Recent Changes - Search:

Tips & Tricks

Windows Tips

Apple Tips

Linux Tips

Networking Tips

Business

powered by PmWiki

MSTips /

TCPIPGuide

Hide Contents

Table of Contents

A Guide TCP/IP

ADDRESS RESOLUTION PROTOCOL(ARP)

LOCAL IP ADDRESS

When 2 computers try to communicate, an ARP request is initiated. If the IP address is on the local network, the source host checks its ARP cache to see if it already has the hardware address(MAC address) of the receiving host. If not, a broadcast is sent to all local hosts. If the receiving host finds that the IP address of the source host matches it's own then it sends a reply to the source host with it's hardware address. When received by the source host, it's ARP cache is updated to include this info. If no hosts respond to the broadcast then the request is discarded.

REMOTE IP ADDRESS

This is a little different. When the destination address is found to be a remote host, the source host checks the local routing table for a path to the receiving host. If one is not found then a broadcast is sent to the router(gateway). The router replies with its hardware address and then the packet is sent to the router. Essentially the router follows the same pattern. It checks its cache for a path to the receiving host. If one is found then it forwards the packet. If not, it sends a broadcast and waits for a reply from the host. It may again determine that it is a remote host and then the !!INTERNET PROTOCOL(IP)

MORE INFORMATION

ARP entries can be static or dynamic. If a dynamic entry is not used within 2 minutes then it is deleted. If it is used then it will remain for 10 minutes. A static entry will hang around until the computer is rebooted, it is deleted with arp -d, or a new hardware address is received via broadcast in which case the entry becomes dynamic.

ARP COMMANDS

  1. arp -a or arp -g
    Both of these commands do the same thing. They display the contents of your current arp cache.
  2. arp -s ip_address hardware_address
    This commands a static entry to the arp cache.
  3. arp -d ip_address
    Removes and entry from the arp cache.

INTERNET PROTOCOL(IP)

BACKGROUND

IP is a connectionless protocol, which means that a session is not created before sending data. IP is responsible for addressing and routing of packets between computers. It does not guarantee delivery and does not give acknowledgement of packets that are lost or sent out of order as this is the responsibility of higher layer protocols such as TCP.

IP HEADER STRUCTURE

VERSION:
This field uses 4 bits to denote the version of IP.
HEADER LENGTH:
4 bits denote the number of 32-bit words in the header. Them minimum length is 20 bytes.
TYPE OF SERVICE:
8 bits that indicate the quality of service that the packet should receive. Includes precedence, delay, throughput and reliability.
TOTAL LENGTH:
16 bits denote the total length of the packet.
IDENTIFICATION:
16 bits are used as a unique identifier so the packet can be reassembled in the event that it is fragmented.
FRAGMENTATION FLAGS:
3 bits used in the fragmentation process.
FRAGMENT OFFSET:
13 bits used to determine the location of the fragment in regards to the original IP packet.
TIME TO LIVE(ttl):
8 bits that indicate the maximum number of hops that a packet can travel before being thrown away.
PROTOCOL:
8 bits are used to identify the original upper-layer protocol used.
HEADER CHECKSUM:
16 bits used to check for errors in the header only.
SOURCE ADDRESS:
32 bits that indicate the IP address of the sending host.
DESTINATION ADDRESS:
32 bits that indicate the IP address of the receiving host.
OPTIONS AND PADDING:
stores IP options.

TRANSMISSION CONTROL PROTOCOL(TCP)

BACKGROUND

As opposed to IP, TCP is connection oriented and assures reliable delivery of packets. When the destination host receives a segment it sends back an acknowledgment(ack). If an ack is not received by the source host within a certain period of time then the data is retransmitted. TCP uses sockets and ports to exchange data between applications. Ports provide a specific and universal location for message delivery, while sockets use the host ip address, port number and the type of service (TCP or UDP) to create a reliable connection. TCP uses sliding windows to buffer data between hosts. A buffer that is too large or small can cause poor network performance. For example, if you are shotgunning a beer your throat is like the buffer. If your throat isn't opened wide enough then the beer travels to your stomach very slowly. If your throat is open too wide, then some of the beer packets get lost in your lungs or you just throw up. You then have to retransmit the beer back to your stomach.

THREE-WAY HANDSHAKE

A TCP session begins with a three-way - Handshake that is. This process synchronizes the sending and receiving of data.

