Large ethernet frames (beyond jumbo)? - tcp

I am analyzing a log I captured with Wireshark and I was surprised to find that one of the applications we use in-house that only talks to another host (both connected to a private, internal hub) sends/receives huge frames (on the order of 15K). I thought the max was 9K for jumbo frames. How can one generate these frames? The app uses tcp.

The app uses tcp.
...and the Ethernet adapter might be doing Large Segment Offload or Large Receive Offload, in which case the packets that the capture mechanism used by libpcap/WinPcap (which tcpdump/WinDump, Wireshark, etc. use to capture traffic) provides to the library and application might be "fake" packets corresponding to more than one packet "on the wire".
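To check a capture for the effect the answer describes, here is an added example (not code from the thread) that reads a classic pcap file and flags records longer than the link could physically carry, reporting the IPv4 Total Length so you can see the coalesced size. The pcap bytes are constructed inline; the MTU constants and the capture layout are assumptions of the example.

```python
import struct

# Classic pcap constants (libpcap file format).
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
STD_MAX_FRAME = 1518     # 1500-byte MTU + 14-byte Ethernet header + 4-byte FCS
JUMBO_MAX_FRAME = 9018   # 9000-byte MTU + 18


def build_frame(payload_len: int) -> bytes:
    """Constructed Ethernet II / IPv4 / TCP frame carrying payload_len bytes."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + b"A" * payload_len


def build_pcap(frames) -> bytes:
    """Wrap frames in a little-endian classic pcap file (global header + records)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)
    records = [struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
               for i, f in enumerate(frames)]
    return header + b"".join(records)


def iter_records(pcap: bytes):
    """Yield (caplen, origlen, data) per record, detecting byte order from the magic."""
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", pcap[:4])[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a classic pcap file")
    offset = 24
    while offset + 16 <= len(pcap):
        _sec, _usec, caplen, origlen = struct.unpack(endian + "IIII", pcap[offset:offset + 16])
        offset += 16
        yield caplen, origlen, pcap[offset:offset + caplen]
        offset += caplen


def ipv4_total_length(frame: bytes):
    """IPv4 Total Length field of an Ethernet II frame, or None if it is not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    return struct.unpack("!H", frame[16:18])[0]


def find_oversized(pcap: bytes, max_frame: int = STD_MAX_FRAME):
    """Return (record_index, frame_length, ipv4_total_length) for records longer
    than max_frame. Such a record was never one frame on the wire: on a host with
    segmentation offload (LSO/LRO, GSO/GRO on Linux) the capture mechanism sees
    the coalesced segment before the NIC splits it or after it merges it."""
    hits = []
    for index, (_caplen, origlen, data) in enumerate(iter_records(pcap)):
        if origlen > max_frame:
            hits.append((index, origlen, ipv4_total_length(data)))
    return hits


# Constructed sample: one ordinary 1514-byte frame and one 15 KB "frame".
SAMPLE_PCAP = build_pcap([build_frame(1460), build_frame(14960)])

if __name__ == "__main__":
    for index, length, ip_len in find_oversized(SAMPLE_PCAP):
        print(f"record {index}: {length} bytes, IPv4 total length {ip_len}; "
              f"likely offload-coalesced, not a real jumbo frame")
```

If the oversized records disappear after disabling offload on the capturing NIC (ethtool -K on Linux), the "frames" were capture artifacts rather than wire traffic.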


How exactly does an ethernet switch work?

I understand that it's different than a hub in that instead of packets being broadcast to all devices connected to the device, it knows exactly who requested the packet by looking at the MAC layer.
However, is it still possible to use a packet sniffer like Wireshark to intercept packets meant for other users of the switch? Or is this only a problem with ethernet hubs that doesn't affect switches due to the nature of how a switch works?
On a slightly off topic side note, what exactly is classified as a LAN? For example, imagine two separate ethernet switches are hooked up to a router. Would each switch be considered a separate LAN? What is the significance of having multiple LANs within the same network?
it knows exactly who requested the packet by looking at the MAC layer.
More exactly, the switch uses the MAC destination address to forward a frame to the port associated with that address. Addresses are automatically learned by looking at the MAC source address on received frames.
A switch is stateless, i.e. it has no memory of who requested which data. A layer-2 switch also has no understanding of IP packets, addresses or protocols. All a basic switch does is learn source addresses and forward by destination address.
is it still possible to use a packet sniffer like Wireshark to intercept packets meant for other users of the switch?
Yes. You'll need a managed switch supporting port mirroring or SPANning. This doesn't intercept frames, it just copies them to the mirror port. If you need to actually intercept frames you have to put your interceptor in between the nodes (physically or logically).
With a repeater hub, every bit is repeated to every node in the collision domain, making monitoring effortless.
what exactly is classified as a LAN?
This depends on who you ask and on the context. A LAN can be a layer-1 segment/bus aka collision domain (obsolete), a layer-2 segment (broadcast domain), a layer-3 subnet (mostly identical with an L2 segment) or a complete local network installation (when contrasted with SAN or WAN).
Adding to #Zac67:
Regarding this question:
is it still possible to use a packet sniffer like Wireshark to intercept packets meant for other users of the switch?
There are also active ways in which you can trick the Switch into sending you data that is meant for other machines. By exploiting the Switch's mechanism, one can send a frame with a spoofed source MAC, and then the Switch will transfer frames destined to this MAC - to the sender's port (until someone else sends a frame with that MAC address).
This video discusses this in detail:
https://www.youtube.com/watch?v=YVcBShtWFmo&list=PL9lx0DXCC4BMS7dB7vsrKI5wzFyVIk2Kg&index=18
In general, I recommend the following video that explains this in detail and in a visual way:
https://www.youtube.com/watch?v=Youk8eUjkgQ&list=PL9lx0DXCC4BMS7dB7vsrKI5wzFyVIk2Kg&index=17
what exactly is classified as a LAN?
So indeed this is one of the least-well-defined terms in Computer Networks. With regards to the Data Link Layer, a LAN can be defined as a segment, that is - a broadcast domain. In this case, two devices are regarded as part of the same segment iff they are one hop away from one another - that is, they can switch frames in the second layer.
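The learning-and-forwarding behaviour described in both answers above, as an added toy model (not any vendor's code, and not from the thread): frames are forwarded by destination MAC, the table is learned from source MACs, and a known address appearing behind a different port is recorded the way a switch's MAC-move or port-security logging would, which is how the table rewrite described above shows up to a defender. Port numbers, addresses and traffic are constructed for the example.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Toy layer-2 learning switch: forward by destination MAC, learn from source MAC.
    It keeps no per-request state and never looks at IP headers."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}    # MAC address -> port it was last seen on
        self.moves = []    # (mac, old_port, new_port): monitoring record of MAC moves

    def receive(self, in_port, src_mac, dst_mac):
        """Handle one frame arriving on in_port; return the list of egress ports."""
        # Learning step: associate the source address with the ingress port.
        previous = self.table.get(src_mac)
        if previous is not None and previous != in_port:
            # A known address turning up behind another port ("MAC flapping").
            # Benign when a host is physically moved, but it is also exactly what
            # a frame with a spoofed source address looks like to the switch, so
            # switches and monitoring tools log it (MAC-move / port-security events).
            self.moves.append((src_mac, previous, in_port))
        self.table[src_mac] = in_port
        # Forwarding step: known unicast goes to one port, everything else is flooded.
        if dst_mac != BROADCAST and dst_mac in self.table:
            out_port = self.table[dst_mac]
            return [] if out_port == in_port else [out_port]
        return [port for port in self.ports if port != in_port]


def scenario():
    """Constructed traffic on a three-port switch; returns the egress decisions."""
    sw = LearningSwitch(ports=[1, 2, 3])
    host_a, host_b, host_c = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
    decisions = {
        "a_to_unknown_b": sw.receive(1, host_a, host_b),   # flooded: b not yet learned
        "b_replies_to_a": sw.receive(2, host_b, host_a),   # a already known -> port 1 only
        "a_to_known_b": sw.receive(1, host_a, host_b),     # b now known -> port 2 only
        # Port 3 emits a frame carrying b's source address: the entry for b is
        # rewritten, and frames for b go to port 3 until b itself transmits again.
        "b_seen_on_port_3": sw.receive(3, host_b, host_c),
        "a_to_b_after_move": sw.receive(1, host_a, host_b),
        "b_transmits_again": sw.receive(2, host_b, host_a),
        "a_to_b_restored": sw.receive(1, host_a, host_b),
    }
    return decisions, sw.moves


if __name__ == "__main__":
    decisions, moves = scenario()
    for name, ports in decisions.items():
        print(f"{name}: forwarded to ports {ports}")
    print("MAC moves to alert on:", moves)
```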

OSI Layers explained

I'm trying to understand Network layers. There are five layers, application, transport, network, link and physical layer. I have studied from various sources but I couldn't understand clearly, especially transport, network and link layers. Can you explain those layers for a dummy person like me? Thanks.
So I think the hardest part people have with the OSI model is that they look at some of the layers and forget it's talking about communication... application layer specifically people get confused as to what it's talking about.
Application references the protocols applications use to communicate.
Examples being ftp, http, etc.
As stated above, the original OSI model (which is really just theory, nothing actually implements it exactly as it would be too inefficient) has 2 more layers in between application and transport (which are most likely wrapped into the application layer). These are Presentation and Session.
Presentation is responsible for things like HTTP's Accept-Encoding: gzip, deflate. Encryption and character encoding are said to be Presentation layer, so SSL/TLS falls under this category (the s in https).
HTTP sessions would be a literal example of the Session layer (anything that keeps your application state alive across connections). If a protocol is connection oriented, it might not have a session layer, which is why HTTP is probably the only example I can think of at the moment.
As you can see HTTP was the answer to all 3 of these top layers, which is why they have all been combined into Application layer in newer versions of the model. Cisco still uses the 7 layer model, but Microsoft uses the 5 layer you're using.
Transport is TCP... it contains information about reordering packets and can adjust the amount of packets per window, allows the computer to know if anything was lost and ask for re-transmission, etc.
UDP is also an example of the transport layer, however it's a lot simpler of a protocol; no re-transmission of packets is done on UDP.
Network is the IP protocol (also IPX/SPX from the old netware days, and ICMP (pings) and IGMP (routers)); this allows for addressing computers that lie outside a collision domain (things separated by switches or routers).
Link or DataLink layer is ethernet, (or ATM, or FDDI) which addresses computers physically connected to a hub or directly with a network cable to each other.
This layer adds the MAC addressing in ethernet and the frame part of a packet is the header it uses.
Physical layer (in original OSI model) is just your cables and network equipment.
Pretty much the only people who still talk about OSI are network techs.
They may still say Layer 2 or Layer 3 switches, etc. which is in reference to OSI. Layer 2 is an ethernet switch, a layer 3 switch adds routing.
The best way to see how this is used is to load up wireshark and snoop your own network traffic. It will actually show you the parts of a packet that are responsible for most of the layers.
Knowing the OSI model is not really overly useful, but it can help you organize the stages of network communication in your mind and help you troubleshoot.
Knowing the protocols and how they interact is extremely useful. Learning how tcp negotiates connections, IP addressing and subnet masking, HTTP and Ethernet can help you whether you are a developer or a server admin, or network admin or even a DBA. There is nothing like a bad network card to ruin your weekend or even a whole month if no one thinks to check it, and the only way to tell is to use tcpdump and wireshark to see errors in the Ethernet frames.
The OSI reference model
The OSI model is used to connect to the open systems—these are the systems that are open and communicate with other systems. By using this model, we do not depend on an operating system anymore, so we are allowed to communicate with any operating system on any computer. This model contains seven layers, where each layer has a specific function and defines the way data is handled on certain different layers. The seven layers that are contained in this model are the Physical layer, Data Link layer, Network layer, Transport layer, Session layer, Presentation layer, and the Application layer.
THE PHYSICAL LAYER
This is the first layer in the OSI model and contains a definition of the network's physical specification, including the physical media (cables and connectors) and basic devices (repeaters and hubs). The layer is responsible for the input raw bits transmission data stream into zeros and for the ones that are on the communication channel. It then places the data onto the physical media. It is concerned with data transmission integrity and makes sure that the bits that are sent from one device are exactly the same as the data that is received by the other device.
THE DATA LINK LAYER
The main role of the Data Link layer is to provide a link for raw data transmission. Before the data is transmitted, it is broken up into data frames, and the Data Link layer transmits them consecutively. The receiver will send back an acknowledge frame for each frame that has been sent if the service is reliable.
This layer consists of two sublayers: Logical Link Control (LLC) and Media Access Control (MAC). The LLC sublayer is responsible for transmission error checking and deals with frame transmission, while the MAC sublayer defines how to retrieve data from the physical media or store data in the physical media.
We can also find the MAC address, also called the physical address, in this layer. The MAC address is used to identify every device that connects to the network because it is unique for each device.
The MAC address contains twelve hexadecimal characters, where two digits are paired with each other. The first six digits represent the organizationally unique identifier and the remaining digits represent the manufacturer serial number. If you are really curious to know what this number means, you can go to www.macvendorlookup.com and fill the text box with your MAC address to know more about it.
THE NETWORK LAYER
The Network layer is responsible for defining the best way to route the packets from a source to the destination device. It will generate routing tables using Internet Protocol (IP) as the routing protocol, and the IP address is used to make sure that the data gets its route to the required destination. There are two versions of IP nowadays: IPv4 and IPv6. In IPv4, we use 32-bit addresses to address the protocol and we use 128-bit addresses in IPv6. You are going to learn more about Internet Protocol, IPv4, and IPv6 in the next topic.
THE TRANSPORT LAYER
The Transport layer is responsible for transferring data from a source to destination. It will split up the data into smaller parts, or in this case segments, and then will join all the segments to restore the data to its initial form in the destination.
There are two main protocols that work in this layer: the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).
TCP supplies the delivery of data by establishing a session. The data will not be transmitted until a session is established. TCP is also known as the connection-oriented protocol, which means that the session has to be established before transmitting the data.
UDP is a method of delivering data with the best efforts, but does not give a guaranteed delivery because it does not establish a session. Therefore, UDP is also known as the connection-less protocol. In-depth explanation about TCP and UDP can be found in the next topic.
THE SESSION LAYER
The Session layer is responsible for the establishment, maintenance, and termination of the session. We can analogize the session like a connection between two devices on the network. For example, if we want to send a file from a computer to another, this layer will establish the connection first before the file can be sent. This layer will then make sure that the connection is still up until the file is sent completely. Finally, this layer will terminate the connection if it is no longer needed. The connection we talk about is the session.
This layer also makes sure that the data from a different application is not interchanged. For example, if we run the Internet browser, chat application, and download manager at the same time, this layer will be responsible for establishing the session for every single application and ensure that they remain separated from other applications.
There are three communication methods that are used by this layer: the simplex, half-duplex, or full-duplex method.
In the simplex method, data can only be transferred by one party, so the other cannot transfer any data. This method is no longer common in use, since we need applications that can interact with each other.
In the half-duplex method, data can be transferred to all the involved devices, but only one device can transfer data at a time; after it completes the sending process, the others can also send and transfer data.
The full-duplex method can transfer data to all the devices at the same time. To send and receive data, this method uses different paths.
THE PRESENTATION LAYER
The Presentation layer role is used to determine the data that has been sent, to translate the data into the appropriate format, and then to present it. For example, we send an MP3 file over the network and the file is split up into several segments. Then, using the header information on the segment, this layer will construct the file by translating the segments.
Moreover, this layer is responsible for data compression and decompression because all the data transmitted over the Internet is compressed to save the bandwidth. This layer is also responsible for data encryption and decryption in order to secure communication between two devices.
THE APPLICATION LAYER
The Application layer deals with the computer application that is used by a user. Only the application that connects to a network will connect to this layer. This layer contains several protocols that are needed by a user, which are as follows:
The Domain Name System (DNS): This protocol is the one that finds the hostname of an IP address. With this system, we do not need to memorize every IP address any longer, just the hostname. We can easily remember a word in the hostname instead of a bunch of numbers in the IP address.
The Hypertext Transfer Protocol (HTTP): This protocol is the one that transmits data over the Internet on web pages. We also have the HTTPS format that is used to send encrypted data for security issues.
The File Transfer Protocol (FTP): This protocol is the one that is used to transfer files from or to an FTP server.
The Trivial FTP (TFTP): This protocol is similar to FTP, which is used to send smaller files.
The Dynamic Host Configuration Protocol (DHCP): This protocol is a method that is used to assign the TCP/IP configuration dynamically.
The Post Office Protocol (POP3): This protocol is an electronic mail protocol used to get back e-mails from POP3 servers. The server is usually hosted by an Internet Service Provider (ISP).
The Simple Mail Transfer Protocol (SMTP): This protocol is in contrast with POP3 and is used to send electronic mails.
The Internet Message Access Protocol (IMAP): This protocol is used to receive e-mail messages. With this protocol, users can save their e-mail messages on their folder on a local computer.
The Simple Network Management Protocol (SNMP): This protocol is used to manage network devices (routers and switches) and detect problems to report them before they become significant.
The Server Message Block (SMB): This protocol is an FTP that is used on Microsoft networks primarily for file and printer sharing.
This layer also decides whether enough network resources are available for network access. For instance, if you want to surf the Internet using an Internet browser, the Application layer decides whether access to the Internet is available using HTTP.
We can divide all the seven layers into two section layers: the Upper Layer and Lower Layer. The upper layer is responsible for interacting with the user and is less concerned about the low-level details, whereas the lower layer is responsible for transferring data over the network, such as formatting and encoding.
There are FIVE LAYERS in TCP/IP Model and SEVEN LAYERS in OSI Reference Model.
The primary difference between our five-layer model and the seven-layer OSI model is that the OSI model abstracts the application layer into three layers total.
The physical layer represents the physical devices that interconnect computers. This includes the specifications for the networking cables and the connectors that join devices together along with specifications describing how signals are sent over these connections. The physical layer is all about cabling, connectors and sending signals.
The second layer in our model is known as the data link layer. Also called the network interface or the network access layer. The data link layer is responsible for defining a common way of interpreting the signals, so network devices can communicate. Lots of protocols exist at the data link layer, but the most common is known as Ethernet.
The third layer, the network layer is also sometimes called the Internet layer. It's this layer that allows different networks to communicate with each other through devices known as routers.
The most common protocol used at this layer is known as IP or Internet Protocol. IP is the heart of the Internet and most small networks around the world.
While the data link layer is responsible for getting data across a single link, the network layer is responsible for getting data delivered across a collection of networks.
While the network layer delivers data between two individual nodes, the transport layer sorts out which client and server programs are supposed to get that data. The transport layer protocols are TCP or Transmission Control Protocol and UDP or User Datagram Protocol.
The big difference between the two is that TCP provides mechanisms to ensure that data is reliably delivered while UDP does not.
The network layer, in our case IP, is responsible for getting data from one node to another. The transport layer, mostly TCP and UDP, is responsible for ensuring that data gets to the right applications running on those nodes.
The fifth layer is known as the application layer. There are lots of different protocols at this layer, and as you might have guessed from the name, they are application-specific. Protocols used to allow you to browse the web or send or receive emails are some common ones. Application Layer Protocols are HTTP, SMTP, etc.
You can think of layers like different aspects of a package being delivered. The physical layer is the delivery truck and the roads. The data link layer is how the delivery trucks get from one intersection to the next over and over. The network layer identifies which roads need to be taken to get from address A to address B. The transport layer ensures that the delivery driver knows how to knock on your door to tell you your package has arrived. And the application layer is the contents of the package itself.

Emulate UDP/TCP/IP connections of 40,000 or more

I need to simulate a massive amount of TCP/IP ethernet traffic. For example, I want to simulate the environment that an ISP has where there might be 40,000 different IP addresses sending TCP/UDP IP traffic to different remote hosts. This is my ideal setup:
Traffic generator - > the device I want to test (one inbound interface and one outbound interface) - > traffic receiver.
The device I want to test is a network traffic monitor/QOS appliance. It effectively sits 'in-line', one interface would be connected to the traffic generator and the other interface connected to the traffic receiver. This in-line interface is effectively a bridge and is not assigned an IP address. It can monitor & apply QOS rules on all traffic passing over that bridge interface.
Layer 4 control is important, so that I can set port numbers (80, 443, 22 etc). Layer 7 application information would be ideal as the device I am testing also does deep packet inspection.
Methods I have already tried include using iperf but in order to simulate 40,000 IP addresses I would need to configure 40,000 virtual interfaces on both the traffic generator and the traffic receiver manually, and I have found that iperf is limited to about 1000 simultaneous connections (on my setup). I have also tried replaying large PCAP files, but then I do not have control over the packets to test QOS capabilities.
Other software/solutions I have looked into are:
http://mininet.org/ (can't handle the amount of connections I need).
ns-3
I am looking for someone to point me in the right direction. Thank you.
There are commercial products for this kind of thing. Short of a home-brew setup with a combination of apache bench, siege, and tcpreplay (which would take significant effort to implement).
See www.spirent.com or www.ixiacom.com.

Which network layer is in charge of reassembling fragmented datagrams?

Recently I dug a bit deeper into the matter of network protocols and the OSI model, when I noticed that incoming TCP datagrams (correct me if this is the wrong term) are split into several parts when they exceed a certain size - in this case it's probably my router's MTU. I captured those datagrams using SharpPcap in order to extract some information I am looking for, if you are wondering where I got this information from.
Anyway I was wondering if the reassembly of fragmented packets shouldn't be the task of the IP layer, since it definitely provides information to accomplish this (id, fragmentation flags, fragment offset). Furthermore I read that the TCP layer is to be interpreted as a stream-based protocol. But this actually implies that it's up to the TCP layer to care about filling the application's buffer the right way, so that the initial piece of information is reconstructed and may be flushed "up" all further layers.
Before I made this observation I actually thought, that the TCP layer should care about reassembling those datagrams, but none of the mentioned layers does...
This leads to the following question(s):
Why are the TCP datagrams I receive not reassembled and what layer SHOULD actually take care about this?
The IP layer handles fragmentation and reassembly, http://en.wikipedia.org/wiki/IP_fragmentation.
When you use a tool like SharpPcap that uses winpcap/airpcap/libpcap, you are receiving the raw datagrams from the device you are capturing on. For many adapters this is an ethernet datagram that then contains an ip frame etc.
This is in contrast to data received after processing by the networking stack, where the reassembly is performed.
So, it's expected that you won't get reassembled datagrams from SharpPcap (or many other capture libraries) because the data is being captured at the adapter level, not inside of or as an output of the networking stack that is performing reassembly.
You can perform the reassembly after capture either yourself or using a library that provides this functionality. You could also add such a component to Packet.Net (the packet processing library that SharpPcap is using) to provide this reassembly.
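Doing the reassembly yourself after capture, as the answer suggests, means keying fragments on (source, destination, identification, protocol) and using the MF flag and fragment offset from the IPv4 header. The following is an added example (not from the thread, not Packet.Net code) of a minimal reassembler; the fragments it consumes are constructed inline, and unlike a real stack it has no timeouts or memory limits. It also refuses overlapping fragments, which a capture-side analyser should treat as suspicious rather than silently merge.

```python
import struct


def parse_ipv4(packet: bytes) -> dict:
    """Pull out the header fields reassembly needs (RFC 791) plus the payload."""
    (vihl, _tos, total_len, ident, flags_off, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4
    return {
        "key": (src, dst, ident, proto),       # identifies one original datagram
        "more": bool(flags_off & 0x2000),      # MF flag: more fragments follow
        "offset": (flags_off & 0x1FFF) * 8,    # fragment offset is in 8-byte units
        "payload": packet[ihl:total_len],
    }


class Reassembler:
    """Collect IPv4 fragments per (src, dst, id, proto) and rebuild the datagram.
    A real stack additionally times out incomplete buffers and caps their memory."""

    def __init__(self):
        self.pending = {}   # key -> {"frags": {offset: payload}, "total": int or None}

    def feed(self, packet: bytes):
        """Add one fragment; return the reassembled payload once complete, else None."""
        frag = parse_ipv4(packet)
        entry = self.pending.setdefault(frag["key"], {"frags": {}, "total": None})
        entry["frags"][frag["offset"]] = frag["payload"]
        if not frag["more"]:                   # the last fragment fixes the total length
            entry["total"] = frag["offset"] + len(frag["payload"])
        if entry["total"] is None:
            return None
        parts, position = [], 0
        for offset in sorted(entry["frags"]):
            if offset < position:
                # Overlapping fragments: a classic IDS-evasion or corruption sign.
                raise ValueError("overlapping fragment for datagram %r" % (frag["key"],))
            if offset > position:
                return None                    # gap: still waiting for a fragment
            parts.append(entry["frags"][offset])
            position += len(entry["frags"][offset])
        if position != entry["total"]:
            return None
        del self.pending[frag["key"]]
        return b"".join(parts)


def make_fragments(payload: bytes, mtu: int = 1500, ident: int = 0x1234) -> list:
    """Constructed input: split a payload the way a router with the given MTU would."""
    chunk_size = ((mtu - 20) // 8) * 8          # largest multiple of 8 that fits
    fragments = []
    for offset in range(0, len(payload), chunk_size):
        chunk = payload[offset:offset + chunk_size]
        more = offset + len(chunk) < len(payload)
        flags_off = (0x2000 if more else 0) | (offset // 8)
        header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ident, flags_off,
                             64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        fragments.append(header + chunk)
    return fragments


if __name__ == "__main__":
    data = bytes(range(256)) * 12               # 3072-byte payload -> 3 fragments
    reassembler = Reassembler()
    for fragment in reversed(make_fragments(data)):   # deliberately out of order
        result = reassembler.feed(fragment)
    print("reassembled OK" if result == data else "incomplete")
```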

XBee Send To All

I have a simple xbee network operating where there are a bunch of slaves operating remotely and all talking to one master, who is connected to the server computer. That works no problem.
The slaves all send their ID as part of the packet and I'd like to have the master deliberately send an Ack after a delay. I'm trying to figure out how to do this efficiently and it seems that the only plausible way that doesn't involve reprogramming the master before each Ack is to send the Ack to all slaves and have them ignore the packet if it's not meant for them.
That solution is ok - I just can't figure out the command to use to do this. Is there some sort of Serial sendAll command? All of the devices are on the same ATID.
Typically in this situation, you would configure the master in API mode so you would get "Receive Explicit" frames with source addressing information, and could send with the "Transmit Explicit" frame type, and include addressing information in your frames.
If you use AT mode (transparent serial mode), then you're stuck having to change the DH and DL parameters on your coordinator every time you want to change who you send to. You should avoid using broadcast packets, since each one results in lots of network traffic (IIRC, each router will send the broadcast packet three times).
I do not know of a good XBee library on the Arduino, but it might be possible to port Digi's Open Source ANSI C XBee Host Library to that platform.
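The API-mode approach from the answer above, as an added example (not from the thread and not Digi's library): the master decodes Receive Packet frames to learn each slave's source address, then sends its delayed acknowledgement as a unicast Transmit Request instead of a broadcast. It assumes XBee modules running ZigBee firmware in API mode 1 (no escaping) and uses the Transmit Request (0x10) and Receive Packet (0x90) frame types, the simpler siblings of the Explicit frames the answer names; the addresses and slave payload are constructed.

```python
def api_frame(frame_data: bytes) -> bytes:
    """Wrap frame data in the XBee API envelope: 0x7E, 16-bit length, data, checksum.
    The checksum is 0xFF minus the low byte of the sum of the frame-data bytes."""
    checksum = 0xFF - (sum(frame_data) & 0xFF)
    return b"\x7e" + len(frame_data).to_bytes(2, "big") + frame_data + bytes([checksum])


def transmit_request(frame_id: int, dest64: int, payload: bytes,
                     dest16: int = 0xFFFE, radius: int = 0, options: int = 0) -> bytes:
    """Transmit Request (frame type 0x10) addressed to a single radio by 64-bit address;
    0xFFFE as the 16-bit address means "unknown, let the network resolve it"."""
    data = (bytes([0x10, frame_id]) + dest64.to_bytes(8, "big")
            + dest16.to_bytes(2, "big") + bytes([radius, options]) + payload)
    return api_frame(data)


def parse_receive_packet(frame: bytes):
    """Decode a Receive Packet (0x90) into (source64, source16, options, rf_data),
    rejecting frames with a bad delimiter, length or checksum."""
    if len(frame) < 5 or frame[0] != 0x7E:
        raise ValueError("missing start delimiter")
    length = int.from_bytes(frame[1:3], "big")
    if len(frame) != 4 + length:
        raise ValueError("length field does not match frame size")
    data, checksum = frame[3:3 + length], frame[3 + length]
    if (sum(data) + checksum) & 0xFF != 0xFF:
        raise ValueError("bad checksum")
    if data[0] != 0x90 or len(data) < 12:
        raise ValueError("not a Receive Packet frame")
    source64 = int.from_bytes(data[1:9], "big")
    source16 = int.from_bytes(data[9:11], "big")
    return source64, source16, data[11], data[12:]


def sample_receive_frame() -> bytes:
    """Constructed 0x90 frame: slave 'S7' reporting from a made-up 64-bit address."""
    data = (bytes([0x90]) + (0x0013A20040522BAA).to_bytes(8, "big")
            + (0x5A3C).to_bytes(2, "big") + bytes([0x01]) + b"S7:temp=21.5")
    return api_frame(data)


def handle_report(address_book: dict, frame: bytes) -> str:
    """Master side: remember which radio a slave ID reports from. Returns the slave ID."""
    source64, source16, _options, rf_data = parse_receive_packet(frame)
    slave_id = rf_data.split(b":", 1)[0].decode()
    address_book[slave_id] = (source64, source16)
    return slave_id


def build_ack(address_book: dict, slave_id: str, frame_id: int) -> bytes:
    """Unicast ACK to the radio the slave last reported from: no broadcast, no DH/DL edits."""
    dest64, dest16 = address_book[slave_id]
    return transmit_request(frame_id, dest64, b"ACK " + slave_id.encode(), dest16=dest16)


if __name__ == "__main__":
    book = {}
    slave = handle_report(book, sample_receive_frame())
    print("learned", slave, "at", hex(book[slave][0]))
    print("ack frame:", build_ack(book, slave, 1).hex())
```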
