There is some work "under the hood" to ensure that, when you type in a human friendly name like Google, it takes you to the website you're expecting it to.

So, what's happening under the hood?

What are URLs?

You may be familiar with what a URL is. It's a simple link to a bit of content on the web. People use URL's daily to share videos, pictures, sites, articles – almost anything on the internet.

URL is an acronym for Uniform Resource Locator, and we can break them down into multiple smaller "pieces". Here's what makes up a standard URL:

Anatomy of a URL showing the Scheme, Domain Name, Path, and Parameters

A URL is just an address for a resource. The resources differ like we discussed, but they're just pointers all over the internet to take you to content you want to view.

As you can see in the graphic above, the breakdown of a URL is often:

• Scheme: this is the protocol a browser uses to access your content. Normally for websites it's HTTP (insecure), or HTTPS (secure).
• Domain name: the website name ("www.google.com" here)
• Port: a network port (80 in this example)
• Path: a path to a particular resource on the server
• Parameters: often key-value pairs, to serve extra data to the web server.

What are IP Addresses?

Humans and computers navigate the web very differently. Whilst most humans use URL's like we just discussed, to communicate between computers, computers use the Internet Protocol (IP).

The IP is a set of rules that route and address data packets (all the data you want to view) to make sure it arrives to your computer.

The Internet Protocol relies on devices and domains, all having their own IP address to connect and identify all the different segments (packets!) of the internet.

An IP address is a series of standardised numbers that range from 0 to 255 – separated by dots.

If you want to see IP addresses in action, and are familiar with terminals, you can type ping google.com in whichever terminal you like and you can see the IP address of Google.com.

A screenshot from a PowerShell terminal, showing a ping command to 216.58.212.206, and 0% packet loss.

You can test this further by typing 216.58.212.206 directly into your browser and seeing if it takes you to Google.

Hopefully this small example highlights why we use URL's. If both addresses (IP address and domain name) took you to the same place, would you rather be asked to remember Google.com or 216.58.212.206?

Note that some IP addresses change day to day (called dynamic IP addresses) – so the above IP address may not work, depending on if the IP address is dynamic or static.

Static IP addresses are ones that don't change – but to assign a single IP address to every machine would be impractical. It would be a logistical nightmare, too, as some people only log onto computers once a month to send an email, for example.

We could very realistically run out of IP addresses on today's current technology if we gave every device a unique IP address (if you want to read how IP addresses are allocated in greater detail, read here).

What is a DNS?

If we know computers communicate via the Internet Protocol and communicate using IP Addresses, how do we turn google.com into the website we use so regularly?

The answer is using a Domain Name System (DNS). The job of the Domain Name System is to transform human readable domain names into IP addresses.

There are four servers specifically that we'll discuss.

DNS Recursor

A DNS Recursor is like a waiter in a restaurant. It acts like a "front facing" part of the system to receive orders (normally from browsers) where the waiter then heads into the back to get what is needed.

In reality, it's just a server that receives DNS queries from browsers and returns information.

There are 3 different places the DNS recursor can generally get the information from depending on if any data has been cached:

• Root nameserver
• TLD nameserver
• Authoritative nameserver

So let's discuss them one by one.

What is a Root Nameserver?

The root nameserver's main job is to return the Top-Level Domain (TLD) server. **

This is an important step to map hostnames into IP addresses.

The root nameserver essentially acts like a catalogue that points to more specific locations.

What is a Top-Level Domain (TLD) Server?

If the root nameserver acts like a catalogue, the TLD server acts like a page in a catalogue.

The TLD server generally returns the final part of the host-name, like com for example, in "google.com".

What is an Authoritative Nameserver?

This server is like a row entry on the specific page of the catalogue.

The authoritative nameserver now can return the IP address for the requested hostname from the browser, back to the DNS recursor – which can hand it back to the browser.

DNS can be super confusing, and to understand the whole process may take a little while, so let's tie it together with a final example.

Example Request

Let's break down an example request from a user, and hopefully tie together this pretty complex process.

Each step in the flow starts to point closer and closer to the final address the user will eventually end up hitting.

Diagram showing the steps in the request process

Let's break down what's going on in this graphic:

Step 1:

A user types 'kealanparr.com' into their browser, and the query hits the DNS recursor.

Step 2:

The DNS recursor then queries a Root nameserver

Step 3:

The Root nameserver then responds to the DNS recursor with the address of a Top Level Domain server (TLD) such as .com.

Step 4:

The DNS recursor then makes a request to the .com TLD.

Step 5:

The .com TLD server then responds with the IP address of the Domain’s nameserver, kealanparr.com.

Step 6:

The DNS recursor sends a query to the domain’s nameserver.

Step 7:

The IP address for kealanparr.com is then returned to the resolver from the Domain nameserver.

Step 8:

The DNS recursor responds to the web browser request with the IP address of the domain requested.

Step 9:

At this point, the DNS lookup has returned enough data for the browser to make the request for the web page.

• The browser makes a HTTP request to the IP address.
• The server at that IP returns the webpage content to be rendered in the browser.

Conclusion

I hope this article has helped you to understand a few networking principles that affect the websites you use everyday.

IP addresses, DNS, and more are all technologies most people use daily but may not be very familiar with.

Cloudflare has an article that was helpful as I researched for this article, which you can read here.

I tweet my articles here if you would like to read more.

We can define a socket as a quick connection which allows the transmission of data between two processes on the same machine or different machines over a network. It is commonly used in client-server interaction, as sockets allow applications to communicate using the built-in mechanisms of the hardware and operating system.

Many of the today’s most used software – including web browsers, file sharing software, and social media instant messaging applications like WhatsApp and others – fundamentally depend on the concept of sockets.

Usually, a socket program is comprised of two main programs called the client and server. Here, the client acts as the requester, where it requests some data. The server acts as the listener and provides the client the requested data as the response.

In Python, creating a client and server program is a simple task, as Python has many inbuilt modules to help with this.

How to Code the Server

First, let's code our server program. To keep it simple, let's assume that the server listens to the host on a particular port. Whatever data it receives, it just prints and send some random ASCII letters as a response.

# server.py
# Importing neccessary inbuilt modules
import socket
import random
import string

# Creating a socket instance
server_object = socket.socket(family=socket.AF_INET, type=socket.SOCK_STREAM)

# Connecting to the localhost
ip_address = '127.0.0.1'
port = 5555
server_object.bind((ip_address, port))
server_object.listen()

#Once the client connects to the particular port, the server starts to accept the request.
connection_object, _ = server_object.accept()


if connection_object:
    # Connected to client successfully
    print("SERVER CONNECTED TO CLIENT")

    # sending initial message to the client
    connection_object.send(b"type the message")

    # receiving message from the client
    data_receive = connection_object.recv(1024)

    while data_receive != b'stop':
        print("{}: {}".format("CLIENT MESSAGE: ", data_receive.decode('utf-8')))
        server_input = random.choice(string.ascii_letters)
        connection_object.send(server_input.encode('utf-8'))
        data_receive = connection_object.recv(1024)

In the above code, we created a socket instance for the server. You can see that family=socket.AF_INET defines the address family that this socket can accept – only IPv4 addresses. And type=socket.SOCK_STREAM defines that the socket accepts only TCP (Transmission Control Protocol) connections.

For the server socket instance to listen and accept requests, it needs an IP address and a port. So, we have ip_address = '127.0.0.1' and port = 5555. Here, we have localhost as our IP address as the server and client reside in the same machine.

In the next step, the server instance server_object establishes (binds) an address so that clients can use it to find the server. The bind((ip_address,port)) method assigns a local IP address and a port number to this server_object instance explicitly as the server programs listens on the published port port. A port and local IP address neds to be assigned.

It then starts to actively listens on that particular port. When the client connects to that port from the client side, the server instance accepts the client's request for a connection. It then creates a new connection_object and returns to the server instance.

This connection_object contains all the necessary information about the client and server. Now, we use this connection_object to send a message from the server to client. So we print a SERVER CONNECTED TO CLIENT message if the connection_object is created successfully.

Once the connection_object is created, then the instance sends an initial message type the message in bytes to the client and receives the request from the client.

In the while loop, the connection instance connection_object prints the client message. Then as a response it sends random ASCII letters and waits for the client request. This while loop will execute in the server program until the client sends the request message stop.

How to Code the Client

Up to this point, we have seen the server side code. Now, lets code the client side which is pretty simple.

# client.py

#importing socket module
import socket

# creating socket instance
client_object = socket.socket(family=socket.AF_INET, type=socket.SOCK_STREAM)

# target ip address and port
ip_address = '127.0.0.1'
port = 5555

# instance requesting for connection to the specified address and port
client_object.connect((ip_address,port))

# receiving response from server
data_receive = client_object.recv(1024)

# if response is not null
if data_receive:
    # Connection is successful
    print("CLIENT CONNECTED TO SERVER")
    print(data_receive.decode('utf-8'))


    while data_receive:
        # user input
        client_input = input().encode('utf-8')

        # sending request to the server
        client_object.send(client_input)

        # receiving response from the server
        data_receive = client_object.recv(1024)
        if data_receive:
            print("{}: {}".format("SERVER",data_receive.decode('utf-8')))

In the client side code, we have created a similar socket instance client_object, the target ip_address, and port, just like we created in the server side program.

The next step is to use the client_object instance and connect to the respective target address and port using the connect() method.

Once the connection is successful and the connection_object is created on the server side, then the server sends the response type the message which gets stored in the data_receive in the client side.

Since the server has sent the message, we use this message to confirm that the connection is successful. So, we print CLIENT CONNECTED TO SERVER and then print the message sent by the server type the message.

In the while loop, we first give the input in a string using the input() inbuilt function. Then we convert it to bytes using the encode('utf-8') method and store it in client_input (as the data can be sent only in bytes). We then send the client_input to the server using client_object.send(client_input).

We receive the response data from the server after sending the request to the server. The server will accept and give a response to the client until the user types stop as a request to the server.

Note: We have to first execute the server program and then the client program because when client wants to connect to the target, there should be a server listening, up and running.

Here's the execution of of server.py and then client.py:

Left-Side: Server Program, Right-Side: Client Program

As you can see, once the execution started, the server displayed SERVER CONNECTED TO CLIENT so the user can tell it's working, and sent the initial message to the client.

On the client side, when the client received the message, it displayed CLIENT CONNECTED TO SERVER and also printed type the message received from the client.

Since the client is waiting for the input from the user, once the user entered the input, it sends it to the server and the server prints the client message. It then sent the random ASCII letter as the response to the client.

The flow looped until the client sent the stop message as the request to the server. Once the server received the stop request, it terminated from the socket session.

Conclusion

In this tutorial, We understood socket is one of the most fundamental technologies of computer networking and learnt how to set up a socket program in Python using the socket module in client-side and server-side programs.

Secure Shell (SSH) is a widely used network protocol that provides a secure way to access remote servers and computers.

In Linux, SSH is an essential tool for remote administration and file transfer. In this article, we will go over the meaning of SSH in Linux, its history, features, configuration, and use cases.

What is SSH?

SSH is a cryptographic network protocol that allows secure communication between networked devices. It was developed as a replacement for Telnet, which sends all data, including passwords, in clear text, making it susceptible to eavesdropping and interception.

SSH provides encryption and authentication mechanisms to protect the confidentiality and integrity of network communications.

Brief History of SSH

The first version of SSH, SSH-1, was developed by Tatu Ylönen in 1995 as a response to the insecurity of Telnet and FTP.

In 1996, SSH Communications Security released a commercial version of SSH-1, which became widely used in the industry.

But SSH-1 had some security vulnerabilities, and in 1998, Ylönen developed SSH-2, which addressed these issues and became the most widely used version of SSH.

How SSH Works

SSH uses a client-server architecture, where the client initiates a connection to the server and requests a secure communication channel. The server responds by generating a pair of cryptographic keys, one public and one private.

The public key is sent to the client, while the private key is kept securely on the server. The client then encrypts a random session key using the server's public key and sends it back to the server. The server decrypts the session key using its private key and sends an acknowledgement to the client. From this point on, all data transmitted between the client and server is encrypted using the session key.

SSH Features

• Encryption: SSH uses strong encryption algorithms, such as AES, to protect the confidentiality and integrity of data transmitted over the network.
• Secure file transfer: It provides secure file transfer (SFTP) capabilities, which allow users to transfer files between remote servers securely.
• Remote login: SSH provides a secure way to login to remote servers and computers, without exposing login credentials to attackers.
• Port forwarding: It provides port forwarding capabilities, which allow users to access restricted services on remote servers through a secure communication channel.
• X11 forwarding: SSH provides X11 forwarding capabilities, which allow users to run graphical applications remotely, without having to install them locally.
• Agent forwarding: It also provides agent forwarding capabilities, which allow users to use SSH keys for authentication on remote servers, without having to enter their password every time.

SSH Configuration

SSH configuration involves various settings and options that can be customized to optimize the SSH connection and improve security. Here are some common SSH configuration tasks:

• Generating SSH keys: Before using SSH, users must generate a pair of cryptographic keys, one public and one private. The public key is shared with the server, while the private key is kept securely on the user's computer.
• Editing configuration files: Users can create and edit SSH configuration files to customize their SSH settings, such as specifying the preferred encryption algorithm or setting up port forwarding. The SSH configuration files are usually located in the /etc/ssh/ directory.
• Authentication methods: SSH supports various authentication methods, such as password authentication, public key authentication, and multi-factor authentication. Users can choose the most suitable authentication method based on their security needs.
• Secure SSH configuration: To ensure maximum security, users should follow best practices for secure SSH configuration, such as disabling root login, enforcing strong passwords, and limiting the number of failed login attempts. Users can also use tools like Fail2Ban to prevent brute-force attacks on SSH.
• Enabling X11 forwarding: SSH provides X11 forwarding capabilities, which allow users to run graphical applications remotely, without having to install them locally. To enable X11 forwarding, users can add the -X or -Y flag when connecting to the remote server.
• Port forwarding: SSH allows users to set up port forwarding, which can be useful for accessing restricted services on remote servers through a secure communication channel. Users can set up local or remote port forwarding, depending on their needs.
• Compression: SSH supports data compression, which can improve the performance of the SSH connection, especially when transferring large files or running resource-intensive applications. Users can enable compression by adding the -C flag when connecting to the remote server.

