Jump to content

Communication Networks/Ethereal

From Wikibooks, open books for an open world

Ethereal

[edit | edit source]

Ethereal is a network packet analyzer or a “packet sniffer” as it is called. It was started by Gerald combs in 1997 to track down network problems. Since then Ethereal has been used as the main tool to track and manage network problems and also for R & D purposes.. Ethereal captures network packets from the network during a live network data transmission and gives a detailed summary or description about the packets such as its source and destination, protocols used, packet parameters, network standard, checksum, ports information and much more.

Ethereal is widely used in the networking field as it has many features. some of them are as follows.

  • Runs on many platforms such as Windows and Unix.
  • Captures live data packets and gives detailed information.
  • Saves all the information to be reviewed later.
  • Filters packet search on many criteria.
  • Supports around 780 protocols.
  • Gives detailed summary and statistics after capturing.
  • Moreover it is an open software.

And many more.

Ethereal does not detect or troubleshoot the network problems, but it is very important for network management and security as it keeps track of all the packets sent to and fro from your network interface.

Getting started

[edit | edit source]
Getting ethereal

Ethereal is a freeware. Simply download the Ethereal installer from: http://www.ethereal.com/download.html#releases and execute it.

After installing the ethereal package we start it to capture packets. The Ethereal’s Menu options are vast and covers almost all the aspects or options of packet capturing. The basic options of File, Edit, View, etc. have their usual functions. We will go in to the details of the menu afterwards. Let's start capturing packets, because then only you will grasp the real sense of using it. In the menu there is a Capture option. If we click on that button it asks for other options which are essential to both start and customize data capture.

Some of the options under capture tab are:

  • Interface: This menu item brings up a dialog box that shows what's going on at the network interfaces Ethereal knows of and we can select our desired interface and capture data on that particular interface.
  • Options: This the most important of all the dialog boxes. This menu item brings up the Capture Options dialog box and allows you to start capturing packets. It has all the main options that are required for any packet capturing. It allows you to capture data in promiscuous mode, assign some capture filter, specify capture file where captured packets are to be stored, specify name resolutions and lot lot more. The capture options window is self explanatory and guides you through the various options and gives information about them. The options window is shown below.


Start: It helps to start capturing data immediately with previous settings.

Capture Filters: This menu item brings up a dialog box that allows you to create and edit capture filters which helps you to be more specific with your data capturing.. You can name filters, and you can save them for future use.

After specifying all the options we can start capturing data. when the capturing is stopped then the detailed information is displayed in form of three panes. Which are as follows:

  1. The Packet List pane: The packet list pane displays all the packets in the current capture file. Each line in the packet list corresponds to one packet in the capture file. If you select a line in this pane, more details will be displayed in the "Packet Details" and "Packet Bytes" panes. This pane gives information regarding the time, destination and source address, protocol used and any other additional information.
  2. The packet details pane: The packet details pane shows the current packet (selected in the "Packet List" pane) in a more detailed form. This pane shows the protocols and protocol fields of the packet selected in the "Packet List" pane. The protocols and fields of the packet are displayed using a tree, which can be expanded and collapsed
  3. The packets bytes pane: The packet bytes pane shows the data of the current packet in the hexdump form. When we select some message in the packet list pane, corresponding information is displayed in the other two panes. All types of descriptions on the various topics related to any data capture are provided in these three panes. Let’s explain this by taking an example.

References: http://www.ethereal.com/docs/

Example 1 - Capture of yahoo messenger

[edit | edit source]

Below is just an explanation of the ethereal capture of the Yahoo messenger. It takes you through all the basic steps and explains each and every step as detailed as possible.Yahoo messenger use client/server technology for communication. The protocol it uses is yahoo messenger protocol. The yahoo protocol is a application layer protocol, which run over the HTTP and TCP.

Yahoo messenger protocol header

[edit | edit source]

The yahoo messenger protocol header is shown below. Each yahoo messenger messages start with the following data format.

4 bytes 4 bytes 2 bytes



YMSG Version Packet Length
service status session
Data
0 to 65535 bytes

HTTP and yahoo messenger protocol header sample

The server acts as a proxy between two clients. All communications between clients go through the server.

Client A < -------------- > server < --------------- > client B

The client and the server both use connection oriented method to establish connection between each other. They use TCP for the same. When the connection is established, they use HTTP protocol to send and receive data. The data portion in the HTTP protocol contain the Yahoo messenger messages. This is decoded by both the server and the client.

When I try to connect to yahoo using yahoo messenger , the following processes happen in the background.

  1. PC gets the yahoo.com IP address from the DNS server.
  2. Using the yahoo IP address PC establishes a TCP connection to the yahoo server.
  3. Then PC sends the yahoo login message through HTTP protocol.

