
4/23/2018 Understanding Cisco Cybersecurity Fundamentals

1.21 Understanding the TCP/IP Protocol Suite

Explore the TCP/IP Protocol Suite

TCP and IP are two specific protocols in the TCP/IP protocol suite. As you will see in this guided lab, there are
several other protocols in the suite, and the goal of this lab is to introduce you to them. To access this lab
environment, you use a web browser and specify a hostname. On the surface, you work with the browser to connect
to the lab environment.

But what happens below the surface? That is what this lab exercise is all about. You will use a program called
Wireshark to complete two tasks. First, you will capture actual network traffic as it is sent across the network.
Second, you will decode and analyze that traffic, which will show you how TCP/IP operates and also give you
experience with your first network security monitoring data type: full packet capture. At the top of the stack are
applications. Remember, applications are only relevant to networking when they have a communicating component.
HTTP is an example of an application with a communicating component.

Examining the Lab Topology Diagram


Take a look at the topology diagram for this lab. There are four systems. There are two VMs on the user subnet. One
runs Windows 10 and the other runs Kali Linux. There is one VM on the server subnet. Between these two subnets is
a router.

Some critical pieces of information must be configured on IP hosts. The four most important pieces of information are
the IP address, subnet mask, default gateway, and DNS server. Both subnets use a 24-bit mask (/24). This mask is
commonly written as 255.255.255.0. In binary, the mask is made up of 24 binary ones followed by 8 binary zeros,
hence the term "24-bit mask." The 24-bit mask is the most common mask in use because the network and host
portions fall on an octet boundary, which makes addresses easy to read. The IP address bits associated with ones in
the subnet mask define the network, and the remaining bits define the host address on the network. With a 24-bit
mask, the first three octets of the IP address specify the network, and the last octet defines the host address on the
network. So, IP addresses that start with 10.10.6 are all on the user subnet. 10.10.6.10 is the Inside-Win IP address,
10.10.6.11 is the Inside-Kali address, and 10.10.6.1 is the address of their default gateway.

In standard IP networks, a subnet is layered over a broadcast domain. In this topology, there are two subnets on two
broadcast domains. The user subnet actually has three active systems. Inside-Win, Inside-Kali, and one of the
network interfaces of the router. If any of these systems sends a broadcast, it will be seen by the other two. But that
broadcast is not seen on the server subnet. Communication between hosts within their subnet is done using their
MAC addresses. IP hosts learn the MAC addresses of their neighbors using a protocol that is called ARP. To
communicate with hosts on remote networks, packets are sent to the router's MAC address and it is the router's
responsibility to forward the packets to the appropriate destination network based on the destination IP address.
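
To make the mask arithmetic and the local-or-remote decision above concrete, the following Python example (added
here; it is not part of the Cisco lab) applies a dotted-decimal mask to an address, derives the network address, the
broadcast address and the host number, and then decides what an IP host must resolve with ARP before it can send a
frame: the destination itself when it is on the same subnet, otherwise the default gateway. The host addresses come
from the lab topology; the rejection of a non-contiguous mask and the function names are assumptions of the example.

```python
import ipaddress

# Constructed host configuration modelled on Inside-Win in the lab topology.
HOST_IP = "10.10.6.10"
NETMASK = "255.255.255.0"
GATEWAY = "10.10.6.1"


def mask_to_prefix(mask):
    """Return the prefix length of a dotted-decimal mask (255.255.255.0 -> 24).

    A valid mask is a run of ones followed by a run of zeros; anything else
    (for example 255.0.255.0) is rejected rather than silently accepted.
    """
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


def split_address(ip, mask):
    """Apply the mask: ones select the network bits, zeros select the host bits.

    Returns (network address, broadcast address, host number).
    """
    ip_int = int(ipaddress.IPv4Address(ip))
    mask_int = int(ipaddress.IPv4Address(mask))
    host_mask = ~mask_int & 0xFFFFFFFF
    network = ipaddress.IPv4Address(ip_int & mask_int)
    broadcast = ipaddress.IPv4Address((ip_int & mask_int) | host_mask)
    return str(network), str(broadcast), ip_int & host_mask


def next_hop(dst, ip=HOST_IP, mask=NETMASK, gw=GATEWAY):
    """Decide which address the host must resolve with ARP to reach dst.

    Same network: the frame goes straight to dst, so ARP for dst itself.
    Different network: the frame goes to the default gateway, so ARP for gw;
    the router then forwards on the destination IP address.
    """
    mask_to_prefix(mask)  # reject a malformed mask before relying on it
    if split_address(dst, mask)[0] == split_address(ip, mask)[0]:
        return dst
    return gw


if __name__ == "__main__":
    for target in ("10.10.6.11", "10.10.6.1", "10.10.4.20"):
        net, bcast, host = split_address(target, NETMASK)
        print(f"{target}: network {net}, broadcast {bcast}, host {host}, ARP for {next_hop(target)}")
```

Run it and note that 10.10.4.20 (Inside-Srv) resolves to an ARP lookup for 10.10.6.1, which is exactly the ARP
exchange you will capture later when Inside-Win first talks to the DNS server.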

While the networking devices work with MAC addresses and IP addresses, people usually work with hostnames.
DNS is a service which maps hostnames to IP addresses. The DNS service allows users to enter inside-srv in the
browser instead of 10.10.4.20. In this topology, the Inside-Srv VM provides DNS services.

As you work through the tasks in this lab exercise, you will be exposed to the operation of the ARP and DNS
protocols. You will also be exposed to how MAC addresses, IP addresses, and hostnames work. And you will be
exposed to the workings of the TCP/IP stack including Ethernet, IP, TCP, UDP, and ICMP.


Examine the Network Configuration on Inside-Win


In order for a host to function on an IP network, four critical specifications must be configured: IP address, subnet
mask, default gateway, and DNS server. In this task, you will see how to verify the IP configuration on a Windows
host.

Step 1

Access the desktop of the Inside-Win VM.

Step 2

Some of the operations that you will perform in later sections of this lab exercise require administrator
privileges. Open a command prompt window with administrator privileges. Right-click Command Prompt on
the Windows Start menu, and select Run as administrator.

Step 3

Enter the ipconfig command and review its output.

Step 4

More details can be displayed with the ipconfig command if the /all argument is used. Enter the
ipconfig /all command and review its output.

Examine the Network Configuration on Inside-Kali

Step 5

Access the desktop of the Inside-Kali VM.

Step 6

Launch a terminal window. Click the icon on the desktop launch bar or select it from the Applications menu.

Step 7

Enter the ifconfig command and review its output. If ifconfig is not installed on your Kali release, the ip addr
command shows the same interface addresses, with the mask written as a prefix length such as /24.

Step 8

The Linux ifconfig command did not display the DNS server configuration. While not universal across Linux
distributions, the DNS client configuration is usually stored in the file /etc/resolv.conf. The Linux cat command
displays the contents of a file. Enter the cat /etc/resolv.conf command to view the DNS configuration. On systems
that run a local stub resolver such as systemd-resolved, /etc/resolv.conf may list only a loopback address (for
example 127.0.0.53); in that case, resolvectl status shows the upstream DNS servers actually in use.

Step 9

You still haven't seen what Inside-Kali is using as a default gateway. The netstat command can be used to
display many different aspects of a host's networking status. The command is available in both Windows and
Linux, but the options vary between operating systems. The -r flag shows routes. Enter the netstat -r
command to display the routing table on Inside-Kali. The default gateway is the Gateway column of the row whose
Destination is default (or 0.0.0.0). The ip route command shows the same table on any current Linux system.

Verify That Peers Are Not Yet in ARP Cache


There is a bit of a chicken-and-egg situation to start this task. You will explore how ARP works in the sequences that
follow, but, to be sure that those sequences will play out as desired, you must first examine the ARP caches on the
Inside-Win and Inside-Kali VMs and ensure that neither currently references the other in their ARP cache. It may
seem odd to examine the ARP cache before exploring how the ARP cache works, but it will all come together as you
progress through the exercise.

Step 10

Access the desktop of the Inside-Win VM.


Step 11

You may have to delete entries in the ARP cache, which requires administrator privileges, so open a command
prompt window as administrator. Right-click Command Prompt on the Windows Start menu, and select Run
as administrator.

Step 12

Execute the arp -a command to display all entries in the ARP cache.

Step 13

For now, verify that 10.10.6.11 (the Inside-Kali VM) is not listed in the IP addresses in the ARP cache of the
Inside-Win VM. If you do find that 10.10.6.11 is present, execute the arp -d 10.10.6.11 command to delete
it from the ARP cache.

Step 14

Now you will repeat this process on the Inside-Kali VM. First, access the desktop of the Inside-Kali VM.

Step 15

Open a terminal window. There is an icon on the quick launcher, and it can also be found under Applications
> Favorites > Terminal.

Step 16

Again, execute the arp -a command to display all the entries in the ARP cache.

Step 17

For now, verify that 10.10.6.10 (the Inside-Win VM) is not listed in the IP addresses in the ARP cache of the
Inside-Kali VM. If you do find that 10.10.6.10 is present, execute the arp -d 10.10.6.10 command to
remove it.

Initialize the Packet Capture Process


Wireshark is a freely distributable tool. It is available for Windows, OS X, and most Linux distributions. Most network
security analysts are familiar with Wireshark and find it, and other related tools, to be valuable assets. It facilitates
capturing packets, decoding packet contents, and analyzing protocol interactions. In this task, you will launch
Wireshark and start a packet capture.

Step 18

Return to the desktop of the Inside-Win VM.

Step 19

Launch Wireshark. The application is pinned to the Inside-Win Start menu.

Step 20

You may surmise, from the many drop-down menus and toolbar icons, that Wireshark offers many complex
features. Basic packet capture and analysis is nevertheless easy. In the main Wireshark window, click the
word Ethernet to select the Ethernet interface for capture. Next, select Capture > Start to start the packet
capture. Alternatively, you can click the Start Capture icon on the toolbar.

Step 21

The Wireshark packet capture window opens. It is divided into three panes: the packet list (top), the packet
details (middle), and the packet bytes (bottom). As packets are captured, they are displayed in these panes.

Generate and Capture Local LAN Traffic


Wireshark is now actively capturing packets that are processed by the Inside-Win VM's NIC. In this sequence, you
will generate some packet activity.

For one host on an Ethernet LAN to send frames to another host on the LAN, it needs to know the other host's MAC
address. The ARP protocol provides this information. When a host needs to send frames to another host on the same
LAN segment, it first checks its ARP cache to see if it already has the appropriate MAC address. If it does not, it
broadcasts an ARP request and caches the MAC address carried in the reply. You will see this process in the
captured traffic. Note that ARP carries no authentication: a host trusts the reply it receives, which is why a forged
reply from another system on the same LAN (ARP spoofing) can redirect traffic, and why the ARP cache entries you
examined in the previous task are worth checking whenever you suspect such interference.

The ping command is a very commonly used troubleshooting tool that is great for testing connectivity between two
systems. It generates ICMP echo request packets, which are sent to the target system. If the target is reachable, it
responds with ICMP echo reply packets. The output of the ping command indicates success or failure of the ICMP
echo probes. In this task, you will use ping to stimulate communication between the VMs.

Step 22

From the Inside-Win VM, ping 10.10.6.11, which is the IP address of the Inside-Kali VM.

Step 23

Return to Wireshark. Data should now be displayed in the three panes. Stop the capture before analyzing the
data. Select Capture > Stop. Alternatively, the smart icon can be used to stop the capture.

Examine Packet Summaries


The top pane of the Wireshark capture window displays a table in which each row provides a summary of an
individual captured packet. In this task, you will examine each row of the summary table to gain an understanding of
the packet flow that is associated with the ping command that you entered during the previous task.

Step 24

Examine the packet summary table in the top pane of the Wireshark window.

Step 25

Take a closer look at the first two interesting packets in the capture. They comprise an ARP exchange. Inside-
Win needs the MAC address of Inside-Kali in order to send the ICMP echo requests. It sends the ARP request,
and Inside-Kali provides its MAC address in the ARP reply.

Step 26

Now take a closer look at the next eight packets. They are associated with the ping command. There are four
ICMP echo request/reply pairs.

Step 27

Finally take a look at the last two packets. They comprise a second ARP exchange. This time, Inside-Kali is
requesting the MAC address of Inside-Win.

Examine Ethernet Headers


In this task and the next few tasks, you will examine the payloads that are captured within a packet at the various
network layers. You will perform this analysis from the lowest layer up. That is, you will start with the data link layer
and move up through the other layers to the application layer. This analysis is consistent with the processing that
would be done at the destination. As each layer processes its header, it de-encapsulates the payload and passes the
payload up to the next layer for further processing.

In this task, you will focus on analysis of Ethernet headers. Ethernet is the lowest-level header. It is the last applied
as a packet is prepared to be put on the wire for transmission and the first to be processed by the receiving system.
It specifies the source and destination MAC addresses, and its EtherType field identifies the network-layer protocol
that is carried in the frame's payload (for example, 0x0806 for ARP and 0x0800 for IPv4).
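
The following Python example (added here; it is not part of the Cisco lab) builds the two ARP frames from the ping
you captured, the broadcast request from Inside-Win and the unicast reply from Inside-Kali, and then decodes them
bottom-up exactly as the receiver does: Ethernet header first, EtherType check, then the ARP packet. The lab does
not publish either VM's MAC address, so the MAC addresses here are constructed, and the cache-update policy at
the end (accept a reply only when we sent the matching request) is a hypothetical check for the example, not how
Windows or Linux behave by default.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

# Constructed MAC addresses for the two user-subnet VMs (the lab text does not give them).
WIN_MAC, WIN_IP = "0a:07:0a:0a:06:0a", "10.10.6.10"
KALI_MAC, KALI_IP = "0a:07:0a:0a:06:0b", "10.10.6.11"


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_ethernet(dst_mac, src_mac, ethertype, payload):
    """14-byte Ethernet II header: destination MAC, source MAC, EtherType, then payload."""
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """28-byte ARP packet for Ethernet (hardware type 1) carrying IPv4 (0x0800)."""
    return (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, op)
            + mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
            + mac_to_bytes(target_mac) + ip_to_bytes(target_ip))


def parse_ethernet(frame):
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return {"dst": bytes_to_mac(frame[:6]), "src": bytes_to_mac(frame[6:12]),
            "ethertype": ethertype, "payload": frame[14:]}


def parse_arp(payload):
    if len(payload) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op,
            "sender_mac": bytes_to_mac(payload[8:14]), "sender_ip": bytes_to_ip(payload[14:18]),
            "target_mac": bytes_to_mac(payload[18:24]), "target_ip": bytes_to_ip(payload[24:28])}


def decode_frame(frame):
    """Process from the bottom up: Ethernet first, then hand the payload to ARP."""
    eth = parse_ethernet(frame)
    if eth["ethertype"] != ETHERTYPE_ARP:
        raise ValueError(f"EtherType 0x{eth['ethertype']:04x} is not ARP")
    return eth, parse_arp(eth["payload"])


def arp_exchange():
    """The two frames from the lab: Inside-Win's broadcast request, Inside-Kali's unicast reply.

    Each is 42 bytes here; the NIC pads it to the 60-byte Ethernet minimum on the wire.
    """
    request = build_ethernet(BROADCAST_MAC, WIN_MAC, ETHERTYPE_ARP,
                             build_arp(ARP_REQUEST, WIN_MAC, WIN_IP, ZERO_MAC, KALI_IP))
    reply = build_ethernet(WIN_MAC, KALI_MAC, ETHERTYPE_ARP,
                           build_arp(ARP_REPLY, KALI_MAC, KALI_IP, WIN_MAC, WIN_IP))
    return request, reply


def learn_from_reply(cache, outstanding, frame):
    """Hypothetical strict policy: cache a reply only if we asked for that IP address.

    Real hosts differ in how they treat unsolicited replies; this check is what makes an
    unsolicited (possibly spoofed) reply visible instead of silently accepted.
    """
    eth, arp = decode_frame(frame)
    if arp["op"] != ARP_REPLY or arp["sender_ip"] not in outstanding:
        return False
    if eth["src"] != arp["sender_mac"]:
        return False  # Ethernet source and ARP sender disagree: do not trust it
    cache[arp["sender_ip"]] = arp["sender_mac"]
    outstanding.discard(arp["sender_ip"])
    return True
```

Compare the decoded fields with the Wireshark decode of the same two packets: the request's destination MAC is the
broadcast address and its target MAC is all zeros, while the reply is unicast back to Inside-Win.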

Step 28

Select the first ARP packet in the top pane of the Wireshark window, which is the ARP request from the Inside-Win
VM. Selecting it populates the middle and bottom panes of the window. The middle pane shows a protocol decode of
the packet and the bottom pane shows the raw data in hexadecimal notation.

Step 29

Expand the Ethernet II section of the protocol decode to examine the contents of the Ethernet header.

Step 30

Select the second ARP packet, the ARP reply, and expand the Ethernet header in the middle pane of
Wireshark. Examine the details.

Examine an IP Header
In this task, you will examine an IP header. The IP header contains the source and destination IP addresses. It also
contains the protocol field, which identifies the protocol carried in the IP payload: 1 for ICMP in this packet, 6 for
TCP, and 17 for UDP.

Step 31

Select the first ICMP packet that is captured in the example. It is an echo request from 10.10.6.10 to
10.10.6.11.

Step 32

Examine the protocol decode in the middle pane. Before you expand the IP header, notice that the summary
for the header shows the two most pertinent fields in the header: the source and destination IP addresses.

Step 33

Expand the IP header in the protocol decode pane and examine the contents.

Examine an ICMP Header and Data


You have examined the IP header of an ICMP echo request packet. In this task, you will examine the ICMP payload
in that packet.
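
The following Python example (added here; it is not part of the Cisco lab) constructs an echo request like the first
ICMP packet in your capture and then parses it IP-first, the way the receiving host de-encapsulates it, verifying the
IPv4 header checksum and then the ICMP checksum. It also shows a point the decode panes do not make obvious:
the IPv4 checksum covers only the 20-byte header, so a flipped bit in the ICMP data is caught by the ICMP checksum,
not by IP. The payload text is modelled on the 32-byte alphabetic data the Windows ping client sends; the identifier,
sequence number, TTL and IP identification values are assumptions of the example.

```python
import struct

PROTO_ICMP = 1
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
# Constructed payload in the style of the Windows ping client (32 bytes of data).
WIN_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def internet_checksum(data):
    """RFC 1071 one's-complement checksum shared by IPv4, ICMP, UDP and TCP.

    Computed over a block that already holds its correct checksum, the result is 0.
    """
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_echo(icmp_type, ident, seq, data):
    """8-byte ICMP header (type, code, checksum, identifier, sequence) plus data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    checksum = internet_checksum(header + data)
    return struct.pack("!BBHHH", icmp_type, 0, checksum, ident, seq) + data


def build_ipv4(src, dst, proto, payload, ttl=128, ident=0x1234):
    """20-byte IPv4 header with no options; the header checksum covers the header only."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                         ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    header = header[:10] + struct.pack("!H", internet_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet):
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("not a usable IPv4 header")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len < ihl or total_len > len(packet):
        raise ValueError("total length disagrees with captured bytes")
    if internet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"ihl": ihl, "total_len": total_len, "ttl": packet[8], "proto": packet[9],
            "src": bytes_to_ip(packet[12:16]), "dst": bytes_to_ip(packet[16:20]),
            "payload": packet[ihl:total_len]}  # options, if any, sit in packet[20:ihl]


def parse_icmp(segment):
    if len(segment) < 8:
        raise ValueError("truncated ICMP header")
    if internet_checksum(segment) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", segment[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "data": segment[8:]}


def decode_echo(packet):
    """IP first, then ICMP, exactly as the receiving host de-encapsulates it."""
    ip = parse_ipv4(packet)
    if ip["proto"] != PROTO_ICMP:
        raise ValueError(f"protocol {ip['proto']} is not ICMP")
    return ip, parse_icmp(ip["payload"])


def sample_echo_request():
    """Constructed echo request 10.10.6.10 -> 10.10.6.11, identifier 1, sequence 7."""
    return build_ipv4("10.10.6.10", "10.10.6.11", PROTO_ICMP,
                      build_icmp_echo(ICMP_ECHO_REQUEST, 1, 7, WIN_PING_DATA))
```

The 60-byte total length (20 IP + 8 ICMP + 32 data) is the value to look for in the Total Length field of the
captured echo request.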

Step 34

Minimize the IP header and expand the Internet Control Message Protocol. Examine the details presented.

Step 35

Expand the Data field within the ICMP section of the protocol decode. Then select the data that is depicted.
Examine the results, including what is displayed in the bottom Wireshark pane.

Capture Communication with a Remote LAN


It is important to understand that MAC addresses are only used for communication within a broadcast domain, such
as an Ethernet LAN. If an IP host needs to communicate with an IP host on another LAN, it must use a gateway. If
the host does not already have the MAC address for its gateway in the ARP cache, it will initiate the ARP process to
obtain it. The IP routing process is not the focus of this lab activity. For now, it is important to understand that
communication with the gateway on the local LAN is accomplished via Ethernet using MAC addresses.

In this task, you will prepare a packet capture of an HTTP transaction between Inside-Win and Inside-Srv. When you
analyze the capture, you will see a lot of what makes modern networking work, including ARP, DNS, routing, UDP,
TCP, and HTTP.

Step 36

Return to the command prompt window on the Inside-Win VM.

Step 37

View the ARP cache on Inside-Win. (Your output may differ slightly from what is shown in the example.) If you
find that there is an entry for 10.10.6.1, remove it using the arp -d command. 10.10.6.1 is the default
gateway that is configured on Inside-Win. Once you have verified that there is no entry for 10.10.6.1, proceed
to the next step.

Step 38

On the Inside-Win VM, return to the Wireshark window.

Step 39

Select Capture > Start to begin a new capture. You don't need the previous capture anymore, so choose to
continue without saving when prompted.

Step 40

Open Firefox on Inside-Win. It is pinned to both the Windows task bar and the Windows start menu. When
you launch Firefox, you will see the home page of the HTTP service that is running locally on Inside-Win.

Step 41
Enter inside-srv.abc.private in the Firefox URL entry field. The home page of the Inside-Srv web site will be
displayed.

Step 42

Return to Wireshark and select Capture > Stop to stop the packet capture.

Examine How the Communication Started


The packet capture has hundreds of packets. In this task, you will look at the first several interesting packets.

You are already familiar with how ARP helps IP hosts learn the MAC address of their neighbors on the network.
Since the scenario involves communication between hosts on different networks, Inside-Win must learn the MAC
address of 10.10.6.1. You will see that exchange.

IP addresses are the fundamental location specification on IP networks, but they are not easy for people to work
with. Hostnames such as www.cisco.com are preferred. As ARP provides a mapping of IP address to MAC
address, DNS provides a mapping of hostname to IP address. You will examine the DNS resolution that is involved in
mapping inside-srv.abc.private to an IP address.
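
The following Python example (added here; it is not part of the Cisco lab) writes both halves of that resolution in
wire format: the UDP datagram carrying the A-record query for inside-srv.abc.private, and the response that returns
10.10.4.20, including the name-compression pointer that real responses use. The parser refuses a response whose
transaction ID does not match the query, which is the check a resolver relies on because DNS over UDP carries no
authentication. The client source port 49152, the transaction ID, the TTL and the server behaviour are assumptions
of the example.

```python
import struct

DNS_PORT = 53
QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_udp(sport, dport, payload):
    """8-byte UDP header: ports, length, checksum (left 0, which IPv4 permits)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def parse_udp(segment):
    if len(segment) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _ = struct.unpack("!HHHH", segment[:8])
    if length < 8 or length > len(segment):
        raise ValueError("UDP length disagrees with captured bytes")
    return {"sport": sport, "dport": dport, "payload": segment[8:length]}


def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, offset):
    """Decode a name, following compression pointers; returns (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier occurrence
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            hops += 1
            if pointer >= offset or hops > 16:  # forward or looping pointers are malformed
                raise ValueError("bad compression pointer")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def build_dns_query(txid, name):
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)  # 1 question, recursion desired
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_dns_response(query, address, ttl=3600):
    """Constructed server behaviour: echo the question and answer with one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
    answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4) + ip_to_bytes(address)
    return header + query[12:] + answer  # 0xC00C points at the question name at offset 12


def parse_dns_response(msg, expected_txid):
    """Parse header, question and answer sections; reject answers to someone else's query."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid or not flags & FLAG_QR:
        raise ValueError("not a response to our query")
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if len(rdata) != rdlen:
            raise ValueError("truncated rdata")
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"txid": txid, "rcode": flags & 0x000F, "questions": questions, "answers": answers}


def resolve_exchange(name="inside-srv.abc.private", address="10.10.4.20", txid=0x1A2B):
    """Both directions of the lab's lookup as Inside-Win and Inside-Srv would send them in UDP."""
    query_dgram = build_udp(49152, DNS_PORT, build_dns_query(txid, name))
    response = build_dns_response(parse_udp(query_dgram)["payload"], address)
    response_dgram = build_udp(DNS_PORT, 49152, response)
    return query_dgram, parse_dns_response(parse_udp(response_dgram)["payload"], txid)
```

The query datagram is 48 bytes: 8 bytes of UDP header and a 40-byte DNS message, which is the size to compare
against the Length field in the UDP decode of the captured query.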

Step 43

Scroll to the top of the packet summary pane in Wireshark. While there may be some spurious packets, you
should see a pair of ARP packets and then some DNS packets.

Step 44

10.10.4.20 is the DNS server that is configured on Inside-Win. To communicate with this server, Inside-Win
must use its default gateway. Its default gateway is 10.10.6.1. You are familiar with ARP and how it facilitates
learning the MAC address of your local IP peers. Examine the two ARP packets. Inside-Win now knows the
MAC address that corresponds to 10.10.6.1. That MAC address is 0a:07:0a:0a:04:02.

Step 45

When Firefox is opened, it initiates communication with several sites on the Internet. You want to focus on
traffic between Inside-Win (10.10.6.10) and the Inside-Srv (10.10.4.20). Wireshark provides several ways of
filtering data, so you can focus on what you need. In Wireshark, select Statistics > Conversations. Then
select the IPv4 tab. Next, select the row that includes 10.10.6.10 and 10.10.4.20 as the two addresses. Next,
right-click and select Apply as Filter > Selected > A<>B. Finally, close the Wireshark Conversations window.
A filter is now defined in the main Wireshark window. Only packets between the two selected IP addresses are
displayed.

Step 46

Now look at the summary of the first DNS packet from 10.10.6.10 (Inside-Win) that is destined for the DNS
server (10.10.4.20) and is a query for inside-srv.abc.private, the host that Firefox is trying to reach.

Step 47

Select this first DNS query and examine the protocol decode in the Wireshark middle pane. Expand the User
Datagram Protocol section. Examine the UDP header details.

Step 48

With the first DNS query still selected, examine the protocol decode in the Wireshark middle pane. Expand the
Domain Name System (query) content, including the Queries field. Examine the details.

Step 49

Select the first DNS query response and examine the protocol decode in the Wireshark middle pane. Expand
the Domain Name System (response) content, including the Queries field and Answers field. Examine the
details.

Examine a TCP Connection


TCP is a connection-oriented protocol that provides reliable delivery. It is the most commonly used transport layer
protocol in the TCP/IP protocol suite. In this task, you will take a close look at the TCP connection process, and the
data that is carried in the TCP header.
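
The following Python example (added here; it is not part of the Cisco lab) constructs the three handshake segments
for the connection from Inside-Win to port 80 on Inside-Srv and checks the arithmetic that ties them together: the
SYN/ACK must acknowledge the client's initial sequence number plus one, and the final ACK must acknowledge the
server's plus one. The client port, both initial sequence numbers, the window and the MSS option are assumptions of
the example; the checksums are left at zero because the example never puts the segments on the wire. The header
size constants are there for the header-overhead comparison in the last task.

```python
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP_MIN_HEADER, UDP_HEADER = 20, 8  # bytes; the overhead difference the last task asks you to compare
MSS_OPTION = b"\x02\x04\x05\xb4"  # kind 2, length 4, MSS 1460 (typical on Ethernet)


def build_tcp(sport, dport, seq, ack, flags, window=64240, options=b""):
    """TCP header: 20 fixed bytes plus options padded to a multiple of 4; checksum left 0."""
    if len(options) % 4:
        raise ValueError("options must be padded to a 32-bit boundary")
    data_offset = (TCP_MIN_HEADER + len(options)) // 4  # header length in 32-bit words
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset << 4, flags, window, 0, 0) + options


def parse_tcp(segment):
    if len(segment) < TCP_MIN_HEADER:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flags, window, _, _ = struct.unpack("!HHIIBBHHH", segment[:20])
    header_len = (off_res >> 4) * 4
    if header_len < TCP_MIN_HEADER or header_len > len(segment):
        raise ValueError("data offset disagrees with captured bytes")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": window, "header_len": header_len,
            "options": segment[20:header_len], "payload": segment[header_len:]}


def flag_names(flags):
    names = (("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK))
    return "/".join(name for name, bit in names if flags & bit)


def validate_handshake(segments):
    """Check that three segments form a correct SYN, SYN/ACK, ACK exchange.

    Each side picks its initial sequence number (ISN) independently; the other side proves it
    saw it by acknowledging ISN + 1. Wireshark shows these as relative values 0 and 1.
    """
    def wrap(n):
        return n & 0xFFFFFFFF  # sequence space is modulo 2**32

    syn, synack, ack = (parse_tcp(s) for s in segments)
    if syn["flags"] & (SYN | ACK) != SYN:
        raise ValueError("first segment is not a bare SYN")
    if synack["flags"] & (SYN | ACK) != SYN | ACK:
        raise ValueError("second segment is not SYN/ACK")
    if (synack["sport"], synack["dport"]) != (syn["dport"], syn["sport"]):
        raise ValueError("SYN/ACK ports do not mirror the SYN")
    if synack["ack"] != wrap(syn["seq"] + 1):
        raise ValueError("SYN/ACK does not acknowledge the client ISN + 1")
    if ack["flags"] & (SYN | ACK) != ACK:
        raise ValueError("third segment is not a bare ACK")
    if ack["seq"] != wrap(syn["seq"] + 1) or ack["ack"] != wrap(synack["seq"] + 1):
        raise ValueError("final ACK carries the wrong sequence or acknowledgement number")
    # Established: next byte each side will send, keyed by its port.
    return {"client": (syn["sport"], ack["seq"]), "server": (syn["dport"], ack["ack"])}


def sample_handshake(client_isn=0x1D2C3B4A, server_isn=0xA5B6C7D8):
    """Constructed handshake Inside-Win:49200 -> Inside-Srv:80 with raw (not relative) ISNs."""
    return (
        build_tcp(49200, 80, client_isn, 0, SYN, options=MSS_OPTION),
        build_tcp(80, 49200, server_isn, client_isn + 1, SYN | ACK, options=MSS_OPTION),
        build_tcp(49200, 80, client_isn + 1, server_isn + 1, ACK),
    )
```

When you select the Sequence number field of the captured SYN/ACK in Step 53, the raw 32-bit value in the bytes
pane is the server ISN this example calls server_isn; the relative value Wireshark shows in the decode is 0.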

Step 50

Return your attention to the top packet summary pane in Wireshark. Just after the last DNS packet, you should
see a TCP packet with a source address of 10.10.6.10 and a destination address of 10.10.4.20. Select that
packet.

Step 51

The packet capture includes hundreds of frames facilitating multiple TCP connections and other network
traffic. Wireshark provides various packet filtering features to limit packet display to conditions of interest. With
that first TCP packet selected, right-click and select Conversation Filter > TCP.

Step 52

Take a closer look at the first three packets.

Step 53

Select the SYN/ACK packet and then examine the protocol decode and raw data panes in Wireshark. Expand the
Transmission Control Protocol section of the decode. Select the Sequence number field in the decode pane, which
highlights the actual sequence number in the raw data pane. By default, Wireshark shows relative sequence numbers
in the decode (the SYN/ACK appears as sequence number 0), so the value in the decode pane differs from the raw
32-bit value highlighted in the bytes pane unless you disable Relative sequence numbers in the TCP protocol
preferences.

Step 54

Return your attention to the packet summary pane. Examine the last four packets in this TCP connection.

Examine the First HTTP Transactions


When you look at the filtered packet summary, you can see that some of the packets are classified as TCP and
others as HTTP. HTTP is indeed the application that is being carried within this TCP connection. Wireshark decides
how to classify each packet. Generally, if the packet contains HTTP headers, it is classified as HTTP. HTTP
responses are often large enough that they must be spread across multiple TCP packets. In these cases, the HTTP
header is only in the first of these packets. Wireshark classifies the first packet as HTTP and the following ones as
TCP, labeling them "TCP segment of a reassembled PDU" when reassembly is enabled, which it is by default.
Wireshark also classifies the packets that are associated with connection maintenance, such as the TCP three-way
handshake and the TCP FIN exchange, as TCP.

Step 55

To view the data that is transferred between the two hosts across all these TCP packets, select any packet in
the filtered TCP summary, right-click and select Follow > TCP Stream. Examine the data that are presented in
the Follow TCP Stream window.

Step 56

Close the Follow TCP Stream window.

Examine TCP Connections


The TCP connection that you examined provided all the data that was necessary for Firefox to render the home page
of the Inside-Srv. In this task, you will examine the behavior of multiple, concurrent, TCP connections. You could
examine them by scrolling through the packet summary window, but instead, let Wireshark summarize the
conversations for you.

Step 57

The Wireshark display filter is currently set to tcp.stream eq 0. Either highlight this text and delete it, or click
the X icon to the right of the display filter field. All packets in the capture are now represented in the summary
pane.

Note

Wireshark indexes the TCP connections within a capture. The display filter is currently set to tcp.stream eq N,
where N is the internal index value that Wireshark has assigned to the TCP connection that you just analyzed.
Therefore, the index value that you see may be something other than 0.

Step 58

Select Statistics > Conversations. The Wireshark Conversations window is displayed.

Step 59

Select the TCP tab. A table summarizing each TCP connection as a row is displayed. Examine the data that is
presented.

Compare and Contrast TCP and UDP


From what you've seen so far in this lab exercise, you have a basic understanding of the differences between TCP
and UDP.

• TCP is a connection-oriented protocol. It uses a three-way handshake to exchange initial sequence numbers.
Tracking sequence numbers with acknowledgements provides a mechanism for retransmission when packets are lost
or when packets arrive corrupted (the receiver discards a segment whose checksum fails, so it is never
acknowledged). TCP also uses dynamic window sizing to maximize performance in different networking conditions.
These features come at a price, however. The TCP three-way handshake and FIN exchange consume network
resources, and the TCP header is quite large: 20 bytes minimum, and more with options, compared with 8 bytes for
UDP.

• UDP does not provide any guarantees on delivery, but it is a very light and efficient protocol. Some network
services are better served by UDP than TCP. DNS requests are an example. A DNS request and response is a
quick, two-packet interaction. If either packet is lost or corrupted, the recovery mechanism is simple. The DNS
client simply repeats its request. VoIP is another example where UDP is better than TCP. VoIP must carry phone
conversations in real time. It splits audio data over many small UDP packets. If one of the packets is lost, there is
no time to request retransmission. The receiver must do the best that it can with the data that it has in real time.
There is no benefit to using TCP for VoIP, but the overhead of a larger header is certainly a detriment.

The last task in this lab exercise is self-directed.

Step 60

Consider the discussion of TCP and UDP above. Go back and look at the packet capture data in Wireshark.
Observe how DNS uses UDP. Observe how HTTP uses TCP. Compare the TCP header and the UDP header
to understand the differences in header overhead.