SSH Examples and Use Cases

• Remote server administration: SSH is commonly used for remote server administration, allowing users to execute commands and manage servers from a remote location.
• Secure file transfer: provides a secure way to transfer files between remote servers, without exposing the files or login credentials to attackers.
• Running graphical applications remotely: allows users to run graphical applications remotely, without having to install them locally, which can be useful for resource-intensive applications or when using a low-power device.
• Port forwarding for accessing restricted services: allows users to access restricted services on remote servers through a secure communication channel, by setting up port forwarding.
• Tunneling for secure communication: SSH allows users to set up encrypted tunnels for secure communication between two networked devices, which can be useful for accessing resources on a private network.

Conclusion

To end this article, here's a recap of what we covered and what you should know about SSH:

• SSH is a secure protocol for remote communication in Linux.
• SSH uses encryption to protect data and authentication mechanisms to verify users.
• SSH is a reliable and efficient way to communicate securely over the internet, and is a vital tool for Linux system administration and development.
• SSH provides remote login, secure file transfer, port forwarding, X11 forwarding, and agent forwarding capabilities.
• To use SSH, users must generate a pair of cryptographic keys, one public and one private.
• SSH configuration files can be customized to optimize the SSH connection and improve security.
• SSH supports various authentication methods, such as password authentication, public key authentication, and multi-factor authentication.
• To ensure maximum security, users should follow best practices for secure SSH configuration, such as disabling root login, enforcing strong passwords, and limiting the number of failed login attempts.
• SSH can be used for remote server administration, secure file transfer, running graphical applications remotely, port forwarding, and tunneling for secure communication.
• SSH is a widely used and supported protocol, with many SSH clients and servers available for different platforms.

Let's connect on Twitter and on LinkedIn. You can also subscribe to my YouTube channel.

Happy Coding!

But, once you've got it all running nicely, well that's when you should really be worried: because that's exactly when the bad guys start banging away at the door trying to find a way in.

In this article we're going to cover just enough of the most important networking fundamentals so that discussions of network security that you may encounter will make sense.

This article comes from The Complete LPI Security Essentials Exam Study Guide. You can also follow along using this video:

Understanding IPv4 and NAT Routing

IP networks (where IP stands for Internet Protocol) are the backbone of the Internet, connecting devices and transmitting data over the network.

IP is responsible for routing data packets from one device to another, and IP version 4 is the most widely used IP address format. IPv4 uses a 32-bit address, and consists of four 8-bit numbers called octets. IPv4 addresses are written in a decimal notation where each octet is separated by a dot.

An example of an IPv4 host address might look something like this:

192.168.2.34

Network Address Translation is a method used to allow private IPv4 addresses to access the Internet. NAT maps private IP addresses to a single public IP address, which is assigned by an Internet Service Provider (ISP).

When a device in a private network wants to access the Internet, it sends a request to the NAT gateway. The NAT gateway translates the private IP address of the device into the public IP address assigned by the ISP and forwards the request to the Internet.

NAT addressing explained in a diagram

When the response from the Internet is received, the NAT gateway translates the public IP address back into the private IP address of the device and sends the response to the device.

In this way, NAT enables multiple devices in a private network to share a single public IP address and access the Internet, while hiding their private IP addresses from the public. NAT also provides a basic level of security by hiding the internal network from the Internet.

Understanding IPv6

IP version 6 is the latest IP address format. IPv6 uses a 128-bit address, and is made up of eight 16-bit hexadecimal segments separated by colons.

Here is an example of what an IPv6 address might look like:

2001:0db8:85a3:0000:0000:8a2e:0370:7334

IPv6 was created because we were running out of IPv4 addresses – since IPv4's 32-bit addresses allow for a maximum of only 4.3 billion unique addresses.

This was great in the early days of the Internet, but as the number of Internet-connected devices has grown, the demand for unique IP addresses has surpassed the number available in the IPv4 address space.

To address this shortage, IPv6 was developed with its larger address space, allowing for 340 trillion, trillion, trillion unique addresses. This large address space ensures that there will be enough unique IP addresses for all Internet-connected devices forever. Literally.

Additionally, IPv6 addresses overcome some other limitations of IPv4, such as improved security, auto-configuration, and support for hierarchical address allocation and routing.

Defining Routing Protocols

TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are two of the most common transport layer protocols used in IP networks.

TCP is a reliable connection-oriented protocol that provides error-checking and flow control. UDP is a connectionless protocol that provides fast data transmission but with less reliability.

ICMP (Internet Control Message Protocol) is a network layer protocol used to send error messages, test network connectivity (in particular, through a tool called ping), and perform other functions.

DHCP (Dynamic Host Configuration Protocol) is a protocol used to dynamically assign IP addresses to devices on a network. In a home or small business network, DHCP is usually performed by a router or a dedicated DHCP server, which is responsible for dynamically assigning IP addresses to devices on the network.

Here's how the process of DHCP typically works:

• When a device connects to the network, it broadcasts a request for an IP address.
• The DHCP server receives the request and assigns a unique IP address to the device, along with other network information such as the subnet mask, default gateway, and DNS server addresses.
• The device receives the assigned IP address and other network information from the DHCP server and uses it to configure its network settings.
• Finally, the DHCP server maintains a table of assigned IP addresses and the devices that have been assigned them, so it can ensure that each device on the network has a unique IP address.

In a home or small business network, the router or DHCP server is usually configured to automatically assign IP addresses to devices on the network. This eliminates the need for manual IP address configuration and makes it easy for devices to connect to the network.

With those basics, you'll be in a much better position to understand the stuff you hear and read about network security issues.

This article and the accompanying video are excerpted from my Complete LPI Security Essentials Exam Study Guide course. And there's much more technology goodness available at bootstrap-it.com.

That's what we will learn in this article. We will explore two ways to set a static IP in Ubuntu.

Static IP addresses find their use in the following situations:

• Configuring port forwarding.
• Configuring your system as a server such as an FTP server, web server, or a media server.

Pre-requisites:

To follow this tutorial you will need the following:

• Ubuntu installation, preferably with a GUI.
• sudo rights as we will be modifying system configuration files.

How to Set a Static IP Using the Command Line

In this section, we will explore all the steps in detail needed to configure a static IP.

Step 1: Launch the terminal

You can launch the terminal using the shortcut Ctrl+ Shift+t.

Step 2: Note information about the current network

We will need our current network details such as the current assigned IP, subnet mask, and the network adapter name so that we can apply the necessary changes in the configurations.

Use the command below to find details of the available adapters and the respective IP information.

ip a

The output will look something like this:

For my network, the current adapter is eth0. It could be different for your system

• Note the current network adapter name

As my current adapter is eth0, the below details are relevant.

6: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:df:c3:ad brd ff:ff:ff:ff:ff:ff
    inet 172.23.199.129/20 brd 172.23.207.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::215:5dff:fedf:c3ad/64 scope link
       valid_lft forever preferred_lft forever

It is worth noting that the current IP 172.23.199.129 is dynamically assigned. It has 20 bits reserved for the netmask. The broadcast address is 172.23.207.255.

• Note the subnet

We can find the subnet mask details using the command below:

ifconfig -a

Select the output against your adapter and read it carefully.

IP is 172.23.199.129 and subnet mask is 255.255.240.0

Based on the class and subnet mask, the usable host IP range for my network is: 172.23.192.1 - 172.23.207.254.

Subnetting is a vast topic. For more info on subnetting and your usable IP ranges, check out this article.

Step 3: Make configuration changes

Netplan is the default network management tool for the latest Ubuntu versions. Configuration files for Netplan are written using YAML and end with the extension .yaml.

Note: Be careful about spaces in the configuration file as they are part of the syntax. Without proper indentation, the file won't be read properly.

• Go to the netplan directory located at /etc/netplan.

ls into the /etc/netplan directory.

If you do not see any files, you can create one. The name could be anything, but by convention, it should start with a number like 01- and end with .yaml. The number sets the priority if you have more than one configuration file.

I'll create a file named 01-network-manager-all.yaml.

Let's add these lines to the file. We'll build the file step by step.

network:
 version: 2

The top-level node in a Netplan configuration file is a network: mapping that contains version: 2 (means that it is using network definition version 2).

Next, we'll add a renderer, that controls the overall network. The renderer is systemd-networkd by default, but we'll set it to NetworkManager.

Now, our file looks like this:

network:
 version: 2
 renderer: NetworkManager

Next, we'll add ethernets and refer to the network adapter name we looked for earlier in step#2. Other device types supported are modems:, wifis:, or bridges:.

network:
 version: 2
 renderer: NetworkManager
 ethernets:
   eth0:

As we are setting a static IP and we do not want to dynamically assign an IP to this network adapter, we'll set dhcp4 to no.

network:
 version: 2
 renderer: NetworkManager
 ethernets:
   eth0:
     dhcp4: no

Now we'll specify the specific static IP we noted in step #2 depending on our subnet and the usable IP range. It was 172.23.207.254.

Next, we'll specify the gateway, which is the router or network device that assigns the IP addresses. Mine is on 192.168.1.1.

network:
 version: 2
 renderer: NetworkManager
 ethernets:
   eth0:
     dhcp4: no
     addresses: [172.23.207.254/20]
     gateway4: 192.168.1.1

Next, we'll define nameservers. This is where you define a DNS server or a second DNS server. Here the first value is 8.8.8.8 which is Google's primary DNS server and the second value is 8.8.8.4 which is Google's secondary DNS server. These values can vary depending on your requirements.

network:
 version: 2
 renderer: NetworkManager
 ethernets:
   eth0:
     dhcp4: no
     addresses: [172.23.207.254/20]
     gateway4: 192.168.1.1
     nameservers:
         addresses: [8.8.8.8,8.8.8.4]

Step 4: Apply and test the changes

We can test the changes first before permanently applying them using this command:

sudo netplan try

If there are no errors, it will ask if you want to apply these settings.

Now, finally, test the changes with the command ip a and you'll see that the static IP has been applied.

Static IP applied

How to Set a Static IP Using the GUI

It is very easy to set a static IP through the Ubuntu GUI/ Desktop. Here are the steps:

• Search for settings.
• Click on either Network or Wi-Fi tab, depending on the interface you would like to modify.
• To open the interface settings, click on the gear icon next to the interface name.
• Select “Manual” in the IPV4 tab and enter your static IP address, Netmask and Gateway.
• Click on the Apply button.

Manually setting a static IP using Ubuntu Desktop.

• Verify by using the command ip a

Static IP updated via GUI

Conclusion

In this article, we covered two methods to set the static IP in Ubuntu. I hope you found the article useful.

What’s your favorite thing you learned from this tutorial? Let me know on Twitter!

You can read my other posts here.

This post relies on basic knowledge of computer networks. Be sure to check my previous post about the five layers model if you need a refresher.

What is Wireshark?

Wireshark is a sniffer, as well as a packet analyzer.

What does that mean?

You can think of a sniffer as a measuring device. We use it to examine what’s going on inside a network cable, or in the air if we are dealing with a wireless network. A sniffer shows us the data that passes through our network card.

But Wireshark does more than that. A sniffer could just display a stream of bits - ones and zeroes, that the network card sees. Wireshark is also a packer analyzer that displays lots of meaningful data about the frames that it sees.

Wireshark is an open-source and free tool, and is widely used to analyze network traffic.

Wireshark can be helpful in many cases. It might be helpful for debugging problems in your network, for instance – if you can’t connect from one computer to another, and want to understand what’s going on.

It can also help programmers. For example, imagine that you were implementing a chat program between two clients, and something was not working. In order to understand what exactly is being sent, you may use Wireshark to see the data transmitted over the wire.

So, let’s get to know Wireshark.

How to Download and Install Wireshark

Start by downloading Wireshark from its official website:

https://www.wireshark.org/#download

Follow the instructions on the installer and you should be good to go.

How to Sniff Traffic with Wireshark

Launch Wireshark, and start by sniffing some data. For that, you can hit Ctrl+K (PC) or Cmd+K (Mac) to get the Capture Options window. Notice that you can reach this window in other ways. You can go to Capture->Options. Alternatively, you can click the Capture Options icon.

I encourage you to use keyboard shortcuts and get comfortable with them right from the start, as they'll allow you to save time and work more efficiently.

So, again, I’ve used Ctrl+K (or Cmd+K) and got this screen:

The Capture Options window in Wireshark (Source: Brief)

Here we can see a list of interfaces, and I happen to have quite a few. Which one is relevant? If you’re not sure at this point, you can look at the Traffic column, and see which interfaces currently have traffic.

Here we can see that Wi-Fi 3 has got traffic going through it, as the line is high. Select the relevant network interface, and then hit Enter, or click the button Start.

Let Wireshark sniff the network for a bit, and then stop the sniff using Ctrl+E / Cmd+E. Again, this can be achieved in other ways – such as going to Capture->Stop or clicking the Stop icon.

Consider the different sections:

Wireshark's sections (Source: Brief)

The section marked in red includes Wireshark’s menu, with all kinds of interesting options.

The main toolbar is marked in blue, providing quick access to some items from the menu.

Next, marked in green, is the display filter. We will get back to it shortly, as this is one of the most important features of Wireshark.

Then follows:

The Packet List Pane

The packet list pane is marked in orange. It displays a short summary of each packet captured.

(Note: the term Frame belongs to a sequence of bytes in the Data Link layer, while a Packet is a sequence of bytes from the Network layer. In this post I will use the terms interchangeably, though to be accurate, every packet is a frame, but not every frame is a packet, as there are frames that don't hold network layer data.)

As you can see in the image above, we have a few columns here:

NUMBER (No.) – The number of the packet in the capture file. This number won’t change, even if we use filters. This is just a sequential number – the first frame that you have sniffed gets the number 1, the second frame gets the number 2, and so on.

Time – The timestamp of the packet. It shows how much time has passed from the very first packet we have sniffed until we sniffed the packet in question. Therefore, the time for packet number 1 is always 0.

Source – The address where this packet is coming from. Don’t worry if you don’t understand the format of the addresses just yet, we will cover different addresses in future tutorials.

Destination – The address where this packet is going.

Protocol – The protocol name in a short version. This will be the top protocol – that is, the protocol of the highest layer.

Length – The length of each packet, in bytes.

Info – Additional information about the packet content. This changes according to the protocol.

By clicking on packets in this pane, you control what is displayed in the other two panes which I will now describe.

The Packet Details Pane

Click on one of the captured packets. In the example below I clicked on packet number 147:

Selecting a specific packet changes the packet details pane (Source: Brief)

Now, the packet details pane displays the packet selected in the packet list pane in more detail. You can see the layers here.

In the example above, we have Ethernet II as the second layer, IPv4 as the third layer, UDP as the fourth layer, and some data as a payload.

When we click on a specific layer, we actually see the header of that layer.

Notice that we don’t see the first layer on its own. As a reminder, the first layer is responsible for transmitting a single bit – 0 or 1 – over the network (if you need a refresher about the different layers, check out this post).

The packet bytes pane in Wireshark (Source: Brief)

Below the packet details pane, we have the packet bytes pane. It displays the data from the packet selected in the packet list pane. This is the actual data being sent over the wire. We can see the data in hexadecimal base, as well as ASCII form.

How to Use the Display Filter

Wireshark has many different functions, and today we will focus on one thing – the display filter.

As you can see, once you start sniffing data, you get a LOT of traffic. But you definitely don’t want to look at everything.

Recall the example from before – using Wireshark in order to debug a chat program that you’ve implemented. In that case, you would like to see the traffic related to the chat program only.

Let’s say I want to filter only messages sent by the source address of frame number 149 ( 192.168.1.3 ). I will cover IP addresses in future posts, but for now you can see that it consists four numbers, delimited by a dot:

The display filter in Wireshark (Source: Brief)

Now, even if you don’t know how to filter only packets sent from this IP address, you can use Wireshark to show you how it’s done.

For that, go to the right field we would like to filter – in this case, the source IP address. Then right click -> and choose filter -> Apply as Filter.

Applying a display filter (Source: Brief)

After applying the filter, you only see packets that have been sent from this address. Also, you can look at the display filter line and see the command used. In this way, you can learn about the display filter syntax (in this example, it is ip.src for the IP source address field):

Applying a display filter (Source: Brief)

Now, try to filter only packets that have been sent from this address, and to the address 172.217.16.142 (as in Frame 130 in the image above). How would you do that?

Well, you could go to the relevant field – in this case, the IP destination address. Now, right click -> Apply as Filter -> and select ...and Selected:

Applying a display filter (Source: Brief)

If you look at the display filter line after applying this filter:

Applying a display filter (Source: Brief)

You can also learn that you can use the && operand in order to perform and. You could also write the word and, instead, and get the same result.

Applying multiple conditions using && or and (Source: Brief)

How to Use Wireshark to Research the Ping Utility

Ping is a useful utility to check for remote servers’ connectivity.

This page explains how to use ping in Windows, and this page explains how to do that in OSX.

Now, we can try to ping <address> using the command line. By default, ping sends 4 requests and waits for a pong answer. If we want it to send a single request, we could use -n 1:

Using the command line to ping Google (Source: Brief)

You can see that Google has responded. The time it took for the message to return was 92 milliseconds. We will learn about the meaning of TTL in future posts.

Ping is useful to determine whether a remote service is available, and how fast it is to reach that service. If it takes a very long time to reach a reliable server such as google.com, we might have a connectivity problem.

Try it yourself

Now, try to use Wireshark to answer the following questions:

1) What protocol does the ping utility use?

2) Using only Wireshark, compute the RTT (Round Trip Time) – how long it took since your ping request was sent and until the ping reply was received?

Next, run the following command:

ping -n 1 -l 342 www.google.com

3) What is the main difference between the packet sent by this command, and the packet sent by the previous command? Where in Wireshark can you see this difference, inspecting the packets?

4) What is the content (data) provided in the ping request packet? What is the content provided in the ping response packet?

Let's solve it together

So the first question is:

What protocol does the ping utility use?

To answer that question, start sniffing in Wireshark, and simply run the ping command. Stop the sniff, and consider the packets pane:

Sniffing while running ping (source: Brief)

Wireshark marks the packets as Echo (ping) request and Echo (ping) reply.

Considering these packets, we can see they consist of Ethernet for the Data Link layer (though that may differ from one network to another), IPv4 as the Network layer, and then ICMP as the protocol for Ping itself. So the answer we found is: ICMP.

Next question:

Using only Wireshark, compute the Round Trip Time

Looking at the captured packets, we can see the Time column, and subtract the time of the Pong packet ( 7.888... ) from the time of the Ping packet ( 7.796...).

So in this case the RTT was: 92 ms. Of course, the value can be different when you run the ping utility.

What is the main difference between the packet sent by this command, and the packet sent by the previous command?

For question number 3, we are asked to run the following command:

ping -n 1 -l 342 www.google.com

Looking at the first run of ping, we can see the length of the packets are 74 bytes:

Sniffing while running ping (source: Brief)

Observing the packets sent after running ping with the -l 342 argument, we can see that the value is bigger:

Sniffing while running ping (source: Brief)

So the main difference is the amount of bytes sent as the data.

Question number four:

What is the content (data) provided in the ping request packet?

What is the content provided in the ping response packet?

Click on the request packet to observe the data sent:

Observing the data sent by the ping utility (source: Brief)

The answer for the ping request is a through w, over and over again.

Regarding the ping response – it is the same as the request.

Summary

Wireshark is a wonderful tool for anyone working with Computer Networks. It can help you understand how protocols work and also help you debug applications or network issues.

As you have seen, you can learn how things work by simply running Wireshark in the background while using them and then inspect the traffic. With this tool under your belt, the sky is the limit.

In future tutorials, we will also rely on our knowledge of Wireshark and use it to further understand various concepts in computer networks.

About the Author

Omer Rosenbaum is Swimm’s Chief Technology Officer. He's the author of the Brief YouTube Channel. He's also a cyber training expert and founder of Checkpoint Security Academy. He's the author of Computer Networks (in Hebrew). You can find him on Twitter.

Additional References

• Computer Networks Playlist - on my Brief channel.
• Wireshark's website.

Even more specifically, one amazing thing about the Internet is its ability to handle errors.

What do I mean by errors? When a packet or a frame is received by a machine, we say it contains an error if the data that had been sent is not the data that was received. For instance, a single 1 was mistakenly received as a 0 after its transmission.

This can happen due to many different reasons. Perhaps there was some disturbance in the wire where the data was transmitted – say, a child rode her bicycle over the wire. Perhaps there was some collision in the air as many people transmitted at once. Maybe it was a device's error.

Regardless of the specific reason, you still get valid data on the Internet. Without handling errors, you may read the last sentence and instead of errors read errbbb. Weird, isn't it? So how does the Internet handle errors?

There are two main approaches for handling errors – detection, and correction. We shall start by describing detection, and then talk about correction.

What is Error Detection?

When dealing with error detection, we are looking for a boolean result – True, or False. Is the frame/packet valid, or not. That is all. We don’t want to know where the error occurred. If the frame is invalid, we will simply drop it.

So when the receiver receives a frame, they will determine whether an error has occurred. If the frame is valid, they will read it. If the frame contains errors - the receiver will drop it.

_Error Detection: we only want to know if the frame/packet is valid or not. (Source: Brief)_

One method for error detection is using a checksum. A common implementation of a checksum is called CRC – Cyclic Redundancy Check.

In this post we will not trouble ourselves with the mathematical implementation of CRCs in the real world (if you're interested, check out Wikipedia). Rather, we'll simply try to understand the concept. To do so, let’s implement a very simple checksum mechanism ourselves.

Consider a protocol for transmitting 10-digit phone numbers between endpoints. This protocol is extremely simple: each packet includes exactly 10 bytes, each one representing a digit. For example, a packet might include the following digits:

5551234567

_A packet with a payload of 10 digits (Source: Brief)_

For simplicity's sake, we will omit the headers of the packet and focus solely on the payload.

Now, we will add a checksum. Say that we add all the digits. So in this example, we would calculate 5 + 5 +5 +1+… all the way through 7. We would get 43. This would be our checksum value.

Now, the sender won’t only send the phone number, but also the checksum value right after it. In this example, the sender would send:

_The packet's data is followed by a checksum. (Source: Brief)_

Now, as the receiver, you can do the same thing. You will read the phone number, and calculate the checksum. You will add the digits, and get 43.

Since you've received the correct result (that is, your calculation based on the data matches the checksum value sent in the packet), you can assume that the frame is valid.

_The sender compares their calculated checksum value and the checksum in the packet. If the values match, the packet is assumed to be valid (Source: Brief)_

What happens in case of an error? 🤔

Let’s say, for instance, that the digit 2 was replaced by an 8. Now, even though the sender sent the same stream as before ( 555123456743 ), you, as the receiver, see something a bit different:

_A packet containing an error (Source: Brief)_

Now, you are calculating the checksum, adding all the digits. You get 49. Since this value is different from the checksum value specified in the original frame, 43, the frame is considered to be invalid and you drop it.

_The sender compares their calculated checksum value and the checksum in the packet. If the values don't match, the packet is assumed to be invalid (Source: Brief)_

Are there problems with this method? 🤔

Yes, there are. Consider, for example, what happens if there are two errors – and instead of the original stream ( 555123456743 ), you receive the following:

_A packet received with two errors, resulting in the stream 456123456743 (Source: Brief)_

What happens when you add the digits?

Even though the digits are not the same as the original packet, the checksum will remain correct, and the frame will be regarded as valid.

_Despite the errors, the checksum value happens to be correct, resulting in a false assumption that the packet is valid (Source: Brief)_

Real checksum functions, such as CRCs, are of course much better implemented than the one in our example – but in extremely rare cases, such problems may occur.

Notice that using this kind of method, error detection, we don’t know where the problem occurred, but only whether the frame is valid or not. If the checksum value is invalid, we assume that the frame is invalid and drop it.

What is Error Correction?

As mentioned earlier, detection is not the only way to handle errors. Another approach might be to find the error and correct it. How can we do that?

An extremely simple way would be to transmit the data many times – let’s say, three times. For example, the stream 5551234567 would be transmitted as follows:

_Sending the same data multiple times (Source: Brief)_

So we basically sent the data three times.

Now, in case of an error in one digit, the receiver can look at the other two digits, and choose the one that appears two times out of three.

So, for instance, if we had a problem and 2 was replaced with an 8, the receiver would get this stream:

_An error in one of the occurrences of the data (Source: Brief)_

Now, as a receiver, you can say: “I have 2, 8, 2… so it was probably 2 in the original message”.

Is this problematic? Well, in some rare cases, we might get the same error twice. So it is possible, even though unlikely, that two of the original twos have been received as eights.

So while the sender sent this stream:

_Sending the same data multiple times (Source: Brief)_

The first 2 was mistakenly read as an 8, and also the second 2 was received as an 8:

_Two identical errors; Rare, but possible (Source: Brief)_

Now, it looks as if the original message included an 8, and not a 2.

What can you do in order to lower the probability of such scenario?

The most simple solution would be to simply send the data even more times. Let’s say, five times. So now we duplicate all the data, and send it 5 times in total…

_Sending the data five(!) times (Source: Brief)_

Now, say that two errors occurred, and again two of the 2 digits were replaced with 8s.

_Two identical errors; Rare, but possible (Source: Brief)_

Clearly, it is very unlikely to get the same error twice, but even in this case, we still get 2 three times, so as the receiver you can tell, with a high probability, that the original message contained a 2, rather than an 8.

What's the Overhead?

Now would be a good time to introduce the term overhead. When we say overhead, we basically mean data or time needed to convey the actual message. Let’s first understand what this term means in general, and then consider it in the context of handling errors.

Let’s say that I have a lesson to teach in my university. My goal is to teach the lesson itself, which is also called the payload in that context – that is, the actual data or message I would like to convey.

In order to teach the lesson, or to convey the payload, I first have to physically get to the university – so I get out of my home, walk to the bus station, wait for the bus, take the bus, get off the bus, walk to the building, wait for the lesson to start – and only then do I actually get to teach the lesson.

This entire process is overhead that I have to pay in order to deliver the payload, in this case – to teach the lesson.

_Overhead and Payload are two extremely important terms in Computer Networks (Source: Brief)_

The same applies in computer networks. Our payload is the data, and there is always some overhead associated with sending it.

Back to Handling Errors

In the context here – sending the data three times, as suggested earlier, means that for every byte of payload we have two bytes of overhead. If we send the data five times, then for every byte of payload, we have four bytes of overhead. That’s a LOT!

Consider error detection, on the other hand. In our example protocol for sending phone numbers, how much overhead did we have?

Recall that for every ten-digit phone number, that is ten bytes, we included a two-digit checksum value. In other words, we had two bytes of overhead for ten bytes of payload. It is clear that in our example, error detection yields much smaller overhead in comparison to error correction.

_In the sample protocol, for every ten-digit phone number (ten bytes of payload), we included a two-digit checksum value (two bytes of overhead) (Source: Brief)_

There are better ways to achieve error correction with high accuracy than to simply send the data so many times, but they are more complicated and out of scope for this post. Even with very complicated error correction techniques, they still require lots of overhead when compared to error detection.

Also, notice that except for the bytes sent as overhead in case of error correction, error detection is much simpler.

Error Correction vs Error Detection – Which is Better?

We already concluded that error detection is simpler, and with a smaller payload compared to error correction.

So, when would we prefer error correction?

One case might be when we have a one-way link. That is, a network where we can only transfer data in one direction.

For example, say you have a secret agent that you need to send a message to. The agent knows that they need to look up to the sky at exactly midnight, and they will see a series of flashes indicating the secret message.

The secret agent cannot reply, or their location and identity will be revealed. In addition, you don’t want to send the message over and over again, as not to draw much attention, and to make it harder for someone to intercept the message.

In this case, you definitely want your agent to receive the exact message that you’ve sent. Consider a case where you want to send them the message “do not place the bomb”.

_A sensitive message for a secret agent (Source: Brief)_

Of course, you don’t want to risk the unfortunate scenario of the agent reading the message as “do now place the bomb”, due to an error.

_An error may change the meaning of the message substantially (Source: Brief)_

If you use error detection, the agent might be aware that the message they received is invalid in case of an error, but they won’t be able to tell you that they need you to send the message again. As you want the agent to be able to read your message correctly and without sending any data back to us, error correction is preferred.

So, one-way link is one case where we prefer error correction. What about other cases?

