Land verified note refinements batch

Author: stacknil

TryHackMe/40-networking/network-fundamentals/04-packets-&-frames.md

@@ -1,11 +1,29 @@
-# Networking Fundamentals – Packets, TCP/UDP and Ports
+---
+type: resource-note
+status: done
+created: 2026-03-11
+updated: 2026-03-11
+tags: [security-writeup, tryhackme, networking, packets]
+source: TryHackMe - Packets & Frames
+platform: tryhackme
+room: Packets & Frames
+slug: packets-and-frames
+path: TryHackMe/40-networking/network-fundamentals/04-packets-&-frames.md
+topic: 40-networking
+domain: [networking]
+skills: [tcp-udp, ports, pcap]
+artifacts: [concept-notes]
+sanitized: true
+---
+
+# Packets, TCP/UDP and Ports
 
 > Source: Security Blue Team / networking module
 > Scope: packets & frames, TCP three‑way handshake, UDP basics, ports 101 (practical)
 
 ---
 
-## 1. Packets and Frames
+## Summary
 
 ### 1.1 Core definitions
 
@@ -54,9 +72,11 @@ Some important header fields:
 
 ---
 
-## 2. TCP/IP and the Three‑Way Handshake
+## Key Concepts
+
+### 2. TCP/IP and the Three‑Way Handshake
 
-### 2.1 TCP/IP model refresher
+#### 2.1 TCP/IP model refresher
 
 TCP/IP is a practical networking model with **four layers**:
 
@@ -67,7 +87,7 @@ TCP/IP is a practical networking model with **four layers**:
 
 Like the OSI model, each layer adds its own headers → **encapsulation**. Removing them on the way up the stack is **decapsulation**.
 
-### 2.2 TCP characteristics
+#### 2.2 TCP characteristics
 
 * **Connection‑oriented** – must establish a connection **before** data transfer.
 * **Reliable** – guarantees ordered, loss‑free delivery (or signals failure).
@@ -83,7 +103,7 @@ Like the OSI model, each layer adds its own headers → **encapsulation**. Remov
 * Requires a stable connection between both hosts.
 * Extra handshakes and checks make it **slower** and more resource‑intensive than UDP.
 
-### 2.3 Key TCP header fields
+#### 2.3 Key TCP header fields
 
 * **Source Port** – ephemeral port chosen by the client (0–65535, unused at that moment).
 * **Destination Port** – port where a service is listening on the server (e.g. 80 for HTTP).
@@ -93,7 +113,7 @@ Like the OSI model, each layer adds its own headers → **encapsulation**. Remov
 * **Checksum** – integrity check over header + data.
 * **Flags** – bits that describe control information (SYN, ACK, FIN, RST, etc.).
 
-### 2.4 The TCP three‑way handshake
+#### 2.4 The TCP three‑way handshake
 
 Goal: establish a shared sequence‑number space and confirm both sides are ready.
 
@@ -118,7 +138,7 @@ After this, both sides agree on:
 
 Then the connection switches to normal **DATA** transfer.
 
-### 2.5 Closing a TCP connection
+#### 2.5 Closing a TCP connection
 
 * When one side is done sending data, it sends **FIN**.
 * The other side replies with **ACK**, then usually sends its own **FIN** when it is also done.
@@ -134,9 +154,9 @@ A **RST** flag can be sent by either side to **abruptly reset** a connection whe
 
 ---
 
-## 3. UDP/IP
+### 3. UDP/IP
 
-### 3.1 UDP characteristics
+#### 3.1 UDP characteristics
 
 * **User Datagram Protocol (UDP)** – a simple, **connectionless** transport protocol.
 * No three‑way handshake, no synchronisation, no built‑in reliability.
@@ -155,7 +175,7 @@ A **RST** flag can be sent by either side to **abruptly reset** a connection whe
 
 Use‑cases: where some loss is acceptable, or latency is more critical than reliability – e.g. **video/voice streaming, online games, DNS lookups**.
 
