In my previous guide on network communication, there I showed you the big picture of network communication but you didn’t get to see any real packets. It was still felt like a bunch of theory. So today I decided to fire up Wireshark so I could show you exactly what’s happening behind the scenes.
Are you ready for this?
Let’s do it baby.
Let’s look at some live packet captures on my Windows 8.1 computer.
After going to fixedbyvonnie.com you can see the DNS query reply from 18.104.22.168 to my PC at 10.0.2.15.
DNS is an Application Layer protocol that uses UDP so it doesn’t need the overhead of acknowledgements and sequence numbers to guarantee delivery. If a DNS PDU fails, the host just resends the request.
Wireshark shows all the action in the bottom pane like this:
- Frame (Physical Layer)
- Ethernet II (Data Link Layer)
- Internet Protocol Version 4 (Network Layer)
- User Datagram Protocol (Transport Layer)
- Domain Name System (response) Application Layer
In other words, WireShark shows the protocols at each layer rather than the layer name. The output below shows the resolved hostname.
If look at the next cluster of PDUs in the capture, you’ll see the TCP SYN, SYN ACK, ACK three way handshake between my computer and the server.
Next you can actually see the HTTP request in the Application Layer for my homepage. The root page is designated by a backslash and will usually called index.php to display the web document.
Let’s move down the TCP/IP stack to the Transport Layer.
This is a HTTP request so it uses TCP to guarantee the segment arrives at the destination.
You can see the destination port is 80 wich is a webserver favorite.
You can also see the sequence number and acknowledgement number. The sequence number is how TCP puts all the segments in order at the destination and the acknowledgement number is used to resend lost segments.
Let’s move down to the juicy Network Layer.
Notice as we move down the TCP stack each layer adds to the previous layer. This is encapsulation in action!
IP is all about IP addresses so it’s no surprise that we see the source and destination addresses in the IP header here.
Let’s see what happened at the Data Link Layer.
My source address is: 08:00:27:07:ca:05 and 52:54:00:12:35:02 is the destination address of my default gateway router.
The last layer is the Physical Layer. Wireshark shows you general facts about the highlighted frame. (Frame 11 in this example). It’s a summary of the frame contents.
That’s how it works!
And guess what?
You now know how it works.
The Bottom Line
So here’s the big review:
- Routers are layer 3 devices because they make forwarding decisions based on layer 3 addresses.
- Switches are considered layer 2 devices because they make forwarding decisions based on layer 2 addresses.
- Hubs, NICS, Wi-Fi cards, cables and connectors are at layer 1.
Layer 2 has MAC addresses, the NIC is also a Layer 2 device because it has the MAC address. Switches are bridges with more ports they also work at layer 2 since they understand physical addresses.
At Layer 3 we use IPv4 and IPv6. Routers live here and the protocol data units (PDUs) used here are called Packets.
And here’s a quick review of the terms:
- MAC address and Physical Address and Layer 2 addresses are the same thing.
- Frames are Protocol Data Units (PDUs) at Layer 2
- Packets are PDUs at Layer 3
- Segments are PDUs at Layer 4
- Data is just called a PDU at the Application Layer
I hope these tutorials have been helpful.
It took me long time to really understand how this works but I hope I was able to shortcut that process for you.
The best way to really get comfortable with everything is NOT to memorize terms and definitions. You need to bust open a protocol analyzer like Wireshark and start analyzing PDUs. This is the best way to learn how devices communicate.
Using WireShark to understand Network Communication
Here’s what I would do:
To have the best packet capture you should clear your ARP cache and flush any DNS entries cached on your machine. This will let you see the ARP broadcasts, replies and DNS queries in the packet capture.
First, I want you to view all the cached ARP entries on your computer.
Remember, ARP is responsible for resolving IP addresses to MAC addresses. The first time you send a PDU destined to a network off your LAN, TCP/IP sends an ARP broadcast asking everyone on the LAN for the MAC address of the default gateway. Once it has the MAC it can send the PDU directly to the default gateway and get out to the internet.
To clear the ARP cache type:
In the graphic above 10.0.2.2 was the MAC address of my default gateway.
Next you should flush any previously resolved hostname to IP entries so you can see the DNS queries in your packet capture.
By the way, “arp -a” and “arp -d” also work in Mac OS X but flushing your DNS is a completely different command:
In Mac OS X Yosemite type:
sudo discoveryutil mdnsflushcache
In Mac OS X Mavericks, Mountain Lion or Lion use:
sudo killall -HUP mDNSResponder
And in super old versions of Mac OS X type:
sudo dscacheutil -flushcache
Now you have everything you need to start analyzing your own packet captures
- Fire up your web browser
- Fire up Wireshark
- Select a capture interface
- Press e to start the capture
- Go to your favorite website
- Press e again to stop the capture.
My final challenge to you is this:
After you’ve looked at the packet captures, email me (firstname.lastname@example.org) and tell me in your own words how networks communicate. If you can pull this off – you’ve proven to yourself that you have what it takes and you’ll make me proud!
Now you know the basics of networking. Oh wait, one more thing: here are all the networking posts in the Networking 101 series so far:
- Networking 101: The lowdown on how networks really work Part 1
- Networking 101: The lowdown on how networks really work Part 2
- Networking 101: Layers Part 1
- Networking 101: Layers Part 2
- Networking 101: Layers Part 3 (you’re reading it!)
Let me know what you thought about the series in the comments below. Also please share any questions you have in the comments.