153


Figure 6.3 IP address example.
Binary
When decimal numbers are entered into the computer, the system converts these into binary format,
0s and 1s, which basically correlate to electrical charges—charged versus uncharged. IP addresses,
for example, are subnetted and calculated with binary notation. An example of an IP address with 24
bits in the mask is shown in Figure 6.3.
The first octet (206) indicates a Class C (Internet-assigned) IP address range with the format
network.network.network.host, with a standard mask binary indicating 255.255.255.0. This means
that we have 8 bits in the last octet for hosts.
The 8 bits that make up the last, or fourth, octet are understood by infrastructure equipment such as
routers and software in the following manner:
Bit: 1 2 3 4 5 6 7 8
Value: 128 64 32 16 8 4 2 1 = 255 (254 usable hosts)
In this example of a full Class C, we only have 254 usable IP addresses for hosts; 0 and 255 cannot
be used as host addresses since the network number is 0 and the broadcast address is 255.
Note that when a bit is used, we indicate it with a 1:
3 Bits: 1 1 1
Value: 128 64 32 16 8 4 2 1
When a bit is not used, we indicate this with a 0:
3 Bits: 0 0 0 0 0
Value: 128 64 32 16 8 4 2 1
As a result:
3 Bits: 1 1 1 0 0 0 0 0
Value: 128 64 32 16 8 4 2 1
We add the decimal value of the used bits: 128 + 64 + 32 = 224. This means that the binary value
11100000 equates to the decimal value 224.

DECIMAL BINARY
224 11100000


154

Hex
The hexadecimal system is a form of binary shorthand. Internetworking equipment such as routers
use this format while formulating headers to easily indicate Token Ring numbers, bridge numbers,
networks, and so on, to reduce header sizes and transmission congestion. Typically, hex is derived
from the binary format, which is derived from decimal. Hex was designed so that the 8 bits in the
binary 11100000 (Decimal=224) will equate to only two hex characters, each representing 4 bits.
To clarify, take a look at the binary value for 224 again:
• 1110000
In hex, we break this 8-bit number into 4-bit pairs:
• 11100000
Each bit in the 4-bit pairs has a decimal value, starting from left to right: 8 then 4 then 2 then 1 for
the last bit:
8 4 2 1 8 4 2 1
1 1 1 0 0 0 0 0
Now we add the bits that are ‘‘on,” or that have a 1 in each of the 4-bit pairs:
8 4 2 1 = 8 + 4 + 2 + 0 = 14 8 4 2 1 = 0 + 0 + 0 + 0 = 0
1 1 1 0 0 0 0 0
In this example, the decimal values that represent the hex characters in each of the 4-bit pairs are 14
and 0. To convert these to actual hex, use Table 6.2. Using this chart, the hex conversion for the
decimals 14 and 0 (14 for the first 4-bit pair and 0 for the second 4-bit pair) = e0.
Let’s look at one more example: We’ll convert the decimal number 185 to binary:
Bits: 1 0 1 1 1 0 0 1
Value:


128 64 32 16 8 4 2 1 = 185
Binary for 185:
10111001 (bits indicated
above)
Table 6.2 Decimal-to-Hex Conversion Table
DECIMAL HEX DECIMAL HEX
0 0 8 8
1 1 9 9
2 2 10 a
3 3 11 b
4 4 12 c


155

5 5 13 d
6 6 14 e
7 7 15 f
Then we’ll convert the binary number 10111001 indicated , to hex, which we break into 4-bit pairs:
• 1011 1001
Each bit in the 4-bit pairs has a decimal value, starting from left to right: 8 then 4 then 2 then 1 for
the last bit:
• 8 4 2 18 4 2 1
• 1 0 1 11 0 0 1
Now we add the bits that have a 1 in each of the 4-bit pairs:
8 4 2 1 = 8 + 0 + 2 + 1 = 11 8 4 2 1 = 8 + 0 + 0 + 1 = 9
1 0 1 1 1 0 0 1
Using the hex chart, the hex conversion for the decimals 11 and 9 (11 for the first 4-bit pair and 9 for
the second 4-bit pair) = b9, as shown here:
DECIMAL BINARY HEX

185 10111001 b9
224 11100000 e0
For quick reference, refer to Table 6.3 for decimal, binary, and hex conversions.
Table 6.3 Decimal, Binary, Hex Conversion Table
DECIMAL BINARY HEX
0 0000 0
1 0001 1
2 0010 2
3 0011 3
4 0100 4
5 0101 5
6 0110 6
7 0111 7
8 1000 8


156

9 1001 9
10 1010 a
11 1011 b
12 1100 c
13 1101 d
14 1110 e
15 1111 f
16 0001 0000 10
17 0001 0001 11
18 0001 0010 12
19 0001 0011 13
20 0001 0100 14

21 0001 0101 15
22 0001 0110 16
23 0001 0111 17
24 0001 1000 18
25 0001 1001 19
26 0001 1010 1a
27 0001 1011 1b
28 0001 1100 1c
29 0001 1101 1d
30 0001 1110 1e
31 0001 1111 1f
32 0010 0000 20
33 0010 0001 21
34 0010 0010 22
35 0010 0011 23
36 0010 0100 24


157

37 0010 0101 25
38 0010 0110 26
39 0010 0111 27
40 0010 1000 28
41 0010 1001 29
42 0010 1010 2a
43 0010 1011 2b
44 0010 1100 2c
45 0010 1101 2d
46 0010 1110 2e

47 0010 1111 2f
48 0011 0000 30
49 0011 0001 31
50 0011 0010 32
51 0011 0011 33
52 0011 0100 34
53 0011 0101 35
54 0011 0110 36
55 0011 0111 37
56 0011 1000 38
57 0011 1001 39
58 0011 1010 3a
59 0011 1011 3b
60 0011 1100 3c
61 0011 1101 3d
62 0011 1110 3e
63 0011 1111 3f
64 0100 0000 40


158

65 0100 0001 41
66 0100 0010 42
67 0100 0011 43
68 0100 0100 44
69 0100 0101 45
70 0100 0110 46
71 0100 0111 47
72 0100 1000 48

73 0100 1001 49
74 0100 1010 4a
75 0100 1011 4b
76 0100 1100 4c
77 0100 1101 4d
78 0100 1110 4e
79 0100 1111 4f
80 0101 0000 50
81 0101 0001 51
82 0101 0010 52
83 0101 0011 53
84 0101 0100 54
85 0101 0101 55
86 0101 0110 56
87 0101 0111 57
88 0101 1000 58
89 0101 1001 59
90 0101 1010 5a
91 0101 1011 5b
92 0101 1100 5c


159

93 0101 1101 5d
94 0101 1110 5e
95 0101 1111 5f
96 0110 0000 60
97 0110 0001 61
98 0110 0010 62

99 0110 0011 63
100 0110 0100 64
101 0110 0101 65
102 0110 0110 66
103 0110 0111 67
104 0110 1000 68
105 0110 1001 69
106 0110 1010 6a
107 0110 1011 6b
108 0110 1100 6c
109 0110 1101 6d
110 0110 1110 6e
111 0110 1111 6f
112 0111 0000 70
113 0111 0001 71
114 0111 0010 72
115 0111 0011 73
116 0111 0100 74
117 0111 0101 75
118 0111 0110 76
119 0111 0111 77
120 0111 1000 78


160

121 0111 1001 79
122 0111 1010 7a
123 0111 1011 7b
124 0111 1100 7c

125 0111 1101 7d
126 0111 1110 7e
127 0111 1111 7f
128 1000 0000 80
129 1000 0001 81
130 1000 0010 82
131 1000 0011 83
132 1000 0100 84
133 1000 0101 85
134 1000 0110 86
135 1000 0111 87
136 1000 1000 88
137 1000 1001 89
138 1000 1010 8a
139 1000 1011 8b
140 1000 1100 8c
141 1000 1101 8d
142 1000 1110 8e
143 1000 1111 8f
144 1001 0000 90
145 1001 0001 91
146 1001 0010 92
147 1001 0011 93
148 1001 0100 94


