COMPUTER AND NETWORK
SYSTEM ADMINISTRATION
Summer 1996 - Lesson 13
TCP/IP and Routing
A. ISO/OSI model
1. You've studied it - now forget it!
2. Exhibit A (page 246) is a more informative picture
- requests pass down the layers
- header (and sometimes trailer) information is added at
each layer ("encapsulation into envelopes")
- Exhibit B (page 247) this header information consists of:
+ addresses (MAC = Media Access Control, IP, port)
+ packet size info
+ checksums
- example: NFS packets should have
+ ethernet header
+ IP header
+ UDP header
+ finally some NFS data
- example: ARP packet
+ ethernet header only
3. promiscuous mode
- usually the headers are stripped off as the packet is passed up
through the software layers
- a promiscuous interface allows us to see the header information
- etherfind, tcpdump, snoop are tools that operate via a promiscuous
interface
B. Header contents
1. Ethernet header
- can see MAC address from name using: "arp "
- MAC addresses are built into the ethernet card (unique per card)
- if a machine has more than one ethernet interface then it has
more than one MAC address
- 6 bytes means 2^48 different addresses (> 2 x 10^14)
- contents (14 bytes):
+ destination MAC address (6)
+ source MAC address (6)
+ packet type (2)
2. IP header
- can get IP address from name using: nslookup
- IP addresses for a network are assigned by the network
administrator
- networks are assigned by InterNIC Registration Services
- 4-byte address allows how many potential addresses?
- 2^32 or 4 billion+ seems like it ought to be enough
- however, whole networks are assigned, not individual addresses
- one FSU network is 128.186.0.0
- what class network is this? (class B)
- how many potential IP addresses are there in this network? (2^16 = 64K)
- what if there were only 1000 machines at FSU? (over 63,000 wasted
addresses)
- FSU has 3 class B networks (possibly more by now)
+ 128.186.x.x
+ 144.174.x.x (SCRI)
+ 146.201.x.x (magnet lab)
+ a number of class C networks
- FSU has on the order of 10,000 nodes (likely more now)
- In the future: "IPng" (aka "IPv6") -> 128 bit IP addresses!
"IPng has 665,570,793,348,866,943,898,599 addresses per square meter of the Earth.
Assuming the most pessimistic hierarchical division possible it is estimated that
there are still 1564 addresses per square meter." - from IPng - The Specification.
- contents (20 bytes):
+ version
+ Id number
+ flags
+ time to live (TTL)
+ checksum
+ source IP address
+ destination IP address
- notice no port numbers yet
3. UDP header
- connectionless, unreliable
- contents (8 bytes)
+ source port
+ destination port
+ size (of UDP header+data)
+ checksum
4. TCP header
- connection-oriented, reliable
- contents
+ source port
+ destination port
+ sequence number
+ acknowledgement number
+ flags
+ checksum
C. Packet structure
typical UDP packet
command: etherfind -x -v -between sed sig
UDP from sed.2049 to sig.1020 52 bytes
08 00 20 07 4b c4 08 00 20 1d f1 aa 08 00 45 00
00 48 9f 85 00 00 ff 11 27 a3 80 ba 79 9d 80 ba
79 6a 08 01 03 fc 00 34 00 00 2f 40 80 6c 00 00
00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 0c 2e 2e 2f 76 61 72
2f 73 70 6f 6f 6c
frame size = 86 bytes
DECOMPOSITION:
1. ethernet header (14 bytes)
08 00 20 07 4b c4  08 00 20 1d f1 aa  08 00
-----------------  -----------------  -----
 sig MAC address    sed MAC address   packet
                                       type
2. IP header (20 bytes)
45 00  00 48  9f 85 00 00 ff 11  27 a3  80 ba 79 9d  80 ba 79 6a
-----  -----  -----------------  -----  -----------  -----------
ver    length ID, flags, TTL     check  sed IP addr  sig IP addr
       (72)                      sum
3. UDP header (8 bytes)
08 01   03 fc   00 34   00 00
-----   -----   -----   -----
port#   port#   size    check
(2049)  (1020)  (52)    sum
4. data (44 bytes)
2f 40 80 6c 00 00
00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 0c 2e 2e 2f 76 61 72 2f 73 70 6f 6f 6c
                              .  .  /  v  a  r  /  s  p  o  o  l
D. Using snoop (Solaris)
- snoop -v
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 3 arrived at 13:18:45.21
ETHER: Packet size = 118 bytes
ETHER: Destination = 8:0:20:f:a2:bb, Sun
ETHER: Source = 8:0:20:10:49:81, Sun
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 104 bytes
IP: Identification = 15195
IP: Flags = 0x0
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 60 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = 4f7d
IP: Source address = 128.186.121.10, nu
IP: Destination address = 128.186.121.46, mount
IP: No options
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 657
UDP: Destination port = 991 (Sun RPC)
UDP: Length = 84
UDP: Checksum = 0000 (no checksum)
UDP:
RPC: ----- SUN RPC Header -----
RPC:
RPC: Transaction id = 794985215
RPC: Type = 1 (Reply)
RPC: This is a reply to frame 2
RPC: Status = 0 (Accepted)
RPC: Verifier : Flavor = 0 (None), len = 0 bytes
RPC: Accept status = 0 (Success)
RPC:
NIS: ----- Network Information Service -----
NIS:
NIS: Proc = 5 (Return next key-value pair in map)
NIS: Status = 1 (OK)
NIS: Value = backup:*:5:root,kuncick,operator
NIS: Key = backup
NIS:
E. ARP packet
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 3 arrived at 10:04:55.43
ETHER: Packet size = 60 bytes
ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast)
ETHER: Source = 0:0:a5:19:4b:0,
ETHER: Ethertype = 0806 (ARP)
ETHER:
ARP: ----- ARP/RARP Frame -----
ARP:
ARP: Hardware type = 1
ARP: Protocol type = 0800 (IP)
ARP: Length of hardware address = 6 bytes
ARP: Length of protocol address = 4 bytes
ARP: Opcode 1 (ARP Request)
ARP: Sender's hardware address = 0:0:a5:19:4b:0
ARP: Sender's protocol address = 128.186.8.101, riscrouter.htl.fsu.edu
ARP: Target hardware address = ?
ARP: Target protocol address = 128.186.8.255, 128.186.8.255
ARP:
G. tcpdump
07:46:50.444736 test8.scri.fsu.edu.login > ibm9.scri.fsu.edu.1022: P 613206528:613206556(28) ack 4
07:46:50.514737 test8.scri.fsu.edu.1156 > dns.scri.fsu.edu.domain: 1+ (44)
07:46:50.514737 dns.scri.fsu.edu.domain > test8.scri.fsu.edu.1156: 1* 1/0/0 (75)
07:46:50.534737 test8.scri.fsu.edu.1157 > dns.scri.fsu.edu.domain: 2+ (45)
07:46:50.534737 dns.scri.fsu.edu.domain > test8.scri.fsu.edu.1157: 2* 1/0/0 (75)
07:46:50.634739 ibm9.scri.fsu.edu.1022 > test8.scri.fsu.edu.login: . ack 28 win 15092
07:46:51.874760 0:0:ca:3:7:4c > 1:80:c2:0:0:0 802.1d ui/C len=43
0000 0000 0080 0000 00ca 0304 aa00 0000
6e80 0000 00ca 0307 4c80 0100 0114 0002
000f 0001 0100 0000 0000 0038 0331 3734
0331 34
H. software tools
1. ping
2. netstat -i (more on this later)
3. netstat -r (more on this later)
4. etherfind (SunOS 4.x), snoop (SunOS 5.x)
5. traceroute
6. expensive, fancy GUI tools
7. free GUI tools (interman, etherman, tcpview)
Check ftp://sunsite.unc.edu:/pub/Linux/system/Network for lots of goodies!
--> Hardware solutions exist! "Network Sniffers"
I. example "traceroute"
omicron:/usr/bin> traceroute gatech.edu
traceroute to gatech.edu (128.61.1.1), 30 hops max, 40 byte packets
1 scl-hub-fddi.fsu.edu (128.186.8.1) 3.741 ms
2 fddi-bfs.fsu.edu (128.186.254.5) 4.013 ms
3 SURAcisco-Firewall.fsu.edu (192.80.53.23) 4.336 ms
4 suranet.tlh.fl.us (198.102.72.10) 9.043 ms
5 atu2-tau1-c1.sura.net (128.167.125.1) 68.638 ms
6 git-atu2-c3.sura.net (128.167.160.2) 25.409 ms
7 gt-border.gatech.edu (192.221.26.1) 38.683 ms
8 gt-firewall-ext-fddi.gatech.edu (130.207.244.1) 24.813 ms
9 campus2-rtr-int-fddi.gatech.edu (130.207.254.3) 36.845 ms
10 gatech.edu (128.61.1.1) 40.945 ms
traceroute to berkeley.edu (128.32.123.6), 30 hops max, 40 byte packets
1 scl-hub-fddi.fsu.edu (128.186.8.1) 2.556 ms
2 fddi-bfs.fsu.edu (128.186.254.5) 3.641 ms
3 SURAcisco-Firewall.fsu.edu (192.80.53.23) 6.107 ms
4 suranet.tlh.fl.us (198.102.72.10) 7.811 ms
5 atu2-tau1-c1.sura.net (128.167.125.1) 58.469 ms
6 cpe1-fddi1.Atlanta.mci.net (192.221.42.100) 32.362 ms
7 border1-hssi1/0.Atlanta.mci.net (204.70.16.5) 35.987 ms
8 core-fddi-0.Atlanta.mci.net (204.70.2.49) 33.293 ms
9 core-hssi-4.Houston.mci.net (204.70.1.26) 42.221 ms
10 core-hssi-3.LosAngeles.mci.net (204.70.1.34) 87.002 ms
11 core-hssi-4.SanFrancisco.mci.net (204.70.1.42) 124.787 ms
12 border1-fddi0/0.SanFrancisco.mci.net (204.70.2.162) 137.09 ms
13 cpe1-hssi-1.SanFrancisco.mci.net (204.70.32.6) 145.582 ms
14 SU-CM.BARRNET.NET (192.31.48.200) 136.698 ms
15 UCB0.BARRNET.NET (131.119.2.2) 104.799 ms
16 inr-666-dmz.Berkeley.EDU (192.31.161.21) 231.589 ms
17 inr-108-styx.Berkeley.EDU (128.32.1.2) 127.806 ms
18 * inr-105.Berkeley.EDU (128.32.155.105) 87.194 ms
19 sunny.Berkeley.EDU (128.32.123.6) 151.383 ms