Overview
Prerequisites
- Prior topics: 12 · Networking Essentials
-- this topic assumes you already know what happens when you hit a URL (DNS, TCP, TLS, HTTP), TCP
vs. UDP at a glance, and how to read a
curl -v/digtranscript; and 4 · Just Enough Python -- every Python script in this topic is fully type-annotated, and you should already be comfortable reading functions, classes, andlist/dict/setliterals the way that primer taught them. - Tools & environment: a macOS/Linux terminal; Python 3.x; the diagnostic CLIs
ping,traceroute,dig,ss/ip, andtcpdump(several needsudoor a Linux kernel -- noted plainly at each example that needs one);wg/wg-quick(wireguard-tools); network access. - Assumed knowledge: what happens when you hit a URL (Networking Essentials); TCP vs. UDP at a
glance; reading a
curl -v/digtranscript.
Confirm your toolchain
This topic's tools span macOS's own system utilities, a few that need a real Linux kernel (installed inside a short-lived Docker container where noted), and a Python version check:
$ curl --version | head -1
curl 8.7.1 (x86_64-apple-darwin24.0) libcurl/8.7.1 (SecureTransport) LibreSSL/3.3.6 zlib/1.2.12 nghttp2/1.64.0
$ dig -v
DiG 9.10.6
$ traceroute --help 2>&1 | head -1
Version 1.4a12+Darwin
$ tcpdump --version
tcpdump version 4.99.1 -- Apple version 148
libpcap version 1.10.1
$ wg --version
wireguard-tools v1.0.20260223 - https://git.zx2c4.com/wireguard-tools/
$ python3 --version
Python 3.13.12
# ip/ss are Linux-only (iproute2) -- verified inside the same Debian container
# this topic's other root-requiring captures used:
$ ip -V
ip utility, iproute2-6.15.0, libbpf 1.5.0
$ ss -V
ss utility, iproute2-6.15.0Every Python script in this topic is standard-library-only, actually run against Python 3.13.12
(or, where a genuine Linux kernel behavior is the entire point, Python 3.13.14 inside a local
Debian Linux container, noted plainly at each example that needs it). Every command-line transcript
is a genuine, captured transcript -- against real hosts where reachable, or, for the handful of
commands needing sudo/a Linux kernel this sandbox's macOS host cannot provide directly, inside that
same Debian container, again noted plainly at each example that needs it.
How this topic's examples are organized
- Beginner (Examples 1-16) -- the addressing and connection-lifecycle bedrock: OSI/TCP-IP layering and encapsulation, link-layer addressing and ARP, IPv4/IPv6 address anatomy, CIDR and subnetting, routing basics, NAT, and the TCP handshake/teardown state machine.
- Intermediate (Examples 17-36) -- TCP flow control and congestion control, Nagle/delayed-ACK and socket options, DNS resolution and DNSSEC, and the modern application layer -- TLS 1.3, HTTP/2, and HTTP/3/QUIC.
- Advanced (Examples 37-55) -- QUIC's structural payoffs, the real-time web
(WebSockets, SSE, WebTransport, WebRTC), load balancing and edge delivery, Linux network namespaces
and
tcpdump's BPF filter language, latency/throughput measurement discipline, and stateful firewalls plus mutual TLS. - VPN & Overlay Networking (Examples 56-62) -- WireGuard's own minimal design, brought up as a real two-peer tunnel; the general VPN/tunnel/overlay vocabulary; NAT traversal and keepalive; and two decision artifacts -- which point-to-point VPN protocol, and which mesh-overlay platform.
- Capstone -- a networking diagnostics toolkit and report: a CIDR
calculator validated against hand math, a script that traces and narrates a real request's full
DNS-to-HTTP timeline, and a written analysis of captured
traceroute/tcpdumpoutput.
