Experiential Learning Workshop on Understanding Network Basics June 27, 2018 Dr. Ram P Rustagi Professor, CSE Dept KSIT, Bangalore [email protected] DrAIT-B/Network Basics RPR


Resources & Acknowledgements

• Resources
  – https://rprustagi.com/ELNT/Experiential-Learning.html
    • Articles in ACCS Journal https://acc.digital
    • www.github.com/rprustagi
  – Source code and examples for articles
  – https://www.rprustagi.com/workshops/ieee/drait
    • Slides for this talk
    • Example web pages, and programs
• Acknowledgements:
  – Computer Networks: A Top Down Approach - Kurose, Ross


Day 1: Basics of Networking
• Overview
• Introduction to basic networking Tools
• Handson 1: using networking tools
• TCP/IP Stack 4 layer model
• Analysis of layers in IP, TCP/UDP and HTTP
• Handson-2: layers in ping, nc, http
• IP addressing, subnetting and routing
• Hierarchical addressing
• Handson-3: Subnet mismatch and reachability
• Supernetting, longest prefix match
• Handson-4: Overlapping subnets, longest match
• Summary


Day 2: Basics of Socket Programming
• Overview: sockets
• Simple client server programs
• Handson-1: Writing TCP and UDP server
• Errors in socket programming
• Network byte order, buffer mgmt, socket close
• Handson-2: Network byte order, socket close
• Multiple concurrent client communication
• Socket call return value and reliability
• Handson-3: Handling concurrent clients, listen
• TCP Streaming and UDP Message boundary
• Handson-4: TCP streaming & UDP msg boundary
• Summary


Day 3: Basics of Web Security
• Overview: HTTPS protocol
• Server certificate and server authentication
• Handson-1: Deploying a SSL certificate
• Mixed content and browser warnings
• Lock icons and HTTP Status
• Handson-2: Creating website with mixed content
• MITM attack and ARP spoofing
• MITM with browser and information stealing
• Handson-3: Implementing MITM with arpspoofing
• Understanding HSTS, CSP
• Handson-4: Implementing ARP Spoofing
• Summary


NETWORK

Acronym
• Novel
• Experience of
• Theoretical,
• Working,
• Operational, and
• Realized
• Knowledge


The Web Today
• Total number of hostnames and active sites (June 2018)
  – src: http://news.netcraft.com/archives/category/web-server-survey/
  – Number of sitenames and active sites
    • Sitenames: 1.6+B, Active sites: 177+M
  – Web server vendors
    • June 2018: Apache: 25%, MS IIS: 32%, Nginx: 23%
  – Web Clients: GUI browsers, text browsers
• Communication protocols
  – HTTP, HTTPS
  – Extension of HTTP: WebDAV, CardDAV, CalDAV…


Setup Requirement

[Figure: switch S1 with links 1, 2 and 3; hosts Ha: 10.1.1.1/24 and Hb: 10.1.1.101/24; Internet]


Tools
• wireshark
  • https://www.wireshark.org/docs/wsug_html_chunked/
  • Enables viewing of bytes sent/recd on network
  • Capture and Display filters
  • Graphical, built on tcpdump
  • TCP session display
  • Changing UI options
• tcpdump: command line capture tool
  • -w output file
  • -c packet count
  • -i interface names


Wireshark: UI Options

• Color coding
• Time format
• Packet reordering (in display)
• Defining protocol
• Using display filter
• Following TCP Stream
• Capture packets with proper capture filter
  • needed for analyzing packet layers


Wireshark capture filters

• Traffic between A and either B or C
    host A and \( B or C \)
• Traffic between A and any host except B
    host A and not B
• Capture TCP SYN or FIN pkts
    tcp[tcpflags] & (tcp-syn|tcp-fin) != 0
• Web traffic containing data, i.e. avoid TCP acks
    tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)


Wireshark Display Filters

• Source IP filter
  • ip.src == 10.1.1.1
• Destination IP filter
  • ip.dst == 10.1.1.101
  • ip.dst != 10.1.1.101
• Protocol filter
  • http || icmp
• Port number
  • tcp.port eq 80
• TCP Seq
  • tcp.stream eq 1


Wireshark - Misc

• Saving file
  • Saving selected packets
• Reading from file
• Time display format
• Statistics
• Other options


tcpdump

• Command line interface
• ASCII content
• Capture full packet
• Capture filters
• Output file
• Ethernet frame display


tcpdump - Usage Examples

• To capture between two specified hosts and save
    $ sudo tcpdump -n -i eth0 -w file.pcap host <A> and host <B>
• To capture 100 packets received from server X
    $ tcpdump -n -i eth0 -c 100 src <X>
• To capture HTTP packets with data
    $ sudo tcpdump -n -i eth0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'


Application Software

• Apache Web Server (www.apache.org)
  – Configurations (/etc/apache2/apache2.conf)
  – /etc/apache2/sites-available/000-default.conf
    • Directives
    • Logging
    • DocumentRoot
    • Loadable Modules
    • Virtual Host
• Firefox browser
  – Options for configurations: about:config
• Nginx server, IIS server.


Tools
• wget: wget [options] <url>
  ‣ Options
    ‣ -d # to debug headers
    ‣ -O <file> # to save with different name
    ‣ -i <urlsfile> # list of urls in a file
    ‣ -c # to resume a broken download
    ‣ -b # run in background
    ‣ --limit-rate=500k
    ‣ --header=<headers>
    ‣ --http-user=user --http-password=..
    ‣ -mk # mirroring with local link conversion
    ‣ …


Tools - nc

• nc (netcat)
  • Works as both layer client & server
  • Supports both TCP and UDP
  • Supports both IPv4 and IPv6
• Common use
  • Simple TCP/UDP based data transfer
  • Shell script based HTTP clients and servers
  • Network daemon testing
  • SOCKS or HTTP ProxyCommand for ssh


Tools - nc
• nc usage
  • -l acting as server
  • -u use UDP
  • -i for interval based transmission (lines)
  • -k for keeping server up after connection close
• Examples
  • nc <servername> <server port> # client
  • nc -l port # server
  • To transfer files
    • Server: nc -l <port> >file.dat
    • Client: cat <file> | nc <servername> <port>


Usage: nc

• Terminating connection after idle time
  • nc -w 10 <server> <port> # timeout 10s
  • Don't use with server option
• Providing remote shell access on server to a client
  • Create a FIFO file
    • rm -f /tmp/f; mkfifo /tmp/f
  • run nc on server by executing the shell
    • cat /tmp/f | /bin/bash -i 2>&1 | nc -l 2222 > /tmp/f


Tools - ping

• ping (Packet Inter Network Groper)
• Checking reachability
  • ping hostname
    • -i changing packet interval
    • -c packet count
    • -f flooding the network
    • -q quiet mode
    • -s change packet size
    • -W response timeout


Usage: ping

$ ping -c 10 www.google.com
PING www.google.com (74.125.203.104): 56 data bytes
64 bytes from 74.125.203.104: icmp_seq=0 ttl=47 time=93.346 ms
64 bytes from 74.125.203.104: icmp_seq=1 ttl=47 time=94.300 ms
64 bytes from 74.125.203.104: icmp_seq=2 ttl=47 time=99.392 ms
64 bytes from 74.125.203.104: icmp_seq=3 ttl=47 time=140.457 ms
64 bytes from 74.125.203.104: icmp_seq=4 ttl=47 time=168.882 ms
64 bytes from 74.125.203.104: icmp_seq=5 ttl=47 time=218.813 ms
64 bytes from 74.125.203.104: icmp_seq=6 ttl=47 time=270.833 ms
64 bytes from 74.125.203.104: icmp_seq=7 ttl=47 time=312.594 ms
64 bytes from 74.125.203.104: icmp_seq=8 ttl=47 time=263.280 ms
64 bytes from 74.125.203.104: icmp_seq=9 ttl=47 time=309.129 ms

--- www.google.com ping statistics ---
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 93.346/197.103/312.594/84.298 ms
MacBook-Pro:EL-Understanding-Network-Delays ramrustagi$


Hands-On 1

• nc: chat between two systems
  – Using both UDP and TCP
• ping: understand delay and response.
  – check google and yahoo reachability.
  – check your favourite website reachability
• wget:
  – Download contents of a website for offline use.
• wireshark
  – Access www.dr-ait.org and check capture.
  – chat (nc) and analyze capture
  – traceroute a site and analyze capture


ISO/OSI reference model

• Internet stack “missing” following layers!
  • presentation: allow applications to interpret meaning of data, e.g., encryption, compression, machine-specific conventions
  • session: synchronization, checkpointing, recovery of data exchange

[Figure: layer stack, top to bottom: application, presentation, session, transport, network, link, physical]

Source: Kurose, Ross: Computer Networking, A Top Down Approach


Internet protocol stack

• Application: supporting network applications
  • FTP, SMTP, HTTP
• Transport: process-process data transfer
  • TCP, UDP
• Network: routing of datagrams from source to destination
  • IP, routing protocols
• Data Link: data transfer between neighboring network elements
  • Ethernet, 802.11 (WiFi), PPP
• Physical: bits “on the wire”

[Figure: layer stack, top to bottom: application, transport, network, link, physical]

Source: Kurose, Ross: Computer Networking, A Top Down Approach


Encapsulation

[Figure: encapsulation along the path source, switch, router, destination]
• source (application, transport, network, link, physical): message M; segment Ht M; datagram Hn Ht M; frame Hl Hn Ht M
• switch (link, physical): Hl Hn Ht M
• router (network, link, physical): Hn Ht M; Hl Hn Ht M
• destination (application, transport, network, link, physical): Hl Hn Ht M; Hn Ht M; Ht M; M

Source: Kurose, Ross: Computer Networking, A Top Down Approach


HTTP overview

• HTTP: Hyper Text Transfer Protocol
• Application layer protocol
• Defines how client requests web page from server
• A client/server model
  • client: browser that requests, receives (using HTTP protocol) and “displays” Web objects
  • server: Web server sends (using HTTP protocol) objects in response to requests

[Figure: a PC running Firefox browser and an iPhone running Safari browser each exchange HTTP request / HTTP response messages with a server running Apache Web server]

Source: Kurose, Ross: Computer Networking, A Top Down Approach


HTTP overview…

• Underlying protocol: TCP
• HTTP is stateless protocol
  • Server has no information about past requests from same clients.
• Stateful protocol
  • Server is aware of past requests from clients.
  • Server maintains the state of the client.
  • If server crashes, the state may become inconsistent.


HTTP request message

• Two types of HTTP messages: request, response
• HTTP request message:
  • ASCII (human-readable format)

GET /Workshop/PESU/hello.html HTTP/1.1\r\n
Host: 10.1.12.2\r\n
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5)\r\n
Accept: text/html,application/xhtml+xml\r\n
Accept-Language: en-us,en;q=0.5\r\n
Accept-Encoding: gzip,deflate\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7\r\n
Keep-Alive: 115\r\n
Connection: keep-alive\r\n
If-Modified-Since: Tue, 26 Jul 2016 05:47:12 GMT\r\n
\r\n

• first line: request line (GET, POST, HEAD commands)
• following lines: header lines
• \r: carriage return character; \n: line-feed character
• carriage return, line feed at start of line indicates end of header lines


HTTP response message

HTTP/1.1 200 OK\r\n
Date: Sun, 26 Sep 2010 20:09:20 GMT\r\n
Server: Apache/2.0.52 (CentOS)\r\n
Last-Modified: Tue, 30 Oct 2007 17:00:02 GMT\r\n
ETag: "17dc6-a5c-bf716880"\r\n
Accept-Ranges: bytes\r\n
Content-Length: 2652\r\n
Keep-Alive: timeout=10, max=100\r\n
Connection: Keep-Alive\r\n
Content-Type: text/html; charset=ISO-8859-1\r\n
\r\n
data data data data data ...

• first line: status line (protocol, status code, status phrase)
• following lines: header lines
• after the empty line: data, e.g., requested HTML file


HTTP request message: general format

request line:   method sp URL sp version cr lf
header lines:   header field name  value  cr lf
                header field name  value  cr lf
                ~~
                cr lf
body:           entity body


TCP segment structure

Fields (each row is 32 bits wide):
• source port #, dest port #
• sequence number
• acknowledgement number
• head len, not used, flags U A P R S F, receive window
• checksum, Urg data pointer
• options (variable length)
• application data (variable length)

Notes:
• URG: urgent data (generally not used)
• ACK: ACK # valid
• PSH: push data now (generally not used)
• RST, SYN, FIN: connection estab (setup, teardown commands)
• receive window: # bytes rcvr willing to accept
• sequence number, acknowledgement number: counting by bytes of data (not segments!)
• checksum: Internet checksum (as in UDP)

Source: Kurose, Ross: Computer Networking, A Top Down Approach


Wireshark Capture Filters
• Connection setup
  – 'tcp[tcpflags] & (tcp-syn) != 0'
• Connection teardown only
  – 'tcp[tcpflags] & (tcp-fin) != 0'
• Connection reset only
  – 'tcp[tcpflags] & (tcp-rst) != 0'
• HTTP connections with some data
  – 'port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
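
Added example (not part of the original slides): the flag filters above and the "HTTP with data" filter, which also appears on the earlier capture-filter and tcpdump slides, evaluated in Python against constructed IPv4/TCP packets so that each term of the expression can be checked by hand. The function names and sample packets are assumptions made for this illustration.

```python
import struct

# TCP flag bits as they sit in byte 13 of the TCP header (tcp[tcpflags]).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_packet(flags, payload=b"", tcp_options=b"", sport=40000, dport=80):
    """Constructed IPv4+TCP packet for the demo (checksums left at zero)."""
    if len(tcp_options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    data_offset = 5 + len(tcp_options) // 4          # TCP header length in 32-bit words
    total_len = 20 + data_offset * 4 + len(payload)  # the IP header is 20 bytes here
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 1, 1, 1]), bytes([10, 1, 1, 101]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 42, 79,
                      data_offset << 4, flags, 65535, 0, 0)
    return ip + tcp + tcp_options + payload


def parse(pkt):
    """Return the fields the filters read, or None if not an unfragmented IPv4/TCP packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ip_hdr_len = (pkt[0] & 0x0F) << 2                # (ip[0]&0xf)<<2 : IHL words -> bytes
    (total_len,) = struct.unpack_from("!H", pkt, 2)  # ip[2:2] : total datagram length
    (frag,) = struct.unpack_from("!H", pkt, 6)
    if ip_hdr_len < 20 or pkt[9] != 6 or frag & 0x1FFF:
        return None                                  # not TCP, or a non-first fragment
    if len(pkt) < ip_hdr_len + 20:
        return None                                  # truncated TCP header
    tcp = pkt[ip_hdr_len:]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    tcp_hdr_len = (tcp[12] & 0xF0) >> 2              # (tcp[12]&0xf0)>>2 : data offset -> bytes
    return {
        "sport": sport,
        "dport": dport,
        "flags": tcp[13],
        "tcp_hdr_len": tcp_hdr_len,
        "payload_len": total_len - ip_hdr_len - tcp_hdr_len,
    }


def matches_flags(pkt, mask):
    """tcp[tcpflags] & (mask) != 0"""
    fields = parse(pkt)
    return fields is not None and (fields["flags"] & mask) != 0


def matches_http_data(pkt):
    """tcp port 80 and (ip total length - IP header - TCP header) != 0"""
    fields = parse(pkt)
    return (fields is not None
            and 80 in (fields["sport"], fields["dport"])
            and fields["payload_len"] != 0)


# Constructed sample packets (not captured traffic).
SAMPLES = {
    # SYN carrying MSS, NOP, NOP, SACK-permitted options: 28-byte TCP header, no data
    "syn": build_packet(TCP_SYN, tcp_options=bytes.fromhex("020405b401010402")),
    "pure_ack": build_packet(TCP_ACK),
    # Data segment with a 12-byte timestamp option block and an 18-byte request
    "http_get": build_packet(TCP_PSH | TCP_ACK, b"GET / HTTP/1.1\r\n\r\n",
                             tcp_options=bytes.fromhex("0101080a0000000100000002")),
    "fin": build_packet(TCP_FIN | TCP_ACK),
    "rst": build_packet(TCP_RST),
    "other_port": build_packet(TCP_PSH | TCP_ACK, b"hello", dport=8080),
}


def classify(pkt):
    """Names of the slide's filters that this packet would pass."""
    hits = []
    if matches_flags(pkt, TCP_SYN):
        hits.append("connection setup")
    if matches_flags(pkt, TCP_FIN):
        hits.append("connection teardown")
    if matches_flags(pkt, TCP_RST):
        hits.append("connection reset")
    if matches_http_data(pkt):
        hits.append("http with data")
    return hits


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:10s} payload={parse(pkt)['payload_len']:3d} {classify(pkt)}")
```

The SYN sample shows why both header-length terms are subtracted: its TCP options make the segment longer than 40 bytes, yet the computed payload length is still zero.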


TCP seq. numbers, ACKs

simple telnet scenario (Host A, Host B)
1. User types ‘C’; Host A sends: Seq=42, ACK=79, data = ‘C’
2. Host B ACKs receipt of ‘C’, echoes back ‘C’: Seq=79, ACK=43, data = ‘C’
3. Host A ACKs receipt of echoed ‘C’: Seq=43, ACK=80

Source: Kurose, Ross: Computer Networking, A Top Down Approach


TCP seq. numbers, ACKs
• TCP Bi-Directional Data Xfer: Simple example
• Server program:
    (i=6; while [ $i -gt 0 ]; do sleep 1; echo "From Server, the value is $i"; i=$(($i - 1)); done) | nc -l 3333
• Client program:
    (i=0; while [ $i -le 5 ]; do echo "Request $i"; sleep 1; i=$(($i + 1)); done) | nc <m/c IP> 3333


Transport Layer Protocol Characteristics

• Connection less
  – May arrive out of order
    • In order delivery requires pkts to be numbered.
  – No acknowledgement, Packets may be lost
  – No prior handshake
• Connection oriented
  – Setup, data transfer and teardown phase
  – Provides reliability, ordered delivery
  – Handles error control in a better way


Transport Layer Reliability Support

• Reliability
  – Needs error and flow control
    • Compels slower service
• Unreliable protocol
  – No extra overheads
• Reliability at data link layer
  – Provides error and flow control
  – Why do we need it at Transport layer when Link layer provides the same?


IP datagram format

Fields (each row is 32 bits wide):
• ver, head. len, type of service, length
• 16-bit identifier, flgs, fragment offset
• time to live, upper layer, header checksum
• 32 bit source IP address
• 32 bit destination IP address
• options (if any)
• data (variable length, typically a TCP or UDP segment)

Notes:
• ver: IP protocol version number
• head. len: header length (bytes)
• type of service: “type” of data
• length: total datagram length (bytes)
• 16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
• time to live: max number remaining hops (decremented at each router)
• upper layer: upper layer protocol to deliver payload to
• options: e.g. timestamp, record route taken, specify list of routers to visit.

how much overhead?
❖ 20 bytes of TCP
❖ 20 bytes of IP
❖ = 40 bytes + app layer overhead


ARP: IP to MAC
• 32-bit IP address:
  • Network-layer address for interface
• MAC (or Ethernet) address:
  • 48 bit MAC address (burned in NIC)
  • Sometimes software settable
  • e.g.: 1A-2F-BB-76-09-AD


Ethernet frame structure

• Encapsulates IP datagram (or other network layer protocol packet) in Ethernet frame
• Structure of Ethernet Frame

  preamble | dest. address | source address | type | data (payload) | CRC

• preamble:
  • 7 bytes with pattern 10101010 followed by one byte with pattern 10101011
  • used to synchronize receiver, sender clock rates


Ethernet frame structure

• addresses: 6 byte - src, dstn MAC addresses
  • Adaptor receives pkt based on dstn MAC field
  • Forwards to higher layer on matching unicast, multicast or broadcast address
  • Discards otherwise
• type: higher layer protocol (e.g. IP)
• CRC: error detected: frame is dropped

  preamble | dest. address | source address | type | data (payload) | CRC


Ethernet: unreliable, connectionless
• Connectionless: no handshaking between sending and receiving machines
• Unreliable: receiver doesn't send acks/nacks
• Ethernet’s MAC protocol based on unslotted CSMA/CD with binary backoff


Self-learning, forwarding: example

[Figure: switch with interfaces 1 to 6 and hosts A, A’, B, B’, C, C’; A sends a frame with Source: A, Dest: A’]

• frame destination, A’, location unknown: flood
• destination A location known: selectively send on just one link

switch table (initially empty)

MAC addr   interface   TTL
A          1           60
A’         4           60


Handson 2: Analysis of TCP/IP Layers

• Use wireshark to analyze TCP/IP layers
• Application layer:
  – Capture web page access, analyze HTTP headers
• Transport layer:
  – Use nc to communicate between two hosts
  – Analyse TCP headers
• IP Layer:
  – Analyze IP headers in web packets & nc chat
• Ethernet layer
  – Analyze src and dstn MAC and type for ping, nc
  – Analyze src/dstn MAC when ping to google.


src: Chuck Semeria, NSD Marketing, 3Com Corp, 1996


Initial IP Addressing (Classful)


Dotted Decimal Notation


Subnets
• IP address:
  – subnet part - high order bits
  – host part - low order bits
• what’s a subnet?
  – device interfaces with same subnet part of IP address
  – can physically reach each other without intervening router

[Figure: network consisting of 3 subnets, with interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4; 223.1.2.1, 223.1.2.2, 223.1.2.9; 223.1.3.1, 223.1.3.2, 223.1.3.27]


Subnets
• Subnets are identified by subnet masks
• A subnet mask defines one network
• A router is needed to connect two networks
• Masks for classful addresses
  – Class A: 255.0.0.0 or /8
  – Class B: 255.255.0.0 or /16
  – Class C: 255.255.255.0 or /24
• Classful addressing is obsolete now
  – replaced with classless addressing (CIDR)


IP Subnetting


IP addressing: CIDR

CIDR: Classless InterDomain Routing
  – subnet portion of address of arbitrary length
  – address format: a.b.c.d/x, where x is # bits in subnet portion of address

200.23.16.0/23 = 11001000 00010111 00010000 00000000
  – subnet part: the first 23 bits
  – host part: the remaining 9 bits


Subnets

• Few terms to understand
  – network portion and host portion
  – network number
    • apply subnet mask to IP address (bitwise AND)
  – Broadcast address
    • set all bits to 1 in host portion
  – network mask
    • set all bits to 0 in host portion
  – first available address in the block
    • value of host portion = 1
  – last available address in the block
    • value of host portion = 2^n - 2


Subnetting


Subnets

[Figure: how many subnets? Interface addresses shown: 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4; 223.1.2.1, 223.1.2.2, 223.1.2.6; 223.1.3.1, 223.1.3.2, 223.1.3.27; 223.1.7.0, 223.1.7.1; 223.1.8.0, 223.1.8.1; 223.1.9.1, 223.1.9.2]


Route Aggregation

200.23.16.0/23 11001000 00010111 00010000 00000000

200.23.18.0/23 11001000 00010111 00010010 00000000

200.23.20.0/23 11001000 00010111 00010100 00000000

200.23.22.0/23 11001000 00010111 00010110 00000000

200.23.24.0/23 11001000 00010111 00011000 00000000

200.23.26.0/23 11001000 00010111 00011010 00000000

200.23.28.0/23 11001000 00010111 00011100 00000000

200.23.30.0/23 11001000 00010111 00011110 00000000
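
The aggregation shown in the table above can be computed from the bits the eight blocks share. The following is an added example (not part of the workshop material) that derives the summary route with Python's standard `ipaddress` module and checks whether the summary covers only the listed blocks; the function names are illustrative.

```python
import ipaddress

# The eight /23 blocks listed on the Route Aggregation slide.
BLOCKS = [f"200.23.{third}.0/23" for third in range(16, 32, 2)]


def summary_route(cidrs):
    """Return the smallest single prefix that covers every block in cidrs."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    # Bits in which the lowest and highest address differ are host bits
    # of the summary; everything to their left is the common prefix.
    host_bits = (lo ^ hi).bit_length()
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    return ipaddress.ip_network((lo & mask, 32 - host_bits))


def is_exact(cidrs):
    """True when the summary covers exactly the given blocks and nothing more."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets)) == [summary_route(cidrs)]


if __name__ == "__main__":
    print("summary:", summary_route(BLOCKS), "exact:", is_exact(BLOCKS))
    # Drop one block: the summary prefix is unchanged but now over-claims.
    partial = [b for b in BLOCKS if b != "200.23.18.0/23"]
    print("summary:", summary_route(partial), "exact:", is_exact(partial))
```

When a summary is not exact, advertising it claims address space the advertiser does not hold, which is why a more specific route from elsewhere has to win.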


Exercise: Summary Route

Summary Route ?


Hierarchical addressing: route aggregation

Src: Forouzan - Data Communication and Networking, SIE 4th ed


Subnet example

Base Net:  11000001.00000001.00000001.00000000 = 193.1.1.0/24
Subnet #0: 11000001.00000001.00000001.00000000 = 193.1.1.0/27
Subnet #1: 11000001.00000001.00000001.00100000 = 193.1.1.32/27
Subnet #2: 11000001.00000001.00000001.01000000 = 193.1.1.64/27
Subnet #3: 11000001.00000001.00000001.01100000 = 193.1.1.96/27
Subnet #4: 11000001.00000001.00000001.10000000 = 193.1.1.128/27
Subnet #5: 11000001.00000001.00000001.10100000 = 193.1.1.160/27
Subnet #6: 11000001.00000001.00000001.11000000 = 193.1.1.192/27
Subnet #7: 11000001.00000001.00000001.11100000 = 193.1.1.224/27


Hands-On 3


[Figure: topology with S1, the Internet, and hosts Ha: 192.168.2.1/24, Hb: 192.168.2.126/25, Hc: 192.168.2.65/26]


Hands-On 3


[Figure: topology with S1, the Internet, and hosts Ha: 192.168.2.1/26, Hb: 192.168.2.129/25 192.168.2.62/25, Hc: 192.168.2.65/26]
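
Which pairs in the two Hands-On 3 setups can talk directly depends on each host applying only its own mask. The following is an added example, not part of the workshop material, that works this out with Python's `ipaddress` module. It assumes all hosts share one layer-2 segment, that off-link traffic would go to a gateway the example does not model, and that both /25 addresses on the second slide belong to Hb.

```python
import ipaddress

# Interface configurations as read from the two Hands-On 3 slides.
SETUP_1 = {"Ha": ["192.168.2.1/24"],
           "Hb": ["192.168.2.126/25"],
           "Hc": ["192.168.2.65/26"]}
# Assumption: on the second slide both /25 addresses belong to Hb.
SETUP_2 = {"Ha": ["192.168.2.1/26"],
           "Hb": ["192.168.2.129/25", "192.168.2.62/25"],
           "Hc": ["192.168.2.65/26"]}


def on_link(ifaces, dst_ip):
    """True if a host with these interfaces treats dst_ip as directly reachable."""
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in ipaddress.ip_interface(i).network for i in ifaces)


def ping_paths(setup, src, src_ip, dst, dst_ip):
    """Return (request_direct, reply_direct) for a ping from src_ip to dst_ip.

    Each side applies only its own mask: the request is sent directly when
    dst_ip is on-link for src, the reply when src_ip is on-link for dst.
    """
    return on_link(setup[src], dst_ip), on_link(setup[dst], src_ip)


def report(setup):
    """List every ordered address pair with the two on-link decisions."""
    rows = []
    for src, src_ifaces in setup.items():
        for dst, dst_ifaces in setup.items():
            if src == dst:
                continue
            for s in src_ifaces:
                for d in dst_ifaces:
                    s_ip = str(ipaddress.ip_interface(s).ip)
                    d_ip = str(ipaddress.ip_interface(d).ip)
                    rows.append((src, s_ip, dst, d_ip,
                                 *ping_paths(setup, src, s_ip, dst, d_ip)))
    return rows


if __name__ == "__main__":
    for name, setup in (("setup 1", SETUP_1), ("setup 2", SETUP_2)):
        print(name)
        for src, s_ip, dst, d_ip, req, rep in report(setup):
            print(f"  {src} {s_ip} -> {dst} {d_ip}: request direct={req}, reply direct={rep}")
```

A pair with `(True, False)` is the mismatch case worth watching in wireshark: the request arrives, but the reply is not sent directly back.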


Forwarding Table

• Needs at least 4 entries in forwarding table
  – Network Address
  – Network Mask
  – Next Hop Address
  – Interface
• Forwarding table principles
  – Each router makes its decision independently
  – Different routers may have different information
  – Tells how to reach destination but not how to get back
• Effect of Forwarding Table principles
  – Packets are forwarded on hop by hop basis
  – Packets from A to B go via path X but return via path Y


Using Forwarding (Routing) Table

• For a given packet
  – take the destination address
  – repeat the following for each entry in routing table
    – apply the netmask
    – match the computed n/w number with routing table entry
    – if matches
      • forward the packet to next-hop on listed interface
      • exit
    – else
      • continue to next entry
  – when no match found (assuming 0.0.0.0/0 not defined)
    • drop the packet


Longest Prefix Match

ISPs-R-Us has a more specific route to Organization 1

[Figure: Organization 0 (200.23.16.0/23), Organization 1 (200.23.18.0/23), Organization 2 (200.23.20.0/23), ..., Organization 7 (200.23.30.0/23); Fly-By-Night-ISP and ISPs-R-Us connect to the Internet]

• Fly-By-Night-ISP: “Send me anything with addresses beginning 200.23.16.0/20”
• ISPs-R-Us: “Send me anything with addresses beginning 199.31.0.0/16 or 200.23.18.0/23”
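
The table walk from the "Using Forwarding (Routing) Table" slide returns the first entry that matches, so its result depends on entry order once prefixes overlap as they do here. The following is an added example, not part of the workshop material, that runs that walk and a longest-prefix lookup over the two advertisements above; the next-hop values are just the ISP names, and the function names are illustrative.

```python
import ipaddress

# (prefix, next hop) as advertised on the slide, in an arbitrary order.
TABLE = [
    ("200.23.16.0/20", "Fly-By-Night-ISP"),
    ("199.31.0.0/16", "ISPs-R-Us"),
    ("200.23.18.0/23", "ISPs-R-Us"),
]


def matches(prefix, dst):
    """Apply the entry's netmask to dst and compare with its network number."""
    net = ipaddress.ip_network(prefix)
    addr = int(ipaddress.ip_address(dst))
    return addr & int(net.netmask) == int(net.network_address)


def first_match(table, dst):
    """The slide's loop: walk entries in order and stop at the first hit."""
    for prefix, hop in table:
        if matches(prefix, dst):
            return hop
    return None  # no match and no 0.0.0.0/0 entry: drop the packet


def longest_match(table, dst):
    """Among all matching entries, pick the one with the longest prefix."""
    hits = [(ipaddress.ip_network(p).prefixlen, hop)
            for p, hop in table if matches(p, dst)]
    return max(hits)[1] if hits else None


def by_prefix_length(table):
    """Order entries most-specific first so that first_match behaves like LPM."""
    return sorted(table, key=lambda e: ipaddress.ip_network(e[0]).prefixlen,
                  reverse=True)


if __name__ == "__main__":
    for dst in ("200.23.18.5", "200.23.20.9", "199.31.4.4", "10.0.0.1"):
        print(dst, "first:", first_match(TABLE, dst),
              "longest:", longest_match(TABLE, dst),
              "sorted-first:", first_match(by_prefix_length(TABLE), dst))
```

For 200.23.18.5 (Organization 1) the unsorted walk picks the /20 aggregate, while the longest-prefix lookup and the sorted walk both pick the /23.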


Route Aggregation w/ Longest Prefix Match

[Figure: Organization 0, Organization 1, Organization 2, ..., Organization 7 (200.23.16.0/23, 200.23.18.0/23, 200.23.20.0/23, ..., 200.23.30.0/23) and the Internet, connected through routers R1, R2, R3 with interfaces labelled m0, m1, m2, m7. Advertisements: “Send me anything with addresses beginning 200.23.16.0/20” and “Send me anything with addresses beginning 199.31.0.0/16 or 200.23.18.0/23”]

Exercise: Build Forwarding Table for R1, R2 and R3
Note: R3 will use longest prefix match


Design the subnetting/routing

N/w given: 192.168.0.0/24
– Each LAN has 10 hosts
– serial link n/w needs two addresses
– LAN of R3-R7-R6 needs 3 addresses


Hands-On 4


[Figure: topology with S1, the Internet, and hosts Ha: 10.1.1.1/24, Hb: 10.1.1.126/24, Hc: 10.1.1.65/24; lo i/f: 10.1.2.1/24 and lo i/f: 10.1.2.129/27]

Pkts to 10.1.2.129, and 10.1.2.1?


Hands-On 4


[Figure: topology with S1, the Internet, and hosts Ha: 10.1.1.1/24, Hb: 10.1.1.3/24, Hc: 10.1.1.2/24; H’a: 10.2.1.1/24 10.2.1.161/28; Ha: 10.2.1.129/27]

Pkts to 10.2.1.129, and 10.2.1.1, and 10.2.1.161?


Summary

• Network Tools: wireshark, nc, ping, ssh
• TCP/IP Stack
• Packet format: HTTP, TCP, IP, Ethernet
• IP Addressing
• IP routing
• Subnetting
• Hierarchical addressing


Thank You
