NET-101 Anchor Reading Guide

*VCA-NET-101 cross-chapter reading-guide handout. Companion to the catalog page at https://virtuscyberacademy.org/vca-net-101. Audience: Belt-3 networking-track students arriving from the catalog's distilled "What Belt-3 Networking Track Graduates Recognize" register. *

The catalog page tells you WHAT the course covers. This guide tells you HOW to read the canonical anchors that build the Belt-3: which books, in which order, what to extract on each pass, and how the anchors compose into a coherent vocabulary that prepares you for NET-201, CCNA credential prep, and the documented-home-network capstone.

§0. What this guide is for

NET-101 is the academy's networking-track foundations course. Four anchors carry the Belt-3: Stevens and Fall's TCP/IP Illustrated, Volume 1 for the bottom-up wire-protocol vocabulary, Kurose and Ross's Computer Networking: A Top-Down Approach (9th edition) for the top-down pedagogical narrative, Beej's Guide to Network Programming for the build-it-yourself socket-programming complement, and Sanders's Practical Packet Analysis (3rd edition) for the Wireshark-practitioner companion.

The four primary anchors do not compose a textbook tour. Stevens and Kurose-Ross compose the canonical narrative pair the discipline reads itself through; Beej and Sanders provide the practitioner companions that make the textbook material runnable. By the end of NET-101 a student should be able to (a) discuss the OSI layer model, the TCP three-way handshake, IP routing fundamentals, DHCP and DNS, application-layer protocols (HTTP, TLS), and packet-capture-and-analysis discipline in the same vocabulary the tools and texts use, (b) write small Python socket programs that exercise the protocol vocabulary, (c) capture and read packets in Wireshark, and (d) move into NET-201 with the practitioner-foundation literacy that the next belt assumes.

The NET-101 reading list overlaps significantly with the NET-301 reading list. Both reference Stevens and both reference Kurose-Ross 9e. The Belt-3 framing reads them at shallower depth: Stevens Chapters 1-3 and 7 at NET-101; Stevens Chapter 16 at NET-301. Kurose-Ross Chapters 1-2 and 4-6 at NET-101; Kurose-Ross §7.4 plus §8.8.2 plus §7.5.4 at NET-301. The Belt-3 reads for fluency in the foundational vocabulary; the Belt-5 reads for engagement-application of the deeper material. Same authors; same texts; different chapters; different goals.

This guide is opinionated by design. It is not a comprehensive bibliography. Anchors that other peer programs lean on (Tanenbaum's Computer Networks; the Cisco CCNA reading list read cover to cover; the IETF RFC corpus read directly) are deliberately not the primary anchors at this level because they are encyclopedic, vendor-shaped, or graduate-research material. NET-101 graduates know the comprehensive material exists; they were trained on the opinionated material.

The guide reads Stevens before Kurose-Ross because Stevens's bottom-up wire-protocol depth gives the vocabulary that Kurose-Ross's top-down pedagogical narrative orchestrates; reversing the order forces students to install vocabulary while reading about the architecture. Beej and Sanders read in parallel with the textbook pair: students who write socket programs while reading about TCP have the right Belt-3; students who only read have textbook fluency and no bench fluency.

§1. The anchor reading register

Four anchors. Read in this order on first pass; revisit per the per-anchor walks below for capstone preparation.

Anchor 1: Stevens + Fall, TCP/IP Illustrated, Volume 1: The Protocols, 2nd edition

Edition / pointer: W. Richard Stevens and Kevin R. Fall, TCP/IP Illustrated, Volume 1: The Protocols, 2nd edition, Addison-Wesley, 2011 (ISBN 978-0-321-33631-6). The 1st edition (Stevens, 1994) is the foundational text; the 2nd edition (Stevens-and-Fall, posthumously updated) extends the coverage to modern protocols. NET-101 reads Chapters 1-3 (introduction; link layer; ARP and IP) and Chapter 7 (TCP; the three-way handshake) at Belt-3; later chapters belong at Belt-4 and Belt-5. Library-acquire or paperback ~$80-100.