-### 3.2 Typical UDP headers
+#### 3.2 Typical UDP headers
 
 UDP segments are simpler than TCP segments, but seen at the IP layer they still sit inside an IP packet.
 
@@ -172,9 +192,9 @@ There is **no handshake / ACK sequence** – the sender simply transmits datagra
 
 ---
 
-## 4. Ports 101
+### 4. Ports 101
 
-### 4.1 What is a port?
+#### 4.1 What is a port?
 
 * Conceptually: a **numbered endpoint** on a host used by applications to send/receive data.
 * Range: `0–65535` (16‑bit unsigned integer).
@@ -185,7 +205,7 @@ Why standardise?
 * If every service used random ports, clients would not know where to connect.
 * So common protocols have **well‑known ports**; software defaults to these.
 
-### 4.2 Common ports (well‑known 0–1024)
+#### 4.2 Common ports (well‑known 0–1024)
 
 Some important defaults:
 
@@ -200,13 +220,13 @@ Some important defaults:
 
 > Note: services **can** run on non‑standard ports (e.g. HTTP on 8080). In that case the client must specify `host:port` explicitly.
 
-### 4.3 Why ports matter in practice
+#### 4.3 Why ports matter in practice
 
 * Ports allow multiple networked applications to coexist on one IP address.
 * Firewalls, IDS/IPS, and security policies often match on **port numbers** to allow/deny traffic.
 * Enumeration of open ports (e.g. with nmap) is a key recon step in security testing.
 
-### 4.4 Practical challenge (from the room)
+#### 4.4 Practical challenge (from the room)
 
 > Connect to IP `8.8.8.8` on port `1234` via the provided site to receive a flag.
 
@@ -217,7 +237,7 @@ This exercise reinforces that:
 
 ---
 
-## 5. Concept map
+### 5. Concept map
 
 ```mermaid
 flowchart LR

TryHackMe/40-networking/wireshark-the-basics.md

@@ -1,38 +1,44 @@
 ---
-
+type: resource-note
+status: done
+created: 2026-01-31
+updated: 2026-03-11
+tags: [security-writeup, tryhackme, wireshark, networking]
+source: "TryHackMe - Wireshark: The Basics"
 platform: tryhackme
 room: "Wireshark: The Basics"
 slug: wireshark-the-basics
-path: notes/TryHackMe/40-networking/wireshark-the-basics.md
+path: TryHackMe/40-networking/wireshark-the-basics.md
 topic: 40-networking
-domain: DFIR, Networking
-skills: wireshark, pcap-analysis, display-filters
-artifacts: concept-notes, cookbook
-status: done
-date: 2026-01-31
+domain: [forensics, networking]
+skills: [wireshark, pcap, display-filters]
+artifacts: [concept-notes, cookbook]
+sanitized: true
 ---
 
-0. Summary
+# Wireshark: The Basics
+
+## Summary
 
 * Wireshark is a packet analyzer (network traffic analyser / 网络流量分析器) for live capture and offline PCAP inspection.
 * The UI is organized to support fast triage: Packet List → Packet Details → Packet Bytes (hex/ASCII).
 * Your basic analysis loop is: load PCAP → navigate packets → dissect layers → filter down → reconstruct streams → extract artifacts.
 * Two filter planes exist: capture filters (what you collect) vs display filters (what you view). This room focuses on display filters.
 
-1. Key Concepts
+## Key Concepts
 
-1.1 What Wireshark is / is not
+### 1.1 What Wireshark is / is not
 
 * Wireshark is not an IDS (Intrusion Detection System / 入侵检测系统). It does not block or modify traffic; it helps you interpret it.
 * Its output quality depends on analyst hypotheses + protocol knowledge.
 
-1.2 Primary use cases
+### 1.2 Primary use cases
 
 * Troubleshooting: congestion, retransmissions, failure points.
 * Security hunting: rogue hosts, abnormal ports, suspicious protocols.
 * Protocol learning: response codes, headers, payloads.
 
-1.3 GUI mental model (5 prominent sections)
+### 1.3 GUI mental model (5 prominent sections)
 
 * Toolbar: capture, filtering, sorting, export/merge, statistics.
 * Display Filter Bar: the main query input for display filters.
@@ -57,7 +63,7 @@ ASCII layout sketch (conceptual)
 +--------------------------------------------------------------+
 ```
 
