In this lab you will learn about Ethernet in terms of its frame format and the protocol. You will see how Linux binds an IP layer on top of Ethernet (which is pretty much the same as how Windows does it) and how IP uses a protocol known as ARP (Address Resolution Protocol) to help it transport IP datagrams across Ethernet.
Layer 1 to 3
As you will have seen throughout the course the first three layers in the OSI model are shown in the figure below:
When running the Internet over an Ethernet network, Ethernet specifies how layers 1 and 2 operate, whilst IP (in conjunction with a number of other protocols) runs at layer 3. So although IP specifies the standard packet format (i.e. the IP datagram) and the protocol for communication across the Internet, when running IP over an Ethernet network all datagrams must be transported in Ethernet frames.
The first task in setting up IP over Ethernet is therefore to specify the relationship between the two. The command line tool that is used in Linux for doing this is called ifconfig.
ifconfig
As can be seen above, the output from ifconfig provides details on each of the interfaces that is configured on the machine, with the interface name shown in the left-hand column. The type of interface is shown in the Link encap field. The first interface is eth0 and is the Ethernet interface.
The second interface, lo, is known as a loopback device which is a software interface that simply relays all packets sent to it straight back to the machine. The purpose of this interface is to provide a means of testing network software even in the absence of a physical/hardware network interface. As can be seen from the output, the IP address (inet addr) of the loopback is 127.0.0.1.
Try to connect to your own machine over the loopback using ssh. To do this you should specify the loopback IP address as the destination address. Provide the command that you used below:
The most important thing to realise here is that each interface has a unique IP address. So, for example, all datagrams destined for 220.127.116.11 will arrive via the eth0 interface.
Have a closer look at the various other fields associated with your machine’s eth0 interface. Try to understand the meaning of each of these fields. To assist you in this you should read the following: http://www.faqs.org/docs/linux_network/x-087-2-iface.ifconfig.html
Answer each of the following:
What is the maximum size IP datagram that can be carried by the Ethernet interface?
What is the Ethernet address of the eth0?
What is the purpose of the metric field?
What is the purpose of the broadcast IP address and what is the address for your machine?
As was discussed in lectures, and as can be seen above, Ethernet addresses consist of a 6-byte number. These numbers are assigned uniquely to vendors by the IEEE. The notation used in specifying Ethernet addresses is shown in the following example:
Note that sometimes a hyphen is used instead of a colon (i.e. 00-19-7E-DD-08-17). Also, note that each two-digit number is a hexadecimal number, ranging from 00 to FF.
To understand how to interpret these addresses you should read the following Wikipedia page:
http://en.wikipedia.org/wiki/MAC_address
At the bottom of the above page you will find a link to the following webpage:
This page allows you to lookup the Organisationally Unique Identifier for a particular MAC address.
3. Using the above web page, find out the OUI of your Ethernet card. What is the company name of the vendor?
Using Ethernet to transport IP datagrams
Now that you understand the system of binding the IP address of the local machine to the Ethernet address we will move onto looking at how IP transports a datagram using an Ethernet frame. To understand this process you should first review the section of the MAC layer notes on the Ethernet frame format (on the course website).
IEEE 802.3 vs. DIX/Ethernet II
Notice how there are two frame formats defined. The first one, the DIX format (also known as Ethernet II framing), specifies a type field, whilst the IEEE 802.3 format specifies a length field. The reason for this is that the DIX standard only specifies payload types which carry length information themselves (e.g. an IP datagram), so it is always possible to compute the length. The 802.3 standard moved away from this convention and did not require this of the payload packet. Instead 802.3 simply states that the size of the data (plus padding if needed) can range from 46-1500 bytes. Rather than the length being computed by peering into the payload, the length field provides the necessary information.
Aside: In fact there is another reason, in that the IEEE 802.2 LLC protocol must run in conjunction with 802.3. The 802.2 fields which follow the 802.3 header contain a similar type field and therefore would make any type field in the 802.3 frame redundant.
The important thing to note is that both types of frame can in fact exist on the same Ethernet network. Firstly, since all frames can carry a maximum of 1500 bytes, the highest value that an 802.3 frame can have in its length field is 05DC (which is 1500 in hexadecimal). Secondly, the DIX format specifies a list of numeric identifiers for the various formats that it can carry, none of which are within the range 0000-05DC. For example, all IPv4 datagrams are identified as type 0800, whilst ARP packets are of type 0806. So the convention for distinguishing between Ethernet frames is to treat all frames with the Type/Length field having a value below 0600 as 802.3 format, and those having a value greater than 0600 as DIX/Ethernet II format.
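The classification rule above, written out as an added example (not part of the original lab sheet): a parser for the 14-byte Ethernet header that labels the Type/Length field and prints the addresses in colon notation. The sample frames are constructed, the peer address 02:00:00:00:00:01 is made up, and values from 05DD to 05FF are reported as undefined because they are neither a valid length nor an assigned type.

```python
import struct

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP"}   # the two types named in the text


def fmt_mac(raw: bytes) -> str:
    """Render Ethernet address bytes in colon notation."""
    return ":".join(f"{b:02X}" for b in raw)


def parse_ethernet_header(frame: bytes) -> dict:
    """Split the 14-byte header and classify the Type/Length field."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, type_len = struct.unpack("!6s6sH", frame[:14])
    if type_len <= 0x05DC:            # at most 1500: an 802.3 length
        framing, payload = "802.3", f"length {type_len}"
    elif type_len >= 0x0600:          # 0600 and above: an Ethernet II type
        framing = "Ethernet II"
        payload = ETHERTYPES.get(type_len, f"type 0x{type_len:04X}")
    else:                             # 05DD-05FF is neither a length nor a type
        framing, payload = "undefined", f"0x{type_len:04X}"
    return {
        "dst": fmt_mac(dst),
        "src": fmt_mac(src),
        "oui": fmt_mac(src[:3]),      # first three bytes identify the vendor
        "broadcast": dst == b"\xff" * 6,
        "framing": framing,
        "payload": payload,
    }


# Constructed sample frames (not captured traffic).
SRC = bytes.fromhex("00197EDD0817")    # the example address from the text
PEER = bytes.fromhex("020000000001")   # made-up address
IPV4_FRAME = PEER + SRC + b"\x08\x00" + bytes(46)
ARP_FRAME = b"\xff" * 6 + SRC + b"\x08\x06" + bytes(46)
LLC_FRAME = PEER + SRC + b"\x00\x2e" + bytes(46)   # 002E = 46 bytes of data

if __name__ == "__main__":
    for sample in (IPV4_FRAME, ARP_FRAME, LLC_FRAME):
        print(parse_ethernet_header(sample))
```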
OK! So assuming it’s Ethernet II, how does it carry an IP datagram?
When transporting an IP datagram over Ethernet, we can distinguish between two situations:
(i) the destination machine is on the local Ethernet segment, and,
(ii) the destination machine is not on the local Ethernet segment.
In the first case the datagram can be placed into an Ethernet frame with the destination Ethernet address set to the Ethernet address of the destination machine.
The second case is more difficult since, even if we know the destination machine’s Ethernet address, sending a frame with this destination address will not work because the frame can only traverse the local network. However IP is clever enough to know this since it can compare the destination IP address with its own network address. When it sees that it is outside the local area network it simply sends this datagram to the gateway. The gateway is a machine that is both on the local network and is connected to the external network (i.e. it can route traffic which needs to travel outside the LAN).
4. Using the route command list the various networks of which IP is aware. Traffic which is destined to travel outside the LAN must be routed to the default route via the gateway. What is the IP address of this gateway?
Capturing and Analysing Ethernet Traffic
In this section we will use Wireshark to capture live traffic from the network. The purpose of this will be to see IP working over Ethernet.
Complete the following steps:
To start you will need to run Wireshark with super-user privileges. To do this use the following command (typing in your password when asked):
sudo wireshark &
Remember that the ampersand at the end of the command runs wireshark in the background, meaning that you immediately regain control of the terminal.
Next find out the name of your neighbour’s machine and make a note of it.
Start capturing traffic on the Ethernet interface by selecting the Capture->Interfaces menu and clicking the start button for eth0.
Find the first response to the GET request and expand the IP datagram and Ethernet II frame details. Verify that the source and destination addresses in both the IP datagram and the Ethernet II frame are reversed.
Answer: YES NO
Address Resolution Protocol (ARP)
In the previous section we have seen that, given the destination IP address, IP can figure out the IP address of the next machine in the chain of communication, i.e. either the destination machine itself or the gateway. However we have not seen how IP can find out the Ethernet address of the next machine in the chain. To do this it must have a way of translating (or resolving) IP addresses to Ethernet addresses. The protocol it uses for this is the Address Resolution Protocol (ARP).
The ARP protocol typically maintains a cache on your computer of IP-to-Ethernet address translation pairs, holding the most recent translations that it has performed. The arp command (in both MSDOS and Linux/Unix) is used to view and manipulate the contents of this cache. Since the arp command and the ARP protocol have the same name, it’s understandably easy to confuse them. But keep in mind that they are different: the arp command is used to view and manipulate the ARP cache contents, while the ARP protocol defines the format and meaning of the messages sent and received, and defines the actions taken on message transmission and receipt.
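The two delivery cases described earlier (destination on the local segment, or reached through the gateway) and the ARP cache described above can be put together in a small model. This is an added example, not part of the original lab sheet: the Host class, the LAN table and all addresses and MACs in it are made up for illustration.

```python
import ipaddress

BROADCAST = "FF:FF:FF:FF:FF:FF"
# Constructed LAN (addresses and MACs are made up): IP -> MAC of the machines
# that would answer an ARP request on the local segment.
LAN = {"192.0.2.1": "02:00:00:00:00:01",    # the gateway
       "192.0.2.20": "02:00:00:00:00:14"}   # a neighbour


class Host:
    def __init__(self, iface, gateway, lan):
        self.iface = ipaddress.ip_interface(iface)    # own address and netmask
        self.gateway = ipaddress.ip_address(gateway)
        self.lan = lan
        self.arp_cache = {}                           # IP -> MAC, learnt via ARP

    def next_hop(self, dst_ip):
        """The destination itself if it is on the local network, else the gateway."""
        dst = ipaddress.ip_address(dst_ip)
        return dst if dst in self.iface.network else self.gateway

    def send(self, dst_ip):
        """Return the frames put on the wire as (type, Ethernet dst, IP) tuples.

        For an ARP request the IP is the address being resolved; for an IPv4
        frame it is the datagram's destination address.
        """
        hop = str(self.next_hop(dst_ip))
        frames = []
        if hop not in self.arp_cache:
            frames.append(("ARP", BROADCAST, hop))    # cache miss: ask the segment
            if hop not in self.lan:
                return frames                         # no reply, nothing more sent
            self.arp_cache[hop] = self.lan[hop]       # reply received: cache the pair
        frames.append(("IPv4", self.arp_cache[hop], dst_ip))
        return frames


if __name__ == "__main__":
    host = Host("192.0.2.10/24", "192.0.2.1", LAN)
    for dst in ("192.0.2.20", "192.0.2.20", "198.51.100.7"):
        print(dst, host.send(dst))
```

For the off-LAN destination the IPv4 frame carries the gateway's Ethernet address while the datagram keeps the remote IP address, and the second send to the neighbour produces no ARP frame because the pair is already cached.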
20. Using the arp command on your machine, list the entries in the ARP cache on your machine. Cut-and-paste the list below.
21. Is there an entry for your neighbour’s machine? Why?
22. Is there an entry for the website you just connected to? Why?
23. Using the arp command with the -d option invalidate/delete the entry for your neighbour’s machine. Note you should verify that the entry is deleted. Give the command below.
Now once again carry out the full packet capture that you performed earlier when you ssh’d to your neighbour’s machine. Once you have logged out of your neighbour’s machine you should stop the packet capture.
In the captured traffic, find the first two ARP packets and answer the following questions:
24. What are the hexadecimal values for the source and destination addresses in the Ethernet frame containing the ARP request message? What type of address is the destination address?