Nmap is not magic — it is a tool that speaks the same language every device on the internet understands. If you don’t know those languages, you won’t understand what Nmap is telling you, why certain scans fail, or what the results actually mean.

Think of this part as the foundation. Every command you’ll learn later makes complete sense once you’ve absorbed these concepts.

What Are Network Protocols?

In computer networks, communication happens through protocols.

A protocol is a set of rules that defines how data is transmitted between devices. These rules ensure that completely different systems — like a Linux server and a Windows machine — can still communicate without confusion.

Data is not sent all at once. It is broken into smaller units called packets.

Each packet contains:

• Header → Metadata (source, destination, flags, TTL, etc.)
• Payload → The actual data being transmitted

The header ensures the packet reaches the right destination and is interpreted correctly.

The Network Layer (Layer 3) and IP

The Network Layer is responsible for logical addressing and routing — deciding how a packet gets from point A to point B, even across multiple different networks. The star of this layer is the Internet Protocol (IP).

IP provides every device with a unique logical address. Right now, the internet runs mostly on IPv4, which uses 32-bit addresses written as four octets separated by dots (e.g., 192.168.0.1). IPv6 uses 128-bit addresses to overcome IPv4's exhaustion problem.

IPv4 Header — What’s Inside Every Packet

When Nmap crafts packets, it carefully builds the IPv4 header. The key fields you’ll encounter regularly are:

Not all IPv4 addresses are public. Key reserved ranges include:

127.0.0.0/8 — Loopback (your own machine)
192.168.0.0/16 — Private network (your home/office LAN)
10.0.0.0/8 and 172.16.0.0/12 — Also private

The Transport Layer (Layer 4) — TCP vs UDP

This is where most of Nmap’s scanning magic happens. The Transport Layer provides end-to-end communication between applications on two devices. The two key protocols are TCP and UDP, and they have very different personalities.

TCP — The Reliable Workhorse

TCP (Transmission Control Protocol) is a connection-oriented, reliable protocol that provides a dependable and ordered delivery of data. TCP guarantees reliable delivery through mechanisms such as acknowledgments (ACK) and the retransmission of lost or corrupted packets.

Because it is so reliable, it requires a formal introduction before any data is sent. This is called the TCP 3-Way Handshake. It involves a series of three messages exchanged between the sender (client) and the receiver (server):

1. SYN (Synchronize): The handshake starts when the client sends a message to the server with the SYN flag turned on. This message basically says, “I want to start a connection.” It also includes a random starting number called the initial sequence number (ISN), which will be used to track the data being sent.
2. SYN-ACK (Synchronize-Acknowledge): When the server receives this request, it replies with a message that has both SYN and ACK flags set. This means, “I received your request, and I’m ready too.” The server acknowledges the client’s starting number and also sends its own new sequence number.
3. ACK (Acknowledge): Finally, the client sends one more message with the ACK flag set to confirm the server’s sequence number. After this confirmation, the connection is fully established and data transfer can begin.

At this stage, the connection is successfully created, and both devices are ready to start sending data to each other.

TCP Control Flags: The Secret Language of Scans

To control this complex handshake and manage the overall flow of data, TCP uses a set of “Control Flags”. These flags are included in the TCP header and control different features during the establishment, maintenance, and termination of a TCP connection.

If you want to understand how Nmap detects open ports — or how it evades firewalls — you must understand these flags. When performing advanced scans, Nmap often breaks the rules by sending flags in weird combinations just to see how a firewall or server reacts.

Here are the most commonly used TCP flags you need to know:

• SYN (Synchronize): Initiates a connection request. This is the polite “Hello” at the start of a conversation.
• ACK (Acknowledge): Acknowledges that data (or a connection request) has been successfully received. It’s the digital head-nod saying, “I hear you.”
• FIN (Finish): Initiates a clean connection termination. It means, “I’m done talking, let’s close the connection safely.”
• RST (Reset): Abruptly closes a connection. It’s the network equivalent of slamming the phone down. Firewalls and closed ports frequently send RST packets to reject Nmap’s probing attempts.
• PSH (Push): Tells the receiving system to process these packets immediately instead of buffering them in memory.
• URG (Urgent): Tells the receiver that certain data within the packet is highly urgent and needs immediate attention over other traffic.

Why does this matter? Because if Nmap sends a standard SYN packet and gets a SYN-ACK back, it knows the port is open. But what if Nmap intentionally sends a broken packet with no flags set (a "NULL" scan), or a packet with FIN, PSH, and URG all lit up at the same time (an "Xmas" scan)? How a firewall or target system responds to these abnormal rules tells the penetration tester exactly what kind of security is in place!

TCP Header Fields

The TCP header is like a control section attached to every TCP segment. It contains important information that helps devices communicate reliably.

