
Networking 101: Layers (Part 3 of 3)

In my previous guide on network communication I showed you the big picture, but you didn’t get to see any real packets.  It still felt like a bunch of theory.  So today I decided to fire up Wireshark so I could show you exactly what’s happening behind the scenes.

Are you ready for this?

Let’s do it baby.

Packet captures!

Let’s look at some live packet captures on my Windows 8.1 computer.

After going to fixedbyvonnie.com you can see the DNS query reply from to my PC at

DNS is an Application Layer protocol that uses UDP, so it doesn’t need the overhead of acknowledgements and sequence numbers to guarantee delivery.  If a DNS PDU is lost, the host just resends the request.

Wireshark shows all the action in the bottom pane like this:

  • Frame (Physical Layer)
  • Ethernet II (Data Link Layer)
  • Internet Protocol Version 4 (Network Layer)
  • User Datagram Protocol (Transport Layer)
  • Domain Name System (response) (Application Layer)

In other words, Wireshark shows the protocol in use at each layer rather than the layer name.  The output below shows the resolved hostname.
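To make the layer-by-layer view concrete, here is an added example (my own code, not from the original post) that dissects a constructed Ethernet II / IPv4 / UDP / DNS response frame the same way Wireshark’s bottom pane does, peeling one header per layer.  The MAC addresses are the ones from the post; the IP addresses, ports and DNS transaction id are made up for the example.

```python
import struct

def build_sample_frame():
    """Constructed sample frame (not a real capture): a DNS response
    travelling gateway -> PC.  IPs/ports/id are invented for the example."""
    dns = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # id, flags (QR=1 -> response), counts
    udp = struct.pack("!HHHH", 53, 51234, 8 + len(dns), 0)      # src port 53, dst port, length, checksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes([192, 168, 1, 1]), bytes([192, 168, 1, 10]))  # proto 17 = UDP
    eth = (bytes.fromhex("08002707ca05")      # dst MAC: my PC (from the post)
           + bytes.fromhex("525400123502")    # src MAC: default gateway (from the post)
           + struct.pack("!H", 0x0800))       # EtherType 0x0800 = IPv4
    return eth + ip + udp + dns

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ipv4(b):
    return ".".join(str(x) for x in b)

def dissect(frame):
    """Return [(layer, protocol, fields), ...] from the outermost header inwards,
    stopping early if a layer is not the protocol this example understands."""
    layers = [("Physical Layer", "Frame", {"length": len(frame)})]
    dst, src, etype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    layers.append(("Data Link Layer", "Ethernet II", {"src": mac(src), "dst": mac(dst), "type": hex(etype)}))
    if etype != 0x0800:
        return layers
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                  # header length in bytes (options included)
    proto = ip[9]
    layers.append(("Network Layer", "IPv4", {"src": ipv4(ip[12:16]), "dst": ipv4(ip[16:20]), "proto": proto}))
    if proto != 17:
        return layers
    udp = ip[ihl:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    layers.append(("Transport Layer", "UDP", {"src_port": sport, "dst_port": dport, "length": ulen}))
    if 53 not in (sport, dport):
        return layers
    tid, flags, _qd, an = struct.unpack("!HHHH", udp[8:16])
    layers.append(("Application Layer", "DNS", {"id": hex(tid), "response": bool(flags & 0x8000), "answers": an}))
    return layers

if __name__ == "__main__":
    for layer, proto, fields in dissect(build_sample_frame()):
        print(f"{proto} ({layer}): {fields}")
```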

Looking at DNS in Wireshark

If you look at the next cluster of PDUs in the capture, you’ll see the TCP SYN, SYN-ACK, ACK three-way handshake between my computer and the server.

Wireshark Three-Way Handshake

Next you can actually see the HTTP request in the Application Layer for my homepage.  The root page is designated by a slash (/) in the request line, and the server usually serves it as index.php to display the web document.

HTTP request for my homepage

Very cool!

Let’s move down the TCP/IP stack to the Transport Layer.

This is an HTTP request, so it uses TCP to guarantee the segment arrives at the destination.

You can see the destination port is 80, which is the well-known port for web servers.

You can also see the sequence number and acknowledgement number.  The sequence number is how TCP puts all the segments in order at the destination, and the acknowledgement number tells the sender which data has arrived so that lost segments can be resent.

Looking at the Transport Layer in Wireshark

Let’s move down to the juicy Network Layer.

Notice that as we move down the TCP/IP stack each layer wraps its own header around what the layer above handed it.  This is encapsulation in action!

Wireshark at the Network Layer

IP is all about IP addresses so it’s no surprise that we see the source and destination addresses in the IP header here.

Let’s see what happened at the Data Link Layer.

My source address is: 08:00:27:07:ca:05 and 52:54:00:12:35:02 is the destination address of my default gateway router.

Looking at MAC addresses in Wireshark at Layer 2

The last layer is the Physical Layer.  Wireshark shows you general facts about the highlighted frame.  (Frame 11 in this example).  It’s a summary of the frame contents.

Wireshark Frame Info

That’s it!

That’s how it works!

And guess what?

You now know how it works.

The Bottom Line

So here’s the big review:

  • Routers are layer 3 devices because they make forwarding decisions based on layer 3 addresses.
  • Switches are considered layer 2 devices because they make forwarding decisions based on layer 2 addresses.
  • Hubs, NICs, Wi-Fi cards, cables and connectors are at layer 1.

Layer 2 has MAC addresses, and the NIC is also a Layer 2 device because it holds the MAC address.  Switches are bridges with more ports; they also work at layer 2 since they understand physical addresses.

At Layer 3 we use IPv4 and IPv6.  Routers live here and the protocol data units (PDUs) used here are called Packets.

And here’s a quick review of the terms:

  • MAC address and Physical Address and Layer 2 addresses are the same thing.
  • Frames are Protocol Data Units (PDUs) at Layer 2
  • Packets are PDUs at Layer 3
  • Segments are PDUs at Layer 4
  • Data is just called a PDU at the Application Layer

I hope these tutorials have been helpful.

It took me a long time to really understand how this works, but I hope I was able to shortcut that process for you.

The best way to really get comfortable with everything is NOT to memorize terms and definitions.  You need to bust open a protocol analyzer like Wireshark and start analyzing PDUs.  This is the best way to learn how devices communicate.

Using Wireshark to understand Network Communication

Here’s what I would do:

To have the best packet capture you should clear your ARP cache and flush any DNS entries cached on your machine.  This will let you see the ARP broadcasts, replies and DNS queries in the packet capture.

First, I want you to view all the cached ARP entries on your computer.

arp -a

Remember, ARP is responsible for resolving IP addresses to MAC addresses.  The first time you send a PDU destined to a network off your LAN, TCP/IP sends an ARP broadcast asking everyone on the LAN for the MAC address of the default gateway.  Once it has the MAC it can send the PDU directly to the default gateway and get out to the internet.

To clear the ARP cache type:

arp -d

Windows ARP Cache

The graphic above shows the MAC address of my default gateway.

Next you should flush any previously resolved hostname to IP entries so you can see the DNS queries in your packet capture.

ipconfig /flushdns


By the way, “arp -a” and “arp -d” also work in Mac OS X but flushing your DNS is a completely different command:

In Mac OS X Yosemite type:

sudo discoveryutil mdnsflushcache

In Mac OS X Mavericks, Mountain Lion or Lion use:

sudo killall -HUP mDNSResponder

And in super old versions of Mac OS X type:

sudo dscacheutil -flushcache

Now you have everything you need to start analyzing your own packet captures.

  1. Fire up your web browser
  2. Fire up Wireshark
  3. Select a capture interface
  4. Start the capture
  5. Go to your favorite website
  6. Stop the capture.

My final challenge to you is this:
After you’ve looked at the packet captures, email me (vonnie@fixedbyvonnie.com) and tell me in your own words how networks communicate. If you can pull this off – you’ve proven to yourself that you have what it takes and you’ll make me proud!

The end!

Now you know the basics of networking.  Oh wait, one more thing: here are all the networking posts in the Networking 101 series so far:

Let me know what you thought about the series in the comments below.  Also please share any questions you have in the comments.

Thank you!
