2.1.1. TCP Segment Format:
The TCP header is 20 bytes long (up to 24 bytes with options):
- Source port: 2 bytes for port number of the sender application.
- Destination port: port number of the destination application.
- Sequence number: A number used by TCP that puts data back in the correct order.
- Acknowledgment number: The next TCP octet expected.
- Header length: indicates where the data begins.
- Reserved: always set to zero.
- Code bits: (6-bits), control functions used to set up and terminate a session.
- Window: The window size the sender is willing to accept, in octets.
- Checksum: The CRC checks the header and data fields.
- Urgent: A valid field only if the URG bit is set in the code bits. The value indicates the offset from the current sequence number, in octets, where the first segment of non-urgent data begins.
- Options: May be 0 or a multiple of 32 bits.
- Data: upper-layer data.
2.2. User Datagram Protocol (UDP)
2.2.1. TCP vs UDP:
The overhead of establishing, maintaining, and closing a TCP connection can reduce network efficiency. Use UDP instead of TCP when reliability is already handled at the Process/Application layer.
UDP is a connectionless protocol: it doesn't create a virtual circuit, nor does it contact the destination before delivering information.
2.2.2 UDP Segment Format:
- Source port;
- Destination port;
- Length of UDP header and data;
- Checksum of both UDP header and data;
- Data.
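The field lists in 2.1.1 and 2.2.2 become concrete when you decode real bytes. The following Python is an added example, not code from the notes or from the book they summarize: it parses a TCP header (ports, sequence and acknowledgment numbers, header length in 32-bit words, the six code bits, window, urgent pointer, options) and a UDP header (ports, length, checksum), and verifies both checksums. Note that TCP and UDP use the one's-complement Internet checksum of RFC 1071 over a pseudo-header plus the segment, not a CRC. The sample SYN segment, the DNS-style datagram and the IP addresses (192.0.2.1, 198.51.100.10) are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Code bits of the TCP header, most significant of the 6 bits first (URG ... FIN).
TCP_FLAG_NAMES = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")
PROTO_TCP, PROTO_UDP = 6, 17


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071), as used by TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold the carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: bytes, dst_ip: bytes, proto: int, length: int) -> bytes:
    """IPv4 pseudo-header: the transport checksum covers it as well as the segment."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, proto, length)


@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    header_len: int     # bytes, from the 4-bit header length field (32-bit words)
    flags: tuple
    window: int
    checksum: int
    urgent_ptr: int
    options: bytes
    payload: bytes
    checksum_ok: bool


def parse_tcp(segment: bytes, src_ip: bytes, dst_ip: bytes) -> TcpHeader:
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    (src_port, dst_port, seq, ack, off_res, flags,
     window, csum, urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    header_len = (off_res >> 4) * 4
    if not 20 <= header_len <= len(segment):
        raise ValueError("TCP header length %d is outside the segment" % header_len)
    names = tuple(n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << (5 - i)))
    ok = internet_checksum(pseudo_header(src_ip, dst_ip, PROTO_TCP, len(segment)) + segment) == 0
    return TcpHeader(src_port, dst_port, seq, ack, header_len, names, window, csum,
                     urg, segment[20:header_len], segment[header_len:], ok)


@dataclass
class UdpHeader:
    src_port: int
    dst_port: int
    length: int         # header + data
    checksum: int
    payload: bytes
    checksum_ok: bool   # True if the field is 0 (sender skipped it) or it verifies


def parse_udp(datagram: bytes, src_ip: bytes, dst_ip: bytes) -> UdpHeader:
    if len(datagram) < 8:
        raise ValueError("UDP header needs 8 bytes")
    src_port, dst_port, length, csum = struct.unpack("!HHHH", datagram[:8])
    if not 8 <= length <= len(datagram):
        raise ValueError("UDP length %d is outside the datagram" % length)
    ok = csum == 0 or internet_checksum(
        pseudo_header(src_ip, dst_ip, PROTO_UDP, length) + datagram[:length]) == 0
    return UdpHeader(src_port, dst_port, length, csum, datagram[8:length], ok)


def build_tcp_syn(src_ip, dst_ip, src_port, dst_port, seq) -> bytes:
    """Constructed sample: a bare SYN (no options, no data) with a correct checksum."""
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, PROTO_TCP, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def build_udp(src_ip, dst_ip, src_port, dst_port, payload) -> bytes:
    """Constructed sample datagram with a correct checksum (a computed 0 is sent as 0xFFFF)."""
    length = 8 + len(payload)
    raw = struct.pack("!HHHH", src_port, dst_port, length, 0) + payload
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, PROTO_UDP, length) + raw) or 0xFFFF
    return raw[:6] + struct.pack("!H", csum) + raw[8:]


if __name__ == "__main__":
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 10])   # constructed addresses
    print(parse_tcp(build_tcp_syn(src, dst, 49152, 80, 1000), src, dst))
    print(parse_udp(build_udp(src, dst, 49153, 53, b"query"), src, dst))
```

A parser that trusts the header length field without the bounds check above will read past the segment on a malformed packet; the check is the part worth copying. The sample SYN uses a source port above 1024 and a well-known destination port, the pattern 2.4 describes.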
2.3. Key Concepts of Host-to-Host Protocols (TCP vs UDP, p 120)
2.4 Port Numbers (p 121)
The different port numbers that can be used are explained next:
- Numbers below 1024 are considered well-known port numbers and are defined in RFC 3232.
- Numbers 1024 and above are used by the upper layers to set up sessions with other hosts and by TCP.
2.4.1. TCP Session: Source port
The source host makes up a port number to differentiate between sessions with different hosts. How would a server know where information is coming from if each sending host didn't use a different number? It's easy to imagine the receiving host getting thoroughly confused if all the hosts used the same source port number to reach FTP.
2.4.2. TCP Session: Destination Port
When looking at a protocol analyzer, we often see that only the source port is above 1024 while the destination port is a well-known port.
2.4.3. TCP Session: Syn Packet Acknowledgment
TCP protocols        UDP protocols
TELNET (23)          SNMP (161)
SMTP (25)            DNS (53)
HTTP (80)
FTP (21)
DNS (53)
HTTPS (443)
3. The Internet Layer's Protocols:
IP provides routing functionality and a single network interface to the upper layers (no need to build a different version of each application for every network type: Ethernet, Token Ring, ...).
3.1. Internet Protocol (IP): (p 125)
Internet Protocol (IP) essentially is the Internet layer. The other protocols found here merely exist to support it. The following fields make up the IP header:
- Version: IP version number;
- Header length: HLEN, in 32-bit words;
- Priority and Type of Service: Type of service tells how the datagram should be handled. The first 3-bits are for priority;
- Total length: packet length including header and data;
- Identification: Unique IP-packet value;
- Flags: specifies whether fragmentation should occur;
- Fragment offset: provides fragmentation and reassembly if the packet is too large to put in a frame;
- Time to Live: This stops IP packets from continuously circling the network looking for a home;
- Protocol: number of the upper-layer protocol (TCP is 6, UDP is 17). Also supports Network layer protocols, like ARP and ICMP.
- Header checksum: CRC of the header;
- Source IP address: 32-bits IP address of sending station;
- Destination IP address: 32-bit IP address of the destination station;
- Options: Used for network testing, debugging, security, and more;
- Data: upper-layer data.
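To see how the fields of 3.1 are laid out and checked, here is an added example in Python (not code from the notes or the book): it decodes the IPv4 header, including the 3-bit priority of the Type of Service byte, the header length in 32-bit words, the flags and fragment offset (in 8-byte units), TTL and protocol number, verifies the header checksum (a one's-complement sum, RFC 1071), and reassembles fragments in offset order, rejecting gaps and overlaps instead of merging them. The packets, payloads and addresses (192.0.2.1, 198.51.100.10) are constructed for the example.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}   # IANA protocol numbers


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); IP applies it to the header only."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Ipv4Header:
    header_len: int      # bytes (HLEN field * 4)
    precedence: int      # top 3 bits of the Type of Service byte
    total_len: int
    ident: int
    dont_fragment: bool
    more_fragments: bool
    frag_offset: int     # bytes (field value * 8)
    ttl: int
    protocol: int
    protocol_name: str
    src: str
    dst: str
    options: bytes
    payload: bytes
    checksum_ok: bool


def parse_ipv4(packet: bytes) -> Ipv4Header:
    if len(packet) < 20:
        raise ValueError("IPv4 header needs at least 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (ver_ihl & 0x0F) * 4
    if not 20 <= header_len <= total_len <= len(packet):
        raise ValueError("header/total length fields are inconsistent with the packet")
    return Ipv4Header(
        header_len=header_len, precedence=tos >> 5, total_len=total_len, ident=ident,
        dont_fragment=bool(flags_frag & 0x4000), more_fragments=bool(flags_frag & 0x2000),
        frag_offset=(flags_frag & 0x1FFF) * 8, ttl=ttl, protocol=proto,
        protocol_name=PROTOCOL_NAMES.get(proto, "proto-%d" % proto),
        src=str(IPv4Address(src)), dst=str(IPv4Address(dst)),
        options=packet[20:header_len], payload=packet[header_len:total_len],
        checksum_ok=internet_checksum(packet[:header_len]) == 0,
    )


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ident: int = 1, ttl: int = 64,
               more_fragments: bool = False, frag_offset: int = 0) -> bytes:
    """Constructed sample packet (no options) with a correct header checksum."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:] + payload


def reassemble(fragments: list) -> bytes:
    """Put the fragments of one datagram back together in offset order.
    A gap, an overlap, a mixed Identification field or a missing last piece raises."""
    parts = sorted((parse_ipv4(f) for f in fragments), key=lambda h: h.frag_offset)
    if not parts or len({h.ident for h in parts}) != 1:
        raise ValueError("fragments must all carry the same Identification")
    expected, data = 0, b""
    for h in parts:
        if h.frag_offset != expected:
            raise ValueError("fragment gap or overlap at offset %d" % h.frag_offset)
        data += h.payload
        expected += len(h.payload)
    if parts[-1].more_fragments:
        raise ValueError("last fragment is missing")
    return data


if __name__ == "__main__":
    pkt = build_ipv4("192.0.2.1", "198.51.100.10", 6, b"x" * 12)
    print(parse_ipv4(pkt))
    body = bytes(range(32))
    first = build_ipv4("192.0.2.1", "198.51.100.10", 17, body[:16], ident=7, more_fragments=True)
    last = build_ipv4("192.0.2.1", "198.51.100.10", 17, body[16:], ident=7, frag_offset=16)
    print(reassemble([last, first]) == body)
```

Two points the code makes explicit: a router that decrements TTL must recompute the header checksum, so a packet whose TTL was changed without that shows up as a checksum failure; and a reassembler that accepts overlapping fragments lets two copies of the same offset disagree about the content, which is why this one refuses them.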
3.2. Internet Control Message protocol (ICMP): (p 128)
ICMP packets have the following characteristics:
- They can provide hosts with information about network problems;
- They are encapsulated within IP datagrams.
The following are some common events and messages that ICMP relates to:
3.2.1. Destination Unreachable:
If a router can't send a packet, it uses ICMP to send back a message to the sender, advising it of the situation.
3.2.2. Buffer Full:
If a router's buffer memory is full, it uses ICMP to send out this message.
3.2.3. Hops:
Used to inform the sender that its packet has been dropped by the last router because the packet reached its hop limit.
3.2.4. Ping (Packet Internet Groper):
Ping uses ICMP echo request and reply messages to check the logical and physical connectivity of machines.
3.2.5. Traceroute:
Uses ICMP time-outs to discover the path a packet takes as it traverses an internetwork.
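Ping and traceroute (3.2.4, 3.2.5) work because ICMP error messages such as Destination Unreachable and Time Exceeded quote the IP header and first 8 bytes of the datagram that triggered them, so the sender can match a reply to the probe it sent. The Python below is an added example, not code from the notes: it decodes the ICMP type and code, pulls the echo identifier and sequence out of echo messages, extracts the quoted datagram from error messages and matches it against a probe. Checksum verification is left out (it is the same one's-complement sum as for IP). The Time Exceeded message, the probe ports (40000 to 33434) and the addresses are constructed for the example.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 3, 8, 11
TYPE_NAMES = {0: "echo reply", 3: "destination unreachable",
              8: "echo request", 11: "time exceeded"}
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
                 3: "port unreachable", 4: "fragmentation needed and DF set"}
TIME_EXCEEDED_CODES = {0: "TTL exceeded in transit", 1: "fragment reassembly time exceeded"}


@dataclass
class QuotedDatagram:
    """IP header plus the first 8 transport bytes that an ICMP error message quotes."""
    src: str
    dst: str
    protocol: int
    ttl: int
    first8: bytes          # for TCP and UDP these begin with source port, destination port


@dataclass
class IcmpMessage:
    msg_type: int
    code: int
    description: str
    identifier: Optional[int] = None    # echo request/reply only
    sequence: Optional[int] = None
    quoted: Optional[QuotedDatagram] = None


def parse_quoted(quote: bytes) -> QuotedDatagram:
    if len(quote) < 28:
        raise ValueError("ICMP error must quote the IP header and 8 bytes of its payload")
    ihl = (quote[0] & 0x0F) * 4
    ttl, proto = quote[8], quote[9]
    src, dst = IPv4Address(quote[12:16]), IPv4Address(quote[16:20])
    return QuotedDatagram(str(src), str(dst), proto, ttl, quote[ihl:ihl + 8])


def parse_icmp(msg: bytes) -> IcmpMessage:
    """Decode type and code; the checksum field is not verified here."""
    if len(msg) < 8:
        raise ValueError("ICMP header needs 8 bytes")
    itype, code, _csum, rest = struct.unpack("!BBH4s", msg[:8])
    desc = TYPE_NAMES.get(itype, "type %d" % itype)
    if itype in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        ident, seq = struct.unpack("!HH", rest)
        return IcmpMessage(itype, code, desc, identifier=ident, sequence=seq)
    if itype in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        codes = UNREACH_CODES if itype == ICMP_DEST_UNREACH else TIME_EXCEEDED_CODES
        desc += ": " + codes.get(code, "code %d" % code)
        return IcmpMessage(itype, code, desc, quoted=parse_quoted(msg[8:]))
    return IcmpMessage(itype, code, desc)


def matches_probe(reply: IcmpMessage, src: str, dst: str, proto: int, ports: bytes) -> bool:
    """What ping and traceroute do: accept an error only if it quotes the probe we sent."""
    q = reply.quoted
    return (q is not None and (q.src, q.dst, q.protocol) == (src, dst, proto)
            and q.first8[:4] == ports)


def build_icmp_error(itype, code, src, dst, proto, ttl, transport_first8) -> bytes:
    """Constructed sample: an ICMP error quoting the offending datagram (checksum left 0)."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, ttl, proto, 0,
                        IPv4Address(src).packed, IPv4Address(dst).packed)
    return struct.pack("!BBH4s", itype, code, 0, b"\x00" * 4) + inner + transport_first8


if __name__ == "__main__":
    # Constructed scenario: a UDP probe (TTL 1) expires at the first router, which
    # answers with Time Exceeded; we check that the reply really quotes our probe.
    probe_ports = bytes.fromhex("9c40829a")   # 40000 -> 33434
    reply = build_icmp_error(ICMP_TIME_EXCEEDED, 0, "192.0.2.1", "198.51.100.10", 17, 1,
                             probe_ports + b"\x00\x1c\x00\x00")
    msg = parse_icmp(reply)
    print(msg.description, matches_probe(msg, "192.0.2.1", "198.51.100.10", 17, probe_ports))
```

Matching on the quoted datagram rather than on the ICMP type alone is what keeps a traceroute from attributing an unrelated Time Exceeded message to one of its own hops.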
3.3. Address Resolution Protocol (ARP):
It finds the hardware address of a host from a known IP address. ARP interrogates the local network by sending out a broadcast asking the machine with the specified IP address to reply with its hardware address.
3.4. Reverse Address Resolution Protocol (RARP):
If a host is looking for its IP address, it sends a RARP request to a RARP server with its MAC address; the server responds with the answer and the identity crisis is over.
3.5. Proxy Address Resolution Protocol (Proxy ARP):
When a router goes down, the hosts won't immediately start sending to another one; they must be reconfigured. Proxy ARP can help machines on a subnet reach remote subnets without configuring routing. Proxy ARP is added as a service to the router, and is enabled by default. Using it means hosts need a larger ARP table in order to hold all the IP-to-MAC address mappings. Disable it if you don't need it.
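The ARP exchange of 3.3 and the effect of proxy ARP in 3.5 can both be seen by decoding ARP packets and maintaining the same IP-to-MAC table a host keeps. The Python below is an added example, not code from the notes: it parses Ethernet/IPv4 ARP requests and replies, learns sender mappings the way a host's ARP cache does, reports when an IP it already knows is answered by a different MAC (a conflicting or stale mapping), and lists MACs that answer for several IPs, which is how a proxy-ARP router looks from the LAN and why the notes say it inflates ARP tables. The capture, the MAC addresses (00:00:5e:00:53:xx) and the IP addresses are constructed for the example.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List

ARP_REQUEST, ARP_REPLY = 1, 2
OP_NAMES = {ARP_REQUEST: "request", ARP_REPLY: "reply"}


@dataclass
class ArpPacket:
    operation: str
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_to_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def parse_arp(payload: bytes) -> ArpPacket:
    """Decode an Ethernet/IPv4 ARP packet (the 28 bytes after the Ethernet header)."""
    if len(payload) < 28:
        raise ValueError("ARP packet needs 28 bytes")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled")
    if oper not in OP_NAMES:
        raise ValueError("unknown ARP operation %d" % oper)
    return ArpPacket(OP_NAMES[oper], mac_to_str(sha), str(IPv4Address(spa)),
                     mac_to_str(tha), str(IPv4Address(tpa)))


def build_arp(oper: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Builder for the constructed sample packets."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, mac(sender_mac),
                       IPv4Address(sender_ip).packed, mac(target_mac), IPv4Address(target_ip).packed)


class ArpMonitor:
    """Learns IP-to-MAC mappings the way a host's ARP table does and reports
    when an IP it already knows is claimed by a different MAC."""

    def __init__(self):
        self.table: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, pkt: ArpPacket) -> None:
        # Requests and replies both carry the sender's mapping; that is what gets cached.
        known = self.table.get(pkt.sender_ip)
        if known is not None and known != pkt.sender_mac:
            self.alerts.append("%s moved from %s to %s (seen in ARP %s)"
                               % (pkt.sender_ip, known, pkt.sender_mac, pkt.operation))
        self.table[pkt.sender_ip] = pkt.sender_mac

    def macs_answering_many(self, threshold: int = 2) -> List[str]:
        """MACs mapped to several IPs: with proxy ARP enabled this is the router's MAC."""
        counts: Dict[str, int] = {}
        for mac in self.table.values():
            counts[mac] = counts.get(mac, 0) + 1
        return sorted(m for m, n in counts.items() if n >= threshold)


def sample_arp_traffic() -> List[bytes]:
    """Constructed LAN capture: a host asks for the router and gets a reply, the router
    then answers for two off-subnet addresses (proxy ARP), and finally a second device
    answers for the router's IP, producing a conflicting mapping."""
    host, router, other = "00:00:5e:00:53:0a", "00:00:5e:00:53:01", "00:00:5e:00:53:ff"
    zero = "00:00:00:00:00:00"
    return [
        build_arp(ARP_REQUEST, host, "192.0.2.10", zero, "192.0.2.1"),
        build_arp(ARP_REPLY, router, "192.0.2.1", host, "192.0.2.10"),
        build_arp(ARP_REQUEST, host, "192.0.2.10", zero, "198.51.100.5"),
        build_arp(ARP_REPLY, router, "198.51.100.5", host, "192.0.2.10"),
        build_arp(ARP_REQUEST, host, "192.0.2.10", zero, "198.51.100.6"),
        build_arp(ARP_REPLY, router, "198.51.100.6", host, "192.0.2.10"),
        build_arp(ARP_REPLY, other, "192.0.2.1", host, "192.0.2.10"),
    ]


if __name__ == "__main__":
    mon = ArpMonitor()
    for raw in sample_arp_traffic():
        mon.observe(parse_arp(raw))
    print(mon.table, mon.macs_answering_many(), mon.alerts, sep="\n")
```

With proxy ARP on, the host's table ends up holding the router's MAC for every remote address it has talked to, which is exactly the growth the notes warn about; without it, those addresses would never appear in the host's ARP table at all.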
4. IP Addressing (p 133)
4.1. The Hierarchical IP Addressing Scheme:
4.1.1. Network Addressing: (p 135)
Class A: Network . Host . Host . Host
Class B: Network . Network . Host . Host
Class C: Network . Network . Network . Host
Class D: Multicast
Class E: Research
4.1.1.1. Network Address Range: Class A
The first bit of the first byte in a Class A must always be 0, so the first byte is between 0 and 127.
4.1.1.2. Network Address Range: Class B
In a Class B, the first bit of the first byte is 1, and the second bit must always be 0.
Class B addresses are between 128 and 191.
4.1.1.3. Network Address Range: Class C
The first 2 bits of the first byte are set to 1, the third is always 0.
The range of addresses is from 192 to 223.
4.1.1.4. Network Address Range: Class D and E
You don't need them: Class D (224-239) is for multicast addresses.
Class E (240-255) is for scientific purposes.
4.1.1.5. Network Addresses: Special Purpose
- Network address of all 0s: Interpreted to mean "this network or segment".
- Network address of all 1s: Interpreted to mean "all networks".
- Network 127.0.0.1: reserved for loopback tests.
- Node address of all 0s: Interpreted to mean "network address" or any host on specified network.
- Node address of all 1s: Interpreted to mean "all nodes" on the specified network, ex: 128.2.255.255.
- Entire IP address set to all 0s: Used by Cisco routers to designate the default route.
- Entire IP address set to all 1s: Broadcast to all nodes on the current network.
Class A Addresses (p 137)
The network address 0000 0000 is reserved to designate the default route.
The address 127 is reserved for diagnostics.
4.1.2. Private IP Addresses:
Private IP addresses can be used on a private network, but they're not routable through the Internet. By using private IP addresses, users need only a tiny group of bona fide IP addresses to connect their network to the Internet. To accomplish that, they need Network Address Translation (NAT), which converts a private IP address for use on the Internet.
Class A private address range is 10.0.0.0 through 10.255.255.255.
Class B private address range is 172.16.0.0 through 172.31.255.255.
Class C private address range is 192.168.0.0 through 192.168.255.255.
5. Broadcast Addresses (141)
There are 4 types:
- Layer 2 broadcasts: These are sent to all nodes on a LAN. The hardware broadcast address is FF.FF.FF.FF.FF.FF.
- Broadcasts (layer 3): These are sent to all nodes on the network. Broadcast messages are meant to reach all hosts on a broadcast domain (Network Broadcast).
- Unicast: These are sent to a single destination host.
- Multicast: These are packets sent from a single source and transmitted to many devices on different networks.
Unicast: a broadcast that goes from 255.255.255.255 to an actual destination IP address; it's directed to a specific host, like a DHCP client request.
Multicast allows point-to-multipoint communication. It works by sending messages to IP multicast group addresses; routers then forward copies out every interface that has hosts 'subscribed' to that group address, like EIGRP packets.
The range of multicast addresses starts with 224.0.0.0 and goes through 239.255.255.255. This range falls within IP Class D.
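The classful rules of 4.1 (leading bits of the first byte, the default network/host split per class, the private ranges) and the special addresses of 4.1.1.5 and section 5 (all 0s, all 1s, loopback, multicast, node bits all 0s or all 1s) fit in one classifier. The Python below is an added example, not code from the notes: `address_class` applies the leading-bit test, `is_private` checks the three private ranges, and `classify` names the role of an address, using the classful mask unless a CIDR `network` is supplied, so the same address can be a directed broadcast under one mask and an ordinary host under another. The 128.2.255.255 case is the notes' own example; the other sample addresses are constructed.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# Private ranges listed in the notes, one per class.
PRIVATE_RANGES = {
    "A": IPv4Network("10.0.0.0/8"),       # 10.0.0.0 - 10.255.255.255
    "B": IPv4Network("172.16.0.0/12"),    # 172.16.0.0 - 172.31.255.255
    "C": IPv4Network("192.168.0.0/16"),   # 192.168.0.0 - 192.168.255.255
}
# Default network/host split: N.H.H.H, N.N.H.H, N.N.N.H
DEFAULT_PREFIX = {"A": 8, "B": 16, "C": 24}
MULTICAST = IPv4Network("224.0.0.0/4")    # 224.0.0.0 - 239.255.255.255
LOOPBACK = IPv4Network("127.0.0.0/8")


def address_class(ip: str) -> str:
    """Classful rule: the leading bits of the first byte decide the class."""
    first = int(IPv4Address(ip)) >> 24
    if first & 0b10000000 == 0:
        return "A"                        # 0xxxxxxx: 0-127
    if first & 0b11000000 == 0b10000000:
        return "B"                        # 10xxxxxx: 128-191
    if first & 0b11100000 == 0b11000000:
        return "C"                        # 110xxxxx: 192-223
    if first & 0b11110000 == 0b11100000:
        return "D"                        # 1110xxxx: 224-239
    return "E"                            # 1111xxxx: 240-255


def is_private(ip: str) -> bool:
    cls = address_class(ip)
    return cls in PRIVATE_RANGES and IPv4Address(ip) in PRIVATE_RANGES[cls]


def classful_network(ip: str) -> IPv4Network:
    cls = address_class(ip)
    if cls not in DEFAULT_PREFIX:
        raise ValueError("class %s addresses have no network/host split" % cls)
    return IPv4Network("%s/%d" % (ip, DEFAULT_PREFIX[cls]), strict=False)


def classify(ip: str, network: Optional[str] = None) -> str:
    """Name the role of an address; a CIDR `network` overrides the classful mask."""
    a = IPv4Address(ip)
    if a == IPv4Address("0.0.0.0"):
        return "all zeros: default route / this network"
    if a == IPv4Address("255.255.255.255"):
        return "all ones: broadcast to all nodes on the current network"
    if a in LOOPBACK:
        return "loopback (127.x.x.x)"
    if a in MULTICAST:
        return "multicast (Class D)"
    cls = address_class(ip)
    if cls == "E":
        return "reserved for research (Class E)"
    net = IPv4Network(network, strict=False) if network else classful_network(ip)
    if a not in net:
        raise ValueError("%s is not inside %s" % (ip, net))
    if a == net.network_address:
        return "network address of %s (node bits all 0s)" % net
    if a == net.broadcast_address:
        return "directed broadcast for %s (node bits all 1s)" % net
    private = ", private" if is_private(ip) else ""
    return "unicast host in %s (Class %s%s)" % (net, cls, private)


if __name__ == "__main__":
    for sample in ("128.2.255.255", "10.1.2.3", "172.32.0.1", "224.0.0.10", "127.0.0.1"):
        print(sample, "->", classify(sample))
    print("192.0.2.127 ->", classify("192.0.2.127"), "|", classify("192.0.2.127", "192.0.2.0/25"))
```

The last line shows why the subnet mask matters when deciding whether something is a broadcast: 192.0.2.127 is a plain host in the classful /24 but the directed broadcast of 192.0.2.0/25.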