Network for newbies - 1

koka-ryu
Joined: 2020/06/25

Computer networks are the veins of the information age,
protocols the language of the net.

To build a computer network you of course need some hardware. Depending on the kind of net you will need cables, modems, antennas or satellite receivers besides computers and network cards, as well as routers, gateways, firewalls, bridges, hubs and switches.

A hub is just a simple box you plug network cables into; it copies all signals to all connected ports. This property can lead to an explosion of network traffic, which is the reason hubs are rarely used these days. Instead, most of the time you will see switches forming the heart of a network. The difference between a hub and a switch is that a switch remembers the MAC address of the network card connected to each port and sends traffic only to the port it is destined for.

You can cable and construct computer networks in different ways. Nowadays the most common variant is the so called star network, where all computers are connected to a central device. The disadvantage is that this device is a single point of failure and the whole network breaks down if it is lost. This disadvantage can be circumvented by using redundancy, i.e. multiple devices. Another possibility is to connect all computers in one long row, one after the other: the so called bus network. The disadvantage of this topology is that each computer must have two network cards, and depending on the destination the traffic gets routed through all computers of the net. If one of them fails or has too high a load, the connections behind that host are lost.

The ring network should be mentioned too, which as the name implies connects all computers in a circle. The ring network has the same disadvantages as a bus network, except that the network will only fail partly if a computer is lost, as long as the net can route the traffic the other way round. So, I think it is the topology of the backbones used by ISPs and large companies. Additionally one often reads about LAN (Local Area Network), WAN (Wide Area Network) and sometimes even about MAN (Middle Area Network). A LAN is a local network that is most of the time limited to a building, floor or room. In modern networks most computers are connected to a LAN over one or more switches. Multiple LANs connected over a router or VPN are called a MAN. If the network spreads over multiple countries or even the whole world, like the internet, then it is defined as a WAN.

ISO/OSI Layer Model

According to the pure doctrine, the ISO/OSI layer model technically separates a computer network into seven layers:

  OSI layer  Layer name     Task
  1          physical       cables, antennas etc.
  2          data-link      creates a point-to-point connection between two computers
  3          network        provides for addressing of the destination system
  4          transport      takes care that the data is received in the right order and enables retransmission on packet loss
  5          session        used to address a single application (using ports)
  6          presentation   conversion of data formats (byte order, compression, encryption)
  7          application    protocols that define the real service, like HTTP

Each layer has a clearly defined task, and each packet passes through them one after another in the OS kernel up to the application layer.

Ethernet

Have you ever bought a normal network cable or card in a shop? Then the chance is nearly 100 per cent that you own Ethernet hardware, because Ethernet is by a huge margin the most used network technology today. You will see network components with different speed limits like 1, 10, 100 MBit or gigabit, and an Ethernet can be constructed with different cable types like coaxial (old school), twisted pair or glass fiber.

Twisted pair cables can be divided into the variants STP (single twisted pair) and UTP (unshielded twisted pair) as well as patch and crossover cables. The difference between STP and UTP cables is that the wires of UTP cables are unshielded and therefore they have a lower quality compared to STP cables. Patch and cross cables can be told apart by looking at the plugs of the cable. A cross cable is used to directly connect two computers, a patch cable is used to connect a computer to a hub or switch. Modern network cards can automatically cross the wires, so cross cables are a dying breed.

Every network card in an Ethernet network has a MAC address that is world-wide unique and is used to address devices on the net. The MAC address consists of six two-digit hexadecimal numbers separated by colons, like this: bb:cc:aa:11:22:44. It's a common misbelief that a computer in a local TCP/IP network is reached over its IP address; in reality the MAC address is used for this purpose. Another common misunderstanding is that the MAC address cannot be spoofed. The OS is responsible for writing the MAC into the Ethernet header, and systems like GNU/Linux or the BSDs have the means in their base system to change the MAC with one command:

koka@debian:~$ sudo ifconfig eth0 hw ether a0:00:08:b2:3c:09

Besides the source and destination MAC address, an Ethernet header consists of a type field and a checksum. The type field defines the protocol that follows Ethernet, e.g. 0x0800 for IP or 0x0806 for ARP. Last but not least the term CSMA/CD should be explained. CSMA/CD stands for carrier sense multiple access/collision detect and describes how a computer sends data over an Ethernet. First of all it listens on the wire to find out whether someone is currently sending something. If that's the case it just waits a couple of random seconds and tries again. If the channel is free it sends the data over the network. Should two stations transmit data at the same time, a collision will result; therefore every sending station must listen afterwards to detect a collision, then randomly wait some seconds and retransmit the data.

VLAN

A VLAN (virtual local area network) separates several networks on a logical basis. Only devices on the same VLAN can see each other. VLANs were invented to define a network structure independently from its physical hardware, to prioritize connections and to minimize broadcast traffic. They were not developed with security in mind, but it's a common myth that VLANs add to your security. Don't rely on this myth, because several ways exist to circumvent the separation of a VLAN. Switches implement VLANs in two different ways: by tagging packets with an IEEE 802.1q header that is inserted after the Ethernet header, or simply by port. 802.1q is the newer variant, which allows the creation of a VLAN spread over several switches.

ARP (address resolution protocol) translates between layer 2 (Ethernet) and 3 (IP). It is used to resolve MAC addresses to IP addresses. The other way round is done by RARP (reverse address resolution protocol). Imagine a source host (192.168.1.10) tries to communicate with a destination host (192.168.1.6) for the first time; then it will loudly shout over the broadcast address something like the following: "Hello, here is koka, to all, listen! I wanna talk to ryu! Who has the MAC address of ryu?!"

In Ethernet speech it looks like this:

ARP, request who-has 192.168.1.6 tell 192.168.1.10, length 28

The destination host 192.168.1.6 now shrieks up and screams "hey, that's me!" by sending its MAC address to the requesting host 192.168.1.10:

ARP, Reply 192.168.1.6 is-at a0:00:08:b2:3c:09, length 28
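To see what is really on the wire behind those two tcpdump lines, here is an added example (not part of the original post) that builds and parses Ethernet frames carrying ARP, including the 802.1q tag from the VLAN section, and reproduces the post's ARP exchange from constructed sample frames. The sender-MAC consistency check at the end is the kind of test an ARP monitor performs; the MAC values reuse the ones quoted in the post.

```python
import struct

ETH_IP, ETH_ARP, ETH_VLAN = 0x0800, 0x0806, 0x8100   # EtherType values (IP, ARP, 802.1q tag)
BROADCAST = b"\xff" * 6

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def ip_bytes(s): return bytes(int(x) for x in s.split("."))

def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip, vlan=None):
    """Ethernet header, optional 802.1q tag, then the 28-byte ARP payload (IPv4 over Ethernet)."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IP, 6, 4, opcode,   # hw type 1 = Ethernet, op 1/2
                      sender_mac, ip_bytes(sender_ip), target_mac, ip_bytes(target_ip))
    dst = BROADCAST if opcode == 1 else target_mac                # requests are shouted to everyone
    tag = struct.pack("!HH", ETH_VLAN, vlan & 0x0fff) if vlan is not None else b""
    return dst + sender_mac + tag + struct.pack("!H", ETH_ARP) + arp

def parse_frame(frame):
    """Return (vlan id or None, ethertype, payload), skipping an 802.1q tag if one is present."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan, offset = None, 14
    if ethertype == ETH_VLAN:                                      # tag sits right after the source MAC
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0fff, 18
    return vlan, ethertype, frame[offset:]

def describe(frame):
    """tcpdump-style one-liner for ARP frames, matching the lines quoted in the post."""
    vlan, ethertype, payload = parse_frame(frame)
    prefix = f"vlan {vlan}, " if vlan is not None else ""
    if ethertype != ETH_ARP:
        return prefix + f"EtherType 0x{ethertype:04x}, length {len(payload)}"
    op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", payload[:28])[4:]
    if op == 1:
        return prefix + f"ARP, Request who-has {ip_str(tip)} tell {ip_str(sip)}, length {len(payload)}"
    if op == 2:
        return prefix + f"ARP, Reply {ip_str(sip)} is-at {mac_str(smac)}, length {len(payload)}"
    return prefix + f"ARP, opcode {op}, length {len(payload)}"

def sender_mac_consistent(frame):
    """Monitor check: the source MAC the OS wrote into the Ethernet header should equal the
    sender MAC inside the ARP payload (payload bytes 8-13); a mismatch deserves an alert."""
    _, ethertype, payload = parse_frame(frame)
    return ethertype == ETH_ARP and frame[6:12] == payload[8:14]

# Constructed sample frames (not captured traffic) reproducing the post's exchange.
KOKA_MAC, RYU_MAC = bytes.fromhex("bbccaa112244"), bytes.fromhex("a00008b23c09")
REQUEST = build_arp(1, KOKA_MAC, "192.168.1.10", bytes(6), "192.168.1.6")
REPLY = build_arp(2, RYU_MAC, "192.168.1.6", KOKA_MAC, "192.168.1.10")
```

Run `describe(REQUEST)` and `describe(REPLY)` to get exactly the two tcpdump lines above; the 42-byte frame is 14 bytes of Ethernet header plus the 28-byte ARP payload that tcpdump reports as "length 28".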

IP

IP, like Ethernet, is a connection-less protocol; that means it doesn't know about a relation between packets. It is used to define the source and destination host on layer 3, to find the quickest path between two communication partners by routing packets, and to handle errors with ICMP. An example error is the famous host not reachable packet.
Besides that it handles fragmentation by cutting packets bigger than the MTU (Max Transmission Unit) into smaller ones. Last but not least it implements a timeout for loops. Every host (called a hop) a packet passes subtracts one from the TTL, and if it reaches 0 the packet should be thrown away and the source host gets an error via ICMP.
Today there are two variants of IP, IPv4 and IPv6. Both protocols differ widely, and not only in the size of IP addresses. IPv6 can be extended through so called optional headers.

An IPv4 header looks like the diagram. First we want to see how IP network addressing works. An IPv4 address (192.168.1.10) consists of 4 bytes divided by dots. A byte is equal to 8 bits, therefore each number of an IPv4 address can be at most 2 to the power of 8, or 256. Since counting starts with zero, in reality it cannot be bigger than 255. Besides an IP address every IP network node needs a netmask; the most common one is 255.255.255.0.
The netmask defines the size of the net and is used to calculate the net-start-address. The first IP of a net is called the net-start-address, the last one is called the broadcast-address; both cannot be used by hosts because they have a special functionality. Packets to the broadcast address are forwarded to every host on the network. If a computer wants to communicate with another one over an IP network, it first of all calculates its net-start-address with the use of its IP address
and network mask. Let's say the computer has the IP 192.168.1.2.
In binary that is:
11000000.10101000.00000001.00000010

A network mask of 255.255.255.0 in binary looks like:
11111111.11111111.11111111.00000000

AND-ing the two bit by bit keeps only the bits where the mask is 1:
11000000.10101000.00000001.00000000

Calculated in decimal this is 192.168.1.0, the net-start-address.

If you are not familiar with digital systems such as binary, you can help yourself with a scientific calculator or a short Google search.

The netmask defines how many bits of an IP address are reserved for the net and how many for the host. In our example the first 24 bits are 1; that's the same as /24 for short, the so called CIDR block. If the complete last byte is accessible for hosts, the net is classified as a class C, 2 bytes make a class B and 3 a class A; otherwise the net is called a subnet. Our example host computes the same AND-operation for the destination to obtain its net-start-address. If they differ, the destination is in another network and the packet is sent to the default gateway; otherwise the net is looked up in the routing table and the packet is sent over the specified device or to the next router, depending on its configuration.
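The netmask arithmetic above, carried through in code as an added example (not from the original post): it produces the binary form, the net-start-address, the broadcast address and the CIDR prefix, and makes the same "is the destination on my net or does it go to the default gateway?" decision the host makes. It goes slightly beyond the post by rejecting malformed addresses and non-contiguous masks, which real stacks refuse as well.

```python
def ip_to_int(addr):
    """Dotted quad -> 32-bit integer; rejects anything outside 0..255 per byte."""
    octets = [int(x) for x in addr.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xff) for shift in (24, 16, 8, 0))

def to_binary(addr):
    """Dotted binary form as written in the post, e.g. 11000000.10101000.00000001.00000010"""
    return ".".join(f"{int(x):08b}" for x in addr.split("."))

def prefix_len(mask):
    """Number of leading 1 bits (the /24 in CIDR notation); a mask like 255.0.255.0 is rejected."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if m != (0xffffffff << (32 - ones)) & 0xffffffff:
        raise ValueError(f"netmask bits are not contiguous: {mask}")
    return ones

def network_info(ip, mask):
    """net-start-address, broadcast address and CIDR block for a host's IP and netmask."""
    n = prefix_len(mask)
    net = ip_to_int(ip) & ip_to_int(mask)          # the AND-operation from the post
    bcast = net | (0xffffffff >> n)                # all host bits set = broadcast address
    return {"network": int_to_ip(net), "broadcast": int_to_ip(bcast),
            "cidr": f"{int_to_ip(net)}/{n}", "usable_hosts": max(2 ** (32 - n) - 2, 0)}

def same_network(src_ip, mask, dst_ip):
    """Apply the host's own netmask to the destination and compare net-start-addresses."""
    m = ip_to_int(mask)
    return (ip_to_int(src_ip) & m) == (ip_to_int(dst_ip) & m)

def next_hop(src_ip, mask, dst_ip, gateway):
    """Where the packet goes: straight onto the LAN (after ARP) or to the default gateway."""
    if same_network(src_ip, mask, dst_ip):
        return f"direct to {dst_ip} (same LAN, MAC resolved via ARP)"
    return f"via default gateway {gateway}"
```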

ICMP

The Internet Control Message Protocol is used by IP for error handling; therefore it sets a type and a code field in its header to define the error. Most noobs know the protocol from the famous ICMP echo-request packet sent by the program ping, which hopes to receive an echo-response to test if a computer is reachable and to measure the network latency.
Other ICMP messages include redirect-host, for telling a host that there is a better router to reach its destination.

TCP

The Transmission Control Protocol provides session management. A new TCP session is initialized by the famous 3-way-handshake. TCP numbers all packets to ensure that they are processed in the same order they were transmitted by the source system. The destination host sends an acknowledgment to let the source know that the packet was received correctly after checking a checksum; otherwise the source retransmits the packet. Last but not least, TCP addresses programs on a host by the use of ports. The port of the sending instance is called the source port, the receiving one the destination port. Well-known services like HTTP, FTP, IRC etc. have default ports under 1024; for example an HTTP server normally listens on port 80.

Besides ports one also needs to know about TCP flags, sequence and acknowledgment numbers and the window size. Flags are used for session management, to create or destroy a connection and to ask the destination to handle a packet with a higher priority. The sequence number is used to sort the received packets into the same order as they were sent by the origin and to detect lost packets. Each packet gets an individual number that is incremented by one for every transmitted byte. The acknowledgment number, as the name suggests, tells the counterpart that a packet with a certain sequence number has been received correctly. Therefore it takes that sequence number and adds one: the acknowledgment number contains the next expected sequence number. The window size defines the size of the OS cache for received but not yet processed packets. A window size of zero indicates that the sending station is under pressure and asks the other side to be friendly and slow down or even stop sending more packets until a bigger window size is received. Besides that the window size defines the receive window: a host accepts all packets lower than acknowledgment number + window size.

The establishment of a TCP connection is divided into three actions, the 3-way-handshake. First of all the initiating computer sends a packet with the SYN flag set and, as an example, an initial sequence number of 1000. The initial sequence number must be as random as possible to avoid blind IP spoofing attacks, where the attacker guesses a sequence number without being able to read the network traffic.

The destination host responds with a packet where the SYN and ACK flags are set. As initial sequence number it chooses 5000, and the acknowledgment number contains the sequence number of the source host incremented by one (1001). Last but not least the source host sends a final packet with the ACK flag set but not the SYN flag; it uses the acknowledgment number of the SYN/ACK packet as sequence number and the sequence number of the previous packet plus one as acknowledgment number. This completes the 3-way-handshake. From now on both parties send packets with the ACK flag set. If a packet hits a closed port, the destination must send a RST packet to conform to RFC 793. This signals the source host that the request was invalid. Lots of firewalls nowadays violate this standard by either silently dropping the packet or even generating a bogus ICMP message. This behavior is only useful for an attacker to determine the vendor and maybe even the version of the firewall, precious information for an attack.
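The handshake, the RST answer for a closed port and the receive-window rule from the previous paragraphs, written out as a small simulation (an added example, not code from the original post). With the post's example numbers 1000 and 5000 it yields exactly the three segments described above; the sequence-number arithmetic is done modulo 2^32 because real sequence numbers wrap, and `random_isn` shows the unpredictable ISN the post asks for.

```python
import secrets

SYN, ACK, RST = 0x02, 0x10, 0x04          # bit positions of the flags in the TCP header
MOD = 2 ** 32                             # sequence numbers wrap around at 32 bits

def random_isn():
    """Initial sequence number from a CSPRNG, the 'as random as possible' the post asks for."""
    return secrets.randbelow(MOD)

def three_way_handshake(client_isn, server_isn):
    """The three segments as dicts; with 1000 and 5000 these are the post's numbers."""
    syn = {"flags": SYN, "seq": client_isn, "ack": 0}
    syn_ack = {"flags": SYN | ACK, "seq": server_isn, "ack": (syn["seq"] + 1) % MOD}
    ack = {"flags": ACK, "seq": syn_ack["ack"], "ack": (syn_ack["seq"] + 1) % MOD}
    return [syn, syn_ack, ack]

def server_reply(listening_ports, dst_port, syn_seq, server_isn):
    """RFC 793 behaviour for an incoming SYN: open port -> SYN/ACK, closed port -> RST/ACK."""
    if dst_port in listening_ports:
        return {"flags": SYN | ACK, "seq": server_isn, "ack": (syn_seq + 1) % MOD}
    return {"flags": RST | ACK, "seq": 0, "ack": (syn_seq + 1) % MOD}   # silence would violate the RFC

def in_receive_window(seq, next_expected, window):
    """Accept only segments whose sequence number lies in [next_expected, next_expected + window)."""
    return (seq - next_expected) % MOD < window         # modular distance copes with wraparound

def flag_names(flags):
    return "/".join(name for name, bit in (("SYN", SYN), ("ACK", ACK), ("RST", RST)) if flags & bit)

if __name__ == "__main__":
    for seg in three_way_handshake(1000, 5000):
        print(f"{flag_names(seg['flags']):8} seq={seg['seq']} ack={seg['ack']}")
    print("SYN to closed port 81:", server_reply({80}, 81, 1000, 5000))
```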

continue...