Thursday, November 26, 2009

Net Bios

NetBIOS
Definition: NetBIOS is a software protocol for providing computer communication services on local networks. Microsoft Windows uses NetBIOS on Ethernet or Token Ring networks.
Software applications on a NetBIOS network locate each other via their NetBIOS names. A NetBIOS name is up to 16 characters long and in Windows, separate from the computer name. Applications on other computers access NetBIOS names over UDP port 137. The Windows Internet Naming Service (WINS) provides name resolution services for NetBIOS.
Two applications start a NetBIOS session when one (the client) sends a command to "Call" another (the server) over TCP port 139 on a remote computer. Both sides issue "Send" and "Receive" commands to deliver messages in both directions. The "Hang-Up" command terminates a NetBIOS session.
NetBIOS also supports connectionless communications via UDP datagrams. Applications listen on UDP port 138 to receive NetBIOS datagrams.
NetBIOS and NetBEUI are separate but related technologies. NetBEUI extends NetBIOS with additional networking capabilities.
Also Known As: Network Basic Input/Output System

Host name
A Windows machine's NetBIOS name is not to be confused with the computer's host name. Generally a computer running TCP/IP (whether it's a Windows machine or not) has a host name (also sometimes called a machine name or a DNS name). Generally the host name of a Windows computer is based on the NetBIOS name plus the Primary DNS Suffix, which are both set in the System Control Panel.
There may also be "connection specific suffixes", which can be viewed or changed on the DNS tab in Control Panel → Network → TCP/IP → Advanced Properties. Host names are used by applications such as telnet, ftp, web browsers, etc. In order to connect to a computer running the TCP/IP protocol using its host name, the host name must be resolved into an IP address. Resolution of a host name or Fully Qualified Domain Name (FQDN) to an IP address is typically done by a Domain Name System (DNS) server.
Node types
The node type of a networked computer relates to the way it resolves NetBIOS names to IP addresses. There are four node types.
• B-node: 0x01 Broadcast
• P-node: 0x02 Peer (WINS only)
• M-node: 0x04 Mixed (broadcast, then WINS)
• H-node: 0x08 Hybrid (WINS, then broadcast)
The node type in use is displayed by opening a command line and typing ipconfig /all. A Windows computer registry may also be configured in such a way as to display "unknown" for the node type.
NetBIOS Suffixes
The NetBIOS suffix, alternatively called the NetBIOS End Character (endchar), is the 16th character of a NetBIOS name. This character specifies the record or service type for the registered name record. The number of record types is limited to 255, the number that will fit into a single character. However, in actual use the number of commonly used NetBIOS suffixes is substantially smaller. The most common NetBIOS suffixes:
ASCII Values of 16th characters of NetBIOS "names"
• 00: Workstation Service
• 03: Messenger Service
• 20: File Service (also called Host Record)
• 1B: Domain Master Browser - Primary Domain Controller for a domain
• 1C: Domain Controllers for a domain (group record with up to 25 IP addresses)
• 01: Master Browser
• 1E: Browser Service Elections

Remote Network Penetration via NetBios Hack/Hacking

These are basic techniques, but they are very useful when penetration testing any Windows-based network. The techniques were discovered on WinNT but are still valid on Windows 2000 and, in some cases, Windows 2003 due to backwards compatibility.

This article is being written in a procedural manner. I have approached it much like an intruder would actually approach a network penetration. Most of the techniques discussed in this text are rather easy to accomplish once one understands how and why something is being done.

When targeting a given network, the first thing an intruder would do is portscan the remote machine or network. A lot of information can be gathered by a simple port scan, but what the intruder is looking for is an open port 139, the default NetBIOS port. It's surprising how methodical an attack can become based on the open ports of a target machine. You should understand that it is the norm for an NT machine to display different open ports than a Unix machine.

Intruders learn to view a portscan and tell whether it is an NT or Unix machine with fairly accurate results. Obviously there are some exceptions to this, but generally it can be done.

Recently, several tools have been released to fingerprint a machine remotely, but this functionality has not been made available for NT.

Information gathering with NetBIOS can be a fairly easy thing to accomplish, albeit a bit time consuming. NetBIOS is generally considered a bulky protocol with high overhead and tends to be slow, which is where the consumption of time comes in.

If the portscan reports that port 139 is open on the target machine, a natural process follows. The first step is to issue an NBTSTAT command.

The NBTSTAT command can be used to query network machines concerning NetBIOS information. It can also be useful for purging the NetBIOS cache and preloading the LMHOSTS file. This one command can be extremely useful when performing security audits.

Interpreting the information can reveal more than one might think.

Usage: nbtstat [-a RemoteName] [-A IP_address] [-c] [-n] [-R] [-r] [-S] [-s] [interval]

Switches
   -a    Lists the remote computer's name table given its host name.
   -A    Lists the remote computer's name table given its IP address.
   -c    Lists the remote name cache including the IP addresses.
   -n    Lists local NetBIOS names.
   -r    Lists names resolved by broadcast and via WINS.
   -R    Purges and reloads the remote cache name table.
   -S    Lists sessions table with the destination IP addresses.
   -s    Lists the sessions table, converting destination IP addresses to NetBIOS names.

The column headings generated by NBTSTAT have the following meanings:

Input
     Number of bytes received.
Output
     Number of bytes sent.
In/Out
     Whether the connection is from the computer (outbound)
     or from another system to the local computer (inbound).
Life
     The remaining time that a name table cache entry will "live"
     before your computer purges it.
Local Name
     The local NetBIOS name given to the connection.
Remote Host
     The name or IP address of the remote host.
Type
     A name can have one of two types: unique or group.
     The last byte of the 16 character NetBIOS name often
     means something because the same name can be present
     multiple times on the same computer. This shows the last
     byte of the name converted into hex.
State
     Your NetBIOS connections will be shown in one of the
     following "states":

State              Meaning
Accepting          An incoming connection is in process.
Associated         The endpoint for a connection has been created and your
                   computer has associated it with an IP address.
Connected          This is a good state! It means you're connected to the
                   remote resource.
Connecting         Your session is trying to resolve the name-to-IP address
                   mapping of the destination resource.
Disconnected       Your computer requested a disconnect, and it is waiting
                   for the remote computer to do so.
Disconnecting      Your connection is ending.
Idle               The remote computer has been opened in the current
                   session, but is currently not accepting connections.
Inbound            An inbound session is trying to connect.
Listening          The remote computer is available.
Outbound           Your session is creating the TCP connection.
Reconnecting       If your connection failed on the first attempt, it will
                   display this state as it tries to reconnect.

Here is a sample NBTSTAT response of my NT Box:

C:\>nbtstat -A 195.171.236.139
 
       NetBIOS Remote Machine Name Table
 
   Name               Type         Status
---------------------------------------------
MR_B10NDE      <00>  UNIQUE      Registered
WINSEKURE LABS <00>  GROUP       Registered
MR_B10NDE      <03>  UNIQUE      Registered
MR_B10NDE      <20>  UNIQUE      Registered
WINSEKURE LABS <1e>  GROUP       Registered
 
MAC Address = 44-45-53-54-00-00
 
Using the table below, what can you learn about the machine?
 
Name                Number   Type   Usage
=========================================================================
<computername>      00       U      Workstation Service
<computername>      01       U      Messenger Service
<\\_MSBROWSE_>      01       G      Master Browser
<computername>      03       U      Messenger Service
<computername>      06       U      RAS Server Service
<computername>      1F       U      NetDDE Service
<computername>      20       U      File Server Service
<computername>      21       U      RAS Client Service
<computername>      22       U      Exchange Interchange
<computername>      23       U      Exchange Store
<computername>      24       U      Exchange Directory
<computername>      30       U      Modem Sharing Server Service
<computername>      31       U      Modem Sharing Client Service
<computername>      43       U      SMS Client Remote Control
<computername>      44       U      SMS Admin Remote Control Tool
<computername>      45       U      SMS Client Remote Chat
<computername>      46       U      SMS Client Remote Transfer
<computername>      4C       U      DEC Pathworks TCPIP Service
<computername>      52       U      DEC Pathworks TCPIP Service
<computername>      87       U      Exchange MTA
<computername>      6A       U      Exchange IMC
<computername>      BE       U      Network Monitor Agent
<computername>      BF       U      Network Monitor Apps
<username>          03       U      Messenger Service
<domain>            00       G      Domain Name
<domain>            1B       U      Domain Master Browser
<domain>            1C       G      Domain Controllers
<domain>            1D       U      Master Browser
<domain>            1E       G      Browser Service Elections
<INet~Services>     1C       G      Internet Information Server
<IS~computername>   00       U      Internet Information Server
<computername>      [2B]     U      Lotus Notes Server
IRISMULTICAST       [2F]     G      Lotus Notes
IRISNAMESERVER      [33]     G      Lotus Notes
Forte_$ND800ZA      [20]     U      DCA Irmalan Gateway Service

Unique (U): The name may have only one IP address assigned to it. On a network device, multiple occurrences of a single name may appear to be registered, but the suffix will be unique, making the entire name unique.

Group (G): A normal group; the single name may exist with many IP addresses.

Multihomed (M): The name is unique, but due to multiple network interfaces on the same computer, this configuration is necessary to permit the registration. Maximum number of addresses is 25.

Internet Group (I): This is a special configuration of the group name used to manage WinNT domain names.

Domain Name (D): New in NT 4.0.

An intruder could use the table above and the output from nbtstat against your machines to begin gathering information about them. With this information an intruder can tell, to an extent, what services are running on the target machine and sometimes what software packages have been installed. Traditionally, every service or major software package comes with its share of vulnerabilities, so this type of information is certainly useful to an intruder.

The next step for an intruder would be to try to list the open shares on the given computer using the net view command. Here is an example of the net view command used against my box, which has the open shares C:\ and C:\MP3S\:

C:\>net view \\195.171.236.139
Shared resources at \\195.171.236.139
 
Sharename    Type         Comment
-----------------------------------------------------------------
C            Disk         Drive C:\
MP3S         Disk         My collection of MP3s
The command was completed successfully.

This information would give the intruder a list of shares, which he would then use in conjunction with the net use command, a command that lets a computer map a share to a local drive letter. Below is an example of how an intruder would map the C share to a local G: drive, which he could then browse:

C:\>net use G: \\195.171.236.139\C
The command was completed successfully.
 
C:\>G:
 
G:\>

However, if the intruder was targeting a large network rather than a single remote computer, the next logical step would be to glean possible usernames from the remote machine.

A network login consists of two parts, a username and a password. Once an intruder has what he knows to be a valid list of usernames, he has half of several valid logins.

Now, using the nbtstat command, the intruder can get the login name of anyone logged on locally at that machine. In the results from the nbtstat command, entries with the <03> identifier are usernames or computer names. Gleaning usernames can also be accomplished through a null IPC session and the SID tools.
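As an added example (not part of the original article), here is a small Python script that does the suffix lookup the table above describes, written from the auditing side: it parses the name table that nbtstat -A prints for one of your own hosts and reports what the registered names reveal, including the <03> user entries just mentioned. The sample input is the article's own name table with a constructed JSMITH <03> entry and the placeholder address 192.0.2.10 added.

```python
import re

# 16th-byte suffixes and the services they denote, taken from the tables on this page.
SUFFIXES = {
    0x00: "Workstation Service (unique) / Domain Name (group)",
    0x01: "Messenger Service (unique) / Master Browser (group)",
    0x03: "Messenger Service",
    0x06: "RAS Server Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
    0x1F: "NetDDE Service",
    0x20: "File Server Service",
    0x21: "RAS Client Service",
    0xBE: "Network Monitor Agent",
    0xBF: "Network Monitor Apps",
}

# One row of the "NetBIOS Remote Machine Name Table": name (may contain spaces,
# at most 15 characters), <suffix> in hex, UNIQUE/GROUP, status.
ROW = re.compile(
    r"^\s*(?P<name>\S.{0,14}?)\s+<(?P<suffix>[0-9A-Fa-f]{2})>\s+"
    r"(?P<type>UNIQUE|GROUP)\s+(?P<status>\w+)\s*$"
)
MAC = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


def parse_nbtstat(text):
    """Return (records, mac); records are (name, suffix, type, status) tuples."""
    records, mac = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            records.append((m.group("name"), int(m.group("suffix"), 16),
                            m.group("type"), m.group("status")))
            continue
        m = MAC.search(line)
        if m:
            mac = m.group(1)
    return records, mac


def summarize(records):
    """Read the name table the way the article does, for auditing your own hosts."""
    computer = next((n for n, s, t, _ in records if s == 0x00 and t == "UNIQUE"), None)
    domain = next((n for n, s, t, _ in records if s == 0x00 and t == "GROUP"), None)
    suffixes = {s for _, s, _, _ in records}
    return {
        "computer": computer,
        "domain": domain,
        # <20> means the File Server service is registered, so shares may be reachable on port 139.
        "file_sharing": 0x20 in suffixes,
        # <1B> and <1C> are registered by domain controllers.
        "domain_controller": bool(suffixes & {0x1B, 0x1C}),
        "browser_elections": 0x1E in suffixes,
        # A unique <03> name that is not the computer name is a logged-on user.
        "logged_on_users": sorted({n for n, s, t, _ in records
                                   if s == 0x03 and t == "UNIQUE" and n != computer}),
        "services": sorted(SUFFIXES.get(s, "unknown <%02X>" % s) for s in suffixes),
    }


def audit(text):
    records, mac = parse_nbtstat(text)
    result = summarize(records)
    result["mac"] = mac
    return result


# Constructed sample: the article's table plus a JSMITH <03> row; 192.0.2.10 is a placeholder.
SAMPLE = """\
C:\\>nbtstat -A 192.0.2.10

       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
MR_B10NDE      <00>  UNIQUE      Registered
WINSEKURE LABS <00>  GROUP       Registered
MR_B10NDE      <03>  UNIQUE      Registered
JSMITH         <03>  UNIQUE      Registered
MR_B10NDE      <20>  UNIQUE      Registered
WINSEKURE LABS <1e>  GROUP       Registered

MAC Address = 44-45-53-54-00-00
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```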

The IPC$ (Inter-Process Communication) share is a standard hidden share on an NT machine which is mainly used for server to server communication. NT machines were designed to connect to each other and obtain different types of necessary information through this share. As with many design features in any operating system, intruders have learned to use this feature for their own purposes. By connecting to this share an intruder has, for all technical purposes, a valid connection to your server. By connecting to this share as null, the intruder has been able to establish this connection without providing it with credentials.

To connect to the IPC$ share as null, an intruder would issue the following command from a command prompt:

c:\>net use \\[ip address of target machine]\ipc$ "" /user:""

If the connection is successful, the intruder could do a number of things other than gleaning a user list, but let's start with that first. As mentioned earlier, this technique requires a null IPC session and the SID tools. Written by Evgenii Rudnyi, the SID tools come in two different parts, User2sid and Sid2user. User2sid will take an account name or group and give you the corresponding SID. Sid2user will take a SID and give you the name of the corresponding user or group. As a stand-alone tool, this process is manual and very time consuming. Userlist.pl is a perl script written by Mnemonix that will automate this process of SID grinding, which drastically cuts down on the time it would take an intruder to glean this information.

At this point, the intruder knows what services are running on the remote machine, which major software packages have been installed (within limits), and has a list of valid usernames and groups for that machine. Although this may seem like a ton of information for an outsider to have about your network, the null IPC session has opened other venues for information gathering. The Rhino9 team has been able to retrieve the entire native security policy for the remote machine.

Such things as account lockout, minimum password length, password age cycling, password uniqueness settings as well as every user, the groups they belong to and the individual domain restrictions for that user – all through a null IPC session. This information gathering ability will appear in Rhino9’s soon to be released Leviathan tool. Some of the tools available now that can be used to gather more information via the IPC null session will be discussed below.

With the null IPC session, an intruder could also obtain a list of network shares that may not otherwise be obtainable. For obvious reasons, an intruder would like to know what network shares you have available on your machines. For this information gathering, the standard net view command is used, as follows:

c:\>net view \\[ip address of remote machine]

Depending on the security policy of the target machine, this list may or may not be denied. Take the example below (ip address has been left out for obvious reasons):

C:\>net view \\0.0.0.0
System error 5 has occurred.
 
Access is denied.
 
C:\>net use \\0.0.0.0\ipc$ "" /user:""
The command completed successfully.
 
C:\>net view \\0.0.0.0
Shared resources at \\0.0.0.0
 
Share name   Type         Used as  Comment
 
---------------------------------------------------------------------
Accelerator  Disk                  Agent Accelerator share for Seagate backup
Inetpub      Disk
mirc         Disk
NETLOGON     Disk                  Logon server share
www_pages    Disk
The command completed successfully.

As you can see, the list of shares on that server was not available until after the IPC null session had been established. At this point you may begin to realize just how dangerous this IPC connection can be, but the IPC techniques that are known to us now are actually very basic. The possibilities that are presented with the IPC share are just beginning to be explored.


Friday, November 13, 2009

Multiplexing

MULTIPLEXING

Multiplexing is the process where multiple channels are combined for transmission over a common transmission path.

There are two types of multiplexing techniques:

  • FDM (Frequency Division Multiplexing)
  • TDM (Time Division Multiplexing)

WDM: Wavelength Division Multiplex and Multiplexer


In fiber-optic communications, wavelength-division multiplexing (WDM) is a technology which multiplexes multiple optical carrier signals on a single optical fiber by using different wavelengths (colors) of laser light to carry different signals. This allows for a multiplication in capacity, in addition to enabling bidirectional communications over one strand of fiber. This is a form of frequency division multiplexing (FDM) but is commonly called wavelength division multiplexing.

"Wavelength Division Multiplexing (WDM) is a technique in which multiple signals are carried together as separate wavelengths (colors) of light in a multiplexed signal".

WDM is used in optical fiber networks. WDM and FDM (Frequency Division multiplex) are both based on the same principles but WDM applies to wavelengths of light in optical fiber while FDM is used in electrical analog transmission. A WDM optical system using a diffraction grating is completely passive, unlike electrical FDM, and thus is highly reliable. Further, a carrier wave of each WDM optical channel is higher than that of an FDM channel by a million times in frequency (THz versus MHz).

A Wavelength Division Multiplexer is a device that combines optical signals from multiple different single-wavelength end devices onto a single fiber. A Wavelength Division Multiplexer carries two to four wavelengths per fiber. The original WDM systems were dual-channel 1310/1550 nm systems. Typically, the same device can also perform the reverse process with the same WDM techniques: decompose the data stream carrying multiple wavelengths into multiple single-wavelength data streams, a process called de-multiplexing. Therefore, it is very common for a Wavelength Division Multiplexer and De-multiplexer to be in the same box.



Time division multiplexing samples a number of different information channels sequentially for transmission on a single carrier. Frequency division multiplexing generally involves summing a multitude of independent sub-carrier frequencies, each with its retinue of modulation sidebands. In polarization division multiplexing, two different information signals are modulated onto carriers of the same frequency, which are propagated with their electrostatic fields oriented orthogonally. Wavelength division multiplexing incorporates independently modulated carriers of different frequencies sharing a common transmission medium. It is this latter technique to which the present study directs itself.




Figure 1 depicts a traditional fiber optic wavelength division multiplexing scheme. Three infrared sources (lasers or light emitting diodes-LEDs) of different wavelengths are modulated independently with their respective channel intelligence. Although any number of optical carrier frequencies might be used, common practice is to generate carriers at wavelengths typically near 850, 1300, and 1550 nm.

As you can see in Figures 2 and 3, these wavelengths represent low-loss windows for typical single-mode glass fiber. Optical star couplers combine the three modulated carriers onto a single glass or plastic light pipe. At the receive end of the fiber, couplers split the output beam into three identical components, each containing elements of all three signals. Bandpass filters at the coupler outputs let each of three photodetectors "see" and respond to a single carrier frequency. De-multiplexing could be achieved as readily using wavelength-selective couplers.


Thursday, November 12, 2009

Edit PDF File

How to Edit PDF Files

The PDF file format was originally created by Adobe in the early ’90s and there are now over 450 million PDF documents on the Internet according to Google. Compare this with the DOC format that was created in the early ’80s (well before PDF) but there are only 75 million .doc files on the web today.

Why PDF Files are Popular:
There are several reasons why PDF files are so popular for exchanging all sorts of documents including presentation portfolios, CAD Drawings, invoices and even legal forms.

#1. PDF files are generally more compact (smaller in size) than the source document and they easily preserve the original formatting. You can open a PDF file, that was created using a Windows PC, on a Mac or a Linux machine and your document will still look the same everywhere.

#2. Unlike Word and other popular document formats, the contents of a PDF file cannot be modified easily. You can also prevent other users from printing a physical copy of your PDF document.

#3. And the biggest advantage -- you can view PDF files on almost any computer (or mobile phone) using the web browser or with the help of free software like Adobe Acrobat Reader.
Edit PDF Files with Free Alternatives to Adobe Acrobat

While PDF Files are “read only” by default, there are ways by which you can edit certain elements* of a PDF document for free without requiring the source files or any of the commercial PDF editing tools.

[*] This article will primarily focus on tools that let you alter the actual contents of a PDF file. If you are looking to manipulate the PDF file structure itself like rearranging pages or merging multiple PDFs into one, please refer to the previous Adobe PDF Guide.

1. Online PDF Editor for Basic Tasks
There are situations when you need to make only minor changes in a PDF file. For instance, you want to hide your personal phone number from a PDF file before posting it on the web or want to annotate a page with sticky notes.



You can perform such edits pretty easily with PDF Escape, an online PDF editor that’s free and also lets you edit password-protected PDF documents in the browser.
With PDF Escape, you can hide* parts of a PDF file using the whiteout tool or add annotations with the help of custom shapes, arrows, text boxes and sticky notes. You can add hyperlinks to other PDF pages / web documents.

[*] Hiding is different from redaction because here we aren’t changing the associated metadata of a PDF file but just hiding certain parts of a PDF file by pasting an opaque rectangle over that region so that the content beneath the rectangle stays invisible.

2. Edit PDF Metadata (Author, PDF Title, etc.)
If you would like to edit the metadata associated* with a PDF document, check out Becy PDFMetaEdit. It’s a free utility that can help you edit details like the PDF document title, author name, creation date, keywords, etc. of any PDF file.





The tool can also be used for encrypting PDF documents such that only users who know the password can read the contents of your PDF files. And since this PDF metadata cum bookmarks editor can be executed from the command line, you can use it to update information in multiple PDF files in a batch.

[*] If you are planning to post your PDF files on the web, you should consider adding proper metadata to all the files as that will help improve the organic rankings of your PDF files in Google search results.

3. Edit Text in a PDF File

If you want to edit large amounts of text in a PDF file but don’t have access to the source documents, your best bet is that you convert the PDF file into an editable Word document or an Excel spreadsheet depending on the contents of the PDF.

Then edit these converted PDFs in Microsoft Office (or Google Docs) and export the modified files back into PDF format.

If your PDF document is mostly text, you may use the desktop version of Stanza to convert that PDF into a Word document, but if the document includes images, charts, tables and other complex formatting, try the online PDF to Word converter from BCL Research or the one from NitroPDF -- the former offers instant conversion while the latter service can take up to a day, though it yields more accurate results.

4. Advanced PDF Editing (Images, text, etc.)

Now that you know the basic tools, let’s look at another set of PDF editors that are again free but can help you do some more advanced editing with PDF documents. This refers to stuff like replacing images on a PDF file, adding signatures, removing blocks of text without breaking the flow of the document, etc.



PDF XChange is a free PDF viewer cum editor that you may use for typing text directly on any PDF page. PDF XChange also supports image stamps so you may use the tool for signing a PDF file or for inserting images anywhere on a PDF page.

Then you have Inkscape, a free vector drawing tool (like Adobe Illustrator) that can natively import and export PDF content.

Video Demo: Edit PDF Files with Inkscape

With Inkscape, you can select any object on a PDF page (including text, graphics, tables, etc.) and move them to a different location or even remove them permanently from the PDF file. You can also annotate PDF files with Inkscape or draw freehand on a page using the built-in pencil tool.

The next tool in the category of advanced PDF editors is OpenOffice Draw with the PDFImport extension. OpenOffice Draw supports inline editing so you can easily fix typos in a PDF document or make formatting related changes like replacing color, increasing or decreasing the text size, replacing the default font-family, etc.

Like Inkscape, the OpenOffice toolbox also includes support for annotations, shapes, images, tables, charts, etc. but here you have more choices and the software also looks less complex.

The OpenOffice suite is a little bulky (they don’t provide a standalone installer for Draw) but if you have the bandwidth, OpenOffice is the best tool for manipulating PDF documents when you don’t have the budget for Adobe Acrobat.

Monday, November 9, 2009

Data Encoding

Encoding is the process of transforming information from one format into another. The opposite operation is called decoding. Encoding is used in many digital devices.

There are a number of more specific meanings that apply in certain contexts:

  • Encoding (in cognition) is a basic perceptual process of interpreting incoming stimuli; technically speaking, it is a complex, multi-stage process of converting relatively objective sensory input (e.g., light, sound) into subjectively meaningful experience.

Data Encoding

This outlines basics of encoding analog or digital data using analog or digital signals.

Encoding signals

  • Basics - Fourier analysis of a periodic signal into harmonic components
    • Three parameters to a sinusoid function:
      • amplitude
      • frequency
      • phase
    • frequency and phase are "angle" parameters
    • varying these parameters over time allows encoding of a signal
  • Encoding signals -
    • analog/analog encoding (modulation)
      • rationales :
        • 1. necessity (may require high frequencies to transmit over medium)
        • 2. ability to use FDM
      • AM - Amplitude modulation
        • value of amplitude encodes modulating signal
        • increased amplitude of the modulating signal increases the output power, but not the bandwidth
        • DSBTC - double sideband transmitted carrier
          • Waveform:
            • s(t) = [1 + n_a x(t)] cos(2 pi f_c t), where
            • s(t) = output signal
            • x(t) = input signal (normalized)
            • f_c = carrier frequency
            • cos(2 pi f_c t) = carrier signal (normalized)
            • n_a = modulation index, ratio of the amplitude of the input signal to that of the carrier (so that the modulating signal n_a x(t) has amplitude < 1)
            • 1 = dc component to avoid loss of information (otherwise the peak negative amplitudes would cause the output signal to cross the axis)
          • multiply carrier signal by modulating signal plus a dc component to obtain output
          • output has redundancy in that the output is the sum of the carrier signal plus symmetric components spaced at f_m from the carrier frequency (where f_m is the modulating signal's frequency)
          • spectrum of AM signal is f_c +- spectrum of modulating signal: the upper sideband (above f_c) is the mirror image of the lower sideband (spectrum below f_c). Both are 1/2 power replicas of the original spectrum, with the lower sideband frequency-reversed.
          • Power transmitted P_t = P_c (1 + n_a^2/2), where P_c is the carrier power. Hence n_a should be as large as possible, so that most of the signal power carries information, while remaining < 1 (see the dc component above).
          • Bandwidth needed B_t = 2B_m, where B_m is original bandwidth
        • SSB - Single Sideband
          • Since the spectrum of the AM signal has redundant information in the two sidebands, and no information in the carrier signal, less power and less bandwidth can be used to transmit the same information by sending only one sideband. Half the bandwidth of DSBTC is used, and less power. Synchronization in the carrier signal is lost.
        • DSBSC - Double Sideband Suppressed Carrier
          • Less power is used since carrier is not sent, but the same bandwidth is used and carrier sync lost.
        • VSB - Vestigial Sideband
          • One sideband is transmitted, and a reduced-power carrier.
      • FM - Frequency modulation (a form of angle modulation)
        • time derivative of phase angle encodes modulating signal
        • Waveform:
          • s(t) = A_c cos[2 pi f_c t + phi(t)],
          • where phi'(t) = n_f m(t) is the derivative of the phase, and
          • A_c, f_c = carrier amplitude, frequency
          • m(t) = input modulating signal
        • Increased amplitude of input signal does not increase output power, but does increase bandwidth required.
        • Bandwidth required is, in theory, infinite, since the spectrum will contain components at f_c + K f_m for K=0,1,...
        • In practice, Carson's rule for FM says that B_t = 2[(n_f A_m)/(2 pi B_m) + 1] B_m
      • PM - Phase modulation (a form of angle modulation)
        • value of phase angle encodes modulating signal
        • Waveform:
          • s(t) = A_c cos[2 pi f_c t + n_p m(t)],
          • where n_p = the phase modulation index (to normalize n_p m(t) to the range 0..2 pi)
          • A_c, f_c = carrier amplitude, frequency
          • m(t) = input modulating signal
        • Bandwidth required is, in theory, infinite, since the spectrum will contain components at f_c + K f_m for K=0,1,...
        • In practice, Carson's rule for PM says that B_t = 2(n_p A_m + 1)B_m
      • PAM - pulse amplitude modulation
        • Thm: analog samples taken at more than twice the highest significant signal frequency will contain all the information of the original signal. The original signal may be reconstructed from the samples by use of a low-pass filter.
        • Bell's Dimension PBX products use this - analog samples are taken at twice the frequency of the signal, and only very short pulses reflecting these samples are transmitted.
    • analog/digital encoding (pulse code modulation, PCM)
      • PCM - pulses of PAM are quantized into discrete levels, then these levels are encoded in log2(# levels) bits and sent. Two choices: sampling rate and number of levels
        • Noise -
          • quantizing noise - the original signal cannot be recovered since the pulses have been quantized.
          • SNR = 6n + 1.8 dB, where n = #bits/sample
          • Non-linear encoding - reduces quantizing distortion of weak signals by having finer gradations of discrete levels at the lower signal power levels, and coarser at higher power.
          • Companding function - the same effect as non-linear encoding may be had by compressing the analog signal before digitizing and expanding it after decoding. The companding function will give greater gain to the weaker signals and less gain to strong signals.
      • Differential Encoding - only encode difference in signal rather than its absolute value
        • Delta Modulation (DM) - binary staircase function used to approximate the signal - on each time interval, either the staircase function goes up a quantum or down a quantum, (encoded as a 1 or a 0).
          • note: there is no limit on the amplitude of the signal encoded
          • note: similar to chain coding for contours in discrete 2-D.
          • Two choices : sampling rate and quantum size
          • Noise - two types: quantizing and slope overload
          • Large delta increases quantizing noise
          • Small delta increases slope overload noise
        • Predictive encoding - like DM, only use an extrapolated value for the point from which the difference is calculated. This is a generalized version of DM, with DM the special case where the predicted value is the same as the previous value, i.e., a zero-order (constant) extrapolation function is used. DM has problems with rapid changes in the first derivative; in general, PDM using an nth order predictive encoding will have problems with rapid changes in the (n+1)th derivative.
    • digital/analog encoding (shift keying)
      • ASK - V amplitude levels can encode lg V bits per signal unit
      • FSK - V frequency levels can encode lg V bits per signal unit
      • PSK/QPSK - V phases can encode lg V bits per signal unit. QPSK uses four phases offset 90 degrees.
      • QAM - Mixed PSK and ASK, use pairs (p,a) to describe signal units, where p is the phase and a is the amplitude. This can keep power requirements lower and discrimination better than either technique alone.
      • PPM - pulse position modulation. May be used with either analog or digital transmission to encode digital signals. The signal is divided into frames; each frame has N slots (plus some synchronization overhead every so often). In each frame, exactly one slot has a pulse in it (A ≠ 0); the other slots have A = 0 (no pulse). This allows lg N bits/frame to be encoded. It is useful when power requirements must be kept low and the transmission medium may be pulsed easily (e.g., lasers in deep-space communication).
    • digital/digital encoding
      • Needs - synch, no dc component
      • Evaluation
        • spectrum - max frequency (increased bandwidth requirement)
        • dc component (drift, direct coupling required)
        • synchronization
        • signal-based error-detection
        • susceptibility to interference (expressed as bit error rate)
        • cost/complexity
      • Methods
        • Level (L) - use same form to represent same bit value (1's always look the same, 0's always look the same)
        • Differential - use a change in signal element form to indicate a 1 (Mark or M), or a 0 (Space or S)
      • Examples -
        • NRZ-L: 1 = high, 0 = low
        • NRZ-M: 1 = transition at start of bit, 0 = no transition
        • NRZ-S: 1 = no transition, 0 = transition at start of bit
        • RZ: 1 = pulse to high, dropping back to low, 0 = low
        • bipolar: like NRZ except marks (1's) alternate polarity +1 -1 +1 (aka Bipolar AMI - alternate mark inversion) (sometimes the RZ technique is used) (note: this will be shown below using _ for 0, + for a positive pulse, and - for a negative pulse)
        • pseudoternary - like bipolar, only it is the spaces (0's) that alternate polarity
        • biphase-L (Manchester): always transition in middle of bit, 1 = high/low, 0 = low/high
        • differential Manchester: always transition in middle of bit, 1 = no transition, 0 = transition at start of bit
        • biphase-M: always transition at start of bit, 1 = transition in middle of bit, 0 = no transition
        • biphase-S: always transition at start of bit, 1 = no transition, 0 = transition in middle of bit
        • delay (Miller): 1 = transition in middle of bit, 0 = no transition if followed by a 1, transition at end of bit if followed by a 0
        • PPM - (see above under digital/analog encodings)
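The PCM and delta-modulation items above lend themselves to a small experiment. The following Python is an added example, not part of these notes: pcm_snr_db quantizes a full-scale sine (a constructed test signal) with a uniform quantizer of 2^n levels and measures the signal-to-quantizing-noise ratio, which can be set beside the SNR = 6n + 1.8 dB rule; dm_encode and dm_decode implement the binary staircase of delta modulation, and dm_max_error exposes the two noise types listed above, a step too small to follow a ramp (slope overload) and a step too large on a flat signal (quantizing noise). The function names and the two test signals are my own choices.

```python
import math


def pcm_snr_db(bits, n_samples=20000, freq=0.0123):
    """Quantize a full-scale sine (constructed test signal) with a uniform
    quantizer of 2**bits levels over [-1, 1] and return the measured
    signal-to-quantizing-noise ratio in dB, to set beside SNR = 6n + 1.8 dB."""
    levels = 2 ** bits
    step = 2.0 / levels
    sig_power = noise_power = 0.0
    for k in range(n_samples):
        x = math.sin(2 * math.pi * freq * k)
        idx = min(int((x + 1.0) / step), levels - 1)   # quantization bin 0..levels-1
        q = -1.0 + (idx + 0.5) * step                  # reconstruct at the bin centre
        sig_power += x * x
        noise_power += (x - q) ** 2
    return 10 * math.log10(sig_power / noise_power)


def dm_encode(samples, delta):
    """Delta modulation: a 1 means the staircase steps up by delta, a 0 means
    it steps down; the staircase starts at 0."""
    bits, y = [], 0.0
    for x in samples:
        if x > y:
            bits.append(1)
            y += delta
        else:
            bits.append(0)
            y -= delta
    return bits


def dm_decode(bits, delta):
    """Rebuild the staircase from the bit stream (what the receiver sees)."""
    out, y = [], 0.0
    for b in bits:
        y += delta if b else -delta
        out.append(y)
    return out


def dm_max_error(samples, delta):
    """Largest gap between the input and the reconstructed staircase."""
    recon = dm_decode(dm_encode(samples, delta), delta)
    return max(abs(x - y) for x, y in zip(samples, recon))


RAMP = [0.5 * i for i in range(20)]   # constructed: slope 0.5 per sample
FLAT = [0.0] * 20                     # constructed: no change at all


if __name__ == "__main__":
    for n in (4, 8):
        print(f"{n} bits: measured {pcm_snr_db(n):.1f} dB, rule {6 * n + 1.8:.1f} dB")
    print("ramp, delta 0.1 (slope overload):", dm_max_error(RAMP, 0.1))
    print("ramp, delta 1.0:", dm_max_error(RAMP, 1.0))
    print("flat, delta 5.0 (quantizing noise):", dm_max_error(FLAT, 5.0))
    print("flat, delta 1.0:", dm_max_error(FLAT, 1.0))
```

With a step of 0.1 the staircase cannot climb as fast as the ramp and the error grows without bound along it (slope overload); with a step of 5 on a flat signal the staircase hunts ±5 around the true value (quantizing noise). A step of 1 handles both inputs with an error no larger than one step, which is the trade-off the "two choices" bullet refers to.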
              
    Method    Waveform                 Comments

    data:     0 1 1 0 1 0 0 0 1

    NRZ-L     __----__--______--       dc component
    NRZ-M     __--____--------__       dc component
    NRZ-S     ------____--__----       dc component
    RZ        __-_-___-_______-_       dc component, twice B/W
    bipolar   __++--__++______--       three levels, e.d.
    Manch.    _--_-__--__-_-_--_       synch, twice BW, e.d.
    D.Man.    -__--_-__-_-_-_--_       synch, twice BW, e.d.
    Bip.-M    --_-_-__-_--__--_-       synch, twice BW, e.d.
    Bip.-S    -_--__-_--_-_-_-__       synch, twice BW, e.d.
    Miller    ___--____---__---_       synch, 3/2 BW, e.d., complex

    (BW = bandwidth relative to NRZ, e.d. = signal-based error detection, synch = self-clocking)
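To check the waveform table above, here is an added Python example (not from the notes) that generates each row from the rules listed under Examples, two symbols per bit, with '_' for low and '-' for high; the bipolar row uses '+' and '-' for pulse polarity and '_' for no pulse. The starting level for the differential codes is assumed to be low, which is what makes the generated strings match the table; the function names are mine.

```python
DATA = [0, 1, 1, 0, 1, 0, 0, 0, 1]   # the data row of the table


def _sym(level):
    return "-" if level else "_"

def nrz_l(bits):
    # level code: 1 is always high, 0 always low
    return "".join("--" if b else "__" for b in bits)

def nrz_m(bits, level=0):
    # mark code: a 1 is a transition at the start of the bit, a 0 is none
    out = []
    for b in bits:
        if b:
            level ^= 1
        out.append(_sym(level) * 2)
    return "".join(out)

def nrz_s(bits, level=0):
    # space code: a 0 is a transition at the start of the bit, a 1 is none
    out = []
    for b in bits:
        if not b:
            level ^= 1
        out.append(_sym(level) * 2)
    return "".join(out)

def rz(bits):
    # 1 = pulse high for half the bit then back to low, 0 = stays low
    return "".join("-_" if b else "__" for b in bits)

def bipolar_ami(bits):
    # marks alternate polarity (+, -, +, ...), spaces are no pulse
    out, polarity = [], "-"
    for b in bits:
        if b:
            polarity = "+" if polarity == "-" else "-"
            out.append(polarity * 2)
        else:
            out.append("__")
    return "".join(out)

def manchester(bits):
    # always a mid-bit transition: 1 = high then low, 0 = low then high
    return "".join("-_" if b else "_-" for b in bits)

def diff_manchester(bits, level=0):
    # 0 = transition at the start of the bit, 1 = none; always one mid-bit
    out = []
    for b in bits:
        if not b:
            level ^= 1
        first, level = level, level ^ 1
        out.append(_sym(first) + _sym(level))
    return "".join(out)

def biphase_m(bits, level=0):
    # always a transition at the start of the bit; a 1 adds a mid-bit transition
    out = []
    for b in bits:
        level ^= 1
        first = level
        if b:
            level ^= 1
        out.append(_sym(first) + _sym(level))
    return "".join(out)

def biphase_s(bits, level=0):
    # always a transition at the start of the bit; a 0 adds a mid-bit transition
    out = []
    for b in bits:
        level ^= 1
        first = level
        if not b:
            level ^= 1
        out.append(_sym(first) + _sym(level))
    return "".join(out)

def miller(bits, level=0):
    # delay code: 1 = mid-bit transition; 0 = transition at the bit boundary
    # only when the previous bit was also a 0
    out = []
    for i, b in enumerate(bits):
        if not b and i > 0 and not bits[i - 1]:
            level ^= 1
        first = level
        if b:
            level ^= 1
        out.append(_sym(first) + _sym(level))
    return "".join(out)

def encode_all(bits=DATA):
    """Return {table row name: waveform} for every code in the table."""
    return {"NRZ-L": nrz_l(bits), "NRZ-M": nrz_m(bits), "NRZ-S": nrz_s(bits),
            "RZ": rz(bits), "bipolar": bipolar_ami(bits),
            "Manch.": manchester(bits), "D.Man.": diff_manchester(bits),
            "Bip.-M": biphase_m(bits), "Bip.-S": biphase_s(bits),
            "Miller": miller(bits)}


if __name__ == "__main__":
    for name, wave in encode_all().items():
        print(f"{name:8} {wave}")
```

Running it prints the table's waveform column exactly; changing DATA to a long run of 0's makes the difference in the Comments column visible, since the NRZ and RZ rows go flat while every biphase row keeps a transition in each bit.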

Scrambling

To add synchronization capabilities to bipolar-AMI, which loses synchronization when a long string of 0's is sent, a run of 0's may be encoded by one of two fixed strings of 0's and 1's of the same length. These are distinguished from normal data by having one (or more) code violations (two pulses of the same polarity in a row) in short succession, so that the receiver may detect these substituted patterns and decode them as a run of 0's.

Examples -

Bipolar with 8 Zero Substitution (B8ZS) - whenever 8 consecutive 0's are encountered in the data, the 8 0's are replaced with the pattern 000VB0VB, where {V,B} = {+,-}, with V a pulse of the same polarity as the last mark (causing a code violation) and B a pulse of the opposite polarity to the preceding one. Popular in the USA. Requires only memory of the polarity of the last pulse and the number of consecutive 0's seen, buffering the last 5 bits.

EX:

    data    = 011001000000000000100
                    ^^^^^^^^        - run of 8 0's
    encoded = 0+-00+000+-0-+0000-00
                   ^---^^-^         - code violations
                    ||||||||        - special pattern


High-density Bipolar - 3 Zeros (HDB3) - Popular in Europe and Japan. Starts with Bipolar-AMI, and substitutes 4 consecutive 0's with one of four patterns, according to both the polarity of the preceding pulse and the number of pulses since the last substitution (so that no dc component is introduced). Requires memory of the polarity of the last pulse, the parity of the number of pulses seen since the last substitution, and the number of consecutive 0's seen. Must buffer 4 bits.

                          Pulses since last substitution
    Preceding polarity         Odd          Even
            -                  000-         +00+
            +                  000+         -00-
    IN GENERAL                 000V         B00V


EX:

    data = 011001000000100000100
                 ^^^^   ^^^^        - runs of 4 zeros each
    HDB3 = 0+-00+-00-00+000+0-00
                 ^--^  ^---^        - code violations
                 ||||   ||||        - special patterns

Note: since repeating a pulse of the same polarity to cause a code violation will introduce dc bias, this must be remedied - B8ZS does this by balancing the number of positive and negative pulses in its substitution pattern, but the pattern is long, so 7 0's in the data can go through unsubstituted. HDB3 compensates for the imbalance its shorter pattern could introduce by a more complex method for choosing the pattern used, so that the net imbalance is never bad. It does this by ensuring that the unbalanced substitution patterns are always of alternating polarity.
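B8ZS and HDB3 as an added Python example (not from the notes): the encoders apply the substitution rules above to a bipolar-AMI stream, the decoders show the receiver's side, treating a pulse of the same polarity as the previous one as a violation, and max_running_disparity measures the dc build-up the note discusses. Symbols are '0', '+' and '-' as in the worked examples. The HDB3 encoder keeps the polarity of the last pulse and of the last violation; "last pulse equals last violation" is the same test as "even number of pulses since the last substitution" in the table, because a substitution always ends on its V pulse and every ordinary mark flips the polarity. Its initial violation polarity is an assumption chosen so that the output reproduces the HDB3 example above, which begins with a B00V pattern; with initial_violation="-" the first run encodes as 000+ instead, and both are valid HDB3 since only the alternation of successive V pulses matters.

```python
# Line symbols: '0' = no pulse, '+' / '-' = positive / negative pulse.

def _flip(p):
    return "+" if p == "-" else "-"


def b8zs_encode(bits):
    """Replace every run of 8 zeros with 000VB0VB (V = violation, B = balancing)."""
    out, last, i = [], "-", 0          # last = polarity of the last pulse sent
    while i < len(bits):
        if bits[i:i + 8] == "00000000":
            v, b = last, _flip(last)   # V repeats the last polarity, B opposes it
            out.append("000" + v + b + "0" + b + v)   # ends on polarity `last`
            i += 8
        elif bits[i] == "1":
            last = _flip(last)         # ordinary AMI mark
            out.append(last)
            i += 1
        else:
            out.append("0")
            i += 1
    return "".join(out)


def b8zs_decode(line):
    """A receiver recognises the two violating patterns and restores 8 zeros;
    neither pattern can occur in violation-free AMI."""
    out, i = [], 0
    while i < len(line):
        if line[i:i + 8] in ("000+-0-+", "000-+0+-"):
            out.append("00000000")
            i += 8
        else:
            out.append("0" if line[i] == "0" else "1")
            i += 1
    return "".join(out)


def hdb3_encode(bits, initial_violation="+"):
    """Replace every run of 4 zeros with 000V or B00V so that successive
    violation pulses alternate in polarity (no net dc shift)."""
    out, last, last_v, i = [], "-", initial_violation, 0
    while i < len(bits):
        if bits[i:i + 4] == "0000":
            if last == last_v:
                # even number of pulses since the last V: B00V, both opposite to last
                b = _flip(last)
                out.append(b + "00" + b)
                last = last_v = b
            else:
                # odd number of pulses since the last V: 000V, V repeats last
                out.append("000" + last)
                last_v = last
            i += 4
        elif bits[i] == "1":
            last = _flip(last)
            out.append(last)
            i += 1
        else:
            out.append("0")
            i += 1
    return "".join(out)


def hdb3_decode(line):
    """Two consecutive pulses of equal polarity mark a violation; the V and the
    three symbols before it (000 or B00) decode to four zeros."""
    out, last = [], "-"                # receiver assumes the sender's initial state
    for s in line:
        if s == "0":
            out.append("0")
        elif s == last:
            out[-3:] = ["0", "0", "0"]
            out.append("0")
        else:
            out.append("1")
            last = s
    return "".join(out)


def max_running_disparity(line):
    """Largest |running sum of pulses|: a bounded value means no dc build-up."""
    total, worst = 0, 0
    for s in line:
        total += {"+": 1, "-": -1}.get(s, 0)
        worst = max(worst, abs(total))
    return worst


if __name__ == "__main__":
    print("B8ZS:", b8zs_encode("011001000000000000100"))
    print("HDB3:", hdb3_encode("011001000000100000100"))
    print("HDB3 disparity over 40 zeros:", max_running_disparity(hdb3_encode("1" + "0" * 40)))
```

Over a long run of zeros the HDB3 output's running pulse sum never leaves the range -1..+1, which is the alternating-polarity property the note describes; the B8ZS pattern is balanced within itself, so its running sum returns to the starting value at the end of every substitution.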


Manchester Phase Encoding (MPE)

802.3 Ethernet uses Manchester Phase Encoding (MPE). A data bit '1' from the level-encoded signal (i.e. that from the digital circuitry in the host machine sending data) is represented by a full cycle of the inverted signal from the master clock which matches with the '0' to '1' rise of the phase-encoded signal (linked to the phase of the carrier signal which goes out on the wire). i.e. -V in the first half of the signal and +V in the second half.


The data bit '0' from the level-encoded signal is represented by a full normal cycle of the master clock which gives the '1' to '0' fall of the phase-encoded signal. i.e. +V in the first half of the signal and -V in the second half.

The above diagram shows graphically how MPE operates. The example at the bottom of the diagram indicates how the digital bit stream 10110 is encoded.

A transition in the middle of each bit makes it possible to synchronize the sender and receiver. At any instant the ether can be in one of three states: transmitting a 0 bit (-0.85v), transmitting a 1 bit (0.85v) or idle (0 volts). Having a normal clock signal as well as an inverted clock signal leads to regular transitions which means that synchronisation of clocks is easily achieved even if there are a series of '0's or '1's. This results in highly reliable data transmission. The master clock speed for Manchester encoding always matches the data speed and this determines the carrier signal frequency, so for 10Mbps Ethernet the carrier is 10MHz.

Differential Manchester Encoding (DME)

A '1' bit is indicated by making the first half of the signal equal to the last half of the previous bit's signal, i.e. no transition at the start of the bit-time. A '0' bit is indicated by making the first half of the signal opposite to the last half of the previous bit's signal, i.e. a zero bit is indicated by a transition at the beginning of the bit-time. In the middle of the bit-time there is always a transition, whether from high to low or low to high. Each bit transmitted means a voltage change always occurs in the middle of the bit-time to ensure clock synchronisation. Token Ring uses DME and this is why a preamble is not required in Token Ring, compared to Ethernet which uses Manchester encoding.

Non Return to Zero (NRZ)

NRZ encoding uses 0 volts for a data bit of '0' and +V volts for a data bit of '1'. The problem with this is that it is difficult to distinguish a series of '1's or '0's due to clock synchronisation issues. Also, the average DC voltage is V/2 so there is high power output. In addition, the bandwidth is large, i.e. from 0Hz to half the data rate, because for every full signal wave two bits of data can be transmitted (remember that with MPE the data rate equals the bit rate, which is even more inefficient!), i.e. two bits of information are transmitted for every cycle (or hertz).

After 50m of cable attenuation the signal amplitude may have been reduced to 100mV giving an induced noise tolerance of 100mV.

Return to Zero (RZ)

With RZ a '0' bit is represented by 0 volts whereas a '1' data bit is represented by +V volts for half the cycle and 0 volts for the second half of the cycle. This means that the average DC voltage is reduced to V/4, plus there is the added benefit of there always being a voltage change even if there is a series of '1's. Unfortunately, the efficiency of bandwidth usage decreases if there is a series of '1's since now a '1' uses a whole cycle.

Non Return to Zero Invertive (NRZ-I)

With NRZ-I a '1' bit is represented by 0 volts or +V volts depending on the previous level. If the previous voltage was 0 volts then the '1' bit will be represented by +V volts, however if the previous voltage was +V volts then the '1' bit will be represented by 0 volts. A '0' bit is represented by whatever voltage level was used previously. This means that only a '1' bit can 'invert' the voltage, a '0' bit has no effect on the voltage, it remains the same as the previous bit whatever that voltage was.

This can be demonstrated in the following examples for the binary patterns 10110 and 11111:

Note how a '1' inverts the voltage whilst a '0' leaves it where it is. This means that the encoding is different for the same binary pattern depending on the voltage starting point.

The bandwidth usage is minimised with NRZ-I, plus there are frequent voltage changes required for clock synchronisation.

With fibre there are no issues with power output so a higher clock frequency is fine whereas with copper NRZ-I would not be acceptable.

4B/5B

4B/5B encoding is sometimes called 'Block coding'. To get around the problem of long runs without transitions in MLT-3 (see the MLT-3 section below), an intermediate encoding takes place before the MLT-3 encoding. Each 4-bit 'nibble' of received data has an extra 5th bit added. If input data is dealt with in 4-bit nibbles there are 2^4 = 16 different bit patterns. With 5-bit 'packets' there are 2^5 = 32 different bit patterns. As a result, the 5-bit patterns used always have two '1's in them: even if the data is all '0's, a translation to another of the bit patterns occurs. This provides the clock synchronisation required for reliable data transfer.

Notice that the clock frequency is 125MHz. The reason for this is due to the 4B/5B encoding. A 100MHz signal would not have been enough to give us 100Mbps, we need a 125MHz clock.

5B/6B

Same idea as 4B/5B but you can have DC balance (3 zero bits and 3 one bits in each group of 6) to prevent polarisation. 5B/6B encoding is the process of encoding the scrambled 5-bit data patterns into predetermined 6-bit symbols. This creates a balanced data pattern, containing equal numbers of 0's and 1's, to provide guaranteed clock transitions for receiver synchronization, as well as an even power value on the line.

5B/6B encoding also provides an added error-checking capability. Invalid symbols and invalid data patterns, such as more than three 0's or three 1's in a row, are easily detected.

For 100VG-AnyLAN for instance, the clock rate on each wire is 30MHz, therefore 30Mbits per second are transmitted on each pair giving a total data rate of 120Mbits/sec. Since each 6-bits of data on the line represents 5 bits of real data due to the 5B/6B encoding, the rate of real data being transmitted is 25Mbits/sec on each pair, giving a total rate of real data of 100Mbits/sec. For 2-pair STP and fiber, the data rate is 120Mbits/sec on the transmitting pair, for a real data transmission rate of 100Mbits/sec.

8B/6T

8B/6T means send 8 data bits as six ternary (one of three voltage levels) signals: 6/8 = 3/4 signal transitions per bit, i.e. the carrier just needs to be running at 3/4 of the speed of the data rate.

The incoming data stream is split into 8-bit patterns. Each 8-bit data pattern with two voltage levels, 0 volts and V volts, is examined. This 8-bit pattern is then converted into a 6-symbol pattern using three voltage levels -V, 0 and V volts, so each 8-bit pattern has a unique 6T code. For example the bit pattern 0000 0000 (0x00) uses the code +-00+- and 0000 1110 (0x0E) uses the code -+0-0+. There are 3^6 = 729 possible patterns (symbols). The rules for the symbols are that there must be at least two voltage transitions (to maintain clock synchronisation) and the average DC voltage must be zero (this is called 'DC balance': the overall DC voltage sums to 0V, the +V and -V transitions being evenly balanced either side of 0V), which stops any polarisation on the cable.

The maximum frequency that the 6T codes could generate on one carrier is 37.5MHz. FCC rules do not allow anything above 30MHz on cables and Category 3 cable does not allow anything above 16MHz (which is what 100BaseT4 was designed for). The 100BaseT4 standard uses 8B/6T encoding on three pairs in a round robin fashion such that the maximum carrier frequency on any single pair is 37.5/3 = 12.5MHz.

8B/10B

Each octet of data is examined and assigned a 10 bit code group. The data octet is split up into the 3 most significant bits and the 5 least significant bits. This is then represented as two decimal numbers with the least significant bits first e.g. for the octet 101 00110 we get the decimal 6.5. 10 bits are used to create this code group and the naming convention follows the format /D6.5/. There are also 12 special code groups which follow the naming convention /Kx.y/.

The 10 bit code groups must either contain five ones and five zeros, or four ones and six zeros, or six ones and four zeros. This ensures that not too many consecutive ones and zeros occur between code groups, thereby maintaining clock synchronisation. Two 'commas' are used to aid in bit synchronisation; these 'commas' are the 7-bit patterns 0011111 (+comma) and 1100000 (-comma).

In order to maintain a DC balance, a calculation called the Running Disparity calculation is used to try to keep the number of '0's transmitted the same as the number of '1's transmitted.

This uses 10 bits for each 8 bits of data and therefore drops the data rate relative to the line speed; for instance, in order to gain a data rate of 1Gbps the line speed has to be 10/8 x 1 = 1.25Gbps.

MLT-3

This scheme was specified by the ANSI X3T9.5 committee. It is used by FDDI and TP-PMD to obtain 100Mb/s out of a 31.25MHz signal.

UTP is low-pass in nature, meaning that it attenuates high-frequency signals (like a low-pass filter). So it is not feasible to merely increase the clock frequency by 10 to 100MHz and use Manchester encoding to give us 100Mbps. In addition, the FCC (Federal Communications Commission) has severely curtailed the power that is allowed to be emitted above 30MHz. We have to use another encoding technique in order to transmit high data rates across UTP.

If you take an averaging spectrum analyser and look at the output signal of the 10Mbps Ethernet phase-encoded signal, you will see a power peak at 10MHz where there is a stream of '1's or '0's, you will see a smaller harmonic at 30MHz and if there is a stream of '1's and '0's, you will see a peak at 5MHz. Now 100BaseT uses a master clock running at 125MHz instead of 10MHz. The equivalent peaks would then be at 125MHz, 375MHz and 62.5MHz. Transmission electronics designed to work within the FCC rules will block the frequencies higher than 30MHz.

To get around this issue we need to concentrate the signal power below 30MHz if possible. To do this the encoding method Multi-Level Transition 3 (MLT-3) is used. This involves using the pattern 1, 0, -1, 0. If the next data signal is a '1' then the output 'transitions' to the next bit in the pattern e.g. if the last output bit was a '-1', and the input bit is a '1', then the next output bit is a '0'. If the next data signal is a '0' then there is no transition which means that the next output bit is the same as last time, in our case a '0'.

The cycle length of the output signal is therefore going to be 1/4 that of the MPE method, so that instead of the main signal peak being at 125MHz as measured by the averaging spectrum analyser, it will be at 31.25MHz, which is near enough to be OK as far as the FCC is concerned. 5 bits are transmitted for every 4 bits of data, so the line bit rate is actually 125Mb/s for 100Mb/s data throughput.

There is an issue with this in that you can end up with a series of '0's or '1's which force the local circuitry to count the bits using its own free running clock rather than have the check of the clock synchronisation from the transmit source.
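The MLT-3 state machine from the paragraphs above, as an added Python example (not from the notes): mlt3_encode walks the 1, 0, -1, 0 cycle on each '1' and holds the level on each '0'; full_cycles counts complete cycles to show that a stream of '1's yields one output cycle per four bits (125Mb/s on the line, 31.25MHz fundamental), and longest_run_without_transition measures the stretch of unchanged level that a string of '0's produces, which is the clock-recovery problem the paragraph above describes and the reason 4B/5B is applied first. The idle start level and the function names are assumptions.

```python
MLT3_CYCLE = (1, 0, -1, 0)   # the output levels are walked in this order


def mlt3_encode(bits, start_index=3):
    """A '1' advances to the next level of the cycle, a '0' repeats the current
    level. start_index=3 (an assumption) means the line idles at 0 and the
    first '1' moves it to +1."""
    levels, idx = [], start_index
    for b in bits:
        if b == "1":
            idx = (idx + 1) % len(MLT3_CYCLE)
        levels.append(MLT3_CYCLE[idx])
    return levels


def full_cycles(levels):
    """Count entries into the +1 level, i.e. complete 1,0,-1,0 cycles."""
    return sum(1 for i, lv in enumerate(levels)
               if lv == 1 and (i == 0 or levels[i - 1] != 1))


def longest_run_without_transition(levels):
    """Longest stretch of unchanged output level: while it lasts the receiver
    has no edge to lock its clock to."""
    best = run = 1 if levels else 0
    for a, b in zip(levels, levels[1:]):
        run = run + 1 if a == b else 1
        best = max(best, run)
    return best


if __name__ == "__main__":
    ones = mlt3_encode("1" * 16)
    print(ones, "cycles:", full_cycles(ones))             # 4 cycles for 16 bits
    zeros = mlt3_encode("0" * 8)
    print(zeros, "flat run:", longest_run_without_transition(zeros))
```

The all-ones input is the worst case for line frequency and gives exactly one cycle per four bits; the all-zeros input is the worst case for clock recovery and gives no transitions at all, so the receiver's free-running clock has nothing to correct against until 4B/5B guarantees a '1' within every five line bits.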

PAM-5

This employs multi-level amplitude signalling. To encode 8 bits, 2^8 = 256 codes or symbols are required, since there are 256 possible pattern combinations. A five-level signal (e.g. -2V, -1V, 0V, 1V and 2V) called Pulse Amplitude Modulation 5 is used (this works in a similar manner to MLT-3). Bearing in mind that there are 4 separate pairs being used for transmission and reception of data, this gives a possibility of 5^4 = 625 codes to choose from when using all four pairs. Actually only four levels are used for data; the fifth level (0V) is used for the 4-dimensional 8-state Trellis Forward Error Correction used to recover the transmitted signal from the high noise.

If you plot time (nanoseconds) against voltage you will see an 'eye pattern' effect showing the different signal levels. Comparing a plot for MLT-3 against PAM-5 will demonstrate that the separate levels for PAM-5 are less distinct. This is why extra convolutional coding, called Trellis coding, is used, with Viterbi decoding for error detection and correction.

2 bits are represented per symbol and the symbol rate is 125 Mbaud (symbols per second) in each direction on a pair because the clock rate is set at 125MHz. This gives 250Mbps data per pair and therefore 1000Mbps for the whole cable.

This type of encoding is used by Gigabit Ethernet. The data signals have distinct and measurable amplitude and phases relative to a 'marker signal'. Using this two way matrix allows more data bits per cycle, in the case of Gigabit Ethernet 1000Mbps is squeezed into 125MHz signals. The electronics are more complex and the technology is more susceptible to noise.



Thnx To Mr. R. E. Newman-Wolfe, University of Florida