Sometimes you just can’t send the data again, perhaps because it has been erased from the memory of your machine. That is, the data is deleted right after it has been sent. In this case, you'd clearly prefer error correction, as sending the data again, as we would do with error detection, is just impossible.

Also, if sending the data again is possible, but extremely expensive, error correction may be preferable.

For example, if you send a message to the moon, say, with a spaceship – it might be really expensive to send it over again in case of an error. Using error correction, you send the data only once and the receiver should be able to deal with it, even if an error occurred.

_Cases where correction is preferred (Source: Brief)_

In general, we prefer error correction when retransmitting the data is costly or impossible.

When would we prefer error detection?

Well, in case we can retransmit the data, we usually prefer error detection since it comes with very little overhead compared to error correction. Especially, when sending the data is relatively cheap.

For example, on the Internet, if an error occurs when you send a frame, no problem – you can simply send it again!

For example, when I covered the Ethernet protocol in a previous post, I mentioned that Ethernet protocol uses change detection, namely CRC32 – that is, 32 bits (or 4 bytes) of a checksum for every frame.

Note that it doesn’t mean that error detection is simply better. It just better fits the Internet than error correction. As mentioned before, error correction is preferable in other cases.

Wrapping Up

In this tutorial, we discussed various methods for handling errors. We looked at error detection, where we only know whether a frame is valid or not. We also considered error correction, where the receiver can restore the correct value of an erroneous frame. We also introduced the term overhead.

We then understood why we use error detection on the Internet, rather than error correction. Stay tuned for more posts in this series about Computer Networks 💪🏻

About the Author

Omer Rosenbaum is Swimm’s Chief Technology Officer. He's the author of the Brief YouTube Channel. He's also a cyber training expert and founder of Checkpoint Security Academy. He's the author of Computer Networks (in Hebrew). You can find him on Twitter.

Additional Resources

• Computer Networks Playlist - on my Brief channel
• CRC - Wikipedia
• The Complete Guide to Ethernet Protocol

It is useful in a variety of use cases, one of which is to actually get some hands-on experience when you learn Computer Networks. Wouldn't it be great if, when learning about Ethernet, for example, you could create, send, sniff and parse Ethernet frames on your own? Scapy is the perfect tool for that.

In addition, you can use Scapy for creating networking-based applications, parsing network traffic to analyze data, and many other cases.

This post assumes you have some background knowledge in Computer Networks, for example about the layers model. It also assumes you have some basic Python knowledge.

What will you learn?

In this post we will start from the very basics – what Scapy is, and how to install it.

You will learn how to sniff data and parse it with Scapy, and how to display it in a meaningful manner.

You will also learn how to create frames or packets, and how to send them. Altogether, you should have a new powerful tool under your belt.

How to Install Scapy

To install Scapy, you can simply use pip install scapy.

If you run into trouble, simply follow the official documentation.

How to Use Scapy

For now, let’s open up the command line and type in scapy.

You should expect something like the following:

_Running Scapy from the CLI (Source: Brief)_

Note that the warning messages are fine.

Since this is a Python environment, dir, help, and any other Python function for information retrieval are available for you. Of course, you can always combine Python code with your Scapy scripts.

How to Work with Packets and Frames in Scapy

Packets and frames in Scapy are described by objects created by stacking different layers. So a packet can have a variable number of layers, but will always describe the sequence of bytes that have been sent (or are going to be sent) over the network.

Let's create a frame that consists of an Ethernet layer, with an IP layer on top:

_Stacking Layers (Source: Brief)_

Look how easy that is! We’ve used the / operator in order to stack the IP layer on top of the Ethernet layer.

Note that when looking at this object, it only tells us non-default values. The type of Ethernet is 0x800 (in hexadecimal base) as this is the type when an IP layer is overloaded.

Let's look more deeply at the fields of the packet:

_With the show method we can observe all fields of the frame (Source: Brief)_

Pretty cool! 😎

How to Sniff with Scapy

Scapy also allows us to sniff the network by running the sniff command, like so:

_Sniffing with the sniff command (Source: Brief)_

After running sniff with count=2, Scapy sniffs your network until 2 frames are received. Then it returns – and in this case, the variable packets will store the frames that have been received.

The return value of sniff can be treated as a list. Therefore packets[0] will contain the first packet received, and packets[1] will contain the second:

_The return value of sniff is an iterable, so it can be accessed as a list (Source: Brief)_

A helper function summary is available too and will provide minimal information regarding the packet collection:

_Using summary we can get some information of the packet collection (Source: Brief)_

When looking at a specific frame, every layer or field can be accessed in a very elegant way. For instance, in order to get the IP section of the packet, we can access it like so:

_Accessing a specific layer (and its payload) (Source: Brief)_

Note that this shows us everything from the IP layer and above (that is, the payload of the IP layer). Let's now observe the source Ethernet address of this frame:

_Accessing a specific field (Source: Brief)_

Nice and easy. Now, you will learn how to run a specific command for every frame that you sniff.

First, create the callback function that will be run on every packet. For example, a function that will just print the source Ethernet address of the received frame:

_Defining a callback function that receives a frame as its argument (Source: Brief)_

Now, we can pass this function to sniff, using the prn argument:

_Run a callback function on every sniffed frame (Source: Brief)_

The Ethernet addresses have been printed as a result of print_source_ethernet being executed, where every time, it receives a sniffed frame as an argument.
Note that you can write the same in Python using a lambda function, as follows:

_Define the callback function using lambda (Source: Brief)_

If you prefer to write an explicit function like the one we’ve written above, that’s perfectly fine.

We usually want to filter traffic that we receive – and look only at relevant frames. Scapy’s sniff function can take a filter function as an argument – that is, a function that will be executed on every frame, and return a boolean value – whether this frame is filtered or not.

For example, say we would like to filter only frames that are sent to broadcast. Let’s write a simple filtering function that does just that:

_A simple filtering function (Source: Brief)_

Now, we can use the lfilter parameter of sniff in order to filter the relevant frames:

_Filtering frames based on a filter function (Source: Brief)_

In order to clarify, let’s draw this process:

_The process of sniffing and filtering with lfilter (Source: Brief)_

A frame f is received by the network card. It is then transferred to lfilter(f). If the filter function returns False, f is discarded. If the filter returns True, then we execute the prn function on f.

So we can now combine these two arguments of sniff, namely lfilter and prn, and print the source address of every frame that is sent to the broadcast address. Let’s do this now using lambda:

_Combining lfilter and prn 💪🏻 (Source: Brief)_

This is equivalent to writing the following line, without lambda:

sniff(count=2, lfilter=is_broadcast_frame, prn=print_source_ethernet)

Readable, quick, and useful. Have you noticed that I love Scapy? 🥰

Alright, so far we’ve learnt how to sniff frames. When sniffing, we know how to filter only relevant frames, and how to execute a function on each filtered frame.

How to Create Frames in Scapy

To create a frame, simply create an Ethernet layer using Ether(). Then, stack additional layers on top of it. For instance, to stack an IP layer:

_Creating a frame with two stacked layers (Source: Brief)_

Alternatively, we can just add raw data, as follows:

_Using Raw data as the payload (Source: Brief)_

If you want to specify a specific value, for instance the destination address of the frame, you can do it when you initially create the frame, like so:

_Creating a frame and specifying specific values (Source: Brief)_

Or, we can modify the specific field after creation:

_Modifying specific values (Source: Brief)_

How can we look at the frame we’ve just created? One way is to observe a frame using show, as we’ve done above. Another way of looking at a frame is by looking at its byte stream, just like in Wireshark. You can do this using the hexdump function:

_Viewing the hexadecimal byte stream (Source: Brief)_

Well, even better – we can just look at it inside Wireshark! By running wireshark(frame).

How to Send Frames in Scapy

You can send frames using sendp, as follows:

_Sending frames with sendp (Source: Brief)_

Let's sniff in wireshark while sending the frame to make sure that it’s actually sent:

_Observing the frame we've sent using Wireshark (Source: Brief)_

Note that we use sendp only when we send an entire frame, using the second layer and above. If you want to send a packet including only the third layer and above, use send instead.

Recap

In this post you got to know an awesome tool called Scapy. You saw how you can sniff, how to filter packets, and how to run a function on sniffed packets. You also learned how to create and send frames.

About the Author

Omer Rosenbaum is Swimm’s Chief Technology Officer. He's the author of the Brief YouTube Channel. He's also a cyber training expert and founder of Checkpoint Security Academy. He's the author of Computer Networks (in Hebrew). You can find him on Twitter.

Additional Resources

• Computer Networks Playlist - on my Brief channel
• Official Scapy documentation

If you're a developer (or an aspiring one), you'll likely use the internet every day. So you should learn a few useful networking commands.

To learn networking in Linux, you should also know how to use the Terminal. Because using terminal commands is way more powerful than using the UI. It'll also be faster and more efficient.

Prerequisites

A basic understanding of the Linux terminal is enough to learn networking in Linux.

How to Find the IP Address of Your Machine

This is the most basic question in networking and it's the starting point of learning networking.

But, Wait.

What's an IP Address?

IP stands for "Internet Protocol," which is the protocol (set of rules) governing how data are sent via the internet or a local network.

An IP address is basically a unique address to identify a device on the internet or on a local network.

Ok, now that we know what an IP address is, let's continue.

Being a professional web developer, I work on developing websites along with their backend services.

One day an intern asked me some questions about an interesting project he was working on. He wanted his site to be responsive on desktop, mobile, and tablet.

Though the site looked responsive, once I adjusted the browser window and switched to the mobile view on his laptop, the outcome on the phone after deployment was not so impressive.

So, he asked me for help,

"I wanted to check the site's responsiveness with my mobile in development mode. Is it possible?" he asked.

"Yes, it is. Connect your laptop and mobile on the same network. Find your laptop IP, and navigate to ip:<server_port> on your mobile browser", I replied.

So he opened a new tab in the browser and started typing "https://whatismy...", I stopped him and asked what he was searching for.

He told me he was finding his IP address.

"Use ifconfig command to find the IP address of your machine", I replied.

He opened up the terminal and tried out the command, like this:

ifconfig

Sample Output of the ifconfig command

"Oh, Man! I'm confused now. Which is my IP here?", was his next question.

So I explained to him about each block in the above output:

Before walking into each block, you can find that few items are common for all blocks. Let's learn about them.

Characteristics of Network Interface

The first line shows UP, LOOPBACK, RUNNING, NOARP, MULTICAST, etc. These are the characteristics of the network interface. For example, able to do BROADCAST, able to do MULTICAST. By default, the ifconfig command lists only the UP devices. The interface can also made down.

What is MTU?

MTU stands for Maximum Transmission Unit. It determines the maximum payload size of a packet that is sent. The default standard value is 1500 bytes. However, you can increase the payload size of the packet, which allows you to send more data and increase the data transfer rates.

inet row in ifconfig

inet is the internet(IPv4) address assigned to that particular interface. It will be set by DHCP client.

A Netmask is a 32-bit "mask" used to divide an IP address into subnets and specify the network's available hosts.

Broadcast address refers to all hosts on the specified network simultaneously.

Destination adress is the address of the remote host at the other end of the point-to-point link.

inet6 is the IPv6 address assigned to that particular interface.

prefixlen is called Prefix length which specifies the number of bits in the IP address that are to be used as the subnet mask.

scopeid is a id assigned for a zone. A scope is a topological area within which the IPv6 address can be used as a unique identifier for an interface or a set of interfaces.

RX and Tx

Rx / Tx packets – displays the number of received / transmitted packets
Rx / Tx bytes – displays the packets size in buckets
Rx / Tx errors – displays the amount of error packets
Rx / Tx drop – displays the amount of dropped packets
Rx / Tx overrun – displays the amount of overrun packets

All the items mentioned above are self-explanatory except overrun. Here's a quick definition of overrun.
An overrun is a packet that does not get sent out during a specific polling cycle. This is due to scheduling. It does not indicate a failure of the packet, merely that it was not sent. Overrun packets are re-scheduled for the next cycle, but it is possible that the same packet may be overrun once more.

Let's explore what's each block for.

The first block starting with enx... (previously called eth0) is for Ethernet connection. Since, I have not connected an ethernet cable, it does not show any data.

Ethernet block in ifconfig command

The block starting with lo is called LoopBack Interface. This is a special interface that the system uses to communicate with itself.

LoopBack Interface block in ifconfig command

The block starting with tun0 is called Tunneling Interface. It contains information about the VPN you are connected to.

Tunnel Interface block in ifconfig command

The block starting with wlp2s0 is called Wireless on PCI. This is the main interface that is connected to the WIFI of your Local network.

Wireless Interface block in ifconfig command

If you're connected to your Wifi, you have to use the last one.

How to Download a File Using the Linux Terminal

One fine day my boss sent a bunch of downloadable links to me and asked me to download and wrap them in a Zip file and send it back to him.

I thought it would be easy work, but then I realized that it had 100+ downloadable links 🥲.

Activating Zen mode, I started searching for a way to automate this. This is when I found out about the wget command. You can use this terminal command to download a resource from a link.

The wget command is highly flexible and you can use it in scripts and cron jobs. As wget is non-interactive, it can independently download resources in the background and does not require a user to be active or logged in.

The following command will download an image from the w3schools website, as an example, in your current folder:

wget https://www.w3schools.com/html/img_chania.jpg

Command to download file using Linux Terminal

You can pass another argument to specify the destination folder where the file should be downloaded, like this:

wget https://www.w3schools.com/html/img_chania.jpg /home/user/downloads/pics/

I wrote a script to download all the files using the wget command and handed them over to my boss in just 15 minutes. He was pretty amazed.

How to Find Out if Your System is Connected to the Internet Using a Terminal Command

You've likely faced this issue at least once in your lifetime.

My Laptop is connected to wifi. But why I'm not able to access the internet whereas the people around me can?

By default, most people typically try to disconnect and re-connect to the same or a different wifi network. 99% of the time this won't work, and you'll end up facing a "Hmm. We’re having trouble finding that site." message in Firefox, or "No internet" with a dinosaur game in Chrome.

This is when you just need to be patient to figure out the issue. You need to discover whether it's an issue with your system or your browser. You have to figure out if you're able to access the internet without using a browser.

