Differences between revisions 12 and 13
Revision 12 as of 2004-10-29 13:49:09
Size: 8292
Editor: StephenFlynn
Comment:
Revision 13 as of 2004-11-01 15:30:43
Size: 8305
Editor: StephenFlynn
Comment: Formatting
Deletions are marked like this. Additions are marked like this.
Line 21: Line 21:
=== MAC address fields ===  === MAC address fields ===
Line 23: Line 23:
An Ethernet host is addressed by its Ethernet MAC address, a 6 byte number usually displayed as: 08:00:08:15:ca:fe (the delimiters vary, so you might see 08-00-08-15-ca-fe or the like). The first three bytes of the address are assigned to a specific vendor, see [http://www.iana.org/assignments/ethernet-numbers Ethernet numbers] at the ["IANA"] and [http://www.cavebear.com/CaveBear/Ethernet/vendor.html Michael A. Patton's list of vendor codes] for assigned vendor codes, and see [http://www.iana.org/assignments/ethernet-numbers Ethernet numbers] and [http://www.cavebear.com/CaveBear/Ethernet/multicast.html Michael A. Patton's list of multicast addresses], for assigned multicast addresses.  An Ethernet host is addressed by its Ethernet MAC address, a 6 byte number usually displayed as: 08:00:08:15:ca:fe (the delimiters vary, so you might see 08-00-08-15-ca-fe or the like). The first three bytes of the address are assigned to a specific vendor, see [http://www.iana.org/assignments/ethernet-numbers Ethernet numbers] at the ["IANA"] and [http://www.cavebear.com/CaveBear/Ethernet/vendor.html Michael A. Patton's list of vendor codes] for assigned vendor codes, and see [http://www.iana.org/assignments/ethernet-numbers Ethernet numbers] and [http://www.cavebear.com/CaveBear/Ethernet/multicast.html Michael A. Patton's list of multicast addresses], for assigned multicast addresses.
Line 25: Line 25:
A destination MAC address of ff:ff:ff:ff:ff:ff indicates a ["Broadcast"], meaning the packet is send from one host to any other on that network.  A destination MAC address of ff:ff:ff:ff:ff:ff indicates a ["Broadcast"], meaning the packet is send from one host to any other on that network.
Line 27: Line 27:
XXX - also describe multicast.  XXX - also describe multicast.
Line 29: Line 29:
=== Type / Length field ===  === Type / Length field ===
Line 31: Line 31:
The original DEC/Intel/Xerox Ethernet specification included a 16-bit type field to indicate what upper layer protocol should be used. Ethernet frames with less than 64 bytes of Ethernet header, user data, and FCS are padded to 64 bytes (which means 60 bytes of Ethernet header and user data), which means that if there's less than 64-(14+4) = 46 bytes of user data in the frame, extra user data is added to the frame. If the upper layer protocol implementation has to know exactly how much user data is in the packet, and expects the length of the Ethernet packet to indicate the amount of user data, it will not behave correctly with padded packets.  The original DEC/Intel/Xerox Ethernet specification included a 16-bit type field to indicate what upper layer protocol should be used. Ethernet frames with less than 64 bytes of Ethernet header, user data, and FCS are padded to 64 bytes (which means 60 bytes of Ethernet header and user data), which means that if there's less than 64-(14+4) = 46 bytes of user data in the frame, extra user data is added to the frame. If the upper layer protocol implementation has to know exactly how much user data is in the packet, and expects the length of the Ethernet packet to indicate the amount of user data, it will not behave correctly with padded packets.
Line 33: Line 33:
When constructing standards for LANs, the IEEE added a new header, the [http://standards.ieee.org/getieee802/802.2.html 802.2] LLC header, to packets in those LANs. It contained a destination "service access point", source "service access point", and packet type field, similar to the packet type field used in HDLC and HDLC-derived protocols such as X.25's LAPB; the destination service access point indicated the service to which the packet should be delivered, where a "service" is implemented as a protocol. (XXX - is the notion of service and protocol formalized in the OSI reference model? If so, we should perhaps have a page for the OSI model and describe that notion, and link to it.) I.e., it indicates the upper layer protocol that should be used.  When constructing standards for LANs, the IEEE added a new header, the [http://standards.ieee.org/getieee802/802.2.html 802.2] LLC header, to packets in those LANs. It contained a destination "service access point", source "service access point", and packet type field, similar to the packet type field used in HDLC and HDLC-derived protocols such as X.25's LAPB; the destination service access point indicated the service to which the packet should be delivered, where a "service" is implemented as a protocol. (XXX - is the notion of service and protocol formalized in the OSI reference model? If so, we should perhaps have a page for the OSI model and describe that notion, and link to it.) I.e., it indicates the upper layer protocol that should be used.
Line 35: Line 35:
