Difficult about the simple. The most popular L2 OSI model headers in Ethernet

❯ Why is this article needed?

I often encounter the need to quickly find information about various protocols and their headers, so I decided to create a kind of "cheat sheet" that I could return to again and again. I plan to publish two articles on this topic. In the first one, which you are reading now, we will discuss headers at the data link layer (L2) of the OSI model. In the second article, we will analyze headers at the network (L3) and transport (L4) layers.

❯ Why not consider higher levels?

At the moment, there are already quality materials on tekkix from other authors that thoroughly analyze higher levels, especially in the context of programming (e.g., HTTP/HTTPS). Therefore, I decided not to repeat myself and focus on less covered aspects, which are no less important for understanding network interactions.

❯ Headers at the L2 level

In this article, we will take a detailed look at what headers are included in an Ethernet frame at the L2 level. Let me remind you that the Ethernet specification was first developed by a group of companies: Digital Equipment Corp, Intel, and Xerox (Ethernet DIX). Nowadays, the most popular specifications are Ethernet II, IEEE 802.3, and IEEE 802.3 with a SNAP header.

Ethernet II

Ethernet II, also known as DIX Ethernet, is the most common format of Ethernet frames. It uses a type field (EtherType) to indicate the upper-level protocol, making it convenient for encapsulating various protocols. Ethernet II supports IPv4, IPv6, ARP, RARP, and PPPoE protocols.

IEEE 802.3

IEEE 802.3 defines standard Ethernet frames that use a length field to indicate the size of the data. This standard describes the physical and data link layers of Ethernet and supports protocols using LLC and SNAP.

IEEE 802.3 with SNAP header

IEEE 802.3 with SNAP (Subnetwork Access Protocol) header is used to encapsulate various network protocols into IEEE 802.3 frames. SNAP allows specifying a larger set of protocols through additional fields in the header. This format is needed to encapsulate protocols such as IPX, AppleTalk, CLNP, and SNA.

❯ Ethernet Frame Structure

Preamble

The first element in the frame is the preamble, which is a sequence of bits used to synchronize the receiver with the transmitter. The preamble consists of 7 bytes of alternating ones and zeros (10101010) and one byte that ends with the sequence 10101011. The preamble helps devices prepare to receive data by synchronizing the internal data transmission clocks.

In IEEE Ethernet 802.3 and IEEE 802.3 with SNAP, an additional SD or SFD field (Start of Frame Delimiter) is allocated.

In essence, the byte sequence and function of the preamble have not changed, but a separate field has been allocated to indicate the end of the preamble and the beginning of the frame itself.

Why don't we see the preamble in Wireshark?

In Wireshark, the preamble and the SD (Start of Frame Delimiter) field are not displayed because they do not carry meaningful information for traffic analysis.

MAC addresses

After the preamble, the MAC addresses follow in the Ethernet frame:

• Dst MAC address (destination address) — determines who the frame is intended for.

• Src MAC address (source address) — determines who the frame is coming from.

The MAC address consists of 6 bytes (48 bits). The first three bytes identify the manufacturer of the network device, and the second three bytes are a unique identifier of the device.

EtherType

The EtherType field in Ethernet II is 2 bytes long and indicates the type of upper-layer protocol (e.g., IPv4 (0x0800), ARP (0x0806), IPv6 (0x86DD)). On the receiving side, this field helps determine how to process the data.

All EtherTypes can be found at this link. However, in current realities, most types are no longer used, and the most popular ones are ARP, IPv4, and IPv6.

Payload

After the EtherType is the payload, which includes upper-layer headers and information.

❯ Frame Check Sequence (FCS)

The Frame Check Sequence, or FCS, is a method of checking data integrity. FCS is used to detect errors that may occur during data transmission and is calculated using the CRC-32 algorithm.

VLAN Tag (IEEE 802.1Q)

If it is necessary to divide one physical network into logical networks, a VLAN tag is added to the frame, which is located between the source MAC address and the EtherType field. The IEEE 802.1Q tag contains:

• Tag Protocol Identifier (TPID) (2 bytes): the value 0x8100 indicates the presence of a VLAN tag.

• Tag Control Information (TCI) (2 bytes): contains information about the frame priority, VLAN identifier, and other parameters.

TCI includes:

1. Priority Code Point (PCP) (3 bits) — indicates the priority of the frame.

2. Canonical Format Indicator (CFI) (1 bit) — indicates the format of the frame.

3. VLAN Identifier (VLAN ID) (12 bits) — identifies the VLAN.

Priority Code Point (PCP) in IEEE 802.1Q

The Priority Code Point (PCP) field in IEEE 802.1Q is a 3-bit field used to indicate the priority of a frame. It allows network devices to distinguish and handle traffic with different priority levels, which is important for Quality of Service (QoS) management. PCP values range from 0 to 7 and determine the priority of traffic handling, with 7 being the highest priority and 0 being the lowest.

