internet Protocol Analysis/Collection
Internet Protocol Analysis
[edit | edit source]Learning Guide
[edit | edit source]This learning guide supports the Wikiversity course Internet Protocol Analysis, available at http://en.wikiversity.org/wiki/Internet_Protocol_Analysis.
Overview
[edit | edit source]Internet protocol analysis is an advanced computer networking topic that uses a packet analyzer to capture, view, and understand Internet protocols. This course comprises 15 lessons that use Wireshark to study and experiment with Internet protocols. Each lesson includes Wikipedia readings, YouTube videos, and hands-on learning activities.
Preparation
[edit | edit source]This is a third-semester, college-level course. Learners should already be familiar with introductory computer concepts and/or introductory computer networking concepts.
Lessons
[edit | edit source]- Introduction
- Packet Analyzers
- Link Layer
- Address Resolution Protocol (ARP)
- Internet Layer / IPv4
- Subnetting
- IPv6
- Internet Control Message Protocol (ICMP)
- Multicast
- Transport Layer
- Address Assignment
- Name Resolution
- Application Layer
- Routing
- Network Monitoring
Bibliography
[edit | edit source]- Carrell, Jeffrey L., Chappell, Laura & Tittel, Ed (2013). Guide to TCP/IP, Fourth Edition. Cengage. ISBN 9781133019862
- Chappell, Laura A. & Tittel, Ed (2007). Guide to TCP/IP, Third Edition. Course Technology. ISBN 9781418837556
- Davies, Joseph (2012). Understanding IPv6, 3rd Edition. Microsoft Press. ISBN 9780735659148
- Fall, Kevin R. & Stevens, W. Richard (2012). TCP/IP Illustrated, Volume 1: The Protocols, Second Edition. Pearson. ISBN 9780321336316
References
[edit | edit source]Lesson 1 - Introduction
[edit | edit source]This lesson introduces Internet protocol analysis by looking at background information on the Internet protocol suite, the Request for Comments process and Internet standards, and comparing the Internet protocol suite to the Open Systems Interconnection (OSI) model.
Readings
[edit | edit source]- Wikipedia: Internet protocol suite
- Wikipedia: Request for Comments
- Wikipedia: Internet Standard
- Wikipedia: OSI model
Multimedia
[edit | edit source]- YouTube: Network Layers - OSI, TCP/IP Models - Part 1
- YouTube: Network Layers - OSI, TCP/IP Models - Part 2
- YouTube: Network Layers - OSI, TCP/IP Models - Part 3
Activities
[edit | edit source]- Draw your own personal reference chart comparing the Internet protocol suite four-layer model to the OSI seven-layer model.
- Review Internet standards regarding private networks and see if your computer is on a private network.
- Review Wikipedia: April Fools' Day Request for Comments for a humorous look at networking standards.
- Consider why the OSI seven layer model is sometimes referred to as a theoretical model while the Internet protocol suite might be referred to as an operational model.
Lesson Summary
[edit | edit source]- The Internet protocol suite is the set of communications protocols used for the Internet and similar networks. It is a four-layer model containing Link, Internet, Transport, and Application layers.[1]
- The Internet protocol suite is maintained by the Internet Engineering Task Force (IETF).[2]
- The Link layer contains communication technologies for a local network.[3]
- The Internet layer connects local networks, thus establishing internetworking.[4]
- The Transport layer handles host-to-host communication.[5]
- The Application layer contains all protocols for specific data communications services on a process-to-process level.[6]
- A Request for Comments (RFC) is a memorandum published by the Internet Engineering Task Force (IETF) describing methods, behaviors, research, or innovations applicable to the working of the Internet and Internet-connected systems.[7]
- Requests for Comments are designated with a status of Informational, Experimental, Best Current Practice (BCP), Standards Track, or Historic. Standards-track documents are further divided into Proposed Standard, Draft Standard, and Internet Standard.[8]
- Internet Standard is a special Request for Comments (RFC) or set of RFCs which is characterized by a high degree of technical maturity and by a generally held belief that the specified protocol or service provides significant benefit to the Internet community.[9]
- Best Current Practice is a Request for Comments (RFC) that may include official rules, but which does not affect over the wire data and is not on the standards track.[10]
- The Internet protocol suite protocols are deliberately not as rigidly designed into strict layers as in the OSI model.[11]
- The Internet Link layer includes the OSI Data Link and Physical layers, as well as parts of OSI's Network layer.[12]
- The Internet internetworking layer (Internet layer) is a subset of the OSI Network layer.[13]
- The Internet Transport layer includes the graceful close function of the OSI Session layer as well as the OSI Transport layer.[14]
- The Internet Application layer includes the OSI Application layer, Presentation layer, and most of the Session layer.[15]
Key Terms
[edit | edit source]- Advanced Research Projects Agency Network (ARPANET)
- The world's first operational packet switching network and the progenitor of what was to become the global Internet.[16]
- Best Current Practice
- Mandatory IETF RFCs, including official rules, but which do not affect over the wire data and are not on the standards track.[17]
- best effort delivery
- A network service in which the network does not provide any guarantees that data is delivered or that a user is given a guaranteed quality of service level or a certain priority.[18]
- checksum
- A fixed-size datum computed from an arbitrary block of digital data for the purpose of detecting accidental errors that may have been introduced during its transmission or storage.[19]
- communications protocol
- A system of digital message formats and rules for exchanging those messages in or between computing systems and in telecommunications.[20]
- Defense Advanced Research Projects Agency (DARPA)
- An agency of the United States Department of Defense responsible for the development of new technologies for use by the military.[21]
- encapsulation
- A method of designing modular communication protocols in which logically separate functions in the network are abstracted from their underlying structures by inclusion or information hiding within higher level objects.[22]
- Ethernet
- A family of Link layer computer networking technologies for local area networks (LANs).[23]
- Internet Architecture Board (IAB)
- The committee charged with oversight of the technical and engineering development of the Internet by the Internet Society (ISOC).[24]
- Internet Drafts
- A series of working documents published by the IETF.[25]
- Internet Engineering Task Force (IETF)
- Develops and promotes Internet standards, cooperating closely with the W3C and ISO/IEC standards bodies and dealing in particular with standards of the Internet protocol suite (TCP/IP).[26]
- Internet Protocol (IP)
- The principal communications protocol used for relaying datagrams (also known as network packets) across an internetwork using the Internet Protocol Suite responsible for routing packets across network boundaries.[27]
- Internet Society (ISOC)
- An international, non-profit organization founded in 1992 to provide leadership in Internet related standards, education, and policy.[28]
- Internet Standard
- A normative specification of a technology or methodology applicable to the Internet.[29]
- internetworking
- The practice of connecting a computer network with other networks through the use of gateways that provide a common method of routing information packets between the networks.[30]
- medium
- A material substance (solid, liquid, gas, or plasma) that can propagate energy waves.[31]
- Open Systems Interconnection (OSI) model
- A product of the Open Systems Interconnection effort at the International Organization for Standardization for characterizing and standardizing the functions of a communications system in terms of abstraction layers.[32]
- packet
- A formatted unit of data carried by a computer network.[33]
- packet header
- Data placed at the beginning of a block of data being stored or transmitted.[34]
- protocol stack
- An implementation of a computer networking protocol suite.[35]
- Request For Comments (RFC)
- A memorandum published by the Internet Engineering Task Force (IETF) describing methods, behaviors, research, or innovations applicable to the working of the Internet and Internet-connected systems.[36]
- router
- A device that forwards data packets between computer networks.[37]
- Transmission Control Protocol (TCP)
- A Transport layer protocol that provides reliable, ordered delivery of a stream of octets from a program on one computer to another program on another computer.[38]
Review Questions
[edit | edit source]-
The Internet protocol suite is a _____ layer model.The Internet protocol suite is a four-layer model.
-
The layers of the Internet protocol suite are _____.The layers of the Internet protocol suite are Link, Internet, Transport, and Application.
-
The Internet protocol suite is maintained by _____.The Internet protocol suite is maintained by the Internet Engineering Task Force (IETF).
-
The Internet protocol suite layer that contains communication technologies for a local network is the _____ layer.The Internet protocol suite layer that contains communication technologies for a local network is the Link layer.
-
The Internet protocol suite layer that connects local networks to establish internetworking is the _____ layer.The Internet protocol suite layer that connects local networks to establish internetworking is the Internet layer.
-
The Internet protocol suite layer that handles host-to-host communication is the _____ layer.The Internet protocol suite layer that handles host-to-host communication is the transport layer.
-
The Internet protocol suite layer that contains all protocols for specific data communications services on a process-to-process level is the _____ layer.The Internet protocol suite layer that contains all protocols for specific data communications services on a process-to-process level is the Application layer.
-
A memorandum published by the Internet Engineering Task Force (IETF) describing methods, behaviors, research, or innovations applicable to the working of the Internet and Internet-connected systems is known as a _____.A memorandum published by the Internet Engineering Task Force (IETF) describing methods, behaviors, research, or innovations applicable to the working of the Internet and Internet-connected systems is known as a Request for Comments (RFC).
-
A Request for Comments (RFC) which is characterized by a high degree of technical maturity and by a generally held belief that the specified protocol or service provides significant benefit to the Internet community is known as a/an _____.A Request for Comments (RFC) which is characterized by a high degree of technical maturity and by a generally held belief that the specified protocol or service provides significant benefit to the Internet community is known as an Internet Standard.
-
A Request for Comments (RFC) that may include official rules, but which does not affect over the wire data and is not on the standards track is known as a/an _____.A Request for Comments (RFC) that may include official rules, but which does not affect over the wire data and is not on the standards track is known as a Best Current Practice.
-
The Internet protocol suite protocols are _____ (more/less) rigidly designed into strict layers when compared to the OSI model.The Internet protocol suite protocols are less rigidly designed into strict layers when compared to the OSI model.
-
The Internet protocol suite layer that includes the OSI Data Link and Physical layers, as well as parts of OSI's Network layer is the _____ layer.The Internet protocol suite layer that includes the OSI Data Link and Physical layers, as well as parts of OSI's Network layer is the Link layer.
-
The Internet protocol suite layer that is a subset of the OSI Network layer is the _____ layer.The Internet protocol suite layer that is a subset of the OSI Network layer is the Internet layer.
-
The Internet protocol suite layer that includes the graceful close function of the OSI Session layer as well as the OSI Transport layer is the _____ layer.The Internet protocol suite layer that includes the graceful close function of the OSI Session layer as well as the OSI Transport layer is the Transport layer.
-
The Internet protocol suite layer that includes the OSI Application layer, Presentation layer, and most of the Session layer is the _____ layer.The Internet protocol suite layer that includes the OSI Application layer, Presentation layer, and most of the Session layer is the Application layer.
Assessments
[edit | edit source]See Also
[edit | edit source]References
[edit | edit source]- ↑ Wikipedia: Internet protocol suite
- ↑ Wikipedia: Internet protocol suite
- ↑ Wikipedia: Internet protocol suite#Link layer
- ↑ Wikipedia: Internet protocol suite#Internet layer
- ↑ Wikipedia: Internet protocol suite#Transport layer
- ↑ Wikipedia: Internet protocol suite#Application layer
- ↑ Wikipedia: Request for Comments
- ↑ Wikipedia: Request for Comments#Status
- ↑ Wikipedia: Internet Standard
- ↑ Wikipedia: Request for Comments#Status "best current practice"
- ↑ Wikipedia: OSI model#Comparison with TCP/IP model
- ↑ Wikipedia: OSI model#Comparison with TCP/IP model
- ↑ Wikipedia: OSI model#Comparison with TCP/IP model
- ↑ Wikipedia: OSI model#Comparison with TCP/IP model
- ↑ Wikipedia: OSI model#Comparison with TCP/IP model
- ↑ Wikipedia: ARPANET
- ↑ Wikipedia: Request for Comments#Status "best current practice"
- ↑ Wikipedia: Best effort delivery
- ↑ Wikipedia: Checksum
- ↑ Wikipedia: Communications protocol
- ↑ Wikipedia: Darpa
- ↑ Wikipedia: Encapsulation (networking)
- ↑ Wikipedia: Ethernet
- ↑ Wikipedia: Internet Architecture Board
- ↑ Wikipedia: Internet Draft
- ↑ Wikipedia: IETF
- ↑ Wikipedia: Internet Protocol
- ↑ Wikipedia: Internet Society
- ↑ Wikipedia: Internet Standard
- ↑ Wikipedia: Internetworking
- ↑ Wikipedia: Transmission medium
- ↑ Wikipedia: Osi model
- ↑ Wikipedia: Packet (information technology)
- ↑ Wikipedia: Packet header
- ↑ Wikipedia: Protocol stack
- ↑ Wikipedia: Request for Comments
- ↑ Wikipedia: Router (computing)
- ↑ Wikipedia: Transmission Control Protocol
ipconfig with no options displays the IP address, subnet mask and default gateway for each adapter bound to TCP/IP. This activity will show you how to use the default ipconfig command.
Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
Activity 1 - Display IP Address, Subnet Mask and Default Gateway
[edit | edit source]To display the IP address, subnet mask and default gateway for each adapter bound to TCP/IP:
- Open a command prompt.
- Type ipconfig (to see all options type ipconfig /all).
- Press Enter.
- Observe available adapters and their IP settings.
- Close the command prompt to complete this activity.
Readings
[edit | edit source]References
[edit | edit source]Private networks are networks that use a private Internet Protocol (IP) address space, following the standards described in Request for Comments (RFC) 1918 and 4193. These activities will review private networks, the relevant RFCs, and then show you how to identify whether or not your network is using the private IP address space.
Activities
[edit | edit source]- Read Wikipedia: Private network.
- Review RFC 1918 and RFC 4193 and compare the detailed specifications to the Wikipedia summary.
- Use Ipconfig to view your IP address.
- If you have an IPv4 address, review the private IPv4 address spaces and see if your IP address is within one of the private address ranges.
- If you have an IPv6 address, review the private IPv6 address spaces and see if your IP address is a unique local address (fc00::/7), site local address (fec0::/10), link local address (fe80::/10), or public address.
References
[edit | edit source]Lesson 2 - Packet Analyzers
[edit | edit source]This lesson concludes the introduction to Internet protocol analysis by looking at packet analyzers in general and the open source packet analyzer Wireshark in particular. Activities include installing Wireshark and using it to capture network traffic.
Readings
[edit | edit source]- Wikipedia: Packet analyzer
- Wikipedia: Promiscuous mode
- Wikipedia: Port mirroring
- Wikipedia: Wireshark
- Wikipedia: pcap
Multimedia
[edit | edit source]- YouTube: Getting Started with Wireshark
- YouTube: Intro to using Wireshark - CCNA Network Fundamentals
- YouTube: Port Mirroring - CompTIA Network+ N10-005: 1.4
- YouTube: Using Wireshark and Cisco Port Mirroring
Activities
[edit | edit source]- Install Wireshark.
- Review Wireshark: User's Guide.
- Use Wireshark to capture network traffic.
- Use Wireshark to filter displayed traffic.
- Use Wireshark to filter captured traffic.
- Consider situations in which a packet analyzer might be used to troubleshoot network traffic.
Lesson Summary
[edit | edit source]- A packet analyzer is a computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network.[1]
- Packet analyzers can be software or hardware-based.[2]
- Network interface controllers (NICs) normally drop frames that are not broadcast or multicast, and do not have the NIC as the destination MAC address.[3]
- Promiscuous mode is a network interface controller (NIC) mode that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is intended to receive.[4]
- Network interface controllers (NICs) operating in promiscuous mode may or may not be detectable, depending on firewall settings.[5]
- Port mirroring is used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port.[6]
- Wireshark is a free and open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education.[7]
- Wireshark was originally named Ethereal, but was renamed in May 2006 due to trademark issues.[8]
- Tcpdump is a command line-based packet analyzer available on most Unix-like operating systems.[9]
- As a security precaution, it is best to separate packet capture activities from packet analysis activities. Packet capture activities must be run with special privileges, but packet analysis does not require special privileges.[10]
- Packet analyzers such as Wireshark and tcpdump depend on a packet capture library known as libpcap (Unix/Linux) or WinPcap (Windows).[11]
Key Terms
[edit | edit source]- broadcast
- Transmit a message to all recipients simultaneously.[12]
- broadcast domain
- A logical division of a computer network in which all nodes can reach each other by broadcast at the data link layer.[13]
- collision domain
- A section of a network where data packets can collide with one another when being sent on a shared medium or through repeaters, in particular, when using early versions of Ethernet.[14]
- data stream
- A sequence of digitally encoded coherent signals (data packets) used to transmit or receive information.[15]
- encryption
- The process of encoding messages (or information) in such a way that eavesdroppers cannot read it, but that authorized parties can.[16]
- Ethereal
- The original name of the Wireshark packet analyzer, renamed due to trademark issues.[17]
- hub
- A multiport repeater that links devices and works at the physical layer of the OSI model.[18]
- Intrusion Detection System (IDS)
- A device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.[19]
- libpcap
- A packet capture library used on Unix-like systems.[20]
- multicast
- Transmit a message to a group of destination computers simultaneously with a single transmission from the source.[21]
- Network Interface Controller (NIC)
- A computer hardware component that connects a computer to a computer network.[22]
- packet analyzer
- A computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network.[23]
- port mirroring
- Used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port.[24]
- promiscuous mode
- A network interface controller (NIC) mode that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is intended to receive.[25]
- reverse engineering
- The process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation.[26]
- router
- A device that forwards data packets between computer networks and works at the network layer of the OSI model.[27]
- sniffer
- Another term for packet analyzer.[28]
- switch
- A multiport bridge that links network segments or devices and works at the data link layer of the OSI model.[29]
- tcpdump
- A command line-based packet analyzer available on most Unix-like operating systems.[30]
- tshark[31]
- Tool to Dump and analyze network traffic from Wireshark
- unicast
- Transmit a message to a single destination identified by a unique address.[32]
- Virtual LAN (VLAN)
- A concept of partitioning a physical network so that distinct broadcast domains are created.[33]
- WinPcap
- A packet capture library used on Windows systems.[34]
- Wireshark
- A free and open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education.[35]
Review Questions
[edit | edit source]Click on a question to see the answer.
-
A computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network is known as a _____.A computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network is known as a packet analyzer.
-
Packet analyzers can be _____ (hardware/software/both) based.Packet analyzers can be software or hardware-based.
-
Network interface cards (NICs) normally drop frames that are not _____ or _____, and do not have the NIC as the _____ MAC address..Network interface cards (NICs) normally drop frames that are not broadcast or multicast, and do not have the NIC as the destination MAC address.
-
A network interface controller (NIC) mode that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is intended to receive is known as _____ mode.A network interface controller (NIC) mode that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is intended to receive is known as promiscuous mode.
-
Network interface controllers (NICs) operating in promiscuous mode may or may not be detectable, depending on _____ settings.Network interface controllers (NICs) operating in promiscuous mode may or may not be detectable, depending on firewall settings.
-
The ability for a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port is known as _____.The ability for a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port is known as port mirroring.
-
An example of a free and open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education is _____.An example of a free and open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education is Wireshark.
-
Wireshark was originally named _____, but was renamed in May 2006 due to trademark issues.Wireshark was originally named Ethereal, but was renamed in May 2006 due to trademark issues.
-
A command line-based packet analyzer available on most Unix-like operating systems is _____.A command line-based packet analyzer available on most Unix-like operating systems is tcpdump.
-
Packet _____ activities must be run with special privileges, but packet _____ activities do not require special privileges.Packet capture activities must be run with special privileges, but packet analysis activities do not require special privileges.
-
Packet analyzers such as Wireshark and tcpdump depend on a packet capture library known as _____ or _____.Packet analyzers such as Wireshark and tcpdump depend on a packet capture library known as libpcap or WinPcap.
Assessments
[edit | edit source]See also
[edit | edit source]References
[edit | edit source]- ↑ Wikipedia: Packet analyzer
- ↑ Wikipedia: Packet analyzer#Capabilities
- ↑ Wikipedia: Promiscuous mode
- ↑ Wikipedia: Promiscuous mode
- ↑ Wikipedia: Promiscuous mode#Detection
- ↑ Wikipedia: Port mirroring
- ↑ Wikipedia: Wireshark
- ↑ Wikipedia: Wireshark
- ↑ Wikipedia: Wireshark#Functionality
- ↑ Wikipedia: Wireshark#Security
- ↑ Wikipedia: Pcap
- ↑ Wikipedia: Broadcasting (computing)
- ↑ Wikipedia: Broadcast domain
- ↑ Wikipedia: Collision domain
- ↑ Wikipedia: Data stream
- ↑ Wikipedia: Encryption
- ↑ Wikipedia: Wireshark
- ↑ Wikipedia: Network hub
- ↑ Wikipedia: Intrusion detection system
- ↑ Wikipedia: Pcap
- ↑ Wikipedia: Multicast
- ↑ Wikipedia: Network interface controller
- ↑ Wikipedia: Packet analyzer
- ↑ Wikipedia: Port mirroring
- ↑ Wikipedia: Promiscuous mode
- ↑ Wikipedia: Reverse engineering
- ↑ Wikipedia: Router (computing)
- ↑ Wikipedia: Packet analyzer
- ↑ Wikipedia: Network switch
- ↑ Wikipedia: Tcpdump
- ↑ https://www.wireshark.org/docs/man-pages/tshark.html
- ↑ Wikipedia: Unicast
- ↑ Wikipedia: Virtual LAN
- ↑ Wikipedia: Pcap
- ↑ Wikipedia: Wireshark
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to download and install Wireshark.
Preparation
[edit | edit source]To prepare for this activity, you need to have a PC which you're allowed to install new software. This course will implement on Windows. However, students with Linux or MacOS can follow the similar steps, except the installation ones.
Activity 1 - Determine System Type
[edit | edit source]To determine system type for Windows:
- Use msinfo32 (press Windows key, type "run", then type "Msinfo32") to display the system type. The system type will either be X86-based PC or X64-based PC. X86-based PC is a 32-bit system. X64-based PC is a 64-bit system.
- Close msinfo32.
Activity 2 - Download Wireshark
[edit | edit source]To download Wireshark:
- Open a web browser.
- Navigate to http://www.wireshark.org.
- Select Download Wireshark.
- Select the Wireshark Windows Installer matching your system type, either 32-bit or 64-bit as determined in Activity 1. Save the program in the Downloads folder.
- Close the web browser.
Activity 3 - Install Wireshark
[edit | edit source]To Wireshark Windows Installer
- Wireshark Windows InstallerSelect the Downloads folder.
- Locate the version of Wireshark you downloaded in Activity 2. Double-click on the file to open it.
- If you see a User Account Control dialog box, select Yes to allow the program to make changes to this computer.
- Select Next > to start the Setup Wizard.
- Review the license agreement. If you agree, select I Agree to continue.
- Select Next > to accept the default components.
- Select the shortcuts you would like to have created. Leave the file extensions selected. Select Next > to continue.
- Select Next > to accept the default install location.
- Select Install to begin installation.
- Select Next > to install WinPcap.
- Select Next > to start the Setup Wizard.
- Review the license agreement. If you agree, select I Agree to continue.
- Select Install to begin installation.
- Select Finish to complete the installation of WinPcap.
- Select Next > to continue with the installation of Wireshark.
- Select Finish to complete the installation of Wireshark.
Note:
- If you encounter compatibility errors, such as with installing WinPcap on Windows 8, try using Compatibility Mode.
- All steps above might be slightly different, which depends on the Wireshark versions.
See Also
[edit | edit source]- Wireshark: Official webpage
- Wireshark User's Guide: Building and Installing Wireshark
- Wireshark Developer's Guide: Quick Setup for Developers
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture network traffic.
Readings
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
Activity 1 - Capture Network Traffic
[edit | edit source]To capture network traffic:
- Start a Wireshark capture.
- Open a web browser and navigate to a favorite web site.
- Stop the Wireshark capture.
- Observe the traffic captured in the top Wireshark packet list pane.
- Select a packet you want to analyze.
- Observe the packet details in the middle Wireshark packet details pane.
- Expand various protocol containers to view detailed protocol information.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and filter network traffic using a display filter.
Readings
[edit | edit source]Multimedia
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start your system Linux or Windows.
- Log in if necessary.
- Install Wireshark.
Activity 1 - Capture Network Traffic
[edit | edit source]To capture network traffic:
- Start a Wireshark capture.
- Use ping 8.8.8.8 to ping an Internet host by IP address.
- Stop the Wireshark capture.
Activity 2 - Use a Display Filter
[edit | edit source]To use a display filter:
- Type ip.addr == 8.8.8.8 in the Filter box and press Enter.
- Observe that the Packet List Pane is now filtered so that only traffic to (destination) or from (source) IP address 8.8.8.8 is displayed.
- Click Clear on the Filter toolbar to clear the display filter.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and filter network traffic using a capture filter.
Readings
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
Activity 1 - Capture Network Traffic Using a Capture Filter
[edit | edit source]To capture network traffic using a capture filter:
- Select either the Capture menu and then the Interfaces dialog box or the List the available capture interfaces toolbar button.
- Select Options.
- Double-click on the interface you want to use for the capture.
- In the Capture Filter box type host 8.8.8.8.
- Select OK to save the changes.
- Select Start to start a Wireshark capture.
- Use ping 8.8.8.8 to ping an Internet host by IP address.
- Use ping 8.8.4.4 to ping an Internet host by IP address.
- Observe that only traffic to (destination) or from (source) IP address 8.8.8.8 is captured.
- Stop the Wireshark capture.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]Lesson 3 - Link Layer
[edit | edit source]This lesson introduces the Link layer and looks at a variety of link layer frame types. Activities include identifying MAC addresses and using Wireshark to examine Ethernet network traffic.
Readings
[edit | edit source]- Wikipedia: Link layer
- Wikipedia: MAC address
- Wikipedia: Organizationally Unique Identifier
- Wikipedia: Ethernet frame
- Wikipedia: EtherType
- Wikipedia: Token Ring Frame Format
- Wikipedia: Point-to-Point Protocol (PPP) Frame
- Wikipedia: IEEE 802.11 Frames
Multimedia
[edit | edit source]- YouTube: MAC Address Formats - CompTIA Network+ N10-005: 1.3
- YouTube: Basics of ipconfig, ping, tracert, nslookup and netstat
Activities
[edit | edit source]- Display MAC Addresses Using Getmac.
- Display MAC Addresses Using Ipconfig.
- Search for a MAC Address OUI.
- Compare Ethernet and Token Ring frame formats. Which fields are included in both formats? Which fields are unique to one format or the other?
- Compare Ethernet and Point-to-Point Protocol frame formats. Which fields are included in both formats? Which fields are unique to one format or the other?
- Review Wireshark: Ethernet.
- Use Wireshark to capture and analyze Ethernet traffic.
- Review Wireshark: WLAN Capture Setup.
- If your wireless network adapter supports it, use Wireshark to capture and analyze 802.11 traffic. Are you able to capture actual 802.11 traffic, or is it translated to Ethernet traffic before it can be captured and displayed?
- Link layer protocols have changed significantly since the introduction of the Internet protocol suite, while the core TCP/IP protocols have changed very little. Consider possible explanations for the many changes and performance improvements in link layer protocols over time.
- Consider situations in which a packet analyzer might be used to troubleshoot link layer traffic.
Lesson Summary
[edit | edit source]- The Link layer is the lowest layer in the Internet Protocol Suite. It implements the communication protocol necessary for a host to link to its directly-connected network.[1]
- TCP/IP's layers are descriptions of operating scopes (application, host-to-host, network, link) and not detailed prescriptions of operating procedures, data semantics, or networking technologies.[2]
- Layering in TCP/IP is not a principal design criterion and in general is considered to be harmful.[3]
- The standard (IEEE 802) format for printing MAC-48 addresses in human-friendly form is six groups of two hexadecimal digits, separated by hyphens (-) or colons (:), in transmission order.[4]
- The IEEE expects the MAC-48 space to be exhausted no sooner than the year 2100.[5]
- If the least significant bit of the most significant octet of an address is set to 0 (zero), the frame is meant to reach only one receiving NIC.[6]
- If the least significant bit of the most significant address octet is set to 1, the frame will still be sent only once; however, NICs will choose to accept it based on different criteria than a matching MAC address: for example, based on a configurable list of multicast MAC addresses.[7]
- Packets sent to the broadcast address, all one bits or hexadecimal FF:FF:FF:FF:FF:FF, are received by all stations on a local area network.[8]
- Packets sent to a multicast address are received by all stations on a LAN that have been configured to receive packets sent to that address.[9]
- Although intended to be a permanent and globally unique identification, it is possible to change the MAC address on most modern hardware.[10]
- An Organizationally Unique Identifier (OUI) is a 24-bit number purchased from the Institute of Electrical and Electronics Engineers, Incorporated (IEEE) Registration Authority and uniquely identifies the vendor or manufacturer of a network adapter.[11]
- An Ethernet frame includes destination and source MAC addresses, Ethertype, data, and a frame check sequence.[12]
- Ethertype is a two-octet field used to indicate which protocol is encapsulated in the payload of an Ethernet Frame.[13]
- A Token Ring frame includes access control, frame control, destination and source MAC addresses, data, and a frame check sequence.[14]
- A Point-to-Point Protocol (PPP) frame includes protocol and data information.[15]
- An IEEE 802.11 frame includes frame control, destination and source MAC addresses, data, and a frame check sequence.[16]
Key Terms
[edit | edit source]- 802.3
- A set of IEEE standards for implementing wired Ethernet.[17]
- 802.5
- A set of IEEE standards for implementing Token Ring.[18]
- 802.11
- A set of IEEE standards for implementing wireless local area network (WLAN) communication.[19]
- Carrier Sense Multiple Access with Collision Detection (CSMA/CD)
- A Media Access Control (MAC) method in which a carrier sensing scheme is used, and a transmitting data station that detects another signal while transmitting a frame stops transmitting that frame, transmits a jam signal, and then waits for a random time interval before trying to resend the frame.[20]
- data transmission
- The physical transfer of data (a digital bit stream) over a point-to-point or point-to-multipoint communication channel.[21]
- Ethernet
- A family of computer networking technologies for local area networks (LANs) that was commercially introduced in 1980 and standardized in 1985 as IEEE 802.3.[22]
- Institute of Electrical and Electronics Engineers (IEEE)
- A professional association headquartered in New York City that is dedicated to advancing technological innovation and excellence.[23]
- Local Area Network (LAN)
- A computer network that interconnects computers in a limited area such as a home, school, computer laboratory, or office building using network media.[24]
- MAC spoofing
- A technique for changing a factory-assigned Media Access Control (MAC) address of a network interface on a networked device.[25]
- network segment
- A portion of a computer network, sometimes used as a synonym for collision domain.[26]
- node
- A connection point, either a redistribution point or a communication endpoint.[27]
- Organizationally Unique Identifier (OUI)
- A 24-bit number purchased from the Institute of Electrical and Electronics Engineers, Incorporated (IEEE) Registration Authority and uniquely identifies the vendor or manufacturer of a network adapter.[28]
- Point-to-Point Protocol (PPP)
- A data link protocol commonly used in establishing a direct connection between two networking nodes in a Wide Area Network (WAN) environment.[29]
- Token Ring
- A data link protocol that uses a ring topology and was standardized as IEEE 802.5.[30]
- unique identifier (UID)
- Any identifier which is guaranteed to be unique among all identifiers used for a given set of objects and for a specific purpose.[31]
- Wide Area Network (WAN)
- A network that covers a broad area (i.e., any telecommunications network that links across metropolitan, regional, or national boundaries) using private or public network transports.[32]
Review Questions
[edit | edit source]Click on a question to see the answer.
-
The Link layer is the _____ layer in the Internet Protocol Suite. It implements the communication protocol necessary for a host to link to _____.The Link layer is the lowest layer in the Internet Protocol Suite. It implements the communication protocol necessary for a host to link to its directly-connected network.
-
TCP/IP's layers are descriptions of operating scopes (application, host-to-host, network, link) and _____ detailed prescriptions of operating procedures, data semantics, or networking technologies.TCP/IP's layers are descriptions of operating scopes (application, host-to-host, network, link) and not detailed prescriptions of operating procedures, data semantics, or networking technologies.
-
Layering in TCP/IP is not a principal design criterion and in general is considered to be _____.Layering in TCP/IP is not a principal design criterion and in general is considered to be harmful.
-
The standard (IEEE 802) format for printing MAC-48 addresses in human-friendly form is _____ groups of two hexadecimal digits, separated by hyphens (-) or colons (:), in transmission order.The standard (IEEE 802) format for printing MAC-48 addresses in human-friendly form is six groups of two hexadecimal digits, separated by hyphens (-) or colons (:), in transmission order.
-
The IEEE expects the MAC-48 space to be exhausted no sooner than the year _____.The IEEE expects the MAC-48 space to be exhausted no sooner than the year 2100.
-
If the least significant bit of the most significant octet of an address is set to 0 (zero), the frame is meant to reach _____.If the least significant bit of the most significant octet of an address is set to 0 (zero), the frame is meant to reach only one receiving NIC.
-
If the least significant bit of the most significant address octet is set to 1, the frame will still be sent only once; however, NICs will choose to accept it based on different criteria than a matching MAC address: for example, based on _____.If the least significant bit of the most significant address octet is set to 1, the frame will still be sent only once; however, NICs will choose to accept it based on different criteria than a matching MAC address: for example, based on a configurable list of multicast MAC addresses.
-
Packets sent to the broadcast address, _____, are received by all stations on a local area network.Packets sent to the broadcast address, all one bits or hexadecimal FF:FF:FF:FF:FF:FF, are received by all stations on a local area network.
-
Packets sent to a multicast address are received by all stations on a LAN that _____.Packets sent to a multicast address are received by all stations on a LAN that have been configured to receive packets sent to that address.
-
Although intended to be a permanent and globally unique identification, it is possible to _____ the MAC address on most modern hardware.Although intended to be a permanent and globally unique identification, it is possible to change the MAC address on most modern hardware.
-
An Organizationally Unique Identifier (OUI) is a 24-bit number purchased from the Institute of Electrical and Electronics Engineers, Incorporated (IEEE) Registration Authority and uniquely identifies _____.An Organizationally Unique Identifier (OUI) is a 24-bit number purchased from the Institute of Electrical and Electronics Engineers, Incorporated (IEEE) Registration Authority and uniquely identifies the vendor or manufacturer of a network adapter.