161

149 1001 0101 95
150 1001 0110 96

151 1001 0111 97
152 1001 1000 98
153 1001 1001 99
154 1001 1010 9a
155 1001 1011 9b
156 1001 1100 9c
157 1001 1101 9d
158 1001 1110 9e
159 1001 1111 9f
160 1010 0000 a0
161 1010 0001 a1
162 1010 0010 a2
163 1010 0011 a3
164 1010 0100 a4
165 1010 0101 a5
166 1010 0110 a6
167 1010 0111 a7
168 1010 1000 a8
169 1010 1001 a9
170 1010 1010 aa
171 1010 1011 ab
172 1010 1100 ac
173 1010 1101 ad
174 1010 1110 ae
175 1010 1111 af
176 1011 0000 b0


162


177 1011 0001 b1
178 1011 0010 b2
179 1011 0011 b3
180 1011 0100 b4
181 1011 0101 b5
182 1011 0110 b6
183 1011 0111 b7
184 1011 1000 b8
185 1011 1001 b9
186 1011 1010 ba
187 1011 1011 bb
188 1011 1100 bc
189 1011 1101 bd
190 1011 1110 be
191 1011 1111 bf
192 1100 0000 c0
193 1100 0001 c1
194 1100 0010 c2
195 1100 0011 c3
196 1100 0100 c4
197 1100 0101 c5
198 1100 0110 c6
199 1100 0111 c7
200 1100 1000 c8
201 1100 1001 c9
202 1100 1010 ca
203 1100 1011 cb
204 1100 1100 cc



163

205 1100 1101 cd
206 1100 1110 ce
207 1100 1111 cf
208 1101 0000 d0
209 1101 0001 d1
210 1101 0010 d2
211 1101 0011 d3
212 1101 0100 d4
213 1101 0101 d5
214 1101 0110 d6
215 1101 0111 d7
216 1101 1000 d8
217 1101 1001 d9
218 1101 1010 da
219 1101 1011 db
220 1101 1100 dc
221 1101 1101 dd
222 1101 1110 de
223 1101 1111 df
224 1110 0000 e0
225 1110 0001 e1
226 1110 0010 e2
227 1110 0011 e3
228 1110 0100 e4
229 1110 0101 e5
230 1110 0110 e6
231 1110 0111 e7
232 1110 1000 e8



164

233 1110 1001 e9
234 1110 1010 ea
235 1110 1011 eb
236 1110 1100 ec
237 1110 1101 ed
238 1110 1110 ee
239 1110 1111 ef
240 1111 0000 f0
241 1111 0001 f1
242 1111 0010 f2
243 1111 0011 f3
244 1111 0100 f4
245 1111 0101 f5
246 1111 0110 f6
247 1111 0111 f7
248 1111 1000 f8
249 1111 1001 f9
250 1111 1010 fa
251 1111 1011 fb
252 1111 1100 fc
253 1111 1101 fd
254 1111 1110 fe
255 1111 1111 ff
Protocol Performance Functions
To control the performance of session services, distinctive protocol functions were developed and
utilized to accommodate the following communication mechanics:

• Maximum Transmission Unit (MTU). The MTU is simply the maximum frame byte size
that can be transmitted from a network interface card (NIC) across a communication medium.
The most common standard MTU sizes include:


