Montag, 15. August 2011

Yet Another Networking Introduction


Networking is built upon the famous OSI Layers. We only concentrate on the TCP/IP stack here, so we can simplify this a bit. The layers are as follows
TCP, UDP, ...
IP, ICMP, ARP, ...
Ethernet, ...

We assume an ethernet link between our hosts. Every host has an Ethernet MAC and PHY chip. The PHY is connected to the network wire (e.g. twisted pair, coax, fiber), we don't care about it here. The MAC chip is responsible for the Medium Access Control (though its name). Whenever a packet arrives, it compares its destination MAC address to its own and if they match, the packet is stored. Otherwise it is ignored. When a packet should be sent, the MAC waits until the physical medium is free (i.e. no other device is transmitting data) and then transmits the packet.
Preamble Dest. MAC Src. MAC Type Data Checksum Postable

The preamble and the postamble are only important for the PHY layer (clock recovery, ...). The destination MAC is built of 48 bits and is written like this: 00:1a:53:2c:92:f4. It comes first that all receivers can determine whether they are addressed or they can ignore the packet. The 48 bit source MAC address follows and then the 16 bits of the protocol Type is in the packet. It specifies the wrapped protocol, i.e. wheter an IP, an IPv6, an ARP or any other packet is wrapped,
<0x05DC Length field for IEEE 802.3 field
0x0800 Internet Protocol (IP) ver. 4
0x0806 Address Resolution Protocol (ARP)
0x86dd Internet Protocol ver. 6 (IPv6)

Every IP packet is completely wrapped into one ethernet frame. It holds its own address space. IP addresses look like this: Every packet holds a source and a destination address. The packet is sent through the lower levels (MAC, PHY).

IP can do more than ethernet: it introduces the concept of Routing. While for the ethernet protocol all hosts which communicate to each other must be connected to the very same physical segment (i.e. one long coax cable or to one hub), IP can overcome this limit. IP can even be transported via totally different media and transport protocols like via modem (phone line), ADSL, Frame Relay, ATM, ... The transport of a packet from one medium to another is accomplished by a router. This has to do a bit more processing than just PHY and MAC chips.

To explain routing, we have to look at the addresses. While MAC addresses on a single network segment can vary largely (due to different network interface card vendors), all IP addresses on a single network segment must be similar. To be more specific, they have to stem from a single subnet. Connecting subnets is the job of a routers.

A subnet is a range of consecutive IP addresses. An IP address is stored in a 32 bit variable. When this value is masked (AND relation) by a bitmask with a certain number of MSB ones, all addresses which result in the same masked value belong to the same subnet. Imagine the netmask 0xFFFFFF00 (usually written as, the addresses are a subnet. are a subnet too. A subnet is always characterized by its lowest address (the so called network address) and its netmask, e.g., The latter notation specifies the number of MSB ones.

At the beginning of TCP/IP, the netmask was implicitly specified by the network address. All addresses from are so called class A nets with a netmask of Addresses from are class B nets with a netmask of Addresses from to are class C nets with a netmask of Addresses from are special multicast addresses which are not used directly by hosts. Nowadays only the names of the three classes are used as abbreviations for netmasks, but the netmask is not specified implicitly by the network address any more. The newer standard with explicitly given netmasks is called Classless Internet Domain Registration (CIDR). It is even more flexible, because also "intermediate classes" can be built, e.g.

Consider the subnet It has the range - Note that no host may have the first or have the last address in the subnet. The first address, here, is called the network address. The last address,, is the broadcast address.

Back to routing. Whenever the destination address is within the same subnet as the hosts own address, it can be directly reached via the ethernet link by definition. For addresses outside of the subnet, the packet has to traverse a router. The IP protocol stack sends the packet to the router which sends the packet to the other network. A packet can therefore tour over the world through several routers.

Since there are two parallel address spaces (MAC and IP addresses), we need a translation facility for them. Whenever a host wants to send a packet to another host, it usually knows its IP address but doesn't know its MAC address. Therefore the Address Resolution Protocol (ARP) is used, to fill the gap. A broadcast packet is sent to every MAC address (so the MAC chip listens to its own address plus the broadcast address FF:FF:FF:FF:FF:FF) and the TCP/IP stack of the destination computer will send an answer to the requesting host. The requesting host then stores the new information (MAC<->IP address relation) into its ARP table, sometimes also called the Neighbor Table. Then the real packet is sent with the receiver's MAC address as destination.

This is necessary, because all hosts only hear to their own MAC address on the physical medium (and the broadcast address), so the transmitter must fill in the correct destination MAC address.

When the packet's destination is outside of the own subnet, the IP stack uses the MAC address of the router. The ethernet frame then holds the destination MAC of the router and the destination IP of the real destination. This is how the router can determine if the packet is for itself or it should be forwarded (i.e. routed) to another one of its network interfaces.