-
An Ethernet frame includes _____.An Ethernet frame includes destination and source MAC addresses, Ethertype, data, and a frame check sequence.
-
Ethertype is a two-octet field used to indicate _____.Ethertype is a two-octet field used to indicate which protocol is encapsulated in the payload of an Ethernet Frame.
-
A Token Ring frame includes _____.A Token Ring frame includes access control, frame control, destination and source MAC addresses, data, and a frame check sequence.
-
A Point-to-Point Protocol (PPP) frame includes _____.A Point-to-Point Protocol (PPP) frame includes protocol and data information.
-
An IEEE 802.11 frame includes _____.An IEEE 802.11 frame includes frame control, destination and source MAC addresses, data, and a frame check sequence.
Assessments
[edit | edit source]See Also
[edit | edit source]References
[edit | edit source]- ↑ RFC 1122 - Requirements for Internet Hosts -- Communication Layers
- ↑ Wikipedia: Link layer
- ↑ Wikipedia: Link layer#Relation to OSI model
- ↑ Wikipedia: MAC address#Notational conventions
- ↑ Wikipedia: MAC address#Address details
- ↑ Wikipedia: MAC address#Address details
- ↑ Wikipedia: MAC address#Address details
- ↑ Wikipedia: MAC address#Address details
- ↑ Wikipedia: MAC address#Address details
- ↑ Wikipedia: MAC address#Usage in Hosts
- ↑ Wikipedia: Organizationally Unique Identifier
- ↑ Wikipedia: Ethernet frame
- ↑ Wikipedia: Ethertype
- ↑ Wikipedia: Token ring#Token ring frame format
- ↑ Wikipedia: Point-to-Point Protocol#PPP frame
- ↑ Wikipedia: IEEE 802.11#Frames
- ↑ Wikipedia: 802.3
- ↑ Wikipedia: Token ring
- ↑ Wikipedia: IEEE 802.11
- ↑ Wikipedia: Carrier sense multiple access with collision detection
- ↑ Wikipedia: Data transmission
- ↑ Wikipedia: Ethernet
- ↑ Wikipedia: Institute of Electrical and Electronics Engineers
- ↑ Wikipedia: Local area network
- ↑ Wikipedia: MAC spoofing
- ↑ Wikipedia: Network segment
- ↑ Wikipedia: Node (networking)
- ↑ Wikipedia: Organizationally Unique Identifier
- ↑ Wikipedia: Point-to-Point Protocol
- ↑ Wikipedia: Token ring
- ↑ Wikipedia: Unique identifier
- ↑ Wikipedia: Wide area network
Getmac is a Windows command used to display the Media Access Control (MAC) addresses for each network adapter in the computer. These activities will show you how to use the getmac command to display MAC addresses.
Readings
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
Activity 1 - Display MAC Addresses Using Getmac
[edit | edit source]To display MAC addresses using getmac:
- Open a command prompt.
- Type getmac and press Enter.
- Observe the results. You should see a list of physical addresses and transport names in use on the computer.
- Close the command prompt to complete this activity.
References
[edit | edit source]ipconfig /all displays all configuration information for each adapter bound to TCP/IP. This activity will show you how to use ipconfig /all.
Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
Activity 1 - Display All IP Configuration Information
[edit | edit source]To display all configuration information for each adapter bound to TCP/IP:
- Open a command prompt.
- Type ipconfig /all.
Note: While the space between ipconfig and /all isn't required, it's a good idea to get into the habit of including a space between a command and any specified options for other commands that do require the space. - Press Enter.
- Observe available adapters and their detailed IP settings.
- Close the command prompt to complete this activity.
Readings
[edit | edit source]References
[edit | edit source]A Media Access Control address (MAC address) is a unique identifier assigned to network interfaces for communications on the physical network segment. The Organizationally Unique Identifier (OUI) is a 24-bit number that is purchased from the Institute of Electrical and Electronics Engineers, Incorporated (IEEE) Registration Authority and uniquely identifies the vendor or manufacturer of the network adapter.
Readings
[edit | edit source]Activity 1 - Search for a MAC Address OUI
[edit | edit source]To search for a MAC address OUI:
- Use getmac or ipconfig to find the MAC address of your network adapter.
- Using an Internet browser, navigate to the IEEE Standards Association Public OUI Listing and search for the first three octets (first six hexadecimal digits) of the MAC address you found above to identify the manufacturer / registrar of your network adapter.
References
[edit | edit source]- Wikipedia: Media Access Control (MAC) Address
- Wikipedia: Organizationally Unique Identifier (OUI)
- IEEE Standards Association Public OUI Listing
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Ethernet traffic.
Readings
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
Activity 1 - Capture Ethernet Traffic
[edit | edit source]To capture Ethernet traffic:
- Start a Wireshark capture.
- Use ipconfig to display the default gateway address. Note the Default Gateway displayed.
- Use ping <default gateway address> to ping the default gateway address.
- Stop the Wireshark capture.
Activity 2 - Analyze Ethernet Traffic
[edit | edit source]To analyze Ethernet traffic:
- Observe the traffic captured in the top Wireshark packet list pane. All of the traffic you see is likely to be Ethernet traffic. If you want to specifically identify the traffic generated from the ping command above, look for traffic with ICMP listed as the protocol and Echo (ping) request or Echo (ping) reply in the description.
- Select a packet you want to analyze.
- Observe the packet details in the middle Wireshark packet details pane.
- Select Frame. Notice when you select the frame that the entire frame is highlighted in the bottom packet bytes pane.
- Expand Frame to view frame details.
- Expand Ethernet II to view Ethernet details. Notice the Destination, Source, and Type fields.
- Select the Destination field. Notice when you select the Destination field that the first six bytes of the frame are highlighted in the bottom packet bytes pane. This is the destination MAC address for the Ethernet frame.
- Select the Source field. Notice when you select the Source field that the second six bytes of the frame are highlighted in the bottom packet bytes pane. This is the source MAC address for the Ethernet frame.
- Select the Type field. Notice when you select the Type field that the 13th and 14th bytes of the frame are highlighted in the bottom packet bytes pane. This is the type of packet encapsulated inside the Ethernet frame.
- Select additional Ethernet frames in the top packet list pane and observe frame details in these packets.
Activity 3 - Confirm MAC Addresses in Ethernet Traffic
[edit | edit source]To confirm MAC addresses in Ethernet traffic:
- Use ipconfig /all or Getmac to display your computer's Physical Address.
- Compare your computer's physical address to the Source and Destination fields in the captured traffic. Identify which frames were sent by your computer and which frames were received by your computer.
- Use arp -a to view the ARP cache.
- Locate the default gateway IP address used in the ping command above and note the Physical Address of the default gateway.
- Compare your default gateway's physical address to the Source and Destination fields in the captured traffic. Identify which frames were sent by the default gateway and and which frames were sent to the default gateway.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]Lesson 4 - Address Resolution Protocol (ARP)
[edit | edit source]This lesson continues the Link layer and looks at the Address Resolution Protocol (ARP). Activities include viewing and modifying the ARP cache and using Wireshark to examine ARP network traffic.
Readings
[edit | edit source]Multimedia
[edit | edit source]- YouTube: Basics of ipconfig, ping, tracert, nslookup and netstat
- YouTube: An Overview of ARP - CompTIA Network+ N10-005: 4.3
- YouTube: ARP Basics for the Cisco CCNA
- YouTube: Address Resolution Protocol (ARP) Explained
Activities
[edit | edit source]- View the ARP Cache.
- Modify the ARP Cache.
- Review Wireshark: Address Resolution Protocol (ARP).
- Use Wireshark to capture and analyze Address Resolution Protocol (ARP) traffic.
- Consider situations in which a packet analyzer might be used to troubleshoot ARP traffic.
Lesson Summary
[edit | edit source]- Address Resolution Protocol (ARP) is a telecommunications protocol used for resolution of network (Internet) layer addresses into link layer addresses.[1]
- ARP is the name of the program for manipulating Address Resolution Protocol caches in most operating systems.[2]
- In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP is provided by the Neighbor Discovery Protocol (NDP).[3]
- ARP is a request and reply protocol that runs encapsulated by the line protocol.[4]
- ARP is an Internet Protocol Suite Link layer protocol.[5]
- ARP packets include the sender hardware address, the sender protocol address, the target hardware address, and the target protocol address.[6] The hardware address is typically the MAC address and the protocol address is typically the IP address.
- The ARP cache is a memory-cached table of IP addresses and corresponding hardware addresses.[7]
- An ARP probe is an ARP request for one's own IP address, sent just before a network interface begins to use that address. This is done to ensure that the IP address is not already in use on the network.[8]
- A gratuitous ARP request is similar to an ARP probe in that an ARP request for one's own IP address is sent just before a network interface begins to sue the address. The difference is that an ARP probe involves conflict detection, while a gratuitous ARP request is simply an announcement of intent to use the given address.[9]
- ARP mediation supports the transparent use of ARP requests across a circuit-based virtual private wire service (circuit-based VPN).[10]
- Inverse ARP is used to resolve link layer addresses into network (Internet) layer addresses.[11]
- Reverse ARP is similar to Inverse ARP in that it was used to resolve a link layer address into a network layer address. The difference is that Reverse ARP was used to resolve one's own link layer address rather than another node. Reverse ARP has been replaced by the Bootstrap Protocol (BOOTP) and the Dynamic Host Configuration Protocol (DHCP).[12]
- Proxy ARP is a technique by which a device on a given network answers the ARP queries for a network address that is not on that network.[13]
- ARP spoofing is a technique whereby an attacker sends fake Address Resolution Protocol (ARP) messages onto a Local Area Network to associate the attacker's MAC address with the IP address of another host.[14]
- The IPv4 broadcast address is 255.255.255.255.[15]
- IPv6 does not define broadcast addresses. IPv6 uses multicast addressing.[16]
- The Ethernet broadcast address is FF:FF:FF:FF:FF:FF.[17]
Key Terms
[edit | edit source]- Asynchronous Transfer Mode (ATM)
- A telecommunications protocol defined by ANSI and ITU standards to carry voice, data, and video using asynchronous time-division multiplexing and small, fixed-sized cells.[18]
- Customer Edge (CE)
- The router at the customer premises that is connected to the provider edge of a service provider network.[19]
- denial-of-service attack (DoS attack)
- An attempt to make a machine or network resource unavailable to its intended users.[20]
- Fiber Distributed Data Interface (FDDI)
- Provides a 100 Mbit/s optical standard for data transmission in a local area network that can extend in range up to 200 kilometers (120 mi).[21]
- Frame Relay
- A standardized wide area network technology that specifies the physical and logical link layers of digital telecommunications channels using a packet switching methodology. Originally designed for transport across Integrated Services Digital Network (ISDN) infrastructure, it is less expensive than leased lines.[22]
- man-in-the-middle attack
- A form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them.[23]
- Provider Edge (PE)
- A router between one network service provider's area and areas administered by other network providers.[24]
- telecommunication
- The science and practice of transmitting information by electromagnetic means.[25]
- Virtual Private Wire Service (VPWS)
- A circuit-based Virtual Private Network (VPN).[26]
- X.25
- An ITU-T standard protocol suite for packet switched wide area network (WAN) communication using leased lines, plain old telephone service connections or ISDN connections as physical links.[27]
Review Questions
[edit | edit source]Click on a question to see the answer.
-
Address Resolution Protocol (ARP) is a telecommunications protocol used for _____.Address Resolution Protocol (ARP) is a telecommunications protocol used for resolution of network (Internet) layer addresses into link layer addresses.
-
ARP is the name of the program for manipulating Address Resolution Protocol _____ in most operating systems.ARP is the name of the program for manipulating Address Resolution Protocol caches in most operating systems.
-
In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP is provided by _____.In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP is provided by the Neighbor Discovery Protocol (NDP).
-
ARP is a request and reply protocol that runs encapsulated by the _____ protocol.ARP is a request and reply protocol that runs encapsulated by the line protocol.
-
ARP is an Internet Protocol Suite _____ layer protocol.ARP is an Internet Protocol Suite Link layer protocol.
-
ARP packets include _____.ARP packets include the sender hardware address, the sender protocol address, the target hardware address, and the target protocol address.
-
The ARP cache is _____.The ARP cache is a memory-cached table of IP addresses and corresponding hardware addresses.
-
An ARP probe is _____.An ARP probe is an ARP request for one's own IP address, sent just before a network interface begins to use that address.
-
A gratuitous ARP request is _____.A gratuitous ARP request is simply an announcement of intent to use the given address.
-
ARP mediation supports the transparent use of ARP requests across _____.ARP mediation supports the transparent use of ARP requests across a circuit-based virtual private wire service (circuit-based VPN).
-
Inverse ARP is used to _____.Inverse ARP is used to resolve link layer addresses into network (Internet) layer addresses.
-
Reverse ARP is similar to Inverse ARP in that it was used to resolve a link layer address into a network layer address. The difference is that _____.Reverse ARP is similar to Inverse ARP in that it was used to resolve a link layer address into a network layer address. The difference is that Reverse ARP was used to resolve one's own link layer address rather than another node.
-
Proxy ARP is a technique by which a device on a given network _____.Proxy ARP is a technique by which a device on a given network answers the ARP queries for a network address that is not on that network.
-
ARP spoofing is a technique whereby an attacker _____.ARP spoofing is a technique whereby an attacker sends fake Address Resolution Protocol (ARP) messages onto a Local Area Network to associate the attacker's MAC address with the IP address of another host.
-
The IPv4 broadcast address is _____.The IPv4 broadcast address is 255.255.255.255.
-
IPv6 does not define broadcast addresses. IPv6 uses _____ addressing.IPv6 does not define broadcast addresses. IPv6 uses multicast addressing.
-
The Ethernet broadcast address is _____.The Ethernet broadcast address is FF:FF:FF:FF:FF:FF.
Assessments
[edit | edit source]See Also
[edit | edit source]References
[edit | edit source]- ↑ Wikipedia: Address Resolution Protocol
- ↑ Wikipedia: Address Resolution Protocol
- ↑ Wikipedia: Address Resolution Protocol
- ↑ Wikipedia: Address Resolution Protocol#Operating scope
- ↑ Wikipedia: Address Resolution Protocol#Operating scope
- ↑ Wikipedia: Address Resolution Protocol#Packet structure
- ↑ Wikipedia: Address Resolution Protocol#Example
- ↑ RFC 5227
- ↑ RFC 5227
- ↑ Wikipedia: Address Resolution Protocol#ARP mediation
- ↑ Wikipedia: Address Resolution Protocol#Inverse ARP and Reverse ARP
- ↑ Wikipedia: Address Resolution Protocol#Inverse ARP and Reverse ARP
- ↑ Wikipedia: Proxy ARP
- ↑ Wikipedia: ARP spoofing
- ↑ Wikipedia: Broadcast address#IP networking
- ↑ Wikipedia: Broadcast address#IP networking
- ↑ Wikipedia: Broadcast address#Ethernet
- ↑ Wikipedia: Asynchronous Transfer Mode
- ↑ Wikipedia: Customer edge
- ↑ Wikipedia: Denial-of-service
- ↑ Wikipedia: FDDI
- ↑ Wikipedia: Frame Relay
- ↑ Wikipedia: Man-in-the-middle
- ↑ Wikipedia: Provider Edge
- ↑ Wikipedia: Telecommunication
- ↑ Wikipedia: Virtual private network#Virtual private wire and private line services .28VPWS and VPLS.29
- ↑ Wikipedia: X.25
Arp is a Windows command used to view and modify the Address Resolution Protocol (ARP) cache. These activities will show you how to view the ARP cache.
Note: To complete this activity, you must have an administrative user account or know the username and password of an administrator account you can enter when prompted.
Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
Activity 1 - View the ARP Cache
[edit | edit source]To view the ARP cache:
- Type arp -a and press Enter.
- Observe the ARP cache entries.
Activity 2 - Clear the ARP Cache
[edit | edit source]In order to observe the effects of Media Access Control (MAC) address resolution, start by clearing the ARP cache:
- Open an elevated/administrator command prompt.
- Type arp -d and press Enter.
Activity 3 - View the ARP Cache
[edit | edit source]To view the ARP cache:
- Type arp -a and press Enter.
- Observe the ARP cache entries. There should not be any entries in the list. If there are, a background process on your computer has contacted a network host or router since the cache was cleared.
Activity 4 - Ping the Default Gateway
[edit | edit source]To dynamically add an entry to the ARP cache, ping the default gateway:
- Use ipconfig to display the default gateway address. Note the Default Gateway displayed.
- Use ping <default gateway address> to ping the default gateway address.
- Observe the results. You should see replies indicating success.
Activity 5 - View the ARP Cache
[edit | edit source]To view the ARP cache:
- Type arp -a and press Enter.
- Observe the ARP cache entries. There should be an entry for the default gateway showing its Internet (IP) address and physical (MAC) address. There may be other entries, depending on what background process on your computer has contacted a network host.
- Close the command prompt to complete this activity.
Readings
[edit | edit source]- Wikipedia: Address Resolution Protocol (ARP)
- Wikipedia: IP Address
- Wikipedia: Media Access Control (MAC) Address
References
[edit | edit source]Arp is a Windows command used to view and modify the Address Resolution Protocol (ARP) cache. These activities will show you how to modify the ARP cache.
Note: To complete this activity, you must have an administrative user account or know the username and password of an administrator account you can enter when prompted.
Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
Activity 1 - Clear the ARP Cache
[edit | edit source]In order to limit the amount of information displayed, start by clearing the ARP cache:
- Open an elevated/administrator command prompt.
- Type arp -d and press Enter.
Activity 2 - View the ARP Cache
[edit | edit source]To view the ARP cache:
- Type arp -a and press Enter.
- Observe the ARP cache entries. There should not be any entries in the list. If there are, either a network host has contacted your computer, or a background process on your computer has contacted a network host or router since the cache was cleared.
Activity 3 - Ping the Default Gateway
[edit | edit source]To dynamically add an entry to the ARP cache, ping the default gateway:
- Use ipconfig to display the default gateway address. Note the Default Gateway displayed.
- Use ping <default gateway address> to ping the default gateway address.
- Observe the results. You should see replies indicating success.
Activity 4 - View the ARP Cache
[edit | edit source]To view the ARP cache:
- Type arp -a and press Enter.
- Observe the ARP cache entries. There should be an entry for the default gateway showing its Internet (IP) address and physical (MAC) address. There may be other entries, depending on what other network hosts have contacted your computer, or what background process on your computer has contacted a network host.
Activity 5 - Modify the ARP Cache
[edit | edit source]Note: You will lose Internet access with this next step and will restore it again in Activity 8.
Method 1 - Windows XP and Earlier
[edit | edit source]Modify the ARP cache entry for the default gateway by replacing it with an invalid MAC static address:
- Type arp -s <default gateway address> 00-11-22-33-44-55 and press Enter.
Method 2 - Windows 7 and Later
[edit | edit source]Determine your network adapter interface name and modify the ARP cache entry for the default gateway by replacing it with an invalid MAC static address:
- Type netsh interface ipv4 show config.
- Locate the interface with the default gateway listed in Activity 3. The interface name is typically "Local Area Connection" or "Wireless Network Connection".
- Type netsh interface ipv4 add neighbors "<interface name>" <default gateway address> 00-11-22-33-44-55, where <interface name> is the name of the interface identified and <default gateway address> is the address of the default gateway listed in Activity 3. For example, if the interface name is "Local Area Connection" and the default gateway is 192.168.1.1, you would type netsh interface ipv4 add neighbors "Local Area Connection" 192.168.1.1 00-11-22-33-44-55.
Activity 6 - View the ARP Cache
[edit | edit source]To view the ARP cache:
- Type arp -a and press Enter.
- Observe the ARP cache entries. Notice that the default gateway now has the type static and has an invalid MAC address.
Activity 7 - Ping the Default Gateway
[edit | edit source]To test the ARP cache entry, attempt to ping the default gateway:
- Use ping <default gateway address> to ping the default gateway address.
- Observe the results. You should see "Request timed out.", indicating the default gateway cannot be reached.
Activity 8 - Reset the ARP Cache
[edit | edit source]Method 1 - Windows XP and Earlier
[edit | edit source]To reset the ARP cache:
- Type arp -d and press Enter.
- Type arp -a and press Enter to confirm that the static entry has been cleared.
Method 2 - Windows 7 and Later
[edit | edit source]To reset the ARP cache:
- Type netsh interface ipv4 delete neighbors and press Enter.
- Type netsh interface ipv4 show neighbors and press Enter to confirm that the static entry has been cleared.
Activity 9 - Ping the Default Gateway
[edit | edit source]Ping the default gateway to verify network connectivity to the default gateway:
- Use ping <default gateway address> to ping the default gateway address.
- Observe the results. You should see replies indicating success.
Activity 10 - View the ARP Cache
[edit | edit source]To view the ARP cache:
- Type arp -a and press Enter.
- Observe the ARP cache entries. Notice that the default gateway now has the type dynamic and its valid MAC address.
- Close the command prompt to complete this activity.
Readings
[edit | edit source]- Wikipedia: Address Resolution Protocol (ARP)
- Wikipedia: IP Address
- Wikipedia: Media Access Control (MAC) Address
- Wikipedia: netsh
References
[edit | edit source]Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Address Resolution Protocol (ARP) traffic.
Readings
[edit | edit source]- Wikipedia: Address_Resolution_Protocol (ARP)
- Wikipedia: Media Access Control (MAC) Address
- Wikipedia: Broadcast Address
- Wikipedia: Ethertype
Multimedia
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start your computer.
- Log in if necessary.
- Install Wireshark.
Activity 1 - Capture ARP Traffic
[edit | edit source]To capture ARP traffic:
- Start Wireshark, but do not yet start a capture.
- Open an elevated/administrator command prompt.
- Use ipconfig to display the default gateway address. Note the Default Gateway displayed.
- Start a Wireshark capture.
- Use arp -d to clear the ARP cache.
- Use ping <default gateway address> to ping the default gateway address.
- Use arp -a to view the ARP cache and confirm an entry has been added for the default gateway address.
- Close the command prompt.
- Stop the Wireshark capture.
Activity 2 - Analyze an ARP Request
[edit | edit source]To analyze an ARP request:
- Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ARP listed as the protocol. To view only ARP traffic, type arp (lower case) in the Filter box and press Enter.
- Select the first ARP packet.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Address Resolution Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination field. Notice that the destination field is the Ethernet broadcast address (FF:FF:FF:FF:FF:FF). All devices on the network will receive the ARP request.
- Observe the Source field. This should contain your MAC address. You can use ipconfig /all, getmac, or ifconfig to confirm.
- Observe the Type field. Notice that the type is 0x0806, indicating ARP.
- Expand Address Resolution Protocol (request) to view ARP details.
- Observe the Sender MAC address. Notice that the sender MAC address is your MAC address.
- Observe the Sender IP address. Notice that the sender IP address is your IP address.
- Observe the Target MAC address. Notice that the target MAC address is all zeros, because the target MAC address is unknown at this point.
- Observe the Target IP address. Notice that the target IP address is the IP address of the default gateway.
Activity 3 - Analyze an ARP Reply
[edit | edit source]To analyze an ARP reply:
- Select the second ARP packet.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Address Resolution Protocol frame. Confirm that in the middle packet details pane that the packet is labeled Address Resolution Protocol (reply).
- Expand Ethernet II to view Ethernet details.
- Observe the Destination field. Notice that the destination field is your MAC address.
- Observe the Source field. This should be the MAC address of the default gateway.
- Observe the Type field. Notice that the type is 0x0806, indicating ARP.
- Expand Address Resolution Protocol (reply) to view ARP details.
- Observe the Sender MAC address. Notice that the sender MAC address is the MAC address of the default gateway.
- Observe the Sender IP address. Notice that the sender IP address is the IP address of the default gateway.
- Observe the Target MAC address. Notice that the destination MAC address is your MAC address.
- Observe the Target IP address. Notice that the destination IP address is your IP address.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]See also
[edit | edit source]Lesson 5 - Internet Layer / IPv4
[edit | edit source]This lesson introduces the Internet layer and looks at IPv4. Activities include IPv4 addressing and using Wireshark to examine IPv4 network traffic.
Readings
[edit | edit source]- Wikipedia: Internet layer
- Wikipedia: Internet Protocol
- Wikipedia: IPv4
- Wikipedia: IP address
- Wikipedia: Classful network
Multimedia
[edit | edit source]- YouTube: An overview of IPv4 and IPv6 - CompTIA Network+ N10-005: 1.3
- YouTube: Basics of ipconfig, ping, tracert, nslookup and netstat
Activities
[edit | edit source]- Use a Regional Internet Registry to search the Whois database for IP address information.
- Review Wireshark: Internet Protocol (IP).
- Use Wireshark to capture and analyze local IPv4 traffic.
- Use Wireshark to capture and analyze remote IPv4 traffic.
- Use Wireshark to capture and analyze fragmented IPv4 traffic.
- Consider situations in which a packet analyzer might be used to troubleshoot IPv4 traffic.
Lesson Summary
[edit | edit source]- The Internet layer is a group of internetworking methods, protocols, and specifications in the Internet protocol suite that are used to transport datagrams from the originating host across network boundaries, if necessary, to the destination host specified by a network address.[1]
- The Internet layer is not responsible for reliable transmission. It provides only an unreliable connection-less service, and "best effort" delivery.[2]
- The core protocols used in the Internet layer are IPv4, IPv6, the Internet Control Message Protocol (ICMP), and the Internet Group Management Protocol (IGMP).[3]
- The Internet Control Message Protocol (ICMP) is primarily used for error and diagnostic functions.[4]
- The Internet Group Management Protocol (IGMP) is used by IPv4 hosts and adjacent multicast routers to establish multicast group memberships.[5]
- Internet Protocol Security (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications by authenticating and/or encrypting each IP packet in a data stream.[6]
- Each IP datagram has two components, a header and a data payload. The IP header is tagged with the source IP address, destination IP address, and other meta-data needed to route and deliver the datagram.[7]
- IPv4 uses 32-bit (four-byte) addresses, most often written in the dotted decimal notation, which consists of four octets of bit values expressed individually in decimal and separated by periods.[8]
- Private IPv4 network address ranges are reserved for use in private networks and include 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. Private networks communicate with public networks through network address translation (NAT).[9]
- The link-local IPv4 address range, 169.254.0.0/16, is similar to a private network address range but is not routable. These addresses are most often used when a host cannot obtain an IP address from a Dynamic Host Configuration Protocol (DHCP) server.[10]
- The loopback address range, 127.0.0.0/8 is reserved for loopback, or internal host addressing.[11]
- The primary address pool of the Internet, maintained by the Internet Assigned Numbers Authority (IANA), was exhausted on 3 February 2011.[12]
- Valid IPv4 host addresses have a first octet in the range 1-126 (originally Class A), 128-191 (originally Class B), or 192-223 (originally Class C). Multicast addresses have a first octet in the range 224-239 (originally Class D). Addresses with a first octet in the range 240-255 are unused (reserved / experimental).[13][14]
- Classful networking was replaced by Classless Inter-Domain Routing (CIDR) starting in 1993.[15] However, the basic addressing concepts developed under classful networking still apply to IPv4. The CIDR changes apply to subnetting and routing, which will be examined in the next lesson.
Key Terms
[edit | edit source]- American Registry for Internet Numbers (ARIN)
- The Regional Internet Registry (RIR) for Canada, many Caribbean and North Atlantic islands, and the United States.[16]
- data corruption
- Errors in computer data that occur during writing, reading, storage, transmission, or processing, which introduce unintended changes to the original data.[17]
- datagram
- A basic transfer unit associated with a packet-switched network in which the delivery, arrival time, and order of arrival are not guaranteed by the network service.[18]
- gateway
- A network point that acts as an entrance to another network.[19]
- host
- A computer connected to a computer network and assigned a network layer host address.[20]
- Internet Assigned Numbers Authority (IANA)
- The entity that oversees global IP address allocation, autonomous system number allocation, root zone management in the Domain Name System (DNS), media types, and other Internet Protocol-related symbols and numbers.[21]
- Internet Protocol (IP)
- The principal communications protocol responsible for addressing hosts and routing datagrams (packets) from a source host to the destination host across one or more networks.[22]
- IP fragmentation
- The Internet Protocol fragmentation and reassembly procedure that can break a datagram into pieces that may later be reassembled based on identification, offset, and length.[23]
- network address translation (NAT)
- The process of modifying IP address information in IP packet headers while in transit across a traffic routing device.[24]
- octet
- A unit of digital information in computing and telecommunications that consists of eight bits.[25]
- packet switching
- A digital networking communications method that groups all transmitted data into variably-sized blocks, called packets, for delivery over a shared network.[26]
- Regional Internet Registry (RIR)
- An organization that manages the allocation and registration of Internet number resources within a particular region of the world.[27]
- robustness principle
- Be liberal in what you accept, and conservative in what you send.[28]
- scalability
- The ability of a system, network, or process, to handle a growing amount of work in a capable manner or its ability to be enlarged to accommodate that growth.[29]
Review Questions
[edit | edit source]Click on a question to see the answer.
-
The Internet layer is a group of internetworking methods, protocols, and specifications in the Internet protocol suite that are used to _____ from the originating _____ across _____, if necessary, to the destination _____ specified by a network address.The Internet layer is a group of internetworking methods, protocols, and specifications in the Internet protocol suite that are used to transport datagrams from the originating host across network boundaries, if necessary, to the destination host specified by a network address.
-
The Internet layer is not responsible for reliable transmission. It provides only _____.The Internet layer is not responsible for reliable transmission. It provides only an unreliable connection-less service, and "best effort" delivery.
-
The core protocols used in the Internet layer are _____.The core protocols used in the Internet layer are IPv4, IPv6, the Internet Control Message Protocol (ICMP), and the Internet Group Management Protocol (IGMP).
-
The _____ is primarily used for error and diagnostic functions.The Internet Control Message Protocol (ICMP) is primarily used for error and diagnostic functions.
-
The _____ is used by IPv4 hosts and adjacent multicast routers to establish multicast group memberships.The Internet Group Management Protocol (IGMP) is used by IPv4 hosts and adjacent multicast routers to establish multicast group memberships.
-
Internet Protocol Security (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications by _____ and/or _____ each IP packet in a data stream.Internet Protocol Security (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications by authenticating and/or encrypting each IP packet in a data stream.
-
Each IP datagram has two components, a header and a data payload. The IP header is tagged with _____ needed to route and deliver the datagram.Each IP datagram has two components, a header and a data payload. The IP header is tagged with the source IP address, destination IP address, and other meta-data needed to route and deliver the datagram.
-
IPv4 uses _____ addresses, most often written in the _____ notation.IPv4 uses 32-bit (four-byte) addresses, most often written in the dotted decimal notation.
-
Private IPv4 network address ranges are reserved for use in private networks and include _____.Private IPv4 network address ranges are reserved for use in private networks and include 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
-
Private networks communicate with public networks through _____.Private networks communicate with public networks through network address translation (NAT).
-
The link-local IPv4 address range, _____, is similar to a private network address range but is not routable.The link-local IPv4 address range, 169.254.0.0/16, is similar to a private network address range but is not routable.
-
The loopback address range, _____ is reserved for loopback, or internal host addressing.The loopback address range, 127.0.0.0/8 is reserved for loopback, or internal host addressing.
-
The primary address pool of the Internet, maintained by the Internet Assigned Numbers Authority (IANA), was exhausted in _____.The primary address pool of the Internet, maintained by the Internet Assigned Numbers Authority (IANA), was exhausted in 2011.
-
Valid IPv4 host addresses have a first octet in the range _____ (originally Class A), _____ (originally Class B), or _____ (originally Class C).Valid IPv4 host addresses have a first octet in the range 1-126 (originally Class A), 128-191 (originally Class B), or 192-223 (originally Class C).
-
Multicast addresses have a first octet in the range _____ (originally Class D).Multicast addresses have a first octet in the range 224-239 (originally Class D).
-
Addresses with a first octet in the range _____ are unused (reserved / experimental).Addresses with a first octet in the range 240-255 are unused (reserved / experimental).
-
Classful networking was replaced by _____ starting in 1993.Classful networking was replaced by Classless Inter-Domain Routing (CIDR) starting in 1993.
Assessments
[edit | edit source]See Also
[edit | edit source]References
[edit | edit source]- ↑ Wikipedia: Internet layer
- ↑ Wikipedia: Internet layer#Purpose
- ↑ Wikipedia: Internet layer#Core protocols
- ↑ Wikipedia: Internet layer#Core protocols
- ↑ Wikipedia: Internet layer#Core protocols
- ↑ Wikipedia: Internet layer#Security
- ↑ Wikipedia: Internet Protocol#Datagram construction
- ↑ Wikipedia: IPv4#Address representations
- ↑ Wikipedia: IPv4#Private networks
- ↑ Wikipedia: IPv4#Link-local addressing
- ↑ Wikipedia: IPv4#Loopback
- ↑ Wikipedia: IPv4#Address space exhaustion
- ↑ Wikipedia: Classful network
- ↑ Wikipedia: List of assigned /8 IPv4 address blocks
- ↑ Wikipedia: Classful network
- ↑ Wikipedia: American Registry for Internet Numbers
- ↑ Wikipedia: Data corruption
- ↑ Wikipedia: Datagrams
- ↑ Wikipedia: Gateway (telecommunications)#Details
- ↑ Wikipedia: Network host
- ↑ Wikipedia: Internet Assigned Numbers Authority
- ↑ Wikipedia: Internet Protocol
- ↑ RFC 791
- ↑ Wikipedia: Network address translation
- ↑ Wikipedia: Octet (computing)
- ↑ Wikipedia: Packet-switched
- ↑ Wikipedia: Regional Internet registries
- ↑ RFC 1122
- ↑ Wikipedia: Scalability
IP address registration information may be located using one of the five Regional Internet Registry Whois databases. These activities will show you how to find the registrant or service provider for a given IP address.
Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
Activity 1 - Determine your Regional Internet Registry
[edit | edit source]To determine your Regional Internet Registry:
Activity 2 - Search for a Public IPv4 Address
[edit | edit source]To search for a public IPv4 address:
- Navigate to the home page of one of the five regional Internet registries:
- Locate the Whois / Search Database feature on the registry home page.
- Enter 8.8.8.8 in the search box. This is the IPv4 address of one of Google's public DNS servers. Press Enter or select the submit button to submit your search.
- Review the returned registration information.
