Project Objective: To analyze captured network packets and discuss different network protocols
Tools: Kali-Linux, Wireshark
An IP address is a logical address representing a unique location on a network/web.
A protocol is a set of rules that controls how a connection is established and how data is exchanged between two or more endpoints. Network protocols play an important role on the internet and in modern digital communication because they are responsible for handling communication worldwide.
DHCP
Dynamic Host Configuration Protocol (DHCP) is a network protocol used to assign IP addresses to clients/hosts on a network. The process DHCP uses is known as DORA: D - Discover, O - Offer, R - Request, A - Acknowledge. I used a .pcapng file retrieved from here for the analysis.
Discover - The client joins the network with an IP address of 0.0.0.0 and sends a DHCP Discover packet from UDP port 68 to find a DHCP server and ask it for an IP address. It is a broadcast message sent to the destination IP address 255.255.255.255, so every device on the network receives it.
Offer - The DHCP server, with an IP address of 192.168.1.5, responds with a DHCP Offer message proposing a particular IP address to the client.
Request - The client replies with a DHCP Request packet telling the server that it accepts the offered IP address. At this point the client still has the IP address 0.0.0.0.
Acknowledge - The DHCP server replies with a DHCP Acknowledge packet containing the assigned IP address and other relevant configuration. The client has now been assigned the IP address 192.168.1.10.
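To see the DORA exchange outside Wireshark, here is a small parser added as an example (it is not part of the original write-up): it decodes the BOOTP header and DHCP options of each message and reconstructs the exchange per transaction id, reporting a lease only when all four steps are present. The sample packets are constructed in the code to mirror the capture above (server 192.168.1.5 handing out 192.168.1.10); the transaction ids and client MAC are made up.

```python
import struct
from collections import defaultdict

MSG_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "Ack"}   # option 53 values (RFC 2132)
MAGIC_COOKIE = b"\x63\x82\x53\x63"                                   # marks the start of DHCP options

def parse_dhcp(payload: bytes) -> dict:
    """Parse the 236-byte BOOTP fixed header and the DHCP TLV options of one UDP payload."""
    op, _htype, _hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:      # 255 = end option
        if payload[i] == 0:                              # 0 = pad option, carries no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": ".".join(map(str, payload[16:20])),
            "type": MSG_TYPES.get(options.get(53, b"\0")[0], "other"),
            "server": ".".join(map(str, options[54])) if 54 in options else None}

def dora_leases(payloads: list) -> dict:
    """Group messages by transaction id; a lease is reported only for a complete DORA exchange."""
    by_xid = defaultdict(list)
    for msg in map(parse_dhcp, payloads):
        by_xid[msg["xid"]].append(msg)
    result = {}
    for xid, msgs in by_xid.items():
        seq = [m["type"] for m in msgs]
        ack = msgs[-1] if seq == ["Discover", "Offer", "Request", "Ack"] else None
        result[xid] = {"sequence": seq, "ip": ack and ack["yiaddr"], "server": ack and ack["server"]}
    return result

def build_dhcp(op: int, xid: int, msg_type: int, yiaddr="0.0.0.0", server=None) -> bytes:
    """Construct a minimal DHCP message as test input (not captured traffic)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)
    hdr += bytes(4) + bytes(map(int, yiaddr.split("."))) + bytes(8)   # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes.fromhex("0800275a1b2c") + bytes(10) + bytes(192)     # chaddr (made-up MAC), sname, file
    opts = bytes([53, 1, msg_type])                                   # option 53: DHCP message type
    opts += bytes([54, 4]) + bytes(map(int, server.split("."))) if server else b""   # option 54: server id
    return hdr + MAGIC_COOKIE + opts + b"\xff"

# Constructed DORA exchange mirroring the capture discussed above, plus a Discover that got no Offer.
SAMPLE = [build_dhcp(1, 0x3903F326, 1),
          build_dhcp(2, 0x3903F326, 2, "192.168.1.10", "192.168.1.5"),
          build_dhcp(1, 0x3903F326, 3, server="192.168.1.5"),
          build_dhcp(2, 0x3903F326, 5, "192.168.1.10", "192.168.1.5"),
          build_dhcp(1, 0x0000ABCD, 1)]
```

Running `dora_leases(SAMPLE)` reports the lease for the complete exchange and an incomplete sequence for the lone Discover, which is the same grouping Wireshark's "Transaction ID" column gives you.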
Next, we look closely at what happens when a client pings another machine. This analysis covers the following protocols: ARP, DNS, and ICMP.
As we can see, the client pings google.com, which resolves to the IP address 142.251.33.174.
ARP
ARP (Address Resolution Protocol) is used to map IP addresses to MAC addresses. For devices on a network to communicate with one another, the MAC addresses of the hosts must be known, and this is where ARP comes in.
The client sends an ARP request, a broadcast message asking "who has 10.0.2.1?". That is the IP address of the default gateway, which forwards data outside Kali's local network on its way to the IP address of google.com. The device holding 10.0.2.1 responds with an ARP reply packet answering that it is 10.0.2.1 and giving its MAC address. The Kali Linux machine can now send data to that IP address.
DNS
Our browsers can only retrieve data from websites using IP addresses, which are difficult for people to remember, and that is where DNS comes in. DNS stands for Domain Name Service and resolves human-readable domain names to IP addresses that computers can understand. It is like a phone book that our browsers use to look up the IP address of the server a website is hosted on.
Here the Kali machine needs to ping google.com and therefore needs its IP address. It sends a DNS query to the DNS server (192.168.0.1) asking for the IP address of google.com, and the DNS server answers with a DNS response containing that IP address.
ICMP
Internet Control Message Protocol (ICMP) is a protocol that network technicians use to test and diagnose reachability and communication between devices/endpoints. Ping works by sending an ICMP Echo Request to a host and expecting an ICMP Echo Reply in return.
When a ping command is issued, an Echo Request is sent to the specified address (google.com / 142.251.33.174). The target host receives the Echo Request and responds by sending an Echo Reply packet.
TCP
Transmission Control Protocol and Internet Protocol (TCP/IP) are the communication protocols that define how data travels across the internet. TCP is a connection-oriented protocol that establishes and maintains a formal connection between the two communicating devices. It is reliable and guarantees data delivery through acknowledgments and the retransmission of missing packets.
TCP 3-Way Handshake
To formally initiate a connection, both hosts (client and server) must go through the 3-way handshake before transmitting data. It takes place right after the other protocols have done their work:
- DHCP: the client is assigned its IP address
- ARP: the client learns the MAC address of the default gateway
- DNS: the client learns the IP address of the server it wants to communicate with
The handshake itself then proceeds in three steps:
- The client (192.168.1.107) starts by sending a SYN (synchronization) packet to the server (98.129.229.28) to initiate the connection.
- The server responds with a SYN/ACK (synchronization and acknowledgement) packet, telling the client that it received the SYN and is willing to connect.
- The client then responds with an ACK packet indicating that it received the server's SYN/ACK. With the connection established, both sides can send and receive data. The client sends an HTTP GET request to the server to retrieve a web page.
We have discussed the basics of how hosts are assigned IP addresses, how a connection is established, and how data is sent over a network.