The seven-layer OSI model for network communications splits communications process into seven separate layers:
|7||Application||Topmost layer, provides users a means to access network resources (only level seen by end user)|
|6||Presentation||Transforms data received into a format that is readable by the application layer. Handles encryption/description for secure data|
|5||Session||Manages communication sessions between computers. Manages connections with other devices. Half-duplex or full duplex.|
|4||Transport||Provide reliable data transport services to lower layers.|
|3||Network||Routes data between physical networks. Handles addressing, via IP. Handles packet fragmentation and error detection. Router level. Most complex layer.|
|2||Data Link||Transports data across a network. Provides addressing scheme to identify physical devices, bridges, switches, MAC addresses.|
|1||Physical||The physical medium for the network communication signals.|
(Please Do Not Touch Steve's Pet Alligator)
Different nodes or computers on the network are only connected at the physical level.
Hubs vs Switches vs Routers
Hubs are capable of operating in only half duplex mode. They aren't found in many modern networks (they're replaced by switches). Hubs are basically repeating devices, operating only at the physical layer.
Packets sent to one port, on a hub, are sent to all other ports. So sending data from 1 to 3 requires sending data from 1 to 2, 3, and 4. Packets not intended for a computer's MAC address are dropped.
Switches allow more fine-grained control over network traffic, you can send data from one port to another specific port, you have full duplex mode.
Switches also transfer the job of checking a packet's destination MAC address: it takes that job away from each computer, the job is now done by the switch.
Routers are much more advanced than switches and hubs. Routers operate at the Network level in the OSI model. They handle packets between two or more networks. Routers route traffic to direct the flow of traffic.
Routing protocols control what packets go to what networks. Routers use IP addresses to identify devices.
As an example, you might have 100 computers on a router. These might be split into two groups, 50 computers each. Splitting up networks this way is more efficient. But in addition to that the router also provides a way for computers to communicate across these networks.
Three classes of networks:
Broadcast packets are sent to all ports on a network segment. Broadcast addresses are on both Layer 2 (MAC address
FF:FF:FF:FF:FF:FF) and Layer 3 (IP address
Broadcast domain is network segment where computer can directly transmit to another computer without going through a router.
Multicast packets have a single source and multiple destinations. The implementation is highly dependent on the protocol used.
Multicast IP address range:
Unicast packets are transmitted from one computer to another directly. Example: web server request.
Traffic on the network often goes to computers other than the intended recipient. ARP is used to determine which MAC address corresponds to a particular IP address, and enables packet rerouting.
To find the MAC address that matches an IP address, the ARP broadcasts a packet to all devices within its broadcast domain. It then waits for the correct client to respond.
Only the intended recipient is really interested in the ARP broadcast. Everyone else doesn't care. So to keep from wasting the CPU's time with packets not intended for it, the network interface device handles that instead, and discards any packets not for this computer.
Promiscuous mode turns off this default throwing-packets-away behavior. Libpcap allows you to switch your network into promiscuous mode.
Sniffing on Hubs
When you sniff on a hub-based network, your reach is limitless. Hubs repeat all traffic, making it easy to see what's going on on the entire network. However, hub networks aren't scalable, meaning you don't often see hub networks.
Sniffing on Switched Networks
Sniffing on a switched network only shows you broadcast traffic, and traffic directly/specifically intended for your computer.
To capture traffic from a switch, you can use port mirroring, hubbing out, use a tap, or use ARP cache poisoning.
Port mirroring involves exactly what you'd think: changing one port to mirror another port. You can plug the sniffer into one port and see what's being sent to the other port.
Enabling port mirroring is done at the switch level. Switches are flexible, but be sure to keep bandwitch considerations in mind.
To hub out requires physical access to the target device. You segment the target device and the packet sniffer on the same network via a hub. This is essentially just a hacky, physical port mirroring technique.
Network taps, like phone taps, just put a listening device between two points on the network. They are physical devices, with 3 or 4 ports.
Main page: ARP Poisoning
Wiresharka Swiss-army knife for analyzing networks, network traffic, and pcap files.
Working with SSL/TLS/HTTPS:
Flags · Template:WiresharkFlag · e
Networkingpages and notes about computer networks.
Man in the Middle attack vectors on wired networks: Man in the Middle/Wired
Packet analysis with Wireshark: Packet Analysis
Linux networking: Linux/Networking
Using Aircrack: Aircrack
Many Ways to Crack a Wifi: Cracking Wifi
Notes on OpenVPN: OpenVPN
Setting Up a Static Key VPN: OpenVPN/Static Key
IP Version 6: IPv6
Flags · Template:NetworkingFlag · e
Wirelessall things wireless.
Flags · Template:WirelessFlag · e