This meant that the type field in Ethernet could be used for other purposes, if an 802.2 header appeared at the beginning of the user data, so the IEEE standard for Ethernet, IEEE 802.3, included after the source MAC address a 16-bit field indicating the length of the user data in the packet, for the benefit of protocols that couldn't infer the length of the user data from the length of the packet as received.  This meant that the type field in Ethernet could be used for other purposes, if an 802.2 header appeared at the beginning of the user data, so the IEEE standard for Ethernet, IEEE 802.3, included after the source MAC address a 16-bit field indicating the length of the user data in the packet, for the benefit of protocols that couldn't infer the length of the user data from the length of the packet as received.
Line 37: Line 37:
However, that standard also had to support the traditional use of that field as a type field. Ethernet packets could have no more than 1500 bytes of user data, so the field is interpreted as a length field if it has a value <= 1500 and a type field if it has a value > 1500. (XXX - the maximum length value is slightly smaller than the minimum type value.)  However, that standard also had to support the traditional use of that field as a type field. Ethernet packets could have no more than 1500 bytes of user data, so the field is interpreted as a length field if it has a value <= 1500 and a type field if it has a value > 1500. (XXX - the maximum length value is slightly smaller than the minimum type value.)
Line 39: Line 39:
Therefore, if the type/length field has a value 1500 or lower, it's a length field, and is followed by an 802.2 header, otherwise it's a type field and is followed by the data for the upper layer protocol.  Therefore, if the type/length field has a value 1500 or lower, it's a length field, and is followed by an 802.2 header, otherwise it's a type field and is followed by the data for the upper layer protocol.
Line 41: Line 41:
For a more detailed discussion of this, which mentions a ''third'' possibility used by NetWare, and mentions the SNAP header that can follow the 802.2 header, see [http://www.ee.siue.edu/~bnoble/comp/networks/frametypes.html Ethernet Frame Types: Provan's Definitive Answer], by Don Provan.  For a more detailed discussion of this, which mentions a ''third'' possibility used by NetWare, and mentions the SNAP header that can follow the 802.2 header, see [http://www.ee.siue.edu/~bnoble/comp/networks/frametypes.html Ethernet Frame Types: Provan's Definitive Answer], by Don Provan.
Line 43: Line 43:
Some examples of values in the type/length field:  Some examples of values in the type/length field:
Line 45: Line 45:
 * 0 - 45 invalid
 * 46 - 1500 length field (802.3 + 802.2)
 * 0x0800 IP(v4), Internet Protocol version 4
 * 0x0806 ARP, Address Resolution Protocol
 * 0x8137 IPX, Internet Packet eXchange (Novell)
 * 0x86dd IPv6, Internet Protocol version 6
  * 0 - 45 invalid
  * 46 - 1500 length field (802.3 + 802.2)
  * 0x0800 IP(v4), Internet Protocol version 4
  * 0x0806 ARP, Address Resolution Protocol
  * 0x8137 IPX, Internet Packet eXchange (Novell)
  * 0x86dd IPv6, Internet Protocol version 6
Line 52: Line 52:
See [http://www.iana.org/assignments/ethernet-numbers Ethernet numbers] and [http://www.cavebear.com/CaveBear/Ethernet/type.html Michael A. Patton's list of Ethernet type codes] for a list of assigned Ethernet type codes.  See [http://www.iana.org/assignments/ethernet-numbers Ethernet numbers] and [http://www.cavebear.com/CaveBear/Ethernet/type.html Michael A. Patton's list of Ethernet type codes] for a list of assigned Ethernet type codes.
Line 54: Line 54:
=== Frame Check Sequence (FCS) field ===  === Frame Check Sequence (FCS) field ===
Line 56: Line 56:
Ethernet uses a CyclicRedundancyCheck (CRC) algorithm to detect transmission errors. The FrameCheckSequence field is filled (using a CRC) by the sending host. If the receiving host detects a wrong CRC, it will throw away that packet.  Ethernet uses a CyclicRedundancyCheck (CRC) algorithm to detect transmission errors. The FrameCheckSequence field is filled (using a CRC) by the sending host. If the receiving host detects a wrong CRC, it will throw away that packet.
Line 60: Line 60:
 * See [http://en.wikipedia.org/wiki/Ethernet#History Wikipedia] for a brief history of Ethernet See [http://en.wikipedia.org/wiki/Ethernet#History Wikipedia] for a brief history of Ethernet
Line 64: Line 64:
 * Ethernet is the lowest software layer, so it only depends on hardware. Ethernet is the lowest software layer, so it only depends on hardware.
Line 68: Line 68:
 Small portion of the capture from opening ethereal.com in a web browser. Small portion of the capture from opening ethereal.com in a web browser.
Line 85: Line 85:
 Full capture from above example. Opening www.ethereal.com from the Firefox browser. Full capture from above example. Opening www.ethereal.com from the Firefox browser.
Line 107: Line 107:
 Capture only the Ethernet-based traffic to and from Ethernet MAC address 08:00:08:15:ca:fe: {{{ Capture only the Ethernet-based traffic to and from Ethernet MAC address 08:00:08:15:ca:fe:
 
