← Back to learning

Networking

Layers of Abstraction

The OSI model is a stack of abstractions. At the bottom, everything is voltage changes on a wire—bits. Each layer above solves a different problem without worrying about the layers below.

7Application— HTTP, FTP, DNS
6Presentation— encryption, compression
5Session— connections, sessions
4Transport— TCP, UDP, ports
3Network— IP, routing
2Data Link— Ethernet frames, MAC addresses
1Physical— voltage, bits on wire

Layer 1 (Physical) deals with raw bits—voltage levels, cable specs, timing. Layer 2 (Data Link) adds structure: how do we group bits into meaningful chunks? How do we address devices on a local network? How do we detect transmission errors?

The answer is frames.

Ethernet Frame

A frame is the data link layer's unit of transmission. It wraps raw data with addressing, type information, and error checking. The bits still travel as voltage on the wire—but now they have structure.

Think of it like an envelope. The payload is your letter. The MAC addresses are the "to" and "from" fields. The FCS is a seal that proves nothing was tampered with in transit.

Ethernet Frame Structure

Click on a segment to learn more

072+ bytes (payload varies) →1518 max
Click a segment above to see details
Sync
Addressing
Protocol
Data
Error Check

Breaking it down

Preamble7 bytes

A repeating pattern of 10101010. The receiver's NIC uses this to synchronize its clock with the incoming signal. Without it, the receiver wouldn't know where one bit ends and the next begins.

SFD1 byte

Start Frame Delimiter. The pattern 10101011. That final 11 breaks the pattern and signals: "the real frame starts now."

Destination MAC6 bytes

Where this frame is going. Switches read this to decide which port to forward to. FF:FF:FF:FF:FF:FF means broadcast—send to everyone.

Source MAC6 bytes

Where this frame came from. Switches also use this to build their MAC address tables.

EtherType2 bytes

What's inside the payload? Without this field, the receiver wouldn't know how to interpret the data.

0x0800 → IPv40x86DD → IPv60x0806 → ARP
Payload46-1500 bytes

The actual data—usually an IP packet. Minimum 46 bytes (padded with zeros if smaller). Maximum 1500 bytes (MTU). Larger data must be fragmented at a higher layer.

FCS4 bytes

Frame Check Sequence. A CRC-32 checksum over the entire frame. The receiver recalculates it—if it doesn't match, the frame is silently dropped. No retransmission at this layer; that's TCP's job.

Key insight

Ethernet is best-effort. Frames can be dropped, arrive out of order, or get corrupted. The data link layer doesn't care—it just moves frames between directly connected devices. Reliability comes from higher layers.

Unicast, Broadcast, Multicast

Not all frames are addressed the same way. The destination MAC determines who should process the frame.

Unicast

One-to-one. Frame addressed to a specific device's MAC address. Only that device processes it; others ignore it.

e.g., 00:1A:2B:3C:4D:5E
Broadcast

One-to-all. Frame sent to every device on the local network. Used when you don't know the destination MAC (like ARP requests).

FF:FF:FF:FF:FF:FF
Multicast

One-to-many. Frame sent to a group of devices that have subscribed to a multicast address. Used for streaming, routing protocols.

01:00:5E:xx:xx:xx (IPv4 multicast range)

How do NICs know whether to process a frame? They check the destination MAC. If it matches their own address, is broadcast, or matches a multicast group they've joined—they process it. Otherwise, they drop it silently.

Collision Domains

Early Ethernet used a shared medium—one wire, many devices. If two devices transmitted simultaneously, signals collided and corrupted each other. The set of devices that can collide is called a collision domain.

HubAll ports share one collision domain. A frame sent to one port is repeated to all ports. Collisions everywhere.
SwitchEach port is its own collision domain. The switch buffers frames and forwards only to the correct port. No collisions between ports.

