hack3rs.ca network-security
/learning/tcp-ip-dns-http-tls-routing-switching :: module-1

student@hack3rs:~/learning$ open tcp-ip-dns-http-tls-routing-switching

TCP/IP, DNS, HTTP, TLS, Routing and Switching Fundamentals

TCP/IP fundamentals are the baseline for every detection and investigation skill that follows. We walk through how traffic moves, how names resolve, how web sessions are established, and where defenders can observe or control each step.

If you cannot describe a normal TCP handshake, you will misread the logs when a scan comes in. Most network security mistakes trace back to weak protocol knowledge — analysts guess instead of reasoning from what they know about normal behavior. Understanding DNS resolution, TLS negotiation, and HTTP semantics tells you what to look for before something goes wrong.

learning-objectives

  • $Explain packet vs frame vs segment terminology and where each appears in the stack.
  • $Describe all seven OSI layers and map common protocols/telemetry to the correct layer.
  • $Trace a typical web request from DNS resolution through TLS and HTTP response.
  • $Identify key control points: switches, routers, firewalls, reverse proxies, and DNS resolvers.
  • $Recognize what telemetry can be observed before and after encryption.

example-dataflow-and-observation-paths

Trace each step and identify which log or capture point gives you evidence at that stage. Most triage mistakes happen when someone skips a hop and draws conclusions from an incomplete picture.

  • $Client sends a DNS query -> resolver returns an A record -> client opens TCP, sends SYN -> server replies SYN-ACK -> client completes with ACK -> TLS ClientHello starts the negotiation -> encrypted HTTP payload follows.
  • $Frame hits the switch -> forwarded by MAC to the local segment -> IP packet reaches the router -> firewall checks source, dest, port -> allowed traffic continues to the reverse proxy -> proxy forwards to the app server.
  • $Where to look: DNS query log (resolver), netflow/firewall log (connection), PCAP (TLS metadata), web server access log (request), app log (response code and latency).

baseline-normal-before-debugging

  • $A DNS query returns an A or AAAA record in under 50ms and is followed within a second by a TCP SYN to the resolved IP.
  • $A TCP handshake completes SYN -> SYN-ACK -> ACK in under one round-trip time before any application data appears.
  • $A TLS 1.3 handshake adds one extra round-trip after the TCP ACK; after that, only encrypted records are visible on the wire.
Expert tip: Record what normal looks like in your actual environment before you test any edge case. A baseline you measured beats a baseline you assumed every time.

concept-breakdown-and-mastery

1. Protocol Stack and Data Flow

$ core idea: Application data gets wrapped in transport headers (TCP or UDP), then an IP header, then a layer-2 frame before it goes on the wire. Defensive tooling captures at different points in that process, so the same connection might look different in a host log versus a SPAN port capture.

$ defender angle: TCP gives you ordered delivery, retransmission, and flow control — and it gives you state you can observe. A TCP session has a beginning, a teardown, and detectable error conditions. UDP has none of that, which is why DNS, streaming, and some telemetry protocols use it. From a detection standpoint, stateless UDP traffic is harder to reason about because there is no handshake to anchor the conversation.

$ prove understanding: Explain packet vs frame vs segment terminology and where each appears in the stack.

2. OSI Model for Defenders (All 7 Layers, in Practice)

$ core idea: The OSI model is a troubleshooting framework, not just exam trivia. The TCP/IP stack is what actually runs in production, but OSI gives you a clean mental checklist when something breaks or a detection fires: physical medium, local delivery, routing, transport behavior, session state, data encoding, and application logic.

$ defender angle: Layer 1 (Physical) is the cable, fiber, radio, or optical link — signal strength, duplex, interface status. Security teams tend to ignore it until there is packet loss or retransmissions showing up in telemetry. Those same symptoms can mask real attack traffic or make baselines harder to interpret.

$ prove understanding: Describe all seven OSI layers and map common protocols/telemetry to the correct layer.

3. DNS, HTTP, and TLS in a Real Request

$ core idea: A browser visit starts with DNS. The endpoint queries a resolver — local, enterprise, or encrypted — gets an IP, opens a TCP session (or QUIC for HTTP/3), negotiates TLS, then exchanges HTTP requests and responses. Each step leaves different evidence in different places.