165

Ethernet = 1500
Token Ring = 4464
FDDI = 4352
ISDN = 576
SLIP = 1006
PPP = 1500
• Handshaking. During a session setup, the handshaking process provides control information
exchanges, such as link speed, from end to end.
• Windowing. With this function, end-to-end nodes agree upon the number of packets to be
sent per transmission, called the window size. For example, with a window size of three, the
source station will transmit three segments, and then wait for an acknowledgment from the
destination. Upon receiving the acknowledgment, the source station will send three more
segments, and so on.
• Buffering. Internetworking equipment such as routers use this technique as memory storage
for incoming requests. Requests are allowed to come in as long as there is enough buffer
space (memory address space) available. When this space runs out (buffers are full), the
router will begin to drop packets.
• Source Quenching. In partnership with buffering, under source quenching, messages sent to
a source node as the receiver’s buffers begin to reach capacity. Basically, the receiving router
sends time-out messages to the sender alerting it to slow down until buffers are free again.
• Error Checking. Error checking is typically performed during connection-oriented sessions,
in which each packet is examined for missing bytes. The primary values involved in this
process are checksums. With this procedure, a sending station calculates a checksum value

and transmits the packet. When the packet is received, the destination station recalculates the
value to see if there is a checksum match. If a match is made, the receiving station processes
the packet; if, on the other hand, there was an error in transmission, and the checksum
recalculation does not match, the sender is prompted for packet retransmission.
Networking Technologies
Media Access Control Addressing and Vendor Codes
As discussed in previous chapters, the media access control (MAC) address is defined in the MAC
sublayer of the Data Link layer of the OSI model. The MAC address identifies the physical hardware
network interface and is programmed in read-only memory (ROM). Each interface must have a
unique address in order to participate on communication mediums, primarily on its local network.
MAC addresses play an important role in the IPX protocol as well (see Chapter 2). The address itself
is 6 bytes, or 48 bits, in length and is divided in the following manner:
• The first 24 bits equals the manufacturer or vendor code.
• The last 24 bits equals a unique serial number assigned by the vendor.
The manufacturer or vendor code is an important indicator to any hacker. This code facilitates target
station discovery, as it indicates whether the interface may support passive mode for implementing a
stealth sniffer, which programmable functions are supported (duplex mode, media type), and so on.


166

During the discovery phase of an analysis, refer to the codes listed in Appendix G on page 877 when
analyzing MAC vendor groups in sniffer captures.
Ethernet
For quick frame resolution reference during sniffer capture analyses, refer to the four Ethernet frame
formats and option specifications shown in Figure 6.4. Their fields are described here:
Preamble. Aids in the synchronization between sender and receiver(s).
Destination Address. The address of the receiving station.
Source Address. The address of the sending station.
Frame Type. Specifies the type of data in the frame, to determine which protocol software module

should be used for processing. An Ethernet type quick reference is given in Table 6.4.

Figure 6.4 Ethernet frame formats.
Table 6.4 Ethernet Type Reference
ETHERNET

DECIMAL

HEX

DECIMAL
ETHERNET
OCTAL

DESCRIPTION
0000 0000–05DC – – IEEE802.3 Length
Field
0257 0101–01FF – – Experimental
0512 0200 512 1000 XEROX PUP
0513 0201 – – PUP Address
Translation


167

0400 – – Nixdorf
1536 0600 1536 3000 XEROX NS IDP
0660 – – DLOG
0661 – – DLOG
2048 0800 513 1001 Internet IP (IPv4)

2049 0801 – – X.75 Internet
2050 0802 – – NBS Internet
2051 0803 – – ECMA Internet
2052 0804 – – Chaosnet
2053 0805 – – X.25 Level 3
2054 0806 – – ARP
2055 0807 – – XNS Compatability
2056 0808 – – Frame Relay ARP
2076 081C – – Symbolics Private
2184 0888–088A – – Xyplex
2304 0900 – – Ungermann–Bass Net
Debugger
2560 0A00 – – Xerox IEEE802.3 PUP
2561 0A01 – – PUP Address
Translation
2989 0BAD – – Banyan VINES
2990 0BAE – – VINES Loopback
2991 0BAF – – VINES Echo
4096 1000 – – Berkeley Trailer nego
4097 1001–100F – – Berkeley Trailer
encap/IP
5632 1600 – – Valid Systems
16962 4242 – – PCS Basic Block
Protocol
21000 5208 – – BBN Simnet


