Security Basics mailing list archives

RE: How Network Traffic Flows – Getting Started


From: Pamela Gott <PGott () Ceon com>
Date: Thu, 22 Jan 2004 17:14:32 -0800

Thanks for the article - a good start. Anyone know where I can get more
information on how to read packet captures and how to interpret the
information once you read it?

Pamela Gott 




-----Original Message-----
From: Gideon Rasmussen, CISSP, CFSO, CFSA, SCSA
[mailto:gideon () infostruct net]
Sent: Thursday, January 22, 2004 1:10 PM
To: security-basics () securityfocus com
Subject: How Network Traffic Flows – Getting Started


http://www.cyberguard.com/news_room/news_newsletter_011904traffic.cfm

How Network Traffic Flows – Getting Started
Gideon T. Rasmussen - CISSP, CFSO, CFSA, SCSA

To troubleshoot an issue, you need to know how network traffic flows
under normal circumstances. This article details what happens when a Web
browser is used to access a Web site.

Once the Web site name is entered into a Web browser, a series of
communications occurs over various protocols. The table below represents
how the network traffic flows:

Line: Protocol: Source:     Destination: Data:
1     ARP       10.0.1.13   Broadcast    Who has 10.0.1.1? Tell 10.0.1.13
2     ARP       10.0.1.1    10.0.1.13    10.0.1.1 is at 00:80:c8:57:d3:aa
3     DNS       10.0.1.13   10.0.1.1     Standard query A www.cyberguard.com
4     DNS       10.0.1.1    10.0.1.13    Standard query response CNAME cyberguard.com A 64.94.50.88
5     TCP       10.0.1.13   64.94.50.88  1939 > http [SYN]
6     TCP       64.94.50.88 10.0.1.13    http > 1939 [SYN, ACK]
7     TCP       10.0.1.13   64.94.50.88  1939 > http [ACK]
8     HTTP      10.0.1.13   64.94.50.88  GET / HTTP/1.1
9     HTTP      64.94.50.88 10.0.1.13    HTTP/1.1 200 OK
10    HTTP      64.94.50.88 10.0.1.13    HTTP Continuation
11    TCP       10.0.1.13   64.94.50.88  2577 > http [ACK] Seq=388864 Ack=37076821 Win=8241 Len=0
12    TCP       10.0.1.13   64.94.50.88  2577 > http [RST] Seq=388864 Ack=37077089 Win=0 Len=0

The ARP Protocol

Before systems can communicate, they need to know each other’s hardware
addresses. The Address Resolution Protocol (ARP) is used for this
purpose. From its configuration, the workstation knows the IP address of
the DNS server.

Line # 1

Protocol: Source:     Destination: Data:
ARP       10.0.1.13   Broadcast    Who has 10.0.1.1? Tell 10.0.1.13

The workstation broadcasts a request to the devices on its network
asking “who has” the IP address it needs to communicate with.

Line # 2

Protocol: Source:     Destination: Data:
ARP       10.0.1.1    10.0.1.13    10.0.1.1 is at 00:80:c8:57:d3:aa

The remote system responds providing its hardware address. Now that the
workstation knows the hardware address of the remote system, it can
communicate with it.

The DNS Protocol

The Domain Name System (DNS) protocol is used to resolve system names to
IP addresses. When a Web site name is entered into a browser, the
workstation needs to know the corresponding IP address to reach the Web
server hosting the site.

Line # 3

Protocol: Source:     Destination: Data:
DNS       10.0.1.13   10.0.1.1     Standard query A www.cyberguard.com

The workstation asks the DNS server to provide the IP address of the Web
server hosting www.cyberguard.com.

Line # 4

Protocol: Source:     Destination: Data:
DNS       10.0.1.1    10.0.1.13    Standard query response CNAME cyberguard.com A 64.94.50.88

The DNS server responds with the IP address corresponding to
www.cyberguard.com.

The TCP Protocol

The Transmission Control Protocol (TCP) protocol is used to transfer
data. These next three lines comprise the TCP three-way handshake:

Line # 5

Protocol: Source:     Destination: Data:
TCP       10.0.1.13   64.94.50.88  1939 > http [SYN]

The workstation initiates the connection to the Web server (SYN). SYN is
an abbreviation for “synchronize.”

Line # 6

Protocol: Source:     Destination: Data:
TCP       64.94.50.88 10.0.1.13    http > 1939 [SYN, ACK]

The Web server responds back indicating that it is ready for
transmission (SYN ACK). SYN ACK is an abbreviation for “synchronize
acknowledgement.”

Line # 7

Protocol: Source:     Destination: Data:
TCP       10.0.1.13   64.94.50.88  1939 > http [ACK]

The workstation sends to the Web server indicating that it is starting
to send traffic (ACK). This acknowledgement indicates that the TCP
connection is established and traffic can begin to flow.

The HTTP Protocol

The Hyper Text Transfer Protocol (HTTP) is used to serve up Web pages.
You can see evidence of this from the Web site address in your browser
(i.e. http://www.cyberguard.com).

Line # 8

Protocol: Source:     Destination: Data:
HTTP      10.0.1.13   64.94.50.88  GET / HTTP/1.1

The browser opens a connection to the Web server.

Line # 9

Protocol: Source:     Destination: Data:
HTTP      64.94.50.88 10.0.1.13    HTTP/1.1 200 OK

The Web server accepts the connection.

Line # 10

Protocol: Source:     Destination: Data:
HTTP      64.94.50.88 10.0.1.13    HTTP Continuation

The HTTP Continuation lines represent where the contents of the html
page are sent over. It includes text, links, etc.

Back to the TCP Protocol

Line # 11

Protocol: Source:     Destination: Data:
TCP       10.0.1.13   64.94.50.88  2577 > http [ACK] Seq=388864 Ack=37076821 Win=8241 Len=0

This line is actually repeated four times. The workstation is
acknowledging the last packet.

Line # 12 (RST)

Protocol: Source:     Destination: Data:
TCP       10.0.1.13   64.94.50.88  2577 > http [RST] Seq=388864 Ack=37077089 Win=0 Len=0

The workstation sends a reset, effectively tearing down the TCP connection.

Tcpdump and Ethereal

It is important to note that the tcpdump will provide different details
depending on where it runs on your network. In this example, tcpdump was
run on the internal interface of the firewall with a directly connected
workstation. If tcpdump were used to monitor the same traffic flow on
the external interface, the source IP address would appear as the
external interface of the firewall, providing that Dynamic Network
Address Translation (DNAT) was in place. To observe how proxy traffic
flows, it makes sense to run tcpdump on both the internal and external
interfaces, as the proxy acts as a middleman between the source and
destination.

The source of the table was a tcpdump file viewed through Ethereal. The
exact syntax used was: “tcpdump -vvpni dec1 -s1514 -w /archive2/dec1.dmp
host 10.0.1.13”. The tcpdump command has extensive options for recording
very specific traffic flow (i.e. source/destination, ports, and Boolean
expressions). For more information, enter “man tcpdump” on the command
line. The Windows version is Windump (http://windump.polito.it).

Ethereal is a good tool to view tcpdump files. It is freely available
from http://www.ethereal.com.

Some of the ports present in a tcpdump may be unfamiliar to you. The
most current list of port numbers can be found at
http://www.iana.org/assignments/port-numbers (per RFC 3232).
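As an added example for the question of how to interpret a capture once you can read it (this code is not part of the thread or the article), here is a small Python parser for summary rows like those in the table above: it records the ARP and DNS resolutions and walks each TCP conversation through the three-way handshake. The rows are the table's own values re-typed as constructed input; run on them it shows the 1939 connection reaching ESTABLISHED, while the segments on port 2577 have no handshake in the capture and end in a reset.

```python
import re
# Constructed input: the table above re-typed as (proto, src, dst, data);
# line 10, the HTTP continuation, carries no flow information and is omitted.
ROWS = [
    ("ARP", "10.0.1.13", "Broadcast", "Who has 10.0.1.1? Tell 10.0.1.13"),
    ("ARP", "10.0.1.1", "10.0.1.13", "10.0.1.1 is at 00:80:c8:57:d3:aa"),
    ("DNS", "10.0.1.13", "10.0.1.1", "Standard query A www.cyberguard.com"),
    ("DNS", "10.0.1.1", "10.0.1.13", "Standard query response CNAME cyberguard.com A 64.94.50.88"),
    ("TCP", "10.0.1.13", "64.94.50.88", "1939 > http [SYN]"),
    ("TCP", "64.94.50.88", "10.0.1.13", "http > 1939 [SYN, ACK]"),
    ("TCP", "10.0.1.13", "64.94.50.88", "1939 > http [ACK]"),
    ("HTTP", "10.0.1.13", "64.94.50.88", "GET / HTTP/1.1"),
    ("HTTP", "64.94.50.88", "10.0.1.13", "HTTP/1.1 200 OK"),
    ("TCP", "10.0.1.13", "64.94.50.88", "2577 > http [ACK] Seq=388864 Ack=37076821 Win=8241 Len=0"),
    ("TCP", "10.0.1.13", "64.94.50.88", "2577 > http [RST] Seq=388864 Ack=37077089 Win=0 Len=0"),
]
TCP_RE = re.compile(r"^(\S+) > (\S+) \[([^\]]+)\]")
ARP_RE = re.compile(r"^(\S+) is at (\S+)$")
DNS_Q_RE = re.compile(r"^Standard query A (\S+)$")
DNS_R_RE = re.compile(r"^Standard query response .* A (\d+(?:\.\d+){3})$")

def flow_key(src, sport, dst, dport):
    # Direction-independent key so both halves of a conversation share one record.
    return tuple(sorted([(src, sport), (dst, dport)]))

def summarize(rows):
    # Returns ARP and DNS resolutions plus the handshake state of every TCP flow.
    arp, dns, flows, pending = {}, {}, {}, None
    for proto, src, dst, data in rows:
        if proto == "ARP" and ARP_RE.match(data):
            arp.update([ARP_RE.match(data).groups()])         # ip -> hardware address
        elif proto == "DNS" and DNS_Q_RE.match(data):
            pending = DNS_Q_RE.match(data).group(1)           # name being asked for
        elif proto == "DNS" and DNS_R_RE.match(data) and pending:
            dns[pending] = DNS_R_RE.match(data).group(1)      # answer for that name
        elif proto == "TCP" and TCP_RE.match(data):
            sport, dport, raw = TCP_RE.match(data).groups()
            flags = {x.strip() for x in raw.split(",")}
            f = flows.setdefault(flow_key(src, sport, dst, dport), {"state": "NEW", "handshake": False})
            if flags == {"SYN"}:
                f["state"] = "SYN_SENT"
            elif flags == {"SYN", "ACK"} and f["state"] == "SYN_SENT":
                f["state"] = "SYN_RECEIVED"
            elif "RST" in flags:
                f["state"] = "RESET"
            elif "ACK" in flags and f["state"] == "SYN_RECEIVED":
                f["state"], f["handshake"] = "ESTABLISHED", True
            elif "ACK" in flags and f["state"] == "NEW":
                f["state"] = "MIDSTREAM"   # segment on a port with no handshake in the capture
    return {"arp": arp, "dns": dns, "flows": flows}
```

The same state machine applies to any tcpdump or Ethereal summary with the "port > port [FLAGS]" form, so it can be pointed at a longer capture to find connections that were reset or that began before the capture did.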






---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any 
course! All of our class sizes are guaranteed to be 10 students or less. 
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, 
and many other technical hands on courses. 
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off 
any course!  
----------------------------------------------------------------------------
