To successfully troubleshoot Transmission Control Protocol/Internet Protocol (TCP/IP) problems on a local area network (LAN), it is important to understand how IP datagrams and Address Resolution Protocol (ARP) messages are encapsulated when sent by a computer running a member of the Microsoft Windows Server 2003 family or Windows XP on LAN technology links such as Ethernet, Token Ring, Fiber Distributed Data Interface (FDDI), and Institute of Electrical and Electronics Engineers (IEEE) 802.11. For example, IP datagrams sent over an Ethernet network segment can be encapsulated two different ways. If two hosts are not using the same encapsulation, communication cannot occur. It is also important to understand LAN technology encapsulations to correctly interpret the Ethernet, Token Ring, and FDDI portions of the frame when using Microsoft Network Monitor.
Because IP datagrams are an Open Systems Interconnection (OSI) Network Layer entity, IP datagrams must be encapsulated with a Data Link Layer header and trailer before being sent on the physical medium. The Data Link Layer header and trailer provide the following services:
The particular way a network type (such as Ethernet or Token Ring) encapsulates data to be transmitted is called a frame format. The frame format corresponds to the information placed on the frame at the Logical Link Control (LLC) and Media Access Control (MAC) sublayers of the OSI Data Link Layer, and the frame format manifests itself as a header and trailer. If multiple frame formats exist for a given network type (such as Ethernet), the frame formats represent different header and trailer structures and are therefore incompatible with each other. In other words, all the nodes on the same network segment (bounded by routers) must use the same frame format to communicate.
This chapter is a discussion of Ethernet, Token Ring, FDDI, and IEEE 802.11 LAN technologies and their frame formats for IP datagrams and ARP messages. ARCnet is not discussed, as it is not a widely used networking technology.
Ethernet evolved from a 9.6 kilobit-per-second (Kbps) radio transmission system developed at the University of Hawaii called ALOHA. A key feature of ALOHA was that all transmitters shared the same channel and contended for access to the channel to transmit. This became the basis for the contention-based Ethernet that we know today.
In 1972, the Xerox Corporation created a 2.94-megabit-per-second (Mbps) network based on the principles of the ALOHA system. This new network, called Ethernet, featured carrier sense, in which the transmitter listens before attempting to transmit. In 1979, Digital, Intel, and Xerox (DIX) created an industry standard 10-Mbps Ethernet known as Ethernet II. In 1981, the IEEE Project 802 formed the 802.3 subcommittee to make 10-Mbps Ethernet an international standard. In 1995, the IEEE approved a 100-Mbps version of Ethernet called Fast Ethernet.
Ethernet existed before the IEEE 802.3 specification and, because there are multiple Ethernet standards, there are multiple ways of encapsulating data to be transmitted on an Ether-net network. This can be very confusing when two hosts on an Ethernet network segment cannot communicate, even though they are using the correct communication protocol (such as TCP/IP) and Application Layer protocol (such as File Transfer Protocol [FTP]).
More Info |
IP datagrams and ARP messages sent on an Ethernet network segment use either Ethernet II encapsulation (described in RFC 894) or IEEE 802.3 Sub-Network Access Protocol (SNAP) encapsulation (described in RFC 1042). These RFCs are included in the Rfc folder on the companion CD-ROM. |
The Ethernet II frame format was defined by the Ethernet specification created by Digital, Intel, and Xerox before the IEEE 802.3 specification. The Ethernet II frame format is also known as the DIX frame format. Figure 1-1 shows Ethernet II encapsulation for anIP datagram.
Figure 1-1: The Ethernet II frame format showing the Ethernet II header and trailer.
Ethernet II Header and Trailer
The fields in the Ethernet II header and trailer are defined as follows:
Note |
The Preamble field is not visible with Network Monitor. |
The EtherType field acts as the protocol identifier for the Ethernet II frame format. For an IP datagram, the field is set to 0x0800. For an ARP message, the EtherType field is set to 0x0806. The current list of defined EtherType field values can be found at http://www.iana.org/assignments/ethernet-numbers.
The FCS calculation consists of dividing a 33-bit prime number into the number consisting of the bits in the frame (not including the Preamble and FCS fields). The result of the division is a quotient and a remainder. The 4-byte FCS field is set to the remainder, which is always a 32-bit value. The FCS can detect 100 percent of all single-bit errors. Although it is mathematically possible to selectively change multiple bits in the frame without invalidating the value of the FCS field, it is highly improbable that the type of random noise and damage that occurs on networks will result in a frame with bits that are changed, but retains a valid FCS.