168

24576 6000 – – DEC Unassigned

(Exp.)
24577 6001 – – DEC MOP
Dump/Load
24578 6002 – – DEC MOP Remote
Console
24579 6003 – – DEC DECNET Phase
IV Route
24580 6004 – – DEC LAT
24581 6005 – – DEC Diagnostic
Protocol
24582 6006 – – DEC Customer
Protocol
24583 6007 – – DEC LAVC, SCA
24584 6008–6009 – – DEC Unassigned
24586 6010–6014 – – 3Com Corporation
25944 6558 – – Trans Ether Bridging
25945 6559 – – Raw Frame Relay
28672 7000 – – Ungermann–Bass
download
28674 7002 – – Ungermann–Bass
dia/loop
28704 7020–7029 – – LRT
28720 7030 – – Proteon
28724 7034 – – Cabletron
32771 8003 – – Cronus VLN
32772 8004 – – Cronus Direct
32773 8005 – – HP Probe
32774 8006 – – Nestar
32776 8008 – – AT&T
32784 8010 – – Excelan

32787 8013 – – SGI Diagnostics


169

32788 8014 – – SGI Network Games
32789 8015 – – SGI Reserved
32790 8016 – – SGI Bounce Server
32793 8019 – – Apollo Domain
32815 802E – – Tymshare
32816 802F – – Tigan, Inc.
32821 8035 – – Reverse ARP
32822 8036 – – Aeonic Systems
32824 8038 – – DEC LANBridge
32825 8039–803C – – DEC Unassigned
32829 803D – – DEC Ethernet
Encryption
32830 803E – – DEC Unassigned
32831 803F – – DEC LAN Traffic
Monitor
32832 8040–8042 – – DEC Unassigned
32836 8044 – – Planning Research
Corp.
32838 8046 – – AT&T
32839 8047 – – AT&T
32841 8049 – – ExperData
32859 805B – – Stanford V Kernel
exp.
32860 805C – – Stanford V Kernel
prod.

32861 805D – – Evans & Sutherland
32864 8060 – – Little Machines
32866 8062 – – Counterpoint
Computers
32869 8065 – – Univ. of Mass. @
Amherst
32870 8066 – –
Univ. of Mass. @


170

Amherst
32871 8067 – – Veeco Integrated
Auto.
32872 8068 – – General Dynamics
32873 8069 – – AT&T
32874 806A – – Autophon
32876 806C – – ComDesign
32877 806D – – Computgraphic Corp.
32878 806E–8077 – – Landmark Graphics
Corp.
32890 807A – – Matra
32891 807B – – Dansk Data Elektronik
32892 807C – – Merit Internodal
32893 807D–807F – – Vitalink
Communications
32896 8080 – – Vitalink TransLAN III
32897 8081–8083 – – Counterpoint
Computers

32923 809B – – Appletalk
32924 809C–809E – – Datability
32927 809F – – Spider Systems Ltd.
32931 80A3 – – Nixdorf Computers
32932 80A4–80B3 – – Siemens Gammasonics
Inc.
32960 80C0–80C3 – – DCA Data Exchange
Cluster
32964 80C4 – – Banyan Systems
32965 80C5 – – Banyan Systems
32966 80C6 – – Pacer Software
32967 80C7 – – Applitek Corporation
32968 80C8–80CC – – Intergraph Corporation


171

32973 80CD–80CE – – Harris Corporation
32975 80CF–80D2 – – Taylor Instrument
32979 80D3–80D4 – – Rosemount
Corporation
32981 80D5 – – IBM SNA Service on
Ether
32989 80DD – – Varian Associates
32990 80DE–80DF – – Integrated Solutions
TRFS
32992 80E0–80E3 – – Allen–Bradley
32996 80E4–80F0 – – Datability
33010 80F2 – – Retix
33011 80F3 – – AppleTalk AARP

