EFE_net

By Wolfgang Keller
Draft
Originally written 2019-12-15
Last modified 2020-03-21

Table of contents

Ressources

Acronyms

Network engineering is full of acronyms. Here are some important ones:

Acronym Meaning Reference
ARPAddress Resolution Protocolsection ; also mentioned in section
BOOTPBootstrap Protocolsection
DCCPDatagram Congestion Control Protocolmentioned in section
DEIDrop eligible indicatorsection
DHCPDynamic Host Configuration Protocolsection
DNSDomain Name Systemsection
FCSFrame Check Sequencesection
HTTPHypertext Transfer Protocolmentioned in section
HTTPSHypertext Transfer Protocol Securementioned in section
ICMPInternet Control Message Protocolsection ; also mentioned in section
ICMPv6Internet Control Message Protocol version 6section ; also mentioned in section
IPInternet Protocol
IFGInterframe gap (same as “interpacket gap” (IPG))section
IPGInterpacket gap (same as “interframe gap” (IFG))section
IPv4Internet Protocol version 4section ; also mentioned in section
IPv6Internet Protocol version 6section ; also mentioned in section
LANLocal Area Network
MACMedium Access Controlsection
NDPNeighbor Discovery Protocolsection
NICNetwork Interface Controller
OSIOpen Systems Interconnectionmentioned in section
PCPPriority code pointsection
SCTPStream Control Transmission Protocolmentioned in section
SFDStart Frame Delimitersection
TCITag control informationsection
TCPTransmission Control Protocolsection ; also mentioned in section
TLSTransport Layer Securitysection ; also mentioned in section
TPIDTag protocol identifiersection
UDPUser Datagram Protocolsection ; also mentioned in section
VIDVLAN identifiersection
VLANVirtual Local Area Networksection

Layering

Overview

For the naming of the layers, we refer to RFC 1122 - Requirements for Internet Hosts -- Communication Layers [published 1989-10; visited 2019-12-16T21:33:51Z]; specifically section 1.1.3:

Keep in mind that this “four layer abstraction” is an idealization of the reality. You will soon see examples where this idealized abstraction breaks down. Also keep in mind that in the literature, there exists different names for the layers and models with a different number of layers (e.g. textbooks that are more oriented towards the so-called OSI stack). We don't want to dive into these details.

Let us list some important protocols for the layers:

Link Layer:

Internet Layer:

Transport Layer:

Two additional transport layer protocols that have been standardized, but are only rarely used in the home customer sector, are

Application Layer:

The protocols

Link Layer

Ethernet

An Ethernet frame looks as follows:

Preamble Start Frame Delimiter (SFD) Destination MAC address Source MAC address 802.1Q tag (VLAN tag) (optional) Ethertype (Ethernet II) or length (IEEE 802.3) Payload Frame check sequence (FCS) Interpacket gap (IPG)/Interframe gap (IFG)
Layer # octets 7 1 6 6 (4) 2 46/42-1500 4 12
Layer 2 Ethernet frame ← 64–1518/1522 octets →
Layer 1 Ethernet packet & IPG ← 72–1526/1530 octets → ← 12 octets →

For some important sizes:

We only consider the fields of the Layer 2 Ethernet frame here. Note that all fields that consist of multiple bytes are in big endian byte order.

TODO

Internet Layer

IPv4

TODO

IPv6

TODO

ARP (IPv4)

TODO

NDP (IPv6)

TODO

Transport Layer

UDP

TODO

TCP

TODO

ICMP

TODO

ICMPv6

TODO

Application Layer

BOOTP

TODO

DHCP

TODO

DNS

TODO

TLS

TODO

Some dumps

Example 1

For the coloring of the hexdump:

Under https://raw.githubusercontent.com/jwbensley/Ethernet-CRC32/bd2c6234ec78e5b9e7cc0b58795c84d4f2989184/P1.txt [visited 2020-01-03T18:22:18Z], you can find the following dump of an Ethernet frame:

08 00 27 27 1a d5 52 54 00 12 35 02 08 00 45 00
00 54 1e 49 40 00 40 01 04 50 0a 00 02 02 0a 00
02 0f 00 00 59 d6 0f af 00 01 fd b5 f5 5a 00 00
00 00 e1 95 03 00 00 00 00 00 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25
26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35
36 37 e6 4c b4 86

