← Home

Technician's Field Guide · Networking

Follow
the Packet

Learn to reason about any network problem by tracing one packet from source to destination and back. The mental models, the mechanisms behind them, and a repeatable method — with worked examples, so the ideas stick.

Follow the packet Bisect the path Change one thing

Nothing on a network is magic — everything is deterministic and traceable. "Flaky," "weird," and "random" describe your current ignorance, not the network. Every packet went somewhere for a reason you can find. The master skill is to follow the packet: mentally walk one from source to destination and back, and the point where your walk goes uncertain is exactly where to look. This guide builds that skill layer by layer.

01

How to Think About Networks

Six mental models do more for troubleshooting than any single protocol fact. Internalize these first; the rest of the guide is mechanism to hang on them.

The cheap checks go first

It's rarely DNS — but rule it out early because it's cheap. Same for MTU. High-frequency, low-cost checks (DNS, MTU, a dropped link, a full table) come before deep investigation.

02

Addressing & the Mask

The single most misunderstood thing in networking is what the subnet mask actually does. It isn't decoration next to the IP — it's half of a decision the host makes on every packet: is the destination local (deliver directly) or remote (send to the gateway)?

Host has a packet for dest_ip. It computes:(dest_ip AND my_mask) vs (my_ip AND my_mask) Sameresult? YES — on-linkARP/NDP for the DEST, deliver on the wire NO — remoteARP/NDP for the GATEWAY, send the frame there
The IP destination is the host in both cases — only the L2 frame (the destination MAC) differs. A wrong mask silently flips this decision, with no error.

Read a subnet fast — the block-size method

Find the "interesting" octet (the one where the mask isn't 255 or 0). The block size there is 256 − mask_value, and subnet boundaries step by that size. That's all you need.

Worked example · 192.168.10.50 /26
/26 -> mask 255.255.255.192 -> interesting octet = 4th, value 192 block size = 256 − 192 = 64 -> subnets start at .0, .64, .128, .192 .50 falls in the .0–.63 block: network = 192.168.10.0 (lowest — not a host) broadcast = 192.168.10.63 (highest — not a host) usable = 192.168.10.1 – .62 (62 hosts)
Why this matters

Two hosts on the same wire with different masks reach each other asymmetrically or not at all: one treats an address as local and ARPs for it directly; the other treats it as remote and sends to the gateway. "A can reach B but B can't reach A" on one segment is a mask mismatch far more often than a firewall or routing bug. Private ranges (10/8, 172.16/12, 192.168/16) are an addressing scope, not a security boundary — and a 169.254.x.x address means "no DHCP was reached," not an IP conflict.

IPv6 — the address model you'll increasingly meet

IPv6 isn't "IPv4 with more digits"; several differences change how you troubleshoot. Addresses are 128-bit, written as hex groups with :: compressing one run of zeros (2001:db8::1), and the subnet is almost always a /64. Every interface also carries a link-local address (fe80::/10) for on-link talk. There is no ARP — IPv6 uses NDP (Neighbor Discovery over ICMPv6), so unlike IPv4, blocking ICMPv6 breaks basic connectivity, not just ping. Addresses come from SLAAC (the host builds its own from Router Advertisements), DHCPv6, or both — so a host commonly holds several at once (a link-local plus one or more global). And normally there's no NAT: every host is globally routable, which makes the firewall — not address scarcity — the security boundary (the same point the box above makes about private ranges). The gotcha that bites help desks: most networks are dual-stack (v4 and v6 at once) and clients prefer whichever connects first ("Happy Eyeballs"), so a service you're debugging over IPv4 may actually be reached over IPv6 or the reverse — and firewall rules written only for v4 often leave v6 wide open. Confirm which family is really in use (ping -6; note browsers need brackets, https://[2001:db8::1]) before concluding anything.

03

Getting an Address: DHCP

Before the mask can decide anything, the host needs an address — and usually gets it from DHCP, which hands over the IP, mask, default gateway, and DNS resolver in one exchange. A large share of "I have no network" reports are DHCP failures in disguise: an APIPA address, a wrong gateway, or a resolver the client should never have received.

