An Ethernet frame carries a lot of information, but each device along the way reads only the part it needs. A switch forwards on MAC addresses, so it looks only at the Ethernet header. A router forwards on IP addresses, so it looks inside the frame at the IP header.
The unit of data handled at each layer is called a PDU (Protocol Data Unit). At the link layer the PDU is the Ethernet frame.
Inside the frame is the IP packet, the PDU that carries the source and destination IP addresses. Its only job is to get the data to the right computer.
Inside the IP packet is the transport-layer PDU, which is either TCP or UDP. TCP is connection-oriented; UDP is connectionless.
A TCP PDU is called a segment and a UDP PDU is called a datagram. Much of what computers do needs a connection-oriented transport: when you send a document, every piece must arrive correctly and the transfer must complete, and TCP handles the tracking and retransmission. When an occasional lost piece does not matter, UDP is used instead: no setup, no acknowledgements, less overhead.
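The layering above is easiest to see by peeling a real byte string apart. The following is an added example (not part of the original notes): it constructs an Ethernet frame carrying an IPv4 packet and either a TCP segment or a UDP datagram, then decodes it one PDU at a time, returning separately the fields a switch, a router and the end host would each read. The MAC and IP addresses and the payloads are made up for the example, and checksums are left at zero because the frame is only decoded locally.

```python
"""Added example: peel a constructed Ethernet frame into its PDUs.

A switch reads only the Ethernet header (MAC addresses), a router reads the
IP header, and only the end host reads the TCP segment or UDP datagram.
The frame bytes below are constructed here, not captured traffic.
"""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, src_port, dst_port, payload):
    """Assemble Ethernet + IPv4 + (TCP | UDP) + payload.

    Checksums are left at 0 because this frame is only decoded locally;
    a real stack fills them in before transmission.
    """
    if proto == IPPROTO_TCP:
        # 20-byte TCP header: ports, seq, ack, data offset (5 words) in the
        # high nibble, flags PSH|ACK (0x18), window, checksum, urgent pointer
        l4 = struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 2000,
                         5 << 4, 0x18, 65535, 0, 0)
    elif proto == IPPROTO_UDP:
        # 8-byte UDP header: ports, length (header + payload), checksum
        l4 = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0)
    else:
        raise ValueError("only TCP and UDP are built here")
    total_len = 20 + len(l4) + len(payload)
    # IPv4: version 4 / IHL 5 (0x45), DSCP, total length, id, flags+fragment
    # offset (DF set), TTL, protocol, header checksum, addresses
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                     proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4 + payload


def decode_frame(frame):
    """Return one dict per PDU: what a switch, a router and a host would read."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    pdus = {"frame": {"dst_mac": mac_text(dst), "src_mac": mac_text(src),
                      "ethertype": ethertype}}
    if ethertype != ETHERTYPE_IPV4:
        return pdus  # ARP, IPv6 and so on would be handled here

    packet = frame[14:]
    ver_ihl, _, total_len, _, _, ttl, proto, _, s, d = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes, options included
    pdus["packet"] = {"src_ip": socket.inet_ntoa(s), "dst_ip": socket.inet_ntoa(d),
                      "ttl": ttl, "protocol": proto}

    transport = packet[ihl:total_len]  # drops any Ethernet padding after the packet
    if proto == IPPROTO_TCP:
        sp, dp, seq, ack, offset, flags = struct.unpack("!HHIIBB", transport[:14])
        hlen = (offset >> 4) * 4
        pdus["segment"] = {"src_port": sp, "dst_port": dp, "seq": seq, "ack": ack,
                           "flags": flags, "payload": transport[hlen:]}
    elif proto == IPPROTO_UDP:
        sp, dp, length, _ = struct.unpack("!HHHH", transport[:8])
        pdus["datagram"] = {"src_port": sp, "dst_port": dp,
                            "payload": transport[8:length]}
    return pdus


# Constructed samples: an HTTP request over TCP and a DNS-like query over UDP.
HTTP_FRAME = build_frame("52:54:00:aa:bb:01", "52:54:00:aa:bb:02",
                         "192.168.1.20", "93.184.216.34", IPPROTO_TCP,
                         52113, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
DNS_FRAME = build_frame("52:54:00:aa:bb:01", "52:54:00:aa:bb:03",
                        "192.168.1.20", "192.168.1.1", IPPROTO_UDP,
                        40000, 53, b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6)

if __name__ == "__main__":
    for name, frame in (("tcp", HTTP_FRAME), ("udp", DNS_FRAME)):
        for layer, fields in decode_frame(frame).items():
            print(name, layer, fields)
```

The "frame" entry is all a switch needs, "packet" is all a router needs, and only "segment" or "datagram" carries the port and payload the receiving application cares about.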
TCP & UDP
UDP is very simple: the client sends a datagram to the server without any setup. The server either receives it or it is lost on the way; UDP itself gives no confirmation that the data arrived, so any checking is left to the application.
TCP carries the bulk of traffic on the web. Before data is exchanged the client and server complete the TCP three-way handshake: the client sends a SYN segment to the server, the server replies with SYN/ACK ("OK, I am ready to go"), and the client answers with an ACK. Once that is done a TCP connection is established and data can flow.
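The handshake is easier to reason about as two small state machines. The following is an added example, not code from the original notes: the client and server are plain Python objects exchanging segment dicts (flags, seq, ack) with no real sockets. It also shows the part that matters for security: each side acknowledges the other's initial sequence number plus one, so a forged ACK that does not carry the server's ISN + 1 is dropped, and a host that picks predictable ISNs gives that protection away. The class and function names are this example's own.

```python
"""Added example: the TCP three-way handshake as two endpoint state machines.

Segments are plain dicts (flags, seq, ack); no real sockets are involved.
"""
import secrets

SYN, ACK, RST = 0x02, 0x10, 0x04
MASK32 = 0xFFFFFFFF


class Endpoint:
    def __init__(self, name, listening=False):
        self.name = name
        self.state = "LISTEN" if listening else "CLOSED"
        # Random initial sequence number (RFC 6528); a predictable ISN lets an
        # off-path attacker forge the third segment of someone else's handshake.
        self.isn = secrets.randbelow(2**32)
        self.rcv_nxt = None  # next sequence number expected from the peer

    def connect(self):
        """Step 1: client sends SYN carrying its ISN."""
        self.state = "SYN_SENT"
        return {"flags": SYN, "seq": self.isn, "ack": 0}

    def receive(self, seg):
        """Consume one segment and return the reply segment, or None."""
        flags = seg["flags"]
        if self.state == "LISTEN" and flags == SYN:
            # Step 2: server acknowledges client ISN + 1 and sends its own ISN.
            self.rcv_nxt = (seg["seq"] + 1) & MASK32
            self.state = "SYN_RECEIVED"
            return {"flags": SYN | ACK, "seq": self.isn, "ack": self.rcv_nxt}
        if self.state == "SYN_SENT" and flags == SYN | ACK:
            if seg["ack"] != (self.isn + 1) & MASK32:
                # Not an answer to our SYN: reset rather than trust it.
                return {"flags": RST, "seq": seg["ack"], "ack": 0}
            # Step 3: client acknowledges server ISN + 1; connection is up.
            self.rcv_nxt = (seg["seq"] + 1) & MASK32
            self.state = "ESTABLISHED"
            return {"flags": ACK, "seq": (self.isn + 1) & MASK32, "ack": self.rcv_nxt}
        if self.state == "SYN_RECEIVED" and flags == ACK:
            if seg["ack"] != (self.isn + 1) & MASK32:
                return None  # wrong ACK number: silently dropped
            self.state = "ESTABLISHED"
            return None
        return None


def handshake(client, server):
    """Run SYN -> SYN/ACK -> ACK and return the final (client, server) states."""
    syn = client.connect()
    syn_ack = server.receive(syn)
    ack = client.receive(syn_ack)
    server.receive(ack)
    return client.state, server.state


def forged_handshake(server, guessed_isn):
    """An attacker who never sees the SYN/ACK must guess the server's ISN."""
    server.receive({"flags": SYN, "seq": 12345, "ack": 0})  # spoofed SYN
    server.receive({"flags": ACK, "seq": 12346, "ack": (guessed_isn + 1) & MASK32})
    return server.state


if __name__ == "__main__":
    print(handshake(Endpoint("client"), Endpoint("server", listening=True)))
    victim = Endpoint("server", listening=True)
    print("wrong ISN guess leaves server in", forged_handshake(victim, victim.isn + 7))
```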
ICMP & IGMP
Besides TCP and UDP there are ICMP (Internet Control Message Protocol) and IGMP (Internet Group Management Protocol). They are used when you do not want to move data across the network, only to check or signal something.
An ICMP message is small: a type and code, a checksum and a short message body. It has no ports, which is why it is carried directly inside IP rather than on top of TCP or UDP. A typical exchange is "are you there?" answered by "yes"; the best-known example is ping (echo request and echo reply), and traceroute also relies on ICMP replies. ARP is often mentioned in the same breath, but it is a separate protocol that maps IP addresses to MAC addresses on the local link; it is not ICMP.
An IGMP message carries a type, a checksum and a multicast group address; the source address comes from the IP header. IGMP is how hosts join multicast groups. For example, three people on a network want to watch the same video stream. With unicast the server would send three separate copies. With multicast each viewer's client joins a group address in the range 224.0.0.0 to 239.255.255.255 (reserved for multicast), a single copy of the stream enters the network, and it is delivered to every machine that has joined that group.
The group address is the multicast address all the viewers join, and the source address is the IP address of the video server the stream comes from.
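The ICMP and IGMP messages described above are short enough to build by hand. The following is an added example (not from the original notes) that constructs an ICMP echo request and the reply a live host sends back, and an IGMPv2 membership report for a group address, and verifies each one. Both protocols use the same RFC 1071 Internet checksum, so the receiver can confirm integrity by summing the whole message and checking for zero; the example also rejects an IGMP group outside 224.0.0.0/4. Identifiers, payloads and group addresses are made up for the example.

```python
"""Added example: build and verify ICMP echo and IGMPv2 messages.

Both protocols ride directly inside IP (no ports) and share the RFC 1071
Internet checksum. The messages below are constructed, not captured.
"""
import ipaddress
import struct

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
IGMP_V2_MEMBERSHIP_REPORT, IGMP_LEAVE_GROUP = 0x16, 0x17


def inet_checksum(data):
    """RFC 1071: ones-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_echo(kind, ident, seq, payload):
    """ICMP header: type, code, checksum, identifier, sequence, then data."""
    head = struct.pack("!BBHHH", kind, 0, 0, ident, seq)
    csum = inet_checksum(head + payload)
    return struct.pack("!BBHHH", kind, 0, csum, ident, seq) + payload


def parse_icmp(msg):
    kind, code, _, ident, seq = struct.unpack("!BBHHH", msg[:8])
    # A valid message sums to zero when the checksum field itself is included.
    return {"type": kind, "code": code, "ident": ident, "seq": seq,
            "payload": msg[8:], "checksum_ok": inet_checksum(msg) == 0}


def icmp_reply_for(request):
    """What a live host answers: same ident/seq/payload, type 0 (echo reply)."""
    req = parse_icmp(request)
    if not req["checksum_ok"] or req["type"] != ICMP_ECHO_REQUEST:
        return None  # corrupt or not an echo request: no reply
    return icmp_echo(ICMP_ECHO_REPLY, req["ident"], req["seq"], req["payload"])


def is_multicast(ip):
    """224.0.0.0/4 (224.0.0.0 to 239.255.255.255) is reserved for multicast."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network("224.0.0.0/4")


def igmp_v2(kind, group):
    """IGMPv2 message: type, max response time, checksum, group address."""
    if not is_multicast(group):
        raise ValueError("IGMP group must be a multicast address: " + group)
    packed = ipaddress.ip_address(group).packed
    body = struct.pack("!BBH4s", kind, 0, 0, packed)
    return struct.pack("!BBH4s", kind, 0, inet_checksum(body), packed)


def parse_igmp(msg):
    kind, max_resp, _, group = struct.unpack("!BBH4s", msg[:8])
    return {"type": kind, "max_resp": max_resp,
            "group": str(ipaddress.ip_address(group)),
            "checksum_ok": inet_checksum(msg) == 0}


if __name__ == "__main__":
    ping = icmp_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"are you there?")
    print(parse_icmp(icmp_reply_for(ping)))
    print(parse_igmp(igmp_v2(IGMP_V2_MEMBERSHIP_REPORT, "239.1.2.3")))
```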
Some Handy Tools
Traceroute: lists every router hop between your machine and a destination (on Windows the command is tracert). You cannot fix somebody else's routers, but traceroute shows whether the problem is on your side of the path or beyond it.
Pathping: some routers do not answer traceroute probes, which makes a single run hard to read. Windows also has pathping, which traces the route and then pings every hop repeatedly over a period, reporting packet loss and latency per hop so you can see which router is dropping traffic.
Bandwidth speed tester: a handy check that you are getting the speed you pay your ISP for, e.g. the Xfinity speed test.
There are tools that mark you out as a network person, and Wireshark is the first of them. It is a free protocol analyzer: you select a network interface, capture frames, save them to a capture file if you want, and then dissect the traffic in Wireshark.
It is a must-learn tool, so find a full playlist on YouTube and work through it: how to capture packets, how to analyze them, how to use Follow TCP Stream and so on. Nothing else matches it; it can dissect wireless, Bluetooth, VoIP and much more. You can also capture with another tool such as tcpdump, save the capture file and analyze it in Wireshark.
Introduction To Netstat
Suppose my computer is on a network with lots of connections open and I want to know who it is talking to at a given moment. netstat lists the open (listening) ports and the connections established between this computer and others right now.
The output shows the protocol, the local address and the foreign address. By default netstat resolves addresses and ports to names; run netstat -n to see plain IP addresses and port numbers instead.
Now it shows only numbers and port numbers. Port 443 is HTTPS; look up any port number you do not recognize. The State column shows ESTABLISHED for live connections and TIME_WAIT for connections that have just been closed and are waiting out the timer. If I close my Chrome browser, the port 443 connections move to TIME_WAIT.
If you open cmd as administrator and run netstat -b, each connection is shown with the executable that created it; netstat -bo adds the process ID.
You can verify this in Task Manager by matching the process IDs. netstat -a shows all ports, including listening ports with no active connection at the time. netstat -r prints the routing table, the same as route print.
In short, netstat shows which processes are talking and which ports the machine is listening on. Always use the -n option so you get port numbers you can look up.
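Reading netstat by eye works for a handful of lines; on a busy host you want to sort the output into listeners, live peers and anything that should not be there. The following is an added example (not part of the original notes) that parses the Windows netstat -ano layout, where UDP rows have no State column, and reports the established peers with their PIDs plus any listener not in an assumed baseline. The netstat text and the baseline set are constructed for the example; a real baseline comes from a known-good machine.

```python
"""Added example: read `netstat -ano` output and pick out what matters.

The text below is constructed sample output, not a real capture. The parser
handles the Windows layout, where UDP rows have no State column.
"""

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       6120
  TCP    192.168.1.20:52113     142.250.74.68:443      ESTABLISHED     7804
  TCP    192.168.1.20:52120     142.250.74.68:443      TIME_WAIT       0
  TCP    192.168.1.20:52131     203.0.113.9:443        ESTABLISHED     6120
  UDP    0.0.0.0:123            *:*                                    1232
  UDP    0.0.0.0:5353           *:*                                    3020
"""

# Listening ports this host is expected to have (an assumed baseline for the
# example; build yours from a known-good machine).
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 445), ("UDP", 123)}


def split_addr(addr):
    """'192.168.1.20:52113' -> ('192.168.1.20', 52113); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # blank line, the "Active Connections" banner, or the header
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) == 5 else ""  # UDP rows carry no state
        pid = int(parts[-1])
        rows.append({"proto": proto, "local": split_addr(local),
                     "foreign": split_addr(foreign), "state": state, "pid": pid})
    return rows


def listening_ports(rows):
    """(proto, port) pairs the host accepts traffic on."""
    return {(r["proto"], r["local"][1]) for r in rows
            if r["state"] == "LISTENING" or r["proto"] == "UDP"}


def established_peers(rows):
    """Who this machine is talking to right now: (peer_ip, peer_port, pid)."""
    return sorted((r["foreign"][0], r["foreign"][1], r["pid"])
                  for r in rows if r["state"] == "ESTABLISHED")


def unexpected_listeners(rows, baseline=EXPECTED_LISTENERS):
    """Listeners outside the baseline, with the PID to match in Task Manager."""
    suspicious = listening_ports(rows) - baseline
    return sorted((r["proto"], r["local"][1], r["pid"]) for r in rows
                  if (r["proto"], r["local"][1]) in suspicious)


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("established:", established_peers(rows))
    print("unexpected listeners:", unexpected_listeners(rows))
```

In the sample, PID 6120 both listens on TCP 4444 and holds an outbound HTTPS connection; that is exactly the pairing you would take to Task Manager (or netstat -bo) to identify the executable.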
HTTP & HTTPS
The most used protocol on the internet is HTTP (Hypertext Transfer Protocol); it is the base of the www. HTTP listens on port 80. Where does it run? On a web server, which is just a normal computer, usually with powerful specifications, running software that makes it a web server.
Two widely used web server packages are Microsoft IIS (Internet Information Services) and the open-source Apache HTTP Server, which is extremely popular. To make a machine a web server you install the software, configure it and leave it running.
To check whether your computer is running a web server, run netstat -a and look for a listener on port 80 (or 443). If something is listening there, some web server software is running; netstat -bo tells you which executable.
A web server can speak HTTP (port 80) or HTTPS (port 443, the S is for secure). To see the difference, capture traffic to an HTTP server in Wireshark, use Follow TCP Stream and look at the request.
The request is plain text and can be read by anyone on the path, along with any cookies, form fields or passwords it carries, which is why you cannot do transactions over it. Now look at HTTPS and you will see the difference.
This time the stream is unreadable bytes: everything after the handshake is encrypted. HTTPS does this with TLS (Transport Layer Security). SSL is the older protocol that TLS replaced; all SSL versions are deprecated now, although the name is still used loosely.
FTP
To transfer files to and from a server you use FTP (File Transfer Protocol), usually through a third-party client; FileZilla is one of the best examples. FTP uses two ports: 21 for the control connection (commands and replies) and 20 for data in active mode. You first create a username and password on the server; after logging in you land in your home directory and navigate from there.
Permissions (read, write, delete and so on) are set per user on files and directories. To let the public download files you enable the anonymous account, which allows login without a real password; be deliberate about it, because anything reachable by anonymous is reachable by everyone.
To access an FTP server you need an FTP client, and there are many: the built-in command-line ftp, Ipswitch WS_FTP LE and others. The client opens the control connection to server port 21. For each data transfer, in active mode the server connects back from its port 20 to a port the client announces; in passive mode the client opens a second connection to a high port the server announces, which is what usually works through firewalls and NAT.
You can also use a web browser with the URL ftp://IP, though current major browsers have dropped FTP support. On Windows, type ftp in cmd to enter FTP mode, then open IP, and it will prompt for a username and password.
The bad part is that FTP has no security at all: username, password and file contents all travel in plain text and can be read from a Wireshark or tcpdump capture. For a secure transfer use SFTP, which is file transfer over SSH (port 22), or FTPS, which is FTP wrapped in TLS. Despite the name, SFTP is not FTP over SSL/TLS.
E-mail Servers and Clients
To send email we use SMTP (Simple Mail Transfer Protocol), which uses port 25 between mail servers. To receive email there are two options: POP3 (Post Office Protocol version 3, the older one), which runs on port 110, and IMAP (Internet Message Access Protocol, version 4, the newer one), which runs on port 143.
So you send with SMTP and receive with POP3 or IMAP, and you need to know which you are using when configuring a client. When you set up a mail server you need software that provides both the SMTP side and the POP3 or IMAP side, either one package or two that work together.
Securing Email: SMTP, POP3 and IMAP are not secure by default, so encrypted versions were added, in two styles. The first is implicit TLS, where the whole connection is encrypted from the first byte on a separate port: SMTPS on 465, POP3S on 995 and IMAPS on 993. The second is STARTTLS, where the client connects to the normal port and then upgrades the connection with a STARTTLS command; for mail submission from clients this uses port 587, and POP3 and IMAP do it on their usual ports 110 and 143. STARTTLS on 587 was preferred for a long time because the separate-port assignments were seen as messy, but implicit TLS on 465 is now recommended again for submission (RFC 8314), so you will meet both. Either way a client must be configured to refuse to send credentials if the encryption is not in place.
TELNET & SSH
Telnet gives you a remote command prompt on a faraway computer. Windows does not run a Telnet server by default; you install a program such as freeSSHd, which provides both a Telnet and an SSH server. Telnet runs on port 23. To reach a server that you or somebody else has set up, use a client program such as PuTTY.
Enter the server's IP, your username and your password, and you are logged into the server.
You now have the server's command prompt and can run any command. The problem is that Telnet is not secure: capture the session in Wireshark and every keystroke, the password included, is there in plain text. So SSH (Secure Shell, port 22) is used instead; it gives the same remote shell over an encrypted channel.
When you connect with SSH, client and server run a key exchange that produces a fresh session key, and all traffic after that is encrypted with it. The server also presents its host key; the client stores it on first connection and warns if it changes later, which is the check that stops someone from impersonating the server.
Network Time Protocol
NTP servers are very important but get the least attention. In the Windows time settings you will find a line saying the computer synchronizes its clock automatically; it does so from an NTP server. NTP (Network Time Protocol) is the clock-synchronization protocol and uses UDP port 123. There are hundreds of public NTP servers worldwide. Accurate time matters more than it looks: certificate validity, Kerberos tickets and log correlation all depend on it.
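To see what actually travels on port 123, the following added example (not code from the original notes) builds the 48-byte NTP client request, constructs the reply a server would send, and then validates that reply the way a careful client should before trusting it: the packet must be in server mode, from a synchronized server with a usable stratum, and must echo the client's own transmit timestamp, which is what rules out a stale or spoofed reply. It then computes the clock offset and round-trip delay from the four timestamps as RFC 5905 defines them. The timestamps and the server's reference identifier are made up for the example.

```python
"""Added example: build an NTP client request and validate a server reply.

The reply bytes are constructed here, not received from a real server.
"""
import struct

NTP_PORT = 123
NTP_UNIX_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01
MODE_CLIENT, MODE_SERVER = 3, 4
# LI/VN/mode, stratum, poll, precision, root delay, root dispersion, reference
# id, then four 64-bit timestamps (reference, origin, receive, transmit).
NTP_FMT = "!BBBb" + "I" * 11  # 48 bytes


def to_ntp(unix_seconds):
    """Unix time (float) -> (seconds, fraction) in NTP's 64-bit fixed point."""
    whole = int(unix_seconds) + NTP_UNIX_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * 2**32)
    return whole, frac


def from_ntp(seconds, fraction):
    return seconds - NTP_UNIX_OFFSET + fraction / 2**32


def client_request(transmit_unix):
    """Client packet: LI=0, version 4, mode 3; only the transmit time is set."""
    first = (0 << 6) | (4 << 3) | MODE_CLIENT
    secs, frac = to_ntp(transmit_unix)
    return struct.pack(NTP_FMT, first, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, secs, frac)


def server_reply(request, receive_unix, transmit_unix, stratum=2):
    """Constructed reply: copies the request's transmit time into origin."""
    q = struct.unpack(NTP_FMT, request)
    first = (0 << 6) | (4 << 3) | MODE_SERVER
    return struct.pack(NTP_FMT, first, stratum, q[2], -20, 0, 0, 0x47505300,
                       *to_ntp(receive_unix - 1), q[13], q[14],
                       *to_ntp(receive_unix), *to_ntp(transmit_unix))


def validate_reply(reply, request, arrival_unix):
    """Sanity checks, then (offset, delay) in seconds; raises ValueError if unusable."""
    r = struct.unpack(NTP_FMT, reply)
    q = struct.unpack(NTP_FMT, request)
    li, version, mode = r[0] >> 6, (r[0] >> 3) & 7, r[0] & 7
    if mode != MODE_SERVER or version not in (3, 4):
        raise ValueError("not a v3/v4 server reply")
    if r[1] == 0 or r[1] > 15:
        raise ValueError("kiss-o'-death or unsynchronized server (stratum %d)" % r[1])
    if li == 3:
        raise ValueError("server clock not synchronized")
    if (r[9], r[10]) != (q[13], q[14]):
        raise ValueError("origin timestamp does not match our request")
    t1 = from_ntp(q[13], q[14])   # we sent the request
    t2 = from_ntp(r[11], r[12])   # server received it
    t3 = from_ntp(r[13], r[14])   # server sent the reply
    t4 = arrival_unix             # we received the reply
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def is_trusted(reply, request, arrival_unix):
    try:
        validate_reply(reply, request, arrival_unix)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    req = client_request(1700000000.0)
    rep = server_reply(req, 1700000010.05, 1700000010.06)
    print("offset, delay:", validate_reply(rep, req, 1700000000.1))
```

With the sample values the client's clock turns out to be about 10 seconds behind the server; a real client would apply that offset gradually and only after several consistent replies.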
Network Service Scenarios
Here are some service issues that come up in practice, starting with DHCP and its reservations. First, never leave the gateway's address inside the DHCP pool: sooner or later the server will hand that address to some host, which conflicts with the router, and nobody can reach the internet. Exclude it from the scope.
Second, say you have a file server that gets most of the requests on the network. Give it a fixed address, either by excluding it from the pool and configuring it statically or with a DHCP reservation, so that it can always be reached at the same address. Always keep a block of addresses outside the dynamic pool for servers, printers and other fixed devices.
A DHCP reservation ties an address to a MAC address. Say you have a camera that must always be working: register its MAC on the DHCP server with a reserved IP, and whenever the server sees a request from that MAC it hands out that address. The reserved address is held out of the dynamic pool, so it is never given to anyone else and the camera never has to wait for a free lease.
One more thing: do not use long leases in a busy place. The default on a Windows DHCP server is 8 days. Visitors arrive, take an address and leave, but the address stays leased until it expires, so with long leases the scope runs out. Where users come and go, set leases to 3-4 hours; in a stable office a long lease is fine.
The bottom line is that a DHCP server alone does not solve every addressing problem, so we turn to IPAM (IP Address Management). IPAM tools are built to track every IP in use and handle the addressing needs of the whole network: they can set DHCP scopes, create reservations, allocate new address blocks and more.
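The three DHCP points above (exclude the gateway, reserve by MAC, keep leases short where clients are transient) can be checked with a small in-memory model. The following is an added example, not code from the original notes: a simulated scope that excludes addresses from its pool, pins a reserved address to a MAC, expires leases, and refuses requests once the pool is exhausted. The lobby simulation hands addresses to visitors who walk off without releasing them and counts how many are refused under an 8-day lease versus a 4-hour one. The subnet, MAC addresses and visitor timings are made up for the example.

```python
"""Added example: a DHCP scope with exclusions, reservations and lease expiry.

Everything is simulated in memory (no DHCP packets); addresses and MACs are
made up.
"""

DAY, HOUR = 86400, 3600


class DhcpScope:
    def __init__(self, prefix, first, last, lease_seconds, excluded=()):
        # Dynamic pool: the range minus excluded addresses (gateway, servers).
        excluded = set(excluded)
        self.pool = [f"{prefix}.{n}" for n in range(first, last + 1)
                     if f"{prefix}.{n}" not in excluded]
        self.lease_seconds = lease_seconds
        self.reservations = {}   # mac -> ip, held out of the dynamic pool
        self.leases = {}         # ip -> (mac, expiry time)

    def reserve(self, mac, ip):
        """Pin ip to mac; the address is no longer offered to other clients."""
        if ip in self.pool:
            self.pool.remove(ip)
        self.reservations[mac.lower()] = ip

    def expire(self, now):
        for ip in [ip for ip, (_, end) in self.leases.items() if end <= now]:
            del self.leases[ip]

    def request(self, mac, now):
        """Simplified DISCOVER/REQUEST: return the leased ip, or None if exhausted."""
        mac = mac.lower()
        self.expire(now)
        if mac in self.reservations:
            ip = self.reservations[mac]
        else:
            # A client that still holds a lease renews it rather than taking a new address.
            ip = next((ip for ip, (m, _) in self.leases.items() if m == mac), None)
            if ip is None:
                ip = next((ip for ip in self.pool if ip not in self.leases), None)
            if ip is None:
                return None  # scope exhausted
        self.leases[ip] = (mac, now + self.lease_seconds)
        return ip


def lobby_simulation(lease_seconds, visitors=20, interval=30 * 60):
    """Visitors arrive every `interval` seconds, take an address and walk away
    without releasing it. Returns how many were refused an address."""
    scope = DhcpScope("10.0.50", 10, 19, lease_seconds)  # only 10 addresses
    refused = 0
    for i in range(visitors):
        if scope.request(f"00:11:22:33:44:{i:02x}", now=i * interval) is None:
            refused += 1
    return refused


if __name__ == "__main__":
    print("8-day leases, refused:", lobby_simulation(8 * DAY))
    print("4-hour leases, refused:", lobby_simulation(4 * HOUR))
```

With ten addresses and a visitor every half hour, the 8-day lease turns away the second ten visitors, while the 4-hour lease recycles addresses fast enough that nobody is refused.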