Why this matters at Belt-3: Stevens and Fall's TCP/IP Illustrated is the bottom-up wire-protocol depth reference. The chapters walk each protocol byte by byte: the Ethernet frame, the ARP request and reply, the IP header, the TCP header, the TCP three-way handshake. The book is the closest analog the networking discipline has to Petzold's CODE in the CSA track: a foundational text that walks the layer-by-layer wire format until the reader can read any packet capture without reaching for a reference. A NET-101 graduate who has internalised Chapters 1-3 plus Chapter 7 can read a Wireshark capture and name what is happening at every layer; without Stevens the same student is reading the tool's prose rather than the protocols' bits.

Suggested reading order: First. Read Stevens before Kurose-Ross because Stevens's wire-protocol vocabulary is what Kurose-Ross's top-down narrative assumes. Read Stevens before Sanders because Sanders walks Wireshark captures that read more clearly when the student can name the bits. The first-read pass should land Chapters 1-3 plus Chapter 7; revisit specific chapters as labs encounter the material at depth.

Cross-link to academy artifacts: NET-101 Lab 4 (Wireshark capture of a TCP three-way handshake; Stevens Chapter 7 is the textbook companion); NET-101 Lab 6 (Python socket exercise; Stevens Chapter 7 plus Beej Chapters 1-4 compose the read); NET-201 (Stevens reads at deeper register; advanced TCP options and TCP edge cases); NET-301 reading-guide handout (Stevens returns at Chapter 16 for the engagement-tier congestion-control walk).

Anchor 2: Kurose + Ross, Computer Networking: A Top-Down Approach, 9th edition

Edition / pointer: James F. Kurose and Keith W. Ross, Computer Networking: A Top-Down Approach, 9th edition, Pearson, 2021 (ISBN 978-0-13-592861-5). The 9th edition is the canonical academy reference because the 9e treatment of 4G/5G NR + 5G Core + 5G mobility + QUIC is substantially more current than the 8e. Per academy edition discipline (D7 net-track edition uplift), 9e is the only edition cited; 8e citations are forbidden in academy prose. NET-101 reads Chapters 1-2 plus 4-6 at Belt-3; the 5G chapters return at NET-301. Library-acquire or paperback ~$90-200.

Why this matters at Belt-3: Kurose and Ross's top-down approach starts at the application layer (HTTP, DNS, SMTP, P2P) and walks down to the link layer; the inverse of Stevens. The book is the discipline's most-adopted introductory text internationally. The pedagogical move is that students learn what the network does (applications) before they learn how (TCP, IP, link-layer mechanics); the orchestration of layers becomes legible because the student already knows what the layers serve. A NET-101 graduate who has internalised Chapters 1-2 plus 4-6 can articulate the layered architecture, name the canonical protocols at each layer, and explain why the layering exists at all.

Suggested reading order: Second. Read Kurose-Ross after Stevens because Kurose-Ross's narrative assumes the wire-format vocabulary Stevens installs. Students should treat the textbook as a re-orientation pass: read Stevens for the bits, then read Kurose-Ross for the architecture, then return to specific Stevens chapters for the byte-level depth on protocols Kurose-Ross has now framed.

Cross-link to academy artifacts: NET-101 Lab 1 (OSI plus TCP/IP layer-model exercise; Kurose-Ross Chapter 1 is the textbook companion); NET-101 Lab 2 (DNS resolution walk; Kurose-Ross Chapter 2 plus Stevens Chapter 14 compose the read); NET-201 (Kurose-Ross reads at deeper register on routing protocols and SDN); NET-301 reading-guide handout (Kurose-Ross 9e §7.4 + §8.8.2 + §7.5.4 are the Belt-5 anchors for cellular core, 5G-AKA, and Mobile-IP; the chapters covered at NET-301 are deliberately the chapters NET-101 does not walk).

