Computer Networks

1
Computer Networks

• Project 4
• Understanding Protocols

2
TABLE OF CONTENTS

• Project Overview
• Report Format
• Environment and Tools
• Taking Ethereal For a Test Drive
• The Program Emma
• An Environment Question
• Understanding TCP
• Understanding ARP
• Understanding Netstat
• Understanding ifconfig
• Snooping Network Traffic

3
Project Overview

• The purpose of this Project is to become familiar
  with a number of tools that can be used for
  probing whats happening at the Transport,
  Network, and Link Level of your machine.
• This consists of trying various commands to
  understand the configuration of your machine. It
  also includes using tools to watch and understand
  packets traveling across the network.
• In addition youll become knowledgeable about the
  contents of transpoort, network and MAC headers.
• You can work on this either singly or in pairs.
• Have fun.

4
Report Format

• What will you be handing in?
• The answer is everything and absolutely
  nothing.
• Your goal in this entire lab is to prepare for an
  exam on this material. You can collect any data
  you want here. You can print it out and bring it
  to the exam you can bring as much paper as you
  want.
• What will be on this exam?
• It will ask very concrete questions about how to
  use ethereal and the other tools. It will also
  ask more general questions about packets, fields,
  etc. Thats why it will be a good idea to do
  these labs and remember what you did.

5
Environment and Tools
Connection To World 140.132.1.139
Switch
Hub
Tarski
192.168.1.1

• 192.168.1.2

192.168.1.4
192.168.1.5
192.168.1.3
NET1 This machine has two NICs
NET4
NET5
NET2
NET3
All machines have username / password root /
NetLab Note that by running root you have
complete control over the machine.
6
Environment and Tools
Getting Around You can log into any of the
machines Net2 Net5 via terminal/monitor.
Warning, Net2 is very slow and will be used only
indirectly in this lab. You can ssh between any
of the machines net1 net5 by using their IP
address we arent running a nameserver so you
will not be able to do something like ping
Net2. Saving data between the Networks Lab and
the rest of the world During the course of doing
these various measurements, youll be collecting
a lot of data. This data will be output from
Ethereal, various other outputs, and so on. But
theres no printing or saving facilities in the
lab. So you would really like to get the data
back to your home directory in the regular CS lab
to get your file back to spears. From any of
the machines, you can ssh to tarski (also called
Net1), the machine that sees the world. ssh b
192.168.1.1 l Being able
to ssh in this fashion may or may not be useful
to you. What IS useful is being able to copy
files between nodes. Suppose Im on net2 and I
want to transfer the file CollectedWisdom to my
home directory on Spears. I do that with the
command scp which you can look up. Heres an
example of its use scp CollectedWisdom
jbreecher_at_192.168.1.1CollectedWisdom This will
deposit the file Collected Wisdom in my home
directory.
7
Environment and Tools

• Some of the simple tools you will use include
• ARP Netstat Ipconfig ping ftp telnet
  ssh
• You can read about these for your system as
  described later.
• Ethereal can be downloaded from http//www.etherea
  l.com/
• However, it is already installed on the machines
  in the Network Lab so you wont need to download
  it. A manual describing its behavior is at
  http//www.ethereal.com/docs/
• Chapter 1 gives an overview of the product,
  Chapter 3 gives details of its usage.
• Theres also a nice summary produced by Kurose
  and Ross at
• http//gaia.cs.umass.edu/ethereal-labs/labs/Ethe
  real_INTRO.pdf
• Id recommend that you read portions of this
  document.
• In fact the whole thing will be useful to you
  except we will not need
• Getting Ethereal on page 3.
• We will replace Taking Ethereal For a Test
  Run with our own version.
• This lab has been written for the machines in the
  Networks Lab. These instructions dont work on
  the machines in the general lab because Ethereal
  is very privileged. Using Ethereal you can see
  all the packets coming into the machine, whether
  those packets are generated by you, or by someone
  else.
• You COULD run ethereal on your own home computer,
  but there are a number of items that work well or
  work only on machines connected on their own
  subnet and we want to observe this behavior.

