
Chapter 13: Data Link Layer, LAN’s and Ethernet

Objectives:

(a) Define the structure of an Ethernet address.

(b) State the minimum and maximum size of an Ethernet frame.

(c) Calculate the bandwidth available to users in various network configurations.

(d) Distinguish between the capabilities and uses of a hub, a bridge and a switch.

1. Introduction

To refresh our memory, from Chapter 11 we learned that the Data Link Layer is concerned with transferring data across a single link connecting two nodes. The Protocol Data Unit (PDU) at the Data Link Layer is termed a “frame.”

The roles and responsibilities assigned to the data link layer include:

1. Setting Frame Boundaries
2. Error Control
3. Link Flow Control
4. Control access to shared channels – or the Multiple Access Problem.

Any protocol employed at the data link layer must address each of these tasks. It may surprise you to know that over time there have been many different data link layer protocols. However, the alternatives have lost their promise, and two Data Link Layer protocols are now dominant: IEEE 802.3, known as “Ethernet,” which is suited for wired connections, and IEEE 802.11, known as “Wi-Fi,” which is suited for wireless connections. Both accomplish the four roles and responsibilities above but handle the particulars differently. To better understand the functions that are performed at the Data Link Layer, we will examine how the Ethernet protocol addresses them in this chapter.

2. Local Area Network (LAN) Overview

A LAN consists of a collection of devices which have a shared transmission medium and must share the network’s transmission capacity. In the late 1960s and into the early 1970s, computers were stand-alone devices. A computer at, say, Stanford, had no way of communicating with a computer at, say, the Naval Academy. Research teams (largely funded by the DoD) began to explore methods for linking computers together, allowing them to transmit information back and forth. This exploration gave rise to what we know today as a LAN.

A breakthrough occurred when Robert Metcalfe proposed a technique for joining computers together which he called Ethernet. At heart, the computers were joined together by a wire allowing bits to flow between computers. The sketch below (from Metcalfe's 1976 conference paper) shows four computers (in red) joined together by a wire (in yellow). (Note that one of the four computers is drawn to be larger than the other three in order to show some internal details).

3. Ethernet

The four data link layer roles and responsibilities can be rephrased as four issues. Metcalfe's breakthrough proposal—Ethernet—handles these four issues.


First, if one computer sends data to another, there has to be a mechanism to allow the intended recipient to know where the block of data begins and ends. In other words, the recipient must be able to look at the collection of received bits—called a frame—and determine where the frame begins and ends. This is called the framing problem.

Second, in order to send a frame to a specific device, every device will need a unique address. This is the address problem.

Third, the receiver should be able to determine if the received frame has errors. This is called the error-control problem.

Fourth, we have to consider the possibility that more than one computer may place their frame on the wire at the same time. This will cause the electrical signals to collide, and both frames will be destroyed. This is called the multiple access problem.

Other competing proposals to join computers together into a local area network (Token Ring, Token Bus, ATM, FDDI) have since fizzled and died, leaving Ethernet as the only game in town for wired local area networks.

The original Ethernet transmitted at a bit rate of 10 mega-bits per second (Mbps), also known as Standard Ethernet. In 1995, a 100 Mbps Ethernet standard was introduced, dubbed Fast Ethernet. This was followed in 1998 by Gigabit Ethernet (with a data rate of 1 Gbps) and in 2002 by a 10 Gbps standard (10-Gigabit Ethernet). A 100 Gbps Ethernet standard was approved in 2010.

Note that we are dealing exclusively with transmitting data over a single link. Stated another way and with reference to the TCP/IP reference model: we are dealing with data link-layer roles. Additionally, note that Ethernet is implemented in a computer's Network Interface Card (NIC).

3.1 The Framing Problem

All Ethernet variants (10 Mbps, 100 Mbps, 1 Gbps and 10 Gbps) use the same data link frame format, shown below.

Ethernet Frame

The Data Link layer frame is then organized into the Physical layer as shown below.

Organization of Physical and Data Link layer.

The fields for the diagrams above are described below:

Preamble: The preamble is not formally part of the Ethernet frame. It is added by the physical layer. It consists of the byte 10101010 repeated 7 times (56 bits of alternating 1s and 0s). The preamble allows the receiver to synchronize to the beginning of the frame.

Start Frame Delimiter (SFD): The SFD is not formally part of the Ethernet frame. It is added by the physical layer. It is the single byte 10101011. Notice that the start frame delimiter follows the same pattern of alternating ones and zeroes as the preamble, except that it concludes with two consecutive 1's. These two consecutive 1's indicate that synchronization is over, and the real stuff is about to start: the next item will be the destination address.

The Destination and the Source Ethernet Addresses: Much more on this to follow!

Length or Type: This field usually specifies the kind of data the frame carries (e.g.: Is the data an IP packet?). In rare implementations, this field is used instead to serve as a Length Field, providing the number of bytes in the data field.


Data and padding: This holds the data that was received from the network layer. The minimum size of the "Data and Padding" field must be 46 bytes, and the maximum size of this field is 1500 bytes.

CRC: Cyclic Redundancy Code used for error detection. More on this below.

Practice Problem 13.1

What is the minimum size of an Ethernet frame? (Do not include the physical layer header in your calculation.)

Solution:

Practice Problem 13.2

What is the maximum size of an Ethernet frame? (Do not include the physical layer header in your calculation.)

Solution:

Practice Problem 13.3

Why would padding ever be used in the field marked Data and padding?

Solution:

So, Ethernet frames must be at least 64 bytes and are not permitted to exceed 1518 bytes. Which raises the question: Why these size limitations?

The maximum Ethernet frame size is easy to appreciate. We limit the maximum frame to 1518 bytes for three reasons:

To prevent a single user from hogging the network: Recall the picture on page 251 that shows four users sending their data over the same wire. Suppose you are one of those users, and you want to send a frame. With Ethernet, a user who wants to transmit a frame first listens on the wire to make sure no one else is already transmitting. If someone else is already transmitting, then it would make no sense for you to transmit at the same time: You would garble the transmission in progress, and your transmission would also garble. So, you patiently wait for the wire to go idle before you transmit. Since Ethernet users always politely wait for the shared wire to go idle before transmitting, a greedy user who starts transmitting could keep transmitting forever, never allowing others an opportunity to transmit their frames. To avoid this, a user is allowed to transmit at most 1518 bytes before they must stop and give other users an opportunity to transmit their frames.

Error control: With Ethernet, if a single bit arrives in error, the entire frame is thrown away by the receiver. Since each bit represents an opportunity for error, the fewer bits we have, the fewer opportunities for error we have.

Historical reasons: Data that arrives at the NIC must be buffered before it is sent to main memory. Although memory is very cheap today, memory was very expensive in the 1970s and 1980s when the Ethernet standard was developed.

The minimum Ethernet frame size—64 bytes—is based on technical considerations that are far less intuitive. We mentioned that when a host using Ethernet wants to transmit a frame, it first listens to see if anyone else is transmitting. Only if a host senses that the medium is "quiet" does it proceed with the transmission of its frame.

But even if a host takes care to ensure that the medium is quiet, collisions can still occur! For example, suppose two hosts want to transmit an Ethernet frame at the same time and both first listen to ensure the medium is not in use. Both stations will detect that the medium is not in use and both will start transmitting! These sorts of collisions are unavoidable.

Since collisions are unavoidable, we want to ensure that a user can tell if its transmission was involved in a collision. When Ethernet hosts start transmitting, they continue to listen to the channel to detect a collision. It is important for a host to know if its frame was involved in a collision since any frames involved in collisions will need to be retransmitted. Thus, we need to ensure that User-1 is still transmitting under the condition that the furthest away station (say, User-2) listens to the channel just before User-1's frame arrives, senses it idle and starts transmitting also.


Based on the maximum allowed separation between users and the speed of light (more precisely: the speed of propagation in the cable), it can be shown (we skip the derivation) that if the minimum frame size is set to 64 bytes (512 bits) a host will be able to tell if it was its frame that was involved in a collision.

3.2 The Address Problem

Each Network Interface Card (NIC) is assigned a globally unique address—an Ethernet address—that is burned into the card's Read Only Memory (ROM). ROM is non-volatile memory whose contents cannot be altered by the user. All machines on an Ethernet LAN [1] are guaranteed to have unique addresses. Moreover, no two hosts anywhere in the world have the same Ethernet address. So, when you buy a NIC (or, as is most often the case, a computer that contains a NIC), you are also buying a globally unique Ethernet address that only you possess.

Ethernet addresses are 6 bytes. It is important to realize that Ethernet addresses are also commonly referred to as physical addresses, hardware addresses and Medium Access Control (MAC) addresses—these terms are all synonyms!

Practice Problem 13.4

(a) How many bits are in an Ethernet address?

(b) How many hexadecimal digits are needed to express an Ethernet address?

Solution: (a) (b)

Ethernet addresses are usually expressed in hexadecimal notation (sometimes with colons between the bytes). For example, an Ethernet address might be 06:01:03:02:2A:3D.

Practice Problem 13.5

Two of these 48 bits in an Ethernet address are used for special purposes. Disregarding these two bits, how many possible Ethernet addresses exist?

Solution:

Practice Problem 13.6

If there are 7 billion people in the world, and we disperse Ethernet addresses uniformly, how many addresses are available for each person?

Solution:

You should be convinced that we are in no danger of "running out" of Ethernet addresses! The uniqueness of Ethernet addresses is assured by the fact that the first 3 bytes of the address are assigned to a given manufacturer (or vendor), and this vendor must use these three bytes as the first three bytes in every NIC that the vendor manufactures. (The Institute of Electrical and Electronics Engineers—IEEE—is the group that actually does this assignment). For instance, all NICs manufactured by 3COM have Ethernet addresses starting with 02608C, all NICs manufactured by Cisco have Ethernet addresses starting with 00000C, etc.

Practice Problem 13.7

How many possible Ethernet addresses exist for each individual vendor?

Solution:

Sometimes, a host may want to transmit a frame to every other user on the Ethernet LAN. A special address is reserved for this purpose. A host may send a frame to everyone by sending the frame to the broadcast address, which is the address consisting of all ones; i.e., a string of 48 consecutive 1’s.

[1] A local area network (LAN) is a network of computers and other associated devices connected on a common communications link (e.g., cable, wireless) spanning a relatively small area such as a room, building, or campus. LANs are capable of transmitting data at very fast rates within a limited distance.


Therefore the Ethernet broadcast address in hexadecimal is:

FF:FF:FF:FF:FF:FF

Referring back to the Ethernet frame image, any frame transmitted by any user arrives at the NIC of all other directly connected users! Stated another way, the NIC receives all frames that are sent on the wire. But it only forwards some of the frames up to the host's network layer. Specifically, the NIC only forwards to the network layer:

Frames addressed to its own unique address. When a frame arrives at the NIC, the NIC checks the frame to see the destination address. If the destination address of the frame matches its NIC address, then the NIC “realizes” that this data is intended for itself, and passes the frame to the network layer. If the destination address in the frame does not match its NIC address, the frame is discarded.

Frames addressed to the broadcast address. As mentioned, a frame sent to the broadcast address (48 ones) will be accepted by every NIC.

All frames if the NIC is placed in "promiscuous" mode. A vulnerability of Ethernet is the ease with which an Ethernet card can be programmed to accept all frames, even frames addressed to other users. So, any user who sets their NIC to promiscuous mode can examine the traffic sent by all other users.
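As an added illustration (not part of the original chapter), the Python sketch below builds a frame with the field layout from section 3.1 and then applies the NIC's accept rules listed above, together with the CRC check that section 3.3 goes on to describe. The field widths (6-byte addresses, 2-byte type, 4-byte CRC), the use of `zlib.crc32` as the CRC-32 computation, and the sample addresses are assumptions of the example.

```python
import struct
import zlib

BROADCAST = bytes.fromhex("ffffffffffff")   # 48 consecutive 1s
MIN_FRAME, MAX_FRAME = 64, 1518             # frame limits from section 3.1
MIN_DATA, MAX_DATA = 46, 1500               # "Data and padding" limits
# Value zlib.crc32 yields over an intact frame *including* its CRC field.
# Ethernet stores the CRC complemented, so an error-free frame leaves this
# fixed constant rather than a literal zero remainder.
GOOD_FRAME_CRC = 0x2144DF1C


def mac(text):
    """Parse '06:01:03:02:2A:3D' (colons optional) into 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) != 6:
        raise ValueError("an Ethernet address is 6 bytes: %r" % text)
    return raw


def address_info(addr):
    """Report the vendor prefix and whether the address names a group."""
    return {
        "vendor_prefix": addr[:3].hex().upper(),   # first 3 bytes, assigned by IEEE
        "group": bool(addr[0] & 0x01),             # 1 = group address (e.g. broadcast)
        "broadcast": addr == BROADCAST,
    }


def build_frame(dst, src, ethertype, payload):
    """Lay out destination | source | type | data+padding | CRC."""
    if len(payload) > MAX_DATA:
        raise ValueError("data field is limited to %d bytes" % MAX_DATA)
    data = payload.ljust(MIN_DATA, b"\x00")        # pad short data up to 46 bytes
    body = dst + src + struct.pack("!H", ethertype) + data
    return body + struct.pack("<I", zlib.crc32(body))   # CRC covers all prior fields


def nic_receive(frame, own_addr, promiscuous=False):
    """Decide, as the NIC does, whether a frame goes up to the network layer."""
    if not MIN_FRAME <= len(frame) <= MAX_FRAME:
        return False, "bad length"
    if zlib.crc32(frame) != GOOD_FRAME_CRC:
        return False, "CRC error"                  # damaged frames are discarded
    dst = frame[:6]
    if dst == own_addr:
        return True, "own address"
    if dst == BROADCAST:
        return True, "broadcast"
    if promiscuous:
        return True, "promiscuous mode"            # accepts frames meant for others
    return False, "addressed to another NIC"


if __name__ == "__main__":
    # Constructed sample addresses: the page's example address, and the Cisco
    # prefix 00000C from the page with made-up low bytes.
    alice = mac("06:01:03:02:2A:3D")
    bob = mac("00:00:0C:11:22:33")
    carol = mac("00:00:0C:44:55:66")
    frame = build_frame(bob, alice, 0x0800, b"hello")   # 0x0800 = IPv4 payload
    print(len(frame), address_info(bob))
    print("bob                :", nic_receive(frame, bob))
    print("carol              :", nic_receive(frame, carol))
    print("carol (promiscuous):", nic_receive(frame, carol, promiscuous=True))
    damaged = bytes([frame[0] ^ 0x01]) + frame[1:]      # one flipped bit
    print("bob, damaged frame :", nic_receive(damaged, bob))
```

The only thing separating the second and third results is a software flag on the receiving NIC, which is why traffic on a shared wire should be treated as readable by every attached host.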

3.3 The Error Control Problem

Recall from the picture of the Ethernet frame shown on the second page of this chapter that the last four bytes are used for the Cyclic Redundancy Code (CRC). The CRC is used for error detection. Ethernet can only detect errors; it cannot correct errors. If a frame arrives with errors, it is simply discarded. (Higher-layer protocols may later recognize the loss of data and take action to remedy the problem, such as by requesting retransmission. Ethernet, though, simply discards frames containing errors without giving the matter a second thought.)

Ethernet's CRC algorithm hinges on a special number that mathematicians have devised. This number, given the name CRC-32, is special because it almost never divides evenly into other numbers, i.e., it almost always leaves a remainder when it is divided into another number.

When the NIC crafts a frame to transmit, it fills the four-byte CRC field with the specific bits that will make the total frame (including the CRC field) perfectly divisible (with no remainder) by CRC-32. When this frame is received by the destination, the destination NIC divides the received frame by CRC-32. If the frame arrives without errors, the result of the division will be zero and the frame will be accepted. If any bits were flipped en route from source to destination, the resulting division will leave a remainder and the frame will be discarded.

3.4 The Multiple Access Problem

Ethernet hosts share access to a channel. For that reason, Ethernet is termed a Multiple Access (MA) scheme. Since there are multiple hosts sharing a medium, Ethernet hosts listen to (i.e., sense) the channel before transmitting. This way they do not start transmitting their frame while another frame transmission from some other host is already in progress. For that reason, Ethernet is termed a Channel Sense Multiple Access (CSMA) scheme. [2]

[2] Since a signal in this context is carrying our data, it is referred to as a carrier signal. When we sense the channel, we are sensing to detect the presence or absence of the carrier signal. Thus, CSMA is most often called Carrier Sense Multiple Access.

Even after an Ethernet host starts transmitting, it continues to sense the channel for collisions. Collisions can occur if two hosts sense the channel idle at the same time and start transmitting. When a host detects that its frame is colliding, it immediately stops transmitting (what's the point of continuing to transmit a frame if we already know it's garbled?). For this reason, Ethernet is termed a Channel Sense Multiple Access with Collision Detection (CSMA/CD) scheme.

The shared channel is also known as a collision domain. If users have the ability to collide with each other, they are in the same collision domain.

Suppose we have 4 users on a 10 Mbps Ethernet. The 4 users share the 10 Mbps capacity of the network. If all 4 users have a lot to say, then each user will, on average, get to use the network ¼ of the time. As a rough approximation, we can say that each of the 4 users will get to send at 2.5 Mbps. From each user’s perspective, they are on a 2.5 Mbps network, not a 10 Mbps network.

Make sure you are clear on why things work this way: In Ethernet, users might share a medium, and any user’s transmission will prevent all others on that same shared medium from transmitting. When one of the four users in our scenario above transmits, the other three users will be prevented from transmitting because they will first sense the channel and will not intentionally collide with another user. As a back-of-the-envelope calculation, we can say that the bandwidth [3] available to a user is given by:

$$\text{BW per user} = \frac{\text{Total BW available in the collision domain}}{\text{Number of users sharing the collision domain}}$$

It’s interesting to note that this is an “apparent” bandwidth. As a user in the example above you will feel like you are getting a quarter of the total bandwidth available all of the time. In actuality you are “taking turns” with the other users. When it’s your turn you get all the bandwidth; when it’s not your turn you get nothing. The turn taking happens very quickly, so it is not obvious to a user. But this is more like taking turns at the water fountain than splitting a pizza with friends and getting an increasingly smaller share when there are more friends.

Practice Problem 13.8

What is the bandwidth available to each of the users on the 10 Mbps Ethernet shown below?

Solution:

Practice Problem 13.9

What is the bandwidth available to each of the users on the 10 Mbps Ethernet shown below?

Solution:

4. Connecting Users on an Ethernet LAN

Ethernet first used a bus topology with heavy garden-hose size coaxial cable. In a bus topology, all users are connected in a straight-line configuration, as in the example on the prior page. Later, the communication medium transitioned to unshielded twisted pair (UTP), which was ubiquitous in most office buildings. There has been a proliferation of the types of devices for interconnecting LANs.

[3] In networking, the term bandwidth has two meanings. One meaning of bandwidth is data rate, measured in bits per second. That is the meaning which we use in this chapter. Later in this course (in the Wireless Module) we will encounter the other meaning of the term bandwidth.

4.1. Hubs

A hub is the central element in a “star” or “spoke” network topology. While the Ethernet first used a bus topology, consider that most office buildings were already set up such that telephone lines ran from a central switching cabinet to individual desks. Similarly, UTP wires could run to individual machines and all terminate in a central electrical cabinet that served as a hub. Here, the term hub was simply meant as a “center of activity,” the way the term is still used as in “Denver is a hub for United Airlines.” The picture that follows illustrates this idea.

From Forouzan, Data Communications and Networking, McGraw Hill, 2007

An Ethernet hub from NETGEAR.

Now, devices called Ethernet hubs are used to connect the twisted pairs from each host together. Using the hub pictured above, we can connect four hosts together simply by plugging each host's NIC into one of the hub's four ports.

When using a hub, we can consider the hosts to be, for practical purposes, electrically soldered together at the hub. When a single station transmits, the signal that arrives at one port is sent out on all other ports. A frame arriving on one port is not buffered or stored—it is simply transmitted out on all of the other ports. Fault isolation is easy with hubs—we merely have to unplug the problem host. Adding and removing hosts is also easy—we just plug in new users and unplug hosts that we want to remove from the LAN.

It is important to note that a hub is a physical layer device. It only recognizes the existence of bits. When bits arrive on one port, they are sent out on all of the remaining ports. A hub does not understand that some bits that arrive are Ethernet addresses and some bits that arrive are CRC, and so forth. To a hub, everything is just bits.

Practice Problem 13.10

Consider the 10 Mbps Ethernet shared by the busy users in the network below. The network uses three 4-port hubs. How much bandwidth is available to each user?

Solution:


4.2 Bridges

A bridge is a device designed for use between LANs. A bridge is similar to a hub in that it can be used to connect multiple hosts or multiple LANs. A bridge can be used to connect two or more Ethernet LANs like a hub, but—unlike a hub—a bridge can divide up the hosts into separate collision domains. When a frame arrives, the bridge looks at the source and destination Ethernet addresses. The bridge then decides whether the frame should be forwarded (and if so, to which outgoing port). Since a bridge looks at and understands data link addresses, it operates at the data link layer (Layer 2).

In virtually all cases, there is a need to expand beyond the confines of a single LAN. Why not have a single much larger LAN? There are several advantages to connecting multiple LANs together. The main advantage of utilizing bridges over hubs is improved performance. We may want to split a single heavily loaded LAN into separate LANs to improve performance by limiting collisions and forwarding only when we have to. Bridges have a few ancillary advantages. Bridges enhance reliability, since a single bad user (outputting continuously) will not disable all hosts; if bridges are used, the bad user will only kill its segment. Additionally, bridges can be used to enhance security, since we can isolate portions of the network and only forward frames where they must go.

To make this distinction clear, consider the picture below, which shows two Ethernet LANs joined together by a bridge.

[Figure: two Ethernet LANs joined by a bridge, with hosts labeled 1 through 6 and 9 through 14.]

Suppose Host 3 wants to send a frame to Host 5. Host 3 sends the frame out on the left LAN and it arrives at all users on that LAN, including the bridge. The bridge will inspect the frame, and see that it is destined for Host 5. The bridge knows that Host 5 is on the left LAN and must have already received the frame (since everyone on the left LAN received the frame). The important point: the bridge will not forward the frame to the right-side LAN since the bridge knows that Host 5 is not on the right-side LAN.
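The forwarding decision described above can be modelled in a few lines. This added example (not from the original chapter) goes slightly beyond the text by showing one way a bridge comes to know where a host is: it records the source address of every frame it sees and floods frames whose destination it has not yet seen. Host numbers stand in for Ethernet addresses, and placing hosts 9 to 14 on the right-side LAN is an assumption.

```python
BROADCAST = "FF:FF:FF:FF:FF:FF"

# Assumed layout: hosts 1-6 on the left LAN, hosts 9-14 on the right LAN.
LANS = {"left": [1, 2, 3, 4, 5, 6], "right": [9, 10, 11, 12, 13, 14]}


class Hub:
    """Physical-layer device: bits arriving on one port leave on all others."""

    def __init__(self, ports):
        self.ports = list(ports)

    def handle(self, in_port, src, dst):
        return [p for p in self.ports if p != in_port]


class Bridge:
    """Data-link-layer device: forwards or filters on Ethernet addresses."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}                      # address -> port it was last seen on

    def handle(self, in_port, src, dst):
        self.table[src] = in_port            # learn where the sender is
        out_port = self.table.get(dst)
        if dst == BROADCAST or out_port is None:
            return [p for p in self.ports if p != in_port]   # unknown: flood
        if out_port == in_port:
            return []                        # destination already heard it: filter
        return [out_port]                    # forward to the one LAN that needs it


def hosts_reached(device, lans, src, dst):
    """Return the hosts whose NICs receive a frame sent from src to dst."""
    in_port = next(port for port, hosts in lans.items() if src in hosts)
    reached = [h for h in lans[in_port] if h != src]   # the sender's own LAN
    for port in device.handle(in_port, src, dst):
        reached += lans[port]
    return sorted(reached)


if __name__ == "__main__":
    hub = Hub(LANS)
    bridge = Bridge(LANS)
    print("hub,    3 -> 5:", hosts_reached(hub, LANS, 3, 5))
    print("bridge, 3 -> 5:", hosts_reached(bridge, LANS, 3, 5), "(5 not yet learned)")
    print("bridge, 5 -> 3:", hosts_reached(bridge, LANS, 5, 3))
    print("bridge, 3 -> 5:", hosts_reached(bridge, LANS, 3, 5), "(5 now learned)")
```

Until the bridge has seen a frame from Host 5, the first frame to Host 5 still reaches the right-side LAN, so the isolation the text describes holds only for addresses the bridge already knows.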

Practice Problem 13.11

Consider users employing 10 Mbps Ethernet. How much bandwidth does each user get in each of the three scenarios below?

(a) Scenario 1:

(b) Scenario 2:

(c) Scenario 3:

Solution: (a) (c)

(b)


We should note that the results of the preceding calculations are, at best, approximations. We are presuming that a bridge port provides as much traffic on a LAN as a typical user. For example, in the picture above, consider the top-left collision domain. This collision domain has three users, plus the bridge port. The bridge port, however, is conveying the traffic from nine other users (the users on the other three LANs), so it may not be the case that the bridge port contributes the same amount of traffic in this collision domain as the other three users. Nevertheless, since bridges are often used to separate users who do not communicate very often, assuming a bridge port acts as a typical user often yields satisfactory results.

4.3 Switched Ethernet

Look at Scenario 3 above, which shows 12 users on a 4-port bridge. In this case the 12 users are divided into four collision domains, with three users (and a bridge port) within each collision domain.

What would happen if we had the 12 users on a 12-port bridge? In this case each user would be in its own collision domain (sharing it only with the bridge).

An N-port bridge that serves a number of hosts N is referred to as a “Layer-2 switch” or an “L-2 switch”.

Consider the scenario depicted below, which shows 7 users connected to a 9-port bridge. From here on out, whenever the number of users is less than or equal to the number of ports (as is the case here), we will use the term Layer-2 switch, or simply switch, instead of the term bridge.

Do collisions still occur? The answer is Yes, but only between a user and the switch. In the scenario above, all hosts can successfully transmit at the same time since each port is now a separate collision domain.

Note that L-2 switches, like bridges, look at frame addresses, and operate at the data link layer. While many people use the two terms interchangeably, a switch is most often used to connect individual computers, whereas bridges usually connect LANs. Thus, in this taxonomy, with L-2 switches each computer is in its own collision domain, whereas with bridges each connected LAN forms a collision domain.

Practice Problem 13.12

You have set up an Ethernet LAN for 10 users. For simplicity, assume the network has an efficiency of 100% and that resources are shared equally among users. How much bandwidth is available to each user if:

(a) The 10 users are connected on a 10 Mbps Ethernet to a hub

(b) The 10 users are connected on a 10 Mbps switched Ethernet

Solution:

(a)

(b)

Practice Problem 13.13

You want to set up an Ethernet LAN for a group of 10 offices at the Pentagon. Each office requires 2 digital telephone lines (64 kbps each). Additionally, each office must support a peak web browsing demand of 40,000 bytes/min.

(a) What is the total bit rate demand of the LAN?

(b) Would a standard 10 Mbps Ethernet suffice?

Solution: (a)

(b)


Practice Problem 13.14

Match the column on the left with the description on the right:

Network Interface Card (a) Looks at MAC address and then forwards the frame on the correct port

Hub (b) Copies incoming bits to all other ports

Switch (c) Piece of equipment with a unique address that translates bits to signals and transmits the signals on the medium.

Practice Problem 13.15

If an entire IP packet has 8096 bytes, how many Ethernet frames are required to transmit this packet?

Solution:

Practice Problem 13.16

Answer True or False to the following statements:

(a) An Ethernet address is normally expressed in decimal.

(b) An Ethernet address is burned into hardware and never changes.

(c) An Ethernet address is used at the network layer to address packets.

(d) An Ethernet address, MAC address, and Hardware address are all the same thing.

(e) When I log on to different networks my Ethernet Address can change every time.

5. Technological Innovations

In the years since Ethernet’s introduction there have been major technological innovations that seek to enhance performance, increase network speeds and more. Here are three examples which have sought to build off of existing standards and infrastructure vice reinventing the wheel.

5.1 Fast Ethernet (1995)

Fast Ethernet uses the same frame format as “standard Ethernet.” Fast Ethernet is backward-compatible with standard Ethernet. And, perhaps surprisingly, it uses the same minimum and maximum frame lengths as standard Ethernet. Also, it has the same maximum physical length as standard Ethernet (100 meters for UTP). There is a big difference: Fast Ethernet operates at 100 Mbps.

How do we raise the data rate? The details are rather technical, and have to do with the improvements in technology over the years. The original Ethernet operated at 10 Mbps and required a special type of signaling called Manchester encoding. Advances in transmission media allowed for a signaling scheme that supported higher data rates. Better clock circuitry allowed us to raise the transmission speed without worrying about loss of synchronization. Instead of using one twisted pair, we use four twisted pairs: 1 to the switch, 1 from the switch, and 2 that are switchable to support the current direction of traffic flow.

Finally, 3-level signaling is used at the physical layer. Instead of sending a 0 or 1, we can send 0, -1 or +1.


5.2 Switches

We can consider a switch a technological innovation. A hub, often in a building wiring closet, is the center of activity with a line to each individual host. With that infrastructure already in place, replacing the hub with a switch is both easy and efficient, as the switch would dramatically boost our performance and apparent bandwidth by moving each user onto their own collision domain. In fact, since the advent of Layer 2 switches, bridge sales have suffered commercially!

5.3 Wireless Local Area Networks

Mentioned briefly at the start of the chapter, many of these principles can be applied to Wireless Local Area Networks. A different data link layer protocol is employed, 802.11 (Wi-Fi) instead of Ethernet. A different frame size, error control and multiple access solution are necessary to address the challenges of the wireless environment, but the addressing solution is the same. It is common for the three devices we discussed (hubs, bridges, and switches) to support a wireless LAN and connect to other wired LANs so that the networks we interact with can be thought of as hybrid.

Think of the Naval Academy. Bancroft Hall was extensively wired to support Ethernet when “the internet came to the hall.” There is no reason to migrate to Wi-Fi in the hall; however, when Midshipmen began being issued laptops there was the option to decide how they would connect in the classroom. With new students passing through every period, the desire for portability and other factors led to implementing Wi-Fi in the classrooms vice Ethernet. (Although your instructor’s workstation connects via Ethernet as it previously had!)


CH. 13 Problems

Name:_________________________

1. What are the advantages of dividing an Ethernet LAN with a bridge?

2. What is the relationship between a switch and a bridge?

3. Suppose the Ethernet data link layer receives 38 bytes of data from the network layer. How many bytes of padding must be added to the data?

4. What is the ratio of the smallest possible number of bytes in the Data & Padding portion of an Ethernet frame to the size of the frame? What is the ratio of the largest possible number of bytes in the Data and Padding portion of an Ethernet frame to the size of the frame?

5. Sketch the Ethernet frame required to send the text string “Hello World” from Alice (whose MAC address is 11:22:33:44:55:66) to Bob (whose MAC address is AA:BB:CC:DD:EE:FF). Assume that any padding bytes consist of all-zeroes, and that the Length/Type field is used as a Length field. RECALL: Fill in the boxes in the table below to sketch your frame starting at the upper left corner and filling in to the right. Each box represents ONE byte of information, and boxes should be filled with hex values. Note: some boxes may be empty.

Your error correction bits are 0101 1100 1010 1010 1111 1110 1011 1101.

There are 16 boxes across, which matches the display in Wireshark.


6. Consider the network below, which shows four 10 Mbps LANs connected by two bridges, labeled B1 and B2. Assume all users (labeled 1 through 7) are very chatty and equally chatty.

[Figure: four LANs (LAN 1, LAN 2, LAN 3 and LAN 4) connected by bridges B1 and B2, with users 1 through 7]

(a) What is the effective data rate seen by user 4?

(b) What is the effective data rate seen by user 5?

(c) What is the effective data rate seen by user 6?

(d) What is the effective data rate seen by user 6 if the two bridges are replaced with hubs?

7. Two standard (10 Mbps) Ethernet topologies are illustrated in Figure 1 and Figure 2 for a network consisting of six computers.

Figure 1

Figure 2

(a) How much bandwidth does each user get for the network topology depicted in Figure 1?

(b) How much bandwidth does each user get for the network topology depicted in Figure 2?


Security Exercise 13

Part 1: Your Ethernet Address

A computer is connected to a network by a Network Interface Card (NIC), also termed a network adapter. That is, the NIC is the physical interface between a computer and the networking medium. The networking medium, in turn, might be a wire, a fiber optic strand, or free space (in the case of wireless networks).

Each NIC is assigned a globally unique address burned into the card's Read Only Memory. All machines on an Ethernet LAN are guaranteed to have unique addresses. No two Ethernet users anywhere in the world can have the same global address. Addresses are 6 bytes, of which 46 bits are used for the unique address.

The NIC interfaces with the physical media, so this globally-unique address is often called the physical address. Since physical devices are often termed hardware, a NIC’s unique address is also frequently referred to as a hardware address. Finally, since the NIC controls access between the computer and the networking media, its address is also termed a Media Access Control (MAC) address. Since most NICs conform to the Ethernet standard, the NIC address is also called an Ethernet address. Thus, the NIC address goes by four different names which are often used interchangeably:

- Physical Address
- Hardware Address
- MAC Address
- Ethernet Address

In Windows, not in the VM, open a command prompt. (To open a command prompt, click the Start button, type cmd in the search box, and press Enter.)

At the command prompt, type: getmac /v

Question 1: Ignoring VMware virtual adapters and Wi-Fi, what is your computer's Ethernet address (aka Local Area Connection or physical address)?

Recall that a MAC address is 48-bits. The first 3 bytes provide the address of the NIC manufacturer (or vendor). The Institute of Electrical and Electronics Engineers (IEEE) assigns blocks of addresses to various manufacturers. For a listing of vendor codes, see http://standards.ieee.org/develop/regauth/oui/oui.txt

(Note: This is a long text file and may take a long time to download. A copy is provided on the course website under Resources.)

Question 2: What vendor manufactured your Ethernet card?

Question 3: Ward Hall has a policy that midshipmen can only connect their original issued computers to the USNA network. Suppose you go to Best Buy, buy a new computer and connect it to the network. Will Ward Hall be able to tell? If so, how?

Can you "spoof" your MAC address—i.e., have your computer tell the rest of the world your MAC address is different from the actual value burned into ROM? The answer is: Yes, it is very easy to spoof your MAC address—it requires a change to one line of the easy-to-edit Windows registry. However, you should not do this since even a small screw-up while editing the Windows registry can irreparably damage your computer. Bottom line, unless you are a CS major with a 4.0 QPR and ten computers (so you have a few to spare), you should never edit the Windows registry.

Part 2: Using ping to Determine the Largest Possible Ethernet Frame Size

ping is a tool that can be used to determine whether our computer can reach another computer across the Internet. From the Windows command prompt, type:

ping www.cnn.com

You should see something similar to:

C:> ping www.cnn.com

Pinging turner.map.fastly.net [151.101.32.73] with 32 bytes of data:
Reply from 151.101.32.73: bytes=32 time=4ms TTL=49
Reply from 151.101.32.73: bytes=32 time=4ms TTL=49
Reply from 151.101.32.73: bytes=32 time=4ms TTL=49
Reply from 151.101.32.73: bytes=32 time=4ms TTL=49

Ping statistics for 151.101.32.73:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 4ms, Maximum = 4ms, Average = 4ms

ping is a probing tool that sends a packet from our computer to the designated target computer (in this case, the computer with the name www.cnn.com) and waits for a reply. The output above tells us several things:

- Our ping packet contains 32 bytes of data (it also happens to contain another 28 bytes of header information).
- We conducted a total of 4 probes.
- We received replies to all four of our probes.
- The round trip time for each of our four probes was 4 milliseconds.

Looking at the ping reply above, notice that www.cnn.com is also referred to as “151.101.32.73”. This latter sequence of four numbers (separated by decimals) is, as you might already know, the computer’s IP address. Thus, the computer named www.cnn.com has IP address 151.101.32.73. We will discuss IP addresses in the next lecture.

When we use the ping command, we, by default, ping the target host with 32 bytes of data. We can change the size of the ping packet by using the -l option (dash and letter l). For example, if I type:

ping -l 100 www.cnn.com

I will see something along these lines (but note that IP addresses can and do vary over time):

Pinging turner.map.fastly.net [151.101.32.73] with 100 bytes of data:
Reply from 151.101.32.73: bytes=100 time=4ms TTL=49
Reply from 151.101.32.73: bytes=100 time=4ms TTL=49
Reply from 151.101.32.73: bytes=100 time=4ms TTL=49
Reply from 151.101.32.73: bytes=100 time=4ms TTL=49

Ping statistics for 151.101.32.73:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 4ms, Maximum = 4ms, Average = 4ms

Notice that I pinged www.cnn.com with 100 bytes of data. If I had typed:

ping -l 150 www.cnn.com

I would have pinged with 150 bytes of data.

Hmmm... I wonder what would happen if I tried to ping www.cnn.com with a very large packet. This would mean that the computer would have to stop for a long time and deal with my request. So, the services of www.cnn.com would then be denied to others. I might just call this an attack...hmmm...a denial of service attack...yea, that’s the ticket. I try to ping with 50,000 bytes by typing:

ping -l 50000 www.cnn.com

and I see:

Pinging www.cnn.com [151.101.32.73] with 50000 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 151.101.32.73:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Gasp! My plans for world domination are foiled! The target rejected my ping packets!

Why? Well, Ethernet, which is the local area network technology used by just about everyone (including us!) will only allow the data packet to be at most a certain size. This maximum size is called the Maximum Transfer Unit (MTU). Well…what if we want to send a block of data bigger than Ethernet’s MTU? In general, there is no problem with this; the large block of data is broken up (i.e., fragmented) into pieces (each of which is less than or equal to Ethernet’s MTU), and these pieces are then sent individually. The pieces (fragments) are then put back together when they all arrive at the destination.

In general, there is no hitch, except for one wrinkle: hosts will often ignore ping packets that were fragmented. Why, you ask? Well, in the mid 1990’s, it was discovered that if a ping packet was fragmented, it could be forced back together at the destination in such a way that the final size of the reconstituted packet was larger than the maximum permissible IP packet size, causing the host’s operating system to crash. This scenario was given the somewhat unpleasant name: The Ping of Death.

The Bottom Line: You can crash someone's computer if you send them a ping that is so large that it cannot fit in one Ethernet frame, i.e., you can crash someone's computer if you send them a ping that exceeds Ethernet's MTU. Most operating systems are on to this behavior, and will not permit reception of a fragmented ping.

In summary, if you send a very large ping packet, it will need to be fragmented to fit inside Ethernet’s MTU, but these fragments will then be ignored by the destination since there is no good reason someone should want to send me a ping packet that was so big that it had to be fragmented.
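The check a receiving host can apply before reassembly, written here as an added example rather than code from the course or from any operating system: it reads the fragment offset and length out of each IPv4 header and rejects a fragment whose end would pass the 65,535-byte limit. The function names are hypothetical, and the headers are constructed in the script (documentation addresses, checksum left at zero).

```python
import struct

MAX_IP_PACKET = 65535   # upper limit of the 16-bit IPv4 Total Length field
IP_HEADER_LEN = 20      # IPv4 header without options
ICMP_HEADER_LEN = 8     # echo header; 20 + 8 = the 28 bytes ping adds


def build_fragment_header(offset_units, payload_len, more_fragments):
    """Constructed IPv4 header for one ICMP fragment (checksum left at 0)."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, IP_HEADER_LEN + payload_len, 0x1234, flags_frag,
        64, 1, 0,                                      # TTL, protocol 1 = ICMP, checksum
        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]),  # documentation addresses
    )


def reassembled_size(header):
    """Size the datagram must reach once this fragment is placed at its offset."""
    if len(header) < IP_HEADER_LEN:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", header[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < IP_HEADER_LEN or total_len < ihl:
        raise ValueError("inconsistent header lengths")
    offset_bytes = (flags_frag & 0x1FFF) * 8   # the offset field counts 8-byte units
    return ihl + offset_bytes + (total_len - ihl)


def is_oversized(header):
    """True when reassembly would exceed the maximum permissible IP packet size."""
    return reassembled_size(header) > MAX_IP_PACKET


def fragment_ping(data_len, mtu=1500):
    """Headers of the fragments a ping with data_len bytes of data splits into."""
    per_fragment = (mtu - IP_HEADER_LEN) // 8 * 8   # 1480 bytes on Ethernet
    remaining = data_len + ICMP_HEADER_LEN
    headers, offset = [], 0
    while remaining > 0:
        chunk = min(per_fragment, remaining)
        remaining -= chunk
        headers.append(build_fragment_header(offset // 8, chunk, remaining > 0))
        offset += chunk
    return headers


if __name__ == "__main__":
    legit = fragment_ping(50000)   # the 50,000-byte ping from the text
    print(len(legit), "fragments, reassembled size", reassembled_size(legit[-1]))
    # Constructed malformed final fragment: placed near the end of the offset range.
    malformed = build_fragment_header(8189, 1480, False)
    print("malformed size", reassembled_size(malformed), "rejected:", is_oversized(malformed))
```

The 50,000-byte ping reassembles to 50,028 bytes, the same total the exercise computes, so it passes this check; a host that still ignores it is applying the stricter policy of dropping fragmented pings altogether.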

What is Ethernet’s Maximum Transfer Unit?

What is the largest block of data that Ethernet will allow me to send without requiring fragmentation? (Note: this would be the largest size of data plus padding that can fit into an Ethernet frame. Anything larger than this would require more than one Ethernet frame, i.e., fragmentation.) To see, we can use the -f option in the ping command. This option will mean that the packet will not be fragmented, so, if the packet is bigger than Ethernet’s MTU, it won’t be sent. For example, if I type

ping -f -l 50000 www.cnn.com

the packet will not be fragmented because the 'don't fragment' option (-f) has been used.

Question 4: What is the maximum number of unfragmented bytes you can send to www.cnn.com? Use the ping command with the -f and -l options following the example above.

Note that when using the ping command, there are 28 additional bytes of header information added to the number of bytes specified in the ping command. In the example above of 50,000 bytes, a total of 50,000 + 28 = 50,028 bytes are actually sent.

Question 5: What is then the Ethernet’s MTU? (hint: consider the additional bytes in using the ping command above.)

Question 6: After you have completed Question 4, review the notes where we discussed the maximum size of an Ethernet frame. Does your answer to Question 4 match what the notes say is the maximum amount of data that can fit inside the data field of an Ethernet frame?

Part 3: Wireshark

Spurred by the Snowden revelations, The Guardian published an article titled "The NSA is turning the Internet into a total surveillance system." Others speculate that the NSA may be monitoring essentially all Internet traffic. Concerning the NSA's surveillance of Internet traffic, security expert Brian Reid opined that "This isn’t a wiretap, it’s a country-tap."

Our objective today is not to examine why such surveillance is done, but rather to gain a sense of how such surveillance is done. Toward that end, we will gain basic familiarity with a packet sniffer named Wireshark. A packet sniffer is, in essence, a wiretap that allows you to monitor the traffic passing a particular point in a computer network. A packet sniffer not only allows you to analyze or inspect individual packets as binary or hexadecimal symbols, but also attempts, where possible, to convert binary packets into a human-readable format.

Packet sniffers allow the user to determine who is communicating with whom, and what they are saying, topics of great concern to network security specialists and the people who keep them busy.

Packet sniffing, as with most things, can be used for good purposes or for malicious purposes. A hacker can certainly use a packet sniffer to detect who is communicating with whom, and the nature of the communication (so-called metadata). Any unencrypted content (to include unencrypted passwords) can also be read. The NSA uses packet sniffers to thwart terrorist plots. In June 2013 General Keith Alexander, the Director of the NSA, testified that the NSA's surveillance programs had foiled at least 50 terrorist attacks worldwide.

Computer engineers use packet sniffers for good purposes also: A network can be analyzed to determine if there is excessive congestion, troubleshooting of faults can be facilitated, unauthorized network users can be detected, etc.

A. Getting Started


Wireshark is a packet sniffer that will capture packets and display them using a nice Graphical User Interface (GUI). Wireshark is a passive program; it does not transmit packets onto the network. It merely analyzes what traffic is going past your NIC.

Start up VMware Workstation and power on your Cyber2 VM. Then launch Wireshark by selecting:

Applications > Internet > Wireshark (as root)

Launch Wireshark.

Under File, Click Open and highlight the file named packets:

and then click Open.


Now, after opening the file you should see something much more interesting. (If your display looks slightly different from that shown on the next page, don’t worry. If it looks radically different, let the instructor know.)

This shows you all the packets that were in the file that was provided. Three pains...I mean panes...are provided. Referring to the figure above, we see the following:

Packet List Pane: This displays a summary of each packet captured. Each line represents a packet. You can see that the packets are numbered: Number 1, Number 2, etc. (This pane presents so-called metadata. From metadata we can determine such things as: Who is initiating the communication? Who is the intended recipient? What is the overall goal of the communication? Is it an attempt to access a web site? Is it an attempt to send an email? Is it a file transfer?)

By clicking on a packet in this pane, you control what is displayed in the two lower panes. In the figure above, the first line (Packet 1) is highlighted in green, and the two other panes give details about this packet.

Packet Details Pane: Displays more details about the packet that you highlighted in the Packet List Pane.

Packet Bytes Pane: Displays gory details about the packet selected in the Packet List Pane, and highlights the field selected on the Packet Details Pane. Whereas the top pane reveals the metadata, this pane reveals all of the contents.

Take a moment to memorize the names of these three panes, so that when you see, for instance, “Packet Details Pane” you don’t have to think: Which one was that again?

Okay, let’s look at the Packet List Pane (which one was that again?).

At the top of the Packet List Pane, starting at the left, we have the number (No) column. As mentioned, each packet that was captured is sequentially numbered by Wireshark.

Question 7: How many packets were captured?

Next over, we have the Time column. By default, this column indicates the relative time that each packet was received, with the first packet arriving at t = 0.

Question 8: What is the number of the packet that was received closest to 10 seconds from the start?

Let’s look at packet 5182. Look at the Packet Details pane for this packet:


This shows the protocols used by this packet. So, for instance, we see that this packet used Ethernet, The Internet Protocol (IP) and the Transmission Control Protocol (TCP). By clicking on the plus sign we can expand and collapse each of the listed protocols.

The bottom pane, the Packet Bytes Pane, shows the data in the selected packet (in this case, packet 5182) in hexadecimal.

Now, let’s look at the Ethernet protocol in more detail. Click the arrow next to Ethernet and you should see this:

Question 9: Look at the first 12 hexadecimal numbers in the Packet Bytes Pane. It reads:

00 01 02 c6 3b 6a

This is the very start of the Ethernet frame. Referring to the Ethernet frame format from your notes, what is the meaning of these 12 hexadecimal numbers?

Question 10: Look at the next 12 hexadecimal numbers in the Packet Bytes Pane. It reads:

00 04 80 74 09 00

This is the next part of the Ethernet frame. Referring to the Ethernet frame format from your notes, what is the meaning of these 12 hexadecimal numbers?

Question 11: Do your answers for Questions 8 and 9 match the info provided in the middle pane?

Question 12: Can Wireshark be used to determine the NIC card numbers of people using the network?

Look at the next four hexadecimal numbers in the Packet Bytes Pane. It reads:

08 00

Question 13: Referring to the Ethernet frame format from your notes, what is the meaning of these 4 hexadecimal numbers?

Now, using your favorite Windows browser, go to the following website and look up what type of frame 0800 refers to:

http://www.cavebear.com/archive/cavebear/Ethernet/type.html

(Note: you MUST capitalize the “E” in Ethernet in this address.)

Question 14: Based on your search, what type of information is carried in the data field of this Ethernet frame?

Question 15: Go back to Wireshark (in the VM), and look closely at packet number 2. What destination hardware address was used in this frame? What is special about this destination address? You may need to review the class notes.
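What Wireshark does with the first 14 bytes of a frame can be reproduced in a few lines. The following is an added example, not part of the original exercise: it splits the header into destination, source and Length/Type, reads the two flag bits that are not part of the 46-bit unique address, and lists source addresses missing from an issued-NIC list. The function names and the allowlist are hypothetical; the first sample uses the header bytes quoted in Questions 9, 10 and 13, and everything else is constructed.

```python
import struct

BROADCAST = b"\xff" * 6
# Small subset of well-known EtherType values; anything else is reported as unknown.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def format_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def describe_address(raw):
    """Split a 6-byte address into the fields a capture analyst looks at."""
    return {
        "mac": format_mac(raw),
        "oui": format_mac(raw[:3]),                    # vendor block assigned by the IEEE
        "broadcast": raw == BROADCAST,
        "group": bool(raw[0] & 0x01),                  # I/G bit: multicast or broadcast
        "locally_administered": bool(raw[0] & 0x02),   # U/L bit: assigned by software
    }


def parse_ethernet_header(frame):
    """Parse a frame as Wireshark shows it: no preamble, destination address first."""
    if len(frame) < 14:
        raise ValueError("need at least 14 bytes of Ethernet header")
    dst, src, value = struct.unpack("!6s6sH", frame[:14])
    if value <= 1500:
        kind, meaning = "length", f"{value} data bytes"
    elif value >= 0x0600:
        kind, meaning = "type", ETHERTYPES.get(value, "unknown")
    else:
        kind, meaning = "undefined", "neither a valid length nor a type"
    return {"dst": describe_address(dst), "src": describe_address(src),
            "kind": kind, "meaning": meaning, "payload": frame[14:]}


def unknown_sources(frames, allowed_macs):
    """Source addresses seen in the capture that are not on the issued-NIC list."""
    allowed = {m.lower() for m in allowed_macs}
    seen = {parse_ethernet_header(f)["src"]["mac"] for f in frames}
    return sorted(seen - allowed)


# Header bytes quoted in Questions 9, 10 and 13; the 46-byte payload is constructed filler.
PAGE_FRAME = bytes.fromhex("000102c63b6a" "000480740900" "0800") + bytes(46)
# Constructed frame: broadcast destination, software-assigned source address, ARP.
CONSTRUCTED_FRAME = bytes.fromhex("ffffffffffff" "02005e000001" "0806") + bytes(46)

if __name__ == "__main__":
    for frame in (PAGE_FRAME, CONSTRUCTED_FRAME):
        h = parse_ethernet_header(frame)
        print(h["dst"]["mac"], "<-", h["src"]["mac"], h["kind"], h["meaning"])
    # Hypothetical allowlist holding only the source address from the page's capture.
    print(unknown_sources([PAGE_FRAME, CONSTRUCTED_FRAME], ["00:04:80:74:09:00"]))
```

An allowlist of this kind only flags addresses it has never seen; a machine that presents a copied, issued address passes it, which is why the locally administered bit is reported separately.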


Security Exercise 13 Answer Sheet Name:

Question 1:

Question 2:

Question 3:

Question 4:

Question 5:

Question 6:

Question 7:

Question 8:

Question 9:

Question 10:

Question 11:

Question 12:

Question 13:

Question 14:

Question 15:
