TCP and IP are two specific protocols in the TCP/IP protocol suite. As you will see in this guided lab, there are
several other protocols included in the TCP/IP protocol suite. The goal of this lab is to introduce you to these
protocols. To access this lab environment, you use a web browser and specify a hostname. On the surface, you work
with the browser to connect to the lab environment.
But what happens below the surface? That is what this lab exercise is all about. You will use a program called
Wireshark to complete two tasks. First, you will capture actual network traffic as it is sent across the network.
Second, you will decode and analyze that traffic, which will expose you not only to how TCP/IP operates but will
also give you experience working with your first network security monitoring data type: full packet capture. Finally, at
the top of the stack are applications. Remember, applications are only relevant to networking when they have a
communicating component. HTTP is an example of an application with a communication component.
Some critical pieces of information must be configured on IP hosts. The four most important pieces of information are
the IP address, subnet mask, default gateway, and DNS server. Both subnets use a 24-bit mask (/24). This mask is
commonly written as 255.255.255.0. In binary, the mask is made up of 24 binary ones followed by 8 binary zeros,
hence the term "24-bit mask." The 24-bit mask is the most common mask in use because it simplifies things. The IP
address bits associated with ones in the subnet mask define the network, and the remaining bits define the host
address on the network. With a 24-bit mask, the first three octets of the IP address specify the network, and the last
octet defines the host address on the network. So, IP addresses that start with 10.10.6 are all on the user subnet.
10.10.6.10 is the Inside-Win IP address, 10.10.6.11 is the Inside-Kali address, and 10.10.6.1 is the address of their
default gateway.
https://ondemandelearning.cisco.com/cybersec-nil/secfnd/sections/1/pages/21
4/23/2018 Understanding Cisco Cybersecurity Fundamentals
In standard IP networks, a subnet is layered over a broadcast domain. In this topology, there are two subnets on two
broadcast domains. The user subnet actually has three active systems: Inside-Win, Inside-Kali, and one of the
network interfaces of the router. If any of these systems sends a broadcast, it will be seen by the other two. But that
broadcast is not seen on the server subnet. Communication between hosts within their subnet is done using their
MAC addresses. IP hosts learn the MAC addresses of their neighbors using a protocol that is called ARP. To
communicate with hosts on remote networks, packets are sent to the router's MAC address and it is the router's
responsibility to forward the packets to the appropriate destination network based on the destination IP address.
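To make the next-hop decision described above concrete, here is an added Python example (not part of the Cisco lab): it applies a dotted-decimal mask the way the text describes and decides whether a sender must ARP for the destination itself or for its default gateway. The hosts and addresses are the lab topology's; the function names are assumptions of this example.

```python
import ipaddress

# Constructed from the lab topology described above (not captured data):
# the user subnet 10.10.6.0/24 with its gateway, and the server subnet
# that is reached through the router.
INSIDE_WIN = "10.10.6.10"
INSIDE_KALI = "10.10.6.11"
INSIDE_SRV = "10.10.4.20"
USER_GATEWAY = "10.10.6.1"
MASK = "255.255.255.0"


def mask_to_prefix(mask: str) -> int:
    """Count the leading one bits of a dotted-decimal mask (255.255.255.0 -> 24)."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    # A valid mask is ones followed by zeros; reject values such as 255.0.255.0.
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask {mask}")
    return prefix


def network_of(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Apply the mask: the bits under the ones identify the network."""
    return ipaddress.IPv4Network(f"{ip}/{mask_to_prefix(mask)}", strict=False)


def arp_target(src_ip: str, mask: str, dst_ip: str, gateway: str) -> str:
    """Return the IP address whose MAC the sender must learn via ARP.

    Same subnet: ARP for the destination itself and deliver the frame directly.
    Different subnet: ARP for the default gateway and let the router forward.
    """
    local = network_of(src_ip, mask)
    if ipaddress.IPv4Address(dst_ip) in local:
        return dst_ip
    if ipaddress.IPv4Address(gateway) not in local:
        raise ValueError("the default gateway must be on the sender's own subnet")
    return gateway


if __name__ == "__main__":
    print(network_of(INSIDE_WIN, MASK))                      # 10.10.6.0/24
    print(arp_target(INSIDE_WIN, MASK, INSIDE_KALI, USER_GATEWAY))  # 10.10.6.11
    print(arp_target(INSIDE_WIN, MASK, INSIDE_SRV, USER_GATEWAY))   # 10.10.6.1
```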
While the networking devices work with MAC addresses and IP addresses, people usually work with hostnames.
DNS is a service which maps hostnames to IP addresses. The DNS service allows users to enter inside-srv in the
browser instead of 10.10.4.20. In this topology, the Inside-Srv VM provides DNS services.
As you work through the tasks in this lab exercise, you will be exposed to the operation of the ARP and DNS
protocols. You will also be exposed to how MAC addresses, IP addresses, and hostnames work. And you will be
exposed to the workings of the TCP/IP stack including Ethernet, IP, TCP, UDP, and ICMP.
Step 1
Step 2
Some of the operations that you will perform in later sections of this lab exercise require administrator
privileges. Open a command prompt window with administrator privileges. Right-click Command Prompt on
the Windows Start menu, and select Run as administrator.
Step 3
Step 4
More details can be displayed with the ipconfig command if the /all argument is used. Enter the
ipconfig /all command and review its output.
Step 5
Step 6
Launch a terminal window. Click the icon on the desktop launch bar or select it from the Applications menu.
Step 7
Step 8
The Linux ifconfig command did not display the DNS server configuration. While not universal in all Linux
distributions, the DNS client configuration is usually stored in the file /etc/resolv.conf. The Linux cat
command can be used to display the contents of files. Enter the cat /etc/resolv.conf command to view the
DNS configuration.
Step 9
You still haven't seen what Inside-Kali is using as a default gateway. The netstat command can be used to
display many different aspects of a host's networking status. The command is available in both Windows and
Linux, but the options vary between operating systems. The -r flag shows routes. Enter the netstat -r
command to display the routing table on Inside-Kali.
Step 10
Step 11
You may have to delete entries in the ARP cache, which requires administrator privileges, so open a command
prompt window as administrator. Right-click Command Prompt on the Windows Start menu, and select Run
as administrator.
Step 12
Execute the arp -a command to display all entries in the ARP cache.
Step 13
For now, verify that 10.10.6.11 (the Inside-Kali VM) is not listed among the IP addresses in the ARP cache of the
Inside-Win VM. If you do find that 10.10.6.11 is present, execute the arp -d 10.10.6.11 command to delete
it from the ARP cache.
Step 14
Now you will repeat this process on the Inside-Kali VM. First, access the desktop of the Inside-Kali VM.
Step 15
Open a terminal window. There is an icon on the quick launcher, and it can also be found under Applications
> Favorites > Terminal.
Step 16
Again, execute the arp -a command to display all the entries in the ARP cache.
Step 17
For now, verify that 10.10.6.10 (the Inside-Win VM) is not listed among the IP addresses in the ARP cache of the
Inside-Kali VM. If you do find that 10.10.6.10 is present, execute the arp -d 10.10.6.10 command to
remove it.
capturing packets, decoding packet contents, and analyzing protocol interactions. In this task, you will launch
Wireshark and start a packet capture.
Step 18
Step 19
Step 20
You may surmise, from the many drop-down menus and smart icons, that Wireshark offers many complex
features. Basic packet capture and analysis, however, is straightforward. In the main Wireshark window, click the
word Ethernet to select the Ethernet interface for capture. Next, select Capture > Start to start the packet
capture. Alternatively, you could use the Start Capture smart icon from the drop-down menu.
Step 21
The Wireshark packet capture window opens. It is divided into three panes: top, middle, and bottom. As
packets are captured, they will be displayed in these panes.
For one host on an Ethernet LAN to send frames to another host on the LAN, it needs to know the other host’s MAC
address. The ARP protocol is used to provide this information. When a host needs to send frames to another host on
the same LAN segment, it first checks its ARP cache to see if it already has the appropriate MAC address. If it does
not, it uses ARP to obtain it. You will see this process in the captured traffic.
The ping command is a very commonly used troubleshooting tool that is great for testing connectivity between two
systems. It generates ICMP echo request packets, which are sent to the target system. If the target is reachable, it
responds with ICMP echo reply packets. The output of the ping command indicates success or failure of the ICMP
echo probes. In this task, you will use ping to stimulate communication between the VMs.
Step 22
From the Inside-Win VM, ping 10.10.6.11, which is the IP address of the Inside-Kali VM.
Step 23
Return to Wireshark. Data should now be displayed in the three panes. Stop the capture before analyzing the
data. Select Capture > Stop. Alternatively, the smart icon can be used to stop the capture.
Step 24
Examine the packet summary table in the top pane of the Wireshark window.
Step 25
Take a closer look at the first two interesting packets in the capture. They comprise an ARP exchange. Inside-Win
needs the MAC address of Inside-Kali in order to send the ICMP echo requests. It sends the ARP request, and
Inside-Kali provides its MAC address in the ARP reply.
Step 26
Now take a closer look at the next eight packets. They are associated with the ping command. There are four
ICMP echo request/reply pairs.
Step 27
Finally take a look at the last two packets. They comprise a second ARP exchange. This time, Inside-Kali is
requesting the MAC address of Inside-Win.
In this task, you will focus on analysis of Ethernet headers. Ethernet is the lowest level header. It is the last applied
as a packet is prepared to be put on the wire for transmission. It is the first to be processed by the receiving system.
It specifies the source and destination MAC addresses, and it identifies the network protocol that is encapsulated
within the Ethernet frame.
Step 28
In the top pane of the Wireshark window, select the first ARP packet in the capture, which is the ARP request
from the Inside-Win VM. This populates the middle and bottom panes of the window. The middle pane shows a
protocol decode of the packet and the bottom pane shows the raw binary data using hexadecimal notation.
Step 29
Expand the Ethernet II section of the protocol decode to examine the contents of the Ethernet header.
Step 30
Select the second ARP packet, the ARP reply, and expand the Ethernet header in the middle pane of
Wireshark. Examine the details.
Examine an IP Header
In this task, you will examine an IP header. The IP header contains the source and destination IP addresses. It also
contains the protocol field which specifies the transport layer protocol that is used by this packet.
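As an added example (not the lab's own code, nor Wireshark's), the following Python decodes the same headers you are asked to inspect in the Ethernet and IP tasks, in the order a receiving system peels them off: Ethernet II, then ARP or IPv4, then ICMP. The sample frames are constructed here to mirror the lab's ARP request and ICMP echo request; the MAC addresses are made up and checksums are left at zero.

```python
import struct

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def decode_ethernet(frame):
    """Ethernet II: 6-byte destination MAC, 6-byte source MAC, 2-byte EtherType."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_str(dst), "src": mac_str(src), "type": etype, "payload": frame[14:]}

def decode_arp(p):
    """ARP over Ethernet/IPv4 (28 bytes): opcode 1 = request, 2 = reply."""
    if len(p) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", p[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}

def decode_ipv4(p):
    """IPv4: version/IHL, total length, TTL, protocol (1 ICMP, 6 TCP, 17 UDP), addresses."""
    if len(p) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _id, _ff, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", p[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(p) < total_len:
        raise ValueError("malformed IPv4 header")
    return {"src": ip_str(src), "dst": ip_str(dst), "proto": proto, "ttl": ttl, "payload": p[ihl:total_len]}

def decode_icmp(p):
    """ICMP: type 8 = echo request, 0 = echo reply; then identifier, sequence and data."""
    if len(p) < 8:
        raise ValueError("truncated ICMP header")
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", p[:8])
    return {"type": typ, "code": code, "id": ident, "seq": seq, "data": p[8:]}

def decode_frame(frame):
    """Peel headers in the order the receiver does: Ethernet, then ARP or IP, then ICMP."""
    out = {"eth": decode_ethernet(frame)}
    if out["eth"]["type"] == 0x0806:
        out["arp"] = decode_arp(out["eth"]["payload"])
    elif out["eth"]["type"] == 0x0800:
        out["ip"] = decode_ipv4(out["eth"]["payload"])
        if out["ip"]["proto"] == 1:
            out["icmp"] = decode_icmp(out["ip"]["payload"])
    return out

# Constructed sample frames (MACs made up; IPs from the lab topology).
WIN_MAC, KALI_MAC = bytes.fromhex("0a0000000610"), bytes.fromhex("0a0000000611")
WIN_IP, KALI_IP = bytes([10, 10, 6, 10]), bytes([10, 10, 6, 11])
ARP_REQUEST = (b"\xff" * 6 + WIN_MAC + b"\x08\x06" +          # broadcast, EtherType ARP
               struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, WIN_MAC, WIN_IP, b"\x00" * 6, KALI_IP))
PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"             # the 32-byte payload Windows ping sends
ECHO_REQUEST = (KALI_MAC + WIN_MAC + b"\x08\x00" +             # EtherType IPv4
                struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(PING_DATA), 1, 0, 128, 1, 0, WIN_IP, KALI_IP) +
                struct.pack("!BBHHH", 8, 0, 0, 1, 1) + PING_DATA)
```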
Step 31
Select the first ICMP packet that is captured in the example. It is an echo request from 10.10.6.10 to
10.10.6.11.
Step 32
Examine the protocol decode in the middle pane. Before you expand the IP header, notice that the summary
for the header shows the two most pertinent fields in the header: the source and destination IP addresses.
Step 33
Expand the IP header in the protocol decode pane and examine the contents.
Step 34
Minimize the IP header and expand the Internet Control Message Protocol. Examine the details presented.
Step 35
Expand the Data field within the ICMP section of the protocol decode. Then select the data that is depicted.
Examine the results, including what is displayed in the bottom Wireshark pane.
In this task, you will prepare a packet capture of an HTTP transaction between Inside-Win and Inside-Srv. When you
analyze the capture, you will see a lot of what makes modern networking work, including ARP, DNS, routing, UDP,
TCP, and HTTP.
Step 36
Step 37
View the ARP cache on Inside-Win. (Your output may differ slightly from what is shown in the example.) If you
find that there is an entry for 10.10.6.1, remove it using the arp -d command. 10.10.6.1 is the default
gateway that is configured on Inside-Win. Once you have verified that there is no entry for 10.10.6.1, proceed
to the next step.
Step 38
Step 39
Select Capture > Start to begin a new capture. You don't need the previous capture anymore, so choose to
continue without saving when prompted.
Step 40
Open Firefox on Inside-Win. It is pinned to both the Windows task bar and the Windows start menu. When
you launch Firefox, you will see the home page of the HTTP service that is running locally on Inside-Win.
Step 41
Enter inside-srv.abc.private in the Firefox URL entry field. The home page of the Inside-Srv web site will be
displayed.
Step 42
Return to Wireshark and select Capture > Stop to stop the packet capture.
You are already familiar with how ARP helps IP hosts learn the MAC address of their neighbors on the network.
Since the scenario involves communication between hosts on different networks, Inside-Win must learn the MAC
address of 10.10.6.1. You will see that exchange.
IP addresses are the fundamental location specification on IP networks, but they are not easy for people to work
with. Hostnames such as www.cisco.com are preferred. As ARP provides a mapping of IP address to MAC
address, DNS provides a mapping of hostname to IP address. You will examine the DNS resolution that is involved in
mapping inside-srv.abc.private to an IP address.
Step 43
Scroll to the top of the packet summary pane in Wireshark. While there may be some spurious packets, you
should see a pair of ARP packets and then some DNS packets.
Step 44
10.10.4.20 is the DNS server that is configured on Inside-Win. To communicate with this server, Inside-Win
must use its default gateway. Its default gateway is 10.10.6.1. You are familiar with ARP and how it facilitates
learning the MAC address of your local IP peers. Examine the two ARP packets. Inside-Win now knows the
MAC address that corresponds to 10.10.6.1. That MAC address is 0a:07:0a:0a:04:02.
Step 45
When Firefox is opened, it initiates communication with several sites on the Internet. You want to focus on
traffic between Inside-Win (10.10.6.10) and the Inside-Srv (10.10.4.20). Wireshark provides several ways of
filtering data, so you can focus on what you need. In Wireshark, select Statistics > Conversations. Then
select the IPv4 tab. Next, select the row that includes 10.10.6.10 and 10.10.4.20 as the two addresses. Next,
right-click and select Apply as Filter > Selected > A<>B. Finally, close the Wireshark Conversations window.
A filter is now defined in the main Wireshark window. Only packets between the two selected IP addresses are
displayed.
Step 46
Now look at the summary of the first DNS packet from 10.10.6.10 (Inside-Win) that is destined for the DNS
server (10.10.4.20) and is a query for inside-srv.abc.private, the host that Firefox is trying to reach.
Step 47
Select this first DNS query and examine the protocol decode in the Wireshark middle pane. Expand the User
Datagram Protocol section. Examine the UDP header details.
Step 48
With the first DNS query still selected, examine the protocol decode in the Wireshark middle pane. Expand the
Domain Name System (query) content, including the Queries field. Examine the details.
Step 49
Select the first DNS query response and examine the protocol decode in the Wireshark middle pane. Expand
the Domain Name System (response) content, including the Queries field and Answers field. Examine the
details.
Step 50
Return your attention to the top packet summary pane in Wireshark. Just after the last DNS packet, you should
see a TCP packet with a source address of 10.10.6.10 and a destination address of 10.10.4.20. Select that
packet.
Step 51
The packet capture includes hundreds of frames facilitating multiple TCP connections and other network
traffic. Wireshark provides various packet filtering features to limit packet display to conditions of interest. With
that first TCP packet selected, right-click and select Conversation Filter > TCP.
Step 52
Step 53
Select the SYN ACK packet and then examine the protocol decode and raw data panes in Wireshark. Expand
the Transmission Control Protocol section of the decode. Select the Sequence number field in the decode
pane, highlighting the actual sequence number in the raw data pane.
Step 54
Return your attention to the packet summary pane. Examine the last four packets in this TCP connection.
Step 55
To view the data that is transferred between the two hosts across all these TCP packets, select any packet in
the filtered TCP summary, right-click and select Follow > TCP Stream. Examine the data that are presented in
the Follow TCP Stream window.
Step 56
Step 57
The Wireshark display filter is currently set to tcp.stream eq 0. Either highlight this text and delete it, or click
the X icon to the right of the display filter field. All packets in the capture are now represented in the summary
pane.
Note
Wireshark indexes the TCP connections within a capture. The display filter is currently set to tcp.stream
eq N, where N is the internal index value that Wireshark has assigned to the TCP connection that you just
analyzed. Therefore, the internal index value that you see may be something other than 0.
Step 58
Step 59
Select the TCP tab. A table summarizing each TCP connection as a row is displayed. Examine the data that is
presented.
• TCP is a connection-oriented protocol. It uses a three-way handshake to exchange sequence numbers. Tracking
sequence numbers with acknowledgements provides a mechanism for retransmission when packets are lost or
when packets are received but corrupted. TCP also uses dynamic window sizing to maximize performance in
different networking conditions. These features come at a price, however. The TCP three-way handshake and FIN
exchange consume network resources. The TCP header is also quite large.
• UDP does not provide any guarantees on delivery, but it is a very light and efficient protocol. Some network
services are better served by UDP than TCP. DNS requests are an example. A DNS request and response is a
quick, two-packet interaction. If either packet is lost or corrupted, the recovery mechanism is simple. The DNS
client simply repeats its request. VoIP is another example where UDP is better than TCP. VoIP must carry phone
conversations in real time. It splits audio data over many small UDP packets. If one of the packets is lost, there is
no time to request retransmission. The receiver must do the best that it can with the data that it has in real time.
There is no benefit to using TCP for VoIP, but the overhead of a larger header is certainly a detriment.
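The following Python is an added example (not Wireshark's implementation) that approximates how the tcp.stream index from the Note above is assigned to packets, and checks the three-way handshake and FIN exchange described in the TCP bullet. The packet summaries are constructed in the style of the top pane; only the IP addresses come from the lab.

```python
from collections import namedtuple

# Constructed packet summaries (src, sport, dst, dport, flags); not a real capture.
Pkt = namedtuple("Pkt", "src sport dst dport flags")
SYN, ACK, FIN = "SYN", "ACK", "FIN"

def conversation_key(p):
    """Bidirectional key: A->B and B->A belong to the same conversation (A<>B)."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

def assign_streams(packets):
    """Number TCP conversations in capture order, like Wireshark's tcp.stream:
    each new bidirectional 4-tuple gets the next index, and a fresh SYN on a
    tuple whose previous connection was closed by both sides starts a new stream."""
    index, closers, next_id, result = {}, {}, 0, []
    for p in packets:
        key = conversation_key(p)
        fresh_syn = p.flags == {SYN}
        if key not in index or (fresh_syn and len(closers[key]) == 2):
            index[key], next_id = next_id, next_id + 1
            closers[key] = set()
        if FIN in p.flags:
            closers[key].add((p.src, p.sport))   # remember which side sent FIN
        result.append(index[key])
    return result

def streams(packets):
    """Group packets by stream id (the equivalent of filtering on tcp.stream eq N)."""
    groups = {}
    for p, sid in zip(packets, assign_streams(packets)):
        groups.setdefault(sid, []).append(p)
    return groups

def handshake_complete(stream):
    """True if the stream opens with SYN, SYN/ACK from the peer, then ACK from the initiator."""
    if len(stream) < 3:
        return False
    a, b, c = stream[:3]
    return (a.flags == {SYN}
            and b.flags == {SYN, ACK} and (b.src, b.sport) == (a.dst, a.dport)
            and c.flags == {ACK} and (c.src, c.sport) == (a.src, a.sport))

WIN, SRV = "10.10.6.10", "10.10.4.20"
CAPTURE = [
    Pkt(WIN, 49152, SRV, 80, {SYN}), Pkt(SRV, 80, WIN, 49152, {SYN, ACK}), Pkt(WIN, 49152, SRV, 80, {ACK}),
    Pkt(WIN, 49152, SRV, 80, {ACK}),                # HTTP request carried in this segment
    Pkt(SRV, 80, WIN, 49152, {ACK}),                # HTTP response
    Pkt(WIN, 49153, SRV, 80, {SYN}),                # a second connection, interleaved
    Pkt(SRV, 80, WIN, 49152, {FIN, ACK}), Pkt(WIN, 49152, SRV, 80, {ACK}),
    Pkt(WIN, 49152, SRV, 80, {FIN, ACK}), Pkt(SRV, 80, WIN, 49152, {ACK}),
    Pkt(SRV, 80, WIN, 49153, {SYN, ACK}), Pkt(WIN, 49153, SRV, 80, {ACK}),
    Pkt(WIN, 49152, SRV, 80, {SYN}),                # port 49152 reused after a full close
]
```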
Step 60
Consider the discussion of TCP and UDP above. Go back and look at the packet capture data in Wireshark.
Observe how DNS uses UDP. Observe how HTTP uses TCP. Compare the TCP header and the UDP header
to understand the differences in header overhead.