wireshark traceroute pinghy335a/frontistiria/xeim... · what is wireshark? wireshark is a free and...
TRANSCRIPT
Active Monitoring Network Tools
● Active monitoring entails injecting test traffic onto a network and monitoring the flow of that traffic. With active monitoring we can find information about delay/packet loss, topology/routing, bandwidth/throughput.
● Common tools are ping and traceroute that use ICMP protocol.● Passive monitoring instead of injecting traffic into the network passively monitors
existing traffic in the network. Passive monitoring requires a device on the network to capture network packets for analysis.
● Common tools are tcpdump and wireshark.
Internet Control Message Protocol
● ICMP messages are typically used for diagnostic or control purposes or generated in response to errors in IP protocol. ICMP errors are directed to the source IP address of the originating packet.
● ICMP packets are encapsulated in IPv4 packets as payload.● Although it is send in an IP datagram ICMP is at IP layer.● Time-To-Live, Source Address and Destination Address, from IP header, are of
significant importance for ICMP.○ Can you think why?
Internet Control Message Protocol Header
Common Types:
Type 8: echo request.Type 0: echo reply.Type 3: Destination Unreachable
Code 1: Destination Host UnreachableCode 7: Destination Host Unknown
1
1
Internet Control Message Protocol
ICMP
2
The Context
IP-Related Protocol: ICMP
TCP/IP Protocol Stack
Network
Layer
Link Layer
IP
ARPNetwork
Access
Media
ICMP IGMP
Transport
LayerTCP UDP
2
3
Internet Control Message Protocol (ICMP)
The Internet Control Message Protocol (ICMP) is used by
routers and hosts to send network control information to
each other
From a layering point of view, ICMP is a separate protocol
that sits above IP and uses IP to transport messages
In practice, ICMP is an integral part
of IP and all IP modules must support
the ICMP protocol
IP
Transport
TCP/UDP
ICMP
4
Internet Control Message Protocol
ICMP messages are encapsulated in IP datagrams
ICMP frames are identified by IP Protocol field value 1
Used by IP to send error and control messages
Uses IP to send its messages
ICMP Header ICMP Data
IP Header IP Data
Frame Header Frame Data
3
5
ICMP Message Format
ICMP message: content contains the first 8 bytes of IP
datagram causing error, plus other things
Contents depends on type
8-bit
type
8-bit
code 16-bit checksum
6
Types of ICMP Messages
Information messages
— Sender sends a query to another machine (either host or
router) and expects an answer. For example, a host might
want to know if a router is alive
Error indication messages
— The IP software on a host or router has encountered a
problem processing an IP datagram. For example, it may be
unable to route the datagram to its destination.
5
11
ICMP Error Messages
Important Points
— No ICMP error message will be generated in response to a
datagram carrying an ICMP error message
— No ICMP error message will be generated for a fragmented
datagram that is not the first fragment
— No ICMP error message will be generated for a datagram
having a multicast address
— No ICMP error message will be generated for a datagram
having a special address such as 127.0.0.0 or 0.0.0.0
ICMP always reports error messages to the original source.
ICMP Data for Error Messages
12
6
13
ICMP Error Messages (1)
Destination Unreachable (type 3)
— When a gateway (router) cannot route a datagram (e.g., it
doesn't have an appropriate route in its local table, or it
needs to fragment and the DF bit is set), it discards the
message and returns an ICMP "destination unreachable"
message to the sending host.
Source Quench (type 4)
— When a gateway becomes congested and runs out of buffer
space, it may discard a datagram and return a source
quench message. Source quench messages are used to
request that the sender reduce the rate at which it is
sending datagrams
14
ICMP Error Messages (2)
Time Exceeded (type 11)
— As a datagram is processed, routers decrement its time-to-
live (TTL) field. If the TTL value reaches 0, the gateway
discards the datagram and sends a time exceeded
message (code 0) to the sender.
— Code 1 is used by a destination host to show that not all
fragments have arrived within a set time.
What is ping??
● Ping is a computer network administration software utility used to test the reachability of a host on an Internet Protocol (IP) network. It measures the round-trip time for messages sent from the originating host to a destination computer that are echoed back to the source.
● Source host set a TTL counter to the ICMP packet and forwards it.○ Echo Request.
