Вы находитесь на странице: 1из 20


What is Ethernet?
Ethernet is the most widely used local area network (LAN) technology. The original and most popular version of Ethernet supports a data transmission rate of 10 Mb/s. Newer versions of Ethernet called "Fast Ethernet" and "Gigabit Ethernet" support data rates of 100 Mb/s and 1 Gb/s (1000 Mb/s). An Ethernet LAN may use coaxial cable, special grades of twisted pair wiring, or fiber optic cable. "Bus" and "Star" wiring configurations are supported. Ethernet devices compete for access to the network using a protocol called Carrier Sense Multiple Access with Collision Detection (CSMA/CD).

The History of Ethernet

The first experimental Ethernet system was developed in the early 1970s by Bob Metcalfe and David Boggs of the Xerox Palo Alto Research Center (PARC). It interconnected Xerox Alto computers and laser printers at a data transmission rate of 2.94 Mb/s. This data rate was chosen because it was derived from the system clock of the Alto computer. In July 1976, Metcalfe and Boggs published their landmark paper entitled "Ethernet: Distributed Packet Switching for Local Computer Networks" in the Communications of the Association for Computing Machinery (ACM). US Patent number 4,063,220, "Multipoint data communications system with collision detection", was issued to Xerox Corporation on December 13, 1977. In 1979, Digital Equipment Corporation (DEC), Intel, and Xerox joined for the purpose of standardizing an Ethernet system that any company could use. In September 1980 the three companies released Version 1.0 of the first Ethernet specification called the "Ethernet Blue Book", or "DIX standard" (after the initials of the three companies). It defined the "thick" Ethernet system (10Base5), based on a 10 Mb/s CSMA/CD (Carrier Sense Multiple Access with Collision Detection) protocol. It is known as "thick" Ethernet because of the thick coaxial cable used to connect devices on the network. The first Ethernet controller boards based on the DIX standard became available about 1982. The second and final version of the DIX standard, Version 2.0, was released in November 1982. In 1983, the Institute of Electrical and Electronic Engineers (IEEE) released the first IEEE standard for Ethernet technology. It was developed by the 802.3 Working Group of the IEEE 802 Committee. The formal title of the standard was IEEE 802.3 Carrier Sense Multiple Access with Collision Detection (CSMA/CD) Access Method and Physical Layer Specifications. IEEE reworked some portions of the DIX standard, especially in the area of the frame format definition. However the 802.3 standard was defined in a manner that permitted hardware based on the two standards to interoperate on the same Ethernet LAN. In 1985, IEEE 802.3a defined a second version of Ethernet called "thin" Ethernet, "cheapernet", or 10Base2. It used a thinner, cheaper coaxial cable that simplified the cabling of the network. Although both the thick and thin systems provided a network

with excellent performance, they utilized a bus topology which made implementing changes in the network difficult, and also left much to be desired in regard to reliability. Also released in 1985 was the IEEE 802.3b 10Broad36 standard that defined transmission of 10 Mb/s Ethernet over a "broadband" cable system. In 1987, two standards were released. The IEEE 802.3d standard defined the Fiber Optic Inter-Repeater Link (FOIRL) that used two fiber optic cables to extend the maximum distance between 10 Mb/s Ethernet repeaters to 1000 meters. IEEE 802.3e defined a "1 Mb/s" Ethernet standard based on twisted pair wiring. This 1 Mb/s standard was never widely used. In 1990, a major advance in Ethernet standards came with introduction of the IEEE 802.3i 10Base-T standard. It permitted 10 Mb/s Ethernet to operate over simple Category 3 Unshielded Twisted Pair (UTP) cable. The widespread use of UTP cabling in existing buildings created a high demand for 10Base-T technology. 10Base-T also permitted the network to be wired in a "star" topology that made it much easier to install, manage, and troubleshoot. These advantages led to a vast expansion in the use of Ethernet. In 1993, the IEEE 802.3j standard for 10Base-F (FP, FB, & FL) was released which permitted attachment over longer distances (2000 meters) via two fiber optic cables. This standard updated and expanded the earlier FOIRL standard. In 1995, IEEE improved the performance of Ethernet technology by a factor of 10 when it released the 100 Mb/s 802.3u 100Base-T standard. This version of Ethernet is commonly known as "Fast Ethernet". Three media types were supported: 1) 100Base-TX operates over two pair of category 5 twisted pair cable, 2) 100Base-T4 operates over four pair of category 3 twisted pair cable, and 3) 100Base-FX operates over two multimode fibers. In 1997, the IEEE 802.3x standard became available which defined "full-duplex" Ethernet operation. Full-Duplex Ethernet bypasses the normal CSMA/CD protocol to allow two stations to communicate over a point to point link. It effectively doubles the transfer rate by allowing each station to concurrently transmit and receive separate data streams. For example, a 10 Mb/s full-duplex Ethernet station can transmit one 10 Mb/s stream at the same time it receives a separate 10 Mb/s stream. This provides an overall data transfer rate of 20 Mb/s. The full-duplex protocol extends to 100 Mb/s Ethernet and beyond. Also released in 1997 was the IEEE 802.3y 100Base-T2 standard for 100 Mb/s operation over two pairs of Category 3 balanced cabling. In 1998, IEEE once again improved the performance of Ethernet technology by a factor of 10 when it released the 1 Gb/s 802.3z 1000Base-X standard. This version of Ethernet is commonly known as "Gigabit Ethernet". Three media types are supported: 1) 1000Base-SX operates with a 850nm laser over multi-mode fiber, 2) 1000Base-LX operates with a 1300nm laser over single and multi-mode fiber, and 3) 1000Base-CX operates over short haul copper "twinax" shielded twisted pair (STP) cable. Also released in 1998 was the IEEE 802.3ac standard that defines extensions to support Virtual LAN (VLAN) tagging on Ethernet networks.

