I am learning how the IP and TCP headers work. The following is my question:
Can a source address and destination address in an IP header be the same? or doesnt it make any sense?
Similarly, can a source and destination port be the same within a TCP header?
I tried searching google but I didnt find anything specific to my question, but rather how the protocols work.
Sure, source and destination IP address can be the same. That simply represents a connection between client and server (or 2 peers) on the same host.
Source and destination port can also be the same. If that happens, it would usually happen by coincidence.
But source and destination IP address being the same and source and destination port being the same? That doesn't make sense. That would represent a TCP connection connected to itself. Even if you wanted to do it (a kind of loopback connection), the protocol wouldn't be able to distinguish packets in one direction from packets in the other direction.
Related
I'm new to the networking world and I'm using Wireshark to learn stuffs about the network.
I was hanging around in Wireshark while I was using my VPN for circumventing the internet filter (living in a dictatorship country).
While I was using the VPN I see packets that their source or destination IP was neither my IP nor VPN server IP.
I considered two things about my problem:
1- I know my VPN uses its VPN server to send my whole packets to that server then forward them to my deserved destination, then take the response and send it to my client (is that correct?).
2- In Wireshark, I just can see the packets that their either source or destination address is my IP address.
My packets before using VPN:
As you can see, their either source or destination IP is my IP (192.168.1.101).
After using VPN, VPN:
Wireshark:
I tried filtering packets with my IP like this ip.addr == 192.168.1.101 to see only the packets that their either source or destination IP was my private IP, and guess what? nothing was changed. Why did this happen? Wasn't that supposed to filter my packets?
I also checked those packets' MAC and compared them with my MAC, and they were identical.
So my main question is why these kinds of wandering packets were showed by Wireshark? Is my VPN client insecure and trying to sending my data to other places? Or I'm wrong about how my VPN works?
Also, I appreciate it If somebody tells me more explanation about how my VPN or Wireshark works so that I have these types of packets in my Wireshark.
First of all your considerations, point no.1 is right, that's how a typical VPN works and point no.2 is wrong.
Wireshark can capture any packet (any source IP or destination IP) flowing in and out of a network adapter technically known as NIC card. NIC cards are the way through which you can connect to a network (Internet). A quick brief of NIC over here
A typical VPN client software would form a virtual NIC to encrypt and send your traffic through it. A quick brief of VPNs over here
So, to see the required traffic in Wireshark, you must capture traffic from an appropriate interface (NIC card). The answer over here might be helpful.
From what I've read, TCP sits on the layer between the application and IP, and handles setting up the packets, checking for errors, ordering etc so the application itself doesn't have to do it.
However, when I looked at the TCP header I became confused. From the way I understand it, some data is handed to TCP from the application, and is given a destination address to which to send the data. The TCP layer packages it up, and sends it on to the IP layer, who in turn hands it off, all the way on down to the physical layer.
But looking at the TCP header on Wikipedia, there is no mention of a destination address! There is only a destination port number which I am pretty sure is not an address.
So my question is, how does TCP get the addresses? And/or, how does IP get the address if TCP isn't passing them to it?
It's the Application that's running on top of Transport Layer that chooses everything.
If the Application is designed with reliability in mind, it chooses the connection oriented protocol like TCP.
The same applications tells TCP what the Source and Destination port should be, TCP alone cannot decide this.
Example: If you're accessing a website, your Application would be the browser, since accessing websites normally happens over HTTP/HTTPS and HTTP/HTTPS is designed to be reliable, it chooses TCP. Port 80(HTTP) or 443(HTTPS) are the standard ports used for accessing websites, so either of these ports are used in the Destination Port field while the Source Port can be any random higher number port.
This combination is used to identify something called Transport Layer VC(Virtual Circuit).
Coming to IP, the same application tells what the Destination IP address is, while the Source IP is the machine from where you are running the browser.