8
Taking Ethereal For A Test Drive

• The best way to learn about any new piece of
  software is to try it out! Do the following
• Log on to net5. Get a command line started.
  Start up the Ethereal software by saying
  ethereal. You will initially see a window
  similar to that shown in Figure 2
• 2. Now get back to the command line and do a ping
  to net2 by typing ping 192.168.1.2
• 3. Returning to ethereal, to begin packet
  capture, select the Capture pull down menu and
  select options. This will cause the Ethereal
  Capture Options window to be displayed, as shown
  in Figure 3.

Figure 2
Figure 3
9
Taking Ethereal For A Test Drive

• 4. You can use all of the default values in this
  window. The network interfaces (i.e., the
  physical connections) that your computer has to
  the network will be shown in the Interface pull
  down menu at the top of the Capture Options
  window.
• After selecting the network interface (or -
  most likely -using the default interface chosen
  by Ethereal), click Start. Packet capture will
  now begin - all packets being sent/received
  from/by your computer are now being captured by
  Ethereal!
• 5. Once you begin packet capture, a packet
  capture summary window will appear, as shown in
  Figure 4. This window summarizes the number of
  packets of various types that are being captured,
  and (importantly!) contains the Stop button that
  will allow you to stop packet capture. Dont stop
  packet capture yet.

Figure 4
10
Taking Ethereal For A Test Drive

• 6. After ethereal has captured 30 50 packets,
  stop Ethereal packet capture by selecting stop in
  the Ethereal capture window. This will cause the
  Ethereal capture window to disappear and the main
  Ethereal window to display all packets captured
  since you began packet capture. The main Ethereal
  window should now look similar to Figure 5. You
  now have live packet data that contains all
  protocol messages exchanged between your computer
  and other network entities!

Figure 5
11
Taking Ethereal For A Test Drive

• 7. The ping message communications with the net2
  node should appear somewhere in the listing of
  packets captured. But there will be other types
  of packets displayed as well. Even though the
  only action you took was to run ping, there were
  evidently many other protocols running on your
  computer that are unseen by the user. Well learn
  much more about these protocols as we progress
  through the text! For now, you should just be
  aware that there is often much more going on than
  meets the eye!
• 8. Type in icmp (without the quotes, and in
  lower case all protocol names are input in
  lower case in Ethereal) into the display filter
  specification window at the top of the main
  Ethereal window. Then select Apply (to the right
  of where you entered icmp). This will cause
  only ICMP message to be displayed in the
  packet-listing window.
• 9. Select the first icmp message shown in the
  packet-listing window. This should be the first
  ping message that was sent from net5 to net2.
  When you select this message, the Ethernet frame,
  IP datagram, etc. information will be displayed
  in the packet-header window. Play around try
  clicking on various packet information in the
  windows, and figure out what it does.

12
Taking Ethereal For A Test Drive

• 10 Saving captured traffic You will want to save
  the data inside ethereal to take home with you.
  Remember the total process involves printing the
  data to an ascii file as described here, and then
  doing an scp to tarski as described on a previous
  page.
• Save the results of the captured traffic as a
  plain text file.
• This is done by selecting Print in the File
  menu. When a Print window pops up, select the
  options and set a filename.
• Selecting print options in the Print window for
  saving captured traffic to plain text files
• o Select the format "Plain Text".
• o Select the File checkbox and type the
  filename in the field next to the File button.
• o Select Print summary if you want to save only
  some high level information on each packet. Print
  summary is usually sufficient.
• o Select Print detail and "Expand all levels"
  if you want to save all details of all packets at
  all levels.
• o Click the OK button to complete the save
  operation.
• Play with the various options here and see what
  gets produced. You can also do save as to
  produce a file that you can display using
  ethereal on your home machine.
• 11. Exit Ethereal

