
Networking Notes Part 1


8/3/2019 Networking Notes Part 1

http://slidepdf.com/reader/full/networking-notes-part-1 1/100

Introduction to Networking

Muhammad Kashif Riaz, System Administrator, Logitech. Email: [email protected]

Web: www.logitech.net

Networking Introduction

What is a Network?  

A network is simply a group of two or more Personal Computers linked together.  

What Types of Networks Are There?

Many types of networks exist, but the most common types of networks are Local-Area Networks (LANs), and Wide-Area Networks (WANs). In a LAN, computers are connected together within a "local" area (for example, an office or home). In a WAN, computers are further apart and are connected via telephone/communication lines, radio waves or other means of connection.

How are Networks Categorized?

Networks are usually classified using three properties: Topology, Protocol and Architecture.

Topology specifies the geometric arrangement of the network. Common topologies are a bus, ring and star. You can check out a figure showing the three common types of network topologies here.

Protocol specifies a common set of rules and signals the computers on the network use to communicate. Most networks use Ethernet, but some networks may use IBM's Token Ring protocol. We recommend Ethernet for both home and office networking.

Architecture refers to one of the two major types of network architecture: Peer-to-peer or client/server. In a Peer-to-Peer networking configuration, there is no server, and computers simply connect with each other in a workgroup to share files, printers and Internet access.

This is most commonly found in home configurations and is only practical for workgroups of a dozen or less computers. In a client/server network there is usually an NT Domain Controller, to which all of the computers log on. This server can provide various services, including centrally routed Internet Access, mail (including e-mail), file sharing and printer access, as well as ensuring security across the network. This is most commonly found in corporate configurations, where network security is essential.


Network Cabling  

Introduction 

This section talks about the cabling used in today's networks. There are a lot of different types of cabling in today's networks and I am not going to cover all of them, but I will be talking about the most common cables, which include UTP CAT5 straight through and crossover, Coax and a few more.

Cabling is very important if you want a network to work properly with minimum problems and bandwidth losses. There are certain rules which must never be broken when you're trying to design a network, otherwise you'll have problems when computers try to communicate. I have seen sites which suffer from enormous problems because the initial design of the network was not done properly!

In the near future, cabling will probably be something old and outdated since wireless communication seems to be gaining more ground, day by day. With that in mind, around 95% of companies still rely on cables, so don't worry about it too much :)

Let's have a quick look at the history of cabling which will allow us to appreciate what we have today!

The Beginning

We tend to think of digital communication as a new idea but in 1844 a man called Samuel Morse sent a message 37 miles from Washington D.C. to Baltimore, using his new invention ‘The Telegraph’. This may seem a far cry from today's computer networks but the principles remain the same.

Morse code is a type of binary system which uses dots and dashes in different sequences to represent letters and numbers. Modern data networks use 1s and 0s to achieve the same result. The big difference is that while the telegraph operators of the mid 19th Century could perhaps transmit 4 or 5 dots and dashes per second, computers now communicate at speeds of up to 1 Gigabit, or to put it another way, 1,000,000,000 separate 1s and 0s every second.

Although the telegraph and the teletypewriter were the forerunners of data communications, it has only been in the last 35 years that things have really started to speed up. This was borne out of the necessity for computers to communicate at ever increasing speeds and has driven the development of faster and faster networking equipment, higher and higher specification cables and connecting hardware.

Development of new network technology

Ethernet was developed in the mid 1970's by the Xerox Corporation at its Palo Alto Research Centre (PARC) in California and in 1979 DEC and Intel joined forces with Xerox to standardize the Ethernet system for everyone to use. The first specification by the three companies, called the 'Ethernet Blue Book', was released in 1980; it was also known as the 'DIX standard' after their initials.

It was a 10 Mega bits per second system (10Mbps, = 10 million 1s and 0s per second) and used a large coaxial backbone cable running throughout the building, with smaller coax cables tapped off at 2.5m intervals to connect to the workstations. The large coax, which was usually yellow, became known as 'Thick Ethernet' or 10Base5 - the '10' refers to the speed (10Mbps), the 'Base' because it is a base band system (base band uses all of its bandwidth for each transmission, as opposed to broad band which splits the bandwidth into separate channels to use concurrently) and the '5' is short for the system's maximum cable length, in this case 500m.

The Institute of Electrical and Electronic Engineers (IEEE) released the official Ethernet standard in 1983 called the IEEE 802.3 after the name of the working group responsible for its development and, in 1985, version 2 (IEEE 802.3a) was released. This second version is commonly known as 'Thin Ethernet' or 10Base2; in this case the maximum length is 185m even though the '2' suggests that it should be 200m.

Since 1983, various standards have been introduced because of the increased bandwidth requirements; so far we are up to the Gigabit rate!

Unshielded Twisted Pair

Introduction

Unshielded Twisted Pair cable is most certainly by far the most popular cable around the world. UTP cable is used not only for networking but also for the traditional telephone (UTP-Cat 1). There are 6 different types of UTP categories and, depending on what you want to achieve, you would need the appropriate type of cable. UTP-CAT5 is the most popular UTP cable; it came to replace the good old coaxial cable which was not able to keep up with the constantly growing need for faster and more reliable networks.

Characteristics

The characteristics of UTP are very good and make it easy to work with, install, expand and troubleshoot. We are going to look at the different wiring schemes available for UTP, how to create a straight through UTP cable, rules for safe operation and a lot of other cool stuff!

So let's have a quick look at each of the UTP categories available today:


Category 1/2/3/4/5/6 – a specification for the type of copper wire (most telephone and network wire is copper) and jacks. The number (1, 3, 5, etc) refers to the revision of the specification and in practical terms refers to the number of twists inside the wire (or the quality of connection in a jack).

CAT1 is typically telephone wire. This type of wire is not capable of supporting computer network traffic and is not twisted. It is also used by phone companies who provide ISDN, where the wiring between the customer's site and the phone company's network uses CAT 1 cable.

CAT2, CAT3, CAT4, CAT5 and CAT6 are network wire specifications. This type of wire can support computer network and telephone traffic. CAT2 is used mostly for token ring networks, supporting speeds up to 4 Mbps. For higher network speeds (100Mbps plus) you must use CAT5 wire, but for 10Mbps CAT3 will suffice. CAT3, CAT4 and CAT5 cable are actually 4 pairs of twisted copper wires and CAT5 has more twists per inch than CAT3 therefore can run at higher speeds and greater lengths. The "twist" effect of each pair in the cables will cause any interference presented/picked up on one cable to be cancelled out by the cable's partner which twists around the initial cable. CAT3 and CAT4 are both used for Token Ring, the only difference is CAT3 can be as long as 100 meters while CAT4 can only be 200 meters.

CAT6 wire was originally designed to support gigabit Ethernet (although there are standards that will allow gigabit transmission over CAT5 wire, that's CAT 5e). It is similar to CAT5 wire, but contains a physical separator between the 4 pairs to further reduce electromagnetic interference.

The next pages (check menu) show you how UTP cable is wired and the different wiring schemes. It's well worth visiting and reading about.

Straight Thru UTP Cables 

Introduction 

We will be mainly focussing on the wiring of CAT5 cables here because they are the most popular cables around! You will find info on wiring the classic CAT1 phone cables as well. It is very important you know how exactly to wire UTP cables because it's the base of a solid network and will help you avoid hours of frustration and troubleshooting if you do it right the first time :) On the other hand, if you are dealing with a poorly cabled network, then you will be able to find the problem and fix it more efficiently.

Wiring the UTP cables!

We are now going to look at how UTP cables are wired. There are 2 popular wiring schemes that most people use today: the T-568A and T-568B, that differ only in which color coded pairs are connected - pair 2 and 3 are reversed. Both work equally well, as long as you don't mix them! If you always use only one version, you're OK, but if you mix A and B in a cable run, you will get crossed pairs!


UTP cables are terminated with standard connectors, jacks and punchdowns. The jack/plug is often referred to as an "RJ-45", but that is really a telco designation for the "modular 8 pin connector" terminated with a USOC pinout used for telephones. The male connector on the end of a patchcord is called a "plug" and the receptacle on the wall outlet is a "jack."

As I've already mentioned, UTP has 4 twisted pairs of wires; we'll now look at the pairs to see what colour codes they have:

As you can see in the picture on the left, the 4 pairs are labeled. Pairs 2 & 3 are used for normal 10/100Mbit networks, while Pairs 1 & 4 are reserved. In Gigabit Ethernet, all 4 pairs are used.

CAT5 cable is the most common type of UTP around the world! It's flexible, easy to install and very reliable when wired properly :)


The left and center pictures show the end of a CAT5 cable with an RJ-45 connector, used by all cables to connect to a hub or to your computer's network card. The picture to the right shows a stripped CAT5 cable, indicating the 4 twisted pairs.

And to be a bit fancy, don't think that UTP CAT5 cable only comes in one boring colour... those days are over! You get a wide range of choices today:

T-568A & T-568B 4-pair Wiring  

Ethernet is generally carried in 8-conductor cables with 8-pin modular plugs and jacks. The connector standard is called "RJ-45" and is just like a standard RJ-11 modular telephone connector, except it is a bit wider to carry more pins.

Note: Keep in mind that the wiring schemes we are going to talk about are all for straight through cables only! Cross over cables are examined on a separate page!

The eight-conductor data cable contains 4 pairs of wires. Each pair consists of a solid colored wire and a white wire with a stripe of the same color. The pairs are twisted together. To maintain reliability on Ethernet, you should not untwist them any more than necessary (like about 1 cm). The pairs designated for 10 and 100 Mbit Ethernet are Orange and Green. The other two pairs, Brown and Blue, can be used for a second Ethernet line or for phone connections.

There are two wiring standards for these cables, called "T568A" (also called "EIA") and "T568B" (also called "AT&T" and "258A"). They differ only in connection sequence - that is, which color is on which pin, not in the definition of what electrical signal is on a particular color.

T-568A is supposed to be the standard for new installations, while T-568B is an acceptable alternative. However, most off-the-shelf data equipment and cables seem to be wired to T568B. T568B is also the AT&T standard. In fact, I have seen very few people using T568A to wire their network. It's important not to mix systems, as both you and your equipment will become hopelessly confused.


Pin Number Designations for T568B

Note that the odd pin numbers are always the white with stripe color (1,3,5,7). The wires connect to RJ-45 8-pin connectors as shown below:

Color Codes for T568B

Pin  Color         Pair    Name
1    white/orange  pair 2  TxData+
2    orange        pair 2  TxData-
3    white/green   pair 3  RecvData+
4    blue          pair 1
5    white/blue    pair 1
6    green         pair 3  RecvData-
7    white/brown   pair 4
8    brown         pair 4

The wall jack may be wired in a different sequence because the wires are often crossed inside the jack. The jack should either come with a wiring diagram or at least designate pin numbers. Note that the blue pair is on the centre pins; this pair translates to the red/green pair for ordinary telephone lines which is also in the centre pair of an RJ-11. (green=wh/blu; red=blu)

Pin Number Designations for T568A

The T568A specification reverses the orange and green connections so that pairs 1 and 2 are on the centre 4 pins, which makes it more compatible with the telco voice connections. (Note that in the RJ-11 plug at the top, pairs 1 and 2 are on the centre 4 pins.) T568A goes:


Color Codes for T568A

Pin  Color         Pair    Name
1    white/green   pair 3  RecvData+
2    green         pair 3  RecvData-
3    white/orange  pair 2  TxData+
4    blue          pair 1
5    white/blue    pair 1
6    orange        pair 2  TxData-
7    white/brown   pair 4
8    brown         pair 4

The diagram below shows the 568A and 568B in comparison:

Where are they used ?

The most common application for a straight through cable is a connection between a PC and a hub/switch. In this case the PC is connected directly to the hub/switch which will automatically cross over the cable internally, using special circuits. In the case of a CAT1 cable, which is usually found in telephone lines, only 2 wires are used; these do not require any special cross over since the phones connect directly to the phone socket.


The picture above shows us a standard CAT5 straight thru cable, used to connect a PC to a HUB. You might get a bit confused because you might expect the TX+ of one side to connect to the TX+ of the other side but this is not the case. When you connect a PC to a HUB, the HUB will automatically x-over the cable for you by using its internal circuits; this results in Pin 1 from the PC (which is TX+) connecting to Pin 1 of the HUB (which connects to RX+). This happens for the rest of the pinouts as well.

If the HUB didn't x-over the pinouts using its internal circuits (this happens when you use the Uplink port on the hub) then Pin 1 from the PC (which is TX+) would connect to Pin 1 of the HUB (which would be TX+ in this case). So you notice that no matter what we do with the HUB port (uplink or normal), the signals assigned to the 8 Pins on the PC side of things will always remain the same; the HUB's pinouts though will change depending on whether the port is set to normal or uplink.

This pretty much concludes our discussion on straight thru UTP cables!

CAT5 UTP X-Over Cable 

Introduction 

The cross-over (x-over) CAT5 UTP cable has to be one of the most used cables after the classic straight-thru cable. The x-over cable allows us to connect two computers without needing a hub or switch. If you recall, the hub does the x-over for you internally, so you only need to use a straight thru cable from the PC to the hub. Since now we don't have a hub, we need to manually do the x-over.

Why do we need an x-over ?

When sending or receiving data between two devices, e.g. computers, one will be sending while the other receives. All this is done via the network cable and if you look at a network cable you will notice that it contains multiple cables. Some of these cables are used to send data, while others are used to receive data and this is exactly what we take into account when creating an x-over cable. We basically connect the TX (transmit) of one end to the RX (receive) of the other!

The diagram below shows this in the simplest way possible:

CAT5 X-over

There is only one way to make a CAT5 x-over cable and it's pretty simple. Those who read the "wiring utp" section know an x-over cable is a 568A on one end and a 568B on the other. If you haven't read the wiring section, don't worry because I'll be giving you enough information to understand what we are talking about.

As mentioned previously, an x-over cable is as simple as connecting the TX from one end to the RX of the other and vice versa.

Let's now have a look at the pinouts of a typical x-over CAT5 cable:

As you can see, only 4 pins are needed for a x-over cable. When you buy a x-over cable, you might find that all 8 pins are used; these cables aren't any different from the above, it's just that there are cables running to the unused pins. This won't make any difference in performance, but is just a habit some people follow.

Here are the pinouts for a x-over cable which has all 8 pins connected:

Where else can I use a x-over ? 

X-over cables are not just used to connect computers, but a variety of other devices. Prime examples are switches and hubs. If you have two hubs and you need to connect them, you would usually use the special uplink port which, when activated through a little switch (in most cases), makes that particular port not cross the tx and rx, but leave them as if they were straight through. What happens though if you haven't got any uplink ports or they are already used?

The X-over cable will allow you to connect them and solve your problem. The diagram below shows a few examples to make it simpler:


As you can see in the above diagram, thanks to the uplink port, there is no need for a x-over cable.

Let's now have a look at how to cope when we don't have an uplink to spare, in which case we must make a x-over cable to connect the two hubs:

All the above should explain a x-over cable, where we use it and why we need it. I thought it would be a good idea to include, as a last picture, the pinouts of a straight thru and a x-over cable so you can compare them side by side:
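The straight thru versus x-over comparison can also be worked out from the colour order at each plug. The following is an added example, not part of the original notes: it uses the T568A and T568B colour tables given earlier, while the function names and the SEQUENTIAL and SWAPPED sample plugs are constructed for illustration. It also catches the split-pair mistake, where every pin connects to the right pin but the receive signal is not carried on one twisted pair.

```python
# Added example: classify a cable from the colour order seen at each plug.
# Colour orders come from the T568A/T568B tables in these notes; all function
# names and the SEQUENTIAL/SWAPPED samples are constructed for illustration.

T568A = ["white/green", "green", "white/orange", "blue",
         "white/blue", "orange", "white/brown", "brown"]
T568B = ["white/orange", "orange", "white/green", "blue",
         "white/blue", "green", "white/brown", "brown"]

# Constructed mistake: pairs laid side by side on pins 1-2, 3-4, 5-6, 7-8.
SEQUENTIAL = ["white/orange", "orange", "white/green", "green",
              "white/blue", "blue", "white/brown", "brown"]
# Constructed mistake: T568B with the wires on pins 1 and 2 swapped.
SWAPPED = ["orange", "white/orange"] + T568B[2:]

# 10/100 Mbit Ethernet on the PC side: pins 1,2 = TX+/TX-, pins 3,6 = RX+/RX-.
DATA_PINS = (1, 2, 3, 6)
STRAIGHT = {1: 1, 2: 2, 3: 3, 6: 6}
CROSSED = {1: 3, 2: 6, 3: 1, 6: 2}  # TX of one end lands on RX of the other


def base_colour(wire):
    """'white/orange' and 'orange' are the two wires of one twisted pair."""
    return wire.split("/")[-1]


def pin_map(end_a, end_b):
    """Follow each coloured wire: {pin at end A: pin at end B}."""
    for end in (end_a, end_b):
        if sorted(end) != sorted(T568B):
            raise ValueError("each end must list the 8 wire colours exactly once")
    return {pin: end_b.index(wire) + 1 for pin, wire in enumerate(end_a, start=1)}


def has_split_pair(end):
    """True if TX (pins 1,2) or RX (pins 3,6) is not on a single twisted pair."""
    tx_ok = base_colour(end[0]) == base_colour(end[1])
    rx_ok = base_colour(end[2]) == base_colour(end[5])
    return not (tx_ok and rx_ok)


def classify(end_a, end_b):
    """Return 'straight-through', 'crossover', 'split pair' or 'miswired'."""
    mapping = pin_map(end_a, end_b)
    data = {pin: mapping[pin] for pin in DATA_PINS}
    if data == STRAIGHT:
        kind = "straight-through"
    elif data == CROSSED:
        kind = "crossover"
    else:
        return "miswired"
    # Pin-to-pin continuity can be perfect while a signal and its return run
    # on wires from two different pairs, which defeats the twist.
    if has_split_pair(end_a) or has_split_pair(end_b):
        return "split pair"
    return kind


if __name__ == "__main__":
    samples = [("568B to 568B", T568B, T568B),
               ("568A to 568B", T568A, T568B),
               ("sequential both ends", SEQUENTIAL, SEQUENTIAL),
               ("568B to swapped 1/2", T568B, SWAPPED)]
    for label, a, b in samples:
        print(f"{label:22} -> {classify(a, b)}")
```

A simple continuity tester would pass the "sequential both ends" cable, which is why the pair check is done separately from the pin-to-pin check.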


10Base-T/2/5/F/35 - Ethernet

Introduction

The 10Base-T UTP Ethernet and 10Base-2 Coax Ethernet were very popular around the early to mid 1990's when 100Mbit network cards and hubs/switches were very expensive. Today's prices have dropped so much that most vendors don't focus on the 10Base networks but the 100Base ones and, at the same time, support the 10Base-T and 10Base-2 standard. We will also talk about the 10Base5/F and 35 shortly.

So what does 10BaseT/2/5/F/35 mean ?

To make it simpler to distinguish cables they are categorised; that's how we got the CAT1, 2, 3 etc cables. Each category is specific for speed and type of network. But since one type of cable can support various speeds, depending on its quality and wiring, the cables are named using the "BaseT" to show exactly what type of networks the specific cable is made to handle.

We are going to break the "10 Base T (and the rest)" into 3 parts so we can make it easier to understand:

10  

The number 10 represents the frequency in MHz (Mega HertZ) for which this cable is made. In this case it is 10 MHz. The greater the MHz, the greater speeds the cable can handle. If you try to use this type of cable for greater frequencies (and, therefore, speeds) then it either will not work or become extremely unreliable. The 10 MHz speed translates to 10Mbit per second, which in theory means 1.2 MBytes per second. In practice though, you wouldn't get more than 800 KBytes per second.

Base  

The word "Base" refers to Baseband. Baseband is the type of communication used by Ethernet and it means that when a computer is transmitting, it uses all the available bandwidth, whereas Broadband (cable modems) shares the bandwidth available. This is the reason cable modem users notice a slowdown in speed when they are connected on a busy node, or when their neighbour is downloading all the time at maximum speed! Of course with Ethernet you will notice a slowdown in speed but it will be smaller in comparison to broadband.

T/2/5/F/35

The "T" refers to "Twisted Pair" physical medium that carries the signal. This shows the structure of the cable and tells us it contains pairs which are twisted. For example, UTP has twisted pairs and this is the cable used in such cases. For more information, see the "UTP - Unshielded Twisted Pair" page where you can find information on pinouts for the cables.

10Base-T 

A few years ago, the 10 BaseT cables used CAT3 cables, which are used for speeds up to 10Mbit, but today you will find mostly CAT5 cables, which are good for speeds up to 100 MHz or 100Mbit; these cables are also used for 10Mbit networks. Only 2 pairs of the UTP cable are used with the 10Base-T specification and the maximum length is 100 meters.

10Base-2 

This specification uses Coaxial cable which is usually black, sometimes also called "Thinwire coax", "Thin Ethernet" or "RJ-58" cable. Maximum length is 185 meters and it uses BNC connectors which, depending on the configuration, require special terminators.

10Base-5

This specification uses what's called "Thick wire" coaxial cable, which is usually yellow. The maximum length is 500 meters and special connectors are used to interface to the network card; these are called AUI (Attachment Unit Interface) connectors and are similar to the DB-15 pin connectors most soundcards use for their joystick/MIDI port. Most networks use UTP cable and RJ-45 connectors or Coaxial cable with BNC "T" connectors; for this reason special devices made their way to the market that allow you to connect an AUI network card to these different cable networks.

The picture below shows you a few of these devices:

10Base-F 

This specification uses fibre optic cable. Fibre optic cable is considered to be more secure than UTP or any other type of cabling because it is nearly impossible to tap into. It is also resistant to electromagnetic interference and attenuation. Even though the 10Base-F specification is for speeds up to 10Mbits per second, depending on the type of fibre and equipment you use, you can get speeds of up to 2Gigabits per second!

10Base-35

The 10Base-35 specification uses broadband coaxial cable. It is able to carry multiple baseband channels for a maximum length of 3,600 meters or 3.6 Kms.


Summary  

To summarise, keep the following in mind:

•  10Base-T works for 10Mbit networks only and uses unshielded twisted pair cable with RJ-45 connectors at each end and maximum length of 100 meters. They also only use 2 pairs of cables.
•  10Base-2 works for 10Mbit networks only and uses Coaxial cable. Maximum length is 185 meters and BNC "T" connectors are used to connect to the computers; there are special terminators at each end of the coaxial cable.
•  10Base-5 works for 10Mbit networks only and uses Thick Coaxial cable. Maximum length is 500 meters and special "AUI" connectors (DB-15) are used to interface with the network card.
•  10Base-F works for 10Mbit networks only and uses cool fibre optic cable :)

100Base-(T) TX/ T4/ FX - Ethernet 

Introduction 

The 100Base-TX (sometimes referred to as 100Base-T) cable is the most popular cable around since it has actually replaced the older 10Base-T and 10Base-2 (Coaxial). The 100Base-TX cable provides fast speeds up to 100Mbits and is more reliable since it uses CAT5 cable (see the CAT 1/2/3/4/5 page). There is also 100Base-T4 and 100Base-FX available, which we discuss later.

So what does 100Base-TX/ T4/ FX mean ? 

To make it simpler to distinguish cables they are categorised; that's how we got the CAT1, 2, 3 etc cables. Each category is specific for speed and type of network. But since one type of cable can support various speeds, depending on its quality and wiring, the cables are named using the "BaseT" to show exactly what type of networks the specific cable is made to handle.

We are going to break the "100Base-T?" into 3 parts so we can make it easier to understand:

100 

The number 100 represents the frequency in MHz (Mega HertZ) for which this cable is made. In this case it is 100 MHz. The greater the MHz, the greater speeds the cable can handle. If you try to use this type of cable for greater frequencies (and, therefore, speeds) it will either not work or become extremely unreliable. The 100 MHz speed translates to 100Mbit per second, which in theory means 12 MBytes per second. In practice though, you wouldn't get more than 4 MBytes per second.

Base  

The word "Base" refers to Baseband. Baseband is the type of communication used by Ethernet and it means that when a computer is transmitting, it uses all the available bandwidth, whereas Broadband (cable modems) shares the bandwidth available. This is the reason cable modem users notice a slowdown in speed when they are connected on a busy node, or when their neighbour is downloading all the time at maximum speed! Of course with Ethernet you will notice a slowdown in speed but it will be smaller in comparison to broadband.

TX/ T4/ FX 

The "T" refers to "Twisted Pair" physical medium that carries the signal. This

shows the structure of the cable and tells us it contains pairs which are twisted.

For example, UTP has twisted pairs and this is the cable used in such cases. The

100Base-T is used sometimes to refer to the 100Base-TX cable specification.

100Base-TX  

The TX (sometimes referred to as "T" only) means it's a CAT5 UTP straight through

cable using 2 of the 4 available pairs and supports speeds up to 100Mbits. Maximum length is 100 meters.

100Base-T4  

The T4 means it's a CAT5 UTP straight through cable using all 4 available pairs

and supports speeds up to 100Mbits. Maximum length is 100 meters. 

100Base-FX  

The FX means it's a 2 strand fiber cable and supports speeds up to 100Mbits.

Summary  

To summarise, keep the following in mind:

•  100Base-TX/T4 works for 100Mbit networks only and uses unshielded twisted pair cable with RJ-45 connectors at each end.

•  All CAT5 UTP cables have 4 pairs of cables (8 wires).

•  100Base-TX (sometimes called 100Base-T) uses 2 of the 4 available pairs within the UTP cable, whereas the 100Base-T4 uses all 4 pairs.

•  100Base-FX also works for speeds up to 100Mbits but uses fibre optic cable instead of UTP.

Fiber Optic Cable  

Introduction 

In the 1950's more research and development into the transmission of visible

images through optical fibres led to some success in the medical world where it

was being used in remote illumination and viewing instruments. In 1966 Charles

Kao and George Hockham proposed the transmission of information over glass

fibre and realised that to make it a practical proposition, much lower losses in the

cables were essential.

This was the driving force behind the developments to improve the optical losses

in fibre manufacturing and today optical losses are significantly lower than the original target set by Charles Kao and George Hockham.

The advantages of using fibre optics

Because of the low loss, high bandwidth properties of fibre cables they can be

used over greater distances than copper cables. In data networks this can be as

much as 2km without the use of repeaters. Their light weight and small size also

make them ideal for applications where running copper cables would be

impractical and, by using multiplexors, one fibre could replace hundreds of copper

cables. This is pretty impressive for a tiny glass filament, but the real benefit in

the data industry is its immunity to Electro Magnetic Interference (EMI), and the fact that glass is not an electrical conductor.

Because fibre is non-conductive it can be used where electrical isolation is

needed, for instance, between buildings where copper cables would require cross

bonding to eliminate differences in earth potentials. Fibres also pose no threat in

dangerous environments such as chemical plants where a spark could trigger an

explosion. Last but not least is the security aspect: it is very, very difficult to tap into a fibre cable to read the data signals.

Fibre construction

There are many different types of fibre cable, but for the purposes of this

explanation we will deal with one of the most common types, 62.5/125 micron

loose tube. The numbers represent the diameters of the fibre core and cladding; these are measured in microns, which are millionths of a metre.

Loose tube fibre cable can be indoor or outdoor, or both, the outdoor cables

usually have the tube filled with gel to act as a moisture barrier to the ingress of water. The number of cores in one cable can be anywhere from 4 to 144.

Over the years a variety of core sizes have been produced but these days there

are three main sizes that are used in data communications, these are 50/125,

62.5/125 and 8.3/125. The 50/125 and 62.5/125 micron multi-mode cables are

the most widely used in data networks, although recently the 62.5 has become

the more popular choice. This is rather unfortunate because the 50/125 has been found to be the better option for Gigabit Ethernet applications.

The 8.3/125 micron is a single mode cable which until now hasn't been widely

used in data networking due to the high cost of single mode hardware. Things are

beginning to change because the length limit for Gigabit Ethernet over 62.5/125

fibre has been reduced to around 220m and now using 8.3/125 may be the only

choice for some campus size networks. Hopefully, this shift to single mode may start to bring the costs down.

What's the difference between single-mode and multi-mode? 

With copper cables larger size means less resistance and therefore more current,

but with fibre the opposite is true. To explain this we first need to understand how the light propagates within the fibre core.

Light propagation

Light travels along a fibre cable by a process called 'Total Internal Reflection'

(TIR), this is made possible by using two types of glass which have different

refractive indexes. The inner core has a high refractive index and the outer

cladding has a low index. This is the same principle as the reflection you see

when you look into a pond. The water in the pond has a higher refractive index

than the air and if you look at it from a shallow angle you will see a reflection of 

the surrounding area, however, if you look straight down at the water you can see the bottom of the pond.

At some specific angle between these two view points the light stops reflecting off 

the surface of the water and passes through the air/water interface allowing you

to see the bottom of the pond. In multi-mode fibres, as the name suggests, there

are multiple modes of propagation for the rays of light. These range from low

order modes, which take the most direct route straight down the middle, to high

order modes, which take the longest route as they bounce from one side to the

other all the way down the fibre. This has the effect of scattering the signal

because the rays from one pulse of light arrive at the far end at different times;

this is known as Intermodal Dispersion (sometimes referred to as Differential

Mode Delay, DMD). To ease the problem, graded index fibres were developed.

Unlike the examples above which have a definite barrier between core and

cladding, these have a high refractive index at the centre which gradually reduces

to a low refractive index at the circumference. This slows down the lower order

modes allowing the rays to arrive at the far end closer together, thereby reducing intermodal dispersion and improving the shape of the signal.

So what about the single-mode fibre?

Well, what's the best way to get rid of Intermodal Dispersion? Easy: only allow

one mode of propagation. So a smaller core size means higher bandwidth and greater distances. Simple as that ! :)
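The following is an added example, not part of the original notes: it traces straight-line rays through a step-index multi-mode fibre to show total internal reflection and the arrival-time spread (intermodal dispersion) described above. The refractive indices 1.48 and 1.46 and all function names are assumptions chosen for illustration; graded-index fibre, which the notes also mention, is not modelled.

```python
import math

C = 299_792_458.0   # speed of light in vacuum, m/s
N_CORE = 1.48       # assumed core refractive index (not from the notes)
N_CLAD = 1.46       # assumed cladding refractive index (not from the notes)


def critical_angle_deg(n_core=N_CORE, n_clad=N_CLAD):
    """Smallest angle of incidence (from the core/cladding normal) that
    is still totally reflected back into the core."""
    return math.degrees(math.asin(n_clad / n_core))


def max_guided_angle_deg(n_core=N_CORE, n_clad=N_CLAD):
    """Steepest angle to the fibre axis a ray can have and stay guided."""
    return 90.0 - critical_angle_deg(n_core, n_clad)


def trace_ray(angle_deg, length_m, core_um=62.5,
              n_core=N_CORE, n_clad=N_CLAD):
    """Follow one ray launched at angle_deg to the fibre axis.

    Returns None if the ray hits the cladding too steeply and leaks out,
    otherwise its path length, number of reflections and arrival delay.
    """
    if angle_deg > max_guided_angle_deg(n_core, n_clad) + 1e-9:
        return None  # below the critical angle: no total internal reflection
    phi = math.radians(angle_deg)
    path_m = length_m / math.cos(phi)            # zig-zag path is longer
    bounces = int(length_m * math.tan(phi) / (core_um * 1e-6))
    delay_ns = path_m * n_core / C * 1e9         # light is slower in glass
    return {"path_m": path_m, "bounces": bounces, "delay_ns": delay_ns}


def modal_spread_ns(length_m, n_core=N_CORE, n_clad=N_CLAD):
    """Arrival-time gap between the lowest-order ray (straight down the
    axis) and the highest-order ray that is still guided."""
    fast = trace_ray(0.0, length_m, n_core=n_core, n_clad=n_clad)
    slow = trace_ray(max_guided_angle_deg(n_core, n_clad), length_m,
                     n_core=n_core, n_clad=n_clad)
    return slow["delay_ns"] - fast["delay_ns"]


if __name__ == "__main__":
    print(f"critical angle: {critical_angle_deg():.2f} degrees")
    for angle in (0.0, 5.0, 9.0, 15.0):
        ray = trace_ray(angle, 1.0)
        if ray is None:
            print(f"{angle:5.1f} deg: leaks into the cladding")
        else:
            print(f"{angle:5.1f} deg: {ray['bounces']} reflections per "
                  f"metre, {ray['delay_ns']:.4f} ns")
    for length in (220, 2000):
        print(f"{length} m: pulse smeared over "
              f"{modal_spread_ns(length):.1f} ns")
```

The spread grows in proportion to the cable length, which is why a fibre that allows only one mode of propagation can run further at the same speed.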

Direct Cable Connection  

Introduction 

From the early PC days, Direct Cable Connection (DCC) was the most popular way

to transfer data from one PC to another. Of course, it might seem a bit of an "old fashioned" way to transfer data these days but remember that back then most PCs were running DOS 6.22 or Windows for Workgroups 3.11 if you were lucky !

Today, most computers are equipped with a network card and have an x-over or

hub which will allow you to transfer data a lot faster than a serial or parallel

cable. But still, there is always a time when you require a simple transfer via

serial or parallel and that's what this page is about. 

There is a variety of programs which allow you to use the above mentioned

cables to successfully transfer data between PCs but you should know that you

can achieve your goal without them as well since Windows 95 and above supports

the direct cable connection method.

Installing Windows programs or components to transfer data is out of this

section's scope, but I have included some notes on what you should check before

attempting the Direct Connection via cable, this info is included in the "Important

DCC Info". We will also be learning how to create the cables required to meet our

goals and comparing the speed of the two (Serial and Parallel).

Because the page ended up being quite long, I decided to split it in order to make it easier to read. Simply click on the subject you'd like to read about:

•  Serial Direct Connection

•  Parallel Direct Connection

Serial Direct Cable Connection  

Serial Direct Connection 

The Serial Direct Connection is the one which utilizes the COM ports of your

computers. Every computer has at least 2 COM ports, COM1 and COM2. The

"COM" stands for "Communications". Its pinouts are a lot simpler when compared to the parallel port, but the speed is also a lot slower :)

To give you an idea of how fast (or slow) a serial port is, at its best you will get around 12 to 14 KB per second. That's pretty slow when you're used to a network

connection, but let me show you how serial data is transferred so you can also

understand why it's a lot slower:  

The above picture gives you an idea on how serial data is transferred. Each

coloured block that is numbered is sent from PC 1 to PC 2. PC 2 will receive the

data in the same order it was sent, in other words it will receive data block 1 first

and then 2, all the way to block 7. This is a pretty good representation of data

flow in a serial cable. Serial ports transmit data sequentially over one pair of wires (the rest of the wires are used to control the transfer).

Another way you can think of it is like a one lane road where the road is wide

enough to only fit one car at a time (one data block at a time in our example

above), so you would imagine that the road cannot process several cars at one

time. 

The Serial port  

Most new computers have two COM ports with 9 pins each, these are DB-9 male

connectors. Older computers would have one DB-9 male connector and one DB-25

male connector. The 25 pin male connector is pretty much the same as the 9 pin, it's just bigger.

Let's have a look at a serial port to see what we are talking about: 

Different pinouts are used for the DB-9 and DB-25 connectors and we will have a look at them in a moment. Let's just have another quick look at the COM ports of

a new computer: 

Notice the COM ports, they are both DB-9 connectors, there is no more DB-25 ! The connector above the two blue COM ports is an LPT or Parallel port.

The serial port of a computer is able to run at different speeds, thus allowing us

to connect different devices which communicate at different speeds with the

computer. The following table shows the speeds at which most computers' serial ports are able to run and how many KB/sec they translate to:

Now we will have a look at the pin outs of both DB-9 and DB-25 connectors: 

The Cable  

All that's left now is the pinouts required to allow us to use the serial cable for

direct connection. There is a special term for this type of a cable, it's called a "null

modem" cable, which basically means you need to have TX and RX crossed over.

Because you can have different configurations, e.g. DB-9 to DB-9, DB-9 to DB-25,

and DB-25 to DB-25, I have created different tables to show you the pinouts for each one:

1) DB-9 to DB-9. You use this configuration when you need a cable with a DB-9 connector on each end:

2) DB-9 to DB-25. You use this configuration when you need a cable with one DB-9 and one DB-25 connector on either end: 

3) DB-25 to DB-25. You use this configuration when you need a cable with a DB-25 connector on each end:

Well, that pretty much covers everything about serial direct connection via a null modem cable.

If you're using third party software to connect your computers, you probably

won't stumble into big problems, but if you're using Windows software be sure

you have unique names for each of your computers because Windows will treat

the direct connection as a "network" connection. This means you will be able to

see the other computer via Network Neighborhood. 

What does the parallel port (LPT) look like ?  

The picture below shows a parallel port, also known as LPT port, of a new computer.

With new computers, you will always find the LPT port right above the two COM ports and it's usually colour coded purple. No matter what type of LPT port you

have, they all look the same, it's the electronic characteristics which change

amongst the 4 different types of LPT ports and that's transparent to everyone. All LPT ports are female DB-25 connectors.

So what are the different LPT ports ?  

Before we get stuck into the pinouts of the LPT port, let's have a look at the

different types of LPT ports available. Again, depending on the LPT port, you would expect different speed rates:

Because it might seem a bit confusing at the beginning, I have included a bit more

technical information on the various ports to help you understand more about

them. To keep it simple, I have categorised and colour coded them to show which

ports match the table above: 

4 bit ports  

The port can do 8 bit byte output and 4 bit nibble input. These ports are often

called "unidirectional" and are most commonly found on desktop bus cards (also

called IO expansion cards, serial/parallel cards, or even 2S+P cards) and older laptops. This is still the most common type of port, especially on desktop

systems. 4 bit ports are capable of effective transfer rates of about 40-60 KBytes

per second in typical devices but can be pushed upwards of 140 KBytes/sec with certain design tricks.

8 bit ports  

These ports can do both 8 bit input and output and are sometimes called

"bidirectional ports" but that term is often misused by vendors to refer to 4 bit

ports as well. Most newer laptops have 8 bit capability although it may need to be

enabled with the laptop's vendor-specific CMOS setup function. This is discussed

below. A relatively smaller percentage of LPT bus cards have 8bit capability that

sometimes must be enabled with a hardware jumper on the board itself. True 8

bit ports are preferable to 4 bit ports because they are considerably faster when

used with external devices that take advantage of the 8 bit capability. 8 bit ports

are capable of speeds ranging from 80-300 KBytes per second, again depending

on the speed of the attached device, the quality of the driver software and the port's electrical characteristics.

EPP ports 

Can do both 8bit input and output at ISA bus speeds. These ports are as fast as 8

bit bus cards and can achieve transfer rates upwards of 600 KByte per second.

These ports are usually used by non-printer peripheral devices such as external

CDROMs, tape drives, hard drives, network adaptors and more. 

ECP ports 

Can do both 8 bit input and output at bus speeds. The specification for this port

type was jointly developed by Microsoft and Hewlett-Packard. ECP ports are

distinguished by having DMA capability, on-board FIFOs at least 16 bytes deep, some hardware data compression capability and are generally featured more than

other ports. These ports are as fast as 8 bit bus cards and can achieve transfer

rates upwards of 1 Mbyte per second and faster on PCs whose buses will support

it. The design is capable of faster transfer rates in the future.

Laplink cable is used to link two PCs with MSDOS 6.0 or later very effectively by

using INTERSVR.EXE (on Host) and INTERLNK.EXE (on GUEST) PCs. But it can

also be used to transfer data at a faster speed with the DCC feature of Win9x/Me/2000. Let's now have a quick look at the pinouts of an LPT port:

The Cable  

As explained, there are different LPT ports, but the cable used is the same for all

types of LPT ports. Depending on your computer's BIOS LPT settings you will be able to achieve different transfer speeds as outlined in the table above.

The picture below clearly shows the pin outs of the required cable: 

One wire should be attached to the metal body of the Male pins on both sides; this is also shown as the "metal body" on the diagram.

Now, because I understand how much trouble someone can fall into when trying

to create a cable and get it to work properly, I have included the DirectParallel

Connection Monitor Utility, for all the DCC users to troubleshoot and test DCC

connection and cable on both computers. It provides detailed information about

the connection, the cable being used for the connection, the I/O mode (4-bit, 8-bit, ECP, EPP), the parallel port types, I/O address, and IRQ.

And that pretty much finishes the discussion on Parallel Cable Connections !

USB Direct Cable Connection  

Introduction 

Serial and Parallel Direct Cable Connections are considered to be a bit "old

fashioned" these days. USB Direct Cable Connection (DCC), on the other hand, belongs in the "new fashioned" category :) USB DCC is a few years old, but

because most people would use their network card to transfer data, the DCC

hasn't been very well known for the USB port, but does exist.... and the catch is

that you can't make it, but you must buy it ! But don't be tempted to leave the

page just as yet, there is a lot of information on USB which is always good to know. Keep reading .... :)

Let's have a closer look and see what it's all about ! 

About USB 

USB stands for Universal Serial Bus. Most peripherals for computers these days come in a USB version. The USB port was designed to be very flexible and for this

reason you are able to connect printers, external hard drives, cdroms, joysticks, scanners, digital cameras, modems, hubs and a lot of other cool stuff to it.

The Universal Serial Bus gives you a single, standardized, easy-to-use way to

connect up to 127 devices to a computer. The 127 number is a theoretical

number :) In practice it's a lot less ! The devices you connect can even power

through the USB port of your computer if they draw less than 500mA, which is

half an Ampere (I). A good example is my little Canon scanner, it only has one

cable which is used to power the scanner up and to transfer the data to the computer !

Currently there are 2 versions of the USB port, the initial version which is USB

v1.1 and the newer version USB v2 which has hit the market since the end of 

2001. Most people have computers and devices which use the first version, but all

new computers will now come with USB v2. This new version of the USB port is

backwards compatible with the older version and also a lot faster. 

As mentioned earlier, the USB port can power certain devices and also transfer

data at the same time. For this to happen, the USB port must have at least 4 cables of which 2 are for the power, and 2 for the data.

The diagram is to help you understand what the cable contains:

The USB DCC (Finally :) )

As I mentioned in the introduction of this page, the USB DCC cable cannot be

made, because it requires special electronic circuits built around the cable.

Parallel Technologies manufacture USB DCC cables and they call it the "NET-LinQ":

The USB DCC cable can also be used to connect a computer to your network. The

way it works is pretty simple. Assuming you have Computers A, B, C and D.

Computer A, B and C are connected via an Ethernet LAN and Computer D hasn't

got a network card to connect to the network. Using the NET-LinQ or other similar

cables you can connect Computer D with any of the other 3 computers as long as

they have a USB port, then by configuring the network protocols on Computer D, it will be able to see and connect to the rest of the network !

This completes the discussion about USB Direct Cable Connection.

Network Topologies

Introduction 

Network topologies can take a bit of time to understand when you're all new to

this kind of cool stuff, but it's very important to fully understand them as they are key elements to understanding and troubleshooting networks and will help you decide what actions to take when you're faced with network problems.

I will try to be as simple as possible and give some examples you can relate to, so let's get stuck right into this stuff !

The Stuff :) 

There are two types of topologies: Physical and Logical. The physical topology

of a network refers to the layout of cables, computers and other peripherals. Try

to imagine yourself in a room with a small network, you can see network cables

coming out of every computer that is part of the network, then those cables plug into a hub or switch. What you're looking at is the physical topology of that network!

Logical topology is the method used to pass the information between the

computers. In other words, looking at that same room, if you were to try to see

how the network works with all the computers talking (think of the computers

generating traffic and packets of data going everywhere on the network) you

would be looking at the logical part of the network. The way the computers will be

talking to each other and the direction of the traffic is controlled by the various protocols (like Ethernet) or, if you like, rules.

If we used token ring, then the physical topology would have to change to meet the requirements of the way the token ring protocol works (logically).

If it's all still confusing, consider this: The physical topology describes the layout

of the network, just like a map shows the layout of various roads, and the logical

topology describes how the data is sent across the network or how the cars are

able to travel (the direction and speed) at every road on the map. 

The most common types of physical topologies, which we are going to analyse,

are: Bus, Hub/Star and Ring 

The Physical Bus Topology  

Bus topology is fairly old news and you probably won't be seeing much of these

around in any modern office or home.

With the Bus topology, all workstations are connected directly to the main backbone

that carries the data. Traffic generated by any computer will travel across the

backbone and be received by all workstations. This works well in a small network

of 2-5 computers, but as the numbers of computers increases so will the network

traffic and this can greatly decrease the performance and available bandwidth of your network. 

As you can see in the above example, all computers are attached to a continuous

cable which connects them in a straight line. The arrows clearly indicate that the

packet generated by Node 1 is transmitted to all computers on the network,

regardless of the destination of this packet.

Also, because of the way the electrical signals are transmitted over this cable, its

ends must be terminated by special terminators that work as "shock absorbers",

absorbing the signal so it won't reflect back to where it came from. The value of 

50 Ohms has been selected after carefully taking into consideration all the electrical

characteristics of the cable used, the voltage of the signal which runs through the cables, the maximum and minimum length of the bus and a few more.

If the bus (the long yellow cable) is damaged anywhere in its path, then it will

most certainly cause the network to stop working or, at the very least, cause big communication problems between the workstations.

Thinnet - 10Base2, also known as coax cable (black in colour), and Thicknet - 10Base5 (yellow in colour) are used in this type of topology.

The Physical HUB or STAR Topology  

The Star or Hub topology is one of the most common network topologies found in

most offices and home networks. It has become very popular in contrast to the

bus type (which we just spoke about), because of the cost and the ease of 

troubleshooting.

The advantage of the star topology is that if one computer on the star topology

fails, then only the failed computer is unable to send or receive data. The remainder of the network functions normally.

The disadvantage of using this topology is that because each computer is connected to a central hub or switch, if this device fails, the entire network fails !

A classic example of this type of topology is the UTP (10 base T), which normally

has a blue color. Personally I find it boring, so I decided to go out and get myself green, red and yellow colors :) 

The Physical Ring Topology  

In the ring topology, computers are connected on a single circle of cable. Unlike

the bus topology, there are no terminated ends. The signals travel around the

loop in one direction and pass through each computer, which acts as a repeater

to boost the signal and send it to the next computer. On a larger scale, multiple

LANs can be connected to each other in a ring topology by using Thick net coaxial or fiber-optic cable.

The method by which the data is transmitted around the ring is called token

passing. IBM's token ring uses this method. A token is a special series of bits that

contains control information. Possession of the token allows a network device to transmit data to the network. Each network has only one token.

The Physical Mesh Topology  

In a mesh topology, each computer is connected to every other computer by a

separate cable. This configuration provides redundant paths through the network, so if one computer blows up, you don't lose the network :) On a large

scale, you can connect multiple LANs using mesh topology with leased telephone lines, Thick net coaxial cable or fiber optic cable.

Again, the big advantage of this topology is its backup capabilities by providing multiple paths through the network.

The Physical Hybrid Topology  

With the hybrid topology, two or more topologies are combined to form a

complete network. For example, a hybrid topology could be the combination of a

star and bus topology. These are also the most common in use. 

Star-Bus 

In a star-bus topology, several star topology networks are linked to a bus

connection. In this topology, if a computer fails, it will not affect the rest of the

network. However, if the central component, or hub, that attaches all computers

in a star, fails, then you have big problems since no computer will be able to communicate.

Star-Ring 

In the Star-Ring topology, the computers are connected to a central component

as in a star network. These components, however, are wired to form a ring network.

Like the star-bus topology, if a single computer fails, it will not affect the rest of the network. By using token passing, each computer in a star-ring topology has

an equal chance of communicating. This allows for greater network traffic

between segments than in a star-bus topology. 
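The failure behaviour described for each physical topology can be checked mechanically. The following is an added example, not part of the original notes: it models the bus, star, ring, mesh and star-bus layouts as graphs and reports which single component takes communication away from the remaining computers when it fails. All names are hypothetical, and the ring is assumed to be a simple one-way ring with no bypass around a failed computer.

```python
from itertools import combinations


def links(pairs, one_way=False):
    """Build a directed adjacency map from (a, b) cable links."""
    adj = {}
    for a, b in pairs:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set())
        if not one_way:
            adj[b].add(a)
    return adj


def pcs(n):
    return [f"pc{i}" for i in range(1, n + 1)]


def bus(n):
    # The shared cable is one component: a break anywhere stops the bus.
    return links(("backbone", p) for p in pcs(n))


def star(n):
    return links(("hub", p) for p in pcs(n))


def ring(n):
    # Assumption: signals travel one way and every PC must repeat them.
    p = pcs(n)
    return links(zip(p, p[1:] + p[:1]), one_way=True)


def mesh(n):
    return links(combinations(pcs(n), 2))


def star_bus(stars, per_star):
    pairs = []
    for s in range(1, stars + 1):
        pairs.append(("backbone", f"hub{s}"))
        pairs += [(f"hub{s}", f"pc{s}_{i}") for i in range(1, per_star + 1)]
    return links(pairs)


def reachable(adj, start, failed):
    """Every component 'start' can still send to once 'failed' is down."""
    seen, stack = {start}, [start]
    while stack:
        for nxt in adj[stack.pop()]:
            if nxt != failed and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def surviving_fraction(adj, failed):
    """Share of the remaining PC pairs that can still talk both ways."""
    hosts = [n for n in adj if n.startswith("pc") and n != failed]
    reach = {h: reachable(adj, h, failed) for h in hosts}
    pairs = list(combinations(hosts, 2))
    if not pairs:
        return 1.0
    ok = sum(1 for a, b in pairs if b in reach[a] and a in reach[b])
    return ok / len(pairs)


def single_points_of_failure(adj):
    """Components whose failure cuts off at least one pair of other PCs."""
    return sorted(c for c in adj if surviving_fraction(adj, c) < 1.0)


if __name__ == "__main__":
    layouts = {"bus": bus(4), "star": star(4), "ring": ring(4),
               "mesh": mesh(4), "star-bus": star_bus(2, 2)}
    for name, adj in layouts.items():
        print(f"{name:9s} single points of failure: "
              f"{single_points_of_failure(adj) or 'none'}")
```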

Data Transmission  

Introduction 

Routable protocols enable the transmission of data between computers in

different segments of a network. However, high volumes of certain kinds of 

network traffic can affect network efficiency because they slow down transmission

speed. The amount of network traffic generated varies with the 3 types of data transmissions:

•  Broadcast

•  Multicast

•  Unicast

We are going to have a look at each one of these data transmissions because it's

very important to know the type of traffic they generate, what they are used for

and why they exist on the network. 

Before we proceed, please note that understanding the OSI Model (especially

Layer 2 and 3), Ethernet and the way a packet is structured is fundamental to understanding a broadcast, multicast or unicast.

Media Access Control - MAC Addresses  

Introduction 

Media Access Control (MAC) addresses are talked about in various sections on the

site, such as the OSI-Layer 2, Multicast, Broadcast and Unicast. We are going to

analyse them in depth here so we can get a firm understanding of them since they are part of the fundamentals of networking.

MAC addresses are physical addresses, unlike IP addresses which are logical

addresses. Logical addresses require you to load special drivers and protocols in

order to be able to configure your network card/computer with an IP Address,

whereas a MAC address doesn't require any drivers whatsoever. The reason for

this is that the MAC address is actually "burnt-in" to your network card's memory chipset.

The Reason for MAC  

Each computer on a network needs to be identified in some way. If you're

thinking of IP addresses, then you're correct to some extent, because an IP

address does identify one unique machine on a network, but that is not enough.

Got you mixed up?

Check the diagram and explanation below to see why: 

You see, the IP address of a machine exists on the 3rd Layer of the OSI model

and, when a packet reaches the computer, it will travel from Layer 1 upwards, so

we need to be able to identify the computer before Layer 3. 

This is where the MAC address - Layer 2 comes into the picture. All machines on

a network will listen for packets that have their MAC address in the destination field of the packet (they also listen for broadcasts and other stuff, but that's

analysed in other sections). The Physical Layer understands the electrical signals

on the network and creates the frame which gets passed to the Data link layer. If 

the packet is destined for the computer then the MAC address in the destination

field of the packet will match, so it will accept it and pass it onto the Layer above

(3) which, in turn, will check the network address of the packet (IP Address), to

make sure it matches with the network address to which the computer has been

configured. 

Looking at a MAC  

Let's now have a look at a MAC address and see what it looks like! I have taken my workstation's MAC address as an example:

When looking at a MAC address, you will always see it in HEX format. It is very rare that a MAC address is represented in Binary format because it is simply too long, as we will see further on.

When a vendor, e.g. Intel, creates network cards, they don't just give them any

MAC address they like, this would create a big confusion in identifying who

created this network card and could possibly result in clashing with another MAC

address from another vendor e.g. D-link, who happened to choose the same MAC

address for one of their network cards ! 

To make sure problems like this are not experienced, the IEEE group split the

MAC address in half, and used the first half to identify the vendor, and the second half is for the vendor to allocate as serial numbers:

The Vendor code is specified by RFC - 1700. You might find a particular vendor having more than just one code; this is because of the wide range of products they might have. They just apply for more, as they need!

Keep in mind that even though the MAC address is "burnt-in" to the network

card's memory, some vendors will allow you to download special programs to

change the second half of the MAC address on the card. This is because the

vendors actually reuse the same MAC addresses for their network cards because

they create so many that they run out of numbers! But at the same time, the

chances of you buying two network cards which have the same MAC address are so small that it's almost impossible!

Let's start talking bits and bytes!

Now that we know what a MAC address looks like, we need to start analysing it. A

MAC address of any network card is always the same length, that is, 6 Bytes long

or 48 Bits long. If you're scratching your head wondering where these figures

came from, then just have a look at the picture below which makes it a bit easier

to understand: 

So that completes the discussion regarding MAC Addresses! I hope you have

understood it all because it's very important so you can expand your knowledge

and truly understand what happens in a network!  

Unicast 

Introduction 

Compared to broadcasts and multicasts, a Unicast is very simple and one of the most common data transmissions in a network.

The Reason for Unicast 

Well it's pretty obvious why they came up with Unicast; imagine trying to send

data between 2 computers on a network, using broadcasts! All you would get

would be a very slow transfer and possibly a congested network with low bandwidth availability.

Data transfers are almost always Unicast. You have the sender, e.g. a web server, and the receiver, e.g. a workstation. Data is transferred between these two hosts only, whereas a broadcast or a multicast is destined for either everyone or just a group of computers.

In the example above, my workstation sends a request to the Windows 2000 Server. The request is a simple Unicast because it's directed to one machine (the server) and nothing else. You just need to keep in mind that because we are talking about an Ethernet network, the traffic, hence the packets, are seen by all machines (in this case the Linux Server as well) but they will not process them once they see that the destination MAC address in the packets does not match their own and is also not set to FF:FF:FF:FF:FF:FF, which would indicate that the packet is a broadcast.

Data Transmission - Introduction To Multicast 

Introduction 

To understand what we are going to talk about, you must be familiar with how

MAC addresses are structured and how they work. The MAC Addresses page is available to help you learn more about them...

A multicast is similar to a broadcast in the sense that its target is a number of 

machines on a network, but not all. Where a broadcast is directed to all hosts on

the network, a multicast is directed to a group of hosts. The hosts can choose

whether they wish to participate in the multicast group (often done with the

Internet Group Management Protocol), whereas in a broadcast, all hosts are part of the broadcast group whether they like it or not :).

As you are aware, each host on an Ethernet network has a unique MAC address,

so here's the million dollar question: How do you talk to a group of hosts (our

multicast group), where each host has a different MAC address, and at the same

time ensure that the other hosts, which are not part of the multicast group, don't process the information? You will soon know exactly how all this works.

To keep things in perspective and make it easy to understand, we are going to concentrate only on an Ethernet network using the IP protocol, which is what 80-90% of home networks and offices use.

Breaking things down...

In order to explain Multicasting the best I can and to make it easier for you to understand, I decided to break it down into 3 sections:

1) Hardware/Ethernet Multicasting

2) IP Multicasting

3) Mapping IP Multicast to Ethernet Multicast

A typical multicast on an Ethernet network, using the TCP/IP protocol, consists of two parts: Hardware/Ethernet multicast and IP Multicast. Later on I will talk about

Mapping IP Multicast to Ethernet Multicast which is really what happens with multicasting on our Ethernet network using the TCP/IP protocol.

The brief diagram below shows you the relationship between the 3 and how they complete the multicasting model:

Hardware/Ethernet Multicasting

When a computer joins a multicast group, it needs to be able to distinguish

between normal Unicast (which are packets directed to one computer or one MAC

address) and multicasts. With hardware multicasting, the network card is

configured, via its drivers, to watch out for particular MAC addresses (in this case,

multicast MAC addresses) apart from its own. When the network card picks up a

packet which has a destination MAC that matches any of the multicast MAC addresses, it will pass it to the upper layers for further processing.

And this is how they do it: 

Ethernet uses the low-order bit of the high-order octet to distinguish conventional

Unicast addresses from multicast addresses. A Unicast would have this bit set to

ZERO (0), whereas a multicast would be set to ONE (1).

To understand this, we need to analyse the destination MAC address of a Unicast

and multicast packet, so you can see what we are talking about: 

When a normal (Unicast) packet is put on the network by a computer, it contains

the Source and Destination MAC address, found in the 2nd Layer of the OSI

model. The following picture is an example of my workstation (192.168.0.6) sending a packet to my network's gateway (192.168.0.5):

particular host-computer but the MAC address that can be recognised by

computers that are part of the multicast group. I should also note that you will

never find a source address that is a multicast MAC address; the source address

will always be a real one, to identify which computer the packet came from.  

The IEEE group used a special Rule to determine the various MAC addresses that

will be considered for multicasting. This Rule is covered in the last section of this

page, but you don't need to know it now in order to understand Hardware

multicasting. Using this special rule it was determined that MAC address

01:00:5E:00:00:05 will be used for the OSPF protocol, which happens to be a

routing protocol, and then this MAC address also maps to an IP address which is analysed in IP Multicast.

IP Multicast
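The address layout and the unicast/multicast bit described above can be checked in a few lines. This is an added example, not part of the original notes; the workstation address 02:00:00:00:00:06 is constructed, and the function names are illustrative.

```python
import re

BROADCAST = bytes([0xFF] * 6)

def parse_mac(text):
    """Accept 01:00:5E:00:00:05 or 01-00-5E-00-00-05; return the 6 raw bytes."""
    if not re.fullmatch(r"[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}", text):
        raise ValueError(f"not a 6-byte MAC address: {text!r}")
    return bytes(int(octet, 16) for octet in re.split(r"[:-]", text))

def fmt(raw):
    return raw.hex(":").upper()

def split_halves(mac):
    """First half identifies the vendor, second half is the vendor's serial number."""
    return fmt(mac[:3]), fmt(mac[3:])

def to_binary(mac):
    """The 48 bits of the address, one group of 8 per byte."""
    return " ".join(f"{octet:08b}" for octet in mac)

def classify(mac):
    if mac == BROADCAST:
        return "broadcast"
    # Low-order bit of the high-order (first) octet: 0 = unicast, 1 = multicast.
    return "multicast" if mac[0] & 0x01 else "unicast"

def nic_accepts(dst, own, groups=frozenset()):
    """Layer 2 filter: pass a frame up only if the card is listening for dst."""
    kind = classify(dst)
    if kind == "broadcast":
        return True
    if kind == "multicast":
        return dst in groups      # only the groups the driver was told to watch
    return dst == own

OWN = parse_mac("02:00:00:00:00:06")     # constructed workstation address
OSPF = parse_mac("01-00-5E-00-00-05")    # multicast MAC quoted in the text

if __name__ == "__main__":
    for label, dst in [("own", OWN), ("OSPF group", OSPF), ("broadcast", BROADCAST)]:
        print(f"{label:10} {fmt(dst)}  {classify(dst):9}  "
              f"no groups joined: {nic_accepts(dst, OWN)}  "
              f"OSPF group joined: {nic_accepts(dst, OWN, {OSPF})}")
    print(split_halves(OSPF), to_binary(OSPF))
```

A card that has not been told to watch 01:00:5E:00:00:05 drops the frame at Layer 2, so the IP layer never sees it.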

The IP Multicast is the second part of multicasting which combined with the

hardware multicasting, gives us a multicasting model that works for our Ethernet

network. If hardware multicasting fails to work, then the packet will never arrive

at the network layer upon which IP multicasting is based, so the whole model fails.

With IP multicasting the hardware multicasting MAC address is mapped to an IP

Address. Once Layer 2 (Data link) picks the multicast packet from the network

(because it recognises it, as the destination MAC address is a multicast) it will

strip the MAC addresses off and send the rest to the above layer, which is the

Network Layer. At that point, the Network Layer needs to be able to understand

it's dealing with a multicast, so the IP address is set in a way that allows the

computer to see it as a multicast datagram. A host may send multicast

datagrams to a multicast group without being a member.

Multicasts are used a lot between routers so they can discover each other on an

IP network. For example, an Open Shortest Path First (OSPF) router sends a

"hello" packet to other OSPF routers on the network. The OSPF router must send

this "hello" packet to an assigned multicast address, which is 224.0.0.5, and the other routers will respond.

IP Multicast uses Class D IP Addresses: 

Let's have a look at an example so we can understand that a bit better:  

The picture below is a screenshot from my packet sniffer. It shows a multicast packet which was sent from my NetWare server; notice the destination IP address:

The screenshot above shows the packet which was captured; it's simply displaying a quick summary of what was caught. But, when we look on the left we see the above packet in much more detail.

You can clearly see the markings I have put at the bottom which show you that

the destination IP for this packet is IP Address  224.0.0.5. This corresponds to a

multicast IP and therefore is a multicast packet. 

The MAC header also shows a destination MAC address of 01-00-5E-00-00-05

which we analysed in the previous section to show you how this is identified as a

multicast packet at Layer 2 (Data link Layer). 

Some examples of IP multicast addresses: 

224.0.0.0 Base Address (Reserved) [RFC1112,JBP]

224.0.0.1 All Systems on this Subnet [RFC1112,JBP]

224.0.0.2 All Routers on this Subnet [JBP]

224.0.0.3 Unassigned [JBP]

224.0.0.4 DVMRP Routers [RFC1075,JBP]

224.0.0.5 OSPFIGP OSPFIGP All Routers [RFC2328,JXM1]

Remember that these IP Addresses have been assigned by the IEEE ! 

Now all that's left is to explain how the IP multicast and MAC multicast map

between each other... 

Mapping IP Multicast to Ethernet Multicast 

The last part of multicast which combines the Hardware Multicasting and IP

Multicasting is the Mapping between them. There is a rule for the mapping, and this is it:

To map an IP Multicast address to the corresponding Hardware/Ethernet multicast

address, place the low-order 23 bits of the IP multicast address into the low-order

23 bits of the special Ethernet multicast address. The rest of the high-order bits are defined by the IEEE (yellow color in the example).

The above rule basically determines the Hardware MAC address. Let's have a look at a real example to understand this.

We are going to use Multicast IP Address 224.0.0.5 - a multicast for the OSPF

routing protocol. The picture below shows us the analysis of the IP address in binary so we can clearly see all the bits:

It might seem a bit confusing at first, but let's break it down:  

We have an IP Address of 224.0.0.5; this is then converted into binary so we can

clearly see the mapping of the 23 bits to the MAC address of the computer. The

MAC Address part which is in yellow has been defined by the IEEE group. So the

yellow and pink line make the one MAC Address as shown in binary mode, then we convert it from binary to hex and that's about it!

NOTE: You should keep in mind that multicast routers should not forward any multicast datagram with a destination address in the range 224.0.0.0 to 224.0.0.255. The next page (multicasting list) gives a bit more information on this.
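The mapping rule above, worked through in code for 224.0.0.5. This is an added example, not part of the original notes, and the function names are illustrative. It also goes one step beyond the text: a Class D address has 28 variable bits and only 23 are copied, so 32 different multicast IP addresses land on the same Ethernet multicast address, which is why the Network Layer still has to check the destination IP.

```python
import ipaddress

ETHERNET_MULTICAST_BASE = 0x01005E000000   # high-order bits fixed: 01:00:5E + a 0 bit
LOW_23_BITS = 0x7FFFFF
NO_FORWARD_RANGE = ipaddress.IPv4Network("224.0.0.0/24")   # 224.0.0.0 - 224.0.0.255

def multicast_ip_to_mac(ip_text):
    """Place the low-order 23 bits of the IP into the low-order 23 bits of the MAC."""
    ip = ipaddress.IPv4Address(ip_text)
    if not ip.is_multicast:
        raise ValueError(f"{ip} is not a Class D (multicast) address")
    mac = ETHERNET_MULTICAST_BASE | (int(ip) & LOW_23_BITS)
    return mac.to_bytes(6, "big").hex(":").upper()

def show_bits(ip_text):
    """32-bit binary form, split as: 9 bits not copied | 23 bits copied."""
    bits = f"{int(ipaddress.IPv4Address(ip_text)):032b}"
    return bits[:9] + "|" + bits[9:]

def ips_sharing_mac(ip_text):
    """Every Class D address whose low 23 bits equal those of ip_text."""
    low = int(ipaddress.IPv4Address(ip_text)) & LOW_23_BITS
    return [str(ipaddress.IPv4Address((0b1110 << 28) | (high << 23) | low))
            for high in range(32)]

def router_may_forward(ip_text):
    """Multicast routers should not forward anything addressed into 224.0.0.0/24."""
    return ipaddress.IPv4Address(ip_text) not in NO_FORWARD_RANGE

if __name__ == "__main__":
    print(show_bits("224.0.0.5"), "->", multicast_ip_to_mac("224.0.0.5"))
    shared = ips_sharing_mac("224.0.0.5")
    print(len(shared), "addresses share that MAC, e.g.", shared[:3])
    print("router forwards 224.0.0.5:", router_may_forward("224.0.0.5"))
```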

Multicast IP List

Introduction 

This page contains all the Multicast IP Addresses and shows what protocol they

are mapped to. Should you ever use a packet sniffer to try and see what's on the network and you capture a packet with a destination IP Address of 224.X.X.X, then simply look up this list and you will know what the purpose of that packet was :)

INTERNET MULTICAST ADDRESSES

Host Extensions for IP Multicasting [RFC1112] specifies the extensions required of a host implementation of the Internet Protocol (IP) to support multicasting. Current addresses are listed below.

The range of addresses between 224.0.0.0 and 224.0.0.255, inclusive, is reserved for the use of routing protocols and other low-level topology discovery or maintenance protocols, such as gateway discovery and group membership reporting. Multicast routers should not forward any multicast datagram with destination addresses in this range, regardless of its TTL.

224.0.0.0 Base Address (Reserved) [RFC1112,JBP]

224.0.0.1 All Systems on this Subnet [RFC1112,JBP]

224.0.0.2 All Routers on this Subnet [JBP]

224.0.0.3 Unassigned [JBP]

224.0.0.4 DVMRP Routers [RFC1075,JBP]

224.0.0.5 OSPFIGP OSPFIGP All Routers [RFC1583,JXM1]

224.0.0.6 OSPFIGP OSPFIGP Designated Routers [RFC1583,JXM1]

224.0.0.7 ST Routers [RFC1190,KS14]

224.0.0.8 ST Hosts [RFC1190,KS14]

224.0.0.9 RIP2 Routers [RFC1723,GSM11]

224.0.0.10 IGRP Routers [Dino Farinacci]

224.0.0.11 Mobile-Agents [Bill Simpson]

224.0.0.12 DHCP Server / Relay Agent [RFC1884]

224.0.0.12 - 224.0.0.255 Unassigned [JBP]

224.0.1.0 VMTP Managers Group [RFC1045,DRC3]

224.0.1.1 NTP Network Time Protocol [RFC1119,DLM1]

224.0.1.2 SGI-Dogfight [AXC]

224.0.1.3 Rwhod [SXD]

224.0.1.4 VNP [DRC3]

224.0.1.5 Artificial Horizons - Aviator [BXF]

224.0.1.6 NSS - Name Service Server [BXS2]

224.0.1.7 AUDIONEWS - Audio News Multicast [MXF2]

224.0.1.8 SUN NIS+ Information Service [CXM3]

224.0.1.9 MTP Multicast Transport Protocol [SXA]

224.0.1.10 IETF-1-LOW-AUDIO [SC3]

224.0.1.11 IETF-1-AUDIO [SC3]

224.0.1.12 IETF-1-VIDEO [SC3]

224.0.1.13 IETF-2-LOW-AUDIO [SC3]

224.0.1.14 IETF-2-AUDIO [SC3]

224.0.1.15 IETF-2-VIDEO [SC3]

224.0.1.16 MUSIC-SERVICE [Guido van Rossum]

224.0.1.17 SEANET-TELEMETRY [Andrew Maffei]

224.0.1.18 SEANET-IMAGE [Andrew Maffei]

224.0.1.19 MLOADD [Braden]

224.0.1.20 any private experiment [JBP]

224.0.1.21 DVMRP on MOSPF [John Moy]

224.0.1.22 SVRLOC [Veizades]

224.0.1.23 XINGTV <[email protected]>

224.0.1.24 microsoft-ds <[email protected]>

224.0.1.25 nbc-pro <[email protected]>

224.0.1.26 nbc-pfn <[email protected]>

224.0.1.27 lmsc-calren-1 [Uang]

224.0.1.28 lmsc-calren-2 [Uang]

224.0.1.29 lmsc-calren-3 [Uang]

224.0.1.30 lmsc-calren-4 [Uang]

224.0.1.31 ampr-info [Janssen]

224.0.1.32 mtrace [Casner]

224.0.1.33 RSVP-encap-1 [Braden]

224.0.1.34 RSVP-encap-2 [Braden]

224.0.1.35 SVRLOC-DA [Veizades]

224.0.1.36 rln-server [Kean]

224.0.1.37 proshare-mc [Lewis]

224.0.1.38 - 224.0.1.255 Unassigned [JBP]

224.0.2.1 "rwho" Group (BSD) (unofficial) [JBP]

224.0.2.2 SUN RPC PMAPPROC_CALLIT [BXE1]

224.0.3.000-224.0.3.255 RFE Generic Service [DXS3]

224.0.4.000-224.0.4.255 RFE Individual Conferences [DXS3]

224.0.5.000-224.0.5.127 CDPD Groups [Bob Brenner]

224.0.5.128-224.0.5.255 Unassigned [IANA]

224.0.6.000-224.0.6.127 Cornell ISIS Project [Tim Clark]

224.0.6.128-224.0.6.255 Unassigned [IANA]

224.0.7.000-224.0.7.255 Where-Are-You [Simpson]

224.0.8.000-224.0.8.255 INTV [Tynan]

224.0.9.000-224.0.9.255 Internet Railroad [Malamud]

224.1.0.0-224.1.255.255 ST Multicast Groups [RFC1190,KS14]

224.2.0.0-224.2.255.255 Multimedia Conference Calls [SC3]

224.252.0.0-224.255.255.255 DIS transient groups [Joel Snyder]

232.0.0.0-232.255.255.255 VMTP transient groups [RFC1045,DRC3]

These addresses are listed in the Domain Name Service under MCAST.NET and 224.IN-ADDR.ARPA.

Data Transmission - Broadcast 

Introduction 

The term "Broadcast" is used very frequently in the networking world. You will

see it in most networking books and articles, or see it happening on your hub/switch when all the LEDs start flashing at the same time!

If you have been into networking for a while you most probably have come across

the terms "broadcast" and "subnet broadcast". When I first dived into the

networking world, I was constantly confused between the two, because they both

carried the "broadcast" term in them. We will analyse both of them here, to help

you understand exactly what they are and how they are used!

Broadcast

A Broadcast means that the network delivers one copy of a packet to each destination. On bus technologies like Ethernet, broadcast delivery can be accomplished with a single packet transmission. On networks composed of switches with point-to-point connections, software must implement broadcasting by forwarding copies of the packet across individual connections until all switches have received a copy. We will be focusing only on Ethernet broadcasts.

The picture below illustrates a router which has sent a broadcast to all devices on its network:

Normally, when the computers on the network receive a packet, they will first try to match the MAC address of the packet with their own and, if that is successful, they process the packet and hand it to the OSI layer above (Network Layer). If the MAC address is not matched, then the packet is discarded and not processed. However, when they see a MAC address of FF:FF:FF:FF:FF:FF, they will process this packet because they recognise it as a broadcast.

But what does a "broadcast" look like?

Check out the image below, which is taken from my packet sniffer:  

Let's now have a closer look at the above packet:

The image above shows a broadcast packet. You can clearly see that the "MAC destination address" is set to FF:FF:FF:FF:FF:FF. The "Address IP destination" is set to 255.255.255.255; this is the IP broadcast address and ensures that no matter what IP address the receiving computer(s) have, they will not reject the data but process it.

Now you might ask yourself "Why would a workstation want to create a broadcast packet?"

The answer to that lies within the various protocols used on our networks!

Let's take for example Address Resolution Protocol, or ARP. ARP is used to find out which MAC address (effectively, which network card or computer) has a particular IP address bound to it. You will find a detailed example of the whole process in the IP Routing section.

For a network device such as a router to ask "Who has IP address

192.168.0.100? ", it must "shout" it out so it can grab everyone's attention,

which is why it will use a broadcast to make sure everyone listens and processes the packet on the network.

In the example image above, the particular machine was looking for a DHCP

server (notice the "bootps" protocol under the UDP Header - Layer 4, which is

basically DHCP). 

Subnet Broadcast or Direct Broadcast 

A Subnet or Direct broadcast is targeted not to all hosts on a network, but to all

hosts on a subnet. Since a physical network can contain different

subnets/networks, e.g. 192.168.0.0 and 200.200.200.0, the purpose of this special broadcast is to send a message to all the hosts in a particular subnet.

In the example below, Router A sends a subnet broadcast onto the network. Hosts A, B, C and the Server are configured to be part of the 192.168.0.0 network so they will receive and process the data, but Host D is configured with a different IP Address, so it's part of a different network. It will accept the packet because of its broadcast MAC address, but will drop the packet when it reaches its Network Layer, where it will see that this packet was for a different IP network.

It is very similar to the network broadcast we just talked about but varies slightly in the sense that its IP broadcast is not set to 255.255.255.255, but is set to the subnet broadcast address. For example, my home network is a Class C network: 192.168.0.0 with a subnet mask of 255.255.255.0 or, if you like to keep it simple: 192.168.0.0/24.

This means that the available valid hosts for this network are from 192.168.0.1 to 192.168.0.254. In this Class C network, as in every other network, there are 2 addresses which I can't use. The first one is reserved to identify the network (192.168.0.0) and the second one for the subnet broadcast (192.168.0.255).

The above packet, captured from my packet sniffer, shows my workstation broadcasting to the subnet 192.168.0.0. From the broadcast address you can tell that I am using a full Class C network range, otherwise the Destination IP wouldn't be 192.168.0.255.

The Packet decoder on the right shows you the contents of each header from the above packet.

Looking at the MAC Header (Data link Layer), the destination MAC address is set to FF:FF:FF:FF:FF:FF and the IP Header (Network Layer) has the Destination IP set to 192.168.0.255 which is, as I said, the Subnet Broadcast Address. Again, all computers on the network which are part of the 192.168.0.0 subnet will process this packet; the rest will drop the packet once they see it's for a network to which they do not belong.

In this example, I double clicked at my "Network Places" and was searching for a computer; this forced my workstation to send out a Subnet Broadcast on the network asking if a particular computer existed on the network.
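The two-stage decision described in the Broadcast and Subnet Broadcast sections (accept at Layer 2 because of the broadcast MAC, then accept or drop at Layer 3 depending on the destination IP) can be modelled directly. This is an added example, not part of the original notes; the host numbers and MAC addresses are constructed, and only the networks 192.168.0.0 and 200.200.200.0 come from the text.

```python
import ipaddress

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")

def subnet_summary(cidr):
    """Return (network address, first host, last host, subnet broadcast)."""
    net = ipaddress.IPv4Network(cidr)
    return tuple(str(a) for a in
                 (net.network_address, net[1], net[-2], net.broadcast_address))

class Host:
    def __init__(self, name, mac, cidr):
        self.name = name
        self.mac = mac.lower()
        self.iface = ipaddress.IPv4Interface(cidr)   # address plus subnet mask

    def receive(self, dst_mac, dst_ip):
        # Layer 2: own MAC or the broadcast MAC, otherwise the frame is ignored.
        if dst_mac.lower() not in (self.mac, BROADCAST_MAC):
            return "dropped at layer 2"
        # Layer 3: own IP, 255.255.255.255, or the broadcast of the host's own subnet.
        dst = ipaddress.IPv4Address(dst_ip)
        subnet_broadcast = self.iface.network.broadcast_address
        if dst in (self.iface.ip, LIMITED_BROADCAST, subnet_broadcast):
            return "processed"
        return "dropped at layer 3"

# Constructed hosts on the two networks named in the text.
HOST_A = Host("Host A", "02:00:00:00:00:0a", "192.168.0.10/24")
HOST_D = Host("Host D", "02:00:00:00:00:0d", "200.200.200.10/24")
# Same address as Host A but with a /26 mask, so its subnet broadcast is .63, not .255.
HOST_A26 = Host("Host A (/26)", "02:00:00:00:00:0a", "192.168.0.10/26")

if __name__ == "__main__":
    print(subnet_summary("192.168.0.0/24"))
    for dst_ip in ("192.168.0.255", "255.255.255.255"):
        for host in (HOST_A, HOST_D, HOST_A26):
            print(f"{dst_ip:16} -> {host.name:13} {host.receive(BROADCAST_MAC, dst_ip)}")
```

The /26 host shows why the broadcast address reveals the mask in use: 192.168.0.255 is only a subnet broadcast for a host that treats 192.168.0.0 as a full /24.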

Controlling Broadcasts and Unicasts  

The first step in controlling broadcast and multicast traffic is to identify which

devices are involved in a broadcast or multicast storm. The following protocols

can send broadcast or multicast packets:

•  Address Resolution Protocol (ARP)

•  Open Shortest Path First (OSPF)

•  IP Routing Information Protocol Version 1 (RIP1)

•  Service Advertising Protocol (SAP)

•  IPX Routing Information Protocol (RIP)

•  NetWare Link Services Protocol (NLSP)

•  AppleTalk Address Resolution Protocol (AARP)

After identifying the source of the broadcast or multicast storm, you must examine the packets to find out which protocol or application triggered the broadcast or multicast storm. For example, if a single device is responsible for a broadcast storm, you can examine the device's broadcast traffic to determine exactly what the device was doing. For example, you can find out what the device was looking for or what the device was announcing.

Broadcast or multicast storms are often caused by a fault that occurs during the device discovery process. For example, if an IPX-based printing environment has been misconfigured, a print driver client may continually send SAP packets to locate a specific print server. Unanswered broadcast or multicast requests usually indicate that a device is missing or has been misconfigured.

Examine the broadcast traffic on your company's network. Do you see numerous unanswered, repeat queries? Do you see protocols (such as IP RIP1, SAP, and IPX RIP) that just "blab" all day even when no other devices may be listening?

Or, is the majority of the broadcast and multicast traffic on your company's

network purposeful? That is, does the broadcast and multicast traffic have a

request-reply communication pattern? For example, are broadcast lookups answered?

Do broadcast packets contain meaningful information? For example, if a network

has numerous routers, do broadcast packets contain routing update information?

Is the broadcast rate acceptable? Does your company's network need RIP

updates every 30 seconds, or can you increase the interval to one minute?
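The triage steps above (find which devices send the broadcast and multicast traffic, which protocols are involved, and which lookups go unanswered) can be run over a capture summary. This is an added example, not part of the original notes; the frame list is constructed sample data in an assumed (source MAC, destination MAC, protocol, detail) layout, and the function names are illustrative.

```python
from collections import Counter

# Constructed capture summary: (source MAC, destination MAC, protocol, detail).
FRAMES = [
    ("02:00:00:00:00:06", "ff:ff:ff:ff:ff:ff", "ARP", "who-has 192.168.0.5"),
    ("02:00:00:00:00:05", "02:00:00:00:00:06", "ARP", "reply 192.168.0.5"),
    ("02:00:00:00:00:05", "01:00:5e:00:00:05", "OSPF", "hello"),
    ("02:00:00:00:00:06", "02:00:00:00:00:05", "TCP", "data"),
] + [
    # One device asking again and again for an address nobody answers for.
    ("02:00:00:00:00:09", "ff:ff:ff:ff:ff:ff", "ARP", "who-has 192.168.0.100"),
] * 6

def is_group(dst_mac):
    """True for broadcast and multicast destinations (low bit of the first octet)."""
    return bool(int(dst_mac[:2], 16) & 1)

def group_talkers(frames):
    """Step 1: which devices are sending the broadcast/multicast frames."""
    return Counter(src for src, dst, _, _ in frames if is_group(dst))

def protocol_mix(frames):
    """Step 2: which protocols make up that traffic."""
    return Counter(proto for _, dst, proto, _ in frames if is_group(dst))

def unanswered_arp(frames, min_repeats=3):
    """Step 3: repeated ARP lookups that never received a reply."""
    asked, answered = Counter(), set()
    for _, _, proto, detail in frames:
        if proto != "ARP":
            continue
        verb, ip = detail.split()
        if verb == "who-has":
            asked[ip] += 1
        elif verb == "reply":
            answered.add(ip)
    return {ip: count for ip, count in asked.items()
            if ip not in answered and count >= min_repeats}

if __name__ == "__main__":
    print("top talkers:   ", group_talkers(FRAMES).most_common(3))
    print("protocol mix:  ", dict(protocol_mix(FRAMES)))
    print("unanswered ARP:", unanswered_arp(FRAMES))
```

In this sample the lookup for 192.168.0.5 follows the request-reply pattern, while the repeated lookup for 192.168.0.100 points at a missing or misconfigured device.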

BROADCAST/MULTICAST DOMAINS

If your company's network is experiencing excessive broadcast or multicast traffic, you should also check the scope of the broadcast or multicast domain. (A broadcast or multicast domain is the range of devices that are affected by a broadcast or a multicast packet.) Understanding broadcast and multicast domains can help you determine how harmful a broadcast storm can be from any point on the network.

The scope of a broadcast and multicast domain depends, to some degree, on the

network design. For example, the picture below shows two networks, a switched network and a routed network:

On a switched network, Device 1 sends a broadcast or multicast packet that is propagated to all ports of the switch. (A typical layer-2 switch does not filter either broadcast or multicast traffic.)

On a routed network, however, a router does not forward broadcast traffic. If Device 1 sends a broadcast packet, only Device 2 and the router see the broadcast packet. If appropriate, the router processes the broadcast packet and sends a reply. Because the broadcast packet is not forwarded, it does not affect Devices 3 or 4.

Protocols 

Introduction - Definition 

In the networking and communications area, a protocol is the formal specification that defines the procedures that must be followed when transmitting or receiving data. Protocols define the format, timing, sequence, and error checking used on the network.

In plain English, the above means that if you have 2 or more devices, e.g. computers, which want to communicate, then they need a common "Protocol", which is a set of rules that guide the computers on how and when to talk to each other.

The way this "definition" happens in computer land is by the RFCs (Requests For Comments), where the IETF (a group of engineers with no life) make up the new standards and protocols and then the major vendors (IBM, Cisco, Microsoft, Novell) follow these standards and implement them in their products to make more money and try to take over this world!

There are hundreds of protocols out there and it is impossible to list them all here, but instead we have included some of the most popular protocols around so you can read up on them and learn more about them.

The table below shows the most popular TCP/IP protocols. The OSI model is there for you to see which layer each of these protocols works at.

One thing which you should keep in mind is that as you move from the lower

layers (Physical) to the upper layers (Applications), more processing time is

needed by the device that's dealing with the protocol. 

Please note: All routing protocols can be found under the "Networking/Routing" menu option.

[Table: TCP/IP Protocol Stack and the OSI Model]

Currently available protocols to read about are:

•  TCP
•  UDP
•  ICMP
•  DNS
•  FTP
•  TFTP
•  Ethernet
•  Internet Protocol (IP)
•  RIP
•  OSPF

Transmission Control Protocol - TCP  

Some common protocols which use TCP are: FTP, Telnet, HTTP, HTTPS, DNS, SMTP and POP3. When people refer to "TCP/IP" remember that they are talking about a suite of protocols and not just one (as most people think). TCP/IP is NOT one protocol. Please see the Protocols section for more information.

The Transmission Control Protocol (TCP) is defined by IETF RFC 793.

TCP - Transmission Control Protocol

So TCP is one of the two protocols used at the Transport layer, so what exactly does this "TCP" do? Well, as the name suggests, it's used to transport (move) data from one host to another. What makes TCP so popular is the way it works in order to send and receive data. Unlike UDP, TCP will check for errors in every packet it receives to avoid data corruption. Let's have a close look at the main characteristics of this wonderful protocol.

Reliable Transport

It's a reliable transport because of the different techniques it uses to ensure that the data received is error free. TCP is a robust protocol used for file transfers where data error is no option. When you decide to download a 3MB file from a website, you wouldn't want to find out after the download has finished that the file has errors! Even though, in reality, this does happen, it just shows that you can't be perfect in some things *8-)

The picture below shows us the TCP header within a data packet. This is to show you the different fields a TCP header contains:

Connection Oriented

What this basically means is that a connection is established between the two hosts (computers) before any data is transferred, and when I say "connection is established" I mean that both computers know about each other and have agreed on the exchange of data. This is where the famous 3-way handshake happens. You will find the SYN and ACK bits in the TCP header diagram above; they are marked in RED (the Code Bits field, which is 6 bits long). Thanks to this field, TCP is connection oriented.

The following diagram explains the basic function of the 3-way handshake: 

STEP 1: Host A sends a packet to Host B. This packet has the "SYN" bit enabled, and when Host B receives it and reads the packet, it sees the "SYN" bit which has a value of "1" (in binary, this means ON), so it knows that Host A is trying to synchronise with it.

STEP 2: Host B then sends a packet back to Host A and within this packet, the "SYN and ACK" bits are enabled (value = 1). The SYN that Host B sends means 'I want to synchronise with you' and the ACK means 'I acknowledge your previous SYN request'.

STEP 3: So... after all that, Host A sends another packet to Host B and has the "ACK" bit set to 1, which tells Host B 'Yeah, I acknowledge your previous request'.

And after all that, the connection is established (virtual circuit) and the data transfer begins, and should end without any errors!
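The three steps above, checked in code (an added example, not part of the original notes): it reads the Code Bits out of three constructed 20-byte TCP headers and confirms they form SYN, SYN+ACK, ACK. It goes slightly beyond the text by also checking the acknowledgment numbers defined in RFC 793; the ports, sequence numbers and function names are assumptions.

```python
import struct

# The six Code Bits of the TCP header (RFC 793), lowest bit first.
CODE_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
# Ports, sequence number, acknowledgment number, data offset + code bits,
# window, checksum, urgent pointer: 20 bytes in network byte order.
TCP_FMT = "!HHIIHHHH"


def build_header(src_port, dst_port, seq, ack, flags):
    """Build a constructed 20-byte TCP header (no options, checksum left at 0)."""
    bits = sum(CODE_BITS[name] for name in flags)
    return struct.pack(TCP_FMT, src_port, dst_port, seq, ack, (5 << 12) | bits, 8192, 0, 0)


def parse_header(raw):
    """Decode the fields the handshake depends on from a raw TCP header."""
    if len(raw) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    src, dst, seq, ack, off_flags, _win, _csum, _urg = struct.unpack(TCP_FMT, raw[:20])
    bits = off_flags & 0x3F                      # low 6 bits are the Code Bits field
    flags = frozenset(name for name, bit in CODE_BITS.items() if bits & bit)
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack, "flags": flags}


def check_handshake(raw_headers):
    """Return "ESTABLISHED" or a string naming the first step that is wrong."""
    if len(raw_headers) < 3:
        return "incomplete: %d of 3 segments seen" % len(raw_headers)
    step1, step2, step3 = (parse_header(raw) for raw in raw_headers[:3])
    a_to_b = (step1["src_port"], step1["dst_port"])
    b_to_a = (step1["dst_port"], step1["src_port"])

    if step1["flags"] != {"SYN"}:
        return "step 1: expected only SYN"
    if step2["flags"] != {"SYN", "ACK"}:
        return "step 2: expected SYN and ACK"
    if (step2["src_port"], step2["dst_port"]) != b_to_a:
        return "step 2: reply is not from the host that was contacted"
    if step2["ack"] != (step1["seq"] + 1) % 2**32:
        return "step 2: ACK number does not acknowledge Host A's SYN"
    if step3["flags"] != {"ACK"}:
        return "step 3: expected only ACK"
    if (step3["src_port"], step3["dst_port"]) != a_to_b:
        return "step 3: final ACK is not from Host A"
    if step3["ack"] != (step2["seq"] + 1) % 2**32:
        return "step 3: ACK number does not acknowledge Host B's SYN"
    return "ESTABLISHED"


# Constructed exchange: Host A uses port 40000 and initial sequence number 1000,
# Host B uses port 80 and initial sequence number 5000.
GOOD = [
    build_header(40000, 80, 1000, 0, ("SYN",)),
    build_header(80, 40000, 5000, 1001, ("SYN", "ACK")),
    build_header(40000, 80, 1001, 5001, ("ACK",)),
]

if __name__ == "__main__":
    print(check_handshake(GOOD))
```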

Flow Control 

This is how the flow of data is controlled. You see, once the data transfer has started, the flow of data between the two hosts is not constant but varies and sometimes stops for a few seconds when one of the two hosts is busy doing other tasks as well.

For example, if Host B was a webserver from which people could download games, then obviously Host A is not going to be the only computer downloading from this webserver, so Host B must regulate the data flow to every computer downloading from it. This means it might turn around to Host A and tell it to wait for a while until more resources are available because it has another 20 users trying to download at the same time! There is simply too much traffic for a small capacity.

Below is a diagram which will help you understand all this jargon about flow control:

I am quickly going to explain what is happening in the above picture. It is obvious that Host B is sending data to Host A, so with a window size equal to one this means that Host B needs an "ACK" for each data segment it sends to Host A. Once the first data segment is sent, Host A receives it and sends an "ACK 2" to Host B. You might be wondering why "ACK 2" and not just "ACK"? Well, the "ACK 2" tells Host B 'I acknowledge (ACK) the packet you just sent me and I am ready to receive the second (2) segment'. So Host B gets the second data segment ready and sends it off to Host A, expecting an "ACK 3" response from Host A so it can send the third data segment; as the picture shows, it receives the "ACK 3". However, if it received an "ACK 2" again, this would mean something went wrong with the previous transmission and Host B will retransmit the lost segment. We will see how this works in the Acknowledgments section. Let's now try a different Window size to get a better understanding.... Hmmm.. let's say 3! Keep in mind the way the "ACKs" work, otherwise you might find the following example a bit confusing. If you can't understand it, read again the previous example where the Window size was equal to one.

So, explaining what is happening here, we have a window size equal to 3, which means that Host B can send 3 data segments to Host A before expecting an "ACK" back. Host B sends the first 3 segments (Send 1, Send 2 and Send 3), Host A receives them all in good condition and then sends the "ACK 4" to Host B. This means that Host A acknowledged the 3 data segments Host B sent and awaits the next data segments which, in this case, would be 4, 5 and 6.

Acknowledgments 

Reliable data delivery ensures the integrity of a stream of data sent from one machine to the other through a fully functional data link. This guarantees the data won't be duplicated or lost. The method that achieves this is known as positive acknowledgment with retransmission. This technique requires a receiving machine to communicate with the transmitting source by sending an acknowledgment message back to the sender when it receives data. The sender documents each segment it sends and waits for this acknowledgment before sending the next segment. When it sends a segment, the transmitting machine starts a timer and retransmits if it expires before an acknowledgment is returned from the receiving end.

The above figure shows us how the Acknowledgments work. Note that if you carefully study the figure you will see clearly the window size of this transfer, which is equal to 3. At first, Host B sends 3 data segments to Host A and they are received in perfect condition so, based on what we learned 2 minutes ago, Host A sends an "ACK 4" acknowledging the 3 data segments and requesting the next 3 data segments, which will be 4, 5, 6. So Host B sends data segments 4, 5, 6 but 5 gets lost somewhere along the way and Host A doesn't receive it so, after a bit of waiting, it realises that 5 got lost and sends an "ACK 5" to Host B, indicating that it would like data segment 5 retransmitted. Now you see why this method is called "positive acknowledgment with retransmission".

At this point Host B sends data segment 5 and waits for Host A to send an "ACK" so it can continue sending the rest of the data. Host A receives the 5th data segment and sends "ACK 7", which means 'I received the previous data segment, now please send me the next 3'. The next step is not shown on the diagram but it would be Host B sending data segments 7, 8, 9.
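The window-size and acknowledgment walk-throughs above can be replayed in a few lines. This added example (not part of the original notes) follows the notes' simplified model, numbering whole segments where real TCP numbers bytes; `transfer`, `acks` and their parameters are hypothetical names.

```python
def transfer(total_segments, window, lost_once=()):
    """Replay a transfer from Host B (sender) to Host A (receiver).

    Returns a list of events: ("data", n, "arrived" | "lost") and ("ack", n),
    where "ack n" means "everything before n arrived, send n next".
    lost_once holds segment numbers dropped on their first transmission only.
    """
    if window < 1:
        raise ValueError("window must be at least 1")
    to_lose = set(lost_once)
    arrived = set()        # Host A's buffer; may hold segments received out of order
    next_expected = 1      # lowest segment number Host A is still missing
    events = []
    base = 1               # first segment of the current window

    while base <= total_segments:
        last = min(base + window - 1, total_segments)
        outstanding = list(range(base, last + 1))
        while True:
            # Host B sends everything outstanding without waiting in between.
            for segment in outstanding:
                if segment in to_lose:
                    to_lose.discard(segment)
                    events.append(("data", segment, "lost"))
                else:
                    arrived.add(segment)
                    events.append(("data", segment, "arrived"))
            # Host A acknowledges with the number of the next segment it needs.
            while next_expected in arrived:
                next_expected += 1
            events.append(("ack", next_expected))
            if next_expected > last:
                break                      # whole window acknowledged
            # The ACK names a segment inside the window: retransmit only that one.
            outstanding = [next_expected]
        base = next_expected
    return events


def acks(events):
    """Extract just the acknowledgment numbers from an event list."""
    return [event[1] for event in events if event[0] == "ack"]


if __name__ == "__main__":
    # Window of 3 with segment 5 lost once, as in the figure described above.
    for event in transfer(9, 3, lost_once={5}):
        print(*event)
```

Because Host A keeps segment 6 in its buffer while 5 is missing, the acknowledgment after the retransmission jumps straight to 7 and segment 6 is never sent twice.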

More Overhead  

As you can see, all the above discussion means that there is a lot more overhead when using TCP in order to get the data transferred without errors. Everything comes with a downside and this is TCP's. But since everyone has fast connections to the Internet, it really doesn't make that much of a performance impact.

And that completes our discussion on TCP ! 

User Datagram Protocol – UDP

Some common protocols which use UDP are: DNS, TFTP, ARP, RARP and SNMP. When people refer to "TCP/IP" remember that they are talking about a suite of protocols, and not just one (as most people think). TCP/IP is NOT one protocol. Please see the Protocols section for more information.

The User Datagram Protocol (UDP) is defined by IETF RFC 768.

UDP - User Datagram Protocol 

The second protocol used at the Transport layer is UDP. Application developers can use UDP in place of TCP. UDP is the scaled-down economy model and is considered a thin protocol. Like a thin person in a car, a thin protocol doesn't take up a lot of room - or in this case, much bandwidth on a network.

UDP, as mentioned, doesn't offer all the bells and whistles of TCP, but it does a fabulous job of transporting information that doesn't require reliable delivery, and it does so using far fewer network resources.

Unreliable Transport

UDP is considered to be an unreliable transport protocol. When UDP sends segments over a network, it just sends them and forgets about them. It doesn't follow through, check on them, or even allow for an acknowledgment of safe arrival, in other words .... complete abandonment! This does not mean that UDP is ineffective, only that it doesn't handle issues of reliability.

The picture below shows us the UDP header within a data packet. This is to show you the different fields a UDP header contains:

Connection-less Oriented

For those who read about TCP, you would know it is a connection oriented protocol, but UDP isn't. This is because UDP doesn't create a virtual circuit (establish a connection before data transfer), nor does it contact the destination before delivering information to it. No 3-way handshake or anything like that here!

Since UDP assumes that the application will use its own reliability method, it doesn't use any, which obviously makes things transfer faster.

Less Overhead  

The very low overhead, compared to TCP, is a result of the lack of windowing or acknowledgments. This certainly speeds things up but you get an unreliable (in comparison to TCP) service. There really isn't much more to write about UDP so I'll finish here.

Domain Name System (DNS) Introduction  

Introduction 

DNS is a very well known protocol. It is used for resolving host names and domain names to IP addresses. The fact is that when you type www.firewall.cx it is translated into an IP address via special queries that take place from your PC, but I'll explain how that works later on.

Because there is a fair bit of material to cover for the DNS protocol, and I don't want to confuse you with too much information on one page, I have broken it down into 5 sections, each covering a specific part of the protocol.

People who want specific information on the DNS protocol can go straight to the section they need; the rest of us who just want to learn it all can start reading in the order presented:

Section 1: The DNS Protocol. How and why the DNS protocol was born. The page contains a bit of historical information and also compares DNS with the OSI Reference model, where you will see the layers on which DNS works. The Internet DNS hierarchy is also analysed here, giving you the chance to understand how domains on the Internet are structured.

Section 2: The DNS Resolution Process. What really happens when a host requests a DNS resolution. Full analysis of the whole resolution process using a real life example. Understand Name Servers and the role they play in the DNS system.

Section 3: The DNS Query Message Format. This section, along with the next one, gives you the DNS packet format in all its glory. Learn how DNS queries are generated and formatted. See, learn and understand the various fields within the packets as you're taken through a full detailed analysis of the packet structure using the cool 3D diagrams.

Section 4: The DNS Response Message Format. This is the continuation of the section above, dealing with the DNS response that's received. You will learn how the response packet is generated, formatted and sent to the resolver. Again, you're taken through a full detailed analysis of the packet structure using the cool 3D diagrams.

Section 5: The DNS Server (BIND). Based on BIND for Linux, this section is broken into a further 6 pages:

•  Section 5.1: Introduction to the DNS Server. Learn how a DNS server is set up on a Linux machine. Over 85% of DNS servers on the Internet run on Linux and Unix based systems, while Microsoft and Novell DNS servers follow the same structure. DNS Zones and Domains are also covered on this page; this is essential for understanding how DNS Servers work.

•  Section 5.2: The db.DOMAIN file. Complete analysis of the zone data file for a Primary DNS server. See what it contains and understand how it's structured.

•  Section 5.3: The db.ADDR file. Complete analysis of the zone data file for a Primary DNS server. See what it contains and understand how it's structured.

•  Section 5.4: Other common files. Analysing the rest of the files which are common to all DNS servers.

•  Section 5.5: Slave DNS Server. Instructions on setting up a secondary DNS server.

•  Section 5.6: DNS Caching. The key to an efficient DNS server. This is a must for any DNS Administrator. Learn how DNS caching helps improve performance and reduce traffic. Includes analysis of specific parameters within the DNS packet, which helps make DNS caching a reality, and find out how to avoid problems that come with Domain redelegation or website transfers.

As you can see, there's plenty of stuff to cover. But don't despair, because it's all cool stuff! Grab something to drink and let's dive into the DNS waters! You will be amazed at the stuff you'll find :)

The DNS Protocol 

Introduction 

If you ever wondered where DNS came from, this is your chance to find out! The quick summary on DNS's history will also help you understand why DNS servers are run mostly on Linux and Unix-type systems. We then get to see the layers of the OSI Model on which DNS works and, towards the end of the page, you will find out how the Domains (and DNS servers) are structured on the Internet to ensure uptime and effectiveness.

The History  

DNS began in the early days when the Internet was only a small network created by the Department of Defence for research purposes. Host names (simple computer names) of computers were manually entered into a file (called HOSTS) which was located on a central server. Each site/computer that needed to resolve host names had to download this file. But as the number of hosts grew, so did the HOSTS file (Linux, Unix, Windows and NetWare still use such files) until it was far too large for computers to download and it was generating great amounts of traffic! So they thought ... Stuff this .. let's find a better solution ... and in 1984 the Domain Name System was introduced.

The Protocol 

The Domain Name System is a 'hierarchically distributed database', which is a fancy way of saying that its layers are arranged in a definite order and that its data is distributed across a wide range of machines (just like the roots of a tree branch out from the main root).

Most companies today have their own little DNS server to ensure the computers

can find each other without problems. If you're using Windows 2000 and Active

Directory, then you surely are using DNS for the name resolutions of your

computers. Microsoft has created its own version of a "DNS" server, called a

port, something possible depending on the operating system and DNS server you are running.

In the following pages we'll be looking at the actual DNS packet format, where you are able to see exactly the contents of a DNS query, so we won't analyse the packet structure here.

Next we'll take a close look at how the Internet domains and DNS servers are

structured to make sure the model works flawlessly and efficiently !

The Internet Domain Name Server Hierarchy  

This interesting section will help you understand how domain names on the Internet are structured and where DNS servers fit into the picture. When you think about the millions of domain names registered today, you probably think that you have to be superhuman to manage such a structure of DNS servers!

Well, that's not the case. The DNS structure has been designed in such a way that no DNS server needs to know about all possible domains, but only those immediately above and below it.

The picture below shows part of the Internet DNS hierarchical structure: 

Let's explain how it works : 

Internic controls the "root" domain, which includes all the top level domains. These are marked in a green oval for clarity. Within the green oval you have the ROOT DNS servers, which know all about the authoritative DNS servers for the domains immediately below them, e.g. firewall.cx, cisco.com, microsoft.com etc. These ROOT DNS servers can tell you which DNS server takes care of firewall.cx, cisco.com, microsoft.com and the rest.

Each domain, including the ones we are talking about (cisco, firewall, microsoft), has what we call a "Primary DNS" and "Secondary DNS". The Primary DNS is the one that holds all the information about its domain. The Secondary acts as a backup in case the Primary DNS fails. The process in which a Primary DNS server sends its copy to the Secondary DNS server is called Zone Transfer and is covered in the DNS Database section.

Explanation : 

1. You open your web browser and enter www.cisco.com in the address field. At that point, the computer doesn't know the IP address for www.cisco.com, so it sends a DNS query to your ISP's DNS server (It's querying the ISP's DNS because this has been set through the dial-up properties; if you're on a permanent connection then it's set through your network card's TCP/IP properties).

2. Your ISP's DNS server doesn't know the IP for www.cisco.com, so it will ask one of the ROOT DNS servers.

3. The ROOT DNS server checks its database and finds that the Primary DNS for Cisco.com is 198.133.219.25. It replies to your ISP's server with that answer.

4. Your ISP's DNS server now knows where to contact Cisco's DNS server and find out if www.cisco.com exists and its IP. Your ISP's DNS server sends a recursive query to Cisco.com's DNS server and asks for an IP address for www.cisco.com.

5. Cisco's DNS server checks its database and finds an entry for "www.cisco.com". This entry has an IP address of 198.133.219.25. In other words, the webserver is running on the same physical server as the DNS! If it wasn't running on the same server, then it would have a different IP. (Just a note, you can actually make it look like it's on the same physical server, but actually run the web server on a different box. This is achieved by using some neat tricks like port forwarding.)

6. Your ISP's DNS server now knows the IP address for www.cisco.com and sends the result to your computer.

7. Your computer now knows who it needs to contact to get to the website. So it sends an HTTP request directly to Cisco's webserver and downloads the webpage.

I hope you didn't find it too hard to follow. Remember that this query is the most common type. The other type of query (non recursive) follows the same procedure; the difference is that the client does all the running around trying to find the authoritative DNS server for the desired domain. I like to think of it as "self service" :)

DNS Query Message Format  

Introduction 

This section will deal with the analysis of the DNS packets. This will allow us to see the way DNS messages are formatted and the options and variables they contain. To understand a protocol, you must understand the information the protocol carries from one host to another.

Because the DNS message format can vary, depending on the query and the answer, I've broken this analysis into two parts. Part 1 analyses the DNS format of a query, in other words, it shows how the packet looks when we ask a DNS server to resolve a domain. Part 2 analyses the DNS format of an answer, where the DNS server is responding to our query.

I find this method more informative and easy to understand rather than combining the analysis of queries and answers.

DNS Analysis - Host Query  

As mentioned in the previous sections of the DNS Protocol, a DNS query is generated when the client needs to resolve a domain name into an IP Address. This could be the result of entering "www.firewall.cx" in the URL field of your web browser, or simply by launching a program that uses the Internet and therefore generates DNS queries in order to successfully communicate with the host or server it needs.

Now, I've also included a live example (using my packet analyser), so you can compare theory with practice for a better understanding. After this we will have a look at the meaning of each field in the packet, so let's check out what a packet containing a DNS query would look like on our network:

This is the captured packet we are going to deal with. To generate this packet, I typed "ping www.firewall.cx" from my Linux prompt. The command generated this packet, which was put on my network with the destination being a name server in Australia. Notice the destination port, which is set to 53, the port on which DNS works, and the protocol used for the DNS query, which is UDP.

Ethernet II (check Ethernet Frames for more info) is the most common type of frame found on LANs; in fact it probably is the only type you will find on 85% of all networks if you're only running TCP/IP and Windows or Unix-like machines. This particular one contains a DNS section, which could be either a Query or Response. We are assuming a Query, so it can fit nicely in our example.

We are going to take the DNS Section above and analyse its contents, which are already shown in the picture above (right hand side, labeled "Capture") taken from my packet analyser.

Here they are again in a cool 3D diagram: 

From this whole packet, the DNS Query Section is the part we're interested in (analysed shortly); the rest is more or less overhead and information to let the server know a bit more information about our query.

The analysis of each 3D block (field) is shown in the left picture below so you can understand the function of each field, and the DNS Query Section captured by my wonderful packet sniffer is on the right:

All fields in the DNS Query section except the DNS Name field (underlined in red in the picture above) have set lengths. The DNS Name field has no set length because it varies depending on the domain name length, as we are going to see soon.

For example, a query for www.cisco.com will require the DNS Name field to be smaller than a query for support.novell.com, simply because the second domain is longer.

The DNS Name Field  

To prove this I captured a few packets that show different lengths for the domain

names I just mentioned but, because the DNS section in a packet provides no

length field, we need to look one level above, which is the UDP header, in order

to calculate the DNS section length. By subtracting the UDP header length

(always 8 bytes - check UDP page for more information) from the bytes in the

Length field, we are left with the length of the DNS section:

The two examples clearly show that the Length Field in the UDP header varies

depending on the domain we are trying to resolve. The UDP header is 8 bytes in

both examples and all fields in the DNS Section, except for the DNS Name field,

are always 2 bytes. 

The Flags/ Parameters Field 

The Parameter Field (labeled Flags) is one of the most important fields in DNS

because it is responsible for letting the server or client know a lot of important

information about the DNS packet. For example, it contains information as to

whether the DNS packet is a query or response and, in the case of a query, if it

should be a recursive or non-recursive type. This is most important because aswe've already seen, it determines how the query is handled by the server.  

Let's have a closer look at the flags and explain the meaning of each one. I've

marked the bit numbers with black on the left hand side of each flag parameter

so you can see which ones are used during a response. The picture on the right

hand side explains the various bits. You won't see all 16 bits used in a query asthe rest are used during a response or might be reserved: 

As you can see, only bits 1, 2-5, 7, 8 and 12 are used in this query. The rest will

be a combination of reserved bits and bits that are used only in responses. When

you read the DNS response message format page, you will find a similar packet

captured which is a reponse to the above query and the rest of the bits used are

analysed. 

And that just about does it for the DNS Query message format page. Next up is

the DNS Response message format page which I'm sure you will find just as interesting!


DNS Response Message Format  

Introduction 

The previous page dealt with the DNS Query message formats. We analysed them

in great detail and showed how various options are selected by the host using the Flags/Parameters field.

On this page we will see and analyse the responses we get from the generated

queries. These responses, in the case of a recursive query, come directly from the

DNS server to which we sent the query and, in the case of a non-recursive query,

will come from the last DNS server the client contacts in order to get the required

information. 

Lastly, keep in mind that this page is the continuation of the previous page, so

it's important to understand the previous material! If you have any doubts, read the previous section again.

Now that we have all that out of the way... let's grab a few DNS responses and get our hands dirty :)

DNS Analysis - Server Response  

Here is the response (highlighted) to the previous DNS query sent to an

Australian DNS server (139.130.4.4), where I asked for the resolution of www.firewall.cx:  

Something worth paying attention to is the time this query took to come back to

my Linux file server. The time taken, from the moment the packet was sent from the Linux file server, until it received the answer, was only 0.991 seconds!

During this short period of time the packet travelled from Greece to Australia,

reached the DNS server, which sent its queries to other DNS servers until it found

the answer and then generated a DNS response that was sent back to Greece where my home network is!

There are a lot of factors that contribute to this fairly fast response. The transport protocol UDP, which does not require any 3-way handshake, the load of the DNS

server to which I sent the query, the load of DNS servers it then had to ask, the

speed at which all these servers and myself are connected to the Internet and the

general load between the routers that my packet had to travel in order to get to its various destinations!

As you can clearly see, there is a lot happening for just one DNS query and

response. Try to consider what happens when you have 20,000,000 DNS queries

happening at once on the Internet and you have a good idea of how well this protocol and the underlying technology have been designed!

Following is the Ethernet II packet that runs on the local network. The structure is the same, but varies in size, regardless of whether it's a DNS Query or Response:


Now, to make the analysis of the DNS Section easier I have also included the

DNS Query (left hand side) and DNS Response (right hand side). This allows you to compare what we sent and what we received:

By comparing the two packets, you can see that there are fields in the DNS

Response packet (marked with green arrows) that didn't exist in the Query. Let's

see again what each field means and analyse them again as we did in the previous page.

The DNS Section in a response packet is considerably larger and more complex

than that of a query. For this reason we are going to analyse it in parts rather

than all together. The query had only one section that required in-depth analysis

whereas the response has three since the first one is the original query sent. 

Here is the DNS Section of a DNS response in 3D:  


You can clearly see that everything after the light green 3D block labeled "DNS

Query Section" is new. We are going to focus on these 3 new blocks, which are

part of the DNS Response Section, as the rest has been covered in the previous

page. 

DNS Response Section 

The analysis of this section won't be too difficult because the format that is

followed in each 3D block of our DNS Response Section is identical. For this

reason, I have not analysed all 3 3D blocks, but only a few to help you get the idea.

The diagram below shows you the contents of the 3 3D blocks (sections) we are

looking at: Answers Section, Authoritative Name Servers Section and the Additional Records Sections:

What we need to understand is that each one of these three sections has

identical fields. Even though the information they contain might seem a bit

different, the fields are exactly the same and we will see this shortly.

In the picture above, I have only expanded the first part of the Answer section

which is underlined in green so you can compare the fields with the ones

contained in the left hand picture. 


This next picture shows you the expanded version from the first part of the

Answers and Authoritative sections. I have already marked and labeled the fields

to prove to you that they are all identical and vary only in the information they

contain:

If you look carefully you will notice that the Resource Data field is presented first, where according to the analysis of the sections in the picture above (left side), you would expect it last.

The truth is that it is last, but it's presented first just because my packet sniffer likes to make the data more readable and less confusing.

This is also the reason the first line of each part in each section is used to give you a quick summary of the information captured.

For example, looking at line 1, part 1 in the Answers Section (underlined in green), you get a summary of what's to follow: www.firewall.cx, type INET, cname firewall.

This proves that all fields in all of these 3 sections contained in the DNS Response Section are identical, but contain different values/data.

You also might wonder why there are 2 parts in each section.

Could there be more or fewer parts, depending on the domain name, or are there always 2 parts in each section?

The answer is simple and logical, there are as many parts as needed, depending

always on the domain setup. For example, if I had more than two name servers


for the Firewall.cx domain, you would see more than two parts in the Authoritative nameserver section and the other sections.

Our example has only 2 parts per section whereas the one we see below has a lot more:

This DNS Response Section is based on a query generated for the IBM.COM domain:

As you can see, our query for IBM.COM gave us a response which has 4 parts per section!

Again, each part in every section has identical fields, but different data/values.

You might have noticed a pattern here as well. In every DNS Response you will find the same number of parts per section.

For example, the picture on the left shows us 4 parts for the Answers, Authoritative and Additional records sections and this is no coincidence.

The reason this is no coincidence - between the 3 sections (Answers, Authoritative and Additional records) is the Type field and I will explain why.

The Type Field

The Type field determines the type or part of information we require about a

domain. To give you the simplest example, when we have a Type=A, we are given the IP Address of the domain or host (look at Answers section above),

whereas a Type=NS means we are given the Authoritative Name Servers that are

responsible for the domain (look at Authoritative Name Servers section above).

Looking at the picture below, which is from our first example (query for

firewall.cx) we can see exactly how the Type field is responsible for the data we receive about a domain:


The above values the Type field can take are contained within the DNS database,

which is covered next. 

Our discussion on the DNS Response message format is now complete ! 
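The layout covered in these two pages (header with the Flags/Parameters field, the query, then three sections whose parts all share one record format) can be decoded in a short parser. The Python below is an added example, not part of the original notes: the response bytes are constructed, the name-server names and all IP addresses are placeholders, and the flag names follow RFC 1035 rather than the bit numbering in the screenshots.

```python
import socket
import struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME"}

def decode_flags(flags):
    """Split the 16-bit Flags/Parameters field (names as in RFC 1035)."""
    return {
        "response": bool(flags & 0x8000),             # QR: 0 query, 1 response
        "opcode": (flags >> 11) & 0xF,
        "authoritative": bool(flags & 0x0400),        # AA, responses only
        "truncated": bool(flags & 0x0200),            # TC
        "recursion_desired": bool(flags & 0x0100),    # RD, set by the client
        "recursion_available": bool(flags & 0x0080),  # RA, set by the server
        "rcode": flags & 0xF,
    }

def read_name(msg, off):
    """Decode the domain name at off; return (name, offset just after it)."""
    labels, jumps, resume = [], 0, None
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            resume = off + 2 if resume is None else resume
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumps += 1
            if jumps > 32:                            # malformed packets can loop
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if resume is None else resume)
        if length > 63 or off + length > len(msg):
            raise ValueError("bad label length")
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length

def read_record(msg, off):
    """One part of a section: Name, Type, Class, TTL, Data Length, Data."""
    name, off = read_name(msg, off)
    if off + 10 > len(msg):
        raise ValueError("truncated resource record")
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if off + rdlen > len(msg):
        raise ValueError("resource data runs past end of message")
    if rtype == 1 and rdlen == 4:
        data = socket.inet_ntoa(msg[off:off + 4])
    elif rtype in (2, 5):
        data = read_name(msg, off)[0]
    else:
        data = msg[off:off + rdlen].hex()
    return {"name": name, "type": TYPE_NAMES.get(rtype, str(rtype)),
            "class": rclass, "ttl": ttl, "data": data}, off + rdlen

def parse_response(msg, udp_length=None):
    """Parse a DNS message; udp_length is the Length field of the UDP header."""
    if len(msg) < 12 or (udp_length is not None and udp_length - 8 != len(msg)):
        raise ValueError("DNS size must be >= 12 and equal UDP Length minus 8")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    out = {"id": ident, "flags": decode_flags(flags), "questions": []}
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("truncated question")
        out["questions"].append(name)
        off += 4                                      # skip query Type and Class
    for section, count in (("answers", an), ("authority", ns), ("additional", ar)):
        out[section] = []
        for _ in range(count):
            record, off = read_record(msg, off)
            out[section].append(record)
    return out

def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def encode_record(name, rtype, rdata, ttl=3600):
    return name + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def sample_response():
    """Constructed reply for www.firewall.cx; servers and IPs are placeholders."""
    www, domain = b"\xc0\x0c", b"\xc0\x10"   # pointers into the question name
    servers = (("ns1.example.net", "192.0.2.53"), ("ns2.example.net", "192.0.2.54"))
    msg = struct.pack("!6H", 0x1234, 0x8180, 1, 2, 2, 2)
    msg += encode_name("www.firewall.cx") + struct.pack("!HH", 1, 1)
    msg += encode_record(www, 5, domain)                              # CNAME
    msg += encode_record(domain, 1, socket.inet_aton("192.0.2.10"))   # A
    msg += b"".join(encode_record(domain, 2, encode_name(h)) for h, _ in servers)
    msg += b"".join(encode_record(encode_name(h), 1, socket.inet_aton(ip)) for h, ip in servers)
    return msg
```

Every length read from the packet is checked against the real message size before it is used, and compression pointers are followed a bounded number of times, because a response is untrusted input.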

File Transfer Protocol - FTP  

Introduction 

File transfer is among the most frequently used TCP/IP applications and it

accounts for a lot of the network traffic on the Internet. Various standard file

transfer protocols existed even before the Internet was available to everyone and

it was these early versions of the file transfer software that helped create today's

standard known as the File Transfer Protocol (FTP). Most recent specifications of the protocol are listed in RFC 959. 

The Protocol

FTP uses TCP as a transport protocol. This means that FTP inherits TCP's

robustness and is very reliable for transferring files. Chances are if you download

files, you've probably used ftp a few hundred times without realising it ! And if you have a huge warez collection, then make that a couple of thousand times :) 

The picture below shows where FTP stands in contrast to the OSI model. As I

have noted in other sections, it's important to understand the concept of the OSI model, because it will greatly help you understand all this too :)

Now, we mentioned that FTP uses TCP as a transport, but we didn't say which ports it uses! Port numbers 21 and 20 are used for FTP. Port 21 is used to establish the connection between the 2 computers (or hosts) and port 20 to transfer data (via the Data channel).

But there are some instances where port 21 is used for both, establishing a connection and data transfer and I will analyse them shortly.

The best thing you can do to "see" it yourself is to grab a packet sniffer which you will conveniently find in our download section and try to capture a few packets while you're ftp'ing to a site.


Both Ports - 20 and 21 - Active FTP Mode

I have included a screenshot from my workstation which clearly shows the 2 ports used. In the example,

Only Port 21 - Passive FTP Mode  

Now, in the next picture I ftp'ed into my NetWare server here at home and guess what... Only Port 21 was used! Here is the screen shot:


Let me explain why this is happening: 

FTP has two separate modes of operation: Active and Passive. You will use either one depending on whether your PC is behind a firewall.

Active Mode FTP 

Active mode is usually used when there isn't any firewall between you and the

FTP server. In such cases you have a direct connection to the Internet. When you

(the client) try to establish a connection to a FTP server, your workstation

includes a second port number (using the PORT command) that is used when

data is to be exchanged; this is known as the Data Channel.

The FTP server then starts the exchange of data from its own port 20 to whatever

port was designated by your workstation (in the screen shot, my workstation

used port 1086), and because the server initiated the communication, it's not

controlled by the workstation client. This can also potentially allow uninvited data

to arrive at your computer from anywhere posing as a normal FTP transfer. This is one of the reasons Passive FTP is more secure.

Passive Mode FTP 

Using normal or passive FTP, a client begins a session by sending a request to

communicate through TCP port 21, the port that is conventionally assigned for


this use at the FTP server. This communication is known as the Control Channel connection.

At this point, a PASV command is sent instead of a PORT command. Instead of 

specifying a port that the server can send to, the PASV command asks the server

to specify a port it wishes to use for the Data Channel connection. The server

replies on the Control Channel with the port number which the client then uses to

initiate an exchange on the Data Channel. The server will thus always be

responding to client-initiated requests on the Data Channel and the firewall can correlate these.
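What a stateful firewall has to read off the Control Channel in order to correlate the Data Channel, as an added Python example that is not from the original notes: it decodes the PORT argument and the 227 reply to PASV, and flags a PORT command that points somewhere other than the client itself. The IP addresses and the passive-mode port are constructed; 1086 is the workstation port from the screenshot described above.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as used by PORT and by the 227 reply to PASV (RFC 959).
HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")


def parse_hostport(text):
    """Return (IPv4Address, port) where port = p1 * 256 + p2."""
    match = HOSTPORT.search(text)
    if not match:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field found")
    nums = [int(group) for group in match.groups()]
    if max(nums) > 255:
        raise ValueError("every field must fit in one byte")
    return ipaddress.IPv4Address(bytes(nums[:4])), nums[4] * 256 + nums[5]


def data_channel(control_line, client_ip, server_ip):
    """Describe the Data Channel connection that a Control Channel line
    announces, plus anything about it that deserves a second look."""
    client = ipaddress.IPv4Address(client_ip)
    server = ipaddress.IPv4Address(server_ip)
    line = control_line.strip()
    findings = []
    if line.upper().startswith("PORT "):
        # Active mode: the client names an address and port, and the server
        # opens the connection from its own port 20.
        ip, port = parse_hostport(line[5:])
        if ip != client:
            findings.append("PORT address is not the control-connection client")
        if port < 1024:
            findings.append("PORT names a well-known port")
        return {"mode": "active", "initiator": "server",
                "source": (str(server), 20), "destination": (str(ip), port),
                "findings": findings}
    if line.startswith("227"):
        # Passive mode: the server answers PASV with the port it listens on,
        # and the client opens the connection from an ephemeral port.
        ip, port = parse_hostport(line[3:])
        if ip != server:
            findings.append("227 address is not the control-connection server")
        return {"mode": "passive", "initiator": "client",
                "source": (str(client), None), "destination": (str(ip), port),
                "findings": findings}
    raise ValueError("not a PORT command or a 227 reply")


if __name__ == "__main__":
    # Constructed control-channel lines.
    for sample in ("PORT 192,168,0,100,4,62",
                   "227 Entering Passive Mode (192,168,0,1,19,137)",
                   "PORT 10,0,0,7,0,22"):
        print(sample, "->", data_channel(sample, "192.168.0.100", "192.168.0.1"))
```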

It's simple to configure your client FTP program to use either Active or Passive

FTP. For example, in Cute FTP, you can set your program to use Passive FTP by

going to FTP --> Settings --> Options and then selecting the "Firewall" tab:

If you remove the above options, then your workstation will be using (if possible)

Active FTP mode, and I say "if possible" because if you're already behind a firewall,

there is probably no way you will be using Active FTP, so the program will

automatically change to Passive FTP mode. So let's have a look at the process of

a computer establishing an FTP connection with a server:


The above is assuming a direct connection to the FTP server. For simplicity, we are looking at the way the FTP connection is created and not worrying whether it's a Passive or Active FTP connection. Since FTP is using TCP as a transport, you would expect to see the 3-way handshake. Once that is completed and there is a data connection established, the client will send its login name and then password. After the authentication sequence is finished and the user is authenticated to the server, it's allowed access and is ready to leech the site dry :)

Finally, below are the most commonly used FTP commands: 

ABOR: abort previous FTP command 

LIST and NLST: list file and directories 

DELE: delete a file  

RMD: remove a directory 

MKD: create a directory 

PWD: print current working directory (shows you which directory you're in)

PASS: send password 

PORT: request open port number on specific IP address/port number 

QUIT: log off from server 

RETR: retrieve file 

STOR: send or put file 

SYST: identify system type


TYPE: specify type (A for ASCII, I for binary) 

USER: send username  

And that just about completes our analysis of the FTP protocol!

Trivial File Transport Protocol - TFTP  

Introduction 

TFTP is a file transport protocol and its name suggests it's something close to the

FTP protocol (File Transfer Protocol), which is true .. to a degree. TFTP isn't very

popular because it's not really used on the Internet because of its limitations

which we'll explore next. 

The Protocol

TFTP's main difference from FTP is the transport protocol it uses and the lack of any authentication mechanism. Where FTP uses the robust TCP to establish connections and complete the file transfers, TFTP uses UDP which is insecure and has no error checking built in to it (unless they have implemented some type of error checking in the program you are using to transfer files). This also explains why you are more likely to find TFTP in a LAN, rather than a WAN (Wide Area Network) or on the Internet.

The major limitations with TFTP are authentication and directory visibility, meaning you don't get to see the files and directories available at the TFTP server.

As mentioned, TFTP uses UDP as a transport, as opposed to TCP which FTP uses, and works on port 69, you can clearly see that in the cool 3D diagram on the left.

Port 69 is the default port for TFTP, but if you like, you can modify the settings on your TFTP server so it runs on a different port.

Now, to make things a bit clearer I have included a screen shot of my workstation

tftp'ing into a TFTP server which I have set up in my little network.


You can see my workstation (192.168.0.100) contacting the TFTP server

(192.168.0.1) on port 69 (destination port). In this first packet, my workstation is

contacting the server and requesting the file I entered before I connected to the server.

Because you don't get a listing of the files and directories, you must know which

file you want to download ! In the response I received (2nd packet) the server

gets straight into business and starts sending the file. No authentication whatsoever!

Note: The workstation usually won't send back any acknowledgement (because

UDP, which is the transport protocol, by nature, never sends acknowledgements),

but the software developers can incorporate such a feature by forcing the

workstation to send a small packet which the TFTP server is able to pick up as an acknowledgement of the previous data packet it sent to the workstation.

In the example I provide, you can see my workstation sending small packets to

the server after it receives one packet from it. These small acknowledgements

have been added by the software company who created the program I was using for this example.

Below is a screen shot of the program I used to TFTP (TFTP Client) to the server:

Notice how I entered the file I wanted to download (server.exe), and selected

the name which the file will be saved as on my local computer (Local File). If I

didn't provide the Remote File name, I would simply get an error popping up at the

server side, complaining that no such file exists. You can also send files using TFTP, as it's not just for downloading :)


So where is TFTP used ?  

TFTP is used mostly for backing up router configuration files like Cisco and its IOS images. It is also used for diskless booting of PCs where, after the workstation has booted from the network card's ROM, TFTP is used to download the program it needs to load and run from a central server.

Below is a diagram which shows what takes place during a TFTP session: 


In this diagram we are assuming that there is no error checking built into the software running at both ends (client and server).

And that pretty much sums it all up for the TFTP protocol.  

Internet Control Message Protocol - ICMP  

Introduction 

The Internet Control Message Protocol, or ICMP as we will be calling it, is a very

popular protocol and actually part of an Internet Protocol (IP) implementation.

Because IP wasn't designed to be absolutely reliable, ICMP came into the scene to provide feedback on problems which existed in the communication environment.

If I said the word 'Ping' most people who work with networks would recognise that a 'ping' is part of ICMP and in case you didn't know that, now you do :)

ICMP is one of the most useful protocols provided to troubleshoot network

problems like DNS resolutions, routing, connectivity and a lot more. Personally, I

use ICMP a lot, but you need to keep its limits in mind because you might end up spending half a day trying to figure out why you're not getting a 'ping reply'

('echo reply' is the correct term) from, for example, www.firewall.cx when, in

fact, the site's webserver is configured NOT to reply to 'pings' for security reasons! 

Cool Note 

A few years ago there was a program released, which still circulates around the

Internet, called Click (I got my hands on version 1.4). Click was designed to run

on a Windows platform and work against mIRC users. The program would utilise

the different messages available within the ICMP protocol to send special error

messages to mIRC users, making the remote user's program think it had lost connectivity with the IRC server, thus disconnecting them from the server! The


magic is not what the program can do, but how it does it! This is where a true networking guru will be able to identify and fix any network security weakness.

The Protocol 

ICMP is defined in RFC (Request For Comments) 792. Looking at its position in

the OSI model we can see that it's sitting in the Network layer (layer 3) alongside

IP. There are no ports used with ICMP; this is because of where the protocol sits

in the OSI model. Ports are only used for protocols which work at the Session layer and above:

The ICMP protocol uses different 'messages' to identify the purpose of an ICMP packet, for example, an 'echo' (ping) is one type of ICMP message.

I am going to break down the different message descriptions as they have been defined by the RFC792.

There is a lot of information to cover in ICMP so I have broken it down to multiple pages rather than sticking everything into one huge page that would bore you!

Also, I haven't included all the messages which ICMP supports, rather I selected a

few of the more common ones that you're likely to come across. You can always refer to the RFC792 to get the details on all messages.

We will start with a visual example of where the ICMP header and information are put in a packet, to help you understand better what we are dealing with :)

The structure is pretty simple, not a lot involved, but the contents of the ICMP

header will change depending on the message it contains. For example, the

header information for an 'echo' (ping) message (this is the correct term) is different to that of a 'destination unreachable' message, also a function of ICMP.


NOTE: If you were to run a packet sniffer on your LAN and catch a "ping" packet

to see what it looks like, you would get more than I am showing here. There will

be an extra header, the datalink header, which is not shown here because that

header will change (or more likely be removed) as the packet moves from your

LAN to the Internet, but the 2 headers you see in this picture will certainly remain the same until they reach their destination.

So, that now leaves us to analyse a few of the selected ICMP messages ! 

The picture below shows all the ICMP messages. The messages in green are the ones which we cover here.


ICMP - Echo or Echo Reply  

Introduction 

Aaaaa... The famous ping :) 

Analysis  

As mentioned in the previous page, an Echo is simply what most people call a 'ping'. The Echo Reply is the 'ping reply'. ICMP Echos are used mostly for

troubleshooting. When there are 2 hosts which have communication problems, a

few simple ICMP Echo requests will show if the 2 hosts have their TCP/IP stacks

configured correctly and if there are any problems with the routes packets are

taking in order to get to the other side. 

The 'ping' command is very well known, but the results of it are very often

misunderstood and for that reason I have chosen to explain all those other parameters next to the ping reply, but we will have a look at that later on.

Let's have a look at what an ICMP-Echo or Echo Reply packet looks like:


If the above packet was an ICMP Echo (ping), then the Type field takes a value of 8. If it's an ICMP Echo Reply (ping reply) then it would take a value of 1.  

The picture below is a screen shot I took when doing a simple ping from my

workstation: 


Okay, now looking at the screen shot above, you can see I 'pinged'

www.firewall.cx. The first thing my workstation did was to resolve that URL to an

IP address. This was done using DNS. Once the DNS server returned the IP

address of www.firewall.cx, the workstation generated an ICMP packet with the Type field set to 8.

Here is the proof: 


The picture above is a screenshot from my packet sniffer at the same time this

experiment was taking place. The packet displayed is one of the 4 packets which were sent from my workstation to the webserver of firewall.cx.

Notice the ICMP type = 8 Echo field right under the ICMP Header section. This

clearly shows that this packet is being sent from the workstation and not

received. If it was received, it would have been an 'Echo Reply' and have a value of 1.

The next weird thing, if anyone noticed, is the data field. Look at the screen shot

from command prompt above and notice the value there and the value the packet sniffer is showing on the left. One says 32 Bytes, and the other 40 Bytes!

The reason for this is that the packet sniffer is taking into account the ICMP

header fields (ICMP type, code, checksum and identifier), and I'll prove it to you right now.

Look at the top of this page where we analysed the ICMP headers (the 3d

picture), you will notice that the lengths (in Bits) of the various fields are as

follows: 8, 8, 16, 16, 16. These add up to a total of 64 Bits. Now 8 Bits = 1 Byte,

therefore 64 Bits = 8 Bytes. Take the 32 Bytes of data the workstation's command prompt is showing and add 8 Bytes... and you have 40 Bytes in total.

ICMP - Destination Unreachable 

Introduction 

This ICMP message is quite interesting, because it doesn't actually contain one

message, but six! This means that the ICMP Destination unreachable further

breaks down into 6 different messages. 

We will be looking at them all and analysing a few of them to help you get the idea.

To make sure you don't get confused, keep one thing in mind: The ICMP

Destination unreachable is a generic ICMP message, the different code values or

messages which are part of it are there to clarify the type of "Destination


unreachable" message was received. It goes something like this: ICMP Destination <Code value or message> unreachable.

The ICMP - Destination net unreachable message is one which a user would

usually get from the gateway when it doesn't know how to get to a particular network.

The ICMP - Destination host unreachable message is one which a user would

usually get from the remote gateway when the destination host is unreachable. 

If, in the destination host, the IP module cannot deliver the packet because the

indicated protocol module or process port is not active, the destination host may send an ICMP destination protocol / port unreachable message to the source host.

In another case, when a packet received must be fragmented to be forwarded by

a gateway but the "Don't Fragment" flag (DF) is on, the gateway must discard the

packet and send an ICMP destination fragmentation needed and DF set unreachable message to the source host.

These ICMP messages are most useful when trying to troubleshoot a network.

You can check to see if all routers and gateways are configured properly and have

their routing tables updated and synchronised.

Let's look at the packet structure of an ICMP destination unreachable packet:


Please read on as the following example will help you understand all the above. 

The Analysis  

When you open a DOS command prompt and type "ping 200.200.200.200", assuming that your workstation is NOT part of that network, then it would

forward the ICMP Echo request to the gateway that's configured in your TCP/IP

properties. At that point, the gateway should be able to figure out where to forward the ICMP Echo request.

The gateway usually has a "default route" entry, this entry is used when the

gateway doesn't know where the network is. Now, if the gateway has no "default

route" you would get an "ICMP Destination net unreachable" message when you

try to get to a network which the gateway doesn't know about. When you're connected to the Internet via a modem, then your default gateway is the modem.

In order for me to demonstrate this, I set up my network in a way that shouldmake it easy for you to see how everything works. I have provided a lot of pictures hoping to make it as easy as possible to understand. 

I will analyse why and how you get an "ICMP - Destination net unreachable" message.


In the example above, I've set up my workstation to use the Linux server as a default gateway, which has an IP of 192.168.0.5. The Linux server also has a default gateway entry and this is IP: 192.168.0.1 (the Windows 2000 Server). When my workstation attempts to ping (send an ICMP Echo request) to IP 200.200.200.200, it realises it's on a different network, so it sends it to the Linux server, which in turn forwards it to its default gateway (the Win2k server) so it can then be forwarded to the Internet and eventually I should get a ping reply (ICMP Echo reply) if the host exists and has no firewall blocking ICMP echo requests.

Here is the packet which I captured: 


When looking at the decoded section (picture above) you can see in the ICMP header section that the ICMP Type is equal to 8, so this confirms that it's an ICMP Echo (ping). As mentioned earlier, we would expect to receive an ICMP echo reply.

Check out though what happens when I remove the default gateway entry from the Linux server...

Now what I did was to remove the default gateway entry from the Linux server. So when it gets a packet from my workstation, it wouldn't know what to do with it. This is how you get the gateway to generate an "ICMP Destination net unreachable" message and send it back to the source host (my workstation).

Here is a screen shot from the command prompt: 


Let's now take a look at what the packet sniffer caught:

The decoder on the left shows that the Linux server (192.168.0.5) sent back to my workstation (192.168.0.100) an ICMP Destination unreachable message (look at the ICMP type field, right under the ICMP header) but if you also check out the ICMP Code (highlighted field), it's equal to 0, which means "net unreachable". Scrolling right at the top of this page, the first table clearly shows that when the code field has a value of 0, this is indeed a "net unreachable" message.

It is also worth noticing the "Returned IP header" which exists within the ICMP header. This is the IP header of the packet my workstation sent to the Linux server when it attempted to ping 200.200.200.200, and following that is 64 bits (8 bytes) of the original data.

I hope I haven't confused you too much :)
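The decode described above, as an added Python example that is not part of the original notes: it builds the workstation's echo request and the Linux server's "net unreachable" reply as constructed sample bytes, then parses out the type, code, returned IP header and the 64 bits of original data. The ICMP identifier, sequence number and payload are assumed values, and the helper names are hypothetical.

```python
import ipaddress
import struct

# Destination Unreachable (type 3) codes as defined in RFC 792.
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
                 3: "port unreachable", 4: "fragmentation needed and DF set"}

def checksum(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words, inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Build a minimal 20-byte IPv4 header (used only for the constructed sample)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 128, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def icmp(msg_type: int, code: int, rest: bytes) -> bytes:
    """Build an ICMP message: type, code, checksum, then the remaining bytes."""
    body = struct.pack("!BBH", msg_type, code, 0) + rest
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def parse_icmp(msg: bytes) -> dict:
    """Decode type and code; for type 3 also the returned IP header and 8 data bytes."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    msg_type, code = msg[0], msg[1]
    info = {"type": msg_type, "code": code, "checksum_ok": checksum(msg) == 0}
    if msg_type == 3:
        inner = msg[8:]                           # after the 4 unused bytes
        ihl = (inner[0] & 0x0F) * 4 if inner else 0
        if ihl < 20 or len(inner) < ihl + 8:
            raise ValueError("truncated returned IP header or data")
        info["meaning"] = UNREACH_CODES.get(code, "other")
        info["orig_src"] = str(ipaddress.IPv4Address(inner[12:16]))
        info["orig_dst"] = str(ipaddress.IPv4Address(inner[16:20]))
        info["orig_first8"] = inner[ihl:ihl + 8]  # 64 bits of the original data
    return info

# Constructed sample: the workstation's echo request, then the Linux server's reply.
# Identifier 0x0200, sequence 1 and the payload are assumed values.
ECHO = icmp(8, 0, struct.pack("!HH", 0x0200, 1) + b"abcdefgh")
UNREACH = icmp(3, 0, b"\x00" * 4
               + ipv4_header("192.168.0.100", "200.200.200.200", 1, len(ECHO)) + ECHO[:8])
```

Because the returned data begins with the echo request's own ICMP header, a receiver can match the error to the ping that caused it by comparing `orig_dst` and `orig_first8` with what it sent.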


ICMP - Source Quench  

Introduction 

The ICMP - Source quench message is one that can be generated by either a gateway or host. You won't see any such message pop up on your workstation screen unless you're working on a gateway which will output to the screen all ICMP messages it gets. In short, an ICMP - Source quench is generated by a gateway or the destination host and tells the sending end to ease up because it cannot keep up with the speed at which it's receiving the data.

Analysis  

Now let's get a bit more technical: A gateway may discard internet datagrams (or packets) if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network. If a gateway discards a datagram, it may send an ICMP - Source quench message to the internet source host of the datagram.

Let's have a look at the packet structure of the ICMP - Source quench message: 


A destination host may also send an ICMP - Source quench message if datagrams arrive too fast to be processed. The ICMP - Source quench message is a request to the host to cut back the rate at which it is sending traffic to the internet destination. The gateway may send an ICMP - Source quench for every message that it discards. On receipt of an ICMP - Source quench message, the source host should cut back the rate at which it is sending traffic to the specified destination until it no longer receives ICMP - Source quench messages from the gateway. The source host can then gradually increase the rate at which it sends traffic to the destination until it again receives ICMP - Source quench messages.

The gateway or host may also send the ICMP - Source quench message when it approaches its capacity limit rather than waiting until the capacity is exceeded. This means that the data datagram which triggered the ICMP - Source quench message may be delivered.

That pretty much does it for this ICMP message. 

ICMP - Redirect Message 

Introduction 

The ICMP - Redirect message is always sent from a gateway to the host and the example below will illustrate when this is used.

Putting it simply (before we have a look at the example) the ICMP - Redirect message occurs when a host sends a datagram (or packet) to its gateway (destination of this datagram is a different network), which in turn forwards the same datagram to the next gateway (next hop) and this second gateway is on the same network as the host. The second gateway will generate this ICMP message and send it to the host from which the datagram originated.

There are 4 different ICMP - Redirect message types and these are: 

The format of this ICMP message is as follows: ICMP - Redirect (0, 1, 2, 3 or 4)  message. 


Our example:

The gateway (Win2k Server) sends a redirect message (arrow No. 3) to the host in the following situation:

Gateway 1 (the Linux server) receives an Internet datagram (arrow No. 1) from a host on the same network. The gateway checks its routing table and obtains the address of the next gateway (hop) on the route to the datagram's Internet destination network and sends the datagram to it (arrow No. 2).

Now, gateway 2 receives the datagram and, if the host identified by the Internet source address of the datagram (in other words, it checks the source IP of the datagram, which will still be 192.168.0.100), is on the same network, a redirect message (arrow No. 3) is sent to the host. The redirect message advises the host to send its traffic for the Internet network directly to gateway 2 as this is a shorter path to the destination. The gateway then forwards the original datagram's data (arrow No. 1) to its Internet destination (arrow No. 4).

For datagrams (or packets) with the IP source options and the gateway address in the destination address field, a redirect message is not sent even if there is a better route to the ultimate destination than the next address in the source route.

Analysis  

Let's have a look at the structure of an ICMP - Redirect message: