What is the transport layer protocol?

Transport layer protocols are an important part of the network because they provide a way to transfer data packets from one network node to another. Transport protocols have a variety of uses, such as streaming video, navigating the internet, and performing transactions. The two core protocols are TCP and UDP.

This article will cover when to use these protocols, as well as the tools needed to diagnose and troubleshoot. The basic nature of TCP and UDP means that they are sure to appear in any network certification.

What is the transport layer protocol?

The TCP and UDP protocols are associated with the transport layer of the OSI model and serve as the underlying data exchange protocols for the entire Internet. In short, the transport layer protocol is responsible for ensuring end-to-end communication between devices. It also performs error detection (TCP only), data segmentation, and data reassembly.

TCP, in particular, is responsible for everything from loading web pages to exchanging data in online games. Let's look at how it does it.

What is Transmission Control Protocol (TCP)?

The Transmission Control Protocol (TCP) is the core protocol of the Internet Protocol (IP) suite and is responsible for ensuring reliable, fault-tolerant data is sent from one point to another. TCP goes a long way in ensuring that all information is transmitted losslessly. For example, one of the things that differentiates TCP from UDP is the retransmission of lost data. This is done in a particularly clever way.

In the TCP protocol, each packet is given a unique sequence number. The packet sender carefully keeps track of which packets have been sent. In response, the receiving system sends out an ACK packet (stands for "acknowledgement"), which contains the sequence number of the packet confirmed to be received. If the sequence number does not match or is missing, the sending machine will resend the packet. This process continues until a matching ACK confirms that the transmission was successful.

Data retransmission is not the only way TCP is reliable. It also uses a three-way handshake to establish a persistent connection.

In TCP, the three-way handshake is a communication mechanism to ensure that all data is sent and received correctly. In short, this happens in three parts:

• Initialization (SYN): SYN is the initial data packet sent by a device that wants to establish communication. The data packet contains the synchronization flag (SYN) and the IP address of the receiver.
• Acknowledge Initiation (SYN-ACK): Next, the receiver sends back a SYN-ACK packet, assuming that it is ready and willing to communicate.
• Final Acknowledgement (ACK): Once the sender receives the SYN-ACK, it sends a final ACK to confirm a valid connection.

Once these three "handshakes" are complete, the transmission begins. The three-way handshake is often described as the hallmark of TCP's "connection-oriented" communications. However, other features such as error detection and flow control also form the backbone of TCP's connection-oriented nature.

Since TCP is ubiquitous in modern IT communications, it is impossible to list every use case for TCP. However, here are some use cases to illustrate its usefulness.

• Email: All emails are sent using TCP. If sent using UDP, the emails may arrive with some information missing, which can severely hamper communication.
• Online games: currency transactions, login mechanisms, and any critical communications require TCP.
• Internet browsing: Whether using HTTP or HTTPS, the Layer 4 protocol is usually TCP. When a user navigates to a URL, the TCP protocol is used. This protocol establishes and maintains a reliable connection between the user's web browser and the web server, ensuring that the web page and related resources are transmitted accurately and without errors.

While TCP is known for its reliability, it is also known for its latency and high overhead. TCP ensures that every packet is sent and recorded, but this may not be suitable for all use cases. For example, video streaming does not require every packet to reach the user - this is where UDP comes in.

What is User Datagram Protocol (UDP)?

UDP is a connectionless, lightweight version of TCP. In contrast to TCP, the main goal of UDP is to send datagrams, i.e. packets, as quickly as possible.

We can think of UDP as a person throwing ping-pong balls into a bucket. The thrower is the sender, the ping-pong balls are packets, and the bucket is the receiver. It doesn't matter if every ping-pong ball makes it into the bucket, what matters is that most of them do. The person throwing the balls will naturally lose a few balls - and that's okay. This is why UDP is often called "best-effort delivery."

The best use case for best-effort delivery is in the field of media transport. Let’s look at a few examples:

• VoIP calls: VoIP calls are usually made using UDP. That's why it's common to see slight pauses in the picture, or voices skipping or sounding robotic. In a voice stream, it doesn't matter if every packet arrives perfectly. After all, people are good at grasping context and don't need to be so strict in their communication.
• Online Gaming: Some aspects of online gaming also use UDP. Every time a user moves a character, this is usually a UDP connection. Basically, any non-critical data that requires a high response time will use UDP.
• DNS: UDP is used for DNS queries and responses. This is because DNS resolution needs to be fast and does not require constant communication.

How to choose between TCP and UDP?

There are several factors to consider when deciding which protocol to use. Let's review some of them:

• Reliability: TCP provides reliable, audited data and ensures that every piece of data is received. If the application requires high fidelity, then TCP is the best choice.
• Latency and Speed: Use UDP when receiving every piece of data is not important. For example, streaming music may not require every packet. Or if the communication is just to notify another application to perform some other action.
• Error handling: TCP has built-in error handling that pinpoints the exact problem encountered. With UDP, developers will have to develop custom solutions.

In summary, if the successful delivery of each packet of information is important, then use TCP. If there is a certain level of acceptable data loss, then UDP is the best choice. Another key aspect of choosing a protocol is to understand how to effectively scan them on the network. Let's cover that next.

What tools can scan network ports?

A trained network engineer has a variety of tools at their disposal; the trick is knowing when and where to use them. Specifically, a network port scanner is a tool that allows a target device to be scanned and see which ports are open and thus vulnerable to attack. This article will look at a few different port scanners that may come in handy, starting with Nmap.