13
The Program Emma

• Theres a small program named emma that you will
  be using for TCP tests later on. Heres a
  description of the program that will help you
  later on. Remember way back in Project 0 you
  built a client and server that simply sent
  messages back and forth between each other. This
  program is an offshoot of the code from Project
  0. The code for emma.c is available on all the
  netlab machines.
• Emma has one executable, but it can be run as
  either a sender or a receiver but it does only
  that one instance of the program sends only,
  and the other receives only. Here are the inputs
  for emma
• emma Address
• or UDP
• The program expects switches in a particular
  format. See examples below
• -b - The total bytes to be sent, after
  which sender closes the
• connection. Note the receiver may
  not receive this many bytes.
• -d - Direction - your choices are Send or
  Receive. The receiver also
• does the accept while the Sender
  will do the connect.
• -i - IP Address - in the form
  uuu.vvv.www.xxx. This is needed for the
• Sender/Connector only - it shows how
  to get to the receiver.
• -p - Port that the receiver will accept
  on. Both sides need to know this.
• The default port is built into the
  program - this switch is optional.
• -s - Size of request to be sent or
  received.
• -t - Transport protocol - either TCP
  (default) or UDP
• Example
• emma -d Send -i 140.232.101.125 -b
  1000000
• emma -d Receive -s 50

14
An Environment Question

• So now you understand how ethereal works you
  can get it running and you can see results. So
  run the following test
• On net5, run ping to net2 (192.168.1.2). It
  should run forever, or until you stop it.
• Run ethereal on net4 and on net3.
• Observe the ping packets that are going by.
• What do you see?
• Explain the difference in terms of switches and
  hubs note that net3 is connected to a switch
  and net4 is connected to a hub. Why does this
  matter?

15
Understanding TCP

• In this part you will look at transport headers
  and information as produced by TCP.
• This falls into the following topics
• Looking at connections and closes.
• Looking at large data transfers flow control.
• Solving a mystery.
• Looking at connections and closes.
• Perform the following steps
• Start the program emma as a receiver on net2 ?
  emma -d Receive -s 50
• Start ethereal on net5 get it so its enabled
  to capture packets.
• Start emma on net5 using this command ?
• emma -d Send -i 192.168.1.2 -b 5000 s 50
• Emma should complete fairly quickly on net5.
• Stop ethereal.
• Since you commanded ethereal to send only 5000
  bytes,
• you should see the entire transaction the
  connection, a small amount
• of data transfer, and then a close of the
  connection.

16
Understanding TCP

• What is the IP address and TCP port number used
  by the net5 node (source) that is transferring
  the file to net2? ?To answer this question, its
  probably easiest to select a TCP message and
  explore the details of the TCP packet used to
  carry this message, using the details of the
  selected packet header window.
• What is the IP address and port on the
  destination node, net2?
• What is the sequence number of the TCP SYN
  segment that is used to initiate the TCP
  connection between net5 computer and net2? What
  is it in the segment that identifies the segment
  as a SYN segment?
• What is the sequence number of the SYNACK segment
  sent by net2 to net5 in reply to the SYN? What is
  the value of the ACKnowledgement field in the
  SYNACK segment? How did net2 determine that
  value? What is it in the segment that identifies
  the segment as a SYNACK segment?
• What is the sequence number of the TCP segment
  containing the first data segment? How do you
  know that its data rather than part of the
  connection request? This segment is the packet
  sent by net5 immediately after the SYN segment.
  How does this sequence number compare to the one
  you found for the SYN?

17
Understanding TCP

• What are the sequence numbers of the remaining
  data transfer segments? At what time was each
  segment sent? At what time was the
  acknowledgement for each of these segments
  received?
• Given the difference between when each
  TCP segment was sent, and when its
  acknowledgement was received, what is the RTT
  value for each of the six segments? What is the
  Estimated RTT value (see page 237 in text) after
  the receipt of each ACK? Assume that the value of
  the Estimated RTT is equal to the measured RTT
  for the first segment, and then is computed using
  the Estimated RTT equation on page 237 for all
  subsequent segments.
• Note Ethereal has a nice feature
  that allows you to plot the RTT for each of the
  TCP segments sent. Select a TCP segment in the
  listing of captured packets window that is
  being sent from net5 to net2. Then select
  Statistics-TCP Stream Graph-Round Trip Time
  Graph.
• What does the connection close look like? How do
  you know its a close? Remember the answer to
  this means understanding how both sides react to
  a close request.
• The way emma is written, the sending side
  transmits the requested amount of data, and then
  closes the connection. So you should see net5
  (the sender) initiate the close. And you should
  see net2 then respond to that close request with
  its own close request.