  1. The source host sends a segment with the SYN flag set "on".
  2. The destination host sends a reply with SYN flag "on", a sequence number and an ACK that relays the next packet that the destination host is expecting.
  3. The source host sends and ACK with received sequence number and an acknowledgment number. The session is ended with a similar process.

TCP HEADER STRUCTURE

  • Source port – identifies the sending port
  • Destination port – identifies the receiving port
  • Sequence number – has a dual role
    • If the SYN flag is present then this is the initial sequence number and the first data byte is the sequence number plus 1
    • if the SYN flag is not present then the first data byte is the sequence number
  • Acknowledgement number – if the ACK flag is set then the value of this field is the sequence number that the sender of the acknowledgement expects next.
  • Data offset – specifies the size of the TCP header in 32-bit words. The minimum size header is 5 words and the maximum is 15 words thus giving the minimum size of 20 bytes and maximum of 60 bytes. This field gets its name from the fact that it is also the offset from the start of the TCP packet to the data.
  • Reserved – for future use and should be set to zero
  • Flags (aka Control bits) – contains 8 bit flags
    • CWR – Congestion Window Reduced (CWR) flag is set by the sending host to indicate that it received a TCP segment with the ECE flag set (added to header by RFC 3168).
    • ECE (ECN-Echo) – indicate that the TCP peer is ECN capable during 3-way handshake (added to header by RFC 3168).
    • URG – indicates that the URGent pointer field is significant
    • ACK – indicates that the ACKnowledgement field is significant
    • PSH – Push function
    • RST – Reset the connection
    • SYN – Synchronize sequence numbers
    • FIN – No more data from sender
  • Window – the number of bytes that may be received on the receiving side before being halted from sliding any further and receiving any more bytes as a result of a packet at the beginning of the sliding window not having been acknowledged or received. Starts at acknowledgement field.
  • Checksum – The 16-bit checksum field is used for error-checking of the header and data [1]

USER DATAGRAM PROTOCOL(UDP)

BACKGROUND

UDP is one of the core protocols of the Internet protocol suite. Using UDP, programs on networked computers can send short messages sometimes known as datagrams (using Datagram Sockets) to one another. UDP is sometimes called the Universal Datagram Protocol. It is commonly used with applications such as NETSTAT, TFTP, SNMP, NETBIOS name service and NETBIOS datagram service. Like TCP, UDP uses ports to provide the location to send packets.

SOURCE PORT:
This field identifies the sending port when meaningful and should be assumed to be the port to reply to if needed. If not used, then it should be zero.
DESTINATION PORT:
This field identifies the destination port and is required.
MESSAGE LENGTH:
A 16-bit field that specifies the length in bytes of the entire datagram: header and data. The minimum length is 8 bytes since that's the length of the header. The field size sets a theoretical limit of 65,527 bytes for the data carried by a single UDP datagram. The practical limit for the data length which is imposed by the underlying IPv4 protocol is 65,507 bytes.
CHECKSUM:
The 16-bit checksum field is used for error-checking of the header and data.

TCP PORTS

TCP uses the notion of port numbers to identify sending and receiving application end-points on a host, or Internet sockets''. Each side of a TCP connection has an associated 16-bit unsigned port number (1-65535) reserved by the sending or receiving application. Arriving TCP data packets are identified as belonging to a specific TCP connection by its sockets, that is, the combination of source host address, source port, destination host address, and destination port. This means that a server computer can provide several clients with several services simultaneously, as long as a client takes care of initiating any simultaneous connections to one destination port from different source ports.

Port numbers are categorized into three basic categories: well-known, registered, and dynamic/private. The well-known ports are assigned by the Internet Assigned Numbers Authority (IANA) and are typically used by system-level or root processes. Well-known applications running as servers and passively listening for connections typically use these ports. Some examples include: FTP (21), ssh (22), TELNET (23), SMTP (25) and HTTP (80). Registered ports are typically used by end user applications as ephemeral source ports when contacting servers, but they can also identify named services that have been registered by a third party. Dynamic/private ports can also be used by end user applications, but are less commonly so. Dynamic/private ports do not contain any meaning outside of any particular TCP connection.

