Computer Networks/DV2 Lab

Transcription

1 Computer Networks/DV2 Lab Room: BB 219 Additional Information: Equipment for each group: - 1 Server computer (OS: Windows Server 2008 Standard) - 1 Client computer (OS: Windows XP Professional) - 1 Computer as Router / Gateway (OS: Linux) - 1 Switch - Network cables 1. Practical Training: Network planning and installation of a file server 2. Practical Training: Web server installation and dynamic Web pages 3. Practical Training: Installation and configuration of a Firewall 4. Practical Training: Installation of a VPN for the connection of two networks 5. Practical Training: Programming; Client/Server connection over Sockets 6. Practical Training: Network Monitoring Name: Matriculation No.: Supervisor Signature: 1. Introduction The most important characteristics of computer networks are security and reliability. A good example for higher level of security in computer networks is firewalls. They are usually placed between the network, which should be protected and the internet. However, when large networks are divided into smaller ones, additional firewalls could be set between the different subnets. These techniques provide higher security against external attacks, but none regarding internal problems, which are often caused by the network users. The security of a computer network directly impacts its reliability. The network reliability depends on more than one point, however. For example, defect hardware or falsely configured software could influence the functionality, respectively the reliability of a network. The worst case would be a complete breakdown of the whole network. Therefore, a major task of a network administrator is to periodically check the network regarding security leaks or malfunctions. One way to perform these checks is to analyse the traffic of the network. In this practical training we will be using the program "Wireshark" to aid us in analysing our network traffic. Contact: Joachim Zumbrägel BB 320 Tel: 0203/ joachim.zumbraegel@uni-due.de 1 2

2 2. Basics of Network Traffic Analysis 2.1 Network Sniffers The software "Wireshark" belongs to the category of the so called "sniffers" or "network sniffers", nevertheless it can be used for traffic analysis and traffic logging of LANs. "Wireshark" is an open source project released under the GNU General Public Licence. This piece of software offers a lot of functionalities which are not always easy to use if you don t have at least basic knowledge about network sniffers and network protocols. A network sniffer consists of a number of components. The underlying component is the capture driver, which is either directly connected to the NIC (Network Interface Card) driver or to the PPP-Adapter. The capture driver copies all network packets into a buffer, where different filters could be defined in order to restrict capturing only to packets, which match certain criteria. In addition, a certain time frame could be defined or a limit could be set for the number of packets, which should be captured. In this practical training WinPCap is used as the capture driver. A decoding component is required for analysing the captured data. After decoding, single packets can be combined in Data Streams, i.e. all packets with the same source-ip-address, destination-ip-address and ports. Additionally, the use of DNS for mapping IP-addresses to names can be helpful for analysis. Furthermore, there are a lot of other options and techniques, which are not used in our practical training and therefore not described here. Fig. 2.1: Wireshark 2.2 Protocols and Layers As previously mentioned, basic knowledge of network protocols is required, if one wants to work with a network sniffer program like "Wireshark". The major protocols in use are described in this document. Figure shows, which protocols belong to which layer of the ISO/OSI Model. 3 4

3 The different layers are described in details in Table 2.2 below. Application Transport Applications and network service programs, i.e. PING, HTTP-Server, DNS, etc. TCP: Realizes a reliable byte stream between two processes and takes care that the data is transmitted in the right order and integrity. UDP: Delivers Datagram without reliability Network This layer has the following capabilities (independent of the hardware): Addressing across different physical nets Distributing the data over the physical connections Dividing the data in packets (picketing) Embedding the packets into frames (framing) Fragmenting of packets (if required) Assembling of the fragments on the target computer Data-Link Physical Layer In this layer the packets are transferred from one NIC to another (NIC = Network Interface Card) The basic layer. Defines i.e. the transmission medium and rules for the transmission of single Bits. Table 2.2 Fig : Protocols Layer Not only the knowledge of protocols is useful for network traffic analysis, but understanding of the communication between different layers as well. The basic idea of the ISO/OSI layers model is that only neighbouring layers are capable of communicating. For that reason the TCP does not take care how a connection was established (i.e. Ethernet or ISDN). 5 6

