Source: medianets.hu/.../uploads/2017/11/CN_Lab-1-v1.1_EN.docx

Communication Networks Laboratory I/1 and I/2 The TCP/IP protocol stack

The TCP/IP protocol stack v1.0

Created by: Dr. Gábor Lencse, BME HIT, 2015.

Name and Neptun code: name, NEPTUN

Name of:

Room, workstation: I. B. 141/142, workstation

Date and time: 2017.

Filename: e.g. KH1-szdu001-1.docx

Filename format: KH1-<course><workstation>-<# laboratory>.docx


Task 1 – Basic usage of the Wireshark protocol analyzer

TODO:

Switch off IPv6 support. Open the Start menu / Control Panel / All Control Panel Items / Network and Sharing Center window, click on Local Area Connections, then on the Properties / Networking tab find "Internet Protocol Version 6 (TCP/IPv6)". Uncheck the checkbox, then click OK.

Start Wireshark (Start menu / Wireshark). In the Capture column of the start screen click "Capture Options". In the dialog window that opens, select the computer's physical interface (Local Area Connection) by checking its checkbox. Check that the settings match the setup shown below.

Start the capture by clicking on Start. During the capture, Wireshark continuously shows the captured packets in the packet list.

If not: in the View menu select Packet List and switch the feature on. Have a look at the main information presented in the columns: number, time, source/destination address (IPv4/IPv6 if present, otherwise the link layer (MAC) address), length, and other information (e.g., a summary of the higher layer information).

Start a Firefox browser window while keeping the capture running and download the page http://www.bme.hu. When the download has finished (there is no need to wait for all the images), stop the capture (the fourth button in the Wireshark toolbar: a red square).

Filter the required traffic. For this purpose, find out the IP address of the workstation. (In the following we mean IPv4; IPv6 will be touched on only in laboratory session #3.) Open a Windows Command Prompt and leave it open. Use the ipconfig command to find the workstation's IP address (Ethernet adapter Local Area Connection / IPv4 Address).

IP address of the workstation:

Find out the webserver's (www.bme.hu) IP address using the nslookup www.bme.hu command.

IP address of www.bme.hu:

Create a display filter that shows only the traffic between the workstation and the webserver!

The required display filter:

If the filter is right, the SYN segment appears as the first segment of the communication. (If not, try again to find an appropriate filter.)

Select this first element of the displayed packet list and check whether the details are shown in the window below the packet list. In case of problems: check the setting in the View menu, Packet Details. Analyze the packet details. Open the first row (by clicking its + mark), which holds the summary information.

Open the next row, the Ethernet header information, and find out the following details.

Value of the Type field:

Means the following protocol:

Select the Type field and check its value in hexadecimal format using the bytes window below. In case of problems: check the setting in the View menu, Packet Bytes. What is the byte order used to convey the information? (Note that this is the byte order of the TCP/IP world!)

Type of byte order:

Open the IP header and identify the fields. Find the hexadecimal value containing the Version and the Header Length. What is the relationship between the length of the header and the value of the appropriate bits?

Length of header:

The value stored in the appropriate bits:

The relationship between the two:

How could we find out the higher layer protocol encapsulated in the IP packet?

Name of field:

Value of field:

Meaning of the value:

Open the TCP header and have a look at the header fields. Find the source and destination port numbers and the value of the Maximum Segment Size (MSS).


Source port:

Destination port:

Options / Maximum segment size:

If you have any other observation, note here.

Any other observation:
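As an added illustration (not part of the worksheet), the following Python script decodes the same fields the questions above ask for, Ethernet Type, IP version/IHL, IP protocol, TCP ports and MSS, from two constructed frames: a TCP SYN with its options and an ICMP echo request. All MAC and IP addresses and option values are made up; the script goes slightly beyond this task by also reading the UDP ports, the ICMP type/code and the TCP window-scale option.

```python
import struct

# Constructed example, not the worksheet's own code: decodes the header fields Task 1 asks for.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
IP_PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_tcp(seg: bytes) -> dict:
    """Ports, sequence number, flags and the MSS / window-scale options of one TCP segment."""
    sport, dport, seq, ack, off_flags = struct.unpack(">HHIIH", seg[:14])
    header_len = (off_flags >> 12) * 4             # data offset is counted in 32-bit words
    res = {"tcp_sport": sport, "tcp_dport": dport, "tcp_seq": seq, "tcp_ack": ack,
           "tcp_flags": off_flags & 0x01FF, "tcp_mss": None, "tcp_wscale": None}
    opts, i = seg[20:header_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                              # End of Option List
            break
        if kind == 1:                              # NOP padding carries no length byte
            i += 1
            continue
        length = opts[i + 1]
        if length < 2:                             # malformed option: stop instead of looping forever
            break
        if kind == 2 and length == 4:              # Maximum Segment Size
            res["tcp_mss"] = struct.unpack(">H", opts[i + 2:i + 4])[0]
        elif kind == 3 and length == 3:            # Window Scale: the shift count used in Task 8
            res["tcp_wscale"] = opts[i + 2]
        i += length
    return res


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet II, IPv4 and the encapsulated TCP, UDP or ICMP header.
    Every multi-byte field is big-endian (network byte order), hence '>' in each struct format."""
    dst_mac, src_mac, eth_type = struct.unpack(">6s6sH", frame[:14])
    out = {"eth_dst": dst_mac.hex(":"), "eth_src": src_mac.hex(":"),
           "eth_type": eth_type, "eth_type_hex": frame[12:14].hex(),   # raw bytes as seen in Wireshark
           "eth_type_name": ETHERTYPES.get(eth_type, "unknown")}
    if eth_type != 0x0800:
        return out
    ip = frame[14:]
    out["ip_version"] = ip[0] >> 4                 # high nibble of the first header byte
    out["ip_ihl"] = ip[0] & 0x0F                   # low nibble: header length in 32-bit words
    out["ip_header_len"] = out["ip_ihl"] * 4       # 0x45 -> IHL 5 -> 20 bytes
    out["ip_ttl"] = ip[8]
    out["ip_proto"] = ip[9]                        # names the protocol carried in the payload
    out["ip_proto_name"] = IP_PROTOS.get(ip[9], "unknown")
    out["ip_src"] = ".".join(str(b) for b in ip[12:16])
    out["ip_dst"] = ".".join(str(b) for b in ip[16:20])
    payload = ip[out["ip_header_len"]:]
    if ip[9] == 6:
        out.update(parse_tcp(payload))
    elif ip[9] == 17:
        out["udp_sport"], out["udp_dport"] = struct.unpack(">HH", payload[:4])
    elif ip[9] == 1:
        out["icmp_type"], out["icmp_code"] = payload[0], payload[1]
    return out


def ipv4_header(proto: int, src: str, dst: str, total_len: int, ttl: int = 128) -> bytes:
    """20-byte IPv4 header for the samples below (checksum left at zero; parsing does not need it)."""
    def ip4(a): return bytes(int(x) for x in a.split("."))
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0, ip4(src), ip4(dst))


# Constructed sample frames: workstation 10.0.0.5 (08:00:27:aa:bb:cc) sending via its gateway's MAC
WS_MAC, GW_MAC = bytes.fromhex("080027aabbcc"), bytes.fromhex("0011223344ff")
SYN_OPTS = bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 8, 1, 1, 4, 2])   # MSS 1460, NOP, WS 8, NOP, NOP, SACK-OK
SYN_SEG = struct.pack(">HHIIHHHH", 49152, 80, 0x1A2B3C4D, 0, (8 << 12) | 0x002, 8192, 0, 0) + SYN_OPTS
SYN_FRAME = GW_MAC + WS_MAC + b"\x08\x00" + ipv4_header(6, "10.0.0.5", "192.0.2.80", 20 + len(SYN_SEG)) + SYN_SEG
ECHO_SEG = struct.pack(">BBHHH", 8, 0, 0, 1, 1) + b"abcdefgh"    # ICMP echo request, id 1, seq 1
ECHO_FRAME = GW_MAC + WS_MAC + b"\x08\x00" + ipv4_header(1, "10.0.0.5", "192.0.2.10", 20 + len(ECHO_SEG)) + ECHO_SEG

if __name__ == "__main__":
    print(parse_frame(SYN_FRAME))
    print(parse_frame(ECHO_FRAME))
```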

Remove the earlier display filter and use this one: ip.proto==17. What is the transport layer protocol in the packets listed by the above filter?

Name of the transport layer protocol:

Help: DNS is not a transport layer protocol; it belongs to the application layer. Note: which field of the IP header identifies the higher layer protocol?

Pick a packet encapsulating a DNS request message (use the Info field to identify the type of message).

Open the UDP header and find the destination port number:

Destination port:

If you have any other observation, note here.

Any other observation:

Note the difference between display and capture filters! Create a capture filter to capture only HTTP protocol messages. Use the capture filter tcp port http and download the http://dev.tilb.sze.hu website. (Second button, entitled "Show the capture options…", of the Wireshark toolbar, then double-click on the physical interface in the dialog window that appears.)

Can you see the captured packets? Help: if not, check whether the display filter for UDP packets has been removed.

Make a screenshot of the capture and paste it here:

If you have any other observation, note here.

Any other observation:

Do not forget to remove the capture filter after completing this task!


Task 2 – ICMP protocol

Note: ICMP is not a transport layer protocol, but it is also encapsulated in IP datagrams.

TODO:

What is the default gateway of your workstation's physical Ethernet interface? (Use ipconfig, Ethernet adapter Local Area Connection / Default Gateway.)

Default Gateway:

Start a Wireshark capture on the physical interface of the workstation and send one ICMP echo request message to the default gateway (ping -n 1 <IP address of the default gateway>)¹, and another one to frogstar.hit.bme.hu (ping -n 1 frogstar.hit.bme.hu), then stop the capture. Use an appropriate display filter to show only the ICMP messages.

Fill out the table below with names and/or hexadecimal values. Help: open the captured packets' Ethernet, IP and ICMP headers and check the relevant fields! Advice: do not type the values; use Wireshark's copy feature instead: right-click on the selected header field and use Copy with the appropriate option ("Value" in most cases).

                      Echo request #1 | Echo reply #1 | Echo request #2 | Echo reply #2
Ethernet  Source
          Destination
          Type
IP        Source
          Destination
          Protocol
ICMP      Type

Based on your observations, answer the following!

Where are the ICMP messages encapsulated?

ICMP messages are encapsulated in:

How do you know that it is an ICMP (and not a TCP or UDP) message?

ICMP protocol identifier in the IP header:

What identifies the kind of ICMP message?

The questioned field in the ICMP header:

¹ Note! The marks "<" and ">" enclose only textual notes; do not type them into the real commands!


The two pinged machines are different (their IP addresses differ), but the MAC addresses are the same. Why? Help: MAC and IP addresses belong to different layers of the TCP/IP stack!

The MAC addresses are the same because:

If you have any other observation, note here.

Any other observation:


Task 3 – ARP protocol, Part I.

ARP basic operation.

Reminder: the main task of ARP is the mapping between network layer IP addresses and link layer MAC addresses.

TODO:

Start a command prompt with administrator privileges (type cmd.exe into the Start menu search box, then right-click on the icon that appears and select "Run as administrator" from the menu).

Switch to drive D:, create a new folder and enter it. Create a batch file for the ping command called myping1.bat with the following content (it clears the ARP cache and sends one ICMP echo request to the computer given as the parameter):

arp -d *
ping -n 1 %1

Start a Wireshark capture on the workstation's physical Ethernet interface, then use myping1.bat to ping the default gateway. Stop the capture after the ping completes.

Find out the MAC address of the workstation’s physical Ethernet interface (ipconfig /all command, Ethernet adapter Local Area Connection / Physical Address).

MAC address:

Create a display filter which shows only packets with the above MAC address in the source or destination link layer address field.

Display filter:

Identify the ARP request and reply, examine their content, and fill out the table below with the Ethernet information. For MAC addresses write the whole 6-byte address, not the version with the vendor string. Type of frame: broadcast, multicast or unicast, based on the destination address. The Ethernet Type field should also be given in hexadecimal format.

              source MAC | destination MAC | type of frame | value of Type
ARP request
ARP reply

If everything is correct, the same value appears in the Type column for both message types. How do we know whether the ARP message is a request or a reply?

In which protocol can you find the questioned field?

Name of field:

Value of field in case of request:

Value of field in case of reply:

Analyze the other ARP fields! Write down the 4 fields following the Opcode field, as we will use them in the next task.


Name of field #1:

Name of field #2:

Name of field #3:

Name of field #4:

There is a value of 0 in one of the 4 fields in one of the 2 ARP messages. Which field and ARP message are we talking about?

Name of field:

ARP message:

If you have any other observation, note here.

Any other observation:

Have a look at the ARP cache table contents (arp -a), and find the entry for the default gateway. What is the type of this entry?

Type of entry:


Task 4 – ARP protocol, Part II.

IPv4 Address conflict detection.

TODO:

Set the IP address of the workstation to the following value: IP: 172.16.<# of workstation>.<# of workstation>, Subnet mask: 255.255.255.0. Help: Start menu / Control Panel / All Control Panel Items / Network and Sharing Center, then Local Area Connections / Properties / Networking tab. Here select Internet Protocol Version 4 (TCP/IPv4) and Properties, uncheck "Obtain an IP address automatically" and select "Use the following address". Before saving the new settings, start a Wireshark capture on the workstation's physical interface, and stop it after about 10 minutes. If you have to repeat this task, set a new IP value (add 100 to the # of workstation and use this new number; a third try can use the same value as the first).

Create a display filter (arp) so that only ARP messages are shown in Wireshark. How many ARP Probe messages do you see? What is the time interval between consecutive ARP Probes? How many seconds passed between the last ARP Probe and the ARP Announcement? What does Wireshark call the ARP Announcement message?

Number of ARP Probe messages:

Probe interval:

Time before ARP Announcement:

Wireshark name for ARP Announcement:

If you have any other observation, note here.

Any other observation:

The Internet is not available with these settings. However, do not modify the network setup, as we will use the current values as the initial state for the next task.
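The following Python script is an added example for Tasks 3 and 4 and is not part of the worksheet. It decodes the ARP fields after the Opcode, classifies the destination MAC as broadcast/multicast/unicast, tells a plain request apart from an ARP Probe (sender IP 0.0.0.0) and an ARP Announcement (sender IP equals target IP) as RFC 5227 defines them, and summarizes probe spacing over a constructed capture. All MACs, IP addresses and timestamps are made up.

```python
import struct
from typing import List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def frame_kind(dst_mac: str) -> str:
    """Broadcast / multicast / unicast, decided by the destination address alone."""
    if dst_mac == BROADCAST:
        return "broadcast"
    if int(dst_mac.split(":")[0], 16) & 0x01:      # I/G bit of the first byte set: group address
        return "multicast"
    return "unicast"


def parse_arp(pkt: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP packet (the 28 bytes after Ethernet type 0x0806)."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(">HHBBH6s4s6s4s", pkt[:28])
    def ip4(raw): return ".".join(str(b) for b in raw)
    return {"hw_type": htype, "proto_type": ptype, "hw_len": hlen, "proto_len": plen,
            "opcode": oper,                          # 1 = request, 2 = reply
            # the four fields after the Opcode, in the order the worksheet asks for them
            "sender_mac": sha.hex(":"), "sender_ip": ip4(spa),
            "target_mac": tha.hex(":"), "target_ip": ip4(tpa)}


def classify_arp(arp: dict) -> str:
    """Name the message the way IPv4 address conflict detection (RFC 5227) distinguishes them."""
    if arp["opcode"] == 2:
        return "reply"
    if arp["sender_ip"] == "0.0.0.0":               # Probe: asks about the address without claiming it
        return "probe"
    if arp["sender_ip"] == arp["target_ip"]:        # Announcement: the sender asks for its own address
        return "announcement"
    return "request"


def summarize_acd(capture: List[Tuple[float, bytes]]) -> dict:
    """Task 4 bookkeeping over (timestamp, ARP bytes) pairs: probe count, spacing, announce delay."""
    kinds = [(t, classify_arp(parse_arp(p))) for t, p in capture]
    probes = [t for t, k in kinds if k == "probe"]
    announce = [t for t, k in kinds if k == "announcement"]
    return {"probe_count": len(probes),
            "probe_intervals": [round(b - a, 3) for a, b in zip(probes, probes[1:])],
            "announce_delay": round(announce[0] - probes[-1], 3) if announce and probes else None}


def arp_pkt(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build a constructed ARP packet for the samples below."""
    def mac(m): return bytes.fromhex(m.replace(":", ""))
    def ip4(a): return bytes(int(x) for x in a.split("."))
    return struct.pack(">HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, mac(sha), ip4(spa), mac(tha), ip4(tpa))


# Constructed samples: workstation 08:00:27:aa:bb:cc asks for its gateway 10.0.0.1 (Task 3) ...
WS, GW = "08:00:27:aa:bb:cc", "00:11:22:33:44:ff"
REQUEST = arp_pkt(1, WS, "10.0.0.5", ZERO_MAC, "10.0.0.1")      # target MAC not yet known: all zero
REPLY = arp_pkt(2, GW, "10.0.0.1", WS, "10.0.0.5")              # answered by the gateway
# ... and a conflict-detection sequence after a manual address change (Task 4); timestamps made up
ACD_CAPTURE = [
    (0.000, arp_pkt(1, WS, "0.0.0.0", ZERO_MAC, "172.16.7.7")),
    (1.004, arp_pkt(1, WS, "0.0.0.0", ZERO_MAC, "172.16.7.7")),
    (2.001, arp_pkt(1, WS, "0.0.0.0", ZERO_MAC, "172.16.7.7")),
    (4.003, arp_pkt(1, WS, "172.16.7.7", ZERO_MAC, "172.16.7.7")),
]

if __name__ == "__main__":
    print(classify_arp(parse_arp(REQUEST)), parse_arp(REQUEST))
    print(summarize_acd(ACD_CAPTURE))
```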


Task 5 – DHCP protocol

Operation of DHCP in practice.

TODO:

Set the manual IP address setting back to DHCP. Help: in the above-mentioned dialog box deselect "Use the following address" and select "Obtain an IP address automatically". Before saving the new setup, start a Wireshark capture on the physical interface of the workstation, and stop it after about 10 minutes.

Create an appropriate display filter (bootp) to show only BOOTP messages. Then remove the display filter and show the same messages not with the built-in filter above but with a new one of your own. Try to come up with the shortest possible filter! Help: BOOTP messages are transmitted between UDP port numbers 67 and 68; other applications do not use these ports.

Own display filter:

Analyze the 4 messages used to acquire the IP address, and fill out the below table.

               source MAC | destination MAC | source IP | destination IP
DHCP Discover
DHCP Offer
DHCP Request
DHCP ACK

Think about the values and formulate statements on the main observations by answering the questions below!

At the time of sending a DHCP Discover message, what is the IP address of the workstation, and does it know where to send such a message?

Statements:

At the time of sending a DHCP Offer, does the offering server know the MAC address of the requester?

Statements:

At the time of sending a DHCP Request, is the workstation already allowed to use the offered address?

Statements:

If you have any other observation, note here.

Any other observation:

Have a look at the DHCP ACK message. What is the lease time value? What other identifiers were given by the server to the workstation?

Lease time:

Subnet mask:

Router IP address:

DNS server(s):

If you have any other observation, note here.

Any other observation:
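As an added example (not the worksheet's own code), the Python script below builds two constructed DHCP messages, a Discover and the server's ACK, and parses back the values the questions above ask for: message type, the client's address fields, lease time, subnet mask, router and DNS servers. Transaction ID, MAC and all addresses are made up.

```python
import struct
from ipaddress import IPv4Address

MSG_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 4: "Decline", 5: "ACK", 6: "NAK", 7: "Release"}
MAGIC = b"\x63\x82\x53\x63"          # cookie separating the fixed BOOTP part from the DHCP options
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
FIXED = ">BBBBIHH4s4s4s4s16s64s128s"


def build_dhcp(op: int, xid: int, ciaddr: str, yiaddr: str, chaddr: bytes, options) -> bytes:
    """Assemble a DHCP message (BOOTP fixed part + options) for the constructed samples below."""
    fixed = struct.pack(FIXED, op, 1, 6, 0, xid, 0, 0, IPv4Address(ciaddr).packed,
                        IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC + body + b"\xff"


def parse_dhcp(msg: bytes) -> dict:
    """Pull out the values Task 5 asks for: message type, addresses, lease time, mask, router, DNS."""
    op, htype, hlen, hops, xid, secs, flags, ci, yi, si, gi, chaddr = struct.unpack(">BBBBIHH4s4s4s4s16s", msg[:44])
    if msg[236:240] != MAGIC:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, 240
    while i < len(msg):
        code = msg[i]
        if code == 255:                            # End option
            break
        if code == 0:                              # Pad option has no length byte
            i += 1
            continue
        length = msg[i + 1]
        opts[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    def ips(raw): return [str(IPv4Address(raw[j:j + 4])) for j in range(0, len(raw), 4)]
    return {
        "xid": xid,
        "type": MSG_TYPES.get(opts[53][0], "unknown") if 53 in opts else "BOOTP",
        "client_mac": chaddr[:hlen].hex(":"),
        "ciaddr": str(IPv4Address(ci)),            # the client's current address (0.0.0.0 while it has none)
        "yiaddr": str(IPv4Address(yi)),            # "your" address: what the server offers / confirms
        "lease_time": struct.unpack(">I", opts[51])[0] if 51 in opts else None,
        "subnet_mask": str(IPv4Address(opts[1])) if 1 in opts else None,
        "routers": ips(opts[3]) if 3 in opts else [],
        "dns_servers": ips(opts[6]) if 6 in opts else [],
        "server_id": str(IPv4Address(opts[54])) if 54 in opts else None,
    }


# Constructed samples: a Discover from a workstation with no address yet, and the server's ACK
WS_MAC = bytes.fromhex("080027aabbcc")
XID = 0x3903F326
DISCOVER = build_dhcp(1, XID, "0.0.0.0", "0.0.0.0", WS_MAC,
                      [(53, b"\x01"), (61, b"\x01" + WS_MAC), (55, bytes([1, 3, 6, 51]))])
ACK = build_dhcp(2, XID, "0.0.0.0", "192.0.2.77", WS_MAC, [
    (53, b"\x05"),
    (54, IPv4Address("192.0.2.1").packed),         # server identifier
    (51, struct.pack(">I", 86400)),                # lease time in seconds (one day)
    (1, IPv4Address("255.255.255.0").packed),      # subnet mask
    (3, IPv4Address("192.0.2.1").packed),          # router (default gateway)
    (6, IPv4Address("192.0.2.53").packed + IPv4Address("192.0.2.54").packed),   # two DNS servers
])

if __name__ == "__main__":
    print(parse_dhcp(DISCOVER))
    print(parse_dhcp(ACK))
```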

Workstations renew their leases automatically. Now start a Wireshark capture on the physical interface of the workstation and initiate such a renewal with ipconfig /renew, then stop the capture after about 10 seconds. (Use the bootp filter.)

How many DHCP messages do you see? What kind of IP address was used by the client? Why? What was the destination address of the request?

Type of 1st DHCP message:

Type of 2nd DHCP message:

Client IP address:

Why can it use that address?

Destination IP address in the client's request:

Let's see how we can give our IP address back before the lease time expires. Start a Wireshark capture on the physical interface of the workstation and use ipconfig /release, then stop the capture after about 10 minutes. (Use the bootp filter.)

Check the command output. Does the workstation have a valid IP address?

Observations:

Have a look at the IP address of the workstation using the ipconfig command. What do you see? What kind of IP address is this?

Observations:

IP address value:

IP address type:

Have a look at the DHCP Release message. If you have any other observation, note here.

Any other observation:

Restore the Internet connection using ipconfig /renew.

IMPORTANT: You now have the basic knowledge of how to set up interfaces, use command line tools and the Wireshark protocol analyzer. In the next laboratory sessions there will be no such detailed instructions for such tasks; you should remember these basics.


Task 6 – TCP session creation and termination

Basic knowledge on TCP operation in practice.

TODO:

Start a Wireshark capture, open the http://dev.tilb.sze.hu website, wait for a minute, then stop the capture. (You can check the packets in the real-time packet list. Use Wireshark capture/display filters if needed!)

Identify the steps of the TCP three-way handshake! Which control bits are active during the procedure?

1st step (K-->S), active control bits:

2nd step (S-->K), active control bits:

3rd step (K-->S), active control bits:

Analyze the TCP header of the 3 segments! Log the real values of the sequence numbers in both directions! (Note that Wireshark displays so-called relative sequence numbers, but here we need the real values sent by the partners!)

Sequence number in the K-->S direction:

Sequence number in the S-->K direction:

Log the real values of sequence numbers in the ACKs in both directions!

The value of ACK for the K-->S direction (sent in the S-->K direction):

The value of ACK for the S-->K direction (sent in the K-->S direction):

Based on the above give a textual explanation of the ACK field!

A value of n in the ACK field means:

If you have any other observation, note here.

Any other observation:

Identify the steps of the four-way handshake! Which control bits are active in the different steps?

Active in the 1st step:

Active in the 2nd step:

Active in the 3rd step:

Active in the 4th step:

If you have any other observation, note here.

Any other observation:


Task 7 – Traceroute

Operation of the traceroute command in practice.

traceroute basics:

"Traceroute sends a sequence of User Datagram Protocol (UDP) packets addressed to a destination host. The time-to-live (TTL) value (hop limit) is used in determining the intermediate routers being traversed towards the destination. Routers decrement TTL values of packets by one when routing and discard packets whose TTL value has reached zero, returning the ICMP error message ICMP Time Exceeded." Read more at: https://en.wikipedia.org/wiki/Traceroute

Differences in Windows:

1. The program is called tracert.exe. (A reminder of the DOS era.)

2. It does not use UDP packets but relies on ICMP echo request messages.

TODO:

Start a Wireshark capture, then execute tracert frogstar.hit.bme.hu, analyze the command output, and finally stop the capture. Log the executed commands and their output!

Executed commands and their output:

Analyze the Wireshark capture! Find the first ICMP message sent by the local workstation towards frogstar.hit.bme.hu. Fill out the below table!

IP header fields:    Source | Destination | Protocol

ICMP header fields:  Type | Code | Identifier (Big Endian) | Sequence no. (Big Endian)

Find the error message caused by the above first ICMP echo request message! How do you know that it was caused by that echo request? Help: use the values of the above table!

The part used for the identification:

Find the last ICMP echo request message for which a "Time-to-live exceeded" answer was received! What is the value of the TTL field in its IP header?

IP TTL:

What is the value of the TTL field in the IP header in the next ICMP echo request message?

IP TTL:

What is the answer to that one sent by frogstar.hit.bme.hu?


ICMP Type:

What is the reason for this message?

Explanation:

Summarize how tracert uses the received ICMP messages during its operation.

Actions depending on the received ICMP message:

What is the maximal starting value of the TTL in IP? Help: the TTL field is 8 bits wide. Based on the tracert output, how many routers are traversed from the local workstation to frogstar.hit.bme.hu?

Maximal starting value of TTL:

The number of traversed routers:

Execute the ping frogstar.hit.bme.hu command, then log the command and the output!

Executed command and its output:

What TTL value does the ping command display for the returning message?

TTL value displayed by ping:

What is the relationship between the maximal starting TTL value, the number of traversed IP routers, and the TTL value displayed by ping? Explain!

Relationship and explanation:

If you have any other observation, note here.

Any other observation:

Let’s test another server. Use www.tilb.sze.hu as the target. Analyze the results of the tracert and ping commands.

Executed commands and their output:

Let's assume that the above relationship is still valid. What is the starting IP TTL value in the ICMP echo reply messages sent by www.tilb.sze.hu?

Starting value of IP TTL now:

Let's test www.inf.unideb.hu! What do you observe? What could be the reason? Extend the description of tracert operation!

Executed commands and their output:

Symptom and explanation:

The tracert command in absence of an answer:

Ends the operation if:

If you have any other observation, note here.

Any other observation:
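To make the TTL mechanics of Task 7 concrete, here is an added Python simulation (not from the worksheet) of tracert and ping over a constructed path of three routers. It models routers decrementing TTL and answering with ICMP Time Exceeded, the destination answering with an Echo Reply, a hop or destination that stays silent (tracert prints "*" and runs on to its hop limit), and the inference of the server's starting TTL from the TTL ping displays. All addresses and the assumed starting TTLs (64, 128, 255) are constructed values.

```python
from typing import List, Optional, Tuple

MAX_TTL = 255                         # the IP TTL field is 8 bits wide
TIME_EXCEEDED, ECHO_REPLY = 11, 0     # ICMP types tracert and ping look for


class Node:
    """A router or the destination host on a constructed path; answers=False models a silent hop."""
    def __init__(self, ip: str, answers: bool = True, initial_ttl: int = 64):
        self.ip, self.answers, self.initial_ttl = ip, answers, initial_ttl


def send_echo(ttl: int, routers: List[Node], dest: Node) -> Optional[Tuple[str, int, int]]:
    """Forward one echo request; return (responder ip, icmp type, ttl seen in the answer) or None."""
    for hop, router in enumerate(routers):
        ttl -= 1                                   # every router decrements the TTL by one
        if ttl == 0:                               # ... and discards the packet when it reaches zero
            if not router.answers:
                return None                        # no Time Exceeded comes back: tracert prints '*'
            return router.ip, TIME_EXCEEDED, router.initial_ttl - hop   # answer loses 1 per router back
    if not dest.answers:
        return None                                # destination drops echo requests (e.g. a firewall)
    # the reply starts at the destination's initial TTL and loses one per router on the way back
    return dest.ip, ECHO_REPLY, dest.initial_ttl - len(routers)


def tracert(routers: List[Node], dest: Node, max_hops: int = 30) -> List[Tuple[int, str, Optional[int]]]:
    """Windows tracert: echo requests with TTL 1, 2, 3 ... (one probe per hop here instead of three)."""
    rows = []
    for ttl in range(1, max_hops + 1):
        answer = send_echo(ttl, routers, dest)
        if answer is None:
            rows.append((ttl, "*", None))          # silent hop: print '*' and go on with the next TTL
            continue
        responder, icmp_type, _ = answer
        rows.append((ttl, responder, icmp_type))
        if icmp_type == ECHO_REPLY:                # destination reached: stop early
            break
    return rows                                    # otherwise the loop only ends at max_hops


def ping_reply_ttl(routers: List[Node], dest: Node) -> Optional[int]:
    """The 'TTL=' value ping prints: the destination's starting TTL minus the routers on the way back."""
    answer = send_echo(MAX_TTL, routers, dest)
    return None if answer is None else answer[2]


def guess_initial_ttl(observed_ttl: int) -> int:
    """Infer the sender's starting TTL from a reply, assuming the common defaults 64, 128 and 255."""
    return next(start for start in (64, 128, 255) if start >= observed_ttl)


def hops_from_ping(observed_ttl: int) -> int:
    """Number of routers between us and the server, derived from the reply TTL alone."""
    return guess_initial_ttl(observed_ttl) - observed_ttl


# Constructed path: three routers starting their own packets at TTL 255, then a server using 64
PATH = [Node("10.0.0.1", initial_ttl=255), Node("192.0.2.1", initial_ttl=255), Node("198.51.100.1", initial_ttl=255)]
SERVER = Node("203.0.113.10", initial_ttl=64)
SILENT = Node("203.0.113.99", answers=False)       # host whose firewall drops echo requests

if __name__ == "__main__":
    for row in tracert(PATH, SERVER):
        print(row)
    seen = ping_reply_ttl(PATH, SERVER)
    print("ping TTL:", seen, "-> starting TTL", guess_initial_ttl(seen), "-> routers:", hops_from_ping(seen))
```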


Task 8 – TCP window scaling

Practical examination of TCP window scaling mechanisms.

TODO:

Open http://dev.tilb.sze.hu/TCP/ in a web browser, start a Wireshark capture, then click on the file called 100MB. Download the file, wait for the complete download, then stop the Wireshark capture. (If the download lasts more than 1 minute, stop it and the capture after 1 minute.)

Find the segments of the three-way-handshake used for the TCP session creation, and determine the value of the window scaling factor for both directions.

                                           Field value (n) (shift count) | Multiplication value (2^n) (multiplier)
From the client to the server (download)
From the server to the client (upload)

Find a TCP segment using the tcp.window_size>70000 filter. Examine the real value of the Window field and the correctness of the calculation. (Open the TCP header and have a look at the hexadecimal value of the window size.)

Value of the Window field of the TCP header in hexadecimal format:

Decimal window size value displayed by Wireshark:

Window size calculated by Wireshark:

Is the calculation right?

If you have any other observation, note here.

Any other observation:


Task 9 – Determination of number of TCP sessions

A practical problem solving experience.

TODO:

Examine how many TCP sessions are opened by the Firefox, Google Chrome and Internet Explorer web browsers to download http://dev.tilb.sze.hu/tesztalbum/. Use Wireshark and try to solve the problem on your own! Create an appropriate display filter for the problem and fill out the table below! If you don't have the solution within 5 minutes, have a look at the Help below.

Display Filter:

                          Firefox | Google Chrome | Internet Explorer
Number of TCP sessions:

If you have any other observation, note here.

Any other observation:


Help: Imagine an unknown number of snakes chopped into several pieces and laid on the ground. The question: how many snakes were chopped? Think about that and don’t read further!

If the above help was not enough: the solution is to count the snake heads or tails! Now think further and come up with the solution for TCP sessions!