A sample HTTP protocol and yahoo messenger protocol message captured through ethereal is shown below

0000  00 13 10 d4 d7 56 00 0e  9b 7a af 62 08 00 45 00   .....V.. .z.b..E.
0010  02 61 0f 15 40 00 80 06  8b 84 c0 a8 01 ca d8 9b   .a..@... ........
0020  c2 ef 05 6f 00 50 56 bf  09 3e 08 57 9f dd 50 18   ...o.PV. .>.W..P.
0030  ff f0 75 82 00 00 50 4f  53 54 20 2f 6e 6f 74 69   ..u...PO ST /noti
0040  66 79 2f 20 48 54 54 50  2f 31 2e 31 0d 0a 52 65   fy/ HTTP /1.1..Re
;
; other http packets
;
0220  6f 6e 74 72 6f 6c 3a 20  6e 6f 2d 63 61 63 68 65   ontrol:  no-cache
0230  0d 0a 0d 0a 59 4d 53 47  00 0e 00 00 00 25 00 57   ....YMSG .....%.W
0240  00 00 00 00 7a 40 00 00  31 c0 80 70 75 73 75 6b   ....z@.. 1..pusuk
0250  75 c0 80 30 c0 80 70 75  73 75 6b 75 c0 80 32 34   u..0..pu suku..24
0260  c0 80 36 33 35 39 37 39  35 38 32 c0 80 0d 0a      ..635979 582....

The yahoo messenger protocol is the data portion of the HTTP protocol. The yahoo messenger protocol starts with the header YMSG.

59 4D 53 47 YMSG, yahoo messenger protocol message starts
00 0e 00 00 Version, yahoo messenger version is 14
00 25 Length, packet length 37 bytes or 0x25 bytes
00 57 Yahoo Service, service in this case is YAHOO_SERVICE_AUTH
00 00 00 00 Yahoo Status , Status of the using trying to login in this case is YAHOO_STATUS_AVAILABLE
7a 40 00 00 Yahoo Session ID, Session id of the client and server. Followed by the data

Yahoo messenger protocol background process using ethereal The following explains a simple communication between the yahoo client and yahoo server . In this case client A send a message to client B, where client B is offline. Each process is explained with packet capture using ethereal.

Login process

[edit | edit source]
Client A log in to yahoo messenger.

1. When client A submits the login button of the yahoo messenger with his user id and password the following happens between the client ( Client A yahoo messenger) and yahoo server. Client A says I want to login as <username> here is the session id ‘7a 40 00 00’ and user name pusuku

0230   0d 0a 0d 0a 59 4d 53 47 00 0e 00 00 00 25 00 57  ....YMSG.....%.W
0240   00 00 00 00 7a 40 00 00 31 c0 80 70 75 73 75 6b  ....z@..1..pusuk	 		
0250   75 c0 80 30 c0 80 70 75 73 75 6b 75 c0 80 32 34  u..0..pusuku..24
0260   c0 80 36 33 35 39 37 39 35 38 32 c0 80 0d 0a     ..635979582....

7a 40 00 00 is the session id, Client sents a YAHOO_SERVICE_AUTH (00 57) with status YAHOO_STATUS_AVAILABLE(00 00 00 00)

2. Server responds , Okay , Here is a challenge string , Using this to hash your id and password and send it to me

0170   00 00 59 4d 53 47 00 00 00 00 00 59 00 57 00 00  ..YMSG.....Y.W..
0180   00 01 7a 40 00 00 31 c0 80 70 75 73 75 6b 75 c0  ..z@..1..pusuku.	       	
0190   80 39 34 c0 80 64 7c 67 2d 75 5e 77 2f 79 2d 72  .94..d|g-u^w/y-r
01a0   2b 38 2b 70 2a 6b 2a 7a 2f 61 2d 35 2b 33 2a 62  +8+p*k*z/a-5+3*b
01b0   26 68 25 32 2a 75 2f 6e 2f 28 77 2d 70 2d 75 25  &h%2*u/n/(w-p-u%
01c0   71 2a 76 7c 7a 2a 6e 25 66 2f 67 2a 6e 7c 74 25  q*v|z*n%f/g*n|t%
01d0   79 26 6d 26 6d 29 c0 80 31 33 c0 80 32 c0 80     y&m&m)..13..2..

Server responds with YAHOO_SERVICE_AUTH (00 57) and status YaHOO_STATUS_BRB and the challenge string in the data portion of the yahoo messenger protocol

3. Client says, here is the user id and password hashed with the challenge string

01f0   6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a 59  l: no-cache....Y
0200   4d 53 47 00 0e 00 00 03 2f 00 54 00 00 00 0c 7a  MSG...../.T....z		
;
; other hashed messages
;
0540   c0 80 0d 0a                                      ....

Client sends a YAHOO_SERVICE_AUTHRESP (00 54) with user and password hashed with the challenge string , The hashed challenge string is sent as data portion

4. Server verifies the user id and password and responds , okay your authenticated , here is your buddy list

0170   00 00 59 4d 53 47 00 00 00 00 03 c7 00 55 00 00  ..YMSG.......U..
0180   00 05 7a 40 00 00 38 37 c0 80 43 68 61 74 20 46  ..z@..87..Chat F		
0190   72 69 65 6e 64 73 3a 63 6c 75 6d 73 79 64 72 65  riends:clumsydre
01a0   61 6d 73 2c 64 75 72 67 61 6b 73 2c 6b 69 72 75  ams,durgaks,kiru
;
; other buddy list and their status 
;
0510   31 38 35 c0 80 63 6c 75 6d 73 79 64 72 65 61 6d  185..clumsydream
0520   73 2c                                            s, 						

Server on authentication responds with the buddy list YAHOO_SERVICE_LIST (00 55) With this Client A is ready is ready to send the message to Client B , Tough client A knows , Client B is offline client A sends a offline message .