The FCS calculation provides only a bit-level integrity service, not a data integrity or authentication service. A valid FCS does not imply that only the node with the unicast address stored in the Source Address field could have sent it and that it was not modified in transit. The FCS calculation is well known and an intermediate node could easily intercept the frame, alter its contents, perform the FCS calculation, and place the new value in the FCS field before forwarding the frame. The receiver of the frame could not detect that the frame contents were altered using just the FCS field. For data integrity and authentication services, use Internet Protocol Security (IPSec). For more information on IPSec, see Chapter 22, "Internet Protocol Security (IPSec)."
The FCS field provides only bit-level error detection, not error recovery. When the receiver-calculated FCS value does not match the value of the FCS storedin the frame, the only conclusion that can be reached is that, somewhere in the frame, a bit or bits were changed. The FCS calculation does not produce any information on where the error occurred or how to correct it, but other types of CRC calculations do provide this information. An example of such a CRC calculation is the 1-byte Header Checksum field in the Asynchronous Transfer Mode (ATM) cell header, which provides error detection and limited errorrecovery services for the bits in the ATM header.
Note |
The FCS field is not visible with Network Monitor. |
The following Network Monitor trace (Capture 01-01, included in the Captures folder on the companion CD-ROM) shows the Ethernet II frame format for an IP datagram:
+ Frame: Base frame properties ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol + ETHERNET: Destination address : 001054CAE140 + ETHERNET: Source address : 00600852F9D8 ETHERNET: Frame Length : 74 (0x004A) ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol) ETHERNET: Ethernet Data: Number of data bytes remaining = 60 (0x003C) + IP: ID = 0xAE09; Proto = ICMP; Len: 60 + ICMP: Echo: From 192.168.160.186 To 192.168.160.01
Note |
The ETHERNET: Frame Length and ETHERNET: Ethernet Data fields are Network Monitor informational fields, and do not correspond to fields that are physically present in the Ethernet header. |
The Ethernet Interframe Gap
Unlike Token Ring and FDDI, Ethernet frame formats do not have a way to explicitly indicate the end of the frame. Rather, Ethernet frames use an implied postamble by leaving a gap between each Ethernet frame. This gap, known as the Ethernet interframe gap, is used to space Ethernet frames. The Ethernet interframe gap is a specific measure of the time required to send 96 bits of data (9.6 s on a 10-Mbps Ethernet network segment).
The Ethernet interframe gap is used as a postamble; after receiving bits of a frame, if the wire falls silent for 96 bit times, the last bit in the received frame occurred 96 bit times ago.
Ethernet Minimum Frame Size
All Ethernet frames must carry a minimum payload of 46 bytes. The Ethernet minimum frame size is a result of the Ethernet collision detection scheme applied to a maximum-extent Ethernet network. To detect a collision, Ethernet nodes must be transmitting long enough for the signal indicating the collision to be propagated back to the sending node. The maximum-extent Ethernet network consists of Ethernet segments configured using 10Base5 cabling and the IEEE 802.3 Baseband 5-4-3 rule.
The IEEE 802.3 Baseband 5-4-3 rule states that there can be a maximum of five physical segments between any two nodes, with four repeaters between the nodes. However, only three of these physical segments can have connected nodes (populated physical segments). The other two physical segments can be used only to link physical segments to extend the network length. Repeaters count as a node on the physical segment. When using 10Base5 cabling, each physical segment can be up to 500 meters long. Therefore, an Ethernet network's maximum linear length is 2500 meters.
Figure 1-2 shows Ethernet Node A and Ethernet Node B at the farthest ends of a 5-4-3 network using 10Base5 cabling.
Figure 1-2: The maximum-extent Ethernet network and the slot time.
When Node A begins transmitting, the signal must propagate the network length. In the worst-case collision scenario, Node B begins to transmit just before the signal for Node A's frame reaches it. The collision signal of Node A and Node B's frame must travel back to Node A for Node A to detect that a collision has occurred.
The time it takes for a signal to propagate from one end of the network to the other is known as the propagation delay. In this worst-case collision scenario, the time that it takes for Node A to detect that its frame has been collided with is twice the propagation delay. Node A's frame must travel all the way to Node B, and then the collision signal must travel all the way from Node B back to Node A. This time is known as the slot time. An Ethernet node must be transmitting a frame for the slot time for a collision with that frame to be detected. This is the reason for the minimum Ethernet frame size.
The propagation delay for this maximum-extent Ethernet network is 28.8 s. Therefore, the slot time is 57.6 s. To transmit for 57.6 s with a 10 Mbps bit rate, an Ethernet node must transmit 576 bits. Therefore, the entire Ethernet frame, including the Preamble field, must be a minimum size of 576 bits, or 72 bytes long. Subtracting the Preamble (8 bytes), Source Address (6 bytes), Destination Address (6 bytes), EtherType (2 bytes), and FCS (4 bytes) fields, the minimum Ethernet payload size is 46 bytes.