18
Understanding TCP

• Looking at large data transfers flow control.
• Perform the following steps
• Start the program emma as a receiver on net2 ?
  emma -d Receive -s 50
• Start ethereal on net4 get it so its enabled
  to capture packets.
• Start emma on net4 using this command ?
• emma -d Send -i 192.168.1.2 -b 10000000
• Wait a very few seconds. Stop ethereal the
  segments are going by very quickly so it wont
  take long to collect data.
• Heres the logic behind this set of commands.
  Net2 is an old slow machine. It shouldnt be
  able to keep up with net4. Besides, weve told
  net2 to make receive requests of only 50 bytes at
  a time whereas net4 is sending 1460 bytes at a
  time. This should force flow control with net2
  reducing its receive window on occasion in order
  to keep net4 in check.
• Answer these questions
• What is the length of each of the first six data
  transfer TCP segments?
• What is the minimum amount of available buffer
  space advertised at the receiver for the entire
  trace? Does the lack of receiver buffer space
  ever throttle the sender? How can you tell this?
• Are there any retransmitted segments in the trace
  file? What did you check for (in the trace) in
  order to answer this question?
• How much data does the receiver typically
  acknowledge in an ACK? Can you identify cases
  where the receiver is ACKing every other received
  segment (see Table 3.2 on page 245 in the text).
• What is the throughput (bytes transferred per
  unit time) for the TCP connection? Explain how
  you calculated this value.

19
Understanding TCP

• Select a TCP segment in the Ethereals listing
  of captured-packets window. Then select the
  menu (Statistics-TCP Stream Graph-
  Time-Sequence-Graph(Stevens). You should see a
  plot that looks similar to the following plot.
• Here, each dot represents a TCP segment sent,
  plotting the sequence number of the segment
  versus the time at which it was sent. Note that a
  set of dots stacked above each other represents a
  series of packets that were sent back-to-back by
  the sender.

• Use the Time-Sequence-Graph(Stevens) plotting
  tool to view the sequence number versus time plot
  of segments being sent from net4 to net2.
• Comment on ways in which the measured data
  differs from the idealized behavior of TCP that
  weve studied in the text.
• Additional graphs are in Statistics-TCP Stream
  Graph- Round Trip Time and Statistics-TCP
  Stream Graph- Throughput. Take a look at them
  and make sense of them.

20
Understanding TCP

• Solving a mystery.
• Heres the mystery. Emma, operating as a
  receiver, reports many fewer bytes received than
  the sending emma reports having sent. Does this
  mean that bytes are lost? Does it mean that one
  of the programs isnt reporting correctly? The
  goal is to use our environment to measure what is
  going on between two nodes running emma and
  determine if the problem is in the network or in
  emma.
• Perform the following steps
• Start ethereal on net3 (note this is NOT net2
  ) get it so its enabled to capture packets.
• Start the program emma as a receiver on net3 ?
  emma -d Receive
• Start ethereal on net4 get it so its enabled
  to capture packets.
• Start emma on net4 using this command ?emma -d
  Send -i 192.168.1.3 -b 10000
• The sender should finish within a few seconds.
  Stop both ethereals when emma is finished.
• So what is the answer to the mystery? We know
  that were running emma on a relatively fast
  receiver and that were not slowing it down by
  having it receive only small amounts of data.
  Here are some things to try
• How many bytes does ethereal say are being sent
  from node4? How many from node3?
• Is the close coming in the middle of the data on
  node3? This would mean that emma goes to do a
  receive and finds that the connection is closed,
  even though theres more data to be gotten.
• Which side is issuing the close?
• Can you determine if the network is behaving
  correctly?

