CS469 - Linux and Unix Administration and Networking


Packets are data-turduckens:

Bytes: ──▶
 │          ┌────────────────────────────────────┐       │
 │          │        ┌──────────────────────────┐│       │
 │ Ethernet │ IP     │ TCP    ┌────────────────┐││ Frame │
 │ Header   │ Header │ Header │ Data (payload) │││ Check │
 │          │        │        └────────────────┘││ Seq   │
 │          │        └──────────────────────────┘│       │
 │          └────────────────────────────────────┘       │

The entirety of the above is an Ethernet Frame. Note that the Data (the payload) is encapsulated inside of the TCP packet, which is encapsulated inside of the IP packet which is encapsulated inside of the Ethernet packet.

Compare the onion like structure of the above packet to the OSI model that has been discussed earlier. Ethernet is layer 2, IP is layer 3, TCP is layer 4 and whatever data is being transmitted may be layer 5-6.


Orginally 10BASE5 (thicknet), which was a coaxial cable run between computers as a shared medium (aka like a telephone party line.)

Eventually superceded by 10BASE2 (thin-coaxial), then by twisted pair technologies:
10BASE-T (10Mbps), 100BASE-TX (100Mbps) and 1000BASE-T (1000Mbps / 125MBaud). 10GBase-T (10000Mbps/800MBaud)

Mbps = Million(Mega) bits / second. Roughly divide by 10 to get Bytes / second (this accounts for packet overhead and other latencies.) Not to be confused with MBps = MegaBytes / second (note the capitalized B)

10/100/1000 speed in Mbit/s
BASE Base-band modulation transmission.
2/T/TX Transmission medium (2 = Coax, T/TX = Twisted pair)

Note that Ethernet is not a routable protocol. An Ethernet packet only can be delivered to a machine on the same local network segment. IP packets (which are routable) are encapsulated inside of Ethernet packets. To deliver an IP packet, an Ethernet packet containing the IP packet is formed and delivered to the next machine in the path to its destination, which then creates a new Ethernet packet and copies the IP packet into it for the next step. Each of these steps is called a "hop" along the path.

Ethernet devices:

Ethernet devices: eth#. i.e. eth0, eth1, etc. Some versions of Linux may have other names for ethernet devices (such as Red Hat based distributions.)

Ethernet devices have associated with them:

  • A 6 byte MAC (Machine Address Control) address, the hardware address of the physical NIC (Network Interface Controller).

    • Denoted by 6 2-hex digit numbers seperated by colons. (ex: b4:2e:99:3e:ac:0f)
  • An IPv4 and/or IPv6 address

    • IPv4 addresses are 4 bytes (32 bits), displayed as 4 numbers (0-255) separated by dots (.), e.g.: This is called dotted-quad notation.

    • IPv6 is 128 bits, displayed as 8 groups of 4 hex digits separated by colons (e.g.: 2001:0db8:85a3:0042:1000:8a2e:0370:7334) with methods to abbreviate them (by omitting zeros).

  • Sub-net mask (determines network and Host IP.) (ex:

  • Broadcast address (The address to which broadcast packets will be sent and recieved on) (ex:

  • MTU (Maximum Transmission Unit), i.e maximum size of a ethernet packet payload (data portion of the packet), in bytes. (ex: typically 1500, up to 9000 for Jumbo-frames)

Example ethernet device:

# Output of ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet  netmask  broadcast
        inet6 fe80::b62e:99ff:fe3e:ac0f  prefixlen 64  scopeid 0x20<link>
        ether b4:2e:99:3e:ac:0f  txqueuelen 1000  (Ethernet)
        RX packets 640443  bytes 817854669 (779.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 759070  bytes 320194162 (305.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device memory 0xf7600000-f761ffff

An Ethernet frame is composed of:

With 802.1Q tag:

..preamble.. [ SFD | MAC dest | MAC src | 802.1Q tag | Ethertype | Payload | CRC ] ..interpacket gap..

