Communication Networks/Ethereal
Ethereal
[edit | edit source]Ethereal is a network packet analyzer or a “packet sniffer” as it is called. It was started by Gerald combs in 1997 to track down network problems. Since then Ethereal has been used as the main tool to track and manage network problems and also for R & D purposes.. Ethereal captures network packets from the network during a live network data transmission and gives a detailed summary or description about the packets such as its source and destination, protocols used, packet parameters, network standard, checksum, ports information and much more.
Ethereal is widely used in the networking field as it has many features. some of them are as follows.
- Runs on many platforms such as Windows and Unix.
- Captures live data packets and gives detailed information.
- Saves all the information to be reviewed later.
- Filters packet search on many criteria.
- Supports around 780 protocols.
- Gives detailed summary and statistics after capturing.
- Moreover it is an open software.
And many more.
Ethereal does not detect or troubleshoot the network problems, but it is very important for network management and security as it keeps track of all the packets sent to and fro from your network interface.
Getting started
[edit | edit source]- Getting ethereal
Ethereal is a freeware. Simply download the Ethereal installer from: http://www.ethereal.com/download.html#releases and execute it.
After installing the ethereal package we start it to capture packets. The Ethereal’s Menu options are vast and covers almost all the aspects or options of packet capturing. The basic options of File, Edit, View, etc. have their usual functions. We will go in to the details of the menu afterwards. Let's start capturing packets, because then only you will grasp the real sense of using it. In the menu there is a Capture option. If we click on that button it asks for other options which are essential to both start and customize data capture.
Some of the options under capture tab are:
- Interface: This menu item brings up a dialog box that shows what's going on at the network interfaces Ethereal knows of and we can select our desired interface and capture data on that particular interface.
- Options: This the most important of all the dialog boxes. This menu item brings up the Capture Options dialog box and allows you to start capturing packets. It has all the main options that are required for any packet capturing. It allows you to capture data in promiscuous mode, assign some capture filter, specify capture file where captured packets are to be stored, specify name resolutions and lot lot more. The capture options window is self explanatory and guides you through the various options and gives information about them. The options window is shown below.
Start: It helps to start capturing data immediately with previous settings.
Capture Filters: This menu item brings up a dialog box that allows you to create and edit capture filters which helps you to be more specific with your data capturing.. You can name filters, and you can save them for future use.
After specifying all the options we can start capturing data. when the capturing is stopped then the detailed information is displayed in form of three panes. Which are as follows:
- The Packet List pane: The packet list pane displays all the packets in the current capture file. Each line in the packet list corresponds to one packet in the capture file. If you select a line in this pane, more details will be displayed in the "Packet Details" and "Packet Bytes" panes. This pane gives information regarding the time, destination and source address, protocol used and any other additional information.
- The packet details pane: The packet details pane shows the current packet (selected in the "Packet List" pane) in a more detailed form. This pane shows the protocols and protocol fields of the packet selected in the "Packet List" pane. The protocols and fields of the packet are displayed using a tree, which can be expanded and collapsed
- The packets bytes pane: The packet bytes pane shows the data of the current packet in the hexdump form. When we select some message in the packet list pane, corresponding information is displayed in the other two panes. All types of descriptions on the various topics related to any data capture are provided in these three panes. Let’s explain this by taking an example.
References: http://www.ethereal.com/docs/
Example 1 - Capture of yahoo messenger
[edit | edit source]Below is just an explanation of the ethereal capture of the Yahoo messenger. It takes you through all the basic steps and explains each and every step as detailed as possible.Yahoo messenger use client/server technology for communication. The protocol it uses is yahoo messenger protocol. The yahoo protocol is a application layer protocol, which run over the HTTP and TCP.
Yahoo messenger protocol header
[edit | edit source]The yahoo messenger protocol header is shown below. Each yahoo messenger messages start with the following data format.
4 bytes | 4 bytes | 2 bytes | ||
YMSG | Version | Packet Length | ||
service | status | session | ||
Data 0 to 65535 bytes |
HTTP and yahoo messenger protocol header sample
The server acts as a proxy between two clients. All communications between clients go through the server.
Client A < -------------- > server < --------------- > client B
The client and the server both use connection oriented method to establish connection between each other. They use TCP for the same. When the connection is established, they use HTTP protocol to send and receive data. The data portion in the HTTP protocol contain the Yahoo messenger messages. This is decoded by both the server and the client.
When I try to connect to yahoo using yahoo messenger , the following processes happen in the background.
- PC gets the yahoo.com IP address from the DNS server.
- Using the yahoo IP address PC establishes a TCP connection to the yahoo server.
- Then PC sends the yahoo login message through HTTP protocol.
A sample HTTP protocol and yahoo messenger protocol message captured through ethereal is shown below
0000 00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00 .....V.. .z.b..E. 0010 02 61 0f 15 40 00 80 06 8b 84 c0 a8 01 ca d8 9b .a..@... ........ 0020 c2 ef 05 6f 00 50 56 bf 09 3e 08 57 9f dd 50 18 ...o.PV. .>.W..P. 0030 ff f0 75 82 00 00 50 4f 53 54 20 2f 6e 6f 74 69 ..u...PO ST /noti 0040 66 79 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 52 65 fy/ HTTP /1.1..Re ; ; other http packets ; 0220 6f 6e 74 72 6f 6c 3a 20 6e 6f 2d 63 61 63 68 65 ontrol: no-cache 0230 0d 0a 0d 0a 59 4d 53 47 00 0e 00 00 00 25 00 57 ....YMSG .....%.W 0240 00 00 00 00 7a 40 00 00 31 c0 80 70 75 73 75 6b ....z@.. 1..pusuk 0250 75 c0 80 30 c0 80 70 75 73 75 6b 75 c0 80 32 34 u..0..pu suku..24 0260 c0 80 36 33 35 39 37 39 35 38 32 c0 80 0d 0a ..635979 582....