In 1999, the release of the 802.3ab 1000Base-T standard defined 1 Gb/s operation over four pairs of category 5 UTP cabling.

Ethernet Standards
The current IEEE 802.3 standards may be ordered from the following web address: http://standards.ieee.org/catalog/IEEE802.3.html. (As of July 2001, IEEE began a trial program which grants free access to the IEEE 802 standards through the following web address: http://standards.ieee.org/getieee802/.) The following standard was available as of July 2001: IEEE Std 802.3-2000: This document is 1562 pages long and consolidates all approved 802.3 standards as of its release in 2000. Recently approved standards that were incorporated into this document include IEEE Std 802.3ab-1999 (1000Base-T), IEEE Std 802.3ac-1998 (VLAN tagging), and IEEE Std 802.3ad-2000 (Link Aggregation). In January 2000, IEEE formed an 802.3ae working group to develop 10 Gb/s Ethernet. Refer to the 802.3ae web page for information on this activity.

Ethernet Frame Format

A frame is "the unit of transmission in a link layer protocol, and consists of a link-layer header followed by a packet." A data packet on the wire is called a frame and consists of just a long string of binary 0's and 1's. A frame viewed on the actual physical wire would show Preamble and Start Frame Delimiter, in addition to the other data. These are required by all physical hardware. However, these bits are stripped away at OSI Layer 1 by the Ethernet adapter before being passed on to the OSI Layer 2.

A physical ethernet packet will look like this: Preamble Destination MAC address 6 bytes Source MAC address Type/Length/Size


8 byes

6 bytes

2 bytes



Preamble - A sequences of 56 bits having alternating 1 and 0 values that are used for synchronization. They serve to give components in the network time to detect the presence of a signal, and being reading the signal before the frame data arrives. A preamble will have 1- byte start frame delimiter also that indicates a sequence of 8 bits having the bit configuration 10101011 that indicates the start of the frame. Destination MAC address & Source MAC address - The Destination MAC Address field identifies the station or stations that are to receive the frame. The Source MAC Address identifies the station that originated the frame. The 802.3 standard permits these address fields to be either 2-bytes or 6-bytes in length, but virtually all Ethernet implementations in existence today use 6-byte addresses. A Destination Address may specify either an "individual address" destined for a single station, or a "multicast address" destined for a group of stations. A Destination Address of all 1 bits refers to all stations on the LAN and is called a "broadcast address". Type - is a two-octet field in an Ethernet frame. It is used to indicate which protocol is encapsulated in the payload of an Ethernet Frame. Payload - This field contains the data transferred from the source station to the destination station or stations. The maximum size of this field is 1500 bytes. If the size of this field is less than 46 bytes, then use of the subsequent "Pad" field is necessary to bring the frame size up to the minimum length. CRC - This field contains a 4-byte cyclical redundancy check (CRC) value used for error checking. When a source station assembles a MAC frame, it performs a CRC calculation on all the bits in the frame from the Destination MAC Address through the payload fields (that is, all fields except the preamble, and crc). The source station stores the value in this field and transmits it as part of the frame. When the frame is received by the destination station, it performs an identical check. If the calculated value does not match the value in this field, the destination station assumes an error has occurred during transmission and discards the frame.

