
Week 3 Protocol

The document provides an overview of data encapsulation in computer communications, detailing how data is structured across various layers, including the physical, data link, and network layers. It explains the formats of Ethernet addresses, unicast/multicast/broadcast addresses, and the IPv4 datagram format, including header fields and their purposes. Additionally, it introduces WireShark as a tool for capturing and analyzing network traffic, along with filtering techniques for effective data examination.

Uploaded by

nirzorshoot0

Week 3: Protocol Data

Format of Data in Computer Communications


WireShark/TCPdump
Encapsulated Data
• Application Layer generates data
• Each lower layer adds a header to it.
• Layer 2 (data link layer) also adds a trailer to it.

Figure: encapsulation between the sending and receiving applications. On each
side, L5 data carries header H5, L4 data carries H4, L3 data carries H3, and
L2 data carries header H2 and trailer T2; the result crosses the medium as a
bit stream.

4/19/2025 Chao Gao (D.Sc.) 2


Layer 1 (physical layer)
• Information can be observed by probing the signal wire/cable with an
oscilloscope.
• The voltage level (high or low) and how it changes represent the binary values.
• Example: Ethernet LAN (IEEE802.3, clock=10MHz)

Physical layer header:


Preamble: 56 bits of alternating 1s and 0s
SFD: Start Frame Delimiter, flag (10101011)

Field                  Size
Preamble               7 bytes
SFD                    1 byte
Destination Address    6 bytes
Source Address         6 bytes
Len/Type               2 bytes
Data and padding       variable
CRC                    4 bytes


Layer 2 (data link layer)
• Today's LANs follow the IEEE 802.3 standard (a.k.a. Ethernet), which
defines 5 fields in an 802.3 frame.
• The length of the "Data and padding" field varies from 46 bytes to 1500 bytes.
• The 6-byte address is called the IEEE 802.3 physical address (MAC address).

Field                  Size
Preamble               7 bytes
SFD                    1 byte
Destination Address    6 bytes
Source Address         6 bytes
Len/Type               2 bytes
Data and padding       46-1500 bytes
CRC                    4 bytes

(In the figure, H2 marks the Layer 2 header and T2 the Layer 2 trailer.)


Ethernet Address
• Example of an Ethernet address in hexadecimal notation.
• The first 3 bytes are called the Organizationally Unique Identifier (OUI),
which specifies the manufacturer; the last 3 bytes specify the serial
number.

04:01:02:01:2C:4B

6 bytes = 12 hex digits = 48 bits



Unicast, Multicast, Broadcast Addresses
• A Network Interface Card (NIC) always has a unicast address.
• The least significant bit of the first byte defines the type of address. If the bit is
0, the address is unicast; otherwise, it is multicast.
• See https://en.wikipedia.org/wiki/Multicast_address for a list of multicast
addresses.
• The broadcast destination address is a special case of the multicast address in
which all 48 bits are 1s.

Figure: the 6-byte address (Byte 1, Byte 2, ..., Byte 6). The least significant
bit of Byte 1 is 0 for unicast and 1 for multicast.


Example 1

Define the type of the following destination addresses:


a. 4A:30:10:21:10:1A
b. 47:20:1B:2E:08:EE
c. FF:FF:FF:FF:FF:FF

Solution
To find the type of the address, we need to look at the second hexadecimal
digit from the left. If it is even, the address is unicast. If it is odd, the address is
multicast. If all digits are F’s, the address is broadcast. Therefore, we have the
following:
a. This is a unicast address because A in binary is 1010.
b. This is a multicast address because 7 in binary is 0111.
c. This is a broadcast address because all digits are F’s.



Example 2: OUI

Find the manufacturers of these unicast addresses:


a. B8:8D:F1:21:10:1A
b. 00:5F:67:2E:08:EE
c. FF:FF:FF:FF:FF:FF
d. 04:68:65:AB:CD:EF

Solution
To find the manufacturer of an IEEE 802 address, we need to look up the IEEE
OUI list (http://standards-oui.ieee.org/oui/oui.txt). This list shows the first 3
bytes of IEEE 802 addresses, denoted as the OUI number. From the list we see:

a. B8-8D-F1 is assigned to "Nanjing BigFish Semiconductor Co., Ltd."
b. 00-5F-67 is assigned to "TP-Link Corporation Limited"
c. FF:FF:FF:FF:FF:FF is designated as the broadcast address, therefore no
manufacturer is assigned.
d. 04-68-65 is assigned to "Apple, Inc."


Length or Type?
• If the value of these two bytes is less than 0x0800, it indicates the length.
Otherwise it indicates the type.
• The detailed list of type numbers can be seen here:
http://www.iana.org/assignments/ethernet-numbers.
• E.g., 0x0800: IPv4, 0x814C: SNMP, 0x86DD: IPv6
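
As an added example (not part of the original slides), the Python code below decodes the 14 bytes that follow the SFD: it classifies the destination address as in Example 1, extracts the OUI as in Example 2, and interprets Len/Type. The function names and the sample frame are constructed for illustration; the Len/Type split uses the IEEE 802.3 boundaries (values up to 1500 are lengths, values from 0x0600 are types), which gives the same result as the slide's rule for every type it lists.

```python
ETHERTYPES = {0x0800: "IPv4", 0x814C: "SNMP", 0x86DD: "IPv6"}  # types listed on the slide

def mac_bytes(mac: str) -> bytes:
    """Convert 'AA:BB:...' or 'AA-BB-...' notation to 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"expected 6 bytes, got {len(raw)}")
    return raw

def classify_mac(mac: str) -> str:
    """Unicast/multicast is the least significant bit of the first byte."""
    raw = mac_bytes(mac)
    if raw == b"\xff" * 6:
        return "broadcast"          # all 48 bits set: special case of multicast
    return "multicast" if raw[0] & 0x01 else "unicast"

def oui(mac: str) -> str:
    """First 3 bytes, formatted the way the IEEE OUI list prints them."""
    return mac_bytes(mac)[:3].hex("-").upper()

def parse_ethernet_header(frame: bytes) -> dict:
    """Decode destination, source and Len/Type from a frame with preamble/SFD stripped."""
    if len(frame) < 14:
        raise ValueError("need at least 14 bytes (two addresses + Len/Type)")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    value = int.from_bytes(frame[12:14], "big")
    if value <= 1500:               # assumption: IEEE 802.3 length range
        meaning = ("length", value)
    elif value >= 0x0600:           # assumption: IEEE 802.3 EtherType range
        meaning = ("type", ETHERTYPES.get(value, hex(value)))
    else:
        meaning = ("undefined", value)
    return {"dst": dst, "dst_type": classify_mac(dst),
            "src": src, "src_oui": oui(src), "len_type": meaning}

# CONSTRUCTED sample: broadcast destination, source from Example 2(d), type IPv4.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "046865abcdef" "0800")

if __name__ == "__main__":
    print(parse_ethernet_header(SAMPLE_FRAME))
```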



WireShark Demo 1
• WireShark is free software that can capture all the traffic/frames on
the LAN to which your PC is attached.


WireShark: download, install, and start
• Download at http://www.wireshark.org/.
• Start WireShark after the installation.



WireShark: choose right interface
• The right interface is the one connected by a cable. Usually it is the first
one in the list:



WireShark: filter function
• It’s normal that a lot of traffic is captured, too much to see what you
want to see. Use the filter function to hide the packets you are not
interested in.
• The "Display Filter" field can be seen right below the menu bar.


WireShark: use filter function (1)
• The first filter often applied is IP address filtering: only the packets
to/from your PC are of interest.
• You can simply apply "ip.addr == x.y.z.t" to filter out all other packets.


WireShark: use filter function (2)
• You can even filter on outgoing or incoming packets only. The filter
command is "ip.src==x.y.z.t" or "ip.dst==x.y.z.t".


WireShark: use filter function (3)
• It is possible to combine two or more filter commands in a logical
expression. For example, if you would like to see all the outgoing HTTP
traffic, you can use "ip.src==x.y.z.t && http".


WireShark result: L5 header



WireShark: online help
• A display filter wiki: http://wiki.wireshark.org/DisplayFilters.
• Complete reference of display filter:
http://www.wireshark.org/docs/dfref/.

• WireShark has another filtering function called "Capture Filter", which is
applied so that some kinds of traffic are not captured at all. Information
about "Capture Filter" can be found here:
http://wiki.wireshark.org/CaptureFilters.


Network Layer: IP header
• L3 header, which should be seen right after the L2 header (Data Link
layer header)

Figure: encapsulation diagram (sending and receiving applications; H5 + L5
data, H4 + L4 data, H3 + L3 data, H2 + L2 data + T2; bit stream on the medium).


IPv4 Datagram Format
• The IPv4 header has a 20-byte base header, followed by 0-40 bytes of
options.

IPv4 datagram = IPv4 header + Data

Header layout (each row is 32 bits wide):

Row 1: VER (4 bits) | HLEN (4 bits) | TOS (8 bits) | Total length (16 bits)
Row 2: Identification (16 bits) | Flag (3 bits) | Fragment offset (13 bits)
Row 3: TTL (8 bits) | Protocol (8 bits) | Header checksum (16 bits)
Row 4: Source address (32 bits)
Row 5: Destination address (32 bits)

Options (up to 40 bytes)

Data (up to 65516 bytes)


VER: 0100 (4) for IPv4.
HLEN: header length in number of 32-bit words; usually it is 0101 (5).


The total length field defines the total length (in bytes)
of the datagram including the header.


IP datagram carrying higher layer data
• Protocol field (10th byte) indicates what higher layer protocol is carried.

Figure: the data part of an IP datagram (IP header + Data) can carry
transport-layer protocols (SCTP, TCP, UDP) or network-layer protocols
(ICMP, IGMP, OSPF). The value of the "protocol" field defines to which
(upper layer) protocol the data belong.


Table 20.4 Protocol values
Full table can be seen: https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers

Value (decimal)    Protocol
1                  ICMP
2                  IGMP
6                  TCP
17                 UDP
89                 OSPF


Example 20.1
An IPv4 packet has arrived with the first 8 bits as shown:
01000010
The receiver discards the packet. Why?

Solution
There is an error in this packet. The 4 leftmost bits (0100)
show the version, which is correct. The next 4 bits (0010)
show an invalid header length (2 × 4 = 8). The minimum
number of bytes in the header must be 20. The packet has
been corrupted in transmission.



Example 20.2
In an IPv4 packet, the value of HLEN is 1000 in binary.
How many bytes of options are being carried by this
packet?

Solution
The HLEN value is 8, which means the total number of
bytes in the header is 8 × 4, or 32 bytes. The first 20 bytes
are the base header, the next 12 bytes are the options.



Example 20.3
In an IPv4 packet, the value of HLEN is 5, and the value of
the total length field is 0x0028. How many bytes of data are
being carried by this packet?

Solution
The HLEN value is 5, which means the total number of
bytes in the header is 5 × 4, or 20 bytes (no options). The
total length is 40 bytes, which means the packet is carrying
20 bytes of data (40 − 20).



TTL value
• TTL value is used by Internet routers to avoid faulty routing.
• A sending host initializes this value to a certain number (Windows
128, Linux 64).
• Every router (hop) will reduce this number by 1.
• If the number reaches zero, the current router drops the IP packet, and
sends an "ICMP time-exceeded" message to the source.



Example 20.4
An IPv4 packet has arrived with the first few hexadecimal digits as
shown.
0x45000028000100000102 . . .
How many hops can this packet travel before being dropped? The
data belong to what upper-layer protocol?

Solution
To find the time-to-live field, we skip 8 bytes. The time-to-live field is
the ninth byte, which is 01. This means the packet can travel only one
hop. The protocol field is the next byte (02), which means that the
upper-layer protocol is IGMP.



Example 20.10
• Figure 20.13 shows an example of a checksum calculation for an IPv4
header without options. The header is divided into 16-bit sections. All
the sections are added and the sum is complemented. The result is
inserted in the checksum field.



Figure 20.13 Example of checksum calculation in IPv4
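
As an added example (not part of the original slides), the Python code below applies the checks from Examples 20.1 to 20.4 and the checksum procedure of Example 20.10 to a raw header. The function names are illustrative, and the sample header takes its first 10 bytes from Example 20.4 while the addresses and checksum are constructed.

```python
import struct

PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 89: "OSPF"}  # Table 20.4

def checksum16(header: bytes) -> int:
    """Add the header as 16-bit sections with end-around carry, then complement."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(packet: bytes) -> dict:
    """Decode an IPv4 header; raise ValueError where a receiver would discard it."""
    if not packet:
        raise ValueError("empty packet")
    version, hlen = packet[0] >> 4, packet[0] & 0x0F
    if version != 4:
        raise ValueError(f"version {version} is not IPv4")
    header_len = hlen * 4                   # HLEN counts 32-bit words
    if header_len < 20:
        raise ValueError(f"HLEN {hlen} gives a {header_len}-byte header; minimum is 20")
    if len(packet) < header_len:
        raise ValueError("packet is shorter than its own header length")
    (total_len,) = struct.unpack("!H", packet[2:4])
    if total_len < header_len:
        raise ValueError("total length is smaller than the header length")
    ttl, proto = packet[8], packet[9]       # ninth and tenth bytes
    return {
        "header_len": header_len,
        "options_len": header_len - 20,
        "data_len": total_len - header_len,
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, f"unknown ({proto})"),
        "src": ".".join(map(str, packet[12:16])),
        "dst": ".".join(map(str, packet[16:20])),
        # Summing a header that already holds a correct checksum complements to 0.
        "checksum_ok": checksum16(packet[:header_len]) == 0,
    }

def sample_header() -> bytes:
    """Example 20.4's first 10 bytes plus CONSTRUCTED addresses, checksum filled in."""
    hdr = bytearray.fromhex("45000028000100000102" "0000" "0a000001" "e0000001")
    hdr[10:12] = struct.pack("!H", checksum16(bytes(hdr)))
    return bytes(hdr)

if __name__ == "__main__":
    print(parse_ipv4(sample_header()))
```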



WireShark Demo 2: explore IP header



Task: verify the Header and CheckSum
• Check all the fields we have talked about in the previous screenshot.
• In the previous slide WireShark reports that this IP frame has some
problem. Identify the problem and verify it by calculating the CheckSum.
