Archive
IP fragmentation
Every physical medium has a maximum size of packets it can send. This is called MTU (Maximum Transmission Unit). For Ethernet this is usually 1500 bytes. If we send packets that are larger than 1500 bytes fragmentation is needed. Fragmentation is the method of dividing one large packet into several smaller packets.
1500 bytes is the maximum size including headers which means we have 1500 – 20 – 8 = 1472 bytes. 20 bytes are used by the IP header and in this example 8 bytes for ICMP. The Ethernet header doesn’t apply to this limit. If we were using TCP instead we would have 1500 – 20 – 20 = 1460 bytes available. The MTU for my Ethernet card is 1300, this is because I have Ciscos VPN client installed, it sets the MTU to 1300 to have room for IPSEC encapsulation. To find out what your MTU is use “netsh interface ipv4 show interfaces”
Let’s take a look at an IPv4 header.
There are three fields that we are specially interested in. Identification, flags and fragment offset. The identification field is used primarily for identyfing fragments. Fragments which belong to the same original IP datagram will have the same number in the identification field. The flags field has three bits.
- Bit 0: Reserved; must be zero (Sometimes refered to as the evil bit, see RFC 3514)
- Bit 1: Don’t fragment bit
- Bit 2: More fragments bit
If bit 1 is set, fragmentation is not allowed. This is useful for finding out the max size payload we can send. Bit 2 is set to indicate more fragments. All fragments that belong to an IP datagram will have the more fragments bit set except for the final fragment. This is so the end hosts can know when it has collected all the fragments of the IP datagram. The fragment offset field specifies the offset of a fragment. The first fragment will have an offset of 0. The next fragment will have an offset of 1280 if MTU = 1300 is used.
To verify that the max size is 1272 I will ping a host with a payload of 1272 bytes and the DF flag set, 1273 bytes will fail.
The ping is successful. This is what the packet looks like:
The frame is 1314 bytes long (1272 + 8 + 20 +14). Total length = 1300 ( 1272 + 8 + 20). The DF bit is set, bit nr two of the flags field. We can also see the ICMP header further down. Now let’s see when we try to use 1273 bytes:
The frame is not allowed since it is too large. Now lets generate some fragments, we will ping with a payload of 2544 bytes. This should generate exactly two frames.
Lets take a look in Wireshark:
Notice the identification field (17987). Also notice that the more fragments bit is set and that the fragment offset is 0. This is what the following frame looks like and it contains the actual ICMP header:
The identification field is the same (17987). The more fragments bit is not set since it’s the last fragment. The fragment offset is 1280. The first frame had 1280 bytes of data. This post should give you some insight to IP fragmentation. In a following post I will talk about TCP MTU discovery.
ARP (Address Resolution Protocol)
ARP is one of the most used protocols and every netwoork engineer should have a good understanding of it. The purpose of ARP is to find out the hardware address for a host for which we know the IP. ARP is in no way bound to Ethernet, it will function for other layer 2 protocols also. The topology I have used is very simple, it’s my own wireless network at home. See the picture below:
In Windows, to see what is in the ARP cache type “arp -a”. In windows Vista/7 the entry is valid for about 30 seconds.
Since I already have an entry for 192.168.1.254 (my router) I need to delete it to force an ARP request to be sent. I will capture the traffic with Wireshark. The command to do this is “arp -d”.
Lets look at an ARP header:
The numbers above the image are the octet boundaries, one octet is 8 bits. This can also be expressed as one byte. The first field which is 2 octets in size is hardware type. This field indicates what layer 2 protocol is being used, in this case Ethernet. This number will be one for Ethernet(0×0001). Protocol type is the layer 3 protocol in use which in our case is IP. IP has the number 0×0800. Hardware address length is one octet long and indicates the length of the hardware address. For Ethernet this is 6 bytes(48 bits). Protocol address length is the length of IP which is 4 octets. Opcode tells us what kind of ARP message this is, this will be a one for a request or a two for a reply. It can also be a three or four in the case of RARP (Reverse ARP).
Source hardware address and destination hardware address is in our case the MAC(Media Access Control) address. The protocol address is the source and destination IP address.
My computer now sends an ARP request (Opcode 0×0001). This is what it looks like:
192.168.1.254 is the router and .65 is my computer. Notice that the frame is a broadcast since we don’t know the MAC-address of the router. This is what the frame looks like in detail:
The router then sends a reply which is unicasted, the router knows the computers MAC-address since it was in the frame that it received. The frame looks like this:
This is the more detailed version:
The router will save the MAC for the computer in it’s own cache. If we are asking for the hardware address of the router that means we are interested in communicating with it so it is more effecient to save the information then to send a new request from the router to the computer.
I hope this post has given you some more detail about how ARP works.
