Data encapsulation concepts

In the previous sections, you learned a lot about the processes that occur within the OSI model and the TCP/IP protocol suite. As an aspiring network professional, it’s important to understand the various fields found within Ethernet, IPv4, IPv6, TCP, and UDP headers. Over the next few subsections, you will discover the importance of each field within its corresponding protocol header.

Ethernet header

At the Data Link layer, when a packet is received from the Network layer, it is encapsulated with a layer 2 header and trailer. The following diagram shows each field within an Ethernet header:

Figure 1.23 – Ethernet header

The following are the roles and functions of each field found within an Ethernet header:

• Preamble and SFD: The preamble is made up of 7 bytes and the Start Frame Delimiter (SFD) is 1 byte in size, so the entire field is a total of 8 bytes in size. This field within an Ethernet frame is used to synchronize messages being transmitted between a sender and receiver over a network. This field is also used to indicate the start of the frame to the receiver.
• Destination MAC address: This field is 48 bits (6 bytes) in length and contains the layer 2 physical address (MAC address) of the next device to receive the message.
• Source MAC address: This field is 48 bits (6 bytes) in length and contains the layer 2 physical address of the sender of a frame.
• Type / Length: This field is 2 bytes in length and contains details that are used to identify the upper layer protocol (IPv4, IPv6) that is encapsulated within a frame.
• Data: The data field ranges between 46 to 1,500 bytes and contains the raw data from the Application layer of the networking model. All Ethernet frames are required to be at least 64 bytes in length. If the frame is less than 64 bytes, additional bits, known as a pad, are inserted to increase the size of the frame to the minimum length.
• FCS: The Frame Check Sequence (FCS) field is made up of 4 bytes in length and it’s used to verify the integrity of a frame and detect errors.

Important note

Frames that are less than 64 bytes are known as runts, while frames that are greater than 1,500 bytes are known as jumbo frames or giants.

Combining all the fields of an Ethernet header except for the preamble and SFD fields provides a frame length between 64 to 1,518 bytes. Next, you will learn about the fields within the IPv4 and IPv6 headers.

IP headers

At the Network layer of the OSI model and Internet layer of the TCP/IP protocol suite, when a segment is received from the Transport layer, it is encapsulated with a layer 3 header that is commonly referred to as an IP header. The following diagram shows the field within an IPv4 header:

Figure 1.24 – IPv4 header

The following is a description of each field within an IPv4 header:

• Version: This field is made up of 4 bits and is used to identify the message as an IPv4 packet.
• Internet Header Length: This field is made up of 4 bits and is used to indicate where the header section ends and the data section starts.
• Differentiated Services or DiffServ (DS): This field is made up of 1 byte (8 bits) and is used to determine the priority of the packet on the network. Within the DS field, the 6 most significant bits (from the left to right in a binary number) are used to present the Differentiated Service Code Point (DSCP), while the 2 least significant bits (from right to left in a binary number) are used to represent the Explicit Congestion Notification (ECN) details.
• Total length: This field is made up of 16 bits (2 bytes) and is used to indicate the total size of the IPv4 packet.
• Identification: This field is made up of 16 bits (2 bytes) and is used to provide identification numbering to each fragmented packet that belongs to an original message.
• Flags: This field is made up of 3 bits and is used to indicate whether the packet is to be fragmented or not.
• Fragment offset: This field is made up of 13 bits and is used to indicate the sequencing position of a fragmented packet.
• Time To Live (TTL): The TTL field is made up of 1 byte (8 bits) and is used to determine the life of the packet as it is transmitted between a sender and receiver over the network. Each time a layer 3 device such as a router receives a packet, it decreases the TTL value by 1 before forwarding it to the next device toward the destination. If the TTL value of a packet reaches 0, it is discarded on the network.
• Protocol: This field is made up of 1 byte (8 bits) and is used to indicate the payload type that is enclosed within the packet.
• Header checksum: This field is made up of 2 bytes (16 bits) and is used to determine whether there’s any corruption within the IPv4 header.
• Source IP address: This field contains the source IPv4 address of the sender, which is 32 bits (4 bytes) in length.
• Destination IP address: This field contains the destination IPv4 address of the intended recipient, which is 32 bits (4 bytes) in length.
• Options: This field is optional as it’s not always used.