IP in Network Layer and TCP in Transport Layer cannot choose anything, it's the Application that tells them what to choose, considering they are the chosen ones.
I recently found that packets are encapsulated within ethernet frames. Packets use IP addresses, frames use MAC addresses.
Why aren't IP addresses used in ethernet frames for routing? I understand that when trying to access a basic website, the computer goes to a DNS to find the IP address relevant to the user-entered domain name. How do computers find the correct MAC address?
Really, how are MAC addresses used in routing internet traffic?
Thanks
IP packets aren't always encapsulated in Ethernet frames. There are other physical media such as ISDN, etc. When packets are routed, IP addresses are used to determine the next hop and the physical address is used to physically identify the interface serving as the next hop. Only the former (determining next-hop) is usually called routing.
To answer your second part, MAC addresses are discovered through ARP (Address Resolution Protocol) in IPv4 & ND6 (Neighbor Discovery) in IPv6.
Update:
The destination IP address in the IP header is the final destination. In the process of routing (at each hop), you get the next hop's IP address to (eventually) reach the final destination from the routing table (this could be a default gateway's IP address). To send the packet to the next hop, you need its MAC address. While hopping through intermediate links, the IP address in the IP header don't change - only the MAC addresses change.
Bit late but still here is my answer :) ...
To send data you need two address, the MAC address and the IP address.
Basically the sending host will ARP for a MAC address, this occurs when the local host doesn't know the MAC address of the host it has an IP address for or it will ARP for the default gateway MAC address (if it doesn't already know it) if the IP address in on a different subnet/ network. Once it obtains a MAC address the IP packet is encapsulated in a L2 frame and sent across the media. If the IP packet is meant for a host on a different subnet/ network, it will be sent to the default gateway, this router will de-encapsulate the L2 frame (remove and discard it) check the IP address and will forward it. For the router to do this it needs a MAC address to send it over the media, It will look up the next hop in it's routing table, encapsulate the IP packet with the same source and destination IP address that was sent from the original host into a new L2 frame. This time the MAC address for the source address will be that of the forwarding interface of the router, and the receiving interface of the next hop will be the destination MAC address. This will continue from hop to hop until it reaches the final host, each time the MAC addresses will change, but the original IP address will remain the same.
Here's the key point -- there can be more types of packets than INTERNET traffic. You could be using IPX, which is non-routable. How do clients identify each other? By the MAC address.
Routing != Addressing, which is really where the MAC comes into play.
In order to be routed, the OSI model adds a layer to allow for path discovery to the next gateway. This layer is responsible for routing, but knows nothing about the MAC address.
As a side note, at the hardware level, MAC addresses ARE used by switches, but not for routing. From How Stuff Works:
The switch gets the first packet of data from Node A. It reads the MAC
address and saves it to the lookup table for Segment A. The switch now
knows where to find Node A anytime a packet is addressed to it. This
process is called learning.
In this way, a switch can make sure that traffic is only outputted to the correct port. This isn't accomplishing routing so much as reducing network congestion. Only broadcasts and traffic destined specifically for that MAC address should be sent out the port.
Recently I have been thinking about the same and came upon this question. Here is my answer to this question. Actually MAC address is needed for correctly sending the packet to right destination. This is specially true when packet is needed to sent over a VLAN. There can be multiple switches/routes connected on that VLAN over multiple physical interfaces. However IP Routing is unaware of these physical interface. It only knows about the logical connectivity. For example, route 10.10.10.0/24 is reachable via VE/VIF0.10(logical VLAN interface) and/or nexthop neighbor is 20.20.20.1. There could be multiple interfaces under VLAN 10. Then to which interface packet is sent out? This is where ARP comes in the picture. ARP helps to discover the MAC address associated with the next-hop IP address. When switch/router learns the nexthop MAC. along with that it learns the physical interface also via which that MAC is reachable. Hence while routing packet, firstly MAC corresponding to the destination IP is searched and then the physical interface associated with that MAC is searched. Finally packet is sent out via that physical interface. The MAC corresponding to that destination IP is used as destination MAC. In absence of this, routed packets will always be flooded in the outgoing VLAN.