The 29 concepts this topic covers
- co-01 · OSI/TCP-IP layering and encapsulation -- the OSI 7-layer and TCP/IP 4-layer models
name the same stack, and encapsulation wraps a payload in a new header at each layer descending
(and strips one ascending). Examples 1-2, and the capstone's
trace.py/analysis.md. - co-02 · Link-layer addressing and ARP -- a MAC address identifies a NIC on its local segment, and ARP resolves an IP address to a MAC address before a frame can be sent on that segment. Examples 3-4.
- co-03 · IPv4/IPv6 addressing -- IPv4's 32-bit dotted-decimal and IPv6's 128-bit hextet-and-compression addressing are the two address families a stack must parse and normalize. Examples 5-6.
- co-04 · CIDR and subnetting -- a CIDR prefix (
/24) splits an address block into network and host portions, from which network address, broadcast address, host range, and host count are derived arithmetically. Examples 7-8, and the capstone'ssubnet.py. - co-05 · Routing basics -- a routing table maps destination prefixes to a next-hop, and a
default route (default gateway) catches everything not matched more specifically. Examples 9-10,
16, and the capstone's
analysis.md. - co-06 · NAT -- NAT rewrites a private source address/port to a shared public one at a gateway so multiple private hosts share one public IP. Examples 11-12, 16.
- co-07 · TCP handshake and teardown internals -- TCP opens via a three-way SYN/SYN-ACK/ACK
handshake and closes via a FIN/ACK exchange (or aborts via RST), each transition moving the
connection through a defined state machine. Examples 13-15, and the capstone's
analysis.md. - co-08 · TCP flow control -- the receiver advertises a window (extendable via the RFC 7323 window-scale option) that caps how much unacknowledged data the sender may have in flight, protecting a slow receiver from being overrun. Examples 17-18.
- co-09 · TCP congestion control -- the sender paces itself against inferred network capacity -- slow start, congestion avoidance, and a chosen algorithm (CUBIC by default; BBR as a model-based alternative). Examples 19-21.
- co-10 · Nagle and delayed ACK -- Nagle's algorithm withholds small writes awaiting an ACK while delayed ACK withholds that same ACK awaiting more data or a timeout, and the two together can compound into a multi-hundred-millisecond stall. Examples 22-23.
- co-11 · Socket options and nonblocking I/O -- socket options (
SO_REUSEADDR,TCP_NODELAY) and nonblocking mode (setblocking(False)/select) change how a socket behaves without changing the protocol on the wire. Examples 23-25. - co-12 · DNS resolution internals -- a recursive resolver walks the referral chain from root to TLD to authoritative server on a cache miss, and caches the answer for its TTL on a hit. Examples 26-27.
- co-13 · DNSSEC -- DNSSEC signs DNS records (
RRSIG) and chains trust throughDNSKEY/DSrecords from a trust anchor down to a signed answer, letting a resolver detect tampering. Examples 28-29. - co-14 · TLS 1.3 handshake internals -- TLS 1.3's handshake exchanges key shares in the first
flight so the full handshake completes in 1-RTT, and a resumed session using a PSK can send
application data even earlier. Examples 30-32, 55, and the capstone's
trace.py. - co-15 · HTTP/2 multiplexing -- HTTP/2 interleaves multiple streams' frames on one TCP connection with header compression. Examples 33-35.
- co-16 · HTTP/3 and QUIC -- HTTP/3 runs over QUIC (UDP-based, TLS-integrated), giving each stream independent loss recovery, and letting a connection migrate across a network change via a connection ID. Examples 36-38.
- co-17 · WebSockets vs. SSE -- WebSockets upgrade an HTTP connection into a full-duplex, bidirectional channel; Server-Sent Events keep one long-lived HTTP response streaming one-way, server-to-client only. Examples 39-42.
- co-18 · WebTransport and WebRTC -- WebTransport exposes QUIC's multiplexed streams/datagrams to the browser; WebRTC negotiates a direct (ICE/STUN/TURN-assisted) peer-to-peer media/data path. Examples 42-44.