Important: IP packets are stateless and connection less. That means, that every single IP packet is transmitted on its own. There is no relation between several consecutive packets between two hosts. It is even possible that they take different routes (e.g. due to load changes) and therefore arrive in different order as they have been sent. IP packets also do not have ports and don't have error handling (e.g. retransmit).

OTOH, IP can send error messages. This is done using ICMP packets. They have different types and codes (two 8-bit values) which specify the error. There are even ICMP requests, like an echo request. This is answered by an ICMP echo reply packet. This is how the ping command is implemented.

Every IP packet holds the field Time To Live (TTL) which is decremented by every router. When it reaches 0, an ICMP error message ("time exceeded in transmit") is sent to the original sender. Say the original packet has TTL=64, then the first router decrements it to TTL=63, the next router to TLL=62, ... If the packets enters a routing loop (due to wrong router configuration), the TTL is decremented until it reaches 0. This avoids packets circulating infinitely.

The TTL field is used by traceroute for diagnostic purpose. It sends a packet to the destination but sets TTL=1. Then the first router will send an ICMP error message ("time exceeded in transmit"). The program will then display the source IP address of this ICMP packet, which is the first router. Then a packet with TTL=2 is sent. The second router on the route will issue the ICMP error packet. This is continued with increasing TTL values until the destination is received.

The IP protocol is almost never used directly. Higher level protocols like TCP, UDP or ICMP are wrapped in IP packets. They provide additional features over IP. We already talked about ICMP. It is also connectionless and stateless and only used as service facility.

UDP adds source and destination port number and a checksum above IP. It is also connectionless and stateless and a higher level protocol (like NFS, SMB, SNMP, DHCP, TFTP, ...) is responsible for error recovery, packet order, ...). Therefore it is called a datagram protocol. UDP is very simple and thus used by lots of embedded systems.

TCP is the most powerful protocol in this family. Similar to UDP it adds source and destination port number and a checksum above IP. Additionally it adds a sequence number, acknowledge packets, and some options. The TCP protocol implements packet reordering and error recovery (retransmission). Note that a TCP connection is stateful, that means that a connection is initialized and then held active until it is closed. The data stream is always bidirectional. Whenever a packet is sent from A to B, B replies with an ACK packet. So even for a unidirectional data stream, there are bidirectional packets on the way. The TCP protocol implementation is very complicated, because it uses timers, states, ... Due to its good service quality its use is wide spread by many higher level protocols like HTTP(S), POP3, IMAP, SMTP, SSH, FTP, Telnet, ...

Until now we always talked about IP addresses in IP packets (or ICMP/UDP/TCP packets wrapped inside IP packets) like It is very inconvenient to remember those numbers. To circumvent this problem, the domain name service (DNS) was created. DNS itself uses the IP protocol, precisely the UDP protocol with port 53. Whenever you type a domain name like into your browser or at the command line of e.g. ping, the program itself first has to translate this name into the according IP address.

This is done by the C function gethostbyname() which is implemented in the libc. It connects to the DNS server, sends a DNS query packet and waits for the DNS reply. Then the replied IP address is used by the program to connect() to the host.

Important: When you want to try if the network connection is working, a "ping" doesn't tell you clearly whether the connection is ok. If it results in an error, the DNS lookup could have failed, while the connection is perfectly ok. So you should use "ping" instead, because this doesn't use a DNS lookup but directly checks the connection.

Another important protocol used in the background is the Dynamic Host Configuration Protocol (DHCP). It is used to setup the IP settings of a host. Before the host knows its own IP address, the DHCP client daemon sends a DHCP REQUEST in a UDP broadcast packet (, port 68) to the network. This is captured by a DHCP server. The server replies with a UDP REPLY which holds the IP address, netmask, default gateway, DNS server IPs, lease time and possibly many other options like TFTP IP, TFTP file path, NTP server, ... Therefore a DHCP server can remotely setup a client (upon the clients request).

Interface Configuration: ifconfig

The network interface card (NIC) is called an "interface". Usually it is named eth0. The second card is called eth1, and so on. To configure the IP parameters of the NIC, the program ifconfig is used. To display the current configuration, simply use
ifconfig eth0
To setup the parameters, use
ifconfig eth0 address [ip-addr] netmask [netmask]

The network card initially is down (i.e. switched off). To switch it on, use
ifconfig eth0 up
to switch it off again, use
ifconfig eth0 down

Routing Table: route

Every host itself is a little router, except that it usually has only one NIC and therefore doesn't forward packets. Every host holds its own routing table. This tells the IP stack where to send IP packets. To display the routing table, use
route -n
The -n option tells route not to do a reverse name lookup for the ip addresses when displaying them. This speeds up the program. Usually you have two entries:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface   U     0      0        0 eth0         UG    0      0        0 eth0
The first line here shows that addresses with destination are sent directly (without a gateway, via the interface eth0. This is the local subnet. The second line is the default route. It tells the routing algorithm that any packet which is not matched by any previous routing table entry must be sent via the router (i.e. default gateway)

When you use ipconfig to setup the IP address as described above, one routing table entry is automatically generated. The default route must be added manually with
route add default gw [router]

Flexible IP Stack: ip

The tools ifconfig, route and some more are just old relicts and now used as frontends for the much more flexible tool ip. Please see its man page for the documentation.

