Network Protocols#
Reference of network protocols an operator works with daily, organized by OSI / TCP-IP layer with notes on default ports, encryption posture, and quirks. Pairs with Ports for port-by-number lookup.
The stack#
Layer |
Name |
Protocols |
|---|---|---|
7 |
Application |
HTTP, DNS, TLS, SSH, SMTP, FTP |
6 |
Presentation |
TLS / SSL framing, MIME |
5 |
Session |
NetBIOS, RPC sessions |
4 |
Transport |
TCP, UDP, QUIC, SCTP, DCCP |
3 |
Network |
IPv4, IPv6, ICMP, ICMPv6, IPsec, GRE |
2 |
Data link |
Ethernet, ARP, 802.1Q VLAN, MPLS, PPP |
1 |
Physical |
copper, fiber, radio |
Layer 4 transport#
Protocol |
Notes |
|---|---|
TCP |
connection-oriented; 3-way handshake; reliable; ordered; congestion control (Reno / CUBIC / BBR). |
UDP |
connectionless; datagram; unreliable; basis of QUIC, DNS, DHCP, NTP, RTP, gaming. |
QUIC |
UDP-based; reliable streams + 0-RTT + integrated TLS 1.3. Foundation of HTTP/3. |
SCTP |
multi-stream + multi-homing; SS7-over-IP, WebRTC. |
DCCP |
congestion-controlled UDP; rare. |
Layer 3 network#
Protocol |
Notes |
|---|---|
IPv4 |
32-bit addresses; ~4 B addr space; CIDR notation. |
IPv6 |
128-bit addresses; SLAAC; no broadcast. |
ICMP |
ping (echo), unreachable, redirect, time exceeded; types listed in RFC 792. |
ICMPv6 |
ND, RA, MLD, and ICMPv4 equivalents. |
IPsec (AH / ESP) |
authentication / encryption; transport / tunnel mode. |
GRE |
generic tunneling; pre-IPsec. |
VXLAN |
L2-over-UDP overlay; 24-bit VNI. |
MPLS |
label-switched paths; carrier backbone. |
DNS#
Concept |
Notes |
|---|---|
Records |
A, AAAA, CNAME, MX, TXT, NS, SOA, PTR, SRV, CAA, DNSKEY, DS, RRSIG, NSEC / NSEC3, DNAME, ALIAS / ANAME (cloud-vendor), TLSA, SSHFP, CERT. |
Ports |
53/udp + 53/tcp (axfr / large queries); 853 DoT; 443 DoH; 8853 DoQ; 5353 mDNS. |
Resolvers |
recursive (8.8.8.8, 1.1.1.1, 9.9.9.9), root, TLD, authoritative, sinkhole. |
DNSSEC |
DNSKEY + RRSIG + DS chain of trust; KeyTrap CVE-2023-50387. |
DoH / DoT / DoQ |
DNS over HTTPS / TLS / QUIC. |
EDNS0 / Client Subn et |
ECS leaks client subnet to authoritative. |
DNS over Tor |
|
DNS amplification |
the classic DDoS reflector. |
DGA |
domain generation algorithms (malware C2). |
Punycode / IDN |
unicode-encoded domain names. |
HTTP / HTTPS#
Concept |
Notes |
|---|---|
HTTP/1.0 / 1.1 |
text-based; one request per connection (1.0) or keepalive (1.1); pipelining theoretical. |
HTTP/2 |
binary framing; multiplexed streams; header compression (HPACK). |
HTTP/3 |
over QUIC (UDP); QPACK headers; eliminates HoL blocking. |
TLS 1.2 / 1.3 |
TLS 1.0 / 1.1 deprecated 2021; modern is 1.3. |
mTLS |
client certs; common in service-mesh. |
WebSockets |
long-lived bidirectional channel over HTTP-upgrade. |
SSE |
Server-Sent Events; one-way streaming. |
Webhooks |
outbound HTTP push from one service to another. |
gRPC |
HTTP/2 + Protobuf. |
GraphQL |
single endpoint; query language; HTTP transport. |
REST |
resource-oriented; URLs map to nouns; verbs from HTTP. |
WebDAV |
HTTP extensions for collaborative editing. |
Mail#
Protocol |
Notes |
|---|---|
SMTP |
25 (server-to-server), 587 (submission), 465 (SMTPS). |
SMTP STARTTLS |
opportunistic encryption. |
IMAP |
143 (cleartext), 993 (TLS); read mail. |
POP3 |
110 / 995 (TLS); legacy. |
MX |
mail exchanger DNS record. |
SPF |
TXT record for authorized senders. |
DKIM |
DNS-published signing key; DMARC alignment. |
DMARC |
policy + reporting on SPF/DKIM alignment. |
ARC |
forwarded-mail authentication chain. |
BIMI |
logo display (with VMC); requires DMARC enforcement. |
TLS-RPT |
TLS-reporting policy. |
MTA-STS |
enforce TLS to a domain. |