* Minimum packet length/size is 64 bytes & it breaks down like this: Destination address Source address Ethernet type or size Payload or user data CRC 6 bytes - 6 bytes - 2 bytes - 46 bytes - 4 bytes _________ = 64 bytes -


NOTE : Lot of people subtract CRC & tell minimum packet size as 60 bytes also. * Maximum packet length/size is 1518 bytes & it breaks down like this:

Destination address Source address Ethernet type or size Payload or user data CRC

6 bytes 6 bytes 2 bytes - 1500 bytes 4 bytes ___________ = 1518 bytes


NOTE : Lot of people subtract CRC & tell maximum packet size as 1514 bytes also. NOTE : The original Ethernet standards defined the minimum frame size as 64-bytes and the maximum as 1518-bytes. These numbers include all bytes from the Destination MAC Address field through the CRC field. The Preamble field is not included when quoting the size of a frame. The IEEE 802.3ac standard released in 1998 extended the maximum allowable frame size to 1522-bytes to allow a "VLAN tag" to be inserted into the Ethernet frame format.

Ethernet Frame Format Extensions 1. VLAN Tagging

In 1998, the IEEE approved the 802.3ac standard that defines frame format extensions to support Virtual Local Area Network (VLAN) Tagging on Ethernet networks. The VLAN protocol permits insertion of an identifier, or "tag", into the Ethernet frame format to identify the VLAN to which the frame belongs. It allows frames from stations to be assigned to logical groups. This provides various benefits such as easing network administration, allowing formation of work groups, enhancing network security, and providing a means of limiting broadcast domains, Refer to IEEE standard 802.1Q for definition of the VLAN protocol. The 802.3ac standard defines only the implementation details of the VLAN protocol that are specific to Ethernet. If present, the 4-byte VLAN tag is inserted into the Ethernet frame between the Source MAC Address field and the Length/Type field. The first 2-bytes of the VLAN tag consist of the "802.1Q Tag Type" and are always set to a value of 0x8100. The 0x8100 value is actually a reserved Length/Type field assignment that indicates the presence of the VLAN tag, and signals that the traditional Length/Type field can be found at an offset of 4-bytes further into the frame. The last 2-bytes of the VLAN tag contain the following information The first 3-bits are a User Priority Field that may be used to assign a priority level to the Ethernet frame. The next 1-bit is a Canonical Format Indicator (CFI) used in Ethernet frames to indicate the presence of a Routing Information Field (RIF). The last 12-bits are the VLAN Identifier (VID) which uniquely identifies the VLAN to which the Ethernet frame belongs.

With the addition VLAN tagging, the 802.3ac standard permitted the maximum length of an Ethernet frame to be extended from 1518-bytes to 1522-bytes. The following illustrates the format of an Ethernet frame that has been "tagged" with a VLAN identifier per the IEEE 802.3ac standard:

Length/ Start Dest. Source Type = Tag Control Length / Preamble Frame MAC MAC 802.1Q MAC Client Dat Information Type (7-bytes) Delimiter Address Address Tag (0-n bytes) (2-bytes) (2-bytes) (1-byte) (6-bytes) (6-bytes) Type (2-byte)

2. Extension Field
With introduction of the 802.3z standard for Gigabit Ethernet in 1998, an extension field was added to the end of the Ethernet frame to ensure it would be long enough for collisions to propagate to all stations in the network. The extension field is appended as needed to bring the minimum length of the transmission up to 512 bytes (as measured from the Destination Address field through the extension field). It is required only in half-duplex mode, as the collision protocol is not used in full-duplex mode. Non data bits, referred to as "extension bits", are transmitted in the extension field so the carrier is extended for the minimum required time. The following illustrates a frame with an extension field appended:

Preamble (7-bytes)

Start Dest. Source Length / Frame MAC MAC MAC Client Data Type Delimiter Address Address (0-n bytes) (2-bytes) (1-byte) (6-bytes) (6-bytes)

Frame Pad Check (0-p E Sequence bytes) (4-bytes)

Interframe Gap
Ethernet devices must allow a minimum idle period between transmission of frames known as the interframe gap (IFG) or interpacket gap (IPG). It provides a brief recovery time between frames to allow devices to prepare for reception of the next frame. The minimum interframe gap is 96 bit times, which is 9.6 microseconds for 10 Mb/s Ethernet, 960 nanoseconds for 100 Mb/s Ethernet, and 96 nanoseconds for 1 Gb/s Ethernet.

Frame Bursting
With introduction of the 802.3z standard for Gigabit Ethernet in 1998, a burst mode of operation was added that optionally allows a station to transmit a series of frames without relinquishing control of the transmission medium. Burst mode may be used only with Gigabit and higher Ethernet speeds and applies to half-duplex mode only. It improves the performance of Gigabit Ethernet when transmitting short frames.