Send process

[edit | edit source]

As Client A select Client B window and start typing, 1. The Client says , I am typing message for my buddy

0230   0d 0a 0d 0a 59 4d 53 47 00 0e 00 00 00 4a 00 4b  ....YMSG.....J.K
0240   00 00 00 16 7a 40 00 00 34 39 c0 80 54 59 50 49  ....z@..49..TYPI	 	
0250   4e 47 c0 80 31 c0 80 70 75 73 75 6b 75 c0 80 31  NG..1..pusuku..1	 
0260   34 c0 80 20 c0 80 31 33 c0 80 31 c0 80 35 c0 80  4.. ..13..1..5..
0270   64 73 75 73 61 69 c0 80 30 c0 80 70 75 73 75 6b  dnunai..0..pusuk
0280   75 c0 80 32 34 c0 80 32 31 33 31 30 33 33 39 33  u..24..213103393
0290   c0 80 0d 0a                                      ....					

client sends YAHOO_SERVICE_NOTIFY(00 4b) message saying pusuku is sending message to dnunai with the status YAHOO_SERVICE_TYPING (0x16)

2. When the user presses the send button . The client sends the message to the server client send this message <msg> to my buddy <buddyname> server

0230   65 0d 0a 0d 0a 59 4d 53 47 00 0e 00 00 00 5c 00  e....YMSG.....\.
0240   06 5a 55 aa 56 7a 40 00 00 31 c0 80 70 75 73 75  .ZU.Vz@..1..pusu
0250   6b 75 c0 80 35 c0 80 64 73 75 73 61 69 c0 80 31  ku..5..dnunai..1
0260   34 c0 80 68 69 20 64 65 6c 6c 61 c0 80 39 37 c0  4..hi kella..97.
0270   80 31 c0 80 36 33 c0 80 3b 30 c0 80 36 34 c0 80  .1..63..;0..64..
0280   30 c0 80 32 30 36 c0 80 32 c0 80 30 c0 80 70 75  0..206..2..0..pu
0290   73 75 6b 75 c0 80 32 34 c0 80 32 31 33 31 30 33  suku..24..213103
02a0   33 39 33 c0 80 0d 0a                             393....

client sends YAHOO_SERVICE_MESSAGE(00 06) message to the server The server processes the message , The message is from pusuku to dnunai(who’s status is offline, 5a 55 aa 56) Note the message sent ‘ hi kella’ Since Client B is offline , the server stores the message and sends it to client B , when client B log in. Now, client A has sent the message, time to logout.

Logout process

[edit | edit source]

1. Client A says , I am done , I am logging out .

0230   0d 0a 0d 0a 59 4d 53 47 00 0e 00 00 00 1a 00 02  ....YMSG........
0240   00 00 00 00 7a 40 00 00 30 c0 80 50 55 53 55 4b  ....z@..0..PUSUK
0250   55 c0 80 32 34 c0 80 32 31 33 31 30 33 33 39 33  U..24..213103393
0260   c0 80 0d 0a                                      ....						

client sends YAHOO_SERVICE_LOGOFF(00 02) message to server

2. Server responds , okay .

0170   00 00 59 4d 53 47 00 00 00 00 00 00 00 02 00 00  ..YMSG..........
0180   00 00 7a 40 00 00                                ..z@..

Server responds with empty message with service YAHOO_SERVICE_LOGOFF

Understanding Tracert with Ethereal

[edit | edit source]

Tracert is a windows based tool for tracing the path of the packets taken from your pc to the destination router. This assignment traces the path from my pc to www.yahoo.com using Tracert

C:\DOCUME~1\skva>tracert www.yahoo.com

Tracing route to www.yahoo-ht2.akadns.net [209.131.36.158]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  c-24-6-102-212.hsd1.ca.comcast.net [24.6.102.212]
  2     *        *        *     Request timed out.
  3    11 ms     *        *     GE-2-1-ur01.santaclara.ca.sfba.comcast.net [68.87.198.105]
  4    11 ms    11 ms     *     10g-9-3-ur02.santaclara.ca.sfba.comcast.net [68.87.192.26]
  5    14 ms     *       12 ms  10g-9-4-ar01.oakland.ca.sfba.comcast.net [68.87.192.34]
  6     *        *        *     Request timed out.
  7    13 ms    14 ms    12 ms  12.118.38.5
  8    13 ms    14 ms    17 ms  tbr1-p010802.sffca.ip.att.net [12.123.12.66]
  9    14 ms    14 ms    11 ms  ggr2-p310.sffca.ip.att.net [12.123.12.18]
 10    15 ms    15 ms    14 ms  att-gw.sea.level3.net [192.205.32.206]
 11    16 ms    14 ms    14 ms  4.71.112.14
 12    15 ms    16 ms    17 ms  g-1-0-0-p171.msr2.sp1.yahoo.com [216.115.107.87]
 13    16 ms    16 ms    16 ms  te-8-1.bas-a1.sp1.yahoo.com [209.131.32.17]
 14    19 ms    17 ms    17 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]

Trace complete.

The above output from tracert shows the number of routes it took, name of the routers on the way and time taken to reach each router. It took 14 hops to reach the yahoo server from my pc. The asterisk indicate the failed attempt for next route.