(Kinetics)
33012 80F4–80F5 – – Kinetics
33015 80F7 – – Apollo Computer
33023 80FF–8103 – – Wellfleet
Communications
33031 8107–8109 – – Symbolics Private
33072 8130 – – Hayes
Microcomputers
33073 8131 – – VG Laboratory
Systems
33074 8132–8136 – – Bridge
Communications
33079 8137–8138 – – Novell, Inc.
33081 8139–813D – – KTI
8148 – – Logicraft
8149 – – Network Computing
Devices
814A – – Alpha Micro
33100 814C – – SNMP
814D – – BIIN


172

814E – – BIIN
814F – – Technically Elite
oncept
8150 – – Rational Corp
8151–8153 – – Qualcomm
815C–815E – – Computer Protocol Pty

Ltd
8164–8166 – – Charles River Data
System
817D – – XTP
817E – – SGI/Time Warner
prop.
8180 – – HIPPI–FP
encapsulation
8181 – – STP, HIPPI–ST
8182 – – Reserved for HIPPI–
6400
8183 – – Reserved for HIPPI–
6400
8184–818C – – Silicon Graphics prop.
818D – – Motorola Computer
819A–81A3 – – Qualcomm
81A4 – – ARAI Bunkichi
81A5–81AE – – RAD Network
Devices
81B7–81B9 – – Xyplex
81CC–81D5 – – Apricot Computers
81D6–81DD – – Artisoft
81E6–81EF – – Polygon
81F0–81F2 – – Comsat Labs
81F3–81F5 – – SAIC
81F6–81F8 – – VG Analytical


173


8203–8205 – – Quantum Software
8221–8222 – – Ascom Banking
Systems
823E–8240 – – Advanced Encryption
Syste
827F–8282 – – Athena Programming
8263–826A – – Charles River Data
System
829A–829B – – Inst Ind Info Tech
829C–82AB – – Taurus Controls
82AC–8693 – – Walker Richer &
Quinn
8694–869D – – Idea Courier
869E–86A1 – – Computer Network
Tech
86A3–86AC – – Gateway
Communications
86DB – – SECTRA
86DE – – Delta Controls
86DD – – IPv6
34543 86DF – – ATOMIC
86E0–86EF – – Landis & Gyr Powers
8700–8710 – – Motorola
34667 876B – – TCP/IP Compression
34668 876C – – IP Autonomous
Systems
34669 876D – – Secure Data
880B – – PPP
8847 – – MPLS Unicast
8848 – – MPLS Multicast

8A96–8A97 – – Invisible Software
36864 9000 – – Loopback


174

36865 9001 – – 3Com (Bridge) XNS
Sys Mgmt
36866 9002 – – 3Com (Bridge) TCP–
IP Sys
36867 9003 – – 3Com (Bridge) loop
detect
65280 FF00 – – BBN VITAL–
LanBridge cache
FF00–FF0F – – ISC Bunker Ramo
65535 FFFF – – Reserved

• Frame Length. Indicates the data length of the frame.
• DSAP (Destination Service Access Point). Defines the destination protocol of the frame.
• SSAP (Source Service Access Point). Defines the source protocol of the frame.
• DSAP/SSAP AA. Indicates this is a SNAP frame.
• CTRL. Control field.
• Ethernet Type. Indicates the data length of the frame.
• Frame Data. Indicates the data carried in the frame, based on the type latent in the Frame
Type field.
• Cyclic Redundancy Check (CRC). Helps detect transmission errors. The sending station
computes a frame value before transmission. Upon frame retrieval, the receiving station must
compute the same value based on a complete, successful transmission.
The chart in Figure 6.5 lists the Ethernet option specifications as they pertain to each topology, data
transfer rate, maximum segment length, and media type. This chart can serve as a quick reference

during cable breakout design.


175


Figure 6.5 Ethernet option specifications for cable design.