4 As you should already know, the data in each layer is encapsulated by a layer specific frame. The encapsulation principle is as follows: Layer N (where N is a digit between 2 and 6) receives a packet from Layer N+1, processes it and encapsulates that packet with a header (and in some cases with a trailer). The last step is to deliver the newly encapsulated packet to Layer N-1. and therefore know, which computer is being addressed. Furthermore, a switch knows which computer is connected on which port. Using that information a switch passes packets only to the computer which is addressed. Therefore, a computer connected to a switch is never able to listen to the complete network traffic. By use of the MAC 1 address a network card is able to distinguish whether a received packet addresses the network card itself or another computer. If the received packet contains the MAC address of the network card, it is passed to the next higher protocol layer. All other packets are usually not accepted. Nevertheless the receiving of any packet is possible. For that the network card must be switched to a so called "Promiscuous Mode", which allows receipt of all packets and therefore traffic monitoring. 2.4 Header For traffic analysis, headers of the different protocols are very important. Figure 2.4 below describe the structure of the DIX Ethernet II Packet Frame. The numbers below each field represent the number of bytes each field occupies. Fig : Packet Encapsulation Fig shows the principle of packet encapsulation. Each layer stores in its packet header, layer specific information, in order for the packet to be processed correctly on the receiver s side. It is possible to define different options for the packet within the header i.e. priority, time to live (TTL), special routes, etc. 2.3 Computer communication A thing to consider before analysing the traffic of a network is how the computers are connected. If a direct physical connection through the same media or a connection via a HUB is established between the computers, then all computers are capable of receiving the complete network traffic. However, if the computers are connected through a switch this is no longer the case, because switches are capable of analysing the packets Preamble Destination Source Type Data Unit CRC Fig. 2.4: DIX Ethernet II Frame The preamble is used for bit synchronization and consists of 8 Bytes. The Destination and Source are MAC addresses of the receiver and sender respectively (example of a MAC address: 00-E0-7D-82-DD-86). Because the values are given in hexadecimal code 6 bytes are used for each MAC address representation. The Type field is used for the distinction of higher protocols (i.e. 0x0800 for IP und 0x0806 for ARP). Data Unit represents the actual data, which is allowed between 46 and 1500 bytes within a single frame. CRC (Cyclic Redundancy Check) is used to detect error that could occur during transmission. 1 MAC address (Media Access Control address) is a worldwide unique identification of a network adapter or network interface card (NIC). 7 8

5 2.5 ARP (Address Resolution Protocol) ARP is used for mapping MAC addresses to IP addresses. The Address Resolution Protocol uses a mapping table for this task. Before a connection is established over the Ethernet, IP asks ARP for the MAC address of an IP address. At first, ARP looks into its mapping table if an appropriate entry exists, if not ARP sends a broadcast to all connected nodes in order to get this information from another node. The answer to this request is stored into the mapping table. Host A Checking ARP-Cache Append ARP entry Send ARP request The figure below shows what an IP header consist of. The values in bracket next to each field are the number of Bits occupied by that field. Version (4) IHL (4) Priority & Type (8) Identification (16) Flags (3) Total Length (16) Fragment Offset (13) Time to Live (8) Protocol (8) Header Checksum (16) IP Options (0 or 32 if any) Source IP address (32) Destination IP address (32) Data (varies if any) Padding Router Send ARP answer Fig. 2.6: IP Header Append ARP entry Fig. 2.5: Function of the ARP 2.6 IP (Internet Protocol) The task of the Internet Protocol is to transport data packets from a sender to a destination over different networks. The transmission is packet oriented, connectionless and not guaranteed. This means that IP itself neither guarantees the receipt of a packet nor the right sequence of transmitted packets (i.e. packets can be lost due to network overload). The maximum length of IP-packets is limited to Bytes. Due to the fact that some nets (internetworking-components) are not able to handle such large packets the minimum length of an IP packet is defined by 576 Bytes. If a large packet is divided into smaller packets, it is called fragmentation. The procedure of rebuilding the large packet out of the smaller ones is called reassembling. Version Internet Header Length Type of Service Total Length Identification Flags Fragment Offset Time to live (TTL) Protocol Header Checksum Version, i.e. IPv4 or IPv6 Length of the Header in 32 Bit steps Service and transmission parameter. Hardly used. Length of the Datagram, max. 64 kbyte Number for identification, Indicates if the datagram is fragmented or not Defines the location of the fragment relative to the beginning of the datagram. This number (max=255, typical = 128) defines how man router stations are allowed to pass. Each routers decrements the number by one. If TTL is zero the packet will be destroyed. Defines the protocol of the higher protocol hierarchy i.e. UDP or TCP Used for fault checking. 9 10

