EE 610 Part 2: Encapsulation and network utilities Objective: After this experiment, the students should be able to: i. Understand the format of standard frames and packet headers. Overview: The Open Systems Interconnection (OSI) model was developed as a model for a computer communication architecture. It consists of seven protocol layers, each of which receives protocol data units (PDUs) from the layer above (except the application layer), performs its functions, and then adds its own header and passes the new PDUs to the layer below except the physical layer, which will send the packets out as electrical signals, optical waves, or other communication signals. This is the process of encapsulation. However, this seven layer OSI model has not flourished. Instead, the TCP/IP architecture has come to dominate. The TCP/IP protocol stack contains five layers. It is shown in Figure 1 together with the OSI model. The transport layer, consists of two protocols, namely, TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). It provides end-to-end connectivity and transports application-layer messages between two hosts. TCP provides a connection-oriented service which guarantees the delivery of application-layer PDUs to the destination in the order they are sent. It also provides congestion control mechanisms to adjust the transmission rate when the network is congested. UDP, on the other hand provides a connectionless service, which provides no guarantees on the delivery, and the receiver may then receive out-of-order packets. 1
Application Presentation Application Session Transport Transport (TCP, UDP) Network Network (IP) Data Link Network Access Physical Physical OSI Model TCP/IP architecture Figure 1: Correspondence of OSI and TCP/IP models (From W. Stallings, Data and Computer Communication, Prentice Hall, 1997. Fig. 1.11) The network layer uses the Internet protocol (IP) and other routing protocols to determine the route that a datagram (a network layer PDU) takes from source to destination and the need for fragmentation/reassembly. All devices on the Internet that have a network layer must run this IP protocol. IP datagrams may be fragmented if the size of the datagram is greater than the MTUs of one of the links on the path. One of the fundamental concepts of networking is encapsulation. In this experiment, you will be asked to interpret the headers of TCP segments encapsulated in IP datagrams in turn encapsulated in Ethernet frames. You will also have a chance to use some network utilities to get an idea of the performances of the network. 2
Background Materials: The physical layer process of a network device sends on the physical medium a series of bits that will be received by its peer physical layer process and the corresponding layer 2 PDU (also called frame) is sent to the layer 2 which proceeds by getting rid of the bit stuffing and then checking the CRC. We will assume that the frames that you get have gone through both bit un-stuffing and successful CRC checking. We will further assume that these frames are captured on an Ethernet interface so that the frame format is given by: Destination address (6 bytes) Source address (6 bytes) type (2 bytes) Data CRC Figure 2: A sample of Ethernet frame The role of layer 2 is to decide if the data that is present in the payload field of the frame should be sent to the layer 3, and if yes to which layer 3 protocol 1. In general they may be several layer 3 co-existing in a network. The most common one is IP. Question 1: Give several reasons why the data field of an Ethernet frame could be empty. Question 2: What is the Ethernet MTU? What does it mean? IP is defined in RFC 791. A summary of the contents of the IP header is given in Figure 3. The number on the top is the bit number and each row is equivalent to four bytes. You can find the meaning of each field in RFC 791. Figures 4 and 5 give the format of the headers of TCP and UDP. They are defined in RFC 793 and RFC 768 respectively. You can find all the RFCs mentioned on http://www.ietf.org/rfc.html. The numbers on top again represent the bit number and each row is equivalent to four bytes (32-bits). You will also need to refer to the ICMP RFC, namely RFC 792. 1 This is called de-multiplexing and is another fundamental concept of networking. 3
