Network Protocols#

Reference of network protocols an operator works with daily, organized by OSI / TCP-IP layer with notes on default ports, encryption posture, and quirks. Pairs with Ports for port-by-number lookup.

The stack#

Layer

Name

Protocols

7

Application

HTTP, DNS, TLS, SSH, SMTP, FTP

6

Presentation

TLS / SSL framing, MIME

5

Session

NetBIOS, RPC sessions

4

Transport

TCP, UDP, QUIC, SCTP, DCCP

3

Network

IPv4, IPv6, ICMP, ICMPv6, IPsec, GRE

2

Data link

Ethernet, ARP, 802.1Q VLAN, MPLS, PPP

1

Physical

copper, fiber, radio

Layer 4 transport#

Protocol

Notes

TCP

connection-oriented; 3-way handshake; reliable; ordered; congestion control (Reno / CUBIC / BBR).

UDP

connectionless; datagram; unreliable; basis of QUIC, DNS, DHCP, NTP, RTP, gaming.

QUIC

UDP-based; reliable streams + 0-RTT + integrated TLS 1.3. Foundation of HTTP/3.

SCTP

multi-stream + multi-homing; SS7-over-IP, WebRTC.

DCCP

congestion-controlled UDP; rare.

Layer 3 network#

Protocol

Notes

IPv4

32-bit addresses; ~4 B addr space; CIDR notation.

IPv6

128-bit addresses; SLAAC; no broadcast.

ICMP

ping (echo), unreachable, redirect, time exceeded; types listed in RFC 792.

ICMPv6

ND, RA, MLD, and ICMPv4 equivalents.

IPsec (AH / ESP)

authentication / encryption; transport / tunnel mode.

GRE

generic tunneling; pre-IPsec.

VXLAN

L2-over-UDP overlay; 24-bit VNI.

MPLS

label-switched paths; carrier backbone.

DNS#

Concept

Notes

Records

A, AAAA, CNAME, MX, TXT, NS, SOA, PTR, SRV, CAA, DNSKEY, DS, RRSIG, NSEC / NSEC3, DNAME, ALIAS / ANAME (cloud-vendor), TLSA, SSHFP, CERT.

Ports

53/udp + 53/tcp (axfr / large queries); 853 DoT; 443 DoH; 8853 DoQ; 5353 mDNS.

Resolvers

recursive (8.8.8.8, 1.1.1.1, 9.9.9.9), root, TLD, authoritative, sinkhole.

DNSSEC

DNSKEY + RRSIG + DS chain of trust; KeyTrap CVE-2023-50387.

DoH / DoT / DoQ

DNS over HTTPS / TLS / QUIC.

EDNS0 / Client Subn et

ECS leaks client subnet to authoritative.

DNS over Tor

dns.tor (rare); OnioNS.

DNS amplification

the classic DDoS reflector.

DGA

domain generation algorithms (malware C2).

Punycode / IDN

unicode-encoded domain names.

HTTP / HTTPS#

Concept

Notes

HTTP/1.0 / 1.1

text-based; one request per connection (1.0) or keepalive (1.1); pipelining theoretical.

HTTP/2

binary framing; multiplexed streams; header compression (HPACK).

HTTP/3

over QUIC (UDP); QPACK headers; eliminates HoL blocking.

TLS 1.2 / 1.3

TLS 1.0 / 1.1 deprecated 2021; modern is 1.3.

mTLS

client certs; common in service-mesh.

WebSockets

long-lived bidirectional channel over HTTP-upgrade.

SSE

Server-Sent Events; one-way streaming.

Webhooks

outbound HTTP push from one service to another.

gRPC

HTTP/2 + Protobuf.

GraphQL

single endpoint; query language; HTTP transport.

REST

resource-oriented; URLs map to nouns; verbs from HTTP.

WebDAV

HTTP extensions for collaborative editing.

Mail#

Protocol

Notes

SMTP

25 (server-to-server), 587 (submission), 465 (SMTPS).

SMTP STARTTLS

opportunistic encryption.

IMAP

143 (cleartext), 993 (TLS); read mail.

POP3

110 / 995 (TLS); legacy.

MX

mail exchanger DNS record.

SPF

TXT record for authorized senders.

DKIM

DNS-published signing key; DMARC alignment.

DMARC

policy + reporting on SPF/DKIM alignment.

ARC

forwarded-mail authentication chain.

BIMI

logo display (with VMC); requires DMARC enforcement.