6 Source IP address Destination IP address IP Options Padding Data Sender's IP address Receiver's IP address Are used in order to adapt services for higher protocols, i.e. security requests of the receiver. Length is not fixed. Since the IP options field varies in length depending on the configuration, we need to have this field set to occupy left over bits. This is because the header needs to be ended after a 32-bit word: no more, no less. The data being sent Data Offset Source Port (16) Destination Port (16) Reserved (6) Sequence Number (32) Acknowledgement Number (32) Flags (6) Window (16) Checksum (16) Urgent Pointer (16) IP Options (0 or 32 if any) Data (varies if any) Fig. 2.7: TCP Header Padding The next higher protocol level is the transport layer. There different protocols such as UDP, TCP and ICMP are located. 2.7 TCP (Transmission Control Protocol) TCP is a connection oriented transport protocol for use in a packet switched network. The Transmission Control Protocol (TCP) is on top of the Internet Protocol (IP). It provides the functionality of the transport layer and establishes a secure connection between sender and receiver before data exchange. The data of the higher layers is not changed by TCP, but spanned and sent as single data packets, which can be up to 65 KBytes big. Figure 2.7 illustrated how the TCP header is structured. Using port numbers for sender and receiver, TCP packets can be multiplexed. For each port number 2 bytes are reserved. The allocation of the numbers is dynamic. The data exchange between TCP and processes is handled by port numbers as well. For the sequence number 4 bytes are reserved. The sequence number and the acknowledgement number are used for flow control and the order of the data packets. While the connection is established, a random number is generated and exchanged by sender and receiver. This number is called the initial sequence number and it will be incremented while data exchange. For the acknowledgement number, 4 bytes are reserved, which are used for receiving acknowledgement of each packet. The header length is also specified, because it is not fixed. Each field within the TCP header will not be further explained in this paper. More information can be found in: "Computer Netzwerke", Anderw S. Tannenbaum, chapter 6.4 The end-to-end control uses a positive acknowledgement where all received packets are confirmed, the other packets will be resent. Using this mechanism a proper data exchange is warranted. The loss of data can be prevented by the flow control, because each data packet is numbered and confirmed. If a confirmation does not arrive in a specific time frame the packet is resent. If an error occurs the error mechanism is activated and requests the erroneous data again from the layers above. 2.8 UDP (User Datagram Protocol) The User Datagram Protocol is a transport protocol (layer 4) of the OSI reference model and it provides a connectionless data exchange between computers. UDP Source Port (16) UDP Destination Port (16) UDP Message Length (16) Checksum (16) Data (varies if any) Fig. 2.8: UDP Header 11 12

7 UDP has a minimum of protocol mechanism and it does not guarantee the delivery of the datagram to the remote machine, nor does it provide mechanisms for detecting duplicates or sequence interchanges. Therefore the functional range of UDP is much smaller than TCP. It is restricted to transport service, connection multiplexing and error handling. Regarding the transport service, correct data exchange is not assured using UDP, because it does not make use of any acknowledgement system. Therefore lost data packets cannot be resent. In contrast to TCP the UDP does not establish a connection between the machines, but it sends data packets through the network independent of each other. On the top layer of the TCP/IP Model, the so called application layer, are the protocols of the well known applications like: HTTP, FTP, POP3, PING, DHCP, DNS etc. To list the details of each protocol here, would go beyond the scope of the lab, but a short overview is very helpful for further understanding. 2.9 HTTP (Hyper Text Transfer Protocol) HTTP is a general, stateless, object-oriented protocol for data communication within the World Wide Web (WWW). The HTTP is a straight forward protocol. It describes a defined set of messages and replies, which are used for client and server communication during an HTML session. For each request of a web browser to a web server for a new document, a new connection is established. HTTP serves the addressing of objects using URL (Uniform Resource Locator). It completes the interaction between clients and servers and provides the adjustment of the formats between them. Example: FTP (File Transfer Protocol) The File Transfer Protocol (FTP) is used for data exchange between different machines across the internet and for easier data handling. FTP is based on the TCP, which means it uses TCP as an under laying protocol. The data transfer is controlled by the local system. The user rights on the remote system are dependent on the authentication using username and password. Example: ftp://ftp.uni-duisburg.de Example with user identification: ftp://user:password@ftp.uni-duisburg.de 2.11 PING (Packet Internet Grouper) PING is a small program, which implements the echo protocol. It is used in order to test the availability of remote computers. Therefore the ICMP (Internet Control Message Protocol) sends a request and waits for its response. With the ping command it can be verified if a specific computer is connected to the internet or not. If there is no reply of the pinged computer within a specified timeframe, implies that the ping request cannot reach the machine or the machine cannot reply the ping, which means that this computer is switched off or is protected by a firewall. 3. Wireshark Wireshark is a network packet analyzer. A network packet analyzer will attempt to capture network packets and tries to display that packet data as detailed as possible. You could think of a network packet analyzer as a measuring device used to examine what's going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at a higher level, of course). 3.1 Features The following are some of the many features Wireshark provides: Capture live packet data from a network interface Display packets with very detailed protocol information Open and Save packet data captured 13 14