The yahoo messenger protocol is the data portion of the HTTP protocol. The yahoo messenger protocol starts with the header YMSG.
59 4D 53 47 | YMSG, yahoo messenger protocol message starts |
00 0e 00 00 | Version, yahoo messenger version is 14 |
00 25 | Length, packet length 37 bytes or 0x25 bytes |
00 57 | Yahoo Service, service in this case is YAHOO_SERVICE_AUTH |
00 00 00 00 | Yahoo Status , Status of the using trying to login in this case is YAHOO_STATUS_AVAILABLE |
7a 40 00 00 | Yahoo Session ID, Session id of the client and server. Followed by the data |
Yahoo messenger protocol background process using ethereal The following explains a simple communication between the yahoo client and yahoo server . In this case client A send a message to client B, where client B is offline. Each process is explained with packet capture using ethereal.
Login process
[edit | edit source]- Client A log in to yahoo messenger.
1. When client A submits the login button of the yahoo messenger with his user id and password the following happens between the client ( Client A yahoo messenger) and yahoo server. Client A says I want to login as <username> here is the session id ‘7a 40 00 00’ and user name pusuku
0230 0d 0a 0d 0a 59 4d 53 47 00 0e 00 00 00 25 00 57 ....YMSG.....%.W 0240 00 00 00 00 7a 40 00 00 31 c0 80 70 75 73 75 6b ....z@..1..pusuk 0250 75 c0 80 30 c0 80 70 75 73 75 6b 75 c0 80 32 34 u..0..pusuku..24 0260 c0 80 36 33 35 39 37 39 35 38 32 c0 80 0d 0a ..635979582....
7a 40 00 00 is the session id, Client sents a YAHOO_SERVICE_AUTH (00 57) with status YAHOO_STATUS_AVAILABLE(00 00 00 00)
2. Server responds , Okay , Here is a challenge string , Using this to hash your id and password and send it to me
0170 00 00 59 4d 53 47 00 00 00 00 00 59 00 57 00 00 ..YMSG.....Y.W.. 0180 00 01 7a 40 00 00 31 c0 80 70 75 73 75 6b 75 c0 ..z@..1..pusuku. 0190 80 39 34 c0 80 64 7c 67 2d 75 5e 77 2f 79 2d 72 .94..d|g-u^w/y-r 01a0 2b 38 2b 70 2a 6b 2a 7a 2f 61 2d 35 2b 33 2a 62 +8+p*k*z/a-5+3*b 01b0 26 68 25 32 2a 75 2f 6e 2f 28 77 2d 70 2d 75 25 &h%2*u/n/(w-p-u% 01c0 71 2a 76 7c 7a 2a 6e 25 66 2f 67 2a 6e 7c 74 25 q*v|z*n%f/g*n|t% 01d0 79 26 6d 26 6d 29 c0 80 31 33 c0 80 32 c0 80 y&m&m)..13..2..
Server responds with YAHOO_SERVICE_AUTH (00 57) and status YaHOO_STATUS_BRB and the challenge string in the data portion of the yahoo messenger protocol
3. Client says, here is the user id and password hashed with the challenge string
01f0 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a 59 l: no-cache....Y 0200 4d 53 47 00 0e 00 00 03 2f 00 54 00 00 00 0c 7a MSG...../.T....z ; ; other hashed messages ; 0540 c0 80 0d 0a ....
Client sends a YAHOO_SERVICE_AUTHRESP (00 54) with user and password hashed with the challenge string , The hashed challenge string is sent as data portion
4. Server verifies the user id and password and responds , okay your authenticated , here is your buddy list
0170 00 00 59 4d 53 47 00 00 00 00 03 c7 00 55 00 00 ..YMSG.......U.. 0180 00 05 7a 40 00 00 38 37 c0 80 43 68 61 74 20 46 ..z@..87..Chat F 0190 72 69 65 6e 64 73 3a 63 6c 75 6d 73 79 64 72 65 riends:clumsydre 01a0 61 6d 73 2c 64 75 72 67 61 6b 73 2c 6b 69 72 75 ams,durgaks,kiru ; ; other buddy list and their status ; 0510 31 38 35 c0 80 63 6c 75 6d 73 79 64 72 65 61 6d 185..clumsydream 0520 73 2c s,
Server on authentication responds with the buddy list YAHOO_SERVICE_LIST (00 55) With this Client A is ready is ready to send the message to Client B , Tough client A knows , Client B is offline client A sends a offline message .
