
Edward Mitchell 01012631 MSc Advanced Networking Fundamentals of Networking: CO72043 Coursework 1: Trace Interpretation

Coursework 1 Trace Interpretation

Abstract - 1


I have been asked by the lecturer to provide a detailed report on what happens at packet level during an FTP session. I am using a program called Ethereal to monitor, trace and analyse the packets and give me the tools to compile this report. I will start with a brief introduction to some of the devices used in the connection and look at the protocols used.

Introduction - 2
This report is the breakdown of a communication between an FTP server and a client. I will be looking in depth at how the process begins, flows, and terminates. I will also be looking at some of the other aspects of the network communication and try to give a good understanding of what is actually going on.

Objectives 2.1
The requirements for this report are as follows:
- Interpret a data trace of a file transfer
- Relate the processes in the trace to a communication model
- Report on the operation of the protocols involved with the trace
- Identify the component parts of the overall download process
- Distinguish between relevant and non-relevant information

Methodology 2.2
To achieve this aim I have to gain access to software, which will allow me to trace the route, give me routing and network information and show the detailed information needed. For this task I have chosen to use a program called Ethereal. This program allows the user to analyse the network packets to such detail that traces and network diagnostics can be carried out.

Background 2.3
The computer involved is a computer within Napier University.
- Hostname: pc165020.napier.ac.uk
- MAC Address: 00:30:f2:c3:74:00
- Assigned IP Address: 146.176.165.20

This host will connect to a web server in a Demilitarised Zone (DMZ), which will then connect to the external FTP server and relay the packets back to the host via Gateway 146.176.165.254.

Theory 3
The protocols that are going to be discussed in this paper are as follows:
- LLC: Logical Link Control - IEEE 802.3
- ARP: Address Resolution Protocol
- NetBios: NetBios
- SMB: Server Message Block
- WKSSVC: Workstation Service
- DCERPC: Distributed Computing Environment / Remote Procedure Calls
- SRVSVC: Server Service
- TCP: Transmission Control Protocol
- IP: Internet Protocol
- FTP: File Transport Protocol

3.1 Logical Link Control - IEEE 802.3
- Higher of the 2 Data Link Layer sublayers
- Deals with error control, flow control, framing and MAC-sublayer addressing

3.2 Server Message Block
Allows communication between different O/S types like Unix and Windows on a file sharing level.

3.3 Workstation Service
The Windows Workstation service creates and maintains client network connections to remote servers, including the Internet, File and Printer Sharing.

3.4 Distributed Computing Environment / Remote Procedure Calls

3.5 Server Service
Provides the ability to manage network services like file sharing and network printing.


3.6 Transmission Control Protocol
It is very important to know this protocol well, so I have expanded this section to allow for a full understanding of the workings of this protocol.

TCP deals with layer 3 of the TCP/IP Networking Model and layer 4 of the OSI Model. TCP is a connection-orientated protocol, which uses error checking. TCP uses ports to connect services or applications.

File Transfer Protocol (FTP), Hyper Text Protocol (HTTP), Telnet, Simple Mail Transport Protocol (SMTP), Post Office Protocol (POP), Directory Naming Service (DNS) and Simple Network Management Protocol (SNMP) are all part of the TCP service and are standard networking protocols.
- FTP uses port 21 for data and port 19 for control and is used to transfer files over the Internet.
- HTTP uses port 80 and is the port that web pages use when you visit a web site.
- SMTP is used for sending emails and uses port 25.
- POP is used for receiving mail and uses port 110.
- Directory Naming Service (DNS) is used for finding the address from a typed URL, or for finding a machine's name from an IP address. DNS uses port 53.
- SNMP is used for remotely monitoring and managing networks. SNMP uses port 161.
- Telnet is an application that is used to remotely connect to computers anywhere in the world. Telnet uses port 23.

3.7 Internet Protocol (IP)
IP operates at Layer 3 of the OSI Model and also deserves an in-depth explanation. An IP address is a 32-bit number that is usually displayed in decimal format, e.g. 192.168.0.1. An IP address consists of 2 sections, the host and the network sections; these are shown below. There are 5 classes of addresses, class A through to E. Classes A - C are for commercial use, class D is used for multicasting and class E is used for research. IP address classes are distinguishable by the first octet.
- Class A = 0 - 126: Network.Host.Host.Host (16,777,214 possible hosts on each Class A)
- Class B = 128 - 191: Network.Network.Host.Host (65,532 possible hosts on each Class B)
- Class C = 192 - 223: Network.Network.Network.Host (254 possible hosts on each Class C)
- Class D = 224 - 247: Reserved for Multicasting
- Class E = 248 - 255: Reserved for Research

In an IP address, each segment separated by dots is always within the number range 0 - 255. The IP address in its normal form is binary, e.g. 192.168.0.1 in binary is 11000000.10101000.00000000.00000001. The reason the number is 0 - 255 is because if an octet is all ones, that makes a max number of 255 - 1 due to the numbering system counting 0, e.g. 0 - 254.

3.8 File Transport Protocol
File Transfer Protocol is a way of transferring a file over a network, where a client can log in to an FTP server over the Internet and download/upload files. It uses port 21 for the data flow and port 19 for control. FTP is a TCP layer protocol.

3.9 The OSI Model
Open Systems Interconnection (OSI) Model
TCP/IP uses the Open Systems Interconnection (OSI) model, which consists of a seven-layered system. This system is a very clever way of helping to evolve networking as each layer. The OSI model has evolved quickly due to the layering system, in that it is possible to work on 1 level and implement it without having to change the entire model. Each layer has its own purpose and always provides a service for the layers above and below, depending on which way the data is travelling, and hides what goes on from the layers above.

The seven layers are:
- Application Layer - Provides application programs like email, internet, file transfer etc.
- Presentation Layer - Transforms data into formats that layers above and below can accept, and handles network redirection and data compression.
- Session Layer - Sets up, maintains and ends connections.
- Transport Layer - Provides reliable end to end error checking and flow control.
- Network Layer - Outlines protocols used and routing.
- Data Link Layer - Provides access to the media and converts frames to binary ready to be transmitted across the network media.
- Physical Layer - Transmits and receives binary data, defines voltage, connector types and cabling.

3.10 Data Encapsulation
The OSI model provides the means to send and receive data from application data and encapsulates it in a format that the lower level will deal with. This is called data encapsulation. Data encapsulation works by wrapping headers for each layer for the layer beneath and vice versa.

Example - Sending an alphanumeric message over the network
User Message Sent: and here we go
1. Message to Data (Application, Presentation, Session)
2. Data to Segment (Transport Layer)
3. Segment to Packet or Datagram (Network Layer)
4. Packet or Datagram to Frame (Data-Link Layer)
5. Frame to Bits (Physical Layer)

A Diagram of the Open Standards Internetworking Model

Figure 1
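The five encapsulation steps of section 3.10, carried through in Python as an added example that is not part of the original report. The host MAC address and the two IP addresses are taken from the report; the destination MAC, the ports, the header field values and the function names are assumptions, and the TCP checksum and Ethernet FCS are left out.

```python
import struct

def checksum(data: bytes) -> int:
    """16-bit one's-complement checksum (RFC 1071) used in the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encapsulate(message, src_mac, dst_mac, src_ip, dst_ip, sport, dport):
    """Return the unit produced at each of the five steps of section 3.10."""
    data = message.encode("ascii")                       # 1. message -> data
    # 2. data -> segment: 20-byte TCP header (seq 1, ack 0, PSH+ACK,
    #    window 8192); the TCP checksum field is left at 0 in this sketch.
    segment = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18,
                          8192, 0, 0) + data
    # 3. segment -> packet: 20-byte IPv4 header (TTL 64, protocol 6 = TCP).
    ips = bytes(map(int, src_ip.split("."))) + bytes(map(int, dst_ip.split(".")))
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(segment), 1, 0, 64, 6, 0) + ips
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    packet = hdr + segment
    # 4. packet -> frame: Ethernet II header (EtherType 0x0800 = IPv4).
    frame = (bytes.fromhex(dst_mac.replace(":", ""))
             + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00" + packet)
    bits = "".join(f"{b:08b}" for b in frame)            # 5. frame -> bits
    return data, segment, packet, frame, bits

def decapsulate(frame: bytes) -> str:
    """Receiver side: strip the headers in reverse order to recover the message."""
    packet = frame[14:]                                  # drop Ethernet header
    ihl = (packet[0] & 0x0F) * 4
    if checksum(packet[:ihl]) != 0:                      # intact header sums to 0
        raise ValueError("corrupt IPv4 header")
    segment = packet[ihl:struct.unpack("!H", packet[2:4])[0]]
    return segment[(segment[12] >> 4) * 4:].decode("ascii")  # drop TCP header

# Host MAC and both IP addresses come from the report; the destination MAC
# and the ports are constructed sample values.
LAYERS = encapsulate("and here we go", "00:30:f2:c3:74:00", "02:00:00:00:00:01",
                     "146.176.165.20", "192.108.131.14", 1188, 21)
```

Each element of `LAYERS` is 20, 20 and 14 bytes longer than the one before it, which is the header each layer wraps around the unit handed down to it.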

3.10 The TCP/IP Model
This model is very similar to the 7-layered OSI Model. It is basically the bottom 4 layers of the OSI model, but it has combined the data link layer and the Media Access Control (MAC) layer. The 4 layers are described below.
- Layer 1, Host to network layer: Controls the MAC layer and the DLL layer. Deals with error checking, flow control and physical aspects like hardware and media.
- Layer 2, Internet Layer: Deals with routing and IP addressing, and permits hosts to transmit any packet into any network it can see; the packets make their own way to the destination.
- Layer 3, Transport Layer: Provides end to end communication. Uses 2 protocols, TCP and User Datagram Protocol (UDP).
- Layer 4, Application Layer: This layer is the combined layers of the upper 3 layers in the OSI Model. Application, Presentation and Session layers are combined here. They carry out important functions, which are discussed earlier in this document in section 3.9 The OSI Model.

This is a diagram of the TCP/IP and ISO Models

Figure 2

Source : www.chu.edu.tw/.../ admin/chapter7/sld024.htm


The Packet trace


Within the packet trace file there is a lot going on. I am going to concentrate on the FTP part of it in this description. The FTP part starts at packet 50, when the node 146.176.165.20 (referred to from now on as the host) requests a DNS lookup of the DNS name sunsite.uakom.sk from the DNS server 146.176.1.5. Packet 51 replies with the IP address 192.108.131.14 (referred to from now on as the FTP Server). The Host then contacts the FTP Server using TCP port 1188 in packet 52. In packet 53 the FTP server then initiates a TCP connection on port 1188 for the FTP dialogue. Packet 54 is when the host acknowledges (Acks) the connection. The FTP server then announces that it is ready for the new user in packet 55. The host then Acks the announcement.

The Host requests an anonymous user connection to the server in packet 62, which the FTP server then Acks in packet 63. The FTP server then requests a password for user anonymous in packet 64. The host then Acks the request in packet 65 and then sends another packet, packet 75, to the FTP Server with the password. Packet 76 is where the server Acks that the password was good and tells the host to proceed, which the host then Acks in packet 77. In packet 78 the FTP server then announces that the logon is a guest logon and that service restrictions apply, to which the host replies with an Ack in packet 79.

The Host then sends a Destination Service Access Point (DSAP) packet to a file server on the local network to prepare for a file to be transferred to a network drive (packet 85). The node 3com_46:7D:92 (to be known as 3com) replies in packet 86 with Source Service Access Point (SSAP). Packet 88 is where 3COM then sends a command NetBios Individual SSAP DSAP, and the Host then responds to the command with SSAP and DSAP in packet 89.

The Host then resumes the conversation with the FTP server and requests the Current Working Directory (CWD) command with a PUB argument. This happens in packet 95. Next the FTP server responds with command successful in packet 96 and the host Acks in packet 101. The Host then requests the CWD with the argument of DOC (changes directory from PUB to DOC) in packet 179. The FTP server then announces the request as successful in packet 180. The Host then Acks packet 180 in packet 181 and in packet 183 requests CWD RTC (change to directory RTC), to which the FTP server then replies command successful in packet 184. The host then Acks this Ack in packet 185.

The Host then communicates with 3COM with a DSAP NetBios Individual SSAP NetBios Individual command (preparing the network storage to receive data) in packet 201. 3COM then replies in packet 202 with a DSAP NetBios Individual SSAP NetBios Individual response.

- Host sends command in packet 203: DSAP NetBios Individual SSAP NetBios Individual command.
- 3COM then responds with DSAP NetBios Individual SSAP NetBios Individual response in packet 204.
- Host sends command in packet 205: DSAP NetBios Individual SSAP NetBios Individual command.
- Host then requests port 146.176.165.20.4.165 in packet 206.
- The FTP server then responds with port command successful in packet 207.
- Host then Acks the reply and requests file name rtc2549.txt in packet 208.
- FTP server then requests a connection from source port 20 to destination port 1189 in packet 209.
- Host then Acks the request in packet 210.
- FTP server then Acks the Ack from host in packet 211.
- FTP server then opens an ASCII connection to port 1189 from port 20 in packet 212.
- FTP server then sends an FTP packet at the maximum 1380 bytes to host in packet 213.
- FTP server then sends an FTP packet at the maximum 1380 bytes to host in packet 214.
- Host then Acks the packet FTP-data on port 1188 in packet 215.
- FTP server then sends FTP-Data to host, size = 1380 bytes, in packet 216.
- FTP server then sends FTP-Data to host, size = 1380 bytes, in packet 218.
- Host Acks the packets on port 1189 in packet 219.
- FTP server then sends the next packet, 1380 bytes, to host in packet 220.
- FTP server then sends the next packet, 1292 bytes, to host in packet 221.
- Host then Acks the first packet of the last two sent in packet 222.
- Host then sends an FTP Ack to FTP server in packet 223.
- FTP server then states that data was lost, 286 bytes in the later of the two FTP Data segments (in packet 224).
- Host then Acks the TCP dump in packet 225.
- FTP server then sends a TCP Retransmission FTP-Data packet = 1380 to host (in packet 226).
- Host Acks this in packet 227.
- Host Acks the end of the complete file (packet 228).
- FTP server then Acks this statement in packet 229.
- FTP server then announces transfer is complete (packet 230).
- Host then Acks the announcement in packet 231.
- Host requests to quit session in packet 251.
- FTP server then announces you have transferred 9858 bytes in 1 files (packet 252).
- Host then Acks this in packet 253.
- FTP Server then announces that total traffic for the session was 10357 bytes in one transfer (packet 254).
- Host then sends an Ack to the server in packet 255.
- Host then Acks session is over (packet 256).
- FTP server then Acks this in packet 257.

The connection is now closed.

Summary of the Trace
Within this trace we have seen that first of all the Host requested a DNS lookup of the FTP server. Once the DNS had translated the name to an address, the Host connected to the server and logged on as an anonymous user with the password of test@test.com. Once this was confirmed by the FTP server, the FTP server then announced that access restrictions applied. The host then changed some directories whilst looking for a file, and once the file was discovered the Host requested a session with the file server in the LAN. Once this was set up, the host then requested the file from the FTP server. This file came in 4 segments, each of 1380 bytes, as this is the MTU size. One of the segments was reported as incomplete, as a loss of 286 bytes was reported by the server, as when the Host replied with an Ack it reported a size of 1292. The FTP server then retransmitted the segment and this time it was the correct size. The connection was brought down and the session terminated.

TCP/IP Model comparison to the trace
[Diagram: Host File, FTP Server File]

The host application layer (layer 4) requests a file from the FTP server application layer (layer 4). The request is sent to the Host layer 3, which encapsulates the file and sets up a session between the Host and server and then passes the file to the next layer. Layer 3 then deals with the path to the server and passes the file to layer 1, which then converts the file to binary and sends it to the destination (FTP Server) via various network components. This process is reversed from the server end.
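The port request in packet 206 of the trace encodes the data port in its last two fields: 4 x 256 + 165 = 1189, which is the destination port of the server's connection from port 20 in packet 209. The Python below is an added example, not part of the original report (function names and the tuple layout are assumptions); it decodes the command and runs the consistency checks a firewall or IDS would apply to an active-mode transfer.

```python
import re

# Six numeric fields; the report quotes them dotted, the wire format uses commas.
PORT_RE = re.compile(r"^PORT\s+(\d+(?:[.,]\d+){5})\s*$", re.IGNORECASE)

def parse_port(command: str):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); port = p1*256 + p2."""
    m = PORT_RE.match(command.strip())
    if not m:
        raise ValueError(f"not a PORT command: {command!r}")
    fields = [int(f) for f in re.split(r"[.,]", m.group(1))]
    if any(f > 255 for f in fields):
        raise ValueError("PORT field out of range 0-255")
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]

def check_active_mode(control_client_ip, port_command, data_syn):
    """Compare a PORT command with the data connection that follows it.

    data_syn is (src_ip, src_port, dst_ip, dst_port) of the server's SYN.
    Returns the announced port and a list of findings (empty when consistent).
    """
    ip, port = parse_port(port_command)
    findings = []
    if ip != control_client_ip:
        # The client asked the server to connect to some other machine.
        findings.append(f"PORT names {ip}, not the control-channel client")
    if port < 1024:
        findings.append(f"PORT asks for privileged port {port}")
    if (data_syn[2], data_syn[3]) != (ip, port):
        findings.append("data connection does not go to the announced endpoint")
    return port, findings

# Constructed from the report's description of packets 206 and 209.
HOST, SERVER = "146.176.165.20", "192.108.131.14"
PKT_206 = "PORT 146.176.165.20.4.165"
PKT_209 = (SERVER, 20, HOST, 1189)

if __name__ == "__main__":
    print(check_active_mode(HOST, PKT_206, PKT_209))
```

For the trace in this report the findings list is empty: the announced endpoint is the host itself on unprivileged port 1189, and the server's data connection goes exactly there.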
