Networking Basics: The Complete Beginner’s Guide to IP Addresses, Ports, TCP/IP, NAT, DHCP, the OSI Model, and Network Topologies

What Is a Network, and Why Does Networking Matter?

A network is simply a group of devices connected so they can exchange data. Those devices might be laptops, phones, routers, switches, smart TVs, printers, security cameras, cloud servers, or virtual machines running in a data center on the other side of the planet.

Every time you do something that “feels instant” – load a webpage, send a message, join a video call, stream a show, or push code to a remote repository, a chain of networking events happens in milliseconds:

Your device → local Wi-Fi/router → ISP → backbone internet → destination server → and back again

Networking is the plumbing of the digital world. You rarely think about plumbing until something leaks and the same is true of networks. The moment you start working in IT, cybersecurity, cloud engineering, or DevOps, networking stops being background noise and becomes the thing everything else is built on.

Why this matters for cybersecurity specifically

Almost every security discipline leans on networking fundamentals:

Without these basics, concepts like firewalls, VPNs, packet captures, and intrusion detection feel arbitrary. Once they click, everything else in security starts to connect.

IP Addresses

An IP address (Internet Protocol address) is a numerical label assigned to a device on a network. Think of it as a postal address: if one device wants to send data to another, it needs to know that address.

Example IPv4 address: 192.168.1.101

Every packet that moves across a network carries two addresses:

Source IP:      192.168.1.20      ← where the data came from
Destination IP: 142.250.183.14    ← where the data is going

IPv4 structure

An IPv4 address is 32 bits, written as four decimal numbers (“octets”) separated by dots:

192   .   168   .   1   .   101
 |          |      |      |
octet      octet  octet  octet   (each 0–255, because each octet is 8 bits)

192.168.999.101 is invalid – no octet can exceed 255.

In binary, that same address looks like this:

11000000.10101000.00000001.01100101

Humans read dotted decimal; computers process binary. Both represent the exact same address.

IPv4 vs. IPv6

IPv4 only supports roughly 4.3 billion unique addresses – nowhere near enough for a planet full of phones, laptops, IoT devices, and cloud instances. That’s why IPv6 exists, using 128-bit addresses instead of 32-bit ones:

Example IPv6 address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334

IPv6 solves address exhaustion, but IPv4 is still dominant in most home labs, enterprise networks, and beginner cybersecurity material. So, it’s the right place to start learning.

Classes of IP Addresses

Older networking education divides IPv4 into address classes:

Modern networks have mostly replaced classful addressing with CIDR (Classless Inter-Domain Routing), which you’ll see written like this:

192.168.1.0/24
10.0.0.0/8
172.16.0.0/12

The /24, /8, and /12 define how many bits are used for the network portion of the address which in turn defines how many devices (“hosts”) that network can hold. CIDR and subnetting are deep enough topics to deserve their own guide, but for now, remember:

• IP classes are historically important context.
• CIDR is what modern networks actually use.
• Subnetting builds directly on this idea.

Public vs. Private IP Addresses

Not every IP address is meant to touch the open internet directly.

Public IP addresses

A public IP is globally unique and reachable over the internet. Your home router gets one from your ISP; web servers, cloud instances, and VPN endpoints typically have one too.

Example public IP: 8.8.8.8   (Google Public DNS)

Private IP addresses

A private IP is used only inside a local network and is never routed directly across the public internet. The reserved private ranges are:

A typical home setup looks like this:

Router:  192.168.1.1
Laptop:  192.168.1.25
Phone:   192.168.1.26

These devices can talk to each other freely on the local network, but none of them can use that private address directly on the public internet. That’s the problem NAT exists to solve.

DHCP

DHCP (Dynamic Host Configuration Protocol) automatically assigns IP addresses and network settings to devices, so nobody has to manually configure every laptop, phone, and IoT gadget that joins a network.

How it works – DORA

1. Discover  - Device: "Is there a DHCP server here?"
2. Offer     - Server: "Yes — here's an IP you can use."
3. Request   - Device: "I'd like to use that IP."
4. Acknowledge - Server: "Confirmed. Here's your lease."

DHCP leases

A DHCP-assigned IP isn’t permanent – it’s borrowed for a lease period. When the lease expires, the device renews it or gets a new one, which is why your laptop’s private IP can quietly change from 192.168.1.24 one day to 192.168.1.31 the next, usually staying within the same network range.

Why DHCP matters in security

DHCP is convenient but also a target:

• Rogue DHCP servers can hand out a malicious gateway or DNS server, enabling traffic interception or phishing redirection.
• DHCP starvation attacks exhaust the address pool to deny service to legitimate devices.
• Enterprise networks defend against this with controls like DHCP snooping on managed switches.

NAT

NAT (Network Address Translation) lets devices with private IP addresses share a single public IP address to reach the internet – one of the most important concepts in both home and enterprise networking.