Activity 3 - Search for a Private IPv4 Address
[edit | edit source]To search for a private IPv4 address:
- Enter 192.168.0.1 in the search box. This is a private IP address. Press Enter or select the submit button to submit your search.
- Review the returned registration information.
Activity 4 - Search for a Link-Local IPv4 Address
[edit | edit source]To search for a link-local IPv4 address:
- Enter 169.254.1.1 in the search box. This is a loopback address. Press Enter or select the submit button to submit your search.
- Review the returned registration information.
Activity 5 - Search for a Loopback IPv4 Address
[edit | edit source]To search for a loopback IPv4 address:
- Enter 127.0.0.1 in the search box. This is a loopback address. Press Enter or select the submit button to submit your search.
- Review the returned registration information.
Activity 6 - Search for a Multicast IPv4 Address
[edit | edit source]To search for a multicast IPv4 address:
- Enter 224.0.0.1 in the search box. This is a loopback address. Press Enter or select the submit button to submit your search.
- Review the returned registration information.
Activity 7 - Search for a Reserved IPv4 Address
[edit | edit source]To search for a reserved IPv4 address:
- Enter 240.0.0.1 in the search box. This is a loopback address. Press Enter or select the submit button to submit your search.
- Review the returned registration information.
Activity 8 - Search for a Public IPv6 Address
[edit | edit source]To search for a public IPv6 address:
- Enter 2001:4860:4860::8888 in the search box. This is the IPv6 address of one of Google's public DNS servers. Press Enter or select the submit button to submit your search.
- Review the returned registration information.
Readings
[edit | edit source]References
[edit | edit source]Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Address Resolution Protocol (ARP) traffic.
Readings
[edit | edit source]- Wikipedia: Address_Resolution_Protocol (ARP)
- Wikipedia: Media Access Control (MAC) Address
- Wikipedia: Broadcast Address
- Wikipedia: Ethertype
Multimedia
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start your computer.
- Log in if necessary.
- Install Wireshark.
Activity 1 - Capture ARP Traffic
[edit | edit source]To capture ARP traffic:
- Start Wireshark, but do not yet start a capture.
- Open an elevated/administrator command prompt.
- Use ipconfig to display the default gateway address. Note the Default Gateway displayed.
- Start a Wireshark capture.
- Use arp -d to clear the ARP cache.
- Use ping <default gateway address> to ping the default gateway address.
- Use arp -a to view the ARP cache and confirm an entry has been added for the default gateway address.
- Close the command prompt.
- Stop the Wireshark capture.
Activity 2 - Analyze an ARP Request
[edit | edit source]To analyze an ARP request:
- Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ARP listed as the protocol. To view only ARP traffic, type arp (lower case) in the Filter box and press Enter.
- Select the first ARP packet.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Address Resolution Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination field. Notice that the destination field is the Ethernet broadcast address (FF:FF:FF:FF:FF:FF). All devices on the network will receive the ARP request.
- Observe the Source field. This should contain your MAC address. You can use ipconfig /all, getmac, or ifconfig to confirm.
- Observe the Type field. Notice that the type is 0x0806, indicating ARP.
- Expand Address Resolution Protocol (request) to view ARP details.
- Observe the Sender MAC address. Notice that the sender MAC address is your MAC address.
- Observe the Sender IP address. Notice that the sender IP address is your IP address.
- Observe the Target MAC address. Notice that the target MAC address is all zeros, because the target MAC address is unknown at this point.
- Observe the Target IP address. Notice that the target IP address is the IP address of the default gateway.
Activity 3 - Analyze an ARP Reply
[edit | edit source]To analyze an ARP reply:
- Select the second ARP packet.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Address Resolution Protocol frame. Confirm that in the middle packet details pane that the packet is labeled Address Resolution Protocol (reply).
- Expand Ethernet II to view Ethernet details.
- Observe the Destination field. Notice that the destination field is your MAC address.
- Observe the Source field. This should be the MAC address of the default gateway.
- Observe the Type field. Notice that the type is 0x0806, indicating ARP.
- Expand Address Resolution Protocol (reply) to view ARP details.
- Observe the Sender MAC address. Notice that the sender MAC address is the MAC address of the default gateway.
- Observe the Sender IP address. Notice that the sender IP address is the IP address of the default gateway.
- Observe the Target MAC address. Notice that the destination MAC address is your MAC address.
- Observe the Target IP address. Notice that the destination IP address is your IP address.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]See also
[edit | edit source]Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze local IPv4 traffic.
Readings
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
Activity 1 - Capture Local IPv4 Traffic
[edit | edit source]To capture local IPv4 traffic:
- Start a Wireshark capture.
- Use ping <default gateway address> to ping the default gateway address.
- Stop the Wireshark capture.
Activity 2 - Analyze Local IPv4 Outbound Traffic
[edit | edit source]To analyze local IPv4 outbound traffic:
- Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMP listed as the protocol. To view only ICMP traffic, type icmp (lower case) in the Filter box and press Enter.
- Select the first ICMP packet, labeled Echo (ping) request.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination field. This should contain the MAC address of your default gateway. You can use arp -a to confirm.
- Observe the Source field. This should contain your MAC address. You can use ipconfig /all or getmac to confirm.
- Observe the Type field. Notice that the type is 0x0800, indicating IP.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is your IP address.
- Observe the Destination address. Notice that the destination address is the default gateway IP address.
Activity 3 - Analyze Local IPv4 Inbound Traffic
[edit | edit source]To analyze local IPv4 inbound traffic:
- In the top Wireshark packet list pane, select the second ICMP packet, labeled Echo (ping) reply.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination field. This should contain your MAC address.
- Observe the Source field. This should contain the MAC address of your default gateway.
- Observe the Type field. Notice that the type is 0x0800, indicating IP.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is the default gateway IP address.
- Observe the Destination address. Notice that the destination address is your IP address.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze remote IPv4 traffic.
Readings
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
Activity 1 - Capture Remote IPv4 Traffic
[edit | edit source]To capture remote IPv4 traffic:
- Start a Wireshark capture.
- Use ping 8.8.8.8 to ping an Internet host by IP address.
- Stop the Wireshark capture.
Activity 2 - Analyze Remote IPv4 Outbound Traffic
[edit | edit source]To analyze remote IPv4 outbound traffic:
- Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMP listed as the protocol. To view only ICMP traffic, type icmp (lower case) in the Filter box and press Enter.
- Select the first ICMP packet, labeled Echo (ping) request.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination field. This should contain the MAC address of your default gateway. You can use arp -a to confirm. Notice that remote Internet layer traffic is processed as local Link layer traffic. The default gateway will route the packet to the Internet.
- Observe the Source field. This should contain your MAC address. You can use ipconfig /all or getmac to confirm.
- Observe the Type field. Notice that the type is 0x0800, indicating IP.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is your IP address.
- Observe the Destination address. Notice that the destination address is the Internet host IP address.
Activity 3 - Analyze Remote IPv4 Inbound Traffic
[edit | edit source]To analyze remote IPv4 inbound traffic:
- In the top Wireshark packet list pane, select the second ICMP packet, labeled Echo (ping) reply.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination field. This should contain your MAC address.
- Observe the Source field. This should contain the MAC address of your default gateway. Notice that the remote Internet layer traffic is returned as local Link layer traffic. The routers between the Internet host and your network routed the packet back to your router so that it could forward the packet back to your computer.
- Observe the Type field. Notice that the type is 0x0800, indicating IP.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is the Internet host IP address.
- Observe the Destination address. Notice that the destination address is your IP address.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze fragmented IPv4 traffic.
Readings
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
Activity 1 - Capture Fragmented IPv4 Traffic
[edit | edit source]To capture fragmented IPv4 traffic:
- Start a Wireshark capture.
- Use ping -l 2500 <default gateway address> to ping the default gateway address with a 2,500 byte packet. Notice that because the default maximum transmission unit (MTU) for Ethernet frames is 1,500 bytes, this should generate fragmented packets.
- Stop the Wireshark capture.
Activity 2 - Analyze Fragmented IPv4 Outbound Traffic
[edit | edit source]To analyze fragmented IPv4 outbound traffic:
- Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMP listed as the protocol. To find only ICMP traffic, type icmp (lower case) in the Filter box and press Enter.
- Select the first ICMP packet, labeled Echo (ping) request.
- If you applied an icmp filter, clear the filter so you can see the IPv4 fragments.
- Select the IPv4 packet immediately above the first ICMP packet.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
- Expand Internet Protocol Version 4 to view IP details.
- Expand Flags to view flag details.
- Observe the More fragments field. Notice that it is set, indicating more fragments will follow.
- Observe the Fragment offset field. Notice that it is 0, indicating this is the first fragment.
- Observe the Total length and Header length fields. Subtract header length from total length to determine the size of this fragment.
- In the top Wireshark packet list pane, select the next packet, labeled Echo (ping) request.
- View IP details.
- Observe the More fragments field. Notice that it is not set, indicating no more fragments will follow.
- Observe the Fragment offset field. Notice that it is the same as the size calculated for the first fragment.
- Observe the Total length and Header length fields. Subtract header length from total length to determine the size of this fragment.
- Add the sizes of the two fragments together to determine total data length. It should be 2,508, indicating 2,500 bytes of ICMP data and an 8 byte ICMP header.
Activity 3 - Analyze Fragmented IPv4 Inbound Traffic
[edit | edit source]To analyze fragmented IPv4 inbound traffic:
- In the top Wireshark packet list pane, select the second ICMP packet, labeled Echo (ping) reply.
- Select the IPv4 packet immediately above the second ICMP packet.
- View IP details.
- Observe the More fragments field. Notice that it is set, indicating more fragments will follow.
- Observe the Fragment offset field. Notice that it is 0, indicating this is the first fragment.
- Observe the Total length and Header length fields. Subtract header length from total length to determine the size of this fragment.
- In the top Wireshark packet list pane, select the next packet, labeled Echo (ping) reply.
- View IP details.
- Observe the More fragments field. Notice that it is not set, indicating no more fragments will follow.
- Observe the Fragment offset field. Notice that it is the same as the size calculated for the first fragment.
- Observe the Total length and Header length fields. Subtract header length from total length to determine the size of this fragment.
- Add the sizes of the two fragments together to determine total data length. It should be 2,508, indicating 2,500 bytes of ICMP data and an 8 byte ICMP header.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]Lesson 6 - Subnetting
[edit | edit source]This lesson continues the Internet layer and looks at subnetworks, Classless Inter-Domain Routing (CIDR), subnetting, and supernetworks. Activities include IPv4 subnetting, and using the Cisco Subnet Game.
Readings
[edit | edit source]- Wikipedia: Subnetwork
- Wikipedia: IPv4 subnetting reference
- Wikipedia: CIDR notation
- Wikipedia: Classless Inter-Domain Routing
- Wikipedia: Supernetwork
Multimedia
[edit | edit source]- YouTube: Subnetting, Cisco CCNA, Binary Numbers - Part 1
- YouTube: Subnetting, Cisco CCNA, Binary Numbers - Part 2
- YouTube: Subnetting, Cisco CCNA, Binary Numbers - Part 3
- YouTube: Subnetting, Cisco CCNA, Binary Numbers - Part 4
- YouTube: Subnetting Cisco CCNA - Part 1 The Magic Number
- YouTube: Subnetting Cisco CCNA - Part 2 The Magic Number
- YouTube: Subnetting Cisco CCNA - Part 3 The Magic Number
- YouTube: Subnetting Cisco CCNA - Part 4 The Magic Number
- YouTube: Subnetting Cisco CCNA - Part 5 The Magic Number
- YouTube: Subnetting Cisco CCNA - Part 6 The Magic Number
Activities
[edit | edit source]- Review Cisco: IP Addressing and Subnetting for New Users.
- Review Understanding TCP/IP addressing and subnetting basics.
- Experiment with an online subnet calculator such as Online IP Subnet Calculator.
- Generate practice subnetting questions using this Subnet Calculator.
- Review EasySubnetting.com subnetting resources.
- Play the Cisco: Subnet Troubleshooting Game.
- Consider situations in which a packet analyzer might be used to troubleshoot subnetting and routing traffic.
Lesson Summary
[edit | edit source]- An IP address has two fields, a network prefix and a host identifier.[1]
- The network prefix is identified using CIDR notation.[2]
- In IPv4, the network prefix may also be identified using a 32-bit subnet mask in dotted-decimal notation.[3]
- A network is divided into two or more subnetworks by dividing the host identifier field into separate subnet number and smaller host identifier fields.[4]
- All hosts on a subnetwork have the same network prefix.[5]
- Traffic between subnets is exchanged through a router.[6]
- The first address on any given IPv4 network or subnet is reserved for the network itself.[7]
- The last address on any given IPv4 network or subnet is reserved for broadcast.[8]
- The separation of the network prefix/subnet number from the host identifier is performed by a bitwise AND operation between the IP address and the (sub)network mask.[9]
- The number of subnetworks created by subnetting can be calculated as 2n, where n is the number of bits used for subnetting.[10]
- The number of available hosts on each subnet can be calculated as 2n -2 ,where n is the number of bits available for the host identifier.[11]
- The goal of Classless Inter-Domain Routing was to slow the growth of routing tables on routers across the Internet, and to help slow the rapid exhaustion of IPv4 addresses.[12]
- Classless Inter-Domain Routing is based on variable-length subnet masking (VLSM), which allows a network to be divided into variously sized subnets, providing the opportunity to size a network more appropriately for local needs.[13]
- The benefits of supernetting are conservation of address space and efficiencies gained in routers in terms of memory storage of route information and processing overhead when matching routes.[14]
Key Terms
[edit | edit source]- bitwise AND
- A binary operation that takes two representations of equal length and performs the logical AND operation on each pair of corresponding bits. The result in each position is 1 if the first bit is 1 and the second bit is 1; otherwise, the result is 0.[15]
- CIDR notation
- A compact specification of an Internet Protocol address and its associated routing prefix.[16]
- provider-independent address space
- A block of IP addresses assigned by a regional Internet registry (RIR) directly to an end-user organization.[17]
- routing table
- A data table stored in a router or a networked computer that lists the routes to particular network destinations, and in some cases, metrics (distances) associated with those routes.[18]
- subnet
- A logically visible subdivision of an IP network.[19]
- subnet mask
- A bitmask that encodes the (sub)network prefix length in dotted-decimal notation, starting with a number of 1 bits equal to the prefix length, ending with 0 bits, and encoded in four-part dotted-decimal format.[20]
- subnetting
- The practice of dividing a network into two or more networks.[21]
- supernet
- An Internet Protocol (IP) network that is formed from the combination of two or more networks (or subnets) with a common Classless Inter-Domain Routing (CIDR) prefix.[22]
Review Questions
[edit | edit source]Click on a question to see the answer.
-
An IP address has two fields, _____.An IP address has two fields, a network prefix and a host identifier.
-
The network prefix is identified using _____.The network prefix is identified using CIDR notation.
-
In IPv4, in addition to using CIDR notation, the network prefix may be identified using _____.In IPv4, in addition to using CIDR notation, the network prefix may be identified using a 32-bit subnet mask in dotted-decimal notation.
-
A network is divided into two or more subnetworks by dividing _____.A network is divided into two or more subnetworks by dividing the host identifier field into separate subnet number and smaller host identifier fields.
-
All hosts on a subnetwork have the same _____.All hosts on a subnetwork have the same network prefix.
-
Traffic between subnets is exchanged through a _____.Traffic between subnets is exchanged through a router.
-
The first address on any given network or subnet is reserved for _____.The first address on any given IPv4 network or subnet is reserved for the network itself.
-
The last address on any given IPv4 network or subnet is reserved for _____.The last address on any given IPv4 network or subnet is reserved for broadcast.
-
The separation of the network prefix/subnet number from the host identifier is performed by _____.The separation of the network prefix/subnet number from the host identifier is performed by a bitwise AND operation between the IP address and the (sub)network mask.
-
The number of subnetworks created by subnetting can be calculated as _____.The number of subnetworks created by subnetting can be calculated as 2n, where n is the number of bits used for subnetting.
-
The number of available hosts on each subnet can be calculated as _____.The number of available hosts on each subnet can be calculated as 2n-2, where n is the number of bits available for the host identifier.
-
The goal of Classless Inter-Domain Routing was to _____.The goal of Classless Inter-Domain Routing was to slow the growth of routing tables on routers across the Internet, and to help slow the rapid exhaustion of IPv4 addresses.
-
Classless Inter-Domain Routing is based on _____.Classless Inter-Domain Routing is based on variable-length subnet masking (VLSM).
-
The benefits of supernetting are _____.The benefits of supernetting are conservation of address space and efficiencies gained in routers in terms of memory storage of route information and processing overhead when matching routes.
Assessments
[edit | edit source]References
[edit | edit source]- ↑ Wikipedia: Subnetwork
- ↑ Wikipedia: Subnetwork
- ↑ Wikipedia: Subnetwork
- ↑ Wikipedia: Subnetwork
- ↑ Wikipedia: Subnet mask#Network addressing and routing
- ↑ Wikipedia: Subnetwork
- ↑ Wikipedia: Subnetwork
- ↑ Wikipedia: Subnetwork#Special addresses and subnets
- ↑ Wikipedia: Subnetwork#IPv4 subnetting
- ↑ Wikipedia: Subnetwork#Subnet and host counts
- ↑ Wikipedia: Subnetwork#Subnet and host counts
- ↑ Wikipedia: Classless Inter-Domain Routing
- ↑ Wikipedia: Classless Inter-Domain Routing#Background
- ↑ Wikipedia: Supernetwork
- ↑ Wikipedia: Bitwise operation#AND
- ↑ Wikipedia: CIDR notation
- ↑ Wikipedia: Provider-independent address space
- ↑ Wikipedia: Routing table
- ↑ Wikipedia: Subnetwork
- ↑ Wikipedia: Classless Inter-Domain Routing#Subnet masks
- ↑ Wikipedia: Subnetwork
- ↑ Wikipedia: Supernetwork
Lesson 7 - IPv6
[edit | edit source]This lesson continues the Internet layer and looks at IPv6 and a variety of IPv6 transition technologies. Activities include using Wireshark to examine IPv6 network traffic.
Readings
[edit | edit source]- Wikipedia: IPv6
- Wikipedia: Link-local address
- Wikipedia: Teredo tunneling
- Wikipedia: ISATAP
- Wikipedia: 6to4
- Wikipedia: 6in4
- Wikipedia: NAT64
Multimedia
[edit | edit source]- YouTube: An overview of IPv4 and IPv6 - CompTIA Network+ N10-005: 1.3
- YouTube: IPv6 Transition Technology
Activities
[edit | edit source]- Use netsh to configure IPv6 settings.
- Use Wireshark to capture and analyze local IPv6 traffic.
- Use Wireshark to capture and analyze remote IPv6 traffic.
- Use Wireshark to capture and analyze IPv6 Teredo traffic.
- Use Wireshark to capture and analyze IPv6 6to4 traffic.
- Use Wireshark to capture and analyze IPv6 6in4 traffic.
- Consider situations in which a packet analyzer might be used to troubleshoot IPv6 traffic.
Lesson Summary
[edit | edit source]- IPv6 is an Internet-layer protocol for packet-switched internetworking and provides end-to-end datagram transmission across multiple IP networks.[1]
- IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of running out of IPv4 addresses.[2]
- IPv6 uses 128-bit addresses, commonly displayed to users as eight groups of four hexadecimal digits separated by colons.[3]
- In an IPv6 address, leading zeroes may be removed from any group of hexadecimal digits. Multiple consecutive groups of zeroes may be replaced with a double colon (::).[4]
- The IPv6 subnet size has been standardized by fixing the size of the host identifier portion of an address to 64 bits.[5]
- IPv6 does not implement interoperability features with IPv4, but essentially creates a parallel, independent network. Exchanging traffic between the two networks requires special translator gateways.[6]
- Work on IPv6 began by 1992, and was first published in a series of RFCs in 1996.[7]
- Most transport and application-layer protocols need little or no change to operate over IPv6.[8]
- Multicasting is part of the base specification in IPv6. IPv6 does not implement traditional IP broadcast and does not define broadcast addresses.[9]
- IPv6 hosts can configure themselves automatically when connected to a routed IPv6 network using the Neighbor Discovery Protocol via Internet Control Message Protocol version 6 (ICMPv6) router discovery messages.[10]
- IPv6 routers do not perform fragmentation.[11]
- Privacy extensions for IPv6 allow the operating system to generate ephemeral IP addresses by concatenating a randomly generated host identifier with the assigned network prefix for communication with remote hosts.[12]
- The IPv6 header consists of a fixed portion with minimal functionality required for all packets and may be followed by optional extensions to implement special features. The fixed header requires 40 octets (320 bits) and contains the source and destination addresses, traffic classification options, a hop counter, and the type of the optional extension or payload which follows the fixed header.[13]
- The IPv6 loopback address is ::1.[14]
- Link-local addresses begin with fe80::/10.[15]
- Tunneling may be used to enable IPv4 networks to communicate with IPv6 networks. In tunneling, IPv6 packets are encapsulated within IPv4 packets, in effect using IPv4 as a link layer for IPv6.[16]
- Teredo is an automatic inter-site tunneling technique that uses UDP encapsulation and can cross Network Address Translation (NAT) nodes.[17] Teredo addresses begin with 2001:0::/32.[18]
- ISATAP is an automatic intra-site tunneling technique that uses IPv4 encapsulation. It cannot cross NAT nodes.[19]ISATAP addresses begin with fe80::200:5efe/96.[20]
- 6to4 is an automatic inter-site tunneling technique that uses IPv4 encapsulation. It cannot cross NAT nodes.[21] 6to4 addresses begin with 2002::/16 and relay through 192.88.99.1.[22]
- 6in4 is a configured inter-site tunneling technique that uses IPv4 encapsulation. It can cross NAT nodes with proper configuration.[23] 6in4 addresses are public addresses assigned by the tunnel broker, and therefore create security risks.[24]
- NAT64 is a network address translation technique that allows IPv6-only hosts to communicate with IPv4-only servers. NAT64 server addresses begin with 64:ff9b::/96.[25]
Key Terms
[edit | edit source]- anycast
- A network addressing and routing methodology in which datagrams from a single sender are routed to the topologically nearest node in a group of potential receivers, though it may be sent to several nodes, all identified by the same destination address.[26]
- Data Over Cable Service Interface Specification (DOCSIS)
- An international telecommunications standard that permits the addition of high-speed data transfer to an existing cable TV (CATV) system.[27]
- end-to-end principle
- A classic computer network design principle which states that application-specific functions ought to reside in the end hosts of a network rather than in intermediary nodes – provided they can be implemented completely and correctly in the end hosts.[28]
- hop count
- A count of the intermediate devices (routers) through which data must pass between source and destination.[29]
- jumbogram
- An internet layer packet exceeding the standard Maximum Transmission Unit (MTU) of the underlying network technology.[30]
- Mobile IP
- An Internet Engineering Task Force (IETF) standard communications protocol that is designed to allow mobile device users to move from one network to another while maintaining a permanent IP address.[31]
- Path MTU Discovery (PMTUD)
- A standardized technique for determining the maximum transmission unit (MTU) size on the network path between two Internet Protocol (IP) hosts.[32]
- proxy server
- A computer system or application that acts as an intermediary for requests from clients seeking resources from other servers.[33]
- Quality of Service (QoS)
- The ability to provide different priority to different applications, users, or data flows, or to guarantee a certain level of performance to a data flow.[34]
- Stateless Address Autoconfiguration (SLAAC)
- A method by which a node automatically creates a link-local address with the prefix fe80::/64 on each IPv6-enabled interface, even if globally routable addresses are manually configured or obtained through configuration protocols.[35]
- tunneling protocol
- The use of one network protocol (the delivery protocol) to encapsulate a different payload protocol.[36]
- World IPv6 Launch
- The Internet Society declared June 6, 2012 to be the date for "World IPv6 Launch", with participating major websites enabling IPv6 permanently, participating ISPs offering IPv6 connectivity, and participating router manufacturers offering devices enabled for IPv6 by default.[37]
Review Questions
[edit | edit source]Click on a question to see the answer.
-
IPv6 is an _____-layer protocol for packet-switched internetworking and provides end-to-end datagram transmission across multiple IP networks.IPv6 is an Internet-layer protocol for packet-switched internetworking and provides end-to-end datagram transmission across multiple IP networks.
-
IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of _____.IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of running out of IPv4 addresses.
-
IPv6 uses _____-bit addresses, commonly displayed to users as _____ groups of _____ hexadecimal digits separated by _____.IPv6 uses 128-bit addresses, commonly displayed to users as eight groups of four hexadecimal digits separated by colons.
-
In an IPv6 address, leading zeroes may be removed from any group of hexadecimal digits. Multiple consecutive groups of zeroes may be replaced with _____.In an IPv6 address, leading zeroes may be removed from any group of hexadecimal digits. Multiple consecutive groups of zeroes may be replaced with a double colon (::).
-
The IPv6 subnet size has been standardized by fixing the size of the host identifier portion of an address to _____ bits.The IPv6 subnet size has been standardized by fixing the size of the host identifier portion of an address to 64 bits.
-
IPv6 does not implement interoperability features with IPv4, but essentially creates a _____. Exchanging traffic between the two networks requires special translator _____.IPv6 does not implement interoperability features with IPv4, but essentially creates a parallel, independent network. Exchanging traffic between the two networks requires special translator gateways.
-
Work on IPv6 began by _____, and was first published in a series of RFCs in _____.Work on IPv6 began by 1992, and was first published in a series of RFCs in 1996.
-
Most transport and application-layer protocols need _____ to operate over IPv6.Most transport and application-layer protocols need little or no change to operate over IPv6.
-
Multicasting is part of the base specification in IPv6. IPv6 does not implement traditional IP _____ and does not define _____.Multicasting is part of the base specification in IPv6. IPv6 does not implement traditional IP broadcast and does not define broadcast addresses.
-
IPv6 hosts can configure themselves automatically when connected to a routed IPv6 network using the _____ via Internet Control Message Protocol version 6 (ICMPv6) router discovery messages.IPv6 hosts can configure themselves automatically when connected to a routed IPv6 network using the Neighbor Discovery Protocol via Internet Control Message Protocol version 6 (ICMPv6) router discovery messages.
-
IPv6 routers do not perform _____.IPv6 routers do not perform fragmentation.
-
Privacy extensions for IPv6 allow the operating system to generate _____ for communication with remote hosts.Privacy extensions for IPv6 allow the operating system to generate ephemeral IP addresses by concatenating a randomly generated host identifier with the assigned network prefix for communication with remote hosts.
-
The IPv6 header consists of a fixed portion with minimal functionality required for all packets and may be followed by optional extensions to implement special features. The fixed header requires _____ octets (_____ bits) and contains _____.The IPv6 header consists of a fixed portion with minimal functionality required for all packets and may be followed by optional extensions to implement special features. The fixed header requires 40 octets (320 bits) and contains the source and destination addresses, traffic classification options, a hop counter, and the type of the optional extension or payload which follows the fixed header.
-
The IPv6 loopback address is _____.The IPv6 loopback address is ::1.
-
Link-local addresses begin with _____.Link-local addresses begin with the prefix fe80::/10.
-
Tunneling may be used to enable IPv4 networks to communicate with IPv6 networks. In tunneling, _____ packets are encapsulated within _____ packets, in effect using _____ as a _____ layer for _____.Tunneling may be used to enable IPv4 networks to communicate with IPv6 networks. In tunneling, IPv6 packets are encapsulated within IPv4 packets, in effect using IPv4 as a link layer for IPv6.
-
Teredo is an _____ _____-site tunneling technique that uses _____ encapsulation and _____ cross Network Address Translation (NAT) nodes.Teredo is an automatic inter-site tunneling technique that uses UDP encapsulation and can cross Network Address Translation (NAT) nodes.
-
Teredo addresses begin with _____.Teredo addresses begin with 2001:0::/32.
-
ISATAP is an _____ _____-site tunneling technique that uses _____ encapsulation. It _____ cross NAT nodes.ISATAP is an automatic intra-site tunneling technique that uses IPv4 encapsulation. It cannot cross NAT nodes.
-
ISATAP addresses begin with _____.ISATAP addresses begin with fe80::200:5efe/96.
-
6to4 is an _____ _____-site tunneling technique that uses _____ encapsulation. It _____ cross NAT nodes.6to4 is an automatic inter-site tunneling technique that uses IPv4 encapsulation. It cannot cross NAT nodes.
-
6to4 addresses begin with _____ and relay through _____.6to4 addresses begin with 2002::/16 and relay through 192.88.99.1.
-
6in4 is a _____ _____-site tunneling technique that uses _____ encapsulation. It _____ cross NAT nodes.6in4 is a configured inter-site tunneling technique that uses IPv4 encapsulation. It can cross NAT nodes.
-
6in4 addresses are _____ addresses assigned by the tunnel broker, and therefore create security risks.6in4 addresses are public addresses assigned by the tunnel broker, and therefore create security risks.
-
NAT64 is a _____ that allows _____-only hosts to communicate with _____-only servers.NAT64 is a network address translation technique that allows IPv6-only hosts to communicate with IPv4-only servers.
-
NAT64 server addresses begin with _____.NAT64 server addresses begin with 64:ff9b::/96.
Assessments
[edit | edit source]References
[edit | edit source]- ↑ Wikipedia: IPv6#Technical definition
- ↑ Wikipedia: IPv6
- ↑ Wikipedia: IPv6
- ↑ Wikipedia: IPv6#Address format
- ↑ Wikipedia: IPv6#Technical definition
- ↑ Wikipedia: IPv6#Technical definition
- ↑ Wikipedia: IPv6#Working-group proposal
- ↑ Wikipedia: IPv6#Comparison to IPv4
- ↑ Wikipedia: IPv6#Multicasting
- ↑ Wikipedia: IPv6#Stateless address autoconfiguration .28SLAAC.29
- ↑ Wikipedia: IPv6#Simplified processing by routers
- ↑ Wikipedia: IPv6#Privacy
- ↑ Wikipedia: IPv6#Packet format
- ↑ Wikipedia: IPv6#Address format
- ↑ Wikipedia: Link-local address
- ↑ Wikipedia: IPv6#Tunneling
- ↑ Wikipedia: IPv6#Automatic tunneling
- ↑ Wikipedia: Teredo tunneling
- ↑ Wikipedia: IPv6#Automatic tunneling
- ↑ Wikipedia: ISATAP
- ↑ Wikipedia: IPv6#Automatic tunneling
- ↑ Wikipedia: 6to4
- ↑ Wikipedia: IPv6#Configured and automated tunneling .286in4.29
- ↑ Wikipedia: 6in4
- ↑ Wikipedia: NAT64
- ↑ Wikipedia: Anycast
- ↑ Wikipedia: DOCSIS
- ↑ Wikipedia: End-to-end principle
- ↑ Wikipedia: Hop count
- ↑ Wikipedia: Jumbogram
- ↑ Wikipedia: Mobile IPv6
- ↑ Wikipedia: Path MTU discovery
- ↑ Wikipedia: Proxy server
- ↑ Wikipedia: Quality of service
- ↑ Wikipedia: IPv6 address#Stateless address autoconfiguration
- ↑ Wikipedia: Tunneling protocol
- ↑ Wikipedia: IPv6 deployment#World IPv6 Launch
Netsh is a Windows command used to display and modify the network configuration of a currently running local or remote computer. These activities will show you how to use the netsh command to configure IPv6 settings.
Note: To complete this activity, you must have an administrative user account or know the username and password of an administrator account you can enter when prompted.
Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
Activity 1 - Display IPv6 Information
[edit | edit source]To display IPv6 information:
- Open an elevated/administrator command prompt.
- Use ipconfig to display IP address information. Observe the results. If IPv6 is enabled, you should see one or more IPv6 addresses. A typical Windows 7 computer has a Link-local IPv6 Address, an ISATAP tunnel adapter with media disconnected, and a Teredo tunnel adapter. Link-local addresses begin with fe80::/10. ISATAP addresses are specific link-local addresses beginning with fe80::200:5efe/96. Teredo addresses begin with 2001:0::/32.
- Type netsh interface ipv6 show interfaces and press Enter. Observe the results listing the interfaces on which IPv6 is enabled. Note that all netsh parameters may be abbreviated, as long as the abbreviation is a unique parameter. netsh interface ipv6 show interfaces may be entered as netsh i ipv6 sh i.
- Type netsh interface ipv6 show addresses and press Enter. Observe the results listing the interface IPv6 addresses.
- Type netsh interface ipv6 show destinationcache and press Enter. Observe the results listing recent IPv6 destinations.
- Type netsh interface ipv6 show dnsservers and press Enter. Observe the results listing IPv6 DNS server settings.
- Type netsh interface ipv6 show neighbors and press Enter. Observe the results listing IPv6 neighbors. This is similar to the IPv4 ARP cache.
- Type netsh interface ipv6 show route and press Enter. Observe the results listing IPv6 route information.
Activity 2 - Disable Teredo
[edit | edit source]To disable Teredo:
- Type netsh interface teredo set state disabled and press Enter.
- Use ipconfig to confirm that Teredo was disabled.
Activity 3 - Disable ISATAP
[edit | edit source]To disable ISATAP:
- Type netsh interface isatap set state disabled and press Enter.
- Use ipconfig to confirm that ISATAP was disabled.
Activity 4 - Enable 6to4
[edit | edit source]To enable 6to4:
- Type netsh interface 6to4 set state enabled and press Enter.
- Use ipconfig to confirm that 6to4 was enabled.
Note that 6to4 will show media disconnected if you have a private IP address.
Activity 5 - Disable 6to4
[edit | edit source]To disable 6to4:
- Type netsh interface 6to4 set state disabled and press Enter.
- Use ipconfig to confirm that 6to4 was disabled.
Activity 6 - Enable 6in4
[edit | edit source]To enable a functioning 6in4 tunnel, you must register with a tunnel broker:
- Visit http://tunnelbroker.net.
- Register with the service.
- Complete the NewB certification.
- Create a Regular Tunnel. Fill in the necessary information.
- View Example Configurations. Select your operating system. For recent Windows operating systems, the netsh command sequence would be similar to:
- netsh interface ipv6 add v6v4tunnel IP6Tunnel <your IPv4 address> <tunnel broker IPv4 address>
- netsh interface ipv6 add address IP6Tunnel <your given IPv6 address>
- netsh interface ipv6 add route ::/0 IP6Tunnel <your given IPv6 gateway address>
- Use ipconfig to confirm that a 6in4 tunnel was created.
