Networking
20 June 2011 1 Comment

Wireshark Filters for Ethernet Multicast and Broadcast

On the Ethernet level, multicast traffic (and broadcast, which is just a special case of multicast) can be recognized by the least significant bit of the most significant byte of the MAC address. If this bit is set to 1, then the Ethernet frame is multicast traffic, otherwise it is unicast.

Display Filter for Excluding Broadcast/Multicast Traffic

!(eth.dst[0] & 1)

A display filter is used for packet filtering while viewing captured traffic.
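The bit test behind the display filter above, applied to raw frame bytes in Python. This is an added example, not code from the original post; the sample frames, the source MAC and the function names are constructed for illustration.

```python
import struct

BROADCAST = b"\xff" * 6

def parse_eth_header(frame: bytes):
    """Return (dst, src, ethertype) from the 14-byte Ethernet II header."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return struct.unpack("!6s6sH", frame[:14])

def classify_dst(dst: bytes) -> str:
    """Classify a destination MAC as broadcast, multicast or unicast."""
    if dst == BROADCAST:
        return "broadcast"  # special case of multicast: all 48 bits set
    # Least significant bit of the first byte, i.e. eth.dst[0] & 1
    return "multicast" if (dst[0] & 1) else "unicast"

def unicast_only(frames):
    """Keep the frames the display filter !(eth.dst[0] & 1) would show."""
    return [f for f in frames if not (parse_eth_header(f)[0][0] & 1)]

def fmt_mac(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)

def make_frame(dst: str, ethertype: int) -> bytes:
    """Build a constructed frame: dst, a fixed made-up src, ethertype, padding."""
    src = bytes.fromhex("001122334466")
    return (bytes.fromhex(dst.replace(":", "")) + src
            + struct.pack("!H", ethertype) + b"\x00" * 46)

# Constructed sample traffic (not captured from a real network).
SAMPLE_FRAMES = [
    make_frame("ff:ff:ff:ff:ff:ff", 0x0806),  # ARP request, broadcast
    make_frame("01:00:5e:00:00:fb", 0x0800),  # IPv4 multicast group MAC
    make_frame("33:33:00:00:00:01", 0x86DD),  # IPv6 multicast group MAC
    make_frame("00:11:22:33:44:55", 0x0800),  # ordinary unicast
    make_frame("02:00:00:00:00:01", 0x0800),  # locally administered unicast:
                                              # bit 1 is set, bit 0 is not
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        dst, _, etype = parse_eth_header(f)
        print(f"{fmt_mac(dst)}  0x{etype:04x}  {classify_dst(dst)}")
    print(len(unicast_only(SAMPLE_FRAMES)), "frames pass the filter")
```

The `02:00:00:00:00:01` frame shows that only the lowest bit of the first byte matters: the neighbouring locally-administered bit does not make a frame multicast.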

Capture Filter for Excluding Broadcast/Multicast Traffic

not broadcast and not multicast

Wireshark capture filters are specified before capturing commences, and use the same syntax as tcpdump, WinDump, Analyzer, and any other program that uses the libpcap/WinPcap library. Capture filters can exclude traffic from being captured at all.…

Tags: display filter, eth.dst
Networking
17 June 2011 3 Comments

The ARP Protocol Explained

Introduction

The Address Resolution Protocol, or ARP, is used to resolve network-layer addresses (IP) to link-layer addresses (MAC). This post describes the basics of the ARP protocol; viewing and manipulating your ARP cache is discussed in the next post.

Other posts on the ARP protocol are available here:

  • Viewing and manipulating the ARP cache on Windows and Linux.
  • An introduction to ARP cache poisoning.

ARP Basics

When a system wants to send data to another computer, it prepares an IP packet with the appropriate destination IP. This packet is passed down to the link-layer (usually Ethernet). This layer needs to encapsulate the IP packet in an Ethernet frame before it can be sent.

An Ethernet frame must be addressed to a destination hardware address (MAC address). But which MAC address corresponds to the destination IP address? This is looked up in the ARP cache. The ARP cache contains mappings of the form (IP - MAC).

Source and Destination Hosts on the Same Local Network

The sending host will first look up the destination IP address in its routing table. If the destination IP is on the same physical network (subnet) then there are no routers between the host…

General
10 June 2011 1 Comment

A Summary of IP Addressing Types

This is a summary of IP addressing types. We look at unicast, broadcast, multicast and anycast addressing of IP packets, and also describe the destination MAC addresses for each case. Some of the text and all of the images are courtesy of Wikipedia; I just added my comments.

There are four forms of IP addressing, each with its own unique properties:

Unicast

Available in: IPv4 and IPv6.

The most common addressing scheme of an IP address is unicast addressing – available in both IPv4 and IPv6. It normally refers to a single sender or a single receiver, and can be used for both sending and receiving. Usually, a unicast address is associated with a single device or host, but it is not a one-to-one correspondence. Some individual PCs have several distinct unicast addresses, each for its own distinct purpose. Sending the same data to multiple unicast addresses requires the sender to send all the data many times over, once for each recipient.

  • Most browsing traffic from your Internet router to your computer will be unicast TCP or UDP traffic; if you do a search at google.com the search results are sent only to your computer.
  • Any application that uses TCP must use unicast IP addressing,
Tags: anycast, destination IP, gateway, ip addressing, unicast