Client (udp/68) Server (udp/67) 1 · DISCOVER — L2 broadcast: "is there a server?" 2 · OFFER — an address + server identifier (option 54) 3 · REQUEST — broadcast, echoes opt 54 (losers withdraw) 4 · ACK — the lease + mask, gateway, DNS, lease time Across a subnet, a relay (ip helper-address) unicasts to the server — routers don't forward broadcasts.
DHCP runs the same four-message dance every time. The server is on udp/67, the client on udp/68.

Because the client has no address yet, it starts with an L2 broadcast — and routers don't forward broadcasts, so a client on a different subnet from the server needs a relay (an ip helper-address) to carry the request across. That's the classic split symptom: hosts on the server's own subnet get leases, but a remote VLAN gets APIPA → a missing or misconfigured relay, not a dead server.

An address is a lease, not a gift: the client renews at ~50% of the lease term (unicast to its server) and, if that fails, rebinds at ~87.5% (broadcast to any server) — so intermittent loss on a regular cadence can be a renewal-timing problem, not full expiry. (Those fractions are RFC defaults; a server can override them — verify.)

The two signals to know cold

169.254.x.x (APIPA) means the client got no lease at all — it never reached a server. Read it as a path problem toward the server (link, VLAN, relay, or an exhausted pool), not an address conflict. And a valid address where nothing works is usually a missing or wrong option — the gateway (option 3) or DNS (option 6) — because an address alone isn't enough. Watch the exchange with tcpdump -ni IF port 67 or port 68: no Offer = no server reached; a second, unexpected Offer = a rogue DHCP server (see §4).

04

Layer 2: Switching, VLANs & Loops

Below routing sits the layer that actually moves frames on the wire. A switch learns by recording source MAC → port as frames arrive and ages entries out; for a destination MAC it hasn't learned, it floods the frame out every port in the VLAN. Get this layer wrong and the symptoms are dramatic and fast.

Router / L3inter-VLAN routing Switch 802.1Q trunk VLAN 10 — usersits own broadcast domain● ● ● VLAN 20 — voiceits own broadcast domain● ● VLAN 30 — serversits own broadcast domain● ●
Same VLAN → the switch delivers at L2. Different VLANs → it must be routed (L3). VLANs without inter-VLAN filtering are not security.

A single switch is one broadcast domain until you add VLANs — each VLAN is its own broadcast domain, and traffic between VLANs must be routed. "Two devices on the same switch can't talk" is a VLAN-membership or trunk question before it's anything routed.

Why an L2 loop is catastrophic, not just slow

Ethernet frames have no TTL — nothing kills a looping frame, so a single broadcast multiplies forever and saturates the segment (a broadcast storm). Spanning Tree (STP/RSTP) exists solely to block loops. Signature: a whole segment "melts" — 100% switch CPU, total loss — right after someone patched a cable or added a switch. Suspect a loop before anything else.

L2 sits below most monitoring, so its threats are easy to miss. The standard mitigations (feature names are common across vendors; exact syntax varies — verify on your hardware):

ThreatMechanismMitigation
ARP spoofing / MITMForged ARP rebinds traffic to the attackerDynamic ARP Inspection
Rogue DHCPAttacker hands out gateway/DNSDHCP snooping (trust only known ports)
MAC floodingFill the MAC table → switch floods everythingPort security (limit MACs/port)
STP manipulationForged BPDUs reshape or blackhole L2BPDU guard / root guard on edge ports
VLAN hoppingAbuse of auto-trunking / double-taggingDisable auto-trunk; set the native VLAN deliberately

DHCP snooping's binding table is also what Dynamic ARP Inspection and IP Source Guard build on, so it earns its keep beyond DHCP. As always, none of this makes L2 "secure" — each control addresses a specific forgery and leaves the rest of the surface (e.g. IPv6 rogue Router Advertisements, which need RA Guard) untouched.