Priority Code Point (PCP) Values

Each PCP value corresponds to a specific class of service, allowing network administrators to configure traffic handling rules based on the type of data and its importance. Here is more detailed information about PCP values:

0. (Best Effort): Standard priority for most data that does not require special delivery conditions. This traffic is handled as resources become available.

Examples: regular web traffic, background downloads.

1. (Background): Low priority for data that can be delayed without serious consequences. Used for background tasks that are not time-critical.

Examples: data backups, file synchronization.

2. (Excellent Effort): Slightly higher priority compared to Best Effort. Used for traffic that is important but not time-critical.

Examples: email transactions, file sharing.

3. (Critical Applications): Medium priority for traffic that requires timely delivery. Used for applications that depend on specific time frames.

Examples: corporate applications, database transactions.

4. (Video, < 100 ms latency): High priority for latency-sensitive traffic. Used for video data requiring low latency.

Examples: video conferencing, streaming video.

5. (Voice, < 10 ms latency): Very high priority for traffic extremely sensitive to latency. Used for voice data transmission requiring minimal latency.

Examples: VoIP (Voice over IP), online calls.

6. (Internetwork Control): Highest priority for traffic related to network management and control. Used for important network protocols and management systems.

Examples: routing protocols, network updates.

7. (Network Control): The highest priority for critically important network traffic. Used for managing network infrastructure and critical system messages.

Examples: time synchronization protocols, emergency alerts.

Prioritization Settings

Network devices such as routers and switches can be configured to handle frames with PCP in mind. For example, they can provide more bandwidth or reduce latency for high-priority traffic (PCP 5-7) and handle low-priority traffic (PCP 0-2) with lower priority in queues.

Canonical Format Indicator (CFI) is a 1-bit field in the IEEE 802.1Q header that indicates the frame format. It is usually used for compatibility between different types of networks, such as Ethernet and Token Ring. In Ethernet frames, this field is usually set to 0. Let's take a closer look at its meaning and usage.

CFI field value:

0: Indicates that the frame has a canonical format (Canonical Format).

1: Indicates that the frame has a non-canonical format (Non-Canonical Format).

Canonical and Non-Canonical Formats

Canonical Format (Canonical Format) is used in Ethernet networks. In this format, bytes and bits in MAC addresses are written and transmitted in order from least significant to most significant (LSB-MSB, Little-Endian). This is the standard way of representing data in Ethernet frames.

Non-Canonical Format (Non-Canonical Format) is used in some other types of networks, such as Token Ring. In this format, bytes and bits in MAC addresses are written and transmitted in order from most significant to least significant (MSB-LSB, Big-Endian).

❯ Important Explanation

VLAN is located exactly between the src MAC address and the E-Type.

The value 0x8100 in the E-Type, which we can see, is the TPID field indicating the VLAN tag.

After the VLAN ID identifier, there is always an E-Type field indicating the upper-level protocol.

❯ Ethernet 802.3 Structure

The headers in this specification are similar to the headers in Ethernet II, but there are some differences.

As mentioned above, in IEEE Ethernet 802.3 and IEEE 802.3 with SNAP, the first header is also a preamble, and an additional SD or SFD field (Start of Frame Delimiter) is allocated at the end, indicating the start of the frame.

Instead of the EtherType header, Length is used — the frame length.

The Length field (frame length) in an Ethernet frame is used to indicate the size of the frame's payload. This field plays an important role in network data transmission. Let's look at why this field is needed and how it is used.

Length: Indicates the size of the data field in bytes. For example, if Length = 1500, it means that the frame's payload is 1500 bytes.

❯ Main functions of the Length field

1. Data size identification:

• The Length field indicates the exact size of the frame's payload, allowing the receiving device to determine where the payload ends and the Frame Check Sequence (FCS) begins. This is important for proper data processing.

2. Efficient bandwidth usage:

• Knowing the size of the data allows network devices to optimize bandwidth usage, minimizing transmission time and improving network performance.

3. Compatibility and data processing:

• In the IEEE 802.3 standard, the Length field helps determine how to handle frames of different lengths. This is especially useful when working with variable-length frames.

Difference from the EtherType field

In an Ethernet frame based on the DIX (Ethernet II) standard, the EtherType field is used instead of the Length field, which indicates the type of encapsulated data protocol (e.g., IPv4, IPv6).

In the IEEE 802.3 standard, the Length field indicates the length of the frame's payload.

❯ LLC header of the 802.2 standard

Wait a minute. We were discussing 802.3, where did 802.2 come from?

The IEEE 802.3 standard, which defines Ethernet specifications, uses the IEEE 802.2 LLC (Logical Link Control) header to ensure compatibility and support for a multi-layer network architecture. The main goal of the IEEE 802.2 LLC standard is to provide a unified method of logical link control that can be used by various types of networks, including Ethernet, Token Ring, and others. It provides an interface between the physical data transmission and higher-level network protocols.

