Basic Networking Tools

● Ping

● Traceroute

● Wireshark

Active Monitoring Network Tools

● Active monitoring entails injecting test traffic onto a network and monitoring the flow of that traffic. With active monitoring we can find information about delay/packet loss, topology/routing, bandwidth/throughput.

● Common tools are ping and traceroute that use ICMP protocol.● Passive monitoring instead of injecting traffic into the network passively monitors

existing traffic in the network. Passive monitoring requires a device on the network to capture network packets for analysis.

● Common tools are tcpdump and wireshark.

Internet Control Message Protocol

● ICMP messages are typically used for diagnostic or control purposes or generated in response to errors in IP protocol. ICMP errors are directed to the source IP address of the originating packet.

● ICMP packets are encapsulated in IPv4 packets as payload.● Although it is send in an IP datagram ICMP is at IP layer.● Time-To-Live, Source Address and Destination Address, from IP header, are of

significant importance for ICMP.○ Can you think why?

Internet Control Message Protocol Header

Common Types:

Type 8: echo request.Type 0: echo reply.Type 3: Destination Unreachable

Code 1: Destination Host UnreachableCode 7: Destination Host Unknown

1

1

Internet Control Message Protocol

ICMP

2

The Context

IP-Related Protocol: ICMP

TCP/IP Protocol Stack

Network

Layer

Link Layer

IP

ARPNetwork

Access

Media

ICMP IGMP

Transport

LayerTCP UDP

2

3

Internet Control Message Protocol (ICMP)

The Internet Control Message Protocol (ICMP) is used by

routers and hosts to send network control information to

each other

From a layering point of view, ICMP is a separate protocol

that sits above IP and uses IP to transport messages

In practice, ICMP is an integral part

of IP and all IP modules must support

the ICMP protocol

IP

Transport

TCP/UDP

ICMP

4

Internet Control Message Protocol

ICMP messages are encapsulated in IP datagrams

ICMP frames are identified by IP Protocol field value 1

Used by IP to send error and control messages

Uses IP to send its messages

ICMP Header ICMP Data

IP Header IP Data

Frame Header Frame Data

3

5

ICMP Message Format

ICMP message: content contains the first 8 bytes of IP

datagram causing error, plus other things

Contents depends on type

8-bit

type

8-bit

code 16-bit checksum

6

Types of ICMP Messages

Information messages

— Sender sends a query to another machine (either host or

router) and expects an answer. For example, a host might

want to know if a router is alive

Error indication messages

— The IP software on a host or router has encountered a

problem processing an IP datagram. For example, it may be

unable to route the datagram to its destination.

4

ICMP Types of Messages

7

ICMP Error Reporting

10

5

11

ICMP Error Messages

Important Points

— No ICMP error message will be generated in response to a

datagram carrying an ICMP error message

— No ICMP error message will be generated for a fragmented

datagram that is not the first fragment

— No ICMP error message will be generated for a datagram

having a multicast address

— No ICMP error message will be generated for a datagram

having a special address such as 127.0.0.0 or 0.0.0.0

ICMP always reports error messages to the original source.

ICMP Data for Error Messages

12

6

13

ICMP Error Messages (1)

Destination Unreachable (type 3)

— When a gateway (router) cannot route a datagram (e.g., it

doesn't have an appropriate route in its local table, or it

needs to fragment and the DF bit is set), it discards the

message and returns an ICMP "destination unreachable"

message to the sending host.

Source Quench (type 4)

— When a gateway becomes congested and runs out of buffer

space, it may discard a datagram and return a source

quench message. Source quench messages are used to

request that the sender reduce the rate at which it is

sending datagrams

14

ICMP Error Messages (2)

Time Exceeded (type 11)

— As a datagram is processed, routers decrement its time-to-

live (TTL) field. If the TTL value reaches 0, the gateway

discards the datagram and sends a time exceeded

message (code 0) to the sender.

— Code 1 is used by a destination host to show that not all

fragments have arrived within a set time.

What is ping??

● Ping is a computer network administration software utility used to test the reachability of a host on an Internet Protocol (IP) network. It measures the round-trip time for messages sent from the originating host to a destination computer that are echoed back to the source.

● Source host set a TTL counter to the ICMP packet and forwards it.○ Echo Request.

● If destination host receives the packet a new ICMP packet is created and send back to the source.