You can achieve this by using the ping terminal command. It looks like this:

ping google.com

Sample output of ping command

You can use the ping command to check your network connectivity. This command takes the URL or IP address as an argument and sends data packets to that specified address. Then it prints the response from the server with the transition time. It will print the response continuously until you cancel that process (with CTRL + C). Finally it will return the following details:

1. Minimum Time taken to receive a response
2. Average Time taken to receive a response
3. Maximum Time taken to receive a response

We can specify the number of packets to send using the -c flag, like this:

ping google.com -c 10

And we can specify the packet size also using the -s flag:

ping google.com -s 40

We can also specify the next request time using the -i flag:

ping google.com -i 2

and many more.

After executing the above command, hopefully you should be able to find if your system is connected to the internet. Most probably, your browser will be the culprit. Reinstalling the browser will fix this issue.

How to Find the IP Address of a Website

Before we move on, you should be able to answer the following:

What is a DNS?

DNS stands for Domain Name System. Every website we use has a domain (for example google.com or freecodecamp.org). Each of these domain names will point to particular IP address of a server. DNS is basically a system that has a table that maps each domain with the IP address.

Now it's time to move back on track and learn how to find the IP address of a site.

nslookup (stands for “Name Server Lookup”) is a command to query the DNS server. It is a network administration tool for querying the Domain Name System (DNS) to get the domain name or IP address mapping or any other specific DNS record. System Admins and DevOps use it to troubleshoot DNS related issues.

Here's how to use it:

nslookup google.com

Sample output of nslookup command

How to Know Which User is Logged-In

Linux supports multiple users and lets you manage those users. Each time you can log in as a different user. And you can use the who command to know which user you have been logged in as.

who

It looks like this:

Terminal command to find Logged-In user in Linux Terminal

Conclusion

In this article, you have learned some basic networking commands in Linux.

You can subscribe to my newsletter on my personal site to receive more such insightful articles straight to your inbox. You'll also find a consolidated list of all my blogs.

How Classic Ethernet Works

Before describing the network devices, consider a network without special network devices. That is, a network using classic Ethernet where all computers are attached to a single cable.

_Four devices connected using classic Ethernet (Source: Brief)_

In this case, if computer A sends a message to another computer, for instance – B, the message is sent over the shared cable, and all devices receive it.

_With classic Ethernet, If A sends a message to B - all devices (except for A) receive this message (Source: Brief)_

Can you think of some problems with this network structure?

First, overload – all network frames are received by all computers. Let’s say A wants to send a frame to B. C also sees this frame, and has to realize that it is not destined to his address, and thus discard it. This process takes time and resources. The same process happens at machine D, of course.

Second, privacy – if C sees every message sent from A to B and vice versa, this means that the privacy is violated. We would rather have a network where only A and B see the messages sent between them.

Third, extensibility – this network is not really extensible. Assume that up to 10 computers can attach to this cable. What happens when you need to add one more computer? You'd have to replace the entire cable. This is expensive and inconvenient.

Well, the person who actually has to replace the cable is probably the I.T. person - you know, the one who makes sure that everything runs well in your network and is rarely noticed until something bad happens (at least when you work in an organization large enough to have I.T. people).

Just to be clear – we LOVE the I.T. person. We want their life to be good, we don’t want them to be running around buying cables all the time.

Fourth, collisions – let’s say A wants to send a message to B, and C wants to send a message to D. At the same time, both of them might start their transmission, and the messages will collide.

In this case, we get errors – much like the case where two people start to speak at the same time, and it is impossible to understand either of them.

Fifth, this network structure might lead to starvation – let’s say that A is transmitting a frame. If the other stations wish to avoid collisions, they will refrain from sending data. But now, machine A can keep on transmitting forever, thereby taking all the bandwidth to itself and not letting any other station speak. This is called starvation.

_Five major problems with classic Ethernet networks (Source: Brief)_

Well, this doesn’t seem like the best network, does it?

We'll now get to know network devices that help deal with these issues.

How Network Devices Solve These Problems

What is a Hub?

One device that solves only the extensibility issue is called a Hub. A hub is a device with multiple ports that single Ethernet cables are connected to:

_An Ethernet hub is a device with multiple ports, each connected to a single Ethernet cable (Source: Brief)_

So now, instead of having one cable with multiple ports with many computers attached to it, we have instead a single hub, and each computer is connected to it via a single cable. This makes the I.T. person's life much easier.

The hub simply takes the pulse it receives and multiplies it – that is, sends it to all other ports. For example, if A sends a frame to B, the hub will send this frame to B, C and D – all ports except A’s port.

The hub doesn’t understand Ethernet, and doesn’t know anything about MAC addresses. For the hub, all bits are just bits transmitted over the wire, and these bits should get to all other ends.

_A hub simply takes a bitstream and multiplies it to all ports but the source port (Source: Brief)_

Now, if you need to add a new computer to the network, you can simply connect it to the hub.

_To add a new device to the network, we simply connect it to the Hub (Source: Brief)_

What happens if the hub runs out of ports? No problem, we will connect it to another Hub, like so:

_In case you run out of ports, you can add another Hub (Source: Brief)_

Nice! This is a lot easier to maintain than classic Ethernet.

Yet, at least with classic hubs, all other issues still remain. Since all computers receive the frame sent from A to B, there is no privacy, the network is overloaded, collisions may occur, and the network is prone to starvation.

What we really want is a device that, when A sends a frame to B, forwards that frame to B and only B. This device is called a switch.

What is a Switch?

If all the stations are connected via a switch, and A sends a frame to B, only B receives it.

_With a Switch, if A sends a message to B - only B will receive it (Source: Brief)_

Notice that this means that all issues are indeed solved. The devices won’t be overloaded as every frame will get only to the relevant recipients. There are no privacy issues since, apart from the switch, only A and B see the frame. The network is easily extensible by plugging additional switches if needed.

_Similar to working with Hubs, the network is easily extensible by adding multiple Switches (Source: Brief)_

The switch can avoid collisions as every connection between a switch and an endpoint is a single collision domain – that is, the switch will refrain from sending more than one frame on a single wire at the same time.

_Every connection between the Switch and another device forms an independent collision domain (Source: Brief)_

Similarly, there will be no starvation as B and C can communicate with one another while A is sending data. Even if A keeps sending frames destined to the entire network, that is the broadcast address, the switch can allow messages sent by other hosts to be transferred in between.

But, how can this magical switch operate?

Let’s say we have just bought a brand new switch and plugged it into the network. A sends a frame destined to B. How does the switch know where computer B resides?

One option would be to manually configure the switch. That is, have a table mapping between a MAC address and the relevant port, and have someone manually configure that table.

_The Switch may hold a table mapping MAC addresses to physical ports (Source: Brief)_

When we say someone, we usually mean the I.T. person. And, well, we LOVE I.T. people. We wouldn’t want to make them do this tedious job every time.

In addition, I don’t know about you, but most people don’t usually have an I.T. person at home for every time they plug a device into their network.

Another option would be to send a special message from the switch to every port, and then the endpoints will reply with their MAC addresses. The major downside here is that we now have to make all devices aware of the switch. We need to change the devices’ behavior so they reply to that special message.

It would be so much better if the switch were just transparent – no endpoint would need to know that it’s there, but it would still do the job.

Apparently, this can indeed be achieved!

Consider this network, with a brand new switch that has just been added to the network. The switch stores a table, mapping a MAC address to a physical port. This table is empty.

_When a Switch joins a new network, the table mapping MAC addresses to physical ports is empty (Source: Brief)_

Now, A sends a frame to B.

The switch understands Ethernet, and can look at the Frame’s header and read the source address. Since this source address maps to “A”, and since the message has been sent from physical port number 2, the switch adds the mapping of A’s MAC address and port number 2 to its table.

_When machine A sends a frame, the Switch inspects the frame, reads the source address, and maps it with the corresponding physical port (Source: Brief)_

But what will the switch do with the frame? Well, for now, the switch doesn’t know where B resides, so the switch simply multiplies the frame and sends it to all ports, just like a hub would do. So for now, B, C and D all get the frame.

_Since the Switch's table doesn't include a record for B, a frame destined to B is actually sent to all ports but the source port - the same as a Hub would do (Source: Brief)_

Next, A sends another message to B. The switch looks at it, and already knows that A’s MAC address is plugged to port number 2. It still doesn’t know B, so this frame is sent to all other ports as well.

Now, C sends a frame to A. The switch looks at the source address, and adds the mapping between C’s MAC address and port number 5 to its table.

_Upon receiving a frame from C, the Switch parses its header, extracts the source address, and associates it with the corresponding physical port - port number 5 (Source: Brief)_

This time, since the frame is destined to A’s MAC address, and since the switch knows that address – the frame can be forwarded to port number 2, and port number 2 only. Yay! 👏🏻👏🏻👏🏻

Now, B sends a message to C. The switch creates a mapping between port number 7 and B’s MAC address, which appears at the source address field.

_The Switch keeps on learning the addresses gradually, filling in its internal mappings (Source: Brief)_

The switch can also forward the message to C, as it already knows C's address.

So, in general, the switch uses the source address field of Ethernet frames to dynamically learn what addresses reside behind every port.

Now, a question for you: Is it possible for two different addresses to map to a single port? For example, to have the address of computer A map to port number 3, and also have the address of computer B map to port number 3? 🤔

Well, the answer is yes. Consider the following network:

_A network diagram with five endpoints and three Switches (Source: Brief)_

Now, given that the switches know the network, when A sends a message to D, it will be sent to Switch 1, and then to Switch 2, and finally forwarded by Switch 2 to D. When Switch 2 sees the frame, what address does it see in the source address field?

The address of computer A, of course. Notice that switches are transparent, and never modify the MAC addresses. So Switch 2 learns that the MAC address of computer A resides behind port number 3.

Next, when computer B sends a frame to computer C, this message will also be transferred via switch 1 and then switch 2. So now, switch 2 learns that the MAC address of computer B resides behind port number 3 as well. So, in this case, both the MAC address of A and that of B reside behind port number 3.

_Given this network diagram, switch 2 registers both the MAC address of A as well as that of B - with port number 3 (Source: Brief)_

NOTE that a switch is not an additional hop! We are not talking about routing here. As we’ve said earlier, a switch is a transparent device. From the endpoints’ perspective, there is no switch – A “feels” as if it were directly connected to B, C and D.

All devices that are connected via one hop are said to be in the same network segment. So here, all computers and switches – A, B, C, D, switch 1 and switch 2 – all reside within the same segment.

In the resources section below, I’ve added a link to an exercise about hubs and switches. You are welcome to solve it in order to make sure everything is clear. If you have any questions, feel free to reach out 😊

Interim Summary

So far you learned about two network devices. First, a hub, which is basically a first layer device. That is, it only transmits bits from one port to other ports, without understanding any protocols.

Second, you got to know a second layer network device, namely a switch, which already "understands" the Ethernet protocol and MAC addresses. It uses that knowledge in order to transfer frames only to relevant ports, at least once it knows the network.

Security Twist 😈

Now that you understand how hubs and switches work under the hood, it's time to consider their security implications.

Assume that I am connected to a certain Ethernet segment, and you run on computer A. B sends a message to C. Is it possible for you to see that message?

_Four PCs, B is sending a frame to C (Source: Brief)_

In case the computers are connected via a hub, you certainly will see the message, as the hub simply forwards the frame to all ports (except for the source port) regardless of the destination address.

_A hub would simply multiply the frame and send it to A, C and D (Source: Brief)_

Furthermore, if the computers are connected via a switch, but the switch has not yet learned the address of the destination, this message will also be sent to your port – and, in general to all ports other than the source port, just like a hub would act.

_A new switch acts just like a hub until it learns the destination address (Source: Brief)_

So, in these cases, your network card will receive the frames, but will it handle them?

As I covered in a previous tutorial, the first field of an Ethernet frame is the destination address. By default, the network card will discard frames that are not destined to its address, or to a group which its system belongs to, such as the broadcast address.

_Ethernet frame structure - the devices first consider the destination address (Source: Brief)_

So, by default, if your network card happens to receive a frame that was not destined to it, the frame will be discarded. This is exactly where promiscuous mode comes in handy. When the network card is in promiscuous mode, it will not discard frames based on their destination MAC addresses.

Now, consider a network with a switch, and that switch has already learned all addresses of the network, thereby achieving privacy.

Let’s say that a malicious person works from computer C, and wants to see the communication being sent to computer B, even though the switch forwards those frames to B only.

_A network with a switch that has already learned the MAC addresses and their corresponding ports. Can a malicious person see private communication? (Source: Brief)_

Can the malicious person do something in order to steal the data?

Well, the malicious person can pretend that they have B’s address. That is, the malicious person will send a frame with the source address of B. It doesn’t really matter what the destination address of that frame would be.

_The malicious person sends a frame and impersonates B by specifying B's MAC address as the source address of the frame (Source: Brief)_

Now, the switch sees a frame being sent from B’s address and from C’s port, in our diagram, port 5, and changes the mapping of B’s address to port 5.

_As a result, the Switch changes the port associated with B's address (Source: Brief)_

As I mentioned earlier, it is indeed possible to have two different MAC addresses map to the same port number (for instance in case of an additional switch that connects the devices that have these addresses). But it is not possible to have B’s address mapped to two different ports.

_As far as the Switch is concerned, B and C may indeed both be attached to it via port 5, perhaps through another Switch (Source: Brief)_

Now, if A sends a message to B, it will actually get to C, but not to B! 😨

This technique is called MAC SPOOFING. The malicious entity is said to spoof B’s MAC address.

Is this technique very useful for the attacker? 🤔

Well, not really. Once B sends any frame at all to the network, the switch will replace the entry for B’s MAC address to that of the correct port number. So, for the attacker to keep receiving data, they will have to keep sending more frames on B’s behalf, thereby causing the switch to rewrite the table entry again and again.

This way, C will send a frame using B’s address, and the switch will map B’s MAC address to C’s port. Then, B will send a frame, and the switch will map B’s MAC address to B’s port again.

_Once B send any frame, the Switch will overwrite its entry and the original value will be restored (Source: Brief)_

Hence, B will receive some of the traffic, and this attack is easily noticeable.

There are many ways to defend a switch from such attacks. One would be to set the port with a maximum number of MAC addresses that are attached to it. For instance, if no other switch is supposed to be connected to a certain port, the maximum number of linked MAC addresses can be set to one.