05

How a Packet Gets There

Routing is per-hop and destination-based. No single device knows the whole path; each one answers only "given this destination, what's my next hop and egress interface?" and forwards. The selection rule is Longest Prefix Match (LPM): among all matching routes, the most specific (longest) prefix wins — evaluated before metric or administrative distance.

Worked example · longest prefix match
Route table: Destination Winner Next hop 0.0.0.0/0 via 192.168.1.1 10.20.30.40 /24 10.1.1.3 10.0.0.0/8 via 10.1.1.1 10.20.99.1 /16 10.1.1.2 10.20.0.0/16 via 10.1.1.2 10.5.0.1 /8 10.1.1.1 10.20.30.0/24 via 10.1.1.3 8.8.8.8 /0 192.168.1.1

The default route (0.0.0.0/0) has the shortest possible prefix, so it only wins when nothing more specific matches — the catch-all, not a preference.

Src host10.0.1.5 Router A Router B Dst host203.0.113.9 Changes every hop dest & src MAC are rewritten TTL / Hop-Limit decrements by 1 LPM re-run to pick the next hop TTL hits 0 → drop + ICMP Time-Exceeded (traceroute) Stays end-to-end source IP = 10.0.1.5 (until NAT) dest IP = 203.0.113.9 ports / payload the L2 header is local; the L3 addresses are the journey
The insight that unlocks routing: MACs are local, IPs are the journey. You cannot identify a remote host by MAC across a router — the L2 header is rewritten at every hop.

Two tie-breakers sit below LPM, only for equally-specific routes: administrative distance chooses between different sources for the same prefix (a Cisco concept — the defaults are vendor-specific and configurable, so verify them), and metric chooses within one protocol. The control plane's full list of candidates is the RIB; the optimized table the hardware forwards with at line rate is the FIB.

QoS — when the link is full, order matters

Everything above assumes packets flow freely. When a link saturates, devices queue — and Quality of Service decides what goes first and what gets dropped. Traffic is marked (the DSCP bits in the IP header), classified into queues, and scheduled so latency-sensitive flows (voice, video, real-time control) are served ahead of bulk transfers (backups, file copies) that don't care about a few milliseconds. Two things worth knowing at the help desk: QoS only acts at the point of congestion, so "add QoS" won't fix a problem that's really a saturated uplink or a duplex mismatch; and DSCP markings are only honored inside a domain that trusts them — most ISPs and many inter-org links rewrite or ignore them, so end-to-end QoS across the public internet is not something you can assume. It prioritizes contention; it does not create bandwidth.

06

Names: DNS

DNS turns names into addresses, and it's one of the highest-frequency "the network is broken" root causes — though most of those are caching or resolver-selection problems, not DNS being down. The key mental model: every layer caches independently, and the authoritative server is the only source of truth; everything else is a cache of it.

Appbrowser/OS cache OS stub resolver/etc/hosts · nsswitch Recursive resolvercaches per TTL Root ( . )"ask the .com servers" TLD ( .com )"ask example.com's servers" Authoritativewww = 203.0.113.10, TTL 300 on a cache miss, walk the hierarchy → answer cached for its TTL, returned to the app
"DNS propagation" is a myth — an authoritative change is instant; what you see as delay is caches holding the old answer until their TTL expires. Negative answers (NXDOMAIN) are cached too.
Teaching cases

"I changed the record, clients still get the old value." No propagation — caches hold the old answer until TTL. Fix going forward: lower the TTL before a planned change; after, query the authoritative server directly to confirm, then blame caching for any lag.

"I created the name but it says it doesn't exist." Negative caching — the NXDOMAIN from before you created it is cached per the zone's SOA negative-TTL. Not a config error.

"The app resolves wrong but dig looks right." The app hit a different cache/resolver, an /etc/hosts entry, or the OS resolution order. Always note which resolver answered.

Troubleshooting principle

Identify which resolver answered and compare it to the authoritative answer. dig www.example.com shows what you got; dig example.com NS +short then dig @that-server www.example.com asks the source of truth directly, bypassing caches. Remember DNS needs both UDP/53 and TCP/53 — UDP for normal queries, TCP for large answers; a UDP-only firewall rule fails silently on big responses.