Example

Laptop: 192.168.1.10
Phone:  192.168.1.11
TV:     192.168.1.12
Router's public IP: 203.0.113.50

When the laptop visits a website, the router rewrites the source address from 192.168.1.10 to 203.0.113.50. The destination server only ever sees the router’s public IP. When the reply comes back, the router checks its NAT table and forwards it to the correct internal device.

NAT vs. PAT

Strictly speaking, what most home routers do is PAT (Port Address Translation). Many internal devices sharing one public IP by using different ports:

192.168.1.10:51544 → 203.0.113.50:40001
192.168.1.11:51545 → 203.0.113.50:40002
192.168.1.12:51546 → 203.0.113.50:40003

Why it matters in security

• A single public IP in a server’s logs may represent dozens of internal devices.
• Port forwarding through NAT can unintentionally expose internal services to the internet.
• NAT changes how traffic flows, but it is not a firewall and shouldn’t be treated as a complete security control on its own.

Ports

If an IP address gets data to the correct device, a port gets it to the correct service on that device – the apartment number inside the building.

192.168.1.50:80   → device 192.168.1.50, service on port 80 (HTTP)
192.168.1.50:22   → device 192.168.1.50, service on port 22 (SSH)

Port ranges

There are 65,536 TCP ports and 65,536 UDP ports (0–65535), grouped into three bands:

Server port vs. client port

When you visit a site, the server listens on a fixed port (e.g., 443), while your device picks a random temporary high port to use for that one conversation:

Your laptop: 192.168.1.10:51544  (ephemeral/client port)
Website:     93.184.216.34:443   (well-known/server port)

Common ports to know

Why ports matter in security

A short scan result tells a trained eye a lot:

22/tcp   open  ssh
80/tcp   open  http
445/tcp  open  smb
3389/tcp open  rdp

A defender asks: Should this be open? Is it patched? Is it logged? A penetration tester asks: What version is running? Is it vulnerable? Does it allow anonymous access? Open ports are the doorways into a system which is why port scanning is one of the first steps of network reconnaissance. Only scan systems you own or are explicitly authorized to test.

TCP/IP

TCP/IP is the foundational protocol suite of the internet, named after its two core protocols:

TCP = Transmission Control Protocol  → reliable delivery between applications
IP  = Internet Protocol              → addressing and routing

A simple mental model:

IP gets the packet to the right machine.
TCP makes sure the conversation is reliable.

When you load an HTTPS website, the layers stack like this:

Application:  HTTPS
Transport:    TCP
Network:      IP
Link:         Ethernet / Wi-Fi
Physical:     Cable / Radio

Each layer has one job and hands off to the next, which is exactly why the internet scales as well as it does.

Protocols

A protocol is simply an agreed-upon set of rules for communication, the networking equivalent of a shared language and grammar.

Without protocols, devices wouldn’t agree on how to format, send, interpret, or respond to anything. Communication would be noise.

The Internet Protocol (IP)

IP is responsible for getting packets from one address to another. An IP packet header carries fields including:

Source IP address       Identification
Destination IP address  Flags
Version                 Fragment offset
Header length            TTL
Total length             Protocol
                          Header checksum

Source and destination

Source IP:      192.168.1.25
Destination IP: 8.8.8.8

This might represent a laptop sending a DNS query to Google’s resolver.

TTL (Time To Live)

TTL limits how many hops a packet can take before it’s discarded. Every router that forwards it decrements the value by 1. If TTL hits zero, the packet is dropped. This prevents infinite routing loops and is also the mechanism traceroute/tracert exploits to map a network path.

The protocol field

The IP header tells the receiver what kind of payload follows:

Fragmentation

Large packets sometimes need to be split into smaller fragments to fit a network path, then reassembled at the destination. Attackers have historically abused unusual fragmentation patterns to evade detection systems. Which is why fragmentation behavior still matters in network forensics, even though modern stacks handle it better than they used to.

TCP

TCP (Transmission Control Protocol) is connection-oriented and reliable. It works to guarantee that data arrives correctly and in order. It underlies HTTP, HTTPS, SSH, FTP, SMTP, IMAP, POP3, SMB, and RDP.

Key header fields

Sequence and acknowledgment numbers

Data gets split across multiple packets, and sequence numbers let the receiver reassemble it correctly even if packets arrive out of order:

Packet 1: bytes 1–1000
Packet 2: bytes 1001–2000
Packet 3: bytes 2001–3000

Acknowledgment numbers confirm receipt:

Sender:   "Here are bytes 1–1000."
Receiver: "Got them. Send me 1001 next."

If no acknowledgment arrives, TCP retransmits. This is the core of its reliability.

TCP flags

You’ll also encounter ECN-related flags (CWR, ECE) later on, but these six cover virtually everything a beginner needs.

The TCP Three-Way Handshake

Every normal TCP connection opens with three steps:

1. SYN
2. SYN-ACK
3. ACK

Client                                      Server
  |                                           |
  |  SYN  ───────────────────────────────────►|
  |                                           |
  |◄────────────────────────────  SYN-ACK     |
  |                                           |
  |  ACK  ───────────────────────────────────►|
  |                                           |
  |        Data transfer begins                |
  |◄=========================================►|

In plain English:

Client: "I want to connect."
Server: "Agreed - I'm ready too."
Client: "Confirmed - let's talk."