$ defender angle: DNS query names, resolver behavior, SNI fields in TLS handshakes, certificate metadata, destination IPs, and timing patterns all remain visible after encryption starts. Detection on encrypted traffic is not impossible — it just shifts from payload analysis to metadata and behavioral patterns.

$ prove understanding: Trace a typical web request from DNS resolution through TLS and HTTP response.

4. Routing, Switching, and Security Visibility

$ core idea: Switches forward frames inside a LAN by MAC address. Routers move packets between networks using routing tables. That distinction matters because SPAN ports, taps, and sensor placement determine which traffic your IDS actually sees — a sensor on the wrong segment is blind to half the network.

$ defender angle: NAT, load balancers, and proxies all modify source or destination context. Misreading a translated address is a common root cause for wrong assumptions during triage. Know where address translation happens in your environment and how to correlate pre- and post-NAT addresses across log sources.

$ prove understanding: Identify key control points: switches, routers, firewalls, reverse proxies, and DNS resolvers.

deep-dive-notes-expanded

Read each section, then immediately test the concept in your lab. Theory that you have not verified with a real command or log line does not stick.

1. Protocol Stack and Data Flow

Application data gets wrapped in transport headers (TCP or UDP), then an IP header, then a layer-2 frame before it goes on the wire. Defensive tooling captures at different points in that process, so the same connection might look different in a host log versus a SPAN port capture.

TCP gives you ordered delivery, retransmission, and flow control — and it gives you state you can observe. A TCP session has a beginning, a teardown, and detectable error conditions. UDP has none of that, which is why DNS, streaming, and some telemetry protocols use it. From a detection standpoint, stateless UDP traffic is harder to reason about because there is no handshake to anchor the conversation.

ICMP is not just ping. It carries diagnostics, error reporting, and redirect messages. That makes it useful for network troubleshooting — and equally useful for quiet reconnaissance or covert signaling if nobody is watching it.

Normal Behavior

A DNS query returns an A or AAAA record in under 50ms and is followed within a second by a TCP SYN to the resolved IP.

Failure / Abuse Pattern

DNS resolves successfully (NOERROR, A record returned) but Wireshark shows no SYN to the returned IP — the application or a local firewall is dropping the connection attempt.

Evidence To Collect

Explain packet vs frame vs segment terminology and where each appears in the stack.

2. OSI Model for Defenders (All 7 Layers, in Practice)

The OSI model is a troubleshooting framework, not just exam trivia. The TCP/IP stack is what actually runs in production, but OSI gives you a clean mental checklist when something breaks or a detection fires: physical medium, local delivery, routing, transport behavior, session state, data encoding, and application logic.

Layer 1 (Physical) is the cable, fiber, radio, or optical link — signal strength, duplex, interface status. Security teams tend to ignore it until there is packet loss or retransmissions showing up in telemetry. Those same symptoms can mask real attack traffic or make baselines harder to interpret.

Layer 2 (Data Link) is local delivery: Ethernet frames, MAC addresses, ARP, VLANs, and switch forwarding. ARP spoofing, VLAN hopping, and rogue devices all live here. When analyzing east-west traffic, Layer 2 context explains why a sensor on one VLAN sees nothing from another segment.

Layer 3 (Network) is IP addressing and routing. Subnets, gateways, routing tables, and ICMP diagnostics. Most network security monitoring anchors here because IP source and destination survive even when payloads are encrypted. Segmentation decisions are Layer 3 decisions.

Layer 4 (Transport) is where TCP and UDP behavior matters operationally. TCP resets, retransmissions, connection state, and port behavior help distinguish normal services from scanning, floods, or broken connections. UDP traffic has no handshake, so spotting abuse requires a different approach.

Layer 5 (Session) covers session setup, maintenance, and teardown. The concept matters more than a separate implementation layer: session reuse, authentication tokens, keep-alives, and protocol state all have security implications. Attackers abuse session handling through replay, token theft, and fixation.

Layer 6 (Presentation) is encoding, serialization, compression, and encryption. TLS lives here conceptually. Encryption changes what you can inspect in a payload — but it does not remove all observability. Certificates, SNI, timing, connection sizes, and destination patterns remain visible and support detection.

