Data Link Layer

A layer that enables data transmission between two nodes on the same network.

Ethernet Protocol

A set of rules governing the communication and exchange of data between two nodes on the same network

Framing: a technique that divides a data stream into smaller parts
Physical addressing: a technique that adds (encapsulates) the source and destination's MAC address to each frame
Error control: a technique that detects and corrects the error (If possible)
Flow controls: a technique that synchronizes the receiving and sending speed between nodes
Access control: a technique that allows multiple devices to use the same communication channel

Two sub-layers

Logical Link Control
- Multiplexing
  - A technique that combines multiple data streams over a single medium
- De-multiplexing
  - A technique that reverts one input data signal back to multiple data streams
- Flow control
  - A technique that manages how much data it can transmit between the sender and receiver
- Error detection
  - A technique that checks whether the receiver has received correct data or not
Media Access Control and its primary purpose is framing

Bridge

A device that has 2 ports and forwards data packets between devices (Uses MAC addresses and stores that in a lookup table)

L2 Switch

A device that has more than 2 ports and forwards data packets between devices (Uses MAC addresses and stores that in a lookup table)

Physical Segmentation

Physically divide a large network into smaller networks

Logical Segmentation

Logically divide a large network into smaller networks (This type of segmentation is software-based)

Media Access Control Address (MAC Address)

A 12-digit hexadecimal number assigned to the network interface card (A physical address used to identify devices). You can find the manufacturer of a device by its MAC Address

Examples

00:11:22:AA:CC:DD
0011.22AA.CCDD
00-11-22-AA-CC-DD

Cyberattacks

ARP Poisoning
- A cyberattack where a threat actor sends malicious ARP over a local area network (LAN) to link a threat actor’s MAC address with a legitimate device IP on the network (In case of man in the middle, the packet is sent to the default gateway and the victim)
Spanning Tree Attack
- A threat actor plugs a rouge L2 switch and manipulates other devices' priority value; all traffic goes to the threat actor device
VLAN Hopping
- Switch Spoofing
  - A threat actor plugs a rouge L2 switch to a mis-configured network, the rouge L2 switch forms an unauthorized trunk connection and gains access to the VLAN
- Double Tagging
  - A threat actor modifies the Ethernet frames tags, which allows packets to be sent through any VLAN
DHCP Snooping
- A threat actor plugs a rouge DHCP server and issues IPs to the end users

PCAP Example

The python web server uses the default network interface that has a specific MAC address

from http.server import SimpleHTTPRequestHandler
from socketserver import TCPServer
from io import BytesIO
from gzip import GzipFile
from datetime import datetime
from contextlib import suppress

with suppress(Exception):
    from netifaces import gateways, ifaddresses, AF_INET, AF_LINK
    print("The default network interface is: ",gateways()['default'][AF_INET][1])
    print("The default network interface mac address is: ",ifaddresses(gateways()['default'][AF_INET][1])[AF_LINK])

class Server(SimpleHTTPRequestHandler):
    def do_GET(self):
        compressed = False
        content = b'<HTML><h1>Hello World!</h1></HTML>'
        if len(content) > 0:
            if 'accept-encoding' in self.headers:
                if 'gzip' in self.headers['accept-encoding']:
                    bytes_ = BytesIO()
                    with GzipFile(fileobj=bytes_, mode='w', compresslevel=5) as f:
                        f.write(content)
                        f.close()
                        content = bytes_.getvalue()
                        compressed = True
        self.send_response(200)
        if compressed:
            self.send_header('content-encoding', 'gzip')
        self.send_header('content-length', len(content))
        self.end_headers()
        self.wfile.write(content)

    def log_message(self, format, *args):
        print("[{}] - {}:{} - {} {}".format(datetime.now().strftime("%m/%d/%Y %H:%M:%S"), self.client_address[0],self.client_address[1],args[0],args[1]))

TCPServer(('0.0.0.0', 80), Server).serve_forever()

Clint/Server IP Addresses

The MACs are added to each packet

Layer	Protocol	PDU	Info	Ports	IPs	MACs
Transport Layer	TCP	Segments	3 Way handshake Process (SYN)	Src Port: 35310 Dst Port: 80
Network Layer	IP	Packets	3 Way handshake Process (SYN)	Src Port: 35310 Dst Port: 80	Src IP: 10.0.0.3 Dst IP: 10.0.0.2
Data Link Layer	Ethernet	Frames	3 Way handshake Process (SYN)	Src Port: 35310 Dst Port: 80	Src IP: 10.0.0.3 Dst IP: 10.0.0.2	Src MAC: bc:35:db:cf:1b:03 Dst MAC: bc:f2:b8:57:86:02
Physical Layer	Coax	Bits	01001000 01010100 01010100	01001000 01010100	01001000 01010100	01001000 01010100