TCP/IP ADDRESSING

BACKGROUND

Every IP address can be broken down into 2 parts, the Network ID(netid) and the Host ID(hostid). All hosts on the same network must have the same netid. Each of these hosts must have a hostid that is unique in relation to the netid. IP addresses are divided into 8 octets with each having a maximum value of 255. We view IP addresses in decimal notation such as 124.35.62.181, but it is actually utilized as binary data so convert addresses back and forth is sometimes needed.

CLASSES

CLASSRANGE
A1-126
B128-191
C192-223

IP addresses can be class A, B or C. Class A addresses are for networks with a large number of hosts. The first octet is the netid and the 3 remaining octets are the hostid. Class B addresses are used in medium to large networks with the first 2 octets making up the netid and the remaining 2 are the hostid. A class C is for smaller networks with the first 3 octets making up the netid and the last octet comprising the hostid.

SUBNETTING

BACKGROUND

A subnet mask blocks out a portion of an IP address and is used to differentiate between the hostid and netid. The default subnet masks are as follows:

CLASSDEFAULT SUBNET# OF SUBNETS# OF HOSTS PER SUBNET
Class A255.0.0.012616,777,214
Class B255.255.0.016,38465,534
Class C255.255.255.02,097,152254

PRACTICAL EXPLANATION

The table above shows the default subnet masks. What subnet mask do you use when you want more that 1 subnet? Lets say, for example, that you want 8 subnets and will be using a class C address. The first thing you want to do is convert the number of subnets into binary, so our example would be 00001000. Moving from left to right, drop all zeros until you get to the first "1". For us that would leave 1000. It takes 4 bits to make 8 in binary so we add a "1" to the first 4 high order bits of the 4th octet of the subnet mask(since it is class C) as follows: 11111111.11111111.11111111.11110000 = 255.255.255.240. There is our subnet mask.

Lets try another one...Lets say that you are the network administrator you have stores in 20 different neighborhoods and you want to have a separate subnet on your network for each store. It will be a class B network. First, we convert 20 to binary - 00010100. We drop all zeros before the first "1" and that leaves 10100. It takes 5 bits to make 20 in binary so we add a "1" to the first 5 high order bits which gives: 11111111.11111111.11111000.00000000 = 255.255.248.0. The following table shows a comparison between the different subnet masks. [2]

Netmask Quick Reference

#Bits#HostsUsable hostsNetmask
/4268435456268435454240.0.0.0
/5134217728134217726248.0.0.0
/66710886467108862252.0.0.0
/73355443233554430254.0.0.0
/81677721616777214255.0.0.0 class A network
/983886088388606255.128.0.0
/1041943044194302255.192.0.0
/1120971522097150255.224.0.0
/1210485761048574255.240.0.0
/13524288524286255.248.0.0
/14262144262142255.252.0.0
/15131072131070255.254.0.0
/166553665534255.255.0.0 class B network
/173276832766255.255.128.0
/181638416382255.255.192.0
/1981928190255.255.224.0
/2040964094255.255.240.0
/2120482046255.255.248.0
/2210241022255.255.252.0
/23512510255.255.254.0
/24256254255.255.255.0 class C network
/25128126255.255.255.128
/266462255.255.255.192
/273231255.255.255.224
/281614255.255.255.240
/2986255.255.255.248
/3042255.255.255.252
/31  point to point links only
/3211255.255.255.255 single IP address

STATIC ROUTING

BACKGROUND

A router or gateway is a hardware device that forwards packets from one logical network to another. IP Tables uses a routing table to determine which networks that packets can be forwarded to and will only forward them to networks that it has been configured to do so. When a packet is to be sent, IP Tables determines whether or not the IP address is local or remote. If it is local, it forward the packet. If it is remote, it consults the routing table to determine the path to the remote host. If there is no entry in the routing table, then the default gateway is used instead. The routing table is checked at the router and the process repeats. A packet can be forwarded from router to router. Each one of these steps is called a "hop". If a route to the remote host is never found then an error message will return. On NT, multiple gateways can be configured and if "Dead Gateway Detection" is set to "on" then IP will attempt to use the next default gateway.

Routing can be either static or dynamic. Static routing involves manually programming the routing table into the router. If you have a large network, this can be a real hassle especially if your network constantly changes and the tables have to keep getting updated.

routing image
Routing Schematics

If 2 network adapters are added to a computer, it can be used as a router. A computer that acts as a router is called multihomed. The default gateway of Host A in this example would be the local side of the router which would be 134.62.8.1. Conversely, Host B's gateway would be 134.62.20.1.