Activity 7 - Disable 6in4
[edit | edit source]- Type netsh interface ipv6 show interface and press Enter.
- Identify the interface ID of the 6in4 tunnel created in Activity 6.
- Type netsh interface ipv6 delete interface id, where id is the ID number of the 6in4 tunnel. Then press Enter.
- Use ipconfig to confirm that the 6in4 tunnel was deleted.
Activity 8 - Enable Teredo
[edit | edit source]To enable Teredo:
- Type netsh interface teredo set state default and press Enter.
- Use ipconfig to confirm that Teredo was enabled.
Activity 9 - Enable ISATAP
[edit | edit source]To enable ISATAP:
- Type netsh interface isatap set state enabled and press Enter.
- Use ipconfig to confirm that ISATAP was enabled.
- Close the command prompt to complete this activity.
Activity 10 - Reset IPv6
[edit | edit source]To reset IPv6:
- Type netsh interface ipv6 reset and press Enter.
- Close the command prompt and restart the computer to complete this activity.
Readings
[edit | edit source]References
[edit | edit source]- Microsoft TechNet: Netsh commands for Interface IPv4 and IPv6
- Hurricane Electric Free IPv6 Tunnel Broker
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze local IPv6 traffic.
Readings
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
Activity 1 - Capture Local IPv6 Traffic
[edit | edit source]To capture local IPv6 traffic:
- Use ipconfig to display the default gateway address. Note the Default Gateway displayed. Be sure to select an IPv6 address. If you don't have an IPv6 default gateway, just review the following instructions for content understanding.
- Start a Wireshark capture.
- Use ping <default gateway address> to ping the default gateway IPv6 address.
- Stop the Wireshark capture.
Activity 2 - Analyze Local IPv6 Outbound Traffic
[edit | edit source]To analyze local IPv6 outbound traffic:
- Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMPv6 listed as the protocol. To view only ICMPv6 traffic, type icmpv6 (lower case) in the Filter box and press Enter.
- Select the first ICMPv6 packet or scroll down if necessary to locate the first packet labeled Echo (ping) request.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination field. This should contain the MAC address of your default gateway. You can use netsh interface ipv6 show neighbors to confirm.
- Observe the Source field. This should contain your MAC address. You can use ipconfig /all or getmac to confirm.
- Observe the Type field. Notice that the type is 0x86dd, indicating IPv6.
- Expand Internet Protocol Version 6 to view IPv6 details.
- Observe the Source address. Notice that the source address is your IPv6 address.
- Observe the Destination address. Notice that the destination address is the default gateway IPv6 address.
Activity 3 - Analyze Local IPv6 Inbound Traffic
[edit | edit source]To analyze local IPv6 inbound traffic:
- In the top Wireshark packet list pane, select the next ICMPv6 packet, labeled Echo (ping) reply.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination field. This should contain your MAC address.
- Observe the Source field. This should contain the MAC address of your default gateway.
- Observe the Type field. Notice that the type is 0x86dd, indicating IP.
- Expand Internet Protocol Version 6 to view IPv6 details.
- Observe the Source address. Notice that the source address is the default gateway IPv6 address.
- Observe the Destination address. Notice that the destination address is your IPv6 address.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze remote IPv6 traffic.
Readings
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
Activity 1 - Capture Remote IPv6 Traffic
[edit | edit source]To capture remote IPv6 traffic:
- Start a Wireshark capture.
- Use ping 2001:4860:4860::8888 to ping an Internet host by IPv6 address.
- Stop the Wireshark capture.
Activity 2 - Analyze Remote IPv6 Outbound Traffic
[edit | edit source]To analyze remote IPv6 outbound traffic:
- Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMPv6 listed as the protocol. To view only ICMPv6 traffic, type icmpv6 (lower case) in the Filter box and press Enter.
- Select the first ICMPv6 packet, labeled Echo (ping) request.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination field. This should contain the MAC address of your default gateway. You can use netsh interface ipv6 show neighbors to confirm. Notice that remote Internet layer traffic is processed as local Link layer traffic. The default gateway will route the packet to the Internet.
- Observe the Source field. This should contain your MAC address. You can use ipconfig /all or getmac to confirm.
- Observe the Type field. Notice that the type is 0x86dd, indicating IPv6.
- Expand Internet Protocol Version 6 to view IPv6 details.
- Observe the Source address. Notice that the source address is your IPv6 address.
- Observe the Destination address. Notice that the destination address is the Internet host IPv6 address.
Activity 3 - Analyze Remote IPv6 Inbound Traffic
[edit | edit source]To analyze remote IPv6 inbound traffic:
- In the top Wireshark packet list pane, select the next ICMPv6 packet, labeled Echo (ping) reply.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination field. This should contain your MAC address.
- Observe the Source field. This should contain the MAC address of your default gateway. Notice that the remote Internet layer traffic is returned as local Link layer traffic. The routers between the Internet host and your network routed the packet back to your router so that it could forward the packet back to your computer.
- Observe the Type field. Notice that the type is 0x86dd, indicating IPv6.
- Expand Internet Protocol Version 6 to view IPv6 details.
- Observe the Source address. Notice that the source address is the Internet host IPv6 address.
- Observe the Destination address. Notice that the destination address is your IPv6 address.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze IPv6 Teredo traffic. Note: These activities do not require an IPv6 Internet connection. Teredo tunnels across IPv4.
Readings
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
- Enable Teredo if necessary.
Activity 1 - Capture IPv6 Teredo Traffic
[edit | edit source]To capture IPv6 Teredo traffic:
- Use ipconfig /all to verify that you have a Teredo tunnel adapter. If not, simply read along to understand the following concepts.
- Start a Wireshark capture.
- Use ping 2001:4860:4860::8888 to ping an Internet host by IPv6 address.
- Stop the Wireshark capture.
Activity 2 - Analyze IPv6 Teredo Traffic
[edit | edit source]To analyze IPv6 Teredo traffic:
- Observe the traffic captured in the top Wireshark packet list pane. Type teredo (lower case) in the Filter box and press Enter to select Teredo traffic.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Teredo IPv6 Over UDP Tunneling / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame. The IPv6 / ICMPv6 packets are encapsulated inside IPv4 / UDP packets and forwarded to a Teredo server for IPv6 forwarding.
- Expand Internet Protocol Version 6 and identify the Source Teredo Port number.
- Modify the Filter box to teredo || udp.port == <Teredo port number>. For example, if the port number was 54321, you would enter a filter of teredo || udp.port == 54321. Then press Enter.
- Observe the IPv6 Teredo traffic.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze IPv6 6to4 traffic. Note: These activities do not require an IPv6 Internet connection. 6to4 tunnels across IPv4.
Readings
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
- Enable 6to4 if necessary.
Activity 1 - Capture IPv6 6to4 Traffic
[edit | edit source]To capture IPv6 6to4 traffic:
- Use ipconfig /all to verify that you have a 6TO4 tunnel adapter. If not, simply read along to understand the following concepts.
- Start a Wireshark capture.
- Use ping 2001:4860:4860::8888 to ping an Internet host by IPv6 address.
- Stop the Wireshark capture.
Activity 2 - Analyze IPv6 6to4 Traffic
[edit | edit source]To analyze IPv6 6to4 traffic:
- Observe the traffic captured in the top Wireshark packet list pane. Type ipv6.addr == 2001:4860:4860::8888 (lower case) in the Filter box and press Enter to select the generated traffic.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame. The IPv6 / ICMPv6 packets are encapsulated inside IPv4 packets and forwarded to the 6to4 relay at 192.88.99.1 for IPv6 forwarding.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze IPv6 6in4 traffic. Note: These activities do not require an IPv6 Internet connection. 6in4 tunnels across IPv4.
Readings
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
- Establish an IPv6 6in4 tunnel.
Activity 1 - Capture IPv6 6in4 Traffic
[edit | edit source]To capture IPv6 6in4 traffic:
- Use ipconfig /all to verify that you have an IPv6 tunnel adapter. If not, simply read along to understand the following concepts.
- Start a Wireshark capture.
- Use ping 2001:4860:4860::8888 to ping an Internet host by IPv6 address.
- Stop the Wireshark capture.
Activity 2 - Analyze IPv6 6in4 Traffic
[edit | edit source]To analyze IPv6 6in4 traffic:
- Observe the traffic captured in the top Wireshark packet list pane. Type ipv6.addr == 2001:4860:4860::8888 (lower case) in the Filter box and press Enter to select the generated traffic.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame. The IPv6 / ICMPv6 packets are encapsulated inside IPv4 packets and forwarded to a 6in4 IPv6 server for IPv6 forwarding.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]Lesson 8 - Internet Control Message Protocol (ICMP)
[edit | edit source]This lesson continues the Internet layer and looks at the Internet Control Message Protocol (ICMP and ICMPv6). Activities include using Wireshark to examine ICMP and ICMPv6 network traffic.
Readings
[edit | edit source]Multimedia
[edit | edit source]Activities
[edit | edit source]- Review Wireshark: Internet Control Message Protocol (ICMP).[1]
- Use Wireshark to capture and analyze ICMP Echo traffic.
- Use Wireshark to capture and analyze ICMP Time Exceeded traffic.
- Use Wireshark to capture and analyze ICMP tracert/traceroute traffic.
- Review Wireshark: ICMPv6.
- Use Wireshark to capture and analyze ICMPv6 Echo traffic.
- Use Wireshark to capture and analyze ICMPv6 Time Exceeded traffic.
- Use Wireshark to capture and analyze ICMPv6 tracert/traceroute traffic.
- Use ping to determine local network MTU.
- Use ping to determine Path MTU to an Internet host such as Google's public DNS server 8.8.8.8.
- Note that Internet routers frequently drop large ICMP packets to prevent Denial of Service attacks, so it may not be possible to capture ICMPv6 Packet Too Big messages with this approach.
- Consider situations in which a packet analyzer might be used to troubleshoot ICMP traffic.
Lesson Summary
[edit | edit source]- ICMP is a core protocol operating in the Internet layer of the Internet Protocol Suite.[2]
- ICMP messages are used for diagnostic or control purposes or generated in response to errors in IP operations.[1]
- ICMP messages may be classified into two categories: error messages and information messages.[3]
- ICMP errors are directed to the source IP address of the originating packet.[4]
- ICMPv6 is an integral part of IPv6 and performs error reporting, diagnostic functions (e.g., ping), and provides a framework for extensions to implement future changes.[5]
- ICMPv6 error messages include Destination Unreachable, Packet Too Big, Time Exceeded, and Parameter Problem.[6]
- ICMPv6 informational messages include Echo Request, Echo Reply, and a variety of multicast messages that will be covered in the next lesson.[7]
- The tracert (traceroute) and Pathping commands are implemented by transmitting datagrams with specially set IP TTL header fields and looking for ICMP Time Exceeded and Destination Unreachable messages generated in response.[8]
- The ping utility is implemented using ICMP Echo Request and Echo Reply messages.[9]
- Path MTU Discovery in IPv4 is performed by routers and supported through fragmentation.[10]
- Path MTU Discovery in IPv6 must be performed by the sending host, because IPv6 routers do not support fragmentation.[11]
Key Terms
[edit | edit source]- Destination Unreachable
- An ICMP error message which is generated by the host or its inbound gateway to inform the client that the destination is unreachable for some reason.[12]
- Echo Reply
- An ICMP informational message response to an echo request.[13]
- Echo Request
- An ICMP informational message whose data is expected to be received back in an echo reply.[14]
- Packet Too Big
- An ICMP error message which is generated by a gateway to inform the source of a discarded datagram due to the size being too large for the link layer.[15]
- Parameter Problem
- An ICMP error message which is generated by a host to inform the source of a problem with a field in the IPv6 header or extension headers of a packet that has been discarded.[16]
- Path MTU Discovery (PMTUD)
- A standardized technique in computer networking for determining the maximum transmission unit (MTU) size on the network path between two Internet Protocol (IP) hosts, usually with the goal of avoiding IP fragmentation.[17]
- Redirect Message
- An ICMP message which informs a host to update its routing information (to send packets on an alternate route).[18]
- Source Quench
- An ICMP message which requests that the sender decrease the rate of messages sent to a router or host.[19]
- Time Exceeded
- An ICMP error message which is generated by a gateway to inform the source of a discarded datagram due to the time to live / hop count field reaching zero.[20]
Review Questions
[edit | edit source]Click on a question to see the answer.
-
ICMP is a core protocol operating in the _____ layer of the Internet Protocol Suite.ICMP is a core protocol operating in the Internet layer of the Internet Protocol Suite.
-
ICMP messages are used for _____.ICMP messages are used for diagnostic or control purposes or generated in response to errors in IP operations.
-
ICMP messages may be classified into two categories: _____ and _____.ICMP messages may be classified into two categories: error messages and information messages.
-
ICMP errors are directed to _____.ICMP errors are directed to the source IP address of the originating packet.
-
ICMPv6 is an integral part of IPv6 and performs _____, and provides _____.ICMPv6 is an integral part of IPv6 and performs error reporting, diagnostic functions (e.g., ping), and provides a framework for extensions to implement future changes.
-
ICMPv6 error messages include _____.ICMPv6 error messages include Destination Unreachable, Packet Too Big, Time Exceeded, and Parameter Problem.
-
ICMPv6 informational messages include _____.ICMPv6 informational messages include Echo Request, Echo Reply, and a variety of multicast messages.
-
The _____ utilities are implemented by transmitting datagrams with specially set IP TTL header fields and looking for ICMP Time Exceeded and Destination Unreachable messages generated in response.The tracert (traceroute) and Pathping utilities are implemented by transmitting datagrams with specially set IP TTL header fields and looking for ICMP Time Exceeded and Destination Unreachable messages generated in response.
-
The _____ utility is implemented using ICMP Echo Request and Echo Reply messages.The ping utility is implemented using ICMP Echo Request and Echo Reply messages.
-
Path MTU Discovery in _____ is performed by routers.Path MTU Discovery in IPv4 is performed by routers.
-
Path MTU Discovery in _____ must be performed by the sending host.Path MTU Discovery in IPv6 must be performed by the sending host.
-
ICMP stands for _____.ICMP stands for Internet Control Message Protocol.
Assessments
[edit | edit source]References
[edit | edit source]- ↑ 1.0 1.1 Wikipedia: Internet Control Message Protocol#Technical details
- ↑ Wikipedia: Internet Control Message Protocol
- ↑ Wikipedia: ICMPv6#Technical details
- ↑ Wikipedia: Internet Control Message Protocol#Technical details
- ↑ Wikipedia: ICMPv6
- ↑ Wikipedia: ICMPv6#Types of ICMPv6 messages
- ↑ Wikipedia: ICMPv6#Types of ICMPv6 messages
- ↑ Wikipedia: Internet Control Message Protocol#Technical details
- ↑ Wikipedia: Internet Control Message Protocol#Technical details
- ↑ Wikipedia: Path MTU Discovery
- ↑ Wikipedia: Path MTU Discovery
- ↑ Wikipedia: Destination Unreachable
- ↑ Wikipedia: Ping (networking utility)#Echo reply
- ↑ Wikipedia: Echo Reply#Echo request
- ↑ Wikipedia: IPv6 packet#Fragmentation
- ↑ RFC 4443 section-3.4
- ↑ Wikipedia: Path MTU Discovery
- ↑ Wikipedia: ICMP Redirect Message
- ↑ Wikipedia: ICMP Source Quench
- ↑ Wikipedia: Time Exceeded
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Internet Control Message Protocol (ICMP) Echo traffic.
Readings
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
Activity 1 - Capture ICMP Echo Traffic
[edit | edit source]To capture ICMP Echo traffic:
- Start a Wireshark capture.
- Use ping <default gateway address> to ping the default gateway address.
- Stop the Wireshark capture.
Activity 2 - Analyze ICMP Echo Request Traffic
[edit | edit source]To analyze ICMP Echo Request traffic:
- Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMP listed as the protocol. To view only ICMP traffic, type icmp (lower case) in the Filter box and press Enter.
- Select the first ICMP packet, labeled Echo (ping) request.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
- Expand Internet Control Message Protocol to view ICMP details.
- Observe the Type. Notice that the type is 8 (Echo (ping) request).
- Select Data in the middle Wireshark packet details pane to highlight the data portion of the frame.
- Observe the packet contents in the bottom Wireshark packet bytes pane. Notice that Windows sends an alphabet sequence during ping requests.
Activity 3 - Analyze ICMP Echo Reply Traffic
[edit | edit source]To analyze ICMP Echo Reply traffic:
- In the top Wireshark packet list pane, select the second ICMP packet, labeled Echo (ping) reply.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
- Expand Internet Control Message Protocol to view ICMP details.
- Observe the Type. Notice that the type is 0 (Echo (ping) reply).
- Select Data in the middle Wireshark packet details pane to highlight the data portion of the frame.
- Observe the packet contents in the bottom Wireshark packet bytes pane. Notice that the reply echoes the request sequence.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Internet Control Message Protocol (ICMP) Time Exceeded traffic.
Readings
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
Activity 1 - Capture ICMP Time Exceeded Traffic
[edit | edit source]To capture ICMP Time Exceeded traffic:
- Start a Wireshark capture.
- Use ping -i 1 8.8.8.8 to ping one of Google's public DNS servers with a Time To Live setting of 1.
- Stop the Wireshark capture.
Activity 2 - Analyze ICMP Echo Request Traffic
[edit | edit source]To analyze ICMP Echo Request traffic:
- Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMP listed as the protocol. To view only ICMP traffic, type icmp (lower case) in the Filter box and press Enter.
- Select the first ICMP packet, labeled Echo (ping) request.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
- Expand Internet Protocol Version 4 to view IPv4 details.
- Observe the Time to live. Notice that the time to live is set to 1.
- Expand Internet Control Message Protocol to view ICMP details.
- Observe the Type. Notice that the type is 8 (Echo (ping) request).
- Select Data in the middle Wireshark packet details pane to highlight the data portion of the frame.
- Observe the packet contents in the bottom Wireshark packet bytes pane. Notice that Windows sends an alphabet sequence during ping requests.
Activity 3 - Analyze ICMP Time Exceeded Traffic
[edit | edit source]To analyze ICMP Time Exceeded traffic:
- In the top Wireshark packet list pane, select the second ICMP packet, labeled Time-to-live exceeded.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
- Expand Internet Protocol Version 4 to view IPv4 details.
- Observe the Source. This is the IP address of the router where the time was exceeded.
- Expand Internet Control Message Protocol to view ICMP details.
- Observe the Type. Notice that the type is 11 (Time-to-live exceeded).
- Observe the Code. Notice that the code is 0 (Time to live exceeded in transit).
- Observe the fields that follow. Notice that the contents of the request packet are returned with the time exceeded error.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze tracert/traceroute traffic. Tracing routes is accomplished through the use of Internet Control Message Protocol (ICMP) Time Exceeded.
Readings
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
Activity 1 - Capture Tracert Traffic
[edit | edit source]To capture ICMP tracert traffic:
- Start a Wireshark capture.
- Open a command prompt.
- Type tracert -d 8.8.8.8 and press Enter to trace the route to one of Google's public DNS servers. The -d option prevents DNS name resolution, which in this case will improve performance and reduce the amount of captured traffic.
- When the trace is complete, close the command prompt.
- Stop the Wireshark capture.
Activity 2 - Analyze Tracert Traffic
[edit | edit source]To analyze tracert traffic:
- Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMP listed as the protocol. To view only ICMP traffic, type icmp (lower case) in the Filter box and press Enter.
- Select the first ICMP packet, labeled Echo (ping) request.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
- Expand Internet Protocol Version 4 to view IPv4 details.
- Observe the Time to live. Notice that the time to live is set to 1.
- Expand Internet Control Message Protocol to view ICMP details.
- Observe the Type. Notice that the type is 8 (Echo (ping) request). Tracert is performed through a series of ICMP Echo requests, varying the Time-To-Live (TTL) until the destination is found.
- In the top Wireshark packet list pane, select the second ICMP packet, labeled Time-to-live exceeded.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
- Expand Internet Protocol Version 4 to view IPv4 details.
- Observe the Source. This is the IP address of the router where the time was exceeded.
- Expand Internet Control Message Protocol to view ICMP details.
- Observe the Type. Notice that the type is 11 (Time-to-live exceeded).
- Observe the Code. Notice that the code is 0 (Time to live exceeded in transit).
- Observe the fields that follow. Notice that the contents of the request packet are returned with the time exceeded error.
- Continue selecting alternate ICMP Echo Request and ICMP Time-To-Live Exceeded packets. Notice that the request is repeated three times for each time-to-live count, and each reply indicates the IP address of the router where the time to live was exceeded.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Internet Control Message Protocol Version 6 (ICMPv6) Echo traffic.
Readings
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
Activity 1 - Capture ICMPv6 Echo Traffic
[edit | edit source]To capture ICMPv6 Echo traffic:
- Start a Wireshark capture.
- Use ping 2001:4860:4860::8888 to ping one of Google's public IPv6 DNS servers.
- Stop the Wireshark capture.
Activity 2 - Analyze ICMPv6 Echo Request Traffic
[edit | edit source]To analyze ICMPv6 Echo Request traffic:
- Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMPv6 listed as the protocol. To view only ICMPv6 traffic, type icmpv6 (lower case) in the Filter box and press Enter.
- Select the first ICMPv6 packet, labeled Echo (ping) request.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame. Note if you are using an IPv6 tunnel, your IPv6 packet may be encapsulated inside an IPv4 or UDP packet.
- Expand Internet Control Message Protocol v6 to view ICMPv6 details.
- Observe the Type. Notice that the type is Echo (ping) request (128).
- Select Data in the middle Wireshark packet details pane to highlight the data portion of the frame.
- Observe the packet contents in the bottom Wireshark packet bytes pane. Notice that Windows sends an alphabet sequence during ping requests.
Activity 3 - Analyze ICMPv6 Echo Reply Traffic
[edit | edit source]To analyze ICMPv6 Echo Reply traffic:
- In the top Wireshark packet list pane, select the second ICMP packet, labeled Echo (ping) reply.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame. Again, if you are using an IPv6 tunnel, your IPv6 packet may be encapsulated inside an IPv4 or UDP packet.
- Expand Internet Control Message Protocol v6 to view ICMPv6 details.
- Observe the Type. Notice that the type is Echo (ping) reply (129).
- Select Data in the middle Wireshark packet details pane to highlight the data portion of the frame.
- Observe the packet contents in the bottom Wireshark packet bytes pane. Notice that the reply echoes the request sequence.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Internet Control Message Protocol Version 6 (ICMPv6) Time Exceeded traffic.
Readings
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
Activity 1 - Capture ICMPv6 Time Exceeded Traffic
[edit | edit source]To capture ICMPv6 Time Exceeded traffic:
- Start a Wireshark capture.
- Use ping -i 1 2001:4860:4860::8888 to ping one of Google's public IPv6 DNS servers with a hop limit of 1.
- Stop the Wireshark capture.
Activity 2 - Analyze ICMPv6 Echo Request Traffic
[edit | edit source]To analyze ICMPv6 Echo Request traffic:
- Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMPv6 listed as the protocol. To view only ICMPv6 traffic, type icmpv6 (lower case) in the Filter box and press Enter.
- Select the first ICMPv6 packet, labeled Echo (ping) request.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame. Note if you are using an IPv6 tunnel, your IPv6 packet may be encapsulated inside an IPv4 or UDP packet.
- Expand Internet Protocol Version 6 to view IPv6 details.
- Observe the Hop limit. Notice that the hop limit is set to 1.
- Expand Internet Control Message Protocol v6 to view ICMPv6 details.
- Observe the Type. Notice that the type is Echo (ping) request (128).
- Select Data in the middle Wireshark packet details pane to highlight the data portion of the frame.
- Observe the packet contents in the bottom Wireshark packet bytes pane. Notice that Windows sends an alphabet sequence during ping requests.
Activity 3 - Analyze ICMP Time Exceeded Traffic
[edit | edit source]To analyze ICMPv6 Time Exceeded traffic:
- In the top Wireshark packet list pane, select the second ICMPv6 packet, labeled Time Exceeded.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame. Again, if you are using an IPv6 tunnel, your IPv6 packet may be encapsulated inside an IPv4 or UDP packet.
- Expand Internet Protocol Version 6 to view IPv6 details.
- Observe the Source. This is the IP address of the router where the hop limit was exceeded.
- Expand Internet Control Message Protocol v6 to view ICMPv6 details.
- Observe the Type. Notice that the type is Time Exceeded (3).
- Observe the Code. Notice that the code is 0 (Hop limit exceeded in transit).
- Observe the fields that follow. Notice that the contents of the request packet are returned with the time exceeded error.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze tracert/traceroute traffic. Tracing routes is accomplished through the use of Internet Control Message Protocol (ICMPv6) Time Exceeded.
Readings
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
Activity 1 - Capture Tracert Traffic
[edit | edit source]To capture ICMPv6 tracert traffic:
- Start a Wireshark capture.
- Open a command prompt.
- Type tracert -d 2001:4860:4860::8888 and press Enter to trace the route to one of Google's public IPv6 DNS servers. The -d option prevents DNS name resolution, which in this case will improve performance and reduce the amount of captured traffic.
- When the trace is complete, close the command prompt.
- Stop the Wireshark capture.
Activity 2 - Analyze Tracert Traffic
[edit | edit source]To analyze tracert traffic:
- Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMPv6 listed as the protocol. To view only ICMPv6 traffic, type icmpv6 (lower case) in the Filter box and press Enter.
- Select the first ICMPv6 packet, labeled Echo (ping) request.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol frame. Note if you are using an IPv6 tunnel, your IPv6 packet may be encapsulated inside an IPv4 or UDP packet.
- Expand Internet Protocol Version 6 to view IPv6 details.
- Observe the Hop limit. Notice that the hop limit is set to 1.
- Expand Internet Control Message Protocol v6 to view ICMPv6 details.
- Observe the Type. Notice that the type is Echo (ping) request (128). Tracert is performed through a series of ICMPv6 Echo requests, varying the hop limit until the destination is found.
- In the top Wireshark packet list pane, select the second ICMPv6 packet, labeled Time Exceeded.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol frame. Again, if you are using an IPv6 tunnel, your IPv6 packet may be encapsulated inside an IPv4 or UDP packet.
- Expand Internet Protocol Version 6 to view IPv6 details.
- Observe the Source. This is the IPv6 address of the router where the time was exceeded.
- Expand Internet Control Message Protocol v6 to view ICMPv6 details.
- Observe the Type. Notice that the type is Time Exceeded (3).
- Observe the Code. Notice that the code is 0 (hop limit exceeded in transit).
- Observe the fields that follow. Notice that the contents of the request packet are returned with the time exceeded error.
- Continue selecting alternate ICMPv6 Echo Request and ICMPv6 Time Exceeded packets. Notice that the request is repeated three times for each hop limit count, and each reply indicates the IPv6 address of the router where the time to live was exceeded.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]The ping command has an option to configure the length or size of the buffer to be transmitted. These activities will show you how to use the ping command with a custom packet length to test the network's maximum transmission unit (MTU).
Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
Activity 1 - Ping the Default Gateway with a Custom Packet Length
[edit | edit source]To ping the default gateway with a custom packet length:
- Open a command prompt.
- Use ipconfig to display the default gateway address. Note the Default Gateway displayed.
- Type ping -l 1000 <default gateway address> where <default gateway address> is the default gateway address displayed above. For example, if the default gateway address was 192.168.1.1, you would type ping -l 1000 192.168.1.1. Then press Enter.
- Observe the results.
Activity 2 - Ping the Default Gateway with a Custom Packet Length and Do Not Fragment
[edit | edit source]To ping the default gateway with a custom packet length and do not fragment:
- Type ping -f -l 1000 <default gateway address> and press Enter. Note the addition of the -f option to prevent fragmentation of the packet.
- Observe the results.
Activity 3 - Vary Packet Length to Determine MTU
[edit | edit source]To determine MTU:
- Repeat Activity 2 but vary the length of the packet up or down as necessary until you determine the largest packet size that delivers successfully on your network. When the packet is too long, you will see an error similar to, "Packet needs to be fragmented but DF set." The maximum packet length for a standard Ethernet network is 1500 bytes, minus 20 bytes for Internet Protocol (IP) overhead, minus 8 bytes for Internet Control Message Protocol (ICMP) overhead, or an MTU of 1472. Your results are likely to be 1472 or lower, depending on the network equipment between your computer and the target host.
- Close the command prompt to complete this activity.
Readings
[edit | edit source]- Wikipedia: Ping (networking utility)
- Wikipedia: Maximum transmission unit
- Wikipedia: Internet Protocol
- Wikipedia: Internet Control Message Protocol (ICMP)
References
[edit | edit source]Lesson 9 - Multicast
[edit | edit source]This lesson concludes the Internet layer and looks at multicasting. Activities include using Wireshark to examine multicast and Neighbor Discovery Protocol (NDP) network traffic.
Readings
[edit | edit source]- Wikipedia: Multicast
- Wikipedia: Multicast address
- Wikipedia: Internet Group Management Protocol
- Wikipedia: Multicast Listener Discovery
- Wikipedia: Neighbor Discovery Protocol
Multimedia
[edit | edit source]- YouTube: Understanding Unicast, Multicast, and Broadcast - CompTIA Network+ N10-005: 1.3
- YouTube: Neighbor Discovery Protocol
Activities
[edit | edit source]- Review Wireshark: Internet Group Management Protocol (IGMP).
- Use Wireshark to capture and analyze IPv4 multicast traffic.
- Use Wireshark to capture and analyze IPv6 multicast traffic.
- Use Wireshark to capture and analyze ICMPv6 Neighbor Discovery Protocol (NDP) traffic.
- Consider situations in which a packet analyzer might be used to troubleshoot multicast traffic.
Lesson Summary
[edit | edit source]- Multicast is the delivery of a message or information to a group of destination computers simultaneously in a single transmission from the source.[1]
- Multicast uses network infrastructure efficiently by requiring the source to send a packet only once, even if it needs to be delivered to a large number of receivers. The nodes in the network take care of replicating the packet to reach multiple receivers when necessary.[2]
- In multicast routing, there is always one source and a group of destinations. Broadcasting is a special case of muticasting in which the group contains all hosts.[3]
- IPv4 multicast addresses were originally designated as Class D. The Classless Inter-Domain Routing (CIDR) prefix of this group is 224.0.0.0/4 and includes addresses from 224.0.0.0 through 239.255.255.255.[4]
- The 239.0.0.0/8 range is assigned by RFC 2365 for private use within an organization.[5]
- IPv6 multicast addresses start with ff00::/8.[6]
- Ethernet frames with a value of 1 in the least-significant bit of the first octet of the destination address are treated as multicast (broadcast) frames and are sent to all network hosts. The recipient host Ethernet controller determines by address hashing whether to receive or drop the multicast frame.[7]
- Ethernet IPv4 multicast frames have a destination MAC address starting with 01-00-5E-xx-xx-xx.[8]
- Ethernet IPv6 multicast frames have a destination MAC address starting with 33-33-xx-xx-xx-xx.[9]
- The Internet Group Management Protocol (IGMP) is a communications protocol used by hosts and adjacent routers on IP networks to establish multicast group memberships. IGMP is used on IPv4 networks.[10]
- Multicast management on IPv6 networks is handled by Multicast Listener Discovery (MLD) which uses ICMPv6 messaging in contrast to IGMP's bare IP encapsulation.[11][12]
- Neighbor Discovery Protocol (NDP) is an Internet layer protocol in the Internet Protocol Suite used with IPv6.[13]
- NDP is responsible for address autoconfiguration of nodes, discovery of other nodes on the link, determining the Link Layer addresses of other nodes, duplicate address detection, finding available routers and Domain Name System (DNS) servers, address prefix discovery, and maintaining reachability information about the paths to other active neighbor nodes.[14]
- NDP defines five ICMPv6 packet types: Router Solicitation, Router Advertisement, Neighbor Solicitation, Neighbor Advertisement, and Redirect.[15]
Key Terms
[edit | edit source]- Internet Protocol television (IPTV)
- A system through which television services are delivered using the Internet protocol suite over a packet-switched network such as the Internet, instead of being delivered through traditional terrestrial, satellite signal, and cable television formats.[16]
- Internet Relay Chat (IRC)
- A protocol for real-time Internet text messaging (chat) or synchronous conferencing.[17]
- overlay network
- A computer network which is built on the top of another network where nodes in the overlay can be thought of as being connected by virtual or logical links in the underlying physical network.[18]
- Neighbor Advertisement
- An ICMPv6 NDP packet type that nodes use to respond to a Neighbor Solicitation message.[19]
- Neighbor Solicitation
- An ICMPv6 NDP packet type that nodes use to determine the link-layer address of a neighbor, or to verify that a neighbor is still reachable via a cached link-layer address.[20]
- peer-to-peer (P2P)
- A computer network in which each computer in the network can act as a client or server for the other computers in the network.[21]
- presence information
- A status indicator that conveys ability and willingness of a potential communication partner—for example a user--to communicate.[22]
- Redirect
- An ICMPv6 NDP packet type that routers use to inform hosts of a better first hop for a destination.[23]
- Router Advertisement
- An ICMPv6 NDP packet type that routers use to advertise their presence together with various link and Internet parameters either periodically, or in response to a Router Solicitation message.[24]
- Router Solicitation
- An ICMPv6 NDP packet type that hosts use to request routers to generate Router Advertisements immediately rather than at their next scheduled time.[25]
- streaming media
- Multimedia that is constantly received by and presented to an end-user while being delivered by a provider.[26]
Review Questions
[edit | edit source]Click on a question to see the answer.
-
Multicast is the delivery of a message or information to _____.Multicast is the delivery of a message or information to a group of destination computers simultaneously in a single transmission from the source.
-
Multicast uses network infrastructure efficiently by requiring the source to send a packet _____, even if it needs to be delivered to a large number of receivers.Multicast uses network infrastructure efficiently by requiring the source to send a packet only once, even if it needs to be delivered to a large number of receivers.
-
In multicast routing, there is always _____.In multicast routing, there is always one source and a group of destinations.
-
Broadcasting is a special case of muticasting in which _____.Broadcasting is a special case of muticasting in which the group contains all hosts.
