An Introduction to the Internet Protocols

NELUG meeting 16/2/2000
Richard Mortimer

Overview

• Internet connects millions of machines around the world.
• Allows machines to find/talk to each other.
• No one machine knows the whole of the network (knowledge is distributed).
• Supports the "languages" (protocols) that various applications use to talk to each other - done in layers.
• Example:

  applications
  protocol layer - http, ftp, nfs
  tcp		udp
  ip			icmp
  Hardware layer (ethernet, token ring, ppp)

  applications

  These are the user and system programs which talk to each other using IP.

  protocol layer

  These are application/domain specific languages which the various applications understand. These hide the gory details of ip, tcp and udp from the user.

  tcp/udp

  These are basic protocols that the higher level protocols use.

  ip

  The basic unit of information transmission. The higher layers use one or more ip packets to transfer data.

  icmp

  internet control message protocol - a close friend of ip which is used to pass various control messages between different machines. This is normally only used by the operating system.

  hardware layer

  This is the actual hardware which is used to transmit network packets.

IP addresses

• Each machine on the internet has a (unique) IP address.
• Written as four digits with values between 0 & 255 e.g. 129.234.200.99.
• To talk to a machine you address packets of data with your address (source) and the targets address (destination).

Subnets (and netmasks)

• Subnets are used to group a number of machines which are directly connected together.
• A netmask defines the subnet by separating the network and subnet parts of the address parts form the host part.
• For example a netmask of 255.255.255.0 specifies a subnet which has up to 254 (0 and 255 are special addresses) hosts connected to it.
• Historically networks were classed as either class A (netmask 255.0.0.0), B (255.255.0.0) and C (255.255.255.0). These represent the way in which addresses were allocated to individual institutions. i.e a university may have a class B network allocated and it is responsible for allocating all of the addresses within that range.
• In most cases you should probably assume that you are connected to a class C network and set the netmask appropriately.

DNS - Domain Name Service

• IP addresses are not easy to remember (names are easier).
• The Domain Name Service provides a mapping from names to IP addresses.
• Makes the net more user friendly.
• Allows particular name to move between machines - e.g. to a new service provider.
• Multiple names may map to the same address (often used for web sites).

Routing

• Machines are not directly connected to all other machines.
• To talk to non local machines you go via a gateway (often an ISP).
• That gateway machine is connected to other gateways.
• Any machine can act as a gateway if it has two or more network interfaces.So to talk to machine z you may have to go via
  me -> a -> b -> c -> z
  or maybe
  me -> w -> x-> z
• Routing protocols allow machines to work out the best way to get to another machine.
• This allows problems to be worked around (i.e. broken gateway machine).
• In most cases we only need to know one gateway machine (our ISP) - this is known as the default route.

Protocols

• IP (internet protocol) is the core internet message format.
• This consists of the header and a message body.
• The message body carries sub protocols.
• The most widely used are:
  • tcp - transmission control protocol - a reliable bidirectional stream of data.
  • udp - user datagram protocol - an unreliable packet based protocol.

tcp (also known as tcp/ip)

• tcp uses IP packets to construct a reliable bidirectional data stream.
• It handles lost, corrupted and reordered IP packets presenting a stream of data to the application.
• This is a connection oriented protocol, i.e. the user makes a connection and may then use that connection until it breaks it (or someone else does).
• http (hypertext transmission protocol), ftp (file transfer protocol), telnet all use this protocol.

udp (also known as udp/ip)

• udp does not provide a connection oriented protocol.
• Instead each packet of data has to be individually addressed and
• The user is responsible for handling lost packets (corrupted packets are detected by the IP layer and discarded).
• This is useful where a machine must talk to multiple machines and where it does not want the overhead of a connection oriented protocol.
• Examples: nfs (network file system), tftp (trivial file transfer protocol).

ports

• An ip address allows a packet to be delivered to a specific machine.
• But the machine must work out which application should receive that packet.
• Ports are used to do this (both tcp and udp use these).
• A port is effectively an address within a machine. They are usually specified as an ip addr/port/protocol combination i.e. 129.234.200.7:23 (tcp)
• Programs bind to a port to say that they wish to receive packets which are addressed to that port or that they wish to transmit packets from that port.
• A port is identified by a 16 bit integer e.g. 0 to 65535.
• There are a number of well known ports:

  7/tcp

  echo - echos back everything that is sent to it

  7/udp

  echo - echos back everything that is sent to it

  23/tcp

  telnet - remote terminal protocol

  25/tcp

  smtp - simple mail transfer protocol

  Note that tcp and udp have separate port numberings.
• Most systems define well known ports in the file /etc/services.

arp - address resolution protocol

• Machines on the local area network must be able to address each other directly (in terms of hardware addresses).
• arp allows machines to find others and to dynamically account for new machines which are added/removed.
• Put simply it maps ip addresses to mac (ethernet) addresses.
• Only those machines which you are currently (or have recently been) talking to are kept in the arp cache.