ROUTE COMMANDS

  1. route add (IP_Address) mask (Subnet_Mask) (Gateway_address)
    Add a route.
  2. route -p add (IP_Address) mask (Subnet_Mask) (Gateway_address)
    Add a persistent route. This type of entry is stored in the registry and are not affected by a power cycle.
  3. route delete (Subnet_Mask) (Gateway_address)
    Delete a route.
  4. route change (Subnet_Mask) (Gateway_address)
    Change a route.
  5. route print
    Shows the contents of the routing table.
  6. route -f
    Erases all routes.

ROUTING INFORMATION PROTOCOL (RIP)

Dynamic routing which uses the Routing Information Protocol (RIP). RIP measures the distance from source to destination by counting the number of hops(routers or gateways) that the packets must travel over. RIP sets a maximum of 15 hops and considers any larger number of hops unreachable. RIP's real advantage is that if there are multiple possible paths to a particular destination and the appropriate entries exist in the routing table, it will choose the shortest route. RIP uses an update interval which broadcasts its routing table over UDP port 520 after a specified period of time.

RIP image
RIP Schematics

Router 1 and router 2 would broadcast their routing tables to each other every x seconds depending on what the update interval is set. Each router would then add any new routes to its table dynamically. If a route already exists then the router would see if the new route has less hops and takes the course of least resistance.

Microsoft claims that RIP is best used on smaller networks. This is because larger networks can have large number of entries in their routing tables. Due to the fact that RIP packets can be a maximum of 512 bytes, larger tables would have to be sent as multiple packets which can slow down the network considerably.

DYNAMIC HOST CONFIGURATION PROTOCOL (DHCP)

DHCP automatically assigns IP addresses to computers on a network. When a client is configured to receive an IP address automatically, it will send out a broadcast to the DHCP server requesting an address. The NT server will then issue a "lease" and assign it to that client. The time period that a lease will last can be specified on the server. The main benefit of DHCP is to cut down overhead relating to System Administration. Is Decreases amount of time spent configuring computers especially in environments where computers get moved around i.e. Road warriors working remotely can bring in their laptops or mobile devices to any department or branch they are assigned, plug them into the network transparently. If IP addresses where manually assigned, the staff member would have to contact Network Administrator and have them assign and address or the sales staff would have to manually configure the IP address before being able to plug into the network. Either way a clear advantage is had by using DHCP.

HOW DOES IT WORK?

  1. The client sends a broadcast that requests an IP address. Since it is not configured for TCP/IP yet it uses a source address of 0.0.0.0 and a destination address of 255.255.255.255. The broadcast contains the computer's name and the MAC address so the DHCP server knows where to reply. This is called the IP lease request.
  2. The DHCP server/s send an offer. This broadcast contains the IP address, client's hardware address, subnet mask, duration of lease and the IP address of the responding DHCP server. This process is called a IP lease offer.
  3. The client takes a look at the first offer that it receives and sends a message to all DHCP servers to let them know that it has chosen an offer. This is known as the IP lease selection.
  4. The DHCP server then sends an acknowledgement to the client, all other DHCP servers withdraw their offers and the clients now have an IP address. If an unsuccessful acknowledgement is received, the client sends out another lease request. The client stores its IP info in HKEY_LOCAL_MACHINE\SYSTEM\CurrentConrolSet\Services\adapter\Parameters\Tcpip.

LEASE RENEWAL

DHCP clients will attempt to renew their leases when %50 of the lease has expired. The client will send a DHCPREQUEST message to the server that assigned the lease. Assuming the DHCP server isn't on fire or anything it will send out a DHCPACK with the new lease. If the server is unavailable, then the client can continue functioning as it has %50 remaining still. The client will continue as normal until the lease reaches %87.5 used at which time it broadcast to all DHCP servers and attempt to get a new lease. If the client receives a DHCPNACK message or the lease expires then the client must start all over again and will get a different IP address. If the lease expires and the client is unable to get a new one then the user will be whining to their IS dept. about it because they will not be able to communicate over the network.

IPCONFIG

Below are the ipconfig switches that can be used at a command prompt.