Send process
[edit | edit source]As Client A select Client B window and start typing, 1. The Client says , I am typing message for my buddy
0230 0d 0a 0d 0a 59 4d 53 47 00 0e 00 00 00 4a 00 4b ....YMSG.....J.K 0240 00 00 00 16 7a 40 00 00 34 39 c0 80 54 59 50 49 ....z@..49..TYPI 0250 4e 47 c0 80 31 c0 80 70 75 73 75 6b 75 c0 80 31 NG..1..pusuku..1 0260 34 c0 80 20 c0 80 31 33 c0 80 31 c0 80 35 c0 80 4.. ..13..1..5.. 0270 64 73 75 73 61 69 c0 80 30 c0 80 70 75 73 75 6b dnunai..0..pusuk 0280 75 c0 80 32 34 c0 80 32 31 33 31 30 33 33 39 33 u..24..213103393 0290 c0 80 0d 0a ....
client sends YAHOO_SERVICE_NOTIFY(00 4b) message saying pusuku is sending message to dnunai with the status YAHOO_SERVICE_TYPING (0x16)
2. When the user presses the send button . The client sends the message to the server client send this message <msg> to my buddy <buddyname> server
0230 65 0d 0a 0d 0a 59 4d 53 47 00 0e 00 00 00 5c 00 e....YMSG.....\. 0240 06 5a 55 aa 56 7a 40 00 00 31 c0 80 70 75 73 75 .ZU.Vz@..1..pusu 0250 6b 75 c0 80 35 c0 80 64 73 75 73 61 69 c0 80 31 ku..5..dnunai..1 0260 34 c0 80 68 69 20 64 65 6c 6c 61 c0 80 39 37 c0 4..hi kella..97. 0270 80 31 c0 80 36 33 c0 80 3b 30 c0 80 36 34 c0 80 .1..63..;0..64.. 0280 30 c0 80 32 30 36 c0 80 32 c0 80 30 c0 80 70 75 0..206..2..0..pu 0290 73 75 6b 75 c0 80 32 34 c0 80 32 31 33 31 30 33 suku..24..213103 02a0 33 39 33 c0 80 0d 0a 393....
client sends YAHOO_SERVICE_MESSAGE(00 06) message to the server The server processes the message , The message is from pusuku to dnunai(who’s status is offline, 5a 55 aa 56) Note the message sent ‘ hi kella’ Since Client B is offline , the server stores the message and sends it to client B , when client B log in. Now, client A has sent the message, time to logout.
Logout process
[edit | edit source]1. Client A says , I am done , I am logging out .
0230 0d 0a 0d 0a 59 4d 53 47 00 0e 00 00 00 1a 00 02 ....YMSG........ 0240 00 00 00 00 7a 40 00 00 30 c0 80 50 55 53 55 4b ....z@..0..PUSUK 0250 55 c0 80 32 34 c0 80 32 31 33 31 30 33 33 39 33 U..24..213103393 0260 c0 80 0d 0a ....
client sends YAHOO_SERVICE_LOGOFF(00 02) message to server
2. Server responds , okay .
0170 00 00 59 4d 53 47 00 00 00 00 00 00 00 02 00 00 ..YMSG.......... 0180 00 00 7a 40 00 00 ..z@..
Server responds with empty message with service YAHOO_SERVICE_LOGOFF
Understanding Tracert with Ethereal
[edit | edit source]Tracert is a windows based tool for tracing the path of the packets taken from your pc to the destination router. This assignment traces the path from my pc to www.yahoo.com using Tracert
C:\DOCUME~1\skva>tracert www.yahoo.com Tracing route to www.yahoo-ht2.akadns.net [209.131.36.158] over a maximum of 30 hops: 1 1 ms 1 ms 1 ms c-24-6-102-212.hsd1.ca.comcast.net [24.6.102.212] 2 * * * Request timed out. 3 11 ms * * GE-2-1-ur01.santaclara.ca.sfba.comcast.net [68.87.198.105] 4 11 ms 11 ms * 10g-9-3-ur02.santaclara.ca.sfba.comcast.net [68.87.192.26] 5 14 ms * 12 ms 10g-9-4-ar01.oakland.ca.sfba.comcast.net [68.87.192.34] 6 * * * Request timed out. 7 13 ms 14 ms 12 ms 12.118.38.5 8 13 ms 14 ms 17 ms tbr1-p010802.sffca.ip.att.net [12.123.12.66] 9 14 ms 14 ms 11 ms ggr2-p310.sffca.ip.att.net [12.123.12.18] 10 15 ms 15 ms 14 ms att-gw.sea.level3.net [192.205.32.206] 11 16 ms 14 ms 14 ms 4.71.112.14 12 15 ms 16 ms 17 ms g-1-0-0-p171.msr2.sp1.yahoo.com [216.115.107.87] 13 16 ms 16 ms 16 ms te-8-1.bas-a1.sp1.yahoo.com [209.131.32.17] 14 19 ms 17 ms 17 ms f1.www.vip.sp1.yahoo.com [209.131.36.158] Trace complete.
The above output from tracert shows the number of routes it took, name of the routers on the way and time taken to reach each router. It took 14 hops to reach the yahoo server from my pc. The asterisk indicate the failed attempt for next route.
When I executed the command ‘tracert www.yahoo.com’ the following happens in the back ground. The packets were captured using ethereal.
Step 1: The PC sends a DNS request to the DNS server to resolve the ip address of yahoo.com.
192.168.1.101 to 68.87.76.178 DNS standard query A www.yahoo.com 68.87.76.178 to 192.168.1.101 DNS standard query response CNAME www.yahoo-ht2.akadns.net Address 209.131.36.158
Step 2: After getting yahoo.com ip address , tracert sends icmp echo request message with TTL set to 1, Each echo request is received by the router at the first hop , which responds with ‘time to live exceeded live‘ message. Each hop packets are analyzed below .
