Network Session 6 Hakim Sabzevari university Dr.Malekzadeh
Network Protocols
ICMP The Internet Control Message Protocol (ICMP) is a Network layer protocol. The ICMP is used for exchanging control information and messages. One of the most common examples of an application that uses ICMP is the ping utility. Ping is a tool that allows you to determine whether a particular TCP/IP host is reachable. Ping sends out an echo request to an IP address and if the destination is alive and reachable it will respond with an echo reply. If there is no route available to the destination, the last router on the path sends a Destination Unreachable message back to the source station.
ARP The Address Resolution Protocol (ARP) is Data link layer protocol. Before two stations in a network communicate with each other, they must know each other’s MAC addresses. The ARP is used to discover a MAC address (layer 2) based on the IP address (layer 3). An ARP request is broadcasted on the local network by source station. All the stations in the network hear the ARP request but only the station with the IP address listed in the ARP request frame will respond with an ARP reply containing its IP and MAC address. Then, the station that requested the MAC address will store it in its local ARP table/cache. To see the contents of ARP cash use arp –a command.
ARP command
Example:
FTP The File Transfer Protocol (FTP) is an Application layer protocol. The FTP provides connection-oriented file transfer between a client and a server. The FTP defines how a file can be transferred from one host to another and to store the files on the requesting host. For a file to be transferred from one host to another, two hosts are involved in an FTP session. One host requests a file, and the other host has a copy of the file and transfers a copy to the requesting host. The FTP transmits data between sender and receiver in an unencrypted format. FTP use TCP port 21 for control and TCP port 20 for data transport.
Example: FTP connects to the FTP server, and the user is requested to log in. The user must supply a username and a password. anonymous is an account that anyone can access files on an FTP server without a password.
SFTP The Secure File Transfer Protocol (SFTP) is a Network layer protocol. The SFTP allows you to implement the same functionality as regular FTP, but in secure way. SFTP is essentially FTP over SSH (Secure Shell), hence provide the same level of security as SSH including: Mutual authentication based on digital certificates Establishing a tunnel between the client and the server through which data is transmitted in an encrypted form. Another advantage is that SFTP operates over the same port as SSH (port 22) and does not require port 20 and 21 to be open as with regular FTP. Another form of a secure FTP is FTPS (FTP over SSL). The SFTP and FTPS are incompatible.
TFTP The Trivial File Transfer Protocol (TFTP) is an Application layer protocol. The TFTP provides no authentication and connectionless file transfer functions. TFTP is a simple and small protocol, which makes it suitable for transferring small amounts of data. TFTP uses UDP port 69 and its common usages are as follow: For updating devices such as routers and switches. For transferring the data required to boot a diskless system over the network.
Email protocols In order to transmit and receive Emails three protocols are used as follow: SMTP POP3 IMAP
SMTP The Simple Mail Transfer Protocol (SMTP) is an Application layer protocol. The SMTP is used for only sending Email to mail servers. SMTP is used when email is sent from an email client, such as Outlook Express, to an email server or when email is delivered from one email server to another. The SMTP uses TCP port 25.
POP3 Post Office Protocol (POP3) is Application layer protocol. While SMTP is used to send email, both POP3 and IMAP are used to receive Email. The POP3 allows an email client to download emails from an email server. In other words, POP3 can be used to access only the "Inbox" folder. POP3 was designed to support offline mail processing. With POP3, Email messages are removed from the server and stored on the local POP3 client, unless the client has been set to leave mail on the server. This puts the data management and security responsibility in the hands of the user. POP3 clients connect to TCP port 110.
IMAP Internet Message Access Protocol (IMAP) is Application layer protocol. IMAP is more complex than POP3 and can be used to access every server-based messaging folder including sent items, deleted items etc. IMAP lets users to keep their email on the server thus eliminates the need for a local repository. IMAP clients connect to TCP port 143.
SMTP vs. POP3 vs. IMAP The main drawback to SMTP is that it can be used only to send email and not to receive them. The main advantage of POP3 is that the email can be stored on the computer even after downloading it. This allows users to read their email at their own PC, even after cutting off Internet connection. The main drawback is that you may mistakenly copy spam email and even viruses in the process. The main advantage of IMAP is speed, since it requires only a relatively small amount of data to be passed. Email messages will only be downloaded upon a specific request from the user. Other advantages include the ability to create email folders and/or mailboxes on the server itself, and user ability to delete messages.