After successfully transmitting one frame, a station operating in burst mode may continue to initiate transmission of additional frames until it reaches a "burst limit" of 65,536 bit times (8192 byte times). An interframe gap period is inserted between each frame in the burst. But instead of allowing the medium to go idle between frames, the transmitting station fills the interframe gaps with extension bits. Extension bits are "non data" symbols that maintain an active carrier, and are readily distinguished from data bits by receiving stations, The first frame of a burst is transmitted as normal and includes an "extension field" as required. Subsequent frames in the burst do not require an extension field. If a collision occurs, only the first frame in the burst will be affected and require retransmission. The following illustrates an example of frame bursting:

MAC Frame w/ Extension |----------------|-----------------

Interframe MAC Interframe MAC ... Gap Frame Gap Frame Burst Limit ------------------| Duration of Carrier Event ------------------|

IP Address
An Internet Protocol (IP) address is a numerical label that is assigned to devices participating in a computer network that uses the Internet Protocol for communication between its nodes. An IP address serves two principal functions: host or network interface identification and location addressing. The Internet Protocol routes data packets between networks. Data from an upper layer protocol is encapsulated as packets/datagrams (the terms are basically synonymous in IP). Because of the abstraction provided by encapsulation, IP can be used over a heterogeneous network, i.e., a network connecting computers may consist of a combination of Ethernet, ATM, FDDI, Wi-Fi, token ring, or others. Each link layer implementation may have its own method of addressing (or possibly the complete lack of it), with a corresponding need to resolve IP addresses to data link addresses. Although IP addresses are stored as binary numbers, they are usually displayed in human-readable notations, such as (for IPv4), and 2001:db8:0:1234:0:567:1:1 (for IPv6).

MAC Address
Media Access Control address (MAC address) is a unique identifier assigned to most network adapters or network interface cards (NICs) by the manufacturer for identification, and used in the Media Access Control protocol sub-layer. If assigned by the manufacturer, a MAC address usually encodes the manufacturer's registered identification number. It may also be known as an Ethernet Hardware Address (EHA), hardware address, adapter address, or physical address.

There are three numbering spaces, managed by the Institute of Electrical and Electronics Engineers (IEEE), which are in common use for formulating a MAC address: MAC-48, EUI-48, and EUI-64. The IEEE claims trademarks on the names "EUI-48" and "EUI-64", where "EUI" stands for Extended Unique Identifier. mac address format The standard (IEEE 802) format for printing MAC-48 addresses in human-friendly form is six groups of two hexadecimal digits, separated by hyphens (-) or colons (:), in transmission order, e.g. 01-23-45-67-89-ab, 01:23:45:67:89:ab. Same for EUI-64. This 48-bit address space contains potentially 2 raised to 48 possible MAC addresses. A universally administered address is uniquely assigned to a device by its manufacturer; these are sometimes called "burned-in addresses" (BIA). The first three octets (in transmission order) identify the organization that issued the identifier and are known as the Organizationally Unique Identifier (OUI).[2] The following three (MAC-48 and EUI-48) or five (EUI-64) octets are assigned by that organization in nearly any manner they please, subject to the constraint of uniqueness. A locally administered address is assigned to a device by a network administrator, overriding the burned-in address. Locally administered addresses do not contain OUIs. Universally administered and locally administered addresses are distinguished by setting the second least significant bit of the most significant byte of the address. If the bit is 0, the address is universally administered. If it is 1, the address is locally administered. If the least significant bit of the most significant byte is set to a 0, the packet is meant to reach only one receiving NIC. This is called unicast. If the least significant bit of the most significant byte is set to a 1, the packet is meant to be sent only once but still reach several NICs. This is called multicast. Ethernet uses MAC-48 format. Usually most of the ethernet card will have some kind of in built memory (srom, eprom, eeprom etc) to store its MAC address & other useful info like device version no, release no etc, for example both RTL8139 & davicom dm9102A have EEPROM to store the MAC address. So the driver/firmware has to read the EEPROM to get the MAC address of the device & also MAC address from EEPROM will be autoloaded into the device register once the power is applied to the card, hence driver is not required to udpate/write the MAC address into device register explicitely. But there are some card like TI davinci EMAC has no EEPROM or any memory assosiated with it, to store the MAC address & hence driver has to get the MAC address from the vendor (usualy in such case the MAC address will be written on the board or the ethernet card) & it should also update/write the MAC address into device register, else the card may not work.

