Subspace - Network Traffic Visualizer

CLIENT 192.168.1.100

SERVER 93.184.216.34

1 SYN

2 SYN-ACK

3 ACK

TCP Handshake Process

SYN (Synchronize): Client sends SYN packet with initial sequence number to initiate connection
SYN-ACK (Synchronize-Acknowledge): Server responds with SYN-ACK, acknowledging client's sequence number and sending its own
ACK (Acknowledge): Client sends final ACK to confirm - connection established!

Why 3-way? This ensures both sides are ready to communicate and have synchronized their sequence numbers for reliable, ordered data transmission.

Your Device Initiates query

DNS Resolver Recursive lookup

Root Server Points to TLD

TLD Server Points to Auth NS

Authoritative Returns IP

DNS Resolution Result

DNS Record Types

A Record: Maps domain to IPv4 address (e.g., 93.184.216.34)
AAAA Record: Maps domain to IPv6 address
CNAME: Canonical name (alias) pointing to another domain
MX Record: Mail exchange servers for email routing
TXT Record: Text records for verification and SPF/DKIM
NS Record: Name servers authoritative for the domain

Unencrypted - Data sent in plain text
Eavesdropping - Anyone can intercept and read
MITM Vulnerable - Easy to tamper with data
Port 80 - Standard HTTP port
No Authentication - Can't verify server identity
Browser Warnings - Marked as "Not Secure"

TLS/SSL Encryption - End-to-end encrypted
Data Privacy - Unreadable to attackers
MITM Protection - Tampering detected
Port 443 - Secure HTTPS port
Certificate Auth - Verifies server identity
SEO Boost - Google ranks HTTPS higher

HTTPS Security Features

TLS/SSL Versions

TLS 1.3 (2018): Latest, fastest, most secure. Reduced handshake, removed vulnerable ciphers
TLS 1.2 (2008): Still widely supported, secure with proper configuration
SSL 3.0, TLS 1.0, 1.1: Deprecated due to vulnerabilities (POODLE, BEAST)

Perfect Forward Secrecy (PFS)

Ephemeral Keys: Unique session keys for each connection
Past Security: Compromised private key doesn't decrypt past sessions
Cipher Suites: ECDHE (Elliptic Curve Diffie-Hellman Ephemeral)

Common HTTPS Mistakes

Mixed Content: Loading HTTP resources on HTTPS pages (blocked by browsers)
Expired Certificates: Must renew before expiration (use Let's Encrypt for free auto-renewal)
Self-Signed Certs: Browser warnings, not trusted by default
Weak Ciphers: RC4, 3DES, MD5-based ciphers are vulnerable

Purpose: User-facing protocols and application data

Protocols: HTTP, HTTPS, FTP, SMTP, DNS, SSH, Telnet, IMAP, POP3

Data Unit: Messages/Data

Example Header:

GET /api/users HTTP/1.1
Host: api.example.com
User-Agent: Mozilla/5.0
Accept: application/json
Authorization: Bearer eyJhbGc...

Purpose: End-to-end communication, reliability, flow control

Protocols: TCP (reliable), UDP (fast, unreliable)

Data Unit: Segments (TCP) / Datagrams (UDP)

TCP Header Fields:

Source Port: 16 bits (e.g., 52341)
Destination Port: 16 bits (e.g., 443 for HTTPS)
Sequence Number: 32 bits (for ordering)
Acknowledgment Number: 32 bits
Flags: SYN, ACK, FIN, RST, PSH, URG
Checksum: Error detection

Purpose: Logical addressing and routing between networks

Protocols: IPv4, IPv6, ICMP, OSPF, BGP

Data Unit: Packets

IPv4 Header Fields:

Source IP: 32 bits (e.g., 192.168.1.100)
Destination IP: 32 bits (e.g., 93.184.216.34)
TTL (Time To Live): 8 bits (hop limit)
Protocol: 8 bits (6=TCP, 17=UDP, 1=ICMP)
Header Checksum: Error detection

Purpose: Physical addressing, local network delivery

Protocols: Ethernet, WiFi (802.11), PPP, ARP

Data Unit: Frames

Ethernet Frame Fields:

Destination MAC: 48 bits (e.g., AA:BB:CC:DD:EE:FF)
Source MAC: 48 bits (hardware address)
EtherType: 16 bits (0x0800=IPv4, 0x86DD=IPv6)
FCS: 32-bit CRC for error detection

Purpose: Raw bit transmission over physical medium

Media Types:

Copper (Ethernet): Cat5e, Cat6, Cat7 cables - electrical signals
Fiber Optic: Single-mode, Multi-mode - light pulses
Wireless: WiFi, 5G, Bluetooth - radio frequencies

Encapsulation Process

Sending (Top-Down):

Application creates data (e.g., HTTP request)
Transport layer adds TCP/UDP header (ports, sequence numbers)
Network layer adds IP header (source/dest IP addresses)
Data Link layer adds Ethernet frame (MAC addresses)
Physical layer converts to electrical/light signals

Receiving (Bottom-Up): Reverse process - each layer strips its header and passes data up

HTTP (Vulnerable)

USER

ATTACKER

SERVER

Login: admin

Password: secret123

READING: admin / secret123

HTTPS (Protected)

USER

ATTACKER

SERVER

Encrypted

TLS Protected

BLOCKED: *#@$%&!

