BASIC ANALYSIS OF TCP/IP NETWORKS

INTRODUCTION

Communication analysis is a powerful tool for maintenance, performance monitoring, attack detection and troubleshooting in computer networks. Today's networks are mostly based on the TCP/IP family of protocols, which is supported by a wide range of devices including home appliances and mobile devices. Network analysis can be performed using simple utilities included in operating systems (nslookup, ping, tracert etc.) or special instruments such as a packet sniffer (e.g. Wireshark). Using these instruments, a network administrator is able to identify a problem, locate it and fix it. Network analysis can also be misused for illegal activities (e.g. unauthorised access to network resources) and, of course, it is used for defence against such attacks.

Packet sniffers use the so-called promiscuous mode of the NIC (Network Interface Card). In this mode the NIC receives all frames, including those addressed to MAC addresses other than its own. Interception of the communication channel is another requirement for a packet sniffer application. This is quite easy when the network infrastructure is based on hubs, but in a switched infrastructure, where a frame is forwarded only to its destination port, it has to be arranged explicitly. The most frequently used method is port mirroring (the switch copies all frames forwarded to a selected port to the mirror port as well), which is used in this lab. Other methods include physical channel branching (which can be detected), physical layer interception (e.g. for optical fibre channels), corruption of the switch's internal forwarding table, or direct installation of the sniffer on a network node (not always possible). Similar approaches can be used for both wired and wireless technologies (wireless networks are usually better secured).

ANALYSED NETWORK

You will perform a basic analysis of a simple network whose scheme is depicted in the following picture. There are just two devices within the network.
- Default gateway operating as the network access point. It is a router with one interface dedicated to accessing the outside network (denoted as the WAN interface). The other router interfaces operate as a switch for the local network (denoted as LAN interfaces). Additionally, all communication from the LAN and WAN interfaces is mirrored to a single LAN interface, denoted as the mirror interface. All LAN interfaces of the gateway share a single static IP address.
- Monitored PC connected to one of the LAN interfaces of the network gateway. This device is the source of all analysed communication. The IP address of the monitored PC is acquired from the DHCP server within the default gateway.

Additionally, a sniffer PC is connected to the mirror interface of the default gateway. However, it is not a part of the analysed network, because it has no IP address assigned.

WIRESHARK

The content of the Wireshark window upon program launch is depicted in the following picture. In order to start the frame capture, select the Ethernet adapter from the list of available network interfaces (1). Afterwards, start the capture by clicking the capture control button in the top-left part of the main window (2).

The content of the Wireshark window after the capture has started is depicted in the following picture. The window is divided into the following four parts.
The filter panel is located under the Wireshark toolbar and contains a set of predefined filters. The captured frames list is located under the filter panel and displays basic information about each captured frame. By clicking on a frame, the user can display detailed information about it in the detailed view (2), as well as the raw frame data in the lower part of the main window (3). The detailed view contains various information about the structure, headers and data payload of the selected frame. It is also possible (and desirable) to save the captured data for later analysis.

PROTOCOL ANALYSIS

During this lab, you will perform a basic analysis of some elementary, mostly application-layer protocols of the TCP/IP family and get familiar with their purpose and basic principles. To analyse each protocol, capture network traffic with Wireshark using the appropriate predefined filter. Additionally, there is a lecture about TCP/IP protocols located on the desktop of the sniffer PC (file TCPIP_prednaska.pdf), which you can use to find the necessary information about the analysed protocol.

Execute the following steps in order to start the analysis.
- Open the command line on the monitored PC.
- Release the current network configuration of the monitored PC with the command ipconfig /release and disconnect the monitored PC from the network.
- Launch Wireshark on the sniffer PC and start the frame capture.
- Connect the monitored PC to the network and wait until its IP address is assigned.

DYNAMIC HOST CONFIGURATION PROTOCOL

DHCP is an application-layer protocol of the OSI model and the TCP/IP stack designed for the dynamic configuration of new network hosts. The usually configured parameters are e.g. the host IP address, subnet mask, gateway IP address and DNS server IP addresses; however, there are many more configurable parameters. More information about DHCP can be found in the lecture.
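To see what the DHCP checklist of this lab looks like in the raw bytes, here is an added Python example (not part of the original lab material) that builds a constructed DHCP ACK and parses the leased address, lease time, subnet mask, gateway, server identifier and hostname out of it; all addresses, the client MAC and the transaction id are made up.

```python
import struct
from ipaddress import IPv4Address
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # separates the 236-byte BOOTP header from the options
def _ip(v): return str(IPv4Address(v))

# Option code -> (field name, decoder); codes follow RFC 2132 numbering.
DECODERS = {
    1: ("subnet_mask", _ip),
    3: ("default_gateway", _ip),
    12: ("hostname", lambda v: v.decode("ascii", "replace")),
    51: ("lease_time_s", lambda v: struct.unpack("!I", v)[0]),
    53: ("message_type", lambda v: {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}.get(v[0], v[0])),
    54: ("dhcp_server", _ip),
}

def build_sample_ack():
    # Constructed DHCP ACK; addresses, client MAC and transaction id are made up for this example.
    # Header: op=BOOTREPLY, htype=Ethernet, hlen, hops, xid, secs, flags, ciaddr,
    # yiaddr (the leased address), siaddr, giaddr, chaddr (16 bytes), sname+file (192 bytes).
    header = struct.pack("!BBBBIHH4s4s4s4s16s192s", 2, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         bytes(4), IPv4Address("192.168.1.57").packed, IPv4Address("192.168.1.1").packed,
                         bytes(4), bytes.fromhex("001122334455") + bytes(10), bytes(192))
    options = bytes([53, 1, 5,                  # DHCP Message Type = ACK
                     54, 4, 192, 168, 1, 1,     # DHCP Server Identifier
                     51, 4, 0, 0, 0x0E, 0x10,   # IP Address Lease Time = 3600 s
                     1, 4, 255, 255, 255, 0,    # Subnet Mask
                     3, 4, 192, 168, 1, 1,      # Router (default gateway)
                     12, 7]) + b"monitor" + bytes([255])   # Host Name, then the End option
    return header + MAGIC_COOKIE + options

def parse_options(data):
    # Walk the TLV list (code, length, value); 0 is a one-byte pad and 255 ends the list.
    fields, i = {}, 0
    while i < len(data) and data[i] != 255:
        if data[i] == 0: i += 1; continue
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length: raise ValueError("truncated option %d" % code)
        if code in DECODERS:
            name, decode = DECODERS[code]
            fields[name] = decode(value)
        i += 2 + length
    return fields

def parse_dhcp(packet):
    """Return the lab's checklist fields from a raw DHCP message (the UDP payload)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE: raise ValueError("not a DHCP message")
    fields = {"leased_ip": _ip(packet[16:20]), "client_mac": packet[28:34].hex(":")}   # yiaddr, chaddr
    fields.update(parse_options(packet[240:]))
    return fields
```

In Wireshark the same fields appear under "Bootstrap Protocol" in the detailed view; the DISCOVER, OFFER, REQUEST and ACK message types identify the four steps of the assignment procedure.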
On the sniffer PC, capture network traffic using Wireshark with the predefined filter DHCP, analyse the process of dynamic configuration of the monitored PC and note the following information.
- The IP address assignment procedure.
- Source and destination L2 and L3 addresses of the frames / packets carrying DHCP datagrams.
- The IP address lease time.
- The monitored PC hostname.
- The leased IP address.
- The subnet mask.
- The default gateway IP address.
- The DHCP server IP address.

On the monitored PC, use the command ipconfig /all and verify that all the information found is correct.

ADDRESS RESOLUTION PROTOCOL

ARP is designed for address translation. Its primary purpose is to translate a known L3 (IP) address to an L2 (MAC) address, but there is also a reverse variant of this protocol. Because ARP operates as an interconnection between two layers, it is hard to classify it as a protocol of one particular layer. Therefore, it is often described as a protocol between the link and network layers of the OSI model and TCP/IP stack. More information about ARP can be found in the lecture.
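An added Python example (not from the lab material) decodes a constructed ARP request/reply pair for the gateway's MAC address and keeps the learned mapping in a small expiring cache, the way the operating system's ARP cache does; all MAC and IP addresses are made up.

```python
import struct
import time
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa: 28 bytes
def _mac(text): return bytes.fromhex(text.replace(":", ""))

def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """ARP payload for IPv4 over Ethernet (htype 1, ptype 0x0800); used here to construct samples."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, _mac(sender_mac), IPv4Address(sender_ip).packed,
                       _mac(target_mac), IPv4Address(target_ip).packed)

def parse_arp(payload):
    """Decode the ARP payload Wireshark shows below the Ethernet header."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return {"oper": {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(oper, oper),
            "sender_mac": sha.hex(":"), "sender_ip": str(IPv4Address(spa)),
            "target_mac": tha.hex(":"), "target_ip": str(IPv4Address(tpa))}

class ArpCache:
    """IP -> MAC mappings learned from replies; each expires after `ttl` seconds like the OS cache."""
    def __init__(self, ttl=120.0, clock=time.monotonic):
        self.ttl, self.clock, self._entries = ttl, clock, {}

    def learn(self, arp):
        if arp["oper"] == "reply":
            self._entries[arp["sender_ip"]] = (arp["sender_mac"], self.clock() + self.ttl)

    def lookup(self, ip):
        mac, expires = self._entries.get(ip, (None, 0.0))
        if mac is not None and self.clock() < expires:
            return mac
        self._entries.pop(ip, None)      # expired or unknown: a fresh ARP request would be needed
        return None

def resolve_gateway_sample(cache):
    """Constructed exchange (made-up addresses): the monitored PC asks who has the gateway's IP.
    The request travels in a broadcast frame (ff:ff:ff:ff:ff:ff) with the ARP target MAC zeroed;
    the reply comes back unicast and is what the cache learns from."""
    request = build_arp(ARP_REQUEST, "00:11:22:33:44:55", "192.168.1.57", "00:00:00:00:00:00", "192.168.1.1")
    reply = build_arp(ARP_REPLY, "aa:bb:cc:dd:ee:01", "192.168.1.1", "00:11:22:33:44:55", "192.168.1.57")
    decoded = [parse_arp(p) for p in (request, reply)]
    for arp in decoded:
        cache.learn(arp)
    return decoded
```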
In order to prevent unnecessary network load caused by an address translation request before each IP packet transmission, operating systems usually cache the mappings between L3 and L2 addresses in the ARP cache. A record is usually held in the ARP cache for a few minutes before it is removed.

On the sniffer PC, capture network traffic using Wireshark with the predefined filter ARP, analyse the process of resolution of the default gateway's MAC address and note the following information.
- The default gateway IP address resolution procedure.
- Source and destination L2 addresses of the ARP frames.
- Payload of the ARP frames.

On the monitored PC, use the command arp -a to display the content of the ARP cache.
- Analyse the content of the ARP cache and verify that it contains the MAC address of the default gateway.

INTERNET CONTROL MESSAGE PROTOCOL

ICMP serves as the diagnostic and control protocol of the IP layer of the TCP/IP stack. Examples of well-known diagnostic messages are the Echo Request and Echo Reply messages used e.g. by the ping and tracert commands. An example of a control message is the Destination Unreachable message, which is sent by an intermediary L3 device (i.e. a router) when it detects that the packet's destination is unreachable, e.g. when the route to the destination is unknown or when routing is not possible due to traffic filtering. As ICMP helps to ensure the transfer of information between communication endpoints, it can be classified as a protocol of the network layer of the OSI model and TCP/IP stack. More information about this protocol can be found in the lecture.

On the monitored PC, use the command ping 147.32.192.2. On the sniffer PC, capture network traffic using Wireshark with the predefined filter ICMP and analyse the captured ICMP messages.
- Note the payload of the Echo Request and Echo Reply messages.
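The following added Python example (not part of the original lab) models how the tracert command uses Echo Requests with an increasing TTL and what the Time Exceeded, Echo Reply and Destination Unreachable answers tell the sender; the paths and router addresses are constructed, only the ping target is taken from this lab.

```python
from dataclasses import dataclass

# ICMP message types referred to in this example (the probe itself is an Echo Request, type 8).
ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11

@dataclass
class Hop:
    """One L3 device on a constructed path (router addresses are made up for this example)."""
    address: str
    is_destination: bool = False
    has_route: bool = True      # False: this router cannot forward towards the destination

# Monitored PC -> three routers -> the lab's ping target.
SAMPLE_PATH = [Hop("192.168.1.1"), Hop("10.0.0.1"), Hop("10.0.1.1"), Hop("147.32.192.2", True)]
# The same first two routers, but the third has no route (or filters the traffic).
BLOCKED_PATH = [Hop("192.168.1.1"), Hop("10.0.0.1"), Hop("10.0.1.1", has_route=False)]

def forward(path, ttl):
    """Carry one Echo Request along the path; return (icmp_type, responder_address).

    Every router decrements TTL; when it reaches 0 the router drops the packet and answers
    with Time Exceeded. A router without a route answers Destination Unreachable. Only the
    destination host itself answers with Echo Reply.
    """
    for hop in path:
        if hop.is_destination:
            return ECHO_REPLY, hop.address
        ttl -= 1
        if ttl == 0:
            return TIME_EXCEEDED, hop.address
        if not hop.has_route:
            return DEST_UNREACHABLE, hop.address
    return None, None          # nobody answered; tracert prints "*" for such a hop

def traceroute(path, max_hops=30):
    """tracert logic: probe with TTL 1, 2, 3, ... until the destination replies or the path fails."""
    route = []
    for ttl in range(1, max_hops + 1):
        icmp_type, responder = forward(path, ttl)
        route.append((ttl, icmp_type, responder))
        if icmp_type in (ECHO_REPLY, DEST_UNREACHABLE):
            break
    return route

def router_count(route):
    """Intermediary L3 devices = hops that answered Time Exceeded (the destination is not one)."""
    return sum(1 for _, icmp_type, _ in route if icmp_type == TIME_EXCEEDED)
```

Note the off-by-one the lab question hinges on: tracert lists four hops for SAMPLE_PATH, but only three of them are routers.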
The Echo Request and Echo Reply messages can also be used to determine the exact number of intermediary L3 devices between two endpoint hosts, by repeatedly sending an Echo Request with an increasing value of the Time-To-Live field of the message's IP header. This is exactly what the tracert command does.

On the monitored PC, use the command tracert and determine the number of routers between the monitored PC and an arbitrary server.

DOMAIN NAME SYSTEM

DNS is an application-layer protocol of the OSI model and TCP/IP stack designed for the translation of domain names (i.e. hostnames that can be easily read by humans) of hosts into their L3 addresses. The DNS protocol uses a system of hierarchically structured domain servers containing information about the L3 addresses of hosts and domain servers in a particular domain. More information about DNS can be found in the lecture.

Similarly to the case of ARP, operating systems usually store the mapping between domain names and L3 addresses of network hosts in the DNS cache in order to reduce network load.

On the monitored PC, open a web browser and enter the address www.seznam.cz. On the sniffer PC, capture network traffic using Wireshark with the predefined filter DNS, analyse the process of resolution of the server's IP address and note the following information.
- The server IP address resolution procedure.
- Source and destination L2 and L3 addresses of the frames / packets carrying DNS datagrams.
- The requested domain name.
- The resolved IP address.

It is of course necessary to maintain the mapping between the domain name and the L3 address of a host in the system of domain servers. This service is usually paid and time-limited. On the Internet, there is a number of public databases containing registrations of domain names (i.e. whois services). Use an arbitrary public database of domain names (i.e. a whois service) and determine the expiration date of the domain name registration of an arbitrary server.

HYPERTEXT TRANSFER PROTOCOL

HTTP is a text-oriented application-layer protocol of the OSI model and TCP/IP stack designed for the transfer of data in textual form; its primary purpose is to transfer web pages. However, it is also possible to use it for the transfer of object-oriented data or for remote procedure calls. More information about HTTP can be found in the lecture.

On the monitored PC, open a web browser and access an arbitrary web page. On the sniffer PC, capture network traffic using Wireshark with the predefined filter HTTP, analyse the process of the web page transfer and note the following information.
- Content of the request sent by the web browser.
- Content of the server's response.
- The number of servers from which parts of the web page have been loaded.

FILE TRANSFER PROTOCOL

FTP is an application-layer protocol of the OSI model and TCP/IP stack designed for file transfer. Unlike the majority of TCP/IP protocols, it actively uses two ports: one for the transfer of control information and the other for the transfer of binary data. More information about FTP can be found in the lecture.

On the monitored PC, open the FileZilla program and connect to the FTP server using the following credentials.
- IP address of the server: 147.32.202.63.
- Username: student_low.
- Password: A3B38DSY.

On the sniffer PC, capture network traffic using Wireshark with the predefined filter FTP and analyse the process of the FTP client login.
- Try to find the captured user credentials (i.e. username and password).
- Analyse the connection initiation mechanism (i.e. the 3-way handshake) of the TCP protocol.

On the monitored PC, use FileZilla to upload the text file RUR_CZ.txt to the FTP server. On the sniffer PC, analyse the file transfer procedure and verify the following TCP protocol congestion control mechanisms.
- The slow start mechanism.
- The data-flow control mechanism (i.e. regulation of the value of the Window Size field of the TCP header).

SECURITY

Today, most personalised web services are secured. Try to capture and analyse secured communication with an arbitrary web service (e.g. e-mail or a social network). On the monitored PC, open a web browser and access an arbitrary secured web service. On the sniffer PC, capture network traffic using Wireshark without any predefined filter (use the Clear button to cancel the filtering of the captured data) and try to analyse the captured data.
- Try to explain why it is difficult to capture and analyse secured communication.
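For the DOMAIN NAME SYSTEM section above, here is an added Python example (not part of the original lab) that builds a constructed DNS response to the www.seznam.cz query and parses the question and the answer back out, including the name-compression pointer that Wireshark displays as a reference to an earlier offset; the transaction id and the resolved address are made up.

```python
import struct
from ipaddress import IPv4Address

def encode_name(name):
    # "www.seznam.cz" -> length-prefixed labels terminated by a zero byte
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"

def build_sample_response():
    """Constructed DNS response for the lab's query (transaction id and address are made up)."""
    header = struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 1, 0, 0)   # id, flags QR|RD|RA, 1 question, 1 answer
    question = encode_name("www.seznam.cz") + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    # The answer's NAME is a compression pointer (0xC00C): "same name as at offset 12", i.e. the question.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address("192.0.2.10").packed
    return header + question + answer

def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it in the current record)."""
    labels, jumped, end = [], False, offset
    for _ in range(128):                          # bound the walk so a pointer loop cannot hang us
        length = msg[offset]
        if length == 0: offset += 1; break
        if (length & 0xC0) == 0xC0:               # two-byte pointer, 14-bit offset into the message
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped: end = offset + 2       # the record continues after the pointer, not the target
            jumped, offset = True, pointer
            continue
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    else:
        raise ValueError("name too long or compression pointer loop")
    return ".".join(labels), (end if jumped else offset)

def parse_response(msg):
    """Return the checklist fields: transaction id, response code, requested names, resolved records."""
    ident, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4]); offset += 4
        questions.append((name, qtype))
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10]); offset += 10
        rdata = msg[offset:offset + rdlength]; offset += rdlength
        value = str(IPv4Address(rdata)) if rtype == 1 and rdlength == 4 else rdata.hex()   # 1 = A record
        answers.append((name, rtype, ttl, value))
    return {"id": ident, "rcode": flags & 0xF, "questions": questions, "answers": answers}
```

The TTL in the answer (300 s here) is what the operating system's DNS cache, mentioned in that section, uses to decide how long the mapping may be reused before a new query is sent.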
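For the TCP 3-way handshake and the slow start and Window Size mechanisms in the FILE TRANSFER PROTOCOL section, an added Python example (not from the lab material) computes the handshake sequence and acknowledgement numbers and models the sender's behaviour per round trip during the upload; the ISNs, file size and advertised windows are constructed inputs, and the model deliberately leaves out loss and retransmission.

```python
MSS = 1460   # bytes per segment on Ethernet (1500 - 20 IP header - 20 TCP header)

def three_way_handshake(client_isn, server_isn):
    """The three segments that open a TCP connection; a SYN consumes one sequence number,
    so each side acknowledges the other's ISN + 1. The ISNs passed in are constructed values."""
    return [{"from": "client", "flags": "SYN", "seq": client_isn, "ack": None},
            {"from": "server", "flags": "SYN,ACK", "seq": server_isn, "ack": client_isn + 1},
            {"from": "client", "flags": "ACK", "seq": client_isn + 1, "ack": server_isn + 1}]

def simulate_upload(file_size, rwnd_by_round, ssthresh=64, max_rounds=200):
    """Per-RTT model of the sender during the file upload (an illustration, not a TCP stack).

    rwnd_by_round: the receiver's advertised Window Size in bytes for each round (the last
    value repeats). Returns (round, cwnd_in_segments, rwnd_bytes, bytes_sent, limiter) per round.
    """
    cwnd, sent, rounds = 1, 0, []                      # slow start: begin with one segment
    for rnd in range(1, max_rounds + 1):
        rwnd = rwnd_by_round[min(rnd - 1, len(rwnd_by_round) - 1)]
        # Flow control: the receiver's Window Size caps what may be in flight, whatever cwnd says.
        allowed = min(cwnd, rwnd // MSS)
        limiter = "rwnd" if rwnd // MSS < cwnd else "cwnd"
        remaining_segments = (file_size - sent + MSS - 1) // MSS
        segments = min(allowed, remaining_segments)
        bytes_now = min(segments * MSS, file_size - sent)
        rounds.append((rnd, cwnd, rwnd, bytes_now, limiter))
        sent += bytes_now
        if sent >= file_size:
            break
        if segments == 0:
            continue          # zero window: only a window probe is sent and cwnd does not change
        # Congestion control: in slow start every ACKed segment adds one to cwnd (doubling per
        # RTT) until ssthresh; afterwards congestion avoidance adds about one segment per RTT.
        cwnd = cwnd + segments if cwnd < ssthresh else cwnd + 1
    return rounds
```

In the capture, slow start shows up as bursts of 1, 2, 4, 8 ... segments between consecutive acknowledgements, while a shrinking Window Size from the server caps the burst regardless of how far cwnd has grown.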
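For the FTP login task and the SECURITY question, an added Python example (not part of the original lab) applies the same readability check to a constructed FTP control-channel transcript and to a constructed TLS record: the FTP credentials can be reassembled from cleartext (the finding records the password's length, not the password), while of the TLS record only the five-byte header can be interpreted. The transcript, the credentials and the ciphertext bytes are all made up.

```python
import struct

def looks_like_cleartext(payload):
    """True when every byte is printable ASCII or CR/LF, i.e. an analyst could read it as text."""
    return len(payload) > 0 and all(32 <= b < 127 or b in (10, 13) for b in payload)

# Constructed FTP control-channel segments in capture order (direction, TCP payload); made-up values.
FTP_SAMPLE = [
    ("server", b"220 FTP server ready\r\n"),
    ("client", b"USER labuser\r\n"),
    ("server", b"331 Password required for labuser\r\n"),
    ("client", b"PASS correct-horse\r\n"),
    ("server", b"230 User labuser logged in\r\n"),
    ("client", b"TYPE I\r\n"),
]

def audit_ftp_login(segments):
    """Reassemble USER/PASS exchanges and report credentials that crossed the wire unencrypted.

    The password itself is not kept, only its length; 'accepted' reflects the server's reply
    (230 = logged in, 530 = rejected), so the finding also says whether the credential was valid.
    """
    findings, user = [], None
    for direction, payload in segments:
        line = payload.decode("ascii", "replace").rstrip("\r\n")
        if direction == "client":
            command, _, argument = line.partition(" ")
            if command.upper() == "USER":
                user = argument
            elif command.upper() == "PASS":
                findings.append({"user": user, "password_len": len(argument), "accepted": None})
        elif findings and findings[-1]["accepted"] is None and line[:3].isdigit():
            findings[-1]["accepted"] = line.startswith("230")
    return findings

# TLS record content types; the version field is the legacy 0x0303 for both TLS 1.2 and TLS 1.3.
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# Constructed application_data record: 5-byte header followed by 16 bytes of made-up ciphertext.
TLS_SAMPLE = bytes.fromhex("1703030010") + bytes.fromhex("9c4e7f02d1a8b3e6f04c21d7a95b3e10")

def tls_record_summary(record):
    """Everything a passive sniffer can read from a TLS record is its header; the payload is
    ciphertext, so the readability test that exposes the FTP credentials fails here."""
    content_type, version, length = struct.unpack("!BHH", record[:5])
    payload = record[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated TLS record")
    return {"type": TLS_CONTENT_TYPES.get(content_type, content_type), "version": "0x%04x" % version,
            "length": length, "payload_readable": looks_like_cleartext(payload)}
```

This is the practical answer to the SECURITY question: Wireshark can still show that a TLS session exists, its record types and sizes, but the application data inside is not recoverable from the capture without the session keys.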