10.4.3 Lab – Using Wireshark to Examine TCP and UDP Captures (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Topology – Part 1 (FTP)
Part 1 will highlight a TCP capture of an FTP session. This topology consists of the CyberOps Workstation VM with internet access.
Mininet Topology – Part 2 (TFTP)
Objectives
- Part 1: Identify TCP Header Fields and Operation Using a Wireshark FTP Session Capture
- Part 2: Identify UDP Header Fields and Operation Using a Wireshark TFTP Session Capture
Background / Scenario
Two protocols in the TCP/IP transport layer are TCP (defined in RFC 761) and UDP (defined in RFC 768). Both protocols support upper-layer protocol communication. For example, TCP is used to provide transport layer support for the HyperText Transfer Protocol (HTTP) and FTP protocols, among others. UDP provides transport layer support for the Domain Name System (DNS) and TFTP, among others.
In Part 1 of this lab, you will use the Wireshark open source tool to capture and analyze TCP protocol header fields for FTP file transfers between the host computer and an anonymous FTP server. The terminal command line is used to connect to an anonymous FTP server and download a file. In Part 2 of this lab, you will use Wireshark to capture and analyze UDP header fields for TFTP file transfers between two Mininet host computers.
Instructor Note: Using a packet sniffer, such as Wireshark, may be considered a breach of the security policy of the school. It is recommended that permission be obtained before running Wireshark for this lab. If using a packet sniffer is an issue, the instructor may wish to assign the lab as homework or perform a walk-through demonstration.
Required Resources
- CyberOps Workstation VM
- Internet access
Instructions
Part 1: Identify TCP Header Fields and Operation Using a Wireshark FTP Session Capture
In Part 1, you use Wireshark to capture an FTP session and inspect TCP header fields.
Step 1: Start a Wireshark capture.
a. Start and log into the CyberOps Workstation VM. Open a terminal window and start Wireshark. The ampersand (&) sends the process to the background and allows you to continue to work in the same terminal.
[analyst@secOps ~]$ wireshark &
b. Start a Wireshark capture for the enp0s3 interface.
c. Open another terminal window to access an external ftp site. Enter ftp ftp.cdc.gov at the prompt. Log into the FTP site for Centers for Disease Control and Prevention (CDC) with user anonymous and no password.
[analyst@secOps ~]$ ftp ftp.cdc.gov
Connected to ftp.cdc.gov.
220 Microsoft FTP Service
Name (ftp.cdc.gov:analyst): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp>
Step 2: Download the Readme file.
a. Locate and download the Readme file by entering the ls command to list the files.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
-rwxrwxrwx   1 owner    group             128 May  9  1995 .change.dir
-rwxrwxrwx   1 owner    group             107 May  9  1995 .message
drwxrwxrwx   1 owner    group               0 Feb  2 11:21 pub
-rwxrwxrwx   1 owner    group            1428 May 13  1999 Readme
-rwxrwxrwx   1 owner    group             383 May 13  1999 Siteinfo
-rwxrwxrwx   1 owner    group               0 May 17  2005 up.htm
drwxrwxrwx   1 owner    group               0 May 20  2010 w3c
-rwxrwxrwx   1 owner    group             202 Sep 22  1998 welcome.msg
226 Transfer complete.
Note: You may receive the following messages:
421 Service not available, remote server has closed connection
ftp: No control connection for command
501 Server cannot access argument
500 command not understood
ftp: bind: Address already in use
If this happens, then the FTP server is currently down. However, you can continue with the rest of the lab analyzing those packets that you were able to capture and reading along for packets you did not capture. You can also return to the lab later to see if the FTP server is back up.
b. Enter the command get Readme to download the file. When the download is complete, enter the command quit to exit. (Note: If you are unable to download the file, you can continue with the rest of the lab.)
ftp> get Readme
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 36 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
1428 bytes received in 0.056 seconds (24.9 kbytes/s)
c. After the transfer is complete, enter quit to exit ftp.
Step 3: Stop the Wireshark capture.
Step 4: View the Wireshark main window.
Wireshark captured many packets during the FTP session to ftp.cdc.gov. To limit the amount of data for analysis, apply the filter tcp and ip.addr == 198.246.117.106 and click Apply.
Note: The IP address, 198.246.117.106, is the address for ftp.cdc.gov at the time this lab was created. The IP address may be different for you. If so, look for the first TCP packet that started the 3-way handshake with ftp.cdc.gov. The destination IP address is the IP address you should use for your filter.
Note: Your Wireshark interface may look slightly different than the above image.
Step 5: Analyze the TCP fields.
After the TCP filter has been applied, the first three packets (top section) display the sequence of [SYN], [SYN, ACK], and [ACK], which is the TCP three-way handshake.
TCP is routinely used during a session to control datagram delivery, verify datagram arrival, and manage window size. For each data exchange between the FTP client and FTP server, a new TCP session is started. At the conclusion of the data transfer, the TCP session is closed. When the FTP session is finished, TCP performs an orderly shutdown and termination.
In Wireshark, detailed TCP information is available in the packet details pane (middle section). Highlight the first TCP datagram from the host computer, and expand portions of the TCP datagram, as shown below.
The expanded TCP datagram appears similar to the packet detail pane, as shown below.
The image above is a TCP datagram diagram. An explanation of each field is provided for reference:
- The TCP source port number belongs to the TCP session host that opened a connection. The value is normally a random value above 1,023.
- The TCP destination port number is used to identify the upper layer protocol or application on the remote site. The values in the range 0–1,023 represent the “well-known ports” and are associated with popular services and applications (as described in RFC 1700), such as Telnet, FTP, and HTTP. The combination of the source IP address, source port, destination IP address, and destination port uniquely identifies the session to the sender and receiver.
Note: In the Wireshark capture above, the destination port is 21, which is FTP. FTP servers listen on port 21 for FTP client connections.
- The Sequence number specifies the number of the last octet in a segment.
- The Acknowledgment number specifies the next octet expected by the receiver.
- The Code bits have a special meaning in session management and in the treatment of segments. Among interesting values are:
  - ACK — Acknowledgment of a segment receipt.
  - SYN — Synchronize, only set when a new TCP session is negotiated during the TCP three-way handshake.
  - FIN — Finish, the request to close the TCP session.
- The Window size is the value of the sliding window. It determines how many octets can be sent before waiting for an acknowledgment.
- The Urgent pointer is only used with an Urgent (URG) flag when the sender needs to send urgent data to the receiver.
- The Options has only one option currently, and it is defined as the maximum TCP segment size (optional value).
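As an added example that is not part of the lab, this Python decoder pulls the fields described above (ports, sequence and acknowledgment numbers, header length, code bits, window, urgent pointer, options) out of raw TCP header bytes. It goes beyond the MSS-only description of the options field by walking the whole option list, which is what makes the SYN in the table below carry a 32-byte header while the bare ACK carries 20. Both segments are constructed using the lab's port numbers; the checksum field is left at zero because it is not computed here.

```python
import struct

# Bit positions of the TCP flags (code bits) in the 16-bit offset/flags word, low bit first.
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]

def parse_options(raw: bytes) -> list:
    """Walk the TCP option list: EOL (0) ends it, NOP (1) has no length byte, the rest are kind, length, data."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            opts.append(("NOP", None)); i += 1; continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("truncated TCP option")   # never read past the declared header
        length, data = raw[i + 1], raw[i + 2:i + raw[i + 1]]
        if kind == 2:
            opts.append(("MSS", struct.unpack("!H", data)[0]))
        elif kind == 3:
            opts.append(("WScale", data[0]))
        elif kind == 4:
            opts.append(("SACK_PERM", None))
        else:
            opts.append((f"kind{kind}", data.hex()))
        i += length
    return opts

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte header, then the options that the data offset says are present."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4          # data offset counts 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    flags = [name for i, name in enumerate(FLAG_NAMES) if off_flags & (1 << i)]
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "header_len": header_len,
            "flags": flags, "window": window, "checksum": csum, "urgent": urg,
            "options": parse_options(segment[20:header_len]), "payload": segment[header_len:]}

# Constructed SYN from the VM (port 49411) to the FTP server (port 21): data offset 8 (32 bytes), window 8192,
# options MSS 1460, NOP, window scale 8, NOP, NOP, SACK permitted. Checksum left at 0 (not computed here).
SYN_SEGMENT = struct.pack("!HHIIHHHH", 49411, 21, 0, 0, (8 << 12) | 0x002, 8192, 0, 0) + \
    bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 8, 1, 1, 4, 2])
# Constructed third-handshake ACK: no options, so the data offset is 5 and the header is 20 bytes.
ACK_SEGMENT = struct.pack("!HHIIHHHH", 49411, 21, 1, 1, (5 << 12) | 0x010, 8192, 0, 0)
```

Running parse_tcp_header on each constructed segment yields the same header length, flag and window values as the SYN and ACK rows in the tables that follow.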
Using the Wireshark capture of the first TCP session startup (SYN bit set to 1), fill in information about the TCP header. Some fields may not apply to this packet.
From the VM to CDC server (only the SYN bit is set to 1):
Description | Wireshark Results |
---|---|
Source IP address | 192.168.1.17* |
Destination IP address | 198.246.117.106 |
Source port number | 49411* |
Destination port number | 21 |
Sequence number | 0 (relative) |
Acknowledgment number | Not applicable for this capture |
Header length | 32 bytes |
Window size | 8192 |
In the second Wireshark filtered capture, the CDC FTP server acknowledges the request from the VM. Note the values of the SYN and ACK bits.
Fill in the following information regarding the SYN-ACK message.
Description | Wireshark Results |
---|---|
Source IP address | 198.246.117.106 |
Destination IP address | 192.168.1.17* |
Source port number | 21 |
Destination port number | 49411* |
Sequence number | 0 (relative) |
Acknowledgment number | 1 (relative) |
Header length | 32 bytes |
Window size | 8192 |
In the final stage of the negotiation to establish communications, the VM sends an acknowledgment message to the server. Notice that only the ACK bit is set to 1, and the Sequence number has been incremented to 1.
Fill in the following information regarding the ACK message.
Description | Wireshark Results |
---|---|
Source IP address | 192.168.1.17* |
Destination IP address | 198.246.117.106 |
Source port number | 49411* |
Destination port number | 21 |
Sequence number | 1 (relative) |
Acknowledgment number | 1 (relative) |
Header length | 20 |
Window size | 8192* |
How many other TCP datagrams contained a SYN bit?
After a TCP session is established, FTP traffic can occur between the PC and FTP server. The FTP client and server communicate with each other, unaware that TCP has control and management over the session. When the FTP server sends a Response: 220 to the FTP client, the TCP session on the FTP client sends an acknowledgment to the TCP session on the server. This sequence is visible in the Wireshark capture below.
When the FTP session has finished, the FTP client sends a command to “quit”. The FTP server acknowledges the FTP termination with a Response: 221 Goodbye. At this time, the FTP server TCP session sends a TCP datagram to the FTP client, announcing the termination of the TCP session. The FTP client TCP session acknowledges receipt of the termination datagram, then sends its own TCP session termination. When the originator of the TCP termination (the FTP server) receives a duplicate termination, an ACK datagram is sent to acknowledge the termination and the TCP session is closed. This sequence is visible in the diagram and capture below.
By applying an ftp filter, the entire sequence of the FTP traffic can be examined in Wireshark. Notice the sequence of the events during this FTP session. The username anonymous was used to retrieve the Readme file. After the file transfer completed, the user ended the FTP session.
Apply the TCP filter again in Wireshark to examine the termination of the TCP session. Four packets are transmitted for the termination of the TCP session. Because the TCP connection is full duplex, each direction must terminate independently. Examine the source and destination addresses.
In this example, the FTP server has no more data to send in the stream. It sends a segment with the FIN flag set in frame 149. The PC sends an ACK to acknowledge the receipt of the FIN to terminate the session from the server to the client in frame 150.
In frame 151, the PC sends a FIN to the FTP server to terminate the TCP session. The FTP server responds with an ACK to acknowledge the FIN from the PC in frame 152. Now the TCP session is terminated between the FTP server and PC.
Part 2: Identify UDP Header Fields and Operation Using a Wireshark TFTP Session Capture
In Part 2, you use Wireshark to capture a TFTP session and inspect the UDP header fields.
Step 1: Start Mininet and tftpd service.
a. Start Mininet. Enter cyberops as the password when prompted.
[analyst@secOps ~]$ sudo lab.support.files/scripts/cyberops_topo.py
[sudo] password for analyst:
b. Start H1 and H2 at the mininet> prompt.
*** Starting CLI:
mininet> xterm H1 H2
c. In the H1 terminal window, start the tftpd server using the provided script.
[root@secOps analyst]# /home/analyst/lab.support.files/scripts/start_tftpd.sh
[root@secOps analyst]#
Step 2: Create a file for tftp transfer.
a. Create a text file at the H1 terminal prompt in the /srv/tftp/ folder.
[root@secOps analyst]# echo "This file contains my tftp data." > /srv/tftp/my_tftp_data
b. Verify that the file has been created with the desired data in the folder.
[root@secOps analyst]# cat /srv/tftp/my_tftp_data
This file contains my tftp data.
c. Because of the security measure for this particular tftp server, the name of the receiving file needs to exist already. On H2, create a file named my_tftp_data.
[root@secOps analyst]# touch my_tftp_data
Step 3: Capture a TFTP session in Wireshark
a. Start Wireshark in H1.
[root@secOps analyst]# wireshark &
b. From the Edit menu, choose Preferences and click the arrow to expand Protocols. Scroll down and select UDP. Click the Validate the UDP checksum if possible check box and click OK.
c. Start a Wireshark capture on the interface H1-eth0.
d. Start a tftp session from H2 to the tftp server on H1 and get the file my_tftp_data.
[root@secOps analyst]# tftp 10.0.0.11 -c get my_tftp_data
e. Stop the Wireshark capture. Set the filter to tftp and click Apply. Use the three TFTP packets to fill in the table and answer the questions in the rest of this lab.
Instructor Note: If students point out UDP acknowledgments, explain that the UDP header does not contain an acknowledgment field. It is the responsibility of the upper-layer protocol, in this case TFTP, to manage data transfer and receipt information. This will be shown during the UDP datagram examination.
Detailed UDP information is available in the Wireshark packet details pane. Highlight the first UDP datagram from the host computer and move the mouse pointer to the packet details pane. It may be necessary to adjust the packet details pane and expand the UDP record by clicking the protocol expand box. The expanded UDP datagram should look similar to the diagram below.
The figure below is a UDP datagram diagram. Header information is sparse, compared to the TCP datagram. Similar to TCP, each UDP datagram is identified by the UDP source port and UDP destination port.
Using the Wireshark capture of the first UDP datagram, fill in information about the UDP header. The checksum value is a hexadecimal (base 16) value, denoted by the preceding 0x code:
Description | Wireshark Results |
---|---|
Source IP address | 10.0.0.12 |
Destination IP address | 10.0.0.11 |
Source port number | 47844 |
Destination port number | 69 |
UDP message length | 32 bytes* |
UDP checksum | 0x2029 [correct]* |
How does UDP verify datagram integrity?
Examine the first frame returned from the tftpd server. Fill in the information about the UDP header:
Description | Wireshark Results |
---|---|
Source IP address | 10.0.0.11 |
Destination IP address | 10.0.0.12 |
Source port number | 58047* |
Destination port number | 47844* |
UDP message length | 46 bytes* |
UDP checksum | Checksum: 0x1456 [incorrect, should be 0x8cce (maybe caused by “UDP checksum offload”?)]* |
Notice that the return UDP datagram has a different UDP source port, but this source port is used for the remainder of the TFTP transfer. Because there is no reliable connection, only the original source port used to begin the TFTP session is used to maintain the TFTP transfer.
Also, notice that the UDP checksum is incorrect. This is most likely caused by UDP checksum offload. You can learn more about why this happens by searching for “UDP checksum offload”.
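As an added example that is not part of the lab, the following Python code answers the datagram-integrity question above by computing the RFC 768 UDP checksum over the IPv4 pseudo-header, the UDP header and the payload, and then checks a datagram the way Wireshark's "Validate the UDP checksum" option does. The read request is constructed from the Part 2 values (10.0.0.12:47844 to 10.0.0.11:69, filename my_tftp_data, mode netascii), which gives the 32-byte UDP length in the first table; the stale 0x1456 value from the second table is reused to stand in for a checksum field the NIC had not yet filled in at the capture point (checksum offload).

```python
import struct
from ipaddress import IPv4Address

def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry; an odd trailing byte is padded with a zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src_ip: str, dst_ip: str, udp_datagram: bytes) -> int:
    """RFC 768: pseudo-header (src, dst, zero, protocol 17, UDP length) + UDP header + payload,
    with the checksum field itself taken as zero. An all-zero result is sent as 0xFFFF."""
    pseudo = IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed + struct.pack("!BBH", 0, 17, len(udp_datagram))
    zeroed = udp_datagram[:6] + b"\x00\x00" + udp_datagram[8:]
    csum = 0xFFFF - ones_complement_sum(pseudo + zeroed)   # one's complement of the folded sum
    return csum or 0xFFFF

def verify_udp(src_ip: str, dst_ip: str, udp_datagram: bytes) -> bool:
    """True when the carried checksum matches the bytes on the wire (Wireshark's [correct])."""
    carried = struct.unpack("!H", udp_datagram[6:8])[0]
    if carried == 0:
        return True   # IPv4 sender disabled the checksum; nothing to verify
    return udp_checksum(src_ip, dst_ip, udp_datagram) == carried

def build_udp(sport: int, dport: int, payload: bytes, src_ip: str, dst_ip: str, checksum=None) -> bytes:
    """Assemble a UDP datagram; the checksum is computed unless an explicit value is forced in."""
    dgram = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    if checksum is None:
        checksum = udp_checksum(src_ip, dst_ip, dgram)
    return dgram[:6] + struct.pack("!H", checksum) + dgram[8:]

# Constructed TFTP read request (opcode 1, filename, mode "netascii"), the first UDP datagram of Part 2:
# H2 10.0.0.12 port 47844 -> H1 10.0.0.11 port 69. 8-byte header + 24-byte RRQ = 32-byte UDP length.
RRQ = struct.pack("!H", 1) + b"my_tftp_data\x00" + b"netascii\x00"
H2, H1 = "10.0.0.12", "10.0.0.11"
RRQ_DATAGRAM = build_udp(47844, 69, RRQ, H2, H1)
# Same bytes with a stale checksum field, as seen when the NIC fills the field in after the capture hook.
OFFLOADED = build_udp(47844, 69, RRQ, H2, H1, checksum=0x1456)
```

With these exact bytes the computed checksum is 0x2029, the value in the first table, and verify_udp rejects the offloaded copy just as Wireshark flags it [incorrect].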
Step 4: Clean up
In this step, you will shut down and clean up Mininet.
a. In the terminal that started Mininet, enter quit at the prompt.
mininet> quit
b. At the prompt, enter sudo mn -c to clean up the processes started by Mininet.
[analyst@secOps ~]$ sudo mn -c
Reflection Question
This lab provided the opportunity to analyze TCP and UDP protocol operations from captured FTP and TFTP sessions. How does TCP manage communication differently than UDP?