CompTIA Network+ Certification Study Guide part 29 ppt

CHAPTER 6: The OSI Model and Networking Protocols 266
to in some documentation as the NetBIOS protocol). NetBT supplies the
programming interface provided for by NetBIOS along with communication
protocols provided for by TCP.
NetBT’s name service allows host computers to attain and retain
(or defend) a NetBIOS name. It also assists other hosts in locating
a computer with a specific NetBIOS name. In addition, the name
service resolves a specific NetBIOS name to an IP address. This
process uses broadcast messages that are sent to all hosts on the
network. The name service uses UDP Port 137.
The session service of NetBT provides for the reliable exchange
of messages between two NetBIOS applications, typically on two
different computers. The session service uses TCP Port 139.
The datagram service within NetBT provides connectionless,
unreliable message delivery between NetBIOS applications via
UDP Port 138. As mentioned earlier, when data length is short or
reliability is not critical, the datagram service is a faster method
than session-based communication.
Together, the session and datagram services provide the NetBIOS
applications with the capability to exchange information with one another.
However, in an environment where Windows Vista and Windows 2008
are the desktop and network operating systems, NetBIOS or NetBT/IP
are replaced by DNS, which has become the primary naming and name
resolution provider.
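The name service query described above can be examined at the byte level. The following Python sketch is an added example, not part of the original study guide: it builds and parses a NetBIOS name query as carried on UDP Port 137, using the packet layout from RFC 1002. The function names, the host name FILESRV1, and the transaction ID are assumptions made for illustration, and the sample packet is constructed in the code rather than captured.

```python
import struct

NB_TYPE, IN_CLASS = 0x0020, 0x0001   # QTYPE "NB" and QCLASS "IN" (RFC 1002)
FLAG_RESPONSE, FLAG_RD, FLAG_BROADCAST = 0x8000, 0x0100, 0x0010


def encode_name(name, suffix=0x00):
    """First-level encoding: pad the name to 15 characters, append the
    one-byte service suffix, then write every nibble as a letter 'A'..'P'."""
    raw = name.upper().encode("ascii")
    if not 0 < len(raw) <= 15:
        raise ValueError("NetBIOS names are 1-15 characters")
    raw = raw.ljust(15, b" ") + bytes([suffix])
    return bytes(0x41 + nib for b in raw for nib in (b >> 4, b & 0x0F))


def decode_name(enc):
    """Inverse of encode_name; returns (name, suffix)."""
    if len(enc) != 32 or any(not 0x41 <= c <= 0x50 for c in enc):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(" "), raw[15]


def build_query(txid, name, suffix=0x00, broadcast=True):
    """Name query request: 12-byte header plus one question."""
    flags = FLAG_RD | (FLAG_BROADCAST if broadcast else 0)
    header = struct.pack(">6H", txid, flags, 1, 0, 0, 0)
    question = b"\x20" + encode_name(name, suffix) + b"\x00"
    return header + question + struct.pack(">2H", NB_TYPE, IN_CLASS)


def parse_query(pkt):
    """Decode a name query request; raises ValueError on anything else."""
    if len(pkt) < 50:
        raise ValueError("truncated name query")
    txid, flags, qdcount = struct.unpack(">3H", pkt[:6])
    if flags & FLAG_RESPONSE:
        raise ValueError("packet is a response, not a query")
    # 0x20 is the length of the encoded name; the 0x00 terminator means
    # no NetBIOS scope is appended (scoped names are not handled here).
    if qdcount != 1 or pkt[12] != 0x20 or pkt[45] != 0x00:
        raise ValueError("unexpected question layout")
    name, suffix = decode_name(pkt[13:45])
    if struct.unpack(">2H", pkt[46:50]) != (NB_TYPE, IN_CLASS):
        raise ValueError("not an NB/IN question")
    return {"txid": txid, "name": name, "suffix": suffix,
            "broadcast": bool(flags & FLAG_BROADCAST)}


# Constructed sample: a broadcast query for the file server service (0x20)
# of a host named FILESRV1 (hypothetical name).
SAMPLE_QUERY = build_query(0x1A2B, "FILESRV1", suffix=0x20)

if __name__ == "__main__":
    print(parse_query(SAMPLE_QUERY))
```

Decoding queries this way shows which names hosts are still resolving by broadcast on a segment, which is useful when deciding whether NetBT can be turned off in favor of DNS.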

Exam Warning
Remember the following for the Network+ exam:
The name service uses UDP Port 137
The datagram service uses UDP Port 138
The session service uses TCP Port 139

WINS
WINS is a NetBIOS name server that NetBIOS clients can use to attain,
register, and resolve NetBIOS names. WINS is specific to Microsoft networks
and is not used (or available for use) on non-Microsoft operating system-based
computers. Computers running UNIX, Linux, and other non-Microsoft
operating systems typically use DNS for name resolution although there
are other, non-WINS NetBIOS name services available. Generally, other
operating systems will be concerned with NetBIOS names only when they’re
on a network with Microsoft machines; for example, when using SAMBA.
WINS provides NetBIOS functionality but expands it by replicating
this information for faster name resolution services across a large network.
WINS generates a database that contains each NetBIOS name and its
associated IP address. A WINS Server resolves NetBIOS names and provides
the associated IP addresses when it receives requests.
WINS is implemented in two parts: the Server service and the Client
service. The Server service maintains the database containing both NetBIOS
names and associated IP addresses. It also replicates the database to other
WINS Servers for faster name resolution across a large network. This reduces
network broadcast traffic because names can be acquired and defended using
direct requests to the WINS Server rather than by using network broadcasts.
The Client service runs on the individual computers and it uses WINS to
register the computer name, as well as to provide name resolution services
to the local applications and services.
For backward compatibility, Windows-based clients and servers also
provide support for using the LMHOSTS file. This plain text file is unique
to Windows-based computers and provides a map of the computer’s
NetBIOS name with an IP address. This static file was used prior to the
implementation of dynamic Windows name resolution found in WINS.

Exam Warning
NetBIOS name resolution can be done via a centralized WINS server or a local lmhosts
file, both of which will be able to keep traffic down on your network by mapping NetBIOS
names to IP addresses.
Exam Warning
NetBIOS name resolution uses four different node types to resolve names to IP
addresses: Broadcast (B-node), Peer-to-Peer (P-node), Mixed (M-node), and Hybrid
(H-node).

Server Message Block/Common Internet File System
The Server Message Block (SMB) protocol was originally developed by IBM
in the 1980s and later expanded upon by IBM, Microsoft, Intel, and 3Com.
SMB was used primarily for file and print sharing but also
for sharing serial ports and abstract communications technologies such as
named pipes and mailslots. SMB is also now known as Common Internet
File System (CIFS); both names are used interchangeably.
CIFS is a protocol that, like many application layer protocols, is
operating system-independent. It evolved from the SMB and NetBIOS file
and print sharing methods in earlier versions of the Windows operating
system. It can be used by different platforms and operating systems and
across different network/transport protocols; it is not TCP/IP-dependent.
The connection from client to server can be made via NetBEUI or IPX/SPX.
After the network connection from client to server is established, then
SMB commands can be sent to the server so that the client can open, read,
and write files, and so on.
CIFS is being jointly developed by Microsoft and other vendors, but
no published specification currently exists. UNIX and Linux clients can
connect to SMB shares using smbclient from SAMBA or smbfs for Linux.
Server implementations of SMB for non-Microsoft operating systems
include SAMBA and LAN Manager for OS/2 and SCO.
Note
For more detailed information about SMB, see />is-smb.html

Internet Printing Protocol
The Internet Printing Protocol (IPP) is related to SMB and CIFS. It provides
the capability to perform various printing operations across the network
(including an internetwork) using Hypertext Transfer Protocol (HTTP)
version 1.1.
Note
There are a large number of Requests for Comments (RFCs) that define different
specifications for IPP. For more information, see the IEEE’s Printer Working Group (PWG)
Web site at www.pwg.org/ipp/

WinSock
WinSock is a Microsoft Windows Application Programming Interface (API)
that provides a standard programming interface for accessing TCP/IP in
Windows. Sockets were originally developed at the University of California
in Berkeley, and Microsoft developed WinSock to work specifically in the
Windows operating system environment.
Vendors who develop software that runs on Windows can use this API to
access standard TCP/IP functionality. Many built-in Windows tools rely on
WinSock, including Packet InterNet Groper (ping) and Trace Route (tracert).
In addition, the FTP and DHCP servers and clients use WinSock, as does
the Telnet client.
Telnet
Telnet is a terminal emulation protocol that allows you to log onto a remote
computer. The remote computer must be using TCP/IP and have the Telnet
Server service running. To connect to a remote host, you must start the
Telnet client and must possess a username and password for the remote host
computer. In Windows Server 2003, the Telnet Server service is present but
must be started to service Telnet clients.
If you have never used the command prompt in Windows, here’s how:
click Start | Run and type cmd in the dialog box (in Windows operating
systems prior to Windows 98, the 16-bit command was command. In
Windows 98 and beyond, the 32-bit command, cmd, is supported). This
will open a command window. Type telnet at the prompt. Type help for a
list of commands and quit to close Telnet. Use exit to close the command
prompt window.

Exam Warning
Remember that Telnet uses port 23 (both TCP and UDP) for communication; Secure
Shell (SSH), which is essentially encrypted Telnet, runs on port 22 (also TCP and UDP).
Telnet information is sent in plaintext, so it’s very easy to capture packets and read the
contents, such as usernames and passwords.

DHCP
DHCP is used to automatically (or dynamically) assign IP addresses
to host computers on a network running TCP/IP. Prior to DHCP, network
administrators had to assign IP addresses to host computers manually. This
was not only a time-consuming endeavor but also made it easy for errors
(either in IP assignment or in entering the IP address) to creep in and
cause network problems.
Why is DHCP so important? Because each host must have a unique IP
address, and a problem occurs when two hosts have the same IP address.
DHCP was devised as an efficient method to alleviate both the problems
caused by errors and the time it took to assign addresses and resolve errors. It does this
by maintaining a database of the assigned addresses, ensuring that there will
never be duplicate addresses among the DHCP clients.
DHCP is implemented as both a Server and a Client service. The
DHCP Server service is responsible for assigning the IP address to
individual hosts and for maintaining the database of IP address information,
including IP addresses that are assigned, IP addresses that are available,
and other configuration information that can be conveyed to the client
along with the IP address assignment. The DHCP Client service interacts
with the Server service in requesting an IP address and in configuring
other related information, including the subnet mask and default
gateway (both are discussed in detail later in Chapter 7, “TCP/IP and
Routing”).
SMTP
SMTP is used to transfer e-mail messages and attachments. SMTP is
used to transmit e-mail messages between servers and from clients (such as
Microsoft Outlook or Linux’s sendmail) to e-mail servers (such as Microsoft
Exchange). However, most e-mail clients use other protocols, such as POP3
or IMAP4, to retrieve e-mail from the server. These two server
applications (SMTP and POP or IMAP) may exist on the same physical server
machine.
As with the other protocols and services discussed in this section, SMTP
operates at the application layer and relies on the services of the underlying
layers of the TCP/IP suite to provide the actual data transfer services.

Exam Warning
Remember that SMTP uses port 25 for communication.

POP
POP is a widely used e-mail application protocol that can be used to retrieve
e-mail from an e-mail server for the client application, such as Microsoft
Outlook. The current version of POP is POP3.
POP servers set up mailboxes (actually directories or folders) for each
e-mail account name. The server receives the mail for a domain and sorts
it into these individual folders. Then a user uses a POP client program
(such as Outlook or Eudora) to connect to the POP server and download
all the mail in that user’s folder to the user’s computer. Usually, when the
mail messages are transferred to the client machine, they are deleted from
the server.

Exam Warning
Remember that POP3 uses port 110 for communication.

IMAP
IMAP, like POP, is used to retrieve e-mail from a server and creates a mailbox
for each user account. It differs from POP in that the client program can access
the mail and allow the user to read, reply to, and delete it while it is still on the
server. Microsoft Exchange functions as an IMAP server. This is convenient for
users because they never have to download the mail to their client computers
(saving space on their hard disks), but especially because they can connect to the
server and have all their mail available to them from any computer, anywhere.
When you use POP to retrieve your mail, old mail that you’ve already
downloaded is on the computer you were using when you retrieved it, so if you’re
using a different computer, you won’t be able to see it. IMAP is preferred for
users who use different computers (for example, a home computer, an office
computer, and a laptop) to access their e-mail at different times.

Exam Warning
Remember that IMAP4 uses Port 143 (both TCP and UDP) for communication.

HTTP
HTTP is the protocol used to transfer files used on the Internet to display
Web pages. When you type an Internet address (a URL) into your browser’s
Address field, it uses the HTTP protocol to retrieve and display the files
located at that address.
A URL typically contains a server name, a second-level domain name,
and a top-level domain name, with the parts of the address separated by
dots. Individual folder and file names may follow, separated by slashes.
For example, www.syngress.com/index.htm indicates an HTML document
(Web page) on a Web server named www in the syngress.com domain. The
first part of the URL may also be entered as an IP address if it is known.
HTTP was defined and used as early as 1990. However, there were no
published specifications for HTTP in the beginning and different vendors
modified HTTP as they saw fit. As the World Wide Web continued to
evolve and grow to be the enormous resource that it is today, additional
functionality was needed in HTTP. The first formal definition was labeled
HTTP/1 and it was later replaced by HTTP/1.1.

Exam Warning
Remember that HTTP uses port 80 for communication. Do not confuse this with https://,
which is Secure Sockets Layer (SSL) encrypted Web traffic running on port 443.

NNTP
NNTP is similar to SMTP in that it allows servers and clients to
exchange information. In this case, however, the information is exchanged
in the form of news articles. This feature originally was implemented in
the Internet’s predecessor network, ARPANet. Network bulletins were
exchanged using this protocol. Today, there are thousands of newsgroups
devoted to discussion of every topic imaginable. Usenet has grown into a
huge network of news servers hosting newsgroups. Newsgroups differ from
other forums such as Internet mailing lists (in which all messages posted
come into your inbox if you’re a member) and Web discussion boards (which
are accessed through the browser).
NNTP is now implemented as an application layer client/server protocol.
The news server (for example, msnews.microsoft.com) manages news articles
and news clients. A news client is an application that runs on a client computer
and is used to both read and compose news articles. Outlook Express contains
a newsreader component. For more information about Usenet newsgroups,
see the Usenet FAQ and references at www.faqs.org/usenet/.

Exam Warning
Remember that NNTP uses port 119 for communication.

FTP
FTP is used to transfer files from one host to another, regardless of the
hosts’ physical locations. It is one of the oldest application layer protocols
and was used on ARPANet to transfer files from one mainframe to another.
Still in use today, FTP is widely used on the Internet to transfer files. One of
the problems with FTP is that it transmits users’ passwords in clear text, so
it is not a secure protocol.
In contrast to the single connections used by NNTP, HTTP, and SMTP,
two separate connections are established for an FTP session. One transmits
commands and replies and the other transmits the actual data. The
command and control information is sent, by default, via TCP port 21. The
data, by default, are sent via TCP port 20.
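The two-connection design described above means the data connection's endpoint is negotiated on the control connection. The following Python sketch is an added example, not part of the original study guide: it reads a control-channel transcript and works out which data connection a firewall or capture should expect. It goes beyond the default ports in the text by also covering passive mode (the 227 reply to the PASV command in the FTP specification). The function names, the documentation-range addresses, and the transcript are assumptions constructed for illustration.

```python
import re

# Six comma-separated decimal fields: h1,h2,h3,h4,p1,p2
_HOSTPORT = re.compile(r"\b" + ",".join([r"(\d{1,3})"] * 6) + r"\b")


def parse_hostport(line):
    """Return (ip, port) from a PORT command or a 227 reply.
    The port is carried as two bytes: port = p1 * 256 + p2."""
    match = _HOSTPORT.search(line)
    if not match:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in: %r" % line)
    nums = [int(n) for n in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in: %r" % line)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def data_connections(transcript, client_ip, server_ip):
    """Derive the expected data connections from control-channel lines.
    transcript is a list of (direction, line); direction is 'C' for a
    line sent by the client and 'S' for a line sent by the server."""
    flows = []
    for direction, line in transcript:
        verb = line.split(" ", 1)[0].upper()
        if direction == "C" and verb == "PORT":
            # Active mode: the server connects out from its data port
            # (TCP 20 by default) to the address the client announced.
            ip, port = parse_hostport(line)
            flows.append({"mode": "active", "src": server_ip, "sport": 20,
                          "dst": ip, "dport": port,
                          "addr_matches_peer": ip == client_ip})
        elif direction == "S" and verb == "227":
            # Passive mode: the client connects to the address and port
            # the server announced; TCP port 20 is not used at all.
            ip, port = parse_hostport(line)
            flows.append({"mode": "passive", "src": client_ip, "sport": None,
                          "dst": ip, "dport": port,
                          "addr_matches_peer": ip == server_ip})
    return flows


# Constructed sample transcript (documentation addresses, not a real capture).
CLIENT_IP, SERVER_IP = "192.0.2.10", "198.51.100.5"
SAMPLE_TRANSCRIPT = [
    ("C", "PORT 192,0,2,10,195,80"),
    ("S", "200 PORT command successful"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,5,234,96)"),
]

if __name__ == "__main__":
    for flow in data_connections(SAMPLE_TRANSCRIPT, CLIENT_IP, SERVER_IP):
        print(flow)
```

The addr_matches_peer field is False when the announced address is not the host that sent the line, which is worth reviewing in firewall or proxy logs.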

CONFIGURING AND IMPLEMENTING…
FTP Ports
Understanding the configuration and implementation
of FTP is important for a number of reasons. FTP ports
20 and 21 are used for FTP data and FTP control,
respectively. It is possible to modify the ports used for
data and control transmissions when developing or
implementing an application. However, by default, a
program interface that uses FTP listens at TCP port
21 for FTP traffic. Thus, if your application is sending
TCP control information on a different port, the other
application interface may not hear the FTP traffic.
TCP ports 20 and 21 are well-known port numbers
and hackers often try to exploit these ports. As a security
measure, all servers that are not running the FTP Server
service should have TCP ports 20 and 21 disabled. This
prevents attackers from exploiting these ports to gain
unauthorized access to the server and perhaps to the
entire network. RFC 1579, “Firewall-Friendly FTP,” is
definitely worth a read if you want more in-depth
information on how FTP uses ports (www.ietf.org/rfc/rfc1579.txt).
This information is not related to the exam but may be of
interest to you for a future in the security field.

DNS
DNS is used to resolve a hostname to an IP address to facilitate the
delivery of network data packets. As mentioned previously, DNS is now
the primary method used in Microsoft Windows Server 2003 to resolve
hostnames to IP addresses. DNS is also the protocol used on the Internet to
resolve hostnames (such as those in URLs) to IP addresses.
Prior to DNS, hostname-to-IP resolution was accomplished via a text file
called hosts. In the days of ARPANet, this file was compiled and managed
by the Network Information Center at the Stanford Research Institute. This
plain text file contained the name and address of every single computer, but
there were only a handful of computers on the network at the time. When
a new computer was added or a computer changed its IP address, the file
had to be edited manually and distributed to all the other computers. As
computers and networks proliferated, another, more automated solution
had to be devised and the specifications for a distributed naming system,
called the DNS, were developed.
DNS servers on the Internet store copies of the DNS database. Because
of the explosive growth of the Internet in the past decade, DNS databases
are specialized. For instance, a set of databases is responsible for top-level
domain information only. Examples of top-level domains are .com, .gov, .edu,
.net, .org, and so on. All requests for an address ending with .com will be
forwarded to a particular set of DNS servers. These servers will query their
databases to find the specific .com domain requested (for example,
microsoft.com). DNS databases are replicated periodically to refresh the data.

Exam Warning
Remember that DNS uses port 53 for communication.

Routing Information Protocol
As the name implies, the Routing Information Protocol (RIP) is used to
exchange routing information among IP routers. RIP is a basic routing
protocol designed for small- to medium-sized networks. It does not scale
well to large IP-based networks (including the Internet). Windows Server
2003 computers can function as routers, and as such, they support RIP.
Routing is covered in more depth in Chapter 7, where WAN standards and
remote access are covered.
Network Time Protocol
Network Time Protocol (NTP) is a protocol that provides a very reliable way
of transmitting and receiving an accurate time source over TCP/IP-based
networks. NTP, defined in RFC 1305 (www.ietf.org/rfc/rfc1305.txt), is useful
for synchronizing the internal clock of the computers to a common time
source. Network operating systems such as NetWare and Windows rely
on a time source to keep things running right. For system maintenance,
troubleshooting of issues, and documentation, it is important that all
systems be time-synchronized. In addition, for prosecution of security
breaches or attacks, security logs need to be accurate, and so on. NTP, when
used properly, can have a hierarchical disaster recovery system designed
into it, with primary sources of time as well as secondary sources. Having
the correct time on your system(s) is very important. Many problems can
surface if networked machines are not time-synchronized.

Exam Warning
Remember that NTP uses port 123 for communication. Do not confuse this with NNTP,
which uses port 119.

SNMP
SNMP is used for communications between a network
management console and the network’s devices, such as bridges, routers, and
hubs. This protocol facilitates the sharing of network control information
with the management console. SNMP uses a management system/agent
framework to share relevant network management information. This
information is stored in a Management Information Base (MIB) and
contains a set of objects, each of which represents a particular type of network
information such as an event, an error, or an active session. SNMP uses
UDP datagrams to send messages between the management console and
the agents.
Now we have covered the OSI model (as well as the DoD model) in
depth. You should now have a good idea of its importance and why
it’s so important to know for the Network+ exam. This modular approach
to network communications makes development less time-consuming and
more consistent across vendors, networks, and systems. As a result, new
application layer protocols are constantly being developed. This section is
not meant to serve as an exhaustive look at the wide array of application
protocols available today but to give you a better idea of the more common
protocols and services that operate at this layer and provide an
understanding of how the layered approach works.
We’ve reviewed the seven layers of the OSI model (starting from the
lowest level, physical, data link, network, transport, session, presentation,
and application) and the four layers of the DARPA (TCP/IP) model (Network
Interface, Internet, Host-to-Host, and Application), and we’ve learned how
these layers map to one another.
We’ve examined many of the common networking protocols that work at
each layer and looked at the services and functions that each provides. In the
next chapter, you’ll learn in depth about the IP protocol and how it is used
to send data to the correct location, no matter where the destination host
resides.
SUMMARY OF EXAM OBJECTIVES
In this chapter, we covered the OSI model in depth. For those of you
unfamiliar with network models, it should be clear now that working with them
can bring many benefits, such as ease of development and troubleshooting.
Networking models can be very helpful to you. In this chapter, we
covered three of them in particular, the OSI model, the DoD model, and the
Microsoft model, all of which are similar, share common core elements, but
have differences as well.
From the DARPA experiment came the understanding that networking
would become increasingly common, and increasingly complex. The OSI
model was developed, based on the original DoD DARPA model, and
approved by the OSI subcommittee of the ISO. The OSI model defined seven