HTTP (متن ترکیبی) The Hyper Text Transfer Protocol (HTTP) is an Application layer protocol. The HTTP is used to exchange files on the Internet. This is the protocol that your Web browser application (IE, Firefox, Chrome,…) uses when surfing the Internet. Unlike FTP, HTTP is designed so that very little work is required by users. HTTP transfers preformatted files that are displayed in their browser instead of saving them on disk. The HTTP application runs on a Web server which listens for requests, and then responds by sending files back to the requestor web browser:
HTTP cont… HTTP listens at a TCP port 80 for any requests. After the packet is received, the appropriate file is prepared for delivery to the requestor client. The packets leave the Web server, and upon arrival at the client, the Web browser decodes the Hypertext Markup Language (HTML) file and displays it on screen with proper formatting. HTML is the file format of Web pages on a Web server that can be displayed in a proper format by a Web browser. HTML is the basic language used to write web pages.
What happens when you request a web site You open your Web browser and type in the URL www.google.com. If the URL contains a domain name, the browser first connects to a domain name server (DNS) and retrieves the corresponding IP address for the web server. Most of the web browsers caches DNS information that they don't have to submit a DNS query each time it connects to a recently visited website. Your local DNS servers does the same. Now your browser will use this IP address to establish a communication with the web server that you want to visit. To do this, the TCP/IP stack of your system initiates a TCP 3-way handshake with the IP address of the server.
What happens when you request a web site cont… Once the handshake is successful, the web browser sends an HTTP/GET request for the desired web page. The web server receives the request and checks for the desired page. If the server cannot find the requested page, it will send an HTTP 404 error message which means 'Page Not Found‘. If the page exists, the web server put the file into one or more packets, depending on how big the file is, and it is sent to you.
What happens when you request a web site cont… Your Web browser receives the packets and sends back an acknowledgement that they were received. If the Web server does not get an acknowledgement from you, the packet is resent. Your Web browser displays the information that you requested on your screen as the packets are received.
HTTPS Secure Hypertext Transfer Protocol (HTTPS) is Application layer protocol. It is used in exactly the same way as the HTTP protocol. The differences are that HTTPS uses a default port number, 443, and that HTTPS uses SSL (Secure Socket Layer) to send data in an encrypted form and to authenticate the server. For example, when you buy something online using a credit card, the URL should start with https:// instead of http://. At the bottom right of your browser, you should notice a small padlock. Both indicate that a secure HTTP connection over SSL has been established with a web server and data is transferred in coded form.
PING Ping is used to check the availability of systems by using the ICMP echo request and ICMP echo response messages. The ping utility is a diagnostic tool that you can use to test TCP/IP configurations and connections. It is useful to determine whether a particular TCP/IP host can be reached and is available. The syntax for the ping command is: ping target The target can be either a name (hostname or NetBIOS name) or an IP address.
PING cont… Some common situations where PING can be useful: To verify that TCP/IP is installed, initialized, and bound to your network card, ping the loopback address (ping 127.0.0.1). To verify that the default gateway is available and the computer can communicate with a remote host through a router, ping a host on a remote network. To verify that DNS host name resolution is available, ping an existing host name of a computer you know is online and available (eg, 8.8.8.8).
PING cont…
Ping command options -t = Using this option will ping the target until you force it to stop using Ctrl-C. -n count = This option sets the number of ICMP Echo Request messages to send. If you execute the ping command without this option, four requests will be sent. -l size = Use this option to set the size, in bytes, of the echo request packet from 32 to 65,527. The ping command will send a default size if you don't use the -l option. -f = Use this ping command option to prevent ICMP Echo Requests from being fragmented by routers between you and the target. -i TTL = This option sets the Time to Live (TTL) value, the maximum of which is 255. ping -n 5 -l 1500 www.google.com
Time to live (TTL) The Internet consists of a huge number of routers that are connected to each other. Every router is connected to at least two other routers. The problem is that under certain circumstances link failures could cause packets to travel in circles for infinity, never actually reaching their destination. This is where the TTL value comes into play. Think of the TTL value as a self-destruct mechanism for the packet. The TTL value is initially set at a fairly high number, although this number varies depending on the operating system that is being used. Every time the packet travels across to a router, the packet is said to have performed a hop. Each time that a hop occurs, the TTL value is decremented by one. If the TTL value reaches zero, the packet is destroyed.