Why it matters in security

The handshake’s behavior reveals port state:

• SYN sent → SYN-ACK received: port is likely open.
• SYN sent → RST received: port is likely closed.
• SYN sent → no reply: packet may be filtered or dropped.

A TCP connect scan completes the full handshake; a SYN scan sends only the SYN and analyzes the response without finishing the connection. As always, only scan systems you own or are authorized to test.

UDP

UDP (User Datagram Protocol) is connectionless: no handshake, no guaranteed delivery, no guaranteed order, no automatic retransmission. That sounds like a downside, but it’s exactly what makes UDP fast and lightweight.

Where UDP shines

• DNS lookups
• Video streaming and voice calls
• Online gaming
• NTP time sync
• SNMP monitoring
• Some VPN protocols and QUIC/HTTP-3

If a live video stream drops one tiny packet, it’s usually better to keep playing than to pause everything waiting for a retransmission. That’s the UDP trade-off.

UDP scanning is trickier

With TCP, a closed port often sends a reset, which is a clear signal. With UDP, silence is ambiguous – it could mean the port is open but didn’t respond, the packet was filtered, or the service needs a specific payload to answer. That ambiguity is why UDP scans (nmap -sU <target>) tend to be slower and less conclusive than TCP scans and again, only run these against systems you’re authorized to test.

TCP vs. UDP at a glance

TCP = a reliable conversation
UDP = a fast, fire-and-forget message

Network Topologies

A topology describes how devices are arranged and connected – physically (cabling/hardware) or logically (how data actually flows).

Bus

Device - Device - Device - Device - Device

Cheap and simple, but one broken cable kills the whole segment. Mostly historical now.

Star

        PC1
         |
PC2 ── Switch ── PC3
         |
        PC4

The most common modern LAN layout. Easy to manage and expand; one device failing doesn’t break the network but the central switch is a single point of failure.

Ring

Device - Device - Device
  |                 |
  ──── Device ───────

Predictable traffic flow, but a single break can disrupt the whole ring. Rare in modern LANs.

Mesh

A ----- B
|\     /|
| \   / |
|  \ /  |
|  / \  |
| /   \ |
|/     \|
C ----- D

Highly redundant with multiple paths between nodes – resilient but complex and expensive. The internet itself behaves like a massive mesh of interconnected networks.

Hybrid

Most real-world networks mix several of these: star topology inside an office, mesh links between core routers, point-to-point links between data centers, Wi-Fi for mobile devices, and VPN tunnels for remote workers. Textbook-clean topologies are rare in production.

The OSI Model

The OSI model (Open Systems Interconnection) is a seven-layer conceptual framework for understanding how network communication actually happens and, more usefully, where to look when something breaks.

7. Application
6. Presentation
5. Session
4. Transport
3. Network
2. Data Link
1. Physical

Mnemonic top-to-bottom: All People Seem To Need Data Processing Mnemonic bottom-to-top: Please Do Not Throw Sausage Pizza Away

Why this is useful in practice

If “the website isn’t loading,” the OSI model gives you a troubleshooting checklist:

Layer 1: Is the cable/Wi-Fi actually connected?
Layer 2: Is local network communication working?
Layer 3: Do I have an IP address? Can I ping the gateway?
Layer 4: Is port 443 reachable?
Layer 7: Is the web server responding correctly?

Memorizing the layer names is trivia. Using them to localize a problem is the actual skill.

Exercises

Run these only on your own systems, your own network, or an authorized lab environment.

1. Identify your IP address

ip addr        # Linux
ipconfig       # Windows
ifconfig       # macOS / older Linux

Is your address public or private? Which private range does it fall in?

2. Find your default gateway

ip route       # Linux - look for "default via x.x.x.x"
ipconfig       # Windows - look for "Default Gateway"

3. Compare public vs. private IP Visit a “what’s my IP” site and compare it to your local address. Are they different? Why? Is NAT involved?

4. Check listening ports locally

ss -tulnp        # Linux
netstat -tulnp   # Linux alternative
netstat -ano     # Windows

What’s listening? Do you recognize every service?

5. Scan your own machine

nmap -sV 127.0.0.1

What ports are open? Do the results match ss/netstat?

6. Watch a TCP handshake in Wireshark Capture traffic, filter on tcp, and visit a website. Find the SYN, SYN-ACK, and ACK packets. Which host sent which?

7. Compare TCP vs. UDP Find one TCP-based and one UDP-based service on your machine or network. Why does each use the protocol it uses?

8. OSI troubleshooting drill A user says “the website isn’t loading.” Write out what you’d check at each OSI layer, from Physical up to Application.

Glossary (Quick Reference)

FAQ

This post first appeared at - The CyberSec Guru