When I executed the command ‘tracert www.yahoo.com’ the following happens in the back ground. The packets were captured using ethereal.

Step 1: The PC sends a DNS request to the DNS server to resolve the ip address of yahoo.com.

192.168.1.101 to 68.87.76.178 DNS standard query A www.yahoo.com
68.87.76.178 to 192.168.1.101 DNS standard query response CNAME 
                              www.yahoo-ht2.akadns.net Address 209.131.36.158

Step 2: After getting yahoo.com ip address , tracert sends icmp echo request message with TTL set to 1, Each echo request is received by the router at the first hop , which responds with ‘time to live exceeded live‘ message. Each hop packets are analyzed below .

Hop 1

[edit | edit source]
1     1 ms     1 ms     1 ms  c-24-6-102-212.hsd1.ca.comcast.net [24.6.102.212]
Echo request packets were sent with TTL set to 1

0000   00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00  .....V...z.b..E.
0010   00 5c a8 f9 00 00 01 01 58 79 c0 a8 01 65 d1 83  .\......Xy...e..
0020   24 9e 08 00 f4 ff 02 00 01 00 00 00 00 00 00 00  $...............
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0060   00 00 00 00 00 00 00 00 00 00                    ..........
45 = IP version 4
01 = TTL (time to live )
01 = ICMP protocol
c0 a8 01 65 = Source ip address = > 192.168.1.101
d1 83 24 9e = Destination ip address = > 209.131.36.158
08 = Type 8 ICMP (Echo (ping) request)
00 = Code , net unreachable
0000   00 0e 9b 7a af 62 00 13 10 d4 d7 56 08 00 45 4f  ...z.b.....V..EO
0010   00 38 0a 93 00 00 40 01 2e fc 18 06 66 d4 c0 a8  .8....@.....f...
0020   01 65 0b 00 f4 ff 00 00 00 00 45 00 00 5c a8 f9  .e........E..\..
0030   00 00 01 01 58 79 c0 a8 01 65 d1 83 24 9e 08 00  ....Xy...e..$...
0040   f4 ff 02 00 01 00                                ......
45 = IP version 4
40 = TTL (time to live ) => 64
01 = ICMP protocol
18 06 66 d4 = Source ip address = > 24.6.102.212
C0 a8 01 65 = Destination ip address = > 192.168.1.101
0b = Type ICMP => 11 (time to live exceeded
00 = Code , net unreachable (time to live exceeded in transit)
0000   00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00  .....V...z.b..E.
0010   00 5c a8 fa 00 00 01 01 58 78 c0 a8 01 65 d1 83  .\......Xx...e..
0020   24 9e 08 00 f3 ff 02 00 02 00 00 00 00 00 00 00  $...............
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0060   00 00 00 00 00 00 00 00 00 00                    ..........
45 = IP version 4
01 = TTL (time to live )
01 = ICMP protocol
c0 a8 01 65 = Source ip address = > 192.168.1.101
d1 83 24 9e = Destination ip address = > 209.131.36.158
08 = Type 8 ICMP (Echo (ping) request)
00 = Code , net unreachable
0000   00 0e 9b 7a af 62 00 13 10 d4 d7 56 08 00 45 4f  ...z.b.....V..EO
0010   00 38 0a 94 00 00 40 01 2e fb 18 06 66 d4 c0 a8  .8....@.....f...
0020   01 65 0b 00 f2 ff 00 00 00 00 45 00 00 5c a8 fa  .e........E..\..
0030   00 00 01 01 58 78 c0 a8 01 65 d1 83 24 9e 08 00  ....Xx...e..$...
0040   f3 ff 02 00 02 00                                ......
45 = IP version 4
40 = TTL (time to live ) => 64
01 = ICMP protocol
18 06 66 d4 = Source ip address = > 24.6.102.212
C0 a8 01 65 = Destination ip address = > 192.168.1.101
0b = Type ICMP (Echo (ping) request) => 11 (time to live exceeded
00 = Code , net unreachable (time to live exceeded in transit)
0000   00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00  .....V...z.b..E.
0010   00 5c a8 fa 00 00 01 01 58 78 c0 a8 01 65 d1 83  .\......Xx...e..
0020   24 9e 08 00 f3 ff 02 00 02 00 00 00 00 00 00 00  $...............
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0060   00 00 00 00 00 00 00 00 00 00                    ..........
45 = IP version 4
01 = TTL (time to live )
01 = ICMP protocol
c0 a8 01 65 = Source ip address = > 192.168.1.101
d1 83 24 9e = Destination ip address = > 209.131.36.158
08 = Type 8 ICMP (Echo (ping) request)
00 = Code , net unreachable
0000   00 0e 9b 7a af 62 00 13 10 d4 d7 56 08 00 45 4f  ...z.b.....V..EO
0010   00 38 0a 94 00 00 40 01 2e fb 18 06 66 d4 c0 a8  .8....@.....f...
0020   01 65 0b 00 f4 ff 00 00 00 00 45 00 00 5c a8 fa  .e........E..\..
0030   00 00 01 01 58 78 c0 a8 01 65 d1 83 24 9e 08 00  ....Xx...e..$...
0040   f3 ff 02 00 02 00                                ......
45 = IP version 4
40 = TTL (time to live ) => 64
01 = ICMP protocol
18 06 66 d4 = Source ip address = > 24.6.102.212
C0 a8 01 65 = Destination ip address = > 192.168.1.101
0b = Type ICMP (Echo (ping) request) => 11 (time to live exceeded
00 = Code , net unreachable (time to live exceeded in transit)

