Prevent unwanted computers from connecting to your wireless network


How network works - How computers become part of a network.

How computers become part of a network - Today the IP protocol is the most common protocol on Ethernet networks. The name TCP/IP is often used, which can be a little misleading: the IP part is correct, but many more protocols than TCP are used on today's networks, and UDP is as common as TCP. But let us start with IP packets, because that is where IP addresses come in. If two computers sit on the same Ethernet network and know each other's IP addresses, they still cannot communicate unless they also know each other's MAC addresses, since the MAC address is needed to send Ethernet packets.


ARP Protocol - To find out another computer's MAC address, the computer sends out an ARP packet. ARP (Address Resolution Protocol) is used to map IP addresses to MAC addresses. ARP requests for another computer's MAC address are sent as broadcast packets. If an ARP request is sent out asking "Who has this IP address?", the computer that has the requested IP address responds with an ARP reply saying "IP address x.x.x.x is at MAC address YY-YY-YY-YY-YY-YY".

Now the asking computer can put together an Ethernet packet with the correct destination address, place the IP packet inside it and send it to the other computer.


ARP Table - To avoid sending an ARP request every time an IP packet is to be sent to the other computer, every computer keeps a table, called the ARP table, that stores the mapping between IP addresses and MAC addresses. But since an IP address does not have to be static, all computers reset or flush their ARP tables, typically once every 20 minutes.


MAC addresses and IP addresses are unique - Multiple MAC addresses must not be mapped to the same IP address, since a computer could then not tell who is who. Likewise, there cannot be multiple computers with the same IP address: every computer on the local network must have an IP address that is unique on that network. MAC addresses, however, are unique not only on a local network but over the whole world (at least they should be, and to a great extent they are). Network equipment vendors acquire unique MAC address assignment ranges from the IEEE (Institute of Electrical and Electronics Engineers).
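As an added example (not LANeye's or ProPrat's code), the following Python parses the Ethernet/IPv4 ARP layout from RFC 826 and keeps a per-host ARP table of the kind described above: entries age out after 20 minutes, and an alert is recorded when an IP address turns up with a different MAC address than the one cached, which is exactly the "two MACs for one IP" situation the text says must not occur. The MAC and IP addresses, the build_arp_frame helper used only to construct sample frames, and the traffic in demo() are all made up for the example; nothing is sent on a network.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_TABLE_TTL = 20 * 60          # seconds: the "once every 20 minutes" flush from the text
BROADCAST = "FF-FF-FF-FF-FF-FF"


@dataclass
class ArpPacket:
    dst_mac: str        # Ethernet destination (broadcast for a request)
    src_mac: str        # Ethernet source
    opcode: int         # 1 = request, 2 = reply
    sender_mac: str     # "I am at ..."
    sender_ip: str
    target_mac: str     # unfilled (all zero) in a request
    target_ip: str      # "... who has this address?"


def mac_to_str(b: bytes) -> str:
    return "-".join(f"{x:02X}" for x in b)


def ip_to_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_to_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.replace(":", "-").split("-"))


def ip_to_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip, dst_mac=BROADCAST):
    """Build an Ethernet II frame carrying Ethernet/IPv4 ARP (RFC 826 field order).
    Used here only to construct sample input for the parser; no frame is transmitted."""
    eth = struct.pack("!6s6sH", mac_to_bytes(dst_mac), mac_to_bytes(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                      mac_to_bytes(target_mac), ip_to_bytes(target_ip))
    return eth + arp


def parse_arp_frame(frame: bytes) -> ArpPacket:
    """Parse an Ethernet frame into its ARP fields; rejects non-ARP and non-Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpPacket(mac_to_str(dst), mac_to_str(src), oper,
                     mac_to_str(sha), ip_to_str(spa), mac_to_str(tha), ip_to_str(tpa))


class ArpCache:
    """One host's ARP table: learns IP -> MAC from the sender fields of every ARP packet heard,
    ages entries out after ttl seconds, and records an alert when an IP address is seen with a
    different MAC address than the one cached."""

    def __init__(self, ttl: float = ARP_TABLE_TTL):
        self.ttl = ttl
        self.entries = {}    # ip -> (mac, learned_at)
        self.alerts = []

    def _expire(self, now: float):
        self.entries = {ip: e for ip, e in self.entries.items() if now - e[1] < self.ttl}

    def learn(self, pkt: ArpPacket, now: float):
        self._expire(now)
        if pkt.sender_ip == "0.0.0.0":      # ARP probe: the sender has no address yet, nothing to map
            return
        cached = self.entries.get(pkt.sender_ip)
        if cached and cached[0] != pkt.sender_mac:
            self.alerts.append(f"{pkt.sender_ip}: cached {cached[0]}, now claimed by {pkt.sender_mac}")
        self.entries[pkt.sender_ip] = (pkt.sender_mac, now)

    def lookup(self, ip: str, now: float):
        self._expire(now)
        e = self.entries.get(ip)
        return e[0] if e else None


def demo():
    """Constructed traffic: A asks for B, B replies, and later a third MAC claims B's address."""
    a, b, c = "00-11-22-33-44-55", "66-77-88-99-AA-BB", "CC-DD-EE-FF-00-11"
    frames = [
        (0, build_arp_frame(ARP_REQUEST, a, "192.168.1.10", "00-00-00-00-00-00", "192.168.1.20")),
        (1, build_arp_frame(ARP_REPLY, b, "192.168.1.20", a, "192.168.1.10", dst_mac=a)),
        (5, build_arp_frame(ARP_REPLY, c, "192.168.1.20", a, "192.168.1.10", dst_mac=a)),
    ]
    cache = ArpCache()
    for t, frame in frames:
        cache.learn(parse_arp_frame(frame), now=t)
    return cache
```

Because the table only learns from the sender fields, a probe from a computer that has no address yet never creates an entry, and the single alert produced by demo() is the one a monitor on the segment would want to see: the address 192.168.1.20 answered from two different MAC addresses within the table's lifetime.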


Without an IP address a computer cannot communicate using IP traffic, so before it can start communicating with the IP protocol it needs to know which IP address to use as its own. An IP address can be assigned manually. This works fine if the computer is always used on the same network and is kept active. But if the computer needs to change networks from time to time and has a statically (manually) assigned IP address, there is no way for the computer to know whether that address is already in use by another computer, or whether it is even in a valid range on the other networks.


DHCP (Dynamic Host Configuration Protocol) - To solve this problem there is a mechanism called DHCP (Dynamic Host Configuration Protocol). It involves a server on the network, usually called the DHCP server. DHCP servers often reside in routers; the router can be a simple broadband firewall/router, or a computer on the network that has been assigned the task of acting as DHCP server. To acquire a valid IP address, a computer asks the DHCP server for an address to use.


DHCP IP address hand-out


DHCP Server - When a computer connects to the network, it first has to ask whether there is a DHCP server available that is willing to hand out valid IP addresses. The connecting computer sends out a DHCP-DISCOVER packet. The DHCP protocol (a variant of the BOOTP protocol) uses broadcast packets that reach all computers on the network. Each DHCP server then replies by sending a DHCP-OFFER packet.

Some networks have multiple DHCP servers, and all of them will send a DHCP-OFFER packet if they have IP addresses to hand out. The connecting computer may choose freely between the offers; it picks one and asks for the address by sending a DHCP-REQUEST to that DHCP server. The DHCP server then replies with a DHCP-ACK packet that tells the connecting computer which IP address it may use.


Gratuitous ARP - The connecting computer cannot be sure that the IP address just handed out by the DHCP server can be used before asking all the other computers on the network. This is because the DHCP server has no control over computers that have been manually assigned static IP addresses. The connecting computer therefore sends out a "provoking" ARP (Gratuitous ARP) packet, claiming the IP address. If another computer already uses this IP address, it sends out an "already in use" ARP packet, defending its IP address and letting the connecting computer know that the address is taken.


ARP Probe - The provoking ARP is a rather "strong" way of claiming an IP address. The connecting computer may instead use a gentler variant called an ARP "probe". As with the provoking ARP, if the address is already in use, an ARP reply is sent to defend the IP address.


If the IP address is already in use - If the IP address is already in use by another computer, the connecting computer cannot use the address handed out by the DHCP server. It informs the DHCP server by sending a DHCP-DECLINE packet, telling the server that it does not accept this address. The connecting computer then starts all over again: it finds a DHCP server and asks for an IP address.
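The whole sequence described above (DISCOVER, OFFER from every server, REQUEST, ACK, the ARP check, and DECLINE followed by a fresh start) as a small simulation added here; it is not ProPrat's code. DhcpServer, acquire_address, the address pools and the client MAC address are constructed for the example; the gratuitous ARP / ARP probe is reduced to a lookup in a set of addresses already in use on the segment (including a statically configured one the server does not know about); and DHCP-NAK, which RFC 2131 defines but the text does not cover, is what a server answers when it cannot grant a request.

```python
from dataclasses import dataclass, field


@dataclass
class DhcpServer:
    """A DHCP server with a pool of addresses it may hand out (constructed for the example)."""
    name: str
    pool: list
    leases: dict = field(default_factory=dict)   # client MAC -> leased IP
    declined: set = field(default_factory=set)   # addresses a client reported as already in use

    def _free(self):
        taken = set(self.leases.values()) | self.declined
        return [ip for ip in self.pool if ip not in taken]

    def on_discover(self, client_mac):
        """Answer a broadcast DHCP-DISCOVER with a DHCP-OFFER, or stay silent when out of addresses."""
        free = self._free()
        if not free:
            return None
        return {"type": "OFFER", "server": self.name, "ip": free[0], "client": client_mac}

    def on_request(self, client_mac, ip):
        """Answer a DHCP-REQUEST for one of our free addresses with DHCP-ACK, otherwise DHCP-NAK."""
        if ip in self._free():
            self.leases[client_mac] = ip
            return {"type": "ACK", "server": self.name, "ip": ip, "client": client_mac}
        return {"type": "NAK", "server": self.name, "ip": ip, "client": client_mac}

    def on_decline(self, client_mac, ip):
        """DHCP-DECLINE: the client found the address in use on the segment; stop offering it."""
        self.leases.pop(client_mac, None)
        self.declined.add(ip)


def address_in_use(ip, hosts_on_segment):
    """Stand-in for the gratuitous ARP / ARP probe: any host already using the address
    (statically configured ones included) would defend it with an ARP reply."""
    return ip in hosts_on_segment


def acquire_address(client_mac, servers, hosts_on_segment, max_rounds=5):
    """Run DISCOVER -> OFFER -> REQUEST -> ACK -> ARP check, declining and starting over when
    the check shows the address is taken. Returns (ip or None, transcript of packets)."""
    transcript = []
    for _ in range(max_rounds):
        transcript.append(("client", "DISCOVER", "broadcast", None))
        offers = []
        for server in servers:
            offer = server.on_discover(client_mac)
            if offer:
                offers.append(offer)
                transcript.append((server.name, "OFFER", client_mac, offer["ip"]))
        if not offers:
            break                          # no server has anything left to hand out
        chosen = offers[0]                 # the client may pick any offer; the first one here
        server = next(s for s in servers if s.name == chosen["server"])
        transcript.append(("client", "REQUEST", server.name, chosen["ip"]))
        reply = server.on_request(client_mac, chosen["ip"])
        transcript.append((server.name, reply["type"], client_mac, reply["ip"]))
        if reply["type"] != "ACK":
            continue
        if address_in_use(reply["ip"], hosts_on_segment):
            transcript.append(("client", "DECLINE", server.name, reply["ip"]))
            server.on_decline(client_mac, reply["ip"])
            continue                       # start all over again with a new DISCOVER
        hosts_on_segment.add(reply["ip"])  # the address is now ours; we will defend it from now on
        return reply["ip"], transcript
    return None, transcript


def demo():
    """Constructed scenario: two servers, and a printer on static 192.168.1.10 that server-A
    knows nothing about, so its first offer is declined and the next round succeeds."""
    servers = [DhcpServer("server-A", ["192.168.1.10", "192.168.1.11"]),
               DhcpServer("server-B", ["192.168.1.50"])]
    hosts = {"192.168.1.1", "192.168.1.10"}
    return acquire_address("00-11-22-33-44-55", servers, hosts), servers
```

Reading the transcript returned by demo() shows the two rounds: the first ends in a DECLINE for 192.168.1.10, after which server-A stops offering that address and the client ends up with 192.168.1.11. A pool made up entirely of addresses that are in use statically ends with no address at all once every candidate has been declined.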


Share files and printers on the network - What has been discussed so far are the fundamental functions and building blocks of how modern networking works on an Ethernet network. Once an IP address has been accepted by the network, other functions such as sharing network resources can be set up and started.


NetBIOS - One mechanism for sharing network resources that has been around for many years is NetBIOS (Network Basic Input Output System). NetBIOS was developed by IBM. The basic NetBIOS functions do not need or rely on the IP protocol, but they have since migrated to IP traffic (now called NetBT, NetBIOS over TCP/IP) and are bundled into something called SMB (Server Message Block), later extended by Microsoft to become CIFS (Common Internet File System).


CIFS - CIFS is what today's computers use to share their resources on the network. In Microsoft Windows, when you use Windows Explorer and open "My Network Places" - "Entire Network" - "Microsoft Windows Network"... you are using the CIFS protocol and its functionality to browse and connect to other computers on the network.


Naming - One of the fundamental functions in the CIFS protocol is how computers are given names. This functionality still uses the name registration procedure from the NetBIOS/NetBT protocol. There are similarities between how ARP and IP addresses are negotiated and how NetBIOS/NetBT name negotiation works. When a connecting computer announces its name, a series of name registration packets are sent. These packets are broadcast, so every other computer on the network hears the announcements. It is then up to the computers on the network to defend their names if the connecting computer claims another computer's name. When the connecting computer receives a name-defending NetBIOS/NetBT packet from another computer, it is not allowed to keep using that name.
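As an added illustration of the naming procedure, not taken from the page or from LANeye: the first-level name encoding from RFC 1001 that NetBT carries on the wire (each byte of the space-padded 16-byte name becomes two letters in the range A-P), and a broadcast segment in which a claimed name is defended by its current owner with a NEGATIVE NAME REGISTRATION RESPONSE, after which the claimant must not use it. The 16th "suffix" byte of the name, the class and method names, and the MAC addresses in demo() are assumptions made for the example.

```python
def netbios_encode_name(name: str, suffix: int = 0x00) -> str:
    """RFC 1001 first-level encoding: the name is upper-cased and space-padded to 15 bytes,
    a 16th 'suffix' byte is appended, and every byte is written as two letters:
    'A' + high nibble followed by 'A' + low nibble. "FRED" with a space suffix becomes
    EGFCEFEECACACACACACACACACACACACA, the example given in the RFC."""
    if len(name) > 15 or not name.isascii():
        raise ValueError("NetBIOS names are at most 15 ASCII characters")
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix & 0xFF])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def netbios_decode_name(encoded: str):
    """Inverse of netbios_encode_name; returns (name, suffix)."""
    if len(encoded) != 32 or any(c < "A" or c > "P" for c in encoded):
        raise ValueError("expected 32 characters in the range A-P")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


class NameSegment:
    """A broadcast segment seen from the name registration side (B-node behaviour, RFC 1001):
    a claimant broadcasts a NAME REGISTRATION REQUEST for the encoded name; a host that already
    owns that name answers with a NEGATIVE NAME REGISTRATION RESPONSE, and the claimant must then
    not use the name. Every packet is appended to self.log as (sender MAC, packet, encoded name)."""

    def __init__(self):
        self.owners = {}        # encoded name -> MAC address of the host that owns it
        self.log = []

    def register(self, claimant_mac: str, name: str, suffix: int = 0x00) -> bool:
        encoded = netbios_encode_name(name, suffix)
        self.log.append((claimant_mac, "NAME REGISTRATION REQUEST", encoded))
        owner = self.owners.get(encoded)
        if owner is not None and owner != claimant_mac:
            self.log.append((owner, "NEGATIVE NAME REGISTRATION RESPONSE", encoded))
            return False         # defended: the claimant may not keep using the name
        self.owners[encoded] = claimant_mac
        return True

    def owner_of(self, name: str, suffix: int = 0x00):
        return self.owners.get(netbios_encode_name(name, suffix))


def demo():
    """Constructed sequence of claims on one segment with two computers."""
    seg = NameSegment()
    results = [
        seg.register("00-11-22-33-44-55", "fred"),      # first claim of a free name succeeds
        seg.register("66-77-88-99-AA-BB", "FRED"),      # same name (names are case-insensitive): defended
        seg.register("66-77-88-99-AA-BB", "WILMA"),     # a free name succeeds
        seg.register("00-11-22-33-44-55", "FRED"),      # re-registering your own name is not a conflict
    ]
    return results, seg
```

The encoder is the part worth keeping around: when a name registration shows up in a capture it is the 32-letter encoded form that is on the wire, and decoding it is how you find out which name a connecting computer is claiming.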



How will LANeye benefit from this?

LANeye uses defending ARP to deny connecting computers a valid IP address. LANeye listens to the network traffic and hears all ARP packets. If a connecting computer sends out a "provoking" ARP and the connecting computer's MAC address is not on the familiar list, LANeye sends out a defending ARP, claiming that the IP address the connecting computer is asking for is already in use (even if that is not really true).

LANeye does not care which IP address the connecting computer asks for. As long as the computer is not a familiar computer, LANeye will send defending ARPs.

When LANeye sends the defending packet it uses a made-up MAC address. A defending packet must contain the MAC address that identifies the defending computer. In LANeye "Advanced Settings" there is a setting called "Twilight zone" that holds the MAC address LANeye uses when sending defending packets.


Defending packets are only sent when a computer tries to connect to the network. Once a computer has successfully connected to the network, LANeye will not "throw out" any computer from the network.


LANeye uses name-defending NetBIOS packets to keep connecting computers from becoming part of the local network. Without a name there is no CIFS functionality: computers and other shared resources will not show up in Windows Explorer, and resources can neither be shared nor accessed. If IP address blocking is turned off but NetBIOS blocking is on, a connecting computer will get a valid IP address but not a valid NetBIOS name. It will be able to surf the Internet but not access shared files, printers and other shared resources.
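The familiar-list rule of this section, written out as decision logic; this is an added example modelled on the description above, not LANeye's own code. classify_arp tells the "provoking" (gratuitous) ARP and the ARP probe from ordinary requests and replies, as the Gratuitous ARP and ARP Probe paragraphs describe them, and FamiliarGate returns "defend" or "ignore" for each address or name claim, with separate switches for the IP address and NetBIOS blocking so the "valid IP address but no name" configuration can be checked. No packet is built or sent; the class, field and function names and the MAC addresses in demo() are assumptions.

```python
from dataclasses import dataclass


@dataclass
class ArpClaim:
    """The fields of an already parsed ARP packet that the decision needs."""
    opcode: int         # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_ip: str


def normalize_mac(mac: str) -> str:
    """Familiar lists are typed by hand: accept 00:11:22:33:44:55, 00-11-..., 001122334455
    and mixed case, so a known computer is not treated as a stranger over a formatting difference."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify_arp(claim: ArpClaim) -> str:
    """Tell a normal request/reply from the two kinds of address claim described in the text."""
    if claim.opcode == 1 and claim.sender_ip == "0.0.0.0":
        return "probe"            # ARP probe: the sender has no address yet and asks about the one it wants
    if claim.sender_ip == claim.target_ip:
        return "gratuitous"       # "provoking" ARP: the sender announces the address as its own
    return "request" if claim.opcode == 1 else "reply"


class FamiliarGate:
    """Address claims and name claims from MAC addresses not on the familiar list get the answer
    "defend"; everything else is "ignore". Only claims are looked at, so a computer that is
    already connected is never thrown out, matching the behaviour described in the text."""

    def __init__(self, familiar_macs, block_ip=True, block_names=True):
        self.familiar = {normalize_mac(m) for m in familiar_macs}
        self.block_ip = block_ip          # the defending-ARP part
        self.block_names = block_names    # the name-defending NetBIOS part
        self.decisions = []               # (MAC, what was claimed, action) for review

    def _record(self, mac, event, action):
        self.decisions.append((normalize_mac(mac), event, action))
        return action

    def on_arp(self, claim: ArpClaim) -> str:
        kind = classify_arp(claim)
        if kind not in ("probe", "gratuitous"):
            return self._record(claim.sender_mac, kind, "ignore")
        if normalize_mac(claim.sender_mac) in self.familiar or not self.block_ip:
            return self._record(claim.sender_mac, kind, "ignore")
        # here the product would answer with a defending ARP for claim.target_ip
        return self._record(claim.sender_mac, f"{kind}:{claim.target_ip}", "defend")

    def on_name_claim(self, mac: str, name: str) -> str:
        if normalize_mac(mac) in self.familiar or not self.block_names:
            return self._record(mac, f"name:{name}", "ignore")
        # here the product would answer with a name-defending NetBIOS packet
        return self._record(mac, f"name:{name}", "defend")


def demo():
    """Constructed traffic against a familiar list holding one known laptop."""
    gate = FamiliarGate(["00:11:22:33:44:55"])
    known, unknown = "00-11-22-33-44-55", "66-77-88-99-AA-BB"
    return [
        gate.on_arp(ArpClaim(1, known, "192.168.1.10", "192.168.1.10")),      # familiar: ignore
        gate.on_arp(ArpClaim(1, unknown, "0.0.0.0", "192.168.1.77")),         # probe: defend
        gate.on_arp(ArpClaim(2, unknown, "192.168.1.77", "192.168.1.77")),    # gratuitous: defend
        gate.on_arp(ArpClaim(1, unknown, "192.168.1.77", "192.168.1.1")),     # plain request: ignore
        gate.on_name_claim(unknown, "INTRUDER-PC"),                          # name claim: defend
    ], gate
```

The decisions list is the piece a practitioner would actually keep: it is the audit trail of which MAC addresses were turned away and what they asked for, which is what you review before adding a computer to the familiar list. Note that the gate is keyed on MAC addresses alone, as the text describes, so its strength is exactly the strength of that list.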





External Links

OUI assignment by IEEE - IEEE assigns MAC-address ranges
DHCP spec RFC2131 - at RFC-Editor.org
ARP spec RFC826 - at RFC-Editor.org
NetBT spec RFC1001 - at RFC-Editor.org
NetBT detailed spec RFC1002 - at RFC-Editor.org

Copyright © 2003-2017 ProPrat, Stockholm Sweden | www.proprat.com