Example 2

For the coloring of the hexdump:

Under checksum - Calculate the FCS number from a frame ethernet - Network Engineering Stack Exchange [visited 2020-01-03T19:50:36Z], you can find the following dump of an Ethernet frame:

08 00 20 0A 70 66 08 00 20 0A AC 96 08 00 45 00
00 28 A6 F5 00 00 1A 06 75 94 C0 5D 02 01 84 E3
3D 05 00 15 0F 87 9C CB 7E 01 27 E3 EA 01 50 12
10 00 DF 3D 00 00 20 20 20 20 20 20 5A 05 DE FA

Example 3

Under https://erg.abdn.ac.uk/users/gorry/course/inet-pages/packet-decode.html [visited 2019-12-08T18:59:04Z], one can find packet dumps of the following activities:

  1. TCP connection set-up and clear-down
  2. Transmission of a single UDP packet

There is also a packet dump of ICMP ECHO messages, but there is a mistake in this dump; thus, we do not consider it here.

For the coloring of the hexdumps:

TCP connection set-up and clear-down

Endpoints for the directions:

Packet 1: TCP Connect Request

Source: https://erg.abdn.ac.uk/users/gorry/course/inet-pages/packet-decode3.html [visited 2019-12-08T22:31:58Z]

           0: 00 e0 f7 26 3f e9 08 00 20 86 35 4b 08 00 45 00
          16: 00 2c 08 b8 40 00 ff 06 99 97 8b 85 d9 6e 8b 85
          32: e9 02 90 05 00 17 72 14 f1 14 00 00 00 00 60 02
          48: 22 38 a9 2c 00 00 02 04 05 b4 ?? ?? ?? ?? ?? ??

Direction: Client → Server

Packet 2: TCP ACK

Source: https://erg.abdn.ac.uk/users/gorry/course/inet-pages/packet-decode4.html [visited 2019-12-08T22:38:43Z]

           0: 08 00 20 86 35 4b 00 e0 f7 26 3f e9 08 00 45 00
          16: 00 28 aa fd 00 00 fc 06 3a 56 8b 85 e9 02 8b 85
          32: d9 6e 00 17 90 05 94 31 10 28 72 14 f1 30 50 10
          48: 22 38 1c 65 00 00 00 00 00 10 00 00 0e 1a cb b3

Direction: Server → Client

Packet 3: TCP (Telnet) Established

Source: https://erg.abdn.ac.uk/users/gorry/course/inet-pages/packet-decode5.html [visited 2019-12-08T22:39:20Z]

           0: 00 e0 f7 26 3f e9 08 00 20 86 35 4b 08 00 45 00
          16: 00 28 08 b9 40 00 ff 06 99 9a 8b 85 d9 6e 8b 85
          32: e9 02 90 05 00 17 72 14 f1 15 94 31 10 28 50 10
          48: 22 38 1c 80 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ??

Direction: Client → Server

Packet 4: TCP (Telnet) Established

Source: https://erg.abdn.ac.uk/users/gorry/course/inet-pages/packet-decode6.html [visited 2019-12-08T22:44:06Z]

           0: 00 e0 f7 26 3f e9 08 00 20 86 35 4b 08 00 45 00
          16: 00 43 08 ba 40 00 ff 06 99 7e 8b 85 d9 6e 8b 85
          32: e9 02 90 05 00 17 72 14 f1 15 94 31 10 28 50 18
          48: 22 38 9d 0f 00 00 ff fd 03 ff fb 18 ff fb 1f ff
          64: fb 20 ff fb 21 ff fb 22 ff fb 27 ff fd 05 ff fb
          80: 23 59 88 71 bf

Direction: Client → Server

What does the “strange-looking” sequence mean that the client sends? We won't teach you the obscure details of the Telnet protocol, but we want to give a short explanation. The ff16 means IAC (“Interpret as Command”); see RFC 854 - Telnet Protocol Specification [visited 2019-12-16T01:25:27Z]. The byte that follows the ff16 has the following meaning:

What do these option codes refer to? The subsequent byte tells:

For a list of all the option codes cf. Telnet Options [visited 2019-12-19T20:17:07Z].

