"Network Programming" Data Link Layer Protocol_Ethernet Protocol Learning

The content of the "Preface" article is an explanation of the data link layer Ethernet protocol.

"Attribution Column"Network Programming

"Homepage Link"Personal Homepage

"Author" Mr. Maple Leaf (fy)

1. Introduction to Ethernet Protocol

The Ethernet protocol is the data link layer protocol in the TCP/IP system

The Ethernet protocol is at the data link layer:

Problems solved by the link layer

• The problem solved by the network layer is: sending data from one host across the network to another host, that is, data routing (path selection)
• After the network layer data packets are encapsulated into IP messages, they still have to be delivered downward to the next layer: the data link layer.
• The data link layer then encapsulates the IP message into a data frame, and then sends it to the network by the data link layer. At this time, the so-called "data packets" truly enter the network.
• That is, what runs on the network (network cable) is data frames, not IP packets.
• The IP protocol at the network layer provides decisions for data routing (providing the ability to transmit across networks, which may not be possible if you have the ability), but it is the data link layer (the real thing) that forwards data.
• Forward the data frame to the next-hop host that is directly connected to the current host (two hosts are directly connected, which means that the two hosts belong to the same network segment, so forwarding the data to the next-hop host actually belongs to the category of LAN communication , and this is actually a problem that the link layer needs to solve)

That is, the problem to be solved by the data link layer is:Forward the data frame to the next-hop host directly connected to the current host, that is, to solve the problem between two directly connected hosts. Communication issues

Note: Different protocol layers have different names for data packets. In the transport layer, it is called segment, in the network layer, it is called datagram, and in the link layer, it is called frame.

The essence of cross-network transmission is the result of forwarding by countless subnets (local area networks)

To thoroughly understand cross-network forwarding, we must first understand the principles of packet forwarding in a LAN.

basic concept

• "Ethernet" is not a specific network, but a technical standard: it includes both data link layer content and some physical layer content.
• For example: Ethernet specifies network topology, access control methods, transmission rates, etc.
• For example: the network cable in Ethernet must use twisted pair; the transmission rate is 10M, 100M, 1000M, etc.
• Ethernet is currently the most widely used local area network technology. Alongside Ethernet are token ring networks, wireless LAN, etc.

LAN technology

The communication technologies used by different LANs may be different. There are three common LAN technologies:

• Ethernet: Ethernet is a local area network (LAN) technology and is the most commonly used LAN technology. Ethernet is characterized by high data transfer rates and low cost
• Token Ring: Token Ring is an early LAN technology that uses a mechanism called token passing to control data transmission (only the device holding the token can send data)
• Wireless LAN (WLAN) and Wireless Wide Area Network (WAN) are wireless network technologies. WLAN uses radio waves instead of wired cables to connect devices, allowing devices to access a local area network wirelessly.

MAC address

• Two hosts on the same LAN can communicate directly
• Each host has its own "name": each host has a network card, and each network card has its own address. This address is called a MAC address, which indicates its uniqueness in the LAN (unique to the host)
• The MAC address is 48 bits long and 6 bytes long. It is generally represented by a hexadecimal number plus a colon (for example: 08:00:27:03:fb:19)

Check the MAC address of your host in Linux: Use the ifconfig command to check. ether corresponds to "ether" (but the MAC address on the actual cloud server may not be the real one) MAC address, the MAC address may be simulated by virtual technology)

Ethernet communication principles

All hosts in the Ethernet share a communication channel. When one host in the local area network sends data, all hosts in the local area network can receive the data.

• For example, when host A in the local area network wants to send data to host E, in fact, every host in the local area network can receive the data sent by host A.
• Each host compares its own MAC address with the destination MAC address in the data frame. If it finds that the destination MAC address in the data frame does not match its own MAC address, it directly discards the message without delivering it upward (at the data link layer). throw away)
• Only in the end, only host E will deliver the data sent by host A upwards.

Replenish

• Network packet capture tool (LAN packet capture), it can not only capture the data packets of its own host, but also capture the packets of other hosts in the LAN.
• The principle is: the network card has a mode called promiscuous mode. The network card set to promiscuous mode can receive all data frames passing through it, regardless of whether the data packet belongs to its own host. As long as the data frame is received, it will be delivered directly upwards.