Hop 2

[edit | edit source]
2     *        *        *     Request timed out.
Echo request packets were sent with TTL set to 2 

0000   00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00  .....V...z.b..E.
0010   00 5c a9 01 00 00 02 01 57 71 c0 a8 01 65 d1 83  .\......Wq...e..
0020   24 9e 08 00 f1 ff 02 00 04 00 00 00 00 00 00 00  $...............
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0060   00 00 00 00 00 00 00 00 00 00                    ..........
45 = IP version 4
02 = TTL (time to live ) => 2
01 = ICMP protocol
c0 a8 01 65 = Source ip address = > 192.168.1.101
d1 83 24 9e = Destination ip address = > 209.131.36.158
08 = Type 8 ICMP (Echo (ping) request)
00 = Code , net unreachable
0000   00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00  .....V...z.b..E.
0010   00 5c a9 01 00 00 02 01 57 71 c0 a8 01 65 d1 83  .\......Wq...e..
0020   24 9e 08 00 f1 ff 02 00 04 00 00 00 00 00 00 00  $...............
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0060   00 00 00 00 00 00 00 00 00 00                    ..........
45 = IP version 4
02 = TTL (time to live ) => 2
01 = ICMP protocol
c0 a8 01 65 = Source ip address = > 192.168.1.101
d1 83 24 9e = Destination ip address = > 209.131.36.158
08 = Type 8 ICMP (Echo (ping) request)
00 = Code , net unreachable
0000   00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00  .....V...z.b..E.
0010   00 5c a9 01 00 00 02 01 57 71 c0 a8 01 65 d1 83  .\......Wq...e..
0020   24 9e 08 00 f1 ff 02 00 04 00 00 00 00 00 00 00  $...............
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0060   00 00 00 00 00 00 00 00 00 00                    ..........
45 = IP version 4
02 = TTL (time to live ) => 2
01 = ICMP protocol
c0 a8 01 65 = Source ip address = > 192.168.1.101
d1 83 24 9e = Destination ip address = > 209.131.36.158
08 = Type 8 ICMP (Echo (ping) request)
00 = Code , net unreachable

Hop 3

[edit | edit source]
3    11 ms     *        *     GE-2-1-ur01.santaclara.ca.sfba.comcast.net [68.87.198.105]
Echo request packets were sent with TTL set to 3

0000   00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00  .....V...z.b..E.
0010   00 5c a9 41 00 00 03 01 56 31 c0 a8 01 65 d1 83  .\.A....V1...e..
0020   24 9e 08 00 ee ff 02 00 07 00 00 00 00 00 00 00  $...............
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0060   00 00 00 00 00 00 00 00 00 00                    ..........
45 = IP version 4
03 = TTL (time to live ) => 3
01 = ICMP protocol
c0 a8 01 65 = Source ip address = > 192.168.1.101
d1 83 24 9e = Destination ip address = > 209.131.36.158
08 = Type 8 ICMP (Echo (ping) request)
00 = Code , net unreachable
0000   00 0e 9b 7a af 62 00 13 10 d4 d7 56 08 00 45 c0  ...z.b.....V..E.
0010   00 38 23 76 00 00 fd 01 cc c0 44 57 c6 69 c0 a8  .8#v......DW.i..
0020   01 65 0b 00 f4 ff 00 00 00 00 45 20 00 5c a9 41  .e........E .\.A
0030   00 00 01 01 58 11 c0 a8 01 65 d1 83 24 9e 08 00  ....X....e..$...
0040   ee ff 02 00 07 00                                ......
45 = IP version 4
fd = TTL (time to live ) => 253
01 = ICMP protocol
44 57 c6 69 = Source ip address = > 68.87.198.105
a8 01 65 = Destination ip address = > 192.168.1.101
0b = Type ICMP (Echo (ping) request) => 11 (time to live exceeded
00 = Code , net unreachable (time to live exceeded in transit)
0000   00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00  .....V...z.b..E.
0010   00 5c a9 42 00 00 03 01 56 30 c0 a8 01 65 d1 83  .\.B....V0...e..
0020   24 9e 08 00 ed ff 02 00 08 00 00 00 00 00 00 00  $...............
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0060   00 00 00 00 00 00 00 00 00 00                    ..........
45 = IP version 4
03 = TTL (time to live ) => 3
01 = ICMP protocol
c0 a8 01 65 = Source ip address = > 192.168.1.101
d1 83 24 9e = Destination ip address = > 209.131.36.158
08 = Type 8 ICMP (Echo (ping) request)
00 = Code, net unreachable
0000   00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00  .....V...z.b..E.
0010   00 5c a9 59 00 00 03 01 56 19 c0 a8 01 65 d1 83  .\.Y....V....e..
0020   24 9e 08 00 ec ff 02 00 09 00 00 00 00 00 00 00  $...............
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0060   00 00 00 00 00 00 00 00 00 00                    ..........
45 = IP version 4
03 = TTL (time to live ) => 3
01 = ICMP protocol
c0 a8 01 65 = Source ip address = > 192.168.1.101
d1 83 24 9e = Destination ip address = > 209.131.36.158
08 = Type 8 ICMP (Echo (ping) request)
00 = Code, net unreachable