07

Trust: TLS & Certificates

TLS gives you confidentiality, integrity, and server authentication — the client verifies the server's identity through a certificate that chains to a root it already trusts. Most "HTTPS is broken" reports are certificate or handshake problems, not encryption being "off."

HANDSHAKE 1 · Client Hello — versions, ciphers, SNI = host 2 · Server → certificate (leaf + intermediate) 3 · ephemeral key exchange (forward secrecy) 4 · [encrypted] application data CHAIN OF TRUST Root CA (in trust store) Intermediate CA Leaf — SAN = host signs ↓ Validation must ALL hold: • SAN matches the hostname (CN is obsolete) • chain complete — server sent the intermediate • within validity dates (client CLOCK correct) • chains to a trusted root, not revoked
Fails before application data → version/cipher/cert problem. Fails after → an application problem, not TLS. The dividing line tells you where to look.
Teaching cases

"Certificate expired, but I'm sure it's valid." Check the client clock first. Validity is time-based, so NTP skew fakes "expired / not yet valid" on perfectly good certs.

"Works in the browser, fails in a script." Different trust stores — the OS, the browser, and each language runtime carry their own CA bundles; fixing one doesn't fix the others.

"Unknown issuer" on some clients only. A missing intermediate — the server must send the full chain; some clients fetch/cache intermediates, many don't. Wrong/missing SNI makes a multi-site server present the default cert, so you get a name mismatch even though the right cert exists.

A currency caveat

The structure above is stable. But which TLS versions and ciphers are currently recommended or deprecated is a moving target — verify against current guidance rather than freezing a remembered list.

08

The Troubleshooting Method

Pick a structure and run it the same way every time — ad-hoc poking is the novice signature. The single most efficient tactic is path bisection: test from progressively distant points and find where it breaks. Each rung that passes eliminates everything before it.

loopback own IP gateway next hop remotehost remoteport TLS /app First failure = the segment/layer to focus on · each rung that passes rules out everything before it
Walk the layer checklist as a ruling-out list, not a ritual: link → addressing → reachability → name → transport → path-size (MTU) → session/TLS → application.
  1. Define the problem precisely. Symptom, scope, total vs intermittent, did-it-ever-work (new build = design problem; regression = something changed), and what changed. Write it down.
  2. Bisect the path. Loopback → own interface → gateway → next hop → remote host → remote port. The first failure localizes the segment.
  3. Hypothesize, predict, test. State what you believe is wrong and what you'd see if it's true, then look for that specific observation. A hypothesis you can't disprove isn't a diagnosis.
  4. Change one thing, with a backout. Single variable, documented, reversible; re-test after each. Change five things and it works, and you've learned nothing and own five new risks.
  5. Confirm root cause, then document. Separate trigger from root cause from contributing factors. Write the runbook entry while it's fresh — the second occurrence should take minutes.
09

What Each Tool Proves

Misusing tools produces confident wrong conclusions. Know the exact scope of proof of each — especially the gap between what it shows and what people assume it shows.

ToolProvesDoes NOT prove
pingICMP echo reachability + rough RTTThat a port is open, the app works, or MTU is OK
traceroute / mtrForward-path hops, per-hop loss trendThe return path; a middle-hop spike is usually ICMP de-prioritization, not real latency
dig / resolvectlWhat a specific resolver returnsWhat the app resolves (it may use another cache/hosts file)
ss / netstatLocal listeners & connection statesWhether a remote peer is reachable
nc / curl -vWhether a specific port/TLS/HTTP respondsGeneral reachability beyond that test
tcpdump / WiresharkGround truth of what's on the wireIntent — you still interpret it; capture close to the problem
iperf3Achievable throughput between two pointsLatency- or app-bound problems

The highest-value single distinction in the whole set is how a TCP port answers:

You seeIt means
SYN-ACK / "succeeded"Port open, service listening
RST / "connection refused"Host reachable, no listener on that port
timeout / no responseFiltered (firewall drop) or host down — ambiguous

A fast RST is good news — it proves L3/L2 reachability and rules out a path/firewall drop; the service just isn't listening. A timeout is the ambiguous one. And a service bound to 127.0.0.1 is loopback-only (refused remotely); 0.0.0.0 is all interfaces — "works locally, refused remotely" means check the bind address first.