-1.4 Packet dissection (protocol dissection / 协议剖析)
+### 1.4 Packet dissection (protocol dissection / 协议剖析)
 
 * Click a packet → Packet Details shows the protocol stack as a tree.
 * Clicking a field highlights its corresponding bytes in the Packet Bytes pane (byte-level grounding).
@@ -71,14 +77,14 @@ ASCII layout sketch (conceptual)
   * Application protocol (e.g., HTTP)
   * Application data (payload)
 
-2. Pattern Cards
+## Pattern Cards
 
-2.1 “If you can click it, you can filter it”
+### 2.1 “If you can click it, you can filter it”
 
 * Select a field in Packet Details → right-click → Apply as Filter (immediate narrowing).
 * Use Prepare as Filter when you want to build a compound expression before applying.
 
-2.2 Conversation-first triage
+### 2.2 Conversation-first triage
 
 * When you want the whole conversation (endpoints + ports) rather than a single field:
 
@@ -87,23 +93,23 @@ ASCII layout sketch (conceptual)
 
   * View → Colourise Conversation.
 
-2.3 Reconstruct application content
+### 2.3 Reconstruct application content
 
 * Packet-level views fragment payload.
 * Follow Stream reconstructs application-level data:
 
   * Follow TCP/UDP/HTTP Stream (depending on protocol).
 * After following, Wireshark applies a stream filter automatically; clear it using the “X” on the display filter bar.
 
-2.4 “Navigate like a debugger”
+### 2.4 “Navigate like a debugger”
 
 * Go to Packet: jump to a packet number when the task gives you an anchor (e.g., “packet 38”).
 * Find Packet: search content using String/Regex/Hex/Display filter, with the correct search scope (list/details/bytes).
 * Mark + Comments: annotate packets for later review or collaboration; marks reset per session, comments persist in the capture file.
 
-3. Command Cookbook (only items present in the room text)
+## Command Cookbook
 
-3.1 Display filter examples
+### 3.1 Display filter examples
 
 ```text
 # By protocol
@@ -123,13 +129,13 @@ udp.port == 53
 ip.addr == TARGET_IP
 ```
 
-3.2 File hash (terminal)
+### 3.2 File hash (terminal)
 
 ```bash
 md5sum <filename>
 ```
 
-4. Workflow Checklist (mapped to the room tasks)
+## Workflow Checklist (mapped to the room tasks)
 
 Task 1–2: Loading + first orientation
 
@@ -208,19 +214,19 @@ Right-click filtering modes
 * Apply as Column: add a field as a column to compare across many packets.
 * Follow Stream: reconstruct app-layer stream; auto-applies stream filter; clear with “X”.
 
-5. Pitfalls
+## Pitfalls
 
 * Searching the wrong pane: a string in Packet Details won’t be found if you search only Packet List.
 * Over-trusting color: packet coloring is a triage aid, not evidence.
 * Forgetting stream filters: Follow Stream silently applies a stream filter; if you “lose packets,” check the display filter bar.
 * Mixing capture vs display filters: beginners often type display syntax into capture filter fields.
 
-6. References
+## References
 
 * Wireshark User’s Guide (official): [https://www.wireshark.org/docs/wsug_html/](https://www.wireshark.org/docs/wsug_html/)
 * Display filter syntax (manpage): [https://www.wireshark.org/docs/man-pages/wireshark-filter.html](https://www.wireshark.org/docs/man-pages/wireshark-filter.html)
 
-CN–EN Glossary (small)
+## CN–EN Glossary (small)
 
 * packet capture / PCAP：数据包抓包文件
 * packet dissection：协议剖析 / 分层解析