Ethernet addressing
At the data link layer, data frames usually rely on the MAC address for data exchange, which requires global uniqueness just like the public network IP address, so that each host can be identified. So how does the MAC address do this? What is its format?
MAC address, the English full name is Medium Access Control, literally translated as Media Access Control, which is usually fixed on each Ethernet network card (NIC, Network Interface Card). The MAC (hardware) address is 48 bits (6 bytes) long and is in hexadecimal format. The figure below illustrates a 48-bit MAC address and its components.
Example: 00-01-6C-06-A6-29 or 00:01:6C:06:A6:29 An
Organizationally Unique Identifier (OUI) is assigned to a vendor by the IEEE (Institute of Electrical and Electronics Engineers) and it consists of 24 bits. The manufacturer then uses the remaining 24 bits ( EUI, Extended Unique Identifier ) to assign a globally unique global management address to each network card it produces. Generally speaking, large manufacturers will purchase multiple OUIs.
I/G (Individual/Group) bit, if I/G=0, it is the MAC address of a certain device, that is, a unicast address; if I/G=1, it is a multicast address (multicast+broadcast=multicast broadcast).
G/L (Global/Local, also known as U/L bit, where U means Universal) bit, if G/L=0, it is the global management address, assigned by IEEE; if G/L=1, it is the local The management address is the address designated by the network administrator to strengthen their own network management.
For the position of the I/G and G/L bits , there are currently two statements, or two formats.
For data transmission, the data is transmitted bit by bit in each byte, and the next byte is transmitted only after one byte is transmitted.
IEEE 802.3: Ethernet Media Access Control Protocol (CSMA/CD) and physical layer technical specifications.
IEEE 802.4: Token-Bus media access control protocol and physical layer technical specifications.
IEEE 802.5: Token-Ring media access control protocol and physical layer technical specifications.
IEEE 802.6: Metropolitan area network media access control protocol DQDB (Distributed Queue Dual Bus) and physical layer technical specifications.
In the first type , the high bit of each byte comes first, the low bit comes after, the I/G bit and G/L are respectively in the lowest bit and the second lowest bit in the byte, the highest bit is sent first, and it is still the highest bit when it arrives at the opposite end
The second type , the low bit of each byte comes first, the high bit comes after, the I/G bit and G/L are respectively the lowest bit and the second lowest bit in the byte, the lowest bit is sent first, and it is still the lowest bit when it reaches the opposite end
The two seem to be different, but the result is still the same. If you still don't understand, you can draw a picture on the draft paper, it is not difficult to understand.
Because packets are transmitted on the Ethernet line in "Big Endian" byte order (that is, the highest byte is transmitted first, please refer to related documents for byte order), and the bit order is "Little Endian" (that is, the lowest byte is transmitted first). ).
Pay attention to the 47th bit on the figure, this bit indicates whether the MAC address is a globally unique address or a local address, 0 indicates a globally unique address, and 1 indicates a locally unique address. This bit is also called the G/L bit.
For the fixed MAC address on the network device, because it uniquely identifies the device, it can only be a unicast address, that is, the 48th bit of the Source address in the MAC frame can only be 0.
We often say that there are 2 to the 48th power of MAC addresses available for network devices, and these addresses can be as many as assigning an address to every grain of sand on the earth. In fact, this number should be discounted, because although there are so many MAC addresses, but It is really used on the network card and the only one in the world is 2 to the 46th power: the 48th bit must be 0, and the 47th bit must be 0.
This also leads to an interesting phenomenon: just find a PC and observe its network card address. The hexadecimal number of the first byte is generally a multiple of 4; check the OUI assigned by IEEE (http:// standards.ieee.org/develop/regauth/oui/oui.txt ), the hexadecimal number of the first byte is generally a multiple of 4 (the early Ethernet did not have the concept of a local address, so the G/ in the allocated OUI L bit may also be 1), in this case it is not a multiple of 4, but it must be a multiple of 2, because the 48th bit can only be 0.
Regarding the multicast address, there is such a misunderstanding: the first byte of the MAC address must be 0x01 to indicate the multicast address, even the TCP/IP detailed explanation says so (see the first paragraph of 12.4.2 in the Chinese version). IEEE 802.3 has clearly stated that as long as the 48th bit is 1, it means a multicast address, so no matter whether the first byte of the MAC address is 0x01, 0xC1 or 0x33, it means that the MAC address is a multicast address (starting with 0x33 means that IPV6 corresponds to Layer 2 multicast address). The reason for this misunderstanding is that so far, the first byte of most multicast MAC addresses is 0x01 . like:
01-80-C2-00-00-00 (used by STP protocol)
01-80-C2-00-00-01 (used by PAUSE frame of MAC Control)
01-80-C2-00-00-02 (Slow Protocol: 802.3ah OAM/LACP protocol uses this address, this address has a story, how many software will have problems processing this address!)