Upper layer PDUs smaller than 46 bytes are padded to 46 bytes, ensuring the minimum Ethernet frame size. This padding is not part of the IP datagram or the ARP message, and is not included in any length indicator fields within the IP datagram or ARP message. For example, this padding is not included in the IP header's Total Length field, which indicates only the size of the IP datagram, and is used to discard the padding bytes.
The IEEE 802.3 frame format is the result of the IEEE 802.2 and 802.3 specifications, and consists of an IEEE 802.3 header and trailer and an IEEE 802.2 LLC header. Figure 1-3 shows the IEEE 802.3 frame format.
Figure 1-3: The IEEE 802.3 frame format showing the IEEE 802.3 header and trailer and the IEEE 802.2 header.
IEEE 802.3 Header and Trailer
The fields in the IEEE 802.3 header and trailer are defined as follows:
Note |
The Preamble and Start Delimiter fields are not visible with Network Monitor. |
IEEE 802.2 LLC Header
The fields in the IEEE 802.2 LLC header and trailer are defined as follows:
The DSAP and SSAP fields act as protocol identifiers for the IEEE 802.3frame format. The defined value for the DSAP and SSAP fields for IP is 0x06. However, it is not used in the industry. Instead, the SNAP header is used to encapsulate IP datagrams with an IEEE 802.3 header. The SNAP header is discussed in greater detail in the section entitled "IEEE 802.3 SNAP," later in this chapter. The current list of defined DSAP and SSAP values can be found at http://www.iana.org/assignments/ieee-802-numbers.
A Type 1 LLC operation (a 1-byte Control field) is a connectionless, unreliable LLC datagram. With an LLC datagram, LLC is not providing reliable delivery service on behalf of the upper layer protocol. A Type 1 LLC datagram is known as an Unnumbered Information (UI) frame and is indicated by setting the Control field to the value 0x03.
A Type 2 LLC operation (a 2-byte Control field) is a connection-oriented, reliable LLC session. Type 2 LLC frames are used when LLC is providing reliable delivery service for the upper layer protocol.
For IP datagrams and ARP messages, reliable LLC services are never used. Therefore, IP datagrams and ARP messages are always sent as a Type 1 LLC datagram with the Control field set to 0x03 to indicate a UI frame.
Differentiating an Ethernet II Frame from an IEEE 802.3 Frame
It is common for a network operating system to support multiple frame formats simultaneously. TCP/IP for the Windows Server 2003 family and Windows XP supports both Ethernet II and IEEE 802.3 frame formats for IP datagrams and ARP messages. There are many similarities between the Ethernet II and IEEE 802.3 frame formats, such as the following:
The ability to differentiate between the Ethernet II and the IEEE 802.3 frame formats lies in the first 2 bytes past the Source Address field. For the Ethernet II frame format, these 2 bytes are the EtherType field. For the IEEE 802.3 frame format, these 2 bytes are the Length field. The following algorithm is used to determine whether these 2 bytes are an EtherType field or a Length field:
This comparison can be made because there are no defined EtherType values less than 0x05DC. The lowest EtherType value is 0x0600, used to indicate the Xerox Network Systems (XNS) protocol.
Although there is a defined value of 0x06 for the Service Access Point (SAP) for IP, it is not used in the industry. RFC 1042 states that IP datagrams and ARP frames sent over IEEE 802.3, 802.4, and 802.5 networks must use the SNAP encapsulation.
The IEEE 802.3 SNAP was created as an extension to the IEEE 802.3 specification to allow protocols that were designed to operate with an Ethernet II header to be used in an IEEE 802.3–compliant environment. Figure 1-4 shows the IEEE 802.3 SNAP frame format.
Figure 1-4: The IEEE 802.3 SNAP frame format showing the SNAP header and an IP datagram.
To denote a SNAP frame, the DSAP and SSAP fields are set to the SNAP-defined value of 0xAA within the LLC header. Because all SNAP-encapsulated payloads are not using reliable LLC services, every SNAP frame is an LLC datagram. Therefore, the Control field is set to 0x03 to indicate a UI frame.
The SNAP header consists of the following two fields:
Because of the increased overhead of the LLC header (3 bytes total) and the SNAP header (5 bytes), the payload for an IEEE 802.3 SNAP frame has a maximum size of 1492 bytes and a minimum size of 38 bytes. Padding is added when needed to ensure that the payload is at least 38 bytes long.