TTL cont… TTL is something that deals with routers not computers. Every time that the ping reach a router it decrements TTL by 1 as it passes. The TTL field is 8 bits so the max value is 255 but you can change that. # of hops=# of routers away=255-TTL For example if after ping Google, the TTL is 64, it means there are 191 routers between your router and Google. Or if the destination is 3 hops away, the TTL is 253 because: Router 1 : 255 Router 2 : 254 Router 3 : 253
IPCONFIG Displays all current TCP/IP network configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings. Ipconfig without parameters displays the IP address, subnet mask, and default gateway for all adapters.
IPCONFIG cont…
IPCONFIG /all
Reset TCP/IP stack: Netsh int ip reset rest.log Netsh winsock reset catalog Reboot Ipconfig /flushdns Ipconfig /renew
DHCP Dynamic Host Configuration Protocol (DHCP) is the automatic IP-address giver which means it is a host running a service to lease (give) IP addresses to other hosts. The hosts need to have an IP address to use any TCP/IP communications and applications. Without an IP address, the host can still use local applications but the network functionality is unavailable. Thus, a host does the four-step process of DHCP to obtain an IP address: Discover Offer Request Acknowledgment
DHCP discover The first thing that a client needs to do is to find a DHCP server. Because the client doesn't know where one is, nor does it has an address yet, it broadcasts a DHCP discover packet. The client broadcasts a DHCP discover message which says, “I need a DHCP server!“. All hosts on the network will receive it-one of which is hopefully a DHCP server.
DHCP offer The DHCP server monitors every incoming packet to check whether or not it is a DHCP discover packet. When a DHCP discover packet is received, the DHCP server examines its pools of IP addresses to see whether any of those addresses correspond to the network that the request is coming from. If the DHCP server has an available address for the network where the DHCP discover packet originated, the server creates a DHCP offer packet which says: “I'm a DHCP server, do you want this address?“ The DHCP offer the packet including the IP address that the server is offering to the client. Also included in this packet is the subnet mask, the length of the lease, and a few other parameters.
DHCP offer cont… The server broadcasts the DHCP offer packet back onto the network because the DHCP client does not yet have an IP address that the server could use to send the packet directly to the client. The client will know that the packet is intended for it because the DHCP discover packet included the client's MAC address, and the DHCP offer packet also contains the same address. It's possible that the network administrator has set up more than one DHCP server. Therefore, the DHCP client might receive more than one DHCP offer. If the DHCP client receives more than one offer, the client will take the first offer that is received.
DHCP request After the DHCP client receives a DHCP offer, the client sends back a DHCP request packet. This packet lets the DHCP server to know that the offer is being accepted as it says "Yes, I would like to have this IP address.“ The DHCP client broadcasts the DHCP request packet onto the network for two reasons: The client still does not have a valid IP address needed to address a packet for direct delivery.
DHCP request cont… Since several DHCP servers might have broadcast DHCP offers and the IP addresses offered are marked as reserved so that they would not be offered to any other host, by broadcasting the DHCP request, the client enables all DHCP servers to hear the request. Then if the DHCP request was not the IP address that it offered is considered denied and the DHCP server's offer is considered denied. The DHCP server can put that IP address back into the pool and offer it to another client.
DHCP acknowledgment ACK is the final step in using DHCP to lease a new IP address. The DHCP server receives the DHCP request and prepares a DHCP acknowledgment packet to close the deal. Like the other packets, this one is also broadcasted because the DHCP client still does not have a valid IP address. The DHCP ack packet simply says, "I received your request for the IP address that I offered you, and yes, you can have that address”. After the client receives this, it knows that the work is done and it has a valid IP address now.