Hop 1
[edit | edit source]1 1 ms 1 ms 1 ms c-24-6-102-212.hsd1.ca.comcast.net [24.6.102.212] Echo request packets were sent with TTL set to 1 0000 00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00 .....V...z.b..E. 0010 00 5c a8 f9 00 00 01 01 58 79 c0 a8 01 65 d1 83 .\......Xy...e.. 0020 24 9e 08 00 f4 ff 02 00 01 00 00 00 00 00 00 00 $............... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0060 00 00 00 00 00 00 00 00 00 00 ..........
45 | = IP version 4 |
01 | = TTL (time to live ) |
01 | = ICMP protocol |
c0 a8 01 65 | = Source ip address = > 192.168.1.101 |
d1 83 24 9e | = Destination ip address = > 209.131.36.158 |
08 | = Type 8 ICMP (Echo (ping) request) |
00 | = Code , net unreachable |
0000 00 0e 9b 7a af 62 00 13 10 d4 d7 56 08 00 45 4f ...z.b.....V..EO 0010 00 38 0a 93 00 00 40 01 2e fc 18 06 66 d4 c0 a8 .8....@.....f... 0020 01 65 0b 00 f4 ff 00 00 00 00 45 00 00 5c a8 f9 .e........E..\.. 0030 00 00 01 01 58 79 c0 a8 01 65 d1 83 24 9e 08 00 ....Xy...e..$... 0040 f4 ff 02 00 01 00 ......
45 | = IP version 4 |
40 | = TTL (time to live ) => 64 |
01 | = ICMP protocol |
18 06 66 d4 | = Source ip address = > 24.6.102.212 |
C0 a8 01 65 | = Destination ip address = > 192.168.1.101 |
0b | = Type ICMP => 11 (time to live exceeded |
00 | = Code , net unreachable (time to live exceeded in transit) |
0000 00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00 .....V...z.b..E. 0010 00 5c a8 fa 00 00 01 01 58 78 c0 a8 01 65 d1 83 .\......Xx...e.. 0020 24 9e 08 00 f3 ff 02 00 02 00 00 00 00 00 00 00 $............... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0060 00 00 00 00 00 00 00 00 00 00 ..........
45 | = IP version 4 |
01 | = TTL (time to live ) |
01 | = ICMP protocol |
c0 a8 01 65 | = Source ip address = > 192.168.1.101 |
d1 83 24 9e | = Destination ip address = > 209.131.36.158 |
08 | = Type 8 ICMP (Echo (ping) request) |
00 | = Code , net unreachable |
0000 00 0e 9b 7a af 62 00 13 10 d4 d7 56 08 00 45 4f ...z.b.....V..EO 0010 00 38 0a 94 00 00 40 01 2e fb 18 06 66 d4 c0 a8 .8....@.....f... 0020 01 65 0b 00 f2 ff 00 00 00 00 45 00 00 5c a8 fa .e........E..\.. 0030 00 00 01 01 58 78 c0 a8 01 65 d1 83 24 9e 08 00 ....Xx...e..$... 0040 f3 ff 02 00 02 00 ......
45 | = IP version 4 |
40 | = TTL (time to live ) => 64 |
01 | = ICMP protocol |
18 06 66 d4 | = Source ip address = > 24.6.102.212 |
C0 a8 01 65 | = Destination ip address = > 192.168.1.101 |
0b | = Type ICMP (Echo (ping) request) => 11 (time to live exceeded |
00 | = Code , net unreachable (time to live exceeded in transit) |
0000 00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00 .....V...z.b..E. 0010 00 5c a8 fa 00 00 01 01 58 78 c0 a8 01 65 d1 83 .\......Xx...e.. 0020 24 9e 08 00 f3 ff 02 00 02 00 00 00 00 00 00 00 $............... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0060 00 00 00 00 00 00 00 00 00 00 ..........
45 | = IP version 4 |
01 | = TTL (time to live ) |
01 | = ICMP protocol |
c0 a8 01 65 | = Source ip address = > 192.168.1.101 |
d1 83 24 9e | = Destination ip address = > 209.131.36.158 |
08 | = Type 8 ICMP (Echo (ping) request) |
00 | = Code , net unreachable |
0000 00 0e 9b 7a af 62 00 13 10 d4 d7 56 08 00 45 4f ...z.b.....V..EO 0010 00 38 0a 94 00 00 40 01 2e fb 18 06 66 d4 c0 a8 .8....@.....f... 0020 01 65 0b 00 f4 ff 00 00 00 00 45 00 00 5c a8 fa .e........E..\.. 0030 00 00 01 01 58 78 c0 a8 01 65 d1 83 24 9e 08 00 ....Xx...e..$... 0040 f3 ff 02 00 02 00 ......
45 | = IP version 4 |
40 | = TTL (time to live ) => 64 |
01 | = ICMP protocol |
18 06 66 d4 | = Source ip address = > 24.6.102.212 |
C0 a8 01 65 | = Destination ip address = > 192.168.1.101 |
0b | = Type ICMP (Echo (ping) request) => 11 (time to live exceeded |
00 | = Code , net unreachable (time to live exceeded in transit) |
Hop 2
[edit | edit source]2 * * * Request timed out. Echo request packets were sent with TTL set to 2 0000 00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00 .....V...z.b..E. 0010 00 5c a9 01 00 00 02 01 57 71 c0 a8 01 65 d1 83 .\......Wq...e.. 0020 24 9e 08 00 f1 ff 02 00 04 00 00 00 00 00 00 00 $............... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0060 00 00 00 00 00 00 00 00 00 00 ..........