Token Ring Network (Brief Description)

• In a Token Ring network, tokens are passed between nodes in a fixed order. Each node can access the shared resource when it has the token, which is then passed to the next node. When a node completes access to the shared resource, it passes the token to the next node (in order)
• In a token ring network, only the host holding the token can send data (the token is equivalent to a mutex lock)

2. Ethernet frame format (header)

The Ethernet frame format is as follows:

Field explanation:

• The source address and destination address refer to the hardware address of the network card (also called the MAC address), which is 48 bits in length and is solidified when the network card leaves the factory.
• The frame protocol type field has three values, corresponding to IP protocol, ARP protocol and RARP protocol respectively.
• At the end of the frame is the CRC check code

How does a MAC frame separate the header and payload? ?

• Simple and crude: fixed word length
• The frame header and frame trailer of the Ethernet MAC frame are both fixed length (18 bytes). Therefore, when the bottom layer receives a MAC frame, it directly extracts the fixed-length frame header and frame trailer of the MAC frame. At this time, the remaining is the payload

How does a MAC frame decide which upper layer protocol to deliver the payload to? (How to use separately)

• There is a 2-byte type field in the header of the MAC frame. This field is filled with the protocol number. If it is0800, it is delivered to the IP protocol.< a i=2> is delivered to the ARP protocol, is delivered to the RARP protocol08060838
• Therefore, after separating the header and payload, the payload can be delivered to the corresponding upper layer protocol based on this field.

data collision

• Since all hosts in the Ethernet share a communication channel, only one host is allowed to send data at the same time, otherwise the data sent by each host will interfere with each other.
• From a system perspective, the communication channel shared by each host here is a critical resource. This critical resource can only be used by one host at a time.
• In the same LAN, if multiple hosts generate data at the same time (at the same time), the data sent will interfere with each other, causing data collision. The data will become invalid data and can only be discarded.
• Every LAN can be regarded as a collision domain. If there is interference between the data sent by a host and the data sent by other hosts, we call this Two hosts collided in this collision domain

How do you know a data collision has occurred? ?

• It is detected through the collision detection algorithm, and a collision is solved through the collision avoidance algorithm.

• If a collision is detected, the protocol at the data link layer will trigger the policy. The host where the data collided will not send data and will wait for a while before sending again.

• The probability of data collision is relatively low. If there are too many hosts in the LAN or too much data is sent, collisions will easily occur.

A LAN cannot be very large, why? ?

• If the LAN is too large, it means there are many hosts, and the probability of collision at any time increases.

If a local area network is too large, a device called a switch must be introduced. The switch works at the data link layer.

• One of the functions of a switch is isolation. The switch can identify local collisions and does not forward the collision data.
• For example, a data collision occurs between host A and host D. The switch recognizes the data collision and does not forward the colliding data to the network on the right. The probability of collision on the network on the right is reduced to a certain extent.
• The switch effectively divides the collision domain (divides the collision domain)

When a host sends data, is it better to send a larger amount of data or a shorter amount? ?

• If the amount of data is long, collisions are likely to occur, and if the amount of data is short, the efficiency will be low.
• Therefore, the data frame sent must have a certain range size, neither too large nor too small.
• In the Ethernet protocol, there are regulations on the payload size of sent data. The minimum payload is 46 bytes and the maximum is 1500 bytes.
• If the amount of data sent is less than 46 bytes, padding bits need to be added after the data. More than 1500 bytes cannot be sent.

Maximum transmission unit MTU

The maximum payload sent is 1500 bytes, 1500 bytes is the MTU

• Maximum transmission unit (Maximum Transmission Unit，MTU) refers to the size of the largest payload that the data link layer can transmit in network communications. The size of the MTU is usually specified by the network device or network protocol, and it limits the amount of data that can be transferred at one time
• The default size of MTU is generally 1500 bytes. The MTU of different data link layer standards is different.
• If the data to be sent at one time exceeds the MTU, the data needs to be fragmented at the IP layer

Use the ifconfig command under Linux

3. The impact of MTU on upper-layer protocols

The impact of MTU on IP protocol

• Due to the MTU limitation of the data link layer, larger IP data packets need to be fragmented.
• Sharding has already been discussed in the IP protocol, so I won’t go into details again.

The impact of MTU on UDP protocol

• If the IP header does not carry the option field, the length of the IP header is 20 bytes, while UDP uses a fixed-length 8-byte header.
• So if the data carried by UDP at one time exceeds 1500 − 20 − 8 = 1472 bytes, the data needs to be fragmented at the IP layer
• So this means that if the UDP datagram is fragmented at the network layer, the probability of the entire data being lost greatly increases.

The impact of MTU on the TCP protocol

For TCP, fragmentation will also increase the probability of TCP packet loss, but unlike UDP, TCP needs to be retransmitted after packet loss, so TCP should try to reduce data retransmission caused by fragmentation.

