From charlesreid1

Network Protocols

The seven-layer OSI model for network communications splits communications process into seven separate layers:

NetworkStack  · e

Layer Name Function
7 Application Topmost layer, provides users a means to access network resources (only level seen by end user)
6 Presentation Transforms data received into a format that is readable by the application layer. Handles encryption/description for secure data
5 Session Manages communication sessions between computers. Manages connections with other devices. Half-duplex or full duplex.
4 Transport Provide reliable data transport services to lower layers.
3 Network Routes data between physical networks. Handles addressing, via IP. Handles packet fragmentation and error detection. Router level. Most complex layer.
2 Data Link Transports data across a network. Provides addressing scheme to identify physical devices, bridges, switches, MAC addresses.
1 Physical The physical medium for the network communication signals.

(Please Do Not Touch Steve's Pet Alligator)

Different nodes or computers on the network are only connected at the physical level.

Hubs vs Switches vs Routers


Hubs are capable of operating in only half duplex mode. They aren't found in many modern networks (they're replaced by switches). Hubs are basically repeating devices, operating only at the physical layer.

Packets sent to one port, on a hub, are sent to all other ports. So sending data from 1 to 3 requires sending data from 1 to 2, 3, and 4. Packets not intended for a computer's MAC address are dropped.


Switches allow more fine-grained control over network traffic, you can send data from one port to another specific port, you have full duplex mode.

Switches also transfer the job of checking a packet's destination MAC address: it takes that job away from each computer, the job is now done by the switch.


Routers are much more advanced than switches and hubs. Routers operate at the Network level in the OSI model. They handle packets between two or more networks. Routers route traffic to direct the flow of traffic.

Routing protocols control what packets go to what networks. Routers use IP addresses to identify devices.

As an example, you might have 100 computers on a router. These might be split into two groups, 50 computers each. Splitting up networks this way is more efficient. But in addition to that the router also provides a way for computers to communicate across these networks.

Network Classes

Three classes of networks:

  • broadcast
  • multicast
  • unicast


Broadcast packets are sent to all ports on a network segment. Broadcast addresses are on both Layer 2 (MAC address FF:FF:FF:FF:FF:FF) and Layer 3 (IP address X.Y.Z.255).

Broadcast domain is network segment where computer can directly transmit to another computer without going through a router.


Multicast packets have a single source and multiple destinations. The implementation is highly dependent on the protocol used.

Multicast IP address range: to


Unicast packets are transmitted from one computer to another directly. Example: web server request.

Promiscuous Sniffing

Traffic on the network often goes to computers other than the intended recipient. ARP is used to determine which MAC address corresponds to a particular IP address, and enables packet rerouting.

To find the MAC address that matches an IP address, the ARP broadcasts a packet to all devices within its broadcast domain. It then waits for the correct client to respond.

Only the intended recipient is really interested in the ARP broadcast. Everyone else doesn't care. So to keep from wasting the CPU's time with packets not intended for it, the network interface device handles that instead, and discards any packets not for this computer.

Promiscuous mode turns off this default throwing-packets-away behavior. Libpcap allows you to switch your network into promiscuous mode.

Sniffing on Hubs

When you sniff on a hub-based network, your reach is limitless. Hubs repeat all traffic, making it easy to see what's going on on the entire network. However, hub networks aren't scalable, meaning you don't often see hub networks.

Sniffing on Switched Networks

Sniffing on a switched network only shows you broadcast traffic, and traffic directly/specifically intended for your computer.

To capture traffic from a switch, you can use port mirroring, hubbing out, use a tap, or use ARP cache poisoning.

Port Mirroring

Port mirroring involves exactly what you'd think: changing one port to mirror another port. You can plug the sniffer into one port and see what's being sent to the other port.

Enabling port mirroring is done at the switch level. Switches are flexible, but be sure to keep bandwitch considerations in mind.

Hubbing Out

To hub out requires physical access to the target device. You segment the target device and the packet sniffer on the same network via a hub. This is essentially just a hacky, physical port mirroring technique.

Network Taps

Network taps, like phone taps, just put a listening device between two points on the network. They are physical devices, with 3 or 4 ports.

ARP Poisoning

Main page: ARP Poisoning