Skip to content

general networking

(Written by Paul Cobbaut, https://github.com/paulcobbaut/, with contributions by: Alex M. Schapelle, https://github.com/zero-pytagoras/, Bert Van Vreckem, https://github.com/bertvv/)

While this chapter is not directly about Linux, it does contain general networking concepts that will help you in troubleshooting networks on Linux.

network layers

seven OSI layers

When talking about protocol layers, people usually mention the seven layers of the osi protocol: Application, Presentation, Session, Transport, Network, Data Link and Physical. We will discuss layers 2 and 3 in depth, and focus less on the other layers. The reason is that these layers are important for understanding networks. You will hear administrators use words like "this is a layer 2 device" or "this is a layer 3 broadcast", and you should be able to understand what they are talking about.

four DoD layers

The DoD (Deptartment of Defence) model, also known als the TCP/IP model, has only four layers, roughly mapping its network access layer to OSI layers 1 and 2 (Physical and Datalink), its internet (IP) layer to the OSI network layer, its host-to-host (tcp, udp) layer to OSI layer 4 (transport) and its application layer to OSI layers 5, 6 and 7.

Below an attempt to put OSI and DoD layers next to some protocols and devices.

short introduction to the physical layer

The physical layer, or layer 1, is all about voltage, electrical signals and mechanical connections. Most, if not all wired networks for connecting end devices these days use utp cables with RJ-45 connectors. For high capacity networks (between sites), you might use glass fiber. Early networks used coax cables, like the ones you still use to connect your tv to the cable network.

Wireless networks use radio signals to connect devices. The most common wireless network is what we call wifi, which uses the 2.4 GHz or 5 GHz frequency band. The physical layer of wifi is the radio signal that is sent between the antennas of the wireless access point (WAP) and the wireless device (mobile phone, laptop, tablet, etc.).

Devices like repeaters and hubs are also part of this layer. You cannot use software to 'see' a repeater or hub on the network. The only thing these devices are doing is amplifying electrical signals on cables. Passive hubs are multiport amplifiers that amplify an incoming electrical signal on all other connections. Active hubs do this by reading and retransmitting bits, without interpreting any meaning in those bits. These types of devices have become uncommon, as they are replaced by switches (see below).

This is all we have to say about layer 1 in this book.

On the data link layer, or layer 2, data is sent between devices in the form of frames. An Ethernet frame, for example, contains a source and destination mac address (media access control address), the data (payload) and a crc (cyclic redundancy check) to check for errors in the frame. The mac address is a unique 48-bit number that is burned into the network card and is used to identify the network card.

On this layer we find devices like bridges and switches. A bridge is more intelligent than a hub because a bridge can make decisions based on the mac address of computers. A switch also understands mac addresses and keeps a table of the devices directly attached to its ports. This table is used to forward frames only to the correct port. This makes a switch more intelligent than a bridge, since the latter would send out any incoming frame on all ports.

In this book we will discuss commands like arp and ip to explore this layer.

short introduction to the network layer

Layer 3 is about ip packets. This layer gives every host a unique 32-bit ip address. But ip is not the only protocol on this layer, there is also icmp, igmp, ipv6 and more. A complete list can be found in the /etc/protocols file.

On this layer we find devices like routers and layer 3 switches, devices that know (and have) an ip address.

In tcp/ip this layer is commonly referred to as the internet layer.

short introduction to the transport layer

We will discuss the tcp and udp protocols in the context of layer 4. The DoD model calls this the host-to-host layer.

layers 5, 6 and 7

The tcp/ip application layer includes layers 5, 6 and 7. Details on the difference between these layers are out of scope of this course.

network layers in this book

Stacking of layers in this book is based on the Protocols in Frame explanation in the wireshark sniffer. When sniffing a dhcp packet, we notice the following in the sniffer.

[Protocols in Frame: eth:ip:udp:bootp]

Sniffing for ntp (Network Time Protocol) packets gives us this line, which makes us conclude to put ntp next to bootp in the protocol chart below.

[Protocols in Frame: eth:ip:udp:ntp]

Sniffing an arp broadcast makes us put arp next to ip. All these protocols are explained later in this chapter.

[Protocols in Frame: eth:arp]

Below is a protocol chart based on wireshark's knowledge. It contains some very common protocols that are discussed in this book. The chart does not contain all protocols.

unicast, multicast, broadcast, anycast

unicast

A unicast communication originates from one end device and is destined for exactly one other end device (or host). It is common for hosts to have many unicast communications.

multicast

A multicast is destined for a group (of hosts).

