Friday, June 25, 2010

TCP/IP Network stack packets Home Network

At my home, I use a Broadband connection, behind a wireless router(Netgear).
There is a certain IP address assigned to my Laptop, for e.g. on this
wireless network.
Similarly there must be some IP address for the broadband modem I use as well.
I want a tool (for windows) which helps me in clearly visualizing, what happens
when I send a request to a website and how does the data get back to me
(and not to any other laptop connected to this wireless network), i.e.
how are the IPs resolved to make sure that I receive the data which I had
requested and not anyone else.

In case there is no such tool, a clearly written explanation would also suffice.

Ans : 
Wireshark is indeed the best way to see how this works from a packet by packet connection. However you seem to be interested in what happens inside the router, when it is translating from the external IP address to the internal address.

To see this you would need to do a wireshark capture on both sides of the router, on the client side and on the link between the cable modem(or dsl or fios)  and router. You can capture this with a hub ( not a switch, they are getting harder to find now ) that you plug the cable modem, the router and a pc running the capture software into.

Basically the router performs a species of network address translation (NAT) known by several different names (cisco calls it  protocol address translation or PAT. 

I will explain the basics, but here is a wikipedia article.

When your pc connects to a web server , it does the dns and packet connection descried by billbach above.

It then sends a tcp packet to the resolved ip address. resolves as to me here...

The packet looks sort of like this. I am skipping a lot of stuff, like mac addresses, flags, data... etc.

Source ip     destination ip      destination tcp port    source tcp port         80                           1032

That source tcp port will be the key to how pat works.

Your pc keeps track of the above in it's tcp connection table. You can see the tcp connection table in windows by typing netstat -an, or just netstat -a to see the dns names, but it takes longer.

If you have connected to google from your pc you will see this in the netstat -an results.


Now when that packet gets to your router, the default gateway, it does a bit of trickiness to convert that packet to the external ip address handed out by your isp. Lets say that is You can find out what it really is by going to, or checking the status inside the router configuration gui.  It changes the source ip to its external interface, and it also modifies the tcp source port to a unique identifyer. How unique is up to the router, but it only needs to be uniqe in terms of destination and tcp port. So it looks like this...

Source ip     destination ip      destination tcp port    source tcp port         80                           32234

This is how sees the connection, and it sends packets back on this tcp connction like this.

Source ip     destination ip      destination tcp port    source tcp port         32234                         80.

This packet gets back to the router ( and it then checks it's PAT table and sees that this remote ip/source port/destination corresponds to the original connection and sends it back to the pc as 

Source ip     destination ip      destination tcp port    source tcp port          1032                        80.

So, in short it keeps track of the ip-tcp source port-tcp destination port combinations in a table for both sides of the connection, and manages its many internal ip addresses using them.

This is TCP, it does the same for UDP, and does something a little different for icmp (ping for instance). Icmp is a little tricky, if a lot of users are getting icmp source quenches from the same external hosts, then a router might have problems getting back to the right pc.  They definitely can have problems with protocols without ports. IPSEC vpn clients can have a lot of problems, especially if there are multiple clients behind the router going to the same external vpn concentrator. You might need to flash your router with new code to make it work. I did : -) .

SO, check out the wikipedia article. It is good.

No comments:

Blog Archive