Title: Computer Networks
Slide 1: Computer Networks
- Project 4
- Understanding Protocols
Slide 2: TABLE OF CONTENTS
- Project Overview
- Report Format
- Environment and Tools
- Taking Ethereal For a Test Drive
- The Program Emma
- An Environment Question
- Understanding TCP
- Understanding ARP
- Understanding Netstat
- Understanding ifconfig
- Snooping Network Traffic
Slide 3: Project Overview
- The purpose of this Project is to become familiar with a number of tools that can be used for probing what's happening at the Transport, Network, and Link level of your machine.
- This consists of trying various commands to understand the configuration of your machine. It also includes using tools to watch and understand packets traveling across the network.
- In addition you'll become knowledgeable about the contents of transport, network and MAC headers.
- You can work on this either singly or in pairs.
- Have fun.
Slide 4: Report Format
- What will you be handing in?
- The answer is everything and absolutely nothing.
- Your goal in this entire lab is to prepare for an exam on this material. You can collect any data you want here. You can print it out and bring it to the exam; you can bring as much paper as you want.
- What will be on this exam?
- It will ask very concrete questions about how to use ethereal and the other tools. It will also ask more general questions about packets, fields, etc. That's why it will be a good idea to do these labs and remember what you did.
Slide 5: Environment and Tools
[Network diagram: the connection to the world (140.132.1.139) arrives at Tarski, labelled NET1 and noted as "this machine has two NICs", at 192.168.1.1; the lab side shows NET2 through NET5 attached through a switch and a hub, with the addresses 192.168.1.3, 192.168.1.4 and 192.168.1.5 appearing beside them.]
All machines have username / password root / NetLab. Note that by running as root you have complete control over the machine.
Slide 6: Environment and Tools
Getting Around: You can log into any of the machines Net2 through Net5 via terminal/monitor. Warning: Net2 is very slow and will be used only indirectly in this lab. You can ssh between any of the machines net1 through net5 by using their IP address; we aren't running a nameserver, so you will not be able to do something like "ping Net2".
Saving data between the Networks Lab and the rest of the world: During the course of doing these various measurements, you'll be collecting a lot of data. This data will be output from Ethereal, various other outputs, and so on. But there are no printing or saving facilities in the lab. So you would really like to get the data back to your home directory in the regular CS lab, that is, to get your file back to spears. From any of the machines, you can ssh to tarski (also called Net1), the machine that sees the world: ssh b 192.168.1.1 l
Being able to ssh in this fashion may or may not be useful to you. What IS useful is being able to copy files between nodes. Suppose I'm on net2 and I want to transfer the file CollectedWisdom to my home directory on Spears. I do that with the command scp, which you can look up. Here's an example of its use:
scp CollectedWisdom jbreecher@192.168.1.1:CollectedWisdom
This will deposit the file CollectedWisdom in my home directory.
Slide 7: Environment and Tools
- Some of the simple tools you will use include:
- ARP, Netstat, Ipconfig, ping, ftp, telnet, ssh
- You can read about these for your system as described later.
- Ethereal can be downloaded from http://www.ethereal.com/
- However, it is already installed on the machines in the Network Lab so you won't need to download it. A manual describing its behavior is at http://www.ethereal.com/docs/
- Chapter 1 gives an overview of the product, Chapter 3 gives details of its usage.
- There's also a nice summary produced by Kurose and Ross at
- http://gaia.cs.umass.edu/ethereal-labs/labs/Ethereal_INTRO.pdf
- I'd recommend that you read portions of this document.
- In fact the whole thing will be useful to you, except we will not need "Getting Ethereal" on page 3.
- We will replace "Taking Ethereal For a Test Run" with our own version.
- This lab has been written for the machines in the Networks Lab. These instructions don't work on the machines in the general lab because Ethereal is very privileged. Using Ethereal you can see all the packets coming into the machine, whether those packets are generated by you or by someone else.
- You COULD run ethereal on your own home computer, but there are a number of items that work well or work only on machines connected on their own subnet, and we want to observe this behavior.
Slide 8: Taking Ethereal For A Test Drive
- The best way to learn about any new piece of software is to try it out! Do the following:
- 1. Log on to net5. Get a command line started. Start up the Ethereal software by saying "ethereal". You will initially see a window similar to that shown in Figure 2.
- 2. Now get back to the command line and do a ping to net2 by typing "ping 192.168.1.2".
- 3. Returning to ethereal, to begin packet capture, select the Capture pull-down menu and select Options. This will cause the Ethereal Capture Options window to be displayed, as shown in Figure 3.
Figure 2
Figure 3
Slide 9: Taking Ethereal For A Test Drive
- 4. You can use all of the default values in this window. The network interfaces (i.e., the physical connections) that your computer has to the network will be shown in the Interface pull-down menu at the top of the Capture Options window.
- After selecting the network interface (or, most likely, using the default interface chosen by Ethereal), click Start. Packet capture will now begin: all packets being sent/received from/by your computer are now being captured by Ethereal!
- 5. Once you begin packet capture, a packet capture summary window will appear, as shown in Figure 4. This window summarizes the number of packets of various types that are being captured, and (importantly!) contains the Stop button that will allow you to stop packet capture. Don't stop packet capture yet.
Figure 4
Slide 10: Taking Ethereal For A Test Drive
- 6. After ethereal has captured 30 to 50 packets, stop Ethereal packet capture by selecting Stop in the Ethereal capture window. This will cause the Ethereal capture window to disappear and the main Ethereal window to display all packets captured since you began packet capture. The main Ethereal window should now look similar to Figure 5. You now have live packet data that contains all protocol messages exchanged between your computer and other network entities!
Figure 5
Slide 11: Taking Ethereal For A Test Drive
- 7. The ping message communications with the net2 node should appear somewhere in the listing of packets captured. But there will be other types of packets displayed as well. Even though the only action you took was to run ping, there were evidently many other protocols running on your computer that are unseen by the user. We'll learn much more about these protocols as we progress through the text! For now, you should just be aware that there is often much more going on than meets the eye!
- 8. Type in "icmp" (without the quotes, and in lower case; all protocol names are input in lower case in Ethereal) into the display filter specification window at the top of the main Ethereal window. Then select Apply (to the right of where you entered "icmp"). This will cause only ICMP messages to be displayed in the packet-listing window.
- 9. Select the first icmp message shown in the packet-listing window. This should be the first ping message that was sent from net5 to net2. When you select this message, the Ethernet frame, IP datagram, etc. information will be displayed in the packet-header window. Play around: try clicking on various packet information in the windows, and figure out what it does.
Slide 12: Taking Ethereal For A Test Drive
- 10. Saving captured traffic: You will want to save the data inside ethereal to take home with you. Remember the total process involves printing the data to an ASCII file as described here, and then doing an scp to tarski as described on a previous page.
- Save the results of the captured traffic as a plain text file.
- This is done by selecting Print in the File menu. When a Print window pops up, select the options and set a filename.
- Selecting print options in the Print window for saving captured traffic to plain text files:
  o Select the format "Plain Text".
  o Select the File checkbox and type the filename in the field next to the File button.
  o Select "Print summary" if you want to save only some high-level information on each packet. Print summary is usually sufficient.
  o Select "Print detail" and "Expand all levels" if you want to save all details of all packets at all levels.
  o Click the OK button to complete the save operation.
- Play with the various options here and see what gets produced. You can also do "save as" to produce a file that you can display using ethereal on your home machine.
- 11. Exit Ethereal.
Slide 13: The Program Emma
- There's a small program named emma that you will be using for TCP tests later on. Here's a description of the program that will help you later on. Remember way back in Project 0 you built a client and server that simply sent messages back and forth between each other. This program is an offshoot of the code from Project 0. The code for emma.c is available on all the netlab machines.
- Emma has one executable, and it can be run as either a sender or a receiver, but it does only that: one instance of the program sends only, and the other receives only. Here are the inputs for emma:
- emma Address
- or UDP
- The program expects switches in a particular format. See examples below:
- -b  The total bytes to be sent, after which the sender closes the connection. Note the receiver may not receive this many bytes.
- -d  Direction: your choices are Send or Receive. The receiver also does the accept while the Sender will do the connect.
- -i  IP Address, in the form uuu.vvv.www.xxx. This is needed for the Sender/Connector only; it shows how to get to the receiver.
- -p  Port that the receiver will accept on. Both sides need to know this. The default port is built into the program, so this switch is optional.
- -s  Size of request to be sent or received.
- -t  Transport protocol: either TCP (default) or UDP.
- Example:
- emma -d Send -i 140.232.101.125 -b 1000000
- emma -d Receive -s 50
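To make the two roles concrete, here is an added Python sketch of what emma's Send and Receive sides do over TCP; it is not the lab's emma.c, and it runs both roles on loopback rather than on two lab machines. The switch names (-d, -i, -b, -s) follow the slide; the receive loop reads until the sender closes, which is the detail the later "Solving a mystery" section turns on.

```python
import socket
import threading

# Added example, not the lab's emma.c: a minimal Python sketch of emma's two
# roles (Send/Receive) so the -b and -s switches can be seen in action.
# Only loopback is used here; the lab runs the two roles on different hosts.


def make_listener(host="127.0.0.1", port=0):
    """Bind and listen on `port` (0 = let the OS pick a free one)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def run_receiver(listener, request_size):
    """emma -d Receive -s <request_size>: accept one connection, read until close.

    Each recv() asks for request_size bytes; TCP may hand back fewer, and only
    an empty result means the sender has closed.  Returns bytes received.
    """
    conn, _ = listener.accept()
    total = 0
    with conn:
        while True:
            chunk = conn.recv(request_size)
            if not chunk:          # b"" is the close; a short read is not
                break
            total += len(chunk)
    return total


def run_sender(address, port, total_bytes, request_size):
    """emma -d Send -i <address> -b <total_bytes> -s <request_size>.

    Connects, writes exactly total_bytes in request_size pieces, then closes
    (that close is the FIN the later TCP questions ask about).  Returns the
    number of bytes handed to the socket, which is what a sender reports.
    """
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.connect((address, port))
        while sent < total_bytes:
            n = min(request_size, total_bytes - sent)
            s.sendall(b"x" * n)    # content is irrelevant to the measurements
            sent += n
    return sent


def transfer(total_bytes, request_size):
    """Run both roles on loopback; return (bytes_sent, bytes_received)."""
    listener = make_listener()
    port = listener.getsockname()[1]
    result = {}

    def receiver():
        try:
            result["received"] = run_receiver(listener, request_size)
        finally:
            listener.close()

    t = threading.Thread(target=receiver)
    t.start()
    sent = run_sender("127.0.0.1", port, total_bytes, request_size)
    t.join()
    return sent, result["received"]


if __name__ == "__main__":
    # Same shape as "emma -d Send -b 5000 -s 50" against "emma -d Receive -s 50".
    print(transfer(5000, 50))
```

The receiver's count matches the sender's only because it keeps calling recv() until it returns an empty result; a receiver that stops on the first short read, or that treats a short read as the close, reports fewer bytes than were sent even though the network delivered every one of them.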
Slide 14: An Environment Question
- So now you understand how ethereal works; you can get it running and you can see results. So run the following test:
- On net5, run ping to net2 (192.168.1.2). It should run forever, or until you stop it.
- Run ethereal on net4 and on net3.
- Observe the ping packets that are going by.
- What do you see?
- Explain the difference in terms of switches and hubs; note that net3 is connected to a switch and net4 is connected to a hub. Why does this matter?
Slide 15: Understanding TCP
- In this part you will look at transport headers and information as produced by TCP.
- This falls into the following topics:
- Looking at connections and closes.
- Looking at large data transfers: flow control.
- Solving a mystery.
- Looking at connections and closes.
- Perform the following steps:
- Start the program emma as a receiver on net2: emma -d Receive -s 50
- Start ethereal on net5; get it so it's enabled to capture packets.
- Start emma on net5 using this command: emma -d Send -i 192.168.1.2 -b 5000 -s 50
- Emma should complete fairly quickly on net5.
- Stop ethereal.
- Since you commanded emma to send only 5000 bytes, you should see the entire transaction: the connection, a small amount of data transfer, and then a close of the connection.
Slide 16: Understanding TCP
- What is the IP address and TCP port number used by the net5 node (source) that is transferring the file to net2? To answer this question, it's probably easiest to select a TCP message and explore the details of the TCP packet used to carry this message, using the details of the selected packet header window.
- What is the IP address and port on the destination node, net2?
- What is the sequence number of the TCP SYN segment that is used to initiate the TCP connection between the net5 computer and net2? What is it in the segment that identifies the segment as a SYN segment?
- What is the sequence number of the SYNACK segment sent by net2 to net5 in reply to the SYN? What is the value of the ACKnowledgement field in the SYNACK segment? How did net2 determine that value? What is it in the segment that identifies the segment as a SYNACK segment?
- What is the sequence number of the TCP segment containing the first data segment? How do you know that it's data rather than part of the connection request? This segment is the packet sent by net5 immediately after the SYN segment. How does this sequence number compare to the one you found for the SYN?
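The questions above are all answered by reading header fields, so here is an added example (not part of the lab) that builds the IPv4/TCP packets of a three-way handshake plus the first data segment and decodes them the way Ethereal's packet-header window would. The addresses, ports and initial sequence numbers are constructed sample values; net5's address and emma's port number are assumptions, not taken from the lab.

```python
import struct

# Added example (not from the lab): build IPv4/TCP packets for a three-way
# handshake plus the first data segment, then decode them, so the fields the
# questions ask about (addresses, ports, sequence and ACK numbers, the
# SYN/ACK flag bits) can be read straight from the bytes.  All addresses,
# ports and initial sequence numbers are constructed sample values.

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def build_tcp(sport, dport, seq, ack, flags, payload=b"", window=5840):
    """20-byte TCP header with no options; checksum left at 0 (not verified)."""
    data_offset = 5 << 12                      # header length in 32-bit words
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      data_offset | flags, window, 0, 0)
    return hdr + payload


def build_ipv4(src, dst, segment):
    """Minimal IPv4 header (protocol 6 = TCP) around a TCP segment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0x4000,
                      64, 6, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + segment


def parse(packet):
    """Decode the fields Ethereal shows in the packet-header window."""
    ihl = (packet[0] & 0x0F) * 4
    sport, dport, seq, ack, off_flags, window = struct.unpack(
        "!HHIIHH", packet[ihl:ihl + 16])
    tcp_len = (off_flags >> 12) * 4
    return {
        "src": ".".join(map(str, packet[12:16])),
        "dst": ".".join(map(str, packet[16:20])),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [n for n, bit in TCP_FLAGS.items() if off_flags & bit],
        "window": window,
        "payload_len": len(packet) - ihl - tcp_len,
    }


def kind(seg):
    """What identifies a segment: its flag bits and whether it carries data."""
    f = set(seg["flags"])
    if f == {"SYN"}:
        return "SYN"
    if f == {"SYN", "ACK"}:
        return "SYNACK"
    if seg["payload_len"] > 0:
        return "data"
    return "FIN" if "FIN" in f else "ACK"


def handshake_sample():
    """SYN, SYNACK, ACK and first data segment between two constructed hosts."""
    a, b = "192.168.1.5", "192.168.1.2"      # net5 address assumed; net2 per lab
    a_port, b_port = 32770, 5555             # ephemeral and emma ports: assumed
    isn_a, isn_b = 1_000_000, 5_000_000      # constructed initial seq numbers
    S, A, P = TCP_FLAGS["SYN"], TCP_FLAGS["ACK"], TCP_FLAGS["PSH"]
    packets = [
        build_ipv4(a, b, build_tcp(a_port, b_port, isn_a, 0, S)),
        build_ipv4(b, a, build_tcp(b_port, a_port, isn_b, isn_a + 1, S | A)),
        build_ipv4(a, b, build_tcp(a_port, b_port, isn_a + 1, isn_b + 1, A)),
        # first data segment: 50 bytes, the -s 50 request size from the lab
        build_ipv4(a, b, build_tcp(a_port, b_port, isn_a + 1, isn_b + 1,
                                   P | A, b"x" * 50)),
    ]
    return [parse(p) for p in packets]


if __name__ == "__main__":
    for seg in handshake_sample():
        print(kind(seg), seg["src"], seg["sport"], "->", seg["dst"],
              seg["dport"], "seq", seg["seq"], "ack", seg["ack"])
```

Two relationships worth checking against your own capture: the SYNACK's acknowledgement number is the SYN's sequence number plus one (the SYN consumes one sequence number even though it carries no data), and the first data segment starts at that same value, which is how you tell it apart from the handshake.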
Slide 17: Understanding TCP
- What are the sequence numbers of the remaining data transfer segments? At what time was each segment sent? At what time was the acknowledgement for each of these segments received?
- Given the difference between when each TCP segment was sent and when its acknowledgement was received, what is the RTT value for each of the six segments? What is the Estimated RTT value (see page 237 in text) after the receipt of each ACK? Assume that the value of the Estimated RTT is equal to the measured RTT for the first segment, and then is computed using the Estimated RTT equation on page 237 for all subsequent segments.
- Note: Ethereal has a nice feature that allows you to plot the RTT for each of the TCP segments sent. Select a TCP segment in the "listing of captured packets" window that is being sent from net5 to net2. Then select Statistics > TCP Stream Graph > Round Trip Time Graph.
- What does the connection close look like? How do you know it's a close? Remember the answer to this means understanding how both sides react to a close request.
- The way emma is written, the sending side transmits the requested amount of data, and then closes the connection. So you should see net5 (the sender) initiate the close. And you should see net2 then respond to that close request with its own close request.
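The RTT questions are a small calculation once the timestamps are in hand, so here is an added worked example (not part of the lab) that computes SampleRTT and EstimatedRTT for six segments. The EstimatedRTT recurrence used is the exponentially weighted moving average given in Kurose & Ross, EstimatedRTT = (1 - alpha) * EstimatedRTT + alpha * SampleRTT with alpha = 1/8, seeded with the first sample as the slide instructs; the six timestamps are constructed, not measured.

```python
# Added example (not from the lab): per-segment SampleRTT from send/ACK
# timestamps and the EstimatedRTT the slide refers to, computed as the
# exponentially weighted moving average from Kurose & Ross:
#     EstimatedRTT = (1 - alpha) * EstimatedRTT + alpha * SampleRTT, alpha = 1/8
# seeded with the first sample, as the slide instructs.  The six timestamps
# below are constructed (microseconds), not measured in the lab.

ALPHA = 0.125

# (first sequence number of the segment, time sent, time its ACK arrived)
SAMPLE_TRACE = [
    (1,   0,    800),
    (51,  1000, 2200),
    (101, 2400, 3400),
    (151, 3600, 5200),
    (201, 5300, 6200),
    (251, 6400, 7500),
]


def sample_rtts(trace):
    """SampleRTT per segment = ACK arrival time - send time."""
    return [(seq, ack_t - send_t) for seq, send_t, ack_t in trace]


def estimated_rtts(samples, alpha=ALPHA):
    """EstimatedRTT after each ACK; the first sample initialises the estimate."""
    out, est = [], None
    for seq, rtt in samples:
        est = rtt if est is None else (1 - alpha) * est + alpha * rtt
        out.append((seq, est))
    return out


def rtt_table(trace=SAMPLE_TRACE):
    """Rows of (seq, SampleRTT, EstimatedRTT): the table the questions ask for."""
    samples = sample_rtts(trace)
    return [(seq, rtt, est) for (seq, rtt), (_, est)
            in zip(samples, estimated_rtts(samples))]


if __name__ == "__main__":
    for seq, rtt, est in rtt_table():
        print(f"seq {seq:>4}  SampleRTT {rtt:>5} us  EstimatedRTT {est:10.3f} us")
```

Because alpha is small, the estimate moves only an eighth of the way toward each new sample; a single long RTT (the fourth segment here) nudges EstimatedRTT rather than replacing it, which is exactly the smoothing the textbook wants before the value is used for a timeout.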
Slide 18: Understanding TCP
- Looking at large data transfers: flow control.
- Perform the following steps:
- Start the program emma as a receiver on net2: emma -d Receive -s 50
- Start ethereal on net4; get it so it's enabled to capture packets.
- Start emma on net4 using this command: emma -d Send -i 192.168.1.2 -b 10000000
- Wait a very few seconds. Stop ethereal; the segments are going by very quickly so it won't take long to collect data.
- Here's the logic behind this set of commands. Net2 is an old slow machine. It shouldn't be able to keep up with net4. Besides, we've told net2 to make receive requests of only 50 bytes at a time whereas net4 is sending 1460 bytes at a time. This should force flow control, with net2 reducing its receive window on occasion in order to keep net4 in check.
- Answer these questions:
- What is the length of each of the first six data transfer TCP segments?
- What is the minimum amount of available buffer space advertised at the receiver for the entire trace? Does the lack of receiver buffer space ever throttle the sender? How can you tell this?
- Are there any retransmitted segments in the trace file? What did you check for (in the trace) in order to answer this question?
- How much data does the receiver typically acknowledge in an ACK? Can you identify cases where the receiver is ACKing every other received segment (see Table 3.2 on page 245 in the text)?
- What is the throughput (bytes transferred per unit time) for the TCP connection? Explain how you calculated this value.
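Each of the questions above can be answered mechanically from the captured segment list, so here is an added example (not part of the lab) that does so over a constructed trace. The trace is built to contain the interesting cases: a receiver window that shrinks, two moments where the sender has exactly filled that window, and one retransmission; the initial window is assumed to have come from the (omitted) SYNACK.

```python
from collections import namedtuple

# Added example (not from the lab): answer the flow-control questions
# mechanically from a list of captured segments.  The trace below is
# constructed to contain a shrinking receiver window, moments where the
# sender has filled that window, and one retransmission.
# "A" plays the sender (net4 role), "B" the receiver (net2 role).

Seg = namedtuple("Seg", "time src seq ack length window")

SAMPLE_TRACE = [
    Seg(0.000, "A", 1,     1,     1460, 5840),
    Seg(0.001, "A", 1461,  1,     1460, 5840),
    Seg(0.002, "A", 2921,  1,     1460, 5840),
    Seg(0.003, "A", 4381,  1,     1460, 5840),  # 5840 bytes in flight = rwnd
    Seg(0.010, "B", 1,     2921,  0,    2920),  # ACKs two segments, rwnd shrinks
    Seg(0.020, "B", 1,     5841,  0,    2920),
    Seg(0.021, "A", 5841,  1,     1460, 5840),
    Seg(0.022, "A", 7301,  1,     1460, 5840),  # 2920 in flight = rwnd again
    Seg(0.030, "B", 1,     8761,  0,    5840),
    Seg(0.031, "A", 8761,  1,     1460, 5840),
    Seg(0.032, "A", 10221, 1,     1460, 5840),
    Seg(0.040, "B", 1,     10221, 0,    5840),  # only the 8761 segment got through
    Seg(0.250, "A", 10221, 1,     1460, 5840),  # retransmission after timeout
    Seg(0.260, "B", 1,     11681, 0,    5840),
]
INITIAL_RWND = 5840   # assumed to have been advertised in B's SYNACK


def data_segments(trace, sender="A"):
    return [s for s in trace if s.src == sender and s.length > 0]


def first_lengths(trace, n=6):
    """Lengths of the first n data segments."""
    return [s.length for s in data_segments(trace)[:n]]


def min_advertised_window(trace, receiver="B"):
    """Smallest receive window the receiver ever advertised."""
    return min(s.window for s in trace if s.src == receiver)


def retransmissions(trace):
    """Data segments whose starting sequence number had already been sent."""
    seen, again = set(), []
    for s in data_segments(trace):
        if s.seq in seen:
            again.append(s)
        seen.add(s.seq)
    return again


def window_full_times(trace, initial_rwnd=INITIAL_RWND):
    """Times at which unacknowledged bytes reach the advertised window,
    i.e. the receiver's buffer space is holding the sender back."""
    rwnd, hits = initial_rwnd, []
    last_ack = data_segments(trace)[0].seq
    for s in trace:
        if s.src == "B":
            rwnd, last_ack = s.window, s.ack
        elif s.length and s.seq + s.length - last_ack >= rwnd:
            hits.append(s.time)
    return hits


def throughput(trace):
    """Bytes acknowledged per second across the whole trace."""
    acked = max(s.ack for s in trace if s.src == "B") - 1
    return acked / (trace[-1].time - trace[0].time)


if __name__ == "__main__":
    print("first lengths:", first_lengths(SAMPLE_TRACE))
    print("min rwnd:", min_advertised_window(SAMPLE_TRACE))
    print("retransmitted seqs:", [s.seq for s in retransmissions(SAMPLE_TRACE)])
    print("window full at:", window_full_times(SAMPLE_TRACE))
    print("throughput B/s:", round(throughput(SAMPLE_TRACE)))
```

Note that throughput is computed from bytes acknowledged, not bytes sent: the retransmitted segment crosses the wire twice but is delivered once, so counting sent bytes would overstate the connection's useful rate.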
Slide 19: Understanding TCP
- Select a TCP segment in Ethereal's "listing of captured packets" window. Then select the menu Statistics > TCP Stream Graph > Time-Sequence-Graph (Stevens). You should see a plot that looks similar to the following plot.
- Here, each dot represents a TCP segment sent, plotting the sequence number of the segment versus the time at which it was sent. Note that a set of dots stacked above each other represents a series of packets that were sent back-to-back by the sender.
- Use the Time-Sequence-Graph (Stevens) plotting tool to view the sequence number versus time plot of segments being sent from net4 to net2.
- Comment on ways in which the measured data differs from the idealized behavior of TCP that we've studied in the text.
- Additional graphs are in Statistics > TCP Stream Graph > Round Trip Time and Statistics > TCP Stream Graph > Throughput. Take a look at them and make sense of them.
Slide 20: Understanding TCP
- Solving a mystery.
- Here's the mystery. Emma, operating as a receiver, reports many fewer bytes received than the sending emma reports having sent. Does this mean that bytes are lost? Does it mean that one of the programs isn't reporting correctly? The goal is to use our environment to measure what is going on between two nodes running emma and determine if the problem is in the network or in emma.
- Perform the following steps:
- Start ethereal on net3 (note this is NOT net2); get it so it's enabled to capture packets.
- Start the program emma as a receiver on net3: emma -d Receive
- Start ethereal on net4; get it so it's enabled to capture packets.
- Start emma on net4 using this command: emma -d Send -i 192.168.1.3 -b 10000
- The sender should finish within a few seconds. Stop both ethereals when emma is finished.
- So what is the answer to the mystery? We know that we're running emma on a relatively fast receiver and that we're not slowing it down by having it receive only small amounts of data. Here are some things to try:
- How many bytes does ethereal say are being sent from node4? How many from node3?
- Is the close coming in the middle of the data on node3? This would mean that emma goes to do a receive and finds that the connection is closed, even though there's more data to be gotten.
- Which side is issuing the close?
- Can you determine if the network is behaving correctly?
Slide 21: Transfer files and clean up
- This would be a good time to stop and save your work.
- Do an scp and copy the files that you've been working on to tarski. Do you have a sensible naming scheme for these files so you can figure them out later?
- It's easy to generate all kinds of cruft in these directories. Please clean up.
Slide 22: Understanding ARP
- This part of the lab explores the operation of the Address Resolution Protocol (ARP), which resolves a MAC address for a given IP address. You will want to read about ARP in your text to get an overview of this section. The lab exercises use the command arp, for displaying and manipulating the contents of the ARP cache. The ARP cache is a table whose entries pair an IP address with the corresponding MAC address. The most common uses of the arp command are as follows:
- arp -a
- Displays the content of the ARP cache.
- arp -d IPAddress or arp -d
- Deletes the entry with IP address IPAddress, or all addresses.
- arp -s IPaddress MAC_Address
- Adds a static entry to the ARP cache which is never overwritten by network events. The MAC address is entered as 6 hexadecimal bytes separated by colons.
- Example: arp -s 00:02:2D:0D:68:C1
- Each complete entry in the ARP cache will be marked with the C flag. Permanent entries are marked with M and published entries have the P flag.
Slide 23: Understanding ARP
- Time-outs in the ARP cache
- The entries in an ARP cache have a limited lifetime. Entries are deleted unless they are refreshed. The typical lifetime of an ARP entry is 2 minutes, but much longer lifetimes (up to 20 minutes) have been observed. You will want to verify when your system does remove ARP entries automatically after a certain amount of time.
- Refreshing the ARP cache
- You will observe that occasionally, a host sends out ARP requests to interfaces that are already in the ARP cache.
- Example: Suppose that a host with IP address has an ARP cache entry
- is-at
- Then, this host occasionally sends a unicast ARP Request to MAC address 00:02:83:39:2C:42 of the form
- Who has ? Tell
- to verify that the IP address is still present before deleting the entry from the ARP cache.
Slide 24: Understanding ARP
- ARP requests to a real address not in cache.
- 1. Start capturing data with ethereal on net4.
- 2. On net4, view the ARP cache with arp -a and then delete all entries with the arp -d option.
- 3. Issue a ping command from net4 to net2: ping -c 2 192.168.1.2
- Stop ethereal. Observe the ARP packets in the ethereal window. Explore the MAC addresses in the Ethernet headers of the captured packets. Direct your attention to the following fields:
- The destination MAC address of the ARP Request packets.
- The Type field in the Ethernet headers of ARP packets and ICMP messages.
- 4. View the ARP cache again with the command arp -a. Note that ARP cache entries get refreshed/deleted fairly quickly. Note also that the cache needed to have data in it in order to satisfy the ping request.
- 5. Save the results of ethereal to a text file for later reference.
- Questions
- Use the saved data to answer the following questions:
- What is the destination MAC address of an ARP Request packet? What does this mean?
- What are the different values of the Type field in the Ethernet headers that you observed?
- Use the captured data to discuss the process in which ARP acquires the MAC address for the IP address 192.168.1.2.
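As an added example (not part of the lab) covering both the cache-refresh request described under "Refreshing the ARP cache" and the destination-MAC and Type-field questions just above, the following builds three Ethernet/ARP frames, a broadcast request for 192.168.1.2, the unicast reply, and a unicast refresh request, and decodes them field by field. The frames are constructed: net4's MAC address and the IP address paired with the refreshed entry are made up, while the two other MAC addresses are the ones quoted on the slides.

```python
import struct

# Added example (not from the lab): build and decode Ethernet/ARP frames so
# the destination MAC of a request, the Ethernet Type field and the unicast
# refresh request can be inspected byte by byte.  Frames are constructed;
# net4's MAC is made up, the other two MACs are the ones quoted on the slides.

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP, ETHERTYPE_IP = 0x0806, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"      # htype ptype hlen plen op sha spa tha tpa


def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(s): return bytes(map(int, s.split(".")))
def ip_str(b): return ".".join(map(str, b))


def build_arp(dst_mac, src_mac, op, sha, spa, tha, tpa):
    """Ethernet header (Type 0x0806) followed by a 28-byte ARP body."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, ETHERTYPE_IP, 6, 4, op, mac_bytes(sha),
                      ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_frame(frame):
    """Ethernet header, plus the ARP body when the Type field says 0x0806."""
    info = {"dst_mac": mac_str(frame[0:6]), "src_mac": mac_str(frame[6:12]),
            "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if info["ethertype"] == ETHERTYPE_ARP:
        _, _, _, _, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
        info.update(op=op, sender_mac=mac_str(sha), sender_ip=ip_str(spa),
                    target_mac=mac_str(tha), target_ip=ip_str(tpa))
        # the one-line summary Ethereal shows for the frame
        info["summary"] = (f"Who has {info['target_ip']}? Tell {info['sender_ip']}"
                           if op == ARP_REQUEST else
                           f"{info['sender_ip']} is-at {info['sender_mac']}")
    return info


def is_broadcast_request(info):
    """A cache miss is resolved by asking every station on the segment."""
    return info.get("op") == ARP_REQUEST and info["dst_mac"] == BROADCAST


def sample_exchange():
    net4_mac, net4_ip = "00:0a:0b:0c:0d:0e", "192.168.1.4"   # constructed
    net2_mac, net2_ip = "00:02:2d:0d:68:c1", "192.168.1.2"   # MAC from slide 22
    cached_mac = "00:02:83:39:2c:42"                         # MAC from slide 23
    frames = [
        # 1. cache miss: the request goes to the broadcast address
        build_arp(BROADCAST, net4_mac, ARP_REQUEST, net4_mac, net4_ip,
                  "00:00:00:00:00:00", net2_ip),
        # 2. the owner answers with a unicast reply
        build_arp(net4_mac, net2_mac, ARP_REPLY, net2_mac, net2_ip,
                  net4_mac, net4_ip),
        # 3. refresh of an entry still in the cache: request sent unicast
        #    (the IP address paired with cached_mac is assumed)
        build_arp(cached_mac, net4_mac, ARP_REQUEST, net4_mac, net4_ip,
                  cached_mac, "192.168.1.9"),
    ]
    return [parse_frame(f) for f in frames]


if __name__ == "__main__":
    for info in sample_exchange():
        print(f"{info['src_mac']} -> {info['dst_mac']} "
              f"type 0x{info['ethertype']:04x}  {info['summary']}")
```

The Type field is the same 0x0806 in all three frames; what distinguishes the first request from the third is only the destination MAC, which is why a station checking whether a request was broadcast or unicast has to look at the Ethernet header rather than the ARP body.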
Slide 25: Understanding ARP
- ARP requests for a non-real address
- Observe what happens when an ARP Request is issued for an IP address that does not exist.
- 1. Start capturing data with ethereal on net4.
- 2. Establish a Telnet session from net4 to 10.0.1.10 (note that this address does not exist on this network): telnet 10.0.1.10
- 3. Observe the time interval and the frequency with which net4 transmits ARP Request packets. Repeat the experiment a number of times to discover the pattern.
- 4. Save the captured output.
- Questions
- Using the saved output, describe the time interval between each ARP Request packet issued by net4. Describe the method used by ARP to determine the time between retransmissions of an unsuccessful ARP Request. Include relevant data to support your answer.
- Why are ARP Request packets not transmitted (i.e. not encapsulated) as IP packets? Explain your answer.
Slide 26: Understanding Netstat
- The command netstat displays information on the network configuration and activity of a system, including network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. The following exercise explores how to use the netstat command to extract different types of information about the network configuration of a host.
- Netstat has slightly different switches on Linux/Windows/Macs. In general, useful switches are -a, -e, -n, -r, -s. Read about and understand these usages.
- Exercise 6.
- On the netlab Linux node, try the different variations of the netstat command listed above and save the output to a file for your future reference.
- 1. Display information on the network interfaces by typing ????
- 2. Display the content of the IP routing table by typing ????
- 3. Display information on TCP and UDP ports that are currently in use by typing ????
- 4. Display the statistics of various networking protocols by typing ????
Slide 27: Understanding Netstat
- Questions
- Using the saved output, answer the following questions.
- What are the network interfaces of net4?
- How many IP datagrams, ICMP messages, UDP datagrams, and TCP segments has your machine transmitted and received since it was last rebooted?
- Show your machine's routing table. What do the columns in this table mean? Explain, based on this table, how your machine determines routing behavior.
- Explain the role of interface lo, the loopback interface.
- In the port table produced by netstat -a, pick one of the connections and explain it completely. What local program is using the port? What do "listening" and "established" mean?
Slide 28: Understanding ifconfig
- (Note, this is called ipconfig in the Windows world)
- USAGE
- ipconfig /? /all /release adapter /renew adapter
- /flushdns /registerdns
- /showclassid adapter
- Options
- /?            Display this help message.
- /all          Display full configuration information.
- /release      Release the IP address for the specified adapter.
- /renew        Renew the IP address for the specified adapter.
- /flushdns     Purges the DNS Resolver cache.
- /registerdns  Refreshes all DHCP leases and re-registers DNS names.
- /displaydns   Display the contents of the DNS Resolver Cache.
- /showclassid  Displays all the DHCP class IDs allowed for adapter.
Play with these; see what they do. Some may force a reboot.
Slide 29: Snooping Network Traffic
- Snoop passwords from a telnet session
- Capture traffic from a telnet session between two hosts.
- On net4, run the ethereal command and start it capturing.
- On net4, start up a telnet session to net3: telnet 192.168.1.3
- When net3 responds, try to log in with a username/password. As it turns out, there isn't really a telnet working, so your login request will fail. But that's just fine.
- Stop ethereal and look at the packets. Find the packets that have the username and password. What do they look like?
- In ethereal, there is a simple method to view the payload sent in a TCP connection. Simply select a packet that contains a TCP segment in the main window of ethereal, and then click on "Follow TCP Stream" in the "Tools" menu of the ethereal window. This will create a new window that displays only the payload of the selected TCP connection.
- Save the details of the packets which transmit the login name and password, i.e., select "Print details" in the Print window of ethereal. As a hint, you can set the display filter in ethereal to show only the desired packet(s).
- Questions
- Using the saved output, identify the port numbers of the telnet client and the telnet server.
- Identify the login name and the password, shown in plain text in the payload of the packets that you captured.
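To show what "Follow TCP Stream" is doing, here is an added example (not part of the lab) that reassembles each direction of a captured conversation by sequence number, discarding what a retransmission repeats and noting any gap, and then applies the check a detection rule would: a login prompt answered over port 23 means credentials crossed the wire unencrypted. The segments are constructed; the client side imitates telnet's habit of sending one keystroke per segment.

```python
# Added example (not from the lab): reassemble each direction of a captured
# TCP conversation the way "Follow TCP Stream" does (order payloads by
# sequence number, drop what a retransmission repeats, note any gap), then
# flag a session that carries a login exchange over an unencrypted protocol.
# Segments are constructed; telnet sends keystrokes one per segment.

TELNET_PORT = 23

# (sequence number, payload); deliberately out of order with one duplicate
CLIENT_SEGMENTS = [
    (1001, b"a"), (1003, b"i"), (1002, b"l"), (1004, b"c"), (1005, b"e"),
    (1006, b"\r\n"), (1003, b"i"),              # retransmitted keystroke
    (1008, b"secret\r\n"),
]
SERVER_SEGMENTS = [
    (5001, b"login: "), (5008, b"Password: "),
]


def reassemble(segments):
    """Return (payload, gaps): payload in sequence order, gaps as (from, to)."""
    out, gaps = bytearray(), []
    nxt = None
    for seq, data in sorted(segments):
        if nxt is None:
            nxt = seq
        if seq + len(data) <= nxt:
            continue                       # entirely old data: a retransmission
        if seq < nxt:
            data = data[nxt - seq:]        # partial overlap: keep the new tail
            seq = nxt
        elif seq > nxt:
            gaps.append((nxt, seq))        # bytes missing from the capture
        out += data
        nxt = seq + len(data)
    return bytes(out), gaps


def follow_stream(client_segments, server_segments):
    """Both directions of the conversation, as the Follow TCP Stream window shows."""
    client, _ = reassemble(client_segments)
    server, _ = reassemble(server_segments)
    return {"client": client, "server": server}


def cleartext_login(stream, server_port):
    """True when a login prompt was answered over a protocol with no encryption."""
    if server_port != TELNET_PORT:
        return False
    prompts = (b"login:", b"Password:")
    return any(p in stream["server"] for p in prompts) and len(stream["client"]) > 0


if __name__ == "__main__":
    stream = follow_stream(CLIENT_SEGMENTS, SERVER_SEGMENTS)
    print("server said:", stream["server"])
    print("client typed:", stream["client"])
    print("cleartext login over port 23:", cleartext_login(stream, TELNET_PORT))
```

The same reassembly applied to the ssh capture in the next section yields bytes with no readable prompt or reply in them, which is the contrast the two sections are set up to show.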
Slide 30: Snooping Network Traffic
- Snoop an ssh session
- SSH is supposedly secure. In this section you will determine if it is.
- Run ethereal on net4, and start to capture traffic.
- ssh from net4 to net3 and log in.
- Perform several simple commands that will produce packets traveling back and forth between net4 and net3.
- Save the ethereal output to a text file (using the Print Summary option).
- Questions
- Describe what you see with respect to username/password encryption. Explain the sequence of packets that accomplish this login.
- Describe what you see with respect to data transfer.
- Given enough data and knowing the data being sent, could you crack this encryption?