Hey everybody, this is Mr. McKee again with SEC 210. Today I'll be going over Packet Tracer 10.4... I believe it's 3, yep. All right, and this thing is titled "Using Wireshark to Examine TCP and UDP Captures." We're going to be using an internet connection, a router, and then an FTP client. Let's see, Part 1 will highlight a TCP capture from an FTP session. This topology consists of the CyberOps Workstation VM with internet access. So when you're using Mininet, that's pretty much the same as we've done before.

Two protocols in the TCP/IP transport layer are TCP and UDP. Both protocols support upper-layer protocol communication. For example, TCP is used to provide transport layer support for the Hypertext Transfer Protocol (HTTP) and FTP protocols, among others. UDP provides transport layer support for the Domain Name System (DNS) and TFTP (Trivial FTP), among others.

In Part 1 of this lab, you will use the Wireshark open-source tool to capture and analyze TCP protocol header fields for FTP file transfers between a host computer and an anonymous FTP server. The terminal command line is used to connect to an anonymous FTP server and download a file. In Part 2 of this lab, you will use Wireshark to capture and analyze UDP header fields for TFTP file transfers between two Mininet host computers.

All right, so let's get started. Start Wireshark. We need a terminal; this is pretty much what we've been doing, a bunch of Wireshark from the inside. It looks like there's traffic going across enp0s3 and, I guess, whatever that is, "any". Start a Wireshark capture for enp0s3, so let's double-click that. Now we're going to open another terminal window; I'm just going to use another terminal window since that's already up there. We're going to FTP to ftp.cdc.gov. Name: anonymous. "Anonymous access allowed, send identity as password." So I'll use... let's just use, well, whatever. Just hit Enter, no password. Notice the system type: Windows_NT. We're at the ftp> prompt.

Download the README file. So let's list. It's taking a while; notice we have a bunch of packets going across the network. A bunch of that stuff is coming from my cameras and my router, switches and stuff, so maybe yours is not going to be as slow as mine is. If you get any of those errors up there, "FTP server is currently down," you can proceed to the rest of the lab, analyzing those packets that you are able to capture and reading along for packets that you did not capture. You can also return to the lab later to see if the FTP server is back up. So I'm going to pause this video while I'm waiting for the FTP server to respond with all the files that are in that folder.

It looks like the FTP server is slow, but instead of listing all the files in that folder I just did "get README", so hopefully it downloaded it for me. After the transfer is complete, type quit, back to the command line. Stop the packet capture.

Wireshark captured many packets during the FTP session to ftp.cdc.gov. To limit the amount of data for analysis, apply the filter "tcp and ip.addr", right here: tcp and ip.addr. The address 198.246.117.106 is the address for ftp.cdc.gov at the time this lab was created; the IP address may be different, but it did work. If so, look for the first TCP packet that started the three-way handshake with that website. It looks like 254.90... yeah, it looks like it works. Notice the SYN, SYN/ACK, ACK three-way handshake. Your Wireshark interface might look slightly different than the above image.

Analyze TCP fields. After the TCP filter has been applied, the first three packets right there are SYN, SYN/ACK and ACK. TCP is routinely used during a session to control datagram delivery, verify datagram arrival, and manage window size. For each data exchange between the FTP client and FTP server, a new TCP session is started. At the conclusion of the data transfer, the TCP session is closed. When the FTP session is finished, TCP performs an orderly shutdown and termination.

In Wireshark, the detailed TCP information is available in the Packet Details pane; we'll get into that, which is the middle section. Highlight the first datagram from the host computer, right there, and expand portions of the TCP datagram; let's see, they've opened the flags up. The expanded TCP datagram appears similar to the Packet Details pane as shown below. Let me see if I can get this a little bit bigger. Okay. The image above is a TCP datagram diagram; an example of each field is provided for reference.

The TCP source port number belongs to the TCP session host that opened the connection. The value is normally a random value above 1023, because numbers 0 to 1023 are well-known ports. Let's see if I can find it... there you go, source port, right there.

The TCP destination port number is used to identify the upper-layer protocol or application on the remote site. The values in the range 0 to 1023 represent the well-known ports and are associated with popular services and applications such as Telnet, FTP and HTTP. The combination of source IP address, source port, destination IP and destination port uniquely identifies the session to the sender and receiver. In the Wireshark capture above, the destination port is 21, and it's right there, which is FTP. FTP servers listen on port 21 for FTP client connections.

The sequence number specifies the number of the last octet in the segment. The acknowledgement number specifies the next octet expected by the receiver; right there, let's see, all zeros down there.

The code bits have a special meaning in session management and in the treatment of segments. Among the interesting values are ACK, SYN and FIN. ACK: acknowledgement of a segment receipt. SYN: synchronize, only set when a new TCP session is negotiated during the TCP three-way handshake; this is starting the three-way handshake, so that makes sense. FIN: finish, the request to close the TCP session.

The window size, notice right there, window size value, is the value of the sliding window; it determines how many octets can be sent before waiting for an acknowledgement. And notice that right there, in hex, it looks like fa f0.

The urgent pointer, right there, is only used with the URG flag, when the sender needs to send urgent data to the receiver. The options (see options down here, below the urgent pointer) has only one option currently, and it is defined as the maximum TCP segment size; notice maximum segment size, 1460 bytes.

Using the Wireshark capture of the first TCP session startup (SYN bit set to 1), which is what we have right now, fill in the information about the TCP header. Some fields may not apply to this packet. You guys can go ahead and fill that out.

In the second Wireshark filtered capture, the CDC FTP server acknowledges the request from the VM, so let's click on the second one. Notice the second one has acknowledgement and SYN. Fill in the following information regarding the SYN/ACK message, which is the second one: notice SYN, ACK.

In the final stage of the negotiation to establish communications, the VM sends an acknowledgement message to the server. Notice that only the acknowledgement bit is set to 1, so let's go ahead and click on that. Notice SYN is not set but acknowledgement is set, and the sequence number is incremented to 1; notice, right there, sequence number. Okay. Fill in the following information regarding the ACK message. "Any other TCP datagrams contain a SYN bit?" I'm assuming it's referring to the others; you guys can look through there and find those. You can see a lot of SYN bits in there.

After a TCP session is established, FTP traffic can occur between the PC and the FTP server. Let's get back up here. So, three-way handshake, and the next one's FTP. The FTP client and server communicate with each other, unaware that TCP has control and management over the session. When the FTP server sends a Response: 220 to the FTP client, the TCP session on the FTP client sends an acknowledgement to the TCP session on the server. This sequence is visible in the Wireshark capture below. Notice "Response: 220 Microsoft FTP Service"; remember we're communicating with a Windows... it says Windows NT, or Microsoft NT.

When the FTP session has finished, the FTP client sends a command to quit. The FTP server acknowledges the FTP termination with a Response: 221. At this time the FTP server TCP session sends a TCP datagram to the FTP client announcing the termination of the TCP session. The FTP client TCP session acknowledges the receipt of the termination datagram, then sends its own TCP session termination. When the originator of the TCP termination, the FTP server, receives the duplicate termination, an ACK datagram is sent to acknowledge the termination and the TCP session is closed. This sequence is visible in the datagrams in the capture below.

So if we notice here, let's see, that's where we requested access as anonymous; access was granted, user logged in, Response: 215. Let's see if I can find a 221. There you go, there's 220; let's find 221. There you go, there's 221: FTP quit, response coming from the server to us saying goodbye.

By applying the ftp filter, the entire sequence of the FTP traffic can be examined in Wireshark, so let's do that. Notice you can see all the stuff there: password required, PASS... well, you couldn't log in the first time, but I tried it again. The username anonymous was used to retrieve the README file. After the file transfer completed, the user ended the TCP session. Apply the tcp filter again in Wireshark to examine the termination. So tcp... that's required. Notice, let's see if I can find my FIN/ACK. There is the FTP quit, FTP response goodbye, FIN and ACK, okay.

So we applied the filter. Four packets are transmitted for the termination of the TCP session. Because the TCP connection is full-duplex, each direction must terminate independently. Examine the source and destination addresses. In this example, the FTP server has no more data to send in the stream; it sends a segment with the FIN flag set in frame 149. Now, my frames will be different. The PC sends an acknowledgement to acknowledge the receipt of the FIN/ACK: FIN, acknowledgement; FIN/ACK, acknowledgement. Let's see, in frame 151 the PC sends a FIN to the FTP server to terminate the TCP session. The FTP server responds with an ACK to acknowledge the FIN from the PC in frame 152. Now the TCP session is terminated between the FTP server and the PC.

So now we're going to identify UDP header fields and operation using a Wireshark TFTP session capture. You can use Wireshark to capture a TFTP session and inspect the UDP header fields. Let's shut this down for now; quit without saving, that's fine. I'm going to clear the screen. I'm going to do sudo lab.support.files/scripts/cyberops_topo. CyberOps... my Mininet is started. Okay, so we're going to open up h1 and h2: xterm h1, xterm h2. There are our two host terminals.

Create a text file at the h1 terminal prompt in the /srv/tftp server folder. So let's look at this. We're just going to use echo: "This file contains my tftp data", and save that to /srv/tftp/my_tftp_data. Verify the file has been created with the desired data in the folder: cat /srv/tftp/my_tftp_data. "This file contains my tftp data." So it's in there.

Because of the security measure for this particular TFTP server, the name of the receiving file needs to exist already. On h2, create a file named my_tftp_data, so we use touch my_tftp_data. That started that... well, I'm not even going to show you guys, because it's empty, but if we did a list you can see it right here. Where's that, my_tftp_data. Clear this.

Capture a TFTP session in Wireshark. Start Wireshark in h1; so that's starting. From the Edit menu choose Preferences and click the arrow to expand Protocols, like such. Scroll down and select UDP; UDP is right there. Click to "Validate the UDP checksum if possible" and click OK. Start the Wireshark capture on the h1-eth0 interface. Now it started. Start the TFTP session from h2 to the TFTP server on h1 and get the file: tftp 10.0.0.11, get my_tftp_data. Stop the Wireshark capture. Actually, I don't know if I got enough packets, hmm, I got two, yeah. I should have... TFTP protocol... let's just do tftp (as the filter). There we go. Use the three TFTP packets to fill in the table and answer the questions in the rest of the lab. I'm going to actually clear this, do that, and now I'm going to stop it. tftp my_tftp_data... it's weird, I'm getting that... let's look here, server... I had to back up some; I missed one line: I didn't start my TFTP server. That makes sense.

So right here, starting at step 1: started up Mininet, I'm going to start my sudo... so I'm actually right here, xterm h1, h2. Let's start my two terminals. Now what I didn't do that time was... let's go home/analyst... oh yeah, I'm messing this thing up. On h1, there we go: home/analyst/lab.support.files/scripts/start_tftp. Let's see if it calculated that right; now TFTP started. Now let's create a file. So h1... let's see, okay, /srv/tftp... sorry, that was super loud... tftp/my_tftp_data. Oh, I'm sorry, you know what, h1, creating the file at the h1 prompt, /srv/tftp... goodness... "No space left on device." Well, let's cd /srv. Now I took that file out that I created earlier; I just want to redo it. echo "This file contains my tftp data"... sorry, TFTP. So I'm going to try this one more time; I reloaded my virtual machine because it was out of memory, which is very strange.

So I'm going to start at Part 2 once more. Let's do sudo lab.support.files/scripts... and there's my Mininet. Let's start up xterm with h1 and h2; there are those two. In h1 let's do home/analyst/lab.support.files/scripts/start_tftp; you can't see it... tftp.sh, okay. So that should be running. Create a file at the h1 terminal: "This file contains my tftp data" into /srv/tftp/my_tftp_data. So let's do cat /srv/tftp/my_tftp_data. There we go, that looks good. And then, because of the security measure for this particular TFTP server, the name of the receiving file needs to exist already: on h2, touch my_tftp_data. So I got that.

Now start Wireshark on h1. So there's our Wireshark. From Edit, choose Preferences; whoops, go back: File, Edit, Preferences. Expand Protocols and then UDP, all the way down, UDP, like such, and Validate UDP checksum, OK. I gotta see some traffic on there. Start a Wireshark capture on my interface, h1-eth0. There we go. Start a TFTP session from h2: -c get my_tftp_data. Let's see if it works now; I'm going to wait to make sure it goes through. "Transfer timed out"... what in the world? Let's stop this, let's look at tftp, hmm, very strange. Oh, duh, let's put the IP address in there. Actually, let's stop this and go here, like so, now let's go. There we go, finally: TFTP data block, acknowledgement. Now we'll stop that; finally it worked. And we're sorting by tftp.

Detailed UDP information is available in the Wireshark Packet Details pane. Use your datagram... let me make this a little bit bigger. So that is source port and destination port. TFTP is right down here; notice read request and source file my_tftp_data. Using the Wireshark capture of the first UDP datagram, fill in the information about the UDP header, which is right there. How does UDP verify datagram integrity? You might be able to look on there.

Examine the first frame returned from the TFTP server, which is right here, data packet. What's weird: it says the checksum was incorrect, "should be..., maybe caused by UDP checksum offload," which is strange because it still got the payload right there: "This file contains my tftp data." Fill out the information about the UDP header. So let's see, there's the second header; just fill it in. Notice the return UDP datagram has a different UDP source port, but this source port is used for the remainder of the TFTP transfer. Because there's no reliable connection, only the original source port used to begin the TFTP session is used to maintain the TFTP transfer. Also notice that the UDP checksum is incorrect, as it shows; this is most likely caused by UDP checksum offload. You can learn more about why this happens by searching "UDP checksum offload".

So now that we've seen that, I'm going to quit Mininet, and then sudo, all right, CyberOps, okay. The lab provided the opportunity to analyze TCP and UDP protocol operations from captured FTP and TFTP sessions. How does TCP manage communication differently than UDP? I'll let you guys answer that; do a little web search if you don't know for sure. And that's it, thanks for watching.

Yeah, what I did though: if you guys have the same problem where it says you're out of memory on your h1 or h2, I actually reinstalled the virtual machine. Also make sure, when you're running your VBox, that you have a good snapshot, like a first snapshot; do that first thing when you set up your virtual machine again. And that's it, thanks for watching.
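The following Python dissector is an added example and is not part of the video, the lab, or the CyberOps Workstation VM; it reproduces by hand what Wireshark's Packet Details pane shows for the two headers discussed above. It builds a constructed TCP SYN to port 21 with the window (0xfaf0) and MSS (1460) values pointed out in Part 1, parses the fixed header, the flag bits and the MSS option, and then builds a constructed TFTP DATA datagram from the server at 10.0.0.11 (the lab's address) to a client, computing the RFC 768 checksum over the IPv4 pseudo-header so that "Validate the UDP checksum if possible" can be imitated. The ephemeral ports 49152, 56789 and 40000, the client address 10.0.0.12, the sequence number 1000, and the way an "offloaded" datagram is modelled (the field holding only the pseudo-header partial sum, as a host-side capture typically shows before the NIC finishes it) are assumptions for the demonstration, not values from the capture.

```python
import socket
import struct

# Constructed sample segment, not taken from the lab capture: a TCP SYN from an ephemeral
# port to FTP control port 21, window 0xfaf0 and an MSS option of 1460 bytes, which are the
# field values the walkthrough points out in the Packet Details pane.
TCP_SYN = struct.pack(
    "!HHIIBBHHH",
    49152,    # source port, above 1023 (ephemeral; assumed value)
    21,       # destination port, FTP control
    1000,     # raw sequence number (assumed value)
    0,        # acknowledgement number, meaningless until ACK is set
    6 << 4,   # data offset: 6 words = 20-byte header + 4 bytes of options
    0x02,     # flags: only SYN set
    0xFAF0,   # window size
    0,        # TCP checksum (left zero in this constructed sample)
    0,        # urgent pointer, only meaningful together with URG
) + bytes([2, 4, 0x05, 0xB4])  # option kind 2 (MSS), length 4, value 1460

FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def parse_tcp(segment: bytes) -> dict:
    """Dissect the fixed TCP header and the MSS option the way the Packet Details pane shows them."""
    sport, dport, seq, ack, off, flags, win, csum, urg = struct.unpack("!HHIIBBHHH", segment[:20])
    hlen = (off >> 4) * 4
    fields = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "header_len": hlen,
              "flags": [name for bit, name in FLAG_BITS if flags & bit],
              "window": win, "checksum": csum, "urgent_pointer": urg, "mss": None}
    opts, i = segment[20:hlen], 0
    while i < len(opts):                      # kind 0 ends the list, kind 1 (NOP) has no length byte
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2 and length == 4:          # Maximum Segment Size option
            fields["mss"] = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return fields


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry, as used by the UDP checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header covered by the UDP checksum: src, dst, zero byte, protocol 17, UDP length."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, udp_len)


def udp_checksum(src_ip: str, dst_ip: str, dgram: bytes) -> int:
    """Checksum a UDP datagram per RFC 768, treating its own checksum field as zero."""
    zeroed = dgram[:6] + b"\x00\x00" + dgram[8:]
    csum = 0xFFFF ^ ones_complement_sum(pseudo_header(src_ip, dst_ip, len(dgram)) + zeroed)
    return csum or 0xFFFF                     # a computed zero is sent as 0xFFFF; 0 on the wire means "none"


def build_udp(sport: int, dport: int, payload: bytes, src_ip: str, dst_ip: str, offload: bool = False) -> bytes:
    """Build a UDP datagram. With offload=True the field holds only the pseudo-header partial sum,
    an approximation (assumption) of what a capture on the sending host shows when the NIC is
    expected to finish the checksum; Wireshark reports that as 'maybe caused by UDP checksum offload'."""
    dgram = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    csum = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(dgram))) if offload \
        else udp_checksum(src_ip, dst_ip, dgram)
    return dgram[:6] + struct.pack("!H", csum) + dgram[8:]


def parse_udp(dgram: bytes, src_ip: str, dst_ip: str) -> dict:
    """Dissect the 8-byte UDP header and validate the checksum like 'Validate the UDP checksum if possible'."""
    sport, dport, length, csum = struct.unpack("!HHHH", dgram[:8])
    expected = udp_checksum(src_ip, dst_ip, dgram)
    status = "none" if csum == 0 else ("good" if csum == expected else "incorrect")
    return {"src_port": sport, "dst_port": dport, "length": length, "checksum": csum,
            "expected": expected, "checksum_status": status, "payload": dgram[8:length]}


def demo():
    """Constructed TFTP DATA block 1 from the server (10.0.0.11, per the lab) to a client whose address
    and ports are assumed; returns the parsed SYN plus a good and an 'offloaded' UDP dissection."""
    src, dst = "10.0.0.11", "10.0.0.12"
    payload = b"\x00\x03\x00\x01" + b"This file contains my tftp data\n"   # TFTP opcode 3 (DATA), block 1
    good = build_udp(56789, 40000, payload, src, dst)
    offloaded = build_udp(56789, 40000, payload, src, dst, offload=True)
    return parse_tcp(TCP_SYN), parse_udp(good, src, dst), parse_udp(offloaded, src, dst)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running the file prints the three dissections: the SYN shows header length 24, flags ["SYN"], window 0xfaf0 and MSS 1460; the well-formed datagram validates as "good"; the "offloaded" one carries exactly the same payload but is reported "incorrect", which is the situation the walkthrough observes when the transfer succeeds even though Wireshark flags the checksum. Note that the TFTP server's reply comes from a new ephemeral source port (56789 here) rather than 69, mirroring the port change pointed out in Part 2.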