Computer Networks/DV2 Lab




Room: BB 219
Additional Information: http://www.fb9dv.uni-duisburg.de/ti/en/education/teaching/ss08/netlab

Equipment for each group:
- 1 Server computer (OS: Windows 2000 Advanced Server)
- 1 Client computer (OS: Windows 2000 Professional)
- 1 Computer as Router / Gateway (OS: Linux)
- 1 Hub
- Network cables

1. Practical Training: Network planning and installation of a file server
2. Practical Training: Web server installation and Internet connection setup
3. Practical Training: Installation and configuration of a Firewall
4. Practical Training: Installation of a VPN for the connection of two networks
5. Practical Training: Programming attempt; Client/Server connection over Sockets
6. Practical Training: Network Monitoring

Name:
Matriculation No.:
Supervisor Signature:

1. Introduction

The most important characteristics of computer networks are security and reliability. A good example of a higher level of security in computer networks is the firewall. Firewalls are usually placed between the network which should be protected and the Internet. However, when large networks are divided into smaller ones, additional firewalls can be set up between the different subnets. These techniques provide higher security against external attacks, but none regarding internal problems, which are often caused by the network users.

The security of a computer network directly impacts its reliability. The reliability of a network depends on more than one factor, however. For example, defective hardware or incorrectly configured software can affect the functionality, and thus the reliability, of a network. The worst case would be a complete breakdown of the whole network. Therefore, a major task of a network administrator is to periodically check the network for security leaks or malfunctions. One way to perform these checks is to analyse the traffic of the network. In this practical training we will be using the program Wireshark to aid us in analysing our network traffic.

Contact: Joachim Zumbrägel, BB 320, Tel: 379-3978, Mail: Joachim.zumbraegel@uni-due.de

2. Basics

Network Sniffers

The software Wireshark belongs to the category of the so-called sniffers or network sniffers, and it can be used for traffic analysis and traffic logging in LANs. Wireshark is an open source project released under the GNU General Public Licence. This piece of software offers a lot of functionality which is not always easy to use if you do not have at least basic knowledge about network sniffers and network protocols.

A network sniffer consists of a number of components. The underlying component is the capture driver, which is either directly connected to the NIC (Network Interface Card) driver or to the PPP adapter. The capture driver copies all network packets into a buffer, where different filters can be defined in order to restrict capturing to packets which match certain criteria. In addition, a time frame can be defined or a limit can be set for the number of packets which should be captured. In this practical training WinPcap is used as the capture driver.

A decoding component is required for data analysis. After decoding, single packets can be combined into data streams, i.e. all packets with the same source IP address, destination IP address and ports. Additionally, the use of DNS for mapping IP addresses to names can be helpful for analysis. Furthermore, there are a lot of other options and techniques which are not used in our practical training and therefore not described here.

Figure 1: Wireshark

Protocols and Layers

As previously mentioned, basic knowledge of network protocols is required if one wants to work with a network sniffer program like Wireshark. The major protocols in use are described in this document. Figure 2 shows which protocols belong to which layer of the ISO/OSI model.

The different layers in detail:

Physical Layer - The basic layer. Defines e.g. the transmission medium and the rules for the transmission of single bits.
Data-Link      - In this layer the packets are transferred from one NIC to another (NIC = Network Interface Card).
Network        - This layer has the following capabilities (independent of the hardware):
                 - Addressing across different physical nets
                 - Distributing the data over the physical connections
                 - Dividing the data into packets (packetizing)
                 - Embedding the packets into frames (framing)
                 - Fragmenting of packets (if required)
                 - Assembling of the fragments on the target computer
Transport      - TCP: Realizes a reliable byte stream between two processes and takes care that the data is transmitted in the right order and with integrity. UDP: Delivers datagrams without reliability.
Application    - Applications and network service programs, e.g. PING, HTTP server, DNS, etc.

Figure 2: Protocols Layer

Not only knowledge of the protocols is useful for network traffic analysis, but an understanding of the communication between the different layers as well. The basic idea of the ISO/OSI layer model is that only neighbouring layers are capable of communicating. For that reason TCP does not care how a connection was established (e.g. Ethernet or ISDN). As you should already know, the data in each layer is encapsulated by a layer-specific frame. The encapsulation principle is as follows: Layer N receives a packet from Layer N+1, processes it and encapsulates that packet with a header (and in some cases with a trailer). The last step is to deliver the newly encapsulated packet to Layer N-1.

By use of the MAC address (1) a network card is able to distinguish whether a received packet addresses the network card itself or another computer. If the received packet contains the MAC address of the network card, it is passed to the next higher protocol layer. All other packets are usually not accepted. Nevertheless, receiving any packet is possible. For that the network card must be switched to the so-called promiscuous mode, which allows receipt of all packets and therefore traffic monitoring.

Figure 3: Packet Encapsulation

Header

For traffic analysis, the headers of the different protocols are very important. Figure 3 shows the principle of packet encapsulation. Each layer stores layer-specific information in its packet header, in order for the packet to be processed correctly on the receiver's side. It is possible to define different options for the packet within the header, e.g. priority, time to live (TTL), special routes, etc.

Computer communication

A thing to consider before analysing the traffic of a network is how the computers are connected. If a direct physical connection through the same medium or a connection via a hub is established between the computers, then all computers are capable of receiving the complete network traffic. However, if the computers are connected through a switch this is no longer the case, because switches are capable of analysing the packets and therefore know which computer is being addressed. Furthermore, a switch knows which computer is connected on which port. Using that information a switch passes packets only to the computer which is addressed. Therefore, a computer connected to a switch is never able to listen to the complete network traffic.

Figure 4: Ethernet II Frame

The preamble is used for synchronization and contains a sequence of '10101010' bytes. The SFD field contains a '1' at its last bit position (10101011). This field is used only for transmission and will not be analysed. The Destination (Empfänger) and Sender (Absender) addresses are MAC addresses (example of a MAC address: 00-E0-7D-82-DD-86). The value is written in hexadecimal code and 6 bytes are used for its representation. The Type field is used to distinguish the higher protocols (e.g. 0x0800 for IP and 0x0806 for ARP).

(1) MAC address (Medium Access Control) is a worldwide unique identification of a network card.

ARP (Address Resolution Protocol)

ARP is used for mapping IP addresses to MAC addresses. The Address Resolution Protocol uses a mapping table for this task. Before a connection is established over the Ethernet, IP asks ARP for the MAC address belonging to an IP address. At first, ARP looks in its mapping table to see whether an appropriate entry exists; if not, ARP sends a broadcast to all connected nodes in order to get this information from another node. The answer to this request is stored in the mapping table.

Figure 5: Function of the ARP-Protocol

IP (Internet Protocol)

The task of the Internet Protocol is to transport data packets from a sender to a destination over different networks. The transmission is packet oriented, connectionless and not guaranteed. That means that IP itself neither guarantees the receipt of a packet nor the right sequence of the transmitted packets (e.g. packets can be lost due to network overload). The maximum length of IP packets is limited to 65 535 bytes. Due to the fact that some nets (internetworking components) are not able to handle such large packets, the minimum length of an IP packet is defined as 576 bytes. If a large packet is divided into smaller packets, this is called fragmentation. The procedure of rebuilding the large packet out of the smaller ones is called reassembling.

Figure 6: IP Header

Version                - Version, e.g. IPv4 or IPv6
Header Length          - Length of the header in 32-bit steps
Type of Service        - Service and transmission parameters. Hardly used.
Total Length           - Length of the datagram, max. 64 kbyte
Identification         - Number for identification
Flags                  - Indicates if the datagram is fragmented or not
Fragment Offset        - Defines the location of the fragment relative to the beginning of the datagram
Time to live (TTL)     - This number (max = 255, typical = 128) defines how many router stations the packet is allowed to pass. Each router decrements the number by one. If TTL is zero the packet will be destroyed.
Protocol               - Defines the protocol of the next higher protocol level, e.g. UDP or TCP
Header Checksum        - Used for fault checking
Source IP-Address      - Sender IP address
Destination IP-Address - Receiver IP address
Options                - Used in order to adapt services for higher protocols, e.g. security requests of the receiver. Length is not fixed.

The next higher protocol level is the transport layer. Here different protocols like UDP, TCP and ICMP are located.

TCP (Transmission Control Protocol)

TCP is a connection-oriented transport protocol for use in a packet-switched network. The Transmission Control Protocol (TCP) sits on top of the Internet Protocol (IP). It provides the functionality of the transport layer and establishes a secure connection between sender and receiver before data exchange. The data of the higher layers is not changed by TCP, but split up and sent as single data packets, which can be up to 65 kbytes big.

Figure 7: TCP Header

Using port numbers for sender and receiver, TCP packets can be multiplexed. For each port number 2 bytes are reserved. The allocation of the numbers is dynamic. The data exchange between TCP and processes is handled by port numbers as well. For the sequence number 4 bytes are reserved. The sequence number and the acknowledgement number are used for flow control and the order of the data packets. While the connection is established, a random number is generated and exchanged by sender and receiver. This number is called the initial sequence number and it is incremented during data exchange. For the acknowledgement number 4 bytes are reserved, which are used for acknowledging the receipt of each packet. The header length is also specified, because it is not fixed. The fields within the TCP header will not be explained further in this paper. More information can be found in: Computer Netzwerke, Andrew S. Tanenbaum, chapter 6.4.

The end-to-end control uses positive acknowledgement: all received packets are confirmed, and the other packets will be resent. Using this mechanism a proper data exchange is warranted. The loss of data is prevented by the flow control, because each data packet is numbered and confirmed. If a confirmation does not arrive within a specific time frame the packet is resent. If an error occurs the error mechanism is activated and requests the erroneous data again from the layers above.

UDP (User Datagram Protocol)

The User Datagram Protocol is a transport protocol (layer 4) of the OSI reference model and it provides a connectionless data exchange between computers.

Figure 8: UDP Header

UDP has a minimum of protocol mechanisms and it does not guarantee the delivery of the datagram to the remote machine, nor does it provide mechanisms for detecting duplicates or sequence interchanges. Therefore the functional range of UDP is much smaller than that of TCP. It is restricted to transport service, connection multiplexing and error handling.
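As an added example (not part of the lab handout), the following Python decoder walks the encapsulation described above, Ethernet II (Type 0x0800 / 0x0806), ARP, IPv4 and TCP/UDP, over two constructed frames and verifies the IP header checksum the way a sniffer's decoding component does. The MAC and IP addresses in the sample frames are made up (the gateway MAC reuses the example address from the Ethernet section); the field names are this example's own.

```python
import struct

# Decoder for the headers described in this document; the MAC notation
# follows the example 00-E0-7D-82-DD-86.

def mac_str(b):
    return "-".join("%02X" % x for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def ipv4_checksum(header):
    """Ones'-complement sum over 16-bit words; a received header verifies when this is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                             # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ethernet(frame):
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_str(dst), "src": mac_str(src), "type": etype, "payload": frame[14:]}

def parse_arp(p):
    _hw, _proto, hlen, plen, op = struct.unpack("!HHBBH", p[:8])
    fmt = "!%ds%ds%ds%ds" % (hlen, plen, hlen, plen)
    sha, spa, tha, tpa = struct.unpack(fmt, p[8:8 + 2 * (hlen + plen)])
    return {"op": {1: "request", 2: "reply"}.get(op, op),
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}

def parse_ipv4(p):
    vihl, _tos, total, ident, ff, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", p[:20])
    ihl = (vihl & 0x0F) * 4                        # Header Length is counted in 32-bit steps
    return {"version": vihl >> 4, "header_len": ihl, "total_len": total, "id": ident,
            "flags": ff >> 13, "frag_offset": (ff & 0x1FFF) * 8, "ttl": ttl,
            "protocol": proto, "checksum_ok": ipv4_checksum(p[:ihl]) == 0,
            "src": ip_str(src), "dst": ip_str(dst), "payload": p[ihl:total]}

def parse_tcp(s):
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", s[:14])
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "header_len": (off_flags >> 12) * 4, "flags": off_flags & 0x1FF}

def parse_udp(s):
    sport, dport, length, _csum = struct.unpack("!HHHH", s[:8])
    return {"src_port": sport, "dst_port": dport, "length": length}

def decode(frame):
    """Ethernet -> ARP or IPv4 -> TCP/UDP, the tree Wireshark shows in its middle frame."""
    out = {"eth": parse_ethernet(frame)}
    if out["eth"]["type"] == 0x0806:
        out["arp"] = parse_arp(out["eth"]["payload"])
    elif out["eth"]["type"] == 0x0800:
        ip = out["ip"] = parse_ipv4(out["eth"]["payload"])
        if ip["protocol"] == 6:
            out["tcp"] = parse_tcp(ip["payload"])
        elif ip["protocol"] == 17:
            out["udp"] = parse_udp(ip["payload"])
    return out

# Constructed sample frames (not captured in the lab); addresses are made up.
CLIENT_MAC, GATEWAY_MAC = bytes.fromhex("001122334455"), bytes.fromhex("00E07D82DD86")
CLIENT_IP, GATEWAY_IP = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1])

def sample_arp_request():
    """Client broadcasts 'who has 192.168.1.1?'; the target MAC is still unknown (zeros)."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, CLIENT_MAC, CLIENT_IP, bytes(6), GATEWAY_IP)
    return b"\xff" * 6 + CLIENT_MAC + b"\x08\x06" + arp

def sample_tcp_syn():
    """Client SYN to port 80 on the gateway: TTL 128, Don't Fragment set, checksum filled in."""
    tcp = struct.pack("!HHIIHHHH", 1025, 80, 0x12345678, 0, (5 << 12) | 0x002, 8192, 0, 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 128, 6, 0, CLIENT_IP, GATEWAY_IP)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return GATEWAY_MAC + CLIENT_MAC + b"\x08\x00" + hdr + tcp
```

Calling decode() on either sample frame returns the nested field dictionaries; a frame whose TTL was changed in transit without recomputing the checksum shows checksum_ok as False.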

Regarding the transport service, correct data exchange is not assured using UDP, because it does not make use of any acknowledgement system. Therefore lost data packets cannot be resent. In contrast to TCP, UDP does not establish a connection between the machines, but sends the data packets through the network independently of each other.

On the top layer of the TCP/IP model, the so-called application layer, are the protocols of the well-known applications like HTTP, FTP, POP3, PING, DHCP, DNS etc. To list the details of each protocol here would go beyond the scope of the lab, but a short overview is very helpful for further understanding.

HTTP (Hyper Text Transfer Protocol)

HTTP is a general, stateless, object-oriented protocol for data communication within the World Wide Web (WWW). HTTP is a straightforward protocol. It describes a defined set of messages and replies which are used for client and server communication during an HTML session. For each request of a web browser to a web server for a new document, a new connection is established. HTTP serves the addressing of objects using URLs (Uniform Resource Locator). It completes the interaction between clients and servers and provides the adjustment of the formats between them.
Example: http://www.uni-duisburg.de

FTP (File Transfer Protocol)

The File Transfer Protocol (FTP) is used for data exchange between different machines across the Internet and for easier data handling. FTP is based on TCP, which means it uses TCP as the underlying protocol. The data transfer is controlled by the local system. The user rights on the remote system depend on the authentication using username and password.
Example: ftp://ftp.uni-duisburg.de
Example with user identification: ftp://user:password@ftp.uni-duisburg.de

PING (Packet Internet Grouper)

PING is a small program which implements the echo protocol. It is used in order to test the availability of remote computers. For this, ICMP (Internet Control Message Protocol) sends a request and waits for the response. With the ping command it can be verified whether a specific computer is connected to the Internet or not. If there is no reply from the pinged computer within a specified time frame, this implies that the ping request cannot reach the machine or the machine cannot reply to the ping, which means that this computer is switched off or it is protected by a firewall.

3. Wireshark

The program Wireshark can be started by double-clicking the icon on the desktop or via the Start menu (Start > Programme > Wireshark > Wireshark). The GUI (Graphical User Interface) is divided into three frames:
- The upper frame is a list of the captured packets with a short description. By clicking on a packet the other two frames will show more information about this packet.
- The middle frame has a tree structure. It holds the information divided by protocols or, more precisely, by the layers of a protocol family.
- The lowest frame shows the data of the chosen packet. By clicking on different fields in the middle frame the corresponding data will be highlighted in this frame.

To show the packets and the information concerning the data, the network traffic has to be captured first; for this Wireshark uses the capture driver. To start a capture, click on Capture in the upper menu bar and afterwards on Start. Now you can choose some more options for the capture, e.g. a time limit or a packet limit. Please try as much as you can by choosing different options, since Wireshark offers many features which cannot be described here in detail.

For analysing the captured traffic, filters are the tools which help. You can set them up to show only specific packets. To emphasize their importance, imagine that within seconds some 10000 packets are captured and you want to find specific protocols or IP addresses. By use of a filter one can easily limit the captured results as desired. Filters can be configured by clicking Capture and Capture Filters. Alternatively, the option View, Coloring Rules can be used to colorize packets which fit a certain pattern. Another important option is Follow TCP Stream. You can find it under the Analyze menu. This feature allows the user to display a contiguous data stream.

4. Exercises

Exercise 1

In this document the ARP (Address Resolution Protocol) was explained. With the command

arp -a

you get the current ARP table. Try to find all IP addresses and the corresponding MAC addresses of all computers in your network. Please write them down in the table below. Keep in mind that the ARP table is not static. It contains only the addresses which were required by an established communication.

                    IP-Address          MAC-Address
Server (Windows)
Client (Windows)
Firewall (Linux)

Exercise 2

Now that you know all IP and MAC addresses you should take a look at the network traffic. Start Wireshark, choose Capture and then Options. Set the capture to stop after 100 packets have been captured. While capturing you have to generate some traffic, e.g. by accessing a website. Try to get familiar with the program by testing some functions. If you face any problems do not hesitate to ask.

Exercise 3

Start the program Wireshark on the server computer. The rest of the group should generate different traffic on the client computer, for example: accessing websites, FTP servers, ping or telnet and so on. With the help of the data retrieved by Wireshark try to find out which services, which servers and which pages were accessed by the client computer. It also works vice versa, starting Wireshark on the client and generating traffic from the server.

Notes:

Exercise 4

Now that you are able to identify the captured packets, we can take a look at the security aspects. Once again start Wireshark and monitor the traffic. The tutor will join your network and log in to his email account (www.gmx.de). Try to get the password he is using for his email account.

Literature:
- Andrew S. Tanenbaum: Computernetzwerke, Prentice-Hall, 1998
- W.E. Proebster: Rechnernetze: Technik, Protokolle, Systeme, Anwendungen, Oldenbourg 2002
- Anatol Badach, Erwin Hoffmann: Technik der IP-Netze, Hanser 2001

Links:
- http://www.wireshark.org/
- http://www.wiresharktraining.com/resources.html