It is important to note that you should not just scan any domain you want, as this may have legal and ethical implications.

• Nmap

Nmap is a powerful reconnaissance tool used to discover network hosts and services. It is also used as a port scanner by pen testers, system administrators, and security engineers. Nmap uses various techniques to scan ports such as TCP connection scanning, SYN scanning, and UDP scanning.

• Netcat

Netcat, also known as nc, is a general and well-known network tool that can perform almost any operation on the TCP/IP suite. Its most notable uses are as a TCP proxy, network daemon testing, port scanning, remote shell, and more.

To perform a port scan using nc, enter the following command:

nc-zv target_host start_port-end_port

• "z" performs a scan instead of establishing a connection.
• The "v" stands for verbose so that you can see the return value.
• The target host will be a URL. start_port will be the first port to scan, and end_port will be the last.

Here is a practical example:

nc-zv www.mywebsite.com 80-100

If you're using Mac or Linux, just open a terminal and type man nc to learn how to use it on your device. (Or type nc /? on Windows.)

• Zenmap

The other examples are CLI only, but Zenmap provides a GUI for the previously mentioned Nmap. Zenmap provides a more user-friendly and structured approach to utilizing Nmap.

Advantages of Zenmap include allowing Nmap configuration files to be saved for later use, providing deeper analysis of results, and making all Nmap features available through convenient checkboxes and other user interfaces.

Here is a visualization of open source software from Wikipedia:

Now that we have discussed the various tools used to scan a network, let’s discuss some techniques used to assess network vulnerabilities.

6 Network Port Scanning Techniques and Results Explained

Although the end result of a port scan is the same, it is important to understand the different techniques used to achieve the purpose. As with TCP and UDP, different techniques also require trade-offs, such as speed vs. security. First, let's look at a common technique that nc uses by default - TCP connection scanning.

• TCP connection scan

This is a common tool used by security engineers to assess device port vulnerabilities. It parses the three-way handshake, so it generally does not trigger intrusion detection alerts. The TCP connection scan goes through each port and logs all ports, allowing it to parse the three-way handshake. However, it is very slow.

• SYN (Stealth) Scan

SYN scan, also known as half-port scan, is designed to verify the vulnerability of a port faster than traditional TCP scan. SYN scan waits for the receiver to confirm through the SYN-ACK packet instead of completing the entire handshake process.

This makes it much faster than a TCP connection scan, but more vulnerable to intrusion detection systems. Unopened ports will send a RST signal instead of a SYN-ACK packet.

• UDP Scan

Since UDP is not connection-oriented, it is difficult to determine whether a UDP port is open. UDP scanning relies on ACK signals that may not arrive. However, it is still an important security assessment tool, but the certainty is still not as good as TCP scanning.

• Comprehensive scanning options and configuration

The number of scanning options that can be applied in Nmap is almost incalculable. Nmap provides a lot of flexibility in how, what, and when to scan ports.

Here are some scanning options:

nmap-sS-Pn-sV--version-all-Op 1-65535<some-target>

• -sS: Perform a SYN scan (stealth).
• -Pn: Skip host discovery (assuming target is up).
• -sV --version-all: Attempt to identify the service version.
• -O: Attempt operating system detection.
• -p 1-65535: Scan all ports (1 to 65,535).

nmap -p --T4 -Av <some-target>

• -p-: Scan all 65,535 TCP ports.
• -T4: Sets the timing template for aggressive (fast) scanning.
• -A: Enables OS detection, version detection, script scanning, and traceroute.
• -v: Enable verbose output of detailed results.

nmap-p--sS-sU-T4-Av<some-target>

• -sS: Perform a SYN scan (TCP) for port scanning.
• -sU: Include UDP port scan in addition to TCP.
• -T4: Aggressive timing template for faster scans.
• -A: Enables OS detection, version detection, script scanning, and traceroute.
• -v: Verbose output for detailed results.

How to interpret port scan results?

Understanding open, closed, and filtered ports

One thing to remember when analyzing the results is that you should never open a port that you don't know about. Only ports with a specific purpose should be open for communication. Filtered ports are ports that do not respond to the scan at all. This can happen when a firewall blocks the port, or some other network configuration prevents a valid response.

Analyze potential security risks based on scan results

Open and unregulated ports are one of the biggest attack vectors in the IT space. When analyzing security findings, it is important to determine which ports are open and which services are using that port.

For example, if port 668 is using Telnet and no one knows why, then this is a serious problem that needs to be addressed. A hacker could potentially steal data on that port via telnet. This is just one example, but understanding and visualizing the results is important to strengthening and maintaining a proper security posture.

Summarize

This article explains which protocols are used in port-to-port communication: TCP and UDP. Remember that TCP is used for critical data that cannot be lost during transmission. In contrast, UDP is faster and is suitable for applications that can tolerate a certain amount of data loss.

Tools have been developed to monitor these protocols by verifying the ports and services that use these protocols. These tools are Netcat, Nmap and its GUI counterpart Zenmap.

There are many techniques for scanning ports, namely TCP connection scanning, SYN scanning, and UDP scanning. TCP connection scanning is slower but safer. SYN scanning may trigger intrusion detection systems, but it is faster. UDP scanning is often difficult to interpret because UDP is not connection-oriented and does not necessarily send a response to the sender.