French version available on the site.
watch traffic with TCPDUMP
In our lab, on the Windows client, in a terminal:
C:\clientXP > ping -n 1 192.168.0.2
(one echo request is sent to the server)
intrus $ sudo tcpdump
We can observe the IP packets between client WXP and server: echo request.
intrus $ sudo tcpdump icmp and src 192.168.0.10
(listen to ICMP requests from client XP)
the traffic is filtered:
- source = client XP
- protocol ICMP
intrus $ sudo tcpdump 'icmp[0]=8'
(only echo requests: byte 0 of the ICMP header is the type field, and type 8 is echo request; the filter is quoted so the shell does not treat the brackets as a glob)
analysis of Ethernet header
C:\clientxp > arp -d
C:\clientxp > ping -n 1 192.168.0.2
intrus $ sudo tcpdump -x icmp or arp
(show ICMP or ARP requests in hexadecimal format)
In the first ARP request, we can see that the destination (target) hardware address field of the ARP message is 00:00:00:00:00:00. This is normal because the aim of this request is precisely to ask for the MAC address associated with IP 192.168.0.10.
recall Ethernet frame
In bytes:
| 0 … 5 | 6 … 11 | 12 … 13 | 14 … 1513 | 1514 … 1517 |
| MAC destination address | MAC source address | Type of protocol | Data | FCS/CRC |
Caution: there are other Ethernet frame formats with different features. For example, the type of protocol field can take these values:
- 0x0800 : IPv4
- 0x86DD : IPv6
- 0x0806 : ARP
C:\clientXP > ipconfig /all
serveur $ ifconfig
analysis of TCP/IP header
C:\clientXP > telnet -l utilisteur 192.168.0.2
intrus $ sudo tcpdump -x src 192.168.0.10
the encapsulated protocol is TCP (protocol field = 6)
the source and destination addresses are:
c0.a8.00.0a (192.168.0.10)
c0.a8.00.02 (192.168.0.2)
the source and destination ports are:
0x0413 (1043 decimal)
0x0017 (23 decimal = telnet)
C:\clientXP > telnet -l utilisteur 192.168.0.2
intrus $ sudo tcpdump -x src 192.168.0.10 or src 192.168.0.2
the TCP flag byte of the client's request is 0x02 (SYN):
high nibble 0 = 0000:
ECN = 00
URG = 0
ACK = 0
low nibble 2 = 0010:
PSH = 0
RST = 0
SYN = 1
FIN = 0
the TCP flag byte of the response is 0x14 (ACK + RST; a RST in reply to a SYN means the server refuses the connection, i.e. no service is listening on that port):
high nibble 1 = 0001:
ECN = 00
URG = 0
ACK = 1
low nibble 4 = 0100:
PSH = 0
RST = 1
SYN = 0
FIN = 0
recall IP packet
(reference [5]) In bytes:
| 1 | 2 | 3 | 4 |
| IP version / header length (32-bit words) | Type of service | total length (bytes) |
| Identification (for fragments) | Flags (for fragments) / Fragment offset |
| TTL Time To Live | Protocol | header checksum |
| source address |
| destination address |
| Option(s) |
recall ARP packet:
(reference [3]) The next table shows the fields of a classical ARP message (Ethernet / IPv4):
| hardware type | protocol type | hardware address size | protocol address size | Operation | source hardware address | source protocol address | destination hardware address | destination protocol address |
| 2 bytes | 2 bytes | 1 byte | 1 byte | 2 bytes | 6 bytes | 4 bytes | 6 bytes | 4 bytes |
hardware type: for Ethernet, 0x0001
protocol type: for example 0x0800 for IPv4
hardware address size: for Ethernet, 6 (because Ethernet addresses are 6 bytes long)
protocol address size (logical address):
For IPv4, logical addresses are 4 bytes long
For IPV6, logical addresses are 6 bytes long
Operation:
request (0000 … 0001, i.e. 1)
response (0000 … 0010, i.e. 2)
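To tie the Ethernet frame recall and the ARP recall together, here is an added example (it is not part of the original lab notes) that decodes a raw Ethernet frame using the 14-byte header layout above and, when the EtherType is 0x0806, the 28-byte ARP message it carries. The frame bytes are constructed in the block; the client MAC address is an assumption, and the IP addresses are taken from the lab (client 192.168.0.10 asking for the server 192.168.0.2). Running it shows the two facts the tcpdump output illustrates: the Ethernet destination of a request is the broadcast address, while the ARP target hardware address is all zeros because that is the value being asked for.

```python
# Added example (not from the original lab notes): parse an Ethernet frame and,
# when the EtherType is 0x0806, the Ethernet/IPv4 ARP message inside it.
# The frame below is constructed; CLIENT_MAC is an assumed value.
import struct

ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP"}
ARP_OPERATIONS = {1: "request", 2: "reply"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_ethernet(frame: bytes) -> dict:
    """Split the 14-byte Ethernet header: dst MAC (6), src MAC (6), EtherType (2), then payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {
        "dst_mac": mac_str(dst),
        "src_mac": mac_str(src),
        "ethertype": ethertype,
        "protocol": ETHERTYPES.get(ethertype, "unknown"),
        "payload": frame[14:],
    }


def parse_arp(payload: bytes) -> dict:
    """Decode the 28-byte ARP message: hw type, proto type, hw len, proto len, operation, 4 addresses."""
    if len(payload) < 28:
        raise ValueError("ARP payload too short")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        raise ValueError("not an Ethernet/IPv4 ARP message")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {
        "operation": ARP_OPERATIONS.get(oper, f"unknown({oper})"),
        "sender_mac": mac_str(sha),
        "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha),
        "target_ip": ip_str(tpa),
    }


def describe_frame(frame: bytes) -> dict:
    """Ethernet header fields plus the decoded ARP message when the frame carries one."""
    eth = parse_ethernet(frame)
    result = {k: v for k, v in eth.items() if k != "payload"}
    if eth["ethertype"] == 0x0806:
        result["arp"] = parse_arp(eth["payload"])
    return result


# Constructed ARP request "who has 192.168.0.2? tell 192.168.0.10":
# Ethernet destination = broadcast, ARP target hardware address = all zeros.
CLIENT_MAC = bytes.fromhex("001122334455")  # assumed value
SAMPLE_ARP_REQUEST = (
    b"\xff" * 6 + CLIENT_MAC + b"\x08\x06"
    + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    + CLIENT_MAC + bytes([192, 168, 0, 10])
    + b"\x00" * 6 + bytes([192, 168, 0, 2])
)

if __name__ == "__main__":
    for key, value in describe_frame(SAMPLE_ARP_REQUEST).items():
        print(f"{key}: {value}")
```

The two length checks matter when feeding real captures: a truncated frame, or an ARP message for a different hardware/protocol pair, raises instead of silently mis-slicing the address fields.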
recall TCP segment
(reference [4]) In bits:
| 0 … 15 | 16 … 31 |
| Source port (2 bytes) | Destination port (2 bytes) |
| Sequence number |
| Acknowledgement number |
| header size | reserved | ECN | URG | ACK | PSH | RST | SYN | FIN | window |
| Checksum | Urgent data pointer |
| Options | Padding |
| Data |
Meaning of these fields:
Source port
Destination port
Sequence number: sequence number of the first byte of the segment
Acknowledgement number: sequence number of the next byte expected
Header size: header length in 32-bit words (options are part of the header)
Reserved: reserved for future use
ECN: congestion notification, cf. RFC 3168
Flags
URG: URGent data
ACK: the packet is an ACKnowledgement
PSH: data must be passed on immediately (PuSH)
RST: abnormal break of the connection (ReSeT)
SYN: request for SYNchronisation or connection
FIN: request to END the connection
Window: size of the window requested, i.e. the number of bytes the destination is willing to receive before asking for an acknowledgement.
Checksum: checksum computed over the whole TCP header and data, plus a pseudo-header built from the IP header
Urgent data pointer: relative position of the urgent data
Options
Padding: zeros added to align the next field on a 32-bit word boundary.
Data
analysis of UDP header
Traceroute uses the UDP protocol. Let's use it on the localhost interface. Prerequisite: install traceroute:
intrus $ sudo apt-get install traceroute
1st terminal:
intrus $ sudo tcpdump -x -i lo
2nd terminal:
intrus $ sudo traceroute -i lo localhost
source port is: 61168 (0xc7e0)
destination port is: 33434 (0x829a)
The source gives the port it uses, so that the destination can send back a reply.
recall UDP datagram
(reference [6]) The UDP datagram header is much simpler than TCP:
| Source port (16 bits) | Destination port (16 bits) |
| Length (16 bits) | Checksum (16 bits) |
| Data |
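The IP, TCP and UDP recalls above, together with the hand-decoded telnet SYN / RST+ACK exchange and the `icmp[0]=8` filter, all come down to reading fixed byte offsets. As an added example (not code from the original lab notes), the block below decodes an IPv4 header and the TCP, UDP or ICMP header it carries, and splits the TCP flag byte into the same high and low nibbles the notes use. All packets are constructed inline with the lab's addresses (192.168.0.10 and 192.168.0.2), the telnet ports 1043 and 23, and the traceroute ports 61168 and 33434; the `build_ipv4` helper is a test convenience that leaves the checksum at zero and is not part of any real tool.

```python
# Added example (not from the original lab notes): decode IPv4 + TCP/UDP/ICMP
# headers from raw bytes, following the layouts recalled in the notes.
# All packet bytes are constructed; build_ipv4 is a test helper only.
import struct

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 .. bit 5 of the flag byte


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_ipv4(packet: bytes) -> dict:
    """Fixed 20-byte IPv4 header; header length is given in 32-bit words."""
    if len(packet) < 20:
        raise ValueError("packet shorter than an IPv4 header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _cksum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    header_len = ihl * 4
    if header_len < 20 or len(packet) < header_len:
        raise ValueError("invalid IPv4 header length")
    return {"version": version, "header_len": header_len, "tos": tos, "total_len": total_len,
            "id": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
            "ttl": ttl, "protocol": proto, "protocol_name": PROTOCOLS.get(proto, "other"),
            "src": ip_str(src), "dst": ip_str(dst), "payload": packet[header_len:]}


def decode_tcp_flags(flag_byte: int) -> dict:
    """Read the flag byte the way the notes do: high nibble, low nibble, and the flags that are set."""
    names = [n for i, n in enumerate(TCP_FLAG_NAMES) if flag_byte & (1 << i)]
    return {"hex": f"{flag_byte:02x}", "high_nibble": flag_byte >> 4,
            "low_nibble": flag_byte & 0xF, "set": names}


def parse_tcp(segment: bytes) -> dict:
    """Fixed 20-byte TCP header; data offset (header size) is in 32-bit words."""
    if len(segment) < 20:
        raise ValueError("segment shorter than a TCP header")
    sport, dport, seq, ack, off_res, flags, window, _cksum, urg = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (off_res >> 4) * 4
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "header_len": data_offset,
            "flags": decode_tcp_flags(flags), "window": window, "urgent_ptr": urg,
            "payload": segment[data_offset:]}


def parse_udp(datagram: bytes) -> dict:
    """8-byte UDP header: source port, destination port, length, checksum."""
    if len(datagram) < 8:
        raise ValueError("datagram shorter than a UDP header")
    sport, dport, length, _cksum = struct.unpack("!HHHH", datagram[:8])
    return {"src_port": sport, "dst_port": dport, "length": length, "payload": datagram[8:]}


def parse_icmp(message: bytes) -> dict:
    """Byte 0 is the ICMP type (8 = echo request), byte 1 the code: the same test as 'icmp[0]=8'."""
    if len(message) < 4:
        raise ValueError("ICMP message too short")
    return {"type": message[0], "code": message[1], "echo_request": message[0] == 8}


def parse_packet(packet: bytes) -> dict:
    """IPv4 header plus the decoded transport header selected by the protocol field."""
    ip = parse_ipv4(packet)
    inner = ip.pop("payload")
    if ip["protocol"] == 6:
        ip["tcp"] = parse_tcp(inner)
    elif ip["protocol"] == 17:
        ip["udp"] = parse_udp(inner)
    elif ip["protocol"] == 1:
        ip["icmp"] = parse_icmp(inner)
    return ip


def build_ipv4(proto: int, src: bytes, dst: bytes, payload: bytes) -> bytes:
    """Constructed test helper: minimal IPv4 header (DF set, TTL 128, checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0x4000, 128, proto, 0, src, dst) + payload


CLIENT, SERVER = bytes([192, 168, 0, 10]), bytes([192, 168, 0, 2])
# Constructed: client SYN to telnet (1043 -> 23) and the server's RST+ACK answer (0x02 and 0x14)
SYN_PACKET = build_ipv4(6, CLIENT, SERVER, struct.pack("!HHIIBBHHH", 1043, 23, 1000, 0, 0x50, 0x02, 65535, 0, 0))
RST_PACKET = build_ipv4(6, SERVER, CLIENT, struct.pack("!HHIIBBHHH", 23, 1043, 0, 1001, 0x50, 0x14, 0, 0, 0))
# Constructed: traceroute-style UDP probe (61168 -> 33434) and an ICMP echo request (type 8)
UDP_PACKET = build_ipv4(17, CLIENT, SERVER, struct.pack("!HHHH", 61168, 33434, 8, 0))
ICMP_PACKET = build_ipv4(1, CLIENT, SERVER, bytes([8, 0, 0, 0, 0, 1, 0, 1]))

if __name__ == "__main__":
    for pkt in (SYN_PACKET, RST_PACKET, UDP_PACKET, ICMP_PACKET):
        print(parse_packet(pkt))
```

Because `parse_ipv4` honours the header-length field rather than assuming 20 bytes, the same code also copes with packets that carry IP options, which is where hand-counted offsets in a hex dump most often go wrong.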
analysis of FTP protocol
(Reference [7]) Prerequisite: install an FTP server on the server
serveur $ sudo apt-get install proftpd
show the configuration file:
serveur $ less /etc/proftpd/proftpd.conf
the default configuration is enough here.
Other prerequisite: install the FileZilla FTP client on client XP
http://filezilla-project.org/download.php?type=client
Other prerequisite: install Wireshark on intrus:
intrus $ sudo apt-get install wireshark
start Wireshark (must be run as root):
intrus $ sudo wireshark
description of a frame:
FTP data is encapsulated in a TCP segment, which is itself encapsulated in an IP packet.
follow TCP stream:
The username and password are sent in clear text. We must use another protocol, like FTPS.
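What "follow TCP stream" exposes can be checked automatically. As an added example (not part of the original lab notes), the block below takes the client side of an FTP control-channel stream, splits it into commands, and reports every USER/PASS pair that went over the wire in clear text, masking the password so the finding can be logged without copying the secret. The stream and the account name are constructed for the example.

```python
# Added example (not from the original lab notes): flag cleartext FTP
# credentials in a reassembled client-to-server control stream.
# SAMPLE_CLIENT_STREAM is constructed; the account name is invented.
import re

# An FTP command is a 3- or 4-letter verb, optionally followed by one argument.
FTP_CMD = re.compile(r"^(?P<cmd>[A-Za-z]{3,4})(?: (?P<arg>.*))?$")

SAMPLE_CLIENT_STREAM = (
    "USER alice\r\n"
    "PASS s3cret-password\r\n"
    "SYST\r\n"
    "PWD\r\n"
    "PASV\r\n"
    "LIST\r\n"
    "QUIT\r\n"
)


def parse_ftp_commands(stream: str) -> list:
    """Split the client stream into (COMMAND, argument) pairs; verbs are case-insensitive."""
    commands = []
    for line in stream.split("\n"):
        m = FTP_CMD.match(line.rstrip("\r"))
        if m:
            commands.append((m.group("cmd").upper(), m.group("arg") or ""))
    return commands


def find_cleartext_credentials(stream: str) -> list:
    """One finding per PASS command seen in clear text, paired with the preceding USER."""
    findings = []
    pending_user = None
    for cmd, arg in parse_ftp_commands(stream):
        if cmd == "USER":
            pending_user = arg
        elif cmd == "PASS":
            findings.append({
                "user": pending_user,
                "password_masked": "*" * len(arg),
                "password_length": len(arg),
                "note": "credentials sent in clear text on the FTP control channel",
            })
            pending_user = None
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_credentials(SAMPLE_CLIENT_STREAM):
        print(finding)
```

On an FTPS session the control channel is encrypted after the TLS negotiation, so the same scan over the reassembled stream finds no readable PASS command, which is exactly the difference the notes recommend.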
references
3) la norme IEEE 802.3 et les protocoles ARP et ETHERNET - http://yannklein.free.fr/cours/reseau/protocole_ethernet_arp.html
4) Wikipedia - Transmission Control Protocol - http://fr.wikipedia.org/wiki/Transmission_Control_Protocol
5) Wikipedia - IPv4 - http://fr.wikipedia.org/wiki/IPv4
6) Wikipedia - UDP - http://fr.wikipedia.org/wiki/User_Datagram_Protocol
7) Ubuntu proftpd - http://doc.ubuntu-fr.org/proftpd