45 | = IP version 4 |
02 | = TTL (time to live ) => 2 |
01 | = ICMP protocol |
c0 a8 01 65 | = Source ip address = > 192.168.1.101 |
d1 83 24 9e | = Destination ip address = > 209.131.36.158 |
08 | = Type 8 ICMP (Echo (ping) request) |
00 | = Code , net unreachable |
0000 00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00 .....V...z.b..E. 0010 00 5c a9 01 00 00 02 01 57 71 c0 a8 01 65 d1 83 .\......Wq...e.. 0020 24 9e 08 00 f1 ff 02 00 04 00 00 00 00 00 00 00 $............... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0060 00 00 00 00 00 00 00 00 00 00 ..........
45 | = IP version 4 |
02 | = TTL (time to live ) => 2 |
01 | = ICMP protocol |
c0 a8 01 65 | = Source ip address = > 192.168.1.101 |
d1 83 24 9e | = Destination ip address = > 209.131.36.158 |
08 | = Type 8 ICMP (Echo (ping) request) |
00 | = Code , net unreachable |
0000 00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00 .....V...z.b..E. 0010 00 5c a9 01 00 00 02 01 57 71 c0 a8 01 65 d1 83 .\......Wq...e.. 0020 24 9e 08 00 f1 ff 02 00 04 00 00 00 00 00 00 00 $............... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0060 00 00 00 00 00 00 00 00 00 00 ..........
45 | = IP version 4 |
02 | = TTL (time to live ) => 2 |
01 | = ICMP protocol |
c0 a8 01 65 | = Source ip address = > 192.168.1.101 |
d1 83 24 9e | = Destination ip address = > 209.131.36.158 |
08 | = Type 8 ICMP (Echo (ping) request) |
00 | = Code , net unreachable |
Hop 3
[edit | edit source]3 11 ms * * GE-2-1-ur01.santaclara.ca.sfba.comcast.net [68.87.198.105] Echo request packets were sent with TTL set to 3 0000 00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00 .....V...z.b..E. 0010 00 5c a9 41 00 00 03 01 56 31 c0 a8 01 65 d1 83 .\.A....V1...e.. 0020 24 9e 08 00 ee ff 02 00 07 00 00 00 00 00 00 00 $............... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0060 00 00 00 00 00 00 00 00 00 00 ..........
45 | = IP version 4 |
03 | = TTL (time to live ) => 3 |
01 | = ICMP protocol |
c0 a8 01 65 | = Source ip address = > 192.168.1.101 |
d1 83 24 9e | = Destination ip address = > 209.131.36.158 |
08 | = Type 8 ICMP (Echo (ping) request) |
00 | = Code , net unreachable |
0000 00 0e 9b 7a af 62 00 13 10 d4 d7 56 08 00 45 c0 ...z.b.....V..E. 0010 00 38 23 76 00 00 fd 01 cc c0 44 57 c6 69 c0 a8 .8#v......DW.i.. 0020 01 65 0b 00 f4 ff 00 00 00 00 45 20 00 5c a9 41 .e........E .\.A 0030 00 00 01 01 58 11 c0 a8 01 65 d1 83 24 9e 08 00 ....X....e..$... 0040 ee ff 02 00 07 00 ......
45 | = IP version 4 |
fd | = TTL (time to live ) => 253 |
01 | = ICMP protocol |
44 57 c6 69 | = Source ip address = > 68.87.198.105 |
a8 01 65 | = Destination ip address = > 192.168.1.101 |
0b | = Type ICMP (Echo (ping) request) => 11 (time to live exceeded |
00 | = Code , net unreachable (time to live exceeded in transit) |
0000 00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00 .....V...z.b..E. 0010 00 5c a9 42 00 00 03 01 56 30 c0 a8 01 65 d1 83 .\.B....V0...e.. 0020 24 9e 08 00 ed ff 02 00 08 00 00 00 00 00 00 00 $............... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0060 00 00 00 00 00 00 00 00 00 00 ..........
45 | = IP version 4 |
03 | = TTL (time to live ) => 3 |
01 | = ICMP protocol |
c0 a8 01 65 | = Source ip address = > 192.168.1.101 |
d1 83 24 9e | = Destination ip address = > 209.131.36.158 |
08 | = Type 8 ICMP (Echo (ping) request) |
00 | = Code, net unreachable |
0000 00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00 .....V...z.b..E. 0010 00 5c a9 59 00 00 03 01 56 19 c0 a8 01 65 d1 83 .\.Y....V....e.. 0020 24 9e 08 00 ec ff 02 00 09 00 00 00 00 00 00 00 $............... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0060 00 00 00 00 00 00 00 00 00 00 ..........
45 | = IP version 4 |
03 | = TTL (time to live ) => 3 |
01 | = ICMP protocol |
c0 a8 01 65 | = Source ip address = > 192.168.1.101 |
d1 83 24 9e | = Destination ip address = > 209.131.36.158 |
08 | = Type 8 ICMP (Echo (ping) request) |
00 | = Code, net unreachable |
Hop 4
[edit | edit source]4 11 ms 11 ms * 10g-9-3-ur02.santaclara.ca.sfba.comcast.net [68.87.192.26] Echo request packets were sent with TTL set to 4 0000 00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00 .....V...z.b..E. 0010 00 5c a9 6c 00 00 04 01 55 06 c0 a8 01 65 d1 83 .\.l....U....e.. 0020 24 9e 08 00 eb ff 02 00 0a 00 00 00 00 00 00 00 $............... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0060 00 00 00 00 00 00 00 00 00 00 ..........