Different modes of Ethernet

Network interface cards are usually programmed to listen for three types of messages*. They are messages sent to their specific address, messages broadcast to all NICs, and

messages that qualify as a multicast for the specific card. There are three types of addressing: Unicast - A transmission to a single interface card. Multicast - A transmission to a group of interface cards on the network. Broadcast - A transmission to all interface cards on the network. RFC 919 and 922 describe IP broadcast datagrams. Limited Broadcast - Sent to all NICs on the some network segment as the source NIC. It is represented with the TCP/IP address. This broadcast is not forwarded by routers so will only appear on one network segment. Direct broadcast - Sent to all hosts on a network. Routers may be configured to forward directed broadcasts on large networks. For network, the broadcast is All other messages are filtered out by the NIC software unless the card is programmed to operate in promiscuous mode. Promiscuous mode - In an Ethernet local area network (LAN), promiscuous mode is a mode of operation in which every data packet transmitted can be received and read by a network adapter irrespective of whether the packet is addressed to that NIC. Promiscuous mode must be supported by each network adapter as well as by the input/ output driver in the host operating system. Promiscuous mode is often used to monitor network activity (like running tcpdump command). Note: For a single NIC, the unicast, broadcast and multicast addresses are different. * The "listening" happens at the Data Link Layer (by some daemon and the OS ) and hence, only the MAC address is available at this point, not the IP address.

Autonegotiation is an Ethernet procedure by which two connected devices choose common transmission parameters, such as speed and duplex mode. Every device declares its technology abilities, that is, its possible modes of operation. The two devices then choose the best possible mode of operation that are shared by the two devices, where higher speed (100 Mbits/s) is preferred over lower speed (10 Mbits/s), and full duplex is preferred over half duplex at the same speed. Parallel detection is used when a device that is capable of autonegotiation is connected to one that is not. This happens if the other device does not support autonegotiation or autonegotiation is disabled via software. In this condition, the device that is capable of autonegotiation can determine the speed of the other device, and then choose the same speed for itself. This procedure cannot determine the presence of full duplex, so half duplex is always assumed. The standards for 1000BASE-T (4-pair Cat5) and 1000BASE-TX (2-pair Cat6) require autonegotiation to be always present and enabled.

Understanding the TCP-IP protocol in brief

Consider a browsing application, the client wants to access google.com. It will send the request along with the domain name to the TCP/IP layer. Here, the TCP header containing source and destination port numbers will be added to the data and sent to the IP layer. The IP layer encapsulates the packet received from the TCP layer in another packet by appending the source and destination* IP address in another header. The IP data packet is placed inside an ethernet data packet. This data packet includes the source address of the network interface card (NIC) of the client machine or its MAC address. At this point, the destination MAC address is not known. The ethernet packet is transmitted over the network line. Across the internet, at the server's end, a router receives the packet and forwards it to the appropriate server (in our case, http) after resolving the MAC address (by ARP). The packet travels from data-link to application layer, the data being extracted at the last layer. Appropriate service is rendered by sending the requested web page in the form of data which again travels through TCP, IP, MAC layers, in that order. This time, the previous source addresses at each layer become the destination. Finally, the client receives the required data. * - the resolution of IP address from the domain name is performed by the client's named server.

Address Resolution Protocol (ARP)

Address Resolution Protocol (ARP) is a required TCP/IP standard defined in RFC 826, "Address Resolution Protocol (ARP)." ARP resolves IP addresses used by TCP/IP-based software to media access control addresses used by LAN hardware. ARP provides the following protocol services to hosts located on the same physical network:

Media access control addresses are obtained by using a network broadcast

request in the form of the question "What is the media access control address for a device that is configured with the enclosed IP address?"

When an ARP request is answered, both the sender of the ARP reply and the
original ARP requester record each other's IP address and media access control address as an entry in a local table called the ARP cache for future reference. Hardware addressing Hardware built for use on LANs must contain a unique address programmed into the device by the manufacturer. For Ethernet and Token Ring LAN hardware, this address is known as a media access control address. Each media access control address identifies the device within its own physical network with a 6-byte number programmed into read-only memory (ROM) on each physical hardware device, such as a network adapter. Media access control addresses are typically displayed in hexadecimal (for example, 00-AA-00-3F-89-4A). Authority and registration of media access control addresses are overseen by the Institute of Electrical and Electronics Engineers (IEEE). Currently, the IEEE registers and assigns unique numbers for the first three bytes of the media access control address to individual manufacturers. Each manufacturer can then assign the last three bytes of the media access control address to individual network adapters. How ARP resolves media access control addresses for local traffic The following illustration shows how ARP resolves IP addresses to hardware addresses for hosts on the same local network.