Without 802.1Q tag:

..preamble.. [ SFD | MAC dest | MAC src | Ethertype | Payload | CRC ] ..interpacket gap..

  • The preamble: 7 octets of ones and zeros, used to synchronize timing with devices on the network. (10101010 ...)

  • Start of frame deliminator (SFD): An octet specifying the start of the Ethernet header. (10101011)

  • MAC destination (6 octets)

  • MAC source (6 octets)

  • Optional 802.1Q tag (4 octets) used for tagging ethernet frames for Virtual LANs

  • Ethertype (Indicates what protocol is encapsulated in the ethernet frame) or the length (2 octets)

  • Payload (46/42 bytes - 1500 octets, up to 9000 for Jumbo Frames)

    • This is where the IP packet and all its contents would be.
  • Frame Check Sequence - 32 bit CRC (Cycle Redundancy Check) (4 octets)

    • Used to verify that the data in the packet arrived w/o errors.
  • Interpacket gap (12 octets)

    • Dead, unused space between packets.

ARP - Address Resolution Protocol

ARP is the protocol that is used to translates network (internet) layer (IPv4) addresses into link layer (Ethernet) addresses.

  • Defined by RFC826 in 1982

  • The IPv6 equivalent is NDP - Neighbor Discovery Protocol.

> arp

  • manipulate and display ARP cache



  • ARP table maintained by the kernel


  • Like /etc/hosts, but for ethernet addresses (man 5 ethers)
  • Only really useful to prevent an ARP spoofing attack against important hosts such as a gateway.

ARP spoofing / cache poisoning

An attack where false arp messages are broadcast onto a network in an attempt to appear to be some other machine (usually a gateway), so that traffic might be redirected to the attacking machine, which then may inspect the traffic and perform additional attacks, such as man in the middle attacks, or denial of service (DOS).

DNS - Domain Name System

Translates names into IP addresses

  • Defined RFC882 - 1983, extended by RFC1034/1035 - 1987

> hostname [hostname]

  • set (requires root) or show the systems hostname

> dig hostname

  • another DNS lookup util

> host hostname

  • DNS lookup util

> nslookup [- dnsserver] [hostname]

  • Yet another DNS lookup util (older, almost deprecated.) Provides a command interface, can connect directly to a specific DNS server.



  • The DNS resolver library configuration file, defines the nameservers to use for DNS resolution. Optionally provides domains to search if the hostname is not a fully qualified domain name. (i.e. if I use 'cs' as a host to search, it can automatically append indstate.edu to search 'cs.indstate.edu' if the domain or search options are provided.)

  • Reading: man 5 resolv.conf

domain <local domain>    # Default domain to search if omitted
search <domain>          # Additional optional domains to search.
nameserver <ip address>  # One or more nameservers to use for DNS resolution, searched in order of appearance in the file.
  • Example /etc/resolv.conf configuration:
    search indstate.edu
    domain indstate.edu


  • Search file for hostname to IPs (man 5 hosts)
    <ip-address>    <fqdn>  [<aliases...>]


  • Network definition file (man 5 networks). Used to define a name for a network address, such as (all the machines on subnet 14 of ISU's network.)
    <name>  <number> [<aliases>]

ARP/DNS Example:

Host A wishes to send a message to host B (assumes both A and B are on the same network segment):

  • Host A converts the name for Host B into an IP address (IP-B) through the DNS.

  • Host A then checks its ARP cache for an entry for IP-B:

  • If found, then A sends a IP packet encapsulated in an Ethernet frame with B's MAC address.

  • Else:

    • A sends a ARP request (MAC destination FF:FF:FF:FF:FF:FF) for info on IP-B.

    • B responds with its MAC address and IP.

    • A may then add the entry to its cache.

If B is not on the same network segment as A, then A uses it's IP routing tables to determine the gateway machine to send the packet to, performing roughly the same steps as above, except for the gateway machine in place where B would be.