EE984 Laboratory Experiment 2: Protocol Analysis

Transcription

1 EE984 Laboratory Experiment 2: Protocol Analysis Abstract This experiment provides an introduction to protocols used in computer communications. The equipment used comprises of four PCs connected via a single hub to an Ethernet. Together with software protocol analysers, these facilities will enable you to gain an insight into protocol operations, and allow you to examine the effect of changing parameters within these protocols. The protocols to be examined will be at the MAC, Network and Transport layers of the Open Systems Interconnection (OSI) model - in particular TCP/IP protocols. Table of Content 1. Network Environment in the Networks Lab Tasks and Objectives Experimental Features Experimental Set-up tcpdump: network monitoring software traffic: traffic generating software listener: verifies the traffic generator operation ftp: creates TCP/IP packets within the sub-net Parsing program A simple introduction to a packet and headers Experimental Procedure Method of Assessment... 9 References

2 1. Network Environment in the Networks Lab The MSc Network Laboratory is located in the ESE PC Laboratory on level 4, (room 4SB.5.1). A number of experimental networks may be found in the laboratory (esenet[1-5],esenet[6-10] and esenet[11-14], where only the first four machines should be used in the case of the first two networks). Each experimental computer network consists of four PCs running the Linux operating system, connected to a single hub. The network is physically connected to but logically isolated from the main campus network for security reasons by employing a firewall. The firewall will still permit the user to access home directories and perform ftp transactions, but prohibits campus-wide operations such as password changes. Use the logon username and password given at the start of the laboratory session to access the workstations. On the machine you have normal access to familiar programs but in addition superuser privileges for monitoring traffic flowing on this local network using tcpdump. Access to all other workstations on the campus network is prohibited except to mount home directories and perform ftp operations. 2. Tasks and Objectives It is essential to do some background reading on the technical aspects of the network. To understand the experiment you must understand how Ethernet (CSMA/CD bus network) and TCP/IP work, in particular, the structure of the Ethernet frame, IP datagram and TCP segment. Please refer to the references if current course notes are insufficient. Using the network monitoring software (tcpdump) capture the statistics associated with a data transfer from one machine to another. Then write a piece of code to parse (filter) the data returned by the network monitor and decode and identify the various aspects of the packet. The code may be implemented using Java, C, C++ or even a high level scripting language such as TCL or csh and awk. Once the session is completed, analyse TCP/IP fields of all the frames captured to gain a clear undestanding of the protocol operations during the session. Record in your report some captured data and give a detailed explanation of the exchange of the TCP control segments. Your understanding of the conversation between the two workstations at a TCP level is crucial to the final outcome of your report. The experimental set-up is provided with a piece of software which generates traffic within the sub network. The above procedure should be repeated both with and without the synthetically generated traffic to investigate the effects on the TCP packets. Final reports should include discussion on the decoding of the frame, the encapsulation of the packet, and the effects of traffic levels on the packet. The discussion should be reinforced by use of examples. 2

3 3. Experimental Features 3.1. Experimental Set-up Features of the experiment are as follows: 4 PCs running LINUX; ESENET[1-5], ESENET[6-10], ESENET[11-14] a single hub to which each block of four machines are connected. a firewall for security purposes. superuser priveleges for tcpdump network monitoring software. a UDP traffic generator program (called traffic ). a listen program ( listener ) which verifies the traffic generator operation. a program such as ftp to generate the TCP/IP packets to be monitored a program written by you to parse the output data from tcpdump Figure 1: Experiment Overview Figure 1 shows the experimental overview. Which machine runs which piece of software is an arbitrary decision. In the set-up shown ESENET1 is running tcpdump, which is monitoring traffic from a campus machine to ESENET4. ESENT2 is running the traffic software that is sending UDP packets to ESENT3. ESENT3 is monitoring the UDP traffic it is receiving from ESENT tcpdump: network monitoring software tcpdump is a powerful network monitoring facility that allows you to capture the headers of packets on a network interface. In addition, tcpdump provides various options for protocol analysis. 3