Layer 7 (Application) is where analysts start: HTTP, DNS, SMTP, SSH, APIs, and authentication flows. Many attacks look unremarkable at lower layers while abusing application logic, credentials, or protocol semantics. Defenders who know normal application behavior can spot unusual methods, header patterns, and query names.

A practical way to internalize the stack is to trace one event through all seven layers. A browser loads a page: Layer 1/2 handles link and local switching, Layer 3 routes to the destination, Layer 4 sets up TCP, Layer 5 maintains session state, Layer 6 negotiates TLS, and Layer 7 carries DNS and HTTP. When the page fails to load, that sequence tells you where to start asking questions.

Use the OSI model as a structured troubleshooting checklist. When an alert or outage appears, ask: Is this a link problem (L1), an ARP or VLAN issue (L2), a routing or subnet problem (L3), a port or handshake failure (L4), a session or auth problem (L5), a TLS or encoding issue (L6), or application behavior (L7)? That order makes investigations faster and produces better documentation.

Normal Behavior

A TCP handshake completes SYN -> SYN-ACK -> ACK in under one round-trip time before any application data appears.

Failure / Abuse Pattern

TCP retransmits appear every 1–3 seconds with no SYN-ACK in response — a firewall is silently dropping the SYN rather than resetting it.

Evidence To Collect

Describe all seven OSI layers and map common protocols/telemetry to the correct layer.

3. DNS, HTTP, and TLS in a Real Request

A browser visit starts with DNS. The endpoint queries a resolver — local, enterprise, or encrypted — gets an IP, opens a TCP session (or QUIC for HTTP/3), negotiates TLS, then exchanges HTTP requests and responses. Each step leaves different evidence in different places.

DNS query names, resolver behavior, SNI fields in TLS handshakes, certificate metadata, destination IPs, and timing patterns all remain visible after encryption starts. Detection on encrypted traffic is not impossible — it just shifts from payload analysis to metadata and behavioral patterns.

HTTP semantics matter to defenders because attackers reuse ordinary methods and headers. Understanding status codes, redirects, user-agent strings, cookies, and API patterns is what lets you separate malicious automation from normal browser behavior.

Normal Behavior

A TLS 1.3 handshake adds one extra round-trip after the TCP ACK; after that, only encrypted records are visible on the wire.

Failure / Abuse Pattern

TLS handshake fails with 'Alert: handshake_failure (40)' — check that server and client share at least one cipher suite and that the certificate chain is complete.

Evidence To Collect

Trace a typical web request from DNS resolution through TLS and HTTP response.

4. Routing, Switching, and Security Visibility

Switches forward frames inside a LAN by MAC address. Routers move packets between networks using routing tables. That distinction matters because SPAN ports, taps, and sensor placement determine which traffic your IDS actually sees — a sensor on the wrong segment is blind to half the network.

NAT, load balancers, and proxies all modify source or destination context. Misreading a translated address is a common root cause for wrong assumptions during triage. Know where address translation happens in your environment and how to correlate pre- and post-NAT addresses across log sources.

Routing asymmetry, VLAN boundaries, and cloud overlay networks create gaps in traffic visibility. Before making conclusions from captured traffic, ask where it was collected and what paths a sensor on that point could never observe.

Normal Behavior

A DNS query returns an A or AAAA record in under 50ms and is followed within a second by a TCP SYN to the resolved IP.

Failure / Abuse Pattern

DNS resolves successfully (NOERROR, A record returned) but Wireshark shows no SYN to the returned IP — the application or a local firewall is dropping the connection attempt.

Evidence To Collect

Identify key control points: switches, routers, firewalls, reverse proxies, and DNS resolvers.

terminal-walkthroughs-with-example-output

Each walkthrough shows a command and what useful output looks like. Your lab output will differ — focus on which fields to read, not on matching the exact values shown here.

Host And Resolver Checks

Beginner
Command
ip addr
Example Output
2: eth0    inet 10.10.20.15/24
3: eth1    inet 10.10.30.5/24

$ why this matters: Run this against your lab environment and read the output field by field before moving on to the next command in this block. If you cannot explain what you see, re-read the section on host and resolver checks.

HTTP / TLS Inspection Basics

Intermediate
Command
curl -I http://example.com
Example Output
HTTP/1.1 301 Moved Permanently
Location: https://example.com/

$ why this matters: Run this against your lab environment and read the output field by field before moving on to the next command in this block. If you cannot explain what you see, re-read the section on http / tls inspection basics.

