Network capture : Structure of network frames

 

Link Layer ( 2 )

 

Ethernet v2.0 MAC header :

 

Address fields :

Each MAC frame contains two address fields :
The Destination Address field and the Source Address field, in that order. The Destination Address field specifies the destination address for which the frame is intended. The Source Address field identifies the station from which the frame was initiated. The representation of each address field shall be as follows :

1. Each address field is 48 bits in length. While IEEE 802 specifies the use of either 16- or 48-bit addresses, no conformant implementation of IEEE 802.3 uses 16-bit addresses. The use of 16-bit addresses is specifically excluded by this standard.

2. The first bit ( LSB ) shall be used in the Destination Address field as an address type designation bit to identify the Destination Address either as an individual or as a group address. If this bit is 0, it indicates that the address field contains an individual address. If this bit is 1, it indicates that the address field contains a group address that identifies none, one or more, or all of the stations connected to the LAN. In the Source Address field, the first bit is reserved and set to 0.

3. The second bit is used to distinguish between locally or globally administered addresses. For globally administered ( or U, universal ) addresses, the bit is set to 0. If an address is to be assigned locally, this bit is set to 1. Note that for the broadcast address, this bit is also a 1.

4. Each octet of each address field shall be transmitted least significant bit first.

 

Address designation :

A MAC sublayer address is one of two types :
. Individual address : The address associated with a particular station on the network.
. Group address : A multidestination address, associated with one or more stations on a given network.

There are two kinds of multicast address :
1. Multicast group address : An address associated by higher-level convention with a group of logically related stations.
2. Broadcast Address : A distinguished, predefined multicast address that always denotes the set of all stations on a given LAN.

All 1's in the Destination Address field shall be predefined to be the Broadcast Address. This group shall be predefined for each communication medium to consist of all stations actively connected to that medium; it is used to broadcast to all the active stations on that medium. All stations shall be able to recognize the Broadcast Address. It is not necessary that a station be capable of generating the Broadcast Address.
The address space shall also be partitioned into locally administered and globally administered addresses. The nature of a body and the procedures by which it administers these global ( U ) addresses is beyond the scope of this standard.

 

 

I/G = 0 : Individual address
I/G = 1 : Group address
U/L = 0 : Globally administered address
U/L = 1 : Locally administered address

 

Preamble

7 Bytes
The preamble allows the receiving network card(s) to synchronize with the transmitting network card, so that the start frame delimiter and the following Ethernet data frame can be interpreted correctly.

These fields are not forwarded to the software by the network card !

Start Frame Delimiter

Start Frame Delimiter is 1 octet long and is the sequence 10101011 binary.
It immediately follows the preamble pattern and indicates the start of a frame.

This field is not forwarded to the software by the network card !

Destination address

The destination address field specifies the station(s) for which the frame is intended. It may be an individual or multicast ( including broadcast ) address.

Source address

The source address field specifies the station sending the frame. The source address field is not interpreted by the CSMA/ CD MAC sublayer.

Ethernet Length / Type Field

Internet protocol, e.g. IPv4 = 0800H

This two-octet field takes one of two meanings, depending on its numeric value. For numerical evaluation, the first octet is the most significant octet of this field.

Length interpretation :
If the value of this field is less than or equal to the value of 1500 ( 05DC HEX ), then the length/ type field indicates the number of MAC client data octets contained in the subsequent data field of the frame.
Type interpretation :
If the value of this field is greater than or equal to 0600 HEX, then the Length/ Type field indicates the nature of the MAC client protocol.

Regardless of the interpretation of the Length/ Type field, if the length of the data field is less than the minimum required for proper operation of the protocol, a PAD field ( a sequence of octets ) will be added at the end of the data field. The length/ type field is transmitted and received with the high order octet first.

MAC Client Data

The data consist of :
. IPv4 header
. TCP header
. User data IEC 60870-5-104

. PAD fields ( Trailer ), if available

The client data must have a minimum length, so that the Ethernet data frame, starting with the destination address and including the trailer, has a minimum frame length of 60 bytes. If the frame length is less than 60 bytes, the client data has to be filled with PAD fields ( padding bits ) up to the required minimum length. This is done automatically by the network card.

Frame Check Sequence

4 Bytes
The content of the Ethernet data frame, starting with the destination address and including the client data, is secured with a block checksum. The receiver ( network card ) can therefore detect transmission errors.

These fields are not forwarded to the software by the network card !
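The following Python sketch decodes the MAC header fields described above from a frame as the network card delivers it to software. It is an added example, not part of the LIAN 98 manual; the names `mac_info` and `parse_ethernet` and the sample frame are constructed for illustration.

```python
import struct

# Constructed sample: header as delivered by the network card (no preamble,
# SFD or FCS) plus 46 zero octets standing in for client data and PAD.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "02005e100001" "0800") + bytes(46)

def mac_info(addr: bytes) -> dict:
    """Decode the I/G and U/L bits held in the first octet of an address."""
    return {
        "text": ":".join(f"{b:02x}" for b in addr),
        "group": bool(addr[0] & 0x01),      # I/G: first bit sent = LSB of octet 0
        "local": bool(addr[0] & 0x02),      # U/L: second bit sent
        "broadcast": addr == b"\xff" * 6,   # all 1's
    }

def parse_ethernet(frame: bytes) -> dict:
    if len(frame) < 14:
        raise ValueError("shorter than one MAC header")
    dst, src = mac_info(frame[0:6]), mac_info(frame[6:12])
    (len_type,) = struct.unpack("!H", frame[12:14])   # high-order octet first
    if len_type <= 0x05DC:
        kind = "length"
    elif len_type >= 0x0600:
        kind = "type"
    else:
        kind = "undefined"                            # 0x05DD to 0x05FF
    notes = []
    if src["group"]:
        notes.append("source address has I/G bit set (reserved, must be 0)")
    if src["local"]:
        notes.append("source address is locally administered")
    if len(frame) < 60:
        notes.append("frame shorter than 60 bytes (no PAD present)")
    if kind == "length" and len_type > len(frame) - 14:
        notes.append("length field exceeds captured client data")
    return {"dst": dst, "src": src, "len_type": len_type, "kind": kind,
            "client_data": frame[14:], "notes": notes}

if __name__ == "__main__":
    print(parse_ethernet(SAMPLE_FRAME))
```

On a capture taken on the sending host, outgoing frames can appear shorter than 60 bytes because the network card adds the PAD after the capture point.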

 

Network Layer ( 3 )

 

IPv4 header :

For more detailed information about the IPv4 header,
read the document <RFC 791 : Internet Protocol> on the IETF Site.

 

 

Version

This field indicates the format of the IP header.
( e. g. Internet Protocol Version = 4 )

IHL

The internet header length is the length of the IP header counted in double words ( 32 bit units ), and thus points to the beginning of the data area. The minimum value for a correct header is 5 ( = 20 bytes ).

Type of service

bit 0 : Reserved
bit 1 : Reserved
bit 2 : R ( Reliability )
bit 3 : T ( Throughput )
bit 4 : D ( Delay )
bit 5 - 7 : PRECEDENCE

The Type of Service provides an indication of the abstract parameters of the quality of service desired. These parameters are to be used to guide the selection of the actual service parameters when transmitting a datagram through a particular network. Several networks offer service precedence, which somehow treats high precedence traffic as more important than other traffic ( generally by accepting only traffic above a certain precedence at time of high load ). The major choice is a three way tradeoff between low-delay, high-reliability, and high-throughput.

R : 0 = normal reliability,   1 = high reliability
T : 0 = normal throughput, 1 = high throughput
D : 0 = normal delay,        1 = low delay

Total length

Total Length is the length of the datagram, measured in octets, including internet header and data.

Identification

An identifying value assigned by the sender to aid in assembling the fragments of a datagram.

Flags

bit 5 : MF ( more fragments )
bit 6 : DF ( don't fragment )
bit 7 : reserved, must be zero

Various control flags

MF : 0 = last fragment,     1 = more fragments
DF : 0 = may fragment, 1 = don't fragment

Fragment offset

This field indicates where in the datagram this fragment belongs. The fragment offset is measured in units of 8 octets ( 64 bits ). The first fragment has offset zero.

Time to live

This field indicates the maximum time the datagram is allowed to remain in the internet system. If this field contains the value zero, then the datagram must be destroyed. This field is modified in internet header processing. The time is measured in units of seconds, but every module that processes a datagram must decrease the TTL by at least one, even if it processes the datagram in less than a second.

Protocol

This field indicates the next level protocol used in the data portion of the internet datagram. ( e. g. Transmission Control Protocol = 6 ).

Header checksum

A checksum on the header only. Since some header fields change ( e.g., time to live ), this is recomputed and verified at each point that the internet header is processed.

Source address

Identifies the IP address from which the frame is initiated. ( sender )

Destination address

IP address for which the frame is intended. ( receiver )

Options ( variable )

The option field is variable in length.
The options may appear or not in datagrams. They must be implemented by all IP modules ( host and gateways ). What is optional is their transmission in any particular datagram, not their implementation. In some environments the security option may be required in all datagrams.

Padding ( variable )

The field is variable in length.
The internet header padding is used to ensure that the internet header ends on a 32 bit boundary. The padding is composed of zeros.
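The following Python sketch decodes the IPv4 header fields described above, using the bit positions given in this section, and verifies the header checksum. It is an added example, not part of the LIAN 98 manual; the function names and the sample packet (addresses, identification value) are constructed for illustration.

```python
import struct

# Constructed sample: 20-byte header (DF set, TTL 64, protocol 6 = TCP),
# 20 zero octets standing in for a TCP header, then 6 octets of Ethernet PAD.
SAMPLE_PACKET = bytes.fromhex(
    "45000028" "1c464000" "40069d1b" "c0a8000a" "c0a80014") + bytes(20) + bytes(6)

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum; an odd trailing octet is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def parse_ipv4(packet: bytes) -> dict:
    if len(packet) < 20:
        raise ValueError("shorter than the minimum IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    header_len = ihl * 4                      # IHL counts 32-bit units
    if ihl < 5 or header_len > len(packet):
        raise ValueError(f"invalid IHL {ihl}")
    if not header_len <= total_len <= len(packet):
        raise ValueError(f"invalid total length {total_len}")
    return {
        "header_len": header_len, "total_len": total_len,
        "precedence": tos >> 5, "D": bool(tos & 0x10),
        "T": bool(tos & 0x08), "R": bool(tos & 0x04),
        "id": ident, "ttl": ttl, "protocol": proto,
        "DF": bool(flags_frag & 0x4000), "MF": bool(flags_frag & 0x2000),
        "frag_offset_octets": (flags_frag & 0x1FFF) * 8,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "options": packet[20:header_len],
        # The sum over the header, checksum field included, is 0xFFFF if intact.
        "checksum_ok": ones_complement_sum(packet[:header_len]) == 0xFFFF,
        # Ethernet PAD octets lie beyond total_len and are not datagram data.
        "data": packet[header_len:total_len],
    }
```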

 

Version :

 

Value     Keyword   Version                        Reference
0                   reserved
1 - 3               unassigned
4         IPv4      Internet Protocol version 4    [ RFC 791 ]
5         ST        ST Datagram Mode               [ RFC 1190 ]
6         IPv6      Internet Protocol version 6    [ RFC 1752 ]
7         TP/IX     TP/IX : The Next Internet      [ RFC 1475 ]
8         PIP       The P Internet Protocol        [ RFC 1621 ]
9         TUBA      TUBA                           [ RFC 1347 ]
10 - 14             unassigned
15                  reserved

 

Transport Layer ( 4 ) :

 

TCP header :

For more detailed information about the TCP header,
read the document <RFC 793 : Transmission Control Protocol> on the IETF Site.

 

 

Source port

Identifies the port from which the frame is initiated.

Destination port

Destination port for which the frame is intended.

Sequence number

The sequence number of the first data octet in this segment ( except when SYN is present ). If SYN is present the sequence number is the initial sequence number ( ISN ) and the first data octet is ISN + 1.

Acknowledgment number

If the ACK control bit is set this field contains the value of the next sequence number the sender of the segment is expecting to receive. Once a connection is established this is always sent.

Data offset

The number of double words ( 32 bit units ) in the TCP Header. This indicates where the data begins. The TCP header ( even one including options ) is an integral number of 32 bits long.

Reserved

Reserved for future use. Must be zero.

Control bits

URG : Urgent pointer field significant
ACK : Acknowledgment field significant
PSH : Push function
RST : Reset the connection
SYN : Synchronize sequence numbers
FIN : No more data from sender

Window

The number of data octets beginning with the one indicated in the acknowledgment field which the sender of this segment is willing to accept.

Checksum

The checksum field is the 16 bit one's complement of the one's complement sum of all 16 bit words in the header and text. If a segment contains an odd number of header and text octets to be checksummed, the last octet is padded on the right with zeros to form a 16 bit word for checksum purposes. The pad is not transmitted as part of the segment. While computing the checksum, the checksum field itself is replaced with zeros.

Urgent pointer

This field communicates the current value of the urgent pointer as a positive offset from the sequence number in this segment. The urgent pointer points to the sequence number of the octet following the urgent data. This field is only interpreted in segments with the URG control bit set.

Options ( variable )

The option field is variable in length.
Options may occupy space at the end of the TCP header and are a multiple of octets in length. All options are included in the checksum. An option may begin on any octet boundary.

Padding ( variable )

The field is variable in length.
The TCP header padding is used to ensure that the TCP header ends and data begins on a 32 bit boundary. The padding is composed of zeros.

 

User data

The data frame is displayed in hexadecimal.
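The following Python sketch decodes the TCP header fields described above and uses the data offset to locate the options and the user data. It is an added example, not part of the LIAN 98 manual; `parse_tcp` and the sample segment are constructed for illustration, with destination port 2404 chosen because it is the registered port for IEC 60870-5-104. The checksum is not verified here.

```python
import struct

CONTROL_BITS = (("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08),
                ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))

# Constructed sample: SYN to port 2404 with one 4-byte option, so the
# data offset is 6 double words and the header is 24 bytes long.
SAMPLE_SEGMENT = bytes.fromhex(
    "c0000964" "000003e8" "00000000" "60022000" "00000000" "020405b4")

def parse_tcp(segment: bytes) -> dict:
    if len(segment) < 20:
        raise ValueError("shorter than the minimum TCP header")
    (sport, dport, seq, ack, off_flags,
     window, _cksum, urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = off_flags >> 12             # header length in 32-bit units
    header_len = data_offset * 4
    if data_offset < 5 or header_len > len(segment):
        raise ValueError(f"invalid data offset {data_offset}")
    flags = [name for name, bit in CONTROL_BITS if off_flags & bit]
    notes = []
    if off_flags & 0x0FC0:
        # RFC 793 reserves these six bits; later RFCs assign some of them (ECN).
        notes.append("reserved bits are not zero")
    if urgent and "URG" not in flags:
        notes.append("urgent pointer set without URG")
    if ack and "ACK" not in flags:
        notes.append("acknowledgment number set without ACK")
    return {
        "sport": sport, "dport": dport, "flags": flags, "window": window,
        "seq": seq,
        # With SYN the field carries the ISN and the first data octet is ISN + 1.
        "first_data_seq": (seq + 1) % 2**32 if "SYN" in flags else seq,
        "ack": ack if "ACK" in flags else None,        # significant only with ACK
        "urgent": urgent if "URG" in flags else None,  # significant only with URG
        "options": segment[20:header_len],
        "user_data": segment[header_len:],
        "notes": notes,
    }
```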

 

UDP header :

For more detailed information about the UDP header,
read the document <RFC 768 : User Datagram Protocol> on the IETF Site.

 

 

Source port

Identifies the port from which the frame is initiated.

Destination port

Destination port for which the frame is intended.

Length

Is the length of the datagram, measured in octets, including this header and data. This means the minimum value of the length is eight.

Checksum

Checksum is the 16-bit one's complement of the one's complement sum of a pseudo header of information from the IP header, the UDP header, and the data, padded with zero octets at the end ( if necessary ) to make a multiple of two octets.

 

User data

Data octets are displayed in hexadecimal and as ASCII characters.

 


MAYR Software

Wuerzburger Ring 39,  D 91056 Erlangen

Manual LIAN 98


LIAN 98 Protocol Router, Simulator and Analyzer
© Copyright 2001, 2006, 2011 by Werner Mayr. All Rights reserved.