Analysis of Ethernet frame structure

Because a project is required to analyze the data packets received by the network adapter, it is necessary to understand the Ethernet frame structure and parse it. It is found that there is a lot of knowledge about the general network, therefore, if you have read the relevant information, make a record to make a memo.

Ethernet is currently the most popular wired LAN technology. In particular, the exchange LAN developed 90 years later in the last century has increased the effective data rate, at the same time, general and cheap hardware such as hubs and switches contribute to its popularity. The format of the data frame over Ethernet is shown in:

Data Field: In switched Ethernet, a host sends an IP datagram to another host in the LAN, which is encapsulated in the Ethernet frame structure as its payload, the maximum transmission unit (MTU) of Ethernet is 1500 bytes, that is, it limits the maximum size of an IP datagram to 1500 bytes. If it exceeds 1500 bytes, it is necessary to enable the IP protocol's partition policy for transmission. At the same time, the minimum length of the data field is 46 bytes. If not, it must be filled to 46 bytes. For example, IP datagram and padding are removed by the network layer using the IP datagram header length field.

MAC address field: 6 bytes of a 128-bit Mac physical address, used to identify each host in the LAN, the destination MAC can be the physical address of a machine, can be a FF-FF-FF-FF-FF-FF broadcast MAC address.

Pre-sync code: the first 7 bytes are 10101010, And the last byte is 10101011. It is used to synchronize the clock of the sender and receiver. It mainly has different Ethernet types, and the sending and receiving rates are not completely accurate for frame rate transmission. Therefore, clock synchronization is required before transmission.

CRC: cyclic redundancy check, used to enable the receiver's Nic adapter to check whether the received data frame has an error and whether there is a bits flip error. If an error is introduced, it will be discarded, this is where the NIC adapter responds directly from the hardware. This field is obtained by the adapter from ing computation of other bits except the pre-sync code in the frame when the sender sends the message.

Type field: this is a well-designed hierarchical design that reduces coupling between network protocols. This allows Ethernet multiplexing of network layer protocols and supports different network layer protocols besides the IP protocol, or a protocol (such as ARP) That is hosted in an Ethernet frame ). The Receiver performs multi-path Decomposition Based on this field to resolve the Ethernet frame. The data field is handed over to the corresponding upper-Layer Protocol, so that the Ethernet is used as the data link layer protocol.

Through the above analysis, we can see that the front synchronization code is used by the synchronous clock when the network adapter receives frames, and will not be displayed by the receiver. The CRC field is used to verify frames. If the verification fails, it is discarded, only qualified data frames are received by the NIC, so CRC fields are not managed. Therefore, the key to parsing Ethernet data frames is to obtain the type field, and then submit the data of the data field to the upper-layer protocol for Processing Based on the Type field. Save the destination MAC address and source MAC address for subsequent use.

According to 802.3, the Ethernet Type field (ethertype field) is two octal fields. In quantitative evaluation, the first eight-byte field is the most important. When the field value is greater than or equal to the decimal value 1536 (that is, the hexadecimal value is 0600), The ethertype field represents the type of the Mac client protocol (ethertype interpretation. This field value is taken from the IEEE ethertype field register. The ethertype field is a limit space, so its allocation is limited. Only those who develop new data transmission protocols need to use the ethertype field, regardless of whether they actually produce any device. The ieee rac ethertype field is approved by the Authority for inspection and approval. The detailed definitions are as follows:

Ethernet type value (hexadecimal) Protocol

0x0000-0x05dc IEEE 802.3 Length

0x0101-0x01ff Experiment

0x0600 Xerox NS IDP

0x0660 0x0661dlog

0x0800 Internet Protocol (IP)

0x0801 x.75 Internet

0x0802 NBS Internet

0x0803 ECMA Internet

0x0804 chaosnet

0x0805 X.25 level 3

0x0806 Address Resolution Protocol (ARP: Address Resolution Protocol)
0x0808 Frame Relay ARP (Frame Relay ARP) [rfc1701]
0x6559 raw frame relay [rfc1701]
0x8035 dynamic darp (drarp: Dynamic RARP) Reverse Address Resolution Protocol (RARP: Reverse Address Resolution Protocol)
0x8037novell Netware IPX

0x809bethertalk

0x80d5 ibm sna services over Ethernet

0x80f3appletalk address parsing protocol (AARP: appletalk Address Resolution Protocol)

0x8100 Ethernet automatic protection switch (EAPS: Ethernet Automatic Protection Switching)

0x8137 Internet Packet Exchange (IPX: Internet Packet Exchange)

0x814c Simple Network Management Protocol (SNMP: Simple Network Management Protocol)

0x86dd Internet Protocol V6 (IPv6, Internet Protocol version 6)

0x8809 OAM
The meanings of several important fields are as follows:
Includest ADDR: Destination MAC address of the Ethernet OAM packet, which is the multicast MAC address 0180c2000002. Transmit source ADDR: the source MAC address of the Ethernet OAM packet, which is the bridge MAC address of the sender. This address is a unicast MAC address.
Protocol type: the protocol type of the Ethernet OAM packet. The value is 0x8809.
Protocol subtype: The Protocol subtype of the Ethernet OAM packet, Which is 0x03.
 Flags: Flags domain, which contains the status information of the Ethernet OAM object.
Authorization code: this field specifies the packet type of the oampdu. 0x00 indicates information oampdu, 0x01 indicates event notification oampdu, and 0x04 indicates loopback control oampdu. The role of several common oampdu packets is as follows:
Information oampdu messages are used to send the status information (including local information, remote information, and custom information) of the Ethernet OAM object to the remote Ethernet OAM object to maintain the Ethernet OAM connection. Event Notification oampdu (Event Notification oampdu) packets are generally used for link monitoring and are used to generate alerts for failures on links connecting local and remote Ethernet OAM entities.  Loopback control oampdu
Loopback control oampdu (loop control oampdu) packets are mainly used for remote loop back control. loop back control oampdu packets are used to control the OAM loop back status of remote devices, the message contains information about enable or disable the remote loop function.

0x880b Point-to-Point Protocol (PPP: Point-to-Point Protocol)

0x880c Common Exchange Management Protocol (gsmp: General switch Management Protocol)

0x8847 Multi-Protocol Label Switching (unicast) MPLS: Multi-Protocol Label Switching <unicast>)

0x8848 Multi-Protocol Label Switching (Multicast) (MPLS, Multi-Protocol Label Switching <multicast>)

0x8863 PPP over Ethernet (discovery phase) (pppoe: PPP over Ethernet <discovery stage>)

0x8864 PPP over Ethernet (PPP session phase) (pppoe, PPP over Ethernet <PPP session stage>)

0x88bb Lightweight Access Point Protocol (lwapp: Light Weight Access Point Protocol) 0x88cc connection layer Discovery Protocol (lldp: Link Layer Discovery Protocol)

EAP (eapol: EAP over LAN) on 0x8e88 LAN)

0x9000 configure the test protocol (loopback)

0x9100 VLAN tag protocol identifier (VLAN tag protocol identifier)

0x9200 VLAN tag protocol identifier (VLAN tag protocol identifier)

0 xFFFF Reserved

The commonly used Ethernet protocols and functions are labeled. You only need to determine this type of field to parse the Ethernet data frame and submit it to the upper-layer protocol for further processing.

Analysis of Ethernet frame structure