ARP Table: arp

The current ARP table can be displayed with the command
arp -n
Again, the parameter -n avoid reverse name lookups. The output looks like
Address                  HWtype  HWaddress           Flags Mask            Iface             ether   00:0E:A6:C1:6C:B3   C                     eth0             ether   00:50:BA:1C:11:02   C                     eth0            ether   00:12:3F:E3:3E:33   C                     eth0
The table shows the IP address and its according MAC address as well as the interface where the IP/MAC have been found.

DNS Server

The DNS server is configured in the file /etc/resolv.conf. There are two types of entries: search and ''nameserver'. At the ICT we have the following content:
The first line specifies the "default domain". You can shortcut the domain name "" with "www". The other lines specify several name servers. When the first one doesn't reply, the second one is used as a fallback, and so on. The addresses must be specified as IP addresses (rather than domain names) because they can not be resolved before a DNS is known by its IP address.


The Linux kernel starting from version 2.4 uses the firewalling infrastructure Netfilter. This is completely built into the kernel. To setup the firewall rules, the userspace program iptables is used. Please refer to its man page for documentation.

Diagnostics: ping, netstat, traceroute

Echo Request: ping

The tool ping was already described above. It sends an ICMP echo request to the specified IP address (after a name lookup if you supplied the domain name). The ICMP echo replies are displayed. Important is, that before the IP packet (wrapping the ICMP packet) can be sent, an ARP request is issued. If the IP address does not exist on the network, then no ARP reply is received (after three retires). Then your host creates an ICMP error packet for itself and ping will display an "Destination Host Unreachable" error message. If you ping an IP outside of your subnet, no such ICMP error messages are generated or received.

Network Connections: netstat

When a program listens on a UDP or TCP port or a program has an open connection to another host, they can be displayed with the tool netstat. Use
netstat -anptu
to show all open and listening UDP and TCP connections. Note that only root can see the process IDs and names for programs not owned by its own.

Route to Destination: traceroute

traceroute also was already described above. It is used to see if the route to a host is ok.

Remote Access

Remote Login: telnet

The simplest tool to connect to another host via the TCP protocol is telnet. Use it with
telnet host [port]
where the port is optional and defaults to 23. Everything you type into the program is sent as a TCP packet to the remote host. Everything received is printed to the console. You can quit with ^[ (on a german keyboard press Ctrl+AltGr+8) and the type "quit".

Important: Don't use this program for remote logins because everything is transmitted unencrypted, even your password. Only use it for diagnostic purposes, e.g. to simulate an SMTP session by hand.

Network Transport: netcat, nc

Similar to telnet, netcat (usually called nc) connects via TCP and transmits data. It is somewhat more automated and direct than telnet. It connects stdin and stdout between two hosts. Use
nc -l -p 12345
to listen ("-l") on port 12345 on one host and
nc hostname port
on the other host. Everything redirected to stdin of on nc is written to stdout of the other nc.

File Transfer: ftp

The FTP protocol is used to transfer files from a FTP server to the FTP client or the opposite direction. The command line program ftp is a frontend for the protocol. You can download and upload files from/to the server.

Tiny File Transfer: tftp

For small embedded systems, the FTP protocol (using TCP) is too complicated, so the TFTP protocol was created. It uses UDP and does not have anything in common with FTP except its purpose and part of its name.

Download: wget

wget is a pure download program. Use it like

Secure Shell: ssh

Formerly telnet was used to login remotely to other hosts. Unfortunately it doesn't encrypt any data, so even the passwords can be sniffed easily by intruders. SSH, the Secure SHell was constructed to circumvent these problems. All data is encrypted. This makes it more complicated, so on embedded systems sometimes only telnet is available. Use it with
ssh user@host

Secure Copy: scp

scp is an addon to SSH which uses this protocol to copy files. Use it with one of the following command lines
scp localfile.ext user@host:remote/path/to/destination/
scp user@host:remote/path/to/file.ext .
scp userA@hostA:remoteA/pathA/toA/fileA.ext userB@hostB:remoteB/pathB/toB/destinationB/

Secure File Transfer: sftp

SSH also adds the secure file transfer protocol, which is used with the sftp program. Its use is similar to ftp.

Keine Kommentare: