Networking quick reference
The OSI and TCP/IP models, protocol ports, TCP flags, common LAN attacks and a CIDR subnet table you can read at a glance.
OSI and TCP/IP models
Seven layers, numbered bottom to top. Memorise the names and numbers; exams ask which layer a protocol or artifact sits at.
| # | OSI layer | Job | Examples |
|---|---|---|---|
| 7 | Application | Interfaces apps talk to | HTTP, DNS, SMTP, SSH |
| 6 | Presentation | Encoding, encryption, compression | TLS, JPEG, ASCII |
| 5 | Session | Sets up and tears down sessions | RPC, NetBIOS sessions |
| 4 | Transport | End-to-end delivery, ports | TCP, UDP |
| 3 | Network | Logical addressing and routing | IP, ICMP, IPsec |
| 2 | Data link | Framing on the local link, MAC addresses | Ethernet, ARP, switches |
| 1 | Physical | Bits on the wire | cables, hubs, radio |
The four-layer TCP/IP model maps onto OSI like this:
| TCP/IP layer | OSI layers it covers |
|---|---|
| Application | 7, 6, 5 |
| Transport | 4 |
| Internet | 3 |
| Link (Network Access) | 2, 1 |
Protocol ports not in the ports sheet
These complement the core list in the ports cheat sheet rather than repeat it.
| Port | Proto | Service | Note |
|---|---|---|---|
| 88 | TCP/UDP | Kerberos | Domain authentication ticket exchange |
| 135 | TCP | MS RPC endpoint mapper | Locates Windows RPC services |
| 514 | UDP | Syslog | Centralised log shipping, plaintext |
| 520 | UDP | RIP | Legacy routing protocol |
| 1812 / 1813 | UDP | RADIUS | Network access auth / accounting |
| 1900 | UDP | SSDP | UPnP discovery, abused for DDoS amplification |
| 3268 | TCP | Global Catalog | Forest-wide AD LDAP queries |
| 5060 / 5061 | TCP/UDP | SIP / SIP-TLS | VoIP signalling |
| 5353 | UDP | mDNS | Multicast DNS, local service discovery |
| 6379 | TCP | Redis | In-memory data store, never expose to the internet |
| 27017 | TCP | MongoDB | Document database, never expose to the internet |
TCP flags
A flag is a single control bit in the TCP header. Reading them tells you what stage a connection is at.
| Flag | Name | Meaning |
|---|---|---|
| SYN | Synchronise | Opens a connection and sets the initial sequence number |
| ACK | Acknowledge | Confirms received data; set on every packet after the first SYN |
| FIN | Finish | Graceful close, no more data from the sender |
| RST | Reset | Abrupt teardown; the port is closed or the state is invalid |
| PSH | Push | Deliver buffered data to the application immediately |
| URG | Urgent | Marks the data indicated by the urgent pointer as priority |
The three-way handshake is SYN, then SYN-ACK, then ACK. A graceful close is a FIN answered by an ACK, in each direction. An RST means the other end refused or dropped the connection.
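The flag reading described above, as an added example that is not part of the original page: it decodes the flag bits from a raw TCP header and names the stage each segment indicates. The function names, stage labels and sample headers are constructed for illustration.

```python
import struct

# Bit values of the six flags in the table above (low bits of header bytes 12-13).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def parse_flags(header: bytes) -> frozenset:
    """Return the names of the flags set in a raw TCP header."""
    if len(header) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    word = struct.unpack("!H", header[12:14])[0]
    if (word >> 12) < 5:  # data offset is counted in 32-bit words
        raise ValueError("data offset below 5: malformed header")
    return frozenset(n for n, bit in FLAG_BITS.items() if word & bit)

def stage(flags: frozenset) -> str:
    """Map a flag set to the connection stage it indicates."""
    if not flags or {"SYN", "FIN"} <= flags or {"SYN", "RST"} <= flags:
        return "anomalous"  # not produced by a normal TCP stack
    if "RST" in flags:
        return "reset"
    if "SYN" in flags:
        return "handshake: SYN-ACK" if "ACK" in flags else "handshake: SYN"
    if "FIN" in flags:
        return "close: FIN"
    if "PSH" in flags or "URG" in flags:
        return "data"
    return "ack"  # bare ACK: handshake step 3 or a plain acknowledgement

def make_header(flag_names, sport=50000, dport=443, seq=1, ack=0) -> bytes:
    """Build a constructed 20-byte header (checksum left at 0) for the demo."""
    bits = sum(FLAG_BITS[n] for n in flag_names)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | bits, 65535, 0, 0)

def trace(headers):
    """Return the stage label for each header in order."""
    return [stage(parse_flags(h)) for h in headers]

# Constructed sample: handshake, data, a close in one direction, a reset, an odd combo.
SAMPLE = [make_header(f) for f in (["SYN"], ["SYN", "ACK"], ["ACK"],
                                   ["PSH", "ACK"], ["FIN", "ACK"], ["ACK"],
                                   ["RST"], ["SYN", "FIN"])]

if __name__ == "__main__":
    for label in trace(SAMPLE):
        print(label)
```

Flags alone cannot tell a bare ACK that completes the handshake from one that acknowledges data or a FIN; that needs the position in the exchange, which is why the sample is traced in order.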
Common local-network attacks
| Attack | What happens |
|---|---|
| ARP spoofing | The attacker forges ARP replies so its MAC is mapped to a victim's IP, redirecting traffic for a man-in-the-middle. |
| DNS cache poisoning | A forged DNS response is accepted and cached, sending users to an attacker-controlled IP for a legitimate name. |
| VLAN hopping | The attacker reaches a VLAN it should not, by double-tagging frames or negotiating a trunk port via DTP. |
CIDR subnet quick reference
Usable hosts equal the total addresses in the block minus two: the network address and the broadcast address.
| Mask | /bits | Total addresses | Usable hosts | Example block |
|---|---|---|---|---|
| 255.255.255.0 | /24 | 256 | 254 | 192.168.1.0/24 |
| 255.255.255.128 | /25 | 128 | 126 | 192.168.1.0/25 |
| 255.255.255.192 | /26 | 64 | 62 | 192.168.1.0/26 |
| 255.255.255.224 | /27 | 32 | 30 | 192.168.1.0/27 |
| 255.255.255.240 | /28 | 16 | 14 | 192.168.1.0/28 |
| 255.255.255.248 | /29 | 8 | 6 | 192.168.1.0/29 |
| 255.255.255.252 | /30 | 4 | 2 | 192.168.1.0/30 |
Quick maths: usable hosts = 2^(32 - prefix) - 2. A /30 gives 2 usable hosts, the standard size for a point-to-point link.