Notes on Ethernet
100BASE-TX
100BASE-TX is an Ethernet physical layer standard for 100Mb/s over two-pair twisted pair Category 5 cables using 8-pin RJ45 connectors.
Pair 2 (yellow/orange), on pins 1 (+, striped) and pin 2 (-, solid) is used for transmit. Pair 3 (green), on pins 3 (+, striped) and 6 (-, solid) is used for receive.
Binary symbols are transmitted on the wire at 125MBd with three voltage levels, +1V, 0V and -1V using MLT-3. A 0 is signaled by staying at the same voltage level, and a 1 is signaled by cyclicly transitioning through (-1V, 0V, +1V, 0V) to the next voltage level. This means a series of 1s generate a 31.5Mhz signal.
A 100MHz binary signal (e.g. packet data) is encoded using 4B5B as a 125Mhz signal for wire transmission. A nibble is encoding as 5 bits with at least two 1 bits present. This allows the receiver to perform clock recovery. It also introduces additional command symbols to signal beginning and end of packet.
The Ethernet frame is organized into bytes. Within bytes, the least significant bit is transmitted first. FIXME: This isn't the whole story due to 4B5B encoding.
The Ethernet frame begins with 7 bytes of preamble, 0x55, and the start of frame delimiter, 0xd5. It ends with a 32-bit frame check sequence (CRC). In 100BASE-TX on the line, the frame is preceeded by the start-of-stream delimiter J/K and followed by the end-of-stream delimiter T/R.
TODO: Capture J/K on LA.
Address Resolution Protocol (ARP)
ARP can be used to look up the Etherent address associated to an IP address. This is necessary because a host on an Ethernet network cannot send a packet directly to an IP address.
The host performing the lookup sends a broadcast ARP packet with target Ethernet address. The host with that Ethernet address replies with its IP address. The ARP request and reply packets have the following format:
- 6-byte Ethernet destination address
- 6-byte Ethernet source address
- 2-byte frame type 0x0806
- 2-byte hardware address type. 1 for Ethernet.
- 2-byte protocol address type. 0x0800 for IP.
- 1-byte size of hardware address. 6 for Ethernet.
- 1-byte size of protocol address. 4 for IP.
- 2-byte operation. 1 for ARP request, 2 for ARP reply.
- 6-byte sender Ethernet address
- 4-byte sender IP address
- 6-byte target Ethernet address
- 4-byte target IP address
There is duplicate information, for example, the sender's Ethernet address. For looking up an IP address from an Ethernet address, the Ethernet frame is a 14 byte Ethernet header plus a 28 byte of ARP request/reply payload.
Link Layer Access
The Linux packet interface provides access to packets at the link layer (e.g. Ethernet frames). To create a packet socket:
fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
If the socket type is SOCK_RAW, the link layer header is included, and if it is SOCK_DGRAM, it is not.
recvfrom can be used to recieve packets. The source address is a struct sockaddr_ll:
struct sockaddr_ll {
unsigned short sll_family; /* Always AF_PACKET */
unsigned short sll_protocol; /* Physical-layer protocol */
int sll_ifindex; /* Interface number */
unsigned short sll_hatype; /* ARP hardware type */
unsigned char sll_pkttype; /* Packet type */
unsigned char sll_halen; /* Length of address */
unsigned char sll_addr[8]; /* Physical-layer address */
};
For more information, see packet(7).
sendto can be used to send link layer packets. For the destination address, from packet(7): When you send packets, it is enough to specify sll_family, sll_addr, sll_halen, sll_ifindex, and sll_protocol. The other fields should be 0.
BSD provides link layer access through the BSD Packet Filter (BPF) interface, and SVR4 through the Datalink Provider Interface (DLPI). libpcap is a portable library for link level packet access. tcpdump is built on libpcap.