4 tcpdump [ -adeflnnopqstvx ] [ -c count ] [ -F file ] [ -i interface ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ expression ] The man page for tcpdump should be consulted for a full description of the facility. Read the man page carefully and try out various options until you are confident in its use. As an example: tcpdump -x dst host eses25 and src host esenet4 outputs the hexadecimal (-x) TCP/IP packet headers for communications from esenet4 (dst host) to eses25 (src host) (but not back!). Additionally using the -e option will also print out the MAC level header including the Ethernet address traffic: traffic generating software traffic generates UDP packets and sends them to a specified destination. The software simulates a network under high traffic load. The software is invoked using the command line arguments: traffic [hostipaddress] [packetsize] [hostname] A typical command line would be traffic esenet11 which loads the mini network by about 1Mbit/s, sending the traffic to the host esenet11 with the IP address listener: verifies the traffic generator operation Invoked by typing simply listen provides an indication of the number and size of UDP packets being received per second, the program must be run on the machine to which the traffic generator is sending the UDP packets to function. Your group will be supplied with traffic and listen on a floppy disk. Copy these files to the floppy disk in a Linux shell using Dos commands with the prefix m (or use the linux commands if you are familiar with them). For example mcopy a:\traffic 4

5 To run the program you may need to refer to it as./traffic (i.e., traffic is in the current directory) and also change the permissions on it:- chmod 777./traffic 3.5. ftp: creates TCP/IP packets within the sub-net Use sftp (secure ftp) to get a reasonably large file from a campus account and monitor the connection between the selected ESENET machine and campus machine by using the appropriate command line invocation of tcpdump. Sftp needs to be used because the laboratory is behind the firewall. By using sftp to connect to any valid campus machine (e.g. UNIX1) and supplying your username and password you will access your files Parsing program A parser is a program, which filters specific data items from a larger collection of data, some of the information is therefore not required for display. This program is absent from the set of features provided for the experiment and must be written by you. 4. A simple introduction to a packet and headers Suppose you want to send a registered letter to your friend in London. The following actions happen: Layer 3. You write the letter, put it in a stamped addressed envelope, and then take it to a post office. Layer 2. A clerk deals with the registration details and stamps a code on the envelope. Layer 1. The letter is transported from the source to the destination using the address. Layer 2. A postman takes note of the registration details and passes the letter to your friend. Layer 3. Your friend opens the envelope and reads the letter. The same kinds of operation happen when computers exchange information with one another. The required information is packaged, encoded and passed through various layers before it is sent to another computer. In each layer some control information is added to the original message. The control information and the original message are then passed on to the neighbouring layer where it is treated as a single piece of data for transmission. 5

6 The control information added at each layer is based on a protocol, or in other words a set of rules. They identify the source and destination, the sequence number of the message, what to do with the message when received, whether to acknowledge it, and so on. In order to transmit one message, there is actually a 'conversation' between the computers, which goes through several phases like establishing the link, transferring the message, reliability control (error checking) and eventually terminating the conversation. Figure 2 shows the headers, which are present in the experiment. TCP header information is used to fragment and guarantee delivery and in order reconstruction of packets. This `rides on top' of basic internet protocol (IP) which offers no guarantee of delivery. Below this is the link level header, which deals with addressing within the campus Ethernet LAN. If you understand the protocol, have the means to capture packets and the ability to decode the packets captured, you can eavesdrop and understand a conversation between computers. In default mode tcpdump only allows the header to be observed. Figure 2: Packet Header 6