○ Echo Reply.● If TTL counter zeroes before reaching the destination host, the packet is dropped and a

reply is send back to the host.

11

ICMP Queries

23

24

ICMP Query Messages

n Used to diagnose network problems

n In this type of ICMP message, a node sends a message

that is answered in a specific format by the destination

node.

n Echo Request / Reply (types 8 / 0)

— If machine A sends an ICMP echo request message to

machine B, machine B is required to respond with an ICMP

echo reply

— In UNIX, the program ping allows a user to check whether a

machine is reachable and functioning

12

25

Ping

n Uses ICMP Echo request/reply to

— test destination reachability

— compute round trip time

— count the # of hops to destination

n Source sends ICMP echo request message to the

destination address

— echo request packet contains timestamp also

n Destination replies with an ICMP echo reply message

containing the data in the original request message

n Source can calculate RTT of packets

n If no echo reply comes back, destination unreachable

26

Ping (contd.)

n Sample output:

Reply from 164.107.144.3: 48 bytes in 47 msec. TTL: 253

A R1 R2 R3 B

13

ICMP Echo Request / Reply Message

n The identifier and sequence number may be used by the

echo sender to aid in matching the replies with the echo

requests.

27

ICMP Timestamp Request / Reply Message

n Timestamp-request and timestamp-reply messages can be

used to calculate the round-trip time between a source and a

destination machine.

28

14

ICMP Mask Request / Reply Message

n Timestamp-request and timestamp-reply messages can be

used to calculate the round-trip time between a source and a

destination machine.

29

ICMP Router Solicitation / Advertisement

30

What is traceroute?

● Traceroute is a computer network diagnostic tool for displaying the route (path) and measuring transit delays of packets across an Internet Protocol (IP) network.

● Source host sends an echo request to destination with TTL=1. ● Packet expires in the first hop and a echo reply is sent back to source.● Host examines the echo reply source address.

○ Now we know the first hop, and the rtt to the first hop.● Source host increments TTL until echo request reaches the destination hop and then

knows the full route.● Traceroute sends out 3 echo requests per hop. If all 3 are lost 2 times traceroute stops.● RTT is measured in a per hop basis, contrary to ping.

7

15

Recall: Traceroute

Traceroute records the route that packets take

A clever use of ICMP and the TTL field

When a router receives a packet, it decrements TTL

If TTL=0, send ICMP “Time exceeded” back to sender

To determine a route

— Send a packet with TTL = 1 (hop)

— The first router discards the packet and sends ICMP “Time

Exceeded”; when ICMP “Time Exceeded” is received,

record the sender’s (router’s) address

— Increment TTL

— Repeat until the destination host is received or an error

occurs

16

Traceroute (contd.)

A R1 R2 R3 B

8

17

ICMP Error Messages (3)

Parameter Problem (type 12)

— When a host or gateway encounters a problem parsing an

IP datagram, it returns a parameter problem message to the

datagram's sender

Redirection (type 5)

— Sent from a router to a local host on the same network

— Informs the source of a better route to the destination

— A host usually starts with a small routing table that is

gradually augmented and updated. Redirection helps it.

18

ICMP Redirect Example (1)

Host A has one default

router, which is R2

CS Net

R1

LAN1

LAN2

R2

A

9

19

ICMP Redirect Example (2)

When A wants to send a

message to the Campus

Net, it sends it to the

default router (R2)

R2 forwards the message

to R1 R1

LAN1

LAN2

R2

CS Net

To: csgate.csc.vill.edu

A

20

ICMP Redirect Example (3)

R2 also sends an ICMP

redirect message to A,

telling it to use R1 for

connections to

csgate.vill.edu R1

LAN1

LAN2

R2

CS Net

ICMP: redirect to R1 A

10

ICMP Redirect

21

Redirection Message Format

22

ICMP Redirect Example (4)

A sends subsequent

packets directly to R1

Note: some hosts

deliberately ignore ICMP

Redirect messages as a

precaution against network

attacks.

R1

LAN1

LAN2

R2

CS Net

A To: csgate.csc.vill.edu

Run ping and traceroute!

● To run ping open a terminal.○ Ping command: ping google.gr○ Find out about ping options, some are interesting : man ping.○ Try to send specific number of packets.○ Try to change the payload size. Do you see anything weird from google?