The following Network Monitor trace (Capture 01-02, included in the Captures folder on the companion CD-ROM) shows the IEEE 802.3 SNAP frame format for an ARPRequest frame:
+ Frame: Base frame properties ETHERNET: 802.3 Length = 50 + ETHERNET: Destination address : FFFFFFFFFFFF + ETHERNET: Source address : 00AA004BB147 ETHERNET: Frame Length : 50 (0x0032) ETHERNET: Data Length : 0x0024 (36) ETHERNET: Ethernet Data: Number of data bytes remaining = 36 (0x0024) LLC: UI DSAP=0xAA SSAP=0xAA C LLC: DSAP = 0xAA : INDIVIDUAL : Sub-Network Access Protocol (SNAP) LLC: SSAP = 0xAA: COMMAND : Sub-Network Access Protocol (SNAP) LLC: Frame Category: Unnumbered Frame LLC: Command = UI LLC: LLC Data: Number of data bytes remaining = 33 (0x0021) SNAP: ETYPE = 0x0806 SNAP: Snap Organization code = 00 00 00 SNAP: Snap etype : 0x0806 SNAP: Snap Data: Number of data bytes remaining = 28 (0x001C) + ARP_RARP: ARP: Request, Target IP: 192.168.50.2
Note |
The ETHERNET: Data Length, ETHERNET: Ethernet Data, LLC: Frame Category, LLC: LLC Data, and SNAP: Snap Data fields are Network Monitor informational fields and do not correspond to fields that are physically present in the Ethernet header. |
By default, TCP/IP for the Windows Server 2003 family and Windows XP uses Ether-net II encapsulation when sending and receiving frames on an Ethernet network.TCP/IP for the Windows Server family 2003 and Windows XP receives both types offrame formats but, by default, only responds with Ethernet II encapsulated frames. To send IEEE 802.3 SNAP encapsulated IP and ARP messages, use the following registry setting:
ArpUseEtherSNAP
Location: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices TcpipParameters Data type: REG_DWORD Valid range: 0–1 Default value: 0 Present by default: No
ArpUseEtherSNAP either enables (when set to 1) or disables (when set to 0) the use of the IEEE 802.3 SNAP frame format when sending IP and ARP frames. ArpUseEtherSNAP is disabled by default, meaning that IP and ARP frames are sent with Ethernet II encapsulation. Regardless of the ArpUseEtherSNAP setting, both types of frame formats are received.
With ArpUseEtherSNAP disabled, TCP/IP for the Windows Server 2003 family andWindows XP recognizes a SNAP-encapsulated ARP Request message and responds with an Ethernet II–encapsulated ARP Reply frame. The assumption is that the node sending the ARP Request message will recognize the Ethernet II encapsulation on the ARP Reply and use Ethernet II encapsulation for subsequent communications. If the node sending the ARP Request does not switch, IP communication between the node sending the ARP Request and the node sending the ARP Reply is impossible.
With ArpUseEtherSNAP enabled, TCP/IP for the Windows Server 2003 family andWindows XP switches to Ethernet II encapsulation if one of the following two scenarios occurs: a SNAP-encapsulated ARP Request frame is responded to with an Ethernet II–encapsulated ARP Reply frame, or an Ethernet II–encapsulated ARP Request is received.
Within the Source Address and Destination Address fields of the Ethernet II and IEEE 802.3 frame formats, special bits are defined, as Figure 1-5 shows.
Figure 1-5: The special bits defined for Ethernet source and destination MAC addresses.
The Individual/Group Bit
The Individual/Group (I/G) bit is used to indicate whether the address is a unicast(individual) or multicast (group) address. For a unicast address, the I/G bit is set to 0. For a multicast address, the I/G bit is set to 1. The broadcast address is a special case of multicast and its I/G bit is set to 1. The I/G bit is also known as the multicast bit.
The Universal/Locally Administered Bit
The Universal/Locally (U/L) Administered bit is used to indicate whether the IEEE allocated the address. For a universal address allocated by the IEEE, the U/L bit is set to 0. Universal addresses are guaranteed to be universally unique because network adapter manufacturers obtain universally unique vendor identifiers from the IEEE and assign unique 3-byte serial numbers to each network adapter. The 6-byte physical address of a network adapter, as programmed into the adapter during the manufacturing process, is a universally administered address.
For a locally administered address, the U/L bit is set to 1. Some network adapters allow you to override the network adapter's physical address and specify a new physicaladdress. In this case, the new address must have the U/L bit set to 1 to indicate that it is locally administered.
The U/L bit is significant only for unicast addresses (the I/G bit is set to 0). When the I/G bit is set to 1, this bit does not imply a locally or universally administered address. The U/L bit is relevant for both the Source Address and Destination Address.
Routing Information Indicator Bit
The Routing Information Indicator bit indicates whether MAC-level routing information is present. This bit is meaningful only for Token Ring addresses. Token Ring has a MAC-level routing mechanism known as Token Ring source routing. Even though this bit is meaningless for Ethernet addresses, it is still reserved and set to 0 to prevent problems when employing a translating bridge or Layer 2 switch between an Ethernet segment and a Token Ring ring.