● If destination host receives the packet a new ICMP packet is created and send back to the source.
○ Echo Reply.● If TTL counter zeroes before reaching the destination host, the packet is dropped and a
reply is send back to the host.
11
ICMP Queries
23
24
ICMP Query Messages
n Used to diagnose network problems
n In this type of ICMP message, a node sends a message
that is answered in a specific format by the destination
node.
n Echo Request / Reply (types 8 / 0)
— If machine A sends an ICMP echo request message to
machine B, machine B is required to respond with an ICMP
echo reply
— In UNIX, the program ping allows a user to check whether a
machine is reachable and functioning
12
25
Ping
n Uses ICMP Echo request/reply to
— test destination reachability
— compute round trip time
— count the # of hops to destination
n Source sends ICMP echo request message to the
destination address
— echo request packet contains timestamp also
n Destination replies with an ICMP echo reply message
containing the data in the original request message
n Source can calculate RTT of packets
n If no echo reply comes back, destination unreachable
26
Ping (contd.)
n Sample output:
Reply from 164.107.144.3: 48 bytes in 47 msec. TTL: 253
A R1 R2 R3 B
13
ICMP Echo Request / Reply Message
n The identifier and sequence number may be used by the
echo sender to aid in matching the replies with the echo
requests.
27
ICMP Timestamp Request / Reply Message
n Timestamp-request and timestamp-reply messages can be
used to calculate the round-trip time between a source and a
destination machine.
28
14
ICMP Mask Request / Reply Message
n Timestamp-request and timestamp-reply messages can be
used to calculate the round-trip time between a source and a
destination machine.
29
ICMP Router Solicitation / Advertisement
30
What is traceroute?
● Traceroute is a computer network diagnostic tool for displaying the route (path) and measuring transit delays of packets across an Internet Protocol (IP) network.
● Source host sends an echo request to destination with TTL=1. ● Packet expires in the first hop and a echo reply is sent back to source.● Host examines the echo reply source address.
○ Now we know the first hop, and the rtt to the first hop.● Source host increments TTL until echo request reaches the destination hop and then
knows the full route.● Traceroute sends out 3 echo requests per hop. If all 3 are lost 2 times traceroute stops.● RTT is measured in a per hop basis, contrary to ping.
7
15
Recall: Traceroute
Traceroute records the route that packets take
A clever use of ICMP and the TTL field
When a router receives a packet, it decrements TTL
If TTL=0, send ICMP “Time exceeded” back to sender
To determine a route
— Send a packet with TTL = 1 (hop)
— The first router discards the packet and sends ICMP “Time
Exceeded”; when ICMP “Time Exceeded” is received,
record the sender’s (router’s) address
— Increment TTL
— Repeat until the destination host is received or an error
occurs
16
Traceroute (contd.)
A R1 R2 R3 B
8
17
ICMP Error Messages (3)
Parameter Problem (type 12)
— When a host or gateway encounters a problem parsing an
IP datagram, it returns a parameter problem message to the
datagram's sender
Redirection (type 5)
— Sent from a router to a local host on the same network
— Informs the source of a better route to the destination
— A host usually starts with a small routing table that is
gradually augmented and updated. Redirection helps it.
18
ICMP Redirect Example (1)
Host A has one default
router, which is R2
CS Net
R1
LAN1
LAN2
R2
A
9
19
ICMP Redirect Example (2)
When A wants to send a
message to the Campus
Net, it sends it to the
default router (R2)
R2 forwards the message
to R1 R1
LAN1
LAN2
R2
CS Net
To: csgate.csc.vill.edu
A
20
ICMP Redirect Example (3)
R2 also sends an ICMP
redirect message to A,
telling it to use R1 for
connections to
csgate.vill.edu R1
LAN1
LAN2
R2
CS Net
ICMP: redirect to R1 A
10
ICMP Redirect
21
Redirection Message Format
22
ICMP Redirect Example (4)
A sends subsequent
packets directly to R1
Note: some hosts
deliberately ignore ICMP
Redirect messages as a
precaution against network
attacks.
R1
LAN1
LAN2
R2
CS Net
A To: csgate.csc.vill.edu
Run ping and traceroute!
