ARP – Address Resolution Protocol

ARP solves the problem of mapping between the addresses of two protocols that use different address sizes.

It maps an IP address (32 bit) to a MAC address (48 bit).

How it works in a nutshell:

Let’s assume that we have two hosts on different networks, A and B, and we want them to communicate with each other. What happens when host A tries to reach host B for the first time (ARP cache empty):

  1. Since the IP and subnet mask combination tells us that host B is on another network, host A will send a broadcast packet containing the following fields:
  • HW : 1 (Ethernet)
  • Protocol : 0x0800 IP
  • HW length : (6) 48 bit
  • Protocol length : (4) 32-bit
  • OPCode : 1 (Request)
  • H/W Source : aa:aa:aa:aa:aa:aa – MAC of host A
  • Protocol source : 192.168.0.2 – IP of host A
  • HW Dest : ff:ff:ff:ff:ff:ff – MAC of broadcast address
  • Protocol dest : 192.168.0.1 – IP of gateway

The gateway will respond with an ARP reply:

  • HW : 1 (Ethernet)
  • Protocol : 0x0800 IP
  • HW length : (6) 48 bit
  • Protocol length : (4) 32-bit
  • OPCode : 2 (Reply)
  • H/W Source : gg:gg:gg:gg:gg:gg – Gateway’s MAC
  • Protocol source : 192.168.0.1 – IP of gateway
  • HW Dest : aa:aa:aa:aa:aa:aa – MAC of host A
  • Protocol dest : 192.168.0.2 – IP of host A

The same will happen on the other side: if the gateway has no ARP entry for host B, it will broadcast an ARP request to B's broadcast domain (let’s assume we are using only one router), get a response from the host and save its address to the ARP cache.

After the request/reply exchange we have the gateway in our ARP cache, so now we can send packets to B through the gateway.

  1. Host A will send a packet to the default gateway, with the destination MAC of the default gateway and the destination IP of host B.
  2. Before sending the packet further, the gateway will change the source MAC to its own; the destination IP will be left the same.
  3. Host B will reply; the MAC of the gateway will be the destination MAC, and the IP of host A will be the destination IP.

We must not forget about:

Gratuitous ARP – if a machine changes its MAC or services are moved, devices can end up with wrong data in their ARP caches; to update it, the machine can send gratuitous ARP requests.

https://wiki.wireshark.org/Gratuitous_ARP 
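
An added example (not part of the original post): it decodes the ARP fields listed above and, from a monitoring point of view, flags gratuitous ARP and any change of a cached IP-to-MAC binding. The helper names, the `ArpWatch` class and the 02:... MAC addresses are assumptions made for illustration; the packets are constructed sample input.

```python
import socket
import struct

# htype, ptype, hlen, plen, opcode, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"

def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp(oper, sha, spa, tha, tpa):
    """Pack an Ethernet/IPv4 ARP payload (used only to construct sample input)."""
    to_raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, to_raw(sha),
                       socket.inet_aton(spa), to_raw(tha), socket.inet_aton(tpa))

def parse_arp(payload):
    """Decode the 28-byte ARP payload; reject anything not Ethernet/IPv4."""
    if len(payload) < struct.calcsize(ARP_FMT):
        raise ValueError("truncated ARP payload")
    ht, pt, hl, pl, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (ht, pt, hl, pl) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP payload")
    return {"oper": oper, "sha": _mac(sha), "spa": socket.inet_ntoa(spa),
            "tha": _mac(tha), "tpa": socket.inet_ntoa(tpa)}

class ArpWatch:
    """Tracks IP -> MAC bindings and reports gratuitous ARP and rebinding."""
    def __init__(self):
        self.cache = {}

    def observe(self, payload):
        p, events = parse_arp(payload), []
        if p["spa"] == p["tpa"]:              # sender announces its own IP
            events.append("gratuitous")
        known = self.cache.get(p["spa"])
        if known and known != p["sha"]:       # cached binding is being replaced
            events.append(f"rebind {p['spa']}: {known} -> {p['sha']}")
        self.cache[p["spa"]] = p["sha"]
        return events

def demo():
    # Constructed sample traffic; the 02:... MACs are made-up placeholders.
    gw, other, bcast = "02:00:00:00:00:01", "02:00:00:00:00:99", "ff:ff:ff:ff:ff:ff"
    packets = [
        build_arp(1, "aa:aa:aa:aa:aa:aa", "192.168.0.2", bcast, "192.168.0.1"),
        build_arp(2, gw, "192.168.0.1", "aa:aa:aa:aa:aa:aa", "192.168.0.2"),
        build_arp(1, other, "192.168.0.1", bcast, "192.168.0.1"),  # gratuitous
    ]
    watch = ArpWatch()
    return [watch.observe(p) for p in packets]
```

Calling `demo()` returns one event list per packet: the request and the reply are silent, while the third packet is reported both as gratuitous and as a rebinding of the gateway's IP.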

The TCP and UDP segment format

Putting this here just for reference, as I am repeating the Stanford Networking course.

Some of the important fields in a TCP segment:

Destination port – tells the TCP layer which application should get the bytes on the other end.

Source port – says where the data should be sent back. When an app starts sending data, it generates a unique source port number to be able to receive data back (and to differentiate the connections between hosts A and B).

Sequence number – indicates the position in the byte stream of the TCP data field.

Acknowledgment sequence – tells the other end which byte we are expecting next; it also says that until now we have received all data correctly.

16-bit checksum – used to detect corrupt data, bit errors on the wire for example.

Header length – tells how long the header is, and also shows how many options are present.

Flags – ack, urg, push bit, reset flag, syn, fin.

Window size – could be 1, which means stop and wait; could be 0, which means the connection will be closed; could be 1500 or another value, which means that many bytes can be sent without an acknowledgment.

The unique id of a TCP connection.

The IPv4 header carries the IP destination address, the IP source address and the protocol ID (TCP); combined with the TCP source and destination ports, this gives a 104-bit globally unique ID.

As a first step, host A increments the source port for every new connection.

Then TCP picks an ISN (initial sequence number) to avoid overlap with a previous connection with the same ID.

UDP 

UDP has only 4 header fields, unlike TCP, which has 10.

Fields:

Source port, Destination port, Length, Checksum (optional field). If the checksum is used, it is calculated over the UDP header and data; otherwise the field is filled with zeros.

In a nutshell, UDP is unreliable delivery: no acks, no way to detect missing datagrams, no flow control, and packets may show up in any order. TCP has all those functions, but the issue with TCP is that a TCP segment is much bigger than a UDP datagram and carries a lot of features which might not be needed for apps like video streaming or DNS; features like flow control might also already be implemented in the app itself. For example, right now we are observing more and more intensive usage of the QUIC protocol on networks.