Computer Networking Flowchart

In this post, I will go over a simple diagram and show a couple of scenarios of how data travels between two hosts.


By 0xBEN

Key Points

  • Computers communicate using IP addresses at layer 3 and MAC addresses at layer 2. If you pass a hostname, a DNS lookup will be performed to find the IP address of the receiving computer. DNS records are cached for faster lookups. Cached records have an expiration date, after which another lookup must be performed.
  • Computers keep an ARP table of IP addresses they have recently communicated with on the LAN. Each record in the ARP table has an expiration date, after which the host will need to be rediscovered.




Address Resolution Protocol (ARP)

ARP is a layer 2 protocol used to find the layer 2 address of a host that is known by its layer 3 address. Hosts communicate at layer 2 using MAC addresses and at layer 3 using IP addresses. ARP counts as a layer 2 protocol because a host discovers the MAC address belonging to an IP address by sending a broadcast frame to FF:FF:FF:FF:FF:FF.

If you need a quick refresher on network layers, see this post:

OSI Model Visualization
In this post, I provide a mock-up of the OSI model and briefly discuss the differences with the TCP/IP model.




Seeing it in Action

I have some hosts networked together as pictured in this diagram:

I am also going to clear my ARP cache using this command: ip -s -s neigh flush all. Now that my ARP cache is clear, I can run some tests.

10.0.0.2 to 10.0.0.14

I have a quick test container running python -m http.server 80 at 10.0.0.14. I am going to connect to the web server from my Kali VM.

Analyzing it with Wireshark

  • Frame 5058 is Kali asking for the MAC address of the default gateway (because I cleared it from the cache): Who has 10.0.0.1? Tell 10.0.0.2. 10.0.0.1 should respond by telling 10.0.0.2 its MAC address.
  • Frame 5360 is Kali asking for the MAC address of 10.0.0.14 using an ARP broadcast: Who has 10.0.0.14? Tell 10.0.0.2. 10.0.0.14 should respond by telling 10.0.0.2 its MAC address.
  • Frame 5361 is the test container responding to the request: 10.0.0.14 is at 56:2d:f9:6e:78:b9.
  • Frames 5362 – 5373 are Kali and the web server establishing a TCP connection and transferring the HTTP data.
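To make the "Who has ...? Tell ..." and "... is at ..." lines above concrete, here is an added example (not code from the post) that builds two constructed Ethernet/ARP frames modelled on frames 5360 and 5361, decodes them the way Wireshark's Info column does, and feeds the reply into a small ARP cache whose entries expire, as described in the key points. The container's MAC is the one the capture shows; Kali's MAC (02:00:00:00:00:02) and the 60-second TTL are assumptions.

```python
import struct
from dataclasses import dataclass

# Constants from the Ethernet/ARP specifications.
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(p, 16) for p in s.split(":"))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ip_bytes(s: str) -> bytes:
    return bytes(int(p) for p in s.split("."))


@dataclass
class ArpFrame:
    dst_mac: str
    src_mac: str
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    def summary(self) -> str:
        """Render the frame the way Wireshark's Info column does."""
        if self.opcode == ARP_REQUEST:
            return f"Who has {self.target_ip}? Tell {self.sender_ip}"
        if self.opcode == ARP_REPLY:
            return f"{self.sender_ip} is at {self.sender_mac}"
        return f"Unknown ARP opcode {self.opcode}"


def build_arp(dst_mac, src_mac, opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP message (42 bytes)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then the opcode.
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> ArpFrame:
    """Decode the 14-byte Ethernet header and the 28-byte ARP payload."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    body = frame[22:42]
    return ArpFrame(mac_str(dst), mac_str(src), opcode,
                    mac_str(body[0:6]), ip_str(body[6:10]),
                    mac_str(body[10:16]), ip_str(body[16:20]))


class ArpCache:
    """Minimal ARP table: IP -> (MAC, expiry). Expired entries force rediscovery."""

    def __init__(self, ttl_seconds: float = 60.0):
        self.ttl = ttl_seconds
        self._entries: dict = {}

    def learn(self, frame: ArpFrame, now: float) -> None:
        # This simplified cache learns only from replies; a request only says
        # who is asking, not who owns the target IP.
        if frame.opcode == ARP_REPLY:
            self._entries[frame.sender_ip] = (frame.sender_mac, now + self.ttl)

    def lookup(self, ip: str, now: float):
        entry = self._entries.get(ip)
        if entry is None:
            return None
        mac, expires_at = entry
        if now >= expires_at:
            del self._entries[ip]  # stale: a new broadcast request is needed
            return None
        return mac


# Constructed sample frames modelled on frames 5360/5361 in the post. Kali's MAC
# is an assumption; the container's MAC is the one Wireshark showed.
KALI_MAC = "02:00:00:00:00:02"
SAMPLE_REQUEST = build_arp(BROADCAST, KALI_MAC, ARP_REQUEST,
                           KALI_MAC, "10.0.0.2", ZERO_MAC, "10.0.0.14")
SAMPLE_REPLY = build_arp(KALI_MAC, "56:2d:f9:6e:78:b9", ARP_REPLY,
                         "56:2d:f9:6e:78:b9", "10.0.0.14", KALI_MAC, "10.0.0.2")


def demo() -> list:
    """Decode both frames and return their Wireshark-style summaries."""
    return [parse_arp(f).summary() for f in (SAMPLE_REQUEST, SAMPLE_REPLY)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Note that the request goes to the broadcast MAC with an all-zero target MAC, while the reply is unicast straight back to the asker; a real host also refreshes its table from requests addressed to it, which this toy cache leaves out to keep the expiry logic visible.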

Taking a Closer Look at Frame 5362

This is the SYN packet going from Kali to the web server. Let's take a deeper look at the layer 2 and layer 3 headers.

Layer 2

Since 10.0.0.14 is on the same LAN, the destination MAC address is that of the web server. The frame does not go to the default gateway, because the packet does not need to be routed.

Layer 3

We can see that the destination IP address is that of the web server.


10.0.0.2 to 10.9.9.35

I clear my ARP cache again. I am running a web server on 10.9.9.35, so the tests will be the same; only the IP addresses differ.

Analyzing it with Wireshark

  • Frame 450 is Kali asking for the MAC address of the default gateway: Who has 10.0.0.1? Tell 10.0.0.2. 10.0.0.1 should respond by telling 10.0.0.2 its MAC address.
  • Frame 451 is the default gateway responding: 10.0.0.1 is at 42:67:ea:58:a3:e7.
  • Frames 606 – 615 are Kali and the web server establishing a TCP connection and transferring the HTTP data.

Taking a Deeper Look at Frame 606

This is the SYN packet going from Kali to the web server. Let's take a deeper look at the layer 2 and layer 3 headers.

Layer 2

Since 10.9.9.35 is on a foreign subnet, the destination MAC address is that of the default gateway. This is because the default gateway will receive the packet and route it to its destination.
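The decision behind both SYN packets (frame 5362 to the on-LAN server and frame 606 to the foreign subnet) is a single longest-match check against the local subnet, and the layer 3 destination never changes; only the layer 2 destination does. This added example (not code from the post) walks through that decision for both targets. The gateway and container MACs are the ones Wireshark showed; Kali's /24 mask and its MAC are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class HostConfig:
    ip: str        # this host's IPv4 address
    prefix: int    # subnet prefix length
    gateway: str   # default gateway IP
    mac: str       # this host's MAC


def next_hop(cfg: HostConfig, dst_ip: str) -> str:
    """Return the IP whose MAC belongs in the Ethernet destination field."""
    iface = ipaddress.ip_interface(f"{cfg.ip}/{cfg.prefix}")
    if ipaddress.ip_address(dst_ip) in iface.network:
        return dst_ip       # same LAN: address the frame to the destination itself
    return cfg.gateway      # foreign subnet: address the frame to the default gateway


def frame_headers(cfg: HostConfig, arp_table: dict, dst_ip: str) -> dict:
    """Layer 2 and layer 3 addresses of the SYN leaving cfg for dst_ip."""
    hop = next_hop(cfg, dst_ip)
    if hop not in arp_table:
        # A cache miss is exactly what produces the broadcast seen in the capture.
        raise LookupError(f"Who has {hop}? Tell {cfg.ip}")
    return {
        "eth_dst": arp_table[hop],
        "eth_src": cfg.mac,
        "ip_dst": dst_ip,   # layer 3 destination is always the real target
        "ip_src": cfg.ip,
    }


# Constructed topology: Kali's /24 mask and MAC are assumptions; the two MACs
# in the table are the ones Wireshark showed in the post.
KALI = HostConfig(ip="10.0.0.2", prefix=24, gateway="10.0.0.1", mac="02:00:00:00:00:02")
ARP_TABLE = {
    "10.0.0.1": "42:67:ea:58:a3:e7",   # default gateway (frame 451)
    "10.0.0.14": "56:2d:f9:6e:78:b9",  # test container (frame 5361)
}


if __name__ == "__main__":
    for target in ("10.0.0.14", "10.9.9.35"):
        print(target, frame_headers(KALI, ARP_TABLE, target))
```

Running it with an empty table reproduces the first thing the captures show after the flush: a LookupError carrying "Who has 10.0.0.1? Tell 10.0.0.2" for the off-subnet target, because the gateway's MAC, not the web server's, is what Kali needs.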

Layer 3

Finally, we can see the destination address is that of the web server and the source address belongs to Kali.
