Application of Ethereal (now Wireshark) - packet and network traffic analysis.pdf
Sungkyunkwan University
Copyright 2000-2006 Networking Laboratory
Ethereal Lab : TCP
2006-04-12
Hyemee [email protected]
Networking Laboratory 2/34 Ethereal Lab
Contents
TCP segment format
Capturing a TCP transfer
Filtering
Viewing TCP sequence numbers with HTTP excluded
TCP session setup
TCP congestion control

TCP segment format (#1/5)
Header | Data
Source port number       16 bits
Destination port number  16 bits
Sequence number          32 bits
Acknowledgment number    32 bits
HLEN                      4 bits
Reserved                  6 bits
Flags (1 bit each): URG, ACK, PSH, RST, SYN, FIN
Window size              16 bits
Checksum                 16 bits
Urgent pointer           16 bits
Options and Padding

Capturing a TCP transfer (#1/2)
Use the Browse button to locate the file. Start packet capture in Ethereal. Press the “Upload alice.txt file” button.
Wait until the “Congratulations!” message appears. Stop the Ethereal packet capture.

Capturing a TCP transfer (#2/2)

Filtering
Enter “tcp” in the filter window. The TCP and HTTP messages remaining after filtering:
The 3-way handshake, including the SYN message
The HTTP POST message
A series of “HTTP Continuation” messages. This is Ethereal's way of representing the several TCP segments used to transfer a single HTTP message.
TCP ACK segments

Viewing TCP sequence numbers with HTTP excluded
Since this chapter studies TCP, HTTP is filtered out by changing Ethereal's “listing of captured packets”.
Select Analyze → Enabled Protocols, uncheck the HTTP box, and confirm with the OK button.
To see TCP sequence numbers, select Edit → Preferences → Protocols → TCP and uncheck “relative sequence numbers”.

Filtered Segments

Questions #1
What is the IP address and TCP port number used by your client computer (source) to transfer the file to gaia.cs.umass.edu? 10.24.22.23, port 4782 (a value chosen arbitrarily by the host)
What is the IP address and port number used by gaia.cs.umass.edu to receive the file? 128.119.245.12, port 80 (HTTP)

Questions #2
What is the sequence number of the TCP SYN segment that is used to initiate the TCP connection between the client computer and gaia.cs.umass.edu? 3446911215
What is it in the segment that identifies the segment as a SYN segment? The SYN flag

Questions #3
What is the sequence number of the SYNACK segment sent by gaia.cs.umass.edu to the client computer in reply to the SYN? 2855197833
What is the value of the ACKnowledgment field in the SYNACK segment? 3446911216
How did gaia.cs.umass.edu determine that value? As the second step of the 3-way handshake, it sends the client's ISN+1 as the acknowledgment number.
What is it in the segment that identifies the segment as a SYNACK segment? The ACK flag
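Added example (not from the original slides): a small Python decoder for the 20-byte TCP header shown in the segment-format slide, applied to the handshake in Questions #2 and #3. It builds constructed SYN / SYN-ACK / POST segments from the ports and sequence numbers in the answer key (checksums left at zero, no IP layer modelled), checks that the SYN-ACK acknowledges ISN+1, and computes the relative sequence number that Ethereal's “relative sequence numbers” preference displays.

```python
import struct

# Flag bits in the low 6 bits of the offset/flags word (RFC 793 order: URG ACK PSH RST SYN FIN)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
MOD32 = 1 << 32                              # sequence numbers wrap modulo 2^32

def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Pack a 20-byte TCP header with no options (checksum left at 0: it
    needs the IP pseudo-header, which this example does not model)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | flags, window, 0, 0)  # HLEN = 5 words = 20 bytes

def parse_tcp_header(segment):
    """Unpack the fixed TCP header fields shown in the segment-format slide."""
    if len(segment) < 20:
        raise ValueError("need at least 20 bytes of TCP header")
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    hlen = (off_flags >> 12) * 4             # HLEN counts 32-bit words
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "hlen": hlen,
            "flags": off_flags & 0x3F, "window": win, "checksum": csum, "urgent": urg,
            "options": segment[20:hlen]}

def classify(flags):
    """Name the segment the way Ethereal's Info column does."""
    if flags & SYN:
        return "SYN-ACK" if flags & ACK else "SYN"
    if flags & FIN:
        return "FIN"
    return "ACK" if flags & ACK else "data"

def relative_seq(seq, isn):
    """Relative sequence number (SYN = 0), i.e. what Ethereal shows when
    the 'relative sequence numbers' preference is left enabled."""
    return (seq - isn) % MOD32

def check_handshake(syn, synack):
    """Second step of the 3-way handshake: the SYN-ACK must acknowledge
    the client's ISN + 1 and swap the port pair."""
    c, s = parse_tcp_header(syn), parse_tcp_header(synack)
    return (classify(c["flags"]) == "SYN" and classify(s["flags"]) == "SYN-ACK"
            and s["ack"] == (c["seq"] + 1) % MOD32
            and (s["sport"], s["dport"]) == (c["dport"], c["sport"]))

# Constructed segments using the ports and sequence numbers from the answer key above
CLIENT_SYN = build_tcp_header(4782, 80, 3446911215, 0, SYN)
SERVER_SYNACK = build_tcp_header(80, 4782, 2855197833, 3446911216, SYN | ACK)
CLIENT_POST = build_tcp_header(4782, 80, 3446911216, 2855197834, ACK | PSH)

if __name__ == "__main__":
    print(check_handshake(CLIENT_SYN, SERVER_SYNACK))                      # True
    print(relative_seq(parse_tcp_header(CLIENT_POST)["seq"], 3446911215))  # 1
```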

Questions #4
What is the sequence number of the TCP segment containing the HTTP POST command? Note that in order to find the POST command, you’ll need to dig into the packet content field at the bottom of the Ethereal window, looking for a segment with a “POST” within its DATA field.
3446911216

Questions #5 (1/2)
Consider the TCP segment containing the HTTP POST as the first segment in the TCP connection.
What are the sequence numbers of the first six segments in the TCP connection (including the segment containing the HTTP POST)?
At what time was each segment sent? When was the ACK for each segment received?
Sequence number  Send time (s)  ACK arrival time (s)  RTT (s)
3446911216       4.397153       4.649773              0.25262
3446911818       4.402445       4.649934              0.247489
3446913198       4.649881       4.883355              0.233474
3446914578       4.649918       4.884136              0.234218
3446915958       4.649985       4.886161              0.236176
3446917338       4.650013       4.886553              0.23654

Questions #7
What is the minimum amount of available buffer space advertised at the receiver for the entire trace? 5480
Does the lack of receiver buffer space ever throttle the sender? No

Questions #8
Are there any retransmitted segments in the trace file? No
What did you check for (in the trace) in order to answer this question? Retransmissions are flagged in the Info column and indicated in the segment's Options.

Questions #9
What is the throughput (bytes transferred per unit time) for the TCP connection? 152368 bytes / 5.4 s = approximately 28,216 bytes per second
Explain how you calculated this value. Size of the packets / transfer time

TCP congestion control
Measure the amount of data transferred per unit time using Ethereal's TCP graph tool.
To plot the data, select one TCP segment and choose from the menu:
Statistics → TCP Stream Graph → Time-Sequence-Graph(Stevens)

Questions #10
Use the Time-Sequence-Graph(Stevens) plotting tool to view the sequence number versus time plot of segments being sent from the client to the gaia.cs.umass.edu server.
Can you identify where TCP’s slowstart phase begins and ends, and where congestion avoidance takes over? Because the amount of data transferred is small, only part of the slow-start phase can be observed; the connection therefore never enters the congestion-avoidance phase.
Note that in this “real-world” trace, not everything is quite as neat and clean as in Figure 3.51 (also note that the y-axis labels for the Time-Sequence-Graph (Stevens) plotting tool and Figure 3.51 are different).

Sungkyunkwan University
Copyright 2000-2006 Networking Laboratory
Ethereal Lab : IP

Contents
Capturing packets from an execution of traceroute
A look at the captured trace
Questions
Computer Networking: A Top-down Approach Featuring the Internet, 3rd edition.
Version: July 2005 © 2005 J.F. Kurose, K.W. Ross. All Rights Reserved

Traceroute
In order to generate a trace of IP datagrams, we'll use the traceroute program to send datagrams of different sizes towards some destination, X.
Traceroute operates by first sending one or more datagrams with the TTL field set to 1, then 2, then 3, and so on. When the TTL reaches 0, the router returns an ICMP message to the sending host. The host executing traceroute can thus learn the identities of the routers between itself and destination X.
[Figure: Source sends echo requests with TTL(1), TTL(2), TTL(3), TTL(4), TTL(5) towards Destination; each hop at which the TTL expires returns a TTL-exceeded reply.]

Send datagrams of various lengths
Windows: http://www.pingplotter.com (shareware and freeware versions). The size of the ICMP echo request message can be explicitly set in pingplotter under Edit → Advanced Options → Packet Options. The default packet size is 56 bytes.
Linux/Unix: The size of the UDP datagram sent towards the destination can be explicitly set by giving the number of bytes in the datagram: traceroute monet.skku.ac.kr 2000

Do the following 1/3
Ethereal: Begin packet capture (Capture → Start)
Windows: pingplotter
Enter the name of a target destination. Enter 3 in the “# of times to Trace” field.
Edit → Options → Packet Options: enter a value of 56 in the Packet Size field and then press OK. Then press the Trace button; you should see a pingplotter window.
Edit → Advanced Options → Packet Options: enter a value of 2000 in the Packet Size field and then press OK. Then press the Resume button.
Stop Ethereal tracing.

Do the following 2/3
Pingplotter window

Do the following 3/3
Unix: enter three traceroute commands
A length of 56 bytes
A length of 2000 bytes
Stop Ethereal tracing.

A look at the captured trace
In your trace, you should be able to see:
S → D: the series of ICMP Echo Requests (or UDP segments)
D → S: ICMP TTL-exceeded messages
To print a packet: File → Print. Choose Selected packet only, choose Packet summary line, and select the minimum amount of packet detail that you need.

Questions 1/8
Select the first ICMP Echo Request message sent by your computer. What is the IP address of your computer? (Source Address field)
Within the IP packet header, what is the value in the upper layer protocol field?

Questions 2/8
How many bytes are in the IP header? How many bytes are in the payload of the IP datagram? Explain how you determined the number of payload bytes.
IP header length; Total length: 56 – 20 = 36 bytes of payload

Questions 3/8
Has this IP datagram been fragmented? Explain how you determined whether or not the datagram has been fragmented.
Fragment offset: the fragment's position in the original datagram
More Fragments: whether it is fragmented or not

Questions 4/8
Sort the packets according to IP source address. Which fields in the IP datagram always change from one datagram to the next within this series of ICMP messages sent by your computer? Time to live (the TTL field increases)

Questions 5/8
Which fields stay constant? Which of the fields must stay constant? Which fields must change?
Stay constant: Source & Destination
Must change: Time-to-live

Questions 6/8
Describe the pattern you see in the values in the Identification field of the IP datagram.
Identification field: increases

Questions 7/8
Find the series of ICMP TTL-exceeded replies sent to your computer by the nearest router. What is the value in the Identification field and the TTL field?
Do these values remain unchanged for all of the ICMP TTL-exceeded replies sent to your computer by the nearest (first hop) router? Why?
Identification field: used to identify the fragments of one datagram from those of another. The originating protocol module of an internet datagram sets the identification field to a value that must be unique for that source-destination pair and protocol for the time the datagram will be active in the internet system.

Questions 8/8
Sort the packet listing according to time. Find the first ICMP Echo Request message that was sent after you changed the Packet Size to be 3500.
[Figure: the 3500-byte datagram split into three fragments, each with an IP header (H) and a payload; the fields of interest are Identification, Fragment offset, and whether it is the last fragment or not: H + payload 1480 = 1500, H + payload 1480 = 1500, H + payload 520 = 540]
What information in the IP header indicates whether this is first fragment versus a latter fragment? Fragment Offset
How long is this IP datagram? 3
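Added example (not the lab's own code): a Python IPv4 header decoder and fragmentation planner covering Questions 2/8, 3/8 and 8/8 above. It reads header length, total length, payload length, protocol, TTL, Identification, More Fragments and Fragment Offset from a constructed 56-byte echo request (placeholder destination 192.0.2.1 and a constructed Identification value, neither from the trace), and computes how a 3500-byte datagram is split at a 1500-byte MTU into the 1500/1500/540-byte fragments shown in the figure.

```python
import struct

MF = 0x2000            # "More Fragments" flag in the flags/fragment-offset word
OFFSET_MASK = 0x1FFF   # 13-bit fragment offset, in units of 8 bytes
PROTO_ICMP, PROTO_UDP = 1, 17

def build_ip_header(total_len, ident, ttl, proto, src, dst, offset8=0, more=False):
    """Pack a 20-byte IPv4 header (version 4, IHL 5, checksum left at 0)."""
    flags_frag = (MF if more else 0) | (offset8 & OFFSET_MASK)
    to_bytes = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                       ttl, proto, 0, to_bytes(src), to_bytes(dst))

def parse_ip_header(pkt):
    """Unpack the IPv4 header fields the lab questions ask about."""
    (vihl, _tos, total, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4                                # IHL counts 32-bit words
    return {"header_len": ihl, "total_len": total,
            "payload_len": total - ihl,                    # Q2: 56 - 20 = 36
            "id": ident, "ttl": ttl, "protocol": proto,    # Q1: 1 = ICMP
            "more_fragments": bool(flags_frag & MF),
            "fragment_offset": (flags_frag & OFFSET_MASK) * 8,   # back to bytes
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}

def is_fragment(h):
    """Q3: the datagram is part of a fragmented series if MF is set or the offset is non-zero."""
    return h["more_fragments"] or h["fragment_offset"] != 0

def fragment_plan(total_len, mtu=1500, ihl=20):
    """Q8: split a datagram of total_len bytes (header included) for a link MTU.
    Returns (fragment_total_len, offset_field_in_8_byte_units, more_fragments)
    per fragment; every fragment but the last carries a multiple of 8 payload bytes."""
    payload, per_frag = total_len - ihl, (mtu - ihl) // 8 * 8
    plan, done = [], 0
    while done < payload:
        chunk = min(per_frag, payload - done)
        plan.append((ihl + chunk, done // 8, done + chunk < payload))
        done += chunk
    return plan

# Constructed sample: the 56-byte echo request of Q2 (destination and ID are placeholders)
ECHO_56 = build_ip_header(56, 0x1234, 1, PROTO_ICMP, "10.24.22.23", "192.0.2.1")

if __name__ == "__main__":
    print(parse_ip_header(ECHO_56)["payload_len"])   # 36
    print(fragment_plan(3500))   # [(1500, 0, True), (1500, 185, True), (540, 370, False)]
```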