How cool is that?! By understanding how a switch operates, we are able to estimate security issues that stem from its way of operation, as well as relevant countermeasures. 🤯

Conclusion

In this post you learned about two important network devices, a hub and a switch.

You learned that a hub simply multiplies the bitstream it receives to all ports other than the port that received the bitstream, whereas a switch forwards the frame only to the right port (once it has learned the network). You also learned how switches are able to achieve this ability automatically.

Lastly, you learned about a security problem that arises from the way switches operate, and how it may be mitigated.

About the Author

Omer Rosenbaum is Swimm’s Chief Technology Officer. He's the author of the Brief YouTube Channel. He's also a cyber training expert and founder of Checkpoint Security Academy. He's the author of Computer Networks (in Hebrew). You can find him on Twitter.

Additional Resources

• Computer Networks Playlist - on my Brief channel
• A DIY exercise about Hubs and Switches

When dealing with Computer Networks, there is one framework that puts everything into place – and that is the layers model.

In this post you'll learn why we need layers, as well as what the five layers model is. You will also understand the role of each layer in this model.

Why Layers?

Imagine you are given the task to design and implement the Internet! Where do you start? What do we actually want from a network, and an important one such as the Internet?

Well, we actually want quite a lot of things. To name a few:

• We want it to be fast – that is, allow fast communication. We don’t want to wait long for a message to get from one host to another.
• It should also be reliable – when sending a message, we want the receiver to actually receive it.
• The network should be extendable – that is, allow more devices to join. We wouldn’t want to start with two computers, and then not bee able to add a third one.
• The network should support different devices and connections – it should be able to connect a wired PC, wireless laptop, and a cellphone, for example.

And this is just a partial list.

So, how do we go about implementing the internet when we want to achieve so many different things?

Computer Networks are complex (Source: XKCD)

In order to simplify things and make networks flexible, the communication is divided into layers.

Each layer has its own responsibility. It provides services to an upper layer, and uses services provided by a lower layer.

Consider an example network consisting of three devices:

_An example network with three devices (Source: Brief)_

We have two layers:

Layer Alpha is responsible for transmitting data between hosts that are directly connected to each other. In the diagram above, it's between hosts A and B, or between hosts B and C.

Layer Beta is responsible for transmitting data between distant hosts. In the diagram, it's between hosts A and C.

What did we gain from this division? We gained a lot of flexibility.

Each layer can be developed and implemented by different people. The upper layer doesn’t care about the implementation of the lower layer, and vice versa.

For instance, the connection between hosts A and B could be a WiFi connection, while the connection between B and C could consist of a carrier pigeon. These are (completely) different implementations of Layer Alpha.

Notice that this way also enables us to have different specializations and expertise – an expert in training carrier pigeons does not necessarily have to be qualified at building solid WiFi network cards, or vice versa.

_The Alpha Layer may have different implementations on the same network (Source: Brief)_

Developers of Layer Beta don’t need to bother themselves with this difference. At this layer, host A needs to know that in order to reach host C, it first needs to send his message to host B, rather than, say, host D. Then, host B will forward it to host C.

This way, Layer Beta is only responsible for finding the route to send the message. It uses the service provided by Layer Alpha – transmitting data between directly connected hosts.

In general, networks are very complicated, and have various requirements. Dividing the communication into layers will allow us to simplify things and make communication more flexible.

Now that you understand why we need layers, we can go on to learn about the layers that are actually used in networks.

What is the Five Layers Model?

There have been a few layer models proposed along the years – most notably, the five layers model, the 7 layers model (aka OSI model), or the 4 layers model (aka the TCP/IP model).

They are way more similar than different, and I choose to focus on the five layers model as it is the most practical of all – and best describes the way the Internet actually works.

The First Layer – The Physical Layer

The first layer is responsible for transmitting a single bit – 0 or 1 – over the network.

To get some intuition as to what this layer is responsible for, consider the time of transmission. Assume that we have some kind of cable to transmit our data, and we use +5 Voltage to transmit 1, and -5 Voltage to transmit 0. What bits does the following diagram represent?

_A physical layer implementation encoding 1 as +5 Voltage and 0 as -5 Voltage (Source: Brief)_

Well, it might be 1001. That is the case if it takes this long to transmit a single bit (demonstrated by the dashed orange line in the diagram below):

_An example bitstream encoded by this signal (Source: Brief)_

However, it might also represent other bit streams. For instance, if it only takes half the time to transmit a single bit (demonstrated by the dashed green line below), then the bit stream might be 11000011:

_Another possible bitstream encoded by the same signal (Source: Brief)_

The difference lies in the time dedicated for transmitting a single bit. This is called the bitrate – that is, the number of bits that are conveyed per unit of time.

Of course, achieving a high bitrate is preferable, as it means we can send many bits in a short timeframe. But it is hard to achieve high bitrates without getting many errors.

This is only one of the things that the first layer needs to take into consideration. The important thing for now is the goal of this layer: to transmit and receive a single bit.

The Second Layer – The Data Link Layer

The second layer is responsible for transmitting data between two hosts that are directly linked, despite possible errors.

What do we mean by “directly linked”? For now, imagine that there is no device in between the two devices. So, if we have two computers here – computer A and computer B, and they are connected via computer M – then computer A and computer B are NOT directly linked. But computer A and computer M are directly linked, and so are computer M and computer B.

_Two remote hosts connected via another device (Source: Brief)_

Another way to put it is that computer A and computer M are one hop away from one another, whereas computer A and computer B are two hops away.

That is, in order to get from computer A to computer B we need two “hops” – one hop from A to M, and another hop from M to B.

_Every direct connection is called a Hop (Source: Brief)_

Going back to the second layer's responsibility – we mentioned it is responsible for transmitting data between two hosts that are directly linked, despite possible errors.

What do we mean by errors? The physical layer might provide erroneous data. For example, 1 instead of 0. So a stream of bits such as 000110, might be received as 001110.

Many reasons might cause these kind of errors. For instance, we can think of a truck literally running over the wire where the bits are transmitted, causing some problem. Regardless of the reason, the second layer must handle the communication despite these errors.

The second layer sends data in datagrams, that is, in chunks. Datagrams in this layer are called Frames. Frames will usually contain MAC addresses, which are physical addresses, one identifying the sender, and another identifying the receiver.

Why would we need a MAC address?

First, the receiving devices would like to know whether the frame is intended for them. The receiver wouldn’t like to waste precious time reading data intended for someone else. If the frame contains a MAC address that doesn’t belong to a receiver's device, that device can simply ignore this frame.

Second, for privacy reasons - we would like messages to arrive only at intended receivers, so only they can read the data.

Third, the sender would like the receiver to know who sent the frame. That way, the receiver will be able to send their response back to the sender, and not to someone else.

Note that we would like these addresses to be unique. That is, we want one address to identify a single device. That way, we know that if we send a message to a specific address it will be sent to the intended device only.

The Third Layer – The Network Layer

The third layer is responsible for routing – that is, determining the path where the data will “travel”.

You can think of this layer as the successful routing app, Google Maps. When you get in the car and use Google Maps, you tell the app your destination, and Google Maps finds out the best route for you to drive in.

Notice that Google Maps is dynamic – it won’t necessarily pick the same route each time. Sometimes, one path will have a traffic jam, so Google Maps will prefer another route.

We said that the second layer has physical addresses, called MAC addresses. The third layer is responsible for logical addresses, such as IP addresses.

In this layer, datagrams are called packets.

Consider the following network diagram:

_A network diagram with Computer A in France, Computer B in the US, and 10 routers in between (Source: Brief)_

We have two computers here – one in France, and one in the United States. Of course, they are not directly linked. Rather, they are linked via third layer devices called routers.

Which layer is responsible for each connection?

Consider the connection between Computer A and Router 1. The second layer is responsible for this connection. What about the connection between Router 2 and Router 5? Right, again, this is the second layer. The same applies for each connection between two directly linked devices.

The third layer is responsible for defining the route – that the message sent from Computer A to Computer B will go through Routers 1, 2, 5, 8 and 10, and not in another way.

Note that there may be different implementations for each layer. For instance, we may have different implementations of the second layer. So while the connection between computer A and Router 1 might be over an Ethernet cable, the connection between Router 1 and 2 might be wireless and use WiFi. The connection between Router 2 and Router 5 might use a carrier pigeon, while the connection between router 5 and 9 will also use WiFi.

_The second layer may be implemented differently on every link (Source: Brief)_

The third layer does not care about these changes, but the second layer definitely does. If the carrier pigeon that transmits data from Router 2 to Router 5 is sick, the second layer will have to handle it. The data link layer will also have to make sure the data transmitted over the air between routers 1 and 5 is valid and without errors.

Interim Summary

So far we have covered three of the five layers. To recap:

• The physical layer is responsible for transmitting a single bit, 1 or 0, over the network.
• The data link layer is responsible for transmitting data between directly linked devices, that is – devices connected via a single hop.
• The third layer is responsible for transferring data between hosts that are connected via multiple hops. It determines the route, the path that the packets will travel.

The Fourth Layer – The Transportation Layer

The fourth layer is an end-to-end layer. That is, it is responsible for communication from the source, all the way to the ultimate destination.

It allows multiplexing of multiple services. For example, one server may serve as a Web server, as well as a Mail server. When a client turns to that server, the client should be able to specify which service it would like to access. While the third layer specifies the address of the server, the transport layer identifies which service is relevant for the current communication.

In addition, the transport layer may ensure reliability. So when this layer receives data from the upper layer, it splits it into chunks, sends them, and makes sure that all those chunks arrive correctly at the other end.

Notice that the network layer is usually not reliable. Packets may arrive in incorrect order, they can arrive with incorrect data, or even not arrive at all. A reliable transportation layer makes sure that the data is correctly received.

In this layer, datagrams are called segments.

Consider the following network diagram once more:

_The network diagram again (Source: Brief)_

Which layer is responsible for what?

We have already said that the network layer is responsible for the route, that is, the path in which the packets travel. We also mentioned that the second layer is responsible for the transmission of the data between two, directly connected devices. For example, the link between Router 1 and Router 2.

The fourth layer views all of this network diagram as an abstract cloud. It doesn’t know the routers, and it doesn’t care about the structure of the network, or the routing. It assumes that the network can send a packet from one end to another:

_The fourth layer sees the network as an abstract cloud (Source: Brief)_

The transportation layer makes sure that the endpoints can communicate over different services – for example, web and email. In addition, it might make sure that the connection is reliable.

One example would be to acknowledge every received segment. For instance, when computer A sends a segment to computer B, computer B will send a special Acknowledgement segment, announcing that it has received the packet.

The Fifth Layer – The Application Layer

Last but definitely not least, we have the fifth layer, or Application Layer. This layer provides the service to the user’s application – web service, Voice over IP (VoIP), network games, streaming, and so on.

According to the layers model, the fifth layer doesn’t care at all about the network. It relies on the fourth layer, as well as the lower layers, to transmit the data from one endpoint to another. The fifth layer will use this service for the various needs of the application.

Different protocols will be used for different applications. For instance, HTTP protocol is commonly used for serving web pages on the World Wide Web. SMTP is a protocol used for emails, FTP for exchanging files, and there are many, many more.

What is Encapsulation?

The goal of networks is to transmit data from one host to another.

To achieve this goal, each layer adds its own header to the data. A header contains information specific for that layer, and it precedes the data itself.

Consider a case where we have a lookup service, used in order to find a person’s phone number, given the person's name. The data consists of the person’s first and last name.

Before the packet is sent, the fifth layer might add its own header, describing that this is a REQUEST packet. The header might also specify that this is a request to map from a person’s name to a phone number, and not vice versa.

_Header of the 5th layer, with data (Source: Brief)_

Then, the fifth layer passes the data to the fourth layer. Note, that the fourth layer regards everything as data – ones and zeroes. It doesn’t care if the fifth layer added a header, or what is written inside that header.

The fourth layer then adds its own header. For instance, it might specify that the requested service is the names-and-phones service. It may also include a sequential number for the packet, so it can be identified later.

_Header of the 4th layer, with data which includes the 5th layer's header (Source: Brief)_

Afterwards, the fourth layer will pass the packet to the third layer. Again, the third layer will regard everything it has received – including the data itself, the header added by the fifth layer, and the header added by the fourth layer – simply as a chunk of data.

Then, the third layer will add its own header. For instance, it may include the source address and destination address of the packet.

_Header of the 4th layer, with data which includes the 4th layer's header and data (Source: Brief)_

This process goes on. So, each layer adds its own header to the packet. This process is called *encapsulation.

On the other end, the receiver gets the packet and needs to read and remove the headers.

• The second layer may also include a trailer – an additional chunk of bits following the data, with some information.

Putting it All Together

Now that we have covered the five layers, let’s have one example using all of them together.

Let’s say we would like to send a video file to our friend who lives in France, while we are enjoying a trip in Argentina. For that, we are using an email service.

The fifth layer defines how the email will be transmitted. For example, it includes the email address of the sender, as well as the receiver. It contains a title, and the body of the message. It requires that we follow a specific template of an email address, that will be included in the header of this layer.

_The five layers model, with an example of sending an email (Source: Brief)_

Then, the fifth layer uses the fourth layer in order to split the email into chunks. Of course, each chunk will also carry the fourth layer's header. It is also used in order to specify that we are currently using an email service.

In this case, we definitely want the connection to be reliable – so the receiver will be able to play our video file correctly. Thus, the fourth layer will also handle reliability. On the receiver’s end, it might send an acknowledgment packet for every packet it receives.

The third layer will define the best route for every packet to be sent. It might choose different routes for different packets. Among other things, its header will contain the source and destination addresses for the packet.

The second layer will be responsible for every link between two directly connected devices. Its header will include the MAC addresses for each device.

The first layer is responsible for encoding all the ones and zeros, and to pass them over the line. And then, decoding and reading those ones and zeroes on the other end. On this layer, we don't really have a header, as it consists of single bits only.

This way, every layer uses the services provided by the lower layers, and the huge problem of transmitting data over the network becomes doable. How amazing is that?

Summary

In this post you learned what the five layers model is and why we need layers. You should now understand what each layer is responsible for, and you can fit every topic you encounter in Computer Networks into this model.

