loyalsockvillemob
Networks and Communications

27 Oct 2013

Computer Networks

Laboratory Sessions

School of Computer and Information Science, Southwest China Normal University

2004

Laboratory Sessions



Session One: Introduction to Networking and TCP/IP
Session Two: Network Monitoring and Troubleshooting
Session Three: TCP/IP
Session Four: Linux and NT Network Configuration
Session Five: Dynamic Host Configuration Protocol (DHCP)
Session Six: Routing
Session Seven: DNS
Session Eight: Windows NT NetBIOS and WINS
Session Nine: Web Servers and Web Caches
Session Ten: Network Security






NOTE: Substantial parts of this document come from "Internetworking with Microsoft® TCP/IP on Microsoft Windows NT® 4.0", Microsoft Press, 1997, ISBN 1-57231-623-3.

Session One

Introduction to Networking and TCP/IP



Outline

1. Introduction to the network cabling.
2. Introduction to Network Interface Cards (NICs).
3. Introduction to network topologies.
4. Cable the lab network.
5. Introduce ping as a network connectivity and debugging tool.
6. Demonstrate various ways that a network can break.


Laboratory Requirements

6 10baseT ethernet hubs with thin ethernet ports.
18 10baseT hub to computer twisted pair cables.
1 yellow twisted pair crossover cable.
6 thin ethernet cables.
6 thin ethernet T pieces.
4 thin ethernet terminators.
1 thick ethernet cable and transceiver.
1 piece of fibre optic cable.
Several varieties of NIC.
Computers installed with Linux on partition 3 and network enabled.
Computers installed with Windows NT on partition 4 and network enabled.



1. Introduction to the Network Cabling (OSI Physical layer)

Time: 15 Minutes

We will demonstrate the various types of cables (thick ethernet, twisted pair, and fibre optic), spell out the advantages and disadvantages of each type, and suggest when each type is appropriate.


| Characteristics | Thinnet coaxial (10Base2) | Thicknet coaxial (10Base5) | Twisted-pair (10BaseT) | Fibre-optic |
|---|---|---|---|---|
| Cable cost | More per metre than twisted pair, but you need less cable. Least overall cost. | More than thinnet | Least expensive per metre. Cat3 < Cat4 < Cat5 | Most expensive |
| Cable type | RG-58 coaxial | Coaxial | Category 3, 4 or 5 unshielded twisted pair | |
| Architecture | Bus or Bus-Star | Bus | Star or Star-Bus | Star |
| Useable single cable length | 185 metres | 500 metres; 50 metres for transceiver cable | 100 metres | 2 kilometres |
| Total LAN length | 925 metres (5-4-3 rule) | 2,500 metres (5-4-3 rule) | None | None |
| Computers per LAN | 1024 | 100 | 1024 | |
| Transmission rates | 10 Mbps | 10 Mbps | 10/100/100 Mbps | 10/100/1000 Mbps, >1 Gbps |
| Flexibility | Fairly flexible | Least flexible | Most flexible | Fairly flexible |
| Ease of installation | Easiest to install | Harder to install | Easy to install | Hardest to install |
| Susceptibility to interference | Good resistance to interference | Good resistance to interference | Susceptible to interference | Not susceptible to interference |
| Connectors | BNC (British Naval Connector), T-pieces, terminators | Vampire taps and AUI transceiver cables | RJ45 | Fibre connectors; special cutting and polishing tools |
| Special features | Connection components are very cheap. No hub required. | Hard to install. Legacy system. No hub required. | Same as telephone wire and is often pre-installed in buildings. Requires a hub. | Supports voice, data and video. Expensive to install due to costs of cutting and connecting. |
| Preferred uses | Small sites only | Do not use | Any size organization | Any size organization requiring speed and high data security and integrity |
| Reference: Networking Essentials | Page 258 | Page 260 | Page 256 | Page 263 |

2. Network Interface Cards (OSI Data Link layer)

Time: 20 Minutes

Reference: Networking Essentials, Page 119-140

Network Interface Cards act as the physical interface or connection between the computer and the network cable. The cards are either installed in an expansion slot in each computer or server, or they can be built onto the motherboard of the computer.

The NIC contains the hardware and firmware that implements the Logical Link Control (LLC) and Media Access Control (MAC) functions in the Data Link Layer of the OSI model.

Put simply, the NIC:

∙ Prepares data from the computer for the network cable.
∙ Puts the data onto the cable.
∙ Controls the flow of data between the computer and the cable.
∙ Listens for packets addressed to it on the cable.
∙ Checks for collisions on the cable and handles retransmissions.

Video presentation: Network Adapter Cards

Demonstrate ISA 8-bit and 16-bit NICs and PCI NICs, pointing out the requirement for setting jumpers on many ISA cards (to set IRQ, I/O address, base memory etc.) and the Plug 'n' Play features of PCI cards. Point out the speed differences of the various types of cards.

Open up a PC and demonstrate the installation process.


3. Introduction to network topologies

Time: 20 Minutes

Reference: Networking Essentials, Page 33-56

The term Network Topology refers to the arrangement or physical layout of computers, cable, network hubs, and other components of the network. A network's topology affects its capabilities. Choosing one topology over another can impact the:

∙ Type of equipment the network needs.
∙ Capabilities of the network.
∙ Network's growth.
∙ Speed of a network.
∙ The way a network is managed.

Computers have to be connected in order to share resources or perform other communication tasks. Most networks use cables to connect one computer to another. However, it is not as simple as just plugging a computer into a cable connecting other computers. Different types of cable, combined with different network cards, network operating systems, and other components require different types of arrangements. A network's topology can determine not only the type of cable used but how the cabling is run through floors, ceilings, and walls. Topology can also determine how computers communicate on the network. Different topologies require different communication methods, and these methods have a great influence on the network.

Video Presentation: Network Topologies.

Topology Summary

| Topology | Advantages | Disadvantages |
|---|---|---|
| Bus | Economical use of cable. Media is inexpensive and easy to work with. Simple and easy to extend. | Network can slow down in heavy traffic. Problems are difficult to isolate. Cable break can affect many users. |
| Ring | Equal access for all computers. Even performance despite many users. | Failure of one computer can impact the rest of the network. Problems hard to isolate. Network reconfiguration disrupts operation. |
| Star | Easy to modify and add new computers. Centralized monitoring and management. Failure of one computer does not affect the rest of the network. | If the centralized point fails, the network fails. |

Hubs

One network component that is now standard equipment in most networks is the hub. A hub is the central component in a star topology. Most hubs are active in that they regenerate and retransmit the signals and are often called multiport repeaters. Active hubs require power. Some types of hubs are passive, for example, wiring panels or punchdown blocks. They act as connection points and do not amplify or regenerate the signal and hence do not require power.

Advanced hubs that accommodate several different types of cable are called hybrid hubs. For example, the mini hubs that we are using on each bench can connect eight twisted pair cables and one thinnet ethernet cable.

A hub-based network can be expanded by connecting more than one hub. Often, a central hub will have several hubs connected to it and this is called cascading. For example, our mini hubs can use port eight to connect to another hub.

4. Setting up the Lab Network

Time: 15 Minutes

Get students to wire the lab as shown in the diagram below by removing the cable from the bench socket and using it as the connection to the mini-hubs. In this lab we are using the onboard first ethernet interface.

What type of topology are we wiring up?



5. PING as a Network Diagnostic Tool

Time: 15 Minutes

Reference: Internetworking with Microsoft TCP/IP on Windows NT 4.0, Page 350-352
Reference: Inside TCP/IP, Page 354-376

PING stands for the Packet Internet Groper and is a tool that uses the Internet Control Message Protocol (ICMP) echo request and echo reply messages to determine whether a particular host is available and functioning. It is the most basic of all network diagnostic tools used for testing TCP/IP configurations and network connectivity. Its usage is ping hostname or ping IP-address, e.g. ping galdor or ping 128.184.85.151.

The first goal in troubleshooting is to make sure that you can successfully ping an IP address. This verifies communications between the Network Interface Layer and the Internet layer. Ping a host using its host name only after you can successfully ping the host using its IP address. The following procedure shows how to troubleshoot connections using ping. The general procedure is to start locally and move out further as each step is successful.

1. Power up workstations and boot into Windows NT.
2. Login as administrator with password password.
3. Go to the Start menu, choose Run, type in cmd and press Enter.
4. In the cmd window type ping 127.0.0.1. This is one of your local machine addresses.
5. Try pinging your IP address 128.184.85.{1..18}, where the last number is the number of your computer.
6. Ping your neighbour's IP address 128.184.85.{1..18}.
7. Ping the default gateway 128.184.85.151.
8. Ping the address of eros, 128.184.2.8.
9. Ping localhost, netlabxx, netlabyy, galdor85, eros.its.deakin.edu.au, where xx is your PC's number and yy is one of your neighbours' PC's number.


6. Network Torture Test

Time: 30 Minutes

This is where we break the network by removing cables, terminators etc.

1. Remove the thinnet cable joining each side of the room and get students to work out what they can ping.
2. Remove the terminator from one or both ends of the thinnet to determine what effect it has.
3. Put a yellow crossover twisted pair cable onto one computer and determine if it is still reachable.
4. Turn off one hub and determine the effect on the network.
5. Make a ring out of the bus and determine the effect.
6. Put in a bad T piece (if I can find one).



Session Two

Network Monitoring and Troubleshooting

Outline

1. Methods of network troubleshooting.
2. Introduction to network snooping.
3. Windows NT Network Monitor.
4. Tcpdump for Linux and comparison with Network Monitor.

Laboratory Requirements

Network configured as in Session One.

Linux and Windows NT installed on PCs with first interface operational and configured using DHCP.

Students should have each bench booted with two PCs with Linux and one with NT.
1. Methods of Network Troubleshooting

Time: 15 Minutes

Reference: Internetworking with TCP/IP on Windows NT 4.0, Page 347-353

There is an orderly process to troubleshooting network problems. This section explains the process and suggests utilities for troubleshooting network problems. Troubleshooting a problem is easiest when you can identify the problem source. Network related problems can be grouped into the following categories:


| Problem Source | Common Characteristics | Resolution |
|---|---|---|
| Hardware | No network activity. No lights on NIC or hub. | Check/swap cable. Check/swap hub port. Check/swap NIC card. |
| Configuration | The host will not initialize or one of the services will not start. | Use ifconfig on Linux or ipconfig on NT to check the configuration parameters. |
| IP Addressing | You may not be able to communicate with other hosts but you can talk to localhost. | Use ifconfig/ipconfig to check for correct IP address. Check for duplicate IP addresses. |
| MAC Address Resolution | You can access most hosts but one may not be reachable. | Use arp to determine if you are getting the correct MAC address for the remote host. |
| Subnetting | You can ping your workstation or other local subnet hosts but cannot ping remote hosts. | Use ifconfig/ipconfig to check for correct subnet mask. |
| Routing | You can access local subnet hosts but cannot access remote hosts. | Use route to determine if there is a route to the remote subnet. Use ifconfig/ipconfig to determine if there is a gateway defined. Use traceroute to determine where a connection is lost. |
| NetBIOS name resolution | You can access a host by its IP address, but not establish a connection with a net command. | Check that the remote host is in the LMHOSTS file. Use ipconfig to check if WINS servers are defined. |
| Host Name Resolution | You can access a host by its IP address, but not by its host name. | Check that the remote host is in the hosts file or that the Domain Name System is configured and functioning. Use nslookup. |
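The ping ladder from Session One (step 4 onwards) combined with the problem-source table above, as an added example that is not part of the lab manual: it reads the summary line that ping prints, walks the steps innermost first, stops at the first step without a reply and names the table category to suspect. The step names, the step-to-category mapping and the sample outputs are constructed for this example.

```python
import re
from collections import OrderedDict

# Summary line in the format printed by the ping shown later in this session:
#   "4 packets transmitted, 4 packets received, 0% packet loss"
PING_SUMMARY = re.compile(
    r"(\d+) packets transmitted, (\d+) packets received, (\d+)% packet loss")


def ping_reachable(ping_output):
    """True if the summary line shows at least one echo reply.
    Output without a summary line (ping never ran, or was interrupted)
    counts as unreachable rather than raising."""
    m = PING_SUMMARY.search(ping_output)
    if not m:
        return False
    transmitted, received, _loss = (int(x) for x in m.groups())
    return transmitted > 0 and received > 0


# The ladder, innermost first, paired with the problem-source category
# from the table that a first failure at that step points at (assumed
# mapping, not the manual's).
LADDER = OrderedDict([
    ("loopback 127.0.0.1",
     "Configuration: TCP/IP not initialised; check ifconfig/ipconfig"),
    ("own IP address",
     "IP Addressing / Hardware: check the NIC, the cable and for a duplicate IP"),
    ("neighbour on the same subnet",
     "Hardware / MAC Address Resolution: check cable, hub port and arp"),
    ("default gateway",
     "Subnetting: check the subnet mask and that a gateway is defined"),
    ("remote host by IP address",
     "Routing: check the route table and run traceroute"),
    ("remote host by name",
     "Host Name Resolution: check the hosts file / DNS with nslookup"),
])


def diagnose(results):
    """results maps a ladder step to the ping output captured for it.
    Walks the ladder in order and returns (failed_step, category) for the
    first step without a reply, or (None, "all steps passed"). Later steps
    are not consulted, matching the 'move out as each step succeeds' rule."""
    for step, category in LADDER.items():
        if not ping_reachable(results.get(step, "")):
            return step, category
    return None, "all steps passed"


def demo():
    """Constructed run: loopback, own address and neighbour answer, the
    gateway does not, so the remote steps were never attempted."""
    ok = "4 packets transmitted, 4 packets received, 0% packet loss"
    lost = "4 packets transmitted, 0 packets received, 100% packet loss"
    results = {
        "loopback 127.0.0.1": ok,
        "own IP address": ok,
        "neighbour on the same subnet": ok,
        "default gateway": lost,
    }
    return diagnose(results)


if __name__ == "__main__":
    print(demo())
```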




Troubleshooting Commands

Students can try these commands as they are introduced.

| Use this Command | To |
|---|---|
| Ping | Verify that TCP/IP is configured correctly and that another host is available |
| Arp | View the ARP cache to detect invalid entries |
| Netstat | Display protocol statistics and the current state of TCP/IP connections |
| Nbtstat | Check the state of current NetBIOS over TCP/IP connections, update the LMHOSTS cache, or determine your registered name and scope ID (NT only) |
| Ifconfig/Ipconfig | Verify TCP/IP configuration including IP address, netmask, gateway, and DNS servers (ifconfig for Linux and ipconfig for NT) |
| Traceroute | Verify the route to a remote host (tracert on NT) |
| Nslookup | Display information from DNS name servers |
| Event logs | View error messages (/var/log/messages on Linux, Event Viewer on NT) |
| Network Monitor/tcpdump | Capture incoming and outgoing packets to analyse a problem (tcpdump on Linux, Network Monitor on NT) |
| SNMP services | The Simple Network Management agents can be used to look at statistical information from the network services |


Troubleshooting Guidelines

When troubleshooting a network you start with simple connectivity tests like ping and work out from there. If the setup had been working then check the physical cabling and hardware. If it is a new setup or the physical hardware is not the problem then check the software configuration, working from the lowest layers to the upper layers. All of the following, except for nbtstat and ipconfig, were run from Linux. Nbtstat and ipconfig are Windows NT commands.


Ping output

[root@netlab20 /root]# ping galdor
PING galdor.cm.deakin.edu.au (128.184.84.151): 56 data bytes
64 bytes from 128.184.84.151: icmp_seq=0 ttl=128 time=0.3 ms
64 bytes from 128.184.84.151: icmp_seq=1 ttl=128 time=0.3 ms
64 bytes from 128.184.84.151: icmp_seq=2 ttl=128 time=0.3 ms
64 bytes from 128.184.84.151: icmp_seq=3 ttl=128 time=0.3 ms

--- galdor.cm.deakin.edu.au ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.3/0.3 ms


Arp output

[root@netlab20 /root]# arp -a
netlab21.cm.deakin.edu.au (128.184.85.21) at 00:C0:4F:7A:6B:46 [ether] on eth0
galdor85.cm.deakin.edu.au (128.184.85.151) at 00:A0:C9:D7:C9:3C [ether] on eth0


Netstat output

[root@netlab20 /root]# netstat -i
Kernel Interface table
Iface   MTU Met  RX-OK RX-ERR RX-DRP RX-OVR  TX-OK TX-ERR TX-DRP TX-OVR Flags
lo     3584   0      3      0      0      0      3      0      0      0 BLRU
eth0   1500   0 360458      0      0      0    673      0      0      0 BNRU

[root@netlab20 /root]# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ]         STREAM                    1539   /dev/log
unix  2      [ ]         STREAM     CONNECTED      1538
unix  2      [ ]         STREAM                    1459   /tmp/.X11-unix/X0
unix  2      [ ]         STREAM     CONNECTED      1458
unix  2      [ ]         STREAM                    1300   /tmp/.X11-unix/X0
unix  2      [ ]         STREAM     CONNECTED      1299
unix  2      [ ]         STREAM                    1294   /tmp/.X11-unix/X0
unix  2      [ ]         STREAM     CONNECTED      1293
unix  2      [ ]         STREAM                    1287   /tmp/.X11-unix/X0
unix  2      [ ]         STREAM     CONNECTED      1286
unix  2      [ ]         STREAM                    1271   /tmp/.X11-unix/X0
unix  2      [ ]         STREAM     CONNECTED      1270
unix  2      [ ]         STREAM                    1255   /tmp/.X11-unix/X0
unix  2      [ ]         STREAM     CONNECTED      1254
unix  2      [ ]         STREAM                    1247   /tmp/.X11-unix/X0
unix  2      [ ]         STREAM     CONNECTED      1246
unix  2      [ ]         STREAM                    1088   /tmp/.X11-unix/X0
unix  2      [ ]         STREAM     CONNECTED      1087
unix  2      [ ]         STREAM                    1002   /tmp/.X11-unix/X0
unix  2      [ ]         STREAM     CONNECTED      1001
unix  2      [ ]         STREAM                    982    /tmp/.X11-unix/X0
unix  2      [ ]         STREAM     CONNECTED      934
unix  2      [ ]         STREAM                    834
unix  2      [ ]         STREAM                    664    /dev/log
unix  2      [ ]         STREAM     CONNECTED      664

[root@netlab20 /root]# netstat -s
Ip:
    189087 total packets received
    0 with invalid headers
    0 with invalid addresses
    0 forwarded
    0 with unknown protocol
    227 incoming packets discarded
    59727 incoming packets delivered
    96 requests sent out
    0 outgoing packets dropped
    0 dropped because of missing route
    0 fragments dropped after timeout
    0 reassemblies required
    0 packets reassembled ok
    0 packet reassembles failed
    0 fragments received ok
    0 fragments failed
    0 fragments created
Icmp:
    22 ICMP messages received
    0 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 2
        timeout in transit: 9
        echo replies: 11
    0 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
Tcp:
    0 active opens
    0 passive opens
    0 failed connection attempts
    0 connection resets received
    0 connections established
    32 segments received
    28 segments send out
    1 segments retransmitted
Udp:
    78 packets received
    5 packets to unknown port received
    227 packet receive errors
    40 packets send


Nbtstat output

C:\>nbtstat -n

Node IpAddress: [128.184.85.21] Scope Id: [ ]

NetBIOS Local Name Table

Name                Type         Status
------------------------------------------------------------------------
00C04F7A6B46  <00>  UNIQUE       Registered
DU-CM-LABG    <00>  GROUP        Registered
00C04F7A6B46  <03>  UNIQUE       Registered
ADMINISTRATOR <03>  UNIQUE       Registered


Ifconfig output

[root@netlab20 /]# ifconfig -a
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Bcast:127.255.255.255  Mask:255.0.0.0
          UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
          RX packets:3 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0

eth0      Link encap:Ethernet  HWaddr 00:C0:4F:7A:6D:CD
          inet addr:128.184.85.20  Bcast:128.184.85.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:358539 errors:0 dropped:0 overruns:0 frame:0
          TX packets:615 errors:0 dropped:0 overruns:0 carrier:1
          collisions:0
          Interrupt:11 Base address:0xd880


Ipconfig output

C:\>ipconfig /all

Windows NT IP Configuration

        Host Name : 00c04f7a6b46.cm.deakin.edu.au
        DNS Servers : 128.184.85.151
        Node Type : Broadcast
        NetBIOS Scope ID :
        IP Routing Enabled : No
        WINS Proxy Enabled : No
        NetBIOS Resolution Uses DNS : Yes

Ethernet adapter E190x1:

        Description : 3Com 3C90x Ethernet Adapter
        Physical Address : 00-C0-4F-7A-6B-46
        DHCP Enabled : Yes
        IP Address : 128.184.85.21
        Subnet Mask : 255.255.255.0
        Default Gateway : 128.184.85.151
        DHCP Server : 128.184.85.151
        Lease Obtained : Monday, 25 January 1999 14:53:22
        Lease Expires : Thursday, 28 January 1999 14:53:22


Route output

[root@netlab20 /]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
128.184.85.0    *               255.255.255.0   U     0      0        2 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo


nslookup output

[root@netlab20 /]# nslookup bajor.its.deakin.edu.au
Server:  galdor85.cm.deakin.edu.au
Address:  128.184.85.151

Non-authoritative answer:
Name:    bajor.its.deakin.edu.au
Address:  139.132.19.1


Traceroute output

[root@netlab20 /]# traceroute eros.its.deakin.edu.au
traceroute to eros.its.deakin.edu.au (128.184.2.8), 30 hops max, 40 byte packets
 1  galdor85.cm.deakin.edu.au (128.184.85.151)  0.337 ms  0.286 ms  0.275 ms
 2  turin-gw.cm.deakin.edu.au (128.184.84.254)  1.475 ms  1.382 ms  1.399 ms
 3  g-union-b-gw-00-fddi-2-0.net.deakin.edu.au (128.184.4.254)  2.390 ms  1.475 ms  1.399 ms
 4  eros.ccs.deakin.edu.au (128.184.2.8)  2.500 ms  *  1.681 ms


2. Introduction to Network Snooping

Time: 5 Minutes


Network snooping is the use of utilities to look at the packets flowing on a network, that is, they capture packets from the network and display either the packet headers or the packet headers along with the packet contents. Network snoopers usually do some work for you and try to categorize the packets into protocol families and packet streams within families.

Why are network snoopers useful? We can use the packet information to debug network problems, to understand how the network and protocols are functioning, and we can use it to determine what is normal and abnormal activity on our network, setting up a baseline measurement which we can use later on to compare with a more recent network trace.

Network snoopers work by putting the NIC into promiscuous mode, which is a mode where it will collect all network traffic and not just the traffic addressed to that interface. Because it captures all packets on a network it is a very dangerous tool as it can be used to spy on the packets of other people and even to capture their passwords. To mitigate this risk, turning on the promiscuous mode of the NIC is usually restricted to the superuser or Administrator and hence normal users are restricted from viewing the network traffic. Two methods that can be used to reduce the risk of network data being seen are to use encryption (e.g. SSH), and to use switched network hubs so that only broadcast packets and packets addressed to an interface are sent to that interface.
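A check that follows from the paragraph above, added here and not part of the lab manual: since a snooper has to put the NIC into promiscuous mode, the PROMISC flag that net-tools ifconfig prints (the ifconfig -a output shown earlier in this session has the same layout) reveals an interface in that state. The parser and the sample output, in which eth0 has been switched into promiscuous mode, are constructed for this example.

```python
import re

# An interface block starts at column 0 with its name, as in the manual's
# ifconfig -a output; the flag words (UP BROADCAST RUNNING PROMISC
# MULTICAST ...) sit on the line that also carries "MTU:".
IFACE_START = re.compile(r"^(\S+)\s+Link encap:")
FLAGS_LINE = re.compile(r"^\s*((?:[A-Z]+\s+)+)MTU:\s*\d+")


def parse_ifconfig(text):
    """Return {interface: set of flag words} from net-tools ifconfig output."""
    flags = {}
    current = None
    for line in text.splitlines():
        start = IFACE_START.match(line)
        if start:
            current = start.group(1)
            flags[current] = set()
            continue
        if current is None:
            continue  # text before the first interface block
        m = FLAGS_LINE.match(line)
        if m:
            flags[current].update(m.group(1).split())
    return flags


def promiscuous_interfaces(text):
    """Names of interfaces whose flag line carries PROMISC, sorted."""
    return sorted(name for name, f in parse_ifconfig(text).items()
                  if "PROMISC" in f)


# Constructed sample in the style of the manual's ifconfig output; eth0 is
# shown as it looks while a snooper has it in promiscuous mode.
SAMPLE = """\
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Bcast:127.255.255.255  Mask:255.0.0.0
          UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
          RX packets:3 errors:0 dropped:0 overruns:0 frame:0

eth0      Link encap:Ethernet  HWaddr 00:C0:4F:7A:6D:CD
          inet addr:128.184.85.20  Bcast:128.184.85.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:358539 errors:0 dropped:0 overruns:0 frame:0
"""

if __name__ == "__main__":
    print(promiscuous_interfaces(SAMPLE))
```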



Network snoopers usually allow the capture and storage of packet information for later non-real-time analysis and sometimes they even allow playback of captured data in order to trigger particular network problems. They also allow users to set filters so that it only captures data packets that you have specified an interest in, e.g. only ARP packets, only packets from a particular computer, only packets between two computers, only UDP or TCP or IP packets, only broadcast packets, etc. They allow this filtering so that you do not become overwhelmed by the amount of data that can be flowing on a busy network.

Typically network snoopers can interpret more than just TCP/IP traffic. They will usually interpret TCP/IP, AppleTalk, IPX/SPX (Novell), DECnet (Digital), etc.


3. Windows NT Network Monitor

Time: 30 Minutes

Reference: Internetworking with TCP/IP on Windows NT 4.0, Page 18-21

Microsoft Network Monitor is a tool that simplifies the task of troubleshooting complex network problems. Microsoft Network Monitor troubleshoots network problems by monitoring and capturing network traffic for analysis. You can define capture filters so that you save only specific frames for analysis. You can define filters based on source and destination MAC addresses, source and destination protocol addresses, and pattern matches. Once Network Monitor captures a packet, you can use display filtering to further analyse a problem. Once Network Monitor captures and filters a packet, it interprets trace data and presents a real-time report.

The version of Network Monitor included with Windows NT is limited to only capturing data for the local computer. The full version is available with Microsoft Systems Management Server (SMS) and is the version that we will be installing.


To Install Network Monitor

1. Boot into Windows NT. Login as Administrator with password password.
2. Run C:\Nmext\DISK1\Setup.exe.
3. Click Continue to the Verify Network Monitor PATH as C:\NM dialogue box.
4. Click OK to create the directory C:\NM.
5. Click No Password on the Network Monitor Password dialogue box.
6. Type Administrator into the Network Monitor Information dialogue box and then click OK.
7. Click OK to the Is the following correct? dialogue box.
8. Click OK to the You must install the Microsoft Network Manager driver from the control panel dialogue box.
9. At this point the Network Control Panel should appear.
10. Click OK to the Network Monitor has been successfully installed dialogue box.
11. Click the Services tab on the Network Control Panel.
12. Click Add.
13. Choose the Network Monitor Agent in the Network Service list (NOT the Network Monitor Tools and Agent).
14. Click OK. If you are asked for the full path to the Windows NT distribution files enter C:\i386 and click Continue.
15. In the Network dialog box click Close.
16. Click Yes when prompted to restart your computer.
17. Boot into Windows NT and login as Administrator.
18. Start the Network Monitor program and click the Start Capture button.
19. Start an anonymous ftp session to ftp.deakin.edu.au, do a dir and close the connection.
20. Go to the Network Monitor and click the Stop and View Capture button. The instructor will take you through some of the features.



Analysing Network Traffic

To analyse network traffic with Network Monitor you need to start the capture process, generate the network traffic you want to observe, then stop the capture and view the data. To use Network Monitor click the Start button, point to Programs, point to Network Analysis Tools, and then click on Network Monitor.

Network Monitor uses many windows for displaying different data. One of the primary windows is the Capture window. When this window has the focus the toolbar shows you options to start, pause, or stop and view captured data. On the Capture menu click Start to start a capture. While the capture process is running Network Monitor displays statistical information in the window.

After you have generated the network traffic you are analysing, on the Capture menu click Stop to stop the capture. You can then create another capture or display the current capture data. You can also click on Stop and View to stop a capture and view the captured data immediately.

When opening a capture to view, a summary window appears showing each frame captured. The summary window contains a frame number, time of frame reception, and source and destination addresses. It also contains the highest-layer protocol used in the frame and a description of the frame. For more detailed information on a specific frame, double click on the frame you wish to zoom into and you will get two additional windows, the Detail window and the Hexadecimal window. The Detail window shows the protocol information in detail. The Hexadecimal window shows the raw bytes in the frame.



4. Tcpdump for Linux and comparison with Network Monitor

Time: 15 Minutes

Tcpdump is a program that can run on various flavours of Unix including Linux. It is a command line driven program that simply snoops the network interface and displays the headers of the packets it sees. Snoop on Solaris is similar to tcpdump but seems to offer more depth of facilities, in particular greater packet header detail.


Sample tcpdump output (edited)

13:12:50.128830 aragorn.cm.deakin.edu.au.965 > smaug.cm.deakin.edu.au.32771: S 2933428491:2933428491(0) win 16060 <mss 1460, sackOK, timestamp 33427410 [|tcp]> (DF)
13:12:50.129551 smaug.cm.deakin.edu.au.32771 > aragorn.cm.deakin.edu.au.965: S 3998651932:3998651932(0) ack 2933428492 win 10136 <nop, nop, timestamp 520172504 33427410, nop, [|tcp]> (DF)
13:12:57.525418 arp who-has tolkien-gw.cm.deakin.edu.au tell isildur.cm.deakin.edu.au
13:12:57.531194 0:0:a2:69:9d:10 > 1:80:c2:0:0:0 802.1d ui/C len=43
                0000 0000 0080 0000 00a2 699d 1000 0000
                0080 0000 00a2 699d 1080 0300 0014 0002
                000f 0000 0000 5555 5555 55
13:12:57.537916 smaug.cm.deakin.edu.au.nfs > aragorn.cm.deakin.edu.au.106824448: reply ok 96 write [|nfs] (DF)
13:12:57.537962 smaug.cm.deakin.edu.au.nfs > aragorn.cm.deakin.edu.au.123601664: reply ok 96 write [|nfs] (DF)
13:12:57.565808 aragorn.cm.deakin.edu.au.pcserver > smaug.cm.deakin.edu.au.32771: S 2934071445:2934071445(0) win 16060 <mss 1460, sackOK, timestamp 33428153 [|tcp]> (DF)
13:12:57.566448 smaug.cm.deakin.edu.au.32771 > aragorn.cm.deakin.edu.au.pcserver: S 4009106691:4009106691(0) ack 2934071446 win 10136 <nop, nop, timestamp 520173248 33428153, nop, [|tcp]> (DF)
13:12:59.377152 arp who-has bree.cm.deakin.edu.au tell aragorn.cm.deakin.edu.au
13:12:59.377396 arp reply bree.cm.deakin.edu.au is-at 0:0:f8:1f:86:c6
13:12:59.439589 bree.cm.deakin.edu.au.2882 > 255.255.255.255.sunrpc: udp 80
13:12:59.664028 62 > 20 at-lap#14 59
13:13:00.314103 2:a0:0:20:ed:e3 > 1:0:81:0:1:0 sap aa ui/C len=35
                fd00 060a 2001 0200 0055 5555 5555 5555
                5555 5555 5555 5555 5555 5555 5555 5555
                5555 55
13:13:00.314111 2:a0:0:20:ed:e3 > 1:0:81:0:1:1 sap aa ui/C len=35
                fd00 060a 2001 0200 0055 5555 5555 5555
                5555 5555 5555 5555 5555 5555 5555 5555
                5555 55
13:13:01.531073 0:0:a2:69:9d:10 > 1:80:c2:0:0:0 802.1d ui/C len=43
                0000 0000 0080 0000 00a2 699d 1000 0000
                0080 0000 00a2 699d 1080 0300 0014 0002
                000f 0000 0000 5555 5555 55
13:13:03.531188 0:0:a2:69:9d:10 > 1:80:c2:0:0:0 802.1d ui/C len=43
                0000 0000 0080 0000 00a2 699d 1000 0000
                0080 0000 00a2 699d 1080 0300 0014 0002
                000f 00ff ffff 5555 5555 55
13:13:06.583776 84 > 2 at-lap#122 593
13:13:06.584633 179 > 0 at-lap#75 176
13:13:06.689454 41 > 0 at-lap#14 38
13:13:07.112478 tolkien-gw.cm.deakin.edu.au.route > 255.255.255.255.route: rip-resp 25: 128.184.154.0(2)[|rip]
13:13:07.112831 tolkien-gw.cm.deakin.edu.au.route > 255.255.255.255.route: rip-resp 12: 128.184.237.0(3)[|rip]
13:13:07.170824 smaug.cm.deakin.edu.au.nfs > aragorn.cm.deakin.edu.au.241042176: reply ok 96 write [|nfs] (DF)
13:13:07.531437 0:0:a2:69:9d:10 > 1:80:c2:0:0:0 802.1d ui/C len=43
                0000 0000 0080 0000 00a2 699d 1000 0000
                0080 0000 00a2 699d 1080 0300 0014 0002
                000f 00ff ffff 5555 5555 55


As you can see the tcpdump output is considerably harder to interpret than the Network Monitor output and hence the remainder of the labs will mostly use the Network Monitor to view traffic.

1. Shutdown Windows NT and restart the machine into Linux.
2. Login as root with password password.
3. At the terminal window run tcpdump and view the output.
4. Start a new terminal window and type man tcpdump.
5. Look through the manual entry and try various options to tcpdump in your first terminal window. For example try: tcpdump broadcast, tcpdump ip, tcpdump arp, or tcpdump host some-IP-address and then create some traffic to that IP address.
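The sorting into protocol families and packet streams that the snooping section credits to snoopers, done by hand over tcpdump lines of the kind shown above, as an added example that is not from the lab manual: it classifies each line by family (ARP, TCP, UDP, NFS, RIP, 802.1d, AppleTalk LAP, hex continuation) and pairs each TCP SYN with the SYN/ACK that acknowledges it. The sample lines are constructed in the same old-tcpdump format; the function names are assumptions.

```python
import re
from collections import Counter

TS = r"\d\d:\d\d:\d\d\.\d+\s+"
# Hex continuation lines printed under a frame dump.
HEX_LINE = re.compile(r"^\s*(?:[0-9a-f]{4}\s*)+$")
# TCP summary in old tcpdump style: src.port > dst.port: FLAGS seq:end(len) [ack N]
TCP_LINE = re.compile(
    TS + r"(\S+) > (\S+): ([SFRP.]+) (\d+):\d+\s*\(\d+\)(?: ack (\d+))?")


def classify(line):
    """Protocol family of one tcpdump output line."""
    if HEX_LINE.match(line):
        return "hexdump"
    if " arp " in line:
        return "arp"
    if TCP_LINE.match(line):
        return "tcp"
    if ": udp " in line:
        return "udp"
    if "rip-" in line:
        return "rip"
    if ".nfs " in line:
        return "nfs"
    if " 802.1d " in line:
        return "802.1d"
    if " at-lap" in line:
        return "appletalk-lap"
    return "other"


def family_counts(lines):
    """Counter of families, the way a snooper groups a capture."""
    return Counter(classify(l) for l in lines)


def syn_pairs(lines):
    """(client, server) for every SYN answered by a SYN whose ack equals
    the client's initial sequence number + 1. Unanswered SYNs are ignored."""
    pending = {}   # (client, server) -> initial sequence number
    pairs = []
    for line in lines:
        m = TCP_LINE.match(line)
        if not m:
            continue
        src, dst, flags, seq, ack = m.groups()
        if "S" not in flags:
            continue
        if ack is None:                                   # plain SYN
            pending[(src, dst)] = int(seq)
        elif pending.get((dst, src)) == int(ack) - 1:     # matching SYN/ACK
            pairs.append((dst, src))
            del pending[(dst, src)]
    return pairs


# Constructed lines in the format of the sample output above.
SAMPLE = [
    "13:12:50.128830 aragorn.cm.deakin.edu.au.965 > smaug.cm.deakin.edu.au.32771: S 2933428491:2933428491(0) win 16060 <mss 1460,sackOK> (DF)",
    "13:12:50.129551 smaug.cm.deakin.edu.au.32771 > aragorn.cm.deakin.edu.au.965: S 3998651932:3998651932(0) ack 2933428492 win 10136 (DF)",
    "13:12:57.525418 arp who-has tolkien-gw.cm.deakin.edu.au tell isildur.cm.deakin.edu.au",
    "13:12:57.531194 0:0:a2:69:9d:10 > 1:80:c2:0:0:0 802.1d ui/C len=43",
    "                0000 0000 0080 0000 00a2 699d 1000 0000",
    "13:12:57.537916 smaug.cm.deakin.edu.au.nfs > aragorn.cm.deakin.edu.au.106824448: reply ok 96 write [|nfs] (DF)",
    "13:12:59.377396 arp reply bree.cm.deakin.edu.au is-at 0:0:f8:1f:86:c6",
    "13:12:59.439589 bree.cm.deakin.edu.au.2882 > 255.255.255.255.sunrpc: udp 80",
    "13:12:59.664028 62 > 20 at-lap#14 59",
    "13:13:07.112478 tolkien-gw.cm.deakin.edu.au.route > 255.255.255.255.route: rip-resp 25: 128.184.154.0(2)[|rip]",
    "13:13:07.565808 aragorn.cm.deakin.edu.au.pcserver > smaug.cm.deakin.edu.au.32771: S 2934071445:2934071445(0) win 16060 (DF)",
    "13:13:07.566448 smaug.cm.deakin.edu.au.32771 > aragorn.cm.deakin.edu.au.pcserver: S 4009106691:4009106691(0) ack 2934071446 win 10136 (DF)",
]

if __name__ == "__main__":
    print(family_counts(SAMPLE))
    print(syn_pairs(SAMPLE))
```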









































Session Three

TCP/IP

Outline

1. Introduction to TCP/IP
2. Address Resolution Protocol (ARP)
3. Reverse Address Resolution Protocol (RARP)
4. Internet Control Message Protocol (ICMP)
5. Internet Protocol (IP)
6. Transmission Control Protocol (TCP)
7. User Datagram Protocol (UDP)

Laboratory Requirements

Network configured as in Session One.

Windows NT installed on PCs with the motherboard interface operational and configured using DHCP.

Students should have bench booted with two PCs with Linux and one with NT.


1. Introduction to the TCP/IP Protocol Suite

Time: 30 minutes
Reference: Internetworking with TCP/IP on Windows NT 4.0, page 25-28

This 15-minute multimedia presentation provides an overview of the TCP/IP protocol suite and explains how the protocols in the suite work internally and with other protocols. It describes how the TCP/IP protocol suite maps to a four-layer model.

Multimedia Presentation: Overview of the TCP/IP Protocol Suite

The Four-Layer Model

TCP/IP protocols follow a four-layer conceptual model: Application, Transport, Internet, and Network Interface. The TCP/IP core protocols provide a set of standards for how computers communicate and how networks are interconnected.

Network Interface Layer

At the base of the model is the Network Interface Layer. This layer is responsible for sending and receiving frames, which are packets of information transmitted on a network as a single unit. The Network Interface Layer puts frames on the network, and pulls frames off the network. This layer is equivalent to the network cable, Network Interface Card (NIC), and the NIC driver. Windows NT IP uses the Network Device Interface Specification (NDIS) to submit frames to the network interface layer. IP supports LAN and WAN interface technologies.

Internet Layer

Internet protocols encapsulate packets into Internet datagrams and run all of the necessary routing algorithms. The four Internet protocols are Internet Protocol (IP), Address Resolution Protocol (ARP), Internet Control Message Protocol (ICMP), and Internet Group Management Protocol (IGMP).

IP is primarily responsible for addressing and routing packets between hosts and networks.
ARP obtains hardware addresses of hosts located on the same physical network.
ICMP sends messages and reports errors regarding the delivery of a packet.
IGMP is used by IP hosts to report host group memberships to local multicast routers.

Transport Layer

Transport protocols provide communication sessions between computers. The two Transport protocols are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). The transport protocol used depends upon the preferred method of data delivery.

TCP provides connection-oriented, reliable communications for applications that typically transfer large amounts of data at one time. It is also used for applications that require an acknowledgment for data received. Examples of TCP applications are telnet and ftp.

UDP provides connectionless communications and does not guarantee to deliver packets. Applications that use UDP typically transfer small amounts of data at one time. Reliable delivery of data is the responsibility of the applications. Examples of UDP applications are NFS (in its original version), and NTP, which is a network time synchronization protocol.

Application Layer

At the top of the TCP/IP model is the Application layer. This layer is where applications gain access to the network. There are many standard TCP/IP utilities and services at the application layer such as FTP, Telnet, SNMP, and DNS.

Microsoft TCP/IP provides two interfaces for network applications to use the services of the TCP/IP protocol stack. The first, called Windows Sockets, provides a standard application programming interface (API) under Microsoft Windows for Transport protocols such as TCP/IP and IPX (the Novell network stack).

The second interface for network applications is NetBIOS. This interface provides a standard interface to protocols that support the NetBIOS naming and messaging services, such as TCP/IP and NetBEUI. We will look at NetBIOS in a later session.


2. Address Resolution Protocol (ARP)

Time: 20 Minutes
Reference: Internetworking with TCP/IP on Windows NT 4.0, Page 29-39, RFC 826

Hosts must know the hardware address (MAC address) of other hosts to communicate on a network. Address resolution is the process of mapping a host's IP address to its hardware address. The Address Resolution Protocol (ARP), which is part of the TCP/IP Internet layer, obtains hardware addresses of hosts that are located on the same physical network as the computer making the ARP request.

ARP is responsible for obtaining hardware addresses of TCP/IP hosts on broadcast-based networks. ARP uses a local broadcast of the destination IP address to acquire the hardware address of the destination host or gateway. Once ARP obtains the hardware address, both the IP address and the hardware address are stored as one entry in the ARP cache. ARP always checks the ARP cache for an IP address and hardware address mapping before initiating an ARP request broadcast.

The ARP Cache

To minimize the number of broadcasts, ARP maintains address mappings in cache for future use. The ARP cache maintains both static and dynamic entries. Dynamic entries are added and deleted automatically and are deleted from the cache after a default time period has elapsed. For Windows NT this time is two minutes on unused entries and ten minutes on used entries. Static entries remain in the cache until the computer is restarted or the entry is deleted using the arp -d hostname command. Static ARP entries are added by using the arp -s hostname ether-addr command. For Windows NT the ether-addr is separated by hyphens while in Unix it is separated by colons.

Additionally, the ARP cache always maintains the hardware broadcast address FFFFFFFFFFFF for the local subnet as a permanent entry. This entry allows a host to accept ARP broadcasts. This address does not appear when you view the cache.

ARP cache entries are viewed using the command arp -a. The following shows a sample ARP cache:

    H:\>arp -a
    Interface: 128.184.80.49 on Interface 2
      Internet Address      Physical Address      Type
      128.184.80.1          00-90-27-1e-c8-ad     dynamic
      128.184.80.148        00-a0-c9-9a-fb-0f     dynamic
      128.184.80.150        08-00-20-73-36-ba     dynamic
      128.184.80.254        00-00-0c-04-6d-8a     dynamic




Viewing ARP packets

1. Login to Windows NT as administrator.
2. Open a Command Prompt window.
3. Run arp -a to view the current ARP cache and note the entries.
4. Open the Network Monitor program.
5. Start the Network Monitor Capture.
6. At the Command Prompt type ping 128.184.85.1 or the IP address of a neighbour's PC that is not in the ARP cache.
7. Switch back to Network Monitor and Stop the capture.
8. Now View the captured data.
9. To make viewing of the data easier go to the Display menu and click on Colours.
10. In the Protocol Colours dialogue box select ARP_RARP under Name.
11. Under Colours set Foreground to Red and then click OK.
12. Now all ARP packets should appear in red.
13. To view the ARP Request packet details double-click the ARP: Request packet from your computer.
14. In the Detail window click the Plus Sign (+) next to the Frame line and view the frame details.
15. Expand and view the contents of the ETHERNET:ETYPE and ARP_RARP frames as well.
   What is the destination address?
   What is the source address?
   What type of ethernet frame is this?
   What is the sender's hardware address?
   What is the target's hardware address?
   What is the target's protocol address?
16. Now examine an ARP:Reply packet and expand the ETHERNET:ETYPE and ARP_RARP sections.
   What is the destination address?
   Does the destination refer to a physical address?
   What is the source address?
   What type of ethernet frame is this?
   What is the sender's hardware address?
17. Now look at the ARP cache again and note the differences.


3. Reverse Address Resolution Protocol (RARP)

Time: 10 Minutes
Reference: Inside TCP/IP, Page 244-253; RFC 906

Reverse address resolution is the process of mapping a host's hardware address to an IP address. The Reverse Address Resolution Protocol (RARP) broadcasts the host's hardware address onto the network and waits for a RARP server to reply with the host's IP address. RARP is most commonly used to boot a diskless computer. When the computer boots it only knows its hardware address so it broadcasts a RARP request at the Data Link layer. This request goes to all the computers on the local network but only the computer running a RARP server replies to the request. The RARP server looks up the hardware address in a local table and returns the IP address in a RARP reply packet, which is directed back to the RARP client. The RARP client then uses the first RARP reply that it receives to set its IP address and continues on with the boot process (typically TFTPing a boot loader from the server that provided the RARP reply).

If no RARP servers respond the RARP client will continually send out RARP broadcast requests which every computer on the network has to process. If the number of RARP clients is large then this can lead to RARP broadcast storms resulting in heavy network traffic and increased load on all the computers.

It is not possible to do a hands on RARP session.

RARP request packet.

    Packet Number : 4
    Length : 64 bytes
    10:37:20 PM
    ether: = = = = = = = = = = = = Ethernet Datalink Layer = = = = = = = = = = = = = =
      Station: 00-00-c0-24-28-2D -------> FF-FF-FF-FF-FF-FF
      TYPE: 0x8035 (RARP)
    rarp: = = = = = = = = Reverse Address Resolution Protocol = = = = = = = = = = = =
      Hardware: Ethernet
      Protocol: 08x0800 (IP)
      Operation: RARP Request
      Hardware address length: 6
      Protocol address length: 4
      Sender Hardware Address : 00-00-C0-24-28-2D
      Sender Protocol Address: 82.65.82.80
      Target Hardware Address : 00-00-C0-24-28-2D
      Target Protocol Address: 0.0.0.0

RARP reply packet.

    Packet Number : 5
    Length : 64 bytes
    10:37:20 PM
    ether: = = = = = = = = = = = = Ethernet Datalink Layer = = = = = = = = = = = = = =
      Station: 08-00-20-71-9B-FA -------> 00-00-c0-24-28-2D
      TYPE: 0x0806 (RARP)
    rarp: = = = = = = = = Reverse Address Resolution Protocol = = = = = = = = = = = =
      Hardware: Ethernet
      Protocol: 08x0800 (IP)
      Operation: RARP Reply
      Hardware address length: 6
      Protocol address length: 4
      Sender Hardware Address : 08-00-20-71-9B-FA
      Sender Protocol Address: 199.245.180.33
      Target Hardware Address : 00-00-C0-24-28-2D
      Target Protocol Address: 199.245.180.3
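The following Python script is an added example and not part of the lab manual: it decodes the ETHERNET:ETYPE and ARP_RARP fields that steps 15 and 16 of the ARP exercise ask about, rebuilds the two RARP packets above from their dumps, and models the ARP cache with the one check a network monitor would add, reporting when a cached IP address reappears with a different hardware address. The frames are constructed from the addresses on this page and the cache model is a simplification (no timeouts, no static entries).

```python
import struct

ETHERTYPE_ARP = 0x0806
ETHERTYPE_RARP = 0x8035
BROADCAST = b"\xff" * 6   # the permanent FFFFFFFFFFFF entry that never shows up in arp -a
OPCODES = {1: "ARP Request", 2: "ARP Reply", 3: "RARP Request", 4: "RARP Reply"}


def mac_str(raw: bytes, sep: str = "-") -> str:
    """Hardware address as text; Windows NT separates octets with hyphens, Unix with colons."""
    return sep.join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    """Accepts either separator so the samples below can copy the dumps above verbatim."""
    return bytes(int(octet, 16) for octet in text.replace(":", "-").split("-"))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ip_bytes(text: str) -> bytes:
    return bytes(int(part) for part in text.split("."))


def build_frame(eth_dst, eth_src, ethertype, oper, sha, spa, tha, tpa) -> bytes:
    """Ethernet II frame carrying ARP or RARP; both use the same 28-byte body (RFC 826 / RFC 903)."""
    header = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(eth_src), ethertype)
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return header + body


def parse_frame(frame: bytes) -> dict:
    """Decode the ETHERNET:ETYPE and ARP_RARP sections that steps 15 and 16 above ask about."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP/RARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype not in (ETHERTYPE_ARP, ETHERTYPE_RARP):
        raise ValueError(f"ethertype 0x{ethertype:04x} is not ARP or RARP")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet hardware and IPv4 protocol addresses are handled")
    return {
        "eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "ethertype": ethertype,
        "broadcast": eth_dst == BROADCAST, "operation": OPCODES.get(oper, f"unknown({oper})"),
        "sender_hw": mac_str(sha), "sender_ip": ip_str(spa),
        "target_hw": mac_str(tha), "target_ip": ip_str(tpa),
    }


class ArpCache:
    """Model of the dynamic entries arp -a prints, plus the check a monitor would add:
    an IP address that reappears with a different hardware address is recorded as a
    conflict (duplicate address or a poisoned cache) instead of being silently overwritten."""

    def __init__(self):
        self.table = {}      # ip -> hardware address
        self.conflicts = []  # (ip, previous hardware address, new hardware address)

    def observe(self, frame: bytes) -> str:
        pkt = parse_frame(frame)
        if pkt["operation"] not in ("ARP Request", "ARP Reply"):
            return "ignored"   # RARP traffic describes the server's table, not a live host mapping
        ip, hw = pkt["sender_ip"], pkt["sender_hw"]
        if ip == "0.0.0.0":
            return "ignored"   # probe from a host that has no address yet
        previous = self.table.get(ip)
        if previous is not None and previous != hw:
            self.conflicts.append((ip, previous, hw))
            return "conflict"
        self.table[ip] = hw
        return "added" if previous is None else "refreshed"


# Constructed sample frames; addresses are copied from the RARP dumps and the arp -a listing above.
RARP_REQUEST = build_frame("FF-FF-FF-FF-FF-FF", "00-00-c0-24-28-2D", ETHERTYPE_RARP, 3,
                           "00-00-C0-24-28-2D", "82.65.82.80", "00-00-C0-24-28-2D", "0.0.0.0")
RARP_REPLY = build_frame("00-00-c0-24-28-2D", "08-00-20-71-9B-FA", ETHERTYPE_RARP, 4,
                         "08-00-20-71-9B-FA", "199.245.180.33", "00-00-C0-24-28-2D", "199.245.180.3")
ARP_REPLY = build_frame("00-a0-c9-9a-fb-0f", "00-90-27-1e-c8-ad", ETHERTYPE_ARP, 2,
                        "00-90-27-1e-c8-ad", "128.184.80.1", "00-a0-c9-9a-fb-0f", "128.184.80.148")
# The same IP answered from another card: the entry must not be overwritten without notice.
ARP_REPLY_OTHER = build_frame("00-a0-c9-9a-fb-0f", "00-00-0c-04-6d-8a", ETHERTYPE_ARP, 2,
                              "00-00-0c-04-6d-8a", "128.184.80.1", "00-a0-c9-9a-fb-0f", "128.184.80.148")

if __name__ == "__main__":
    cache = ArpCache()
    for frame in (RARP_REQUEST, RARP_REPLY, ARP_REPLY, ARP_REPLY_OTHER):
        pkt = parse_frame(frame)
        print(f"{pkt['operation']:12} {pkt['sender_hw']} {pkt['sender_ip']:15} -> "
              f"{pkt['target_hw']} {pkt['target_ip']:15} {cache.observe(frame)}")
    print("conflicts:", cache.conflicts)
```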





4. Internet Control Message Protocol (ICMP)

Time: 15 Minutes
Reference: Inside TCP/IP, Page 342-388

The Internet Control Message Protocol (ICMP) reports errors and controls messages on behalf of IP. ICMP does not attempt to make IP a reliable protocol, but merely attempts to report errors and provide feedback on specific conditions. ICMP messages are carried as IP datagrams and are therefore unreliable.

For example, if a TCP/IP host is sending packets to another host at a rate that is saturating the routers or links between them, the router can send an ICMP source quench message. The source quench message asks the sender to slow down the rate of the transmission.

There are quite a few ICMP message types with the most common being the following:

Echo. This is used by ping to determine the reachability of an IP node.
Destination Unreachable. Used to indicate that a destination IP node is not reachable because there is no route to it.
Source Quench. Used to indicate a congestion problem to an IP node.
Redirect. Used by routers to inform of an alternate route.
Time Exceeded. Used to indicate the expiration of the IP header Time To Live (TTL) value.
Address Mask. Used to obtain the subnet mask information for the network.
Timestamp. Used for time measurements on an internet.

Destination Unreachable

In this session we will look at the ICMP Destination Unreachable message.

1. Login to Windows NT as Administrator.
2. Start a Command Prompt.
3. Start Network Monitor.
4. Start Network Monitor Capture.
5. In the Command Prompt type ping 139.132.118.2.
6. Go back to the Network Monitor and Stop and View the capture.
7. Under the Display menu select Colours and change the ICMP name to Red.
8. Find your ICMP ping packet and the following ICMP Destination Unreachable packet.
9. Expand this packet and investigate the fields.


Traceroute Packets

The traceroute command works by pinging the selected host but setting the IP Time To Live (TTL) value to one initially. The packet will get sent to the first router, which decrements the TTL by one. The router notices that the TTL is now zero and returns an ICMP Time Exceeded packet to the sending host. Traceroute now has an ICMP packet with the address of the first router, which it displays. Traceroute now sends two more packets with a TTL of one to get an average of the ping time to the first router. It now sets the TTL to two so that it reaches the second router before the TTL becomes zero. The second router now returns an ICMP Time Exceeded packet back to the sending host. Traceroute continues to increment the TTL until an ICMP Echo reply is received from the destination host.

1. Login to Windows NT as Administrator.
2. Start a Command Prompt.
3. Start Network Monitor.
4. Start Network Monitor Capture.
5. In the Command Prompt type tracert 139.132.118.2 and wait for tracert to finish executing.
6. Go back to the Network Monitor and Stop and View the capture.
7. Under the Display menu select Colours and change the ICMP name to Red.
8. Find your ICMP ping packet and expand the IP frame and look at the TTL value; it should be 1.
9. The next ICMP packet sent to your host should be an ICMP Time Exceeded packet from the first router.
10. There should be another two ICMP ping packets with a TTL of one and two more ICMP Time Exceeded packets.
11. The next ICMP ping packet should have a TTL of two.
12. Continue through all of the ICMP packets to and from your host to follow what is going on.


5. Internet Protocol (IP)

Time: 15 minutes
Reference: Internetworking with TCP/IP on Windows NT, Page 42-45

IP is a connectionless protocol primarily responsible for addressing and routing packets between hosts. IP is connectionless because it does not establish a session before exchanging data. IP is unreliable because it does not guarantee delivery. It always makes a "best effort" attempt to deliver a packet. Along the way, a packet may be lost, delivered out of sequence, duplicated, or delayed, although on modern network equipment most of this is highly unlikely.

IP does not require an acknowledgment when data is received. Neither the sender nor the receiver is informed when a packet is lost or sent out of sequence. The acknowledgment of packets is the responsibility of a higher transport layer, such as TCP. The IP datagram fields in the following table are added to the header when a packet is passed down from the transport layer.

Field                    Function
Source IP Address        Identifies the sender of the datagram by the IP address.
Destination IP Address   Identifies the destination of the datagram by the IP address.
Protocol                 Informs IP at the destination host whether to pass the packet up to TCP or UDP.
Checksum                 A simple mathematical computation that is used to verify that the packet arrived intact.
Time to Live (TTL)       Designates the number of seconds a datagram is allowed to stay on the wire before it's discarded. This prevents packets from endlessly looping around an internetwork. Routers are required to decrement this value by at least one second every time it passes through.

If IP identifies a destination address as a local address, IP transmits the packet directly to that host. If the destination IP address is a remote address, IP checks the local routing table for a router to the remote host. If it finds a route, IP sends the packet using that route. If IP does not find a route, it sends the packet to the source host's default gateway, also called a router.

When a router receives a packet, the packet is passed up to IP, which does the following:

1. IP decrements the TTL by at least 1, or more if the packet is stuck at the router due to congestion. If the TTL reaches zero, the packet is discarded.
2. IP may fragment the packet into smaller packets if the packet is too large for the underlying network.
3. If the packet is fragmented, IP creates a new header for each new packet, which includes:
   A Flag to indicate that other fragments follow.
   A Fragment ID to identify fragments that belong together.
   A Fragment Offset to tell the receiving host how to reassemble the packet.
4. IP calculates a new checksum.
5. IP obtains the destination hardware address of the next router.
6. IP forwards the packet.

This entire process is repeated at each router until the packet reaches its final destination. When the packets arrive at their final destination, IP reassembles the pieces into the original packet.
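As an added example (not code from the lab manual), the Python below carries out the router steps listed above on a constructed datagram: it verifies the header checksum, decrements the TTL, fragments when the next link's MTU is too small, reassembles at the far end, and shows the TTL-of-1 case that produces the ICMP Time Exceeded reply traceroute depends on. Addresses, MTU values, identifiers and the payload are constructed, and the header is assumed to carry no options.

```python
import struct

IP_PROTO_ICMP, IP_PROTO_TCP, IP_PROTO_UDP = 1, 6, 17
FLAG_DF, FLAG_MF = 0x4000, 0x2000   # Don't Fragment / More Fragments bits of the flags+offset word


def ip_bytes(text: str) -> bytes:
    return bytes(int(part) for part in text.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, the computation behind the Checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_header(src, dst, proto, ttl, payload_len, ident=0, df=False, mf=False, offset=0):
    """20-byte IPv4 header with a valid checksum; offset is in bytes (stored in 8-byte units)."""
    flags_frag = (FLAG_DF if df else 0) | (FLAG_MF if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def parse_header(pkt: bytes) -> dict:
    """Decode the fields listed in the table above and verify the header checksum."""
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _cksum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4, "header_len": ihl, "total_length": total_len, "ident": ident,
        "df": bool(flags_frag & FLAG_DF), "mf": bool(flags_frag & FLAG_MF),
        "offset": (flags_frag & 0x1FFF) * 8, "ttl": ttl, "proto": proto,
        "checksum_ok": internet_checksum(pkt[:ihl]) == 0,   # a correct header sums to zero
        "src": ip_str(src), "dst": ip_str(dst),
    }


def router_forward(pkt: bytes, mtu: int):
    """One hop of steps 1-6 above: returns (decision, datagrams to put on the next link)."""
    h = parse_header(pkt)
    if not h["checksum_ok"]:
        return "discard: header checksum failed", []
    if h["ttl"] <= 1:
        # Step 1: the TTL would reach zero, so the packet is dropped and the router sends
        # ICMP Time Exceeded to the source; this is the reply traceroute relies on at each hop.
        return "discard: TTL expired, ICMP Time Exceeded to " + h["src"], []
    ttl = h["ttl"] - 1
    payload = pkt[h["header_len"]:h["total_length"]]
    if len(payload) + 20 <= mtu:   # steps 4-6: new checksum for the new TTL, then forward
        return "forward", [build_header(h["src"], h["dst"], h["proto"], ttl, len(payload),
                                        h["ident"], h["df"], h["mf"], h["offset"]) + payload]
    if h["df"]:
        return "discard: Don't Fragment set and MTU too small, ICMP Destination Unreachable", []
    # Steps 2-3: split on 8-byte boundaries; each piece keeps the Fragment ID, gets its own
    # Offset, and every piece except the last carries the More Fragments flag.
    chunk = (mtu - 20) // 8 * 8
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        last = off + len(piece) == len(payload)
        frags.append(build_header(h["src"], h["dst"], h["proto"], ttl, len(piece), h["ident"],
                                  False, h["mf"] or not last, h["offset"] + off) + piece)
    return "forward (fragmented)", frags


def reassemble(frags: list) -> bytes:
    """The destination host's job: order the pieces by Offset and rebuild the original payload."""
    ordered = sorted(frags, key=lambda f: parse_header(f)["offset"])
    data = b""
    for f in ordered:
        h = parse_header(f)
        if h["offset"] != len(data):
            raise ValueError(f"fragment missing before offset {h['offset']}")
        data += f[h["header_len"]:h["total_length"]]
    if parse_header(ordered[-1])["mf"]:
        raise ValueError("last fragment still has More Fragments set")
    return data


# Constructed sample: a 1024-byte UDP payload from the galdor lab server to the host pinged
# in the ICMP exercise, with a fresh TTL of 64.
SAMPLE_PAYLOAD = bytes(range(256)) * 4
DATAGRAM = build_header("128.184.85.151", "139.132.118.2", IP_PROTO_UDP, 64,
                        len(SAMPLE_PAYLOAD), ident=0x1234) + SAMPLE_PAYLOAD
# A traceroute-style probe: an ICMP Echo with TTL 1 that the first router must not pass on.
PROBE = build_header("128.184.85.151", "139.132.118.2", IP_PROTO_ICMP, 1, 8) + b"\x08\x00" + bytes(6)

if __name__ == "__main__":
    print(router_forward(DATAGRAM, 1500)[0], "on a 1500-byte link")
    decision, pieces = router_forward(DATAGRAM, 576)
    print(decision, [parse_header(p)["offset"] for p in pieces], "on a 576-byte link")
    print(router_forward(PROBE, 1500)[0])
```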


6. Transmission Control Protocol (TCP)

Time: 20 minutes
Reference: Internetworking with TCP/IP on Windows NT, Page 46-50

TCP is a reliable, connection-orientated delivery service. TCP data is transmitted in segments, and a session must be established before hosts can exchange data. TCP uses byte-stream communications, which means that the data is treated as a sequence of bytes.

It achieves reliability by assigning a sequence number to each segment transmitted by TCP. If a segment is broken into smaller pieces, the receiving host knows whether all pieces have been received. An acknowledgement verifies that the other host received the data. For each segment sent, the receiving host returns an acknowledgment (ACK) within a specified period.

If the sender does not receive an ACK, the data is retransmitted. If the segment is received damaged, the receiving host discards it. Because an ACK is not sent, the sender retransmits the segment.

Ports

Sockets applications identify themselves within a computer by using a protocol port number. For example, the FTP server application uses a specific TCP port number so that other applications can communicate with it.

Ports can use any number between 0 and 65,536. Port numbers for client-side applications are dynamically assigned by the operating system when there is a request for service. Port numbers for well-known server-side applications are pre-assigned by the Internet Assigned Numbers Authority (IANA) and do not change. You can examine port numbers by looking at the services file which can be found at /etc/services on Unix, and at C:\WinNT\System32\Driver\Etc\Services on Windows NT.

Sockets

A socket is similar in concept to a file handle in that it functions as an endpoint for network communication. An application creates a socket by specifying three items:

The IP address of the host.
The type of service (TCP or UDP).
The port the application is using.

An application can create a socket and use it to send connectionless traffic to remote applications. An application can also create a socket and connect it to another application's socket. Data can then be reliably sent over this connection.

Generically a socket is a programming interface that can be used to communicate data using any transport. For example, a socket can use a FIFO buffer to transfer data, or use other network protocols such as IPX/SPX.

TCP Ports

A TCP port provides a specific location for delivery of messages. Port numbers below 1024 are defined as commonly used ports. The following table shows a few commonly used ports.

Port   Description
21     FTP
23     Telnet
25     Simple Mail Transfer Protocol (SMTP)
53     Domain Name System (DNS)
110    Post Office Protocol (POP)
139    NetBIOS session service

TCP Three-Way Handshake

A TCP session is initialized through a three-way handshake. The purpose of the three-way handshake is to synchronize the sending and receiving of segments, inform the other host of the amount of data it is able to receive at once, and establish a virtual connection. The following steps outline the three-way handshake process.

1. The initiating host requests a session by sending out a segment with the synchronization (SYN) flag set to on.
2. The receiving host acknowledges the request by sending back a segment with:
   The synchronization flag set to on.
   A sequence number to indicate the starting byte for a segment it may send.
   An acknowledgment with the byte sequence number of the next segment it expects to receive.
3. The requesting host sends back a segment with the acknowledged sequence number and the acknowledgment number.

TCP uses a similar handshake process to end a connection. This guarantees that both hosts have finished transmitting and that they received all of the data.




TCP Sliding Windows

TCP buffers data for transmission between two hosts by using sliding windows. Each TCP/IP host maintains two sliding windows: one for receiving data, and the other for sending data. The size of the window indicates the amount of data that can be buffered on a computer.

In this seven-minute presentation, you see how TCP sliding windows work and how the size of a sliding window can affect performance. Run TCP Sliding Window Video.

Practical

1. In Windows NT start the Network Monitor and start capturing data.
2. In a DOS window enter ftp gollum and login with username anonymous and password your-login-name@deakin.edu.au, and issue a dir command and then quit the ftp application.
3. Stop and View the Network Monitor capture and highlight the TCP packets with Red and the FTP packets with Green.
4. View the FTP connection packets and note the source and destination IP addresses and the source and destination port numbers.
5. Find the three-way handshake packets and look at the Flags section of TCP to see the Synchronization and Acknowledgement flags that are set during the handshake.
6. Look up the port numbers in the services file.
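An added example, not from the manual: a Python model of the three-way handshake described above, applied to a constructed capture of the FTP control connection from step 4 of the practical (a client port 1045 opening a session to gollum's port 21, with made-up initial sequence numbers). It decodes the Flags section of each segment the way step 5 asks and checks that each step's sequence and acknowledgment numbers line up before reporting the session as established.

```python
import struct

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def build_segment(src_port, dst_port, seq, ack, flags, window=8192, payload=b"") -> bytes:
    """20-byte TCP header without options. The checksum is left at zero: it needs the IP
    pseudo-header, which this handshake model does not carry."""
    bits = sum(FLAG_BITS[name] for name in flags)
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack, 5 << 4, bits,
                       window, 0, 0) + payload


def parse_segment(seg: bytes) -> dict:
    """Decode the fields that the Flags section in Network Monitor shows for each TCP packet."""
    src, dst, seq, ack, off_res, bits, window, _cksum, _urg = struct.unpack("!HHIIBBHHH", seg[:20])
    hlen = (off_res >> 4) * 4
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack, "window": window,
            "flags": {name for name, bit in FLAG_BITS.items() if bits & bit},
            "payload": seg[hlen:]}


class Handshake:
    """Follows the three steps above for one client/server port pair and checks that the
    sequence and acknowledgment numbers line up; anything else is recorded, not guessed at."""

    def __init__(self, client_port: int, server_port: int):
        self.client_port, self.server_port = client_port, server_port
        self.state = "CLOSED"
        self.client_isn = self.server_isn = None
        self.errors = []

    def _from_client(self, s):
        return s["src_port"] == self.client_port and s["dst_port"] == self.server_port

    def _from_server(self, s):
        return s["src_port"] == self.server_port and s["dst_port"] == self.client_port

    def feed(self, seg: bytes) -> str:
        s = parse_segment(seg)
        f = s["flags"]
        if "RST" in f:                       # either side refusing or aborting the session
            self.state = "CLOSED"
        elif self.state == "CLOSED":         # step 1: SYN from the initiating host
            if f == {"SYN"} and self._from_client(s):
                self.client_isn, self.state = s["seq"], "SYN_SENT"
            else:
                self.errors.append(f"expected SYN from client, got {sorted(f)}")
        elif self.state == "SYN_SENT":       # step 2: SYN+ACK carrying the server's ISN
            if f == {"SYN", "ACK"} and self._from_server(s) and s["ack"] == self.client_isn + 1:
                self.server_isn, self.state = s["seq"], "SYN_RECEIVED"
            else:
                self.errors.append(f"bad SYN/ACK: flags {sorted(f)} ack {s['ack']}")
        elif self.state == "SYN_RECEIVED":   # step 3: client acknowledges the server's ISN + 1
            if ("ACK" in f and "SYN" not in f and self._from_client(s)
                    and s["seq"] == self.client_isn + 1 and s["ack"] == self.server_isn + 1):
                self.state = "ESTABLISHED"
            else:
                self.errors.append(f"bad final ACK: seq {s['seq']} ack {s['ack']}")
        return self.state


# Constructed capture of the FTP control connection from the practical: a client on port 1045
# opening a session to gollum's port 21. Initial sequence numbers are made up.
CLIENT, SERVER = 1045, 21
GOOD_HANDSHAKE = [
    build_segment(CLIENT, SERVER, 1_000_000, 0, {"SYN"}),
    build_segment(SERVER, CLIENT, 5_000_000, 1_000_001, {"SYN", "ACK"}),
    build_segment(CLIENT, SERVER, 1_000_001, 5_000_001, {"ACK"}),
]
# Same exchange, but the final ACK acknowledges the wrong byte: the session must not open.
BAD_HANDSHAKE = GOOD_HANDSHAKE[:2] + [build_segment(CLIENT, SERVER, 1_000_001, 5_000_000, {"ACK"})]


def run(segments) -> tuple:
    """Feed a segment list through a fresh tracker; returns (final state, error list)."""
    hs = Handshake(CLIENT, SERVER)
    for seg in segments:
        hs.feed(seg)
    return hs.state, hs.errors


if __name__ == "__main__":
    for seg in GOOD_HANDSHAKE:
        s = parse_segment(seg)
        print(f"{s['src_port']:>5} -> {s['dst_port']:<5} seq={s['seq']} ack={s['ack']} {sorted(s['flags'])}")
    print(run(GOOD_HANDSHAKE))
    print(run(BAD_HANDSHAKE))
```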



7. User Datagram Protocol (UDP)

Time: 15 minutes
Reference: Internetworking with TCP/IP on Windows NT, Page 51-52

User Datagram Protocol (UDP) provides a connectionless datagram service that offers unreliable, "best effort" delivery. This means that the arrival of datagrams or correct sequencing of delivered packets is not guaranteed. UDP is used by applications that do not require an acknowledgement of data receipt. These applications typically transmit small amounts of data at one time. Examples of services and applications that use UDP are the NetBIOS name service, NetBIOS datagram service, and the Simple Network Management Protocol (SNMP).

To use UDP, the application must supply the IP address and port number of the destination application. A port provides a location for sending messages and is identified by a unique number. A port functions as a multiplexed message queue, meaning that it can receive multiple messages at a time. It is important to note that the UDP ports listed in the following table are distinct and separate from TCP ports even though some of them use the same port number.

Port   Keyword       Description
15     NETSTAT       Network status
53     DOMAIN        Domain Name Server
69     TFTP          Trivial File Transfer Protocol
137    NETBIOS-NS    NetBIOS name service
138    NETBIOS-DGM   NetBIOS datagram service
161    SNMP          SNMP network monitor

The fields in the following table are combined in the 8-byte UDP header.

Field              Function
Source Port        UDP port of sending host. The sending port value is optional. If not used, it is set to zero.
Destination Port   UDP port of destination host. This provides an endpoint for communications.
Message Length     The size of the UDP message. The minimum UDP packet contains only the header information (8 bytes).
Checksum           Verifies that the header is not corrupted.

Practical

1. In Windows NT start the Network Monitor and start capturing packets.
2. In a DOS window enter tftp turin GET motd. This uses the TFTP protocol to fetch a file from turin. You can type motd to ensure that you received the file.
3. Stop and View the network capture and use Colours to highlight UDP packets.
4. Find the TFTP packets and note the source and destination IP addresses and port numbers for each packet.
5. Prior to the TFTP packets you will find some DNS packets. Open these up and note that they are using UDP for transmission and find what port it is using.
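Added example (not the manual's code): parsing the 8-byte UDP header from the table above and the TFTP request and reply that the practical's tftp turin GET motd generates, including the point step 4 is meant to reveal, that the server answers from a freshly chosen port rather than from 69. The client port, the server's transfer identifier and the file contents are constructed, the service lookup is keyed by transport and port because the tables above share numbers, and the checksum is only reported, not verified.

```python
import struct

UDP_HEADER_LEN = 8
# Keys are (transport, port): a UDP port and a TCP port with the same number are distinct endpoints.
SERVICES = {("udp", 53): "DOMAIN", ("udp", 69): "TFTP", ("udp", 137): "NETBIOS-NS",
            ("udp", 138): "NETBIOS-DGM", ("udp", 161): "SNMP",
            ("tcp", 21): "FTP", ("tcp", 53): "DNS", ("tcp", 139): "NetBIOS session service"}
TFTP_OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}


def build_datagram(src_port: int, dst_port: int, payload: bytes, checksum: int = 0) -> bytes:
    """Source Port, Destination Port, Message Length, Checksum, then the data."""
    return struct.pack("!HHHH", src_port, dst_port, UDP_HEADER_LEN + len(payload), checksum) + payload


def parse_datagram(data: bytes) -> dict:
    """Decode the 8-byte header from the table above and sanity-check Message Length."""
    if len(data) < UDP_HEADER_LEN:
        raise ValueError("shorter than the 8-byte UDP header")
    src, dst, length, checksum = struct.unpack("!HHHH", data[:UDP_HEADER_LEN])
    if length < UDP_HEADER_LEN or length > len(data):
        raise ValueError(f"Message Length {length} does not fit the {len(data)} bytes received")
    return {
        "src_port": src, "dst_port": dst, "length": length,
        "reply_possible": src != 0,         # a zero Source Port means "not used"
        "checksum_present": checksum != 0,  # zero means the sender did not compute one (IPv4)
        "service": SERVICES.get(("udp", dst), "unassigned"),
        "payload": data[UDP_HEADER_LEN:length],
    }


def parse_tftp(payload: bytes) -> dict:
    """Decode the TFTP messages the practical generates with tftp turin GET motd (RFC 1350)."""
    if len(payload) < 2:
        raise ValueError("TFTP message needs at least an opcode")
    kind = TFTP_OPCODES.get(struct.unpack("!H", payload[:2])[0])
    if kind in ("RRQ", "WRQ"):
        fields = payload[2:].split(b"\x00")    # filename NUL mode NUL
        if len(fields) < 3:
            raise ValueError("request is missing its NUL-terminated filename or mode")
        return {"op": kind, "filename": fields[0].decode("ascii"),
                "mode": fields[1].decode("ascii").lower()}
    if kind == "DATA":
        block = struct.unpack("!H", payload[2:4])[0]
        return {"op": kind, "block": block, "data": payload[4:], "last": len(payload) - 4 < 512}
    if kind == "ACK":
        return {"op": kind, "block": struct.unpack("!H", payload[2:4])[0]}
    if kind == "ERROR":
        code = struct.unpack("!H", payload[2:4])[0]
        return {"op": kind, "code": code, "message": payload[4:].split(b"\x00")[0].decode("ascii")}
    raise ValueError("unknown TFTP opcode")


# Constructed datagrams modelled on the practical: the client asks port 69 for motd, and the
# server answers from a freshly chosen port (its transfer identifier), not from 69.
CLIENT_PORT, SERVER_TID = 1028, 3201
REQUEST = build_datagram(CLIENT_PORT, 69, b"\x00\x01" + b"motd\x00" + b"netascii\x00")
REPLY = build_datagram(SERVER_TID, CLIENT_PORT, b"\x00\x03\x00\x01" + b"Welcome to turin\r\n")
ACK = build_datagram(CLIENT_PORT, SERVER_TID, b"\x00\x04\x00\x01")

if __name__ == "__main__":
    for dg in (REQUEST, REPLY, ACK):
        u = parse_datagram(dg)
        print(f"{u['src_port']:>5} -> {u['dst_port']:<5} len={u['length']:<3} {u['service']:<10}",
              parse_tftp(u["payload"]))
```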


























Session Four - Linux and NT Network Configuration

Outline

1. Device Drivers, protocols, binding, and services.
2. IP Addressing
3. Subnetting and subnet masks.
4. Configure the second network interface on Linux.
5. Install a NIC driver into Windows NT.

Laboratory Requirements

Lab network cabled as in Session One except the onboard Ethernet should be connected to the bench socket and the second Ethernet card should be connected to the mini-hub. The mini-hubs should be connected together using ThinNet and one hub should also be connected (uplink) to the network.
Linux installed on each PC with network code in kernel but second interface unconfigured.
Windows NT installed on each PC with second interface unconfigured.


1. Device drivers, protocols, binding, and services.

Time: 10 minutes
Reference: Networking Essentials, Page 181-183

Device Drivers

A device driver is software that enables a computer to work with a particular hardware device. Although a device may be installed into a computer, the computer's operating system cannot communicate with the device until the driver for that device has been installed and configured. It is the software driver that tells the computer how to drive or work with the device so that the device performs the job it is supposed to.

There are drivers for nearly every type of computer device and peripheral, including:

Input devices, such as mouse devices and keyboards.
SCSI and IDE disk controllers.
Floppy disk controllers.
Printers, plotters, scanners.
Network interface cards.

Usually it is the computer's operating system that works with the driver in making the device perform. There are usually two places from which you can obtain drivers. One is from the operating system distribution; for example, Linux has a certain set of hardware devices which it supports and provides drivers for. The second option is that the supplier of the hardware device will provide a disk of drivers for various operating systems. Unfortunately, these drivers usually only support operating systems like Windows 95/98/NT, IBM OS2, and NetWare and not Linux. Therefore when putting systems together for rarer operating systems you need to pay particular attention to the supported hardware of that operating system.

Network adapter card drivers reside in the Media Access Control (MAC) sublayer of the Data Link layer of the OSI model. The Media Access Control sublayer is responsible for providing shared access for the computer's network adapter cards to the Physical Layer. In other words, the network adapter card drivers ensure direct communication between the computer and the network adapter card. This, in turn, provides a link between the computer and the rest of the network.

Protocols

Protocols are rules and procedures for communicating. When several computers are networked, the rules and technical procedures governing their communication and interaction are called protocols. There are four points to keep in mind about protocols in a network environment:

1. There are many protocols. While each protocol allows basic communications, they have different purposes and accomplish different tasks. Each protocol has its own advantages and restrictions.
2. Some protocols work at various OSI layers. The layer at which a protocol works describes its function. For example, a certain protocol works at the Physical layer, meaning that the protocol at that layer ensures that the data packet passes through the network adapter card and out onto the network.
3. Several protocols may work together (at different OSI layers) in what is known as a protocol stack or suite, e.g. TCP/IP.
4. Several protocol stacks may exist side-by-side in a computer to enable multiple protocol paths to the network. For example, the TCP/IP protocol stack may exist alongside the Appletalk protocol stack and the Netware (IPX/SPX) protocol stack.

Binding

The binding process allows a great deal of flexibility in setting up a network. Protocols and network adapter cards can be mixed and matched on an as-needed basis. For example, two protocol stacks, such as IPX/SPX and TCP/IP, can be bound to one network adapter card. If there is more than one network adapter card in the computer, one protocol stack can be bound to either or both network adapter cards.

In Microsoft operating systems, the binding order determines the order in which the operating system runs the protocol. If there are multiple protocols bound to one network adapter card, it indicates the order in which the protocols will be used to attempt a successful connection. For example, if TCP/IP is bound as the first protocol, TCP/IP will be used to attempt a network connection. If this network connection fails, your computer will transparently attempt to make a connection using the next protocol in the binding order.

Services

Network services are network operating system application layer programs that use the lower layer network protocol stacks to provide some service to the network. For example, in Windows NT the Server service provides for sharing of local resources with other computers, or the DHCP server service provides IP addresses to clients upon request.

On Unix systems the services are called daemons. So, for example, the telnet daemon provides a service to incoming telnet connections, and the DHCP daemon provides for IP address allocations to clients.


2. IP Addressing

Time: 15 minutes
Reference: Internetworking with TCP/IP on Windows NT, Page 55-79

Static IP Address allocation (hosts files)

Every interface on the network has to have a unique address so that other computers can address packets to the destination computer, just as every piece of postal mail has to have an address on it.

In TCP/IP the IP address identifies a system's location on the network. Each address has two parts: a network ID and a host ID. The network ID identifies a physical network. All computers on the same network require the same network ID, which should be unique to the internetwork, or if you are directly connected to the Internet then the network ID must be unique for the entire Internet. The host ID identifies a particular workstation, server, router, or other TCP/IP host within a network. The host ID must be unique to the network ID.

The human readable format of an IP address is referred to as dotted decimal notation. An example is the galdor lab server address of 128.184.85.151. In IP the IP address is usually associated with a more friendly, and easier to remember name, called a hostname, e.g. eros or galdor. This hostname must then be converted (or resolved) to the IP address before communication can take place. This name resolution can be done in two ways. The most popular method is dynamic name resolution, which we will look at in session seven. The simpler method is to look up the hostname in a simple text file, which has lines of IP address and hostname pairs. This is termed static IP address assignment. The file in which the names and addresses are kept is called a hosts file. On Unix systems the file is kept in /etc/hosts while on Windows NT it is usually in C:/Winnt/System32/Drivers/Etc/Hosts.

An example /etc/hosts file is shown below:

    #
    # Internet host table
    #
    127.0.0.1        localhost
    128.184.85.1     netlab01.cm.deakin.deu.au    netlab01
    128.184.85.151   galdor.cm.deakin.edu.au      galdor

You may notice several names associated with some IP addresses and these are just aliases for the machine. With this file in place you could ping 128.184.85.1 or ping netlab01.cm.deakin.deu.au and get the same result.


Address Classes

There are different classes of IP addresses. Each class defines the part of the IP address that identifies the network ID and the part that identifies the host ID. The Internet community has defined five IP address classes to accommodate networks of varying sizes. The class of address defines which bits in the address are used for the host ID. The class also defines the possible number of hosts per network.

You can identify the class of address by the number in the first octet. The 32-bit IP addressing scheme supports a total of 3,720,314,628 possible addresses. The following chart shows the network and host ID fields for class A, B, and C IP addressing:

Class   High-order Bits   IP Address   Network ID   No. of Nets   Range of Net IDs   Host ID   No. of Hosts
A       0                 w.x.y.z      w            126           1-126              x.y.z     16777214
B       10                w.x.y.z      w.x          16,384        128.1-191.254