{{{ 
Line 112: Line 113:
 * A lot of tutorial information about Ethernet can be found at [http://www.ethermanage.com/ethernet/ethernet.html Charles Spurgeon's Ethernet Web Site]. A lot of tutorial information about Ethernet can be found at [http://www.ethermanage.com/ethernet/ethernet.html Charles Spurgeon's Ethernet Web Site].

Ethernet (IEEE 802.3)

Ethernet is the most common local area networking technology, and, with gigabit and 10 gigabit Ethernet, is also being used for metropolitan-area and wide-area networking.

It is specified by [http://standards.ieee.org/getieee802/802.3.html various IEEE 802.3 specifications].

Ethernet sends network packets from the sending host to one (["Unicast"]) or more (["Multicast"]/["Broadcast"]) receiving hosts.

You can find hardware related Ethernet information at the EthernetHardware page.

Packet format

A physical Ethernet packet will look like this:

Preamble

Destination MAC address

Source MAC address

Type/Length

User Data

Frame Check Sequence (FCS)

8

6

6

2

46 - 1500

4

As the Ethernet hardware filters the preamble, only the green fields are given to Ethereal or any other application. Most Ethernet interfaces also either don't supply the FCS to Ethereal or other applications, or aren't configured by their driver to do so.

  • === MAC address fields ===

    An Ethernet host is addressed by its Ethernet MAC address, a 6 byte number usually displayed as: 08:00:08:15:ca:fe (the delimiters vary, so you might see 08-00-08-15-ca-fe or the like). The first three bytes of the address are assigned to a specific vendor, see [http://www.iana.org/assignments/ethernet-numbers Ethernet numbers] at the ["IANA"] and [http://www.cavebear.com/CaveBear/Ethernet/vendor.html Michael A. Patton's list of vendor codes] for assigned vendor codes, and see [http://www.iana.org/assignments/ethernet-numbers Ethernet numbers] and [http://www.cavebear.com/CaveBear/Ethernet/multicast.html Michael A. Patton's list of multicast addresses], for assigned multicast addresses. A destination MAC address of ff:ff:ff:ff:ff:ff indicates a ["Broadcast"], meaning the packet is send from one host to any other on that network. XXX - also describe multicast. === Type / Length field === The original DEC/Intel/Xerox Ethernet specification included a 16-bit type field to indicate what upper layer protocol should be used. Ethernet frames with less than 64 bytes of Ethernet header, user data, and FCS are padded to 64 bytes (which means 60 bytes of Ethernet header and user data), which means that if there's less than 64-(14+4) = 46 bytes of user data in the frame, extra user data is added to the frame. If the upper layer protocol implementation has to know exactly how much user data is in the packet, and expects the length of the Ethernet packet to indicate the amount of user data, it will not behave correctly with padded packets.

    When constructing standards for LANs, the IEEE added a new header, the [http://standards.ieee.org/getieee802/802.2.html 802.2] LLC header, to packets in those LANs. It contained a destination "service access point", source "service access point", and packet type field, similar to the packet type field used in HDLC and HDLC-derived protocols such as X.25's LAPB; the destination service access point indicated the service to which the packet should be delivered, where a "service" is implemented as a protocol. (XXX - is the notion of service and protocol formalized in the OSI reference model? If so, we should perhaps have a page for the OSI model and describe that notion, and link to it.) I.e., it indicates the upper layer protocol that should be used. This meant that the type field in Ethernet could be used for other purposes, if an 802.2 header appeared at the beginning of the user data, so the IEEE standard for Ethernet, IEEE 802.3, included after the source MAC address a 16-bit field indicating the length of the user data in the packet, for the benefit of protocols that couldn't infer the length of the user data from the length of the packet as received.