For example, suppose the Routing Information Indicator bit is not reserved at the value of 0 for Ethernet addresses, and this bit is set to 1 through a universal or locally administered address. When the address is translated to a Token Ring address, the Routing Information Indicator bit is set to 1 when there is no source routing information present, which can cause the Token Ring node to drop the frame.
The following Network Monitor trace (Capture 01-03, included in the Captures folder on the companion CD-ROM) shows the special bits for Ethernet MAC addresses:
+ Frame: Base frame properties ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol ETHERNET: Destination address : 01005E400009 ETHERNET: .......1 = Group address ETHERNET: ......0. = Universally administered address ETHERNET: Source address : 00E034C0A060 ETHERNET: .......0 = No routing information present ETHERNET: ......0. = Universally administered address ETHERNET: Frame Length : 591 (0x024F) ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol) ETHERNET: Ethernet Data: Number of data bytes remaining = 577 (0x0241) + IP: ID = 0xDBD2; Proto = UDP; Len: 577 + UDP: IP Multicast: Src Port: Unknown, (3985); Dst Port: Unknown (20441); Length = 557 (0x22D)
Token Ring is a ring access network technology originally proposed by Olaf Soderblum in 1969. IBM purchased the rights to the original design and created and released its Token Ring product in 1984. Key elements of the original IBM design were the use of proprietary connectors, twisted-pair cable out to the network node, and structured wiring systems using centralized active hubs.
In 1985, the IEEE Project 802 created the 802.5 subcommittee and Token Ring became an international standard. IBM created Token Ring to replace Ethernet as the most popular LAN technology. Although Token Ring is in many ways a superior technology to Ethernet, a combination of cost issues and marketing has made it less popular than Ethernet.
The original specification was for a 4 Mbps transmission rate, but that was followed by an additional specification at 16 Mbps. On the same ring, all nodes must operate at the same speed. Common implementations use 4-Mbps rings connected together, using 16-Mbps rings as a high-speed backbone.
More Info |
IP and ARP encapsulation over Token Ring networks are described in RFC 1042, which can be found in the Rfc folder on the companion CD-ROM. |
The IEEE 802.5 frame format is the result of the IEEE 802.2 and 802.5 specifications, and consists of an IEEE 802.5 header and trailer and an IEEE 802.2 LLC header. The IEEE 802.5 frame format is shown in Figure 1-6.
Figure 1-6: The IEEE 802.5 frame format showing the IEEE 802.5 header and trailer and the IEEE 802.2 header.
IEEE 802.5 Header and Trailer
The fields in the IEEE 802.5 header and trailer are defined as follows:
Note |
The Start Delimiter field is not visible with Network Monitor. |
Two bits within the Frame Control field are reserved.
The FCS is checked as it passes each node on the ring. If the FCS fails at any node, the Error bit in the End Delimiter field is set to 1 and the receiving node does not copy the frame.
Because there is no Length field in the IEEE 802.5 frame, the End Delimiter is used to locate the end of the payload and the position of the FCS and Frame Status fields.
Two copies of each indicator are needed because the FCS field does not protect the Frame Status field.
The Address Recognized and Frame Copied indicators are not used as acknowledgments for reliable data delivery. The sending Token Ring network adapter uses these indicators to retransmit the frame, if necessary.
Note |
The FCS, End Delimiter, and Frame Status fields are not visible withNetwork Monitor. |
IEEE 802.2 LLC Header
The fields in the IEEE 802.2 LLC header are defined and used in the same way as theIEEE 802.2 LLC header for the IEEE 802.3 frame format, as discussed in the sectionentitled "IEEE 802.3," earlier in this chapter.
As described earlier in this chapter, the value of 0x06 is defined as the SAP for IP. However, it is not defined for use in RFC 1042 and not used in the industry. Therefore, similar to the case of IEEE 802.3 frames, to send an IP datagram over an IEEE 802.5 network, the IP datagram must be encapsulated using SNAP, as Figure 1-7 shows.
Figure 1-7: The IEEE 802.5 SNAP frame format showing the SNAP header and an IP datagram.
