TCP/IP Addressing and Data Delivery
Protocol Analyzers
A protocol analyzer (also called a network analyzer or packet analyzer) is diagnostic software that captures and decodes the frames and packets transmitted over a network. It can dissect the headers of protocols operating at the Physical, Data Link, Network, and Transport layers of the OSI model, and most analyzers also decode common Application-layer protocols. An analyzer can record everything that reaches its interface, or only selected traffic by applying capture and display filters (by address, protocol, port, and so on). On a wired network it is possible to gather traffic from all or just part of a network, with one important caveat: on a switched network a port receives only the unicast traffic addressed to its own host plus broadcasts and multicasts, so capturing other hosts' traffic requires a mirror (SPAN) port, a network tap, or a hub. On a wireless network, traffic can be captured one channel at a time. Uses for a protocol analyzer include:
• Analyzing current network traffic patterns and locating potential problems
• Detecting possible network intrusions
• Monitoring network usage for performance analysis
• Filtering undesirable network traffic
• Launching an eavesdropping attack: anything sent in clear text, such as credentials or session cookies, is readable by anyone who can capture it
Different protocol analyzers have different levels of functionality. Some are purely software; others combine hardware and software to gather and analyze network information. High-end solutions usually support more protocols, higher link speeds, deeper analysis, and the ability to generate test traffic. The product you use depends on your environment and the needs of your network.
• Windows Server releases up to Windows Server 2003 shipped a basic protocol analyzer called Network Monitor that saves each capture to a file. There are two versions. The first ships with Windows Server but is not installed by default; you add it through Add/Remove Windows Components. It can capture only packets that travel to or from the device on which it is installed. The full version is included with Systems Management Server (SMS), can be installed separately from the full SMS product, and can capture packets sent to or from any device on the network segment. Later Windows versions do not ship an analyzer; Microsoft's separately downloaded Network Monitor 3.x and Message Analyzer are no longer developed, so Wireshark is the usual choice today.
• Most Linux distributions package tcpdump, a popular command-line capture utility. tcpdump prints the Data Link, IP, and Transport headers (MAC addresses, IP addresses, ports, TCP flags and sequence numbers) and can dump the payload as well. The capture can be watched in real time or written with -w to a pcap file that Wireshark and other analyzers open. In addition to tcpdump, many Linux administrators use Wireshark® to capture and analyze traffic on the network.
• The netstat utility is included with most UNIX and Linux distributions. It is not a capture tool: it reports the local host's open ports and sockets, per-protocol packet statistics, routing tables, and multicast memberships, which is useful for confirming what an analyzer shows. On current Linux systems ss (sockets) and ip (routes, multicast memberships) provide the same information.
To capture packets that are not addressed to the capturing host, protocol analyzers require a network adapter and driver that support promiscuous mode. In promiscuous mode the adapter passes every frame it receives to the operating system, regardless of source or destination address. In normal operation the adapter accepts only frames addressed to its own MAC address, the broadcast address, or a multicast group it has joined, and discards the rest before the operating system sees them, so the analyzer never sees the traffic between other hosts that it is meant to examine. Promiscuous mode only helps if those frames reach the adapter at all, which on a switched network is what the mirror port or tap is for. On wireless adapters the equivalent is monitor mode, which additionally captures 802.11 management and control frames.
IP
Internet Protocol (IP) is a Network-layer (OSI Layer 3) protocol responsible for addressing and routing individual datagrams. It defines the packet format and the logical (IP) addressing scheme, is connectionless, and acts as an intermediary between the higher protocol layers and the network. IP makes no guarantee about delivery: datagrams may be lost, duplicated, delivered out of order, or corrupted in transit (only the IP header is checksummed, not the payload). The Protocol field in the IP header identifies the payload it carries: TCP (6), UDP (17), ICMP (1) and IGMP (2), among others. When TCP is carried over IP, IP provides addressing and routing while TCP provides the connection and the reliability; TCP, not IP, is the guaranteed-delivery protocol. Nothing in the IP header is authenticated, so the source address is trivially forgeable (IP spoofing), which is why protocols above IP cannot rely on it to identify a peer.
The Three-Way Handshake
TCP uses a three-way handshake to establish a connection. Before a client attempts to connect, the server must perform a passive open: it binds to a port and listens on it, so the port is open for connections. Once the passive open is in place, a client may initiate an active open, and the three-way handshake occurs:
1. SYN: The client performs the active open by sending a segment with the SYN flag set. The client sets the segment's sequence number to a random initial sequence number (ISN) A.
2. SYN-ACK: The server replies with a segment carrying both SYN and ACK. Its acknowledgement number is one more than the sequence number it received (A+1), and its own sequence number is another random ISN, B.
3. ACK: Finally, the client sends a segment with ACK set. Its sequence number is the acknowledgement value it received (A+1), and its acknowledgement number is one more than the server's sequence number (B+1).
Each side now has an acknowledgement of the other's initial sequence number. The first two segments establish and acknowledge the sequence number for the client-to-server direction; the last two establish and acknowledge it for the server-to-client direction. With both directions synchronized, full-duplex communication is established. Two points matter for security: the ISNs must be unpredictable, since an attacker who can guess them can complete a handshake or inject data without seeing the server's replies, and the server holds state for every half-open connection between steps 2 and 3, which is what a SYN flood exhausts (SYN cookies are the usual countermeasure).
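The exchange above as two small state machines, added here as an example rather than taken from the original text. Segments are dicts instead of real TCP headers; the sequence and acknowledgement arithmetic is the one described in the three steps, including the wrap at 2^32. A tampered SYN-ACK shows the check each side performs before it moves to ESTABLISHED. The behaviour on a bad ACK (ignore rather than send RST) is a simplification of what a real stack does.

```python
"""Added example (not part of the original text): the three-way handshake as
two small state machines using the sequence/acknowledgement arithmetic above.
Segments are dicts rather than real TCP headers; the ISNs are random, as they
must be, since a predictable ISN lets an off-path attacker forge the third
segment. A tampered SYN-ACK shows the check each side makes before moving on."""
import secrets

SYN, ACK = 0x02, 0x10
MOD = 1 << 32                      # sequence numbers wrap at 2^32


def segment(flags, seq, ack=0):
    return {"flags": flags, "seq": seq, "ack": ack}


class Server:
    def __init__(self, port):
        self.port, self.state = port, "LISTEN"      # passive open: bound and listening
        self.isn = self.client_isn = None

    def receive(self, seg):
        if self.state == "LISTEN" and seg["flags"] == SYN:
            self.client_isn = seg["seq"]               # A
            self.isn = secrets.randbelow(MOD)          # B
            self.state = "SYN-RECEIVED"                # half-open until the ACK arrives
            return segment(SYN | ACK, seq=self.isn, ack=(self.client_isn + 1) % MOD)
        if self.state == "SYN-RECEIVED" and seg["flags"] == ACK:
            # Step 3 must carry seq A+1 and ack B+1; anything else is not our handshake
            # (a real stack answers a bad ACK with RST; here it is simply ignored).
            if seg["seq"] == (self.client_isn + 1) % MOD and seg["ack"] == (self.isn + 1) % MOD:
                self.state = "ESTABLISHED"
        return None


class Client:
    def __init__(self):
        self.state, self.isn, self.server_isn = "CLOSED", None, None

    def connect(self):                                  # active open
        self.isn = secrets.randbelow(MOD)              # A
        self.state = "SYN-SENT"
        return segment(SYN, seq=self.isn)

    def receive(self, seg):
        if self.state == "SYN-SENT" and seg["flags"] == SYN | ACK:
            if seg["ack"] != (self.isn + 1) % MOD:      # does not acknowledge our SYN
                return None
            self.server_isn = seg["seq"]               # B
            self.state = "ESTABLISHED"
            return segment(ACK, seq=(self.isn + 1) % MOD, ack=(self.server_isn + 1) % MOD)
        return None


def handshake(client, server, tamper=None):
    """Run the exchange; `tamper` optionally rewrites the SYN-ACK in flight."""
    syn = client.connect()
    syn_ack = server.receive(syn)
    if tamper is not None:
        syn_ack = tamper(syn_ack)
    ack = client.receive(syn_ack)
    if ack is not None:
        server.receive(ack)
    return client.state, server.state


if __name__ == "__main__":
    print(handshake(Client(), Server(80)))                                       # both ESTABLISHED
    print(handshake(Client(), Server(80), lambda s: dict(s, ack=s["ack"] + 7)))  # client SYN-SENT, server half-open
```

The tampered run leaves the server in SYN-RECEIVED with state allocated and no third segment coming, which is exactly the resource a SYN flood consumes at scale.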
ARP
The Address Resolution Protocol (ARP) maps an IP address to the physical, or media access control (MAC), address that is recognized within a local network. ARP resides at Layer 2, the Data Link layer of the OSI model (Network Interface layer of the TCP/IP model), and is carried directly in an Ethernet frame (EtherType 0x0806) rather than inside IP. ARP lets a host dynamically discover the mapping from a Layer 3 IP address to a Layer 2 MAC address, and in doing so supports IP. (ARP is IPv4-only; IPv6 performs the same function with Neighbor Discovery.) Address resolution in ARP is performed in three steps:
1. ARP receives from IP the IP address to resolve.
2. If ARP already has the MAC address in its cache, it returns it to IP. If not, it sends an ARP request as a Layer 2 broadcast asking who holds that IP address.
3. The node with the corresponding IP address responds with a Layer 2 unicast ARP reply containing its MAC address. ARP adds the mapping to its cache and returns the MAC address to IP.
ARP plays a critical role in delivery. If IP needs to deliver a packet to an address on the local network, it obtains the MAC address of the destination node itself from ARP. If the destination is on a remote network, IP needs only the MAC address of the default gateway, not of the destination node. ARP has no authentication: any host on the segment can answer a request, or send a gratuitous reply, with whatever MAC address it likes, and many stacks will update an existing cache entry on the strength of it. That is the basis of ARP spoofing (ARP cache poisoning), which lets an attacker on the LAN intercept traffic between two hosts or between a host and the gateway; static ARP entries and switch features such as Dynamic ARP Inspection are the common mitigations.
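The three resolution steps and the on-link versus default-gateway decision, simulated on a constructed LAN. This is an added example, not code from the original text; the Lan class stands in for the broadcast domain, and every host, address and MAC in it is made up. The cache accepts only replies it asked for, which stops unsolicited replies but, as the comment notes, not a forged answer to a pending request, since ARP itself cannot tell the two apart.

```python
"""Added example (not part of the original text): the three ARP resolution
steps and the on-link versus default-gateway decision, simulated on a
constructed LAN. The Lan class stands in for the broadcast domain; hosts,
addresses and MACs are made up for the example."""
import ipaddress

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


class Lan:
    """Broadcast domain: knows which IP answers with which MAC and logs every frame."""
    def __init__(self, hosts):
        self.hosts = dict(hosts)
        self.log = []

    def send(self, frame):
        self.log.append(frame)
        if frame["dst_mac"] == BROADCAST_MAC and frame["op"] == "request":
            mac = self.hosts.get(frame["target_ip"])
            if mac is not None:                      # the target answers with a unicast reply
                reply = {"dst_mac": frame["src_mac"], "src_mac": mac, "op": "reply",
                         "sender_ip": frame["target_ip"], "sender_mac": mac}
                self.log.append(reply)
                return reply
        return None                                   # nobody owns that address: request times out


class Host:
    def __init__(self, ip, mac, prefix, gateway, lan):
        self.ip, self.mac, self.gateway, self.lan = ip, mac, gateway, lan
        self.net = ipaddress.ip_network(prefix, strict=False)   # e.g. "192.168.1.0/24"
        self.cache = {}                                         # ARP cache: IP -> MAC
        self.pending = set()                                    # requests awaiting a reply

    def next_hop(self, dst_ip):
        """IP decides whose MAC it needs: the destination itself if it is on the local
        network, otherwise the default gateway."""
        return dst_ip if ipaddress.ip_address(dst_ip) in self.net else self.gateway

    def resolve(self, ip):
        """Steps 1-3: IP hands ARP an address; a cache hit returns at once, otherwise a
        Layer 2 broadcast goes out and the unicast reply is cached."""
        if ip in self.cache:
            return self.cache[ip]
        self.pending.add(ip)
        reply = self.lan.send({"dst_mac": BROADCAST_MAC, "src_mac": self.mac, "op": "request",
                               "sender_ip": self.ip, "sender_mac": self.mac, "target_ip": ip})
        if reply is None:
            self.pending.discard(ip)
            return None
        return self.accept_reply(reply)

    def accept_reply(self, reply):
        """Cache only replies we asked for. ARP carries no authentication, so a forged
        reply to a pending request would still be accepted; this check only stops
        unsolicited ones."""
        ip = reply["sender_ip"]
        if reply.get("op") != "reply" or ip not in self.pending:
            return None
        self.pending.discard(ip)
        self.cache[ip] = reply["sender_mac"]
        return self.cache[ip]

    def mac_for(self, dst_ip):
        """The MAC the Ethernet header gets when IP delivers a packet to dst_ip."""
        return self.resolve(self.next_hop(dst_ip))


GATEWAY_MAC, PEER_MAC = "00:aa:00:00:00:01", "00:aa:00:00:00:20"
lan = Lan({"192.168.1.1": GATEWAY_MAC, "192.168.1.20": PEER_MAC})       # constructed LAN
host = Host("192.168.1.10", "00:aa:00:00:00:10", "192.168.1.0/24", "192.168.1.1", lan)

if __name__ == "__main__":
    for dst in ("192.168.1.20", "203.0.113.7", "192.168.1.77"):
        print(dst, "->", host.next_hop(dst), "->", host.mac_for(dst))
    print("frames on the wire:", len(lan.log), "cache:", host.cache)
```

The remote destination never appears in the cache; only the gateway does, which is why poisoning the gateway's entry on a victim is enough to intercept all of its off-LAN traffic.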
ICMP
The Internet Control Message Protocol (ICMP) is used alongside IP to report on the condition of the path between two nodes. ICMP messages notify a sender of network conditions by reporting errors; ICMP is connectionless and works at OSI Layer 3 (the Internet layer of the TCP/IP model), carried inside IP with protocol number 1. Historically, a receiving node whose buffers were being flooded could send an ICMP Source Quench message to make the sender slow down; that message is now deprecated and ignored by modern stacks, and congestion control is TCP's job. A router still sends ICMP Destination Unreachable when it cannot forward a packet and Time Exceeded (the "expired in transit" message) when a packet's TTL reaches zero, which is also how traceroute discovers each hop. When you ping from one device to another, you are using ICMP Echo Request and Echo Reply messages. ICMP traffic is often blocked at firewalls for security reasons, since it can be used to map a network and to carry covert data; blocking it wholesale, however, breaks Path MTU discovery, which relies on Destination Unreachable (fragmentation needed) messages, so in practice only the types that are not required should be filtered. A common example of ICMP traffic is using the ping utility to check connectivity.
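An added example covering both the IP section above (header format, the Protocol field, the header-only checksum) and this ICMP section (echo request and reply, TTL handling). It is not code from the original text. It builds an IPv4 header around an ICMP Echo Request with the Internet checksum both protocols use, answers it the way the pinged host would, performs a router's per-hop TTL decrement, and rejects a packet whose TTL was changed without the checksum being fixed. Addresses and identifiers are made up.

```python
"""Added example (not part of the original text): IP's header formatting and
ICMP's echo messages on the wire. It builds an IPv4 header around an ICMP echo
request, computes the Internet checksum both protocols use, answers the request
the way the pinged host would, and rejects a packet whose TTL was changed without
fixing the checksum. Addresses and identifiers are made up."""
import struct

PROTO_ICMP, PROTO_IGMP, PROTO_TCP, PROTO_UDP = 1, 2, 6, 17               # IPv4 Protocol field values
ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11  # ICMP types named in the text


def internet_checksum(data):
    """RFC 1071: one's-complement sum of 16-bit words, complemented. Returns 0 when
    run over data that already contains a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0x1234):
    """Version 4, IHL 5 (no options), DF set. Only the header is checksummed;
    the payload's integrity is the upper protocol's business."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000,
                      ttl, proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def icmp_message(mtype, code, ident, seq, data=b""):
    """ICMP header: type, code, checksum, then (for echo) identifier and sequence."""
    body = struct.pack("!BBHHH", mtype, code, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]


def build_ping(src, dst, ident, seq, data=b"abcdefgh", ttl=64):
    icmp = icmp_message(ECHO_REQUEST, 0, ident, seq, data)
    return ipv4_header(src, dst, PROTO_ICMP, len(icmp), ttl=ttl) + icmp


def parse_packet(pkt):
    """Verify the IPv4 header checksum, then decode ICMP if that is the payload."""
    ihl = (pkt[0] & 0x0F) * 4
    if internet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    out = {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
           "ttl": pkt[8], "proto": pkt[9]}
    if out["proto"] == PROTO_ICMP:
        icmp = pkt[ihl:total_len]
        if internet_checksum(icmp) != 0:
            raise ValueError("bad ICMP checksum")
        mtype, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
        out.update(type=mtype, code=code, ident=ident, seq=seq, data=icmp[8:])
    return out


def is_valid(pkt):
    try:
        parse_packet(pkt)
        return True
    except ValueError:
        return False


def reply_to_ping(request):
    """The pinged host's answer: Echo Reply carrying the same ident, seq and data,
    addresses swapped. This is what ping matches against its outstanding requests."""
    req = parse_packet(request)
    icmp = icmp_message(ECHO_REPLY, 0, req["ident"], req["seq"], req["data"])
    return ipv4_header(req["dst"], req["src"], PROTO_ICMP, len(icmp)) + icmp


def forward(pkt):
    """What a router does per hop: decrement TTL and recompute the header checksum.
    At TTL 0 it drops the packet (and would send ICMP Time Exceeded to the source)."""
    ihl = (pkt[0] & 0x0F) * 4
    ttl = pkt[8] - 1
    if ttl == 0:
        return None
    hdr = pkt[:8] + bytes([ttl]) + pkt[9:10] + b"\x00\x00" + pkt[12:ihl]
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:] + pkt[ihl:]


if __name__ == "__main__":
    ping = build_ping("10.0.0.1", "10.0.0.2", ident=0x4242, seq=1)
    print(parse_packet(ping))
    print(parse_packet(reply_to_ping(ping)))
    print("forwarded once:", parse_packet(forward(ping))["ttl"], "valid:", is_valid(forward(ping)))
```

Note that the IP checksum protects only the header: the ICMP payload carries its own checksum, and TCP and UDP do likewise, which is also why a router can rewrite the TTL without touching anything above IP.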
IGMP
The Internet Group Management Protocol (IGMP) is a protocol in the TCP/IP suite that supports multicasting in a routed environment. Operating at Layer 3 of the OSI model (the Internet layer of the TCP/IP model), it provides one-to-many communication and is used to tell routers which hosts on a network currently belong to which multicast group. The routers need to support IGMP and multicast packet routing. Routers periodically send IGMP membership queries to the hosts on each interface; hosts that want to receive a group's traffic answer with host membership reports (and may send an unsolicited report when they join), and a host leaving a group sends a leave message. From the reports, the router learns which interfaces have group members and forwards a multicast stream only to those interfaces. Switches can listen in on this exchange (IGMP snooping) to deliver multicast frames only to the ports that asked for them rather than flooding every port. IGMP suits one-to-many applications such as streaming video or deploying images to multiple machines, and makes more efficient use of bandwidth than sending a separate unicast stream to each receiver.
TCP
The TCP/IP protocol suite includes two main Transport-layer protocols: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). Both correspond to Layer 4 of the OSI model. TCP carries most application traffic on today's networks. TCP is a connection-oriented, guaranteed-delivery protocol used to send data between devices over a network such as the Internet; it is part of the Internet protocol suite along with IP. TCP breaks the application's byte stream into segments, reassembles them at the other end, resends segments lost in transit, discards duplicates, and puts out-of-order segments back in sequence, all driven by the sequence and acknowledgement numbers exchanged in the handshake. In short, it sends data, waits for an acknowledgement, and retransmits if none arrives. Its guarantees cover delivery and ordering, not confidentiality or authenticity; those require a protocol above it such as TLS.
UDP
The User Datagram Protocol (UDP) is a connectionless Transport-layer protocol in the IP suite. UDP is a best-effort delivery protocol and is carried inside IP in the same way TCP is (protocol number 17). Its header is smaller and simpler than TCP's (source port, destination port, length, checksum), and because it is connectionless it neither sets up a session nor waits for acknowledgements, so it delivers lower latency at the cost of losing any datagram that goes missing. UDP is commonly used for streaming media such as Voice over IP (VoIP) and real-time video (as opposed to video-on-demand), for request-response protocols such as DNS and DHCP, and for network management applications such as SNMP in which a device is polled regularly for its health. It is chosen when performance matters more than receiving every byte. Because there is no handshake, nothing checks that a UDP datagram's source address is genuine; services that answer small UDP requests with large replies are therefore abused for reflection and amplification attacks, and UDP-based applications that need reliability or authenticity must provide them themselves.
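The contrast drawn in the TCP and UDP sections above, as an added example that is not part of the original text: a stop-and-wait sender over a channel that drops every third transmission. The TCP-like sender numbers its segments, waits for a cumulative acknowledgement and retransmits on a timeout (acknowledgements can be lost too, so the receiver must tolerate duplicates); the UDP-like sender just sends and whatever is dropped is gone. The data, segment size and loss pattern are constructed for the example.

```python
"""Added example (not part of the original text): the contrast the text draws
between TCP and UDP, as a stop-and-wait sender over a channel that drops every
third transmission. The TCP-like sender numbers segments, waits for a
cumulative ACK and retransmits (ACKs can be lost too); the UDP-like sender just
sends. The data and loss pattern are constructed for the example."""


class LossyChannel:
    """Drops transmission n when drop_pattern[n % len(drop_pattern)] is True."""
    def __init__(self, drop_pattern):
        self.drop_pattern = list(drop_pattern)
        self.sent = 0

    def transmit(self, pkt):
        dropped = self.drop_pattern[self.sent % len(self.drop_pattern)]
        self.sent += 1
        return None if dropped else pkt


def split(data, size):
    return [data[i:i + size] for i in range(0, len(data), size)]


class ReliableReceiver:
    """Accepts the next expected segment, ignores duplicates, always acks cumulatively."""
    def __init__(self):
        self.expected = 0
        self.chunks = []

    def receive(self, seg):
        if seg["seq"] == self.expected:
            self.chunks.append(seg["data"])
            self.expected += 1
        return {"ack": self.expected}       # "I have everything before this number"

    def data(self):
        return b"".join(self.chunks)


def send_reliable(data, channel, receiver, size=4, max_retries=8):
    """TCP-like: send one segment, wait for ack == seq + 1, else retransmit.
    Returns (data the receiver reassembled, number of retransmissions)."""
    retransmissions = 0
    for seq, chunk in enumerate(split(data, size)):
        for _attempt in range(max_retries + 1):
            delivered = channel.transmit({"seq": seq, "data": chunk})
            ack = receiver.receive(delivered) if delivered is not None else None
            if ack is not None:
                ack = channel.transmit(ack)   # the acknowledgement can be lost as well
            if ack is not None and ack["ack"] == seq + 1:
                break
            retransmissions += 1             # timeout: resend the same segment
        else:
            raise TimeoutError(f"segment {seq} never acknowledged after {max_retries} retries")
    return receiver.data(), retransmissions


def send_best_effort(data, channel, size=4):
    """UDP-like: no numbering, no acknowledgement, no retransmission."""
    received = (channel.transmit(chunk) for chunk in split(data, size))
    return b"".join(chunk for chunk in received if chunk is not None)


def compare(data, drop_pattern):
    """Run both senders over identical loss; returns (tcp_like_data, retransmissions, udp_like_data)."""
    reliable, n = send_reliable(data, LossyChannel(drop_pattern), ReliableReceiver())
    best_effort = send_best_effort(data, LossyChannel(drop_pattern))
    return reliable, n, best_effort


if __name__ == "__main__":
    got, n, udp = compare(b"the quick brown fox", [False, True, False])
    print(f"TCP-like: {got!r} after {n} retransmissions")
    print(f"UDP-like: {udp!r} (gaps are silently lost)")
```

Note what the reliable path costs: every loss, whether of a segment or of its acknowledgement, adds a round trip, which is the latency a VoIP or live-video stream would rather not pay for a packet that is already too old to play.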