● To run ping open a terminal.○ Ping command: ping google.gr○ Find out about ping options, some are interesting : man ping.○ Try to send specific number of packets.○ Try to change the payload size. Do you see anything weird from google?
● To run traceroute open a terminal.○ Traceroute command: traceroute google.gr (tracert for windows)○ Find out about traceroute options: man traceroute.○ Who is your ISP? Can you find out from traceroute?
What is Wireshark?
● Wireshark is a free and open source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.
● Is cross-platform and uses pcap* to capture packets.● Wireshark is very similar to tcpdump, but has a graphical front-end, plus some integrated
sorting and filtering options.● Wireshark is not preinstalled.
○ For windows users download from site.○ For *nix users download from repositories. e.g sudo apt install wireshark.
* API for capturing packets. Unix uses libpcap library and windows a port of libcap called WinPcap
packetlife.net
by Jeremy Stretch v2.0
WIRESHARK DISPLAY FILTERS · PART 1Ethernet
eth.addr eth.srceth.len
eth.dst eth.trailereth.lg
eth.ig eth.typeeth.multicast
IEEE 802.1Q
vlan.cfi vlan.priorityvlan.id
vlan.etype vlan.trailervlan.len
IPv4
ARP
ip.fragment.overlap.conflictip.addr
ip.checksum ip.fragment.toolongfragment
ip.fragmentsip.checksum_bad
ip.checksum_good ip.hdr_len
ip.hostip.dsfield
ip.dsfield.ce ip.id
ip.lenip.dsfield.dscp
ip.dsfield.ect ip.proto
ip.reassembled_inip.dst
ip.dst_host ip.src
ip.src_hostip.flags
ip.flags.df ip.tos
ip.tos.costip.flags.mf
ip.flags.rb ip.tos.delay
ip.tos.precedenceip.frag_offset
ip.fragment ip.tos.reliability
ip.tos.throughputip.fragment.error
ip.fragment.multipletails ip.ttl
ip.versionip.fragment.overlap
IPv6
ipv6.hop_optipv6.addr
ipv6.class ipv6.host
ipv6.mipv6_home_addressipv6.dst
ipv6.dst_host ipv6.mipv6_length
ipv6.mipv6_typeipv6.dst_opt
ipv6.flow ipv6.nxt
ipv6.opt.pad1ipv6.fragment
ipv6.fragment.error ipv6.opt.padn
ipv6.plenipv6.fragment.more
ipv6.fragment.multipletails ipv6.reassembled_in
ipv6.routing_hdripv6.fragment.offset
ipv6.fragment.overlap ipv6.routing_hdr.addr
ipv6.routing_hdr.leftipv6.fragment.overlap.conflict
ipv6.fragment.toolongfragment ipv6.routing_hdr.type
ipv6.srcipv6.fragments
ipv6.fragment.id ipv6.src_host
ipv6.versionipv6.hlim
arp.dst.hw_mac arp.proto.size
arp.dst.proto_ipv4 arp.proto.type
arp.hw.size arp.src.hw_mac
arp.hw.type arp.src.proto_ipv4
arp.opcode
TCP
tcp.options.qstcp.ack
tcp.checksum tcp.options.sack
tcp.options.sack_letcp.checksum_bad
tcp.checksum_good tcp.options.sack_perm
tcp.options.sack_retcp.continuation_to
tcp.dstport tcp.options.time_stamp
tcp.options.wscaletcp.flags
tcp.flags.ack tcp.options.wscale_val
tcp.pdu.last_frametcp.flags.cwr
tcp.flags.ecn tcp.pdu.size
tcp.pdu.timetcp.flags.fin
tcp.flags.push tcp.port
tcp.reassembled_intcp.flags.reset
tcp.flags.syn tcp.segment
tcp.segment.errortcp.flags.urg
tcp.hdr_len tcp.segment.multipletails
tcp.segment.overlaptcp.len
tcp.nxtseq tcp.segment.overlap.conflict
tcp.segment.toolongfragmenttcp.options
tcp.options.cc tcp.segments
tcp.seqtcp.options.ccecho
tcp.options.ccnew tcp.srcport