The following Network Monitor trace (Capture 01-04, included in the Captures folder on the companion CD-ROM) shows the IEEE 802.5 SNAP frame format for an IP datagram:
+ Frame: Base frame properties TOKENRING: Length = 66, Priority Normal (No token) LLC Frame TOKENRING: Access control = 16 (0x10) Original, Frame, Priority: Normal (No token) TOKENRING: .....000 Reservation bits: Reservation = Normal, No token needed. TOKENRING: ....0... Monitor bit = Original (non-repeated) TOKENRING: ...1.... Token bit = Frame TOKENRING: 000..... Priority bits: Priority = Normal, No token needed. TOKENRING: Frame control = 64 (0x40), LLC Frame TOKENRING: ....0000 Control bits = Normal Buffered TOKENRING: 01...... Frame type = LLC Frame + TOKENRING: Destination address : 400030370AF4 + TOKENRING: Source address : 10007038213A TOKENRING: Frame length : 66 (0x0042) TOKENRING: Tokenring data: Number of data bytes remaining = 52 (0x0034) LLC: UI DSAP=0xAA SSAP=0xAA C LLC: DSAP = 0xAA : INDIVIDUAL : Sub-Network Access Protocol (SNAP) LLC: SSAP = 0xAA: COMMAND : Sub-Network Access Protocol (SNAP) LLC: Frame Category: Unnumbered Frame LLC: Command = UI LLC: LLC Data: Number of data bytes remaining = 49 (0x0031) SNAP: ETYPE = 0x0800 SNAP: Snap Organization code = 00 00 00 SNAP: Snap etype : 0x0800 SNAP: Snap Data: Number of data bytes remaining = 44 (0x002C) + IP: ID = 0xCA3D; Proto = TCP; Len: 44 + TCP: ....S., len: 0, seq:364446-364446, ack: 0, win: 16384, src:50982 dst: 21
Note |
The TOKENRING: Frame length, TOKENRING: Tokenring data, LLC: Frame Category, LLC: LLC Data, and SNAP: Snap Data fields are Network Monitor informational fields and do not correspond to fields that are physically present in the Token Ring header. |
For a 10-millisecond (ms) token-holding time, the maximum sizes for IP datagrams are 4464 bytes for 4-Mbps Token Ring network adapters and 17,914 bytes for 16-Mbps Token Ring network adapters. If Token Ring source-routing bridges are present, the maximum size of IP datagrams can be 508, 1020, 2044, 4092, and 8188 bytes.
More Info |
For more information on Token Ring MTUs, see RFC 1042 in the Rfc folder on the companion CD-ROM. |
Within the Source Address and Destination Address fields of the IEEE 802.5 frame format, special bits are defined, as shown in Figure 1-8.
Figure 1-8: The special bits defined on Token Ring source and destination MAC addresses.
The Individual/Group Bit
Identical to Ethernet, the I/G bit for Token Ring addresses is used to indicate whether the address is a unicast (individual) or multicast (group) address. For unicast addresses, the I/G bit is set to 0. For multicast addresses, the I/G bit is set to 1.
The Universal/Locally Administered Bit
Identical to Ethernet, the U/L Administered bit for Token Ring addresses is used to indicate whether the IEEE has allocated the address. For universal addresses allocated by the IEEE, the U/L bit is set to 0. For locally administered addresses, the U/L bit is set to 1. The U/L bit is relevant for both the Source Address and Destination Address fields.
Functional Address Bit
The Functional Address bit indicates whether the address is a functional address (when set to 0) or a nonfunctional address (when set to 1). Token Ring defines the following two types of multicast addresses:
The Functional Address bit is significant only if the I/G bit is set to 1.
Routing Information Indicator Bit
The Routing Information Indicator bit indicates whether MAC-level routing information is present. In the case of Token Ring, the Routing Information Indicator bit indicates the presence of a source-routing header between the IEEE 802.5 header and the IEEE 802.2 LLC header. Token Ring source routing is not OSI Network Layer routing, but rather a MAC sublayer routing scheme that allows a sending node to discover and specify a route through a defined series of rings and bridges within a Token Ring network segment.
The following Network Monitor trace (Capture 01-04, included in the Captures folder on the companion CD-ROM) shows the special bits for Token Ring addresses:
+ Frame: Base frame properties TOKENRING: Length = 66, Priority Normal (No token) LLC Frame + TOKENRING: Access control = 16 (0x10) Original, Frame, Priority: Normal (No token) + TOKENRING: Frame control = 64 (0x40), LLC Frame TOKENRING: Destination address : 400030370AF4 TOKENRING: Destination Address I/G Bit = Individual address TOKENRING: Destination Address U/L bit = Locally administered address TOKENRING: Destination Address Functional bit = Functional address TOKENRING: Source address : 10007038213A TOKENRING: Source Address Routing bit = No routing information present TOKENRING: Source Address U/L bit = Universally administered address TOKENRING: Frame length : 66 (0x0042) TOKENRING: Tokenring data: Number of data bytes remaining = 52 (0x0034) + LLC: UI DSAP=0xAA SSAP=0xAA C + SNAP: ETYPE = 0x0800 + IP: ID = 0x21E0; Proto = TCP; Len: 44 + TCP: ....S., len: 0, seq:1891988225-1891988225, ack: 0, win: 8192, src:50982 dst: 3180
FDDI is a network technology developed by the American National Standards Institute (ANSI). FDDI is an optical fiber-based token passing ring with a bit rate of 100 Mbps. It was designed to span long distances and, in most implementations, it acts as a campus-wide high-speed backbone. FDDI offers advanced features beyond Token Ring, such as the ability to self-heal a break in the ring and the use of guaranteed bandwidth.