10

Myths That Cause Wrong Calls

The gap between the mental model people carry and the real mechanism is where wrong root-cause conclusions come from. The highest-yield corrections:

BeliefWhat actually happensTroubleshooting signal
"NAT is a firewall"NAT translates addresses; inbound is dropped only because there's no mapping — a side effect. The gatekeeper is the stateful conntrack table, a separate function.Don't reason about exposure from "we have NAT." Reason from the actual ruleset/state.
"Ping works, so the network's fine"Ping tests ICMP echo only.Says nothing about ports, the app, MTU, or DNS. Keep going down the ladder.
"Connectivity is binary"MTU problems are size-dependent: small packets pass, large ones drop. Connects, then hangs on bulk data.SSH banner then freeze; page starts then stalls → PMTUD black hole (filtered ICMP type 3/4). Test with ping -M do -s.
"An L2 loop is just slow"Ethernet frames have no TTL, so a looped broadcast multiplies forever.Whole segment melts (100% switch CPU) right after a cabling/switch change → loop / STP failure.
"TIME_WAIT is a leak"It's normal, on the endpoint that closed first, lasting 2×MSL to absorb stray duplicates.Thousands on a server = it's closing connections (use keep-alive); can exhaust source ports on busy clients.
"More bandwidth fixes slowness"A single flow's max ≈ window ÷ RTT. On a long-fat path the window (not the link) is the limit.Single stream slow but parallel streams saturate → window/BDP, not capacity.
"Asymmetric routing is fine"A stateful device (firewall/NAT) that sees only one direction drops the flow.Connections that establish then stall in multi-path topologies.
11

Rules, Egress & Zero Trust

A firewall rule is match criteria → action. The classic match is the 5-tuple (source, destination, protocol, destination port) plus modern dimensions (zone, L7 app, user identity, device posture). Two rules of craft carry most of the value:

Egress is the high-value, most-skipped control

Most rulesets obsess over inbound and leave outbound wide open. Reverse it: default-deny outbound, permit known destinations. Egress filtering constrains the post-compromise phase — exfiltration and command-and-control — that ingress rules never touch.

Drop vs reject is a real decision: drop (silent) slows a scanner but also your own troubleshooting; reject (RST / ICMP prohibited) gives fast, clear failure. Common practice: reject internally, drop at the internet edge. And know whether you're configuring a stateful device (permit the initiating direction; return is automatic — but asymmetric paths break it) or a stateless one (you must permit the return direction and the client's ephemeral range — the #1 stateless/NACL mistake).

Zero trust, in one sentence

Network location grants no trust; authorize per-resource and per-session on identity, device posture, and context, assuming the network is already breached. It's a strategy and architecture — not a product — decisions made at a policy decision point, enforced close to each resource. Adopt it staged: inventory → log-only to learn real dependencies → microsegment and tighten → move from IP-based to identity-based criteria.

Before any change to a live device

The most common self-inflicted outage is severing your own access. Confirm a rule permitting your management access sits ahead of any new deny, use out-of-band access, and stage an auto-rollback (commit-confirmed / reload in) so a lockout self-heals. No rule makes a system "secure" — each mitigates a specific reachability against a specific threat and leaves residual risk; write and review rules in those terms.

12

Design & Discipline

Diagnosis is half the job; the other half is building and operating networks that are troubleshootable in the first place — the "sage advice" layer. The organizing principle: design for the person debugging it at 3 a.m. — usually future you. A small number of predictable, repeated patterns beats clever one-offs, because behaviour becomes inferable, faults isolate, and growth is mechanical rather than improvised.

Design for failure

NTP is load-bearing, not a convenience

Synchronized clocks are required for two things at once: cross-device log correlation (the basis of most investigations) and TLS certificate validation (§7). When clocks drift, your evidence and your certificates break together — and the cause looks like anything but time.