Renew an IP address Because IP addresses are leased from the DHCP server, the DHCP client must renew the lease on the address at a specified time. When half of the time to live (TTL) value has expired, the DHCP client will send a DHCP request to the DHCP server asking for a new lease. For example, if the IP address is leased for 24 hours, after 12 hours the DHCP client will send a DHCP request directly to the DHCP server. The DHCP request is not broadcasted this time because the DHCP client has a valid IP address and a valid lease, and the client knows the IP address of the DHCP server. Time to live (TTL) is the amount of time that the lease on an IP address is valid.
Name resolution It is difficult for us to remember numbers while it is easier to remember names. These names can be given to computers (hostname) or web sites (URL). But TCP/IP cannot find or connect to another computer with names; TCP/IP needs an IP address. Therefore, the names that we use must be resolved to an IP address before TCP/IP can do anything with them. Resolving (translating) the name to an IP address is called name resolution. After a name is resolved to an IP address, the host can then figure out whether the destination is local or remote and can continue with the communication. This is similar to finding a phone number when all you know is a name.
URL A URL has the following format: hostname.DomainName.TLD TLD part as the rightmost part is the Top Level Domain. They are categories of host names—for example, commercial organizations are in the .com domain, and educational institutions are in the .edu domain. domain part is second-level domains which will reach you to the required network. hostname part would reach you the exact computer in the required network Within every top-level domain there is a huge list of second-level domains. Every name in the top-level domain must be unique.
URL cont… If the entire address consists of only 2 parts (one dot), then the hostname is equivalent to the domain name. If the entire address consists of more than 2 parts, then the hostname is equivalent to all the left most pieces before the right 2 parts (or the domain name) Hostname and domain name together form a fully qualified domain name (FQDN). Note: sometimes you can refer to the full address as a hostname.
Example: Full Address Hostname Domain Name TLD www.bleepingcomputer.com www bleepingcomputer.com com www.google.net google.net net my.www.bleepingcomputer.com my.www
URL cont… Each top-level domain maintains a database of the second-level domains. The second-level domains maintain the next layer, and so on. An easy way to get a handle on what the Internet looks like is to view a map of the domain name space. Domain name space is the term used to reference how the Internet is subdivided. The top of the domain name space is the root. The root of the domain name space is represented by a period (.).
DNS Domain Name System (DNS) is a system used to resolve names to IP addresses on the Internet. All the URLs that need to get resolution are in a DNS database somewhere on the Internet. A DNS database administrator has entered the name and IP address into the database.
Querying a DNS server Harry wants the IP address of www.sybex.com. He knows to ask Diane the DNS Server for resolution help because the administrator who configured Harry's IP address also configured Harry with the IP address of his DNS server. The DNS server can be on the same network or it can be at an ISP. In the illustration below, Harry the Host is the resolver and Diane is the DNS server.
Querying a DNS server cont… Since Diane the DNS Server has the IP address of the root name servers, she sends a request to the root name server asking if he knows the IP address of www.sybex.com. The root name servers have IP addresses of the top-level domain name servers. So the root name server responds to Diane and says "No, I don't know www.sybex.com, but I do have the address for .com." The root name server sends back the best information it has.
Querying a DNS server cont…
Querying a DNS server cont… Now Diane has the address of a .com server. So, Diane the DNS Server sends a request to the .com name server asking for resolution to www.sybex.com. The .com name server does not have the IP address of www.sybex.com, but does have the IP address of sybex.com. The .com name server sends a response to Diane that says, "I don't know the IP address of www.sybex.com, but I do know the address of sybex.com." The .com name server responds with the IP address of sybex.com.
Querying a DNS server cont…
Querying a DNS server cont… When Diane the DNS Server receives the response from the .com server, she caches the IP address of sybex.com. Diane then sends a request to the IP address of sybex.com asking for resolution to www.sybex.com. The DNS server at sybex.com has the address of www.sybex.com. The sybex.com name server responds, "Yes, I do have the IP address for www.sybex.com; here it is.”
Querying a DNS server cont…
Querying a DNS server cont… Now that Diane the DNS Server has the IP address for www.sybex.com, she caches the IP address and then sends a packet to Harry. In this response to Harry, Diane sends the IP address of www.sybex.com. Now that Harry has the address, Harry's TCP/IP stack sends an HTTP request to the IP address sent by Diane. Diane, the client also caches that obtained address of because sometime soon she may be asked again for resolution to that URL. With the address cached, she won't have to bother the DNS with the same process.