The article directories

  • 1. The network card
    • 1.1 Working Principles of nics
    • 1.2 NIC Classification
    • 1.3 Nic Manufacturer
  • 2. Introduction of Wireshark
    • 2.1 Schematic diagram of the Wireshark
      • 2.1.1 Differences between Promiscuous Mode and Monitor Mode
      • 2.1.2 Packet filter
      • 2.1.3 Tracking the cache
      • 2.1.4 Decoding function
  • 3. Summary

1. The network card

A network adapter, or network interface card (NIC), is the interface that connects a computer to the transmission medium of a local area network (LAN). It spans the physical layer (L1), where it drives the medium, and the data link layer (L2), where it frames the data and filters incoming frames by MAC address. It is the interface board inside the host that lets the local machine talk to the LAN and, through it, to other networks; any computer that wants to reach the Internet or communicate with other machines needs one. The formal terms are network adapter and network interface card. Figure 1 shows an Intel I350 network adapter.



Figure 1 Intel I350 Network adapter

  • LAN (Local Area Network)

    Used for internal communication and information exchange. A LAN is typically built with Ethernet technology within a limited area such as a company or a school. LANs divide into wired LANs (twisted pair, optical fibre, coaxial cable, etc.) and wireless LANs (radio).
  • The NIC's location on the host



    Figure 2 Nic location on the host

1.1 Working Principles of nics

A LAN built on Ethernet uses the standard Ethernet frame format, and switches and routers that implement the standard can be used on it. In a cabled LAN a PC connects over twisted-pair cable to a switch, the switch connects to a router, and the router forwards traffic between heterogeneous subnets and out to the Internet. Data on the Ethernet travels in frames (Ethernet II format) at the data link layer of the TCP/IP model or of the Open Systems Interconnection (OSI) model. When the local computer sends data, the frame (MAC frame) is transferred over the host bus into the NIC's transmit buffer; the NIC then applies the line encoding for its speed (Manchester for 10BASE-T, 4B5B for 100BASE-TX, 4D-PAM5 for 1000BASE-T, as shown in Figure 3) and converts the result into electrical signals on the UTP cable.



Figure 3 Ethernet line encodings at different transmission rates

On receive, the NIC runs the same process in reverse: it decodes the signal back into bits and reassembles the frame. Within each octet, Ethernet transmits the least significant bit first (loosely called "little-endian bit order"); the octets themselves are sent in sequence. Bit order on the wire is a separate matter from the byte order of multi-byte fields, which is discussed next.

  • In little endian mode, the high byte is stored at the high memory address, and the low byte is stored at the low memory address

The byte order of multi-byte fields in transmitted data is called the network byte order. The TCP/IP protocol headers use big-endian order: the most significant byte is sent first.

  • In big-endian mode, the low byte is stored at the high memory address, and the high byte is stored at the low memory address

This is why network programming converts multi-byte values to network byte order before sending (htons()/htonl()) and back to host order after receiving (ntohs()/ntohl()). Take the IPv4 address 192.168.1.254 in dotted-decimal notation: Figure 4 shows how its four bytes are laid out in memory on a big-endian and on a little-endian machine.



Figure 4 Comparison of data sequence between big endian and little endian
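To make the byte-order point concrete, here is an added Python example (not code from the original article) that packs the article's example address 192.168.1.254 in network byte order, shows the value a program gets if it copies those bytes into a native integer on a little-endian host without ntohl(), and shows Ethernet's LSB-first bit order on the first octet of a MAC address. The MAC addresses are constructed sample values.

```python
"""Byte order (endianness) and Ethernet bit order, worked on the article's
example address 192.168.1.254. Added example; MAC addresses are constructed."""
import socket
import struct
import sys

EXAMPLE_IP = "192.168.1.254"           # the article's example address
EXAMPLE_MACS = {                       # constructed sample MAC addresses
    "unicast": "00:1b:21:aa:bb:cc",
    "multicast": "01:00:5e:00:00:fb",
    "broadcast": "ff:ff:ff:ff:ff:ff",
}


def ipv4_to_wire(dotted: str) -> bytes:
    """Pack a dotted-decimal IPv4 address as the four bytes that appear in the
    IPv4 header on the wire: most significant octet first (network order).
    This is exactly what inet_aton() returns."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    wire = struct.pack("!BBBB", *octets)   # '!' = network (big-endian) order
    assert wire == socket.inet_aton(dotted)
    return wire


def wire_to_u32(wire: bytes) -> int:
    """Correct decode: read the four wire bytes as a big-endian integer
    (what ntohl() gives you on any host)."""
    return struct.unpack("!I", wire)[0]


def misread_as_little_endian(wire: bytes) -> int:
    """The classic bug: memcpy() the four wire bytes into a native uint32 on
    a little-endian host (x86, most ARM) and forget ntohl()."""
    return struct.unpack("<I", wire)[0]


def to_network_order(host_value: int) -> int:
    """htonl(): a byte swap on a little-endian host, a no-op on a big-endian one."""
    return socket.htonl(host_value)


def bits_on_wire(octet: int) -> str:
    """Ethernet (IEEE 802.3) clocks each octet out least significant bit
    first, so the wire order is the reverse of the printed binary form."""
    return format(octet, "08b")[::-1]


def is_multicast_mac(mac: str) -> bool:
    """The Individual/Group bit is bit 0 of the first octet, i.e. the very
    first bit on the wire: 1 = group (multicast/broadcast), 0 = individual."""
    first_octet = int(mac.split(":")[0], 16)
    return bits_on_wire(first_octet)[0] == "1"


if __name__ == "__main__":
    wire = ipv4_to_wire(EXAMPLE_IP)
    print(f"{EXAMPLE_IP} on the wire (big-endian memory image): {wire.hex(' ')}")
    print(f"  decoded with ntohl():            0x{wire_to_u32(wire):08X}")
    print(f"  misread as native little-endian: 0x{misread_as_little_endian(wire):08X}")
    print(f"  htonl(0xC0A801FE) on this {sys.byteorder}-endian host: "
          f"0x{to_network_order(0xC0A801FE):08X}")
    for kind, mac in EXAMPLE_MACS.items():
        first = int(mac[:2], 16)
        print(f"  {mac}: first octet {first:08b} leaves the NIC as {bits_on_wire(first)}"
              f" -> group address: {is_multicast_mac(mac)} ({kind})")
```

The first bit of the first octet to reach the wire is the Individual/Group bit, which is why every multicast and broadcast MAC address has an odd first octet (01:00:5e:..., ff:ff:...) and why a NIC can decide "is this a group address?" from the very first bit it receives. The misread value 0xFE01A8C0 is the address 254.1.168.192, the kind of silently wrong result that an access-control check on a raw address will happily accept.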

1.2 NIC Classification

There are many types of NIC. By data link layer control they divide into Ethernet NICs, token ring NICs and ATM NICs; by physical layer into wireless, optical and coaxial NICs. They differ in data link layer control, addressing and frame structure, and in physical link type, line encoding, transmission medium and signal levels.

1.3 Nic Manufacturer

Well-known NIC manufacturers include Intel, Realtek, Broadcom, VIA and SiS. Intel is the most common; its website (Intel® Ethernet Network Adapters) lists the current range of adapters, see Figure 5. The listed parameters include transmission rate, supported operating modes (for example VF promiscuous mode), CPU utilization and other details.



Figure 5 Various Types of Intel Network adapters

2. Introduction of Wireshark

Protocol analysis (also called network analysis) is the process of accessing a network, capturing the data travelling through it, collecting network statistics and decoding the packets into a readable form. Wireshark is the most widely used network protocol analyzer. In essence, a protocol analyzer eavesdrops on network traffic. Wireshark is used to diagnose communication faults, test networks and collect performance trend data. Its home page carries the following description:



Figure 6 Wireshark official website

In short, Wireshark is a tool for analysing network protocols. The analyzer is installed at a point in the network and configured to capture the problematic communication sequence; by reading the packets as they cross the medium, defects and errors in the exchange can be identified.

2.1 Schematic diagram of the Wireshark

Packets on the network enter the protocol analyzer through the network adapter, so the adapter and its driver must support promiscuous mode. Normally a NIC accepts only frames addressed to its own MAC address, broadcast frames and the multicast groups it has joined; in promiscuous mode it passes every frame it receives (unicast to other devices, multicast, broadcast and, with some drivers, even frames with errors) up to the capture software. The adapter and the analyzer therefore work together. One caveat: on a switched LAN the switch forwards unicast traffic only to the port where the destination lives, so promiscuous mode on its own shows broadcast, multicast and the traffic of the capturing host itself; to see other hosts' unicast traffic you need a mirror (SPAN) port, a network TAP or a hub. Figure 7 shows the schematic diagram of the analyzer.



Figure 7 schematic diagram and elements of a protocol analyzer

As described above, the adapter used by the analyzer must support promiscuous mode so that the analyzer can capture the packets passing through it. Promiscuous mode on the physical interface is supported by practically every wired NIC and driver, and the operating system switches it on when a capture starts. The Intel I325 specification additionally lists VF promiscuous mode, a feature for its SR-IOV virtual functions (VFs): a VF, not only the physical function, can run in promiscuous mode for unicast, multicast and VLAN traffic. See Figure 8.



Figure 8 Intel I325 nics support VF promiscuous mode

2.1.1 Differences between Promiscuous Mode and Monitor Mode

Be clear about the difference between promiscuous mode and monitor mode. Monitor mode exists only for wireless cards; promiscuous mode exists for both wired and wireless cards. Monitor mode lets the card receive raw 802.11 frames (management, control and data frames, usually with a radiotap header) without associating with an access point. Promiscuous mode lets the card pass up all frames on the link it is attached to, including frames not addressed to it. On a wireless card in managed mode the driver often does not honour promiscuous mode, so wireless capture normally means monitor mode.
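A practical check, added here as an example and not taken from the original article: on Linux the kernel exposes each interface's flags and link type under /sys/class/net, so a short script can tell whether an interface is in promiscuous mode (a capture or a sniffer is running on it) or whether a wireless card has been switched to monitor mode. The IFF_* and ARPHRD_* values are the kernel's; the sysfs contents in SAMPLE are constructed.

```python
"""Classify Linux network interfaces as normal / promiscuous / monitor from
sysfs. Added example; the SAMPLE sysfs contents are constructed."""
import os

IFF_FLAGS = {        # bit -> name, from <linux/if.h>
    0x1: "UP", 0x2: "BROADCAST", 0x8: "LOOPBACK", 0x10: "POINTOPOINT",
    0x40: "RUNNING", 0x80: "NOARP", 0x100: "PROMISC", 0x1000: "MULTICAST",
}
IFF_PROMISC = 0x100
ARPHRD_ETHER = 1                  # /sys/class/net/<if>/type for Ethernet
ARPHRD_IEEE80211_RADIOTAP = 803   # link type reported by an 802.11 monitor interface


def decode_flags(flags_text: str) -> list:
    """Parse the hex string in /sys/class/net/<if>/flags into flag names."""
    value = int(flags_text.strip(), 16)
    return [name for bit, name in sorted(IFF_FLAGS.items()) if value & bit]


def classify(flags_text: str, type_text: str) -> str:
    """'monitor' (raw 802.11, no association), 'promiscuous' (accepts frames
    addressed to other MACs) or 'normal' for one interface."""
    if int(type_text.strip()) == ARPHRD_IEEE80211_RADIOTAP:
        return "monitor"
    if int(flags_text.strip(), 16) & IFF_PROMISC:
        return "promiscuous"
    return "normal"


def scan_sysfs(root: str = "/sys/class/net") -> dict:
    """Live check: classify every interface on this Linux host."""
    results = {}
    for ifname in sorted(os.listdir(root)):
        try:
            with open(os.path.join(root, ifname, "flags")) as f:
                flags = f.read()
            with open(os.path.join(root, ifname, "type")) as f:
                link_type = f.read()
        except OSError:
            continue            # interface vanished or is not readable
        results[ifname] = classify(flags, link_type)
    return results


# Constructed sample: what the two sysfs files might contain for three interfaces
SAMPLE = {
    "eth0":     ("0x1043\n", "1\n"),    # UP|BROADCAST|RUNNING|MULTICAST, Ethernet
    "eth1":     ("0x1143\n", "1\n"),    # same plus PROMISC: a capture is running
    "wlan0mon": ("0x1043\n", "803\n"),  # radiotap link type: monitor mode
}


def classify_sample(sample: dict = SAMPLE) -> dict:
    return {name: classify(flags, typ) for name, (flags, typ) in sample.items()}


if __name__ == "__main__":
    live = os.path.isdir("/sys/class/net")
    for name, state in (scan_sysfs() if live else classify_sample()).items():
        print(f"{name:10s} {state}")
```

On a Linux host the script reads sysfs directly; the constructed SAMPLE is used only when sysfs is absent. The kernel also logs the transition ("device eth1 entered promiscuous mode") to dmesg and the journal, which is where a defender usually looks for a sniffer that should not be there.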

2.1.2 Packet filter

The packet filter tells the protocol analyzer which packets to capture. Figure 7 shows the flow of packets. To capture only a specific kind of traffic, set a capture filter at the "capture filter" stage in Figure 7; what leaves that stage is only the traffic the filter accepts, that is, the packets shown above the capture filter in the figure. The capture filter is also called a pre-filter. It uses BPF (tcpdump) syntax, for example host 192.168.1.254, tcp port 443 or not arp; it is fixed before the capture starts, and a packet it rejects is discarded and cannot be recovered afterwards. In Wireshark it corresponds to the [Capture]-[Capture Filters] menu and to the capture filter field on the main page. See Figure 9.



Figure 9 Capture filters in Wireshark

As Figure 7 shows, the layer above the capture filter is the display filter, which corresponds to the filter toolbar at the top left of the Wireshark window (Figure 10). The display filter makes it easier to pick out the specific packets we want: the capture filter usually still lets a large number of packets through, and the display filter narrows the view to the packets we finally need. Unlike the capture filter it affects only what is shown, so it can be changed at any time and nothing is lost.



Figure 10 Display filter toolbar in Wireshark

The display filter can select on many fields, among them source and destination MAC address (eth.src, eth.dst), source and destination IP address (ip.src, ip.dst), transport protocol (tcp, udp), application protocol (http, dhcp, etc.) and source and destination port (tcp.srcport, tcp.dstport, udp.port). Display filters use Wireshark's own syntax, which differs from the capture filter's, for example ip.addr == 192.168.1.254 && tcp.port == 443. See Figure 11.



Figure 11 Display filters in the Wireshark

  • The Wireshark website describes it as follows: Wireshark's most powerful feature is its vast array of display filters (over 242,000 fields in 3,000 protocols as of version 3.0.6). They let you drill down to the exact traffic you want to see and are the basis of many of Wireshark's other features, such as the coloring rules.

2.1.3 Tracking the cache

Each protocol analyzer keeps a "trace buffer", a memory region used to stage the packets copied from the network. Packets flow from the capture filter into the trace buffer, where they can be viewed immediately after capture or saved to disk in a capture file format. In Wireshark, for example, click "Start Capture" and the captured packets appear at once; they are held in the analyzer's trace buffer. Wireshark does not document one fixed size for this buffer, but a limit must exist: the Capture Options dialog lets you set the kernel capture buffer size per interface, stop the capture automatically after a given number of packets, size or time, and write to a ring of files so that old data is overwritten instead of the capture growing without bound.

2.1.4 Decoding function

The decoding function of the protocol analyzer lets us read and analyze the packets in the trace buffer in an intuitive, readable form; the decoder is the part that translates packets. As Figure 12 shows, it separates out the headers, source and destination IP address, protocol, packet length, packet details and so on. Without it, other tools would be needed to read the packets, so the decoder is a great convenience. It is also the part that parses untrusted input, which is why Wireshark separates the privileged capture (dumpcap) from the dissection, and why it is good practice to run Wireshark as an unprivileged user and to treat capture files from untrusted sources with care.



Figure 12 Decoding function of the Wireshark
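The pipeline of sections 2.1.2 to 2.1.4 (capture filter, trace buffer, decoder, display filter), as an added Python example that is not Wireshark's code: a small Ethernet II / IPv4 / UDP / TCP dissector, a byte-offset pre-filter in the spirit of the BPF capture filter ip and udp, a bounded ring buffer standing in for the trace buffer, and a display filter over the decoded fields. All frames are constructed samples with zero checksums; the field names (ip.src, udp.dstport) follow Wireshark's naming only for readability.

```python
"""Toy protocol-analyzer pipeline, as in Figure 7: raw frame -> capture filter
(bytes) -> bounded trace buffer -> decoder -> display filter (fields).
Added example; all frames are constructed samples with checksums left zero."""
from collections import deque
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Ethernet II + IPv4 + (UDP | minimal TCP) header; every multi-byte field
    is packed with '!' so it is in network (big-endian) order."""
    if proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:  # ports, seq, ack, data offset (5 words), flags (SYN), window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


def capture_filter_udp(raw: bytes) -> bool:
    """Pre-filter in the spirit of the BPF capture filter `ip and udp`: fixed
    byte offsets in the raw frame, no decoding, applied before storage."""
    return (len(raw) >= 34
            and struct.unpack("!H", raw[12:14])[0] == ETHERTYPE_IPV4
            and raw[23] == PROTO_UDP)


def decode(raw: bytes) -> dict:
    """Decoder: turn frame bytes into named fields (what Wireshark's
    dissectors do), reading multi-byte fields in network byte order."""
    ethertype = struct.unpack("!H", raw[12:14])[0]
    pkt = {"frame.len": len(raw), "eth.dst": raw[:6].hex(":"),
           "eth.src": raw[6:12].hex(":"), "eth.type": ethertype}
    if ethertype != ETHERTYPE_IPV4 or len(raw) < 34:
        return pkt
    ihl = (raw[14] & 0x0F) * 4                      # IPv4 header length in bytes
    pkt["ip.len"] = struct.unpack("!H", raw[16:18])[0]
    pkt["ip.proto"] = raw[23]
    pkt["ip.src"] = ".".join(map(str, raw[26:30]))
    pkt["ip.dst"] = ".".join(map(str, raw[30:34]))
    l4 = raw[14 + ihl:]
    if pkt["ip.proto"] in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        name = "udp" if pkt["ip.proto"] == PROTO_UDP else "tcp"
        pkt[f"{name}.srcport"], pkt[f"{name}.dstport"] = struct.unpack("!HH", l4[:4])
    return pkt


class TraceBuffer:
    """Bounded trace buffer: a ring that discards the oldest frame when full,
    so the capture cannot grow without limit."""

    def __init__(self, capacity: int):
        self.frames = deque(maxlen=capacity)
        self.dropped = 0

    def push(self, raw: bytes) -> None:
        if len(self.frames) == self.frames.maxlen:
            self.dropped += 1
        self.frames.append(raw)

    def packets(self) -> list:
        return [decode(f) for f in self.frames]


def display_filter(packets, **wanted) -> list:
    """Display filter on decoded fields: display_filter(pkts, **{"ip.dst":
    "192.168.1.254", "udp.dstport": 53}) is the Wireshark expression
    ip.dst == 192.168.1.254 && udp.dstport == 53."""
    return [p for p in packets if all(p.get(k) == v for k, v in wanted.items())]


SAMPLE_FRAMES = [  # constructed traffic: DNS query, TLS SYN, DNS reply, DHCP discover
    build_frame("00:1b:21:aa:bb:cc", "00:1b:21:dd:ee:ff", "192.168.1.10", "192.168.1.254", PROTO_UDP, 51000, 53, b"dns?"),
    build_frame("00:1b:21:aa:bb:cc", "00:1b:21:dd:ee:ff", "192.168.1.10", "192.168.1.254", PROTO_TCP, 51001, 443),
    build_frame("00:1b:21:dd:ee:ff", "00:1b:21:aa:bb:cc", "192.168.1.254", "192.168.1.10", PROTO_UDP, 53, 51000, b"dns!"),
    build_frame("00:1b:21:aa:bb:cc", "ff:ff:ff:ff:ff:ff", "0.0.0.0", "255.255.255.255", PROTO_UDP, 68, 67, b"dhcp"),
]


def run_pipeline(frames, capacity: int) -> TraceBuffer:
    """Capture filter first, then store: a frame the pre-filter rejects never reaches the buffer."""
    buf = TraceBuffer(capacity)
    for raw in frames:
        if capture_filter_udp(raw):
            buf.push(raw)
    return buf


if __name__ == "__main__":
    buf = run_pipeline(SAMPLE_FRAMES, capacity=2)
    print(f"stored {len(buf.frames)} frames, dropped {buf.dropped} (ring buffer full)")
    for p in display_filter(buf.packets(), **{"udp.dstport": 67}):
        print("udp.dstport == 67 ->", p["eth.src"], p["ip.src"], "->", p["ip.dst"])
```

The two filter stages differ in what they can see and what they cost: capture_filter_udp() looks at raw byte offsets before any dissection, and a frame it rejects is never stored, whereas display_filter() works on the decoded dictionary and can be changed freely because every stored frame is still in the buffer. The ring buffer shows the price of a bounded trace buffer: with capacity 2 the first DNS query is silently dropped, so a bound that is too small loses the very packets an investigation needs.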

3. Summary

This section has described the role of the network card in the computer: it is what gives every computer its network communication capability, letting us reach the Internet and communicate with other machines. The Wireshark protocol analyzer captures and analyzes the packets that flow into the local computer, so it is tightly bound to the network adapter: without an adapter there is nothing for the analyzer to capture. That is why this article describes the network adapter before explaining Wireshark.