What Really Happens When You Open a Website? | A Beginner’s Network Security Perspective
A step-by-step breakdown of how data moves across the internet, from DNS resolution to TCP connections and packet routing

Software engineering learner documenting my journey across Java, backend development, DSA, and cybersecurity. I write beginner-friendly explanations, practical notes, and lessons learned while building and analyzing real-world systems.
When I started learning network security, I thought it was about memorizing protocols and port numbers.
But everything changed when I asked myself a simple question:
What actually happens when I open a website?
Not “in theory” but technically, packet by packet.
Let’s break it down the way I finally understood it.
Step 1: Your Device Needs an Identity
Before your laptop talks to anything, it needs an identity, an IP address.
An IPv4 address looks simple:
192.168.1.10
But behind that simplicity:
It’s 32 bits long.
Divided into four octets.
Each octet ranges from 0–255.
If your subnet mask is /24, it means the first 24 bits identify the network, and the remaining bits identify devices inside it.
That’s how your system knows:
Who belongs inside your network.
Who is outside and must go through a router.
And since IPv4 gives us only around 4 billion addresses, we use private IP ranges inside networks and something called NAT to connect to the internet (more on that in Part 2).
IPv4 isn’t the only version of IP anymore.
IPv6 was introduced to solve the address exhaustion problem, and it’s very different:
128-bit address space (instead of 32-bit in IPv4)
Written in hexadecimal, separated by colons
Provides an almost unlimited number of addresses
Reduces the need for NAT in modern networks
Example IPv6 address:
2001:0db8:85a3::8a2e:0370:7334
While IPv4 still dominates many networks, IPv6 is the future, especially as cloud infrastructure, IoT, and large-scale deployments continue to grow.
Step 2: TCP vs UDP – How Conversations Begin
Now your system wants to talk to a web server.
This communication happens using transport protocols, mainly TCP or UDP.
If protocols had personalities:
UDP is fast and careless. It sends data without checking if it arrived.
TCP is cautious and reliable. It ensures everything is delivered properly.
When you open a website, TCP is used.
Before sending any data, TCP performs something called a three-way handshake:
SYN → “Can we talk?”
SYN-ACK → “Yes, I’m ready.”
ACK → “Let’s begin.”
Only after this trust-building process does actual data flow.
This handshake also explains why attacks like SYN flooding work: attackers abuse this connection setup mechanism.
Step 3: The Packet Gets “Dressed” (Encapsulation)
One concept that completely changed how I view networking is encapsulation.
Your data doesn’t travel alone. It gets wrapped layer by layer:
Application creates data (like an HTTP request).
TCP adds a header → becomes a segment.
IP adds a header → becomes a packet.
Ethernet/Wi-Fi adds header + trailer → becomes a frame.
By the time it leaves your laptop, it’s wearing multiple layers.
Each router along the way reads certain headers, forwards the packet, and passes it on.
Understanding this made tools like Wireshark finally make sense to me.
Step 4: The Life of a Packet
Let’s say I search for something online.
Here’s what actually happens:
My browser creates an HTTPS request.
TCP establishes a connection.
IP adds my source IP and the server’s destination IP.
The frame is sent to my router.
Routers inspect the destination IP and forward it.
At every router, something interesting happens:
There’s a field in the IP header called TTL (Time To Live).
Every router decreases TTL by 1.
If TTL reaches 0, the router drops the packet.
It sends back an ICMP “Time Exceeded” message.
That’s how traceroute maps the path between you and a destination.
Networking suddenly stopped feeling magical and started feeling logical.
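The layering from Step 3 and the fields from Steps 2 and 4 (TCP flags, TTL), as an added example that is not part of the original post: it builds a constructed frame and peels it back header by header, the way a packet analyzer does. The MAC addresses, IP addresses, ports and sequence number are made-up sample values, and the checksums are left at zero.

```python
import socket
import struct

TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))

def build_sample_frame(ttl=64, flags=0x02):
    """Constructed sample: Ethernet + IPv4 + TCP headers, no payload, no trailer."""
    eth = bytes.fromhex("aabbccddeeff112233445566") + struct.pack("!H", 0x0800)
    # ver/IHL, TOS, total length, id, frag, TTL, proto=6 (TCP), checksum (unset)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, ttl, 6, 0,
                     socket.inet_aton("192.168.1.10"),
                     socket.inet_aton("203.0.113.5"))
    # src port, dst port, seq, ack, data offset, flags, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", 50000, 443, 1000, 0, 5 << 4, flags, 64240, 0, 0)
    return eth + ip + tcp

def parse_frame(frame):
    """Peel Ethernet -> IPv4 -> TCP and return the fields a router or analyst reads."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]                      # frame minus Ethernet header
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("bad IPv4 header")
    ihl = (packet[0] & 0x0F) * 4             # header length in bytes; options make it > 20
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    if packet[9] != 6:
        raise ValueError("not TCP")
    segment = packet[ihl:]                   # packet minus IP header
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", segment[:4])
    return {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "ttl": packet[8],
        "sport": sport, "dport": dport,
        "flags": [name for bit, name in TCP_FLAGS if segment[13] & bit],
    }

if __name__ == "__main__":
    print(parse_frame(build_sample_frame()))            # first handshake step: SYN
    print(parse_frame(build_sample_frame(flags=0x12)))  # server reply: SYN-ACK
```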
ICMP – The Silent Messenger
You’ve probably used:
ping google.com
That uses ICMP (Internet Control Message Protocol).
Echo Request → “Are you alive?”
Echo Reply → “Yes, I am.”
Simple.
But in security terms:
Ping sweeps help attackers discover live systems.
ICMP tunneling can bypass firewall restrictions.
Even diagnostic tools can become attack tools.
What Changed for Me After This
Before this module:
Networking felt abstract.
After understanding packet flow:
I see open ports as entry points.
I see TCP flags as potential scanning behavior.
I see TTL values as routing clues.
I see ICMP traffic as both diagnostic and reconnaissance activity.
And that’s when I realized:
Network security isn’t about definitions.
It’s about understanding how trust works between machines.
👉 In Part 2, I’ll explore where this trust breaks: ARP spoofing, DHCP attacks, NAT misconceptions, and how vulnerabilities are actually prioritized in real-world security teams.
Part 2: https://thinksecure.hashnode.dev/where-networks-become-vulnerable