- co-19 · Load balancing, L4 vs. L7 -- an L4 load balancer routes by transport-level identifiers (IP/port) with no content visibility; an L7 load balancer inspects and routes on application content (HTTP path/headers). Examples 45-46.
- co-20 · Reverse proxies and CDNs -- a reverse proxy sits in front of one or more origin servers and forwards client requests to them; a CDN is a distributed cache of reverse proxies at the network edge. Examples 47-48.
- co-21 · Network namespaces -- a Linux network namespace is an isolated copy of the network stack (its own interfaces, routes, and firewall rules). Example 49.
- co-22 · Packet capture and BPF filters --
tcpdumpcaptures packets filtered by a BPF expression that can match protocols, hosts, ports, and even individual header bits. Examples 50-51, and the capstone'sanalysis.md. - co-23 · Latency, jitter, and percentiles -- latency, bandwidth, and throughput are three distinct measurements, and latency is best summarized by percentiles (p50/p95/p99) plus jitter, not a single average. Examples 52-53.
- co-24 · Firewalls and mTLS -- a stateful firewall permits a reply packet by matching it against an established connection's state-table entry; mutual TLS extends TLS so both sides present and verify a certificate. Examples 54-55.
- co-25 · VPN tunnels and overlays -- a VPN encapsulates and encrypts traffic inside an outer packet; a site-to-site tunnel joins whole networks, a remote-access tunnel connects a single client, and split tunneling routes only chosen subnets through the tunnel. Examples 57-58, 60.
- co-26 · WireGuard -- a modern in-kernel VPN built on the Noise-framework IK handshake with a
fixed cryptographic suite; its config is
[Interface]+[Peer], withAllowedIPsacting as a crypto-routing table. Examples 56-57. - co-27 · IPsec vs. OpenVPN vs. WireGuard -- IPsec/IKE is the standards-heavy kernel option, OpenVPN the mature TLS-based userspace option, and WireGuard the minimal modern option -- the choice trades configurability against codebase size and audit surface. Example 62.
- co-28 · NAT traversal and keepalive -- a peer behind NAT keeps its mapping open with periodic keepalives; hole-punching/STUN and relay fallbacks let peers connect without a public inbound port. Example 59.
- co-29 · Mesh overlay VPNs -- mesh VPNs give every node a stable identity on a flat encrypted overlay: Tailscale (WireGuard data plane + a coordination plane), Headscale (an open-source Tailscale control server), and Nebula (a lighthouse + host certificates). Example 61.
Examples by level
Beginner (Examples 1-16)
- Example 1: OSI Layer Mapping -- Annotating a curl -v Trace
- Example 2: Encapsulation -- a Payload Gaining and Shedding Headers
- Example 3: View the Local Interface's MAC Address
- Example 4: Inspect the ARP Cache
- Example 5: IPv4 Binary Anatomy -- 192.168.1.10, Octet by Octet
- Example 6: IPv6 Address Expand/Compress -- 2001:db8::1 Round-Trips
- Example 7: CIDR Prefix to Netmask -- /24, /26, /30 by Hand
- Example 8: Subnet Calculator -- Network, Broadcast, Host Range, Host Count
- Example 9: View the Routing Table
- Example 10: traceroute -- a Numbered Hop List
- Example 11: Classify Addresses -- RFC 1918 Private vs. Public
- Example 12: NAT Translation -- a Packet Crossing the Gateway
- Example 13: TCP Handshake -- a Genuine tcpdump Capture
- Example 14: TCP Teardown -- the Same Capture's Closing Lines
- Example 15: ss -tan -- Watching a Connection's State Transition
