Networking Tutorial COMM1


IP Addressing and Ports

Internet Protocol (IPv4) uses 32-bit addresses with 16-bit port numbers to uniquely identify a host process on a computer. The address is usually shown as four sets of numbers, ie 192.168.0.1, while the port is a simple number from 1 to 65,536.  Domain names such as www.magsys.co.uk are a higher level over IP addresses, but are not supported by ComCap at present.  Computers may have specific IP addresses allocated to them or temporary addresses from a DHCP server that may change each time the computer is booted.  ComCap needs fixed IP addresses so don't use DHCP. When ComCap starts, it will report allocated IPv4 addresses, similar to:

 

192.168.1.120/255.255.255.0 on vEthernet (PC20 main) (Hyper-V Virtual Ethernet Adapter #2)

192.168.1.121/255.255.255.0 on vEthernet (PC20 main) (Hyper-V Virtual Ethernet Adapter #2)

192.168.1.122/255.255.255.0 on vEthernet (PC20 main) (Hyper-V Virtual Ethernet Adapter #2)

 

IP ports numbered below 1,204 are pre-allocated to specific internet protocols (sometimes different for TCP and UDP), 514 for syslog, 21 for telnet, etc, while higher port numbers are used automatically by the computer for specific connections or may be specified by users for unique connections.

 

IPv6 is a newer internet protocol that uses longer 128-bit addresses or 16 bytes (although only 64 bits are for public routing).  IPv6 addresses are shown in hex pairs separated by colons, so 0123:4567:89ab:cdef:0123:4567:89ab:cdef could be a possible IPv6 address, but they are always shown in abbreviated form by removing leading zeros and most colons if there are four zeros. Magenta's IPv6 addresses are 2a00:1940:1:2:: and 2a00:1940:2:2:: which are /64, Google is 2001:4860:: which is a massive /32 block.  Public IPv6 addresses currently all start with 2, local IPv6 addresses usually start with fe80:: or fda1::. The last 64 bits of the IPv6 address may be allocated randomly by Windows, so a PC might be fe80::1543:d1a8:2ece:d919 internally, and 2a00:1940:1:2:1543:d1a8:2ece:d919 publicly, or it may be specified statically such as 2a00:1940:1:2::127 if used for TCP Server.  One special IPv6 address is :: which is equal to 0:0:0:0:0:0:0:0, and means all IPv6 addresses, like 0.0.0.0 is all IPv4 addresses.

 

There is a convention for displaying and sometimes entering IPv6 addresses using square brackets, to avoid confusion with the port at the end which historically was separated by a semicolon.  Local IPv6 addresses also sometimes have a scope prefix following %, which should be used if seen.  When ComCap starts, it will report allocated IPv6 addresses, similar to:

 

[2a00:1940:1:2::127]//64 on vEthernet (PC20 main) (Hyper-V Virtual Ethernet Adapter #2)

[2a00:1940:1:2:1543:d1a8:2ece:d919]//64 on vEthernet (PC20 main) (Hyper-V Virtual Ethernet Adapter #2)

[2a00:1940:1:2:99fd:7b31:23b9:d193]//128 on vEthernet (PC20 main) (Hyper-V Virtual Ethernet Adapter #2)

[2a00:1940:1:2:ad36:442e:e4:e5ed]//128 on vEthernet (PC20 main) (Hyper-V Virtual Ethernet Adapter #2)

[fda1:7d3:fbbf:1:1543:d1a8:2ece:d919]//64 on vEthernet (PC20 main) (Hyper-V Virtual Ethernet Adapter #2)

[fda1:7d3:fbbf:1:99fd:7b31:23b9:d193]//128 on vEthernet (PC20 main) (Hyper-V Virtual Ethernet Adapter #2)

[fda1:7d3:fbbf:1:ad36:442e:e4:e5ed]//128 on vEthernet (PC20 main) (Hyper-V Virtual Ethernet Adapter #2)

[fe80::1543:d1a8:2ece:d919%16]//64 on vEthernet (PC20 main) (Hyper-V Virtual Ethernet Adapter #2)

[fe80::e456:e8e9:9795:ec78%32]//64 on vEthernet (Default Switch) 2 (Hyper-V Virtual Ethernet Adapter #3)

 

In logs, ComCap will usually add the port, ie 'Connected OK to [2a00:1940:1:2::127]:514'.

 

If using a browser with an IPv6 address, the square brackets are needed, ie http://[2a00:1940:2:2::139]/ is the Magenta Systems home page (but will not display due to no SSL certificate for the address), but generally the square brackets are ignored when entering an IPv6 address in a settings field.
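An added example, not part of ComCap or the original page: a Python parser for the bracketed address forms shown above, which also classifies each address as public, private or link-local so an operator can see which listening addresses are reachable from outside the local network. The sample lines are constructed from the report format above, and the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample lines in the shape of the startup report and log text above.
SAMPLE_LINES = [
    "[2a00:1940:1:2::127]//64 on vEthernet (PC20 main)",
    "[fda1:7d3:fbbf:1:1543:d1a8:2ece:d919]//64 on vEthernet (PC20 main)",
    "[fe80::1543:d1a8:2ece:d919%16]//64 on vEthernet (PC20 main)",
    "192.168.1.120/255.255.255.0 on vEthernet (PC20 main)",
    "Connected OK to [2a00:1940:1:2::127]:514",
]

# Either [ipv6%scope] or a dotted IPv4 address, each optionally followed by :port.
ENDPOINT = re.compile(
    r"\[(?P<v6>[0-9A-Fa-f:.]+)(?:%(?P<scope>[^\]]+))?\](?::(?P<p6>\d{1,5}))?"
    r"|(?P<v4>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<p4>\d{1,5}))?"
)

def classify(addr):
    """Coarse reachability class, checked from most to least specific."""
    if addr.is_unspecified:
        return "all-addresses"      # 0.0.0.0 or ::
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"         # fe80::/10, only meaningful with its %scope
    if addr.is_private:
        return "private"            # 192.168.x.x, fd.. local IPv6 and similar
    return "public"

def parse_endpoint(line):
    """Return (address, scope, port, class) for the first address in line, else None."""
    m = ENDPOINT.search(line)
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m.group("v6") or m.group("v4"))
    except ValueError:
        return None                 # looked like an address but is not a valid one
    port = m.group("p6") or m.group("p4")
    port = int(port) if port else None
    if port is not None and not 0 < port <= 65535:   # limit of a 16-bit port field
        return None
    return str(addr), m.group("scope"), port, classify(addr)

def report(lines=SAMPLE_LINES):
    """Parse every line, keeping only those that contain a valid address."""
    return [p for p in map(parse_endpoint, lines) if p]
```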

 

Host and Domain Names - TCP and UDP Clients

Although all network connected devices have an IP address, at least for publicly available devices it is usual for them to also have a host or domain name, with DNS (dynamic name server) being used to map names to IP addresses. Local area networks also support NETBIOS names, which are computer names.  Host names are often hierarchical, being composed of a domain and subdomain, ie www.magsys.co.uk.  While host names are often more convenient to use, the need to look up an IP address using a DNS server adds an extra failure possibility and sometimes a security vulnerability if the DNS server is compromised.  ComCap allows an IP address or Domain Name when specifying the remote address for TCP Client and UDP Client.

 

Host and Domain Names - TCP Servers

TCP Server and UDP Server are different, they always listen on a local IP address for remote clients to make a connection, and the remote may use that IP address or a host or domain name that points to that IP address.  The server itself may be unaware of the domain name or names pointing to its address, it simply answers connections to the IP address.  The exception is for SSL/TLS, where the server needs a certificate that should include the host or domain name of the server, to prove its identity. In Capture Settings, Network Options this name is specified as 'Certificate Domain Name'.

 

UDP

User Datagram Protocol (UDP) is a connectionless network protocol using IP that sends packets of data without any handshaking or acknowledgement, but very efficiently, with the hope that a server is listening for it.  Each packet or datagram is generally self contained and variable length, usually the length of data being sent (often without any line ending).  Because UDP is connectionless, applications may stop and start without any hindrance, albeit potentially with lost data.  UDP should be loss free on local area networks, but is more problematic across wide area networks where the error correction of TCP is needed to cope with lost packets.

 

UDP is used for two common protocols, Syslog generally using port 514, and SNMP using port 162.  UDP has one other benefit, two or more appliances or clients may send UDP data to the same server.

 

When ComCap is set-up for UDP Server, it will accept any UDP data on the specified port but can optionally filter packets from different remote IP addresses to different capture channels, keeping data from different sources separate.  UDP Server can listen on one specified port, on addresses 0.0.0.0 or :: meaning all addresses on the PC, or on just one specific selected address.
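The listening and filtering behaviour described above, sketched in Python as an added example (not ComCap's code): the channel table, channel names and function names are assumptions made for illustration. Because a UDP source address is not verified by any handshake, the filter sorts traffic but is not proof of who sent it.

```python
import ipaddress
import socket

# Hypothetical channel table: source network -> capture channel (not ComCap's own format).
CHANNELS = [
    (ipaddress.ip_network("192.168.1.50/32"), "firewall"),
    (ipaddress.ip_network("192.168.1.0/24"), "lan-devices"),
    (ipaddress.ip_network("fda1:7d3:fbbf:1::/64"), "lan-devices-v6"),
]

def channel_for(source_ip):
    """Return the channel for a sender address, or None to drop the datagram."""
    addr = ipaddress.ip_address(source_ip.split("%")[0])    # strip any %scope
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped          # dual-stack sockets report ::ffff:a.b.c.d
    for network, channel in CHANNELS:    # first match wins, so list specific entries first
        if addr.version == network.version and addr in network:
            return channel
    return None

def open_listener(bind_ip, port):
    """Bind a UDP socket to one address; '0.0.0.0' or '::' listens on every interface."""
    family = socket.AF_INET6 if ":" in bind_ip else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    return sock

def receive_one(sock, captured, timeout=2.0):
    """Read one datagram, store it under its channel, and return the channel or None."""
    sock.settimeout(timeout)
    data, sender = sock.recvfrom(65535)
    channel = channel_for(sender[0])
    if channel is not None:
        captured.setdefault(channel, []).append(data)
    return channel
```

Calling open_listener("192.168.1.120", 514) accepts datagrams only on that one address, while "0.0.0.0" or "::" accepts them on every interface the PC has.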

 

While UDP is connectionless, ComCap Echo to Remote will optionally ping the remote host before sending UDP packets to establish it exists, although this does not mean a UDP server is listening on the remote computer, just that the computer is running.

 

TCP Overview

Transmission Control Protocol (TCP) is a connection oriented protocol using IP that has initial handshaking when making a connection that opens a two way reliable stream between two computers, with error correction and packet acknowledgements.  If one computer disconnects or there is a network failure somewhere, the other computer will also disconnect (although this may be after a timeout).  TCP packets are variable size with lines of data often split into two or more packets, or combined into a single packet, so it's essential each line is clearly terminated, usually with CR and LF.  A TCP connection needs to be negotiated between two computers, the one that starts is called the client while the one waiting for connections is the server.
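An added Python example, not ComCap's own code, showing why the line terminator matters: reads from a TCP stream are reassembled into CR LF terminated lines however the packets were split or merged. The 4096-byte line cap and the sample reads are assumptions of this example.

```python
class LineAssembler:
    """Rebuild CR LF terminated lines from TCP reads that split or merge them."""

    def __init__(self, max_line=4096):
        self.max_line = max_line    # assumed cap, so an endless line cannot exhaust memory
        self.buffer = bytearray()
        self.discarding = False     # True while skipping the rest of an oversized line
        self.overflows = 0

    def feed(self, chunk):
        """Add the bytes from one read and return the lines they completed."""
        self.buffer += chunk
        lines = []
        while True:
            end = self.buffer.find(b"\r\n")
            if end < 0:
                break
            line = bytes(self.buffer[:end])
            del self.buffer[:end + 2]
            if self.discarding:
                self.discarding = False      # tail of a line already counted as too long
            elif len(line) > self.max_line:
                self.overflows += 1
            else:
                lines.append(line)
        if len(self.buffer) > self.max_line:
            if not self.discarding:
                self.overflows += 1
            self.discarding = True
            # keep a trailing CR in case its LF arrives at the start of the next read
            self.buffer[:] = b"\r" if self.buffer.endswith(b"\r") else b""
        return lines

# Constructed sample: three lines delivered as four reads, split mid-line and mid-terminator.
SAMPLE_READS = [b"<13>host1 lin", b"k up\r\n<14>host2 ", b"ok\r", b"\n<15>host3 done\r\n"]

def reassemble(reads, max_line=4096):
    """Feed every read through one assembler and return (lines, overflow count)."""
    assembler = LineAssembler(max_line)
    lines = []
    for chunk in reads:
        lines.extend(assembler.feed(chunk))
    return lines, assembler.overflows
```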

 

TCP Client

TCP Client originates a connection to a remote server and waits for a response, usually for about 40 seconds before failing.  If the connection fails, the client therefore needs to keep retrying to establish the connection, with ComCap allowing a configurable wait between attempts and limiting the number of retries.  TCP Client can connect to a specified port on a single specific remote IP address or host name.

 

ComCap can optionally ping the remote TCP Server first to establish the computer is accessible, waiting 10 seconds for a response (much shorter than the timeout for a TCP connection), but even if the ping works, there may be no server available so the connection may still fail.  TCP Client is a one-to-one connection between two specific computers.

 

TCP Server

TCP Server listens for incoming connections from remote TCP Clients on a specified IP port.  When a TCP Client connects, the two-way connection is established on a new IP port, allowing further clients to connect to the original IP port.  TCP Server can listen on one specified port, on addresses 0.0.0.0 or :: meaning all addresses on the PC, or on just one specific selected address.

 

ComCap4 required multiple TCP Server channels to be set up on the same port if multiple clients were expected to connect and send data. ComCap5 improves this with a new channel type TCP Multi Server where a single channel will accept hundreds of simultaneous remote clients. TCP Server channels will optionally filter connections from different remote IP addresses to different capture channels, keeping data from different clients separate.  TCP Multi Server saves data from all remote clients in the same capture file.

 

Ethernet and Packets

Ethernet is the physical hardware layer used by IP for cabled networks, also called IEEE 802.3, supported by ethernet network adaptors each with a unique 48-bit MAC address. Each ethernet packet comprises a header with the source and destination MAC addresses and protocol (usually IP, but also ARP, ICMP, IPX, IPv6).  For IP protocol, the packet header adds the source and destination IP addresses, time to live, checksum and protocol (UDP, TCP, etc).  For UDP and TCP protocols, the packet header also adds the source and destination ports, data length and checksum. TCP protocol also adds flags to open and close connections and sequence numbers used for error detection and correction. The header overhead (and minimum size) for a UDP packet is 42 characters, for TCP it's 54 characters. The Ethernet hardware level adds a frame preamble and frame check sequence, but these are removed before software sees the packet.
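The header arithmetic above, worked through in Python as an added example that is not from the original page: it builds a constructed Ethernet + IPv4 frame and walks the headers, giving 14 + 20 + 8 = 42 for UDP and 14 + 20 + 20 = 54 for TCP when no IP or TCP options are present. The addresses, MAC values and ports in the sample frame are made up for illustration.

```python
import socket
import struct

def build_frame(proto, payload):
    """Constructed sample: Ethernet II + IPv4 + UDP (17) or TCP (6), checksums left as 0."""
    if proto == 17:
        l4 = struct.pack("!HHHH", 40000, 514, 8 + len(payload), 0)
    else:
        l4 = struct.pack("!HHIIBBHHH", 40000, 514, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64,
                     proto, 0, socket.inet_aton("192.168.1.50"),
                     socket.inet_aton("192.168.1.120"))
    eth = bytes.fromhex("020000000002020000000001") + struct.pack("!H", 0x0800)
    return eth + ip + l4 + payload

def parse_frame(frame):
    """Walk the headers in order; return addressing fields and the total header overhead."""
    if len(frame) < 34:
        raise ValueError("too short for Ethernet and IPv4 headers")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ip_len = (ver_ihl & 0x0F) * 4             # 20 bytes unless IP options are present
    if ver_ihl >> 4 != 4 or ip_len < 20:
        raise ValueError("bad IPv4 header")
    if proto not in (6, 17):
        raise ValueError("not TCP or UDP")
    l4 = 14 + ip_len                          # offset of the TCP or UDP header
    l4_len = 8 if proto == 17 else 20         # UDP is fixed, TCP is at least 20
    if len(frame) < l4 + l4_len:
        raise ValueError("truncated transport header")
    if proto == 6:
        l4_len = (frame[l4 + 12] >> 4) * 4    # TCP data offset, larger with options
        if l4_len < 20 or len(frame) < l4 + l4_len:
            raise ValueError("bad TCP header length")
    src_port, dst_port = struct.unpack("!HH", frame[l4:l4 + 4])
    return {
        "src_mac": src_mac.hex(":"),
        "src": f"{socket.inet_ntoa(src)}:{src_port}",
        "dst": f"{socket.inet_ntoa(dst)}:{dst_port}",
        "ttl": ttl,
        "protocol": "UDP" if proto == 17 else "TCP",
        "overhead": l4 + l4_len,
        "payload": frame[l4 + l4_len:],
    }
```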

 

Serial to Network Converters or Ethernet Device Servers

To overcome the restricted length of RS232 serial port cables (about 30 metres), in recent years serial ethernet device servers have evolved which convert serial port data to network protocols, usually TCP/IP. Usually small modem sized units, but sometimes just large plugs, these converters usually have a small internal web server used to configure the IP address and port and serial port parameters, and support TCP Client and TCP Server protocols. Some support two or more serial ports.

 

Such converters are offered by Brainboxes, Lantronix, Lavalink and RE Smith.

 

Note ComCap can itself be used as a serial to network converter, by capturing from one or more serial ports and echoing data using network protocols.  There are also open source free software network converters, such as 'COM Port to TCP Redirector' from http://com0com.sourceforge.net/.