File transfer#
Protocol |
Notes |
|---|---|
FTP |
21 control + 20 data (active) or PASV (passive); cleartext. |
FTPS |
explicit (AUTH TLS) or implicit (990). |
SFTP |
SSH subsystem (22). |
SCP |
SSH; deprecated in OpenSSH 9 in favor of SFTP. |
HTTP / HTTPS |
the dominant modern transport. |
WebDAV |
over HTTP / HTTPS. |
TFTP |
69 udp; cleartext; PXE boot. |
rsync |
873 (daemon mode) or over SSH; delta sync. |
Aspera |
UDP-accelerated; commercial. |
Remote access#
Protocol |
Notes |
|---|---|
SSH |
22; key + password + cert auth; port-forward (-L / -R / -D). |
RDP |
3389; Microsoft remote desktop. |
VNC |
5900-590N; cleartext unless tunneled. |
TeamViewer |
proxied through TV servers. |
AnyDesk, Splashtop |
similar SaaS. |
ScreenConnect |
Connectwise. |
WireGuard |
UDP; modern VPN. |
OpenVPN |
1194; longstanding VPN. |
IPsec / IKEv2 |
enterprise VPN. |
L2TP / PPTP |
legacy; deprecated. |
SoftEther |
multi-protocol. |
SSH ProxyCommand |
stack jump-hosts. |
mosh |
UDP-based persistent SSH. |
Active Directory / Windows#
Protocol |
Notes |
|---|---|
SMB / CIFS |
445; file sharing; named pipes; auth = NTLM / Kerberos. |
NetBIOS |
137 / 138 / 139; legacy name resolution + sessions. |
LDAP / LDAPS |
389 / 636; directory; AD bind; mTLS-protected via 636. |
Kerberos |
88 (UDP/TCP); 464 (kpasswd); ticket-based auth. |
RPC |
135 endpoint mapper + dynamic high ports. |
WinRM |
5985 (HTTP) / 5986 (HTTPS); PowerShell remoting. |
DCERPC |
endpoint mapper + uuid-bound services. |
WMI |
RPC-based; control + telemetry. |
ADCS |
Active Directory Certificate Services; HTTP enrollment + LDAP. |
RPC-over-HTTPS |
Outlook anywhere. |
Time / sync#
Protocol |
Notes |
|---|---|
NTP |
123 udp; pool.ntp.org; SNTP simplified. |
PTP / IEEE 1588 |
sub-microsecond LAN sync. |
NTS |
Network Time Security; TLS-protected NTP. |
Industrial / IoT#
Protocol |
Notes |
|---|---|
Modbus TCP |
502; long-standing PLC protocol; cleartext. |
DNP3 |
20000; SCADA. |
EtherNet/IP |
44818 / 2222; Rockwell Allen-Bradley. |
PROFINET |
Siemens. |
S7Comm |
102; Siemens S7. |
BACnet |
47808; building automation. |
OPC UA |
4840 (binary), 4843 (TLS); modern industrial. |
MQTT |
1883 / 8883 (TLS); IoT pub/sub. |
CoAP |
5683 / 5684 (DTLS); IoT REST-over-UDP. |
LoRaWAN |
433 / 868 / 915 MHz radio + UDP backhaul. |
Zigbee, Z-Wave |
home / building. |
Routing / management#
Protocol |
Notes |
|---|---|
BGP |
179 tcp; the internet’s exterior routing. |
OSPF |
89 (proto); intra-AS link-state. |
IS-IS |
1195 / 891; ISP intra-AS. |
RIP / RIPv2 |
520; legacy. |
SNMP |
161 / 162 trap; v1 / v2c plaintext, v3 authenticated. |
Syslog |
514 udp / tcp; structured 5424 + relp. |
NetFlow / sFlow / I PFIX |
flow-export. |
RADIUS |
1812 / 1813; AAA. |
TACACS+ |
49; Cisco AAA. |
Operator notes#
Default ports change, treat
443as “HTTPS” only by convention; many services use it for tunnelling.Encryption status, many “modern” deployments still ship cleartext fallback (FTP, Telnet, plain SMTP submission). Audit ports against expected TLS state.
Service discovery,
masscan+zmapthennmapservice detection is the typical funnel.Application-layer detection, JA3 / JA4 (TLS), HTTP/2 fingerprinting (Akamai), and behavioral patterns identify clients regardless of stated User-Agent.
DPI, enterprise / state firewalls inspect SNI / TLS ClientHello; ECH (Encrypted Client Hello) emerging response.
Tunnels, protocols hide inside DNS, HTTPS, ICMP, NTP, SMB; treat unexpected fan-out from a host as suspect.
References#
Ports, per-port lookup.
Security Tools, tools that interact with these.
Hacking, attacks targeting these protocols.
IDS Rules, IDS rule format.