45 | = IP version 4 |
04 | = TTL (time to live ) => 4 |
01 | = ICMP protocol |
c0 a8 01 65 | = Source ip address = > 192.168.1.101 |
d1 83 24 9e | = Destination ip address = > 209.131.36.158 |
08 | = Type 8 ICMP (Echo (ping) request) |
00 | = Code, net unreachable |
0000 00 0e 9b 7a af 62 00 13 10 d4 d7 56 08 00 45 c0 ...z.b.....V..E. 0010 00 38 6e 22 00 00 fd 01 88 63 44 57 c0 1a c0 a8 .8n".....cDW.... 0020 01 65 0b 00 f4 ff 00 00 00 00 45 20 00 5c a9 6c .e........E .\.l 0030 00 00 01 01 57 e6 c0 a8 01 65 d1 83 24 9e 08 00 ....W....e..$... 0040 eb ff 02 00 0a 00 ......
45 | = IP version 4 |
fd | = TTL (time to live ) => 253 |
01 | = ICMP protocol |
44 57 c0 1a | = Source ip address = > 68.87.192.26 |
c0 a8 01 65 | = Destination ip address = > 192.168.1.101 |
0b | = Type ICMP (Echo (ping) request) => 11 (time to live exceeded |
00 | = Code , net unreachable (time to live exceeded in transit) |
0000 00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00 .....V...z.b..E. 0010 00 5c a9 6d 00 00 04 01 55 05 c0 a8 01 65 d1 83 .\.m....U....e.. 0020 24 9e 08 00 ea ff 02 00 0b 00 00 00 00 00 00 00 $............... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0060 00 00 00 00 00 00 00 00 00 00 ..........
45 | = IP version 4 |
04 | = TTL (time to live ) => 4 |
01 | = ICMP protocol |
c0 a8 01 65 | = Source ip address = > 192.168.1.101 |
d1 83 24 9e | = Destination ip address = > 209.131.36.158 |
08 | = Type 8 ICMP (Echo (ping) request) |
00 | = Code, net unreachable |
0000 00 0e 9b 7a af 62 00 13 10 d4 d7 56 08 00 45 c0 ...z.b.....V..E. 0010 00 38 6e 23 00 00 fd 01 88 62 44 57 c0 1a c0 a8 .8n#.....bDW.... 0020 01 65 0b 00 f4 ff 00 00 00 00 45 20 00 5c a9 6d .e........E .\.m 0030 00 00 01 01 57 e5 c0 a8 01 65 d1 83 24 9e 08 00 ....W....e..$... 0040 ea ff 02 00 0b 00 ......
45 | = IP version 4 |
fd | = TTL (time to live ) => 253 |
01 | = ICMP protocol |
44 57 c0 1a | = Source ip address = > 68.87.192.26 |
c0 a8 01 65 | = Destination ip address = > 192.168.1.101 |
0b | = Type ICMP (Echo (ping) request) => 11 (time to live exceeded |
00 | = Code , net unreachable (time to live exceeded in transit) |
0000 00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00 .....V...z.b..E. 0010 00 5c a9 6e 00 00 04 01 55 04 c0 a8 01 65 d1 83 .\.n....U....e.. 0020 24 9e 08 00 e9 ff 02 00 0c 00 00 00 00 00 00 00 $............... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0060 00 00 00 00 00 00 00 00 00 00 ..........
45 | = IP version 4 |
04 | = TTL (time to live ) => 4 |
01 | = ICMP protocol |
c0 a8 01 65 | = Source ip address = > 192.168.1.101 |
d1 83 24 9e | = Destination ip address = > 209.131.36.158 |
08 | = Type 8 ICMP (Echo (ping) request) |
00 | = Code, net unreachable |
Hop 5
[edit | edit source]5 14 ms * 12 ms 10g-9-4-ar01.oakland.ca.sfba.comcast.net [68.87.192.34] Echo request packets were sent with TTL set to 5 0000 00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00 .....V...z.b..E. 0010 00 5c a9 89 00 00 05 01 53 e9 c0 a8 01 65 d1 83 .\......S....e.. 0020 24 9e 08 00 e8 ff 02 00 0d 00 00 00 00 00 00 00 $............... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0060 00 00 00 00 00 00 00 00 00 00 ..........
45 | = IP version 4 |
05 | = TTL (time to live ) => 5 |
01 | = ICMP protocol |
c0 a8 01 65 | = Source ip address = > 192.168.1.101 |
d1 83 24 9e | = Destination ip address = > 209.131.36.158 |
08 | = Type 8 ICMP (Echo (ping) request) |
00 | = Code, net unreachable |
0000 00 0e 9b 7a af 62 00 13 10 d4 d7 56 08 00 45 c0 ...z.b.....V..E. 0010 00 38 fa 4e 00 00 fc 01 fd 2e 44 57 c0 22 c0 a8 .8.N......DW.".. 0020 01 65 0b 00 f4 ff 00 00 00 00 45 20 00 5c a9 89 .e........E .\.. 0030 00 00 01 01 57 c9 c0 a8 01 65 d1 83 24 9e 08 00 ....W....e..$... 0040 e8 ff 02 00 0d 00 ......
