Wednesday 21 April 2010

basics 2 - tutorial: analysis of layers 2, 3 and 4

In this article, we illustrate the exchanges at layers 2, 3 and 4 with a practical example: Ethernet, IP, TCP and UDP.
A French version is available on the site.

watch traffic with TCPDUMP

In our lab, on the Windows client, in a terminal:
C:\clientXP > ping -n 1 192.168.0.2
(one echo request is sent to the server)



intrus $ sudo tcpdump
We can observe the IP packets between client XP and the server, here the ICMP echo request.



intrus $ tcpdump icmp and src 192.168.0.10
(listen only to ICMP traffic coming from client XP)



The traffic is filtered on:
- source = client XP
- protocol = ICMP
intrus $ sudo tcpdump icmp[0]=8
(only echo requests: the first byte of the ICMP header is the type field, and type 8 is "echo request")



analysis of the Ethernet header

C:\clientxp > arp -d
C:\clientxp > ping -n 1 192.168.0.2



intrus $ sudo tcpdump -x icmp or arp
(show the ICMP or ARP packets in hexadecimal format)



In the first ARP request, we can see that the destination hardware address field of the ARP message is 00:00:00:00:00:00. This is expected: the whole purpose of the request is to ask for the MAC address associated with IP 192.168.0.10, so the sender cannot fill in that field yet. (The Ethernet destination of the frame itself is the broadcast address ff:ff:ff:ff:ff:ff, so that every host on the segment receives the question.)

recall Ethernet frame

In bytes:
0 to 5       : MAC destination address
6 to 11      : MAC source address
12 to 13     : Type of protocol
14 to 1513   : Data
1514 to 1517 : FCS/CRC

Caution: other Ethernet frame formats exist, with different fields. For example, the "type of protocol" field can take these values:
0x0800 : IPv4
0x86DD : IPv6
0x0806 : ARP
C:\clientXP > ipconfig /all


serveur $ ifconfig


analysis of the IP and TCP headers

C:\clientXP > telnet -l utilisteur 192.168.0.2
intrus $ sudo tcpdump -x src 192.168.0.10


The encapsulated protocol is TCP (protocol field = 6).

The source and destination addresses are:
c0.a8.00.0a (192.168.0.10)
c0.a8.00.02 (192.168.0.2)

The source and destination ports are:
0x0413 (1043 decimal)
0x0017 (23 decimal = telnet)
C:\clientXP > telnet -l utilisteur 192.168.0.2
intrus $ sudo tcpdump -x src 192.168.0.10 or src 192.168.0.2


The TCP flags byte of the client's request is 0x02 (SYN):
high nibble 0 = 0000:
ECN (CWR, ECE) = 00
URG = 0
ACK = 0

low nibble 2 = 0010:
PSH = 0
RST = 0
SYN = 1
FIN = 0

The TCP flags byte of the response is 0x14 (ACK + RST):

high nibble 1 = 0001:
ECN (CWR, ECE) = 00
URG = 0
ACK = 1

low nibble 4 = 0100:
PSH = 0
RST = 1
SYN = 0
FIN = 0

A SYN answered by RST + ACK means the server refused the connection: nothing is listening on port 23.



recall IP packet

(reference [5])

In bytes (one row = 4 bytes):
IP version (4 bits) | header length (4 bits, in 32-bit words) | Type of service (1 byte) | Total length in bytes (2 bytes)
Identification, for fragments (2 bytes) | Flags, for fragments (3 bits) | Fragment offset (13 bits)
TTL, Time To Live (1 byte) | Protocol (1 byte) | Header checksum (2 bytes)
Source address (4 bytes)
Destination address (4 bytes)
Option(s)

recall ARP packet:

(reference [3])
The following table shows the fields of a classic ARP message (TCP/IPv4 over Ethernet).

Field                          Size
hardware type                  2 bytes
protocol type                  2 bytes
hardware address size          1 byte
protocol address size          1 byte
Operation                      2 bytes
source hardware address        6 bytes
source protocol address        4 bytes
destination hardware address   6 bytes
destination protocol address   4 bytes

hardware type: for Ethernet, 0x0001
protocol type: for example IPv4 (0x0800, the same value as in the Ethernet type field)
hardware address size: for Ethernet, 6 (because Ethernet addresses are 6 bytes long)
protocol address size (logical address):
For IPv4, logical addresses are 4 bytes long
For IPV6, logical addresses are 6 bytes long
Operation:
request: 1 (0x0001)
response: 2 (0x0002)
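As an added example (this is not code from the original article), here is a small Python decoder for the Ethernet header and the ARP message it carries, the two structures recalled above. The sample frame, its MAC addresses and the function names are my own construction; the IP addresses are those of the lab. It shows the point made in the ARP analysis: the Ethernet destination of an ARP request is the broadcast address while the ARP destination hardware address is all zeros. It also goes slightly beyond the text by flagging the case where the "type" field actually holds an IEEE 802.3 length (values of 1500 or less).

```python
import struct

# Added example, not from the original article: decode the 14-byte Ethernet II header
# and the ARP message it carries, as seen in "tcpdump -x icmp or arp" output.
# The sample frame built below is constructed; its MAC addresses are made up.

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
ARP_OPERATIONS = {1: "request", 2: "reply"}
BROADCAST_MAC = b"\xff" * 6


def mac_str(raw):
    """Render six raw bytes as a colon-separated MAC address."""
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    """Render four raw bytes as a dotted IPv4 address."""
    return ".".join(str(b) for b in raw)


def parse_ethernet(frame):
    """Split an Ethernet II frame into header fields and payload.

    The FCS is not included: tcpdump does not capture it. A type/length
    field of 0x05DC (1500) or less is an 802.3 length, not a protocol type.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype <= 0x05DC:
        type_name = f"802.3 length field ({ethertype})"
    else:
        type_name = ETHERTYPES.get(ethertype, f"unknown (0x{ethertype:04x})")
    return {"dst": mac_str(dst), "src": mac_str(src), "type": ethertype,
            "type_name": type_name, "payload": frame[14:]}


def parse_arp(msg):
    """Parse the 28-byte ARP message used for Ethernet/IPv4."""
    if len(msg) < 28:
        raise ValueError("ARP message truncated")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", msg[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", msg[8:28])
    return {"operation": ARP_OPERATIONS.get(oper, f"unknown ({oper})"),
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def decode_frame(frame):
    """Decode the Ethernet header and, for ARP frames, the ARP message."""
    eth = parse_ethernet(frame)
    result = {"ethernet": eth}
    if eth["type"] == 0x0806:
        result["arp"] = parse_arp(eth["payload"])
    return result


def build_arp_request(sender_mac, sender_ip, target_ip):
    """Constructed sample: the ARP request a host sends after 'arp -d' to learn target_ip's MAC.

    The Ethernet destination is the broadcast address, while the ARP target
    hardware address is all zeros, because that is exactly the value being asked for.
    """
    spa = bytes(int(x) for x in sender_ip.split("."))
    tpa = bytes(int(x) for x in target_ip.split("."))
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      sender_mac, spa, b"\x00" * 6, tpa)
    eth = struct.pack("!6s6sH", BROADCAST_MAC, sender_mac, 0x0806)
    return eth + arp


if __name__ == "__main__":
    # Made-up client MAC; the IP addresses are the lab addresses used in the article.
    frame = build_arp_request(bytes.fromhex("001122334455"), "192.168.0.10", "192.168.0.2")
    print(" ".join(f"{b:02x}" for b in frame))   # same byte order as a tcpdump -xx dump
    for layer, fields in decode_frame(frame).items():
        print(layer, {k: v for k, v in fields.items() if k != "payload"})
```

Run it directly to print the constructed frame in the same byte order as a tcpdump -xx dump, followed by the decoded fields of both layers.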

recall TCP segment

(reference [4])
In bits (one row = one 32-bit word, bits 0 to 31):
Source port (16 bits) | Destination port (16 bits)
Sequence number (32 bits)
Acknowledgement number (32 bits)
Header size (4 bits) | Reserved | ECN | URG | ACK | PSH | RST | SYN | FIN | Window (16 bits)
Checksum (16 bits) | Urgent data pointer (16 bits)
Options | Padding
Data

Meaning of these fields:
Source port
Destination port
Sequence number: sequence number of the first byte of the segment
Acknowledgement number: sequence number of the next byte expected
Header size: header length in 32-bit words (options are part of the header)
Reserved: reserved for future use
ECN: explicit congestion notification, see RFC 3168
Flags
URG: URGent data
ACK: the segment is an ACKnowledgement
PSH: data must be delivered immediately (PuSH)
RST: abnormal termination of the connection (ReSeT)
SYN: request for SYNchronisation, i.e. to open a connection
FIN: request to end the connection
Window: size of the window requested, i.e. the number of bytes the destination is willing to receive before an acknowledgement is required.
Checksum: checksum computed over the whole TCP header and data, plus a pseudo-header built from the IP header
Urgent data pointer: relative position of the urgent data
Options
Padding: zeros added to align the next field on a 32-bit word boundary.
Data

analysis of the UDP header

Traceroute uses the UDP protocol. Let's use it on the loopback interface.

prerequisites: install traceroute:
intrus $ sudo apt-get install traceroute
1st terminal:
intrus $ tcpdump -x -i lo
2nd terminal:
intrus $ sudo traceroute -i lo localhost


source port is: 61168 (0xc7e0)
destination port is: 33434 (0x829a)
The source announces the port it uses, so that the destination can reply to it.

recall UDP datagram

(reference [6])
The UDP datagram header is much simpler than the TCP one:

Source port (16 bits) | Destination port (16 bits)
Length (16 bits) | Checksum (16 bits)
Data
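Added example, not part of the original article: a Python decoder that takes the hex dump printed by tcpdump -x (the IP packet onwards, link layer excluded), rebuilds the bytes and decodes the IPv4 header, verifies its checksum, and decodes the TCP or UDP header behind it, so that the values read by hand above (port 0x0413 = 1043, flags 0x02 = SYN, 0x14 = RST + ACK, traceroute probe to port 33434) can be checked mechanically. The two dumps embedded in it are constructed to resemble this article's telnet SYN and traceroute probe (the identification fields and the traceroute source port are made up); the function names are mine. It goes slightly beyond the text by handling IP fragmentation: only the first fragment carries the transport header, so later fragments are not decoded as TCP or UDP.

```python
import struct
from ipaddress import IPv4Address

# Added example, not from the original article: turn the hex dump printed by
# "tcpdump -x" back into bytes and decode the IPv4 header plus the TCP or UDP
# header it carries. Both sample dumps are constructed, not captured.

IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
# Bits of the TCP flags byte, least significant first; ECE and CWR are the two "ECN" bits.
TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")

# Constructed: client 192.168.0.10:1043 -> server 192.168.0.2:23, SYN, TTL 128, DF set.
SAMPLE_TELNET_SYN = """\
10:00:00.000000 IP 192.168.0.10.1043 > 192.168.0.2.telnet: Flags [S], seq 1, win 65535, length 0
\t0x0000:  4500 0028 1234 4000 8006 673f c0a8 000a
\t0x0010:  c0a8 0002 0413 0017 0000 0001 0000 0000
\t0x0020:  5002 ffff 0000 0000
"""

# Constructed: first traceroute probe on lo, TTL 1, UDP to port 33434, made-up source port 35000.
SAMPLE_TRACEROUTE_PROBE = """\
10:00:01.000000 IP 127.0.0.1.35000 > 127.0.0.1.33434: UDP, length 4
\t0x0000:  4500 0020 abcd 0000 0111 0ffe 7f00 0001
\t0x0010:  7f00 0001 88b8 829a 000c 0000 0000 0000
"""


def hexdump_to_bytes(text):
    """Collect the hex words of lines like '0x0010:  c0a8 0002 ...'; other lines (the summary) are skipped."""
    words = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("0x") and ":" in line:
            words.append(line.split(":", 1)[1].replace(" ", ""))
    return bytes.fromhex("".join(words))


def internet_checksum(data):
    """RFC 1071 ones'-complement sum; over a header that contains its own checksum it yields 0 if intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_flags(flags_byte):
    """Names of the bits set in the TCP flags byte: 0x02 -> ['SYN'], 0x14 -> ['RST', 'ACK']."""
    return [name for bit, name in enumerate(TCP_FLAG_NAMES) if flags_byte >> bit & 1]


def parse_tcp(segment):
    """Fixed 20-byte TCP header; options, if any, are skipped via the data offset."""
    sport, dport, seq, ack, offset, flags, window, _csum, urg = struct.unpack("!HHIIBBHHH", segment[:20])
    hlen = (offset >> 4) * 4
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "header_len": hlen, "flags": tcp_flags(flags), "window": window,
            "urgent_pointer": urg, "payload": segment[hlen:]}


def parse_udp(datagram):
    """8-byte UDP header; the length field covers header and data."""
    sport, dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
    return {"src_port": sport, "dst_port": dport, "length": length, "payload": datagram[8:length]}


def parse_ipv4(packet):
    """Decode the IPv4 header, verify its checksum and hand the payload to the transport parser."""
    if len(packet) < 20:
        raise ValueError("packet shorter than an IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    hlen = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or hlen < 20:
        raise ValueError("not an IPv4 packet")
    info = {"header_len": hlen, "total_len": total_len, "id": ident, "ttl": ttl,
            "protocol": proto, "protocol_name": IP_PROTOCOLS.get(proto, str(proto)),
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "dont_fragment": bool(flags_frag & 0x4000), "more_fragments": bool(flags_frag & 0x2000),
            "fragment_offset": (flags_frag & 0x1FFF) * 8,
            "checksum_ok": internet_checksum(packet[:hlen]) == 0}
    payload = packet[hlen:total_len]
    # Only the first fragment carries the transport header; later fragments hold raw data.
    if info["fragment_offset"] == 0:
        if proto == 6 and len(payload) >= 20:
            info["tcp"] = parse_tcp(payload)
        elif proto == 17 and len(payload) >= 8:
            info["udp"] = parse_udp(payload)
    return info


if __name__ == "__main__":
    for dump in (SAMPLE_TELNET_SYN, SAMPLE_TRACEROUTE_PROBE):
        pkt = parse_ipv4(hexdump_to_bytes(dump))
        print({k: v for k, v in pkt.items() if k not in ("tcp", "udp")})
        print(pkt.get("tcp") or pkt.get("udp"))
```

The checksum check is the part worth keeping in a real tool: a header whose checksum does not verify was either corrupted in transit or modified by something between the sender and the capture point, and should not be trusted when interpreting the fields.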

analysis of the FTP protocol

(Reference [7])

Prerequisites: install an FTP server on the server
serveur $ sudo apt-get install proftpd
show the configuration file:
serveur $ cat /etc/proftp/proftp.conf | less
The default configuration is enough here.



Other prerequisite: install the FileZilla FTP client on client XP
http://filezilla-project.org/download.php?type=client
Other prerequisite: install Wireshark on intrus:
intrus $ sudo apt-get install wireshark
start Wireshark (must be run with sudo):
intrus $ sudo wireshark




description of a frame:

The FTP data is encapsulated in a TCP segment, which is itself encapsulated in an IP packet.



follow TCP stream:

The user name and password are sent in clear text. Another protocol, such as FTPS, must be used instead.
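Added example, not from the original article: the principle behind Wireshark's "follow TCP stream", i.e. putting the segments of one direction back in order by sequence number, followed by a defender-side check that reports FTP USER and PASS commands seen in the clear (the password is masked in the report, never stored). The segments, the user name and the password are constructed; the function names are mine.

```python
import re

# Added example, not from the original article: reassemble the client side of a TCP
# stream from (sequence number, payload) pairs, as Wireshark's "Follow TCP Stream"
# does, and flag FTP USER/PASS commands that crossed the wire in clear text.

# Constructed capture, client -> server: out of order, with one retransmitted segment.
SAMPLE_CLIENT_SEGMENTS = [
    (1012, b"PASS s3cret\r\n"),
    (1000, b"USER alice\r\n"),
    (1025, b"SYST\r\n"),
    (1000, b"USER alice\r\n"),   # retransmission of the first segment
]
SAMPLE_INITIAL_SEQ = 1000          # ISN + 1: the first data byte follows the SYN

# FTP commands are one per line, terminated by CRLF.
FTP_CREDENTIAL_CMD = re.compile(rb"^(USER|PASS)[ \t]+(\S+)\r?$", re.IGNORECASE | re.MULTILINE)


def reassemble(segments, initial_seq):
    """Put one direction of a TCP stream back together.

    Segments are sorted by sequence number; retransmissions and overlapping
    bytes are dropped; reassembly stops at the first hole, since bytes after a
    missing segment cannot be placed reliably.
    """
    data = bytearray()
    expected = initial_seq
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        end = seq + len(payload)
        if end <= expected:
            continue                        # entirely old data: a retransmission
        if seq > expected:
            break                           # hole in the capture
        data += payload[expected - seq:]    # trim the part already seen
        expected = end
    return bytes(data)


def find_cleartext_ftp_credentials(stream):
    """Return (command, value) pairs for USER/PASS lines; the password is masked, not kept."""
    findings = []
    for m in FTP_CREDENTIAL_CMD.finditer(stream):
        command = m.group(1).upper().decode()
        value = m.group(2).decode(errors="replace")
        findings.append((command, value if command == "USER" else "*" * len(value)))
    return findings


if __name__ == "__main__":
    stream = reassemble(SAMPLE_CLIENT_SEGMENTS, SAMPLE_INITIAL_SEQ)
    print(stream.decode())
    for command, value in find_cleartext_ftp_credentials(stream):
        print(f"cleartext {command} seen: {value}")
```

The same reassembly applies to the server side of the conversation (220, 331, 230 replies) with the server's initial sequence number; a monitoring tool would run the credential check on the client direction only.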

references

3) The IEEE 802.3 standard and the ARP and Ethernet protocols - http://yannklein.free.fr/cours/reseau/protocole_ethernet_arp.html
4) Wikipedia - Transmission Control Protocol - http://fr.wikipedia.org/wiki/Transmission_Control_Protocol
5) Wikipedia - IPv4 - http://fr.wikipedia.org/wiki/IPv4
6) Wikipedia - UDP - http://fr.wikipedia.org/wiki/User_Datagram_Protocol
7) Ubuntu proftpd - http://doc.ubuntu-fr.org/proftpd