Packet Capture Starter

Advanced
Command
sudo tcpdump -ni any host example.com -c 50
Example Output
IP 10.10.20.15.53422 > 93.184.216.34.443: Flags [S]
IP 93.184.216.34.443 > 10.10.20.15.53422: Flags [S.]

$ why this matters: Run this against your lab environment and read the output field by field before moving on to the next command in this block. If you cannot explain what you see, re-read the section on packet capture starter.

cli-labs-and-workflow

Run these in a lab VM or network segment you own or are authorized to test against. After each command, write down one thing the output told you that you did not already know.

Host And Resolver Checks

Beginner 
ip addr
ip route
resolvectl status || cat /etc/resolv.conf
dig example.com +short
dig example.com A +trace

Run in a lab or authorized environment. Record what fields change when you alter the test conditions.

HTTP / TLS Inspection Basics

Intermediate 
curl -I http://example.com
curl -I https://example.com
curl -vk https://example.com/ 2>&1 | less
openssl s_client -connect example.com:443 -servername example.com </dev/null
ss -tupan | head

Run in a lab or authorized environment. Record what fields change when you alter the test conditions.

Packet Capture Starter

Advanced 
sudo tcpdump -ni any host example.com -c 50
sudo tshark -i any -f 'host example.com' -a duration:20

Run in a lab or authorized environment. Record what fields change when you alter the test conditions.

expert-mode-study-loop

  • $Explain the concept out loud as if briefing a colleague — no notes.
  • $Pick one CLI command and walk through exactly what the output means field by field.
  • $Name a specific failure mode and the log line or packet flag that reveals it.
  • $Write down what normal looks like for your lab before you introduce any anomaly.
Progress marker: Move on when you can brief the topic to someone else, run the commands from memory, and explain what a bad result looks like.

knowledge-check-and-answer-key

Answer each question out loud or in writing before you look at the hints. If you cannot answer it, go back to the section that covers it — do not just read the hint and move on.

1. Protocol Stack and Data Flow

Questions
  • ?How would you explain "Protocol Stack and Data Flow" to a new defender in plain language?
  • ?What does normal behavior look like for protocol stack and data flow in your lab or environment?
  • ?Which logs, packets, or commands would you use to validate protocol stack and data flow?
  • ?What failure mode or attacker abuse pattern matters most for protocol stack and data flow?
Show answer key / hints
Answer Key / Hints
  • #Explain packet vs frame vs segment terminology and where each appears in the stack.
  • #A DNS query returns an A or AAAA record in under 50ms and is followed within a second by a TCP SYN to the resolved IP.
  • #ip addr
  • #DNS resolves successfully (NOERROR, A record returned) but Wireshark shows no SYN to the returned IP — the application or a local firewall is dropping the connection attempt.

2. OSI Model for Defenders (All 7 Layers, in Practice)

Questions
  • ?How would you explain "OSI Model for Defenders (All 7 Layers, in Practice)" to a new defender in plain language?
  • ?What does normal behavior look like for osi model for defenders (all 7 layers, in practice) in your lab or environment?
  • ?Which logs, packets, or commands would you use to validate osi model for defenders (all 7 layers, in practice)?
  • ?What failure mode or attacker abuse pattern matters most for osi model for defenders (all 7 layers, in practice)?
Show answer key / hints
Answer Key / Hints
  • #Describe all seven OSI layers and map common protocols/telemetry to the correct layer.
  • #A TCP handshake completes SYN -> SYN-ACK -> ACK in under one round-trip time before any application data appears.
  • #curl -I http://example.com
  • #TCP retransmits appear every 1–3 seconds with no SYN-ACK in response — a firewall is silently dropping the SYN rather than resetting it.