45 | = IP version 4 |
fd | = TTL (time to live ) => 252 |
01 | = ICMP protocol |
44 57 c0 22 | = Source ip address = > 68.87.192.34 |
c0 a8 01 65 | = Destination ip address = > 192.168.1.101 |
0b | = Type ICMP (Echo (ping) request) => 11 (time to live exceeded |
00 | = Code , net unreachable (time to live exceeded in transit) |
0000 00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00 .....V...z.b..E. 0010 00 5c a9 8a 00 00 05 01 53 e8 c0 a8 01 65 d1 83 .\......S....e.. 0020 24 9e 08 00 e7 ff 02 00 0e 00 00 00 00 00 00 00 $............... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0060 00 00 00 00 00 00 00 00 00 00 ..........
45 | = IP version 4 |
05 | = TTL (time to live ) => 5 |
01 | = ICMP protocol |
c0 a8 01 65 | = Source ip address = > 192.168.1.101 |
d1 83 24 9e | = Destination ip address = > 209.131.36.158 |
08 | = Type 8 ICMP (Echo (ping) request) |
00 | = Code, net unreachable |
0000 00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00 .....V...z.b..E. 0010 00 5c a9 9f 00 00 05 01 53 d3 c0 a8 01 65 d1 83 .\......S....e.. 0020 24 9e 08 00 e6 ff 02 00 0f 00 00 00 00 00 00 00 $............... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0060 00 00 00 00 00 00 00 00 00 00 ..........
45 | = IP version 4 |
05 | = TTL (time to live ) => 5 |
01 | = ICMP protocol |
c0 a8 01 65 | = Source ip address = > 192.168.1.101 |
d1 83 24 9e | = Destination ip address = > 209.131.36.158 |
08 | = Type 8 ICMP (Echo (ping) request) |
00 | = Code, net unreachable |
0000 00 0e 9b 7a af 62 00 13 10 d4 d7 56 08 00 45 c0 ...z.b.....V..E. 0010 00 38 fc 75 00 00 fc 01 fb 07 44 57 c0 22 c0 a8 .8.u......DW.".. 0020 01 65 0b 00 f4 ff 00 00 00 00 45 20 00 5c a9 9f .e........E .\.. 0030 00 00 01 01 57 b3 c0 a8 01 65 d1 83 24 9e 08 00 ....W....e..$... 0040 e6 ff 02 00 0f 00 ......
45 | = IP version 4 |
fd | = TTL (time to live ) => 252 |
01 | = ICMP protocol |
44 57 c0 22 | = Source ip address = > 68.87.192.34 |
c0 a8 01 65 | = Destination ip address = > 192.168.1.101 |
0b | = Type ICMP (Echo (ping) request) => 11 (time to live exceeded |
00 | = Code , net unreachable (time to live exceeded in transit) |
Hop 6
[edit | edit source]6 * * * Request timed out. Echo request packets were sent with TTL set to 6 0000 00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00 .....V...z.b..E. 0010 00 5c a9 a5 00 00 06 01 52 cd c0 a8 01 65 d1 83 .\......R....e.. 0020 24 9e 08 00 e5 ff 02 00 10 00 00 00 00 00 00 00 $............... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0060 00 00 00 00 00 00 00 00 00 00 ..........
45 | = IP version 4 |
06 | = TTL (time to live ) => 6 |
01 | = ICMP protocol |
c0 a8 01 65 | = Source ip address = > 192.168.1.101 |
d1 83 24 9e | = Destination ip address = > 209.131.36.158 |
08 | = Type 8 ICMP (Echo (ping) request) |
00 | = Code, net unreachable |
0000 00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00 .....V...z.b..E. 0010 00 5c a9 a5 00 00 06 01 52 cd c0 a8 01 65 d1 83 .\......R....e.. 0020 24 9e 08 00 e4 ff 02 00 10 00 00 00 00 00 00 00 $............... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0060 00 00 00 00 00 00 00 00 00 00 ..........
45 | = IP version 4 |
06 | = TTL (time to live ) => 6 |
01 | = ICMP protocol |
c0 a8 01 65 | = Source ip address = > 192.168.1.101 |
d1 83 24 9e | = Destination ip address = > 209.131.36.158 |
08 | = Type 8 ICMP (Echo (ping) request) |
00 | = Code, net unreachable |
0000 00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00 .....V...z.b..E. 0010 00 5c a9 a5 00 00 06 01 52 cd c0 a8 01 65 d1 83 .\......R....e.. 0020 24 9e 08 00 e5 ff 02 00 10 00 00 00 00 00 00 00 $............... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0060 00 00 00 00 00 00 00 00 00 00 ..........
45 | = IP version 4 |
06 | = TTL (time to live ) => 6 |
01 | = ICMP protocol |
c0 a8 01 65 | = Source ip address = > 192.168.1.101 |
d1 83 24 9e | = Destination ip address = > 209.131.36.158 |
08 | = Type 8 ICMP (Echo (ping) request) |
00 | = Code, net unreachable |
Hop 7
[edit | edit source]7 13 ms 14 ms 12 ms 12.118.38.5 Echo request packets were sent with TTL set to 7 0000 00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00 .....V...z.b..E. 0010 00 5c a9 dc 00 00 07 01 51 96 c0 a8 01 65 d1 83 .\......Q....e.. 0020 24 9e 08 00 e2 ff 02 00 13 00 00 00 00 00 00 00 $............... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0060 00 00 00 00 00 00 00 00 00 00 ..........
