1       Computer Networking

1.1     The Basics

A computer network, as defined by Wikipedia, is “a collection of hardware components and computers interconnected by communication channels that allow sharing of resources and information.”[1] Devices on a network communicate using many different protocols, which are sets of rules and conventions followed by communicating devices. The best-known set of network protocols is the TCP/IP protocol suite, which forms the basis of all network communication. Common network devices include computers, routers, and switches. However, networks may have many other components as well, such as printers and servers. There are many important software components as well; one specific example is network firewalls.

Further information on these network devices can be found at: http://www.starlancs.com/EducateMe/educate_network_devices.html

Further introductory material to networks can be found at:

http://compnetworking.about.com/od/basicnetworkingconcepts/Networking_Basics_Key_Concepts_in_Computer_Networking.htm

1.2     The OSI Reference Model and TCP/IP

In order for data to be successfully moved between two devices, there must be some sort of standard communication model that the devices follow. The Open Systems Interconnection (OSI) Reference Model is the model originally developed for this purpose. It defines how data can flow through a network from one application to another. It accomplishes this by splitting the entire communications system into a set of seven layers. The tasks necessary for communication are sorted into the seven layers, with similar tasks being grouped into the same layer. Each layer performs its task and then passes the data to the next layer in the chain. The seven layers in the OSI model are: Application, Presentation, Session, Transport, Network, Data Link, and Physical Layer.

A similar model to the OSI Model is the TCP/IP Model. This model, based on the original OSI model, forms the basis for all Internet communications. The TCP/IP Model was developed by grouping similar protocols in the TCP/IP protocol suite into layers. TCP/IP includes four layers. The top three layers of the OSI Model are combined into the “Application Layer,” followed by the Transport, Internet, and Link layers. (The Physical Layer in the OSI Model is generally not included in the TCP/IP Model; however, some of its functions are included in the TCP/IP Link Layer.) Data that is to be transmitted across the Internet (or another similar network) is passed down these layers. At each layer another protocol adds information (a “header”) to the data it received and pushes it further along towards its destination.

As an example of how such communication works using layers and protocols, we can look at what happens when you request a webpage. (Note: this explanation is highly simplified. Many details are left out here so that the big picture can be understood.) First, your web browser will create an HTTP Request. Here, the web browser is an application using an Application Layer protocol (HTTP). The request is pushed down to layer four, where a TCP (Transport Layer protocol) header is added to the message, creating a TCP packet. The Transport Layer is responsible for ensuring the data is delivered to the correct application on a device. Each application listens on a different port, and this layer ensures that the data is sent to the right one. The packet is then pushed down to the Internet Layer, where an IP (Internet Layer protocol) header is added, creating an IP datagram. This layer is responsible for getting the data to the actual recipient device. The data is then pushed down to the Network Access Layer (the Link Layer), where another header (possibly from Ethernet or the 802.11 wireless protocol) is added to the datagram as well. This layer is responsible for sending the data to the next hop on the path to its Internet Layer destination. Once the data reaches its destination it works its way back up the layers, with each layer passing the packet upwards to the next layer based on the data in its respective header.

Note: The protocols mentioned in the above example, while common protocols, are not the only protocols that operate at that layer. Depending on different factors, other protocols may be used instead of those mentioned. For example, the HTTP protocol will only be used if we are requesting data from a web server. If we were transferring files over a network instead we would use a different Application Layer protocol, such as FTP.

1.3     Addressing

Network addresses are used to identify devices within a network. Two types of addresses are used: Internet Protocol (IP) addresses for inter-network addressing and Media Access Control (MAC) addresses for intra-network routing.

1.3.1     IP Addresses

IP addresses are used for inter-network routing and address devices at layer three (the IP layer) in the OSI model. There are two versions of the IP protocol in use, IPv4 and IPv6. IPv4 is the version most people are familiar with, but a transition to IPv6 is currently under way. In IPv4, addresses are 32-bit numbers generally written in “dotted-quad” notation, such as 192.168.1.1.

An IPv4 address has two components, a network component and a host component. The network component indicates the address of the network the host is on while the host component indicates the actual host on the network. A subnet mask is used to indicate how many bits in the address (starting from the leftmost bit) are for the network component. The remaining bits are for the host address. Subnet masks are composed in a manner similar to IP addresses. For example, a common subnet mask is “255.255.255.0.” This indicates that the first 24 bits of the address identify the network[2] while the remaining 8 bits represent the host on the network. In such a network the maximum number of hosts would be 256,[3] since 8 bits can represent the numbers 0-255.
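As an added example that is not part of the original document, the following Python code performs the network/host split just described using only bit operations. The address and mask are the ones from the text; the function names are my own. It also reports the 254 usable hosts of a /24, i.e. the "slightly less" than 256 mentioned in footnote [3] once the network and broadcast addresses are excluded.

```python
# Added example (not from the original document): splitting an IPv4 address into its
# network and host components with a subnet mask, using only bit operations.

def dotted_to_int(addr: str) -> int:
    """Convert dotted-quad notation (e.g. "192.168.1.1") into a 32-bit integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 dotted quad: {addr}")
    value = 0
    for o in octets:
        value = (value << 8) | o
    return value


def int_to_dotted(value: int) -> str:
    """Inverse of dotted_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_length(mask: str) -> int:
    """Count the leading 1 bits of a subnet mask (255.255.255.0 -> 24).

    A valid mask is a run of 1s followed by a run of 0s; a mask such as
    255.0.255.0 is rejected because its 1 bits are not contiguous.
    """
    m = dotted_to_int(mask)
    ones = bin(m).count("1")
    expected = (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF
    if m != expected:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def split_address(addr: str, mask: str) -> dict:
    """Return the network/host split of addr under mask, plus the size of the block."""
    a = dotted_to_int(addr)
    m = dotted_to_int(mask)
    plen = prefix_length(mask)
    host_bits = 32 - plen
    network = a & m
    host = a & ~m & 0xFFFFFFFF
    return {
        "prefix_length": plen,
        "network": int_to_dotted(network),
        "host": host,                          # host component as a plain number
        "host_bits": host_bits,
        "addresses": 2 ** host_bits,           # the "256" of the text for a /24
        # The all-zeros host (network address) and the all-ones host (broadcast)
        # are reserved, which is the "slightly less" of footnote [3].
        "usable_hosts": max(2 ** host_bits - 2, 0),
        "broadcast": int_to_dotted(network | (~m & 0xFFFFFFFF)),
    }


def same_network(addr_a: str, addr_b: str, mask: str) -> bool:
    """True when both addresses share the network component under mask, i.e. a
    host would deliver directly at layer 2 instead of sending to its router."""
    m = dotted_to_int(mask)
    return dotted_to_int(addr_a) & m == dotted_to_int(addr_b) & m


if __name__ == "__main__":
    info = split_address("192.168.1.1", "255.255.255.0")
    for key, value in info.items():
        print(f"{key:>14}: {value}")
    print("same network:", same_network("192.168.1.1", "192.168.1.77", "255.255.255.0"))
```

The contiguity check in prefix_length matters in practice: a mask whose 1 bits are not contiguous cannot be expressed as a prefix length, and tools that accept one silently will compute a meaningless network component.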

1.3.2     MAC Addresses

MAC addresses, on the other hand, are used to route traffic within a network. Routing via MAC address is performed at layer two in the OSI model. A MAC address is six bytes long, usually written as six hexadecimal byte values separated by colons, and looks like 12:AB:6E:4C:32:11.

2       Protocols

As was mentioned earlier, protocols are sets of rules and conventions that must be followed by communicating devices. If these rules and conventions aren’t followed then the devices won’t be able to communicate. As an analogy to understand how protocols work, we can consider human conversation. If two people do not speak the same language, they cannot communicate. So too, if two computers do not speak the same language they cannot communicate. Network devices have a set of “languages” (protocols) they understand. If a device attempts to use an unknown protocol (or misuses a known protocol), other devices will not understand it.

There are hundreds of different protocols used throughout this field. As one performs network forensics work, one becomes acquainted with a great many of them. However, before performing any work it is important to become familiar with some of the more common protocols that arise. Here, we will attempt to mention a fair number of them in varying levels of detail. When you come across a protocol that isn’t mentioned here, a quick Google search should tell you what it is for.

Note: The layer numbers used below are based on the OSI Model (after joining the top three layers). The layers are commonly referred to by these numbers.

2.1     Application Layer Protocols (Layer 5)

2.1.1     Hypertext Transfer Protocol (HTTP)

This is the protocol used for the transmission of data on the World Wide Web, and thus the protocol used when requesting web pages. HTTP is a request-response protocol, meaning that a client (a web browser) requests data and a web server responds with the data.

The format of an HTTP request line is as follows:

    Method    Resource Requested        Protocol Version
    ex. GET   /pages/samplePage.html    HTTP/1.1

This line is followed by any headers, an empty line, and an optional message body. There are nine HTTP methods, but “GET” is the most commonly used. (“POST” is similar to “GET” and is also used often.) “GET” does exactly what it sounds like; it attempts to get data from a web server.

The format of an HTTP response line is:

    Protocol Version    Status Code    Reason Phrase
    ex. HTTP/1.1        200            OK

This line is again followed by any header lines, an empty line, and the requested page. Different status codes indicate different results:

2xx – Success

3xx – Redirection

4xx – Client Error

5xx – Server Error

As an example, a common error to receive is a 404 – Not Found error. This error means that the requested page was not found on the server, indicating that the client made a bad request.
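The request line, status line and status-code classes described above can be parsed with a few lines of Python. The code below is an added example, not from the original document; the sample request and the 404 response are constructed, www.example.com is a placeholder host, and the function names are my own. The method set is the eight methods of RFC 2616 plus PATCH (RFC 5789), which is how one arrives at the nine methods the text counts.

```python
# Added example (not from the original document): parsing the HTTP request line,
# status line and header lines, and classifying the status code.

# The eight methods of RFC 2616 plus PATCH (RFC 5789): the nine methods the text counts.
HTTP_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE",
                "TRACE", "CONNECT", "PATCH"}

STATUS_CLASSES = {1: "Informational", 2: "Success", 3: "Redirection",
                  4: "Client Error", 5: "Server Error"}


def _split_message(raw: str):
    """Separate the start line, the header lines and the optional body.
    The headers end at the first empty line (CRLF CRLF)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return lines[0], headers, body


def parse_request(raw: str) -> dict:
    """Parse 'METHOD resource HTTP/version' followed by headers and an optional body."""
    start, headers, body = _split_message(raw)
    parts = start.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {start!r}")
    method, resource, version = parts
    return {
        "method": method,
        "known_method": method in HTTP_METHODS,   # an unknown method is worth a second look
        "resource": resource,
        "version": version,
        "headers": headers,
        "body": body,
    }


def parse_response(raw: str) -> dict:
    """Parse 'HTTP/version code reason' followed by headers and the page body."""
    start, headers, body = _split_message(raw)
    parts = start.split(" ", 2)      # the reason phrase may itself contain spaces
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {start!r}")
    code = int(parts[1])
    return {
        "version": parts[0],
        "status": code,
        "reason": parts[2] if len(parts) == 3 else "",
        "class": STATUS_CLASSES.get(code // 100, "Unknown"),
        "headers": headers,
        "body": body,
    }


# Constructed sample traffic: the request from the text and a 404 reply to it.
SAMPLE_REQUEST = (
    "GET /pages/samplePage.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: example-browser/1.0\r\n"
    "\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 48\r\n"
    "\r\n"
    "<html><body><h1>404 Not Found</h1></body></html>"
)

if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    resp = parse_response(SAMPLE_RESPONSE)
    print(req["method"], req["resource"], req["version"], "host =", req["headers"]["host"])
    print(resp["status"], resp["reason"], "->", resp["class"], f"({len(resp['body'])} body bytes)")
```

Note that a malformed start line raises rather than returning a partial result: when reconstructing a web session from a capture, a line that does not fit the Method/Resource/Version shape should be surfaced, not silently skipped.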

 

Further information on the specifics of HTTP requests and responses can be found at:

Requests: http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html

Responses: http://www.w3.org/Protocols/rfc2616/rfc2616-sec6.html

2.1.2     Dynamic Host Configuration Protocol (DHCP)

This is the protocol often used by a device to obtain an IP address on a network. For example, when a computer joins a network, before it can do anything it must have an IP address so that other devices can communicate with it. To obtain an IP address the device completes a four-step process with a DHCP server:

  1. DHCP Discover – the client broadcasts a DHCP discovery message to find a DHCP server
  2. DHCP Offer – a DHCP server responds to the client with one (or more) IP addresses for the client, along with other information
  3. DHCP Request – the client formally requests one of the IP addresses offered to it
  4. DHCP Acknowledgement – the DHCP server confirms the client’s requested IP address
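To see the four steps as messages passing between the two sides, here is an added simulation in Python; it is not from the original document. The DhcpServer and DhcpClient classes, the address pool (RFC 5737 documentation addresses) and the option values are constructed for the demonstration. It goes slightly beyond the four steps in the text: it also shows a second server reclaiming an offer the client did not choose, the refusal message (DHCPNAK) a server sends when a request does not match its offer, and what happens when the pool is empty.

```python
# Added example (not from the original document): a simulated DHCP exchange
# walking through Discover, Offer, Request and Acknowledgement.
from dataclasses import dataclass, field


@dataclass
class DhcpMessage:
    kind: str                     # DISCOVER, OFFER, REQUEST, ACK or NAK
    client_mac: str               # identifies the client, which has no IP address yet
    yiaddr: str = ""              # "your IP address": the address offered or assigned
    server_id: str = ""           # which server's offer a REQUEST is answering
    options: dict = field(default_factory=dict)   # router, DNS server, lease time


class DhcpServer:
    def __init__(self, server_ip: str, pool: list, options: dict):
        self.server_ip = server_ip
        self.free = list(pool)    # addresses neither offered nor leased
        self.offers = {}          # client_mac -> address offered, not yet confirmed
        self.leases = {}          # client_mac -> address confirmed by an ACK
        self.options = options

    def handle(self, msg: DhcpMessage):
        """Return this server's reply, or None when it stays silent."""
        if msg.kind == "DISCOVER":
            addr = self.leases.get(msg.client_mac) or self.offers.get(msg.client_mac)
            if addr is None:
                if not self.free:
                    return None   # pool exhausted: the client gets no offer from us
                addr = self.free.pop(0)
                self.offers[msg.client_mac] = addr
            return DhcpMessage("OFFER", msg.client_mac, addr, self.server_ip, dict(self.options))
        if msg.kind == "REQUEST":
            if msg.server_id != self.server_ip:
                # The client chose another server's offer; reclaim ours for the pool.
                released = self.offers.pop(msg.client_mac, None)
                if released:
                    self.free.insert(0, released)
                return None
            addr = self.offers.pop(msg.client_mac, None) or self.leases.get(msg.client_mac)
            if addr != msg.yiaddr:
                # Refusal (DHCPNAK); this message is beyond the four steps in the text.
                return DhcpMessage("NAK", msg.client_mac, "", self.server_ip)
            self.leases[msg.client_mac] = addr
            return DhcpMessage("ACK", msg.client_mac, addr, self.server_ip, dict(self.options))
        return None


class DhcpClient:
    def __init__(self, mac: str):
        self.mac, self.ip, self.config = mac, None, {}

    def discover(self) -> DhcpMessage:
        return DhcpMessage("DISCOVER", self.mac)

    def request(self, offers: list) -> DhcpMessage:
        chosen = offers[0]        # simplest policy: accept the first offer heard
        return DhcpMessage("REQUEST", self.mac, chosen.yiaddr, chosen.server_id)

    def accept(self, reply: DhcpMessage) -> None:
        if reply.kind == "ACK":
            self.ip, self.config = reply.yiaddr, reply.options


def run_exchange(client: DhcpClient, servers: list) -> list:
    """DISCOVER and REQUEST are broadcasts, so every server sees them.
    Returns the transcript of all messages on the wire."""
    transcript = [client.discover()]
    offers = [r for s in servers if (r := s.handle(transcript[0])) is not None]
    transcript.extend(offers)
    if not offers:
        return transcript         # nobody answered; the client still has no address
    req = client.request(offers)
    transcript.append(req)
    for s in servers:
        reply = s.handle(req)
        if reply is not None:
            transcript.append(reply)
            client.accept(reply)
    return transcript


# Constructed network using RFC 5737 documentation addresses.
POOL = ["192.0.2.100", "192.0.2.101", "192.0.2.102"]
OPTIONS = {"router": "192.0.2.1", "dns": "192.0.2.53", "lease_seconds": 3600}

if __name__ == "__main__":
    server = DhcpServer("192.0.2.1", POOL, OPTIONS)
    client = DhcpClient("12:AB:6E:4C:32:11")
    for m in run_exchange(client, [server]):
        print(f"{m.kind:<9} mac={m.client_mac} yiaddr={m.yiaddr or '-'}")
    print("client now has", client.ip, "with options", client.config)
```

Because the first two messages are broadcasts, any host on the segment that answers is treated as a DHCP server; the client's "first offer wins" policy in this simulation is the reason a rogue DHCP server on a network is an effective way to hand clients a wrong router or DNS server, and why DHCP traffic is worth watching in a capture.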

 

2.1.3     Domain Name System (DNS)

The DNS protocol is used for translating human-readable domain names (such as google.com) into the IP addresses corresponding to them. Essentially, it is the phonebook of the Internet. When one attempts to view a webpage and types in, for example, “www.google.com”, an HTTP request cannot simply be made to Google, because computers can’t communicate using human-readable domain names. Instead, a DNS request is made to a DNS server asking it for the IP address of “www.google.com.” The DNS server responds to the client with an IP address, and the client’s original request can then be sent to the correct IP address.

2.2     Transport Layer Protocols (Layer 4)

2.2.1     Transmission Control Protocol (TCP)

This is the protocol on which many Internet applications rely. As it is a layer 4 protocol, its responsibility is getting data to specific programs on a receiving computer. It is a connection-oriented protocol. This means that when using TCP an actual connection is set up between the two communicating programs (for example a web server and a client). Connection setup includes what is known as a TCP “three-way handshake,” where the client first sends a “SYN” packet[4], the server responds with a “SYN-ACK” packet[5], and the client finally responds with an ACK packet.[6]

Additionally, TCP is a reliable protocol. This means that if an application passes data to TCP, it is guaranteed that the data will eventually reach the correct destination. TCP accomplishes this by using packet acknowledgements (the ACK bit mentioned above). If data isn’t acknowledged by the receiver, indicating that it was lost in transmission or corrupted, TCP on the sender’s end will resend the data.

A TCP header includes a variety of different fields, as can be seen in the diagram below.

[Diagram: TCP header]

Some important components of the header are as follows:

  1. Source Port – the port from which the data was sent (and to which packets sent in response should be addressed; remember, each application on a system listens for communications on a specific port)
  2. Destination Port – the port to which the data should be sent
  3. Sequence Number – the position of the first byte of data contained in this packet. (As TCP establishes a connection, multiple packets are sent. The total number of bytes transmitted is tracked to help ensure that all packets are received and that they are placed in the correct order.)
  4. Acknowledgment Number – the data, previously received, which is being acknowledged by this packet. (The number used is the next byte the receiver expects to receive. For example, if 500 bytes have already been received, this field will contain the number 501.)

2.2.2     User Datagram Protocol (UDP)

UDP is the other primary protocol used at layer 4. It differs from TCP in that it is a much simpler protocol. It does not establish a connection, nor does it provide reliable service. It is often used by applications that, for whatever reason, do not wish to retransmit lost packets. One example of this is real-time video: if a packet is lost it is no longer useful, as the video stream has no use for non-live data. UDP is also used for DNS requests, as it would be wasteful to set up a connection when only one packet is sent in each direction, a DNS request and a DNS response.

The format of a UDP header is shown below.

[Diagram: UDP header]

2.3     Internet Layer Protocols (Layer 3)

2.3.1     Internet Protocol (IP)

The IP protocol is perhaps the best known of all the protocols in computer networking. It is responsible for routing packets from one host to another host on a different network. (Layer 2 protocols are used for intra-network routing. The IP protocol is mainly for inter-network routing.) Routing is accomplished by forwarding packets based on their destination IP addresses, which were discussed earlier.

An IP header looks as follows:

[Diagram: IPv4 header]

Figure 3 – Obtained from: http://en.wikipedia.org/wiki/IPv4

Some of the important fields in the IP header are:

  1. Version – indicates if IPv4 or IPv6 is being used
  2. Total Length – the total length of the header + data in the packet
  3. Identification, Flags, Fragment Offset – these are all used for fragmentation purposes, i.e. if the packet needs to be split into parts because it is too large to be transmitted across one of the hops on its path to the destination
  4. Time to Live – The number of hops this packet can go through before the packet won’t be forwarded anymore. It is used to prevent packets from being routed forever.
  5. Protocol – The upper layer protocol which is being used for this packet
  6. Source and Destination IP Address – self-explanatory
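The TCP fields of section 2.2.1 and the IP fields just listed sit at fixed offsets in the packet, so they can be read back from raw bytes with Python's struct module. The following added example is not from the original document: it parses both headers, verifies the IP header checksum (a field the list above omits), and checks that three constructed packets form the SYN, SYN-ACK, ACK handshake with the acknowledgement numbers described under item 4 of the TCP field list. The addresses are RFC 5737 documentation addresses, the ports and sequence numbers are invented, and all function names are my own.

```python
# Added example (not from the original document): parsing IPv4 and TCP headers
# from raw bytes and checking a constructed three-way handshake.
import struct

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement of the one's-complement sum of the header's 16-bit words.
    Over a header that already carries a correct checksum the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the IP fields listed in section 2.3.1 and return the encapsulated payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl, total_len = f[0] >> 4, (f[0] & 0x0F) * 4, f[2]
    if version != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("not a well-formed IPv4 packet")
    flags = f[4] >> 13                               # 3 flag bits, then 13 bits of offset
    return {"version": version, "header_length": ihl, "total_length": total_len,
            "identification": f[3],
            "dont_fragment": bool(flags & 0b010), "more_fragments": bool(flags & 0b001),
            "fragment_offset": (f[4] & 0x1FFF) * 8,  # stored in units of 8 bytes
            "ttl": f[5], "protocol": f[6],           # 1 = ICMP, 6 = TCP, 17 = UDP
            "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
            "src": ".".join(map(str, f[8])), "dst": ".".join(map(str, f[9])),
            "payload": pkt[ihl:total_len]}


def parse_tcp_header(seg: bytes) -> dict:
    """Decode the TCP fields listed in section 2.2.1: ports, seq/ack numbers, flags."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", seg[:14])
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "flags": {name for name, bit in TCP_FLAGS.items() if off_flags & bit},
            "payload": seg[(off_flags >> 12) * 4:]}   # data offset is in 32-bit words


def dotted_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_packet(src, dst, sport, dport, seq, ack, flags, ttl=64, ident=1, payload=b""):
    """Construct a sample IPv4 packet carrying a TCP segment (not captured traffic).
    The TCP checksum is left 0; computing it needs a pseudo-header, omitted here."""
    flag_bits = sum(TCP_FLAGS[f] for f in flags)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flag_bits,
                      65535, 0, 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ident, 0x4000, ttl, 6, 0,
                      dotted_to_bytes(src), dotted_to_bytes(dst))   # 0x4000 = Don't Fragment
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + tcp


def is_three_way_handshake(packets: list) -> bool:
    """True for SYN, SYN-ACK, ACK between one client/server pair where each side
    acknowledges the other's SYN with seq + 1, as described for the Acknowledgment Number."""
    if len(packets) != 3:
        return False
    parsed = []
    for p in packets:
        ip = parse_ipv4_header(p)
        if ip["protocol"] != 6 or not ip["checksum_ok"]:
            return False
        parsed.append((ip, parse_tcp_header(ip["payload"])))
    (ip1, t1), (ip2, t2), (ip3, t3) = parsed
    forward = (ip1["src"], ip1["dst"], t1["src_port"], t1["dst_port"])
    reverse = (ip1["dst"], ip1["src"], t1["dst_port"], t1["src_port"])
    return ((ip2["src"], ip2["dst"], t2["src_port"], t2["dst_port"]) == reverse
            and (ip3["src"], ip3["dst"], t3["src_port"], t3["dst_port"]) == forward
            and t1["flags"] == {"SYN"}
            and t2["flags"] == {"SYN", "ACK"} and t2["ack"] == (t1["seq"] + 1) & 0xFFFFFFFF
            and t3["flags"] == {"ACK"} and t3["seq"] == t2["ack"]
            and t3["ack"] == (t2["seq"] + 1) & 0xFFFFFFFF)


# Constructed handshake: client 192.0.2.10:51234 opening a connection to 203.0.113.5:80.
CLIENT, SERVER = "192.0.2.10", "203.0.113.5"
HANDSHAKE = [
    build_packet(CLIENT, SERVER, 51234, 80, seq=1000, ack=0, flags=("SYN",)),
    build_packet(SERVER, CLIENT, 80, 51234, seq=5000, ack=1001, flags=("SYN", "ACK")),
    build_packet(CLIENT, SERVER, 51234, 80, seq=1001, ack=5001, flags=("ACK",)),
]

if __name__ == "__main__":
    for p in HANDSHAKE:
        ip, tcp = parse_ipv4_header(p), parse_tcp_header(parse_ipv4_header(p)["payload"])
        print(f"{ip['src']}:{tcp['src_port']} -> {ip['dst']}:{tcp['dst_port']} ttl={ip['ttl']} "
              f"flags={sorted(tcp['flags'])} seq={tcp['seq']} ack={tcp['ack']}")
    print("valid three-way handshake:", is_three_way_handshake(HANDSHAKE))
```

Two details are worth noticing when applying this to real captures: the SYN consumes one sequence number even though it carries no data, which is why each side's first acknowledgement is the peer's initial sequence number plus one; and the parser slices the payload with the header-length and total-length fields rather than assuming 20 bytes, so IP options or trailing padding do not shift the TCP fields.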

 

2.3.2     Internet Control Message Protocol (ICMP)

This protocol is used to relay information and error messages between systems. Examples where it would be used are if the Destination IP address is unreachable or if the Time to Live is exceeded.

2.4     Network Access Layer Protocols (Layer 2)

2.4.1     Address Resolution Protocol (ARP)

This protocol is used to translate layer three IP addresses into layer two MAC addresses. This is a common necessity in a network when one device wants to communicate with another device (or to forward data to another device) but only has that device’s IP address. The device sends out an ARP request, essentially asking all the devices on the network, “Do you have such and such IP address, and if so, what is your MAC address?” The device with the desired IP address sends an ARP response with its MAC address.

[1] Definition obtained from: http://en.wikipedia.org/wiki/Computer_network

[2] This is because the value 255 in binary is 8 ones, so such a subnet mask has the first 24 bits set to 1.

[3] Actually, the maximum number of hosts is slightly less due to addresses which are reserved, but that is not covered here.

[4] SYN, or synchronize, is one of the flags in a TCP header. This bit, when set, indicates that one is trying to set up a connection, or synchronize, with the other party.

[5] ACK, or acknowledge, is used to acknowledge receipt of a packet from a sender. A SYN-ACK packet means that both the SYN and ACK bits are set. The server is attempting to set up the corresponding connection with the client that just requested a connection setup and acknowledging that it received the client’s SYN packet.

[6] This ACK packet acknowledges receipt of the server’s SYN-ACK packet.

1. Use the `nslookup` command to determine the IP addresses for `www.poly.edu`
2. Use the `telnet` command to find the hidden text in the content of the webpage:
http://isis.poly.edu/~cyfor/NetworkingChallengeExample.html
Note: Yes, I know there are easier ways to solve this!

Answers can be found in the resources section in the file `AnswersToNetworkingChallenge.pdf`

AnswersToNetworkingChallenge.pdf(91.93 KB) marcbudofsky, Mar 17 2013, 9:42 PM