● To run traceroute open a terminal.○ Traceroute command: traceroute google.gr (tracert for windows)○ Find out about traceroute options: man traceroute.○ Who is your ISP? Can you find out from traceroute?

What is Wireshark?

● Wireshark is a free and open source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

● Is cross-platform and uses pcap* to capture packets.● Wireshark is very similar to tcpdump, but has a graphical front-end, plus some integrated

sorting and filtering options.● Wireshark is not preinstalled.

○ For windows users download from site.○ For *nix users download from repositories. e.g sudo apt install wireshark.

* API for capturing packets. Unix uses libpcap library and windows a port of libcap called WinPcap

16

ARP packetsARP packets

17

UDP with specific destination IPUDP with specific destination IP

18

TCP with specific source portTCP with specific source port

19

DNS responsesDNS responses

packetlife.net

by Jeremy Stretch v2.0

WIRESHARK DISPLAY FILTERS · PART 1Ethernet

eth.addr eth.srceth.len

eth.dst eth.trailereth.lg

eth.ig eth.typeeth.multicast

IEEE 802.1Q

vlan.cfi vlan.priorityvlan.id

vlan.etype vlan.trailervlan.len

IPv4

ARP

ip.fragment.overlap.conflictip.addr

ip.checksum ip.fragment.toolongfragment

ip.fragmentsip.checksum_bad

ip.checksum_good ip.hdr_len

ip.hostip.dsfield

ip.dsfield.ce ip.id

ip.lenip.dsfield.dscp

ip.dsfield.ect ip.proto

ip.reassembled_inip.dst

ip.dst_host ip.src

ip.src_hostip.flags

ip.flags.df ip.tos

ip.tos.costip.flags.mf

ip.flags.rb ip.tos.delay

ip.tos.precedenceip.frag_offset

ip.fragment ip.tos.reliability

ip.tos.throughputip.fragment.error

ip.fragment.multipletails ip.ttl

ip.versionip.fragment.overlap

IPv6

ipv6.hop_optipv6.addr

ipv6.class ipv6.host

ipv6.mipv6_home_addressipv6.dst

ipv6.dst_host ipv6.mipv6_length

ipv6.mipv6_typeipv6.dst_opt

ipv6.flow ipv6.nxt

ipv6.opt.pad1ipv6.fragment

ipv6.fragment.error ipv6.opt.padn

ipv6.plenipv6.fragment.more

ipv6.fragment.multipletails ipv6.reassembled_in

ipv6.routing_hdripv6.fragment.offset

ipv6.fragment.overlap ipv6.routing_hdr.addr

ipv6.routing_hdr.leftipv6.fragment.overlap.conflict

ipv6.fragment.toolongfragment ipv6.routing_hdr.type

ipv6.srcipv6.fragments

ipv6.fragment.id ipv6.src_host

ipv6.versionipv6.hlim

arp.dst.hw_mac arp.proto.size

arp.dst.proto_ipv4 arp.proto.type

arp.hw.size arp.src.hw_mac

arp.hw.type arp.src.proto_ipv4

arp.opcode

TCP

tcp.options.qstcp.ack

tcp.checksum tcp.options.sack

tcp.options.sack_letcp.checksum_bad

tcp.checksum_good tcp.options.sack_perm

tcp.options.sack_retcp.continuation_to

tcp.dstport tcp.options.time_stamp

tcp.options.wscaletcp.flags

tcp.flags.ack tcp.options.wscale_val

tcp.pdu.last_frametcp.flags.cwr

tcp.flags.ecn tcp.pdu.size

tcp.pdu.timetcp.flags.fin

tcp.flags.push tcp.port

tcp.reassembled_intcp.flags.reset

tcp.flags.syn tcp.segment

tcp.segment.errortcp.flags.urg

tcp.hdr_len tcp.segment.multipletails

tcp.segment.overlaptcp.len

tcp.nxtseq tcp.segment.overlap.conflict

tcp.segment.toolongfragmenttcp.options

tcp.options.cc tcp.segments

tcp.seqtcp.options.ccecho

tcp.options.ccnew tcp.srcport

tcp.time_deltatcp.options.echo

tcp.options.echo_reply tcp.time_relative

tcp.urgent_pointertcp.options.md5

tcp.options.mss tcp.window_size

tcp.options.mss_val

UDP

udp.checksum udp.srcportudp.dstport

udp.checksum_bad udp.length

udp.checksum_good udp.port

Operators

eq or ==

ne or !=

gt or >

lt or <

ge or >=

le or <=

Logic

Logical ANDand or &&

or or || Logical OR

Logical XORxor or ^^

not or ! Logical NOT

Substring operator[n] […]