    However, that standard also had to support the traditional use of that field as a type field. Ethernet packets could have no more than 1500 bytes of user data, so the field is interpreted as a length field if it has a value <= 1500 and a type field if it has a value > 1500. (XXX - the maximum length value is slightly smaller than the minimum type value.) Therefore, if the type/length field has a value 1500 or lower, it's a length field, and is followed by an 802.2 header, otherwise it's a type field and is followed by the data for the upper layer protocol.

    For a more detailed discussion of this, which mentions a third possibility used by NetWare, and mentions the SNAP header that can follow the 802.2 header, see [http://www.ee.siue.edu/~bnoble/comp/networks/frametypes.html Ethernet Frame Types: Provan's Definitive Answer], by Don Provan. Some examples of values in the type/length field:

    • 0 - 45 invalid
    • 46 - 1500 length field (802.3 + 802.2)
    • 0x0800 IP(v4), Internet Protocol version 4
    • 0x0806 ARP, Address Resolution Protocol
    • 0x8137 IPX, Internet Packet eXchange (Novell)
    • 0x86dd IPv6, Internet Protocol version 6

    See [http://www.iana.org/assignments/ethernet-numbers Ethernet numbers] and [http://www.cavebear.com/CaveBear/Ethernet/type.html Michael A. Patton's list of Ethernet type codes] for a list of assigned Ethernet type codes. === Frame Check Sequence (FCS) field ===

    Ethernet uses a CyclicRedundancyCheck (CRC) algorithm to detect transmission errors. The FrameCheckSequence field is filled (using a CRC) by the sending host. If the receiving host detects a wrong CRC, it will throw away that packet.

History

See [http://en.wikipedia.org/wiki/Ethernet#History Wikipedia] for a brief history of Ethernet

Protocol dependencies

Ethernet is the lowest software layer, so it only depends on hardware.

Example traffic

Small portion of the capture from opening ethereal.com in a web browser.

  • No.     Time        Source                Destination           Protocol Info
          1 0.000000    192.168.2.3           mail.packet0.com      TCP      1061 > http [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
          2 0.063590    mail.packet0.com      192.168.2.3           TCP      http > 1061 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1380
          3 0.063665    192.168.2.3           mail.packet0.com      TCP      1061 > http [ACK] Seq=1 Ack=1 Win=16560 Len=0
          4 0.064056    192.168.2.3           mail.packet0.com      HTTP     GET / HTTP/1.1
          5 0.163470    mail.packet0.com      192.168.2.3           TCP      http > 1061 [ACK] Seq=1 Ack=399 Win=6432 Len=0
          6 0.193849    mail.packet0.com      192.168.2.3           HTTP     HTTP/1.1 200 OK (text/html)
          7 0.201317    mail.packet0.com      192.168.2.3           HTTP     Continuation
          8 0.201408    192.168.2.3           mail.packet0.com      TCP      1061 > http [ACK] Seq=399 Ack=2761 Win=16560 Len=0
          9 0.208895    192.168.2.3           mail.packet0.com      TCP      1062 > http [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
         10 0.280617    mail.packet0.com      192.168.2.3           HTTP     Continuation
         11 0.287876    mail.packet0.com      192.168.2.3           HTTP     Continuation

Example capture file

Full capture from above example. Opening www.ethereal.com from the Firefox browser.

  • attachment:ethereal.com.pcap

Ethereal

The Ethernet dissector is fully functional.

Preference Settings

(XXX add links to preference settings affecting how Ethernet is dissected).

Display Filter

A complete list of Ethernet display filter fields can be found in the [http://www.ethereal.com/docs/dfref/e/eth.html display filter reference]

  • Show only the Ethernet-based traffic:

     eth 

    Show only the Ethernet-based traffic to and from Ethernet MAC address 08:00:08:15:ca:fe:

     eth.addr==08.00.08.15.ca.fe 

Capture Filter

Capture only the Ethernet-based traffic to and from Ethernet MAC address 08:00:08:15:ca:fe:

  •  ether host 08:00:08:15:ca:fe 

A lot of tutorial information about Ethernet can be found at [http://www.ethermanage.com/ethernet/ethernet.html Charles Spurgeon's Ethernet Web Site].

Discussion

Ethernet (last edited 2011-04-25 22:24:29 by BillMeier)