tcp.time_deltatcp.options.echo
tcp.options.echo_reply tcp.time_relative
tcp.urgent_pointertcp.options.md5
tcp.options.mss tcp.window_size
tcp.options.mss_val
UDP
udp.checksum udp.srcportudp.dstport
udp.checksum_bad udp.length
udp.checksum_good udp.port
Operators
eq or ==
ne or !=
gt or >
lt or <
ge or >=
le or <=
Logic
Logical ANDand or &&
or or || Logical OR
Logical XORxor or ^^
not or ! Logical NOT
Substring operator[n] […]
packetlife.net
by Jeremy Stretch v2.0
WIRESHARK DISPLAY FILTERS · PART 2Frame Relay
fr.defr.becn
fr.chdlctype fr.dlci
fr.dlcore_controlfr.control
fr.control.f fr.ea
fr.fecnfr.control.ftype
fr.control.n_r fr.lower_dlci
fr.nlpidfr.control.n_s
fr.control.p fr.second_dlci
fr.snap.ouifr.control.s_ftype
fr.control.u_modifier_cmd fr.snap.pid
fr.snaptypefr.control.u_modifier_resp
fr.cr fr.third_dlci
fr.upper_dlcifr.dc
ICMPv6
icmpv6.all_comp
icmpv6.checksum
icmpv6.option.name_type.fqdn
icmpv6.option.name_x501
icmpv6.checksum_bad
icmpv6.code
icmpv6.option.rsa.key_hash
icmpv6.option.type
icmpv6.comp
icmpv6.haad.ha_addrs
icmpv6.ra.cur_hop_limit
icmpv6.ra.reachable_time
icmpv6.identifier
icmpv6.option
icmpv6.ra.retrans_timer
icmpv6.ra.router_lifetime
icmpv6.option.cga
icmpv6.option.length
icmpv6.recursive_dns_serv
icmpv6.type
icmpv6.option.name_type
RIP
BGP
bgp.mp_reach_nlri_ipv4_prefixbgp.aggregator_as
bgp.aggregator_origin bgp.mp_unreach_nlri_ipv4_prefix
bgp.multi_exit_discbgp.as_path
bgp.cluster_identifier bgp.next_hop
bgp.nlri_prefixbgp.cluster_list
bgp.community_as bgp.origin
bgp.originator_idbgp.community_value
bgp.local_pref bgp.type
bgp.withdrawn_prefixbgp.mp_nlri_tnl_id
HTTP
http.proxy_authorizationhttp.accept
http.accept_encoding http.proxy_connect_host
http.proxy_connect_porthttp.accept_language
http.authbasic http.referer
http.requesthttp.authorization
http.cache_control http.request.method
http.request.urihttp.connection
http.content_encoding http.request.version
http.responsehttp.content_length
http.content_type http.response.code
http.serverhttp.cookie
http.date http.set_cookie
http.transfer_encodinghttp.host
http.last_modified http.user_agent
http.www_authenticatehttp.location
http.notification http.x_forwarded_for
http.proxy_authenticate
PPP
ppp.address ppp.direction
ppp.control ppp.protocol
rip.auth.passwd rip.route_tagrip.ip
rip.auth.type rip.routing_domainrip.metric
rip.command rip.versionrip.netmask
rip.family rip.next_hop
MPLS
mpls.oam.defect_locationmpls.bottom
mpls.cw.control mpls.oam.defect_type
mpls.oam.frequencympls.cw.res
mpls.exp mpls.oam.function_type
mpls.oam.ttsimpls.label
mpls.oam.bip16 mpls.ttl
ICMP
icmp.checksum icmp.seqicmp.ident
icmp.checksum_bad icmp.typeicmp.mtu
icmp.code icmp.redir_gw
DTP
dtp.neighbor vtp.neighbordtp.tlv_type
dtp.tlv_len dtp.version
VTP
vtp.vlan_info.802_10_indexvtp.code
vtp.conf_rev_num vtp.vlan_info.isl_vlan_id
vtp.vlan_info.lenvtp.followers
vtp.md vtp.vlan_info.mtu_size
vtp.vlan_info.status.vlan_suspvtp.md5_digest
vtp.md_len vtp.vlan_info.tlv_len
vtp.vlan_info.tlv_typevtp.seq_num
vtp.start_value vtp.vlan_info.vlan_name
vtp.vlan_info.vlan_name_lenvtp.upd_id
vtp.upd_ts vtp.vlan_info.vlan_type
vtp.version