Anchor 3: Hall, Beej's Guide to Network Programming

Edition / pointer: Brian "Beej" Hall, Beej's Guide to Network Programming, free PDF and HTML at beej.us/guide/bgnet (continuously updated since the late 1990s; ~15-year canonical socket-programming intro). Paperback also available ~$15. The free online edition is canonical; the paperback is convenient for offline reading.

Why this matters at Belt-3: Beej's guide is the academy's primary build-it-yourself anchor for networking. The guide walks BSD-socket programming in C from "what is a socket?" through TCP and UDP server-and-client patterns through select-poll-and-epoll multiplexing. Python's socket module is BSD-socket-shaped, so the guide's vocabulary translates directly. A NET-101 graduate who has walked Beej Chapters 1-4 can write a Python TCP server and client that exchange data, parse headers, and handle connection lifecycles; the practitioner-foundation literacy NET-201 assumes.

Suggested reading order: Third. Read Beej after Stevens because Beej's guide assumes the TCP and IP vocabulary Stevens installs. Read Beej before Sanders because Sanders walks captures that read more clearly when the student has written code that produces the same captures. The first-walk pass should land Chapters 1-4; the multiplexing chapters belong at NET-201 register.

Cross-link to academy artifacts: NET-101 Lab 6 (Python socket TCP server-and-client exercise; Beej is the canonical companion); NET-101 capstone (the documented-home-network artifact includes a Python script that probes specific services; Beej Chapter 5 is the canonical reference for that script's structure); NET-201 (Beej reads at deeper register on advanced socket options and multiplexed servers).

Anchor 4: Sanders, Practical Packet Analysis, 3rd edition

Edition / pointer: Chris Sanders, Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems, 3rd edition, No Starch Press, 2017 (ISBN 978-1-59327-802-1). The Wireshark-practitioner narrative; supplements Wireshark labs and capture-discipline. Paperback ~$50.

Why this matters at Belt-3: Sanders's Practical Packet Analysis walks Wireshark from the practitioner perspective: how to capture, how to filter, how to read the captures, how to debug specific real-world problems. The book is opinionated about what matters at the practitioner-foundation tier (filter expressions students will actually use; capture-from-the-wire-not-from-pcap-files discipline; protocol-dissector inspection) and uses real-world capture files throughout. A NET-101 graduate who has internalised Sanders's Chapters 1-7 can capture and analyse traffic in Wireshark with practitioner-foundation fluency; without Sanders the same student is reading the tool's documentation rather than the practitioner's narrative.

Suggested reading order: Fourth. Read Sanders in parallel with NET-101 Labs 4-7 (the Wireshark labs); the book's example captures map closely onto the academy's lab harness. Students who have written socket programs (per Beej) and who have read the wire format (per Stevens) approach Sanders with the right vocabulary already installed.

Cross-link to academy artifacts: NET-101 Labs 4-7 (every primary Wireshark lab has a named Sanders chapter companion); NET-101 capstone (the documented-home-network artifact requires a Wireshark capture; Sanders's Chapter 7 is the canonical reference for the capture-and-analyse section); the academy's tshark-Wasm Workbench (Pyodide-hosted browser Wireshark; Sanders's display-filter discipline applies); NET-301 reading-guide handout (Sanders does not return at NET-301; Bejtlich's Practice of Network Security Monitoring takes the practitioner anchor at the engagement register).

§2. Stevens + Fall deep walk: bottom-up wire-protocol vocabulary

Stevens's TCP/IP Illustrated (2nd edition with Fall) is the bottom-up wire-protocol foundation. Read for the layer-by-layer byte-level vocabulary as the book's central operational primitive.