So the payload means:

Packet 5: TCP (Telnet) ACK

Source: https://erg.abdn.ac.uk/users/gorry/course/inet-pages/packet-decode7.html [visited 2019-12-08T22:44:39Z]

           0: 08 00 20 86 35 4b 00 e0 f7 26 3f e9 08 00 45 00
          16: 00 28 aa fd 00 00 fc 06 3a 56 8b 85 e9 02 8b 85
          32: d9 6e 00 17 90 05 94 31 10 28 72 14 f1 30 50 10
          48: 22 38 1c 65 00 00 00 00 00 10 00 00 0e 1a cb b3

Direction: Server → Client

Packet 6: TCP Disconnect Request

Source: https://erg.abdn.ac.uk/users/gorry/course/inet-pages/packet-decode8.html [visited 2019-12-08T22:45:16Z]

           0: 00 e0 f7 26 3f e9 08 00 20 86 35 4b 08 00 45 00
          16: 00 28 08 bb 40 00 ff 06 99 98 8b 85 d9 6e 8b 85
          32: e9 02 90 05 00 17 72 14 f1 30 94 31 10 28 50 11
          48: 22 38 1c 64 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ??

Direction: Client → Server

Packet 7: TCP ACK

Source: https://erg.abdn.ac.uk/users/gorry/course/inet-pages/packet-dec9.html [visited 2019-12-08T22:22:38Z]

           0: 08 00 20 86 35 4b 00 e0 f7 26 3f e9 08 00 45 00
          16: 00 28 aa fe 00 00 fc 06 3a 55 8b 85 e9 02 8b 85
          32: d9 6e 00 17 90 05 94 31 10 28 72 14 f1 31 50 10
          48: 22 38 1c 64 00 00 00 00 00 10 00 00 1e 5c d1 75

Direction: Server → Client

Packet 8: TCP ACK + Data

Source: https://erg.abdn.ac.uk/users/gorry/course/inet-pages/packet-dec10.html [visited 2019-12-08T22:21:56Z]

           0: 08 00 20 86 35 4b 00 e0 f7 26 3f e9 08 00 45 00
          16: 00 37 aa ff 00 00 fc 06 3a 45 8b 85 e9 02 8b 85
          32: d9 6e 00 17 90 05 94 31 10 28 72 14 f1 31 50 18
          48: 22 38 c1 0c 00 00 ff fd 18 ff fd 1f ff fd 23 ff
          64: fd 27 ff fd 24 b5 61 83 28

Direction: Server → Client

For the interpretation of the payload:

Packet 9: TCP Reset Connection

Source: https://erg.abdn.ac.uk/users/gorry/course/inet-pages/packet-dec11.html [visited 2019-12-08T22:21:17Z]

           0: 00 e0 f7 26 3f e9 08 00 20 86 35 4b 08 00 45 00
          16: 00 28 08 bc 40 00 ff 06 99 97 8b 85 d9 6e 8b 85
          32: e9 02 90 05 00 17 72 14 f1 31 00 00 00 00 50 04
          48: 22 38 c0 c9 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ??

Direction: Client → Server

Transmission of a single UDP packet

Packet 1: UDP Unit Data Transmission

Source: https://erg.abdn.ac.uk/users/gorry/course/inet-pages/packet-dec12.html [visited 2019-12-08T19:24:22Z]:

           0: 00 e0 f7 26 3f e9 08 00 20 86 35 4b 08 00 45 00
          16: 00 26 ab 49 40 00 ff 11 f7 00 8b 85 d9 6e 8b 85
          32: e9 02 99 d0 04 3f 00 12 72 28 68 65 6c 6c 6f 68
          48: 65 6c 6c 6f ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??

Endpoints:

Layer Protocol Endpoint Type Source Endpoint Destination Endpoint
Link LayerEthernetMAC address08:00:20:86:35:4b00:e0:f7:26:3f:e9
Internet LayerIPv4IPv4 address139.133.217.110139.133.233.2
Transport LayerUDPUDP port393761087

The UDP payload 68 65 6c 6c 6f 68 65 6c 6c 6f interpreted as ASCII characters is hellohello.