21
Transfer files and clean up

• This would be a good time to stop and save your
  work.
• Do an scp and copy your files that youve been
  working on to tarski. Do you have a sensible
  naming scheme for these files so you can figure
  them out later?
• Its easy to generate all kinds of cruf in these
  directories. Please clean up.

22
Understanding ARP

• This part of the lab explores the operation of
  the Address Resolution Protocol (ARP) which
  resolves a MAC address for a given IP address. Yo
  will want to read about ARP in your text to get
  an overview of this section. The lab exercises
  use the command arp, for displaying and
  manipulating the contents of the ARP cache. The
  ARP cache is a table that holds entries of the
  form . The most common
  uses of the arp command are as follows
• arp a
• Displays the content of the ARP cache.
• arp d IPAddress or arp d
• Deletes the entry with IP address IPAddress, or
  all addresses.
• arp s IPaddress MAC_Address
• Adds a static entry to the ARP cache which is
  never overwritten by network events. The MAC
  address is entered as a 6 hexadecimal bytes
  separated by colons.
• Example arp s 00022D0D68C1
• Each complete entry in the ARP cache will be
  marked with the C flag. Permanent entries are
  marked with M and published entries have the P
  flag.

23
Understanding ARP

• Time-outs in the ARP cache
• The entries in an ARP cache have a limited
  lifetime. Entries are deleted unless they are
  refreshed. The typical lifetime of an ARP entry
  is 2 minutes, but much longer lifetimes (up to 20
  minutes) have been observed. You will want to
  verify when your system does remove ARP entries
  automatically after a certain amount of time.
• Refreshing the ARP cache
• You will observe that occasionally, a host sends
  out ARP requests to interfaces that are already
  in the ARP cache.
• Example Suppose that a host with IP address
  has an ARP cache entry
• is-at
• Then, this host occasionally sends an unicast ARP
  Request to MAC address 000283392C42 of the
  form
• Who has ? Tell
• to verify that the IP address is
  still present before deleting the entry from the
  ARP cache.

24
Understanding ARP

• Arp requests to a real address not in cache.
• Start capturing data with ethereal on net4.
• On net4, view the ARP cache with arp a and then
  delete all entries with the arp d option.
• 3. Issue a ping command from net4 to net2
• ping c 2 192.168.1.2
• Stop ethereal. Observe the ARP packets in the
  ethereal window. Explore the MAC addresses in the
  Ethernet headers of the captured packets. Direct
  your attention to the following fields
• The destination MAC address of the ARP Request
  packets.
• The Type field in the Ethernet headers of ARP
  packets and ICMP messages.
• 4. View the ARP cache again with the command arp
  -a. Note that ARP cache entries get
  refreshed/deleted fairly quickly. Note also that
  the cache needed to have data in it in order to
  satisfy the ping request.
• 5. Save the results of ethereal to a text file
  for later reference.
• Questions
• Use the saved data to answer the following
  questions
• What is the destination MAC address of an ARP
  Request packet? What does this mean?
• What are the different values of the Type field
  in the Ethernet headers that you observed?
• Use the captured data to discuss the process in
  which ARP acquires the MAC address for an IP
  address 192.168.1.2.

25
Understanding ARP

• ARP requests for a non-real address
• Observe what happens when an ARP Request is
  issued for an IP address that does not exist.
• 1. Start capturing data with ethereal on net4.
• 2. Establish a Telnet session from net4 to
  10.0.1.10 (Note that this address does not exist
  on this network)
• telnet 10.0.1.10
• 3. Observe the time interval and the frequency
  with which net4 transmits ARP Request packets.
  Repeat the experiment a number of times to
  discover the pattern.
• 4. Save the captured output.
• Questions
• Using the saved output, describe the time
  interval between each ARP Request packet issued
  by net4 Describe the method used by ARP to
  determine the time between retransmissions of an
  unsuccessful ARP Request. Include relevant data
  to support your answer.
• Why are ARP Request packets not transmitted
  (i.e. not encapsulated) as IP packets? Explain
  your answer.