CSMA/CD

How did devices handle collisions? Carrier Sense Multiple Access with Collision Detection:

1Listen — Is the wire idle?
2Transmit — If idle, send your frame
3Detect — While sending, check for collision
4Backoff — If collision, wait random time, retry

This is essentially a state machine. Each device transitions between states based on what it observes on the wire.

CSMA/CD State Machine
Click "Run" to see a transmission with collision
Idle
Waiting for data to send
Carrier Sense
Is the wire busy?
Transmitting
Sending frame, monitoring for collision
Collision!
Detected interference, sending jam signal
Backoff
Waiting random time before retry
Success
Frame transmitted successfully
Current: IdleWaiting for data to send
Transitions from Idle:
on data ready Carrier Sense

Here's what happens when multiple devices share a hub—each trying to greet everyone else:

8 Devices on a Hub

Each device sends "Hello" to all others (56 messages)

HUB
— Wire Idle —
D1
Idle
0/7
D2
Idle
0/7
D3
Idle
0/7
D4
Idle
0/7
D5
Idle
0/7
D6
Idle
0/7
D7
Idle
0/7
D8
Idle
0/7
Event LogTick 0
Click "Run Simulation" to start...
Idle
Sensing
Transmitting
Collision
Backoff

All 8 devices start simultaneously, each trying to greet every other device. Watch how collisions force random backoffs, eventually letting everyone speak.

Modern networks: Full-duplex switched Ethernet has eliminated collisions. Each device has a dedicated path to the switch. CSMA/CD is largely historical—but understanding it explains why Ethernet frames have minimum sizes and why the preamble exists.

Why 64 bytes minimum?

For collision detection to work, the sender must still be transmitting when the collision signal returns. If the frame is too short, the sender finishes before hearing the collision—and thinks it succeeded.

Collision detection timing
Frame too short — collision missed
TX
collision arrives
Sender finished at T=1. Collision signal arrives at T=2. Too late—sender thinks it worked.
Frame long enough — collision detected
TX (still sending...)
collision!
Sender still transmitting when collision arrives. Detected! Abort and retry.
The math: At 10 Mbps with max cable length (2500m), round-trip time is ~51μs. At 10 Mbps, that's 512 bits = 64 bytes. Any frame shorter than 64 bytes gets padded.

Why does the preamble exist?

Ethernet is asynchronous—the receiver's clock isn't synced with the sender's. The preamble gives the receiver time to lock onto the signal before real data arrives.

Clock synchronization
Without preamble — data corrupted
?
?
?
1
0
0
1
0
← first bits lost while receiver syncs
With preamble — clean data
1
0
1
0
1
0
1
0
preamble
1
1
SFD
1
0
1
1
0
0
1
0
← actual data (all intact)
The receiver's PLL (Phase-Locked Loop) uses the alternating 10101010 pattern to lock onto the signal frequency. By the time real data arrives, the clock is synced.

Error Detection with CRC

Remember the FCS field in the Ethernet frame? It contains a CRC-32 checksum. But why CRC instead of a simple sum of bytes?

The Problem with Simple Checksums

A simple checksum just adds up all the bytes. If the sum matches, the data is probably intact. But there's a fatal flaw: errors can cancel out.

Show examples in:
Simple Checksum Failure
Data:
45
32
18
27
Sum:
122
Simple checksum: add all values together. Click "Corrupt 2 Values" to see how two errors can cancel out.
Check Digit Calculation (like ISBN)
1/5
Value:978
Data: 978. We want to find a check digit so the result is divisible by 11.
Error Detection Limits
Error size:16
Original data + check digit:
1
2
3
4
5
6
7
8
9
0
-
82
Received (with 4 corrupted digits):
1
2
8
9
0
1
7
8
9
0
-
82
Verification (mod 97 check):
Original:1234567890 × 100 + 82=123456789082mod 97 =88
Received:1289017890 × 100 + 82=128901789082mod 97 =51≠ 0 → Error detected!
✓ Guaranteed detection. The math guarantees any 4 consecutive wrong digits will produce remainder ≠ 0.