• A TCP datagram cannot be infinitely large, and is still subject to MTU.
• The maximum message length of a single datagram for TCP, calledMSS（Max Segment Size）
• During the process of establishing a TCP connection, both communicating parties will conduct MSS negotiation.
• Ideally, the MSS value is exactly the maximum length at which IP will not be fragmented (this length is still subject to the MTU of the data link layer)
• When both parties send SYN, they will write the MSS value they can support in the TCP header.
• Then after both parties learn the other party's MSS value, they choose the smaller one as the final MSS.
• The value of MSS is in the 40-byte variable length option of the TCP header.

The relationship between MSS and MTU is as follows:

• Assume that if the IP header does not carry the option field, the length of the IP header is 20 bytes; if the TCP header does not carry the option field, the length of the IP header is 20 bytes
• That is, the maximum payload of TCP 1500-20-20 = 1460 bytes, that is, the maximum value of MSS

4. ARP protocol

4.1 The role of ARP protocol

ARP (Address Resolution Protocol) is a protocol that obtains a MAC address based on an IP address. ARP is a protocol between the data link layer and the network layer

For example:

• For example, data is forwarded from host B to host C through various routes.
• Every two connected nodes belong to the same subnet, but if you want to send data to another node, you must know the other party's MAC address.
• However, each node only knows the IP address of the next directly connected node, so each host must obtain the MAC address of the next host in some way. Only by knowing the MAC address of the other party can it send data to the other party.

In fact, in most cases we only know the IP address of the other party, so we need to use the ARP protocol to obtain the MAC address of the target host based on the IP address.
Note: ARP is not a pure data link layer protocol, but a protocol between the data link layer and the network layer.

Positioning of ARP protocol

Between the data link layer and the network layer

4.2 ARP protocol header

ARP protocol header is as follows:

Field explanation:

• Hardware type: refers to the network type of the link layer, 1 is Ethernet
• Protocol type: refers to the address type to be converted, 0x0800 is the IP address
• Hardware address length: 6 bytes for Ethernet addresses because MAC addresses are 48 bits
• Protocol address length: 4 bytes for IP address because IP address is 32 bits
• op field: 1 indicates ARP request, op field 2 indicates ARP response

It can also be seen from the data format of ARP that ARP is the upper layer protocol of the MAC frame protocol. Since the length of the ARP packet is less than 46 bytes, the ARP packet needs to be filled with an 18-byte padding field when encapsulating it into a MAC frame.

ARP request process

In the same LAN, host A wants to send data to host B (knows the IP address), but host A does not know the MAC address of host B. At this time, host A will trigger an ARP request, broadcast the ARP request to the LAN, and then wait. Host B sends an ARP reply to Host A, and finally learns the MAC address of Host B.

The process of host A constructing an ARP request is as follows:

• Host A constructs an ARP request, so the op field in the ARP request is set to1
• The hardware type field in the ARP request is set to1, indicating Ethernet communication
• The protocol type in the ARP request is set to0800, which means using the IP address of another host to obtain the MAC address of another host
• The hardware address length and protocol address length in the ARP request are set to 6 and 4 bytes respectively, because the length of the MAC address is 48 bits and the length of the IP address is 32 bits.
• The sending Ethernet address and sending IP address in the ARP request correspond to host A's own MAC address and IP address.
• The destination Ethernet address and destination IP address in the ARP request correspond to the MAC address and IP address of host B. However, since host A does not know the MAC address of host B, the binary sequence of the destination Ethernet MAC address is set to all ones. , indicating broadcasting in the LAN

The ARP request is constructed as follows:

After the ARP request is constructed, it needs to be delivered to the Ethernet protocol to encapsulate the MAC frame before it can be sent to the Ethernet.

• When encapsulating the MAC frame header, the Ethernet source MAC address corresponds to the MAC address of host A, and the Ethernet destination MAC address corresponds to the MAC address of host B.
• However, since host A does not know the MAC address of host B, the binary sequence of the Ethernet destination address in the MAC frame header can only be set to all 1s (all hexadecimal F), indicating broadcasting in the LAN.
• encapsulates an ARP request packet, so the frame type field in the MAC frame is set to 0806, which represents ARP request
• Since the length of the ARP request packet is only 28 bytes, which is less than 46 bytes, a 18-byte padding field (PAD) needs to be added to the payload of the MAC frame.

The encapsulated data frame is as follows:

After encapsulating the MAC frame, it can be sent to the LAN.

• Every host in the LAN receives the data frame,Every host unpacks the data frame
• After these hosts recognize that the frame type field in the MAC frame is0806, they know that this is an ARP request or response packet, and then transfer the payload of the MAC frame to Upward delivery to ARP protocol
• The ARP protocol unpacks the ARP request, first checks the OP field, and determines that this is an ARP request.
• Then extract the destination IP address field in the ARP packet and match it with the IP address of your own host. If it does not match, the packet is directly discarded.
• Only hosts with matching IP addresses will build ARP responses.

ARP reply process

Host B constructs an ARP response: (The same places will not be repeated)

• The op field in the ARP response is set to 2, which represents the ARP response
• The source MAC address and source IP address in the ARP response correspond to the MAC address and IP address of host B.
• The destination Ethernet address and destination IP address in the ARP response correspond to the MAC address and IP address of host A (obtained from the ARP request)

The ARP reply construction is completed as follows:

After the ARP response is constructed, it needs to be delivered to the Ethernet protocol to encapsulate the MAC frame before it can be sent to the Ethernet.

• When encapsulating the MAC frame header, the Ethernet source MAC address corresponds to the MAC address of host B, and the Ethernet destination MAC address corresponds to the MAC address of host A.
• encapsulates an ARP reply packet, so the frame type field in the MAC frame is set to 0835, which represents ARP reply
• Since the length of the ARP request packet is only 28 bytes, which is less than 46 bytes, a 18-byte padding field (PAD) needs to be added to the payload of the MAC frame.

The encapsulated data frame is as follows:

After the MAC frame is encapsulated, Host B can send the encapsulated MAC frame to the LAN

• Every host in the LAN can receive this MAC frame at the bottom layer, and only host A delivers the payload of the unpacked MAC frame upward to the ARP protocol.
• After ARP receives this packet, it finds that the op field in the ARP packet is 2, so it determines that this is an ARP reply, and then extracts the source MAC address and source IP address in the ARP packet.
• At this time, host A obtains the MAC address of host B.

ARP cache table

ARP cache table (Address Resolution Protocol Cache Table) is a cache table used to store the mapping relationship between IP addresses and MAC addresses

• When a host needs to communicate with another host, it will first check its own ARP cache table to see if there is a mapping relationship between the IP address and MAC address of the target host.
• If so, use the mapping relationship directly for communication.
• If not, an ARP request broadcast is sent asking other hosts on the LAN to obtain the MAC address of the target host.
• After receiving the ARP request, the target host will send an ARP response and send its IP address and MAC address to the requester. The requester will store this mapping relationship in its own ARP cache table.

In other words, when one host needs to communicate with another host, does not make an ARP request every time, but First go to the ARP cache table to see if there is the MAC address of another host

Notice: The mapping relationship in the ARP cache table has a certain validity period. If the mapping relationship is not used again within the validity period, the system will automatically delete the entry to keep the ARP cache table updated and valid (that is, the ARP cache table will continue to Update, overwrite the old mapping relationship)

To view the ARP cache table in Linux, use the commandarp -a

ARP spoofing

ARP spoofing (ARP spoofing) is a network attack technique, also known as ARP cache poisoning (ARP cache poisoning)

The attacker deceives other hosts on the network by forging ARP responses to map his or her MAC address to the IP addresses of other hosts.

It's roughly as follows:

• The ARP protocol is a protocol that converts IP addresses into MAC addresses and is used when communicating in a local area network. When a host needs to communicate with another host, it sends an ARP request broadcast asking for the MAC address of the target host.
• After receiving the ARP request, the target host will send an ARP response and send its IP address and MAC address to the requester.
• After receiving the ARP request, the target host will send an ARP response and send its IP address and MAC address to the requester.
• In an ARP spoofing attack, the attacker sends a forged ARP response to map his or her MAC address to the IP address of another host.
• In this way, when other hosts need to communicate with the target host, they will send data to the attacker through the mapping relationship in the ARP cache table instead of the real target host.
• Attackers can use this method to conduct malicious behaviors such as data theft and man-in-the-middle attacks.

RARP protocol

• RARP (Reverse Address Resolution Protocol, Reverse Address Resolution Protocol) is a protocol corresponding to ARP
• Contrary to the ARP protocol which resolves IP addresses to MAC addresses, the RARP protocol resolves MAC addresses to IP addresses

--------------------- END ----------------------

「 作者 」 枫叶先生
「 更新 」 2023.10.28
「 声明 」 余之才疏学浅，故所撰文疏漏难免，
          或有谬误或不准确之处，敬请读者批评指正。