-
IPv4 multicast addresses were originally designated as Class _____. The Classless Inter-Domain Routing (CIDR) prefix of this group is _____ and includes addresses from _____ through _____.IPv4 multicast addresses were originally designated as Class D. The Classless Inter-Domain Routing (CIDR) prefix of this group is 224.0.0.0/4 and includes addresses from 224.0.0.0 through 239.255.255.255.
-
IPv6 multicast addresses start with _____.IPv6 multicast addresses start with ff00::/8.
-
Ethernet frames with a value of 1 in the least-significant bit of the _____ are treated as multicast (broadcast) frames and are sent to all network hosts.Ethernet frames with a value of 1 in the least-significant bit of the first octet of the destination address are treated as multicast (broadcast) frames and are sent to all network hosts.
-
Ethernet IPv4 multicast frames have a destination MAC address starting with _____.Ethernet IPv4 multicast frames have a destination MAC address starting with 01-00-5E-xx-xx-xx.
-
Ethernet IPv6 multicast frames have a destination MAC address starting with _____.Ethernet IPv6 multicast frames have a destination MAC address starting with 33-33-xx-xx-xx-xx.
-
The Internet Group Management Protocol (IGMP) is a communications protocol used by hosts and adjacent routers on IPv4 networks to _____.The Internet Group Management Protocol (IGMP) is a communications protocol used by hosts and adjacent routers on IPv4 networks to establish multicast group memberships.
-
Multicast management on IPv6 networks is handled by _____ which uses _____ messaging.Multicast management on IPv6 networks is handled by Multicast Listener Discovery (MLD) which uses ICMPv6 messaging.
-
Neighbor Discovery Protocol (NDP) is an _____ layer protocol in the Internet Protocol Suite used with IPv6.Neighbor Discovery Protocol (NDP) is an Internet layer protocol in the Internet Protocol Suite used with IPv6.
-
NDP is responsible for _____.NDP is responsible for address autoconfiguration of nodes, discovery of other nodes on the link, determining the Link Layer addresses of other nodes, duplicate address detection, finding available routers and Domain Name System (DNS) servers, address prefix discovery, and maintaining reachability information about the paths to other active neighbor nodes.
-
NDP defines five ICMPv6 packet types: _____.NDP defines five ICMPv6 packet types: Router Solicitation, Router Advertisement, Neighbor Solicitation, Neighbor Advertisement, and Redirect.
Assessments
[edit | edit source]References
[edit | edit source]- ↑ Wikipedia: Multicast
- ↑ Wikipedia: Multicast#IP multicast
- ↑ Wikipedia: Multicast#Multicast Routing
- ↑ Wikipedia: Multicast address#IPv4
- ↑ Wikipedia: Multicast address#Administratively Scoped IPv4 Multicast addresses
- ↑ Wikipedia: Multicast address#IPv6
- ↑ Wikipedia: Multicast address#Ethernet
- ↑ Wikipedia: Multicast address#Ethernet
- ↑ Wikipedia: Multicast address#Ethernet
- ↑ Wikipedia: Internet Group Management Protocol
- ↑ Wikipedia: Internet Group Management Protocol
- ↑ Wikipedia: Multicast Listener Discovery
- ↑ Wikipedia: Neighbor Discovery Protocol
- ↑ Wikipedia: Neighbor Discovery Protocol
- ↑ Wikipedia: Neighbor Discovery Protocol#Technical details
- ↑ Wikipedia: IPTV
- ↑ Wikipedia: Internet Relay Chat
- ↑ Wikipedia: Overlay network
- ↑ RFC 4861
- ↑ RFC 4861
- ↑ Wikipedia: Peer-to-peer
- ↑ Wikipedia: Presence information
- ↑ RFC 4861
- ↑ RFC 4861
- ↑ RFC 4861
- ↑ Wikipedia: Streaming media
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze IPv4 multicast traffic.
Readings
[edit | edit source]- Wikipedia: Multicast
- Wikipedia: Multicast Address
- Wikipedia: Simple Service Discovery Protocol (SSDP)
- Wikipedia: Web Services Dynamic Discovery (WS-Discovery)
Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
Activity 1 - Capture IPv4 Multicast Traffic
[edit | edit source]To capture IPv4 multicast traffic:
- Start a Wireshark capture.
- In Windows, select Start and then type Network and Sharing Center in the Run box. Press Enter.
- Select Change advanced sharing settings.
- Note the current status of Network discovery. If it is already on, select Turn off network discovery and Save changes.
- Select Turn on network discovery and Save changes.
- Wait a few seconds for network discovery to generate multicast traffic.
- If Network discovery was initially off, select Turn off network discovery and Save changes to return the status to the original setting. If network discovery was initially on, leave it on.
- Stop the Wireshark capture.
Activity 2 - Analyze IPv4 Multicast Traffic
[edit | edit source]To analyze IPv4 multicast traffic:
- Observe the traffic captured in the top Wireshark packet list pane. To view only IPv4 multicast traffic, type ip.addr >= 224.0.0.0 (lower case) in the Filter box and press Enter.
- The traffic you are most likely to see is Simple Service Discovery Protocol (SSDP) traffic. You may also see Web Services Dynamic Discovery (WS-Discovery) traffic or other multicast traffic. Whatever you find, select the first frame.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 frame.
- Expand Ethernet II to view the Ethernet details.
- Observe the Destination address. Notice that it starts with 01:00:5e, the Ethernet multicast address for IPv4.
- Expand Internet Protocol Version 4 to view IPv4 details.
- Observe the Destination address. Notice that it is in the 224.0.0.0 - 239.255.255.255 IPv4 multicast range. If it is SSDP or WS-Discovery traffic, it will be addressed to 239.255.255.250.
- Select additional frames and observe the Ethernet and IPv4 details for multicast traffic.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze IPv6 multicast traffic.
Readings
[edit | edit source]- Wikipedia: Multicast
- Wikipedia: Multicast Address
- Wikipedia: Simple Service Discovery Protocol (SSDP)
- Wikipedia: Web Services Dynamic Discovery (WS-Discovery)
Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
Activity 1 - Capture IPv6 Multicast Traffic
[edit | edit source]To capture IPv6 multicast traffic:
- Start a Wireshark capture.
- In Windows, select Start and then type Network and Sharing Center in the Run box. Press Enter.
- Select Change advanced sharing settings.
- Note the current status of Network discovery. If it is already on, select Turn off network discovery and Save changes.
- Select Turn on network discovery and Save changes.
- Wait a few seconds for network discovery to generate multicast traffic.
- If Network discovery was initially off, select Turn off network discovery and Save changes to return the status to the original setting. If network discovery was initially on, leave it on.
- Stop the Wireshark capture.
Activity 2 - Analyze IPv6 Multicast Traffic
[edit | edit source]To analyze IPv6 multicast traffic:
- Observe the traffic captured in the top Wireshark packet list pane. To view only IPv6 multicast traffic, type ipv6.addr >= ff00:: (lower case) in the Filter box and press Enter.
- The traffic you are most likely to see is ICMPv6 and Simple Service Discovery Protocol (SSDP) traffic. You may also see Web Services Dynamic Discovery (WS-Discovery) traffic or other multicast traffic. Whatever you find, select the first frame.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 frame.
- Expand Ethernet II to view the Ethernet details.
- Observe the Destination address. Notice that it starts with 33:33, the Ethernet multicast address for IPv6.
- Expand Internet Protocol Version 6 to view IPv6 details.
- Observe the Destination address. Notice that it begins with ff (ff00::/8), the IPv6 multicast range. If it is SSDP or WS-Discovery traffic, it will be addressed to ff02::c.
- Select additional frames and observe the Ethernet and IPv6 details for multicast traffic.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze ICMPv6 Neighbor Discovery Protocol (NDP) traffic.
Note: To complete this activity, you must have an administrative user account or know the username and password of an administrator account you can enter when prompted.
Readings
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
Activity 1 - Display Teredo Status
[edit | edit source]To display Teredo status:
- Open an elevated/administrator command prompt.
- Type netsh interface teredo show state and press Enter.
- Observe the Teredo status.
Activity 2 - Disable Teredo
[edit | edit source]If Teredo is currently enabled, disable it:
- Type netsh interface teredo set state disabled and press Enter.
- Use ipconfig to confirm that Teredo was disabled.
Activity 3 - Capture ICMPv6 NDP Traffic
[edit | edit source]To capture ICMPv6 NDP traffic:
- Start a Wireshark capture.
- Type netsh interface teredo set state default and press Enter.
- Use ipconfig to display Teredo settings. Note your IPv6 addresses.
- Use ping 2001:4860:4860::8888 to ping an Internet host by IPv6 address.
- Close the command prompt.
- Stop the Wireshark capture.
Activity 4 - Analyze Neighbor Solicitation Traffic
[edit | edit source]To analyze Neighbor Solicitation traffic:
- Observe the traffic captured in the top Wireshark packet list pane. To view only ICMPv6 traffic, type icmpv6 (lower case) in the Filter box and press Enter.
- Select the first ICMPv6 packet labeled Neighbor Solicitation.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
- Expand Ethernet II to view the Ethernet details.
- Observe the Destination address. Notice that it starts with 33:33, the Ethernet multicast address for IPv6.
- Expand Internet Protocol Version 6 to view IPv6 details.
- Observe the Destination address. Notice that it begins with ff (ff00::/8), the IPv6 multicast range.
- Expand Internet Control Message Protocol v6 to view ICMPv6 details.
- Observe the Type, Target Address, and Source link-layer address.
Activity 5 - Analyze Neighbor Advertisement Traffic
[edit | edit source]To analyze Neighbor Advertisement traffic:
- Observe the traffic captured in the top Wireshark packet list pane.
- Select the next ICMPv6 packet labeled Neighbor Advertisement.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
- Expand Ethernet II to view the Ethernet details.
- Observe the Destination address. Notice that it matches the source link-layer address from the Neighbor Solicitation packet above.
- Expand Internet Protocol Version 6 to view IPv6 details.
- Observe the Source address. Notice that it matches the target address from the Neighbor Solicitation packet above.
- Expand Internet Control Message Protocol v6 to view ICMPv6 details.
- Observe the Type, Target Address, and Target link-layer address. Notice that the Neighbor Advertisement is a direct response to the Neighbor Solicitation in the previous packet.
Activity 6 - Analyze Multicast Listener Report Traffic
[edit | edit source]To analyze Multicast Listener Report traffic:
- Observe the traffic captured in the top Wireshark packet list pane.
- Select the next ICMPv6 packet labeled Multicast Listener Report Message v2.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
- Expand Ethernet II to view the Ethernet details.
- Observe the Destination address. Notice that it starts with 33:33, the Ethernet multicast address for IPv6.
- Expand Internet Protocol Version 6 to view IPv6 details.
- Observe the Destination address. Notice that it begins with ff (ff00::/8), the IPv6 multicast range.
- Expand Internet Control Message Protocol v6 to view ICMPv6 details.
- Observe the Type and the Multicast Address Record Changed. The address ff02::1:3 is used for LLMNR.
Activity 7 - Analyze Router Solicitation Traffic
[edit | edit source]To analyze Router Solicitation traffic:
- Observe the traffic captured in the top Wireshark packet list pane.
- Scroll down to select the next ICMPv6 packet labeled Router Solicitation.
- Observe the packet details in the middle Wireshark packet details pane. If this is a Teredo packet, you will see that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Teredo IPv6 Over UDP tunneling / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
- Expand Internet Protocol Version 6 to view IPv6 details.
- Observe the Source address and Destination address. Notice that the Destination address is ff02::2, the IPv6 multicast router address.
Activity 8 - Analyze Router Advertisement Traffic
[edit | edit source]To analyze Router Advertisement traffic:
- Observe the traffic captured in the top Wireshark packet list pane.
- Scroll down to select the next ICMPv6 packet labeled Router Advertisement.
- Observe the packet details in the middle Wireshark packet details pane. If this is a Teredo packet, you will see that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Teredo IPv6 Over UDP tunneling / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
- Expand Internet Protocol Version 6 to view IPv6 details.
- Observe the Source address and Destination address. Notice that the Destination address matches the Source address in the Router Solicitation packet above.
- Expand Internet Control Message Protocol v6 to view ICMPv6 details.
- Observe Router Advertisement details.
- Expand ICMPv6 Option to view Prefix information.
- Observe Prefix details.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
Activity 9 - Disable Teredo
[edit | edit source]If Teredo was initially disabled on your system, you should disable it again:
- Open an elevated/administrator command prompt.
- Type netsh interface teredo set state disabled and press Enter.
- Use ipconfig to confirm that Teredo was disabled.
- Close the command prompt to complete this activity.
References
[edit | edit source]Lesson 10 - Transport Layer
[edit | edit source]This lesson introduces the Transport layer and looks at User Datagram Protocol (UDP) and Transmission Control Protocol (TCP). Activities include using netstat to display protocol statistics and using Wireshark to examine UDP and TCP network traffic.
Readings
[edit | edit source]- Wikipedia: Transport layer
- Wikipedia: User Datagram Protocol
- Wikipedia: Transmission Control Protocol
Multimedia
[edit | edit source]- YouTube: 03 01 Introduction to TCP & UDP Protocols
- YouTube: Basics of ipconfig, ping, tracert, nslookup and netstat
- YouTube: The Netstat Command - CompTIA Network+ N10-005: 4.3
Activities
[edit | edit source]- Use netstat to display protocol statistics.
- Use netstat to display all active connections and listening ports.
- Use Wireshark to capture and analyze User Datagram Protocol (UDP) traffic.
- Use Wireshark to capture and analyze Transmission Control Protocol (TCP) traffic.
- Consider situations in which a packet analyzer might be used to troubleshoot transport layer traffic.
Lesson Summary
[edit | edit source]- The transport layer provides end-to-end communication services for applications.[1]
- The transport layer provides services such as connection-oriented data stream support, reliability, flow control, and multiplexing.[2]
- The Transmission Control Protocol (TCP) is used for connection-oriented transmissions. The User Datagram Protocol (UDP) is used for connection-less messaging transmissions.[3]
- Many of the services attributed to the transport layer are specific to TCP and do not apply to UDP. These include connections, byte oriented data streams, sequencing, reliability, flow control, and congestion avoidance.[4]
- Transport layer protocols include source and destination port numbers to identify process-to-process communication.[5] Sessions are identified using the client's IP address and port number.[6]
- TCP packets are referred to as segments. UDP packets are referred to as datagrams.[7]
- UDP has no handshaking dialogues, and thus exposes any unreliability of the underlying network protocol to the user's program.[8]
- UDP provides checksums for data integrity, and port numbers for addressing different functions at the source and destination of the datagram.[9]
- UDP is simple and stateless, with minimal delay, and works well in unidirectional (broadcast / multicast) communication.[10]
- The UDP header includes fields for: source port, destination port, length, and checksum.[11]
- TCP is reliable, ordered, heavyweight, and streaming.[12]
- UDP is unreliable, un-ordered, lightweight, and without streaming or connection control.[13]
- UDP provides a datagram service that emphasizes reduced latency over TCP stream reliability.[14] TCP is optimized for accurate delivery rather than timely delivery.[15]
- TCP is a reliable stream delivery service that guarantees that all bytes received will be identical with bytes sent and in the correct order.[16]
- The TCP header includes fields for: source port, destination port, sequence number, acknowledgement number, data offset, flags, window size, checksum, and an urgent pointer.[17]
- TCP protocol operations are divided into three phases: connection establishment, data transfer, and connection termination.[18]
- TCP connection establishment is performed through a three-way handshake exchanging sequence numbers and acknowledgements (SYN, SYN-ACK, ACK).[19]
- TCP connection termination is performed through a four-way handshake of exchanging finish flags and acknowledgements (FIN, ACK, FIN, ACK).[20]
- TCP achieves reliable transmission by using a sequence number to account for each byte of data.[21]
- TCP performs error detection through sequence numbers, acknowledgements, and a checksum for each packet.[22]
- TCP uses a sliding window flow control process in which the receiver specifies the amount of additional data that it is willing to accept for the connection and the sending host can send only up to that amount of data before it must wait for an acknowledgment from the receiving host.[23]
- TCP achieves congestion control through slow-start, congestion avoidance, fast retransmit, fast recovery, and retransmission timeout.[24]
- TCP and UDP port numbers range from 0 to 65535.[25]
- The Internet Assigned Numbers Authority has divided TCP and UDP port numbers into three ranges. Port numbers 0 through 1023 are used for common, well-known services. Port numbers 1024 through 49151 are registered ports used for IANA-registered services. Ports 49152 through 65535 are dynamic ports that can be used for any purpose.[26]
Key Terms
[edit | edit source]- ACK
- An acknowledgement signal passed between communicating processes or computers to signify acknowledgement, or receipt of response, as part of a communications protocol.[27]
- application programming interface (API)
- A protocol intended to be used as an interface by software components to communicate with each other.[28]
- Automatic Repeat reQuest (ARQ) (or Automatic Repeat Query)
- An error-control method for data transmission that uses acknowledgements (messages sent by the receiver indicating that it has correctly received a data frame or packet) and timeouts (specified periods of time allowed to elapse before an acknowledgment is to be received) to achieve reliable data transmission over an unreliable service.[29]
- buffer
- A region of a physical memory storage used to temporarily prevent data from continuing while it is being moved from one place to another.[30]
- buffer underrun
- A state occurring when a buffer used to communicate between two devices or processes is fed with data at a lower speed than the data is being read from it.[31]
- checksum
- A fixed-size datum computed from an arbitrary block of digital data for the purpose of detecting accidental errors that may have been introduced during its transmission or storage.[32]
- connection-oriented communication
- A data communication mode whereby the devices at the end points use a protocol to establish an end-to-end logical or physical connection before any data may be sent.[33]
- connectionless
- A data communication mode in which a message can be sent from one end point to another without prior arrangement.[34]
- data stream
- A sequence of digitally encoded coherent signals (packets of data or data packets) used to transmit or receive information that is in the process of being transmitted.[35]
- datagram
- A basic transfer unit associated with a packet-switched network in which the delivery, arrival time, and order of arrival are not guaranteed by the network service.[36]
- deadlock
- A situation in which two or more competing actions are each waiting for the other to finish, and thus neither ever does.[37]
- ephemeral port
- A short-lived transport protocol port allocated automatically from a predefined range.[38]
- error detection
- Techniques that enable reliable delivery of digital data over unreliable communication channels.[39]
- flow control
- The process of managing the rate of data transmission between two nodes to prevent a fast sender from outrunning a slow receiver.[40]
- handshaking
- An automated process of negotiation that dynamically sets parameters of a communications channel established between two entities before normal communication over the channel begins.[41]
- latency
- A measure of time delay experienced in a system.[42]
- maximum segment size (MSS)
- A parameter of the TCP protocol that specifies the largest amount of data that a computer or communications device can receive in a single TCP segment.[43]
- multiplexing
- A method by which multiple analog message signals or digital data streams are combined into one signal over a shared medium.[44]
- NAK
- A negative acknowledgement signal passed between communicating processes or computers to signify an error or lack of acceptance as part of a communications protocol.[45]
- network congestion
- A data communication situation in which a link or node is carrying so much data that its quality of service deteriorates.[46]
- registered port
- A transport protocol port assigned by the Internet Assigned Numbers Authority (IANA) for use with a certain protocol or application.[47]
- reliability
- A reliable protocol is one that provides reliability properties with respect to the delivery of data to the intended recipient(s), as opposed to an unreliable protocol, which does not provide notifications to the sender as to the delivery of transmitted data.[48]
- Slow-start
- One of the algorithms that TCP uses to control congestion inside the network, in which the TCP window size is increased each time an acknowledgment is received.[49]
- TCP window scale option
- An option to increase the TCP receive window size above its maximum value of 65,535 bytes.[50]
Review Questions
[edit | edit source]Click on a question to see the answer.
-
The transport layer provides _____.The transport layer provides end-to-end communication services for applications.
-
The transport layer provides services such as _____.The transport layer provides services such as connection-oriented data stream support, reliability, flow control, and multiplexing.
-
The Transmission Control Protocol (TCP) is used for _____ transmissions. The User Datagram Protocol (UDP) is used for _____ transmissions.The Transmission Control Protocol (TCP) is used for connection-oriented transmissions. The User Datagram Protocol (UDP) is used for connection-less messaging transmissions.
-
Many of the services attributed to the transport layer are specific to _____ and do not apply to _____. These include connections, byte oriented data streams, sequencing, reliability, flow control, and congestion avoidance.Many of the services attributed to the transport layer are specific to TCP and do not apply to UDP. These include connections, byte oriented data streams, sequencing, reliability, flow control, and congestion avoidance.
-
Transport layer protocols include source and destination _____ to identify process-to-process communication. Sessions are identified using _____.Transport layer protocols include source and destination port numbers to identify process-to-process communication. Sessions are identified using the client's IP address and port number.
-
TCP packets are referred to as _____. UDP packets are referred to as _____.TCP packets are referred to as segments. UDP packets are referred to as datagrams.
-
UDP has no _____, and thus exposes any unreliability of the underlying network protocol to the user's program.UDP has no handshaking dialogues, and thus exposes any unreliability of the underlying network protocol to the user's program.
-
UDP provides _____ for data integrity, and _____ for addressing different functions at the source and destination of the datagram.UDP provides checksums for data integrity, and port numbers for addressing different functions at the source and destination of the datagram.
-
UDP is _____, with _____ delay, and works well in unidirectional (broadcast / multicast) communication.UDP is simple and stateless, with minimal delay, and works well in unidirectional (broadcast / multicast) communication.
-
The UDP header includes fields for: _____.The UDP header includes fields for: source port, destination port, length, and checksum.
-
TCP is _____.TCP is reliable, ordered, heavyweight, and streaming.
-
UDP is _____.UDP is unreliable, un-ordered, lightweight, and without streaming or connection control.
-
UDP provides a datagram service that emphasizes _____ over TCP _____. TCP is optimized for _____ rather than _____.UDP provides a datagram service that emphasizes reduced latency over TCP stream reliability. TCP is optimized for accurate delivery rather than timely delivery.
-
TCP is a _____ delivery service that _____.TCP is a reliable stream delivery service that guarantees that all bytes received will be identical with bytes sent and in the correct order.
-
The TCP header includes fields for: _____.The TCP header includes fields for: source port, destination port, sequence number, acknowledgement number, data offset, flags, window size, checksum, and an urgent pointer.
-
TCP protocol operations are divided into three phases: _____.TCP protocol operations are divided into three phases: connection establishment, data transfer, and connection termination.
-
TCP connection establishment is performed through _____.TCP connection establishment is performed through a three-way handshake exchanging sequence numbers and acknowledgements (SYN, SYN-ACK, ACK).
-
TCP connection termination is performed through _____.TCP connection termination is performed through a four-way handshake of exchanging finish flags and acknowledgements (FIN, ACK, FIN, ACK).
-
TCP achieves reliable transmission by using _____.TCP achieves reliable transmission by using a sequence number to account for each byte of data.
-
TCP performs error detection through _____.TCP performs error detection through sequence numbers, acknowledgements, and a checksum for each packet.
-
TCP uses a sliding window flow control process in which _____.TCP uses a sliding window flow control process in which the receiver specifies the amount of additional data that it is willing to accept for the connection and the sending host can send only up to that amount of data before it must wait for an acknowledgment from the receiving host.
-
TCP achieves congestion control through _____.TCP achieves congestion control through slow-start, congestion avoidance, fast retransmit, fast recovery, and retransmission timeout.
-
TCP and UDP port numbers range from _____.TCP and UDP port numbers range from 0 to 65535.
-
The Internet Assigned Numbers Authority has divided TCP and UDP port numbers into three ranges. Port numbers _____ are used for common, well-known services. Port numbers _____ are registered ports used for IANA-registered services. Ports _____ are dynamic ports that can be used for any purpose.The Internet Assigned Numbers Authority has divided TCP and UDP port numbers into three ranges. Port numbers 0 through 1023 are used for common, well-known services. Port numbers 1024 through 49151 are registered ports used for IANA-registered services. Ports 49152 through 65535 are dynamic ports that can be used for any purpose.
Assessments
[edit | edit source]See Also
[edit | edit source]References
[edit | edit source]- ↑ Wikipedia: Transport layer
- ↑ Wikipedia: Transport layer
- ↑ Wikipedia: Transport layer
- ↑ Wikipedia: Transport layer#Services
- ↑ Wikipedia: Transport layer#Analysis
- ↑ Wikipedia: Transmission Control Protocol#Resource usage
- ↑ Wikipedia: Transport layer#Analysis
- ↑ Wikipedia: User Datagram Protocol
- ↑ Wikipedia: User Datagram Protocol
- ↑ Wikipedia: User Datagram Protocol
- ↑ Wikipedia: User Datagram Protocol#Packet structure
- ↑ Wikipedia: User Datagram Protocol#Comparison of UDP and TCP
- ↑ Wikipedia: User Datagram Protocol#Comparison of UDP and TCP
- ↑ Wikipedia: Transmission Control Protocol
- ↑ Wikipedia: Transmission Control Protocol#Network function
- ↑ Wikipedia: Transmission Control Protocol#Network function
- ↑ Wikipedia: Transmission Control Protocol#TCP segment structure
- ↑ Wikipedia: Transmission Control Protocol#Protocol operation
- ↑ Wikipedia: Transmission Control Protocol#Protocol operation
- ↑ Wikipedia: Transmission Control Protocol#Protocol operation
- ↑ Wikipedia: Transmission Control Protocol#Reliable transmission
- ↑ Wikipedia: Transmission Control Protocol#Error detection
- ↑ Wikipedia: Transmission Control Protocol#Flow control
- ↑ Wikipedia: Transmission Control Protocol#Congestion control
- ↑ Wikipedia: Port (computer networking)#Common port numbers
- ↑ Wikipedia: Port (computer networking)#Common port numbers
- ↑ Wikipedia: Acknowledgement (data networks)
- ↑ Wikipedia: Application programming interface
- ↑ Wikipedia: Automatic repeat request
- ↑ Wikipedia: Data buffer
- ↑ Wikipedia: Buffer underrun
- ↑ Wikipedia: Checksums
- ↑ Wikipedia: Connection-oriented communication
- ↑ Wikipedia: Connectionless protocol
- ↑ Wikipedia: Data stream
- ↑ Wikipedia: Datagram
- ↑ Wikipedia: Deadlock
- ↑ Wikipedia: Ephemeral port
- ↑ Wikipedia: Error detection and correction
- ↑ Wikipedia: Flow control (data)
- ↑ Wikipedia: Handshaking
- ↑ Wikipedia: Latency (engineering)
- ↑ Wikipedia: Maximum segment size
- ↑ Wikipedia: Multiplexing
- ↑ Wikipedia: Negative-acknowledge character
- ↑ Wikipedia: Network congestion
- ↑ Wikipedia: Registered port
- ↑ Wikipedia: Reliability (computer networking)
- ↑ Wikipedia: Slow-start
- ↑ Wikipedia: TCP window scale option
Netstat is a command-line tool that displays network statistics on a variety of operating systems. This activity will show you how to use the netstat command to display statistics by protocol.
Preparation
[edit | edit source]To prepare for this activity:
- Start your operating system.
- Log in if necessary.
Activity 1 - Display Statistics by Protocol
[edit | edit source]To display statistics by protocol:
- Open a command prompt.
- Type netstat -s.
- Press Enter.
- Observe the statistics for IPv4, IPv6, ICMPv4, ICMPv6, TCP, and UDP.
- Close the command prompt to complete this activity.
Readings
[edit | edit source]References
[edit | edit source]Netstat is a command-line tool that displays network statistics on a variety of operating systems. This activity will show you how to use the netstat command to display all active connections (TCP and UDP)
Preparation
[edit | edit source]To prepare for this activity:
- Start your operating system.
- Log in if necessary.
Activity 1 - Display All Active Connections
[edit | edit source]To display all active connections:
- Open a command prompt.
- Type netstat -a.
- Press Enter.
- Observe active TCP and UDP connections and listening ports, the local address and port number, the remote name or address and port number if a connection is established, and the connection status.
Activity 2 - Display All Active Connections by Number
[edit | edit source]To display all active connections by number (IP address) instead of by host name:
- Type netstat -a -n.
- Press Enter.
- Observe active TCP and UDP connections and listening ports, the local address and port number, the remote name or address and port number if a connection is established, and the connection status.
- Close the command prompt to complete this activity.
Readings
[edit | edit source]References
[edit | edit source]Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze User Datagram Protocol (UDP) traffic.
Readings
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
Activity 1 - Capture UDP Traffic
[edit | edit source]To capture UDP traffic:
- Start a Wireshark capture.
- Open a command prompt.
- Type ipconfig /renew and press Enter to renew your DHCP assigned IP address. If you have a static address, this will not generate any UDP traffic.
- Type ipconfig /flushdns and press Enter to clear your DNS name cache.
- Type nslookup 8.8.8.8 and press Enter to look up the hostname for IP address 8.8.8.8.
- Close the command prompt.
- Stop the Wireshark capture.
Activity 2 - Analyze UDP DHCP Traffic
[edit | edit source]To analyze UDP DHCP traffic:
- Observe the traffic captured in the top Wireshark packet list pane. To view only UDP traffic related to the DHCP renewal, type udp.port == 68 (lower case) in the Filter box and press Enter.
- Select the first DHCP packet, labeled DHCP Request.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be your DHCP server's MAC address and the source should be your MAC address. You can use ipconfig /all to confirm.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is your IP address.
- Observe the Destination address. Notice that the destination address is the DHCP server IP address.
- Expand User Datagram Protocol to view UDP details.
- Observe the Source port. Notice that it is bootpc (68), the bootp client port.
- Observe the Destination port. Notice that it is bootps (67), the bootp server port.
- In the top Wireshark packet list pane, select the second DHCP packet, labeled DHCP ACK.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be your MAC address and the source should be your DHCP server's MAC address.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is the DHCP server IP address.
- Observe the Destination address. Notice that the destination address is your IP address.
- Expand User Datagram Protocol to view UDP details.
- Observe the Source port. Notice that it is bootps (67), the bootp server port.
- Observe the Destination port. Notice that it is bootpc (68), the bootp client port.
Activity 3 - Analyze UDP DNS Traffic
[edit | edit source]To analyze UDP DNS traffic:
- Observe the traffic captured in the top Wireshark packet list pane. To view only UDP traffic related to the DHCP renewal, type udp.port == 53 (lower case) in the Filter box and press Enter.
- Select the first DNS packet, labeled Standard query.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Domain Name System (query) frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be your DNS server's MAC address if it is local, or your default gateway's MAC address if the DNS server is remote. The source should be your MAC address. You can use ipconfig /all to confirm.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is your IP address.
- Observe the Destination address. Notice that the destination address is the DNS server IP address.
- Expand User Datagram Protocol to view UDP details.
- Observe the Source port. Notice that it is a dynamic port selected for this DNS query.
- Observe the Destination port. Notice that it is domain (53), the DNS server port.
- In the top Wireshark packet list pane, select the second DNS packet, labeled Standard query response.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Domain Name System (response) frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be your MAC address and the source should be your DNS server's MAC address if it is local, or your default gateway's MAC address if the DNS server is remote.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is the DNS server IP address.
- Observe the Destination address. Notice that the destination address is your IP address.
- Expand User Datagram Protocol to view UDP details.
- Observe the Source port. Notice that it is domain (53) the DNS server port.
- Observe the Destination port. Notice that it is the same dynamic port used to make the DNS query in the first packet.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Transmission Control Protocol (TCP) traffic.
Readings
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
- Install the Telnet client.
Activity 1 - Capture TCP Traffic
[edit | edit source]To capture TCP traffic:
- Start a Wireshark capture.
- Open a command prompt.
- Type telnet www.google.com 80 and press Enter.
- Close the command prompt to close the TCP connection.
- Stop the Wireshark capture.
Activity 2 - Analyze TCP SYN Traffic
[edit | edit source]To analyze TCP SYN traffic:
- Observe the traffic captured in the top Wireshark packet list pane. To view only TCP traffic related to the web server connection, type tcp.port == 80 (lower case) in the Filter box and press Enter.
- Select the first TCP packet, labeled http [SYN].
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be your default gateway's MAC address and the source should be your MAC address. You can use ipconfig /all to confirm.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is your IP address.
- Observe the Destination address. Notice that the destination address is the IP address of one of Google's web servers.
- Expand Transmission Control Protocol to view TCP details.
- Observe the Source port. Notice that it is a dynamic port selected for this connection.
- Observe the Destination port. Notice that it is http (80).
- Observe the Sequence number. Notice that it is 0 (relative sequence number). To see the actual sequence number, select the Sequence number to highlight the sequence number in the bottom Wireshark bytes pane.
- Expand Flags to view flag details.
- Observe the flag settings. Notice that SYN is set, indicating the first segment in the TCP three-way handshake.
Activity 3 - Analyze TCP SYN, ACK Traffic
[edit | edit source]To analyze TCP SYN, ACK traffic:
- In the top Wireshark packet list pane, select the second TCP packet, labeled SYN, ACK.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be your MAC address and the source should be your default gateway MAC address.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is the Google web server IP address.
- Observe the Destination address. Notice that the destination address is your IP address.
- Expand Transmission Control Protocol to view TCP details.
- Observe the Source port. Notice that it is http (80).
- Observe the Destination port. Notice that it is the same dynamic port selected for this connection.
- Observe the Sequence number. Notice that it is 0 (relative sequence number). To see the actual sequence number, select Sequence number to highlight the sequence number in the bottom Wireshark bytes pane.
- Observe the Acknowledgement number. Notice that it is 1 (relative ack number). To see the actual acknowledgement number, select Acknowledgement number to highlight the acknowledgement number in the bottom pane. Notice that the actual acknowledgement number is one greater than the sequence number in the previous segment.
- Expand Flags to view flag details.
- Observe the flag settings. Notice that SYN and ACK are set, indicating the second segment in the TCP three-way handshake.
Activity 4 - Analyze TCP ACK Traffic
[edit | edit source]To analyze TCP ACK traffic:
- In the top Wireshark packet list pane, select the third TCP packet, labeled http ACK.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be your default gateway MAC address and the source should be your MAC address.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is your IP address.
- Observe the Destination address. Notice that the destination address is the Google web server IP address.
- Expand Transmission Control Protocol to view TCP details.
- Observe the Source port. Notice that it is the same dynamic port selected for this connection.
- Observe the Destination port. Notice that it is http (80).
- Observe the Sequence number. Notice that it is 1 (relative sequence number). To see the actual sequence number, select Sequence number to highlight the sequence number in the bottom Wireshark bytes pane.