Although not developed by the IEEE as part of the 802 standards, the FDDI specification is quite similar to the IEEE 802.3 and 802.5 specifications; it defines the MAC sublayer of the OSI Data Link Layer and the Physical Layer, and it uses the IEEE 802.2 LLC sublayer. Copper Data Distributed Interface (CDDI) is a version of FDDI that operates over twisted-pair copper wire.
More Info |
RFC 1188 describes IP encapsulation over FDDI networks. You can find RFC 1188 in the Rfc folder on the companion CD-ROM. |
The FDDI frame format is the result of the IEEE 802.2 and ANSI FDDI specifications, and consists of an FDDI header and trailer and an IEEE 802.2 LLC header. Figure 1-9 shows the FDDI frame format.
Figure 1-9: The FDDI frame format showing the FDDI header and trailer and IEEE 802.2 header.
FDDI Header and Trailer
The fields in the FDDI header and trailer are defined as follows:
Note |
The Preamble and Start Delimiter fields are not visible with Network Monitor. |
Similar to Token Ring, the Address Recognized and Frame Copied indicators are not used as acknowledgments for reliable data delivery. Rather, the sending FDDI network adapter uses these indicators to retransmit the frame if necessary.
Note |
The FCS, End Delimiter, and Frame Status fields are not visible withNetwork Monitor. |
IEEE 802.2 LLC Header
The fields in the IEEE 802.2 LLC header are defined and used in the same way as the IEEE 802.2 LLC header for the IEEE 802.3 and IEEE 802.5 frame format discussed earlier in this chapter.
Payload
The payload for an FDDI frame consists of a PDU of an upper layer protocol. The entire FDDI frame from the Preamble field to the Frame Status field can be a maximum size of 4500 bytes. Once you subtract the FDDI and IEEE 802.2 LLC headers, the maximum payload size is 4474 bytes with a 3-byte LLC header, and 4473 bytes with a 4-byte LLC header.
As described earlier in this chapter, the value of 0x06 is defined as the SAP for IP.However, it is not defined for use in RFC 1188 and not used in the industry. Therefore, similar to the case of IEEE 802.3 frames and IEEE 802.5 frames, to send an IP datagram over an FDDI network, the IP datagram must be encapsulated using the SNAP header, as shown in Figure 1-10.
Figure 1-10: The FDDI SNAP frame format showing the SNAP header and an IP datagram.
The following Network Monitor trace (Capture 01-05, included in the Captures folder on the companion CD-ROM) shows the FDDI SNAP frame format for an IP datagram:
+ Frame: Base frame properties FDDI: Length = 81, type = 0x57 (LLC). FDDI: Frame control bits = 87 (0x57) FDDI: ..01.... = LLC frame FDDI: 0....... = Asynchronous frame FDDI: .1...... = 48-bit addresses + FDDI: Destination address : 00608C14AF25 + FDDI: Source address : 00608C13182A FDDI: Frame Length : 81 (0x0051) FDDI: Fddi Data: Number of data bytes remaining = 68 (0x0044) LLC: UI DSAP=0xAA SSAP=0xAA C LLC: DSAP = 0xAA : INDIVIDUAL : Sub-Network Access Protocol (SNAP) LLC: SSAP = 0xAA: COMMAND : Sub-Network Access Protocol (SNAP) LLC: Frame Category: Unnumbered Frame LLC: Command = UI LLC: LLC Data: Number of data bytes remaining = 65 (0x0041) SNAP: ETYPE = 0x0800 SNAP: Snap Organization code = 00 00 00 SNAP: Snap etype : 0x0800 SNAP: Snap Data: Number of data bytes remaining = 60 (0x003C) + IP: ID = 0xA665; Proto = ICMP; Len: 60 + ICMP: Echo: From 192.168.44.01 To 192.168.44.254
Note |
The FDDI: Frame Length, FDDI: Fddi Data, LLC: Frame Category, LLC: LLC Data, and SNAP: Snap Data fields are Network Monitor informational fields and do not correspond to fields that are physically present in the FDDI header. |
The maximum-sized IP datagram that can be sent on an FDDI network is 4352 bytes. This number of bytes is the result of taking the maximum FDDI frame size of 4500 bytes and subtracting the FDDI header and trailer (22 bytes), the LLC header (3 bytes), and the SNAP header (5 bytes), and reserving 117 bytes for future purposes.
IP datagrams and ARP messages sent over FDDI networks also have the following constraints:
RFC 1188 does not define how frame priorities are used or how the FDDI node deals with the values of the Address Recognized and Frame Copied indicators.
