Application layer is the interface top layer of the networking architecture. It serves as the gate between the programs that are running on your computer and the underlying network transport layers. At this layer components necessary to share resources (services) with the network and to gain access to network resources.
Two APIs live here WinSock and NetBIOS.
WinSock is used to support TCP/IP apps like IIS, FTP, and PING
NetBIOS is used to support Windows networking architecture like Network Neighborhood and net use.
WinSock uses ports as the connection point for the service or client registering with the winsock interface. A port is a logical connection point and can be used by a client to identify to which service the client wants to talk. (pages 56 and 57 Figure 3.1 and 3.2)
Common Services with Port Numbers and Protocols (page 59 & 60 Table 3.1)
NETSTAT
NetBIOS is the basis for Microsoft networking. Meaning, you must be able to handle the basic NetBIOS functions : name management, session management, and connectionless & connection-oriented data transfer (page 33)
TCP/IP has no problem dealing with data transfer, or session management. However, it does have a hard time handling name management. TCP/IP handles this using NetBIOS over TCP/IP (NBT).
NBT handles direction of NetBIOS traffic to either TCP or UDP, depending if traffic is connection-oriented or not.
Connection-oriented requires a connection (TCP). NBT requests TCP to create a session and then tracks the session to ensure it remains active. Ok so this deals with the transfer, still an issue with name management. NBT handles name management by providing a name service that runs on a seperate port that all NetBIOS systems know about. This enables NetBIOS to register names and the name receives the service.
Name management , registering of name, resolution and releasing, is all handling normally by broadcasts, this service uses UDP ports (137 and 138)
NetBIOS port numbers and protocols (page 62 Table 3.2)
So, this all works by the application you are using talks to the regular NetBIOS API. This API passes the request to the NBT layer, which calls on the NetBIOS port numbers to actually perform the services.
NBTSTAT
For everything to work, you need some means or methog of resolving the NetBIOS name or Hostname to a TCP/IP address. Winsock interface uses only IP addresses to communicate, well this is also true for NetBIOS communications and TCP/IP utilities.
The order of resolving the type of name is normally determined by the command that you use. If you use a NetBIOS command, the resolution is in the NetBIOS order. If you use the hostname it is hostname resolution that you use.
(ie) If you use a TCP/IP utility like FTP you use host name resolution. Likewise, if you use NET USE (NetBIOS command) you use the NetBIOS name resolution.
NetBIOS Name Cache list of NetBIOS names already been resolved to TCP/IP address. These names can be configured to be either static or dynamic.
NetBIOS Name Server (NBNS) systems that exist on network. They have a service running that takes a name query for a NetBIOS name and resolves it to an IP address (WINS) Windows Internet Naming Service.
Broadcast NetBIOS has always been based on broadcast. A broadcast can be used to resolve addresses that cannot be found. Most routers DON'T pass NetBIOS broadcasts--this would cause too much traffic at the router and prevent it from sending real data. (Broadcast Storm at router).
LMHOSTS is a LAN manager hosts file that was used in LAN Manager to enable systems to resolve TCP/IP addresses. (WINS)
HOSTNAMES decides whether you are trying to talk to yourself.
C:\>hostname
rlghncwt1ef
DNS (Domain Name Service) runs on a computer and resolves hostnames to IP addresses, or IP addresses to hostnames (reverse lookup) (nslookup)
C:\>nslookup 56.88.21.239
Server: gnjdns1.usps.gov
Address: 56.5.0.110
*** gnjdns1.usps.gov can't find 56.88.21.239: Non-existent domain
Application layer has two main APIs: WinSock and NetBIOS. The application layer, the top layer of the network, has services and clients.
The transport layer is responsible for taking the data from WinSock and putting it into packages that can be sent on the network. It is also responsible for creating the data segments it is sending to WinSock on the remote computer, and also addressing the packets to a TCP/IP address.
It comes through WinSock interface, passed to UDP or TCP. This layer knows what the data came from. It is sent to appropriate protocol, then all the WinSock interface needs to do is tell the transport protocol to which IP address to send.
The data from WinSock becomes the data segment and then both a header and pseudo header are created.
A header is a special data structure added to the data Windock sent down. It contains information about the about the destination and host computers and the protocols (TCP or UDP) being used.
A pseudo header is used to tell IP where the information is to be sent.
TCP is a connection-oriented protocol, with a mechanism that guarantees delivery of information from one host to another. (see page 68 Figure 4.1)
TCP header includes:
Source Port (16 bits) specifies the WinSock port sending the information
Destination Port (16 bits) specifies the WinSock port to use on the receiving host
Sequence Number (32 bits) specifies the sequence position of the first dat byte in the segment. This enables the hosts to guarantee delievery by providing unique numbers for each segment that can be acknowledged by that number.
Acknowledgment Number (32 bits) specifies the next Sequence number expected by the sender of the segment. (TCP indicates this field is active by setting the ACK bit (ACK bit is always set after a connection is established.)
Data Offset (4 bits) specifies the number of 32-bit words in the TCP header. Options arer padded with 0-value octets to complete a 32-bit word when necessary (Tells the system what the header is and what is data)
Reserved (6 bits) Must be zero, reserved for future use.
Control Bits (6 bits) there are six control bits.
URG if set (1), the Urgent Pointer field is significatnt. If set to (0), the field is ignored.
ACK if set, the Acknowledgement Number field is significant.
PSH initiates a push function
SYN synchronizes sequencing conuters for the connection. This bit is set when a segment requests the opening of a connection.
