP/IP protocol family.
  • Based on link-state technology, which is a departure from vector-based algorithms used in traditional routing protocols like RIP.
  • No limitation on the hop count.
  • Allows for better load balancing and definition of networks where routers can be divided into areas; reduces explosion of link-state updates over the whole network and provides a mechanism for aggregating routes while cutting down on unnecessary propagation of subnet information.
  • Default Administrative Distance (AD) of 110.


• EIGRP – ‘Enhanced Interior Gateway Protocol’, an IGP suited for many topologies and media.
  • Scales well and provides extremely quick convergence times with minimal network traffic.
  • When a change occurs in the network, only routing tables are propagated, reducing the load the routing protocol itself puts on the network.
  • ‘Enhanced distance vector protocol’, relies on the ‘Diffused Update Algorithm’ (DUAL) to calculate shortest path to a destination within a network.
  • Default Administrative Distance (AD) of 5.


• Other Administrative Distance (AD) Values of note:
  • Connected Interface: 0 AD
  • Static Route: 1 AD
  • External Border Gateway Protocol (BGP): 20 AD
  • Internal EIGRP: 90 AD
  • Interior Gateway Routing Protocol: 100 AD
  • Exterior Gateway Protocol: 140 AD
  • Internal Border Gateway Protocol (BGP): 200 AD

Routing Protocols (supplemental definition)

• BGP
  • Path Vector Protocol (PVP), which maintains paths to different hosts, networks and gateway routers and determines the routing decision based on that. AD of 200.
  • Used for routing between autonomous systems (AS)
  • Best Path Algorithm consisting of 13 steps


• EIGRP
  • Advanced distance-vector routing protocol (hybrid) that is used on a computer network for automating routing decisions and configuration. The protocol was designed by Cisco Systems as a proprietary protocol, available only on Cisco routers. AD of 90.
  • Uses Diffusing Update Algorithm (DUAL), based off bandwidth, delay, load, reliability and MTU.
  • Classless


• IGRP
  • > Proprietary distance vector routing protocol used to communicate routing information within a host network. It was invented by Cisco.


• RIP
  • Dynamic routing protocol which uses hop count (max 15) as a routing metric to find the best path between the source and the destination network. It is a distance vector routing protocol which has AD value 120 and works on the application layer of OSI model. RIP uses port number 520.
  • Classful


• RIPv2/RIPng
  • Max Hop Count of 15
  • Classless
  • AD: 120


• OSPF
  • Routing protocol for Internet Protocol (IP) networks. It uses a link state routing (LSR) algorithm and falls into the group of interior gateway protocols (IGPs), operating within a single autonomous system (AS). AD of 110.


• IS-IS (Intermediate System-to-Intermediate System)
  • Interior gateway protocol, designed for use within an administrative domain or network. The de facto standard for Internet Service Provider backbone routers.
  • Link State protocol
  • Dijkstras Algorithm (Shortest path first) prioritizes links with the lowest overall cost (cost being several metrics)
  • Classless
  • AD: 115

Distance Vector vs Link State Protocls

Distance Vector	Link State
Sends entire routing table during updates	Only provides link state information
Sends periodic updates every 30-90 seconds	Uses triggered updates
Broadcasts updates	Multi casts updates
Vulnerable to routing loops	No risk of routing loops
RIP, IGRP	OSPF, IS-IS

Back to Categories

TCP/UDP/Ethernet Headers

• TCP (20 bytes): Source Port, Destination Port, SEQ number, ACK number, Flags, Window Size, Checksum, Urgent Pointer, Data. Max payload size of 1460 bytes.
• UDP (8 bytes): Source Port, Destination Port, Length, Checksum, Data. Max payload size is 1472 bytes).
• Ethernet: Destination MAC, Source MAC, EtherType (0800 for IPv4), Payload, Checksum. Minimum size of 64 bytes and maximum payload size of 1500 bytes.

Header Diagrams

Back to Categories

Network Miscellaneous

Important Terms

ARP	Map IP address to MAC address Layer 3 – Network Associate known IP address to unknown MAC address
Reverse ARP	Associate MAC address to unknown IP address
IP Config Command	Windows: ipconfig Linux: ifconfig
FQDN	A unique name used to identify a partical system in the namespace. Host.parent_domain.top_level_domain.root_domain (implied): www.google.com.
ICMP	An error reporting mechanism for the IP protocol if there is a problem along the transmission path. Tools for testing: ping and traceroute
Ping	ICMP utility Echo request/reply from a remote host to verify if it is available for communication.
Traceroute	Linux: traceroute uses UDP Windows: tracert uses ICMP
NAT	Function of connecting multiple computers to the Internet using one or multiple routable IP addresses. Network masquerading or IP-masquerading.
PAT	Uses a network device that translates multiple local addresses to a single global address by keeping track of port assignments.
Netstat	Provides information and statistics about protocols in use and current TCP/IP network connections. -a provides all connections -n provides numerical of protocols -o provides PID

• Firewall – network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted network and an untrusted network, such as the internet.
  • May be either a form of software or a physical device.