About the Author

Omer Rosenbaum is Swimm’s Chief Technology Officer. He's the author of the Brief YouTube Channel. He's also a cyber training expert and founder of Checkpoint Security Academy. He's the author of Computer Networks (in Hebrew). You can find him on Twitter.

Additional References

• Computer Networks Playlist - on my Brief channel.
• The Seven Layer model explained in plain English
• The TCP/IP model – layers and protocol explained

And even if you’re a beginner and just getting started in web development, you might have seen the number “127.0.0.1:” while using a live server plugin.

You might be using it to test websites and web applications locally without knowing what exactly it is. Well, “127.0.0.1” is localhost and “localhost” is “127.0.0.1”.

In this article, you will learn what localhost is alongside its corresponding IP address, “127.0.0.1”.

What is Localhost?

In computer networking, host means a “server”. Just like you can put a website on the internet by hosting it on a server, you can make your own computer that server. This connection is called loopback. The IP address for that loopback is 127.0.0.1.

If you’ve put a website on the internet before, then you’ve dealt with hosting companies like Heroku, Hostinger, Netlify, and many others. These are what I refer to as “remote hosts” or virtual servers.

If you’ve served a website on your computer so you can test it without connecting to the internet, what you’re dealing with is a localhost.

So, by definition, localhost is the computer or hostname currently making a request to itself. In this case, the computer is also the virtual server.

What is the IP Address 127.0.0.1?

If you want to visit a website, you type the website address to your browser’s address bar, for example, https://freecodecamp.org.

The Domain Name Server (DNS) matches the address to a numeric IP address corresponding to that name. In the case of freeCodeCamp, this IP address is 104.26.2.33. This is how it is done for every website you visit.

Localhost is not an exception to this. So, if you type localhost to your browser’s address bar, it transforms to the IP address 127.0.0.1.

This 127.0.0.1 IP address is reserved for local servers on computers, so you will never find another IP address that starts with 127.

But localhost: what? Or 127.0.0.1: what?

Unlike HTTP and HTTPS which are protocols, localhost is a hostname. Remember that the website domain name is what follows the http or https, for example, https://www.google.com/ and https://www.freecodecamp.org/. So, something has to follow localhost: and 127.0.0.1:. That thing is the port number.

For example, in an Express app, that port number is the port variable you set. Something like this:

const port = 4000;

So if you type localhost:4000 in the browser address bar and hit ENTER, the web application you’re currently making will be served to you:

Also, if you type 127.0.0.1:4000, you will get the same response:

If you use the live server extension of VS Code, it uses a port 5500 attached to 127.0.0.1, followed by the filename:

Conclusion

I hope this article has helped you learned more about localhost, what its IP address is, and how it works to serve websites for local testing.

And yes! There’s no place like localhost. Properly put, “there’s no place like 127.0.0.1” :).

Keep coding…

Thanks to Bartosz Cytrowski for pointing out a key error regarding what localhost is. Your feedback improved the article!

Examples of TCP/IP networks are:

• HTTP (Hypertext Transfer Protocol).
• HTTPS (Hypertext Transfer Protocol Secure).
• FTP (File Transfer Protocol).

How Does File Transfer Protocol Work?

To transfer files between computers using FTP, you have to visit an FTP server (I'll explain what an FTP server is below).

Depending on the type of server you visit, you may be required to enter a username and password in order to access the files in the server. Server connections that do not require any sort of authentication before accessing the files are referred to as anonymous FTP.

When the user has successfully visited/logged in to an FTP server, they can either download or upload files on the server.

There are two general ways of gaining access to an FTP server:

• Through a web browser. You can do this by typing the address of the server in your browser. This address could look this: ftp.myftpfiles.com or https://www.myftpfiles.com. Once you are on the server, you can then interact with files uploaded to the server by the owner.
• Through an FTP client. We'll discuss FTP clients in the next section.

What Is an FTP Client?

An FTP client is software that creates a connection between the computer requesting access and the server where the files are stored.

There are numerous FTP client software available for use. They provide a graphical user interface (GUI) which we can interact with.

Below, we'll see what an FTP client looks like and how we can use it. We'll be making use of FileZilla.

In the image above, there are different text fields. The Host text field is where the address of the server is typed in.

The Username and Password text field are for servers that require authentication before granting access.

The Port text field is usually 21. This is a dedicated port for FTPs.

Once you've filled the necessary text fields, you can then click Quickconnect to connect to the server.

On the left side of the software is the local site which is my computer with a list of the existing directories.

On the right is the Remote site which is where all the information and files in a server will be shown.

What Is an FTP Server?

An FTP server is basically the computer where all the files are uploaded initially. Every server has an FTP address which a user can visit over a TCP/IP through a browser or an FTP client.

The server allows the visitor to download and upload files.

Are FTP Servers Secure?

Although a lot of FTP servers require authentication, they are not secure as the protocol lacks encryption. This makes it more likely that the files stored on an FTP server could be accessed by a third and unwanted party.

The most preferred and more secure protocol to FTP is the SFTP which stands for Secure File Transfer Protocol. Just like HTTP and HTTPS.

SFTP is more secure because the data stored on the server is encrypted.

Other alternatives include:

• FTPS (File Transfer Protocol Secure).
• HTTPS (Hypertext Transfer Protocol Secure).
• AS2 (Applicability Statement 2).

Advantages of Using FTP

Here are some of the advantages of using FTP:

• Faster transfer of files.
• Supported by numerous hosts.
• Supports transfer of large files.
• Ability to schedule transfers.
• Transfers can be resumed when interrupted.

Disadvantages of Using FTP

Here are some of the disadvantages of using FTP:

• FTP servers lack security.
• Major browsers like Chrome and Firefox no longer support FTP.
• User credentials and files are not encrypted.
• Some servers may contain harmful files.

Conclusion

In this article, we talked about the File Transfer Protocol which enables us to transfer files between computers over a network.

We saw what an FTP client and FTP server are. We also talked about why FTP servers are insecure and other secure alternatives we can make use of.

Lastly, we saw the advantages and disadvantages of using FTP.

Thank you for reading!

Network applications are computer applications that participate in a computer network. These applications talk to each other by plugging into the network.

For example, when you visit google.com, your browser acts as a network application that leverages the Internet to talk to the network application running on Google's computer.

Usually, the mechanics of this communication are abstracted away from an application developer.

On the surface, this communication might look like an Inter-Process Communication between two applications running on the same computer. But, network communication has a different set of challenges.

For example, communication can take an eternity in computer time. It takes 0.1337 secs (2 3.14 6400 / 30000) for light to travel around earth. Assuming a modest CPU that runs at 1GHz, it can perform 10^9 ops in 1 sec.

Suppose it takes a few ops for processes (running on the same machine) to communicate, roughly 10^-7 - 10^-8 secs. That translates to ~1 million times slower communication times with a computer sitting on the other side of Earth!

This article will look at how network applications talk to each other, specifically over the Internet. For a high-level overview of the Internet, see this article.

Introduction to Computer Networks

An additional complexity involved in network communication is the diversity of end systems out there (mobile phones, laptops, windows, mac). This complexity is managed by abstracting the differences and introducing a uniform set of rules called Protocols.

Protocols are the building blocks of communication between network applications. Some of the popular protocols include HTTP, TCP, IP, SMTP. Like how a human language (such as English) enables diverse people to communicate meaningfully, Protocols fill a similar gap in network communication.

Network communication is challenging due to the scale and uncertainty inherent in the network.

For example, links can be clogged, which results in the dropping of packets. One strategy to solve a complicated problem is to divide the problem into subproblems, solve the subproblems, and combine them to solve the original problem.

The Protocol Stack uses this idea to solve network communication.

Protocol Stack

Imagine you are building a website to sell pizza. When the user interacts with your website, the frontend needs to communicate with your backend server. Wouldn't it be nice if you could focus on building your online pizza store without having to worry about how that data is passed from the frontend to the backend server over the Internet?

The protocol stack takes care of the network communication for us. An application (frontend) uses the Application Layer to communicate with another application (backend).

The application layer uses the "services" provided by the Transport Layer to transmit information across the network. Transport Layer also uses services provided by the Network Layer to fulfill its service agreement.

In this way, the higher layer uses the services provided by the lower layers to communicate with other applications over the network. The Physical Layer constitutes the wires which carry the electrical signal.

In essence, the protocol stack contains various layers, where each layer focuses on solving part of the bigger problem.

Protocols describe the solution to the sub-problems, which gives us the name protocol stack. Generally, protocols define the rules of communication between two entities such as,

• Types of messages, for example, request and response messages
• Syntax of various message types such as fields in the messages
• The semantics of fields, that is the meaning of information in fields
• Rules for determining when and how messages are sent and responded to

Let's dive deeper into the protocol stack, starting from the top.

The Application Layer

Business applications use the Application Layer to communicate over a network. For example, placing an order on your online pizza store is done using the Application Layer. HTTP is one option to post the information on your backend server.

Application Layer Protocols define how applications running on different end systems pass messages to each other. In addition to the rules of communication (protocol), the applications also need a way to find each other, that is, to address each other. The address of an application is defined by:

1. IP Address: numerical label assigned to an end system
2. Port Number: an identifier that specifies the receiving process in the destination host. Port numbers are essential to account for multiple network applications running on a host. For example, two tabs in a web browser act as two different processes.

The address of an application defines its identity on the network, and the protocol defines the rules for communication. Together, these form the Socket address (protocol type, IP address, port number).

A socket is an interface between the application layer and the transport layer. It acts as an entry point into the network, that is an application sends messages into and receives network messages through its Socket.

In summary, applications talk to each other using Application Layer protocols. The Application Layer relies on the services provided by the Transport Layer to pass data between end systems. Pair of IP address and port number identifies an application. The information flows from an application into the network through its Socket.

Let's look at an example of two applications communicating over the Internet using HTTP.

HTTP is a popular application layer protocol. The communication is between my web browser and an application server (ilovecookies.com). When I enter this address in my web browser, it sends an HTTP request message to the application server.

HTTP request message sent by my web browser to ilovecookies.com server

A few things to notice about this request message:

• The type of request is GET
• The host it sends the message to is ilovecookies.com (human-readable version of IP addresses called hostnames)
• The source machine accepts specific response formats, languages, and so on.

This structure is part of the HTTP that defines communication rules between two applications. When the host application receives this message, it responds with a response message.

HTTP response message received by my web browser from ilovecookies.com server that contains the HTML for generating the webpage

We can observe that the response message contains protocol-specific data such as status code (200), content type, and so on and the HTML data (truncated to fit). The request-response pair constitutes the network communication between two applications that successfully lays out the webpage (ilovecookies.com) on my screen.

The Transport Layer

Next, let's go one level down the protocol stack and understand how the transport layer helps network communication.

The transport layer provides logical communication between applications running on different hosts: from an applications' perspective, it's as if the two hosts are directly connected. Note that the communication provided by the transport layer is logical and not physical: there's no direct link or wire between the end hosts.

The transport layer converts the application messages into smaller chunks, encapsulates each piece in a transport message containing headers, and passes the chunk to the network layer.

The reason behind breaking down information into pieces is efficient network utilization. The Internet is so vast that several parallel paths transmit data between two end hosts.

For example, there are two possible paths to travel between New York and Stamford. The Internet is a slightly extreme version of this idea.

Two alternative routes between New York and Stamford

The relative ordering of packets is a natural question around chunking and efficient network utilization: the chunks need to be put back in the same order at the receiving host. The transport layer in the receiving host is responsible for the stitching of pieces back in the proper order.

The transport layer also needs some additional data relevant to its functions. For example, relative sequence numbers are added to the chunks to stitch back the application message.

Another example of transport layer-specific information is the port number. On the receiving host, the destination port number is helpful to route the message to the correct application.

The Internet makes available two transport layer protocols:

• User Datagram Protocol (UDP)
• Transmission Control Protocol (TCP)

The two protocols vary slightly in the transport services they provide to the application layer.

The service requirements of an application govern what protocol you choose. For example, a payment system will need reliable communication (TCP), whereas a video streaming service might be okay with losing some information for faster streaming (UDP).

In summary, the transport layer splits the application messages into chunks and encapsulates them in messages containing transport layer-specific information. The pieces are put back in the correct order on the receiving system to recreate the message and passed to the appropriate application using the port number.

Let's continue the HTTP example communication between my web browser and application server.

TCP packet encapsulating HTTP request message and headers

You can observe the decoded bytes in the bottom right representing the HTTP GET request my browser makes for the application server. We see the HTTP request as a TCP payload field in this packet.

In addition, the packet is first in relative ordering with a sequence number of 1. It also contains the port number (65012) associated with the tab on my web browser and the destination port number (80) on the application server.

First (sequence number 1) and second (sequence number 1449 that starts at end of packet 1) TCP packets corresponding to HTTP response message received from ilovecookies.com server

The first two packets from the HTTP response (57 TCP packets) are displayed here. In the bottom right of both images, we can see the HTTP-specific information and some HTML corresponding to the webpage ilovecookies.com.

You can also see the transport layer-specific information such as the port numbers and the sequence numbers. Notice that the source and destination port numbers are flipped compared to the request message packets.

The Network Layer

In contrast to the transport layer, the network layer provides logical communication between two end hosts. Note the subtle difference between the transport and network layer services.

Left: logical communication provided by the transport layer, Right: logical communication provided by the network layer

The network layer takes a transport packet from the transport layer and encapsulates it in a network packet. The encapsulation is helpful to add information specific to the functioning of network layer protocol.

The network layer provides a best-effort service (timing, relative ordering, eventual delivery are not guaranteed) to move data between two hosts. The best-effort service is the motivation behind TCP. As the network layer protocols are inherently unreliable, TCP contains additional logic to ensure reliable data transfer.

The network layer is responsible for moving packets from a sending host to a receiving host. In addition to the end hosts, the network layer protocols also run on Routers, part of the network core. Routers are packet switching devices that are responsible for forwarding packets.

Left: packet switching device, Right: a small network consisting of 3 end hosts and 1 router connecting them together

Suppose end host 1 wants to send a packet to end host 2. End host 1 passes the packet to the router. The router looks at the information in the network packet and figures out that it needs to forward the packet on link 2, to which end host 2 is connected.

