
Page 1: Advanced TCP/IP LESSON 2 - Lamar University (galaxy.cs.lamar.edu/~fsun/cosc3301/images/TPD_Lesson2_WM.pdf)

Advanced TCP/IP

Overview

There is one primary set of protocols that runs networks and the Internet today. In this lesson, you will work with those protocols: the Transmission Control Protocol (TCP) and the Internet Protocol (IP). In order to manage the security of a network, you must become familiar with the details of how TCP/IP functions, including core concepts, such as addressing and subnetting, and advanced concepts, such as session establishment and packet analysis.

Objectives

To better understand advanced TCP/IP concepts, you will:

2A Define the core concepts of TCP/IP.

Given a machine running TCP/IP, you will define the core concepts of TCP/IP, including the layering models, RFCs, addressing and subnetting, VLSM and CIDR, and the TCP/IP suite.

2B Analyze sessions of TCP.

Given a Windows Server 2003 computer, you will examine control flags, sequence numbers, and acknowledgement numbers, and you will use Network Monitor to view and analyze all of the fields of the three-way handshake and session teardowns.

2C Analyze IP.

Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of IP.

2D Analyze ICMP.

Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of ICMP.

2E Analyze TCP.

Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of TCP.

2F Analyze UDP.

Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of UDP.

Data Files: tftp.cap, fragment.cap, ping.txt, ping.cap, ftp.txt, ftp.cap

Lesson Time: 6 hours

LESSON 2

Lesson 2: Advanced TCP/IP 31

DO NOT REPLICATE. Instructor Edition.


2G Analyze fragmentation.

Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze network traffic fragmentation.

2H Complete a full session analysis.

Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze a complete FTP session, frame by frame.

32 Tactical Perimeter Defense


Topic 2A: TCP/IP Concepts

In order for two hosts to communicate, there must first be an agreed-upon method of communication for both hosts to use. The protocol that the Internet was built on, and the protocol that all hosts on the Internet use, is TCP/IP, or Transmission Control Protocol/Internet Protocol. Because the two hosts agree on the protocol they will use, we can go right into the details of the protocol itself.

The TCP/IP Model

In order for data to move from one host to another, it must be transmitted and received. There are several ways this could happen, in theory.

• The data file could be sent as a whole file, intact, from one host to another.

• The data file could be split in half and sent, sending and receiving two equal-sized pieces.

• The data file could be split into many smaller pieces, all sent and received in a specific sequence.

It is this last method that is actually used. For example, if a user is at a host and wants to view a web page on a different host, the request and subsequent response will take many small steps to complete. In Figure 2-1, you can see the four layers of the TCP/IP Model, along with the browser’s request for a web page going to the web server.

Figure 2-1: A web request moving along the TCP/IP Model.

The four layers of the TCP/IP Model are:

• The Application Layer

• The Transport Layer

• The Internet Layer (also called the Network Layer)

• The Network Access Layer (also called the Link Layer)

Many of the concepts in this topic were covered in the prerequisite courses, but are provided here for review.

host: A single computer or workstation; it can be connected to a network.

server: A system that provides network service such as disk storage and file transfer, or a program that provides such a service. A kind of daemon that performs a service for the requester, which often runs on a computer other than the client machine.


The reason that there are alternate names for these layers is that the industry has never agreed on a single standard for the names. Each of these layers is detailed as follows:

• The Application Layer is the highest layer in the model, and communicates with the software that requires the network. In our example, the software is the web page request from a browser.

• The Transport Layer is where the reliability of the communication is dealt with. There are two protocols that work at this layer, TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). An immediate difference between the two is that TCP does provide for reliable delivery of data, whereas UDP provides no such guarantee.

• The Internet Layer (or Network Layer) provides the mechanism required to address and move the data from one host to the other. The primary protocol you will examine at this layer is IP (Internet Protocol).

• The Network Access Layer (or Link Layer) is where the data communication interacts with the physical medium of the network. This is the layer that does the actual sending and receiving of the data.

As you saw in Figure 2-1, as the web page request was initiated on the host, it moved down the layers, was transmitted across the network, and moved up the layers on the web server. These are the layers on which all network communication using TCP/IP is based. There is a different set of layers, however, called the OSI Model.

The OSI Model

The TCP/IP Model works well for TCP/IP communications, but there are many protocols and methods of communication other than TCP/IP. A standard was needed to encompass all of the communication protocols. The standard developed by the International Organization for Standardization (ISO) is called the OSI Model.

The Open Systems Interconnect (OSI) Model has seven layers, compared to the four layers of the TCP/IP Model. The seven layers of the OSI Model are:

• The Application Layer

• The Presentation Layer

• The Session Layer

• The Transport Layer

• The Network Layer

• The Data Link Layer

• The Physical Layer

network: Two or more machines interconnected for communications.

OSI: (Open Systems Interconnection) A set of internationally accepted and openly developed standards that meet the needs of network resource administration and integrated network components.


The names of these layers are fixed, as this is an agreed-upon standard. The details of each layer are as follows:

• The Application Layer is the highest layer of the OSI Model, and deals with interaction between the software and the network.

• The Presentation Layer is responsible for data services such as data compression and data encryption/decryption.

• The Session Layer is responsible for establishing, managing (such as packet size), and ending a session between two hosts.

• The Transport Layer is responsible for error control and data recovery between two hosts. Both TCP and UDP work at this layer.

• The Network Layer is responsible for logical addressing, routing, and forwarding of datagrams. IP works at this layer.

• The Data Link Layer is responsible for packaging data frames for transmission on the physical medium. Error control is added at this layer, often in the form of a Cyclic Redundancy Check (CRC). This layer is subdivided into the LLC (Logical Link Control) and MAC (Media Access Control) sublayers. The MAC sublayer is associated with the physical address of the network device, and the LLC sublayer makes the association between this physical address (such as the 48-bit MAC address if using Ethernet) and the logical address (such as the 32-bit IP address if using IP) at the Network Layer.

• The Physical Layer is responsible for the actual transmission and receipt of the data bit stream on the physical medium.

The OSI Model and the TCP/IP Model do fit together. In Figure 2-2, you can see that the two primary layers of concern in the TCP/IP Model (the Transport and Internet Layers) match directly with the Transport and Network Layers of the OSI Model, while the other two TCP/IP Model layers encompass two or more layers of the OSI Model.

Figure 2-2: A comparison of the OSI and TCP/IP Models.

As the data from one host flows down the layers of the model, each layer attaches a small piece of information relevant to that layer. This attachment is called the header. For example, the Network Layer header will identify the logical addresses (such as IP addresses) used for this transmission. This process of adding a header at each layer is called encapsulating. Figure 2-3 shows a visual representation of the header and the encapsulation process.

packet: A block of data sent over the network transmitting the identities of the sending and receiving stations, error-control information, and message.


Figure 2-3: Headers and the encapsulation process as data moves down the stack.

When the second host receives the data, and as the data moves up the layers, each header will let the host know how to handle this piece of data. After all the headers have been removed, the receiving host is left with the data as it was sent.

RFCs

With all the standards defined in the previous section, you may be asking where to go to find the standards. The answer is to the RFCs. A Request For Comments (RFC) is the industry location for standards relating to TCP/IP and the Internet. RFCs are freely available documents to read and study, and if you ever want to go directly to the source, be sure to use the RFC.

Although you will find RFCs listed all over the Internet, to view them all online go to: www.rfc-editor.org. This is the website with a searchable index of all RFCs. There are several RFCs you should be familiar with, and that you should know by name to look up. This way you will not have to search hundreds of responses to find what you need. The RFCs you should know are:

• The Internet Protocol (IP): RFC 791.

• The Internet Control Messaging Protocol (ICMP): RFC 792.

• The Transmission Control Protocol (TCP): RFC 793.

• The User Datagram Protocol (UDP): RFC 768.

The Function of IP

The Internet Protocol (which works at the Network Layer of both the OSI and the TCP/IP models), by definition, has a simple function. IP identifies the current host—via an address—and, using addressing, moves a packet of information from one host to another. Each host on the network has a unique IP address, and each packet the host sends will contain its own IP address and the IP address to which the packet is destined.

The packets are then directed, or routed, across the network, using the destination address, until they reach their final destination. The receiving host can read the IP address of the sender and send a response, if required.


Although it sounds straightforward, and does work, there are drawbacks. For instance, when packets are sent from one host to another, they may be received out of order. IP has no mechanism for dealing with that problem. Also, packets can get lost or corrupted during transmission, again a problem IP does not manage. These problems are left to an upper-layer protocol to manage. Often that protocol will be TCP, as you will see in the following topic.

Binary, Decimal, and Hexadecimal Conversions

Even though you may be familiar with the concept of binary math, you may wish to review this section briefly. In binary, each bit has the ability to be either a 1 or a 0. In computers, these bits are stored in groups of 8. Since each bit can be either a 1 or a 0, each location is designated a power of 2. A byte, therefore, has binary place values from 2^0 through 2^7. In Figure 2-4, you can see the value of each of the 8 bits in a byte.

When the bits are presented as a byte, the value of each of the 8 locations is added to present you with the decimal equivalent. For example, if all 8 bits were 1s, such as 11111111, then the decimal value would be 255, or 128+64+32+16+8+4+2+1. Here are a few other quick binary to decimal conversions:

Binary 11000000 is decimal 192 or 128+64+0+0+0+0+0+0

Binary 10000000 is decimal 128 or 128+0+0+0+0+0+0+0

Binary 10000010 is decimal 130 or 128+0+0+0+0+0+2+0

Binary 01011010 is decimal 90 or 0+64+0+16+8+0+2+0

The IP addresses that are either manually or dynamically assigned to a host are 32-bit fields, often shown as four decimal values for ease of reading. For example, a common address would be 192.168.10.1. Each number is an 8-bit binary value, or an octet. In this example, the first octet is 192, the second 168, the third 10, and the fourth 1.

Even though the fourth octet is given a decimal value of 1, it is still given an 8-bit value in IP addressing. Each bit of the 32-bit address must be represented, so the computer sees a decimal 1 in an IP address as 00000001. Keeping this in mind, the full decimal IP address of 192.168.10.1 is seen by the computer as the binary IP address 11000000.10101000.00001010.00000001.

In tools that are designed to capture and analyze network traffic, the IP address is often represented in its hexadecimal (Hex) format. The ability to view and recognize addressing in Hex format is a useful skill to have when you are working with TCP/IP. In hexadecimal format, the IP address 192.168.10.1 is C0-A8-0A-01. The following is a quick summary on Hex conversions.


To convert the decimal address 192.168.10.1 to hexadecimal, convert each of its octets, then combine the results, as follows:

1. Divide 192 by 16. The result is 12, with a remainder of 0. Because decimal 12 is the same as Hex C and decimal 0 is the same as Hex 0, decimal 192 is equal to Hex C0.

2. Divide 168 by 16. The result is 10, with a remainder of 8. Because decimal 10 is the same as Hex A and decimal 8 is the same as Hex 8, decimal 168 is equal to Hex A8.

3. Decimal 10 is the same as Hex A.

4. Decimal 1 is the same as Hex 1.

5. Combining the results of each conversion shows that decimal 192.168.10.1 is equal to Hex C0A80A01.

Another way to derive this result is to first convert from decimal to binary, then convert binary to hexadecimal four bits at a time, and finally, combine the results, as shown here:

1. Decimal 192 is the same as binary 11000000.

2. Decimal 168 is the same as binary 10101000.

3. Decimal 10 is the same as binary 00001010.

4. Decimal 1 is the same as binary 00000001.

5. Binary 1100 (the first four bits of the first octet) is the same as Hex C.

6. Binary 0000 is the same as Hex 0.

7. Binary 1010 is the same as Hex A.

8. Binary 1000 is the same as Hex 8.

9. Binary 0000 is the same as Hex 0.

10. Binary 1010 is the same as Hex A.

11. Binary 0000 is the same as Hex 0.

12. Binary 0001 is the same as Hex 1.

13. Combining the Hex equivalents shows that decimal 192.168.10.1 is equal to Hex C0A80A01.
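An added Python example (not part of the course text) that carries out both conversion methods above, per-octet divide-by-16 and binary nibbles to Hex digits, and also the reverse direction from the C0-A8-0A-01 form back to dotted decimal. All function names are my own.

```python
# Added example (not from the course text): IPv4 address conversions between
# dotted decimal, dotted binary and Hex, following the two methods in the
# lesson: divide each octet by 16, or convert binary to Hex four bits at a time.
# An octet is always written with all 8 bits, so decimal 1 becomes 00000001.

HEX_DIGITS = "0123456789ABCDEF"


def parse_dotted(addr):
    """Split '192.168.10.1' into four validated integer octets."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError("expected four octets: %r" % addr)
    octets = [int(p) for p in parts]
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError("octet out of range in %r" % addr)
    return octets


def octet_to_binary(octet):
    """8-bit string, most significant bit (2^7) first."""
    bits = ""
    for power in range(7, -1, -1):          # place values 2^7 ... 2^0
        bits += "1" if octet & (1 << power) else "0"
    return bits


def octet_to_hex(octet):
    """Method 1: divide by 16; quotient and remainder are the two Hex digits."""
    quotient, remainder = divmod(octet, 16)
    return HEX_DIGITS[quotient] + HEX_DIGITS[remainder]


def nibble_to_hex(nibble_bits):
    """Method 2: four binary digits map to one Hex digit (1100 -> C)."""
    if len(nibble_bits) != 4 or set(nibble_bits) - {"0", "1"}:
        raise ValueError("expected 4 binary digits: %r" % nibble_bits)
    return HEX_DIGITS[int(nibble_bits, 2)]


def to_dotted_binary(addr):
    """'192.168.10.1' -> '11000000.10101000.00001010.00000001'."""
    return ".".join(octet_to_binary(o) for o in parse_dotted(addr))


def to_hex(addr, sep="-"):
    """'192.168.10.1' -> 'C0-A8-0A-01' (sep='' gives the run-together C0A80A01)."""
    return sep.join(octet_to_hex(o) for o in parse_dotted(addr))


def to_hex_via_binary(addr, sep="-"):
    """Same result as to_hex(), but reached through the binary nibbles."""
    groups = []
    for octet_bits in to_dotted_binary(addr).split("."):
        groups.append(nibble_to_hex(octet_bits[:4]) + nibble_to_hex(octet_bits[4:]))
    return sep.join(groups)


def from_hex(hex_addr):
    """'C0-A8-0A-01' or 'C0A80A01' -> '192.168.10.1' (the reverse direction)."""
    digits = hex_addr.replace("-", "").replace(":", "").upper()
    if len(digits) != 8 or any(d not in HEX_DIGITS for d in digits):
        raise ValueError("expected 8 hex digits: %r" % hex_addr)
    return ".".join(str(int(digits[i:i + 2], 16)) for i in range(0, 8, 2))


def from_dotted_binary(bin_addr):
    """'11000000.10101000.00001010.00000001' -> '192.168.10.1'."""
    octets = bin_addr.split(".")
    if len(octets) != 4 or any(len(o) != 8 or set(o) - {"0", "1"} for o in octets):
        raise ValueError("expected four 8-bit groups: %r" % bin_addr)
    return ".".join(str(int(o, 2)) for o in octets)


if __name__ == "__main__":
    addr = "192.168.10.1"
    print(addr, "->", to_dotted_binary(addr))
    print(addr, "->", to_hex(addr), "or", to_hex_via_binary(addr, sep=""))
    print("C0-A8-0A-01 ->", from_hex("C0-A8-0A-01"))
```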

IP Address Classes

There are five defined classes of IP addresses: Class A, Class B, Class C, Class D, and Class E. The details of each class are as follows:

• Class A IP addresses use the first 8 bits of an IP address to define the network, and the remaining 24 bits to define the host. This means there can be more than 16 million hosts in each Class A network (2^24 – 2, because all 1s and all 0s cannot be used as host addresses). All Class A IP addresses will have a first octet of 0xxxxxxx in binary format. 10.10.10.10 is an example of a Class A IP address.

• Class B IP addresses use the first 16 bits to define the network, and the remaining 16 bits to define the host. This means there can be more than 65,000 hosts in each Class B network (2^16 – 2). All Class B IP addresses will have a first octet of 10xxxxxx in binary format. 172.16.31.200 is an example of a Class B IP address.

• Class C IP addresses use the first 24 bits to define the network, and the remaining 8 bits to define the host. This means there can be only 254 hosts in each Class C network (2^8 – 2). All Class C IP addresses will have a first octet of 110xxxxx in binary format. 192.168.10.1 is an example of a Class C IP address.

• Class D IP addressing is not used for hosts, but is often used for multicasting (which will be discussed later), where there is more than one recipient. The first-octet binary value of a Class D IP address is 1110xxxx. 224.0.0.9 is an example of a Class D IP address.

• Class E IP addressing is used for experimental functions and for future use. It does have a defined first-octet binary value as well. All Class E IP addresses have a first-octet binary value of 11110xxx. 241.1.2.3 is an example of a Class E IP address.

Figure 2-4: IP address classes and their first-octet values.

Private IP Addresses and Special-function IP Addresses

There are several ranges of IP addresses that are not used on the Internet. These addresses are known as private, or reserved, IP addresses. Defined in RFC 1918, any host on any network can use these addresses, but these addresses are not meant to be used on the Internet, and most routers will not forward them. By using these reserved IP addresses, organizations do not have to be as concerned with address conflicts. The defined private addresses for the three main address classes (A, B, and C) are:

• Class A: 10.0.0.0 to 10.255.255.255

• Class B: 172.16.0.0 to 172.31.255.255

• Class C: 192.168.0.0 to 192.168.255.255

In addition to the private address ranges listed, there are a few other address ranges that have other functions. The first is the range of 127.0.0.0 to 127.255.255.255. This address range is used for diagnostic purposes, with the common address of 127.0.0.1 used to identify IP on the host itself. The second range is 169.254.0.0 to 169.254.255.255. This address range is used by Microsoft to allocate addresses to hosts, for Automatic Private IP Addressing (APIPA).


The Subnet Mask

Along with an IP address, each host that uses TCP/IP has a subnet mask. The subnet mask is used during a process called ANDing to determine the network to which the host belongs. The way the mask identifies the network is by the number of bits allocated, or masked, for the network. A bit that is masked is identified with a binary value of 1.

By default, a Class A IP address has 8 bits masked to identify the network, a Class B IP address has 16 bits masked to identify the network, and a Class C IP address has 24 bits masked to identify the network. These default subnet masks use contiguous bits to create the full mask. The following table shows the default subnet masks for the three classes, first in binary, then in the more traditional dotted decimal format.

Default Subnet Masks

Class   Binary Format                          Dotted Decimal Format
A       11111111.00000000.00000000.00000000    255.0.0.0
B       11111111.11111111.00000000.00000000    255.255.0.0
C       11111111.11111111.11111111.00000000    255.255.255.0

The subnet mask can be represented in different formats. For example, one common format is to list the IP address followed by the full subnet mask, such as this: 192.168.10.1 255.255.255.0. Another option, and one that is easier to write, is to count and record the number of bits that are used as 1s in the subnet mask. For example, in the default subnet mask for Class C, there are 24 bits designated as 1. So, to use the second format, list the IP address followed by a slash and the number of bits masked, such as this: 192.168.10.1/24.

Subnetting Example

In the event that you need to split a network into more than one range, such as having different buildings or floors, you will need to subdivide the network. The following example will step you through the process of splitting a network and creating the subnet mask necessary to support the resulting subnetworks.

Let’s say you have been assigned the 10.0.0.0 network with the 255.0.0.0 subnet mask, and need to break this up into 12 network ranges to support, for example, the 12 major departments in your corporate building. Here’s what you should do:

1. Determine how many bits, in binary, it takes to make up the number of subnetworks you need to create. In binary, 12 is 1100, so you will need 4 bits.

2. Take 4 bits from the host side of the subnet mask and AND them to the network side, effectively changing your subnet mask from 255.0.0.0 to 255.240.0.0.

• As you know, the subnet mask tells you where the dividing line between network and host bits resides. You started with a network ID of 10.0.0.0 and subnet mask of 255.0.0.0, which in binary looks like this:

00001010.00000000.00000000.00000000 (IP address for network)

11111111.00000000.00000000.00000000 (subnet mask)

• Your dividing line is at the end of the first octet (eight bits starting from the left). You have one big network with a network ID of 10.0.0.0, a range of usable addresses from 10.0.0.1 to 10.255.255.254, and a broadcast address of 10.255.255.255.

• The new, divided network looks like this:

00001010.0000 0000.00000000.00000000 (IP address for network)

11111111.1111 0000.00000000.00000000 (subnet mask)

• Notice that the network/host dividing line is now in the middle of the second octet. All of your networks will have binary addresses that will look like this: 00001010.xxxx yyyy.yyyyyyyy.yyyyyyyy, where x represents one of the variable bits used to create your subnetworks and y represents a bit on the host side of the address.

3. Determine the subnetwork addresses by changing the value of the x bits. The first possible permutation is the 00001010.0000 network; the second is the 00001010.0001 network, and so forth. The following table lists all of the possible subnetwork addresses (notice the pattern?).

Subnetwork   Binary Address                          Decimal Address
First        00001010.0000 0000.00000000.00000000    10.0.0.0
Second       00001010.0001 0000.00000000.00000000    10.16.0.0
Third        00001010.0010 0000.00000000.00000000    10.32.0.0
Fourth       00001010.0011 0000.00000000.00000000    10.48.0.0
Fifth        00001010.0100 0000.00000000.00000000    10.64.0.0
Sixth        00001010.0101 0000.00000000.00000000    10.80.0.0
Seventh      00001010.0110 0000.00000000.00000000    10.96.0.0
Eighth       00001010.0111 0000.00000000.00000000    10.112.0.0
Ninth        00001010.1000 0000.00000000.00000000    10.128.0.0
Tenth        00001010.1001 0000.00000000.00000000    10.144.0.0
Eleventh     00001010.1010 0000.00000000.00000000    10.160.0.0
Twelfth      00001010.1011 0000.00000000.00000000    10.176.0.0
Thirteenth   00001010.1100 0000.00000000.00000000    10.192.0.0
Fourteenth   00001010.1101 0000.00000000.00000000    10.208.0.0
Fifteenth    00001010.1110 0000.00000000.00000000    10.224.0.0
Sixteenth    00001010.1111 0000.00000000.00000000    10.240.0.0

For the first network, the network ID is 10.0.0.0 with a subnet mask of 255.240.0.0. The first usable address is 10.0.0.1, and the last usable address is 10.15.255.254. The broadcast address is 10.15.255.255 (the next possible IP address would be 10.16.0.0, which is the network ID of the second network). The second network has an ID of 10.16.0.0, a usable range of 10.16.0.1 to 10.16.255.254, and a broadcast address of 10.16.255.255.

Notice that you needed only 12 networks, but you have 16. That can happen, depending on the number of networks needed. For example, if you had needed 20 networks, you would have needed to move the network/host dividing line over 5 bits to the right (20 in binary is 10100, so 5 bits must be used). In that case, you would have had a subnet mask of 255.248.0.0 (instead of the 255.240.0.0 that you used for the first example), which would have given you 32 subnetworks, even though you needed only 20. Consider it room for corporate growth!


Note that any combination of addressing can be represented in different text. For example, you may come across a resource that defines the IP address in decimal, and the subnet mask in hexadecimal. You must be able to quickly recognize the addressing as defined. Use the following task to test your ability to quickly perform these conversions.

TASK 2A-1: Layering and Address Conversions

1. Describe how layering is beneficial to the function of networking.

By using a layered model, network communications can be broken into smaller chunks. These smaller chunks can each have a specific purpose, or function, and in the event an error happens in one chunk, it is possible that only that error be addressed, instead of starting over from scratch.

2. If you have an IP address of 192.168.10.1 and a subnet mask of FF-FF-00-00, to which IP network does your computer belong? Provide both decimal and Hex notations.

In decimal, the network address is 192.168.0.0; in Hex, the network address is C0-A8-00-00.

3. If you have an IP address of C0-A8-0A-01 and a subnet mask of /16, to which IP network does your computer belong? Provide both decimal and Hex notations.

In decimal, the network address is 192.168.0.0; in Hex, the network address is C0-A8-00-00.

Routing

You will get into routing in more detail later, but at this stage, you will address the basics. Being familiar with a network and how one host will communicate with another host within the same network, what do you think will happen if a host needs to send information to a host that is not in its network?

This is exactly the situation where routing is needed. You need to route that information from your network to the receiving host’s network. Of course, the device that makes this possible is the router. The first router you will encounter on your way out of your network is the default gateway. This is the device that your computer will send all traffic to, once it determines that the destination host is not local (on the same network as itself). After the default gateway gets a packet of information destined for host User1 on network X, it looks at its routing table (think of this as a sort of directory—telling the router that traffic destined for networks C, G, F, and X should go out interface 1, traffic destined for networks E, A, B, and R should go out interface 2, and so forth), then the router forwards the packet out through interface 1. The destination network may or may not be attached to interface 1—the router doesn’t really care at this point—it just forwards the packet on according to the information in its routing table. This process repeats from one router to the next until the packet finally reaches the router that is attached to the same network as the destination host. When the packet reaches this router, which is usually also the destination host’s default gateway, it is sent out on the network as a unicast directed to the destination host User1.

router: An interconnection device that is similar to a bridge but serves packets or frames containing certain protocols. Routers link LANs at the Network Layer.
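An added example, not from the course text, that simulates the decisions just described on a small constructed topology using Python’s ipaddress module: the host’s ANDing test, hand-off to the default gateway, and each router’s table lookup, hop by hop. The addresses, tables and interface names are constructed for illustration; where more than one table entry covers a destination, the longest prefix is preferred, which is how real routers generalize the directory idea.

```python
import ipaddress

# Added example (not from the course text). Constructed topology: R1 is the
# departments' default gateway; R2 and R3 sit in front of the IT staff's
# VLSM subnets from the lesson (10.48.0.0/15, 10.50.0.0/15, 10.52.0.0/15).
# Each table row is (destination network, outgoing interface, next hop).
# A next hop of None means the network is attached to that interface, so the
# router delivers the packet as a unicast to the destination host itself.
ROUTERS = {
    "10.0.0.1": [                           # R1
        ("10.0.0.0/12", "eth0", None),
        ("10.16.0.0/12", "eth1", None),
        ("10.48.0.0/12", "eth2", "192.0.2.2"),
    ],
    "192.0.2.2": [                          # R2
        ("10.48.0.0/15", "eth1", None),
        ("10.50.0.0/15", "eth2", None),
        ("10.48.0.0/12", "eth3", "192.0.2.6"),   # less specific summary route
        ("0.0.0.0/0", "eth0", "10.0.0.1"),       # default route back to R1
    ],
    "192.0.2.6": [                          # R3
        ("10.52.0.0/15", "eth1", None),
        ("0.0.0.0/0", "eth0", "192.0.2.2"),
    ],
}

# A host in the first /12 subnet of the lesson's 10.0.0.0 example.
HOST = {"ip": "10.0.0.10", "mask": "255.240.0.0", "gateway": "10.0.0.1"}


def host_next_hop(host, dest_ip):
    """The host's own decision: ANDing says the destination is local, or not."""
    iface = ipaddress.ip_interface("%s/%s" % (host["ip"], host["mask"]))
    if ipaddress.ip_address(dest_ip) in iface.network:
        return "local", dest_ip             # deliver directly on this network
    return "gateway", host["gateway"]       # everything else goes to the gateway


def router_lookup(table, dest_ip):
    """Pick the table row for dest_ip; the longest prefix wins when several match."""
    dest = ipaddress.ip_address(dest_ip)
    best = None
    for network, interface, next_hop in table:
        net = ipaddress.ip_network(network)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, interface, next_hop)
    return best


def trace_path(host, dest_ip, routers=ROUTERS, max_hops=16):
    """Follow one packet hop by hop; returns a list of (who, address, action, next)."""
    kind, hop = host_next_hop(host, dest_ip)
    path = [("host", host["ip"], kind, hop)]
    if kind == "local":
        return path
    current = hop
    for _ in range(max_hops):
        entry = router_lookup(routers[current], dest_ip)
        if entry is None:                   # no matching route: the router discards it
            path.append(("router", current, "drop", None))
            return path
        _, interface, next_hop = entry
        if next_hop is None:                # attached network: unicast to the host
            path.append(("router", current, interface, dest_ip))
            return path
        path.append(("router", current, interface, next_hop))
        current = next_hop
    path.append(("router", current, "ttl-exceeded", None))  # hop limit reached
    return path


if __name__ == "__main__":
    for dest in ("10.5.5.5", "10.49.1.1", "10.52.0.7", "203.0.113.9", "10.60.1.1"):
        steps = trace_path(HOST, dest)
        print(dest, "->", " | ".join("%s %s: %s -> %s" % step for step in steps))
```

The last destination shows the failure mode of inconsistent tables: R2’s summary route sends 10.60.1.1 to R3, whose default route sends it straight back, and the packet circles until the hop limit, which is the loop an IP TTL exists to end.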

VLSM and CIDR

The standard methods of subnet masking discussed earlier are effective; however, there are instances where further subdividing is required, or more control of the addressing of the network is desired. In these cases, you can use either of the following two options: Variable Length Subnet Masking (VLSM) or Classless Interdomain Routing (CIDR).

Think back to the previous example of subnet masking. In particular, let’s take a closer look at the fourth network. It was intended to be used by the IT staff; however, they want to break the rather large network block given to them into smaller, more manageable blocks. Specifically, they need five smaller subnetworks to be created from their network block of 10.48.0.0 with a subnet mask of 255.240.0.0.

This time, let’s represent the IP addresses and subnet masks using the slashmethod: 10.48.0.0/12. Notice the IP address stays the same, but we replace thesubnet mask with /12 to tell others that the subnet mask has 12 1s in it (which, ofcourse, corresponds to 255.240.0.0).

Now, back to the IT staff’s networking issue. You have an already subnetted net-work (10.48.0.0/12) that you would like to split into five smaller networks. Tobegin, you need to ask the same starting question: How many bits does it take tomake 5? In binary, 5 is 101, so you will need three bits. Then, add three bits tothe present subnet mask (don’t worry that it has already been subnetted before—that doesn’t matter). So, now you have 10.48.0.0/15 as your first network addressand new subnet mask.

The new variable range is 00001010.0011xxx y.yyyyyyyy.yyyyyyyy, where thebinary numbers will not change, x represents the variable bits that will make upthe networks, and y designates the host bits.

So, what are the new network addresses?

Subnetwork Binary Address Decimal AddressFirst 00001010.0011000 0.00000000.00000000 10.48.0.0Second 00001010.0011001 0.00000000.00000000 10.50.0.0Third 00001010.0011010 0.00000000.00000000 10.52.0.0Fourth 00001010.0011011 0.00000000.00000000 10.54.0.0Fifth 00001010.0011100 0.00000000.00000000 10.56.0.0Sixth 00001010.0011101 0.00000000.00000000 10.58.0.0Seventh 00001010.0011110 0.00000000.00000000 10.60.0.0Eighth 00001010.0011111 0.00000000.00000000 10.62.0.0


For the first network, the network ID is 10.48.0.0, the usable addresses are 10.48.0.1 to 10.49.255.254, and the broadcast address is 10.49.255.255; for the second, the network ID is 10.50.0.0, the usable addresses are 10.50.0.1 to 10.51.255.254, and the broadcast address is 10.51.255.255, and so forth. Did you notice that you have eight possible networks when you needed only five? Again, you can consider it just having more room for expansion.
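
To check the walkthrough above, here is an added Python example (not from the course text) that reproduces the split of 10.48.0.0/12 into eight /15 subnets with the standard ipaddress module, lists network ID, usable range and broadcast for each, and also answers the "is the destination local or does it go to the default gateway?" question from the routing discussion. The function names bits_needed, split_block and needs_router are my own.

```python
import ipaddress
import math


def bits_needed(count: int) -> int:
    """Smallest number of extra mask bits that yields at least `count` subnets.

    The lesson asks "how many bits does it take to make 5?": 5 is 101 in
    binary, so three bits, which gives 2**3 = 8 subnets (room for expansion).
    """
    return max(1, math.ceil(math.log2(count)))


def to_binary(addr: ipaddress.IPv4Address) -> str:
    """Dotted binary form, as in the lesson's tables (e.g. 00001010.00110000.…)."""
    return ".".join(f"{octet:08b}" for octet in addr.packed)


def split_block(block: str, wanted: int) -> list:
    """Subdivide `block` (e.g. '10.48.0.0/12') into at least `wanted` equal subnets.

    Returns one dict per subnet with the fields the lesson walks through:
    network ID, first and last usable host, and broadcast address.
    """
    net = ipaddress.ip_network(block)
    rows = []
    for sub in net.subnets(prefixlen_diff=bits_needed(wanted)):
        rows.append({
            "network": str(sub),                          # e.g. 10.48.0.0/15
            "binary": to_binary(sub.network_address),
            "first_usable": str(sub.network_address + 1),
            "last_usable": str(sub.broadcast_address - 1),
            "broadcast": str(sub.broadcast_address),
        })
    return rows


def needs_router(host_ip: str, mask: str, dest_ip: str) -> bool:
    """True when `dest_ip` lies outside the host's own network, so the host
    must hand the packet to its default gateway instead of delivering it locally."""
    local_net = ipaddress.ip_interface(f"{host_ip}/{mask}").network
    return ipaddress.ip_address(dest_ip) not in local_net


if __name__ == "__main__":
    for row in split_block("10.48.0.0/12", 5):
        print(f"{row['binary']}  {row['network']:<14} usable {row['first_usable']} - "
              f"{row['last_usable']}  broadcast {row['broadcast']}")
    print("192.168.10.23 -> 192.168.11.23 needs a router:",
          needs_router("192.168.10.23", "255.255.255.0", "192.168.11.23"))
```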

X-casting

When a packet is sent from one host to another, the process of routing functions and the packet is sent as defined. However, the process is different if one host is trying to reach more than one destination, or if one message is to be received by every other host in the network. These types of communication are referred to as broadcasting, multicasting, and unicasting.

• Unicast is a term that was created after multicasting and broadcasting were already defined. A unicast is a directed communication between a single transmitter and a single receiver. This is how most communication between two hosts happens, with Host A specifically communicating with Host B.

• A broadcast is a communication that is sent out from a single transmitting host and is destined for all possible receivers on a segment (generally, everyone in the network, since the routers that direct traffic from one network to another are generally used to stop broadcasts, thereby creating broadcast domain boundaries). Broadcasting can be done for many reasons, such as locating another host. For a MAC broadcast, the broadcast address used is FF:FF:FF:FF:FF:FF. For an IP broadcast, the address used is based on the network settings. For example, if you are on network 192.168.10.0/24, the broadcast address is 192.168.10.255.

• A multicast is a communication that is sent out to a group of receivers on the network. Multicasting is often implemented as a means for directing traffic from the presenter of a video conference to the audience. In comparison to the broadcast, which all receivers on the segment will receive, those who wish to receive a multicast must join a group to do so. Group membership is often very dynamic and controlled by a user or an application. Currently, Class D addresses are used for multicasting purposes. Remember, Class D has IP addresses in the range of 224.0.0.0 to 239.255.255.255.

TASK 2A-2
Routers and Subnetting

1. You are using a host that has an IP address of 192.168.10.23 and a subnet mask of 255.255.255.0. You are trying to reach a host with the IP address 192.168.11.23. Will you need to go through a router? Explain your response.

Yes, you will need to go through a router. Your subnet mask defines you as belonging to network 192.168.10.0, and the remote host you are trying to reach does not belong to your network.

2. Boot your computer to Windows Server 2003, and log on as Administrator, with a blank (null) password.


3. Choose Start→Settings→Network Connections. Right-click the network interface and choose Properties.

4. Select Internet Protocol (TCP/IP) and click Properties.

5. Click the Advanced button, and verify that the IP Settings tab is displayed.

Under Default Gateways, record the IP address here:

For the LEFT side of the classroom, the Default Gateway is 172.16.0.1. For the RIGHT side, it is 172.18.0.1.

6. Select the Default Gateway IP address you just recorded, and click Remove. Click OK twice and click Close twice.

7. Open a command prompt and ping an address that is not on your local network. For instance, if you are on the LEFT side of the classroom, you could ping an address in the 172.18.10.0 network, and if you are on the RIGHT side of the classroom, you could ping an address in the 172.16.10.0 network.

8. Observe the message you receive. The text "Destination Host unreachable" is displayed. Your computer knows that the ping packet is supposed to go to a computer that is outside your local network, but it does not know how to get it there.

9. Switch to the Network Connections Control Panel and display the properties of the network interface.

10. Select Internet Protocol (TCP/IP), click Properties, and then click Advanced. On the IP Settings tab, click the Add button found in the Default Gateway area.

11. In the TCP/IP Gateway Address box, enter the IP address you recorded earlier in the task and click Add. Click OK twice and click Close twice.

12. Switch back to the command prompt and try to ping the remote address again.

13. Observe the message you receive. This time, as long as the other computer's default gateway is correctly configured, you should be successful in pinging the remote computer. This is because your computer now knows to send traffic to the router if that traffic is destined for another network. (How the routers know where to send the traffic is covered later in the course.) Contact your instructor if your ping attempt is not successful.

14. Close all open windows.

Be prepared to diagram or otherwise explain the classroom setup.

The recommended classroom layout is shown in the figure in the setup.

Students must be able to ping all computers within the classroom for the remaining tasks to work properly. If any students are not successful in the second ping attempt, help them troubleshoot the issue.


Topic 2B
Analyzing the Three-way Handshake

Although a great deal of emphasis is given to IP due to the addressing and masking issues, TCP deserves equal attention from the security professional. In addition to TCP, the other protocol that functions as a transport protocol is UDP. This topic will concentrate on TCP; however, a brief discussion on UDP is warranted. The following table provides a brief comparison of the two protocols.

Comparing TCP and UDP

TCP                     UDP
Connection-oriented     Connectionless
Slower communications   Faster communications
Considered reliable     Considered unreliable
Transport Layer         Transport Layer

TCP provides a connection-oriented means of communication, whereas UDP provides connectionless communication. The connection-oriented function of TCP means it can ensure reliable transmission, and can recover if transmission errors occur. The connectionless function of UDP means that packets are sent with the understanding they will make it to the other host, with no means of ensuring the reliability of the transmission.

UDP is considered faster because less work is done between the two hosts that are communicating. Host 1 simply sends a packet to the address of host 2. There is nothing built into UDP to provide for host 1 checking to see if host 2 received the packet, or for host 2 sending a message back to host 1, acknowledging receipt.

TCP provides the functions of connection-oriented communication by using features such as the three-way handshake, acknowledgements, and sequence numbers. In addition to these features, a significant part of TCP is the use of control flags. There are six TCP control flags in a TCP header, each with a specific meaning.

security: A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences.


TCP Flags

The TCP flags are: SYN, ACK, FIN, RESET, PUSH, and URGENT. These flags may also be identified as S, ack, F, R, P, and urg. Each of these flags occupies the space of one bit in the header, and if they are assigned a value of 1, they are considered on. The function of each flag is identified as follows:

• The SYN, or S, flag represents the first part of establishing a connection. The synchronizing of communication will generally be in the first packet of communication.

• The ACK, or ack, flag represents acknowledgement of receipt of data from the sending host. This is sent during the second part of establishing a connection, in response to the sending host's SYN request.

• The FIN, or F, flag represents the sender's intentions of terminating the communication in what is known as a graceful manner.

• The RESET, or R, flag represents the sender's intentions to reset the communication.

• The PUSH, or P, flag is used when the sending host requires data to be pushed directly to the receiving application, and not fill in a buffer.

• The URGENT, or urg, flag represents that this data should take precedence over other data transmissions.

Sequence and Acknowledgement Numbers

In addition to the TCP flags, another critical issue of TCP is that of numbers: sequence and acknowledgement numbers, to be specific. Because TCP has been defined as a reliable protocol that has the ability to provide for connection-oriented communication, there must be a mechanism to provide these features. Sequence and acknowledgement numbers are what provide this.

Sequence Numbers

The sequence number is found in the TCP header of each TCP packet and is a 32-bit value. These numbers allow the two hosts a common ground for communication, and allow for the hosts to identify packets sent and received. If a large web page requires several TCP packets for transmission, sequence numbers are used by the receiving host to reassemble the packets in the proper order and provide the full web page for viewing.

When a host sends the request to initiate a new connection, an Initial Sequence Number (ISN) must be chosen. There are different algorithms by different vendors for the choosing of an ISN; however, RFC 793 states that the ISN is to be a 32-bit number that increments by one every 4 microseconds.

Acknowledgement Numbers

The acknowledgement number is also found in the TCP header of each TCP packet, and is also a 32-bit value. These numbers allow the two hosts to be given a receipt of data delivery. An acknowledgement number is in the packet header in response to a sequence number in the sending packet.

In the event that the sending host does not receive an acknowledgement for a transmitted packet in the defined timeframe, the sender will retransmit the packet. This is how TCP provides reliable delivery. If a packet seems to have been lost, the sender will retransmit it.
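
The flags, ports and 32-bit sequence and acknowledgement numbers described above all live at fixed offsets in the 20-byte TCP header, which is what a capture tool's hex pane shows you. The following is an added Python example (not from the course or from Network Monitor) that decodes such a header from raw bytes and names the flags the way the lesson does; the sample SYN header and the helper names are constructed for this example.

```python
import struct

# The six control bits, lowest to highest, in the 14th header byte.
# Lesson naming: FIN/F, SYN/S, RESET/R, PUSH/P, ACK/ack, URGENT/urg.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "ack": 0x10, "urg": 0x20}

# Constructed sample: the first segment of a handshake from port 50000 to port 80,
# ISN 0x1a2b3c4d, header length 5 words, only SYN set. Laid out as a hex pane
# shows it: ports (2+2), seq (4), ack (4), offset+flags (2), window (2),
# checksum (2), urgent pointer (2).
SAMPLE_SYN = bytes.fromhex(
    "c350 0050"            # source port 50000, destination port 80
    "1a2b 3c4d"            # sequence number (ISN x)
    "0000 0000"            # acknowledgement number (none yet, ACK flag off)
    "5002"                 # data offset 5 (20 bytes), flags 0x02 = SYN
    "ffff 0000 0000"       # window, checksum (left 0 in this sample), urgent pointer
)


def parse_tcp_header(raw: bytes) -> dict:
    """Decode the fixed 20-byte TCP header and list the flags that are on."""
    if len(raw) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    (src_port, dst_port, seq, ack, offset_flags,
     window, checksum, urgent_ptr) = struct.unpack("!HHIIHHHH", raw[:20])
    header_len = (offset_flags >> 12) * 4      # data offset counts 32-bit words
    bits = offset_flags & 0x3F                  # the six control flags
    return {
        "src_port": src_port,
        "dst_port": dst_port,
        "seq": seq,
        "ack": ack,
        "header_len": header_len,
        "flags": [name for name, bit in FLAG_BITS.items() if bits & bit],
        "window": window,
        "checksum": checksum,
        "urgent_ptr": urgent_ptr,
    }


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535) -> bytes:
    """Build a 20-byte header for test traffic (no options, checksum left at 0)."""
    bits = 0
    for name in flags:
        bits |= FLAG_BITS[name]
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       (5 << 12) | bits, window, 0, 0)


def describe(raw: bytes) -> str:
    """One-line summary in the style of a capture tool's summary pane."""
    h = parse_tcp_header(raw)
    return (f"{h['src_port']} -> {h['dst_port']} [{' '.join(h['flags']) or 'none'}] "
            f"seq={h['seq']} ack={h['ack']} hdrlen={h['header_len']}")


if __name__ == "__main__":
    print(describe(SAMPLE_SYN))
    # The reply the lesson describes: SYN and ACK set, ack = x + 1 (y is constructed).
    syn_ack = build_tcp_header(80, 50000, 0x7e57, 0x1a2b3c4d + 1, ["S", "ack"])
    print(describe(syn_ack))
```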


Connections

All communication in TCP/IP is done with connections between two hosts. Each connection is opened (or established), data is sent, and the connection is closed (or torn down). These connections have very specific rules they must follow. There are two different states of the open portion of this process: Passive Open and Active Open.

• Passive Open is when a running application tells TCP that it is ready to receive inbound requests via TCP. The application is assuming inbound requests are coming, and is prepared to serve those requests. This is also known as the listening state, as the application is listening for requests to communicate.

• Active Open is when a running application tells TCP to start a communication session with a remote host (which is in Passive Open state). It is possible for two hosts in Active Open to begin communication. It is not a requirement that the remote host be in Passive Open, but that is the most common scenario.

Connection Establishment

In order for the sequence and acknowledgement numbers to have any function, a session between the two hosts must be established. This connection establishment is called the three-way handshake. The three-way handshake involves three distinct steps, which are detailed as follows (please refer to Figure 2-5 when reading this section):

1. Host A sends a segment to Host C with the following:

SYN = 1 (The session is being synchronized.)

ACK = 0 (There is no value in the ACK field, so this flag is a 0.)

Sequence Number = x, where x is a variable. (x is Host A’s ISN.)

Acknowledgement Number = 0

2. Host C receives Host A's segment and responds to Host A with the following:

SYN = 1 (The session is still being synchronized.)

ACK = 1 (The acknowledgement flag is now set, as there is an ack value in this segment.)

Sequence Number = y, where y is a variable. (y is Host C's ISN.)

Acknowledgement Number = x + 1 (The sequence number from Host A, plus 1.)

3. Host A receives Host C's segment and responds to Host C with the following:

SYN = 0 (Session is synchronized with this segment; further requests are not needed.)

ACK = 1 (The ack flag is set in response to the SYN from the previous segment.)

Sequence Number = x + 1 (This is the next sequence number in series.)

Acknowledgement Number = y + 1 (The sequence number from Host C, plus 1.)

At this point, the hosts are synchronized and the session is established in both directions, with data transfer to follow.


Figure 2-5: The three-way handshake.

Connection Termination

In addition to specific steps that are involved in the establishment of a session between two hosts, there are equally specific steps in the termination of the session. There are two methods of ending a session using TCP. One is considered graceful, and the other is non-graceful.

A graceful shutdown happens when one host sends a message (using the FIN flag) to the other, stating it is time to end the session; the other acknowledges; and they both end the session. A non-graceful shutdown happens when one host simply sends a message (using the RESET flag) to the other, indicating the communication has stopped, with no acknowledgements and no further messages sent. In this section, we will investigate the details of the standard graceful termination.

As you saw earlier, it requires three segments to establish a TCP session between two hosts. The other side of the session, the graceful termination, requires four segments. Four segments are required because TCP is a full-duplex communication protocol (meaning data can be flowing in both directions independently). As per the specifications of TCP, either end of a communication can end the session by sending a FIN, which has a sequence number just as a SYN has a sequence number.

Similar to the Active and Passive Opens mentioned earlier, there are also Active and Passive Closes. The host that begins the termination sequence, by sending the first FIN, is the host performing the Active Close. The host that receives the first FIN is the host that is performing the Passive Close. The graceful teardown of a session is detailed as follows (please refer to Figure 2-6 when reading this section):

1. Host A initiates the session termination to Host C with the following:

FIN = 1 (The session is being terminated.)

ACK = 1 (There is an ack number, based on current communication.)

Sequence Number (FIN number) = s (s is a variable based on the current communication.)

Acknowledgement Number = p (p is a variable based on the current communication.)

2. Host C receives Host A's segment and replies with the following:

FIN = 0 (This segment is not requesting closure of the session.)

ACK = 1 (This segment does contain an ack number.)

Sequence Number = Not Present (As there is no FIN, there is no sequence number required.)


Acknowledgement Number = s + 1 (This is the response to Host A's FIN.)

3. Host C initiates the session termination in the opposite direction with the following:

FIN = 1 (The session is being terminated.)

ACK = 1 (There is an ack number.)

Sequence Number = p (p is a variable based on the current communication.)

Acknowledgement Number = s + 1 (This is the same as in the previous segment.)

4. Host A receives the segments from Host C and replies with the following:

FIN = 0 (This segment does not request a termination; no FIN is set.)

ACK = 1 (This segment does contain an ack number.)

Sequence Number = Not Present

Acknowledgement Number = p + 1 (This is Host C's sequence number, plus 1.)

At this point the session has been terminated. Communication in both directions has had a FIN requested and an acknowledgement to the FIN, closing the session.

Figure 2-6: Connection termination.
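
The handshake of Figure 2-5 and the graceful close of Figure 2-6, as an added Python example that is not part of the course: a small connection tracker, keyed on the socket pair, that replays the segments step by step, checks the seq/ack arithmetic the lesson describes (SYN/ACK must acknowledge x+1, the third segment carries seq x+1 and ack y+1, each FIN is acknowledged with its sequence number plus 1), and distinguishes a graceful close from a RESET. The ConnectionTracker class, the socket pair 10.0.0.1:51000 / 10.0.0.2:80 and the values chosen for x, y, s and p are my own constructions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    src: str            # "ip:port" of the sender
    dst: str            # "ip:port" of the receiver
    seq: int
    ack: int
    flags: frozenset    # subset of {"S", "ack", "F", "R", "P", "urg"}

class ConnectionTracker:
    """One TCP session per socket pair, checked against the seq/ack rules of
    Figures 2-5 and 2-6: SYN/ACK acks x+1, the third segment is seq x+1/ack
    y+1, and every FIN is acknowledged with its sequence number plus 1."""

    def __init__(self):
        self.conns = {}     # (initiator, responder) -> connection record
        self.log = []

    def _key(self, seg):
        for k in ((seg.src, seg.dst), (seg.dst, seg.src)):
            if k in self.conns:
                return k
        return None

    def _note(self, seg, msg):
        self.log.append(f"{seg.src} -> {seg.dst}: {msg}")
        return self.log[-1]

    def feed(self, seg):
        key = self._key(seg)
        if key is None:
            if seg.flags != {"S"}:
                return self._note(seg, "ignored: no tracked connection for this socket pair")
            self.conns[(seg.src, seg.dst)] = {"state": "SYN_SENT", "fin": {},
                                              "isn": {seg.src: seg.seq}, "fin_acked": set()}
            return self._note(seg, f"SYN, ISN x={seg.seq}")          # Active Open
        c, (initiator, responder) = self.conns[key], key
        if "R" in seg.flags:                           # non-graceful close
            c["state"] = "RESET"
            return self._note(seg, "RESET: torn down with no acknowledgement")
        if c["state"] == "SYN_SENT" and seg.src == responder and seg.flags == {"S", "ack"}:
            x = c["isn"][initiator]
            if seg.ack != x + 1:
                c["state"] = "INVALID"
                return self._note(seg, f"SYN/ACK acks {seg.ack}, expected x+1={x + 1}")
            c["isn"][responder], c["state"] = seg.seq, "SYN_RECEIVED"
            return self._note(seg, f"SYN/ACK, ISN y={seg.seq}, ack=x+1")
        if c["state"] == "SYN_RECEIVED" and seg.src == initiator and seg.flags == {"ack"}:
            x, y = c["isn"][initiator], c["isn"][responder]
            if (seg.seq, seg.ack) != (x + 1, y + 1):
                c["state"] = "INVALID"
                return self._note(seg, "third segment must carry seq=x+1 and ack=y+1")
            c["state"] = "ESTABLISHED"
            return self._note(seg, "ACK: handshake complete, ESTABLISHED")
        if c["state"] == "ESTABLISHED" and "F" not in seg.flags:
            return self._note(seg, "data segment")
        if c["state"] not in ("ESTABLISHED", "CLOSING"):
            return self._note(seg, f"unexpected segment in state {c['state']}")
        note = "ACK"
        if "F" in seg.flags:                           # Active or Passive Close
            c["fin"][seg.src], c["state"] = seg.seq, "CLOSING"
            note = f"FIN seq={seg.seq}"
        peer = seg.dst                                 # does it ack the peer's FIN?
        if "ack" in seg.flags and peer in c["fin"] and seg.ack == c["fin"][peer] + 1:
            c["fin_acked"].add(peer)
            note += f", acknowledges the FIN from {peer}"
        if len(c["fin_acked"]) == 2:                   # both directions closed
            c["state"] = "CLOSED"
            note += "; both FINs acknowledged, CLOSED (graceful)"
        return self._note(seg, note)

A, C = "10.0.0.1:51000", "10.0.0.2:80"   # constructed: Host A (client), Host C (server)

def seg(src, dst, seq, ack, *flags):
    return Segment(src, dst, seq, ack, frozenset(flags))

def handshake(x, y):
    """Figure 2-5: SYN seq=x; SYN/ACK seq=y ack=x+1; ACK seq=x+1 ack=y+1."""
    return (seg(A, C, x, 0, "S"), seg(C, A, y, x + 1, "S", "ack"),
            seg(A, C, x + 1, y + 1, "ack"))

def graceful_close(s, p):
    """Figure 2-6: FIN seq=s ack=p; ACK s+1; FIN seq=p ack=s+1; ACK p+1."""
    return (seg(A, C, s, p, "F", "ack"), seg(C, A, p, s + 1, "ack"),
            seg(C, A, p, s + 1, "F", "ack"), seg(A, C, s + 1, p + 1, "ack"))

def replay(*segments):
    """Feed segments to a fresh tracker; returns it with its log and states."""
    t = ConnectionTracker()
    for segment in segments:
        t.feed(segment)
    return t

if __name__ == "__main__":
    for line in replay(*handshake(1000, 5000), *graceful_close(1500, 5300)).log:
        print(line)
```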

Ports

You have been introduced to the fact that IP deals with addressing and the sending/receiving of data between two hosts, and you have been introduced to the fact that TCP can be selected to provide reliable delivery of data. However, if a client sends a request to a server that is running many services, such as WWW, NNTP, SMTP, and FTP, how does the server know which application is supposed to receive the request? The answer is by specifying ports.


Port numbers are located in the TCP or UDP header, and they are 16-bit values, ranging from 0 to 65535. Port numbers can be assigned to specific functions or applications. Ports can also be left open for dynamic use by two hosts during communication. There are ranges of ports for each function. There are three main categories of ports: well-known, registered, and dynamic.

• The well-known ports (also called reserved ports by some) are those in the range of 0 to 1023. These port numbers are assigned to specific applications and need to remain constant for the primary services of the Internet to continue to provide the flexibility and usefulness it does today. For example, the WWW service is port 80, the Telnet service is port 23, the SMTP service is port 25, and so on. The well-known port list is maintained by the Internet Assigned Numbers Authority (IANA), and can be found here: www.iana.org/assignments/port-numbers.

• Registered ports are those in the range of 1024 to 49151. These port numbers can be registered to a specific function, but are not defined or controlled by a governing body, so multiple functions could end up using the same port.

• Dynamic ports (also called private ports) are those from 49152 to 65535. Any user of the Internet can use dynamic ports.

When a client connects to a server and requests a resource, that client also requires a port. The client ports (also called ephemeral ports by some) are used by a client during one specific connection; each subsequent connection will use a different port number. These ports are not assigned to any default service, and are usually a number greater than 1023. There is no defined range for client ports; they can cover the numbers of both the registered and dynamic port ranges. When a client begins a session by requesting a service from a server, such as the WWW service on port 80, the client uses an ephemeral port on the client side. This enables the server to respond to the client. Data is then exchanged between the two hosts using the port numbers established for that session: 80 on the server side, and a dynamic number greater than 1023 on the client side. The combination of the IP address and port is often referred to as a socket, and the two hosts together are using a socket pair to communicate for this session.

The following table lists some of the well-known ports and their associated services.

Some Well-known Ports and their Services

Port        Service
23          Telnet
80          HTTP (Standard web pages)
443         Secure HTTP (Secure web pages)
20 and 21   FTP (Data and control)
53          DNS
25          SMTP
119         NNTP


In addition to known valid services, such as those listed previously, there are many Trojan Horse programs that use specific ports (although the port can usually be changed).

Ports Associated with Trojan Horses

Port Number   Name of Trojan Horse
12345         NetBus
1243          Sub Seven
27374         Sub Seven 2.1
31337         Back Orifice
54320 (TCP)   Back Orifice 2000 (BO2K)
54321 (UDP)   Back Orifice 2000 (BO2K)

Network Monitor

There is a very valuable tool available with Windows called Network Monitor. This tool allows for full packet capture and lets the analyst (you) peer into the packet's contents, examining both the payload, or data, and the headers, in detail. You can see which flags are set, the sequence and acknowledgement numbers, the packet size, and more. The following is a discussion on the use of Network Monitor, provided as background for you to be able to perform the tasks in this lesson.

Some of the things you can do with Network Monitor are:

• Monitor real-time network traffic.

• Analyze network traffic.

• Filter specific protocols to capture.

In this lesson, you will be focusing on the capture and analysis of IP packets, and on the details of the protocol suite.

Trojan Horse: An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.


Figure 2-7: The default view of Network Monitor, showing the various panes.

In Figure 2-7, you can see the default view of Network Monitor. In this view, the screen is split into several sections.

The top bar is the standard menu bar found in Microsoft programs. The basic functions on the toolbar that you will use in this lesson are contained in the File and Capture menus.

• The File menu contains three commands: Open, Save As, and Exit.

— Choose Open to open a previously saved Network Monitor capture.

— Choose Save As to save a Network Monitor capture.

— Choose Exit to exit.

• The Capture menu has more commands: Start, Stop, Stop And View, Pause, and Continue.

— The Start, Pause, and Continue commands are self-explanatory.

— The difference between Stop and Stop And View is that the Stop command ends the capture. The Stop And View command ends the capture and switches Network Monitor to its next mode, Display View.

The other sections of the Capture View are panes (windows in a window) called Graph, Session Stats, Station Stats, and Total Stats.

• The Graph pane provides five bars that measure percentages of pre-defined metrics.

— The top graph indicates the percentage (%) of network utilization, meaning how much the network is being used.

— The second graph indicates the number of frames per second, meaning frames transmitted per second over the network.

— The third graph indicates the number of bytes per second that are transmitted over the network.


— The fourth graph indicates the number of broadcasts per second that are transmitted over the network.

— The fifth graph indicates the number of multicasts per second that are transmitted over the network.

While a capture is running, these graphs work in real time, providing current data.

• The next pane is the Session Stats pane. In this pane, you can see the sessions that are taking place during the capture.

• Following the Session Stats is the Station Stats pane. In this pane, you can see statistics per interface on the host, per broadcast, per multicast, and more.

• The final pane in this view is the Total Stats pane. The Total Stats pane is subdivided into sections: Network Statistics, Captured Statistics, Per Second Statistics, Network Card (MAC) Statistics, and Network Card (MAC) Error Statistics. From this pane, you can identify frames, broadcasts, multicasts, network utilization, errors, and more, all in real time during the capture.

Displaying Captures

After you have captured network traffic, you can begin your analysis, which requires a different view of Network Monitor. You will need to use the Display View. You can switch to the Display View by either using the Capture→Stop And View command or by using the Display Captured Data command after a capture session has been stopped.

Figure 2-8: The Summary View of Network Monitor.

When you first open the Summary View, as shown in Figure 2-8, you will see a timeline of packets captured. By double-clicking any packet that was captured, you can look into its details and bring up the next view of Network Monitor. Once you have selected a packet, Network Monitor displays three panes for presenting information to you.


Figure 2-9: The details of a packet in Network Monitor.

The top pane shown in Figure 2-9 is the Summary pane. This pane provides the basic details of a packet, such as:

• Frame number

• Time the packet was captured

• Destination and source MAC addresses

• Protocol used

• Destination and source IP addresses

The middle pane shown in Figure 2-9 is the Detail pane. This pane provides the actual details of the protocol for the selected packet. Any line that has a plus sign next to it can be expanded for further detail.

The bottom pane in Figure 2-9 is the Hex pane. This pane provides the actual hex value for the raw data that each frame is comprised of. When you select something in the Detail pane, it is highlighted in the Hex pane for comparison. Also, in this pane, the ASCII characters are visible. In the event that cleartext is captured, this is where it will be readable.

Network Monitor Filters

Because Network Monitor has the ability to capture all network traffic, it would be very easy to capture too much information and have difficulty in finding what you were looking for. This is where filtering comes into play. There are two types of filters available in Network Monitor: capture filters and display filters. For example, if you wanted to capture only TCP messages, you could create a capture filter so that only TCP messages are captured. If you wanted to view only ICMP messages, you could create a display filter so that all you see are ICMP messages. Figure 2-10 and Figure 2-11 show the dialog boxes used for each filter type.


To create or use filters, choose Capture→Filter. Using filters not only makes it easier for you, as an analyst, to find what you are looking for, but also keeps the buffer that stores the capture from filling up with useless information.

Figure 2-10: Network Monitor’s Capture Filter dialog box.

Figure 2-11 shows the Display Filter dialog box.

Figure 2-11: Network Monitor’s Display Filter dialog box.


When using filtering, you will likely use either protocol or address filtering. Withprotocol filtering, you identify a specific protocol to work with. With address fil-tering, you again define the specific address to filter. Filters can be implementedin different directions, either traffic into this host, outbound from this host, or inboth directions. These options are implemented by selecting the appropriate arrow(one of these three: --->, ---<, or <-->) for the function you want toperform.

TASK 2B-1Using Network Monitor

1. Open a command prompt, and enter ipconfig /all

If you are on the LEFT side of the classroom, your IP addresses will be 172.16.10.x. If you are on the RIGHT side of the classroom, your IP addresseswill be 172.18.10.x.

2. Record the MAC and IP address for the network card in your computer.

MAC address Each card will have a unique MAC address.IP address Each card will have a unique IP address.

3. Close the Command Prompt window.

4. Open Network Monitor. (From the Start menu, choose All Programs→Administrative Tools→Network Monitor.)

5. If you see the Select Default Network message box, click OK to display theSelect A Network dialog box. Expand the + sign next to Local Computer,select the interface with the MAC address associated with the networkinterface, and click OK.

6. Choose Capture→Start, or press F10 to start a capture.

7. If you are on the LEFT side of the classroom, ping the IP address 172.16.0.1. If you are on the RIGHT side of the classroom, ping the IP address172.18.0.1. This will create network traffic for you to capture.

8. Wait for 20 to 30 seconds. As you wait, watch the real time statistics change in the Network Monitor Capture window.

9. Choose Capture→Stop And View. You should now see the Display View, including the timeline of the packets captured.

10. Double-click any packet to change to the Detail View.

11. Observe the structure of the three panes in this view, and expand any + signs displayed in the middle pane.

12. Choose Display→Filter.

13. Select Protocol==Any, and click the Edit Expression button.


14. With the Protocol tab selected, click the Disable All button.

15. Scroll down to ICMP, select ICMP, and click the Enable button. The Expression field at the top of the dialog box should now display Protocol == ICMP. Click OK.

16. Click OK to implement this filter on your capture.

17. Observe that only ICMP frames are visible in your window now.

18. Choose File→Save As, and save the capture as First_Capture.cap in the default location.

19. Close Network Monitor.

Wireshark

Another product you can use to capture data is called Wireshark. (Wireshark was formerly known as Ethereal, with the name change taking place in 2006.) With Wireshark, data can be captured off the wire or read from a captured file. Data can also be saved to a file format that Microsoft Network Monitor can understand. Wireshark supports analysis on over 750 Data Link, Network, Transport, and Application layer protocols. Wireshark can be downloaded from www.wireshark.org.

To perform promiscuous mode captures on a Windows machine, you have to first download and install the latest stable version of WinPcap; do not install any alpha or beta versions. WinPcap is the Windows equivalent of libpcap (LIBrary for Packet CAPtures) for Linux. It can be obtained from www.winpcap.org. In fact, you will use WinPcap later in the course, along with other tools such as windump, tcpdump, nmap, and snort.

TASK 2B-2: Installing and Starting Wireshark

1. Choose Start→My Computer.

2. Open C:\Tools\Lesson2.

3. Double-click the WinPcap_4_0.exe file.

4. In the WinPcap_4_0.exe Installer Welcome screen, click Next.

5. Read the License Agreement, and click I Agree.

6. To close the WinPcap install wizard, click Finish.

7. Double-click the Wireshark_setup-0.99.5.exe file.

8. In the Wireshark Setup Wizard Welcome screen, click Next.

9. Read the License Agreement, and click I Agree.

promiscuous mode: Normally an Ethernet interface reads all address information and accepts follow-on packets only destined for itself, but when the interface is in promiscuous mode, it reads all information (sniffer), regardless of its destination.


10. Accept the Default Components (do not make any changes), and click Next.

11. Accept the Default Additional Tasks (do not make any changes), and click Next.

12. Accept the Default Destination Folder, and click Next.

13. You have already installed WinPcap, so do not check any boxes on the WinPcap screen, and click Install.

14. In the Installation Complete screen, click Next.

15. In the Completing The Wireshark 0.99.5 Setup Wizard, check the Run Wireshark_setup-0.99.5.exe check box and click Finish.

16. Leave Wireshark open for the following tasks.

Wireshark Overview

When you first start Wireshark (formerly called Ethereal), you will see a GUI with three panes. The top pane lists the captured frames in sequence. When you highlight a frame, the middle pane provides protocol layer information about that frame, and the bottom pane shows the details of the frame in both Hex and ASCII values.

Figure 2-12: The Ethereal (Wireshark) GUI.


At the top of the GUI there is a menu bar, with File, Edit, View, Go, Capture, Analyze, Statistics, and Help. Just above the top pane is a Filter button, a drop-down menu, an Expression button, a Clear button, and an Apply button. These buttons allow you to filter through the captured data, which, as you will see, is a very important feature.

When you wish to start a capture in Wireshark, you have several options. You can go to the Capture drop-down menu and select Start, or you can simply press the third icon from the right in the icons listed just below the main menu bar. However, as this is the first time you are running Wireshark, you must define some options. A quick way to the options screen is to press the Ctrl+K combination. When you do so, you will see a window that has many options, where you can make some specific selections, including the following:

• The interface to capture packets from.

• The limit to the number of packets to capture (if any).

• Whether you wish to capture packets in promiscuous mode or not.

• Any filters you wish to use.

• The file name for the capture file.

• If you wish to view the packets onscreen in real time.

• Parameters to define when the capture should stop.

• Whether you wish to enable or disable name resolution at the Data Link, Network, and Transport layers.


Figure 2-13: Wireshark’s Capture Options dialog box.

When you click OK, capture will start on the selected network interface, and you will see another pop-up informing you of that. Wireshark will continue with the capture until you click the Stop button.

Figure 2-14: Wireshark pop-up displaying capture information.


Once you have selected your options and clicked OK, the capture will start on the selected network interface, and you will see a pop-up window informing you of the capture in progress. Wireshark will continue with the capture until you press the Stop button or an option you configured tells the capture to stop.

Figure 2-15: The many Save As options in Wireshark.

After you stop a capture, you can view and analyze the data for your current use. When you are done and wish to save the file for future analysis, you have many options.

Notice how many choices you have for saving a capture—you can save to Network Monitor’s format if you want. (Conversely, Wireshark will read a capture saved by any of the protocol analyzers in the list.) When you are done with capture and analysis and want to close the program, choose File→Quit or press Ctrl+Q.

TASK 2B-3: Using Wireshark

Setup: Wireshark has been successfully installed and is running on your computer.

1. Choose Capture→Options.

2. In the Interface drop-down list, select your local area network adapter.

3. Notice that when you select your adapter, directly below the word Interface, the program has listed your LAN address.


4. Make sure that the Capture Packets In Promiscuous Mode check box is checked.

5. Check the Update List Of Packets In Real Time check box.

6. Click the Start button and open a command prompt.

7. Ping your Default Gateway IP Address.

8. When the ping has completed, close the command prompt, return to Wireshark, and choose Capture→Stop.

9. Double-click any frame where your computer is the Source and the Destination is the Default Gateway IP Address you just pinged. The protocol will be listed as ICMP.

10. Expand and view the frame details.

11. Note that you can analyze data in a similar fashion as in Network Monitor.

12. Once you are done with this initial look at Wireshark, close the application.

13. Click the Continue Without Saving button.

TCP Connections

Earlier, you were introduced to the function and the process of control flags, the three-way handshake, and the session teardown. In this section, you are going to use Network Monitor to view the three-way handshake, packet by packet, and to view the teardown, packet by packet.

Remember, the three-way handshake is used by two hosts when they are creating a session. The first host begins by sending out a packet with the SYN flag set, and no other flags. The second packet is a response with both the SYN and ACK flags set. The third part of the session establishment will have the ACK flag set.

TASK 2B-4: Analyzing the Three-way Handshake

1. Choose Start→Administrative Tools→Services.

2. Right-click telnet and choose Properties.

3. At the Startup type, select Manual.

4. Click Apply.

5. Click Start.

6. Click OK.

7. Close the Services window.


8. Open Network Monitor, and start a capture.

9. At a command prompt:

If you are on the LEFT side of the classroom, enter telnet 172.16.0.1

If you are on the RIGHT side of the classroom, enter telnet 172.18.0.1

Enter y; at the Login prompt, type anonymous and press Enter; and at the Password prompt, press Enter.

10. Press Enter repeatedly until your connection to the host is lost. Your screen may resemble the following graphic.

Minimize the command prompt window.

11. Switch back to Network Monitor, and choose Capture→Stop And View.

12. In the Summary pane, identify the frames that are involved in the three-way handshake.

13. Once you have identified the frames that are part of the three-way handshake, based on the discussion, look for the following:

a. In the first frame, what are the SEQ number, ACK number, and flags?

b. In the second frame, what are the SEQ number, ACK number, and flags?

c. In the third frame, what are the SEQ number, ACK number, and flags?

14. Expand each of the three frames in the handshake, and examine them in greater detail in the Detail pane.

15. Using the Hex pane, identify the value for the flags that are set for each frame.

16. Leave Network Monitor open, along with this capture, for the next task.

The Session Teardown Process

Previously, you examined the session teardown process. Here, you will examine the details of the session teardown. Remember, there are four parts of session teardown.


TASK 2B-5: Analyzing the Session Teardown Process

Setup: Network Monitor is running, and the last capture you performed is displayed.

1. In the Summary pane, identify the frames that are involved in the session teardown.

2. Once you have identified the frames, examine them in greater detail in the Detail pane.

3. In each frame, identify at least the following:

a. Flags that are set.

b. Sequence number.

c. Acknowledgement number.

4. Save the capture as tcp_connections.cap and close the capture.

5. Minimize Network Monitor.

Topic 2C: Capturing and Identifying IP Datagrams

Along with TCP, the protocol you will spend the most time analyzing will be IP. This protocol is the one that does the most work of the entire TCP/IP suite. In Figure 2-16, you can see the actual format of the IP datagram. There are seven rows of information in the figure, with the critical rows being the first five. When a computer receives an IP datagram, it will begin reading on Row One on the left side, bit by bit. Once it reads through Row One, it will read Row Two, and so on.

To work with IP further, refer to RFC 791.


Figure 2-16: An IP datagram with all fields shown.

Using Figure 2-16, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze the IP header.

• Starting on Row One, on the left side is a field called Version. This is a 4-bit field that defines the version of IP that is currently running. Right now, this will likely be a value of 4, as that is the current industry standard—IPv4, or IP version 4. Some instances may be using IP version 6, or IPv6, which you will examine later in the course.

• Moving to the right of the Version is a field called Header Length (IHL). This is a 4-bit field that defines the number of 32-bit words in the header itself, including options. In most captures, this value will be 5, for no options set, the normal value.

• Continuing to the right of Header Length is a field called Type Of Service. This is an 8-bit field that defines the quality of service for this packet. Different applications may require different needs of available bandwidth, and Type Of Service is one way of addressing those needs.

• The last field on Row One is the field called Total Length. This is a 16-bit field that defines the length of the entire IP datagram in bytes.

• Starting on Row Two, on the left side is a field called Identification. This is a 16-bit field that defines each datagram sent by the host. The standard for this field is for the identification value to increment by one for every datagram sent.

• Following the Identification field is a field called Flags. Not to be confused with the flags of TCP, which you have seen, this is a 3-bit field that is used in conjunction with fragmentation. The first of the three bits is to be set at 0, as a default. The next bit is known as the DF bit, or Don’t Fragment. The third bit is known as the MF bit, or More Fragment.

• The last field on Row Two is a field called Fragment Offset. This is a 13-bit field that is used to define where in the datagram this fragment belongs. (If there is fragmentation, the first fragment will have an offset of 0.)

• Starting on Row Three, on the left side, is a field called Time To Live. This is an 8-bit field that is used to define the maximum amount of time this datagram may be allowed to exist in the network. The TTL is created by the sender and lowers by 1 for every router that the datagram crosses. If the TTL reaches 0, the packet is to be discarded.

• Moving to the right is a field called Protocol. This is an 8-bit field that is used to define the upper-layer protocol that is in use for this datagram. There are many unique protocol numbers, and if you wish to study all of the numbers, please refer to RFC 790. However, the following list identifies several important Protocol ID numbers:

— Protocol ID Number 1: ICMP

— Protocol ID Number 6: TCP

— Protocol ID Number 17: UDP

• The final field on Row Three is a field called Header Checksum. This is a 16-bit field that is used to provide a check on the IP header only; this is not a checksum for any data following the header. This checksum provides integrity for the header itself.

• The Fourth Row is a single field, the Source IP Address. This field is a 32-bit value that identifies the IP address of the source host of this packet.

• The Fifth Row is also a single field, the Destination IP Address. This field is a 32-bit value that identifies the IP address of the destination host for this packet.

• The Sixth Row contains any options that may be present. This is a variable, with no absolute fixed size to the options. Some of the options that may be in this field are those that are related to routing or timekeeping. If options are used, there will be padding added so this field equals 32 bits in size.

• The Seventh and final Row is the representation of the data. By this point, the header is complete and the data the user wishes to send or receive is stored in the packet.
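As an added example (not code from the courseware), the following Python decodes the rows just described from raw bytes and verifies the Header Checksum the way a receiving host does, so a header damaged in transit is caught before the payload is trusted. The 172.16.x.x addresses, the Identification value and the payload are constructed sample values.

```python
import struct

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}   # the Protocol ID numbers listed above


def internet_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words (RFC 1071); an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode Rows One to Six of the IP header and verify the Header Checksum."""
    if len(pkt) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, hdr_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version = ver_ihl >> 4
    ihl = ver_ihl & 0x0F                    # header length in 32-bit words; 5 means no options
    header_len = ihl * 4
    if version != 4 or ihl < 5 or len(pkt) < header_len:
        raise ValueError("not a well-formed IPv4 header")
    header = pkt[:header_len]
    return {
        "version": version,
        "ihl": ihl,
        "tos": tos,
        "total_length": total_len,
        "identification": ident,
        "reserved_bit": flags_frag >> 15,   # first flag bit, always 0
        "df": bool(flags_frag & 0x4000),    # Don't Fragment
        "mf": bool(flags_frag & 0x2000),    # More Fragments
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # the field counts 8-byte units
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": PROTOCOL_NAMES.get(proto, str(proto)),
        "header_checksum": hdr_csum,
        # The checksum covers the header (options included) and nothing after it;
        # summing a header that contains its own checksum yields 0 when it is intact.
        "checksum_ok": internet_checksum(header) == 0,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "options": header[20:],
    }


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      ident: int = 1, ttl: int = 128, df: bool = True) -> bytes:
    """Assemble a 20-byte header with a correct checksum; used here only to construct sample input."""
    flags_frag = 0x4000 if df else 0
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


if __name__ == "__main__":
    # Constructed sample: a ping with a 40-byte ICMP payload from a LEFT-side classroom host.
    sample = build_ipv4_header("172.16.10.5", "172.16.0.1", 1, 40, ident=0x1234) + b"\x00" * 40
    fields = parse_ipv4_header(sample)
    for key in ("version", "ihl", "total_length", "identification", "df", "mf",
                "fragment_offset", "ttl", "protocol_name", "checksum_ok", "src", "dst"):
        print(f"{key:>16}: {fields[key]}")
    # A TTL changed in transit without recomputing the checksum is detected by the receiver.
    damaged = sample[:8] + bytes([sample[8] - 1]) + sample[9:]
    print(f"{'damaged ok?':>16}: {parse_ipv4_header(damaged)['checksum_ok']}")
```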

TASK 2C-1: Capturing and Identifying IP Datagrams

Setup: You are logged on to Windows Server 2003 as Administrator. A command prompt and Network Monitor are running.

1. In Network Monitor, start a new capture, and leave the capture running.

2. Open a command prompt and enter ftp ip_address where ip_address is the address of a neighbor computer.

integrity: Assuring information will not be accidentally or maliciously altered or destroyed.


3. At this time, the connection will not be successful. Type bye and close the command prompt.

4. Return to Network Monitor and choose Capture→Stop And View.

5. Observe the Protocol column. Apply a filter to only show TCP. For the specific steps, see Task 2B-1, step 12 through step 16. Click any of the frames and observe that the TCP control bits include FTP.

6. Examine the IP header, compared to the discussion. Look for the following:

a. Version Number.

b. Time To Live.

c. Protocol ID.

d. Source Address.

e. Destination Address.

7. Once you are done examining the IP header, save the capture as IP_Header.cap and close.

Topic 2D: Capturing and Identifying ICMP Messages

When you are analyzing protocols, it should become immediately apparent that there are differences between ICMP and the other protocols discussed in this lesson. There is a similar concept in that the ICMP message is encapsulated in the IP datagram, just as you saw with TCP and UDP. In Figure 2-17, you can see the actual format of the ICMP message. There are only two rows of information shown in the figure.

Figure 2-17: An ICMP message with all fields shown.

To work with ICMP further, refer to RFC 792.


Using Figure 2-17, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze an ICMP message.

• Starting on Row One, on the left side, the first field is called Type. This is an 8-bit value that identifies the specific ICMP message. For example, a Type could be 3, which is a type of unreachable message.

• Following Type on Row One is a field called Code. This is an 8-bit value that works in conjunction with Type to define the specific details of the ICMP message. For example, using Type 3, the Code could be 1, which is destination host unreachable.

• Moving along on Row One, the final field is called Checksum. This is a 16-bit value that checks the integrity of the entire ICMP message.

• The Second Row has no fixed fields. Depending on the Type and Code of the ICMP message, this field may contain many things. One example of what may go in this field is the time stamping of messages.

TASK 2D-1: Capturing and Identifying ICMP Messages

Setup: You are logged on to Windows Server 2003 as Administrator. A command prompt and Network Monitor are running.

1. Begin a new capture.

2. Switch to the command prompt, and ping a valid IP address of another host in your subnet. Wait for the ping to finish, and then minimize the command prompt.

3. In Network Monitor, stop and view the capture.

4. Scroll down the packets captured to identify ICMP messages, or create an ICMP filter.

5. Analyze the captured frames to identify the ping process between your computer and the host you pinged.

6. Compare the messages to the discussion, looking for the following:

a. Source IP Address.

b. Destination IP Address.

c. Type.

d. Code.

e. Payload for ping.

7. Save this capture as Valid_Ping.cap and close it. You are going to run another capture.

8. Begin a new capture.


9. Switch to the command prompt, ping a known invalid IP address for your network, wait for the ping to finish, and minimize the command prompt. For instance, if you were to ping the address 208.18.24.2, you should receive a message indicating that the request timed out. Or, if you are on the 172.16.10.0 network, you might try to ping the address 172.16.10.201, as that address is unlikely to be in use on your network.

10. In Network Monitor, stop and view the capture.

11. Scroll down the packets captured to identify ICMP messages.

12. Analyze the captured frames, and compare them to the discussion, looking for the following:

a. Source IP Address.

b. Destination IP Address.

c. Type.

d. Code.

13. Save this capture as icmpheader.cap and close.

Topic 2E: Capturing and Identifying TCP Headers

When investigating TCP/IP, you will find that TCP data is encapsulated in the IP datagram. Since you have already looked into the IP datagram itself, at this stage you will examine TCP further. In Figure 2-18, you can see the actual format of the TCP header. There are seven rows of information in the figure, with the critical ones for this discussion being the first five. Just as with IP, when a computer receives the TCP header, it will begin reading on Row One on the left side, bit by bit. Once it reads through Row One, it will read Row Two, and so on.

Figure 2-18: A TCP header with all fields shown.

Based on your network environment, you may not receive these ICMP messages.

To work with TCP further, refer to RFC 793.


Using Figure 2-18, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze the TCP header.

• Starting on Row One, on the left side is a field called Source Port Number. This field is a 16-bit number that defines the upper-layer application that is using TCP on the source host.

• The second field on Row One is a field called Destination Port Number. This is a 16-bit field that defines the upper-layer application that is using TCP on the destination host. The combination of an IP address and a port number is often called a socket. A socket pair identifies both ends of a communication completely, by using the host IP address and port, and the destination IP address and port.

• Moving onto Row Two, the entire row is a single field called Sequence Number. This is a 32-bit value that identifies the unique sequence number of this packet. The sequence numbers are used to track communication and are part of the reason TCP is considered a connection-oriented protocol.

• In Row Three, you can see that the entire row is also a single field, called Acknowledgement Number. This is a 32-bit value that provides a response to a sequence number. Under normal operations, this value will be the value of the sequence number of the last packet received in this line of communication, plus 1. There will be a value in this field only if the ACK flag is turned on (flags are in the next row).

• Continuing on to Row Four, starting on the left side is a field called Offset (sometimes also called Header Length). This is a 4-bit value that defines the size of the TCP header. Because this is a 4-bit value, the limit on the size of the header is 60 bytes. If there are no options set, the size of the header is 20 bytes.

• Moving to the right is a field called Reserved. This is a 6-bit value that is always left at 0 for functioning hosts using TCP/IP. It is not used for any normal network traffic.

• After the Reserved field are the six Control Flags. Each flag is only 1 bit, either on or off. There are six control flags, and they are listed as follows in the left-to-right order they occupy in the TCP header:

— URG: If this is a 1, the Urgent flag is set.

— ACK: If this is a 1, the Acknowledgement flag is set.

— PSH: If this is a 1, the Push flag is set.

— RST: If this is a 1, the Reset flag is set.

— SYN: If this is a 1, the Synchronize flag is set.

— FIN: If this is a 1, the Finish flag is set.

For a detailed discussion on the flags and their functions, please review that section earlier in this lesson.

• Following the Control Flags on Row Four is a field called Window Size. This is a 16-bit value that identifies the number of bytes, starting with the one defined in the Acknowledgement field, that the sender of this segment is willing to accept.

• Moving on to Row Five, on the left side, there is a field called TCP Checksum. This is a 16-bit value that is used to provide an integrity check of the TCP header and the TCP data. The value is calculated by the sender, then stored, and the receiver compares the value upon receipt.

• Following the TCP checksum on Row Five is a field called Urgent Pointer. This is a 16-bit value that is used if the sender must send emergency information. The pointer points to the sequence number of the byte that follows the urgent data, and is only active if the URG flag has been set.

• The Sixth Row has only one field, called Options. This is a 32-bit value that is often used to define a maximum segment size (MSS). MSS is used so the sender can inform the receiver of the maximum segment size that the sender is going to receive on return communication. In the event that the options set do not take up all 32 bits, padding will be added to fill the field.

• The Seventh and final Row is the representation of the data. By this point, the header is complete and the data the user wants to send or receive is stored in the packet.
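The following Python is an added example, not code from the courseware: it decodes the TCP header rows above (including the flag byte you read in the Hex pane) and checks three captured frames against the SYN, SYN/ACK, ACK rules of the three-way handshake described under TCP Connections, verifying the SEQ/ACK arithmetic that Task 2B-4 asks you to read off by hand. Port 1044, the Telnet port 23 and the sequence numbers are constructed sample values.

```python
import struct

# The six control flags in the left-to-right order they occupy in Row Four.
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


def parse_tcp_header(seg: bytes) -> dict:
    """Decode Rows One to Six of the TCP header described above."""
    if len(seg) < 20:
        raise ValueError("too short for a TCP header")
    (sport, dport, seq, ack, off_res_flags,
     window, checksum, urg_ptr) = struct.unpack("!HHIIHHHH", seg[:20])
    header_len = (off_res_flags >> 12) * 4        # Offset is in 32-bit words: 20..60 bytes
    reserved = (off_res_flags >> 6) & 0x3F        # must be 0 on functioning hosts
    flag_bits = off_res_flags & 0x3F
    if header_len < 20 or len(seg) < header_len:
        raise ValueError("bad data offset")
    return {
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "ack": ack if flag_bits & FLAG_BITS["ACK"] else None,   # meaningful only with ACK set
        "header_len": header_len,
        "reserved": reserved,
        "flags": {name: bool(flag_bits & bit) for name, bit in FLAG_BITS.items()},
        "flags_hex": flag_bits,                   # the value you see in the Hex pane
        "window": window,
        "checksum": checksum,
        "urgent_pointer": urg_ptr if flag_bits & FLAG_BITS["URG"] else None,
        "options": seg[20:header_len],
        "payload": seg[header_len:],
    }


def set_flags(hdr: dict) -> set:
    """Names of the flags that are on in a parsed header."""
    return {name for name, on in hdr["flags"].items() if on}


def check_three_way_handshake(frames) -> list:
    """Check three captured segments against the SYN, SYN/ACK, ACK rules above.
    Returns the list of rule violations; an empty list means a well-formed handshake."""
    if len(frames) != 3:
        return ["expected exactly three frames"]
    first, second, third = (parse_tcp_header(f) for f in frames)
    problems = []
    expected = ({"SYN"}, {"SYN", "ACK"}, {"ACK"})
    for n, (hdr, want) in enumerate(zip((first, second, third), expected), 1):
        got = set_flags(hdr)
        if got != want:
            problems.append(f"frame {n}: flags {sorted(got)}, expected {sorted(want)}")
    if (second["src_port"], second["dst_port"]) != (first["dst_port"], first["src_port"]):
        problems.append("frame 2 does not reverse the port pair of frame 1")
    wrap = 0xFFFFFFFF                             # sequence space is 32 bits wide
    if second["ack"] != (first["seq"] + 1) & wrap:
        problems.append("frame 2 ACK number is not frame 1 SEQ + 1")
    if third["seq"] != (first["seq"] + 1) & wrap:
        problems.append("frame 3 SEQ number is not frame 1 SEQ + 1")
    if third["ack"] != (second["seq"] + 1) & wrap:
        problems.append("frame 3 ACK number is not frame 2 SEQ + 1")
    return problems


def build_tcp_header(sport, dport, seq, ack, flags, window=65535) -> bytes:
    """Assemble a 20-byte option-less header (checksum left 0); used to construct sample frames."""
    bits = sum(FLAG_BITS[name] for name in flags)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | bits, window, 0, 0)


if __name__ == "__main__":
    # Constructed sample: a Telnet connection from port 1044 to port 23, as in Task 2B-4.
    handshake = [
        build_tcp_header(1044, 23, 1000, 0, ["SYN"]),
        build_tcp_header(23, 1044, 5000, 1001, ["SYN", "ACK"]),
        build_tcp_header(1044, 23, 1001, 5001, ["ACK"]),
    ]
    for i, frame in enumerate(handshake, 1):
        h = parse_tcp_header(frame)
        print(f"frame {i}: flags=0x{h['flags_hex']:02x} {sorted(set_flags(h))} "
              f"seq={h['seq']} ack={h['ack']}")
    print("problems:", check_three_way_handshake(handshake) or "none")
    # A SYN/ACK where the final ACK should be is reported rather than accepted as a session.
    bogus = handshake[:2] + [build_tcp_header(1044, 23, 1001, 5001, ["SYN", "ACK"])]
    print("problems:", check_three_way_handshake(bogus))
```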

TASK 2E-1: Capturing and Identifying TCP Headers

Setup: You are logged on to Windows Server 2003 as Administrator. A command prompt and Network Monitor are running.

1. Begin a new capture.

2. Switch to the command prompt and initiate a Telnet session to a neighboring host. Whether or not it connects at this time is not important, so the Telnet service does not need to be on.

3. If the Telnet session starts, exit the Telnet session; otherwise, close the command prompt.

4. Stop and view the capture.

5. Add a filter so that all you see are TCP frames. For the specific steps to add filters, see Task 2B-1, step 12 through step 16.

6. Analyze the TCP headers in the frames.

7. When analyzing the headers, look for the following:

a. Sequence Numbers.

b. Acknowledgement Numbers.

c. Source Port Numbers.

d. Destination Port Numbers.

8. Once you have analyzed the header, save the capture as Telnet_Attempt.cap and close.


Topic 2F: Capturing and Identifying UDP Headers

Compared to TCP, UDP is a very simple transport protocol. The UDP header and data will be completely encapsulated in the IP datagram, just as with TCP. In Figure 2-19, you can see the actual format of the UDP header. There are three rows of information in the figure. Just as with TCP, when a computer receives the UDP header, it will begin reading on Row One on the left side, bit by bit. Once it reads through Row One, it will read Row Two, and so on.

Figure 2-19: A UDP header with all fields shown.

Using Figure 2-19, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze the UDP header.

• Starting on Row One, on the left side is a field called Source Port Number. This field is a 16-bit value that defines the upper-layer application that is using UDP on the source host.

• The second field on Row One is called Destination Port Number. This field is a 16-bit value that defines the upper-layer application that is using UDP on the destination host.

• On the Second Row, the field on the left is called UDP Length. This is a 16-bit value that identifies the length of the UDP data and the UDP header.

• The second field on Row Two is a field called UDP Checksum. This is a 16-bit value that is used to provide an integrity check of the UDP header and the UDP data. The value is calculated by the sender, then stored, and the receiver compares the value upon receipt.

• Row Three is where the actual user data is stored. It is possible for a user to send a UDP datagram with zero bytes of data.
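As an added example (not courseware code), the following Python decodes an ICMP message as described in Topic 2D and a UDP datagram as described above, and verifies both checksums. One point worth seeing in code: the UDP checksum also covers a pseudo-header built from the IP source and destination addresses, so the datagram cannot be checked without the IP header it arrived in. The ping payload, the TFTP read request (the kind of traffic in tftp.cap) and the 172.16.10.x addresses are constructed sample values.

```python
import struct

ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 8: "Echo Request", 11: "Time Exceeded"}
UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable"}


def internet_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words (RFC 1071); an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def parse_icmp(msg: bytes) -> dict:
    """Decode Row One (Type, Code, Checksum); everything after it is the variable Row Two."""
    if len(msg) < 8:
        raise ValueError("too short for an ICMP message")
    icmp_type, code, checksum = struct.unpack("!BBH", msg[:4])
    desc = ICMP_TYPES.get(icmp_type, f"type {icmp_type}")
    if icmp_type == 3:
        desc += " / " + UNREACHABLE_CODES.get(code, f"code {code}")
    return {
        "type": icmp_type,
        "code": code,
        "description": desc,
        "checksum": checksum,
        "checksum_ok": internet_checksum(msg) == 0,   # covers the entire ICMP message
        "rest_of_header": msg[4:8],                    # identifier and sequence for echo messages
        "payload": msg[8:],
    }


def parse_udp(src_ip: str, dst_ip: str, dgram: bytes) -> dict:
    """Decode the UDP header; the checksum also covers a pseudo-header taken from the IP datagram."""
    if len(dgram) < 8:
        raise ValueError("too short for a UDP header")
    sport, dport, length, checksum = struct.unpack("!HHHH", dgram[:8])
    if length < 8 or length > len(dgram):
        raise ValueError("UDP Length field disagrees with the bytes present")
    if checksum == 0:
        checksum_ok = None     # IPv4 allows an all-zero checksum, meaning "not computed"
    else:
        pseudo = ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 17, length)
        checksum_ok = internet_checksum(pseudo + dgram[:length]) == 0
    return {"src_port": sport, "dst_port": dport, "length": length,
            "checksum": checksum, "checksum_ok": checksum_ok, "data": dgram[8:length]}


def build_icmp_echo(ident: int, seq: int, payload: bytes, reply: bool = False) -> bytes:
    """Construct an Echo Request (Type 8) or Echo Reply (Type 0) with a correct checksum."""
    head = struct.pack("!BBHHH", 0 if reply else 8, 0, 0, ident, seq)
    csum = internet_checksum(head + payload)
    return head[:2] + struct.pack("!H", csum) + head[4:] + payload


def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, data: bytes) -> bytes:
    """Construct a UDP datagram with a pseudo-header checksum (a computed 0 is sent as 0xFFFF)."""
    length = 8 + len(data)
    head = struct.pack("!HHHH", sport, dport, length, 0)
    pseudo = ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 17, length)
    csum = internet_checksum(pseudo + head + data) or 0xFFFF
    return head[:6] + struct.pack("!H", csum) + data


if __name__ == "__main__":
    # Constructed samples: a Windows-style ping (32 data bytes) and a TFTP read request to port 69.
    echo = build_icmp_echo(0x0200, 1, b"abcdefghijklmnopqrstuvwabcdefghi")
    print(parse_icmp(echo)["description"], parse_icmp(echo)["checksum_ok"])
    rrq = b"\x00\x01" + b"test.txt\x00" + b"octet\x00"      # TFTP opcode 1 = read request
    udp = build_udp("172.16.10.5", "172.16.10.7", 1025, 69, rrq)
    print(parse_udp("172.16.10.5", "172.16.10.7", udp))
    # The pseudo-header ties the datagram to its IP addresses: a changed source fails the check.
    print(parse_udp("172.16.10.6", "172.16.10.7", udp)["checksum_ok"])
```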

TASK 2F-1: Working with UDP Headers

Setup: You are logged on to Windows Server 2003 as Administrator, and Network Monitor is running.

1. Browse to C:\Tools\Lesson2. In that folder is a file called tftp.cap. Open tftp.cap in Network Monitor.

To work with UDP further, refer to RFC 768.


2. Expand the details of any UDP frame, and compare it to the discussion. Look for the following:

a. Source Port.

b. Destination Port.

c. What the actual UDP data is.

3. As you are analyzing this traffic, verify that no session was established, as UDP is connectionless.

4. Close the capture.

Topic 2G: Analyzing Packet Fragmentation

Packet-switched networks will all, at one time or another, experience fragmentation. This is due to the fact that all complex networks are made up of various physical media and configurations. So, a packet of a certain size might fit fine on one segment, but may suddenly be many times larger than the capacity of the next segment. The size limit that is allowed to exist on a network varies from network to network and is referred to as the Maximum Transmission Unit (MTU).

In the event that a datagram gets fragmented, it is not reassembled until it reaches its final destination. When the datagram is fragmented, each fragment becomes its own unique packet—transmitted and received uniquely.

TCP segments are sent using IP datagrams. TCP expects a one-to-one ratio of segments to datagrams. Therefore, IP on the receiving end must completely reassemble the datagram before handing the segment to TCP. In the relationship between TCP and IP, the following rules that affect fragmentation are defined:

• The TCP Maximum Segment Size (MSS) is the IP Maximum Datagram Size minus 40 octets.

• The default IP Maximum Datagram Size is 576 octets.

• The default TCP Maximum Segment Size is 536 octets.

Fragmentation will rarely happen at the source of a datagram, but it is possible. One example is a receiving host that says it can accept segments many times larger than what the sender normally sends. Another example would be a host on a small-packet-size network, such as PPP, using an application with a fixed-size message.

The common location for fragmentation, then, is at a gateway, where the odds of different MTUs on different interfaces are very high. The following list shows the MTU for various media:

• PPP: 296 bytes

• Ethernet: 1500 bytes

• FDDI: 4352 bytes

• Token Ring (4 MB/s): 4464 bytes

• Token Ring (16 MB/s): 17914 bytes

The official minimum MTU is 68, and the maximum is 65535.
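To make the fragmentation rules above concrete, here is an added Python example (not part of the course materials or its data files) that does what a gateway and the final destination do: it splits a datagram that is too large for the next link's MTU into fragments that share the IP ID, carry offsets in 8-octet units, and set More Fragments on every piece but the last, and it reassembles them at the other end. It also shows the two failure modes a defender cares about: a datagram with Don't Fragment set cannot be fragmented and is dropped, and reassembly refuses gaps, overlaps, and a missing last fragment. The large ICMP echo request, the addresses, and the IP ID are constructed; options are not handled, and the reassembly is deliberately strict where a real stack would buffer and wait.

```python
import socket
import struct

IP_DF = 0x4000        # Don't Fragment flag
IP_MF = 0x2000        # More Fragments flag
OFFSET_MASK = 0x1FFF  # Fragment Offset, in 8-octet units

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum of a header; returns 0 when run over a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src, dst, ident, proto, payload, flags=0, offset=0, ttl=64) -> bytes:
    """Datagram with a minimal 20-byte IPv4 header (no options); offset is in octets, a multiple of 8."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags | (offset // 8), ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_ipv4(pkt: bytes) -> dict:
    """Decode ID, DF/MF flags and Fragment Offset, the fields you inspect frame by frame in Network Monitor."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total, ident, fo, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total > len(pkt):
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    return {"id": ident, "df": bool(fo & IP_DF), "mf": bool(fo & IP_MF),
            "offset": (fo & OFFSET_MASK) * 8, "proto": proto, "ttl": ttl,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "payload": pkt[ihl:total]}

def fragment(pkt: bytes, mtu: int) -> list:
    """Split a datagram (or an already-fragmented piece) for a link with the given MTU, as a gateway would."""
    if len(pkt) <= mtu:
        return [pkt]
    p = parse_ipv4(pkt)
    if p["df"]:
        raise ValueError("DF set: the gateway drops the datagram and returns ICMP 'fragmentation needed'")
    ihl = (pkt[0] & 0x0F) * 4
    per_frag = (mtu - ihl) // 8 * 8  # every fragment but the last carries a multiple of 8 octets
    if per_frag <= 0:
        raise ValueError("MTU too small to carry any data")
    data, frags = p["payload"], []
    for off in range(0, len(data), per_frag):
        last = off + per_frag >= len(data)
        more = IP_MF if (not last or p["mf"]) else 0  # keep MF on the last piece if the input was itself not final
        frags.append(build_ipv4(p["src"], p["dst"], p["id"], p["proto"], data[off:off + per_frag],
                                flags=more, offset=p["offset"] + off, ttl=p["ttl"]))
    return frags

def reassemble(frags: list) -> bytes:
    """Rebuild the original datagram at the destination; refuses gaps, overlaps and a missing last fragment."""
    parsed = sorted((parse_ipv4(f) for f in frags), key=lambda p: p["offset"])
    if len({(p["src"], p["dst"], p["id"], p["proto"]) for p in parsed}) != 1:
        raise ValueError("fragments do not all belong to the same datagram")
    data = b""
    for p in parsed:
        if p["offset"] != len(data):  # smaller: overlap; larger: hole
            raise ValueError("gap or overlap at offset %d" % p["offset"])
        data += p["payload"]
    if parsed[-1]["mf"]:
        raise ValueError("last fragment (MF=0) not seen")
    first = parsed[0]
    return build_ipv4(first["src"], first["dst"], first["id"], first["proto"], data, ttl=first["ttl"])

def tcp_mss(ip_max_datagram: int = 576) -> int:
    """The MSS rule from the text: IP maximum datagram size minus 40 octets of IP and TCP headers."""
    return ip_max_datagram - 40

def demo_datagram() -> bytes:
    """Constructed sample: an ICMP echo request with 3000 data bytes, the kind of large ping that fragments."""
    data = (bytes(range(256)) * 12)[:3000]
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + data
    icmp = icmp[:2] + struct.pack("!H", ipv4_checksum(icmp)) + icmp[4:]
    return build_ipv4("172.16.30.2", "172.16.30.1", 0x4E20, 1, icmp)

if __name__ == "__main__":
    for f in fragment(demo_datagram(), 1500):
        p = parse_ipv4(f)
        print("id=%#x mf=%d offset=%d len=%d" % (p["id"], p["mf"], p["offset"], len(f)))
```

On an Ethernet MTU of 1500 the 3028-byte datagram becomes three fragments (offsets 0, 1480 and 2960, the last with MF clear); on a PPP MTU of 296 the same datagram becomes twelve. Only the first fragment carries the ICMP header, which is why a capture shows the upper-layer protocol on the first fragment only.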


Figure 2-20: How fragmentation works.

TASK 2G-1: Analyzing Fragmentation

Setup: You are logged on to Windows Server 2003 as Administrator, and Network Monitor is running.

1. Navigate to C:\Tools\Lesson2 and open fragment.cap in Network Monitor.

2. Expand the details of frame 1, looking for the Fragment flag.

3. Observe that, in frame 1, there is no Fragment Offset, as this is the first fragment.

4. Select several consecutive frames. Observe that each successive frame has a higher Fragment Offset as it gets farther from the beginning of the original datagram.

5. Observe that the IP ID stays constant for each fragment.

6. Expand the details of frame 16.

7. Observe that the Fragment flags are now both 0, indicating this is the last of the fragments.

8. Close the capture.


Topic 2H: Analyzing an Entire Session

Now that you have analyzed IP, TCP, UDP, ICMP, fragmentation, handshakes, and teardowns, it is time to put them together. In this topic, you will follow along using two sample captures that were made specifically for this purpose. One capture is a PING capture, and the other is an FTP capture. By analyzing them, you will see how TCP/IP functions—from start to finish.

About the Tasks

In the following tasks, Windows Server 2003 Network Monitor was used to capture a ping between two hosts and an ftp session between two hosts. The ping and ftp commands were run from the command prompt, and the output was saved to the text files ping.txt and ftp.txt, respectively. The Network Monitor captures were saved to the files ping.cap and ftp.cap, respectively. You can open the TXT files with Notepad to see the commands and responses. You can open the CAP files with Network Monitor and see the frames captured as a result. Let’s take a look.

TASK 2H-1: Performing a Complete ICMP Session Analysis

Objective: To use the supplied capture and text files to examine the TCP/IP headers, in order to understand how a session is set up, used, and torn down.

Setup: You are logged on to Windows Server 2003 as Administrator, and Network Monitor is running.

1. Start Notepad and open the file ping.txt. This file is in C:\Tools\Lesson2. You should see the output shown in the following graphic.

2. Keep this file open.

3. Switch to Network Monitor, and open the file ping.cap. It’s also located in C:\Tools\Lesson2.


4. Observe that frame 1 is an Ethernet broadcast trying to resolve the target IP address to its MAC address.

5. Observe that frame 2 is a reply from the target machine with the appropriate resolution. From now on, the two hosts can communicate.


6. Observe the next two frames. They are ICMP echo messages going back and forth between the two hosts, corresponding to the output in the text file. Examine the ICMP messages, and see the details in frames 3 and 4 as shown in the following graphics.

7. Observe that, for the ping command, no session was set up or torn down—just a simple ICMP echo request, followed by an ICMP echo reply.

8. Close ping.cap and ping.txt.


Continuing the Complete Session Analysis

In the last task, one host successfully pinged another, in preparation for establishing an FTP transaction. We’ll look at the FTP portion of the session, but before we do, a quick differentiation between active and passive FTP is in order.

FTP Communication

Up to this point you have been examining ICMP communication. Now you will examine an active FTP session. There are two different types of FTP, something that many administrators are unfamiliar with. The two FTP types are simply called passive and active.

The mode most people think of with FTP is active FTP. In active FTP, a client makes a connection to the FTP server. The client uses a port higher than 1024 (we’ll call it X) to connect to the server, which uses port 21, and the FTP command and control session is established. The server responds with the data transfer, sent from port 20. The client receives the data transfer on a port one higher than the one it used for command transfer, or X+1.

In passive mode FTP, the client initiates both connections between the client and the server. When the FTP client begins an FTP session, the client opens two ports (again one higher than 1024, and the next port higher, or X and X+1). The first connection and port is the session to the server for command and control on server port 21. The server then opens a random port (again higher than 1024, referred to as Y in this section), and sends this port information back to the client. The client then requests the data transfer from client port X+1 to server port Y.

When active FTP is used, there can be a situation that firewalls dislike. The first part of the FTP session, from client to server, is not a problem. However, when the server responds to the client, it can seem to the firewall to be a new session started from an untrusted network, trying to gain access to the private network.

Passive FTP solves this problem on the firewall, as both parts of the FTP session originate from the FTP client, and no session starts from an untrusted network. There is a different problem with passive FTP. This problem is not on the firewall, but on the server configuration itself. Because the FTP client starts both sessions, the FTP server must be able to listen on any high port, meaning all high ports must be open and available. To deal with this situation, many FTP applications now include features that limit the port range that the server can use.
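The firewall problem just described is what a stateful FTP helper solves: instead of opening every high port, it reads the control channel and opens one narrow pinhole for the data connection it has just seen announced. The Python below is an added example (not from the course materials or any particular firewall product) of that logic. It decodes the PORT command (active FTP, server connects from port 20 to the client's announced port) and the 227 reply (passive FTP, client connects to the server's announced port Y), refuses a PORT that names a third host or a privileged port, enforces the server's configured passive port range, and then decides whether a new SYN matches the announced channel. The control-channel lines and the passive range are constructed; the lab addresses are the ones used in this lesson's captures. It generalizes the text slightly by allowing any ephemeral client port in passive mode rather than requiring X+1.

```python
import re

# Host-port strings in FTP are six decimal bytes h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
PORT_CMD = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
PASV_REPLY = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def decode_hostport(groups):
    """Turn the six matched numbers into (ip, port), rejecting anything outside 0-255."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("host-port byte out of range")
    return "%d.%d.%d.%d" % tuple(nums[:4]), nums[4] * 256 + nums[5]

def predict_data_channel(client_ip, server_ip, control_line, server_pasv_range=None):
    """From one control-channel line, say which side will open the data connection and between which sockets.

    Returns None for lines that announce no data channel; raises ValueError for announcements that a
    firewall or server should refuse."""
    m = PORT_CMD.match(control_line)
    if m:  # active FTP: the client tells the server where to connect
        ip, port = decode_hostport(m.groups())
        if ip != client_ip:
            raise ValueError("PORT names a host other than the client; refusing")
        if port < 1024:
            raise ValueError("PORT names a privileged port; refusing")
        return {"mode": "active", "initiator": "server",
                "src": (server_ip, 20), "dst": (client_ip, port)}
    m = PASV_REPLY.match(control_line)
    if m:  # passive FTP: the server tells the client where to connect
        ip, port = decode_hostport(m.groups())
        if ip != server_ip:
            raise ValueError("227 reply names an address other than the server; refusing")
        if server_pasv_range and not (server_pasv_range[0] <= port <= server_pasv_range[1]):
            raise ValueError("passive port %d is outside the configured range %s" % (port, server_pasv_range))
        return {"mode": "passive", "initiator": "client",
                "src": (client_ip, None), "dst": (server_ip, port)}  # None: any ephemeral client port
    return None

def pinhole_allows(expected, syn_src, syn_dst):
    """Stateful pinhole: a new SYN passes only if it is exactly the data connection just announced."""
    if expected is None:
        return False
    exp_ip, exp_port = expected["src"]
    src_ok = syn_src[0] == exp_ip and (syn_src[1] >= 1024 if exp_port is None else syn_src[1] == exp_port)
    return src_ok and syn_dst == expected["dst"]

# Constructed control-channel lines for the lab addresses used in this lesson's captures.
CLIENT_IP, SERVER_IP = "172.16.30.2", "172.16.30.1"

def demo():
    active = predict_data_channel(CLIENT_IP, SERVER_IP, "PORT 172,16,30,2,7,234")  # 7*256+234 = 2026
    passive = predict_data_channel(CLIENT_IP, SERVER_IP,
                                   "227 Entering Passive Mode (172,16,30,1,195,101)",  # 195*256+101 = 50021
                                   server_pasv_range=(50000, 50100))
    return active, passive

if __name__ == "__main__":
    for channel in demo():
        print(channel)
```

Without this helper, active FTP forces an administrator to accept inbound connections from server port 20 to every high client port, and passive FTP forces every high server port open; with it, the only inbound SYN that passes is the one the control channel announced, and a server that announces a port outside its configured range is refused.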


TASK 2H-2: Performing a Complete FTP Session Analysis

Objective: To use the supplied capture and text files to examine the TCP/IP headers, in order to understand how a session is set up, used, and torn down.

Setup: You are logged on to Windows Server 2003 as Administrator. Notepad and Network Monitor are running.

1. Switch to Notepad and open ftp.txt. This file is located in C:\Tools\Lesson2. You should see the results shown in the following graphic.

2. Observe that, in this session, when the ftp server asks for a password, the user enters it but it is not shown on screen.


3. Switch to Network Monitor, and open ftp.cap in C:\Tools\Lesson2. You should see results similar to those shown in the following graphics. (Depending on the version of Network Monitor you are using, MAC and IP addresses might be displayed in hex, and the time might be in a different format.)

There are 51 frames involved in this capture.

4. If you would like to change the color of the FTP packets for easier viewing, choose Display→Colors. Scroll down and select FTP; then, from the Background drop-down list, select a mild color such as gray or teal, and click OK. If you select a darker color, it might make it more difficult to read the text.

If you would like to change the format of the addresses from hex to more readable names, choose Display→Addresses, and click Add. In the box that is displayed, enter FTPSITE for the Name, add 002B32CFC72 for the Address, verify that the Type is Ethernet, and click OK. Click Add again, then enter LOCAL for the Name, add 0002B32C5B13 for the Address, verify that the Type is Ethernet, and click OK twice.


5. Observe that frames 3, 4, and 5 represent the TCP handshake involved in establishing the session. Frames shaded gray (6, 8-9, 11-12, 14, 16-19, 23, 29, 31-34, 38, 44, and 46-47) are all directly involved with the ftp application—authentication, ftp requests for directory information, an actual file transfer, followed by a quit, and a bye response.

6. Observe that in frame 8, you can see the user name being supplied.

7. Observe that in frame 9, you can see the request for a password.

8. Observe that in frame 11, you can see the password being supplied. Isn’t this a good enough reason to employ some secure authentication, such as encryption?

9. Let’s view the three-way handshake frames in a bit more detail.

Frame 3 starts the three-way handshake (the Active Open) by setting the SYN bit to 1, offering source port number 2025 (07E9 in hex), while at the same time directing the request to port number 21 (15 in hex) on the server. A sequence number of 2052360112 (7A5487B0 in hex) is associated with this frame to uniquely identify it, even in the event of multiple sessions between the same two hosts.


10. Let’s look at the reply.

The reply from the ftp server in frame 4 includes an ACK, while simultaneously including a SYN. This is the Passive Open.

11. Observe that frame 5 includes an ACK from the client.

Once the session is established, FTP can continue with its setup. This includes a login name and a password (to be supplied if anonymous access is not supported), followed by file requests.


12. Observe that frame 6 shows the ftp server asking for user identification. Frame 8 shows the ftp client supplying the user name of test user.

13. Observe that this is met by the ftp server asking for the password in frame 9.


14. Observe that in frame 11, you can see the password being offered. Because no secure methods for authentication were set up, you can see the actual password (the word “plaintext”).

15. Observe that once the user has been authenticated, the ftp session is allowed to continue. The ftp server puts out the welcome message shown in frame 12.


16. Observe that the rest of the frames dealing with FTP—frames 14, 16-19, 23,29, 31-34, 38, and 44—have to do with directory listings and file transfers.


17. Observe that in frame 38, you can see the actual contents of the file as it is being transferred. In this case, because it is just a text file, you can read the contents.

18. Observe that in frame 46, you can see the client attempt to close the connection with the Quit command.


19. Observe that in frame 47, you can see the server communicate with the client with the message “See ya later.”


20. Observe that these messages are followed by TCP terminating the session from both ends in frames 48 and 49, and 50 and 51, respectively, where the FIN bits are set to 1 and the corresponding frame contains the ACK bit set to 1.
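The checks you have just made by eye (the three-way handshake in frames 3, 4 and 5, the user name and password crossing the wire in frames 8 and 11, and the four-step close in frames 48 through 51) can be automated. The Python below is an added example, not part of the course materials or of Network Monitor: it walks a list of TCP segments and reports handshakes whose ACK numbers really do equal the other side's ISN plus one, FTP USER/PASS commands sent to port 21 (the password is masked in the report, since the point is to detect the exposure, not to log the secret), and FIN/ACK/FIN/ACK teardowns whose acknowledgements line up. The capture it runs on is constructed to mirror the frames named in this task: the client ISN is the 2052360112 quoted in step 9, while the server ISN, the banner text, the user name and the omitted frames (7, 10, 13 and so on) are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    no: int           # frame number as Network Monitor would show it
    src: tuple        # (ip, port)
    dst: tuple
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "PSH", "RST"}
    seq: int
    ack: int
    payload: bytes = b""

class Conversation:
    """Builder for a constructed capture: tracks each side's next sequence number so seq/ack are consistent."""
    def __init__(self, a, b, isn_a, isn_b):
        self.next_seq = {a: isn_a, b: isn_b}
        self.frames = []

    def frame(self, no, src, dst, *flags, payload=b""):
        fl = frozenset(flags)
        seg = Segment(no, src, dst, fl, self.next_seq[src], self.next_seq[dst] if "ACK" in fl else 0, payload)
        self.next_seq[src] += len(payload) + (1 if fl & {"SYN", "FIN"} else 0)  # SYN and FIN each use one number
        self.frames.append(seg)
        return seg

def _later(frames, after, **want):
    """Frames after the given frame number whose listed attributes match exactly."""
    return (f for f in frames if f.no > after and all(getattr(f, k) == v for k, v in want.items()))

def find_handshakes(frames):
    """(SYN, SYN/ACK, ACK) frame-number triples whose ack numbers check out against the ISNs."""
    out = []
    for s in frames:
        if s.flags != {"SYN"}:
            continue
        for sa in _later(frames, s.no, src=s.dst, dst=s.src, flags=frozenset({"SYN", "ACK"})):
            if sa.ack != s.seq + 1:
                continue
            for a in _later(frames, sa.no, src=s.src, dst=s.dst):
                if "ACK" in a.flags and "SYN" not in a.flags and a.seq == s.seq + 1 and a.ack == sa.seq + 1:
                    out.append((s.no, sa.no, a.no))
                    break
            break
    return out

def find_cleartext_credentials(frames, ctrl_port=21):
    """(frame, command, value) for USER/PASS sent to the control port; the password itself is masked."""
    hits = []
    for f in frames:
        if f.dst[1] != ctrl_port or not f.payload:
            continue
        cmd, _, arg = f.payload.decode("ascii", "replace").rstrip("\r\n").partition(" ")
        if cmd.upper() == "USER":
            hits.append((f.no, "USER", arg))
        elif cmd.upper() == "PASS":
            hits.append((f.no, "PASS", "*" * len(arg)))  # report that it was visible, never record it
    return hits

def find_teardowns(frames):
    """(FIN, ACK, FIN, ACK) frame-number quads for the four-step close; a combined FIN/ACK reply is not matched."""
    out = []
    for fin1 in frames:
        if "FIN" not in fin1.flags:
            continue
        ack1 = next((x for x in _later(frames, fin1.no, src=fin1.dst, dst=fin1.src)
                     if "ACK" in x.flags and x.ack == fin1.seq + len(fin1.payload) + 1), None)
        fin2 = ack1 and next((x for x in _later(frames, ack1.no, src=fin1.dst, dst=fin1.src)
                              if "FIN" in x.flags), None)
        ack2 = fin2 and next((x for x in _later(frames, fin2.no, src=fin1.src, dst=fin1.dst)
                              if "ACK" in x.flags and x.ack == fin2.seq + len(fin2.payload) + 1), None)
        if ack2:
            out.append((fin1.no, ack1.no, fin2.no, ack2.no))
    return out

CLIENT = ("172.16.30.2", 2025)
SERVER = ("172.16.30.1", 21)

def build_sample_capture():
    """Constructed frames mirroring those the task points at; server ISN, text lines and user name are made up."""
    c = Conversation(CLIENT, SERVER, 2052360112, 1000000000)
    c.frame(3, CLIENT, SERVER, "SYN")
    c.frame(4, SERVER, CLIENT, "SYN", "ACK")
    c.frame(5, CLIENT, SERVER, "ACK")
    c.frame(6, SERVER, CLIENT, "PSH", "ACK", payload=b"220 FTP server ready\r\n")
    c.frame(8, CLIENT, SERVER, "PSH", "ACK", payload=b"USER testuser\r\n")
    c.frame(9, SERVER, CLIENT, "PSH", "ACK", payload=b"331 Password required\r\n")
    c.frame(11, CLIENT, SERVER, "PSH", "ACK", payload=b"PASS plaintext\r\n")
    c.frame(12, SERVER, CLIENT, "PSH", "ACK", payload=b"230 User logged in\r\n")
    c.frame(46, CLIENT, SERVER, "PSH", "ACK", payload=b"QUIT\r\n")
    c.frame(47, SERVER, CLIENT, "PSH", "ACK", payload=b"221 See ya later\r\n")
    c.frame(48, CLIENT, SERVER, "FIN", "ACK")
    c.frame(49, SERVER, CLIENT, "ACK")
    c.frame(50, SERVER, CLIENT, "FIN", "ACK")
    c.frame(51, CLIENT, SERVER, "ACK")
    return c.frames

if __name__ == "__main__":
    frames = build_sample_capture()
    print("handshakes:", find_handshakes(frames))
    print("cleartext credentials:", find_cleartext_credentials(frames))
    print("teardowns:", find_teardowns(frames))
```

Run against the constructed capture, the script reports the handshake as (3, 4, 5), the credentials in frames 8 and 11, and the teardown as (48, 49, 50, 51). The credential check is the one worth keeping on a real network: any hit means a password crossed the wire readable to anyone with a capture, which is the argument for replacing plain FTP with an encrypted alternative.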


21. Close Network Monitor. If you are prompted to save addresses, click No.

22. Close Notepad.


Summary

In this lesson, you looked deep into the structure of the TCP/IP protocol. You reviewed the RFCs associated with IP, ICMP, TCP, and UDP. You then used Network Monitor and Wireshark to capture and analyze IP packets. You examined captures associated with network traffic. You learned to read the actual data being transmitted between two or more hosts. Finally, you analyzed a complete session, frame-by-frame.

Lesson Review

2A How many layers are in the OSI Model?

Seven.

How many layers are in the TCP/IP Model?

Four.

What are the assignable classes of IP addresses?

A, B, and C.

What are the three private ranges of IP addresses, as defined in the RFCs?

a. 10.0.0.0 to 10.255.255.255

b. 172.16.0.0 to 172.131.255.255

c. 192.168.0.0 to 192.168.255.255

2B How many control flags are in a TCP header?

Six.

What is the function of an acknowledgement number?

To provide an acknowledgement for a received packet. The value is usually tied into the SYN number on the received packet.

How many steps are required to establish a TCP connection?

Three.

How many steps are required to tear down a TCP connection?

Four.

What are the two main views of Network Monitor?

Display View and Capture View.

2C What is the first field that is read by the computer in the IP header?

Version.


What is the Protocol ID of ICMP in the IP header?

1.

What is the Protocol ID of TCP in the IP header?

6.

What is the Protocol ID of UDP in the IP header?

17.

2D What is the first field that is read by the computer in the ICMP message?

Type.

How many bits make up the Type field?

Eight.

How many bits make up the Code field?

Eight.

2E What is the first field that is read by the computer in the TCP header?

Source Port Number.

How many control bits are in the TCP header?

Six.

How many bits is the Sequence Number?

32.

How many bits is the Acknowledgement Number?

32.

2F What is the first field that is read by the computer in the UDP header?

Source Port Number.

What is the UDP header and data encapsulated in?

An IP datagram.

How many bits are both the source and destination port numbers?

16.

What is in the payload of the tftp.cap file that you analyzed?

Cisco Router Configuration and Access Lists.

2G In the fragment.cap file that you analyzed, how do you suppose this fragmentation happened?

By a user sending a large ping. (See the file fragment.txt, in the same folder as fragment.cap, to understand how this was initiated.)


Why is there no upper-layer protocol list in the Detail pane for frames 2 through 13?

These are the subsequent fragments whose upper-layer protocol is referred to in the first fragment; therefore, they do not have any header information other than IP.

What was the upper-layer protocol that caused the fragmentation?

ICMP.

2H In the FTP capture file that you analyzed in this topic, what pair of sockets are involved in the initial three-way handshake?

On the client: IP address 172.16.30.2, port 2025. On the FTP Server: IP address 172.16.30.1, port 21.

In the FTP capture file that you analyzed in this topic, what pair of sockets are involved in the exchange of FTP data in response to the request for directory listing?

On the FTP Server: IP address 172.16.30.1, port 20. On the client: IP address 172.16.30.2, port 2026.

In the FTP capture file that you analyzed in this topic, what frames indicate that a three-way handshake is taking place between the FTP server and the client in preparation for the sending of FTP data in response to the request for the file textfile.txt?

Frames 35, 36, and 37.