Reasons for the appearance of the LLC header in the IEEE 802.3 standard

1. Protocol unification:

• The IEEE 802.2 LLC header provides a unified way of handling data at the data link layer for various types of networks. This allows different network technologies to use a common method of logical link control.

2. Support for multi-layer architecture:

• The LLC header allows Ethernet and other networks to integrate into a multi-layer network architecture, where data can be transmitted and processed at various levels of the OSI network model.

3. Routing and data management:

• The DSAP and SSAP fields in the LLC header allow specifying destination and source services or protocols, ensuring proper routing and data processing at the data link layer. This is especially important for networks with a large number of protocols.

4. Compatibility:

• The use of the IEEE 802.2 LLC standard in Ethernet (IEEE 802.3) ensures compatibility with other network standards that also use LLC.

Main functions of the LLC header

1. Service identification:

• The DSAP and SSAP fields in the LLC header are used to indicate the destination and source services or protocols, ensuring proper routing and data handling.

2. Logical Link Control:

• The Control field is used for flow control, acknowledgments, and connection management.

LLC Header Structure

The LLC header includes three main fields:

1. DSAP (Destination Service Access Point): 1 byte.

2. SSAP (Source Service Access Point): 1 byte.

3. Control: 1 or 2 bytes, depending on the frame type (information, supervisory, or unnumbered).

Description of LLC Header Fields

1. DSAP (Destination Service Access Point):

• The DSAP field indicates the destination service or protocol.

Examples of values: 0x06 for IP, 0x42 for STP (Spanning Tree Protocol).

2. SSAP (Source Service Access Point):

• The SSAP field indicates the source service or protocol.

Examples of values: 0x06 for IP, 0x42 for STP.

3. Control:

The Control field is used for logical link control and can have different formats depending on the frame type:

• Information frames (I-frames) are used for data transfer and acknowledgments;

• Supervisory frames (S-frames) are used for flow control and acknowledgments;

• Unnumbered frames (U-frames) are used for establishing and terminating logical connections.

Example of LLC Header Usage

When computer A sends data to computer B over Ethernet using LLC, the header might look like this:

• The DSAP and SSAP fields indicate the sender and receiver services or protocols, such as IP;

• The Control field manages data transmission, for example, it contains frame numbers and flow control commands.

The LLC header plays a key role in providing logical link control at the data link layer. It helps identify services and protocols that manage data flow and acknowledgments, ensuring efficient and organized interaction between devices in the network.

❯ IEEE Ethernet 802.3 Structure with SNAP Headers

SNAP (Subnetwork Access Protocol) Header is an extension of the LLC (Logical Link Control) header in network frames. It is used to provide additional information about the protocol encapsulated in the frame. The SNAP header allows the use of protocols that are not supported by standard DSAP and SSAP fields, and extends the protocol identification capabilities.

Main Aspects of the SNAP Header

1. Purpose:

• The SNAP header is used to identify protocols that cannot be identified using standard DSAP and SSAP values. This extends the range of supported protocols.

2. Structure:

• The SNAP header is added after the LLC header and has a fixed size of 5 bytes. It includes fields for organization, protocol identifier, and protocol type.

3. SNAP Header Fields:

• Organizationally Unique Identifier (OUI) — 3 bytes. Identifies the organization that assigns the protocol value;

• Protocol Identifier — 2 bytes. Identifies the specific protocol encapsulated in the frame.

Example of using SNAP Header

The SNAP header is often used in Ethernet frames to encapsulate protocols such as IPX or AppleTalk that do not have standard DSAP and SSAP values.

Example of a frame structure with LLC and SNAP headers

• DSAP: Usually set to 0xAA, indicating the use of SNAP.

• SSAP: Usually set to 0xAA, indicating the use of SNAP.

• Control: Usually set to 0x03, indicating an unnumbered frame.

• OUI: Organizationally Unique Identifier (e.g., 0x000000 for standard protocols).

• Protocol Identifier: Identifier of the specific protocol (e.g., 0x0800 for IPv4).

Example of a SNAP frame for IPv4

SNAP header extends the capabilities of the LLC header, allowing the identification and encapsulation of additional protocols that are not supported by the standard DSAP and SSAP fields. This provides greater flexibility and compatibility in networking technologies, supporting a wider range of protocols and services.

❯ Conclusion

In conclusion, headers at the L2 level of the OSI model play a key role in ensuring the correct transmission of data in Ethernet networks. The preamble and SFD help synchronize devices and indicate the start of the frame, MAC addresses identify devices, and the EtherType and Length fields indicate the type and size of the data. The FCS checksum verifies the integrity of the frame, and VLAN tagging and PCP priorities help manage quality of service and create logically isolated networks.

Knowledge of these headers will help you better understand the operation of Ethernet and manage network infrastructure more effectively.