Module 4 - Networking Basics for Defenders
Lesson at a glance
| Field | Value |
| --- | --- |
| Grade band | 9–12 |
| Total time | 60 minutes |
| Difficulty | Beginner |
| Required materials | Network diagram handout, packet-capture worksheet (printed), projector |
| Lab access | Optional Wireshark demo on the teacher’s machine - students do not run scans |
| Standards alignment | NICE Framework K0001, K0034; CSTA 3A-NI-04 |
Safety: Students do not run scans, capture traffic, or use Wireshark on the school network in this module. The teacher demonstrates only on a known-isolated capture or on a teacher-owned machine outside the school network.
Learning objectives
By the end of this lesson students will be able to:
- Explain in their own words what an IP address, port, and protocol each represent, with an analogy.
- Identify the layers involved in loading a webpage from typing a URL to seeing the rendered page.
- Read a small packet capture excerpt and identify whether the traffic is: (a) plain HTTP, (b) HTTPS, (c) DNS, or (d) something unusual that warrants investigation.
- Recognize three common indicators of suspicious network traffic.
Vocabulary
- IP address - the numeric address of a host on a network. IPv4 looks like 192.0.2.45; IPv6 looks like 2001:db8::1.
- Port - a number from 0–65535 that identifies a service on a host. HTTP is 80, HTTPS is 443, DNS is 53, SSH is 22.
- Protocol - the agreed rules for how two systems talk. HTTP, DNS, TLS, TCP, UDP, ICMP.
- DNS - the system that translates a name like school.edu into an IP address.
- TCP - connection-based; reliable; used for HTTP/HTTPS/SSH/most things.
- UDP - connectionless; faster, less reliable; used for DNS, video, games.
- Packet capture (pcap) - a saved record of network traffic.
- TLS / HTTPS - encrypted version of HTTP; defenders see destination but not contents.
Why this module (teacher background)
You can’t defend what you can’t see. The senior defender’s most useful skill is the ability to look at a list of network connections and have an opinion: that one is normal; that one is weird; that one is bad. That opinion comes from a mental model of what normal looks like.
This module builds that model. We’re not training packet-level analysts in 60 minutes. We’re training students to read a small capture and ask the right next question: why is my school laptop talking to that IP at 3 a.m.?
Materials checklist
- [ ] Printed Network Diagram Handout (the “Anatomy of a webpage load” diagram below).
- [ ] Printed Capture Worksheet with the 8 connection rows (below).
- [ ] Projector or board.
- [ ] Optional: Wireshark on the teacher’s machine, with a pre-recorded sample capture loaded.
Pacing - minute-by-minute
| Time | Block | What happens |
| --- | --- | --- |
| 0–6 | Opener | What happens when you type a URL? |
| 6–22 | Mini-lesson | IPs, ports, protocols; the “anatomy” diagram |
| 22–45 | Activity | Read 8 connection rows; classify and flag |
| 45–55 | Discussion | Build the “normal vs. weird” chart |
| 55–60 | Exit ticket | One normal, one weird |
0–6 min · Opener - what happens when you type a URL?
Write school.edu/library on the board. Ask: in one minute, what has to happen between pressing Enter and seeing the page?
Take voices. You will get answers like “the request goes to the server,” “DNS,” “the page loads.” Capture them in order.
Teacher script:
“Every step you just named is a place a defender can look. If you don’t know the steps, you don’t know where to look. So today we’re drawing the map.”
6–22 min · Mini-lesson
Anatomy of a webpage load (draw this on the board)
You (laptop)
|
| 1. DNS query - UDP port 53 - "what is the IP of school.edu?"
v
DNS resolver
|
| 2. DNS response - "school.edu is 203.0.113.10"
v
You (laptop)
|
| 3. TLS handshake - TCP port 443 - set up encrypted channel
| 4. HTTPS request - TCP 443 - encrypted "GET /library"
v
school.edu web server (203.0.113.10)
|
| 5. HTTPS response - TCP 443 - encrypted page contents
v
You (laptop) -> render the page
Stop after each numbered step. Ask: “What can a defender see at this step?”
| Step | Defender can see | Defender cannot see |
| --- | --- | --- |
| 1, 2 (DNS) | The name being looked up, the resolver used | (Names are usually plain unless DoH/DoT is used) |
| 3 (TLS handshake) | Source IP, destination IP, destination port (443), the SNI (server name) | The keys |
| 4, 5 (HTTPS body) | Volume, timing, source/dest IP, port | The content |
Say: “Most modern traffic is encrypted, which means defenders rely on metadata: who talked to whom, on what port, when, and how much. That’s usually enough to spot the weird thing.”
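Two of the “defender can see” cells above are worth showing at byte level: the question name in a classic DNS query (steps 1 and 2) and the SNI inside the TLS ClientHello (step 3), both readable by a network sensor with no keys at all. The Python below is an added example, not part of the lesson materials or the Answer Key PDF. It builds a DNS query and a minimal ClientHello from constructed values (the zeroed random and single cipher suite are sample data, not a real client’s) and then parses them the way a sensor such as Wireshark would.

```python
"""What a defender can read from steps 1 and 3 of the webpage-load diagram.

Added example, not from the lesson. Builds a DNS query and a minimal TLS
ClientHello as raw bytes (constructed inline so it runs offline), then parses
the DNS question name and the TLS SNI. The builders only produce sample input;
the two parsers are the point.
"""
import struct
from typing import Optional


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query (RFC 1035 layout): 12-byte header, then one A question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set, 1 question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_client_hello(server_name: str) -> bytes:
    """TLS record carrying a ClientHello whose only extension is SNI (RFC 6066 layout)."""
    host = server_name.encode()
    sni_list = b"\x00" + struct.pack("!H", len(host)) + host  # name_type=0 (host_name)
    sni_ext = struct.pack("!HH", 0, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)                 # client_version, random (zeros: sample only)
            + b"\x00"                              # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite (sample value)
            + b"\x01\x00"                          # one compression method (null)
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # type=client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type=handshake


def dns_question_name(pkt: bytes) -> str:
    """Steps 1/2: the looked-up name is in the clear in a plain UDP/53 query."""
    labels, pos = [], 12                           # skip the fixed 12-byte header
    while pkt[pos] != 0:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)


def tls_sni(pkt: bytes) -> Optional[str]:
    """Step 3: the ClientHello is unencrypted, so the SNI host name is visible.
    Returns None for anything that is not a ClientHello carrying an SNI extension."""
    if len(pkt) < 6 or pkt[0] != 0x16 or pkt[5] != 0x01:
        return None
    pos = 9 + 2 + 32                               # record hdr (5) + hs hdr (4) + version + random
    pos += 1 + pkt[pos]                            # session_id
    pos += 2 + struct.unpack_from("!H", pkt, pos)[0]   # cipher_suites
    pos += 1 + pkt[pos]                            # compression_methods
    if pos + 2 > len(pkt):
        return None                                # no extensions block at all
    ext_end = pos + 2 + struct.unpack_from("!H", pkt, pos)[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack_from("!HH", pkt, pos)
        pos += 4
        if ext_type == 0:                          # server_name extension
            name_len = struct.unpack_from("!H", pkt, pos + 3)[0]  # skip list_len(2) + name_type(1)
            return pkt[pos + 5:pos + 5 + name_len].decode()
        pos += ext_len
    return None


def what_defender_sees(dns_pkt: bytes, tls_pkt: bytes) -> dict:
    """The metadata a sensor gets from the two packets, with no keys involved."""
    return {"dns_name": dns_question_name(dns_pkt), "sni": tls_sni(tls_pkt)}


if __name__ == "__main__":
    print(what_defender_sees(build_dns_query("school.edu"), build_client_hello("school.edu")))
```

Run it and both fields come back as school.edu: the name is exposed twice before a single byte of the page is sent, which is exactly why the table lists the name and the SNI on the “can see” side. Feeding `tls_sni` an application-data record (type 0x17) returns None, which is the “cannot see” side of rows 4 and 5.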
IP, port, protocol - the analogy
An IP address is the street address of the building. A port is the apartment number inside the building. A protocol is the language they speak when you knock.
Reinforce with: a laptop has one IP but talks on many ports at once - port 443 for the browser, port 53 for DNS, port 5223 for the messaging app. The defender sees them as separate conversations even though they share the same address.
22–45 min · Activity - read the capture (23 minutes)
Hand out the Capture Worksheet. Students work individually or in pairs. Each row is a real-style connection summary like an analyst would see in a SIEM.
For each row they fill in:
- Protocol guess (HTTPS / HTTP / DNS / SSH / Other)
- Verdict (Normal / Suspicious / Needs more info)
- One-sentence reason
Capture rows (also on the worksheet)
| # | Source | Source port | Destination | Dest port | Bytes | Time |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | 10.1.1.42 | 50321 | 142.250.190.78 | 443 | 28,440 | 09:14:02 |
| 2 | 10.1.1.42 | 50322 | 8.8.8.8 | 53 | 84 | 09:14:02 |
| 3 | 10.1.1.42 | 50334 | 203.0.113.10 | 80 | 1,210 | 09:14:08 |
| 4 | 10.1.1.42 | 50345 | 198.51.100.7 | 22 | 4,210,000 | 02:47:16 |
| 5 | 10.1.1.42 | 50360 | 142.250.190.78 | 443 | 240 | 09:14:30 |
| 6 | 10.1.1.42 | 50361 | 192.0.2.66 | 4444 | 96 | 02:47:18 |
| 7 | 10.1.1.42 | 50362 | 1.1.1.1 | 53 | 96 | 09:14:33 |
| 8 | 10.1.1.42 | 50380 | 185.220.101.45 | 9001 | 18,200 | 02:51:04 |
A complete worked answer is in the Answer Key PDF.
45–55 min · Discussion - normal vs. weird
Build a 2-column chart: Normal and Weird.
Walk through each row. Watch for these teaching moments:
- Row 3 (port 80, plain HTTP): Many cohorts mark this Normal. Push: in 2025, plain HTTP from a managed school laptop to an unknown destination is unusual. It’s not necessarily malicious, but it is weird enough to investigate.
- Row 4 (SSH at 2:47 a.m., 4 MB outbound): Watch for “SSH is a normal protocol so this is fine.” The pattern matters: time of day, volume, and destination. SSH at 2:47 a.m. transferring megabytes from a school workstation that nobody is supposed to be using is a strong investigation lead.
- Row 6 (port 4444): Port 4444 is a Metasploit default. Should not be on a student laptop. Strong indicator of compromise or testing-without-authorization.
- Row 8 (port 9001 to 185.220.101.45): That IP range is publicly tracked as a Tor exit node, and 9001 is a common Tor relay port. Not automatically malicious, but very much investigate-now territory on a managed network.
Reinforce: the defender’s skill is pattern recognition, not memorization. The student who finishes this lesson can look at a row and say that doesn’t fit, even before they know exactly what it is.
55–60 min · Exit ticket
Name one connection from the capture you’d label Normal (and why), and one you’d label Weird (and why).
Differentiation and supports
- Below grade level / EL: Provide protocol-port lookup card (53 = DNS, 80 = HTTP, 443 = HTTPS, 22 = SSH).
- Above grade level: Extension - given Row 4 is suspicious, draft the next 3 questions you would ask the user / IT / your SIEM.
- IEP/504: Reduce capture to rows 1, 2, 4, 6, 8.
Common student misconceptions
- “HTTPS is safe.” HTTPS is encrypted, not vetted. Malware uses HTTPS too.
- “Internal IPs are safe.” Lateral movement happens between internal IPs. Internal traffic still needs an opinion.
- “If the protocol is normal, the connection is normal.” Time, volume, and destination are part of the verdict.
Career connection
- Network defender / NetSec analyst - $75K–$120K. Reads connection logs all day.
- SOC analyst - $55K–$80K. Triages alerts that look exactly like the capture rows in this lesson.
- Threat hunter - $100K–$150K. Looks for the weird thing before any alert fires.
Assessment
- Formative: Capture worksheet - verdicts and reasoning across all 8 rows.
- Summative: Exit ticket - one normal and one weird, with reasoning that names a pattern, not just a fact.
Answer Key (summary - full version in the Answer Key PDF when generated)
| Row | Likely protocol | Verdict | Why |
| --- | --- | --- | --- |
| 1 | HTTPS | Normal | Outbound 443 to a major CDN, school hours, modest size. |
| 2 | DNS | Normal | UDP-sized 84 bytes to 8.8.8.8 on port 53. |
| 3 | HTTP | Suspicious | Plain HTTP in 2025 is unusual on a managed device. Investigate destination. |
| 4 | SSH | Suspicious | 2:47 a.m., 4 MB outbound. Volume + time + protocol = investigate now. |
| 5 | HTTPS | Normal | Same destination as row 1; small bytes; school hours. |
| 6 | Other (port 4444) | Strong indicator | 4444 is a known Metasploit default. Off-hours. Investigate now. |
| 7 | DNS | Normal | DNS to Cloudflare. |
| 8 | Other (port 9001) | Strong indicator | Off-hours, IP range used by Tor exit relays. Policy violation at minimum; possibly compromise. |