• IDS – Intrusion Detection System
  • Device or software application that monitors a network or systems for malicious activity or policy violations; reports as necessary either to administrator or via SIEM.


• IPS – Intrusion Prevention System
  • Network security appliances that monitor network traffic and/or system activities for malicious activity.
  • Unlike IDS, IPSs are placed in-line and are able to actively prevent or block intrusions that are detected.

TCP/IP 3-Way Handshake

• Before a client attempts to connect with a server, the server must first bind to and listen at a port to open it up for connections. (passive open)
• Once the passive open is established, a client may establish a connection by initiating an active open by doing the following:
  • SYN – The active open is performed by the client sending a SYN to the server. The client sets the segments sequence number to a random value ‘A’.
  • SYN-ACK – In response, the server replies with a SYN-ACK. The acknowledgment number is set to one more than the received sequence number (ex: A + 1), and the sequence number that the server chooses for the packet is another random value ‘B’.
  • ACK – Finally, the client sends an ACK back to the server. The sequence number is set to the received acknowledgment value (A + 1) and the acknowledgment number is set to one more than the received sequence number (B + 1).

SEQ Numbers

• SEQ numbers are 32 bits. Used by transmitter on each transmitted packet. SEQ numbers are random when host initiates a TCP session (typically 0 [relative] by default for Wireshark purposes).
• ACK numbers are used to inform sender that the transmitted data was sent successfully.
• ACK numbers are based on SEQ number and amount of data sent over transmission. SEQ+DATA=ACK.

Time-to-Live (TTL) for Packets

TTL:255	Cisco, Solaris/AIX
TTL:128	Windows
TTL:64	Linux/Unix

NAT & PAT

• NAT – Network Address Translation
  • Method of mapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device.
  • (Privatizes IP addresses, and lets a single, routable IP address be used for an entire private network.)
• PAT – Port Address Translation
  • Extension of NAT that permits multiple devices on a LAN to be mapped to a single public IP address to conserve IP addresses.

IEEE Standards

• 802.1 – LAN
• 802.3 – Ethernet
• 802.6 – MANs
• 802.8 – Fiber Optic
• 802.11 – Wireless LAN (WLAN) & Mesh (Wi-Fi)
• 802.15.1 - Bluetooth

Networking commands

• Basic networking commands (netstat, arp, ifconfig, route, grep, ip, etc.); know common flags
• Arp -a - displays and modifies entries in the Address Resolution Protocol (ARP) cache, which contains one or more tables that are used to store IP addresses and their resolved Ethernet or Token Ring physical addresses. (Flag: Specific IP address)
• Netstat
  • Reading netstats and understanding the basic fundamentals on what is going on
  • Netstat (Network Statistics) defined: provides information and statistics about protocols in use and current TCP/IP network connections.
  • Netstat -ano - print network connections, routing tables, interface states (Flags: ALL, NUMERIC, TIMERS)

Networking APIs

• NetBIOS – “Network Basic Input/Output System”
  • Provides services related to the session layer (Layer 5) of the OSI model allowing applications on separate computers to communicate over a local area network (LAN)
  • Strictly an API, not a networking protocol.


• SMB – “Server Message Block”
  • Provides file sharing, printing, and inter-process communications (IPC) over a network.
  • Was often used with NetBIOS over TCP/IP (NBT) over UDP, using ports 137 and 138, and TCP ports 137 and 139.


• winsock – “Windows Sockets API”
  • Technical specification that defines how Windows network application software should access network services, especially TCP/IP.
  • Defines a standard interface between a Windows TCP/IP client application (such as FTP client or a web browser) and the underlying TCP/IP protocol stack.

Domains

additional research encouraged to supplement this section

• • How domains work (Kerberos, DCs, Trusts, Active Directory)
  • Domain Controllers (DC) - a server that responds to authentication requests and verifies users on computer networks.
    • holds the key to the Active Directory (AD)
    • Windows - Microsoft Active Directory or Microsoft AzureAD
    • Linux - Samba, RPCClient
    • DC vs AD - AD is a type of domain, DC is important server on that domain
    • Every domain has Domain Controller, but not every domain has an Active Directory

Back to Categories