Diagnostic/fault finding tools

ping

• Ping uses low level packets to talk to a machine to check if it is responding (these are not actually IP packets (they are icmp packets) but are very closely related).
• This is useful to check if things are setup correctly.
• It also helps to diagnose slow/busy links.
• Example use of ping (localhost is loopback interface which talks to your own machine)

  richm@patricia richm]$ ping localhost
  PING localhost (127.0.0.1) from 127.0.0.1 : 56(84) bytes of data.
  64 bytes from 127.0.0.1: icmp_seq=0 ttl=255 time=0.2 ms
  64 bytes from 127.0.0.1: icmp_seq=1 ttl=255 time=0.2 ms
  64 bytes from 127.0.0.1: icmp_seq=2 ttl=255 time=0.1 ms
  ...
  64 bytes from 127.0.0.1: icmp_seq=8 ttl=255 time=0.1 ms
  
  --- localhost ping statistics ---
  9 packets transmitted, 9 packets received, 0% packet loss
  round-trip min/avg/max = 0.1/0.1/0.2 ms

• Note that when using ping on a dialup connection expect to see times or 100 or 200ms.
• If a machine is very busy or there is congestion somewhere in the network some packets may get lost. This is normal but if a large percentage of packets are being lost then connection to that machine may be very difficult.

ifconfig

• ifconfig is used to configure network interfaces.
• It is seldom used by the user - scripts turn you configuration into appropriate ifconfig commands.
• It can be useful to look at your current network setup. e.g.

  [richm@patricia richm]$ /sbin/ifconfig -a
  eth0      Link encap:Ethernet  HWaddr 00:00:C0:A0:CE:14  
            inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:0 errors:0 dropped:0 overruns:0 frame:0
            TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:100 
            Interrupt:7 Base address:0x290 Memory:d0000-d2000 
  
  lo        Link encap:Local Loopback  
            inet addr:127.0.0.1  Mask:255.0.0.0
            UP LOOPBACK RUNNING  MTU:3924  Metric:1
            RX packets:1024 errors:0 dropped:0 overruns:0 frame:0
            TX packets:1024 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:0 

  This shows two interfaces:

  eth0

  an ethernet interface

  lo

  the loopback interface - this is present on all machines and always has address 127.0.0.1 (localhost)

netstat

• netstat shows network statistics.
• with no parameters it shows the current connections (we are only concerned with "internet connections" here. UNIX domain sockets are covered in many books on networking.
• Example (from Solaris netstat):

  ws-csm2:819 $ netstat -f inet
  
  TCP: IPv4
     Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
  -------------------- -------------------- ----- ------ ----- ------ -------
  ws-csm2.658          patricia.nfsd         8760      0 24820      0 ESTABLISHED
  ws-csm2.56332        patricia.32784        8760      0 24820      0 ESTABLISHED
  localhost.56334      localhost.32804      32768      0 32768      0 ESTABLISHED
  localhost.32804      localhost.56334      32768      0 32768      0 ESTABLISHED
  localhost.56337      localhost.56331      32768      0 32768      0 ESTABLISHED
  ws-csm2.56904        tux.39504             8760      0 24820      0 ESTABLISHED
  ws-csm2.56906        tux.44245             8760      0 24820      0 ESTABLISHED

netstat -r

• This shows the current routing table (where the computer will send packets based on their destination addresses) e.g.

  richm@patricia richm]$ netstat -r
  Kernel IP routing table
  Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
  192.168.1.1     *               255.255.255.255 UH        0 0          0 eth0
  192.168.1.0     *               255.255.255.0   U         0 0          0 eth0
  loopback        *               255.0.0.0       U         0 0          0 lo
  default         *               0.0.0.0         U         0 0          0 eth0

• Note the "default" entry - any packet addressed to an address which does not appear in the routing table goes to the default route.
• Sometimes it is useful to use "netstat -nr" to stop and addresses being converted to machine names. Try this is netstat -r appears to hang.

traceroute

• Traceroute is useful for diagnosing routing problems.
• It determines the route which a packet is taking to get to a specified machine.
• There may be 10 to 20 hops on the way to a machine.
• Some gateways are setup to not respond to traceroute. In these cases you will get a * in the listing.
• Example:

  # traceroute webserver
  traceroute to webserver (129.234.200.161): 1-30 hops, 38 byte packets
   1  gateway (129.234.202.7)  2.81 ms  1.97 ms  3.49 ms
   2  isp-relay1 (192.165.23.27)  14.0 ms  13.4 ms  14.1 ms
   3  isp-relay2 (192.165.23.10)  17.7 ms  17.0 ms  17.7 ms
   4  webserver (129.234.200.161)  24.7 ms  *  19.7 ms

tcpdump (snoop is similar on Solaris)

• tcpdump analyses network packets on your local network and prints summaries of their contents.
• It is useful when looking for a subtle network problem.
• *** Care *** this program has access to all of the traffic on your network. If used inappropriately it can decode all manner of information. Unauthorised use can get you in serious trouble.

arp

• The arp command allows you to examine the arp cache and find out the hardware addresses of local machines.
• Example:

  # arp -a
  
  Net to Media Table: IPv4
  Device   IP Address               Mask      Flags   Phys Addr 
  ------ -------------------- --------------- ----- ---------------
  hme0   ws-csm2              255.255.255.255       08:00:20:34:9a:15
  hme0   patricia             255.255.255.255       00:d0:58:00:d8:e1
  hme0   tux                  255.255.255.255       08:00:20:89:7e:34
  hme0   nelug                255.255.255.255       08:00:20:43:0f:a4

nslookup

• To test that DNS lookups are working correctly nslookup can be used to perform name lookups

• patricia:15 $ nslookup
  Default Server:  ws-csm2.nelug.org
  Address:  129.234.200.161
  
  > phileas
  Server:  ws-csm2.nelug.org
  Address:  129.234.200.161
  
  Name:    phileas.nelug.org
  Address:  129.234.202.176
  
  >