Hop 4

[edit | edit source]
4    11 ms    11 ms     *     10g-9-3-ur02.santaclara.ca.sfba.comcast.net [68.87.192.26]
Echo request packets were sent with TTL set to 4

0000   00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00  .....V...z.b..E.
0010   00 5c a9 6c 00 00 04 01 55 06 c0 a8 01 65 d1 83  .\.l....U....e..
0020   24 9e 08 00 eb ff 02 00 0a 00 00 00 00 00 00 00  $...............
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0060   00 00 00 00 00 00 00 00 00 00                    ..........
45 = IP version 4
04 = TTL (time to live ) => 4
01 = ICMP protocol
c0 a8 01 65 = Source ip address = > 192.168.1.101
d1 83 24 9e = Destination ip address = > 209.131.36.158
08 = Type 8 ICMP (Echo (ping) request)
00 = Code, net unreachable
0000   00 0e 9b 7a af 62 00 13 10 d4 d7 56 08 00 45 c0  ...z.b.....V..E.
0010   00 38 6e 22 00 00 fd 01 88 63 44 57 c0 1a c0 a8  .8n".....cDW....
0020   01 65 0b 00 f4 ff 00 00 00 00 45 20 00 5c a9 6c  .e........E .\.l
0030   00 00 01 01 57 e6 c0 a8 01 65 d1 83 24 9e 08 00  ....W....e..$...
0040   eb ff 02 00 0a 00                                ......
45 = IP version 4
fd = TTL (time to live ) => 253
01 = ICMP protocol
44 57 c0 1a = Source ip address = > 68.87.192.26
c0 a8 01 65 = Destination ip address = > 192.168.1.101
0b = Type ICMP (Echo (ping) request) => 11 (time to live exceeded
00 = Code , net unreachable (time to live exceeded in transit)
0000   00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00  .....V...z.b..E.
0010   00 5c a9 6d 00 00 04 01 55 05 c0 a8 01 65 d1 83  .\.m....U....e..
0020   24 9e 08 00 ea ff 02 00 0b 00 00 00 00 00 00 00  $...............
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0060   00 00 00 00 00 00 00 00 00 00                    ..........
45 = IP version 4
04 = TTL (time to live ) => 4
01 = ICMP protocol
c0 a8 01 65 = Source ip address = > 192.168.1.101
d1 83 24 9e = Destination ip address = > 209.131.36.158
08 = Type 8 ICMP (Echo (ping) request)
00 = Code, net unreachable
0000   00 0e 9b 7a af 62 00 13 10 d4 d7 56 08 00 45 c0  ...z.b.....V..E.
0010   00 38 6e 23 00 00 fd 01 88 62 44 57 c0 1a c0 a8  .8n#.....bDW....
0020   01 65 0b 00 f4 ff 00 00 00 00 45 20 00 5c a9 6d  .e........E .\.m
0030   00 00 01 01 57 e5 c0 a8 01 65 d1 83 24 9e 08 00  ....W....e..$...
0040   ea ff 02 00 0b 00                                ......
45 = IP version 4
fd = TTL (time to live ) => 253
01 = ICMP protocol
44 57 c0 1a = Source ip address = > 68.87.192.26
c0 a8 01 65 = Destination ip address = > 192.168.1.101
0b = Type ICMP (Echo (ping) request) => 11 (time to live exceeded
00 = Code , net unreachable (time to live exceeded in transit)
0000   00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00  .....V...z.b..E.
0010   00 5c a9 6e 00 00 04 01 55 04 c0 a8 01 65 d1 83  .\.n....U....e..
0020   24 9e 08 00 e9 ff 02 00 0c 00 00 00 00 00 00 00  $...............
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0060   00 00 00 00 00 00 00 00 00 00                    ..........
45 = IP version 4
04 = TTL (time to live ) => 4
01 = ICMP protocol
c0 a8 01 65 = Source ip address = > 192.168.1.101
d1 83 24 9e = Destination ip address = > 209.131.36.158
08 = Type 8 ICMP (Echo (ping) request)
00 = Code, net unreachable

Hop 5

[edit | edit source]
5    14 ms     *       12 ms  10g-9-4-ar01.oakland.ca.sfba.comcast.net [68.87.192.34]
Echo request packets were sent with TTL set to 5

