Reserved and Commonly Allocated Ports

This document provides an overview of port numbers, their classifications, and their significance in network communication. It details the three main ranges of port numbers: well-known ports, registered ports, and dynamic/private ports, along with examples and usage scenarios. Additionally, it includes instructions for identifying active ports and protocols on Windows and Mac devices, emphasizing the importance of managing network traffic for security and efficiency.

Uploaded by

sco field

Reserved and commonly allocated ports

Introduction
As you've learned, port numbers are essential in identifying protocols and services
that enable communication between devices. You've also gained familiarity with IP
addresses and their division into three classes.
This reading will delve deeper into the classification of port numbers based on
number ranges, which is similar to the classification of IP addresses. Understanding
these port number ranges is crucial for distinguishing between different sessions
across a network between devices. By exploring the various protocols associated
with each port number, this reading will be a valuable reference for future use.
Port number ranges
You now know that the range of port numbers used globally is from 0 to 65,535,
which is a vast number range. The Internet Assigned Numbers Authority (IANA)
manages these port numbers since they change over time as technology and
protocols evolve. Any changes made to these port numbers require IANA's
permission.
The port numbers are further divided into three ranges, each serving a slightly
different purpose in the network. The classification is important in identifying
different sessions across a network between devices.
The three port number ranges are:
• Well-known ports (0 - 1,023) are reserved for specific protocols and services used by system processes and applications.
• Registered ports (1,024 - 49,151) are assigned by IANA for specific services or protocols and can also be used by user applications.
• Dynamic or private ports (49,152 - 65,535) are used by client applications to connect to servers and are assigned temporarily for the duration of a session.
Now that you’re more familiar with the different range classifications, let’s explore
each in a little more detail.
Well-known port numbers (0 - 1,023)
Well-known port numbers are reserved for some of the most commonly used and
popular protocols in computer networks. These ports can carry either
connection-oriented, acknowledged traffic via TCP or connectionless,
unacknowledged traffic via UDP. They are assigned at the transport layer of
the OSI model or TCP/IP suite and identified at the application layer.
Review the table below for some of the most common well-known ports:

| Port number | TCP/UDP | Protocol | Usage |
|---|---|---|---|
| 20, 21 | TCP | File Transfer Protocol (FTP) | Data transfer |
| 22 | TCP/UDP | Secure Shell (SSH) | Secure remote device access |
| 23 | TCP | Telnet | Remote device access |
| 25 | TCP | Simple Mail Transfer Protocol (SMTP) | Email |
| 53 | TCP/UDP | Domain Name Server (DNS) | Name to IP address resolution |
| 67, 68 | UDP | Dynamic Host Configuration Protocol (DHCP) | Dynamic IP address assignment |
| 69 | UDP | Trivial File Transfer Protocol (TFTP) | Booting devices from the network |
| 80 | TCP | HyperText Transfer Protocol (HTTP) | Web page data transfer |
| 110 | TCP | Post Office Protocol (POP3) | One-way mail delivery |
| 123 | UDP | Network Time Protocol (NTP) | Keeps time for the network |
| 143 | TCP/UDP | Internet Message Access Protocol (IMAP4) | Managing mailboxes |
| 161, 162 | TCP/UDP | Simple Network Management Protocol (SNMP) | Network device management |
| 389 | TCP/UDP | Lightweight Directory Access Protocol (LDAP) | Authentication services |
| 443 | TCP/UDP | HTTP with Secure Sockets Layer (SSL) (HTTPS) | Secure web page retrieval |
| 500 | UDP | Internet Security Association and Key Management Protocol (ISAKMP) / Internet Key Exchange (IKE) | Authentication |
| 636 | TCP/UDP | Lightweight Directory Access Protocol over TLS/SSL (LDAPS) | Secure authentication services |
| 989, 990 | TCP | FTP over TLS/SSL | Secure data transfer |
For a complete list of all protocols, please review the following resource from IANA:
• Service names and port numbers
When using protocol port numbers, the destination port is usually specified as the
initial step in requesting the correct service from the device that provides the
service. If a server supports multiple protocols, the destination port is what tells
the server which service the client wants to use.
The following diagram illustrates how ports are used to identify services:
To improve the security of data being transmitted over networks, many protocols
now have alternative versions. These alternative versions often involve encryption
using a security protocol to enhance security. One such example is HTTPS, which
uses the Transport Layer Security (TLS) protocol to encrypt data as it moves across
the network. TLS is also used in other protocols to improve their security, with the
letter 'S' added to the end of the original protocol name to signify the use of TLS.
Registered ports (1,024 - 49,151)
Registered ports are assigned by IANA to companies for specific services that they
want to use. These ports are often used in the gaming sector to identify the ports
that need to be opened in home networks to allow games to function.
Examples include port 3,074 for the Xbox Live network or ports 3,479 and 3,480 for
the PlayStation Network. These ports have changed as games become less relevant
and new ones emerge on the market. As technology changes, new ports are assigned
and old ones are retired. Some registered ports have been around for a while, such
as SIP and H.323, which are video conferencing protocols that use port numbers
1,719, 1,720, 5,060, and 5,061. For SIP, port 5,060 is used for unencrypted data,
while port 5,061 is used for encrypted data.
Dynamic or private ports (49,152 - 65,535)
Dynamic or private ports are essential for communication between protocols using
TCP or UDP. When a computer has multiple web pages open simultaneously,
dynamic ports are used to identify different sessions. Each open web page will be
associated with a different port number, which serves as the source port number for
communication between devices. This is crucial because it allows your computer to
determine which data belongs to which web page, and it is also the number used
for devices to communicate responses.
The following example demonstrates how a client PC and web server use IP
addresses to communicate with each other. In this scenario, the client PC sends a
web service request (HTTP request) to the web server using port number 80. The
client PC also specifies a source port number (port 5000) for the web server to send
its response. This source port number helps the client PC identify which application
and session the data is for.
Conclusion
In summary, devices use different port numbers to manage network traffic. Well-
known ports are for common applications, registered ports for constantly changing
protocols and newer technologies, and dynamic ports for identifying individual
sessions. Engineers manage network traffic by configuring and monitoring data flow
through specific port numbers, assigning them to specific applications or services,
setting up firewall rules, and analyzing network traffic to improve performance.
By managing network traffic effectively, engineers ensure data is transmitted
securely and efficiently, and applications and services are accessible to users.
Exercise: Ports in use
Introduction
Throughout your journey learning about computer networks, you've come across
various protocols and sessions used by devices to communicate with each other.
You’ve learned that one crucial aspect of this communication is port numbers,
which enable devices to identify the protocols and sessions open during a
conversation. But how can you check which conversations and protocols a device is
using?
In this exercise, you will learn how to identify the ports being used on a computer.
This knowledge can help businesses like Sam's Scoops to determine if they have
potentially exposed themselves to any online risks in the future.
Case study
Sam's Scoops has recently connected to the internet and is considering establishing
an online presence. However, Sam needs to ensure that the network is secure and
not vulnerable to online risks before proceeding. As Sam's advisor, your initial task
is to investigate the network's current protocols and conversations to identify
potential risks.
This exercise will guide you through identifying active sessions on Windows devices,
allowing you to begin understanding which protocols are currently in use on a
network.
Instructions
Identifying protocols and sessions on a Windows device
To find the current sessions and protocols in use on a Windows machine, you can
use the command prompt. As you may recall, you used the command prompt
earlier to find your IP address. This application is available in most Windows
operating systems and is commonly used to troubleshoot or solve certain kinds of
Windows issues.
Here's how to open the command prompt and get your current sessions and
protocols:
1. Click on the Windows Start button in the taskbar, typically located at the
bottom of your screen.
2. Type cmd in the search bar and click on the thumbnail for the command
prompt app.
3. An app with a black background will load. Type netstat -a in the black space
and press enter.
4. Wait for 30 seconds to view the sessions that are currently in use.
5. Identify one of the sessions by noting the ports and protocols in use.
The netstat command commonly displays http or https as protocols when
executed. Other protocols will display, depending on the applications currently
running on the system.

Identifying protocols and sessions on a Mac


To find the current sessions and protocols on a Mac machine, you need to launch
the Terminal app. You might recall from an earlier example that the Terminal app is
a command line interface (CLI) for the operating system (OS) used by Macs.
Network administrators typically use the Terminal app to initiate an action that is
not supported by the operating system's graphical user interface (GUI).
Here's how to open the Terminal app and get your current sessions and protocols:
1. Open the Terminal app using Spotlight search or find it via Go > Utilities.
2. A window with a white background will load. Type netstat -a in the white
space.
3. A Mac device can produce a lot of output, so scroll back to where you typed
the netstat command, and directly beneath this you will have your sessions.
4. Identify one of the sessions by noting the ports and protocols in use.
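As an added example (not part of the exercise), the following Python script parses a constructed sample of `netstat -a` output in the Windows layout, classifies each local port into the three ranges from the reading, names the well-known services from the table above, and flags listening cleartext services for which the reading lists a TLS or SSH alternative. The hostnames, addresses and port numbers in the sample are made up.

```python
"""Classify the ports in ``netstat -a`` output by IANA range and flag
cleartext listeners that have a TLS/SSH-protected alternative.

Added example, not part of the course reading. SAMPLE_NETSTAT is a
constructed imitation of Windows ``netstat -a`` output.
"""
import re

# Port ranges as given in the reading (IANA).
RANGES = (
    (0, 1023, "well-known"),
    (1024, 49151, "registered"),
    (49152, 65535, "dynamic/private"),
)

# Well-known ports from the reading's table.
WELL_KNOWN = {
    20: "FTP data", 21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP",
    53: "DNS", 67: "DHCP", 68: "DHCP", 69: "TFTP", 80: "HTTP",
    110: "POP3", 123: "NTP", 143: "IMAP4", 161: "SNMP", 162: "SNMP",
    389: "LDAP", 443: "HTTPS", 500: "ISAKMP/IKE", 636: "LDAPS",
    989: "FTPS data", 990: "FTPS",
}

# Cleartext protocol -> protected alternative, pairs the reading lists.
SECURE_ALTERNATIVE = {
    21: "FTP over TLS/SSL (989/990)",
    23: "SSH (22)",
    80: "HTTPS (443)",
    389: "LDAPS (636)",
}

# Constructed sample of ``netstat -a`` output (Windows layout).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:23             DESKTOP-PC:0           LISTENING
  TCP    0.0.0.0:80             DESKTOP-PC:0           LISTENING
  TCP    0.0.0.0:443            DESKTOP-PC:0           LISTENING
  TCP    192.168.1.10:52331     93.184.216.34:443      ESTABLISHED
  TCP    192.168.1.10:52332     93.184.216.34:80       ESTABLISHED
  TCP    [::]:22                DESKTOP-PC:0           LISTENING
  UDP    0.0.0.0:123            *:*
  UDP    0.0.0.0:3074           *:*
"""

# Proto, local address, foreign address, optional state (UDP lines have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def port_range(port):
    """Return the IANA range name for a port number."""
    for low, high, name in RANGES:
        if low <= port <= high:
            return name
    raise ValueError(f"port out of range: {port}")


def split_port(address):
    """Split 'host:port' or '[v6addr]:port' into (host, port)."""
    host, _, port = address.rpartition(":")
    return host, int(port)


def parse_netstat(text):
    """Return one dict per connection line; header and blank lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        lhost, lport = split_port(local)
        sessions.append({
            "proto": proto, "local_host": lhost, "local_port": lport,
            "foreign": foreign, "state": state or "",
            "range": port_range(lport), "service": WELL_KNOWN.get(lport),
        })
    return sessions


def cleartext_listeners(sessions):
    """Bound local ports whose protocol has a secure alternative in the reading."""
    findings = []
    for s in sessions:
        bound = s["state"] == "LISTENING" or (s["proto"] == "UDP" and s["foreign"] == "*:*")
        if bound and s["local_port"] in SECURE_ALTERNATIVE:
            findings.append((s["local_port"], WELL_KNOWN[s["local_port"]],
                             SECURE_ALTERNATIVE[s["local_port"]]))
    return findings


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE_NETSTAT)
    for s in parsed:
        print(f"{s['proto']:<4}{s['local_port']:>6}  {s['range']:<16}{s['service'] or '-'}")
    for port, name, alt in cleartext_listeners(parsed):
        print(f"port {port} ({name}) is cleartext; prefer {alt}")
```

On a real machine, pipe the actual output in (`netstat -a` on Windows or macOS) instead of the constructed sample; the macOS layout differs slightly (addresses use a dot before the port), so the regex and `split_port` would need adjusting for that format.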
Conclusion
By following the steps outlined in this exercise, you have learned how to identify the
ports in use on both Windows and Mac devices. Later, you’ll learn to use this
knowledge to help businesses like Sam's Scoops determine if they've exposed
themselves to any online risks. As you continue learning about computer networks,
you'll gain a deeper understanding of how IP addresses are assigned and used, as
well as other important concepts related to network security.

Exemplar: Ports in use


Introduction
This exemplar demonstrates how you can identify the protocols and ports your
device is currently using. Review the steps below for both Windows and Mac devices
as you will likely encounter both machines on the network in the future.
Identifying protocols and sessions on a Windows machine
Step 1: Click on the Windows button on the taskbar.
Step 2: Type cmd in the search bar. A thumbnail for the command prompt should
appear in the menu.

Step 3: Click on the thumbnail to open the command prompt. A window with a black
background will load.
Step 4: Type netstat -a in the black space and press enter.

Step 5: Wait 30 seconds for the active sessions to load.


In the window, you should now be able to review the sessions that are open on your
PC.
Identifying protocols and sessions on a Mac
Step 1: Open the Mac terminal using the Spotlight search or find it
via Go > Utilities. The terminal app will open.
Step 2: Type netstat -a in the white space.

Step 3: The Mac can produce a lot of output, so scroll back to where you typed the
netstat command and directly beneath this you will find the active sessions.
Conclusion
You should now be able to identify different sessions and protocols that are running
on Windows or Macs. This knowledge enables you to check what protocols are
running on your machine and if they are the secure version of the protocol. Try
opening more applications to see what they are using.
Additional resources: Protocols and ports
Congratulations on completing this lesson about protocols and ports! By now, you
have a comprehensive understanding of how ports help identify protocols and
sessions on a network. Additionally, you have gained knowledge about several
network protocols and their varying levels of security.
With your newfound knowledge, you are now equipped to provide valuable advice
to Sam's Scoops on which protocols would be better suited to their future
applications.
Here are some additional resources that may be helpful as references on the topics
covered in this lesson:
Official list of port numbers and protocols
To explore the full official list of port numbers and protocols, visit the Internet
Assigned Numbers Authority. This resource contains a comprehensive list of port
numbers and protocols in addition to what was already covered in this lesson.
HTTP versus HTTPS
HTTP and HTTPS are both very important as they are used on the web pages that
you view. It is a good idea to know when you are on a secure page when passing
data on the internet, and this is a great resource on how HTTPS accomplishes this.
Understanding Network Address Translation (NAT)
Understanding how your home router manages network traffic is essential for
ensuring smooth communication between devices within your network and the
external internet. A fundamental aspect is how your router uses port numbers to
organize different connections or services in your home network. Port numbers are
crucial in distinguishing these services, which becomes especially important when
dealing with limited public IP addresses.
Network Address Translation (NAT) is a technique that allows multiple devices on a
local network to share a single public-facing IP address. When a device within your
home network communicates with the external world, the router translates the
private IP address into the public IP address. This process helps ensure that the
router returns the correct data to the appropriate device within your local network.
As the data is transmitted, the router assigns a unique port number to each
outgoing connection, enabling it to track multiple simultaneous sessions and
maintain the integrity of the communication.
A critical feature of NAT is port forwarding, which allows external devices to access
specific services within your home network. For example, suppose you're hosting a
web server or an online game. In that case, port forwarding enables external users
to reach those services even though they reside behind the router's single public IP
address.
Resources like the Microsoft article Set up a NAT network and Brightwhiz's
Demystifying NAT (Network Address Translation) and Port Forwarding provide in-
depth explanations of how NAT works and efficiently handles port forwarding and
session management. These guides offer valuable insights into how NAT supports
home and small office networks, managing internal communication and access to
external resources.
Conclusion
In this reading, you explored a list of port numbers and protocols, the difference
between HTTP and HTTPS, and how your home router manages the numerous
sessions and ports originating from your home. It is beneficial to use these
resources to broaden your knowledge.

DNS attacks
Introduction
You now know that DNS converts easy-to-read website names into IP addresses to
make navigating the internet more convenient. This is a useful service used by
people across the world, but it's a prime target for cyberattacks precisely because
it's used so much. One attack can cause many disruptions, and an attacker can
even profit from it. Knowing the risks is a good place to start before you can think
about how to mitigate threats.
In this reading, you will learn about the structure of DNS and the four server types
to understand better where the different vulnerabilities lie within DNS. You will also
examine typical DNS attacks so you can identify different attacks on your own
network one day.
DNS server types
As mentioned previously, you can't rely on only one server to look after all DNS
requests worldwide. You need many to deliver the service. One server can't store all
the possible addresses on the internet, so the workload is spread across many
servers playing different roles in collecting and storing information.
There are four types of DNS servers, illustrated in the diagram below, that provide a
structure, each type playing a different role in that structure. There are the
recursive DNS servers, the root domain servers, top-level DNS servers, and the
authoritative DNS servers. The model is hierarchical, so you must start at the top
and work your way down. Or, as in the diagram below, you start on the left and then
work your way from the top down.
Recursive DNS server
First is the recursive server – or resolver – which is usually the DNS server
configured on your device, with its IP address set either manually or via DHCP. If
it receives a DNS request for a name it already has in its cache, the recursive
resolver can respond with the IP address straight away from its memory. If the
recursive resolver does not know the IP address, the request must go to the root
domain servers.
Root domain servers
There are 13 root domain servers spread across the world; all looked after by a
governing body called the Internet Assigned Numbers Authority (IANA). The root
domain servers' job is to direct queries to the correct location. Again, the root
server could potentially have the answer if it has dealt with the IP recently, but if
not, it will pass the query to the top-level domain servers that are responsible for
that area.
Top-level DNS servers
Top-level domain (TLD) servers look after large areas and even countries. Domain name
extensions like .com, .co.uk, .net, and .org are all different TLD servers. Again, they
can give the correct location if they have recently received this request. If not, they
will forward the query to the authoritative name servers.
Authoritative DNS servers
These servers hold the specific information the client has been trying to obtain.
Thus they provide the necessary website name-to-IP-address translation for the
recursive DNS server. These servers are where companies register their names –
known as domains – like Microsoft.com or samsscoops.com. These servers are
spread over hundreds of locations, providing the many DNS servers needed to
support the internet.
As you can note from the descriptions of the four different types of servers,
requesting a name-to-IP-address translation repeats with each server level until the
query has been answered. No further steps are required if the answer lies in the
recursive DNS server. But if it doesn't, it has to be passed along through each type
of server until the answer is returned.
Now, let's move on to learning more about DNS vulnerabilities and the attacks that
go with them.
DNS attacks
The structure of DNS is both its strongest and weakest attribute. In other words,
with so many servers, it's very fast and reliable, and servers can take over from
others if there's a problem. But having so many servers means there are more
opportunities for attacks because protecting all of them at the same time is a near-
impossible task. This is because they are also managed by different groups and
companies. DNS is susceptible to many diverse attack types across its structure,
and here are five of the main types of attacks.
DNS spoofing
This type of attack involves altering DNS records that store the translations between
website names and IP addresses at the DNS resolvers, altering their cache or
memory. This means that someone could be diverted to a site that delivers a virus
or is even spoofing or imitating another site. These are dangerous as you could
input sensitive information like passwords on these spoof sites, handing it to the
attacker.
DNS hijacking
Hijacking is similar to spoofing but redirects DNS queries to a DNS server under the
attacker's control, as depicted in the diagram below. This means they can send
users anywhere they want them to be. For example, a fake banking site that looks
exactly like the original where someone types in their details, which the attacker
can use to gain access to their bank account.
DNS tunneling
This attack hides other protocols inside DNS queries and responses' payload data.
Attackers use this to pass malware or other protocols to take over a server
remotely. Tunneling attacks generally involve hiding something from a firewall by
having one protocol that it sees on the outside but is actually very different inside.
This is like taking an item in its original packaging, replacing it with something else
in the same packaging, and then passing it off as the original.
DNS amplification
This type of attack is aimed at creating a denial of service. In other words, its aim is
to overwhelm a server so it cannot perform its intended job. For DNS, this involves
sending DNS requests with a fake source IP address, meaning the DNS replies go to
a target the attacker has chosen. An attacker could create hundreds of requests,
overwhelming the target. This attack uses publicly available DNS servers.
DNS flood attack
DNS flooding is similar to amplification, but instead of targeting another source
server, the attack overwhelms the DNS server itself by sending thousands of
spoofed DNS requests. This stops any genuine requests from working.
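The following Python simulation is an added example, not part of the reading. It models the four server levels described above (recursive resolver, root, TLD, authoritative) with a resolver cache, then shows what DNS spoofing does to a client's answer by overwriting a cached record, and how comparing cached records against the authoritative server reveals the tampered entry. Zone data, server names and IP addresses are constructed; samsscoops.com is the reading's example domain.

```python
"""Simulate the four DNS server levels from the reading with a resolver
cache, then show the effect of a spoofed cache record and a check for it.

Added example, not part of the reading. All zone data, server names and
IP addresses are constructed.
"""

# Authoritative servers hold the final name-to-IP records (constructed).
AUTHORITATIVE = {
    "auth-samsscoops": {"www.samsscoops.com": "203.0.113.10"},
    "auth-microsoft": {"www.microsoft.com": "198.51.100.5"},
}
# TLD servers know which authoritative server is responsible for each zone.
TLD = {"tld-com": {"samsscoops.com": "auth-samsscoops",
                   "microsoft.com": "auth-microsoft"}}
# The root servers know which TLD server handles each extension.
ROOT = {"com": "tld-com"}


def zone_of(name):
    """'www.samsscoops.com' -> ('com', 'samsscoops.com')."""
    labels = name.lower().rstrip(".").split(".")
    return labels[-1], ".".join(labels[-2:])


class RecursiveResolver:
    """The resolver configured on the client; answers from cache when it can."""

    def __init__(self):
        self.cache = {}   # name -> IP address
        self.trace = []   # servers consulted for the most recent query

    def resolve(self, name):
        self.trace = []
        if name in self.cache:
            self.trace.append("cache")
            return self.cache[name]
        tld, zone = zone_of(name)
        self.trace.append("root")
        tld_server = ROOT.get(tld)
        if tld_server is None:
            return None                      # unknown extension
        self.trace.append(tld_server)
        auth_server = TLD[tld_server].get(zone)
        if auth_server is None:
            return None                      # domain not registered
        self.trace.append(auth_server)
        ip = AUTHORITATIVE[auth_server].get(name)
        if ip is not None:
            self.cache[name] = ip            # remember for the next query
        return ip

    def verify_cache(self):
        """Compare every cached record with the authoritative answer and
        return (name, cached_ip, authoritative_ip) for each mismatch."""
        mismatches = []
        for name, cached_ip in self.cache.items():
            tld, zone = zone_of(name)
            auth_server = TLD.get(ROOT.get(tld), {}).get(zone)
            real_ip = AUTHORITATIVE.get(auth_server, {}).get(name)
            if real_ip != cached_ip:
                mismatches.append((name, cached_ip, real_ip))
        return mismatches


if __name__ == "__main__":
    resolver = RecursiveResolver()
    print(resolver.resolve("www.samsscoops.com"), resolver.trace)   # full walk
    print(resolver.resolve("www.samsscoops.com"), resolver.trace)   # from cache
    # Simulated spoofing: the cached record is overwritten with another address.
    resolver.cache["www.samsscoops.com"] = "192.0.2.99"
    print(resolver.resolve("www.samsscoops.com"), resolver.trace)   # wrong answer
    print(resolver.verify_cache())
```

The re-query in `verify_cache` only makes the poisoned entry visible in this toy; on a real resolver the equivalent protection is DNSSEC validation of the records before they are cached.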

Conclusion
DNS relies on a structure of four different DNS server types to deal with hundreds of
thousands of requests every second from around the world. The first server your
computer uses is the recursive server. This is the one that your machine directly
interacts with. If the recursive server doesn't know the answer to the request, it
passes it through the other three server types until it finds the DNS response it
needs. The strength of this structure is its resilience and availability. While its
weakness is that it is a prime target for attackers because they can target many
users at the same time, using different types of attacks. Learning about DNS
servers and the attacks that can be launched against them is very important.

Introduction to network traffic monitoring


Introduction
Earlier in the course, you learned there are many different protocols, and some are
better than others when it comes to security. You have also learned how you can
view these protocols from a Windows or Mac PC, but that gives you a very limited
view. That's because it only shows you what is going on on your machine at the
time when you run the netstat -a command, which doesn't tell you if there's
anything else on your network that shouldn't be there. That's where monitoring
comes in.
Monitoring can be split into two main tasks: network monitoring and network traffic
monitoring. On the one hand, network monitoring involves keeping track of network
devices for availability and faults. In contrast, network traffic monitoring is
monitoring what protocols and data are moving around a network and monitoring
for performance and security threats.
Now that the office and shop are connected to the internet, it's critical for Sam's
Scoops to monitor their network properly, but how do they keep track of everything
that's happening on the network, and not just on individual computers? The answer
is network traffic monitoring, the topic of this reading. In this reading, you will learn
about what can be monitored and what components and protocols are needed to
perform the important task of network traffic monitoring.
Monitoring bandwidth
Bandwidth is an important concept when it comes to network traffic monitoring and
performance. It's a term you might be familiar with because when you look for an
internet provider, you generally want the fastest connection you can afford,
meaning bandwidth is your first priority. That's because it determines the rate at
which data moves across a network. This is not usually a problem if only a few
people and applications use a network. But things can get pretty busy, and some
applications are more demanding than others. Just take video conferencing as an
example; it takes up a lot more bandwidth than just visiting a web page. Bandwidth
is much like the road in the illustration below: you can only accommodate a certain
number of cars before the road becomes blocked. That's why monitoring what is
using a lot of bandwidth is critical.
Monitoring users
When monitoring your network, you also want to track users to check what
applications they use and what their regular day-to-day activity is. Doing this can
create an audit trail, but more importantly, it reveals patterns so you can better
understand the network traffic behavior on a day-to-day basis. Knowing how your
network behaves makes it easier to spot when something isn't quite right. This is
very similar to a security guard keeping an eye on a shop and identifying suspicious
customers based on what they've learned from the out-of-the-ordinary behavior of
customers who previously stole from the shop. On a network, you can also look for
out-of-place activity. For example, you notice a new application for the first time or
that something specific uses a lot more bandwidth than usual. This could be a
security problem, maybe there's an attack generating traffic, or perhaps it's simply
something new that needs more bandwidth, and the network has to adjust to
accommodate it.
Network traffic monitoring steps
Network monitoring can be separated into three steps: Step 1 is choosing the
correct data source. Step 2 involves analyzing the correct component in a network.
And Step 3 is about using a monitoring tool to optimize and display data in a
readable format. Let's examine the steps.
Step 1: Choosing your data source and protocols
To monitor network traffic, you need to determine the best source. This monitoring
can be split into two categories: packet capture and flow analysis.
Packet capturing
This is a way of collecting copies of packets that are moving around a network. You
can decide to do this at different points across the network using a computer to run
the packet capture software and a mirrored port. A mirrored port is created to copy
any data that runs through it to your computer port and the connected packet
capturing software. An application called Wireshark has traditionally been the go-to
choice for performing this activity.
Flow analysis
Flow analysis is supported on many network devices and is typically a built-in
feature. Two protocols that can do this are called NetFlow and sFlow. NetFlow is a
Cisco proprietary protocol that runs on Cisco routers and switches. sFlow was
developed to work on many platforms. NetFlow collects IP traffic only, but sFlow can
collect and analyze data from layers 2 to 7 of the OSI model. This type of analysis
does not copy data from one port to another, so it's very flexible as the data can be
collected centrally.
Step 2: Selecting the correct component
Devices on the network that can support traffic monitoring include servers,
switches, routers, and firewalls. You can even monitor specific interfaces and their
applications as well as devices. However, you don't want to capture everything
happening everywhere on your network, as this will generate a lot of data to
analyze. You need to pick key areas of the network that oversee communication. On
Sam's network, the central router would be the best place as traffic flows to and
from that device.
Sam's network at this stage is quite simple, so monitoring traffic with either packet
capturing or flow analysis would be okay. But as it grows, packet capturing will only
be used when troubleshooting particular problems in a specific area because it's
restricted to the area you are plugged into. Flow analysis does not capture whole
data packets like packet capturing. Instead it captures packet details like ports and
IP addresses. In other words, just the information needed to understand data from
many different devices at the same time.
Step 3: Using monitoring tools
When a network grows, so does the amount of data flow that you will need to
analyze, and this is when you need third-party software that can collect all the flow
traffic. There are many different traffic monitoring tools out there that are very
capable of analyzing flows and putting the data into an easy-to-read format. They
usually also include tools for alerting a network manager of problems or anomalies
on the network.
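As an added example that is not part of the reading, the Python script below does the kind of analysis the three steps lead to: it takes constructed flow records of the shape NetFlow or sFlow export (source, destination, destination port, bytes), totals bytes per host and per port, and compares the result with a constructed baseline so that a new application port and a host using far more bandwidth than usual stand out, as the earlier sections on monitoring bandwidth and users describe. Hosts, flows, the baseline and the spike factor are all made up.

```python
"""Summarise flow records per host and port and flag deviations from a
baseline: destination ports never seen before and hosts whose byte count
exceeds SPIKE_FACTOR times their usual total.

Added example, not from the reading. All flows, hosts and the baseline are
constructed.
"""
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    ("192.168.1.10", "93.184.216.34", 443, 120_000),
    ("192.168.1.10", "93.184.216.34", 443, 95_000),
    ("192.168.1.11", "198.51.100.7", 443, 2_400_000),   # video conference
    ("192.168.1.12", "203.0.113.50", 21, 1_000),        # FTP, never seen before
    ("192.168.1.12", "203.0.113.50", 21, 52_000_000),   # and it moves a lot of data
    ("192.168.1.13", "192.168.1.1", 53, 800),
]

# Constructed baseline learned from previous days: typical bytes per host
# and the destination ports normally seen on the network.
BASELINE_BYTES = {"192.168.1.10": 300_000, "192.168.1.11": 3_000_000,
                  "192.168.1.12": 400_000, "192.168.1.13": 50_000}
BASELINE_PORTS = {53, 80, 443}
SPIKE_FACTOR = 5   # flag a host that moves more than 5x its baseline


def bytes_per_host(flows):
    """Total bytes sent by each source host."""
    totals = defaultdict(int)
    for src, _dst, _port, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)


def bytes_per_port(flows):
    """Total bytes per destination port (which application is busiest)."""
    totals = defaultdict(int)
    for _src, _dst, port, nbytes in flows:
        totals[port] += nbytes
    return dict(totals)


def find_anomalies(flows, baseline_bytes, baseline_ports, spike_factor=SPIKE_FACTOR):
    """Return findings as tuples: ('new-port', port, [hosts]) or
    ('bandwidth-spike', host, total_bytes)."""
    findings = []
    seen_ports = {port for _s, _d, port, _b in flows}
    for port in sorted(seen_ports - baseline_ports):
        hosts = sorted({s for s, _d, p, _b in flows if p == port})
        findings.append(("new-port", port, hosts))
    for host, total in sorted(bytes_per_host(flows).items()):
        limit = baseline_bytes.get(host, 0) * spike_factor
        if total > limit:
            findings.append(("bandwidth-spike", host, total))
    return findings


if __name__ == "__main__":
    for port, total in sorted(bytes_per_port(FLOWS).items(), key=lambda kv: -kv[1]):
        print(f"port {port:>5}: {total:>12,} bytes")
    for finding in find_anomalies(FLOWS, BASELINE_BYTES, BASELINE_PORTS):
        print(finding)
```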
Conclusion
Network traffic monitoring can help you to understand how a network and
applications are performing and use that data to make sure that the bandwidth and
network are not overwhelmed. This is an important step that Sam needs to take to
keep the network secure and functional. By monitoring network traffic, a business
like Sam's Scoops can quickly detect and respond to security incidents, prevent
data breaches, and ensure that network resources are used efficiently.

Network logs
Introduction
By now, you know that information can be collected from a network in different
ways. For example, packet capture and flow analysis are two ways of monitoring a
network. These give you a real-time idea of how data flows in a network. There are
many data points, but this information shouldn't just be monitored; it should also be
recorded. And in this reading, you're going to explore how information from data
points is recorded in network logs, what kind of different types of logs there are,
and how you can search and filter logs.
What is a log file?
Log files are records of events committed to a file in a list format. They can include
all sorts of information about events that happened at a particular time. Every
device on the network creates log files, thus giving you a history of what's been
happening.
Logs typically contain five labelled fields. They are:
• Timestamp – the time of the event.
• Log level – how severe or important the event is.
• Username – who caused the event.
• Service or application – what caused the event.
• Event description – what has happened.
Below is an extract from a Windows machine log, telling you that a logoff event
occurred.

In this example, you'll notice, from left to right:


• The date and time the event happened.
• The user information under the heading "Source".
• The Event ID number.
• The event under the heading "Task category" where the logoff is specified.
This information is useful, especially because it's timestamped. If you were
troubleshooting a problem, you could check the logs of a particular device to see
what was going on at the time of the issue. Log files can be huge and store a lot of
information, so you need to know what you are looking for. That is why the
timestamp is a critical part of any log.
Let's examine a few examples of different log file types.
Log file types
 Event log – records information about the usage of network traffic and tracks
login attempts, application events, and failed password attempts.
 System log (or syslog) – records operating system events, including startup
messages, system changes, shutdowns, and errors and warnings.
Below is an example of a system log from a Windows PC event viewer, showing the
level of the log, the date and time, source, event ID, and task category.

 Server log – contains a record of activities in a text document related to a
specific server over a specific period of time.
 Change log – lists changes made to an application or file.
 Availability log – tracks uptime, availability, and system performance.
 Authorization and access log – lists who is accessing applications or files.
 Resource log – provides information on connectivity issues and any capacity
problems.
Logs can be stored in many different formats. Applications like the Windows event
viewer allow for easier troubleshooting and viewing of different events. But not all
devices on a network have a graphical application like the event viewer on a
Windows PC. Many logs are simple text files like the one below that shows a large
amount of log information without the clearly defined categories of the event
viewer. Sure, you can find information in such a file, but this is just one log from one
device, and that's a lot of information to sift through.
Log file filtering
Filtering and searching through log files can be tedious and time-consuming, so it's
good to know that the process can be sped up. Here are three ways of searching log
files.
The easiest is to use a tool that can capture, display, and even analyze logs for
you, such as Windows Azure Monitor, which you can use in the cloud to track what
is happening. In the example below, an Azure Monitor screen provides an
alphabetically arranged list of queries, and it tells you the number of requests
and calls by APIs, among other information.
The next option would be to use a search function within an application like
Notepad in Windows, like in the example below. This is very handy because it has a
find option, but you do need to know what you are looking for in the first place to
use this function.

Lastly, you can use search and filter commands. Different operating systems
allow you to search log files using certain commands. For example, grep is a very
useful command because it is supported across many Linux systems and lets you
search for patterns within log files. If you're searching for a particular error or
IP address, this can be a very powerful command. Using such commands takes
practice before you really benefit from the advanced search and filtering
capabilities they provide. Here is a resource, How to use the Linux grep command,
that can help get you started.
For Windows, findstr is the command to use in the command prompt application.
Examples of using this command can be found in this Microsoft Learn resource
about findstr.
Windows PowerShell is another powerful tool used to filter and search using the
Select-String command. In the example below, Select-String was used to search
for events related to the IP address 192.168.0.111, and PowerShell provided a list.

If you want to examine some more examples you can use this Microsoft Learn
resource about Select-String.
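To put the grep-style searching described above into practice, here is an added example (not part of the original reading) that searches a small constructed log file for a log level, an exact IP address, and failed logons per user. The log lines, user names and the cron entry are made up for the demo; 192.168.0.111 is the address the reading itself uses, and 192.168.0.11 is included to show why a naive grep for an IP address over-matches.

```shell
#!/bin/sh
# Added example: searching a plain-text log with grep, as the reading
# describes for Linux systems. The log content below is constructed for
# this demo and is not captured data. Field order on each line follows the
# five areas from the reading: timestamp, level, service, user, description.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
2024-03-01T08:12:03Z INFO  sshd  alice  Accepted password from 192.168.0.111 port 51234
2024-03-01T08:12:09Z WARN  sshd  bob    Failed password from 192.168.0.11 port 51290
2024-03-01T08:12:15Z WARN  sshd  bob    Failed password from 192.168.0.11 port 51291
2024-03-01T08:13:40Z ERROR sshd  bob    Failed password from 192.168.0.111 port 51300
2024-03-01T08:15:02Z INFO  cron  root   Job completed
EOF

# Count lines carrying a given log level. -w matches the level as a whole
# word, so searching for WARN does not also pick up longer tokens.
lines_at_level() {   # usage: lines_at_level LEVEL FILE
    grep -cw "$1" "$2"
}

# Count lines mentioning one exact IP address. A plain `grep 192.168.0.11`
# would also match 192.168.0.111: "." matches any character and nothing
# stops the match inside a longer address. Escaping the dots and requiring
# a non-address character (or line end) on both sides fixes that.
count_ip() {   # usage: count_ip IP FILE
    pattern="$(printf '%s' "$1" | sed 's/\./\\./g')"
    grep -cE "(^|[^0-9.])${pattern}([^0-9.]|$)" "$2"
}

# Failed logons per user, the kind of pattern an event log tracks.
# Output is one "user count" line per user ($4 is the user field).
failed_per_user() {   # usage: failed_per_user FILE
    grep 'Failed password' "$1" | awk '{print $4}' | sort | uniq -c \
        | awk '{print $2, $1}'
}

# Stand-alone demonstration of the naive search versus the bounded one.
echo "naive grep for 192.168.0.11:  $(grep -c '192.168.0.11' "$SAMPLE_LOG") lines"
echo "exact match for 192.168.0.11: $(count_ip 192.168.0.11 "$SAMPLE_LOG") lines"
echo "WARN lines: $(lines_at_level WARN "$SAMPLE_LOG")"
failed_per_user "$SAMPLE_LOG"
```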
Conclusion
There are many sources of information across the network, and even a small
network like Sam's Scoops has a lot of data because every device is actively
producing data. This data is split into different types of log files, like events in an
operating system or a log of who is accessing a device. Everything is tracked, which
means that if there is a problem, a log file exists to give you a clue as to what might
have gone wrong. While it's great that everything is tracked, it also means that you
have a large volume of data to work with. Luckily, there are tools available to filter
and search the data. Using purpose-built applications that do the work for you is a
great choice, but if you are dealing with a small network like Sam's, then using
search facilities within an application like Notepad, or commands that can perform
the filtering for you is a great choice.