packetlife.net

by Jeremy Stretch v2.0

WIRESHARK DISPLAY FILTERS · PART 2Frame Relay

fr.defr.becn

fr.chdlctype fr.dlci

fr.dlcore_controlfr.control

fr.control.f fr.ea

fr.fecnfr.control.ftype

fr.control.n_r fr.lower_dlci

fr.nlpidfr.control.n_s

fr.control.p fr.second_dlci

fr.snap.ouifr.control.s_ftype

fr.control.u_modifier_cmd fr.snap.pid

fr.snaptypefr.control.u_modifier_resp

fr.cr fr.third_dlci

fr.upper_dlcifr.dc

ICMPv6

icmpv6.all_comp

icmpv6.checksum

icmpv6.option.name_type.fqdn

icmpv6.option.name_x501

icmpv6.checksum_bad

icmpv6.code

icmpv6.option.rsa.key_hash

icmpv6.option.type

icmpv6.comp

icmpv6.haad.ha_addrs

icmpv6.ra.cur_hop_limit

icmpv6.ra.reachable_time

icmpv6.identifier

icmpv6.option

icmpv6.ra.retrans_timer

icmpv6.ra.router_lifetime

icmpv6.option.cga

icmpv6.option.length

icmpv6.recursive_dns_serv

icmpv6.type

icmpv6.option.name_type

RIP

BGP

bgp.mp_reach_nlri_ipv4_prefixbgp.aggregator_as

bgp.aggregator_origin bgp.mp_unreach_nlri_ipv4_prefix

bgp.multi_exit_discbgp.as_path

bgp.cluster_identifier bgp.next_hop

bgp.nlri_prefixbgp.cluster_list

bgp.community_as bgp.origin

bgp.originator_idbgp.community_value

bgp.local_pref bgp.type

bgp.withdrawn_prefixbgp.mp_nlri_tnl_id

HTTP

http.proxy_authorizationhttp.accept

http.accept_encoding http.proxy_connect_host

http.proxy_connect_porthttp.accept_language

http.authbasic http.referer

http.requesthttp.authorization

http.cache_control http.request.method

http.request.urihttp.connection

http.content_encoding http.request.version

http.responsehttp.content_length

http.content_type http.response.code

http.serverhttp.cookie

http.date http.set_cookie

http.transfer_encodinghttp.host

http.last_modified http.user_agent

http.www_authenticatehttp.location

http.notification http.x_forwarded_for

http.proxy_authenticate

PPP

ppp.address ppp.direction

ppp.control ppp.protocol

rip.auth.passwd rip.route_tagrip.ip

rip.auth.type rip.routing_domainrip.metric

rip.command rip.versionrip.netmask

rip.family rip.next_hop

MPLS

mpls.oam.defect_locationmpls.bottom

mpls.cw.control mpls.oam.defect_type

mpls.oam.frequencympls.cw.res

mpls.exp mpls.oam.function_type

mpls.oam.ttsimpls.label

mpls.oam.bip16 mpls.ttl

ICMP

icmp.checksum icmp.seqicmp.ident

icmp.checksum_bad icmp.typeicmp.mtu

icmp.code icmp.redir_gw

DTP

dtp.neighbor vtp.neighbordtp.tlv_type

dtp.tlv_len dtp.version

VTP

vtp.vlan_info.802_10_indexvtp.code

vtp.conf_rev_num vtp.vlan_info.isl_vlan_id

vtp.vlan_info.lenvtp.followers

vtp.md vtp.vlan_info.mtu_size

vtp.vlan_info.status.vlan_suspvtp.md5_digest

vtp.md_len vtp.vlan_info.tlv_len

vtp.vlan_info.tlv_typevtp.seq_num

vtp.start_value vtp.vlan_info.vlan_name

vtp.vlan_info.vlan_name_lenvtp.upd_id

vtp.upd_ts vtp.vlan_info.vlan_type

vtp.version