Packet Flow
Welcome back to the next installment in our interview prep series. In our previous article, we covered the IPv4 header, and today we'll explore a crucial topic: packet flow.
Imagine we have two hosts directly connected to each other. Host A has a MAC address of 0A, and Host B has 0B. They've been assigned the IP addresses 10.1.1.1/24 and 10.1.1.2/24, respectively. As we discussed earlier, each host maintains an ARP table where it associates its IP address with its MAC address. These entries are retained for 4 hours. So, Host A would have an entry (10.1.1.1 – 0A), and Host B would have an entry (10.1.1.2 – 0B).
As network engineers, what's the first thing we do with two hosts? Right, we ping from one to the other. Let's say we initiate a ping, which is an echo request from Host A to Host B. This echo request (Type 8) is handed to the Layer 3 (L3) protocol, which encapsulates it into a packet. The IP header carries the source IP 10.1.1.1 and the destination IP 10.1.1.2, with the protocol field set to 1, indicating that the encapsulated data is ICMP. It also assigns a TTL value of 128 (for Windows), 255 (for Cisco IOS), or 64 (for Linux).
Next, this packet moves to the Layer 2 (L2) protocol, which adds an Ethernet header with a type field of 0x0800 for IPv4 data. L2 reads its own MAC address from the ARP table and fills in the source MAC as 0A. For the destination MAC address, it looks up the destination IP in the ARP table. Finding no entry, it holds the packet: the frame cannot be fully encapsulated without a destination MAC address.
At this point, L2 hands over the responsibility to the ARP protocol to fetch the MAC address of the destination host. ARP generates an ARP request packet with the source IP as 10.1.1.1, destination IP as 10.1.1.2, source MAC as 0A, destination MAC as 00 (empty), and an opcode of 1 (ARP request). This ARP request, encapsulated with source MAC 0A and destination MAC FF (broadcast), type 0x0806 (indicating ARP data), is sent through Layer 1 as bits on the physical medium. Host B receives and accepts this broadcast frame, removes the Ethernet header, and hands the payload to ARP. ARP identifies the packet as an ARP request for its IP address, adds the entry to its table, and generates an ARP reply. This reply contains the source IP as 10.1.1.2, destination IP as 10.1.1.1, source MAC as 0B, destination MAC as 0A, and an opcode of 2 (ARP reply).
Now, this ARP reply, with the correct MAC address of Host B, is encapsulated with an Ethernet header (source MAC 0B, destination MAC 0A, type 0x0806) and sent back to Host A. Host A accepts this frame, and ARP adds the entry to its table. Meanwhile, the ICMP echo request, now equipped with the destination MAC address, continues its journey. However, it's worth noting that an ICMP echo request sets a timer for 2 seconds. If it receives no reply within this timeframe, it will drop the request. This explains why the first packet may be dropped when pinging an unknown host, as ARP may take more than 2 seconds to retrieve the MAC address. Typically, Windows OS generates 4 ICMP echo requests, with pinging starting from the second packet once the MAC address is obtained via ARP.
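The ARP exchange described above, written out byte for byte as an added example (not code from the original article). The six-byte MACs are the article's shorthand 0A and 0B expanded as constructed values, and the function names are hypothetical.

```python
import struct
from ipaddress import IPv4Address

ETH_ARP, ETH_IPV4 = 0x0806, 0x0800
BROADCAST = bytes.fromhex("ffffffffffff")
# Constructed addresses: the article's shorthand MACs 0A and 0B written out in full.
MAC_A, IP_A = bytes.fromhex("00000000000a"), IPv4Address("10.1.1.1")
MAC_B, IP_B = bytes.fromhex("00000000000b"), IPv4Address("10.1.1.2")

def build_arp(eth_dst, opcode, sha, spa, tha, tpa):
    """Ethernet header (dst, src, type 0x0806) followed by a 28-byte ARP payload."""
    eth = eth_dst + sha + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, opcode)  # Ethernet, IPv4, lengths, opcode
    return eth + arp + sha + spa.packed + tha + tpa.packed

def parse_arp(frame):
    """Decode an ARP-over-Ethernet frame; reject short frames and other EtherTypes."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_ARP:
        raise ValueError("not an ARP frame")
    opcode = struct.unpack("!HHBBH", frame[14:22])[4]
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"eth_dst": eth_dst, "eth_src": eth_src, "opcode": opcode,
            "sha": sha, "spa": IPv4Address(spa), "tha": tha, "tpa": IPv4Address(tpa)}

def host_receive(frame, my_mac, my_ip, arp_table):
    """Receiver side: learn the sender's mapping; answer a request for our own IP."""
    f = parse_arp(frame)
    if f["eth_dst"] not in (my_mac, BROADCAST) or f["tpa"] != my_ip:
        return None                      # frame is not for this host
    arp_table[f["spa"]] = f["sha"]       # add sender IP -> MAC to the table
    if f["opcode"] == 1:                 # request: reply unicast with opcode 2
        return build_arp(f["sha"], 2, my_mac, my_ip, f["sha"], f["spa"])
    return None

def resolve_and_frame(ip_packet):
    """Host A holds the IPv4 packet, resolves 10.1.1.2 via ARP, then finishes the frame."""
    table_a, table_b = {IP_A: MAC_A}, {IP_B: MAC_B}
    request = build_arp(BROADCAST, 1, MAC_A, IP_A, bytes(6), IP_B)
    reply = host_receive(request, MAC_B, IP_B, table_b)
    host_receive(reply, MAC_A, IP_A, table_a)
    frame = table_a[IP_B] + MAC_A + struct.pack("!H", ETH_IPV4) + ip_packet
    return request, reply, frame, table_a, table_b
```

Calling `resolve_and_frame` with any IPv4 packet bytes returns the broadcast request, the unicast reply, the completed 0x0800 frame, and both hosts' ARP tables after the exchange.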