TCP/IP bai3110

Transcript of TCP/IP bai3110. Topics covered TCP/IP layers TCP UDP IP ICMP Unicast Broadcast Multicast ARP IGMP...

Page 1

TCP/IP bai3110

Page 2

Topics covered

• TCP/IP layers

• TCP

• UDP

• IP

• ICMP

• Unicast

• Broadcast

• Multicast

• ARP

• IGMP

• Sniffing

• Port scanning

Page 3

The TCP/IP suite

• TCP refers to the transmission control protocol.

• IP refers to the Internet Protocol.

• TCP/IP refers to a suite of protocols that are used to provide connectivity over the internet between multiple networks.

• They ensure reliability and routing between networks and nodes on a network.

• TCP and IP were the first two protocols to be developed in the suite, and so the suite has been named after them.

Page 4

Protocol Structure

Page 5

TCP

• TCP provides a reliable connection between two hosts on a network.

• It ensures that two hosts can reach each other before any real data is sent.

• Other protocols such as HTTP, FTP, POP3, SMTP, etc., use TCP and store their own data in TCP packets.

• You can think of TCP packets as an envelope that holds the data any other protocol wants to transmit.

• Like an envelope, a TCP packet contains its own information to help the payload arrive at its destination.

Page 6

TCP/IP header (32 bit)

Page 7

Header fields

• Version is (IP) 4 or 6.

• Flags include the syn, ack, fin, and rst (reset) bits, used in the establishment and teardown of connections.

• TTL (time to live) provides a countdown until the packet must be discarded (expressed in number of router hops). This stops packets from circling endlessly.

• Source IP is the address of the sending host.

• Destination IP is the address of the intended recipient.

• Protocol specifies UDP, TCP, ICMP, etc.

• CRC check ensures data was not corrupted in transit.
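The header fields listed above, walked through in code. This is an added example, not material from the slides: it constructs a sample IPv4 packet carrying a TCP syn, parses back the version, TTL, protocol, addresses and TCP flag bits, and verifies the IPv4 header checksum (what the slide calls the CRC check is, for IPv4, a 16-bit ones' complement sum over the header as defined in RFC 791). The function names, packet contents and addresses (192.0.2.0/24 and 198.51.100.0/24 documentation ranges) are constructed for this illustration.

```python
import struct
from ipaddress import IPv4Address

TCP_FLAG_NAMES = {0x01: "fin", 0x02: "syn", 0x04: "rst", 0x08: "psh", 0x10: "ack", 0x20: "urg"}
PROTOCOL_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones' complement of the ones' complement sum of the 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                          # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_syn_packet(src: str, dst: str, sport: int, dport: int, ttl: int = 64) -> bytes:
    """Constructed sample: 20-byte IPv4 header (protocol 6) + 20-byte TCP header with only syn set."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, ttl, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill in the checksum field
    return ip + tcp

def parse_packet(raw: bytes) -> dict:
    """Extract the header fields named on the slide; TCP flags are decoded when protocol is 6."""
    ver_ihl, _tos, _length, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4                  # IHL counts 32-bit words; convert to bytes
    info = {
        "version": ver_ihl >> 4,
        "ttl": ttl,
        "protocol": PROTOCOL_NAMES.get(proto, str(proto)),
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        # Summing a header that already contains its checksum gives 0 only if nothing changed.
        "checksum_ok": ipv4_checksum(raw[:ihl]) == 0,
    }
    if proto == 6:
        sport, dport, seq, ack, _offset, flags = struct.unpack("!HHIIBB", raw[ihl:ihl + 14])
        info.update(sport=sport, dport=dport, seq=seq, ack=ack,
                    flags=[name for bit, name in TCP_FLAG_NAMES.items() if flags & bit])
    return info

if __name__ == "__main__":
    pkt = build_syn_packet("192.0.2.10", "198.51.100.20", 40000, 443)
    print(parse_packet(pkt))
    # A hop that decrements the TTL without recomputing the checksum leaves a header that fails the check.
    stale = pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]
    print(parse_packet(stale)["checksum_ok"])    # False
```

The last two lines show why every router must recompute the checksum after decrementing the TTL: a stale checksum makes the receiver treat the header as corrupted and discard the packet.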

Page 8

3 way handshake

• Reliable connections are established with TCP by way of the 3 way handshake.

• A series of bits in the TCP packet are turned on or off to signal various stages of the process.

1. Host A connects to host B by sending a TCP syn (synchronize bit turned on) packet.

2. Host B responds by sending a packet with the syn bit turned on and the ack (acknowledge) bit turned on. This is called a syn-ack packet.

3. Host A replies back with an ack packet (ack bit turned on).

Page 9

Why 3 steps?

• Each party in the communication must be able to receive acknowledgment that the packets they send have been received before we can say that a connection has been established.

• By the end of the second step, host A knows that its packets have been received, but host B cannot say the same.

• The third step ensures that host B knows its packets can make a round trip.

• Until the 3 way handshake is complete, no payload data is transferred.

Page 10

Fragmentation

• TCP packets can have a variable size, but there is also a default size.

• For a given set of data that must be transferred, if the data size exceeds the packet size, then that data must be broken up into pieces before it is transmitted.

• Each packet is assigned a sequence number so that the receiving end knows how to reassemble the packets in the correct order.

• This process is referred to as fragmentation and reassembly.

• Poorly chosen packet sizes can reduce performance on a network or for an application.

Page 11

UDP

• An alternative to TCP is the User Datagram Protocol.

• While TCP focuses on establishing a reliable connection, it comes at the price of increased overhead.

• Not all applications need such reliable connections, e.g. streaming media, DHCP, DNS, multicast applications.

• If speed is more important than reliability then UDP may be a better choice as a transport mechanism.

• UDP makes no effort to verify that data has arrived safely (send it and forget it).

• No 3 way handshake, but quicker. Basic error checking.

Page 12

IP

• Internet Protocol handles routing between networks.

• It is connectionless in the sense that there is no verification of a connection prior to sending. It is assumed that the connection will be established at another level, such as TCP.

• The original IP version is IPv4. It defined addresses with 32 bits, part of which represents the network that a host belongs to and part of which represents the unique ID of the host.

• Different classes of addresses have different ratios of network to host bits in the 32 bit address.

• The newer IPv6 specifies 128 bit addresses to respond to the growing need for addresses.

Page 13

IP

• In effect, IP is what gets data to its destination, while TCP is what makes sure it arrived intact and coherent.

Page 14

Unicast

• Most connections that occur over the internet involve a connection between a single server and a single client.

• This is referred to as a unicast connection.

• You can liken a unicast connection to a telephone conversation. A single connection is established between two nodes.

• There may be many such connections but each of them is separate.

• This works well in many instances, but there are circumstances where other options are preferred.

Page 15

Broadcast

• Broadcast is an alternative way to communicate, involving a single source and multiple destinations.

• You can liken it to communication via megaphone.

• In this case, data is sent to all members of a subnet or network. Everyone gets the message.

• Broadcast cannot be done using TCP as that would require numerous connection negotiations.

• As such, broadcasts are UDP based and subject to dropped packets.

• They also can be a burden on switches, which must pass the data through all of their ports.

Page 16

Multicast

• Multicast is a more refined way of sending data to multiple clients.

• Clients tune in to the transmission by advertising their participation. Switches detect this and include their ports in multicast traffic, without having to broadcast to everyone.

• This can be likened to tuning into a radio channel.

• Clients tune in by adopting a common multicast address.

• Multicast is also UDP based for the same reason as broadcast.

• Used in system deployment, webcasts, amongst others.

Page 17

ICMP

• ICMP is a protocol that serves a helper function for TCP/IP transmissions.

• ICMP echo request and ICMP echo reply packets are the best known ICMP packets, associated with the PING command.

• They can tell us whether a host is reachable on the network.

• There are a number of ICMP message types, all of which can be used for diagnostic and informational purposes, to determine if there are network problems.

• ICMP works directly over IP, without the use of either TCP or UDP.

Page 18

ARP

• Address Resolution Protocol resolves IP addresses to ethernet MAC addresses.

• It allows for the transition from the network layer to the data link layer.

• Transmissions at the LAN level ultimately take place via ethernet packets, thus ARP is an essential part of the TCP/IP model.

• The IPv6 equivalent to ARP is the Neighbor Discovery Protocol.

Page 19

ARP

• When a client has an IP address it wants to send to on the local LAN, it needs to find out the corresponding destination MAC address.

• To do so, an ARP broadcast is sent out advertising that it wants to know who has that IP.

• The system with the destination IP will then respond via ARP by providing its own Ethernet address.

• Once this is done, data can be transferred directly to the destination, without the need for broadcasts.
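The four-step ARP exchange above, modelled end to end as an added example (not from the slides): build_arp and parse_arp encode and decode the RFC 826 packet, each Host answers only requests that ask for its own IP, and the toy Lan floods the request to every other host but consults the requester's cache first, so a second send to the same IP causes no broadcast. The class and function names and the 192.0.2.0/24 addresses are constructed for this illustration.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sender MAC, sender IP, target MAC, target IP

def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))

def build_arp(op: int, smac: str, sip: str, tmac: str, tip: str) -> bytes:
    """28-byte RFC 826 payload for Ethernet (htype 1, hlen 6) carrying IPv4 (ptype 0x0800, plen 4)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, _mac(smac), _ip(sip), _mac(tmac), _ip(tip))

def parse_arp(raw: bytes) -> dict:
    htype, ptype, hlen, plen, op, smac, sip, _tmac, tip = struct.unpack(ARP_FMT, raw[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sender_mac": ":".join(f"{b:02x}" for b in smac),
            "sender_ip": ".".join(str(b) for b in sip), "target_ip": ".".join(str(b) for b in tip)}

class Host:
    def __init__(self, mac: str, ip: str):
        self.mac, self.ip, self.cache = mac, ip, {}   # cache maps IP -> MAC learned from replies

    def on_arp(self, raw: bytes):
        """Answer only a request that asks for this host's own IP (step 3 on the slide)."""
        a = parse_arp(raw)
        if a["op"] == ARP_REQUEST and a["target_ip"] == self.ip:
            return build_arp(ARP_REPLY, self.mac, self.ip, a["sender_mac"], a["sender_ip"])
        return None

class Lan:
    """Constructed toy LAN: a request is flooded to every other host, the reply returns to the asker."""
    def __init__(self, hosts):
        self.hosts, self.broadcasts = list(hosts), 0

    def resolve(self, src: Host, ip: str):
        if ip in src.cache:                 # step 4: already resolved, send directly, no broadcast
            return src.cache[ip]
        self.broadcasts += 1                # step 2: "who has <ip>? tell <src.ip>" to everyone
        request = build_arp(ARP_REQUEST, src.mac, src.ip, ZERO_MAC, ip)
        for h in self.hosts:
            reply = h.on_arp(request) if h is not src else None
            if reply:
                r = parse_arp(reply)
                src.cache[r["sender_ip"]] = r["sender_mac"]
        return src.cache.get(ip)            # None if nobody on the LAN owns that IP
```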

Page 20

IGMP

• The Internet Group Management Protocol is used by hosts and routers to advertise membership in multicast groups.

• It serves a function similar to that of ICMP in unicast transmission.

• Switches that are multicast aware can listen in on these exchanges to help make decisions about which ports to send multicast traffic through.

• This is what differentiates multicast from broadcast at a switch level.

Page 21

Why Learn This?

• A solid understanding of TCP/IP is useful when troubleshooting any network based problems.

• This includes firewall problems, multicast deployment issues, network congestion, and troubleshooting application level problems at a server level.

• A variety of tools may be used to help determine where a breakdown occurs in the execution of a network application.

• Among these tools are network port scanners and network sniffers.

Page 22

Sniffers

• Sniffers listen in on traffic on the network by putting a NIC into “promiscuous mode”.

• In promiscuous mode, the NIC will capture all traffic it receives, not just broadcast packets and the ones that were addressed specifically to it.

• In a switched environment, it is harder for a sniffer to capture packets that were not intended for it, even when in promiscuous mode. This is because the switch determines what data travels down the port that the NIC is listening on.

• Wireless networks act more like hubs, where everyone can listen to everyone else’s packets. Sniffing is much more effective in this case. Note that WPA2 does not alter this fact.

Page 23

Sniffers

• One popular sniffer (also referred to as a protocol analyzer) is Wireshark.

• It used to go by the name Ethereal.

• Wireshark is an open-source sniffer, meaning that you may freely use it and redistribute it, without fear of copyright infringement.

• Beyond its reasonable cost (free), Wireshark is popular because of its relative user-friendliness.

• A graphical user interface provides copious amounts of information on packets passing through the NIC in question.

Page 24

Port Scanners

• Port scanners are another useful set of tools to help analyze and map your (or another) network layout.

• Port scanners send TCP/IP packets to hosts on the network in order to determine what services are offered by which hosts.

• Different types of scans are possible, including TCP, UDP, ICMP scanning.

• By manipulating TCP/IP packets, scanners can perform scans that are harder to detect, or that can bypass firewall security.

Page 25

Port Scanners

• For example, one may be able to bypass packet filtering firewalls by sending a TCP packet with the fin bit set.

• Typically, such firewalls will filter out packets with the syn bit set, preventing the establishment of a TCP session.

• By sending a packet with the fin bit set prior to any other, the firewall may assume that a connection had been established from inside the network and allow the packet through.

• This will not allow the establishment of a session, but it may tell the port scanner if a service is offered on the specified port.

Page 26

OS fingerprinting

• By sending combinations of non-standard packets to a destination, it may also be possible for the port scanner to identify the OS of a host.

• For example, the TCP/IP protocols do not define how to respond to a packet where both the syn and fin bits are set.

• Different operating systems have been implemented to respond to this in different ways. Some will send an rst (reset) response, others won’t.

• This, amongst other tricks, can be used to identify what operating system a host is running.

• It does not always arrive at a final conclusion; firewalls may hinder the process.
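A minimal stateful filter that tracks the 3 way handshake from page 8 and so closes the two gaps described on pages 25 and 26. This is an added example, not from the slides: a fin that belongs to no tracked connection is dropped rather than assumed to be part of an existing session, and the undefined syn+fin combination is dropped outright. The StatefulFilter class, the Pkt tuple, the addresses (10.0.0.5 inside, 203.0.113.9 outside) and the traffic are constructed for this illustration.

```python
from collections import namedtuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # bit positions in the TCP flags byte
Pkt = namedtuple("Pkt", "src sport dst dport flags")

class StatefulFilter:
    def __init__(self, inside: set):
        self.inside = inside        # addresses on the protected side of the firewall
        self.state = {}             # connection key -> handshake state
        self.log = []

    @staticmethod
    def _key(p: Pkt):
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))   # same key for both directions

    def handle(self, p: Pkt) -> str:
        key = self._key(p)
        st = self.state.get(key)
        if p.flags & SYN and p.flags & FIN:                    # no defined meaning: fingerprint probe
            self.log.append(f"drop syn+fin probe from {p.src}:{p.sport} to port {p.dport}")
            return "drop"
        if p.flags & SYN and not p.flags & ACK:                # step 1: syn opens a connection
            if p.src not in self.inside:                       # only inside hosts may initiate
                self.log.append(f"drop inbound syn from {p.src}:{p.sport} to port {p.dport}")
                return "drop"
            self.state[key] = "SYN_SENT"
            return "accept"
        if st == "SYN_SENT" and p.flags & SYN and p.flags & ACK:   # step 2: syn-ack
            self.state[key] = "SYN_RECEIVED"
            return "accept"
        if st == "SYN_RECEIVED" and p.flags & ACK:             # step 3: ack, handshake complete
            self.state[key] = "ESTABLISHED"
            return "accept"
        if st == "ESTABLISHED":
            if p.flags & (FIN | RST):                          # simplified teardown on first fin/rst
                del self.state[key]
            return "accept"
        # A fin (or bare ack/rst) with no tracked connection: the packet a stateless filter lets through.
        self.log.append(f"drop unsolicited flags=0x{p.flags:02x} from {p.src}:{p.sport} to port {p.dport}")
        return "drop"

def demo():
    """Constructed traffic: one outbound handshake, then a fin probe and a syn+fin probe from outside."""
    fw, inside, outside = StatefulFilter({"10.0.0.5"}), "10.0.0.5", "203.0.113.9"
    packets = [Pkt(inside, 40000, outside, 443, SYN), Pkt(outside, 443, inside, 40000, SYN | ACK),
               Pkt(inside, 40000, outside, 443, ACK),
               Pkt(outside, 5555, inside, 22, FIN), Pkt(outside, 5556, inside, 22, SYN | FIN)]
    return [fw.handle(p) for p in packets], fw.log
```

The log entries are what a defender would forward to a SIEM: a burst of unsolicited fin packets across many ports from one source is the signature of the scan described on page 25.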

Page 27

Scanners

• An example of a popular open-source port scanner is nmap.

• Nmap is a command line tool, though it is possible to install a GUI frontend.

• It has a series of options that allow the user to control what type of scan is performed.

• Network administrators can use port scanners to determine if unauthorized services are being offered on a network.

• It can also be used for malicious purposes to map out networks prior to attempting to hack into systems.

Page 28

Summary

• The TCP/IP suite was named after the transmission control protocol and the internet protocol.

• It includes a series of other protocols such as UDP, ICMP, IGMP and ARP.

• It provides routing, delivery, and reliability services to higher level protocols such as FTP, HTTP, SMTP, DNS, DHCP, etc…

• TCP provides unicast services, while UDP can service multicast and broadcast needs (UDP can also do unicast).

• TCP/IP packets store delivery information in the header of the packet.

Page 29

Summary

• TCP sessions are established by way of the 3 way handshake.

• ARP allows for IP->MAC address resolution on the LAN.

• ICMP and IGMP are helper protocols that can provide diagnostic and troubleshooting information.

• Sniffers can be used to watch the traffic that is passing over a network in order to troubleshoot network issues.

• Port scanners can be used to map out networks and identify unauthorized services.