Differences between revisions 6 and 7
Revision 6 as of 2004-09-25 09:15:56
Size: 2877
Editor: UlfLamping
Comment:
Revision 7 as of 2004-09-25 09:37:30
Size: 3400
Editor: UlfLamping
Comment: add some more description and an ethernet packet outline
Deletions are marked like this. Additions are marked like this.
Line 8: Line 8:
Ethernet sends network packets from the sending host to one or more receiving hosts. Ethernet sends network packets from the sending host to one (["Unicast"]) or more (["Multicast"]/["Broadcast"]) receiving hosts.

A physical Ethernet packet will look like this:

||<#FFc0c0> Preambel ||<#c0FFc0> Destination MAC address ||<#c0FFc0> Source MAC address ||<#c0FFc0> Type ||<#c0FFc0> User Data ||<#FFc0c0> Frame Check Sequence (FCS) ||
||<:#FFc0c0> 8 ||<:#c0FFc0> 6 ||<:#c0FFc0> 6 ||<:#c0FFc0> 2 ||<:#c0FFc0> 46 - 1500 ||<:#FFc0c0> 4 ||

As the Ethernet hardware filters the preambel and the FCS, only the green fields are given to Ethereal or any other application.
Line 24: Line 31:
An Ethernet packet will look like:

|| Preambel || Destination MAC address || Source MAC address || Type || User Data || Frame Check Sequence (FCS) ||
||<:#FF8080> 8 ||<:> 6 ||<:> 6 ||<:> 2 ||<:> x ||<:> 4 ||
Ethernet uses a CyclicRedundancyCheck (CRC) algorithm to detect transmission errors. The FrameCheckSequence field is filled (using a CRC) by the sending host. If the receiving host detects a wrong CRC, it will throw away that packet.

Ethernet (IEEE 802.3)

Ethernet is the most common local area networking technology, and, with gigabit and 10 gigabit Ethernet, is also being used for metropolitan-area and wide-area networking.

It is specified by [http://standards.ieee.org/getieee802/802.3.html various IEEE 802.3 specifications].

Ethernet sends network packets from the sending host to one (["Unicast"]) or more (["Multicast"]/["Broadcast"]) receiving hosts.

A physical Ethernet packet will look like this:

Preambel

Destination MAC address

Source MAC address

Type

User Data

Frame Check Sequence (FCS)

8

6

6

2

46 - 1500

4

As the Ethernet hardware filters the preambel and the FCS, only the green fields are given to Ethereal or any other application.

An Ethernet host is addressed by it's Ethernet MAC address, a 6 byte number usually displayed as: 08:00:08:15:ca:fe (the delimiters vary, so you might see 08-00-08-15-ca-fe or alike). The first three bytes of the address are assigned to a specific vendor, see [http://www.iana.org/assignments/ethernet-numbers Ethernet numbers] at the ["IANA"] for assigned and special addresses.

A destination MAC address of ff:ff:ff:ff:ff:ff indicates a ["Broadcast"], meaning the packet is send from one host to any other on that network.

XXX - also describe multicast.

Ethernet uses a 16bit type field to indicate which upper layer protocol should be used. Some examples:

  • 0 - 45 invalid
  • 46 - 1500 length field (Ethernet-II)
  • 0x0800 IP(V4), internet protocol version 4
  • 0x0806 ARP, address resolution protocol
  • 0x8137 IPX, internet packet exchange (Novell)

Ethernet uses a CyclicRedundancyCheck (CRC) algorithm to detect transmission errors. The FrameCheckSequence field is filled (using a CRC) by the sending host. If the receiving host detects a wrong CRC, it will throw away that packet.

History

XXX - add a brief description of Ethernet history

Protocol dependencies

  • Ethernet is the lowest software layer, so it only depends on hardware.

Example traffic

XXX - Add example traffic here (as plain text or Ethereal screenshot).

Ethereal

The Ethernet dissector is fully functional.

Preference Settings

(XXX add links to preference settings affecting how Ethernet is dissected).

Example capture file

XXX - Add a simple example capture file. Keep it short, it's also a good idea to gzip it to make it even smaller, as Ethereal can open gzipped files automatically.

Display Filter

A complete list of Ethernet display filter fields can be found in the [http://www.ethereal.com/docs/dfref/e/eth.html display filter reference]

  • Show only the Ethernet-based traffic:

     eth 

    Show only the Ethernet-based traffic to and from Ethernet MAC address 08:00:08:15:ca:fe:

     eth.addr==08.00.08.15.ca.fe 

Capture Filter

  • Capture only the Ethernet-based traffic to and from Ethernet MAC address 08:00:08:15:ca:fe:

     ether host 08:00:08:15:ca:fe 

Discussion

Ethernet (last edited 2011-04-25 22:24:29 by BillMeier)