How MITM Attacks Work

ARP Spoofing: Attacker claims to be the router, intercepts local traffic
DNS Spoofing: Redirects domain lookups to malicious servers
SSL Stripping: Downgrades HTTPS to HTTP, steals plaintext data
Rogue WiFi: Fake access points (e.g., "Free Airport WiFi")

Defense Against MITM Attacks

Always Use HTTPS: Check for lock icon in address bar
Enable HSTS: Force HTTPS, prevent downgrade attacks
Use VPN: Encrypts all traffic on untrusted networks
Avoid Public WiFi: For banking, shopping, sensitive data
Validate Certificates: Don't ignore browser security warnings!

Protocol	Layer	Type	Speed	Reliability	Security	Use Case
TCP	Transport (L4)	Connection-oriented	Moderate	High	No encryption	Web, Email, File Transfer
UDP	Transport (L4)	Connectionless	Very Fast	Best-effort	No encryption	Streaming, Gaming, DNS
HTTP	Application (L7)	Request/Response	Fast	TCP-based	Plaintext	Legacy web browsing
HTTPS	Application (L7)	HTTP + TLS	Fast	TCP-based	TLS encryption	Modern web, APIs
SSH	Application (L7)	Encrypted shell	Fast	TCP-based	SSH encryption	Secure remote access
DNS	Application (L7)	Name resolution	Very Fast	UDP (fallback TCP)	Plaintext (use DoH)	Domain to IP translation
WebSocket	Application (L7)	Full-duplex	Real-time	TCP-based	Can use TLS (wss://)	Chat, live updates
QUIC	Transport (L4)	UDP-based	Very Fast	Built-in recovery	Always encrypted	HTTP/3, modern web

TCP vs UDP

TCP: Like certified mail - guaranteed delivery, ordered, acknowledged. Perfect for web, email, file transfer where accuracy matters.

UDP: Like postcards - fast, no guarantees, no handshake. Perfect for streaming, gaming, DNS where speed > reliability.

Security First

Always prefer encrypted protocols:

HTTPS over HTTP
SFTP/SSH over FTP/Telnet
DoH (DNS over HTTPS)
WSS (WebSocket Secure)

Source IP Address

Destination Port

Protocol

Action

Active Firewall Rules (evaluated in order)

Common Firewall Rules & Best Practices

Port 80 (HTTP): Usually allowed outbound, restricted inbound
Port 443 (HTTPS): Allow for web traffic
Port 22 (SSH): Restrict to specific IPs, disable password auth
Port 3389 (RDP): Block from internet, use VPN for remote access
Port 3306 (MySQL): Never expose to internet, localhost only
Default Deny: Block all, then whitelist specific services

Firewall Configuration Mistakes

Allow Any/Any: Defeats the purpose of a firewall
Exposed Database Ports: 3306, 5432, 27017 should never face internet
No Logging: Can't detect attacks without logs
Stale Rules: Old rules for decommissioned services create attack surface

Network Address

-

Subnet Mask

-

Wildcard Mask

-

First Usable IP

-

Last Usable IP

-

Broadcast Address

-

Total IPs

-

Usable Host IPs

-

IP Class

-

IP Type

-

Binary Subnet Mask

-

Hexadecimal

-

CIDR Notation Explained

CIDR (Classless Inter-Domain Routing) uses /X notation to specify network prefix length.

Common CIDR Blocks

/32 - Single IP (1 host)
/30 - 4 IPs, 2 usable (router links)
/24 - 256 IPs, 254 usable (Class C)
/16 - 65,536 IPs (Class B)
/8 - 16,777,216 IPs (Class A)

Private IP Ranges (RFC 1918)

10.0.0.0/8 - 10.0.0.0 to 10.255.255.255
172.16.0.0/12 - 172.16.0.0 to 172.31.255.255
192.168.0.0/16 - 192.168.0.0 to 192.168.255.255

Pro Tips

Subnetting: /24 gives you 256 IPs. /25 splits it into 2 subnets of 128 each.
Quick Math: /24 = 256, /25 = 128, /26 = 64, /27 = 32, /28 = 16
AWS VPC: Typical setup uses /16 for VPC, /24 for subnets

0

Bandwidth (Mbps)

0

Latency (ms)

0

Packets/sec

0

Dropped Packets

0

Active Connections

0

Uptime (hours)

Understanding Network Metrics

Bandwidth

Maximum data transfer rate. Higher is better. Measured in Mbps/Gbps. Affects download speed, streaming quality.

Latency

Round-trip time for packets. Lower is better. <20ms excellent, <50ms good, >100ms noticeable lag.

Packets/sec

Packet transmission rate. Indicates network activity. High values during large transfers or many connections.

Dropped Packets

Lost in transmission. Should be near zero. Causes retransmissions, affects performance.

TCP Handshake Process

DNS Resolution Result

DNS Record Types

HTTPS Security Features

TLS/SSL Versions

Perfect Forward Secrecy (PFS)

Common HTTPS Mistakes

Layer 7: Application Layer (HTTP/HTTPS/DNS/SSH)

Example Header:

Layer 4: Transport Layer (TCP/UDP)

TCP Header Fields:

Layer 3: Network Layer (IP)

IPv4 Header Fields:

Layer 2: Data Link Layer (Ethernet/WiFi)

Ethernet Frame Fields:

Layer 1: Physical Layer

Media Types:

Encapsulation Process

HTTP (Vulnerable)

HTTPS (Protected)

How MITM Attacks Work

Defense Against MITM Attacks

TCP vs UDP

Security First

Active Firewall Rules (evaluated in order)

Common Firewall Rules & Best Practices

Firewall Configuration Mistakes

CIDR Notation Explained

Common CIDR Blocks

Private IP Ranges (RFC 1918)

Pro Tips

Understanding Network Metrics

Bandwidth

Latency

Packets/sec

Dropped Packets