In this example, two TCP/IP hosts, Hosts A and B, are both located on the same physical network. Host A is assigned the IP address of and Host B is assigned the IP address of When Host A tries to communicate with Host B, the following steps resolve Host B's software-assigned address ( to Host B's hardware-assigned media access control address:

1. Based on the contents of the routing table on Host A, IP determines that the
forwarding IP address to be used to reach Host B is Host A then checks its own local ARP cache for a matching hardware address for Host B.

2. If Host A finds no mapping in the cache, it broadcasts an ARP request frame to

all hosts on the local network with the question "What is the hardware address for" Both hardware and software addresses for the source, Host A, are included in the ARP request. Each host on the local network receives the ARP request and checks for a match to its own IP address. If a host does not find a match, it discards the ARP request.

3. Host B determines that the IP address in the ARP request matches its own IP
address and adds a hardware/software address mapping for Host A to its local ARP cache.

4. Host B sends an ARP reply message containing its hardware address directly
back to Host A.

5. When Host A receives the ARP reply message from Host B, it updates its ARP
cache with a hardware/software address mapping for Host B. Once the media access control address for Host B has been determined, Host A can send IP traffic to Host B by addressing it to Host B's media access control address. How ARP resolves media access control addresses for remote traffic ARP is also used to forward IP datagrams to local routers for destinations that are not on the local network. In this situation, ARP resolves the media access control address of a router interface on the local network. The following illustration shows how ARP resolves IP addresses to hardware addresses for two hosts on different physical networks connected by a common router.

In this example, Host A is assigned an IP address of and Host B uses an IP address of Router interface 1 is on the same physical network as Host A and uses the IP address Router interface 2 is on the same physical network as Host B and uses the IP address When Host A tries to communicate with Host B, the following steps resolve Router interface 1's software-assigned address ( to its hardware-assigned media access control address:

1. Based on the contents of the routing table on Host A, IP determines that the
forwarding IP address to be used to reach host B is, the IP address of its default gateway. Host A then checks its own local ARP cache for a matching hardware address for

2. If Host A finds no mapping in the cache, it broadcasts an ARP request frame to

all hosts on the local network with the question "What is the hardware address for" Both hardware and software addresses for the source, Host A, are included in the ARP request. Each host on the local network receives the ARP request and checks for a match to its own IP address. If a host does not find a match, it discards the ARP request.

3. The router determines that the IP address in the ARP request matches its own IP
address and adds a hardware/software address mapping for Host A to its local ARP cache.

4. The router then sends an ARP reply message containing its hardware address
directly back to Host A.

5. When Host A receives the ARP reply message from the router, it updates its ARP
cache with a hardware/software address mapping for Once the media access control address for Router interface 1 has been determined, Host A can send IP traffic to Router interface 1 by addressing it to the Router interface 1

media access control address. The router then forwards the traffic to Host B through the same ARP process as discussed in this section. The ARP cache To minimize the number of broadcasts, ARP maintains a cache of IP address-to-media access control address mappings for future use. The ARP cache can contain both dynamic and static entries. Dynamic entries are added and removed automatically over time. Static entries remain in the cache until the computer is restarted. Each dynamic ARP cache entry has a potential lifetime of 10 minutes. New entries added to the cache are timestamped. If an entry is not reused within 2 minutes of being added, it expires and is removed from the ARP cache. If an entry is used, it receives two more minutes of lifetime. If an entry keeps getting used, it receives an additional two minutes of lifetime up to a maximum lifetime of 10 minutes. You can view the ARP cache by using the arp command. To view the ARP cache, type arp -a at a command prompt. To view arp command-line options, type arp /? at a command prompt. Note There is a separate ARP cache for each network adapter.

Linux Commands ifconfig The "ifconfig" command allows the operating system to setup network interfaces and allow the user to view information about the configured network interfaces. Examples ifconfig eth0 View the network settings on the first Ethernet adapter installed in the computer. ifconfig -a Display info on all network interfaces on server, active or inactive. ifconfig eth0 down If eth0 exists would take it down causing it cannot send or receive any information. ifconfig eth0 up If eth0 exists and in the down state would return it back to the up state allowing to to send and receive information. ifconfig eth0 netmask broadcast Assign eth0 with the above values for IP, netmask and broadcast address. ifup Bring a network interface up Examples

ifup -a
Bring up all the interfaces defined with auto in /etc/network/interfaces ifup eth0 Bring up interface eth0