Hope this helps.
Thanks.
Answer: MAC addresses are not used in the process of routing of a packet.
segment -> transport layer (TCP ports)
packets -> network layer (IP addresses)
frame -> data link layer (MAC addresses)
bits -> physical layer (electric/optical signals)
Create your own packet/segment visit http://wirefloss.com/wireit/
There are 2 models (TCP/IP and ISO/OSI)
In detail:
Your app has some data. This is encapsulated by mentioned layers. Encapsulation means that a header with fields is added at each layer. If your data never leave the local network the MAC address will be the same. Once your data needs to be delivered outside your network the frame header is stripped by router and is replaced by router fields.
UPDATE 2021: Some people seems never heard of ISO OSI model and put this answer as incorrect.
When sending data using UDP, a destination port is needed to be specified.
If sending by TCP, a source port should also be specified.
Are there different ports for input and output? E.g., if I specify port 1234, can I use it for both input and output or should I use different ports for output and input?
EDIT:
To clarify my question:
- I send data from port X.
- Someone sends data to me to port X.
Are those two different ports or is the same one used?
When sending data using UDP, a
destination port is needed to be
specified.
Correct.
If sending by TCP, a source port
should also be specified.
Incorrect. The system will allocate one for you automatically if not specified. This is the normal usage.
Are there different ports for input and output?
No. The local port you are bound to is used for both.
And all this applies to both UDP and TCP.
The source port is a port that exists only on the computer that is initiating the connection, whereas the destination port exists only on the computer that is receiving it (though both are visible to both endpoints). Both TCP and UDP have both source and destination ports. Usually the source port is selected automatically by the socket library from the unused ports on the computer. There are very few good reasons for selecting a specific source port, and it will often be changed by the Internet gateway (router) as a part of the Network Address Translation (NAT) process.
Edit: To clarify, both the source and destination ports are used for both input and output. Which port is on your computer depends on which end of the TCP connection you are on. If you are on the receiving end, then the destination port is on your computer. When you are looking at the connection from your perspective, it will be the source port, and will be used for both input and output. The same principle applies to UDP as well, except that there are no "connections" per se, merely an exchange of raw data between ports.
TCP needs both a source and a destination port because it forms a connection between the two clients, whereas UDP is connectionless; You simply send data to a destination port and it either arrives or not.
So with TCP, you open a "channel" between two computers. You send data through it and possibly receive some back.
With UDP, if you want to receive data, then yes you need a "separate" port that listens for incoming data.
I'm looking for some Linux code to find an IP address from an Ethernet address. I suppose I have to do some inverse ARP trickery but I don't find any example...
http://compnetworking.about.com/od/networkprotocolsip/f/convertipmacadd.htm
Try sending an IP broadcast (e.g. ping 192.168.1.255 if your subnet is 192.168.1.0/24) to prime your ARP cache, followed by arp -a to spit it all out.
For computers that you have communicated with, you can look at their arp entry. This is available in text format in /proc/net/arp for example. Finding an IP address for a MAC that you know but haven't communicated with is significantly more difficult. The closest match, protocol-wise, would be RARP but that's hardly ever in use so your are not likely to get a response.
You can always scan your local subnet to make sure you get a full view in your arp table. See for example fping for an efficient way to do this. Note that hosts don't actually need to respond to the pings in question to appear in the ARP table, so this is useful even in the presence of local firewalls etc.
Take a look at Thomas Habet's Arping. I've not tried it, but the basic idea is to send an ICMP Ping network packet to the MAC address in question using a broadcast destination IP address in the IP header. Only the host with the specified MAC address will reply and the reply will (usually) contain its IP address. It won't always work but it might be good enough for you. See the project readme for limitations.