1. Source Port: Tells which application on the sender’s device is sending the data.
2. Destination Port: Tells which application on the receiving device should get the data (for example, a web server or email service).
3. Sequence Number: Keeps track of the order of data. It helps the receiver arrange everything correctly if packets arrive out of order.
4. Acknowledgment Number: Confirms which data has been received successfully and tells the sender what to send next.
5. Header Length (Data Offset): Indicates where the actual data begins inside the segment.
6. Reserved (3 bits): The Reserved (3 bits) field is a placeholder set to 0 that allows for the future addition of new control flags without changing the core TCP header structure.
7. Control Bits / Flags (9 bits total in modern TCP): These small switches control the connection. For example, SYN starts a connection, ACK confirms data, and FIN ends the connection.
8. Window Size: Controls how much data can be sent at one time. This helps manage data flow and prevents overload.
9. Checksum: Used to check if the data was damaged during transmission. If there is an error, the data can be resent.
10. Urgent Pointer: Used only when urgent data needs immediate attention.
11. Options: Extra settings that improve performance, like defining the maximum data size allowed.
12. Data (Payload): This is the actual information being sent, such as part of a webpage or file.

In short, the TCP header makes sure data is delivered correctly, in order, and without errors.

TCP Port Ranges: Doors to the Applications

If an IP address is like the street address of an apartment building, the Port Number is the specific apartment number you want to visit. TCP uses these port numbers to distinguish between different services or applications on a device.

Port numbers are 16-bit integers, which means the total possible range is from 0 to 65,535 (inclusive). These ports are logically divided into three main categories based on their purpose and standardization:

• Well-Known Ports (0–1023): Standardized by the Internet Assigned Numbers Authority, these are reserved for the most common internet services. For example, port 80 is HTTP, 443 is HTTPS, and 22 is SSH.
• Registered Ports (1024–49151): These are assigned to specific software vendors or applications. For instance, 3389 is used for Remote Desktop (RDP) and 3306 is used for MySQL databases.
• Dynamic / Private Ports (49152–65535): These ports are not assigned to any specific service. Instead, they are used temporarily by client systems when initiating connections. For example, when your browser connects to a website on port 443, your system will automatically choose a random high-numbered port from this range as the source port for the connection. These ports are typically short-lived and are mainly used for outbound communication rather than listening services.

Nmap scans these ports to identify which services are running.

UDP: The Fast & Reckless Courier

While TCP is the careful, reliable courier who gets a signature for every package, UDP (User Datagram Protocol) is the paperboy throwing the newspaper from a moving bicycle.

UDP is a connectionless and lightweight protocol. It does not establish a 3-way handshake before sending data. It simply throws the packets at the destination. UDP does not guarantee delivery or ordering of packets, and there is no mechanism for retransmission if a packet gets lost. It is also stateless, meaning every packet is completely independent.

Why use it? Because without the overhead of handshakes and acknowledgments, UDP is incredibly fast. It is perfectly suited for real-time applications where a little bit of data loss is acceptable, like VoIP phone calls, audio/video streaming, and online gaming.

TCP vs. UDP: The Quick Breakdown

To summarize exactly how these two protocols differ:

Because UDP does not respond with handshakes or acknowledgments, scanning a UDP port with Nmap takes significantly more time and requires an entirely different strategy than scanning a TCP port.

Why Some Nmap Scans Fail

In real-world environments, scans don’t always behave as expected.

Common reasons:

• Firewalls → Drop packets silently
• IDS/IPS systems → Detect unusual scan patterns
• NAT (Network Address Translation) → Hide internal systems
• Rate limiting → Slow down responses

This is why understanding networking fundamentals is critical — you’re not just scanning, you’re interpreting behavior.

Why These Fundamentals Matter for Nmap

At this point, you are no longer just memorizing commands — you understand what is happening underneath them.

• A SYN packet is not just a scan — it’s a connection attempt
• A RST response is not random — it’s a rejection
• A filtered port is not invisible — it’s being hidden

Every response tells a story. The difference now is that you can actually read it.

What’s Next in This Series

This blog is part of a structured series designed to take you from fundamentals to practical Nmap usage:

• Part 1: Networking Fundamentals (this blog)
• Part 2: Nmap Host Discovery — how systems are identified on a network
• Part 3: Port Scanning with Nmap — discovering exposed services
• Part 4: Firewall Detection & Evasion — understanding and bypassing defenses

Each part builds on the previous one, but is written so you can follow along even if you jump in at any stage.

Final Note

You now have a foundation that most beginners overlook.

Whenever you move forward — whether it’s tomorrow or later — focus on understanding, not just execution. Tools like Nmap are powerful, but only when you can interpret what they reveal.