Some examples of multicast are Realplayer (.sdp files) and ripv2 (a routing protocol).

broadcast

A broadcast is meant for everyone.

Typical example here is the BBC (British Broadcasting Corporation) broadcasting to everyone. In datacommunications a broadcast is most common confined to the lan.

Careful, a layer 2 broadcast is very different from a layer 3 broadcast. A layer two broadcast is received by all network cards on the same segment (it does not pass any router), whereas a layer 3 broadcast is received by all hosts in the same ip subnet.

anycast

The root name servers of the internet use anycast. An anycast signal goes the the(geographically) nearest of a well defined group.

With thanks to the nice anonymous wikipedia contributor to put these pictures in the public domain.

lan-wan-man

The term lan is used for local area networks, as opposed to a wan for wide area networks. The difference between the two is determined by the distance between the computers, and not by the number of computers in a network. Some protocols like atm (Asynchronous Transfer Mode) are designed for use in a wan, others like ethernet are designed for use in a lan.

lan

A lan (Local Area Network) is a local network. This can be one room, or one floor, or even one big building. We say lan as long as computers are close to each other. You can also define a lan when all computers are ethernet connected.

A lan can contain multiple smaller lan's. The picture below shows three lan's that together make up one lan.

man

A man (Metropolitan Area Network) is something inbetween a lan and a wan, often comprising several buildings on the same campus or in the same city. A man can use fddi (Fiber Distributed Data Interface) or ethernet or other protocols for connectivity.

wan

A wan (Wide Area Network) is a network with a lot of distance between the computers (or hosts). These hosts are often connected by leased lines. A wan does not use ethernet, but protocols like fddi, frame relay, ATM or X.25 to connect computers (and networks).

The picture below shows a branch office that is connected through Frame Relay with headquarters.

The acronym wan is also used for large surface area networks like the internet.

Cisco is known for their wan technology. They make routers that connect many lan networks using wan protocols.

pan-wpan

Your home network is called a pan (Personal Area Network). A wireless pan is a wpan.

internet - intranet - extranet

The internet is a global network. It connects many networks using the tcp/ip protocol stack.

The origin of the internet is the arpanet. The arpanet was created in 1969, that year only four computers were connected in the network. In 1971 the first e-mail was sent over the arpanet. E-mail took 75 percent of all arpanet traffic in 1973. 1973 was also the year ftp was introduced, and saw the connection of the first European countries (Norway and UK). In 2009 the internet was available to 25 percent of the world population. In 2011 it is estimated that only a quarter of internet webpages are in English.

An intranet is a private tcp/ip network. An intranet uses the same protocols as the internet, but is only accessible to people from within one organization.

An extranet is similar to an intranet, but some trusted organizations (partners/clients/suppliers/...) also get access.

tcp/ip

history of tcp/ip

In the Sixties development of the tcp/ip protocol stack was started by the US Department of Defense. In the Eighties a lot of commercial enterprises developed their own protocol stack: IBM created sna, Novell had ipx/spx, Microsoft completed netbeui and Apple worked with appletalk. All the efforts from the Eighties failed to survive the Nineties. By the end of the Nineties, almost all computers in the world were able to speak tcp/ip.

In the humble opinion of the authors, the main reason for the survival of tcp/ip over all the other protocols is its openness. Everyone is free to develop and use the tcp/ip protocol suite.

rfc (request for comment)

The protocols that are used on the internet are defined in rfc's. An rfc or request for comment describes the inner working of all internet protocols. The IETF (Internet Engineering Task Force) is the sole publisher of these protocols since 1986.

The official website for the rfc's is http://www.rfc-editor.org. This website contains all rfc's in plain text, for example rfc2132 (which defines dhcp and bootp) is accessible at http://www.rfc-editor.org/rfc/rfc2132.txt.

many protocols

For reliable connections, you use tcp, whereas udp is connectionless but faster. The icmp error messages are used by ping, multicast groups are managed by igmp.

These protocols are visible in the protocol field of the ip header, and are listed in the /etc/protocols file.

student@linux:~$ grep tcp /etc/protocols 
tcp     6       TCP             # transmission control protocol

many services

Network cards are uniquely identified by their mac address, hosts by their ip address and applications by their port number.

Common application level protocols like smtp, http, ssh, telnet and ftp have fixed port numbers. There is a list of port numbers in /etc/services.

student@linux:~$ grep ssh /etc/services 
ssh             22/tcp                 # SSH Remote Login Protocol
ssh             22/udp