FDDI nodes send ARP Requests using the Ethernet ARP Hardware Type value of 0x00-01, but can receive ARP Requests using the ARP Hardware Types of 0x00-01 and 0x00-06 (IEEE networks). The use of the Ethernet ARP Hardware Type value is designed to allow FDDI hosts and Ethernet hosts in a bridged or Layer 2 switched environment to send and receive ARP messages.
Because FDDI MAC addresses are defined in the same way as Ethernet MAC addresses, the special bits on FDDI MAC addresses are the same as those defined for Ethernet MAC addresses.
The Network Monitor trace shown in Capture 01-05 (included in the Captures folder on the companion CD-ROM) shows the special bits in the FDDI header.
IEEE 802.11 is a set of standards for wireless LAN technologies. The original 802.11 standard defines wireless networking using either 1 Mbps or 2 Mbps bit rates in the Industrial, Scientific, and Medical (ISM) 2.54 gigahertz (GHz) frequency band. IEEE 802.11b defines a maximum bit rate of 11 Mbps in the 2.54 GHz ISM band. IEEE 802.11a defines a maximum bit rate of 54 Mbps in the 5.8 GHz band. IEEE 802.11b is by far the most widely deployed of the IEEE 802.11 standards.
At the MAC sublayer, IEEE 802.11 (all versions) uses a combination of congestion avoidance and Request to Send (RTS), Clear to Send (CTS), and Acknowledgment (ACK) frames to ensure that only one wireless node is transmitting at a time and that the sent frame is successfully received.
IEEE 802.11 wireless nodes can communicate in the following ways:
To identify a wireless network in either operating mode, IEEE 802.11 uses a Service Set Identifier (SSID).
Because wireless networking uses broadcast radio waves, a wireless node within range of a transmitting wireless node can capture IEEE 802.11 frames and interpret the data. To provide a level of security that is equivalent to a wired network, IEEE 802.11 uses Wired Equivalent Privacy (WEP) to provide data confidentiality (encryption) for IEEE 802.11 payloads.
The IEEE 802.11 frame format consists of an IEEE 802.11 header and trailer and an IEEE 802.2 LLC header. Figure 1-11 shows the IEEE 802.11 frame format.
Figure 1-11: The IEEE 802.11 frame format showing the IEEE 802.11 header and trailer and the IEEE 802.2 header.
IEEE 802.11 Header and Trailer
The fields in the IEEE 802.11 header and trailer for a data frame sent by wireless nodes or by a wireless AP to a wireless node are defined as follows:
IEEE 802.2 LLC Header
The fields in the IEEE 802.2 LLC header are defined and used in the same way as the IEEE 802.2 LLC header for the IEEE 802.3, IEEE 802.5, and FDDI frame formats discussed earlier in this chapter.
Payload
The payload for an IEEE 802.11 frame can be a maximum size of 2312 bytes. IEEE 802.11 payloads can be MAC management frames (such as beacon frames sent by wireless APs), control fames (such as RTS, CTS, and ACK frames), or data frames containing the PDU of an upper layer protocol (such as an IP datagram). If the payload of a data frame is encrypted with WEP, the upper layer PDU is preceded by a plaintext 4-byte Initialization Vector (IV) field and followed with an encrypted 4-byte Integrity Check Value (ICV) field, lowering the maximum upper layer PDU size to 2304 bytes. The IV and ICV fields are not shown in Figure 1-11.
Frame Control Field
Figure 1-12 shows the Frame Control field.
Figure 1-12: The Frame Control field in the IEEE 802.11 header.
The Frame Control field contains the following subfields:
An IP datagram sent over an IEEE 802.11 network must be encapsulated with a SNAP header. Figure 1-13 shows SNAP encapsulation for IP datagrams sent over an IEEE 802.11 link (rather than between wireless APs).
Figure 1-13: The IEEE 802.11 SNAP frame format showing the SNAP header and an IP datagram.
Note |
Because IEEE 802.11 network adapters are represented inside theWindows Server 2003 family and Windows XP as Ethernet adapters, IEEE 802.11 frames captured with Network Monitor are displayed with an Ethernet II header. |
LAN technology encapsulations provide delimitation, addressing, protocol identification, and bit-level integrity services. IP datagrams and ARP messages sent over Ethernet links are encapsulated using either the Ethernet II or IEEE 802.3 SNAP frame formats.IP datagrams and ARP messages sent over Token Ring links are encapsulated using the IEEE 802.5 SNAP frame format. IP datagrams and ARP messages sent over FDDI links are encapsulated using the FDDI SNAP frame format. IP datagrams and ARP messages sent over IEEE 802.11 links are encapsulated using the IEEE 802.11 SNAP frame format.
Part I - The Network Interface Layer
Part II - Internet Layer Protocols
Part III - Transport Layer Protocols
Part IV - Application Layer Protocols and Services