// TCP/IP Model
// LAYER 4 — APPLICATION
Where user-facing protocols live. HTTP, HTTPS, FTP, SSH, DNS, SMTP, SNMP. Data is formatted and presented to the user here.
// LAYER 3 — TRANSPORT
TCP — reliable, ordered, connection-based. UDP — fast, connectionless, no guarantee. Ports live at this layer.
// LAYER 2 — INTERNET
IP addressing and routing. IPv4, IPv6, ICMP, ARP. Responsible for logical addressing and path selection between networks.
// LAYER 1 — NETWORK ACCESS
Physical transmission. Ethernet, Wi-Fi, MAC addresses. Deals with how bits are sent over the physical medium.
| TCP/IP LAYER | OSI EQUIVALENT | KEY PROTOCOLS | UNIT |
|---|---|---|---|
| Application | Application / Presentation / Session | HTTP, DNS, FTP, SMTP, SNMP, SSH | Data |
| Transport | Transport | TCP, UDP | Segment / Datagram |
| Internet | Network | IP, ICMP, ARP, OSPF, BGP | Packet |
| Network Access | Data Link / Physical | Ethernet, Wi-Fi, PPP | Frame / Bit |
TCP vs UDP: TCP guarantees delivery with a 3-way handshake (SYN → SYN-ACK → ACK). UDP just fires packets — faster but no delivery confirmation. Use TCP for reliability, UDP for speed (video, DNS, SNMP).
// Common Protocols
| PROTOCOL | PORT | TRANSPORT | DESCRIPTION |
|---|---|---|---|
| HTTP | 80 | TCP | Web traffic, unencrypted |
| HTTPS | 443 | TCP | Web traffic, TLS encrypted |
| FTP | 20/21 | TCP | File transfer (unencrypted) |
| SFTP | 22 | TCP | Secure file transfer over SSH |
| SSH | 22 | TCP | Encrypted remote shell access |
| Telnet | 23 | TCP | Remote shell, unencrypted — avoid |
| SMTP | 25 / 587 | TCP | Email sending |
| DNS | 53 | UDP / TCP | Domain name resolution |
| DHCP | 67/68 | UDP | Automatic IP assignment |
| SNMP | 161/162 | UDP | Network device monitoring |
| LDAP | 389 | TCP | Directory services |
| RDP | 3389 | TCP | Windows remote desktop |
| NTP | 123 | UDP | Time synchronisation |
| ICMP | — | IP | Ping, traceroute, error messages |
// Subnetting
// CIDR NOTATION
A subnet mask written as a prefix length. /24 means 24 bits for the network, 8 bits for hosts → 256 addresses (254 usable).
// PRIVATE RANGES
10.0.0.0/8 — Class A (16M hosts)
172.16.0.0/12 — Class B (1M hosts)
192.168.0.0/16 — Class C (65K hosts)
// SPECIAL ADDRESSES
127.0.0.1 — loopback (localhost)
0.0.0.0 — all interfaces
255.255.255.255 — broadcast
x.x.x.0 — network address
x.x.x.255 — broadcast address
| CIDR | SUBNET MASK | HOSTS | EXAMPLE |
|---|---|---|---|
| /8 | 255.0.0.0 | 16,777,214 | 10.0.0.0/8 |
| /16 | 255.255.0.0 | 65,534 | 192.168.0.0/16 |
| /24 | 255.255.255.0 | 254 | 192.168.1.0/24 |
| /25 | 255.255.255.128 | 126 | 192.168.1.0/25 |
| /26 | 255.255.255.192 | 62 | 192.168.1.0/26 |
| /27 | 255.255.255.224 | 30 | 192.168.1.0/27 |
| /28 | 255.255.255.240 | 14 | 192.168.1.0/28 |
| /30 | 255.255.255.252 | 2 | 192.168.1.0/30 |
| /32 | 255.255.255.255 | 1 | Single host |
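The CIDR arithmetic behind the table above, as an added example (not part of the original cheat sheet): it derives the mask, network, broadcast and usable-host count from a prefix length with bit arithmetic, and checks membership in the private ranges listed earlier. Function names are my own; it uses only the standard `ipaddress` module.

```python
import ipaddress

# RFC 1918 private ranges, as listed in the PRIVATE RANGES section.
PRIVATE_RANGES = [
    ipaddress.IPv4Network("10.0.0.0/8"),
    ipaddress.IPv4Network("172.16.0.0/12"),
    ipaddress.IPv4Network("192.168.0.0/16"),
]


def prefix_to_mask(prefix: int) -> str:
    """Dotted-quad subnet mask for a prefix length: the top `prefix` bits set."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    mask_int = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask_int))


def usable_hosts(prefix: int) -> int:
    """2^(32-prefix) minus network and broadcast; /31 and /32 reserve nothing."""
    total = 2 ** (32 - prefix)
    return total if prefix >= 31 else total - 2


def describe(cidr: str) -> dict:
    """Summarise any address-with-prefix, e.g. '192.168.1.77/26' (host bits allowed)."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "mask": prefix_to_mask(net.prefixlen),
        "usable_hosts": usable_hosts(net.prefixlen),
        "private": any(net.subnet_of(r) for r in PRIVATE_RANGES),
    }


def in_subnet(ip: str, cidr: str) -> bool:
    """True if `ip` falls inside `cidr` (the test a firewall source rule performs)."""
    return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(cidr, strict=False)


if __name__ == "__main__":
    for prefix in (8, 16, 24, 25, 26, 27, 28, 30, 32):  # reproduces the table
        print(f"/{prefix:<3} {prefix_to_mask(prefix):<16} {usable_hosts(prefix):>10,}")
    print(describe("192.168.1.77/26"))
```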
// SNMP — Simple Network Management Protocol
// WHAT IS SNMP
SNMP is a protocol for monitoring and managing network devices — routers, switches, servers, printers. It runs over UDP port 161 (queries) and 162 (traps).
// HOW IT WORKS
A manager (your monitoring system) queries agents (devices) for data stored in a MIB (Management Information Base) — a tree of OIDs (Object Identifiers).
// SNMP VERSIONS
v1 — original, community string auth, insecure
v2c — faster, still community string
v3 — authentication + encryption, use this in production
// COMMUNITY STRINGS
Used in v1/v2c as a password. Default is often public (read) or private (write). Always change defaults — these are frequently exploited.
| OPERATION | DIRECTION | DESCRIPTION |
|---|---|---|
| GET | Manager → Agent | Retrieve a specific OID value |
| GET-NEXT | Manager → Agent | Retrieve the next OID in the MIB tree |
| GET-BULK | Manager → Agent | Retrieve large blocks of data (v2c+) |
| SET | Manager → Agent | Write a value to the agent |
| RESPONSE | Agent → Manager | Reply to GET/SET requests |
| TRAP | Agent → Manager | Unsolicited alert sent by agent (port 162) |
| INFORM | Agent → Manager | Acknowledged trap (v2c+) |
| WALK | Manager → Agent | Traverse entire MIB subtree |
Security note: SNMPv1 and v2c send community strings in plain text. Never expose SNMP to the internet. Use SNMPv3 with authPriv security level for production environments.
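A defender-side check for the community-string and SNMPv3 advice above, as an added example (not part of the original cheat sheet): it scans a Net-SNMP `snmpd.conf` for `rocommunity`/`rwcommunity` lines (v1/v2c, plaintext), flags the default strings `public` and `private` and communities with no source restriction, and flags `rouser`/`rwuser` entries below the `priv` (authPriv) level. The sample config is constructed; the `Finding` type and function names are my own.

```python
from dataclasses import dataclass

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
V3_USER_DIRECTIVES = {"rouser", "rwuser"}

# Constructed sample snmpd.conf for the demonstration below.
SAMPLE_CONF = """\
# constructed example - not a real device config
rocommunity public
rwcommunity private 192.168.1.0/24
rocommunity  monitor 10.0.0.5
rouser nmsadmin priv
rwuser ops
"""


@dataclass
class Finding:
    line_no: int
    severity: str
    message: str


def audit_snmpd_conf(text: str) -> list:
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # assumes no '#' inside community strings
        if not line:
            continue
        directive, *args = line.split()
        directive = directive.lower()
        if directive in COMMUNITY_DIRECTIVES:
            community = args[0] if args else ""
            access = "write" if directive.startswith("rw") else "read"
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(Finding(n, "high", f"default {access} community '{community}'"))
            else:
                findings.append(Finding(n, "medium", f"v1/v2c {access} community sent in plaintext"))
            # Net-SNMP: second argument is the allowed source; absent or 'default' = any host
            if len(args) < 2 or args[1].lower() == "default":
                findings.append(Finding(n, "medium", "community not restricted to a source address"))
        elif directive in V3_USER_DIRECTIVES:
            level = args[1].lower() if len(args) > 1 else "auth"   # Net-SNMP default level
            if level != "priv":
                findings.append(Finding(n, "medium", f"SNMPv3 user '{args[0]}' at {level}; use priv (authPriv)"))
    return findings


if __name__ == "__main__":
    for f in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {f.line_no}: [{f.severity}] {f.message}")
```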
// SNMP Commands
Install SNMP tools on Linux: apt install snmp snmpd snmp-mibs-downloader
```bash
# Walk entire MIB tree (v2c)
snmpwalk -v2c -c public 192.168.1.1

# Walk specific OID subtree
snmpwalk -v2c -c public 192.168.1.1 system
snmpwalk -v2c -c public 192.168.1.1 interfaces
snmpwalk -v2c -c public 192.168.1.1 1.3.6.1.2.1.1

# Walk with SNMPv3
snmpwalk -v3 -l authPriv -u admin -a SHA -A authpass -x AES -X privpass 192.168.1.1

# Get system description
snmpget -v2c -c public 192.168.1.1 sysDescr.0

# Get system uptime
snmpget -v2c -c public 192.168.1.1 sysUpTime.0

# Get hostname
snmpget -v2c -c public 192.168.1.1 sysName.0

# Get interface speed by OID
snmpget -v2c -c public 192.168.1.1 1.3.6.1.2.1.2.2.1.5.1

# Set a value (requires write community)
snmpset -v2c -c private 192.168.1.1 sysName.0 s "NewHostname"

# Bulk walk (faster than snmpwalk)
snmpbulkwalk -v2c -c public 192.168.1.1 interfaces

# Test SNMP connectivity
snmpstatus -v2c -c public 192.168.1.1

# Translate OID to human-readable
snmptranslate 1.3.6.1.2.1.1.1.0
snmptranslate -On sysDescr.0    # reverse: name to OID
```
| USEFUL OID | NAME | DESCRIPTION |
|---|---|---|
| 1.3.6.1.2.1.1.1.0 | sysDescr | System description / OS info |
| 1.3.6.1.2.1.1.3.0 | sysUpTime | System uptime in timeticks |
| 1.3.6.1.2.1.1.5.0 | sysName | Hostname of the device |
| 1.3.6.1.2.1.1.6.0 | sysLocation | Physical location string |
| 1.3.6.1.2.1.2.1.0 | ifNumber | Number of network interfaces |
| 1.3.6.1.2.1.2.2.1.2 | ifDescr | Interface name (eth0, etc.) |
| 1.3.6.1.2.1.2.2.1.10 | ifInOctets | Bytes received on interface |
| 1.3.6.1.2.1.2.2.1.16 | ifOutOctets | Bytes sent on interface |
| 1.3.6.1.4.1 | enterprises | Vendor-specific MIBs |
// Diagnostic Tools
```bash
# Ping & reachability
ping -c 4 8.8.8.8                 # 4 ICMP echo requests
ping -i 0.2 -c 10 192.168.1.1     # fast ping every 0.2s
ping6 ::1                         # ping IPv6 loopback

# Traceroute
traceroute 8.8.8.8                # trace path to host
traceroute -n 8.8.8.8             # no DNS resolution (faster)
mtr 8.8.8.8                       # live traceroute + ping combined
mtr --report 8.8.8.8              # generate report and exit

# DNS diagnostics
dig google.com                    # full DNS query
dig google.com A                  # A record only
dig google.com MX                 # mail records
dig google.com NS                 # nameserver records
dig +short google.com             # short answer only
dig @8.8.8.8 google.com           # query specific DNS server
nslookup google.com               # simple DNS lookup

# Port & connection checking
nc -zv 192.168.1.1 80             # test if port is open (netcat)
nc -zv 192.168.1.1 20-25          # test port range
telnet 192.168.1.1 80             # manual port test
curl -v https://example.com       # full HTTP request with headers

# Packet capture
tcpdump -i eth0                   # capture on interface
tcpdump -i eth0 port 80           # filter by port
tcpdump -i eth0 host 8.8.8.8      # filter by host
tcpdump -w capture.pcap           # save to file (open in Wireshark)
tcpdump -r capture.pcap           # read saved capture
```
// Firewall — iptables & ufw
```bash
ufw status                        # show firewall status
ufw enable                        # enable firewall
ufw disable                       # disable firewall
ufw allow 22                      # allow SSH
ufw allow 80/tcp                  # allow HTTP
ufw allow from 192.168.1.0/24     # allow entire subnet
ufw deny 23                       # block Telnet
ufw delete allow 80               # remove a rule
ufw reset                         # reset all rules
```

```bash
iptables -L -n -v                                  # list all rules verbose
iptables -A INPUT -p tcp --dport 22 -j ACCEPT      # allow SSH in
iptables -A INPUT -p tcp --dport 80 -j ACCEPT      # allow HTTP in
iptables -A INPUT -j DROP                          # drop all other inbound
iptables -D INPUT 1                                # delete rule 1 from INPUT chain
iptables -F                                        # flush (clear) all rules
iptables-save                                      # save current rules
iptables-restore                                   # restore saved rules
```
Warning: Dropping all INPUT traffic with iptables before allowing SSH will lock you out of a remote server. Always add your allow rules before a default DROP.
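A pre-flight check for the lockout warning above, as an added example (not part of the original cheat sheet): it reads `iptables-save` style output, walks the INPUT chain in order, and reports whether a catch-all DROP/REJECT appears before any ACCEPT for port 22 (lockout risk) and which rules sit after the catch-all and can never match. Both rule dumps are constructed; function names are my own, and multiport matches (`--dports`) are not handled.

```python
import re

SSH_PORT = 22

# Constructed iptables-save dumps: the first reproduces the mistake the warning describes.
BAD_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

FIXED_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
COMMIT
"""


def parse_input_rules(dump: str) -> list:
    """INPUT chain rules in order as (match criteria, target); other chains are ignored."""
    rules = []
    for line in dump.splitlines():
        line = line.strip()
        if not line.startswith("-A INPUT"):
            continue
        m = re.search(r"\s-j\s+(\S+)", line)
        target = m.group(1) if m else None
        matches = re.sub(r"\s-j\s+\S+.*$", "", line[len("-A INPUT"):]).strip()
        rules.append((matches, target))
    return rules


def check_input_chain(dump: str) -> dict:
    rules = parse_input_rules(dump)
    catch_all_at, ssh_allowed_before, unreachable = None, False, []
    for i, (matches, target) in enumerate(rules, 1):
        if catch_all_at is not None:        # everything after a catch-all never matches
            unreachable.append(i)
        elif matches == "" and target in ("DROP", "REJECT"):
            catch_all_at = i
        elif target == "ACCEPT" and re.search(rf"--dport {SSH_PORT}\b", matches):
            ssh_allowed_before = True
    return {
        "catch_all_drop_at": catch_all_at,
        "lockout_risk": catch_all_at is not None and not ssh_allowed_before,
        "unreachable_rules": unreachable,
    }
```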
// Common Ports Reference
| PORT | PROTOCOL | SERVICE | NOTES |
|---|---|---|---|
| 20/21 | TCP | FTP | Data / control — unencrypted |
| 22 | TCP | SSH / SFTP | Encrypted remote access |
| 23 | TCP | Telnet | Unencrypted — avoid |
| 25 | TCP | SMTP | Email relay |
| 53 | UDP/TCP | DNS | UDP for queries, TCP for zone transfers |
| 67/68 | UDP | DHCP | Server/client |
| 80 | TCP | HTTP | Unencrypted web |
| 110 | TCP | POP3 | Email retrieval |
| 123 | UDP | NTP | Time sync |
| 143 | TCP | IMAP | Email retrieval |
| 161/162 | UDP | SNMP | Queries / traps |
| 389 | TCP | LDAP | Directory services |
| 443 | TCP | HTTPS | TLS encrypted web |
| 445 | TCP | SMB | Windows file sharing |
| 3306 | TCP | MySQL | Database |
| 3389 | TCP | RDP | Windows remote desktop |
| 5432 | TCP | PostgreSQL | Database |
| 6379 | TCP | Redis | In-memory data store |
| 8080 | TCP | HTTP-alt | Common dev/proxy port |
| 8443 | TCP | HTTPS-alt | Alternative HTTPS |