Every router has a forwarding table stored in RAM (built dynamically) to resolve the correct forwarding link for the packet. For example, the routing table for the above setup will look like this:

Routers use the information (destination host address) from the network packet to index (bitwise XOR) into this table. You can see the routing table on your computer by running the following commands:

Mac: netstat -nrf inet Linux: netstat -nr Windows: Get-NetRoute -AddressFamily IPv4

Notice a particular entry in your routing table, default or 0.0.0.0, called the default gateway. A packet is routed to the default gateway if none of the entries match the destination address.

The Internet contains tons of such devices which forward packets to enable logical communication between two end hosts.

As everyone shares the routers and wires carrying the data on the Internet, routers contain queues that hold incoming packets as outgoing packets are processed (/forwarded) by the router. Unreliability is introduced in the network layer protocols if the queues are full, which can get packed as the traffic increases.

The Internet network protocol is called Internet Protocol (IP). The major components of the Internet network layer are,

1. IP: defines addressing conventions (IPv4, IPv6), packet format, packet handling convention
2. Routing protocols: determine the path a packet takes from source to host
3. ICMP: facility to report errors in packets and respond to requests for certain network layer information

In summary, the network layer provides logical communication between two end hosts. Network layer protocols run on end hosts and network core devices such as routers. Routers forward network packets, which help form the logical communication between two end hosts.

Let's continue with our example of communication with ilovecookies.com.

We have seen that my web browser creates an HTTP request message (application layer protocol) and passes it down to the transport layer, which uses TCP protocol for end-to-end communication between my web browser application and a server application (ilovecookies.com).

An IP packet encapsulates a TCP packet

We can see that the network packet encapsulates the TCP packet, which encapsulates the application packet. The green highlighted text represents the contents of the network packet, yellow the transport packet, and the remaining text starting at GET is the application packet.

The network packet fields are relevant to its functioning. For example, the source address is my machines' IP address, and the destination address is the ilovecookies.com server address.

The encapsulation and the layer-specific information contained in the packets also relate to the idea of logical communication between hosts and applications running on them.

For instance, the network packet includes the IP addresses of the end machines, whereas the transport packet only contains the port numbers. The transport layer relies on the network layer to move data between the end machines. Once the data reaches the receiving device, the transport layer takes over and routes the packet to the correct application using the port numbers contained in the transport packet.

The Link Layer

Compared to the layers we have seen so far, the link layer has a narrower scope: it provides services to move packets over the individual links in the end-to-end path.

For example, links are the red dotted lines (see above illustrations). The link-layer enables the node-to-node movement of network layer packets over a single link in the path.

A link-layer protocol defines:

• format of packets exchanged between nodes at ends of the link
• actions taken on packets by those nodes

A network adapter implements the link layer protocols. Network adapter constitutes the physical hardware that enables a computer to connect to a network and exchange information.

Try running this command to see the list of network adapters in your computer:

Mac: networksetup -listallhardwareports Linux: lshw -class network -short Windows: Get-NetAdapter -Name *

In the output, you will notice that each device has a link-layer address known as the MAC address. The adapters' ROM contains MAC addresses assigned at the time of manufacture that are considered permanent. Each node (hosts and routers) has a link-layer address along the path.

Earlier we talked about IP address, which are also an identifier for the devices. The situation is similar to having multiple identifiers: home address and social security number. There are several reasons why nodes have MAC addresses and network-layer addresses.

• The protocols in different layers are supposed to be substitutable. For example, IPX doesn't use a network layer address.
• IP addresses are stored in RAM and reconfigured every time the adapter is moved or powered up, that is, temporary.
• Suppose the protocol omits MAC addresses. The adapter would need to pass each packet it receives up the protocol stack. The network layer would check for an IP address match. But, this can be inefficient if done too many times: Interrupts help pass packets which can be expensive.

In summary, for the layers to be largely independent building blocks in network architecture, many layers need to have their addressing scheme.

As a quick recap, we have come across three types of address until now:

• Hostnames for the application layer (ilovecookies.com). These are converted into corresponding IP addresses using DNS.
• The IP address for the network layer
• MAC address for the link layer

Like the Domain Name System, which helps resolve IP addresses from hostnames, Address Resolution Protocol (ARP) is useful for determining (destination) MAC addresses from an IP address.

ARP builds a table in RAM which contains a mapping of IP address to MAC address. The protocol includes specifications (such as a particular packet) for creating this table automatically.

The network layer passes the packet and MAC address (from the ARP table) of the destination node to the link layer. The link-layer encapsulates the packet in a link-layer packet and moves it along the link to the destination node.

A network containing two hosts and one router

Suppose in the above setup the host 222.222.222.220 wants to send a packet to the other host 222.222.222.222. The network layer uses ARP to resolve the corresponding MAC address as 49-BD-D2-C7-56-A2 and passes the packet and MAC address to the link layer. The link layer moves the packet over the link between the two hosts.

Next, consider a more complex scenario where a host wants to send a packet to another host on a different network. For example, a packet from my computer to ilovecookies.com travels from my home network to another network.

A router connecting two subnets. The router contains two adapters for linking and two IP addresses, identifying it on each subnet

There are two things to notice about this picture. First, the router has two IP addresses. As the router participates in two different networks, it requires two IP addresses to identify it in the respective network. For more details, see this.

Second, the two separate networks are known as subnets. A subnet is a logical grouping of network devices that makes network device management more accessible.

Suppose in this setup the host 222.222.222.222 wants to send a packet to the host 111.111.111.111, which involves making a cross-network trip. It will not locate the destination host (111.111.111.111) in its subnet, and it forwards the packet to the default gateway (router).

The network layer uses the ARP table to resolve the MAC address as 88-B2-2F-54-1A-0F. The router uses its routing table to deliver the packet to the link connecting to the other subnet. Once again, the ARP table helps resolve the MAC address of the destination host, and the packet moves along the link.

In summary, the adapter part of your computer hardware implements the link layer protocols. The link-layer protocol defines an addressing scheme called MAC addresses, and the ARP is used to map IP addresses to MAC addresses. The link-layer encapsulates network layer packets and moves them over a link.

One of the popular link layer protocols is Ethernet. Let's continue our example (ilovecookies.com) to examine the Ethernet protocol in action.

An Ethernet packet encapsulating an IP packet

We can observe the Ethernet packet contains destination and source MAC addresses (omitted), and it encapsulates the IP packet.

Recap

Let's summarize what we saw in this article using the picture below.

End to end network communication between host A and host B

Computer applications running on two different systems (called hosts) communicate using protocols.

Protocols are rules which govern the communication between two hosts. The protocol stack solves multiple sub-problems to solve the problem of network communication. Each layer focuses on solving a sub-problem using the services offered by the lower layers in the abstraction hierarchy.

The application layer protocols work at the highest level of abstraction. An application communicates by sending messages that adhere to the rules of an application protocol (for example HTTP).

DNS is used to map hostname (www.ilovecookies.com) to an IP address. These messages are pushed through the socket interface to be transmitted over the network using the transport layer.

The transport layer exposes a logical communication between two applications running on different hosts. It breaks down application messages into smaller pieces and encapsulates them in packets containing extra information (headers).

The application message is created from these packets and pushed through the socket interface using the port number on the packet. These packets are sent over the network by relying on the network layer.

Next, the network layer takes over, providing logical communication between two hosts. It also encapsulates the transport packet in a network packet.

The Internet contains packet switching devices that forward network packets, using routing tables stored in RAM and built dynamically using routing protocols. The network layer relies on the link layer to move packets.

Link-layer is responsible for moving packets over individual links. Hardware devices, called adapters, implement link-layer protocols and have a permanent address associated with them, called MAC address. MAC address serves as the identifier for this layer. The Address Resolution Protocol (ARP) maps IP addresses to MAC addresses.

Finally, the link layer passes packets to the physical layer, which constitutes the wires over which the information travels.

Thank you for reading! I hope you learned something new about computer networks today.

Sources

Millions of people use the Internet every second of the day, and it has changed many aspects of our lives – from creating new jobs and a new way of working to influencing how news is consumed and how decisions are made.

Although it's been around for quite a while now, the underlying technologies that power it have not changed that much since its invention.

In this article you'll learn about the Internet Protocol, or IP - what it is, how it works, and the differences between its different versions.

How computers communicate over the Internet

Computers, and devices in general, connect and communicate with one another on the Internet in a couple different ways: either with the help of a large number of undersea cables or wirelessly.

Information gets broken down into packets, or smaller pieces of data, that get transferred by routers to the correct destination and back.

However, for computers to communicate in the first place, there needs to be a set and universally agreed upon common language of communication that all devices understand.

This need for a standardized method of communication during data exchange led to the creation of protocols.

One of the key protocols is the Internet Protocol, or IP.

The Internet Protocol has a particular syntax that defines a set of rules and a specified format for how communication will take place between devices over various networks. It essentially makes communication between computers possible.

Those rules cover a large number of things, like:

• identifying and locating each device on a network
• having devices then talk to each other
• dictating how the format and transfer of packets of data will look like
• determining how each packet will reach the desired destination
• choosing the fastest and most efficient path possible for the router to take, and
• deciding how to handle errors when they occur.

Each and every device connected to a network needs a way to identify itself across various networks.

When you want to send a letter to someone, you need a way of identifying that person's home so the postal service knows where to deliver the letter. You don't want the letter to be delivered to the wrong person!

This is why, when sending a letter, you include the recipient's unique home address as the destination address and also your unique home address, which is the return address.

Each house has a unique address that sets it apart and identifies it.

Similarly, the way to identify computers and devices on the Internet so we can transmit and exchange data, is by knowing their IP address.

To send an e-mail to someone, you need to know their computer's IP address. The e-mail gets broken down into smaller chunks, or packets. The way they reach the correct destination is because each packet also includes IP information.

When sending something over the Internet there needs to be a destination address and a return address on each packet. IP addresses are how computers find one another and know their respective locations.

The Internet Protocol is in charge of defining the format of IP addressing.

What is an IP address?

An IP address is a network address, and every device that connects to a computer network gets one.

An IP address is a unique sequence of numbers assigned to a device that's written in a certain format. It globally identifies every device in the interconnected network.

As mentioned earlier, packets get routed to the correct and intended destination and devices are able to send and receive information over the Internet because each device is assigned a unique IP address.

You'll likely not ever have to deal directly with IP addresses or know any by heart in order to send information over the Internet - it's all happening behind the scenes.

If you're curious and want to know your IP address, head to Google.com and type in "What's my IP" and you'll see your unique address in the first result.

That being said, there are are few different types of IP addresses, which you'll see in the following sections.

Private vs Public IP addresses

Everyone has two kinds of IP addresses: public and private.

The public one is given to your home router by your Internet Service Provider (ISP) and it's the primary address for your whole local network.

In your home you may have more than one laptop, smartphone, or tablet. Each device has its own IP address, but they are all also under the same main, public IP address.

This is how all devices in your home get connected to the Internet – via the main public IP address.

A public IP address is unique, meaning there are no two identical IP addresses used at a given moment.

As mentioned above, if you have many devices in your home, then each has its own IP address. This address is a private IP address, and it cannot access the Internet directly.

As these devices connect to the Internet via the router (which has a public IP address), the router needs a way to identify and recognise each device separately, before it connects it to the Internet.

The way the router does this is by assigning an individual private IP address to each device. Then it remembers that address each time the device wants to get connected to the Internet.

Dynamic VS Static IP Addresses

Public IP addresses are split into two categories: dynamic and static.

Once a device gets connected to the Internet, your Internet Service Provider gives you one of their available IP addreses for the duration of the time you stay connected. This is how the device will be able to send and receive data.

The next time you connect to the Internet, your ISP will provide you with a different IP address. This means that each time you connect to the Internet, you have a different IP address. This is why this type of IP address is called dynamic - it's ever changing.

On the other hand, a static IP address never changes. It's a permanent address. The address is provided once and you can expect it to stay the same.

Static IP addresses are often used by DNS Servers. A DNS server is a large computer that stores files that make up a website. Their job is to send those files each time they are requested by a user who wants to view the website.

IPv4 vs IPv6 – What's the Difference?

What is an IPv4 address?

IPv4 is the first, and most widely used, version of the Internet Protocol.

It was first launched in 1980 and is used to this day.

It's a 32-bit address and it's made up of 4 blocks – with each block being separated by a dot.

It looks something like this:

XXX.XXX.XXX.XXX

Each block can fit up to 3 digits, and the numbers in the block range from 0 to 255, in decimal values.

An example of an IP address is:

142.250.185.206

Here's another example:

69.171.250.35

These decimal numbers are converted to binary, a machine language, which is the only language computers can directly understand.

These decimal numbers, in binary, are actually 4 blocks of 8 binary digits (or bits).

This is why it is called a 32-bit address – it's an address made up of a sequence of 32 binary digits.

For example, the address you saw earlier,142.250.185.206 is:

10001110.11111010.10111001.11001110

in binary, under the hood.

So, 2^32 is a total of 4,294,967,296 unique addresses. That is the limit of IP addresses IPv4 can provide for each device to connect to the Internet.

You would think that this large number is more than enough. But, as the population continues to grow and each person owns more and more devices (and each device needs its own IP address) we have been running out of addresses for quite some time now.

What is IPv6?

IPv6 is the latest version of the Internet Protocol which was first deployed in 1998.

It's the successor of IPv4 and there will be a slow shift towards it in the future.

Whereas IPv4 is a numeric address, IPv6 uses hexadecimal, alphanumeric characters - meaning it contains numbers and letters.

In the way IPv4 uses 4 blocks that each contain up to 3 digits, IPv6 uses 8 blocks that contain 4 hexadecimal characters each.

In IPv4, each block is separated by a do t(.). In IPv6 each block is separated by a colon (:).

So, an IPv6 address looks something like this:

XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX

For example:

2001:0db8:85a3:0000:0000:8a2e:0370:7334

It's a 128-bit address, meaning that there are 2^128 addresses available.

That means there are 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses we can use on the Internet.

That is 340 undecillion addresses, which we hope will be more than enough for everyone!

Conclusion

And there you have it! You now know the basics of the Internet Protocol. It's the underlying technology all computers and devices use to be able to connect with one another and receive and exchange information.

You also learned the basic differences between IPv4 and IPv6. And in a nutshell, IPv6 provides far more IP addresses than IPv4 does.

If you are interested in learning more about how the Internet works, check out this video on freeCodeCamp's YouTube channel that explains the fundamentals of computer networking.

Thanks for reading and happy learning 😊