
Technical University of Moldova

Faculty of Computers, Informatics and Microelectronics

Network Programming
Laboratory work #5

Subject: Network reverse engineering

Done by: VLAS Mihai

Checked by: CIORBĂ Dumitru

Chișinău 2017
Contents:
1. Problem & domain analysis
2. Wireshark and working principles. Quick Chat
3. Practical Part
4. Conclusion
Problem & Domain Analysis
The Internet Protocol (IP) is the fundamental protocol of the TCP/IP family. IP handles the
routing of datagrams based on destination address. It allows for the interconnection of
multiple networks by routing datagrams across network boundaries when necessary.
Datagrams can be routed through Ethernet segments, serial lines, phone lines, or
satellite links.
IP is often referred to as a "connectionless" delivery system because it routes each
datagram separately. When it receives a sequence of datagrams from a higher-level
protocol, IP routes each datagram in the sequence individually. That is, each datagram
in the sequence may, or may not, travel over the same path to the same destination.
The IP service makes a best-effort attempt to deliver all datagrams, but if some
datagrams get lost due to network hardware problems or resources that are overloaded,
higher-level protocols, not IP, will retransmit the datagrams.
"Connectionless" can also describe the logical view of an IP internet. Hosts and
gateways on the Internet all operate autonomously, routing and delivering datagrams
without any coordination with the original sender. Though nodes on the Internet are
connected physically in various ways, users see the Internet as a single virtual network
where the physical connections are irrelevant.
IP also defines the format of a datagram. The general format is a datagram header,
followed by a data area. The header includes such fields as version of the IP protocol,
length of the header, total length of the datagram, and the source and destination IP
addresses.
Three fields in the datagram header control fragmentation and reassembly of
datagrams. IP can be used with many different physical network implementations, each
of which can specify a different maximum size for physical data frames. On some
physical networks, IP datagrams must be fragmented to fit into one physical data frame.
IP handles fragmenting and reassembly of datagrams, using data in the fragmentation
fields of the header.
The Time-To-Live (TTL) field in the IP header controls how long a datagram is allowed
to remain in the Internet system. The sender of a datagram sets this field. Each gateway
along the path from source to destination checks the time remaining and discards the
datagram when the TTL value reaches zero. This feature prevents datagrams from
traveling around the Internet forever, should the routing tables be temporarily
corrupted.
The data portion of an IP datagram is used by IP to forward information passed to it
from higher-level protocols, such as the TCP header and data. One field in the IP
header specifies which protocol is used in the data portion of the IP datagram.

Fig 1.1 TCP/IP Layers and protocols

The Internet Control Message Protocol (ICMP) is used for error messages intended
for the IP network software, rather than any particular user program. For example, a
gateway might send an ICMP datagram to inform another gateway that a subnetwork or
a node on a subnetwork is unavailable.
Because the IP Internet is a connectionless system, gateways and hosts route
datagrams without coordinating with the original sender. This works fine except when a
problem delivering a datagram occurs. Problems occur when nodes or whole networks
become disconnected, the time-to-live counter expires, or gateways become too
congested to process more traffic. ICMP is used to send messages about these and
other error conditions.
ICMP is also used for testing the reachability and status of destinations. A host or
gateway sends an ICMP echo request message to test whether a destination is alive.
Machines that receive echo requests must reply with the exact same data that was sent
to them.
ICMP is a required protocol for any Internet that uses IP. IP routing will not be
successful unless ICMP is used for reporting unexpected circumstances. ICMP
messages travel across the Internet in the data portion of IP datagrams. The IP
software on the destination machine processes the ICMP messages; they are not sent
to higher-level protocols.

UDP (User Datagram Protocol) is an alternative communications protocol to
Transmission Control Protocol (TCP) used primarily for establishing low-latency and
loss-tolerating connections between applications on the Internet. Both UDP and TCP
run on top of the Internet Protocol (IP) and are sometimes referred to as UDP/IP or
TCP/IP. Both protocols send short packets of data, called datagrams.
UDP provides two services not provided by the IP layer. It provides port numbers to
help distinguish different user requests and, optionally, a checksum capability to verify
that the data arrived intact.
TCP has emerged as the dominant protocol used for the bulk of Internet connectivity
owing to services for breaking large data sets into individual packets, checking for and
resending lost packets and reassembling packets into the correct sequence. But these
additional services come at a cost in terms of additional data overhead, and delays
called latency.
In contrast, UDP just sends the packets, which means that it has much
lower bandwidth overhead and latency. But packets can be lost or received out of order
as a result, owing to the different paths individual packets traverse between sender and
receiver.
UDP is an ideal protocol for network applications in which perceived latency is critical
such as gaming, voice and video communications, which can suffer some data loss
without adversely affecting perceived quality. In some cases, forward error correction
techniques are used to improve audio and video quality in spite of some loss.
UDP can also be used in applications that require lossless data transmission when the
application is configured to manage the process of retransmitting lost packets and
correctly arranging received packets. This approach can help to improve the data
transfer rate of large files compared with TCP.
In the Open Systems Interconnection (OSI) communication model, UDP, like TCP, is in
layer 4, the Transport Layer. UDP works in conjunction with higher level protocols to
help manage data transmission services including Trivial File Transfer Protocol (TFTP),
Real Time Streaming Protocol (RTSP), Simple Network Protocol (SNP) and Domain
Name System (DNS) lookups.

With the User Datagram Protocol (UDP), user processes can send and receive data
across the network without the error-checking or session-management facilities of TCP.
This avoids the overhead involved with establishing and maintaining an active and
error-free TCP session.
UDP is often used for transporting unknown protocols. For example, when UDP is used
to transport AppleTalk protocol data on an Ethernet-based internetwork, the AppleTalk
data can get passed through the standard Ethernet nodes that don't understand
AppleTalk, and eventually reach a node that does understand it.
Another important feature of both UDP and TCP is that they have the ability to
distinguish among multiple destinations within a given host computer. The existence of
a port number allows UDP and TCP users to distinguish among various applications on
one machine, such as file transfer, remote job entry, and echo. In addition to the data
sent by a user process, each UDP or TCP message includes an identifier, called a "port
number" for the destination and source processes. By convention, some port numbers
are reserved for well-known processes such as FTP, Telnet, name server, and
authentication service.
Wireshark & working principles. QuickChat

Wireshark is a network packet analyzer. A network packet analyzer tries to capture
network packets and to display that packet data in as much detail as possible.

You could think of a network packet analyzer as a measuring device used to examine
what's going on inside a network cable, just like a voltmeter is used by an electrician
to examine what's going on inside an electric cable (but at a higher level, of course).

In the past, such tools were either very expensive, proprietary, or both. However, with
the advent of Wireshark, all that has changed.

Wireshark is perhaps one of the best open source packet analyzers available today.

Fig 2.1 Wireshark Working Principle


Capturing takes packets from a network adapter and saves them to a file on your hard
disk.

Since raw network adapter access requires elevated privileges, these functions are
isolated into the dumpcap program. It's only this program that needs these privileges,
allowing the main part of the code (dissectors, user interface, etc.) to run with normal
user privileges.

To hide all the low-level machine dependent details from Wireshark, the libpcap and
WinPcap libraries are used. These libraries provide a general purpose interface to
capture packets and are used by a wide variety of applications.

Wireshark can read and write capture files in its native file formats, pcapng and pcap,
which are used by many other network capturing tools, such as tcpdump. In addition
to this, as one of its strengths, Wireshark can read and write files in many different
file formats of other network capturing tools. The wiretap library, developed together
with Wireshark, provides a general purpose interface to read and write all the file
formats. If you need to add support for another capture file format, this is the place to
start. While Wireshark is loading packets from a file, each packet is dissected.
Wireshark tries to detect the packet type and gets as much information from the
packet as possible. In this run, though, only the information shown in the packet list
pane is needed.

As the user selects a specific packet in the packet list pane this packet will be
dissected again. This time, Wireshark tries to get every single piece of information
and put it into the packet details pane.

Fig 2.2 Wireshark GUI


Fig 2.3 Wireshark Capturing table

As we observe, the protocol used to transfer data is UDP. In Wireshark we have several
columns that we can use as filters, such as:

No. - number of the packet
Time - displays the time when the packet was captured by Wireshark
Source - displays the source IP address
Destination - displays the destination IP address
Protocol - shows the protocol used for a certain message
Length - indicates the length of the data transferred
Info - shows information about the received message

QuickChat.
QuickChat is a simple messenger for two (or more, payment needed) persons with a
simple working principle. Using the User Datagram Protocol, users exchange
messages with each other: first each user adds the IP address of the other person, after
which the connection is set up and an automatic name (by default the name of the PC) is selected.
Fig 2.4 QuickChat's GUI
As chatting options for this app we have the following:
1) Main Chat with all the participants at the Topic

Fig 2.5 #Main Chat

2) Private Messages for Users


Fig. 2.6 Private Message Window

3) Creation of Private Channels with selective access

Fig. 2.7 Private Channel


Practical Part
For the practical part, at this point we have to launch 2 QuickChat accounts on two different
machines (they can be virtual); for this I operated with a laptop and a PC.
So first of all we ran 2 QuickChats and added each other's IP addresses to
create a common #Main chat channel.

Fig. 3.1 #Main chat channel.

At the same time, we run Wireshark and capture on the Wireless Network interface; after
that we filter by the IP address of our second device.

Fig 3.2 Wireshark filtering the address of the second device


The next section presents every action made in QuickChat and the message
it transfers to the other user.

So first of all we sent a message from one device to the other with the text "hello", which we
can see in the message transferred to the other user.

Fig 3.3 Wireshark message tracking

As the communication channel is not secured, we can see the message we wrote from
another device. Here we can observe that, together with our text message "hello", QuickChat also
sent a couple of pieces of information, such as #Main, which indicates the discussion channel, and
the name of the user that sent the message (mich201).

Fig 3.4 Message sent by quickchat via UDP


Fig.3.5 QuickChat creating another channel and sending messages

Fig 3.6 Message displayed in wireshark


Now that we have changed the channel, we can observe that the sent data contains the #Lab
channel information.

Now let's try to exit QuickChat and see which message will be sent to the user:

Fig 3.7 User left QuickChat


When a user reconnects to QuickChat, we can observe that we receive his name and the
topic he joined.
Fig 3.8 User reconnects to QuickChat
When someone changes the topic, the message transferred to the other user will contain
the new topic name and the name of the user who changed it.

Fig. 3.9 User changes the topic name

Fig 3.10 Message received by the user about the topic changes.
When someone changes their name, the following message will be sent:

Fig 3.11 Name change in QuickChat

Fig 3.12 Message received by the user about name changing.

Let's see the difference between sending a message in the general chat channel and
sending it privately:
Fig 3.13 Message sent in global channel and its data transferred

Fig 3.14 Message sent privately


We can observe the difference in the first number sent, which indicates the channel, and
the fact that we don't have the channel name specification.
Table of general UDP message patterns used by QuickChat

QuickChat action                    | UDP message
------------------------------------|---------------------------------------------
Writing in main chat                | 2#Main.(username).(message).
Writing in another created channel  | 2#(channel_name).(username).(message).
Reconnecting to the chat            | C(topic_name = autocreated by).
Changing the topic                  | B(topic_name).
Changing the username               | 3(old_username).(new_username).
Writing a private message           | 6(username_from).(username_to).(message)

We can observe some related patterns in the messages transferred by the UDP protocol
while we use QuickChat, for example:
1) The number 2 is the first symbol of the message when we send it in the Main channel or
in others we created.
2) The letter C is set at the beginning of the UDP message when someone reconnects
to QuickChat.
3) The letter B is set when someone changes the topic of the channel.
4) The number 3 is the beginning of the UDP message when a user changes their
username.
5) Also we can see that every UDP message ends in "." and that the separation of
the entities is also made with the "." symbol.
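As an added example (not code from the lab report or from QuickChat itself), the following Python decoder turns the message table and the pattern list above into a parser, one branch per observed message type; the field names and the sample payloads are my own constructions, and the handling of "." assumes, as the report observes, that it is both the field separator and the terminator.

```python
def parse_quickchat(payload):
    """Decode one QuickChat UDP payload; None if it matches no observed layout."""
    text = payload.decode("utf-8", errors="replace")
    if not text:
        return None
    code, body = text[0], text[1:]
    # Every observed message ends in '.', the same byte that separates fields, so strip
    # exactly one trailing '.' and split with a maxsplit: a '.' inside the message text
    # survives, but a '.' inside a username would still break parsing (format ambiguity).
    if body.endswith("."):
        body = body[:-1]
    if code == "2":                                 # 2#channel.user.message.
        parts = body.split(".", 2)
        if len(parts) != 3 or not parts[0].startswith("#"):
            return None
        return {"action": "channel_message", "channel": parts[0], "user": parts[1], "message": parts[2]}
    if code == "6":                                 # 6from.to.message.
        parts = body.split(".", 2)
        if len(parts) != 3:
            return None
        return {"action": "private_message", "from": parts[0], "to": parts[1], "message": parts[2]}
    if code == "3":                                 # 3old_name.new_name.
        parts = body.split(".", 1)
        if len(parts) != 2:
            return None
        return {"action": "name_change", "old": parts[0], "new": parts[1]}
    if code == "B":                                 # Btopic.  (topic changed)
        return {"action": "topic_change", "topic": body}
    if code == "C":                                 # Ctopic.  (user reconnected)
        return {"action": "reconnect", "topic": body}
    return None

# Constructed sample payloads following the observed layouts (not real captures).
SAMPLE_PAYLOADS = [
    b"2#Main.mich201.hello.",
    b"2#Lab.mich201.see fig. 3.5.",      # '.' inside the text must survive
    b"6mich201.bob.secret.",
    b"3mich201.mike.",
    b"BNetworking.",
    b"\x00\x01garbage",                   # not QuickChat: must be rejected, not crash
]

def summarize(payloads):
    """Count decoded actions per type, a quick triage of captured plaintext chat traffic."""
    counts = {}
    for p in payloads:
        msg = parse_quickchat(p)
        key = msg["action"] if msg else "unknown"
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Because the payloads are plaintext with no authentication, a decoder like this is all an observer on the same network needs to read every message, which is the security point the capture above makes.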
Conclusion:
This laboratory work offered an interesting challenge and knowledge about how we can track the
messages sent to each other via protocols. The required information for this laboratory was the IP addresses
and UDP protocol usage. The software used here was Wireshark, which is one of the best-known
programs for data transfer capturing. Using QuickChat, which in my opinion is a very simple
message delivery system using the UDP protocol, we could see the messages directly without the need for
external decryption tools. An interesting thing about this laboratory work was to work a bit as testers,
because it's the first time I used the QuickChat software and had to try every button, every message and feature,
before tracking its messages. This laboratory work gave me very useful knowledge about addresses and
Wireshark, which I will definitely use in my future career.
