Exploring the Packet Delivery Process
The previous sections discussed the elements that govern host-to-host communications. You also need to understand how these elements interact. This section covers host-to-host communications by providing a graphic representation.
Layer 1 Devices and Their Functions
Layer 1 defines the electrical, mechanical, procedural, and functional specifications for activating, maintaining, and deactivating the physical link between end systems. Some common examples are Ethernet segments and serial links like Frame Relay and T1. Repeaters that provide signal amplification are also considered Layer 1 devices.
Figure 1-56 shows some common Layer 1 devices.
Figure 1-56 Layer 1 Devices
Layer 2 Devices and Their Functions
Layer 2 defines how data is formatted for transmission and how access to the physical media is controlled. Layer 2 devices also provide the interface between the end system and the physical media. Some common examples are a NIC installed in a host, a bridge, and a switch. Figure 1-57 shows an example of Layer 2 devices.
Figure 1-57 Layer 2 Devices
Layer 2 Addressing
Host communications require a Layer 2 address. Figure 1-58 shows an example of a MAC address for a Layer 2 Ethernet frame.
Figure 1-58 Ethernet MAC Address
When host-to-host communications were first developed, several network layer protocols were known as network operating systems (NOS). Early NOSs included NetWare, IP, ISO, and Banyan VINES. It became apparent that a Layer 2 address independent of the NOS was needed, so the MAC address was created.
MAC addresses are assigned to end devices such as hosts. In most cases, Layer 2 network devices such as bridges and switches are not assigned a MAC address. However, in some special cases, switches might be assigned an address.
Layer 3 Devices and Their Functions
The network layer provides connectivity and path selection between two host systems that might be located on geographically separated networks. In the case of a host, this is the path between the data link layer and the upper layers of the NOS. In the case of a router, it is the actual path across the network. Figure 1-59 shows Layer 3 devices.
Layer 3 Addressing
Each NOS has its own Layer 3 address format. For example, the OSI reference model uses a network service access point (NSAP), while TCP/IP uses an IP address. This course focuses on TCP/IP. Figure 1-60 shows an example of Layer 3 addressing.
Figure 1-59 Layer 3 Devices
Figure 1-60 Layer 3 Addressing
Mapping Layer 2 Addressing to Layer 3 Addressing
For IP communication on Ethernet-connected networks to take place, the logical (IP) address needs to be bound to the physical (MAC) address of its destination. This process is carried out by the Address Resolution Protocol (ARP). Figure 1-61 shows an example of mapping a Layer 2 address to a Layer 3 address.
To send data to a destination, a host on an Ethernet network must know the physical (MAC) address of the destination. ARP provides the essential service of mapping IP addresses to physical addresses on a network.
Figure 1-61 Mapping Layer 2 to Layer 3
The term address resolution refers to the process of binding a network layer IP address of a remote device to its locally reachable, data link layer MAC address. The address is “resolved” when ARP broadcasts the known information (the target destination IP address and its own IP address). The broadcast is received by all devices on the Ethernet segment. When the target recognizes itself by reading the contents of the ARP request packet, it responds with the required MAC address in its ARP reply. The address resolution procedure is completed when the originator receives the reply packet (containing the required MAC address) from the target and updates the table containing all of the current bindings. (This table is usually called the ARP cache or ARP table.) The ARP table maintains a correlation between each IP address and its corresponding MAC address.
The bindings in the table are kept current by a process of aging out unused entries after a period of inactivity. The default time for this aging is usually 300 seconds (5 minutes), ensuring that the table does not contain information for systems that might be switched off or that have been moved.
ARP Table
The ARP table, or ARP cache, keeps a record of recent bindings of IP addresses to MAC addresses. Figure 1-62 shows an example of an ARP table.
Figure 1-62 ARP Table
Each IP device on a network segment maintains an ARP table in its memory. This table maps the IP addresses of other devices on the network with their physical (MAC) addresses. When a host wants to transmit data to another host on the same network, it searches the ARP table to see if an entry exists. If an entry does exist, the host uses it, but if not, ARP is used to get an entry.
The ARP table is created and maintained dynamically, adding and changing address relationships as they are used on the local host. The entries in an ARP table usually expire after a period of time, by default 300 seconds; however, when the local host wants to transmit data again, the entry in the ARP table is regenerated through the ARP process.
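The request/reply exchange and the cache aging described above, as an added example (not code from the book): it encodes and decodes Ethernet/IPv4 ARP frames in their RFC 826 layout and keeps a cache that ages entries out after the 300-second default. The requester's MAC 0800:0222:2222 and the IP addresses 192.168.3.1 and 192.168.3.2 are the ones this chapter uses; the responder's MAC 08:00:02:22:11:11 is constructed, and the clock is injected so the aging can be shown without waiting five minutes.

```python
"""ARP frame encode/decode and an aging ARP cache (added example)."""
import socket
import struct
import time

ETH_P_ARP = 0x0806
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"        # the "all Fs" destination


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(oper, sender_mac, sender_ip, target_ip, target_mac=None):
    """Ethernet frame carrying an ARP message. A request is broadcast and
    carries a zeroed target MAC; a reply is unicast to the requester."""
    if oper == OP_REQUEST:
        dst_mac, tha = BROADCAST_MAC, b"\x00" * 6
    else:
        dst_mac, tha = target_mac, mac_to_bytes(target_mac)
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, oper, mac_to_bytes(sender_mac),
                       socket.inet_aton(sender_ip), tha, socket.inet_aton(target_ip))
    return eth + arp


def parse_arp_frame(frame):
    """Decode Ethernet + ARP; reject anything that is not Ethernet/IPv4 ARP."""
    if len(frame) < 14 + ARP_HDR.size:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack(
        frame[14:14 + ARP_HDR.size])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"dst_mac": bytes_to_mac(dst), "src_mac": bytes_to_mac(src), "oper": oper,
            "sender_mac": bytes_to_mac(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": bytes_to_mac(tha), "target_ip": socket.inet_ntoa(tpa)}


class ArpCache:
    """IP -> MAC bindings that expire `ttl` seconds after their last refresh."""

    def __init__(self, ttl=300.0, clock=time.monotonic):
        self.ttl, self.clock = ttl, clock
        self._entries = {}   # ip -> (mac, time_learned)
        self.changes = []    # (ip, old_mac, new_mac): a binding that moved

    def learn(self, ip, mac):
        old = self._entries.get(ip)
        if old is not None and old[0] != mac:
            self.changes.append((ip, old[0], mac))  # worth logging on a monitored segment
        self._entries[ip] = (mac, self.clock())

    def lookup(self, ip):
        entry = self._entries.get(ip)
        if entry is None:
            return None
        mac, learned = entry
        if self.clock() - learned > self.ttl:
            del self._entries[ip]                   # aged out: Layer 2 must ARP again
            return None
        return mac


def demo_exchange():
    """Replay the request/reply sequence with a fake clock to show aging."""
    now = [0.0]
    cache_a, cache_b = ArpCache(clock=lambda: now[0]), ArpCache(clock=lambda: now[0])
    # Host A (192.168.3.1, MAC from the text) asks for 192.168.3.2.
    request = parse_arp_frame(build_arp_frame(OP_REQUEST, "08:00:02:22:22:22",
                                              "192.168.3.1", "192.168.3.2"))
    cache_b.learn(request["sender_ip"], request["sender_mac"])  # B learns A from the request
    # Host B answers with its own (constructed) MAC, unicast to A.
    reply = parse_arp_frame(build_arp_frame(OP_REPLY, "08:00:02:22:11:11", "192.168.3.2",
                                            request["sender_ip"], request["sender_mac"]))
    cache_a.learn(reply["sender_ip"], reply["sender_mac"])      # A learns B from the reply
    fresh = cache_a.lookup("192.168.3.2")
    b_knows_a = cache_b.lookup("192.168.3.1")
    now[0] = 301.0                                              # past the 300 s default
    aged = cache_a.lookup("192.168.3.2")
    return request, reply, fresh, b_knows_a, aged
```

The `changes` list records any IP whose MAC binding moves while the entry is still live; on a monitored segment that is the event worth feeding to a log, since a correct ARP table for a fixed set of hosts should rarely change.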
Host-to-Host Packet Delivery
In Figure 1-63, an application on the host with a Layer 3 address of 192.168.3.1 wants to send some data to the host with a Layer 3 address of 192.168.3.2. The application wants to use a reliable connection. The application requests this service from the transport layer.
The transport layer selects TCP to set up the session. TCP initiates the session by passing a TCP header with the SYN bit set and the destination Layer 3 address (192.168.3.2) to the IP layer.
Figure 1-63 Packet Delivery
Figure 1-64 IP Layer Operation
Layer 2 needs to encapsulate the Layer 3 packet into a Layer 2 frame. To do this, Layer 2 needs to map the Layer 3 destination address of the packet to its MAC address. It does this by requesting a mapping from the ARP program.
ARP checks its table. In this example, it is assumed that this host has not communicated with the other host, so you see no entry in the ARP table. This results in Layer 2 holding the packet until ARP can provide a mapping. Figure 1-65 shows this operation.
Figure 1-65 ARP Table Lookup
The ARP program builds an ARP request and passes it to Layer 2, telling Layer 2 to send the request to a broadcast (all Fs) address. Layer 2 encapsulates the ARP request in a Layer 2 frame using the broadcast address provided by ARP as the destination MAC address and the local MAC address as the source. Figures 1-66 and 1-67 show this operation.
Figure 1-66 ARP Overview
Figure 1-67 ARP Request Sent
When host 192.168.3.2 receives the frame, it notes the broadcast address and strips the Layer 2 encapsulation. Figure 1-68 shows this operation.
Figure 1-68 ARP Response Received
The remaining ARP request is passed to ARP. Figure 1-69 shows this operation.
Figure 1-69 Layer 2 Passes to ARP
Using the information in the ARP request, ARP updates its table. Figure 1-70 shows this operation.
Figure 1-70 ARP Adds Sending Information to Table
ARP builds a response and passes it to Layer 2, telling Layer 2 to send the response to MAC address 0800:0222:2222 (host 192.168.3.1). Figure 1-71 shows this operation.
Figure 1-71 ARP Builds a Response
Figure 1-72 ARP Responds
When host 192.168.3.1 receives the frame, it notes that the destination MAC address is the same as its own address. It strips the Layer 2 encapsulation. Figure 1-73 shows this operation.
Figure 1-73 Layer 2 Recognizes MAC Address
The remaining ARP reply is passed to ARP. Figure 1-74 shows this operation.
Figure 1-74 Layer 2 Passes to ARP
ARP updates its table and passes the mapping to Layer 2. Figure 1-75 shows this operation.
Figure 1-75 ARP Updates the Table
Layer 2 can now encapsulate and send the pending packet. Figure 1-76 shows this operation.
Figure 1-76 Layer 2 Sends Packet Inside Frame to Start the Three-Way Handshake
At host 192.168.3.2, the frame is passed up the stack where encapsulation is removed. The remaining protocol data unit (PDU) is passed to TCP. Figure 1-77 shows this operation.
Figure 1-77 IP Packet Is Received
In response to the SYN, TCP passes a SYN ACK down the stack to be encapsulated. Figure 1-78 shows this operation.
Figure 1-78 Receiver Acknowledges Frame
The sender receives the ACK along with a SYN from the receiver that it must respond to. This is shown in Figure 1-79.
Figure 1-79 Sender Receives ACK
The sender responds by sending its ACK to the receiver. This is shown in Figure 1-80.
Figure 1-80 Sender Acknowledges ACK and Completes the Three-Way Handshake
With the three-way handshake completed, TCP can inform the application that the session has been established. This is shown in Figure 1-81.
Figure 1-81 Session Is Open
Now the application can send the data over the session, relying on TCP for error detection. Figures 1-82 through 1-84 show this operation.
Figure 1-82 Data Flow Begins
Figure 1-83 Data Is Received
Figure 1-84 Data Is Acknowledged
The data exchange continues until the application stops sending data.
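The whole sequence of Figures 1-63 through 1-81, as an added simulation (not code from the book): three hosts share one Ethernet segment; the sender holds its IP packet at Layer 2 while ARP resolves the destination, every NIC on the segment sees the broadcast, the target learns the sender's binding from the request itself, and the TCP three-way handshake follows once the frame can be addressed. The sender's MAC 0800:0222:2222 is the one in the text; the MACs of host 192.168.3.2 and of the bystander host 192.168.3.3 are constructed.

```python
"""Host-to-host delivery on one Ethernet segment: ARP resolution with the
packet held at Layer 2, then the TCP three-way handshake (added example)."""
from dataclasses import dataclass

BROADCAST = "ffff:ffff:ffff"   # the "all Fs" destination MAC


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    ethertype: str   # "ARP" or "IP"
    payload: dict


class Segment:
    """One broadcast domain: every transmitted frame reaches every other NIC."""

    def __init__(self):
        self.hosts = []
        self.log = []    # (src_mac, dst_mac, what) in wire order

    def transmit(self, frame):
        p = frame.payload
        self.log.append((frame.src_mac, frame.dst_mac, p.get("op") or "TCP " + p["flags"]))
        for host in self.hosts:
            if host.mac != frame.src_mac:
                host.receive(frame)


class Host:
    def __init__(self, segment, ip, mac):
        self.ip, self.mac, self.segment = ip, mac, segment
        segment.hosts.append(self)
        self.arp_table = {}    # ip -> mac
        self.pending = []      # IP packets Layer 2 is holding until ARP answers
        self.tcp_state = "CLOSED"

    def connect(self, dst_ip):
        """The application asks for a reliable connection: TCP sends a SYN."""
        self.tcp_state = "SYN_SENT"
        self.send_ip(dst_ip, "SYN")

    def send_ip(self, dst_ip, flags):
        packet = {"src_ip": self.ip, "dst_ip": dst_ip, "flags": flags}
        dst_mac = self.arp_table.get(dst_ip)
        if dst_mac is None:
            self.pending.append(packet)   # hold the packet, ask ARP for the mapping
            self.segment.transmit(Frame(self.mac, BROADCAST, "ARP", {
                "op": "ARP request", "sender_ip": self.ip,
                "sender_mac": self.mac, "target_ip": dst_ip}))
        else:
            self.segment.transmit(Frame(self.mac, dst_mac, "IP", packet))

    def receive(self, frame):
        if frame.dst_mac not in (BROADCAST, self.mac):
            return     # addressed to someone else: the NIC drops it
        if frame.ethertype == "ARP":
            self._handle_arp(frame.payload)
        else:
            self._handle_tcp(frame.payload)

    def _handle_arp(self, arp):
        # Requests and replies both carry the sender's binding, and it is
        # accepted as-is: ARP has no way to verify who sent it.
        self.arp_table[arp["sender_ip"]] = arp["sender_mac"]
        if arp["op"] == "ARP request" and arp["target_ip"] == self.ip:
            self.segment.transmit(Frame(self.mac, arp["sender_mac"], "ARP", {
                "op": "ARP reply", "sender_ip": self.ip,
                "sender_mac": self.mac, "target_ip": arp["sender_ip"]}))
        # Release any held packet whose destination is now resolvable.
        still_waiting = []
        for pkt in self.pending:
            mac = self.arp_table.get(pkt["dst_ip"])
            if mac is None:
                still_waiting.append(pkt)
            else:
                self.segment.transmit(Frame(self.mac, mac, "IP", pkt))
        self.pending = still_waiting

    def _handle_tcp(self, pkt):
        if pkt["flags"] == "SYN" and self.tcp_state == "CLOSED":
            self.tcp_state = "SYN_RECEIVED"
            self.send_ip(pkt["src_ip"], "SYN ACK")
        elif pkt["flags"] == "SYN ACK" and self.tcp_state == "SYN_SENT":
            self.tcp_state = "ESTABLISHED"
            self.send_ip(pkt["src_ip"], "ACK")
        elif pkt["flags"] == "ACK" and self.tcp_state == "SYN_RECEIVED":
            self.tcp_state = "ESTABLISHED"


def run_example():
    """Figures 1-63 to 1-81: 192.168.3.1 opens a TCP session to 192.168.3.2."""
    seg = Segment()
    a = Host(seg, "192.168.3.1", "0800:0222:2222")   # MAC given in the text
    b = Host(seg, "192.168.3.2", "0800:0222:1111")   # constructed
    c = Host(seg, "192.168.3.3", "0800:0222:3333")   # constructed bystander
    a.connect("192.168.3.2")
    return a, b, c, seg.log
```

After `run_example()` the segment log holds exactly the five frames the figures walk through (ARP request, ARP reply, SYN, SYN ACK, ACK), and the bystander's ARP table contains only the sender's binding, learned from the broadcast it could not ignore.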
Function of the Default Gateway
In the host-to-host packet delivery example, the host was able to use ARP to map the destination’s IP address to the destination’s MAC address. However, this option is available only if the two hosts are on the same network. If the two hosts are on different networks, the sending host must send the data to the default gateway, which forwards the data to the destination. Figure 1-85 shows the role of the default gateway in data transfers.
Figure 1-85 Role of the Default Gateway
Using Common Host Tools to Determine the Path Between Two Hosts Across a Network
Ping is a computer network tool used to test whether a particular host is reachable across an IP network. Ping works by sending Internet Control Message Protocol (ICMP) “echo request” packets (“Ping?”) to the target host and listening for ICMP “echo reply” responses. Using interval timing and response rates, ping estimates the round-trip time (RTT, generally in milliseconds) and packet-loss rate between hosts. Figure 1-86 shows the ping output from a Windows command line.
Figure 1-86 Ping
The syntax for a Windows ping is as follows:
ping [-t] [-a] [-n Count] [-l Size] [-f] [-i TTL] [-v TOS] [-r Count] [-s Count] [{-j HostList | -k HostList}] [-w Timeout] [TargetName]
The syntax flags are as follows:
- -t: Specifies that ping continue sending echo request messages to the destination until interrupted. To interrupt and display statistics, press Ctrl-BREAK. To interrupt and quit ping, press Ctrl-C.
- -a: Specifies that reverse name resolution is performed on the destination IP address. If this is successful, ping displays the corresponding hostname.
- -n Count: Specifies the number of echo request messages sent. The default is 4.
- -l Size: Specifies the length, in bytes, of the Data field in the echo request messages sent. The default is 32. The maximum size is 65,527.
- -f: Specifies that echo request messages are sent with the Don’t Fragment flag in the IP header set to 1. The echo request message cannot be fragmented by routers in the path to the destination. This parameter is useful for troubleshooting path maximum transmission unit (PMTU) problems.
- -i TTL: Specifies the value of the Time-to-Live (TTL) field in the IP header for echo request messages sent. The default is the default TTL value for the host. For Windows XP hosts, this is typically 128. The maximum TTL is 255.
- -v TOS: Specifies the value of the Type of Service (TOS) field in the IP header for echo request messages sent. The default is 0. TOS is specified as a decimal value from 0 to 255.
- -r Count: Specifies that the Record Route option in the IP header is used to record the path taken by the echo request message and corresponding echo reply message. Each hop in the path uses an entry in the Record Route option. If possible, specify a Count that is equal to or greater than the number of hops between the source and destination. The Count must be a minimum of 1 and a maximum of 9.
- -s Count: Specifies that the Internet Timestamp option in the IP header is used to record the time of arrival for the echo request message and corresponding echo reply message for each hop. The Count must be a minimum of 1 and a maximum of 4.
- -j HostList: Specifies that the echo request messages use the Loose Source Route option in the IP header with the set of intermediate destinations specified in HostList. With loose source routing, successive intermediate destinations can be separated by one or multiple routers. The maximum number of addresses or names in the host list is nine. The HostList is a series of IP addresses (in dotted decimal notation) separated by spaces.
- -k HostList: Specifies that the echo request messages use the Strict Source Route option in the IP header with the set of intermediate destinations specified in HostList. With strict source routing, the next intermediate destination must be directly reachable (it must be a neighbor on an interface of the router). The maximum number of addresses or names in the host list is nine. The HostList is a series of IP addresses (in dotted decimal notation) separated by spaces.
- -w Timeout: Specifies the amount of time, in milliseconds, to wait for the echo reply message that corresponds to a given echo request message to be received. If the echo reply message is not received within the timeout, the “Request timed out” error message is displayed. The default timeout is 4000 (4 seconds).
- TargetName: Specifies the destination, which is identified by either IP address or host name.
- /?: Displays help at the command prompt.
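Ping's RTT and loss estimates come from the per-reply lines; as an added example (not the book's), this parser reads Windows ping output of the kind shown in Figure 1-86, computes sent/received/lost, loss percentage and min/max/avg RTT, and cross-checks its counts against the statistics block ping prints. The sample output is constructed in the Windows format, not a captured session; treating `time<1ms` as 0 ms is this parser's convention for sub-millisecond replies.

```python
"""Parse Windows ping output into loss and RTT statistics (added example)."""
import re
from statistics import mean

REPLY_RE = re.compile(r"^Reply from (\S+): bytes=(\d+) time([=<])(\d+)ms TTL=(\d+)$")
TIMEOUT_RE = re.compile(r"^Request timed out\.$")
SUMMARY_RE = re.compile(
    r"^Packets: Sent = (\d+), Received = (\d+), Lost = (\d+) \((\d+)% loss\),?$")

# Constructed in the Windows ping output format (not a captured session).
SAMPLE_OUTPUT = """\
Pinging 192.168.3.2 with 32 bytes of data:

Reply from 192.168.3.2: bytes=32 time<1ms TTL=128
Reply from 192.168.3.2: bytes=32 time=12ms TTL=128
Request timed out.
Reply from 192.168.3.2: bytes=32 time=9ms TTL=128

Ping statistics for 192.168.3.2:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 12ms, Average = 7ms
"""


def parse_ping(text):
    """Count probes from the per-reply lines and compute the statistics ping
    itself prints: sent/received/lost, loss percentage, min/max/avg RTT."""
    rtts, sent = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        m = REPLY_RE.match(line)
        if m:
            sent += 1
            # "time<1ms" is a sub-millisecond RTT; count it as 0 ms, the value
            # the Windows summary shows as the minimum in that case.
            rtts.append(0 if m.group(3) == "<" else int(m.group(4)))
        elif TIMEOUT_RE.match(line):
            sent += 1           # a probe with no echo reply within -w Timeout
    received = len(rtts)
    return {
        "sent": sent,
        "received": received,
        "lost": sent - received,
        "loss_pct": round(100 * (sent - received) / sent) if sent else None,
        "rtt_min": min(rtts) if rtts else None,
        "rtt_max": max(rtts) if rtts else None,
        "rtt_avg": int(mean(rtts)) if rtts else None,   # whole milliseconds, as ping prints
    }


def summary_consistent(text):
    """Cross-check the computed counts against ping's own statistics block.
    Returns True/False, or None when no summary line is present."""
    stats = parse_ping(text)
    for raw in text.splitlines():
        m = SUMMARY_RE.match(raw.strip())
        if m:
            sent, received, lost, loss_pct = map(int, m.groups())
            return (sent, received, lost, loss_pct) == (
                stats["sent"], stats["received"], stats["lost"], stats["loss_pct"])
    return None
```

Feeding the saved output of a scheduled ping into `parse_ping` gives a machine-readable loss and latency record for a reachability check, which is the measurement ping is used for in the text.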
The Windows arp command shown in Figure 1-87 displays and modifies entries in the ARP cache, which contains one or more tables that store IP addresses and their resolved Ethernet physical addresses. A separate table exists for each Ethernet or Token Ring network adapter installed on your computer. Used without parameters, arp displays help.
Figure 1-87 Displaying the ARP Table
The syntax for the command is as follows:
arp [-a [InetAddr] [-N IfaceAddr]] [-g [InetAddr] [-N IfaceAddr]] [-d InetAddr [IfaceAddr]] [-s InetAddr EtherAddr [IfaceAddr]]
The following are the parameters associated with the Windows arp command:
- -a [InetAddr] [-N IfaceAddr]: Displays current ARP cache tables for all interfaces. To display the ARP cache entry for a specific IP address, use arp -a with the InetAddr parameter, where InetAddr is an IP address. To display the ARP cache table for a specific interface, use the -N IfaceAddr parameter where IfaceAddr is the IP address assigned to the interface. The -N parameter is case-sensitive.
- -g [InetAddr] [-N IfaceAddr]: Identical to -a.
- -d InetAddr [IfaceAddr]: Deletes an entry with a specific IP address, where InetAddr is the IP address. To delete an entry in a table for a specific interface, use the IfaceAddr parameter where IfaceAddr is the IP address assigned to the interface. To delete all entries, use the asterisk (*) wildcard character in place of InetAddr.
- -s InetAddr EtherAddr [IfaceAddr]: Adds a static entry to the ARP cache that resolves the IP address InetAddr to the physical address EtherAddr. To add a static ARP cache entry to the table for a specific interface, use the IfaceAddr parameter where IfaceAddr is an IP address assigned to the interface.
- /?: Displays help at the command prompt.
The TRACERT (traceroute) diagnostic utility determines the route to a destination by sending ICMP echo packets to the destination. In these packets, TRACERT uses varying IP TTL values. Because each router along the path is required to decrement the packet’s TTL by at least 1 before forwarding the packet, the TTL is effectively a hop counter. When the TTL on a packet reaches zero (0), the router sends an ICMP “Time Exceeded” message back to the source computer.
TRACERT sends the first echo packet with a TTL of 1 and increments the TTL by 1 on each subsequent transmission until the destination responds or until the maximum TTL is reached. The ICMP “Time Exceeded” messages that intermediate routers send back show the route. Note, however, that some routers silently drop packets with expired TTL values, and these packets are invisible to TRACERT.
TRACERT prints out an ordered list of the intermediate routers that return ICMP “Time Exceeded” messages. Using the -d option with the tracert command instructs TRACERT not to perform a DNS lookup on each IP address, so that TRACERT reports the IP address of the near-side interface of the routers. Figure 1-88 shows a traceroute to yahoo.com.
Figure 1-88 Performing a Traceroute
The syntax for a Windows traceroute is as follows:
tracert [-d] [-h maximum_hops] [-j HostList] [-w Timeout] target_host
The following are the parameters associated with the Windows traceroute command:
- -d: Specifies to not resolve addresses to hostnames
- -h maximum_hops: Specifies the maximum number of hops to search for the target
- -j HostList: Specifies loose source route along the host list
- -w Timeout: Waits the number of milliseconds specified by timeout for each reply
- target_host: Specifies the name or IP address of the target host
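The TTL-driven path discovery described above, as an added simulation (not code from the book): each router decrements the TTL and answers Time Exceeded when it reaches zero, a router marked as silent models the drop case the text mentions (a hop that TRACERT cannot see), -h bounds the number of hops probed, and -d switches name resolution off. The path, the addresses and the name table standing in for DNS are all constructed.

```python
"""How TRACERT maps a path by raising the TTL one hop at a time (added example)."""
from dataclasses import dataclass


@dataclass
class Router:
    address: str                         # near-side interface address, as tracert reports
    answers_time_exceeded: bool = True   # False: silently drops expired packets


# Constructed reverse-lookup table standing in for DNS (-d skips it).
NAMES = {"192.168.3.254": "gw.example.test", "10.0.0.1": "core1.example.test"}


def forward(path, destination, ttl):
    """Carry one echo request along `path`. Each router decrements the TTL by 1
    and, when it hits 0, either answers Time Exceeded or says nothing.
    Returns (kind, address) with kind in {"time_exceeded", "silence", "echo_reply"}."""
    for router in path:
        ttl -= 1
        if ttl == 0:
            if router.answers_time_exceeded:
                return "time_exceeded", router.address
            return "silence", None
    return "echo_reply", destination   # TTL survived every router: destination answers


def tracert(path, destination, max_hops=30, resolve_names=True):
    """Return the hop list TRACERT would print as (hop_number, label). A label
    of None is a hop that never answered (printed as '*' / Request timed out);
    max_hops models -h, resolve_names=False models -d."""
    rows = []
    for ttl in range(1, max_hops + 1):
        kind, addr = forward(path, destination, ttl)
        if kind == "silence":
            rows.append((ttl, None))
        else:
            rows.append((ttl, NAMES.get(addr, addr) if resolve_names else addr))
        if kind == "echo_reply":
            break                         # destination reached; stop probing
    return rows


def demo():
    """Four constructed routers; the third drops expired packets silently."""
    path = [Router("192.168.3.254"), Router("10.0.0.1"),
            Router("10.0.0.2", answers_time_exceeded=False), Router("203.0.113.1")]
    dest = "203.0.113.10"
    return (tracert(path, dest),
            tracert(path, dest, resolve_names=False),
            tracert(path, dest, max_hops=2))
```

The third row of the full trace comes back as None: the router is on the path and forwards traffic normally, but because it never sends Time Exceeded it appears only as a timed-out hop, which is exactly the invisibility the text warns about.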