diff --git a/networking/basics.md b/networking/basics.md
new file mode 100644
index 0000000..95192a2
--- /dev/null
+++ b/networking/basics.md
@@ -0,0 +1,137 @@
+# You
+
+Check how your computer connects to the net:
+
+> ip address show
+
+
+```
+
+1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UP group default qlen 1000
+    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+    inet 127.0.0.1/8 scope host lo
+       valid_lft forever preferred_lft forever
+    inet6 ::1/128 scope host 
+       valid_lft forever preferred_lft forever
+3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
+    link/ether 84:3a:4b:ca:5c:24 brd ff:ff:ff:ff:ff:ff
+    inet 192.168.0.13/24 brd 192.168.0.255 scope global dynamic noprefixroute wlp3s0
+       valid_lft 199143sec preferred_lft 172143sec
+    inet6 fe80::22:5eb9:8a3a:95b2/64 scope link 
+       valid_lft forever preferred_lft forever
+4: wwp0s20u4i6: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+    link/ether fa:cd:4d:28:ec:dc brd ff:ff:ff:ff:ff:ff
+    inet 169.254.104.159/16 brd 169.254.255.255 scope global noprefixroute wwp0s20u4i6
+       valid_lft forever preferred_lft forever
+    inet6 fe80::e9d3:506c:c0a9:6679/64 scope link 
+       valid_lft forever preferred_lft forever
+
+```
+
+That's too much output to read, so try:
+
+> ip address show | grep inet
+
+```
+
+    inet 127.0.0.1/8 scope host lo
+    inet6 ::1/128 scope host 
+    inet 192.168.0.13/24 brd 192.168.0.255 scope global dynamic noprefixroute wlp3s0
+    inet6 fe80::22:5eb9:8a3a:95b2/64 scope link 
+    inet 169.254.104.159/16 brd 169.254.255.255 scope global noprefixroute wwp0s20u4i6
+    inet6 fe80::e9d3:506c:c0a9:6679/64 scope link 
+
+```
+
+The starting numbers tell you about the address. You just have to memorize the meanings:
+
+| Address Prefix | Meaning |
+|:---:|:---:|
+| 127.X | The computer's name for itself, for when you want to ssh into your own machine |
+| ::1/128 | Same thing, with ipv6 |
+| 192.168.X | A small network address, given by a DHCP server (possibly your router) |
+| 169.X | The interface to the internet wasn't given an ip address, so it's made up its own |
+
+# `arp-scan`
+
+Look around your local network with `arp-scan`.
+
+> sudo arp-scan -l
+
+```
+
+Interface: wlp3s0, type: EN10MB, MAC: 84:3a:4b:ca:5c:24, IPv4: 192.168.0.13
+Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
+192.168.0.1	0c:02:27:bc:aa:a1	Technicolor CH USA Inc.
+192.168.0.15	b8:27:eb:4a:cd:d9	Raspberry Pi Foundation
+192.168.0.10	dc:0b:34:94:5c:c4	LG Electronics (Mobile Communications)
+
+3 packets received by filter, 0 packets dropped by kernel
+Ending arp-scan 1.9.7: 256 hosts scanned in 1.937 seconds (132.16 hosts/sec). 3 responded
+
+```
+
+The interface here was `wlp3s0`. It starts with 'w', so it's a wifi card.  Each internet adapter has a name, called a 'MAC address' in order to identify itself to outsiders.  The first three parts of a MAC address are given by the manufacturer (like a family name), and the rest are just for that one device.
+
+The '192.168.0.1' address ends in '.1', so it's probably a router.  The manufacturer is 'Technicolor' (`arp-scan` has identified this from the first digits of the MAC: '0c:02:27').
+
+Next is 192.168.0.15, which is labelled as a 'raspberry pi'. Finally, the '.10' address is a mobille phone.
+
+Mac addresses are easy to fake, so don't trust this output to keep you safe.
+
+# `nmap`
+
+Look around your entire network from 192.168.0.1 to 192.168.0.255:
+
+> sudo nmap -F 192.168.0.1/24
+
+The `-F` means 'do this fast, by only scanning normal traffic' (ports below 1000).
+
+```
+
+Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-09 13:52 CET
+Nmap scan report for 192.168.0.1
+Host is up (0.011s latency).
+Not shown: 99 closed ports
+PORT   STATE SERVICE
+80/tcp open  http
+MAC Address: 0C:02:27:BC:AA:A1 (Technicolor CH USA)
+
+Nmap scan report for 192.168.0.10
+Host is up (0.0040s latency).
+All 100 scanned ports on 192.168.0.10 are closed
+MAC Address: DC:0B:34:94:7C:C4 (LG Electronics (Mobile Communications))
+
+Nmap scan report for belgradecats (192.168.0.15)
+Host is up (0.0096s latency).
+Not shown: 98 closed ports
+PORT   STATE SERVICE
+22/tcp open  ssh
+53/tcp open  domain
+MAC Address: B8:27:EB:4A:CD:D9 (Raspberry Pi Foundation)
+
+Nmap scan report for 192.168.0.13
+Host is up (0.0000080s latency).
+Not shown: 99 closed ports
+PORT   STATE SERVICE
+22/tcp open  ssh
+
+Nmap done: 256 IP addresses (4 hosts up) scanned in 5.34 seconds
+
+```
+
+Network traffic is split into different types of information.  Each one gets a number called a 'port'.  Most of this information is dead, so only a few ports are used nowadays.
+
+The first one shows port 80, so you can visit it on a web browser.  The next shows 53 (so it's handing out names of local computers) and 22 (so you can access it via ssh).
+
+You can scan outside addresses with:
+
+> sudo nmap facebook.com
+
+However, when you scan something, that machine will see you, and you may set off alerts, which then have to bother whoever's looking after that address.
+So if you want to try out nmap from outside, find a place you have permission to scan (like your own external IP address), or try:
+
+> sudo nmap hack.me
+
+The hack.me website doesn't mind people scanning.
+