ARP or Address Resolution Protocol is used to map a network address like the IP address to the ethernet address (MAC, Media Access Control address or hardware address). Routers use ARP or MAC addresses to enable communication inside networks (w/in subnets).
Here's the output on my Ubuntu virtual machine (10.163.36.80) running on my desktop:
    $ arp -e
    Address                  HWtype  HWaddress           Flags Mask            Iface
    _gateway                 ether   28:6f:7f:68:92:40   C                     enp0s3
    10.163.36.13             ether   fc:4d:d4:39:f8:e8   C                     enp0s3
And this displays any missing or substituted IP addresses (that is, we can see that _gateway is mapped to 10.163.36.1). And I just happen to know that 10.163.36.13 points to my physical desktop computer.
    $ arp -an
    ? (10.163.36.1) at 28:6f:7f:68:92:40 [ether] on enp0s3
    ? (10.163.36.13) at fc:4d:d4:39:f8:e8 [ether] on enp0s3
IP is a way to uniquely identify a host on a network. If that network is subnetted, then a host's IP address will be a part of the subnet and not exposed directly to the Internet.
E.g., my IP address on my desktop is 10.163.36.13/24 (ip a), via a wired connection (eno1), and my neighbor's IP address is 10.163.36.65/24. We're both on the same subnet, but if we both, using our respective wired connected computers, Google 'what's my IP address', then we both get back 220.127.116.11. This is the same for the virtual machine I'm using that's running Ubuntu, connected via a bridge network.
Thus, w/o any additional information, all traffic coming from our computers and going out to the Internet looks like it's coming from the same IP address (18.104.22.168). And in reverse, all traffic coming from outside our network first goes to 22.214.171.124 before it's routed to our respective computers.
On the other hand, my laptop, just a few feet away from me, is connected to UK wireless, and not wired, and has this IP address: 10.47.142.2/16 (wlp3s0). You can see there's a different pattern with this IP address, and later we'll learn how we know that, as a result, this laptop is on a different subnet. In the meantime, if I use a browser on this laptop and ask Google for my IP address, it'll tell me: 126.96.36.199.
ICMP or Internet Control Message Protocol is a protocol used to send error messages, e.g., to check if a host is down. When we use ping, we're using the ICMP protocol.
TCP or Transmission Control Protocol is responsible for the transmission of data and for making sure the data arrives at its destination w/o errors.
UDP or User Datagram Protocol performs a similar function as TCP, but it doesn't error check. If data is lost, then it's lost but it's still sent. UDP is useful for conducting voice over internet calls or for streaming video, such as through YouTube. In fact, YouTube uses a type of UDP transmission called QUIC, which adds a level of encryption to the protocol. QUIC was developed by Google.
The above protocols, as well as others, each contain header information. The first part of the header will contain source address, then comes destination address, and so forth. Aside from a few other parts, this is the primary information that an IP header contains.
TCP and UDP headers will contain a bit more information, including port information for both source and destination, sequence (SYN) information for data packets, acknowledgment (ACK) information for the ACK number, as well as data and error checking if it's TCP.
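To make the header layout concrete, here is an added example (not part of the original notes) that unpacks the IPv4 header and the TCP or UDP header behind it. The two packets are constructed samples that reuse the desktop and VM addresses from this page, and `parse_packet` and `build_sample` are hypothetical helper names.

```python
import socket
import struct

def parse_packet(raw):
    """Parse an IPv4 header plus the TCP or UDP header that follows it."""
    if len(raw) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4             # IP header length in bytes
    if ver_ihl >> 4 != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    out = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl}
    l4 = raw[ihl:]                         # whatever follows the IP header
    if proto == 6 and len(l4) >= 20:       # TCP: ports, sequence, ack, flags
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        names = [(0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST")]
        out.update(proto="tcp", sport=sport, dport=dport, seq=seq, ack=ack,
                   flags=[n for bit, n in names if off_flags & bit])
    elif proto == 17 and len(l4) >= 8:     # UDP: ports and length only
        sport, dport, length, _ = struct.unpack("!HHHH", l4[:8])
        out.update(proto="udp", sport=sport, dport=dport, length=length)
    else:
        out.update(proto=proto)            # e.g. 1 = ICMP, left unparsed here
    return out

def build_sample(proto, l4):
    """Constructed IPv4 header (checksum left 0, not validated) in front of l4."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton("10.163.36.13"), socket.inet_aton("10.163.36.80"))
    return ip + l4

# Constructed samples: a TCP SYN to port 80 and a UDP datagram to port 53.
TCP_SYN = build_sample(6, struct.pack("!HHIIHHHH", 51000, 80, 1000, 0,
                                      (5 << 12) | 0x02, 64240, 0, 0))
UDP_PKT = build_sample(17, struct.pack("!HHHH", 51001, 53, 8, 0))

if __name__ == "__main__":
    print(parse_packet(TCP_SYN))
    print(parse_packet(UDP_PKT))
```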
A port associates a process with a network service. Ports provide a way to distinguish and filter all traffic through an IP address. E.g., all traffic going to IP address X.X.X.X:80 indicates that this is http traffic for the http service. Other common ports include:
There's a complete list on your Linux systems and it's located in the following file:
See also the Wikipedia page: List of TCP and UDP port numbers
On my virtual machine on my desktop (bridge connection), I can see the network information for my machine (some output removed / truncated for clarity):
    $ ip a
    2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 08:00:27:f2:36:19 brd ff:ff:ff:ff:ff:ff
        inet 10.163.36.80/24 brd 10.163.36.255 scope global dynamic enp0s3
           valid_lft 685860sec preferred_lft 685860sec
        inet6 fe80::a00:27ff:fef2:3619/64 scope link
           valid_lft forever preferred_lft forever
    $ ifconfig
    enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 10.163.36.80  netmask 255.255.255.0  broadcast 10.163.36.255
            inet6 fe80::a00:27ff:fef2:3619  prefixlen 64  scopeid 0x20<link>
            ether 08:00:27:f2:36:19  txqueuelen 1000  (Ethernet)
            RX packets 101740  bytes 14652618 (14.6 MB)
            RX errors 0  dropped 356  overruns 0  frame 0
            TX packets 1784  bytes 178630 (178.6 KB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
The above two commands report IP information a little differently.
ip a reports that my IP address is:
That information includes both the IP address, the netmask information, and the broadcast information. That is, that /24 is important info.
With ifconfig, the information is reported separately:
We'll learn how to interpret this soon.
In the meantime, here's the routing table on my Ubuntu Bridge VM:
    $ ip route
    default via 10.163.36.1 dev enp0s3 proto dhcp src 10.163.36.80 metric 100
    10.163.36.0/24 dev enp0s3 proto kernel scope link src 10.163.36.80
    10.163.36.1 dev enp0s3 proto dhcp scope link src 10.163.36.80 metric 100
And then on my physical machine:
    $ ip route
    default via 10.163.36.1 dev eno1 proto dhcp metric 100
    10.163.36.0/24 dev eno1 proto kernel scope link src 10.163.36.13 metric 100
    169.254.0.0/16 dev eno1 scope link metric 1000
Since both machines are on the same network, they both state the following path:
In the ip route output, you'll notice the IP address 169.254.0.0/16. This is called the link-local address. This is a local address that is assigned to a device in the absence of either static or dynamic IP assignment (via, e.g., a router).
The ip command is a relatively new command that is replacing other commands, like arp and ifconfig. Read the man page for ip for more info, and compare to this command, which gives the same info as above but organized a bit differently:
    $ route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         10.163.36.1     0.0.0.0         UG    100    0        0 eno1
    10.163.36.0     0.0.0.0         255.255.255.0   U     100    0        0 eno1
    169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1
In any case, we can put this information together, and say something like this:
    10.163.36.13/24 : subnet address / subnet mask
    10.163.36.255   : broadcast address
    10.163.36.1     : router/gateway
    169.254.0.0/16  : Link-local address
This all translates into:
    10.163.36.13 <----> 10.163.36.0/24 <---> 10.163.36.1 <---> 188.8.131.52
    IP Address          Network              Gateway           Public
                        Subnet               Router            Router
                        Mask
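The same reading of the routing table can be done in code. This added example (not part of the original notes) parses the physical machine's `ip route` lines shown above and picks the most specific matching route for a destination, which is how the decision between "deliver on the local subnet" and "send to the gateway" is made. The helper names are hypothetical, and the parser assumes every word after the destination comes in key/value pairs, which holds for the lines on this page but not for all `ip route` output.

```python
import ipaddress

# Output of `ip route` on the physical machine, copied from this page.
IP_ROUTE = """\
default via 10.163.36.1 dev eno1 proto dhcp metric 100
10.163.36.0/24 dev eno1 proto kernel scope link src 10.163.36.13 metric 100
169.254.0.0/16 dev eno1 scope link metric 1000
"""

def parse_routes(text):
    """Turn `ip route` lines into (network, gateway or None, device) tuples."""
    routes = []
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        dest = "0.0.0.0/0" if words[0] == "default" else words[0]
        opts = dict(zip(words[1::2], words[2::2]))   # assumes "key value" pairs
        gw = ipaddress.ip_address(opts["via"]) if "via" in opts else None
        routes.append((ipaddress.ip_network(dest), gw, opts.get("dev")))
    return routes

def lookup(routes, dest):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        raise LookupError(f"no route to {dest}")
    net, gw, dev = max(matches, key=lambda r: r[0].prefixlen)
    next_hop = gw if gw else addr    # no gateway: the host is reached directly
    return str(net), str(next_hop), dev

def describe(cidr):
    """Network, netmask and broadcast address implied by an address/prefix."""
    net = ipaddress.ip_interface(cidr).network
    return str(net), str(net.netmask), str(net.broadcast_address)

ROUTES = parse_routes(IP_ROUTE)

if __name__ == "__main__":
    print(describe("10.163.36.13/24"))     # the desktop
    print(lookup(ROUTES, "10.163.36.65"))  # the neighbor, same subnet
    print(lookup(ROUTES, "10.47.142.2"))   # the laptop, other subnet
```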
Don't do this on a public network, but you can tell me what this means:
    $ ping -b 10.163.36.255
    WARNING: pinging broadcast address
    PING 10.163.36.255 (10.163.36.255) 56(84) bytes of data.
    --- 10.163.36.255 ping statistics ---
    3 packets transmitted, 0 received, 100% packet loss, time 2046ms
    $ arp -a
    ? (10.163.36.176) at 3c:07:54:5a:99:0e [ether] on eno1
    ? (10.163.36.80) at 08:00:27:f2:36:19 [ether] on eno1
    ? (10.163.36.19) at 00:40:58:06:b3:fd [ether] on eno1
    ? (10.163.35.124) at e8:39:35:8d:bb:03 [ether] on eno1
    lcli-310.prt.uky.edu (10.163.36.41) at 00:26:73:29:fe:25 [ether] on eno1
    kls4mapprt.prt.uky.edu (10.163.36.6) at a4:5d:36:b6:1a:34 [ether] on eno1
    ? (10.163.36.77) at 0c:4d:e9:b8:cd:fc [ether] on eno1
    ? (10.163.36.92) at 00:21:b7:5a:19:f6 [ether] on eno1
    ? (10.163.36.43) at 00:21:b7:04:50:fc [ether] on eno1
    ? (10.163.36.49) at 0c:4d:e9:98:e9:e8 [ether] on eno1
    ? (10.163.36.69) at 50:9a:4c:7f:47:6d [ether] on eno1
    ? (10.163.36.8) at 48:4d:7e:de:bd:c6 [ether] on eno1
    ? (10.163.36.31) at 68:5b:35:cb:b1:da [ether] on eno1
    _gateway (10.163.36.1) at 28:6f:7f:68:92:40 [ether] on eno1
    celt.prt.uky.edu (10.163.36.160) at 00:26:73:1d:e9:99 [ether] on eno1
    ? (10.163.36.142) at 00:3e:e1:c4:4a:a6 [ether] on eno1
    ? (10.163.36.95) at 78:7b:8a:db:9c:b2 [ether] on eno1
Here's how to disable and then enable a connection on a machine. Note that eno1 is the name of my network card/device. You'd have to replace it with the name of yours. If it's a wireless card, it should begin with a 'w':
    sudo ip link set eno1 down
    sudo ip link set eno1 up
We're not going to get into subnetting with IPv6, but if you're interested, this is a nice article: