Hacker Fundamentals: The Everyman's Guide to How Network Packets Are Routed Across the Web
In general, hacking and information security is not just one discipline, but a number of them, and today we will look into some of the networking concepts.
In the last Hacker Fundamentals, we talked about the OSI model as well as a little on TCP/IP and the protocols that make up the suite. Now, we're going to expand on that now and take a look at the various parts of a network that you might have heard about, but might not understand.
We already covered how your data travels the OSI model, layer by layer, and talks with other machines on your local network. But how does that data leave your network? How does it know where to go? What's going on here?
Much of the 'talking' on a local network are broadcasts. This computer is asking for the MAC address of another one, or asking for a local IP address, or any number of things. But doesn't that mean the Internet should be flooded with various broadcast noise all over the place? As it turns out, no. You see, the job of a router is not only to route traffic, but to stop broadcasts. To explain this concept fully, let's look into some examples.
No routers were hurt in the writing of this article.
If you remember correctly, an IP address has two components, the network section and the host section. A subnet mask separates the IP address into those two segments (<network><host>). A subnet is expressed just like an IP address in a four octet form, the most common one being 255.255.255.0 where the '255' means those octets are describing the network and the '0' is describing the host.
Let's say you wanted to send data to another computer on your local network at home. Your internal IP address in this example is 22.214.171.124 and your destination IP address is 126.96.36.199. Also, let's assume your subnet mask is a standard 255.255.255.0.
The first thing that gets done is the computer looks at the address on the packet being sent. It then compares its address with the destination address. Notice the 172.10.1.x is the same on both, and the subnet mask has filled octets in the same locations as well ( 255.255.255.0). This tells the computer that the destination is on the same network it is on. Your computer knows it is host '20' and it needs to reach host '30' and it doesn't need to go through a router to get there.
Now your computer only needs to know the MAC address of host '30' to send this data on its way. If you recall the Media Access Control address is a physical layer function that addresses actual physical hardware on your computer. In a nutshell, it works like an IP address, only on your local network.
To perform this feat, your computer sends out a broadcast message to everyone on the network called an ARP, or Address Resolution Protocol. It's like your PC yelling "HELLO! I am looking for the computer 188.8.131.52".
Now each device on the network receives that message and looks at its own IP address in turn. The router (184.108.40.206) sees it is not the one being looked for and drops the message. Other computers on the network do the same thing until the computer that has the IP of 220.127.116.11 gets it, checks its address, and sees they match. It then replies back to the sending computer of 18.104.22.168 saying "HEY! That's me and my MAC address is AA00:BC33:3211".
In the picture below, the MAC address is called an "Ethernet address", reflecting the fact that it's addressing for the physical layer. However, common lingo is "MAC address".
Now the sending computer has the internal IP and MAC address of the receiving computer and can send its data over. But what happens if the two addresses are not on the same network?
Well, it's not as simple when we have to cross other networks, as there is a bit more going on behind the scenes, as you will see. Let's assume we are sending the same data as before and our source IP address is 22.214.171.124 and our destination IP address is 192.168.0.100. You should immediately notice by the subnet mask of 255.255.255.0 that these two addresses are on separate networks. See, we are getting there.
Just like in the first example, the sending computer looks at the destination address and compares it to its own. However, this time there is a problem—they don't match at all.
Now it knows that it can't just send out an ARP message like before, because remember what happened in the last example, when the routers address didn't match the address being asked? It simply dropped the packet. This is how routers stop broadcasts from traveling the entire Internet. In fact, without this design, the Internet would be flooded with so many broadcast messages from the millions of connected devices that it would crash and fail.
At this point, your computer knows an ARP just isn't going to cut it for the destination of 192.168.0.100, so it broadcasts another ARP. But this time is looks for what's called the default gateway. This is a node, or a router, that acts as an entry or exit point to another network.
Normally, when a computer cannot find a route for an IP address, it will send it along to the default gateway as a route of last resort. This is your modem/router at home. Your router will reply saying, "YO! I am the default gateway and my MAC address is xxxx:xxxx:xxxx!"
Your computer then adds the routers MAC address as the destination MAC address to the packet, and sends it over to the router for safe travels.
The router takes a look at the packet and knows the source IP came from its own network. But the destination is separate altogether. Because the destination is not the same as the router's own internal IP address, it knows the packet is not for it, but needs to travel through it.
The router then looks at its routing tables to find a way to get to the 192.168.0.x network. It leaves the source and destination IP address information inside the packet, and changes the new source MAC address to its own address and the destination MAC address to the next node deducted from the routing table.
This process continues over and over with each router that picks up the packets looking at the addresses, seeing it's not for their network and passing it along until it reaches the final destination of 192.168.0.100.
That router will strip of the source and destination MAC addresses that allowed the packets to travel, and replace the source with its own. It then ARPs to find the MAC address of the server being looked for and uses the reply to add the final MAC address of that machine, then sends it along.
Isn't that amazing? When you check your email or browse the web, this is happening all of the time, hundreds and thousands of packets traveling 10-20+ routers to span the world... all in just a few seconds.
When you are packet sniffing, you can grab this information midstream. Simply turn on Wireshark and watch and see how many packets zip around in a small amount of time.
Questions about all this? Comments? If you've got some knowledge, you can pass it onto the community—we are always welcome to it! Start a thread in our forum!