ifdown Take a network interface down Examples ifdown -a Bring down all interfaces that are currently up. Note: the 'if' in the command names stands for 'interface'. system-config-network A tool to configure the devices (wired and wireless) on your system for the network. Usage: su -c 'system-config-network' or form System menu -> Administration -> Network This displays the Network Configuration window. Next, select the various options for configuring the devices listed. To allow the device to be controlled by the Network Manager, tick the appropriate option. This saves manual activation/deactivation of the device which otherwise needs to be done by the ifup/ifdown commands on the CLI or by selecting the respective options on the system-config-network window. Once the devices are configured to be controlled by the Network Manager, they will be displayed if we click on the Network Manager icon on the launcher panel. tcpdump Dump traffic on a network. Examples tcpdump host hope In the above example tcpdump would print all packets arriving at or departing from hope. tcpdump -i eth0 Capture data on eth0 interface. No data captured if eth0 is disconnected, the command will be running always listening to data on the network. ping Sends ICMP ECHO_REQUEST* packets to network hosts. Example: ping google.com - Would ping the host google.com to see if it is alive. ping google.com -c 1 - Would ping the host google.com once and return to the command line as shown below.

PING google.com ( 56(84) bytes of data. 64 bytes from www.google.com ( icmp_seq=1 ttl=63 time=0.267 ms --- google.com ping statistics --1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.267/0.267/0.267/0.000 ms * - Internet Control Message Protocol (ICMP) defined by RFC 792 and RFC 1122 is used for network error reporting and generating messages that require attention. The ICMP message consists of an 8 bit type, an 8 bit code, an 8 bit checksum, and contents which vary depending on code and type. The below table is a list of few ICMP messages showing the type and code of the messages and their meanings. Type Codes Description Purpose 0 0 Echo reply Query 3 0 Network Unreachable Error 3 1 Host Unreachable Error 8 0 Echo request Query lsmod, rmmod, modprobe lsmod is a program which nicely formats the contents of the /proc/modules, showing what kernel modules are currently loaded. rmmod is a simple program to remove a module from the Linux Kernel modprobe - program to add and remove modules from the Linux Kernel /var/log/messages Consists log of certain commands run on the system. It is useful to check the status of network related commands like ifup, ifdown i.e., for debugging purposes. Understanding the linux ethernet driver model Understanding Network Device: Networking stack in Linux do see interfaces as network device. This is represented by a structure net_device. Some important fields of the structure:

struct net_device { char *name; unsigned long base_addr; unsigned char addr_len; unsigned char dev_addr[MAX_ADDR_LEN]; unsigned char broadcast[MAX_ADDR_LEN]; unsigned short hard_header_len; unsigned char irq; int (*open) (struct net_device *dev);

int (*stop) (struct net_device *dev); int (*hard_start_xmit) (struct sk_buff *skb, struct net_device *dev); struct net_device_stats* (*get_stats)(struct net_device *dev); void *priv; }; Description of the fields: name The name of device. If the first character of name is null, register_netdev assigns it the name ethn, where n is suitable numeric. For example if your system already has eth0 and eth1, your device will be named eth2. base_addr The I/O base address. addr_len Hardware address (MAC address) length. It is 6 bytes for Ethernet interfaces. dev_addr Hardware address (Ethernet address or MAC address) broadcast device broadcast address. It is FF:FF:FF:FF:FF:FF for Ethernet interfaces hard_header_len The hardware header length is the number of octets that lead the transmitted packet before IP header, or other protocol information. The value of hard_header_len is 14 for Ethernet interfaces. irq The assigned interrupt number. open This is a pointer to a function, which opens the device. This function is called whenever ifconfig activates the device (for example ifconfig eth0 up). The open method should register any system resources it needs (I/O ports, IRQ, DMA etc), turn on the hardware and increment module usage count. stop This is a pointer to a function, which stops the interface. This function is called whenever ifconfig deactivates the device (for example ifconfig eth0 down). The stop method releases all the resources acquired by open function. hard_start_xmit This function transfers a given packet on the wire. The first argument of the function is a pointer to structure sk_buff. Structure sk_buff is used to hold packet in Linux networking stacks. get_stats This function provides interfaces statistics. Output of command ifconfig eth0 has most of the fields from get_stats. priv Private data to the driver. Driver owns this field and can use it at will. Note: There is no member function for receiving packet. This is done by device interrupt handler. fig. basic structure