- Observe the Acknowledgement number. Notice that it is 1 (relative ack number). To see the actual acknowledgement number, select Acknowledgement number to highlight the acknowledgement number in the bottom pane.
- Expand Flags to view flag details.
- Observe the flag settings. Notice that ACK is set, indicating the third segment in the TCP three-way handshake. The client has established a TCP connection with the server.
Activity 5 - Analyze TCP FIN ACK Traffic
[edit | edit source]To analyze TCP FIN ACK traffic:
- In the top Wireshark packet list pane, select the fourth TCP packet, labeled http FIN, ACK.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be your default gateway MAC address and the source should be your MAC address.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is your IP address.
- Observe the Destination address. Notice that the destination address is the Google web server IP address.
- Expand Transmission Control Protocol to view TCP details.
- Observe the Source port. Notice that it is the same dynamic port selected for this connection.
- Observe the Destination port. Notice that it is http (80).
- Observe the Sequence number. Notice that it is 1 (relative sequence number).
- Observe the Acknowledgement number. Notice that it is 1 (relative ack number).
- Expand Flags to view flag details.
- Observe the flag settings. Notice that FIN and ACK are set, indicating the first segment in the TCP teardown handshake. The client has indicated it is closing the TCP connection with the server.
Activity 6 - Analyze TCP FIN ACK Traffic
[edit | edit source]To analyze TCP FIN ACK traffic:
- In the top Wireshark packet list pane, select the fifth TCP packet, labeled FIN, ACK.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be your MAC address and the source should be your default gateway MAC address.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is the Google web server IP address.
- Observe the Destination address. Notice that the destination address is your IP address.
- Expand Transmission Control Protocol to view TCP details.
- Observe the Source port. Notice that it is http (80).
- Observe the Destination port. Notice that it is the same dynamic port selected for this connection.
- Observe the Sequence number. Notice that it is 1 (relative sequence number).
- Observe the Acknowledgement number. Notice that it is 2 (relative ack number).
- Expand Flags to view flag details.
- Observe the flag settings. Notice that FIN and ACK are set, indicating the second segment in the TCP three-way handshake. The server has indicated it is closing the TCP connection with the client.
Activity 7 - Analyze TCP ACK Traffic
[edit | edit source]To analyze TCP ACK traffic:
- In the top Wireshark packet list pane, select the sixth TCP packet, labeled http ACK.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be your default gateway MAC address and the source should be your MAC address.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is your IP address.
- Observe the Destination address. Notice that the destination address is the Google web server IP address.
- Expand Transmission Control Protocol to view TCP details.
- Observe the Source port. Notice that it is the same dynamic port selected for this connection.
- Observe the Destination port. Notice that it is http (80).
- Observe the Sequence number. Notice that it is 2 (relative sequence number).
- Observe the Acknowledgement number. Notice that it is 2 (relative ack number).
- Expand Flags to view flag details.
- Observe the flag settings. Notice that ACK is set, indicating the third segment in the TCP teardown handshake. The client has acknowledged the server closing the TCP connection.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]Lesson 11 - Address Assignment
[edit | edit source]This lesson introduces dynamic addressing and looks at the Bootstrap Protocol (BOOTP) and the Dynamic Host Configuration Protocol for IPv4 (DHCP) and IPv6 (DHCPv6). Activities include using Wireshark to examine BOOTP, DHCP, and DHCPv6 network traffic.
Readings
[edit | edit source]- Wikipedia: Link-local address
- Wikipedia: Bootstrap Protocol
- Wikipedia: Dynamic Host Configuration Protocol
- Wikipedia: DHCPv6
- Wikipedia: Prefix delegation
Multimedia
[edit | edit source]- YouTube: DHCP Addressing Overview - CompTIA Network+ N10-005: 2.3
- YouTube: The DHCP Process in Wireshark
- YouTube: Understanding APIPA - CompTIA Network+ N10-005: 1.3
Activities
[edit | edit source]- View and test a link-local address.
- Use Wireshark to capture and analyze Dynamic Host Configuration Protocol (DHCP) traffic.
- Use Wireshark to capture and analyze DHCPv6 traffic.
- Consider situations in which a packet analyzer might be used to troubleshoot address assignment traffic.
Lesson Summary
[edit | edit source]- A link-local address is an Internet Protocol address that is intended only for communications within the segment of a local network (a link) or a point-to-point connection that a host is connected to.[1]
- Routers do not forward packets with link-local addresses.[2]
- Link-local addresses for IPv4 are defined in the address block 169.254.0.0/16.[3]
- Link-local addresses for IPv6 are defined with the prefix fe80::/64.[4]
- Unlike IPv4, IPv6 requires a link-local address to be assigned to every network interface on which the IPv6 protocol is enabled, even when one or more routable addresses are also assigned.[5]
- The IPv6 link-local address is required for sublayer operations of the Neighbor Discovery Protocol (NDP) and DHCPv6.[6]
- The Bootstrap Protocol, or BOOTP, is a network protocol used by a network client to obtain an IP address from a configuration server.[7]
- The Dynamic Host Configuration Protocol (DHCP) is a more advanced protocol for the same purpose as BOOTP and has superseded the use of BOOTP.[8] DHCP is an extension of BOOTP and uses the same datagram format.[9]
- Most DHCP servers also function as BOOTP servers.[10]
- The BOOTP protocol replaced the Reverse Address Resolution Protocol (RARP).[11]
- BOOTP, and therefore DHCP, supports the use of a relay agent, which allows BOOTP packets to be forwarded from the local network so that one central BOOTP server can serve hosts on many subnets.[12]
- The Dynamic Host Configuration Protocol (DHCP) is a network protocol that is used to configure network devices so that they can communicate on an IP network.[13]
- DHCP servers maintain a database of available IP addresses and configuration information.[14]
- Network links without a DHCP server can use DHCP relay agents to receive messages from DHCP clients and forward them to DHCP servers. DHCP servers send responses back to the relay agent, and the relay agent then sends these responses to the DHCP client on the local network link.[15]
- DHCP servers typically grant IP addresses to clients only for a limited interval. DHCP clients are responsible for renewing their IP address before that interval has expired, and must stop using the address once the interval has expired, if they have not been able to renew it.[16]
- By default, clients attempt to renew their lease using unicast (directed) traffic starting at one half of lease time, also known as renewal time (T1).[17]
- By default, clients attempt to renew their lease using broadcast traffic starting at 87.5% of lease time, also known as rebinding time (T2).[18]
- DHCP servers assign addresses through either dynamic or automatic allocation, or thorough static allocation (address reservations).[19]
- DHCPv4 operations fall into four basic phases: IP discovery, IP lease offer, IP request, and IP lease acknowledgement. These points are often abbreviated as DORA (Discovery, Offer, Request, Acknowledgement).[20]
- DHCPv4 options provided to clients include subnet mask, router (default gateway), domain name server, domain name, NetBIOS name servers (WINS), lease time, renewal time (T1), rebinding time (T2), and others.[21]
- The base DHCP protocol does not include any mechanism for authentication. Because of this, it is vulnerable to a variety of attacks including unauthorized servers, unauthorized clients, and address exhaustion attacks from malicious clients.[22]
- DHCPv6 operations are similar to DHCPv4, but are described as Solicit, Advertise, Request, and Reply.[23] Renewals are processed with Renew and Reply.[24]
- DHCPv6-PD prefix delegation is used to assign a network address prefix to a user site, configuring the user's router with the prefix to be used for each LAN.[25]
Key Terms
[edit | edit source]- Automatic Private IP Addressing (APIPA)
- Microsoft's terminology for link-local addressing.[26]
- Bootstrapping
- A self-sustaining process that proceeds without external help.[27]
- diskless node
- A workstation or personal computer without disk drives, which employs network booting to load its operating system from a server.[28]
- fault-tolerant
- A design that enables a system to continue operation, possibly at a reduced level, rather than failing completely when some part of the system fails.[29]
- Preboot eXecution Environment (PXE, sometimes pronounced "pixie")
- An environment to boot computers using a network interface independent of local data storage devices (like hard disks) or installed operating systems.[30]
- Reverse Address Resolution Protocol (RARP)
- An obsolete protocol that finds the logical IP address for a machine that knows only its physical address.[31]
Review Questions
[edit | edit source]Click on a question to see the answer.
-
A link-local address is an Internet Protocol address that is _____.A link-local address is an Internet Protocol address that is intended only for communications within the segment of a local network (a link) or a point-to-point connection that a host is connected to.
-
Routers _____ packets with link-local addresses.Routers do not forward packets with link-local addresses.
-
Link-local addresses for IPv4 are defined in the address block _____.Link-local addresses for IPv4 are defined in the address block 169.254.0.0/16.
-
Link-local addresses for IPv6 are defined with the prefix _____.Link-local addresses for IPv6 are defined with the prefix fe80::/64.
-
Unlike _____, _____ requires a link-local address to be assigned to every network interface on which the _____ protocol is enabled, even when one or more routable addresses are also assigned.Unlike IPv4, IPv6 requires a link-local address to be assigned to every network interface on which the IPv6 protocol is enabled, even when one or more routable addresses are also assigned.
-
The IPv6 link-local address is required for sublayer operations of _____.The IPv6 link-local address is required for sublayer operations of the Neighbor Discovery Protocol (NDP) and DHCPv6.
-
The Bootstrap Protocol, or BOOTP, is a network protocol used by a network client to _____.The Bootstrap Protocol, or BOOTP, is a network protocol used by a network client to obtain an IP address from a configuration server.
-
The Dynamic Host Configuration Protocol (DHCP) is a more advanced protocol for the same purpose as _____ and has superseded the use of _____. DHCP is an extension of _____ and uses the same datagram format.The Dynamic Host Configuration Protocol (DHCP) is a more advanced protocol for the same purpose as BOOTP and has superseded the use of BOOTP. DHCP is an extension of BOOTP and uses the same datagram format.
-
Most DHCP servers also function as _____ servers.Most DHCP servers also function as BOOTP servers.
-
The BOOTP protocol replaced _____.The BOOTP protocol replaced the Reverse Address Resolution Protocol (RARP).
-
BOOTP, and therefore DHCP, supports the use of a relay agent, which _____.BOOTP, and therefore DHCP, supports the use of a relay agent, which allows BOOTP packets to be forwarded from the local network so that one central BOOTP server can serve hosts on many subnets.
-
The Dynamic Host Configuration Protocol (DHCP) is a network protocol that is used to _____.The Dynamic Host Configuration Protocol (DHCP) is a network protocol that is used to configure network devices so that they can communicate on an IP network.
-
DHCP servers maintain _____.DHCP servers maintain a database of available IP addresses and configuration information.
-
Network links without a DHCP server can use _____ to receive messages from DHCP clients and forward them to DHCP servers.Network links without a DHCP server can use DHCP relay agents to receive messages from DHCP clients and forward them to DHCP servers.
-
DHCP servers typically grant IP addresses to clients only for _____. DHCP clients are responsible for _____, and must _____.DHCP servers typically grant IP addresses to clients only for a limited interval. DHCP clients are responsible for renewing their IP address before that interval has expired, and must stop using the address once the interval has expired, if they have not been able to renew it.
-
By default, clients attempt to renew their lease using _____ traffic starting at one half of lease time, also known as _____ time (T1).By default, clients attempt to renew their lease using unicast (directed) traffic starting at one half of lease time, also known as renewal time (T1).
-
By default, clients attempt to renew their lease using _____ traffic starting at 87.5% of lease time, also known as _____ time (T2).By default, clients attempt to renew their lease using broadcast traffic starting at 87.5% of lease time, also known as rebinding time (T2).
-
DHCP servers assign addresses through either _____.DHCP servers assign addresses through either dynamic or automatic allocation, or thorough static allocation (address reservations).
-
DHCPv4 operations fall into four basic phases: _____. These points are often abbreviated as _____.DHCPv4 operations fall into four basic phases: IP discovery, IP lease offer, IP request, and IP lease acknowledgement. These points are often abbreviated as DORA (Discovery, Offer, Request, Acknowledgement).
-
DHCPv4 options provided to clients include _____.DHCPv4 options provided to clients include subnet mask, router (default gateway), domain name server, domain name, NetBIOS name servers (WINS), lease time, renewal time (T1), rebinding time (T2), and others.
-
The base DHCP protocol does not include any mechanism for authentication. Because of this, it is vulnerable to a variety of attacks including _____.The base DHCP protocol does not include any mechanism for authentication. Because of this, it is vulnerable to a variety of attacks including unauthorized servers, unauthorized clients, and address exhaustion attacks from malicious clients.
-
DHCPv6 operations are similar to DHCPv4, but are described as _____. Renewals are processed with _____.DHCPv6 operations are similar to DHCPv4, but are described as Solicit, Advertise, Request, and Reply. Renewals are processed with Renew and Reply.
-
DHCPv6-PD prefix delegation is used to _____.DHCPv6-PD prefix delegation is used to assign a network address prefix to a user site, configuring the user's router with the prefix to be used for each LAN.
Assessments
[edit | edit source]See Also
[edit | edit source]References
[edit | edit source]- ↑ Wikipedia: Link-local address
- ↑ Wikipedia: Link-local address
- ↑ Wikipedia: Link-local address
- ↑ Wikipedia: Link-local address
- ↑ Wikipedia: Link-local address#IPv6
- ↑ Wikipedia: Link-local address#IPv6
- ↑ Wikipedia: Bootstrap Protocol
- ↑ Wikipedia: Bootstrap Protocol
- ↑ Wikipedia: Dynamic Host Configuration Protocol#History
- ↑ Wikipedia: Bootstrap Protocol
- ↑ Wikipedia: Bootstrap Protocol#History
- ↑ Wikipedia: Bootstrap Protocol#History
- ↑ Wikipedia: Dynamic Host Configuration Protocol
- ↑ Wikipedia: Dynamic Host Configuration Protocol
- ↑ Wikipedia: Dynamic Host Configuration Protocol
- ↑ Wikipedia: Dynamic Host Configuration Protocol
- ↑ RFC 2131
- ↑ RFC 2131
- ↑ Wikipedia: Dynamic Host Configuration Protocol#Technical overview
- ↑ Wikipedia: Dynamic Host Configuration Protocol#Technical details
- ↑ Wikipedia: Dynamic Host Configuration Protocol#DHCP options
- ↑ Wikipedia: Dynamic Host Configuration Protocol#Security
- ↑ Wikipedia: DHCPv6
- ↑ RFC 3315
- ↑ Wikipedia: Prefix delegation
- ↑ Wikipedia: Link-local address#IPv4
- ↑ Wikipedia: Bootstrapping
- ↑ Wikipedia: Diskless workstation
- ↑ Wikipedia: Fault-tolerant design
- ↑ Wikipedia: Preboot Execution Environment
- ↑ Wikipedia: Reverse Address Resolution Protocol
A link-local address is an Internet Protocol address that is intended only for communications within the segment of a local network (a link) or a point-to-point connection that a host is connected to. These activities will show you how to view and test link-local addresses.
Readings
[edit | edit source]Activities
[edit | edit source]See Also
[edit | edit source]Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Dynamic Host Configuration Protocol (DHCP) traffic.
Readings
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
Activity 1 - Capture DHCP Traffic
[edit | edit source]To capture DHCP traffic:
- Start a Wireshark capture.
- Open a command prompt.
- Type ipconfig /renew and press Enter.
- Type ipconfig /release and press Enter.
- Type ipconfig /renew and press Enter.
- Close the command prompt.
- Stop the Wireshark capture.
Activity 2 - Analyze DHCP Request Traffic
[edit | edit source]To analyze DHCP Request (lease renewal) traffic:
- Observe the traffic captured in the top Wireshark packet list pane. To view only DHCP traffic, type udp.port == 68 (lower case) in the Filter box and press Enter.
- In the top Wireshark packet list pane, select the first DHCP packet, labeled DHCP Request.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be your DHCP server's MAC address and the source should be your MAC address. You can use ipconfig /all and arp -a to confirm.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is your IP address.
- Observe the Destination address. Notice that the destination address is the IP address of the DHCP server.
- Expand User Datagram Protocol to view UDP details.
- Observe the Source port. Notice that it is bootpc (68), the BOOTP client port.
- Observe the Destination port. Notice that it is bootps (67), the BOOTP server port.
- Expand Bootstrap Protocol to view BOOTP details.
- Observe the DHCP Message Type. Notice that it is a Request (3).
- Observe the Client IP address, Client MAC address, and DHCP option fields. This is the request to the DHCP server.
Activity 3 - Analyze DHCP ACK Traffic
[edit | edit source]To analyze DHCP ACK (server acknowledgement) traffic:
- In the top Wireshark packet list pane, select the second DHCP packet, labeled DHCP ACK.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be your MAC address and the source should be your DHCP server's MAC address.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is the DHCP server IP address.
- Observe the Destination address. Notice that the destination address is your IP address.
- Expand User Datagram Protocol to view UDP details.
- Observe the Source port. Notice that it is bootps (67), the BOOTP server port.
- Observe the Destination port. Notice that it is bootpc (68), the BOOTP client port.
- Expand Bootstrap Protocol to view BOOTP details.
- Observe the DHCP Message Type. Notice that it is an ACK (5).
- Observe the Client IP address and Client MAC address fields. This is the acknowledgement from the DHCP server.
- Observe the DHCP options and expand to view the details for IP Address Lease Time, Subnet Mask, Router (Default Gateway), Domain Name Server, and Domain Name, as well as any other options if included.
Activity 4 - Analyze DHCP Release Traffic
[edit | edit source]To analyze DHCP Release traffic:
- In the top Wireshark packet list pane, select the third DHCP packet, labeled DHCP Release.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be your DHCP server's MAC address and the source should be your MAC address. You can use ipconfig /all and arp -a to confirm.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is your IP address.
- Observe the Destination address. Notice that the destination address is the IP address of the DHCP server.
- Expand User Datagram Protocol to view UDP details.
- Observe the Source port. Notice that it is bootpc (68), the BOOTP client port.
- Observe the Destination port. Notice that it is bootps (67), the BOOTP server port.
- Expand Bootstrap Protocol to view BOOTP details.
- Observe the DHCP Message Type. Notice that it is a Release (7).
- Observe the Client IP address and Client MAC address fields. This is the address that will be released on the DHCP server.
Activity 5 - Analyze DHCP Discover Traffic
[edit | edit source]To analyze DHCP Discover (lease request) traffic:
- In the top Wireshark packet list pane, select the fourth DHCP packet, labeled DHCP Discover.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be the broadcast address ff:ff:ff:ff:ff:ff and the source should be your MAC address. When the client doesn't have an IP address or server information, it has to broadcast to discover a DHCP server.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is 0.0.0.0, indicating no current IP address.
- Observe the Destination address. Notice that the destination address 255.255.255.255, the broadcast IP address.
- Expand User Datagram Protocol to view UDP details.
- Observe the Source port. Notice that it is bootpc (68), the BOOTP client port.
- Observe the Destination port. Notice that it is bootps (67), the BOOTP server port.
- Expand Bootstrap Protocol to view BOOTP details.
- Observe the DHCP Message Type. Notice that it is a Discover (1).
- Observe the Client IP address, Client MAC address, and DHCP option fields. This is the request to the DHCP server.
Activity 6 - Analyze DHCP Offer Traffic
[edit | edit source]To analyze DHCP Offer (server offer) traffic:
- In the top Wireshark packet list pane, select the fifth DHCP packet, labeled DHCP Offer.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be your MAC address and the source should be your DHCP server's MAC address.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is the DHCP server's IP address.
- Observe the Destination address. Notice that the destination address is 255.255.255.255 (broadcast) address.
- Expand User Datagram Protocol to view UDP details.
- Observe the Source port. Notice that it is bootps (67), the BOOTP server port.
- Observe the Destination port. Notice that it is bootpc (68), the BOOTP client port.
- Expand Bootstrap Protocol to view BOOTP details.
- Observe the DHCP Message Type. Notice that it is an Offer (2).
- Observe the Client IP address and Client MAC address fields. This is the offer from the DHCP server.
- Observe the DHCP options and expand to view the details for IP Address Lease Time, Subnet Mask, Router (Default Gateway), Domain Name Server, and Domain Name, as well as any other options if included.
Activity 7 - Analyze DHCP Request Traffic
[edit | edit source]To analyze DHCP Request (lease request) traffic:
- In the top Wireshark packet list pane, select the sixth DHCP packet, labeled DHCP Request.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be the broadcast address ff:ff:ff:ff:ff:ff and the source should be your MAC address. When the client doesn't have an IP address or server information, it has to broadcast to request an address lease.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is 0.0.0.0, indicating no current IP address.
- Observe the Destination address. Notice that the destination address 255.255.255.255, the broadcast IP address.
- Expand User Datagram Protocol to view UDP details.
- Observe the Source port. Notice that it is bootpc (68), the BOOTP client port.
- Observe the Destination port. Notice that it is bootps (67), the BOOTP server port.
- Expand Bootstrap Protocol to view BOOTP details.
- Observe the DHCP Message Type. Notice that it is a Request (3).
- Observe the Client IP address, Client MAC address, and DHCP option fields. This is the request to the DHCP server.
Activity 8 - Analyze DHCP ACK Traffic
[edit | edit source]To analyze DHCP ACK (server acknowledgement) traffic:
- In the top Wireshark packet list pane, select the seventh DHCP packet, labeled DHCP ACK.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be your MAC address and the source should be your DHCP server's MAC address.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is the DHCP server IP address.
- Observe the Destination address. Notice that the destination address is the broadcast address 255.255.255.255.
- Expand User Datagram Protocol to view UDP details.
- Observe the Source port. Notice that it is bootps (67), the BOOTP server port.
- Observe the Destination port. Notice that it is bootpc (68), the BOOTP client port.
- Expand Bootstrap Protocol to view BOOTP details.
- Observe the DHCP Message Type. Notice that it is an ACK (5).
- Observe the Client IP address and Client MAC address fields. This is the acknowledgement from the DHCP server.
- Observe the DHCP options and expand to view the details for IP Address Lease Time, Subnet Mask, Router (Default Gateway), Domain Name Server, and Domain Name, as well as any other options if included.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze DHCPv6 traffic.
Readings
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
Activity 1 - Capture DHCPv6 Traffic
[edit | edit source]To capture DHCPv6 traffic:
- Start a Wireshark capture.
- Open a command prompt.
- Type ipconfig /renew6 and press Enter.
- Type ipconfig /release6 and press Enter.
- Type ipconfig /renew6 and press Enter.
- Close the command prompt.
- Stop the Wireshark capture.
Activity 2 - Analyze DHCPv6 Renew Traffic
[edit | edit source]To analyze DHCPv6 Renew traffic:
- Observe the traffic captured in the top Wireshark packet list pane. To view only DHCPv6 traffic, type dhcpv6 (lower case) in the Filter box and press Enter.
- In the top Wireshark packet list pane, select the first DHCPv6 packet, labeled DHCPv6 Renew.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / User Datagram Protocol / DHCPv6 frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be the DHCPv6 multicast MAC address 33:33:00:01:00:02 and the source should be your MAC address. You can use ipconfig /all and netsh interface ipv6 show neighbors to confirm.
- Expand Internet Protocol Version 6 to view IPv6 details.
- Observe the Source address. Notice that the source address is your link-local IPv6 address.
- Observe the Destination address. Notice that the destination address is the DHCPv6 multicast address ff02::1:2.
- Expand User Datagram Protocol to view UDP details.
- Observe the Source port. Notice that it is dhcpv6-client (546).
- Observe the Destination port. Notice that it is dhcpv6-server (547).
- Expand DHCPv6 to view DHCPv6 details.
- Observe the DHCPv6 Message Type. Notice that it is a Renew (5).
- Observe the Client Identifier and Server Identifier fields.
- Expand Option Request to view option details.
- Observe the requested options.
Activity 3 - Analyze DHCPv6 Reply Traffic
[edit | edit source]To analyze DHCPv6 Reply traffic:
- In the top Wireshark packet list pane, select the second DHCPv6 packet, labeled DHCPv6 Reply.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / User Datagram Protocol / DHCPv6 frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be your MAC address and the source should be your DHCPv6 server's MAC address.
- Expand Internet Protocol Version 6 to view IPv6 details.
- Observe the Source address. Notice that the source address is the DHCPv6 server IPv6 address.
- Observe the Destination address. Notice that the destination address is your link-local IPv6 address.
- Expand User Datagram Protocol to view UDP details.
- Observe the Source port. Notice that it is a dynamic port.
- Observe the Destination port. Notice that it is dhcpv6-client (546).
- Expand DHCPv6 to view DHCPv6 details.
- Observe the DHCPv6 Message Type. Notice that it is a Reply (7).
- Expand Client Identifier, Server Identifier, and Identity Association to view Reply details.
- Observe the MAC addresses, IPv6 addresses, and lease time, as well as any options if included.
Activity 4 - Analyze DHCPv6 Release Traffic
[edit | edit source]To analyze DHCPv6 Release traffic:
- In the top Wireshark packet list pane, select the third DHCPv6 packet, labeled DHCPv6 Release.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / User Datagram Protocol / DHCPv6 frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be the DHCPv6 multicast MAC address 33:33:00:01:00:02 and the source should be your MAC address.
- Expand Internet Protocol Version 6 to view IPv6 details.
- Observe the Source address. Notice that the source address is your link-local IPv6 address.
- Observe the Destination address. Notice that the destination address is the DHCPv6 multicast address ff02::1:2.
- Expand User Datagram Protocol to view UDP details.
- Observe the Source port. Notice that it is dhcpv6-client (546).
- Observe the Destination port. Notice that it is dhcpv6-server (547).
- Expand DHCPv6 to view DHCPv6 details.
- Observe the DHCPv6 Message Type. Notice that it is a Release (8).
- Expand Client Identifier, Server Identifier, and Identity Association to view Release details.
- Observe the MAC addresses, IPv6 addresses, and lease time, as well as any options if included. This is the address that will be released on the DHCPv6 server.
Activity 5 - Analyze DHCPv6 Reply Traffic
[edit | edit source]To analyze DHCPv6 Reply traffic:
- In the top Wireshark packet list pane, select the second DHCPv6 packet, labeled DHCPv6 Reply.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / User Datagram Protocol / DHCPv6 frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be your MAC address and the source should be your DHCPv6 server's MAC address.
- Expand Internet Protocol Version 6 to view IPv6 details.
- Observe the Source address. Notice that the source address is the DHCPv6 server IPv6 address.
- Observe the Destination address. Notice that the destination address is your link-local IPv6 address.
- Expand User Datagram Protocol to view UDP details.
- Observe the Source port. Notice that it is a dynamic port.
- Observe the Destination port. Notice that it is dhcpv6-client (546).
- Expand DHCPv6 to view DHCPv6 details.
- Observe the DHCPv6 Message Type. Notice that it is a Reply (7).
- Expand Client Identifier and Server Identifier to view Reply details.
- Observe the MAC addresses and IPv6 addresses. Notice that there is no Identity Association in reply to an address release.
Activity 6 - Analyze DHCPv6 Solicit Traffic
[edit | edit source]To analyze DHCPv6 Solicit traffic:
- In the top Wireshark packet list pane, select the fifth DHCPv6 packet, labeled DHCPv6 Solicit.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / User Datagram Protocol / DHCPv6 frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be the DHCPv6 multicast MAC address 33:33:00:01:00:02 and the source should be your MAC address.
- Expand Internet Protocol Version 6 to view IPv6 details.
- Observe the Source address. Notice that the source address is your link-local IPv6 address.
- Observe the Destination address. Notice that the destination address is the DHCPv6 multicast address ff02::1:2.
- Expand User Datagram Protocol to view UDP details.
- Observe the Source port. Notice that it is dhcpv6-client (546).
- Observe the Destination port. Notice that it is dhcpv6-server (547).
- Expand DHCPv6 to view DHCPv6 details.
- Observe the DHCPv6 Message Type. Notice that it is a Solicit (1).
- Expand Client Identifier, Identity Association, and Option Request to view Solicit details.
- Observe the MAC address, as well as any options if included.
Activity 7 - Analyze DHCPv6 Advertise Traffic
[edit | edit source]To analyze DHCPv6 Advertise traffic:
- In the top Wireshark packet list pane, select the sixth DHCPv6 packet, labeled DHCPv6 Advertise.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / User Datagram Protocol / DHCPv6 frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be your MAC address and the source should be your DHCPv6 server's MAC address.
- Expand Internet Protocol Version 6 to view IPv6 details.
- Observe the Source address. Notice that the source address is the DHCPv6 server IPv6 address.
- Observe the Destination address. Notice that the destination address is your link-local IPv6 address.
- Expand User Datagram Protocol to view UDP details.
- Observe the Source port. Notice that it is a dynamic port.
- Observe the Destination port. Notice that it is dhcpv6-client (546).
- Expand DHCPv6 to view DHCPv6 details.
- Observe the DHCPv6 Message Type. Notice that it is an Advertise (2).
- Expand Client Identifier, Server Identifier, and Identity Association to view Advertise details.
- Observe the MAC addresses, IPv6 addresses, and lease time, as well as any options if included.
Activity 8 - Analyze DHCPv6 Request Traffic
[edit | edit source]To analyze DHCPv6 Request traffic:
- In the top Wireshark packet list pane, select the seventh DHCPv6 packet, labeled DHCPv6 Request.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / User Datagram Protocol / DHCPv6 frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be the DHCPv6 multicast MAC address 33:33:00:01:00:02 and the source should be your MAC address.
- Expand Internet Protocol Version 6 to view IPv6 details.
- Observe the Source address. Notice that the source address is your link-local IPv6 address.
- Observe the Destination address. Notice that the destination address is the DHCPv6 multicast address ff02::1:2.
- Expand User Datagram Protocol to view UDP details.
- Observe the Source port. Notice that it is dhcpv6-client (546).
- Observe the Destination port. Notice that it is dhcpv6-server (547).
- Expand DHCPv6 to view DHCPv6 details.
- Observe the DHCPv6 Message Type. Notice that it is a Request (3).
- Expand Client Identifier, Identity Association, and Option Request to view Request details.
- Observe the MAC address, as well as any options if included.
Activity 9 - Analyze DHCPv6 Reply Traffic
[edit | edit source]To analyze DHCPv6 Reply traffic:
- In the top Wireshark packet list pane, select the eighth DHCPv6 packet, labeled DHCPv6 Reply.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / User Datagram Protocol / DHCPv6 frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be your MAC address and the source should be your DHCPv6 server's MAC address.
- Expand Internet Protocol Version 6 to view IPv6 details.
- Observe the Source address. Notice that the source address is the DHCPv6 server IPv6 address.
- Observe the Destination address. Notice that the destination address is your link-local IPv6 address.
- Expand User Datagram Protocol to view UDP details.
- Observe the Source port. Notice that it is a dynamic port.
- Observe the Destination port. Notice that it is dhcpv6-client (546).
- Expand DHCPv6 to view DHCPv6 details.
- Observe the DHCPv6 Message Type. Notice that it is a Reply (7).
- Expand Client Identifier, Server Identifier, and Identity Association to view Reply details.
- Observe the MAC addresses, IPv6 addresses, and lease time, as well as any options if included.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]Lesson 12 - Name Resolution
[edit | edit source]This lesson introduces name resolution and looks at hosts files, the Domain Name System (DNS), and NetBIOS over TCP/IP (NetBT). Activities include editing the hosts file and using Wireshark to examine DNS network traffic.
Readings
[edit | edit source]- Wikipedia: Hosts (file)
- Wikipedia: Domain Name System
- Wikipedia: Multicast DNS
- Wikipedia: Link-local Multicast Name Resolution
- Wikipedia: NetBIOS over TCP/IP
Multimedia
[edit | edit source]- YouTube: An Overview of DNS - CompTIA Network+ N10-005: 1.7
- YouTube: DNS Records - CompTIA Network+ N10-005: 1.7
- YouTube: Dynamic DNS - CompTIA Network+ N10-005: 1.7
- YouTube: Basics of ipconfig, ping, tracert, nslookup and netstat
- YouTube: Using nslookup to Resolve Domain Names to IP Addresses
- YouTube: The Nbtstat Command - CompTIA Network+ N10-005: 4.3
Activities
[edit | edit source]- View the Hosts file.
- Edit the Hosts file.
- Use nslookup to display host addresses.
- Use nslookup to display other record types.
- Review the current DNS root zone settings file.
- Use nslookup to simulate a recursive query.
- Review Wireshark: DNS.
- Use Wireshark to capture and analyze Domain Name System (DNS) traffic.
- Use Wireshark to capture and analyze Link Local Multicast Name Resolution (LLNMR) traffic.
- Use nbtstat to display NetBIOS over TCP/IP statistics.
- Consider situations in which a packet analyzer might be used to troubleshoot name resolution traffic.
