We all know the experience of surfing the Internet with a web browser, receiving and sending emails etc., but what happens under the hood? We’ll try to explain some of that here. At least enough to understand the terms and concepts used by Little Snitch.
What is a connection?
We’re talking about network connections over and over again, so it’s time to explain the term. We’ll use an analogy, the telephone call. Imagine you have something you want to tell a friend and you decide to make a phone call. What happens?
- You choose your friend’s name from your contacts database. The database stores a number. Let’s assume you call your friend at work in a big company where the company has a phone number and each employee can be reached on an extension number. Your contacts database stores both, the phone number and the extension.
- You instruct your phone to call this number.
- Your friend’s phone rings and your friend answers the call.
- After a short greeting, you tell your friend the important news. Your friend responds and you talk for a while.
- One of the parties ends the call.
A network connection is roughly the same thing, just with data being exchanged instead of voice. Imagine an application on computer A wants to send data to an application on computer B:
- The application looks up the name of computer B in a global database (the Domain Name System (DNS)) and receives an Internet address (similar to the phone number of a big company). It somehow obtains the port number used by the application on computer B (similar to the extension number in our phone example). The port number may be well known (like many companies use the same extension for FAX) or it may be obtained from another database or negotiated in a previous communication.
- The application initiates the connection to this Internet address and port.
- Computer B receives the port number and checks whether a program is listening for this port. It finds the desired recipient and forwards the connection attempt to the application.
- The application on computer B accepts the connection.
- The applications usually exchange greetings and then data. There are no rules for who begins the conversation and who ends it.
- One of the two applications shuts down the connection.
How can we identify a connection?
While the important parameters of a phone call are the calling number and the called number (including any extensions) and who initiated the call (for billing purposes). The relevant information for network connections consists of the two Internet addresses and two port numbers and who established the connection.
Although this is true from the network’s point of view, Little Snitch goes beyond that. It does not only want to know the numbers, it wants to know names for the calling and called party. It therefore describes connections with the following information:
- Whether your computer initiated the connection (outgoing) or the other computer (incoming).
- The process (application or system service) communicating. We store it instead of the local Internet address and port number because it has more meaning to the user.
- The Internet address of the remote computer.
- The protocol used.
- The port number on the remote computer for outgoing connections or the port number on your own computer for incoming connections. Port numbers are usually hidden from the user, only shown on request.
- The name of the remote computer, if it can be uniquely determined.
Is all of the Internet connection based?
No. There are connection based and connectionless protocols. Here’s a list of the protocols you are likely to encounter:
- TCP (Transmission Control Protocol) — Most of the Internet uses this protocol. It is connection based and supports port numbers. In fact, our example above explains TCP. TCP is used for web pages (http and https), email and much more.
- UDP (User Datagram Protocol) — This protocol is often used for realtime multimedia data like videos or Voice-Over-IP. It has no concept of connections, but supports port numbers. In our telephone analogy, it is similar to sending SMS. UDP is used for computer name lookups, some file sharing protocols like Bittorrent, clock synchronization, Internet telephony and much more.
- ICMP (Internet Control Message Protocol) — This protocol is connectionless and does not support ports. It is rarely used by applications. Most of it is used by the computer’s operating system to manage other protocols like TCP and UDP. There’s one exception to this general rule: The
pingTerminal command uses ICMP to test whether a particular computer can be reached. Most of the ICMP data you see in Little Snitch is from ping requests.
Although not all protocols used over Internet are connection-based, Little Snitch can use the same set of parameters for all the protocols mentioned above. Since ICMP does not use ports, port numbers are set to zero for this protocol.
Let’s bring this to life
With the information explained above, we can follow a real-world example: What happens, when a web page is opened in a browser:
- You enter
http://www.obdev.at/index.htmlinto the address field of a web browser and type Enter.
- The browser dissects the URL into a schema (
http://), a hostname (
www.obdev.at) and a document path (
- The browser resolves the hostname
www.obdev.atto an Internet address. It uses the Domain Name System (DNS) for this purpose and receives the numeric address
- From the schema, the web browser knows that we want to connect to the
httpservice. This is a well known service and the Internet Assigned Numbers Authority (IANA) has assigned the port number 80 to this service.
- The web browser has obtained a remote IP address and remote port number now. That’s enough to establish a connection. The operating system supplements your computer’s IP address and a random local port number to this information and establishes a Transmission Control Protocol (TCP) connection.
- The remote computer (server) accepts the connection.
- The web browser sends the string
GET /index.html HTTP/1.0to the server. (Our example uses a very old web browser for simplicity. Today’s web browsers use HTTP 1.1 requests.)
- The server responds with the page content on the same connection.
- The server closes the connection.
- Your web browser can now render the page and repeat the procedure for resources referenced by the page such as images.
Was this help page useful? Send feedback.
© 2016-2019 by Objective Development Software GmbH