Internet Protocol Analysis/Collection

Internet Protocol Analysis

Learning Guide

This learning guide supports the Wikiversity course Internet Protocol Analysis, available at http://en.wikiversity.org/wiki/Internet_Protocol_Analysis.

Overview

Internet protocol analysis is an advanced computer networking topic that uses a packet analyzer to capture, view, and understand Internet protocols. This course comprises 15 lessons that use Wireshark to study and experiment with Internet protocols. Each lesson includes Wikipedia readings, YouTube videos, and hands-on learning activities.

This entire Wikiversity course can be downloaded in book form by selecting Download Learning Guide in the sidebar.

Preparation

This is a third-semester, college-level course. Learners should already be familiar with introductory computer concepts and/or introductory computer networking concepts.

Lessons

  1. Introduction
  2. Packet Analyzers
  3. Link Layer
  4. Address Resolution Protocol (ARP)
  5. Internet Layer / IPv4
  6. Subnetting
  7. IPv6
  8. Internet Control Message Protocol (ICMP)
  9. Multicast
  10. Transport Layer
  11. Address Assignment
  12. Name Resolution
  13. Application Layer
  14. Routing
  15. Network Monitoring

Bibliography

  • Carrell, Jeffrey L., Chappell, Laura & Tittel, Ed (2013). Guide to TCP/IP, Fourth Edition. Cengage. ISBN 9781133019862
  • Chappell, Laura A. & Tittel, Ed (2007). Guide to TCP/IP, Third Edition. Course Technology. ISBN 9781418837556
  • Davies, Joseph (2012). Understanding IPv6, 3rd Edition. Microsoft Press. ISBN 9780735659148
  • Fall, Kevin R. & Stevens, W. Richard (2012). TCP/IP Illustrated, Volume 1: The Protocols, Second Edition. Pearson. ISBN 9780321336316

References

  Subject classification: this is a networking resource.
  Educational level: this is a tertiary (university) resource.
  Completion status: this resource is considered to be complete.

Lesson 1 - Introduction

This lesson introduces Internet protocol analysis by looking at background information on the Internet protocol suite, the Request for Comments process and Internet standards, and comparing the Internet protocol suite to the Open Systems Interconnection (OSI) model.

Readings

  1. Wikipedia: Internet protocol suite
  2. Wikipedia: Request for Comments
  3. Wikipedia: Internet Standard
  4. Wikipedia: OSI model

Multimedia

  1. YouTube: Network Layers - OSI, TCP/IP Models - Part 1
  2. YouTube: Network Layers - OSI, TCP/IP Models - Part 2
  3. YouTube: Network Layers - OSI, TCP/IP Models - Part 3

Activities

  1. Draw your own personal reference chart comparing the Internet protocol suite four-layer model to the OSI seven-layer model.
  2. Review Internet standards regarding private networks and see if your computer is on a private network.
  3. Review Wikipedia: April Fools' Day Request for Comments for a humorous look at networking standards.
  4. Consider why the OSI seven layer model is sometimes referred to as a theoretical model while the Internet protocol suite might be referred to as an operational model.

Lesson Summary

  • The Internet protocol suite is the set of communications protocols used for the Internet and similar networks. It is a four-layer model containing Link, Internet, Transport, and Application layers.[1]
  • The Internet protocol suite is maintained by the Internet Engineering Task Force (IETF).[2]
  • The Link layer contains communication technologies for a local network.[3]
  • The Internet layer connects local networks, thus establishing internetworking.[4]
  • The Transport layer handles host-to-host communication.[5]
  • The Application layer contains all protocols for specific data communications services on a process-to-process level.[6]
  • A Request for Comments (RFC) is a memorandum published by the Internet Engineering Task Force (IETF) describing methods, behaviors, research, or innovations applicable to the working of the Internet and Internet-connected systems.[7]
  • Requests for Comments are designated with a status of Informational, Experimental, Best Current Practice (BCP), Standards Track, or Historic. Standards-track documents are further divided into Proposed Standard, Draft Standard, and Internet Standard.[8]
  • Internet Standard is a special Request for Comments (RFC) or set of RFCs which is characterized by a high degree of technical maturity and by a generally held belief that the specified protocol or service provides significant benefit to the Internet community.[9]
  • Best Current Practice is a Request for Comments (RFC) that may include official rules, but which does not affect over the wire data and is not on the standards track.[10]
  • The Internet protocol suite protocols are deliberately not as rigidly designed into strict layers as in the OSI model.[11]
  • The Internet Link layer includes the OSI Data Link and Physical layers, as well as parts of OSI's Network layer.[12]
  • The Internet internetworking layer (Internet layer) is a subset of the OSI Network layer.[13]
  • The Internet Transport layer includes the graceful close function of the OSI Session layer as well as the OSI Transport layer.[14]
  • The Internet Application layer includes the OSI Application layer, Presentation layer, and most of the Session layer.[15]

Key Terms

Advanced Research Projects Agency Network (ARPANET)
The world's first operational packet switching network and the progenitor of what was to become the global Internet.[16]
Best Current Practice
Mandatory IETF RFCs, including official rules, but which do not affect over the wire data and are not on the standards track.[17]
best effort delivery
A network service in which the network does not provide any guarantees that data is delivered or that a user is given a guaranteed quality of service level or a certain priority.[18]
checksum
A fixed-size datum computed from an arbitrary block of digital data for the purpose of detecting accidental errors that may have been introduced during its transmission or storage.[19]
communications protocol
A system of digital message formats and rules for exchanging those messages in or between computing systems and in telecommunications.[20]
Defense Advanced Research Projects Agency (DARPA)
An agency of the United States Department of Defense responsible for the development of new technologies for use by the military.[21]
encapsulation
A method of designing modular communication protocols in which logically separate functions in the network are abstracted from their underlying structures by inclusion or information hiding within higher level objects.[22]
Ethernet
A family of Link layer computer networking technologies for local area networks (LANs).[23]
Internet Architecture Board (IAB)
The committee charged with oversight of the technical and engineering development of the Internet by the Internet Society (ISOC).[24]
Internet Drafts
A series of working documents published by the IETF.[25]
Internet Engineering Task Force (IETF)
Develops and promotes Internet standards, cooperating closely with the W3C and ISO/IEC standards bodies and dealing in particular with standards of the Internet protocol suite (TCP/IP).[26]
Internet Protocol (IP)
The principal communications protocol used for relaying datagrams (also known as network packets) across an internetwork using the Internet Protocol Suite responsible for routing packets across network boundaries.[27]
Internet Society (ISOC)
An international, non-profit organization founded in 1992 to provide leadership in Internet related standards, education, and policy.[28]
Internet Standard
A normative specification of a technology or methodology applicable to the Internet.[29]
internetworking
The practice of connecting a computer network with other networks through the use of gateways that provide a common method of routing information packets between the networks.[30]
medium
A material substance (solid, liquid, gas, or plasma) that can propagate energy waves.[31]
Open Systems Interconnection (OSI) model
A product of the Open Systems Interconnection effort at the International Organization for Standardization for characterizing and standardizing the functions of a communications system in terms of abstraction layers.[32]
packet
A formatted unit of data carried by a computer network.[33]
packet header
Data placed at the beginning of a block of data being stored or transmitted.[34]
protocol stack
An implementation of a computer networking protocol suite.[35]
Request For Comments (RFC)
A memorandum published by the Internet Engineering Task Force (IETF) describing methods, behaviors, research, or innovations applicable to the working of the Internet and Internet-connected systems.[36]
router
A device that forwards data packets between computer networks.[37]
Transmission Control Protocol (TCP)
A Transport layer protocol that provides reliable, ordered delivery of a stream of octets from a program on one computer to another program on another computer.[38]

Review Questions

  1. The Internet protocol suite is a _____ layer model.
    The Internet protocol suite is a four-layer model.
  2. The layers of the Internet protocol suite are _____.
    The layers of the Internet protocol suite are Link, Internet, Transport, and Application.
  3. The Internet protocol suite is maintained by _____.
    The Internet protocol suite is maintained by the Internet Engineering Task Force (IETF).
  4. The Internet protocol suite layer that contains communication technologies for a local network is the _____ layer.
    The Internet protocol suite layer that contains communication technologies for a local network is the Link layer.
  5. The Internet protocol suite layer that connects local networks to establish internetworking is the _____ layer.
    The Internet protocol suite layer that connects local networks to establish internetworking is the Internet layer.
  6. The Internet protocol suite layer that handles host-to-host communication is the _____ layer.
    The Internet protocol suite layer that handles host-to-host communication is the Transport layer.
  7. The Internet protocol suite layer that contains all protocols for specific data communications services on a process-to-process level is the _____ layer.
    The Internet protocol suite layer that contains all protocols for specific data communications services on a process-to-process level is the Application layer.
  8. A memorandum published by the Internet Engineering Task Force (IETF) describing methods, behaviors, research, or innovations applicable to the working of the Internet and Internet-connected systems is known as a _____.
    A memorandum published by the Internet Engineering Task Force (IETF) describing methods, behaviors, research, or innovations applicable to the working of the Internet and Internet-connected systems is known as a Request for Comments (RFC).
  9. A Request for Comments (RFC) which is characterized by a high degree of technical maturity and by a generally held belief that the specified protocol or service provides significant benefit to the Internet community is known as a/an _____.
    A Request for Comments (RFC) which is characterized by a high degree of technical maturity and by a generally held belief that the specified protocol or service provides significant benefit to the Internet community is known as an Internet Standard.
  10. A Request for Comments (RFC) that may include official rules, but which does not affect over the wire data and is not on the standards track is known as a/an _____.
    A Request for Comments (RFC) that may include official rules, but which does not affect over the wire data and is not on the standards track is known as a Best Current Practice.
  11. The Internet protocol suite protocols are _____ (more/less) rigidly designed into strict layers when compared to the OSI model.
    The Internet protocol suite protocols are less rigidly designed into strict layers when compared to the OSI model.
  12. The Internet protocol suite layer that includes the OSI Data Link and Physical layers, as well as parts of OSI's Network layer is the _____ layer.
    The Internet protocol suite layer that includes the OSI Data Link and Physical layers, as well as parts of OSI's Network layer is the Link layer.
  13. The Internet protocol suite layer that is a subset of the OSI Network layer is the _____ layer.
    The Internet protocol suite layer that is a subset of the OSI Network layer is the Internet layer.
  14. The Internet protocol suite layer that includes the graceful close function of the OSI Session layer as well as the OSI Transport layer is the _____ layer.
    The Internet protocol suite layer that includes the graceful close function of the OSI Session layer as well as the OSI Transport layer is the Transport layer.
  15. The Internet protocol suite layer that includes the OSI Application layer, Presentation layer, and most of the Session layer is the _____ layer.
    The Internet protocol suite layer that includes the OSI Application layer, Presentation layer, and most of the Session layer is the Application layer.

Assessments

See Also

References

  Type classification: this is a lesson resource.
  Completion status: this resource is considered to be complete.
  1. Wikipedia: Internet protocol suite
  2. Wikipedia: Internet protocol suite
  3. Wikipedia: Internet protocol suite#Link layer
  4. Wikipedia: Internet protocol suite#Internet layer
  5. Wikipedia: Internet protocol suite#Transport layer
  6. Wikipedia: Internet protocol suite#Application layer
  7. Wikipedia: Request for Comments
  8. Wikipedia: Request for Comments#Status
  9. Wikipedia: Internet Standard
  10. Wikipedia: Request for Comments#Status "best current practice"
  11. Wikipedia: OSI model#Comparison with TCP/IP model
  12. Wikipedia: OSI model#Comparison with TCP/IP model
  13. Wikipedia: OSI model#Comparison with TCP/IP model
  14. Wikipedia: OSI model#Comparison with TCP/IP model
  15. Wikipedia: OSI model#Comparison with TCP/IP model
  16. Wikipedia: ARPANET
  17. Wikipedia: Request for Comments#Status "best current practice"
  18. Wikipedia: Best effort delivery
  19. Wikipedia: Checksum
  20. Wikipedia: Communications protocol
  21. Wikipedia: Darpa
  22. Wikipedia: Encapsulation (networking)
  23. Wikipedia: Ethernet
  24. Wikipedia: Internet Architecture Board
  25. Wikipedia: Internet Draft
  26. Wikipedia: IETF
  27. Wikipedia: Internet Protocol
  28. Wikipedia: Internet Society
  29. Wikipedia: Internet Standard
  30. Wikipedia: Internetworking
  31. Wikipedia: Transmission medium
  32. Wikipedia: Osi model
  33. Wikipedia: Packet (information technology)
  34. Wikipedia: Packet header
  35. Wikipedia: Protocol stack
  36. Wikipedia: Request for Comments
  37. Wikipedia: Router (computing)
  38. Wikipedia: Transmission Control Protocol

ipconfig with no options displays the IP address, subnet mask and default gateway for each adapter bound to TCP/IP. This activity will show you how to use the default ipconfig command.

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.

Activity 1 - Display IP Address, Subnet Mask and Default Gateway

To display the IP address, subnet mask and default gateway for each adapter bound to TCP/IP:

  1. Open a command prompt.
  2. Type ipconfig (to see all options type ipconfig /all).
  3. Press Enter.
  4. Observe available adapters and their IP settings.
  5. Close the command prompt to complete this activity.

Readings

References

Private networks are networks that use a private Internet Protocol (IP) address space, following the standards described in Request for Comments (RFC) 1918 and 4193. These activities will review private networks, the relevant RFCs, and then show you how to identify whether or not your network is using the private IP address space.

Activities

  1. Read Wikipedia: Private network.
  2. Review RFC 1918 and RFC 4193 and compare the detailed specifications to the Wikipedia summary.
  3. Use Ipconfig to view your IP address.
  4. If you have an IPv4 address, review the private IPv4 address spaces and see if your IP address is within one of the private address ranges.
  5. If you have an IPv6 address, review the private IPv6 address spaces and see if your IP address is a unique local address (fc00::/7), site local address (fec0::/10), link local address (fe80::/10), or public address.
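The following Python script is an added worked example, not part of the course materials. It parses a constructed sample of ipconfig output (the adapter names and addresses are made up) and classifies every address it finds against the private IPv4 ranges from RFC 1918 and the IPv6 scopes listed in steps 4 and 5, which is the check those steps ask you to do by hand. Feeding it the real output of ipconfig on your own machine gives the same classification for your adapters.

```python
import ipaddress
import re

# Constructed `ipconfig` output (not from a real machine); the layout follows
# Windows, where each adapter block ends with a colon and fields are dotted out.
SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : example.invalid
   Link-local IPv6 Address . . . . . : fe80::1c2d:3e4f:5a6b:7c8d%12
   IPv4 Address. . . . . . . . . . . : 192.168.1.25
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

Wireless LAN adapter Wi-Fi:

   IPv6 Address. . . . . . . . . . . : fd12:3456:789a:1::42
   IPv4 Address. . . . . . . . . . . : 203.0.113.7
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 203.0.113.1
"""

# Address spaces named in the activity: RFC 1918 for IPv4; unique local
# (RFC 4193), site-local (deprecated) and link-local for IPv6.
PRIVATE_V4 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
V6_SCOPES = [
    ("unique local", ipaddress.ip_network("fc00::/7")),
    ("site local", ipaddress.ip_network("fec0::/10")),
    ("link local", ipaddress.ip_network("fe80::/10")),
]

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*: (.*)$")


def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}; a field may repeat (several IPv6 addresses)."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group(1), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current.setdefault(m.group(1).strip(), []).append(m.group(2).strip())
    return adapters


def classify(addr_text):
    """Label one address using the ranges above; the IPv6 zone id (%12) is dropped first."""
    addr = ipaddress.ip_address(addr_text.split("%")[0])
    if addr.version == 4:
        return "private (RFC 1918)" if any(addr in n for n in PRIVATE_V4) else "public"
    for label, net in V6_SCOPES:
        if addr in net:
            return label
    return "public"


def classify_adapters(text):
    """Map each adapter to [(address, label), ...] for every address-valued field.
    'Physical Address' (shown by ipconfig /all) is a MAC address, so it is skipped."""
    result = {}
    for name, fields in parse_ipconfig(text).items():
        result[name] = [(v, classify(v)) for field, values in fields.items()
                        if "Address" in field and "Physical" not in field for v in values]
    return result


if __name__ == "__main__":
    for name, pairs in classify_adapters(SAMPLE_IPCONFIG).items():
        for addr, label in pairs:
            print(f"{name}: {addr} -> {label}")
```

The 172.16.0.0/12 block is the one most often misjudged by eye: 172.31.255.254 is private, 172.32.0.1 is not, and a network-membership test avoids that mistake.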

References

Lesson 2 - Packet Analyzers

This lesson concludes the introduction to Internet protocol analysis by looking at packet analyzers in general and the open source packet analyzer Wireshark in particular. Activities include installing Wireshark and using it to capture network traffic.

Readings

  1. Wikipedia: Packet analyzer
  2. Wikipedia: Promiscuous mode
  3. Wikipedia: Port mirroring
  4. Wikipedia: Wireshark
  5. Wikipedia: pcap

Multimedia

  1. YouTube: Getting Started with Wireshark
  2. YouTube: Intro to using Wireshark - CCNA Network Fundamentals
  3. YouTube: Port Mirroring - CompTIA Network+ N10-005: 1.4
  4. YouTube: Using Wireshark and Cisco Port Mirroring

Activities

  1. Install Wireshark.
  2. Review Wireshark: User's Guide.
  3. Use Wireshark to capture network traffic.
  4. Use Wireshark to filter displayed traffic.
  5. Use Wireshark to filter captured traffic.
  6. Consider situations in which a packet analyzer might be used to troubleshoot network traffic.

Lesson Summary

  • A packet analyzer is a computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network.[1]
  • Packet analyzers can be software or hardware-based.[2]
  • Network interface controllers (NICs) normally drop frames that are not broadcast or multicast, and do not have the NIC as the destination MAC address.[3]
  • Promiscuous mode is a network interface controller (NIC) mode that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is intended to receive.[4]
  • Network interface controllers (NICs) operating in promiscuous mode may or may not be detectable, depending on firewall settings.[5]
  • Port mirroring is used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port.[6]
  • Wireshark is a free and open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education.[7]
  • Wireshark was originally named Ethereal, but was renamed in May 2006 due to trademark issues.[8]
  • Tcpdump is a command line-based packet analyzer available on most Unix-like operating systems.[9]
  • As a security precaution, it is best to separate packet capture activities from packet analysis activities. Packet capture activities must be run with special privileges, but packet analysis does not require special privileges.[10]
  • Packet analyzers such as Wireshark and tcpdump depend on a packet capture library known as libpcap (Unix/Linux) or WinPcap (Windows).[11]

Key Terms

broadcast
Transmit a message to all recipients simultaneously.[12]
broadcast domain
A logical division of a computer network in which all nodes can reach each other by broadcast at the data link layer.[13]
collision domain
A section of a network where data packets can collide with one another when being sent on a shared medium or through repeaters, in particular, when using early versions of Ethernet.[14]
data stream
A sequence of digitally encoded coherent signals (data packets) used to transmit or receive information.[15]
encryption
The process of encoding messages (or information) in such a way that eavesdroppers cannot read it, but that authorized parties can.[16]
Ethereal
The original name of the Wireshark packet analyzer, renamed due to trademark issues.[17]
hub
A multiport repeater that links devices and works at the physical layer of the OSI model.[18]
Intrusion Detection System (IDS)
A device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.[19]
libpcap
A packet capture library used on Unix-like systems.[20]
multicast
Transmit a message to a group of destination computers simultaneously with a single transmission from the source.[21]
Network Interface Controller (NIC)
A computer hardware component that connects a computer to a computer network.[22]
packet analyzer
A computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network.[23]
port mirroring
Used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port.[24]
promiscuous mode
A network interface controller (NIC) mode that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is intended to receive.[25]
reverse engineering
The process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation.[26]
router
A device that forwards data packets between computer networks and works at the network layer of the OSI model.[27]
sniffer
Another term for packet analyzer.[28]
switch
A multiport bridge that links network segments or devices and works at the data link layer of the OSI model.[29]
tcpdump
A command line-based packet analyzer available on most Unix-like operating systems.[30]
tshark
A command-line tool, distributed with Wireshark, that dumps and analyzes network traffic.[31]
unicast
Transmit a message to a single destination identified by a unique address.[32]
Virtual LAN (VLAN)
A concept of partitioning a physical network so that distinct broadcast domains are created.[33]
WinPcap
A packet capture library used on Windows systems.[34]
Wireshark
A free and open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education.[35]

Review Questions

  1. A computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network is known as a _____.
    A computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network is known as a packet analyzer.
  2. Packet analyzers can be _____ (hardware/software/both) based.
    Packet analyzers can be software or hardware-based.
  3. Network interface cards (NICs) normally drop frames that are not _____ or _____, and do not have the NIC as the _____ MAC address.
    Network interface cards (NICs) normally drop frames that are not broadcast or multicast, and do not have the NIC as the destination MAC address.
  4. A network interface controller (NIC) mode that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is intended to receive is known as _____ mode.
    A network interface controller (NIC) mode that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is intended to receive is known as promiscuous mode.
  5. Network interface controllers (NICs) operating in promiscuous mode may or may not be detectable, depending on _____ settings.
    Network interface controllers (NICs) operating in promiscuous mode may or may not be detectable, depending on firewall settings.
  6. The ability for a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port is known as _____.
    The ability for a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port is known as port mirroring.
  7. An example of a free and open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education is _____.
    An example of a free and open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education is Wireshark.
  8. Wireshark was originally named _____, but was renamed in May 2006 due to trademark issues.
    Wireshark was originally named Ethereal, but was renamed in May 2006 due to trademark issues.
  9. A command line-based packet analyzer available on most Unix-like operating systems is _____.
    A command line-based packet analyzer available on most Unix-like operating systems is tcpdump.
  10. Packet _____ activities must be run with special privileges, but packet _____ activities do not require special privileges.
    Packet capture activities must be run with special privileges, but packet analysis activities do not require special privileges.
  11. Packet analyzers such as Wireshark and tcpdump depend on a packet capture library known as _____ or _____.
    Packet analyzers such as Wireshark and tcpdump depend on a packet capture library known as libpcap or WinPcap.

Assessments

See also

References

  Type classification: this is a lesson resource.
  Completion status: this resource is considered to be complete.

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to download and install Wireshark.

Preparation

To prepare for this activity, you need a PC on which you are allowed to install new software. This course is carried out on Windows; students using Linux or macOS can follow similar steps, except for the installation ones.

Activity 1 - Determine System Type

To determine system type for Windows:

  1. Use msinfo32 (press Windows key, type "run", then type "Msinfo32") to display the system type. The system type will either be X86-based PC or X64-based PC. X86-based PC is a 32-bit system. X64-based PC is a 64-bit system.
  2. Close msinfo32.

Activity 2 - Download Wireshark

To download Wireshark:

  1. Open a web browser.
  2. Navigate to http://www.wireshark.org.
  3. Select Download Wireshark.
  4. Select the Wireshark Windows Installer matching your system type, either 32-bit or 64-bit as determined in Activity 1. Save the program in the Downloads folder.
  5. Close the web browser.

Activity 3 - Install Wireshark

To install Wireshark using the Windows Installer:

  1. Select the Downloads folder.
  2. Locate the version of Wireshark you downloaded in Activity 2. Double-click on the file to open it.
  3. If you see a User Account Control dialog box, select Yes to allow the program to make changes to this computer.
  4. Select Next > to start the Setup Wizard.
  5. Review the license agreement. If you agree, select I Agree to continue.
  6. Select Next > to accept the default components.
  7. Select the shortcuts you would like to have created. Leave the file extensions selected. Select Next > to continue.
  8. Select Next > to accept the default install location.
  9. Select Install to begin installation.
  10. Select Next > to install WinPcap.
  11. Select Next > to start the Setup Wizard.
  12. Review the license agreement. If you agree, select I Agree to continue.
  13. Select Install to begin installation.
  14. Select Finish to complete the installation of WinPcap.
  15. Select Next > to continue with the installation of Wireshark.
  16. Select Finish to complete the installation of Wireshark.

Note:

  • If you encounter compatibility errors, such as when installing WinPcap on Windows 8, try using Compatibility Mode.
  • The steps above may differ slightly depending on the Wireshark version.

See Also

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture network traffic.

Readings

  1. Wireshark: User's Guide

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture Network Traffic

To capture network traffic:

  1. Start a Wireshark capture.
  2. Open a web browser and navigate to a favorite web site.
  3. Stop the Wireshark capture.
  4. Observe the traffic captured in the top Wireshark packet list pane.
  5. Select a packet you want to analyze.
  6. Observe the packet details in the middle Wireshark packet details pane.
  7. Expand various protocol containers to view detailed protocol information.
  8. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

References

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and filter network traffic using a display filter.

Readings

  1. Wireshark: Display Filters

Multimedia

  1. YouTube: Wireshark 101: Display Filters and Filter Options, HakTip 122

Preparation

To prepare for this activity:

  1. Start your system (Linux or Windows).
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture Network Traffic

To capture network traffic:

  1. Start a Wireshark capture.
  2. Use ping 8.8.8.8 to ping an Internet host by IP address.
  3. Stop the Wireshark capture.

Activity 2 - Use a Display Filter

To use a display filter:

  1. Type ip.addr == 8.8.8.8 in the Filter box and press Enter.
  2. Observe that the Packet List Pane is now filtered so that only traffic to (destination) or from (source) IP address 8.8.8.8 is displayed.
  3. Click Clear on the Filter toolbar to clear the display filter.
  4. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
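As an added example that is not part of the course, the Python snippet below models how Wireshark evaluates a display filter over a constructed packet list (the addresses are made up), so that the semantics of ip.addr are visible: ip.addr expands to both ip.src and ip.dst, and a comparison is true when any of those values matches. It also shows the classic pitfall with ip.addr != 8.8.8.8, which in Wireshark releases before 3.6 meant "either address differs from 8.8.8.8" and therefore hid almost nothing; !(ip.addr == 8.8.8.8) is the form that excludes the host. Wireshark 3.6 changed != to behave like the negated equality and kept the old behaviour under the any_ne (~=) operator, so the model below reproduces the pre-3.6 reading.

```python
# Constructed packet summaries standing in for rows of the Packet List pane:
# the ping to 8.8.8.8 from Activity 1, a second ping, and one DNS query.
PACKETS = [
    {"no": 1, "ip.src": "192.168.1.25", "ip.dst": "8.8.8.8",      "proto": "ICMP"},
    {"no": 2, "ip.src": "8.8.8.8",      "ip.dst": "192.168.1.25", "proto": "ICMP"},
    {"no": 3, "ip.src": "192.168.1.25", "ip.dst": "8.8.4.4",      "proto": "ICMP"},
    {"no": 4, "ip.src": "8.8.4.4",      "ip.dst": "192.168.1.25", "proto": "ICMP"},
    {"no": 5, "ip.src": "192.168.1.25", "ip.dst": "192.168.1.1",  "proto": "DNS"},
]


def field_values(pkt, name):
    """ip.addr is a multi-valued field: it expands to both ip.src and ip.dst."""
    if name == "ip.addr":
        return [pkt["ip.src"], pkt["ip.dst"]]
    return [pkt[name]]


def matches(pkt, expr):
    """Evaluate 'field == v', 'field != v' or '!(field == v)' with the
    'true if any value satisfies the comparison' rule (pre-3.6 semantics for !=)."""
    expr = expr.strip()
    if expr.startswith("!(") and expr.endswith(")"):
        return not matches(pkt, expr[2:-1])
    field, op, value = expr.split()
    values = field_values(pkt, field)
    if op == "==":
        return any(v == value for v in values)
    if op == "!=":
        return any(v != value for v in values)
    raise ValueError(f"unsupported operator {op!r}")


def apply_filter(expr, packets=PACKETS):
    """Return the packet numbers that survive the display filter."""
    return [p["no"] for p in packets if matches(p, expr)]


if __name__ == "__main__":
    for expr in ("ip.addr == 8.8.8.8", "ip.src == 8.8.8.8",
                 "ip.addr != 8.8.8.8", "!(ip.addr == 8.8.8.8)"):
        print(f"{expr:28} -> packets {apply_filter(expr)}")
```

Run against the sample, ip.addr == 8.8.8.8 keeps packets 1 and 2 (request and reply, as step 2 describes), ip.src == 8.8.8.8 keeps only the reply, and ip.addr != 8.8.8.8 keeps all five packets because each one has at least one address that is not 8.8.8.8.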

References

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and filter network traffic using a capture filter.

Readings

  1. Wireshark: Capture Filters

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture Network Traffic Using a Capture Filter

To capture network traffic using a capture filter:

  1. Open the Capture menu and select Interfaces, or click the List the available capture interfaces toolbar button.
  2. Select Options.
  3. Double-click on the interface you want to use for the capture.
  4. In the Capture Filter box type host 8.8.8.8.
  5. Select OK to save the changes.
  6. Select Start to start a Wireshark capture.
  7. Use ping 8.8.8.8 to ping an Internet host by IP address.
  8. Use ping 8.8.4.4 to ping an Internet host by IP address.
  9. Observe that only traffic to (destination) or from (source) IP address 8.8.8.8 is captured.
  10. Stop the Wireshark capture.
  11. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
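As an added worked example (not part of the course materials), the Python script below shows what happens underneath this activity: it builds a small pcap file in memory from constructed Ethernet/IPv4/ICMP frames (the MAC addresses and the 192.168.1.25 host are made up; 8.8.8.8 and 8.8.4.4 are the targets pinged in steps 7 and 8), parses the pcap global and record headers the way libpcap-based tools do, decodes the Ethernet and IPv4 headers, verifies the IPv4 header checksum, and applies the same selection as the capture filter host 8.8.8.8. It goes slightly beyond the activity by handling both byte orders of the classic pcap magic number.

```python
import struct
import ipaddress

LINKTYPE_ETHERNET = 1      # pcap link type for Ethernet frames
ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP = 1


def ipv4_checksum(header):
    """One's-complement sum of 16-bit words (RFC 791); 0 when a valid header is summed whole."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload=b"\x08\x00\x00\x00\x00\x01\x00\x01"):
    """Ethernet II + IPv4 + ICMP echo request (ICMP checksum left zero; not verified here)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64,
                         PROTO_ICMP, 0, ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    eth_hdr = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
               + struct.pack("!H", ETHERTYPE_IPV4))
    return eth_hdr + ip_hdr + payload


def build_pcap(frames, linktype=LINKTYPE_ETHERNET):
    """Classic pcap: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def decode_ipv4(pkt):
    if len(pkt) < 20:
        raise ValueError("IPv4 header truncated")
    f = struct.unpack_from("!BBHHHBBH4s4s", pkt, 0)
    ver_ihl, ttl, proto, src, dst = f[0], f[5], f[6], f[8], f[9]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("malformed IPv4 header")
    return {"ip.src": str(ipaddress.IPv4Address(src)), "ip.dst": str(ipaddress.IPv4Address(dst)),
            "ip.proto": proto, "ip.ttl": ttl, "ip.checksum_ok": ipv4_checksum(pkt[:ihl]) == 0}


def decode_ethernet(frame, ts):
    if len(frame) < 14:
        raise ValueError("runt frame")
    rec = {"ts": ts, "eth.dst": mac_str(frame[0:6]), "eth.src": mac_str(frame[6:12]),
           "eth.type": struct.unpack_from("!H", frame, 12)[0]}
    if rec["eth.type"] == ETHERTYPE_IPV4:
        rec.update(decode_ipv4(frame[14:]))
    return rec


def parse_pcap(data):
    """Decode every record; the magic number tells us the writer's byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled here")
    offset, records = 24, []
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated record at offset %d" % offset)
        offset += incl_len
        records.append(decode_ethernet(frame, ts_sec + ts_usec / 1e6))
    return records


def host_filter(records, host):
    """Same selection as the capture filter `host 8.8.8.8`: either IP endpoint matches."""
    return [r for r in records if host in (r.get("ip.src"), r.get("ip.dst"))]


# Constructed capture: the two pings from the activity, with made-up MAC addresses.
LOCAL_MAC, GW_MAC = "00:1a:2b:3c:4d:5e", "00:5e:4d:3c:2b:1a"
SAMPLE_PCAP = build_pcap([
    build_frame(LOCAL_MAC, GW_MAC, "192.168.1.25", "8.8.8.8"),
    build_frame(GW_MAC, LOCAL_MAC, "8.8.8.8", "192.168.1.25"),
    build_frame(LOCAL_MAC, GW_MAC, "192.168.1.25", "8.8.4.4"),
    build_frame(GW_MAC, LOCAL_MAC, "8.8.4.4", "192.168.1.25"),
])

if __name__ == "__main__":
    for r in host_filter(parse_pcap(SAMPLE_PCAP), "8.8.8.8"):
        print(r["eth.src"], "->", r["eth.dst"], r["ip.src"], "->", r["ip.dst"], "ttl", r["ip.ttl"])
```

The difference from Activity 2 of the previous page is where the selection happens: a capture filter is applied by the capture library before a record is written, so the 8.8.4.4 frames never reach the file, whereas a display filter only hides rows from a capture that already contains them. Parsing a pcap in a separate, unprivileged process is also the practical form of the separation between capture and analysis noted in the Lesson 2 summary.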

References

Lesson 3 - Link Layer

This lesson introduces the Link layer and looks at a variety of link layer frame types. Activities include identifying MAC addresses and using Wireshark to examine Ethernet network traffic.

Readings

  1. Wikipedia: Link layer
  2. Wikipedia: MAC address
  3. Wikipedia: Organizationally Unique Identifier
  4. Wikipedia: Ethernet frame
  5. Wikipedia: EtherType
  6. Wikipedia: Token Ring Frame Format
  7. Wikipedia: Point-to-Point Protocol (PPP) Frame
  8. Wikipedia: IEEE 802.11 Frames

Multimedia

  1. YouTube: MAC Address Formats - CompTIA Network+ N10-005: 1.3
  2. YouTube: Basics of ipconfig, ping, tracert, nslookup and netstat

Activities

  1. Display MAC Addresses Using Getmac.
  2. Display MAC Addresses Using Ipconfig.
  3. Search for a MAC Address OUI.
  4. Compare Ethernet and Token Ring frame formats. Which fields are included in both formats? Which fields are unique to one format or the other?
  5. Compare Ethernet and Point-to-Point Protocol frame formats. Which fields are included in both formats? Which fields are unique to one format or the other?
  6. Review Wireshark: Ethernet.
  7. Use Wireshark to capture and analyze Ethernet traffic.
  8. Review Wireshark: WLAN Capture Setup.
  9. If your wireless network adapter supports it, use Wireshark to capture and analyze 802.11 traffic. Are you able to capture actual 802.11 traffic, or is it translated to Ethernet traffic before it can be captured and displayed?
  10. Link layer protocols have changed significantly since the introduction of the Internet protocol suite, while the core TCP/IP protocols have changed very little. Consider possible explanations for the many changes and performance improvements in link layer protocols over time.
  11. Consider situations in which a packet analyzer might be used to troubleshoot link layer traffic.

Lesson Summary

  • The Link layer is the lowest layer in the Internet Protocol Suite. It implements the communication protocol necessary for a host to link to its directly-connected network.[1]
  • TCP/IP's layers are descriptions of operating scopes (application, host-to-host, network, link) and not detailed prescriptions of operating procedures, data semantics, or networking technologies.[2]
  • Layering in TCP/IP is not a principal design criterion and in general is considered to be harmful.[3]
  • The standard (IEEE 802) format for printing MAC-48 addresses in human-friendly form is six groups of two hexadecimal digits, separated by hyphens (-) or colons (:), in transmission order.[4]
  • The IEEE expects the MAC-48 space to be exhausted no sooner than the year 2100.[5]
  • If the least significant bit of the most significant octet of an address is set to 0 (zero), the frame is meant to reach only one receiving NIC.[6]
  • If the least significant bit of the most significant address octet is set to 1, the frame will still be sent only once; however, NICs will choose to accept it based on different criteria than a matching MAC address: for example, based on a configurable list of multicast MAC addresses.[7]
  • Packets sent to the broadcast address, all one bits or hexadecimal FF:FF:FF:FF:FF:FF, are received by all stations on a local area network.[8]
  • Packets sent to a multicast address are received by all stations on a LAN that have been configured to receive packets sent to that address.[9]
  • Although intended to be a permanent and globally unique identification, it is possible to change the MAC address on most modern hardware.[10]
  • An Organizationally Unique Identifier (OUI) is a 24-bit number purchased from the Institute of Electrical and Electronics Engineers, Incorporated (IEEE) Registration Authority and uniquely identifies the vendor or manufacturer of a network adapter.[11]
  • An Ethernet frame includes destination and source MAC addresses, Ethertype, data, and a frame check sequence.[12]
  • Ethertype is a two-octet field used to indicate which protocol is encapsulated in the payload of an Ethernet Frame.[13]
  • A Token Ring frame includes access control, frame control, destination and source MAC addresses, data, and a frame check sequence.[14]
  • A Point-to-Point Protocol (PPP) frame includes protocol and data information.[15]
  • An IEEE 802.11 frame includes frame control, destination and source MAC addresses, data, and a frame check sequence.[16]

Key Terms

802.3
A set of IEEE standards for implementing wired Ethernet.[17]
802.5
A set of IEEE standards for implementing Token Ring.[18]
802.11
A set of IEEE standards for implementing wireless local area network (WLAN) communication.[19]
Carrier Sense Multiple Access with Collision Detection (CSMA/CD)
A Media Access Control (MAC) method in which a carrier sensing scheme is used, and a transmitting data station that detects another signal while transmitting a frame stops transmitting that frame, transmits a jam signal, and then waits for a random time interval before trying to resend the frame.[20]
data transmission
The physical transfer of data (a digital bit stream) over a point-to-point or point-to-multipoint communication channel.[21]
Ethernet
A family of computer networking technologies for local area networks (LANs) that was commercially introduced in 1980 and first standardized in 1983 as IEEE 802.3 (the standard was published in 1985).[22]
Institute of Electrical and Electronics Engineers (IEEE)
A professional association headquartered in New York City that is dedicated to advancing technological innovation and excellence.[23]
Local Area Network (LAN)
A computer network that interconnects computers in a limited area such as a home, school, computer laboratory, or office building using network media.[24]
MAC spoofing
A technique for changing a factory-assigned Media Access Control (MAC) address of a network interface on a networked device.[25]
network segment
A portion of a computer network, sometimes used as a synonym for collision domain.[26]
node
A connection point, either a redistribution point or a communication endpoint.[27]
Organizationally Unique Identifier (OUI)
A 24-bit number purchased from the Institute of Electrical and Electronics Engineers, Incorporated (IEEE) Registration Authority and uniquely identifies the vendor or manufacturer of a network adapter.[28]
Point-to-Point Protocol (PPP)
A data link protocol commonly used in establishing a direct connection between two networking nodes in a Wide Area Network (WAN) environment.[29]
Token Ring
A data link protocol that uses a ring topology and was standardized as IEEE 802.5.[30]
unique identifier (UID)
Any identifier which is guaranteed to be unique among all identifiers used for a given set of objects and for a specific purpose.[31]
Wide Area Network (WAN)
A network that covers a broad area (i.e., any telecommunications network that links across metropolitan, regional, or national boundaries) using private or public network transports.[32]

Review Questions


  1. The Link layer is the _____ layer in the Internet Protocol Suite. It implements the communication protocol necessary for a host to link to _____.
    The Link layer is the lowest layer in the Internet Protocol Suite. It implements the communication protocol necessary for a host to link to its directly-connected network.
  2. TCP/IP's layers are descriptions of operating scopes (application, host-to-host, network, link) and _____ detailed prescriptions of operating procedures, data semantics, or networking technologies.
    TCP/IP's layers are descriptions of operating scopes (application, host-to-host, network, link) and not detailed prescriptions of operating procedures, data semantics, or networking technologies.
  3. Layering in TCP/IP is not a principal design criterion and in general is considered to be _____.
    Layering in TCP/IP is not a principal design criterion and in general is considered to be harmful.
  4. The standard (IEEE 802) format for printing MAC-48 addresses in human-friendly form is _____ groups of two hexadecimal digits, separated by hyphens (-) or colons (:), in transmission order.
    The standard (IEEE 802) format for printing MAC-48 addresses in human-friendly form is six groups of two hexadecimal digits, separated by hyphens (-) or colons (:), in transmission order.
  5. The IEEE expects the MAC-48 space to be exhausted no sooner than the year _____.
    The IEEE expects the MAC-48 space to be exhausted no sooner than the year 2100.
  6. If the least significant bit of the most significant octet of an address is set to 0 (zero), the frame is meant to reach _____.
    If the least significant bit of the most significant octet of an address is set to 0 (zero), the frame is meant to reach only one receiving NIC.
  7. If the least significant bit of the most significant address octet is set to 1, the frame will still be sent only once; however, NICs will choose to accept it based on different criteria than a matching MAC address: for example, based on _____.
    If the least significant bit of the most significant address octet is set to 1, the frame will still be sent only once; however, NICs will choose to accept it based on different criteria than a matching MAC address: for example, based on a configurable list of multicast MAC addresses.
  8. Packets sent to the broadcast address, _____, are received by all stations on a local area network.
    Packets sent to the broadcast address, all one bits or hexadecimal FF:FF:FF:FF:FF:FF, are received by all stations on a local area network.
  9. Packets sent to a multicast address are received by all stations on a LAN that _____.
    Packets sent to a multicast address are received by all stations on a LAN that have been configured to receive packets sent to that address.
  10. Although intended to be a permanent and globally unique identification, it is possible to _____ the MAC address on most modern hardware.
    Although intended to be a permanent and globally unique identification, it is possible to change the MAC address on most modern hardware.
  11. An Organizationally Unique Identifier (OUI) is a 24-bit number purchased from the Institute of Electrical and Electronics Engineers, Incorporated (IEEE) Registration Authority and uniquely identifies _____.
    An Organizationally Unique Identifier (OUI) is a 24-bit number purchased from the Institute of Electrical and Electronics Engineers, Incorporated (IEEE) Registration Authority and uniquely identifies the vendor or manufacturer of a network adapter.
  12. An Ethernet frame includes _____.
    An Ethernet frame includes destination and source MAC addresses, Ethertype, data, and a frame check sequence.
  13. Ethertype is a two-octet field used to indicate _____.
    Ethertype is a two-octet field used to indicate which protocol is encapsulated in the payload of an Ethernet Frame.
  14. A Token Ring frame includes _____.
    A Token Ring frame includes access control, frame control, destination and source MAC addresses, data, and a frame check sequence.
  15. A Point-to-Point Protocol (PPP) frame includes _____.
    A Point-to-Point Protocol (PPP) frame includes protocol and data information.
  16. An IEEE 802.11 frame includes _____.
    An IEEE 802.11 frame includes frame control, destination and source MAC addresses, data, and a frame check sequence.


Getmac is a Windows command used to display the Media Access Control (MAC) addresses for each network adapter in the computer. These activities will show you how to use the getmac command to display MAC addresses.

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.

Activity 1 - Display MAC Addresses Using Getmac

To display MAC addresses using getmac:

  1. Open a command prompt.
  2. Type getmac and press Enter.
  3. Observe the results. You should see a list of physical addresses and transport names in use on the computer.
  4. Close the command prompt to complete this activity.

ipconfig /all displays all configuration information for each adapter bound to TCP/IP. This activity will show you how to use ipconfig /all.

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.

Activity 1 - Display All IP Configuration Information

To display all configuration information for each adapter bound to TCP/IP:

  1. Open a command prompt.
  2. Type ipconfig /all.
    Note: While the space between ipconfig and /all isn't required, it's a good idea to get into the habit of including a space between a command and any specified options for other commands that do require the space.
  3. Press Enter.
  4. Observe available adapters and their detailed IP settings.
  5. Close the command prompt to complete this activity.

A Media Access Control address (MAC address) is a unique identifier assigned to network interfaces for communications on the physical network segment. The Organizationally Unique Identifier (OUI) is a 24-bit number that is purchased from the Institute of Electrical and Electronics Engineers, Incorporated (IEEE) Registration Authority and uniquely identifies the vendor or manufacturer of the network adapter.

Activity 1 - Search for a MAC Address OUI

To search for a MAC address OUI:

  1. Use getmac or ipconfig to find the MAC address of your network adapter.
  2. Using an Internet browser, navigate to the IEEE Standards Association Public OUI Listing and search for the first three octets (first six hexadecimal digits) of the MAC address you found above to identify the manufacturer / registrar of your network adapter. The OUI identifies the registrant that purchased the block, which may be a chipset maker or contract manufacturer rather than the brand printed on the device, and because a MAC address can be changed in software the lookup is not proof of where a frame actually came from.

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Ethernet traffic.

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture Ethernet Traffic

To capture Ethernet traffic:

  1. Start a Wireshark capture.
  2. Use ipconfig to display the default gateway address. Note the Default Gateway displayed.
  3. Use ping <default gateway address> to ping the default gateway address.
  4. Stop the Wireshark capture.

Activity 2 - Analyze Ethernet Traffic

To analyze Ethernet traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. All of the traffic you see is likely to be Ethernet traffic. If you want to specifically identify the traffic generated from the ping command above, look for traffic with ICMP listed as the protocol and Echo (ping) request or Echo (ping) reply in the description.
  2. Select a packet you want to analyze.
  3. Observe the packet details in the middle Wireshark packet details pane.
  4. Select Frame. Notice when you select the frame that the entire frame is highlighted in the bottom packet bytes pane.
  5. Expand Frame to view frame details.
  6. Expand Ethernet II to view Ethernet details. Notice the Destination, Source, and Type fields.
  7. Select the Destination field. Notice when you select the Destination field that the first six bytes of the frame are highlighted in the bottom packet bytes pane. This is the destination MAC address for the Ethernet frame.
  8. Select the Source field. Notice when you select the Source field that the second six bytes of the frame are highlighted in the bottom packet bytes pane. This is the source MAC address for the Ethernet frame.
  9. Select the Type field. Notice when you select the Type field that the 13th and 14th bytes of the frame are highlighted in the bottom packet bytes pane. This is the EtherType, which identifies the protocol encapsulated inside the Ethernet frame; 0x0800 (IPv4), 0x0806 (ARP), and 0x86DD (IPv6) are the values you will see most often.
  10. Select additional Ethernet frames in the top packet list pane and observe frame details in these packets.
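
The byte offsets examined in the steps above (destination in bytes 1-6, source in bytes 7-12, type in bytes 13-14) and the I/G and U/L bits of the first address octet described in the lesson summary, as an added Python example that is not part of the Wireshark activity or the course. The two frames are constructed by hand and the MAC addresses are hypothetical. The example goes slightly beyond the activity: it also handles an 802.1Q-tagged frame, where the real EtherType sits four bytes further in, and a value of 1500 or less in the type position, which is an IEEE 802.3 length field rather than an EtherType.

```python
"""Parse Ethernet II frames and classify MAC addresses.

Added example for this lesson; not part of Wireshark or of the course.
The sample frames below are constructed by hand.
"""
import struct

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q VLAN"}
BROADCAST = bytes([0xFF] * 6)


def mac_to_str(mac: bytes) -> str:
    """Six octets in transmission order, colon-separated, as Wireshark prints them."""
    return ":".join(f"{b:02x}" for b in mac)


def classify_mac(mac: bytes) -> dict:
    """Decode the two flag bits of the first octet and extract the OUI.

    Bit 0 of octet 0 (I/G): 0 = unicast (meant for one receiving NIC),
    1 = group address (multicast, or broadcast when all 48 bits are set).
    Bit 1 of octet 0 (U/L): 0 = universally administered (OUI assigned by
    the IEEE), 1 = locally administered (set in software, e.g. MAC spoofing).
    """
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 octets")
    first = mac[0]
    if mac == BROADCAST:
        kind = "broadcast"
    elif first & 0x01:
        kind = "multicast"
    else:
        kind = "unicast"
    local = bool(first & 0x02)
    return {
        "address": mac_to_str(mac),
        "kind": kind,
        "locally_administered": local,
        # An OUI lookup only means something for universally administered addresses.
        "oui": None if local else mac_to_str(mac[:3]),
    }


def parse_ethernet(frame: bytes) -> dict:
    """Split the 14-byte Ethernet II header the way the packet bytes pane shows it."""
    if len(frame) < 14:
        raise ValueError(f"frame too short for an Ethernet header: {len(frame)} bytes")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan = 14, None
    if ethertype == 0x8100:          # 802.1Q tag: TCI then the inner EtherType
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    if ethertype <= 1500:            # IEEE 802.3: the field is a payload length
        protocol = f"802.3 length {ethertype}"
    else:
        protocol = ETHERTYPES.get(ethertype, f"unknown 0x{ethertype:04x}")
    return {
        "dst": classify_mac(dst),
        "src": classify_mac(src),
        "vlan": vlan,
        "ethertype": ethertype,
        "protocol": protocol,
        "payload": frame[offset:],
    }


# Constructed sample frames (not captured traffic): an ARP request sent to the
# broadcast address, and a VLAN-tagged IPv4 frame to a locally administered
# unicast address. The source OUI 00:11:22 is hypothetical.
ARP_BROADCAST = bytes.fromhex(
    "ffffffffffff"      # destination: broadcast
    "001122334455"      # source
    "0806"              # EtherType: ARP
) + bytes(28)
VLAN_IPV4 = bytes.fromhex(
    "0211223344aa"      # destination: 0x02 in the first octet = locally administered
    "001122334455"      # source
    "81000064"          # 802.1Q tag, VLAN 100
    "0800"              # inner EtherType: IPv4
) + bytes(20)


if __name__ == "__main__":
    for frame in (ARP_BROADCAST, VLAN_IPV4):
        parsed = parse_ethernet(frame)
        print(parsed["dst"], parsed["src"], parsed["vlan"], parsed["protocol"])
```

Running the block prints the decoded destination, source, VLAN and protocol for both frames; feed it the raw bytes of any frame you export from Wireshark (File > Export Packet Bytes) to compare its output with the packet details pane.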

Activity 3 - Confirm MAC Addresses in Ethernet Traffic

To confirm MAC addresses in Ethernet traffic:

  1. Use ipconfig /all or Getmac to display your computer's Physical Address.
  2. Compare your computer's physical address to the Source and Destination fields in the captured traffic. Identify which frames were sent by your computer and which frames were received by your computer.
  3. Use arp -a to view the ARP cache.
  4. Locate the default gateway IP address used in the ping command above and note the Physical Address of the default gateway.
  5. Compare your default gateway's physical address to the Source and Destination fields in the captured traffic. Identify which frames were sent by the default gateway and and which frames were sent to the default gateway.
  6. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

Lesson 4 - Address Resolution Protocol (ARP)


This lesson continues the Link layer and looks at the Address Resolution Protocol (ARP). Activities include viewing and modifying the ARP cache and using Wireshark to examine ARP network traffic.


Readings

  1. Wikipedia: Address Resolution Protocol
  2. Wikipedia: Broadcast address

Multimedia

  1. YouTube: Basics of ipconfig, ping, tracert, nslookup and netstat
  2. YouTube: An Overview of ARP - CompTIA Network+ N10-005: 4.3
  3. YouTube: ARP Basics for the Cisco CCNA
  4. YouTube: Address Resolution Protocol (ARP) Explained

Activities

  1. View the ARP Cache.
  2. Modify the ARP Cache.
  3. Review Wireshark: Address Resolution Protocol (ARP).
  4. Use Wireshark to capture and analyze Address Resolution Protocol (ARP) traffic.
  5. Consider situations in which a packet analyzer might be used to troubleshoot ARP traffic.

Lesson Summary

  • Address Resolution Protocol (ARP) is a telecommunications protocol used for resolution of network (Internet) layer addresses into link layer addresses.[1]
  • ARP is the name of the program for manipulating Address Resolution Protocol caches in most operating systems.[2]
  • In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP is provided by the Neighbor Discovery Protocol (NDP).[3]
  • ARP is a request and reply protocol that runs encapsulated by the line protocol.[4]
  • ARP is an Internet Protocol Suite Link layer protocol.[5]
  • An ARP packet includes the hardware type, the protocol type, the hardware and protocol address lengths, the operation (request or reply), and the sender hardware address, sender protocol address, target hardware address, and target protocol address.[6] On an IPv4 Ethernet the hardware address is the MAC address and the protocol address is the IP address.
  • The ARP cache is a memory-cached table of IP addresses and corresponding hardware addresses.[7]
  • An ARP probe is an ARP request for one's own IP address, sent with a sender protocol address of all zeros just before a network interface begins to use that address. This is done to ensure that the IP address is not already in use on the network.[8]
  • A gratuitous ARP request is similar to an ARP probe in that an ARP request for one's own IP address is sent just before a network interface begins to use the address. The difference is that an ARP probe involves conflict detection, while a gratuitous ARP request is simply an announcement of intent to use the given address, from which other hosts may update their ARP caches.[9]
  • ARP mediation supports the transparent use of ARP requests across a circuit-based virtual private wire service (circuit-based VPN).[10]
  • Inverse ARP is used to resolve link layer addresses into network (Internet) layer addresses.[11]
  • Reverse ARP is similar to Inverse ARP in that it was used to resolve a link layer address into a network layer address. The difference is that Reverse ARP was used to resolve one's own link layer address rather than another node. Reverse ARP has been replaced by the Bootstrap Protocol (BOOTP) and the Dynamic Host Configuration Protocol (DHCP).[12]
  • Proxy ARP is a technique by which a device on a given network answers the ARP queries for a network address that is not on that network.[13]
  • ARP spoofing is a technique whereby an attacker sends fake Address Resolution Protocol (ARP) messages onto a Local Area Network to associate the attacker's MAC address with the IP address of another host, typically the default gateway, so that frames meant for that host are delivered to the attacker instead. It is the usual first step of a man-in-the-middle or denial-of-service attack on a LAN.[14]
  • The IPv4 limited broadcast address is 255.255.255.255; each IPv4 subnet also has a directed broadcast address in which all host bits are set to one.[15]
  • IPv6 does not define broadcast addresses. IPv6 uses multicast addressing.[16]
  • The Ethernet broadcast address is FF:FF:FF:FF:FF:FF.[17]

Key Terms

Asynchronous Transfer Mode (ATM)
A telecommunications protocol defined by ANSI and ITU standards to carry voice, data, and video using asynchronous time-division multiplexing and small, fixed-sized cells.[18]
Customer Edge (CE)
The router at the customer premises that is connected to the provider edge of a service provider network.[19]
denial-of-service attack (DoS attack)
An attempt to make a machine or network resource unavailable to its intended users.[20]
Fiber Distributed Data Interface (FDDI)
Provides a 100 Mbit/s optical standard for data transmission in a local area network that can extend in range up to 200 kilometers (120 mi).[21]
Frame Relay
A standardized wide area network technology that specifies the physical and logical link layers of digital telecommunications channels using a packet switching methodology. Originally designed for transport across Integrated Services Digital Network (ISDN) infrastructure, it is less expensive than leased lines.[22]
man-in-the-middle attack
A form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them.[23]
Provider Edge (PE)
A router between one network service provider's area and areas administered by other network providers.[24]
telecommunication
The science and practice of transmitting information by electromagnetic means.[25]
Virtual Private Wire Service (VPWS)
A circuit-based Virtual Private Network (VPN).[26]
X.25
An ITU-T standard protocol suite for packet switched wide area network (WAN) communication using leased lines, plain old telephone service connections or ISDN connections as physical links.[27]

Review Questions


  1. Address Resolution Protocol (ARP) is a telecommunications protocol used for _____.
    Address Resolution Protocol (ARP) is a telecommunications protocol used for resolution of network (Internet) layer addresses into link layer addresses.
  2. ARP is the name of the program for manipulating Address Resolution Protocol _____ in most operating systems.
    ARP is the name of the program for manipulating Address Resolution Protocol caches in most operating systems.
  3. In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP is provided by _____.
    In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP is provided by the Neighbor Discovery Protocol (NDP).
  4. ARP is a request and reply protocol that runs encapsulated by the _____ protocol.
    ARP is a request and reply protocol that runs encapsulated by the line protocol.
  5. ARP is an Internet Protocol Suite _____ layer protocol.
    ARP is an Internet Protocol Suite Link layer protocol.
  6. ARP packets include _____.
    ARP packets include the sender hardware address, the sender protocol address, the target hardware address, and the target protocol address.
  7. The ARP cache is _____.
    The ARP cache is a memory-cached table of IP addresses and corresponding hardware addresses.
  8. An ARP probe is _____.
    An ARP probe is an ARP request for one's own IP address, sent just before a network interface begins to use that address.
  9. A gratuitous ARP request is _____.
    A gratuitous ARP request is simply an announcement of intent to use the given address.
  10. ARP mediation supports the transparent use of ARP requests across _____.
    ARP mediation supports the transparent use of ARP requests across a circuit-based virtual private wire service (circuit-based VPN).
  11. Inverse ARP is used to _____.
    Inverse ARP is used to resolve link layer addresses into network (Internet) layer addresses.
  12. Reverse ARP is similar to Inverse ARP in that it was used to resolve a link layer address into a network layer address. The difference is that _____.
    Reverse ARP is similar to Inverse ARP in that it was used to resolve a link layer address into a network layer address. The difference is that Reverse ARP was used to resolve one's own link layer address rather than another node.
  13. Proxy ARP is a technique by which a device on a given network _____.
    Proxy ARP is a technique by which a device on a given network answers the ARP queries for a network address that is not on that network.
  14. ARP spoofing is a technique whereby an attacker _____.
    ARP spoofing is a technique whereby an attacker sends fake Address Resolution Protocol (ARP) messages onto a Local Area Network to associate the attacker's MAC address with the IP address of another host.
  15. The IPv4 limited broadcast address is _____.
    The IPv4 limited broadcast address is 255.255.255.255.
  16. IPv6 does not define broadcast addresses. IPv6 uses _____ addressing.
    IPv6 does not define broadcast addresses. IPv6 uses multicast addressing.
  17. The Ethernet broadcast address is _____.
    The Ethernet broadcast address is FF:FF:FF:FF:FF:FF.


Arp is a Windows command used to view and modify the Address Resolution Protocol (ARP) cache. These activities will show you how to view the ARP cache.

Note: To complete this activity, you must have an administrative user account or know the username and password of an administrator account you can enter when prompted.

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.

Activity 1 - View the ARP Cache

To view the ARP cache:

  1. Open a command prompt, type arp -a, and press Enter.
  2. Observe the ARP cache entries.

Activity 2 - Clear the ARP Cache

In order to observe the effects of Media Access Control (MAC) address resolution, start by clearing the ARP cache:

  1. Open an elevated/administrator command prompt.
  2. Type arp -d and press Enter.

Activity 3 - View the ARP Cache

To view the ARP cache:

  1. Type arp -a and press Enter.
  2. Observe the ARP cache entries. There should not be any entries in the list. If there are, a background process on your computer has contacted a network host or router since the cache was cleared.

Activity 4 - Ping the Default Gateway

To dynamically add an entry to the ARP cache, ping the default gateway:

  1. Use ipconfig to display the default gateway address. Note the Default Gateway displayed.
  2. Use ping <default gateway address> to ping the default gateway address.
  3. Observe the results. You should see replies indicating success.

Activity 5 - View the ARP Cache

To view the ARP cache:

  1. Type arp -a and press Enter.
  2. Observe the ARP cache entries. There should be an entry for the default gateway showing its Internet (IP) address and physical (MAC) address. There may be other entries, depending on what background process on your computer has contacted a network host.
  3. Close the command prompt to complete this activity.

Arp is a Windows command used to view and modify the Address Resolution Protocol (ARP) cache. These activities will show you how to modify the ARP cache.

Note: To complete this activity, you must have an administrative user account or know the username and password of an administrator account you can enter when prompted.

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.

Activity 1 - Clear the ARP Cache

In order to limit the amount of information displayed, start by clearing the ARP cache:

  1. Open an elevated/administrator command prompt.
  2. Type arp -d and press Enter.

Activity 2 - View the ARP Cache

To view the ARP cache:

  1. Type arp -a and press Enter.
  2. Observe the ARP cache entries. There should not be any entries in the list. If there are, either a network host has contacted your computer, or a background process on your computer has contacted a network host or router since the cache was cleared.

Activity 3 - Ping the Default Gateway

To dynamically add an entry to the ARP cache, ping the default gateway:

  1. Use ipconfig to display the default gateway address. Note the Default Gateway displayed.
  2. Use ping <default gateway address> to ping the default gateway address.
  3. Observe the results. You should see replies indicating success.

Activity 4 - View the ARP Cache

To view the ARP cache:

  1. Type arp -a and press Enter.
  2. Observe the ARP cache entries. There should be an entry for the default gateway showing its Internet (IP) address and physical (MAC) address. There may be other entries, depending on what other network hosts have contacted your computer, or what background process on your computer has contacted a network host.

Activity 5 - Modify the ARP Cache

Note: You will lose Internet access with this next step and will restore it again in Activity 8.

Method 1 - Windows XP and Earlier

Modify the ARP cache entry for the default gateway by replacing it with a static entry that carries an incorrect MAC address. This is the same condition an ARP spoofing attacker creates on a victim from across the LAN: once the cache maps the gateway's IP address to the wrong MAC address, every frame destined for the gateway is delivered to that address instead.

  1. Type arp -s <default gateway address> 00-11-22-33-44-55 and press Enter.

Method 2 - Windows 7 and Later

Determine your network adapter interface name and modify the ARP cache entry for the default gateway by replacing it with a static entry that carries an incorrect MAC address:

  1. Type netsh interface ipv4 show config.
  2. Locate the interface with the default gateway listed in Activity 3. The interface name is typically "Local Area Connection" or "Wireless Network Connection".
  3. Type netsh interface ipv4 add neighbors "<interface name>" <default gateway address> 00-11-22-33-44-55, where <interface name> is the name of the interface identified and <default gateway address> is the address of the default gateway listed in Activity 3. For example, if the interface name is "Local Area Connection" and the default gateway is 192.168.1.1, you would type netsh interface ipv4 add neighbors "Local Area Connection" 192.168.1.1 00-11-22-33-44-55.

Activity 6 - View the ARP Cache

To view the ARP cache:

  1. Type arp -a and press Enter.
  2. Observe the ARP cache entries. Notice that the default gateway entry now has the type static and shows the incorrect MAC address.

Activity 7 - Ping the Default Gateway

To test the ARP cache entry, attempt to ping the default gateway:

  1. Use ping <default gateway address> to ping the default gateway address.
  2. Observe the results. You should see "Request timed out.", indicating the default gateway cannot be reached.

Activity 8 - Reset the ARP Cache

Method 1 - Windows XP and Earlier

To reset the ARP cache:

  1. Type arp -d and press Enter.
  2. Type arp -a and press Enter to confirm that the static entry has been cleared.

Method 2 - Windows 7 and Later

To reset the ARP cache:

  1. Type netsh interface ipv4 delete neighbors and press Enter.
  2. Type netsh interface ipv4 show neighbors and press Enter to confirm that the static entry has been cleared.

Activity 9 - Ping the Default Gateway

Ping the default gateway to verify network connectivity to the default gateway:

  1. Use ping <default gateway address> to ping the default gateway address.
  2. Observe the results. You should see replies indicating success.

Activity 10 - View the ARP Cache

To view the ARP cache:

  1. Type arp -a and press Enter.
  2. Observe the ARP cache entries. Notice that the default gateway now has the type dynamic and its valid MAC address.
  3. Close the command prompt to complete this activity.

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Address Resolution Protocol (ARP) traffic.

Preparation

To prepare for this activity:

  1. Start your computer.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture ARP Traffic

To capture ARP traffic:

  1. Start Wireshark, but do not yet start a capture.
  2. Open an elevated/administrator command prompt.
  3. Use ipconfig to display the default gateway address. Note the Default Gateway displayed.
  4. Start a Wireshark capture.
  5. Use arp -d to clear the ARP cache.
  6. Use ping <default gateway address> to ping the default gateway address.
  7. Use arp -a to view the ARP cache and confirm an entry has been added for the default gateway address.
  8. Close the command prompt.
  9. Stop the Wireshark capture.

Activity 2 - Analyze an ARP Request

To analyze an ARP request:

  1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ARP listed as the protocol. To view only ARP traffic, type arp (lower case) in the Filter box and press Enter.
  2. Select the first ARP packet.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Address Resolution Protocol frame.
  4. Expand Ethernet II to view Ethernet details.
  5. Observe the Destination field. Notice that the destination field is the Ethernet broadcast address (FF:FF:FF:FF:FF:FF). All devices on the network will receive the ARP request.
  6. Observe the Source field. This should contain your MAC address. You can use ipconfig /all, getmac, or ifconfig to confirm.
  7. Observe the Type field. Notice that the type is 0x0806, indicating ARP.
  8. Expand Address Resolution Protocol (request) to view ARP details.
  9. Observe the Sender MAC address. Notice that the sender MAC address is your MAC address.
  10. Observe the Sender IP address. Notice that the sender IP address is your IP address.
  11. Observe the Target MAC address. Notice that the target MAC address is all zeros, because the target MAC address is unknown at this point.
  12. Observe the Target IP address. Notice that the target IP address is the IP address of the default gateway.

Activity 3 - Analyze an ARP Reply

To analyze an ARP reply:

  1. Select the second ARP packet.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Address Resolution Protocol frame and that the packet is labeled Address Resolution Protocol (reply).
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination field. Notice that the destination field is your MAC address.
  5. Observe the Source field. This should be the MAC address of the default gateway.
  6. Observe the Type field. Notice that the type is 0x0806, indicating ARP.
  7. Expand Address Resolution Protocol (reply) to view ARP details.
  8. Observe the Sender MAC address. Notice that the sender MAC address is the MAC address of the default gateway.
  9. Observe the Sender IP address. Notice that the sender IP address is the IP address of the default gateway.
  10. Observe the Target MAC address. Notice that the target MAC address is your MAC address.
  11. Observe the Target IP address. Notice that the target IP address is your IP address.
  12. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
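
As an added example, not part of the original course materials, the following Python script builds the two frames these activities inspect from constructed addresses, decodes the fields listed above using only the standard library, and checks that a reply actually answers the request. The MAC and IP addresses are illustrative assumptions, not captured values.

```python
import struct

ETH_BROADCAST = bytes.fromhex("ffffffffffff")
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP request (opcode 1) or reply (opcode 2).

    A request is broadcast because the sender does not yet know the target MAC;
    a reply is unicast straight back to the requester's MAC.
    """
    dst = ETH_BROADCAST if opcode == ARP_REQUEST else mac_bytes(target_mac)
    eth = dst + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # hardware type 1 (Ethernet), protocol type 0x0800 (IPv4), lengths 6 and 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode the fields Activities 2 and 3 inspect; reject anything that is not Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet II + ARP")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"EtherType 0x{ethertype:04x} is not ARP")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    body = frame[22:42]
    return {
        "eth_dst": fmt_mac(dst),
        "eth_src": fmt_mac(src),
        "opcode": {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(opcode, opcode),
        "sender_mac": fmt_mac(body[0:6]),
        "sender_ip": fmt_ip(body[6:10]),
        "target_mac": fmt_mac(body[10:16]),
        "target_ip": fmt_ip(body[16:20]),
    }


def reply_answers_request(request, reply):
    """True if the reply is for the IP the request asked about and is addressed back to the requester."""
    return (
        reply["opcode"] == "reply"
        and reply["sender_ip"] == request["target_ip"]
        and reply["target_ip"] == request["sender_ip"]
        and reply["target_mac"] == request["sender_mac"]
        and reply["eth_dst"] == request["eth_src"]
    )


def cache_conflict(cache, reply):
    """Flag a reply whose sender IP is already cached with a different MAC (what a static entry pins)."""
    known = cache.get(reply["sender_ip"])
    return known is not None and known != reply["sender_mac"]


# Constructed sample exchange; the addresses are illustrative, not captured values
MY_MAC, MY_IP = "00:0c:29:aa:bb:cc", "192.168.1.10"
GW_MAC, GW_IP = "00:1a:2b:3c:4d:5e", "192.168.1.1"
REQUEST = build_arp(ARP_REQUEST, MY_MAC, MY_IP, "00:00:00:00:00:00", GW_IP)
REPLY = build_arp(ARP_REPLY, GW_MAC, GW_IP, MY_MAC, MY_IP)
# A reply from a third (hypothetical) host claiming the gateway's IP with its own MAC
OTHER_REPLY = build_arp(ARP_REPLY, "00:de:ad:be:ef:00", GW_IP, MY_MAC, MY_IP)

if __name__ == "__main__":
    cache = {GW_IP: GW_MAC}
    for name, frame in (("request", REQUEST), ("reply", REPLY), ("other", OTHER_REPLY)):
        print(name, parse_arp(frame))
    print("conflict:", cache_conflict(cache, parse_arp(OTHER_REPLY)))
```

Note that the request/reply match passes for OTHER_REPLY as well: ARP carries nothing that proves which host is entitled to answer for an IP address, so the only thing a receiver can compare against is what it already has cached. That is what cache_conflict does, and it is the property a static ARP entry like the one added in the earlier activity relies on.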

Lesson 5 - Internet Layer / IPv4

This lesson introduces the Internet layer and looks at IPv4. Activities include IPv4 addressing and using Wireshark to examine IPv4 network traffic.

Readings

  1. Wikipedia: Internet layer
  2. Wikipedia: Internet Protocol
  3. Wikipedia: IPv4
  4. Wikipedia: IP address
  5. Wikipedia: Classful network

Multimedia

  1. YouTube: An overview of IPv4 and IPv6 - CompTIA Network+ N10-005: 1.3
  2. YouTube: Basics of ipconfig, ping, tracert, nslookup and netstat

Activities

  1. Use a Regional Internet Registry to search the Whois database for IP address information.
  2. Review Wireshark: Internet Protocol (IP).
  3. Use Wireshark to capture and analyze local IPv4 traffic.
  4. Use Wireshark to capture and analyze remote IPv4 traffic.
  5. Use Wireshark to capture and analyze fragmented IPv4 traffic.
  6. Consider situations in which a packet analyzer might be used to troubleshoot IPv4 traffic.

Lesson Summary

  • The Internet layer is a group of internetworking methods, protocols, and specifications in the Internet protocol suite that are used to transport datagrams from the originating host across network boundaries, if necessary, to the destination host specified by a network address.[1]
  • The Internet layer is not responsible for reliable transmission. It provides only an unreliable connection-less service, and "best effort" delivery.[2]
  • The core protocols used in the Internet layer are IPv4, IPv6, the Internet Control Message Protocol (ICMP), and the Internet Group Management Protocol (IGMP).[3]
  • The Internet Control Message Protocol (ICMP) is primarily used for error and diagnostic functions.[4]
  • The Internet Group Management Protocol (IGMP) is used by IPv4 hosts and adjacent multicast routers to establish multicast group memberships.[5]
  • Internet Protocol Security (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications by authenticating and/or encrypting each IP packet in a data stream.[6]
  • Each IP datagram has two components, a header and a data payload. The IP header is tagged with the source IP address, destination IP address, and other meta-data needed to route and deliver the datagram.[7]
  • IPv4 uses 32-bit (four-byte) addresses, most often written in the dotted decimal notation, which consists of four octets of bit values expressed individually in decimal and separated by periods.[8]
  • Private IPv4 network address ranges are reserved for use in private networks and include 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. Private networks communicate with public networks through network address translation (NAT).[9]
  • The link-local IPv4 address range, 169.254.0.0/16, is similar to a private network address range but is not routable. These addresses are most often used when a host cannot obtain an IP address from a Dynamic Host Configuration Protocol (DHCP) server.[10]
  • The loopback address range, 127.0.0.0/8 is reserved for loopback, or internal host addressing.[11]
  • The primary address pool of the Internet, maintained by the Internet Assigned Numbers Authority (IANA), was exhausted on 3 February 2011.[12]
  • Valid IPv4 host addresses have a first octet in the range 1-126 (originally Class A), 128-191 (originally Class B), or 192-223 (originally Class C). Multicast addresses have a first octet in the range 224-239 (originally Class D). Addresses with a first octet in the range 240-255 are unused (reserved / experimental).[13][14]
  • Classful networking was replaced by Classless Inter-Domain Routing (CIDR) starting in 1993.[15] However, the basic addressing concepts developed under classful networking still apply to IPv4. The CIDR changes apply to subnetting and routing, which will be examined in the next lesson.

Key Terms

American Registry for Internet Numbers (ARIN)
The Regional Internet Registry (RIR) for Canada, many Caribbean and North Atlantic islands, and the United States.[16]
data corruption
Errors in computer data that occur during writing, reading, storage, transmission, or processing, which introduce unintended changes to the original data.[17]
datagram
A basic transfer unit associated with a packet-switched network in which the delivery, arrival time, and order of arrival are not guaranteed by the network service.[18]
gateway
A network point that acts as an entrance to another network.[19]
host
A computer connected to a computer network and assigned a network layer host address.[20]
Internet Assigned Numbers Authority (IANA)
The entity that oversees global IP address allocation, autonomous system number allocation, root zone management in the Domain Name System (DNS), media types, and other Internet Protocol-related symbols and numbers.[21]
Internet Protocol (IP)
The principal communications protocol responsible for addressing hosts and routing datagrams (packets) from a source host to the destination host across one or more networks.[22]
IP fragmentation
The Internet Protocol fragmentation and reassembly procedure that can break a datagram into pieces that may later be reassembled based on identification, offset, and length.[23]
network address translation (NAT)
The process of modifying IP address information in IP packet headers while in transit across a traffic routing device.[24]
octet
A unit of digital information in computing and telecommunications that consists of eight bits.[25]
packet switching
A digital networking communications method that groups all transmitted data into variably-sized blocks, called packets, for delivery over a shared network.[26]
Regional Internet Registry (RIR)
An organization that manages the allocation and registration of Internet number resources within a particular region of the world.[27]
robustness principle
Be liberal in what you accept, and conservative in what you send.[28]
scalability
The ability of a system, network, or process, to handle a growing amount of work in a capable manner or its ability to be enlarged to accommodate that growth.[29]

Review Questions

  1. The Internet layer is a group of internetworking methods, protocols, and specifications in the Internet protocol suite that are used to _____ from the originating _____ across _____, if necessary, to the destination _____ specified by a network address.
    The Internet layer is a group of internetworking methods, protocols, and specifications in the Internet protocol suite that are used to transport datagrams from the originating host across network boundaries, if necessary, to the destination host specified by a network address.
  2. The Internet layer is not responsible for reliable transmission. It provides only _____.
    The Internet layer is not responsible for reliable transmission. It provides only an unreliable connection-less service, and "best effort" delivery.
  3. The core protocols used in the Internet layer are _____.
    The core protocols used in the Internet layer are IPv4, IPv6, the Internet Control Message Protocol (ICMP), and the Internet Group Management Protocol (IGMP).
  4. The _____ is primarily used for error and diagnostic functions.
    The Internet Control Message Protocol (ICMP) is primarily used for error and diagnostic functions.
  5. The _____ is used by IPv4 hosts and adjacent multicast routers to establish multicast group memberships.
    The Internet Group Management Protocol (IGMP) is used by IPv4 hosts and adjacent multicast routers to establish multicast group memberships.
  6. Internet Protocol Security (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications by _____ and/or _____ each IP packet in a data stream.
    Internet Protocol Security (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications by authenticating and/or encrypting each IP packet in a data stream.
  7. Each IP datagram has two components, a header and a data payload. The IP header is tagged with _____ needed to route and deliver the datagram.
    Each IP datagram has two components, a header and a data payload. The IP header is tagged with the source IP address, destination IP address, and other meta-data needed to route and deliver the datagram.
  8. IPv4 uses _____ addresses, most often written in the _____ notation.
    IPv4 uses 32-bit (four-byte) addresses, most often written in the dotted decimal notation.
  9. Private IPv4 network address ranges are reserved for use in private networks and include _____.
    Private IPv4 network address ranges are reserved for use in private networks and include 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
  10. Private networks communicate with public networks through _____.
    Private networks communicate with public networks through network address translation (NAT).
  11. The link-local IPv4 address range, _____, is similar to a private network address range but is not routable.
    The link-local IPv4 address range, 169.254.0.0/16, is similar to a private network address range but is not routable.
  12. The loopback address range, _____ is reserved for loopback, or internal host addressing.
    The loopback address range, 127.0.0.0/8 is reserved for loopback, or internal host addressing.
  13. The primary address pool of the Internet, maintained by the Internet Assigned Numbers Authority (IANA), was exhausted in _____.
    The primary address pool of the Internet, maintained by the Internet Assigned Numbers Authority (IANA), was exhausted in 2011.
  14. Valid IPv4 host addresses have a first octet in the range _____ (originally Class A), _____ (originally Class B), or _____ (originally Class C).
    Valid IPv4 host addresses have a first octet in the range 1-126 (originally Class A), 128-191 (originally Class B), or 192-223 (originally Class C).
  15. Multicast addresses have a first octet in the range _____ (originally Class D).
    Multicast addresses have a first octet in the range 224-239 (originally Class D).
  16. Addresses with a first octet in the range _____ are unused (reserved / experimental).
    Addresses with a first octet in the range 240-255 are unused (reserved / experimental).
  17. Classful networking was replaced by _____ starting in 1993.
    Classful networking was replaced by Classless Inter-Domain Routing (CIDR) starting in 1993.


IP address registration information may be located using one of the five Regional Internet Registry Whois databases. These activities will show you how to find the registrant or service provider for a given IP address.

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.

Activity 1 - Determine your Regional Internet Registry

To determine your Regional Internet Registry:

  1. Review Wikipedia: Regional Internet Registry.

Activity 2 - Search for a Public IPv4 Address

To search for a public IPv4 address:

  1. Navigate to the home page of one of the five Regional Internet Registries: AFRINIC, APNIC, ARIN, LACNIC, or RIPE NCC.
  2. Locate the Whois / Search Database feature on the registry home page.
  3. Enter 8.8.8.8 in the search box. This is the IPv4 address of one of Google's public DNS servers. Press Enter or select the submit button to submit your search.
  4. Review the returned registration information.

Activity 3 - Search for a Private IPv4 Address

To search for a private IPv4 address:

  1. Enter 192.168.0.1 in the search box. This is a private IP address. Press Enter or select the submit button to submit your search.
  2. Review the returned registration information.

Activity 4 - Search for a Link-Local IPv4 Address

To search for a link-local IPv4 address:

  1. Enter 169.254.1.1 in the search box. This is a link-local address. Press Enter or select the submit button to submit your search.
  2. Review the returned registration information.

Activity 5 - Search for a Loopback IPv4 Address

To search for a loopback IPv4 address:

  1. Enter 127.0.0.1 in the search box. This is a loopback address. Press Enter or select the submit button to submit your search.
  2. Review the returned registration information.

Activity 6 - Search for a Multicast IPv4 Address

To search for a multicast IPv4 address:

  1. Enter 224.0.0.1 in the search box. This is a multicast address (the all-hosts group). Press Enter or select the submit button to submit your search.
  2. Review the returned registration information.

Activity 7 - Search for a Reserved IPv4 Address

To search for a reserved IPv4 address:

  1. Enter 240.0.0.1 in the search box. This is a reserved address from the former Class E range (240.0.0.0/4). Press Enter or select the submit button to submit your search.
  2. Review the returned registration information.

Activity 8 - Search for a Public IPv6 Address

To search for a public IPv6 address:

  1. Enter 2001:4860:4860::8888 in the search box. This is the IPv6 address of one of Google's public DNS servers. Press Enter or select the submit button to submit your search.
  2. Review the returned registration information.
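
The lesson summary lists the special-purpose IPv4 ranges, and Activities 2 to 8 show that only a public address returns a registrant or provider from a Regional Internet Registry. The following Python example, added here and not part of the original course, classifies an address into those categories with the standard ipaddress module, derives the historical class from the leading bits of the first octet, and handles the IPv6 address from Activity 8 using the module's own attributes. The sample addresses are the ones used in the activities plus one constructed public Class B host.

```python
import ipaddress

# Special-purpose IPv4 ranges named in the lesson summary, checked in this order
SPECIAL_RANGES = [
    ("private", ipaddress.ip_network("10.0.0.0/8")),
    ("private", ipaddress.ip_network("172.16.0.0/12")),
    ("private", ipaddress.ip_network("192.168.0.0/16")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("multicast", ipaddress.ip_network("224.0.0.0/4")),   # first octet 224-239, former Class D
    ("reserved", ipaddress.ip_network("240.0.0.0/4")),    # first octet 240-255, former Class E
    ("reserved", ipaddress.ip_network("0.0.0.0/8")),      # "this network", never a valid host address
]


def historical_class(addr):
    """Class from the leading bits of the first octet: 0xxx A, 10xx B, 110x C, 1110 D, 1111 E."""
    first = int(addr) >> 24
    if first & 0x80 == 0:
        return "A"
    if first & 0xC0 == 0x80:
        return "B"
    if first & 0xE0 == 0xC0:
        return "C"
    if first & 0xF0 == 0xE0:
        return "D"
    return "E"


def classify(ip_str):
    """Return (category, historical class) for IPv4, or (category, None) for IPv6.

    Only 'public' addresses are assigned to an organisation or provider, so only
    those give a meaningful answer from a Regional Internet Registry Whois lookup.
    """
    addr = ipaddress.ip_address(ip_str)
    if addr.version == 6:
        if addr.is_loopback:
            return "loopback", None
        if addr.is_link_local:
            return "link-local", None
        if addr.is_multicast:
            return "multicast", None
        if addr.is_private:
            return "private", None
        return ("public" if addr.is_global else "reserved"), None
    for category, net in SPECIAL_RANGES:
        if addr in net:
            return category, historical_class(addr)
    return "public", historical_class(addr)


def whois_worthwhile(ip_str):
    """Skip the registry lookup for anything that is not publicly assigned."""
    return classify(ip_str)[0] == "public"


# Addresses from the Whois activities plus 172.32.0.1, a constructed public host just outside 172.16.0.0/12
SAMPLES = ["8.8.8.8", "192.168.0.1", "169.254.1.1", "127.0.0.1",
           "224.0.0.1", "240.0.0.1", "172.32.0.1", "2001:4860:4860::8888"]

if __name__ == "__main__":
    for ip in SAMPLES:
        print(f"{ip:>22}  {classify(ip)}  whois: {whois_worthwhile(ip)}")
```

The 172.32.0.1 case is the one people get wrong by eye: 172.16.0.0/12 covers 172.16.0.0 through 172.31.255.255 only, so the /12 membership test, not the first two octets, decides whether an address is private.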

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze local IPv4 traffic.

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture Local IPv4 Traffic

To capture local IPv4 traffic:

  1. Start a Wireshark capture.
  2. Use ping <default gateway address> to ping the default gateway address.
  3. Stop the Wireshark capture.

Activity 2 - Analyze Local IPv4 Outbound Traffic

To analyze local IPv4 outbound traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMP listed as the protocol. To view only ICMP traffic, type icmp (lower case) in the Filter box and press Enter.
  2. Select the first ICMP packet, labeled Echo (ping) request.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
  4. Expand Ethernet II to view Ethernet details.
  5. Observe the Destination field. This should contain the MAC address of your default gateway. You can use arp -a to confirm.
  6. Observe the Source field. This should contain your MAC address. You can use ipconfig /all or getmac to confirm.
  7. Observe the Type field. Notice that the type is 0x0800, indicating IP.
  8. Expand Internet Protocol Version 4 to view IP details.
  9. Observe the Source address. Notice that the source address is your IP address.
  10. Observe the Destination address. Notice that the destination address is the default gateway IP address.

Activity 3 - Analyze Local IPv4 Inbound Traffic

To analyze local IPv4 inbound traffic:

  1. In the top Wireshark packet list pane, select the second ICMP packet, labeled Echo (ping) reply.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination field. This should contain your MAC address.
  5. Observe the Source field. This should contain the MAC address of your default gateway.
  6. Observe the Type field. Notice that the type is 0x0800, indicating IP.
  7. Expand Internet Protocol Version 4 to view IP details.
  8. Observe the Source address. Notice that the source address is the default gateway IP address.
  9. Observe the Destination address. Notice that the destination address is your IP address.
  10. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze remote IPv4 traffic.

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture Remote IPv4 Traffic

To capture remote IPv4 traffic:

  1. Start a Wireshark capture.
  2. Use ping 8.8.8.8 to ping an Internet host by IP address.
  3. Stop the Wireshark capture.

Activity 2 - Analyze Remote IPv4 Outbound Traffic

To analyze remote IPv4 outbound traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMP listed as the protocol. To view only ICMP traffic, type icmp (lower case) in the Filter box and press Enter.
  2. Select the first ICMP packet, labeled Echo (ping) request.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
  4. Expand Ethernet II to view Ethernet details.
  5. Observe the Destination field. This should contain the MAC address of your default gateway. You can use arp -a to confirm. Notice that remote Internet layer traffic is processed as local Link layer traffic. The default gateway will route the packet to the Internet.
  6. Observe the Source field. This should contain your MAC address. You can use ipconfig /all or getmac to confirm.
  7. Observe the Type field. Notice that the type is 0x0800, indicating IP.
  8. Expand Internet Protocol Version 4 to view IP details.
  9. Observe the Source address. Notice that the source address is your IP address.
  10. Observe the Destination address. Notice that the destination address is the Internet host IP address.

Activity 3 - Analyze Remote IPv4 Inbound Traffic

To analyze remote IPv4 inbound traffic:

  1. In the top Wireshark packet list pane, select the second ICMP packet, labeled Echo (ping) reply.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination field. This should contain your MAC address.
  5. Observe the Source field. This should contain the MAC address of your default gateway. Notice that the remote Internet layer traffic is returned as local Link layer traffic. The routers between the Internet host and your network routed the packet back to your router so that it could forward the packet back to your computer.
  6. Observe the Type field. Notice that the type is 0x0800, indicating IP.
  7. Expand Internet Protocol Version 4 to view IP details.
  8. Observe the Source address. Notice that the source address is the Internet host IP address.
  9. Observe the Destination address. Notice that the destination address is your IP address.
  10. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze fragmented IPv4 traffic.

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture Fragmented IPv4 Traffic

To capture fragmented IPv4 traffic:

  1. Start a Wireshark capture.
  2. Use ping -l 2500 <default gateway address> to ping the default gateway with 2,500 bytes of ICMP data. With the 8-byte ICMP header and the 20-byte IPv4 header the datagram is 2,528 bytes, larger than the default Ethernet maximum transmission unit (MTU) of 1,500 bytes, so IP must send it as two fragments.
  3. Stop the Wireshark capture.

Activity 2 - Analyze Fragmented IPv4 Outbound Traffic

To analyze fragmented IPv4 outbound traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMP listed as the protocol. To find only ICMP traffic, type icmp (lower case) in the Filter box and press Enter.
  2. Select the first ICMP packet, labeled Echo (ping) request.
  3. If you applied an icmp filter, clear the filter so you can see the IPv4 fragments.
  4. Select the IPv4 packet immediately above the first ICMP packet.
  5. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 frame whose payload is shown only as Data: with IP reassembly enabled (the default), Wireshark does not decode the ICMP header until the last fragment arrives, which is why the Echo (ping) request label appears on the final fragment rather than on this one.
  6. Expand Internet Protocol Version 4 to view IP details.
  7. Expand Flags to view flag details.
  8. Observe the More fragments field. Notice that it is set, indicating more fragments will follow.
  9. Observe the Fragment offset field. Notice that it is 0, indicating this is the first fragment.
  10. Observe the Total length and Header length fields. Subtract header length from total length to determine the size of this fragment.
  11. In the top Wireshark packet list pane, select the next packet, labeled Echo (ping) request.
  12. View IP details.
  13. Observe the More fragments field. Notice that it is not set, indicating no more fragments will follow.
  14. Observe the Fragment offset field. Notice that it is the same as the size calculated for the first fragment (1,480). Wireshark shows the offset in bytes; the header itself stores it in units of 8 bytes, so the raw 13-bit field value is 185.
  15. Observe the Total length and Header length fields. Subtract header length from total length to determine the size of this fragment.
  16. Add the sizes of the two fragments together to determine total data length. It should be 2,508, indicating 2,500 bytes of ICMP data and an 8 byte ICMP header.

Activity 3 - Analyze Fragmented IPv4 Inbound Traffic

To analyze fragmented IPv4 inbound traffic:

  1. In the top Wireshark packet list pane, select the second ICMP packet, labeled Echo (ping) reply.
  2. Select the IPv4 packet immediately above the second ICMP packet.
  3. View IP details.
  4. Observe the More fragments field. Notice that it is set, indicating more fragments will follow.
  5. Observe the Fragment offset field. Notice that it is 0, indicating this is the first fragment.
  6. Observe the Total length and Header length fields. Subtract header length from total length to determine the size of this fragment.
  7. In the top Wireshark packet list pane, select the next packet, labeled Echo (ping) reply.
  8. View IP details.
  9. Observe the More fragments field. Notice that it is not set, indicating no more fragments will follow.
  10. Observe the Fragment offset field. Notice that it is the same as the size calculated for the first fragment.
  11. Observe the Total length and Header length fields. Subtract header length from total length to determine the size of this fragment.
  12. Add the sizes of the two fragments together to determine total data length. It should be 2,508, indicating 2,500 bytes of ICMP data and an 8 byte ICMP header.
  13. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
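
The local, remote and fragmented IPv4 activities above read the same IPv4 and ICMP header fields by hand. The following Python script, added as an example and not code from the original course, builds the datagram that ping -l 2500 produces from constructed addresses, fragments it at a 1,500-byte MTU as described in Activity 1, parses each fragment's flags, offset and size the way the activity steps do, verifies the IPv4 and ICMP checksums, and reassembles the fragments into the 2,508-byte ICMP message. The addresses, identification value and payload bytes are illustrative assumptions.

```python
import struct

MTU = 1500            # default Ethernet payload size
IPV4_HLEN = 20        # header without options
ICMP_HLEN = 8
PROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8


def checksum(data):
    """RFC 1071 one's-complement sum shared by the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, payload_len, ident, more_fragments, frag_offset, ttl=128):
    """20-byte IPv4 header; frag_offset is given in bytes and stored in 8-byte units."""
    flags_frag = (more_fragments << 13) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HLEN + payload_len, ident, flags_frag,
                      ttl, PROTO_ICMP, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp_echo(kind, ident, seq, data):
    msg = struct.pack("!BBHHH", kind, 0, 0, ident, seq) + data
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def fragment(src, dst, payload, ident, mtu=MTU):
    """Split one IP payload into fragments that fit the MTU, as the sender does for ping -l 2500."""
    max_data = (mtu - IPV4_HLEN) // 8 * 8   # 1480: every fragment but the last carries a multiple of 8
    frags = []
    for off in range(0, len(payload), max_data):
        chunk = payload[off:off + max_data]
        more = 1 if off + len(chunk) < len(payload) else 0
        frags.append(ipv4_header(src, dst, len(chunk), ident, more, off) + chunk)
    return frags


def parse_ipv4(pkt):
    """Decode the header fields the activities read and verify the header checksum."""
    ver_ihl, _, total_len, ident, flags_frag, ttl, proto, _ = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < IPV4_HLEN:
        raise ValueError("not an IPv4 header")
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {
        "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
        "id": ident, "ttl": ttl, "proto": proto,
        "header_len": ihl, "total_len": total_len,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # bytes, which is how Wireshark displays it
        "fragment_size": total_len - ihl,               # the "total length minus header length" step
        "data": pkt[ihl:total_len],
    }


def reassemble(frags):
    """Reassemble fragments of one datagram; reject gaps, overlaps, mixed datagrams and a missing tail."""
    parsed = sorted((parse_ipv4(f) for f in frags), key=lambda p: p["fragment_offset"])
    if len({(p["src"], p["dst"], p["id"], p["proto"]) for p in parsed}) != 1:
        raise ValueError("fragments belong to different datagrams")
    buf, expected = bytearray(), 0
    for p in parsed:
        if p["fragment_offset"] != expected:
            raise ValueError("gap or overlap at offset %d" % expected)
        buf += p["data"]
        expected += p["fragment_size"]
    if parsed[-1]["more_fragments"]:
        raise ValueError("last fragment missing")
    return bytes(buf)


def parse_icmp(msg):
    if checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    kind, code, _, ident, seq = struct.unpack("!BBHHH", msg[:ICMP_HLEN])
    return {"type": kind, "code": code, "id": ident, "seq": seq, "data_len": len(msg) - ICMP_HLEN}


# Constructed sample: ping -l 2500 from 192.168.1.10 to a gateway at 192.168.1.1 (illustrative addresses)
ECHO = icmp_echo(ICMP_ECHO_REQUEST, 1, 1, bytes(range(256)) * 9 + bytes(196))   # 8-byte header + 2500 data
FRAGS = fragment("192.168.1.10", "192.168.1.1", ECHO, ident=0x1234)

if __name__ == "__main__":
    for f in FRAGS:
        print({k: v for k, v in parse_ipv4(f).items() if k != "data"})
    whole = reassemble(FRAGS)
    print("reassembled", len(whole), "bytes:", parse_icmp(whole))
```

The first fragment comes out with total length 1,500, More fragments set and offset 0; the second with total length 1,048, More fragments clear and offset 1,480. Their data sizes add up to 2,508, the figure the activity asks you to reach by hand. The reassembler insists on contiguous, non-overlapping fragments from a single datagram, which is the same discipline a receiving stack needs so that an overlapping or missing fragment cannot produce a message no sender transmitted.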

Lesson 6 - Subnetting

This lesson continues the Internet layer and looks at subnetworks, Classless Inter-Domain Routing (CIDR), subnetting, and supernetworks. Activities include IPv4 subnetting, and using the Cisco Subnet Game.

Readings

  1. Wikipedia: Subnetwork
  2. Wikipedia: IPv4 subnetting reference
  3. Wikipedia: CIDR notation
  4. Wikipedia: Classless Inter-Domain Routing
  5. Wikipedia: Supernetwork

Multimedia

  1. YouTube: Subnetting, Cisco CCNA, Binary Numbers - Part 1
  2. YouTube: Subnetting, Cisco CCNA, Binary Numbers - Part 2
  3. YouTube: Subnetting, Cisco CCNA, Binary Numbers - Part 3
  4. YouTube: Subnetting, Cisco CCNA, Binary Numbers - Part 4
  5. YouTube: Subnetting Cisco CCNA - Part 1 The Magic Number
  6. YouTube: Subnetting Cisco CCNA - Part 2 The Magic Number
  7. YouTube: Subnetting Cisco CCNA - Part 3 The Magic Number
  8. YouTube: Subnetting Cisco CCNA - Part 4 The Magic Number
  9. YouTube: Subnetting Cisco CCNA - Part 5 The Magic Number
  10. YouTube: Subnetting Cisco CCNA - Part 6 The Magic Number

Activities

  1. Review Cisco: IP Addressing and Subnetting for New Users.
  2. Review Understanding TCP/IP addressing and subnetting basics.
  3. Experiment with an online subnet calculator such as Online IP Subnet Calculator.
  4. Generate practice subnetting questions using this Subnet Calculator.
  5. Review EasySubnetting.com subnetting resources.
  6. Play the Cisco: Subnet Troubleshooting Game.
  7. Consider situations in which a packet analyzer might be used to troubleshoot subnetting and routing traffic.

Lesson Summary

  • An IP address has two fields, a network prefix and a host identifier.[1]
  • The network prefix is identified using CIDR notation.[2]
  • In IPv4, the network prefix may also be identified using a 32-bit subnet mask in dotted-decimal notation.[3]
  • A network is divided into two or more subnetworks by dividing the host identifier field into separate subnet number and smaller host identifier fields.[4]
  • All hosts on a subnetwork have the same network prefix.[5]
  • Traffic between subnets is exchanged through a router.[6]
  • The first address on any given IPv4 network or subnet is reserved for the network itself.[7]
  • The last address on any given IPv4 network or subnet is reserved for broadcast.[8]
  • The separation of the network prefix/subnet number from the host identifier is performed by a bitwise AND operation between the IP address and the (sub)network mask.[9]
  • The number of subnetworks created by subnetting can be calculated as 2^n, where n is the number of bits used for subnetting.[10]
  • The number of available hosts on each subnet can be calculated as 2^n - 2, where n is the number of bits available for the host identifier.[11]
  • The goal of Classless Inter-Domain Routing was to slow the growth of routing tables on routers across the Internet, and to help slow the rapid exhaustion of IPv4 addresses.[12]
  • Classless Inter-Domain Routing is based on variable-length subnet masking (VLSM), which allows a network to be divided into variously sized subnets, providing the opportunity to size a network more appropriately for local needs.[13]
  • The benefits of supernetting are conservation of address space and efficiencies gained in routers in terms of memory storage of route information and processing overhead when matching routes.[14]
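The following is an added worked example, not part of the Wikiversity course, that puts the summary's rules into code: the bitwise AND that separates the prefix from the host identifier, the 2^n subnet count, the 2^n - 2 usable-host count, and CIDR supernetting. It uses plain integer arithmetic so each step is visible, and the standard-library ipaddress module only as a cross-check; all addresses in it are constructed sample values.

```python
"""Worked IPv4 subnetting example. Added to illustrate the lesson summary;
it is not part of the Wikiversity course. Plain integer arithmetic keeps the
bitwise AND, the 2^n subnet count and the 2^n - 2 host count visible; the
standard-library ipaddress module is used only as a cross-check."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def ip_to_int(dotted):
    """Dotted-decimal IPv4 text -> 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value):
    """32-bit integer -> dotted-decimal text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix_len):
    """A subnet mask is prefix_len 1-bits followed by 0-bits (see Key Terms)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (ALL_ONES << (32 - prefix_len)) & ALL_ONES


def mask_to_prefix(mask_dotted):
    """Dotted-decimal mask -> prefix length. A mask whose 1-bits are not
    contiguous (e.g. 255.0.255.0) is not a valid CIDR mask and is rejected."""
    mask = ip_to_int(mask_dotted)
    ones = bin(mask).count("1")
    if mask != prefix_to_mask(ones):
        raise ValueError(f"non-contiguous subnet mask: {mask_dotted}")
    return ones


def describe(cidr):
    """Network, broadcast, usable range and host count for an address in CIDR form."""
    addr_text, prefix_text = cidr.split("/")
    prefix_len = int(prefix_text)
    mask = prefix_to_mask(prefix_len)
    network = ip_to_int(addr_text) & mask      # bitwise AND strips the host identifier
    broadcast = network | (~mask & ALL_ONES)   # host bits all set to 1
    host_bits = 32 - prefix_len
    # 2^n - 2 applies when there is room for the reserved network and broadcast
    # addresses; /31 (RFC 3021 point-to-point links) and /32 use every address.
    usable = 2 ** host_bits - 2 if host_bits >= 2 else 2 ** host_bits
    return {
        "network": int_to_ip(network),
        "mask": int_to_ip(mask),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(network + 1 if host_bits >= 2 else network),
        "last_host": int_to_ip(broadcast - 1 if host_bits >= 2 else broadcast),
        "usable_hosts": usable,
    }


def subnet(cidr, borrow_bits):
    """Split a network into 2^borrow_bits subnets by moving bits from the host
    identifier into a subnet number. Returns the subnets in CIDR form."""
    new_prefix = int(cidr.split("/")[1]) + borrow_bits
    if new_prefix > 32:
        raise ValueError("not enough host bits to borrow")
    start = ip_to_int(describe(cidr)["network"])
    block = 2 ** (32 - new_prefix)             # addresses per subnet
    return [f"{int_to_ip(start + i * block)}/{new_prefix}" for i in range(2 ** borrow_bits)]


def supernet(cidrs):
    """Summarise several networks into the smallest single CIDR block that
    covers all of them (supernetting / route aggregation)."""
    ranges = [describe(c) for c in cidrs]
    lo = min(ip_to_int(r["network"]) for r in ranges)
    hi = max(ip_to_int(r["broadcast"]) for r in ranges)
    prefix_len = 32
    while prefix_len > 0 and (lo & prefix_to_mask(prefix_len)) != (hi & prefix_to_mask(prefix_len)):
        prefix_len -= 1                         # shorten until both ends share the prefix
    return f"{int_to_ip(lo & prefix_to_mask(prefix_len))}/{prefix_len}"


def cross_check(cidr):
    """Confirm the hand-rolled arithmetic against ipaddress for the same block."""
    net = ipaddress.ip_network(cidr, strict=False)
    mine = describe(cidr)
    return (mine["network"] == str(net.network_address)
            and mine["broadcast"] == str(net.broadcast_address)
            and mine["mask"] == str(net.netmask))


if __name__ == "__main__":
    print(describe("192.168.10.77/26"))
    print(subnet("192.168.10.0/24", 2))
    print(supernet(["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]))
```

Note that mask_to_prefix deliberately rejects non-contiguous masks: a mask such as 255.0.255.0 cannot be written in CIDR notation, and accepting it silently is a common source of wrong answers in subnet calculators and firewall rule parsers.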

Key Terms
bitwise AND
A binary operation that takes two representations of equal length and performs the logical AND operation on each pair of corresponding bits. The result in each position is 1 if the first bit is 1 and the second bit is 1; otherwise, the result is 0.[15]
CIDR notation
A compact specification of an Internet Protocol address and its associated routing prefix.[16]
provider-independent address space
A block of IP addresses assigned by a regional Internet registry (RIR) directly to an end-user organization.[17]
routing table
A data table stored in a router or a networked computer that lists the routes to particular network destinations, and in some cases, metrics (distances) associated with those routes.[18]
subnet
A logically visible subdivision of an IP network.[19]
subnet mask
A bitmask that encodes the (sub)network prefix length in dotted-decimal notation, starting with a number of 1 bits equal to the prefix length, ending with 0 bits, and encoded in four-part dotted-decimal format.[20]
subnetting
The practice of dividing a network into two or more networks.[21]
supernet
An Internet Protocol (IP) network that is formed from the combination of two or more networks (or subnets) with a common Classless Inter-Domain Routing (CIDR) prefix.[22]

Review Questions
  1. An IP address has two fields, _____.
    An IP address has two fields, a network prefix and a host identifier.
  2. The network prefix is identified using _____.
    The network prefix is identified using CIDR notation.
  3. In IPv4, in addition to using CIDR notation, the network prefix may be identified using _____.
    In IPv4, in addition to using CIDR notation, the network prefix may be identified using a 32-bit subnet mask in dotted-decimal notation.
  4. A network is divided into two or more subnetworks by dividing _____.
    A network is divided into two or more subnetworks by dividing the host identifier field into separate subnet number and smaller host identifier fields.
  5. All hosts on a subnetwork have the same _____.
    All hosts on a subnetwork have the same network prefix.
  6. Traffic between subnets is exchanged through a _____.
    Traffic between subnets is exchanged through a router.
  7. The first address on any given network or subnet is reserved for _____.
    The first address on any given IPv4 network or subnet is reserved for the network itself.
  8. The last address on any given IPv4 network or subnet is reserved for _____.
    The last address on any given IPv4 network or subnet is reserved for broadcast.
  9. The separation of the network prefix/subnet number from the host identifier is performed by _____.
    The separation of the network prefix/subnet number from the host identifier is performed by a bitwise AND operation between the IP address and the (sub)network mask.
  10. The number of subnetworks created by subnetting can be calculated as _____.
    The number of subnetworks created by subnetting can be calculated as 2^n, where n is the number of bits used for subnetting.
  11. The number of available hosts on each subnet can be calculated as _____.
    The number of available hosts on each subnet can be calculated as 2^n - 2, where n is the number of bits available for the host identifier.
  12. The goal of Classless Inter-Domain Routing was to _____.
    The goal of Classless Inter-Domain Routing was to slow the growth of routing tables on routers across the Internet, and to help slow the rapid exhaustion of IPv4 addresses.
  13. Classless Inter-Domain Routing is based on _____.
    Classless Inter-Domain Routing is based on variable-length subnet masking (VLSM).
  14. The benefits of supernetting are _____.
    The benefits of supernetting are conservation of address space and efficiencies gained in routers in terms of memory storage of route information and processing overhead when matching routes.

References
  Type classification: this is a lesson resource.
  Completion status: this resource is considered to be complete.

Lesson 7 - IPv6

This lesson continues the Internet layer and looks at IPv6 and a variety of IPv6 transition technologies. Activities include using Wireshark to examine IPv6 network traffic.

Readings
  1. Wikipedia: IPv6
  2. Wikipedia: Link-local address
  3. Wikipedia: Teredo tunneling
  4. Wikipedia: ISATAP
  5. Wikipedia: 6to4
  6. Wikipedia: 6in4
  7. Wikipedia: NAT64

Multimedia
  1. YouTube: An overview of IPv4 and IPv6 - CompTIA Network+ N10-005: 1.3
  2. YouTube: IPv6 Transition Technology

Activities
  1. Use netsh to configure IPv6 settings.
  2. Use Wireshark to capture and analyze local IPv6 traffic.
  3. Use Wireshark to capture and analyze remote IPv6 traffic.
  4. Use Wireshark to capture and analyze IPv6 Teredo traffic.
  5. Use Wireshark to capture and analyze IPv6 6to4 traffic.
  6. Use Wireshark to capture and analyze IPv6 6in4 traffic.
  7. Consider situations in which a packet analyzer might be used to troubleshoot IPv6 traffic.

Lesson Summary
  • IPv6 is an Internet-layer protocol for packet-switched internetworking and provides end-to-end datagram transmission across multiple IP networks.[1]
  • IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of running out of IPv4 addresses.[2]
  • IPv6 uses 128-bit addresses, commonly displayed to users as eight groups of four hexadecimal digits separated by colons.[3]
  • In an IPv6 address, leading zeroes may be removed from any group of hexadecimal digits. Multiple consecutive groups of zeroes may be replaced with a double colon (::).[4]
  • The IPv6 subnet size has been standardized by fixing the size of the host identifier portion of an address to 64 bits.[5]
  • IPv6 does not implement interoperability features with IPv4, but essentially creates a parallel, independent network. Exchanging traffic between the two networks requires special translator gateways.[6]
  • Work on IPv6 began by 1992, and was first published in a series of RFCs in 1996.[7]
  • Most transport and application-layer protocols need little or no change to operate over IPv6.[8]
  • Multicasting is part of the base specification in IPv6. IPv6 does not implement traditional IP broadcast and does not define broadcast addresses.[9]
  • IPv6 hosts can configure themselves automatically when connected to a routed IPv6 network using the Neighbor Discovery Protocol via Internet Control Message Protocol version 6 (ICMPv6) router discovery messages.[10]
  • IPv6 routers do not perform fragmentation.[11]
  • Privacy extensions for IPv6 allow the operating system to generate ephemeral IP addresses by concatenating a randomly generated host identifier with the assigned network prefix for communication with remote hosts.[12]
  • The IPv6 header consists of a fixed portion with minimal functionality required for all packets and may be followed by optional extensions to implement special features. The fixed header requires 40 octets (320 bits) and contains the source and destination addresses, traffic classification options, a hop counter, and the type of the optional extension or payload which follows the fixed header.[13]
  • The IPv6 loopback address is ::1.[14]
  • Link-local addresses begin with fe80::/10.[15]
  • Tunneling may be used to enable IPv4 networks to communicate with IPv6 networks. In tunneling, IPv6 packets are encapsulated within IPv4 packets, in effect using IPv4 as a link layer for IPv6.[16]
  • Teredo is an automatic inter-site tunneling technique that uses UDP encapsulation and can cross Network Address Translation (NAT) nodes.[17] Teredo addresses begin with 2001:0::/32.[18]
  • ISATAP is an automatic intra-site tunneling technique that uses IPv4 encapsulation. It cannot cross NAT nodes.[19] ISATAP addresses begin with fe80::200:5efe/96.[20]
  • 6to4 is an automatic inter-site tunneling technique that uses IPv4 encapsulation. It cannot cross NAT nodes.[21] 6to4 addresses begin with 2002::/16 and relay through 192.88.99.1.[22]
  • 6in4 is a configured inter-site tunneling technique that uses IPv4 encapsulation. It can cross NAT nodes with proper configuration.[23] 6in4 addresses are public addresses assigned by the tunnel broker, and therefore create security risks.[24]
  • NAT64 is a network address translation technique that allows IPv6-only hosts to communicate with IPv4-only servers. NAT64 server addresses begin with 64:ff9b::/96.[25]
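The following added example (not part of the Wikiversity course) implements the address rules from this summary: it expands the shorthand forms (dropped leading zeros, one "::" for a run of zero groups) into a 128-bit value by hand, then classifies an address against the prefixes the summary lists (loopback, link-local, ISATAP, Teredo, 6to4, NAT64) and, for 6to4 and NAT64, recovers the IPv4 address embedded in it. Being able to do this from a log line or a capture is how an analyst spots tunnelled or translated IPv6 traffic that a firewall policy written for native IPv6 might miss. The sample addresses are constructed, and the ISATAP prefix is the page's fe80::200:5efe/96 written out as a full address so the /96 covers the intended bits.

```python
"""IPv6 address expansion and classification. Added as an example for this
lesson summary; not part of the Wikiversity course. The '::' expansion is
implemented by hand so the rule is visible; ipaddress is used as a cross-check.
Sample addresses are constructed for illustration."""
import ipaddress

# Prefixes the summary lists. The ISATAP entry is the page's fe80::200:5efe/96
# written out in full so that the /96 covers the bits it is meant to (the
# 0200:5efe pair sits in groups 5 and 6, just before the embedded IPv4 address).
# More specific entries come first.
PREFIXES = [
    ("::1", 128, "loopback"),
    ("fe80:0:0:0:200:5efe::", 96, "ISATAP link-local"),
    ("fe80::", 10, "link-local"),
    ("2001:0::", 32, "Teredo"),
    ("2002::", 16, "6to4"),
    ("64:ff9b::", 96, "NAT64"),
]


def expand(text):
    """Return the eight 16-bit groups of an IPv6 address.
    Leading zeros in a group may be omitted and one '::' stands for one or more
    all-zero groups, exactly as the summary describes."""
    if text.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in text:
        head, tail = text.split("::")
        head_groups = [int(g, 16) for g in head.split(":")] if head else []
        tail_groups = [int(g, 16) for g in tail.split(":")] if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must replace at least one zero group")
        groups = head_groups + [0] * missing + tail_groups
    else:
        groups = [int(g, 16) for g in text.split(":")]
    if len(groups) != 8 or any(not 0 <= g <= 0xFFFF for g in groups):
        raise ValueError(f"malformed IPv6 address: {text}")
    return groups


def to_int(text):
    """Pack the eight groups into a single 128-bit integer."""
    value = 0
    for group in expand(text):
        value = (value << 16) | group
    return value


def in_prefix(addr, prefix, length):
    """True if the top `length` bits of addr equal those of prefix (a bitwise AND, as in IPv4)."""
    mask = ((1 << length) - 1) << (128 - length)
    return (addr & mask) == (prefix & mask)


def classify(text):
    """Name the address family from the lesson's prefix table, or 'global or other'."""
    addr = to_int(text)
    for prefix_text, length, label in PREFIXES:
        if in_prefix(addr, to_int(prefix_text), length):
            return label
    return "global or other"


def embedded_ipv4(text):
    """Recover the IPv4 address carried inside a 6to4 or NAT64 address.
    6to4 stores it in bits 16-47 (2002:V4V4:V4V4::/48); NAT64 with the
    64:ff9b::/96 prefix stores it in the last 32 bits. Returns None otherwise."""
    addr = to_int(text)
    label = classify(text)
    if label == "6to4":
        v4 = (addr >> 80) & 0xFFFFFFFF
    elif label == "NAT64":
        v4 = addr & 0xFFFFFFFF
    else:
        return None
    return ".".join(str((v4 >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def matches_stdlib(text):
    """Cross-check the hand parser against the standard library."""
    return to_int(text) == int(ipaddress.IPv6Address(text))


if __name__ == "__main__":
    for sample in ("::1", "fe80::1", "fe80::200:5efe:c0a8:101",
                   "2001:0:4136:e378:8000:63bf:3fff:fdd2",
                   "2002:c000:204::1", "64:ff9b::c000:204", "2001:4860:4860::8888"):
        print(f"{sample:40} {classify(sample):18} {embedded_ipv4(sample)}")
```

The parser handles only the colon-hexadecimal forms the summary describes; the mixed form with a trailing dotted-decimal IPv4 address (for example ::ffff:192.0.2.1) is rejected rather than silently misread.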

Key Terms
anycast
A network addressing and routing methodology in which datagrams from a single sender are routed to the topologically nearest node in a group of potential receivers, though it may be sent to several nodes, all identified by the same destination address.[26]
Data Over Cable Service Interface Specification (DOCSIS)
An international telecommunications standard that permits the addition of high-speed data transfer to an existing cable TV (CATV) system.[27]
end-to-end principle
A classic computer network design principle which states that application-specific functions ought to reside in the end hosts of a network rather than in intermediary nodes – provided they can be implemented completely and correctly in the end hosts.[28]
hop count
A count of the intermediate devices (routers) through which data must pass between source and destination.[29]
jumbogram
An internet layer packet exceeding the standard Maximum Transmission Unit (MTU) of the underlying network technology.[30]
Mobile IP
An Internet Engineering Task Force (IETF) standard communications protocol that is designed to allow mobile device users to move from one network to another while maintaining a permanent IP address.[31]
Path MTU Discovery (PMTUD)
A standardized technique for determining the maximum transmission unit (MTU) size on the network path between two Internet Protocol (IP) hosts.[32]
proxy server
A computer system or application that acts as an intermediary for requests from clients seeking resources from other servers.[33]
Quality of Service (QoS)
The ability to provide different priority to different applications, users, or data flows, or to guarantee a certain level of performance to a data flow.[34]
Stateless Address Autoconfiguration (SLAAC)
A method by which a node automatically creates a link-local address with the prefix fe80::/64 on each IPv6-enabled interface, even if globally routable addresses are manually configured or obtained through configuration protocols.[35]
tunneling protocol
The use of one network protocol (the delivery protocol) to encapsulate a different payload protocol.[36]
World IPv6 Launch
The Internet Society declared June 6, 2012 to be the date for "World IPv6 Launch", with participating major websites enabling IPv6 permanently, participating ISPs offering IPv6 connectivity, and participating router manufacturers offering devices enabled for IPv6 by default.[37]

Review Questions
  1. IPv6 is an _____-layer protocol for packet-switched internetworking and provides end-to-end datagram transmission across multiple IP networks.
    IPv6 is an Internet-layer protocol for packet-switched internetworking and provides end-to-end datagram transmission across multiple IP networks.
  2. IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of _____.
    IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of running out of IPv4 addresses.
  3. IPv6 uses _____-bit addresses, commonly displayed to users as _____ groups of _____ hexadecimal digits separated by _____.
    IPv6 uses 128-bit addresses, commonly displayed to users as eight groups of four hexadecimal digits separated by colons.
  4. In an IPv6 address, leading zeroes may be removed from any group of hexadecimal digits. Multiple consecutive groups of zeroes may be replaced with _____.
    In an IPv6 address, leading zeroes may be removed from any group of hexadecimal digits. Multiple consecutive groups of zeroes may be replaced with a double colon (::).
  5. The IPv6 subnet size has been standardized by fixing the size of the host identifier portion of an address to _____ bits.
    The IPv6 subnet size has been standardized by fixing the size of the host identifier portion of an address to 64 bits.
  6. IPv6 does not implement interoperability features with IPv4, but essentially creates a _____. Exchanging traffic between the two networks requires special translator _____.
    IPv6 does not implement interoperability features with IPv4, but essentially creates a parallel, independent network. Exchanging traffic between the two networks requires special translator gateways.
  7. Work on IPv6 began by _____, and was first published in a series of RFCs in _____.
    Work on IPv6 began by 1992, and was first published in a series of RFCs in 1996.
  8. Most transport and application-layer protocols need _____ to operate over IPv6.
    Most transport and application-layer protocols need little or no change to operate over IPv6.
  9. Multicasting is part of the base specification in IPv6. IPv6 does not implement traditional IP _____ and does not define _____.
    Multicasting is part of the base specification in IPv6. IPv6 does not implement traditional IP broadcast and does not define broadcast addresses.
  10. IPv6 hosts can configure themselves automatically when connected to a routed IPv6 network using the _____ via Internet Control Message Protocol version 6 (ICMPv6) router discovery messages.
    IPv6 hosts can configure themselves automatically when connected to a routed IPv6 network using the Neighbor Discovery Protocol via Internet Control Message Protocol version 6 (ICMPv6) router discovery messages.
  11. IPv6 routers do not perform _____.
    IPv6 routers do not perform fragmentation.
  12. Privacy extensions for IPv6 allow the operating system to generate _____ for communication with remote hosts.
    Privacy extensions for IPv6 allow the operating system to generate ephemeral IP addresses by concatenating a randomly generated host identifier with the assigned network prefix for communication with remote hosts.
  13. The IPv6 header consists of a fixed portion with minimal functionality required for all packets and may be followed by optional extensions to implement special features. The fixed header requires _____ octets (_____ bits) and contains _____.
    The IPv6 header consists of a fixed portion with minimal functionality required for all packets and may be followed by optional extensions to implement special features. The fixed header requires 40 octets (320 bits) and contains the source and destination addresses, traffic classification options, a hop counter, and the type of the optional extension or payload which follows the fixed header.
  14. The IPv6 loopback address is _____.
    The IPv6 loopback address is ::1.
  15. Link-local addresses begin with _____.
    Link-local addresses begin with the prefix fe80::/10.
  16. Tunneling may be used to enable IPv4 networks to communicate with IPv6 networks. In tunneling, _____ packets are encapsulated within _____ packets, in effect using _____ as a _____ layer for _____.
    Tunneling may be used to enable IPv4 networks to communicate with IPv6 networks. In tunneling, IPv6 packets are encapsulated within IPv4 packets, in effect using IPv4 as a link layer for IPv6.
  17. Teredo is an _____ _____-site tunneling technique that uses _____ encapsulation and _____ cross Network Address Translation (NAT) nodes.
    Teredo is an automatic inter-site tunneling technique that uses UDP encapsulation and can cross Network Address Translation (NAT) nodes.
  18. Teredo addresses begin with _____.
    Teredo addresses begin with 2001:0::/32.
  19. ISATAP is an _____ _____-site tunneling technique that uses _____ encapsulation. It _____ cross NAT nodes.
    ISATAP is an automatic intra-site tunneling technique that uses IPv4 encapsulation. It cannot cross NAT nodes.
  20. ISATAP addresses begin with _____.
    ISATAP addresses begin with fe80::200:5efe/96.
  21. 6to4 is an _____ _____-site tunneling technique that uses _____ encapsulation. It _____ cross NAT nodes.
    6to4 is an automatic inter-site tunneling technique that uses IPv4 encapsulation. It cannot cross NAT nodes.
  22. 6to4 addresses begin with _____ and relay through _____.
    6to4 addresses begin with 2002::/16 and relay through 192.88.99.1.
  23. 6in4 is a _____ _____-site tunneling technique that uses _____ encapsulation. It _____ cross NAT nodes.
    6in4 is a configured inter-site tunneling technique that uses IPv4 encapsulation. It can cross NAT nodes.
  24. 6in4 addresses are _____ addresses assigned by the tunnel broker, and therefore create security risks.
    6in4 addresses are public addresses assigned by the tunnel broker, and therefore create security risks.
  25. NAT64 is a _____ that allows _____-only hosts to communicate with _____-only servers.
    NAT64 is a network address translation technique that allows IPv6-only hosts to communicate with IPv4-only servers.
  26. NAT64 server addresses begin with _____.
    NAT64 server addresses begin with 64:ff9b::/96.

References
  Type classification: this is a lesson resource.
  Completion status: this resource is considered to be complete.

Netsh is a Windows command used to display and modify the network configuration of a currently running local or remote computer. These activities will show you how to use the netsh command to configure IPv6 settings.

Note: To complete this activity, you must have an administrative user account or know the username and password of an administrator account you can enter when prompted.

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.

Activity 1 - Display IPv6 Information

To display IPv6 information:

  1. Open an elevated/administrator command prompt.
  2. Use ipconfig to display IP address information. Observe the results. If IPv6 is enabled, you should see one or more IPv6 addresses. A typical Windows 7 computer has a Link-local IPv6 Address, an ISATAP tunnel adapter with media disconnected, and a Teredo tunnel adapter. Link-local addresses begin with fe80::/10. ISATAP addresses are specific link-local addresses beginning with fe80::200:5efe/96. Teredo addresses begin with 2001:0::/32.
  3. Type netsh interface ipv6 show interfaces and press Enter. Observe the results listing the interfaces on which IPv6 is enabled. Note that all netsh parameters may be abbreviated, as long as the abbreviation is a unique parameter. netsh interface ipv6 show interfaces may be entered as netsh i ipv6 sh i.
  4. Type netsh interface ipv6 show addresses and press Enter. Observe the results listing the interface IPv6 addresses.
  5. Type netsh interface ipv6 show destinationcache and press Enter. Observe the results listing recent IPv6 destinations.
  6. Type netsh interface ipv6 show dnsservers and press Enter. Observe the results listing IPv6 DNS server settings.
  7. Type netsh interface ipv6 show neighbors and press Enter. Observe the results listing IPv6 neighbors. This is similar to the IPv4 ARP cache.
  8. Type netsh interface ipv6 show route and press Enter. Observe the results listing IPv6 route information.

Activity 2 - Disable Teredo

To disable Teredo:

  1. Type netsh interface teredo set state disabled and press Enter.
  2. Use ipconfig to confirm that Teredo was disabled.

Activity 3 - Disable ISATAP

To disable ISATAP:

  1. Type netsh interface isatap set state disabled and press Enter.
  2. Use ipconfig to confirm that ISATAP was disabled.

Activity 4 - Enable 6to4

To enable 6to4:

  1. Type netsh interface 6to4 set state enabled and press Enter.
  2. Use ipconfig to confirm that 6to4 was enabled.

Note that 6to4 will show media disconnected if you have a private IP address.

Activity 5 - Disable 6to4

To disable 6to4:

  1. Type netsh interface 6to4 set state disabled and press Enter.
  2. Use ipconfig to confirm that 6to4 was disabled.

Activity 6 - Enable 6in4

To enable a functioning 6in4 tunnel, you must register with a tunnel broker:

  1. Visit http://tunnelbroker.net.
  2. Register with the service.
  3. Complete the NewB certification.
  4. Create a Regular Tunnel. Fill in the necessary information.
  5. View Example Configurations. Select your operating system. For recent Windows operating systems, the netsh command sequence would be similar to:
    • netsh interface ipv6 add v6v4tunnel IP6Tunnel <your IPv4 address> <tunnel broker IPv4 address>
    • netsh interface ipv6 add address IP6Tunnel <your given IPv6 address>
    • netsh interface ipv6 add route ::/0 IP6Tunnel <your given IPv6 gateway address>
  6. Use ipconfig to confirm that a 6in4 tunnel was created.

Activity 7 - Disable 6in4
  1. Type netsh interface ipv6 show interface and press Enter.
  2. Identify the interface ID of the 6in4 tunnel created in Activity 6.
  3. Type netsh interface ipv6 delete interface id, where id is the ID number of the 6in4 tunnel. Then press Enter.
  4. Use ipconfig to confirm that the 6in4 tunnel was deleted.

Activity 8 - Enable Teredo

To enable Teredo:

  1. Type netsh interface teredo set state default and press Enter.
  2. Use ipconfig to confirm that Teredo was enabled.

Activity 9 - Enable ISATAP

To enable ISATAP:

  1. Type netsh interface isatap set state enabled and press Enter.
  2. Use ipconfig to confirm that ISATAP was enabled.
  3. Close the command prompt to complete this activity.

Activity 10 - Reset IPv6

To reset IPv6:

  1. Type netsh interface ipv6 reset and press Enter.
  2. Close the command prompt and restart the computer to complete this activity.


Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze local IPv6 traffic.

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture Local IPv6 Traffic

To capture local IPv6 traffic:

  1. Use ipconfig to display the default gateway address. Note the Default Gateway displayed. Be sure to select an IPv6 address. If you don't have an IPv6 default gateway, just review the following instructions for content understanding.
  2. Start a Wireshark capture.
  3. Use ping <default gateway address> to ping the default gateway IPv6 address.
  4. Stop the Wireshark capture.

Activity 2 - Analyze Local IPv6 Outbound Traffic

To analyze local IPv6 outbound traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMPv6 listed as the protocol. To view only ICMPv6 traffic, type icmpv6 (lower case) in the Filter box and press Enter.
  2. Select the first ICMPv6 packet or scroll down if necessary to locate the first packet labeled Echo (ping) request.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
  4. Expand Ethernet II to view Ethernet details.
  5. Observe the Destination field. This should contain the MAC address of your default gateway. You can use netsh interface ipv6 show neighbors to confirm.
  6. Observe the Source field. This should contain your MAC address. You can use ipconfig /all or getmac to confirm.
  7. Observe the Type field. Notice that the type is 0x86dd, indicating IPv6.
  8. Expand Internet Protocol Version 6 to view IPv6 details.
  9. Observe the Source address. Notice that the source address is your IPv6 address.
  10. Observe the Destination address. Notice that the destination address is the default gateway IPv6 address.

Activity 3 - Analyze Local IPv6 Inbound Traffic

To analyze local IPv6 inbound traffic:

  1. In the top Wireshark packet list pane, select the next ICMPv6 packet, labeled Echo (ping) reply.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination field. This should contain your MAC address.
  5. Observe the Source field. This should contain the MAC address of your default gateway.
  6. Observe the Type field. Notice that the type is 0x86dd, indicating IPv6.
  7. Expand Internet Protocol Version 6 to view IPv6 details.
  8. Observe the Source address. Notice that the source address is the default gateway IPv6 address.
  9. Observe the Destination address. Notice that the destination address is your IPv6 address.
  10. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze remote IPv6 traffic.

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture Remote IPv6 Traffic

To capture remote IPv6 traffic:

  1. Start a Wireshark capture.
  2. Use ping 2001:4860:4860::8888 to ping an Internet host by IPv6 address.
  3. Stop the Wireshark capture.

Activity 2 - Analyze Remote IPv6 Outbound Traffic

To analyze remote IPv6 outbound traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMPv6 listed as the protocol. To view only ICMPv6 traffic, type icmpv6 (lower case) in the Filter box and press Enter.
  2. Select the first ICMPv6 packet, labeled Echo (ping) request.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
  4. Expand Ethernet II to view Ethernet details.
  5. Observe the Destination field. This should contain the MAC address of your default gateway. You can use netsh interface ipv6 show neighbors to confirm. Notice that remote Internet layer traffic is processed as local Link layer traffic. The default gateway will route the packet to the Internet.
  6. Observe the Source field. This should contain your MAC address. You can use ipconfig /all or getmac to confirm.
  7. Observe the Type field. Notice that the type is 0x86dd, indicating IPv6.
  8. Expand Internet Protocol Version 6 to view IPv6 details.
  9. Observe the Source address. Notice that the source address is your IPv6 address.
  10. Observe the Destination address. Notice that the destination address is the Internet host IPv6 address.

Activity 3 - Analyze Remote IPv6 Inbound Traffic

To analyze remote IPv6 inbound traffic:

  1. In the top Wireshark packet list pane, select the next ICMPv6 packet, labeled Echo (ping) reply.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination field. This should contain your MAC address.
  5. Observe the Source field. This should contain the MAC address of your default gateway. Notice that the remote Internet layer traffic is returned as local Link layer traffic. The routers between the Internet host and your network routed the packet back to your router so that it could forward the packet back to your computer.
  6. Observe the Type field. Notice that the type is 0x86dd, indicating IPv6.
  7. Expand Internet Protocol Version 6 to view IPv6 details.
  8. Observe the Source address. Notice that the source address is the Internet host IPv6 address.
  9. Observe the Destination address. Notice that the destination address is your IPv6 address.
  10. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze IPv6 Teredo traffic. Note: These activities do not require an IPv6 Internet connection. Teredo tunnels across IPv4.

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.
  4. Enable Teredo if necessary.

Activity 1 - Capture IPv6 Teredo Traffic

To capture IPv6 Teredo traffic:

  1. Use ipconfig /all to verify that you have a Teredo tunnel adapter. If not, simply read along to understand the following concepts.
  2. Start a Wireshark capture.
  3. Use ping 2001:4860:4860::8888 to ping an Internet host by IPv6 address.
  4. Stop the Wireshark capture.

Activity 2 - Analyze IPv6 Teredo Traffic

To analyze IPv6 Teredo traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. Type teredo (lower case) in the Filter box and press Enter to select Teredo traffic.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Teredo IPv6 Over UDP Tunneling / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame. The IPv6 / ICMPv6 packets are encapsulated inside IPv4 / UDP packets and forwarded to a Teredo server for IPv6 forwarding.
  3. Expand Internet Protocol Version 6 and identify the Source Teredo Port number.
  4. Modify the Filter box to teredo || udp.port == <Teredo port number>. For example, if the port number was 54321, you would enter a filter of teredo || udp.port == 54321. Then press Enter.
  5. Observe the IPv6 Teredo traffic.
  6. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze IPv6 6to4 traffic. Note: These activities do not require an IPv6 Internet connection. 6to4 tunnels across IPv4.

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.
  4. Enable 6to4 if necessary.

Activity 1 - Capture IPv6 6to4 Traffic

To capture IPv6 6to4 traffic:

  1. Use ipconfig /all to verify that you have a 6TO4 tunnel adapter. If not, simply read along to understand the following concepts.
  2. Start a Wireshark capture.
  3. Use ping 2001:4860:4860::8888 to ping an Internet host by IPv6 address.
  4. Stop the Wireshark capture.

Activity 2 - Analyze IPv6 6to4 Traffic

To analyze IPv6 6to4 traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. Type ipv6.addr == 2001:4860:4860::8888 (lower case) in the Filter box and press Enter to select the generated traffic.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame. The IPv6 / ICMPv6 packets are encapsulated inside IPv4 packets and forwarded to the 6to4 relay at 192.88.99.1 for IPv6 forwarding.
  3. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
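To see what Wireshark is decoding when it shows the Source Teredo Port in the Teredo activity, or the IPv4 endpoint embedded in a 6to4 address, here is an added Python example (not part of the course's activities) that pulls those fields out of the IPv6 address itself; the sample addresses are constructed, and the filter string follows Teredo Activity 2 step 4.

```python
import ipaddress


def decode_teredo(addr: str) -> dict:
    """Split a Teredo address (2001::/32) into the fields it embeds (RFC 4380).

    Layout: 2001:0000 | server IPv4 | flags | port XOR 0xFFFF | client IPv4 XOR 0xFFFFFFFF.
    The XOR obfuscation is why the Source Teredo Port that Wireshark shows
    differs from the raw hex of the address.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip not in ipaddress.IPv6Network("2001::/32"):
        raise ValueError(f"{addr} is not a Teredo address")
    raw = int(ip)
    return {
        "kind": "teredo",
        "server": str(ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)),
        "cone_nat": bool((raw >> 48) & 0x8000),   # RFC 4380 cone flag
        "port": ((raw >> 32) & 0xFFFF) ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
    }


def decode_6to4(addr: str) -> dict:
    """Recover the IPv4 endpoint embedded in a 6to4 address, 2002:V4ADDR::/48 (RFC 3056)."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in ipaddress.IPv6Network("2002::/16"):
        raise ValueError(f"{addr} is not a 6to4 address")
    return {"kind": "6to4",
            "endpoint": str(ipaddress.IPv4Address((int(ip) >> 80) & 0xFFFFFFFF)),
            "relay": "192.88.99.1"}   # anycast 6to4 relay named in the activity above


def decode_tunnel_address(addr: str) -> dict:
    """Classify an IPv6 address as Teredo, 6to4 or native and decode what it embeds."""
    ip = ipaddress.IPv6Address(addr)
    if ip in ipaddress.IPv6Network("2001::/32"):
        return decode_teredo(addr)
    if ip in ipaddress.IPv6Network("2002::/16"):
        return decode_6to4(addr)
    return {"kind": "native"}


def teredo_display_filter(addr: str) -> str:
    """The Wireshark filter from Activity 2 step 4, built from the decoded port."""
    return f"teredo || udp.port == {decode_teredo(addr)['port']}"


# Constructed samples: a Teredo client address and a 6to4 address embedding 192.0.2.4.
SAMPLE_TEREDO = "2001:0:4136:e378:8000:63bf:3fff:fdd2"
SAMPLE_6TO4 = "2002:c000:204::1"
```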

References

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze IPv6 6in4 traffic. Note: These activities do not require an IPv6 Internet connection. 6in4 tunnels across IPv4.

Readings

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.
  4. Establish an IPv6 6in4 tunnel.

Activity 1 - Capture IPv6 6in4 Traffic

To capture IPv6 6in4 traffic:

  1. Use ipconfig /all to verify that you have an IPv6 tunnel adapter. If not, simply read along to understand the following concepts.
  2. Start a Wireshark capture.
  3. Use ping 2001:4860:4860::8888 to ping an Internet host by IPv6 address.
  4. Stop the Wireshark capture.

Activity 2 - Analyze IPv6 6in4 Traffic

To analyze IPv6 6in4 traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. Type ipv6.addr == 2001:4860:4860::8888 (lower case) in the Filter box and press Enter to select the generated traffic.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame. The IPv6 / ICMPv6 packets are encapsulated inside IPv4 packets and forwarded to a 6in4 IPv6 server for IPv6 forwarding.
  3. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

References

Lesson 8 - Internet Control Message Protocol (ICMP)

This lesson continues the Internet layer and looks at the Internet Control Message Protocol (ICMP and ICMPv6). Activities include using Wireshark to examine ICMP and ICMPv6 network traffic.

Readings

  1. Wikipedia: Internet Control Message Protocol
  2. Wikipedia: ICMPv6
  3. Wikipedia: Path MTU Discovery

Multimedia

  1. YouTube: ICMP Packet Capture with Michael Gregg

Activities

  1. Review Wireshark: Internet Control Message Protocol (ICMP).[1]
  2. Use Wireshark to capture and analyze ICMP Echo traffic.
  3. Use Wireshark to capture and analyze ICMP Time Exceeded traffic.
  4. Use Wireshark to capture and analyze ICMP tracert/traceroute traffic.
  5. Review Wireshark: ICMPv6.
  6. Use Wireshark to capture and analyze ICMPv6 Echo traffic.
  7. Use Wireshark to capture and analyze ICMPv6 Time Exceeded traffic.
  8. Use Wireshark to capture and analyze ICMPv6 tracert/traceroute traffic.
  9. Use ping to determine local network MTU.
  10. Use ping to determine Path MTU to an Internet host such as Google's public DNS server 8.8.8.8.
    Note that Internet routers frequently drop large ICMP packets to prevent Denial of Service attacks, so it may not be possible to capture ICMPv6 Packet Too Big messages with this approach.
  11. Consider situations in which a packet analyzer might be used to troubleshoot ICMP traffic.

Lesson Summary

  • ICMP is a core protocol operating in the Internet layer of the Internet Protocol Suite.[2]
  • ICMP messages are used for diagnostic or control purposes or generated in response to errors in IP operations.[1]
  • ICMP messages may be classified into two categories: error messages and information messages.[3]
  • ICMP errors are directed to the source IP address of the originating packet.[4]
  • ICMPv6 is an integral part of IPv6 and performs error reporting, diagnostic functions (e.g., ping), and provides a framework for extensions to implement future changes.[5]
  • ICMPv6 error messages include Destination Unreachable, Packet Too Big, Time Exceeded, and Parameter Problem.[6]
  • ICMPv6 informational messages include Echo Request, Echo Reply, and a variety of multicast messages that will be covered in the next lesson.[7]
  • The tracert (traceroute) and Pathping commands are implemented by transmitting datagrams with specially set IP TTL header fields and looking for ICMP Time Exceeded and Destination Unreachable messages generated in response.[8]
  • The ping utility is implemented using ICMP Echo Request and Echo Reply messages.[9]
  • Path MTU Discovery in IPv4 is performed by routers and supported through fragmentation.[10]
  • Path MTU Discovery in IPv6 must be performed by the sending host, because IPv6 routers do not support fragmentation.[11]

Key Terms

Destination Unreachable
An ICMP error message which is generated by the host or its inbound gateway to inform the client that the destination is unreachable for some reason.[12]
Echo Reply
An ICMP informational message response to an echo request.[13]
Echo Request
An ICMP informational message whose data is expected to be received back in an echo reply.[14]
Packet Too Big
An ICMP error message which is generated by a gateway to inform the source of a discarded datagram due to the size being too large for the link layer.[15]
Parameter Problem
An ICMP error message which is generated by a host to inform the source of a problem with a field in the IPv6 header or extension headers of a packet that has been discarded.[16]
Path MTU Discovery (PMTUD)
A standardized technique in computer networking for determining the maximum transmission unit (MTU) size on the network path between two Internet Protocol (IP) hosts, usually with the goal of avoiding IP fragmentation.[17]
Redirect Message
An ICMP message which informs a host to update its routing information (to send packets on an alternate route).[18]
Source Quench
An ICMP message which requests that the sender decrease the rate of messages sent to a router or host.[19]
Time Exceeded
An ICMP error message which is generated by a gateway to inform the source of a discarded datagram due to the time to live / hop count field reaching zero.[20]

Review Questions

  1. ICMP is a core protocol operating in the _____ layer of the Internet Protocol Suite.
    ICMP is a core protocol operating in the Internet layer of the Internet Protocol Suite.
  2. ICMP messages are used for _____.
    ICMP messages are used for diagnostic or control purposes or generated in response to errors in IP operations.
  3. ICMP messages may be classified into two categories: _____ and _____.
    ICMP messages may be classified into two categories: error messages and information messages.
  4. ICMP errors are directed to _____.
    ICMP errors are directed to the source IP address of the originating packet.
  5. ICMPv6 is an integral part of IPv6 and performs _____, and provides _____.
    ICMPv6 is an integral part of IPv6 and performs error reporting, diagnostic functions (e.g., ping), and provides a framework for extensions to implement future changes.
  6. ICMPv6 error messages include _____.
    ICMPv6 error messages include Destination Unreachable, Packet Too Big, Time Exceeded, and Parameter Problem.
  7. ICMPv6 informational messages include _____.
    ICMPv6 informational messages include Echo Request, Echo Reply, and a variety of multicast messages.
  8. The _____ utilities are implemented by transmitting datagrams with specially set IP TTL header fields and looking for ICMP Time Exceeded and Destination Unreachable messages generated in response.
    The tracert (traceroute) and Pathping utilities are implemented by transmitting datagrams with specially set IP TTL header fields and looking for ICMP Time Exceeded and Destination Unreachable messages generated in response.
  9. The _____ utility is implemented using ICMP Echo Request and Echo Reply messages.
    The ping utility is implemented using ICMP Echo Request and Echo Reply messages.
  10. Path MTU Discovery in _____ is performed by routers.
    Path MTU Discovery in IPv4 is performed by routers.
  11. Path MTU Discovery in _____ must be performed by the sending host.
    Path MTU Discovery in IPv6 must be performed by the sending host.
  12. ICMP stands for _____.
    ICMP stands for Internet Control Message Protocol.

Assessments

References

  Type classification: this is a lesson resource.
  Completion status: this resource is considered to be complete.

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Internet Control Message Protocol (ICMP) Echo traffic.

Readings

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture ICMP Echo Traffic

To capture ICMP Echo traffic:

  1. Start a Wireshark capture.
  2. Use ping <default gateway address> to ping the default gateway address.
  3. Stop the Wireshark capture.

Activity 2 - Analyze ICMP Echo Request Traffic

To analyze ICMP Echo Request traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMP listed as the protocol. To view only ICMP traffic, type icmp (lower case) in the Filter box and press Enter.
  2. Select the first ICMP packet, labeled Echo (ping) request.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
  4. Expand Internet Control Message Protocol to view ICMP details.
  5. Observe the Type. Notice that the type is 8 (Echo (ping) request).
  6. Select Data in the middle Wireshark packet details pane to highlight the data portion of the frame.
  7. Observe the packet contents in the bottom Wireshark packet bytes pane. Notice that Windows sends an alphabet sequence during ping requests.

Activity 3 - Analyze ICMP Echo Reply Traffic

To analyze ICMP Echo Reply traffic:

  1. In the top Wireshark packet list pane, select the second ICMP packet, labeled Echo (ping) reply.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
  3. Expand Internet Control Message Protocol to view ICMP details.
  4. Observe the Type. Notice that the type is 0 (Echo (ping) reply).
  5. Select Data in the middle Wireshark packet details pane to highlight the data portion of the frame.
  6. Observe the packet contents in the bottom Wireshark packet bytes pane. Notice that the reply echoes the request sequence.
  7. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

References

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Internet Control Message Protocol (ICMP) Time Exceeded traffic.

Readings

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture ICMP Time Exceeded Traffic

To capture ICMP Time Exceeded traffic:

  1. Start a Wireshark capture.
  2. Use ping -i 1 8.8.8.8 to ping one of Google's public DNS servers with a Time To Live setting of 1.
  3. Stop the Wireshark capture.

Activity 2 - Analyze ICMP Echo Request Traffic

To analyze ICMP Echo Request traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMP listed as the protocol. To view only ICMP traffic, type icmp (lower case) in the Filter box and press Enter.
  2. Select the first ICMP packet, labeled Echo (ping) request.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
  4. Expand Internet Protocol Version 4 to view IPv4 details.
  5. Observe the Time to live. Notice that the time to live is set to 1.
  6. Expand Internet Control Message Protocol to view ICMP details.
  7. Observe the Type. Notice that the type is 8 (Echo (ping) request).
  8. Select Data in the middle Wireshark packet details pane to highlight the data portion of the frame.
  9. Observe the packet contents in the bottom Wireshark packet bytes pane. Notice that Windows sends an alphabet sequence during ping requests.

Activity 3 - Analyze ICMP Time Exceeded Traffic

To analyze ICMP Time Exceeded traffic:

  1. In the top Wireshark packet list pane, select the second ICMP packet, labeled Time-to-live exceeded.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
  3. Expand Internet Protocol Version 4 to view IPv4 details.
  4. Observe the Source. This is the IP address of the router where the time was exceeded.
  5. Expand Internet Control Message Protocol to view ICMP details.
  6. Observe the Type. Notice that the type is 11 (Time-to-live exceeded).
  7. Observe the Code. Notice that the code is 0 (Time to live exceeded in transit).
  8. Observe the fields that follow. Notice that the contents of the request packet are returned with the time exceeded error.
  9. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

References

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze tracert/traceroute traffic. Tracing routes is accomplished through the use of Internet Control Message Protocol (ICMP) Time Exceeded messages.

Readings

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture Tracert Traffic

To capture ICMP tracert traffic:

  1. Start a Wireshark capture.
  2. Open a command prompt.
  3. Type tracert -d 8.8.8.8 and press Enter to trace the route to one of Google's public DNS servers. The -d option prevents DNS name resolution, which in this case will improve performance and reduce the amount of captured traffic.
  4. When the trace is complete, close the command prompt.
  5. Stop the Wireshark capture.

Activity 2 - Analyze Tracert Traffic

To analyze tracert traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMP listed as the protocol. To view only ICMP traffic, type icmp (lower case) in the Filter box and press Enter.
  2. Select the first ICMP packet, labeled Echo (ping) request.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
  4. Expand Internet Protocol Version 4 to view IPv4 details.
  5. Observe the Time to live. Notice that the time to live is set to 1.
  6. Expand Internet Control Message Protocol to view ICMP details.
  7. Observe the Type. Notice that the type is 8 (Echo (ping) request). Tracert is performed through a series of ICMP Echo requests, varying the Time-To-Live (TTL) until the destination is found.
  8. In the top Wireshark packet list pane, select the second ICMP packet, labeled Time-to-live exceeded.
  9. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
  10. Expand Internet Protocol Version 4 to view IPv4 details.
  11. Observe the Source. This is the IP address of the router where the time was exceeded.
  12. Expand Internet Control Message Protocol to view ICMP details.
  13. Observe the Type. Notice that the type is 11 (Time-to-live exceeded).
  14. Observe the Code. Notice that the code is 0 (Time to live exceeded in transit).
  15. Observe the fields that follow. Notice that the contents of the request packet are returned with the time exceeded error.
  16. Continue selecting alternate ICMP Echo Request and ICMP Time-To-Live Exceeded packets. Notice that the request is repeated three times for each time-to-live count, and each reply indicates the IP address of the router where the time to live was exceeded.
  17. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
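As an added Python example (not part of the course material), the following builds the Echo request, Echo reply and Time Exceeded packets examined in the ICMP Echo, ICMP Time Exceeded and tracert activities above, verifies their checksums the way a dissector does, and rebuilds a tracert hop table from a capture; the capture, the host 192.168.1.100 and the router addresses in it are constructed.

```python
import ipaddress
import struct

# The 32-byte alphabet pattern Windows ping places in Echo request data.
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, shared by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, ttl: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header carrying ICMP (protocol 1), no options."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, 1, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp_message(mtype: int, code: int, rest: bytes, body: bytes) -> bytes:
    """Type, code, checksum, four bytes of 'rest of header', then the body."""
    msg = struct.pack("!BBH", mtype, code, 0) + rest + body
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def echo_request(src: str, dst: str, ttl: int, ident: int, seq: int) -> bytes:
    """Type 8 Echo request, as Windows ping and tracert send it."""
    icmp = icmp_message(8, 0, struct.pack("!HH", ident, seq), WINDOWS_PING_DATA)
    return ipv4_header(src, dst, ttl, len(icmp)) + icmp


def echo_reply(request: bytes) -> bytes:
    """Type 0 Echo reply: addresses swapped, ident/seq/data echoed back."""
    src = str(ipaddress.IPv4Address(request[12:16]))
    dst = str(ipaddress.IPv4Address(request[16:20]))
    icmp = icmp_message(0, 0, request[24:28], request[28:])
    return ipv4_header(dst, src, 64, len(icmp)) + icmp


def time_exceeded(router: str, original: bytes) -> bytes:
    """Type 11 code 0 from a router: quotes the offending IP header + 8 payload bytes (RFC 792)."""
    sender = str(ipaddress.IPv4Address(original[12:16]))
    icmp = icmp_message(11, 0, b"\x00" * 4, original[:28])
    return ipv4_header(router, sender, 64, len(icmp)) + icmp


def parse_icmp(packet: bytes) -> dict:
    """Decode the fields the activities ask you to observe; rejects bad checksums."""
    ihl = (packet[0] & 0x0F) * 4
    if checksum(packet[:ihl]) != 0 or packet[9] != 1:
        raise ValueError("not a valid IPv4/ICMP packet")
    icmp = packet[ihl:]
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    info = {"src": str(ipaddress.IPv4Address(packet[12:16])),
            "dst": str(ipaddress.IPv4Address(packet[16:20])),
            "ttl": packet[8], "type": icmp[0], "code": icmp[1]}
    if info["type"] in (0, 8):            # Echo reply / Echo request
        info["ident"], info["seq"] = struct.unpack("!HH", icmp[4:8])
        info["data"] = icmp[8:]
    elif info["type"] == 11:              # Time exceeded: the quoted datagram follows
        quoted = icmp[8:]
        q_ihl = (quoted[0] & 0x0F) * 4
        info["quoted"] = {"dst": str(ipaddress.IPv4Address(quoted[16:20])),
                          "type": quoted[q_ihl],
                          "seq": struct.unpack("!H", quoted[q_ihl + 6:q_ihl + 8])[0]}
    return info


def tracert_hops(capture: list) -> list:
    """Rebuild the tracert table from a capture as (hop, answering address): each Time
    exceeded is tied to the request it quotes by sequence number, so the hop is that request's TTL."""
    ttl_of_seq, hops = {}, {}
    for pkt in capture:
        info = parse_icmp(pkt)
        if info["type"] == 8:
            ttl_of_seq[info["seq"]] = info["ttl"]
        elif info["type"] == 11 and info["code"] == 0:
            hops[ttl_of_seq[info["quoted"]["seq"]]] = info["src"]
        elif info["type"] == 0:           # Echo reply: the destination itself answered
            hops[ttl_of_seq[info["seq"]]] = info["src"]
    return sorted(hops.items())


def constructed_tracert_capture() -> list:
    """Constructed sample capture (not a real trace): two hypothetical routers, then
    8.8.8.8, with three probes per TTL as tracert does."""
    routers = ["192.168.1.1", "10.1.0.1"]
    capture, seq = [], 1
    for ttl in range(1, len(routers) + 2):
        for _ in range(3):
            req = echo_request("192.168.1.100", "8.8.8.8", ttl, 1, seq)
            reply = time_exceeded(routers[ttl - 1], req) if ttl <= len(routers) else echo_reply(req)
            capture += [req, reply]
            seq += 1
    return capture
```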

References

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Internet Control Message Protocol Version 6 (ICMPv6) Echo traffic.

Readings

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture ICMPv6 Echo Traffic

To capture ICMPv6 Echo traffic:

  1. Start a Wireshark capture.
  2. Use ping 2001:4860:4860::8888 to ping one of Google's public IPv6 DNS servers.
  3. Stop the Wireshark capture.

Activity 2 - Analyze ICMPv6 Echo Request Traffic

To analyze ICMPv6 Echo Request traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMPv6 listed as the protocol. To view only ICMPv6 traffic, type icmpv6 (lower case) in the Filter box and press Enter.
  2. Select the first ICMPv6 packet, labeled Echo (ping) request.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame. Note if you are using an IPv6 tunnel, your IPv6 packet may be encapsulated inside an IPv4 or UDP packet.
  4. Expand Internet Control Message Protocol v6 to view ICMPv6 details.
  5. Observe the Type. Notice that the type is Echo (ping) request (128).
  6. Select Data in the middle Wireshark packet details pane to highlight the data portion of the frame.
  7. Observe the packet contents in the bottom Wireshark packet bytes pane. Notice that Windows sends an alphabet sequence during ping requests.

Activity 3 - Analyze ICMPv6 Echo Reply Traffic

To analyze ICMPv6 Echo Reply traffic:

  1. In the top Wireshark packet list pane, select the second ICMPv6 packet, labeled Echo (ping) reply.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame. Again, if you are using an IPv6 tunnel, your IPv6 packet may be encapsulated inside an IPv4 or UDP packet.
  3. Expand Internet Control Message Protocol v6 to view ICMPv6 details.
  4. Observe the Type. Notice that the type is Echo (ping) reply (129).
  5. Select Data in the middle Wireshark packet details pane to highlight the data portion of the frame.
  6. Observe the packet contents in the bottom Wireshark packet bytes pane. Notice that the reply echoes the request sequence.
  7. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

References

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Internet Control Message Protocol Version 6 (ICMPv6) Time Exceeded traffic.

Readings

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture ICMPv6 Time Exceeded Traffic

To capture ICMPv6 Time Exceeded traffic:

  1. Start a Wireshark capture.
  2. Use ping -i 1 2001:4860:4860::8888 to ping one of Google's public IPv6 DNS servers with a hop limit of 1.
  3. Stop the Wireshark capture.

Activity 2 - Analyze ICMPv6 Echo Request Traffic

To analyze ICMPv6 Echo Request traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMPv6 listed as the protocol. To view only ICMPv6 traffic, type icmpv6 (lower case) in the Filter box and press Enter.
  2. Select the first ICMPv6 packet, labeled Echo (ping) request.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame. Note if you are using an IPv6 tunnel, your IPv6 packet may be encapsulated inside an IPv4 or UDP packet.
  4. Expand Internet Protocol Version 6 to view IPv6 details.
  5. Observe the Hop limit. Notice that the hop limit is set to 1.
  6. Expand Internet Control Message Protocol v6 to view ICMPv6 details.
  7. Observe the Type. Notice that the type is Echo (ping) request (128).
  8. Select Data in the middle Wireshark packet details pane to highlight the data portion of the frame.
  9. Observe the packet contents in the bottom Wireshark packet bytes pane. Notice that Windows sends an alphabet sequence during ping requests.

Activity 3 - Analyze ICMPv6 Time Exceeded Traffic

To analyze ICMPv6 Time Exceeded traffic:

  1. In the top Wireshark packet list pane, select the second ICMPv6 packet, labeled Time Exceeded.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame. Again, if you are using an IPv6 tunnel, your IPv6 packet may be encapsulated inside an IPv4 or UDP packet.
  3. Expand Internet Protocol Version 6 to view IPv6 details.
  4. Observe the Source. This is the IP address of the router where the hop limit was exceeded.
  5. Expand Internet Control Message Protocol v6 to view ICMPv6 details.
  6. Observe the Type. Notice that the type is Time Exceeded (3).
  7. Observe the Code. Notice that the code is 0 (Hop limit exceeded in transit).
  8. Observe the fields that follow. Notice that the contents of the request packet are returned with the time exceeded error.
  9. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

References

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze tracert/traceroute traffic. Tracing routes is accomplished through the use of Internet Control Message Protocol Version 6 (ICMPv6) Time Exceeded messages.

Readings

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture Tracert Traffic

To capture ICMPv6 tracert traffic:

  1. Start a Wireshark capture.
  2. Open a command prompt.
  3. Type tracert -d 2001:4860:4860::8888 and press Enter to trace the route to one of Google's public IPv6 DNS servers. The -d option prevents DNS name resolution, which in this case will improve performance and reduce the amount of captured traffic.
  4. When the trace is complete, close the command prompt.
  5. Stop the Wireshark capture.

Activity 2 - Analyze Tracert Traffic

To analyze tracert traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMPv6 listed as the protocol. To view only ICMPv6 traffic, type icmpv6 (lower case) in the Filter box and press Enter.
  2. Select the first ICMPv6 packet, labeled Echo (ping) request.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame. Note if you are using an IPv6 tunnel, your IPv6 packet may be encapsulated inside an IPv4 or UDP packet.
  4. Expand Internet Protocol Version 6 to view IPv6 details.
  5. Observe the Hop limit. Notice that the hop limit is set to 1.
  6. Expand Internet Control Message Protocol v6 to view ICMPv6 details.
  7. Observe the Type. Notice that the type is Echo (ping) request (128). Tracert is performed through a series of ICMPv6 Echo requests, varying the hop limit until the destination is found.
  8. In the top Wireshark packet list pane, select the second ICMPv6 packet, labeled Time Exceeded.
  9. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame. Again, if you are using an IPv6 tunnel, your IPv6 packet may be encapsulated inside an IPv4 or UDP packet.
  10. Expand Internet Protocol Version 6 to view IPv6 details.
  11. Observe the Source. This is the IPv6 address of the router where the hop limit was exceeded.
  12. Expand Internet Control Message Protocol v6 to view ICMPv6 details.
  13. Observe the Type. Notice that the type is Time Exceeded (3).
  14. Observe the Code. Notice that the code is 0 (hop limit exceeded in transit).
  15. Observe the fields that follow. Notice that the contents of the request packet are returned with the time exceeded error.
  16. Continue selecting alternate ICMPv6 Echo Request and ICMPv6 Time Exceeded packets. Notice that the request is repeated three times for each hop limit count, and each reply indicates the IPv6 address of the router where the hop limit was exceeded.
  17. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

References

The ping command has an option to configure the length or size of the buffer to be transmitted. These activities will show you how to use the ping command with a custom packet length to test the network's maximum transmission unit (MTU).

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.

Activity 1 - Ping the Default Gateway with a Custom Packet Length

To ping the default gateway with a custom packet length:

  1. Open a command prompt.
  2. Use ipconfig to display the default gateway address. Note the Default Gateway displayed.
  3. Type ping -l 1000 <default gateway address> where <default gateway address> is the default gateway address displayed above. For example, if the default gateway address was 192.168.1.1, you would type ping -l 1000 192.168.1.1. Then press Enter.
  4. Observe the results.

Activity 2 - Ping the Default Gateway with a Custom Packet Length and Do Not Fragment

To ping the default gateway with a custom packet length and do not fragment:

  1. Type ping -f -l 1000 <default gateway address> and press Enter. Note the addition of the -f option to prevent fragmentation of the packet.
  2. Observe the results.

Activity 3 - Vary Packet Length to Determine MTU

To determine MTU:

  1. Repeat Activity 2 but vary the length of the packet up or down as necessary until you determine the largest packet size that delivers successfully on your network. When the packet is too long, you will see an error similar to, "Packet needs to be fragmented but DF set." The maximum transmission unit for a standard Ethernet network is 1500 bytes; subtracting 20 bytes of Internet Protocol (IP) header and 8 bytes of Internet Control Message Protocol (ICMP) header leaves a maximum ping payload length of 1472 bytes. Your results are likely to be 1472 or lower, depending on the network equipment between your computer and the target host.
  2. Close the command prompt to complete this activity.
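The search in Activity 3 can be automated. As an added Python example (not from the course), this binary-searches the largest -l value that still gets through with DF set, using a constructed stand-in for the ping command so it runs offline; the gateway 192.168.1.1 in its output is hypothetical.

```python
import re

# Overheads used in Activity 3: 20-byte IPv4 header plus 8-byte ICMP header.
IP_HEADER = 20
ICMP_HEADER = 8
DF_ERROR = "Packet needs to be fragmented but DF set."


def simulated_ping(path_mtu: int):
    """Constructed stand-in for running 'ping -f -l <length> <gateway>' on a path with this MTU.

    It returns the one output line that matters; against a real host you would run
    the command with subprocess and feed its output to probe_succeeded() instead.
    """
    def ping(length: int) -> str:
        if IP_HEADER + ICMP_HEADER + length > path_mtu:
            return DF_ERROR
        # Hypothetical gateway address in the reply line.
        return f"Reply from 192.168.1.1: bytes={length} time<1ms TTL=64"
    return ping


def probe_succeeded(output: str) -> bool:
    """A probe worked if ping printed a reply line and not the DF error."""
    return DF_ERROR not in output and re.search(r"Reply from .*bytes=\d+", output) is not None


def find_max_payload(ping, lo: int = 0, hi: int = 1472) -> int:
    """Binary-search the largest -l value that is delivered with DF set.

    Activity 3 steps the length up or down by hand; this needs about log2(hi - lo)
    probes. Loop invariant: lo succeeds and hi fails.
    """
    if not probe_succeeded(ping(lo)):
        raise RuntimeError("even the smallest probe failed; check connectivity first")
    if probe_succeeded(ping(hi)):
        return hi
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe_succeeded(ping(mid)):
            lo = mid
        else:
            hi = mid
    return lo


def path_mtu_from_payload(payload: int) -> int:
    """Turn the largest working -l value back into the path MTU (1472 -> 1500)."""
    return payload + IP_HEADER + ICMP_HEADER
```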

Readings

References

Lesson 9 - Multicast

This lesson concludes the Internet layer and looks at multicasting. Activities include using Wireshark to examine multicast and Neighbor Discovery Protocol (NDP) network traffic.

Readings

  1. Wikipedia: Multicast
  2. Wikipedia: Multicast address
  3. Wikipedia: Internet Group Management Protocol
  4. Wikipedia: Multicast Listener Discovery
  5. Wikipedia: Neighbor Discovery Protocol

Multimedia

  1. YouTube: Understanding Unicast, Multicast, and Broadcast - CompTIA Network+ N10-005: 1.3
  2. YouTube: Neighbor Discovery Protocol

Activities

  1. Review Wireshark: Internet Group Management Protocol (IGMP).
  2. Use Wireshark to capture and analyze IPv4 multicast traffic.
  3. Use Wireshark to capture and analyze IPv6 multicast traffic.
  4. Use Wireshark to capture and analyze ICMPv6 Neighbor Discovery Protocol (NDP) traffic.
  5. Consider situations in which a packet analyzer might be used to troubleshoot multicast traffic.

Lesson Summary

  • Multicast is the delivery of a message or information to a group of destination computers simultaneously in a single transmission from the source.[1]
  • Multicast uses network infrastructure efficiently by requiring the source to send a packet only once, even if it needs to be delivered to a large number of receivers. The nodes in the network take care of replicating the packet to reach multiple receivers when necessary.[2]
  • In multicast routing, there is always one source and a group of destinations. Broadcasting is a special case of multicasting in which the group contains all hosts.[3]
  • IPv4 multicast addresses were originally designated as Class D. The Classless Inter-Domain Routing (CIDR) prefix of this group is 224.0.0.0/4 and includes addresses from 224.0.0.0 through 239.255.255.255.[4]
  • The 239.0.0.0/8 range is assigned by RFC 2365 for private use within an organization.[5]
  • IPv6 multicast addresses start with ff00::/8.[6]
  • Ethernet frames with a value of 1 in the least-significant bit of the first octet of the destination address are treated as multicast (broadcast) frames and are sent to all network hosts. The recipient host Ethernet controller determines by address hashing whether to receive or drop the multicast frame.[7]
  • Ethernet IPv4 multicast frames have a destination MAC address starting with 01-00-5E-xx-xx-xx.[8]
  • Ethernet IPv6 multicast frames have a destination MAC address starting with 33-33-xx-xx-xx-xx.[9]
  • The Internet Group Management Protocol (IGMP) is a communications protocol used by hosts and adjacent routers on IP networks to establish multicast group memberships. IGMP is used on IPv4 networks.[10]
  • Multicast management on IPv6 networks is handled by Multicast Listener Discovery (MLD) which uses ICMPv6 messaging in contrast to IGMP's bare IP encapsulation.[11][12]
  • Neighbor Discovery Protocol (NDP) is an Internet layer protocol in the Internet Protocol Suite used with IPv6.[13]
  • NDP is responsible for address autoconfiguration of nodes, discovery of other nodes on the link, determining the Link Layer addresses of other nodes, duplicate address detection, finding available routers and Domain Name System (DNS) servers, address prefix discovery, and maintaining reachability information about the paths to other active neighbor nodes.[14]
  • NDP defines five ICMPv6 packet types: Router Solicitation, Router Advertisement, Neighbor Solicitation, Neighbor Advertisement, and Redirect.[15]
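As an added Python example (not part of the lesson), the following implements the address mappings listed in the summary above: the I/G bit test on a destination MAC, the 01-00-5E and 33-33 MAC derivations, and the 224.0.0.0/4, 239.0.0.0/8 and ff00::/8 classification; the IPv6 scope names come from RFC 4291 and are not on this page.

```python
import ipaddress

# Scope nibble of an ff0X:: address (RFC 4291 section 2.7).
IPV6_SCOPES = {1: "interface-local", 2: "link-local", 4: "admin-local",
               5: "site-local", 8: "organization-local", 0xE: "global"}


def is_group_mac(mac: str) -> bool:
    """The I/G bit: a 1 in the least-significant bit of the first octet marks a multicast or broadcast frame."""
    first_octet = int(mac.replace("-", ":").split(":")[0], 16)
    return bool(first_octet & 0x01)


def multicast_mac(ip: str) -> str:
    """Map a multicast IP address to the Ethernet destination MAC a capture will show.

    IPv4 (RFC 1112): 01-00-5E plus the low 23 bits of the group address, so 32
    different groups share each MAC and the host must still filter on the IP address.
    IPv6 (RFC 2464): 33-33 plus the low 32 bits of the group address.
    """
    addr = ipaddress.ip_address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not a multicast address")
    if addr.version == 4:
        raw = 0x01005E000000 | (int(addr) & 0x7FFFFF)
    else:
        raw = 0x333300000000 | (int(addr) & 0xFFFFFFFF)
    return "-".join(f"{(raw >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


def multicast_scope(ip: str) -> str:
    """Describe where a multicast address is valid, using the ranges from the summary above."""
    addr = ipaddress.ip_address(ip)
    if not addr.is_multicast:
        return "not multicast"
    if addr.version == 4:
        if addr in ipaddress.ip_network("239.0.0.0/8"):
            return "IPv4 administratively scoped, private use (RFC 2365)"
        return "IPv4 multicast (224.0.0.0/4)"
    scope = (int(addr) >> 112) & 0xF        # low nibble of the ff0X prefix
    return f"IPv6 multicast (ff00::/8), {IPV6_SCOPES.get(scope, 'reserved')} scope"
```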

Key Terms

Internet Protocol television (IPTV)
A system through which television services are delivered using the Internet protocol suite over a packet-switched network such as the Internet, instead of being delivered through traditional terrestrial, satellite signal, and cable television formats.[16]
Internet Relay Chat (IRC)
A protocol for real-time Internet text messaging (chat) or synchronous conferencing.[17]
overlay network
A computer network which is built on the top of another network where nodes in the overlay can be thought of as being connected by virtual or logical links in the underlying physical network.[18]
Neighbor Advertisement
An ICMPv6 NDP packet type that nodes use to respond to a Neighbor Solicitation message.[19]
Neighbor Solicitation
An ICMPv6 NDP packet type that nodes use to determine the link-layer address of a neighbor, or to verify that a neighbor is still reachable via a cached link-layer address.[20]
peer-to-peer (P2P)
A computer network in which each computer in the network can act as a client or server for the other computers in the network.[21]
presence information
A status indicator that conveys ability and willingness of a potential communication partner (for example, a user) to communicate.[22]
Redirect
An ICMPv6 NDP packet type that routers use to inform hosts of a better first hop for a destination.[23]
Router Advertisement
An ICMPv6 NDP packet type that routers use to advertise their presence together with various link and Internet parameters either periodically, or in response to a Router Solicitation message.[24]
Router Solicitation
An ICMPv6 NDP packet type that hosts use to request routers to generate Router Advertisements immediately rather than at their next scheduled time.[25]
streaming media
Multimedia that is constantly received by and presented to an end-user while being delivered by a provider.[26]

Review Questions

  1. Multicast is the delivery of a message or information to _____.
    Multicast is the delivery of a message or information to a group of destination computers simultaneously in a single transmission from the source.
  2. Multicast uses network infrastructure efficiently by requiring the source to send a packet _____, even if it needs to be delivered to a large number of receivers.
    Multicast uses network infrastructure efficiently by requiring the source to send a packet only once, even if it needs to be delivered to a large number of receivers.
  3. In multicast routing, there is always _____.
    In multicast routing, there is always one source and a group of destinations.
  4. Broadcasting is a special case of multicasting in which _____.
    Broadcasting is a special case of multicasting in which the group contains all hosts.
  5. IPv4 multicast addresses were originally designated as Class _____. The Classless Inter-Domain Routing (CIDR) prefix of this group is _____ and includes addresses from _____ through _____.
    IPv4 multicast addresses were originally designated as Class D. The Classless Inter-Domain Routing (CIDR) prefix of this group is 224.0.0.0/4 and includes addresses from 224.0.0.0 through 239.255.255.255.
  6. The _____ range is assigned by RFC 2365 for private multicast use within an organization.
    The 239.0.0.0/8 range is assigned by RFC 2365 for private multicast use within an organization.
  7. IPv6 multicast addresses start with _____.
    IPv6 multicast addresses start with ff00::/8.
  8. Ethernet frames with a value of 1 in the least-significant bit of the _____ are treated as multicast (broadcast) frames and are sent to all network hosts.
    Ethernet frames with a value of 1 in the least-significant bit of the first octet of the destination address are treated as multicast (broadcast) frames and are sent to all network hosts.
  9. Ethernet IPv4 multicast frames have a destination MAC address starting with _____.
    Ethernet IPv4 multicast frames have a destination MAC address starting with 01-00-5E-xx-xx-xx.
  10. Ethernet IPv6 multicast frames have a destination MAC address starting with _____.
    Ethernet IPv6 multicast frames have a destination MAC address starting with 33-33-xx-xx-xx-xx.
  11. The Internet Group Management Protocol (IGMP) is a communications protocol used by hosts and adjacent routers on IPv4 networks to _____.
    The Internet Group Management Protocol (IGMP) is a communications protocol used by hosts and adjacent routers on IPv4 networks to establish multicast group memberships.
  12. Multicast management on IPv6 networks is handled by _____ which uses _____ messaging.
    Multicast management on IPv6 networks is handled by Multicast Listener Discovery (MLD) which uses ICMPv6 messaging.
  13. Neighbor Discovery Protocol (NDP) is an _____ layer protocol in the Internet Protocol Suite used with IPv6.
    Neighbor Discovery Protocol (NDP) is an Internet layer protocol in the Internet Protocol Suite used with IPv6.
  14. NDP is responsible for _____.
    NDP is responsible for address autoconfiguration of nodes, discovery of other nodes on the link, determining the Link Layer addresses of other nodes, duplicate address detection, finding available routers and Domain Name System (DNS) servers, address prefix discovery, and maintaining reachability information about the paths to other active neighbor nodes.
  15. NDP defines five ICMPv6 packet types: _____.
    NDP defines five ICMPv6 packet types: Router Solicitation, Router Advertisement, Neighbor Solicitation, Neighbor Advertisement, and Redirect.

Assessments

References

  Type classification: this is a lesson resource.
  Completion status: this resource is considered to be complete.

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze IPv4 multicast traffic.

Readings

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture IPv4 Multicast Traffic

To capture IPv4 multicast traffic:

  1. Start a Wireshark capture.
  2. In Windows, select Start and then type Network and Sharing Center in the Run box. Press Enter.
  3. Select Change advanced sharing settings.
  4. Note the current status of Network discovery. If it is already on, select Turn off network discovery and Save changes.
  5. Select Turn on network discovery and Save changes.
  6. Wait a few seconds for network discovery to generate multicast traffic.
  7. If Network discovery was initially off, select Turn off network discovery and Save changes to return the status to the original setting. If network discovery was initially on, leave it on.
  8. Stop the Wireshark capture.

Activity 2 - Analyze IPv4 Multicast Traffic

To analyze IPv4 multicast traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. To view only IPv4 multicast traffic, type ip.addr >= 224.0.0.0 (lower case) in the Filter box and press Enter.
  2. The traffic you are most likely to see is Simple Service Discovery Protocol (SSDP) traffic. You may also see Web Services Dynamic Discovery (WS-Discovery) traffic or other multicast traffic. Whatever you find, select the first frame.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 frame.
  4. Expand Ethernet II to view the Ethernet details.
  5. Observe the Destination address. Notice that it starts with 01:00:5e, the Ethernet multicast address for IPv4.
  6. Expand Internet Protocol Version 4 to view IPv4 details.
  7. Observe the Destination address. Notice that it is in the 224.0.0.0 - 239.255.255.255 IPv4 multicast range. If it is SSDP or WS-Discovery traffic, it will be addressed to 239.255.255.250.
  8. Select additional frames and observe the Ethernet and IPv4 details for multicast traffic.
  9. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

References

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze IPv6 multicast traffic.

Readings

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture IPv6 Multicast Traffic

To capture IPv6 multicast traffic:

  1. Start a Wireshark capture.
  2. In Windows, select Start and then type Network and Sharing Center in the Run box. Press Enter.
  3. Select Change advanced sharing settings.
  4. Note the current status of Network discovery. If it is already on, select Turn off network discovery and Save changes.
  5. Select Turn on network discovery and Save changes.
  6. Wait a few seconds for network discovery to generate multicast traffic.
  7. If Network discovery was initially off, select Turn off network discovery and Save changes to return the status to the original setting. If network discovery was initially on, leave it on.
  8. Stop the Wireshark capture.

Activity 2 - Analyze IPv6 Multicast Traffic

To analyze IPv6 multicast traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. To view only IPv6 multicast traffic, type ipv6.addr >= ff00:: (lower case) in the Filter box and press Enter.
  2. The traffic you are most likely to see is ICMPv6 and Simple Service Discovery Protocol (SSDP) traffic. You may also see Web Services Dynamic Discovery (WS-Discovery) traffic or other multicast traffic. Whatever you find, select the first frame.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 frame.
  4. Expand Ethernet II to view the Ethernet details.
  5. Observe the Destination address. Notice that it starts with 33:33, the Ethernet multicast address for IPv6.
  6. Expand Internet Protocol Version 6 to view IPv6 details.
  7. Observe the Destination address. Notice that it begins with ff (ff00::/8), the IPv6 multicast range. If it is SSDP or WS-Discovery traffic, it will be addressed to ff02::c.
  8. Select additional frames and observe the Ethernet and IPv6 details for multicast traffic.
  9. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

References

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze ICMPv6 Neighbor Discovery Protocol (NDP) traffic.

Note: To complete this activity, you must have an administrative user account or know the username and password of an administrator account you can enter when prompted.

Readings

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Display Teredo Status

To display Teredo status:

  1. Open an elevated/administrator command prompt.
  2. Type netsh interface teredo show state and press Enter.
  3. Observe the Teredo status.

Activity 2 - Disable Teredo

If Teredo is currently enabled, disable it:

  1. Type netsh interface teredo set state disabled and press Enter.
  2. Use ipconfig to confirm that Teredo was disabled.

Activity 3 - Capture ICMPv6 NDP Traffic

To capture ICMPv6 NDP traffic:

  1. Start a Wireshark capture.
  2. Type netsh interface teredo set state default and press Enter.
  3. Use ipconfig to display Teredo settings. Note your IPv6 addresses.
  4. Use ping 2001:4860:4860::8888 to ping an Internet host by IPv6 address.
  5. Close the command prompt.
  6. Stop the Wireshark capture.

Activity 4 - Analyze Neighbor Solicitation Traffic

To analyze Neighbor Solicitation traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. To view only ICMPv6 traffic, type icmpv6 (lower case) in the Filter box and press Enter.
  2. Select the first ICMPv6 packet labeled Neighbor Solicitation.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
  4. Expand Ethernet II to view the Ethernet details.
  5. Observe the Destination address. Notice that it starts with 33:33, the Ethernet multicast address for IPv6.
  6. Expand Internet Protocol Version 6 to view IPv6 details.
  7. Observe the Destination address. Notice that it begins with ff (ff00::/8), the IPv6 multicast range.
  8. Expand Internet Control Message Protocol v6 to view ICMPv6 details.
  9. Observe the Type, Target Address, and Source link-layer address.

Activity 5 - Analyze Neighbor Advertisement Traffic

To analyze Neighbor Advertisement traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Select the next ICMPv6 packet labeled Neighbor Advertisement.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
  4. Expand Ethernet II to view the Ethernet details.
  5. Observe the Destination address. Notice that it matches the source link-layer address from the Neighbor Solicitation packet above.
  6. Expand Internet Protocol Version 6 to view IPv6 details.
  7. Observe the Source address. Notice that it matches the target address from the Neighbor Solicitation packet above.
  8. Expand Internet Control Message Protocol v6 to view ICMPv6 details.
  9. Observe the Type, Target Address, and Target link-layer address. Notice that the Neighbor Advertisement is a direct response to the Neighbor Solicitation in the previous packet.
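The relationships you read off by hand in Activities 4 and 5 can be verified programmatically. The following is an added Python example, not part of the course: it builds a constructed Neighbor Solicitation and the matching Neighbor Advertisement (hosts A and B, their MACs and link-local addresses are invented), parses the Ethernet, IPv6 and ICMPv6 fields the activities point at, validates the ICMPv6 checksum, and confirms the correspondences noted in steps 5, 7 and 9 of Activity 5.

```python
import ipaddress
import struct

ETH_IPV6 = 0x86DD
NEXT_ICMPV6 = 58
NS_TYPE, NA_TYPE = 135, 136                 # Neighbor Solicitation / Neighbor Advertisement
OPT_SRC_LLADDR, OPT_TGT_LLADDR = 1, 2       # source / target link-layer address options
NA_SOLICITED, NA_OVERRIDE = 0x40000000, 0x20000000   # S and O flags in the NA reserved word

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def solicited_node(addr: str) -> str:
    """ff02::1:ffXX:XXXX built from the low 24 bits of the target (RFC 4291)."""
    low = ipaddress.IPv6Address(addr).packed[-3:]
    return str(ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low))

def icmpv6_checksum(src: bytes, dst: bytes, msg: bytes) -> int:
    """Ones'-complement sum over the IPv6 pseudo-header and the ICMPv6 message (RFC 4443)."""
    data = src + dst + struct.pack("!I3xB", len(msg), NEXT_ICMPV6) + msg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ndp(eth_dst, eth_src, ip_src, ip_dst, icmp_type, flags, target, opt_type, opt_mac) -> bytes:
    """Assemble a constructed Ethernet/IPv6/ICMPv6 NDP frame (not a capture from the lesson)."""
    src, dst = ipaddress.IPv6Address(ip_src).packed, ipaddress.IPv6Address(ip_dst).packed
    msg = struct.pack("!BBHI", icmp_type, 0, 0, flags) + ipaddress.IPv6Address(target).packed
    msg += bytes([opt_type, 1]) + mac_bytes(opt_mac)     # option length 1 = 8 octets
    msg = msg[:2] + struct.pack("!H", icmpv6_checksum(src, dst, msg)) + msg[4:]
    ip6 = struct.pack("!IHBB", 0x60000000, len(msg), NEXT_ICMPV6, 255) + src + dst
    return mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_IPV6) + ip6 + msg

def parse_ndp(frame: bytes) -> dict:
    """Extract the fields Activities 4 and 5 have you read in the Wireshark details pane."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_IPV6:
        raise ValueError("not an IPv6 frame")
    ip6 = frame[14:54]
    plen, nxt = struct.unpack("!HB", ip6[4:7])
    if nxt != NEXT_ICMPV6:
        raise ValueError("not ICMPv6")
    src, dst = ip6[8:24], ip6[24:40]
    msg = frame[54:54 + plen]
    if icmpv6_checksum(src, dst, msg) != 0:             # a valid message sums to zero
        raise ValueError("bad ICMPv6 checksum")
    icmp_type, flags = msg[0], struct.unpack("!I", msg[4:8])[0]
    lladdr, pos = {}, 24
    while pos + 2 <= len(msg):                          # walk the TLV options
        opt_type, opt_len = msg[pos], msg[pos + 1] * 8
        if opt_len == 0:
            raise ValueError("zero-length NDP option")  # RFC 4861 requires dropping such packets
        if opt_type in (OPT_SRC_LLADDR, OPT_TGT_LLADDR):
            lladdr[opt_type] = mac_str(msg[pos + 2:pos + 8])
        pos += opt_len
    return {"eth_dst": mac_str(frame[:6]), "eth_src": mac_str(frame[6:12]),
            "src": str(ipaddress.IPv6Address(src)), "dst": str(ipaddress.IPv6Address(dst)),
            "type": icmp_type, "solicited": bool(flags & NA_SOLICITED),
            "target": str(ipaddress.IPv6Address(msg[8:24])), "lladdr": lladdr}

def is_reply(ns: dict, na: dict) -> bool:
    """The correspondences Activity 5 points out between a Solicitation and its Advertisement."""
    return (ns["type"] == NS_TYPE and na["type"] == NA_TYPE and na["solicited"]
            and ns["dst"] == solicited_node(ns["target"])        # NS went to the solicited-node group
            and ns["eth_dst"].startswith("33:33:")               # and to its 33:33 Ethernet mapping
            and na["eth_dst"] == ns["lladdr"].get(OPT_SRC_LLADDR)   # step 5
            and na["src"] == ns["target"]                        # step 7
            and na["target"] == ns["target"]                     # step 9
            and OPT_TGT_LLADDR in na["lladdr"])

# Constructed link: host A asks for the link-layer address of host B.
A_MAC, A_IP = "00:11:22:33:44:55", "fe80::211:22ff:fe33:4455"
B_MAC, B_IP = "00:aa:bb:cc:dd:ee", "fe80::2aa:bbff:fecc:ddee"
NS_FRAME = build_ndp("33:33:ff:cc:dd:ee", A_MAC, A_IP, solicited_node(B_IP),
                     NS_TYPE, 0, B_IP, OPT_SRC_LLADDR, A_MAC)
NA_FRAME = build_ndp(A_MAC, B_MAC, B_IP, A_IP,
                     NA_TYPE, NA_SOLICITED | NA_OVERRIDE, B_IP, OPT_TGT_LLADDR, B_MAC)

if __name__ == "__main__":
    ns, na = parse_ndp(NS_FRAME), parse_ndp(NA_FRAME)
    print("NS ->", ns)
    print("NA ->", na)
    print("NA answers NS:", is_reply(ns, na))
```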

Activity 6 - Analyze Multicast Listener Report Traffic

To analyze Multicast Listener Report traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Select the next ICMPv6 packet labeled Multicast Listener Report Message v2.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
  4. Expand Ethernet II to view the Ethernet details.
  5. Observe the Destination address. Notice that it starts with 33:33, the Ethernet multicast address for IPv6.
  6. Expand Internet Protocol Version 6 to view IPv6 details.
  7. Observe the Destination address. Notice that it begins with ff (ff00::/8), the IPv6 multicast range.
  8. Expand Internet Control Message Protocol v6 to view ICMPv6 details.
  9. Observe the Type and the Multicast Address Record Changed. The address ff02::1:3 is used for LLMNR.

Activity 7 - Analyze Router Solicitation Traffic

To analyze Router Solicitation traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Scroll down to select the next ICMPv6 packet labeled Router Solicitation.
  3. Observe the packet details in the middle Wireshark packet details pane. If this is a Teredo packet, you will see that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Teredo IPv6 Over UDP tunneling / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
  4. Expand Internet Protocol Version 6 to view IPv6 details.
  5. Observe the Source address and Destination address. Notice that the Destination address is ff02::2, the IPv6 link-local all-routers multicast address.

Activity 8 - Analyze Router Advertisement Traffic

To analyze Router Advertisement traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Scroll down to select the next ICMPv6 packet labeled Router Advertisement.
  3. Observe the packet details in the middle Wireshark packet details pane. If this is a Teredo packet, you will see that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Teredo IPv6 Over UDP tunneling / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
  4. Expand Internet Protocol Version 6 to view IPv6 details.
  5. Observe the Source address and Destination address. Notice that the Destination address matches the Source address in the Router Solicitation packet above.
  6. Expand Internet Control Message Protocol v6 to view ICMPv6 details.
  7. Observe Router Advertisement details.
  8. Expand ICMPv6 Option to view Prefix information.
  9. Observe Prefix details.
  10. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

Activity 9 - Disable Teredo

If Teredo was initially disabled on your system, you should disable it again:

  1. Open an elevated/administrator command prompt.
  2. Type netsh interface teredo set state disabled and press Enter.
  3. Use ipconfig to confirm that Teredo was disabled.
  4. Close the command prompt to complete this activity.

References

Lesson 10 - Transport Layer

This lesson introduces the Transport layer and looks at User Datagram Protocol (UDP) and Transmission Control Protocol (TCP). Activities include using netstat to display protocol statistics and using Wireshark to examine UDP and TCP network traffic.

Readings

  1. Wikipedia: Transport layer
  2. Wikipedia: User Datagram Protocol
  3. Wikipedia: Transmission Control Protocol

Multimedia

  1. YouTube: 03 01 Introduction to TCP & UDP Protocols
  2. YouTube: Basics of ipconfig, ping, tracert, nslookup and netstat
  3. YouTube: The Netstat Command - CompTIA Network+ N10-005: 4.3

Activities

  1. Use netstat to display protocol statistics.
  2. Use netstat to display all active connections and listening ports.
  3. Use Wireshark to capture and analyze User Datagram Protocol (UDP) traffic.
  4. Use Wireshark to capture and analyze Transmission Control Protocol (TCP) traffic.
  5. Consider situations in which a packet analyzer might be used to troubleshoot transport layer traffic.

Lesson Summary

  • The transport layer provides end-to-end communication services for applications.[1]
  • The transport layer provides services such as connection-oriented data stream support, reliability, flow control, and multiplexing.[2]
  • The Transmission Control Protocol (TCP) is used for connection-oriented transmissions. The User Datagram Protocol (UDP) is used for connection-less messaging transmissions.[3]
  • Many of the services attributed to the transport layer are specific to TCP and do not apply to UDP. These include connections, byte oriented data streams, sequencing, reliability, flow control, and congestion avoidance.[4]
  • Transport layer protocols include source and destination port numbers to identify process-to-process communication.[5] Sessions are identified using the client's IP address and port number.[6]
  • TCP packets are referred to as segments. UDP packets are referred to as datagrams.[7]
  • UDP has no handshaking dialogues, and thus exposes any unreliability of the underlying network protocol to the user's program.[8]
  • UDP provides checksums for data integrity, and port numbers for addressing different functions at the source and destination of the datagram.[9]
  • UDP is simple and stateless, with minimal delay, and works well in unidirectional (broadcast / multicast) communication.[10]
  • The UDP header includes fields for: source port, destination port, length, and checksum.[11]
  • TCP is reliable, ordered, heavyweight, and streaming.[12]
  • UDP is unreliable, un-ordered, lightweight, and without streaming or connection control.[13]
  • UDP provides a datagram service that emphasizes reduced latency over TCP stream reliability.[14] TCP is optimized for accurate delivery rather than timely delivery.[15]
  • TCP is a reliable stream delivery service that guarantees that all bytes received will be identical with bytes sent and in the correct order.[16]
  • The TCP header includes fields for: source port, destination port, sequence number, acknowledgement number, data offset, flags, window size, checksum, and an urgent pointer.[17]
  • TCP protocol operations are divided into three phases: connection establishment, data transfer, and connection termination.[18]
  • TCP connection establishment is performed through a three-way handshake exchanging sequence numbers and acknowledgements (SYN, SYN-ACK, ACK).[19]
  • TCP connection termination is performed through a four-way handshake exchanging finish flags and acknowledgements (FIN, ACK, FIN, ACK).[20]
  • TCP achieves reliable transmission by using a sequence number to account for each byte of data.[21]
  • TCP performs error detection through sequence numbers, acknowledgements, and a checksum for each packet.[22]
  • TCP uses a sliding window flow control process in which the receiver specifies the amount of additional data that it is willing to accept for the connection and the sending host can send only up to that amount of data before it must wait for an acknowledgment from the receiving host.[23]
  • TCP achieves congestion control through slow-start, congestion avoidance, fast retransmit, fast recovery, and retransmission timeout.[24]
  • TCP and UDP port numbers range from 0 to 65535.[25]
  • The Internet Assigned Numbers Authority has divided TCP and UDP port numbers into three ranges. Port numbers 0 through 1023 are used for common, well-known services. Port numbers 1024 through 49151 are registered ports used for IANA-registered services. Ports 49152 through 65535 are dynamic ports that can be used for any purpose.[26]
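The header layouts, handshake rules and port ranges above, as an added Python example that is not part of the course: it builds and parses constructed TCP segments and a UDP datagram (ports 51000 and 80, sequence numbers 1000 and 5000 are invented), checks the three-way and four-way handshake arithmetic, and classifies ports into the three IANA ranges.

```python
import struct

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
SEQ_MOD = 1 << 32                      # sequence numbers wrap at 2^32


def port_class(port: int) -> str:
    """The three IANA port ranges from the lesson summary."""
    if not 0 <= port <= 65535:
        raise ValueError("port numbers range from 0 to 65535")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def build_tcp(sport, dport, seq, ack, flags, window=65535, payload=b"") -> bytes:
    """Constructed 20-byte TCP header (no options, checksum left 0) plus payload."""
    bits = sum(TCP_FLAGS[f] for f in flags)
    offset_flags = (5 << 12) | bits    # data offset 5 words = 20 bytes
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0) + payload


def parse_tcp(segment: bytes) -> dict:
    """The header fields listed in the summary, in the order Wireshark shows them."""
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    offset = (off_flags >> 12) * 4
    if offset < 20 or offset > len(segment):
        raise ValueError("bad data offset")
    flags = {name for name, bit in TCP_FLAGS.items() if off_flags & bit}
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": win, "checksum": csum, "urgent": urg,
            "options": segment[20:offset], "payload": segment[offset:]}


def build_udp(sport, dport, payload: bytes) -> bytes:
    """UDP header: source port, destination port, length, checksum (0 = none over IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def parse_udp(datagram: bytes) -> dict:
    sport, dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError("bad UDP length")
    return {"sport": sport, "dport": dport, "length": length, "checksum": csum,
            "payload": datagram[8:length]}


def _replies(a: dict, b: dict) -> bool:
    return a["sport"] == b["dport"] and a["dport"] == b["sport"]


def handshake_ok(segments) -> bool:
    """SYN, SYN-ACK, ACK; each ACK number must equal the peer's SYN sequence number + 1."""
    if len(segments) < 3:
        return False
    syn, synack, ack = (parse_tcp(s) for s in segments[:3])
    return (syn["flags"] == {"SYN"} and synack["flags"] == {"SYN", "ACK"} and ack["flags"] == {"ACK"}
            and _replies(syn, synack) and _replies(synack, ack)
            and synack["ack"] == (syn["seq"] + 1) % SEQ_MOD
            and ack["seq"] == (syn["seq"] + 1) % SEQ_MOD
            and ack["ack"] == (synack["seq"] + 1) % SEQ_MOD)


def termination_ok(segments) -> bool:
    """FIN, ACK, FIN, ACK; each FIN consumes one sequence number just as SYN does."""
    if len(segments) < 4:
        return False
    fin1, ack1, fin2, ack2 = (parse_tcp(s) for s in segments[:4])
    return ("FIN" in fin1["flags"] and "FIN" not in ack1["flags"] and "ACK" in ack1["flags"]
            and "FIN" in fin2["flags"] and "FIN" not in ack2["flags"] and "ACK" in ack2["flags"]
            and _replies(fin1, ack1) and _replies(fin2, ack2)
            and ack1["ack"] == (fin1["seq"] + 1) % SEQ_MOD
            and ack2["ack"] == (fin2["seq"] + 1) % SEQ_MOD)


# Constructed exchange: a client on a dynamic port opens, then closes, a connection to port 80.
CLIENT, SERVER = 51000, 80
HANDSHAKE = [build_tcp(CLIENT, SERVER, 1000, 0, ["SYN"]),
             build_tcp(SERVER, CLIENT, 5000, 1001, ["SYN", "ACK"]),
             build_tcp(CLIENT, SERVER, 1001, 5001, ["ACK"])]
TEARDOWN = [build_tcp(CLIENT, SERVER, 1001, 5001, ["FIN", "ACK"]),
            build_tcp(SERVER, CLIENT, 5001, 1002, ["ACK"]),
            build_tcp(SERVER, CLIENT, 5001, 1002, ["FIN", "ACK"]),
            build_tcp(CLIENT, SERVER, 1002, 5002, ["ACK"])]
# Constructed header-only DNS query carried in UDP (12-byte DNS header, no question section).
DNS_QUERY = build_udp(CLIENT, 53, b"\x12\x34\x01\x00" + b"\x00" * 8)

if __name__ == "__main__":
    print("handshake valid:", handshake_ok(HANDSHAKE))
    print("termination valid:", termination_ok(TEARDOWN))
    print("client port:", port_class(CLIENT), "/ server port:", port_class(SERVER))
    print("udp:", parse_udp(DNS_QUERY))
```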

Key Terms

ACK
An acknowledgement signal passed between communicating processes or computers to signify acknowledgement, or receipt of response, as part of a communications protocol.[27]
application programming interface (API)
A protocol intended to be used as an interface by software components to communicate with each other.[28]
Automatic Repeat reQuest (ARQ) (or Automatic Repeat Query)
An error-control method for data transmission that uses acknowledgements (messages sent by the receiver indicating that it has correctly received a data frame or packet) and timeouts (specified periods of time allowed to elapse before an acknowledgment is to be received) to achieve reliable data transmission over an unreliable service.[29]
buffer
A region of physical memory storage used to temporarily hold data while it is being moved from one place to another.[30]
buffer underrun
A state occurring when a buffer used to communicate between two devices or processes is fed with data at a lower speed than the data is being read from it.[31]
checksum
A fixed-size datum computed from an arbitrary block of digital data for the purpose of detecting accidental errors that may have been introduced during its transmission or storage.[32]
connection-oriented communication
A data communication mode whereby the devices at the end points use a protocol to establish an end-to-end logical or physical connection before any data may be sent.[33]
connectionless
A data communication mode in which a message can be sent from one end point to another without prior arrangement.[34]
data stream
A sequence of digitally encoded coherent signals (packets of data or data packets) used to transmit or receive information that is in the process of being transmitted.[35]
datagram
A basic transfer unit associated with a packet-switched network in which the delivery, arrival time, and order of arrival are not guaranteed by the network service.[36]
deadlock
A situation in which two or more competing actions are each waiting for the other to finish, and thus neither ever does.[37]
ephemeral port
A short-lived transport protocol port allocated automatically from a predefined range.[38]
error detection
Techniques that enable reliable delivery of digital data over unreliable communication channels.[39]
flow control
The process of managing the rate of data transmission between two nodes to prevent a fast sender from outrunning a slow receiver.[40]
handshaking
An automated process of negotiation that dynamically sets parameters of a communications channel established between two entities before normal communication over the channel begins.[41]
latency
A measure of time delay experienced in a system.[42]
maximum segment size (MSS)
A parameter of the TCP protocol that specifies the largest amount of data that a computer or communications device can receive in a single TCP segment.[43]
multiplexing
A method by which multiple analog message signals or digital data streams are combined into one signal over a shared medium.[44]
NAK
A negative acknowledgement signal passed between communicating processes or computers to signify an error or lack of acceptance as part of a communications protocol.[45]
network congestion
A data communication situation in which a link or node is carrying so much data that its quality of service deteriorates.[46]
registered port
A transport protocol port assigned by the Internet Assigned Numbers Authority (IANA) for use with a certain protocol or application.[47]
reliability
A reliable protocol is one that provides reliability properties with respect to the delivery of data to the intended recipient(s), as opposed to an unreliable protocol, which does not provide notifications to the sender as to the delivery of transmitted data.[48]
Slow-start
One of the algorithms that TCP uses to control congestion inside the network, in which the TCP window size is increased each time an acknowledgment is received.[49]
TCP window scale option
An option to increase the TCP receive window size above its maximum value of 65,535 bytes.[50]

Review Questions

  1. The transport layer provides _____.
    The transport layer provides end-to-end communication services for applications.
  2. The transport layer provides services such as _____.
    The transport layer provides services such as connection-oriented data stream support, reliability, flow control, and multiplexing.
  3. The Transmission Control Protocol (TCP) is used for _____ transmissions. The User Datagram Protocol (UDP) is used for _____ transmissions.
    The Transmission Control Protocol (TCP) is used for connection-oriented transmissions. The User Datagram Protocol (UDP) is used for connection-less messaging transmissions.
  4. Many of the services attributed to the transport layer are specific to _____ and do not apply to _____. These include connections, byte oriented data streams, sequencing, reliability, flow control, and congestion avoidance.
    Many of the services attributed to the transport layer are specific to TCP and do not apply to UDP. These include connections, byte oriented data streams, sequencing, reliability, flow control, and congestion avoidance.
  5. Transport layer protocols include source and destination _____ to identify process-to-process communication. Sessions are identified using _____.
    Transport layer protocols include source and destination port numbers to identify process-to-process communication. Sessions are identified using the client's IP address and port number.
  6. TCP packets are referred to as _____. UDP packets are referred to as _____.
    TCP packets are referred to as segments. UDP packets are referred to as datagrams.
  7. UDP has no _____, and thus exposes any unreliability of the underlying network protocol to the user's program.
    UDP has no handshaking dialogues, and thus exposes any unreliability of the underlying network protocol to the user's program.
  8. UDP provides _____ for data integrity, and _____ for addressing different functions at the source and destination of the datagram.
    UDP provides checksums for data integrity, and port numbers for addressing different functions at the source and destination of the datagram.
  9. UDP is _____, with _____ delay, and works well in unidirectional (broadcast / multicast) communication.
    UDP is simple and stateless, with minimal delay, and works well in unidirectional (broadcast / multicast) communication.
  10. The UDP header includes fields for: _____.
    The UDP header includes fields for: source port, destination port, length, and checksum.
  11. TCP is _____.
    TCP is reliable, ordered, heavyweight, and streaming.
  12. UDP is _____.
    UDP is unreliable, un-ordered, lightweight, and without streaming or connection control.
  13. UDP provides a datagram service that emphasizes _____ over TCP _____. TCP is optimized for _____ rather than _____.
    UDP provides a datagram service that emphasizes reduced latency over TCP stream reliability. TCP is optimized for accurate delivery rather than timely delivery.
  14. TCP is a _____ delivery service that _____.
    TCP is a reliable stream delivery service that guarantees that all bytes received will be identical with bytes sent and in the correct order.
  15. The TCP header includes fields for: _____.
    The TCP header includes fields for: source port, destination port, sequence number, acknowledgement number, data offset, flags, window size, checksum, and an urgent pointer.
  16. TCP protocol operations are divided into three phases: _____.
    TCP protocol operations are divided into three phases: connection establishment, data transfer, and connection termination.
  17. TCP connection establishment is performed through _____.
    TCP connection establishment is performed through a three-way handshake exchanging sequence numbers and acknowledgements (SYN, SYN-ACK, ACK).
  18. TCP connection termination is performed through _____.
    TCP connection termination is performed through a four-way handshake exchanging finish flags and acknowledgements (FIN, ACK, FIN, ACK).
  19. TCP achieves reliable transmission by using _____.
    TCP achieves reliable transmission by using a sequence number to account for each byte of data.
  20. TCP performs error detection through _____.
    TCP performs error detection through sequence numbers, acknowledgements, and a checksum for each packet.
  21. TCP uses a sliding window flow control process in which _____.
    TCP uses a sliding window flow control process in which the receiver specifies the amount of additional data that it is willing to accept for the connection and the sending host can send only up to that amount of data before it must wait for an acknowledgment from the receiving host.
  22. TCP achieves congestion control through _____.
    TCP achieves congestion control through slow-start, congestion avoidance, fast retransmit, fast recovery, and retransmission timeout.
  23. TCP and UDP port numbers range from _____.
    TCP and UDP port numbers range from 0 to 65535.
  24. The Internet Assigned Numbers Authority has divided TCP and UDP port numbers into three ranges. Port numbers _____ are used for common, well-known services. Port numbers _____ are registered ports used for IANA-registered services. Ports _____ are dynamic ports that can be used for any purpose.
    The Internet Assigned Numbers Authority has divided TCP and UDP port numbers into three ranges. Port numbers 0 through 1023 are used for common, well-known services. Port numbers 1024 through 49151 are registered ports used for IANA-registered services. Ports 49152 through 65535 are dynamic ports that can be used for any purpose.

Assessments

See Also

References

  Type classification: this is a lesson resource.
  Completion status: this resource is considered to be complete.

Netstat is a command-line tool that displays network statistics on a variety of operating systems. This activity will show you how to use the netstat command to display statistics by protocol.

Preparation

To prepare for this activity:

  1. Start your operating system.
  2. Log in if necessary.

Activity 1 - Display Statistics by Protocol

To display statistics by protocol:

  1. Open a command prompt.
  2. Type netstat -s.
  3. Press Enter.
  4. Observe the statistics for IPv4, IPv6, ICMPv4, ICMPv6, TCP, and UDP.
  5. Close the command prompt to complete this activity.

Readings

References

Netstat is a command-line tool that displays network statistics on a variety of operating systems. This activity will show you how to use the netstat command to display all active connections (TCP and UDP).

Preparation

To prepare for this activity:

  1. Start your operating system.
  2. Log in if necessary.

Activity 1 - Display All Active Connections

To display all active connections:

  1. Open a command prompt.
  2. Type netstat -a.
  3. Press Enter.
  4. Observe active TCP and UDP connections and listening ports, the local address and port number, the remote name or address and port number if a connection is established, and the connection status.

Activity 2 - Display All Active Connections by Number

To display all active connections by number (IP address) instead of by host name:

  1. Type netstat -a -n.
  2. Press Enter.
  3. Observe active TCP and UDP connections and listening ports, the local address and port number, the remote name or address and port number if a connection is established, and the connection status.
  4. Close the command prompt to complete this activity.

Readings

References

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze User Datagram Protocol (UDP) traffic.

Readings

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture UDP Traffic

To capture UDP traffic:

  1. Start a Wireshark capture.
  2. Open a command prompt.
  3. Type ipconfig /renew and press Enter to renew your DHCP assigned IP address. If you have a static address, this will not generate any UDP traffic.
  4. Type ipconfig /flushdns and press Enter to clear your DNS name cache.
  5. Type nslookup 8.8.8.8 and press Enter to look up the hostname for IP address 8.8.8.8.
  6. Close the command prompt.
  7. Stop the Wireshark capture.

Activity 2 - Analyze UDP DHCP Traffic

To analyze UDP DHCP traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. To view only UDP traffic related to the DHCP renewal, type udp.port == 68 (lower case) in the Filter box and press Enter.
  2. Select the first DHCP packet, labeled DHCP Request.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
  4. Expand Ethernet II to view Ethernet details.
  5. Observe the Destination and Source fields. The destination should be your DHCP server's MAC address and the source should be your MAC address. You can use ipconfig /all to confirm.
  6. Expand Internet Protocol Version 4 to view IP details.
  7. Observe the Source address. Notice that the source address is your IP address.
  8. Observe the Destination address. Notice that the destination address is the DHCP server IP address.
  9. Expand User Datagram Protocol to view UDP details.
  10. Observe the Source port. Notice that it is bootpc (68), the bootp client port.
  11. Observe the Destination port. Notice that it is bootps (67), the bootp server port.
  12. In the top Wireshark packet list pane, select the second DHCP packet, labeled DHCP ACK.
  13. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
  14. Expand Ethernet II to view Ethernet details.
  15. Observe the Destination and Source fields. The destination should be your MAC address and the source should be your DHCP server's MAC address.
  16. Expand Internet Protocol Version 4 to view IP details.
  17. Observe the Source address. Notice that the source address is the DHCP server IP address.
  18. Observe the Destination address. Notice that the destination address is your IP address.
  19. Expand User Datagram Protocol to view UDP details.
  20. Observe the Source port. Notice that it is bootps (67), the bootp server port.
  21. Observe the Destination port. Notice that it is bootpc (68), the bootp client port.

Activity 3 - Analyze UDP DNS Traffic

To analyze UDP DNS traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. To view only UDP traffic related to the DNS lookup, type udp.port == 53 (lower case) in the Filter box and press Enter.
  2. Select the first DNS packet, labeled Standard query.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Domain Name System (query) frame.
  4. Expand Ethernet II to view Ethernet details.
  5. Observe the Destination and Source fields. The destination should be your DNS server's MAC address if it is local, or your default gateway's MAC address if the DNS server is remote. The source should be your MAC address. You can use ipconfig /all to confirm.
  6. Expand Internet Protocol Version 4 to view IP details.
  7. Observe the Source address. Notice that the source address is your IP address.
  8. Observe the Destination address. Notice that the destination address is the DNS server IP address.
  9. Expand User Datagram Protocol to view UDP details.
  10. Observe the Source port. Notice that it is a dynamic port selected for this DNS query.
  11. Observe the Destination port. Notice that it is domain (53), the DNS server port.
  12. In the top Wireshark packet list pane, select the second DNS packet, labeled Standard query response.
  13. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Domain Name System (response) frame.
  14. Expand Ethernet II to view Ethernet details.
  15. Observe the Destination and Source fields. The destination should be your MAC address and the source should be your DNS server's MAC address if it is local, or your default gateway's MAC address if the DNS server is remote.
  16. Expand Internet Protocol Version 4 to view IP details.
  17. Observe the Source address. Notice that the source address is the DNS server IP address.
  18. Observe the Destination address. Notice that the destination address is your IP address.
  19. Expand User Datagram Protocol to view UDP details.
  20. Observe the Source port. Notice that it is domain (53), the DNS server port.
  21. Observe the Destination port. Notice that it is the same dynamic port used to make the DNS query in the first packet.
  22. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
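The port relationships the two analyses above point out (bootpc 68 to bootps 67 and back, an ephemeral port to domain 53 and back) can be checked programmatically. The following is an added example, not code from the Wikiversity page: it decodes constructed UDP headers the way Wireshark's UDP pane does, verifies the checksum over the IPv4 pseudo-header, and pairs each request with the reply whose ports are the reverse of its own; all addresses and datagrams are made up for the example.

```python
"""Added example for the UDP lab above; it is not part of the Wikiversity
page, and the four datagrams below are constructed, not a real capture.

Decodes the RFC 768 UDP header as Wireshark's UDP pane shows it, labels the
ports the lab points out (bootpc 68, bootps 67, domain 53, IANA dynamic
ports), verifies the checksum over the IPv4 pseudo-header, and pairs each
request with the reply whose ports are the reverse of its own.
"""
import struct

PORT_NAMES = {53: "domain", 67: "bootps", 68: "bootpc"}
DYNAMIC_START, DYNAMIC_END = 49152, 65535      # IANA dynamic/private range
UDP_PROTO = 17


def port_name(port):
    """Wireshark-style label: 'bootpc (68)', 'dynamic (52344)' or the number."""
    if port in PORT_NAMES:
        return f"{PORT_NAMES[port]} ({port})"
    if DYNAMIC_START <= port <= DYNAMIC_END:
        return f"dynamic ({port})"
    return str(port)


def ones_complement_sum(data):
    """16-bit one's-complement sum shared by the IP, UDP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"                     # odd length is padded with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip, dst_ip, udp_bytes):
    """Checksum over pseudo-header + UDP header (checksum field zeroed) + data."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, UDP_PROTO, len(udp_bytes))
    zeroed = udp_bytes[:6] + b"\x00\x00" + udp_bytes[8:]
    csum = (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF
    return csum or 0xFFFF                   # a computed 0 is transmitted as 0xFFFF


def build_udp(src_ip, dst_ip, sport, dport, payload):
    """Constructed datagram with a correct length and checksum."""
    header = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = udp_checksum(src_ip, dst_ip, header + payload)
    return header[:6] + struct.pack("!H", csum) + payload


def parse_udp(src_ip, dst_ip, udp_bytes):
    """Return the fields shown in the UDP pane plus a checksum verdict."""
    sport, dport, length, csum = struct.unpack("!HHHH", udp_bytes[:8])
    if length != len(udp_bytes):
        raise ValueError(f"length field {length} != {len(udp_bytes)} bytes present")
    return {
        "sport": sport, "dport": dport, "length": length,
        "src": port_name(sport), "dst": port_name(dport),
        # zero means the sender skipped the checksum, which IPv4 allows
        "checksum_ok": csum == 0 or csum == udp_checksum(src_ip, dst_ip, udp_bytes),
    }


def pair_flows(packets):
    """Pair requests with replies: a reply carries the request's ports swapped.

    packets is a list of (src_ip, dst_ip, udp_bytes) in capture order;
    the result is a list of (request_index, reply_index).
    """
    pairs, pending = [], {}
    for i, (sip, dip, raw) in enumerate(packets):
        sport, dport = struct.unpack("!HH", raw[:4])
        reverse = (dip, dport, sip, sport)
        if reverse in pending:
            pairs.append((pending.pop(reverse), i))
        else:
            pending[(sip, sport, dip, dport)] = i
    return pairs


CLIENT = bytes([192, 168, 1, 10])   # constructed lab addresses
SERVER = bytes([192, 168, 1, 1])    # DHCP and DNS server on the same host
SAMPLE = [
    (CLIENT, SERVER, build_udp(CLIENT, SERVER, 68, 67, b"DHCP Request")),
    (SERVER, CLIENT, build_udp(SERVER, CLIENT, 67, 68, b"DHCP ACK")),
    (CLIENT, SERVER, build_udp(CLIENT, SERVER, 52344, 53, b"DNS query")),
    (SERVER, CLIENT, build_udp(SERVER, CLIENT, 53, 52344, b"DNS response")),
]

if __name__ == "__main__":
    for sip, dip, raw in SAMPLE:
        f = parse_udp(sip, dip, raw)
        print(f"{f['src']:>16} -> {f['dst']:<16} len={f['length']} checksum_ok={f['checksum_ok']}")
    print("request/reply pairs:", pair_flows(SAMPLE))
```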

References

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Transmission Control Protocol (TCP) traffic.

Readings

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.
  4. Install the Telnet client.

Activity 1 - Capture TCP Traffic

To capture TCP traffic:

  1. Start a Wireshark capture.
  2. Open a command prompt.
  3. Type telnet www.google.com 80 and press Enter.
  4. Close the command prompt to close the TCP connection.
  5. Stop the Wireshark capture.

Activity 2 - Analyze TCP SYN Traffic

To analyze TCP SYN traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. To view only TCP traffic related to the web server connection, type tcp.port == 80 (lower case) in the Filter box and press Enter.
  2. Select the first TCP packet, labeled http [SYN].
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
  4. Expand Ethernet II to view Ethernet details.
  5. Observe the Destination and Source fields. The destination should be your default gateway's MAC address and the source should be your MAC address. You can use ipconfig /all to confirm.
  6. Expand Internet Protocol Version 4 to view IP details.
  7. Observe the Source address. Notice that the source address is your IP address.
  8. Observe the Destination address. Notice that the destination address is the IP address of one of Google's web servers.
  9. Expand Transmission Control Protocol to view TCP details.
  10. Observe the Source port. Notice that it is a dynamic port selected for this connection.
  11. Observe the Destination port. Notice that it is http (80).
  12. Observe the Sequence number. Notice that it is 0 (relative sequence number). To see the actual sequence number, select the Sequence number to highlight the sequence number in the bottom Wireshark bytes pane.
  13. Expand Flags to view flag details.
  14. Observe the flag settings. Notice that SYN is set, indicating the first segment in the TCP three-way handshake.

Activity 3 - Analyze TCP SYN, ACK Traffic

To analyze TCP SYN, ACK traffic:

  1. In the top Wireshark packet list pane, select the second TCP packet, labeled SYN, ACK.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be your MAC address and the source should be your default gateway MAC address.
  5. Expand Internet Protocol Version 4 to view IP details.
  6. Observe the Source address. Notice that the source address is the Google web server IP address.
  7. Observe the Destination address. Notice that the destination address is your IP address.
  8. Expand Transmission Control Protocol to view TCP details.
  9. Observe the Source port. Notice that it is http (80).
  10. Observe the Destination port. Notice that it is the same dynamic port selected for this connection.
  11. Observe the Sequence number. Notice that it is 0 (relative sequence number). To see the actual sequence number, select Sequence number to highlight the sequence number in the bottom Wireshark bytes pane.
  12. Observe the Acknowledgement number. Notice that it is 1 (relative ack number). To see the actual acknowledgement number, select Acknowledgement number to highlight the acknowledgement number in the bottom pane. Notice that the actual acknowledgement number is one greater than the sequence number in the previous segment.
  13. Expand Flags to view flag details.
  14. Observe the flag settings. Notice that SYN and ACK are set, indicating the second segment in the TCP three-way handshake.

Activity 4 - Analyze TCP ACK Traffic

To analyze TCP ACK traffic:

  1. In the top Wireshark packet list pane, select the third TCP packet, labeled http ACK.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be your default gateway MAC address and the source should be your MAC address.
  5. Expand Internet Protocol Version 4 to view IP details.
  6. Observe the Source address. Notice that the source address is your IP address.
  7. Observe the Destination address. Notice that the destination address is the Google web server IP address.
  8. Expand Transmission Control Protocol to view TCP details.
  9. Observe the Source port. Notice that it is the same dynamic port selected for this connection.
  10. Observe the Destination port. Notice that it is http (80).
  11. Observe the Sequence number. Notice that it is 1 (relative sequence number). To see the actual sequence number, select Sequence number to highlight the sequence number in the bottom Wireshark bytes pane.
  12. Observe the Acknowledgement number. Notice that it is 1 (relative ack number). To see the actual acknowledgement number, select Acknowledgement number to highlight the acknowledgement number in the bottom pane.
  13. Expand Flags to view flag details.
  14. Observe the flag settings. Notice that ACK is set, indicating the third segment in the TCP three-way handshake. The client has established a TCP connection with the server.

Activity 5 - Analyze TCP FIN ACK Traffic

To analyze TCP FIN ACK traffic:

  1. In the top Wireshark packet list pane, select the fourth TCP packet, labeled http FIN, ACK.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be your default gateway MAC address and the source should be your MAC address.
  5. Expand Internet Protocol Version 4 to view IP details.
  6. Observe the Source address. Notice that the source address is your IP address.
  7. Observe the Destination address. Notice that the destination address is the Google web server IP address.
  8. Expand Transmission Control Protocol to view TCP details.
  9. Observe the Source port. Notice that it is the same dynamic port selected for this connection.
  10. Observe the Destination port. Notice that it is http (80).
  11. Observe the Sequence number. Notice that it is 1 (relative sequence number).
  12. Observe the Acknowledgement number. Notice that it is 1 (relative ack number).
  13. Expand Flags to view flag details.
  14. Observe the flag settings. Notice that FIN and ACK are set, indicating the first segment in the TCP teardown handshake. The client has indicated it is closing the TCP connection with the server.

Activity 6 - Analyze TCP FIN ACK Traffic

To analyze TCP FIN ACK traffic:

  1. In the top Wireshark packet list pane, select the fifth TCP packet, labeled FIN, ACK.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be your MAC address and the source should be your default gateway MAC address.
  5. Expand Internet Protocol Version 4 to view IP details.
  6. Observe the Source address. Notice that the source address is the Google web server IP address.
  7. Observe the Destination address. Notice that the destination address is your IP address.
  8. Expand Transmission Control Protocol to view TCP details.
  9. Observe the Source port. Notice that it is http (80).
  10. Observe the Destination port. Notice that it is the same dynamic port selected for this connection.
  11. Observe the Sequence number. Notice that it is 1 (relative sequence number).
  12. Observe the Acknowledgement number. Notice that it is 2 (relative ack number).
  13. Expand Flags to view flag details.
  14. Observe the flag settings. Notice that FIN and ACK are set, indicating the second segment in the TCP teardown handshake. The server has indicated it is closing the TCP connection with the client.

Activity 7 - Analyze TCP ACK Traffic

To analyze TCP ACK traffic:

  1. In the top Wireshark packet list pane, select the sixth TCP packet, labeled http ACK.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be your default gateway MAC address and the source should be your MAC address.
  5. Expand Internet Protocol Version 4 to view IP details.
  6. Observe the Source address. Notice that the source address is your IP address.
  7. Observe the Destination address. Notice that the destination address is the Google web server IP address.
  8. Expand Transmission Control Protocol to view TCP details.
  9. Observe the Source port. Notice that it is the same dynamic port selected for this connection.
  10. Observe the Destination port. Notice that it is http (80).
  11. Observe the Sequence number. Notice that it is 2 (relative sequence number).
  12. Observe the Acknowledgement number. Notice that it is 2 (relative ack number).
  13. Expand Flags to view flag details.
  14. Observe the flag settings. Notice that ACK is set, indicating the third segment in the TCP teardown handshake. The client has acknowledged the server closing the TCP connection.
  15. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
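Activities 2 through 7 read relative sequence and acknowledgement numbers off six segments. The following is an added example, not code from the Wikiversity page: it takes constructed absolute sequence numbers for the same six segments, reproduces Wireshark's relative numbering by subtracting each direction's initial sequence number, counts the sequence number that SYN and FIN each consume, and flags a segment whose sequence number does not follow on from the previous one in its direction. The addresses and initial sequence numbers are made up for the example.

```python
"""Added example for the TCP lab above; it is not part of the Wikiversity
page and uses constructed segment data rather than a real capture.

Reproduces the relative sequence and acknowledgement numbers Wireshark
shows for the six segments the lab walks through (SYN, SYN/ACK, ACK,
FIN/ACK, FIN/ACK, ACK).  Wireshark subtracts each direction's initial
sequence number (ISN); SYN and FIN each consume one sequence number,
which is why the SYN/ACK acknowledges ISN+1 and the last ACK shows 2/2.
"""

FIN, SYN, ACK = 0x01, 0x02, 0x10  # TCP flag bits (RFC 793)
MOD = 1 << 32                     # sequence numbers wrap at 2^32

CLIENT, SERVER = "192.168.1.10", "203.0.113.80"  # constructed addresses


def flag_text(flags):
    """Wireshark-style label such as '[SYN, ACK]' or '[FIN, ACK]'."""
    names = [n for bit, n in ((SYN, "SYN"), (FIN, "FIN"), (ACK, "ACK")) if flags & bit]
    return "[" + ", ".join(names) + "]"


def seg(src, dst, seq, ack, flags, payload_len=0):
    """One segment as read from the Wireshark TCP pane (absolute numbers)."""
    return {"src": src, "dst": dst, "seq": seq, "ack": ack,
            "flags": flags, "payload_len": payload_len}


def annotate(segments):
    """Add rel_seq, rel_ack, ack_in_order, label and phase to each segment.

    Raises ValueError when a direction does not start with a SYN or a
    segment's sequence number does not follow the previous one in that
    direction (what an analyst would flag as loss, reordering or injection).
    """
    isn, next_seq = {}, {}
    syns = teardown = 0
    handshake_done = False
    out = []
    for s in segments:
        fwd, rev = (s["src"], s["dst"]), (s["dst"], s["src"])
        if fwd not in isn:
            if not s["flags"] & SYN:
                raise ValueError(f"first segment from {s['src']} is not a SYN")
            isn[fwd] = s["seq"]
        elif s["seq"] != next_seq[fwd]:
            raise ValueError(f"{s['src']}->{s['dst']}: expected seq "
                             f"{next_seq[fwd]}, got {s['seq']}")
        a = dict(s, label=flag_text(s["flags"]))
        a["rel_seq"] = (s["seq"] - isn[fwd]) % MOD
        if s["flags"] & ACK and rev in isn:
            # the ACK field counts from the *other* side's ISN
            a["rel_ack"] = (s["ack"] - isn[rev]) % MOD
            # "one greater than the sequence number in the previous segment"
            a["ack_in_order"] = s["ack"] == next_seq[rev]
        else:
            a["rel_ack"] = a["ack_in_order"] = None
        consumed = s["payload_len"] + bool(s["flags"] & SYN) + bool(s["flags"] & FIN)
        next_seq[fwd] = (s["seq"] + consumed) % MOD
        if s["flags"] & SYN:
            syns += 1
            a["phase"] = f"three-way handshake segment {syns}"
        elif teardown or s["flags"] & FIN:
            teardown += 1
            a["phase"] = f"teardown segment {teardown}"
        elif syns == 2 and not handshake_done:
            handshake_done = True
            a["phase"] = "three-way handshake segment 3"
        else:
            a["phase"] = "data or acknowledgement"
        out.append(a)
    return out


def rejects(segments):
    """True if annotate() refuses the sequence (checks the gap detection)."""
    try:
        annotate(segments)
        return False
    except ValueError:
        return True


# Constructed ISNs: the client picked 0x1A2B3C4D, the server 0x5E6F7081.
C_ISN, S_ISN = 0x1A2B3C4D, 0x5E6F7081
SAMPLE = [
    seg(CLIENT, SERVER, C_ISN,     0,         SYN),        # 1: [SYN]
    seg(SERVER, CLIENT, S_ISN,     C_ISN + 1, SYN | ACK),  # 2: [SYN, ACK]
    seg(CLIENT, SERVER, C_ISN + 1, S_ISN + 1, ACK),        # 3: [ACK]
    seg(CLIENT, SERVER, C_ISN + 1, S_ISN + 1, FIN | ACK),  # 4: [FIN, ACK]
    seg(SERVER, CLIENT, S_ISN + 1, C_ISN + 2, FIN | ACK),  # 5: [FIN, ACK]
    seg(CLIENT, SERVER, C_ISN + 2, S_ISN + 2, ACK),        # 6: [ACK]
]

if __name__ == "__main__":
    for n, a in enumerate(annotate(SAMPLE), 1):
        print(f"{n}: {a['src']} -> {a['dst']} {a['label']:<11} "
              f"seq={a['rel_seq']} ack={a['rel_ack']}  {a['phase']}")
```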

References

Lesson 11 - Address Assignment

This lesson introduces dynamic addressing and looks at the Bootstrap Protocol (BOOTP) and the Dynamic Host Configuration Protocol for IPv4 (DHCP) and IPv6 (DHCPv6). Activities include using Wireshark to examine BOOTP, DHCP, and DHCPv6 network traffic.

Readings

  1. Wikipedia: Link-local address
  2. Wikipedia: Bootstrap Protocol
  3. Wikipedia: Dynamic Host Configuration Protocol
  4. Wikipedia: DHCPv6
  5. Wikipedia: Prefix delegation

Multimedia

  1. YouTube: DHCP Addressing Overview - CompTIA Network+ N10-005: 2.3
  2. YouTube: The DHCP Process in Wireshark
  3. YouTube: Understanding APIPA - CompTIA Network+ N10-005: 1.3

Activities

  1. View and test a link-local address.
  2. Use Wireshark to capture and analyze Dynamic Host Configuration Protocol (DHCP) traffic.
  3. Use Wireshark to capture and analyze DHCPv6 traffic.
  4. Consider situations in which a packet analyzer might be used to troubleshoot address assignment traffic.

Lesson Summary

  • A link-local address is an Internet Protocol address that is intended only for communications within the segment of a local network (a link) or a point-to-point connection that a host is connected to.[1]
  • Routers do not forward packets with link-local addresses.[2]
  • Link-local addresses for IPv4 are defined in the address block 169.254.0.0/16.[3]
  • Link-local addresses for IPv6 are defined with the prefix fe80::/64.[4]
  • Unlike IPv4, IPv6 requires a link-local address to be assigned to every network interface on which the IPv6 protocol is enabled, even when one or more routable addresses are also assigned.[5]
  • The IPv6 link-local address is required for sublayer operations of the Neighbor Discovery Protocol (NDP) and DHCPv6.[6]
  • The Bootstrap Protocol, or BOOTP, is a network protocol used by a network client to obtain an IP address from a configuration server.[7]
  • The Dynamic Host Configuration Protocol (DHCP) is a more advanced protocol for the same purpose as BOOTP and has superseded the use of BOOTP.[8] DHCP is an extension of BOOTP and uses the same datagram format.[9]
  • Most DHCP servers also function as BOOTP servers.[10]
  • The BOOTP protocol replaced the Reverse Address Resolution Protocol (RARP).[11]
  • BOOTP, and therefore DHCP, supports the use of a relay agent, which allows BOOTP packets to be forwarded from the local network so that one central BOOTP server can serve hosts on many subnets.[12]
  • The Dynamic Host Configuration Protocol (DHCP) is a network protocol that is used to configure network devices so that they can communicate on an IP network.[13]
  • DHCP servers maintain a database of available IP addresses and configuration information.[14]
  • Network links without a DHCP server can use DHCP relay agents to receive messages from DHCP clients and forward them to DHCP servers. DHCP servers send responses back to the relay agent, and the relay agent then sends these responses to the DHCP client on the local network link.[15]
  • DHCP servers typically grant IP addresses to clients only for a limited interval. DHCP clients are responsible for renewing their IP address before that interval has expired, and must stop using the address once the interval has expired, if they have not been able to renew it.[16]
  • By default, clients attempt to renew their lease using unicast (directed) traffic starting at one half of lease time, also known as renewal time (T1).[17]
  • By default, clients attempt to renew their lease using broadcast traffic starting at 87.5% of lease time, also known as rebinding time (T2).[18]
  • DHCP servers assign addresses through either dynamic or automatic allocation, or through static allocation (address reservations).[19]
  • DHCPv4 operations fall into four basic phases: IP discovery, IP lease offer, IP request, and IP lease acknowledgement. These points are often abbreviated as DORA (Discovery, Offer, Request, Acknowledgement).[20]
  • DHCPv4 options provided to clients include subnet mask, router (default gateway), domain name server, domain name, NetBIOS name servers (WINS), lease time, renewal time (T1), rebinding time (T2), and others.[21]
  • The base DHCP protocol does not include any mechanism for authentication. Because of this, it is vulnerable to a variety of attacks including unauthorized servers, unauthorized clients, and address exhaustion attacks from malicious clients.[22]
  • DHCPv6 operations are similar to DHCPv4, but are described as Solicit, Advertise, Request, and Reply.[23] Renewals are processed with Renew and Reply.[24]
  • DHCPv6-PD prefix delegation is used to assign a network address prefix to a user site, configuring the user's router with the prefix to be used for each LAN.[25]
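The lease timers, DORA message types and option list in the summary above can be seen by decoding the options area of a DHCP message. The following is an added example, not code from the Wikiversity page: it parses constructed DHCP ACK options (option codes from RFC 2132), fills in the default T1 (one half of the lease) and T2 (87.5% of the lease) when the server omits them, reports the client's renewal state at a point in the lease, and checks an address against the two link-local blocks the summary lists. The addresses and lease values are made up for the example.

```python
"""Added example for the Lesson 11 summary above; it is not part of the
Wikiversity page, and the DHCP ACK options below are constructed data.

Decodes the options area of a DHCPv4 message as the lab reads it in the
Bootstrap Protocol pane (message type, lease time, T1/T2, subnet mask,
router, DNS, domain name; option codes from RFC 2132), fills in the default
renewal (T1 = 1/2 lease) and rebinding (T2 = 7/8 lease) times when the
server omits them, and reports the client's state at a given point in the
lease.  is_link_local() checks the two blocks the summary lists.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # separates the fixed BOOTP fields from the options
MESSAGE_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 4: "Decline",
                 5: "ACK", 6: "NAK", 7: "Release"}           # option 53 values
OPTION_NAMES = {1: "subnet_mask", 3: "router", 6: "dns", 15: "domain_name",
                44: "netbios_ns", 51: "lease_time", 53: "message_type",
                58: "renewal_t1", 59: "rebinding_t2"}
LINK_LOCAL = (ipaddress.ip_network("169.254.0.0/16"), ipaddress.ip_network("fe80::/64"))


def parse_options(data):
    """Parse the TLV option list that follows the magic cookie."""
    if data[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(data):
        code = data[i]
        if code == 0:                       # pad, single byte
            i += 1
            continue
        if code == 255:                     # end of options
            break
        if i + 1 >= len(data):
            raise ValueError(f"option {code} has no length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        i += 2 + length
        name = OPTION_NAMES.get(code, f"option_{code}")
        if code == 53:
            opts[name] = MESSAGE_TYPES.get(value[0], f"unknown ({value[0]})")
        elif code in (51, 58, 59):          # 32-bit number of seconds
            opts[name] = struct.unpack("!I", value)[0]
        elif code == 1:
            opts[name] = str(ipaddress.IPv4Address(value))
        elif code in (3, 6, 44):            # one or more IPv4 addresses
            opts[name] = [str(ipaddress.IPv4Address(value[j:j + 4]))
                          for j in range(0, length, 4)]
        elif code == 15:
            opts[name] = value.decode("ascii", "replace")
        else:
            opts[name] = value.hex()
    return opts


def lease_timers(opts):
    """(lease, T1, T2) in seconds, applying the defaults when T1/T2 are absent."""
    lease = opts["lease_time"]
    t1 = opts.get("renewal_t1", lease // 2)        # 50 %: unicast renewal
    t2 = opts.get("rebinding_t2", lease * 7 // 8)  # 87.5 %: broadcast rebinding
    return lease, t1, t2


def client_state(opts, elapsed):
    """What the client should be doing `elapsed` seconds after the ACK."""
    lease, t1, t2 = lease_timers(opts)
    if elapsed >= lease:
        return "EXPIRED: stop using the address (APIPA/link-local fallback)"
    if elapsed >= t2:
        return "REBINDING: broadcast DHCP Request to any server"
    if elapsed >= t1:
        return "RENEWING: unicast DHCP Request to the leasing server"
    return "BOUND"


def is_link_local(addr):
    """True for 169.254.0.0/16 (IPv4) or fe80::/64 (IPv6), as in the summary."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in LINK_LOCAL)


def opt(code, value):
    """Encode one TLV option."""
    return bytes([code, len(value)]) + value


def ip4(text):
    """Packed four-byte form of a dotted IPv4 address."""
    return ipaddress.IPv4Address(text).packed


# Constructed options from a DHCP ACK that did not send T1/T2 explicitly.
SAMPLE_ACK_OPTIONS = (
    MAGIC_COOKIE
    + opt(53, b"\x05")                                 # DHCP Message Type: ACK (5)
    + opt(51, struct.pack("!I", 86400))                # lease time: one day
    + opt(1, ip4("255.255.255.0"))                     # subnet mask
    + opt(3, ip4("192.168.1.1"))                       # router (default gateway)
    + opt(6, ip4("192.168.1.1") + ip4("192.168.1.2"))  # domain name servers
    + opt(15, b"lab.example")                          # domain name
    + b"\xff"
)

if __name__ == "__main__":
    opts = parse_options(SAMPLE_ACK_OPTIONS)
    print(opts)
    print("lease/T1/T2:", lease_timers(opts))
    for t in (0, 43200, 75600, 86400):
        print(f"{t:>6}s: {client_state(opts, t)}")
```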

Key Terms

Automatic Private IP Addressing (APIPA)
Microsoft's terminology for link-local addressing.[26]
Bootstrapping
A self-sustaining process that proceeds without external help.[27]
diskless node
A workstation or personal computer without disk drives, which employs network booting to load its operating system from a server.[28]
fault-tolerant
A design that enables a system to continue operation, possibly at a reduced level, rather than failing completely when some part of the system fails.[29]
Preboot eXecution Environment (PXE, sometimes pronounced "pixie")
An environment to boot computers using a network interface independent of local data storage devices (like hard disks) or installed operating systems.[30]
Reverse Address Resolution Protocol (RARP)
An obsolete protocol that finds the logical IP address for a machine that knows only its physical address.[31]

Review Questions

  1. A link-local address is an Internet Protocol address that is _____.
    A link-local address is an Internet Protocol address that is intended only for communications within the segment of a local network (a link) or a point-to-point connection that a host is connected to.
  2. Routers _____ packets with link-local addresses.
    Routers do not forward packets with link-local addresses.
  3. Link-local addresses for IPv4 are defined in the address block _____.
    Link-local addresses for IPv4 are defined in the address block 169.254.0.0/16.
  4. Link-local addresses for IPv6 are defined with the prefix _____.
    Link-local addresses for IPv6 are defined with the prefix fe80::/64.
  5. Unlike _____, _____ requires a link-local address to be assigned to every network interface on which the _____ protocol is enabled, even when one or more routable addresses are also assigned.
    Unlike IPv4, IPv6 requires a link-local address to be assigned to every network interface on which the IPv6 protocol is enabled, even when one or more routable addresses are also assigned.
  6. The IPv6 link-local address is required for sublayer operations of _____.
    The IPv6 link-local address is required for sublayer operations of the Neighbor Discovery Protocol (NDP) and DHCPv6.
  7. The Bootstrap Protocol, or BOOTP, is a network protocol used by a network client to _____.
    The Bootstrap Protocol, or BOOTP, is a network protocol used by a network client to obtain an IP address from a configuration server.
  8. The Dynamic Host Configuration Protocol (DHCP) is a more advanced protocol for the same purpose as _____ and has superseded the use of _____. DHCP is an extension of _____ and uses the same datagram format.
    The Dynamic Host Configuration Protocol (DHCP) is a more advanced protocol for the same purpose as BOOTP and has superseded the use of BOOTP. DHCP is an extension of BOOTP and uses the same datagram format.
  9. Most DHCP servers also function as _____ servers.
    Most DHCP servers also function as BOOTP servers.
  10. The BOOTP protocol replaced _____.
    The BOOTP protocol replaced the Reverse Address Resolution Protocol (RARP).
  11. BOOTP, and therefore DHCP, supports the use of a relay agent, which _____.
    BOOTP, and therefore DHCP, supports the use of a relay agent, which allows BOOTP packets to be forwarded from the local network so that one central BOOTP server can serve hosts on many subnets.
  12. The Dynamic Host Configuration Protocol (DHCP) is a network protocol that is used to _____.
    The Dynamic Host Configuration Protocol (DHCP) is a network protocol that is used to configure network devices so that they can communicate on an IP network.
  13. DHCP servers maintain _____.
    DHCP servers maintain a database of available IP addresses and configuration information.
  14. Network links without a DHCP server can use _____ to receive messages from DHCP clients and forward them to DHCP servers.
    Network links without a DHCP server can use DHCP relay agents to receive messages from DHCP clients and forward them to DHCP servers.
  15. DHCP servers typically grant IP addresses to clients only for _____. DHCP clients are responsible for _____, and must _____.
    DHCP servers typically grant IP addresses to clients only for a limited interval. DHCP clients are responsible for renewing their IP address before that interval has expired, and must stop using the address once the interval has expired, if they have not been able to renew it.
  16. By default, clients attempt to renew their lease using _____ traffic starting at one half of lease time, also known as _____ time (T1).
    By default, clients attempt to renew their lease using unicast (directed) traffic starting at one half of lease time, also known as renewal time (T1).
  17. By default, clients attempt to renew their lease using _____ traffic starting at 87.5% of lease time, also known as _____ time (T2).
    By default, clients attempt to renew their lease using broadcast traffic starting at 87.5% of lease time, also known as rebinding time (T2).
  18. DHCP servers assign addresses through either _____.
    DHCP servers assign addresses through either dynamic or automatic allocation, or through static allocation (address reservations).
  19. DHCPv4 operations fall into four basic phases: _____. These points are often abbreviated as _____.
    DHCPv4 operations fall into four basic phases: IP discovery, IP lease offer, IP request, and IP lease acknowledgement. These points are often abbreviated as DORA (Discovery, Offer, Request, Acknowledgement).
  20. DHCPv4 options provided to clients include _____.
    DHCPv4 options provided to clients include subnet mask, router (default gateway), domain name server, domain name, NetBIOS name servers (WINS), lease time, renewal time (T1), rebinding time (T2), and others.
  21. The base DHCP protocol does not include any mechanism for authentication. Because of this, it is vulnerable to a variety of attacks including _____.
    The base DHCP protocol does not include any mechanism for authentication. Because of this, it is vulnerable to a variety of attacks including unauthorized servers, unauthorized clients, and address exhaustion attacks from malicious clients.
  22. DHCPv6 operations are similar to DHCPv4, but are described as _____. Renewals are processed with _____.
    DHCPv6 operations are similar to DHCPv4, but are described as Solicit, Advertise, Request, and Reply. Renewals are processed with Renew and Reply.
  23. DHCPv6-PD prefix delegation is used to _____.
    DHCPv6-PD prefix delegation is used to assign a network address prefix to a user site, configuring the user's router with the prefix to be used for each LAN.

Assessments

See Also

References

  Type classification: this is a lesson resource.
  Completion status: this resource is considered to be complete.

A link-local address is an Internet Protocol address that is intended only for communications within the segment of a local network (a link) or a point-to-point connection that a host is connected to. These activities will show you how to view and test link-local addresses.

Readings

Activities

See Also

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Dynamic Host Configuration Protocol (DHCP) traffic.

Readings

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture DHCP Traffic

To capture DHCP traffic:

  1. Start a Wireshark capture.
  2. Open a command prompt.
  3. Type ipconfig /renew and press Enter.
  4. Type ipconfig /release and press Enter.
  5. Type ipconfig /renew and press Enter.
  6. Close the command prompt.
  7. Stop the Wireshark capture.

Activity 2 - Analyze DHCP Request Traffic

To analyze DHCP Request (lease renewal) traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. To view only DHCP traffic, type udp.port == 68 (lower case) in the Filter box and press Enter.
  2. In the top Wireshark packet list pane, select the first DHCP packet, labeled DHCP Request.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
  4. Expand Ethernet II to view Ethernet details.
  5. Observe the Destination and Source fields. The destination should be your DHCP server's MAC address and the source should be your MAC address. You can use ipconfig /all and arp -a to confirm.
  6. Expand Internet Protocol Version 4 to view IP details.
  7. Observe the Source address. Notice that the source address is your IP address.
  8. Observe the Destination address. Notice that the destination address is the IP address of the DHCP server.
  9. Expand User Datagram Protocol to view UDP details.
  10. Observe the Source port. Notice that it is bootpc (68), the BOOTP client port.
  11. Observe the Destination port. Notice that it is bootps (67), the BOOTP server port.
  12. Expand Bootstrap Protocol to view BOOTP details.
  13. Observe the DHCP Message Type. Notice that it is a Request (3).
  14. Observe the Client IP address, Client MAC address, and DHCP option fields. This is the request to the DHCP server.

Activity 3 - Analyze DHCP ACK Traffic

To analyze DHCP ACK (server acknowledgement) traffic:

  1. In the top Wireshark packet list pane, select the second DHCP packet, labeled DHCP ACK.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be your MAC address and the source should be your DHCP server's MAC address.
  5. Expand Internet Protocol Version 4 to view IP details.
  6. Observe the Source address. Notice that the source address is the DHCP server IP address.
  7. Observe the Destination address. Notice that the destination address is your IP address.
  8. Expand User Datagram Protocol to view UDP details.
  9. Observe the Source port. Notice that it is bootps (67), the BOOTP server port.
  10. Observe the Destination port. Notice that it is bootpc (68), the BOOTP client port.
  11. Expand Bootstrap Protocol to view BOOTP details.
  12. Observe the DHCP Message Type. Notice that it is an ACK (5).
  13. Observe the Client IP address and Client MAC address fields. This is the acknowledgement from the DHCP server.
  14. Observe the DHCP options and expand to view the details for IP Address Lease Time, Subnet Mask, Router (Default Gateway), Domain Name Server, and Domain Name, as well as any other options if included.

Activity 4 - Analyze DHCP Release Traffic

To analyze DHCP Release traffic:

  1. In the top Wireshark packet list pane, select the third DHCP packet, labeled DHCP Release.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be your DHCP server's MAC address and the source should be your MAC address. You can use ipconfig /all and arp -a to confirm.
  5. Expand Internet Protocol Version 4 to view IP details.
  6. Observe the Source address. Notice that the source address is your IP address.
  7. Observe the Destination address. Notice that the destination address is the IP address of the DHCP server.
  8. Expand User Datagram Protocol to view UDP details.
  9. Observe the Source port. Notice that it is bootpc (68), the BOOTP client port.
  10. Observe the Destination port. Notice that it is bootps (67), the BOOTP server port.
  11. Expand Bootstrap Protocol to view BOOTP details.
  12. Observe the DHCP Message Type. Notice that it is a Release (7).
  13. Observe the Client IP address and Client MAC address fields. This is the address that will be released on the DHCP server.

Activity 5 - Analyze DHCP Discover Traffic

To analyze DHCP Discover (lease request) traffic:

  1. In the top Wireshark packet list pane, select the fourth DHCP packet, labeled DHCP Discover.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be the broadcast address ff:ff:ff:ff:ff:ff and the source should be your MAC address. When the client doesn't have an IP address or server information, it has to broadcast to discover a DHCP server.
  5. Expand Internet Protocol Version 4 to view IP details.
  6. Observe the Source address. Notice that the source address is 0.0.0.0, indicating no current IP address.
  7. Observe the Destination address. Notice that the destination address is 255.255.255.255, the broadcast IP address.
  8. Expand User Datagram Protocol to view UDP details.
  9. Observe the Source port. Notice that it is bootpc (68), the BOOTP client port.
  10. Observe the Destination port. Notice that it is bootps (67), the BOOTP server port.
  11. Expand Bootstrap Protocol to view BOOTP details.
  12. Observe the DHCP Message Type. Notice that it is a Discover (1).
  13. Observe the Client IP address, Client MAC address, and DHCP option fields. This is the request to the DHCP server.

Activity 6 - Analyze DHCP Offer Traffic

To analyze DHCP Offer (server offer) traffic:

  1. In the top Wireshark packet list pane, select the fifth DHCP packet, labeled DHCP Offer.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be your MAC address and the source should be your DHCP server's MAC address.
  5. Expand Internet Protocol Version 4 to view IP details.
  6. Observe the Source address. Notice that the source address is the DHCP server's IP address.
  7. Observe the Destination address. Notice that the destination address is the broadcast address 255.255.255.255.
  8. Expand User Datagram Protocol to view UDP details.
  9. Observe the Source port. Notice that it is bootps (67), the BOOTP server port.
  10. Observe the Destination port. Notice that it is bootpc (68), the BOOTP client port.
  11. Expand Bootstrap Protocol to view BOOTP details.
  12. Observe the DHCP Message Type. Notice that it is an Offer (2).
  13. Observe the Client IP address and Client MAC address fields. This is the offer from the DHCP server.
  14. Observe the DHCP options and expand to view the details for IP Address Lease Time, Subnet Mask, Router (Default Gateway), Domain Name Server, and Domain Name, as well as any other options if included.

Activity 7 - Analyze DHCP Request Traffic

To analyze DHCP Request (lease request) traffic:

  1. In the top Wireshark packet list pane, select the sixth DHCP packet, labeled DHCP Request.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be the broadcast address ff:ff:ff:ff:ff:ff and the source should be your MAC address. When the client doesn't have an IP address or server information, it has to broadcast to request an address lease.
  5. Expand Internet Protocol Version 4 to view IP details.
  6. Observe the Source address. Notice that the source address is 0.0.0.0, indicating no current IP address.
  7. Observe the Destination address. Notice that the destination address is 255.255.255.255, the broadcast IP address.
  8. Expand User Datagram Protocol to view UDP details.
  9. Observe the Source port. Notice that it is bootpc (68), the BOOTP client port.
  10. Observe the Destination port. Notice that it is bootps (67), the BOOTP server port.
  11. Expand Bootstrap Protocol to view BOOTP details.
  12. Observe the DHCP Message Type. Notice that it is a Request (3).
  13. Observe the Client IP address, Client MAC address, and DHCP option fields. This is the request to the DHCP server.

Activity 8 - Analyze DHCP ACK Traffic

To analyze DHCP ACK (server acknowledgement) traffic:

  1. In the top Wireshark packet list pane, select the seventh DHCP packet, labeled DHCP ACK.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be your MAC address and the source should be your DHCP server's MAC address.
  5. Expand Internet Protocol Version 4 to view IP details.
  6. Observe the Source address. Notice that the source address is the DHCP server IP address.
  7. Observe the Destination address. Notice that the destination address is the broadcast address 255.255.255.255.
  8. Expand User Datagram Protocol to view UDP details.
  9. Observe the Source port. Notice that it is bootps (67), the BOOTP server port.
  10. Observe the Destination port. Notice that it is bootpc (68), the BOOTP client port.
  11. Expand Bootstrap Protocol to view BOOTP details.
  12. Observe the DHCP Message Type. Notice that it is an ACK (5).
  13. Observe the Client IP address and Client MAC address fields. This is the acknowledgement from the DHCP server.
  14. Observe the DHCP options and expand to view the details for IP Address Lease Time, Subnet Mask, Router (Default Gateway), Domain Name Server, and Domain Name, as well as any other options if included.
  15. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
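
The seven DHCP messages that Activities 2 to 8 walk through in Wireshark, decoded field by field in code. This is an added Python example, not part of the course materials: the packets are constructed in the script rather than captured (made-up client MAC 00:11:22:33:44:55, a server at 192.0.2.1 leasing 192.0.2.50, both from the documentation address range), and it covers only the UDP payload, so the Ethernet and IP addresses you compare in the activities are not modelled. The parser decodes the fixed BOOTP header, the magic cookie and the type/length/value options, and reads the same options Activities 3 and 6 have you expand (lease time, subnet mask, router, DNS server, domain name). Because DHCP has no authentication, the last function lists any Server Identifier seen in a reply that is not on an allow-list, which is the simplest check for an unauthorized DHCP server on the segment.

```python
"""Decode DHCPv4 (BOOTP) payloads field by field, the way Wireshark's Bootstrap
Protocol pane shows them, over a constructed exchange in the order of Activities 2 to 8."""
import socket
import struct

# Option 53 values as Wireshark labels them (Discover (1), Offer (2), Request (3), ACK (5), ...)
MESSAGE_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 4: "Decline",
                 5: "ACK", 6: "NAK", 7: "Release", 8: "Inform"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # follows the 236-byte BOOTP header
# Options Activities 3 and 6 have you expand, plus the Server Identifier (54)
DECODERS = {
    54: ("server_id", socket.inet_ntoa),
    51: ("lease_time", lambda v: struct.unpack("!I", v)[0]),
    1: ("subnet_mask", socket.inet_ntoa),
    3: ("router", lambda v: socket.inet_ntoa(v[:4])),
    6: ("dns", lambda v: [socket.inet_ntoa(v[i:i + 4]) for i in range(0, len(v), 4)]),
    15: ("domain_name", lambda v: v.decode("ascii")),
}


def parse_options(data):
    """Option area: 1-byte code, 1-byte length, value; code 0 pads, code 255 ends."""
    options, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    return options


def parse_dhcp(payload):
    """Decode the fixed BOOTP header and the DHCP options of one UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    ciaddr, yiaddr, siaddr, giaddr = (socket.inet_ntoa(payload[o:o + 4]) for o in (12, 16, 20, 24))
    opts = parse_options(payload[240:])
    info = {"op": "BOOTREQUEST" if op == 1 else "BOOTREPLY", "xid": xid,
            "ciaddr": ciaddr, "yiaddr": yiaddr, "siaddr": siaddr, "giaddr": giaddr,
            "chaddr": ":".join("%02x" % b for b in payload[28:28 + hlen]),
            "message_type": MESSAGE_TYPES.get(opts.get(53, b"\x00")[0], "Unknown")}
    for code, (key, decode) in DECODERS.items():
        if code in opts:
            info[key] = decode(opts[code])
    return info


def message_types(payloads):
    """The sequence the packet list pane shows after the udp.port == 68 filter."""
    return [parse_dhcp(p)["message_type"] for p in payloads]


def unexpected_servers(payloads, allowed_servers):
    """Defensive check: Server Identifiers in BOOTREPLY messages that are not on
    the allow-list. DHCP has no authentication, so this is how a rogue server shows up."""
    seen = {parse_dhcp(p).get("server_id", "missing") for p in payloads
            if parse_dhcp(p)["op"] == "BOOTREPLY"}
    return sorted(seen - set(allowed_servers))


# --- Constructed sample exchange (not captured traffic) ---------------------
def build(op, xid, chaddr, msg_type, ciaddr="0.0.0.0", yiaddr="0.0.0.0", extra=()):
    header = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)
    header += socket.inet_aton(ciaddr) + socket.inet_aton(yiaddr) + bytes(8)  # siaddr, giaddr
    header += chaddr.ljust(16, b"\x00") + bytes(192)                          # chaddr, sname, file
    options = b"\x35\x01" + bytes([msg_type])                                 # option 53
    for code, value in extra:
        options += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + options + b"\xff"

CLIENT_MAC = bytes.fromhex("001122334455")          # made-up client MAC
SERVER_IP, LEASED_IP = "192.0.2.1", "192.0.2.50"   # documentation-range addresses
SERVER_ID = (54, socket.inet_aton(SERVER_IP))
LEASE_OPTIONS = [SERVER_ID, (51, struct.pack("!I", 86400)), (1, socket.inet_aton("255.255.255.0")),
                 (3, socket.inet_aton(SERVER_IP)), (6, socket.inet_aton(SERVER_IP)), (15, b"example.test")]
EXCHANGE = [
    build(1, 0x3903F326, CLIENT_MAC, 3, ciaddr=LEASED_IP),                                         # Request (renewal)
    build(2, 0x3903F326, CLIENT_MAC, 5, ciaddr=LEASED_IP, yiaddr=LEASED_IP, extra=LEASE_OPTIONS),  # ACK
    build(1, 0x3903F327, CLIENT_MAC, 7, ciaddr=LEASED_IP, extra=[SERVER_ID]),                      # Release
    build(1, 0x3903F328, CLIENT_MAC, 1),                                                           # Discover
    build(2, 0x3903F328, CLIENT_MAC, 2, yiaddr=LEASED_IP, extra=LEASE_OPTIONS),                    # Offer
    build(1, 0x3903F328, CLIENT_MAC, 3, extra=[(50, socket.inet_aton(LEASED_IP)), SERVER_ID]),     # Request
    build(2, 0x3903F328, CLIENT_MAC, 5, yiaddr=LEASED_IP, extra=LEASE_OPTIONS),                    # ACK
]

if __name__ == "__main__":
    for p in EXCHANGE:
        print(parse_dhcp(p))
```

Running the script prints one dictionary per message; compare its keys with the fields you expanded in the packet details pane. The Discover and the broadcast Request carry ciaddr 0.0.0.0, the renewal Request and the Release carry the leased address, and the Offer and ACK carry it in yiaddr together with the lease options.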

References

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze DHCPv6 traffic.

Readings

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture DHCPv6 Traffic

To capture DHCPv6 traffic:

  1. Start a Wireshark capture.
  2. Open a command prompt.
  3. Type ipconfig /renew6 and press Enter.
  4. Type ipconfig /release6 and press Enter.
  5. Type ipconfig /renew6 and press Enter.
  6. Close the command prompt.
  7. Stop the Wireshark capture.

Activity 2 - Analyze DHCPv6 Renew Traffic

To analyze DHCPv6 Renew traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. To view only DHCPv6 traffic, type dhcpv6 (lower case) in the Filter box and press Enter.
  2. In the top Wireshark packet list pane, select the first DHCPv6 packet, labeled DHCPv6 Renew.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / User Datagram Protocol / DHCPv6 frame.
  4. Expand Ethernet II to view Ethernet details.
  5. Observe the Destination and Source fields. The destination should be the DHCPv6 multicast MAC address 33:33:00:01:00:02 and the source should be your MAC address. You can use ipconfig /all and netsh interface ipv6 show neighbors to confirm.
  6. Expand Internet Protocol Version 6 to view IPv6 details.
  7. Observe the Source address. Notice that the source address is your link-local IPv6 address.
  8. Observe the Destination address. Notice that the destination address is the DHCPv6 multicast address ff02::1:2.
  9. Expand User Datagram Protocol to view UDP details.
  10. Observe the Source port. Notice that it is dhcpv6-client (546).
  11. Observe the Destination port. Notice that it is dhcpv6-server (547).
  12. Expand DHCPv6 to view DHCPv6 details.
  13. Observe the DHCPv6 Message Type. Notice that it is a Renew (5).
  14. Observe the Client Identifier and Server Identifier fields.
  15. Expand Option Request to view option details.
  16. Observe the requested options.

Activity 3 - Analyze DHCPv6 Reply Traffic

To analyze DHCPv6 Reply traffic:

  1. In the top Wireshark packet list pane, select the second DHCPv6 packet, labeled DHCPv6 Reply.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / User Datagram Protocol / DHCPv6 frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be your MAC address and the source should be your DHCPv6 server's MAC address.
  5. Expand Internet Protocol Version 6 to view IPv6 details.
  6. Observe the Source address. Notice that the source address is the DHCPv6 server IPv6 address.
  7. Observe the Destination address. Notice that the destination address is your link-local IPv6 address.
  8. Expand User Datagram Protocol to view UDP details.
  9. Observe the Source port. Notice that it is a dynamic port.
  10. Observe the Destination port. Notice that it is dhcpv6-client (546).
  11. Expand DHCPv6 to view DHCPv6 details.
  12. Observe the DHCPv6 Message Type. Notice that it is a Reply (7).
  13. Expand Client Identifier, Server Identifier, and Identity Association to view Reply details.
  14. Observe the MAC addresses, IPv6 addresses, and lease time, as well as any options if included.

Activity 4 - Analyze DHCPv6 Release Traffic

To analyze DHCPv6 Release traffic:

  1. In the top Wireshark packet list pane, select the third DHCPv6 packet, labeled DHCPv6 Release.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / User Datagram Protocol / DHCPv6 frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be the DHCPv6 multicast MAC address 33:33:00:01:00:02 and the source should be your MAC address.
  5. Expand Internet Protocol Version 6 to view IPv6 details.
  6. Observe the Source address. Notice that the source address is your link-local IPv6 address.
  7. Observe the Destination address. Notice that the destination address is the DHCPv6 multicast address ff02::1:2.
  8. Expand User Datagram Protocol to view UDP details.
  9. Observe the Source port. Notice that it is dhcpv6-client (546).
  10. Observe the Destination port. Notice that it is dhcpv6-server (547).
  11. Expand DHCPv6 to view DHCPv6 details.
  12. Observe the DHCPv6 Message Type. Notice that it is a Release (8).
  13. Expand Client Identifier, Server Identifier, and Identity Association to view Release details.
  14. Observe the MAC addresses, IPv6 addresses, and lease time, as well as any options if included. This is the address that will be released on the DHCPv6 server.

Activity 5 - Analyze DHCPv6 Reply Traffic

To analyze DHCPv6 Reply traffic:

  1. In the top Wireshark packet list pane, select the second DHCPv6 packet, labeled DHCPv6 Reply.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / User Datagram Protocol / DHCPv6 frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be your MAC address and the source should be your DHCPv6 server's MAC address.
  5. Expand Internet Protocol Version 6 to view IPv6 details.
  6. Observe the Source address. Notice that the source address is the DHCPv6 server IPv6 address.
  7. Observe the Destination address. Notice that the destination address is your link-local IPv6 address.
  8. Expand User Datagram Protocol to view UDP details.
  9. Observe the Source port. Notice that it is a dynamic port.
  10. Observe the Destination port. Notice that it is dhcpv6-client (546).
  11. Expand DHCPv6 to view DHCPv6 details.
  12. Observe the DHCPv6 Message Type. Notice that it is a Reply (7).
  13. Expand Client Identifier and Server Identifier to view Reply details.
  14. Observe the MAC addresses and IPv6 addresses. Notice that there is no Identity Association in reply to an address release.

Activity 6 - Analyze DHCPv6 Solicit Traffic

To analyze DHCPv6 Solicit traffic:

  1. In the top Wireshark packet list pane, select the fifth DHCPv6 packet, labeled DHCPv6 Solicit.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / User Datagram Protocol / DHCPv6 frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be the DHCPv6 multicast MAC address 33:33:00:01:00:02 and the source should be your MAC address.
  5. Expand Internet Protocol Version 6 to view IPv6 details.
  6. Observe the Source address. Notice that the source address is your link-local IPv6 address.
  7. Observe the Destination address. Notice that the destination address is the DHCPv6 multicast address ff02::1:2.
  8. Expand User Datagram Protocol to view UDP details.
  9. Observe the Source port. Notice that it is dhcpv6-client (546).
  10. Observe the Destination port. Notice that it is dhcpv6-server (547).
  11. Expand DHCPv6 to view DHCPv6 details.
  12. Observe the DHCPv6 Message Type. Notice that it is a Solicit (1).
  13. Expand Client Identifier, Identity Association, and Option Request to view Solicit details.
  14. Observe the MAC address, as well as any options if included.

Activity 7 - Analyze DHCPv6 Advertise Traffic

To analyze DHCPv6 Advertise traffic:

  1. In the top Wireshark packet list pane, select the sixth DHCPv6 packet, labeled DHCPv6 Advertise.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / User Datagram Protocol / DHCPv6 frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be your MAC address and the source should be your DHCPv6 server's MAC address.
  5. Expand Internet Protocol Version 6 to view IPv6 details.
  6. Observe the Source address. Notice that the source address is the DHCPv6 server IPv6 address.
  7. Observe the Destination address. Notice that the destination address is your link-local IPv6 address.
  8. Expand User Datagram Protocol to view UDP details.
  9. Observe the Source port. Notice that it is a dynamic port.
  10. Observe the Destination port. Notice that it is dhcpv6-client (546).
  11. Expand DHCPv6 to view DHCPv6 details.
  12. Observe the DHCPv6 Message Type. Notice that it is an Advertise (2).
  13. Expand Client Identifier, Server Identifier, and Identity Association to view Advertise details.
  14. Observe the MAC addresses, IPv6 addresses, and lease time, as well as any options if included.

Activity 8 - Analyze DHCPv6 Request Traffic

To analyze DHCPv6 Request traffic:

  1. In the top Wireshark packet list pane, select the seventh DHCPv6 packet, labeled DHCPv6 Request.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / User Datagram Protocol / DHCPv6 frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be the DHCPv6 multicast MAC address 33:33:00:01:00:02 and the source should be your MAC address.
  5. Expand Internet Protocol Version 6 to view IPv6 details.
  6. Observe the Source address. Notice that the source address is your link-local IPv6 address.
  7. Observe the Destination address. Notice that the destination address is the DHCPv6 multicast address ff02::1:2.
  8. Expand User Datagram Protocol to view UDP details.
  9. Observe the Source port. Notice that it is dhcpv6-client (546).
  10. Observe the Destination port. Notice that it is dhcpv6-server (547).
  11. Expand DHCPv6 to view DHCPv6 details.
  12. Observe the DHCPv6 Message Type. Notice that it is a Request (3).
  13. Expand Client Identifier, Identity Association, and Option Request to view Request details.
  14. Observe the MAC address, as well as any options if included.

Activity 9 - Analyze DHCPv6 Reply Traffic

To analyze DHCPv6 Reply traffic:

  1. In the top Wireshark packet list pane, select the eighth DHCPv6 packet, labeled DHCPv6 Reply.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / User Datagram Protocol / DHCPv6 frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be your MAC address and the source should be your DHCPv6 server's MAC address.
  5. Expand Internet Protocol Version 6 to view IPv6 details.
  6. Observe the Source address. Notice that the source address is the DHCPv6 server IPv6 address.
  7. Observe the Destination address. Notice that the destination address is your link-local IPv6 address.
  8. Expand User Datagram Protocol to view UDP details.
  9. Observe the Source port. Notice that it is a dynamic port.
  10. Observe the Destination port. Notice that it is dhcpv6-client (546).
  11. Expand DHCPv6 to view DHCPv6 details.
  12. Observe the DHCPv6 Message Type. Notice that it is a Reply (7).
  13. Expand Client Identifier, Server Identifier, and Identity Association to view Reply details.
  14. Observe the MAC addresses, IPv6 addresses, and lease time, as well as any options if included.
  15. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
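
The eight DHCPv6 messages from Activities 2 to 9, decoded in code so the structure behind the Wireshark DHCPv6 pane is visible: a 1-byte message type, a 3-byte transaction ID, then options with 2-byte codes and lengths (Client Identifier, Server Identifier, Identity Association, Option Request). This is an added Python example, not part of the course materials, and the messages are constructed rather than captured: the DUIDs are DUID-LL values wrapping made-up MAC addresses, the leased address 2001:db8::50 is from the documentation prefix, and the UDP/IPv6 layers (ports 546/547, ff02::1:2) are not modelled. The decoder shows the point Activity 5 makes, that the Reply to a Release carries no Identity Association, and groups messages by transaction ID, which is how a Request and its Reply are paired in a capture.

```python
"""Decode DHCPv6 messages field by field, as Wireshark's DHCPv6 pane shows them,
over a constructed eight-message exchange in the order of Activities 2 to 9."""
import ipaddress
import struct

# msg-type values as Wireshark labels them (Solicit (1), Advertise (2), Request (3), Renew (5), ...)
MESSAGE_TYPES = {1: "Solicit", 2: "Advertise", 3: "Request", 4: "Confirm", 5: "Renew",
                 6: "Rebind", 7: "Reply", 8: "Release", 9: "Decline", 10: "Reconfigure",
                 11: "Information-request"}
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_IAADDR, OPT_ORO = 1, 2, 3, 5, 6


def parse_options(data):
    """DHCPv6 options are TLVs with a 2-byte code and a 2-byte length; an option
    may repeat, so values are collected in lists keyed by code."""
    options, i = {}, 0
    while i + 4 <= len(data):
        code, length = struct.unpack("!HH", data[i:i + 4])
        value = data[i + 4:i + 4 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options.setdefault(code, []).append(value)
        i += 4 + length
    if i != len(data):
        raise ValueError("trailing bytes after last option")
    return options


def parse_ia_na(value):
    """Identity Association for Non-temporary Addresses: IAID, T1, T2, then
    IA Address sub-options carrying the address and its lifetimes."""
    iaid, t1, t2 = struct.unpack("!III", value[:12])
    addresses = []
    for sub in parse_options(value[12:]).get(OPT_IAADDR, []):
        preferred, valid = struct.unpack("!II", sub[16:24])
        addresses.append({"address": str(ipaddress.IPv6Address(sub[:16])),
                          "preferred": preferred, "valid": valid})
    return {"iaid": iaid, "t1": t1, "t2": t2, "addresses": addresses}


def duid_mac(duid):
    """For DUID-LLT (type 1) and DUID-LL (type 3) the link-layer address is the tail."""
    duid_type = struct.unpack("!H", duid[:2])[0]
    return ":".join("%02x" % b for b in duid[-6:]) if duid_type in (1, 3) else ""


def parse_dhcpv6(payload):
    """Decode msg-type, the 3-byte transaction-id and the options of one UDP payload."""
    opts = parse_options(payload[4:])
    info = {"message_type": MESSAGE_TYPES.get(payload[0], "Unknown"),
            "xid": int.from_bytes(payload[1:4], "big")}
    if OPT_CLIENTID in opts:
        info["client_mac"] = duid_mac(opts[OPT_CLIENTID][0])
    if OPT_SERVERID in opts:
        info["server_duid"] = opts[OPT_SERVERID][0].hex()
    if OPT_IA_NA in opts:
        info["ia_na"] = parse_ia_na(opts[OPT_IA_NA][0])
    if OPT_ORO in opts:
        oro = opts[OPT_ORO][0]
        info["requested_options"] = list(struct.unpack("!%dH" % (len(oro) // 2), oro))
    return info


def transactions(payloads):
    """Group message types by transaction-id, the way a Request and its Reply pair up."""
    groups = {}
    for p in payloads:
        info = parse_dhcpv6(p)
        groups.setdefault(info["xid"], []).append(info["message_type"])
    return groups


# --- Constructed sample exchange (not captured traffic) ---------------------
def opt(code, value):
    return struct.pack("!HH", code, len(value)) + value

def build(msg_type, xid, *options):
    return bytes([msg_type]) + xid.to_bytes(3, "big") + b"".join(options)

def ia_na(iaid, address=None, t1=3600, t2=5400):
    body = struct.pack("!III", iaid, t1, t2)
    if address:   # the Solicit carries an empty IA_NA; the other messages carry the address
        body += opt(OPT_IAADDR, ipaddress.IPv6Address(address).packed + struct.pack("!II", 7200, 86400))
    return opt(OPT_IA_NA, body)

CLIENT_ID = opt(OPT_CLIENTID, bytes.fromhex("00030001") + bytes.fromhex("001122334455"))  # DUID-LL, made-up MAC
SERVER_ID = opt(OPT_SERVERID, bytes.fromhex("00030001") + bytes.fromhex("00aabbccddee"))  # DUID-LL, made-up MAC
ORO = opt(OPT_ORO, struct.pack("!HH", 23, 24))   # ask for DNS servers (23) and domain search list (24)
ADDR = "2001:db8::50"
EXCHANGE = [
    build(5, 0x1A2B3C, CLIENT_ID, SERVER_ID, ia_na(1, ADDR), ORO),  # Renew
    build(7, 0x1A2B3C, CLIENT_ID, SERVER_ID, ia_na(1, ADDR)),       # Reply
    build(8, 0x1A2B3D, CLIENT_ID, SERVER_ID, ia_na(1, ADDR)),       # Release
    build(7, 0x1A2B3D, CLIENT_ID, SERVER_ID),                       # Reply: no IA after a Release
    build(1, 0x1A2B3E, CLIENT_ID, ia_na(1), ORO),                   # Solicit
    build(2, 0x1A2B3E, CLIENT_ID, SERVER_ID, ia_na(1, ADDR)),       # Advertise
    build(3, 0x1A2B3F, CLIENT_ID, SERVER_ID, ia_na(1, ADDR), ORO),  # Request
    build(7, 0x1A2B3F, CLIENT_ID, SERVER_ID, ia_na(1, ADDR)),       # Reply
]

if __name__ == "__main__":
    for p in EXCHANGE:
        print(parse_dhcpv6(p))
```

Note that the client's MAC address is recovered from the DUID rather than from a dedicated field as in DHCPv4; Wireshark does the same when it shows a link-layer address under Client Identifier. A DUID of another type (for example DUID-EN) carries no MAC at all, which is why the decoder returns an empty string in that case.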

References

Lesson 12 - Name Resolution

This lesson introduces name resolution and looks at hosts files, the Domain Name System (DNS), and NetBIOS over TCP/IP (NetBT). Activities include editing the hosts file and using Wireshark to examine DNS network traffic.

Readings

  1. Wikipedia: Hosts (file)
  2. Wikipedia: Domain Name System
  3. Wikipedia: Multicast DNS
  4. Wikipedia: Link-local Multicast Name Resolution
  5. Wikipedia: NetBIOS over TCP/IP

Multimedia

  1. YouTube: An Overview of DNS - CompTIA Network+ N10-005: 1.7
  2. YouTube: DNS Records - CompTIA Network+ N10-005: 1.7
  3. YouTube: Dynamic DNS - CompTIA Network+ N10-005: 1.7
  4. YouTube: Basics of ipconfig, ping, tracert, nslookup and netstat
  5. YouTube: Using nslookup to Resolve Domain Names to IP Addresses
  6. YouTube: The Nbtstat Command - CompTIA Network+ N10-005: 4.3

Activities

  1. View the Hosts file.
  2. Edit the Hosts file.
  3. Use nslookup to display host addresses.
  4. Use nslookup to display other record types.
  5. Review the current DNS root zone settings file.
  6. Use nslookup to simulate a recursive query.
  7. Review Wireshark: DNS.
  8. Use Wireshark to capture and analyze Domain Name System (DNS) traffic.
  9. Use Wireshark to capture and analyze Link Local Multicast Name Resolution (LLMNR) traffic.
  10. Use nbtstat to display NetBIOS over TCP/IP statistics.
  11. Consider situations in which a packet analyzer might be used to troubleshoot name resolution traffic.

Lesson Summary

  • The hosts file is a computer file used in an operating system to map hostnames to IP addresses.[1]
  • The hosts file contains lines of text consisting of an IP address in the first text field followed by one or more host names.[2]
  • Comments in the hosts file are indicated by a hash character (#) in the first position of such lines.[3]
  • The location of the hosts file on Windows systems is %SystemRoot%\system32\drivers\etc\hosts.[4]
  • The hosts file may be used to define any hostname or domain name for use by the local system.[5]
  • The hosts file represents an attack vector for malicious software, because the hosts file is queried before DNS.[6]
  • The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network.[7]
  • The Domain Name System distributes the responsibility of assigning domain names and mapping those names to IP addresses. Authoritative name servers are assigned to be responsible for their particular domains, and in turn can assign other authoritative name servers for their sub-domains.[8]
  • A domain name consists of one or more parts, technically called labels, that are concatenated and delimited by dots (.).[9]
  • The hierarchy of domains within a domain name descends from right to left.[10]
  • Each label in a domain name may contain up to 63 characters. The full domain name may not exceed a total length of 253 characters.[11]
  • Common DNS record types include A (address), AAAA (IPv6 address), CNAME (canonical or alias name), MX (mail exchange), NS (name server), PTR (pointer), SOA (start of authority), and TXT (text).[12]
  • A non-recursive query is one in which the DNS server provides a record for a domain for which it is authoritative itself, or it provides a partial result without querying other servers.[13]
  • A recursive query is one for which the DNS server will fully answer the query (or give an error) by querying other name servers as needed.[14]
  • Caching DNS servers cache DNS queries and perform recursive queries to improve efficiency, reduce DNS traffic across the Internet, and increase performance in end-user applications.[15]
  • A reverse lookup is a query of the DNS for domain names when the IP address is known using the IPv4 domain in-addr.arpa or the IPv6 domain ip6.arpa, and reverse lookup IP addresses are specified in reverse order.[16]
  • Link Local Multicast Name Resolution (LLMNR) is a protocol based on the Domain Name System (DNS) packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link.[17]
  • LLMNR responders listen on UDP port 5355 on IPv4 address 224.0.0.252 (MAC address 01-00-5E-00-00-FC) and IPv6 address FF02::1:3 (MAC address 33-33-00-01-00-03).[18]
  • NetBIOS over TCP/IP (NBT) is a networking protocol that allows legacy computer applications relying on the NetBIOS API to be used on modern TCP/IP networks.[19]
  • NetBIOS provides three distinct services: Name service for name registration and resolution on port 137, Datagram distribution service for connectionless communication on port 138, and Session service for connection-oriented communication on port 139.[20]
  • NetBIOS is a legacy protocol used to support computers and applications that predate Windows 2000 and do not support host names. It is enabled by default, though most Windows 2000 and later networks and applications no longer require it.[21]

Key Terms

American Standard Code for Information Interchange (ASCII)
A character-encoding scheme originally based on the English alphabet.[22]
authoritative name server
A name server that gives answers that have been configured by an original source rather than answers that were obtained via a DNS query to another name server.[23]
Berkeley Internet Name Domain (BIND)
The DNS server service (daemon) included in most Unix and Unix-like operating systems.[24]
dig (domain information groper)
A network administration command-line tool for querying Domain Name System (DNS) name servers used on Unix-like systems.[25]
DNS root zone
The top-level DNS zone in a hierarchical namespace using the Domain Name System (DNS).[26]
DNS spoofing
A computer hacking attack, whereby data is introduced into a Domain Name System (DNS) name server's cache database, causing the name server to return an incorrect IP address and diverting traffic to another computer (often the attacker's).[27]
DNS zone
A portion of a domain name space using the Domain Name System (DNS) for which administrative responsibility has been delegated.[28]
DomainKeys Identified Mail (DKIM)
A method for associating a domain name to an email message, thereby allowing a person, role, or organization to claim some responsibility for the message and a recipient to validate that the message was not modified in transit.[29]
domain name registrar
An organization or commercial entity that manages the reservation of Internet domain names.[30]
Dynamic DNS (DDNS)
A method of updating, in real time, a Domain Name System (DNS) to point to a changing IP address on a network or on the Internet.[31]
Fully Qualified Domain Name (FQDN)
A domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS), including the top-level domain and the root zone.[32]
Internationalizing Domain Names in Applications (IDNA)
A mechanism for converting domain names containing non-ASCII characters to an ASCII-coded equivalent.[33]
Letters Digits Hyphen (LDH) rule
The guideline for characters allowed in a domain name, which include letters, digits, and the hyphen.[34]
NetBIOS Frames (NBF)
A non-routable transport-level data protocol most commonly used as one of the layers of Microsoft Windows networking in the 1990s.[35]
nslookup
A network administration command-line tool for querying Domain Name System (DNS) name servers used on Windows systems.[36]
Phishing
The act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity.[37]
Punycode
An instance of a general encoding syntax by which a string of Unicode characters is transformed uniquely and reversibly into a smaller, restricted character set.[38]
root name server
A name server for the Domain Name System's root zone.[39]
Sender Policy Framework (SPF)
An email validation system designed to prevent email spam by verifying sender IP addresses using the Domain Name System (DNS) and TXT records.[40]
Server Message Block (SMB)
An application-layer protocol mainly used for providing shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network, as well as providing an authenticated inter-process communication mechanism.[41]
top-level domain (TLD)
One of the domains at the highest level in the hierarchical Domain Name System of the Internet.[42]
Unicode
A computing industry standard for the consistent encoding, representation and handling of text expressed in most of the world's writing systems.[43]
Uniform resource locator (URL)
A specific character string that constitutes a reference to an Internet resource.[44]
WHOIS
A query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information.[45]
Windows Internet Name Service (WINS)
Microsoft's implementation of NetBIOS Name Service (NBNS), a name server and service for NetBIOS computer names.[46]

Review Questions

  1. The _____ file is a computer file used in an operating system to map hostnames to IP addresses.
    The hosts file is a computer file used in an operating system to map hostnames to IP addresses.
  2. The hosts file contains lines of text consisting of _____.
    The hosts file contains lines of text consisting of an IP address in the first text field followed by one or more host names.
  3. Comments in the hosts file are indicated by _____.
    Comments in the hosts file are indicated by a hash character (#) in the first position of such lines.
  4. The location of the hosts file on Windows systems is _____.
    The location of the hosts file on Windows systems is %SystemRoot%\system32\drivers\etc\hosts.
  5. The _____ file may be used to define any hostname or domain name for use by the local system.
    The hosts file may be used to define any hostname or domain name for use by the local system.
  6. The hosts file represents _____ for malicious software.
    The hosts file represents an attack vector for malicious software.
  7. The Domain Name System (DNS) is a _____ for computers, services, or any resource connected to the Internet or a private network.
    The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network.
  8. The Domain Name System _____ the responsibility of assigning domain names and mapping those names to IP addresses. _____ name servers are assigned to be responsible for their particular domains, and in turn can assign other _____ name servers for their sub-domains.
    The Domain Name System distributes the responsibility of assigning domain names and mapping those names to IP addresses. Authoritative name servers are assigned to be responsible for their particular domains, and in turn can assign other authoritative name servers for their sub-domains.
  9. A domain name consists of one or more parts, technically called _____, that are concatenated and delimited by _____.
    A domain name consists of one or more parts, technically called labels, that are concatenated and delimited by dots (.).
  10. The hierarchy of domains within a domain name descends from _____ to _____.
    The hierarchy of domains within a domain name descends from right to left.
  11. Each label in a domain name may contain up to _____ characters. The full domain name may not exceed a total length of _____ characters.
    Each label in a domain name may contain up to 63 characters. The full domain name may not exceed a total length of 253 characters.
  12. Common DNS record types include _____ (address), _____ (IPv6 address), _____ (canonical or alias name), _____ (mail exchange), _____ (name server), _____ (pointer), _____ (start of authority), and _____ (text).
    Common DNS record types include A (address), AAAA (IPv6 address), CNAME (canonical or alias name), MX (mail exchange), NS (name server), PTR (pointer), SOA (start of authority), and TXT (text).
  13. A _____ query is one in which the DNS server provides a record for a domain for which it is authoritative itself, or it provides a partial result without querying other servers.
    A non-recursive query is one in which the DNS server provides a record for a domain for which it is authoritative itself, or it provides a partial result without querying other servers.
  14. A _____ query is one for which the DNS server will fully answer the query (or give an error) by querying other name servers as needed.
    A recursive query is one for which the DNS server will fully answer the query (or give an error) by querying other name servers as needed.
  15. Caching DNS servers cache DNS queries and perform recursive queries to _____.
    Caching DNS servers cache DNS queries and perform recursive queries to improve efficiency, reduce DNS traffic across the Internet, and increase performance in end-user applications.
  16. A reverse lookup is a query of the DNS for _____ using the IPv4 domain _____ or the IPv6 domain _____, and reverse lookup IP addresses are specified in _____ order.
    A reverse lookup is a query of the DNS for domain names when the IP address is known using the IPv4 domain in-addr.arpa or the IPv6 domain ip6.arpa, and reverse lookup IP addresses are specified in reverse order.
  17. Link Local Multicast Name Resolution (LLMNR) is a protocol based on the Domain Name System (DNS) packet format that allows both IPv4 and IPv6 hosts to _____.
    Link Local Multicast Name Resolution (LLMNR) is a protocol based on the Domain Name System (DNS) packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link.
  18. LLMNR responders listen on UDP port _____ on IPv4 address _____ and IPv6 address _____.
    LLMNR responders listen on UDP port 5355 on IPv4 address 224.0.0.252 (MAC address 01-00-5E-00-00-FC) and IPv6 address FF02::1:3 (MAC address 33-33-00-01-00-03).
  19. NetBIOS over TCP/IP (NBT) is a networking protocol that allows _____.
    NetBIOS over TCP/IP (NBT) is a networking protocol that allows legacy computer applications relying on the NetBIOS API to be used on modern TCP/IP networks.
  20. NetBIOS provides three distinct services: _____, _____, and _____.
    NetBIOS provides three distinct services: Name service for name registration and resolution on port 137, Datagram distribution service for connectionless communication on port 138, and Session service for connection-oriented communication on port 139.
  21. NetBIOS is a legacy protocol used to support computers and applications that predate _____ and do not support _____.
    NetBIOS is a legacy protocol used to support computers and applications that predate Windows 2000 and do not support host names.

Assessments

See Also

References
  Type classification: this is a lesson resource.
  Completion status: this resource is considered to be complete.
  1. Wikipedia: Hosts (file)
  2. Wikipedia: Hosts (file)#File content
  3. Wikipedia: Hosts (file)#File content
  4. Wikipedia: Hosts (file)#Location in the file system
  5. Wikipedia: Hosts (file)#Extended applications
  6. Wikipedia: Hosts (file)#Security issues
  7. Wikipedia: Domain Name System
  8. Wikipedia: Domain Name System
  9. Wikipedia: Domain Name System#Domain name syntax
  10. Wikipedia: Domain Name System#Domain name syntax
  11. Wikipedia: Domain Name System#Domain name syntax
  12. Wikipedia: List of DNS record types
  13. Wikipedia: Domain Name System#DNS resolvers
  14. Wikipedia: Domain Name System#DNS resolvers
  15. Wikipedia: Domain Name System#Recursive and caching name server
  16. Wikipedia: Domain Name System#Reverse lookup
  17. Wikipedia: Link-local Multicast Name Resolution
  18. Wikipedia: Link-local Multicast Name Resolution
  19. Wikipedia: NetBIOS over TCP/IP
  20. Wikipedia: NetBIOS over TCP/IP#Services
  21. Wikipedia: NetBIOS over TCP/IP#Decreasing relevance in post-NT Client-Server Networks
  22. Wikipedia: ASCII
  23. Wikipedia: Domain Name System#Authoritative name server
  24. Wikipedia: BIND
  25. Wikipedia: Domain Information Groper
  26. Wikipedia: DNS root zone
  27. Wikipedia: DNS spoofing
  28. Wikipedia: DNS zone
  29. Wikipedia: DomainKeys Identified Mail
  30. Wikipedia: Domain name registrar
  31. Wikipedia: Dynamic DNS
  32. Wikipedia: Fully qualified domain name
  33. Wikipedia: Internationalized domain name
  34. Wikipedia: Domain Name System#Domain name syntax
  35. Wikipedia: NetBIOS Frames protocol
  36. Wikipedia: Nslookup
  37. Wikipedia: Phishing
  38. Wikipedia: Punycode
  39. Wikipedia: Root nameserver
  40. Wikipedia: Sender Policy Framework
  41. Wikipedia: Server Message Block
  42. Wikipedia: Top-level domain
  43. Wikipedia: Unicode
  44. Wikipedia: Uniform Resource Locator
  45. Wikipedia: WHOIS
  46. Wikipedia: Windows Internet Name Service

The hosts file is a plain text file used to map host names to IP addresses. On Windows, it is located in the C:\Windows\System32\drivers\etc folder. This activity will show you how to view the hosts file.

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.

View the hosts File

To view the hosts file:

  1. Open the Start menu.
  2. Select All Programs.
  3. Select Accessories.
  4. Select Notepad.
  5. In Notepad, select File then Open.
  6. Navigate to C:\Windows\System32\drivers\etc.
  7. Change the file type to open from Text Documents (*.txt) to All Files (*.*).
  8. Open the hosts file.
  9. Read the comments in the hosts file. The comments begin with a # character.
  10. Observe the host records stored in the file. At a minimum you should find a record for 127.0.0.1 localhost.
  11. Close Notepad. Do not save any changes.

Readings

References

The hosts file is a plain text file used to map host names to IP addresses. On Windows, it is located in the C:\Windows\System32\drivers\etc folder.

Note that the hosts file is owned by the SYSTEM account (NT AUTHORITY\SYSTEM) and may only be modified by an administrator.

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.

View the hosts file

To view the hosts file:

  1. Open the Start menu.
  2. In the Run box, type Notepad.exe and press Enter. Note: If you will be editing the hosts file in the next activity, you must right-click on Notepad and Run as administrator rather than press Enter.
  3. In Notepad, select File then Open.
  4. Navigate to C:\Windows\System32\drivers\etc.
  5. Change the file type to open from Text Documents (*.txt) to All Files (*.*).
  6. Open the hosts file.
  7. Read the comments in the hosts file. The comments begin with a # character.
  8. Observe the host records stored in the file. At a minimum you should find a record for 127.0.0.1 localhost.

Edit the hosts file

To edit the hosts file:

  1. Change the line 127.0.0.1 localhost to 127.0.0.1 localhost me.
  2. In Notepad, select File then Save to save the file.
  3. Open a command prompt.
  4. Type ping me and press Enter.
  5. Observe the results. The ping should be successful, because the name me is now defined as an alias for the loopback address 127.0.0.1.
  6. In Notepad, remove me from the line 127.0.0.1 localhost and then save the hosts file.
  7. In the command prompt, type ping me and press Enter.
  8. Observe the results. The ping should fail, because the name me is no longer defined as an alias for the loopback address.
  9. In Notepad, add a line of 8.8.8.8 googledns and then save the hosts file.
  10. In the command prompt, type ping googledns and press Enter.
  11. Observe the results. The ping should be successful, because the name googledns is now defined as an alias for 8.8.8.8.
  12. In Notepad, remove the line of 8.8.8.8 googledns and then save the hosts file.
  13. In the command prompt, type ping googledns and press Enter.
  14. Observe the results. The ping should fail, because the name googledns is no longer defined as an alias for 8.8.8.8.
  15. Close the command prompt and close Notepad to complete this activity.
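The hosts-file format this activity edits by hand (an address in the first field, then one or more names, with # comments), parsed and queried in code, plus a check that flags the kind of entry the review questions call an attack vector. This is an added Python example, not part of the course; the file contents are constructed inline to match the state of the file after steps 1 and 9 rather than read from the real file, and the override check is a simple heuristic that only looks at dotted domain names.

```python
"""Parse hosts-file text and resolve names the way the activity above does.

Added example, not part of the course material. The file contents below are
constructed; nothing is read from the real hosts file on disk."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample: header comments, the localhost records, and the two
# aliases added in steps 1 and 9 of the activity.
SAMPLE_HOSTS = """\
# Sample hosts file (constructed for this example).
#
# Each record is an IP address followed by one or more host names.
#
127.0.0.1       localhost me
::1             localhost
8.8.8.8         googledns      # a comment may also follow a record
"""


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each lowercase host name to the addresses listed for it.

    A record is an IP address in the first field followed by one or more
    names; a '#' starts a comment that runs to the end of the line."""
    table: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: address without a host name")
        try:
            addr = str(ipaddress.ip_address(fields[0]))  # IPv4 or IPv6
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from exc
        for name in fields[1:]:
            # Names are case-insensitive; keep every address, first one wins.
            table.setdefault(name.lower(), []).append(addr)
    return table


def resolve(table: Dict[str, List[str]], name: str) -> Optional[str]:
    """Return the first address for name, or None when the hosts file has no
    entry, in which case the resolver falls through to DNS (the 'ping should
    fail' steps above)."""
    addrs = table.get(name.lower())
    return addrs[0] if addrs else None


def suspicious_entries(table: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Heuristic integrity check for the 'attack vector' from the review
    questions: a stock hosts file only maps localhost, so a dotted domain
    name pointing at a non-loopback address deserves a look."""
    hits = []
    for name, addrs in table.items():
        if "." not in name:
            continue
        hits.extend((name, a) for a in addrs
                    if not ipaddress.ip_address(a).is_loopback)
    return sorted(hits)


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for probe in ("me", "googledns", "nothere"):
        print(f"{probe:10} -> {resolve(hosts, probe)}")
    print("suspicious:", suspicious_entries(hosts))
```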

Readings

References

Nslookup is a command-line tool used to query a Domain Name System (DNS) server to obtain an IP address mapping or other DNS records. These activities will show you how to use the nslookup command to display host addresses.

Preparation

To prepare for this activity:

  1. Start your operating system.
  2. Log in if necessary.

Activity 1 - Observe DNS Settings

To observe DNS settings:

  1. Open a command prompt.
  2. Use ipconfig /all to display DNS settings.
  3. Observe the DNS Servers address values.

Activity 2 - Display Host Addresses

To display host addresses:

  1. Type nslookup www.google.com and press Enter.
  2. Observe the server information. Notice the DNS server address matches one of the values listed for DNS Servers above.
  3. Observe the results. Notice that both IPv4 and IPv6 addresses are displayed. Google has assigned both IPv4 and IPv6 addresses to this host.
  4. Type nslookup ipv4.google.com and press Enter.
  5. Observe the results. Notice that only IPv4 addresses are displayed. Google has not assigned an IPv6 address to this host name.
  6. Type nslookup ipv6.google.com and press Enter.
  7. Observe the results. Notice that only IPv6 addresses are displayed. Google has not assigned an IPv4 address to this host name.

Activity 3 - Use a Custom DNS Server

To use a custom DNS server:

  1. Type nslookup www.google.com 8.8.8.8 and press Enter.
  2. Observe the server information. Notice the DNS server address is 8.8.8.8.
  3. Type nslookup www.google.com 8.8.4.4 and press Enter.
  4. Observe the server information. Notice the DNS server address is 8.8.4.4.
  5. Close the command prompt to complete this activity.

Readings

References

Nslookup is a command-line tool used to query a Domain Name System (DNS) server to obtain an IP address mapping or other DNS records. These activities will show you how to use the nslookup command to display other record types.

Preparation

To prepare for this activity:

  1. Start your operating system.
  2. Log in if necessary.

Activity 1 - Display Host Addresses

To display host addresses:

  1. Open a command prompt.
  2. Type nslookup google.com and press Enter.
  3. Observe the results. Notice the IP addresses listed for this host name.

Activity 2 - Display Other Record Types

To display other record types:

  1. Type nslookup -type=ns google.com and press Enter.
  2. Observe the results. Notice the name servers listed for this domain name.
  3. Type nslookup -type=soa google.com and press Enter.
  4. Observe the results. Notice the start of authority information listed for this zone.
  5. Type nslookup -type=mx google.com and press Enter.
  6. Observe the results. Notice the mail exchangers listed for this domain name.
  7. Type nslookup -type=txt google.com and press Enter.
  8. Observe the results. Notice the text records listed for this domain name.
  9. Close the command prompt to complete this activity.

Readings

References

Nslookup is a command-line tool used to query a Domain Name System (DNS) server to obtain an IP address mapping or other DNS records. These activities will show you how to use the nslookup command to simulate recursive queries.

Preparation

To prepare for this activity:

  1. Start your operating system.
  2. Log in if necessary.

Activity 1 - Perform a Recursive Query

To perform a recursive query:

  1. Open a command prompt.
  2. Type nslookup en.wikiversity.org and press Enter.
  3. Observe the results. Notice the IP address listed for this host name. Note that this is a recursive query. The following activity will simulate the queries necessary to return this address information.

Activity 2 - Simulate a Recursive Query

To simulate a recursive query:

  1. Type nslookup -norecurse -type=ns org. a.root-servers.net and press Enter. The -norecurse option forces nslookup to issue a non-recursive or iterative query. This is the type of query that DNS servers typically issue to other DNS servers.
  2. Observe the results. Notice the name servers listed for the org. domain. Select the first org. name server IP address returned.
  3. Type nslookup -norecurse -type=ns wikiversity.org. <org. name server>, where <org. name server> is the first org. name server IP address listed above. Then press Enter.
  4. Observe the results. Notice the name servers listed for the wikiversity.org. domain. Select the first wikiversity.org. name server IP address returned.
  5. Type nslookup -norecurse en.wikiversity.org. <wikiversity.org. name server>, where <wikiversity.org. name server> is the first wikiversity.org. name server IP address listed above. Then press Enter.
  6. Observe the results. Notice the IP address should match the IP address for en.wikiversity.org returned in Activity 1 above.
  7. Close the command prompt to complete this activity.
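The chain of non-recursive queries in Activity 2, simulated offline: each "server" either answers authoritatively, returns a referral with glue, or reports that the name does not exist, and the resolver walks from the root exactly as the three nslookup -norecurse commands do. This is an added Python example, not part of the course; the zone data and the addresses (documentation ranges standing in for a.root-servers.net, the org. servers and the wikiversity.org. servers) are constructed.

```python
"""Simulate the iterative (non-recursive) lookups behind Activity 2 above.

Added example, not part of the course. Zone data is constructed: addresses
from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24)
stand in for the real root, org. and wikiversity.org. name servers."""
from typing import Dict, List, Tuple

Record = Tuple[str, str]              # (type, value)
Zone = Dict[str, List[Record]]        # owner name -> records
ROOT = "198.51.100.1"                 # stands in for a.root-servers.net
ORG_NS = "192.0.2.1"                  # stands in for an org. name server
WIKIVERSITY_NS = "192.0.2.53"         # stands in for a wikiversity.org. server

# Each server is authoritative for one zone. An NS record below the apex is a
# delegation; the A record for the NS host is the glue that lets a resolver
# reach the child server without another lookup.
SERVERS: Dict[str, Dict[str, Zone]] = {
    ROOT: {".": {
        "org.": [("NS", "ns1.org-tld.example.")],
        "ns1.org-tld.example.": [("A", ORG_NS)],
    }},
    ORG_NS: {"org.": {
        "wikiversity.org.": [("NS", "ns1.wikiversity.example.")],
        "ns1.wikiversity.example.": [("A", WIKIVERSITY_NS)],
    }},
    WIKIVERSITY_NS: {"wikiversity.org.": {
        "en.wikiversity.org.": [("A", "203.0.113.10")],
    }},
}


def in_zone(name: str, zone: str) -> bool:
    return zone == "." or name == zone or name.endswith("." + zone)


def parent(name: str) -> str:
    """Strip the leftmost label: en.wikiversity.org. -> wikiversity.org. -> org. -> ."""
    return name.split(".", 1)[1] if name.count(".") > 1 else "."


def query(server: str, qname: str, qtype: str):
    """Answer one query the way 'nslookup -norecurse' sees it.

    Returns (status, records) with records as (owner, type, value):
      answer   - server is authoritative for qname and holds qtype records
      referral - server only knows a delegation for an enclosing zone and
                 returns the NS records plus glue addresses
      nxdomain - authoritative, but no such name
      refused  - server is not authoritative for any zone above qname"""
    zones = SERVERS[server]
    zone = max((z for z in zones if in_zone(qname, z)), key=len, default=None)
    if zone is None:
        return "refused", []
    data = zones[zone]
    name = qname
    while True:
        rrs = data.get(name, [])
        ns_hosts = [v for t, v in rrs if t == "NS"]
        if ns_hosts and name != zone:           # delegation point below apex
            referral = [(name, "NS", h) for h in ns_hosts]
            for h in ns_hosts:
                referral += [(h, "A", v) for t, v in data.get(h, []) if t == "A"]
            return "referral", referral
        if name == qname:
            match = [(name, t, v) for t, v in rrs if t == qtype]
            if match:
                return "answer", match
        if name == zone:
            return "nxdomain", []
        name = parent(name)


def resolve_iteratively(qname: str, qtype: str = "A", max_hops: int = 8):
    """Start at the root and follow referrals until a server answers.

    Returns (records, trail); trail is the list of (server, status) hops, i.e.
    the sequence of nslookup -norecurse commands the activity has you type."""
    server, trail = ROOT, []
    for _ in range(max_hops):
        status, records = query(server, qname, qtype)
        trail.append((server, status))
        if status != "referral":
            return (records if status == "answer" else []), trail
        # "Select the first name server IP address returned": follow the glue.
        glue = [v for _, t, v in records if t == "A"]
        if not glue:
            raise RuntimeError(f"referral from {server} carried no glue")
        server = glue[0]
    raise RuntimeError("too many referrals; possible delegation loop")


if __name__ == "__main__":
    records, trail = resolve_iteratively("en.wikiversity.org.")
    for server, status in trail:
        print(f"{server:>14}  {status}")
    print(records)
```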

Readings

References

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Domain Name System (DNS) traffic.

Readings

Multimedia

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture DNS Traffic

To capture DNS traffic:

  1. Start a Wireshark capture.
  2. Open a command prompt.
  3. Type ipconfig /flushdns and press Enter to clear the DNS cache.
  4. Type ipconfig /displaydns and press Enter to display the DNS cache.
  5. Observe the results. Notice the only records currently displayed come from the hosts file.
  6. Type nslookup en.wikiversity.org and press Enter.
  7. Observe the results. Notice there is an entry in the cache for en.wikiversity.org.
  8. Close the command prompt.
  9. Stop the Wireshark capture.

Activity 2 - Analyze DNS Query Traffic

To analyze DNS query traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. To view only DNS traffic, type udp.port == 53 (lower case) in the Filter box and press Enter.
  2. Select the DNS packet labeled Standard query A en.wikiversity.org.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Domain Name System (query) frame.
  4. Expand Ethernet II to view Ethernet details.
  5. Observe the Destination and Source fields. The destination should be either your local DNS server's MAC address or your default gateway's MAC address and the source should be your MAC address. You can use ipconfig /all and arp -a to confirm.
  6. Expand Internet Protocol Version 4 to view IP details.
  7. Observe the Source address. Notice that the source address is your IP address.
  8. Observe the Destination address. Notice that the destination address is the IP address of the DNS server.
  9. Expand User Datagram Protocol to view UDP details.
  10. Observe the Source port. Notice that it is a dynamic port selected for this DNS query.
  11. Observe the Destination port. Notice that it is domain (53), the DNS server port.
  12. Expand Domain Name System (query) to view DNS details.
  13. Expand Flags to view flags details.
  14. Observe the Recursion desired field. Notice that a recursive query is requested.
  15. Expand Queries to view query details.
  16. Observe the query for en.wikiversity.org.

Activity 3 - Analyze DNS Response Traffic

To analyze DNS response traffic:

  1. In the top Wireshark packet list pane, select the next DNS packet, labeled Standard query response CNAME wikiversity....
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Domain Name System (response) frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be your MAC address and the source should be your local DNS server's MAC address or your default gateway's MAC address.
  5. Expand Internet Protocol Version 4 to view IP details.
  6. Observe the Source address. Notice that the source address is the DNS server IP address.
  7. Observe the Destination address. Notice that the destination address is your IP address.
  8. Expand User Datagram Protocol to view UDP details.
  9. Observe the Source port. Notice that it is domain (53), the DNS server port.
  10. Observe the Destination port. Notice that it is the same dynamic port used to make the DNS query in the first packet.
  11. Expand Domain Name System (response) to view DNS details.
  12. Expand Flags to view flags details.
  13. Observe the flags. Notice that this is a recursive response.
  14. Expand Queries to view query details.
  15. Observe the query for en.wikiversity.org.
  16. Expand Answers to view answer details.
  17. Observe the CNAME and A records returned in response to this DNS query.
  18. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
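The two packets inspected in Activities 2 and 3, rebuilt in code: the query for en.wikiversity.org with the Recursion desired flag set, and a response carrying a CNAME followed by the A record for its target, decoded field by field as Wireshark's DNS tree shows them. This is an added Python example, not from the course; the response bytes are constructed (the CNAME target lb.wikiversity.org. and the address 203.0.113.10 are placeholders, not the real records), and the same parser applies to the LLMNR queries in the next activity, which reuse the DNS packet format.

```python
"""Build the DNS query from Activity 2 and decode a response like Activity 3.

Added example, not from the course. The response bytes are constructed here
(CNAME target lb.wikiversity.org. and address 203.0.113.10 are placeholders),
not captured from a real server."""
import struct
from typing import Dict, Tuple

TYPES = {1: "A", 5: "CNAME", 28: "AAAA"}
QR, RD, RA = 0x8000, 0x0100, 0x0080   # flag bits: response, recursion desired/available


def encode_name(name: str) -> bytes:
    """Length-prefixed labels ending in a zero byte; enforces the 63-character
    label and 253-character name limits from the lesson."""
    name = name.rstrip(".")
    if len(name) > 253:
        raise ValueError("name longer than 253 characters")
    out = b""
    for label in name.split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int = 1, ident: int = 0x1234) -> bytes:
    """Standard query: header with RD set and one question, nothing else."""
    header = struct.pack("!HHHHHH", ident, RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def decode_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if (length & 0xC0) == 0xC0:               # 11xxxxxx: compression pointer
            if end is None:
                end = offset + 2                  # stream resumes after the pointer
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)


def parse_message(data: bytes) -> Dict:
    """Header flags, questions and answers, roughly as Wireshark's DNS tree."""
    ident, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    msg = {"id": ident, "qr": bool(flags & QR), "rd": bool(flags & RD),
           "ra": bool(flags & RA), "rcode": flags & 0xF,
           "questions": [], "answers": []}
    off = 12
    for _ in range(qdcount):
        name, off = decode_name(data, off)
        qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
        off += 4
        msg["questions"].append((name, TYPES.get(qtype, qtype)))
    for _ in range(ancount):
        name, off = decode_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1:                            # A: four raw octets
            value = ".".join(str(b) for b in data[off:off + 4])
        elif rtype == 5:                          # CNAME: a (compressible) name
            value, _ = decode_name(data, off)
        else:
            value = data[off:off + rdlen].hex()
        msg["answers"].append((name, TYPES.get(rtype, rtype), ttl, value))
        off += rdlen
    return msg


def build_sample_response(query: bytes) -> bytes:
    """Constructed reply to build_query('en.wikiversity.org'): a CNAME followed
    by the A record for its target, with compression pointers as a real server
    would emit them (offsets are fixed by the 12-byte header + 24-byte question)."""
    ident = struct.unpack("!H", query[:2])[0]
    question = query[12:]                         # 20-byte name + type + class
    header = struct.pack("!HHHHHH", ident, QR | RD | RA, 1, 2, 0, 0)
    cname_rdata = b"\x02lb" + b"\xc0\x0f"         # "lb" + pointer to wikiversity.org. (offset 15)
    answer1 = (b"\xc0\x0c"                        # owner = QNAME at offset 12
               + struct.pack("!HHIH", 5, 1, 600, len(cname_rdata)) + cname_rdata)
    answer2 = (b"\xc0\x30"                        # owner = CNAME target at offset 48
               + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10]))
    return header + question + answer1 + answer2


if __name__ == "__main__":
    q = build_query("en.wikiversity.org")
    print(parse_message(q))
    print(parse_message(build_sample_response(q)))
```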

References

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Link-Local Multicast Name Resolution (LLMNR) traffic.

Readings

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture LLMNR Traffic

To capture LLMNR traffic:

  1. Start a Wireshark capture.
  2. Open a command prompt.
  3. Type ping <unknown>, where <unknown> is any unknown host name on your network. An unknown host name is used for this activity because names resolved by DNS will not generate LLMNR traffic.
  4. Close the command prompt.
  5. Stop the Wireshark capture.

Activity 2 - Analyze LLMNR IPv6 Traffic

To analyze LLMNR IPv6 traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. To view only LLMNR traffic, type udp.port == 5355 (lower case) in the Filter box and press Enter.
  2. Select the first LLMNR packet labeled Standard query.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / User Datagram Protocol / Link-local Multicast Name Resolution (query) frame.
  4. Expand Ethernet II to view Ethernet details.
  5. Observe the Destination and Source fields. The destination should be the LLMNR IPv6 multicast MAC address 33:33:00:01:00:03 and the source should be your MAC address. You can use ipconfig /all and netsh interface ipv6 show neighbors to confirm.
  6. Expand Internet Protocol Version 6 to view IPv6 details.
  7. Observe the Source address. Notice that the source address is your link-local IPv6 address.
  8. Observe the Destination address. Notice that the destination address is the LLMNR multicast IPv6 address ff02::1:3.
  9. Expand User Datagram Protocol to view UDP details.
  10. Observe the Source port. Notice that it is a dynamic port selected for this LLMNR query.
  11. Observe the Destination port. Notice that it is llmnr (5355).
  12. Expand Link-local Multicast Name Resolution (query) to view LLMNR details.
  13. Expand Flags to view flags details.
  14. Expand Queries to view query details.
  15. Observe the query generated.

Activity 3 - Analyze LLMNR IPv4 Traffic

To analyze LLMNR IPv4 traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. To view only LLMNR traffic, type udp.port == 5355 (lower case) in the Filter box and press Enter.
  2. Select the second LLMNR packet labeled Standard query.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Link-local Multicast Name Resolution (query) frame.
  4. Expand Ethernet II to view Ethernet details.
  5. Observe the Destination and Source fields. The destination should be the LLMNR IPv4 multicast MAC address 01:00:5e:00:00:fc and the source should be your MAC address. You can use ipconfig /all and arp -a to confirm.
  6. Expand Internet Protocol Version 4 to view IPv4 details.
  7. Observe the Source address. Notice that the source address is your IPv4 address.
  8. Observe the Destination address. Notice that the destination address is the LLMNR multicast IPv4 address 224.0.0.252.
  9. Expand User Datagram Protocol to view UDP details.
  10. Observe the Source port. Notice that it is a dynamic port selected for this LLMNR query.
  11. Observe the Destination port. Notice that it is llmnr (5355).
  12. Expand Link-local Multicast Name Resolution (query) to view LLMNR details.
  13. Expand Flags to view flags details.
  14. Expand Queries to view query details.
  15. Observe the query generated.
  16. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

References

Nbtstat is a Windows command-line tool that displays NetBIOS over TCP/IP statistics. These activities will show you how to use the nbtstat command.

Readings

Activities

References

Lesson 13 - Application Layer

This lesson introduces the Application layer and looks at a variety of application-layer protocols. Activities include using Wireshark to examine Hypertext Transfer Protocol (HTTP), HTTP Secure (HTTPS), and Simple Mail Transfer Protocol (SMTP) network traffic.
Readings

  1. Wikipedia: Application layer
  2. Wikipedia: Hypertext Transfer Protocol
  3. Wikipedia: HTTP Secure
  4. Wikipedia: Transport Layer Security
  5. Wikipedia: Simple Mail Transfer Protocol

Multimedia

  1. YouTube: Common TCP and UDP Ports - CompTIA Network+ N10-005: 1.5
  2. YouTube: Application Protocols - CompTIA Network+ N10-005: 1.6
  3. YouTube: Telnet Client and Server Demonstration in Windows Vista and XP

Activities

  1. Review Wireshark: Hyper Text Transfer Protocol (HTTP).
  2. Use Wireshark to capture and analyze Hypertext Transfer Protocol (HTTP) traffic.
  3. Review Wireshark: SSL.
  4. Use Wireshark to capture and analyze HTTP Secure (HTTPS) traffic.
  5. Review Wireshark: Simple Mail Transfer Protocol (SMTP).
  6. Use Wireshark to capture and analyze Simple Mail Transfer Protocol (SMTP) traffic.
  7. Consider situations in which a packet analyzer might be used to troubleshoot application layer traffic.
  8. Use Mozilla Thunderbird as a local email client.

Lesson Summary

  • The application layer is an abstraction layer reserved for communications protocols and methods designed for process-to-process communications across an Internet Protocol (IP) computer network.[1]
  • Application layer protocols use the underlying transport layer protocols to establish host-to-host connections.[2]
  • The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, hypermedia information systems.[3]
  • HTTP functions as a request-response protocol in the client-server computing model.[4]
  • HTTP uses TCP as its transport protocol and servers listen on port 80 by default.[5]
  • HTTP defines methods that may be performed on the desired resource. Methods include GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, CONNECT, and PATCH.[6]
  • HTTP requests include a request line, headers, an empty line, and an optional message body.[7]
  • HTTP responses include a status line, header, an empty line, and an optional message body.[8]
  • Hypertext Transfer Protocol Secure (HTTPS) is a widely used communications protocol for secure communication over a computer network, with especially wide deployment on the Internet. Technically, it is not a protocol in itself; rather, it is the result of simply layering the Hypertext Transfer Protocol (HTTP) on top of the Secure Sockets Layer / Transport Layer Security (SSL/TLS) protocol, thus adding the security capabilities of SSL/TLS to standard HTTP communications.[9]
  • HTTPS uses TCP as its transport protocol and servers listen on port 443 by default.[10]
  • Web servers supporting HTTPS connections must have a public key certificate signed by a certificate authority the web browser trusts in order to connect without a client warning.[11]
  • TLS and SSL encrypt the segments of network connections at the Application Layer for the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for confidentiality, and message authentication codes for message integrity.[12]
  • TLS handshaking includes the exchange of settings, server authentication, optional client authentication, and public key encryption of a symmetric session key.[13]
  • Simple Mail Transfer Protocol (SMTP) is an Internet standard for electronic mail (e-mail) transmission across Internet Protocol (IP) networks.[14]
  • Client applications use SMTP for sending messages to a mail server, but usually use either the Post Office Protocol (POP) or the Internet Message Access Protocol (IMAP) or a proprietary system to access their mail box accounts on a mail server.[15]
  • Client applications should use TCP port 587 to submit SMTP messages to a server. Servers use TCP port 25 to transfer SMTP messages to destination servers.[16]
  • SMTP transactions include commands for MAIL, RCPT, and DATA.[17]

Key Terms

abstraction layer
A way of hiding the implementation details of a particular set of functionality.[18]
authentication
The act of confirming the identity of a person, software program, or computer system.[19]
eavesdropping
The act of secretly listening to the private conversation of others without their consent.[20]
hypermedia
A logical extension of the term hypertext in which graphics, audio, video, plain text and hyperlinks intertwine to create a generally non-linear medium of information.[21]
HyperText Markup Language (HTML)
The main markup language for displaying web pages and other information that can be displayed in a web browser.[22]
Internet Message Access Protocol (IMAP)
An Application Layer Internet protocol that allows an e-mail client to access e-mail on a remote mail server.[23]
man-in-the-middle attack
A form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection.[24]
Post Office Protocol (POP)
An application-layer Internet standard protocol used by local e-mail clients to retrieve e-mail from a remote server over a TCP/IP connection.[25]
public-key cryptography
A cryptographic system requiring two separate keys, one of which is secret and one of which is public.[26]
stateless protocol
A communications protocol that treats each request as an independent transaction that is unrelated to any previous request so that the communication consists of independent pairs of requests and responses.[27]
symmetric-key algorithms
A class of algorithms for cryptography that use the same cryptographic keys for both encryption of plaintext and decryption of ciphertext.[28]
tampering
The deliberate altering or adulteration of information, a product, a package, or system.[29]
web cache
A mechanism for the temporary storage (caching) of web documents, such as HTML pages and images, to reduce bandwidth usage, server load, and perceived lag.[30]
web crawler
A computer program that browses the World Wide Web in a methodical, automated manner or in an orderly fashion.[31]
World Wide Web Consortium (W3C)
The main international standards organization for the World Wide Web.[32]

Review Questions

  1. The application layer is an abstraction layer reserved for communications protocols and methods designed for _____ communications across an Internet Protocol (IP) computer network.
    The application layer is an abstraction layer reserved for communications protocols and methods designed for process-to-process communications across an Internet Protocol (IP) computer network.
  2. Application layer protocols use the underlying transport layer protocols to establish _____ connections.
    Application layer protocols use the underlying transport layer protocols to establish host-to-host connections.
  3. The Hypertext Transfer Protocol (HTTP) is an application protocol for _____.
    The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, hypermedia information systems.
  4. HTTP functions as a _____ protocol in the _____ computing model.
    HTTP functions as a request-response protocol in the client-server computing model.
  5. HTTP uses _____ as its transport protocol and servers listen on port _____ by default.
    HTTP uses TCP as its transport protocol and servers listen on port 80 by default.
  6. HTTP defines methods that may be performed on the desired resource. Methods include _____.
    HTTP defines methods that may be performed on the desired resource. Methods include GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, CONNECT, and PATCH.
  7. HTTP requests include _____.
    HTTP requests include a request line, headers, an empty line, and an optional message body.
  8. HTTP responses include _____.
    HTTP responses include a status line, headers, an empty line, and an optional message body.
  9. Hypertext Transfer Protocol Secure (HTTPS) is a widely used communications protocol for secure communication over a computer network, with especially wide deployment on the Internet. Technically, it is not a protocol in itself; rather, it is _____.
    Hypertext Transfer Protocol Secure (HTTPS) is a widely used communications protocol for secure communication over a computer network, with especially wide deployment on the Internet. Technically, it is not a protocol in itself; rather, it is the result of simply layering the Hypertext Transfer Protocol (HTTP) on top of the Secure Sockets Layer / Transport Layer Security (SSL/TLS) protocol, thus adding the security capabilities of SSL/TLS to standard HTTP communications.
  10. HTTPS uses _____ as its transport protocol and servers listen on port _____ by default.
    HTTPS uses TCP as its transport protocol and servers listen on port 443 by default.
  11. Web servers supporting HTTPS connections must have a public key certificate _____.
    Web servers supporting HTTPS connections must have a public key certificate signed by a certificate authority the web browser trusts in order to connect without a client warning.
  12. TLS and SSL encrypt the segments of network connections at the Application Layer for the Transport Layer, using _____.
    TLS and SSL encrypt the segments of network connections at the Application Layer for the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for confidentiality, and message authentication codes for message integrity.
  13. TLS handshaking includes _____.
    TLS handshaking includes the exchange of settings, server authentication, optional client authentication, and public key encryption of a symmetric session key.
  14. Simple Mail Transfer Protocol (SMTP) is an Internet standard for _____.
    Simple Mail Transfer Protocol (SMTP) is an Internet standard for electronic mail (e-mail) transmission across Internet Protocol (IP) networks.
  15. Client applications use _____ for sending messages to a mail server, but usually use either _____ or _____ or a proprietary system to access their mail box accounts on a mail server.
    Client applications use SMTP for sending messages to a mail server, but usually use either the Post Office Protocol (POP) or the Internet Message Access Protocol (IMAP) or a proprietary system to access their mail box accounts on a mail server.
  16. Client applications should use TCP port _____ to submit SMTP messages to a server. Servers use TCP port _____ to transfer SMTP messages to destination servers.
    Client applications should use TCP port 587 to submit SMTP messages to a server. Servers use TCP port 25 to transfer SMTP messages to destination servers.
  17. SMTP transactions include commands for _____.
    SMTP transactions include commands for MAIL, RCPT, and DATA.

Assessments


See Also


References

  Type classification: this is a lesson resource.
  Completion status: this resource is considered to be complete.

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze HTTP (Hypertext Transfer Protocol) traffic.

Preparation


To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture HTTP Traffic


To capture HTTP traffic:

  1. Open a new web browser window or tab.
  2. Search the Internet for an http (rather than https) website.
  3. Start a Wireshark capture.
  4. Navigate to the website found in your search.
  5. Stop the Wireshark capture.

Activity 2 - Select Destination Traffic


To select destination traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. To view only HTTP traffic, type http (lower case) in the Filter box and press Enter.
  2. Select the first HTTP packet labeled GET /.
  3. Observe the destination IP address.
  4. To view all related traffic for this connection, change the filter to ip.addr == <destination>, where <destination> is the destination address of the HTTP packet.

Activity 3 - Analyze TCP Connection Traffic


To analyze TCP connection traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. The first three packets (TCP SYN, TCP SYN/ACK, TCP ACK) are the TCP three way handshake. Select the first packet.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be your default gateway's MAC address and the source should be your MAC address. You can use ipconfig /all and arp -a to confirm.
  5. Expand Internet Protocol Version 4 to view IP details.
  6. Observe the Source address. Notice that the source address is your IP address.
  7. Observe the Destination address. Notice that the destination address is the IP address of the HTTP server.
  8. Expand Transmission Control Protocol to view TCP details.
  9. Observe the Source port. Notice that it is a dynamic port selected for this HTTP connection.
  10. Observe the Destination port. Notice that it is http (80). Note that all of the packets for this connection will have matching MAC addresses, IP addresses, and port numbers.

Activity 4 - Analyze HTTP Request Traffic


To analyze HTTP request traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Select the fourth packet, which is the first HTTP packet and labeled GET /.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol / Hypertext Transfer Protocol frame. Also notice that the Ethernet II, Internet Protocol Version 4, and Transmission Control Protocol values are consistent with the TCP connection analyzed in Activity 3.
  4. Expand Hypertext Transfer Protocol to view HTTP details.
  5. Observe the GET request, Host, Connection, User-Agent, Referer, Accept, and Cookie fields. This is the information passed to the HTTP server with the GET request.
  6. Observe the traffic captured in the top Wireshark packet list pane.
  7. Select the fifth packet, labeled TCP ACK. This is the server TCP acknowledgement of receiving the GET request.

Activity 5 - Analyze HTTP Response Traffic


To analyze HTTP response traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Select the second HTTP packet, labeled 301 Moved Permanently.
  3. Observe the packet details in the middle Wireshark packet details pane.
  4. Expand Hypertext Transfer Protocol to view HTTP details.
  5. Observe the HTTP response, Server, Expires, Location, and other available information. This response indicates that the requested page has permanently moved to the location provided.
  6. Observe the traffic captured in the top Wireshark packet list pane.
  7. Select the next packet, labeled TCP ACK. This is the client TCP acknowledgement of receiving the HTTP response.

Activity 6 - Analyze HTTP Request Traffic


To analyze HTTP request traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Select the third HTTP packet, labeled GET /wiki/Wikiversity:Main_Page.
  3. Observe the packet details in the middle Wireshark packet details pane.
  4. Expand Hypertext Transfer Protocol to view HTTP details.
  5. Observe the HTTP request fields. Notice that the request is similar to the request in Activity 4 above, except that the new page location is requested.
  6. Observe the traffic captured in the top Wireshark packet list pane.
  7. Select the next packet, labeled TCP ACK. This is the server TCP acknowledgement of receiving the GET request.

Activity 7 - Analyze HTTP Response Traffic


To analyze HTTP response traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Select the next packet, labeled TCP segment of a reassembled PDU. Notice that because the server response is longer than the TCP maximum segment size (MSS), the response has been split into several TCP segments.
  3. Observe the packet details in the middle Wireshark packet details pane.
  4. Observe the packet contents in the bottom Wireshark packet bytes pane.
  5. Observe the traffic captured in the top Wireshark packet list pane. Notice that for every two TCP segments of data, there is a TCP ACK acknowledgement of receiving the HTTP response.
  6. Select the last HTTP packet, labeled HTTP 200 OK.
  7. Observe the packet details in the middle Wireshark packet details pane. Notice the Reassembled TCP Segments listed.
  8. Expand Hypertext Transfer Protocol to view HTTP details.
  9. Observe the full HTTP response to be passed to the web browser.
  10. Expand Line-based text data to observe web page content.
  11. In the web browser, right-click on the web page and view the page source. Notice that it is identical to the line-based text captured in Wireshark.
  12. Close the web browser.
  13. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
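The request, redirect and segmented response traced in Activities 4 through 7 can also be decoded in code. The following Python is an added example, not part of the course; the HTTP messages in it are constructed to resemble the captured ones, and the Content-Length based reassembly stands in for what Wireshark does when it lists Reassembled TCP Segments.

```python
"""Parse the HTTP exchange traced in Activities 4 to 7: a GET / request,
the 301 Moved Permanently redirect, and a 200 OK whose body arrives in
several TCP segments. Added example; the payloads are constructed to
resemble what Wireshark's packet bytes pane shows, not a real capture."""

# Constructed client request (one TCP segment).
CLIENT_GET_ROOT = (
    b"GET / HTTP/1.1\r\n"
    b"Host: en.wikiversity.org\r\n"
    b"Connection: keep-alive\r\n"
    b"User-Agent: ExampleBrowser/1.0\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)

# Constructed 301 response: no body, the new location is in the Location header.
SERVER_301 = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Server: example\r\n"
    b"Location: http://en.wikiversity.org/wiki/Wikiversity:Main_Page\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed 200 OK split across three TCP segments, as in Activity 7:
# no single segment holds the whole message, so the client must reassemble.
BODY = b"<html><head><title>Wikiversity</title></head><body>Main Page</body></html>"
SERVER_200_SEGMENTS = [
    b"HTTP/1.1 200 OK\r\nServer: example\r\nContent-Type: text/html\r\n"
    + b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY[:20],
    BODY[20:45],
    BODY[45:],
]


def parse_message(raw):
    """Split an HTTP/1.1 message into (start line, headers, body).
    Returns None while the empty line that ends the headers is still missing."""
    head_end = raw.find(b"\r\n\r\n")
    if head_end == -1:
        return None
    lines = raw[:head_end].decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, raw[head_end + 4:]


def parse_request(raw):
    """Request line is 'METHOD target HTTP-version'."""
    msg = parse_message(raw)
    if msg is None:
        return None
    start, headers, body = msg
    method, target, version = start.split(" ", 2)
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def parse_response(raw):
    """Status line is 'HTTP-version code reason'."""
    msg = parse_message(raw)
    if msg is None:
        return None
    start, headers, body = msg
    version, code, reason = start.split(" ", 2)
    return {"version": version, "status": int(code), "reason": reason,
            "headers": headers, "body": body}


def reassemble_response(segments):
    """Append in-order TCP payloads until Content-Length bytes of body are
    present, which is what Wireshark's 'Reassembled TCP Segments' list on
    the final HTTP 200 OK packet represents. Returns None if still short."""
    buf = b""
    for seg in segments:
        buf += seg
        resp = parse_response(buf)
        if resp is None:
            continue                       # headers not complete yet
        need = int(resp["headers"].get("content-length", "0"))
        if len(resp["body"]) >= need:
            resp["body"] = resp["body"][:need]
            return resp
    return None


def follow_exchange():
    """Replay the capture: GET / -> 301 -> GET <Location path> -> 200 OK.
    Returns (first target, redirect status, next target, final status, body)."""
    first = parse_request(CLIENT_GET_ROOT)
    redirect = parse_response(SERVER_301)
    location = redirect["headers"]["location"]
    next_target = "/" + location.split("/", 3)[3]   # strip scheme and host
    final = reassemble_response(SERVER_200_SEGMENTS)
    return (first["target"], redirect["status"], next_target,
            final["status"], final["body"])
```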

References


Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Hypertext Transfer Protocol Secure (HTTPS) traffic.

Readings


Preparation


To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture HTTPS Traffic


To capture HTTPS traffic:

  1. Open a new web browser window or tab.
  2. Start a Wireshark capture.
  3. Navigate to https://en.wikiversity.org.
  4. Stop the Wireshark capture.
  5. Close the web browser window or tab.

Activity 2 - Select Destination Traffic


To select destination traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. To view only HTTPS traffic, type ssl (lower case) in the Filter box and press Enter. In Wireshark 3.0 and later the dissector is named tls, so the filter tls shows the same packets.
  2. Select the first TLS packet labeled Client Hello.
  3. Observe the destination IP address.
  4. To view all related traffic for this connection, change the filter to ip.addr == <destination>, where <destination> is the destination address of the Client Hello packet.

Activity 3 - Analyze TCP Connection Traffic


To analyze TCP connection traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. The first three packets (TCP SYN, TCP SYN/ACK, TCP ACK) are the TCP three way handshake. Select the first packet.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be your default gateway's MAC address and the source should be your MAC address. You can use ipconfig /all and arp -a to confirm.
  5. Expand Internet Protocol Version 4 to view IP details.
  6. Observe the Source address. Notice that the source address is your IP address.
  7. Observe the Destination address. Notice that the destination address is the IP address of the HTTPS server.
  8. Expand Transmission Control Protocol to view TCP details.
  9. Observe the Source port. Notice that it is a dynamic port selected for this HTTPS connection.
  10. Observe the Destination port. Notice that it is https (443). Note that all of the packets for this connection will have matching MAC addresses, IP addresses, and port numbers.

Activity 4 - Analyze SSL/TLS Client Hello Traffic


To analyze SSL/TLS connection traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Select the first TLS packet, labeled Client Hello.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol / Secure Sockets Layer frame. Also notice that the Ethernet II, Internet Protocol Version 4, and Transmission Control Protocol values are consistent with the TCP connection analyzed in Activity 3.
  4. Expand Secure Sockets Layer, TLS, and Handshake Protocol to view SSL/TLS details.
  5. Observe the Cipher Suites and Extensions supported.
  6. Observe the traffic captured in the top Wireshark packet list pane.
  7. Select the next packet, labeled TCP ACK. This is the server TCP acknowledgement of receiving the Client Hello request.
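The Client Hello fields expanded in steps 4 and 5 can be decoded by hand from the record bytes. The following Python is an added example, not course material: it builds a constructed Client Hello (fixed random value, a short cipher suite list, server_name and supported_groups extensions) and parses it back into the fields Wireshark displays.

```python
"""Decode a TLS ClientHello record into the fields Wireshark shows under
Handshake Protocol in Activity 4: versions, random, session id, offered
cipher suites and extensions (including the server name). Added example,
not course material; the record is constructed here, not captured."""
import struct

# Name tables for a few IANA-registered values, so output reads like Wireshark.
CIPHER_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
EXTENSIONS = {0: "server_name", 10: "supported_groups", 13: "signature_algorithms",
              16: "application_layer_protocol_negotiation", 43: "supported_versions"}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def build_client_hello(server_name, suites, random_bytes=b"\x11" * 32):
    """Constructed ClientHello in the RFC 5246 layout, wrapped in one TLS record.
    The random value is fixed here only so the example is reproducible."""
    host = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host          # host_name type 0
    sni_ext = (struct.pack("!HH", 0, len(sni_entry) + 2)
               + struct.pack("!H", len(sni_entry)) + sni_entry)
    groups = struct.pack("!HH", 0x001D, 0x0017)                        # x25519, secp256r1
    groups_ext = (struct.pack("!HH", 10, len(groups) + 2)
                  + struct.pack("!H", len(groups)) + groups)
    exts = sni_ext + groups_ext
    body = (struct.pack("!H", 0x0303) + random_bytes                   # client_version 1.2
            + b"\x00"                                                  # empty session id
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00"                                              # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Walk the record header, handshake header and ClientHello body."""
    content_type, rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a Handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0

    def take(n):                      # consume n bytes of the handshake body
        nonlocal pos
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    def u16():
        return struct.unpack("!H", take(2))[0]

    version = u16()
    rnd = take(32)
    session_id = take(take(1)[0])
    suite_bytes = take(u16())
    suites = [struct.unpack("!H", suite_bytes[i:i + 2])[0]
              for i in range(0, len(suite_bytes), 2)]
    take(take(1)[0])                  # compression methods, not needed here
    ext_end = u16() + pos
    extensions, server_name = [], None
    while pos < ext_end:
        etype, elen = u16(), u16()
        data = take(elen)
        extensions.append(EXTENSIONS.get(etype, f"unknown({etype})"))
        if etype == 0:                # server_name: list_len(2) type(1) name_len(2) name
            name_len = struct.unpack("!H", data[3:5])[0]
            server_name = data[5:5 + name_len].decode()
    return {
        "record_version": VERSIONS.get(rec_version, hex(rec_version)),
        "client_version": VERSIONS.get(version, hex(version)),
        "random": rnd.hex(),
        "session_id": session_id.hex(),
        "cipher_suites": [CIPHER_SUITES.get(s, f"0x{s:04x}") for s in suites],
        "extensions": extensions,
        "server_name": server_name,
    }


# Constructed record to decode, mirroring a browser's hello to the site in Activity 1.
CLIENT_HELLO = build_client_hello("en.wikiversity.org", [0xC02B, 0xC02F, 0x009C, 0x000A])
```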

Activity 5 - Analyze SSL/TLS Server Hello Traffic


To analyze SSL/TLS Server Hello traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Select the second TLS packet, labeled Server Hello.
  3. Observe the packet details in the middle Wireshark packet details pane.
  4. Expand Secure Sockets Layer, TLS, and Handshake Protocol to view SSL/TLS details.
  5. Observe the Cipher Suites and Extensions supported.

Activity 6 - Analyze SSL/TLS Certificate Traffic


To analyze SSL/TLS Certificate traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Select the third TLS packet, labeled Certificate, Server Key Exchange, Server Hello Done.
  3. Observe the packet details in the middle Wireshark packet details pane.
  4. Expand Secure Sockets Layer, TLS, Handshake Protocol, and Certificates to view SSL/TLS details.
  5. Observe the certificate information provided.
  6. Expand TLS, Handshake Protocol, and EC Diffie-Hellman Server Params to view the public key and signature. The client uses the certificate to validate the public key and signature.
  7. Observe the traffic captured in the top Wireshark packet list pane.
  8. Select the next TCP packet, labeled TCP ACK. This is the client TCP acknowledgement of receiving the Server Hello and Certificate responses.

Activity 7 - Analyze SSL/TLS Client Key Exchange Traffic


To analyze SSL/TLS Client Key Exchange traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Select the fourth TLS packet, labeled Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message.
  3. Observe the packet details in the middle Wireshark packet details pane.
  4. Expand Secure Sockets Layer, TLS, Handshake Protocol, and Encrypted Handshake Message to view SSL/TLS details.
  5. Observe the encrypted handshake message. This encrypted handshake contains the session key that will be used to encrypt session traffic.

Activity 8 - Analyze SSL/TLS New Session Ticket Traffic


To analyze SSL/TLS New Session Ticket traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Select the TLS packet labeled New Session Ticket ....
  3. Observe the packet details in the middle Wireshark packet details pane.
  4. Expand Secure Sockets Layer, TLS, Handshake Protocol, TLS Session Ticket, and Encrypted Handshake Message to view SSL/TLS details.
  5. Observe the encrypted handshake message. This is the server confirming the encrypted session.

Activity 9 - Analyze HTTPS Encrypted Data Exchange


To analyze HTTPS encrypted data exchange:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Select the various TLS packets labeled Application Data.
  3. Observe the packet details in the middle Wireshark packet details pane.
  4. Expand Secure Sockets Layer and TLS to view SSL/TLS details.
  5. Observe the encrypted application data. Notice that the application data protocol is http.
  6. Observe the data in the bottom Wireshark packet bytes pane. Notice that the application data is encrypted.
  7. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

References


Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Simple Mail Transfer Protocol (SMTP) traffic.

Readings


Preparation


To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.
  4. Install the Telnet client.

Activity 1 - Capture SMTP Traffic


To capture SMTP traffic:

  1. Start a Wireshark capture.
  2. Open a command prompt.
  3. Type telnet gmail-smtp-in.l.google.com 25 and press Enter. If this does not work, your ISP may be blocking outbound traffic on port 25. You can try telnet smtp.gmail.com 587 instead to generate SMTP traffic and then filter on port 587 in the next activity.
  4. Observe the server response.
  5. Type helo and press Enter.
  6. Observe the server response. Note that at this point you could enter mail, rcpt and data to send an SMTP message, but this only works on servers configured to allow clear text relay without authentication.
  7. Type quit and press Enter to close the connection.
  8. Observe the server response.
  9. Close the command prompt.
  10. Stop the Wireshark capture.

Activity 2 - Select Destination Traffic


To select destination traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. To view only SMTP traffic, type smtp (lower case) in the Filter box and press Enter.
  2. Select the first SMTP packet labeled 220 ....
  3. Observe the destination IP address.
  4. To view all related traffic for this connection, change the filter to ip.addr == <destination>, where <destination> is the destination address of the SMTP packet.

Activity 3 - Analyze TCP Connection Traffic


To analyze TCP connection traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. The first three packets (TCP SYN, TCP SYN/ACK, TCP ACK) are the TCP three way handshake. Select the first packet.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be your default gateway's MAC address and the source should be your MAC address. You can use ipconfig /all and arp -a to confirm.
  5. Expand Internet Protocol Version 4 to view IP details.
  6. Observe the Source address. Notice that the source address is your IP address.
  7. Observe the Destination address. Notice that the destination address is the IP address of the SMTP server.
  8. Expand Transmission Control Protocol to view TCP details.
  9. Observe the Source port. Notice that it is a dynamic port selected for this SMTP connection.
  10. Observe the Destination port. Notice that it is smtp (25). Note that all of the packets for this connection will have matching MAC addresses, IP addresses, and port numbers.

Activity 4 - Analyze SMTP Service Ready Traffic


To analyze SMTP Service Ready traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Select the fourth packet, which is the first SMTP packet and labeled 220 ....
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol / Simple Mail Transfer Protocol frame. Also notice that the Ethernet II, Internet Protocol Version 4, and Transmission Control Protocol values are consistent with the TCP connection analyzed in Activity 3.
  4. Expand Simple Mail Transfer Protocol and Response to view SMTP details.
  5. Observe the Response code and Response parameter.
  6. Observe the traffic captured in the top Wireshark packet list pane.
  7. Select the fifth packet, labeled TCP ACK. This is the client TCP acknowledgement of receiving the Service Ready message.

Activity 5 - Analyze SMTP HELO Traffic


To analyze SMTP HELO traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Select the following TCP segments and acknowledgements. If you observe the packet details in the bottom Wireshark packet bytes pane carefully, you will see that the segments spell out the helo message. The sequence ends with a Wireshark-combined SMTP client helo message, followed by a server TCP acknowledgement.

Activity 6 - Analyze SMTP Completed Traffic


To analyze SMTP Completed traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Select the following SMTP packet, labeled 250 ...
  3. Observe the packet details in the middle Wireshark packet details pane.
  4. Expand Simple Mail Transfer Protocol and Response to view SMTP details.
  5. Observe the Response code and Response parameter.

Activity 7 - Analyze SMTP QUIT Traffic


To analyze SMTP QUIT traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Select the following TCP segments and acknowledgements. If you observe the packet details in the bottom Wireshark packet bytes pane carefully, you will see that the segments spell out the quit message. The sequence ends with a Wireshark-combined SMTP client quit message, followed by a server TCP acknowledgement.

Activity 8 - Analyze SMTP Closing Traffic


To analyze SMTP Closing traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Select the following SMTP packet, labeled 221 ...
  3. Observe the packet details in the middle Wireshark packet details pane.
  4. Expand Simple Mail Transfer Protocol and Response to view SMTP details.
  5. Observe the Response code and Response parameter.
  6. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
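Activities 4 through 8 above can be replayed offline on the TCP payloads. The following Python is an added example, not course material; the segments, the server name mx.example.test and the reply texts are constructed, and the one-character client segments model the Telnet behaviour seen in Activities 5 and 7.

```python
"""Rebuild the SMTP dialogue of Activities 4 to 8 from TCP payloads. Because
the Telnet client sends each typed character in its own segment, the helo
and quit commands exist only as single bytes in the capture and must be
reassembled, as Wireshark does, before the exchange can be read. Added
example; the segments are constructed, not taken from a real capture."""

# Constructed payloads in capture order: ("S", ...) server to client,
# ("C", ...) client to server. An empty payload is a bare TCP ACK.
SEGMENTS = (
    [("S", b"220 mx.example.test ESMTP ready\r\n"), ("C", b"")]
    + [("C", ch) for ch in (b"h", b"e", b"l", b"o", b"\r\n")]
    + [("S", b""), ("S", b"250 mx.example.test at your service\r\n")]
    + [("C", ch) for ch in (b"q", b"u", b"i", b"t", b"\r\n")]
    + [("S", b"221 2.0.0 closing connection\r\n")]
)

# First digit of a reply code gives its class (RFC 5321 section 4.2.1).
REPLY_CLASSES = {"2": "positive completion", "3": "positive intermediate",
                 "4": "transient negative", "5": "permanent negative"}


def reassemble_lines(segments):
    """Concatenate each direction's byte stream and cut it into CRLF-terminated
    lines, returning (direction, line) in the order each line completes."""
    buffers = {"C": b"", "S": b""}
    lines = []
    for direction, payload in segments:
        if not payload:                          # bare ACK carries no data
            continue
        buffers[direction] += payload
        while b"\r\n" in buffers[direction]:
            line, _, rest = buffers[direction].partition(b"\r\n")
            buffers[direction] = rest
            lines.append((direction, line.decode("ascii")))
    return lines


def parse_reply(line):
    """Return (code, continues, text). In a multi-line reply every line but
    the last has '-' after the code ('250-...') instead of a space."""
    if len(line) < 3 or not line[:3].isdigit():
        raise ValueError(f"malformed SMTP reply: {line!r}")
    code = int(line[:3])
    continues = len(line) > 3 and line[3] == "-"
    return code, continues, line[4:]


def parse_dialogue(segments):
    """Pair each server reply with the client command it answers. The 220
    greeting answers no command, so its 'command' is None."""
    exchange = []
    pending = None
    for direction, line in reassemble_lines(segments):
        if direction == "C":
            pending = line.split(" ", 1)[0].upper()   # SMTP verbs are case-insensitive
            continue
        code, continues, text = parse_reply(line)
        last = exchange[-1] if exchange else None
        if last and last["continues"] and last["code"] == code:
            last["text"].append(text)                 # continuation of a multi-line reply
            last["continues"] = continues
            continue
        exchange.append({"command": pending, "code": code,
                         "class": REPLY_CLASSES.get(str(code)[0], "unknown"),
                         "continues": continues, "text": [text]})
    return exchange
```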

References


Lesson 14 - Routing Protocols


This lesson introduces routing and routing protocols. Activities include configuring routing on Windows workstations and using Wireshark to examine Routing Information Protocol (RIP), Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP), and Border Gateway Protocol (BGP) network traffic.


Readings

  1. Wikipedia: Routing
  2. Wikipedia: Distance-vector routing protocol
  3. Wikipedia: Link-state routing protocol
  4. Wikipedia: Routing Information Protocol
  5. Wikipedia: Open Shortest Path First
  6. Wikipedia: Enhanced Interior Gateway Routing Protocol
  7. Wikipedia: Border Gateway Protocol

Multimedia

  1. YouTube: Routing Tables - CompTIA Network+ N10-005: 1.4
  2. YouTube: Using the Route Command - CompTIA Network+ N10-005: 4.3
  3. YouTube: Configuring Routing Tables - CompTIA Network+ N10-005: 2.1
  4. YouTube: Routing Protocols Overview (Distance Vector and Link-State) CCNA Part 1
  5. YouTube: Routing Protocols Overview (Cisco CCNA- RIP, RIPv2, EIGRP, OSPF) Part 2

Activities

  1. Use the route command to display the local routing table.
  2. Use the route command to modify the local routing table.
  3. Review Wireshark: Routing Information Protocol (RIP).
  4. Review Wireshark: Open Shortest Path First (OSPF).
  5. Review Wireshark: Enhanced Interior Gateway Routing Protocol (EIGRP).
  6. Review Wireshark: Border Gateway Protocol (BGP).
  7. Consider situations in which a packet analyzer might be used to troubleshoot routing traffic.

Lesson Summary

  • Routing is the process of selecting paths in a network along which to send network traffic.[1]
  • Static routing involves manual updating of routing tables with fixed paths to destination networks.[2]
  • Dynamic or adaptive routing involves automatic updating of routing tables based on information carried by routing protocols.[3]
  • Routing protocols are divided into interior and exterior protocols. Interior protocols are further divided into distance-vector protocols and link-state protocols.[4] Distance-vector routing protocols are simple and efficient in small networks. Larger networks use link-state routing protocols.[5]
  • Distance-vector routing protocols require that a router informs its neighbors of topology changes periodically.[6] Each link is assigned a numeric distance or cost value, and information is shared among neighboring routers to accumulate a total cost to a given destination.[7]
  • Link-state protocols require that a router inform all the nodes in a network of topology changes.[8] Each node shares information regarding the nodes it can connect to with the entire network so that each node can build its own network map and determine for itself the least cost path to any given node.[9]
  • Routing Information Protocol (RIP) is a distance-vector routing protocol which employs the hop count as a routing metric. RIP uses the User Datagram Protocol (UDP) as its transport protocol, and is assigned the reserved port number 520.[10]
  • Open Shortest Path First (OSPF) is a link-state routing protocol.[11] OSPF does not use a TCP/IP transport protocol (UDP, TCP), but is encapsulated directly in IP datagrams with protocol number 89.[12]
  • Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco proprietary advanced distance-vector routing protocol, with optimizations to minimize both the routing instability incurred after topology changes, as well as the use of bandwidth and processing power in the router.[13]
  • Border Gateway Protocol (BGP) is the protocol which makes core routing decisions on the Internet.[14] BGP uses the Transmission Control Protocol (TCP) as its transport protocol, and is assigned the reserved port 179.[15]

Key Terms

Autonomous System (AS)
A collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators that presents a common, clearly defined routing policy to the Internet.[16]
convergence
The state of a set of routers that have the same topological information about the internetwork in which they operate.[17]
convergence time
A measure of how fast a group of routers reach the state of convergence.[18]
count-to-infinity problem
An error in distance-vector routing protocols caused by the routers being unable to determine if routing loops exist in the information provided.[19]
exterior gateway protocol
A routing protocol that is used to determine network reachability between autonomous systems and makes use of interior gateway protocols to resolve routes within an autonomous system.[20]
holddown timer
A timer used by link-state routers that prevents invalid updates within a given period of time after they first receive information about a network that is unreachable.[21]
interior gateway protocol
A routing protocol that is used to exchange routing information within an autonomous system (AS).[22]
route poisoning
A link-state method of notifying a router that a previously available route has become invalid.[23]
split-horizon route advertisement
A method of preventing routing loops in distance-vector routing protocols by prohibiting a router from advertising a route back onto the interface from which it was learned.[24]
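The count-to-infinity problem and split-horizon advertisement defined above can be watched in a small simulation. The following Python is an added example, not course material; routers A, B and C, network N and the simplified RIP update rule are assumptions made for the illustration.

```python
"""Simulate the distance-vector behaviour described in the summary and key
terms above on a three-router chain A - B - C, where network N hangs off C.
When N fails, C poisons the route (advertises hop count 16). Without split
horizon, A and B count to infinity; with it, they converge in two rounds.
Added example; the topology and rules are a simplified RIP, not course code."""

INFINITY = 16                       # RIP's unreachable hop count


def exchange_round(tables, neighbors, split_horizon):
    """One synchronous update round. Every router first builds the table it
    will advertise to each neighbor, then every router applies the
    Bellman-Ford update. Returns True if any table changed."""
    adverts = {}                    # (sender, receiver) -> {destination: metric}
    for router, table in tables.items():
        for peer in neighbors[router]:
            adv = {}
            for dest, (metric, via) in table.items():
                if split_horizon and via == peer:
                    continue        # do not send a route back where it was learned
                adv[dest] = metric
            adverts[(router, peer)] = adv
    changed = False
    for (sender, receiver), adv in adverts.items():
        table = tables[receiver]
        for dest, metric in adv.items():
            new_metric = min(metric + 1, INFINITY)       # one more hop via sender
            cur_metric, cur_via = table.get(dest, (INFINITY, None))
            # RIP accepts any update from the current next hop, even a worse
            # one (that is how poisoning propagates); others only if cheaper.
            if (cur_via == sender or new_metric < cur_metric) \
                    and (new_metric, sender) != (cur_metric, cur_via):
                table[dest] = (new_metric, sender)
                changed = True
    return changed


def run_until_stable(tables, neighbors, split_horizon, limit=100):
    """Return how many rounds changed something before the tables settled."""
    rounds = 0
    while rounds < limit and exchange_round(tables, neighbors, split_horizon):
        rounds += 1
    return rounds


def simulate(split_horizon):
    """Converge, fail N at C, reconverge. Returns (metrics before the failure,
    metrics after reconvergence, rounds the reconvergence took)."""
    neighbors = {"A": ["B"], "B": ["A", "C"], "C": ["B"]}
    tables = {"A": {}, "B": {}, "C": {"N": (1, None)}}   # N directly attached to C
    run_until_stable(tables, neighbors, split_horizon)
    before = {r: tables[r]["N"][0] for r in tables}
    tables["C"]["N"] = (INFINITY, None)                  # route poisoning by C
    rounds = run_until_stable(tables, neighbors, split_horizon)
    after = {r: tables[r]["N"][0] for r in tables}
    return before, after, rounds
```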

Review Questions


  1. Routing is the process of _____.
    Routing is the process of selecting paths in a network along which to send network traffic.
  2. Static routing involves _____ updating of routing tables with _____ paths to destination networks.
    Static routing involves manual updating of routing tables with fixed paths to destination networks.
  3. Dynamic or adaptive routing involves _____ updating of routing tables based on _____.
    Dynamic or adaptive routing involves automatic updating of routing tables based on information carried by routing protocols.
  4. Routing protocols are divided into _____ and _____ protocols. _____ protocols are further divided into _____ protocols and _____ protocols.
    Routing protocols are divided into interior and exterior protocols. Interior protocols are further divided into distance-vector protocols and link-state protocols.
  5. _____ routing protocols are simple and efficient in small networks. Larger networks use _____ routing protocols.
    Distance-vector routing protocols are simple and efficient in small networks. Larger networks use link-state routing protocols.
  6. _____ routing protocols require that a router informs its neighbors of topology changes periodically. Each link is assigned a numeric distance or cost value, and information is shared among neighboring routers to accumulate a total cost to a given destination.
    Distance-vector routing protocols require that a router informs its neighbors of topology changes periodically. Each link is assigned a numeric distance or cost value, and information is shared among neighboring routers to accumulate a total cost to a given destination.
  7. _____ protocols require that a router inform all the nodes in a network of topology changes. Each node shares information regarding the nodes it can connect to with the entire network so that each node can build its own network map and determine for itself the least cost path to any given node.
    Link-state protocols require that a router inform all the nodes in a network of topology changes. Each node shares information regarding the nodes it can connect to with the entire network so that each node can build its own network map and determine for itself the least cost path to any given node.
  8. Routing Information Protocol (RIP) is a _____ routing protocol which employs the hop count as a routing metric. RIP uses _____ as its transport protocol, and is assigned the reserved port number _____.
    Routing Information Protocol (RIP) is a distance-vector routing protocol which employs the hop count as a routing metric. RIP uses the User Datagram Protocol (UDP) as its transport protocol, and is assigned the reserved port number 520.
  9. Open Shortest Path First (OSPF) is a _____ routing protocol. OSPF does not use a TCP/IP transport protocol (UDP, TCP), but is encapsulated directly in IP datagrams with protocol number _____.
    Open Shortest Path First (OSPF) is a link-state routing protocol. OSPF does not use a TCP/IP transport protocol (UDP, TCP), but is encapsulated directly in IP datagrams with protocol number 89.
  10. Enhanced Interior Gateway Routing Protocol (EIGRP) is a _____ routing protocol, with optimizations to minimize both the routing instability incurred after topology changes, as well as the use of bandwidth and processing power in the router.
    Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco proprietary advanced distance-vector routing protocol, with optimizations to minimize both the routing instability incurred after topology changes, as well as the use of bandwidth and processing power in the router.
  11. Border Gateway Protocol (BGP) is the protocol which makes core routing decisions on the Internet. BGP uses _____ as its transport protocol, and is assigned the reserved port _____.
    Border Gateway Protocol (BGP) is the protocol which makes core routing decisions on the Internet. BGP uses the Transmission Control Protocol (TCP) as its transport protocol, and is assigned the reserved port 179.

Assessments


See Also


References

  Type classification: this is a lesson resource.
  Completion status: this resource is considered to be complete.

Route is a Windows command that displays and updates the network routing table. These activities will show you how to use the route command to display the local routing table.

Readings


Preparation


To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.

Display Local Routing Table


To display the local routing table:

  1. Open a command prompt.
  2. Type route print.
  3. Press Enter.
  4. Observe the active routes by destination, network mask, gateway, interface, and metric.
  5. Close the command prompt to complete this activity.

References

Route is a Windows command that displays and updates the network routing table. These activities will show you how to use the route command to modify the local routing table.

Note: To complete this activity, you must have an administrative user account or know the username and password of an administrator account you can enter when prompted.

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.

Display Local Routing Table

To display the local routing table:

  1. Open an elevated/administrator command prompt.
  2. Type route print and press Enter.
  3. Observe the active routes by destination, network mask, gateway, interface, and metric.

Delete a Route

To delete a route:

  1. Observe the routing table entry for network destination 0.0.0.0 listed in Activity 1. The gateway listed for this network is the default gateway. Make note of this gateway address for use in restoring this route.
  2. Type ping 8.8.8.8 to test Internet connectivity. The ping should be successful.
  3. Type route delete 0.0.0.0 and press Enter to delete the routing table entry for the default gateway.
  4. Type route print and press Enter.
  5. Observe the active routes by destination, network mask, gateway, interface, and metric. Note the missing entry for network destination 0.0.0.0.
  6. Type ping 8.8.8.8 to test Internet connectivity. The ping should fail.

Add a Route

To add a route:

  1. Type route add 0.0.0.0 mask 0.0.0.0 <gateway>, where <gateway> is the gateway address listed for network destination 0.0.0.0 in Activity 1. For example, if the gateway was 192.168.1.1, you would type route add 0.0.0.0 mask 0.0.0.0 192.168.1.1. Then press Enter.
  2. Type ping 8.8.8.8 to test Internet connectivity. The ping should be successful. If not, repeat Activity 2 and then use ipconfig /renew to update your DHCP-assigned IP address and default gateway.
  3. Close the command prompt to complete this activity.
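To see why the ping fails once the 0.0.0.0 entry is gone, here is an added Python model of the lookup the three activities above exercise (it is not part of the course): it parses a constructed route print listing, picks the longest-prefix, lowest-metric match the way the routing table is consulted, and shows that 8.8.8.8 is reachable only through the default gateway. The sample table and the function names are constructed for this example.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "network gateway interface metric")

# Constructed "route print" output (IPv4 Active Routes section only), not a real capture.
ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link      192.168.1.10    281
     192.168.1.10  255.255.255.255         On-link      192.168.1.10    281
        224.0.0.0        240.0.0.0         On-link      192.168.1.10    281
===========================================================================
"""

def parse_route_print(text):
    """Return the active IPv4 routes in 'route print' output as Route tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:                    # only data rows have exactly five columns
            continue
        try:
            network = ipaddress.IPv4Network((fields[0], fields[1]))
        except ValueError:                      # separator or header text, not an address
            continue
        routes.append(Route(network, fields[2], fields[3], int(fields[4])))
    return routes

def lookup(routes, destination):
    """Route Windows would pick: longest prefix match, then lowest metric; None if unroutable."""
    dest = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dest in r.network]
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric)) if candidates else None

def default_gateway(routes):
    """Gateway of the 0.0.0.0 entry that Activity 1 asks you to note, or None once it is gone."""
    for r in routes:
        if r.network.prefixlen == 0:
            return r.gateway
    return None

def without_default_route(routes):
    """Model 'route delete 0.0.0.0': drop every 0.0.0.0/0 entry."""
    return [r for r in routes if r.network.prefixlen != 0]
```

Feeding the real output of route print into parse_route_print works the same way; lookup(trimmed, "8.8.8.8") returning None is the scripted form of the failed ping in the Delete a Route activity.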

Readings

References

Lesson 15 - Network Monitoring

This lesson introduces network monitoring and looks at the Simple Network Management Protocol (SNMP). Activities include installing, configuring and testing the SNMP service, using Wireshark to examine SNMP network traffic, and using OpenNMS to monitor a network.

Readings

  1. Wikipedia: Network monitoring
  2. Wikipedia: Simple Network Management Protocol
  3. Wikipedia: Management information base

Multimedia

  1. YouTube: An Overview of SNMP - CompTIA Network+ N10-005: 4.4

Activities

  1. Install the SNMP Service.
  2. Configure the SNMP Service.
  3. Test the SNMP Service.
  4. Use a free or open source network monitoring tool, such as OpenNMS, to monitor a network.
  5. Review Wireshark: Simple Network Management Protocol (SNMP).
  6. Consider situations in which a packet analyzer might be used to troubleshoot network monitoring traffic.

Lesson Summary

  • Network monitoring describes the use of a system that constantly monitors a computer network for slow or failing components and that notifies the network administrator (via email, SMS or other alarms) in case of outages.[1]
  • Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing devices on IP networks.[2] With SNMP, administrative computers called managers monitor or manage a group of hosts on a computer network. Each managed system executes an agent which reports information via SNMP to the manager.[3]
  • SNMP uses a Management Information Base (MIB) to describe the structure of the management data of a device subsystem. The MIB is a hierarchical namespace containing object identifiers (OID), and each OID identifies a variable that can be read or set via SNMP.[4]
  • SNMP is an application layer protocol. SNMP agents receive requests on UDP port 161. SNMP managers receive notifications (Traps and InformRequests) on UDP port 162.[5]
  • SNMP messages from managers include GetRequest, SetRequest, GetNextRequest, and GetBulkRequest. SNMP messages from agents include Response and Trap. SNMP messages from manager to manager include InformRequest.[6]
  • SNMP versions 1 and 2 support limited security through the use of a clear-text password known as a community string. SNMP version 3 supports encryption on UDP ports 10161 and 10162.[7][8]
  • Default SNMP settings present a variety of security issues that must be addressed when SNMP is implemented on a network.[9]
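The message layout the summary describes, as an added example that is not part of the course or of the Windows SNMP service: a small BER decoder that pulls the version, the clear-text community string, the PDU type and the requested OIDs out of a constructed SNMPv2c GetRequest for sysDescr.0, plus a check for the default community strings that belong to the security issues the last bullet mentions. The sample bytes, the PDU_NAMES table and the function names are constructed here; a monitor watching UDP port 161 could apply the same check to captured packets.

```python
# Constructed SNMPv2c GetRequest for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0), community "public".
SAMPLE_GETREQUEST = bytes.fromhex(
    "3029" "020101" "0406" "7075626c6963"           # SEQUENCE; version=1 (v2c); community
    "a01c" "020412345678" "020100" "020100"         # GetRequest PDU: request-id, error-status/index
    "300e" "300c" "0608" "2b06010201010100" "0500"  # VarBindList > VarBind > OID, NULL value
)
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response", 0xA3: "SetRequest",
             0xA5: "GetBulkRequest", 0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}

def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for one BER TLV; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Dotted OID from BER: the first octet packs arcs 1 and 2, later arcs are base-128."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                            # a clear high bit ends this arc
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def parse_snmp(packet):
    """Parse an SNMPv1/v2c request or response (the SNMPv1 Trap PDU, tag 0xA4, has another layout)."""
    tag, msg, _ = read_tlv(packet, 0)
    _, ver, pos = read_tlv(msg, 0)
    version = int.from_bytes(ver, "big")
    if tag != 0x30 or version not in (0, 1):        # SNMPv3 has a different header: rejected here
        raise ValueError("not an SNMPv1/v2c message")
    _, community, pos = read_tlv(msg, pos)          # the clear-text community string
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, req_id, pos = read_tlv(pdu, 0)
    for _ in range(2):                              # skip error-status and error-index
        _, _, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    oids, vpos = [], 0
    while vpos < len(varbinds):                     # each VarBind is SEQUENCE { OID, value }
        _, vb, vpos = read_tlv(varbinds, vpos)
        oids.append(decode_oid(read_tlv(vb, 0)[1]))
    return {"version": "v1" if version == 0 else "v2c", "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "community": community.decode("ascii", "replace"),
            "request_id": int.from_bytes(req_id, "big"), "oids": oids}

def uses_default_community(packet):
    """True when the community string is a well-known default, the issue the last bullet warns about."""
    return parse_snmp(packet)["community"] in ("public", "private")
```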

Key Terms

agent
A software component that runs on managed devices and responds to requests from the network management system.[10]
availability
The degree to which a system, subsystem, or equipment is in a specified operable and committable state.[11]
managed device
A network node that implements an SNMP interface that allows unidirectional (read-only) or bidirectional access to node-specific information.[12]
network management system
A combination of hardware and software used to monitor and administer a computer network or networks.[13]
response time
The interval between the receipt of the end of transmission of an inquiry message and the beginning of the transmission of a response message to the station originating the inquiry.[14]
uptime
A measure of the time a machine has been up without any downtime.[15]

Review Questions

  1. Network monitoring describes the use of a system that _____ and that _____.
    Network monitoring describes the use of a system that constantly monitors a computer network for slow or failing components and that notifies the network administrator (via email, SMS or other alarms) in case of outages.
  2. Simple Network Management Protocol (SNMP) is an Internet-standard protocol for _____. With SNMP, administrative computers called _____ monitor or manage a group of hosts on a computer network. Each managed system executes an _____ which reports information via SNMP to the manager.
    Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing devices on IP networks. With SNMP, administrative computers called managers monitor or manage a group of hosts on a computer network. Each managed system executes an agent which reports information via SNMP to the manager.
  3. SNMP uses a _____ to describe the structure of the management data of a device subsystem. The _____ is a hierarchical namespace containing _____, and each _____ identifies a variable that can be read or set via SNMP.
    SNMP uses a Management Information Base (MIB) to describe the structure of the management data of a device subsystem. The MIB is a hierarchical namespace containing object identifiers (OID), and each OID identifies a variable that can be read or set via SNMP.
  4. SNMP is an _____ layer protocol. SNMP _____ receive requests on _____ port _____. SNMP _____ receive notifications on _____ port _____.
    SNMP is an application layer protocol. SNMP agents receive requests on UDP port 161. SNMP managers receive notifications on UDP port 162.
  5. SNMP messages from managers include _____. SNMP messages from agents include _____. SNMP messages from manager to manager include _____.
    SNMP messages from managers include GetRequest, SetRequest, GetNextRequest, and GetBulkRequest. SNMP messages from agents include Response and Trap. SNMP messages from manager to manager include InformRequest.
  6. SNMP versions 1 and 2 support limited security through the use of a clear-text password known as a _____. SNMP version 3 supports encryption on _____ ports _____ and _____.
    SNMP versions 1 and 2 support limited security through the use of a clear-text password known as a community string. SNMP version 3 supports encryption on UDP ports 10161 and 10162.
  7. Default SNMP settings present a variety of _____ that must be addressed when SNMP is implemented on a network.
    Default SNMP settings present a variety of security issues that must be addressed when SNMP is implemented on a network.

Assessments

See Also

References

  Type classification: this is a lesson resource.
  Completion status: this resource is considered to be complete.

The SNMP Service is a Windows service that provides a Simple Network Management Protocol (SNMP) agent that can be used to monitor and manage Windows workstations and servers. These activities will show you how to install the SNMP Service.

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.

Activity 1 - Install the SNMP Service

To install the SNMP Service:

  1. Open the Start menu.
  2. Select Control Panel.
  3. Select Programs.
  4. Select Turn Windows features on or off.
  5. Select the check box for Simple Network Management Protocol (SNMP).
  6. Select OK to complete this activity.

Readings

References

The SNMP Service is a Windows service that provides a Simple Network Management Protocol (SNMP) agent that can be used to monitor and manage Windows workstations and servers. These activities will show you how to configure the SNMP Service.

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install the SNMP Service.

Activity 1 - Configure the SNMP Service

To configure the SNMP Service:

  1. Open the Start menu.
  2. In the Run box type Services or Services.msc.
  3. Press Enter.
  4. In the Services console, find SNMP Service. Double-click on it to view SNMP Service properties.
  5. Select the Agent tab.
  6. Enter values for Contact and Location for this workstation.
  7. Select all five check boxes (Physical, Applications, Datalink and subnetwork, Internet, and End-to-end).
  8. Apply changes.
  9. Select the Security tab.
  10. Clear the Send authentication trap check box.
  11. Add an accepted community name of public with READ ONLY rights.
  12. Select OK to apply changes and close the dialog box.
  13. Close the Services console to complete this activity.

References

The SNMP Service is a Windows service that provides a Simple Network Management Protocol (SNMP) agent that can be used to monitor and manage Windows workstations and servers. These activities will show you how to test the SNMP Service.

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install the SNMP Service.
  4. Configure the SNMP Service.

Activity 1 - Install the iReasoning MIB Browser Free Personal Edition

To install the iReasoning MIB Browser Free Personal Edition:

  1. Open a web browser.
  2. Navigate to http://www.ireasoning.com/downloadmibbrowserfree.php.
  3. Download and run setup.exe.
  4. If you see a User Account Control dialog box, select Yes to allow the program to make changes to this computer.
  5. Review the license agreement and select I Agree if you agree.
  6. Select Next > to select the default components.
  7. Select Install to install the program in the default location.
  8. Select Close when the installation is completed.
  9. Select Yes to launch the MIB Browser now.

Activity 2 - Test the SNMP Service

To test the SNMP Service:

  1. In the iReasoning MIB Browser, enter 127.0.0.1 in the Address box.
  2. Navigate to a subtree that interests you.
  3. In the Operations pulldown, select Get Subtree and Go.
  4. Observe the settings reported by the SNMP service.
  5. Continue selecting different subtrees and review reported settings.
  6. Close the iReasoning MIB Browser to complete this activity.

References