26
Understanding Netstat

• The command netstat displays information on the
  network configuration and activity of a system,
  including network connections, routing tables,
  interface statistics, masquerade connections, and
  multicast memberships. The following exercise
  explores how to use the netstat command to
  extract different types of information about the
  network configuration of a host.
• Netstat has slightly different switches on
  Linux/Windows/Macs. In general, useful switches
  are -a, -e, -n, -r, -s. Read about and
  understand these usages.
• Exercise 6.
• On the netlab Linux node, try the different
  variations of the netstat command listed above
  and save the output to a file for your future
  reference.
• 1. Display information on the network interfaces
  by typing ????
• 2. Display the content of the IP routing table by
  typing ????
• 3. Display information on TCP and UDP ports that
  are currently in use by typing ????
• 4. Display the statistics of various networking
  protocols by typing ????

27
Understanding Netstat

• Questions
• Using the saved output, answer the following
  questions.
• What are the network interfaces of net4?
• How many IP datagrams, ICMP messages, UDP
  datagrams, and TCP segments has your machine
  transmitted and received since it was last
  rebooted?
• Show your machines routing table. What do the
  columns in this table mean. Explain, based on
  this table, how your machine determines routing
  behavior.
• Explain the role of interface lo, the loopback
  interface.
• In the port table produced by netstat a, pick
  one of the connections and explain it completely.
  What local program is using the port? What do
  listening and established mean?

28
Understanding ifconfig

• (Note, this is called ipconfig in the Windows
  world)
• USAGE
• ipconfig /? /all /release adapter
  /renew adapter
• /flushdns /registerdns
• /showclassid adapter
• Options
• /? Display this help message.
• /all Display full configuration
  information.
• /release Release the IP address for
  the specified adapter.
• /renew Renew the IP address for the
  specified adapter.
• /flushdns Purges the DNS Resolver
  cache.
• /registerdns Refreshes all DHCP leases
  and re-registers DNS names
• /displaydns Display the contents of the
  DNS Resolver Cache.
• /showclassid Displays all the dhcp class
  IDs allowed for adapter.

Play with these see what they do. Some may
force a reboot.
29
Snooping Network Traffic

• Snoop Passwords from a telnet session
• Capture traffic from a telnet session between two
  hosts.
• On net4, run the ethereal command and start it
  capturing.
• On net4, start up a telnet session to net3
  telnet 192.168.1.3
• When net 3 responds, try to log in with a
  username/password. As it turns out, there isnt
  really a telnet working, so your login request
  will fail. But thats just fine.
• Stop ethereal and look at the packets. Find the
  packets that have username and password. What do
  they look like?
• In ethereal, there is a simple method to view the
  payload sent in a TCP connection. Simply select a
  packet that contains a TCP segment in the main
  window of ethereal, and then click on "Follow TCP
  Stream" in the "Tools" menu of the ethereal
  window. This will create a new window that
  displays only the payload of the selected TCP
  connection.
• Save the details of the packets, i.e., select
  Print details in the Print window of
  ethereal, which transmit the login name and
  password. As a hint, you can set the display
  filter in ethereal to show only the desired
  packet(s).
• Questions
• Using the saved output, identify the port
  numbers of the telnet client and the telnet
  server.
• Identify the login name and the password, shown
  in plain text in the payload of the packets that
  you captured.

30
Snooping Network Traffic

• Snoop an ssh session
• SSH is supposedly secure. In this section you
  will determine if it is.
• Run ethereal on net4, and start to capture
  traffic.
• ssh from net4 to net3 and log in.
• Perform several simple commands that will produce
  packets traveling back and forth between net4 and
  net3.
• Save the ethereal output to a text file (using
  the Print Summary option).
• Questions
• Describe what you see with respect to
  username/password encryption. Explain the
  sequence of packets that accomplish this login.
• Describe what you see with respect to data
  transfer.
• Given enough data and knowing the data being
  sent, could you crack this encryption?