| Memonic || ISO-OSI Layers ||Microsoft|| TCP/IP || Protocol |
7. Application Layer Processes using ports within sockets|
|API (Applications Programming Interface)
||4. Application messages or streams
| People ||
6. Presentation Layer|
Encoding and Formatting
|File System Drivers: Network clients using Network File, print, & messaging services
| Seem ||
5. Session Layer|
Channels of communication
LPP of X.700
| To ||
4. Transport Layer Sequence & divide/re-combine packets to assure reliability of connections
TDI (Transport Driver “Device” Interface)
||3. Transport of protocol packets
| Need ||
3. Network Layer|
Addressing & Routing Datagrams through
NDIS (Network Driver Interface Spec)
||2. Internet IP datagrams
2. Data Link Layer|
1. Logical Link Control (LLC) and
MAC sublayer through switches
| Physical (Network Interface Cards/Adapters)
||1. Network Access Interface frames map logical IP addresses to physical addresses of devices.
HDLC X.25 Frame Relay
1. Physical Layer |
Bits over transmission media cables
Application Layer Here user applications access
file (database), print, messaging (email), and other services plus support error recovery.
| A socket is the combination of IP address and port.
The Windows Sockets API access ports in the SERVICES file.
BSD UNIX was the first to open-read-write-close sockets to perform I/O.
Among the 1,024 ports
historically assigned by the IANA and tracked by
Network Ice, and
To check ports used, use netstat -a .
|FTP data to client
|| 20 |
FTP for binding
|| 21 |
|| 69 ? |
| Secure Shell (SSH)
|| 22 |
| Telnet remote logins
|| 23 |
|| 25 |
|| 37 |
| SIMAP (IMAP over SSL)
|| 993 |
| SSMTP (SMTP over SSL)
|| 465 |
| DNS [RFC 1034 & 1035]
|| 53 |
|| 68 |
|| 43 |
|| 79 |
| HTTP Server
|| 80 |
|| 113 |
|| 110 |
| SPOP3 (POP3 over SSL)
|| 995 |
| NNTP Network News Transfer Protocol
|| 119 |
|| 135,139,445 |
| RMI registry
|| 1099 |
NetBIOS session service
|| 137 - 139 |
| Direct Host (NetBIOSv2)
|| TCP/UDP 445 |
|| 143 |
|| 156 |
|| 389 |
|| 1002 |
| NIX-specific ports
|| 443 |
| HTTPS (SSL)
|| 512 - 515 |
| HTTP HTML Browsers || 1210 |
| SOCKS Proxy server|| 1080 |
| NIX-based NFS|| 2049|
| mySQL|| 3306|
| Oracle || 1521 |
| PnP|| 5000|
| IRC|| 6667|
| Web caching proxy servers
| Total || 65,536 ports (16 bit numbers) || Microsoft v3.0 of
NetBIOS was first developed in 1983 by Sytek for IBM.
It has a flat namespace. Its Broadcast makes setup easier.
||Command or Diagnostic
||NT Server Service
||Winnt\ System32\ Files
| My 15 user/16 system char. NetBIOS Name with seg. Scope ID
|| NBTSTAT -N
| Name Registration Request, Response, Renewal, Release
| My IP Address, Subnet, Gateway?
|| IPCONFIG /all
Return of subnet 0.0.0.0 indicates a duplicate address
| Register, Renew, Release associations of
IP Address with NetBIOS Name
| NET USE X: \\server\ ... UNC
NBTSTAT -R to puRge,
-C to show, then
CP, Services, Tools, WINS Manager, Mappings, Show Database
- Local cache
- WINS Windows Internet Name Server (an RFC 1001/2 NetBios Name Server) sends an internet group (of up to 25 domain names) to clients
Dynamic file Wins\
Wins.mdb, Winstmp.mdb, J50.log, J50.chk
- Local network broadcast
- Static Drivers\Etc\ LMHOSTS.SAM <IP address of> <master browser server NetBIOS name> #PREload #DOM: <remote PDC & BDC NetBIOS name>
| local or remote Hostname (Fully Qualified Domain Name)
to IP Address
| NSLOOKUP <hostname> gives DNS server & IP address for
- same as local?
- local (UNIX) HOSTS. file
- DNS Server (requested at 5, 10, 20, 40, 5, 10, 20 seconds)
resolved iteratively by domain.
