@rbento
Last active March 11, 2022 03:34
My notes on computer networks

Computer Networking

High-level descriptions of computer network topics.

Networking Protocols

ARP (Address Resolution Protocol)


When a device needs to send information to another device on the same L2 network and only knows its L3 IP address, a lookup process is required to find the L2 address.

  • Maps L3 IP addresses to L2 MAC addresses.
  • If a host wants to send packets to a neighbor on the same layer two segment, it will need to ARP for the neighbor's address.
  • If a router needs to forward packets to another router, the next hop router's IP will need to be ARPed, since the information is transferred via the directly connected subnet.
  • Is a request and response system.
  • The host consults its ARP cache (IP to MAC table) for the target host.
  • If the target is not in the cache, an ARP broadcast is sent.
  • Can be used for duplicate IP detection.
  • Gratuitous ARPs should be filtered as they could potentially enable a man-in-the-middle attack.
  • Inverse ARP is used to determine the L3 IP address based on the L2 MAC address.
  • Can be bypassed by maintaining a static IP-to-MAC address table on the host.
  • Was deprecated in IPv6 in favor of IPv6's own L2 resolution mechanism.
  • Is used extensively when troubleshooting L1 to L2 issues.
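
Added example (not from the original notes): a small Python ARP decoder and monitor that applies the two points above, dropping gratuitous ARPs and flagging duplicate-IP claims against a first-seen IP-to-MAC table. The packets, MACs and the 10.3.25.0/24 addresses are constructed for the example.

```python
import struct
from collections import namedtuple
# ARP body as carried after the Ethernet header (RFC 826, IPv4 over Ethernet): 28 bytes.
ARP_FMT = "!HHBBH6s4s6s4s"
REQUEST, REPLY = 1, 2
Arp = namedtuple("Arp", "op sha spa tha tpa")   # sender/target hardware and protocol addresses

def parse_arp(payload):
    """Decode the 28-byte ARP payload into opcode, sender MAC/IP and target MAC/IP."""
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    return Arp(op, sha.hex(":"), ".".join(map(str, spa)), tha.hex(":"), ".".join(map(str, tpa)))

def is_gratuitous(a):
    """A gratuitous ARP announces the sender's own IP: sender IP equals target IP."""
    return a.spa == a.tpa

class ArpMonitor:
    """IP -> MAC table that keeps the first-seen binding and flags anything that contradicts it."""
    def __init__(self):
        self.table, self.alerts = {}, []

    def observe(self, a):
        if is_gratuitous(a):
            # Filtered: unsolicited announcements are what rewrites a neighbor's cache.
            self.alerts.append(f"gratuitous ARP from {a.sha} for {a.spa} dropped")
            return
        known = self.table.get(a.spa)
        if known and known != a.sha:
            self.alerts.append(f"duplicate IP {a.spa}: {known} vs {a.sha}")
            return                                   # keep the original binding
        self.table[a.spa] = a.sha

def build_arp(op, sha, spa, tha, tpa):
    """Encode an ARP packet; used here only to construct sample traffic."""
    mac, ip = (lambda s: bytes.fromhex(s.replace(":", ""))), (lambda s: bytes(map(int, s.split("."))))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))

# Constructed sample: a normal request/reply for the gateway, then two attempts to claim its IP.
SAMPLE = [
    build_arp(REQUEST, "aa:bb:cc:00:00:10", "10.3.25.10", "00:00:00:00:00:00", "10.3.25.1"),
    build_arp(REPLY, "aa:bb:cc:00:00:01", "10.3.25.1", "aa:bb:cc:00:00:10", "10.3.25.10"),
    build_arp(REPLY, "de:ad:be:ef:00:99", "10.3.25.1", "ff:ff:ff:ff:ff:ff", "10.3.25.1"),
    build_arp(REPLY, "de:ad:be:ef:00:99", "10.3.25.1", "aa:bb:cc:00:00:10", "10.3.25.10"),
]

def monitor(packets=SAMPLE):
    m = ArpMonitor()
    for p in packets:
        m.observe(parse_arp(p))
    return m
```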

ICMP (Internet Control Message Protocol)


IGMP (Internet Group Management Protocol)


  • It is used by IPv4 hosts only.

DNS (Domain Name System)


  • Hierarchical distributed system.

  • Translates domain names into IP addresses.

  • The host checks its DNS cache first.

  • The host must have designated DNS servers.

Resolution
  • UDP requests on port 53 are made to the DNS server.

  • The root hints file maps root DNS servers to IPs.

  • The root server will point to the top-level domain (TLD) server (.com, .net, .org).

  • The TLD directs the host to the start of authority (SOA).

  • The SOA is the originating server for a domain.

  • Query the authoritative DNS server (SOA).

  • The returned IP is cached by the DNS server and the host.

  • The DNS cache entry expires after a given TTL (5 min to 24 h).

  • Record types that can be queried: A, CNAME, MX

    • A - Maps a host name to an IP address.
    • CNAME (Canonical Name) - An alias pointing to another DNS host name (a different A record) for resolution.
    • MX - Locates a mail exchanger (email server).
  • Reverse lookup takes an IP and resolves it to a domain name.

  • Resolves traceroute hops.

  • Verifies email servers.
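
Added example, not part of the original notes: Python that builds the UDP/53 query described above and parses a response (including name-compression pointers) into A and CNAME answers with their TTLs, the values a cache would keep. The response bytes and the 192.0.2.1 address are constructed for the example.

```python
import random, struct
TYPES = {1: "A", 5: "CNAME", 15: "MX"}

def encode_name(name):
    # "www.example.com" -> b"\x03www\x07example\x03com\x00" (length-prefixed labels)
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\0"

def build_query(name, qtype=1, xid=None):
    """Header (id, flags with RD=1, one question) + question section: the UDP/53 payload."""
    xid = random.randrange(65536) if xid is None else xid
    return struct.pack("!HHHHHH", xid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def read_name(msg, off):
    """Decode a name that may use compression pointers; returns (name, offset just past it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # pointer into an earlier part of the message
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln

def parse_response(msg):
    """Return (id, rcode, answers); each answer is (name, type, ttl, rdata)."""
    xid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip the echoed question(s)
        off = read_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1:
            rdata = ".".join(map(str, rdata))      # dotted-quad IPv4
        elif rtype == 5:
            rdata = read_name(msg, off)[0]         # CNAME target, itself possibly compressed
        off += rdlen
        answers.append((name, TYPES.get(rtype, rtype), ttl, rdata))
    return xid, flags & 0xF, answers
# Constructed reply to build_query("www.example.com", xid=0x1234): a CNAME (TTL 300), then the A (TTL 3600).
SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0) + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
          + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, 2) + b"\xc0\x10"
          + b"\xc0\x10" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1]))
```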

NetBIOS (Network Basic Input/Output System)


  • Operates at L5.
  • NBT = NetBIOS over TCP/IP.
  • Implements a name service for name registration and resolution using TCP/UDP port 137.
  • Datagram distribution service for connectionless communication using UDP port 138.
  • Session service for connection-oriented communication using TCP port 139.
NetBIOS Naming Service
  • Allows applications to register a 15-character name on the network.
  • This name repository is called WINS by Microsoft.
  • Packet format is the same as DNS.
  • Datagrams are sent via UDP, making it a connectionless process.
Session Mode
  • Creates a TCP connection between hosts for larger messages, error detection, and recovery.

HTTP (Hypertext Transfer Protocol)


  • TCP port 80.
  • Designed as a plain-text protocol to transfer hypertext.
  • Defined in RFC 2616 (1999).
  • Client/Server, Request/Response.
User Agent
  • Any application that accesses web content.
Cache
  • Keeps copies of web content for quick response.
Proxy servers
  • Sit at the edge to filter and cache content.
URL (Uniform Resource Locator)
  • Locates resources, which are collected through a single connection.
Authentication
  • Several challenge and response mechanisms.
  • Grants access to multiple authentication scopes under a single URL.
Request Methods
  • GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS

  • The first line of an HTTP response is the status line which includes a status code and a reason phrase.

HTTP Statuses
  • Information 1XX.
  • Successful 2XX.
  • Redirection 3XX.
  • Client Error 4XX.
  • Server Error 5XX.

HTTPS (Secured)


  • A method to encrypt standard HTTP traffic.
  • Applied at L7 of the OSI model.
  • Encrypts HTTP with TLS (Transport Layer Security) or SSL (Secure Sockets Layer).
  • Encryption protects against MITM attacks and interception of sensitive information.
  • Encrypts all info: URL, cookies, and headers.
  • The encryption process utilizes digital certificates, which contain public keys used to encrypt the data.
  • The certificate is issued by a trusted Certificate Authority (CA).
  • Once issued, the certificate is installed on the server.

VoIP (Voice over IP)


  • A method to carry voice traffic digitally over a network.

SIP (Session Initiation Protocol)


  • Signaling and control protocol for communications.
  • Commonly used for voice and video delivery over IP network.
  • Primarily responsible for establishing and terminating communications but not carrying actual voice traffic.
  • Plain text uses TCP/UDP port 5060.
  • TLS uses TCP/UDP port 5061.
  • Packet structure similar to HTTP, including header fields and encoding rules.
  • Resources are marked with a Uniform Resource Identifier (URI) - sip:username:password@host:port
  • End devices that use SIP are called user agents.
  • Proxy acts as both client and server.
  • Proxy accepts requests and forwards to endpoint.
  • SIP between UA and proxy.
  • SIP between gateways.

Gateway


  • A method to connect to other mediums and resources like outside providers or the public switched telephone network (PSTN).

H.323


  • Signaling and control protocol for communication services.
  • TCP/UDP 1718 to 1720.
  • Originally developed to facilitate teleconferencing.
  • Frequently acts as a gateway for VoIP services allowing a phone system to interface with the PSTN.

MGCP (Media Gateway Control Protocol)


  • Plain-text signaling and control.
  • Gateway to PSTN.
  • Little intelligence in gateways.
  • TCP 2428.
  • UDP 2427.

RTP


  • Transfers voice and video traffic.
  • Carries voice for many control protocols.
  • Sends stats to call participants through control protocol.
  • Defined in RFC 3550, revised in 2003.
  • Employs an error concealment algorithm which allows RTP to sustain some packet loss without users noticing.
  • UDP ports 16384-32767.
  • RTP ports are even.
  • RTCP (Real Time Control Protocol) ports are odd.
  • Profile type specifies audio codec.
    • G.711, G.723, G.726, etc.

FTP (File Transfer Protocol)


  • Depends on TCP for reliable delivery.
  • Great for plain-text transmissions.
  • Can also use TLS or SSL to encrypt the sessions.
  • Can run in either active or passive mode.
  • In both modes the session is initiated on port 21.
  • In active mode, the client informs the server on which port the server should connect back to the client.
  • The server then initiates a connection to the client from TCP port 20 for the data transfer.
  • Passive mode should be used when a client is behind a hardware or software firewall that prevents incoming connections.
  • In passive mode the server provides a specific port for the client to connect to.
  • The client then initiates the outbound connection to the data port to start the data transfer.

TFTP (Trivial File Transfer Protocol)


  • Suitable for devices that pull their configuration on boot or as a service for network hardware to transfer firmware and configurations.
  • Used by phones, routers, switches, and many small devices attached to networks.
  • Utilizes UDP port 69 so it is a connectionless service.
  • Due to its light nature, cannot list, rename, delete files or directories.
  • Does not support authentication.
  • By default files are transferred in 512 byte blocks, but larger sizes can be negotiated.
  • Each block is transferred in a single packet.
  • An acknowledgement is sent back after each packet is transferred.
  • If there is no acknowledgement the packet is retransmitted.

SMB (Server Message Block)


  • L7 Protocol used to share files, printers, and serial ports.
  • TCP port 445.
  • Legacy NetBIOS support.
  • Enables Windows file sharing.
  • 19 commands.
  • Multiple commands per request.
  • Open Source implementation known as SAMBA.
  • Linux can act as client/server.
  • Domain controller support.

SSH (Secure Shell)


  • Allows secure remote console access over a network.
  • TCP port 22.
  • Designed to securely replace plain-text methods like telnet.
  • Uses public key cryptography - PKI (Public Key Infrastructure).
  • Public/Private certificate can be generated and installed.
  • The server generates its own certificate.
  • Authentication of user names is often done via accounts on the server being logged into, or via a centralized authentication system for better control.
  • Beyond remote access, it supports tunneling, which allows traffic to be sent securely over an SSH session.
  • An admin can securely transfer files using the SSH File Transfer Protocol, known as SFTP, or Secure Copy, known as SCP.
  • Additional programs are often necessary on a Windows machine.
  • Putty is an open-source SSH client that supports SSH/tunneling.
  • WinSCP is also open-source and provides SCP access.
  • Version 1 of SSH was released in 1995 as freeware and later evolved into a pay-to-play proprietary product.
  • In 1999, developers took the most recent open-source version of it and began to improve it; this became known as OpenSSH.

RDP (Remote Desktop Protocol)


  • Terminal server or terminal services.
  • TCP port 3389.
  • Software interface connection.
  • A standard program in application mode.
  • Installed in Windows since Windows XP.
  • 32-bit color.
  • TLS 128-bit encryption.
  • Audio redirection.
  • File redirection.
  • Printer/port redirection.
  • Clipboard sharing.
  • Terminal Server Gateway.
  • Bandwidth tuning.
  • Multiple monitor support.
  • RemoteFX.
  • Open-source versions for non-windows OS.
  • Browser-based, no client install.
  • Thin clients - remote servers for users.
  • Lower administrative burden.

SNMP (Simple Network Management Protocol)


  • A server collecting data is known as the Manager.
  • The Manager directly runs a network management station.
  • An agent is a software package that will respond to SNMP.
  • An agent runs on the device it monitors.
  • Agents receive requests on specific ports.
    • Requests - UDP 161.
    • Traps sent - UDP 162.
    • TLS requests - UDP 10161.
    • TLS traps sent - UDP 10162.
  • SNMP can be either read-only or read-write.
  • Writing can be used to change informational data or to enable/disable ports on a switch, for instance.
  • Information is polled from agents by asking for specific OIDs. OID for system description: 1.3.6.1.2.1.1.1.
  • OIDs are used as an index into a MIB (Management Information Base).
  • MIBs map hierarchical information about the network using OIDs.
  • MIBs make it easy to add new monitoring points.
  • Traps are messages sent from an agent to a manager when some defined event occurs.
  • SNMP v1 and v2 implement a simple community-based authentication.
  • A community is a plain-text password sent to an agent.
  • Allows administrators to see trends, predict issues and react with speed and confidence.

DHCP (Dynamic Host Configuration Protocol)


  • De facto system for automatically assigning IP addresses to hosts.
  • When a client wants to request an IP, it broadcasts a discovery packet to UDP port 67.
  • When a DHCP server responds to the DHCP discovery packet, it sends a DHCP offer message to the client's MAC address containing the offered IP, subnet mask, lease duration and the IP address of the DHCP server.
  • Server responses are directed to port 68.
  • The client then responds with a DHCP request message requesting the offered address.
  • Finally the server sends a DHCP ack message back to the client containing the requested information.
  • Configured with a pool for each segment of the network.
  • A pool is a range of IP addresses to assign to clients.
  • Each segment is also assigned a default gateway, DNS servers and other options.
  • An unauthorized DHCP server can cause havoc on a network.
  • This can be caused by plugging a wireless router into the network backwards, which then starts handing out addresses with a false path to the network and ends up orphaning clients.
  • DHCP is a race. Whichever server responds first wins.
  • Admins can never quite predict which clients will be affected.
  • A rogue DHCP server can be introduced on a network to perform MITM attacks.
  • This can be prevented using DHCP snooping, which specifies the ports allowed to act as a DHCP server.
  • DHCP starvation attacks may occur when a client connects, requests an IP address, changes its MAC address, rinse and repeat.
  • New clients are then denied IP addresses and fail to join the network.
  • This can be mitigated by employing port security, which allows only a few MAC addresses to appear on a given port.
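
Added example, not part of the original notes: a Python decoder for the DHCP offer described above (offered IP, subnet mask, lease duration and server address carried in the options field), plus a host-side check that the server identifier belongs to a known DHCP server, which complements the switch-side DHCP snooping mentioned above. The offer bytes, MAC and addresses are constructed for the example.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"                 # marks the start of the options field
MSG_TYPE = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
ADDR_OPTS = {1: "subnet_mask", 3: "router", 54: "server_id"}

def parse_dhcp(pkt):
    """Decode the fixed BOOTP header plus the options an OFFER/ACK carries."""
    op, _, hlen, _, xid, _, _ = struct.unpack("!BBBBIHH", pkt[:12])
    yiaddr = socket.inet_ntoa(pkt[16:20])            # "your" address: the IP being offered
    info = {"op": op, "xid": xid, "yiaddr": yiaddr, "chaddr": pkt[28:28 + hlen].hex(":")}
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    i = 240
    while i < len(pkt) and pkt[i] != 255:            # 255 = end of options
        if pkt[i] == 0:                              # 0 = pad byte, no length
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        val = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
        if code == 53:
            info["msg_type"] = MSG_TYPE.get(val[0], val[0])
        elif code == 51:
            info["lease_secs"] = struct.unpack("!I", val)[0]
        elif code == 6:
            info["dns"] = [socket.inet_ntoa(val[j:j + 4]) for j in range(0, ln, 4)]
        elif code in ADDR_OPTS:
            info[ADDR_OPTS[code]] = socket.inet_ntoa(val)
    return info

def is_authorized(info, known_servers):
    """Defender check: an OFFER/ACK whose server identifier is not a known DHCP server is rogue."""
    return info.get("server_id") in known_servers

def build_offer(xid, mac, yiaddr, mask, router, dns, lease, server):
    """Construct a sample OFFER; test data only, not captured traffic."""
    a = socket.inet_aton
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0) + a("0.0.0.0") + a(yiaddr) + a(server) + a("0.0.0.0")
    hdr += bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0") + b"\0" * 192   # chaddr, sname, file
    opts = bytes([53, 1, 2]) + bytes([1, 4]) + a(mask) + bytes([3, 4]) + a(router)
    opts += bytes([6, 4 * len(dns)]) + b"".join(map(a, dns))
    opts += bytes([51, 4]) + struct.pack("!I", lease) + bytes([54, 4]) + a(server) + b"\xff"
    return hdr + MAGIC + opts

SAMPLE_OFFER = build_offer(0x3903F326, "aa:bb:cc:00:00:10", "10.3.25.23", "255.255.255.0",
                           "10.3.25.1", ["10.3.25.2", "8.8.8.8"], 86400, "10.3.25.2")
```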

CLI Tools / Troubleshooting

ipconfig


  • Displays all network interfaces along with IPv4 addresses, IPv6 addresses, subnet mask and default gateway.
  • Any interfaces that are unplugged show as Media State: Media Disconnected.
Display interface info including, MAC addresses
> ipconfig /all

Release/Renew DHCP on a given interface
> ipconfig /release *4*
> ipconfig /renew *4*

View/Flush local DNS cache
> ipconfig /displaydns
> ipconfig /flushdns

ping


  • First step after verifying IP information with ipconfig is to check whether a client can connect to the network or the internet.
Persistently ping the default gateway
> ping -t 10.3.25.1

Ping IP address and resolve to DNS name
> ping -a 8.8.8.8

Ping and adjust the packet size
  • Useful to troubleshoot MTU (Maximum Transmission Unit).
  • Largest packet that the router will forward without fragmentation.
> ping -f -l 1300 8.8.8.8
> ping -f -l 1700 8.8.8.8

tracert


  • Uses ICMP packets to map out the network path.
  • Collects data on any L3 device that responds to ICMP requests.
  • An asterisk means a packet was lost.
  • All asterisks means the device is blocking ICMP.
> tracert google.com

# Skip DNS resolution (faster)
> tracert -d google.com

# Change the max number of hops
> tracert -h 10 google.com

pathping


  • A traceroute with a 25 second ping on each hop.
  • Provides round-trip time and packet loss info.
> pathping google.com

# Change the max number of hops (value required; 10 as in the tracert example)
> pathping -h 10 google.com

# Skips resolution of DNS names
> pathping -n google.com

# Adjusts the number of pings on each hop.
> pathping -q 10 google.com

arp


  • Address Resolution Protocol.
  • Maps L3 IP address to L2 MAC address.
  • Useful for L2 troubleshooting.
  • Check traffic between hosts.
    • The sender checks ARP table/cache.
    • If the destination is in the table, traffic is passed.
    • If no entry exists, an ARP request is sent.
# View ARP cache
> arp -a

# Remove from cache
> arp -d 10.3.25.1

telnet


  • Allows remote administration.
  • Quick way to verify if a TCP session has been established.
  • Helpful troubleshooting tool.
  • Not installed on Windows by default.
  • Install with > dism /online /Enable-Feature /FeatureName:TelnetClient
> telnet google.com 80

netstat


  • Great program for diagnosing port and session issues.
  • Display information on active connections.
  • Applications listening to 0.0.0.0 respond to all requests.
# Displays active connections
> netstat

# Additionally displays listening ports
> netstat -a

# Additionally displays application name
> netstat -ab 

# Additionally displays process id
> netstat -abo 

# Additionally skips DNS resolution on all IPs 
> netstat -abno 

# Look at local routing table
> netstat -r
> route print

# View connection statistics information
> netstat -s

# Additionally specify target protocol and refresh rate in seconds
> netstat -sp ICMP 5

nbtstat


  • Troubleshoot name resolution issues with NetBIOS.
  • Unlikely to be used. DNS is preferred instead.
# List interfaces and their associated name cache tables
> nbtstat -c

# List name table along with the associated MAC address for a remote machine
> nbtstat -A 192.168.0.1

# List any sessions.
> nbtstat -s
