Hackernoon logoDeciding on what to do with a packet by@AaronKalair

Deciding on what to do with a packet

Aaron Kalair Hacker Noon profile picture

@AaronKalairAaron Kalair

Operations and Internal Tooling Engineer

When one device wants to send a packet to another, it has two options:

  1. If the recipient is on the same subnet, it can send the packet directly to them, it just needs to workout what the recipients MAC address is.
  2. If the recipient is on another subnet it will pass the packet onto a device that can forward it to its destination.

Option 1

The first thing the sending device needs to workout is, is the recipient on the same subnet as me?

To do this it uses the IP address and netmask that were defined when the interface was configured to workout the range of addresses that are on the same subnet as it.


eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
inet netmask broadcast
ether b8:27:eb:28:f5:e0 txqueuelen 1000 (Ethernet)

Using one of the various tools we can workout that this means, any IP in the range– are on the same subnet as us

If we know that a recipient is on the same subnet as us then we need to find out its MAC address, this is done using ARP requests.

The Address Resolution Protocol (ARP) is a protocol for mapping IP addresses to MAC addresses.

A device can issue an ARP request that asks, “Who has IP address X?”, this is sent to the broadcast address, meaning it’s delivered to every device on the subnet.

All the recipients inspect the message and discard the message unless they own the IP address in question. The owner of the IP address replies saying “IP address X is at MAC address Y”.

This response is normally then cached so that next time the sender doesn’t need to perform the lookup again.

We can generate some packets using ping and see what happens with WireShark

[email protected]:~$ ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=1.96 ms
64 bytes from icmp_seq=2 ttl=64 time=0.932 ms is on the same subnet as and so the first step is to issue an ARP request to find the MAC address of sees the ARP request is for itself, and responds indicating that the MAC address corresponding to that IP is it’s own.

Now the sender knows the MAC address of the recipient it can package up the message and send it to the recipient.

Option 2

If the sender determines the recipient isn’t on the same subnet, it needs to pass the message onto someone else who can get it to the destination.

Route tables provide information on where to send packets depending on their destination.

More specific routes are preferred over more general and there’s normally a default route for packets that match none of rules.

The ip route command on Linux shows the systems route table

router:~ $ ip route
default via dev wlan0 via dev eth2
nexthop dev eth0 weight 1
nexthop dev eth1 weight 1 dev wlan0 proto kernel scope link src

This shows that:

  • Any packets destined for the subnet gets sent out of the wlan0 interface which is directly connected to that subnet (there’s no via keyword) and so the device will lookup the destinations MAC address and pass the packet directly onto the matching device.
  • Any packets destined for get sent out of either interface eth0 or eth1, which are directly connected to the device. The route chosen depends on the Linux kernel version and how it implements Equal Cost Multipath (ECMP) Routing.
  • Any packets destined for with the exception of those destined for (as they have a more specific route which overrides this one) gets sent to the device at out of interface eth2 which can forward them on to their destination (the via keyword indicates this is an intermediate hop) and so an ARP request will be issued out of eth2 to lookup the MAC address of the device at the packet will simply be passed onto the device for forwarding to the destination.
  • Finally if none of these routes match your packet the default rule sends them to via the wlan0interface for forwarding to their destination.

We can build a simpler network, our own router and connect devices on different subnets to it, to illustrate how this works with Wireshark.

On our router (A)

[email protected]:~ $ sudo ip route dev eth2 proto kernel scope link src dev eth1 scope link

This router connects networks B and C which feature devices in the range and respectively which are reachable out of eth2and eth1. For simplicity we’ll concentrate on talking to a single device on these networks ( and ) but B and C could be switch connecting multiple devices.

On device B (

[email protected]:~ $ sudo ip route dev eth0 scope link via dev eth0

This device has a direct connection to the network out of the eth0 interface, and can reach the network via

On device C (

[email protected]:~ $ sudo ip route via dev eth0 dev eth0 scope link

This device has a direct connection to the network out of the eth0 interface, and can reach the network via

Now with Wireshark we can see them in action, lets send a request from Device B to C


Device B see’s that it has a route for via dev eth0 so it first issues an ARP request out of eth0 to find the MAC address of

It then attempts to establish a TCP connection to the destination ( and sends the packet to the router at by placing it’s MAC address as the destination.

The router, receives the packet and see’s that it can reach with the route dev eth1

It then issues an ARP request on eth1 to find the MAC address of

It places the MAC Address it just learnt as the destination, and forwards the packet to its destination.

Over at device C it then receives the packet and sends a reply back to device A. It consults its own route tables to find a route for can be reached via the eth0 interface, via dev eth0

It already has the MAC address of cached from before, so doesn’t need to issue an ARP request and simply places the cached MAC address as the destination.

The router will then repeat the process in reverse and forward the reply back to the sender!

And that’s it, with enough interconnected routers you can route packets between any networks you like.


Join Hacker Noon

Create your free account to unlock your custom reading experience.