Packets and Protocols Chapter One Introduction
Packets and Protocols • Course title: Introduction to TCP/IP • Course No: CIS • Prerequisite: CIS • Credit Hrs: 4 • Text Book: Wireshark and Ethereal - Syngress • We cannot troubleshoot networks until we understand how they work. To know how protocols work at their most basic level means that you have a clear understanding of how protocols and their associated packets work. With this knowledge you will be able to troubleshoot a myriad of network problems.
Packets and Protocols • Class structure - http://cis.sc4.edu/ • Start – 6:15 • Breaks – 2 –various times • End – NLT 10:00 • Contact time – 5:25 – 6:15 • Instructor – John Kowalski • john.kowalski@sc4.edu
Packets and Protocols • Silly-bus • Course website • Grading scale • Slides • Course outcomes • White hat agreement
Packets and Protocols • Name • Background/Experiences/Certifications, etc? • What do you know about the use of sniffers?
Packets and Protocols • Network analysis – defined • The process of capturing network traffic for the purpose of troubleshooting network anomalies with various tools and techniques. • What is a sniffer? • Technically, “Sniffer” is a product produced by NetScout (originally Network General) • More generally, it is a tool that converts bits and bytes into a format that we can understand.
Packets and Protocols • What is a network analyzer? • Can be anything! • Portable laptop • Dedicated hardware • Generic PC used for packet captures • What does an analyzer tool look like?
Packets and Protocols (screenshot of an analyzer window: Summary, Detail and Data panes)
Packets and Protocols • A packet analyzer is composed of five basic components • Hardware • Driver • Buffer • Real-Time Analysis Tool • Decode
Packets and Protocols • What is a protocol analysis tool used for? • Converting binary to English • Troubleshooting • Performance analysis • Logging traffic • Establishing benchmarks • Discovering faulty devices • Intrusion detection • Virus detection
Packets and Protocols • The Good, the Bad and the Ugly • Like any tool, the possibility for misuse exists • Hackers can steal info • The “curious” can snoop • Passwords can be captured • Learn what viruses would be most effective • Learn IP addressing schemes for DoS attacks
Packets and Protocols • Other network analyzers • WinDump • Network General Sniffer (now NetScout) • Network Monitor • EtherPeek • tcpdump • Snoop • Snort • Dsniff • Ettercap • Etc.
Packets and Protocols • How does a sniffer… sniff? • All Ethernet-enabled devices on a shared segment see all of the traffic on “the wire” • Ethernet is not a secure protocol, so sniffers are the perfect tool for troubleshooting • Normal NIC behavior • Passes up only unicasts addressed to its own MAC, broadcasts and multicasts • Promiscuous mode • Passes up all unicasts, all broadcasts, all multicasts – all traffic!
Packets and Protocols End node in Normal mode
Packets and Protocols End node in Promiscuous mode
Packets and Protocols • A word about MAC addresses • Media Access Control Addresses: • Are unique • Can be viewed with ipconfig (Windows) • Can be overridden (spoofing), which is used in • DoS attacks • SYN attacks • Smurf attacks • Begin with an Organizationally Unique Identifier (OUI), assigned by the IEEE • http://standards.ieee.org/regauth/oui/oui.txt
Local Area Networks Ethernet address types • Addresses are 6 bytes long • Generally written in hexadecimal • Globally unique (unicast) • Aka – Burned-in-address • Examples: • 00.0C.12.34.AB.CD – Legal • FF.FF.FF.FF.FF.FF – Legal (the broadcast address) • 00.00.01.10.45.G2 – Illegal (G is not a hexadecimal digit)
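As an added example (not part of the course slides), the Python below parses addresses written the way this slide writes them, rejects the illegal one, classifies unicast, broadcast and multicast from the I/G bit, extracts the OUI, and models the normal-mode versus promiscuous-mode NIC behaviour from the sniffer slide. The multicast handling is a simplification of real NIC filtering.

```python
import re

# Accepts the slide's dotted form (00.0C.12.34.AB.CD) as well as ':' or '-' separators.
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([.:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")

def parse_mac(text):
    """Return the six address bytes, or raise ValueError for an illegal string
    such as 00.00.01.10.45.G2 (G is not a hexadecimal digit)."""
    if not _MAC_RE.match(text):
        raise ValueError(f"illegal MAC address: {text!r}")
    return bytes(int(pair, 16) for pair in re.split(r"[.:-]", text))

def is_legal(text):
    try:
        parse_mac(text)
        return True
    except ValueError:
        return False

def classify(mac):
    """Broadcast is all ones. Multicast has the I/G bit (least significant bit
    of the first byte) set. Anything else is a unicast (burned-in) address."""
    if mac == b"\xff" * 6:
        return "broadcast"
    if mac[0] & 0x01:
        return "multicast"
    return "unicast"

def oui(mac):
    """The first three bytes of a unicast address are the IEEE-assigned OUI,
    the key used to look the vendor up in the IEEE OUI list."""
    return ":".join(f"{b:02X}" for b in mac[:3])

def nic_accepts(frame_dst, my_mac, promiscuous=False):
    """Normal mode: only frames to my own address, broadcasts and multicasts
    (simplified: a real NIC accepts only the multicast groups it joined).
    Promiscuous mode: every frame on the wire is passed up to the sniffer."""
    if promiscuous:
        return True
    return classify(frame_dst) != "unicast" or frame_dst == my_mac

if __name__ == "__main__":
    me = parse_mac("00.0C.12.34.AB.CD")
    for text in ("00.0C.12.34.AB.CD", "FF.FF.FF.FF.FF.FF", "00.00.01.10.45.G2"):
        print(text, "legal" if is_legal(text) else "illegal")
    other = parse_mac("00-0C-12-34-AB-CE")
    print("normal mode sees neighbour's unicast:", nic_accepts(other, me))
    print("promiscuous mode sees it:", nic_accepts(other, me, promiscuous=True))
```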
Packets and Protocols • The OSI Model • A method of moving data from point to point using seven distinct steps • The TCP/IP model • TCP/IP (aka the DoD model) is newer and only contains four layers
Packets and Protocols – The seven OSI layers (side labels on the slide: “Provides Services” for the upper layers, “Moves Data” for the lower layers)
7 Application – Allows users to transfer files, send mail, etc.; the only layer that users communicate with directly; key features are ease of use and functionality
6 Presentation – Standardized data encoding and decoding; data compression; data encryption and decryption
5 Session – Manages user sessions; reports upper-layer errors; supports Remote Procedure Call activities
4 Transport – Connects processes; connection management (e.g., TCP); error and flow control; connectionless, unreliable (e.g., UDP)
3 Network – Internetwork packet routing; minimizes subnet congestion; resolves differences between subnets
2 Data Link – Network access control (MAC address); packet framing; error and flow control
1 Physical – Moves bits across a physical medium; interface between network medium and network devices; defines electrical and mechanical characteristics of the LAN
Packets and Protocols • OSI vs. TCP Model
Packets and Protocols The Physical Layer • The Physical Layer only transmits bits to, and receives bits from, the physical medium. It does not “see” the bits as organized into meaningful patterns, such as an address. • The Physical Layer operates depending on the chosen network topology.
Packets and Protocols The Physical Layer cont. • A physical address is also referred to as a: • Hardware address • Adapter address • Network interface card (NIC) address • Medium Access Control (MAC) address • A physical address is required for network devices to ultimately deliver information to a given network node.
Packets and Protocols The Data Link Layer • We can categorize physical addresses, for the purposes of networking, into two general types: • A LAN address is commonly found in an Ethernet or Token Ring LAN environment. • A WAN address is found in High-Level Data Link Control (HDLC) or Frame Relay protocol addressing. • The Data Link Layer is divided into two distinct sublayers • MAC • The MAC address of the node – interfaces with the lower layers • LLC • Tags and identifies protocols – interfaces with the upper layers • Think of it as a universal adapter
Packets and Protocols The Network Layer • A logical address is generally implemented as a software entity rather than a hardware entity. • There are two primary types of logical addresses, as follows: • Network addresses, processed at the Network Layer • Port or process addresses, processed at the Transport Layer
Packets and Protocols The Transport Layer • The Well-Known Port Numbers Table lists some of the more commonly used TCP and User Datagram Protocol (UDP) addresses.
Packets and Protocols The Transport Layer cont. • The Transport Layer is responsible not only for application addressing, but also for providing reliable communications over the best effort Layer 3 protocols. • The Transport Layer provides: • Flow control • Windowing • Data sequencing • Recovery
Packets and Protocols The Transport Layer cont. • Two protocols most commonly associated with layer 4 • TCP • High overhead • Connection oriented • Reliable • UDP • Low overhead • Connectionless • Unreliable • Fast
Packets and Protocols The Session Layer • The Session Layer: • establishes, manages, and terminates sessions between applications. • provides its services to the Presentation Layer. • synchronizes dialog between Presentation Layer entities and manages their data exchange.
Packets and Protocols The Presentation Layer • The Presentation Layer: • ensures that information sent by the Application Layer of one system is formatted in a manner in which the destination system’s Application Layer can read it. • can translate between multiple data representation formats, if necessary.
Packets and Protocols The Application Layer • The Application Layer: • is the layer closest to the user. • provides user application services to application processes outside the OSI model’s scope and does not support the other layers. • identifies the intended communication partners and establishes their availability, synchronizes cooperating applications, and establishes agreed procedures for application error recovery and data integrity control. • determines whether sufficient resources exist for the intended communications.
Packets and Protocols Ethernet communication steps • Arbitration—Determines when it is appropriate to use the physical medium • Addressing—Ensures that the correct recipient(s) receives and processes the data that is sent • Error detection—Determines whether the data made the trip across the physical medium successfully • Identification of the encapsulated data—Determines the type of header that follows the data link header
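Added example, not from the course: a minimal Ethernet II frame decoder in Python that performs three of the four steps above on a constructed frame: addressing, error detection (the CRC-32 frame check sequence) and identification of the encapsulated data (the EtherType). Arbitration happens in the NIC and is not modelled; note that most capture drivers strip the FCS before a sniffer sees the frame, so captured frames are usually 4 bytes shorter than the one built here.

```python
import struct
import zlib

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(dst, src, ethertype, payload):
    """Constructed sample frame: 14-byte header + payload + 4-byte FCS.
    The FCS is the IEEE CRC-32 over everything before it, sent LSB first."""
    body = struct.pack("!6s6sH", dst, src, ethertype) + payload
    return body + struct.pack("<I", zlib.crc32(body))

def decode_frame(frame):
    """Addressing, error detection and identification of the encapsulated data."""
    if len(frame) < 18:  # 14-byte header plus 4-byte FCS is the least we can parse
        raise ValueError("frame too short")
    dst, src, type_or_len = struct.unpack("!6s6sH", frame[:14])
    # Values <= 0x05DC (1500) are an 802.3 length field, not an EtherType.
    if type_or_len <= 0x05DC:
        encapsulated = f"802.3 frame, length {type_or_len}"
    else:
        encapsulated = ETHERTYPES.get(type_or_len, f"unknown EtherType 0x{type_or_len:04x}")
    # Error detection: recompute the CRC and compare with the trailer.
    fcs_ok = struct.unpack("<I", frame[-4:])[0] == zlib.crc32(frame[:-4])
    return {"dst": mac_str(dst), "src": mac_str(src), "encapsulated": encapsulated,
            "payload": frame[14:-4], "fcs_ok": fcs_ok}

# Constructed sample: an IPv4 frame from 00:0c:12:34:ab:cd to the broadcast address,
# plus a copy with one payload byte flipped, as a damaged cable or NIC might do.
SAMPLE = build_frame(b"\xff" * 6, bytes.fromhex("000c1234abcd"), 0x0800,
                     b"\x45" + b"\x00" * 19)
CORRUPTED = SAMPLE[:20] + bytes([SAMPLE[20] ^ 0xFF]) + SAMPLE[21:]

if __name__ == "__main__":
    for name, frame in (("good", SAMPLE), ("corrupted", CORRUPTED)):
        d = decode_frame(frame)
        print(f"{name}: {d['src']} -> {d['dst']} {d['encapsulated']} FCS ok: {d['fcs_ok']}")
```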
Packets and Protocols CSMA/CD • CSMA • Node Listens • Node Sends Data • Node Listens • CD • Collision detected • Nodes “back off” • Node retransmits
Packets and Protocols • Top four protocols: • IP • ICMP • TCP • UDP • While there are certainly more than four protocols, these make up the bulk of network traffic.
Packets and Protocols • IP • Connectionless • Moves data from one layer three address to another • Several fields: • IPID Field • Protocol • TTL • Source IP • Destination IP
Packets and Protocols • ICMP • The “tattle tale” protocol • Echo • Request/reply • Unreachable • Destination • Network • Port • Time exceeded • TTL
Packets and Protocols • TCP • The protocol you can count on • Uses include • Web • E-mail • FTP • SSH • Reliable • Ack • Handshake • Sequencing • Disassembles and reassembles large payloads
Packets and Protocols • UDP • Quick but unreliable • Guaranteed fast! (but not guaranteed to get there) • Uses • VoIP • DHCP • DNS • Gaming
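Added example, not from the course: a Python decoder for the IPv4 header fields named on the IP slide (IP ID, Protocol, TTL, source and destination), which also verifies the header checksum and maps the Protocol number to ICMP, TCP or UDP, the other three of the “top four”. The sample header is constructed; the second case shows what an analyzer reports when a TTL was changed without the checksum being recomputed, which is the check a router performs on every hop.

```python
import struct
import ipaddress

IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

def ip_checksum(header):
    """RFC 791 one's-complement sum of the header's 16-bit words. Over a header
    whose checksum field is already correct the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src, dst, proto, ident, ttl, payload_len):
    """Constructed sample header (no options) with a correct checksum."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                         ttl, proto, 0, ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return fields[:10] + struct.pack("!H", ip_checksum(fields)) + fields[12:]

def decode_ipv4(data):
    """Return the fields from the IP slide plus the checksum verdict."""
    if len(data) < 20 or data[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (data[0] & 0x0F) * 4  # header length in bytes (20 without options)
    (_, _, total_len, ident, flags_frag, ttl, proto, _,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    return {
        "id": ident,
        "ttl": ttl,
        "protocol": IP_PROTOCOLS.get(proto, f"other ({proto})"),
        "src": str(ipaddress.ip_address(src)),
        "dst": str(ipaddress.ip_address(dst)),
        "total_length": total_len,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "header_ok": ip_checksum(data[:ihl]) == 0,
    }

if __name__ == "__main__":
    hdr = build_ipv4_header("192.0.2.1", "192.0.2.2", 17, 0xBEEF, 64, 8)
    print(decode_ipv4(hdr))
    # TTL decremented by a "router" that forgot to fix the checksum: header_ok is False
    print(decode_ipv4(hdr[:8] + bytes([63]) + hdr[9:]))
```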
Packets and Protocols Repeaters • Repeaters are used to • Amplify signals and pass them to other network segments • Packets are received, amplified and retransmitted • Repeaters have limited abilities • Repeaters cannot filter or error-check packets • They are Physical Layer devices with no built-in algorithms • Function is limited to digital signal amplification
Packets and Protocols Hubs • Hubs are multi-port repeaters (and multi-port repeaters are also known as hubs) • Connect workstations to the network • Hubs can have multiple port connections and be stacked • Use twisted-pair cabling
Packets and Protocols Bridge • A bridge provides for • Creation of a single “logical” LAN longer than any one cable • Offers electrical & traffic isolation between cable segments • Keeps local traffic local on the LAN • Forwards only necessary traffic on to the WAN • Bridges are protocol independent • Can support any protocol on the LAN • Most common use of a bridge is to filter traffic • Purpose is to separate LAN traffic based on MAC addresses • Supports asynchronous or synchronous WAN connections
Packets and Protocols LAN Segmentation
Packets and Protocols Transparent Bridges • Ethernet bridges are known as transparent bridges because they are invisible – or transparent – to the end devices • Transparent bridges perform three functions: • 1. Learn MAC addresses by examining the source MAC address of each frame received by the bridge • 2. Decide when to forward a frame or when to filter (not forward) a frame, based on the destination MAC address • 3. Create a loop-free environment with other bridges by using the Spanning Tree Protocol
Packets and Protocols • Bridges observe traffic as it passes and record the MAC addresses • Bridges forward all broadcast and unknown unicast packets
Packets and Protocols Switch (multi-port bridge) • Used to alleviate network congestion • Divide networks into virtual LAN (VLAN) segments • Ability to dedicate more bandwidth • Function at the Data Link Layer in workgroups • Function at the Network Layer in network backbones • Switches provide 100 Mbps ports for user connections • Ethernet switches have replaced bridges in large networks • Can also filter traffic based on MAC address • Ethernet switches function as both a repeater and a bridge
Packets and Protocols Switches actually make packet analysis more difficult
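Added example, not from the course: a Python simulation of the transparent bridge behaviour from the two slides above (learn from the source address, then filter, forward or flood by destination), run against a constructed three-port scenario. It makes the point of this slide concrete: once the bridge has learned both hosts, a sniffer on a third port sees only the first unknown-destination frame and the broadcasts. Spanning Tree (function 3) is not modelled.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

def is_flooded(dst):
    """Broadcast and multicast (I/G bit set) destinations go out every other port."""
    return dst == BROADCAST or bool(int(dst.split(":")[0], 16) & 0x01)

class TransparentBridge:
    """Functions 1 and 2 from the slide; a switch does the same per port."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}  # learned MAC address -> port it was last seen on

    def receive(self, in_port, src, dst):
        """Handle one frame; return the list of ports it is sent out on."""
        self.table[src] = in_port  # 1. learn from the source address
        if is_flooded(dst) or dst not in self.table:
            # flood: broadcast, multicast, or a unicast the bridge has not learned
            return [p for p in self.ports if p != in_port]
        out_port = self.table[dst]
        if out_port == in_port:
            return []  # 2. filter: destination is on the sender's own segment
        return [out_port]  # 2. forward only to the learned port

def sniffer_visibility(bridge, sniffer_port, frames):
    """Return the (src, dst) pairs a sniffer plugged into sniffer_port would see
    when frames (in_port, src, dst) pass through the bridge in order."""
    seen = []
    for in_port, src, dst in frames:
        if sniffer_port in bridge.receive(in_port, src, dst):
            seen.append((src, dst))
    return seen

if __name__ == "__main__":
    # Constructed scenario: host A on port 1, host B on port 2, sniffer on port 3
    A, B = "00:0c:12:34:ab:cd", "00:0c:12:34:ab:ce"
    traffic = [(1, A, B), (2, B, A), (1, A, B), (1, A, BROADCAST)]
    print(sniffer_visibility(TransparentBridge([1, 2, 3]), 3, traffic))
    # Only the first (unknown-destination) frame and the broadcast reach port 3.
```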
Packets and Protocols Router • Layer 3 device • Interconnects networks • A Layer 3 switch is a multi-port router
Packets and Protocols Routers stop the flow of broadcasts
Packets and Protocols How many collision domains are there? There are six collision domains
Packets and Protocols • Firewalls • Specialized devices • Ability to examine packets at virtually every layer of the OSI model • Generally placed at the “edge” of the network • Offloads “policing” policies from the core routers