- WINS NetBIOS-IP cache
- Local network Broadcast
| Network to local network Domain ID's
| TCP/IP and IPX/SPX binding to NIC MAC addresses
NWLINK CSNW Client Services for NetWare
| Service name to Sockets Port Name
Network redirector makes remote printers appear attached
character set (ASCII -
interpretation of graphics commands
data encryption (scrambling and descrambling the data as it is transmitted and received).
data compression (into zip format)
Session layer enable two computers to establish, synchronize, maintain, then end a session.
name-to-station address translation,
connection ID establishment,
data transfer (using session),
In Windows 9x and before, at the session layer TCP/IP must access the network
NetBT (NetBIOS over TCP/IP).
Windows 2000 uses WinSock sockets.
Session layer manages checkpoints to limit re-transmission (which improves thruput).
Transport layer ensures data is delivered error-free by
dividing and combining message segments in sequences;
resolving logical address/names by
starting sessions of TCP or UDP services used
for establishing end-to-end connection between Transport Layer peer computers.
sends acknowledgement for data packets received;
manages error and flow control.
Download TDIMon.exe to monitor TCP/UDP Protocol stack I/O activity
| Connection-oriented TCP Transmission Control Protocol [RFC 793]
use 3-way handshaking (acknowledgments and responses) to start and end each session:
- Initiating host sends data segment with synchronization SYN flag = on
- Receiving host acknowledges with a segment having
- Acknowledged Sequence number of the starting byte for a segment it may send.
- ACK byte sequence number of the next segment it expects to receive.
- Requesting host sends back a segment with the acknowledged sequence number and ACK number.
in order to guarantee the delivery of packets,
in the proper sequence, AND
provides a checksum feature that validates both the packet header and its data for accuracy.
To reduce the impact on performance, most hosts send an acknowledgment for every other segment.
capture data that travels across the network as packets,
- Source address
- Destination address
- Protocol headers
- The actual data payload
- A cyclical redundancy check, or CRC
|NetBEUI is reroutable outside a segment only on IBM Token Ring networks,
not on TCP/IP networks. It starts on Windows 2000 using registry entry
The NBF is for NetBIOS Frame — Microsoft's implementation of
NetBEUI v3, which overcomes the original 254-session connection limit.
DLC (Data Link Control protocol) used by HP JetDirect cards.
It is reroutable on TCP/IP networks.
UDP (User Datagram Protocol) [RFC 768]
supplies IP address & port number of destination makes for a connection-less oriented link
with no guarantees that packets were delivered.
This is used by applications that don't require ACK of receipt of (usually small amounts of) data.
This is faster because of no acknowledgement overhead.
UDP port 137 - NetBIOS-NS name service
UDP Port 138 - NetBIOS-DGM datagram service
UDP Port 69 - TFTP Trivial FTP
UDP Port 15 - NETSTAT to view a list of all current TCP/IP connections
UDP port 161 - Under SNMP
Simple Network Management Protocol methods,
agents (wiring hubs, routers, bridges)
act as traps to store information about significant events
in a MIB (Management Information Base).
SNMP managed devices respond to polling
from a Microsoft SMS Systems Management Server in its SNMP community or
generate interrupt messages.
UDP port 162 - SNMP traps received.
UDP Header Packet Structure: Source Port, Destination Port, Message Length, Checksum
Network Internet Layer 3
Handles logical addressing and translates logical names into physical addresses.
Encapsulates packets into datagrams (small network-transportable packets) using routing algorithms.
Concerned with routing -- addressing and looking for the best path on which to send information.
Prioritizes data and other Quality of Service (QoS) functions.
IP sends data to destinations over one or more gateway hops.
- Gateways: Max 126 character URL Domain name
- ping IPaddress to verify connections (127.0.0.1 loopback to itself)
- Use ROUTE.EXE to configure static gateways.
- route -add [destination network address] mask [netmask] [gateway].
- RIP Routing Internet Protocol and OSPF Open Shortest Path First are two common routing protocols
- Diskless workstations send RARP Reverse Address Resolution Protocol requests to find IP addresses for a known MAC address.
- When a host requests communications to be initiated,
ARP (Address Resolution Protocol [RFC 826]) obtains hardware MAC (Media Access Control) addresses of destination hosts
by examining subnet mask, Routing table, default gateway.
To collect data packets to analyse them with a spreadsheet program, use Performance Monitor.
- ARP checks the subnet mask to see if the address is local or remote.
