Network Interface
The hardware and software boundary between a computer and its network connection.
Why This Matters
The network interface is the point where a computer meets the network. It is both a hardware component (the physical circuitry that sends and receives signals) and a software abstraction (the operating system driver that presents a consistent programming interface regardless of the underlying hardware). Understanding the network interface helps you configure networking correctly, diagnose connection problems, and understand how operating systems manage network access.
Every computer that participates in a network has at least one network interface. Modern computers often have several: a wired Ethernet interface, a wireless 802.11 interface, and possibly others (Bluetooth, cellular modem). Each interface has its own MAC address, IP configuration, and operating parameters that must be configured correctly for the machine to communicate.
The interface is also the point where network performance is measured and controlled. Bandwidth limits, packet filtering, traffic shaping, and security policies are applied at the interface level.
Hardware Components
The physical network interface consists of several functional blocks, each with a specific role.
The Media Access Controller (MAC) implements the data link layer protocol — for Ethernet, this means framing, addressing, and CSMA/CD collision handling. The MAC generates and strips Ethernet headers, computes and verifies CRC checksums, and manages the MAC address table (in switches) or validates received frames (in end devices).
The Physical Layer Interface (PHY) converts between the digital bits processed by the MAC and the analog signals transmitted on the physical medium. For twisted-pair Ethernet, the PHY includes line drivers that generate the differential voltage signals, line receivers that detect incoming signals, equalization circuits that compensate for cable attenuation, and clock recovery circuits that extract timing from the received signal. Auto-negotiation is also handled by the PHY.
The transformer isolation (magnetics) electrically isolates the circuitry from the cable. This isolation protects the electronics from voltage differences between the ends of a cable run, which can be significant in large buildings. It also protects against lightning-induced surges and meets electrical safety requirements. The magnetics are often built into the RJ-45 connector housing for convenience.
The DMA engine (Direct Memory Access) allows the network interface to read from and write to system memory without CPU involvement. When the CPU is not involved in each data transfer, the CPU is free to do other work, and network throughput is limited by memory bandwidth rather than CPU speed. Modern NICs can transfer data at full Gigabit Ethernet speeds without significant CPU load precisely because DMA handles the data movement.
Operating System Interface
The operating system presents each network interface as a named device. In Linux, wired Ethernet interfaces are typically named eth0 or eth1, or follow the newer predictable naming scheme (enp3s0, eno1). Wireless interfaces are named wlan0 or wlp2s0. These names are assigned by the kernel based on the driver and hardware enumeration order.
The operating system driver sits between the hardware MAC and the network stack. When the MAC receives a frame, it raises an interrupt (or signals the DMA completion); the driver reads the frame from DMA memory and passes it up to the IP stack. Going the other direction, the IP stack passes packets to the driver, which prepends the Ethernet header, writes the frame to DMA memory, and instructs the MAC to transmit.
Interface configuration includes: IP address and subnet mask, default gateway, DNS server addresses, MTU (Maximum Transmission Unit), and optional parameters like transmit queue length. This configuration is set either manually (static configuration) or automatically via DHCP.
In Linux, interface configuration commands include:
ip addr show — list all interfaces and their addresses
ip link show — list interfaces and their link state (up/down)
ip addr add 192.168.1.10/24 dev eth0 — assign an IP address
ip route add default via 192.168.1.1 — set the default gateway
ip link set eth0 up — bring an interface up
ip link set eth0 down — take an interface down
In Windows, network interfaces are configured through Network and Sharing Center or via PowerShell (Get-NetAdapter, New-NetIPAddress, etc.).
Promiscuous Mode and Packet Capture
Normally, a network interface discards all frames whose destination MAC address is not its own address (or the broadcast address). Promiscuous mode disables this filtering, allowing the interface to pass all received frames to the operating system regardless of destination address. This is required for network monitoring and packet capture.
Network analysis tools (Wireshark, tcpdump) use promiscuous mode to capture all traffic on the local network segment. On a hub-based network, this captures all traffic because the hub broadcasts to all ports. On a switch-based network, promiscuous mode only captures traffic destined for the monitoring machine plus broadcasts and multicasts — switched networks do not send unicast traffic for one host to another host’s port.
To capture all traffic on a switched network, you need either port mirroring (configuring the switch to send a copy of specified ports’ traffic to the monitoring port) or a network tap (a passive device inserted inline that sends copies of traffic to the monitoring interface).
Wireless monitoring mode is separate from promiscuous mode. Monitor mode (sometimes called RFMON mode) places the wireless interface into a state where it captures all raw 802.11 frames it receives, regardless of the network they belong to. This requires specific driver support and not all wireless interfaces support it.
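Because promiscuous mode is what a sniffer needs, an interface that is promiscuous without a known reason is worth investigating. The following added example (not part of the original page) lists such interfaces by testing the IFF_PROMISC bit (0x100) in the flags word that Linux exposes under /sys/class/net; the function names are hypothetical, and the optional directory argument exists only so the check can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added example: report interfaces whose IFF_PROMISC flag is set.
# IFF_PROMISC is 0x100 in <linux/if.h>; sysfs exposes each interface's
# flags word as a hex string in /sys/class/net/<iface>/flags.

# is_promisc FLAGS_HEX -> exit status 0 if the promiscuous bit is set
is_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# promisc_ifaces [SYSFS_NET_DIR] -> one promiscuous interface name per line
promisc_ifaces() {
    root=${1:-/sys/class/net}
    for dir in "$root"/*/; do
        [ -r "${dir}flags" ] || continue
        read -r flags < "${dir}flags" || continue
        case "$flags" in
            0x*) ;;                 # expected form, e.g. 0x1103
            *)   continue ;;        # skip anything that is not a hex word
        esac
        if is_promisc "$flags"; then
            basename "$dir"
        fi
    done
}

# Scan the live system when run directly (prints nothing if none are set).
promisc_ifaces "$@"
```

Compare the output with the hosts where you expect a capture tool or a bridge to be running; an entry anywhere else is the finding.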
Interface Performance and Offloading
Modern NICs offload many tasks from the CPU to hardware. TCP checksum offloading computes and verifies TCP checksums in hardware rather than software. TSO (TCP Segmentation Offloading) allows the driver to pass large TCP buffers to the NIC, which segments them into individual frames — eliminating the CPU overhead of constructing thousands of individual frames per second. LRO/GRO (Large/Generic Receive Offloading) coalesces multiple received frames into larger buffers before passing them to the protocol stack, reducing interrupt overhead.
These offloading features are normally enabled by default and transparent to users. However, when using network monitoring tools, offloading can produce unexpected results: a frame capture shows a single large “super-frame” that never actually exists on the wire. When debugging at the packet level, temporarily disabling offloading (on Linux: ethtool -K eth0 tso off gso off gro off) produces captures that more accurately reflect actual wire traffic.
Ring buffers are the mechanism by which the NIC and the operating system exchange packets. The NIC fills a receive ring buffer with incoming frames; the driver drains the ring and passes frames to the IP stack. If the driver cannot drain the ring fast enough (because of CPU load or driver inefficiency), the ring fills and incoming frames are dropped. Increasing ring buffer sizes (ethtool -G eth0 rx 4096) can reduce drops during traffic bursts.
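Both effects above, offloads that reshape captured frames and receive drops when the ring overflows, decide how much a capture on a monitoring host can be trusted. This added example (not from the original page) parses `ethtool -k` output for offloads that are still on and /proc/net/dev-format text for non-zero receive drop and fifo counters; the function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-capture check for a Linux monitoring interface.

# offloads_on: reads `ethtool -k IFACE` output on stdin and prints the
# segmentation/receive offloads that are still enabled.
offloads_on() {
    awk -F': *' '
        /^(tcp-segmentation-offload|generic-segmentation-offload|generic-receive-offload|large-receive-offload):/ {
            split($2, state, " ")      # drops a trailing "[fixed]"
            if (state[1] == "on") print $1
        }'
}

# rx_loss [FILE]: reads /proc/net/dev-format text (FILE or stdin) and prints
# "iface drop fifo" for interfaces with a non-zero receive drop/fifo counter.
rx_loss() {
    awk 'NR > 2 {
            sub(/:/, " ")              # name can be glued to the rx byte count
            if ($5 + $6 > 0) print $1, $5, $6
        }' "$@"
}

# Constructed sample inputs so the example runs offline.
SAMPLE_ETHTOOL='Features for eth0:
rx-checksumming: on
tcp-segmentation-offload: on
	tx-tcp-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]'

SAMPLE_PROCNETDEV='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  1000 10 0 0 0 0 0 0 1000 10 0 0 0 0 0 0
  eth0:987654 4321 0 17 3 0 0 0 5555 99 0 0 0 0 0 0'

printf '%s\n' "$SAMPLE_ETHTOOL" | offloads_on
printf '%s\n' "$SAMPLE_PROCNETDEV" | rx_loss
```

On a live host, feed it real data with `ethtool -k eth0 | offloads_on` and `rx_loss /proc/net/dev`; counters that keep rising during a capture mean frames are missing from it.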
Interrupts vs. polling: Traditional NICs raise an interrupt for each received frame, which has high overhead at very high frame rates. NAPI (New API) in Linux uses a hybrid approach: after the first interrupt, the driver switches to polling mode and processes available frames in batches before re-enabling interrupts. This dramatically improves performance at high packet rates.