0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 Version IHL Type of Service Total Length Identification Flags Fragment Offset Time to Live Protocol Header Checksum Source Address Destination Address Options Padding Figure 3: Example Internet Datagram Header 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 Source Port Destination Port Sequence Number Acknowledgment Number Data U A P R S F Offset Reserved R C S S Y I Window G K H T N N Checksum Urgent Pointer Options Padding data Figure 4: TCP Header Format 0 7 0 7 0 7 0 7 +--------+--------+--------+--------+ Source Destination Port Port +--------+--------+--------+--------+ Length Checksum +--------+--------+--------+--------+ Figure 5: UDP Header Format 4
Experiment: Protocol Header Analysis In this part of the experiment, all the frames provided will have the following format: 1) Ethernet frame header (14 bytes) 2) IP header 3) Transport layer headers (TCP or UDP) or ICMP header Question 3: Obtain three frames in bytes from the web site. Obviously the frames arrive as a series of bits. We show them to you as a series of bytes for your convenience. Analyze the frames by listing all the information containing in those frames in the format they should look like. For example, you should write an IP address in dot format and header length as an integer number. Any hexadecimal values should be preceded by 0x. Also, color the different parts of the frames to indicate if it contains layer 2, 3, 4 or data. The following is an example: Sample frame: 00 00 0c d9 fa 88 00 00 b4 a0 15 c1 08 00 45 00 00 28 04 04 40 00 80 06 42 a0 80 d3 a0 3c 80 0a 13 14 04 3a 00 15 54 f1 f2 09 d6 7d df 9d 50 10 40 5a b9 e8 00 00 Ethernet header: 00 00 0c d9 fa 88: Ethernet destination address is 00 00 0c d9 fa 88 (unicast). 00 00 b4 a0 15 c1: Ethernet source address: 00 00 b4 a0 15 c1 (unicast). 08 00: The payload type is IP (0x0800). (Note: 0x0806 is ARP) IP header: 45: This is an IP version 4 datagram, 45: The header length is 5x4 = 20 bytes. (There is no options in the IP header). 5
00 (0 0 0 0 0 0 0 0 in binary): This datagram has routine precedence (the lowest). The IP Precedence field is used by some routers to determine which datagram to drop, therefore datagramss with the lowest precedence will be dropped first. (0 0 0 0 0 0 0 0 in binary): the 3 type of service (ToS) bits 0 0 0 Normal delay 0 0 0 Normal throughput 0 0 0 Normal Reliability (0 0 0 0 0 0 0 0 in binary): The last two bits must be zero (for future use). 00 28: Total length of the IP datagram is 40 (0x0028) bytes. 04 04: The identification of this datagram is 0x0404 (for fragmentation purpose). 40 00: (0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0): 1 Don t Fragment flag set 0 More Fragment flag unset The Fragment offset is 0. This means that the datagram cannot be fragmented, and there are no fragments after this datagram. With a fragment offset equals to zero, we know that this is the only fragment of a datagram. 80: Time to live = 128 (0x80), meaning the datagram may exist at most for 128 more hops. 06: The Protocol on top is TCP (0x06) (Note: 0x01 is ICMP and 0x11 is UDP). 42 a0: This is the checksum of the datagram. 80 d3 a0 3c: Source IP address is 128.211.160.60. 80 0a 13 14: Destination IP address is 128.10.19.20. 6
TCP header: 04 3a: The Source port is 1082, which is an arbitrarily port number assigned by the operating system. 00 15: The Destination port is 21, which is the well-known port for FTP. 54 f1 f2 09: The Seq. no. is 1425142281. d6 7d df 9d: The Ack no. is 3598573469. 50: Data offset is 20 (5 x 4) bytes. Meaning the payload of TCP begins after the 20 th byte. This can be viewed as the length of the TCP header. 10 (0 0 0 1 0 0 0 0): Flags: URG 0 ACK 1 PSH 0. RST 0 SYN 0 FIN 0 Only the ACK flag is set, meaning that the value carried in the acknowledgement field is valid. (You should comment on all the flags that are set, i.e., equal to 1.) 40 5a: the receiver window size is 16474 (0x405a) bytes, meaning the receiver of this segment is willing to accept up to 16474 bytes at a time. b9 e8: Checksum of the whole TCP segment. 00 00: Urgent pointer (Not used in this segment). Data: none. Global comment on the given frame: It was a pure TCP ACK (no data). We see a lot of those when we monitor the Internet. There may be data in the frame, you just need to color the data portion and do not need to analyze it. You should try to include as much information about the frame as possible. Do not try to analyze the TCP options (see Figure 4). What To Turn In: 1. Answers for questions 1 to 2. 2. Answers for question 3. Make sure your frame is colored and each field is commented in details. 7