8 Applied Display Filter(s) Filter Toolbar Import and Export packet data from and to a lot of other capture programs Filter packets on many criteria Search for packets on many criteria Colorize packet display based on filters Create various statistics Packet List Pane After we start the application Wireshark, by either double-click on the icon on the desktop or by navigating to Start Programs Wireshark Wireshark, we can examine the application's interface. Figure 3.1 shows the Wireshark's GUI (Graphical User Interface), which is divided in three frames: The upper pane is a list of the captured packets with a short description. By clicking on a packet the other two frames will print out some more information about that packet. The middle pane has a tree structure. It holds the information divided by protocols or more precisely the layers of a protocol family. The lowest pane shows the data of the chosen packet. By clicking on different fields in the middle frame the corresponding data will be highlighted in the lowest frame. Fig. 3.1: Wireshark GUI Packet Details Pane Packet Bytes Pane 3.2 Capturing Packets To show the packets and the information concerning the data, the network traffic has to be captured first; therefore Wireshark uses the Capture drivers. To begin capturing and select our capture interface we could either navigate to the Menu bar Capture or we can use the first three buttons on the left hand side in the toolbar, as illustrated in Fig

9 In the capture field we can define the Interface on which we want to capture traffic, the Buffer size of the captured data and some Capture Filters. We can also capture traffic directly to a single or multiple files or we can tell Wireshark, in the Stop Capture field, to stop the capturing process after certain limit is reached. Fig : Start capturing Now we can choose some capture options. If we go to Capture Options or click on the second icon from left to right in the toolbar, we access the Capture Options dialogue box, which is shown in Fig Capture Filters For analysing the captured traffic the filters are the tools, which aid us. Capture filters are used when we want to limit the number of packets that we are capturing. You can set them up to show only special packets. For example we may want to capture only ARP traffic or HTTP traffic or traffic coming only from our interface card. To emphasize their importance, imagine that within seconds some packets are captured and you want to find specific protocols or IP addresses. By use of a filter, one can easily limit the captured results to his desire. Alternatively, the options in View Coloring Rules can be used to colorize packets which fit a certain pattern. Another important option is Follow TCP Stream. You can find it under the Analyze menu. This feature allows the user to show up a contiguous data stream. To open the default list of capture filters in Wireshark, go to: Capture Capture Filters or you could also use the corresponding button on the toolbar. Fig. 3.3 shows how the Capture Filter dialogue box looks like. Fig : Capture Options 17 18

