Ethernet Frame Format: History

Ethernet is a widely used networking technology that finds its application in local area networks (LANs), metropolitan area networks (MANs), wide area networks (WANs), and other fields, such as industry, avionics, telecommunication, and multimedia. The Ethernet technology was introduced in 1980, and the first standardization was conducted in 1983 by IEEE 802.3.

  • network security
  • packet sniffer
  • packet classification
  • FPGA

1. Introduction

The Internet of Things (IoT) has interconnected embedded technologies, causing networks to become more complex due to the growth of web applications and business transactions. Consequently, networks have become more susceptible to cyberattacks, which can lead to unauthorized access, denial of service, and theft or alteration of sensitive data [1][2][3]. Cyberattacks pose a threat in various fields, such as Industry 4.0 [4][5][6] and healthcare [7][8][9].
Firewalls and packet sniffers are two common types of network security systems that can be used to prevent cyberattacks and protect computer networks. Firewalls work by monitoring and controlling incoming and outgoing network traffic based on pre-defined rules, while packet sniffers analyze network traffic in real time to detect and isolate potential threats. With the increasing complexity of computer networks and the growing number of cyberattacks, it is becoming more important than ever to have effective network security measures in place. These devices aim to detect any malicious traffic by either comparing packets with known attack samples (the signature-based approach) or by identifying abnormal traffic that does not match with known legitimate packets (the anomaly-based approach).
The difference between a firewall (or intrusion prevention system, IPS) and a packet sniffer (or intrusion detection system, IDS) is that an IPS possesses, either physically or logically, two ports. Network data entering one port are transparently forwarded to the other port if no threats are detected, and are blocked otherwise [10]. An IDS, on the other hand, works in passive mode, reading all data received at its input port, and sending alarm messages to a remote server when potential threats are detected [11][12]. For home or business networks, where the speeds rarely exceed 1 Gbps, firewalls and packet sniffers can be effectively implemented in software running on a server.
In 2017, Nivedita and Kumar proposed an innovative approach for a firewall using a hybrid frame of Netfilter for Linux web servers [13]. In 2016, Nivethan and Papa proposed a new methodology that extended existing Linux-based firewalls to protect the US smart grid, specifically for systems that use the DNP3 protocol. The aim of this approach was to prevent cyberattacks and ensure the security of the smart grid, which is becoming increasingly important in today’s interconnected world [14]. In 2022, Tirumala and colleagues conducted a study on the hardware capabilities of Raspberry Pi network interfaces to handle high volumes of incoming traffic for protecting small- and medium-sized enterprises and smart homes [15]. In 2015, Phalguni and Krishna presented a software firewall for the application layer running on an ARM9-based single-board computer based on the Iptables/Netfilter frame in Linux [16]. In 2013, Oluwabukola et al. proposed Psniffer, a packet sniffer software application for network security in Java [17]. In 2008, Phang et al. presented V6SNIFF, an efficient packet sniffer capable of analyzing IPv6 packets [18]. In 2017, Goyal et al. conducted a comparative study between the two most popular packet sniffing software tools (Tcpdump and Wireshark) [19].
Firewalls and packet sniffers that are based on software running on a standard computer are generally reliable in most situations. However, when the amount of data being transferred and the transfer speed increase beyond a certain threshold, these systems may lose their effectiveness. In such situations, it is preferable to use a hardware implementation since it can guarantee real-time operations and much higher data throughputs. It is common for commercial firewall and packet sniffer products to be based on application-specific integrated circuits (ASICs), which are highly optimized devices designed and manufactured for a specific application. They offer top performance in terms of speed, power consumption, and production cost per unit. However, ASICs are also known for their complex design and high non-recurrent design costs, which make them best suited to high production volumes. Field-programmable gate arrays (FPGAs) are more suitable for products designed for small production volumes and research projects. These semiconductor devices feature quick design steps and negligible non-recurrent engineering costs.
In 2019, Niemiec et al. conducted a survey addressing the open research challenges that need to be tackled for the adoption of FPGAs in accelerating virtualized network functions [20]. In 2011, Wicaksana and Sasongko presented a prototype of a hardware stateless firewall designed using Cyclone II FPGA working at 91 MHz [21]. According to these authors, the implementation only included packet classification, and the absence of an efficient FIFO buffer hinders high-speed data transfer. In 2017, Lin et al. presented an Ethernet firewall based on an FPGA that achieves a data throughput of 950 Mbit/s. The FPGA can be interfaced to ARM devices to realize a management server [22]. In 2012, Prajapati and Khare proposed a framework for firewall hardware on an FPGA designed in Verilog that can handle IPv4 and IPv6 network data [23]. In 2020, the same authors presented a reconfigurable firewall based on a Xilinx Virtex-6 FPGA. This firewall achieves a throughput of 142 Gbit/s at a clock rate of 442.6 MHz for a minimum packet size of 40 bytes [24]. Mohammed and Ueno proposed an FPGA-based firewall in 2018, which was based on a Xilinx Kintex-7 XC7K325T device. The proposed firewall exploits content addressable memory to achieve a much better performance than a Linux firewall based on Iptables [25]. In 2021, Hilgurt presented a brief overview of various approaches, methods, and techniques used for designing an FPGA-based IDS [26]. In 2022, Stój et al. introduced an Ethernet packet sniffer based on a Xilinx Kintex-7 FPGA platform, which was designed for network intrusion detection in Industry 4.0 [27]. In 2013, Pal et al. proposed E-Sniff, a small special-purpose embedded system for capturing and logging network data based on a Cyclone II FPGA [28]. In 2005, Song and Lockwood published a paper on an efficient packet classification system for network intrusion detection using an FPGA that achieved a data rate of 2.5 Gbit/s [29]. Faria et al.’s FPGA-based Ethernet sniffer for real-time networks, which they proposed in 2009, can be interfaced via USB to a host computer for the generation of graphics and statistical data [30]. In 2016, Fiessler and colleagues proposed a hybrid packet classification approach called HyPaFilter. This approach handles simple operations in hardware designed with an FPGA, while complex operations are dealt with using a Linux-based software firewall [31].

2. Ethernet Frame Format

Ethernet is a widely used networking technology that finds its application in local area networks (LANs), metropolitan area networks (MANs), wide area networks (WANs), and other fields, such as industry, avionics, telecommunication, and multimedia. The Ethernet technology was introduced in 1980, and the first standardization was conducted in 1983 by IEEE 802.3 [32]. The data transfer rate of Ethernet has evolved from the initial 2.94 Mbps up to 100 Gbps [33]. In Ethernet networking, the data are described according to different levels of abstraction in the OSI model [34]. At level 2 (data link layer) of the OSI model, the data are described in the form of frames. The format of an Ethernet II frame is displayed in Figure 1. It always starts with a preamble and a start frame delimiter (SFD), and it ends with a frame checksum (FCS), a four-byte CRC that detects any corrupted data in the frame. The header of the Ethernet frame consists of the following fields: a destination and source media access control (MAC) address, a VLAN tag (an optional field), and the protocol type of level 3 (network layer), while the payload represents the data of the network layer. The packet formats of two of the most important protocols of the network layer, ARP and IP, are presented in Figure 2 and Figure 3, respectively. The IP header also includes the protocol of the level 4 layer (transport layer), whose data are present in the IP payload. Three different protocols of the transport layer were considered, namely TCP, UDP, and ICMP, and their packet formats are presented in Figure 4, Figure 5 and Figure 6, respectively.
Figure 1. The format of an Ethernet II frame. The length of each field of the frame is reported as the number of bytes.
Figure 2. The format of an ARP packet. The length of each field of the frame is reported as the number of bytes.
Figure 3. The format of an IP packet. The different fields of this packet are presented in rows of 32 bits.
Figure 4. The format of a TCP packet. The different fields of this packet are presented in rows of 32 bits.
Figure 5. The format of a UDP packet. The different fields of this packet are presented in rows of 32 bits.
Figure 6. The format of an ICMP packet. The different fields of this packet are presented in rows of 32 bits.
The fields that are most important from the perspective of cybersecurity for the TCP/IP and UDP/IP packets are the IP source and destination addresses, along with the source and destination ports. The IP address, along with the MAC address, is used to identify a device within a network. Moreover, while the IP address is used as a global address, the MAC address is utilized as a local address. When data are directed on the internet, the IP address is used, and when the local area network (LAN) has been reached, the IP address is translated to the MAC address, and the data are delivered to the intended device. Similarly, the source and destination port numbers are utilized to define the application or service involved, so that the operating system can deliver the packet to the appropriate process. The importance of these parameters for cybersecurity is two-fold. Being able to read them enables a potential attacker to infer who is communicating with whom (in terms of network hosts) and what kind of dialogue is happening, even if the contents (payload) are encrypted. It is not possible to obscure IPs and ports without modified protocols, such as IPSec [35], or encapsulation performed by specific applications, such as virtual private networks (VPNs). Obscuring IPs and ports using these techniques may interfere with the functionality of a firewall or a packet sniffer. Therefore, encrypted IP and port numbers were not considered. An attacker who can alter these parameters can hide their own identity by spoofing the source address, usually with the goal of bypassing firewall rules that would block packets bearing their real address.
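To make the frame layout and the classification fields described above concrete, the following Python parser is an added example (it is not code from the paper this entry is adapted from). It walks an Ethernet II frame through the optional VLAN tag and the IPv4 header to the TCP/UDP ports; the names `classify` and `SAMPLE` are hypothetical, the sample frame is constructed, and the parser assumes the preamble, SFD and FCS have already been removed by the capture hardware.

```python
import struct
from ipaddress import IPv4Address

ETH_IPV4, ETH_VLAN = 0x0800, 0x8100          # EtherType values
L4_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IPv4 protocol numbers

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def classify(frame: bytes) -> dict:
    """Return the header fields a firewall or packet sniffer matches on.

    Assumption: the frame starts at the destination MAC and carries no
    trailing FCS; checksums are not verified.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    out = {"dst_mac": _mac(frame[0:6]), "src_mac": _mac(frame[6:12]), "vlan": None}
    (etype,) = struct.unpack_from("!H", frame, 12)
    off = 14
    if etype == ETH_VLAN:                      # optional 4-byte VLAN tag
        if len(frame) < 18:
            raise ValueError("truncated VLAN tag")
        tci, etype = struct.unpack_from("!HH", frame, 14)
        out["vlan"] = tci & 0x0FFF             # low 12 bits are the VLAN ID
        off = 18
    out["ethertype"] = etype
    if etype != ETH_IPV4:                      # e.g. ARP: layer-2 fields only
        return out
    if len(frame) < off + 20:
        raise ValueError("truncated IPv4 header")
    ihl = (frame[off] & 0x0F) * 4              # IPv4 header length in bytes
    if (frame[off] >> 4) != 4 or ihl < 20 or len(frame) < off + ihl:
        raise ValueError("malformed IPv4 header")
    (frag,) = struct.unpack_from("!H", frame, off + 6)
    proto = frame[off + 9]
    out["proto"] = L4_NAMES.get(proto, proto)
    out["src_ip"] = str(IPv4Address(frame[off + 12:off + 16]))
    out["dst_ip"] = str(IPv4Address(frame[off + 16:off + 20]))
    # Ports exist only for TCP/UDP, and only in the first IP fragment.
    if proto in (6, 17) and (frag & 0x1FFF) == 0:
        l4 = off + ihl                         # skip IP options, if any
        if len(frame) < l4 + 4:
            raise ValueError("truncated transport header")
        out["src_port"], out["dst_port"] = struct.unpack_from("!HH", frame, l4)
    return out

# Constructed sample: VLAN 100, IPv4 with 4 option bytes (IHL=6), TCP SYN.
SAMPLE = bytes.fromhex(
    "020000000002" "020000000001" "81006064" "0800"
    "4600002c" "00014000" "40060000" "c000020a" "c6336407" "01010100"
    "c00001bb" "00000000" "00000000" "5002ffff" "00000000")

if __name__ == "__main__":
    print(classify(SAMPLE))
```

A classifier that assumed a fixed 20-byte IP header would read the option bytes of this sample as ports (257 and 256) instead of 49152 and 443, which is why the header-length field has to be honoured before any port-based rule is evaluated.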

This entry is adapted from the peer-reviewed paper 10.3390/electronics12214412

References

  1. Sudar, K.M.; Deepalakshmi, P.; Nagaraj, P.; Muneeswaran, V. Analysis of cyberattacks and its detection mechanisms. In Proceedings of the IEEE Fifth International Conference on Research in Computational Intelligence and Communication Networks (ICRCICN), Bangalore, India, 26–27 November 2020; pp. 12–16.
  2. Agarwal, S.; Oser, P.; Lueders, S. Detecting IoT devices and how they put large heterogeneous networks at security risk. Sensors 2019, 19, 4107.
  3. Katsikas, S.; Gkioulos, V. Security, privacy, and trustworthiness of sensor networks and internet of things. Sensors 2020, 20, 3846.
  4. Lezzi, M.; Lazoi, M.; Corallo, A. Cybersecurity for Industry 4.0 in the current literature: A reference framework. Comput. Ind. 2018, 103, 97–110.
  5. Corallo, A.; Lazoi, M.; Lezzi, M. Cybersecurity in the context of industry 4.0: A structured classification of critical assets and business impacts. Comput. Ind. 2020, 114, 103165.
  6. Mullet, V.; Sondi, P.; Ramat, E. A review of cybersecurity guidelines for manufacturing factories in industry 4.0. IEEE Access 2021, 9, 23235–23263.
  7. Coventry, L.; Branley, D. Cybersecurity in healthcare: A narrative review of trends, threats and ways forward. Maturitas 2018, 113, 48–52.
  8. Anwar, R.W.; Abdullah, T.; Pastore, F. Firewall best practices for securing smart healthcare environment: A review. Appl. Sci. 2021, 11, 9183.
  9. Giansanti, D. Cybersecurity and the digital-health: The challenge of this millennium. Healthcare 2021, 9, 62.
  10. Neupane, K.; Haddad, R.; Chen, L. Next generation firewall for network security: A survey. In Proceedings of the IEEE SoutheastCon, St. Petersburg, FL, USA, 19–22 April 2018; pp. 1–6.
  11. Khraisat, A.; Gondal, I.; Vamplew, P.; Kamruzzaman, J. Survey of intrusion detection systems: Techniques, datasets and challenges. Cybersecurity 2019, 2, 20.
  12. Siswanto, A.; Syukur, A.; Kadir, E.A. Network traffic monitoring and analysis using packet sniffer. In Proceedings of the IEEE International Conference on Advanced Communication Technologies and Networking (CommNet), Rabat, Morocco, 12–14 April 2019; pp. 1–4.
  13. Nahar, N.; Kumar, R. An improved Linux firewall using a hybrid frame of netfilter. In Proceedings of the IEEE International Conference on Trends in Electronics and Informatics (ICEI), Tirunelveli, India, 11–12 May 2017; pp. 657–662.
  14. Nivethan, J.; Papa, M. A Linux-based firewall for the DNP3 protocol. In Proceedings of the IEEE symposium on technologies for homeland security (HST), Boston, MA, USA, 10–12 May 2016; pp. 1–5.
  15. Tirumala, S.S.; Nepal, N.; Kumar Ray, S. Raspberry pi-based intelligent cyber defense systems for SMEs and smart-homes: An exploratory study. EAI Endorsed Trans. Smart Cities 2022, 6, e4.
  16. Phalguni, J.; Santosh Krishna, M. Design of a Firewall Based on Linux Netfilter using ARM9. Int. J. Sci. Eng. Technol. Res. 2015, 4, 7744–7748.
  17. Oluwabukola, O.; Oludele, A.; Ogbonna, A.C.; Chigozirim, A.; Amarachi, A. A Packet Sniffer (PSniffer) application for network security in Java. In Proceedings of the Informing Science and Information Technology Education Conference; Informing Science Institute: Santa Rosa, CA, USA, 2013; pp. 389–400.
  18. Phang, S.Y.; Lee, H.; Lim, H. Design and implementation of V6SNIFF: An efficient IPv6 packet sniffer. In Proceedings of the IEEE Third International Conference on Convergence and Hybrid Information Technology, Busan, Republic of Korea, 11–13 November 2008; Volume 2, pp. 44–49.
  19. Goyal, P.; Goyal, A. Comparative study of two most popular packet sniffing tools-Tcpdump and Wireshark. In Proceedings of the IEEE 9th International Conference on Computational Intelligence and Communication Networks (CICN), Girne, Northern Cyprus, 16–17 September 2017; pp. 77–81.
  20. Niemiec, G.S.; Batista, L.M.S.; Schaeffer-Filho, A.E.; Nazar, G.L. A survey on FPGA support for the feasible execution of virtualized network functions. IEEE Commun. Surv. Tutor. 2019, 22, 504–525.
  21. Wicaksana, A.; Sasongko, A. Fast and reconfigurable packet classification engine in FPGA-based firewall. In Proceedings of the IEEE International Conference on Electrical Engineering and Informatics, Bandung, Indonesia, 17–19 July 2011; pp. 1–6.
  22. Lin, S.; Zhang, D.; Fu, Y.; Wang, S. A design of the ethernet firewall based on FPGA. In Proceedings of the IEEE 10th International Congress on Image and Signal Processing, BioMedical Engineering and Informatics (CISP-BMEI), Shanghai, China, 14–16 October 2017; pp. 1–5.
  23. Prajapati, G.S.; Khare, N. A framework of an internet firewall for IPv6 using FPGA. Int. J. Comput. Appl. 2012, 50, 22–24.
  24. Prajapati, G.S.; Khare, N. A Novel Parallel Approach for Disjoint Rule Generation and Optimization (DRGO) in Reconfigurable Firewall Using FPGA. Natl. Acad. Sci. Lett. 2020, 43, 321–325.
  25. Mohammed, R.K.; Ueno, Y. An FPGA-based Network Firewall with Expandable Rule. Indones. J. Electr. Eng. Comput. Sci. 2018, 10, 1310–1318.
  26. Hilgurt, S. A Concise Review of FPGA-Based Hardware Solutions for Network Intrusion Detection. In Proceedings of the IEEE 8th International Conference on Problems of Infocommunications, Science and Technology (PIC S&T), Kharkiv, Ukraine, 5–7 October 2021; pp. 164–168.
  27. Stój, J.; Ziębiński, A.; Cupek, R. FPGA based Industrial Ethernet Network Analyser for Real-time Systems Providing Openness for Industry 4.0. Enterp. Inf. Syst. 2022, 16, 1711–1731.
  28. Pal, R.; Gotiya, R.; Singh, P.; Agrawal, A. Design of A Embedded Ethernet Packet Sniffer. Int. J. Innov. Technol. Explor. Eng. (IJITEE) 2013, 2, 84–88.
  29. Song, H.; Lockwood, J.W. Efficient packet classification for network intrusion detection using FPGA. In Proceedings of the 2005 ACM/SIGDA 13th International Symposium on Field-Programmable Gate Arrays, Monterey, CA, USA, 20–22 February 2005; pp. 238–245.
  30. Faria, J.; Oliveira, A.; Pedreiras, P.; Santos, R. FPGA-based Ethernet sniffer for Real-Time networks. Eletrónica e Telecomunicações 2009, 5, 61–68.
  31. Fiessler, A.; Hager, S.; Scheuermann, B.; Moore, A.W. HyPaFilter: A versatile hybrid FPGA packet filter. In Proceedings of the Symposium on Architectures for Networking and Communications Systems, Santa Clara, CA, USA, 17–18 March 2016; pp. 25–36.
  32. IEEE 802.3. Available online: https://en.wikipedia.org/wiki/IEEE_802.3 (accessed on 4 August 2023).
  33. Sommer, J.; Gunreben, S.; Feller, F.; Kohn, M.; Mifdaoui, A.; Saß, D.; Scharf, J. Ethernet—A survey on its fields of application. IEEE Commun. Surv. Tutor. 2010, 12, 263–284.
  34. Briscoe, N. Understanding the OSI 7-layer model. PC Netw. Advis. 2000, 120, 13–15.
  35. Tiller, J.S. A technical Guide to IPSec Virtual Private Networks; CRC Press: Boca Raton, FL, USA, 2017.