0000   00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00  .....V...z.b..E.
0010   00 5c a9 89 00 00 05 01 53 e9 c0 a8 01 65 d1 83  .\......S....e..
0020   24 9e 08 00 e8 ff 02 00 0d 00 00 00 00 00 00 00  $...............
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0060   00 00 00 00 00 00 00 00 00 00                    ..........
45 = IP version 4
05 = TTL (time to live ) => 5
01 = ICMP protocol
c0 a8 01 65 = Source ip address = > 192.168.1.101
d1 83 24 9e = Destination ip address = > 209.131.36.158
08 = Type 8 ICMP (Echo (ping) request)
00 = Code, net unreachable
0000   00 0e 9b 7a af 62 00 13 10 d4 d7 56 08 00 45 c0  ...z.b.....V..E.
0010   00 38 fa 4e 00 00 fc 01 fd 2e 44 57 c0 22 c0 a8  .8.N......DW."..
0020   01 65 0b 00 f4 ff 00 00 00 00 45 20 00 5c a9 89  .e........E .\..
0030   00 00 01 01 57 c9 c0 a8 01 65 d1 83 24 9e 08 00  ....W....e..$...
0040   e8 ff 02 00 0d 00                                ......
45 = IP version 4
fd = TTL (time to live ) => 252
01 = ICMP protocol
44 57 c0 22 = Source ip address = > 68.87.192.34
c0 a8 01 65 = Destination ip address = > 192.168.1.101
0b = Type ICMP (Echo (ping) request) => 11 (time to live exceeded
00 = Code , net unreachable (time to live exceeded in transit)
0000   00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00  .....V...z.b..E.
0010   00 5c a9 8a 00 00 05 01 53 e8 c0 a8 01 65 d1 83  .\......S....e..
0020   24 9e 08 00 e7 ff 02 00 0e 00 00 00 00 00 00 00  $...............
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0060   00 00 00 00 00 00 00 00 00 00                    ..........
45 = IP version 4
05 = TTL (time to live ) => 5
01 = ICMP protocol
c0 a8 01 65 = Source ip address = > 192.168.1.101
d1 83 24 9e = Destination ip address = > 209.131.36.158
08 = Type 8 ICMP (Echo (ping) request)
00 = Code, net unreachable
0000   00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00  .....V...z.b..E.
0010   00 5c a9 9f 00 00 05 01 53 d3 c0 a8 01 65 d1 83  .\......S....e..
0020   24 9e 08 00 e6 ff 02 00 0f 00 00 00 00 00 00 00  $...............
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0060   00 00 00 00 00 00 00 00 00 00                    ..........
45 = IP version 4
05 = TTL (time to live ) => 5
01 = ICMP protocol
c0 a8 01 65 = Source ip address = > 192.168.1.101
d1 83 24 9e = Destination ip address = > 209.131.36.158
08 = Type 8 ICMP (Echo (ping) request)
00 = Code, net unreachable
0000   00 0e 9b 7a af 62 00 13 10 d4 d7 56 08 00 45 c0  ...z.b.....V..E.
0010   00 38 fc 75 00 00 fc 01 fb 07 44 57 c0 22 c0 a8  .8.u......DW."..
0020   01 65 0b 00 f4 ff 00 00 00 00 45 20 00 5c a9 9f  .e........E .\..
0030   00 00 01 01 57 b3 c0 a8 01 65 d1 83 24 9e 08 00  ....W....e..$...
0040   e6 ff 02 00 0f 00                                ......
45 = IP version 4
fd = TTL (time to live ) => 252
01 = ICMP protocol
44 57 c0 22 = Source ip address = > 68.87.192.34
c0 a8 01 65 = Destination ip address = > 192.168.1.101
0b = Type ICMP (Echo (ping) request) => 11 (time to live exceeded
00 = Code , net unreachable (time to live exceeded in transit)

Hop 6

[edit | edit source]
6     *        *        *     Request timed out.
Echo request packets were sent with TTL set to 6

0000   00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00  .....V...z.b..E.
0010   00 5c a9 a5 00 00 06 01 52 cd c0 a8 01 65 d1 83  .\......R....e..
0020   24 9e 08 00 e5 ff 02 00 10 00 00 00 00 00 00 00  $...............
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0060   00 00 00 00 00 00 00 00 00 00                    ..........
45 = IP version 4
06 = TTL (time to live ) => 6
01 = ICMP protocol
c0 a8 01 65 = Source ip address = > 192.168.1.101
d1 83 24 9e = Destination ip address = > 209.131.36.158
08 = Type 8 ICMP (Echo (ping) request)
00 = Code, net unreachable
0000   00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00  .....V...z.b..E.
0010   00 5c a9 a5 00 00 06 01 52 cd c0 a8 01 65 d1 83  .\......R....e..
0020   24 9e 08 00 e4 ff 02 00 10 00 00 00 00 00 00 00  $...............
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0060   00 00 00 00 00 00 00 00 00 00                    ..........
45 = IP version 4
06 = TTL (time to live ) => 6
01 = ICMP protocol
c0 a8 01 65 = Source ip address = > 192.168.1.101
d1 83 24 9e = Destination ip address = > 209.131.36.158
08 = Type 8 ICMP (Echo (ping) request)
00 = Code, net unreachable
0000   00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00  .....V...z.b..E.
0010   00 5c a9 a5 00 00 06 01 52 cd c0 a8 01 65 d1 83  .\......R....e..
0020   24 9e 08 00 e5 ff 02 00 10 00 00 00 00 00 00 00  $...............
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0060   00 00 00 00 00 00 00 00 00 00                    ..........
45 = IP version 4
06 = TTL (time to live ) => 6
01 = ICMP protocol
c0 a8 01 65 = Source ip address = > 192.168.1.101
d1 83 24 9e = Destination ip address = > 209.131.36.158
08 = Type 8 ICMP (Echo (ping) request)
00 = Code, net unreachable