How CRC Works

CRC treats the entire frame as a giant binary number and divides it by a special polynomial using XOR operations. The remainder becomes the checksum.

1Sender: Append N zeros to data (N = polynomial degree). Divide by polynomial. The remainder is the CRC.
2Sender: Append CRC to the original data and transmit.
3Receiver: Divide received (data + CRC) by the same polynomial.
4Receiver: If remainder = 0, data is intact. Otherwise, drop the frame.

Why Polynomial Division?

The mathematical properties of polynomial division guarantee detection of:

✓ All single-bit errors
Any one bit flipped → detected
✓ All double-bit errors
Any two bits flipped → detected
✓ All odd-count errors
1, 3, 5... bits flipped → detected
✓ Burst errors ≤ 32 bits
Consecutive corrupted bits → detected
Important: CRC detects errors but cannot correct them. If the CRC fails, the frame is silently dropped. Higher layers (like TCP) handle retransmission.

Ethernet's CRC-32

Ethernet uses the polynomial 0x04C11DB7, producing a 32-bit checksum. This detects any burst error up to 32 consecutive bits—more than enough for typical electrical noise on a cable.

Speed in Practice

Despite the math looking expensive, CRC is blazingly fast:

Software (lookup tables)
Pre-computed tables turn division into table lookups. A single CPU core can process ~3-5 GB/s.
Hardware (dedicated circuits)
Network cards have CRC logic in silicon. Your NIC computes CRC at line rate—100 Gbps+ with zero CPU overhead.

The XOR operations parallelize perfectly in hardware. A 1500-byte frame's CRC takes nanoseconds—the math never becomes the bottleneck.

MAC Addresses

Every network interface has a MAC address—a 48-bit (6 octet) identifier that's supposed to be globally unique. This is what goes in the Source and Destination fields of every Ethernet frame.

Structure

A MAC address is split into two halves:

1-3OUI (Organizationally Unique Identifier) — First 3 octets. Assigned to manufacturers by IEEE. Apple, Intel, Cisco each have their own prefixes.
4-6NIC-specific — Last 3 octets. Assigned by the manufacturer to each device they produce.

MAC Address Structure

AC
OUI 1
DE
OUI 2
48
OUI 3
12
NIC 1
34
NIC 2
56
NIC 3
OUI (Manufacturer)
NIC-specific
Manufacturer (OUI)
AC:DE:48
Apple Inc.
Device ID
12:34:56
Assigned by manufacturer
First Octet: Special Bits
10101100
= 0xAC
Bit 0I/G (Individual/Group)
0 → Unicast (single device)
Bit 1U/L (Universal/Local)
0 → Universally administered (IEEE)

Special Bits

The first octet contains two special bits that change how the address behaves:

Bit 0: I/G (Individual/Group)
0 = Unicast (one device)
1 = Multicast (group of devices)
Bit 1: U/L (Universal/Local)
0 = Burned-in by manufacturer
1 = Set by software (VM, container)

Special Addresses

FF:FF:FF:FF:FF:FFBroadcast — all devices must process
01:00:5E:xx:xx:xxIPv4 multicast range
33:33:xx:xx:xx:xxIPv6 multicast range

Bridging to Layer 3: ARP

MAC addresses work at Layer 2, but applications use IP addresses (Layer 3). ARP (Address Resolution Protocol) bridges this gap:

1Device wants to send to 192.168.1.50 but doesn't know its MAC address.
2Broadcasts ARP request: "Who has 192.168.1.50?"(sent to FF:FF:FF:FF:FF:FF)
3Target device replies: "That's me! My MAC is AC:DE:48:12:34:56"
4Sender caches the mapping and uses it for future frames.

Security note: ARP has no authentication. Anyone can claim to own any IP address, enabling ARP spoofing attacks. This is why public Wi-Fi is risky without VPN/HTTPS.