- If Local
- host ARP checks own cache for the address of the destination host. NT maintains a separate ARP cache for each IP address requested:
- Dynamic entries have a potential lifetime of 10 minutes but are automatically deleted after 2 minutes unless Registry parameter ARPCacheLife overrides this default # of Seconds.
- Static entries remain in cache until computer is restarted
To manually check the cache:
arp -a or arp -g
To add a static entry to the ARP cache:
arp -s IPaddress MACaddress
- Entry can be manually deleted with arp -d
- ARP uses address FF FF FF FF FF FF to broadcast a request for the address to all local hosts on the same physical node
- Each host on the local network reads the broadcast and ignores it if it doesn't own the IP address requested.
If the host sees that it owns the IP address requested, the host sends its hardware address in a reply to the source host.
- If Remote
- Address Resolution:
- Source host checks its local ARP routing table for a route to the destination host or network.
- If no mapping is found, ARP broadcasts a request to default gateways.
If a gateway router responds with the destination host's address, ARP sends the data packet to the responding router.
The router then does its own Resolution.
- After destination host receives the request, it formulates an ICMP echo reply vice versa.
- To manually retrieve system information from a remote computer, finger a remote IP address which supports the finger service.
- To determine what route a packet takes to get from the source to the destination, use Windows TRACERT or UNIX traceroute or
Net.Medic from Vital Signs Software.
- ICMP (Internet Control Message Protocol
[RFC 792] by Jon Postel specifies the Error and Query IP datagrams sent by a gateway:
- IGMP (Internet Group Management Protocol
[RFC 1112] is used by IP hosts to send (unreliable) IP datagrams to inform multicast routers that hosts of a specific multicast group are available on a given network.
Organizes raw data into a logical structure of frames (addressable units of information) thru NIC's fed by Switches and Bridges.
Concerned with physical (as opposed to network logical) addressing,
network topology, line discipline (how end systems will use the network link),
data transmission synchronization: ordered delivery (sequencing) of frames,
Flow control: waits for a positive ACK.
Performs error notification.
Defines the logical network topology through which frames travel with CRC for error checking.
Bridges extend the network and can translate protocols between two mixed protocol networks.
Switches (Intelligent hubs such as Cisco's Catalyst product family)
contain Application-Specific Integrated Circuits (ASICs) to route
Point to Point to individual workstations.
Switches join groups of ports on a LAN switch to form a Virtual LAN (VLAN).
This segmentation separates users and services into smaller groups to reduce broadcast traffic and wasted bandwidth.
Carrier Sense Multiple Access
CSMA/CA Collision Avoidance sends a signal before broadcasting. Is used by Appletalk.
CSMA/CD Collision Detection (a contention method) is used by Ethernet (IEEE 802.3)
sends a signal after listening for 9.6 microseconds.
If the device detects a collision again, it does exponential back-off—waiting twice as long as the last try to re-transmit the message.
Because of attenuation, collision-detection sensing is limited to a distance of 2500 meters (1.5 miles).
Token Bus 802.4 & Token Ring IEEE 802.5 for graceful degredation under load
- The lower MAC Media Access Control sublayer provides the 48 bit (6 octet)
“Physical Address” such as hex 00-10-5A-E2-EF-81 burnt into the ROM on each NIC ( Network Interface Card).
The first octet, the OUI (Organizationally Unique Identifier) is issued by the Institute of Electrical and Electronic Engineers (IEEE).
For example, “08.00.20” is for Sun Microsystems; “00.00.0C” is for 3Com.
- The higher LLC Logical Link Control software driver sublayer
ensures that each frame is encapsulated in the correct frame type (such as IEEE 802.2).
Two types of LLC sub-layer frames, both containing source and distination Service Access Point (SAP).
- The Subnetwork Access Protocol (SNAP) sets the Destination and Source SAP fields to AA hex, the Control field to 03,
Type code to identify itself and whether the frame is backward compatible to Ethernet Version II.
This is used by Apple/Novell's ODI Open Driver Interface.
- Microsoft's NDIS Network Device Interface Specification uses SAP.
Establishes, maintains, and terminates point-to-point data links.
Signal Encoding: Puts raw data bits on the wire and pulls them off the transmission medium.
Cables, Connectors, Terminators, Transeivers, Repeaters, Passive Hubs, Active Hubs, Switches send data to specific lines
Controls the transmission technique, pin layout, and connector type.
Concerned with voltage levels, data rates, timing of voltage changes.
| LAN Local Area Network:
(Windows Explorer Network Neighborhood)
baseband Ethernet signaling uses the entire bandwidth.
Broadband (802.7) signaling uses only part of the bandwidth, allowing several signals to be sent at the same time (like cable TV).
Token logical Ring uses 9 pin connectors on STP cable set at 4 or 16Mbps reaching IBM 8228 MSAU's Multi Station Access Units .
ArcNet token ring max. 121 m between max. 32 stations on UTP 105 Ohm impedence or max. 303 m between 8 nodes on RG-62/U coax cable with 93 Ohm terminators.
FDDI IEEE 802.8 sends tokens synchronously (without waiting) thru dual or single MIC's Medium Interface Connectors around primary and counter-rotating secondary rings up to 13 km.
Fiber Optic Testing
MAN Metropolitan Area Network (TV cable) IEEE 802.6
Wireless IEEE 802.11 RadioLAN
ATM is an implementation of the Broadband/ISDN protocol. It defines fixed cells, each 53 bytes (5 byes for routing information and 48 bytes data).
Infrared Data Association (IrDA) architecture is for the bottom 5 layers.
- 1972-3, Robert Metcalfe (later co-founder of 3Com) and colleagues at the Xerox Palo Alto Research Center (PARC)
designed and announced the first Ethernet network, named the ALTO ALOHA Network.
- September 1980: Ethernet II 10base5 thicknet thick coax from 2.5 m to 500 m (8.25 to 1,650 feet) The BNC (British Naval Connector) connectors are attached with vampire taps .
Transceiver box with Male
DIX connectors attach to the server.
- 1985: 10base2 thinnet IEEE 802.3 thin coax from 2.5 m to 180 m
(1992 RFC 1340)
bus topology of RG-58AU coaxial cable threads with no more than 30 devices (T-connectors) and electrical Continuity of 50 ohms with a 50 ohm resistor terminator at each end (of which ONLY ONE is earthed).
(25+ Ohm impedence between center & shell of T connectors)
Minimum 1 meter and maximum 300 meters per cable segment.
Volt meters should see -.9 to -1.2 for carrier sense. Variation from this indicates that one or more cards are ignoring the carrier signal.
high = -.2 to -.5, low = -1.6 to -1.9, -1.7v on streaming (continuously sending) NIC's.
Noise should be lower than 0.04v per cable segment when all workstations are turned off.
- For both types: Max 4 repeaters (3 with nodes) among 5 segments.
- 10 Mbps (10baseT) star Hub with (using only lines 1,2,3,6 of) RJ-45 connectors and 22, 23, or 26 AWG American Wire Guage EIA Electrical Industries Association Category 5 data grade UTP Unshielded Twisted Pair cables carrying 85 to 110 ohms as individual segments.
- 100 Mbps VG Voice Grade AnyLAN of 4 pairs (8 lines) of cat 3-5 UTP max. 250 meters to a cascaded star topology. Uses demand 2 priority access and supports Token Ring packets.
- 100 Mbps (100baseT4) VG Voice Grade AnyLAN of 4 pairs (8 lines) of cat 3-5 UTP max. 250 meters to a cascaded star topology. Uses demand 2 priority access and supports Token Ring packets.
- 100baseTX of two pairs cat 5 UTP
- 10baseFL to Fiber Optic star Hub concentrators of up to 1,024 segments max. 2,000 meters each
- Monitor traffic and TCP/IP statistics with command
NETSTAT -e -s
- IEEE 802.3z and 802.3ab standards for Gigabit Ethernet have been finalized.
WAN Wide Area Network
( Explorer Internet Neighborhood)
requires Windows NT RAS Remote Access Service:
- Serial lines (RFC 1055) (with modems)
over dial-up, digital, or leased lines.
NT4 doesn't support obsolete UNIX SLIP Serial Line Internet Protocol clients
PPP Point to Point datalink protocol [RFC 1547 & 1661] is more secure.
L2TP (Level 2 Tunneling Protocol) [ RFC 2661] supported by Win2K is even better.
- Packet-switched networks:
- Frame Relay
- ATM Asynchronous Transfer Mode
constantly transmits delay-sensitive audio, video, data in cells of 53 octets (5 octet header) over fiber optic or copper between switched PPP circuits
of a IEEE 802.9 BISDN Broadband Integrated Services Digital Network mbone. Programmers use CAPI to access ISDN cards.