Figure 6.6 The Token Frame format.
Token Ring
For quick frame resolution reference during sniffer capture analyses, refer to the two Token Ring
frame formats, Token Frame and Data/Command Frame, shown in Figures 6.6 and 6.7, respectively.
A Token Frame consists of Start Delimiter, Access Control Byte, and End Delimiter fields, described
here:
• Start Delimiter. Announces the arrival of a token to each station.
• Access Control. The prioritization value field:
• 000 Normal User Priority
• 001 Normal User Priority
• 010 Normal User Priority
• 011 Normal User priority
• 100 Bridge/Router
• 101 Reserved IBM
• 110 Reserved IBM
• 111 Station Management
• End Delimiter. Indicates the end of the token or data/command frame.


176


The Data/Command Frame format is composed of nine fields, defined in the following list.
• Start Delimiter. Announces the arrival of a token to each station.
• Access Control. The prioritization value field:
• 000 Normal User Priority
• 001 Normal User Priority

Figure 6.7 The Data/Command Frame format.
• 010 Normal User Priority
• 011 Normal User priority
• 100 Bridge/Router
• 101 Reserved IBM
• 110 Reserved IBM
• 111 Station Management
• Frame Control. Indicates whether data or control information is carried in the frame.
• Destination Address. A 6-byte field of the destination node address.
• Source Address. A 6-byte field of the source node address.
• Data. Contains transmission data to be processed by receiving station.
• Frame Check Sequence (FCS). Similar to a CRC (described in Chapter 3), the source
station calculates a value based on the frame contents. The destination station must
recalculate the value based on a successful frame transmission. The frame is discarded if the
FCS of the source and destination do not match.
• End Delimiter. Indicates the end of the Token or Data/Command frame.
• Frame Status. A 1-byte field specifying a data frame termination, and address-recognized
and frame-copied indicators.
Token Ring and Source Route Bridging
When analyzing Token Ring source route bridging (SRB) frames, it is important to be able to
understand the frame contents to uncover significant route discovery information. To get right down
to it, in this environment, each source station is responsible for preselecting the best route to a
destination (hence the name source route bridging). Let’s investigate a real-world scenario and then
analyze the critical frame components (see Figure 6.8).

Assuming that Host A is required to preselect the best route to Host B, the steps are as follows:
1. Host A first sends out a local test frame on its local Ring 0×25 for Host B. Host A assumes
that Host B is local, and thus transmits a test frame on the local ring.
2. Host A sends out an explorer frame to search for Host B. No response from Host B triggers
Host A to send out an explorer frame (with the first bit in MAC address or multicast bit set to
1) in search for Host B. Each bridge will forward a copy of the explorer frame. As Host B
receives


177


Figure 6.8 Token Ring source route bridging scenario.
• each explorer, it will respond by adding routes to the frame from the different paths the
particular explorer traveled from Host A.
3. Host A has learned the different routes to get to Host B. Host A will receive responses from
Host B with two distinct routes:
• Ring 0×25 to Bridge 0×A to Ring 0×26 to Bridge 0×B to Ring 0×27 to Host B
• Ring 0×25 to Bridge 0×C to Ring 0×28 to Bridge 0×D to Ring 0×27 to Host B
Communication will begin, as Host A knows how to get to Host B, typically choosing the first route
that was returned after the explorer was released. In this case, the chosen router would be Route 1:
Ring 0×25 to Bridge 0×A to Ring 0×26 to Bridge 0×B to Ring 0×27 to Host B.
Let’s examine two significant fields of our new Token Ring frame, shown in Figure 6.9, and defined
here:
• Route Information Indicator (RII). When this bit is turned on (set to 1), it indicates that the
frame is destined for another network, and therefore includes a route in the Route Information
Field (RIF).

Figure 6.9 New Token Ring Frame format.
• Route Information Field (RIF). The information within this field is critical, as it pertains to

the route this frame will travel to reach its destination. Let’s examine the RIF subfields and
then compute them in our previous example in Figure 6.10.