Habits that compound

13

Life of a Packet

Everything above is one story. Here's what happens, in order, when you open https://www.example.com on office Wi-Fi — every troubleshooting failure mode lives at one of these steps, so "which step?" is always the useful question.

One request, end to end
DNS name→IP → local/remote decision (mask) → ARP for gateway MAC → frame to gateway → routers: LPM + TTL−− + MAC rewrite (per hop) → SNAT at the edge (+ conntrack) → internet / BGP → anycast / VIP + DNAT → TCP handshake → TLS handshake + cert validation → HTTP inside TLS (watch MTU) → return path (NAT reverse, maybe asymmetric) → teardown (TIME_WAIT)
  1. DNS resolves the name (§6). With an A and AAAA, the client races both (Happy Eyeballs). Fails as: NXDOMAIN, wrong resolver, udp/53-only blocking large answers.
  2. Local or remote? The mask decides (§2). Remote → send to the gateway. Fails as: wrong mask/gateway, APIPA (no DHCP — §3).
  3. ARP finds the gateway's MAC; the frame goes to the switch, which forwards by MAC (§4). Fails as: ARP spoofing, wrong VLAN, duplex mismatch, L2 loop.
  4. Routing — each router runs LPM, decrements TTL, rewrites the MACs; the IPs stay constant (§5). Fails as: no route, asymmetric path.
  5. NAT at the edge rewrites the source and records conntrack state to reverse it later. Fails as: PAT/conntrack exhaustion, asymmetric return to a stateless device.
  6. TCP handshake (SYN/SYN-ACK/ACK), then the TLS handshake and cert validation (§7). Fails as: RST/timeout; name mismatch, clock skew, wrong SNI.
  7. HTTP inside TLS — and the MTU trap: small handshake packets pass, then large data packets vanish if the path MTU is smaller than assumed and the signaling ICMP is filtered. The classic starts-then-hangs signature.
  8. Return & teardown — the response retraces (maybe asymmetrically); FINs close it; the active closer sits in TIME_WAIT. Normal, not a leak.

Bisecting the path (§8) is just walking this sequence until a step fails.

14

Quick-Reference Card

Networking on one screen

The method

Scope it → "what changed?" → capture baseline → bisect the path (loopback → gateway → next hop → remote → port → TLS) → one hypothesis with a prediction → change one thing reversibly → document.


The mental models

Follow the packet · problems live at boundaries · MACs are local, IPs are the journey · the mask drives local-vs-remote · authoritative is truth, the rest is cache · the capture doesn't lie.


Port answers

SYN-ACK = open · RST = reachable, no listener (good news) · timeout = filtered or down (ambiguous). Ping proves L3 only.


Cheap checks first

DNS (which resolver vs authoritative; UDP and TCP/53) · MTU (small works / large hangs = PMTUD black hole) · a dropped link · a full table. APIPA (169.254) = no DHCP reached.


Common ports

22 SSH · 53 DNS · 80 HTTP · 123 NTP · 443 HTTPS · 3389 RDP. Stable defaults; verify anything beyond the ubiquitous against IANA/vendor docs.


Two disciplines

Accuracy over confidence — flag vendor defaults, version-specific and changeable values to verify, don't assert from memory. And nothing is "secure" in the abstract — name the threat each control addresses and the residual risk it leaves.

A teaching synthesis of the Networking Guide Set — it distills the mental models and highest-leverage mechanisms into one learning path; the deep-dives live in the source guides. For mechanism and reference see Subnetting & CIDR, IP Routing & Route Tables, DNS, TLS & Certificates, Networking Misconceptions / RCA, Network Sage-Advice, and Firewall & Network Rule Creation; for practice, the Diagnostic Command Card, Triage Decision Trees, and Self-Check Questions. Values that are vendor-specific, version-specific, or otherwise changeable (administrative-distance defaults, TLS/cipher currency, ports beyond the ubiquitous, ephemeral ranges) should be verified against current vendor/IANA/standards sources rather than taken from memory. Terms are in the Glossary; 00 — Start Here indexes the set.