01-00-5E-xx-xx-xx (the Layer 2 multicast address corresponding to the IP multicast address).
The destination MAC is the Ethernet frame of the multicast MAC address, only the switch will receive it, and ordinary terminal equipment will not receive it.
See http://standards.ieee.org/develop/regauth/grpmac/public.html for a complete list
The reason why most of the multicast addresses start with 01-80-C2 and 01-00-5E is because the protocols using these multicast addresses are under the names of the leading brothers IEEE and IANA, and their OUIs are 00- 80-C2 and 00-00-5E are 01-80-C2 and 01-00-5E. Of course, in addition to the multicast addresses occupied by the leading brother, there are also 01-00-0C- For addresses such as CC-CC-CC, this address is occupied by Cisco, and Cisco's OUI is 00-00-0C.
===========
The data frame that the host network card should receive:
- Destination MAC is own unicast frame
- broadcast frame
- Join the multicast frame corresponding to the multicast
Let the network card not check the receiver address of the packet, and receive all the packets regardless of whether it is its own. This mode is called promiscuous mode.
The network card driver in the Linux system will check the destination mac address of the message after receiving the message, and distinguish broadcast, multicast, and unicast. If it is a unicast message, compare whether the destination mac address of the message is the same as the mac of this network card, and if not, set the message as PACKET_OTHERHOST. In the ip_rcv function, the packets of type PACKET_OTHERHOST are discarded directly. Therefore, in the promiscuous mode, the network card receives a message that is not its own (only the network card) mac, it will only be processed at the link layer, and will not go to the network layer. Detailed analysis can refer to the document: https://segmentfault.com/a/1190000021291692
ifconfig eth1 promisc ------ Enable promiscuous mode
ifconfig eth1 -promisc ------ Disable promiscuous mode
ifconfig eth1 | grep PROMISC ------ Check whether promiscuous mode is enabled
ip link set eth1 promisc on ------ Turn on promiscuous mode
ip link set eth1 promisc off ------ Turn off promiscuous mode
ip link show eth1 | grep PROMISC ------ Check whether promiscuous mode is turned on
Ethernet is carrier sense (CSMA/CD). What's the meaning. In layman's terms, it means "when one person clicks, everyone is listening, and he answers when he clicks, and keeps silent if he doesn't click." It is a broadcast link, shared channel mode.
2. The filtering feature of the network packet, the filtering is divided into two layers, the first is the hardware filter (HW Filter), and the second is the software filter (SW Filter). The rejection of hosts B, C, and D in the figure above refers to hardware filtering. Its filtering and judging condition is whether the MAC address matches. It is aimed at the MAC address and belongs to the second layer of OSI - the processing of the link layer. The judgment condition of software filtering is whether the IP address matches. It belongs to the third layer filtering in the OSI protocol layering. It is precisely because of some differences that would not produce a response in the original, but will produce a response in promiscuous mode. Provides means to detect promiscuous patterns.
The above table is a very classic statistical table of filtering characteristics under Linux, where gr bit refers to group bit, multicast bit. All addresses where the lowest bit of the first byte is 1, such as 01-12-0f-00-00-02. Of course, the broadcast address FF:FF:FF:FF:FF:FF is also a kind of multicast. The last two lines are not answered in normal mode, but are answered in promiscuous mode. So the last two lines can be used to detect promiscuous patterns. The MAC address filled in the specific detection is shown in the table below. Just use the red circle two lines.
The last two lines belong to the multicast address range (00:00:5e:00:00:00 - 00:00:5e:7f:ff:ff), refer to the above table, use FF:FF:FF:FF:FF for the destination address :FE or FF:FF:00:00:00:00 can detect whether promiscuous mode is enabled regardless of whether it is Windows or Linux.
3、最后一步就是构造测试包,目前linux系统好像没有现成的可以构造目的地址的工具,需要自己写程序或使用第三方工具。可以构造一个arp包或者ip包,设置目的mac地址为上表红圈中地址即可。
Some are shown below 内联代码片.
struct pack
{
unsigned char h_dest[ETH_ALEN];//目标mac地址,填写FF:FF:FF:FF:FF:FE
unsigned char h_source[ETH_ALEN];//源mac地址,及发送者本机mac
unsigned short h_proto;//以太网包的类型,0x0806 arp或者 0x0800 ip包
..... //arp 或 ip 包内容
}
There are many reference codes, and it is necessary to send the package. I will not spend a lot of time writing it here. You can also refer to http://ptool.googlecode.com/svn/trunk/