3.2 Protocols: TCP/UDP/HTTP(S)/FTP & common ports
Key Takeaways
- TCP is connection-oriented and reliable; UDP is connectionless, best-effort, and low-overhead.
- The TCP three-way handshake is SYN, SYN-ACK, ACK before any data transfer begins.
- Well-known ports: FTP 20/21, SSH 22, Telnet 23, SMTP 25, DNS 53, HTTP 80, HTTPS 443, RDP 3389.
- HTTPS (port 443) encrypts web traffic with TLS/SSL; HTTP (port 80) sends it in plaintext.
- A socket is an IP:port pair; servers listen on well-known ports while clients use high ephemeral ports.
The Transport Layer: TCP vs UDP
Once a packet reaches the right host, the transport layer decides how the conversation is managed. Two protocols dominate. TCP (Transmission Control Protocol) is connection-oriented and reliable: it guarantees that data arrives complete and in order, retransmits anything lost, and paces the sender with flow control. UDP (User Datagram Protocol) is connectionless and best-effort: no setup, no delivery guarantee, and no ordering, just low overhead and low latency.
The TCP three-way handshake
Before any data flows, TCP opens a connection in three steps:
- SYN - the client sends a segment with the SYN flag and an initial sequence number.
- SYN-ACK - the server replies with SYN + ACK, acknowledging the client and sending its own sequence number.
- ACK - the client acknowledges the server's SYN.
Now the connection is established and reliable transfer begins; teardown later uses FIN/ACK exchanges. UDP skips all of this and simply fires datagrams, which is why it fits real-time traffic (voice, video, online gaming, DNS queries) where speed beats perfection.
| Feature | TCP | UDP |
|---|---|---|
| Connection | Connection-oriented (handshake) | Connectionless |
| Reliability | Guaranteed; retransmits lost data | Best-effort; no retransmit |
| Ordering | Delivered in order | No ordering |
| Overhead | Higher (more headers and state) | Low; fast |
| Typical use | Web, email, file transfer | DNS, VoIP, streaming, gaming |
Application Protocols
- HTTP (HyperText Transfer Protocol) carries web pages in plaintext over TCP port 80.
- HTTPS is HTTP carried inside a TLS session over TCP port 443; the older SSL versions of the protocol are deprecated, and the padlock icon in your browser means a TLS session was negotiated. TLS protects the confidentiality and integrity of the traffic and, through the server's certificate, authenticates the server you are talking to.
- FTP (File Transfer Protocol) moves files using two channels: port 21 carries the control connection (commands), and port 20 carries data in active mode. In the more common passive mode the server opens a high-numbered port for each data transfer instead, which is why FTP needs special handling at firewalls. FTP is unencrypted, including the login; SFTP (file transfer over SSH, port 22) and FTPS (FTP over TLS) are the secure replacements.
- SMTP (port 25) sends email between mail servers, while POP3 (110) and IMAP (143) let clients retrieve it. All three are plaintext on these ports; their TLS-protected variants are SMTP submission (587, with STARTTLS) or SMTPS (465), POP3S (995) and IMAPS (993).
Well-Known Ports
A port is a 16-bit number (0-65535) that identifies a service on a host. Well-known ports (0-1023) are reserved for standard services. Memorizing this table is essential for the exam:
| Port | Protocol | Service | Transport |
|---|---|---|---|
| 20 / 21 | FTP | File transfer (data / control) | TCP |
| 22 | SSH | Secure shell / SFTP | TCP |
| 23 | Telnet | Remote login (insecure) | TCP |
| 25 | SMTP | Sending email | TCP |
| 53 | DNS | Name resolution | UDP / TCP |
| 80 | HTTP | Web (plaintext) | TCP |
| 110 | POP3 | Retrieving email | TCP |
| 143 | IMAP | Retrieving email | TCP |
| 443 | HTTPS | Web (encrypted) | TCP |
| 3389 | RDP | Remote Desktop | TCP |
Sockets and ephemeral ports
A socket is an IP address paired with a port, written IP:port. When your browser opens https://93.184.216.34, it targets 93.184.216.34:443; the server listens on 443 while your machine picks a high-numbered ephemeral port as the source. IANA's dynamic range is 49152-65535, but operating systems differ (Linux defaults to 32768-60999), so treat that boundary as a convention rather than a rule when reading a capture. The full source/destination pairing, not the destination port alone, is what lets one computer keep many simultaneous connections straight, so dozens of browser tabs can all reach port 443 on different servers, or on the same server, without confusion.
Ports, segments, and multiplexing
The transport layer also performs multiplexing: it tags each segment with a source and destination port so a single host can run web, email, and DNS traffic at the same time and still deliver each stream to the correct application. TCP numbers every byte of the stream rather than every segment: each segment carries the sequence number of its first payload byte, so the receiver can put out-of-order segments back in sequence, discard duplicated retransmissions, and detect a gap that still needs to be retransmitted. UDP instead sends independent datagrams with no such bookkeeping. Port numbers fall into three ranges: well-known (0-1023) for standard services, registered (1024-49151) assigned to specific applications, and dynamic / ephemeral (49152-65535) used briefly by clients. Only the first range is heavily tested, but knowing the boundaries helps you spot a client's source port in a packet capture.
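The socket pairing and byte-level reassembly described in the two paragraphs above, as an added example (not code from the original page): segments are constructed in-memory records rather than parsed from a capture, the addresses and sequence numbers are made up, and `reassemble` returns both the contiguous data and the byte ranges a receiver would have to ask for again.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: tuple              # (ip, port) of the sender
    dst: tuple              # (ip, port) of the receiver
    seq: int                # sequence number of the first payload byte
    payload: bytes


def port_range(port: int) -> str:
    """Classify a port by the IANA ranges given in the text (OS defaults differ)."""
    if not 0 <= port <= 65535:
        raise ValueError("port must fit in 16 bits")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/ephemeral"


def demultiplex(segments) -> dict:
    """Group segments by socket pair (src ip, src port, dst ip, dst port).
    Two tabs talking to port 443 on different servers, or to the same server
    from different source ports, land in different buckets."""
    flows = defaultdict(list)
    for seg in segments:
        flows[(seg.src, seg.dst)].append(seg)
    return dict(flows)


def reassemble(isn: int, segments) -> tuple:
    """Rebuild one direction of a stream from possibly out-of-order segments.

    isn is the sender's initial sequence number; the SYN consumed it, so the
    first data byte is isn + 1. Returns (contiguous bytes delivered so far,
    list of missing [start, end) byte ranges). Duplicate and overlapping
    segments (retransmissions) are trimmed instead of being delivered twice."""
    data = bytearray()
    gaps = []
    cursor = isn + 1          # next byte position accounted for
    contiguous = True         # becomes False once a hole has been seen
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if end <= cursor:
            continue          # everything in it was already received
        if seg.seq > cursor:
            gaps.append((cursor, seg.seq))   # hole: ask for these bytes again
            contiguous = False
        chunk = seg.payload[max(0, cursor - seg.seq):]   # drop overlapping prefix
        if contiguous:
            data += chunk
        cursor = end
    return bytes(data), gaps


# Constructed sample traffic: one request split into three segments that
# arrive out of order, plus segments from two other tabs.
CLIENT = ("10.0.0.5", 51514)
SERVER = ("93.184.216.34", 443)
ISN = 1000
REQUEST_SEGMENTS = [
    Segment(CLIENT, SERVER, 1007, b"HTTP/1.1\r\n"),   # bytes 1007-1016
    Segment(CLIENT, SERVER, 1001, b"GET "),           # bytes 1001-1004
    Segment(CLIENT, SERVER, 1005, b"/ "),             # bytes 1005-1006
]
TABS = REQUEST_SEGMENTS + [
    Segment(("10.0.0.5", 51515), ("93.184.216.34", 443), 1, b"GET /a"),
    Segment(("10.0.0.5", 51516), ("203.0.113.7", 443), 1, b"GET /b"),
]

if __name__ == "__main__":
    print(reassemble(ISN, REQUEST_SEGMENTS))
    print(reassemble(ISN, REQUEST_SEGMENTS[:2]))       # middle segment missing
    for key, segs in demultiplex(TABS).items():
        print(key, len(segs), port_range(key[0][1]), "->", port_range(key[1][1]))
```

Running it shows the request rebuilt as `GET / HTTP/1.1`, the gap `(1005, 1007)` reported when the middle segment is withheld, and three separate flows even though all of them go to port 443.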
A note on ICMP and ping
Not all traffic uses TCP or UDP. ICMP (Internet Control Message Protocol) carries control and error messages and is the basis of the ping and traceroute tools. ICMP has no port number because it operates at the Internet/Network layer, not the transport layer, and a screener may test that exact distinction; ping matches replies to requests using the identifier and sequence fields in the ICMP header instead. When a ping succeeds, the target answered an ICMP Echo Request (type 8) with an Echo Reply (type 0), confirming basic reachability even when a specific service port happens to be closed. The converse does not hold: many hosts and firewalls drop ICMP, so a failed ping does not prove a host is down.
Secure vs insecure pairs
Many services have a plaintext original and an encrypted successor, a favorite exam theme. Telnet (23) sends credentials in the clear; SSH (22) replaces it with encryption. HTTP (80) gives way to HTTPS (443), and FTP (21) to SFTP (22, via SSH) or FTPS (FTP over TLS). Expect questions that ask which port a service uses, whether it is encrypted, and what its secure alternative is. A quick rule: if the traffic is sensitive, prefer the encrypted port (22 or 443) over its cleartext counterpart (23 or 80). One caveat a practitioner should keep in mind: the port is a convention, not a guarantee. A server can serve cleartext on 443 or TLS on any port, so when it matters, confirm from a capture or the TLS handshake rather than from the port number alone.
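The secure/insecure pairs and the port table above, applied as detection logic over a constructed connection log (an added example, not part of the original page): each record is reduced to client and server ends by the well-known-port rule from the sockets section, the server port is looked up in the table, and the plaintext services the text names are flagged with their encrypted replacement. The log lines, their field layout and the addresses are all made up, and the classification is by port convention only, so a real audit would confirm it against the actual traffic.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# The well-known port table from the text.
WELL_KNOWN = {20: "FTP-data", 21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP",
              53: "DNS", 80: "HTTP", 110: "POP3", 143: "IMAP", 443: "HTTPS", 3389: "RDP"}

# Plaintext service -> encrypted replacement, as paired in the text.
# (DNS and the mail protocols are also plaintext on these ports but are not
#  paired here, so they are reported without a recommendation.)
CLEARTEXT_PAIRS = {"Telnet": "SSH on 22", "HTTP": "HTTPS on 443",
                   "FTP": "SFTP over SSH on 22", "FTP-data": "SFTP over SSH on 22"}

# Assumed log layout: "<timestamp> <ip>:<port> -> <ip>:<port> <tcp|udp>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<a_ip>[\d.]+):(?P<a_port>\d+)\s+->\s+"
                    r"(?P<b_ip>[\d.]+):(?P<b_port>\d+)\s+(?P<proto>tcp|udp)$")


@dataclass
class Finding:
    ts: str
    client: str            # "ip:port" of the side using the ephemeral port
    server: str            # "ip:port" of the listening side
    service: str           # name from WELL_KNOWN, or "unknown"
    flagged: bool          # True for a plaintext service with a named replacement
    recommend: Optional[str]


def split_ends(a: tuple, b: tuple) -> tuple:
    """Return (server, client). The server is the end on a well-known port;
    if neither or both qualify, fall back to the lower port as server."""
    if a[1] in WELL_KNOWN and b[1] not in WELL_KNOWN:
        return a, b
    if b[1] in WELL_KNOWN and a[1] not in WELL_KNOWN:
        return b, a
    return (a, b) if a[1] < b[1] else (b, a)


def audit(lines) -> list:
    """Classify every parseable record; lines in another format are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        a = (m["a_ip"], int(m["a_port"]))
        b = (m["b_ip"], int(m["b_port"]))
        server, client = split_ends(a, b)
        service = WELL_KNOWN.get(server[1], "unknown")
        rec = CLEARTEXT_PAIRS.get(service)
        findings.append(Finding(m["ts"], f"{client[0]}:{client[1]}",
                                f"{server[0]}:{server[1]}", service, rec is not None, rec))
    return findings


def flagged_only(findings) -> list:
    return [f for f in findings if f.flagged]


# Constructed sample log. The fourth line is recorded server-first, and its
# client port (40022) sits below IANA's ephemeral range, as Linux clients often do.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5:51514 -> 203.0.113.7:23 tcp
2024-05-01T10:00:02Z 10.0.0.5:51515 -> 93.184.216.34:443 tcp
2024-05-01T10:00:03Z 10.0.0.5:51516 -> 203.0.113.7:80 tcp
2024-05-01T10:00:04Z 203.0.113.7:22 -> 10.0.0.9:40022 tcp
2024-05-01T10:00:05Z 10.0.0.5:51517 -> 10.0.0.53:53 udp
this line is not a connection record
""".splitlines()

if __name__ == "__main__":
    for f in flagged_only(audit(SAMPLE_LOG)):
        print(f"{f.ts} {f.client} -> {f.server} {f.service}: prefer {f.recommend}")
```

On the sample log the Telnet and HTTP connections are reported with their replacements, the SSH record is attributed correctly even though it was logged server-first, and the DNS record is kept but not flagged because the text pairs no encrypted successor with it.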
Review Questions
- What is the correct order of the TCP three-way handshake?
- Which port number is used by HTTPS?
- Which protocol is connectionless and best-effort, sending data without a handshake or guaranteed delivery?