3. DNS, HTTP, and TLS in a Real Request

Questions
  • ?How would you explain "DNS, HTTP, and TLS in a Real Request" to a new defender in plain language?
  • ?What does normal behavior look like for dns, http, and tls in a real request in your lab or environment?
  • ?Which logs, packets, or commands would you use to validate dns, http, and tls in a real request?
  • ?What failure mode or attacker abuse pattern matters most for dns, http, and tls in a real request?
Show answer key / hints
Answer Key / Hints
  • #Trace a typical web request from DNS resolution through TLS and HTTP response.
  • #A TLS 1.3 handshake adds one extra round-trip after the TCP ACK; after that, only encrypted records are visible on the wire.
  • #sudo tcpdump -ni any host example.com -c 50
  • #TLS handshake fails with 'Alert: handshake_failure (40)' — check that server and client share at least one cipher suite and that the certificate chain is complete.

4. Routing, Switching, and Security Visibility

Questions
  • ?How would you explain "Routing, Switching, and Security Visibility" to a new defender in plain language?
  • ?What does normal behavior look like for routing, switching, and security visibility in your lab or environment?
  • ?Which logs, packets, or commands would you use to validate routing, switching, and security visibility?
  • ?What failure mode or attacker abuse pattern matters most for routing, switching, and security visibility?
Show answer key / hints
Answer Key / Hints
  • #Identify key control points: switches, routers, firewalls, reverse proxies, and DNS resolvers.
  • #A DNS query returns an A or AAAA record in under 50ms and is followed within a second by a TCP SYN to the resolved IP.
  • #Choose one CLI command and explain what fields you would inspect.
  • #DNS resolves successfully (NOERROR, A record returned) but Wireshark shows no SYN to the returned IP — the application or a local firewall is dropping the connection attempt.

lab-answer-key-expected-findings

These are reference answers for a generic environment. Replace them with observations from your own lab — what you measured yourself is more useful than what is written here.

Expected Normal Findings
  • +A DNS query returns an A or AAAA record in under 50ms and is followed within a second by a TCP SYN to the resolved IP.
  • +A TCP handshake completes SYN -> SYN-ACK -> ACK in under one round-trip time before any application data appears.
  • +A TLS 1.3 handshake adds one extra round-trip after the TCP ACK; after that, only encrypted records are visible on the wire.
Expected Failure / Anomaly Clues
  • !DNS resolves successfully (NOERROR, A record returned) but Wireshark shows no SYN to the returned IP — the application or a local firewall is dropping the connection attempt.
  • !TCP retransmits appear every 1–3 seconds with no SYN-ACK in response — a firewall is silently dropping the SYN rather than resetting it.
  • !TLS handshake fails with 'Alert: handshake_failure (40)' — check that server and client share at least one cipher suite and that the certificate chain is complete.

hands-on-labs

  • $Take one browser request and map each observed artifact (link status, ARP, IP, TCP/UDP, TLS, HTTP/DNS) to the OSI layer where it is most useful for troubleshooting.
  • $Capture a browser visit to a test site and annotate the DNS query, TCP handshake, TLS handshake, and first HTTP request/response.
  • $Compare the same site over HTTP and HTTPS in a lab to identify what telemetry remains visible when encryption is enabled.
  • $Document where a packet would traverse switch, router, NAT, and firewall in your home or lab network.

common-pitfalls

  • $Treating the OSI Model as memorization only instead of using it to structure troubleshooting and detection.
  • $Confusing ports with protocols (for example assuming port 443 always means safe web traffic).
  • $Treating "encrypted" as "invisible" and ignoring metadata-based detections.
  • $Ignoring capture location and making claims about traffic that a sensor could never observe.

tools-and-references

completion-outputs

# A protocol flow diagram for one normal web transaction
# An OSI layer cheat sheet that maps common protocols, logs, and tools to each layer
# A glossary of core network terms used in your later learning modules
# A visibility map of where you can inspect traffic in your environment

related-tool-guides

Each of these tools is directly relevant to the evidence collection or validation steps in this topic. Use them to close the gap between reading a concept and running it.

open /learning/tools/wireshark-tshark Wireshark / TShark open /learning/tools/tcpdump tcpdump

related-threat-pages

See where these fundamentals appear in real attack scenarios and what evidence defenders look for during triage.

open /threats/phishing-and-credential-theft Phishing and credential theft open /threats/dns-abuse-tunneling-and-command-control DNS abuse, tunneling, and command-and-control
<- learning index Back to the course map -> next page Subnetting, NAT, Firewall Policy Logic, and Segmentation Basics
learning-path-position

Foundations / Weeks 1-2 · Module 1 of 12