
Advanced TCP/IP

Overview

There is one primary set of protocols that runs networks and the Internet today. In this lesson, you will work with those protocols: the Transmission Control Protocol (TCP) and the Internet Protocol (IP). In order to manage the security of a network, you must become familiar with the details of how TCP/IP functions, including core concepts, such as addressing and subnetting, and advanced concepts, such as session establishment and packet analysis.

Objectives

To better understand advanced TCP/IP concepts, you will:

2A Define the core concepts of TCP/IP. Given a machine running TCP/IP, you will define the core concepts of TCP/IP, including the layering models, RFCs, addressing and subnetting, VLSM and CIDR, and the TCP/IP suite.

2B Analyze sessions of TCP. Given a Windows Server 2003 computer, you will examine control flags, sequence numbers, and acknowledgement numbers, and you will use Network Monitor to view and analyze all of the fields of the three-way handshake and session teardowns.

2C Analyze IP. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of IP.

2D Analyze ICMP. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of ICMP.

2E Analyze TCP. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of TCP.

2F Analyze UDP. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of UDP.

LESSON 2

Data Files: tftp.cap, fragment.cap, ping.txt, ping.cap, ftp.txt, ftp.cap

Lesson Time: 6 hours

Lesson 2: Advanced TCP/IP 31

2G Analyze fragmentation. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze network traffic fragmentation.

2H Complete a full session analysis. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze a complete FTP session, frame by frame.

32 Tactical Perimeter Defense

Topic 2A
TCP/IP Concepts

In order for two hosts to communicate, there must first be an agreed-upon method of communication for both hosts to use. The protocol that the Internet was built on, and the protocol that all hosts on the Internet use, is TCP/IP, or Transmission Control Protocol/Internet Protocol. Because the two hosts agree on the protocol they will use, we can go right into the details of the protocol itself.

Many of the concepts in this topic were covered in the prerequisite courses, but are provided here for review.

The TCP/IP Model

In order for data to move from one host to another, it must be transmitted and received. There are several ways this could happen, in theory. The data file could be sent as a whole file, intact, from one host to another. The data file could be split in half and sent, sending and receiving two equal-sized pieces. The data file could be split into many smaller pieces, all sent and received in a specific sequence. It is this last method that is actually used. For example, if a user is at a host and wants to view a web page on a different host, the request and subsequent response will take many small steps to complete. In Figure 2-1, you can see the four layers of the TCP/IP Model, along with the browser's request for a web page going to the web server.

Figure 2-1: A web request moving along the TCP/IP Model.

The four layers of the TCP/IP Model are:
- The Application Layer
- The Transport Layer
- The Internet Layer (also called the Network Layer)
- The Network Access Layer (also called the Link Layer)

host: A single computer or workstation; it can be connected to a network.

server: A system that provides network service such as disk storage and file transfer, or a program that provides such a service. A kind of daemon that performs a service for the requester, which often runs on a computer other than the client machine.

network: Two or more machines interconnected for communications.

OSI: (Open Systems Interconnection) A set of internationally accepted and openly developed standards that meet the needs of network resource administration and integrated network components.

The reason that there are alternate names for these layers is that the industry has never agreed on a single standard for the names. Each of these layers is detailed as follows:

- The Application Layer is the highest layer in the model, and communicates with the software that requires the network. In our example, the software is the web page request from a browser.

- The Transport Layer is where the reliability of the communication is dealt with. There are two protocols that work at this layer, TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). An immediate difference between the two is that TCP does provide for reliable delivery of data, whereas UDP provides no such guarantee.

- The Internet Layer (or Network Layer) provides the mechanism required to address and move the data from one host to the other. The primary protocol you will examine at this layer is IP (Internet Protocol).

- The Network Access Layer (or Link Layer) is where the data communication interacts with the physical medium of the network. This is the layer that does the actual sending and receiving of the data.

As you saw in Figure 2-1, as the web page request was initiated on the host, it moved down the layers, was transmitted across the network, and moved up the layers on the web server. These are the layers on which all network communication using TCP/IP is based. There is a different set of layers, however, called the OSI Model.

The OSI Model

The TCP/IP Model works well for TCP/IP communications, but there are many protocols and methods of communication other than TCP/IP. A standard was needed to encompass all of the communication protocols. The standard developed by the International Organization for Standardization (ISO) is called the OSI Model. The Open Systems Interconnection (OSI) Model has seven layers, compared to the four layers of the TCP/IP Model. The seven layers of the OSI Model are:
- The Application Layer
- The Presentation Layer
- The Session Layer
- The Transport Layer
- The Network Layer
- The Data Link Layer
- The Physical Layer

The names of these layers are fixed, as this is an agreed-upon standard. The details of each layer are as follows:

- The Application Layer is the highest layer of the OSI Model, and deals with interaction between the software and the network.

- The Presentation Layer is responsible for data services such as data compression and data encryption/decryption.

- The Session Layer is responsible for establishing, managing (such as packet size), and ending a session between two hosts.

- The Transport Layer is responsible for error control and data recovery between two hosts. Both TCP and UDP work at this layer.

- The Network Layer is responsible for logical addressing, routing, and forwarding of datagrams. IP works at this layer.

- The Data Link Layer is responsible for packaging data frames for transmission on the physical medium. Error control is added at this layer, often in the form of a Cyclic Redundancy Check (CRC). This layer is subdivided into the LLC (Logical Link Control) and MAC (Media Access Control) sublayers. The MAC sublayer is associated with the physical address of the network device, and the LLC sublayer makes the association between this physical address (such as the 48-bit MAC address if using Ethernet) and the logical address (such as the 32-bit IP address if using IP) at the Network Layer.

- The Physical Layer is responsible for the actual transmission and receipt of the data bit stream on the physical medium.

The OSI Model and the TCP/IP Model do fit together. In Figure 2-2, you can see that the two primary layers of concern in the TCP/IP Model (the Transport and Internet Layers) match directly with the Transport and Network Layers of the OSI Model, while the other two TCP/IP Model layers encompass two or more layers of the OSI Model.

Figure 2-2: A comparison of the OSI and TCP/IP Models.

As the data from one host flows down the layers of the model, each layer attaches a small piece of information relevant to that layer. This attachment is called the header. For example, the Network Layer header will identify the logical addresses (such as IP addresses) used for this transmission. This process of adding a header at each layer is called encapsulating. Figure 2-3 shows a visual representation of the header and the encapsulation process.

packet: A block of data sent over the network transmitting the identities of the sending and receiving stations, error-control information, and message.

Figure 2-3: Headers and the encapsulation process as data moves down the stack.

When the second host receives the data, and as the data moves up the layers, each header will let the host know how to handle this piece of data. After all the headers have been removed, the receiving host is left with the data as it was sent.

RFCs

With all the standards defined in the previous section, you may be asking where to go to find the standards. The answer is the RFCs. A Request For Comments (RFC) is the industry location for standards relating to TCP/IP and the Internet. RFCs are freely available documents to read and study, and if you ever want to go directly to the source, be sure to use the RFC. Although you will find RFCs listed all over the Internet, to view them all online, go to: This is the website with a searchable index of all RFCs.

There are several RFCs you should be familiar with, and that you should know by name to look up. This way you will not have to search hundreds of responses to find what you need. The RFCs you should know are:
- The Internet Protocol (IP): RFC 791.
- The Internet Control Message Protocol (ICMP): RFC 792.
- The Transmission Control Protocol (TCP): RFC 793.
- The User Datagram Protocol (UDP): RFC 768.

The Function of IP

The Internet Protocol (which works at the Network Layer of both the OSI and the TCP/IP Models), by definition, has a simple function. IP identifies the current host via an address and, using addressing, moves a packet of information from one host to another. Each host on the network has a unique IP address, and each packet the host sends will contain its own IP address and the IP address to which the packet is destined. The packets are then directed, or routed, across the network, using the destination address, until they reach their final destination. The receiving host can read the IP address of the sender and send a response, if required.

Although it sounds straightforward, and does work, there are drawbacks. For instance, when packets are sent from one host to another, they may be received out of order. IP has no mechanism for dealing with that problem. Also, packets can get lost or corrupted during transmission, again a problem IP does not manage. These problems are left to an upper protocol to manage. Often that protocol will be TCP, as you will see in the following topic.

Binary, Decimal, and Hexadecimal Conversions

Even though you may be familiar with the concept of binary math, you may wish to review this section briefly. In binary, each bit can be either a 1 or a 0. In computers, these bits are stored in groups of 8. Since each bit can be either a 1 or a 0, each location is designated a power of 2. A byte, therefore, has binary values from 2^0 through 2^7. In Figure 2-4, you can see the value of each of the 8 bits in a byte. When the bits are presented as a byte, the values of the 8 locations are added to give you the decimal equivalent. For example, if all 8 bits were 1s, such as 11111111, then the decimal value would be 255 or

Here are a few other quick binary to decimal conversions:
- Binary is decimal 192 or
- Binary is decimal 128 or
- Binary is decimal 130 or
- Binary is decimal 90 or

The IP addresses that are either manually or dynamically assigned to a host are 32-bit fields, often shown as four decimal values for ease of reading. For example, a common address would be 192.168.10.1. Each number is an 8-bit binary value, or an octet. In this example, the first octet is 192, the second 168, the third 10, and the fourth 1. Even though the fourth octet is given a decimal value of 1, it is still given an 8-bit value in IP addressing. Each bit of the 32-bit address must be represented, so the computer sees a decimal 1 in an IP address as 00000001. Keeping this in mind, the full decimal IP address of 192.168.10.1 is seen by the computer as the binary IP address 11000000.10101000.00001010.00000001.

In tools that are designed to capture and analyze network traffic, the IP address is often represented in its hexadecimal (Hex) format. The ability to view and recognize addressing in Hex format is a useful skill to have when you are working with TCP/IP. In hexadecimal format, the IP address is C0-A8-0A-01. The following is a quick summary on Hex conversions.

To convert the decimal address 192.168.10.1 to hexadecimal, convert each of its octets, then combine the results, as follows:

1. Divide 192 by 16. The result is 12, with a remainder of 0. Because decimal 12 is the same as Hex C and decimal 0 is the same as Hex 0, decimal 192 is equal to Hex C0.
2. Divide 168 by 16. The result is 10, with a remainder of 8. Because decimal 10 is the same as Hex A and decimal 8 is the same as Hex 8, decimal 168 is equal to Hex A8.
3. Decimal 10 is the same as Hex A.
4. Decimal 1 is the same as Hex 1.

Combining the results of each conversion shows that decimal 192.168.10.1 is equal to Hex C0A80A01.

Another way to derive this result is to first convert from decimal to binary, then convert binary to hexadecimal four bits at a time, and finally, combine the results, as shown here:

1. Decimal 192 is the same as binary 11000000.
2. Decimal 168 is the same as binary 10101000.
3. Decimal 10 is the same as binary 00001010.
4. Decimal 1 is the same as binary 00000001.
5. Binary 1100 (the first four bits of the first octet) is the same as Hex C.
6. Binary 0000 is the same as Hex 0.
7. Binary 1010 is the same as Hex A.
8. Binary 1000 is the same as Hex 8.
9. Binary 0000 is the same as Hex 0.
10. Binary 1010 is the same as Hex A.
11. Binary 0000 is the same as Hex 0.
12. Binary 0001 is the same as Hex 1.

Combining the Hex equivalents shows that decimal 192.168.10.1 is equal to Hex C0A80A01.

IP Address Classes

There are five defined classes of IP addresses: Class A, Class B, Class C, Class D, and Class E. The details of each class are as follows:

- Class A IP addresses use the first 8 bits of an IP address to define the network, and the remaining 24 bits to define the host. This means there can be more than 16 million hosts in each Class A network (2^24 - 2, because all 1s and all 0s cannot be used as host addresses). All Class A IP addresses will have a first octet of 0xxxxxxx in binary format. is an example of a Class A IP address.

- Class B IP addresses use the first 16 bits to define the network, and the remaining 16 bits to define the host. This means there can be more than 65,000 hosts in each Class B network (2^16 - 2). All Class B IP addresses will have a first octet of 10xxxxxx in binary format. is an example of a Class B IP address.

- Class C IP addresses use the first 24 bits to define the network, and the remaining 8 bits to define the host. This means there can be only 254 hosts in each Class C network (2^8 - 2). All Class C IP addresses will have a first octet of 110xxxxx in binary format. is an example of a Class C IP address.

- Class D IP addressing is not used for hosts, but is often used for multicasting (which will be discussed later), where there is more than one recipient. The first-octet binary value of a Class D IP address is 1110xxxx. is an example of a Class D IP address.

- Class E IP addressing is used for experimental functions and for future use. It does have a defined first-octet binary value as well. All Class E IP addresses have a first-octet binary value of 11110xxx. is an example of a Class E IP address.

Figure 2-4: IP address classes and their first-octet values.

Private IP Addresses and Special-function IP Addresses

There are several ranges of IP addresses that are not used on the Internet. These addresses are known as private, or reserved, IP addresses. Defined in RFC 1918, any host on any network can use these addresses, but these addresses are not meant to be used on the Internet, and most routers will not forward them. By using these reserved IP addresses, organizations do not have to be as concerned with address conflicts. The defined private addresses for the three main address classes (A, B, and C) are:
- Class A: 10.0.0.0 to 10.255.255.255
- Class B: 172.16.0.0 to 172.31.255.255
- Class C: 192.168.0.0 to 192.168.255.255

In addition to the private address ranges listed, there are a few other address ranges that have other functions. The first is the range of 127.0.0.0 to 127.255.255.255. This address range is used for diagnostic purposes, with the common address of 127.0.0.1 used to identify IP on the host itself. The second range is 169.254.0.0 to 169.254.255.255. This address range is used by Microsoft to allocate addresses to hosts, for Automatic Private IP Addressing (APIPA).
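The conversions, the classful first-octet test and the mask ANDing from Task 2A-1, worked as an added Python example (not part of the course text). The hex separator follows the Network Monitor style shown above; the RFC 1918 ranges are taken from the RFC the text cites.

```python
"""IPv4 notation conversions (dotted decimal, binary, Network Monitor hex),
classful lookup, and subnet-mask ANDing as used in the conversion steps and Task 2A-1."""

HEX_SEP = "-"  # Network Monitor renders addresses as C0-A8-0A-01


def octets(ip: str) -> list:
    """Parse dotted decimal into four validated integers."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted-decimal IPv4 address: {ip!r}")
    values = [int(p) for p in parts]
    if any(v < 0 or v > 255 for v in values):
        raise ValueError(f"octet out of range in {ip!r}")
    return values


def to_int(ip: str) -> int:
    """Dotted decimal -> 32-bit integer (first octet is most significant)."""
    value = 0
    for o in octets(ip):
        value = (value << 8) | o
    return value


def from_int(value: int) -> str:
    """32-bit integer -> dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(ip: str) -> str:
    """'192.168.10.1' -> '11000000.10101000.00001010.00000001'."""
    return ".".join(f"{o:08b}" for o in octets(ip))


def to_hex(ip: str) -> str:
    """'192.168.10.1' -> 'C0-A8-0A-01' (each octet divided by 16: quotient, remainder)."""
    return HEX_SEP.join(f"{o:02X}" for o in octets(ip))


def from_hex(hexaddr: str) -> str:
    """'C0-A8-0A-01' or 'C0A80A01' -> '192.168.10.1'."""
    digits = hexaddr.replace(HEX_SEP, "")
    if len(digits) != 8:
        raise ValueError(f"expected 8 hex digits: {hexaddr!r}")
    return ".".join(str(int(digits[i:i + 2], 16)) for i in range(0, 8, 2))


def address_class(ip: str) -> str:
    """Class from the leading bits of the first octet (0, 10, 110, 1110, 11110)."""
    first = octets(ip)[0]
    if first & 0b10000000 == 0:
        return "A"  # 0xxxxxxx
    if first & 0b11000000 == 0b10000000:
        return "B"  # 10xxxxxx
    if first & 0b11100000 == 0b11000000:
        return "C"  # 110xxxxx
    if first & 0b11110000 == 0b11100000:
        return "D"  # 1110xxxx, multicast
    return "E"      # 11110xxx, experimental


def parse_mask(mask: str) -> int:
    """Accept '/16', '255.255.0.0' or 'FF-FF-00-00'; return the mask as an integer."""
    if mask.startswith("/"):
        bits = int(mask[1:])
        if not 0 <= bits <= 32:
            raise ValueError(f"prefix length out of range: {mask!r}")
        return (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    if "." not in mask:
        mask = from_hex(mask)
    value = to_int(mask)
    inverted = ~value & 0xFFFFFFFF          # a real mask is 1s followed only by 0s
    if inverted & (inverted + 1):
        raise ValueError(f"mask bits are not contiguous: {mask!r}")
    return value


def network_address(ip: str, mask: str) -> tuple:
    """AND the address with its mask; return (dotted decimal, hex) as Task 2A-1 asks."""
    network = from_int(to_int(ip) & parse_mask(mask))
    return network, to_hex(network)


# RFC 1918 private ranges (values from the RFC the text cites, not from the page itself).
RFC1918 = (("10.0.0.0", "/8"), ("172.16.0.0", "/12"), ("192.168.0.0", "/16"))


def is_private(ip: str) -> bool:
    """True if the address ANDs down to one of the RFC 1918 network IDs."""
    return any(network_address(ip, mask)[0] == net for net, mask in RFC1918)


if __name__ == "__main__":
    ip = "192.168.10.1"  # the address worked through in the text
    print(ip, to_binary(ip), to_hex(ip), "class", address_class(ip))
    print("network with FF-FF-00-00:", network_address(ip, "FF-FF-00-00"))
    print("network with /16:", network_address(ip, "/16"), "private:", is_private(ip))
```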

The Subnet Mask

Along with an IP address, each host that uses TCP/IP has a subnet mask. The subnet mask is used during a process called ANDing to determine the network to which the host belongs. The way the mask identifies the network is by the number of bits allocated, or masked, for the network. A bit that is masked is identified with a binary value of 1. By default, a Class A IP address has 8 bits masked to identify the network, a Class B IP address has 16 bits masked to identify the network, and a Class C IP address has 24 bits masked to identify the network. These default subnet masks use contiguous bits to create the full mask. The following table shows the default subnet masks for the three classes, first in binary, then in the more traditional dotted decimal format.

Default Subnet Masks

Class   Binary Format                        Dotted Decimal Format
A       11111111.00000000.00000000.00000000  255.0.0.0
B       11111111.11111111.00000000.00000000  255.255.0.0
C       11111111.11111111.11111111.00000000  255.255.255.0

The subnet mask can be represented in different formats. For example, one common format is to list the IP address followed by the full subnet mask, such as this: Another option, and one that is easier to write, is to count and record the number of bits that are used as 1s in the subnet mask. For example, in the default subnet mask for Class C, there are 24 bits designated as 1. So, to use the second format, list the IP address followed by a slash and the number of bits masked, such as this: /24.

Subnetting Example

In the event that you need to split a network into more than one range, such as having different buildings or floors, you will need to subdivide the network. The following example will step you through the process of splitting a network and creating the subnet mask necessary to support the resulting subnetworks.

Let's say you have been assigned the network with the subnet mask 255.0.0.0, and need to break this up into 12 network ranges to support, for example, the 12 major departments in your corporate building. Here's what you should do:

1. Determine how many bits, in binary, it takes to make up the number of subnetworks you need to create. In binary, 12 is 1100, so you will need 4 bits.

2. Take 4 bits from the host side of the subnet mask and AND them to the network side, effectively changing your subnet mask from 255.0.0.0 to 255.240.0.0. As you know, the subnet mask tells you where the dividing line between network and host bits resides. You started with a network ID of and subnet mask of 255.0.0.0, which in binary looks like this:
   (IP address for network)
   (subnet mask)
Your dividing line is at the end of the first octet (eight bits starting from the left). You have one big network with a network ID of , a range of usable addresses from to , and a broadcast address of . The new, divided network looks like this:
   (IP address for network)
   (subnet mask)
Notice that the network/host dividing line is now in the middle of the second octet. All of your networks will have binary addresses that will look like this: xxxx yyyy.yyyyyyyy.yyyyyyyy, where x represents one of the variable bits used to create your subnetworks and y represents a bit on the host side of the address.

3. Determine the subnetwork addresses by changing the value of the x bits. The first possible permutation is the network; the second is the network, and so forth. The following table lists all of the possible subnetwork addresses (notice the pattern?).

Subnetwork   Binary Address   Decimal Address
First
Second
Third
Fourth
Fifth
Sixth
Seventh
Eighth
Ninth
Tenth
Eleventh
Twelfth
Thirteenth
Fourteenth
Fifteenth
Sixteenth

For the first network, the network ID is with a subnet mask of 255.240.0.0. The first usable address is , and the last usable address is . The broadcast address is (the next possible IP address would be , which is the network ID of the second network). The second network has an ID of , a usable range of to , and a broadcast address of .

Notice that you needed only 12 networks, but you have 16. That can happen, depending on the number of networks needed. For example, if you had needed 20 networks, you would have needed to move the network/host dividing line over 5 bits to the right (20 in binary is 10100, so 5 bits must be used). In that case, you would have had a subnet mask of 255.248.0.0 (instead of the 255.240.0.0 that you used for the first example), which would have given you 32 subnetworks, even though you needed only 20. Consider it room for corporate growth!
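The three subnetting steps above, worked as an added Python example (not the course's own code). The class A network number did not survive in the text, so 10.0.0.0/8 is a constructed stand-in; the same function also re-subnets an already subnetted block, which is what the VLSM discussion later in this topic does with the fourth /12.

```python
"""Split an IPv4 block into N equal subnetworks: bits to borrow, the new mask,
and each subnetwork's network ID, usable range and broadcast address."""


def to_int(ip: str) -> int:
    """Dotted decimal -> 32-bit integer, with range checks."""
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {ip!r}")
    value = 0
    for p in parts:
        value = (value << 8) | p
    return value


def from_int(value: int) -> str:
    """32-bit integer -> dotted decimal."""
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def mask_int(prefix: int) -> int:
    """Prefix length -> mask integer (/12 -> 0xFFF00000 -> 255.240.0.0)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def bits_for(count: int) -> int:
    """Bits to borrow so that 2**bits >= count. Agrees with the text for 12 (4), 20 (5)
    and 5 (3); for an exact power of two such as 16 it returns 4 rather than 5."""
    if count < 1:
        raise ValueError("need at least one subnetwork")
    return (count - 1).bit_length()


def split(network: str, prefix: int, count: int) -> list:
    """Return one dict per resulting subnetwork (2**borrowed of them, possibly more than count)."""
    borrowed = bits_for(count)
    new_prefix = prefix + borrowed
    if new_prefix > 30:
        raise ValueError("too few host bits left for a usable address range")
    base = to_int(network)
    if base & ~mask_int(prefix) & 0xFFFFFFFF:
        raise ValueError(f"{network}/{prefix} has host bits set; not a network ID")
    size = 1 << (32 - new_prefix)  # addresses per subnetwork
    subnets = []
    for i in range(1 << borrowed):
        net = base + i * size
        subnets.append({
            "network": from_int(net),
            "prefix": new_prefix,
            "mask": from_int(mask_int(new_prefix)),
            "first_usable": from_int(net + 1),
            "last_usable": from_int(net + size - 2),
            "broadcast": from_int(net + size - 1),
        })
    return subnets


def print_table(subnets: list) -> None:
    """Print the subnetwork table in the layout the text uses."""
    for n, s in enumerate(subnets, 1):
        print(f"{n:>2}  {s['network']}/{s['prefix']:<3} "
              f"{s['first_usable']} - {s['last_usable']}  bcast {s['broadcast']}")


if __name__ == "__main__":
    # Constructed input: 12 departments -> 4 bits -> /12 (255.240.0.0), 16 subnetworks.
    first_split = split("10.0.0.0", 8, 12)
    print_table(first_split)
    # Re-subnet the fourth /12 into 5 -> 3 bits -> /15 (255.254.0.0), 8 subnetworks.
    fourth = first_split[3]
    print_table(split(fourth["network"], fourth["prefix"], 5))
```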

router: An interconnection device that is similar to a bridge but serves packets or frames containing certain protocols. Routers link LANs at the Network Layer.

Note that any combination of addressing can be represented in different text. For example, you may come across a resource that defines the IP address in decimal, and the subnet mask in hexadecimal. You must be able to quickly recognize the addressing as defined. Use the following task to test your ability to quickly perform these conversions.

TASK 2A-1
Layering and Address Conversions

1. Describe how layering is beneficial to the function of networking.
By using a layered model, network communications can be broken into smaller chunks. These smaller chunks can each have a specific purpose, or function, and in the event an error happens in one chunk, it is possible that only that error be addressed, instead of starting over from scratch.

2. If you have an IP address of and a subnet mask of FF-FF , to which IP network does your computer belong? Provide both decimal and Hex notations.
In decimal, the network address is ; in Hex, the network address is C0-A

3. If you have an IP address of C0-A8-0A-01 and a subnet mask of /16, to which IP network does your computer belong? Provide both decimal and Hex notations.
In decimal, the network address is ; in Hex, the network address is C0-A

Routing

You will get into routing in more detail later, but at this stage, you will address the basics. Being familiar with a network and how one host will communicate with another host within the same network, what do you think will happen if a host needs to send information to a host that is not in its network? This is exactly the situation where routing is needed. You need to route that information from your network to the receiving host's network. Of course, the device that makes this possible is the router.

The first router you will encounter on your way out of your network is the default gateway. This is the device that your computer will send all traffic to, once it determines that the destination host is not local (on the same network as itself). After the default gateway gets a packet of information destined for host User1 on network X, it looks at its routing table (think of this as a sort of directory telling the router that traffic destined for networks C, G, F, and X should go out interface 1, traffic destined for networks E, A, B, and R should go out interface 2, and so forth), then the router forwards the packet out through interface 1. The destination network may or may not be attached to interface 1; the router doesn't really care at this point, it just forwards the packet on according to the information in its routing table. This process repeats from one router to the next until the packet finally reaches the router that is attached to the same network as the destination host. When the packet reaches this router, which is usually also the destination host's default gateway, it is sent out on the network as a unicast directed to the destination host User1.

VLSM and CIDR

The standard methods of subnet masking discussed earlier are effective; however, there are instances where further subdividing is required, or more control of the addressing of the network is desired. In these cases, you can use either of the following two options: Variable Length Subnet Masking (VLSM) or Classless Interdomain Routing (CIDR).

Think back to the previous example of subnet masking. In particular, let's take a closer look at the fourth network. It was intended to be used by the IT staff; however, they want to break the rather large network block given to them into smaller, more manageable blocks. Specifically, they need five smaller subnetworks to be created from their network block of with a subnet mask of 255.240.0.0. This time, let's represent the IP addresses and subnet masks using the slash method: /12. Notice the IP address stays the same, but we replace the subnet mask with /12 to tell others that the subnet mask has 12 1s in it (which, of course, corresponds to 255.240.0.0).

Now, back to the IT staff's networking issue. You have an already subnetted network ( /12) that you would like to split into five smaller networks. To begin, you need to ask the same starting question: How many bits does it take to make 5? In binary, 5 is 101, so you will need three bits. Then, add three bits to the present subnet mask (don't worry that it has already been subnetted before; that doesn't matter). So, now you have /15 as your first network address and new subnet mask. The new variable range is xxx y.yyyyyyyy.yyyyyyyy, where the binary numbers will not change, x represents the variable bits that will make up the networks, and y designates the host bits. So, what are the new network addresses?

Subnetwork   Binary Address   Decimal Address
First
Second
Third
Fourth
Fifth
Sixth
Seventh
Eighth

For the first network, the network ID is , the usable addresses are to , and the broadcast address is ; for the second, the network ID is , the usable addresses are to , and the broadcast address is ; and so forth. Did you notice that you have eight possible networks when you needed only five? Again, you can consider it just having more room for expansion.

X-casting

When a packet is sent from one host to another, the process of routing functions and the packet is sent as defined. However, the process is different if one host is trying to reach more than one destination, or if one message is to be received by every other host in the network. These types of communication are referred to as broadcasting, multicasting, and unicasting.

Unicast is a term that was created after multicasting and broadcasting were already defined. A unicast is a directed communication between a single transmitter and a single receiver. This is how most communication between two hosts happens, with Host A specifically communicating with Host B.

A broadcast is a communication that is sent out from a single transmitting host and is destined for all possible receivers on a segment (generally, everyone in the network, since the routers that direct traffic from one network to another are generally used to stop broadcasts, thereby creating broadcast domain boundaries). Broadcasting can be done for many reasons, such as locating another host. For a MAC broadcast, the broadcast address used is FF:FF:FF:FF:FF:FF. For an IP broadcast, the address used is based on the network settings. For example, if you are on network /24, the broadcast address is .

A multicast is a communication that is sent out to a group of receivers on the network. Multicasting is often implemented as a means for directing traffic from the presenter of a video conference to the audience. In comparison to the broadcast, which all receivers on the segment will receive, those who wish to receive a multicast must join a group to do so. Group membership is often very dynamic and controlled by a user or an application. Currently, Class D addresses are used for multicasting purposes. Remember, Class D has IP addresses in the range of 224.0.0.0 to 239.255.255.255.

TASK 2A-2
Routers and Subnetting

1. You are using a host that has an IP address of and a subnet mask of . You are trying to reach a host with the IP address . Will you need to go through a router? Explain your response.
Yes, you will need to go through a router. Your subnet mask defines you as belonging to network , and the remote host you are trying to reach does not belong to your network.

2. Boot your computer to Windows Server 2003, and log on as Administrator, with a blank (null) password.

3. Choose Start, Settings, Network Connections. Right-click the network interface and choose Properties.

4. Select Internet Protocol (TCP/IP) and click Properties.

5. Click the Advanced button, and verify that the IP Settings tab is displayed. Under Default Gateways, record the IP address here: For the LEFT side of the classroom, the Default Gateway is For the RIGHT side, it is

6. Select the Default Gateway IP address you just recorded, and click Remove. Click OK twice and click Close twice.

7. Open a command prompt and ping an address that is not on your local network. For instance, if you are on the LEFT side of the classroom, you could ping an address in the network, and if you are on the RIGHT side of the classroom, you could ping an address in the network.

8. Observe the message you receive. The text Destination Host unreachable is displayed. Your computer knows that the ping packet is supposed to go to a computer that is outside your local network, but it does not know how to get it there.

9. Switch to the Network Connections Control Panel and display the properties of the network interface.

10. Select Internet Protocol (TCP/IP), click Properties, and then click Advanced. On the IP Settings tab, click the Add button found in the Default Gateway area.

11. In the TCP/IP Gateway Address box, enter the IP address you recorded earlier in the task and click Add. Click OK twice and click Close twice.

12. Switch back to the command prompt and try to ping the remote address again.

13. Observe the message you receive. This time, as long as the other computer's default gateway is correctly configured, you should be successful in pinging the remote computer. This is because your computer now knows to send traffic to the router if that traffic is destined for another network. (How the routers know where to send the traffic is covered later in the course.) Contact your instructor if your ping attempt is not successful.

14. Close all open windows.

Be prepared to diagram or otherwise explain the classroom setup. The recommended classroom layout is shown in the figure in the setup. Students must be able to ping all computers within the classroom for the remaining tasks to work properly. If any students are not successful in the second ping attempt, help them troubleshoot the issue.

security: A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences.

Topic 2B
Analyzing the Three-way Handshake

Although a great deal of emphasis is given to IP due to the addressing and masking issues, TCP deserves equal attention from the security professional. In addition to TCP, the other protocol that functions as a transport protocol is UDP. This topic will concentrate on TCP; however, a brief discussion on UDP is warranted. The following table provides a brief comparison of the two protocols.

Comparing TCP and UDP

TCP                     UDP
Connection-oriented     Connectionless
Slower communications   Faster communications
Considered reliable     Considered unreliable
Transport Layer         Transport Layer

TCP provides a connection-oriented means of communication, whereas UDP provides connectionless communication. The connection-oriented function of TCP means it can ensure reliable transmission, and can recover if transmission errors occur. The connectionless function of UDP means that packets are sent with the understanding they will make it to the other host, with no means of ensuring the reliability of the transmission. UDP is considered faster because less work is done between the two hosts that are communicating. Host 1 simply sends a packet to the address of host 2. There is nothing built into UDP to provide for host 1 checking to see if host 2 received the packet, or for host 2 sending a message back to host 1, acknowledging receipt.

TCP provides the functions of connection-oriented communication by using features such as the three-way handshake, acknowledgements, and sequence numbers. In addition to these features, a significant part of TCP is the use of control flags. There are six TCP control flags in a TCP header, each with a specific meaning.

TCP Flags

The TCP flags are SYN, ACK, FIN, RESET, PUSH, and URGENT. These flags may also be identified as S, ack, F, R, P, and urg. Each flag occupies one bit in the header; a flag assigned a value of 1 is considered on. The function of each flag is as follows:

- The SYN, or S, flag represents the first part of establishing a connection. The synchronizing of communication will generally be in the first packet of a communication.
- The ACK, or ack, flag represents acknowledgement of receipt of data from the sending host. It is sent during the second part of establishing a connection, in response to the sending host's SYN request.
- The FIN, or F, flag represents the sender's intention to terminate the communication in what is known as a graceful manner.
- The RESET, or R, flag represents the sender's intention to reset the communication.
- The PUSH, or P, flag is used when the sending host requires data to be pushed directly to the receiving application rather than held in a buffer.
- The URGENT, or urg, flag indicates that this data should take precedence over other data transmissions.

Sequence and Acknowledgement Numbers

In addition to the TCP flags, another critical part of TCP is its numbers: sequence and acknowledgement numbers, to be specific. Because TCP is defined as a reliable protocol with the ability to provide connection-oriented communication, there must be a mechanism that provides these features. Sequence and acknowledgement numbers are that mechanism.

Sequence Numbers

The sequence number is found in the TCP header of each TCP packet and is a 32-bit value. These numbers give the two hosts common ground for communication and allow the hosts to identify packets sent and received. If a large web page requires several TCP packets for transmission, the receiving host uses the sequence numbers to reassemble the packets in the proper order and provide the full web page for viewing.
When a host sends the request to initiate a new connection, an Initial Sequence Number (ISN) must be chosen. Different vendors use different algorithms for choosing an ISN; however, RFC 793 states that the ISN is to be a 32-bit number that increments by one every 4 microseconds.

Acknowledgement Numbers

The acknowledgement number is also found in the TCP header of each TCP packet, and is also a 32-bit value. These numbers give the two hosts a receipt of data delivery. An acknowledgement number is placed in the packet header in response to a sequence number in the sending packet. If the sending host does not receive an acknowledgement for a transmitted packet within the defined timeframe, it retransmits the packet. This is how TCP provides reliable delivery: if a packet seems to have been lost, the sender retransmits it.

Connections

All communication in TCP/IP is done with connections between two hosts. Each connection is opened (or established), data is sent, and the connection is closed (or torn down). These connections have very specific rules they must follow. There are two different states of the open portion of this process: Passive Open and Active Open.

Passive Open is when a running application tells TCP that it is ready to receive inbound requests via TCP. The application assumes inbound requests are coming, and is prepared to serve those requests. This is also known as the listening state, as the application is listening for requests to communicate.

Active Open is when a running application tells TCP to start a communication session with a remote host (which is in the Passive Open state). It is possible for two hosts in Active Open to begin communication. It is not a requirement that the remote host be in Passive Open, but that is the most common scenario.

Connection Establishment

In order for the sequence and acknowledgement numbers to have any function, a session between the two hosts must be established. This connection establishment is called the three-way handshake. The three-way handshake involves three distinct steps, detailed as follows (please refer to Figure 2-5 when reading this section):

1. Host A sends a segment to Host C with the following:
   SYN = 1 (The session is being synchronized.)
   ACK = 0 (There is no value in the ACK field, so this flag is 0.)
   Sequence Number = x, where x is a variable. (x is Host A's ISN.)
   Acknowledgement Number = 0
2. Host C receives Host A's segment and responds to Host A with the following:
   SYN = 1 (The session is still being synchronized.)
   ACK = 1 (The acknowledgement flag is now set, as there is an ack value in this segment.)
   Sequence Number = y, where y is a variable. (y is Host C's ISN.)
   Acknowledgement Number = x + 1 (The sequence number from Host A, plus 1.)
3. Host A receives Host C's segment and responds to Host C with the following:
   SYN = 0 (The session is synchronized with this segment; further requests are not needed.)
   ACK = 1 (The ack flag is set in response to the SYN from the previous segment.)
   Sequence Number = x + 1 (This is the next sequence number in the series.)
   Acknowledgement Number = y + 1 (The sequence number from Host C, plus 1.)

At this point, the hosts are synchronized and the session is established in both directions, with data transfer to follow.
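The flag bits, the RFC 793 ISN clock, and the x + 1 / y + 1 arithmetic of the handshake, worked as an added Python example (this is not code from the course, from Network Monitor, or from any vendor's TCP stack): it packs and decodes 20-byte TCP headers, derives an ISN from the 4-microsecond clock, and checks that three constructed segments satisfy the handshake relationships. The port numbers, clock reading, and Host C's ISN are constructed values chosen for illustration.

```python
import struct

# Control-flag bits in the low byte of the TCP "data offset / reserved / flags"
# word (RFC 793 layout). Dictionary order also fixes the order of parsed flag lists.
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08,
             "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
MASK32 = 0xFFFFFFFF


def rfc793_isn(now_micro):
    """ISN from the RFC 793 clock: a 32-bit counter that advances once
    every 4 microseconds and wraps around when it overflows."""
    return (now_micro // 4) & MASK32


def build_tcp_header(sport, dport, seq, ack, flags, window=8192):
    """Pack a 20-byte TCP header (no options) with the named flags set.
    Checksum and urgent pointer stay 0; this header is for illustration only."""
    flag_byte = 0
    for name in flags:
        flag_byte |= FLAG_BITS[name]
    offset_flags = (5 << 12) | flag_byte      # data offset: 5 words = 20 bytes
    return struct.pack("!HHIIHHHH", sport, dport, seq & MASK32, ack & MASK32,
                       offset_flags, window, 0, 0)


def parse_tcp_header(raw):
    """Decode ports, sequence/acknowledgement numbers, and the set flags."""
    (sport, dport, seq, ack, offset_flags,
     window, _csum, _urg) = struct.unpack("!HHIIHHHH", raw[:20])
    flag_byte = offset_flags & 0x3F           # the six control bits
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "header_len": (offset_flags >> 12) * 4, "window": window,
            "flags": [n for n, b in FLAG_BITS.items() if flag_byte & b]}


def check_handshake(segments):
    """Verify that three parsed segments form the three-way handshake:
    SYN(seq x) -> SYN+ACK(seq y, ack x+1) -> ACK(seq x+1, ack y+1).
    Returns (ok, reason)."""
    if len(segments) != 3:
        return False, "expected exactly three segments"
    a, c, a2 = segments
    if a["flags"] != ["SYN"]:
        return False, "first segment must carry SYN only"
    if sorted(c["flags"]) != ["ACK", "SYN"]:
        return False, "second segment must carry SYN and ACK"
    if c["ack"] != (a["seq"] + 1) & MASK32:
        return False, "SYN-ACK does not acknowledge x + 1"
    if a2["flags"] != ["ACK"]:
        return False, "third segment must carry ACK only"
    if a2["seq"] != (a["seq"] + 1) & MASK32:
        return False, "third segment sequence number is not x + 1"
    if a2["ack"] != (c["seq"] + 1) & MASK32:
        return False, "third segment does not acknowledge y + 1"
    return True, "handshake complete"


def example_handshake(break_third_ack=False):
    """Constructed exchange between Host A (ephemeral port 40000) and the
    Telnet service on Host C (port 23). With break_third_ack=True the final
    ACK carries the wrong number and the check rejects it."""
    x = rfc793_isn(1_000_000_000)             # constructed clock reading for Host A
    y = 0x1A2B3C4D                            # constructed ISN for Host C
    final_ack = y + 2 if break_third_ack else y + 1
    raw = [build_tcp_header(40000, 23, x, 0, ["SYN"]),
           build_tcp_header(23, 40000, y, x + 1, ["SYN", "ACK"]),
           build_tcp_header(40000, 23, x + 1, final_ack, ["ACK"])]
    return check_handshake([parse_tcp_header(r) for r in raw])
```

The same parser can be pointed at the 20 bytes following the IP header of any captured TCP frame; the Hex pane in Network Monitor shows exactly these bytes, with the flags in the low six bits of the thirteenth and fourteenth bytes.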

Figure 2-5: The three-way handshake.

Connection Termination

In addition to the specific steps involved in establishing a session between two hosts, there are equally specific steps in the termination of the session. There are two methods of ending a session using TCP. One is considered graceful, and the other non-graceful. A graceful shutdown happens when one host sends a message (using the FIN flag) to the other, stating it is time to end the session; the other acknowledges; and they both end the session. A non-graceful shutdown happens when one host simply sends a message (using the RESET flag) to the other, indicating the communication has stopped, with no acknowledgements and no further messages sent. In this section, we will investigate the details of the standard graceful termination.

As you saw earlier, it requires three segments to establish a TCP session between two hosts. The other side of the session, the graceful termination, requires four segments. Four segments are required because TCP is a full-duplex communication protocol (meaning data can flow in both directions independently). As per the specifications of TCP, either end of a communication can end the session by sending a FIN, which has a sequence number just as a SYN has a sequence number.

Similar to the Active and Passive Opens mentioned earlier, there are also Active and Passive Closes. The host that begins the termination sequence, by sending the first FIN, is the host performing the Active Close. The host that receives the first FIN is the host performing the Passive Close. The graceful teardown of a session is detailed as follows (please refer to Figure 2-6 when reading this section):

1. Host A initiates the session termination to Host C with the following:
   FIN = 1 (The session is being terminated.)
   ACK = 1 (There is an ack number, based on the current communication.)
   Sequence Number (FIN number) = s (s is a variable based on the current communication.)
   Acknowledgement Number = p (p is a variable based on the current communication.)
2. Host C receives Host A's segment and replies with the following:
   FIN = 0 (This segment is not requesting closure of the session.)
   ACK = 1 (This segment does contain an ack number.)
   Sequence Number = Not Present (As there is no FIN, there is no sequence number required.)
   Acknowledgement Number = s + 1 (This is the response to Host A's FIN.)
3. Host C initiates the session termination in the opposite direction with the following:
   FIN = 1 (The session is being terminated.)
   ACK = 1 (There is an ack number.)
   Sequence Number = p (p is a variable based on the current communication.)
   Acknowledgement Number = s + 1 (This is the same as in the previous segment.)
4. Host A receives the segments from Host C and replies with the following:
   FIN = 0 (This segment does not request a termination; there is no SYN.)
   ACK = 1 (This segment does contain an ack number.)
   Sequence Number = Not Present
   Acknowledgement Number = p + 1 (This is Host C's sequence number, plus 1.)

At this point the session has been terminated. Communication in both directions has had a FIN requested and an acknowledgement to the FIN, closing the session.

Figure 2-6: Connection termination.

Ports

You have been introduced to the fact that IP deals with addressing and the sending and receiving of data between two hosts, and to the fact that TCP can be selected to provide reliable delivery of data. However, if a client sends a request to a server that is running many services, such as WWW, NNTP, SMTP, and FTP, how does the server know which application is supposed to receive the request? The answer is by specifying ports.
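The four-segment graceful teardown from the Connection Termination section above, and the RESET alternative, worked as an added Python example (not code from the course or from any TCP implementation): a small checker walks the closing segments of one connection, records which host sent the first FIN (the Active Close), confirms that each FIN was acknowledged with its sequence number plus 1, and distinguishes a graceful close from a reset or a half-close. Host names A and C and the values chosen for s and p are constructed; the pure ACK segments carry no sequence number here because the check does not need one, matching the "Not Present" entries in the text.

```python
MASK32 = 0xFFFFFFFF


def classify_teardown(segments):
    """Walk the closing segments of one connection and report how it ended.

    Each segment is a dict: {"from": host, "flags": [...], "seq": n, "ack": n}.
    "graceful" requires a FIN from each side and an ACK equal to each FIN's
    sequence number + 1; "reset" means a RST was seen (nothing is acknowledged);
    anything else is reported as "incomplete" (for example a half-close)."""
    fin_seq = {}          # host -> sequence number carried by its FIN
    fin_acked = set()     # hosts whose FIN has been acknowledged by the peer
    active_closer = None  # host that sent the first FIN (Active Close)
    for seg in segments:
        if "RST" in seg["flags"]:
            return {"result": "reset", "by": seg["from"]}
        if "FIN" in seg["flags"]:
            if active_closer is None:
                active_closer = seg["from"]
            fin_seq[seg["from"]] = seg["seq"]
        if "ACK" in seg["flags"]:
            # An ACK from the peer acknowledges a FIN when it equals FIN seq + 1.
            for host, s in fin_seq.items():
                if host != seg["from"] and seg["ack"] == (s + 1) & MASK32:
                    fin_acked.add(host)
    if len(fin_seq) == 2 and fin_acked == set(fin_seq):
        passive = next(h for h in fin_seq if h != active_closer)
        return {"result": "graceful", "active_close": active_closer,
                "passive_close": passive}
    return {"result": "incomplete", "fins_seen": sorted(fin_seq),
            "fins_acked": sorted(fin_acked)}


# Constructed values standing in for s and p in the text above.
S, P = 5000, 9000

# The four segments of the graceful teardown, in the order the text gives them.
GRACEFUL = [
    {"from": "A", "flags": ["FIN", "ACK"], "seq": S, "ack": P},        # 1: A's FIN
    {"from": "C", "flags": ["ACK"], "seq": None, "ack": S + 1},        # 2: C acks A's FIN
    {"from": "C", "flags": ["FIN", "ACK"], "seq": P, "ack": S + 1},    # 3: C's FIN
    {"from": "A", "flags": ["ACK"], "seq": None, "ack": P + 1},        # 4: A acks C's FIN
]
# Non-graceful end: a single RST, no acknowledgement expected.
RESET = [{"from": "C", "flags": ["RST"], "seq": P, "ack": 0}]
# Only the first two segments: A has closed its direction, C has not.
HALF_CLOSE = GRACEFUL[:2]
```

When you identify the teardown frames in Task 2B-5, the same three cases are what you are looking for: two FINs each followed by an ACK one greater than the FIN's sequence number, a lone RST, or a FIN that was never answered.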

Port numbers are located in the TCP or UDP header, and they are 16-bit values, ranging from 0 to
Port numbers can be assigned to specific functions or applications. Ports can also be left open for dynamic use by two hosts during communication. There are ranges of ports for each function. There are three main categories of ports: well-known, registered, and dynamic.

The well-known ports (also called reserved ports by some) are those in the range of 0 to
These port numbers are assigned to specific applications and need to remain constant for the primary services of the Internet to continue to provide the flexibility and usefulness they do today. For example, the WWW service is port 80, the Telnet service is port 23, the SMTP service is port 25, and so on. The well-known port list is maintained by the Internet Assigned Numbers Authority (IANA), and can be found here:

Registered ports are those in the range of 1024 to
These port numbers can be registered to a specific function, but are not defined or controlled by a governing body, so multiple functions could end up using the same port.

Dynamic ports (also called private ports) are those from to
Any user of the Internet can use dynamic ports.

When a client connects to a server and requests a resource, that client also requires a port. The client ports (also called ephemeral ports by some) are used by a client during one specific connection; each subsequent connection will use a different port number. These ports are not assigned to any default service, and are usually a number greater than
There is no defined range for client ports; they can cover the numbers of both the registered and dynamic port ranges.

When a client begins a session by requesting a service from a server, such as the WWW service on port 80, the client uses an ephemeral port on the client side. This enables the server to respond to the client.
Data is then exchanged between the two hosts using the port numbers established for that session: 80 on the server side, and a dynamic number greater than 1023 on the client side. The combination of the IP address and port is often referred to as a socket, and the two hosts together are using a socket pair to communicate for this session. The following table lists some of the well-known ports and their associated services.

Some Well-known Ports and their Services

  Port        Service
  23          Telnet
  80          HTTP (Standard web pages)
  443         Secure HTTP (Secure web pages)
  20 and 21   FTP (Data and control)
  53          DNS
  25          SMTP
  119         NNTP
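The socket-pair idea above, worked as an added Python example (not code from the course or from Network Monitor): packet records are grouped into sessions by their socket pair, regardless of which direction each packet travels, and the server side of each session is picked out as the socket on a well-known port (1023 or below) facing an ephemeral port above 1023. The service names come from the table above; the packet records, addresses, and port numbers are constructed, not taken from a capture.

```python
from collections import defaultdict

# Well-known services from the table above, keyed by server port.
WELL_KNOWN = {20: "FTP data", 21: "FTP control", 23: "Telnet", 25: "SMTP",
              53: "DNS", 80: "HTTP", 119: "NNTP", 443: "Secure HTTP"}


def socket_pair_key(pkt):
    """Order the two sockets so that both directions of a session share one key."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return (pkt["proto"],) + ((a, b) if a <= b else (b, a))


def server_socket(key):
    """Pick the server side of a socket pair: the socket on a well-known port
    (1023 or below) when the other side uses a port above 1023.
    Returns None when neither or both sides look like a server."""
    _proto, (ip1, port1), (ip2, port2) = key
    if port1 <= 1023 < port2:
        return (ip1, port1)
    if port2 <= 1023 < port1:
        return (ip2, port2)
    return None


def summarize_sessions(packets):
    """Group packets by socket pair and describe each resulting session."""
    sessions = defaultdict(list)
    for pkt in packets:
        sessions[socket_pair_key(pkt)].append(pkt)
    summary = {}
    for key, pkts in sessions.items():
        server = server_socket(key)
        summary[key] = {
            "proto": key[0],
            "frames": len(pkts),
            "bytes": sum(p["length"] for p in pkts),
            "server": server,
            "service": WELL_KNOWN.get(server[1], "unknown") if server else None,
        }
    return summary


# Constructed packet records (no real capture): a web request and its reply,
# a Telnet request, and a UDP exchange between two ephemeral ports.
SAMPLE = [
    {"proto": "TCP", "src": "10.0.0.5", "sport": 40001,
     "dst": "10.0.0.9", "dport": 80, "length": 60},
    {"proto": "TCP", "src": "10.0.0.9", "sport": 80,
     "dst": "10.0.0.5", "dport": 40001, "length": 1500},
    {"proto": "TCP", "src": "10.0.0.5", "sport": 40002,
     "dst": "10.0.0.9", "dport": 23, "length": 60},
    {"proto": "UDP", "src": "10.0.0.5", "sport": 40003,
     "dst": "10.0.0.7", "dport": 40004, "length": 100},
]
```

The request and the reply of the web session land under one key even though their source and destination are swapped; the UDP exchange between two high ports is reported with no server side, which is the kind of session that deserves a closer look in a capture.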

Trojan Horse: An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.

In addition to known valid services, such as those listed previously, there are many Trojan Horse programs that use specific ports (although the port can usually be changed).

Ports Associated with Trojan Horses

  Port Number   Name of Trojan Horse
                NetBus
  1243          Sub Seven
                Sub Seven
                Back Orifice
  (TCP)         Back Orifice 2000 (BO2K)
  (UDP)         Back Orifice 2000 (BO2K)

Network Monitor

There is a very valuable tool available with Windows called Network Monitor. This tool allows for full packet capture and lets the analyst (you) peer into a packet's contents, examining both the payload, or data, and the headers in detail. You can see any flags that are set, the sequence and acknowledgement numbers, the packet size, and more. The following is a discussion of the use of Network Monitor, provided as background so that you can perform the tasks in this lesson. Some of the things you can do with Network Monitor are:

- Monitor real-time network traffic.
- Analyze network traffic.
- Filter specific protocols to capture.

In this lesson, you will focus on the capture and analysis of IP packets, and on the details of the protocol suite.

Figure 2-7: The default view of Network Monitor, showing the various panes.

In Figure 2-7, you can see the default view of Network Monitor. In this view, the screen is split into several sections. The top bar is the standard menu bar found in Microsoft programs. The basic functions on the toolbar that you will use in this lesson are contained in the File and Capture menus.

The File menu contains three commands: Open, Save As, and Exit. Choose Open to open a previously saved Network Monitor capture. Choose Save As to save a Network Monitor capture. Choose Exit to exit.

The Capture menu has more commands: Start, Stop, Stop And View, Pause, and Continue. The Start, Pause, and Continue commands are self-explanatory. The difference between Stop and Stop And View is that the Stop command ends the capture, whereas the Stop And View command ends the capture and switches Network Monitor to its next mode, Display View.

The other sections of the Capture View are panes (windows within a window) called Graph, Session Stats, Station Stats, and Total Stats. The Graph pane provides five bars that measure percentages of pre-defined metrics:

- The top graph indicates the percentage (%) of network utilization, meaning how much the network is being used.
- The second graph indicates the number of frames per second transmitted over the network.
- The third graph indicates the number of bytes per second transmitted over the network.
- The fourth graph indicates the number of broadcasts per second transmitted over the network.
- The fifth graph indicates the number of multicasts per second transmitted over the network.

While a capture is running, these graphs work in real time, providing current data.

The next pane is the Session Stats pane. In this pane, you can see the sessions that are taking place during the capture. Following the Session Stats is the Station Stats pane. In this pane, you can see statistics per interface on the host, per broadcast, per multicast, and more. The final pane in this view is the Total Stats pane. The Total Stats pane is subdivided into sections: Network Statistics, Captured Statistics, Per Second Statistics, Network Card (MAC) Statistics, and Network Card (MAC) Error Statistics. From this pane, you can identify frames, broadcasts, multicasts, network utilization, errors, and more, all in real time during the capture.

Displaying Captures

After you have captured network traffic, you can begin your analysis, which requires a different view of Network Monitor: the Display View. You can switch to the Display View either by using the Capture→Stop And View command or by using the Display Captured Data command after a capture session has been stopped.

Figure 2-8: The Summary View of Network Monitor.

When you first open the Summary View, as shown in Figure 2-8, you will see a timeline of the packets captured. By double-clicking any captured packet, you can look into its details and bring up the next view of Network Monitor. Once you have selected a packet, Network Monitor displays three panes for presenting information to you.

Figure 2-9: The details of a packet in Network Monitor.

The top pane shown in Figure 2-9 is the Summary pane. This pane provides the basic details of a packet, such as:

- Frame number
- Time the packet was captured
- Destination and source MAC addresses
- Protocol used
- Destination and source IP addresses

The middle pane shown in Figure 2-9 is the Detail pane. This pane provides the actual details of the protocol for the selected packet. Any line that has a plus sign next to it can be expanded for further detail.

The bottom pane in Figure 2-9 is the Hex pane. This pane provides the actual hex value of the raw data that each frame is comprised of. When you select something in the Detail pane, it is highlighted in the Hex pane for comparison. Also, in this pane, the ASCII characters are visible. In the event that cleartext is captured, this is where it will be readable.

Network Monitor Filters

Because Network Monitor has the ability to capture all network traffic, it would be very easy to capture too much information and have difficulty finding what you were looking for. This is where filtering comes into play. There are two types of filters available in Network Monitor: capture filters and display filters. For example, if you wanted to capture only TCP messages, you could create a capture filter so that only TCP messages are captured. If you wanted to view only ICMP messages, you could create a display filter so that all you see are ICMP messages. Figure 2-10 and Figure 2-11 show the dialog boxes used for each filter type.

To create or use filters, choose Capture→Filter. Using filters not only makes it easier for you, as an analyst, to find what you are looking for, but also keeps the buffer that stores the capture from filling up with useless information.

Figure 2-10: Network Monitor's Capture Filter dialog box.

Figure 2-11 shows the Display Filter dialog box.

Figure 2-11: Network Monitor's Display Filter dialog box.

When using filtering, you will likely use either protocol or address filtering. With protocol filtering, you identify a specific protocol to work with. With address filtering, you define the specific address to filter. Filters can be applied in different directions: traffic into this host, traffic outbound from this host, or both directions. These options are selected with the appropriate arrow (one of these three: --->, <---, or <-->) for the function you want to perform.

TASK 2B-1
Using Network Monitor

1. Open a command prompt, and enter ipconfig /all
   If you are on the LEFT side of the classroom, your IP addresses will be x.
   If you are on the RIGHT side of the classroom, your IP addresses will be x.
2. Record the MAC and IP address for the network card in your computer.
   MAC address
   IP address
   Each card will have a unique MAC address. Each card will have a unique IP address.
3. Close the Command Prompt window.
4. Open Network Monitor. (From the Start menu, choose All Programs→Administrative Tools→Network Monitor.)
5. If you see the Select Default Network message box, click OK to display the Select A Network dialog box. Expand the + sign next to Local Computer, select the interface with the MAC address associated with the network interface, and click OK.
6. Choose Capture→Start, or press F10 to start a capture.
7. If you are on the LEFT side of the classroom, ping the IP address
   If you are on the RIGHT side of the classroom, ping the IP address
   This will create network traffic for you to capture.
8. Wait for 20 to 30 seconds. As you wait, watch the real-time statistics change in the Network Monitor Capture window.
9. Choose Capture→Stop And View. You should now see the Display View, including the timeline of the packets captured.
10. Double-click any packet to change to the Detail View.
11. Observe the structure of the three panes in this view, and expand any + signs displayed in the middle pane.
12. Choose Display→Filter.
13. Select Protocol==Any, and click the Edit Expression button.

14. With the Protocol tab selected, click the Disable All button.
15. Scroll down to ICMP, select ICMP, and click the Enable button. The Expression field at the top of the dialog box should now display Protocol == ICMP. Click OK.
16. Click OK to apply this filter to your capture.
17. Observe that only ICMP frames are now visible in your window.
18. Choose File→Save As, and save the capture as First_Capture.cap in the default location.
19. Close Network Monitor.

promiscuous mode: Normally an Ethernet interface reads all address information and accepts follow-on packets only destined for itself, but when the interface is in promiscuous mode, it reads all information (sniffer), regardless of its destination.

Wireshark

Another product you can use to capture data is called Wireshark. (Wireshark was formerly known as Ethereal; the name change took place in 2006.) With Wireshark, data can be captured off the wire or read from a capture file. Data can also be saved in a file format that Microsoft Network Monitor can understand. Wireshark supports analysis of over 750 Data Link, Network, Transport, and Application layer protocols. Wireshark can be downloaded from

To perform promiscuous mode captures on a Windows machine, you must first download and install the latest stable version of WinPcap; do not install any alpha or beta versions. WinPcap is the Windows equivalent of libpcap (LIBrary for Packet CAPtures) for Linux. It can be obtained from
In fact, you will use WinPcap later in the course, along with other tools such as windump, tcpdump, nmap, and snort.

TASK 2B-2
Installing and Starting Wireshark

1. Choose Start→My Computer.
2. Open C:\Tools\Lesson2.
3. Double-click the WinPcap_4_0.exe file.
4. In the WinPcap_4_0.exe Installer Welcome screen, click Next.
5. Read the License Agreement, and click I Agree.
6. To close the WinPcap install wizard, click Finish.
7. Double-click the Wireshark_setup exe file.
8. In the Wireshark Setup Wizard Welcome screen, click Next.
9. Read the License Agreement, and click I Agree.

10. Accept the Default Components (do not make any changes), and click Next.
11. Accept the Default Additional Tasks (do not make any changes), and click Next.
12. Accept the Default Destination Folder, and click Next.
13. You have already installed WinPcap, so do not check any boxes on the WinPcap screen; click Install.
14. In the Installation Complete screen, click Next.
15. In the Completing The Wireshark Setup Wizard screen, check the Run Wireshark_setup exe check box and click Finish.
16. Leave Wireshark open for the following tasks.

Wireshark Overview

When you first start Wireshark (formerly called Ethereal), you will see a GUI with three panes. The top pane lists the captured frames in sequence. When you highlight a frame, the middle pane provides protocol layer information about that frame, and the bottom pane shows the details of the frame in both hex and ASCII values.

Figure 2-12: The Ethereal (Wireshark) GUI.

At the top of the GUI there is a menu bar with File, Edit, View, Go, Capture, Analyze, Statistics, and Help. Just above the top pane are a Filter button, a drop-down menu, an Expression button, a Clear button, and an Apply button. These buttons allow you to filter the captured data, which, as you will see, is a very important feature.

When you wish to start a capture in Wireshark, you have several options. You can go to the Capture drop-down menu and select Start, or you can simply click the third icon from the right in the row of icons just below the main menu bar. However, as this is the first time you are running Wireshark, you must define some options. A quick way to the Options screen is to press Ctrl+K. When you do so, you will see a window with many options, where you can make specific selections, including the following:

- The interface to capture packets from.
- The limit on the number of packets to capture (if any).
- Whether you wish to capture packets in promiscuous mode.
- Any filters you wish to use.
- The file name for the capture file.
- Whether you wish to view the packets onscreen in real time.
- Parameters that define when the capture should stop.
- Whether you wish to enable or disable name resolution at the Data Link, Network, and Transport layers.

Figure 2-13: Wireshark's Capture Options dialog box.

When you click OK, the capture will start on the selected network interface and you will see another pop-up informing you that the capture is in progress. Wireshark will continue with the capture until you click the Stop button.

Figure 2-14: Wireshark pop-up displaying capture information.

Once you have selected your options and clicked OK, the capture will start on the selected network interface, and you will see a pop-up window informing you of the capture in progress. Wireshark will continue with the capture until you press the Stop button or an option you configured tells the capture to stop.

Figure 2-15: The many Save As options in Wireshark.

After you stop a capture, you can view and analyze the data for your current use. When you are done and wish to save the file for future analysis, you have many options. Notice how many choices you have for saving a capture: you can save to Network Monitor's format if you want. (Conversely, Wireshark will read a capture saved by any of the protocol analyzers in the list.) When you are done with capture and analysis and want to close the program, choose File→Quit or press Ctrl+Q.

TASK 2B-3
Using Wireshark

Setup: Wireshark has been successfully installed and is running on your computer.

1. Choose Capture→Options.
2. In the Interface drop-down list, select your local area network adapter.
3. Notice that when you select your adapter, the program lists your LAN address directly below the word Interface.

4. Make sure that the Capture Packets In Promiscuous Mode check box is checked.
5. Check the Update List Of Packets In Real Time check box.
6. Click the Start button and open a command prompt.
7. Ping your Default Gateway IP Address.
8. When the ping has completed, close the command prompt, return to Wireshark, and choose Capture→Stop.
9. Double-click any frame where your computer is the Source and the Destination is the Default Gateway IP Address you just pinged. The protocol will be listed as ICMP.
10. Expand and view the frame details.
11. Note that you can analyze data in a similar fashion as in Network Monitor.
12. Once you are done with this initial look at Wireshark, close the application.
13. Click the Continue Without Saving button.

TCP Connections

Earlier, you were introduced to the function and the process of control flags, the three-way handshake, and the session teardown. In this section, you are going to use Network Monitor to view the three-way handshake, packet by packet, and to view the teardown, packet by packet.

Remember, the three-way handshake is used by two hosts when they are creating a session. The first host begins by sending out a packet with the SYN flag set, and no other flags. The second packet is a response with both the SYN and ACK flags set. The third part of the session establishment will have the ACK flag set.

TASK 2B-4
Analyzing the Three-way Handshake

1. Choose Start→Administrative Tools→Services.
2. Right-click telnet and choose Properties.
3. At the Startup type, select manual.
4. Click Apply.
5. Click Start.
6. Click OK.
7. Close the Services window.

8. Open Network Monitor, and start a capture.
9. At a command prompt:
   If you are on the LEFT side of the classroom, enter telnet
   If you are on the RIGHT side of the classroom, enter telnet
   Enter y; at the Login prompt, type anonymous and press Enter; and at the Password prompt, press Enter.
10. Press Enter repeatedly until your connection to the host is lost. Your screen may resemble the following graphic. Minimize the command prompt window.
11. Switch back to Network Monitor, and choose Capture→Stop And View.
12. In the Summary pane, identify the frames that are involved in the three-way handshake.
13. Once you have identified the frames that are part of the three-way handshake, based on the discussion, look for the following:
   a. In the first frame, what are the SEQ number, ACK number, and flags?
   b. In the second frame, what are the SEQ number, ACK number, and flags?
   c. In the third frame, what are the SEQ number, ACK number, and flags?
14. Expand each of the three frames in the handshake, and examine them in greater detail in the Detail pane.
15. Using the Hex pane, identify the value of the flags that are set in each frame.
16. Leave Network Monitor open, along with this capture, for the next task.

The Session Teardown Process

Previously, you examined the session teardown process. Here, you will examine the details of the session teardown. Remember, there are four parts to a session teardown.

TASK 2B-5
Analyzing the Session Teardown Process

Setup: Network Monitor is running, and the last capture you performed is displayed.

1. In the Summary pane, identify the frames that are involved in the session teardown.
2. Once you have identified the frames, examine them in greater detail in the Detail pane.
3. In each frame, identify at least the following:
   a. Flags that are set.
   b. Sequence number.
   c. Acknowledgement number.
4. Save the capture as tcp_connections.cap and close the capture.
5. Minimize Network Monitor.

Topic 2C
Capturing and Identifying IP Datagrams

Along with TCP, the protocol you will spend the most time analyzing is IP. This protocol is the one that does the most work of the entire TCP/IP suite. In Figure 2-16, you can see the actual format of the IP datagram. There are seven rows of information in the figure, with the critical rows being the first five. When a computer receives an IP datagram, it begins reading Row One on the left side, bit by bit. Once it has read through Row One, it reads Row Two, and so on. To work with IP further, refer to RFC 791.

36 Figure 2-16: An IP datagram with all fields shown. Using Figure 2-16, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze the IP header. Starting on Row One, on the left side is a field called Version. This is a 4-bit field that defines the version of IP that is currently running. Right now, this will likely be a value of 4, as that is the current industry standard IPv4, or IP version 4. Some instances may be using IP version 6, or IPv6, which you will examine later in the course. Moving to the right of the Version is a field called Header Length (IHL). This is a 4-bit field that defines the number of 32-bit words in the header itself, including options. In most captures, this value will be 5, for no options set, the normal value. Continuing to the right of Header Length is a field called Type Of Service. This is an 8-bit field that defines the quality of service for this packet. Different applications may require different needs of available bandwidth, and Type Of Service is one way of addressing those needs. The last field on Row One is the field called Total Length. This is a 16-bit field that defines the length of the entire IP datagram in bytes. Starting on Row Two, on the left side is a field called Identification. This is a 16-bit field that defines each datagram sent by the host. The standard for this field is for the identification value to increment by one for every datagram sent. Following the Identification field is a field called Flags. Not to be confused with the flags of TCP, which you have seen, this is a 3-bit field that is used in conjunction with fragmentation. The first of the three bits is to be set at 0, 66 Tactical Perimeter Defense

The next bit is the DF bit, or Don't Fragment: if it is set, a router that cannot forward the datagram without fragmenting it must drop the datagram instead. The third bit is the MF bit, or More Fragments: it is set on every fragment except the last one. The last field on Row Two is the Fragment Offset. This is a 13-bit field that states where in the original datagram this fragment's data belongs, measured in units of 8 bytes. If there is fragmentation, the first fragment has an offset of 0.

Starting on Row Three, on the left side is the Time To Live field. This is an 8-bit field that limits how long the datagram may exist in the network. The sender sets the TTL, and every router the datagram crosses lowers it by 1. If the TTL reaches 0, the router discards the packet.

To the right is the Protocol field. This is an 8-bit field that identifies the upper-layer protocol carried in the data portion of this datagram. There are many assigned protocol numbers; they were originally published in RFC 790 and are now maintained in the IANA Protocol Numbers registry. The following are the three you will see most often:

Protocol ID Number 1: ICMP
Protocol ID Number 6: TCP
Protocol ID Number 17: UDP

The final field on Row Three is the Header Checksum. This is a 16-bit field that covers the IP header only; it is not a checksum for any data following the header, which is left to the upper-layer protocol. Because the TTL changes at every hop, every router must verify and then recompute this checksum before forwarding. Note what this checksum does and does not give you: it catches accidental corruption of the header in transit, but anyone who can modify a packet can simply recompute it, so it provides no protection against deliberate tampering.

The Fourth Row is a single field, the Source IP Address. This 32-bit value identifies the host that sent the packet. The Fifth Row is also a single field, the Destination IP Address, a 32-bit value that identifies the host the packet is addressed to.

The Sixth Row contains any options that may be present. This field has no fixed size. Options related to routing (source routing and record route) or to timekeeping (the timestamp option) may appear here.
If options are used, padding is added so that the header ends on a 32-bit boundary and the IHL stays a whole number of words. The Seventh and final Row is the representation of the data. By this point the header is complete, and the data the user wishes to send or receive follows it in the packet.

integrity: Assuring information will not be accidentally or maliciously altered or destroyed.

TASK 2C-1 Capturing and Identifying IP Datagrams

Setup: You are logged on to Windows Server 2003 as Administrator. A command prompt and Network Monitor are running.

1. In Network Monitor, start a new capture, and leave the capture running.
2. At the command prompt, enter ftp ip_address, where ip_address is the address of a neighbor computer.
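As an added example (not part of the course text), the following Python program reads an IPv4 header the same way the discussion walks Figure 2-16, field by field in wire order, and verifies the Header Checksum. It builds a small constructed datagram to parse; the addresses 192.168.1.10 and 192.168.1.20, the Identification value, and the NOP options are assumptions, not values from any capture in this lesson.

```python
import struct
from ipaddress import IPv4Address

# Protocol numbers from the registry the text refers to (RFC 790, now IANA).
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def inet_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words (RFC 1071); odd lengths are zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len, ident=0x1234, ttl=128,
                      df=True, mf=False, frag_offset=0, options=b""):
    """Assemble a header with a correct checksum. frag_offset is in bytes (multiple of 8)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)   # pad so IHL is whole 32-bit words
    ihl = 5 + len(options) // 4
    flags_frag = (int(df) << 14) | (int(mf) << 13) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + payload_len, ident,
                      flags_frag, ttl, proto, 0, IPv4Address(src).packed,
                      IPv4Address(dst).packed) + options
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Read the header in wire order (Row One first), as the text describes."""
    if len(pkt) < 20:
        raise ValueError("truncated: an IPv4 header is at least 20 bytes")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", pkt[:12])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    header_len = ihl * 4
    if version != 4:
        raise ValueError("not IPv4 (version %d)" % version)
    if header_len < 20 or header_len > len(pkt) or total_len < header_len:
        raise ValueError("inconsistent IHL %d / Total Length %d" % (ihl, total_len))
    src, dst = struct.unpack("!4s4s", pkt[12:20])
    return {
        "version": version,
        "ihl": ihl,
        "header_len": header_len,            # where the TCP/UDP/ICMP header starts
        "tos": tos,
        "total_length": total_len,
        "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # 13-bit field, units of 8 bytes
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": PROTOCOL_NAMES.get(proto, "other"),
        "header_checksum": csum,
        # Summing the header together with its stored checksum gives all ones, i.e. 0 here.
        "checksum_ok": inet_checksum(pkt[:header_len]) == 0,
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "options": pkt[20:header_len],
        "payload": pkt[header_len:total_len],
    }


def tamper_ttl(pkt: bytes, new_ttl: int) -> bytes:
    """Rewrite the TTL without recomputing the checksum, which a forwarding router must not do."""
    return pkt[:8] + bytes([new_ttl]) + pkt[9:]


# Constructed sample: a TCP datagram such as the ftp attempt in Task 2C-1 would produce.
# The addresses are assumed; the 20 zero bytes stand in for the TCP header.
SAMPLE = build_ipv4_header("192.168.1.10", "192.168.1.20", 6, payload_len=20) + b"\x00" * 20
# The same datagram with three NOP options and an End-of-Options byte (IHL becomes 6).
SAMPLE_WITH_OPTIONS = build_ipv4_header("192.168.1.10", "192.168.1.20", 6, payload_len=20,
                                        options=b"\x01\x01\x01\x00") + b"\x00" * 20

if __name__ == "__main__":
    for name, pkt in (("plain", SAMPLE), ("options", SAMPLE_WITH_OPTIONS),
                      ("tampered", tamper_ttl(SAMPLE, 127))):
        h = parse_ipv4_header(pkt)
        print("%-8s IHL=%d proto=%s %s -> %s TTL=%d checksum_ok=%s" % (
            name, h["ihl"], h["protocol_name"], h["src"], h["dst"], h["ttl"], h["checksum_ok"]))
```

Compare the printed fields with what Network Monitor shows in the Detail pane for IP_Header.cap: the IHL is what tells you where the TCP header begins, the checksum fails as soon as a single header byte (here the TTL) is changed without recomputing it, and the Flags and Fragment Offset fields decode exactly as described above.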

3. The connection will not succeed at this time. Type bye, and close the command prompt.
4. Return to Network Monitor and choose Capture > Stop and View.
5. Observe the Protocol column. Apply a filter so that only TCP frames are shown. (For the specific steps, see Task 2B-1, step 12 through step 16.) Click any of the frames, and observe that the frames sent to port 21 are decoded as FTP.
6. Examine the IP header, and compare it to the discussion. Look for the following:
   a. Version Number.
   b. Time To Live.
   c. Protocol ID.
   d. Source Address.
   e. Destination Address.
7. Once you are done examining the IP header, save the capture as IP_Header.cap and close it.

Topic 2D Capturing and Identifying ICMP Messages

When you analyze protocols, it quickly becomes apparent that ICMP differs from the other protocols discussed in this lesson: it does not carry application data, but is the way hosts and routers report errors and exchange control messages. The encapsulation is the same, however. The ICMP message is carried inside an IP datagram, just as you saw with TCP and UDP, and its Protocol ID is 1. In Figure 2-17, you can see the actual format of the ICMP message. There are only two rows of information shown in the figure. To work with ICMP further, refer to RFC 792.

Figure 2-17: An ICMP message with all fields shown.

Using Figure 2-17, we will move through the header, identifying the function of each field. After identifying the header fields, we will use Network Monitor to capture and analyze an ICMP message.

Starting on Row One, on the left side, the first field is Type. This is an 8-bit value that identifies the kind of ICMP message. For example, Type 3 is Destination Unreachable, Type 8 is Echo Request, and Type 0 is Echo Reply; the last two are what ping uses.

Following Type on Row One is the Code field. This is an 8-bit value that works together with Type to give the specific details of the message. For example, with Type 3, Code 1 means Destination Host Unreachable, and Code 3 means Destination Port Unreachable.

The final field on Row One is Checksum. This is a 16-bit value that covers the entire ICMP message, header and data, unlike the IP checksum, which covers only the IP header.

The Second Row has no fixed layout. Depending on the Type and Code, it may contain many things. An Echo Request or Reply carries an identifier and a sequence number followed by the ping payload, a Timestamp message carries time stamps, and an error message such as Destination Unreachable carries the IP header and the first 8 bytes of the datagram that caused the error, so the sender can tell which connection was affected.

TASK 2D-1 Capturing and Identifying ICMP Messages

Setup: You are logged on to Windows Server 2003 as Administrator. A command prompt and Network Monitor are running.

1. Begin a new capture.
2. Switch to the command prompt, and ping a valid IP address of another host in your subnet. Wait for the ping to finish, and then minimize the command prompt.
3. In Network Monitor, stop and view the capture.
4. Scroll down through the captured packets to identify the ICMP messages, or create an ICMP filter.
5. Analyze the captured frames to identify the ping exchange between your computer and the host you pinged.
6. Compare the messages to the discussion, looking for the following:
   a. Source IP Address.
   b. Destination IP Address.
   c. Type.
   d. Code.
   e. Payload for ping.
7. Save this capture as Valid_Ping.cap and close it. You are going to run another capture.
8. Begin a new capture.

9. Switch to the command prompt, ping an IP address that you know is not in use on your network, wait for the ping to finish, and minimize the command prompt. For instance, pinging an address that no host on your network is using should produce a Request timed out message for each attempt. Based on your network environment, you may not receive any ICMP messages in return; if a router on the path cannot deliver the request, you may instead see ICMP Destination Unreachable messages from that router.
10. In Network Monitor, stop and view the capture.
11. Scroll down through the captured packets to identify the ICMP messages.
12. Analyze the captured frames, and compare them to the discussion, looking for the following:
   a. Source IP Address.
   b. Destination IP Address.
   c. Type.
   d. Code.
13. Save this capture as icmpheader.cap and close it.

Topic 2E Capturing and Identifying TCP Headers

When you investigate TCP/IP, you will find that the TCP segment is encapsulated in the IP datagram (Protocol ID 6). Since you have already examined the IP datagram itself, at this stage you will examine TCP further. In Figure 2-18, you can see the actual format of the TCP header. There are seven rows of information in the figure, with the critical ones for this discussion being the first five. Just as with IP, when a computer receives the TCP header, it begins reading on Row One on the left side, bit by bit. Once it has read through Row One, it reads Row Two, and so on. To work with TCP further, refer to RFC 793.

Figure 2-18: A TCP header with all fields shown.

Using Figure 2-18, we will move through the header, identifying the function of each field. After identifying the header fields, we will use Network Monitor to capture and analyze the TCP header.

Starting on Row One, on the left side is the Source Port Number. This is a 16-bit number that identifies the upper-layer application using TCP on the source host. The second field on Row One is the Destination Port Number, a 16-bit field that identifies the upper-layer application using TCP on the destination host. The combination of an IP address and a port number is often called a socket. A socket pair (source IP address and port, destination IP address and port) identifies a connection completely; together with the protocol number, these are the values a stateful firewall uses to match a packet to a connection it already knows about.

Moving on to Row Two, the entire row is a single field called Sequence Number. This 32-bit value is the sequence number of the first byte of data in this segment. Sequence numbers let the receiver put data back in order and detect what is missing, and they are part of the reason TCP is considered a connection-oriented protocol. When the SYN flag is set, this field holds the initial sequence number (ISN) for the connection, and the SYN itself consumes one sequence number; the same is true of FIN.

In Row Three, the entire row is also a single field, the Acknowledgement Number. This 32-bit value is the next sequence number the sender of this segment expects to receive from the other side: the sequence number of the last byte received in order, plus one. The field is meaningful only when the ACK flag is set (the flags are in the next row).

Continuing on to Row Four, starting on the left side is the Offset field (sometimes also called Header Length). This is a 4-bit value that gives the size of the TCP header in 32-bit words. Because the value is only 4 bits, the header can be at most 60 bytes. If no options are set, the header is 20 bytes and the field holds 5.

To the right is the Reserved field. In RFC 793 this is a 6-bit value that is always left at 0 by functioning TCP/IP hosts; it is not used for any normal network traffic.
After the Reserved field are the six Control Flags. Each flag is a single bit, either on or off, and they occupy the header in the following left-to-right order:

URG: If this is 1, the Urgent flag is set.
ACK: If this is 1, the Acknowledgement flag is set.
PSH: If this is 1, the Push flag is set.
RST: If this is 1, the Reset flag is set.
SYN: If this is 1, the Synchronize flag is set.
FIN: If this is 1, the Finish flag is set.

For a detailed discussion of the flags and their functions, review that section earlier in this lesson. Some combinations never occur in legitimate traffic (SYN together with FIN, for example, or a segment with no flags set at all), which is why the flag bits are among the first things a packet filter or intrusion detection system checks.

Following the Control Flags on Row Four is the Window Size. This 16-bit value is the number of bytes, starting with the one named in the Acknowledgement field, that the sender of this segment is willing to accept.

Moving on to Row Five, on the left side is the TCP Checksum. This is a 16-bit value that provides an integrity check

of the TCP header and the TCP data. The sender calculates the value and stores it, and the receiver recomputes it on receipt and compares the two. The checksum also covers a pseudo-header made up of the source and destination IP addresses, the protocol number, and the TCP length, so a segment whose IP addresses have been rewritten without a matching checksum update fails this check.

Following the TCP Checksum on Row Five is the Urgent Pointer. This 16-bit value is used when the sender must send emergency information. It is an offset from the sequence number that points to the byte following the urgent data, and it is meaningful only when the URG flag is set.

The Sixth Row is the Options field. Unlike the fields before it, this is variable in length, from 0 to 40 bytes, and it is padded with zeros so that the header ends on a 32-bit boundary. The most common option is the Maximum Segment Size (MSS), which appears only in SYN segments: each side uses it to tell the other the largest segment it is willing to receive. Other options you will see in modern captures include window scaling, selective acknowledgement (SACK), and timestamps.

The Seventh and final Row is the representation of the data. By this point the header is complete, and the data the user wants to send or receive follows it in the segment.

TASK 2E-1 Capturing and Identifying TCP Headers

Setup: You are logged on to Windows Server 2003 as Administrator. A command prompt and Network Monitor are running.

1. Begin a new capture.
2. Switch to the command prompt and initiate a Telnet session to a neighboring host. Whether or not it connects is not important at this time, so the Telnet service does not need to be running.
3. If the Telnet session starts, exit it; otherwise, close the command prompt.
4. Stop and view the capture.
5. Add a filter so that you see only TCP frames. For the specific steps to add filters, see Task 2B-1, step 12 through step 16.
6. Analyze the TCP headers in the frames.
7. When analyzing the headers, look for the following:
   a. Sequence Numbers.
   b. Acknowledgement Numbers.
   c. Source Port Numbers.
   d. Destination Port Numbers.
8. Once you have analyzed the headers, save the capture as Telnet_Attempt.cap and close it.
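As an added example (not part of the course text), the following Python program decodes a TCP header in the order Figure 2-18 presents it, verifies the checksum over the pseudo-header described above, and walks the Options field to pull out the MSS. It builds a constructed SYN to parse, modelled on frame 3 of ftp.cap: the source port 07E9 hex (2025), the destination port 21 and the initial sequence number 7A5487B0 hex are the values the text gives for that frame, while the IP addresses, the MSS of 1460 and the window size are assumptions.

```python
import struct
from ipaddress import IPv4Address

# The six control flags, left to right as they sit in the header (bit 5 down to bit 0).
FLAG_NAMES = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum, the same algorithm IP uses for its header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """RFC 793 pseudo-header: the IP addresses, a zero byte, protocol 6 and the TCP length."""
    return IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed + struct.pack("!BBH", 0, 6, tcp_len)


def parse_tcp_options(opts: bytes) -> dict:
    """Walk the kind/length/value list in the Options field; MSS (kind 2) is decoded."""
    out, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No-Operation, used as padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option at offset %d" % i)
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 2 and length == 4:
            out["mss"] = struct.unpack("!H", body)[0]
        else:
            out.setdefault("other", []).append((kind, body))
        i += length
    return out


def parse_tcp_segment(seg: bytes, src_ip: str, dst_ip: str) -> dict:
    """Decode a TCP header in wire order; the IP addresses are needed for the checksum."""
    if len(seg) < 20:
        raise ValueError("truncated: a TCP header is at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    header_len = ((off_flags >> 12) & 0xF) * 4          # Offset field, in 32-bit words
    if header_len < 20 or header_len > len(seg):
        raise ValueError("bad data offset %d" % header_len)
    flags = [name for i, name in enumerate(FLAG_NAMES) if off_flags & (1 << (5 - i))]
    return {
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "ack": ack if "ACK" in flags else None,         # meaningful only when ACK is set
        "header_len": header_len,
        "flags": flags,
        "window": window,
        "urgent_pointer": urg if "URG" in flags else None,
        "checksum_ok": inet_checksum(pseudo_header(src_ip, dst_ip, len(seg)) + seg) == 0,
        "options": parse_tcp_options(seg[20:header_len]),
        "payload": seg[header_len:],
    }


def build_syn(src_ip, dst_ip, sport, dport, isn, mss=1460, window=65535) -> bytes:
    """A SYN carrying an MSS option: the first segment of an Active Open."""
    options = struct.pack("!BBH", 2, 4, mss)             # kind 2, length 4, value
    off_flags = ((5 + len(options) // 4) << 12) | 0x02   # offset 6 words, SYN only
    hdr = struct.pack("!HHIIHHHH", sport, dport, isn, 0, off_flags, window, 0, 0) + options
    csum = inet_checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


# Constructed to mirror frame 3 of ftp.cap (port 07E9 hex -> 21, ISN 7A5487B0 hex);
# the IP addresses and the MSS value are assumed.
CLIENT_IP, SERVER_IP = "192.168.1.10", "192.168.1.20"
SYN = build_syn(CLIENT_IP, SERVER_IP, 2025, 21, 0x7A5487B0)

if __name__ == "__main__":
    h = parse_tcp_segment(SYN, CLIENT_IP, SERVER_IP)
    print("%d -> %d flags=%s seq=%08X options=%s checksum_ok=%s" % (
        h["src_port"], h["dst_port"], "/".join(h["flags"]), h["seq"], h["options"], h["checksum_ok"]))
```

Two things are worth trying with it. Verify the same bytes against a different source address and the checksum fails, which is the pseudo-header at work; and feed parse_tcp_options a byte string with a bad length and it raises rather than reading past the end of the header, the kind of check a dissector needs before it trusts anything in a captured frame.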

Topic 2F Capturing and Identifying UDP Headers

Compared to TCP, UDP is a very simple transport protocol. It has no handshake, no sequence numbers, and no acknowledgements; each datagram stands alone. The UDP header and data are completely encapsulated in the IP datagram (Protocol ID 17), just as with TCP. In Figure 2-19, you can see the actual format of the UDP header. There are three rows of information in the figure. Just as with TCP, when a computer receives the UDP header, it begins reading on Row One on the left side, bit by bit. Once it has read through Row One, it reads Row Two, and so on. To work with UDP further, refer to RFC 768.

Figure 2-19: A UDP header with all fields shown.

Using Figure 2-19, we will move through the header, identifying the function of each field. After identifying the header fields, we will use Network Monitor to capture and analyze the UDP header.

Starting on Row One, on the left side is the Source Port Number. This 16-bit value identifies the upper-layer application using UDP on the source host. The second field on Row One is the Destination Port Number, a 16-bit value that identifies the upper-layer application using UDP on the destination host.

On the Second Row, the field on the left is UDP Length. This 16-bit value is the length of the UDP header plus the UDP data, in bytes; since the header is always 8 bytes, the smallest legal value is 8. The second field on Row Two is the UDP Checksum, a 16-bit value that provides an integrity check of the UDP header and the UDP data (and, as with TCP, of a pseudo-header containing the IP addresses). The sender calculates the value and stores it, and the receiver recomputes it on receipt and compares the two. In IPv4 the UDP checksum is optional: a value of 0 means the sender did not compute one.

Row Three is where the actual user data is stored. It is possible for a user to send a UDP datagram with zero bytes of data.

One practical consequence of the missing handshake: nothing in the UDP header ties a datagram to an earlier one, so a UDP source address is trivial to spoof, and neither the receiver nor a sniffer can tell a genuine reply from an injected one by looking at the header alone.

TASK 2F-1 Working with UDP Headers

Setup: You are logged on to Windows Server 2003 as Administrator, and Network Monitor is running.

1. Browse to C:\Tools\Lesson2. In that folder is a file called tftp.cap. Open tftp.cap in Network Monitor.

2. Expand the details of any UDP frame, and compare it to the discussion. Look for the following:
   a. Source Port.
   b. Destination Port.
   c. What the actual UDP data is.
3. As you analyze this traffic, verify that no session was established, as UDP is connectionless.
4. Close the capture.

Topic 2G Analyzing Packet Fragmentation

Packet-switched networks will all, at one time or another, experience fragmentation. This is because complex networks are made up of various physical media and configurations: a packet of a certain size might fit fine on one segment but be larger than the next segment can carry. The largest packet a network can carry varies from network to network and is called the Maximum Transmission Unit (MTU). The official minimum MTU that every IP network must support is 68 bytes, and the largest possible datagram is 65,535 bytes.

When a datagram is fragmented, it is not reassembled until it reaches its final destination; the routers along the way forward the fragments independently. Each fragment becomes its own packet, transmitted, routed, and received on its own, with its own IP header. All fragments carry the Identification value of the original datagram, each carries its own Fragment Offset, and every fragment except the last has the MF flag set. Only the first fragment (offset 0) carries the TCP, UDP, or ICMP header; the others carry only data. A packet filter that matches on port numbers therefore sees a port number only in the first fragment, which is one reason many firewalls reassemble fragmented traffic before filtering it, or simply discard it.

TCP segments are sent in IP datagrams, and TCP expects a one-to-one ratio of segments to datagrams. Therefore, IP on the receiving end must completely reassemble the datagram before handing the segment to TCP. RFC 879 defines the following rules relating TCP to IP:

The TCP Maximum Segment Size (MSS) is the IP Maximum Datagram Size minus 40 octets (20 octets of IP header and 20 octets of TCP header).
The default IP Maximum Datagram Size is 576 octets.
The default TCP Maximum Segment Size is therefore 536 octets.

Fragmentation rarely happens at the source of a datagram, but it is possible. One example is a receiving host that announces an MSS many times larger than the sender's own link can carry. Another is a host on a small-packet network, such as a PPP link, running an application whose fixed message size exceeds the link MTU.
The common location for fragmentation, then, is a gateway, where the odds of different MTUs on different interfaces are very high. The following list shows the MTU for various media:

PPP: 296 bytes
Ethernet: 1500 bytes
FDDI: 4352 bytes
Token Ring (4 Mb/s): 4464 bytes
Token Ring (16 Mb/s): 17914 bytes

Figure 2-20: How fragmentation works.

TASK 2G-1 Analyzing Fragmentation

Setup: You are logged on to Windows Server 2003 as Administrator, and Network Monitor is running.

1. Navigate to C:\Tools\Lesson2 and open fragment.cap in Network Monitor.
2. Expand the details of frame 1, and look at the Flags field. The MF (More Fragments) bit is set, which tells you that this datagram continues in later frames.
3. Observe that, in frame 1, the Fragment Offset is 0, because this is the first fragment. It is also the only frame that carries the ICMP header.
4. Select several consecutive frames. Observe that each successive frame has a higher Fragment Offset as it gets farther from the beginning of the original datagram.
5. Observe that the IP Identification value stays constant across all the fragments.
6. Expand the details of the last frame in the capture.
7. Observe that the MF bit is now 0, indicating this is the last of the fragments; its Fragment Offset plus its data length gives the size of the original datagram.
8. Close the capture.
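As an added example (not part of the course text or of fragment.cap), the following Python program does what the gateway in Figure 2-20 and the receiving host do: it builds an ICMP echo request with 8000 bytes of data, the kind of large ping the review questions say produced fragment.cap, splits it into Ethernet-sized fragments following the rules above, and reassembles them. The addresses, the IP Identification value and the ping payload are constructed; the checksum routine is the same ones'-complement algorithm the IP header uses.

```python
import struct
from ipaddress import IPv4Address

ETHERNET_MTU = 1500


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(ident: int, seq: int, data: bytes) -> bytes:
    """ICMP Type 8 / Code 0; the checksum covers the entire message, header and data."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, inet_checksum(hdr + data), ident, seq) + data


def fragment(ip_id: int, src: str, dst: str, proto: int, payload: bytes, mtu: int) -> list:
    """Split one datagram's payload into fragments that each fit the MTU (RFC 791 rules)."""
    per_frag = (mtu - 20) // 8 * 8          # data per fragment must be a multiple of 8
    frags = []
    for off in range(0, len(payload), per_frag):
        chunk = payload[off:off + per_frag]
        mf = off + len(chunk) < len(payload)            # MF on all but the last fragment
        flags_frag = (int(mf) << 13) | (off // 8)       # offset field counts 8-byte units
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ip_id, flags_frag, 64,
                          proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
        hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
        frags.append(hdr + chunk)
    return frags


def fragment_info(frag: bytes) -> dict:
    """The header fields a receiver needs to reassemble: Identification, MF flag, offset."""
    ver_ihl, _, total_len, ident, flags_frag = struct.unpack("!BBHHH", frag[:8])
    return {"id": ident, "mf": bool(flags_frag & 0x2000), "offset": (flags_frag & 0x1FFF) * 8,
            "data": frag[(ver_ihl & 0xF) * 4:total_len]}


def reassemble(frags: list) -> bytes:
    """Rebuild the original payload; refuse gaps, overlaps and fragments of other datagrams."""
    pieces, ip_id, total = {}, None, None
    for f in frags:
        info = fragment_info(f)
        if ip_id is None:
            ip_id = info["id"]
        elif info["id"] != ip_id:
            raise ValueError("fragment belongs to a different datagram")
        pieces[info["offset"]] = info["data"]
        if not info["mf"]:
            total = info["offset"] + len(info["data"])   # the last fragment fixes the size
    if total is None:
        raise ValueError("last fragment (MF = 0) never arrived")
    out, expected = bytearray(), 0
    for off in sorted(pieces):
        if off != expected:
            raise ValueError("gap or overlap at offset %d" % off)
        out += pieces[off]
        expected = off + len(pieces[off])
    if expected != total:
        raise ValueError("reassembled length does not match the last fragment")
    return bytes(out)


# Constructed: a ping with 8000 bytes of data, as "ping -l 8000" would send; addresses assumed.
PING = build_echo_request(ident=0x0200, seq=1, data=bytes(range(256)) * 31 + bytes(64))
FRAGS = fragment(0x4B2D, "192.168.1.10", "192.168.1.20", 1, PING, ETHERNET_MTU)

if __name__ == "__main__":
    for n, f in enumerate(FRAGS, 1):
        i = fragment_info(f)
        print("frame %d: id=%04X offset=%5d MF=%d  ICMP header present: %s" % (
            n, i["id"], i["offset"], i["mf"], i["offset"] == 0))
    print("reassembled ICMP checksum ok:", inet_checksum(reassemble(FRAGS)) == 0)
```

The printed table is the same picture Task 2G-1 has you read out of fragment.cap: one Identification value throughout, offsets climbing in multiples of 8, MF set on every fragment but the last, and the ICMP header visible only at offset 0. Because reassembly insists that the offsets be contiguous, it also rejects a fragment set with a hole in it or with fragments that overlap, rather than silently accepting whichever copy arrived last.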

Topic 2H Analyzing an Entire Session

Now that you have analyzed IP, TCP, UDP, ICMP, fragmentation, handshakes, and teardowns, it is time to put them together. In this topic, you will follow along using two sample captures that were made specifically for this purpose. One capture is a ping capture, and the other is an FTP capture. By analyzing them, you will see how TCP/IP functions from start to finish.

About the Tasks

In the following tasks, Windows Server 2003 Network Monitor was used to capture a ping between two hosts and an FTP session between two hosts. The ping and ftp commands were run from the command prompt, and the output was saved to the text files ping.txt and ftp.txt, respectively. The Network Monitor captures were saved to the files ping.cap and ftp.cap, respectively. You can open the TXT files with Notepad to see the commands and responses. You can open the CAP files with Network Monitor and see the frames captured as a result. Let's take a look.

TASK 2H-1 Performing a Complete ICMP Session Analysis

Objective: To use the supplied capture and text files to examine the TCP/IP headers, in order to understand how a session is set up, used, and torn down.

Setup: You are logged on to Windows Server 2003 as Administrator, and Network Monitor is running.

1. Start Notepad and open the file ping.txt. This file is in C:\Tools\Lesson2. You should see the output shown in the following graphic.
2. Keep this file open.
3. Switch to Network Monitor, and open the file ping.cap. It is also located in C:\Tools\Lesson2.

4. Observe that frame 1 is an ARP request, sent as an Ethernet broadcast, asking which station owns the target IP address so that the address can be resolved to a MAC address.
5. Observe that frame 2 is the ARP reply from the target machine, supplying its MAC address. From now on, the two hosts can communicate directly.

6. Observe the next two frames. They are the ICMP echo messages going back and forth between the two hosts, corresponding to the output in the text file. Examine the ICMP messages, and see the details in frames 3 and 4 as shown in the following graphics. The Identifier and Sequence Number in the reply match those in the request; that is how ping pairs each reply with the request it answers.
7. Observe that, for the ping command, no session was set up or torn down: just a simple ICMP echo request (Type 8), followed by an ICMP echo reply (Type 0).
8. Close ping.cap and ping.txt.

Continuing the Complete Session Analysis

In the last task, one host successfully pinged another, in preparation for establishing an FTP transaction. We will look at the FTP portion of the session, but before we do, a quick differentiation between active and passive FTP is in order.

FTP Communication

Up to this point you have been examining ICMP communication. Now you will examine an active FTP session. There are two different modes of FTP, something that many administrators are unfamiliar with. The two modes are simply called active and passive. What sets FTP apart from most protocols is that it uses two TCP connections: a command (control) connection, and a separate data connection for each directory listing or file transfer. The two modes differ in who opens the data connection.

The mode most people think of with FTP is active FTP. In active FTP, the client connects from a port higher than 1024 (call it X) to port 21 on the server, and the FTP command and control session is established. When data is to be transferred, the client tells the server, in a PORT command, which address and port to connect to, conventionally the next port up, X+1. The server then opens the data connection itself, from its port 20 to that client port, and sends the data over it.

In passive mode FTP, the client initiates both connections. The client opens the command connection from port X to server port 21 as before. When it needs a data connection, it sends a PASV command; the server opens a random port higher than 1024 (call it Y) and sends that address and port back to the client in its reply. The client then connects from another high port (X+1, say) to server port Y and requests the data transfer over that connection.

When active FTP is used, a situation arises that firewalls dislike. The first part of the FTP session, from client to server, is not a problem.

However, when the server opens the data connection back to the client, the firewall sees a new connection started from an untrusted network, trying to gain access to the private network, and blocks it unless it understands FTP well enough to know that the client asked for it.
Passive FTP solves this problem on the firewall, since both parts of the FTP session originate from the FTP client, and no connection starts from an untrusted network. Passive FTP has a different problem, not on the firewall but on the server itself. Because the client connects to a server-chosen port for each transfer, the FTP server must be able to listen on any high port, meaning that all high ports must be open and reachable. To deal with this, many FTP applications now include a feature that limits the port range the server will use for passive data connections, so that only that range needs to be opened. Note that in both modes the address and port of the data connection travel inside the command channel, in the PORT command or the PASV reply; a firewall has to read the command channel to know which data connection to expect.
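As an added example (not part of the course text), the following Python program reads the two command-channel lines that set up an FTP data connection, the client's PORT command and the server's 227 reply to PASV, and works out from them which side will open the data connection and between which sockets, which is exactly the question a firewall has to answer. The lines are constructed: the client's command port 2025 (07E9 hex) is the one the text gives for frame 3 of ftp.cap, while the IP addresses and the two data ports are assumptions.

```python
import re

# PORT h1,h2,h3,h4,p1,p2 from the client; "227 ... (h1,h2,h3,h4,p1,p2)" from the server.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups) -> tuple:
    """Six decimal fields: four address octets, then the port as p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("field out of range")
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def data_connection(line: str, from_client: bool, client_ip: str, server_ip: str):
    """Given one command-channel line, describe the data connection it sets up, or None."""
    if from_client:
        m = PORT_RE.match(line)
        if not m:
            return None
        host, port = decode_hostport(m.groups())
        return {"mode": "active", "opened_by": "server",
                "src": (server_ip, 20), "dst": (host, port),
                # a PORT address other than the client's own is something to refuse
                "address_matches_control": host == client_ip}
    m = PASV_RE.match(line)
    if not m:
        return None
    host, port = decode_hostport(m.groups())
    return {"mode": "passive", "opened_by": "client",
            "src": (client_ip, None), "dst": (host, port),   # client picks an ephemeral port
            "address_matches_control": host == server_ip}


def inbound_to_client(conn: dict) -> bool:
    """Would a filter that permits only client-initiated connections need an exception?"""
    return conn["opened_by"] == "server"


# Constructed command-channel lines. 7*256 + 234 = 2026, one higher than the command
# port 2025 (07E9 hex) seen in ftp.cap; 8*256 + 1 = 2049 is the server's assumed choice.
CLIENT_IP, SERVER_IP = "192.168.1.10", "192.168.1.20"
ACTIVE = data_connection("PORT 192,168,1,10,7,234", True, CLIENT_IP, SERVER_IP)
PASSIVE = data_connection("227 Entering Passive Mode (192,168,1,20,8,1).", False, CLIENT_IP, SERVER_IP)

if __name__ == "__main__":
    for c in (ACTIVE, PASSIVE):
        print("%-7s data connection %s:%s -> %s:%s opened by %s; inbound to client: %s" % (
            c["mode"], *c["src"], *c["dst"], c["opened_by"], inbound_to_client(c)))
```

The address_matches_control flag is the extra check worth keeping: a PORT command naming a host other than the one that sent it asks the server to open a data connection to a third party, and a server or firewall has no good reason to honour that.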

TASK 2H-2 Performing a Complete FTP Session Analysis

Objective: To use the supplied capture and text files to examine the TCP/IP headers, in order to understand how a session is set up, used, and torn down.

Setup: You are logged on to Windows Server 2003 as Administrator. Notepad and Network Monitor are running.

1. Switch to Notepad and open ftp.txt. This file is located in C:\Tools\Lesson2. You should see the results shown in the following graphic.
2. Observe that, in this session, when the FTP server asks for a password, the user enters it but it is not echoed on screen. As you will see in the capture, that does not mean it was protected on the wire.

3. Switch to Network Monitor, and open ftp.cap in C:\Tools\Lesson2. You should see results similar to those shown in the following graphics. (Depending on the version of Network Monitor you are using, MAC and IP addresses might be displayed in hex, and the time might be in a different format.) There are 51 frames in this capture.
4. If you would like to change the color of the FTP packets for easier viewing, choose Display > Colors. Scroll down and select FTP; then, from the Background drop-down list, select a mild color such as gray or teal, and click OK. If you select a darker color, it might make the text harder to read. If you would like to change the format of the addresses from hex to more readable names, choose Display > Addresses, and click Add. In the box that is displayed, enter FTPSITE for the Name, enter 002B32CFC72 for the Address, verify that the Type is Ethernet, and click OK. Click Add again, then enter LOCAL for the Name, enter 0002B32C5B13 for the Address, verify that the Type is Ethernet, and click OK twice.

5. Observe that frames 3, 4, and 5 are the TCP three-way handshake that establishes the session. The frames shaded gray (6, 8-9, 11-12, 14, 16-19, 23, 29, 31-34, 38, 44, and 46-47) are all directly involved with the FTP application: authentication, requests for directory information, an actual file transfer, and finally a quit and its bye response.
6. Observe that in frame 8, you can see the user name being supplied.
7. Observe that in frame 9, you can see the request for a password.
8. Observe that in frame 11, you can see the password being supplied. Isn't this a good enough reason to employ some secure authentication, such as encryption?
9. Let's view the three-way handshake frames in more detail. Frame 3 starts the handshake (the Active Open) by setting the SYN bit to 1, using source port 07E9 hex (2025 decimal), and directing the request to port 21 (15 hex) on the server. The initial sequence number in this frame (7A5487B0 hex) is chosen by the client for this connection; every later segment the client sends is numbered relative to it, which is how the two sides keep this connection distinct from any other between the same two hosts.

10. Let's look at the reply. The reply from the FTP server in frame 4 includes an ACK, acknowledging the client's sequence number plus one, while simultaneously including a SYN with the server's own initial sequence number. This is the Passive Open.
11. Observe that frame 5 is the ACK from the client, which completes the handshake. Once the session is established, FTP can continue with its own setup. This includes a login and a password (to be supplied if anonymous access is not supported), followed by file requests.

12. Observe that frame 6 shows the FTP server asking for user identification. Frame 8 shows the FTP client supplying the user name of test user.
13. Observe that this is met by the FTP server asking for the password in frame 9.

14. Observe that in frame 11, you can see the password being offered. Because no secure method of authentication was set up, you can read the actual password (the word plaintext) straight out of the frame, exactly as anyone else on the network path could.
15. Observe that once the user has been authenticated, the FTP session is allowed to continue. The FTP server sends the welcome message shown in frame 12.

16. Observe that the rest of the frames dealing with FTP (frames 14, 16-19, 23, 29, 31-34, 38, and 44) have to do with directory listings and file transfers.


17. Observe that in frame 38, you can see the actual contents of the file as it is being transferred. In this case, because it is just a text file, you can read the contents.
18. Observe that in frame 46, you can see the client attempt to close the connection with the Quit command.

19. Observe that in frame 47, you can see the server's reply to the client with the message See ya later.

20. Observe that these messages are followed by TCP terminating the session from both ends, in frames 48 and 49, and 50 and 51, respectively. In each pair, the first frame has the FIN bit set to 1, and the corresponding frame has the ACK bit set to 1, acknowledging the FIN.

21. Close Network Monitor. If you are prompted to save addresses, click No.
22. Close Notepad.

Summary

In this lesson, you looked deep into the structure of the TCP/IP protocols. You reviewed the RFCs associated with IP, ICMP, TCP, and UDP. You then used Network Monitor and Wireshark to capture and analyze IP packets. You examined captures associated with network traffic. You learned to read the actual data being transmitted between two or more hosts. Finally, you analyzed a complete session, frame by frame.

Lesson Review

2A
How many layers are in the OSI Model? Seven.
How many layers are in the TCP/IP Model? Four.
What are the assignable classes of IP addresses? A, B, and C.
What are the three private ranges of IP addresses, as defined in the RFCs?
   a. 10.0.0.0 to 10.255.255.255
   b. 172.16.0.0 to 172.31.255.255
   c. 192.168.0.0 to 192.168.255.255

2B
How many control flags are in a TCP header? Six.
What is the function of an acknowledgement number? To acknowledge received data. Its value is the sequence number of the received segment plus the sequence space that segment used (its data length, or one for a SYN or FIN), that is, the next byte the sender expects to receive.
How many steps are required to establish a TCP connection? Three.
How many steps are required to tear down a TCP connection? Four.
What are the two main views of Network Monitor? Display View and Capture View.

2C
What is the first field that is read by the computer in the IP header? Version.

What is the Protocol ID of ICMP in the IP header? 1.
What is the Protocol ID of TCP in the IP header? 6.
What is the Protocol ID of UDP in the IP header? 17.

2D
What is the first field that is read by the computer in the ICMP message? Type.
How many bits make up the Type field? Eight.
How many bits make up the Code field? Eight.

2E
What is the first field that is read by the computer in the TCP header? Source Port Number.
How many control bits are in the TCP header? Six.
How many bits is the Sequence Number? 32.
How many bits is the Acknowledgement Number? 32.

2F
What is the first field that is read by the computer in the UDP header? Source Port Number.
What are the UDP header and data encapsulated in? An IP datagram.
How many bits are the source and destination port numbers? 16 each.
What is in the payload of the tftp.cap file that you analyzed? A Cisco router configuration and its access lists, readable in the clear.

2G
In the fragment.cap file that you analyzed, how do you suppose this fragmentation happened? By a user sending a large ping. (See the file fragment.txt, in the same folder as fragment.cap, to understand how this was initiated.)

Why is there no upper-layer protocol listed in the Detail pane for frames 2 through 13? These are the subsequent fragments. The upper-layer header travels in the first fragment only, so they carry no header information other than IP.
What was the upper-layer protocol that caused the fragmentation? ICMP.

2H
In the FTP capture file that you analyzed in this topic, what pair of sockets is involved in the initial three-way handshake? On the client: the client's IP address, port 2025 (07E9 hex, as seen in frame 3). On the FTP server: the server's IP address, port 21.
In the FTP capture file that you analyzed in this topic, what pair of sockets is involved in the exchange of FTP data in response to the request for a directory listing? On the FTP server: the server's IP address, port 20. On the client: the client's IP address and the data port it announced to the server, one higher than its command port.
In the FTP capture file that you analyzed in this topic, what frames indicate that a three-way handshake is taking place between the FTP server and the client in preparation for sending the FTP data in response to the request for the file textfile.txt? Frames 35, 36, and 37.


More information

Hands-on Network Traffic Analysis. 2015 Cyber Defense Boot Camp

Hands-on Network Traffic Analysis. 2015 Cyber Defense Boot Camp Hands-on Network Traffic Analysis 2015 Cyber Defense Boot Camp What is this about? Prerequisite: network packet & packet analyzer: (header, data) Enveloped letters inside another envelope Exercises Basic

More information

Basic Networking Concepts. 1. Introduction 2. Protocols 3. Protocol Layers 4. Network Interconnection/Internet

Basic Networking Concepts. 1. Introduction 2. Protocols 3. Protocol Layers 4. Network Interconnection/Internet Basic Networking Concepts 1. Introduction 2. Protocols 3. Protocol Layers 4. Network Interconnection/Internet 1 1. Introduction -A network can be defined as a group of computers and other devices connected

More information

Chapter 3. TCP/IP Networks. 3.1 Internet Protocol version 4 (IPv4)

Chapter 3. TCP/IP Networks. 3.1 Internet Protocol version 4 (IPv4) Chapter 3 TCP/IP Networks 3.1 Internet Protocol version 4 (IPv4) Internet Protocol version 4 is the fourth iteration of the Internet Protocol (IP) and it is the first version of the protocol to be widely

More information

TCP/IP Basis. OSI Model

TCP/IP Basis. OSI Model TCP/IP Basis 高 雄 大 學 資 訊 工 程 學 系 嚴 力 行 Source OSI Model Destination Application Presentation Session Transport Network Data-Link Physical ENCAPSULATION DATA SEGMENT PACKET FRAME BITS 0101010101010101010

More information

CS 326e F2002 Lab 1. Basic Network Setup & Ethereal Time: 2 hrs

CS 326e F2002 Lab 1. Basic Network Setup & Ethereal Time: 2 hrs CS 326e F2002 Lab 1. Basic Network Setup & Ethereal Time: 2 hrs Tasks: 1 (10 min) Verify that TCP/IP is installed on each of the computers 2 (10 min) Connect the computers together via a switch 3 (10 min)

More information

IP Network Layer. Datagram ID FLAG Fragment Offset. IP Datagrams. IP Addresses. IP Addresses. CSCE 515: Computer Network Programming TCP/IP

IP Network Layer. Datagram ID FLAG Fragment Offset. IP Datagrams. IP Addresses. IP Addresses. CSCE 515: Computer Network Programming TCP/IP CSCE 515: Computer Network Programming TCP/IP IP Network Layer Wenyuan Xu Department of Computer Science and Engineering University of South Carolina IP Datagrams IP is the network layer packet delivery

More information

Technical Support Information Belkin internal use only

Technical Support Information Belkin internal use only The fundamentals of TCP/IP networking TCP/IP (Transmission Control Protocol / Internet Protocols) is a set of networking protocols that is used for communication on the Internet and on many other networks.

More information

Lecture Computer Networks

Lecture Computer Networks Prof. Dr. H. P. Großmann mit M. Rabel sowie H. Hutschenreiter und T. Nau Sommersemester 2012 Institut für Organisation und Management von Informationssystemen Thomas Nau, kiz Lecture Computer Networks

More information

TCP/IP Fundamentals. OSI Seven Layer Model & Seminar Outline

TCP/IP Fundamentals. OSI Seven Layer Model & Seminar Outline OSI Seven Layer Model & Seminar Outline TCP/IP Fundamentals This seminar will present TCP/IP communications starting from Layer 2 up to Layer 4 (TCP/IP applications cover Layers 5-7) IP Addresses Data

More information

Overview of TCP/IP. TCP/IP and Internet

Overview of TCP/IP. TCP/IP and Internet Overview of TCP/IP System Administrators and network administrators Why networking - communication Why TCP/IP Provides interoperable communications between all types of hardware and all kinds of operating

More information

8.2 The Internet Protocol

8.2 The Internet Protocol TCP/IP Protocol Suite HTTP SMTP DNS RTP Distributed applications Reliable stream service TCP UDP User datagram service Best-effort connectionless packet transfer Network Interface 1 IP Network Interface

More information

Guideline for setting up a functional VPN

Guideline for setting up a functional VPN Guideline for setting up a functional VPN Why do I want a VPN? VPN by definition creates a private, trusted network across an untrusted medium. It allows you to connect offices and people from around the

More information

Lecture 15. IP address space managed by Internet Assigned Numbers Authority (IANA)

Lecture 15. IP address space managed by Internet Assigned Numbers Authority (IANA) Lecture 15 IP Address Each host and router on the Internet has an IP address, which consist of a combination of network number and host number. The combination is unique; no two machines have the same

More information

CCNA Tutorial Series SUBNETTING

CCNA Tutorial Series SUBNETTING CCNA Tutorial Series This document contains the Course Map For The Interactive flash tutorial at: http://www.semsim.com/ccna/tutorial/subnetting/subnetting.html HOME PAGE Course Objectives Pre-test By

More information

IP Subnetting and Addressing

IP Subnetting and Addressing Indian Institute of Technology Kharagpur IP Subnetting and Addressing Prof Indranil Sengupta Computer Science and Engineering Indian Institute of Technology Kharagpur Lecture 6: IP Subnetting and Addressing

More information

How do I get to www.randomsite.com?

How do I get to www.randomsite.com? Networking Primer* *caveat: this is just a brief and incomplete introduction to networking to help students without a networking background learn Network Security. How do I get to www.randomsite.com? Local

More information

Introduction to IP v6

Introduction to IP v6 IP v 1-3: defined and replaced Introduction to IP v6 IP v4 - current version; 20 years old IP v5 - streams protocol IP v6 - replacement for IP v4 During developments it was called IPng - Next Generation

More information

Module 2: Assigning IP Addresses in a Multiple Subnet Network

Module 2: Assigning IP Addresses in a Multiple Subnet Network Module 2: Assigning IP Addresses in a Multiple Subnet Network Contents Overview 1 Lesson: Assigning IP Addresses 2 Lesson: Creating a Subnet 19 Lesson: Using IP Routing Tables 29 Lesson: Overcoming Limitations

More information

Unit 4. Introduction to TCP/IP. Overview. Description. Unit Table of Contents

Unit 4. Introduction to TCP/IP. Overview. Description. Unit Table of Contents Unit 4 Introduction to TCP/IP Overview Description This unit contains one lesson: This lesson will introduce protocols in general. You will look at how a protocol functions, the differences between a routable

More information

IP address format: Dotted decimal notation: 10000000 00001011 00000011 00011111 128.11.3.31

IP address format: Dotted decimal notation: 10000000 00001011 00000011 00011111 128.11.3.31 IP address format: 7 24 Class A 0 Network ID Host ID 14 16 Class B 1 0 Network ID Host ID 21 8 Class C 1 1 0 Network ID Host ID 28 Class D 1 1 1 0 Multicast Address Dotted decimal notation: 10000000 00001011

More information

Internetworking and IP Address

Internetworking and IP Address Lecture 8 Internetworking and IP Address Motivation of Internetworking Internet Architecture and Router Internet TCP/IP Reference Model and Protocols IP Addresses - Binary and Dotted Decimal IP Address

More information

Understanding Layer 2, 3, and 4 Protocols

Understanding Layer 2, 3, and 4 Protocols 2 Understanding Layer 2, 3, and 4 Protocols While many of the concepts well known to traditional Layer 2 and Layer 3 networking still hold true in content switching applications, the area introduces new

More information

Transport Layer Protocols

Transport Layer Protocols Transport Layer Protocols Version. Transport layer performs two main tasks for the application layer by using the network layer. It provides end to end communication between two applications, and implements

More information

Transport Layer. Chapter 3.4. Think about

Transport Layer. Chapter 3.4. Think about Chapter 3.4 La 4 Transport La 1 Think about 2 How do MAC addresses differ from that of the network la? What is flat and what is hierarchical addressing? Who defines the IP Address of a device? What is

More information

PART IV. Network Layer

PART IV. Network Layer PART IV Network Layer Position of network layer Network layer duties Internetworking : heterogeneous Physical Networks To look Like a single network to he upper layers The address at Network layer must

More information

2. IP Networks, IP Hosts and IP Ports

2. IP Networks, IP Hosts and IP Ports 1. Introduction to IP... 1 2. IP Networks, IP Hosts and IP Ports... 1 3. IP Packet Structure... 2 4. IP Address Structure... 2 Network Portion... 2 Host Portion... 3 Global vs. Private IP Addresses...3

More information

Introduction to Network Security Lab 1 - Wireshark

Introduction to Network Security Lab 1 - Wireshark Introduction to Network Security Lab 1 - Wireshark Bridges To Computing 1 Introduction: In our last lecture we discussed the Internet the World Wide Web and the Protocols that are used to facilitate communication

More information

Transport and Network Layer

Transport and Network Layer Transport and Network Layer 1 Introduction Responsible for moving messages from end-to-end in a network Closely tied together TCP/IP: most commonly used protocol o Used in Internet o Compatible with a

More information

Computer Networks. Introduc)on to Naming, Addressing, and Rou)ng. Week 09. College of Information Science and Engineering Ritsumeikan University

Computer Networks. Introduc)on to Naming, Addressing, and Rou)ng. Week 09. College of Information Science and Engineering Ritsumeikan University Computer Networks Introduc)on to Naming, Addressing, and Rou)ng Week 09 College of Information Science and Engineering Ritsumeikan University MAC Addresses l MAC address is intended to be a unique identifier

More information

Lab 10.4.1 IP Addressing Overview

Lab 10.4.1 IP Addressing Overview Lab 10.4.1 IP ing Overview Estimated time: 30 min. Objectives: Background: This lab will focus on your ability to accomplish the following tasks: Name the five different classes of IP addresses Describe

More information

Understanding TCP/IP. Introduction. What is an Architectural Model? APPENDIX

Understanding TCP/IP. Introduction. What is an Architectural Model? APPENDIX APPENDIX A Introduction Understanding TCP/IP To fully understand the architecture of Cisco Centri Firewall, you need to understand the TCP/IP architecture on which the Internet is based. This appendix

More information

TCP/IP Network Essentials. Linux System Administration and IP Services

TCP/IP Network Essentials. Linux System Administration and IP Services TCP/IP Network Essentials Linux System Administration and IP Services Layers Complex problems can be solved using the common divide and conquer principle. In this case the internals of the Internet are

More information

Expert Reference Series of White Papers. Basics of IP Address Subnetting

Expert Reference Series of White Papers. Basics of IP Address Subnetting Expert Reference Series of White Papers Basics of IP Address Subnetting 1-800-COURSES www.globalknowledge.com Basics of IP Address Subnetting Norbert Gregorio, Global Knowledge Instructor Introduction

More information

The OSI model has seven layers. The principles that were applied to arrive at the seven layers can be briefly summarized as follows:

The OSI model has seven layers. The principles that were applied to arrive at the seven layers can be briefly summarized as follows: 1.4 Reference Models Now that we have discussed layered networks in the abstract, it is time to look at some examples. In the next two sections we will discuss two important network architectures, the

More information

CE363 Data Communications & Networking. Chapter 6 Network Layer: Logical Addressing

CE363 Data Communications & Networking. Chapter 6 Network Layer: Logical Addressing CE363 Data Communications & Networking Chapter 6 Network Layer: Logical Addressing TCP/IP and OSI model APPLICATION APPLICATION PRESENTATION SESSION TRANSPORT NETWORK Host-Network TRANSPORT NETWORK DATA

More information

TCP/IP and the Internet

TCP/IP and the Internet TCP/IP and the Internet Computer networking today is becoming more and more entwined with the internet. By far the most popular protocol set in use is TCP/IP (Transmission Control Protocol/Internet Protocol).

More information

Ethernet and IP A slightly less introductory networking class. Drew Saunders Networking Systems Stanford University

Ethernet and IP A slightly less introductory networking class. Drew Saunders Networking Systems Stanford University Ethernet and IP A slightly less introductory networking class Drew Saunders Networking Systems Stanford University Goals of Class Slightly more in-depth knowledge of Ethernet. Internet Protocol, TCP, UDP,

More information

Gary Hecht Computer Networking (IP Addressing, Subnet Masks, and Packets)

Gary Hecht Computer Networking (IP Addressing, Subnet Masks, and Packets) Gary Hecht Computer Networking (IP Addressing, Subnet Masks, and Packets) The diagram below illustrates four routers on the Internet backbone along with two companies that have gateways for their internal

More information

Protocols and Architecture. Protocol Architecture.

Protocols and Architecture. Protocol Architecture. Protocols and Architecture Protocol Architecture. Layered structure of hardware and software to support exchange of data between systems/distributed applications Set of rules for transmission of data between

More information

The OSI and TCP/IP Models. Lesson 2

The OSI and TCP/IP Models. Lesson 2 The OSI and TCP/IP Models Lesson 2 Objectives Exam Objective Matrix Technology Skill Covered Exam Objective Exam Objective Number Introduction to the OSI Model Compare the layers of the OSI and TCP/IP

More information

Internet Working 5 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2004

Internet Working 5 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2004 5 th lecture Chair of Communication Systems Department of Applied Sciences University of Freiburg 2004 1 43 Last lecture Lecture room hopefully all got the message lecture on tuesday and thursday same

More information

2057-15. First Workshop on Open Source and Internet Technology for Scientific Environment: with case studies from Environmental Monitoring

2057-15. First Workshop on Open Source and Internet Technology for Scientific Environment: with case studies from Environmental Monitoring 2057-15 First Workshop on Open Source and Internet Technology for Scientific Environment: with case studies from Environmental Monitoring 7-25 September 2009 TCP/IP Networking Abhaya S. Induruwa Department

More information

Lab 10.3.5a Basic Subnetting

Lab 10.3.5a Basic Subnetting Lab 10.3.5a Basic Subnetting Objective How to identify reasons to use a subnet mask How to distinguish between a default subnet mask and a custom subnet mask What given requirements determine the subnet

More information

Internet Protocols. Background CHAPTER

Internet Protocols. Background CHAPTER CHAPTER 3 Internet Protocols Background The Internet protocols are the world s most popular open-system (nonproprietary) protocol suite because they can be used to communicate across any set of interconnected

More information

The Subnet Training Guide

The Subnet Training Guide The Subnet Training Guide A Step By Step Guide on Understanding and Solving Subnetting Problems by Brendan Choi v25 easysubnetcom The Subnet Training Guide v25 easysubnetcom Chapter 1 Understanding IP

More information

One of the most important topics in any discussion of TCP/IP is IP. IP Addressing

One of the most important topics in any discussion of TCP/IP is IP. IP Addressing IP Addressing 125 machine, called a RARP server, responds with the answer, and the identity crisis is over. RARP uses the information it does know about the machine s MAC address to learn its IP address

More information

GlobalSCAPE DMZ Gateway, v1. User Guide

GlobalSCAPE DMZ Gateway, v1. User Guide GlobalSCAPE DMZ Gateway, v1 User Guide GlobalSCAPE, Inc. (GSB) Address: 4500 Lockhill-Selma Road, Suite 150 San Antonio, TX (USA) 78249 Sales: (210) 308-8267 Sales (Toll Free): (800) 290-5054 Technical

More information

Networking Basics for Automation Engineers

Networking Basics for Automation Engineers Networking Basics for Automation Engineers Page 1 of 10 mac-solutions.co.uk v1.0 Oct 2014 1. What is Transmission Control Protocol/Internet Protocol (TCP/IP)------------------------------------------------------------

More information

Computer Networks. Lecture 3: IP Protocol. Marcin Bieńkowski. Institute of Computer Science University of Wrocław

Computer Networks. Lecture 3: IP Protocol. Marcin Bieńkowski. Institute of Computer Science University of Wrocław Computer Networks Lecture 3: IP Protocol Marcin Bieńkowski Institute of Computer Science University of Wrocław Computer networks (II UWr) Lecture 3 1 / 24 In previous lectures We learned about layer 1

More information

IP Addressing and Subnetting. 2002, Cisco Systems, Inc. All rights reserved.

IP Addressing and Subnetting. 2002, Cisco Systems, Inc. All rights reserved. IP Addressing and Subnetting 2002, Cisco Systems, Inc. All rights reserved. 1 Objectives Upon completion, you will be able to: Discuss the Types of Network Addressing Explain the Form of an IP Address

More information

Networking Security IP packet security

Networking Security IP packet security Networking Security IP packet security Networking Security IP packet security Copyright International Business Machines Corporation 1998,2000. All rights reserved. US Government Users Restricted Rights

More information

Chapter 3: Review of Important Networking Concepts. Magda El Zarki Dept. of CS UC Irvine [email protected] http://www.ics.uci.

Chapter 3: Review of Important Networking Concepts. Magda El Zarki Dept. of CS UC Irvine elzarki@uci.edu http://www.ics.uci. Chapter 3: Review of Important Networking Concepts Magda El Zarki Dept. of CS UC Irvine [email protected] http://www.ics.uci.edu/~magda 1 Networking Concepts Protocol Architecture Protocol Layers Encapsulation

More information

Computer Networks/DV2 Lab

Computer Networks/DV2 Lab Computer Networks/DV2 Lab Room: BB 219 Additional Information: http://www.fb9dv.uni-duisburg.de/ti/en/education/teaching/ss08/netlab Equipment for each group: - 1 Server computer (OS: Windows 2000 Advanced

More information

PART OF THE PICTURE: The TCP/IP Communications Architecture

PART OF THE PICTURE: The TCP/IP Communications Architecture PART OF THE PICTURE: The / Communications Architecture 1 PART OF THE PICTURE: The / Communications Architecture BY WILLIAM STALLINGS The key to the success of distributed applications is that all the terminals

More information

Network layer: Overview. Network layer functions IP Routing and forwarding

Network layer: Overview. Network layer functions IP Routing and forwarding Network layer: Overview Network layer functions IP Routing and forwarding 1 Network layer functions Transport packet from sending to receiving hosts Network layer protocols in every host, router application

More information

IPv4 Addressing Simplified. by Ken Foster B.S. IT Information; Security and Forensics Kaplan University January 23, 2011

IPv4 Addressing Simplified. by Ken Foster B.S. IT Information; Security and Forensics Kaplan University January 23, 2011 IPv4 Addressing Simplified by Ken Foster B.S. IT Information; Security and Forensics Kaplan University January 23, 2011 The concept of IP Addressing is foundational to overall routing in general. Without

More information

Chapter 12 Supporting Network Address Translation (NAT)

Chapter 12 Supporting Network Address Translation (NAT) [Previous] [Next] Chapter 12 Supporting Network Address Translation (NAT) About This Chapter Network address translation (NAT) is a protocol that allows a network with private addresses to access information

More information

- IPv4 Addressing and Subnetting -

- IPv4 Addressing and Subnetting - 1 Hardware Addressing - IPv4 Addressing and Subnetting - A hardware address is used to uniquely identify a host within a local network. Hardware addressing is a function of the Data-Link layer of the OSI

More information

Raritan Valley Community College Academic Course Outline. CISY 253 - Advanced Computer Networking

Raritan Valley Community College Academic Course Outline. CISY 253 - Advanced Computer Networking Raritan Valley Community College Academic Course Outline CISY 253 - Advanced Computer Networking I. Basic Course Information A. Course number and Title: CISY 253- Advanced Computer Networking (TCP/IP)

More information

NETWORK LAYER/INTERNET PROTOCOLS

NETWORK LAYER/INTERNET PROTOCOLS CHAPTER 3 NETWORK LAYER/INTERNET PROTOCOLS You will learn about the following in this chapter: IP operation, fields and functions ICMP messages and meanings Fragmentation and reassembly of datagrams IP

More information

UPPER LAYER SWITCHING

UPPER LAYER SWITCHING 52-20-40 DATA COMMUNICATIONS MANAGEMENT UPPER LAYER SWITCHING Gilbert Held INSIDE Upper Layer Operations; Address Translation; Layer 3 Switching; Layer 4 Switching OVERVIEW The first series of LAN switches

More information

Unix System Administration

Unix System Administration Unix System Administration Chris Schenk Lecture 08 Tuesday Feb 13 CSCI 4113, Spring 2007 ARP Review Host A 128.138.202.50 00:0B:DB:A6:76:18 Host B 128.138.202.53 00:11:43:70:45:81 Switch Host C 128.138.202.71

More information

This tutorial will help you in understanding IPv4 and its associated terminologies along with appropriate references and examples.

This tutorial will help you in understanding IPv4 and its associated terminologies along with appropriate references and examples. About the Tutorial Internet Protocol version 4 (IPv4) is the fourth version in the development of the Internet Protocol (IP) and the first version of the protocol to be widely deployed. IPv4 is described

More information

Note! The problem set consists of two parts: Part I: The problem specifications pages Part II: The answer pages

Note! The problem set consists of two parts: Part I: The problem specifications pages Part II: The answer pages Part I: The problem specifications NTNU The Norwegian University of Science and Technology Department of Telematics Note! The problem set consists of two parts: Part I: The problem specifications pages

More information

ICOM 5026-090: Computer Networks Chapter 6: The Transport Layer. By Dr Yi Qian Department of Electronic and Computer Engineering Fall 2006 UPRM

ICOM 5026-090: Computer Networks Chapter 6: The Transport Layer. By Dr Yi Qian Department of Electronic and Computer Engineering Fall 2006 UPRM ICOM 5026-090: Computer Networks Chapter 6: The Transport Layer By Dr Yi Qian Department of Electronic and Computer Engineering Fall 2006 Outline The transport service Elements of transport protocols A

More information

IP Networking. Overview. Networks Impact Daily Life. IP Networking - Part 1. How Networks Impact Daily Life. How Networks Impact Daily Life

IP Networking. Overview. Networks Impact Daily Life. IP Networking - Part 1. How Networks Impact Daily Life. How Networks Impact Daily Life Overview Dipl.-Ing. Peter Schrotter Institute of Communication Networks and Satellite Communications Graz University of Technology, Austria Fundamentals of Communicating over the Network Application Layer

More information

Computer Networks. Chapter 5 Transport Protocols

Computer Networks. Chapter 5 Transport Protocols Computer Networks Chapter 5 Transport Protocols Transport Protocol Provides end-to-end transport Hides the network details Transport protocol or service (TS) offers: Different types of services QoS Data

More information

Introduction to Analyzer and the ARP protocol

Introduction to Analyzer and the ARP protocol Laboratory 6 Introduction to Analyzer and the ARP protocol Objetives Network monitoring tools are of interest when studying the behavior of network protocols, in particular TCP/IP, and for determining

More information

TCP/IP Networking Terms you ll need to understand: Techniques you ll need to master:

TCP/IP Networking Terms you ll need to understand: Techniques you ll need to master: 5 TCP/IP Networking Terms you ll need to understand: Subnet mask Subnetting Classless Interdomain Routing (CIDR) Transmission Control Protocol/Internet Protocol (TCP/IP) Address Resolution Protocol (ARP)

More information

IP Subnetting. Subnetting

IP Subnetting. Subnetting IP Subnetting Shailesh N. Sisat Prajkta S. Bhopale Vishwajit K. Barbudhe Abstract - Network management becomes more and more important as computer-networks grow steadily. A critical skill for any network

More information

Network Security TCP/IP Refresher

Network Security TCP/IP Refresher Network Security TCP/IP Refresher What you (at least) need to know about networking! Dr. David Barrera Network Security HS 2014 Outline Network Reference Models Local Area Networks Internet Protocol (IP)

More information

Internet Addresses (You should read Chapter 4 in Forouzan)

Internet Addresses (You should read Chapter 4 in Forouzan) Internet Addresses (You should read Chapter 4 in Forouzan) IP Address is 32 Bits Long Conceptually the address is the pair (NETID, HOSTID) Addresses are assigned by the internet company for assignment

More information

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection. A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based

More information

hp ProLiant network adapter teaming

hp ProLiant network adapter teaming hp networking june 2003 hp ProLiant network adapter teaming technical white paper table of contents introduction 2 executive summary 2 overview of network addressing 2 layer 2 vs. layer 3 addressing 2

More information

Implementing Network Address Translation and Port Redirection in epipe

Implementing Network Address Translation and Port Redirection in epipe Implementing Network Address Translation and Port Redirection in epipe Contents 1 Introduction... 2 2 Network Address Translation... 2 2.1 What is NAT?... 2 2.2 NAT Redirection... 3 2.3 Bimap... 4 2.4

More information

CONFIGURING TCP/IP ADDRESSING AND SECURITY

CONFIGURING TCP/IP ADDRESSING AND SECURITY 1 Chapter 11 CONFIGURING TCP/IP ADDRESSING AND SECURITY Chapter 11: CONFIGURING TCP/IP ADDRESSING AND SECURITY 2 OVERVIEW Understand IP addressing Manage IP subnetting and subnet masks Understand IP security

More information

IP Addressing. -Internetworking (with TCP/IP) -Classful addressing -Subnetting and Supernetting -Classless addressing

IP Addressing. -Internetworking (with TCP/IP) -Classful addressing -Subnetting and Supernetting -Classless addressing IP Addressing -Internetworking (with TCP/IP) -Classful addressing -Subnetting and Supernetting -Classless addressing Internetworking The concept of internetworking: we need to make different networks communicate

More information

Working With Network Monitor Brian M. Posey and David Davis (WindowsNetworking.com)

Working With Network Monitor Brian M. Posey and David Davis (WindowsNetworking.com) Although networks are certainly more reliable than they used to be, problems do sometimes occur. For example, the network might be running more slowly than it normally does, or one device on a network

More information

Interconnection of Heterogeneous Networks. Internetworking. Service model. Addressing Address mapping Automatic host configuration

Interconnection of Heterogeneous Networks. Internetworking. Service model. Addressing Address mapping Automatic host configuration Interconnection of Heterogeneous Networks Internetworking Service model Addressing Address mapping Automatic host configuration Wireless LAN network@home outer Ethernet PPS Internet-Praktikum Internetworking

More information

Interconnecting Cisco Network Devices 1 Course, Class Outline

Interconnecting Cisco Network Devices 1 Course, Class Outline www.etidaho.com (208) 327-0768 Interconnecting Cisco Network Devices 1 Course, Class Outline 5 Days Interconnecting Cisco Networking Devices, Part 1 (ICND1) v2.0 is a five-day, instructorled training course

More information

Objectives of Lecture. Network Architecture. Protocols. Contents

Objectives of Lecture. Network Architecture. Protocols. Contents Objectives of Lecture Network Architecture Show how network architecture can be understood using a layered approach. Introduce the OSI seven layer reference model. Introduce the concepts of internetworking

More information

BASIC ANALYSIS OF TCP/IP NETWORKS

BASIC ANALYSIS OF TCP/IP NETWORKS BASIC ANALYSIS OF TCP/IP NETWORKS INTRODUCTION Communication analysis provides powerful tool for maintenance, performance monitoring, attack detection, and problems fixing in computer networks. Today networks

More information

Internet Protocols. Addressing & Services. Updated: 9-29-2012

Internet Protocols. Addressing & Services. Updated: 9-29-2012 Internet Protocols Addressing & Services Updated: 9-29-2012 Virtual vs. Physical Networks MAC is the part of the underlying network MAC is used on the LAN What is the addressing mechanism in WAN? WAN is

More information

You can probably work with decimal. binary numbers needed by the. Working with binary numbers is time- consuming & error-prone.

You can probably work with decimal. binary numbers needed by the. Working with binary numbers is time- consuming & error-prone. IP Addressing & Subnetting Made Easy Working with IP Addresses Introduction You can probably work with decimal numbers much easier than with the binary numbers needed by the computer. Working with binary

More information

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Firewall VPN Router. Quick Installation Guide M73-APO09-380 Firewall VPN Router Quick Installation Guide M73-APO09-380 Firewall VPN Router Overview The Firewall VPN Router provides three 10/100Mbit Ethernet network interface ports which are the Internal/LAN, External/WAN,

More information

Fundamentals of UNIX Lab 16.2.6 Networking Commands (Estimated time: 45 min.)

Fundamentals of UNIX Lab 16.2.6 Networking Commands (Estimated time: 45 min.) Fundamentals of UNIX Lab 16.2.6 Networking Commands (Estimated time: 45 min.) Objectives: Develop an understanding of UNIX and TCP/IP networking commands Ping another TCP/IP host Use traceroute to check

More information

Multi-Homing Dual WAN Firewall Router

Multi-Homing Dual WAN Firewall Router Multi-Homing Dual WAN Firewall Router Quick Installation Guide M73-APO09-400 Multi-Homing Dual WAN Firewall Router Overview The Multi-Homing Dual WAN Firewall Router provides three 10/100Mbit Ethernet

More information