What to extract

A Belt-3 graduate should carry the following five facts from Chapters 1-3 plus Chapter 7:

1. The Ethernet frame is six fields. Destination MAC, source MAC, EtherType, payload, optional padding, CRC. Belt-3 graduates should be able to identify each field in a Wireshark capture without reaching for the reference.
2. ARP is the link-layer-to-network-layer translator. ARP requests broadcast a "who has this IP?" query; ARP replies unicast a "I have it; here is my MAC" response. The ARP cache is per-host; spoofing the cache is a foundational attack pattern.
3. The IP header is twelve fields. Version, header length, TOS, total length, identification, flags, fragment offset, TTL, protocol, header checksum, source IP, destination IP. Belt-3 graduates should know each field at the conceptual register and be able to identify the most-cited ones (TTL, protocol, source/destination) in a capture.
4. The TCP three-way handshake is SYN, SYN-ACK, ACK. The client SYN carries the client's initial sequence number; the server SYN-ACK acknowledges the client SYN and carries the server's initial sequence number; the client ACK acknowledges the server SYN. After three packets the connection is established. Belt-3 graduates should be able to identify the three packets in any TCP capture.
5. TCP sequence numbers are byte counts, not packet counts. The 32-bit sequence-number field counts bytes within the connection's stream; acknowledgments name the next expected byte. The ACK number minus the SYN's initial sequence number is how much data the receiver has accepted. Belt-3 graduates should be able to walk a sequence-number diagram and explain TCP's reliable-stream abstraction in their own words.

What is out-of-scope at Belt-3

Stevens and Fall's later chapters (advanced TCP options; congestion control at depth; advanced IP routing; IPv6 mobility) belong at NET-201 and NET-301 register. The book's chapters on specific application protocols (DHCP at Chapter 4; DNS at Chapter 11) are valuable as supplementary reading and out-of-scope at the Belt-3 first-pass tier.

Cross-anchor connections

Stevens's wire-format vocabulary is the foundation Kurose-Ross's top-down narrative assumes; reading Stevens first makes Kurose-Ross legible as architecture-over-bits rather than as architecture-without-bits. Stevens's TCP three-way handshake walk lands directly on Beej's TCP server-and-client examples; the student who has read Stevens recognises every line of Beej's setsockopt-and-accept code. Stevens's capture-format vocabulary is the foundation Sanders walks; the student who has read Stevens reads Sanders's Wireshark captures with the bytes already legible.

§3. Kurose + Ross 9e deep walk: top-down architectural narrative

Kurose-Ross 9e is the discipline's most-adopted introductory textbook. Read for the architectural orchestration as the book's central operational primitive.

What to extract

A Belt-3 graduate should carry the following five facts from Chapters 1-2 plus 4-6:

1. The Internet has two definitions: a description (chapter 1.1) and a service (chapter 1.2). The description names the components (hosts, links, routers, packet-switching); the service names the abstraction (best-effort connectionless plus connection-oriented reliable on top). Belt-3 graduates should be able to articulate both definitions and explain why the discipline holds them simultaneously.
2. The five-layer model (application, transport, network, link, physical) is the textbook's pedagogical frame. The model is a simplification of the OSI seven-layer model; the simplification is deliberate (the OSI session and presentation layers do not earn their pedagogical place at Belt-3). Belt-3 graduates should know both models and the reasons the academy uses the five-layer simplification at Belt-3.
3. HTTP is the canonical application protocol. Chapter 2 walks HTTP request-response; persistent versus non-persistent connections; cookies; web caching. HTTP is the protocol every student already knows and the right teaching anchor for the application layer; Belt-3 graduates should be able to walk an HTTP request-response and identify the canonical headers.
4. Reliable data transfer is a layered construction. Chapter 3 walks the construction of a reliable transport layer (rdt 1.0 through rdt 3.0) before introducing TCP; the construction makes TCP's design legible as a specific point on a recognised design space rather than as a magic protocol. Belt-3 graduates should be able to articulate why TCP's design choices (sequence numbers, ACKs, retransmission) are not arbitrary.
5. Routing is hierarchical. Chapter 5 walks intra-AS routing (RIP, OSPF) and inter-AS routing (BGP) as two distinct problems with distinct algorithms. Belt-3 graduates should be able to articulate the difference and name the canonical protocols at each layer.

What is out-of-scope at Belt-3

Kurose-Ross 9e's later chapters (§7.3.3 5G NR; §7.4 5G Core; §7.5.3 5G mobility; §8.8.2 5G-AKA) belong at NET-301 and RF-301 register; NET-101 students should know these chapters exist and that they will be picked up at Belt-5. The book's wireless chapter (§8.1-§8.7) covers the 802.11 substrate at Belt-3 but is out-of-scope at NET-101 because the academy puts wireless on the WIR-101 track instead. The book's network-management chapter belongs at NET-201 register.

Cross-anchor connections

Kurose-Ross's architectural narrative orchestrates Stevens's wire-format vocabulary; the two together compose the canonical narrative pair the discipline reads itself through. Kurose-Ross's HTTP walk lands directly on the Wireshark captures Sanders walks; the student who has read both can capture an HTTP request and identify every header without consulting a reference. Kurose-Ross's routing chapter prepares the student for NET-201's OSPF and BGP labs.

§4. Beej deep walk: build-it-yourself socket programming

Beej's guide is the discipline's foundational build-it-yourself anchor. Walk for the BSD-socket pattern as the guide's central operational primitive.

What to extract

A Belt-3 graduate should carry the following five facts from Chapters 1-4:

1. A socket is a file descriptor with network semantics. The BSD-socket API treats a socket as a special-purpose file descriptor; read, write, close work with appropriate constraints. Belt-3 graduates should be familiar with the file-descriptor abstraction.
2. The TCP server pattern is socket, bind, listen, accept, recv, send, close. Beej's Chapter 5 walks the canonical server skeleton. Belt-3 graduates should be able to write the skeleton in Python without reaching for a reference.
3. The TCP client pattern is socket, connect, send, recv, close. Belt-3 graduates should be able to write a TCP client that talks to the server they wrote in fact 2.
4. getaddrinfo is the modern host-and-port resolver. Earlier APIs (gethostbyname, gethostbyaddr) are deprecated; getaddrinfo handles both IPv4 and IPv6 and is what every modern socket program uses. Belt-3 graduates should know that getaddrinfo is the right call.
5. Network byte order is big-endian. Multi-byte integers on the wire are big-endian; host architectures may differ; htons, htonl, ntohs, ntohl are the canonical translation functions. Belt-3 graduates should know the network-byte-order discipline and write code that honours it.

What is out-of-scope at Belt-3

Beej's later chapters (select-poll-and-epoll multiplexing; advanced socket options; raw sockets) belong at NET-201 capstone register. The C-specific API details (sizeof and pointer-cast patterns) are interesting as practitioner-narrative material and out-of-scope for Python-first NET-101 students.

Cross-anchor connections

Beej's TCP-server-and-client patterns instantiate Stevens's three-way-handshake walk; the student who has read Stevens watches the handshake happen in their own code. Beej's getaddrinfo discipline lands on Kurose-Ross's DNS chapter; the student who has walked DNS recognises the resolution that getaddrinfo performs under the hood. Beej's network-byte-order discipline lands on Stevens's IP-header walk; the multi-byte fields the IP header carries are the bytes htons and htonl translate.

§5. Sanders deep walk: Wireshark practitioner narrative

Sanders's Practical Packet Analysis is the academy's canonical Wireshark-practitioner anchor. Read for the capture-and-analyse discipline as the book's central operational primitive.

What to extract

A Belt-3 graduate should carry the following five facts from Chapters 1-7:

