PDF generated using the open source mwlib toolkit. See http://code.pediapress.com/ for more information.
PDF generated at: Thu, 28 Feb 2013 18:32:40 UTC
Internet Protocol Analysis
Learning Guide
Contents
Articles
Overview 1
Internet Protocol Analysis 1
Lesson 1 – Introduction 3
Introduction 3
Ipconfig 8
Private Networks 9
Lesson 2 – Packet Analyzers 10
Packet Analyzers 10
Install Wireshark 14
Capture Network Traffic 16
Filter Displayed Traffic 17
Filter Captured Traffic 18
Lesson 3 – Link Layer 19
Link Layer 19
Display MAC Addresses Using Getmac 24
Display MAC Addresses Using Ipconfig 25
Search for a MAC Address OUI 26
Capture and Analyze Ethernet Traffic 27
Lesson 4 – Address Resolution Protocol (ARP) 29
Address Resolution Protocol (ARP) 29
View the ARP Cache 33
Modify the ARP Cache 34
Capture and Analyze Address Resolution Protocol (ARP) Traffic 37
Lesson 5 – Internet Layer / IPv4 39
Internet Layer / IPv4 39
Search the Whois Database 43
Capture and Analyze Address Resolution Protocol (ARP) Traffic 45
Capture and Analyze Local IPv4 Traffic 47
Capture and Analyze Remote IPv4 Traffic 48
Capture and Analyze Fragmented IPv4 Traffic 50
Lesson 6 – Subnetting 52
Subnetting 52
Lesson 7 – IPv6 56
IPv6 56
Configure IPv6 Settings 61
Capture and Analyze Local IPv6 Traffic 64
Capture and Analyze Remote IPv6 Traffic 65
Capture and Analyze IPv6 Teredo Traffic 67
Capture and Analyze IPv6 6to4 Traffic 68
Capture and Analyze IPv6 6in4 Traffic 69
Lesson 8 – Internet Control Message Protocol (ICMP) 70
Internet Control Message Protocol (ICMP) 70
Capture and Analyze ICMP Echo Traffic 74
Capture and Analyze ICMP Time Exceeded Traffic 75
Capture and Analyze ICMP tracert/traceroute Traffic 76
Capture and Analyze ICMPv6 Echo Traffic 78
Capture and Analyze ICMPv6 Time Exceeded Traffic 79
Capture and Analyze ICMPv6 tracert/traceroute Traffic 81
Ping MTU 82
Lesson 9 – Multicast 84
Multicast 84
Capture and Analyze IPv4 Multicast Traffic 88
Capture and Analyze IPv6 Multicast Traffic 89
Capture and Analyze ICMPv6 Neighbor Discovery Protocol (NDP) Traffic 90
Lesson 10 – Transport Layer 94
Transport Layer 94
Display Protocol Statistics 100
Display All Active Connections and Listening Ports 101
Capture and Analyze User Datagram Protocol (UDP) Traffic 102
Capture and Analyze Transmission Control Protocol (TCP) Traffic 104
Lesson 11 – Address Assignment 108
Address Assignment 108
View and Test a Link-Local Address 112
Capture and Analyze Dynamic Host Configuration Protocol (DHCP) Traffic 114
Capture and Analyze DHCPv6 Traffic 118
Lesson 12 – Name Resolution 123
Name Resolution 123
View the Hosts File 129
Edit the Hosts File 130
Display Host Addresses 131
Display Other Record Types 132
Simulate a Recursive Query 133
Capture and Analyze Domain Name System (DNS) Traffic 134
Capture and Analyze Link Local Multicast Name Resolution (LLMNR) Traffic 136
Display NetBIOS Over TCP/IP Statistics 138
Lesson 13 – Application Layer 139
Application Layer 139
Capture and Analyze Hypertext Transfer Protocol (HTTP) Traffic 144
Capture and Analyze HTTP Secure (HTTPS) Traffic 147
Capture and Analyze Simple Mail Transfer Protocol (SMTP) Traffic 150
Lesson 14 – Routing Protocols 153
Routing Protocols 153
Display the Local Routing Table 157
Modify the Local Routing Table 158
Lesson 15 – Network Monitoring 160
Network Monitoring 160
Install the SNMP Service 163
Configure the SNMP Service 164
Test the SNMP Service 165
References
Article Sources and Contributors 166
Image Sources, Licenses and Contributors 168
Article Licenses
License 169
Overview
Internet Protocol Analysis
Internet protocol analysis is an advanced computer networking topic that uses a packet analyzer to capture, view, and understand Internet protocols. This course consists of 15 lessons that use Wireshark to study and experiment with Internet protocols. Each lesson includes Wikipedia readings and hands-on learning activities.
Preparation
This is a second-semester, college-level course. Learners
should already be familiar with introductory networking
concepts.
Lessons
1. Introduction
2. Packet Analyzers
3. Link Layer
4. Address Resolution Protocol (ARP)
5. Internet Layer / IPv4
6. Subnetting
7. IPv6
8. Internet Control Message Protocol (ICMP)
9. Multicast
10. Transport Layer
11. Address Assignment
12. Name Resolution
13. Application Layer
14. Routing
15. Network Monitoring
References
• Carrell, Jeffrey L., Chappell, Laura & Tittel, Ed (2013). Guide to TCP/IP, Fourth Edition. Cengage. ISBN 9781133019862
• Chappell, Laura A. & Tittel, Ed (2007). Guide to TCP/IP, Third Edition. Course Technology. ISBN 9781418837556
• Davies, Joseph (2012). Understanding IPv6, 3rd Edition. Microsoft Press. ISBN 9780735659148
• Fall, Kevin R. & Stevens, W. Richard (2012). TCP/IP Illustrated, Volume 1: The Protocols, Second Edition. Pearson. ISBN 9780321336316
Lesson 1 – Introduction
Introduction
This lesson introduces Internet protocol analysis by looking at
background information on the Internet protocol suite, the
Request for Comments process and Internet standards, and
comparing the Internet protocol suite to the Open Systems
Interconnection (OSI) model.
Readings
1. Read Wikipedia: Internet protocol suite.
2. Read Wikipedia: Request for Comments.
3. Read Wikipedia: Internet Standard.
4. Read Wikipedia: OSI model.
Activities
1. Draw your own personal reference chart comparing the Internet protocol suite four-layer model to the OSI seven-layer model.
2. Review Internet standards regarding private networks and see if your computer is on a private network.
3. Review Wikipedia: April Fools’ Day Request for Comments for a humorous look at networking standards.
4. Consider why the OSI seven-layer model is sometimes referred to as a theoretical model while the Internet protocol suite might be referred to as an operational model.
5. Use the Discuss page to post comments and questions regarding this lesson.
6. Review the lesson summary, key terms, review questions and flashcards below.
Lesson Summary
• The Internet protocol suite is the set of communications protocols used for the Internet and similar networks. It is
a four-layer model containing Link, Internet, Transport, and Application layers.[1]
• The Internet protocol suite is maintained by the Internet Engineering Task Force (IETF).[2]
• The Link layer contains communication technologies for a local network.[3]
• The Internet layer connects local networks, thus establishing internetworking.[4]
• The Transport layer handles host-to-host communication.[5]
• The Application layer contains all protocols for specific data communications services on a process-to-process
level.[6]
• A Request for Comments (RFC) is a memorandum published by the Internet Engineering Task Force (IETF)
describing methods, behaviors, research, or innovations applicable to the working of the Internet and
Internet-connected systems.[7]
• Request for Comments are designated with a status of Informational, Experimental, Best Current Practice (BCP),
Standards Track, or Historic. Standards-track documents are further divided into Proposed Standard, Draft
Standard, and Internet Standard.[8]
• Internet Standard is a special Request for Comments (RFC) or set of RFCs which is characterized by a high
degree of technical maturity and by a generally held belief that the specified protocol or service provides
significant benefit to the Internet community.[9]
• Best Current Practice is a Request for Comments (RFC) that may include official rules, but which does not affect
over the wire data and is not on the standards track.[10]
• The Internet protocol suite protocols are deliberately not as rigidly designed into strict layers as in the OSI
model.[11]
• The Internet Link layer includes the OSI Data Link and Physical layers, as well as parts of OSI’s Network
layer.[12]
• The Internet internetworking layer (Internet layer) is a subset of the OSI Network layer.[13]
• The Internet Transport layer includes the graceful close function of the OSI Session layer as well as the OSI
Transport layer.[14]
• The Internet Application layer includes the OSI Application layer, Presentation layer, and most of the Session
layer.[15]
Key Terms
Advanced Research Projects Agency Network (ARPANET)
The world’s first operational packet switching network and the progenitor of what was to become the global
Internet.[16]
Best Current Practice
Mandatory IETF RFCs, including official rules, but which do not affect over the wire data and are not on the
standards track.[17]
best effort delivery
A network service in which the network does not provide any guarantees that data is delivered or that a user is
given a guaranteed quality of service level or a certain priority.[18]
checksum
A fixed-size datum computed from an arbitrary block of digital data for the purpose of detecting accidental
errors that may have been introduced during its transmission or storage.[19]
communications protocol
A system of digital message formats and rules for exchanging those messages in or between computing
systems and in telecommunications.[20]
Defense Advanced Research Projects Agency (DARPA)
An agency of the United States Department of Defense responsible for the development of new technologies
for use by the military.[21]
encapsulation
A method of designing modular communication protocols in which logically separate functions in the network
are abstracted from their underlying structures by inclusion or information hiding within higher level
objects.[22]
Ethernet
A family of Link layer computer networking technologies for local area networks (LANs).[23]
Internet Architecture Board (IAB)
The committee charged with oversight of the technical and engineering development of the Internet by the
Internet Society (ISOC).[24]
Internet Drafts
A series of working documents published by the IETF.[25]
Internet Engineering Task Force (IETF)
Develops and promotes Internet standards, cooperating closely with the W3C and ISO/IEC standards bodies
and dealing in particular with standards of the Internet protocol suite (TCP/IP).[26]
Internet Protocol (IP)
The principal communications protocol used for relaying datagrams (also known as network packets) across
an internetwork using the Internet Protocol Suite responsible for routing packets across network
boundaries.[27]
Internet Society (ISOC)
An international, non-profit organization founded in 1992 to provide leadership in Internet related standards,
education, and policy.[28]
Internet Standard
A normative specification of a technology or methodology applicable to the Internet.[29]
internetworking
The practice of connecting a computer network with other networks through the use of gateways that provide a
common method of routing information packets between the networks.[30]
medium
A material substance (solid, liquid, gas, or plasma) that can propagate energy waves.[31]
Open Systems Interconnection (OSI) model
A product of the Open Systems Interconnection effort at the International Organization for Standardization for
characterizing and standardizing the functions of a communications system in terms of abstraction layers.[32]
packet
A formatted unit of data carried by a computer network.[33]
packet header
Data placed at the beginning of a block of data being stored or transmitted.[34]
protocol stack
An implementation of a computer networking protocol suite.[35]
Request For Comments (RFC)
A memorandum published by the Internet Engineering Task Force (IETF) describing methods, behaviors,
research, or innovations applicable to the working of the Internet and Internet-connected systems.[36]
router
A device that forwards data packets between computer networks.[37]
Transmission Control Protocol (TCP)
A Transport layer protocol that provides reliable, ordered delivery of a stream of octets from a program on one
computer to another program on another computer.[38]
Review Questions
1. The Internet protocol suite is a _____ layer model.
The Internet protocol suite is a four-layer model.
2. The layers of the Internet protocol suite are _____.
The layers of the Internet protocol suite are Link, Internet, Transport, and Application.
3. The Internet protocol suite is maintained by _____.
The Internet protocol suite is maintained by the Internet Engineering Task Force (IETF).
4. The Internet protocol suite layer that contains communication technologies for a local network is the _____ layer.
The Internet protocol suite layer that contains communication technologies for a local network is the Link layer.
5. The Internet protocol suite layer that connects local networks to establish internetworking is the _____ layer.
The Internet protocol suite layer that connects local networks to establish internetworking is the Internet layer.
6. The Internet protocol suite layer that handles host-to-host communication is the _____ layer.
The Internet protocol suite layer that handles host-to-host communication is the Transport layer.
7. The Internet protocol suite layer that contains all protocols for specific data communications services on a
process-to-process level is the _____ layer.
The Internet protocol suite layer that contains all protocols for specific data communications services on a
process-to-process level is the Application layer.
8. A memorandum published by the Internet Engineering Task Force (IETF) describing methods, behaviors,
research, or innovations applicable to the working of the Internet and Internet-connected systems is known as a
_____.
A memorandum published by the Internet Engineering Task Force (IETF) describing methods, behaviors, research,
or innovations applicable to the working of the Internet and Internet-connected systems is known as a Request for
Comments (RFC).
9. A Request for Comments (RFC) which is characterized by a high degree of technical maturity and by a generally
held belief that the specified protocol or service provides significant benefit to the Internet community is known as
a/an _____.
A Request for Comments (RFC) which is characterized by a high degree of technical maturity and by a generally
held belief that the specified protocol or service provides significant benefit to the Internet community is known as
an Internet Standard.
10. A Request for Comments (RFC) that may include official rules, but which does not affect over the wire data and
is not on the standards track is known as a/an _____.
A Request for Comments (RFC) that may include official rules, but which does not affect over the wire data and is
not on the standards track is known as a Best Current Practice.
11. The Internet protocol suite protocols are _____ (more/less) rigidly designed into strict layers when compared to
the OSI model.
The Internet protocol suite protocols are less rigidly designed into strict layers when compared to the OSI model.
12. The Internet protocol suite layer that includes the OSI Data Link and Physical layers, as well as parts of OSI’s
Network layer is the _____ layer.
The Internet protocol suite layer that includes the OSI Data Link and Physical layers, as well as parts of OSI’s
Network layer is the Link layer.
13. The Internet protocol suite layer that is a subset of the OSI Network layer is the _____ layer.
The Internet protocol suite layer that is a subset of the OSI Network layer is the Internet layer.
14. The Internet protocol suite layer that includes the graceful close function of the OSI Session layer as well as the
OSI Transport layer is the _____ layer.
The Internet protocol suite layer that includes the graceful close function of the OSI Session layer as well as the OSI
Transport layer is the Transport layer.
15. The Internet protocol suite layer that includes the OSI Application layer, Presentation layer, and most of the
Session layer is the _____ layer.
The Internet protocol suite layer that includes the OSI Application layer, Presentation layer, and most of the Session
layer is the Application layer.
Flashcards
• Test your understanding of this lesson.
• Test your understanding of the key terms.
References
[1] Wikipedia: Internet protocol suite
[2] Wikipedia: Internet protocol suite
[3] Wikipedia: Internet protocol suite#Link layer
[4] Wikipedia: Internet protocol suite#Internet layer
[5] Wikipedia: Internet protocol suite#Transport layer
[6] Wikipedia: Internet protocol suite#Application layer
[7] Wikipedia: Request for Comments
[8] Wikipedia: Request for Comments#Status
[9] Wikipedia: Internet Standard
[10] Wikipedia: Request for Comments#Status “best current practice”
[11] Wikipedia: OSI model#Comparison with TCP/IP model
[12] Wikipedia: OSI model#Comparison with TCP/IP model
[13] Wikipedia: OSI model#Comparison with TCP/IP model
[14] Wikipedia: OSI model#Comparison with TCP/IP model
[15] Wikipedia: OSI model#Comparison with TCP/IP model
[16] Wikipedia: ARPANET
[17] Wikipedia: Request for Comments#Status “best current practice”
[18] Wikipedia: Best effort delivery
[19] Wikipedia: Checksum
[20] Wikipedia: Communications protocol
[21] Wikipedia: Darpa
[22] Wikipedia: Encapsulation (networking)
[23] Wikipedia: Ethernet
[24] Wikipedia: Internet Architecture Board
[25] Wikipedia: Internet Draft
[26] Wikipedia: IETF
[27] Wikipedia: Internet Protocol
[28] Wikipedia: Internet Society
[29] Wikipedia: Internet Standard
[30] Wikipedia: Internetworking
[31] Wikipedia: Transmission medium
[32] Wikipedia: Osi model
[33] Wikipedia: Packet (information technology)
[34] Wikipedia: Packet header
[35] Wikipedia: Protocol stack
[36] Wikipedia: Request for Comments
[37] Wikipedia: Router (computing)
[38] Wikipedia: Transmission Control Protocol
Ipconfig
ipconfig with no options displays the IP address, subnet mask and default gateway for each adapter bound to TCP/IP.
This activity will show you how to use the default ipconfig command.
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
Activity 1 – Display IP Address, Subnet Mask and Default Gateway
To display the IP address, subnet mask and default gateway for each adapter bound to TCP/IP:
1. Open a command prompt.
2. Type ipconfig.
3. Press Enter.
4. Observe available adapters and their IP settings.
5. Close the command prompt to complete this activity.
Readings
• Wikipedia: ipconfig
• Wikipedia: Internet Protocol
References
• Microsoft TechNet: Ipconfig [1]
References
[1] http://technet.microsoft.com/en-us/library/bb490921.aspx
Private Networks
Private networks are networks that use a private Internet Protocol (IP) address space, following the standards
described in Request for Comments (RFC) 1918 and 4193. These activities will review private networks, the
relevant RFCs, and then show you how to identify whether or not your network is using the private IP address space.
Activities
1. Read Wikipedia: Private network.
2. Review RFC 1918 [1] and RFC 4193 [2] and compare the detailed specifications to the Wikipedia summary.
3. Use Ipconfig to view your IP address.
4. If you have an IPv4 address, review the private IPv4 address spaces and see if your IP address is within one of the private address ranges.
5. If you have an IPv6 address, review the private IPv6 address spaces and see if your IP address is a unique local address (fc00::/7), site local address (fec0::/10), link local address (fe80::/10), or public address.
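Activities 3 to 5 carried out in code, as an added example that is not part of the original Wikiversity page: it parses a constructed ipconfig listing, extracts every IPv4 and IPv6 address, and names the RFC 1918 range or IPv6 scope each one falls in. The adapter names and addresses in the sample are constructed; on a real host you would feed it the output of ipconfig instead.

```python
"""Classify the addresses shown by ipconfig as private (RFC 1918 / RFC 4193
scopes) or public. Added example for this activity, not code from the page.
The ipconfig listing below is constructed, not captured from a real host."""
import ipaddress
import re

# Constructed sample of Windows `ipconfig` output (no options).
SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : example.invalid
   Link-local IPv6 Address . . . . . : fe80::1c3a:9f2b:7d4e:a11%12
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

Tunnel adapter Tunnel:

   IPv6 Address. . . . . . . . . . . : 2001:db8:85a3::8a2e:370:7334
   Link-local IPv6 Address . . . . . : fe80::ffff:ffff:fffd%14
   Default Gateway . . . . . . . . . : ::
"""

# Private IPv4 address blocks defined in RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The IPv6 scopes named in activity 5; unique local addresses are RFC 4193.
IPV6_SCOPES = [
    ("unique local (fc00::/7)", ipaddress.ip_network("fc00::/7")),
    ("site local (fec0::/10)", ipaddress.ip_network("fec0::/10")),
    ("link local (fe80::/10)", ipaddress.ip_network("fe80::/10")),
]

# Matches the address lines ipconfig prints, e.g.
#   "   IPv4 Address. . . . . . . . . . . : 192.168.1.23"
ADDRESS_LINE = re.compile(
    r"^\s*(IPv4 Address|IPv6 Address|Temporary IPv6 Address|Link-local IPv6 Address)"
    r"[ .]*:\s*(\S+)", re.M)

def extract_addresses(ipconfig_text):
    """Return the address strings ipconfig shows, zone index (%12) stripped."""
    return [m.group(2).split("%")[0] for m in ADDRESS_LINE.finditer(ipconfig_text)]

def classify(address):
    """Name the address space an IPv4 or IPv6 address belongs to."""
    addr = ipaddress.ip_address(address)
    if addr.version == 4:
        for net in RFC1918:
            if addr in net:
                return f"private ({net})"
        return "public"
    for label, net in IPV6_SCOPES:
        if addr in net:
            return label
    return "public"

def classify_ipconfig(ipconfig_text):
    """Map each address found in an ipconfig listing to its classification."""
    return {a: classify(a) for a in extract_addresses(ipconfig_text)}

if __name__ == "__main__":
    for address, space in classify_ipconfig(SAMPLE_IPCONFIG).items():
        print(f"{address:40} {space}")
```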
References
• Wikipedia: Private network
• RFC 1918 [1]
• RFC 4193 [2]
• Microsoft TechNet: Ipconfig [1]
References
[1] http://tools.ietf.org/html/rfc1918
[2] http://tools.ietf.org/html/rfc4193
Lesson 2 – Packet Analyzers
Packet Analyzers
This lesson concludes the introduction to Internet protocol
analysis by looking at packet analyzers in general and the
open source packet analyzer Wireshark in particular.
Activities include installing Wireshark and using it to capture
network traffic.
Readings
1. Read Wikipedia: Packet analyzer.
2. Read Wikipedia: Promiscuous mode.
3. Read Wikipedia: Port mirroring.
4. Read Wikipedia: Wireshark.
5. Read Wikipedia: pcap.
Activities
1. Install Wireshark.
2. Watch YouTube: Getting Started with Wireshark [1].
3. Review Wireshark: User’s Guide [2].
4. Use Wireshark to capture network traffic.
5. Use Wireshark to filter displayed traffic.
6. Use Wireshark to filter captured traffic.
7. Consider situations in which a packet analyzer might be used to troubleshoot network traffic.
8. Use the Discuss page to post comments and questions regarding this lesson.
9. Review the lesson summary, key terms, review questions and flashcards below.
Lesson Summary
• A packet analyzer is a computer program or a piece of computer hardware that can intercept and log traffic
passing over a digital network.[3]
• Packet analyzers can be software or hardware-based.[4]
• Network interface controllers (NICs) normally drop frames that are not broadcast or multicast, and do not have
the NIC as the destination MAC address.[5]
• Promiscuous mode is a network interface controller (NIC) mode that causes the controller to pass all traffic it
receives to the central processing unit (CPU) rather than passing only the frames that the controller is intended to
receive.[6]
• Network interface controllers (NICs) operating in promiscuous mode may or may not be detectable, depending on
firewall settings.[7]
• Port mirroring is used on a network switch to send a copy of network packets seen on one switch port (or an entire
VLAN) to a network monitoring connection on another switch port.[8]
• Wireshark is a free and open-source packet analyzer used for network troubleshooting, analysis, software and
communications protocol development, and education.[9]
• Wireshark was originally named Ethereal, but was renamed in May 2006 due to trademark issues.[10]
• Tcpdump is a command line-based packet analyzer available on most Unix-like operating systems.[11]
• As a security precaution, it is best to separate packet capture activities from packet analysis activities. Packet
capture activities must be run with special privileges, but packet analysis does not require special privileges.[12]
• Packet analyzers such as Wireshark and tcpdump depend on a packet capture library known as libpcap or
WinPcap.[13]
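An added example tying together two points of this summary, the libpcap capture format that Wireshark and tcpdump depend on and the frames a NIC normally drops; it is not code from the original page, Wireshark or tcpdump. It reads a pcap byte string with a minimal parser and reports, for a NIC with a given MAC address, which Ethernet frames would be passed up with promiscuous mode off versus on. The MAC addresses and the capture itself are constructed in the block.

```python
"""Read a libpcap-format capture and show which Ethernet frames a NIC passes
up with promiscuous mode off versus on. Added example for this lesson; not
code from the page, Wireshark or tcpdump. The capture is constructed in
build_pcap(), not taken from a real network."""
import struct

PCAP_MAGIC = 0xA1B2C3D4        # microsecond-timestamp pcap magic number
LINKTYPE_ETHERNET = 1
BROADCAST = b"\xff" * 6

def parse_pcap(data):
    """Yield (timestamp, frame) for each record in a pcap byte string.

    The magic number reveals the writer's byte order. A truncated final
    record (a capture cut short) ends iteration instead of raising."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError(f"not a pcap file (magic 0x{magic:08x})")
    _major, _minor, _zone, _sigfigs, _snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"expected Ethernet link type 1, got {linktype}")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) < incl_len:
            break                      # truncated record: stop cleanly
        offset += incl_len
        yield ts_sec + ts_usec / 1e6, frame

def parse_ethernet(frame):
    """Split an Ethernet II frame into (dst MAC, src MAC, EtherType)."""
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than an Ethernet header")
    return frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]

def mac_str(mac):
    return ":".join(f"{b:02x}" for b in mac)

def nic_accepts(dst, own_mac, promiscuous=False):
    """Normal NIC filter: own unicast MAC, broadcast, or multicast (the I/G
    bit, lowest bit of the first octet, set). Promiscuous mode takes all."""
    if promiscuous:
        return True
    return dst == own_mac or dst == BROADCAST or bool(dst[0] & 1)

def frames_seen(pcap_bytes, own_mac, promiscuous=False):
    """Return (dst MAC, EtherType, accepted) for every frame in the capture."""
    seen = []
    for _ts, frame in parse_pcap(pcap_bytes):
        dst, _src, ethertype = parse_ethernet(frame)
        seen.append((mac_str(dst), ethertype, nic_accepts(dst, own_mac, promiscuous)))
    return seen

# --- constructed sample capture ------------------------------------------
def ethernet_frame(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload

def build_pcap(frames, big_endian=False):
    """Write frames into a pcap byte string (constructed test data)."""
    endian = ">" if big_endian else "<"
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535,
                      LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack(endian + "IIII", 1362000000 + i, 0, len(frame), len(frame))
        out += frame
    return out

OWN_MAC = bytes.fromhex("001122334455")    # the capturing NIC (constructed)
OTHER_MAC = bytes.fromhex("001122334466")  # another host on the segment
PEER_MAC = bytes.fromhex("aabbccddeeff")   # sender of every sample frame
SAMPLE_FRAMES = [
    ethernet_frame(OWN_MAC, PEER_MAC, 0x0800, b"\x45" + b"\x00" * 19),      # IPv4 to us
    ethernet_frame(BROADCAST, PEER_MAC, 0x0806, b"\x00\x01\x08\x00" + b"\x00" * 24),  # ARP broadcast
    ethernet_frame(bytes.fromhex("01005e0000fb"), PEER_MAC, 0x0800, b"\x45" + b"\x00" * 19),  # IPv4 multicast
    ethernet_frame(OTHER_MAC, PEER_MAC, 0x0800, b"\x45" + b"\x00" * 19),    # unicast to another host
    ethernet_frame(bytes.fromhex("333300000001"), PEER_MAC, 0x86DD, b"\x60" + b"\x00" * 39),  # IPv6 all-nodes
]

if __name__ == "__main__":
    capture = build_pcap(SAMPLE_FRAMES)
    for promiscuous in (False, True):
        print(f"promiscuous={promiscuous}")
        for dst, ethertype, accepted in frames_seen(capture, OWN_MAC, promiscuous):
            print(f"  {dst}  type=0x{ethertype:04x}  {'pass' if accepted else 'drop'}")
```

Reading a saved capture this way needs no special privileges, which is the separation the summary recommends: only the capture step runs privileged, and the analysis can run as an ordinary user.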
Key Terms
broadcast
Transmit a message to all recipients simultaneously.[14]
broadcast domain
A logical division of a computer network in which all nodes can reach each other by broadcast at the data link
layer.[15]
collision domain
A section of a network where data packets can collide with one another when being sent on a shared medium
or through repeaters, in particular, when using early versions of Ethernet.[16]
data stream
A sequence of digitally encoded coherent signals (data packets) used to transmit or receive information.[17]
encryption
The process of encoding messages (or information) in such a way that eavesdroppers cannot read it, but that
authorized parties can.[18]
Ethereal
The original name of the Wireshark packet analyzer, renamed due to trademark issues.[19]
hub
A multiport repeater that links devices and works at the physical layer of the OSI model.[20]
Intrusion Detection System (IDS)
A device or software application that monitors network or system activities for malicious activities or policy
violations and produces reports to a management station.[21]
libpcap
A packet capture library used on Unix-like systems.[22]
multicast
Transmit a message to a group of destination computers simultaneously with a single transmission from the
source.[23]
Network Interface Controller (NIC)
A computer hardware component that connects a computer to a computer network.[24]
packet analyzer
A computer program or a piece of computer hardware that can intercept and log traffic passing over a digital
network.[25]
port mirroring
Used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a
network monitoring connection on another switch port.[26]
promiscuous mode
A network interface controller (NIC) mode that causes the controller to pass all traffic it receives to the central
processing unit (CPU) rather than passing only the frames that the controller is intended to receive.[27]
reverse engineering
The process of discovering the technological principles of a device, object, or system through analysis of its
structure, function, and operation.[28]
router
A device that forwards data packets between computer networks and works at the network layer of the OSI
model.[29]
sniffer
Another term for packet analyzer.[30]
switch
A multiport bridge that links network segments or devices and works at the data link layer of the OSI
model.[31]
tcpdump
A command line-based packet analyzer available on most Unix-like operating systems.[32]
unicast
Transmit a message to a single destination identified by a unique address.[33]
Virtual LAN (VLAN)
A concept of partitioning a physical network so that distinct broadcast domains are created.[34]
WinPcap
A packet capture library used on Windows systems.[35]
Wireshark
A free and open-source packet analyzer used for network troubleshooting, analysis, software and
communications protocol development, and education.[36]
Review Questions
1. A computer program or a piece of computer hardware that can intercept and log traffic passing over a digital
network is known as a _____.
A computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network
is known as a packet analyzer.
2. Packet analyzers can be _____ (hardware/software/both) based.
Packet analyzers can be software or hardware-based.
3. Network interface cards (NICs) normally drop frames that are not _____ or _____, and do not have the NIC as the
_____ MAC address.
Network interface cards (NICs) normally drop frames that are not broadcast or multicast, and do not have the NIC as
the destination MAC address.
4. A network interface controller (NIC) mode that causes the controller to pass all traffic it receives to the central
processing unit (CPU) rather than passing only the frames that the controller is intended to receive is known as
_____ mode.
A network interface controller (NIC) mode that causes the controller to pass all traffic it receives to the central
processing unit (CPU) rather than passing only the frames that the controller is intended to receive is known as
promiscuous mode.
5. Network interface controllers (NICs) operating in promiscuous mode may or may not be detectable, depending on
_____ settings.
Network interface controllers (NICs) operating in promiscuous mode may or may not be detectable, depending on
firewall settings.
6. The ability for a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to
a network monitoring connection on another switch port is known as _____.
The ability for a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a
network monitoring connection on another switch port is known as port mirroring.
7. An example of a free and open-source packet analyzer used for network troubleshooting, analysis, software and
communications protocol development, and education is _____.
An example of a free and open-source packet analyzer used for network troubleshooting, analysis, software and
communications protocol development, and education is Wireshark.
8. Wireshark was originally named _____, but was renamed in May 2006 due to trademark issues.
Wireshark was originally named Ethereal, but was renamed in May 2006 due to trademark issues.
9. A command line-based packet analyzer available on most Unix-like operating systems is _____.
A command line-based packet analyzer available on most Unix-like operating systems is tcpdump.
10. Packet _____ activities must be run with special privileges, but packet _____ activities do not require special
privileges.
Packet capture activities must be run with special privileges, but packet analysis activities do not require special
privileges.
11. Packet analyzers such as Wireshark and tcpdump depend on a packet capture library known as _____ or _____.
Packet analyzers such as Wireshark and tcpdump depend on a packet capture library known as libpcap or WinPcap.
Flashcards
• Test your understanding of this lesson.
• Test your understanding of the key terms.
References
[1] http://www.youtube.com/watch?v=Qlc0Wwnwxrs
[2] http://www.wireshark.org/docs/wsug_html_chunked/
[3] Wikipedia: Packet analyzer
[4] Wikipedia: Packet analyzer#Capabilities
[5] Wikipedia: Promiscuous mode
[6] Wikipedia: Promiscuous mode
[7] Wikipedia: Promiscuous mode#Detection
[8] Wikipedia: Port mirroring
[9] Wikipedia: Wireshark
[10] Wikipedia: Wireshark
[11] Wikipedia: Wireshark#Functionality
[12] Wikipedia: Wireshark#Security
[13] Wikipedia: Pcap
[14] Wikipedia: Broadcasting (computing)
[15] Wikipedia: Broadcast domain
[16] Wikipedia: Collision domain
[17] Wikipedia: Data stream
[18] Wikipedia: Encryption
[19] Wikipedia: Wireshark
[20] Wikipedia: Network hub
[21] Wikipedia: Intrusion detection system
[22] Wikipedia: Pcap
[23] Wikipedia: Multicast
[24] Wikipedia: Network interface controller
[25] Wikipedia: Packet analyzer
[26] Wikipedia: Port mirroring
[27] Wikipedia: Promiscuous mode
[28] Wikipedia: Reverse engineering
[29] Wikipedia: Router (computing)
[30] Wikipedia: Packet analyzer
[31] Wikipedia: Network switch
[32] Wikipedia: Tcpdump
[33] Wikipedia: Unicast
[34] Wikipedia: Virtual LAN
[35] Wikipedia: Pcap
[36] Wikipedia: Wireshark
Install Wireshark
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to download and install Wireshark.
Readings
• Wikipedia: Wireshark
• Wikipedia: X86
• Wikipedia: 32-bit application
• Wikipedia: 64-bit computing
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
Activity 1 – Determine System Type
To determine system type:
1. Use msinfo32 to display the system type. The system type will either be X86-based PC or X64-based PC.
X86-based PC is a 32-bit system. X64-based PC is a 64-bit system.
2. Close msinfo32.
Activity 2 – Download Wireshark
To download Wireshark:
1. Open a web browser.
2. Navigate to http://www.wireshark.org.
3. Select Download Wireshark.
4. Select the Wireshark Windows Installer matching your system type, either 32-bit or 64-bit as determined in
Activity 1. Save the program in the Downloads folder.
5. Close the web browser.
Activity 3 – Install Wireshark
To install Wireshark:
1. Open Windows Explorer.
2. Select the Downloads folder.
3. Locate the version of Wireshark you downloaded in Activity 2. Double-click on the file to open it.
4. If you see a User Account Control dialog box, select Yes to allow the program to make changes to this computer.
5. Select Next > to start the Setup Wizard.
6. Review the license agreement. If you agree, select I Agree to continue.
7. Select Next > to accept the default components.
8. Select the shortcuts you would like to have created. Leave the file extensions selected. Select Next > to continue.
9. Select Next > to accept the default install location.
10. Select Install to begin installation.
11. Select Next > to install WinPcap.
12. Select Next > to start the Setup Wizard.
13. Review the license agreement. If you agree, select I Agree to continue.
14. Select Install to begin installation.
15. Select Finish to complete the installation of WinPcap.
16. Select Next > to continue with the installation of Wireshark.
17. Select Finish to complete the installation of Wireshark.
Note: If you encounter compatibility errors, such as with installing WinPcap on Windows 8, try using Compatibility
Mode [1].
References
• Wireshark [2]
[1] http://windows.microsoft.com/en-US/windows-vista/Make-older-programs-run-in-this-version-of-Windows
[2] http://www.wireshark.org
Capture Network Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture network traffic.
Readings
1. Wireshark: User’s Guide [2]
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
Activity 1 – Capture Network Traffic
To capture network traffic:
1. Start a Wireshark capture.
2. Open a web browser and navigate to a favorite web site.
3. Stop the Wireshark capture.
4. Observe the traffic captured in the top Wireshark packet list pane.
5. Select a packet you want to analyze.
6. Observe the packet details in the middle Wireshark packet details pane.
7. Expand various protocol containers to view detailed protocol information.
8. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
• Wireshark: User’s Guide [2]
Filter Displayed Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and filter network traffic using a display filter.
Readings
1. Wireshark: Display Filters [1]
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
Activity 1 – Capture Network Traffic
To capture network traffic:
1. Start a Wireshark capture.
2. Use ping 8.8.8.8 to ping an Internet host by IP address.
3. Stop the Wireshark capture.
Activity 2 – Use a Display Filter
To use a display filter:
1. Type ip.addr == 8.8.8.8 in the Filter box and press Enter.
2. Observe that the Packet List Pane is now filtered so that only traffic to (destination) or from (source) IP address
8.8.8.8 is displayed.
3. Click Clear on the Filter toolbar to clear the display filter.
4. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
• Wireshark: User’s Guide [2]
• Admin Magazine: Wireshark [2]
[1] http://wiki.wireshark.org/DisplayFilters
[2] http://www.admin-magazine.com/Articles/Wireshark
Filter Captured Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and filter network traffic using a capture filter.
Readings
1. Wireshark: Capture Filters [1]
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
Activity 1 – Capture Network Traffic Using a Capture Filter
To capture network traffic using a capture filter:
1. Select either the Capture menu and then the Interfaces dialog box or the List the available capture interfaces
toolbar button.
2. Select Options.
3. Double-click on the interface you want to use for the capture.
4. In the Capture Filter box type host 8.8.8.8.
5. Select OK to save the changes.
6. Select Start to start a Wireshark capture.
7. Use ping 8.8.8.8 to ping an Internet host by IP address.
8. Use ping 8.8.4.4 to ping an Internet host by IP address.
9. Observe that only traffic to (destination) or from (source) IP address 8.8.8.8 is captured.
10. Stop the Wireshark capture.
11. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
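The capture filter host 8.8.8.8 from this activity and the display filter ip.addr == 8.8.8.8 from the previous one, shown side by side as an added Python example (not part of the Wikiversity activities or of Wireshark): both match a frame when the address is its IPv4 source or destination, but a capture filter drops non-matching frames before they are stored while a display filter only hides stored frames. The frames are constructed Ethernet/IPv4 headers standing in for the ping traffic; the MAC addresses and the 192.168.1.10 host are made up.

```python
import ipaddress
import struct

SRC_MAC = bytes.fromhex("001122334455")   # constructed host MAC
GW_MAC = bytes.fromhex("66778899aabb")    # constructed gateway MAC
ETHERTYPE_IPV4 = b"\x08\x00"


def build_ipv4_frame(src_ip: str, dst_ip: str) -> bytes:
    """Ethernet II header + 20-byte IPv4 header + 8-byte ICMP stub.
    The IP header checksum is left zero; address matching does not need it."""
    eth = GW_MAC + SRC_MAC + ETHERTYPE_IPV4
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,            # version 4, IHL 5 (20-byte header)
        0, 28,           # TOS, total length (20 IP + 8 ICMP)
        0x1234, 0,       # identification, flags/fragment offset
        64, 1, 0,        # TTL, protocol 1 = ICMP, checksum (unset)
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    return eth + ip + b"\x08\x00" + b"\x00" * 6   # ICMP header stub (constructed)


def ipv4_addresses(frame: bytes):
    """(source, destination) of an IPv4 frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4 or frame[14] >> 4 != 4:
        return None
    src, dst = struct.unpack("!4s4s", frame[26:34])
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))


def host_filter(host: str):
    """'host 8.8.8.8' (capture filter) and 'ip.addr == 8.8.8.8' (display filter)
    both match when the address is either the source or the destination."""
    def matches(frame: bytes) -> bool:
        addrs = ipv4_addresses(frame)
        return addrs is not None and host in addrs
    return matches


def capture(wire, capture_filter=None):
    """A capture filter runs as frames arrive: non-matching frames are never stored."""
    return [f for f in wire if capture_filter is None or capture_filter(f)]


def display(captured, display_filter=None):
    """A display filter only hides stored frames; clearing it shows them all again."""
    return [f for f in captured if display_filter is None or display_filter(f)]


# Constructed traffic standing in for "ping 8.8.8.8" and "ping 8.8.4.4".
WIRE = [
    build_ipv4_frame("192.168.1.10", "8.8.8.8"),
    build_ipv4_frame("8.8.8.8", "192.168.1.10"),
    build_ipv4_frame("192.168.1.10", "8.8.4.4"),
    build_ipv4_frame("8.8.4.4", "192.168.1.10"),
]

if __name__ == "__main__":
    matched = capture(WIRE, host_filter("8.8.8.8"))
    everything = capture(WIRE)
    print("capture filter kept", len(matched), "of", len(WIRE), "frames")
    print("display filter shows", len(display(everything, host_filter("8.8.8.8"))),
          "of", len(everything), "stored frames")
```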
References
• Wireshark: User’s Guide [2]
• Admin Magazine: Wireshark [2]
[1] http://wiki.wireshark.org/CaptureFilters
Lesson 3 – Link Layer
Link Layer
This lesson introduces the Link layer and looks at a variety of link layer frame types. Activities include identifying
MAC addresses and using Wireshark to examine Ethernet network traffic.
Readings
1. Read Wikipedia: Link layer.
2. Read Wikipedia: MAC address.
3. Read Wikipedia: Organizationally Unique Identifier.
4. Read Wikipedia: Ethernet frame.
5. Read Wikipedia: EtherType.
6. Read Wikipedia: Token Ring Frame Format.
7. Read Wikipedia: Point-to-Point Protocol (PPP) Frame.
8. Read Wikipedia: IEEE 802.11 Frames.
Activities
1. Display MAC Addresses Using Getmac.
2. Display MAC Addresses Using Ipconfig.
3. Search for a MAC Address OUI.
4. Compare Ethernet and Token Ring frame formats. Which fields are included in both formats? Which fields are
unique to one format or the other?
5. Compare Ethernet and Point-to-Point Protocol frame formats. Which fields are included in both formats? Which
fields are unique to one format or the other?
6. Review Wireshark: Ethernet [1].
7. Use Wireshark to capture and analyze Ethernet traffic.
8. Review Wireshark: WLAN Capture Setup [2].
9. If your wireless network adapter supports it, use Wireshark to capture and analyze 802.11 traffic. Are you able to
capture actual 802.11 traffic, or is it translated to Ethernet traffic before it can be captured and displayed?
10. Link layer protocols have changed significantly since the introduction of the Internet protocol suite, while the
core TCP/IP protocols have changed very little. Consider possible explanations for the many changes and
performance improvements in link layer protocols over time.
11. Consider situations in which a packet analyzer might be used to troubleshoot link layer traffic.
12. Use the Discuss page to post comments and questions regarding this lesson.
13. Review the lesson summary, key terms, review questions and flashcards below.
Lesson Summary
• The Link layer is the lowest layer in the Internet Protocol Suite. It implements the communication protocol
necessary for a host to link to its directly-connected network.[3]
• TCP/IP’s layers are descriptions of operating scopes (application, host-to-host, network, link) and not detailed
prescriptions of operating procedures, data semantics, or networking technologies.[4]
• Layering in TCP/IP is not a principal design criterion and in general is considered to be harmful.[5]
• The standard (IEEE 802) format for printing MAC-48 addresses in human-friendly form is six groups of two
hexadecimal digits, separated by hyphens (-) or colons (:), in transmission order.[6]
• The IEEE expects the MAC-48 space to be exhausted no sooner than the year 2100.[7]
• If the least significant bit of the most significant octet of an address is set to 0 (zero), the frame is meant to reach
only one receiving NIC.[8]
• If the least significant bit of the most significant address octet is set to 1, the frame will still be sent only once;
however, NICs will choose to accept it based on different criteria than a matching MAC address: for example,
based on a configurable list of multicast MAC addresses.[9]
• Packets sent to the broadcast address, all one bits or hexadecimal FF:FF:FF:FF:FF:FF, are received by all stations
on a local area network.[10]
• Packets sent to a multicast address are received by all stations on a LAN that have been configured to receive
packets sent to that address.[11]
• Although intended to be a permanent and globally unique identification, it is possible to change the MAC address
on most modern hardware.[12]
• An Organizationally Unique Identifier (OUI) is a 24-bit number purchased from the Institute of Electrical and
Electronics Engineers, Incorporated (IEEE) Registration Authority and uniquely identifies the vendor or
manufacturer of a network adapter.[13]
• An Ethernet frame includes destination and source MAC addresses, Ethertype, data, and a frame check
sequence.[14]
• Ethertype is a two-octet field used to indicate which protocol is encapsulated in the payload of an Ethernet
Frame.[15]
• A Token Ring frame includes access control, frame control, destination and source MAC addresses, data, and a
frame check sequence.[16]
• A Point-to-Point Protocol (PPP) frame includes protocol and data information.[17]
• An IEEE 802.11 frame includes frame control, destination and source MAC addresses, data, and a frame check
sequence.[18]
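An added Python example (not the page's or Wireshark's own code) that applies the link layer rules from the lesson summary above, and the OUI extraction used in the Search for a MAC Address OUI activity, to a constructed Ethernet frame: IEEE 802 MAC notation, the I/G bit, the broadcast address, the OUI, the two-octet Ethertype and the frame check sequence. The MAC addresses are made up, and the FCS is assumed to be stored least-significant octet first, as captured frames carry it.

```python
import struct
import zlib

BROADCAST = b"\xff" * 6
MIN_PAYLOAD = 46            # minimum Ethernet payload; shorter data is zero-padded
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def format_mac(mac: bytes, sep: str = ":") -> str:
    """IEEE 802 printed form: groups of two hex digits in transmission order."""
    return sep.join(f"{b:02x}" for b in mac)


def mac_kind(mac: bytes) -> str:
    """Classify by the I/G bit (least significant bit of the most significant
    octet): 0 = one receiving NIC, 1 = group address; all ones = broadcast."""
    if mac == BROADCAST:
        return "broadcast"
    return "multicast" if mac[0] & 0x01 else "unicast"


def oui(mac: bytes) -> str:
    """First three octets, upper-case and hyphenated as in the IEEE public listing."""
    return format_mac(mac[:3], "-").upper()


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble dst | src | Ethertype | data (padded) | FCS.
    FCS = CRC-32 over everything before it (assumed little-endian on the wire)."""
    body = struct.pack("!6s6sH", dst, src, ethertype) + payload.ljust(MIN_PAYLOAD, b"\x00")
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_ethernet(frame: bytes) -> dict:
    """Split an Ethernet II frame (with FCS) into its fields and verify the FCS."""
    if len(frame) < 14 + 4:
        raise ValueError("frame shorter than header plus FCS")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype < 0x0600:
        # Values below 0x0600 are an IEEE 802.3 length field, not an Ethertype.
        raise ValueError("802.3 length field, not an Ethernet II frame")
    payload = frame[14:-4]
    sent_fcs = struct.unpack("<I", frame[-4:])[0]
    return {
        "dst": format_mac(dst), "dst_kind": mac_kind(dst),
        "src": format_mac(src), "src_kind": mac_kind(src),
        "src_oui": oui(src),
        "ethertype": ethertype,
        "protocol": ETHERTYPES.get(ethertype, "unknown"),
        "payload_len": len(payload),
        "fcs_ok": (zlib.crc32(frame[:-4]) & 0xFFFFFFFF) == sent_fcs,
    }


# Constructed ARP request: broadcast destination, made-up unicast source.
SAMPLE_SRC = bytes.fromhex("001122334455")
SAMPLE_FRAME = build_frame(BROADCAST, SAMPLE_SRC, 0x0806,
                           bytes.fromhex("0001080006040001") + SAMPLE_SRC)

if __name__ == "__main__":
    for key, value in parse_ethernet(SAMPLE_FRAME).items():
        print(f"{key:>12}: {value}")
```

Flipping any payload byte makes fcs_ok false, which is what Wireshark reports as a bad FCS when the capture includes the trailer.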
Key Terms
802.3
A set of IEEE standards for implementing wired Ethernet.[19]
802.5
A set of IEEE standards for implementing Token Ring.[20]
802.11
A set of IEEE standards for implementing wireless local area network (WLAN) communication.[21]
Carrier Sense Multiple Access with Collision Detection (CSMA/CD)
A Media Access Control (MAC) method in which a carrier sensing scheme is used, and a transmitting data
station that detects another signal while transmitting a frame stops transmitting that frame, transmits a jam
signal, and then waits for a random time interval before trying to resend the frame.[22]
data transmission
The physical transfer of data (a digital bit stream) over a point-to-point or point-to-multipoint communication
channel.[23]
Ethernet
A family of computer networking technologies for local area networks (LANs) that was commercially
introduced in 1980 and standardized in 1985 as IEEE 802.3.[24]
Institute of Electrical and Electronics Engineers (IEEE)
A professional association headquartered in New York City that is dedicated to advancing technological
innovation and excellence.[25]
Local Area Network (LAN)
A computer network that interconnects computers in a limited area such as a home, school, computer
laboratory, or office building using network media.[26]
MAC spoofing
A technique for changing a factory-assigned Media Access Control (MAC) address of a network interface on a
networked device.[27]
network segment
A portion of a computer network, sometimes used as a synonym for collision domain.[28]
node
A connection point, either a redistribution point or a communication endpoint.[29]
Organizationally Unique Identifier (OUI)
A 24-bit number purchased from the Institute of Electrical and Electronics Engineers, Incorporated (IEEE)
Registration Authority and uniquely identifies the vendor or manufacturer of a network adapter.[30]
Point-to-Point Protocol (PPP)
A data link protocol commonly used in establishing a direct connection between two networking nodes in a
Wide Area Network (WAN) environment.[31]
Token Ring
A data link protocol that uses a ring topology and was standardized as IEEE 802.5.[32]
unique identifier (UID)
Any identifier which is guaranteed to be unique among all identifiers used for a given set of objects and for a
specific purpose.[33]
Wide Area Network (WAN)
A network that covers a broad area (i.e., any telecommunications network that links across metropolitan,
regional, or national boundaries) using private or public network transports.[34]
Review Questions
1. The Link layer is the _____ layer in the Internet Protocol Suite. It implements the communication protocol
necessary for a host to link to _____.
The Link layer is the lowest layer in the Internet Protocol Suite. It implements the communication protocol necessary
for a host to link to its directly-connected network.
2. TCP/IP’s layers are descriptions of operating scopes (application, host-to-host, network, link) and _____ detailed
prescriptions of operating procedures, data semantics, or networking technologies.
TCP/IP’s layers are descriptions of operating scopes (application, host-to-host, network, link) and not detailed
prescriptions of operating procedures, data semantics, or networking technologies.
3. Layering in TCP/IP is not a principal design criterion and in general is considered to be _____.
Layering in TCP/IP is not a principal design criterion and in general is considered to be harmful.
4. The standard (IEEE 802) format for printing MAC-48 addresses in human-friendly form is _____ groups of two
hexadecimal digits, separated by hyphens (-) or colons (:), in transmission order.
The standard (IEEE 802) format for printing MAC-48 addresses in human-friendly form is six groups of two
hexadecimal digits, separated by hyphens (-) or colons (:), in transmission order.
5. The IEEE expects the MAC-48 space to be exhausted no sooner than the year _____.
The IEEE expects the MAC-48 space to be exhausted no sooner than the year 2100.
6. If the least significant bit of the most significant octet of an address is set to 0 (zero), the frame is meant to reach
_____.
If the least significant bit of the most significant octet of an address is set to 0 (zero), the frame is meant to reach
only one receiving NIC.
7. If the least significant bit of the most significant address octet is set to 1, the frame will still be sent only once;
however, NICs will choose to accept it based on different criteria than a matching MAC address: for example, based
on _____.
If the least significant bit of the most significant address octet is set to 1, the frame will still be sent only once;
however, NICs will choose to accept it based on different criteria than a matching MAC address: for example, based
on a configurable list of multicast MAC addresses.
8. Packets sent to the broadcast address, _____, are received by all stations on a local area network.
Packets sent to the broadcast address, all one bits or hexadecimal FF:FF:FF:FF:FF:FF, are received by all stations on
a local area network.
9. Packets sent to a multicast address are received by all stations on a LAN that _____.
Packets sent to a multicast address are received by all stations on a LAN that have been configured to receive
packets sent to that address.
10. Although intended to be a permanent and globally unique identification, it is possible to _____ the MAC address
on most modern hardware.
Although intended to be a permanent and globally unique identification, it is possible to change the MAC address on
most modern hardware.
11. An Organizationally Unique Identifier (OUI) is a 24-bit number purchased from the Institute of Electrical and
Electronics Engineers, Incorporated (IEEE) Registration Authority and uniquely identifies _____.
An Organizationally Unique Identifier (OUI) is a 24-bit number purchased from the Institute of Electrical and
Electronics Engineers, Incorporated (IEEE) Registration Authority and uniquely identifies the vendor or
manufacturer of a network adapter.
12. An Ethernet frame includes _____.
An Ethernet frame includes destination and source MAC addresses, Ethertype, data, and a frame check sequence.
13. Ethertype is a two-octet field used to indicate _____.
Ethertype is a two-octet field used to indicate which protocol is encapsulated in the payload of an Ethernet Frame.
14. A Token Ring frame includes _____.
A Token Ring frame includes access control, frame control, destination and source MAC addresses, data, and a
frame check sequence.
15. A Point-to-Point Protocol (PPP) frame includes _____.
A Point-to-Point Protocol (PPP) frame includes protocol and data information.
16. An IEEE 802.11 frame includes _____.
An IEEE 802.11 frame includes frame control, destination and source MAC addresses, data, and a frame check
sequence.
Flashcards
• Test your understanding of this lesson.
• Test your understanding of the key terms.
References
[1] http://wiki.wireshark.org/Ethernet
[2] http://wiki.wireshark.org/CaptureSetup/WLAN
[3] RFC 1122 – Requirements for Internet Hosts — Communication Layers
[4] Wikipedia: Link layer
[5] Wikipedia: Link layer#Relation to OSI model
[6] Wikipedia: MAC address#Notational conventions
[7] Wikipedia: MAC address#Address details
[8] Wikipedia: MAC address#Address details
[9] Wikipedia: MAC address#Address details
[10] Wikipedia: MAC address#Address details
[11] Wikipedia: MAC address#Address details
[12] Wikipedia: MAC address#Usage in Hosts
[13] Wikipedia: Organizationally Unique Identifier
[14] Wikipedia: Ethernet frame
[15] Wikipedia: Ethertype
[16] Wikipedia: Token ring#Token ring frame format
[17] Wikipedia: Point-to-Point Protocol#PPP frame
[18] Wikipedia: IEEE 802.11#Frames
[19] Wikipedia: 802.3
[20] Wikipedia: Token ring
[21] Wikipedia: IEEE 802.11
[22] Wikipedia: Carrier sense multiple access with collision detection
[23] Wikipedia: Data transmission
[24] Wikipedia: Ethernet
[25] Wikipedia: Institute of Electrical and Electronics Engineers
[26] Wikipedia: Local area network
[27] Wikipedia: MAC spoofing
[28] Wikipedia: Network segment
[29] Wikipedia: Node (networking)
[30] Wikipedia: Organizationally Unique Identifier
[31] Wikipedia: Point-to-Point Protocol
[32] Wikipedia: Token ring
[33] Wikipedia: Unique identifier
[34] Wikipedia: Wide area network
Display MAC Addresses Using Getmac
Getmac is a Windows command used to display the Media Access Control (MAC) addresses for each network
adapter in the computer. These activities will show you how to use the getmac command to display MAC addresses.
Readings
• Wikipedia: Media Access Control (MAC) Address
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
Activity 1 – Display MAC Addresses Using Getmac
To display MAC addresses using getmac:
1. Open a command prompt.
2. Type getmac and press Enter.
3. Observe the results. You should see a list of physical addresses and transport names in use on the computer.
4. Close the command prompt to complete this activity.
References
• Microsoft TechNet: Getmac [1]
[1] http://technet.microsoft.com/en-us/library/bb490913.aspx
Display MAC Addresses Using Ipconfig
ipconfig /all displays all configuration information for each adapter bound to TCP/IP. This activity will show you
how to use ipconfig /all.
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
Activity 1 – Display All IP Configuration Information
To display all configuration information for each adapter bound to TCP/IP:
1. Open a command prompt.
2. Type ipconfig /all.
Note: While the space between ipconfig and /all isn’t required, it’s a good idea to get into the habit of including a
space between a command and any specified options for other commands that do require the space.
3. Press Enter.
4. Observe available adapters and their detailed IP settings.
5. Close the command prompt to complete this activity.
Readings
• Wikipedia: ipconfig
• Wikipedia: Internet Protocol
References
• Microsoft TechNet: Ipconfig [1]
References
[1] http://technet.microsoft.com/en-us/library/bb490921.aspx
Search for a MAC Address OUI
A Media Access Control address (MAC address) is a unique identifier assigned to network interfaces for
communications on the physical network segment. The Organizationally Unique Identifier (OUI) is a 24-bit number
that is purchased from the Institute of Electrical and Electronics Engineers, Incorporated (IEEE) Registration
Authority and uniquely identifies the vendor or manufacturer of the network adapter.
Readings
• Wikipedia: Media Access Control (MAC) Address
• Wikipedia: Organizationally Unique Identifier (OUI)
Activity 1 – Search for a MAC Address OUI
To search for a MAC address OUI:
1. Use getmac or ipconfig to find the MAC address of your network adapter.
2. Using an Internet browser, navigate to the IEEE Standards Association Public OUI Listing [1] and search for the
first three octets (first six hexadecimal digits) of the MAC address you found above to identify the manufacturer /
registrar of your network adapter.
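The steps above can be scripted. The following Python is an added example, not part of the original page: it normalises a MAC address written in any of the common spellings, splits off the OUI, decodes the two flag bits of the first octet (group/multicast and locally administered), looks the OUI up in a small subset of the IEEE registry embedded in the script, and pulls every MAC out of getmac output. The getmac sample and the registry subset are constructed for the example; the live IEEE listing linked above is the authority. A locally administered address (second-lowest bit of the first octet set) was never issued from the registry, so an OUI lookup on it says nothing about the vendor; that is the usual mark of a randomised or spoofed MAC.

```python
import re

# Constructed subset of the IEEE OUI registry so the example runs offline;
# for any other prefix use the IEEE public listing linked on this page.
SAMPLE_OUI_REGISTRY = {
    "00:50:56": "VMware, Inc.",
    "08:00:27": "PCS Systemtechnik GmbH (VirtualBox)",
}

# Constructed getmac output in the layout Windows prints (the GUID is made up).
SAMPLE_GETMAC_OUTPUT = """\
Physical Address    Transport Name
=================== ==========================================================
00-50-56-AB-CD-EF   \\Device\\Tcpip_{1B2C3D4E-0000-4000-8000-000000000001}
02-00-5E-00-53-01   Media disconnected
"""

# MAC as Windows prints it: six hex pairs separated by hyphens.
WINDOWS_MAC = re.compile(r"\b[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}\b")


def normalize_mac(text):
    """Accept 00-11-22-33-44-55, 00:11:22:33:44:55 or 0011.2233.4455 and
    return the colon-separated lower-case form."""
    digits = re.sub(r"[-:.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def describe_mac(text):
    """Split a MAC into its OUI and the two flag bits of the first octet.

    Bit 0 (I/G): 1 means a group address (multicast, or broadcast when every
    bit is set).  Bit 1 (U/L): 1 means locally administered, i.e. the first
    three octets were chosen by software rather than assigned by the IEEE,
    so no vendor lookup applies; randomised and spoofed addresses are
    normally of this kind.
    """
    mac = normalize_mac(text)
    first_octet = int(mac[:2], 16)
    local = bool(first_octet & 0x02)
    oui = mac[:8]
    return {
        "mac": mac,
        "oui": oui,
        "multicast": bool(first_octet & 0x01),
        "broadcast": mac == "ff:ff:ff:ff:ff:ff",
        "locally_administered": local,
        "vendor": None if local else SAMPLE_OUI_REGISTRY.get(oui),
    }


def macs_from_command_output(text):
    """Describe every Windows-style MAC found in getmac or ipconfig /all output."""
    return [describe_mac(m) for m in WINDOWS_MAC.findall(text)]


if __name__ == "__main__":
    for info in macs_from_command_output(SAMPLE_GETMAC_OUTPUT):
        print(info)
```

To run it against a real machine, pipe `getmac` or `ipconfig /all` into a file and pass that text to macs_from_command_output; the regex picks the addresses out of either layout.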
References
• Wikipedia: Media Access Control (MAC) Address
• Wikipedia: Organizationally Unique Identifier (OUI)
• IEEE Standards Association Public OUI Listing [1]
References
[1] http://standards.ieee.org/develop/regauth/oui/public.html
Capture and Analyze Ethernet Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and analyze Ethernet traffic.
Readings
• Wikipedia: Ethernet
• Wikipedia: Media Access Control (MAC) Address
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
Activity 1 – Capture Ethernet Traffic
To capture Ethernet traffic:
1. Start a Wireshark capture.
2. Use ipconfig to display the default gateway address. Note the Default Gateway displayed.
3. Use ping to ping the default gateway address noted in the previous step.
4. Stop the Wireshark capture.
Activity 2 – Analyze Ethernet Traffic
To analyze Ethernet traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. All of the traffic you see is likely to be
Ethernet traffic. If you want to specifically identify the traffic generated from the ping command above, look for
traffic with ICMP listed as the protocol and Echo (ping) request or Echo (ping) reply in the description.
2. Select a packet you want to analyze.
3. Observe the packet details in the middle Wireshark packet details pane.
4. Select Frame. Notice when you select the frame that the entire frame is highlighted in the bottom packet bytes
pane.
5. Expand Frame to view frame details.
6. Expand Ethernet II to view Ethernet details. Notice the Destination, Source, and Type fields.
7. Select the Destination field. Notice when you select the Destination field that the first six bytes of the frame are
highlighted in the bottom packet bytes pane. This is the destination MAC address for the Ethernet frame.
8. Select the Source field. Notice when you select the Source field that the second six bytes of the frame are
highlighted in the bottom packet bytes pane. This is the source MAC address for the Ethernet frame.
9. Select the Type field. Notice when you select the Type field that the 13th and 14th bytes of the frame are
highlighted in the bottom packet bytes pane. This is the type of packet encapsulated inside the Ethernet frame.
10. Select additional Ethernet frames in the top packet list pane and observe frame details in these packets.
Activity 3 – Confirm MAC Addresses in Ethernet Traffic
To confirm MAC addresses in Ethernet traffic:
1. Use ipconfig /all or Getmac to display your computer’s Physical Address.
2. Compare your computer’s physical address to the Source and Destination fields in the captured traffic. Identify
which frames were sent by your computer and which frames were received by your computer.
3. Use arp -a to view the ARP cache.
4. Locate the default gateway IP address used in the ping command above and note the Physical Address of the
default gateway.
5. Compare your default gateway’s physical address to the Source and Destination fields in the captured traffic.
Identify which frames were sent by the default gateway and which frames were sent to the default gateway.
6. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
• Wireshark: User’s Guide [2]
• Wireshark: Ethernet [1]
References
[1] http://wiki.wireshark.org/Ethernet
[2] http://www.wireshark.org/docs/wsug_html_chunked/
Lesson 4 – Address Resolution Protocol (ARP)
Address Resolution Protocol (ARP)
This lesson continues the Link layer and looks at the Address Resolution Protocol (ARP). Activities include viewing
and modifying the ARP cache and using Wireshark to examine ARP network traffic.
Readings
1. Read Wikipedia: Address Resolution Protocol.
2. Read Wikipedia: Broadcast address.
Activities
1. View the ARP Cache.
2. Modify the ARP Cache.
3. Review Wireshark: Address Resolution Protocol (ARP) [1].
4. Use Wireshark to capture and analyze Address Resolution Protocol (ARP) traffic.
5. Consider situations in which a packet analyzer might be used to troubleshoot ARP traffic.
6. Use the Discuss page to post comments and questions regarding this lesson.
7. Review the lesson summary, key terms, review questions and flashcards below.
Lesson Summary
• Address Resolution Protocol (ARP) is a telecommunications protocol used for resolution of network (Internet)
layer addresses into link layer addresses.[2]
• ARP is the name of the program for manipulating Address Resolution Protocol caches in most operating
systems.[3]
• In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP is provided by the Neighbor Discovery
Protocol (NDP).[4]
• ARP is a request and reply protocol that runs encapsulated by the line protocol.[5]
• ARP is an Internet Protocol Suite Link layer protocol.[6]
• ARP packets include the sender hardware address, the sender protocol address, the target hardware address, and
the target protocol address.[7] The hardware address is typically the MAC address and the protocol address is
typically the IP address.
• The ARP cache is a memory-cached table of IP addresses and corresponding hardware addresses.[8]
• An ARP probe is an ARP request for one’s own IP address, sent just before a network interface begins to use that
address. This is done to ensure that the IP address is not already in use on the network.[9]
• A gratuitous ARP request (ARP announcement) is similar to an ARP probe in that an ARP request for one’s own IP
address is sent just before a network interface begins to use the address. The difference is that an ARP probe
involves conflict detection, while a gratuitous ARP request is simply an announcement of intent to use the given
address. The two are told apart by the sender IP address: a probe carries a sender IP address of all zeros, so it
does not update other hosts’ caches, while an announcement carries the announcing host’s address as both the sender
and the target IP address.[10]
• ARP mediation supports the transparent use of ARP requests across a circuit-based virtual private wire service
(circuit-based VPN).[11]
• Inverse ARP is used to resolve link layer addresses into network (Internet) layer addresses.[12]
• Reverse ARP is similar to Inverse ARP in that it was used to resolve a link layer address into a network layer
address. The difference is that Reverse ARP was used to resolve one’s own link layer address rather than another
node’s. Reverse ARP has been replaced by the Bootstrap Protocol (BOOTP) and the Dynamic Host Configuration
Protocol (DHCP).[13]
• Proxy ARP is a technique by which a device on a given network answers the ARP queries for a network address
that is not on that network.[14]
• ARP spoofing is a technique whereby an attacker sends fake Address Resolution Protocol (ARP) messages onto a
Local Area Network to associate the attacker’s MAC address with the IP address of another host.[15] The target is
typically the default gateway, so that frames meant for it are delivered to the attacker, who can then relay, alter
or drop the traffic (a man-in-the-middle or denial-of-service attack). ARP has no authentication, so any host on the
segment can send such messages.
• The IPv4 limited broadcast address is 255.255.255.255; each subnet also has a directed broadcast address, the
highest address in that subnet.[16]
• IPv6 does not define broadcast addresses. IPv6 uses multicast addressing.[17]
• The Ethernet broadcast address is FF:FF:FF:FF:FF:FF.[18]
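The following Python is an added example, not part of the original lesson, that applies the summary above to a list of ARP messages: it classifies each message as a request, reply, probe or announcement using the sender and target address rules from RFC 5227, keeps the IP-to-MAC bindings the messages claim, and reports two things a packet analyzer user would want flagged: a reply nobody asked for, and an IP address whose MAC changes. The input format assumed is the tab-separated output of tshark with the field names arp.opcode, arp.src.hw_mac, arp.src.proto_ipv4, arp.dst.hw_mac and arp.dst.proto_ipv4; the sample capture is constructed, and its last line is an unsolicited reply that rebinds the gateway address to a new MAC, which is the pattern ARP spoofing produces.

```python
from dataclasses import dataclass

# Constructed capture in the layout of
#   tshark -Y arp -T fields -e frame.time_relative -e arp.opcode -e arp.src.hw_mac
#          -e arp.src.proto_ipv4 -e arp.dst.hw_mac -e arp.dst.proto_ipv4
# (tab separated). All addresses are made up.
SAMPLE_ARP_FIELDS = (
    "0.000000\t1\t00:50:56:aa:00:10\t192.168.1.10\t00:00:00:00:00:00\t192.168.1.1\n"
    "0.000420\t2\t00:50:56:aa:00:01\t192.168.1.1\t00:50:56:aa:00:10\t192.168.1.10\n"
    "1.500000\t1\t00:50:56:aa:00:20\t0.0.0.0\t00:00:00:00:00:00\t192.168.1.20\n"
    "2.500000\t1\t00:50:56:aa:00:20\t192.168.1.20\t00:00:00:00:00:00\t192.168.1.20\n"
    "9.000000\t2\t00:50:56:aa:00:99\t192.168.1.1\t00:50:56:aa:00:10\t192.168.1.10\n"
)


@dataclass
class ArpMessage:
    time: float
    opcode: int  # 1 = request, 2 = reply
    sha: str     # sender hardware (MAC) address
    spa: str     # sender protocol (IP) address
    tha: str     # target hardware address
    tpa: str     # target protocol address


def parse_tshark_fields(text):
    messages = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, opcode, sha, spa, tha, tpa = line.split("\t")
        messages.append(ArpMessage(float(time), int(opcode), sha.lower(), spa, tha.lower(), tpa))
    return messages


def classify(msg):
    """Apply the RFC 5227 address rules summarised in the lesson."""
    if msg.opcode == 1:
        if msg.spa == "0.0.0.0":
            return "probe"          # asks whether tpa is in use and claims nothing
        if msg.spa == msg.tpa:
            return "announcement"   # gratuitous request: "I now own this address"
        return "request"
    if msg.opcode == 2:
        return "gratuitous reply" if msg.spa == msg.tpa else "reply"
    return f"opcode {msg.opcode}"


def audit(messages):
    """Track claimed IP-to-MAC bindings and flag what a poisoning tool produces.

    Returns (bindings, events); an event is (time, kind, ip, detail).  A changed
    binding can also be legitimate (DHCP lease moved, NIC replaced, router
    failover), so treat it as a lead to confirm, not as proof.
    """
    bindings = {}
    outstanding = set()   # IPs somebody asked about that nobody has answered yet
    events = []
    for msg in messages:
        kind = classify(msg)
        if kind == "request":
            outstanding.add(msg.tpa)
        elif kind == "reply":
            if msg.spa in outstanding:
                outstanding.discard(msg.spa)
            else:
                events.append((msg.time, "unsolicited reply", msg.spa, msg.sha))
        if msg.spa != "0.0.0.0":   # every message except a probe asserts spa -> sha
            previous = bindings.get(msg.spa)
            if previous is not None and previous != msg.sha:
                events.append((msg.time, "binding changed", msg.spa, f"{previous} -> {msg.sha}"))
            bindings[msg.spa] = msg.sha
    return bindings, events


if __name__ == "__main__":
    msgs = parse_tshark_fields(SAMPLE_ARP_FIELDS)
    for m in msgs:
        print(f"{m.time:9.6f} {classify(m):16} {m.spa} is-at {m.sha} (target {m.tpa})")
    for event in audit(msgs)[1]:
        print("ALERT", event)
```

The request/reply pairing is deliberately loose: it only asks whether anyone requested the address a reply speaks for, which is enough to catch the stream of unsolicited replies a poisoning tool sends, while a single forged reply timed to follow a real request would still pass and show up only as a binding change.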
Key Terms
Asynchronous Transfer Mode (ATM)
A telecommunications protocol defined by ANSI and ITU standards to carry voice, data, and video using
asynchronous time-division multiplexing and small, fixed-sized cells.[19]
Customer Edge (CE)
The router at the customer premises that is connected to the provider edge of a service provider network.[20]
denial-of-service attack (DoS attack)
An attempt to make a machine or network resource unavailable to its intended users.[21]
Fiber Distributed Data Interface (FDDI)
Provides a 100 Mbit/s optical standard for data transmission in a local area network that can extend in range up
to 200 kilometers (120 mi).[22]
Frame Relay
A standardized wide area network technology that specifies the physical and logical link layers of digital
telecommunications channels using a packet switching methodology. Originally designed for transport across
Integrated Services Digital Network (ISDN) infrastructure, it is less expensive than leased lines.[23]
man-in-the-middle attack
A form of active eavesdropping in which the attacker makes independent connections with the victims and
relays messages between them.[24]
Provider Edge (PE)
A router between one network service provider’s area and areas administered by other network providers.[25]
telecommunication
The science and practice of transmitting information by electromagnetic means.[26]
Virtual Private Wire Service (VPWS)
A circuit-based Virtual Private Network (VPN).[27]
X.25
An ITU-T standard protocol suite for packet switched wide area network (WAN) communication using leased
lines, plain old telephone service connections or ISDN connections as physical links.[28]
Review Questions
1. Address Resolution Protocol (ARP) is a telecommunications protocol used for _____.
Address Resolution Protocol (ARP) is a telecommunications protocol used for resolution of network (Internet) layer
addresses into link layer addresses.
2. ARP is the name of the program for manipulating Address Resolution Protocol _____ in most operating systems.
ARP is the name of the program for manipulating Address Resolution Protocol caches in most operating systems.
3. In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP is provided by _____.
In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP is provided by the Neighbor Discovery
Protocol (NDP).
4. ARP is a request and reply protocol that runs encapsulated by the _____ protocol.
ARP is a request and reply protocol that runs encapsulated by the line protocol.
5. ARP is an Internet Protocol Suite _____ layer protocol.
ARP is an Internet Protocol Suite Link layer protocol.
6. ARP packets include _____.
ARP packets include the sender hardware address, the sender protocol address, the target hardware address, and the
target protocol address.
7. The ARP cache is _____.
The ARP cache is a memory-cached table of IP addresses and corresponding hardware addresses.
8. An ARP probe is _____.
An ARP probe is an ARP request for one’s own IP address, sent just before a network interface begins to use that
address.
9. A gratuitous ARP request is _____.
A gratuitous ARP request is simply an announcement of intent to use the given address.
10. ARP mediation supports the transparent use of ARP requests across _____.
ARP mediation supports the transparent use of ARP requests across a circuit-based virtual private wire service
(circuit-based VPN).
11. Inverse ARP is used to _____.
Inverse ARP is used to resolve link layer addresses into network (Internet) layer addresses.
12. Reverse ARP is similar to Inverse ARP in that it was used to resolve a link layer address into a network layer
address. The difference is that _____.
Reverse ARP is similar to Inverse ARP in that it was used to resolve a link layer address into a network layer
address. The difference is that Reverse ARP was used to resolve one’s own link layer address rather than another
node.
13. Proxy ARP is a technique by which a device on a given network _____.
Proxy ARP is a technique by which a device on a given network answers the ARP queries for a network address that
is not on that network.
14. ARP spoofing is a technique whereby an attacker _____.
ARP spoofing is a technique whereby an attacker sends fake Address Resolution Protocol (ARP) messages onto a
Local Area Network to associate the attacker’s MAC address with the IP address of another host.
15. The IPv4 broadcast address is _____.
The IPv4 broadcast address is 255.255.255.255.
16. IPv6 does not define broadcast addresses. IPv6 uses _____ addressing.
IPv6 does not define broadcast addresses. IPv6 uses multicast addressing.
17. The Ethernet broadcast address is _____.
The Ethernet broadcast address is FF:FF:FF:FF:FF:FF.
Flashcards
• Test your understanding of this lesson.
• Test your understanding of the key terms.
References
[1] http://wiki.wireshark.org/AddressResolutionProtocol
[2] Wikipedia: Address Resolution Protocol
[3] Wikipedia: Address Resolution Protocol
[4] Wikipedia: Address Resolution Protocol
[5] Wikipedia: Address Resolution Protocol#Operating scope
[6] Wikipedia: Address Resolution Protocol#Operating scope
[7] Wikipedia: Address Resolution Protocol#Packet structure
[8] Wikipedia: Address Resolution Protocol#Example
[9] RFC 5227
[10] RFC 5227
[11] Wikipedia: Address Resolution Protocol#ARP mediation
[12] Wikipedia: Address Resolution Protocol#Inverse ARP and Reverse ARP
[13] Wikipedia: Address Resolution Protocol#Inverse ARP and Reverse ARP
[14] Wikipedia: Proxy ARP
[15] Wikipedia: ARP spoofing
[16] Wikipedia: Broadcast address#IP networking
[17] Wikipedia: Broadcast address#IP networking
[18] Wikipedia: Broadcast address#Ethernet
[19] Wikipedia: Asynchronous Transfer Mode
[20] Wikipedia: Customer edge
[21] Wikipedia: Denial-of-service
[22] Wikipedia: FDDI
[23] Wikipedia: Frame Relay
[24] Wikipedia: Man-in-the-middle
[25] Wikipedia: Provider Edge
[26] Wikipedia: Telecommunication
[27] Wikipedia: Virtual private network#Virtual private wire and private line services (VPWS and VPLS)
[28] Wikipedia: X.25
View the ARP Cache
Arp is a Windows command used to view and modify the Address Resolution Protocol (ARP) cache. These activities
will show you how to view the ARP cache.
Note: To complete this activity, you must have an administrative user account or know the username and
password of an administrator account you can enter when prompted.
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
Activity 1 – View the ARP Cache
To view the ARP cache:
1. Open a command prompt, type arp -a and press Enter.
2. Observe the ARP cache entries.
Activity 2 – Clear the ARP Cache
In order to observe the effects of Media Access Control (MAC) address resolution, start by clearing the ARP cache:
1. Open an elevated/administrator command prompt.
2. Type arp -d and press Enter.
Activity 3 – View the ARP Cache
To view the ARP cache:
1. Type arp -a and press Enter.
2. Observe the ARP cache entries. There should not be any entries in the list. If there are, a background process on
your computer has contacted a network host or router since the cache was cleared.
Activity 4 – Ping the Default Gateway
To dynamically add an entry to the ARP cache, ping the default gateway:
1. Use ipconfig to display the default gateway address. Note the Default Gateway displayed.
2. Use ping to ping the default gateway address noted in the previous step.
3. Observe the results. You should see replies indicating success.
Activity 5 – View the ARP Cache
To view the ARP cache:
1. Type arp -a and press Enter.
2. Observe the ARP cache entries. There should be an entry for the default gateway showing its Internet (IP) address
and physical (MAC) address. There may be other entries, depending on what background process on your
computer has contacted a network host.
3. Close the command prompt to complete this activity.
Readings
• Wikipedia: Address Resolution Protocol (ARP)
• Wikipedia: IP Address
• Wikipedia: Media Access Control (MAC) Address
References
• Microsoft TechNet: Arp [1]
References
[1] http://technet.microsoft.com/en-us/library/cc754761(v=ws.10).aspx
Modify the ARP Cache
Arp is a Windows command used to view and modify the Address Resolution Protocol (ARP) cache. These activities
will show you how to modify the ARP cache.
Note: To complete this activity, you must have an administrative user account or know the username and
password of an administrator account you can enter when prompted.
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
Activity 1 – Clear the ARP Cache
In order to limit the amount of information displayed, start by clearing the ARP cache:
1. Open an elevated/administrator command prompt.
2. Type arp -d and press Enter.
Activity 2 – View the ARP Cache
To view the ARP cache:
1. Type arp -a and press Enter.
2. Observe the ARP cache entries. There should not be any entries in the list. If there are, either a network host has
contacted your computer, or a background process on your computer has contacted a network host or router since
the cache was cleared.
Activity 3 – Ping the Default Gateway
To dynamically add an entry to the ARP cache, ping the default gateway:
1. Use ipconfig to display the default gateway address. Note the Default Gateway displayed.
2. Use ping to ping the default gateway address noted in the previous step.
3. Observe the results. You should see replies indicating success.
Activity 4 – View the ARP Cache
To view the ARP cache:
1. Type arp -a and press Enter.
2. Observe the ARP cache entries. There should be an entry for the default gateway showing its Internet (IP) address
and physical (MAC) address. There may be other entries, depending on what other network hosts have contacted
your computer, or what background process on your computer has contacted a network host.
Activity 5 – Modify the ARP Cache
Note: You will lose Internet access with this next step and will restore it again in Activity 8.
Method 1 – Windows XP and Earlier
Modify the ARP cache entry for the default gateway by replacing it with an invalid MAC static address:
1. Type arp -s followed by the default gateway address listed in Activity 3 and an invalid MAC address, then press
Enter. For example, if the default gateway is 192.168.1.1, you would type arp -s 192.168.1.1 00-11-22-33-44-55.
Method 2 – Windows 7 and Later
Determine your network adapter interface name and modify the ARP cache entry for the default gateway by
replacing it with an invalid MAC static address:
1. Type netsh interface ipv4 show config and press Enter.
2. Locate the interface with the default gateway listed in Activity 3. The interface name is typically “Local Area
Connection” or “Wireless Network Connection”.
3. Type netsh interface ipv4 add neighbors “<interface name>” <default gateway> 00-11-22-33-44-55 and press
Enter, where <interface name> is the interface name found in the previous step and <default gateway> is the
address of the default gateway listed in Activity 3. For example, if the interface name is “Local Area
Connection” and the default gateway is 192.168.1.1, you would type netsh interface ipv4 add neighbors “Local
Area Connection” 192.168.1.1 00-11-22-33-44-55.
Activity 6 – View the ARP Cache
To view the ARP cache:
1. Type arp -a and press Enter.
2. Observe the ARP cache entries. Notice that the default gateway now has the type static and has an invalid MAC
address.
Activity 7 – Ping the Default Gateway
To test the ARP cache entry, attempt to ping the default gateway:
1. Use ping to ping the default gateway address listed in Activity 3.
2. Observe the results. You should see “Request timed out.”, indicating the default gateway cannot be reached: the
echo requests are now framed to a MAC address that no device on the segment owns, so the gateway never sees them.
Activity 8 – Reset the ARP Cache
Method 1 – Windows XP and Earlier
To reset the ARP cache:
1. Type arp -d and press Enter.
2. Type arp -a and press Enter to confirm that the static entry has been cleared.
Method 2 – Windows 7 and Later
To reset the ARP cache:
1. Type netsh interface ipv4 delete neighbors and press Enter.
2. Type netsh interface ipv4 show neighbors and press Enter to confirm that the static entry has been cleared.
Activity 9 – Ping the Default Gateway
Ping the default gateway to verify network connectivity to the default gateway:
1. Use ping to ping the default gateway address listed in Activity 3.
2. Observe the results. You should see replies indicating success.
Activity 10 – View the ARP Cache
To view the ARP cache:
1. Type arp -a and press Enter.
2. Observe the ARP cache entries. Notice that the default gateway now has the type dynamic and its valid MAC
address.
3. Close the command prompt to complete this activity.
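The state the activities above leave the cache in can be checked by a script instead of by eye. The following Python is an added example, not part of the original page: it parses the text that arp -a prints on Windows into a table keyed by interface, returns the MAC and type (static or dynamic) recorded for a given address such as the default gateway, and flags one unicast MAC mapped to several IP addresses on the same interface, which is what a poisoned cache looks like when an attacker's adapter answers for the gateway as well as for itself. The three arp -a samples are constructed.

```python
import re
from collections import defaultdict

# Constructed `arp -a` output in the layout Windows prints: the cache after
# Activity 5 (gateway pinned to a bogus static entry) ...
SAMPLE_AFTER_MODIFY = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     static
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# ... after Activity 8 has reset it (gateway learned dynamically again) ...
SAMPLE_AFTER_RESET = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-50-56-aa-00-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# ... and a poisoned cache, where one MAC answers for the gateway and for
# another host on the segment (addresses are made up).
SAMPLE_POISONED = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-50-56-aa-00-99     dynamic
  192.168.1.20          00-50-56-aa-00-99     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

IFACE_LINE = re.compile(r"^Interface:\s+(\d{1,3}(?:\.\d{1,3}){3})\s+---\s+0x[0-9A-Fa-f]+")
ENTRY_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+(static|dynamic)\s*$"
)


def parse_arp_table(text):
    """Return {interface_ip: {ip: (mac, type)}} from Windows arp -a output."""
    table = {}
    iface = None
    for line in text.splitlines():
        m = IFACE_LINE.match(line)
        if m:
            iface = m.group(1)
            table.setdefault(iface, {})
            continue
        m = ENTRY_LINE.match(line)
        if m and iface is not None:
            ip, mac, kind = m.groups()
            table[iface][ip] = (mac.lower(), kind.lower())
    return table


def entry_for(text, ip):
    """(mac, type) recorded for ip on any interface, or None if not cached."""
    for entries in parse_arp_table(text).values():
        if ip in entries:
            return entries[ip]
    return None


def shared_unicast_macs(text):
    """Unicast MACs that answer for more than one IP on the same interface.

    This is the footprint of a poisoned cache, but a router doing proxy ARP
    or holding several addresses produces the same picture, so confirm it
    against the gateway's real MAC before acting on it.
    """
    findings = []
    for iface, entries in parse_arp_table(text).items():
        ips_by_mac = defaultdict(list)
        for ip, (mac, _kind) in entries.items():
            if int(mac[:2], 16) & 0x01:
                continue   # broadcast and multicast group addresses legitimately repeat
            ips_by_mac[mac].append(ip)
        for mac, ips in ips_by_mac.items():
            if len(ips) > 1:
                findings.append((iface, mac, sorted(ips)))
    return findings


if __name__ == "__main__":
    print("after modify:", entry_for(SAMPLE_AFTER_MODIFY, "192.168.1.1"))
    print("after reset: ", entry_for(SAMPLE_AFTER_RESET, "192.168.1.1"))
    print("poisoned:    ", shared_unicast_macs(SAMPLE_POISONED))
```

On a live machine, capture the output with `arp -a > cache.txt` and pass the file contents in; the parser skips the header lines and anything it does not recognise.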
Readings
• Wikipedia: Address Resolution Protocol (ARP)
• Wikipedia: IP Address
• Wikipedia: Media Access Control (MAC) Address
• Wikipedia: netsh
References
• Microsoft TechNet: Arp [1]
• Microsoft TechNet: Netsh [2]
References
[1] http://technet.microsoft.com/en-us/library/cc754761(v=ws.10).aspx
[2] http://technet.microsoft.com/en-us/library/ee404790(v=ws.10).aspx
Capture and Analyze Address Resolution Protocol (ARP) Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and analyze Address Resolution Protocol (ARP) traffic.
Readings
• Wikipedia: Address Resolution Protocol (ARP)
• Wikipedia: Media Access Control (MAC) Address
• Wikipedia: Broadcast Address
• Wikipedia: Ethertype
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
Activity 1 – Capture ARP Traffic
To capture ARP traffic:
1. Start Wireshark, but do not yet start a capture.
2. Open an elevated/administrator command prompt.
3. Use ipconfig to display the default gateway address. Note the Default Gateway displayed.
4. Start a Wireshark capture.
5. Use arp -d to clear the ARP cache.
6. Use ping to ping the default gateway address noted in step 3.
7. Use arp -a to view the ARP cache and confirm an entry has been added for the default gateway address.
8. Close the command prompt.
9. Stop the Wireshark capture.
Activity 2 – Analyze an ARP Request
To analyze an ARP request:
1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ARP listed as the
protocol. To view only ARP traffic, type arp (lower case) in the Filter box and press Enter.
2. Select the first ARP packet.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Address
Resolution Protocol frame.
4. Expand Ethernet II to view Ethernet details.
5. Observe the Destination field. Notice that the destination field is the Ethernet broadcast address
(FF:FF:FF:FF:FF:FF). Every device on the local network segment receives the ARP request, including any attacker
on that segment.
6. Observe the Source field. This should contain your MAC address. You can use ipconfig /all or getmac to confirm.
7. Observe the Type field. Notice that the type is 0x0806, indicating ARP.
8. Expand Address Resolution Protocol (request) to view ARP details.
9. Observe the Sender MAC address. Notice that the sender MAC address is your MAC address.
10. Observe the Sender IP address. Notice that the sender IP address is your IP address.
11. Observe the Target MAC address. Notice that the target MAC address is all zeros, because the target MAC
address is unknown at this point.
12. Observe the Target IP address. Notice that the target IP address is the IP address of the default gateway.
Activity 3 – Analyze an ARP Reply
To analyze an ARP reply:
1. Select the second ARP packet.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Address
Resolution Protocol frame. Confirm in the middle packet details pane that the packet is labeled Address
Resolution Protocol (reply).
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination field. Notice that the destination field is your MAC address: the reply is sent unicast
to the requester, not broadcast.
5. Observe the Source field. This should be the MAC address of the default gateway.
6. Observe the Type field. Notice that the type is 0x0806, indicating ARP.
7. Expand Address Resolution Protocol (reply) to view ARP details.
8. Observe the Sender MAC address. Notice that the sender MAC address is the MAC address of the default
gateway.
9. Observe the Sender IP address. Notice that the sender IP address is the IP address of the default gateway.
10. Observe the Target MAC address. Notice that the target MAC address is your MAC address.
11. Observe the Target IP address. Notice that the target IP address is your IP address.
12. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
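The byte offsets walked through in the Ethernet activity (destination at bytes 0 to 5, source at 6 to 11, EtherType at 12 and 13) and the ARP fields examined in Activities 2 and 3 above can be decoded directly from the frame bytes. The following Python is an added example, not code from the original page: it parses an Ethernet II header and an Ethernet/IPv4 ARP body from raw bytes, and check_exchange returns every one of the activity's observations that does not hold for a request/reply pair. The two frames are constructed (the addresses are made up); the reply carries the 18 bytes of padding that a minimum-length 60-byte frame shows in a capture, which the parser has to ignore.

```python
import struct

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

# Constructed frames, written as the packet bytes pane would show them.
# 192.168.1.10 (00:50:56:aa:00:10) asks for 192.168.1.1 (00:50:56:aa:00:01).
REQUEST_FRAME = bytes.fromhex(
    "ffffffffffff"      # bytes 0-5:   destination, the Ethernet broadcast address
    "005056aa0010"      # bytes 6-11:  source, our adapter
    "0806"              # bytes 12-13: EtherType ARP
    "0001" "0800"       # ARP: hardware type Ethernet, protocol type IPv4
    "06" "04" "0001"    # hlen 6, plen 4, operation 1 (request)
    "005056aa0010"      # sender MAC
    "c0a8010a"          # sender IP 192.168.1.10
    "000000000000"      # target MAC, unknown so all zeros
    "c0a80101"          # target IP 192.168.1.1
)
REPLY_FRAME = bytes.fromhex(
    "005056aa0010"      # destination: the asker (unicast)
    "005056aa0001"      # source: the gateway
    "0806"
    "0001" "0800"
    "06" "04" "0002"    # operation 2 (reply)
    "005056aa0001"      # sender MAC: the gateway's
    "c0a80101"          # sender IP 192.168.1.1
    "005056aa0010"      # target MAC: the asker
    "c0a8010a"          # target IP 192.168.1.10
) + bytes(18)           # padding to the 60-byte minimum frame size, not ARP data


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_ethernet(frame):
    """Ethernet II header: bytes 0-5 destination, 6-11 source, 12-13 EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet II header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_str(dst), "src": mac_str(src), "type": ethertype, "payload": frame[14:]}


def parse_arp(payload):
    """Ethernet/IPv4 ARP body: 8 bytes of header then sha, spa, tha, tpa (28 bytes total).
    Anything past byte 28 is link-layer padding and is ignored."""
    if len(payload) < 8:
        raise ValueError("truncated ARP header")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if len(payload) < 28:
        raise ValueError("truncated ARP addresses")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {"oper": oper, "sha": mac_str(sha), "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}


def decode_arp_frame(frame):
    eth = parse_ethernet(frame)
    if eth["type"] != ETHERTYPE_ARP:
        raise ValueError(f"EtherType 0x{eth['type']:04x} is not ARP")
    return eth, parse_arp(eth["payload"])


def check_exchange(request_frame, reply_frame):
    """Return the names of the activity's observations that do NOT hold."""
    req_eth, req = decode_arp_frame(request_frame)
    rep_eth, rep = decode_arp_frame(reply_frame)
    checks = {
        "request is broadcast": req_eth["dst"] == BROADCAST_MAC,
        "request sender MAC matches frame source": req["sha"] == req_eth["src"],
        "request opcode is 1": req["oper"] == 1,
        "request target MAC is all zeros": req["tha"] == ZERO_MAC,
        "reply opcode is 2": rep["oper"] == 2,
        "reply is unicast to the asker": rep_eth["dst"] == req_eth["src"],
        "reply sender IP is the requested IP": rep["spa"] == req["tpa"],
        "reply sender MAC matches frame source": rep["sha"] == rep_eth["src"],
        "reply target is the asker": (rep["tha"], rep["tpa"]) == (req["sha"], req["spa"]),
    }
    return [name for name, ok in checks.items() if not ok]


if __name__ == "__main__":
    for label, frame in (("request", REQUEST_FRAME), ("reply", REPLY_FRAME)):
        eth, arp = decode_arp_frame(frame)
        print(label, eth["dst"], "<-", eth["src"], f"type=0x{eth['type']:04x}", arp)
    print("failed checks:", check_exchange(REQUEST_FRAME, REPLY_FRAME))
```

Everything here is consistency checking. Nothing in ARP authenticates a reply, so a forged reply whose fields are internally consistent passes every check; that is the point the ARP spoofing summary in this lesson makes, and why a mismatch between the ARP sender MAC and the frame source is worth flagging when you do see one.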
References
• Wireshark: User’s Guide [2]
• Wireshark: Ethernet [1]
References
[1] http://wiki.wireshark.org/Ethernet
[2] http://www.wireshark.org/docs/wsug_html_chunked/
Lesson 5 – Internet Layer / IPv4
Internet Layer / IPv4
This lesson introduces the Internet layer and looks at IPv4. Activities include IPv4 addressing and using Wireshark to
examine IPv4 network traffic.
Readings
1. Read Wikipedia: Internet layer.
2. Read Wikipedia: Internet Protocol.
3. Read Wikipedia: IPv4.
4. Read Wikipedia: IP address.
5. Read Wikipedia: Classful network.
Activities
1. Use a Regional Internet Registry to search the Whois database for IP address information.
2. Review Wireshark: Internet Protocol (IP) [1].
3. Use Wireshark to capture and analyze local IPv4 traffic.
4. Use Wireshark to capture and analyze remote IPv4 traffic.
5. Use Wireshark to capture and analyze fragmented IPv4 traffic.
6. Consider situations in which a packet analyzer might be used to troubleshoot IPv4 traffic.
7. Use the Discuss page to post comments and questions regarding this lesson.
8. Review the lesson summary, key terms, review questions and flashcards below.
Lesson Summary
• The Internet layer is a group of internetworking methods, protocols, and specifications in the Internet protocol
suite that are used to transport datagrams from the originating host across network boundaries, if necessary, to the
destination host specified by a network address.[2]
• The Internet layer is not responsible for reliable transmission. It provides only an unreliable connection-less
service, and “best effort” delivery.[3]
• The core protocols used in the Internet layer are IPv4, IPv6, the Internet Control Message Protocol (ICMP), and
the Internet Group Management Protocol (IGMP).[4]
• The Internet Control Message Protocol (ICMP) is primarily used for error and diagnostic functions.[5]
• The Internet Group Management Protocol (IGMP) is used by IPv4 hosts and adjacent multicast routers to
establish multicast group memberships.[6]
• Internet Protocol Security (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications by
authenticating and/or encrypting each IP packet in a data stream.[7]
• Each IP datagram has two components, a header and a data payload. The IP header is tagged with the source IP
address, destination IP address, and other meta-data needed to route and deliver the datagram.[8]
• IPv4 uses 32-bit (four-byte) addresses, most often written in the dotted decimal notation, which consists of four
octets of bit values expressed individually in decimal and separated by periods.[9]
• Private IPv4 network address ranges are reserved for use in private networks and include 10.0.0.0/8,
172.16.0.0/12 and 192.168.0.0/16. Private networks communicate with public networks through network address
translation (NAT).[10]
• The link-local IPv4 address range, 169.254.0.0/16, is similar to a private network address range but is not
routable. These addresses are most often used when a host cannot obtain an IP address from a Dynamic Host
Configuration Protocol (DHCP) server.[11]
• The loopback address range, 127.0.0.0/8 is reserved for loopback, or internal host addressing.[12]
• The primary address pool of the Internet, maintained by the Internet Assigned Numbers Authority (IANA), was
exhausted on 3 February 2011.[13]
• Valid IPv4 host addresses have a first octet in the range 1-126 (originally Class A), 128-191 (originally Class B),
or 192-223 (originally Class C). Multicast addresses have a first octet in the range 224-239 (originally Class D).
Addresses with a first octet in the range 240-255 are unused (reserved / experimental).[14][15]
• Classful networking was replaced by Classless Inter-Domain Routing (CIDR) starting in 1993.[16] However, the
addressing concepts developed under classful networking still apply to IPv4. The CIDR changes apply to
subnetting and routing, which will be examined in the next lesson.
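The summary above describes IPv4 addresses as 32-bit values written in dotted decimal and lists the private, link-local, loopback, multicast and reserved ranges by CIDR prefix or first octet. The following added example (not part of the original lesson) converts dotted decimal to the 32-bit value, tests membership in those CIDR blocks with a prefix mask, and reports the original class; the sample addresses are the ones the Whois activities in this lesson search for.

```python
"""Dotted-decimal IPv4 parsing and range classification.

Added example, not part of the original Wikiversity lesson. It converts the
dotted-decimal form into the 32-bit value the lesson describes and checks it
against the CIDR ranges from the lesson summary using a prefix mask, the same
mechanism the next lesson's subnetting builds on.
"""

# Ranges from the lesson summary, most specific label first.
SPECIAL_RANGES = [
    ("loopback", "127.0.0.0/8"),
    ("link-local", "169.254.0.0/16"),
    ("private", "10.0.0.0/8"),
    ("private", "172.16.0.0/12"),
    ("private", "192.168.0.0/16"),
    ("multicast", "224.0.0.0/4"),    # first octet 224-239 (originally Class D)
    ("reserved", "240.0.0.0/4"),     # first octet 240-255 (reserved / experimental)
]


def parse_ipv4(text: str) -> int:
    """Convert dotted decimal to a 32-bit integer, rejecting malformed input."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"{text!r}: expected four octets")
    value = 0
    for part in parts:
        # Digits only, and no leading zeros (which some parsers read as octal).
        if not part.isdigit() or (len(part) > 1 and part[0] == "0"):
            raise ValueError(f"{text!r}: bad octet {part!r}")
        octet = int(part)
        if octet > 255:
            raise ValueError(f"{text!r}: octet {octet} exceeds 255")
        value = (value << 8) | octet
    return value


def to_dotted(value: int) -> str:
    """Inverse of parse_ipv4: 32-bit integer back to dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def in_cidr(addr: int, cidr: str) -> bool:
    """True if addr falls inside the CIDR block (prefix length 0-32)."""
    prefix, length = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(length))) & 0xFFFFFFFF
    return (addr & mask) == (parse_ipv4(prefix) & mask)


def original_class(addr: int) -> str:
    """Historical classful label by first octet, as the lesson summary lists them."""
    first = addr >> 24
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    if 224 <= first <= 239:
        return "D (multicast)"
    if first >= 240:
        return "E (reserved/experimental)"
    return "none (0/8 or loopback 127/8)"


def classify(text: str) -> dict:
    """Label an address as public or as one of the special-purpose ranges."""
    addr = parse_ipv4(text)
    kind = "public"
    for label, cidr in SPECIAL_RANGES:
        if in_cidr(addr, cidr):
            kind = label
            break
    return {"address": to_dotted(addr), "value": addr,
            "kind": kind, "original_class": original_class(addr)}


if __name__ == "__main__":
    # Constructed inputs: the addresses the Whois activities in this lesson search for.
    for sample in ("8.8.8.8", "192.168.0.1", "169.254.1.1",
                   "127.0.0.1", "224.0.0.1", "240.0.0.1"):
        print(classify(sample))
```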
Key Terms
American Registry for Internet Numbers (ARIN)
The Regional Internet Registry (RIR) for Canada, many Caribbean and North Atlantic islands, and the United
States.[17]
data corruption
Errors in computer data that occur during writing, reading, storage, transmission, or processing, which
introduce unintended changes to the original data.[18]
datagram
A basic transfer unit associated with a packet-switched network in which the delivery, arrival time, and order
of arrival are not guaranteed by the network service.[19]
gateway
A network point that acts as an entrance to another network.[20]
host
A computer connected to a computer network and assigned a network layer host address.[21]
Internet Assigned Numbers Authority (IANA)
The entity that oversees global IP address allocation, autonomous system number allocation, root zone
management in the Domain Name System (DNS), media types, and other Internet Protocol-related symbols
and numbers.[22]
Internet Protocol (IP)
The principal communications protocol responsible for addressing hosts and routing datagrams (packets) from
a source host to the destination host across one or more networks.[23]
IP fragmentation
The Internet Protocol fragmentation and reassembly procedure that can break a datagram into pieces that may
later be reassembled based on identification, offset, and length.[24]
network address translation (NAT)
The process of modifying IP address information in IP packet headers while in transit across a traffic routing
device.[25]
octet
A unit of digital information in computing and telecommunications that consists of eight bits.[26]
packet switching
A digital networking communications method that groups all transmitted data into variably-sized blocks,
called packets, for delivery over a shared network.[27]
Regional Internet Registry (RIR)
An organization that manages the allocation and registration of Internet number resources within a particular
region of the world.[28]
robustness principle
Be liberal in what you accept, and conservative in what you send.[29]
scalability
The ability of a system, network, or process, to handle a growing amount of work in a capable manner or its
ability to be enlarged to accommodate that growth.[30]
Review Questions
1. The Internet layer is a group of internetworking methods, protocols, and specifications in the Internet protocol
suite that are used to _____ from the originating _____ across _____, if necessary, to the destination _____ specified
by a network address.
The Internet layer is a group of internetworking methods, protocols, and specifications in the Internet protocol suite
that are used to transport datagrams from the originating host across network boundaries, if necessary, to the
destination host specified by a network address.
2. The Internet layer is not responsible for reliable transmission. It provides only _____.
The Internet layer is not responsible for reliable transmission. It provides only an unreliable connection-less service,
and “best effort” delivery.
3. The core protocols used in the Internet layer are _____.
The core protocols used in the Internet layer are IPv4, IPv6, the Internet Control Message Protocol (ICMP), and the
Internet Group Management Protocol (IGMP).
4. The _____ is primarily used for error and diagnostic functions.
The Internet Control Message Protocol (ICMP) is primarily used for error and diagnostic functions.
5. The _____ is used by IPv4 hosts and adjacent multicast routers to establish multicast group memberships.
The Internet Group Management Protocol (IGMP) is used by IPv4 hosts and adjacent multicast routers to establish
multicast group memberships.
6. Internet Protocol Security (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications by
_____ and/or _____ each IP packet in a data stream.
Internet Protocol Security (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications by
authenticating and/or encrypting each IP packet in a data stream.
7. Each IP datagram has two components, a header and a data payload. The IP header is tagged with _____ needed to
route and deliver the datagram.
Each IP datagram has two components, a header and a data payload. The IP header is tagged with the source IP
address, destination IP address, and other meta-data needed to route and deliver the datagram.
8. IPv4 uses _____ addresses, most often written in the _____ notation.
IPv4 uses 32-bit (four-byte) addresses, most often written in the dotted decimal notation.
9. Private IPv4 network address ranges are reserved for use in private networks and include _____.
Private IPv4 network address ranges are reserved for use in private networks and include 10.0.0.0/8, 172.16.0.0/12
and 192.168.0.0/16.
10. Private networks communicate with public networks through _____.
Private networks communicate with public networks through network address translation (NAT).
11. The link-local IPv4 address range, _____, is similar to a private network address range but is not routable.
The link-local IPv4 address range, 169.254.0.0/16, is similar to a private network address range but is not routable.
12. The loopback address range, _____ is reserved for loopback, or internal host addressing.
The loopback address range, 127.0.0.0/8 is reserved for loopback, or internal host addressing.
13. The primary address pool of the Internet, maintained by the Internet Assigned Numbers Authority (IANA), was
exhausted in _____.
The primary address pool of the Internet, maintained by the Internet Assigned Numbers Authority (IANA), was
exhausted in 2011.
14. Valid IPv4 host addresses have a first octet in the range _____ (originally Class A), _____ (originally Class B),
or _____ (originally Class C).
Valid IPv4 host addresses have a first octet in the range 1-126 (originally Class A), 128-191 (originally Class B), or
192-223 (originally Class C).
15. Multicast addresses have a first octet in the range _____ (originally Class D).
Multicast addresses have a first octet in the range 224-239 (originally Class D).
16. Addresses with a first octet in the range _____ are unused (reserved / experimental).
Addresses with a first octet in the range 240-255 are unused (reserved / experimental).
17. Classful networking was replaced by _____ starting in 1993.
Classful networking was replaced by Classless Inter-Domain Routing (CIDR) starting in 1993.
Flashcards
• Test your understanding of this lesson.
• Test your understanding of the key terms.
References
[1] http://wiki.wireshark.org/Internet_Protocol
[2] Wikipedia: Internet layer
[3] Wikipedia: Internet layer#Purpose
[4] Wikipedia: Internet layer#Core protocols
[5] Wikipedia: Internet layer#Core protocols
[6] Wikipedia: Internet layer#Core protocols
[7] Wikipedia: Internet layer#Security
[8] Wikipedia: Internet Protocol#Datagram construction
[9] Wikipedia: IPv4#Address representations
[10] Wikipedia: IPv4#Private networks
[11] Wikipedia: IPv4#Link-local addressing
[12] Wikipedia: IPv4#Loopback
[13] Wikipedia: IPv4#Address space exhaustion
[14] Wikipedia: Classful network
[15] Wikipedia: List of assigned /8 IPv4 address blocks
[16] Wikipedia: Classful network
[17] Wikipedia: American Registry for Internet Numbers
[18] Wikipedia: Data corruption
[19] Wikipedia: Datagrams
[20] Wikipedia: Gateway (telecommunications)#Details
[21] Wikipedia: Network host
[22] Wikipedia: Internet Assigned Numbers Authority
[23] Wikipedia: Internet Protocol
[24] RFC 791
[25] Wikipedia: Network address translation
[26] Wikipedia: Octet (computing)
[27] Wikipedia: Packet-switched
[28] Wikipedia: Regional Internet registries
[29] RFC 1122
[30] Wikipedia: Scalability
Search the Whois Database
IP address registration information may be located using one of the five Regional Internet Registry Whois databases.
These activities will show you how to find the registrant or service provider for a given IP address.
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
Activity 1 – Determine your Regional Internet Registry
To determine your Regional Internet Registry:
1. Review Wikipedia: Regional Internet Registry.
Activity 2 – Search for a Public IPv4 Address
To search for a public IPv4 address:
1. Navigate to the home page of one of the five regional Internet registries:
• African Network Information Centre [1]
• American Registry for Internet Numbers [2]
• Asia-Pacific Network Information Centre [3]
• Latin America and Caribbean Network Information Centre [4]
• RIPE Network Coordination Centre [5]
2. Locate the Whois / Search Database feature on the registry home page.
3. Enter 8.8.8.8 in the search box. This is the IPv4 address of one of Google’s public DNS servers. Press Enter or
select the submit button to submit your search.
4. Review the returned registration information.
Activity 3 – Search for a Private IPv4 Address
To search for a private IPv4 address:
1. Enter 192.168.0.1 in the search box. This is a private IP address. Press Enter or select the submit button to
submit your search.
2. Review the returned registration information.
Activity 4 – Search for a Link-Local IPv4 Address
To search for a link-local IPv4 address:
1. Enter 169.254.1.1 in the search box. This is a link-local address. Press Enter or select the submit button to
submit your search.
2. Review the returned registration information.
Activity 5 – Search for a Loopback IPv4 Address
To search for a loopback IPv4 address:
1. Enter 127.0.0.1 in the search box. This is a loopback address. Press Enter or select the submit button to submit
your search.
2. Review the returned registration information.
Activity 6 – Search for a Multicast IPv4 Address
To search for a multicast IPv4 address:
1. Enter 224.0.0.1 in the search box. This is a multicast address. Press Enter or select the submit button to
submit your search.
2. Review the returned registration information.
Activity 7 – Search for a Reserved IPv4 Address
To search for a reserved IPv4 address:
1. Enter 240.0.0.1 in the search box. This is a reserved address. Press Enter or select the submit button to
submit your search.
2. Review the returned registration information.
Activity 8 – Search for a Public IPv6 Address
To search for a public IPv6 address:
1. Enter 2001:4860:4860::8888 in the search box. This is the IPv6 address of one of Google’s public DNS servers.
Press Enter or select the submit button to submit your search.
2. Review the returned registration information.
Readings
• Wikipedia: Regional Internet Registry
• Wikipedia: Whois
• Wikipedia: IP Address
References
[1] http://www.afrinic.net
[2] http://www.arin.net
[3] http://www.apnic.net
[4] http://www.lacnic.net
[5] http://www.ripe.net
Capture and Analyze Address Resolution
Protocol (ARP) Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and analyze Address Resolution Protocol (ARP) traffic.
Readings
• Wikipedia: Address Resolution Protocol (ARP)
• Wikipedia: Media Access Control (MAC) Address
• Wikipedia: Broadcast Address
• Wikipedia: Ethertype
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
Activity 1 – Capture ARP Traffic
To capture ARP traffic:
1. Start Wireshark, but do not yet start a capture.
2. Open an elevated/administrator command prompt.
3. Use ipconfig to display the default gateway address. Note the Default Gateway displayed.
4. Start a Wireshark capture.
5. Use arp -d to clear the ARP cache.
6. Use ping
7. Use arp -a to view the ARP cache and confirm an entry has been added for the default gateway address.
8. Close the command prompt.
9. Stop the Wireshark capture.
Activity 2 – Analyze an ARP Request
To analyze an ARP request:
1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ARP listed as the
protocol. To view only ARP traffic, type arp (lower case) in the Filter box and press Enter.
2. Select the first ARP packet.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Address
Resolution Protocol frame.
4. Expand Ethernet II to view Ethernet details.
5. Observe the Destination field. Notice that the destination field is the Ethernet broadcast address
(FF:FF:FF:FF:FF:FF). All devices on the network will receive the ARP request.
6. Observe the Source field. This should contain your MAC address. You can use ipconfig /all or getmac to confirm.
7. Observe the Type field. Notice that the type is 0x0806, indicating ARP.
8. Expand Address Resolution Protocol (request) to view ARP details.
9. Observe the Sender MAC address. Notice that the sender MAC address is your MAC address.
10. Observe the Sender IP address. Notice that the sender IP address is your IP address.
11. Observe the Target MAC address. Notice that the target MAC address is all zeros, because the target MAC
address is unknown at this point.
12. Observe the Target IP address. Notice that the target IP address is the IP address of the default gateway.
Activity 3 – Analyze an ARP Reply
To analyze an ARP reply:
1. Select the second ARP packet.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Address
Resolution Protocol frame. Confirm in the middle packet details pane that the packet is labeled Address
Resolution Protocol (reply).
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination field. Notice that the destination field is your MAC address.
5. Observe the Source field. This should be the MAC address of the default gateway.
6. Observe the Type field. Notice that the type is 0x0806, indicating ARP.
7. Expand Address Resolution Protocol (reply) to view ARP details.
8. Observe the Sender MAC address. Notice that the sender MAC address is the MAC address of the default
gateway.
9. Observe the Sender IP address. Notice that the sender IP address is the IP address of the default gateway.
10. Observe the Target MAC address. Notice that the target MAC address is your MAC address.
11. Observe the Target IP address. Notice that the target IP address is your IP address.
12. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
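Activities 2 and 3 above walk through the Ethernet II and ARP fields of a request and its reply by hand. The following added example (not part of the original activity) decodes the same fields from raw frame bytes and checks that a reply actually answers the request the way the activity describes. The two frames, the MAC addresses and the 192.168.1.0/24 addresses are constructed for the example.

```python
"""Parse Ethernet II / ARP frames and report the fields the activity inspects.

Added example, not part of the original Wikiversity activity. The two frames
are constructed to match what the activity describes: a request from a host
to the broadcast address, then the gateway's reply. All addresses are made up.
"""
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6
ARP_OPCODES = {1: "request", 2: "reply"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame: bytes) -> dict:
    """Decode one Ethernet II frame carrying ARP (RFC 826 layout).

    Raises ValueError if the EtherType is not 0x0806, the frame is too short,
    or the ARP body is not the Ethernet/IPv4 variant Wireshark shows here.
    """
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet II + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"EtherType 0x{ethertype:04x} is not ARP")
    (htype, ptype, hlen, plen, oper,
     sha, spa, tha, tpa) = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return {
        "eth_dst": mac_str(dst),
        "eth_src": mac_str(src),
        "eth_type": ethertype,
        "opcode": ARP_OPCODES.get(oper, f"unknown({oper})"),
        "sender_mac": mac_str(sha),
        "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha),
        "target_ip": ip_str(tpa),
        "is_broadcast": dst == BROADCAST_MAC,
    }


def build_arp(oper, eth_dst, sha, spa, tha, tpa) -> bytes:
    """Build a frame; used here only to construct the sample capture."""
    eth = struct.pack("!6s6sH", eth_dst, sha, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)
    return eth + arp


# Constructed sample: host 192.168.1.10 resolves its gateway 192.168.1.1.
HOST_MAC = bytes.fromhex("020000000a0a")
GW_MAC = bytes.fromhex("02000000c001")
HOST_IP = bytes([192, 168, 1, 10])
GW_IP = bytes([192, 168, 1, 1])

# Request: broadcast destination, target MAC all zeros (unknown yet).
ARP_REQUEST = build_arp(1, BROADCAST_MAC, HOST_MAC, HOST_IP, b"\x00" * 6, GW_IP)
# Reply: unicast back to the host, sender fields now carry the gateway's MAC.
ARP_REPLY = build_arp(2, HOST_MAC, GW_MAC, GW_IP, HOST_MAC, HOST_IP)


def check_exchange(request: bytes, reply: bytes) -> bool:
    """True if reply answers request the way Activities 2 and 3 describe."""
    req, rep = parse_arp_frame(request), parse_arp_frame(reply)
    return (req["opcode"] == "request" and req["is_broadcast"]
            and req["target_mac"] == "00:00:00:00:00:00"
            and rep["opcode"] == "reply"
            and rep["sender_ip"] == req["target_ip"]
            and rep["target_mac"] == req["sender_mac"]
            and rep["target_ip"] == req["sender_ip"]
            and rep["eth_dst"] == req["eth_src"])


if __name__ == "__main__":
    for name, frame in (("request", ARP_REQUEST), ("reply", ARP_REPLY)):
        print(name, parse_arp_frame(frame))
    print("reply matches request:", check_exchange(ARP_REQUEST, ARP_REPLY))
```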
References
• Wireshark: User’s Guide [2]
• Wireshark: Ethernet [1]
[1] http://wiki.wireshark.org/Ethernet
[2] http://www.wireshark.org/docs/wsug_html_chunked/
Capture and Analyze Local IPv4 Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and analyze local IPv4 traffic.
Readings
• Wikipedia: IPv4
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
Activity 1 – Capture Local IPv4 Traffic
To capture local IPv4 traffic:
1. Start a Wireshark capture.
2. Use ping
3. Stop the Wireshark capture.
Activity 2 – Analyze Local IPv4 Outbound Traffic
To analyze local IPv4 outbound traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMP listed as the
protocol. To view only ICMP traffic, type icmp (lower case) in the Filter box and press Enter.
2. Select the first ICMP packet, labeled Echo (ping) request.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 4 / Internet Control Message Protocol frame.
4. Expand Ethernet II to view Ethernet details.
5. Observe the Destination field. This should contain the MAC address of your default gateway. You can use arp -a
to confirm.
6. Observe the Source field. This should contain your MAC address. You can use ipconfig /all or getmac to confirm.
7. Observe the Type field. Notice that the type is 0x0800, indicating IP.
8. Expand Internet Protocol Version 4 to view IP details.
9. Observe the Source address. Notice that the source address is your IP address.
10. Observe the Destination address. Notice that the destination address is the default gateway IP address.
Activity 3 – Analyze Local IPv4 Inbound Traffic
To analyze local IPv4 inbound traffic:
1. In the top Wireshark packet list pane, select the second ICMP packet, labeled Echo (ping) reply.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 4 / Internet Control Message Protocol frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination field. This should contain your MAC address.
5. Observe the Source field. This should contain the MAC address of your default gateway.
6. Observe the Type field. Notice that the type is 0x0800, indicating IP.
7. Expand Internet Protocol Version 4 to view IP details.
8. Observe the Source address. Notice that the source address is the default gateway IP address.
9. Observe the Destination address. Notice that the destination address is your IP address.
10. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
• Wireshark: User’s Guide [2]
• Wireshark: IPv4 [1]
[1] http://wiki.wireshark.org/IPv4
[2] http://www.wireshark.org/docs/wsug_html_chunked/
Capture and Analyze Remote IPv4 Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and analyze remote IPv4 traffic.
Readings
• Wikipedia: IPv4
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
Activity 1 – Capture Remote IPv4 Traffic
To capture remote IPv4 traffic:
1. Start a Wireshark capture.
2. Use ping 8.8.8.8 to ping an Internet host by IP address.
3. Stop the Wireshark capture.
Activity 2 – Analyze Remote IPv4 Outbound Traffic
To analyze remote IPv4 outbound traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMP listed as the
protocol. To view only ICMP traffic, type icmp (lower case) in the Filter box and press Enter.
2. Select the first ICMP packet, labeled Echo (ping) request.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 4 / Internet Control Message Protocol frame.
4. Expand Ethernet II to view Ethernet details.
5. Observe the Destination field. This should contain the MAC address of your default gateway. You can use arp -a
to confirm. Notice that remote Internet layer traffic is processed as local Link layer traffic. The default
gateway will route the packet to the Internet.
6. Observe the Source field. This should contain your MAC address. You can use ipconfig /all or getmac to confirm.
7. Observe the Type field. Notice that the type is 0x0800, indicating IP.
8. Expand Internet Protocol Version 4 to view IP details.
9. Observe the Source address. Notice that the source address is your IP address.
10. Observe the Destination address. Notice that the destination address is the Internet host IP address.
Activity 3 – Analyze Remote IPv4 Inbound Traffic
To analyze remote IPv4 inbound traffic:
1. In the top Wireshark packet list pane, select the second ICMP packet, labeled Echo (ping) reply.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 4 / Internet Control Message Protocol frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination field. This should contain your MAC address.
5. Observe the Source field. This should contain the MAC address of your default gateway. Notice that the remote
Internet layer traffic is returned as local Link layer traffic. The routers between the Internet host and your
network routed the packet back to your router so that it could forward the packet back to your computer.
6. Observe the Type field. Notice that the type is 0x0800, indicating IP.
7. Expand Internet Protocol Version 4 to view IP details.
8. Observe the Source address. Notice that the source address is the Internet host IP address.
9. Observe the Destination address. Notice that the destination address is your IP address.
10. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
• Wireshark: User’s Guide [2]
• Wireshark: IPv4 [1]
Capture and Analyze Fragmented IPv4 Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and analyze fragmented IPv4 traffic.
Readings
• Wikipedia: IPv4
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
Activity 1 – Capture Fragmented IPv4 Traffic
To capture fragmented IPv4 traffic:
1. Start a Wireshark capture.
2. Use ping -l 2500
that because the default maximum transmission unit (MTU) for Ethernet frames is 1,500 bytes, this should
generate fragmented packets.
3. Stop the Wireshark capture.
Activity 2 – Analyze Fragmented IPv4 Outbound Traffic
To analyze fragmented IPv4 outbound traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMP listed as the
protocol. To find only ICMP traffic, type icmp (lower case) in the Filter box and press Enter.
2. Select the first ICMP packet, labeled Echo (ping) request.
3. If you applied an icmp filter, clear the filter so you can see the IPv4 fragments.
4. Select the IPv4 packet immediately above the first ICMP packet.
5. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 4 / Internet Control Message Protocol frame.
6. Expand Internet Protocol Version 4 to view IP details.
7. Expand Flags to view flag details.
8. Observe the More fragments field. Notice that it is set, indicating more fragments will follow.
9. Observe the Fragment offset field. Notice that it is 0, indicating this is the first fragment.
10. Observe the Total length and Header length fields. Subtract header length from total length to determine the size
of this fragment.
11. In the top Wireshark packet list pane, select the next packet, labeled Echo (ping) request.
12. View IP details.
13. Observe the More fragments field. Notice that it is not set, indicating no more fragments will follow.
14. Observe the Fragment offset field. Notice that it is the same as the size calculated for the first fragment.
15. Observe the Total length and Header length fields. Subtract header length from total length to determine the size
of this fragment.
16. Add the sizes of the two fragments together to determine total data length. It should be 2,508, indicating 2,500
bytes of ICMP data and an 8 byte ICMP header.
Activity 3 – Analyze Fragmented IPv4 Inbound Traffic
To analyze fragmented IPv4 inbound traffic:
1. In the top Wireshark packet list pane, select the second ICMP packet, labeled Echo (ping) reply.
2. Select the IPv4 packet immediately above the second ICMP packet.
3. View IP details.
4. Observe the More fragments field. Notice that it is set, indicating more fragments will follow.
5. Observe the Fragment offset field. Notice that it is 0, indicating this is the first fragment.
6. Observe the Total length and Header length fields. Subtract header length from total length to determine the size
of this fragment.
7. In the top Wireshark packet list pane, select the next packet, labeled Echo (ping) reply.
8. View IP details.
9. Observe the More fragments field. Notice that it is not set, indicating no more fragments will follow.
10. Observe the Fragment offset field. Notice that it is the same as the size calculated for the first fragment.
11. Observe the Total length and Header length fields. Subtract header length from total length to determine the size
of this fragment.
12. Add the sizes of the two fragments together to determine total data length. It should be 2,508, indicating 2,500
bytes of ICMP data and an 8 byte ICMP header.
13. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
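The two activities above read the More fragments flag, the fragment offset, and total length minus header length out of each fragment by hand. The following Python script, added here as an example and not part of the original lesson, does the same thing programmatically: it builds an ICMP echo request with 2,500 bytes of data, splits it into IPv4 fragments at an assumed MTU of 1500, parses the same header fields back out of each packet, and reassembles the datagram, refusing overlapping or missing fragments. The addresses (192.0.2.1 and 192.0.2.2), the IP identification value and the MTU are assumptions chosen for the example.

```python
"""Build, parse and reassemble IPv4 fragments the way the activity reads them in Wireshark."""
from __future__ import annotations
import struct
from dataclasses import dataclass

IPV4_HDR_LEN = 20
PROTO_ICMP = 1
MF_FLAG = 0x2000       # "More fragments" bit in the 16-bit flags/fragment-offset field
OFFSET_MASK = 0x1FFF   # 13-bit fragment offset, counted in 8-octet units on the wire


@dataclass
class Fragment:
    ident: int
    more_fragments: bool
    offset_bytes: int    # raw offset * 8, which is the value Wireshark displays
    data: bytes

    @property
    def data_len(self) -> int:
        """Total length minus header length, as computed by hand in the activity."""
        return len(self.data)


def ones_complement_checksum(buf: bytes) -> int:
    """Internet checksum (RFC 1071) used by both the IPv4 header and ICMP."""
    if len(buf) % 2:
        buf += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(buf) // 2), buf))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_echo_request(data: bytes, ident: int = 1, seq: int = 1) -> bytes:
    """8-byte ICMP echo header plus data: what a 2,500-byte ping hands to IP."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = ones_complement_checksum(hdr + data)
    return hdr[:2] + struct.pack("!H", csum) + hdr[4:] + data


def build_fragments(payload: bytes, ident: int, mtu: int = 1500,
                    src: bytes = b"\xc0\x00\x02\x01", dst: bytes = b"\xc0\x00\x02\x02") -> list[bytes]:
    """Split a payload into IPv4 packets as the sending host does at the given MTU.
    Every fragment except the last carries a multiple of 8 data bytes, so 1500 - 20 = 1480."""
    max_data = (mtu - IPV4_HDR_LEN) // 8 * 8
    packets = []
    for off in range(0, len(payload), max_data):
        chunk = payload[off:off + max_data]
        last = off + len(chunk) >= len(payload)
        flags_off = (0 if last else MF_FLAG) | (off // 8)
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + len(chunk),
                          ident, flags_off, 64, PROTO_ICMP, 0, src, dst)
        hdr = hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]
        packets.append(hdr + chunk)
    return packets


def parse_fragment(packet: bytes) -> Fragment:
    """Read the fields the activity inspects: MF flag, fragment offset, total and header length."""
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto, _csum, _src, _dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:IPV4_HDR_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < IPV4_HDR_LEN or total_len > len(packet):
        raise ValueError("malformed IPv4 header")
    if ones_complement_checksum(packet[:ihl]) != 0:   # a valid header checksums to zero
        raise ValueError("bad IPv4 header checksum")
    if proto != PROTO_ICMP:
        raise ValueError("not ICMP")
    return Fragment(ident=ident,
                    more_fragments=bool(flags_off & MF_FLAG),
                    offset_bytes=(flags_off & OFFSET_MASK) * 8,
                    data=packet[ihl:total_len])


def reassemble(fragments: list[Fragment]) -> bytes:
    """Reassemble one datagram. Overlaps and gaps are rejected rather than resolved:
    operating systems differ in which copy of overlapping data they keep, and that
    difference is a classic way to evade an IDS that reassembles differently from the target."""
    frags = sorted(fragments, key=lambda f: f.offset_bytes)
    if len({f.ident for f in frags}) != 1:
        raise ValueError("fragments from more than one datagram")
    expected, out = 0, bytearray()
    for f in frags:
        if f.offset_bytes < expected:
            raise ValueError("overlapping fragment at offset %d" % f.offset_bytes)
        if f.offset_bytes > expected:
            raise ValueError("gap before offset %d" % f.offset_bytes)
        if f.more_fragments and f.data_len % 8:
            raise ValueError("non-final fragment is not a multiple of 8 bytes")
        out += f.data
        expected += f.data_len
    if frags[-1].more_fragments:
        raise ValueError("final fragment still has MF set")
    return bytes(out)


if __name__ == "__main__":
    echo = icmp_echo_request(bytes(2500))            # 2,508 bytes, like the activity's ping
    frags = [parse_fragment(p) for p in build_fragments(echo, ident=0x1234)]
    for f in frags:
        print("MF=%s offset=%d data=%d" % (f.more_fragments, f.offset_bytes, f.data_len))
    print("total data:", sum(f.data_len for f in frags), "reassembled ok:", reassemble(frags) == echo)
```

With the 1500-byte MTU the first fragment carries 1,480 data bytes (MF set, offset 0), the second 1,028 (MF clear, offset 1,480), and the two add up to the 2,508 bytes the activity expects. Feeding reassemble() a fragment whose offset falls inside an earlier one raises instead of silently choosing a copy, which is the behaviour you want from analysis tooling.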
References
• Wireshark: User's Guide [2] http://www.wireshark.org/docs/wsug_html_chunked/
• Wireshark: IPv4 [1] http://wiki.wireshark.org/IPv4
Lesson 6 – Subnetting
Subnetting
This lesson continues the Internet layer and looks at
subnetworks, Classless Inter-Domain Routing (CIDR),
subnetting, and supernetworks. Activities include IPv4
subnetting, and using the Cisco Subnet Game.
Readings
1. Read Wikipedia: Subnetwork.
2. Read Wikipedia: IPv4 subnetting reference.
3. Read Wikipedia: CIDR notation.
4. Read Wikipedia: Classless Inter-Domain Routing.
5. Read Wikipedia: Supernetwork.
Activities
1. Review Cisco: IP Addressing and Subnetting for New Users [1].
2. Review Understanding IP Addressing: Everything You Ever Wanted To Know [2].
3. Experiment with the Online IP Subnet Calculator [3].
4. Review EasySubnetting.com subnetting resources [4].
5. Play the Cisco Subnet Game [5].
6. Consider situations in which a packet analyzer might be used to troubleshoot subnetting and routing traffic.
7. Use the Discuss page to post comments and questions regarding this lesson.
8. Review the lesson summary, key terms, review questions and flashcards below.
Lesson Summary
• An IP address has two fields, a network prefix and a host identifier.[6]
• The network prefix is identified using CIDR notation.[7]
• In IPv4, the network prefix may also be identified using a 32-bit subnet mask in dotted-decimal notation.[8]
• A network is divided into two or more subnetworks by dividing the host identifier field into separate subnet
number and smaller host identifier fields.[9]
• All hosts on a subnetwork have the same network prefix.[10]
• Traffic between subnets is exchanged through a router.[11]
• The first address on any given IPv4 network or subnet is reserved for the network itself.[12]
• The last address on any given IPv4 network or subnet is reserved for broadcast.[13]
• The separation of the network prefix/subnet number from the host identifier is performed by a bitwise AND
operation between the IP address and the (sub)network mask.[14]
• The number of subnetworks created by subnetting can be calculated as 2^n, where n is the number of bits used for
subnetting.[15]
• The number of available hosts on each subnet can be calculated as 2^n - 2, where n is the number of bits available for
the host identifier; the two subtracted addresses are the network address and the broadcast address. (A /31
point-to-point link uses both of its addresses and a /32 is a single host, so the rule applies only with two or more
host bits.)[16]
• The goal of Classless Inter-Domain Routing was to slow the growth of routing tables on routers across the
Internet, and to help slow the rapid exhaustion of IPv4 addresses.[17]
• Classless Inter-Domain Routing is based on variable-length subnet masking (VLSM), which allows a network to
be divided into variously sized subnets, providing the opportunity to size a network more appropriately for local
needs.[18]
• The benefits of supernetting are conservation of address space and efficiencies gained in routers in terms of
memory storage of route information and processing overhead when matching routes.[19]
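The summary above describes subnetting as bit arithmetic: the mask AND the address yields the network prefix, the first and last addresses of a block are reserved, borrowing n host bits gives 2^n subnets, and 2^n - 2 hosts fit in what remains. The following Python functions, added here as an example and not part of the original lesson, carry out that arithmetic on plain integers and cross-check the result against the standard library's ipaddress module. They also handle the /31 and /32 cases where the "minus two" rule does not apply, reject non-contiguous masks, and aggregate several networks into a supernet, which is the route-table reduction CIDR was designed for. All addresses used are examples.

```python
"""Subnetting arithmetic done with the bit operations the lesson describes."""
from __future__ import annotations
import ipaddress  # used only to cross-check the hand-rolled arithmetic


def ip_to_int(dotted: str) -> int:
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix_len: int) -> int:
    """/24 -> 0xFFFFFF00: prefix_len one-bits followed by zero-bits."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length out of range")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def mask_to_prefix(mask: str) -> int:
    """Accept only contiguous masks; 255.0.255.0 is not a valid subnet mask."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if m != prefix_to_mask(ones):
        raise ValueError("non-contiguous mask: %s" % mask)
    return ones


def describe(cidr: str) -> dict:
    """Network, broadcast and usable host count for an address written in CIDR notation."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    mask = prefix_to_mask(prefix)
    network = ip_to_int(addr) & mask            # the bitwise AND from the lesson
    host_bits = 32 - prefix
    if host_bits >= 2:
        usable = 2 ** host_bits - 2             # minus network and broadcast addresses
        broadcast = network | (~mask & 0xFFFFFFFF)
        first, last = network + 1, broadcast - 1
    else:
        usable = 2 ** host_bits                 # /31: both addresses (RFC 3021); /32: one host
        broadcast = None
        first, last = network, network + usable - 1
    return {
        "network": "%s/%d" % (int_to_ip(network), prefix),
        "mask": int_to_ip(mask),
        "broadcast": None if broadcast is None else int_to_ip(broadcast),
        "first_host": int_to_ip(first),
        "last_host": int_to_ip(last),
        "usable_hosts": usable,
    }


def subnets(cidr: str, borrow_bits: int) -> list[str]:
    """Borrow n host bits to make 2^n equal-size subnets."""
    base, prefix = describe(cidr)["network"].split("/")
    new_prefix = int(prefix) + borrow_bits
    if new_prefix > 32:
        raise ValueError("not enough host bits to borrow from")
    size = 2 ** (32 - new_prefix)
    start = ip_to_int(base)
    return ["%s/%d" % (int_to_ip(start + i * size), new_prefix) for i in range(2 ** borrow_bits)]


def same_subnet(a: str, b: str, mask: str) -> bool:
    """Two hosts are on the same subnet when (a AND mask) == (b AND mask)."""
    m = ip_to_int(mask)
    return ip_to_int(a) & m == ip_to_int(b) & m


def supernet(cidrs: list[str]) -> str:
    """Shortest common prefix that covers every given network (route aggregation)."""
    nets = [describe(c)["network"].split("/") for c in cidrs]
    ints = [ip_to_int(n) for n, _ in nets]
    prefix = min(int(p) for _, p in nets)
    while prefix > 0 and len({i & prefix_to_mask(prefix) for i in ints}) > 1:
        prefix -= 1
    return "%s/%d" % (int_to_ip(ints[0] & prefix_to_mask(prefix)), prefix)


def cross_check(cidr: str) -> bool:
    """Compare the hand-rolled arithmetic with the standard library's answer."""
    ours = describe(cidr)
    lib = ipaddress.ip_network(cidr, strict=False)
    ok = ours["network"] == str(lib) and ours["mask"] == str(lib.netmask)
    if ours["broadcast"] is not None:
        ok = ok and ours["broadcast"] == str(lib.broadcast_address)
    return ok


if __name__ == "__main__":
    print(describe("192.168.1.130/26"))
    print(subnets("10.0.0.0/24", 2))
    print(supernet(["192.168.4.0/24", "192.168.5.0/24", "192.168.6.0/24", "192.168.7.0/24"]))
```

The four /24s in the last call share their first 22 bits, so they collapse into 192.168.4.0/22, one routing-table entry instead of four; mask_to_prefix() exists because a mask like 255.0.255.0 parses as a valid IPv4 address yet is not a valid prefix, a mistake that subnet calculators sometimes accept silently.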
Key Terms
bitwise AND
A binary operation that takes two representations of equal length and performs the logical AND operation on
each pair of corresponding bits. The result in each position is 1 if the first bit is 1 and the second bit is 1;
otherwise, the result is 0.[20]
CIDR notation
A compact specification of an Internet Protocol address and its associated routing prefix.[21]
provider-independent address space
A block of IP addresses assigned by a regional Internet registry (RIR) directly to an end-user organization.[22]
routing table
A data table stored in a router or a networked computer that lists the routes to particular network destinations,
and in some cases, metrics (distances) associated with those routes.[23]
subnet
A logically visible subdivision of an IP network.[24]
subnet mask
A 32-bit mask with as many leading 1 bits as the prefix length, followed by 0 bits, usually written in four-part
dotted-decimal notation (for example, 255.255.255.0 for a /24 prefix).[25]
subnetting
The practice of dividing a network into two or more networks.[26]
supernet
An Internet Protocol (IP) network that is formed from the combination of two or more networks (or subnets)
with a common Classless Inter-Domain Routing (CIDR) prefix.[27]
Review Questions
1. An IP address has two fields, _____.
An IP address has two fields, a network prefix and a host identifier.
2. The network prefix is identified using _____.
The network prefix is identified using CIDR notation.
3. In IPv4, in addition to using CIDR notation, the network prefix may be identified using _____.
In IPv4, in addition to using CIDR notation, the network prefix may be identified using a 32-bit subnet mask in
dotted-decimal notation.
4. A network is divided into two or more subnetworks by dividing _____.
A network is divided into two or more subnetworks by dividing the host identifier field into separate subnet number
and smaller host identifier fields.
5. All hosts on a subnetwork have the same _____.
All hosts on a subnetwork have the same network prefix.
6. Traffic between subnets is exchanged through a _____.
Traffic between subnets is exchanged through a router.
7. The first address on any given network or subnet is reserved for _____.
The first address on any given IPv4 network or subnet is reserved for the network itself.
8. The last address on any given IPv4 network or subnet is reserved for _____.
The last address on any given IPv4 network or subnet is reserved for broadcast.
9. The separation of the network prefix/subnet number from the host identifier is performed by _____.
The separation of the network prefix/subnet number from the host identifier is performed by a bitwise AND
operation between the IP address and the (sub)network mask.
10. The number of subnetworks created by subnetting can be calculated as _____.
The number of subnetworks created by subnetting can be calculated as 2^n, where n is the number of bits used for
subnetting.
11. The number of available hosts on each subnet can be calculated as _____.
The number of available hosts on each subnet can be calculated as 2^n - 2, where n is the number of bits available for
the host identifier.
12. The goal of Classless Inter-Domain Routing was to _____.
The goal of Classless Inter-Domain Routing was to slow the growth of routing tables on routers across the Internet,
and to help slow the rapid exhaustion of IPv4 addresses.
13. Classless Inter-Domain Routing is based on _____.
Classless Inter-Domain Routing is based on variable-length subnet masking (VLSM).
14. The benefits of supernetting are _____.
The benefits of supernetting are conservation of address space and efficiencies gained in routers in terms of memory
storage of route information and processing overhead when matching routes.
Flashcards
• Test your understanding of this lesson.
• Test your understanding of the key terms.
References
[1] http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800a67f5.shtml
[2] http://www.apnic.net/services/services-apnic-provides/helpdesk/faqs/obtaining-resources—faqs/3com
[3] http://www.subnet-calculator.com/
[4] http://easysubnetting.com
[5] https://learningnetwork.cisco.com/docs/DOC-1802
[6] Wikipedia: Subnetwork
[7] Wikipedia: Subnetwork
[8] Wikipedia: Subnetwork
[9] Wikipedia: Subnetwork
[10] Wikipedia: Subnet mask#Network addressing and routing
[11] Wikipedia: Subnetwork
[12] Wikipedia: Subnetwork
[13] Wikipedia: Subnetwork#Special addresses and subnets
[14] Wikipedia: Subnetwork#IPv4 subnetting
[15] Wikipedia: Subnetwork#Subnet and host counts
[16] Wikipedia: Subnetwork#Subnet and host counts
[17] Wikipedia: Classless Inter-Domain Routing
[18] Wikipedia: Classless Inter-Domain Routing#Background
[19] Wikipedia: Supernetwork
[20] Wikipedia: Bitwise operation#AND
[21] Wikipedia: CIDR notation
[22] Wikipedia: Provider-independent address space
[23] Wikipedia: Routing table
[24] Wikipedia: Subnetwork
[25] Wikipedia: Classless Inter-Domain Routing#Subnet masks
[26] Wikipedia: Subnetwork
[27] Wikipedia: Supernetwork
Lesson 7 – IPv6
IPv6
This lesson continues the Internet layer and looks at IPv6 and
a variety of IPv6 transition technologies. Activities include
using Wireshark to examine IPv6 network traffic.
Readings
1. Read Wikipedia: IPv6.
2. Read Wikipedia: Link-local address.
3. Read Wikipedia: Teredo tunneling.
4. Read Wikipedia: ISATAP.
5. Read Wikipedia: 6to4.
6. Read Wikipedia: 6in4.
7. Read Wikipedia: NAT64.
Activities
1. Use netsh to configure IPv6 settings.
2. Use Wireshark to capture and analyze local IPv6 traffic.
3. Use Wireshark to capture and analyze remote IPv6 traffic.
4. Use Wireshark to capture and analyze IPv6 Teredo traffic.
5. Use Wireshark to capture and analyze IPv6 6to4 traffic.
6. Use Wireshark to capture and analyze IPv6 6in4 traffic.
7. Consider situations in which a packet analyzer might be used to troubleshoot IPv6 traffic.
8. Use the Discuss page to post comments and questions regarding this lesson.
9. Review the lesson summary, key terms, review questions and flashcards below.
Lesson Summary
• IPv6 is an Internet-layer protocol for packet-switched internetworking and provides end-to-end datagram
transmission across multiple IP networks.[1]
• IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of
running out of IPv4 addresses.[2]
• IPv6 uses 128-bit addresses, commonly displayed to users as eight groups of four hexadecimal digits separated by
colons.[3]
• In an IPv6 address, leading zeroes may be removed from any group of hexadecimal digits. One run of consecutive
all-zero groups may be replaced with a double colon (::); the double colon may appear only once in an address,
since a second one would make the address ambiguous.[4]
• The IPv6 subnet size has been standardized by fixing the size of the host identifier portion of an address to 64
bits.[5]
• IPv6 does not implement interoperability features with IPv4, but essentially creates a parallel, independent
network. Exchanging traffic between the two networks requires special translator gateways.[6]
• Work on IPv6 began by 1992, and was first published in a series of RFCs in 1996.[7]
• Most transport and application-layer protocols need little or no change to operate over IPv6.[8]
• Multicasting is part of the base specification in IPv6. IPv6 does not implement traditional IP broadcast and does
not define broadcast addresses.[9]
• IPv6 hosts can configure themselves automatically when connected to a routed IPv6 network using the Neighbor
Discovery Protocol via Internet Control Message Protocol version 6 (ICMPv6) router discovery messages.[10]
• IPv6 routers do not perform fragmentation.[11]
• Privacy extensions for IPv6 allow the operating system to generate ephemeral IP addresses by concatenating a
randomly generated host identifier with the assigned network prefix for communication with remote hosts.[12]
• The IPv6 header consists of a fixed portion with minimal functionality required for all packets and may be
followed by optional extensions to implement special features. The fixed header requires 40 octets (320 bits) and
contains the source and destination addresses, traffic classification options, a hop counter, and the type of the
optional extension or payload which follows the fixed header.[13]
• The IPv6 loopback address is ::1.[14]
• Link-local addresses begin with fe80::/10.[15]
• Tunneling may be used to enable IPv4 networks to communicate with IPv6 networks. In tunneling, IPv6 packets
are encapsulated within IPv4 packets, in effect using IPv4 as a link layer for IPv6.[16]
• Teredo is an automatic inter-site tunneling technique that uses UDP encapsulation and can cross Network Address
Translation (NAT) nodes.[17] Teredo addresses begin with 2001:0::/32.[18]
• ISATAP is an automatic intra-site tunneling technique that uses IPv4 encapsulation. It cannot cross NAT
nodes.[19] ISATAP addresses embed the IPv4 address in the interface identifier, 0:5efe:w.x.y.z for a private
IPv4 address or 200:5efe:w.x.y.z for a globally unique one, so link-local ISATAP addresses begin with
fe80::5efe/96 or fe80::200:5efe/96.[20]
• 6to4 is an automatic inter-site tunneling technique that uses IPv4 encapsulation. It cannot cross NAT nodes.[21]
6to4 addresses begin with 2002::/16 and relay through 192.88.99.1.[22] (The 192.88.99.0/24 anycast relay prefix
was deprecated by RFC 7526 in 2015, so public 6to4 relays can no longer be relied on.)
• 6in4 is a configured inter-site tunneling technique that uses IPv4 encapsulation. It can cross NAT nodes with
proper configuration.[23] 6in4 addresses are public addresses assigned by the tunnel broker, so the host becomes
reachable from the whole IPv6 Internet through the tunnel, and 6in4 carries no authentication: an endpoint accepts
IPv4 protocol 41 packets that appear to come from its peer, so an attacker who can spoof the peer's IPv4 address
can inject IPv6 packets into the tunnel. Both create security risks.[24]
• NAT64 is a network address translation technique that allows IPv6-only hosts to communicate with IPv4-only
servers. NAT64 server addresses begin with 64:ff9b::/96.[25]
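Every transition technology in the summary above is recognisable from its address prefix, and most of them embed an IPv4 address that tells you which endpoints are involved. The following Python function, added here as an example and not part of the original lesson, classifies an IPv6 address as loopback, multicast, link-local, unique-local, ISATAP, Teredo, 6to4, NAT64 or plain global unicast, and extracts the embedded IPv4 addresses (for Teredo also the server, the flags and the client port, which the Teredo format stores XORed with all-ones). The sample addresses are constructed for the example. This matters when reading the address columns of a capture: a host showing 2001:0:... or 2002:... addresses is carrying IPv6 inside IPv4, which an IPv4-only firewall rule set may never have inspected.

```python
"""Classify an IPv6 address by prefix and recover any IPv4 address embedded in it."""
from __future__ import annotations
import ipaddress

TEREDO = ipaddress.IPv6Network("2001::/32")       # 2001:0::/32 in the lesson's notation
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")
NAT64 = ipaddress.IPv6Network("64:ff9b::/96")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")
ISATAP_IIDS = (0x00005EFE, 0x02005EFE)            # upper 32 bits of an ISATAP interface ID


def _v4(n: int) -> str:
    return str(ipaddress.IPv4Address(n & 0xFFFFFFFF))


def classify(text: str) -> dict:
    """Return the address kind and the IPv4 endpoints encoded inside it, if any.
    A Windows zone index such as %11 on a link-local address is ignored."""
    addr = ipaddress.IPv6Address(text.split("%")[0])
    n = int(addr)
    iid = n & 0xFFFFFFFFFFFFFFFF                  # low 64 bits: the interface identifier
    info = {"address": addr.compressed, "kind": "global unicast", "ipv4": None}

    if addr == ipaddress.IPv6Address("::1"):
        info["kind"] = "loopback"
    elif addr.is_multicast:
        info["kind"] = "multicast"
    elif addr in TEREDO:
        # 2001:0000 | server IPv4 | flags | client port ^ 0xffff | client IPv4 ^ 0xffffffff
        info.update(kind="Teredo",
                    server=_v4(n >> 64),
                    flags=(n >> 48) & 0xFFFF,
                    client_port=((n >> 32) & 0xFFFF) ^ 0xFFFF,
                    ipv4=_v4((n & 0xFFFFFFFF) ^ 0xFFFFFFFF))
    elif addr in SIXTOFOUR:
        # 2002 | IPv4 of the 6to4 router | 16-bit subnet ID | interface ID
        info.update(kind="6to4", ipv4=_v4(n >> 80))
    elif addr in NAT64:
        # 64:ff9b:: | IPv4 of the real destination behind the translator
        info.update(kind="NAT64", ipv4=_v4(n))
    else:
        if addr in LINK_LOCAL:
            info["kind"] = "link-local"
        elif addr in UNIQUE_LOCAL:
            info["kind"] = "unique-local"
        # ISATAP can sit under any unicast prefix: the interface ID is 0000:5efe:w.x.y.z,
        # or 0200:5efe:w.x.y.z when the embedded IPv4 address is globally unique
        if (iid >> 32) in ISATAP_IIDS:
            info["kind"] += " ISATAP"
            info["ipv4"] = _v4(iid)
    return info


def tunnel_endpoints(addresses: list[str]) -> dict[str, set[str]]:
    """For a list of addresses seen in a capture, group the IPv4 hosts that sit behind
    transition tunnels by tunnel type (NAT64 is translation, not a tunnel, so it is skipped)."""
    seen: dict[str, set[str]] = {}
    for a in addresses:
        info = classify(a)
        kind = info["kind"]
        if info["ipv4"] and (kind in ("Teredo", "6to4") or kind.endswith("ISATAP")):
            seen.setdefault(kind, set()).add(info["ipv4"])
    return seen


if __name__ == "__main__":
    # constructed sample addresses, one per kind discussed in the lesson
    for sample in ("2001:0:4136:e378:8000:63bf:3fff:fdd2", "2002:c000:204::1",
                   "fe80::5efe:10.0.0.5%11", "64:ff9b::192.0.2.33", "fe80::1", "::1"):
        print(classify(sample))
```

The Teredo decoding is the part worth checking by hand once: in 2001:0:4136:e378:8000:63bf:3fff:fdd2 the server field 4136:e378 is 65.54.227.120, the port 63bf XOR ffff is 9c40 (40000), and the client 3fff:fdd2 XOR ffff:ffff is c000:022d, i.e. 192.0.2.45, the obfuscation that keeps NAT devices from rewriting the embedded values.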
Key Terms
anycast
A network addressing and routing methodology in which datagrams from a single sender are routed to the
topologically nearest node in a group of potential receivers, though it may be sent to several nodes, all
identified by the same destination address.[26]
Data Over Cable Service Interface Specification (DOCSIS)
An international telecommunications standard that permits the addition of high-speed data transfer to an
existing cable TV (CATV) system.[27]
end-to-end principle
A classic computer network design principle which states that application-specific functions ought to reside in
the end hosts of a network rather than in intermediary nodes – provided they can be implemented completely
and correctly in the end hosts.[28]
hop count
A count of the intermediate devices (routers) through which data must pass between source and destination.[29]
jumbogram
An internet layer packet exceeding the standard Maximum Transmission Unit (MTU) of the underlying
network technology.[30]
Mobile IP
An Internet Engineering Task Force (IETF) standard communications protocol that is designed to allow
mobile device users to move from one network to another while maintaining a permanent IP address.[31]
Path MTU Discovery (PMTUD)
A standardized technique for determining the maximum transmission unit (MTU) size on the network path
between two Internet Protocol (IP) hosts.[32]
proxy server
A computer system or application that acts as an intermediary for requests from clients seeking resources from
other servers.[33]
Quality of Service (QoS)
The ability to provide different priority to different applications, users, or data flows, or to guarantee a certain
level of performance to a data flow.[34]
Stateless Address Autoconfiguration (SLAAC)
A method by which a node automatically creates a link-local address with the prefix fe80::/64 on each
IPv6-enabled interface, even if globally routable addresses are manually configured or obtained through
configuration protocols.[35]
tunneling protocol
The use of one network protocol (the delivery protocol) to encapsulate a different payload protocol.[36]
World IPv6 Launch
The Internet Society declared June 6, 2012 to be the date for “World IPv6 Launch”, with participating major
websites enabling IPv6 permanently, participating ISPs offering IPv6 connectivity, and participating router
manufacturers offering devices enabled for IPv6 by default.[37]
Review Questions
1. IPv6 is an _____-layer protocol for packet-switched internetworking and provides end-to-end datagram
transmission across multiple IP networks.
IPv6 is an Internet-layer protocol for packet-switched internetworking and provides end-to-end datagram
transmission across multiple IP networks.
2. IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of
_____.
IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of
running out of IPv4 addresses.
3. IPv6 uses _____-bit addresses, commonly displayed to users as _____ groups of _____ hexadecimal digits
separated by _____.
IPv6 uses 128-bit addresses, commonly displayed to users as eight groups of four hexadecimal digits separated by
colons.
4. In an IPv6 address, leading zeroes may be removed from any group of hexadecimal digits. Multiple consecutive
groups of zeroes may be replaced with _____.
In an IPv6 address, leading zeroes may be removed from any group of hexadecimal digits. Multiple consecutive
groups of zeroes may be replaced with a double colon (::).
5. The IPv6 subnet size has been standardized by fixing the size of the host identifier portion of an address to _____
bits.
The IPv6 subnet size has been standardized by fixing the size of the host identifier portion of an address to 64 bits.
6. IPv6 does not implement interoperability features with IPv4, but essentially creates a _____. Exchanging traffic
between the two networks requires special translator _____.
IPv6 does not implement interoperability features with IPv4, but essentially creates a parallel, independent network.
Exchanging traffic between the two networks requires special translator gateways.
7. Work on IPv6 began by _____, and was first published in a series of RFCs in _____.
Work on IPv6 began by 1992, and was first published in a series of RFCs in 1996.
8. Most transport and application-layer protocols need _____ to operate over IPv6.
Most transport and application-layer protocols need little or no change to operate over IPv6.
9. Multicasting is part of the base specification in IPv6. IPv6 does not implement traditional IP _____ and does not
define _____.
Multicasting is part of the base specification in IPv6. IPv6 does not implement traditional IP broadcast and does not
define broadcast addresses.
10. IPv6 hosts can configure themselves automatically when connected to a routed IPv6 network using the _____ via
Internet Control Message Protocol version 6 (ICMPv6) router discovery messages.
IPv6 hosts can configure themselves automatically when connected to a routed IPv6 network using the Neighbor
Discovery Protocol via Internet Control Message Protocol version 6 (ICMPv6) router discovery messages.
11. IPv6 routers do not perform _____.
IPv6 routers do not perform fragmentation.
12. Privacy extensions for IPv6 allow the operating system to generate _____ for communication with remote hosts.
Privacy extensions for IPv6 allow the operating system to generate ephemeral IP addresses by concatenating a
randomly generated host identifier with the assigned network prefix for communication with remote hosts.
13. The IPv6 header consists of a fixed portion with minimal functionality required for all packets and may be
followed by optional extensions to implement special features. The fixed header requires _____ octets (_____ bits)
and contains _____.
The IPv6 header consists of a fixed portion with minimal functionality required for all packets and may be followed
by optional extensions to implement special features. The fixed header requires 40 octets (320 bits) and contains the
source and destination addresses, traffic classification options, a hop counter, and the type of the optional extension
or payload which follows the fixed header.
14. The IPv6 loopback address is _____.
The IPv6 loopback address is ::1.
15. Link-local addresses begin with _____.
Link-local addresses begin with the prefix fe80::/10.
16. Tunneling may be used to enable IPv4 networks to communicate with IPv6 networks. In tunneling, _____
packets are encapsulated within _____ packets, in effect using _____ as a _____ layer for _____.
Tunneling may be used to enable IPv4 networks to communicate with IPv6 networks. In tunneling, IPv6 packets are
encapsulated within IPv4 packets, in effect using IPv4 as a link layer for IPv6.
17. Teredo is an _____ _____-site tunneling technique that uses _____ encapsulation and _____ cross Network
Address Translation (NAT) nodes.
Teredo is an automatic inter-site tunneling technique that uses UDP encapsulation and can cross Network Address
Translation (NAT) nodes.
18. Teredo addresses begin with _____.
Teredo addresses begin with 2001:0::/32.
19. ISATAP is an _____ _____-site tunneling technique that uses _____ encapsulation. It _____ cross NAT nodes.
ISATAP is an automatic intra-site tunneling technique that uses IPv4 encapsulation. It cannot cross NAT nodes.
20. ISATAP addresses begin with _____.
ISATAP link-local addresses begin with fe80::200:5efe/96, or fe80::5efe/96 when the embedded IPv4 address is
private.
21. 6to4 is an _____ _____-site tunneling technique that uses _____ encapsulation. It _____ cross NAT nodes.
6to4 is an automatic inter-site tunneling technique that uses IPv4 encapsulation. It cannot cross NAT nodes.
22. 6to4 addresses begin with _____ and relay through _____.
6to4 addresses begin with 2002::/16 and relay through 192.88.99.1.
23. 6in4 is a _____ _____-site tunneling technique that uses _____ encapsulation. It _____ cross NAT nodes.
6in4 is a configured inter-site tunneling technique that uses IPv4 encapsulation. It can cross NAT nodes.
24. 6in4 addresses are _____ addresses assigned by the tunnel broker, and therefore create security risks.
6in4 addresses are public addresses assigned by the tunnel broker, and therefore create security risks.
25. NAT64 is a _____ that allows _____-only hosts to communicate with _____-only servers.
NAT64 is a network address translation technique that allows IPv6-only hosts to communicate with IPv4-only
servers.
26. NAT64 server addresses begin with _____.
NAT64 server addresses begin with 64:ff9b::/96.
Flashcards
• Test your understanding of this lesson.
• Test your understanding of the key terms.
References
[1] Wikipedia: IPv6#Technical definition
[2] Wikipedia: IPv6
[3] Wikipedia: IPv6
[4] Wikipedia: IPv6#Address format
[5] Wikipedia: IPv6#Technical definition
[6] Wikipedia: IPv6#Technical definition
[7] Wikipedia: IPv6#Working-group proposal
[8] Wikipedia: IPv6#Comparison to IPv4
[9] Wikipedia: IPv6#Multicasting
[10] Wikipedia: IPv6#Stateless address autoconfiguration (SLAAC)
[11] Wikipedia: IPv6#Simplified processing by routers
[12] Wikipedia: IPv6#Privacy
[13] Wikipedia: IPv6#Packet format
[14] Wikipedia: IPv6#Address format
[15] Wikipedia: Link-local address
[16] Wikipedia: IPv6#Tunneling
[17] Wikipedia: IPv6#Automatic tunneling
[18] Wikipedia: Teredo tunneling
[19] Wikipedia: IPv6#Automatic tunneling
[20] Wikipedia: ISATAP
[21] Wikipedia: IPv6#Automatic tunneling
[22] Wikipedia: 6to4
[23] Wikipedia: IPv6#Configured and automated tunneling (6in4)
[24] Wikipedia: 6in4
[25] Wikipedia: NAT64
[26] Wikipedia: Anycast
[27] Wikipedia: DOCSIS
[28] Wikipedia: End-to-end principle
[29] Wikipedia: Hop count
[30] Wikipedia: Jumbogram
[31] Wikipedia: Mobile IPv6
[32] Wikipedia: Path MTU discovery
[33] Wikipedia: Proxy server
[34] Wikipedia: Quality of service
[35] Wikipedia: IPv6 address#Stateless address autoconfiguration
[36] Wikipedia: Tunneling protocol
[37] Wikipedia: IPv6 deployment#World IPv6 Launch
Configure IPv6 Settings
Netsh is a Windows command used to display and modify the network configuration of a currently running local or
remote computer. These activities will show you how to use the netsh command to configure IPv6 settings, including
turning the Teredo, ISATAP and 6to4 transition tunnels off and on. These tunnels carry IPv6 inside IPv4 and are
enabled by default on many Windows versions; disabling the ones you do not need removes a path for IPv6 traffic that
IPv4-only monitoring and filtering may not inspect.
Note: To complete this activity, you must have an administrative user account or know the username and
password of an administrator account you can enter when prompted.
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
Activity 1 – Display IPv6 Information
To display IPv6 information:
1. Open an elevated/administrator command prompt.
2. Use ipconfig to display IP address information. Observe the results. If IPv6 is enabled, you should see one or
more IPv6 addresses. A typical Windows 7 computer has a Link-local IPv6 Address, an ISATAP tunnel adapter
with media disconnected, and a Teredo tunnel adapter. Link-local addresses begin with fe80::/10. ISATAP
addresses are link-local addresses whose interface identifier embeds the IPv4 address; Windows shows them as
fe80::5efe:w.x.y.z for a private IPv4 address (fe80::200:5efe:w.x.y.z when the IPv4 address is globally unique).
Teredo addresses begin with 2001:0::/32.
3. Type netsh interface ipv6 show interfaces and press Enter. Observe the results listing the interfaces on which
IPv6 is enabled. Note that all netsh parameters may be abbreviated, as long as the abbreviation is a unique
parameter. netsh interface ipv6 show interfaces may be entered as netsh i ipv6 sh i.
4. Type netsh interface ipv6 show addresses and press Enter. Observe the results listing the interface IPv6
addresses.
5. Type netsh interface ipv6 show destinationcache and press Enter. Observe the results listing recent IPv6
destinations.
6. Type netsh interface ipv6 show dnsservers and press Enter. Observe the results listing IPv6 DNS server
settings.
7. Type netsh interface ipv6 show neighbors and press Enter. Observe the results listing IPv6 neighbors. This is
similar to the IPv4 ARP cache, and like ARP the Neighbor Discovery messages that fill it are unauthenticated.
8. Type netsh interface ipv6 show route and press Enter. Observe the results listing IPv6 route information.
Activity 2 – Disable Teredo
To disable Teredo:
1. Type netsh interface teredo set state disabled and press Enter.
2. Use ipconfig to confirm that Teredo was disabled.
Activity 3 – Disable ISATAP
To disable ISATAP:
1. Type netsh interface isatap set state disabled and press Enter.
2. Use ipconfig to confirm that ISATAP was disabled.
Activity 4 – Enable 6to4
To enable 6to4:
1. Type netsh interface 6to4 set state enabled and press Enter.
2. Use ipconfig to confirm that 6to4 was enabled.
Note that 6to4 will show media disconnected if you have a private IP address.
Activity 5 – Disable 6to4
To disable 6to4:
1. Type netsh interface 6to4 set state disabled and press Enter.
2. Use ipconfig to confirm that 6to4 was disabled.
Activity 6 – Enable 6in4
To enable a functioning 6in4 tunnel, you must register with a tunnel broker:
1. Visit http://tunnelbroker.net.
2. Register with the service.
3. Complete the NewB certification.
4. Create a Regular Tunnel. Fill in the necessary information.
5. View Example Configurations. Select your operating system. For recent Windows operating systems, the netsh
command sequence would be similar to:
• netsh interface ipv6 add v6v4tunnel IP6Tunnel
• netsh interface ipv6 add address IP6Tunnel
• netsh interface ipv6 add route ::/0 IP6Tunnel
6. Use ipconfig to confirm that a 6in4 tunnel was created.
Activity 7 – Disable 6in4
1. Type netsh interface ipv6 show interface and press Enter.
2. Identify the interface ID of the 6in4 tunnel created in Activity 6.
3. Type netsh interface ipv6 delete interface id, where id is the ID number of the 6in4 tunnel. Then press Enter.
4. Use ipconfig to confirm that the 6in4 tunnel was deleted.
Activity 8 – Enable Teredo
To enable Teredo:
1. Type netsh interface teredo set state enabled and press Enter.
2. Use ipconfig to confirm that Teredo was enabled.
Activity 9 – Enable ISATAP
To enable ISATAP:
1. Type netsh interface isatap set state enabled and press Enter.
2. Use ipconfig to confirm that ISATAP was enabled.
3. Close the command prompt to complete this activity.
Activity 10 – Reset IPv6
To reset IPv6:
1. Type netsh interface ipv6 reset and press Enter.
2. Close the command prompt and restart the computer to complete this activity.
Readings
• Wikipedia: IPv6
• Wikipedia: Teredo
• Wikipedia: ISATAP
• Wikipedia: 6to4
• Wikipedia: 6in4
References
• Microsoft TechNet: Netsh commands for Interface IPv4 and IPv6 [1]
• Hurricane Electric Free IPv6 Tunnel Broker [2]
[1] http://technet.microsoft.com/en-us/library/cc770948(v=ws.10).aspx
[2] http://tunnelbroker.net/
Capture and Analyze Local IPv6 Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and analyze local IPv6 traffic.
Readings
• Wikipedia: IPv6
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
Activity 1 – Capture Local IPv6 Traffic
To capture local IPv6 traffic:
1. Use ipconfig to display the default gateway address. Note the Default Gateway displayed. Be sure to select an
IPv6 address. If you don’t have an IPv6 default gateway, just review the following instructions for content
understanding.
2. Start a Wireshark capture.
3. Use ping to ping the default gateway IPv6 address noted in step 1.
4. Stop the Wireshark capture.
Activity 2 – Analyze Local IPv6 Outbound Traffic
To analyze local IPv6 outbound traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMPv6 listed as the
protocol. To view only ICMPv6 traffic, type icmpv6 (lower case) in the Filter box and press Enter.
2. Select the first ICMPv6 packet or scroll down if necessary to locate the first packet labeled Echo (ping) request.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 6 / Internet Control Message Protocol v6 frame.
4. Expand Ethernet II to view Ethernet details.
5. Observe the Destination field. This should contain the MAC address of your default gateway. You can use netsh
interface ipv6 show neighbors to confirm.
6. Observe the Source field. This should contain your MAC address. You can use ipconfig /all or getmac to confirm.
7. Observe the Type field. Notice that the type is 0x86dd, indicating IPv6.
8. Expand Internet Protocol Version 6 to view IPv6 details.
9. Observe the Source address. Notice that the source address is your IPv6 address.
10. Observe the Destination address. Notice that the destination address is the default gateway IPv6 address.
Activity 3 – Analyze Local IPv6 Inbound Traffic
To analyze local IPv6 inbound traffic:
1. In the top Wireshark packet list pane, select the next ICMPv6 packet, labeled Echo (ping) reply.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 6 / Internet Control Message Protocol v6 frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination field. This should contain your MAC address.
5. Observe the Source field. This should contain the MAC address of your default gateway.
6. Observe the Type field. Notice that the type is 0x86dd, indicating IPv6.
7. Expand Internet Protocol Version 6 to view IPv6 details.
8. Observe the Source address. Notice that the source address is the default gateway IPv6 address.
9. Observe the Destination address. Notice that the destination address is your IPv6 address.
10. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
• Wireshark: User’s Guide [2]
• Wireshark: IPv4 [1]
[1] http://wiki.wireshark.org/IPv4
[2] http://www.wireshark.org/docs/wsug_html_chunked/
Capture and Analyze Remote IPv6 Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and analyze remote IPv6 traffic.
Readings
• Wikipedia: IPv6
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
Activity 1 – Capture Remote IPv6 Traffic
To capture remote IPv6 traffic:
1. Start a Wireshark capture.
2. Use ping 2001:4860:4860::8888 to ping an Internet host by IPv6 address.
3. Stop the Wireshark capture.
Activity 2 – Analyze Remote IPv6 Outbound Traffic
To analyze remote IPv6 outbound traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMPv6 listed as the
protocol. To view only ICMPv6 traffic, type icmpv6 (lower case) in the Filter box and press Enter.
2. Select the first ICMPv6 packet, labeled Echo (ping) request.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 6 / Internet Control Message Protocol v6 frame.
4. Expand Ethernet II to view Ethernet details.
5. Observe the Destination field. This should contain the MAC address of your default gateway. You can use netsh
interface ipv6 show neighbors to confirm. Notice that remote Internet layer traffic is processed as local Link
layer traffic. The default gateway will route the packet to the Internet.
6. Observe the Source field. This should contain your MAC address. You can use ipconfig /all or getmac to confirm.
7. Observe the Type field. Notice that the type is 0x86dd, indicating IPv6.
8. Expand Internet Protocol Version 6 to view IPv6 details.
9. Observe the Source address. Notice that the source address is your IPv6 address.
10. Observe the Destination address. Notice that the destination address is the Internet host IPv6 address.
Activity 3 – Analyze Remote IPv6 Inbound Traffic
To analyze remote IPv6 inbound traffic:
1. In the top Wireshark packet list pane, select the next ICMPv6 packet, labeled Echo (ping) reply.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 6 / Internet Control Message Protocol v6 frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination field. This should contain your MAC address.
5. Observe the Source field. This should contain the MAC address of your default gateway. Notice that the remote
Internet layer traffic is returned as local Link layer traffic. The routers between the Internet host and your
network routed the packet back to your router so that it could forward the packet back to your computer.
6. Observe the Type field. Notice that the type is 0x86dd, indicating IPv6.
7. Expand Internet Protocol Version 6 to view IPv6 details.
8. Observe the Source address. Notice that the source address is the Internet host IPv6 address.
9. Observe the Destination address. Notice that the destination address is your IPv6 address.
10. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
• Wireshark: User’s Guide [2]
• Wireshark: IPv6 [1]
[1] http://wiki.wireshark.org/IPv6
[2] http://www.wireshark.org/docs/wsug_html_chunked/
Capture and Analyze IPv6 Teredo Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and analyze IPv6 Teredo traffic.
Readings
• Wikipedia: IPv6
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
4. Enable Teredo if necessary.
Activity 1 – Capture IPv6 Teredo Traffic
To capture IPv6 Teredo traffic:
1. Use ipconfig /all to verify that you have a Teredo tunnel adapter. If not, simply read along to understand the
following concepts.
2. Start a Wireshark capture.
3. Use ping 2001:4860:4860::8888 to ping an Internet host by IPv6 address.
4. Stop the Wireshark capture.
Activity 2 – Analyze IPv6 Teredo Traffic
To analyze IPv6 Teredo traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. Type teredo (lower case) in the Filter box and
press Enter to select Teredo traffic.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 4 / User Datagram Protocol / Teredo IPv6 Over UDP Tunneling / Internet Protocol Version 6 /
Internet Control Message Protocol v6 frame. The IPv6 / ICMPv6 packets are encapsulated inside IPv4 / UDP
packets and forwarded to a Teredo server for IPv6 forwarding.
3. Expand Internet Protocol Version 6 and identify the Source Teredo Port number.
4. Modify the Filter box to teredo || udp.port == port, where port is the Source Teredo Port number identified in
step 3. For example, if the port number is 54321, you would enter a filter of teredo || udp.port == 54321. Then
press Enter.
5. Observe the IPv6 Teredo traffic.
6. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
• Wireshark: User’s Guide [2]
[2] http://www.wireshark.org/docs/wsug_html_chunked/
Capture and Analyze IPv6 6to4 Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and analyze IPv6 6to4 traffic.
Readings
• Wikipedia: IPv6
• Wikipedia: 6to4
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
4. Enable 6to4 if necessary.
Activity 1 – Capture IPv6 6to4 Traffic
To capture IPv6 6to4 traffic:
1. Use ipconfig /all to verify that you have a 6TO4 tunnel adapter. If not, simply read along to understand the
following concepts.
2. Start a Wireshark capture.
3. Use ping 2001:4860:4860::8888 to ping an Internet host by IPv6 address.
4. Stop the Wireshark capture.
Activity 2 – Analyze IPv6 6to4 Traffic
To analyze IPv6 6to4 traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. Type ipv6.addr == 2001:4860:4860::8888
(lower case) in the Filter box and press Enter to select the generated traffic.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 4 / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame. The IPv6 /
ICMPv6 packets are encapsulated inside IPv4 packets and forwarded to the 6to4 relay at 192.88.99.1 for
IPv6 forwarding.
3. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
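Several facts in these activities can be checked from an address alone: the prefixes listed in Activity 1 of Configure IPv6 Settings (link-local fe80::/10, ISATAP fe80::200:5efe/96, Teredo 2001:0::/32), the Source Teredo Port that the Teredo activity turns into a teredo || udp.port == filter, and the note that 6to4 shows media disconnected behind a private IPv4 address. The Python script below is an added example written for this guide, not part of the original Wikiversity activity. It decodes the Teredo server, client port and client address embedded in a Teredo address, recovers the IPv4 address embedded in ISATAP and 6to4 addresses, and builds the Wireshark display filter from the decoded port. The 6to4 prefix 2002::/16 and the Teredo address layout come from RFC 3056 and RFC 4380 rather than from this page; the sample Teredo address (server 65.54.227.120, port 40000, client 192.0.2.45) and the other sample addresses are constructed documentation values.

```python
"""Classify IPv6 addresses by the prefixes the activities describe (link-local
fe80::/10, ISATAP fe80::200:5efe/96, Teredo 2001:0::/32, plus the well-known
6to4 prefix 2002::/16) and decode the tunnel parameters embedded in them."""
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
TEREDO = ipaddress.IPv6Network("2001::/32")
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")
# RFC 1918 ranges: a 6to4 prefix derived from one of these is not routable,
# which is why 6to4 shows "media disconnected" behind a private IPv4 address.
RFC1918 = [ipaddress.IPv4Network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def decode_teredo(addr):
    """RFC 4380 layout: bits 32-63 Teredo server IPv4, 64-79 flags, 80-95 client
    UDP port (stored inverted), 96-127 client public IPv4 (stored inverted)."""
    n = int(addr)
    return {
        "server": str(ipaddress.IPv4Address((n >> 64) & 0xFFFFFFFF)),
        "flags": (n >> 48) & 0xFFFF,
        "port": ((n >> 32) & 0xFFFF) ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
    }


def is_isatap(addr):
    """ISATAP interface identifier ::[02]00:5efe:w.x.y.z; the u/g bit (0x0200)
    is masked off so both forms match."""
    iid_high = (int(addr) >> 32) & 0xFFFFFFFF
    return (iid_high & 0xFDFFFFFF) == 0x00005EFE


def classify(text):
    """Return a dict describing the address kind and any embedded IPv4 data."""
    addr = ipaddress.IPv6Address(text)
    info = {"address": str(addr), "kind": "other"}
    if addr in TEREDO:
        info["kind"] = "teredo"
        info.update(decode_teredo(addr))
        # The display filter the Teredo activity builds from the decoded port.
        info["filter"] = "teredo || udp.port == %d" % info["port"]
    elif addr in SIXTOFOUR:
        info["kind"] = "6to4"
        # Bits 16-47 carry the public IPv4 address the prefix was derived from.
        info["ipv4"] = str(ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF))
    elif addr in LINK_LOCAL:
        if is_isatap(addr):
            info["kind"] = "isatap"
            info["ipv4"] = str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))
        else:
            info["kind"] = "link-local"
    elif addr.is_global:
        info["kind"] = "global"
    return info


def sixtofour_prefix(ipv4_text):
    """2002:WWXX:YYZZ::/48 for a public IPv4 address, None for an RFC 1918 one."""
    v4 = ipaddress.IPv4Address(ipv4_text)
    if any(v4 in net for net in RFC1918):
        return None
    n = int(v4)
    return "2002:%04x:%04x::/48" % (n >> 16, n & 0xFFFF)


if __name__ == "__main__":
    # Constructed samples; the Teredo one follows the RFC 4380 layout with
    # server 65.54.227.120, port 40000 and client 192.0.2.45.
    for sample in ("2001:0:4136:e378:8000:63bf:3fff:fdd2", "fe80::200:5efe:c0a8:101",
                   "fe80::1", "2002:c000:22d::1", "2001:4860:4860::8888"):
        print(classify(sample))
    print(sixtofour_prefix("192.0.2.45"), sixtofour_prefix("192.168.1.10"))
```

Because the Teredo address publishes the client's external IPv4 address and UDP port, anyone who sees the address in a capture learns where the tunnel terminates; that is also why decoding it gives you the exact udp.port value the filter in Activity 2 needs.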
References
• Wireshark: User’s Guide [2]
[2] http://www.wireshark.org/docs/wsug_html_chunked/
Capture and Analyze IPv6 6in4 Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and analyze IPv6 6in4 traffic.
Readings
• Wikipedia: IPv6
• Wikipedia: 6in4
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
4. Establish an IPv6 6in4 tunnel.
Activity 1 – Capture IPv6 6in4 Traffic
To capture IPv6 6in4 traffic:
1. Use ipconfig /all to verify that you have an IPv6 tunnel adapter. If not, simply read along to understand the
following concepts.
2. Start a Wireshark capture.
3. Use ping 2001:4860:4860::8888 to ping an Internet host by IPv6 address.
4. Stop the Wireshark capture.
Activity 2 – Analyze IPv6 6in4 Traffic
To analyze IPv6 6in4 traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. Type ipv6.addr == 2001:4860:4860::8888
(lower case) in the Filter box and press Enter to select the generated traffic.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 4 / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame. The IPv6 /
ICMPv6 packets are encapsulated inside IPv4 packets and forwarded to a 6in4 IPv6 server for IPv6
forwarding.
3. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
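The Teredo, 6to4 and 6in4 activities each describe an encapsulation chain as Wireshark's packet details pane lists it. The Python script below is an added example written for this guide, not part of the original Wikiversity activity: it dissects constructed Ethernet frames into the same chains (native Ethernet II / IPv6 / ICMPv6; IPv4 / UDP / Teredo / IPv6; IPv4 / IPv6 for protocol-41 tunnels), reports the MAC, EtherType, address and ICMPv6 type fields the earlier activities ask you to observe, and flags which frames carry IPv6 inside IPv4. The MAC addresses, the 192.0.2.45 and 198.51.100.7 endpoint addresses and the inner 2001:db8:1::2 address are constructed documentation values; the Teredo service port 3544 and IPv4 protocol number 41 come from RFC 4380 and RFC 4213, not from this page. Checksums in the constructed frames are left at zero and are not verified.

```python
"""Walk the encapsulation chain of captured frames the way Wireshark's packet
details pane lists it: native Ethernet II / IPv6 / ICMPv6, Teredo (IPv4 / UDP
port 3544 / IPv6) and protocol-41 tunnels (6to4 via the 192.88.99.1 relay, or
a configured 6in4 tunnel)."""
import struct
import ipaddress

ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD
PROTO_UDP, PROTO_IPV6, PROTO_ICMPV6 = 17, 41, 58
TEREDO_PORT = 3544
SIXTOFOUR_NET = ipaddress.IPv6Network("2002::/16")
ICMPV6_NAMES = {128: "Echo (ping) request", 129: "Echo (ping) reply"}


def mac(raw):
    return ":".join("%02x" % b for b in raw)


def parse_ipv6(data, layers, info):
    vtf, plen, next_hdr, _hop_limit = struct.unpack("!IHBB", data[:8])
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 header")
    layers.append("Internet Protocol Version 6")
    info["ipv6_src"] = str(ipaddress.IPv6Address(data[8:24]))
    info["ipv6_dst"] = str(ipaddress.IPv6Address(data[24:40]))
    if next_hdr == PROTO_ICMPV6:  # IPv6 extension headers are not handled here
        icmp = data[40:40 + plen]
        layers.append("Internet Control Message Protocol v6")
        info["icmpv6_type"] = icmp[0]
        info["icmpv6_name"] = ICMPV6_NAMES.get(icmp[0], "type %d" % icmp[0])


def parse_ipv4(data, layers, info):
    ihl = (data[0] & 0x0F) * 4
    proto = data[9]
    layers.append("Internet Protocol Version 4")
    info["ipv4_src"] = str(ipaddress.IPv4Address(data[12:16]))
    info["ipv4_dst"] = str(ipaddress.IPv4Address(data[16:20]))
    payload = data[ihl:]
    if proto == PROTO_IPV6:
        # 6to4 and 6in4 both carry IPv6 directly in IPv4 protocol 41; the inner
        # source address tells them apart (6to4 sources are always in 2002::/16).
        parse_ipv6(payload, layers, info)
        inner_src = ipaddress.IPv6Address(info["ipv6_src"])
        info["tunnel"] = "6to4" if inner_src in SIXTOFOUR_NET else "6in4"
    elif proto == PROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        layers.append("User Datagram Protocol")
        inner = payload[8:]
        # Plain Teredo data packet: the IPv6 header follows UDP directly. Packets
        # carrying Teredo origin/authentication indications are not decoded here.
        if TEREDO_PORT in (sport, dport) and inner and inner[0] >> 4 == 6:
            layers.append("Teredo IPv6 over UDP tunneling")
            info["tunnel"] = "teredo"
            parse_ipv6(inner, layers, info)


def parse_frame(frame):
    """Return the layer chain plus the fields the activities ask you to observe."""
    etype = struct.unpack("!H", frame[12:14])[0]
    layers = ["Ethernet II"]
    info = {"eth_dst": mac(frame[:6]), "eth_src": mac(frame[6:12]),
            "eth_type": etype, "tunnel": None}
    if etype == ETHERTYPE_IPV6:
        parse_ipv6(frame[14:], layers, info)
    elif etype == ETHERTYPE_IPV4:
        parse_ipv4(frame[14:], layers, info)
    info["layers"] = " / ".join(layers)
    return info


def tunnelled_ipv6(frames):
    """Which frames carry IPv6 hidden inside IPv4 (what an IPv4-only filter sees)."""
    return [p["tunnel"] for p in map(parse_frame, frames) if p["tunnel"]]


# Constructed sample frames (checksums left at zero; they are not verified here).
def ether(dst, src, etype, payload):
    return (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
            + struct.pack("!H", etype) + payload)


def ipv4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 128, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def icmpv6_echo(src, dst):
    msg = struct.pack("!BBHHH", 128, 0, 0, 1, 1) + b"abcdefghijklmnopqrstuvwabcdefghi"
    hdr = struct.pack("!IHBB", 6 << 28, len(msg), PROTO_ICMPV6, 128)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + msg


HOST_MAC, GW_MAC = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"  # constructed
NATIVE = ether(GW_MAC, HOST_MAC, ETHERTYPE_IPV6, icmpv6_echo("fe80::10", "fe80::1"))
TEREDO = ether(GW_MAC, HOST_MAC, ETHERTYPE_IPV4, ipv4("192.0.2.45", "65.54.227.120", PROTO_UDP,
    udp(40000, TEREDO_PORT, icmpv6_echo("2001:0:4136:e378:8000:63bf:3fff:fdd2", "2001:4860:4860::8888"))))
SIXTOFOUR = ether(GW_MAC, HOST_MAC, ETHERTYPE_IPV4, ipv4("192.0.2.45", "192.88.99.1", PROTO_IPV6,
    icmpv6_echo("2002:c000:22d::1", "2001:4860:4860::8888")))
SIXIN4 = ether(GW_MAC, HOST_MAC, ETHERTYPE_IPV4, ipv4("192.0.2.45", "198.51.100.7", PROTO_IPV6,
    icmpv6_echo("2001:db8:1::2", "2001:4860:4860::8888")))

if __name__ == "__main__":
    for frame in (NATIVE, TEREDO, SIXTOFOUR, SIXIN4):
        print(parse_frame(frame)["layers"])
    print(tunnelled_ipv6([NATIVE, TEREDO, SIXTOFOUR, SIXIN4]))
```

The tunnelled_ipv6 result is the point a defender cares about: a chain such as Ethernet II / IPv4 / UDP / Teredo / IPv6 on a segment where only IPv4 is expected means IPv6 traffic is crossing a boundary that inspects only IPv4, unless that boundary also looks at IPv4 protocol 41 and UDP port 3544.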
References
• Wireshark: User’s Guide [2]
[2] http://www.wireshark.org/docs/wsug_html_chunked/
Lesson 8 – Internet Control Message Protocol (ICMP)
Internet Control Message Protocol (ICMP)
This lesson continues the Internet layer and looks at the Internet Control Message Protocol (ICMP and ICMPv6).
Activities include using Wireshark to examine ICMP and ICMPv6 network traffic.
Readings
1. Read Wikipedia: Internet Control Message Protocol.
2. Read Wikipedia: ICMPv6.
3. Read Wikipedia: Path MTU Discovery.
Activities
1. Review Wireshark: Internet Control Message Protocol (ICMP) [1].
2. Use Wireshark to capture and analyze ICMP Echo traffic.
3. Use Wireshark to capture and analyze ICMP Time Exceeded traffic.
4. Use Wireshark to capture and analyze ICMP tracert/traceroute traffic.
5. Review Wireshark: ICMPv6 [2].
6. Use Wireshark to capture and analyze ICMPv6 Echo traffic.
7. Use Wireshark to capture and analyze ICMPv6 Time Exceeded traffic.
8. Use Wireshark to capture and analyze ICMPv6 tracert/traceroute traffic.
9. Use ping to determine local network MTU.
10. Use ping to determine Path MTU to an Internet host such as Google’s public DNS server 8.8.8.8. Note that
Internet routers frequently drop large ICMP packets to prevent Denial of Service attacks, so it may not be possible
to capture ICMPv6 Packet Too Big messages with this approach.
11. Consider situations in which a packet analyzer might be used to troubleshoot ICMP traffic.
12. Use the Discuss page to post comments and questions regarding this lesson.
13. Review the lesson summary, key terms, review questions and flashcards below.
Lesson Summary
• ICMP is a core protocol operating in the Internet layer of the Internet Protocol Suite.[3]
• ICMP messages are used for diagnostic or control purposes or generated in response to errors in IP operations.[4]
• ICMP messages may be classified into two categories: error messages and information messages.[5]
• ICMP errors are directed to the source IP address of the originating packet.[6]
• ICMPv6 is an integral part of IPv6 and performs error reporting, diagnostic functions (e.g., ping), and provides a
framework for extensions to implement future changes.[7]
• ICMPv6 error messages include Destination Unreachable, Packet Too Big, Time Exceeded, and Parameter
Problem.[8]
• ICMPv6 informational messages include Echo Request, Echo Reply, and a variety of multicast messages that will
be covered in the next lesson.[9]
• The tracert (traceroute) and Pathping commands are implemented by transmitting datagrams with specially set IP
TTL header fields and looking for ICMP Time Exceeded and Destination Unreachable messages generated in
response.[10]
• The ping utility is implemented using ICMP Echo Request and Echo Reply messages.[11]
• Path MTU Discovery in IPv4 is performed by routers and supported through fragmentation.[12]
• Path MTU Discovery in IPv6 must be performed by the sending host, because IPv6 routers do not support
fragmentation.[13]
Key Terms
Destination Unreachable
An ICMP error message which is generated by the host or its inbound gateway to inform the client that the
destination is unreachable for some reason.[14]
Echo Reply
An ICMP informational message response to an echo request.[15]
Echo Request
An ICMP informational message whose data is expected to be received back in an echo reply.[16]
Packet Too Big
An ICMP error message which is generated by a gateway to inform the source of a discarded datagram due to
the size being too large for the link layer.[17]
Parameter Problem
An ICMP error message which is generated by a host to inform the source of a problem with a field in the
IPv6 header or extension headers of a packet that has been discarded.[18]
Path MTU Discovery (PMTUD)
A standardized technique in computer networking for determining the maximum transmission unit (MTU) size
on the network path between two Internet Protocol (IP) hosts, usually with the goal of avoiding IP
fragmentation.[19]
Redirect Message
An ICMP message which informs a host to update its routing information (to send packets on an alternate
route).[20]
Source Quench
An ICMP message which requests that the sender decrease the rate of messages sent to a router or host.[21]
Time Exceeded
An ICMP error message which is generated by a gateway to inform the source of a discarded datagram due to
the time to live / hop count field reaching zero.[22]
Review Questions
1. ICMP is a core protocol operating in the _____ layer of the Internet Protocol Suite.
ICMP is a core protocol operating in the Internet layer of the Internet Protocol Suite.
2. ICMP messages are used for _____.
ICMP messages are used for diagnostic or control purposes or generated in response to errors in IP operations.
3. ICMP messages may be classified into two categories: _____ and _____.
ICMP messages may be classified into two categories: error messages and information messages.
4. ICMP errors are directed to _____.
ICMP errors are directed to the source IP address of the originating packet.
5. ICMPv6 is an integral part of IPv6 and performs _____, and provides _____.
ICMPv6 is an integral part of IPv6 and performs error reporting, diagnostic functions (e.g., ping), and provides a
framework for extensions to implement future changes.
6. ICMPv6 error messages include _____.
ICMPv6 error messages include Destination Unreachable, Packet Too Big, Time Exceeded, and Parameter Problem.
7. ICMPv6 informational messages include _____.
ICMPv6 informational messages include Echo Request, Echo Reply, and a variety of multicast messages.
8. The _____ utilities are implemented by transmitting datagrams with specially set IP TTL header fields and
looking for ICMP Time Exceeded and Destination Unreachable messages generated in response.
The tracert (traceroute) and Pathping utilities are implemented by transmitting datagrams with specially set IP TTL
header fields and looking for ICMP Time Exceeded and Destination Unreachable messages generated in response.
9. The _____ utility is implemented using ICMP Echo Request and Echo Reply messages.
The ping utility is implemented using ICMP Echo Request and Echo Reply messages.
10. Path MTU Discovery in _____ is performed by routers.
Path MTU Discovery in IPv4 is performed by routers.
11. Path MTU Discovery in _____ must be performed by the sending host.
Path MTU Discovery in IPv6 must be performed by the sending host.
12. ICMP stands for _____.
ICMP stands for Internet Control Message Protocol.
Flashcards
• Test your understanding of this lesson.
• Test your understanding of the key terms.
References
[1] http://wiki.wireshark.org/Internet_Control_Message_Protocol
[2] http://wiki.wireshark.org/ICMPv6
[3] Wikipedia: Internet Control Message Protocol, http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
[4] Wikipedia: Internet Control Message Protocol#Technical details, http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#Technical_details
[5] Wikipedia: ICMPv6#Technical details, http://en.wikipedia.org/wiki/ICMPv6#Technical_details
[6] Wikipedia: Internet Control Message Protocol#Technical details, http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#Technical_details
[7] Wikipedia: ICMPv6, http://en.wikipedia.org/wiki/ICMPv6
[8] Wikipedia: ICMPv6#Types of ICMPv6 messages, http://en.wikipedia.org/wiki/ICMPv6#Types_of_ICMPv6_messages
[9] Wikipedia: ICMPv6#Types of ICMPv6 messages, http://en.wikipedia.org/wiki/ICMPv6#Types_of_ICMPv6_messages
[10] Wikipedia: Internet Control Message Protocol#Technical details, http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#Technical_details
[11] Wikipedia: Internet Control Message Protocol#Technical details, http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#Technical_details
[12] Wikipedia: Path MTU Discovery, http://en.wikipedia.org/wiki/Path_MTU_Discovery
[13] Wikipedia: Path MTU Discovery, http://en.wikipedia.org/wiki/Path_MTU_Discovery
[14] Wikipedia: Destination Unreachable, http://en.wikipedia.org/wiki/Destination_Unreachable
[15] Wikipedia: Ping (networking utility)#Echo reply, http://en.wikipedia.org/wiki/Ping_(networking_utility)#Echo_reply
[16] Wikipedia: Echo Reply#Echo request, http://en.wikipedia.org/wiki/Echo_Reply#Echo_request
[17] Wikipedia: IPv6 packet#Fragmentation, http://en.wikipedia.org/wiki/IPv6_packet#Fragmentation
[18] RFC 4443 section 3.4
[19] Wikipedia: Path MTU Discovery, http://en.wikipedia.org/wiki/Path_MTU_Discovery
[20] Wikipedia: ICMP Redirect Message, http://en.wikipedia.org/wiki/ICMP_Redirect_Message
[21] Wikipedia: ICMP Source Quench, http://en.wikipedia.org/wiki/ICMP_Source_Quench
[22] Wikipedia: Time Exceeded, http://en.wikipedia.org/wiki/Time_Exceeded
Capture and Analyze ICMP Echo Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and analyze Internet Control Message Protocol (ICMP) Echo traffic.
Readings
• Wikipedia: Internet Control Message Protocol
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
Activity 1 – Capture ICMP Echo Traffic
To capture ICMP Echo traffic:
1. Start a Wireshark capture.
2. Use ping
3. Stop the Wireshark capture.
Activity 2 – Analyze ICMP Echo Request Traffic
To analyze ICMP Echo Request traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMP listed as the
protocol. To view only ICMP traffic, type icmp (lower case) in the Filter box and press Enter.
2. Select the first ICMP packet, labeled Echo (ping) request.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 4 / Internet Control Message Protocol frame.
4. Expand Internet Control Message Protocol to view ICMP details.
5. Observe the Type. Notice that the type is 8 (Echo (ping) request).
6. Select Data in the middle Wireshark packet details pane to highlight the data portion of the frame.
7. Observe the packet contents in the bottom Wireshark packet bytes pane. Notice that Windows sends an alphabet
sequence during ping requests.
Activity 3 – Analyze ICMP Echo Reply Traffic
To analyze ICMP Echo Reply traffic:
1. In the top Wireshark packet list pane, select the second ICMP packet, labeled Echo (ping) reply.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 4 / Internet Control Message Protocol frame.
3. Expand Internet Control Message Protocol to view ICMP details.
4. Observe the Type. Notice that the type is 0 (Echo (ping) reply).
5. Select Data in the middle Wireshark packet details pane to highlight the data portion of the frame.
6. Observe the packet contents in the bottom Wireshark packet bytes pane. Notice that the reply echoes the request
sequence.
7. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
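The Echo activity above, the Time Exceeded activity that follows, and the Lesson 8 summary's statement that tracert works by sending datagrams with small TTL values and collecting the Time Exceeded errors can all be reproduced offline. The Python script below is an added example written for this guide, not part of the original Wikiversity activity: it builds the ICMP messages with valid checksums, dissects them into the fields the activities ask you to observe (TTL, type, code, identifier, sequence, data), builds the Time Exceeded error a router returns when it decrements TTL to zero, and shows how that error is matched back to the probe that caused it. The 192.168.1.10 host and 192.168.1.1 router addresses are constructed; 8.8.8.8 is the Google public DNS address the activities ping; the 32-byte alphabet payload is the sequence Windows ping sends, as the Echo activity notes.

```python
"""Build and dissect the ICMP messages behind ping and tracert: an Echo request
with the 32-byte alphabet payload Windows sends, the Echo reply that echoes it
back, and the Time Exceeded error a router returns when TTL reaches zero."""
import struct
import ipaddress

WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 8, 11


def checksum(data):
    """RFC 1071 Internet checksum; returns 0 for data whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, ttl, proto, payload_len):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp_message(icmp_type, code, rest, body):
    """Generic ICMP message: type, code, checksum, 4-byte 'rest of header', body."""
    msg = struct.pack("!BBH", icmp_type, code, 0) + rest + body
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def echo_request(src, dst, ttl, ident, seq, data=WINDOWS_PAYLOAD):
    icmp = icmp_message(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", ident, seq), data)
    return ipv4_header(src, dst, ttl, 1, len(icmp)) + icmp


def echo_reply(request, ttl=64):
    """What the target host sends back: type 0 with the same id, seq and data."""
    req = parse(request)
    icmp = icmp_message(ICMP_ECHO_REPLY, 0, struct.pack("!HH", req["id"], req["seq"]), req["data"])
    return ipv4_header(req["dst"], req["src"], ttl, 1, len(icmp)) + icmp


def time_exceeded(router, original, ttl=64):
    """What a router sends when it decrements TTL to zero (type 11, code 0): the
    original IP header plus the first 8 bytes of its payload are quoted so the
    sender can tell which probe was dropped (RFC 792)."""
    ihl = (original[0] & 0x0F) * 4
    icmp = icmp_message(ICMP_TIME_EXCEEDED, 0, b"\x00" * 4, original[:ihl + 8])
    orig_src = str(ipaddress.IPv4Address(original[12:16]))
    return ipv4_header(router, orig_src, ttl, 1, len(icmp)) + icmp


def parse(datagram):
    """Dissect an IPv4/ICMP datagram into the fields the activities inspect."""
    ihl = (datagram[0] & 0x0F) * 4
    if checksum(datagram[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    icmp = datagram[ihl:]
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    out = {"src": str(ipaddress.IPv4Address(datagram[12:16])),
           "dst": str(ipaddress.IPv4Address(datagram[16:20])),
           "ttl": datagram[8], "type": icmp[0], "code": icmp[1]}
    if out["type"] in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        out["id"], out["seq"] = struct.unpack("!HH", icmp[4:8])
        out["data"] = icmp[8:]
    elif out["type"] == ICMP_TIME_EXCEEDED:
        quoted = icmp[8:]  # the dropped datagram's IP header plus 8 payload bytes
        qihl = (quoted[0] & 0x0F) * 4
        out["orig_dst"] = str(ipaddress.IPv4Address(quoted[16:20]))
        out["orig_id"], out["orig_seq"] = struct.unpack("!HH", quoted[qihl + 4:qihl + 8])
    return out


def hop_for_probe(ident, seq, reply):
    """How tracert attributes a Time Exceeded to the probe it sent: match the
    quoted id/seq and take the error's source address as that hop's router."""
    r = parse(reply)
    if r["type"] == ICMP_TIME_EXCEEDED and (r["orig_id"], r["orig_seq"]) == (ident, seq):
        return r["src"]
    return None


if __name__ == "__main__":
    # Constructed sample: host 192.168.1.10 pings 8.8.8.8 with TTL 1 (ping -i 1),
    # and the first-hop router 192.168.1.1 answers with Time Exceeded.
    probe = echo_request("192.168.1.10", "8.8.8.8", 1, ident=1, seq=1)
    error = time_exceeded("192.168.1.1", probe)
    print(parse(probe))
    print(parse(error))
    print(hop_for_probe(1, 1, error))
    print(parse(echo_reply(echo_request("192.168.1.10", "8.8.8.8", 128, 1, 2)))["data"])
```

The quoted header inside the Time Exceeded message is what makes tracert work: the error itself says nothing about which probe was dropped, so the sender recovers the identifier and sequence from the quoted bytes and records the error's source as the router at that hop.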
References
• Wireshark: User’s Guide [2]
• Wireshark: Internet Control Message Protocol [1]
[1] http://wiki.wireshark.org/Internet_Control_Message_Protocol
[2] http://www.wireshark.org/docs/wsug_html_chunked/
Capture and Analyze ICMP Time Exceeded Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and analyze Internet Control Message Protocol (ICMP) Time
Exceeded traffic.
Readings
• Wikipedia: Internet Control Message Protocol
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
Activity 1 – Capture ICMP Time Exceeded Traffic
To capture ICMP Time Exceeded traffic:
1. Start a Wireshark capture.
2. Use ping -i 1 8.8.8.8 to ping one of Google’s public DNS servers with a Time To Live setting of 1.
3. Stop the Wireshark capture.
Activity 2 – Analyze ICMP Echo Request Traffic
To analyze ICMP Echo Request traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMP listed as the
protocol. To view only ICMP traffic, type icmp (lower case) in the Filter box and press Enter.
2. Select the first ICMP packet, labeled Echo (ping) request.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 4 / Internet Control Message Protocol frame.
4. Expand Internet Protocol Version 4 to view IPv4 details.
5. Observe the Time to live. Notice that the time to live is set to 1.
6. Expand Internet Control Message Protocol to view ICMP details.
7. Observe the Type. Notice that the type is 8 (Echo (ping) request).
8. Select Data in the middle Wireshark packet details pane to highlight the data portion of the frame.
9. Observe the packet contents in the bottom Wireshark packet bytes pane. Notice that Windows sends an alphabet
sequence during ping requests.
Activity 3 – Analyze ICMP Time Exceeded Traffic
To analyze ICMP Time Exceeded traffic:
1. In the top Wireshark packet list pane, select the second ICMP packet, labeled Time-to-live exceeded.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 4 / Internet Control Message Protocol frame.
3. Expand Internet Protocol Version 4 to view IPv4 details.
4. Observe the Source. This is the IP address of the router where the time was exceeded.
5. Expand Internet Control Message Protocol to view ICMP details.
6. Observe the Type. Notice that the type is 11 (Time-to-live exceeded).
7. Observe the Code. Notice that the code is 0 (Time to live exceeded in transit).
8. Observe the fields that follow. Notice that the contents of the request packet are returned with the time exceeded
error.
9. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
• Wireshark: User’s Guide [2]
• Wireshark: Internet Control Message Protocol [1]
Capture and Analyze ICMP tracert/traceroute Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and analyze tracert/traceroute traffic. Tracing routes is accomplished
through the use of Internet Control Message Protocol (ICMP) Time Exceeded.
Readings
• Wikipedia: Internet Control Message Protocol
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
Activity 1 – Capture Tracert Traffic
To capture ICMP tracert traffic:
1. Start a Wireshark capture.
2. Open a command prompt.
3. Type tracert -d 8.8.8.8 and press Enter to trace the route to one of Google’s public DNS servers. The -d option
prevents DNS name resolution, which in this case will improve performance and reduce the amount of captured
traffic.
4. When the trace is complete, close the command prompt.
5. Stop the Wireshark capture.
Activity 2 – Analyze Tracert Traffic
To analyze tracert traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMP listed as the
protocol. To view only ICMP traffic, type icmp (lower case) in the Filter box and press Enter.
2. Select the first ICMP packet, labeled Echo (ping) request.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 4 / Internet Control Message Protocol frame.
4. Expand Internet Protocol Version 4 to view IPv4 details.
5. Observe the Time to live. Notice that the time to live is set to 1.
6. Expand Internet Control Message Protocol to view ICMP details.
7. Observe the Type. Notice that the type is 8 (Echo (ping) request). Tracert is performed through a series of ICMP
Echo requests, varying the Time-To-Live (TTL) until the destination is found.
8. In the top Wireshark packet list pane, select the second ICMP packet, labeled Time-to-live exceeded.
9. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 4 / Internet Control Message Protocol frame.
10. Expand Internet Protocol Version 4 to view IPv4 details.
11. Observe the Source. This is the IP address of the router where the time was exceeded.
12. Expand Internet Control Message Protocol to view ICMP details.
13. Observe the Type. Notice that the type is 11 (Time-to-live exceeded).
14. Observe the Code. Notice that the code is 0 (Time to live exceeded in transit).
15. Observe the fields that follow. Notice that the contents of the request packet are returned with the time exceeded
error.
16. Continue selecting alternate ICMP Echo Request and ICMP Time-To-Live Exceeded packets. Notice that the
request is repeated three times for each time-to-live count, and each reply indicates the IP address of the router
where the time to live was exceeded.
17. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
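The exchange that the ICMP Echo, ICMP Time Exceeded and tracert activities above step through in Wireshark, carried out in code. This is an added example and is not part of the Wikiversity lesson or of Wireshark: it builds the ICMP echo request with a constructed 32-byte alphabet payload matching what the lesson observes from Windows ping, pushes it through a simulated path of three routers (constructed, RFC 5737 documentation addresses) that each decrement the TTL, and parses the type 11 / code 0 error to recover the identifier and sequence number of the quoted request, which is how tracert ties each error back to the probe that caused it and why the request's contents come back inside the error. ICMPv6 follows the same structure with types 128, 129 and 3 and a checksum that also covers a pseudo-header.

```python
import socket
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
CODE_TTL_EXCEEDED_IN_TRANSIT = 0

# Constructed 32-byte payload reproducing the alphabet sequence the lesson
# observes in Windows ping requests.
WIN_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

# Constructed path (RFC 5737 documentation addresses): three routers, then the target.
SOURCE = "192.0.2.100"
PATH = ["192.0.2.1", "198.51.100.1", "203.0.113.1"]
TARGET = "203.0.113.9"

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum of 16-bit words; recomputing over a message whose
    checksum field is filled in yields 0 when the message is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp_echo(icmp_type: int, ident: int, seq: int, payload: bytes = WIN_PING_PAYLOAD) -> bytes:
    """Echo request (8) or reply (0): type, code, checksum, identifier, sequence, data."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, 0, inet_checksum(hdr + payload), ident, seq) + payload

def build_ipv4(src: str, dst: str, ttl: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options, protocol 1 = ICMP) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, 1, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload

def build_time_exceeded(original: bytes) -> bytes:
    """RFC 792 Time Exceeded: type 11, code 0, 4 unused bytes, then the offending
    datagram's IP header plus the first 8 bytes of its data (here the echo header)."""
    quoted = original[:28]
    hdr = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, CODE_TTL_EXCEEDED_IN_TRANSIT, 0, 0)
    csum = inet_checksum(hdr + quoted)
    return struct.pack("!BBHI", ICMP_TIME_EXCEEDED, CODE_TTL_EXCEEDED_IN_TRANSIT, csum, 0) + quoted

def parse_icmp_reply(datagram: bytes) -> dict:
    """Decode the fields the Wireshark panes show; for Time Exceeded, dig the
    identifier/sequence of the quoted request out of the returned bytes."""
    ttl, proto = datagram[8], datagram[9]
    icmp = datagram[20:]
    if proto != 1 or inet_checksum(icmp) != 0:
        raise ValueError("not a valid ICMP message")
    info = {"src": socket.inet_ntoa(datagram[12:16]), "ttl": ttl, "type": icmp[0], "code": icmp[1]}
    if info["type"] == ICMP_TIME_EXCEEDED:
        info["orig_dst"] = socket.inet_ntoa(icmp[24:28])  # quoted IP header starts at offset 8
        info["orig_type"], _, _, info["ident"], info["seq"] = struct.unpack("!BBHHH", icmp[28:36])
    elif info["type"] == ICMP_ECHO_REPLY:
        _, _, _, info["ident"], info["seq"] = struct.unpack("!BBHHH", icmp[:8])
        info["data"] = icmp[8:]  # the reply echoes the request data
    return info

def forward(datagram: bytes) -> bytes:
    """Simulated network: each router decrements TTL and the one that reaches 0 answers
    with Time Exceeded; otherwise the target answers the echo request with an echo reply."""
    ttl = datagram[8]
    for router in PATH:
        ttl -= 1
        if ttl == 0:
            return build_ipv4(router, SOURCE, 64, build_time_exceeded(datagram))
    _, _, _, ident, seq = struct.unpack("!BBHHH", datagram[20:28])
    return build_ipv4(TARGET, SOURCE, 64, build_icmp_echo(ICMP_ECHO_REPLY, ident, seq, datagram[28:]))

def tracert(max_hops: int = 30, probes: int = 3) -> list:
    """tracert loop: three echo requests per TTL, TTL rising until the target itself replies.
    Returns [(ttl, [responder, responder, responder]), ...]."""
    hops, seq, last_type = [], 0, None
    for ttl in range(1, max_hops + 1):
        responders = []
        for _ in range(probes):
            seq += 1
            request = build_ipv4(SOURCE, TARGET, ttl, build_icmp_echo(ICMP_ECHO_REQUEST, 1, seq))
            reply = parse_icmp_reply(forward(request))
            if reply["seq"] != seq:  # the quoted header is what ties an error to its probe
                raise RuntimeError("reply does not match the outstanding probe")
            responders.append(reply["src"])
            last_type = reply["type"]
        hops.append((ttl, responders))
        if last_type == ICMP_ECHO_REPLY:
            break
    return hops

if __name__ == "__main__":
    for ttl, responders in tracert():
        print(ttl, responders)
```

Running the block prints one line per TTL with the three responders, the same pattern the packet list shows when alternating between Echo Request and Time-to-live exceeded frames. When reading real captures, the quoted header is also the field to check before trusting an ICMP error: an error whose quoted identifier and sequence match nothing the host sent is noise or spoofing, not a routing fact.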
References
• Wireshark: User’s Guide [2]
• Wireshark: Internet Control Message Protocol [1]
Capture and Analyze ICMPv6 Echo Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and analyze Internet Control Message Protocol Version 6 (ICMPv6)
Echo traffic.
Readings
• Wikipedia: Internet Control Message Protocol Version 6 (ICMPv6)
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
Activity 1 – Capture ICMPv6 Echo Traffic
To capture ICMPv6 Echo traffic:
1. Start a Wireshark capture.
2. Use ping 2001:4860:4860::8888 to ping one of Google’s public IPv6 DNS servers.
3. Stop the Wireshark capture.
Activity 2 – Analyze ICMPv6 Echo Request Traffic
To analyze ICMPv6 Echo Request traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMPv6 listed as the
protocol. To view only ICMPv6 traffic, type icmpv6 (lower case) in the Filter box and press Enter.
2. Select the first ICMPv6 packet, labeled Echo (ping) request.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 6 / Internet Control Message Protocol v6 frame. Note if you are using an IPv6 tunnel, your IPv6
packet may be encapsulated inside an IPv4 or UDP packet.
4. Expand Internet Control Message Protocol v6 to view ICMPv6 details.
5. Observe the Type. Notice that the type is Echo (ping) request (128).
6. Select Data in the middle Wireshark packet details pane to highlight the data portion of the frame.
7. Observe the packet contents in the bottom Wireshark packet bytes pane. Notice that Windows sends an alphabet
sequence during ping requests.
Activity 3 – Analyze ICMPv6 Echo Reply Traffic
To analyze ICMPv6 Echo Reply traffic:
1. In the top Wireshark packet list pane, select the second ICMPv6 packet, labeled Echo (ping) reply.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 6 / Internet Control Message Protocol v6 frame. Again, if you are using an IPv6 tunnel, your
IPv6 packet may be encapsulated inside an IPv4 or UDP packet.
3. Expand Internet Control Message Protocol v6 to view ICMPv6 details.
4. Observe the Type. Notice that the type is Echo (ping) reply (129).
5. Select Data in the middle Wireshark packet details pane to highlight the data portion of the frame.
6. Observe the packet contents in the bottom Wireshark packet bytes pane. Notice that the reply echoes the request
sequence.
7. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
• Wireshark: User’s Guide [2]
• Wireshark: ICMPv6 [2]
Capture and Analyze ICMPv6 Time Exceeded Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and analyze Internet Control Message Protocol Version 6 (ICMPv6)
Time Exceeded traffic.
Readings
• Wikipedia: Internet Control Message Protocol Version 6 (ICMPv6)
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
Activity 1 – Capture ICMPv6 Time Exceeded Traffic
To capture ICMPv6 Time Exceeded traffic:
1. Start a Wireshark capture.
2. Use ping -i 1 2001:4860:4860::8888 to ping one of Google’s public IPv6 DNS servers with a hop limit of 1.
3. Stop the Wireshark capture.
Activity 2 – Analyze ICMPv6 Echo Request Traffic
To analyze ICMPv6 Echo Request traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMPv6 listed as the
protocol. To view only ICMPv6 traffic, type icmpv6 (lower case) in the Filter box and press Enter.
2. Select the first ICMPv6 packet, labeled Echo (ping) request.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 6 / Internet Control Message Protocol v6 frame. Note if you are using an IPv6 tunnel, your IPv6
packet may be encapsulated inside an IPv4 or UDP packet.
4. Expand Internet Protocol Version 6 to view IPv6 details.
5. Observe the Hop limit. Notice that the hop limit is set to 1.
6. Expand Internet Control Message Protocol v6 to view ICMPv6 details.
7. Observe the Type. Notice that the type is Echo (ping) request (128).
8. Select Data in the middle Wireshark packet details pane to highlight the data portion of the frame.
9. Observe the packet contents in the bottom Wireshark packet bytes pane. Notice that Windows sends an alphabet
sequence during ping requests.
Activity 3 – Analyze ICMPv6 Time Exceeded Traffic
To analyze ICMPv6 Time Exceeded traffic:
1. In the top Wireshark packet list pane, select the second ICMPv6 packet, labeled Time Exceeded.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 6 / Internet Control Message Protocol v6 frame. Again, if you are using an IPv6 tunnel, your
IPv6 packet may be encapsulated inside an IPv4 or UDP packet.
3. Expand Internet Protocol Version 6 to view IPv6 details.
4. Observe the Source. This is the IP address of the router where the hop limit was exceeded.
5. Expand Internet Control Message Protocol v6 to view ICMPv6 details.
6. Observe the Type. Notice that the type is Time Exceeded (3).
7. Observe the Code. Notice that the code is 0 (Hop limit exceeded in transit).
8. Observe the fields that follow. Notice that the contents of the request packet are returned with the time exceeded
error.
9. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
• Wireshark: User’s Guide [2]
• Wireshark: ICMPv6 [2]
Capture and Analyze ICMPv6 tracert/traceroute Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and analyze tracert/traceroute traffic. Tracing routes is accomplished
through the use of Internet Control Message Protocol Version 6 (ICMPv6) Time Exceeded.
Readings
• Wikipedia: Internet Control Message Protocol Version 6 (ICMPv6)
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
Activity 1 – Capture Tracert Traffic
To capture ICMPv6 tracert traffic:
1. Start a Wireshark capture.
2. Open a command prompt.
3. Type tracert -d 2001:4860:4860::8888 and press Enter to trace the route to one of Google’s public IPv6 DNS
servers. The -d option prevents DNS name resolution, which in this case will improve performance and reduce the
amount of captured traffic.
4. When the trace is complete, close the command prompt.
5. Stop the Wireshark capture.
Activity 2 – Analyze Tracert Traffic
To analyze tracert traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMPv6 listed as the
protocol. To view only ICMPv6 traffic, type icmpv6 (lower case) in the Filter box and press Enter.
2. Select the first ICMPv6 packet, labeled Echo (ping) request.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 6 / Internet Control Message Protocol v6 frame. Note if you are using an IPv6 tunnel, your IPv6
packet may be encapsulated inside an IPv4 or UDP packet.
4. Expand Internet Protocol Version 6 to view IPv6 details.
5. Observe the Hop limit. Notice that the hop limit is set to 1.
6. Expand Internet Control Message Protocol v6 to view ICMPv6 details.
7. Observe the Type. Notice that the type is Echo (ping) request (128). Tracert is performed through a series of
ICMPv6 Echo requests, varying the hop limit until the destination is found.
8. In the top Wireshark packet list pane, select the second ICMPv6 packet, labeled Time Exceeded.
9. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 6 / Internet Control Message Protocol v6 frame. Again, if you are using an IPv6 tunnel, your IPv6
packet may be encapsulated inside an IPv4 or UDP packet.
10. Expand Internet Protocol Version 6 to view IPv6 details.
11. Observe the Source. This is the IPv6 address of the router where the hop limit was exceeded.
12. Expand Internet Control Message Protocol v6 to view ICMPv6 details.
13. Observe the Type. Notice that the type is Time Exceeded (3).
14. Observe the Code. Notice that the code is 0 (hop limit exceeded in transit).
15. Observe the fields that follow. Notice that the contents of the request packet are returned with the time exceeded
error.
16. Continue selecting alternate ICMPv6 Echo Request and ICMPv6 Time Exceeded packets. Notice that the
request is repeated three times for each hop limit count, and each reply indicates the IPv6 address of the router
where the hop limit was exceeded.
17. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
• Wireshark: User’s Guide [2]
• Wireshark: ICMPv6 [2]
Ping MTU
The ping command has an option to configure the length or size of the buffer to be transmitted. These activities will
show you how to use the ping command with a custom packet length to test the network’s maximum transmission
unit (MTU).
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
Activity 1 – Ping the Default Gateway with a Custom Packet Length
To ping the default gateway with a custom packet length:
1. Open a command prompt.
2. Use ipconfig to display the default gateway address. Note the Default Gateway displayed.
3. Type ping -l 1000 <default gateway address>, using the Default Gateway address displayed above. For example, if
the default gateway address was 192.168.1.1, you would type ping -l 1000 192.168.1.1. Then press Enter.
4. Observe the results.
Activity 2 – Ping the Default Gateway with a Custom Packet Length and Do Not Fragment
To ping the default gateway with a custom packet length and do not fragment:
1. Type ping -f -l 1000 <default gateway address> and press Enter. The -f option sets the Do Not Fragment flag,
which prevents fragmentation of the packet.
2. Observe the results.
Activity 3 – Vary Packet Length to Determine MTU
To determine MTU:
1. Repeat Activity 2 but vary the length of the packet up or down as necessary until you determine the largest packet
size that delivers successfully on your network. When the packet is too long, you will see an error similar to,
“Packet needs to be fragmented but DF set.” The maximum packet length for a standard Ethernet network is 1500
bytes; subtracting 20 bytes for Internet Protocol (IP) overhead and 8 bytes for Internet Control Message Protocol
(ICMP) overhead leaves 1472 bytes, the largest ping length that fits in a 1500-byte MTU. Your results are likely to
be 1472 or lower, depending on the network equipment between your computer and the target host.
2. Close the command prompt to complete this activity.
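The 1500 - 20 - 8 = 1472 arithmetic and the "vary the length up or down" search from Activity 3, written out as code. This is an added example, not part of the Wikiversity lesson or of the Windows ping command: ping_df is a constructed stand-in that answers the way `ping -f -l <len>` would against a path whose smallest link MTU is known, and discover_path_mtu replaces manual trial and error with a bisection over the payload length. The 65500 upper bound is the largest -l value Windows ping accepts (stated here as an assumption about the tool's limits).

```python
IPV4_HEADER = 20       # bytes, IPv4 header without options
ICMP_HEADER = 8        # bytes, ICMP echo request header
ETHERNET_MTU = 1500    # the standard Ethernet figure the activity uses
WINDOWS_MAX_L = 65500  # assumption: upper bound Windows ping accepts for -l

def max_ping_payload(link_mtu: int = ETHERNET_MTU) -> int:
    """Largest -l value that fits in one unfragmented datagram on a link with this MTU."""
    return link_mtu - IPV4_HEADER - ICMP_HEADER

def ping_df(payload_len: int, path_mtu: int) -> str:
    """Constructed stand-in for `ping -f -l <len>`: with DF set, a datagram larger than the
    smallest MTU on the path cannot be fragmented, so ping reports the error the activity quotes."""
    if payload_len + IPV4_HEADER + ICMP_HEADER > path_mtu:
        return "Packet needs to be fragmented but DF set."
    return "Reply received"

def discover_path_mtu(probe, low: int = 0, high: int = WINDOWS_MAX_L, trace: list = None) -> int:
    """Activity 3 done systematically: bisect for the largest payload that still delivers with
    DF set, then add the headers back to report the path MTU. probe(len) returns True when a
    DF-set ping with that payload length succeeds; trace (optional) collects the lengths tried."""
    while low < high:
        mid = (low + high + 1) // 2
        if trace is not None:
            trace.append(mid)
        if probe(mid):
            low = mid        # delivered: the answer is at least this long
        else:
            high = mid - 1   # DF error: the answer is shorter
    return low + IPV4_HEADER + ICMP_HEADER

if __name__ == "__main__":
    tried = []
    mtu = discover_path_mtu(lambda n: ping_df(n, 1492) == "Reply received", trace=tried)
    print("path MTU", mtu, "after", len(tried), "probes")
```

The search only means something with -f set: without DF the sending host or an intermediate router silently fragments the oversized datagram and every length appears to deliver. Bisection finds the answer in about sixteen probes instead of the dozens a manual up-and-down search takes, and the same loop is what operating systems do in path MTU discovery, driven by ICMP Fragmentation Needed errors rather than by ping output.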
Readings
• Wikipedia: Ping (networking utility)
• Wikipedia: Maximum transmission unit
• Wikipedia: Internet Protocol
• Wikipedia: Internet Control Message Protocol (ICMP)
References
• Microsoft TechNet: Ping [1]
[1] http://technet.microsoft.com/en-us/library/cc940091.aspx
Lesson 9 – Multicast
Multicast
This lesson concludes the Internet layer and looks at multicasting. Activities include using Wireshark to examine
multicast and Neighbor Discovery Protocol (NDP) network traffic.
Readings
1. Read Wikipedia: Multicast.
2. Read Wikipedia: Multicast address.
3. Read Wikipedia: Internet Group Management Protocol.
4. Read Wikipedia: Multicast Listener Discovery.
5. Read Wikipedia: Neighbor Discovery Protocol.
Activities
1. Review Wireshark: Internet Group Management Protocol (IGMP) [1].
2. Use Wireshark to capture and analyze IPv4 multicast traffic.
3. Use Wireshark to capture and analyze IPv6 multicast traffic.
4. Use Wireshark to capture and analyze ICMPv6 Neighbor Discovery Protocol (NDP) traffic.
5. Consider situations in which a packet analyzer might be used to troubleshoot multicast traffic.
6. Use the Discuss page to post comments and questions regarding this lesson.
7. Review the lesson summary, key terms, review questions and flashcards below.
Lesson Summary
• Multicast is the delivery of a message or information to a group of destination computers simultaneously in a
single transmission from the source.[2]
• Multicast uses network infrastructure efficiently by requiring the source to send a packet only once, even if it
needs to be delivered to a large number of receivers. The nodes in the network take care of replicating the packet
to reach multiple receivers when necessary.[3]
• In multicast routing, there is always one source and a group of destinations. Broadcasting is a special case of
multicasting in which the group contains all hosts.[4]
• IPv4 multicast addresses were originally designated as Class D. The Classless Inter-Domain Routing (CIDR)
prefix of this group is 224.0.0.0/4 and includes addresses from 224.0.0.0 through 239.255.255.255.[5]
• The 239.0.0.0/8 range is assigned by RFC 2365 for private use within an organization.[6]
• IPv6 multicast addresses start with ff00::/8.[7]
• Ethernet frames with a value of 1 in the least-significant bit of the first octet of the destination address are treated
as multicast (broadcast) frames and are sent to all network hosts. The recipient host Ethernet controller determines
by address hashing whether to receive or drop the multicast frame.[8]
• Ethernet IPv4 multicast frames have a destination MAC address starting with 01-00-5E-xx-xx-xx.[9]
• Ethernet IPv6 multicast frames have a destination MAC address starting with 33-33-xx-xx-xx-xx.[10]
• The Internet Group Management Protocol (IGMP) is a communications protocol used by hosts and adjacent
routers on IP networks to establish multicast group memberships. IGMP is used on IPv4 networks.[11]
• Multicast management on IPv6 networks is handled by Multicast Listener Discovery (MLD) which uses ICMPv6
messaging in contrast to IGMP’s bare IP encapsulation.[12][13]
• Neighbor Discovery Protocol (NDP) is an Internet layer protocol in the Internet Protocol Suite used with IPv6.[14]
• NDP is responsible for address autoconfiguration of nodes, discovery of other nodes on the link, determining the
Link Layer addresses of other nodes, duplicate address detection, finding available routers and Domain Name
System (DNS) servers, address prefix discovery, and maintaining reachability information about the paths to other
active neighbor nodes.[15]
• NDP defines five ICMPv6 packet types: Router Solicitation, Router Advertisement, Neighbor Solicitation,
Neighbor Advertisement, and Redirect.[16]
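The addressing rules from the summary (224.0.0.0/4, the RFC 2365 239.0.0.0/8 range, ff00::/8, the least-significant bit of the first MAC octet, and the 01-00-5E and 33-33 destination MAC prefixes) as checks you can run against addresses pulled from a capture. This is an added example, not part of the Wikiversity lesson. It goes one step beyond the summary's "xx-xx-xx" notation and fills in the rest of the MAC the way RFC 1112 (IPv4: low 23 bits of the group) and RFC 2464 (IPv6: low 32 bits) define it, which also makes visible why 32 different IPv4 groups land on the same Ethernet address and why the controller's address hashing, mentioned in the summary, cannot be the final filter. The sample addresses in the usage are constructed.

```python
import ipaddress

IPV4_MULTICAST = ipaddress.ip_network("224.0.0.0/4")     # the old Class D range
IPV4_ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")  # RFC 2365 private use
IPV6_MULTICAST = ipaddress.ip_network("ff00::/8")

def is_ethernet_multicast(mac: str) -> bool:
    """A set least-significant bit in the first octet marks a group (multicast or broadcast) MAC."""
    first_octet = int(mac.replace("-", ":").split(":")[0], 16)
    return bool(first_octet & 0x01)

def classify_ip(addr: str) -> str:
    """Place an IPv4 or IPv6 address in the ranges the lesson summary lists."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        if ip in IPV4_ADMIN_SCOPED:
            return "ipv4-multicast-admin-scoped"
        return "ipv4-multicast" if ip in IPV4_MULTICAST else "ipv4-unicast"
    return "ipv6-multicast" if ip in IPV6_MULTICAST else "ipv6-unicast"

def multicast_mac(addr: str) -> str:
    """Group address -> Ethernet destination MAC. IPv4 (RFC 1112): 01-00-5E plus the low
    23 bits of the group; IPv6 (RFC 2464): 33-33 plus the low 32 bits."""
    ip = ipaddress.ip_address(addr)
    if classify_ip(addr).endswith("unicast"):
        raise ValueError(f"{addr} is not a multicast address")
    if ip.version == 4:
        low23 = int(ip) & 0x7FFFFF
        octets = [0x01, 0x00, 0x5E, low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF]
    else:
        octets = [0x33, 0x33] + list((int(ip) & 0xFFFFFFFF).to_bytes(4, "big"))
    return "-".join(f"{o:02X}" for o in octets)

def ipv4_groups_sharing_mac(addr: str) -> list:
    """Only 23 of the 28 group bits reach the MAC, so 32 IPv4 groups share one frame address;
    the controller's hash filter admits all of them and the IP layer must check the real group."""
    low23 = int(ipaddress.IPv4Address(addr)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (k << 23) | low23)) for k in range(32)]

if __name__ == "__main__":
    for sample in ("224.0.0.251", "239.255.255.250", "ff02::1", "ff02::1:ff00:1"):  # constructed
        print(sample, classify_ip(sample), multicast_mac(sample))
    print(ipv4_groups_sharing_mac("224.1.1.1"))
```

When a capture shows a host receiving frames for groups it never joined, ipv4_groups_sharing_mac explains the usual cause: the controller accepted the frame on the shared MAC and the kernel discarded it after checking the IP destination, which is normal and not a sign of a compromised filter.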
Key Terms
Internet Protocol television (IPTV)
A system through which television services are delivered using the Internet protocol suite over a
packet-switched network such as the Internet, instead of being delivered through traditional terrestrial, satellite
signal, and cable television formats.[17]
Internet Relay Chat (IRC)
A protocol for real-time Internet text messaging (chat) or synchronous conferencing.[18]
overlay network
A computer network which is built on the top of another network where nodes in the overlay can be thought of
as being connected by virtual or logical links in the underlying physical network.[19]
Neighbor Advertisement
An ICMPv6 NDP packet type that nodes use to respond to a Neighbor Solicitation message.[20]
Neighbor Solicitation
An ICMPv6 NDP packet type that nodes use to determine the link-layer address of a neighbor, or to verify that
a neighbor is still reachable via a cached link-layer address.[21]
peer-to-peer (P2P)
A computer network in which each computer in the network can act as a client or server for the other
computers in the network.[22]
presence information
A status indicator that conveys ability and willingness of a potential communication partner (for example, a
user) to communicate.[23]
Redirect
An ICMPv6 NDP packet type that routers use to inform hosts of a better first hop for a destination.[24]
Router Advertisement
An ICMPv6 NDP packet type that routers use to advertise their presence together with various link and
Internet parameters either periodically, or in response to a Router Solicitation message.[25]
Router Solicitation
An ICMPv6 NDP packet type that hosts use to request routers to generate Router Advertisements immediately
rather than at their next scheduled time.[26]
streaming media
Multimedia that is constantly received by and presented to an end-user while being delivered by a provider.[27]
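A decoder for the five NDP message types defined in the key terms above, as an added example that is not part of the Wikiversity lesson or of Wireshark. The type numbers (133 to 137), the fixed-length header of each message and the link-layer address options come from RFC 4861, which the key terms cite; the pseudo-header checksum is the ICMPv6 rule, and the solicited-node group ff02::1:ffXX:XXXX that a Neighbor Solicitation is sent to comes from RFC 4291. The source address, target and MAC in the usage are constructed.

```python
import ipaddress
import struct

# RFC 4861 ICMPv6 type numbers for the five NDP messages the lesson lists.
NDP_TYPES = {133: "Router Solicitation", 134: "Router Advertisement",
             135: "Neighbor Solicitation", 136: "Neighbor Advertisement", 137: "Redirect"}
FIXED_LEN = {133: 8, 134: 16, 135: 24, 136: 24, 137: 40}  # bytes before the options
OPT_SOURCE_LLADDR, OPT_TARGET_LLADDR = 1, 2

def icmpv6_checksum(src: str, dst: str, icmp: bytes) -> int:
    """ICMPv6 checksum covers a pseudo-header (src, dst, length, next header 58) plus the
    message; recomputing over a message with the field filled in yields 0 when it is intact."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!IxxxB", len(icmp), 58))
    data = pseudo + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def solicited_node(target: str) -> str:
    """RFC 4291 solicited-node group ff02::1:ffXX:XXXX from the target's low 24 bits; a
    Neighbor Solicitation goes there instead of to every node on the link."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24))

def build_neighbor_solicitation(src: str, dst: str, target: str, src_mac: bytes) -> bytes:
    """Type 135: type, code, checksum, 4 reserved bytes, 16-byte target, then option 1
    (source link-layer address), whose length field counts 8-byte units."""
    body = struct.pack("!BBHI", 135, 0, 0, 0) + ipaddress.IPv6Address(target).packed
    body += struct.pack("!BB", OPT_SOURCE_LLADDR, 1) + src_mac
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]

def verify_icmpv6(src: str, dst: str, icmp: bytes) -> bool:
    """True when the checksum matches the message and the IPv6 addresses it was sent between."""
    return icmpv6_checksum(src, dst, icmp) == 0

def parse_ndp(src: str, dst: str, icmp: bytes) -> dict:
    """Decode an NDP message into the fields Wireshark shows under ICMPv6."""
    if not verify_icmpv6(src, dst, icmp):
        raise ValueError("bad ICMPv6 checksum")
    itype, code = icmp[0], icmp[1]
    if itype not in NDP_TYPES or len(icmp) < FIXED_LEN[itype]:
        raise ValueError(f"not a well-formed NDP message (type {itype})")
    info = {"type": itype, "name": NDP_TYPES[itype], "code": code, "options": {}}
    if itype in (135, 136, 137):
        info["target"] = str(ipaddress.IPv6Address(icmp[8:24]))
    if itype == 137:
        info["destination"] = str(ipaddress.IPv6Address(icmp[24:40]))
    off = FIXED_LEN[itype]
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1]
        if opt_len == 0:  # RFC 4861: a zero-length option means discard the packet
            raise ValueError("zero-length NDP option")
        if opt_type in (OPT_SOURCE_LLADDR, OPT_TARGET_LLADDR) and opt_len == 1:
            key = "source_lladdr" if opt_type == OPT_SOURCE_LLADDR else "target_lladdr"
            info["options"][key] = icmp[off + 2:off + 8].hex(":")
        off += opt_len * 8
    return info

if __name__ == "__main__":
    src, target, mac = "fe80::1", "2001:db8::1", bytes.fromhex("001122334455")  # constructed
    dst = solicited_node(target)
    print(dst, parse_ndp(src, dst, build_neighbor_solicitation(src, dst, target, mac)))
```

The link-layer address options are the part of NDP worth watching in a capture: a Neighbor Advertisement whose target_lladdr differs from the MAC an earlier advertisement gave for the same target is exactly the inconsistency a monitor should flag, and rejecting zero-length options up front keeps a malformed packet from putting the parser into an infinite loop.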
Review Questions
1. Multicast is the delivery of a message or information to _____.
Multicast is the delivery of a message or information to a group of destination computers simultaneously in a single
transmission from the source.
2. Multicast uses network infrastructure efficiently by requiring the source to send a packet _____, even if it needs to
be delivered to a large number of receivers.
Multicast uses network infrastructure efficiently by requiring the source to send a packet only once, even if it needs
to be delivered to a large number of receivers.
3. In multicast routing, there is always _____.
In multicast routing, there is always one source and a group of destinations.
4. Broadcasting is a special case of multicasting in which _____.
Broadcasting is a special case of multicasting in which the group contains all hosts.
5. IPv4 multicast addresses were originally designated as Class _____. The Classless Inter-Domain Routing (CIDR)
prefix of this group is _____ and includes addresses from _____ through _____.
IPv4 multicast addresses were originally designated as Class D. The Classless Inter-Domain Routing (CIDR) prefix
of this group is 224.0.0.0/4 and includes addresses from 224.0.0.0 through 239.255.255.255.
6. The _____ range is assigned by RFC 2365 for private multicast use within an organization.
The 239.0.0.0/8 range is assigned by RFC 2365 for private multicast use within an organization.
7. IPv6 multicast addresses start with _____.
IPv6 multicast addresses start with ff00::/8.
8. Ethernet frames with a value of 1 in the least-significant bit of the _____ are treated as multicast (broadcast)
frames and are sent to all network hosts.
Ethernet frames with a value of 1 in the least-significant bit of the first octet of the destination address are treated as
multicast (broadcast) frames and are sent to all network hosts.
9. Ethernet IPv4 multicast frames have a destination MAC address starting with _____.
Ethernet IPv4 multicast frames have a destination MAC address starting with 01-00-5E-xx-xx-xx.
10. Ethernet IPv6 multicast frames have a destination MAC address starting with _____.
Ethernet IPv6 multicast frames have a destination MAC address starting with 33-33-xx-xx-xx-xx.
11. The Internet Group Management Protocol (IGMP) is a communications protocol used by hosts and adjacent
routers on IPv4 networks to _____.
The Internet Group Management Protocol (IGMP) is a communications protocol used by hosts and adjacent routers
on IPv4 networks to establish multicast group memberships.
12. Multicast management on IPv6 networks is handled by _____ which uses _____ messaging.
Multicast management on IPv6 networks is handled by Multicast Listener Discovery (MLD) which uses ICMPv6
messaging.
13. Neighbor Discovery Protocol (NDP) is an _____ layer protocol in the Internet Protocol Suite used with IPv6.
Neighbor Discovery Protocol (NDP) is an Internet layer protocol in the Internet Protocol Suite used with IPv6.
14. NDP is responsible for _____.
NDP is responsible for address autoconfiguration of nodes, discovery of other nodes on the link, determining the
Link Layer addresses of other nodes, duplicate address detection, finding available routers and Domain Name
System (DNS) servers, address prefix discovery, and maintaining reachability information about the paths to other
active neighbor nodes.
15. NDP defines five ICMPv6 packet types: _____.
NDP defines five ICMPv6 packet types: Router Solicitation, Router Advertisement, Neighbor Solicitation, Neighbor
Advertisement, and Redirect.
Flashcards
• Test your understanding of this lesson.
• Test your understanding of the key terms.
References
[1] http://wiki.wireshark.org/IGMP
[2] Wikipedia: Multicast
[3] Wikipedia: Multicast#IP multicast
[4] Wikipedia: Multicast#Multicast Routing
[5] Wikipedia: Multicast address#IPv4
[6] Wikipedia: Multicast address#Administratively Scoped IPv4 Multicast addresses
[7] Wikipedia: Multicast address#IPv6
[8] Wikipedia: Multicast address#Ethernet
[9] Wikipedia: Multicast address#Ethernet
[10] Wikipedia: Multicast address#Ethernet
[11] Wikipedia: Internet Group Management Protocol
[12] Wikipedia: Internet Group Management Protocol
[13] Wikipedia: Multicast Listener Discovery
[14] Wikipedia: Neighbor Discovery Protocol
[15] Wikipedia: Neighbor Discovery Protocol
[16] Wikipedia: Neighbor Discovery Protocol#Technical details
[17] Wikipedia: IPTV
[18] Wikipedia: Internet Relay Chat
[19] Wikipedia: Overlay network
[20] RFC 4861
[21] RFC 4861
[22] Wikipedia: Peer-to-peer
[23] Wikipedia: Presence information
[24] RFC 4861
[25] RFC 4861
[26] RFC 4861
[27] Wikipedia: Streaming media
http://en.wikiversity.org/w/index.php?title=File:Nuvola_apps_cache
http://en.wikiversity.org/w/index.php?title=Internet_protocol_analysis/Multicast/Lesson_flashcards
http://en.wikiversity.org/w/index.php?title=Internet_protocol_analysis/Multicast/Terms_flashcards
http://en.wikiversity.org/w/index.php?title=File:Nuvola_filesystems_folder_orange
http://wiki.wireshark.org/IGMP
http://en.wikipedia.org/wiki/Multicast
http://en.wikipedia.org/wiki/Multicast#IP_multicast
http://en.wikipedia.org/wiki/Multicast#Multicast_Routing
http://en.wikipedia.org/wiki/Multicast_address#IPv4
http://en.wikipedia.org/wiki/Multicast_address#Administratively_Scoped_IPv4_Multicast_addresses
http://en.wikipedia.org/wiki/Multicast_address#IPv6
http://en.wikipedia.org/wiki/Multicast_address#Ethernet
http://en.wikipedia.org/wiki/Multicast_address#Ethernet
http://en.wikipedia.org/wiki/Multicast_address#Ethernet
http://en.wikipedia.org/wiki/Internet_Group_Management_Protocol
http://en.wikipedia.org/wiki/Internet_Group_Management_Protocol
http://en.wikipedia.org/wiki/Multicast_Listener_Discovery
http://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol
http://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol
http://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol#Technical_details
http://en.wikipedia.org/wiki/IPTV
http://en.wikipedia.org/wiki/Internet_Relay_Chat
http://en.wikipedia.org/wiki/Overlay_network
http://en.wikipedia.org/wiki/Peer-to-peer
http://en.wikipedia.org/wiki/Presence_information
http://en.wikipedia.org/wiki/Streaming_media
Capture and Analyze IPv4 Multicast Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and analyze IPv4 multicast traffic.
Readings
• Wikipedia: Multicast
• Wikipedia: Multicast Address
• Wikipedia: Simple Service Discovery Protocol (SSDP)
• Wikipedia: Web Services Dynamic Discovery (WS-Discovery)
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
Activity 1 – Capture IPv4 Multicast Traffic
To capture IPv4 multicast traffic:
1. Start a Wireshark capture.
2. In Windows, select Start and then type Network and Sharing Center in the Run box. Press Enter.
3. Select Change advanced sharing settings.
4. Note the current status of Network discovery. If it is already on, select Turn off network discovery and Save
changes.
5. Select Turn on network discovery and Save changes.
6. Wait a few seconds for network discovery to generate multicast traffic.
7. If Network discovery was initially off, select Turn off network discovery and Save changes to return the status
to the original setting. If network discovery was initially on, leave it on.
8. Stop the Wireshark capture.
Activity 2 – Analyze IPv4 Multicast Traffic
To analyze IPv4 multicast traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. To view only IPv4 multicast traffic, type
ip.addr >= 224.0.0.0 (lower case) in the Filter box and press Enter.
2. The traffic you are most likely to see is Simple Service Discovery Protocol (SSDP) traffic. You may also see
Web Services Dynamic Discovery (WS-Discovery) traffic or other multicast traffic. Whatever you find, select the
first frame.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 4 frame.
4. Expand Ethernet II to view the Ethernet details.
5. Observe the Destination address. Notice that it starts with 01:00:5e, the Ethernet multicast address prefix for IPv4.
6. Expand Internet Protocol Version 4 to view IPv4 details.
7. Observe the Destination address. Notice that it is in the 224.0.0.0 – 239.255.255.255 IPv4 multicast range. If it is
SSDP or WS-Discovery traffic, it will be addressed to 239.255.255.250.
8. Select additional frames and observe the Ethernet and IPv4 details for multicast traffic.
9. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
References
• Wireshark: User’s Guide [2], http://www.wireshark.org/docs/wsug_html_chunked/
Capture and Analyze IPv6 Multicast Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and analyze IPv6 multicast traffic.
Readings
• Wikipedia: Multicast
• Wikipedia: Multicast Address
• Wikipedia: Simple Service Discovery Protocol (SSDP)
• Wikipedia: Web Services Dynamic Discovery (WS-Discovery)
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
Activity 1 – Capture IPv6 Multicast Traffic
To capture IPv6 multicast traffic:
1. Start a Wireshark capture.
2. In Windows, select Start and then type Network and Sharing Center in the Run box. Press Enter.
3. Select Change advanced sharing settings.
4. Note the current status of Network discovery. If it is already on, select Turn off network discovery and Save
changes.
5. Select Turn on network discovery and Save changes.
6. Wait a few seconds for network discovery to generate multicast traffic.
7. If Network discovery was initially off, select Turn off network discovery and Save changes to return the status
to the original setting. If network discovery was initially on, leave it on.
8. Stop the Wireshark capture.
Activity 2 – Analyze IPv6 Multicast Traffic
To analyze IPv6 multicast traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. To view only IPv6 multicast traffic, type
ipv6.addr >= ff00:: (lower case) in the Filter box and press Enter.
2. The traffic you are most likely to see is ICMPv6 and Simple Service Discovery Protocol (SSDP) traffic. You may
also see Web Services Dynamic Discovery (WS-Discovery) traffic or other multicast traffic. Whatever you find,
select the first frame.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 6 frame.
4. Expand Ethernet II to view the Ethernet details.
5. Observe the Destination address. Notice that it starts with 33:33, the Ethernet multicast address prefix for IPv6.
6. Expand Internet Protocol Version 6 to view IPv6 details.
7. Observe the Destination address. Notice that it begins with ff (ff00::/8), the IPv6 multicast range. If it is SSDP or
WS-Discovery traffic, it will be addressed to ff02::c.
8. Select additional frames and observe the Ethernet and IPv6 details for multicast traffic.
9. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
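The Ethernet prefixes observed in step 5 of the IPv4 activity (01:00:5e) and step 5 of the IPv6 activity (33:33) are not arbitrary: the frame's destination is derived from the low-order bits of the IP group address. The following Python script is an added example and not part of this Wikiversity guide; it derives the expected Ethernet destination for any IPv4 or IPv6 group and checks a handful of constructed sample frames (the frames, addresses and function names are the example's own, not Wireshark's) for disagreement between the two layers.

```python
import ipaddress

# Mapping of IP multicast groups to Ethernet destination addresses:
#   IPv4 (RFC 1112): 01:00:5e + the 23 low-order bits of the group address
#   IPv6 (RFC 2464): 33:33   + the 32 low-order bits of the group address
IPV4_MCAST_OUI = bytes([0x01, 0x00, 0x5E])
IPV6_MCAST_PREFIX = bytes([0x33, 0x33])


def is_multicast(ip: str) -> bool:
    """True for 224.0.0.0/4 (IPv4) or ff00::/8 (IPv6)."""
    return ipaddress.ip_address(ip).is_multicast


def multicast_mac(ip: str) -> str:
    """Ethernet destination a correctly built frame for this group must carry."""
    addr = ipaddress.ip_address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not a multicast address")
    if addr.version == 4:
        tail = (int(addr) & 0x7FFFFF).to_bytes(3, "big")      # keep 23 bits
        octets = IPV4_MCAST_OUI + tail
    else:
        tail = (int(addr) & 0xFFFFFFFF).to_bytes(4, "big")    # keep 32 bits
        octets = IPV6_MCAST_PREFIX + tail
    return ":".join(f"{b:02x}" for b in octets)


def check_frame(eth_dst: str, ip_dst: str) -> str:
    """Classify one frame by its layer-2 and layer-3 destinations.

    'multicast-ok'           IP group and Ethernet address agree
    'multicast-l2-mismatch'  multicast IP, but a wrong Ethernet destination
    'unicast-in-mcast-frame' non-multicast IP inside a multicast frame
    'not-multicast'          ordinary unicast or broadcast packet
    """
    eth_dst = eth_dst.lower()
    if not is_multicast(ip_dst):
        if eth_dst.startswith(("01:00:5e", "33:33")):
            return "unicast-in-mcast-frame"
        return "not-multicast"
    return "multicast-ok" if eth_dst == multicast_mac(ip_dst) else "multicast-l2-mismatch"


# Constructed sample frames (not from a capture): (Ethernet dst, IP dst, note)
SAMPLE_FRAMES = [
    ("01:00:5e:7f:ff:fa", "239.255.255.250", "SSDP / WS-Discovery over IPv4"),
    ("33:33:00:00:00:0c", "ff02::c", "SSDP / WS-Discovery over IPv6"),
    ("33:33:00:01:00:03", "ff02::1:3", "LLMNR"),
    ("ff:ff:ff:ff:ff:ff", "239.255.255.250", "multicast group in a broadcast frame"),
    ("00:11:22:33:44:55", "10.0.0.5", "plain unicast"),
]


def audit(frames=SAMPLE_FRAMES) -> dict:
    """Run check_frame over a list of (eth_dst, ip_dst, note) tuples, keyed by note."""
    return {note: check_frame(eth, ip) for eth, ip, note in frames}


if __name__ == "__main__":
    for note, verdict in audit().items():
        print(f"{verdict:24} {note}")
```

Two caveats carry over to real captures. The display filter ip.addr >= 224.0.0.0 used in the activity also matches the reserved 240.0.0.0/4 block and the limited broadcast address 255.255.255.255, whereas is_multicast() above tests only 224.0.0.0/4. And because only 23 bits of an IPv4 group survive the mapping, 32 groups (224.1.1.1 and 225.1.1.1, for instance) share one Ethernet address, so the host's IP layer, not the NIC's hardware filter, decides which group a received frame belongs to. A multicast group carried in a frame whose Ethernet destination does not match the mapping is worth a second look, since a normal stack never produces one.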
References
• Wireshark: User’s Guide [2], http://www.wireshark.org/docs/wsug_html_chunked/
Capture and Analyze ICMPv6 Neighbor Discovery Protocol (NDP) Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and analyze ICMPv6 Neighbor Discovery Protocol (NDP) traffic.
Note: To complete this activity, you must have an administrative user account or know the username and
password of an administrator account you can enter when prompted.
Readings
• Wikipedia: ICMPv6
• Wikipedia: Neighbor Discovery Protocol (NDP)
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
Activity 1 – Display Teredo Status
To display Teredo status:
1. Open an elevated/administrator command prompt.
2. Type netsh interface teredo show status and press Enter.
3. Observe the Teredo status.
Activity 2 – Disable Teredo
If Teredo is currently enabled, disable it:
1. Type netsh interface teredo set state disabled and press Enter.
2. Use ipconfig to confirm that Teredo was disabled.
Activity 3 – Capture ICMPv6 NDP Traffic
To capture ICMPv6 NDP traffic:
1. Start a Wireshark capture.
2. Type netsh interface teredo set state enabled and press Enter.
3. Use ipconfig to display Teredo settings. Note your IPv6 addresses.
4. Use ping 2001:4860:4860::8888 to ping an Internet host by IPv6 address.
5. Close the command prompt.
6. Stop the Wireshark capture.
Activity 4 – Analyze Neighbor Solicitation Traffic
To analyze Neighbor Solicitation traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. To view only ICMPv6 traffic, type icmpv6
(lower case) in the Filter box and press Enter.
2. Select the first ICMPv6 packet labeled Neighbor Solicitation.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 6 / Internet Control Message Protocol v6 frame.
4. Expand Ethernet II to view the Ethernet details.
5. Observe the Destination address. Notice that it starts with 33:33, the Ethernet multicast address prefix for IPv6.
6. Expand Internet Protocol Version 6 to view IPv6 details.
7. Observe the Destination address. Notice that it begins with ff (ff00::/8), the IPv6 multicast range.
8. Expand Internet Control Message Protocol v6 to view ICMPv6 details.
9. Observe the Type, Target Address, and Source link-layer address.
Activity 5 – Analyze Neighbor Advertisement Traffic
To analyze Neighbor Advertisement traffic:
1. Observe the traffic captured in the top Wireshark packet list pane.
2. Select the next ICMPv6 packet labeled Neighbor Advertisement.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 6 / Internet Control Message Protocol v6 frame.
4. Expand Ethernet II to view the Ethernet details.
5. Observe the Destination address. Notice that it matches the source link-layer address from the Neighbor
Solicitation packet above.
6. Expand Internet Protocol Version 6 to view IPv6 details.
7. Observe the Source address. Notice that it matches the target address from the Neighbor Solicitation packet
above.
8. Expand Internet Control Message Protocol v6 to view ICMPv6 details.
9. Observe the Type, Target Address, and Target link-layer address. Notice that the Neighbor Advertisement is a
direct response to the Neighbor Solicitation in the previous packet.
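Activities 4 and 5 have you compare these fields by eye: the Solicitation goes to a multicast group, and the Advertisement comes back from the target address to the asker's link-layer address. The script below is an added example and not part of this guide. It computes the solicited-node group an address-resolution Solicitation must be sent to (ff02::1:ff00:0/104 plus the low 24 bits of the target, per RFC 4291), maps that group to its 33:33 Ethernet address, and pairs constructed sample Solicitations and Advertisements. The packet records, addresses and function names are the example's own assumptions rather than Wireshark field names.

```python
import ipaddress

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))

NEIGHBOR_SOLICITATION = 135    # ICMPv6 Type values from RFC 4861
NEIGHBOR_ADVERTISEMENT = 136


def solicited_node_address(target: str) -> str:
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the target (RFC 4291)."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24))


def ipv6_multicast_mac(group: str) -> str:
    """33:33 followed by the low 32 bits of the IPv6 group (RFC 2464)."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))


def check_solicitation(ns: dict) -> list:
    """Return the inconsistencies in a Neighbor Solicitation (empty list == consistent)."""
    problems = []
    if not ipaddress.IPv6Address(ns["dst"]).is_multicast:
        return problems   # unicast NS: reachability probe to a known neighbour, no group to check
    expected = solicited_node_address(ns["target"])
    if ns["dst"] != expected:
        problems.append(f"dst {ns['dst']} is not the solicited-node group {expected}")
    if ns["eth_dst"].lower() != ipv6_multicast_mac(ns["dst"]):
        problems.append("Ethernet destination does not map to the IPv6 group")
    return problems


def pair_advertisements(packets: list):
    """Pair each Neighbor Advertisement with the outstanding Solicitation for the same target.

    Returns (pairs, unsolicited): pairs are (ns_index, na_index); unsolicited lists the
    indices of Advertisements that answer no Solicitation in the trace.
    """
    pending = {}            # target address -> index of the Solicitation awaiting a reply
    pairs, unsolicited = [], []
    for i, p in enumerate(packets):
        if p["type"] == NEIGHBOR_SOLICITATION:
            pending[p["target"]] = i
        elif p["type"] == NEIGHBOR_ADVERTISEMENT:
            j = pending.get(p["target"])
            ns = packets[j] if j is not None else None
            # The reply must come from the target and go back to the asker's MAC,
            # which is exactly what Activity 5 has you compare in Wireshark.
            if ns and p["src"] == ns["target"] and p["eth_dst"].lower() == ns["src_lladdr"].lower():
                pairs.append((j, i))
                del pending[p["target"]]
            else:
                unsolicited.append(i)
    return pairs, unsolicited


# Constructed sample packets (not from a capture); keys mirror the fields the activity
# has you observe: Type, Target Address, Source/Target link-layer address.
SAMPLE_PACKETS = [
    {"type": 135, "src": "fe80::1", "dst": "ff02::1:ff00:2", "eth_dst": "33:33:ff:00:00:02",
     "target": "fe80::2", "src_lladdr": "02:00:00:00:00:01"},
    {"type": 136, "src": "fe80::2", "dst": "fe80::1", "eth_dst": "02:00:00:00:00:01",
     "target": "fe80::2", "target_lladdr": "02:00:00:00:00:02"},
    {"type": 136, "src": "fe80::9", "dst": "ff02::1", "eth_dst": "33:33:00:00:00:01",
     "target": "fe80::9", "target_lladdr": "02:00:00:00:00:09"},   # nobody asked for fe80::9
]

if __name__ == "__main__":
    print("NS problems:", check_solicitation(SAMPLE_PACKETS[0]))
    print("pairs, unsolicited:", pair_advertisements(SAMPLE_PACKETS))
```

An unsolicited Advertisement is not automatically suspicious: RFC 4861 lets a node send one to announce a changed link-layer address. The pairing simply separates the request/reply exchanges the activity walks through from everything else in the trace, so the remainder can be examined on its own.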
Activity 6 – Analyze Multicast Listener Report Traffic
To analyze Multicast Listener Report traffic:
1. Observe the traffic captured in the top Wireshark packet list pane.
2. Select the next ICMPv6 packet labeled Multicast Listener Report Message v2.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 6 / Internet Control Message Protocol v6 frame.
4. Expand Ethernet II to view the Ethernet details.
5. Observe the Destination address. Notice that it starts with 33:33, the Ethernet multicast address prefix for IPv6.
6. Expand Internet Protocol Version 6 to view IPv6 details.
7. Observe the Destination address. Notice that it begins with ff (ff00::/8), the IPv6 multicast range.
8. Expand Internet Control Message Protocol v6 to view ICMPv6 details.
9. Observe the Type and the Multicast Address Record Changed. The address ff02::1:3 is used for LLMNR.
Activity 7 – Analyze Router Solicitation Traffic
To analyze Router Solicitation traffic:
1. Observe the traffic captured in the top Wireshark packet list pane.
2. Scroll down to select the next ICMPv6 packet labeled Router Solicitation.
3. Observe the packet details in the middle Wireshark packet details pane. If this is a Teredo packet, you will see
that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Teredo IPv6 Over UDP tunneling
/ Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
4. Expand Internet Protocol Version 6 to view IPv6 details.
5. Observe the Source address and Destination address. Notice that the Destination address is ff02::2, the IPv6
link-local all-routers multicast address.
Activity 8 – Analyze Router Advertisement Traffic
To analyze Router Advertisement traffic:
1. Observe the traffic captured in the top Wireshark packet list pane.
2. Scroll down to select the next ICMPv6 packet labeled Router Advertisement.
3. Observe the packet details in the middle Wireshark packet details pane. If this is a Teredo packet, you will see
that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Teredo IPv6 Over UDP tunneling
/ Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
4. Expand Internet Protocol Version 6 to view IPv6 details.
5. Observe the Source address and Destination address. Notice that the Destination address matches the Source
address in the Router Solicitation packet above.
6. Expand Internet Control Message Protocol v6 to view ICMPv6 details.
7. Observe Router Advertisement details.
8. Expand ICMPv6 Option to view Prefix information.
9. Observe Prefix details.
10. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
Activity 9 – Disable Teredo
If Teredo was initially disabled on your system, you should disable it again:
1. Open an elevated/administrator command prompt.
2. Type netsh interface teredo set state disabled and press Enter.
3. Use ipconfig to confirm that Teredo was disabled.
4. Close the command prompt to complete this activity.
References
• Wireshark: User’s Guide [2], http://www.wireshark.org/docs/wsug_html_chunked/
Lesson 10 – Transport Layer
Transport Layer
This lesson introduces the Transport layer and looks at User Datagram Protocol (UDP) and Transmission Control
Protocol (TCP). Activities include using netstat to display protocol statistics and using Wireshark to examine UDP
and TCP network traffic.
Readings
1. Read Wikipedia: Transport layer.
2. Read Wikipedia: User Datagram Protocol.
3. Read Wikipedia: Transmission Control Protocol.
Activities
1. Use netstat to display protocol statistics.
2. Use netstat to display all active connections and listening ports.
3. Use Wireshark to capture and analyze User Datagram Protocol (UDP) traffic.
4. Use Wireshark to capture and analyze Transmission Control Protocol (TCP) traffic.
5. Consider situations in which a packet analyzer might be used to troubleshoot transport layer traffic.
6. Use the Discuss page to post comments and questions regarding this lesson.
7. Review the lesson summary, key terms, review questions and flashcards below.
Lesson Summary
• The transport layer provides end-to-end communication services for applications.[1]
• The transport layer provides services such as connection-oriented data stream support, reliability, flow control,
and multiplexing.[2]
• The Transmission Control Protocol (TCP) is used for connection-oriented transmissions. The User Datagram
Protocol (UDP) is used for connection-less messaging transmissions.[3]
• Many of the services attributed to the transport layer are specific to TCP and do not apply to UDP. These include
connections, byte oriented data streams, sequencing, reliability, flow control, and congestion avoidance.[4]
• Transport layer protocols include source and destination port numbers to identify process-to-process
communication.[5] Sessions are identified using the client’s IP address and port number.[6]
• TCP packets are referred to as segments. UDP packets are referred to as datagrams.[7]
• UDP has no handshaking dialogues, and thus exposes any unreliability of the underlying network protocol to the
user’s program.[8]
• UDP provides checksums for data integrity, and port numbers for addressing different functions at the source and
destination of the datagram.[9]
• UDP is simple and stateless, with minimal delay, and works well in unidirectional (broadcast / multicast)
communication.[10]
• The UDP header includes fields for: source port, destination port, length, and checksum.[11]
• TCP is reliable, ordered, heavyweight, and streaming.[12]
• UDP is unreliable, un-ordered, lightweight, and without streaming or connection control.[13]
• UDP provides a datagram service that emphasizes reduced latency over TCP stream reliability.[14] TCP is
optimized for accurate delivery rather than timely delivery.[15]
• TCP is a reliable stream delivery service that guarantees that all bytes received will be identical with bytes sent
and in the correct order.[16]
• The TCP header includes fields for: source port, destination port, sequence number, acknowledgement number,
data offset, flags, window size, checksum, and an urgent pointer.[17]
• TCP protocol operations are divided into three phases: connection establishment, data transfer, and connection
termination.[18]
• TCP connection establishment is performed through a three-way handshake exchanging sequence numbers and
acknowledgements (SYN, SYN-ACK, ACK).[19]
• TCP connection termination is performed through a four-way handshake of exchanging finish flags and
acknowledgements (FIN, ACK, FIN, ACK).[20]
• TCP achieves reliable transmission by using a sequence number to account for each byte of data.[21]
• TCP performs error detection through sequence numbers, acknowledgements, and a checksum for each packet.[22]
• TCP uses a sliding window flow control process in which the receiver specifies the amount of additional data that
it is willing to accept for the connection and the sending host can send only up to that amount of data before it
must wait for an acknowledgment from the receiving host.[23]
• TCP achieves congestion control through slow-start, congestion avoidance, fast retransmit, fast recovery, and
retransmission timeout.[24]
• TCP and UDP port numbers range from 0 to 65535.[25]
• The Internet Assigned Numbers Authority has divided TCP and UDP port numbers into three ranges. Port
numbers 0 through 1023 are used for common, well-known services. Port numbers 1024 through 49151 are
registered ports used for IANA-registered services. Ports 49152 through 65535 are dynamic ports that can be used
for any purpose.[26]
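The UDP bullets above list the four header fields and note that the checksum is the protocol's only integrity mechanism, while the last bullet gives the three IANA port ranges. The following Python is an added example and not part of this guide: it builds and decodes a UDP datagram carried over IPv4, verifies the checksum the way a dissector does, including the IPv4 pseudo-header that ties the datagram to its source and destination addresses, and classifies ports into the three ranges. The addresses, ports and payload are constructed sample values.

```python
import struct
import ipaddress

UDP_HEADER = struct.Struct("!HHHH")   # source port, destination port, length, checksum
IPPROTO_UDP = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071), shared by the IP, UDP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"                               # odd length: pad with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                                # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: str, dst_ip: str, datagram: bytes) -> int:
    """Checksum over the IPv4 pseudo-header, the UDP header (checksum field zeroed) and payload."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, IPPROTO_UDP, len(datagram)))
    zeroed = datagram[:6] + b"\x00\x00" + datagram[8:]
    csum = 0xFFFF ^ ones_complement_sum(pseudo + zeroed)   # one's complement of the sum
    return csum or 0xFFFF   # RFC 768: a computed 0 is sent as 0xFFFF, since 0 means "not computed"


def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a UDP datagram with a valid checksum."""
    body = UDP_HEADER.pack(sport, dport, UDP_HEADER.size + len(payload), 0) + payload
    return body[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, body)) + body[8:]


def parse_udp(src_ip: str, dst_ip: str, datagram: bytes) -> dict:
    """Decode the four header fields and verify the checksum, as Wireshark's UDP dissector does."""
    if len(datagram) < UDP_HEADER.size:
        raise ValueError("truncated UDP header")
    sport, dport, length, csum = UDP_HEADER.unpack(datagram[:8])
    if length != len(datagram):
        raise ValueError(f"length field {length} != {len(datagram)} bytes on the wire")
    if csum == 0:
        checksum_ok = None      # sender chose not to checksum (permitted over IPv4 only)
    else:
        checksum_ok = udp_checksum(src_ip, dst_ip, datagram) == csum
    return {"src_port": sport, "dst_port": dport, "length": length,
            "checksum": csum, "checksum_ok": checksum_ok, "payload": datagram[8:]}


def port_range(port: int) -> str:
    """IANA port ranges as given in the lesson summary."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


if __name__ == "__main__":
    # Constructed sample: a small payload from an ephemeral port to port 53
    d = build_udp("192.0.2.10", "192.0.2.53", 51515, 53, b"constructed payload")
    print(parse_udp("192.0.2.10", "192.0.2.53", d))
    print(port_range(53), port_range(51515))
```

Because the pseudo-header is part of the checksum, a datagram replayed with a different source or destination address fails verification even though the UDP bytes are untouched; that is also why a NAT device has to rewrite the UDP checksum when it rewrites addresses. Over IPv4 a sender may transmit a checksum of 0 to mean "not computed" (reported here as None), which Wireshark shows as unverified rather than bad; IPv6 requires the checksum.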
Key Terms
ACK
An acknowledgement signal passed between communicating processes or computers to signify
acknowledgement, or receipt of response, as part of a communications protocol.[27]
application programming interface (API)
A protocol intended to be used as an interface by software components to communicate with each other.[28]
Automatic Repeat reQuest (ARQ) (or Automatic Repeat Query)
An error-control method for data transmission that uses acknowledgements (messages sent by the receiver
indicating that it has correctly received a data frame or packet) and timeouts (specified periods of time allowed
to elapse before an acknowledgment is to be received) to achieve reliable data transmission over an unreliable
service.[29]
buffer
A region of a physical memory storage used to temporarily prevent data from continuing while it is being
moved from one place to another.[30]
buffer underrun
A state occurring when a buffer used to communicate between two devices or processes is fed with data at a
lower speed than the data is being read from it.[31]
checksum
A fixed-size datum computed from an arbitrary block of digital data for the purpose of detecting accidental
errors that may have been introduced during its transmission or storage.[32]
connection-oriented communication
A data communication mode whereby the devices at the end points use a protocol to establish an end-to-end
logical or physical connection before any data may be sent.[33]
connectionless
A data communication mode in which a message can be sent from one end point to another without prior
arrangement.[34]
data stream
A sequence of digitally encoded coherent signals (packets of data or data packets) used to transmit or receive
information that is in the process of being transmitted.[35]
datagram
A basic transfer unit associated with a packet-switched network in which the delivery, arrival time, and order
of arrival are not guaranteed by the network service.[36]
deadlock
A situation in which two or more competing actions are each waiting for the other to finish, and thus neither
ever does.[37]
ephemeral port
A short-lived transport protocol port allocated automatically from a predefined range.[38]
error detection
Techniques that enable reliable delivery of digital data over unreliable communication channels.[39]
flow control
The process of managing the rate of data transmission between two nodes to prevent a fast sender from
outrunning a slow receiver.[40]
handshaking
An automated process of negotiation that dynamically sets parameters of a communications channel
established between two entities before normal communication over the channel begins.[41]
latency
A measure of time delay experienced in a system.[42]
maximum segment size (MSS)
A parameter of the TCP protocol that specifies the largest amount of data that a computer or communications
device can receive in a single TCP segment.[43]
multiplexing
A method by which multiple analog message signals or digital data streams are combined into one signal over
a shared medium.[44]
NAK
A negative acknowledgement signal passed between communicating processes or computers to signify an
error or lack of acceptance as part of a communications protocol.[45]
network congestion
A data communication situation in which a link or node is carrying so much data that its quality of service
deteriorates.[46]
registered port
A transport protocol port assigned by the Internet Assigned Numbers Authority (IANA) for use with a certain
protocol or application.[47]
reliability
A reliable protocol is one that provides reliability properties with respect to the delivery of data to the intended
recipient(s), as opposed to an unreliable protocol, which does not provide notifications to the sender as to the
delivery of transmitted data.[48]
Slow-start
One of the algorithms that TCP uses to control congestion inside the network, in which the TCP window size
is increased each time an acknowledgment is received.[49]
TCP window scale option
An option to increase the TCP receive window size above its maximum value of 65,535 bytes.[50]
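To see the three phases from the lesson summary (establishment, data transfer, termination) and the sequence and acknowledgement arithmetic behind them in one place, here is an added Python example that is not part of this guide. It replays a constructed, not captured, exchange of nine TCP segments through a small phase tracker; the class, phase names and sample numbers are the example's own. The checks mirror what you can verify by hand in Wireshark: the SYN-ACK acknowledges the client's initial sequence number plus one, the final ACK of the handshake acknowledges the server's plus one, and the close is two FINs each answered by an ACK.

```python
# TCP flag bits in the header's Flags field
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


class TcpConnection:
    """Follow one connection through the three phases in the lesson summary:
    establishment (SYN, SYN-ACK, ACK), data transfer, termination (FIN, ACK, FIN, ACK)."""

    def __init__(self, client, server):
        self.client, self.server = client, server   # (ip, port) tuples
        self.phase = "closed"
        self.isn = {}            # initial sequence number announced by each endpoint
        self.fin_seen = set()    # endpoints that have sent FIN
        self.log = []

    def feed(self, src, seq: int, ack: int, flags: int) -> str:
        """Consume one segment sent by `src` and return the phase it leaves the connection in."""
        peer = self.server if src == self.client else self.client
        if flags & RST:
            self.phase = "closed"
            self.log.append("RST: aborted")
        elif flags & SYN and not flags & ACK:                 # step 1: SYN
            self.isn[src] = seq
            self.phase = "syn-sent"
            self.log.append("SYN")
        elif flags & SYN and flags & ACK:                     # step 2: SYN-ACK
            if ack != self.isn.get(peer, -1) + 1:
                raise ValueError("SYN-ACK must acknowledge the client's ISN + 1")
            self.isn[src] = seq
            self.phase = "syn-received"
            self.log.append("SYN-ACK")
        elif flags & FIN:                                     # termination: FIN (usually with ACK)
            self.fin_seen.add(src)
            self.phase = "closing"
            self.log.append("FIN")
        elif flags & ACK:
            if self.phase == "syn-received":                  # step 3: ACK completes the handshake
                if ack != self.isn.get(peer, -1) + 1:
                    raise ValueError("ACK must acknowledge the server's ISN + 1")
                self.phase = "established"
                self.log.append("ACK (established)")
            elif self.phase == "closing" and len(self.fin_seen) == 2:   # last ACK of the four-way close
                self.phase = "closed"
                self.log.append("ACK (closed)")
            else:
                self.log.append("ACK" + (" +data" if flags & PSH else ""))
        return self.phase


def run_sample():
    """Replay a constructed (not captured) exchange and return the phase after each segment."""
    c, s = ("192.0.2.10", 50123), ("192.0.2.20", 80)
    conn = TcpConnection(c, s)
    segments = [                       # (sender, seq, ack, flags)
        (c, 1000, 0, SYN),             # client ISN 1000
        (s, 5000, 1001, SYN | ACK),    # server ISN 5000, acknowledges 1001
        (c, 1001, 5001, ACK),          # handshake complete
        (c, 1001, 5001, PSH | ACK),    # 20 bytes of request data
        (s, 5001, 1021, ACK),          # server acknowledges the request
        (c, 1021, 5001, FIN | ACK),    # client closes its side
        (s, 5001, 1022, ACK),          # the FIN consumed one sequence number
        (s, 5001, 1022, FIN | ACK),    # server closes its side
        (c, 1022, 5002, ACK),          # final ACK
    ]
    return [conn.feed(*seg) for seg in segments]


if __name__ == "__main__":
    for phase in run_sample():
        print(phase)
```

When troubleshooting with a packet analyzer, the phase a connection is left in is the first thing to read off a trace: connections stuck in syn-sent mean the SYN-ACKs never arrived (a firewall, a dead host, or no listener on that port), while a connection that ends in RST rather than the FIN sequence was aborted. The tracker deliberately raises on an acknowledgement number that does not line up, because that is exactly the detail that is easy to miss when reading raw sequence numbers in the packet list.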
Review Questions
1. The transport layer provides _____.
The transport layer provides end-to-end communication services for applications.
2. The transport layer provides services such as _____.
The transport layer provides services such as connection-oriented data stream support, reliability, flow control, and
multiplexing.
3. The Transmission Control Protocol (TCP) is used for _____ transmissions. The User Datagram Protocol (UDP) is
used for _____ transmissions.
The Transmission Control Protocol (TCP) is used for connection-oriented transmissions. The User Datagram
Protocol (UDP) is used for connection-less messaging transmissions.
4. Many of the services attributed to the transport layer are specific to _____ and do not apply to _____. These
include connections, byte oriented data streams, sequencing, reliability, flow control, and congestion avoidance.
Many of the services attributed to the transport layer are specific to TCP and do not apply to UDP. These include
connections, byte oriented data streams, sequencing, reliability, flow control, and congestion avoidance.
5. Transport layer protocols include source and destination _____ to identify process-to-process communication.
Sessions are identified using _____.
Transport layer protocols include source and destination port numbers to identify process-to-process communication.
Sessions are identified using the client’s IP address and port number.
6. TCP packets are referred to as _____. UDP packets are referred to as _____.
TCP packets are referred to as segments. UDP packets are referred to as datagrams.
7. UDP has no _____, and thus exposes any unreliability of the underlying network protocol to the user’s program.
UDP has no handshaking dialogues, and thus exposes any unreliability of the underlying network protocol to the
user’s program.
8. UDP provides _____ for data integrity, and _____ for addressing different functions at the source and destination
of the datagram.
UDP provides checksums for data integrity, and port numbers for addressing different functions at the source and
destination of the datagram.
9. UDP is _____, with _____ delay, and works well in unidirectional (broadcast / multicast) communication.
UDP is simple and stateless, with minimal delay, and works well in unidirectional (broadcast / multicast)
communication.
10. The UDP header includes fields for: _____.
The UDP header includes fields for: source port, destination port, length, and checksum.
11. TCP is _____.
TCP is reliable, ordered, heavyweight, and streaming.
12. UDP is _____.
UDP is unreliable, un-ordered, lightweight, and without streaming or connection control.
13. UDP provides a datagram service that emphasizes _____ over TCP _____. TCP is optimized for _____ rather
than _____.
UDP provides a datagram service that emphasizes reduced latency over TCP stream reliability. TCP is optimized for
accurate delivery rather than timely delivery.
14. TCP is a _____ delivery service that _____.
TCP is a reliable stream delivery service that guarantees that all bytes received will be identical with bytes sent and
in the correct order.
15. The TCP header includes fields for: _____.
The TCP header includes fields for: source port, destination port, sequence number, acknowledgement number, data
offset, flags, window size, checksum, and an urgent pointer.
16. TCP protocol operations are divided into three phases: _____.
TCP protocol operations are divided into three phases: connection establishment, data transfer, and connection
termination.
17. TCP connection establishment is performed through _____.
TCP connection establishment is performed through a three-way handshake exchanging sequence numbers and
acknowledgements (SYN, SYN-ACK, ACK).
18. TCP connection termination is performed through _____.
TCP connection termination is performed through a four-way handshake of exchanging finish flags and
acknowledgements (FIN, ACK, FIN, ACK).
19. TCP achieves reliable transmission by using _____.
TCP achieves reliable transmission by using a sequence number to account for each byte of data.
20. TCP performs error detection through _____.
TCP performs error detection through sequence numbers, acknowledgements, and a checksum for each packet.
21. TCP uses a sliding window flow control process in which _____.
TCP uses a sliding window flow control process in which the receiver specifies the amount of additional data that it
is willing to accept for the connection and the sending host can send only up to that amount of data before it must
wait for an acknowledgment from the receiving host.
22. TCP achieves congestion control through _____.
TCP achieves congestion control through slow-start, congestion avoidance, fast retransmit, fast recovery, and
retransmission timeout.
23. TCP and UDP port numbers range from _____.
TCP and UDP port numbers range from 0 to 65535.
24. The Internet Assigned Numbers Authority has divided TCP and UDP port numbers into three ranges. Port
numbers _____ are used for common, well-known services. Port numbers _____ are registered ports used for
IANA-registered services. Ports _____ are dynamic ports that can be used for any purpose.
The Internet Assigned Numbers Authority has divided TCP and UDP port numbers into three ranges. Port numbers 0
through 1023 are used for common, well-known services. Port numbers 1024 through 49151 are registered ports
used for IANA-registered services. Ports 49152 through 65535 are dynamic ports that can be used for any purpose.
Flashcards
• Test your understanding of this lesson.
• Test your understanding of the key terms.
References
[1] Wikipedia: Transport layer, http://en.wikipedia.org/wiki/Transport_layer
[2] Wikipedia: Transport layer, http://en.wikipedia.org/wiki/Transport_layer
[3] Wikipedia: Transport layer, http://en.wikipedia.org/wiki/Transport_layer
[4] Wikipedia: Transport layer#Services, http://en.wikipedia.org/wiki/Transport_layer#Services
[5] Wikipedia: Transport layer#Analysis, http://en.wikipedia.org/wiki/Transport_layer#Analysis
[6] Wikipedia: Transmission Control Protocol#Resource usage, http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Resource_usage
[7] Wikipedia: Transport layer#Analysis, http://en.wikipedia.org/wiki/Transport_layer#Analysis
[8] Wikipedia: User Datagram Protocol, http://en.wikipedia.org/wiki/User_Datagram_Protocol
[9] Wikipedia: User Datagram Protocol, http://en.wikipedia.org/wiki/User_Datagram_Protocol
[10] Wikipedia: User Datagram Protocol, http://en.wikipedia.org/wiki/User_Datagram_Protocol
[11] Wikipedia: User Datagram Protocol#Packet structure, http://en.wikipedia.org/wiki/User_Datagram_Protocol#Packet_structure
[12] Wikipedia: User Datagram Protocol#Comparison of UDP and TCP, http://en.wikipedia.org/wiki/User_Datagram_Protocol#Comparison_of_UDP_and_TCP
[13] Wikipedia: User Datagram Protocol#Comparison of UDP and TCP, http://en.wikipedia.org/wiki/User_Datagram_Protocol#Comparison_of_UDP_and_TCP
[14] Wikipedia: Transmission Control Protocol, http://en.wikipedia.org/wiki/Transmission_Control_Protocol
[15] Wikipedia: Transmission Control Protocol#Network function, http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Network_function
[16] Wikipedia: Transmission Control Protocol#Network function, http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Network_function
[17] Wikipedia: Transmission Control Protocol#TCP segment structure, http://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure
[18] Wikipedia: Transmission Control Protocol#Protocol operation, http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Protocol_operation
[19] Wikipedia: Transmission Control Protocol#Protocol operation, http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Protocol_operation
[20] Wikipedia: Transmission Control Protocol#Protocol operation, http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Protocol_operation
[21] Wikipedia: Transmission Control Protocol#Reliable transmission, http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Reliable_transmission
[22] Wikipedia: Transmission Control Protocol#Error detection, http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Error_detection
[23] Wikipedia: Transmission Control Protocol#Flow control, http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Flow_control
[24] Wikipedia: Transmission Control Protocol#Congestion control, http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Congestion_control
[25] Wikipedia: Port (computer networking)#Common port numbers, http://en.wikipedia.org/wiki/Port_(computer_networking)#Common_port_numbers
[26] Wikipedia: Port (computer networking)#Common port numbers, http://en.wikipedia.org/wiki/Port_(computer_networking)#Common_port_numbers
[27] Wikipedia: Acknowledgement (data networks), http://en.wikipedia.org/wiki/Acknowledgement_(data_networks)
[28] Wikipedia: Application programming interface, http://en.wikipedia.org/wiki/Application_programming_interface
[29] Wikipedia: Automatic repeat request, http://en.wikipedia.org/wiki/Automatic_repeat_request
[30] Wikipedia: Data buffer, http://en.wikipedia.org/wiki/Data_buffer
[31] Wikipedia: Buffer underrun, http://en.wikipedia.org/wiki/Buffer_underrun
[32] Wikipedia: Checksums, http://en.wikipedia.org/wiki/Checksums
[33] Wikipedia: Connection-oriented communication, http://en.wikipedia.org/wiki/Connection-oriented_communication
[34] Wikipedia: Connectionless protocol, http://en.wikipedia.org/wiki/Connectionless_protocol
[35] Wikipedia: Data stream, http://en.wikipedia.org/wiki/Data_stream
[36] Wikipedia: Datagram, http://en.wikipedia.org/wiki/Datagram
[37] Wikipedia: Deadlock, http://en.wikipedia.org/wiki/Deadlock
[38] Wikipedia: Ephemeral port, http://en.wikipedia.org/wiki/Ephemeral_port
[39] Wikipedia: Error detection and correction, http://en.wikipedia.org/wiki/Error_detection_and_correction
[40] Wikipedia: Flow control (data), http://en.wikipedia.org/wiki/Flow_control_(data)
[41] Wikipedia: Handshaking, http://en.wikipedia.org/wiki/Handshaking
[42] Wikipedia: Latency (engineering), http://en.wikipedia.org/wiki/Latency_(engineering)
[43] Wikipedia: Maximum segment size, http://en.wikipedia.org/wiki/Maximum_segment_size
Transport Layer 100
[44][44] Wikipedia: Multiplexing
[45][45] Wikipedia: Negative-acknowledge character
[46][46] Wikipedia: Network congestion
[47][47] Wikipedia: Registered port
[48][48] Wikipedia: Reliability (computer networking)
[49][49] Wikipedia: Slow-start
[50][50] Wikipedia: TCP window scale option
Display Protocol Statistics
Netstat is a command-line tool that displays network statistics on a variety of operating systems. This activity will
show you how to use the netstat command to display statistics by protocol.
Preparation
To prepare for this activity:
1. Start your operating system.
2. Log in if necessary.
Activity 1 – Display Statistics by Protocol
To display statistics by protocol:
1. Open a command prompt.
2. Type netstat -s.
3. Press Enter.
4. Observe the statistics for IPv4, IPv6, ICMPv4, ICMPv6, TCP, and UDP.
5. Close the command prompt to complete this activity.
References
• Microsoft TechNet: Netstat [1]
References
[1] http://technet.microsoft.com/en-us/library/bb490947.aspx
Display All Active Connections and Listening Ports
Netstat is a command-line tool that displays network statistics on a variety of operating systems. This activity will
show you how to use the netstat command to display all active connections (TCP and UDP) and listening ports.
Preparation
To prepare for this activity:
1. Start your operating system.
2. Log in if necessary.
Activity 1 – Display All Active Connections
To display all active connections:
1. Open a command prompt.
2. Type netstat -a.
3. Press Enter.
4. Observe active TCP and UDP connections and listening ports, the local address and port number, the remote name or address and port number if a connection is established, and the connection status.
Activity 2 – Display All Active Connections by Number
To display all active connections by number (IP address) instead of by host name:
1. Type netstat -a -n.
2. Press Enter.
3. Observe active TCP and UDP connections and listening ports, the local address and port number, the remote name or address and port number if a connection is established, and the connection status.
4. Close the command prompt to complete this activity.
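As an added example for the two netstat activities above (it is not part of the Wikiversity guide), the Python script below parses the output of netstat -a -n into a list of sockets and reports which listening ports are bound to a wildcard address (0.0.0.0 or [::]) and therefore reachable on every interface. That is the list an administrator compares against the services the host is expected to expose. The sample output is constructed to match the Windows column layout shown by the activity; the addresses and ports in it are placeholders, and the parser assumes that layout (other operating systems print extra columns).

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of Windows `netstat -a -n` output; addresses and ports are placeholders.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49716     203.0.113.5:80         ESTABLISHED
  TCP    192.168.1.10:49720     203.0.113.5:443        TIME_WAIT
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:68             *:*
  UDP    192.168.1.10:137       *:*
"""


@dataclass
class Socket:
    proto: str
    local_addr: str
    local_port: Optional[int]
    remote_addr: str
    remote_port: Optional[int]
    state: str  # empty for UDP, which carries no connection state


def _split_endpoint(endpoint: str):
    # Split on the last colon so bracketed IPv6 addresses and "*:*" survive intact.
    addr, _, port = endpoint.rpartition(":")
    return addr, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Socket]:
    """Turn the TCP/UDP rows of netstat -a -n into Socket records; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        laddr, lport = _split_endpoint(parts[1])
        raddr, rport = _split_endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else ""
        rows.append(Socket(parts[0], laddr, lport, raddr, rport, state))
    return rows


WILDCARDS = {"0.0.0.0", "[::]"}


def listening(rows: List[Socket]) -> List[Socket]:
    # TCP sockets in LISTENING state, plus every bound UDP socket (it accepts datagrams).
    return [s for s in rows if (s.proto == "TCP" and s.state == "LISTENING") or s.proto == "UDP"]


def exposed_listeners(rows: List[Socket]):
    """Listeners bound to a wildcard address, i.e. reachable on every interface."""
    return sorted({(s.proto, s.local_port) for s in listening(rows) if s.local_addr in WILDCARDS})


def established(rows: List[Socket]):
    """(local port, remote address, remote port) for each established TCP connection."""
    return [(s.local_port, s.remote_addr, s.remote_port)
            for s in rows if s.proto == "TCP" and s.state == "ESTABLISHED"]


if __name__ == "__main__":
    sockets = parse_netstat(SAMPLE_NETSTAT)
    print("exposed listeners:", exposed_listeners(sockets))
    print("established:", established(sockets))
```

The loopback-only listener (127.0.0.1:5432) is deliberately left out of the exposed list: a service bound to loopback is not reachable from the network, which is the distinction the local address column lets you make.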
References
• Microsoft TechNet: Netstat [1]
References
[1] http://technet.microsoft.com/en-us/library/bb490947.aspx
Capture and Analyze User Datagram Protocol (UDP) Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and analyze User Datagram Protocol (UDP) traffic.
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
Activity 1 – Capture UDP Traffic
To capture UDP traffic:
1. Start a Wireshark capture.
2. Open a command prompt.
3. Type ipconfig /renew and press Enter to renew your DHCP assigned IP address. If you have a static address,
this will not generate any UDP traffic.
4. Type ipconfig /flushdns and press Enter to clear your DNS name cache.
5. Type nslookup 8.8.8.8 and press Enter to look up the hostname for IP address 8.8.8.8.
6. Close the command prompt.
7. Stop the Wireshark capture.
Activity 2 – Analyze UDP DHCP Traffic
To analyze UDP DHCP traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. To view only UDP traffic related to the DHCP
renewal, type udp.port == 68 (lower case) in the Filter box and press Enter.
2. Select the first DHCP packet, labeled DHCP Request.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
4. Expand Ethernet II to view Ethernet details.
5. Observe the Destination and Source fields. The destination should be your DHCP server’s MAC address and the source should be your MAC address. You can use ipconfig /all to confirm.
6. Expand Internet Protocol Version 4 to view IP details.
7. Observe the Source address. Notice that the source address is your IP address.
8. Observe the Destination address. Notice that the destination address is the DHCP server IP address.
9. Expand User Datagram Protocol to view UDP details.
10. Observe the Source port. Notice that it is bootpc (68), the bootp client port.
11. Observe the Destination port. Notice that it is bootps (67), the bootp server port.
12. In the top Wireshark packet list pane, select the second DHCP packet, labeled DHCP ACK.
13. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
14. Expand Ethernet II to view Ethernet details.
15. Observe the Destination and Source fields. The destination should be your MAC address and the source should be your DHCP server’s MAC address.
16. Expand Internet Protocol Version 4 to view IP details.
17. Observe the Source address. Notice that the source address is the DHCP server IP address.
18. Observe the Destination address. Notice that the destination address is your IP address.
19. Expand User Datagram Protocol to view UDP details.
20. Observe the Source port. Notice that it is bootps (67), the bootp server port.
21. Observe the Destination port. Notice that it is bootpc (68), the bootp client port.
Activity 3 – Analyze UDP DNS Traffic
To analyze UDP DNS traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. To view only UDP traffic related to the DNS lookup, type udp.port == 53 (lower case) in the Filter box and press Enter.
2. Select the first DNS packet, labeled Standard query.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Domain Name System (query) frame.
4. Expand Ethernet II to view Ethernet details.
5. Observe the Destination and Source fields. The destination should be your DNS server’s MAC address if it is local, or your default gateway’s MAC address if the DNS server is remote. The source should be your MAC address. You can use ipconfig /all to confirm.
6. Expand Internet Protocol Version 4 to view IP details.
7. Observe the Source address. Notice that the source address is your IP address.
8. Observe the Destination address. Notice that the destination address is the DNS server IP address.
9. Expand User Datagram Protocol to view UDP details.
10. Observe the Source port. Notice that it is a dynamic port selected for this DNS query.
11. Observe the Destination port. Notice that it is domain (53), the DNS server port.
12. In the top Wireshark packet list pane, select the second DNS packet, labeled Standard query response.
13. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Domain Name System (response) frame.
14. Expand Ethernet II to view Ethernet details.
15. Observe the Destination and Source fields. The destination should be your MAC address and the source should be your DNS server’s MAC address if it is local, or your default gateway’s MAC address if the DNS server is remote.
16. Expand Internet Protocol Version 4 to view IP details.
17. Observe the Source address. Notice that the source address is the DNS server IP address.
18. Observe the Destination address. Notice that the destination address is your IP address.
19. Expand User Datagram Protocol to view UDP details.
20. Observe the Source port. Notice that it is domain (53), the DNS server port.
21. Observe the Destination port. Notice that it is the same dynamic port used to make the DNS query in the first packet.
22. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
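The header walk that Activities 2 and 3 perform by hand in Wireshark, as an added Python example that is not part of the Wikiversity guide. It decodes the Ethernet II, IPv4 and UDP headers from raw frame bytes, names the ports the way Wireshark does (bootpc, bootps, domain, or a dynamic port), and classifies the exchange from the port pair alone. It goes a little beyond the activity by also verifying the IPv4 header checksum, which is how a corrupted or hand-crafted header shows up before any port is looked at. The frames it decodes are constructed inside the script by build_udp_frame; every MAC address and IP address in them is a placeholder, not captured traffic.

```python
import struct

# Port names as Wireshark displays them in the UDP header pane.
UDP_SERVICES = {53: "domain", 67: "bootps", 68: "bootpc"}
EPHEMERAL_MIN = 49152  # start of the IANA dynamic/private port range


def ipv4_checksum(header: bytes) -> int:
    """Ones' complement of the ones' complement sum of the header's 16-bit words.
    Over a header whose checksum field is already valid the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Assemble Ethernet II / IPv4 / UDP bytes for a constructed sample frame."""
    # UDP checksum 0 means "absent", which IPv4 permits; the IPv4 header checksum is mandatory.
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return struct.pack("!6s6sH", dst_mac, src_mac, 0x0800) + ip + udp


def port_label(port: int) -> str:
    if port in UDP_SERVICES:
        return "%s (%d)" % (UDP_SERVICES[port], port)
    return "dynamic (%d)" % port if port >= EPHEMERAL_MIN else str(port)


def parse_udp_frame(frame: bytes) -> dict:
    """Decode the three headers the activity expands, checking the IPv4 header checksum."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4          # header length in bytes, from the IHL nibble
    ip_hdr = frame[14:14 + ihl]
    proto, src_ip, dst_ip = ip_hdr[9], ip_hdr[12:16], ip_hdr[16:20]
    if proto != 17:
        raise ValueError("not a UDP datagram")
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", frame[14 + ihl:14 + ihl + 8])
    return {
        "eth_src": ":".join("%02x" % b for b in src_mac),
        "eth_dst": ":".join("%02x" % b for b in dst_mac),
        "ip_src": ".".join(map(str, src_ip)),
        "ip_dst": ".".join(map(str, dst_ip)),
        "ip_checksum_ok": ipv4_checksum(ip_hdr) == 0,
        "src_port": port_label(sport),
        "dst_port": port_label(dport),
        "payload_len": ulen - 8,
    }


def classify(p: dict) -> str:
    """Name the exchange the way the activity does, from the port pair alone."""
    s, d = p["src_port"], p["dst_port"]
    if s.startswith("bootpc") and d.startswith("bootps"):
        return "DHCP client -> server"
    if s.startswith("bootps") and d.startswith("bootpc"):
        return "DHCP server -> client"
    if d.startswith("domain"):
        return "DNS query"
    if s.startswith("domain"):
        return "DNS response"
    return "other UDP"


# Constructed sample frames; MACs and IPs are placeholders, not captured traffic.
CLIENT_MAC, SERVER_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
CLIENT_IP, SERVER_IP = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1])
DHCP_REQUEST = build_udp_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 68, 67, b"\x01" * 12)
DNS_QUERY = build_udp_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 52341, 53, b"\x00" * 17)
DNS_RESPONSE = build_udp_frame(SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 53, 52341, b"\x00" * 33)

if __name__ == "__main__":
    for frame in (DHCP_REQUEST, DNS_QUERY, DNS_RESPONSE):
        parsed = parse_udp_frame(frame)
        print(classify(parsed), parsed)
```

The DNS response is recognised by the same dynamic port that the query used, exactly as step 21 of Activity 3 points out; the DHCP direction is fixed by the 67/68 pair.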
References
• Wireshark: User’s Guide [2]
• Wireshark: User Datagram Protocol [1]
References
[1] http://wiki.wireshark.org/User_Datagram_Protocol
[2] http://www.wireshark.org/docs/wsug_html_chunked/
Capture and Analyze Transmission Control Protocol (TCP) Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and analyze Transmission Control Protocol (TCP) traffic.
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
4. Install the Telnet client.
Activity 1 – Capture TCP Traffic
To capture TCP traffic:
1. Start a Wireshark capture.
2. Open a command prompt.
3. Type telnet www.google.com 80 and press Enter.
4. Close the command prompt to close the TCP connection.
5. Stop the Wireshark capture.
Activity 2 – Analyze TCP SYN Traffic
To analyze TCP SYN traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. To view only TCP traffic related to the web
server connection, type tcp.port == 80 (lower case) in the Filter box and press Enter.
2. Select the first TCP packet, labeled http [SYN].
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
4. Expand Ethernet II to view Ethernet details.
5. Observe the Destination and Source fields. The destination should be your default gateway’s MAC address and the source should be your MAC address. You can use ipconfig /all to confirm.
6. Expand Internet Protocol Version 4 to view IP details.
7. Observe the Source address. Notice that the source address is your IP address.
8. Observe the Destination address. Notice that the destination address is the IP address of one of Google’s web servers.
9. Expand Transmission Control Protocol to view TCP details.
10. Observe the Source port. Notice that it is a dynamic port selected for this connection.
11. Observe the Destination port. Notice that it is http (80).
12. Observe the Sequence number. Notice that it is 0 (relative sequence number). To see the actual sequence number, select Sequence number to highlight the sequence number in the bottom Wireshark bytes pane.
13. Expand Flags to view flag details.
14. Observe the flag settings. Notice that SYN is set, indicating the first segment in the TCP three-way handshake.
Activity 3 – Analyze TCP SYN, ACK Traffic
To analyze TCP SYN, ACK traffic:
1. In the top Wireshark packet list pane, select the second TCP packet, labeled SYN, ACK.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be your MAC address and the source should be your default gateway MAC address.
5. Expand Internet Protocol Version 4 to view IP details.
6. Observe the Source address. Notice that the source address is the Google web server IP address.
7. Observe the Destination address. Notice that the destination address is your IP address.
8. Expand Transmission Control Protocol to view TCP details.
9. Observe the Source port. Notice that it is http (80).
10. Observe the Destination port. Notice that it is the same dynamic port selected for this connection.
11. Observe the Sequence number. Notice that it is 0 (relative sequence number). To see the actual sequence number, select Sequence number to highlight the sequence number in the bottom Wireshark bytes pane.
12. Observe the Acknowledgement number. Notice that it is 1 (relative ack number). To see the actual acknowledgement number, select Acknowledgement number to highlight the acknowledgement number in the bottom pane. Notice that the actual acknowledgement number is one greater than the sequence number in the previous segment.
13. Expand Flags to view flag details.
14. Observe the flag settings. Notice that SYN and ACK are set, indicating the second segment in the TCP three-way handshake.
Activity 4 – Analyze TCP ACK Traffic
To analyze TCP ACK traffic:
1. In the top Wireshark packet list pane, select the third TCP packet, labeled http ACK.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be your default gateway MAC address and the source should be your MAC address.
5. Expand Internet Protocol Version 4 to view IP details.
6. Observe the Source address. Notice that the source address is your IP address.
7. Observe the Destination address. Notice that the destination address is the Google web server IP address.
8. Expand Transmission Control Protocol to view TCP details.
9. Observe the Source port. Notice that it is the same dynamic port selected for this connection.
10. Observe the Destination port. Notice that it is http (80).
11. Observe the Sequence number. Notice that it is 1 (relative sequence number). To see the actual sequence number, select Sequence number to highlight the sequence number in the bottom Wireshark bytes pane.
12. Observe the Acknowledgement number. Notice that it is 1 (relative ack number). To see the actual acknowledgement number, select Acknowledgement number to highlight the acknowledgement number in the bottom pane.
13. Expand Flags to view flag details.
14. Observe the flag settings. Notice that ACK is set, indicating the third segment in the TCP three-way handshake. The client has established a TCP connection with the server.
Activity 5 – Analyze TCP FIN ACK Traffic
To analyze TCP FIN ACK traffic:
1. In the top Wireshark packet list pane, select the fourth TCP packet, labeled http FIN, ACK.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be your default gateway MAC address and the source should be your MAC address.
5. Expand Internet Protocol Version 4 to view IP details.
6. Observe the Source address. Notice that the source address is your IP address.
7. Observe the Destination address. Notice that the destination address is the Google web server IP address.
8. Expand Transmission Control Protocol to view TCP details.
9. Observe the Source port. Notice that it is the same dynamic port selected for this connection.
10. Observe the Destination port. Notice that it is http (80).
11. Observe the Sequence number. Notice that it is 1 (relative sequence number).
12. Observe the Acknowledgement number. Notice that it is 1 (relative ack number).
13. Expand Flags to view flag details.
14. Observe the flag settings. Notice that FIN and ACK are set, indicating the first segment in the TCP teardown handshake. The client has indicated it is closing the TCP connection with the server.
Activity 6 – Analyze TCP FIN ACK Traffic
To analyze TCP FIN ACK traffic:
1. In the top Wireshark packet list pane, select the fifth TCP packet, labeled FIN, ACK.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be your MAC address and the source should be your default gateway MAC address.
5. Expand Internet Protocol Version 4 to view IP details.
6. Observe the Source address. Notice that the source address is the Google web server IP address.
7. Observe the Destination address. Notice that the destination address is your IP address.
8. Expand Transmission Control Protocol to view TCP details.
9. Observe the Source port. Notice that it is http (80).
10. Observe the Destination port. Notice that it is the same dynamic port selected for this connection.
11. Observe the Sequence number. Notice that it is 1 (relative sequence number).
12. Observe the Acknowledgement number. Notice that it is 2 (relative ack number).
13. Expand Flags to view flag details.
14. Observe the flag settings. Notice that FIN and ACK are set, indicating the second segment in the TCP teardown handshake. The server has indicated it is closing the TCP connection with the client.
Activity 7 – Analyze TCP ACK Traffic
To analyze TCP ACK traffic:
1. In the top Wireshark packet list pane, select the sixth TCP packet, labeled http ACK.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be your default gateway MAC address and the source should be your MAC address.
5. Expand Internet Protocol Version 4 to view IP details.
6. Observe the Source address. Notice that the source address is your IP address.
7. Observe the Destination address. Notice that the destination address is the Google web server IP address.
8. Expand Transmission Control Protocol to view TCP details.
9. Observe the Source port. Notice that it is the same dynamic port selected for this connection.
10. Observe the Destination port. Notice that it is http (80).
11. Observe the Sequence number. Notice that it is 2 (relative sequence number).
12. Observe the Acknowledgement number. Notice that it is 2 (relative ack number).
13. Expand Flags to view flag details.
14. Observe the flag settings. Notice that ACK is set, indicating the third segment in the TCP teardown handshake. The client has acknowledged the server closing the TCP connection.
15. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
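The six segments that Activities 2 through 7 step through, reproduced as an added Python example that is not part of the Wikiversity guide. It decodes TCP headers from raw bytes, converts the absolute sequence and acknowledgement numbers into the relative numbers Wireshark displays (each direction's initial sequence number becomes 0), and labels each segment with its place in the three-way handshake or the teardown using a small state machine. The sample headers are constructed by build_tcp_header inside the script; the initial sequence numbers and the client port in them are placeholders.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


@dataclass
class Segment:
    src_port: int
    dst_port: int
    seq: int            # absolute 32-bit sequence number from the header
    ack: int            # absolute acknowledgement number from the header
    flags: List[str]
    payload_len: int = 0


def build_tcp_header(sport, dport, seq, ack, flags, window=65535) -> bytes:
    """Pack a 20-byte TCP header (data offset 5, checksum left 0) for a constructed sample."""
    off_flags = (5 << 12) | sum(FLAG_BITS[f] for f in flags)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)


def parse_tcp_header(data: bytes) -> Segment:
    """Decode the fixed TCP header; whatever follows the data offset counts as payload."""
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    header_len = (off_flags >> 12) * 4
    flags = [name for name, bit in FLAG_BITS.items() if off_flags & bit]
    return Segment(sport, dport, seq, ack, flags, len(data) - header_len)


def relative_numbers(segments: List[Segment], client_port: int):
    """Mimic Wireshark's relative display: the first seq seen in each direction becomes 0."""
    isn = {}
    rows = []
    for s in segments:
        me = "client" if s.src_port == client_port else "server"
        peer = "server" if me == "client" else "client"
        isn.setdefault(me, s.seq)
        rel_seq = (s.seq - isn[me]) & 0xFFFFFFFF
        rel_ack: Optional[int] = None
        if "ACK" in s.flags and peer in isn:
            rel_ack = (s.ack - isn[peer]) & 0xFFFFFFFF
        rows.append((me, rel_seq, rel_ack, s.flags, s.payload_len))
    return rows


def annotate(segments: List[Segment], client_port: int) -> List[Tuple[str, int, Optional[int], str]]:
    """Label each segment with its place in the three-way handshake or the teardown."""
    state, labels = "closed", []
    for me, rseq, rack, flags, plen in relative_numbers(segments, client_port):
        fl = set(flags)
        if state == "closed" and fl == {"SYN"}:
            label, state = "handshake 1/3: SYN", "syn_sent"
        elif state == "syn_sent" and fl == {"SYN", "ACK"}:
            label, state = "handshake 2/3: SYN, ACK", "syn_received"
        elif state == "syn_received" and fl == {"ACK"}:
            label, state = "handshake 3/3: ACK, connection established", "established"
        elif state == "established" and "FIN" in fl:
            label, state = "teardown 1/3: FIN, ACK (%s closing)" % me, "fin_wait"
        elif state == "fin_wait" and "FIN" in fl:
            label, state = "teardown 2/3: FIN, ACK (%s closing)" % me, "last_ack"
        elif state == "last_ack" and fl == {"ACK"}:
            label, state = "teardown 3/3: ACK, connection closed", "closed"
        elif state == "established":
            label = "data: %d bytes" % plen
        else:
            label = "unexpected %s in state %s" % (sorted(fl), state)
        labels.append((me, rseq, rack, label))
    return labels


# Constructed sample: the same six segments the activities examine. ISNs are placeholders.
CLIENT_PORT, SERVER_PORT = 49716, 80
C_ISN, S_ISN = 0x1A2B3C4D, 0x9E8F7A6B
SAMPLE_SEGMENTS = [parse_tcp_header(h) for h in (
    build_tcp_header(CLIENT_PORT, SERVER_PORT, C_ISN, 0, ["SYN"]),
    build_tcp_header(SERVER_PORT, CLIENT_PORT, S_ISN, C_ISN + 1, ["SYN", "ACK"]),
    build_tcp_header(CLIENT_PORT, SERVER_PORT, C_ISN + 1, S_ISN + 1, ["ACK"]),
    build_tcp_header(CLIENT_PORT, SERVER_PORT, C_ISN + 1, S_ISN + 1, ["FIN", "ACK"]),
    build_tcp_header(SERVER_PORT, CLIENT_PORT, S_ISN + 1, C_ISN + 2, ["FIN", "ACK"]),
    build_tcp_header(CLIENT_PORT, SERVER_PORT, C_ISN + 2, S_ISN + 2, ["ACK"]),
)]

if __name__ == "__main__":
    for who, rseq, rack, label in annotate(SAMPLE_SEGMENTS, CLIENT_PORT):
        print("%-6s seq=%d ack=%s  %s" % (who, rseq, rack, label))
```

The relative numbers come out as 0/–, 0/1, 1/1, 1/1, 1/2 and 2/2, matching steps 11 and 12 of the activities. The reason the first acknowledgement is 1 rather than 0, and the server's acknowledgement jumps to 2 after the client's FIN, is that SYN and FIN each consume one sequence number even though they carry no data.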
References
• Wireshark: User’s Guide [2]
• Wireshark: Transmission Control Protocol [1]
References
[1] http://wiki.wireshark.org/Transmission_Control_Protocol
[2] http://www.wireshark.org/docs/wsug_html_chunked/
Lesson 11 – Address Assignment
Address Assignment
This lesson introduces dynamic addressing and looks at the Bootstrap Protocol (BOOTP) and the Dynamic Host Configuration Protocol for IPv4 (DHCP) and IPv6 (DHCPv6). Activities include using Wireshark to examine BOOTP, DHCP, and DHCPv6 network traffic.
Readings
1. Read Wikipedia: Link-local address.
2. Read Wikipedia: Bootstrap Protocol.
3. Read Wikipedia: Dynamic Host Configuration Protocol.
4. Read Wikipedia: DHCPv6.
Activities
1. View and test a link-local address.
2. Use Wireshark to capture and analyze Dynamic Host Configuration Protocol (DHCP) traffic.
3. Use Wireshark to capture and analyze DHCPv6 traffic.
4. Consider situations in which a packet analyzer might be used to troubleshoot address assignment traffic.
5. Use the Discuss page to post comments and questions regarding this lesson.
6. Review the lesson summary, key terms, review questions and flashcards below.
Lesson Summary
• A link-local address is an Internet Protocol address that is intended only for communications within the segment
of a local network (a link) or a point-to-point connection that a host is connected to.[1]
• Routers do not forward packets with link-local addresses.[2]
• Link-local addresses for IPv4 are defined in the address block 169.254.0.0/16.[3]
• Link-local addresses for IPv6 are defined with the prefix fe80::/64.[4]
• Unlike IPv4, IPv6 requires a link-local address to be assigned to every network interface on which the IPv6
protocol is enabled, even when one or more routable addresses are also assigned.[5]
• The IPv6 link-local address is required for sublayer operations of the Neighbor Discovery Protocol (NDP) and
DHCPv6.[6]
• The Bootstrap Protocol, or BOOTP, is a network protocol used by a network client to obtain an IP address from a
configuration server.[7]
• The Dynamic Host Configuration Protocol (DHCP) is a more advanced protocol for the same purpose as BOOTP
and has superseded the use of BOOTP.[8] DHCP is an extension of BOOTP and uses the same datagram format.[9]
• Most DHCP servers also function as BOOTP servers.[10]
• The BOOTP protocol replaced the Reverse Address Resolution Protocol (RARP).[11]
• BOOTP, and therefore DHCP, supports the use of a relay agent, which allows BOOTP packets to be forwarded
from the local network so that one central BOOTP server can serve hosts on many subnets.[12]
• The Dynamic Host Configuration Protocol (DHCP) is a network protocol that is used to configure network
devices so that they can communicate on an IP network.[13]
• DHCP servers maintain a database of available IP addresses and configuration information.[14]
• Network links without a DHCP server can use DHCP relay agents to receive messages from DHCP clients and
forward them to DHCP servers. DHCP servers send responses back to the relay agent, and the relay agent then
sends these responses to the DHCP client on the local network link.[15]
• DHCP servers typically grant IP addresses to clients only for a limited interval. DHCP clients are responsible for
renewing their IP address before that interval has expired, and must stop using the address once the interval has
expired, if they have not been able to renew it.[16]
• By default, clients attempt to renew their lease using unicast (directed) traffic starting at one half of lease time,
also known as renewal time (T1).[17]
• By default, clients attempt to renew their lease using broadcast traffic starting at 87.5% of lease time, also known
as rebinding time (T2).[18]
• DHCP servers assign addresses through either dynamic or automatic allocation, or through static allocation (address reservations).[19]
• DHCPv4 operations fall into four basic phases: IP discovery, IP lease offer, IP request, and IP lease
acknowledgement. These points are often abbreviated as DORA (Discovery, Offer, Request,
Acknowledgement).[20]
• DHCPv4 options provided to clients include subnet mask, router (default gateway), domain name server, domain
name, NetBIOS name servers (WINS), lease time, renewal time (T1), rebinding time (T2), and others.[21]
• The base DHCP protocol does not include any mechanism for authentication. Because of this, it is vulnerable to a
variety of attacks including unauthorized servers, unauthorized clients, and address exhaustion attacks from
malicious clients.[22]
• DHCPv6 operations are similar to DHCPv4, but are described as Solicit, Advertise, Request, and Reply.[23]
Renewals are processed with Renew and Reply.[24]
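To make the summary's points about DHCPv4 options, the T1 and T2 timers and the lack of authentication concrete, here is an added Python example that is not part of the Wikiversity guide. It parses the type-length-value option field that follows the BOOTP fixed header (message type, server identifier, subnet mask, router, DNS servers, lease time, T1 and T2), falls back to the default renewal and rebinding times of 50% and 87.5% of the lease when the server does not send options 58 and 59, and compares the server identifier on OFFER, ACK and NAK messages against an allow-list of known DHCP servers, which is the basic check for an unauthorized server on a segment. The option bytes are constructed by build_options inside the script; the server allow-list and all addresses and times are placeholders.

```python
import struct

MAGIC_COOKIE = bytes.fromhex("63825363")  # marks the start of DHCP options inside a BOOTP message
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def build_options(items) -> bytes:
    """Encode (code, value) pairs as DHCP options behind the magic cookie, ending with 255."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in items:
        out += bytes([code, len(value)]) + value
    out.append(255)
    return bytes(out)


def parse_options(data: bytes) -> dict:
    """Walk the option field and return {code: raw value}. Pad (0) is skipped, End (255) stops.
    Truncated options raise ValueError instead of being silently accepted."""
    if data[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    i, opts = 4, {}
    while i < len(data):
        code = data[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header for code %d" % code)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        opts[code] = value
        i += 2 + length
    return opts


def is_well_formed(data: bytes) -> bool:
    try:
        parse_options(data)
        return True
    except ValueError:
        return False


def _ip4(b: bytes) -> str:
    return ".".join(map(str, b))


def _u32(b: bytes) -> int:
    return struct.unpack("!I", b)[0]


def summarize(opts: dict) -> dict:
    """Pull out the options the lesson lists, applying the default T1/T2 when absent."""
    lease = _u32(opts[51]) if 51 in opts else None
    return {
        "message_type": MESSAGE_TYPES.get(opts[53][0], "unknown") if 53 in opts else None,
        "server_id": _ip4(opts[54]) if 54 in opts else None,
        "subnet_mask": _ip4(opts[1]) if 1 in opts else None,
        "router": _ip4(opts[3][:4]) if 3 in opts else None,   # first router if several are listed
        "dns": [_ip4(opts[6][i:i + 4]) for i in range(0, len(opts[6]), 4)] if 6 in opts else [],
        "lease": lease,
        # Defaults from the lesson: T1 is one half and T2 is 87.5% of the lease time.
        "t1": _u32(opts[58]) if 58 in opts else (lease // 2 if lease else None),
        "t2": _u32(opts[59]) if 59 in opts else (lease * 7 // 8 if lease else None),
    }


def check_server(summary: dict, authorized) -> str:
    """DHCP carries no authentication, so the allow-list comparison below is the basic
    rogue-server check: any OFFER/ACK/NAK whose Server Identifier is unknown is flagged."""
    if summary["message_type"] in ("OFFER", "ACK", "NAK") and summary["server_id"] not in authorized:
        return "ALERT: %s from unexpected server %s" % (summary["message_type"], summary["server_id"])
    return "ok"


# Constructed samples; the allow-list, addresses and times are placeholders.
AUTHORIZED_SERVERS = {"192.168.1.1"}
SAMPLE_ACK = build_options([
    (53, b"\x05"), (54, bytes([192, 168, 1, 1])), (1, bytes([255, 255, 255, 0])),
    (3, bytes([192, 168, 1, 1])), (6, bytes([192, 168, 1, 1, 8, 8, 8, 8])),
    (51, struct.pack("!I", 86400)),
])
ROGUE_OFFER = build_options([
    (53, b"\x02"), (54, bytes([192, 168, 1, 77])), (51, struct.pack("!I", 3600)),
    (58, struct.pack("!I", 1800)), (59, struct.pack("!I", 3150)),
])

if __name__ == "__main__":
    for blob in (SAMPLE_ACK, ROGUE_OFFER):
        s = summarize(parse_options(blob))
        print(s, check_server(s, AUTHORIZED_SERVERS))
```

In a capture the allow-list check is applied to the Server Identifier of every OFFER and ACK, since a second server answering DISCOVER messages is exactly what the summary's "unauthorized servers" bullet describes.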
Key Terms
Automatic Private IP Addressing (APIPA)
Microsoft’s terminology for link-local addressing.[25]
Bootstrapping
A self-sustaining process that proceeds without external help.[26]
diskless node
A workstation or personal computer without disk drives, which employs network booting to load its operating
system from a server.[27]
fault-tolerant
A design that enables a system to continue operation, possibly at a reduced level, rather than failing
completely when some part of the system fails.[28]
Preboot eXecution Environment (PXE, sometimes pronounced “pixie”)
An environment to boot computers using a network interface independent of local data storage devices (like
hard disks) or installed operating systems.[29]
Reverse Address Resolution Protocol (RARP)
An obsolete protocol that finds the logical IP address for a machine that knows only its physical address.[30]
Review Questions
1. A link-local address is an Internet Protocol address that is _____.
A link-local address is an Internet Protocol address that is intended only for communications within the segment of a
local network (a link) or a point-to-point connection that a host is connected to.
2. Routers _____ packets with link-local addresses.
Routers do not forward packets with link-local addresses.
3. Link-local addresses for IPv4 are defined in the address block _____.
Link-local addresses for IPv4 are defined in the address block 169.254.0.0/16.
4. Link-local addresses for IPv6 are defined with the prefix _____.
Link-local addresses for IPv6 are defined with the prefix fe80::/64.
5. Unlike _____, _____ requires a link-local address to be assigned to every network interface on which the _____
protocol is enabled, even when one or more routable addresses are also assigned.
Unlike IPv4, IPv6 requires a link-local address to be assigned to every network interface on which the IPv6 protocol
is enabled, even when one or more routable addresses are also assigned.
6. The IPv6 link-local address is required for sublayer operations of _____.
The IPv6 link-local address is required for sublayer operations of the Neighbor Discovery Protocol (NDP) and
DHCPv6.
7. The Bootstrap Protocol, or BOOTP, is a network protocol used by a network client to _____.
The Bootstrap Protocol, or BOOTP, is a network protocol used by a network client to obtain an IP address from a
configuration server.
8. The Dynamic Host Configuration Protocol (DHCP) is a more advanced protocol for the same purpose as _____
and has superseded the use of _____. DHCP is an extension of _____ and uses the same datagram format.
The Dynamic Host Configuration Protocol (DHCP) is a more advanced protocol for the same purpose as BOOTP
and has superseded the use of BOOTP. DHCP is an extension of BOOTP and uses the same datagram format.
9. Most DHCP servers also function as _____ servers.
Most DHCP servers also function as BOOTP servers.
10. The BOOTP protocol replaced _____.
The BOOTP protocol replaced the Reverse Address Resolution Protocol (RARP).
11. BOOTP, and therefore DHCP, supports the use of a relay agent, which _____.
BOOTP, and therefore DHCP, supports the use of a relay agent, which allows BOOTP packets to be forwarded from
the local network so that one central BOOTP server can serve hosts on many subnets.
12. The Dynamic Host Configuration Protocol (DHCP) is a network protocol that is used to _____.
The Dynamic Host Configuration Protocol (DHCP) is a network protocol that is used to configure network devices
so that they can communicate on an IP network.
13. DHCP servers maintain _____.
DHCP servers maintain a database of available IP addresses and configuration information.
14. Network links without a DHCP server can use _____ to receive messages from DHCP clients and forward them
to DHCP servers.
Network links without a DHCP server can use DHCP relay agents to receive messages from DHCP clients and
forward them to DHCP servers.
15. DHCP servers typically grant IP addresses to clients only for _____. DHCP clients are responsible for _____,
and must _____.
DHCP servers typically grant IP addresses to clients only for a limited interval. DHCP clients are responsible for
renewing their IP address before that interval has expired, and must stop using the address once the interval has
expired, if they have not been able to renew it.
16. By default, clients attempt to renew their lease using _____ traffic starting at one half of lease time, also known
as _____ time (T1).
By default, clients attempt to renew their lease using unicast (directed) traffic starting at one half of lease time, also
known as renewal time (T1).
17. By default, clients attempt to renew their lease using _____ traffic starting at 87.5% of lease time, also known as
_____ time (T2).
By default, clients attempt to renew their lease using broadcast traffic starting at 87.5% of lease time, also known as
rebinding time (T2).
18. DHCP servers assign addresses through either _____.
DHCP servers assign addresses through either dynamic or automatic allocation, or through static allocation (address
reservations).
19. DHCPv4 operations fall into four basic phases: _____. These points are often abbreviated as _____.
DHCPv4 operations fall into four basic phases: IP discovery, IP lease offer, IP request, and IP lease
acknowledgement. These points are often abbreviated as DORA (Discovery, Offer, Request, Acknowledgement).
20. DHCPv4 options provided to clients include _____.
DHCPv4 options provided to clients include subnet mask, router (default gateway), domain name server, domain
name, NetBIOS name servers (WINS), lease time, renewal time (T1), rebinding time (T2), and others.
21. The base DHCP protocol does not include any mechanism for authentication. Because of this, it is vulnerable to
a variety of attacks including _____.
The base DHCP protocol does not include any mechanism for authentication. Because of this, it is vulnerable to a
variety of attacks including unauthorized servers, unauthorized clients, and address exhaustion attacks from
malicious clients.
22. DHCPv6 operations are similar to DHCPv4, but are described as _____. Renewals are processed with _____.
DHCPv6 operations are similar to DHCPv4, but are described as Solicit, Advertise, Request, and Reply. Renewals
are processed with Renew and Reply.
Flashcards
• Test your understanding of this lesson.
• Test your understanding of the key terms.
View and Test a Link-Local Address
A link-local address is an Internet Protocol address that is intended only for communications within the segment of a
local network (a link) or a point-to-point connection that a host is connected to. These activities will show you how
to view and test link-local addresses.
Activity 1 – Confirm DHCP Address
1. Open a command prompt.
2. Use ipconfig /all to verify that you have a DHCP-assigned IP address. You should see DHCP Enabled Yes and a
DHCP Server IP address. If not, just read along with the following activities rather than completing them.
Activity 2 – Test Internet Connectivity
1. Use ping 8.8.8.8 to ping an Internet host by IP address.
2. Observe the results. The ping request should be successful, indicating Internet connectivity.
Activity 3 – Obtain a Link-Local Address
To obtain a link-local address:
1. Type ipconfig /release and press Enter to release any DHCP-assigned IP addresses.
2. Observe that no IPv4 address is assigned.
3. Wait ten seconds, then type ipconfig and press Enter. Repeat if necessary. After ten seconds, your
computer should obtain a link-local IP address in the range 169.254.0.0 – 169.254.255.255 (169.254.0.0/16).
4. If IPv6 is configured, you should also see a link-local IPv6 address starting with fe80::/64.
Activity 4 – Test the Link-Local Address
To test the link-local address:
1. Use ping 8.8.8.8 to ping an Internet host by IP address.
2. Observe the results. The ping request should fail, because link-local addresses do not have a default gateway
assigned and are not routable to the Internet.
Activity 5 – Restore a DHCP-Assigned Address
To restore a DHCP-assigned address:
1. Type ipconfig /renew and press Enter.
2. Observe the results. An IP address should be assigned from the DHCP server.
Activity 6 – Test Internet Connectivity
1. Use ping 8.8.8.8 to ping an Internet host by IP address.
2. Observe the results. The ping request should be successful, indicating Internet connectivity.
3. Close the command prompt to complete this activity.
See Also
• Internet Protocol Analysis – Address Assignment
References
• Microsoft TechNet: Ipconfig – http://technet.microsoft.com/en-us/library/bb490921.aspx
Capture and Analyze Dynamic Host Configuration Protocol (DHCP) Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and analyze Dynamic Host Configuration Protocol (DHCP) traffic.
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
Activity 1 – Capture DHCP Traffic
To capture DHCP traffic:
1. Start a Wireshark capture.
2. Open a command prompt.
3. Type ipconfig /renew and press Enter.
4. Type ipconfig /release and press Enter.
5. Type ipconfig /renew and press Enter.
6. Close the command prompt.
7. Stop the Wireshark capture.
Activity 2 – Analyze DHCP Request Traffic
To analyze DHCP Request (lease renewal) traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. To view only DHCP traffic, type udp.port ==
68 (lower case) in the Filter box and press Enter.
2. In the top Wireshark packet list pane, select the first DHCP packet, labeled DHCP Request.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
4. Expand Ethernet II to view Ethernet details.
5. Observe the Destination and Source fields. The destination should be your DHCP server’s MAC address and the
source should be your MAC address. You can use ipconfig /all and arp -a to confirm.
6. Expand Internet Protocol Version 4 to view IP details.
7. Observe the Source address. Notice that the source address is your IP address.
8. Observe the Destination address. Notice that the destination address is the IP address of the DHCP server.
9. Expand User Datagram Protocol to view UDP details.
10. Observe the Source port. Notice that it is bootpc (68), the BOOTP client port.
11. Observe the Destination port. Notice that it is bootps (67), the BOOTP server port.
12. Expand Bootstrap Protocol to view BOOTP details.
13. Observe the DHCP Message Type. Notice that it is a Request (3).
14. Observe the Client IP address, Client MAC address, and DHCP option fields. This is the request to the DHCP
server.
Activity 3 – Analyze DHCP ACK Traffic
To analyze DHCP ACK (server acknowledgement) traffic:
1. In the top Wireshark packet list pane, select the second DHCP packet, labeled DHCP ACK.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be your MAC address and the source should
be your DHCP server’s MAC address.
5. Expand Internet Protocol Version 4 to view IP details.
6. Observe the Source address. Notice that the source address is the DHCP server IP address.
7. Observe the Destination address. Notice that the destination address is your IP address.
8. Expand User Datagram Protocol to view UDP details.
9. Observe the Source port. Notice that it is bootps (67), the BOOTP server port.
10. Observe the Destination port. Notice that it is bootpc (68), the BOOTP client port.
11. Expand Bootstrap Protocol to view BOOTP details.
12. Observe the DHCP Message Type. Notice that it is an ACK (5).
13. Observe the Client IP address and Client MAC address fields. This is the acknowledgement from the DHCP
server.
14. Observe the DHCP options and expand to view the details for IP Address Lease Time, Subnet Mask, Router
(Default Gateway), Domain Name Server, and Domain Name, as well as any other options if included.
Activity 4 – Analyze DHCP Release Traffic
To analyze DHCP Release traffic:
1. In the top Wireshark packet list pane, select the third DHCP packet, labeled DHCP Release.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be your DHCP server’s MAC address and the
source should be your MAC address. You can use ipconfig /all and arp -a to confirm.
5. Expand Internet Protocol Version 4 to view IP details.
6. Observe the Source address. Notice that the source address is your IP address.
7. Observe the Destination address. Notice that the destination address is the IP address of the DHCP server.
8. Expand User Datagram Protocol to view UDP details.
9. Observe the Source port. Notice that it is bootpc (68), the BOOTP client port.
10. Observe the Destination port. Notice that it is bootps (67), the BOOTP server port.
11. Expand Bootstrap Protocol to view BOOTP details.
12. Observe the DHCP Message Type. Notice that it is a Release (7).
13. Observe the Client IP address and Client MAC address fields. This is the address that will be released on the
DHCP server.
Activity 5 – Analyze DHCP Discover Traffic
To analyze DHCP Discover (lease request) traffic:
1. In the top Wireshark packet list pane, select the fourth DHCP packet, labeled DHCP Discover.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be the broadcast address ff:ff:ff:ff:ff:ff and the
source should be your MAC address. When the client doesn’t have an IP address or server information, it has to
broadcast to discover a DHCP server.
5. Expand Internet Protocol Version 4 to view IP details.
6. Observe the Source address. Notice that the source address is 0.0.0.0, indicating no current IP address.
7. Observe the Destination address. Notice that the destination address is 255.255.255.255, the broadcast IP address.
8. Expand User Datagram Protocol to view UDP details.
9. Observe the Source port. Notice that it is bootpc (68), the BOOTP client port.
10. Observe the Destination port. Notice that it is bootps (67), the BOOTP server port.
11. Expand Bootstrap Protocol to view BOOTP details.
12. Observe the DHCP Message Type. Notice that it is a Discover (3).
13. Observe the Client IP address, Client MAC address, and DHCP option fields. This is the request to the DHCP
server.
Activity 6 – Analyze DHCP Offer Traffic
To analyze DHCP Offer (server offer) traffic:
1. In the top Wireshark packet list pane, select the fifth DHCP packet, labeled DHCP Offer.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be your MAC address and the source should
be your DHCP server’s MAC address.
5. Expand Internet Protocol Version 4 to view IP details.
6. Observe the Source address. Notice that the source address is the DHCP server IP address.
7. Observe the Destination address. Notice that the destination address is your IP address.
8. Expand User Datagram Protocol to view UDP details.
9. Observe the Source port. Notice that it is bootps (67), the BOOTP server port.
10. Observe the Destination port. Notice that it is bootpc (68), the BOOTP client port.
11. Expand Bootstrap Protocol to view BOOTP details.
12. Observe the DHCP Message Type. Notice that it is an ACK (5).
13. Observe the Client IP address and Client MAC address fields. This is the offer from the DHCP server.
14. Observe the DHCP options and expand to view the details for IP Address Lease Time, Subnet Mask, Router
(Default Gateway), Domain Name Server, and Domain Name, as well as any other options if included.
Activity 7 – Analyze DHCP Request Traffic
To analyze DHCP Request (lease request) traffic:
1. In the top Wireshark packet list pane, select the sixth DHCP packet, labeled DHCP Request.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be the broadcast address ff:ff:ff:ff:ff:ff and the
source should be your MAC address. When the client doesn’t have an IP address or server information, it has to
broadcast to request an address lease.
5. Expand Internet Protocol Version 4 to view IP details.
6. Observe the Source address. Notice that the source address is 0.0.0.0, indicating no current IP address.
7. Observe the Destination address. Notice that the destination address is 255.255.255.255, the broadcast IP address.
8. Expand User Datagram Protocol to view UDP details.
9. Observe the Source port. Notice that it is bootpc (68), the BOOTP client port.
10. Observe the Destination port. Notice that it is bootps (67), the BOOTP server port.
11. Expand Bootstrap Protocol to view BOOTP details.
12. Observe the DHCP Message Type. Notice that it is a Request (3).
13. Observe the Client IP address, Client MAC address, and DHCP option fields. This is the request to the DHCP
server.
Activity 8 – Analyze DHCP ACK Traffic
To analyze DHCP ACK (server acknowledgement) traffic:
1. In the top Wireshark packet list pane, select the seventh DHCP packet, labeled DHCP ACK.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be your MAC address and the source should
be your DHCP server’s MAC address.
5. Expand Internet Protocol Version 4 to view IP details.
6. Observe the Source address. Notice that the source address is the DHCP server IP address.
7. Observe the Destination address. Notice that the destination address is your IP address.
8. Expand User Datagram Protocol to view UDP details.
9. Observe the Source port. Notice that it is bootps (67), the BOOTP server port.
10. Observe the Destination port. Notice that it is bootpc (68), the BOOTP client port.
11. Expand Bootstrap Protocol to view BOOTP details.
12. Observe the DHCP Message Type. Notice that it is an ACK (5).
13. Observe the Client IP address and Client MAC address fields. This is the acknowledgement from the DHCP
server.
14. Observe the DHCP options and expand to view the details for IP Address Lease Time, Subnet Mask, Router
(Default Gateway), Domain Name Server, and Domain Name, as well as any other options if included.
15. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
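The following Python script is an added example; it is not part of the lesson and not Wireshark code. It decodes the same fields that Activities 2 through 8 above inspect in the Bootstrap Protocol pane (op, transaction id, ciaddr/yiaddr, client MAC, the option 53 message type and the lease, subnet mask, router and DNS options), derives the T1 renewal and T2 rebinding times that review questions 16 and 17 describe from the lease time when the server does not send them explicitly, and adds a defender-side check for the unauthenticated-server problem of question 21 by comparing the Server Identifier (option 54) against the servers expected on the segment. The packet bytes, the 192.0.2.x addresses and the MAC address are constructed for the example; the field layout follows RFC 2131 and the option codes follow RFC 2132.

```python
"""Decode a DHCPv4 (BOOTP-format) message and derive its lease timers.

Added example, not part of the lesson. Layout follows RFC 2131, option codes
follow RFC 2132. The packet bytes below are constructed, not captured.
"""
import struct
from ipaddress import IPv4Address

# Message types carried in option 53 (RFC 2132, section 9.6).
MESSAGE_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 4: "Decline",
                 5: "ACK", 6: "NAK", 7: "Release", 8: "Inform"}

OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS, OPT_LEASE_TIME = 1, 3, 6, 51
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_T1, OPT_T2, OPT_END = 53, 54, 58, 59, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header plus the DHCP options that follow it."""
    # op(1) htype(1) hlen(1) hops(1) xid(4) secs(2) flags(2) = 12 bytes
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack_from("!BBBBIHH", payload, 0)
    ciaddr, yiaddr, siaddr, _giaddr = struct.unpack_from("!4s4s4s4s", payload, 12)
    chaddr = payload[28:28 + hlen]            # 16-byte field, hlen bytes used
    if payload[236:240] != MAGIC_COOKIE:      # sname(64) + file(128) end at 236
        raise ValueError("not a DHCP message: magic cookie missing")

    options = {}
    pos = 240
    while pos < len(payload):
        code = payload[pos]
        if code == OPT_END:
            break
        if code == 0:                          # pad option has no length byte
            pos += 1
            continue
        length = payload[pos + 1]
        options[code] = payload[pos + 2:pos + 2 + length]
        pos += 2 + length

    mtype = options.get(OPT_MSG_TYPE)
    return {
        "op": "BOOTREQUEST" if op == 1 else "BOOTREPLY",
        "xid": xid,
        "broadcast_flag": bool(flags & 0x8000),
        "client_ip": str(IPv4Address(ciaddr)),    # ciaddr: address the client has
        "your_ip": str(IPv4Address(yiaddr)),      # yiaddr: address the server assigns
        "server_ip": str(IPv4Address(siaddr)),
        "client_mac": chaddr.hex(":"),
        "message_type": MESSAGE_TYPES.get(mtype[0]) if mtype else None,
        "options": options,
    }


def lease_timers(options: dict) -> dict:
    """Lease, T1 and T2 in seconds. Without options 58/59 a client defaults to
    T1 = 0.5 * lease (renew by unicast) and T2 = 0.875 * lease (rebind by
    broadcast), as RFC 2131 section 4.4.5 describes."""
    lease = struct.unpack("!I", options[OPT_LEASE_TIME])[0]
    t1 = struct.unpack("!I", options[OPT_T1])[0] if OPT_T1 in options else lease // 2
    t2 = struct.unpack("!I", options[OPT_T2])[0] if OPT_T2 in options else lease * 7 // 8
    return {"lease": lease, "t1": t1, "t2": t2}


def server_is_trusted(options: dict, trusted: set) -> bool:
    """Defender check for the unauthenticated-server problem: an Offer/ACK is
    accepted only if its Server Identifier (option 54) is an expected server."""
    sid = options.get(OPT_SERVER_ID)
    return sid is not None and str(IPv4Address(sid)) in trusted


def build_sample_ack() -> bytes:
    """Constructed DHCP ACK (not a real capture) for client 00:11:22:33:44:55."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)
    hdr += IPv4Address("0.0.0.0").packed + IPv4Address("192.0.2.50").packed  # ciaddr, yiaddr
    hdr += IPv4Address("192.0.2.1").packed + IPv4Address("0.0.0.0").packed   # siaddr, giaddr
    hdr += bytes.fromhex("001122334455") + b"\0" * 10                        # chaddr (16)
    hdr += b"\0" * 64 + b"\0" * 128                                          # sname, file
    opts = (bytes([OPT_MSG_TYPE, 1, 5])
            + bytes([OPT_SERVER_ID, 4]) + IPv4Address("192.0.2.1").packed
            + bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", 86400)
            + bytes([OPT_SUBNET_MASK, 4]) + IPv4Address("255.255.255.0").packed
            + bytes([OPT_ROUTER, 4]) + IPv4Address("192.0.2.1").packed
            + bytes([OPT_DNS, 4]) + IPv4Address("192.0.2.53").packed
            + bytes([OPT_END]))
    return hdr + MAGIC_COOKIE + opts


if __name__ == "__main__":
    msg = parse_dhcp(build_sample_ack())
    print(msg["message_type"], msg["your_ip"], lease_timers(msg["options"]))
    print("trusted server:", server_is_trusted(msg["options"], {"192.0.2.1"}))
```

Running the script prints the decoded sample ACK; parse_dhcp takes the UDP payload of any captured DHCP frame, and the returned options dictionary is keyed by the same option codes Wireshark lists under Bootstrap Protocol.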
References
• Wireshark: User’s Guide – http://www.wireshark.org/docs/wsug_html_chunked/
• Wireshark: DHCP – http://wiki.wireshark.org/DHCP
Capture and Analyze DHCPv6 Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and analyze DHCPv6 traffic.
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
Activity 1 – Capture DHCPv6 Traffic
To capture DHCPv6 traffic:
1. Start a Wireshark capture.
2. Open a command prompt.
3. Type ipconfig /renew6 and press Enter.
4. Type ipconfig /release6 and press Enter.
5. Type ipconfig /renew6 and press Enter.
6. Close the command prompt.
7. Stop the Wireshark capture.
Activity 2 – Analyze DHCPv6 Renew Traffic
To analyze DHCPv6 Renew traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. To view only DHCPv6 traffic, type dhcpv6
(lower case) in the Filter box and press Enter.
2. In the top Wireshark packet list pane, select the first DHCPv6 packet, labeled DHCPv6 Renew.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 6 / User Datagram Protocol / DHCPv6 frame.
4. Expand Ethernet II to view Ethernet details.
5. Observe the Destination and Source fields. The destination should be the DHCPv6 multicast MAC address
33:33:00:01:00:02 and the source should be your MAC address. You can use ipconfig /all and netsh interface ipv6
show neighbors to confirm.
6. Expand Internet Protocol Version 6 to view IPv6 details.
7. Observe the Source address. Notice that the source address is your link-local IPv6 address.
8. Observe the Destination address. Notice that the destination address is the DHCPv6 multicast address ff02::1:2.
9. Expand User Datagram Protocol to view UDP details.
10. Observe the Source port. Notice that it is dhcpv6-client (546).
11. Observe the Destination port. Notice that it is dhcpv6-server (547).
12. Expand DHCPv6 to view DHCPv6 details.
13. Observe the DHCPv6 Message Type. Notice that it is a Renew (5).
14. Observe the Client Identifier and Server Identifier fields.
15. Expand Option Request to view option details.
16. Observe the requested options.
Activity 3 – Analyze DHCPv6 Reply Traffic
To analyze DHCPv6 Reply traffic:
1. In the top Wireshark packet list pane, select the second DHCPv6 packet, labeled DHCPv6 Reply.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 6 / User Datagram Protocol / DHCPv6 frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be your MAC address and the source should
be your DHCPv6 server’s MAC address.
5. Expand Internet Protocol Version 6 to view IPv6 details.
6. Observe the Source address. Notice that the source address is the DHCPv6 server IPv6 address.
7. Observe the Destination address. Notice that the destination address is your link-local IPv6 address.
8. Expand User Datagram Protocol to view UDP details.
9. Observe the Source port. Notice that it is a dynamic port.
10. Observe the Destination port. Notice that it is dhcpv6-client (546).
11. Expand DHCPv6 to view DHCPv6 details.
12. Observe the DHCPv6 Message Type. Notice that it is a Reply (7).
13. Expand Client Identifier, Server Identifier, and Identity Association to view Reply details.
14. Observe the MAC addresses, IPv6 addresses, and lease time, as well as any options if included.
Activity 4 – Analyze DHCPv6 Release Traffic
To analyze DHCPv6 Release traffic:
1. In the top Wireshark packet list pane, select the third DHCPv6 packet, labeled DHCPv6 Release.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 6 / User Datagram Protocol / DHCPv6 frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be the DHCPv6 multicast MAC address
33:33:00:01:00:02 and the source should be your MAC address.
5. Expand Internet Protocol Version 6 to view IPv6 details.
6. Observe the Source address. Notice that the source address is your link-local IPv6 address.
7. Observe the Destination address. Notice that the destination address is the DHCPv6 multicast address ff02::1:2.
8. Expand User Datagram Protocol to view UDP details.
9. Observe the Source port. Notice that it is dhcpv6-client (546).
10. Observe the Destination port. Notice that it is dhcpv6-server (547).
11. Expand DHCPv6 to view DHCPv6 details.
12. Observe the DHCPv6 Message Type. Notice that it is a Release (8).
13. Expand Client Identifier, Server Identifier, and Identity Association to view Release details.
14. Observe the MAC addresses, IPv6 addresses, and lease time, as well as any options if included. This is the
address that will be released on the DHCPv6 server.
Activity 5 – Analyze DHCPv6 Reply Traffic
To analyze DHCPv6 Reply traffic:
1. In the top Wireshark packet list pane, select the second DHCPv6 packet, labeled DHCPv6 Reply.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 6 / User Datagram Protocol / DHCPv6 frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be your MAC address and the source should
be your DHCPv6 server’s MAC address.
5. Expand Internet Protocol Version 6 to view IPv6 details.
6. Observe the Source address. Notice that the source address is the DHCPv6 server IPv6 address.
7. Observe the Destination address. Notice that the destination address is your link-local IPv6 address.
8. Expand User Datagram Protocol to view UDP details.
9. Observe the Source port. Notice that it is a dynamic port.
10. Observe the Destination port. Notice that it is dhcpv6-client (546).
11. Expand DHCPv6 to view DHCPv6 details.
12. Observe the DHCPv6 Message Type. Notice that it is a Reply (7).
13. Expand Client Identifier and Server Identifier to view Reply details.
14. Observe the MAC addresses and IPv6 addresses. Notice that there is no Identity Association in reply to an
address release.
Activity 6 – Analyze DHCPv6 Solicit Traffic
To analyze DHCPv6 Solicit traffic:
1. In the top Wireshark packet list pane, select the fifth DHCPv6 packet, labeled DHCPv6 Solicit.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 6 / User Datagram Protocol / DHCPv6 frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be the DHCPv6 multicast MAC address
33:33:00:01:00:02 and the source should be your MAC address.
5. Expand Internet Protocol Version 6 to view IPv6 details.
6. Observe the Source address. Notice that the source address is your link-local IPv6 address.
7. Observe the Destination address. Notice that the destination address is the DHCPv6 multicast address ff02::1:2.
8. Expand User Datagram Protocol to view UDP details.
9. Observe the Source port. Notice that it is dhcpv6-client (546).
10. Observe the Destination port. Notice that it is dhcpv6-server (547).
11. Expand DHCPv6 to view DHCPv6 details.
12. Observe the DHCPv6 Message Type. Notice that it is a Solicit (1).
13. Expand Client Identifier, Identity Association, and Option Request to view Solicit details.
14. Observe the MAC address, as well as any options if included.
Activity 7 – Analyze DHCPv6 Advertise Traffic
To analyze DHCPv6 Advertise traffic:
1. In the top Wireshark packet list pane, select the sixth DHCPv6 packet, labeled DHCPv6 Advertise.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 6 / User Datagram Protocol / DHCPv6 frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be your MAC address and the source should
be your DHCPv6 server’s MAC address.
5. Expand Internet Protocol Version 6 to view IPv6 details.
6. Observe the Source address. Notice that the source address is the DHCPv6 server IPv6 address.
7. Observe the Destination address. Notice that the destination address is your link-local IPv6 address.
8. Expand User Datagram Protocol to view UDP details.
9. Observe the Source port. Notice that it is a dynamic port.
10. Observe the Destination port. Notice that it is dhcpv6-client (546).
11. Expand DHCPv6 to view DHCPv6 details.
12. Observe the DHCPv6 Message Type. Notice that it is an Advertise (2).
13. Expand Client Identifier, Server Identifier, and Identity Association to view Advertise details.
14. Observe the MAC addresses, IPv6 addresses, and lease time, as well as any options if included.
Activity 8 – Analyze DHCPv6 Request Traffic
To analyze DHCPv6 Request traffic:
1. In the top Wireshark packet list pane, select the seventh DHCPv6 packet, labeled DHCPv6 Request.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 6 / User Datagram Protocol / DHCPv6 frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be the DHCPv6 multicast MAC address
33:33:00:01:00:02 and the source should be your MAC address.
5. Expand Internet Protocol Version 6 to view IPv6 details.
6. Observe the Source address. Notice that the source address is your link-local IPv6 address.
7. Observe the Destination address. Notice that the destination address is the DHCPv6 multicast address ff02::1:2.
8. Expand User Datagram Protocol to view UDP details.
9. Observe the Source port. Notice that it is dhcpv6-client (546).
10. Observe the Destination port. Notice that it is dhcpv6-server (547).
11. Expand DHCPv6 to view DHCPv6 details.
12. Observe the DHCPv6 Message Type. Notice that it is a Request (3).
13. Expand Client Identifier, Identity Association, and Option Request to view Request details.
14. Observe the MAC address, as well as any options if included.
Activity 9 – Analyze DHCPv6 Reply Traffic
To analyze DHCPv6 Reply traffic:
1. In the top Wireshark packet list pane, select the eighth DHCPv6 packet, labeled DHCPv6 Reply.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 6 / User Datagram Protocol / DHCPv6 frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be your MAC address and the source should
be your DHCPv6 server’s MAC address.
5. Expand Internet Protocol Version 6 to view IPv6 details.
6. Observe the Source address. Notice that the source address is the DHCPv6 server IPv6 address.
7. Observe the Destination address. Notice that the destination address is your link-local IPv6 address.
8. Expand User Datagram Protocol to view UDP details.
9. Observe the Source port. Notice that it is a dynamic port.
10. Observe the Destination port. Notice that it is dhcpv6-client (546).
11. Expand DHCPv6 to view DHCPv6 details.
12. Observe the DHCPv6 Message Type. Notice that it is a Reply (7).
13. Expand Client Identifier, Server Identifier, and Identity Association to view Reply details.
14. Observe the MAC addresses, IPv6 addresses, and lease time, as well as any options if included.
15. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
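The fields the two activities above have you inspect in Wireshark (message type, transaction ID, the client and server DUIDs with the MAC addresses they embed, and the IA_NA / IA Address lifetimes) can be decoded straight from the UDP payload. The Python below is an added example written for this page, not code from the Wikiversity activity or from Wireshark. The Reply it decodes is a constructed sample with made-up addresses rather than captured traffic; the option codes and layouts follow RFC 3315.

```python
# Added example (not from the Wikiversity page): decode a DHCPv6 client/server message.
# The sample Reply below is constructed for illustration, not captured traffic.
import socket
import struct

MSG_TYPES = {1: "Solicit", 2: "Advertise", 3: "Request", 4: "Confirm", 5: "Renew",
             6: "Rebind", 7: "Reply", 8: "Release", 9: "Decline", 10: "Reconfigure",
             11: "Information-request"}
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_IAADDR, OPT_ORO = 1, 2, 3, 5, 6


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_duid(data):
    """DUID (RFC 3315 section 9). Types 1 (LLT) and 3 (LL) carry the link-layer address,
    which is the MAC Wireshark shows under Client Identifier / Server Identifier."""
    duid_type = struct.unpack("!H", data[:2])[0]
    if duid_type == 1:
        hw_type, when = struct.unpack("!HI", data[2:8])
        return {"type": "LLT", "hw_type": hw_type, "time": when, "mac": mac_str(data[8:])}
    if duid_type == 3:
        return {"type": "LL", "hw_type": struct.unpack("!H", data[2:4])[0], "mac": mac_str(data[4:])}
    return {"type": duid_type, "raw": data[2:].hex()}


def parse_options(data):
    """Walk the option list (2-byte code, 2-byte length, value). Returns [(code, value)]."""
    opts, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated option header at offset %d" % off)
        code, length = struct.unpack("!HH", data[off:off + 4])
        body = data[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("option %d claims %d bytes, only %d present" % (code, length, len(body)))
        if code in (OPT_CLIENTID, OPT_SERVERID):
            value = parse_duid(body)
        elif code == OPT_IA_NA:                      # IAID, T1, T2, then nested options
            iaid, t1, t2 = struct.unpack("!III", body[:12])
            value = {"iaid": iaid, "t1": t1, "t2": t2, "options": parse_options(body[12:])}
        elif code == OPT_IAADDR:                     # address, preferred and valid lifetimes
            pref, valid = struct.unpack("!II", body[16:24])
            value = {"address": socket.inet_ntop(socket.AF_INET6, body[:16]),
                     "preferred": pref, "valid": valid, "options": parse_options(body[24:])}
        elif code == OPT_ORO:                        # list of requested option codes
            value = list(struct.unpack("!%dH" % (length // 2), body))
        else:
            value = body.hex()
        opts.append((code, value))
        off += 4 + length
    return opts


def parse_dhcpv6(payload):
    """Client/server message: 1-byte type, 3-byte transaction ID, options (relay messages differ)."""
    if len(payload) < 4:
        raise ValueError("DHCPv6 message shorter than 4 bytes")
    msg_type = payload[0]
    return {"msg_type": msg_type,
            "msg_name": MSG_TYPES.get(msg_type, "unknown(%d)" % msg_type),
            "transaction_id": int.from_bytes(payload[1:4], "big"),
            "options": parse_options(payload[4:])}


def option(code, body):
    return struct.pack("!HH", code, len(body)) + body


def sample_reply():
    """Constructed Reply (type 7): lease of 2001:db8::10, preferred 1800 s, valid 3600 s."""
    client_duid = struct.pack("!HHI", 1, 1, 0x1E240) + bytes.fromhex("001122334455")  # DUID-LLT
    server_duid = struct.pack("!HH", 3, 1) + bytes.fromhex("aabbccddeeff")            # DUID-LL
    iaaddr = option(OPT_IAADDR, socket.inet_pton(socket.AF_INET6, "2001:db8::10")
                    + struct.pack("!II", 1800, 3600))
    ia_na = option(OPT_IA_NA, struct.pack("!III", 0x0E001122, 900, 1440) + iaaddr)
    return (bytes([7]) + (0xABCDEF).to_bytes(3, "big") + option(OPT_CLIENTID, client_duid)
            + option(OPT_SERVERID, server_duid) + ia_na)


if __name__ == "__main__":
    import pprint
    pprint.pprint(parse_dhcpv6(sample_reply()))
```

To use it on real traffic, copy the bytes of the DHCPv6 layer out of a Wireshark capture and pass them to `parse_dhcpv6()`; the transaction ID should match between the Request and the Reply, and the length checks in `parse_options()` reject a packet whose option headers overrun the payload instead of reading past it.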
References
• Wireshark: User’s Guide [2]
• Wireshark: DHCPv6 [1]
[1] http://wiki.wireshark.org/DHCPv6
[2] http://www.wireshark.org/docs/wsug_html_chunked/
Lesson 12 – Name Resolution
Name Resolution
This lesson introduces name resolution and looks at hosts
files, the Domain Name System (DNS), and NetBIOS over
TCP/IP (NetBT). Activities include editing the hosts file and
using Wireshark to examine DNS network traffic.
Readings
1. Read Wikipedia: Hosts (file).
2. Read Wikipedia: Domain Name System.
3. Read Wikipedia: Multicast DNS.
4. Read Wikipedia: Link-local Multicast Name Resolution.
5. Read Wikipedia: NetBIOS over TCP/IP.
Activities
1. View the Hosts file.
2. Edit the Hosts file.
3. Use nslookup to display host addresses.
4. Use nslookup to display other record types.
5. Review the current DNS root zone settings file [1].
6. Use nslookup to simulate a recursive query.
7. Review Wireshark: DNS [2].
8. Use Wireshark to capture and analyze Domain Name System (DNS) traffic.
9. Use Wireshark to capture and analyze Link-Local Multicast Name Resolution (LLMNR) traffic.
10. Use nbtstat to display NetBIOS over TCP/IP statistics.
11. Consider situations in which a packet analyzer might be used to troubleshoot name resolution traffic.
12. Use the Discuss page to post comments and questions regarding this lesson.
13. Review the lesson summary, key terms, review questions and flashcards below.
Lesson Summary
• The hosts file is a computer file used in an operating system to map hostnames to IP addresses.[3]
• The hosts file contains lines of text consisting of an IP address in the first text field followed by one or more host
names.[4]
• Comments in the hosts file are indicated by a hash character (#) in the first position of such lines.[5]
• The location of the hosts file on Windows systems is %SystemRoot%\system32\drivers\etc\hosts.[6]
• The hosts file may be used to define any hostname or domain name for use by the local system.[7]
• The hosts file represents an attack vector for malicious software.[8]
• The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any
resource connected to the Internet or a private network.[9]
• The Domain Name System distributes the responsibility of assigning domain names and mapping those names to
IP addresses. Authoritative name servers are assigned to be responsible for their particular domains, and in turn
can assign other authoritative name servers for their sub-domains.[10]
• A domain name consists of one or more parts, technically called labels, that are concatenated and delimited by
dots (.).[11]
• The hierarchy of domains within a domain name descends from right to left.[12]
• Each label in a domain name may contain up to 63 characters. The full domain name may not exceed a total
length of 253 characters.[13]
• Common DNS record types include A (address), AAAA (IPv6 address), CNAME (canonical or alias name), MX
(mail exchange), NS (name server), PTR (pointer), SOA (start of authority), and TXT (text).[14]
• A non-recursive query is one in which the DNS server provides a record for a domain for which it is authoritative
itself, or it provides a partial result without querying other servers.[15]
• A recursive query is one for which the DNS server will fully answer the query (or give an error) by querying
other name servers as needed.[16]
• Caching DNS servers cache DNS queries and perform recursive queries to improve efficiency, reduce DNS traffic
across the Internet, and increase performance in end-user applications.[17]
• A reverse lookup is a query of the DNS for domain names when the IP address is known using the IPv4 domain
in-addr.arpa or the IPv6 domain ip6.arpa, and reverse lookup IP addresses are specified in reverse order.[18]
• Link Local Multicast Name Resolution (LLMNR) is a protocol based on the Domain Name System (DNS) packet
format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link.[19]
• LLMNR responders listen on UDP port 5355 on IPv4 address 224.0.0.252 (MAC address 01-00-5E-00-00-FC)
and IPv6 address FF02::1:3 (MAC address 33-33-00-01-00-03).[20]
• NetBIOS over TCP/IP (NBT) is a networking protocol that allows legacy computer applications relying on the
NetBIOS API to be used on modern TCP/IP networks.[21]
• NetBIOS provides three distinct services: Name service for name registration and resolution on UDP port 137,
Datagram distribution service for connectionless communication on UDP port 138, and Session service for
connection-oriented communication on TCP port 139.[22]
• NetBIOS is a legacy protocol used to support computers and applications that predate Windows 2000 and do not
support host names. It is enabled by default, though most Windows 2000 and later networks and applications no
longer require it.[23]
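The summary’s points about labels and their length limits, record types, the recursion-desired flag, and reverse-lookup names are easiest to see in the wire format itself. The Python below is an added example for this lesson, not code from the Wikiversity page or from any resolver; the query and response it handles are constructed samples (a made-up address and an example name server), not captured traffic. Label encoding, the RD/RA flag bits and the 0xC0 compression pointers follow RFC 1035.

```python
# Added example (not from the Wikiversity page): build a DNS query and decode a DNS response.
# The sample response is constructed for illustration, not captured traffic.
import ipaddress
import socket
import struct

RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}


def encode_name(name):
    """Dotted name -> length-prefixed labels ending in the root (0x00); enforces the octet limits."""
    name, out = name.rstrip("."), b""
    for label in (name.split(".") if name else []):
        if not 1 <= len(label) <= 63:
            raise ValueError("label must be 1-63 octets: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    if len(out) + 1 > 255:                      # 253 visible characters max in presentation form
        raise ValueError("name longer than 255 octets")
    return out + b"\x00"


def build_query(name, qtype=1, xid=0x1234, recursion_desired=True):
    """Standard query: QR=0, RD set if requested, one question and no resource records."""
    flags = 0x0100 if recursion_desired else 0
    return (struct.pack("!HHHHHH", xid, flags, 1, 0, 0, 0) + encode_name(name)
            + struct.pack("!HH", qtype, 1))


def decode_name(msg, off):
    """Decode a name at off, following 0xC0 compression pointers; returns (name, offset after field)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = off + 2 if end is None else end      # the field ends after the first pointer
            off, hops = ptr, hops + 1
            if hops > 32 or ptr >= len(msg):
                raise ValueError("bad compression pointer")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def decode_rdata(msg, off, rtype, rdata):
    if rtype == 1:
        return socket.inet_ntop(socket.AF_INET, rdata)
    if rtype == 28:
        return socket.inet_ntop(socket.AF_INET6, rdata)
    if rtype in (2, 5, 12):                     # NS, CNAME, PTR: a possibly compressed name
        return decode_name(msg, off)[0]
    if rtype == 15:                             # MX: 16-bit preference, then exchange name
        return struct.unpack("!H", rdata[:2])[0], decode_name(msg, off + 2)[0]
    if rtype == 16:                             # TXT: one or more <len><chars> strings
        out, i = [], 0
        while i < len(rdata):
            out.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii", "replace"))
            i += 1 + rdata[i]
        return out
    return rdata.hex()


def parse_message(msg):
    """Header flags plus the four sections as (name, type, ttl, data) tuples."""
    xid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    res = {"id": xid, "response": bool(flags & 0x8000), "authoritative": bool(flags & 0x0400),
           "recursion_desired": bool(flags & 0x0100), "recursion_available": bool(flags & 0x0080),
           "rcode": flags & 0xF, "questions": [], "answers": [], "authority": [], "additional": []}
    off = 12
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype = struct.unpack("!HH", msg[off:off + 4])[0]
        res["questions"].append((name, RR_TYPES.get(qtype, qtype)))
        off += 4
    for section, count in (("answers", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            res[section].append((name, RR_TYPES.get(rtype, rtype), ttl,
                                 decode_rdata(msg, off, rtype, msg[off:off + rdlen])))
            off += rdlen
    return res


def reverse_name(ip):
    """PTR owner name: octets reversed under in-addr.arpa, nibbles reversed under ip6.arpa."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    return ".".join(reversed(addr.exploded.replace(":", ""))) + ".ip6.arpa."


def sample_response():
    """Constructed reply to build_query('en.wikiversity.org'): the answer's owner name is a pointer
    to the question name (0xC00C); the authority NS owner points inside it at 'wikiversity.org'."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 1, 0)        # QR=1, RD=1, RA=1, NOERROR
    question = encode_name("en.wikiversity.org") + struct.pack("!HH", 1, 1)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
              + socket.inet_pton(socket.AF_INET, "198.51.100.7"))      # made-up address
    ns = encode_name("ns0.example.net")
    authority = b"\xc0\x0f" + struct.pack("!HHIH", 2, 1, 3600, len(ns)) + ns
    return header + question + answer + authority


if __name__ == "__main__":
    print(parse_message(build_query("en.wikiversity.org")))
    print(parse_message(sample_response()))
    print(reverse_name("8.8.4.4"), reverse_name("2001:db8::1"))
```

`build_query()` produces exactly the bytes Wireshark labels “Standard query A en.wikiversity.org” in the capture activity later in this lesson, and `parse_message()` exposes the Recursion desired and Recursion available bits that activity asks you to find. The hop limit in `decode_name()` matters when feeding the parser untrusted packets: a pointer that refers to itself would otherwise loop forever.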
Key Terms
American Standard Code for Information Interchange (ASCII)
A character-encoding scheme originally based on the English alphabet.[24]
authoritative name server
A name server that gives answers that have been configured by an original source rather than answers that
were obtained via a DNS query to another name server.[25]
Berkeley Internet Name Domain (BIND)
The DNS server service (daemon) included in most Unix and Unix-like operating systems.[26]
dig (domain information groper)
A network administration command-line tool for querying Domain Name System (DNS) name servers used on
Unix-like systems.[27]
DNS root zone
The top-level DNS zone in a hierarchical namespace using the Domain Name System (DNS).[28]
DNS spoofing
A computer hacking attack, whereby data is introduced into a Domain Name System (DNS) name server’s
cache database, causing the name server to return an incorrect IP address and diverting traffic to another
computer (often the attacker’s).[29]
DNS zone
A portion of a domain name space using the Domain Name System (DNS) for which administrative
responsibility has been delegated.[30]
DomainKeys Identified Mail (DKIM)
A method for associating a domain name to an email message, thereby allowing a person, role, or organization
to claim some responsibility for the message and a recipient to validate that the message was not modified in
transit.[31]
domain name registrar
An organization or commercial entity that manages the reservation of Internet domain names.[32]
Dynamic DNS (DDNS)
A method of updating, in real time, a Domain Name System (DNS) to point to a changing IP address on a
network or on the Internet.[33]
Fully Qualified Domain Name (FQDN)
A domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS),
including the top-level domain and the root zone.[34]
Internationalizing Domain Names in Applications (IDNA)
A mechanism for converting domain names containing non-ASCII characters to an ASCII-coded
equivalent.[35]
Letters Digits Hyphen (LDH) rule
The guideline for characters allowed in a domain name, which include letters, digits, and the hyphen.[36]
NetBIOS Frames (NBF)
A non-routable transport-level data protocol most commonly used as one of the layers of Microsoft Windows
networking in the 1990s.[37]
nslookup
A network administration command-line tool for querying Domain Name System (DNS) name servers used on
Windows systems.[38]
Phishing
The act of attempting to acquire information such as usernames, passwords, and credit card details (and
sometimes, indirectly, money) by masquerading as a trustworthy entity.[39]
Punycode
An instance of a general encoding syntax by which a string of Unicode characters is transformed uniquely and
reversibly into a smaller, restricted character set.[40]
root name server
A name server for the Domain Name System’s root zone.[41]
Sender Policy Framework (SPF)
An email validation system designed to prevent email spam by verifying sender IP addresses using the
Domain Name System (DNS) and TXT records.[42]
Server Message Block (SMB)
An application-layer protocol mainly used for providing shared access to files, printers, serial ports, and
miscellaneous communications between nodes on a network, as well as providing an authenticated
inter-process communication mechanism.[43]
top-level domain (TLD)
One of the domains at the highest level in the hierarchical Domain Name System of the Internet.[44]
Unicode
A computing industry standard for the consistent encoding, representation and handling of text expressed in
most of the world’s writing systems.[45]
Uniform resource locator (URL)
A specific character string that constitutes a reference to an Internet resource.[46]
WHOIS
A query and response protocol that is widely used for querying databases that store the registered users or
assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but
is also used for a wider range of other information.[47]
Windows Internet Name Service (WINS)
Microsoft’s implementation of NetBIOS Name Service (NBNS), a name server and service for NetBIOS
computer names.[48]
Review Questions
1. The _____ file is a computer file used in an operating system to map hostnames to IP addresses.
The hosts file is a computer file used in an operating system to map hostnames to IP addresses.
2. The hosts file contains lines of text consisting of _____.
The hosts file contains lines of text consisting of an IP address in the first text field followed by one or more host
names.
3. Comments in the hosts file are indicated by _____.
Comments in the hosts file are indicated by a hash character (#) in the first position of such lines.
4. The location of the hosts file on Windows systems is _____.
The location of the hosts file on Windows systems is %SystemRoot%\system32\drivers\etc\hosts.
5. The _____ file may be used to define any hostname or domain name for use by the local system.
The hosts file may be used to define any hostname or domain name for use by the local system.
6. The hosts file represents _____ for malicious software.
The hosts file represents an attack vector for malicious software.
7. The Domain Name System (DNS) is a _____ for computers, services, or any resource connected to the Internet or
a private network.
The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any
resource connected to the Internet or a private network.
8. The Domain Name System _____ the responsibility of assigning domain names and mapping those names to IP
addresses. _____ name servers are assigned to be responsible for their particular domains, and in turn can assign
other _____ name servers for their sub-domains.
The Domain Name System distributes the responsibility of assigning domain names and mapping those names to IP
addresses. Authoritative name servers are assigned to be responsible for their particular domains, and in turn can
assign other authoritative name servers for their sub-domains.
9. A domain name consists of one or more parts, technically called _____, that are concatenated and delimited by
_____.
A domain name consists of one or more parts, technically called labels, that are concatenated and delimited by dots
(.).
10. The hierarchy of domains within a domain name descends from _____ to _____.
The hierarchy of domains within a domain name descends from right to left.
11. Each label in a domain name may contain up to _____ characters. The full domain name may not exceed a total
length of _____ characters.
Each label in a domain name may contain up to 63 characters. The full domain name may not exceed a total length
of 253 characters.
12. Common DNS record types include _____ (address), _____ (IPv6 address), _____ (canonical or alias name),
_____ (mail exchange), _____ (name server), _____ (pointer), _____ (start of authority), and _____ (text).
Common DNS record types include A (address), AAAA (IPv6 address), CNAME (canonical or alias name), MX
(mail exchange), NS (name server), PTR (pointer), SOA (start of authority), and TXT (text).
13. A _____ query is one in which the DNS server provides a record for a domain for which it is authoritative itself,
or it provides a partial result without querying other servers.
A non-recursive query is one in which the DNS server provides a record for a domain for which it is authoritative
itself, or it provides a partial result without querying other servers.
14. A _____ query is one for which the DNS server will fully answer the query (or give an error) by querying other
name servers as needed.
A recursive query is one for which the DNS server will fully answer the query (or give an error) by querying other
name servers as needed.
15. Caching DNS servers cache DNS queries and perform recursive queries to _____.
Caching DNS servers cache DNS queries and perform recursive queries to improve efficiency, reduce DNS traffic
across the Internet, and increase performance in end-user applications.
16. A reverse lookup is a query of the DNS for _____ using the IPv4 domain _____ or the IPv6 domain _____, and
reverse lookup IP addresses are specified in _____ order.
A reverse lookup is a query of the DNS for domain names when the IP address is known using the IPv4 domain
in-addr.arpa or the IPv6 domain ip6.arpa, and reverse lookup IP addresses are specified in reverse order.
17. Link Local Multicast Name Resolution (LLMNR) is a protocol based on the Domain Name System (DNS)
packet format that allows both IPv4 and IPv6 hosts to _____.
Link Local Multicast Name Resolution (LLMNR) is a protocol based on the Domain Name System (DNS) packet
format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link.
18. LLMNR responders listen on UDP port _____ on IPv4 address _____ and IPv6 address _____.
LLMNR responders listen on UDP port 5355 on IPv4 address 224.0.0.252 (MAC address 01-00-5E-00-00-FC) and
IPv6 address FF02::1:3 (MAC address 33-33-00-01-00-03).
19. NetBIOS over TCP/IP (NBT) is a networking protocol that allows _____.
NetBIOS over TCP/IP (NBT) is a networking protocol that allows legacy computer applications relying on the
NetBIOS API to be used on modern TCP/IP networks.
20. NetBIOS provides three distinct services: _____, _____, and _____.
NetBIOS provides three distinct services: Name service for name registration and resolution on port 137, Datagram
distribution service for connectionless communication on port 138, and Session service for connection-oriented
communication on port 139.
21. NetBIOS is a legacy protocol used to support computers and applications that predate _____ and do not support
_____.
NetBIOS is a legacy protocol used to support computers and applications that predate Windows 2000 and do not
support host names.
Flashcards
• Test your understanding of this lesson.
• Test your understanding of the key terms.
References
[1] http://www.internic.net/zones/named.root
[2] http://wiki.wireshark.org/DNS
[3] Wikipedia: Hosts (file)
[4] Wikipedia: Hosts (file)#File content
[5] Wikipedia: Hosts (file)#File content
[6] Wikipedia: Hosts (file)#Location in the file system
[7] Wikipedia: Hosts (file)#Extended applications
[8] Wikipedia: Hosts (file)#Security issues
[9] Wikipedia: Domain Name System
[10] Wikipedia: Domain Name System
[11] Wikipedia: Domain Name System#Domain name syntax
[12] Wikipedia: Domain Name System#Domain name syntax
[13] Wikipedia: Domain Name System#Domain name syntax
[14] Wikipedia: List of DNS record types
[15] Wikipedia: Domain Name System#DNS resolvers
[16] Wikipedia: Domain Name System#DNS resolvers
[17] Wikipedia: Domain Name System#Recursive and caching name server
[18] Wikipedia: Domain Name System#Reverse lookup
[19] Wikipedia: Link-local Multicast Name Resolution
[20] Wikipedia: Link-local Multicast Name Resolution
[21] Wikipedia: NetBIOS over TCP/IP
[22] Wikipedia: NetBIOS over TCP/IP#Services
[23] Wikipedia: NetBIOS over TCP/IP#Decreasing relevance in post-NT Client-Server Networks
[24] Wikipedia: ASCII
[25] Wikipedia: Domain Name System#Authoritative name server
[26] Wikipedia: BIND
[27] Wikipedia: Domain Information Groper
[28] Wikipedia: DNS root zone
[29] Wikipedia: DNS spoofing
[30] Wikipedia: DNS zone
[31] Wikipedia: DomainKeys Identified Mail
[32] Wikipedia: Domain name registrar
[33] Wikipedia: Dynamic DNS
[34] Wikipedia: Fully qualified domain name
[35] Wikipedia: Internationalized domain name
[36] Wikipedia: Domain Name System#Domain name syntax
[37] Wikipedia: NetBIOS Frames protocol
[38] Wikipedia: Nslookup
[39] Wikipedia: Phishing
[40] Wikipedia: Punycode
[41] Wikipedia: Root nameserver
[42] Wikipedia: Sender Policy Framework
[43] Wikipedia: Server Message Block
[44] Wikipedia: Top-level domain
[45] Wikipedia: Unicode
[46] Wikipedia: Uniform Resource Locator
[47] Wikipedia: WHOIS
[48] Wikipedia: Windows Internet Name Service
View the Hosts File
The hosts file is a plain text file used to map host names to IP addresses. On Windows, it is located in the
C:\Windows\System32\drivers\etc folder. This activity will show you how to view the hosts file.
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
Activity 1 – View the hosts File
To view the hosts file:
1. Open the Start menu.
2. Select All Programs.
3. Select Accessories.
4. Select Notepad.
5. In Notepad, select File then Open.
6. Navigate to C:\Windows\System32\drivers\etc.
7. Change the file type to open from Text Documents (*.txt) to All Files (*.*).
8. Open the hosts file.
9. Read the comments in the hosts file. The comments begin with a # character.
10. Observe the host records stored in the file. At a minimum you should find a record for 127.0.0.1 localhost.
11. Close Notepad. Do not save any changes.
Readings
• Wikipedia: hosts file
• Wikipedia: Internet Protocol
• Wikipedia: Domain Name System
References
• Microsoft TechNet: Setting Up HOSTS Files [1]
[1] http://technet.microsoft.com/en-us/library/cc751132.aspx
Edit the Hosts File
The hosts file is a plain text file used to map host names to IP addresses. On Windows, it is located in the
C:\Windows\System32\drivers\etc folder. This activity will show you how to edit the hosts file.
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
Activity 1 – View the hosts File
To view the hosts file:
1. Open the Start menu.
2. In the Run box, type Notepad.exe and press Enter.
3. In Notepad, select File then Open.
4. Navigate to C:\Windows\System32\drivers\etc.
5. Change the file type to open from Text Documents (*.txt) to All Files (*.*).
6. Open the hosts file.
7. Read the comments in the hosts file. The comments begin with a # character.
8. Observe the host records stored in the file. At a minimum you should find a record for 127.0.0.1 localhost.
Activity 2 – Edit the hosts File
To edit the hosts file:
1. Change the line 127.0.0.1 localhost to 127.0.0.1 localhost me.
2. In Notepad, select File then Save to save the file. On Windows Vista and later the hosts file can only be saved
from a Notepad that was started with Run as administrator; if Save is refused, close Notepad, start it elevated,
and reopen the file.
3. Open a command prompt.
4. Type ping me and press Enter.
5. Observe the results. The ping should be successful, because the name me is now defined as an alias for the
loopback address 127.0.0.1. The resolver consults the hosts file before sending any DNS query, which is why a
single writable file can redirect any name on the system.
6. In Notepad, remove me from the line 127.0.0.1 localhost and then save the hosts file.
7. In the command prompt, type ping me and press Enter.
8. Observe the results. The ping should fail, because the name me is no longer defined as an alias for the loopback
address.
9. In Notepad, add a line of 8.8.8.8 googledns and then save the hosts file.
10. In the command prompt, type ping googledns and press Enter.
11. Observe the results. The ping should be successful, because the name googledns is now defined as an alias for
8.8.8.8.
12. In Notepad, remove the line of 8.8.8.8 googledns and then save the hosts file.
13. In the command prompt, type ping googledns and press Enter.
14. Observe the results. The ping should fail, because the name googledns is no longer defined as an alias for
8.8.8.8.
15. Close the command prompt and close Notepad to complete this activity.
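The lesson summary calls the hosts file an attack vector: malware able to write to it can redirect a bank’s name or point an anti-virus update host at loopback, and the edits above show how little is needed. The Python below is an added example for this activity, not code from the Wikiversity page. It parses a hosts file with the rules Activity 1 describes (# comments, an address followed by one or more names, whitespace-separated) and flags entries an administrator should review. The sample file contents, the watched-domain list and the definition of a “local” address are constructed assumptions for the illustration.

```python
# Added example (not from the Wikiversity page): parse a hosts file and flag suspicious entries.
# SAMPLE_HOSTS, WATCHED and LOCAL_NETS are constructed for this illustration.
import ipaddress

# Addresses a hosts file legitimately points at on most machines (assumption for this audit).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7")]


def parse_hosts(text):
    """Return [(line_no, ip_address, [names])]; '#' starts a comment, whitespace separates fields."""
    records = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("line %d: address with no host name" % line_no)
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            raise ValueError("line %d: %r is not an IP address" % (line_no, fields[0])) from None
        records.append((line_no, ip, fields[1:]))
    return records


def lookup(records, name):
    """First matching line wins (how resolvers generally read the file); names are case-insensitive."""
    want = name.lower().rstrip(".")
    for _, ip, names in records:
        if want in (n.lower() for n in names):
            return str(ip)
    return None


def is_local(ip):
    return any(ip in net for net in LOCAL_NETS)


def audit(records, watched_domains):
    """Heuristic flags: a name under a watched domain (tampering redirects banks or blocks AV/update
    hosts), or any mapping to a non-local address (the stock file carries loopback entries only)."""
    findings = []
    for line_no, ip, names in records:
        reasons = []
        if not is_local(ip):
            reasons.append("maps to non-local address %s" % ip)
        for n in names:
            n = n.lower()
            if any(n == d or n.endswith("." + d) for d in watched_domains):
                reasons.append("overrides watched name %s" % n)
        if reasons:
            findings.append((line_no, reasons))
    return findings


SAMPLE_HOSTS = """\
# constructed sample hosts file, not copied from a real system
127.0.0.1       localhost me        # 'me' is the alias from Activity 2
::1             localhost
8.8.8.8         googledns
198.51.100.23   www.examplebank.com examplebank.com
127.0.0.1       update.example-antivirus.com
"""
WATCHED = {"examplebank.com", "example-antivirus.com"}

if __name__ == "__main__":
    recs = parse_hosts(SAMPLE_HOSTS)
    print("me ->", lookup(recs, "me"), "| googledns ->", lookup(recs, "googledns"))
    for line_no, reasons in audit(recs, WATCHED):
        print("line %d: %s" % (line_no, "; ".join(reasons)))
```

Run against a real file, `audit()` will also flag deliberate administrator entries such as the googledns alias from this activity; the point is that every non-loopback mapping in this file deserves a human decision, since a mapping nobody remembers adding is how hosts-file tampering is usually found.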
Readings
• Wikipedia: hosts file
• Wikipedia: Internet Protocol
• Wikipedia: Domain Name System
References
• Microsoft TechNet: Setting Up HOSTS Files [1]
[1] http://technet.microsoft.com/en-us/library/cc751132.aspx
Display Host Addresses
Nslookup is a command-line tool used to query a Domain Name System (DNS) server to obtain an IP address
mapping or other DNS records. These activities will show you how to use the nslookup command to display host
addresses.
Preparation
To prepare for this activity:
1. Start your operating system.
2. Log in if necessary.
Activity 1 – Observe DNS Settings
To observe DNS settings:
1. Open a command prompt.
2. Use ipconfig /all to display DNS settings.
3. Observe the DNS Servers address values.
Activity 2 – Display Host Addresses
To display host addresses:
1. Type nslookup www.google.com and press Enter.
2. Observe the server information. Notice the DNS server address matches one of the values listed for DNS Servers
above.
3. Observe the results. Notice that both IPv4 and IPv6 addresses are displayed. Google has assigned both IPv4 and
IPv6 addresses to this host.
4. Type nslookup ipv4.google.com and press Enter.
5. Observe the results. Notice that only IPv4 addresses are displayed. Google has not assigned an IPv6 address to
this host name.
6. Type nslookup ipv6.google.com and press Enter.
7. Observe the results. Notice that only IPv6 addresses are displayed. Google has not assigned an IPv4 address to
this host name.
Activity 3 – Use a Custom DNS Server
To use a custom DNS server:
1. Type nslookup www.google.com 8.8.8.8 and press Enter.
2. Observe the server information. Notice the DNS server address is 8.8.8.8.
3. Type nslookup www.google.com 8.8.4.4 and press Enter.
4. Observe the server information. Notice the DNS server address is 8.8.4.4.
5. Close the command prompt to complete this activity.
References
• Microsoft TechNet: Nslookup [1]
[1] http://technet.microsoft.com/en-us/library/bb490950.aspx
Display Other Record Types
Nslookup is a command-line tool used to query a Domain Name System (DNS) server to obtain an IP address
mapping or other DNS records. These activities will show you how to use the nslookup command to display other
record types.
Preparation
To prepare for this activity:
1. Start your operating system.
2. Log in if necessary.
Activity 1 – Display Host Addresses
To display host addresses:
1. Open a command prompt.
2. Type nslookup google.com and press Enter.
3. Observe the results. Notice the IP addresses listed for this host name.
Activity 2 – Display Other Record Types
To display other record types:
1. Type nslookup -type=ns google.com and press Enter.
2. Observe the results. Notice the name servers listed for this domain name.
3. Type nslookup -type=soa google.com and press Enter.
4. Observe the results. Notice the start of authority information listed for this zone.
5. Type nslookup -type=mx google.com and press Enter.
6. Observe the results. Notice the mail exchangers listed for this domain name.
7. Type nslookup -type=txt google.com and press Enter.
8. Observe the results. Notice the text records listed for this domain name.
9. Close the command prompt to complete this activity.
References
• Microsoft TechNet: Nslookup [1]
[1] http://technet.microsoft.com/en-us/library/bb490950.aspx
Simulate a Recursive Query
Nslookup is a command-line tool used to query a Domain Name System (DNS) server to obtain an IP address
mapping or other DNS records. These activities will show you how to use the nslookup command to simulate
recursive queries.
Preparation
To prepare for this activity:
1. Start your operating system.
2. Log in if necessary.
Activity 1 – Perform a Recursive Query
To perform a recursive query:
1. Open a command prompt.
2. Type nslookup en.wikiversity.org and press Enter.
3. Observe the results. Notice the IP address listed for this host name. Note that this is a recursive query. The
following activity will simulate the queries necessary to return this address information.
Activity 2 – Simulate a Recursive Query
To simulate a recursive query:
1. Type nslookup -norecurse -type=ns org. a.root-servers.net and press Enter. The -norecurse option forces
nslookup to issue a non-recursive (iterative) query, which is the type of query DNS servers issue to other DNS
servers when resolving a name on a client’s behalf.
2. Observe the results. Notice the name servers listed for the org. domain. Select the first org. name server IP
address returned.
3. Type nslookup -norecurse -type=ns wikiversity.org. followed by the first org. name server IP address selected
above, and press Enter.
4. Observe the results. Notice the name servers listed for the wikiversity.org. domain. Select the first
wikiversity.org. name server IP address returned.
5. Type nslookup -norecurse en.wikiversity.org. followed by the first wikiversity.org. name server IP address
selected above, and press Enter.
6. Observe the results. Notice that the IP address should match the IP address for en.wikiversity.org returned in
Activity 1 above.
7. Close the command prompt to complete this activity.
References
• Microsoft TechNet: Nslookup [1]
[1] http://technet.microsoft.com/en-us/library/bb490950.aspx
Capture and Analyze Domain Name System
(DNS) Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and analyze Domain Name System (DNS) traffic.
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
Activity 1 – Capture DNS Traffic
To capture DNS traffic:
1. Start a Wireshark capture.
2. Open a command prompt.
3. Type ipconfig /flushdns and press Enter to clear the DNS cache.
4. Type ipconfig /displaydns and press Enter to display the DNS cache.
5. Observe the results. Notice the only records currently displayed come from the hosts file.
6. Type nslookup en.wikiversity.org and press Enter.
7. Observe the results. Notice there is an entry in the cache for en.wikiversity.org.
8. Close the command prompt.
9. Stop the Wireshark capture.
Activity 2 – Analyze DNS Query Traffic
To analyze DNS query traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. To view only DNS traffic, type udp.port ==
53 (lower case) in the Filter box and press Enter.
2. Select the DNS packet labeled Standard query A en.wikiversity.org.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Domain Name System (query) frame.
4. Expand Ethernet II to view Ethernet details.
5. Observe the Destination and Source fields. The destination should be either your local DNS server’s MAC address or your default gateway’s MAC address and the source should be your MAC address. You can use ipconfig /all and arp -a to confirm.
6. Expand Internet Protocol Version 4 to view IP details.
7. Observe the Source address. Notice that the source address is your IP address.
8. Observe the Destination address. Notice that the destination address is the IP address of the DNS server.
9. Expand User Datagram Protocol to view UDP details.
10. Observe the Source port. Notice that it is a dynamic port selected for this DNS query.
11. Observe the Destination port. Notice that it is domain (53), the DNS server port.
12. Expand Domain Name System (query) to view DNS details.
13. Expand Flags to view flags details.
14. Observe the Recursion desired field. Notice that a recursive query is requested.
15. Expand Queries to view query details.
16. Observe the query for en.wikiversity.org.
Activity 3 – Analyze DNS Response Traffic
To analyze DNS response traffic:
1. In the top Wireshark packet list pane, select the next DNS packet, labeled Standard query response CNAME
wikiversity….
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Domain Name System (response) frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be your MAC address and the source should be your local DNS server’s MAC address or your default gateway’s MAC address.
5. Expand Internet Protocol Version 4 to view IP details.
6. Observe the Source address. Notice that the source address is the DNS server IP address.
7. Observe the Destination address. Notice that the destination address is your IP address.
8. Expand User Datagram Protocol to view UDP details.
9. Observe the Source port. Notice that it is domain (53), the DNS server port.
10. Observe the Destination port. Notice that it is the same dynamic port used to make the DNS query in the first packet.
11. Expand Domain Name System (response) to view DNS details.
12. Expand Flags to view flags details.
13. Observe the flags. Notice that this is a recursive response.
14. Expand Queries to view query details.
15. Observe the query for en.wikiversity.org.
16. Expand Answers to view answer details.
17. Observe the CNAME and A records returned in response to this DNS query.
18. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
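The query and response inspected in Activities 2 and 3 can also be decoded by hand, which shows exactly which bytes Wireshark is labelling. The following Python program is an added example written for this page; it is not part of the Wikiversity lesson or of Wireshark. It builds a constructed query (Recursion desired set, as a stub resolver sends it) and a constructed response (QR and Recursion available set, a CNAME followed by an A record, with DNS name compression pointers as real servers use), parses the header flags, question and answer sections, and then checks that the response actually belongs to the outstanding query. The CNAME target wikiversity-lb.example and the address 198.51.100.7 are made up; LLMNR uses the same message format, so the parser applies to the next activity as well.

```python
import struct
import ipaddress

# Record types that appear in the activities above.
TYPE_A, TYPE_CNAME = 1, 5


def encode_name(name):
    """Encode a dotted name as DNS labels (length byte + label), terminated by a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(txid, name, rd=True):
    """Constructed stub-resolver query: header with RD (Recursion desired) set, one A question."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, 1)


def build_sample_response(txid):
    """Constructed response shaped like the capture: a CNAME for en.wikiversity.org, then an A
    record for the CNAME target. Target name and address are made up (documentation range).
    Owner names are compression pointers (0xC0xx) back into the packet, as real servers send."""
    flags = 0x8180  # QR=1 (response), RD=1 echoed, RA=1 (Recursion available), RCODE=0
    header = struct.pack("!HHHHHH", txid, flags, 1, 2, 0, 0)
    question = encode_name("en.wikiversity.org") + struct.pack("!HH", TYPE_A, 1)
    target = encode_name("wikiversity-lb.example")
    cname_rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_CNAME, 1, 300, len(target)) + target
    target_offset = len(header) + len(question) + 2 + 10  # where `target` lands in the packet
    a_rr = (struct.pack("!H", 0xC000 | target_offset)
            + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([198, 51, 100, 7]))
    return header + question + cname_rr + a_rr


def read_name(data, offset):
    """Decode a possibly compressed name. Returns (name, offset just past the name in the stream)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:            # compression pointer: top two bits set
            if not jumped:
                end = offset + 2             # the stream resumes after the 2-byte pointer
            offset = ((length & 0x3F) << 8) | data[offset + 1]
            jumped, hops = True, hops + 1
            if hops > 16:                    # malformed packets can loop pointers; refuse them
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_flags(flags):
    """Break the 16-bit flags word into the fields Wireshark shows under Flags."""
    return {"qr": bool(flags >> 15 & 1), "opcode": flags >> 11 & 0xF,
            "aa": bool(flags >> 10 & 1), "tc": bool(flags >> 9 & 1),
            "rd": bool(flags >> 8 & 1), "ra": bool(flags >> 7 & 1), "rcode": flags & 0xF}


def parse_dns(data):
    """Parse the header, question section and answer section of a DNS (or LLMNR) message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = read_name(data, offset)
        qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, offset = read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        if rtype == TYPE_A:
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == TYPE_CNAME:
            value, _ = read_name(data, offset)   # CNAME rdata is itself a (compressible) name
        else:
            value = rdata.hex()
        offset += rdlen
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "flags": parse_flags(flags), "questions": questions, "answers": answers}


def response_matches(query, response):
    """A resolver should accept a response only if it is marked as a response, carries the same
    transaction ID and repeats the same question; anything else is discarded."""
    return (response["flags"]["qr"] and query["id"] == response["id"]
            and query["questions"] == response["questions"])


if __name__ == "__main__":
    q = parse_dns(build_query(0x1234, "en.wikiversity.org"))
    r = parse_dns(build_sample_response(0x1234))
    print("query flags:", q["flags"])
    print("response answers:", r["answers"])
    print("response matches query:", response_matches(q, r))
```

The matching check is the part worth remembering: a stub resolver pairs a response with its query by the UDP port you observed in step 10 and by the transaction ID and question decoded here, and drops anything that does not line up.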
References
• Wireshark: User’s Guide [1]
• Wireshark: DNS [2]
[1] http://www.wireshark.org/docs/wsug_html_chunked/
[2] http://wiki.wireshark.org/DNS
Capture and Analyze Link Local Multicast Name Resolution (LLMNR) Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and analyze Link-Local Multicast Name Resolution (LLMNR)
traffic.
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
Activity 1 – Capture LLMNR Traffic
To capture LLMNR traffic:
1. Start a Wireshark capture.
2. Open a command prompt.
3. Type ping followed by a local computer name (one that is not registered in DNS) and press Enter. A local name is used for this activity because names resolved by DNS will not generate LLMNR traffic.
4. Close the command prompt.
5. Stop the Wireshark capture.
Activity 2 – Analyze LLMNR IPv6 Traffic
To analyze LLMNR IPv6 traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. To view only LLMNR traffic, type udp.port
== 5355 (lower case) in the Filter box and press Enter.
2. Select the first LLMNR packet labeled Standard query.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / User Datagram Protocol / Link-local Multicast Name Resolution (query) frame.
4. Expand Ethernet II to view Ethernet details.
5. Observe the Destination and Source fields. The destination should be the LLMNR IPv6 multicast MAC address 33:33:00:01:00:03 and the source should be your MAC address. You can use ipconfig /all and netsh interface ipv6 show neighbors to confirm.
6. Expand Internet Protocol Version 6 to view IPv6 details.
7. Observe the Source address. Notice that the source address is your link-local IPv6 address.
8. Observe the Destination address. Notice that the destination address is the LLMNR multicast IPv6 address ff02::1:3.
9. Expand User Datagram Protocol to view UDP details.
10. Observe the Source port. Notice that it is a dynamic port selected for this LLMNR query.
11. Observe the Destination port. Notice that it is llmnr (5355).
12. Expand Link-local Multicast Name Resolution (query) to view LLMNR details.
13. Expand Flags to view flags details.
14. Expand Queries to view query details.
15. Observe the query generated.
Activity 3 – Analyze LLMNR IPv4 Traffic
To analyze LLMNR IPv4 traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. To view only LLMNR traffic, type udp.port
== 5355 (lower case) in the Filter box and press Enter.
2. Select the second LLMNR packet labeled Standard query.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Link-local Multicast Name Resolution (query) frame.
4. Expand Ethernet II to view Ethernet details.
5. Observe the Destination and Source fields. The destination should be the LLMNR IPv4 multicast MAC address 01:00:5e:00:00:fc and the source should be your MAC address. You can use ipconfig /all and arp -a to confirm.
6. Expand Internet Protocol Version 4 to view IPv4 details.
7. Observe the Source address. Notice that the source address is your IPv4 address.
8. Observe the Destination address. Notice that the destination address is the LLMNR multicast IPv4 address 224.0.0.252.
9. Expand User Datagram Protocol to view UDP details.
10. Observe the Source port. Notice that it is a dynamic port selected for this LLMNR query.
11. Observe the Destination port. Notice that it is llmnr (5355).
12. Expand Link-local Multicast Name Resolution (query) to view LLMNR details.
13. Expand Flags to view flags details.
14. Expand Queries to view query details.
15. Observe the query generated.
16. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
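Activities 2 and 3 have you confirm two pairs of addresses: ff02::1:3 with 33:33:00:01:00:03, and 224.0.0.252 with 01:00:5e:00:00:fc. The multicast MAC is not arbitrary; it is derived from the group address, and the derivation is worth knowing because it tells you which of the fields in the details pane actually identify the protocol. The following Python program is an added example written for this page (not Wikiversity or Wireshark code). It derives the Ethernet multicast MAC for any IPv4 or IPv6 multicast address using the standard mappings (01:00:5e plus the low 23 bits of an IPv4 group; 33:33 plus the low 32 bits of an IPv6 group), then classifies constructed frame records by destination MAC, IP and port the way an analyst would read them off Wireshark. The sample frames are constructed for the example.

```python
import ipaddress
from collections import Counter

LLMNR_PORT = 5355
LLMNR_V4 = ipaddress.IPv4Address("224.0.0.252")
LLMNR_V6 = ipaddress.IPv6Address("ff02::1:3")


def multicast_mac(addr):
    """Derive the Ethernet destination MAC that an IP multicast group address maps to.
    IPv4 (RFC 1112): 01:00:5e followed by the low 23 bits of the address.
    IPv6 (RFC 2464): 33:33 followed by the low 32 bits of the address."""
    addr = ipaddress.ip_address(addr)
    if not addr.is_multicast:
        raise ValueError(f"{addr} is not a multicast address")
    raw = addr.packed
    if addr.version == 4:
        mac = bytes([0x01, 0x00, 0x5E, raw[1] & 0x7F, raw[2], raw[3]])
    else:
        mac = bytes([0x33, 0x33]) + raw[12:16]
    return ":".join(f"{b:02x}" for b in mac)


def classify_frame(frame):
    """Classify one frame from its Ethernet/IP/UDP destination fields (as read off the Wireshark
    details pane). Returns 'llmnr-ipv4', 'llmnr-ipv6', 'llmnr-mac-mismatch' or None."""
    if frame["dst_port"] != LLMNR_PORT:
        return None
    dst = ipaddress.ip_address(frame["dst_ip"])
    expected_group = LLMNR_V4 if dst.version == 4 else LLMNR_V6
    if dst != expected_group:
        return None                      # port 5355 but not the LLMNR group: not a normal LLMNR query
    if frame["dst_mac"].lower() != multicast_mac(dst):
        return "llmnr-mac-mismatch"      # group address and frame address disagree: worth a closer look
    return f"llmnr-ipv{dst.version}"


def summarize(frames):
    """Count frame classes over a list of frames, ignoring non-LLMNR traffic."""
    return Counter(c for c in map(classify_frame, frames) if c is not None)


# Constructed sample frames: the two LLMNR queries from the activities above, one mDNS query
# (same MAC prefix, different group and port) and one frame whose MAC does not match its group.
SAMPLE_FRAMES = [
    {"dst_mac": "33:33:00:01:00:03", "dst_ip": "ff02::1:3", "dst_port": 5355},
    {"dst_mac": "01:00:5e:00:00:fc", "dst_ip": "224.0.0.252", "dst_port": 5355},
    {"dst_mac": "01:00:5e:00:00:fb", "dst_ip": "224.0.0.251", "dst_port": 5353},
    {"dst_mac": "00:11:22:33:44:55", "dst_ip": "224.0.0.252", "dst_port": 5355},
]

if __name__ == "__main__":
    print(multicast_mac("224.0.0.252"), multicast_mac("ff02::1:3"))
    # The 23-bit IPv4 mapping is lossy: 32 group addresses share one MAC, so the MAC alone
    # never identifies the protocol. 239.128.0.252 maps to the same MAC as 224.0.0.252.
    print(multicast_mac("239.128.0.252"))
    print(summarize(SAMPLE_FRAMES))
```

The lossy IPv4 mapping is the practical lesson: several group addresses share one destination MAC, so identify the traffic from the IP destination and UDP port, and treat the MAC as a consistency check on the frame rather than as proof of what it carries.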
References
• Wireshark: User’s Guide [1]
[1] http://www.wireshark.org/docs/wsug_html_chunked/
Display NetBIOS Over TCP/IP Statistics
Nbtstat is a Windows command-line tool that displays NetBIOS over TCP/IP statistics. These activities will show
you how to use the nbtstat command.
Activities
• Display NetBIOS Cache Names and IP Addresses
• Display Local Computer NetBIOS Names
References
• Microsoft TechNet: Nbtstat [1]
[1] http://technet.microsoft.com/en-us/library/bb490938.aspx
Lesson 13 – Application Layer
Application Layer
This lesson introduces the Application layer and looks at a variety of application-layer protocols. Activities include using Wireshark to examine Hyper Text Transfer Protocol (HTTP), HTTP Secure (HTTPS), and Simple Mail Transfer Protocol (SMTP) network traffic.
Readings
1. Read Wikipedia: Application layer.
2. Read Wikipedia: Hypertext Transfer Protocol.
3. Read Wikipedia: HTTP Secure.
4. Read Wikipedia: Transport Layer Security.
5. Read Wikipedia: Simple Mail Transfer Protocol.
Activities
1. Review Wireshark: Hyper Text Transfer Protocol (HTTP) [1].
2. Use Wireshark to capture and analyze Hypertext Transfer Protocol (HTTP) traffic.
3. Review Wireshark: SSL [2].
4. Use Wireshark to capture and analyze HTTP Secure (HTTPS) traffic.
5. Review Wireshark: Simple Mail Transfer Protocol (SMTP) [3].
6. Use Wireshark to capture and analyze Simple Mail Transfer Protocol (SMTP) traffic.
7. Consider situations in which a packet analyzer might be used to troubleshoot application layer traffic.
8. Use the Discuss page to post comments and questions regarding this lesson.
9. Review the lesson summary, key terms, review questions and flashcards below.
Lesson Summary
• The application layer is an abstraction layer reserved for communications protocols and methods designed for
process-to-process communications across an Internet Protocol (IP) computer network.[4]
• Application layer protocols use the underlying transport layer protocols to establish host-to-host connections.[5]
• The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, hypermedia
information systems.[6]
• HTTP functions as a request-response protocol in the client-server computing model.[7]
• HTTP uses TCP as its transport protocol and servers listen on port 80 by default.[8]
• HTTP defines methods that may be performed on the desired resource. Methods include GET, HEAD, POST,
PUT, DELETE, TRACE, OPTIONS, CONNECT, and PATCH.[9]
• HTTP requests include a request line, headers, an empty line, and an optional message body.[10]
• HTTP responses include a status line, header, an empty line, and an optional message body.[11]
• Hypertext Transfer Protocol Secure (HTTPS) is a widely used communications protocol for secure
communication over a computer network, with especially wide deployment on the Internet. Technically, it is not a
protocol in itself; rather, it is the result of simply layering the Hypertext Transfer Protocol (HTTP) on top of the
Secure Sockets Layer / Transport Layer Security (SSL/TLS) protocol, thus adding the security capabilities of
SSL/TLS to standard HTTP communications.[12]
• HTTPS uses TCP as its transport protocol and servers listen on port 443 by default.[13]
• Web servers supporting HTTPS connections must have a public key certificate signed by a certificate authority
the web browser trusts in order to connect without a client warning.[14]
• TLS and SSL encrypt the segments of network connections at the Application Layer for the Transport Layer,
using asymmetric cryptography for key exchange, symmetric encryption for confidentiality, and message
authentication codes for message integrity.[15]
• TLS handshaking includes the exchange of settings, server authentication, optional client authentication, and
public key encryption of a symmetric session key.[16]
• Simple Mail Transfer Protocol (SMTP) is an Internet standard for electronic mail (e-mail) transmission across
Internet Protocol (IP) networks.[17]
• Client applications use SMTP for sending messages to a mail server, but usually use either the Post Office
Protocol (POP) or the Internet Message Access Protocol (IMAP) or a proprietary system to access their mail box
accounts on a mail server.[18]
• Client applications should use TCP port 587 to submit SMTP messages to a server. Servers use TCP port 25 to
transfer SMTP messages to destination servers.[19]
• SMTP transactions include commands for MAIL, RCPT, and DATA.[20]
Key Terms
abstraction layer
A way of hiding the implementation details of a particular set of functionality.[21]
authentication
The act of confirming the identity of a person, software program, or computer system.[22]
eavesdropping
The act of secretly listening to the private conversation of others without their consent.[23]
hypermedia
A logical extension of the term hypertext in which graphics, audio, video, plain text and hyperlinks intertwine
to create a generally non-linear medium of information.[24]
HyperText Markup Language (HTML)
The main markup language for displaying web pages and other information that can be displayed in a web
browser.[25]
Internet Message Access Protocol (IMAP)
An Application Layer Internet protocol that allows an e-mail client to access e-mail on a remote mail
server.[26]
man-in-the-middle attack
A form of active eavesdropping in which the attacker makes independent connections with the victims and
relays messages between them, making them believe that they are talking directly to each other over a private
connection.[27]
Post Office Protocol (POP)
An application-layer Internet standard protocol used by local e-mail clients to retrieve e-mail from a remote
server over a TCP/IP connection.[28]
public-key cryptography
A cryptographic system requiring two separate keys, one of which is secret and one of which is public.[29]
stateless protocol
A communications protocol that treats each request as an independent transaction that is unrelated to any
previous request so that the communication consists of independent pairs of requests and responses.[30]
symmetric-key algorithms
A class of algorithms for cryptography that use the same cryptographic keys for both encryption of plaintext
and decryption of ciphertext.[31]
tampering
The deliberate altering or adulteration of information, a product, a package, or system.[32]
web cache
A mechanism for the temporary storage (caching) of web documents, such as HTML pages and images, to
reduce bandwidth usage, server load, and perceived lag.[33]
web crawler
A computer program that browses the World Wide Web in a methodical, automated manner or in an orderly
fashion.[34]
World Wide Web Consortium (W3C)
The main international standards organization for the World Wide Web.[35]
Review Questions
1. The application layer is an abstraction layer reserved for communications protocols and methods designed for
_____ communications across an Internet Protocol (IP) computer network.
The application layer is an abstraction layer reserved for communications protocols and methods designed for
process-to-process communications across an Internet Protocol (IP) computer network.
2. Application layer protocols use the underlying transport layer protocols to establish _____ connections.
Application layer protocols use the underlying transport layer protocols to establish host-to-host connections.
3. The Hypertext Transfer Protocol (HTTP) is an application protocol for _____.
The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, hypermedia
information systems.
4. HTTP functions as a _____ protocol in the _____ computing model.
HTTP functions as a request-response protocol in the client-server computing model.
5. HTTP uses _____ as its transport protocol and servers listen on port _____ by default.
HTTP uses TCP as its transport protocol and servers listen on port 80 by default.
6. HTTP defines methods that may be performed on the desired resource. Methods include _____.
HTTP defines methods that may be performed on the desired resource. Methods include GET, HEAD, POST, PUT,
DELETE, TRACE, OPTIONS, CONNECT, and PATCH.
7. HTTP requests include _____.
HTTP requests include a request line, headers, an empty line, and an optional message body.
8. HTTP responses include _____.
HTTP responses include a status line, header, an empty line, and an optional message body.
9. Hypertext Transfer Protocol Secure (HTTPS) is a widely used communications protocol for secure
communication over a computer network, with especially wide deployment on the Internet. Technically, it is not a
protocol in itself; rather, it is _____.
Hypertext Transfer Protocol Secure (HTTPS) is a widely used communications protocol for secure communication
over a computer network, with especially wide deployment on the Internet. Technically, it is not a protocol in itself;
rather, it is the result of simply layering the Hypertext Transfer Protocol (HTTP) on top of the Secure Sockets Layer
/ Transport Layer Security (SSL/TLS) protocol, thus adding the security capabilities of SSL/TLS to standard HTTP
communications.
10. HTTPS uses _____ as its transport protocol and servers listen on port _____ by default.
HTTPS uses TCP as its transport protocol and servers listen on port 443 by default.
11. Web servers supporting HTTPS connections must have a public key certificate _____.
Web servers supporting HTTPS connections must have a public key certificate signed by a certificate authority the
web browser trusts in order to connect without a client warning.
12. TLS and SSL encrypt the segments of network connections at the Application Layer for the Transport Layer,
using _____.
TLS and SSL encrypt the segments of network connections at the Application Layer for the Transport Layer, using
asymmetric cryptography for key exchange, symmetric encryption for confidentiality, and message authentication
codes for message integrity.
13. TLS handshaking includes _____.
TLS handshaking includes the exchange of settings, server authentication, optional client authentication, and public
key encryption of a symmetric session key.
14. Simple Mail Transfer Protocol (SMTP) is an Internet standard for _____.
Simple Mail Transfer Protocol (SMTP) is an Internet standard for electronic mail (e-mail) transmission across
Internet Protocol (IP) networks.
15. Client applications use _____ for sending messages to a mail server, but usually use either _____ or _____ or a
proprietary system to access their mail box accounts on a mail server.
Client applications use SMTP for sending messages to a mail server, but usually use either the Post Office Protocol
(POP) or the Internet Message Access Protocol (IMAP) or a proprietary system to access their mail box accounts on
a mail server.
16. Client applications should use TCP port _____ to submit SMTP messages to a server. Servers use TCP port
_____ to transfer SMTP messages to destination servers.
Client applications should use TCP port 587 to submit SMTP messages to a server. Servers use TCP port 25 to
transfer SMTP messages to destination servers.
17. SMTP transactions include commands for _____.
SMTP transactions include commands for MAIL, RCPT, and DATA.
Flashcards
• Test your understanding of this lesson.
• Test your understanding of the key terms.
References
[1] http://wiki.wireshark.org/Hyper_Text_Transfer_Protocol
[2] http://wiki.wireshark.org/SSL
[3] http://wiki.wireshark.org/SMTP
[4] Wikipedia: Application layer, http://en.wikipedia.org/wiki/Application_layer
[5] Wikipedia: Application layer, http://en.wikipedia.org/wiki/Application_layer
[6] Wikipedia: Hypertext Transfer Protocol, http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol
[7] Wikipedia: Hypertext Transfer Protocol#Technical overview, http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Technical_overview
[8] Wikipedia: Hypertext Transfer Protocol#HTTP session, http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#HTTP_session
[9] Wikipedia: Hypertext Transfer Protocol#Request methods, http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Request_methods
[10] Wikipedia: Hypertext Transfer Protocol#Request message, http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Request_message
[11] Wikipedia: Hypertext Transfer Protocol#Response message, http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Response_message
[12] Wikipedia: HTTP Secure, http://en.wikipedia.org/wiki/HTTP_Secure
[13] Wikipedia: HTTP Secure#Difference from HTTP, http://en.wikipedia.org/wiki/HTTP_Secure#Difference_from_HTTP
[14] Wikipedia: HTTP Secure#Server setup, http://en.wikipedia.org/wiki/HTTP_Secure#Server_setup
[15] Wikipedia: Transport Layer Security, http://en.wikipedia.org/wiki/Transport_Layer_Security
[16] Wikipedia: Transport Layer Security#Simple TLS handshake, http://en.wikipedia.org/wiki/Transport_Layer_Security#Simple_TLS_handshake
[17] Wikipedia: Simple Mail Transfer Protocol, http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol
[18] Wikipedia: Simple Mail Transfer Protocol, http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol
[19] Wikipedia: Simple Mail Transfer Protocol#Mail processing model, http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#Mail_processing_model
[20] Wikipedia: Simple Mail Transfer Protocol#Protocol overview, http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#Protocol_overview
[21] Wikipedia: Abstraction layer, http://en.wikipedia.org/wiki/Abstraction_layer
[22] Wikipedia: Authentication, http://en.wikipedia.org/wiki/Authentication
[23] Wikipedia: Eavesdropping, http://en.wikipedia.org/wiki/Eavesdropping
[24] Wikipedia: Hypermedia, http://en.wikipedia.org/wiki/Hypermedia
[25] Wikipedia: HTML, http://en.wikipedia.org/wiki/HTML
[26] Wikipedia: Internet Message Access Protocol, http://en.wikipedia.org/wiki/Internet_Message_Access_Protocol
[27] Wikipedia: Man-in-the-middle attack, http://en.wikipedia.org/wiki/Man-in-the-middle_attack
[28] Wikipedia: Post Office Protocol, http://en.wikipedia.org/wiki/Post_Office_Protocol
[29] Wikipedia: Public-key cryptography, http://en.wikipedia.org/wiki/Public-key_cryptography
[30] Wikipedia: Stateless protocol, http://en.wikipedia.org/wiki/Stateless_protocol
[31] Wikipedia: Symmetric-key algorithm, http://en.wikipedia.org/wiki/Symmetric-key_algorithm
[32] Wikipedia: Tamper-evident, http://en.wikipedia.org/wiki/Tamper-evident
[33] Wikipedia: Web cache, http://en.wikipedia.org/wiki/Web_cache
[34] Wikipedia: Web crawler, http://en.wikipedia.org/wiki/Web_crawler
[35] Wikipedia: World Wide Web Consortium, http://en.wikipedia.org/wiki/World_Wide_Web_Consortium
Capture and Analyze Hypertext Transfer Protocol (HTTP) Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and analyze Hypertext Transfer Protocol (HTTP) traffic.
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
Activity 1 – Capture HTTP Traffic
To capture HTTP traffic:
1. Open a new web browser window or tab.
2. Start a Wireshark capture.
3. Navigate to http://en.wikiversity.org.
4. Stop the Wireshark capture.
Activity 2 – Select Destination Traffic
To select destination traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. To view only HTTP traffic, type http (lower
case) in the Filter box and press Enter.
2. Select the first HTTP packet labeled GET /.
3. Observe the destination IP address.
4. To view all related traffic for this connection, change the filter to ip.addr == followed by the destination IP address observed in step 3, and press Enter.
Activity 3 – Analyze TCP Connection Traffic
To analyze TCP connection traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. The first three packets (TCP SYN, TCP SYN/ACK, TCP ACK) are the TCP three way handshake. Select the first packet.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be your default gateway’s MAC address and the source should be your MAC address. You can use ipconfig /all and arp -a to confirm.
5. Expand Internet Protocol Version 4 to view IP details.
6. Observe the Source address. Notice that the source address is your IP address.
7. Observe the Destination address. Notice that the destination address is the IP address of the HTTP server.
8. Expand Transmission Control Protocol to view TCP details.
9. Observe the Source port. Notice that it is a dynamic port selected for this HTTP connection.
10. Observe the Destination port. Notice that it is http (80). Note that all of the packets for this connection will have matching MAC addresses, IP addresses, and port numbers.
matching MAC addresses, IP addresses, and port numbers.
Activity 4 – Analyze HTTP Request Traffic
To analyze HTTP request traffic:
1. Observe the traffic captured in the top Wireshark packet list pane.
2. Select the fourth packet, which is the first HTTP packet and labeled GET /.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol / Hypertext Transfer Protocol frame. Also notice that the Ethernet II, Internet Protocol Version 4, and Transmission Control Protocol values are consistent with the TCP connection analyzed in Activity 3.
4. Expand Hypertext Transfer Protocol to view HTTP details.
5. Observe the GET request, Host, Connection, User-Agent, Referrer, Accept, and Cookie fields. This is the information passed to the HTTP server with the GET request.
6. Observe the traffic captured in the top Wireshark packet list pane.
7. Select the fifth packet, labeled TCP ACK. This is the server TCP acknowledgement of receiving the GET
request.
Activity 5 – Analyze HTTP Response Traffic
To analyze HTTP response traffic:
1. Observe the traffic captured in the top Wireshark packet list pane.
2. Select the second HTTP packet, labeled 301 Moved Permanently.
3. Observe the packet details in the middle Wireshark packet details pane.
4. Expand Hypertext Transfer Protocol to view HTTP details.
5. Observe the HTTP response, Server, Expires, Location, and other available information. This response indicates that the requested page has permanently moved to the location provided.
6. Observe the traffic captured in the top Wireshark packet list pane.
7. Select the next packet, labeled TCP ACK. This is the client TCP acknowledgement of receiving the HTTP
response.
Activity 6 – Analyze HTTP Request Traffic
To analyze HTTP request traffic:
1. Observe the traffic captured in the top Wireshark packet list pane.
2. Select the third HTTP packet, labeled GET /wiki/Wikiversity:Main_Page.
3. Observe the packet details in the middle Wireshark packet details pane.
4. Expand Hypertext Transfer Protocol to view HTTP details.
5. Observe the HTTP request fields. Notice that the request is similar to the request in Activity 4 above, except that the new page location is requested.
6. Observe the traffic captured in the top Wireshark packet list pane.
7. Select the next packet, labeled TCP ACK. This is the server TCP acknowledgement of receiving the GET
request.
Activity 7 – Analyze HTTP Response Traffic
To analyze HTTP response traffic:
1. Observe the traffic captured in the top Wireshark packet list pane.
2. Select the next packet, labeled TCP segment of a reassembled PDU. Notice that because the server response is longer than the maximum segment PDU size, the response has been split into several TCP segments.
3. Observe the packet details in the middle Wireshark packet details pane.
4. Observe the packet contents in the bottom Wireshark packet bytes pane.
5. Observe the traffic captured in the top Wireshark packet list pane. Notice that for every two TCP segments of data, there is a TCP ACK acknowledgement of receiving the HTTP response.
6. Select the last HTTP packet, labeled HTTP 200 OK.
7. Observe the packet details in the middle Wireshark packet details pane. Notice the Reassembled TCP Segments listed.
8. Expand Hypertext Transfer Protocol to view HTTP details.
9. Observe the full HTTP response to be passed to the web browser.
10. Expand Line-based text data to observe web page content.
11. In the web browser, right-click on the web page and view the page source. Notice that it is identical to the line-based text captured in Wireshark.
12. Close the web browser.
13. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
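The Lesson Summary states the shape of an HTTP message (a request line or status line, headers, an empty line, an optional body), and Activities 4 to 7 walk through a GET, a 301 Moved Permanently, and a 200 OK whose body arrived as several TCP segments that Wireshark reassembled. The following Python program is an added example written for this page, not Wikiversity or Wireshark code; it parses constructed request and response bytes into those parts, reads the body length from Content-Length, and reassembles out-of-order TCP segment payloads into one stream before parsing, refusing a stream with a gap. All header values, the page body and the sequence numbers are constructed for the example.

```python
def parse_http_message(raw):
    """Split one HTTP/1.x message into (start line, headers, body). Headers end at the first empty
    line; the body length comes from Content-Length (chunked transfer coding is out of scope here)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message: end of headers not seen yet")
    lines = head.split(b"\r\n")
    start_line = lines[0].decode("iso-8859-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("iso-8859-1").lower()] = value.strip().decode("iso-8859-1")
    length = int(headers.get("content-length", "0"))
    if len(rest) < length:
        raise ValueError(f"incomplete body: have {len(rest)} of {length} bytes")
    return start_line, headers, rest[:length]


def parse_request(raw):
    """Request line is 'METHOD target HTTP/version'."""
    start, headers, body = parse_http_message(raw)
    method, target, version = start.split(" ", 2)
    return {"method": method, "target": target, "version": version, "headers": headers, "body": body}


def parse_response(raw):
    """Status line is 'HTTP/version status reason'; the reason phrase may be absent."""
    start, headers, body = parse_http_message(raw)
    parts = start.split(" ", 2)
    return {"version": parts[0], "status": int(parts[1]),
            "reason": parts[2] if len(parts) > 2 else "", "headers": headers, "body": body}


def segment(data, isn, mss):
    """Cut a byte stream into (sequence number, payload) TCP segments of at most mss bytes."""
    return [(isn + i, data[i:i + mss]) for i in range(0, len(data), mss)]


def reassemble(segments):
    """Put segments back in sequence-number order, as Wireshark's 'Reassembled TCP Segments' does.
    A gap is an error: parsing a stream with a hole would attribute the wrong bytes to the body."""
    ordered = sorted(segments)
    data, expected = b"", ordered[0][0]
    for seq, payload in ordered:
        if seq != expected:
            raise ValueError(f"gap in stream: expected seq {expected}, got {seq}")
        data += payload
        expected += len(payload)
    return data


# Constructed samples modelled on the exchange in the activities (all header values are made up).
SAMPLE_REQUEST = (b"GET / HTTP/1.1\r\nHost: en.wikiversity.org\r\nConnection: keep-alive\r\n"
                  b"User-Agent: ExampleBrowser/1.0\r\nReferer: http://example.invalid/\r\n"
                  b"Accept: text/html\r\nCookie: session=constructed\r\n\r\n")
SAMPLE_301 = (b"HTTP/1.1 301 Moved Permanently\r\nServer: Apache\r\n"
              b"Location: http://en.wikiversity.org/wiki/Wikiversity:Main_Page\r\n"
              b"Content-Length: 0\r\n\r\n")
SAMPLE_BODY = (b"<html><head><title>Wikiversity</title></head>"
               b"<body><p>Constructed sample page body for the reassembly demo.</p></body></html>")
SAMPLE_200 = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              + b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY) + SAMPLE_BODY)
# The 200 response arrives as several TCP segments; listed in reverse to show the reordering.
SAMPLE_SEGMENTS = segment(SAMPLE_200, isn=1000, mss=48)[::-1]

if __name__ == "__main__":
    print(parse_request(SAMPLE_REQUEST)["headers"]["host"])
    print(parse_response(SAMPLE_301)["headers"]["location"])
    print(parse_response(reassemble(SAMPLE_SEGMENTS))["status"])
```

Note that the parser decodes header names case-insensitively but keeps the body as raw bytes: the Line-based text data pane you expand in step 10 is Wireshark's rendering of exactly those bytes, after the same reassembly.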
References
• Wireshark: User’s Guide [1]
• Wireshark: Hyper Text Transfer Protocol [2]
[1] http://www.wireshark.org/docs/wsug_html_chunked/
[2] http://wiki.wireshark.org/Hyper_Text_Transfer_Protocol
Capture and Analyze HTTP Secure (HTTPS) Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and analyze Hypertext Transfer Protocol Secure (HTTPS) traffic.
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
Activity 1 – Capture HTTPS Traffic
To capture HTTPS traffic:
1. Open a new web browser window or tab.
2. Start a Wireshark capture.
3. Navigate to https://en.wikiversity.org.
4. Stop the Wireshark capture.
5. Close the web browser window or tab.
Activity 2 – Select Destination Traffic
To select destination traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. To view only HTTPS traffic, type ssl (lower
case) in the Filter box and press Enter. (Wireshark 3.0 and later name the dissector tls, so use the filter tls there.)
2. Select the first TLS packet labeled Client Hello.
3. Observe the destination IP address.
4. To view all related traffic for this connection, change the filter to ip.addr == followed by that destination IP
address.
Activity 3 – Analyze TCP Connection Traffic
To analyze TCP connection traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. The first three packets (TCP SYN, TCP
SYN/ACK, TCP ACK) are the TCP three way handshake. Select the first packet.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 4 / Transmission Control Protocol frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be your default gateway's MAC address (the
server is on a remote network, so the frame is addressed to the router rather than to the server) and the source
should be your MAC address. You can use ipconfig /all and arp -a to confirm.
5. Expand Internet Protocol Version 4 to view IP details.
6. Observe the Source address. Notice that the source address is your IP address.
7. Observe the Destination address. Notice that the destination address is the IP address of the HTTPS server.
8. Expand Transmission Control Protocol to view TCP details.
9. Observe the Source port. Notice that it is a dynamic (ephemeral) port selected for this HTTPS connection.
10. Observe the Destination port. Notice that it is https (443). Note that all of the packets for this connection will
have matching MAC addresses, IP addresses, and port numbers.
Activity 4 – Analyze SSL/TLS Client Hello Traffic
To analyze SSL/TLS Client Hello traffic:
1. Observe the traffic captured in the top Wireshark packet list pane.
2. Select the first TLS packet, labeled Client Hello.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 4 / Transmission Control Protocol / Secure Sockets Layer frame. Also notice that the Ethernet
II, Internet Protocol Version 4, and Transmission Control Protocol values are consistent with the TCP connection
analyzed in Activity 3.
4. Expand Secure Sockets Layer, TLS, and Handshake Protocol to view SSL/TLS details.
5. Observe the Cipher Suites and Extensions the client offers. The cipher suite list is in the client's order of
preference. The server_name extension carries the host name in clear text, so an observer can see which site is
being visited even though the page content is protected.
6. Observe the traffic captured in the top Wireshark packet list pane.
7. Select the next packet, labeled TCP ACK. This is the server TCP acknowledgement of receiving the Client Hello
request.
Activity 5 – Analyze SSL/TLS Server Hello Traffic
To analyze SSL/TLS Server Hello traffic:
1. Observe the traffic captured in the top Wireshark packet list pane.
2. Select the second TLS packet, labeled Server Hello.
3. Observe the packet details in the middle Wireshark packet details pane.
4. Expand Secure Sockets Layer, TLS, and Handshake Protocol to view SSL/TLS details.
5. Observe the single Cipher Suite the server selected from the client's list, and the Extensions it returned. The
chosen suite fixes the key exchange (for example ECDHE), the bulk cipher and the hash algorithm for the rest of
the session.
Activity 6 – Analyze SSL/TLS Certificate Traffic
To analyze SSL/TLS Certificate traffic:
1. Observe the traffic captured in the top Wireshark packet list pane.
2. Select the third TLS packet, labeled Certificate, Server Key Exchange, Server Hello Done. (Depending on
segmentation, Wireshark may show these three handshake messages in one packet or spread over several.)
3. Observe the packet details in the middle Wireshark packet details pane.
4. Expand Secure Sockets Layer, TLS, Handshake Protocol, and Certificates to view SSL/TLS details.
5. Observe the certificate information provided: the subject and issuer names, the validity period and the server's
public key. The certificate chain is sent in clear text.
6. Expand TLS, Handshake Protocol, and EC Diffie-Hellman Server Params to view the server's ephemeral public
key and the signature over it. The client verifies that signature with the public key in the server's certificate, after
checking that the certificate chains to a trusted root and matches the requested host name; this is what binds the key
exchange to the server's identity and defeats a man in the middle.
7. Observe the traffic captured in the top Wireshark packet list pane.
8. Select the next TCP packet, labeled TCP ACK. This is the client TCP acknowledgement of receiving the Server
Hello and Certificate responses.
Activity 7 – Analyze SSL/TLS Client Key Exchange Traffic
To analyze SSL/TLS Client Key Exchange traffic:
1. Observe the traffic captured in the top Wireshark packet list pane.
2. Select the fourth TLS packet, labeled Client Key Exchange, Change Cipher Spec, Encrypted Handshake
Message.
3. Observe the packet details in the middle Wireshark packet details pane.
4. Expand Secure Sockets Layer, TLS, Handshake Protocol, and Encrypted Handshake Message to view SSL/TLS
details.
5. Observe the three parts. Client Key Exchange carries the client's ephemeral EC Diffie-Hellman public key (with
an RSA key exchange suite it would instead carry the premaster secret encrypted to the server's public key). Both
sides now derive the session keys locally from the exchanged values; the session key itself is never sent on the wire.
Change Cipher Spec announces that everything the client sends from here on is encrypted, and the Encrypted
Handshake Message is the client's Finished message: a MAC over the whole handshake transcript, encrypted with
the new keys, which lets the server detect any tampering with the earlier clear-text messages.
Activity 8 – Analyze SSL/TLS New Session Ticket Traffic
To analyze SSL/TLS New Session Ticket traffic:
1. Observe the traffic captured in the top Wireshark packet list pane.
2. Select the TLS packet labeled New Session Ticket ….
3. Observe the packet details in the middle Wireshark packet details pane.
4. Expand Secure Sockets Layer, TLS, Handshake Protocol, TLS Session Ticket, and Encrypted Handshake
Message to view SSL/TLS details.
5. Observe the two parts. The New Session Ticket is an opaque blob, encrypted by the server under a key only it
holds, that the client can present later to resume this session without a full handshake. The Encrypted Handshake
Message is the server's Finished message, confirming that the server derived the same keys and saw the same
handshake transcript; once the client verifies it, the encrypted session is established.
Activity 9 – Analyze HTTPS Encrypted Data Exchange
To analyze HTTPS encrypted data exchange:
1. Observe the traffic captured in the top Wireshark packet list pane.
2. Select the various TLS packets labeled Application Data.
3. Observe the packet details in the middle Wireshark packet details pane.
4. Expand Secure Sockets Layer and TLS to view SSL/TLS details.
5. Observe the encrypted application data. Notice that the application data protocol is http; Wireshark infers this
from the port number, not from the content, which it cannot read.
6. Observe the data in the bottom Wireshark packet bytes pane. Notice that the application data is encrypted.
7. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
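The handshake fields examined in Activities 4 to 6, as an added example that is not part of the original page: the script below builds a TLS 1.2 Client Hello and Server Hello record from scratch and then dissects them the way Wireshark's Handshake Protocol tree does, recovering the offered cipher suites, the suite the server selected and the server_name (SNI) extension, and flagging the offers a reviewer would question. The records use fixed "random" bytes and a hypothetical client suite list; they are constructed, not captured.

```python
# Added example (not from the original page): build and dissect the TLS 1.2
# handshake records examined in Activities 4 to 6, recovering the cipher suites
# the client offers, the suite the server selects and the server_name (SNI)
# extension. Records are constructed with fixed "random" bytes and a
# hypothetical client suite list; they are not captured traffic.
import struct

HANDSHAKE = 22
HS_TYPES = {1: "Client Hello", 2: "Server Hello", 4: "New Session Ticket", 11: "Certificate",
            12: "Server Key Exchange", 14: "Server Hello Done", 16: "Client Key Exchange", 20: "Finished"}
SUITES = {0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
          0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0005: "TLS_RSA_WITH_RC4_128_SHA"}


def record(hs_type, body):
    """Handshake header (type, 24-bit length) inside a TLS record header."""
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(hs)) + hs


def build_client_hello(suites, server_name):
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name     # one host_name entry
    ext = struct.pack("!HH", 0, len(sni)) + sni                      # extension type 0 = SNI
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                     # version, random, empty session id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)        # null compression, extensions
    return record(1, body)


def build_server_hello(chosen):
    return record(2, b"\x03\x03" + b"\x22" * 32 + b"\x00" + struct.pack("!H", chosen) + b"\x00")


def iter_handshakes(data):
    """Yield (handshake type, body) for each handshake message in a record stream."""
    pos = 0
    while pos + 5 <= len(data):
        ctype, _ver, length = struct.unpack("!BHH", data[pos:pos + 5])
        frag, pos = data[pos + 5:pos + 5 + length], pos + 5 + length
        if ctype != HANDSHAKE:
            continue                     # Change Cipher Spec, Application Data, alerts
        off = 0
        while off + 4 <= len(frag):
            hs_len = int.from_bytes(frag[off + 1:off + 4], "big")
            yield frag[off], frag[off + 4:off + 4 + hs_len]
            off += 4 + hs_len


def parse_client_hello(body):
    pos = 2 + 32                                     # skip client_version and random
    pos += 1 + body[pos]                             # session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                             # compression_methods
    sni = None
    if pos + 2 <= len(body):
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos, end = pos + 2, pos + 2 + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype == 0:                           # list length(2), name type(1), name length(2), name
                sni = edata[5:5 + struct.unpack("!H", edata[3:5])[0]].decode()
    return {"suites": suites, "sni": sni}


def parse_server_hello(body):
    pos = 2 + 32
    pos += 1 + body[pos]
    return struct.unpack("!H", body[pos:pos + 2])[0]


def weak_suites(suites):
    """Offers a reviewer would flag: RC4, export grade, NULL, or RSA key exchange (no forward secrecy)."""
    names = [SUITES.get(s, hex(s)) for s in suites]
    return [n for n in names if any(t in n for t in ("RC4", "EXPORT", "NULL", "TLS_RSA_"))]


def summarize(stream):
    """The facts Wireshark's Handshake Protocol tree shows, as a dict."""
    out = {"messages": []}
    for hs_type, body in iter_handshakes(stream):
        out["messages"].append(HS_TYPES.get(hs_type, str(hs_type)))
        if hs_type == 1:
            out.update(parse_client_hello(body))
        elif hs_type == 2:
            out["selected"] = parse_server_hello(body)
    return out


# Constructed exchange: four offered suites (two weak), server picks ECDHE + AES-GCM.
CAPTURE = build_client_hello([0xC02F, 0xC030, 0x002F, 0x0005], "en.wikiversity.org") + build_server_hello(0xC02F)

if __name__ == "__main__":
    s = summarize(CAPTURE)
    print(s["messages"], s["sni"], SUITES[s["selected"]], "weak offers:", weak_suites(s["suites"]))
```

Everything the parser recovers here is read from clear-text records, which is exactly why the host name and the negotiated suite are visible to a passive observer while the Application Data that follows is not. Feeding the script the bytes of a real Client Hello exported from Wireshark (Export Packet Bytes on the TLS record) works the same way.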
References
• Wireshark: User's Guide [2] http://www.wireshark.org/docs/wsug_html_chunked/
• Wireshark: SSL [2] http://wiki.wireshark.org/SSL
Capture and Analyze Simple Mail Transfer Protocol (SMTP) Traffic
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities
will show you how to use Wireshark to capture and analyze Simple Mail Transfer Protocol (SMTP) traffic.
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
4. Install the Telnet client.
Activity 1 – Capture SMTP Traffic
To capture SMTP traffic:
1. Start a Wireshark capture.
2. Open a command prompt.
3. Type telnet aspmx.l.google.com 25 and press Enter.
4. Observe the server response (a 220 Service Ready banner).
5. Type helo and press Enter. (RFC 5321 requires a domain argument after HELO; if the server rejects a bare helo,
retype it as helo followed by your host name.)
6. Observe the server response. Note that at this point you could enter mail, rcpt and data to send an SMTP message,
but a correctly configured server only accepts recipients in domains it handles mail for; relaying to other domains
over a clear-text, unauthenticated session is refused, since a server that allowed it would be an open relay.
7. Type quit and press Enter to close the connection.
8. Observe the server response (a 221 closing message).
9. Close the command prompt.
10. Stop the Wireshark capture.
Activity 2 – Select Destination Traffic
To select destination traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. To view only SMTP traffic, type smtp (lower
case) in the Filter box and press Enter.
2. Select the first SMTP packet labeled 220 ….
3. Observe the destination IP address.
4. To view all related traffic for this connection, change the filter to ip.addr == followed by that destination IP
address.
Activity 3 – Analyze TCP Connection Traffic
To analyze TCP connection traffic:
1. Observe the traffic captured in the top Wireshark packet list pane. The first three packets (TCP SYN, TCP
SYN/ACK, TCP ACK) are the TCP three way handshake. Select the first packet.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 4 / Transmission Control Protocol frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be your default gateway's MAC address and
the source should be your MAC address. You can use ipconfig /all and arp -a to confirm.
5. Expand Internet Protocol Version 4 to view IP details.
6. Observe the Source address. Notice that the source address is your IP address.
7. Observe the Destination address. Notice that the destination address is the IP address of the SMTP server.
8. Expand Transmission Control Protocol to view TCP details.
9. Observe the Source port. Notice that it is a dynamic (ephemeral) port selected for this SMTP connection.
10. Observe the Destination port. Notice that it is smtp (25). Note that all of the packets for this connection will
have matching MAC addresses, IP addresses, and port numbers.
Activity 4 – Analyze SMTP Service Ready Traffic
To analyze SMTP Service Ready traffic:
1. Observe the traffic captured in the top Wireshark packet list pane.
2. Select the fourth packet, which is the first SMTP packet and labeled 220 ….
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet
Protocol Version 4 / Transmission Control Protocol / Simple Mail Transfer Protocol frame. Also notice that the
Ethernet II, Internet Protocol Version 4, and Transmission Control Protocol values are consistent with the TCP
connection analyzed in Activity 3.
4. Expand Simple Mail Transfer Protocol and Response to view SMTP details.
5. Observe the Response code and Response parameter. The 220 banner is sent before the client has said anything
and usually names the server software, which is why mail server banners are a routine reconnaissance target.
6. Observe the traffic captured in the top Wireshark packet list pane.
7. Select the fifth packet, labeled TCP ACK. This is the client TCP acknowledgement of receiving the Service
Ready message.
Activity 5 – Analyze SMTP HELO Traffic
To analyze SMTP HELO traffic:
1. Observe the traffic captured in the top Wireshark packet list pane.
2. Select the following TCP segments and acknowledgements. The Windows Telnet client sends each keystroke as
soon as it is typed, so every character of the command travels in its own one-byte TCP segment. If you observe the
packet details in the bottom Wireshark packet bytes pane carefully, you will see that the segments spell out the helo
message one character at a time. The sequence ends with a Wireshark-combined SMTP client helo message,
followed by a server TCP acknowledgement.
Activity 6 – Analyze SMTP Completed Traffic
To analyze SMTP Completed traffic:
1. Observe the traffic captured in the top Wireshark packet list pane.
2. Select the following SMTP packet, labeled 250 …
3. Observe the packet details in the middle Wireshark packet details pane.
4. Expand Simple Mail Transfer Protocol and Response to view SMTP details.
5. Observe the Response code and Response parameter.
Activity 7 – Analyze SMTP QUIT Traffic
To analyze SMTP QUIT traffic:
1. Observe the traffic captured in the top Wireshark packet list pane.
2. Select the following TCP segments and acknowledgements. As with helo, each typed character arrives in its own
TCP segment; if you observe the packet details in the bottom Wireshark packet bytes pane carefully, you will see
that the segments spell out the quit message. The sequence ends with a Wireshark-combined SMTP client quit
message, followed by a server TCP acknowledgement.
Activity 8 – Analyze SMTP Closing Traffic
To analyze SMTP Closing traffic:
1. Observe the traffic captured in the top Wireshark packet list pane.
2. Select the following SMTP packet, labeled 221 …
3. Observe the packet details in the middle Wireshark packet details pane.
4. Expand Simple Mail Transfer Protocol and Response to view SMTP details.
5. Observe the Response code and Response parameter.
6. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
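The combining step Wireshark performs in Activities 5 to 8, as an added example that is not part of the original page: the script below takes raw per-direction TCP payloads (the client side as one-byte segments, as a Telnet client produces them), joins them into SMTP command lines, parses server replies into code and text with multi-line continuation handled, and then answers two questions a reviewer would ask of the transcript: which extensions the server announced, and whether the relay attempt was refused. The exchange uses EHLO rather than the page's HELO so that a multi-line reply appears; the server name, addresses and replies are constructed for the example.

```python
# Added example (not from the original page): rebuild the SMTP dialogue from
# raw TCP payloads the way Wireshark does in Activities 5 to 8. A Windows telnet
# client sends each keystroke in its own segment, so the client side arrives as
# one-byte payloads that must be joined into commands; server replies are
# parsed into code, continuation flag and text. The segments below are a
# constructed exchange with a hypothetical server, not captured traffic.

# (direction, payload): "C" = client -> server, "S" = server -> client
SAMPLE_SEGMENTS = (
    [("S", b"220 mx.example.net ESMTP ready\r\n")]
    + [("C", bytes([c])) for c in b"ehlo\r\n"]
    + [("S", b"250-mx.example.net at your service\r\n250-SIZE 35882577\r\n"),
       ("S", b"250 STARTTLS\r\n")]
    + [("C", bytes([c])) for c in b"mail from:<alice@example.org>\r\n"]
    + [("S", b"250 2.1.0 OK\r\n")]
    + [("C", bytes([c])) for c in b"rcpt to:<bob@example.com>\r\n"]
    + [("S", b"550 5.7.1 Relaying denied\r\n")]
    + [("C", bytes([c])) for c in b"quit\r\n"]
    + [("S", b"221 2.0.0 closing connection\r\n")]
)


def parse_reply(line):
    """'250-text' -> (250, True, 'text'); '250 text' -> (250, False, 'text')."""
    if len(line) < 3 or not line[:3].isdigit():
        raise ValueError(f"malformed reply: {line!r}")
    return int(line[:3]), line[3:4] == "-", line[4:]


def reassemble_dialogue(segments):
    """Join per-direction byte streams into lines and list them in order.

    Returns ("C", command) and ("S", code, [lines]) entries. A multi-line reply
    (continuation lines marked with '-') collapses into one entry, just as
    Wireshark shows one 250 reply for the whole EHLO response.
    """
    transcript, buf, reply_lines = [], {"C": b"", "S": b""}, []
    for direction, payload in segments:
        buf[direction] += payload
        while b"\r\n" in buf[direction]:
            line, _, buf[direction] = buf[direction].partition(b"\r\n")
            text = line.decode("ascii", "replace")
            if direction == "C":
                transcript.append(("C", text))
            else:
                code, more, rest = parse_reply(text)
                reply_lines.append(rest)
                if not more:
                    transcript.append(("S", code, reply_lines))
                    reply_lines = []
    return transcript


def relay_refused(transcript):
    """True if any RCPT command was answered with a permanent (5xx) failure."""
    for i, entry in enumerate(transcript[:-1]):
        nxt = transcript[i + 1]
        if (entry[0] == "C" and entry[1].lower().startswith("rcpt")
                and nxt[0] == "S" and 500 <= nxt[1] < 600):
            return True
    return False


def server_features(transcript):
    """Extensions announced in the EHLO reply (e.g. STARTTLS, AUTH, SIZE)."""
    for entry in transcript:
        if entry[0] == "S" and entry[1] == 250 and len(entry[2]) > 1:
            return [line.split()[0] for line in entry[2][1:]]
    return []


if __name__ == "__main__":
    t = reassemble_dialogue(SAMPLE_SEGMENTS)
    for entry in t:
        print(entry)
    print("features:", server_features(t), "relay refused:", relay_refused(t))
```

The per-direction buffers are the reason a single keystroke segment never produces a transcript entry on its own: a command only exists once its CR LF arrives, which is also why Wireshark labels the final segment of each command as the SMTP packet. The 550 on RCPT is the refusal described in Activity 1, step 6.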
References
• Wireshark: User's Guide [2] http://www.wireshark.org/docs/wsug_html_chunked/
• Wireshark: Hyper Text Transfer Protocol [1] http://wiki.wireshark.org/Hyper_Text_Transfer_Protocol
Lesson 14 – Routing Protocols
Routing Protocols
This lesson introduces routing and routing protocols.
Activities include configuring routing on Windows
workstations and using Wireshark to examine Routing
Information Protocol (RIP), Open Shortest Path First (OSPF),
Enhanced Interior Gateway Routing Protocol (EIGRP), and
Border Gateway Protocol (BGP) network traffic.
Readings
1. Read Wikipedia: Routing.
2. Read Wikipedia: Distance-vector routing protocol.
3. Read Wikipedia: Link-state routing protocol.
4. Read Wikipedia: Routing Information Protocol.
5. Read Wikipedia: Open Shortest Path First.
6. Read Wikipedia: Enhanced Interior Gateway Routing Protocol.
7. Read Wikipedia: Border Gateway Protocol.
Activities
1. Use the route command to display the local routing table.
2. Use the route command to modify the local routing table.
3. Review Wireshark: Routing Information Protocol (RIP) [1].
4. Review Wireshark: Open Shortest Path First (OSPF) [2].
5. Review Wireshark: Enhanced Interior Gateway Routing Protocol (EIGRP) [3].
6. Review Wireshark: Border Gateway Protocol (BGP) [4].
7. Consider situations in which a packet analyzer might be used to troubleshoot routing traffic.
8. Use the Discuss page to post comments and questions regarding this lesson.
9. Review the lesson summary, key terms, review questions and flashcards below.
Lesson Summary
• Routing is the process of selecting paths in a network along which to send network traffic.[5]
• Static routing involves manual updating of routing tables with fixed paths to destination networks.[6]
• Dynamic or adaptive routing involves automatic updating of routing tables based on information carried by
routing protocols.[7]
• Routing protocols are divided into interior and exterior protocols. Interior protocols are further divided into
distance-vector protocols and link-state protocols.[8] Distance-vector routing protocols are simple and efficient in
small networks. Larger networks use link-state routing protocols.[9]
• Distance-vector routing protocols require that a router informs its neighbors of topology changes periodically.[10]
Each link is assigned a numeric distance or cost value, and information is shared among neighboring routers to
accumulate a total cost to a given destination.[11]
• Link-state protocols require that a router inform all the nodes in a network of topology changes.[12] Each node
shares information regarding the nodes it can connect to with the entire network so that each node can build its
own network map and determine for itself the least cost path to any given node.[13]
• Routing Information Protocol (RIP) is a distance-vector routing protocol which employs the hop count as a
routing metric. RIP uses the User Datagram Protocol (UDP) as its transport protocol, and is assigned the reserved
port number 520.[14]
• Open Shortest Path First (OSPF) is a link-state routing protocol.[15] OSPF does not use a TCP/IP transport
protocol (UDP, TCP), but is encapsulated directly in IP datagrams with protocol number 89.[16]
• Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco proprietary advanced distance-vector routing
protocol, with optimizations to minimize both the routing instability incurred after topology changes, as well as
the use of bandwidth and processing power in the router.[17]
• Border Gateway Protocol (BGP) is the protocol which makes core routing decisions on the Internet.[18] BGP uses
the Transmission Control Protocol (TCP) as its transport protocol, and is assigned the reserved port 179.[19]
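The RIP datagram format summarized above, as an added example that is not part of the original page: the script below builds a RIPv2 response (the UDP port 520 traffic the Wireshark RIP page dissects) from a hypothetical route set, then parses the 4-byte header and 20-byte entries back out, including the authentication entry. The route prefixes and the password are invented; the packet is constructed, not captured. The point for a reviewer is that RIPv2 simple-password authentication puts the password on the wire in clear text, exactly as Wireshark will display it.

```python
# Added example (not from the original page): build and dissect a RIPv2
# response datagram (UDP port 520) like those on the Wireshark RIP page. The
# route set and the password are hypothetical and the packet is constructed
# here, not captured. The security point: RIPv2 "simple password"
# authentication puts the password on the wire in clear text.
import ipaddress
import struct

RIP_PORT = 520
AUTH_AFI = 0xFFFF           # address family 0xFFFF marks an authentication entry
AUTH_SIMPLE_PASSWORD = 2
INFINITY = 16


def build_rip_response(routes, password=None, version=2):
    """routes: list of (prefix, next_hop, metric). Returns the UDP payload."""
    entries = b""
    if password is not None:
        entries += struct.pack("!HH16s", AUTH_AFI, AUTH_SIMPLE_PASSWORD, password.encode())
    for prefix, next_hop, metric in routes:
        net = ipaddress.ip_network(prefix)
        entries += struct.pack("!HH4s4s4sI", 2, 0, net.network_address.packed,   # AFI 2 = IP, route tag 0
                               net.netmask.packed, ipaddress.ip_address(next_hop).packed, metric)
    return struct.pack("!BBH", 2, version, 0) + entries                        # command 2 = response


def parse_rip(payload):
    """Dissect header and 20-byte entries; returns command, version, auth and routes."""
    command, version, _zero = struct.unpack("!BBH", payload[:4])
    out = {"command": command, "version": version, "auth": None, "routes": []}
    for off in range(4, len(payload) - 19, 20):
        entry = payload[off:off + 20]
        if struct.unpack("!H", entry[:2])[0] == AUTH_AFI:
            auth_type = struct.unpack("!H", entry[2:4])[0]
            secret = entry[4:].rstrip(b"\x00").decode("ascii", "replace")
            out["auth"] = {"type": auth_type,
                           "password": secret if auth_type == AUTH_SIMPLE_PASSWORD else None}
            continue
        _afi, tag, addr, mask, nh, metric = struct.unpack("!HH4s4s4sI", entry)
        net = ipaddress.ip_network(f"{ipaddress.ip_address(addr)}/{ipaddress.ip_address(mask)}", strict=False)
        out["routes"].append({"prefix": str(net), "tag": tag, "next_hop": str(ipaddress.ip_address(nh)),
                              "metric": metric, "unreachable": metric >= INFINITY})
    return out


def exposed_credential(payload):
    """Password recoverable from a sniffed datagram, or None (keyed/MD5 auth does not carry it)."""
    auth = parse_rip(payload)["auth"]
    return auth["password"] if auth else None


# Constructed sample: two reachable prefixes, one withdrawn (metric 16), with a simple password.
SAMPLE = build_rip_response([("10.1.0.0/16", "0.0.0.0", 1), ("10.2.0.0/16", "0.0.0.0", 3),
                             ("192.168.5.0/24", "0.0.0.0", INFINITY)], password="r1p-s3cret")

if __name__ == "__main__":
    parsed = parse_rip(SAMPLE)
    for r in parsed["routes"]:
        print(r["prefix"], "metric", r["metric"], "(unreachable)" if r["unreachable"] else "")
    print("auth:", parsed["auth"], "-> exposed:", exposed_credential(SAMPLE))
```

A next hop of 0.0.0.0 means "via the sender of this datagram", and a metric of 16 is how RIP withdraws a route (see route poisoning under Key Terms). Because anyone on the segment can read the password and forge updates with it, RIPv2 simple authentication should be treated as a guard against accidents, not against an attacker.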
Key Terms
Autonomous System (AS)
A collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network
operators that presents a common, clearly defined routing policy to the Internet.[20]
convergence
The state of a set of routers that have the same topological information about the internetwork in which they
operate.[21]
convergence time
A measure of how fast a group of routers reach the state of convergence.[22]
count-to-infinity problem
An error in distance-vector routing protocols caused by the routers being unable to determine if routing loops
exist in the information provided.[23]
exterior gateway protocol
A routing protocol that is used to determine network reachability between autonomous systems and makes use
of interior gateway protocols to resolve routes within an autonomous system.[24]
holddown timer
A timer used by distance-vector routers that prevents a route from being reinstated by a stale update within a
given period of time after the router first learns that the destination has become unreachable.[25]
interior gateway protocol
A routing protocol that is used to exchange routing information within an autonomous system (AS).[26]
route poisoning
A distance-vector method of notifying neighbouring routers that a previously available route has become invalid,
by advertising it with an infinite metric (16 in RIP) rather than simply omitting it from updates.[27]
split-horizon route advertisement
A method of preventing routing loops in distance-vector routing protocols by prohibiting a router from
advertising a route back onto the interface from which it was learned.[28]
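The count-to-infinity problem and the split-horizon remedy defined above, as an added example that is not part of the original page: the simulation below runs a three-router distance-vector chain (A, B, C, with the destination network attached to C) through synchronous update rounds after C loses its link, first with plain updates and then with split horizon plus poison reverse. The topology, the metrics and the RIP-style infinity of 16 are constructed for the demonstration; no routing protocol packets are involved.

```python
# Added example (not from the original page): a three-router distance-vector
# simulation showing the count-to-infinity problem and how split horizon with
# poison reverse stops it. Topology, metrics and the RIP-style infinity of 16
# are constructed for the demonstration; no real routing protocol packets are
# involved.
INFINITY = 16                                   # RIP: metric 16 = unreachable

# Chain A - B - C, with the destination network attached to C.
NEIGHBORS = {"A": ["B"], "B": ["A", "C"], "C": ["B"]}
# route = (metric, next_hop); "net" marks C's directly connected route
INITIAL = {"A": (3, "B"), "B": (2, "C"), "C": (1, "net")}
AFTER_FAILURE = {"A": (3, "B"), "B": (2, "C"), "C": (INFINITY, None)}


def advertise(routes, sender, receiver, split_horizon):
    """Metric the sender tells the receiver for the destination network."""
    metric, next_hop = routes[sender]
    if split_horizon and next_hop == receiver:
        return INFINITY              # poison reverse: "do not route via me"
    return metric


def update(routes, ads):
    """One synchronous Bellman-Ford step over every router."""
    new = {}
    for router, (metric, next_hop) in routes.items():
        best = (metric, next_hop)
        if next_hop in NEIGHBORS[router]:       # trust the current next hop even if worse
            best = (min(ads[(next_hop, router)] + 1, INFINITY), next_hop)
        for nb in NEIGHBORS[router]:            # then take any strictly better offer
            cost = min(ads[(nb, router)] + 1, INFINITY)
            if cost < best[0]:
                best = (cost, nb)
        new[router] = best if best[0] < INFINITY else (INFINITY, None)
    return new


def run(routes, split_horizon, max_rounds=64):
    """Exchange updates until the tables stop changing; return (rounds, tables, trace)."""
    trace = [routes]
    for rounds in range(1, max_rounds + 1):
        ads = {(s, r): advertise(routes, s, r, split_horizon)
               for s in NEIGHBORS for r in NEIGHBORS[s]}
        new = update(routes, ads)
        trace.append(new)
        if new == routes:
            return rounds, routes, trace
        routes = new
    return max_rounds, routes, trace


if __name__ == "__main__":
    for sh in (False, True):
        rounds, final, trace = run(AFTER_FAILURE, split_horizon=sh)
        print(f"split horizon={sh}: converged after {rounds} rounds")
        for i, t in enumerate(trace):
            print(" ", i, {r: m for r, (m, _) in t.items()})
```

Without split horizon, B learns the dead destination back from A (which still believes in the route via B), and the metric climbs by one per exchange until it reaches 16; with poison reverse, A tells B "unreachable via me" and all three tables converge in three rounds. A holddown timer would have the same effect by making B ignore A's stale offer.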
Review Questions
1. Routing is the process of _____.
Routing is the process of selecting paths in a network along which to send network traffic.
2. Static routing involves _____ updating of routing tables with _____ paths to destination networks.
Static routing involves manual updating of routing tables with fixed paths to destination networks.
3. Dynamic or adaptive routing involves _____ updating of routing tables based on _____.
Dynamic or adaptive routing involves automatic updating of routing tables based on information carried by routing
protocols.
4. Routing protocols are divided into _____ and _____ protocols. _____ protocols are further divided into _____
protocols and _____ protocols. Distance-vector routing protocols are simple and efficient in small networks. Larger
networks use link-state routing protocols.
Routing protocols are divided into interior and exterior protocols. Interior protocols are further divided into
distance-vector protocols and link-state protocols. Distance-vector routing protocols are simple and efficient in small
networks. Larger networks use link-state routing protocols.
5. _____ routing protocols are simple and efficient in small networks. Larger networks use _____ routing protocols.
Distance-vector routing protocols are simple and efficient in small networks. Larger networks use link-state routing
protocols.
6. _____ routing protocols require that a router informs its neighbors of topology changes periodically. Each link is
assigned a numeric distance or cost value, and information is shared among neighboring routers to accumulate a total
cost to a given destination.
Distance-vector routing protocols require that a router informs its neighbors of topology changes periodically. Each
link is assigned a numeric distance or cost value, and information is shared among neighboring routers to accumulate
a total cost to a given destination.
7. _____ protocols require that a router inform all the nodes in a network of topology changes. Each node shares
information regarding the nodes it can connect to with the entire network so that each node can build its own
network map and determine for itself the least cost path to any given node.
Link-state protocols require that a router inform all the nodes in a network of topology changes. Each node shares
information regarding the nodes it can connect to with the entire network so that each node can build its own
network map and determine for itself the least cost path to any given node.
8. Routing Information Protocol (RIP) is a _____ routing protocol which employs the hop count as a routing metric.
RIP uses _____ as its transport protocol, and is assigned the reserved port number _____.
Routing Information Protocol (RIP) is a distance-vector routing protocol which employs the hop count as a routing
metric. RIP uses the User Datagram Protocol (UDP) as its transport protocol, and is assigned the reserved port
number 520.
9. Open Shortest Path First (OSPF) is a _____ routing protocol. OSPF does not use a TCP/IP transport protocol
(UDP, TCP), but is encapsulated directly in IP datagrams with protocol number _____.
Open Shortest Path First (OSPF) is a link-state routing protocol. OSPF does not use a TCP/IP transport protocol
(UDP, TCP), but is encapsulated directly in IP datagrams with protocol number 89.
10. Enhanced Interior Gateway Routing Protocol (EIGRP) is a _____ routing protocol, with optimizations to
minimize both the routing instability incurred after topology changes, as well as the use of bandwidth and processing
power in the router.
Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco proprietary advanced distance-vector routing
protocol, with optimizations to minimize both the routing instability incurred after topology changes, as well as the
use of bandwidth and processing power in the router.
11. Border Gateway Protocol (BGP) is the protocol which makes core routing decisions on the Internet. BGP uses
_____ as its transport protocol, and is assigned the reserved port _____.
Border Gateway Protocol (BGP) is the protocol which makes core routing decisions on the Internet. BGP uses the
Transmission Control Protocol (TCP) as its transport protocol, and is assigned the reserved port 179.
Flashcards
• Test your understanding of this lesson.
• Test your understanding of the key terms.
References
[1] http://wiki.wireshark.org/RIP
[2] http://wiki.wireshark.org/OSPF
[3] http://wiki.wireshark.org/EIGRP
[4] http://wiki.wireshark.org/BGP
[5] Wikipedia: Routing
[6] Wikipedia: Routing#Topology distribution
[7] Wikipedia: Routing#Topology distribution
[8] Wikipedia: Routing#Path vector protocol
[9] Wikipedia: Routing#Comparison of routing algorithms
[10] Wikipedia: Distance-vector routing protocol
[11] Wikipedia: Routing#Distance vector algorithms
[12] Wikipedia: Distance-vector routing protocol
[13] Wikipedia: Routing#Link-state algorithms
[14] Wikipedia: Routing Information Protocol
[15] Wikipedia: Open Shortest Path First
[16] Wikipedia: Open Shortest Path First#Overview
[17] Wikipedia: Enhanced Interior Gateway Routing Protocol
[18] Wikipedia: Border Gateway Protocol
[19] Wikipedia: Border Gateway Protocol#Operation
[20] Wikipedia: Autonomous System (Internet)
[21] Wikipedia: Convergence (routing)
[22] Wikipedia: Convergence (routing)#Convergence time
[23] Wikipedia: Distance-vector routing protocol#Count-to-infinity problem
[24] Wikipedia: Interior gateway protocol
[25] Wikipedia: Holddown
[26] Wikipedia: Interior gateway protocol
[27] Wikipedia: Route poisoning
[28] Wikipedia: Split horizon route advertisement
Display the Local Routing Table
Route is a Windows command that displays and updates the network routing table. These activities will show you
how to use the route command to display the local routing table.
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
Activity 1 – Display Local Routing Table
To display the local routing table:
1. Open a command prompt.
2. Type route print.
3. Press Enter.
4. Observe the active routes by destination, network mask, gateway, interface, and metric.
5. Close the command prompt to complete this activity.
References
• Microsoft TechNet: Route [1]
[1] http://technet.microsoft.com/en-us/library/bb490991.aspx
Modify the Local Routing Table
Route is a Windows command that displays and updates the network routing table. These activities will show you
how to use the route command to modify the local routing table.
Note: To complete this activity, you must have an administrative user account or know the username and
password of an administrator account you can enter when prompted.
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
Activity 1 – Display Local Routing Table
To display the local routing table:
1. Open an elevated/administrator command prompt.
2. Type route print and press Enter.
3. Observe the active routes by destination, network mask, gateway, interface, and metric.
Activity 2 – Delete a Route
To delete a route:
1. Observe the routing table entry for network destination 0.0.0.0 listed in Activity 1. The gateway listed for this
network is the default gateway. Make note of this gateway address for use in restoring this route.
2. Type ping 8.8.8.8 to test Internet connectivity. The ping should be successful.
3. Type route delete 0.0.0.0 and press Enter to delete the routing table entry for the default gateway.
4. Type route print and press Enter.
5. Observe the active routes by destination, network mask, gateway, interface, and metric. Note the missing entry
for network destination 0.0.0.0. The on-link routes for your own subnet remain, so hosts on the local network are
still reachable; only destinations that needed the default route are cut off.
6. Type ping 8.8.8.8 to test Internet connectivity. The ping should fail.
Activity 3 – Add a Route
To add a route:
1. Type route add 0.0.0.0 mask 0.0.0.0 followed by the gateway address you noted for network destination
0.0.0.0 in Activity 1. For example, if the gateway was 192.168.1.1, you would type route add 0.0.0.0
mask 0.0.0.0 192.168.1.1. Then press Enter. A route added this way lasts only until the next reboot; the -p switch
(route -p add ...) makes it persistent. Persistent routes are listed in their own section of route print and are worth
checking during an investigation, since a rogue persistent route is one way to redirect a host's traffic.
2. Type ping 8.8.8.8 to test Internet connectivity. The ping should be successful. If not, repeat Activity 2 to remove
any incorrect entry and then use ipconfig /renew to have DHCP restore your IP address and default gateway.
3. Close the command prompt to complete this activity.
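The lookup a host performs against the table that route print displays, as an added example that is not part of the original page: the script below models a small Windows-style routing table, chooses routes by longest prefix match with the metric as tie-breaker, and replays Activities 2 and 3, showing why 8.8.8.8 has no route once the 0.0.0.0 entry is deleted while a host on the local subnet is still reachable, and why the gateway given to route add must itself be on a directly connected network. The table entries (192.168.1.0/24, gateway 192.168.1.1, interface 192.168.1.10) are hypothetical, not the output of a real route print.

```python
# Added example (not from the original page): a model of how a host consults a
# routing table like the one "route print" displays, and why deleting the
# 0.0.0.0 entry breaks "ping 8.8.8.8" while local traffic still works. The table
# is constructed with hypothetical addresses (192.168.1.0/24 LAN, gateway
# 192.168.1.1); it is not the output of a real route print.
import ipaddress

# (destination, netmask, gateway, interface, metric), route print's columns
SAMPLE_TABLE = [
    ("0.0.0.0", "0.0.0.0", "192.168.1.1", "192.168.1.10", 25),
    ("127.0.0.0", "255.0.0.0", "On-link", "127.0.0.1", 306),
    ("192.168.1.0", "255.255.255.0", "On-link", "192.168.1.10", 281),
    ("192.168.1.10", "255.255.255.255", "On-link", "192.168.1.10", 281),
    ("224.0.0.0", "240.0.0.0", "On-link", "192.168.1.10", 281),
]


def network(dest, mask):
    return ipaddress.ip_network(f"{dest}/{mask}", strict=False)


def lookup(table, destination):
    """Longest-prefix match; ties broken by the lowest metric. None if no route."""
    addr = ipaddress.ip_address(destination)
    best = None
    for dest, mask, gateway, iface, metric in table:
        net = network(dest, mask)
        if addr in net:
            key = (-net.prefixlen, metric)
            if best is None or key < best[0]:
                best = (key, {"network": str(net), "gateway": gateway,
                              "interface": iface, "metric": metric})
    return best[1] if best else None


def next_hop(table, destination):
    """Address the frame is actually sent to: the gateway, or the destination itself if on-link."""
    route = lookup(table, destination)
    if route is None:
        raise LookupError(f"no route to {destination}")
    return destination if route["gateway"] == "On-link" else route["gateway"]


def route_delete(table, destination):
    """route delete <destination>: remove every entry for that destination."""
    return [r for r in table if r[0] != destination]


def route_add(table, destination, mask, gateway, metric=25):
    """route add <dest> mask <mask> <gateway>.

    The gateway must be on a directly connected network: a next hop that itself
    needs a gateway can never be reached, so the entry is rejected here.
    """
    via = lookup(table, gateway)
    if via is None or via["gateway"] != "On-link":
        raise ValueError(f"gateway {gateway} is not on a directly connected network")
    return table + [(destination, mask, gateway, via["interface"], metric)]


def demo():
    """Replay Activities 2 and 3: delete the default route, observe, restore it."""
    before = next_hop(SAMPLE_TABLE, "8.8.8.8")
    without = route_delete(SAMPLE_TABLE, "0.0.0.0")
    local_ok = next_hop(without, "192.168.1.20")
    internet = lookup(without, "8.8.8.8")
    restored = route_add(without, "0.0.0.0", "0.0.0.0", "192.168.1.1")
    return before, local_ok, internet, next_hop(restored, "8.8.8.8")


if __name__ == "__main__":
    print(demo())
```

The /0 default route matches everything but loses every tie on prefix length, which is why the on-link /24 still wins for 192.168.1.20 after the default route is gone and why nothing at all matches 8.8.8.8 until it is added back.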
References
• Microsoft TechNet: Route [1] http://technet.microsoft.com/en-us/library/bb490991.aspx
Lesson 15 – Network Monitoring
Network Monitoring
This lesson introduces network monitoring and looks at the
Simple Network Management Protocol (SNMP). Activities
include installing, configuring and testing the SNMP service,
using Wireshark to examine SNMP network traffic, and using
OpenNMS to monitor a network.
Readings
1. Read Wikipedia: Network monitoring.
2. Read Wikipedia: Simple Network Management Protocol.
3. Read Wikipedia: Management information base.
Activities
1. Install the SNMP Service.
2. Configure the SNMP Service.
3. Test the SNMP Service.
4. Use OpenNMS to monitor a network.
5. Review Wireshark: Simple Network Management Protocol (SNMP) [1].
6. Consider situations in which a packet analyzer might be used to troubleshoot network monitoring traffic.
7. Use the Discuss page to post comments and questions regarding this lesson.
8. Review the lesson summary, key terms, review questions and flashcards below.
Lesson Summary
• Network monitoring describes the use of a system that constantly monitors a computer network for slow or failing
components and that notifies the network administrator (via email, SMS or other alarms) in case of outages.[2]
• Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing devices on IP
networks.[3] With SNMP, administrative computers called managers monitor or manage a group of hosts on a
computer network. Each managed system executes an agent which reports information via SNMP to the
manager.[4]
• SNMP uses a Management Information Base (MIB) to describe the structure of the management data of a device
subsystem. The MIB is a hierarchical namespace containing object identifiers (OID), and each OID identifies a
variable that can be read or set via SNMP.[5]
• SNMP is an application layer protocol. SNMP agents receive requests on UDP port 161. SNMP managers receive
notifications (Traps and InformRequests) on UDP port 162.[6]
• SNMP messages from managers include GetRequest, SetRequest, GetNextRequest, and GetBulkRequest. SNMP
messages from agents include Response and Trap. SNMP messages from manager to manager include
InformRequest.[7]
• SNMP versions 1 and 2 support limited security through the use of a clear-text password known as a community
string. SNMP version 3 supports encryption on UDP ports 10161 and 10162.[8][9]
• Default SNMP settings present a variety of security issues that must be addressed when SNMP is implemented on
a network.[10]
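To make the summary concrete, here is an added example (written for this page; it is not code from the course, from Wireshark or from Microsoft) that builds and parses an SNMPv1/v2c message by hand using ASN.1 BER, the encoding Wireshark decodes when you examine SNMP traffic on UDP port 161. It uses the standard sysDescr.0 object (1.3.6.1.2.1.1.1.0) from the MIB-II system group, and the request id and community strings in the sample are constructed. The set of "default" community strings the audit flags is an assumption about what a defender's checklist would contain, not something the lesson specifies.

```python
"""Minimal SNMPv1/v2c message encoder and decoder (ASN.1 BER), written for this
page as an added example; it is not code from the course, Wireshark or Microsoft.
It builds the same bytes a manager puts on UDP port 161 and shows why the
community string is called a clear-text password: it is readable in the datagram."""

# PDU tags from the SNMP protocol definitions (context-specific, constructed)
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest", 0xA6: "InformRequest",
             0xA7: "Trap"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}          # values of the version INTEGER
DEFAULT_COMMUNITIES = {"public", "private"}      # assumption: the defaults an audit flags

def _length(n):
    """BER length: short form below 128, long form (0x80 | byte count) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def _integer(value):
    """INTEGER, minimal two's-complement encoding (non-negative values here)."""
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))

def _oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def encode_request(community, oids, request_id, pdu_tag=0xA0, version=1):
    """Build a GetRequest (or GetNextRequest with pdu_tag=0xA1) for the given OIDs."""
    varbinds = b"".join(_tlv(0x30, _oid(o) + b"\x05\x00") for o in oids)  # value = NULL
    pdu = _tlv(pdu_tag, _integer(request_id) + _integer(0) + _integer(0)  # error-status/index
               + _tlv(0x30, varbinds))
    return _tlv(0x30, _integer(version) + _tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf, pos):
    """Return (tag, body, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_message(raw):
    """Parse a v1/v2c message; v3 has a different layout and is not handled here."""
    tag, msg, _ = _read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message SEQUENCE")
    _, ver, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, rid, pos = _read_tlv(pdu, 0)
    _, _, pos = _read_tlv(pdu, pos)          # error-status
    _, _, pos = _read_tlv(pdu, pos)          # error-index
    _, varbinds, _ = _read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = _read_tlv(varbinds, pos)
        _, oid_body, _ = _read_tlv(vb, 0)
        oids.append(_decode_oid(oid_body))
    return {"version": VERSIONS.get(int.from_bytes(ver, "big", signed=True), "unknown"),
            "community": community.decode("latin-1"),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "oids": oids}

def audit_message(raw):
    """Defender's view of one captured datagram: what a packet analyzer would reveal."""
    msg = decode_message(raw)
    findings = []
    if msg["version"] in ("v1", "v2c"):
        findings.append("community string travels in clear text (SNMP%s)" % msg["version"])
    if msg["community"] in DEFAULT_COMMUNITIES:
        findings.append("default community string '%s' in use" % msg["community"])
    return msg, findings

if __name__ == "__main__":
    # Constructed sample: a manager asking for sysDescr.0 with the community 'public'
    datagram = encode_request("public", ["1.3.6.1.2.1.1.1.0"], request_id=1234)
    print(datagram.hex())
    print(audit_message(datagram))
```

Running the block prints the hex of a 41-byte datagram in which the ASCII bytes of `public` are plainly visible, which is the whole point of the summary's last two bullets: anyone who can capture the segment can read the v1/v2c community string, so read-only communities, non-default names and SNMPv3 where available are the mitigations.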
Key Terms
agent
A software component that runs on managed devices and responds to requests from the network management
system.[11]
availability
The degree to which a system, subsystem, or equipment is in a specified operable and committable state.[12]
managed device
A network node that implements an SNMP interface that allows unidirectional (read-only) or bidirectional
access to node-specific information.[13]
network management system
A combination of hardware and software used to monitor and administer a computer network or networks.[14]
response time
The interval between the receipt of the end of transmission of an inquiry message and the beginning of the
transmission of a response message to the station originating the inquiry.[15]
uptime
A measure of the time a machine has been up without any downtime.[16]
Review Questions
1. Network monitoring describes the use of a system that _____ and that _____.
Network monitoring describes the use of a system that constantly monitors a computer network for slow or failing
components and that notifies the network administrator (via email, SMS or other alarms) in case of outages.
2. Simple Network Management Protocol (SNMP) is an Internet-standard protocol for _____. With SNMP,
administrative computers called _____ monitor or manage a group of hosts on a computer network. Each managed
system executes an _____ which reports information via SNMP to the manager.
Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing devices on IP
networks. With SNMP, administrative computers called managers monitor or manage a group of hosts on a
computer network. Each managed system executes an agent which reports information via SNMP to the manager.
3. SNMP uses a _____ to describe the structure of the management data of a device subsystem. The _____ is a
hierarchical namespace containing _____, and each _____ identifies a variable that can be read or set via SNMP.
SNMP uses a Management Information Base (MIB) to describe the structure of the management data of a device
subsystem. The MIB is a hierarchical namespace containing object identifiers (OID), and each OID identifies a
variable that can be read or set via SNMP.
4. SNMP is an _____ layer protocol. SNMP _____ receive requests on _____ port _____. SNMP _____ receive
notifications on _____ port _____.
SNMP is an application layer protocol. SNMP agents receive requests on UDP port 161. SNMP managers receive
notifications on UDP port 162.
5. SNMP messages from managers include _____. SNMP messages from agents include _____. SNMP messages
from manager to manager include _____.
SNMP messages from managers include GetRequest, SetRequest, GetNextRequest, and GetBulkRequest. SNMP
messages from agents include Response and Trap. SNMP messages from manager to manager include
InformRequest.
6. SNMP versions 1 and 2 support limited security through the use of a clear-text password known as a _____.
SNMP version 3 supports encryption on _____ ports _____ and _____.
SNMP versions 1 and 2 support limited security through the use of a clear-text password known as a community
string. SNMP version 3 supports encryption on UDP ports 10161 and 10162.
7. Default SNMP settings present a variety of _____ that must be addressed when SNMP is implemented on a
network.
Default SNMP settings present a variety of security issues that must be addressed when SNMP is implemented on a
network.
Flashcards
• Test your understanding of this lesson.
• Test your understanding of the key terms.
References
[1] http://wiki.wireshark.org/SNMP
[2] Wikipedia: Network monitoring
[3] Wikipedia: Simple Network Management Protocol
[4] Wikipedia: Simple Network Management Protocol#Overview and basic concepts
[5] Wikipedia: Simple Network Management Protocol#Management information base (MIB)
[6] Wikipedia: Simple Network Management Protocol#Protocol details
[7] Wikipedia: Simple Network Management Protocol#Protocol details
[8] Wikipedia: Simple Network Management Protocol#Protocol details
[9] Wikipedia: Simple Network Management Protocol#Development and usage
[10] Wikipedia: Simple Network Management Protocol#Security implications
[11] Wikipedia: Simple Network Management Protocol#Overview and basic concepts
[12] Wikipedia: Availability
[13] Wikipedia: Simple Network Management Protocol#Overview and basic concepts
[14] Wikipedia: Network management system
[15] Wikipedia: Response time (technology)
[16] Wikipedia: Uptime
Install the SNMP Service
The SNMP Service is a Windows service that provides a Simple Network Management Protocol (SNMP) agent that
can be used to monitor and manage Windows workstations and servers. These activities will show you how to install
the SNMP Service.
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
Activity 1 – Install the SNMP Service
To install the SNMP Service:
1. Open the Start menu.
2. Select Control Panel.
3. Select Programs.
4. Select Turn Windows features on or off.
5. Select the check box for Simple Network Management Protocol (SNMP).
6. Select OK to complete this activity.
Readings
• Wikipedia: Simple Network Management Protocol (SNMP)
References
• Microsoft TechNet: Install the SNMP Service [1]
• Turn Windows features on or off [2]
References
[1] http://technet.microsoft.com/en-us/library/cc759570(v=ws.10).aspx
[2] http://windows.microsoft.com/en-US/windows-vista/Turn-Windows-features-on-or-off
Configure the SNMP Service
The SNMP Service is a Windows service that provides a Simple Network Management Protocol (SNMP) agent that
can be used to monitor and manage Windows workstations and servers. These activities will show you how to
configure the SNMP Service.
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install the SNMP Service.
Activity 1 – Configure the SNMP Service
To configure the SNMP Service:
1. Open the Start menu.
2. In the Run box type Services or Services.msc.
3. Press Enter.
4. In the Services console, find SNMP Service. Double-click on it to view SNMP Service properties.
5. Select the Agent tab.
6. Enter values for Contact and Location for this workstation.
7. Select all five check boxes (Physical, Applications, Datalink and subnetwork, Internet, and End-to-end).
8. Apply changes.
9. Select the Security tab.
10. Clear the Send authentication trap check box.
11. Add an accepted community name of public with READ ONLY rights.
12. Select OK to apply changes and close the dialog box.
13. Close the Services console to complete this activity.
References
• Microsoft TechNet: Install the SNMP Service [1]
• Microsoft TechNet: Configure agent properties [1]
• Microsoft TechNet: Configure SNMP security properties [2]
References
[1] http://technet.microsoft.com/en-us/library/cc736962(v=ws.10).aspx
[2] http://technet.microsoft.com/en-us/library/cc783571(v=ws.10).aspx
Test the SNMP Service
The SNMP Service is a Windows service that provides a Simple Network Management Protocol (SNMP) agent that
can be used to monitor and manage Windows workstations and servers. These activities will show you how to test
the SNMP Service.
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install the SNMP Service.
4. Configure the SNMP Service.
Activity 1 – Install the iReasoning MIB Browser Free Personal Edition
To install the iReasoning MIB Browser Free Personal Edition:
1. Open a web browser.
2. Navigate to http://www.ireasoning.com/downloadmibbrowserfree.php.
3. Download and run setup.exe.
4. If you see a User Account Control dialog box, select Yes to allow the program to make changes to this computer.
5. Review the license agreement and select I Agree if you agree.
6. Select Next > to select the default components.
7. Select Install to install the program in the default location.
8. Select Close when the installation is completed.
9. Select Yes to launch the MIB Browser now.
Activity 2 – Test the SNMP Service
To test the SNMP Service:
1. In the iReasoning MIB Browser, expand the MIB Tree and navigate to a subtree that interests you.
2. In the Operations pulldown, select Get Subtree.
3. Observe the settings reported by the SNMP service.
4. Continue selecting different subtrees and review reported settings.
5. Close the iReasoning MIB Browser to complete this activity.
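What a "Get Subtree" operation does, and what the Agent tab's five service check boxes from the Configure activity turn into, can both be shown without a live agent. The following is an added example written for this page (not code from the course, from iReasoning or from Microsoft): an in-memory model of an agent's MIB view, a GetNext-style walk that stops at the first instance outside the requested subtree, and the RFC 1213 sysServices calculation. The object values are constructed; the OIDs are the standard MIB-II system group (1.3.6.1.2.1.1) and ifDescr column (1.3.6.1.2.1.2.2.1.2). Treating Get Subtree as a chain of GetNextRequests is an assumption about the browser's internals; the MIB browser may use GetBulkRequest instead, but the ordering rule shown here is the same.

```python
"""In-memory model of an SNMP agent's MIB view, written for this page as an
added example (not code from the course, iReasoning or Microsoft). It shows
how a subtree walk proceeds one GetNext at a time in numeric OID order, and
how the Agent tab's service check boxes map to sysServices (RFC 1213)."""

SYSTEM_GROUP = "1.3.6.1.2.1.1"      # MIB-II 'system' group
IF_DESCR = "1.3.6.1.2.1.2.2.1.2"    # ifDescr column of ifTable

# Constructed sample of what a Windows SNMP Service might answer; the Contact
# and Location strings are the values the Configure activity's Agent tab sets.
AGENT_MIB = {
    SYSTEM_GROUP + ".1.0": "Windows workstation (constructed sysDescr)",
    SYSTEM_GROUP + ".3.0": 4512345,                   # sysUpTime, hundredths of a second
    SYSTEM_GROUP + ".4.0": "lab-admin@example.test",  # sysContact
    SYSTEM_GROUP + ".5.0": "LAB-PC01",                # sysName
    SYSTEM_GROUP + ".6.0": "Room 101, Lab B",         # sysLocation
    SYSTEM_GROUP + ".7.0": 79,                        # sysServices, all five layers checked
    "1.3.6.1.2.1.2.1.0": 2,                           # ifNumber
    IF_DESCR + ".2": "Local Area Connection",         # ifIndex 2
    IF_DESCR + ".10": "Loopback Pseudo-Interface",    # ifIndex 10
}

def oid_key(oid):
    """OIDs order arc by arc as integers, not as strings: ...2.2 precedes ...2.10."""
    return tuple(int(a) for a in oid.strip(".").split("."))

def get_next(mib, oid):
    """Agent side of GetNextRequest: the next instance after `oid` in MIB order,
    or None at the end of the MIB view (endOfMibView in v2c)."""
    candidates = [o for o in mib if oid_key(o) > oid_key(oid)]
    if not candidates:
        return None
    nxt = min(candidates, key=oid_key)
    return nxt, mib[nxt]

def walk_subtree(mib, prefix):
    """Manager side of 'Get Subtree': issue GetNext until a reply leaves the prefix."""
    prefix_key = oid_key(prefix)
    results, cursor = [], prefix
    while True:
        step = get_next(mib, cursor)
        if step is None:
            break                       # end of MIB view
        oid, value = step
        if oid_key(oid)[:len(prefix_key)] != prefix_key:
            break                       # first instance outside the subtree ends the walk
        results.append((oid, value))
        cursor = oid                    # the reply's OID becomes the next request
    return results

# RFC 1213 sysServices: layer L contributes 2^(L-1) when the node offers that service.
SERVICE_LAYERS = {"physical": 1, "datalink": 2, "internet": 3,
                  "end_to_end": 4, "applications": 7}

def sys_services(**enabled):
    """Value of sysServices.0 for the given Agent tab check boxes (unknown names raise KeyError)."""
    return sum(1 << (SERVICE_LAYERS[name] - 1) for name, on in enabled.items() if on)

if __name__ == "__main__":
    for oid, value in walk_subtree(AGENT_MIB, SYSTEM_GROUP):
        print(oid, "=", value)
    print("sysServices with all five boxes checked:",
          sys_services(physical=True, datalink=True, internet=True,
                       end_to_end=True, applications=True))
```

Two things to notice when comparing this with what the MIB browser shows: the walk of the system group returns sysContact and sysLocation exactly as typed on the Agent tab, so anything placed there is readable by every host that knows the community string; and with all five boxes checked sysServices.0 reads 79 (1 + 2 + 4 + 8 + 64), which is the value to expect in the Test activity.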
References
• iReasoning MIB Browser License Agreement (Personal Edition) [1]
References
[1] http://www.ireasoning.com/downloadmibbrowserlicense.shtml
Article Sources and Contributors
Internet Protocol Analysis Source: http://en.wikiversity.org/w/index.php?oldid=990072 Contributors: Dave Braunschweig, Michael Ten, 1 anonymous edits
Introduction Source: http://en.wikiversity.org/w/index.php?oldid=990971 Contributors: Dave Braunschweig, Julien Dethurens, 1 anonymous edits
Ipconfig Source: http://en.wikiversity.org/w/index.php?oldid=987050 Contributors: Dave Braunschweig
Private Networks Source: http://en.wikiversity.org/w/index.php?oldid=987092 Contributors: Dave Braunschweig
Packet Analyzers Source: http://en.wikiversity.org/w/index.php?oldid=992698 Contributors: Dave Braunschweig
Install Wireshark Source: http://en.wikiversity.org/w/index.php?oldid=997059 Contributors: Dave Braunschweig
Capture Network Traffic Source: http://en.wikiversity.org/w/index.php?oldid=988570 Contributors: Dave Braunschweig
Filter Displayed Traffic Source: http://en.wikiversity.org/w/index.php?oldid=988571 Contributors: Dave Braunschweig
Filter Captured Traffic Source: http://en.wikiversity.org/w/index.php?oldid=988572 Contributors: Dave Braunschweig
Link Layer Source: http://en.wikiversity.org/w/index.php?oldid=990976 Contributors: Dave Braunschweig
Display MAC Addresses Using Getmac Source: http://en.wikiversity.org/w/index.php?oldid=987045 Contributors: Dave Braunschweig
Display MAC Addresses Using Ipconfig Source: http://en.wikiversity.org/w/index.php?oldid=987051 Contributors: Dave Braunschweig
Search for a MAC Address OUI Source: http://en.wikiversity.org/w/index.php?oldid=987055 Contributors: Dave Braunschweig
Capture and Analyze Ethernet Traffic Source: http://en.wikiversity.org/w/index.php?oldid=988573 Contributors: Dave Braunschweig
Address Resolution Protocol (ARP) Source: http://en.wikiversity.org/w/index.php?oldid=990977 Contributors: Dave Braunschweig
View the ARP Cache Source: http://en.wikiversity.org/w/index.php?oldid=984925 Contributors: Dave Braunschweig
Modify the ARP Cache Source: http://en.wikiversity.org/w/index.php?oldid=1001071 Contributors: Dave Braunschweig
Capture and Analyze Address Resolution Protocol (ARP) Traffic Source: http://en.wikiversity.org/w/index.php?oldid=990320 Contributors: Dave Braunschweig
Internet Layer / IPv4 Source: http://en.wikiversity.org/w/index.php?oldid=990978 Contributors: Dave Braunschweig
Search the Whois Database Source: http://en.wikiversity.org/w/index.php?oldid=987099 Contributors: Dave Braunschweig
Capture and Analyze Address Resolution Protocol (ARP) Traffic Source: http://en.wikiversity.org/w/index.php?oldid=990320 Contributors: Dave Braunschweig
Capture and Analyze Local IPv4 Traffic Source: http://en.wikiversity.org/w/index.php?oldid=988578 Contributors: Dave Braunschweig
Capture and Analyze Remote IPv4 Traffic Source: http://en.wikiversity.org/w/index.php?oldid=988579 Contributors: Dave Braunschweig
Capture and Analyze Fragmented IPv4 Traffic Source: http://en.wikiversity.org/w/index.php?oldid=988580 Contributors: Dave Braunschweig
Subnetting Source: http://en.wikiversity.org/w/index.php?oldid=990979 Contributors: Dave Braunschweig
IPv6 Source: http://en.wikiversity.org/w/index.php?oldid=990981 Contributors: Dave Braunschweig
Configure IPv6 Settings Source: http://en.wikiversity.org/w/index.php?oldid=987929 Contributors: Dave Braunschweig
Capture and Analyze Local IPv6 Traffic Source: http://en.wikiversity.org/w/index.php?oldid=988582 Contributors: Dave Braunschweig
Capture and Analyze Remote IPv6 Traffic Source: http://en.wikiversity.org/w/index.php?oldid=988583 Contributors: Dave Braunschweig
Capture and Analyze IPv6 Teredo Traffic Source: http://en.wikiversity.org/w/index.php?oldid=988585 Contributors: Dave Braunschweig
Capture and Analyze IPv6 6to4 Traffic Source: http://en.wikiversity.org/w/index.php?oldid=988586 Contributors: Dave Braunschweig
Capture and Analyze IPv6 6in4 Traffic Source: http://en.wikiversity.org/w/index.php?oldid=988587 Contributors: Dave Braunschweig
Internet Control Message Protocol (ICMP) Source: http://en.wikiversity.org/w/index.php?oldid=990980 Contributors: Dave Braunschweig
Capture and Analyze ICMP Echo Traffic Source: http://en.wikiversity.org/w/index.php?oldid=988588 Contributors: Dave Braunschweig
Capture and Analyze ICMP Time Exceeded Traffic Source: http://en.wikiversity.org/w/index.php?oldid=988594 Contributors: Dave Braunschweig
Capture and Analyze ICMP tracert/traceroute Traffic Source: http://en.wikiversity.org/w/index.php?oldid=990321 Contributors: Dave Braunschweig
Capture and Analyze ICMPv6 Echo Traffic Source: http://en.wikiversity.org/w/index.php?oldid=988590 Contributors: Dave Braunschweig
Capture and Analyze ICMPv6 Time Exceeded Traffic Source: http://en.wikiversity.org/w/index.php?oldid=988591 Contributors: Dave Braunschweig
Capture and Analyze ICMPv6 tracert/traceroute Traffic Source: http://en.wikiversity.org/w/index.php?oldid=990322 Contributors: Dave Braunschweig
Ping MTU Source: http://en.wikiversity.org/w/index.php?oldid=987088 Contributors: Dave Braunschweig
Multicast Source: http://en.wikiversity.org/w/index.php?oldid=990982 Contributors: Dave Braunschweig
Capture and Analyze IPv4 Multicast Traffic Source: http://en.wikiversity.org/w/index.php?oldid=988581 Contributors: Dave Braunschweig
Capture and Analyze IPv6 Multicast Traffic Source: http://en.wikiversity.org/w/index.php?oldid=988584 Contributors: Dave Braunschweig
Capture and Analyze ICMPv6 Neighbor Discovery Protocol (NDP) Traffic Source: http://en.wikiversity.org/w/index.php?oldid=990323 Contributors: Dave Braunschweig
Transport Layer Source: http://en.wikiversity.org/w/index.php?oldid=990983 Contributors: Dave Braunschweig
Display Protocol Statistics Source: http://en.wikiversity.org/w/index.php?oldid=988506 Contributors: Dave Braunschweig
Display All Active Connections and Listening Ports Source: http://en.wikiversity.org/w/index.php?oldid=988508 Contributors: Dave Braunschweig
Capture and Analyze User Datagram Protocol (UDP) Traffic Source: http://en.wikiversity.org/w/index.php?oldid=990324 Contributors: Dave Braunschweig
Capture and Analyze Transmission Control Protocol (TCP) Traffic Source: http://en.wikiversity.org/w/index.php?oldid=990495 Contributors: Dave Braunschweig
Address Assignment Source: http://en.wikiversity.org/w/index.php?oldid=990992 Contributors: Dave Braunschweig
View and Test a Link-Local Address Source: http://en.wikiversity.org/w/index.php?oldid=988651 Contributors: Dave Braunschweig
Capture and Analyze Dynamic Host Configuration Protocol (DHCP) Traffic Source: http://en.wikiversity.org/w/index.php?oldid=990325 Contributors: Dave Braunschweig
Capture and Analyze DHCPv6 Traffic Source: http://en.wikiversity.org/w/index.php?oldid=990326 Contributors: Dave Braunschweig
Name Resolution Source: http://en.wikiversity.org/w/index.php?oldid=992411 Contributors: Dave Braunschweig
View the Hosts File Source: http://en.wikiversity.org/w/index.php?oldid=989021 Contributors: Dave Braunschweig
Edit the Hosts File Source: http://en.wikiversity.org/w/index.php?oldid=990020 Contributors: Dave Braunschweig
Display Host Addresses Source: http://en.wikiversity.org/w/index.php?oldid=990044 Contributors: Dave Braunschweig
Display Other Record Types Source: http://en.wikiversity.org/w/index.php?oldid=990046 Contributors: Dave Braunschweig
Simulate a Recursive Query Source: http://en.wikiversity.org/w/index.php?oldid=990052 Contributors: Dave Braunschweig
Capture and Analyze Domain Name System (DNS) Traffic Source: http://en.wikiversity.org/w/index.php?oldid=990327 Contributors: Dave Braunschweig
Capture and Analyze Link Local Multicast Name Resolution (LLNMR) Traffic Source: http://en.wikiversity.org/w/index.php?oldid=990318 Contributors: Dave Braunschweig
Display NetBIOS Over TCP/IP Statistics Source: http://en.wikiversity.org/w/index.php?oldid=990355 Contributors: Dave Braunschweig
Application Layer Source: http://en.wikiversity.org/w/index.php?oldid=992699 Contributors: Dave Braunschweig
Capture and Analyze Hypertext Transfer Protocol (HTTP) Traffic Source: http://en.wikiversity.org/w/index.php?oldid=990488 Contributors: Dave Braunschweig
Capture and Analyze HTTP Secure (HTTPS) Traffic Source: http://en.wikiversity.org/w/index.php?oldid=990493 Contributors: Dave Braunschweig
Capture and Analyze Simple Mail Transfer Protocol (SMTP) Traffic Source: http://en.wikiversity.org/w/index.php?oldid=990500 Contributors: Dave Braunschweig
Routing Protocols Source: http://en.wikiversity.org/w/index.php?oldid=990994 Contributors: Dave Braunschweig
Display the Local Routing Table Source: http://en.wikiversity.org/w/index.php?oldid=990512 Contributors: Dave Braunschweig
Modify the Local Routing Table Source: http://en.wikiversity.org/w/index.php?oldid=990521 Contributors: Dave Braunschweig
Network Monitoring Source: http://en.wikiversity.org/w/index.php?oldid=990995 Contributors: Dave Braunschweig
Install the SNMP Service Source: http://en.wikiversity.org/w/index.php?oldid=987094 Contributors: Dave Braunschweig
Configure the SNMP Service Source: http://en.wikiversity.org/w/index.php?oldid=987095 Contributors: Dave Braunschweig
Test the SNMP Service Source: http://en.wikiversity.org/w/index.php?oldid=987096 Contributors: Dave Braunschweig
Image Sources, Licenses and Contributors
Image:Internet Protocol Analysis Source: http://en.wikiversity.org/w/index.php?title=File:Internet_Protocol_Analysis License: Creative Commons Attribution-Sharealike 3.0
Contributors: User:Dave Braunschweig
image:Nuvola_apps_ktip Source: http://en.wikiversity.org/w/index.php?title=File:Nuvola_apps_ktip License: unknown Contributors: Alphax, It Is Me Here, Matthias M., Rocket000
image:Nuvola_apps_edu_miscellaneous Source: http://en.wikiversity.org/w/index.php?title=File:Nuvola_apps_edu_miscellaneous License: unknown Contributors: Alno, Alphax,
Augiasstallputzer, Bobarino, Cwbm (commons), Kimse, Martin Kraus, Pierpao, Pseudomoi, Rocket000, Stannered, WikipediaMaster, Wutsje, Ysangkok, 3 anonymous edits
image:Nuvola_filesystems_folder_orange Source: http://en.wikiversity.org/w/index.php?title=File:Nuvola_filesystems_folder_orange License: unknown Contributors: Alphax,
Cwbm (commons), CyberSkull, Trần Nguyễn Minh Huy
Image:Internet Protocol Analysis – Gray Source: http://en.wikiversity.org/w/index.php?title=File:Internet_Protocol_Analysis_-_Gray License: Creative Commons
Attribution-Sharealike 3.0 Contributors: User:Dave Braunschweig
image:Nuvola_apps_bookcase.svg Source: http://en.wikiversity.org/w/index.php?title=File:Nuvola_apps_bookcase.svg License: GNU Lesser General Public License Contributors: Peter
Kemp
image:Nuvola_apps_korganizer.svg Source: http://en.wikiversity.org/w/index.php?title=File:Nuvola_apps_korganizer.svg License: GNU Lesser General Public License Contributors: David
Vignoni, User:Stannered
image:Stock_post_message.svg Source: http://en.wikiversity.org/w/index.php?title=File:Stock_post_message.svg License: GNU Lesser General Public License Contributors: David Vignoni
image:Nuvola_apps_kdict Source: http://en.wikiversity.org/w/index.php?title=File:Nuvola_apps_kdict License: GNU Lesser General Public License Contributors: AVRS, Alno,
Alphax, Deerstop, ReyBrujo, Rocket000, Romram, Urhixidur, Urutseg, VIGNERON
image:Nuvola_apps_package_editors Source: http://en.wikiversity.org/w/index.php?title=File:Nuvola_apps_package_editors License: GNU Lesser General Public License
Contributors: Alno, Alphax, Elektrik Shoos, It Is Me Here, MithrandirMage, Sinigagl, Wikiborg
image:Nuvola_apps_cache Source: http://en.wikiversity.org/w/index.php?title=File:Nuvola_apps_cache License: GNU Lesser General Public License Contributors: Alno, Alphax,
Ch1902, It Is Me Here, Muro de Aguas, Origamiemensch, Pierpao, Pseudomoi, WikipediaMaster, Wst, 1 anonymous edits
Image:Internet Protocol Analysis – Link Layer Source: http://en.wikiversity.org/w/index.php?title=File:Internet_Protocol_Analysis_-_Link_Layer License: Creative Commons
Attribution-Sharealike 3.0 Contributors: User:Dave Braunschweig
Image:Internet Protocol Analysis – Internet Layer Source: http://en.wikiversity.org/w/index.php?title=File:Internet_Protocol_Analysis_-_Internet_Layer License: Creative Commons
Attribution-Sharealike 3.0 Contributors: User:Dave Braunschweig
Image:Internet Protocol Analysis – Transport Layer Source: http://en.wikiversity.org/w/index.php?title=File:Internet_Protocol_Analysis_-_Transport_Layer License: Creative
Commons Attribution-Sharealike 3.0 Contributors: User:Dave Braunschweig
Image:Internet Protocol Analysis – Application Layer Source: http://en.wikiversity.org/w/index.php?title=File:Internet_Protocol_Analysis_-_Application_Layer License: Creative
Commons Attribution-Sharealike 3.0 Contributors: User:Dave Braunschweig
License
Creative Commons Attribution-Share Alike 3.0 Unported
http://creativecommons.org/licenses/by-sa/3.0/