
Protocols

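| Protocol | Port(s) | Transport |
| --- | --- | --- |
| HTTP | 80 | TCP |
| HTTPS | 443 | TCP |
| DNS | 53 | UDP/TCP |
| DHCP | 67 (server), 68 (client) | UDP |
| SSH | 22 | TCP |
| Telnet | 23 | TCP |
| FTP | 20 (data), 21 (control) | TCP |
| TFTP | 69 | UDP |
| SNMP | 161 (agent), 162 (trap) | UDP |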

| Packet | Device | Notes |
| --- | --- | --- |
| DHCP Discover | Host | Host sends out a broadcast packet seeking a DHCP server on the network. Packet source IP is 0.0.0.0; packet destination IP is 255.255.255.255. |
| DHCP Offer | Server | Server responds with a DHCP Offer packet which contains an IP address, subnet mask, lease time and default gateway. |
| DHCP Request | Host | Host responds to the server accepting the DHCP Offer. This stage is called a request because the host is formally requesting the offered IP. Should there be multiple DHCP offers, the other offering servers are notified that they were not successful and the IPs not being used are returned to their respective pools. |
| DHCP Acknowledge | Server | Server acknowledges that the host has accepted the offer and registers that the IP address has been assigned to the host. |

Ports: DHCP uses UDP Port 68 for client and port 67 for server

EIGRP is an advanced distance-vector routing protocol. It is Cisco proprietary and uses DUAL (Diffusing Update Algorithm).

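```python
def eigrp(min_bandwidth, load, total_delay, reliability, k1, k2, k3, k4, k5):
    # min_bandwidth in kbps, total_delay in microseconds, load/reliability 1-255.
    # k1..k5 are booleans: each K value is taken as 1 when True and 0 when False.
    bw = (10**7) / min_bandwidth               # scaled inverse bandwidth
    m1 = bw if k1 else 0
    m2 = bw / (256 - load) if k2 else 0
    m3 = total_delay / 10 if k3 else 0         # delay in tens of microseconds
    # Reliability factor K5 / (reliability + K4); treated as 1 when K5 is 0
    m5 = 1 / (reliability + (1 if k4 else 0)) if k5 else 1
    answer = 256 * ((m1 + m2 + m3) * m5)
    print(answer)
    return answer


# Sample values; load is an 8-bit value and must stay within 1-255
eigrp(1200, 100, 10, 5, True, True, True, True, True)
```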

OSPF is a link-state routing protocol and an industry standard.

  • Version 2 uses IPv4 and Version 3 uses IPv6
  • Establishes Neighbour Adjacencies
  • Exchanges Link-State Advertisements
  • Builds a Topology Table
  • Uses the SPF algorithm

OSPF can be deployed as single area or multiple area.

  • Neighbour Table
  • Topology Table
  • Routing Table

Link State Packet Types

  • Type 1: Hello
  • Type 2: Database Description DBD
  • Type 3: Link-State Request (LSR)
  • Type 4: Link-State Update (LSU)
  • Type 5: Link-State Acknowledgment (LSA)

Spanning Tree Protocol (STP) is an automated topology-building protocol which avoids “loops” in the network's logical topology. At a basic level it ensures there are no bridge loops or broadcast radiation (broadcast storms). In addition, the protocol keeps redundant links available where possible for fail-over events, creating fault-tolerant paths.

Switches flood broadcast packets, and in a redundant topology without STP this can cause broadcast loops.

BPDU frames are special frames used in STP to determine a port's role in the topology. A BPDU frame includes a Bridge ID, which consists of [Priority Number + VLAN ID + MAC Address].

STP Order of operations

  1. Determine the root bridge by electing the switch with the lowest-value bridge ID. (The network admin will ensure priority is used correctly in the topology so as not to leave this to luck.)
  2. Ports on a root bridge are labelled designated ports and lead away from the root bridge.
  3. Root ports are ports on the non-root switches which forward data to the root bridge.
  4. Root ports are selected by lowest path cost (fastest link to the root bridge).

Root Port Calculation Table

| Link Speed | Cost |
| --- | --- |
| 1 Gbps | 4 |
| 100 Mbps | 19 |
| 10 Mbps | 100 |

In any segment, the port that is not elected as a Root Port or a Designated Port enters the Blocking State.
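The election steps and cost table above, worked through on a small topology. This is an added example, not part of the original notes: the three switches, their priorities, MAC addresses and port names are constructed, and real STP tie-breakers (sender bridge ID, port ID) are left out.

```python
import heapq

# Link speed in Mbps -> STP path cost, from the table above
COST = {1000: 4, 100: 19, 10: 100}

# Constructed bridge IDs: (priority + VLAN ID, MAC). Tuples compare the
# priority value first and fall back to the MAC address on a tie.
BRIDGES = {
    "SW1": (32768 + 1, "00:1a:00:00:00:0c"),
    "SW2": (24576 + 1, "00:1a:00:00:00:0f"),
    "SW3": (32768 + 1, "00:1a:00:00:00:0a"),
}
# Constructed links: (switch, local port, neighbour switch, speed in Mbps)
LINKS = [
    ("SW1", "Gi0/1", "SW2", 1000), ("SW2", "Gi0/1", "SW1", 1000),
    ("SW1", "Fa0/2", "SW3", 100), ("SW3", "Fa0/2", "SW1", 100),
    ("SW2", "Eth0/3", "SW3", 10), ("SW3", "Eth0/3", "SW2", 10),
]


def elect_root(bridges):
    """Step 1: the switch with the lowest bridge ID becomes root."""
    return min(bridges, key=bridges.get)


def root_path_costs(root, links):
    """Lowest cumulative path cost from every switch to the root (Dijkstra)."""
    dist, heap = {root: 0}, [(0, root)]
    while heap:
        d, sw = heapq.heappop(heap)
        if d > dist[sw]:
            continue  # stale heap entry
        for a, _port, b, speed in links:
            if a == sw and d + COST[speed] < dist.get(b, float("inf")):
                dist[b] = d + COST[speed]
                heapq.heappush(heap, (dist[b], b))
    return dist


def root_ports(root, links):
    """Step 4: on each non-root switch, the port with the lowest cost to root."""
    dist, best = root_path_costs(root, links), {}
    for sw, port, nbr, speed in links:
        if sw == root:
            continue
        cost = dist[nbr] + COST[speed]
        if sw not in best or cost < best[sw][1]:
            best[sw] = (port, cost)
    return best


if __name__ == "__main__":
    root = elect_root(BRIDGES)
    print("root bridge:", root)
    print("root ports:", root_ports(root, LINKS))
```

SW3 reaches the root more cheaply through SW1 (19 + 4 = 23) than over its direct 10 Mbps link (100), so its root port is the one facing SW1.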

STP Port States

| State | Purpose | Forwarding Data? |
| --- | --- | --- |
| Blocking | Prevents loops; receives BPDUs only. | No |
| Listening | Building the topology; cleaning out old entries. | No |
| Learning | Populating the MAC address table. | No |
| Forwarding | Normal operation. | Yes |
| Disabled | Port is administratively down. | No |

PortFast is a configuration used on “edge” ports (connecting to PCs or servers). It allows the port to skip the Listening/Learning phases and go straight to Forwarding.

Warning: Never enable PortFast on a port connected to another switch, as it bypasses the loop-prevention mechanism!

DNS translates human-readable domain names to IP addresses.

Key Characteristics:

  • Port 53: Uses both UDP (queries) and TCP (zone transfers)
  • Hierarchical structure: Root → TLD → Authoritative nameservers
  • Record types: A (IPv4), AAAA (IPv6), CNAME (alias), MX (mail), NS (nameserver), PTR (reverse)
  • Caching: Reduces lookup time and server load
  • Recursive vs Iterative queries

HTTP is the foundation of data communication on the World Wide Web. It’s a request-response protocol where clients (typically web browsers) send requests to servers, which then respond with the requested resources.

Key characteristics:

  • Stateless: Each request is independent; the server doesn’t retain information between requests
  • Port 80: Default port for HTTP communication
  • Request methods: GET (retrieve data), POST (submit data), PUT (update), DELETE (remove), HEAD, PATCH, etc.
  • Status codes:
    • 2xx (success) - e.g., 200 OK
    • 3xx (redirection) - e.g., 301 Moved Permanently
    • 4xx (client errors) - e.g., 404 Not Found
    • 5xx (server errors) - e.g., 500 Internal Server Error

HTTPS:

  • HTTP over TLS/SSL encryption
  • Port 443
  • Encrypts data in transit, preventing eavesdropping and tampering
  • Now the standard for virtually all websites

HTTP versions:

  • HTTP/1.1: Persistent connections, chunked transfer encoding
  • HTTP/2: Multiplexing, header compression, server push
  • HTTP/3: Built on QUIC protocol (UDP-based) for improved performance

Choice of protocol is important when determining criticality of packets being sent across the network.

UDP is the protocol used in streaming or real-time communications. There is no acknowledgement of receipt of packets, and the protocol is defined as connectionless:

  • UDP is not shackled by overhead
  • It allows for packet loss and is used where overall packet loss is OK (streaming a video)

TCP is the protocol used where packet loss is a major concern (financial apps, transaction data). Receipt of packets is acknowledged, and the protocol is defined as connection-oriented:

  • Reliability is built in, with a mechanism that ensures the fewest number of packets get dropped
  • If any packets are dropped they will be automatically retransmitted.
  • Each segment has a sequence number in addition to source and destination port numbers.
  • If a packet is received whose sequence number is not sequential to the last packet, it will be retransmitted.

Router Solicitation (RS): Sent by a host to discover IPv6 routers on the link. The destination is the all-routers multicast address (ff02::2). The source is typically the unspecified address (::) or the host’s link-local address.

Router Advertisement (RA): Sent in response to an RS, or periodically sent to the all-nodes multicast address (ff02::1). Contains: network prefix(es), MTU, default gateway link-local address, and flags (M/O/A) that control address autoconfiguration (SLAAC or DHCPv6).

Neighbour Solicitation (NS): Used for address resolution (IP-to-MAC mapping, replacing ARP) and Duplicate Address Detection (DAD). Sent to the target’s solicited-node multicast address (ff02::1:ffxx:xxxx).

Neighbour Advertisement (NA): Sent in response to an NS. It carries the sender’s MAC address, completing the IP-to-MAC resolution. It can also be sent unsolicited to announce a change in the host’s MAC address.

Redirect: Sent by a router to inform a host that a better first-hop router exists for a specific destination, or that the destination is a neighbour on the same link.

ARP is a protocol used by hosts to map a Layer 3 IP address to a corresponding Layer 2 MAC address on the local network.

  1. ARP Request: When a host has an IP packet to send to a destination on the local subnet but doesn’t know its MAC address, it broadcasts an ARP Request. This request asks, “Who has this IP address? Tell me their MAC address.”
  2. ARP Reply: The device with the matching IP address sends a unicast ARP Reply directly back to the requesting host, providing its MAC address.
  3. Cache: The requesting host stores this mapping in its ARP cache for future use.
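
Ethernet frame layout:

| Preamble | Start Frame Delimiter | Dest MAC Address | Source MAC Address | Length / Type | Data | Frame Check Sequence |
| --- | --- | --- | --- | --- | --- | --- |
| 7 | 1 | 6 | 6 | 2 | 46-1500 | 4 |

Numbers are represented in bytes (multiply by 8 to get bits).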

Preamble: Puts the receiving NIC in sync with the bits coming down the cable.

Start Frame Delimiter: Indicates to the receiving NIC that the information will be received following this byte.

Dest MAC Address: Where the frame is going to on the network.

Source MAC Address: Originating MAC address for the frame.

Length / Type: Might be the length of the data/payload or the type of data/payload.

Data: Could be a combination of information. Ethernet doesn’t care; this could be a mix of IPv4, TCP etc.

Frame Check Sequence: Error-checking sequence to ensure the validity of the information.

Internet Protocol Version 4 (IPv4) - Layer 3 (Network)


32-bits broken up into 8-bit bytes known as octets and represented in dotted notation. 11010001.10100101.11001000.00000001 = 209.165.200.1

  • 255.255.255.255 is a broadcast destination for every device on that particular network.

Unicast: All communications between devices are unicast unless noted otherwise by packet composition. Unicast addresses range from 1.1.1.1 to 223.255.255.255.

Broadcast: A message sent to all devices in one network (IPv6 does not use broadcast packets). A broadcast address is identifiable by the host octets being set to 255.

Multicast: A multicast packet is a packet whose destination IP address is a multicast address. In IPv4, multicast addresses are reserved from 224.0.0.0 to 239.255.255.255.

Hosts that receive multicast packets are called multicast clients. The multicast clients use services requested by a client program to subscribe to a multicast group.

Each multicast group is represented by a single IPv4 multicast destination address.

RFC 1918 sets the standard for what would be defined as a reserved space for private and public IP Addresses.

| Network Address/Prefix | RFC 1918 Private Range |
| --- | --- |
| 10.0.0.0/8 | 10.0.0.0 - 10.255.255.255 |
| 172.16.0.0/12 | 172.16.0.0 - 172.31.255.255 |
| 192.168.0.0/16 | 192.168.0.0 - 192.168.255.255 |

Network address translation (NAT) is used to translate private network source and destination addresses to public ones, allowing traffic to be routed from one private network to another through a public network. This is usually done by a router that connects the internal network to the ISP network.

A loopback address is usually reserved to the range 127.0.0.0/8, or 127.0.0.1 to 127.255.255.255. It is most commonly identified as 127.0.0.1. This range is special in that it directs traffic back to the host itself.

Link-local addresses (169.254.0.0/16, or 169.254.0.1 to 169.254.255.254) are commonly known as automatic private IP addressing (APIPA). They are used by a Windows client to self-configure in the event that the client cannot obtain an IP address through other methods.

Class A: 0.0.0.0/8 to 127.0.0.0/8 - Supports networks with more than 16 million hosts.

Class B: 128.0.0.0/16 - 191.255.0.0/16 - Supports networks with up to ~65K hosts.

Class C: 192.0.0.0/24 - 223.255.255.0/24 - Small networks with a maximum of 254 hosts.

Note: There is also a Class D multicast block consisting of 224.0.0.0 to 239.0.0.0 and a Class E experimental address block consisting of 240.0.0.0 - 255.0.0.0.

Internet Protocol Version 6 (IPv6) - Layer 3 (Network)


IPv6 addresses are represented using hex (0-9, A-F) in hextets. Addresses are 128 bits in length and written as a string of hexadecimal values. Every four bits are represented by a single hex digit, for a total of 32 hex values. Below is the preferred format, which uses all 32 hex digits. This is not ideal in most circumstances because of the considerable length of the resulting address.

Example IP in preferred format: 2001:0db8:0000:1111:0000:0000:0000:0200


Two rules reduce the number of hex digits needed to represent an IPv6 address.

Rule 1: Omit any leading zeros. As an example:

2001:0db8:0000:1111:0000:0000:0000:0200 Becomes 2001:db8:0:1111:0:0:0:200

Rule 2: Any single string of one or more 16-bit segments (hextets) consisting of all zeroes can be represented by a double colon (::). Note: the double colon can only be used once and should be used on the longest contiguous run of zero hextets.

2001:0db8:0000:1111:0000:0000:0000:0200 Becomes 2001:db8:0:1111::200
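Both shortening rules implemented and checked against Python's standard `ipaddress` module. This is an added example, not part of the original notes; the function names are hypothetical, and it follows RFC 5952 in leaving a lone zero hextet as `0` rather than `::`. Because one address has many valid spellings, allow-lists and log searches should compare parsed addresses, not strings.

```python
import ipaddress
import string

HEX = set(string.hexdigits)


def compress_ipv6(preferred: str) -> str:
    """Shorten a preferred-format address (8 hextets of 4 hex digits)."""
    hextets = preferred.lower().split(":")
    if len(hextets) != 8 or not all(len(h) == 4 and set(h) <= HEX for h in hextets):
        raise ValueError("expected 8 hextets of 4 hex digits each")
    # Rule 1: drop leading zeros, keeping one digit for an all-zero hextet
    hextets = [h.lstrip("0") or "0" for h in hextets]
    # Rule 2: locate the longest run of zero hextets (leftmost wins a tie)
    best_start, best_len, i = 0, 0, 0
    while i < 8:
        j = i
        while j < 8 and hextets[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = max(j, i + 1)
    if best_len < 2:  # RFC 5952: a single zero hextet stays written as "0"
        return ":".join(hextets)
    head = ":".join(hextets[:best_start])
    tail = ":".join(hextets[best_start + best_len:])
    return f"{head}::{tail}"  # "::" appears exactly once


def same_address(a: str, b: str) -> bool:
    """Compare two spellings by value, the safe way to match addresses."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)


if __name__ == "__main__":
    full = "2001:0db8:0000:1111:0000:0000:0000:0200"  # example from the text
    short = compress_ipv6(full)
    print(short, short == str(ipaddress.IPv6Address(full)))
    print(same_address(full, "2001:DB8:0:1111:0:0:0:200"))
```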

| Byte 1 | Byte 2 | Byte 3 | Byte 4 | Rows |
| --- | --- | --- | --- | --- |
| Ver / Traffic Class | Traffic Class / Flow Label | Flow Label | Flow Label | Row 1 (4 bytes / 32 bits) |
| Payload Length | Payload Length | Next Header | Hop Limit | Row 2 (4 bytes / 32 bits) |
| Source IP | Source IP | Source IP | Source IP | Rows 3-6 (16 bytes / 128 bits) |
| Destination IP | Destination IP | Destination IP | Destination IP | Rows 7-10 (16 bytes / 128 bits) |

  • Ver (4 bits): Set to IPv6.
  • Traffic Class (8 bits): Used for Quality of Service and congestion control.
  • Flow Label (20 bits): Used by the source to label a sequence of packets that need special handling by IPv6 routers.
  • Payload Length (16 bits): The length of the IPv6 payload (the data following the base header and any extension headers), in bytes.
  • Next Header (8 bits): Identifies the type of header immediately following the IPv6 header (e.g., a Transport layer header like TCP or UDP, or an IPv6 extension header).
  • Hop Limit (8 bits): Decremented by one by each node that forwards the packet. If the Hop Limit is reduced to zero, the packet is discarded. Similar to the IPv4 Time-to-Live (TTL).
  • Source IP Address (128 bits): The IPv6 address of the packet’s originator. This is 4 rows in total, as an IPv6 address is 128 bits long (16×8 bits).
  • Destination IP Address (128 bits): The IPv6 address of the packet’s intended recipient. This is also 4 rows in total.
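A decoder for the 40-byte base header laid out above, which also checks the version field and whether the Payload Length matches the bytes actually received. This is an added example, not part of the original notes; the sample packet is constructed and uses the 2001:db8::/32 documentation prefix.

```python
import ipaddress
import struct

BASE_HEADER_LEN = 40  # rows 1-10 of the layout above, 4 bytes each


def parse_ipv6_header(packet: bytes) -> dict:
    """Decode the fixed IPv6 header and sanity-check it."""
    if len(packet) < BASE_HEADER_LEN:
        raise ValueError("shorter than the 40-byte IPv6 base header")
    # Row 1 is read as one 32-bit word; row 2 as 16 + 8 + 8 bits.
    row1, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    version = row1 >> 28
    if version != 6:
        raise ValueError(f"version field is {version}, not 6")
    return {
        "version": version,
        "traffic_class": (row1 >> 20) & 0xFF,
        "flow_label": row1 & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "source": ipaddress.IPv6Address(packet[8:24]),
        "destination": ipaddress.IPv6Address(packet[24:40]),
        # The length field is sender-supplied: compare it with what arrived.
        "length_matches": len(packet) - BASE_HEADER_LEN == payload_len,
    }


def build_sample() -> bytes:
    """Constructed sample: traffic class 0xB8, flow label 0x12345, 8-byte payload."""
    row1 = (6 << 28) | (0xB8 << 20) | 0x12345
    payload = b"\x00" * 8
    header = struct.pack("!IHBB", row1, len(payload), 17, 64)  # 17 = UDP
    header += ipaddress.IPv6Address("2001:db8::1").packed
    header += ipaddress.IPv6Address("2001:db8::2").packed
    return header + payload


if __name__ == "__main__":
    for field, value in parse_ipv6_header(build_sample()).items():
        print(f"{field:15} {value}")
```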

SNMP sits on the application layer and provides a standard specification for the network administrator to monitor, manage and configure network devices.

The Key features and functions include:

  • Data Collection
  • Fault Detection
  • Remote Configuration
  • Security (v3)

The core components of an SNMP layer include:

  • SNMP Manager: Central software system that requests and processes data.
  • SNMP Agent: Software on managed devices (routers and servers) which collects and forwards data to the manager.
  • MIB (Management Information Base): A tree-structured database of variables (OIDs) that defines what data can be queried on a device.

  • SNMP v1 - Least Secure
  • SNMP v2c - most commonly used, improved performance but lacking strong security
  • SNMP v3 - Current standard providing cryptographic security

Manager-to-agent comms are done in the form of messages; these messages are generally stored in the MIB (standardized database). The MIB contains parameters/objects (OIDs).

  • GET - Retrieves information on agents
  • GET-NEXT
  • GET-RESPONSE
  • SNMP SET - Modify or assign values to agents
  • SNMP TRAP - Unsolicited alert sent from agent to manager when a predefined event occurs (e.g., interface down, threshold exceeded).