The Network and Internet layers can also be encapsulated within an IPv6 header on the segment to create a packet. The following are the fields within an IPv6 header:

Figure 1.25 – IPv6 header

As shown in the preceding diagram, there are fewer fields within an IPv6 header compared to those found within an IPv4 header. The following is a description of each field found within an IPv6 header:

• Version: This field is 4 bits in length and is used to identify this packet as an IPv6 packet on the network.
• Traffic class: This field is 8 bits (1 byte) in length. It has the same functionality as the DS field found within an IPv4 packet.
• Flow control: This field is 20 bits in length and is sometimes referred to as the Flow Label. This field is used to inform the routers on the network to use the same type of handling for IPv6 packets that has the same flow control/flow label information.
• Payload length: This field is 16 bits (2 bytes) in length. It is used to represent the length of the enclosed data or payload in the IPv6 packet.
• Next header: This field is 8 bits (1 byte) in length. It is used to indicate the payload type that is enclosed within the IPv6 packet.
• Hop limit: This field is 8 bits (1 byte) in length and it has the same role and functions as the TTL field found within an IPv4 packet.
• Source IP address: This field contains the 128-bit IPv6 address of the sender.
• Destination IP address: This field contains the 128-bit IPv6 address of the receiver.

Next, we will learn about the fields found within a TCP header of a segment.

TCP header

Some application layer protocols use Transmission Control Protocol (TCP) as the preferred Transport layer protocol to ensure data is delivered between a sender and a receiver. The following diagram shows the fields within a TCP header:

Figure 1.26 – TCP header

The following is a description of each field within a TCP header:

• Source port: This is a 16-bit (2-byte) field that contains the source service port number of the source application layer protocol.
• Destination port: This is a 16-bit (2-byte) field that contains the destination service port number for the destination application layer protocol.
• Sequence number: This is a 32-bit (4-byte) field that is used during the reassembly process on the receiver device.
• Acknowledgment number: This is a 32-bit (4-byte) field that is used to indicate that the message (data) has been received. This value will be the sequence number + 1.
• Header length: This is a 4-bit field that is sometimes referred to as the data offset field. It indicates the length of the TCP header.
• Reserved: This is a 6-bit field reserved for future usage.
• Control bits: This is a 6-bit field that is used to specify various TCP flags such as URG, ACK, PSH, RST, SYN, and FIN. These are sometimes referred to as the Flag field.
• Window: This is a 16-bit (2-byte) field that indicates the number of bits or bytes that can be accepted during data transmission between a sender and receiver.
• Checksum: This is a 16-bit (2-byte) field that is used to detect any errors within the TCP header.
• Urgent: This is a 16-bit (2-byte) field that is used to indicate urgency on the TCP header.
• Options: This is an optional field within the TCP header that can range between 0 and 320 bits in length.
• Application layer data: This field contains the data that’s been received from the application layer protocol.

The following six TCP flags are found within the control bit field within a TCP header:

• URG: Indicates urgency on the TCP segment
• ACK: Indicates acknowledgment of a message
• PSH: Performs the push function
• RST: Used to reset a connection
• SYN: Indicates a synchronization message with a synchronization sequence number
• FIN: Indicates to gracefully terminate (finish) a session

Next, let’s learn about the fields found within the UDP header of a segment.

UDP headers

Not all application layer protocols use TCP – many use the User Datagram Protocol (UDP) to ensure low overhead and faster transmission. The following diagram shows the fields within a UDP header:

Figure 1.27 – UDP header

As shown in the preceding diagram, there are fewer headers within a UDP header compared to TCP. As a result, UDP provides less overhead on the network. The following is a description of each field within a UDP header:

• Source port: This is a 16-bit (2-byte) field that contains the source service port number of the source application layer protocol
• Destination port: This is a 16-bit (2-byte) field that contains the destination service port number for the destination application layer protocol
• Length: This is a 16-bit (2-byte) field that indicates the length of the UDP header
• Checksum: This is a 16-bit (2-byte) field that is used for detecting any errors within the TCP header
• Application layer data: This field contains the data that’s been received from the application layer protocol

With that, you have explored the various fields found within various protocol headers such as Ethernet, IP, TCP, and UDP. In the next section, we will learn how to start analyzing network packets using Wireshark.