TLS-RPT

TLS-reporting policy.

MTA-STS

enforce TLS to a domain.

File transfer#

Protocol

Notes

FTP

21 control + 20 data (active) or PASV (passive); cleartext.

FTPS

explicit (AUTH TLS) or implicit (990).

SFTP

SSH subsystem (22).

SCP

SSH; deprecated in OpenSSH 9 in favor of SFTP.

HTTP / HTTPS

the dominant modern transport.

WebDAV

over HTTP / HTTPS.

TFTP

69 udp; cleartext; PXE boot.

rsync

873 (daemon mode) or over SSH; delta sync.

Aspera

UDP-accelerated; commercial.

Remote access#

Protocol

Notes

SSH

22; key + password + cert auth; port-forward (-L / -R / -D).

RDP

3389; Microsoft remote desktop.

VNC

5900-590N; cleartext unless tunneled.

TeamViewer

proxied through TV servers.

AnyDesk, Splashtop

similar SaaS.

ScreenConnect

Connectwise.

WireGuard

UDP; modern VPN.

OpenVPN

1194; longstanding VPN.

IPsec / IKEv2

enterprise VPN.

L2TP / PPTP

legacy; deprecated.

SoftEther

multi-protocol.

SSH ProxyCommand

stack jump-hosts.

mosh

UDP-based persistent SSH.

Active Directory / Windows#

Protocol

Notes

SMB / CIFS

445; file sharing; named pipes; auth = NTLM / Kerberos.

NetBIOS

137 / 138 / 139; legacy name resolution + sessions.

LDAP / LDAPS

389 / 636; directory; AD bind; mTLS-protected via 636.

Kerberos

88 (UDP/TCP); 464 (kpasswd); ticket-based auth.

RPC

135 endpoint mapper + dynamic high ports.

WinRM

5985 (HTTP) / 5986 (HTTPS); PowerShell remoting.

DCERPC

endpoint mapper + uuid-bound services.

WMI

RPC-based; control + telemetry.

ADCS

Active Directory Certificate Services; HTTP enrollment + LDAP.

RPC-over-HTTPS

Outlook anywhere.

Time / sync#

Protocol

Notes

NTP

123 udp; pool.ntp.org; SNTP simplified.

PTP / IEEE 1588

sub-microsecond LAN sync.

NTS

Network Time Security; TLS-protected NTP.

Industrial / IoT#

Protocol

Notes

Modbus TCP

502; long-standing PLC protocol; cleartext.

DNP3

20000; SCADA.

EtherNet/IP

44818 / 2222; Rockwell Allen-Bradley.

PROFINET

Siemens.

S7Comm

102; Siemens S7.

BACnet

47808; building automation.

OPC UA

4840 (binary), 4843 (TLS); modern industrial.

MQTT

1883 / 8883 (TLS); IoT pub/sub.

CoAP

5683 / 5684 (DTLS); IoT REST-over-UDP.

LoRaWAN

433 / 868 / 915 MHz radio + UDP backhaul.

Zigbee, Z-Wave

home / building.

Routing / management#

Protocol

Notes

BGP

179 tcp; the internet’s exterior routing.

OSPF

89 (proto); intra-AS link-state.

IS-IS

1195 / 891; ISP intra-AS.

RIP / RIPv2

520; legacy.

SNMP

161 / 162 trap; v1 / v2c plaintext, v3 authenticated.

Syslog

514 udp / tcp; structured 5424 + relp.

NetFlow / sFlow / I PFIX

flow-export.

RADIUS

1812 / 1813; AAA.

TACACS+

49; Cisco AAA.

Operator notes#

  • Default ports change, treat 443 as “HTTPS” only by convention; many services use it for tunnelling.

  • Encryption status, many “modern” deployments still ship cleartext fallback (FTP, Telnet, plain SMTP submission). Audit ports against expected TLS state.

  • Service discovery, masscan + zmap then nmap service detection is the typical funnel.

  • Application-layer detection, JA3 / JA4 (TLS), HTTP/2 fingerprinting (Akamai), and behavioral patterns identify clients regardless of stated User-Agent.

  • DPI, enterprise / state firewalls inspect SNI / TLS ClientHello; ECH (Encrypted Client Hello) emerging response.

  • Tunnels, protocols hide inside DNS, HTTPS, ICMP, NTP, SMB; treat unexpected fan-out from a host as suspect.

References#