7 A typical output from tcpdump which is monitoring traffic between esenet4 and eses25 (and eses25 and esenet4, where eses25 is a host in other of the networks) is shown below, the example was for a remote login from esenet4 to eses25. The link level header can be output by using the tcpdump -e option. The region shown in bold is the Ethernet addresses of the two machines produced using the command line: tcpdump -x -e host eses25 and host esenet4 04:22: :80:c8:90:5f:b4 8:0:69:b:2f:f7 ip 67: esenet > voice.login: P : (1) ack win <nop,nop,timestamp to (DF) [tos 0x10] a f081 9bf5 a483 9bf5 d3c1 03ff 0201 c e3 5b9d d78 f a 02a5 f0a7 000d 1c3b 66 The non hexadecimal region (second line) says that tcp port 1023 on esenet4 sent a packet to a login port on voice. The P indicates the PUSH flag is set, the packet sequence number was and one byte was sent. The notation is `first:last(nbytes)' which means `sequence numbers first up to but not including last which is nbytes bytes of user data'. There was a piggyback acknowledgement. The available receive window is bytes. Please man tcpdump for a more complete explanation. The hexadecimal region: a f081 9bf5 a483 9bf5 d3c1 03ff 0201 c e3 5b9d d78 f a 02a5 f0a7 000d 1c3b 66 This example can be broken down as follows, starting from the top left start ip header hex 4 is the version (4 dec). hex 5 is the header length (5 dec) in 32 bit words). 7

8 hex 10 is the type of service (16 dec) i.e.reliability/speed. hex 0035 is the total length (53 dec). hex 9a01 is the identification as to which datagram the packet belongs. hex 4000 describes how to fragment the datagram. hex 40 is the time to live (64 dec). hex 06 is the protocol. hex f081 is the header checksum. hex 9b f5 a4 83 is the source address ( ) esenet4 hex 9b f5 d3 c1 is the destination ( ) voice end ip header verify for yourself the following from the textural part of the tcpdump output start TCP header hex 03ff is the esenet4 port number (dec 1023) hex c is the sequence number (dec ) hex 48e3 58e7 is the piggyback acknowledgement (dec ) hex 8018, 8 is the tcp header length 018 is the flag field hex 7d78 is the available receive window (dec 32120) the rest are optional fields. 5. Experimental Procedure Become familiar with tcpdump and run it on one of the four machines in the experimental sub-net. Monitor traffic from one of the free ESENET machines to a campus machine and also the return path from the campus machine back to the ESENET machine using the correct expression primitive (see man pages). Once invoked tcpdump should return `monitoring eth0', until TCP traffic becomes present. To make traffic on the link, FTP another machine from CAMPUS and transfer a data file (any file will do). The machine running tcpdump, which is monitoring the link should then display a number of packet headers of the format shown in section 5. Once this is verified, examine and discuss the findings. Now repeat the experiment, but this time redirect the output to a file for later examination. Section 4 gave a brief explanation of the meanings of the hex output seen from tcpdump. Write a program that takes the tcpdump output (that you redirected to a file) and automatically sorts such things as source address, packet size, TTL etc. The specific 8

9 operation of the program is left to you the designer, but could for example use the following syntax: parse tcpdump_output.text [-t TTL_stamp packetsize] [-s source_address] etc.. to output for example: Once this has successfully been accomplished, the traffic program discussed in section 4.3 should be run on one of the two remaining free machines and the UDP packets should be directed towards the remaining idle machine. The tcpdump output should again be parsed but this time in the presence of the generated traffic. With your knowledge of CSMA/CD which parameters in the header would you expect to change and why? Is this verified by the experimental data? Would you expect to observe packet loss in the congested experimental network? 6. Method of Assessment Assignment only. The report will be graded according to the following breakdown. 20% parser program 50% demonstration of an understanding of the protocols 30% report presentation The report should be limited in size to a maximum of 20 pages, excluding appendices, which may be used to present code etc. The report should be submitted by Friday of Week 16 (Spring Term) at the latest. References [1] Computer Networks, 3rd edition, A Tanenbaum, (Prentice Hall) pp , and [2] Data and Computer Communication, 4th edition, W Stallings, (Macmillan) pp , , and

10 [3] Data Communications Computer Networks and Open Systems, 4th edition, F Halsall, (Addison-Wesley) pp , , and [4] Internetworking with TCP/IP, Vol. 1, D E Comer, (Prentice-Hall International). An expert book on TCP/IP and its popular underlying network, Ethernet. [5] You can also easily find relevant tutorial materials on Ethernet (CSMA/CD) and TCP/IP on the Internet Dr. J.C. Woods, October Updated 2002 by Dr S. Monaghan; Updated 2003 by Dr K. Yang 10