Understanding the sk_buff data structure: All network-related queues and buffers in the kernel use a common data structure, struct sk_buff. This is a large struct containing all the control information required for the packet. When a sk_buff is allocated, also its data space is allocated from kernel memory. sk_buff allocation is done with alloc_skb() or dev_alloc_skb(); drivers use dev_alloc_skb(); (free

by kfree_skb() and dev_kfree_skb()). However, sk_buff provides an additional management layer. The data space is divided into a head area and a data area. This allows kernel functions to reserve space for the header, so that the data doesn't need to be copied around. Typically, therefore, after allocating an sk_buff, header space is reserved using skb_reserve(). skb_pull(int len) removes data from the start of a buffer (skipping over an existing header) by advancing data to data+len and by decreasing len. This structure is used by several different network layers (MAC or another link protocol on the L2 layer, IP on L3, TCP or UDP on L4), and various fields of the structure change as it is passed from one layer to another. L4 appends a header before passing it to L3, which in turn puts on its own header before passing it to L2. Appending headers is more efficient than copying the data from one layer to another. One of the first things done by each protocol, as the buffer passes down through layers, is to call skb_reserve to reserve space for the protocol's header. When the buffer passes up through the network layers, each header from the old layer is no longer of interest. The L2 header, for instance, is used only by the device drivers that handle the L2 protocol, so it is of no interest to L3. Instead of removing the L2 header from the buffer, the pointer to the beginning of the payload is moved ahead to the beginning of the L3 header, which requires fewer CPU cycles. fig. Header's pointer initializations while moving from layer2 to layer3 fig. Before and after: (a)skb_put, (b)skb_push, (c)skb_pull, and (d)skb_reserve fig. Buffer that is filled in while traversing the stack from the TCP layer down to the link layer Note that the skb_reserve function does not really move anything into or within the data buffer; it simply updates the two pointers: static inline void skb_reserve(struct sk_buff *skb, unsigned int len) { skb->data+=len; skb->tail+=len; } skb_push adds one block of data to the beginning of the buffer, and skb_put adds one to the end. Like skb_reserve, these functions don't really add any data to the buffer; they simply move the pointers to its head or tail. The new data is supposed to be copied explicitly by other functions. skb_pull removes a block of data from the head of the buffer by moving the head pointer forward. Different ethernet functions:

open(): Before the interface can carry packets, the kernel must open it and
assign an address to it. The kernel opens or closes an interface in response to the ifconfig command. When ifconfig is used to assign an address to the

interface, it performs two tasks. First, it assigns the address by means of ioctl(SIOCSIFADDR) which is device independent and performed by the kernel. Next, it sets the IFF_UP bit in dev->flag by means of ioctl(SIOCSIFFLAGS), to turn the interface on, which invokes the driver's open method. Additional to acquiring the required system resources (like IRQ, DMA...), open must increment the module usage count and enable device's transmission mode. stop(): When the interface is shut down, ifconfig uses ioctl(SIOCSIFFLAGS) to clear IFF_UP, and the stop method is called. It just reverses the operations of open like release the acquired resources, decrement the usage count, disable the transmission of packets. For this reason, the function implementing stop is often called close or release. tx(): Whenever the kernel needs to transmit a data packet, it calls the hard_start_xmit method to put the data on an outgoing queue. Kernel puts the data (packet) in the form of a structure called socket buffer structure (struct sk_buff). Device driver does not modify this data and it does some sanity checks only. Then it transmits the data by calling highly hardware dependent routines of the device. Note1: The hard_start_xmit function is protected from concurrent calls by a spinlock (xmit_lock). Note2: The hardware interface (ethernet card) has limited memory for outgoing packets. When this memory is exhausted, the driver will tell the kernel (netif_stop_queue) not to start any more transmissions until the hardware is ready to accept new data. Once the driver has stopped its queue, it must arrange to restart the queue at some point in the future, when it is again able to accept packets for transmission. To do so, it should call netif_wake_queue method. Note3: If the current system time exceeds the devices trans_start time (which is set while a packet is transmitted) by atleast the timeout period, the networking layer will eventually call the drivers tx_timeout method. That methods job is to clear up the problem and to ensure the proper completion of any transmissions that were already in progress. rx(): (a) When a packet is arrived at hardware, it triggers the corresponding interrupt. The interrupt handling routine of driver is called. (b) This routine receives a pointer to the data and its length (packet), which are already available in memory. Its responsibility is to send the packet to the upper layers of networking code in the form of sk_buff. set_multicast_list(): device method called by the kernel whenever the list of valid multicast addresses associated with the device changes so that the driver can update the hardware filter according to the new information. It is also called when dev->flags is modified, because some flags (eg., IFF_PROMISC) may also require you to reprogram the hardware filter. Note1: The list of valid multicast addresses is present in dev->mc_list (of type dev_mc_list). Note2: If multicast routing is enabled, the n/wing software sets IFF_ALLMULTI flag in dev_flags to tell the driver to retrieve all the multicast packets from the n/w. If the flag is set, dev->mc_list shouldn't be used to filter multicast packets.

Note3: Unless the driver sets IFF_MULTICAST flag in dev->flags, the interface won't be asked to handle multicast packets. Understanding the basic of pci-mapped devices See here.