1. Capture-from-the-wire is the practitioner default. Sanders is opinionated that capturing from the wire (rather than reading pre-recorded pcap files) is what builds practitioner intuition. The academy's lab harness preserves the discipline; students should capture rather than load whenever the lab permits.
2. Display filters are the practitioner's primary diagnostic tool. Wireshark's display-filter language (tcp.flags.syn==1; ip.addr==1.2.3.4; http.request.method=="POST") lets the practitioner narrow a capture to the relevant traffic. Belt-3 graduates should be familiar with the canonical filter expressions and able to compose new ones from the spec.
3. Capture filters are different from display filters. Capture filters use BPF syntax (tcp port 80; host 1.2.3.4); display filters use Wireshark's own language. Belt-3 graduates should know the difference and not confuse the two.
4. Following streams is the conversation-level diagnostic. Wireshark's "Follow TCP Stream" presents the application-layer payload in a conversation-readable form. Belt-3 graduates should be able to follow a stream and identify the canonical application protocols (HTTP, TLS handshake, SSH banner).
5. Packet dissectors expose protocol structure. Wireshark's per-protocol dissectors expand the capture's bytes into named fields; the dissector tree is the practitioner's primary protocol-walk tool. Belt-3 graduates should be able to expand any packet's dissector tree and name what each field represents.

What is out-of-scope at Belt-3

Sanders's later chapters (advanced filter composition; performance analysis; security-incident response) belong at NET-201 and SEC-101 register. The chapters on specific tcpdump-and-tshark CLI patterns are valuable as supplementary reading and out-of-scope at the Belt-3 first-pass tier.

Cross-anchor connections

Sanders's display-filter discipline lands directly on Stevens's wire-format vocabulary; the filter expressions name the fields Stevens walks. Sanders's follow-stream walk lands on Kurose-Ross's application-layer chapter; the streams the student follows are the HTTP and DNS conversations Kurose-Ross frames. Sanders's capture-from-the-wire discipline lands on Beej's socket programs; the student who has written a TCP server can capture their own server's traffic and read it in Wireshark.

§6. Summary: how the anchors compose at Belt-3

The composition is opinionated by design. Stevens gives the bottom-up vocabulary; Kurose-Ross gives the top-down architecture; Beej gives the build-it-yourself complement; Sanders gives the practitioner-tool fluency. The four anchors do not reduce to one anchor; each earns its place because the others assume its content. The Belt-3 is what the composition produces.

§7. What's next at Belt-4 and Belt-5

NET-101 graduates carry the four-anchor foundation into NET-201 (Belt 4; intermediate networking; small-enterprise architecture; Suricata and Zeek NSM-lite) and into NET-301 (Belt 5; advanced networking at carrier, datacenter, line-rate, and adversary scale). Two of the four anchors return at deeper register:

• Stevens returns at NET-201 and NET-301; NET-201 reads advanced TCP options and TCP edge cases; NET-301 reads Chapter 16 for the engagement-tier congestion-control walk (Reno, NewReno, CUBIC, BBR). The NET-301 reading-guide handout (handouts/cross-chapter-net-301-anchor-reading-guide.md) is the companion at Belt-5.
• Kurose-Ross 9e returns at NET-301; the Belt-5 anchors are §7.4 (5G Core decomposition), §8.8.2 (5G-AKA authentication), and §7.5.4 (Mobile-IP architectural baseline). The NET-301 reading-guide handout walks these chapters at engagement depth.
• Beej does not return at NET-201 or NET-301; the build-it-yourself complement at deeper belts shifts to specific tooling (Suricata signature authoring; Zeek scripting; FRR routing-protocol implementations).
• Sanders does not return at deeper belts; the practitioner-tool anchor at NET-301 register is Bejtlich's Practice of Network Security Monitoring. The NET-301 reading-guide handout names Bejtlich as the Belt-5 NSM-discipline anchor.

The capstone work NET-101 prepares for: a documented map of the student's home network with traffic analysis, including device-by-device service identification, a Python probe script, and a 24-hour Wireshark capture with annotated findings. Students who carry the four-anchor foundation into the capstone produce stronger artifacts than students who learn the vocabulary during the capstone.

Credential-prep parallel: the Cisco CCNA credential maps onto the NET-101 curriculum at the Networking Essentials and Network Fundamentals tier; NET-101 graduates can sit the CCNA examination with the additional Cisco-specific switching, routing, and wireless modules. The CompTIA Network+ credential is the vendor-neutral alternative.

§8. Cross-references