10 Fig. 3.3: Capture Filters The several tables below describe some frequently used capture filters: [src dst] host <ip-address host-name> This primitive allows you to filter on a host IP address or name. You can optionally precede the primitive with the keyword src dst to specify that you are only interested in source or destination addresses. If these are not present, packets where the specified address appears as either the source or the destination address will be selected. src host Packets coming from dst host Packets going to host Packets coming from and going to src host Packets coming from Table List of Default Filters Name of selected filter Actual Filter string command of selected filter ether [src dst] host <ehost> This primitive allows you to filter on Ethernet host addresses. You can optionally include the keyword src dst between the keywords ether and host to specify that you are only interested in source or destination addresses. If these are not present, packets where the specified address appears in either the source or destination address will be selected. ether src host 00:01:FF:22:B1:32 ether dst host 00:01:FF:22:B1:32 ether host 00:01:FF:22:B1:32 Table [tcp udp] [src dst] port <port> Packets coming from 00:01:FF:22:B1:32 Packets going to 00:01:FF:22:B1:32 Packets coming from and going to 00:01:FF:22:B1:32 This primitive allows you to filter on TCP and UDP port numbers. You can optionally precede this primitive with the keywords src dst and tcp udp which allow you to specify that you are only interested in source or destination ports and TCP or UDP packets respectively. The keywords tcp udp must appear before src dst. Packets coming from and going to port 80 port 80, independent if it uses TCP or UDP tcp dst port 80 Packets going to TCP-Port 80 udp port 4987 Packets coming from and going to UDP-Port 4987 Table Table below shows the logical operator used when defining capture filters in Wireshark

11 Examples for logical expressions: ip and less 80 IP packets equal or less than 80 Bytes ether proto \ip && len > 512 Ethernet-Packets transporting IP packets, which are bigger than 512 Bytes dst host && port 80 Packets which have as destination and are transmitted over port 80 Logical Operators: && Logical AND between 2 expressions Logical OR between 2 expressions! NOT operator General declaration of logical output for Capture Filters *(Everyting in square brackets [ ] means it is optional) [not] primitive (and or) [not] primitive [!] primitive ( && ) [!] primitive Table Display Filters Display filters allow you to concentrate on the packets you are interested in while hiding the currently uninteresting ones. They allow you to select packets by many different criteria. Wireshark provides a simple but powerful display filter language. You can compare values in packets as well as combine expressions into more specific expressions. Fig. 3.4: Display Filters We could define filters directly to the Display Filter Toolbar or choose a filter from the "Expression " dialog box as shown in Fig Comparison operators in display filters: Operator Analogue Meaning eq == Equal not! Not ne!= Not Equal gt > Greater Than lt < Less Than ge >= Greater then or Equal to le <= Less than or Equal to 21 22

12 Syntax of display filters: <protocol>.<element>.<subelement> <operator> <value> An element is an available field name for filtering of the selected protocol. We can take a look at them by expanding the field for any protocol in the "Filter Expression" dialog box. Examples: ip.addr eq displays all IP packets that have the address as source or destination. eth.src eq 00:01:FF:22:B1:32 - displays all Ethernet Frames that have a source station with MAC address 00:01:FF:22:B1:32 4. Exercises In the document the ARP (Address Resolution Protocol) was explained. With the use of the command: arp a in the command prompt console, you get a print of the actual ARP table. 1. Try to find all IP addresses and the corresponding MAC addresses of all computers in your network. Please write them down in the table below. Keep in mind that the ARP table is not static. It contains only the addresses, which were required by an established communication. Server (Windows) Client (Windows) Firewall (Linux) IP-Address MAC-Address Now that you know all IP and MAC addresses you should take a look at the network traffic. 2. Start Wireshark, choose Capture Options. Set the capture to stop after 100 packets are captured. While capturing you have to generate some traffic e.g. by accessing a website. Try to get familiar with the program by testing some functions. If you face any problems do not hesitate to ask. 3. Start Wireshark on the server computer. The rest of the group should generate different traffic on the client computer. For Example: accessing websites, FTP servers, Ping or telnet and so on. With the help of the data retrieved by Wireshark try to find out which services, which servers and which pages were accessed by the client computer

13 It also works vice versa, starting Wireshark on the client and generating traffic from the server. Notes: 4. Since now you are able to identify the captured packets, we can take a look at the security aspects. Once again start Wireshark and start monitoring the traffic. The tutor will join your network and enter his account ( Try to get the password he is using for his account. Literature: Andrew S. Tanenbaum: Computernetzwerke ", Prentice-Hall, 1998 W.E. Proebster:"Rechnernetze Technik Protkolle Systeme Anwendungen", Oldenbourg 2002 Anatol Badbach, Erwin Hoffmann:"Technik der IP-Netze", Hanser 2001 Links: