Lecture Review: TCP, UDP, and ICMP

Hello people! One of the uses I have for my site is to post a recap of my school lectures here. I’m playing around with different study methods and wanted to see how well this works out. At the very least, it’ll serve as a good personal reference.

That being said, the information contained in these posts may or may not represent knowledge I already know. I.e., if we went over something basic (like OSI model), I’m still going to include it despite my familiarity with it.

Further, because I’m writing these posts from memory (as a practice to reinforce it), I am less concerned with grammar, punctuation, and formatting than with other posts.


TCP is

  • Connection-oriented
  • Unicast
  • Higher overhead
  • Corrective

It’s connection-oriented by way of the three-way handshake (SYN, SYN ACK, ACK). A connection is established first, then the data is exchanged. Delivery is ensured thanks to that connection and being able to keep track of what and how many packets were sent, and to resend what wasn’t acknowledged. All of which requires higher overhead.

You can close TCP connections with FIN or RESET (rude!).

TCP will always be in a certain state as defined in… RFC (forgot which number- doing these notes from memory).


Pretty much the exact opposite of TCP. Very little overhead. Is multicast. Used for video streaming (among others!). Fire-and-forget.

tcpdump, Datagrams, Fragmenting

The flow of data in tcpdump is denoted with > and <.

There are 0-1023 common ports. These are usually used by servers for common services. Clients can open any port, typically 1024 or above, when requesting services. The ports can be re-used and change after each connection. I.e., client-1 might open ephemeral port 31XXX when connecting to server-1:25. After that connection closes, that same 31XXX port could be opened again for a connection on server-3:22.

When viewing connections on tcpdump, especially TCP and its three-way handshake, you’ll actually see two connections in the output: client-to-server and server-to-client.

If the datagram being sent is larger than the recipient’s network’s MTU size (max is 1500 for Ethernet), datagrams have to be fragmented. In this case, each fragment gets a fragment ID so the recipient can keep everything in order. To ensure the order of the fragments, an offset counter is used after the fragment ID. Only the first fragment will have the protocol header, whereas all fragments will have the ~20byte IP header.

Teardrop attack uses mismatching offsets.


ICMP can be helpful in troubleshooting things as well as reconnaissance.

Firewalls should be blocking incoming ICMP requests from the outside. And probably from internally, too.

Depending on what type of ICMP response you receive, that can indicate what’s going on at the target. For example, if a request comes back with host unreachable, time to move on. However if you get admin denied (thanks to ACL) or port unreachable, then that does tell you something’ sthere.

You can also use TTL to find how many hops you’re dealing with.