Hop 7

[edit | edit source]
7    13 ms    14 ms    12 ms  12.118.38.5
Echo request packets were sent with TTL set to 7

0000   00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00  .....V...z.b..E.
0010   00 5c a9 dc 00 00 07 01 51 96 c0 a8 01 65 d1 83  .\......Q....e..
0020   24 9e 08 00 e2 ff 02 00 13 00 00 00 00 00 00 00  $...............
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0060   00 00 00 00 00 00 00 00 00 00                    ..........
45 = IP version 4
07 = TTL (time to live ) => 7
01 = ICMP protocol
c0 a8 01 65 = Source ip address = > 192.168.1.101
d1 83 24 9e = Destination ip address = > 209.131.36.158
08 = Type 8 ICMP (Echo (ping) request)
00 = Code, net unreachable
0000   00 0e 9b 7a af 62 00 13 10 d4 d7 56 08 00 45 00  ...z.b.....V..E.
0010   00 38 00 00 00 00 f8 01 ce 3c 0c 76 26 05 c0 a8  .8.......<.v&...
0020   01 65 0b 00 f4 ff 00 00 00 00 45 20 00 5c a9 dc  .e........E .\..
0030   00 00 01 01 57 76 c0 a8 01 65 d1 83 24 9e 08 00  ....Wv...e..$...
0040   e2 ff 02 00 13 00                                ......
45 = IP version 4
F8 = TTL (time to live ) => 248
01 = ICMP protocol
44 57 c0 22 = Source ip address = > 12.118.38.5
c0 a8 01 65 = Destination ip address = > 192.168.1.101
0b = Type ICMP (Echo (ping) request) => 11 (time to live exceeded
00 = Code , net unreachable (time to live exceeded in transit)

Hop 8 to Hop 13

[edit | edit source]
Echo request packets were sent with TTL set to 8 to 13 respectively

  8    13 ms    14 ms    17 ms  tbr1-p010802.sffca.ip.att.net [12.123.12.66]
  9    14 ms    14 ms    11 ms  ggr2-p310.sffca.ip.att.net [12.123.12.18]
 10    15 ms    15 ms    14 ms  att-gw.sea.level3.net [192.205.32.206]
 11    16 ms    14 ms    14 ms  4.71.112.14
 12    15 ms    16 ms    17 ms  g-1-0-0-p171.msr2.sp1.yahoo.com [216.115.107.87]
 13    16 ms    16 ms    16 ms  te-8-1.bas-a1.sp1.yahoo.com [209.131.32.17]

Hop 14

[edit | edit source]
14    19 ms    17 ms    17 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]
Echo request packets were sent with TTL set to 2

0000   00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00  .....V...z.b..E.
0010   00 5c aa 22 00 00 0e 01 4a 50 c0 a8 01 65 d1 83  .\."....JP...e..
0020   24 9e 08 00 cd ff 02 00 28 00 00 00 00 00 00 00  $.......(.......
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0060   00 00 00 00 00 00 00 00 00 00                    ..........
45 = IP version 4
0e = TTL (time to live ) => 14
01 = ICMP protocol
c0 a8 01 65 = Source ip address = > 192.168.1.101
d1 83 24 9e = Destination ip address = > 209.131.36.158
08 = Type 8 ICMP (Echo (ping) request)
00 = Code, net unreachable
0000   00 0e 9b 7a af 62 00 13 10 d4 d7 56 08 00 45 00  ...z.b.....V..E.
0010   00 5c 92 b2 00 00 33 01 3c c0 d1 83 24 9e c0 a8  .\....3.<...$...
0020   01 65 00 00 d5 ff 02 00 28 00 00 00 00 00 00 00  .e......(.......
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0060   00 00 00 00 00 00 00 00 00 00                    ..........
45 = IP version 4
33 = TTL (time to live ) => 51
01 = ICMP protocol
D1 83 24 9e = Source ip address = > 209.131.36.158
c0 a8 01 65 = Destination ip address = > 192.168.1.101
00 = Type ICMP (Echo (ping) reply => 0
00 = Code

The above reply indicates the destination, www.yahoo.com . Thus tracert tool can be used to troubleshooting the network and finding the path of the network .

Conclusion

[edit | edit source]

Ethereal is a powerful tool to capture and analyze many networking protocols. It does not detect or solve any network problem by itself but it can always be used to do so. It gives all the relevant details for any communication so it is used in research work and other relevant fields.


Questions and Answers

[edit | edit source]

Q1. What is the value for ICMP protocol message

a. 0x10

b. 10

c. 0x01

d. 1


Ans: a, 0x10

Q2. How does yahoo messenger protocol header start ? a. YHOO

b. YMSG

c. YCHT

d. No such yahoo messenger protocol


Ans: b, YMSG


Q3. Study the following figure Ethereal capture shown below:


1. What is the selected message(no: 18) all about?

Answer: the sync message is the first message sent from the client to the server as the first message in of the three way handshake protocol in order to establish the connection with the server. The sync message establishes the connection and synchronizes the client and the server. The server then sends the acknowledgement signal.

2. What is the four tuple of this communication? Answer: Four tuple of any exercise is source IP, source port no: and destination IP, destination port no:. for this communication the four tuple would be:

  • 192.168.1.76, 1942
  • 203.84.221.151, 80