FIN No more data, closes connectionWindow (16 bits) specifies the number of bytes, starting with the byte specified in the Acknowledgment Number field, (what the sender of the segment can currently accept).
Checksou (16 bits) is an error control checksum that covers the header and data fields. (Doesn't cover any padding required to have the segment consist of an even number of octets)
Urgent Pointer (16 bits) idnetifies the Sequence number of the octet following urgent data. The urgent pointer is a positive offset from the Sequence number of the segment.
Options (variable) available for a variety of functions, including end of options list, no-operation, maximum segment size, and maximum segment size option data.
Padding (variable) 0-value octets are appended to the header to ensure that header ends on a 32-bit word boundary.
UDP is a connectionless protocol, no guarantees for delivery. (see page 70 figure 4.2)
UPD Header includes (much simpler than TCP header because UDP is a connectionless protocol)
Source Port (16 bits) this field is optional and specifies the source WinSock port when enableing the receiver of the datagram to send a response if neccesary, otherwise, source port value is (0) zero.
Destination Port (16 bits) specifies the destination WinSock port at rmeot host
Length (16 bits) the length in bytes of the datagram, including the header and data. The minimum value is 8 to allow for a header. And the datagram is limited to a maximum length of 65,535 bytes (which makes 65,527 bytes available for data.
Checksou (16 bits) is a checksum value (optional)
Regarless if transport protocol is TCP or UDP, the headers are bundled with the data to create either a TCP segment or a UDP header, which is passed to the IP layer. A pseudo header prevent IP layer from having to open the packet.
Pseudo headers are used to tell the underlying layers (IP in this case) what to do with the packet. It includes source and destination addresses, the protocol used, and the segment length. All this information is forwarded with TCP or UDP segments to IP to provide the information required to move the information across the network and to the corrct protocol on the other host (see page 71 figure 4.3)
TCP provides reliable communication between processes that run on interconnected hosts. It is not concerned with routing data through the internetwork, the network infrastructure is the responsibility of the IP layer. It identifies hosts by using IP addresses and does not concern itself with physical addresses.
The main functions of TCP are
- session establishment
- Byte stream communications
- sliding windows
TCP uses a three-way handshake. The handshake not only creates the session, but also allows the hosts to exchange data about their capabilities. (see page 72 figure 4.4.)
Here's how the three-way handshake works. It starts when one host is asked by WinSock to open a connection (session). TCP segment is generated to start the session and the SYN control bit is turned on. This tell the other host that a session is requested. The host includes in TCP header the starting Sequence number for this connection and the current window size. TCP segment is now sent to the other host, who acknowledges the segment, and includes its window size. The segment sent to acknowledge the first host also includes the SYN control bit and finally, the process ends when the first host acknowledges the receipt of the other's segment. After the host have completed their communications, the connection is closed in a similar manner, except that a FIN control bit is set rather than the SYN bit.
Data is sent as a continuous stream because the upper-layered protocols do not concern themselves with the formatting of the data to fit the underlying topology. TCP must have some method for dealing with a large volume of data that has no boundries. Every byte (8 bits) in a stream is assigned a Sequence number, enabling every byte sent to be acknowledged. TCP then bundles the data stream it sends into segments; a segment contains chunks of data.
The TCP header specifies the segment Sequence number for the first byte in the data field, and each segment as an Acknowledgement number. When TCP sends each segment it retains a copy of the segment in a queue (transmit window), where it remains until an acknowledgement is received. (Segments not acknowledge are retransmitted).
Very necessary because the way the Internet (Intranet) works. Each segment sent can take a different route to destination host, due to busy or down routers. Data must be buffered on the sending host until the remote host has acknowledged receipt of segment.
This buffer is the sliding window that enables byte stream communications and enables TCP to guarantee the delivery of segments of data. (as previous discussed the sliding window size between the two host is established the Session Establishment and is also included in the TCP header of each and every segment sent. (The host sending sets the size of its send window to match the other host's receive window).
This is how it works. A portion of the data falls into the "window". This is the only data TCP layer can work with. The window cannot slide (move to cover the next segment) until all data currently in the window is sent and acknowledged. When the acknowledgement is received by the sender, its transmission window slides past the acknowledged data and the next segments are transmitted.
If the packet is lost, the retransmit timer expires on the sending host, the segment is retransmitted and the retransmit timer is set to two times the original value. (maximum number of retries is about 16 seconds) If the data cannot be retransmitted, TCP reports the condition and you receive an error message.
If segments are received out ot order, the receiving host sets the delayed acknowledgment timer for the segment it did receive, and waits for other segments to arrive. If the delayed acknoledgment timer (hard coded to 200 ms) expires, TCP on the receiving host sends an acknowledgement for the segment it did receive.
The sliding window can be adjusted but use caution. If a window size is too small, only a few packets can be sent at a time which means the system transmits the packets and then must wait for an acknowledgement of receipt. Likewise, if the window size is too large, network traffic delays the transmission. The default size is around 8 k. UDP does not use a sliding window.
UDP provides an alternative transport for processes that do not require reliable delivery. UDP is a datagram protocol that does not guarantee data delivery or duplicate protection. UDP uses far less overhead than TCP.
You might consider using UDP to TCP in the following situations:
- Messages that require no acknowledgment. SNMP alerts use UDP.
- Messages between hosts are sporadic. SNMP messages are sent at irregular intervals.
- Reliablility is implemented at the process level. NFS is an example of a process that performs its own reliablility function and runs over UDP to enhance network performance. (Some applications confirm receipt at the application layer)
The Transport Layer handles TCP sessions and both connection-oriented transmissions and connectionless transfers.