Lesson Summary
[edit | edit source]- The hosts file is a computer file used in an operating system to map hostnames to IP addresses.[1]
- The hosts file contains lines of text consisting of an IP address in the first text field followed by one or more host names.[2]
- Comments in the hosts file are indicated by a hash character (#) in the first position of such lines.[3]
- The location of the hosts file on Windows systems is %SystemRoot%\system32\drivers\etc\hosts.[4]
- The hosts file may be used to define any hostname or domain name for use by the local system.[5]
- The hosts file represents an attack vector for malicious software, because the hosts file is queried before DNS.[6]
- The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network.[7]
- The Domain Name System distributes the responsibility of assigning domain names and mapping those names to IP addresses. Authoritative name servers are assigned to be responsible for their particular domains, and in turn can assign other authoritative name servers for their sub-domains.[8]
- A domain name consists of one or more parts, technically called labels, that are concatenated and delimited by dots (.).[9]
- The hierarchy of domains within a domain name descends from right to left.[10]
- Each label in a domain name may contain up to 63 characters. The full domain name may not exceed a total length of 253 characters.[11]
- Common DNS record types include A (address), AAAA (IPv6 address), CNAME (canonical or alias name), MX (mail exchange), NS (name server), PTR (pointer), SOA (start of authority), and TXT (text).[12]
- A non-recursive query is one in which the DNS server provides a record for a domain for which it is authoritative itself, or it provides a partial result without querying other servers.[13]
- A recursive query is one for which the DNS server will fully answer the query (or give an error) by querying other name servers as needed.[14]
- Caching DNS servers cache DNS queries and perform recursive queries to improve efficiency, reduce DNS traffic across the Internet, and increase performance in end-user applications.[15]
- A reverse lookup is a query of the DNS for domain names when the IP address is known using the IPv4 domain in-addr.arpa or the IPv6 domain ip6.arpa, and reverse lookup IP addresses are specified in reverse order.[16]
- Link Local Multicast Name Resolution (LLMNR) is a protocol based on the Domain Name System (DNS) packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link.[17]
- LLMNR responders listen on UDP port 5355 on IPv4 address 224.0.0.252 (MAC address 01-00-5E-00-00-FC) and IPv6 address FF02::1:3 (MAC address 33-33-00-01-00-03).[18]
- NetBIOS over TCP/IP (NBT) is a networking protocol that allows legacy computer applications relying on the NetBIOS API to be used on modern TCP/IP networks.[19]
- NetBIOS provides three distinct services: Name service for name registration and resolution on port 137, Datagram distribution service for connectionless communication on port 138, and Session service for connection-oriented communication on port 139.[20]
- NetBIOS is a legacy protocol used to support computers and applications that predate Windows 2000 and do not support host names. It is enabled by default, though most Windows 2000 and later networks and applications no longer require it.[21]
Key Terms
[edit | edit source]- American Standard Code for Information Interchange (ASCII)
- A character-encoding scheme originally based on the English alphabet.[22]
- authoritative name server
- A name server that gives answers that have been configured by an original source rather than answers that were obtained via a DNS query to another name server.[23]
- Berkley Internet Name Domain (BIND)
- The DNS server service (daemon) included in most Unix and Unix-like operating systems.[24]
- dig (domain information groper)
- A network administration command-line tool for querying Domain Name System (DNS) name servers used on Unix-like systems.[25]
- DNS root zone
- The top-level DNS zone in a hierarchical namespace using the Domain Name System (DNS).[26]
- DNS spoofing
- A computer hacking attack, whereby data is introduced into a Domain Name System (DNS) name server's cache database, causing the name server to return an incorrect IP address and diverting traffic to another computer (often the attacker's).[27]
- DNS zone
- A portion of a domain name space using the Domain Name System (DNS) for which administrative responsibility has been delegated.[28]
- DomainKeys Identified Mail (DKIM)
- A method for associating a domain name to an email message, thereby allowing a person, role, or organization to claim some responsibility for the message and a recipient to validate that the message was not modified in transit.[29]
- domain name registrar
- An organization or commercial entity that manages the reservation of Internet domain names.[30]
- Dynamic DNS (DDNS)
- A method of updating, in real time, a Domain Name System (DNS) to point to a changing IP address on a network or on the Internet.[31]
- Fully Qualified Domain Name (FQDN)
- A domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS), including the top-level domain and the root zone.[32]
- Internationalizing Domain Names in Applications (IDNA)
- A mechanism for converting domain names containing non-ASCII characters to an ASCII-coded equivalent.[33]
- Letters Digits Hyphen (LDH) rule
- The guideline for characters allowed in a domain name, which include letters, digits, and the hyphen.[34]
- NetBIOS Frames (NBF)
- A non-routable transport-level data protocol most commonly used as one of the layers of Microsoft Windows networking in the 1990s.[35]
- nslookup
- A network administration command-line tool for querying Domain Name System (DNS) name servers used on Windows systems.[36]
- Phishing
- The act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity.[37]
- Punycode
- An instance of a general encoding syntax by which a string of Unicode characters is transformed uniquely and reversibly into a smaller, restricted character set.[38]
- root name server
- A name server for the Domain Name System's root zone.[39]
- Sender Policy Framework (SPF)
- An email validation system designed to prevent email spam by verifying sender IP addresses using the Domain Name System (DNS) and TXT records.[40]
- Server Message Block (SMB)
- An application-layer protocol mainly used for providing shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network, as well as providing an authenticated inter-process communication mechanism.[41]
- top-level domain (TLD)
- One of the domains at the highest level in the hierarchical Domain Name System of the Internet.[42]
- Unicode
- A computing industry standard for the consistent encoding, representation and handling of text expressed in most of the world's writing systems.[43]
- Uniform resource locator (URL)
- A specific character string that constitutes a reference to an Internet resource.[44]
- WHOIS
- A query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information.[45]
- Windows Internet Name Service (WINS)
- Microsoft's implementation of NetBIOS Name Service (NBNS), a name server and service for NetBIOS computer names.[46]
Review Questions
[edit | edit source]Click on a question to see the answer.
-
The _____ file is a computer file used in an operating system to map hostnames to IP addresses.The hosts file is a computer file used in an operating system to map hostnames to IP addresses.
-
The hosts file contains lines of text consisting of _____.The hosts file contains lines of text consisting of an IP address in the first text field followed by one or more host names.
-
Comments in the hosts file are indicated by _____.Comments in the hosts file are indicated by a hash character (#) in the first position of such lines.
-
The location of the hosts file on Windows systems is _____.The location of the hosts file on Windows systems is %SystemRoot%\system32\drivers\etc\hosts.
-
The _____ file may be used to define any hostname or domain name for use by the local system.The hosts file may be used to define any hostname or domain name for use by the local system.
-
The hosts file represents _____ for malicious software.The hosts file represents an attack vector for malicious software.
-
The Domain Name System (DNS) is a _____ for computers, services, or any resource connected to the Internet or a private network.The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network.
-
The Domain Name System _____ the responsibility of assigning domain names and mapping those names to IP addresses. _____ name servers are assigned to be responsible for their particular domains, and in turn can assign other _____ name servers for their sub-domains.The Domain Name System distributes the responsibility of assigning domain names and mapping those names to IP addresses. Authoritative name servers are assigned to be responsible for their particular domains, and in turn can assign other authoritative name servers for their sub-domains.
-
A domain name consists of one or more parts, technically called _____, that are concatenated and delimited by _____.A domain name consists of one or more parts, technically called labels, that are concatenated and delimited by dots (.).
-
The hierarchy of domains within a domain name descends from _____ to _____.The hierarchy of domains within a domain name descends from right to left.
-
Each label in a domain name may contain up to _____ characters. The full domain name may not exceed a total length of _____ characters.Each label in a domain name may contain up to 63 characters. The full domain name may not exceed a total length of 253 characters.
-
Common DNS record types include _____ (address), _____ (IPv6 address), _____ (canonical or alias name), _____ (mail exchange), _____ (name server), _____ (pointer), _____ (start of authority), and _____ (text).Common DNS record types include A (address), AAAA (IPv6 address), CNAME (canonical or alias name), MX (mail exchange), NS (name server), PTR (pointer), SOA (start of authority), and TXT (text).
-
A _____ query is one in which the DNS server provides a record for a domain for which it is authoritative itself, or it provides a partial result without querying other servers.A non-recursive query is one in which the DNS server provides a record for a domain for which it is authoritative itself, or it provides a partial result without querying other servers.
-
A _____ query is one for which the DNS server will fully answer the query (or give an error) by querying other name servers as needed.A recursive query is one for which the DNS server will fully answer the query (or give an error) by querying other name servers as needed.
-
Caching DNS servers cache DNS queries and perform recursive queries to _____.Caching DNS servers cache DNS queries and perform recursive queries to improve efficiency, reduce DNS traffic across the Internet, and increase performance in end-user applications.
-
A reverse lookup is a query of the DNS for _____ using the IPv4 domain _____ or the IPv6 domain _____, and reverse lookup IP addresses are specified in _____ order.A reverse lookup is a query of the DNS for domain names when the IP address is known using the IPv4 domain in-addr.arpa or the IPv6 domain ip6.arpa, and reverse lookup IP addresses are specified in reverse order.
-
Link Local Multicast Name Resolution (LLMNR) is a protocol based on the Domain Name System (DNS) packet format that allows both IPv4 and IPv6 hosts to _____.Link Local Multicast Name Resolution (LLMNR) is a protocol based on the Domain Name System (DNS) packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link.
-
LLMNR responders listen on UDP port _____ on IPv4 address _____ and IPv6 address _____.LLMNR responders listen on UDP port 5355 on IPv4 address 224.0.0.252 (MAC address 01-00-5E-00-00-FC) and IPv6 address FF02::1:3 (MAC address 33-33-00-01-00-03).
-
NetBIOS over TCP/IP (NBT) is a networking protocol that allows _____.NetBIOS over TCP/IP (NBT) is a networking protocol that allows legacy computer applications relying on the NetBIOS API to be used on modern TCP/IP networks.
-
NetBIOS provides three distinct services: _____, _____, and _____.NetBIOS provides three distinct services: Name service for name registration and resolution on port 137, Datagram distribution service for connectionless communication on port 138, and Session service for connection-oriented communication on port 139.
-
NetBIOS is a legacy protocol used to support computers and applications that predate _____ and do not support _____.NetBIOS is a legacy protocol used to support computers and applications that predate Windows 2000 and do not support host names.
Assessments
[edit | edit source]See Also
[edit | edit source]References
[edit | edit source]- ↑ Wikipedia: Hosts (file)
- ↑ Wikipedia: Hosts (file)#File content
- ↑ Wikipedia: Hosts (file)#File content
- ↑ Wikipedia: Hosts (file)#Location in the file system
- ↑ Wikipedia: Hosts (file)#Extended applications
- ↑ Wikipedia: Hosts (file)#Security issues
- ↑ Wikipedia: Domain Name System
- ↑ Wikipedia: Domain Name System
- ↑ Wikipedia: Domain Name System#Domain name syntax
- ↑ Wikipedia: Domain Name System#Domain name syntax
- ↑ Wikipedia: Domain Name System#Domain name syntax
- ↑ Wikipedia: List of DNS record types
- ↑ Wikipedia: Domain Name System#DNS resolvers
- ↑ Wikipedia: Domain Name System#DNS resolvers
- ↑ Wikipedia: Domain Name System#Recursive and caching name server
- ↑ Wikipedia: Domain Name System#Reverse lookup
- ↑ Wikipedia: Link-local Multicast Name Resolution
- ↑ Wikipedia: Link-local Multicast Name Resolution
- ↑ Wikipedia: NetBIOS over TCP/IP
- ↑ http://en.wikipedia.org/wiki/NetBIOS_over_TCP/IP#Services
- ↑ Wikipedia: NetBIOS over TCP/IP#Decreasing relevance in post-NT Client-Server Networks
- ↑ Wikipedia: ASCII
- ↑ Wikipedia: Domain Name System#Authoritative name server
- ↑ Wikipedia: BIND
- ↑ Wikipedia: Domain Information Groper
- ↑ Wikipedia: DNS root zone
- ↑ Wikipedia: DNS spoofing
- ↑ Wikipedia: DNS zone
- ↑ Wikipedia: DomainKeys Identified Mail
- ↑ Wikipedia: Domain name registrar
- ↑ Wikipedia: Dynamic DNS
- ↑ Wikipedia: Fully qualified domain name
- ↑ Wikipedia: Internationalized domain name
- ↑ Wikipedia: Domain Name System#Domain name syntax
- ↑ Wikipedia: NetBIOS Frames protocol
- ↑ Wikipedia: Nslookup
- ↑ Wikipedia: Phishing
- ↑ Wikipedia: Punycode
- ↑ Wikipedia: Root nameserver
- ↑ Wikipedia: Sender Policy Framework
- ↑ Wikipedia: Server Message Block
- ↑ Wikipedia: Top-level domain
- ↑ Wikipedia: Unicode
- ↑ Wikipedia: Uniform Resource Locator
- ↑ Wikipedia: WHOIS
- ↑ Wikipedia: Windows Internet Name Service
The hosts file is a plain text file used to map host names to IP addresses. On Windows, it is located in the C:\Windows\System32\drivers\etc folder. This activity will show you how to view the hosts file.
Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
View the hosts File
[edit | edit source]To view the hosts file:
- Open the Start menu.
- Select All Programs.
- Select Accessories.
- Select Notepad.
- In Notepad, select File then Open.
- Navigate to C:\Windows\System32\drivers\etc.
- Change the file type to open from Text Documents (*.txt) to All Files (*.*).
- Open the hosts file.
- Read the comments in the host file. The comments begin with a # character.
- Observe the host records stored in the file. At a minimum you should find a record for 127.0.0.1 localhost.
- Close Notepad. Do not save any changes.
Readings
[edit | edit source]References
[edit | edit source]The hosts file is a plain text file used to map host names to IP addresses. On Windows, it is located in the C:\Windows\System32\drivers\etc folder.
Note that the "Hosts" file is owned by the "System" account [NT AUTHORITY/SYSTEM] and may only be modified by an administrator.
Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
View the hosts file
[edit | edit source]To view the hosts file:
- Open the Start menu.
- In the Run box, type Notepad.exe and press Enter. Note: If you will be editing the hosts file in the next activity, you must right-click on Notepad and Run as administrator rather than press Enter.
- In Notepad, select File then Open.
- Navigate to C:\Windows\System32\drivers\etc.
- Change the file type to open from Text Documents (*.txt) to All Files (*.*).
- Open the hosts file.
- Read the comments in the host file. The comments begin with a # character.
- Observe the host records stored in the file. At a minimum you should find a record for 127.0.0.1 localhost.
Edit the hosts file
[edit | edit source]To edit the hosts file:
- Change the line 127.0.0.1 localhost to 127.0.0.1 localhost me.
- In Notepad, select File then Save to save the file.
- Open a command prompt.
- Type ping me and press Enter.
- Observe the results. The ping should be successful, because the name me is now defined as an alias for the loopback address 127.0.0.1.
- In Notepad, remove me from the line 127.0.0.1 localhost and then save the hosts file.
- In the command prompt, type ping me and press Enter.
- Observe the results. The ping should fail, because the name me is no longer defined as an alias for the loopback address.
- In Notepad, add a line of 8.8.8.8 googledns and then save the hosts file.
- In the command prompt, type ping googledns and press Enter.
- Observe the results. The ping should be successful, because the name googledns is now defined as an alias for 8.8.8.8.
- In Notepad, remove the line of 8.8.8.8 googledns and then save the hosts file.
- In the command prompt, type ping googledns and press Enter.
- Observe the results. The ping should fail, because the name googledns is no longer defined as an alias for 8.8.8.8.
- Close the command prompt and close Notepad to complete this activity.
Readings
[edit | edit source]References
[edit | edit source]Nslookup is a command-line tool used to query a Domain Name System (DNS) server to obtain an IP address mapping or other DNS records. These activities will show you how to use the nslookup command to display host addresses.
Preparation
[edit | edit source]To prepare for this activity:
- Start your operating system.
- Log in if necessary.
Activity 1 - Observe DNS Settings
[edit | edit source]To observe DNS settings:
- Open a command prompt.
- Use ipconfig /all to display DNS settings.
- Observe the DNS Servers address values.
Activity 2 - Display Host Addresses
[edit | edit source]To display host addresses:
- Type nslookup www.google.com and press Enter.
- Observe the server information. Notice the DNS server address matches one of the values listed for DNS Servers above.
- Observe the results. Notice that both IPv4 and IPv6 addresses are displayed. Google has assigned both IPv4 and IPv6 addresses to this host.
- Type nslookup ipv4.google.com and press Enter.
- Observe the results. Notice that only IPv4 addresses are displayed. Google has not assigned an IPv6 address to this host name.
- Type nslookup ipv6.google.com and press Enter.
- Observe the results. Notice that only IPv6 addresses are displayed. Google has not assigned an IPv4 address to this host name.
Activity 3 - Use a Custom DNS Server
[edit | edit source]To use a custom DNS server:
- Type nslookup www.google.com 8.8.8.8 and press Enter.
- Observe the server information. Notice the DNS server address is 8.8.8.8.
- Type nslookup www.google.com 8.8.4.4 and press Enter.
- Observe the server information. Notice the DNS server address is 8.8.4.4.
- Close the command prompt to complete this activity.
Readings
[edit | edit source]References
[edit | edit source]Nslookup is a command-line tool used to query a Domain Name System (DNS) server to obtain an IP address mapping or other DNS records. These activities will show you how to use the nslookup command to display other record types.
Preparation
[edit | edit source]To prepare for this activity:
- Start your operating system.
- Log in if necessary.
Activity 1 - Display Host Addresses
[edit | edit source]To display host addresses:
- Open a command prompt.
- Type nslookup google.com and press Enter.
- Observe the results. Notice the IP addresses listed for this host name.
Activity 2 - Display Other Record Types
[edit | edit source]To display other record types:
- Type nslookup -type=ns google.com and press Enter.
- Observe the results. Notice the name servers listed for this domain name.
- Type nslookup -type=soa google.com and press Enter.
- Observe the results. Notice the start of authority information listed for this zone.
- Type nslookup -type=mx google.com and press Enter.
- Observe the results. Notice the mail exchangers listed for this domain name.
- Type nslookup -type=txt google.com and press Enter.
- Observe the results. Notice the text records listed for this domain name.
- Close the command prompt to complete this activity.
Readings
[edit | edit source]References
[edit | edit source]Nslookup is a command-line tool used to query a Domain Name System (DNS) server to obtain an IP address mapping or other DNS records. These activities will show you how to use the nslookup command to simulate recursive queries.
Preparation
[edit | edit source]To prepare for this activity:
- Start your operating system.
- Log in if necessary.
Activity 1 - Perform a Recursive Query
[edit | edit source]To perform a recursive query:
- Open a command prompt.
- Type nslookup en.wikiversity.org and press Enter.
- Observe the results. Notice the IP address listed for this host name. Note that this is a recursive query. The following activity will simulate the queries necessary to return this address information.
Activity 2 - Simulate a Recursive Query
[edit | edit source]To simulate a recursive query:
- Type nslookup -norecurse -type=ns org. a.root-servers.net and press Enter. The -norecurse option forces nslookup to issue a non-recursive or iterative query. This is the type of query that DNS servers typically issue to other DNS servers.
- Observe the results. Notice the name servers listed for the org. domain. Select the first org. name server IP address returned.
- Type nslookup -norecurse -type=ns wikiversity.org. <org. name server>, where <org. name server> is the first org. name server IP address listed above. Then press Enter.
- Observe the results. Notice the name servers listed for the wikiversity.org. domain. Select the first wikiversity.org. name server IP address returned.
- Type nslookup -norecurse en.wikiversity.org. <wikiversity.org. name server>, where <wikiversity.org. name server> is the first wikiversity.org. name server IP address listed above. Then press Enter.
- Observe the results. Notice the IP address should match the IP address for en.wikiversity.org returned in Activity 1 above.
- Close the command prompt to complete this activity.
Readings
[edit | edit source]References
[edit | edit source]Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Domain Name System (DNS) traffic.
Readings
[edit | edit source]Multimedia
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
Activity 1 - Capture DNS Traffic
[edit | edit source]To capture DNS traffic:
- Start a Wireshark capture.
- Open a command prompt.
- Type ipconfig /flushdns and press Enter to clear the DNS cache.
- Type ipconfig /displaydns and press Enter to display the DNS cache.
- Observe the results. Notice the only records currently displayed come from the hosts file.
- Type nslookup en.wikiversity.org and press Enter.
- Observe the results. Notice there is an entry in the cache for en.wikiversity.org.
- Close the command prompt.
- Stop the Wireshark capture.
Activity 2 - Analyze DNS Query Traffic
[edit | edit source]To analyze DNS query traffic:
- Observe the traffic captured in the top Wireshark packet list pane. To view only DNS traffic, type udp.port == 53 (lower case) in the Filter box and press Enter.
- Select the DNS packet labeled Standard query A en.wikiversity.org.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Domain Name System (query) frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be either your local DNS server's MAC address or your default gateway's MAC address and the source should be your MAC address. You can use ipconfig /all and arp -a to confirm.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is your IP address.
- Observe the Destination address. Notice that the destination address is the IP address of the DNS server.
- Expand User Datagram Protocol to view UDP details.
- Observe the Source port. Notice that it is a dynamic port selected for this DNS query.
- Observe the Destination port. Notice that it is domain (53), the DNS server port.
- Expand Domain Name System (query) to view DNS details.
- Expand Flags to view flags details.
- Observe the Recursion desired field. Notice that a recursive query is requested.
- Expand Queries to view query details.
- Observe the query for en.wikiversity.org.
Activity 3 - Analyze DNS Response Traffic
[edit | edit source]To analyze DNS response traffic:
- In the top Wireshark packet list pane, select the next DNS packet, labeled Standard query response CNAME wikiversity....
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Domain Name System (response) frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be your MAC address and the source should be your local DNS server's MAC address or your default gateway's MAC address.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is the DNS server IP address.
- Observe the Destination address. Notice that the destination address is your IP address.
- Expand User Datagram Protocol to view UDP details.
- Observe the Source port. Notice that it is domain (53), the DNS server port.
- Observe the Destination port. Notice that it is the same dynamic port used to make the DNS query in the first packet.
- Expand Domain Name System (query) to view DNS details.
- Expand Flags to view flags details.
- Observe the flags. Notice that this is a recursive response.
- Expand Queries to view query details.
- Observe the query for en.wikiversity.org.
- Expand Answers to view answer details.
- Observe the CNAME and A records returned in response to this DNS query.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Link-Local Multicast Name Resolution (LLMNR) traffic.
Readings
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
Activity 1 - Capture LLMNR Traffic
[edit | edit source]To capture LLMNR traffic:
- Start a Wireshark capture.
- Open a command prompt.
- Type ping <unknown>, where <unknown> is any unknown host name on your network. An unknown host name is used for this activity because names resolved by DNS will not generate LLMNR traffic.
- Close the command prompt.
- Stop the Wireshark capture.
Activity 2 - Analyze LLMNR IPv6 Traffic
[edit | edit source]To analyze LLMNR IPv6 traffic:
- Observe the traffic captured in the top Wireshark packet list pane. To view only LLMNR traffic, type udp.port == 5355 (lower case) in the Filter box and press Enter.
- Select the first LLMNR packet labeled Standard query.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / User Datagram Protocol / Link-local Multicast Name Resolution (query) frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be the LLMNR IPv6 multicast MAC address 33:33:00:01:00:03 and the source should be your MAC address. You can use ipconfig /all and netsh interface ipv6 show neighbors to confirm.
- Expand Internet Protocol Version 6 to view IPv6 details.
- Observe the Source address. Notice that the source address is your link-local IPv6 address.
- Observe the Destination address. Notice that the destination address is the LLMNR multicast IPv6 address ff02::1:3.
- Expand User Datagram Protocol to view UDP details.
- Observe the Source port. Notice that it is a dynamic port selected for this LLMNR query.
- Observe the Destination port. Notice that it is llmnr (5355).
- Expand Link-local Multicast Name Resolution (query) to view LLMNR details.
- Expand Flags to view flags details.
- Expand Queries to view query details.
- Observe the query generated.
Activity 3 - Analyze LLMNR IPv4 Traffic
[edit | edit source]To analyze LLMNR IPv4 traffic:
- Observe the traffic captured in the top Wireshark packet list pane. To view only LLMNR traffic, type udp.port == 5355 (lower case) in the Filter box and press Enter.
- Select the second LLMNR packet labeled Standard query.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Link-local Multicast Name Resolution (query) frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be the LLMNR IPv4 multicast MAC address 01:00:5e:00:00:fc and the source should be your MAC address. You can use ipconfig /all and arp -a to confirm.
- Expand Internet Protocol Version 4 to view IPv4 details.
- Observe the Source address. Notice that the source address is your IPv4 address.
- Observe the Destination address. Notice that the destination address is the LLMNR multicast IPv4 address 224.0.0.252.
- Expand User Datagram Protocol to view UDP details.
- Observe the Source port. Notice that it is a dynamic port selected for this LLMNR query.
- Observe the Destination port. Notice that it is llmnr (5355).
- Expand Link-local Multicast Name Resolution (query) to view LLMNR details.
- Expand Flags to view flags details.
- Expand Queries to view query details.
- Observe the query generated.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]Nbtstat is a Windows command-line tool that displays NetBIOS over TCP/IP statistics. These activities will show you how to use the nbtstat command.
Readings
[edit | edit source]Activities
[edit | edit source]References
[edit | edit source]Lesson 13 - Application Layer
[edit | edit source]This lesson introduces the Application layer and looks at a variety of application-layer protocols. Activities include using Wireshark to examine Hyper Text Transfer Protocol (HTTP), HTTP Secure (HTTPS), and Simple Mail Transfer Protocol (SMTP) network traffic.
Readings
[edit | edit source]- Wikipedia: Application layer
- Wikipedia: Hypertext Transfer Protocol
- Wikipedia: HTTP Secure
- Wikipedia: Transport Layer Security
- Wikipedia: Simple Mail Transfer Protocol
Multimedia
[edit | edit source]- YouTube: Common TCP and UDP Ports - CompTIA Network+ N10-005: 1.5
- YouTube: Application Protocols - CompTIA Network+ N10-005: 1.6
- YouTube: Telnet Client and Server Demonstration in Windows Vista and XP
Activities
[edit | edit source]- Review Wireshark: Hyper Text Transfer Protocol (HTTP).
- Use Wireshark to capture and analyze Hypertext Transfer Protocol (HTTP) traffic.
- Review Wireshark: SSL.
- Use Wireshark to capture and analyze HTTP Secure (HTTPS) traffic.
- Review Wireshark: Simple Mail Transfer Protocol (SMTP).
- Use Wireshark to capture and analyze Simple Mail Transfer Protocol (SMTP) traffic.
- Consider situations in which a packet analyzer might be used to troubleshoot application layer traffic.
- Use Mozilla Thunderbird as local email client.
Lesson Summary
[edit | edit source]- The application layer is an abstraction layer reserved for communications protocols and methods designed for process-to-process communications across an Internet Protocol (IP) computer network.[1]
- Application layer protocols use the underlying transport layer protocols to establish host-to-host connections.[2]
- The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, hypermedia information systems.[3]
- HTTP functions as a request-response protocol in the client-server computing model.[4]
- HTTP uses TCP as its transport protocol and servers listen on port 80 by default.[5]
- HTTP defines methods that may be performed on the desired resource. Methods include GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, CONNECT, and PATCH.[6]
- HTTP requests include a request line, headers, an empty line, and an optional message body.[7]
- HTTP responses include a status line, header, an empty line, and an optional message body.[8]
- Hypertext Transfer Protocol Secure (HTTPS) is a widely used communications protocol for secure communication over a computer network, with especially wide deployment on the Internet. Technically, it is not a protocol in itself; rather, it is the result of simply layering the Hypertext Transfer Protocol (HTTP) on top of the Secure Sockets Layer / Transport Layer Security (SSL/TLS) protocol, thus adding the security capabilities of SSL/TLS to standard HTTP communications.[9]
- HTTPS uses TCP as its transport protocol and servers listen on port 443 by default.[10]
- Web servers supporting HTTPS connections must have a public key certificate signed by a certificate authority the web browser trusts in order to connect without a client warning.[11]
- TLS and SSL encrypt the segments of network connections at the Application Layer for the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for confidentiality, and message authentication codes for message integrity.[12]
- TLS handshaking includes the exchange of settings, server authentication, optional client authentication, and public key encryption of a symmetric session key.[13]
- Simple Mail Transfer Protocol (SMTP) is an Internet standard for electronic mail (e-mail) transmission across Internet Protocol (IP) networks.[14]
- Client applications use SMTP for sending messages to a mail server, but usually use either the Post Office Protocol (POP) or the Internet Message Access Protocol (IMAP) or a proprietary system to access their mail box accounts on a mail server.[15]
- Client applications should use TCP port 587 to submit SMTP messages to a server. Servers use TCP port 25 to transfer SMTP messages to destination servers.[16]
- SMTP transactions include commands for MAIL, RCPT, and DATA.[17]
Key Terms
[edit | edit source]- abstraction layer
- A way of hiding the implementation details of a particular set of functionality.[18]
- authentication
- The act of confirming the identity of a person, software program, or computer system.[19]
- eavesdropping
- The act of secretly listening to the private conversation of others without their consent.[20]
- hypermedia
- A logical extension of the term hypertext in which graphics, audio, video, plain text and hyperlinks intertwine to create a generally non-linear medium of information.[21]
- HyperText Markup Language (HTML)
- The main markup language for displaying web pages and other information that can be displayed in a web browser.[22]
- Internet Message Access Protocol (IMAP)
- An Application Layer Internet protocol that allows an e-mail client to access e-mail on a remote mail server.[23]
- man-in-the-middle attack
- A form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection.[24]
- Post Office Protocol (POP)
- An application-layer Internet standard protocol used by local e-mail clients to retrieve e-mail from a remote server over a TCP/IP connection.[25]
- public-key cryptography
- A cryptographic system requiring two separate keys, one of which is secret and one of which is public.[26]
- stateless protocol
- A communications protocol that treats each request as an independent transaction that is unrelated to any previous request so that the communication consists of independent pairs of requests and responses.[27]
- symmetric-key algorithms
- A class of algorithms for cryptography that use the same cryptographic keys for both encryption of plaintext and decryption of ciphertext.[28]
- tampering
- The deliberate altering or adulteration of information, a product, a package, or system.[29]
- web cache
- A mechanism for the temporary storage (caching) of web documents, such as HTML pages and images, to reduce bandwidth usage, server load, and perceived lag.[30]
- web crawler
- A computer program that browses the World Wide Web in a methodical, automated manner or in an orderly fashion.[31]
- World Wide Web Consortium (W3C)
- The main international standards organization for the World Wide Web.[32]
Review Questions
[edit | edit source]Click on a question to see the answer.
-
The application layer is an abstraction layer reserved for communications protocols and methods designed for _____ communications across an Internet Protocol (IP) computer network.The application layer is an abstraction layer reserved for communications protocols and methods designed for process-to-process communications across an Internet Protocol (IP) computer network.
-
Application layer protocols use the underlying transport layer protocols to establish _____ connections.Application layer protocols use the underlying transport layer protocols to establish host-to-host connections.
-
The Hypertext Transfer Protocol (HTTP) is an application protocol for _____.The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, hypermedia information systems.
-
HTTP functions as a _____ protocol in the _____ computing model.HTTP functions as a request-response protocol in the client-server computing model.
-
HTTP uses _____ as its transport protocol and servers listen on port _____ by default.HTTP uses TCP as its transport protocol and servers listen on port 80 by default.
-
HTTP defines methods that may be performed on the desired resource. Methods include _____.HTTP defines methods that may be performed on the desired resource. Methods include GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, CONNECT, and PATCH.
-
HTTP requests include _____.HTTP requests include a request line, headers, an empty line, and an optional message body.
-
HTTP responses include _____.HTTP responses include a status line, header, an empty line, and an optional message body.
-
Hypertext Transfer Protocol Secure (HTTPS) is a widely used communications protocol for secure communication over a computer network, with especially wide deployment on the Internet. Technically, it is not a protocol in itself; rather, it is _____.Hypertext Transfer Protocol Secure (HTTPS) is a widely used communications protocol for secure communication over a computer network, with especially wide deployment on the Internet. Technically, it is not a protocol in itself; rather, it is the result of simply layering the Hypertext Transfer Protocol (HTTP) on top of the Secure Sockets Layer / Transport Layer Security (SSL/TLS) protocol, thus adding the security capabilities of SSL/TLS to standard HTTP communications.
-
HTTPS uses _____ as its transport protocol and servers listen on port _____ by default.HTTPS uses TCP as its transport protocol and servers listen on port 443 by default.
-
Web servers supporting HTTPS connections must have a public key certificate _____.Web servers supporting HTTPS connections must have a public key certificate signed by a certificate authority the web browser trusts in order to connect without a client warning.
-
TLS and SSL encrypt the segments of network connections at the Application Layer for the Transport Layer, using _____.TLS and SSL encrypt the segments of network connections at the Application Layer for the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for confidentiality, and message authentication codes for message integrity.
-
TLS handshaking includes _____.TLS handshaking includes the exchange of settings, server authentication, optional client authentication, and public key encryption of a symmetric session key.
-
Simple Mail Transfer Protocol (SMTP) is an Internet standard for _____.Simple Mail Transfer Protocol (SMTP) is an Internet standard for electronic mail (e-mail) transmission across Internet Protocol (IP) networks.
-
Client applications use _____ for sending messages to a mail server, but usually use either _____ or _____ or a proprietary system to access their mail box accounts on a mail server.Client applications use SMTP for sending messages to a mail server, but usually use either the Post Office Protocol (POP) or the Internet Message Access Protocol (IMAP) or a proprietary system to access their mail box accounts on a mail server.
-
Client applications should use TCP port _____ to submit SMTP messages to a server. Servers use TCP port _____ to transfer SMTP messages to destination servers.Client applications should use TCP port 587 to submit SMTP messages to a server. Servers use TCP port 25 to transfer SMTP messages to destination servers.
-
SMTP transactions include commands for _____.SMTP transactions include commands for MAIL, RCPT, and DATA.
Assessments
[edit | edit source]See Also
[edit | edit source]References
[edit | edit source]- ↑ Wikipedia: Application layer
- ↑ Wikipedia: Application layer
- ↑ Wikipedia: Hypertext Transfer Protocol
- ↑ Wikipedia: Hypertext Transfer Protocol#Technical overview
- ↑ Wikipedia: Hypertext Transfer Protocol#HTTP session
- ↑ Wikipedia: Hypertext Transfer Protocol#Request methods
- ↑ Wikipedia: Hypertext Transfer Protocol#Request message
- ↑ Wikipedia: Hypertext Transfer Protocol#Response message
- ↑ Wikipedia: HTTP Secure
- ↑ Wikipedia: HTTP Secure#Difference from HTTP
- ↑ Wikipedia: HTTP Secure#Server setup
- ↑ Wikipedia: Transport Layer Security
- ↑ Wikipedia: Transport Layer Security#Simple TLS handshake
- ↑ Wikipedia: Simple Mail Transfer Protocol
- ↑ Wikipedia: Simple Mail Transfer Protocol
- ↑ Wikipedia: Simple Mail Transfer Protocol#Mail processing model
- ↑ Wikipedia: Simple Mail Transfer Protocol#Protocol overview
- ↑ Wikipedia: Abstraction layer
- ↑ Wikipedia: Authentication
- ↑ Wikipedia: Eavesdropping
- ↑ Wikipedia: Hypermedia
- ↑ Wikipedia: HTML
- ↑ Wikipedia: Internet Message Access Protocol
- ↑ Wikipedia: Man-in-the-middle attack
- ↑ Wikipedia: Post Office Protocol
- ↑ Wikipedia: Public-key cryptography
- ↑ Wikipedia: Stateless protocol
- ↑ Wikipedia: Symmetric-key algorithm
- ↑ Wikipedia: Tamper-evident
- ↑ Wikipedia: Web cache
- ↑ Wikipedia: Web crawler
- ↑ Wikipedia: World Wide Web Consortium
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze HTTP (Hypertext Transfer Protocol) traffic.
Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
Activity 1 - Capture HTTP Traffic
[edit | edit source]To capture HTTP traffic:
- Open a new web browser window or tab.
- Search the Internet for an http (rather than https) website.
- Start a Wireshark capture.
- Navigate to the website found in your search.
- Stop the Wireshark capture.
Activity 2 - Select Destination Traffic
[edit | edit source]To select destination traffic:
- Observe the traffic captured in the top Wireshark packet list pane. To view only HTTP traffic, type http (lower case) in the Filter box and press Enter.
- Select the first HTTP packet labeled GET /.
- Observe the destination IP address.
- To view all related traffic for this connection, change the filter to ip.addr == <destination>, where <destination> is the destination address of the HTTP packet.
Activity 3 - Analyze TCP Connection Traffic
[edit | edit source]To analyze TCP connection traffic:
- Observe the traffic captured in the top Wireshark packet list pane. The first three packets (TCP SYN, TCP SYN/ACK, TCP ACK) are the TCP three way handshake. Select the first packet.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be your default gateway's MAC address and the source should be your MAC address. You can use ipconfig /all and arp -a to confirm.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is your IP address.
- Observe the Destination address. Notice that the destination address is the IP address of the HTTP server.
- Expand Transmission Control Protocol to view TCP details.
- Observe the Source port. Notice that it is a dynamic port selected for this HTTP connection.
- Observe the Destination port. Notice that it is http (80). Note that all of the packets for this connection will have matching MAC addresses, IP addresses, and port numbers.
Activity 4 - Analyze HTTP Request Traffic
[edit | edit source]To analyze HTTP request traffic:
- Observe the traffic captured in the top Wireshark packet list pane.
- Select the fourth packet, which is the first HTTP packet and labeled GET /.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol / Hypertext Transfer Protocol frame. Also notice that the Ethernet II, Internet Protocol Version 4, and Transmission Control Protocol values are consistent with the TCP connection analyzed in Activity 3.
- Expand Hypertext Transfer Protocol to view HTTP details.
- Observe the GET request, Host, Connection, User-Agent, Referrer, Accept, and Cookie fields. This is the information passed to the HTTP server with the GET request.
- Observe the traffic captured in the top Wireshark packet list pane.
- Select the fifth packet, labeled TCP ACK. This is the server TCP acknowledgement of receiving the GET request.
Activity 5 - Analyze HTTP Response Traffic
[edit | edit source]To analyze HTTP response traffic:
- Observe the traffic captured in the top Wireshark packet list pane.
- Select the second HTTP packet, labeled 301 Moved Permanently.
- Observe the packet details in the middle Wireshark packet details pane.
- Expand Hypertext Transfer Protocol to view HTTP details.
- Observe the HTTP response, Server, Expires, Location, and other available information. This response indicates that the requested page has permanently moved to the location provided.
- Observe the traffic captured in the top Wireshark packet list pane.
- Select the next packet, labeled TCP ACK. This is the client TCP acknowledgement of receiving the HTTP response.
Activity 6 - Analyze HTTP Request Traffic
[edit | edit source]To analyze HTTP request traffic:
- Observe the traffic captured in the top Wireshark packet list pane.
- Select the third HTTP packet, labeled GET /wiki/Wikiversity:Main_Page.
- Observe the packet details in the middle Wireshark packet details pane.
- Expand Hypertext Transfer Protocol to view HTTP details.
- Observe the HTTP request fields. Notice that the request is similar to the request in Activity 4 above, except that the new page location is requested.
- Observe the traffic captured in the top Wireshark packet list pane.
- Select the next packet, labeled TCP ACK. This is the server TCP acknowledgement of receiving the GET request.
Activity 7 - Analyze HTTP Response Traffic
[edit | edit source]To play HTTP response traffic:
- Observe the traffic captured in the top Wireshark packet list pane.
- Select the next packet, labeled TCP segment of a reassembled PDU. Notice that because the server response is longer than the maximum segment PDU size, the response has been split into several TCP segments.
- Observe the packet details in the middle Wireshark packet details pane.
- Observe the packet contents in the bottom Wireshark packet bytes pane.
- Observe the traffic captured in the top Wireshark packet list pane. Notice that for every two TCP segments of data, there is a TCP ACK acknowledgement of receiving the HTTP response.
- Select the last HTTP packet, labeled HTTP 200 OK.
- Observe the packet details in the middle Wireshark packet details pane. Notice the Reassembled TCP Segments listed.
- Expand Hypertext Transfer Protocol to view HTTP details.
- Observe the full HTTP response to be passed to the web browser.
- Expand Line-based text data to observe web page content.
- In the web browser, right-click on the web page and view the page source. Notice that it is identical to the line-based text captured in Wireshark.
- Close the web browser.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Hypertext Transfer Protocol Secure (HTTPS) traffic.
Readings
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
Activity 1 - Capture HTTPS Traffic
[edit | edit source]To capture HTTPS traffic:
- Open a new web browser window or tab.
- Start a Wireshark capture.
- Navigate to https://en.wikiversity.org.
- Stop the Wireshark capture.
- Close the web browser window or tab.
Activity 2 - Select Destination Traffic
[edit | edit source]To select destination traffic:
- Observe the traffic captured in the top Wireshark packet list pane. To view only HTTPS traffic, type ssl (lower case) in the Filter box and press Enter.
- Select the first TLS packet labeled Client Hello.
- Observe the destination IP address.
- To view all related traffic for this connection, change the filter to ip.addr == <destination>, where <destination> is the destination address of the HTTP packet.
Activity 3 - Analyze TCP Connection Traffic
[edit | edit source]To analyze TCP connection traffic:
- Observe the traffic captured in the top Wireshark packet list pane. The first three packets (TCP SYN, TCP SYN/ACK, TCP ACK) are the TCP three way handshake. Select the first packet.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be your default gateway's MAC address and the source should be your MAC address. You can use ipconfig /all and arp -a to confirm.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is your IP address.
- Observe the Destination address. Notice that the destination address is the IP address of the HTTPS server.
- Expand Transmission Control Protocol to view TCP details.
- Observe the Source port. Notice that it is a dynamic port selected for this HTTPS connection.
- Observe the Destination port. Notice that it is https (443). Note that all of the packets for this connection will have matching MAC addresses, IP addresses, and port numbers.
Activity 4 - Analyze SSL/TLS Client Hello Traffic
[edit | edit source]To analyze SSL/TLS connection traffic:
- Observe the traffic captured in the top Wireshark packet list pane.
- Select the first TLS packet, labeled Client Hello.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol / Secure Sockets Layer frame. Also notice that the Ethernet II, Internet Protocol Version 4, and Transmission Control Protocol values are consistent with the TCP connection analyzed in Activity 3.
- Expand Secure Sockets Layer, TLS, and Handshake Protocol to view SSL/TLS details.
- Observe the Cipher Suites and Extensions supported.
- Observe the traffic captured in the top Wireshark packet list pane.
- Select the next packet, labeled TCP ACK. This is the server TCP acknowledgement of receiving the Client Hello request.
Activity 5 - Analyze SSL/TLS Server Hello Traffic
[edit | edit source]To analyze SSL/TLS Server Hello traffic:
- Observe the traffic captured in the top Wireshark packet list pane.
- Select the second TLS packet, labeled Server Hello.
- Observe the packet details in the middle Wireshark packet details pane.
- Expand Secure Sockets Layer, TLS, and Handshake Protocol to view SSL/TLS details.
- Observe the Cipher Suites and Extensions supported.
Activity 6 - Analyze SSL/TLS Certificate Traffic
[edit | edit source]To analyze SSL/TLS Certificate traffic:
- Observe the traffic captured in the top Wireshark packet list pane.
- Select the third TLS packet, labeled Certificate, Server Key Exchange, Server Hello Done.
- Observe the packet details in the middle Wireshark packet details pane.
- Expand Secure Sockets Layer, TLS, Handshake Protocol, and Certificates to view SSL/TLS details.
- Observe the certificate information provided.
- Expand TLS, Handshake Protocol, and EC Diffie-Hellman Server Params to view the public key and signature. The client uses the certificate to validate the public key and signature.
- Observe the traffic captured in the top Wireshark packet list pane.
- Select the next TCP packet, labeled TCP ACK. This is the client TCP acknowledgement of <receiving the Server Hello and Certificate responses.
Activity 7 - Analyze SSL/TLS Client Key Exchange Traffic
[edit | edit source]To analyze SSL/TLS Client Key Exchange traffic:
- Observe the traffic captured in the top Wireshark packet list pane.
- Select the fourth TLS packet, labeled Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message.
- Observe the packet details in the middle Wireshark packet details pane.
- Expand Secure Sockets Layer, TLS, Handshake Protocol, and Encrypted Handshake Message to view SSL/TLS details.
- Observe the encrypted handshake message. This encrypted handshake contains the session key that will be used to encrypt session traffic.
Activity 8 - Analyze SSL/TLS New Session Ticket Traffic
[edit | edit source]To analyze SSL/TLS New Session Ticket traffic:
- Observe the traffic captured in the top Wireshark packet list pane.
- Select the TLS packet labeled New Session Ticket ....
- Observe the packet details in the middle Wireshark packet details pane.
- Expand Secure Sockets Layer, TLS, Handshake Protocol, TLS Session Ticket, and Encrypted Handshake Message to view SSL/TLS details.
- Observe the encrypted handshake message. This is the server confirming the encrypted session.
Activity 9 - Analyze HTTPS Encrypted Data Exchange
[edit | edit source]To analyze HTTPS encrypted data exchange:
- Observe the traffic captured in the top Wireshark packet list pane.
- Select the various TLS packets labeled Application Data.
- Observe the packet details in the middle Wireshark packet details pane.
- Expand Secure Sockets Layer and TLS to view SSL/TLS details.
- Observe the encrypted application data. Notice that the application data protocol is http.
- Observe the data in the bottom Wireshark packet bytes pane. Notice that the application data is encrypted.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Simple Mail Transfer Protocol (SMTP) traffic.
Readings
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
- Install the Telnet client.
Activity 1 - Capture SMTP Traffic
[edit | edit source]To capture SMTP traffic:
- Start a Wireshark capture.
- Open a command prompt.
- Type telnet gmail-smtp-in.l.google.com 25 and press Enter. If this does not work, your ISP may be blocking outbound traffic on port 25. You can try telnet smtp.gmail.com 587 instead to generate SMTP traffic and then filter on port 587 in the next activity.
- Observe the server response.
- Type helo and press Enter.
- Observe the server response. Note that at this point you could enter mail, rcpt and data to send an SMTP message, but this only works on servers configured to allow clear text relay without authentication.
- Type quit and press Enter to close the connection.
- Observe the server response.
- Close the command prompt.
- Stop the Wireshark capture.
Activity 2 - Select Destination Traffic
[edit | edit source]To select destination traffic:
- Observe the traffic captured in the top Wireshark packet list pane. To view only SMTP traffic, type smtp (lower case) in the Filter box and press Enter.
- Select the first SMTP packet labeled 220 ....
- Observe the destination IP address.
- To view all related traffic for this connection, change the filter to ip.addr == <destination>, where <destination> is the destination address of the SMTP packet.
Activity 3 - Analyze TCP Connection Traffic
[edit | edit source]To analyze TCP connection traffic:
- Observe the traffic captured in the top Wireshark packet list pane. The first three packets (TCP SYN, TCP SYN/ACK, TCP ACK) are the TCP three way handshake. Select the first packet.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be your default gateway's MAC address and the source should be your MAC address. You can use ipconfig /all and arp -a to confirm.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is your IP address.
- Observe the Destination address. Notice that the destination address is the IP address of the SMTP server.
- Expand Transmission Control Protocol to view TCP details.
- Observe the Source port. Notice that it is a dynamic port selected for this HTTP connection.
- Observe the Destination port. Notice that it is smtp (25). Note that all of the packets for this connection will have matching MAC addresses, IP addresses, and port numbers.
Activity 4 - Analyze SMTP Service Ready Traffic
[edit | edit source]To analyze SMTP Service Ready traffic:
- Observe the traffic captured in the top Wireshark packet list pane.
- Select the fourth packet, which is the first SMTP packet and labeled 220 ....
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol / Hypertext Transfer Protocol frame. Also notice that the Ethernet II, Internet Protocol Version 4, and Transmission Control Protocol values are consistent with the TCP connection analyzed in Activity 3.
- Expand Simple Mail Transfer Protocol and Response to view SMTP details.
- Observe the Response code and Response parameter.
- Observe the traffic captured in the top Wireshark packet list pane.
- Select the fifth packet, labeled TCP ACK. This is the client TCP acknowledgement of receiving the Service Ready message.
Activity 5 - Analyze SMTP HELO Traffic
[edit | edit source]To analyze SMTP HELO traffic:
- Observe the traffic captured in the top Wireshark packet list pane.
- Select the following TCP segments and acknowledgements. If you observe the packet details in the bottom Wireshark packet bytes pane carefully, you will see that the segments spell out the helo message. The sequence ends with a Wireshark-combined SMTP client helo message, followed by a server TCP acknowledgement.
Activity 6 - Analyze SMTP Completed Traffic
[edit | edit source]To analyze SMTP Completed traffic:
- Observe the traffic captured in the top Wireshark packet list pane.
- Select the following SMTP packet, labeled 250 ...
- Observe the packet details in the middle Wireshark packet details pane.
- Expand Simple Mail Transfer Protocol and Response to view SMTP details.
- Observe the Response code and Response parameter.
Activity 7 - Analyze SMTP QUIT Traffic
[edit | edit source]To analyze SMTP QUIT traffic:
- Observe the traffic captured in the top Wireshark packet list pane.
- Select the following TCP segments and acknowledgements. If you observe the packet details in the bottom Wireshark packet bytes pane carefully, you will see that the segments spell out the quit message. The sequence ends with a Wireshark-combined SMTP client quit message, followed by a server TCP acknowledgement.
Activity 8 - Analyze SMTP Closing Traffic
[edit | edit source]To analyze SMTP Closing traffic:
- Observe the traffic captured in the top Wireshark packet list pane.
- Select the following SMTP packet, labeled 221 ...
- Observe the packet details in the middle Wireshark packet details pane.
- Expand Simple Mail Transfer Protocol and Response to view SMTP details.
- Observe the Response code and Response parameter.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
[edit | edit source]Lesson 14 - Routing Protocols
[edit | edit source]This lesson introduces routing and routing protocols. Activities include configuring routing on Windows workstations and using Wireshark to examine Routing Information Protocol (RIP), Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP), and Border Gateway Protocol (BGP) network traffic.
Readings
[edit | edit source]- Wikipedia: Routing
- Wikipedia: Distance-vector routing protocol
- Wikipedia: Link-state routing protocol
- Wikipedia: Routing Information Protocol
- Wikipedia: Open Shortest Path First
- Wikipedia: Enhanced Interior Gateway Routing Protocol
- Wikipedia: Border Gateway Protocol
Multimedia
[edit | edit source]- YouTube: Routing Tables - CompTIA Network+ N10-005: 1.4
- YouTube: Using the Route Command - CompTIA Network+ N10-005: 4.3
- YouTube: Configuring Routing Tables - CompTIA Network+ N10-005: 2.1
- YouTube: Routing Protocols Overview (Distance Vector and Link-State) CCNA Part 1
- YouTube: Routing Protocols Overview (Cisco CCNA- RIP, RIPv2, EIGRP, OSPF) Part 2
Activities
[edit | edit source]- Use the route command to display the local routing table.
- Use the route command to modify the local routing table.
- Review Wireshark: Routing Information Protocol (RIP).
- Review Wireshark: Open Shortest Path First (OSPF).
- Review Wireshark: Enhanced Interior Gateway Routing Protocol (EIGRP).
- Review Wireshark: Border Gateway Protocol (BGP).
- Consider situations in which a packet analyzer might be used to troubleshoot routing traffic.
Lesson Summary
[edit | edit source]- Routing is the process of selecting paths in a network along which to send network traffic.[1]
- Static routing involves manual updating of routing tables with fixed paths to destination networks.[2]
- Dynamic or adaptive routing involves automatic updating of routing tables based on information carried by routing protocols.[3]
- Routing protocols are divided into interior and exterior protocols. Interior protocols are further divided into distance-vector protocols and link-state protocols.[4] Distance-vector routing protocols are simple and efficient in small networks. Larger networks use link-state routing protocols.[5]
- Distance-vector routing protocols require that a router informs its neighbors of topology changes periodically.[6] Each link is assigned a numeric distance or cost value, and information is shared among neighboring routers to accumulate a total cost to a given destination.[7]
- Link-state protocols require that a router inform all the nodes in a network of topology changes.[8] Each node shares information regarding the nodes it can connect to with the entire network so that each node can build its own network map and determine for itself the least cost path to any given node.[9]
- Routing Information Protocol (RIP) is a distance-vector routing protocol which employs the hop count as a routing metric. RIP uses the User Datagram Protocol (UDP) as its transport protocol, and is assigned the reserved port number 520.[10]
- Open Shortest Path First (OSPF) is a link-state routing protocol.[11] OSPF does not use a TCP/IP transport protocol (UDP, TCP), but is encapsulated directly in IP datagrams with protocol number 89.[12]
- Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco proprietary advanced distance-vector routing protocol, with optimizations to minimize both the routing instability incurred after topology changes, as well as the use of bandwidth and processing power in the router.[13]
- Border Gateway Protocol (BGP) is the protocol which makes core routing decisions on the Internet.[14] BGP uses the Transmission Control Protocol (TCP) as its transport protocol, and is assigned the reserved port 179.[15]
Key Terms
[edit | edit source]- Autonomous System (AS)
- A collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators that presents a common, clearly defined routing policy to the Internet.[16]
- convergence
- The state of a set of routers that have the same topological information about the internetwork in which they operate.[17]
- convergence time
- A measure of how fast a group of routers reach the state of convergence.[18]
- count-to-infinity problem
- An error in distance-vector routing protocols caused by the routers being unable to determine if routing loops exist in the information provided.[19]
- exterior gateway protocol
- A routing protocol that is used to determine network reachability between autonomous systems and makes use of interior gateway protocols to resolve routes within an autonomous system.[20]
- holddown timer
- A timer used by link-state routers that prevents invalid updates within a given period of time after they first receive information about a network that is unreachable.[21]
- interior gateway protocol
- A routing protocol that is used to exchange routing information within an autonomous system (AS).[22]
- route poisoning
- A link-state method of notifying a router that a previously available route has become invalid.[23]
- split-horizon route advertisement
- A method of preventing routing loops in distance-vector routing protocols by prohibiting a router from advertising a route back onto the interface from which it was learned.[24]
Review Questions
[edit | edit source]Click on a question to see the answer.
-
Routing is the process of _____.Routing is the process of selecting paths in a network along which to send network traffic.
-
Static routing involves _____ updating of routing tables with _____ paths to destination networks.Static routing involves manual updating of routing tables with fixed paths to destination networks.
-
Dynamic or adaptive routing involves _____ updating of routing tables based on _____.Dynamic or adaptive routing involves automatic updating of routing tables based on information carried by routing protocols.
-
Routing protocols are divided into _____ and _____ protocols. _____ protocols are further divided into _____ protocols and _____ protocols.Routing protocols are divided into interior and exterior protocols. Interior protocols are further divided into distance-vector protocols and link-state protocols.
-
_____ routing protocols are simple and efficient in small networks. Larger networks use _____ routing protocols.Distance-vector routing protocols are simple and efficient in small networks. Larger networks use link-state routing protocols.
-
_____ routing protocols require that a router informs its neighbors of topology changes periodically. Each link is assigned a numeric distance or cost value, and information is shared among neighboring routers to accumulate a total cost to a given destination.Distance-vector routing protocols require that a router informs its neighbors of topology changes periodically. Each link is assigned a numeric distance or cost value, and information is shared among neighboring routers to accumulate a total cost to a given destination.
-
_____ protocols require that a router inform all the nodes in a network of topology changes. Each node shares information regarding the nodes it can connect to with the entire network so that each node can build its own network map and determine for itself the least cost path to any given node.Link-state protocols require that a router inform all the nodes in a network of topology changes. Each node shares information regarding the nodes it can connect to with the entire network so that each node can build its own network map and determine for itself the least cost path to any given node.
-
Routing Information Protocol (RIP) is a _____ routing protocol which employs the hop count as a routing metric. RIP uses _____ as its transport protocol, and is assigned the reserved port number _____.Routing Information Protocol (RIP) is a distance-vector routing protocol which employs the hop count as a routing metric. RIP uses the User Datagram Protocol (UDP) as its transport protocol, and is assigned the reserved port number 520.
-
Open Shortest Path First (OSPF) is a _____ routing protocol. OSPF does not use a TCP/IP transport protocol (UDP, TCP), but is encapsulated directly in IP datagrams with protocol number _____.Open Shortest Path First (OSPF) is a link-state routing protocol. OSPF does not use a TCP/IP transport protocol (UDP, TCP), but is encapsulated directly in IP datagrams with protocol number 89.
-
Enhanced Interior Gateway Routing Protocol (EIGRP) is a _____ routing protocol, with optimizations to minimize both the routing instability incurred after topology changes, as well as the use of bandwidth and processing power in the router.Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco proprietary advanced distance-vector routing protocol, with optimizations to minimize both the routing instability incurred after topology changes, as well as the use of bandwidth and processing power in the router.
-
Border Gateway Protocol (BGP) is the protocol which makes core routing decisions on the Internet. BGP uses _____ as its transport protocol, and is assigned the reserved port _____.Border Gateway Protocol (BGP) is the protocol which makes core routing decisions on the Internet. BGP uses the Transmission Control Protocol (TCP) as its transport protocol, and is assigned the reserved port 179.
Assessments
[edit | edit source]See Also
[edit | edit source]References
[edit | edit source]- ↑ Wikipedia: Routing
- ↑ Wikipedia: Routing#Topology distribution
- ↑ Wikipedia: Routing#Topology distribution
- ↑ Wikipedia: Routing#Path vector protocol
- ↑ Wikipedia: Routing#Comparison of routing algorithms
- ↑ Wikipedia: Distance-vector routing protocol
- ↑ Wikipedia: Routing#Distance vector algorithms
- ↑ Wikipedia: Distance-vector routing protocol
- ↑ Wikipedia: Routing#Link-state algorithms
- ↑ Wikipedia: Routing Information Protocol
- ↑ Wikipedia: Open Shortest Path First
- ↑ Wikipedia: Open Shortest Path First#Overview
- ↑ Wikipedia: Enhanced Interior Gateway Routing Protocol
- ↑ Wikipedia: Border Gateway Protocol
- ↑ Wikipedia: Border Gateway Protocol#Operation
- ↑ Wikipedia: Autonomous System (Internet)
- ↑ Wikipedia: Convergence (routing)
- ↑ Wikipedia: Convergence (routing)#Convergence time
- ↑ Wikipedia: Distance-vector routing protocol#Count-to-infinity problem
- ↑ Wikipedia: Interior gateway protocol
- ↑ Wikipedia: Holddown
- ↑ Wikipedia: Interior gateway protocol
- ↑ Wikipedia: Route poisoning
- ↑ Wikipedia: Split horizon route advertisement
Route is a Windows command that displays and updates the network routing table. These activities will show you how to use the route command to display the local routing table.
Readings
[edit | edit source]Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
Display Local Routing Table
[edit | edit source]To display the local routing table:
- Open a command prompt.
- Type route print.
- Press Enter.
- Observe the active routes by destination, network mask, gateway, interface, and metric.
- Close the command prompt to complete this activity.
References
[edit | edit source]Route is a Windows command that displays and updates the network routing table. These activities will show you how to use the route command to modify the local routing table.
Note: To complete this activity, you must have an administrative user account or know the username and password of an administrator account you can enter when prompted.
Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
Display Local Routing Table
[edit | edit source]To display the local routing table:
- Open an elevated/administrator command prompt.
- Type route print and press Enter.
- Observe the active routes by destination, network mask, gateway, interface, and metric.
Delete a Route
[edit | edit source]To delete a route:
- Observe the routing table entry for network destination 0.0.0.0 listed in Activity 1. The gateway listed for this network is the default gateway. Make note of this gateway address for use in restoring this route.
- Type ping 8.8.8.8 to test Internet connectivity. The ping should be successful.
- Type route delete 0.0.0.0 and press Enter to delete the routing table entry for the default gateway.
- Type route print and press Enter.
- Observe the active routes by destination, network mask, gateway, interface, and metric. Note the missing entry for network destination 0.0.0.0.
- Type ping 8.8.8.8 to test Internet connectivity. The ping should fail.
Add a Route
[edit | edit source]To add a route:
- Type route add 0.0.0.0 mask 0.0.0.0 <gateway>, where <gateway> is the gateway address listed for network destination 0.0.0.0 in Activity 1. For example, if the gateway was 192.168.1.1, you would type route add 0.0.0.0 mask 0.0.0.0 192.168.1.1. Then press Enter.
- Type ping 8.8.8.8 to test Internet connectivity. The ping should be successful. If not, repeat Activity 2 and then use ipconfig /renew to update your DHCP-assigned IP address and default gateway.
- Close the command prompt to complete this activity.
Readings
[edit | edit source]References
[edit | edit source]Lesson 15 - Network Monitoring
[edit | edit source]This lesson introduces network monitoring and looks at the Simple Network Monitoring Protocol (SNMP). Activities include installing, configuring and testing the SNMP service, using Wireshark to examine SNMP network traffic, and using OpenNMS to monitor a network.
Readings
[edit | edit source]- Wikipedia: Network monitoring
- Wikipedia: Simple Network Management Protocol
- Wikipedia: Management information base
Multimedia
[edit | edit source]Activities
[edit | edit source]- Install the SNMP Service.
- Configure the SNMP Service.
- Test the SNMP Service.
- Use a free or open source network monitoring tool to monitor a network:
- Review Wireshark: Simple Network Management Protocol (SNMP).
- Consider situations in which a packet analyzer might be used to troubleshoot network monitoring traffic.
Lesson Summary
[edit | edit source]- Network monitoring describes the use of a system that constantly monitors a computer network for slow or failing components and that notifies the network administrator (via email, SMS or other alarms) in case of outages.[1]
- Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing devices on IP networks.[2] With SNMP, administrative computers called managers monitor or manage a group of hosts on a computer network. Each managed system executes an agent which reports information via SNMP to the manager.[3]
- SNMP uses a Management Information Base (MIB) to describe the structure of the management data of a device subsystem. The MIB is a hierarchical namespace containing object identifiers (OID), and each OID identifies a variable that can be read or set via SNMP.[4]
- SNMP is an application layer protocol. SNMP agents receive requests on UDP port 161. SNMP managers receive notifications (Traps and InformRequests) on UDP port 162.[5]
- SNMP messages from managers include GetRequest, SetRequest, GetNextRequest, and GetBulkRequest. SNMP messages from agents include Response and Trap. SNMP messages from manager to manager include InformRequest.[6]
- SNMP versions 1 and 2 support limited security through the use of a clear-text password known as a community string. SNMP version 3 supports encryption on UDP ports 10161 and 10162.[7][8]
- Default SNMP settings present a variety of security issues that must be addressed when SNMP is implemented on a network.[9]
Key Terms
[edit | edit source]- agent
- A software component that runs on managed devices and responds to requests from the network management system.[10]
- availability
- The degree to which a system, subsystem, or equipment is in a specified operable and committable state.[11]
- managed device
- A network node that implements an SNMP interface that allows unidirectional (read-only) or bidirectional access to node-specific information.[12]
- network management system
- A combination of hardware and software used to monitor and administer a computer network or networks.[13]
- response time
- The interval between the receipt of the end of transmission of an inquiry message and the beginning of the transmission of a response message to the station originating the inquiry.[14]
- uptime
- A measure of the time a machine has been up without any downtime.[15]
Review Questions
[edit | edit source]Click on a question to see the answer.
-
Network monitoring describes the use of a system that _____ and that _____.Network monitoring describes the use of a system that constantly monitors a computer network for slow or failing components and that notifies the network administrator (via email, SMS or other alarms) in case of outages.
-
Simple Network Management Protocol (SNMP) is an Internet-standard protocol for _____. With SNMP, administrative computers called _____ monitor or manage a group of hosts on a computer network. Each managed system executes an _____ which reports information via SNMP to the manager.Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing devices on IP networks. With SNMP, administrative computers called managers monitor or manage a group of hosts on a computer network. Each managed system executes an agent which reports information via SNMP to the manager.
-
SNMP uses a _____ to describe the structure of the management data of a device subsystem. The _____ is a hierarchical namespace containing _____, and each _____ identifies a variable that can be read or set via SNMP.SNMP uses a Management Information Base (MIB) to describe the structure of the management data of a device subsystem. The MIB is a hierarchical namespace containing object identifiers (OID), and each OID identifies a variable that can be read or set via SNMP.
-
SNMP is an _____ layer protocol. SNMP _____ receive requests on _____ port _____. SNMP _____ receive notifications on _____ port _____.SNMP is an application layer protocol. SNMP agents receive requests on UDP port 161. SNMP managers receive notifications on UDP port 162.
-
SNMP messages from managers include _____. SNMP messages from agents include _____. SNMP messages from manager to manager include _____.SNMP messages from managers include GetRequest, SetRequest, GetNextRequest, and GetBulkRequest. SNMP messages from agents include Response and Trap. SNMP messages from manager to manager include InformRequest.
-
SNMP versions 1 and 2 support limited security through the use of a clear-text password known as a _____. SNMP version 3 supports encryption on _____ ports _____ and _____.SNMP versions 1 and 2 support limited security through the use of a clear-text password known as a community string. SNMP version 3 supports encryption on UDP ports 10161 and 10162.
-
Default SNMP settings present a variety of _____ that must be addressed when SNMP is implemented on a network.Default SNMP settings present a variety of security issues that must be addressed when SNMP is implemented on a network.
Assessments
[edit | edit source]See Also
[edit | edit source]References
[edit | edit source]- ↑ Wikipedia: Network monitoring
- ↑ Wikipedia: Simple Network Management Protocol
- ↑ Wikipedia: Simple Network Management Protocol#Overview and basic concepts
- ↑ Wikipedia: Simple Network Management Protocol#Management information base (MIB)
- ↑ Wikipedia: Simple Network Management Protocol#Protocol details
- ↑ Wikipedia: Simple Network Management Protocol#Protocol details
- ↑ Wikipedia: Simple Network Management Protocol#Protocol details
- ↑ Wikipedia: Simple Network Management Protocol#Development and usage
- ↑ Wikipedia: Simple Network Management Protocol#Security implications
- ↑ Wikipedia: Simple Network Management Protocol#Overview and basic concepts
- ↑ Wikipedia: Availability
- ↑ Wikipedia: Simple Network Management Protocol#Overview and basic concepts
- ↑ Wikipedia: Network management system
- ↑ Wikipedia: Response time (technology)
- ↑ Wikipedia: Uptime
The SNMP Service is a Windows service that provides a Simple Network Management Protocol (SNMP) agent that can be used to monitor and manage Windows workstations and servers. These activities will show you how to install the SNMP Service.
Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
Activity 1 - Install the SNMP Service
[edit | edit source]To install the SNMP Service:
- Open the Start menu.
- Select Control Panel.
- Select Programs.
- Select Turn Windows features on or off.
- Select the check box for Simple Network Management Protocol (SNMP).
- Select OK to complete this activity.
Readings
[edit | edit source]References
[edit | edit source]The SNMP Service is a Windows service that provides a Simple Network Management Protocol (SNMP) agent that can be used to monitor and manage Windows workstations and servers. These activities will show you how to configure the SNMP Service.
Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install the SNMP Service.
Activity 1 - Configure the SNMP Service
[edit | edit source]To configure the SNMP Service:
- Open the Start menu.
- In the Run box type Services or Services.msc.
- Press Enter.
- In the Services console, find SNMP Service. Double-click on it to view SNMP Service properties.
- Select the Agent tab.
- Enter values for Contact and Location for this workstation.
- Select all five check boxes (Physical, Applications, Datalink and subnetwork, Internet, and End-to-end).
- Apply changes.
- Select the Security tab.
- Clear the Send authentication trap check box.
- Add an accepted community name of public with READ ONLY rights.
- Select OK to apply changes and close the dialog box.
- Close the Services console to complete this activity.
References
[edit | edit source]- Microsoft TechNet: Install the SNMP Service
- Microsoft TechNet: Configure agent properties
- Microsoft TechNet: Configure SNMP security properties
The SNMP Service is a Windows service that provides a Simple Network Management Protocol (SNMP) agent that can be used to monitor and manage Windows workstations and servers. These activities will show you how to test the SNMP Service.
Preparation
[edit | edit source]To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install the SNMP Service.
- Configure the SNMP Service.
Activity 1 - Install the iReasoning MIB Browser Free Personal Edition
[edit | edit source]To install the iReasoning MIB Browser Free Personal Edition:
- Open a web browser.
- Navigate to http://www.ireasoning.com/downloadmibbrowserfree.php.
- Download and run setup.exe.
- If you see a User Account Control dialog box, select Yes to allow the program to make changes to this computer.
- Review the license agreement and select I Agree if you agree.
- Select Next > to select the default components.
- Select Install to install the program in the default location.
- Select Close when the installation is completed.
- Select Yes to launch the MIB Browser now.
Activity 2 - Test the SNMP Service
[edit | edit source]To test the SNMP Service:
- In the iReasoning MIB Browser, enter 127.0.0.1 in the Address box.
- Navigate to a subtree that interests you.
- In the Operations pulldown, select Get Subtree and Go.
- Observe the settings reported by the SNMP service.
- Continue selecting different subtrees and review reported settings.
- Close the iReasoning MIB Browser to complete this activity.
References
[edit | edit source]- Information technology
- Networking
- Tertiary Education
- Technology courses
- Study guides
- Internet Protocol Analysis
- Completed resources
- Lessons
- Ipconfig
- Activities
- Wireshark
- Arp
- Netsh
- Ping
- Netstat
- Dynamic Host Configuration Protocol
- Computer networks
- Hosts file
- Nslookup
- Domain Name System
- Computer Networks
- Hypertext Transfer Protocol
- SNMP Service