Exploring Wireshark, Netstat And Tracert: Network Administration Tools

Packet Capture Analysis with Wireshark

The /27 in this address indicates that the network portion of the address is 27 bits long (the most significant bits), the IP address itself being 32 bits long. In my scenario, the last octet of the given address written in binary is 00000011; the first three octets together with the first 3 bits of this octet (8+8+8+3 = 27), i.e. 154.78.177.000, form the network address, and the remaining 5 bits (00000) are left for the host addresses (Fuller & Varadhan, 2013).


The network ID is simply the first address of the block of host addresses, while the direct broadcast address is the last address of the block (Fuller & Varadhan, 2013).

So the conclusion to this question is:

1. The network address becomes 154.78.177.0. This has been realized by setting all the 5 bits of the host id to 0.
2. The direct broadcast address is 154.78.177.31. This has been realized by setting all the 5 bits of the host to 1.
3. The range of available hosts is from 1 to 30 in the last octet, i.e. from 154.78.177.1 to 154.78.177.30 (the first and last addresses are reserved for the network address of the block and its direct broadcast address respectively) (Huegen et al., 2011).

Question 2 – Allocating subnets from a block (8 marks)


A company has been granted a block of addresses which includes the address 138.77.216.5/24. Answer the following questions, showing your calculations.

  1. Calculate the network address of this block and how many host addresses, including special addresses, this block can provide (1 mark)
  2. Create the following 6 subnets for this company by calculating the subnet address for each subnet. Answer this question by filling in the table in the Answer template. Use CIDR format for the mask.
     i) 2 subnets with 32 addresses each (2 marks)
     ii) 4 subnets with 16 addresses each (4 marks)
  3. After some time, the company decides that it wants another subnet with 1,024 addresses. Explain whether this can be allocated from the existing block. (1 mark)

Subnetting takes place when the default subnet mask is extended; it cannot be performed with the default mask itself, and each address class has its own default mask. To work out a subnetted mask, I first write down the default subnet mask, then find how many host bits have been borrowed to create the subnets, and finally convert the result to decimal form. For my question, I first find the default mask of the given address 138.77.216.5/24: the address belongs to class B, and class B addresses have a default subnet mask of 255.255.0.0 (/16 in CIDR) (Postel & Mogul, 2015).

This means 8 bits have been borrowed from the host portion to arrive at the prefix of the address I have been given (/24 = /16 + 8 bits). Bearing in mind that subnetting proceeds from left to right without skipping any network bit, the subnet mask in my case becomes, in binary, 11111111.11111111.11111111.00000000. The first three octets have all their bits set, so in decimal they are 255.255.255. The 4th octet has all its bits off, so its decimal value is 0+0+0+0+0+0+0+0 = 0. My subnet mask is therefore 255.255.255.0 (Postel & Mogul, 2015).

Allocating Subnets in IPv4

The total number of subnets that can be created with a given subnet mask is 2^N, where N is the number of bits borrowed from the host part to create the subnets. For 138.77.216.5/24, N is 8: the address belongs to class B, whose default subnet mask is 255.255.0.0 (/16 in CIDR), so the bits borrowed from the host part are 24 – 16 = 8 host bits. Since 2^8 = 256, the answer is 256 (Postel & Mogul, 2015).

My original network is class B, so it has 16 bits in its default subnet mask, and I borrowed 8 bits from the host part (nnnnnnnn.nnnnnnnn.ssssssss.hhhhhhhh) of the original network. 2^8 = 256 therefore gives the total number of subnets the network 138.77.x.x would have. To know how many subnets there are within the range 138.77.216.x/24, I consider only the bits borrowed from the host part in the fourth octet, which is 0 bits, since the first three octets must match 138.77.216; 2^0 = 1, so I have 1 subnet starting with 138.77.216.x, namely 138.77.216.0 (Schuler, 2013).

2 (a)

So the network address for this block of addresses is 138.77.216.0.

2 (b)

i) 138.77.216.0 to 138.77.216.31 and
   138.77.216.32 to 138.77.216.64

ii) 138.77.216.0 to 138.77.216.15
    138.77.216.16 to 138.77.216.31
    138.77.216.32 to 138.77.216.47
    138.77.216.48 to 138.77.216.64

2 (c)

From the above calculations, the total number of subnets is 1 (2^0) and the subnet can accommodate 256 hosts, so the whole block of addresses has 256 host addresses. Even if the company decides to add another subnet with 1,024 addresses, there is therefore no room for it.
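The subnet arithmetic of Questions 1 and 2 (network and direct broadcast address, usable host range, carving the two 32-address and four 16-address subnets out of the /24, and checking whether a further 1,024-address subnet would fit), carried out with Python's standard ipaddress module. This is an added example, not part of the original answer; the /27 block is taken to be the one whose network address is given above as 154.78.177.0.

```python
import ipaddress


def block_summary(cidr: str) -> dict:
    """Network address, direct broadcast address, usable host range and size of one block.
    strict=False lets a host address such as 138.77.216.5/24 stand for its block."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())  # excludes the network and broadcast addresses
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "total_addresses": net.num_addresses,  # including the two special addresses
        "host_bits": net.max_prefixlen - net.prefixlen,
    }


def allocate_subnets(block: str, sizes: list) -> list:
    """Carve subnets of the given sizes (in addresses) out of block, in the order given.
    A subnet must start on a multiple of its own size, so the cursor is aligned first.
    Raises ValueError when the block cannot hold the next subnet."""
    net = ipaddress.ip_network(block, strict=False)
    cursor, end = int(net.network_address), int(net.broadcast_address) + 1
    allocated = []
    for size in sizes:
        if size < 1 or size & (size - 1):
            raise ValueError(f"subnet size {size} is not a power of two")
        if cursor % size:
            cursor += size - cursor % size  # align to the subnet boundary
        if cursor + size > end:
            raise ValueError(f"no room for a {size}-address subnet in {net}")
        prefix = net.max_prefixlen - (size.bit_length() - 1)  # 32 addresses -> /27
        allocated.append(f"{ipaddress.ip_address(cursor)}/{prefix}")
        cursor += size
    return allocated


def room_for(block: str, existing: list, extra: int) -> bool:
    """True if a further subnet of `extra` addresses still fits after the existing ones."""
    try:
        allocate_subnets(block, list(existing) + [extra])
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("Q1:", block_summary("154.78.177.0/27"))
    plan = [32, 32, 16, 16, 16, 16]  # largest first, so alignment wastes nothing
    for cidr in allocate_subnets("138.77.216.5/24", plan):
        s = block_summary(cidr)
        print(f"{cidr}: {s['network']} to {s['broadcast']}")
    print("1024-address subnet fits:", room_for("138.77.216.5/24", plan, 1024))
```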

Often the best way to gain an initial familiarity with network tools is to simply use them, at a basic level in exploratory mode as suggested in some of the tutorial exercises.  Netstat and Tracert are included in Windows, while Wireshark is free to download and install.  Explore Wireshark, Netstat and Tracert, then complete this question.

a) A Wireshark scan has produced a packet capture, saved to a file named pcapng and available on the Unit website. Download the file and open it in Wireshark, then answer these questions about the scan:
  i) Very briefly summarise in your own words the content in each of the three horizontal display windows in Wireshark (.5 mark)
  ii) In Frame 3, what brand of computer launched this scan and what was its IP address? State where this information is found (.5 mark)
  iii) Briefly explain the exchange event captured in frames 4 – 6 (.5 mark)
  iv) Describe in your own words two specific network problems that a network administrator could use Wireshark for as a troubleshooting tool?

A (i)

Wireshark_ denotes the software which was used to produce the results in the given capture.

Capture01_ denotes the position this capture occupies in the repository folder of the Wireshark software; in this case there was no other capture in the repository, which means that this capture was the first one.

Troubleshooting Various Network Problems using Wireshark

.pcapng_ (PCAP Next Generation Dump File Format) was adopted to overcome the limitations of the format previously used (the libpcap format); it is a flexible and extensible successor to libpcap. A file saved in the pcapng format by default indicates that the version of Wireshark being used is 1.8 or later, because prior versions used libpcap (Asrodia & Patel, 2012).

A (ii)

Mac computer, IP address = 10.0.0.58:139. This information is found in the 5th line of the event capture, which shows winsock2.h.

A (iii)

It indicates the route followed by the packets from launch until they reach the destination.

A (iv)

Wireshark, initially known as Ethereal, is a powerful network security analysis tool used by network administrators. As a network packet analyzer, Wireshark lets network administrators peer into networks and examine the specifics of network traffic at different levels, ranging from connection-level information down to the individual bits making up a single packet. The flexibility and depth of such inspection enable network administrators to analyze the security of a network and troubleshoot security issues (Banerjee, Vashishtha & Saxena, 2010).

The second important use of Wireshark is in troubleshooting security devices, specifically network firewall rules: whenever systems running Wireshark are placed on either side of the firewall, Wireshark makes it easy for the network administrator to see which packets successfully traverse the device and to identify the cause of a connectivity problem if it is associated with the firewall (Liu, 2012).

b) A ‘NETSTAT –aon’ command has given the output below (excerpted). Briefly describe each column heading, and the states LISTENING, ESTABLISHED and CLOSE_WAIT. (1 mark)

Proto  Local Address       Foreign Address      State         PID
TCP    10.0.0.58:139          0.0.0.0:0              LISTENING       
TCP    10.0.0.58:5040         0.0.0.0:0              LISTENING       7480
TCP    10.0.0.118:139         0.0.0.0:0              LISTENING       4
TCP    10.0.0.118:52450       52.63.165.133:443      ESTABLISHED     14080
TCP    10.0.0.118:52458       104.116.191.195:443    CLOSE_WAIT      8912
TCP    10.0.0.118:52791       40.100.151.2:443       ESTABLISHED     22400
TCP    10.0.0.118:52811       162.125.34.129:443     ESTABLISHED     4696
TCP    10.0.0.118:52820       34.232.224.128:443     CLOSE_WAIT      4696
TCP    10.0.0.118:52879       162.125.34.129:443     ESTABLISHED     4696

Proto: The Proto column gives the name of the protocol involved in the connection. It can be either TCP or UDP.

Local Address: This column gives the IP address of the local computer and the port being used.

Foreign Address: The Foreign Address column gives the IP addresses and port numbers of the remote computers being accessed.

PID: This column shows the process identifier (PID) of the process associated with a particular TCP or UDP connection.

State: This column gives the state of the TCP or UDP connection. A connection can be in one of several states (Liu, 2012):

  1. LISTENING - the server is waiting for a connection request from any remote TCP and port.
  2. SYN-SENT - the client is waiting for a matching connection request after having sent its own connection request.
  3. SYN-RECEIVED - the server is waiting for the acknowledgment confirming the connection request after having both received and sent a connection request.
  4. ESTABLISHED - seen on both servers and clients; an open connection exists, and data received can be delivered to the user.
  5. FIN-WAIT-1 - seen on both servers and clients; waiting for a connection termination request from the remote TCP, or for an acknowledgment of the connection termination request previously sent.
  6. FIN-WAIT-2 - seen on both servers and clients; waiting for a connection termination request from the remote TCP.
  7. CLOSE-WAIT - seen on both servers and clients; waiting for a connection termination request from the local user.
  8. CLOSING - seen on both servers and clients; waiting for the remote TCP to acknowledge the connection termination request.
  9. LAST-ACK - seen on both servers and clients; waiting for an acknowledgment of the connection termination request previously sent to the remote TCP.
  10. TIME-WAIT - seen on both servers and clients; waiting for enough time to pass to be sure that the remote TCP received the acknowledgment of its connection termination request.
  11. CLOSED - seen on both servers and clients; there is no connection at all.

c) Do a TRACERT on your computer to google.com. Paste the output to your assignment answer template and discuss the information being displayed (1 mark)
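The netstat -aon excerpt and the state descriptions in part b) above, worked programmatically as an added example (not part of the original answer): the output is parsed into records, coping with the first row's missing PID and with UDP rows, which have no State column, and then summarised the way an administrator reads it, as per-state counts, a listening-port inventory, CLOSE_WAIT counts per process (a growing count for one PID points to a process that never closes sockets its peers have already closed) and the remote peers each process is talking to.

```python
from collections import Counter, defaultdict

# The netstat -aon excerpt quoted above, embedded inline so the example runs offline.
NETSTAT_OUTPUT = """\
Proto  Local Address       Foreign Address      State         PID
TCP    10.0.0.58:139          0.0.0.0:0              LISTENING
TCP    10.0.0.58:5040         0.0.0.0:0              LISTENING       7480
TCP    10.0.0.118:139         0.0.0.0:0              LISTENING       4
TCP    10.0.0.118:52450       52.63.165.133:443      ESTABLISHED     14080
TCP    10.0.0.118:52458       104.116.191.195:443    CLOSE_WAIT      8912
TCP    10.0.0.118:52791       40.100.151.2:443       ESTABLISHED     22400
TCP    10.0.0.118:52811       162.125.34.129:443     ESTABLISHED     4696
TCP    10.0.0.118:52820       34.232.224.128:443     CLOSE_WAIT      4696
TCP    10.0.0.118:52879       162.125.34.129:443     ESTABLISHED     4696
"""


def split_endpoint(endpoint: str):
    """'10.0.0.118:52450' -> ('10.0.0.118', 52450); rpartition also copes with [IPv6]:port."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat(text: str) -> list:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header line, blank lines, banners
        proto, local, foreign, *rest = parts
        # UDP rows carry no State; a TCP row may lack its PID (as the first row above does).
        state = rest.pop(0) if rest and not rest[0].isdigit() else None
        pid = int(rest[0]) if rest else None
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "remote_host": fhost, "remote_port": fport, "state": state, "pid": pid})
    return rows


def count_by_state(rows: list) -> Counter:
    return Counter(r["state"] for r in rows if r["state"])


def listening_ports(rows: list) -> list:
    """(address, port, pid) for each listening socket: the host's exposed-service inventory."""
    return sorted(((r["local_host"], r["local_port"], r["pid"]) for r in rows
                   if r["state"] == "LISTENING"), key=lambda t: (t[0], t[1]))


def close_wait_by_pid(rows: list) -> Counter:
    """Sockets the remote side has closed but the local process has not yet closed."""
    return Counter(r["pid"] for r in rows if r["state"] == "CLOSE_WAIT")


def peers_by_pid(rows: list) -> dict:
    """Remote endpoints each process holds an established or half-closed connection to."""
    peers = defaultdict(set)
    for r in rows:
        if r["state"] in ("ESTABLISHED", "CLOSE_WAIT"):
            peers[r["pid"]].add(f"{r['remote_host']}:{r['remote_port']}")
    return dict(peers)


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_OUTPUT)
    print("by state:", dict(count_by_state(rows)))
    print("listening:", listening_ports(rows))
    print("CLOSE_WAIT per PID:", dict(close_wait_by_pid(rows)))
    print("peers per PID:", peers_by_pid(rows))
```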

Understanding Network Protocols, IP Addresses and Ports through Netstat

Output after running the TRACERT on my computer

Tracing route to www.google.com [74.125.196.104]
  1     3 ms     1 ms     1 ms www.huaweimobilewifi.com [192.168.8.1]
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *       79 ms  154.79.241.202
  7    75 ms    76 ms    56 ms  72.14.203.47
  8    52 ms    71 ms    53 ms  72.14.203.46
  9   175 ms   196 ms   178 ms  108.170.229.83
 10   195 ms   236 ms   198 ms  216.239.35.207
 11  1066 ms   732 ms   262 ms  209.85.143.216
 12   271 ms   262 ms   271 ms  216.239.48.9
 13   267 ms   270 ms   264 ms  216.239.40.138
 14   277 ms   266 ms   270 ms  216.239.50.104
 15   266 ms   263 ms   290 ms  108.170.231.169

Results description

As can be seen from the results above, each hop is displayed on a separate, numbered line, so after running the command on my computer it took 25 hops to reach the final destination server, yk-in-f104.1e100.net [74.125.196.104], which is simply the Google website (Liu, 2012).

Each row has been displayed in 6 columns. The very first column is simply the number of the hop.

1    3 ms     1 ms     1 ms www.huaweimobilewifi.com [192.168.8.1]

What tracert actually did was send three packets of data and measure the time taken by each. At each hop in my results, the three packets took different times in milliseconds. The server at the first hop is called www.huaweimobilewifi.com, and its IP address is 192.168.8.1. The results also show that the three packets took 886, 546 and 517 milliseconds respectively to get a reply from the destination server, as indicated by the last hop (Liu, 2012).

25   886 ms   546 ms   517 ms  yk-in-f104.1e100.net [74.125.196.104]

Hops 16 to 24 in the results show no timing data, only "Request timed out" errors. This is because the servers at those hops reject Internet Control Message Protocol (ICMP) traffic, so tracert's requests for information were ignored there. However, the results show that the command could still send data on to the following hops. A "Request timed out" error should not be a big concern, as some network providers simply choose to disable ICMP traffic, especially when their networks are under heavy load (Liu, 2012).
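The tracert output above, parsed programmatically as an added example (not part of the original answer): each hop's three probes are read, lost probes ("*") are kept as None so that a hop such as hop 6, which answered only once, remains usable, the hops that answered nothing are listed, and the hop where the minimum RTT rises most over the previous responding hop is found. Minimum rather than mean RTT is used because one queued probe, like the 1066 ms at hop 11, would otherwise dominate.

```python
import re

# Hops 1-15 of the tracert output quoted above, embedded inline so the example runs offline.
TRACERT_OUTPUT = """\
Tracing route to www.google.com [74.125.196.104]
  1     3 ms     1 ms     1 ms www.huaweimobilewifi.com [192.168.8.1]
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *       79 ms  154.79.241.202
  7    75 ms    76 ms    56 ms  72.14.203.47
  8    52 ms    71 ms    53 ms  72.14.203.46
  9   175 ms   196 ms   178 ms  108.170.229.83
 10   195 ms   236 ms   198 ms  216.239.35.207
 11  1066 ms   732 ms   262 ms  209.85.143.216
 12   271 ms   262 ms   271 ms  216.239.48.9
 13   267 ms   270 ms   264 ms  216.239.40.138
 14   277 ms   266 ms   270 ms  216.239.50.104
 15   266 ms   263 ms   290 ms  108.170.231.169
"""

# hop number, then exactly three probe fields ("<n> ms", "<1 ms" or "*"), then the target text
HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(.*)$")
TARGET_RE = re.compile(r"^(.*?)\s*\[([\d.]+)\]$")  # "hostname [ip]"


def parse_probe(token: str):
    """'79 ms' -> 79; '<1 ms' -> 1 (Windows prints sub-millisecond RTTs as <1); '*' -> None (lost)."""
    return None if token == "*" else int(re.sub(r"\D", "", token))


def destination(text: str):
    m = re.search(r"Tracing route to (\S+) \[([\d.]+)\]", text)
    return (m.group(1), m.group(2)) if m else None


def parse_tracert(text: str) -> list:
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        rtts = [parse_probe(t) for t in re.findall(r"<?\d+ ms|\*", m.group(2))]
        target = m.group(3).strip()
        tm = TARGET_RE.match(target)
        if tm:
            name, ip = tm.group(1), tm.group(2)          # reverse DNS resolved
        elif target.startswith("Request timed out"):
            name, ip = None, None                        # nothing answered
        else:
            name, ip = None, target                      # bare IP, no reverse DNS
        hops.append({"hop": int(m.group(1)), "rtts": rtts, "name": name, "ip": ip})
    return hops


def silent_hops(hops: list) -> list:
    """Hops where all three probes were lost: devices that drop or rate-limit ICMP replies."""
    return [h["hop"] for h in hops if all(r is None for r in h["rtts"])]


def min_rtt(hop: dict):
    answered = [r for r in hop["rtts"] if r is not None]
    return min(answered) if answered else None


def largest_latency_jump(hops: list):
    """(hop, increase in ms) for the biggest rise in minimum RTT between responding hops."""
    prev, best = None, (None, float("-inf"))
    for h in hops:
        cur = min_rtt(h)
        if cur is None:
            continue  # skip silent hops; compare with the last hop that answered
        if prev is not None and cur - prev > best[1]:
            best = (h["hop"], cur - prev)
        prev = cur
    return best


if __name__ == "__main__":
    hops = parse_tracert(TRACERT_OUTPUT)
    print("destination:", destination(TRACERT_OUTPUT))
    print("silent hops:", silent_hops(hops))
    print("largest latency jump (hop, ms):", largest_latency_jump(hops))
```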

References

Asrodia, P., & Patel, H. (2012). Analysis of various packet sniffing tools for network monitoring and analysis. International Journal of Electrical, Electronics and Computer Engineering, 1(1), 55-58.

Banerjee, U., Vashishtha, A., & Saxena, M. (2010). Evaluation of the Capabilities of WireShark as a tool for Intrusion Detection. International Journal of computer applications, 6(7).

Orebaugh, A., Ramirez, G., & Beale, J. (2016). Wireshark & Ethereal network protocol analyzer toolkit. Elsevier.

Schuler, T. P. (2013). U.S. Patent Application No. 11/776,651.

Postel, J., & Mogul, J. C. (2015). Internet standard subnetting procedure.

Liu, H. (2012, October). A new form of DOS attack in a cloud and its avoidance mechanism. In Proceedings of the 2010 ACM workshop on Cloud computing security workshop (pp. 65-76). ACM.

Huegen, C. A., Dobbins, E. R., Foo, I., & Gleichauf, R. E. (2011). U.S. Patent No. 8,068,414. Washington, DC: U.S. Patent and Trademark Office.

Fuller, V., Li, T., Yu, J., & Varadhan, K. (2013). Classless inter-domain routing (CIDR): an address assignment and aggregation strategy (No. RFC 1519).
