3.2 Protocols: TCP/UDP/HTTP(S)/FTP & common ports

Key Takeaways

  • TCP is connection-oriented and reliable; UDP is connectionless, best-effort, and low-overhead.
  • The TCP three-way handshake is SYN, SYN-ACK, ACK before any data transfer begins.
  • Well-known ports: FTP 20/21, SSH 22, Telnet 23, SMTP 25, DNS 53, HTTP 80, HTTPS 443, RDP 3389.
  • HTTPS (port 443) encrypts web traffic with TLS/SSL; HTTP (port 80) sends it in plaintext.
  • A socket is an IP:port pair; servers listen on well-known ports while clients use high ephemeral ports.
Last updated: July 2026

The Transport Layer: TCP vs UDP

Once a packet reaches the right host, the transport layer decides how the conversation is managed. Two protocols dominate. TCP (Transmission Control Protocol) is connection-oriented and reliable: it guarantees that data arrives complete and in order, retransmits anything lost, and paces the sender with flow control. UDP (User Datagram Protocol) is connectionless and best-effort: no setup, no delivery guarantee, and no ordering, just low overhead and low latency.

The TCP three-way handshake

Before any data flows, TCP opens a connection in three steps:

  1. SYN - the client sends a segment with the SYN flag and an initial sequence number.
  2. SYN-ACK - the server replies with SYN + ACK, acknowledging the client and sending its own sequence number.
  3. ACK - the client acknowledges the server's SYN.

Now the connection is established and reliable transfer begins; teardown later uses FIN/ACK exchanges. UDP skips all of this and simply fires datagrams, which is why it fits real-time traffic (voice, video, online gaming, DNS queries) where speed beats perfection.

| Feature | TCP | UDP |
| --- | --- | --- |
| Connection | Connection-oriented (handshake) | Connectionless |
| Reliability | Guaranteed; retransmits lost data | Best-effort; no retransmit |
| Ordering | Delivered in order | No ordering |
| Overhead | Higher (more headers and state) | Low; fast |
| Typical use | Web, email, file transfer | DNS, VoIP, streaming, gaming |

Application Protocols

  • HTTP (HyperText Transfer Protocol) carries web pages in plaintext over TCP port 80.
  • HTTPS is HTTP wrapped in TLS/SSL encryption over TCP port 443, shown as the padlock icon in your browser. It protects confidentiality and integrity.
  • FTP (File Transfer Protocol) moves files using two channels: port 21 for control (commands) and port 20 for data. FTP is unencrypted; SFTP (over SSH) and FTPS are secure replacements.
  • SMTP (port 25) sends email, while POP3 (110) and IMAP (143) retrieve it.

Well-Known Ports

A port is a 16-bit number (0-65535) that identifies a service on a host. Well-known ports (0-1023) are reserved for standard services. Memorizing this table is essential for the exam:

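| Port | Protocol | Service | Transport |
| --- | --- | --- | --- |
| 20 / 21 | FTP | File transfer (data / control) | TCP |
| 22 | SSH | Secure shell / SFTP | TCP |
| 23 | Telnet | Remote login (insecure) | TCP |
| 25 | SMTP | Sending email | TCP |
| 53 | DNS | Name resolution | UDP / TCP |
| 80 | HTTP | Web (plaintext) | TCP |
| 110 | POP3 | Retrieving email | TCP |
| 143 | IMAP | Retrieving email | TCP |
| 443 | HTTPS | Web (encrypted) | TCP |
| 3389 | RDP | Remote Desktop | TCP |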

Sockets and ephemeral ports

A socket is an IP address paired with a port, written IP:port. When your browser opens https://93.184.216.34, it targets 93.184.216.34:443; the server listens on 443 while your machine uses a random high ephemeral port (49152 and up) as the source. That source/destination pairing lets one computer keep many simultaneous connections straight, so dozens of browser tabs can all reach port 443 on different servers without confusion.

Ports, segments, and multiplexing

The transport layer also performs multiplexing: it tags each segment with a source and destination port so a single host can run web, email, and DNS traffic at the same time and still deliver each stream to the correct application. TCP breaks a large message into numbered segments, and the receiver uses the sequence numbers to reassemble them in order and to request retransmission of any missing gap. UDP instead sends independent datagrams with no such bookkeeping. Port numbers fall into three ranges: well-known (0-1023) for standard services, registered (1024-49151) assigned to specific applications, and dynamic / ephemeral (49152-65535) used briefly by clients. Only the first range is heavily tested, but knowing the boundaries helps you spot a client's source port in a packet capture.
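
The following added example (not part of the original study guide) ties the handshake steps to the port ranges: it parses three constructed TCP headers, checks that they form a valid SYN, SYN-ACK, ACK exchange, and classifies each port to show which side is the client. The helper names and sample values (ports 51514 and 443, sequence numbers 1000 and 5000) are assumptions made for illustration.

```python
import struct

SYN, ACK = 0x02, 0x10   # flag bits in the TCP header
MOD = 2 ** 32           # sequence numbers are 32-bit and wrap around

def build_header(sport, dport, seq, ack, flags):
    """Pack a minimal 20-byte TCP header (constructed sample; checksum left 0)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | flags, 65535, 0, 0)

def parse_header(raw):
    """Extract ports, sequence/ack numbers and the SYN/ACK bits from a header."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "kind": off_flags & (SYN | ACK)}   # other flag bits are ignored

def port_range(port):
    """Classify a port into the three ranges described above."""
    if port <= 1023:
        return "well-known"
    return "registered" if port <= 49151 else "dynamic/ephemeral"

def check_handshake(raw_segments):
    """Validate SYN, SYN-ACK, ACK and return (client_port, server_port)."""
    if len(raw_segments) != 3:
        raise ValueError("a handshake is exactly three segments")
    syn, synack, ack = (parse_header(r) for r in raw_segments)
    if (syn["kind"], synack["kind"], ack["kind"]) != (SYN, SYN | ACK, ACK):
        raise ValueError("flags are not SYN, SYN-ACK, ACK in that order")
    client, server = syn["sport"], syn["dport"]
    if (synack["sport"], synack["dport"]) != (server, client) or \
       (ack["sport"], ack["dport"]) != (client, server):
        raise ValueError("segments do not belong to one connection")
    # A SYN consumes one sequence number, so each side acknowledges ISN + 1.
    if synack["ack"] != (syn["seq"] + 1) % MOD or \
       ack["ack"] != (synack["seq"] + 1) % MOD or \
       ack["seq"] != (syn["seq"] + 1) % MOD:
        raise ValueError("acknowledgement numbers do not match")
    return client, server

# Constructed capture: ephemeral client port 51514 connecting to HTTPS on 443.
SAMPLE = [build_header(51514, 443, 1000, 0, SYN),
          build_header(443, 51514, 5000, 1001, SYN | ACK),
          build_header(51514, 443, 1001, 5001, ACK)]

if __name__ == "__main__":
    c, s = check_handshake(SAMPLE)
    print(f"client {c} ({port_range(c)}) -> server {s} ({port_range(s)})")
```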

A note on ICMP and ping

Not all traffic uses TCP or UDP. ICMP (Internet Control Message Protocol) carries control and error messages and is the basis of the ping and traceroute tools. ICMP has no port number because it operates at the Internet/Network layer, not the transport layer, and a screener may test that exact distinction. When a ping succeeds, the target answered an ICMP Echo Request with an Echo Reply, confirming basic reachability even when a specific service port happens to be closed.

Secure vs insecure pairs

Many services have a plaintext original and an encrypted successor, a favorite exam theme. Telnet (23) sends credentials in the clear; SSH (22) replaces it with encryption. HTTP (80) gives way to HTTPS (443), and FTP (21) to SFTP (22, via SSH). Expect questions that ask which port a service uses, whether it is encrypted, and what its secure alternative is. A quick rule: if the traffic is sensitive, prefer the encrypted port (22 or 443) over its cleartext counterpart (23 or 80).
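
As an added example (not from the original guide), the script below applies the secure/insecure pairs to a defender's task: scanning flow records for servers still reached over a cleartext port and naming the encrypted replacement. The one-line flow format ("TCP src:port > dst:port", IPv4 only) and all sample addresses are constructed for illustration.

```python
import re
from collections import Counter

# Cleartext service -> encrypted replacement, as paired in the section above.
CLEARTEXT = {21: ("FTP", "SFTP (22) or FTPS"),
             23: ("Telnet", "SSH (22)"),
             80: ("HTTP", "HTTPS (443)")}

# Hypothetical flow-record format used only for this example.
FLOW = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+>\s+(\S+):(\d+)$")

def audit_flows(lines):
    """Return sorted (server, port, service, replacement, packet_count) findings."""
    hits = Counter()
    for line in lines:
        m = FLOW.match(line.strip())
        if not m or m.group(1) != "TCP":
            continue   # skip malformed lines; these three services run over TCP
        src, sport = m.group(2), int(m.group(3))
        dst, dport = m.group(4), int(m.group(5))
        # The server is whichever end uses the well-known port. Replies travel
        # server -> client, so both directions must be checked.
        if dport in CLEARTEXT and sport > 1023:
            hits[(dst, dport)] += 1
        elif sport in CLEARTEXT and dport > 1023:
            hits[(src, sport)] += 1
    return [(host, port, *CLEARTEXT[port], n)
            for (host, port), n in sorted(hits.items())]

# Constructed sample records (private addresses, not real traffic).
SAMPLE_FLOWS = """\
TCP 10.0.0.5:51514 > 10.0.0.20:23
TCP 10.0.0.20:23 > 10.0.0.5:51514
TCP 10.0.0.5:51515 > 10.0.0.21:443
TCP 10.0.0.6:49800 > 10.0.0.22:21
UDP 10.0.0.5:50000 > 10.0.0.53:53
TCP 10.0.0.7:52000 > 10.0.0.23:80
TCP 10.0.0.5:51600 > 10.0.0.20:22
""".splitlines()

if __name__ == "__main__":
    for host, port, service, replacement, count in audit_flows(SAMPLE_FLOWS):
        print(f"{host}:{port} {service} seen in {count} record(s); use {replacement}")
```

A port number only indicates the conventional service, so each finding is a lead to confirm on the host rather than proof of the protocol in use.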

Test Your Knowledge

What is the correct order of the TCP three-way handshake?

Which port number is used by HTTPS?

Which protocol is connectionless and best-effort, sending data without a handshake or guaranteed delivery?