45 | = IP version 4 |
07 | = TTL (time to live ) => 7 |
01 | = ICMP protocol |
c0 a8 01 65 | = Source ip address = > 192.168.1.101 |
d1 83 24 9e | = Destination ip address = > 209.131.36.158 |
08 | = Type 8 ICMP (Echo (ping) request) |
00 | = Code, net unreachable |
0000 00 0e 9b 7a af 62 00 13 10 d4 d7 56 08 00 45 00 ...z.b.....V..E. 0010 00 38 00 00 00 00 f8 01 ce 3c 0c 76 26 05 c0 a8 .8.......<.v&... 0020 01 65 0b 00 f4 ff 00 00 00 00 45 20 00 5c a9 dc .e........E .\.. 0030 00 00 01 01 57 76 c0 a8 01 65 d1 83 24 9e 08 00 ....Wv...e..$... 0040 e2 ff 02 00 13 00 ......
45 | = IP version 4 |
F8 | = TTL (time to live ) => 248 |
01 | = ICMP protocol |
44 57 c0 22 | = Source ip address = > 12.118.38.5 |
c0 a8 01 65 | = Destination ip address = > 192.168.1.101 |
0b | = Type ICMP (Echo (ping) request) => 11 (time to live exceeded |
00 | = Code , net unreachable (time to live exceeded in transit) |
Hop 8 to Hop 13
[edit | edit source]Echo request packets were sent with TTL set to 8 to 13 respectively 8 13 ms 14 ms 17 ms tbr1-p010802.sffca.ip.att.net [12.123.12.66] 9 14 ms 14 ms 11 ms ggr2-p310.sffca.ip.att.net [12.123.12.18] 10 15 ms 15 ms 14 ms att-gw.sea.level3.net [192.205.32.206] 11 16 ms 14 ms 14 ms 4.71.112.14 12 15 ms 16 ms 17 ms g-1-0-0-p171.msr2.sp1.yahoo.com [216.115.107.87] 13 16 ms 16 ms 16 ms te-8-1.bas-a1.sp1.yahoo.com [209.131.32.17]
Hop 14
[edit | edit source]14 19 ms 17 ms 17 ms f1.www.vip.sp1.yahoo.com [209.131.36.158] Echo request packets were sent with TTL set to 2 0000 00 13 10 d4 d7 56 00 0e 9b 7a af 62 08 00 45 00 .....V...z.b..E. 0010 00 5c aa 22 00 00 0e 01 4a 50 c0 a8 01 65 d1 83 .\."....JP...e.. 0020 24 9e 08 00 cd ff 02 00 28 00 00 00 00 00 00 00 $.......(....... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0060 00 00 00 00 00 00 00 00 00 00 ..........
45 | = IP version 4 |
0e | = TTL (time to live ) => 14 |
01 | = ICMP protocol |
c0 a8 01 65 | = Source ip address = > 192.168.1.101 |
d1 83 24 9e | = Destination ip address = > 209.131.36.158 |
08 | = Type 8 ICMP (Echo (ping) request) |
00 | = Code, net unreachable |
0000 00 0e 9b 7a af 62 00 13 10 d4 d7 56 08 00 45 00 ...z.b.....V..E. 0010 00 5c 92 b2 00 00 33 01 3c c0 d1 83 24 9e c0 a8 .\....3.<...$... 0020 01 65 00 00 d5 ff 02 00 28 00 00 00 00 00 00 00 .e......(....... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0060 00 00 00 00 00 00 00 00 00 00 ..........
45 | = IP version 4 |
33 | = TTL (time to live ) => 51 |
01 | = ICMP protocol |
D1 83 24 9e | = Source ip address = > 209.131.36.158 |
c0 a8 01 65 | = Destination ip address = > 192.168.1.101 |
00 | = Type ICMP (Echo (ping) reply => 0 |
00 | = Code |
The above reply indicates the destination, www.yahoo.com . Thus tracert tool can be used to troubleshooting the network and finding the path of the network .
Conclusion
[edit | edit source]Ethereal is a powerful tool to capture and analyze many networking protocols. It does not detect or solve any network problem by itself but it can always be used to do so. It gives all the relevant details for any communication so it is used in research work and other relevant fields.
Questions and Answers
[edit | edit source]Q1. What is the value for ICMP protocol message
a. 0x10
b. 10
c. 0x01
d. 1
Ans: a, 0x10
Q2. How does yahoo messenger protocol header start ? a. YHOO
b. YMSG
c. YCHT
d. No such yahoo messenger protocol
Ans: b, YMSG
Q3. Study the following figure Ethereal capture shown below:
1. What is the selected message(no: 18) all about?
Answer: the sync message is the first message sent from the client to the server as the first message in of the three way handshake protocol in order to establish the connection with the server. The sync message establishes the connection and synchronizes the client and the server. The server then sends the acknowledgement signal.
2. What is the four tuple of this communication? Answer: Four tuple of any exercise is source IP, source port no: and destination IP, destination port no:. for this communication the four tuple would be:
- 192.168.1.76, 1942
- 203.84.221.151, 80