- Example 16: Well-Known Ports Review
Intermediate (Examples 17-36)
- Example 17: TCP Window Scaling -- Locating wscale in a Live Capture
- Example 18: TCP Flow Control -- a Slow Reader Blocks a Fast Writer
- Example 19: CUBIC's Slow Start Transitioning to Congestion Avoidance
- Example 20: View This Sandbox's Active Congestion-Control Algorithm
- Example 21: CUBIC vs. BBR -- What Triggers a Rate Change
- Example 22: Nagle Meets Delayed ACK -- a Visible Stall
- Example 23: TCP_NODELAY -- Measuring the Nagle/Delayed-ACK Stall
- Example 24: SO_REUSEADDR -- Rebinding a Port Still in TIME-WAIT
- Example 25: Nonblocking Sockets -- setblocking(False) Polled with select.select
- Example 26: dig +trace -- the Root-to-Authoritative Referral Chain
- Example 27: DNS Caching -- Watching the TTL Count Down
- Example 28: DNSSEC -- an RRSIG Record in a Real Answer
- Example 29: The DNSSEC Chain of Trust
- Example 30: TLS 1.3 -- Reading the Negotiation Lines
- Example 31: TLS 1.3's Single Round Trip
- Example 32: 0-RTT Session Resumption vs. the Full Handshake
- Example 33: HTTP/2 -- Frame-Level Indicators in curl -v
- Example 34: HTTP/2 Multiplexing vs. HTTP/1.1's Multiple Connections
- Example 35: Measuring the Connection-Count Difference
- Example 36: HTTP/3 -- Attempting QUIC with curl
Advanced (Examples 37-55)
- Example 37: QUIC vs. TCP -- Head-of-Line Blocking, Contrasted Stream by Stream
- Example 38: QUIC Connection Migration -- Surviving a Network Change Without a New Handshake
- Example 39: The WebSocket Handshake -- a Real Upgrade: websocket / 101 Exchange
- Example 40: WebSockets Are Full-Duplex -- a Minimal Demo on One Open Connection
- Example 41: Server-Sent Events -- One-Way, Server-to-Client, Over One Long-Lived Response
- Example 42: WebSockets vs. SSE vs. WebTransport vs. WebRTC -- a Decision Table
- Example 43: WebTransport -- QUIC's Multiplexed Streams and Datagrams, Exposed to the Browser
- Example 44: WebRTC -- Signaling, ICE/STUN/TURN, Then a Direct Peer-to-Peer Path
- Example 45: L4 Load Balancing -- Routing by IP/Port, No Content Visibility
- Example 46: L7 Load Balancing -- Routing by HTTP Path/Header Content
- Example 47: A Local Reverse Proxy -- Forwarding a Client Request to a Backend
- Example 48: CDN Cache Hit vs. Miss -- Reading cf-cache-status and age
- Example 49: Linux Network Namespaces -- an Isolated, Independent Network Stack
- Example 50: BPF Filter -- Isolating Traffic to One Host and Port
- Example 51: BPF Filter -- Isolating Only TCP SYN Packets
- Example 52: Latency Percentiles and Jitter -- Computed Against a Known Sample
- Example 53: Latency vs. Bandwidth vs. Throughput -- Three Different Things, One Link
- Example 54: A Stateful Firewall -- Permitting a Reply by Matching Connection State
- Example 55: Mutual TLS -- Both Sides Present and Verify a Certificate
VPN & Overlay Networking (Examples 56-62)
- Example 56: WireGuard -- Generating Keys and Bringing Up a Real Two-Peer Tunnel
- Example 57: AllowedIPs as a Crypto-Routing Table
- Example 58: Split Tunnel vs. Full Tunnel -- What AllowedIPs Actually Changes
- Example 59: PersistentKeepalive -- Refreshing a NAT Mapping With Zero Application Traffic
- Example 60: Site-to-Site vs. Remote-Access Tunnels
- Example 61: Mesh Overlay VPNs -- Tailscale/Headscale vs. Nebula
- Example 62: WireGuard vs. OpenVPN vs. IPsec -- a Decision Artifact
← Previous: 28 · Build Your Own ORM & Query Builder Drilling · Next: Beginner Examples →
Last updated July 17, 2026