Question re: packet headers

Sho'Nuff

I'll preface this with saying that this post may not be in the right place. If it is not, I hope the mods will move it to the correct forum.

I have a general question about network packet headers, which I'm hoping someone here might be able to answer. I am not a network engineer (as will become obvious), so no laughing if my question turns out to be at the left side of the difficulty bell curve.

My question is this:

Do internet protocol packets include UDP and RTP headers, as well as an IP header? My impression was that UDP packets, RTP packets, and IP packets were different packet structures with associated headers, but I'm questioning that understanding in view of a conversation I recently had with a colleague.

Thanks in advance.
 

SecurityTheatre

OK.

You need to have a basic understanding of OSI Layers.

Here they are (with examples):

Layer 1 (Physical) - CAT6 UTP, Coax, Fibre, etc
Layer 2 (Link) - Ethernet
Layer 3 (Network) - IP, IPX, NetBEUI [eww]
Layer 4 (Transport) - TCP, UDP, ICMP
Layer 5 (Session) - RTP, SOCKS (often merged with layer 6 or 7)
Layer 6 (Presentation) - SSL, etc (often merged with layer 7)
Layer 7 (Application) - most applications. HTTP, Skype, SMTP, telephony etc


As you can see, it would be possible to have a telephony application use RTP over UDP via IP to transmit data over a twisted pair Ethernet.

There's your layers. :)

This post is using HTTP over SSL via SOCKS over TCP over IP via Ethernet on 802.11n CSMA/CD... Obviously the physical layer and data link layer change in transit. At the router, the network layer changes. At a load balancer, perhaps the transport layer changes too, and an application proxy might modify the whole stack through layer 6 or 7... then it gets to the endpoint. :)


To answer your question.

There are physical framing signals to do data sync on the wire (1000-BASE-T framing, T1 sync words, etc) for layer 1
There is an Ethernet header on the LAN (MAC address src/dest, FDDI nodes address, whatever) for layer 2
There is an IP header on the frame (IP address src/dest, checksum, etc) for layer 3
There is a UDP header on the packet (port src/dest, frame data, etc) for layer 4
There is an RTP header on the datagram (session information, etc) for layer 5
There might be headers for the application (username? data type? control info?) for layer 6-7

Stacks upon stacks of headers. :)
 

imagoon

Layer 2 I would add:

Layer 2 (Link) - Ethernet, D3, D4, ESF

Or, even more fun, the Layer 2+3 protocols: PPP, ARP, ATM, MPLS, RARP, X.25
Or 3+4 like AppleTalk, IPX, SPX

Headers are stacked on top of each other, sometimes moving up and down layers. They are bolted on during the build process then plucked back off at the other end. It is entirely possible to send a layer 2 protocol over a layer 3 protocol etc.

As mentioned above, the datagram moves up and down the stack. In basic connections like, say, an HTTP GET, it moves down the stack 7 to 1, getting headers along the way, then the receiving end plucks them off. Also, in a connection hitting the internet, the lower level headers will get plucked off and rebuilt along the way. An example is the MAC address in layer 2: this doesn't make it out to the Internet because all the routers on the way will pluck off the layer 2 header, work with it and then create a new one for the next layer 2 hop (link is often referred to as link-local for this reason), as it is only valid for the distinct connection. Another closer to home example would be your computer sending a packet to your router. What gets dumped on the line will have a completely different layer 1 and layer 2 packet header. Layer 3 may change if you use NAT.

So getting back to your question, something like UDP being layer 4 would at minimum have [layer 1 physical link header][Layer 2 frame header mac address etc][layer 3, dest IP, source IP][UDP session headers]["data"]. As far as UDP is concerned, any headers in Layers 5-7 are just "data." Firefox up at layer 7, however, does care about the layer 7 headers (HTTP, HTTPS, etc)
 

lif_andi

Roughly and very quickly the process is like this: (stolen from google)

Data is created and sent from one of Layers 5,6 or 7 to Layer 4.

At Layer 4

Data is passed down to the transport layer (Layer 4) where it is encapsulated to include source and destination port numbers that identify the applications (such as FTP or e-mail) between which the data should be passed. At this point, the data is considered a segment.

At Layer 3

A segment is passed down to the network layer (Layer 3), where it is encapsulated and given source and destination IP addresses. At this point, the segment becomes a packet.

At Layer 2

A packet is passed down to the data link layer (Layer 2), where it is encapsulated and given a source and destination MAC address. A footer is also appended to the packet. The footer contains an error-checking mechanism called a cyclical redundancy check (CRC). At this point, the packet becomes a frame.
The cyclical redundancy check (CRC) is a mathematical calculation that allows the receiving computer to verify whether a packet is valid. When a sending host transmits a packet, it calculates a CRC by summing all the ones in the payload and storing this sum as a hexadecimal number, which is then stored in the trailer. When the receiving host reads the packet, it runs its own CRC, then compares it with the CRC stored in the trailer. If the two match, the packet is not damaged, and the receiving host processes the packet. If the CRCs do not match, the receiving host discards the entire packet.

At Layer 1

Frames are passed down to the physical layer (Layer 1) where they are sent across the transmission medium as a bit stream.

Removing headers

When a receiving host processes a packet, it reverses the packet-creation process and de-encapsulates or removes each header, beginning with Layer 1 and ending with Layer 7. All that is left at the end of this process is the original, unaltered data, which the host can then process.
 

Sho'Nuff

OK, so let me paraphrase. Headers are added and subtracted as one moves up and down the OSI food chain. Thus, an IP packet created at layer 3 will include header information for layers 4-7, which may be stripped off by a receiving system once the packet reaches its destination.

Second question - "must" an IP packet include an RTP and UDP header? Or are UDP and RTP headers each simply one among many options at layers 4 and 5? From SecurityTheatre's post the answer seems straightforward, but I don't want to assume anything.

Also - many thanks for the help.
 

imagoon

OK, so let me paraphrase. Headers are added and subtracted as one moves up and down the OSI food chain. Thus, an IP packet created at layer 3 will include header information for layers 4-7, which may be stripped off by a receiving system once the packet reaches its destination.

Second question - "must" an IP packet include an RTP and UDP header? Or are UDP and RTP headers each simply one among many options at layers 4 and 5? From SecurityTheatre's post the answer seems straightforward, but I don't want to assume anything.

Also - many thanks for the help.

You have it backwards. IP packet will have 1-3. Not all protocols go to the top of the stack. ICMP hits 4 and stops so it only has headers for 1-4. You have one header for each protocol you use. So at layer 4, ICMP will not have a TCP or UDP header (barring encapsulation stuff.)
 

lif_andi

Google some images of IP packets and TCP/UDP protocol and examine them. I think you might understand this a little better that way.
 

Gryz

You have it backwards. IP packet will have 1-3.
That depends on your perspective.
If you look at it as the originator of a packet (the application), pushing the packet downwards to level 1, then an IP packet has application data, layer 4-7 headers, and an IP header.
If you look at it from the perspective of transmission (the bottom), then a packet always has a layer-2 header (ethernet in this case) if it has an IP header.

You have one header for each protocol you use. So at layer 4, ICMP will not have a TCP or UDP header (barring encapsulation stuff.)
I understand what you are saying, but strictly this isn't true.
Look at GRE or VXLAN encapsulation. :)
You can have 2 or more IP headers, 2 or more UDP headers in a single packet that is transmitted over the wire. But let's not make this more complicated than it is.


The main thing to understand is the concept of encapsulation.
And I think it's most intuitive to start from the perspective of the application that is trying to send data across the network to another application.
To send data, you make use of a service that lies "lower" in the OSI stack. That service encapsulates your data, and then makes use of a yet lower service to transmit that data. That service will encapsulate with yet another header, and send it further down the stack. On and on, until finally the ethernet driver starts sending bits across a wire.
The receiving end does the opposite. The receiving service strips off a header, and passes the data to a higher service. And so on, until the data is finally passed up to the receiving application.

The encapsulation can go as deep as you want.

Some examples.
Typical encapsulation:
data -> TCP header -> IP header -> Ethernet header.
With VLANs:
data -> TCP header -> IP header -> VLAN header -> Ethernet header.
Over your ADSL link:
data -> TCP header -> IP header -> PPP header -> AAL5 header -> ATM cells.
Over a GRE tunnel that goes over a VXLAN:
data -> TCP header -> IP header -> GRE header -> IP header -> VXLAN header -> UDP header -> IP header -> Ethernet header.

And so on, and so on. Over the years, encapsulation schemes have become more and more complex.
 

imagoon

That depends on your perspective.
If you look at it as the originator of a packet (the application), pushing the packet downwards to level 1, then an IP packet has application data, layer 4-7 headers, and an IP header.
If you look at it from the perspective of transmission (the bottom), then a packet always has a layer-2 header (ethernet in this case) if it has an IP header.

A pure IP packet wouldn't have or care about 4-7. Granted a pure layer 3 is rare hence why I used Layer 4 ICMP. ICMP will not have a 5-7 when called.

I understand what you are saying, but strictly this isn't true.
Look at GRE or VXLAN encapsulation. :)
You can have 2 or more IP headers, 2 or more UDP headers in a single packet that is transmitted over the wire. But let's not make this more complicated than it is.
Hence the "barring encapsulation" comment.

The main thing to understand is the concept of encapsulation.
And I think it's most intuitive to start from the perspective of the application that is trying to send data across the network to another application.
To send data, you make use of a service that lies "lower" in the OSI stack. That service encapsulates your data, and then makes use of a yet lower service to transmit that data. That service will encapsulate with yet another header, and send it further down the stack. On and on, until finally the ethernet driver starts sending bits across a wire.
The receiving end does the opposite. The receiving service strips off a header, and passes the data to a higher service. And so on, until the data is finally passed up to the receiving application.

The encapsulation can go as deep as you want.

Some examples.
Typical encapsulation:
data -> TCP header -> IP header -> Ethernet header.
With VLANs:
data -> TCP header -> IP header -> VLAN header -> Ethernet header.
Over your ADSL link:
data -> TCP header -> IP header -> PPP header -> AAL5 header -> ATM cells.
Over a GRE tunnel that goes over a VXLAN:
data -> TCP header -> IP header -> GRE header -> IP header -> VXLAN header -> UDP header -> IP header -> Ethernet header.

And so on, and so on. Over the years, encapsulation schemes have become more and more complex.

Yes. I am well aware of this. I even mentioned it in the previous post about doing things like running layer 2 out over a WAN. Obviously at that point Layer 2 activity would be encapsulated into anything from layer 1-5 to 1-7 depending on how it was handled.
 

SecurityTheatre

Second question - "must" an IP packet include an RTP and UDP header? Or are UDP and RTP headers each simply one among many options at layers 4 and 5? From SecurityTheatre's post the answer seems straightforward, but I don't want to assume anything.

Also - many thanks for the help.


RTP and UDP are just protocols and they can vary.

The most common communications on the Internet are TCP. UDP is an alternative to this. You replace the TCP with UDP and you have a different kind of session, but all of them use IP at the lower level.

Pretty simply put, when an IP packet contains TCP, it has a flag that indicates what type of data is to be found below.

Here is a list of protocols supported by IP (this includes TCP, UDP, ICMP, IGMP and many others that are less common)

http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers
 
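The header stacking discussed in this thread, as an added example that is not from any of the posters: a small parser that walks a constructed frame from the outside in and reports which headers it finds, using the IPv4 protocol field (1 = ICMP, 6 = TCP, 17 = UDP) to decide what follows the IP header. The MAC addresses, 192.0.2.x addresses, port 5004 and RTP field values are constructed sample data, checksums are left at zero, and the RTP detection is a simple heuristic chosen for illustration.

```python
import struct

IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}  # small subset of the IANA list

def build_frame(ip_proto, l4_bytes, vlan_id=None):
    """Constructed sample: Ethernet [+ 802.1Q tag] + IPv4 around the given bytes."""
    eth = bytes.fromhex("02000000000b" "02000000000a")  # dst MAC, src MAC (made up)
    if vlan_id is not None:
        eth += struct.pack("!HH", 0x8100, vlan_id)      # 802.1Q: TPID, TCI
    eth += struct.pack("!H", 0x0800)                    # EtherType: IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4_bytes), 0, 0,
                     64, ip_proto, 0,                   # TTL, protocol, checksum (0 here)
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip + l4_bytes

def header_stack(frame):
    """Walk the frame outermost-first and return the headers found, in order."""
    stack = ["Ethernet"]
    ethertype, = struct.unpack_from("!H", frame, 12)
    off = 14
    if ethertype == 0x8100:          # VLAN tag sits before the real EtherType
        stack.append("VLAN")
        ethertype, = struct.unpack_from("!H", frame, 16)
        off = 18
    if ethertype != 0x0800:
        return stack
    stack.append("IPv4")
    proto = frame[off + 9]           # byte 9 of the IP header: what comes next
    stack.append(IP_PROTOCOLS.get(proto, f"proto {proto}"))
    off += (frame[off] & 0x0F) * 4   # skip the IP header (IHL is in 32-bit words)
    if proto == 17:
        payload = frame[off + 8:]    # the UDP header is always 8 bytes
        # UDP carries no "next protocol" field, so RTP can only be guessed:
        # here, at least 12 bytes and RTP version bits equal to 2.
        if len(payload) >= 12 and payload[0] >> 6 == 2:
            stack.append("RTP")
    return stack

def udp_rtp(payload=b"voice"):
    """Constructed UDP datagram carrying a minimal 12-byte RTP header."""
    rtp = struct.pack("!BBHII", 0x80, 0, 1, 160, 0x1234) + payload  # V=2, PT=0
    return struct.pack("!HHHH", 5004, 5004, 8 + len(rtp), 0) + rtp

def icmp_echo():
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # echo request: no UDP/TCP header
```
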