Handbook of Computer Crime Investigation: Forensic Tools and Technology

To communicate on a network, computers must use the same protocol. For example, many computers run standard Ethernet (IEEE 802.3) at the data-link layer [2] to communicate with their default router and other computers on the same physical network (Comer 1995). Ethernet provides a method for conveying bits of data over network cables, using the unique hardware identifiers associated with network cards (a.k.a. MAC addresses or Ethernet addresses) to direct the data to their destination. The format of a standard Ethernet frame is shown in Figure 9.1. [3]
The preamble and start-of-frame fields are functional components of the protocol, and are of little interest from an investigative or evidentiary standpoint. The source and destination Ethernet addresses are 6 bytes each and are associated with the network cards on the two computers. The length field contains the number of bytes in the data field. Each frame must be at least 64 bytes long to allow network cards to detect collisions accurately (Held 1998); the padding in the Ethernet frame ensures that each datagram reaches that minimum length, and the cyclic redundancy check (CRC) is used to verify the integrity of the datagram at the time it is received. [4]
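As an added example (not code from the handbook), the following Python parser walks the fields just described: the two 6-byte addresses, the length field, the data, the padding that brings a frame up to the 64-byte minimum, and the trailing CRC. It also rebuilds a frame the way a network card would, so the CRC check can be exercised against a deliberately corrupted copy. The MAC addresses and payload are constructed sample values; the CRC is computed with `zlib.crc32`, which uses the same CRC-32 polynomial as the Ethernet frame check sequence (transmitted least-significant byte first). The frame is assumed to have been captured after the preamble and start-of-frame delimiter, with the CRC still attached, as a capture card configured to keep the FCS would deliver it.

```python
"""Parse and integrity-check an IEEE 802.3 Ethernet frame (added example, not handbook code)."""
import struct
import zlib
from dataclasses import dataclass

MIN_FRAME_LEN = 64   # minimum on-the-wire frame length, including the 4-byte CRC (Held 1998)
HEADER_LEN = 14      # destination (6) + source (6) + length/type (2)
FCS_LEN = 4          # CRC-32 frame check sequence


@dataclass
class EthernetFrame:
    dst: str
    src: str
    length_or_type: int
    payload: bytes
    padding: bytes
    fcs: int
    fcs_ok: bool


def mac_to_str(raw: bytes) -> str:
    """Render a 6-byte hardware address in the usual colon-separated hex form."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> EthernetFrame:
    """Split a captured frame into its fields and verify the CRC.

    Raises ValueError for a runt (shorter than 64 bytes), which a forensic
    tool should flag rather than silently decode.
    """
    if len(frame) < MIN_FRAME_LEN:
        raise ValueError(f"runt frame: {len(frame)} bytes, minimum is {MIN_FRAME_LEN}")
    dst, src, ltype = struct.unpack("!6s6sH", frame[:HEADER_LEN])
    body, fcs_raw = frame[HEADER_LEN:-FCS_LEN], frame[-FCS_LEN:]
    # Values up to 1500 are an 802.3 length field; 1536 and above are an
    # Ethernet II EtherType, in which case no padding can be separated out.
    if ltype <= 1500:
        payload, padding = body[:ltype], body[ltype:]
    else:
        payload, padding = body, b""
    # The CRC covers everything from the destination address to the end of
    # the padding; the sender appends it least-significant byte first.
    expected = zlib.crc32(frame[:-FCS_LEN]) & 0xFFFFFFFF
    fcs = struct.unpack("<I", fcs_raw)[0]
    return EthernetFrame(mac_to_str(dst), mac_to_str(src), ltype,
                         payload, padding, fcs, fcs == expected)


def build_frame(dst: bytes, src: bytes, payload: bytes) -> bytes:
    """Assemble an 802.3 frame as a network card would: pad to 60 bytes, then append the CRC."""
    body = dst + src + struct.pack("!H", len(payload)) + payload
    body += b"\x00" * max(0, MIN_FRAME_LEN - FCS_LEN - len(body))
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


# Constructed sample values (not from any real capture).
SAMPLE_DST = bytes.fromhex("001122334455")
SAMPLE_SRC = bytes.fromhex("66778899aabb")
SAMPLE_PAYLOAD = b"constructed sample"   # 18 bytes, so 28 bytes of padding are added


def corrupt(frame: bytes, offset: int) -> bytes:
    """Flip one bit at the given offset to simulate damage in transit or in storage."""
    damaged = bytearray(frame)
    damaged[offset] ^= 0x01
    return bytes(damaged)


if __name__ == "__main__":
    good = build_frame(SAMPLE_DST, SAMPLE_SRC, SAMPLE_PAYLOAD)
    for label, frame in (("intact", good), ("corrupted", corrupt(good, 20))):
        parsed = parse_frame(frame)
        print(f"{label}: {parsed.src} -> {parsed.dst}, data length {parsed.length_or_type}, "
              f"padding {len(parsed.padding)} bytes, CRC ok={parsed.fcs_ok}")
```

Running the script prints one line for the intact frame (CRC ok) and one for the copy with a single flipped bit in the data field (CRC fails). On a real capture, a CRC mismatch identifies a frame that was damaged either on the wire or in the evidence file, which is worth recording before any higher-layer interpretation is drawn from it.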
To communicate with machines on different networks, computers must run higher level protocols such as Internet Protocol (IP) at the network layer and Transport Control Protocol (TCP) at the transport layer. TCP/IP provides a method for conveying datagrams of data...