Ethernet Addresses and Names
The basic concept of Ethernet networking is that packets are given destination addresses by senders, and those addresses are read and recognized by the appropriate receivers. Devices on the network check every packet, but fully process only those packets addressed either to themselves or to some group to which the device belongs.
EtherPeek recognizes three types of addresses: physical addresses, logical addresses, and symbolic names assigned to either of these.
A physical address is the hardware-level address used by the Ethernet interface to communicate on the network. Every device must have a unique physical address. This is often referred to as its MAC (Media Access Control) address. An Ethernet physical address is six bytes long and consists of six hexadecimal numbers, usually separated by colon characters (:). For example:
Typically, a hardware manufacturer obtains a block of physical address numbers from the IEEE and assigns a unique physical address to each card it builds. The vendor block of addresses is designated by the first three bytes of the six-byte physical Ethernet address. In this way, Ethernet physical addresses are generally distinct from each other, although some networks and protocols will override this built-in mechanism with one of their own.
Note: A current list of vendor IDs is included in the default EtherPeek Name Table.
The following figure shows captured packets that use physical addresses to represent the source and destination:
Figure B.1 Physical addresses displayed in a Packet File window
A logical address is a network-layer address that is interpreted by a protocol handler. Logical addresses are used by networking software to allow packets to be independent of the physical connection of the network, that is, to work with different network topologies and types of media. Each type of protocol has a different kind of logical address, for example:
- an IP address (IPv4) consists of four decimal numbers separated by period (.) characters, for example:
- an AppleTalk address consists of two decimal numbers separated by a period (.), for example:
Depending on the type of protocol in a packet (such as IP or AppleTalk), a packet may also specify source and destination logical address information, either as extensions to the physical addresses or as alternatives to them.
For example, in sending a packet to a different network, the higher-level, logical destination address might be for the computer on that network to which you are sending the packet, while the lower-level, physical address might be the physical address of an inter-network device, like a router, that connects the two networks and is responsible for forwarding the packet to the ultimate destination.
The following figure shows captured packets identified by logical addresses under two protocols: AppleTalk (two decimal numbers, separated by a period) and IP (four decimal numbers from 0 to 255 separated by a period). It also shows symbolic names substituted for IP addresses (www0.wildpackets.com and ftp4.wildpackets.com) and for an AppleTalk address (Caxton).
Figure B.2 Logical AppleTalk and IP addresses and symbolic names
The strings of numbers typically used to designate physical and logical addresses are perfect for machines, but awkward for human beings to remember and use. Symbolic names stand in for either physical or logical addresses. The domain names of the Internet are an example of symbolic names. The relationship between the symbolic names and the logical addresses to which they refer is handled by DNS (Domain Name Services) in IP (Internet Protocol). EtherPeek takes advantage of these services to allow you to resolve IP names and addresses either passively in the background or actively for any highlighted packets.
In addition, EtherPeek allows you to identify devices by symbolic names of your own by creating a Name Table that associates the names you wish to use with their corresponding addresses.
To use symbolic names that are unique to your site, you must first create Name Table entries in EtherPeek and then instruct EtherPeek to use names instead of addresses when names are available.
Other classes of addresses
When one says "address," one typically thinks of a particular workstation or device on the network, but there are other types of addresses equally important in networking. To send information to everyone, you need a broadcast address. To send it to some but not all, a multicast address is useful. If machines are to converse with more than one partner at a time, the protocol needs to define some way of distinguishing among services or among specific conversations. Ports and Sockets are used for these functions. Each of these is discussed in more detail below.
Broadcast and multicast addresses
It is often useful to send the same information to more than one device, or even to all devices on a network or group of networks. To facilitate this, the hardware and the protocol stacks designed to run on the IEEE 802 family of networks can tell devices to listen, not only for packets addressed to that particular device, but also for packets whose destination is a reserved broadcast or multicast address.
Broadcast packets are processed by every device on the originating network segment and on any other network segment to which the packet can be forwarded. Because broadcast packets work in this way, most routers are set up to refuse to forward broadcast packets. Without that provision, networks could easily be flooded by careless broadcasting.
An alternative to broadcasting is multicasting. Each protocol or network standard reserves certain addresses as multicast addresses. Devices may then choose to listen in for traffic addressed to one or more of these multicast addresses. They capture and process only the packets addressed to the particular multicast address(es) for which they are listening. This permits the creation of elective groups of devices, even across network boundaries, without adding anything to the packet processing load of machines not interested in the multicasts. Internet routers, for example, use multicast addresses to exchange routing information.
Figure B.3 Broadcast packets are processed by all nodes on the network
Hardware Broadcast Address. The following destination physical address is the Ethernet Broadcast address:
A packet with this destination address will be accepted by all devices on the network.
Some protocol types have logical Broadcast addresses. When an address space is subnetted, the last (highest number) address is typically reserved for broadcasts. For example:
IP Broadcast Addresses typically use 255 as the host portion of the address; for example:
AppleTalk Broadcast Addresses use 255 as the node portion of the address:
While conceptually very powerful, broadcast packets can be very expensive in terms of network resources. Every single node on the network must spend the time and memory to receive and process a broadcast packet, even if the packet has no meaning or value for that node.
Figure B.4 AppleTalk broadcast and multicast packets
Multicast Address. In Ethernet, addresses in which the first byte is an odd number (that is, the low-order bit of the first byte is set) are reserved for multicasting. In IPv4, all of the Class D addresses have been reserved for multicasting purposes. That is, all the addresses between 224.0.0.0 and 239.255.255.255 are associated with some form of multicasting. Multicasting under AppleTalk is handled by an AppleTalk router, which associates hardware multicast addresses with addresses in an AppleTalk Zone.
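The address classes described above (hardware broadcast, odd-first-byte Ethernet multicast, the vendor block in the first three bytes, IPv4 subnet broadcast and Class D multicast, AppleTalk node 255) and the Name Table substitution of symbolic names for addresses, as an added example not taken from the EtherPeek manual or product. The NAME_TABLE and VENDOR_TABLE contents are constructed sample data, not real vendor IDs or hosts.

```python
import ipaddress

# Constructed stand-in for an EtherPeek Name Table: symbolic names keyed by
# physical (MAC) or logical (IP, AppleTalk) address. All entries are sample data.
NAME_TABLE = {
    "00:11:22:33:44:55": "Caxton",
    "10.0.1.20": "www0.example.test",
    "12.4": "laser-printer",
}
# Constructed vendor-ID table: the first three bytes of a MAC are the vendor block.
VENDOR_TABLE = {"00:11:22": "ExampleVendor"}

def parse_mac(text):
    """Parse a colon-separated Ethernet address into six bytes; reject anything else."""
    parts = text.strip().lower().split(":")
    if len(parts) != 6 or not all(len(p) == 2 for p in parts):
        raise ValueError(f"not a six-byte Ethernet address: {text!r}")
    return bytes(int(p, 16) for p in parts)

def classify_mac(text):
    """Return (kind, vendor block, vendor name); kind is broadcast, multicast or unicast."""
    mac = parse_mac(text)
    if mac == b"\xff" * 6:                      # hardware broadcast address
        kind = "broadcast"
    elif mac[0] & 0x01:                         # odd first byte = group (multicast) address
        kind = "multicast"
    else:
        kind = "unicast"
    oui = ":".join(f"{b:02x}" for b in mac[:3]) # vendor block assigned by the IEEE
    return kind, oui, VENDOR_TABLE.get(oui)

def classify_ipv4(text, prefix_len=24):
    """Classify an IPv4 address given the prefix length of the subnet it lives in."""
    addr = ipaddress.IPv4Address(text)
    if addr.is_multicast:                       # Class D: 224.0.0.0 - 239.255.255.255
        return "multicast"
    net = ipaddress.IPv4Network(f"{addr}/{prefix_len}", strict=False)
    if addr == net.broadcast_address:           # highest address in the subnet
        return "broadcast"
    return "unicast"

def classify_appletalk(text):
    """AppleTalk net.node address; node 255 is the broadcast node for that network."""
    net, node = (int(x) for x in text.split("."))
    return "broadcast" if node == 255 else "unicast"

def resolve(text):
    # Substitute a symbolic name when the Name Table has one, else keep the address.
    return NAME_TABLE.get(text.strip().lower(), text)
```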
Ports and sockets
Network servers, and even workstations, need to be able to provide a variety of services to clients and peers on the network. To help manage these various functions, protocol designers created the idea of logical ports to which requests for particular services could be addressed.
Ports and sockets have slightly different meanings in some protocols. What is called a port in TCP/UDP is essentially the same as what is called a socket in IPX, for example. EtherPeek treats the two as equivalent. ProtoSpecs uses port assignments and socket information to deduce the type of traffic contained in packets.