TCP

The document provides an overview of the TCP/IP protocol suite, detailing various layers including the Application, Transport, Internet, and Network Access layers, along with their respective protocols and functions. It covers key protocols such as DNS, DHCP, TCP, UDP, IPv4, and IPv6, as well as frame fields and device address assignment methods. Additionally, it discusses troubleshooting network issues and popular Linux log files relevant to network management.

Uploaded by

jayofa8368

TCP/IP Protocol Suite

Application Layer

Name System

• DNS - Domain Name System. Translates domain names such as cisco.com, into IP addresses.

Host Config

• DHCPv4 - Dynamic Host Configuration Protocol for IPv4. A DHCPv4 server dynamically assigns IPv4 addressing information to DHCPv4 clients at start-up and allows the addresses to be re-used when no longer needed.
• DHCPv6 - Dynamic Host Configuration Protocol for IPv6. DHCPv6 is similar to DHCPv4. A DHCPv6 server dynamically assigns IPv6 addressing information to DHCPv6 clients at start-up.
• SLAAC - Stateless Address Autoconfiguration. A method that allows a device to obtain its IPv6 addressing information without using a DHCPv6 server.

Email

• SMTP - Simple Mail Transfer Protocol. Enables clients to send email to a mail server and enables servers to send email to other servers.
• POP3 - Post Office Protocol version 3. Enables clients to retrieve email from a mail server and download the email to the client's local mail application.
• IMAP - Internet Message Access Protocol. Enables clients to access email stored on a mail server as well as maintaining email on the server.

File Transfer

• FTP - File Transfer Protocol. Sets the rules that enable a user on one host to access and transfer files to and from another host over a network. FTP is a reliable, connection-oriented, and acknowledged file delivery protocol.
• SFTP - SSH File Transfer Protocol. As an extension to the Secure Shell (SSH) protocol, SFTP can be used to establish a secure file transfer session in which the file transfer is encrypted. SSH is a method for secure remote login that is typically used for accessing the command line of a device.
• TFTP - Trivial File Transfer Protocol. A simple, connectionless file transfer protocol with best-effort, unacknowledged file delivery. It uses less overhead than FTP.

Web and Web Service

• HTTP - Hypertext Transfer Protocol. A set of rules for exchanging text, graphic images, sound, video, and other multimedia files on the World Wide Web.
• HTTPS - HTTP Secure. A secure form of HTTP that encrypts the data that is exchanged over the World Wide Web.
• REST - Representational State Transfer. A web service that uses application programming interfaces (APIs) and HTTP requests to create web applications.

Transport layer

Connection-Oriented

• TCP - Transmission Control Protocol. Enables reliable communication between processes running on separate hosts and provides reliable, acknowledged transmissions that confirm successful delivery.

Connectionless

• UDP - User Datagram Protocol. Enables a process running on one host to send packets to a process running on another host. However, UDP does not confirm successful datagram transmission.

Internet Layer

Internet Protocol

• IPv4 - Internet Protocol version 4. Receives message segments from the transport layer, packages messages into packets, and addresses packets for end-to-end delivery over a network. IPv4 uses a 32-bit address.
• IPv6 - IP version 6. Similar to IPv4 but uses a 128-bit address.
• NAT - Network Address Translation. Translates IPv4 addresses from a private network into globally unique public IPv4 addresses.

Messaging

• ICMPv4 - Internet Control Message Protocol for IPv4. Provides feedback from a destination host to a source host about errors in packet delivery.
• ICMPv6 - ICMP for IPv6. Similar functionality to ICMPv4 but is used for IPv6 packets.
• ICMPv6 ND - ICMPv6 Neighbor Discovery. Includes four protocol messages that are used for address resolution and duplicate address detection.

Routing Protocols

• OSPF - Open Shortest Path First. Link-state routing protocol that uses a hierarchical design based on areas. OSPF is an open standard interior routing protocol.
• EIGRP - Enhanced Interior Gateway Routing Protocol. An open standard routing protocol developed by Cisco that uses a composite metric based on bandwidth, delay, load and reliability.
• BGP - Border Gateway Protocol. An open standard exterior gateway routing protocol used between Internet Service Providers (ISPs). BGP is also commonly used between ISPs and their large private clients to exchange routing information.

Network Access Layer

Address Resolution

• ARP - Address Resolution Protocol. Provides dynamic address mapping between an IPv4 address and a hardware address.

Note: You may see other documentation state that ARP operates at the Internet Layer (OSI Layer 3). However, in this course we state that ARP operates at the Network Access layer (OSI Layer 2) because its primary purpose is to discover the MAC address of the destination. A MAC address is a Layer 2 address.

Data Link Protocols

• Ethernet - Defines the rules for wiring and signaling standards of the network access layer.
• WLAN - Wireless Local Area Network. Defines the rules for wireless signaling across the 2.4 GHz and 5 GHz radio frequencies.

Frame Fields

Frame fields include the following:

• Frame start and stop indicator flags - Used to identify the beginning and end limits of the frame.
• Addressing - Indicates the source and destination nodes on the media.
• Type - Identifies the Layer 3 protocol in the data field.
• Control - Identifies special flow control services such as quality of service (QoS). QoS gives forwarding priority to certain types of messages. For example, voice over IP (VoIP) frames normally receive priority because they are sensitive to delay.
• Data - Contains the frame payload (i.e., packet header, segment header, and the data).
• Error Detection - Included after the data to form the trailer.

Ethernet Frame Fields Detail


• Preamble and Start Frame Delimiter (SFD) Fields - The Preamble (7 bytes) and Start Frame Delimiter (SFD), also called the Start of Frame (1 byte), fields are used for synchronization between the sending and receiving devices. These first eight bytes of the frame are used to get the attention of the receiving nodes. Essentially, the first few bytes tell the receivers to get ready to receive a new frame.
• Destination MAC Address Field - This 6-byte field is the identifier for the intended recipient. As you will recall, this address is used by Layer 2 to assist devices in determining if a frame is addressed to them. The address in the frame is compared to the MAC address in the device. If there is a match, the device accepts the frame. Can be a unicast, multicast or broadcast address.
• Source MAC Address Field - This 6-byte field identifies the originating NIC or interface of the frame.
• Type / Length - This 2-byte field identifies the upper layer protocol encapsulated in the Ethernet frame. Common values are, in hexadecimal, 0x800 for IPv4, 0x86DD for IPv6 and 0x806 for ARP. Note: You may also see this field referred to as EtherType, Type, or Length.
• Data Field - This field (46 - 1500 bytes) contains the encapsulated data from a higher layer, which is a generic Layer 3 PDU, or more commonly, an IPv4 packet. All frames must be at least 64 bytes long. If a small packet is encapsulated, additional bits called a pad are used to increase the size of the frame to this minimum size.
• Frame Check Sequence (FCS) Field - The Frame Check Sequence (FCS) field (4 bytes) is used to detect errors in a frame. It uses a cyclic redundancy check (CRC). The sending device includes the results of a CRC in the FCS field of the frame. The receiving device receives the frame and generates a CRC to look for errors. If the calculations match, no error occurred. Calculations that do not match are an indication that the data has changed; therefore, the frame is dropped. A change in the data could be the result of a disruption of the electrical signals that represent the bits.
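The field layout and the FCS check described above, as an added example written for these notes (it is not code from the course): the sender assembles destination, source, Type, padded data and a CRC-32 trailer; the receiver recomputes the CRC and drops the frame on a mismatch, exactly as the table describes. The preamble and SFD are deliberately not modelled, since the NIC strips them before the frame reaches software. The MAC addresses, EtherType and payload are constructed sample values.

```python
import struct
import zlib

# EtherType values named in the table above (written there as 0x800, 0x86DD, 0x806)
ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP"}
MIN_PAYLOAD = 46      # 14-byte header + 46 data + 4-byte FCS = 64-byte minimum frame
MAX_PAYLOAD = 1500
BROADCAST = b"\xff" * 6


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def compute_fcs(body: bytes) -> bytes:
    # Ethernet FCS is the same CRC-32 that zlib implements, computed over
    # destination address through the (padded) data, sent least-significant byte first.
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def address_kind(mac: bytes) -> str:
    """Classify the destination as the table does: unicast, multicast or broadcast."""
    if mac == BROADCAST:
        return "broadcast"
    if mac[0] & 0x01:              # I/G bit set: group (multicast) address
        return "multicast"
    return "unicast"


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble dst | src | type | data (+pad) | FCS as the sending NIC would."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 1500 bytes")
    padded = payload.ljust(MIN_PAYLOAD, b"\x00")   # pad small packets up to the minimum
    body = dst + src + struct.pack("!H", ethertype) + padded
    return body + compute_fcs(body)


def parse_frame(frame: bytes):
    """Return the decoded fields, or None when the FCS does not match
    (the receiver drops such a frame, as described in the table)."""
    if len(frame) < 64:
        raise ValueError("runt frame (shorter than 64 bytes)")
    body, trailer = frame[:-4], frame[-4:]
    if compute_fcs(body) != trailer:
        return None
    dst, src = body[0:6], body[6:12]
    (ethertype,) = struct.unpack("!H", body[12:14])
    return {
        "dst": mac_str(dst),
        "dst_kind": address_kind(dst),
        "src": mac_str(src),
        "type": ethertype,
        "type_name": ETHERTYPES.get(ethertype, "unknown"),
        "data": body[14:],
    }


# Constructed sample: a broadcast ARP frame from a locally administered MAC address
SAMPLE_SRC = bytes.fromhex("020000000001")
SAMPLE_PAYLOAD = b"constructed ARP payload"
SAMPLE_FRAME = build_frame(BROADCAST, SAMPLE_SRC, 0x0806, SAMPLE_PAYLOAD)


def corrupted_copy(frame: bytes) -> bytes:
    # Flip one bit inside the data field, simulating a disturbed electrical signal
    mutable = bytearray(frame)
    mutable[20] ^= 0x01
    return bytes(mutable)


if __name__ == "__main__":
    print(len(SAMPLE_FRAME), "bytes on the wire")
    print(parse_frame(SAMPLE_FRAME))
    print("corrupted frame accepted?", parse_frame(corrupted_copy(SAMPLE_FRAME)) is not None)
```

Running the block shows the 23-byte payload padded to 46 bytes so the frame reaches the 64-byte minimum, and that a single flipped bit is enough for the receiver's CRC to disagree with the trailer.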

Memory Buffering Methods


Fields in the IPv4 Packet Header
IPv4 Packet Header

IPv6 Packet Header


Device Address Assignment
Within a network, there are different types of devices that require addresses:

• End user clients - Most networks allocate IPv4 addresses to client devices dynamically, using Dynamic Host Configuration Protocol (DHCP). This reduces the burden on network support staff and virtually eliminates entry errors. With DHCP, addresses are only leased for a period of time, and can be reused when the lease expires. This is an important feature for networks that support transient users and wireless devices. Changing the subnetting scheme means that the DHCP server needs to be reconfigured, and the clients must renew their IPv4 addresses. IPv6 clients can obtain address information using DHCPv6 or SLAAC.
• Servers and peripherals - These should have a predictable static IP address. Use a consistent numbering system for these devices.
• Servers that are accessible from the internet - Servers that need to be publicly available on the internet must have a public IPv4 address, most often accessed using NAT. In some organizations, internal servers (not publicly available) must be made available to the remote users. In most cases, these servers are assigned private addresses internally, and the user is required to create a virtual private network (VPN) connection to access the server. This has the same effect as if the user is accessing the server from a host within the intranet.
• Intermediary devices - These devices are assigned addresses for network management, monitoring, and security. Because we must know how to communicate with intermediary devices, they should have predictable, statically assigned addresses.
• Gateway - Routers and firewall devices have an IP address assigned to each interface which serves as the gateway for the hosts in that network. Typically, the router interface uses either the lowest or highest address in the network.

TCP Header
UDP Header
Well-Known Port Numbers

Windows Boot Process

In BIOS firmware, the process begins with the BIOS initialization phase. This is when hardware devices are initialized and a power on self-test (POST) is performed to make sure all of these devices are communicating. When the system disk is discovered, the POST ends. The last instruction in the POST is to look for the master boot record (MBR).

The MBR contains a small program that is responsible for locating and loading the operating system. The BIOS executes this code and the operating system starts to load.

In contrast to BIOS firmware, UEFI firmware has a lot of visibility into the boot process. UEFI boots by loading EFI program files, stored as .efi files in a special disk partition, known as the EFI System Partition (ESP).

Note: A computer that uses UEFI stores boot code in the firmware. This helps to increase the security of the computer at boot time because the computer goes directly into protected mode.

Whether the firmware is BIOS or UEFI, after a valid Windows installation is located, the Bootmgr.exe file is run. Bootmgr.exe switches the system from real mode to protected mode so that all of the system memory can be used.

Bootmgr.exe reads the Boot Configuration Database (BCD). The BCD contains any additional code needed to start the computer, along with an indication of whether the computer is coming out of hibernation, or if this is a cold start. If the computer is coming out of hibernation, the boot process continues with Winresume.exe. This allows the computer to read the Hiberfil.sys file which contains the state of the computer when it was put into hibernation.

If the computer is being booted from a cold start, then the Winload.exe file is loaded. The Winload.exe file creates a record of the hardware configuration in the registry. The registry is a record of all of the settings, options, hardware, and software the computer has. The registry will be explored in depth later in this chapter. Winload.exe also uses Kernel Mode Code Signing (KMCS) to make sure that all drivers are digitally signed. This ensures that the drivers are safe to load as the computer starts.

After the drivers have been examined, Winload.exe runs Ntoskrnl.exe which starts the Windows kernel and sets up the HAL. Finally, the Session Manager Subsystem (SMSS) reads the registry to create the user environment, start the Winlogon service, and prepare each user's desktop as they log on.

Troubleshooting Network Access Layer Issues


Use the show interfaces command to check the interface status.

If the interface is down:

• Check to make sure that the proper cables are being used. Additionally, check the cable and connectors for damage. If a bad or incorrect cable is suspected, replace the cable.
• If the interface is still down, the problem may be due to a mismatch in speed setting. The speed of an interface is typically autonegotiated; therefore, even if it is manually applied to one interface, the connecting interface should autonegotiate accordingly. If a speed mismatch does occur through misconfiguration, or a hardware or software issue, then that may result in the interface going down. Manually set the same speed on both connection ends if a problem is suspected.

If the interface is up, but issues with connectivity are still present:

• Using the show interfaces command, check for indications of excessive noise. Indications may include an increase in the counters for runts, giants, and CRC errors. If there is excessive noise, first find and remove the source of the noise, if possible. Also, verify that the cable does not exceed the maximum cable length and check the type of cable that is used.
• If noise is not an issue, check for excessive collisions. If there are collisions or late collisions, verify the duplex settings on both ends of the connection. Much like the speed setting, the duplex setting is usually autonegotiated. If there does appear to be a duplex mismatch, manually set the duplex to full on both ends of the connection.

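The decision procedure above, turned into a small triage script as an added example (it is not part of the course material): it reads show interfaces output, pulls out the status line and the runts, giants, CRC, collisions and late collision counters, and reports which branch of the procedure applies. The two interface printouts are constructed samples that imitate the layout of Cisco IOS output; they were not captured from a real device.

```python
import re

# Constructed samples resembling Cisco IOS "show interfaces" output
SAMPLE_DOWN = """\
GigabitEthernet0/1 is down, line protocol is down (notconnect)
  Hardware is iGbE, address is 0200.0000.0001 (bia 0200.0000.0001)
  Auto-duplex, Auto-speed, media type is RJ45
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 1 interface resets
     0 late collision, 0 deferred
"""

SAMPLE_NOISY = """\
GigabitEthernet0/2 is up, line protocol is up (connected)
  Hardware is iGbE, address is 0200.0000.0002 (bia 0200.0000.0002)
  Half-duplex, 100Mb/s, media type is RJ45
     37 runts, 2 giants, 0 throttles
     1042 input errors, 1042 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 211 collisions, 2 interface resets
     19 late collision, 0 deferred
"""

# Counters the troubleshooting procedure asks us to look at
COUNTER_PATTERNS = {
    "runts": r"(\d+) runts",
    "giants": r"(\d+) giants",
    "crc": r"(\d+) CRC",
    "collisions": r"(\d+) collisions",
    "late_collisions": r"(\d+) late collision",
}


def interface_status(output: str):
    """Return (name, interface status, line protocol status) from the first line."""
    m = re.search(r"^(\S+) is (.+?), line protocol is (\S+)", output, re.M)
    if not m:
        raise ValueError("no interface status line found")
    return m.groups()


def counters(output: str) -> dict:
    """Extract the error/collision counters and the duplex setting as a dict."""
    found = {}
    for key, pattern in COUNTER_PATTERNS.items():
        m = re.search(pattern, output)
        found[key] = int(m.group(1)) if m else 0
    m = re.search(r"(Full|Half|Auto)-duplex", output)
    found["duplex"] = m.group(1).lower() if m else "unknown"
    return found


def diagnose(output: str) -> list:
    """Apply the procedure: down -> cabling/speed; up -> noise, then collisions."""
    name, status, protocol = interface_status(output)
    findings = []
    if status != "up" or protocol != "up":
        findings.append(
            f"{name} is {status}/{protocol}: check that the proper cable is used and "
            "inspect cable and connectors, replacing a suspect cable; if still down, "
            "suspect a speed mismatch and set the same speed on both ends")
        return findings
    c = counters(output)
    if c["runts"] or c["giants"] or c["crc"]:
        findings.append(
            f"{name}: excessive noise suspected ({c['runts']} runts, {c['giants']} giants, "
            f"{c['crc']} CRC errors); find and remove the noise source, verify cable "
            "length and cable type")
    if c["collisions"] or c["late_collisions"]:
        findings.append(
            f"{name}: {c['collisions']} collisions, {c['late_collisions']} late collisions "
            f"with duplex={c['duplex']}; verify duplex on both ends and set full duplex "
            "on both if they do not match")
    if not findings:
        findings.append(f"{name}: up, no noise or collision symptoms in the counters")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_DOWN, SAMPLE_NOISY):
        for line in diagnose(sample):
            print("-", line)
```

Feeding the script the output of several interfaces in turn gives a quick first pass over a switch; the counters alone do not prove the cause, which is why each finding repeats the verification step the procedure calls for.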
Popular Linux log files and their functions

/var/log/messages
• This directory contains generic computer activity logs.
• It is mainly used to store informational and non-critical system messages.
• In Debian-based computers, the /var/log/syslog directory serves the same purpose.

/var/log/auth.log
• This file stores all authentication-related events in Debian and Ubuntu computers.
• Anything involving the user authorization mechanism can be found in this file.

/var/log/secure
• This directory is used by RedHat and CentOS computers instead of /var/log/auth.log.
• It also tracks sudo logins, SSH logins, and other errors logged by SSSD.

/var/log/boot.log
• This file stores boot-related information and messages logged during the computer startup process.

/var/log/dmesg
• This directory contains kernel ring buffer messages.
• Information related to hardware devices and their drivers is recorded here.
• It is very important because, due to their low-level nature, logging systems such as syslog are not running when these events take place and therefore are often unavailable to the administrator in real-time.

/var/log/kern.log
• This file contains information logged by the kernel.

Cron log file
• Cron is a service used to schedule automated tasks in Linux and this directory stores its events.
• Whenever a scheduled task (also called a cron job) runs, all its relevant information including execution status and error messages are stored here.

/var/log/mysqld.log or /var/log/mysql.log
• This is the MySQL log file.
• All debug, failure and success messages related to the mysqld process and mysqld_safe daemon are logged here.
• RedHat, CentOS and Fedora Linux distributions store MySQL logs under /var/log/mysqld.log, while Debian and Ubuntu maintain the log in the /var/log/mysql.log file.
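The authentication events that /var/log/auth.log (Debian/Ubuntu) and /var/log/secure (RedHat/CentOS) record are only useful if someone reads them, so here is an added example of a summariser for those files; it is not part of the course notes. It parses the standard syslog line layout, tallies failed and accepted SSH logins per source address, records sudo invocations, and lists sources that crossed a failed-login threshold. The log lines are a constructed sample using documentation IP ranges, not output captured from a real host, and the threshold of three is an arbitrary assumption.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format used by /var/log/auth.log and /var/log/secure
SAMPLE_AUTH_LOG = """\
Mar 10 08:01:12 host1 sshd[2231]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2
Mar 10 08:03:45 host1 sshd[2290]: Failed password for invalid user admin from 203.0.113.5 port 41234 ssh2
Mar 10 08:03:47 host1 sshd[2290]: Failed password for invalid user admin from 203.0.113.5 port 41234 ssh2
Mar 10 08:03:50 host1 sshd[2292]: Failed password for root from 203.0.113.5 port 41240 ssh2
Mar 10 08:10:02 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd
Mar 10 08:12:30 host1 sshd[2310]: Failed password for bob from 198.51.100.9 port 50200 ssh2
Mar 10 08:12:35 host1 sshd[2310]: Accepted password for bob from 198.51.100.9 port 50200 ssh2
"""

# "Mon DD HH:MM:SS host process[pid]: message" (pid is optional, e.g. for sudo)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[\w.-]+)"
    r"(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_line(line: str):
    """Split one syslog line into its fields, or return None if it does not fit the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(text: str) -> dict:
    """Aggregate SSH failures/successes and sudo use from auth log text."""
    failed_by_source = Counter()
    failed_users = Counter()
    accepted = []
    sudo = []
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        msg = entry["msg"]
        if entry["proc"] == "sshd":
            if (m := FAILED_RE.search(msg)):
                failed_by_source[m["src"]] += 1
                failed_users[m["user"]] += 1
            elif (m := ACCEPTED_RE.search(msg)):
                accepted.append((m["user"], m["src"], m["method"]))
        elif entry["proc"] == "sudo":
            if (m := SUDO_RE.match(msg)):
                sudo.append((m["user"], m["target"], m["cmd"]))
    return {
        "failed_by_source": failed_by_source,
        "failed_users": failed_users,
        "accepted": accepted,
        "sudo": sudo,
    }


def suspicious_sources(summary: dict, threshold: int = 3) -> list:
    """Source addresses with at least `threshold` failed logins, most active first."""
    return [src for src, n in summary["failed_by_source"].most_common() if n >= threshold]


if __name__ == "__main__":
    s = summarize(SAMPLE_AUTH_LOG)
    print("failed logins by source:", dict(s["failed_by_source"]))
    print("accepted logins:", s["accepted"])
    print("sudo commands:", s["sudo"])
    print("sources over threshold:", suspicious_sources(s))
```

On a real system the same functions can be pointed at the file contents (read with appropriate privileges), and the accepted-login list is worth reviewing alongside the failures: a success from a source that was failing moments earlier is the line an analyst wants to see.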

802.11 Frame Structure

All 802.11 wireless frames contain the following fields:


• Frame Control - This identifies the type of wireless frame and contains subfields for protocol version, frame type, address type, power management, and security settings.
• Duration - This is typically used to indicate the remaining duration needed to receive the next frame transmission.
• Address1 - This usually contains the MAC address of the receiving wireless device or AP.
• Address2 - This usually contains the MAC address of the transmitting wireless device or AP.
• Address3 - This sometimes contains the MAC address of the destination, such as the router interface (default gateway) to which the AP is attached.
• Sequence Control - This contains information to control sequencing and fragmented frames.
• Address4 - This is usually missing because it is used only in ad hoc mode.
• Payload - This contains the data for transmission.
• FCS - This is used for Layer 2 error control.
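To make the field list concrete, here is an added example (not code from the course) that builds and decodes the 802.11 header for management and data frames, the frame classes in which every field listed above is present. It follows the standard header layout: two little-endian Frame Control bytes (protocol version, type and subtype in the first, the To DS, From DS, Retry, Power Management, Protected Frame and other flags in the second), a little-endian Duration, Address1 to Address3, Sequence Control (fragment number in the low 4 bits, sequence number above), and Address4 only when To DS and From DS are both set. The trailing FCS is verified as a CRC-32, as in Ethernet. Control frames carry fewer address fields and are rejected by the parser. All MAC addresses and the payload are constructed sample values.

```python
import struct
import zlib

FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}
# Flag bits of the second Frame Control byte
FLAG_BITS = {"to_ds": 0x01, "from_ds": 0x02, "more_fragments": 0x04, "retry": 0x08,
             "power_mgmt": 0x10, "more_data": 0x20, "protected": 0x40, "order": 0x80}


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def fcs(body: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(ftype, subtype, flags, duration, addr1, addr2, addr3,
                seq, frag, payload, addr4=None) -> bytes:
    """Assemble header | payload | FCS (protocol version 0)."""
    fc0 = (subtype << 4) | (ftype << 2)
    fc1 = 0
    for name, bit in FLAG_BITS.items():
        if flags.get(name):
            fc1 |= bit
    header = (bytes([fc0, fc1]) + struct.pack("<H", duration)
              + mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3)
              + struct.pack("<H", (seq << 4) | (frag & 0xF)))
    if addr4 is not None:
        header += mac_bytes(addr4)
    body = header + payload
    return body + fcs(body)


def parse_frame(frame: bytes):
    """Decode a management or data frame; None means the FCS failed and the frame is dropped."""
    if len(frame) < 24 + 4:
        raise ValueError("shorter than a 24-byte header plus FCS")
    body, trailer = frame[:-4], frame[-4:]
    if fcs(body) != trailer:
        return None
    fc0, fc1 = body[0], body[1]
    ftype = (fc0 >> 2) & 0x3
    if ftype == 1:
        raise NotImplementedError("control frames carry fewer address fields")
    flags = {name: bool(fc1 & bit) for name, bit in FLAG_BITS.items()}
    (duration,) = struct.unpack("<H", body[2:4])
    (seq_ctrl,) = struct.unpack("<H", body[22:24])
    offset, addr4 = 24, None
    if flags["to_ds"] and flags["from_ds"]:       # only then does Address4 exist
        if len(body) < 30:
            raise ValueError("four-address header truncated")
        addr4, offset = mac_str(body[24:30]), 30
    return {
        "version": fc0 & 0x3, "type": ftype, "type_name": FRAME_TYPES[ftype],
        "subtype": fc0 >> 4, **flags, "duration": duration,
        "addr1": mac_str(body[4:10]), "addr2": mac_str(body[10:16]),
        "addr3": mac_str(body[16:22]), "addr4": addr4,
        "seq": seq_ctrl >> 4, "frag": seq_ctrl & 0xF, "payload": body[offset:],
    }


# Constructed sample: a protected data frame from a station to its AP (To DS set),
# whose final destination is the router interface behind the AP (Address3)
SAMPLE_FRAME = build_frame(
    ftype=2, subtype=0, flags={"to_ds": True, "protected": True}, duration=44,
    addr1="02:00:00:00:aa:01", addr2="02:00:00:00:bb:02", addr3="02:00:00:00:cc:03",
    seq=100, frag=0, payload=b"constructed data payload")

if __name__ == "__main__":
    for key, value in parse_frame(SAMPLE_FRAME).items():
        print(f"{key:15} {value}")
```

Decoding the sample shows how Address1/Address2/Address3 map onto receiver, transmitter and final destination for a station-to-AP frame, and that the Protected Frame flag is the only visible hint that the payload is encrypted.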

Advantages and Disadvantages of IDS and IPS

Differences between TACACS+ and RADIUS