  • ipconfig /all - will display all of your IP settings.
  • ipconfig /renew - forces the DHCP server, if available to renew a lease
  • ipconfig /release - forces the release of a lease.

SETTING UP A DHCP SERVER

How many subnets will the DHCP server serve? If it is more than 1 then you have to make sure that all routers are configured as DHCP relay agents or else only the local subnet will get leases. Next the "scope" needs to be defined. If there multiple DHCP servers, each one will need to have its own not necessarily unique scope of IP addresses. According to Microsoft, each DHCP server should be configured with %75 of the scope reserved for the local subnet and the remaining %25 for remote subnets. This provides redundancy in case a client can't obtain a lease from the local server, then it can get one from a remote server. DHCP server must have static entries for its IP settings.

  1. A scope must be defined. Note that each DHCP server must have unique scopes defined or else duplicate IP addresses may be assigned. There are 3 scope options:
    • Global - This option is used when all DHCP clients will use the same IP setting, such as the same subnet mask.
    • Scope - These options are only available to clients that are using an address specified by the scope.
    • Client - Used for clients that use reserved addresses.
  2. The server may be configured to always assign a particular address to a client.
  3. "Map out" any static IP addresses on the network in the "exclusion range" fields.

The DHCP server database is backed up every hour(default) and can be restored when needed. It can also be compacted in order to keep it running efficiently. NT 4.0 does this automatically, whereas it must be done manually with earlier versions of NT.

DHCP RELAY AGENT

This service is used when routers separate clients from a DHCP server. An NT server on the same subnet as the clients can be configured so that it automatically sends all DHCP messages directly to the DHCP server. Included in the message to the server is the address of the originating client so that the DHCP server can respond directly back to the client. This service is basically a middle-man.

NETBIOS

When talking about Netbios, we typically refer to the concept of a Netbios Name which is the name assigned to your computer. Netbios allows applications to talk to each other using protocols such as TCP/IP that support Netbios. Netbios is also a session/transport layer protocol that is typically seen in other forms such as Netbeui and NetBT. These are the main functions that Netbios serves which are:

  • Starting and stopping sessions.
  • Name registration
  • Session layer data transfer( reliable)
  • Datagram data transfer (unreliable)
  • Protocol driver and network adapter management functions

NETBIOS NAMING

A Netbios name is either a unique name or a group name, the difference being that a unique name is is used for communication with a specific process on a computer, whereas a group name is for communication with multiple clients/computers. Netbios name resolution resolves a computer's Netbios name to an IP address. Microsoft offers several different ways to resolve Netbios names and each will be discussed below.

  • LOCAL BROADCAST - If the destination host is local, then first the Netbios name cache is checked and a broadcast is not sent. If it is not found here, then a name query broadcast is sent out that includes the destination Netbios name. Each computer that receives the broadcast checks to see if it belongs to the name requested. The computer that owns the name then uses ARP to determine the MAC address of the source host. Once obtained a name query response is sent. NOTE: Some routers do not support the fowarding of these broadcasts as they use UDP ports 137 and 138.
  • NETBIOS NAME SERVER - When using a Netbios name server, the cache is checked first and if the name is not found the destination host's name is sent to the name server. After the name server resolves the name to an IP address, it is returned to the source host. When the source host receives the information it uses ARP to resolve the IP address of the destination host to it's MAC address.
  • LMHOSTS FILE - A text file that is used to manually configure Netbios names. In NT, it is located in the \system32\Drivers\Etc directory. The file is configured with keywords listed below:
    • #PRE - Denotes entries to be preloaded to the cache, which cuts down on broadcast traffic.
    • #DOM:domain name - provides logon validation, browsing and account synchronization.
  • HOSTS FILE
  • DNS

NBSTAT COMMANDS

  1. nbstat -n Lists all registered Netbios names.
  2. nbstat -c Shows the Netbios cache.
  3. nbstat -R Reloads the Netbios name cache from the lmhosts file.

Additional Reading

http://www.learntosubnet.com/

References

1. ^ Transmission Control Protocol - Retrieved 31 August 2007
2. ^ Ex-Designz - Retrieved 1 September 2007

All text is available under the terms of the GNU Free Documentation License
Privacy Policy | About Wikitec | Disclaimer | Copyright

Edit - History - Print - Recent Changes - Search
Page last modified on 2008-01-11 09:28