How Network Traffic Flows – Getting Started
Gideon T. Rasmussen - CISSP, CFSO, CFSA, SCSA

To troubleshoot an issue, you need to know how network traffic flows under normal circumstances. This article details what happens when a Web browser is used to access a Web site.

Once the Web site name is entered into a Web browser, a series of communications occurs over various protocols. The table below represents how the network traffic flows:

Line:
Protocol:
Source:
Destination:
Data:
1
ARP
10.0.1.13
Broadcast
Who has 10.0.1.1? Tell 10.0.1.13
2
ARP
10.0.1.1
10.0.1.13
10.0.1.1 is at 00:80:c8:57:d3:aa
3
DNS
10.0.1.13
10.0.1.1
Standard query A www.cyberguard.com
4
DNS
10.0.1.1
10.0.1.13
Standard query response CNAME cyberguard.com A 64.94.50.88
5
TCP
10.0.1.13
64.94.50.88
1939 > http [SYN]
6
TCP
64.94.50.88
10.0.1.13
http > 1939 [SYN, ACK]
7
TCP
10.0.1.13
64.94.50.88
1939 > http [ACK]
8
HTTP
10.0.1.13
64.94.50.88
GET / HTTP/1.1
9
HTTP
64.94.50.88
10.0.1.13
HTTP/1.1 200 OK
10
HTTP
64.94.50.88
10.0.1.13
HTTP Continuation
11
TCP
10.0.1.13
64.94.50.88
2577 > http [ACK] Seq=388864 Ack=37076821 Win=8241 Len=0
12
TCP
10.0.1.13
64.94.50.88
2577 > http [RST] Seq=388864 Ack=37077089 Win=0 Len=0

The ARP Protocol

Before systems can communicate, they need to know each other’s hardware addresses. The Address Resolution Protocol (ARP) is used for this purpose. From its configuration, the workstation knows the IP address of the DNS server.

Line # 1

Protocol: Source: Destination: Data:
ARP 10.0.1.13 Broadcast Who has 10.0.1.1? Tell 10.0.1.13

The workstation broadcasts a request to the devices on its network asking “who has” the IP address it needs to communicate with.

Line # 2

Protocol: Source: Destination: Data:
ARP 10.0.1.1 10.0.1.13 10.0.1.1 is at 00:80:c8:57:d3:aa

The remote system responds providing its hardware address. Now that the workstation knows the hardware address of the remote system, it can communicate with it.

The DNS Protocol
The Domain Name System (DNS) protocol is used to resolve system names to IP addresses. When a Web site name is entered into a browser, the workstation needs to know the corresponding IP address to reach the Web server hosting the site.

Line # 3

Protocol: Source: Destination: Data:
DNS 10.0.1.13 10.0.1.1 Standard query A www.cyberguard.com

The workstation asks the DNS server to provide the IP address of the Web server hosting www.cyberguard.com.

Line # 4

Protocol: Source: Destination: Data:
DNS 10.0.1.1 10.0.1.13 Standard query response CNAME cyberguard.com A 64.94.50.88

The DNS server responds with the IP address corresponding to www.cyberguard.com.

The TCP Protocol

The Transmission Control Protocol (TCP) protocol is used to transfer data. These next three lines comprise the TCP three-way handshake:

Line # 5

Protocol: Source: Destination: Data:
TCP 10.0.1.13 64.94.50.88 1939 > http [SYN]

The workstation initiates the connection to the Web server (SYN). SYN is an abbreviation for “synchronize.”

Line # 6

Protocol: Source: Destination: Data:
TCP 64.94.50.88 10.0.1.13 http > 1939 [SYN, ACK]

The Web server responds back indicating that it is ready for transmission (SYN ACK). SYN ACK is an abbreviation for “synchronize acknowledgement.”

Line # 7

Protocol: Source: Destination: Data:
DNS 10.0.1.13 64.94.50.88 1939 > http [ACK]

The workstation sends to the Web server indicating that it is starting to send traffic (ACK). This acknowledgement indicates that the TCP connection is established and traffic can begin to flow.

The HTTP Protocol

The Hyper Text Transfer Protocol (HTTP) is used to serve up Web pages. You can see evidence of this from the Web site address in your browser (i.e. http://www.cyberguard.com).

Line # 8

Protocol: Source: Destination: Data:
HTTP 10.0.1.13 64.94.50.88 GET / HTTP/1.1

The browser opens a connection to the Web server.

Line # 9

Protocol: Source: Destination: Data:
HTTP 64.94.50.88 10.0.1.13 HTTP/1.1 200 OK

The Web server accepts the connection.

Line # 10

Protocol: Source: Destination: Data:
HTTP 64.94.50.88 10.0.1.13 HTTP Continuation

The HTTP Continuation lines represent where the contents of the html page are sent over. It includes text, links, etc.

Back to the TCP Protocol

Line # 11

Protocol: Source: Destination: Data:
TCP 10.0.1.13 64.94.50.88 2577 > http [ACK] Seq=388864 Ack=37076821 Win=8241 Len=0

This line is actually repeated four times. The workstation is acknowledging the last packet.

Line # 12 (RST)

Protocol: Source: Destination: Data:
TCP 10.0.1.13 64.94.50.88 2577 > http [RST] Seq=388864 Ack=37077089 Win=0 Len=0

The workstation sends a reset, effectively tearing down the TCP connection.

Tcpdump and Ethereal

It is important to note that the tcpdump will provide different details depending on where it runs on your network. In this example, tcpdump was run on the internal interface of the firewall with a directly connected workstation. If tcpdump were used to monitor the same traffic flow on the external interface, the source IP address would appear as the external interface of the firewall, providing that Dynamic Network Address Translation (DNAT) was in place. To observe how proxy traffic flows, it makes sense to run tcpdump on both the internal and external interfaces, as the proxy acts as a middleman between the source and destination.

The source of the table was a tcpdump file viewed through Ethereal. The exact syntax used was: “tcpdump -vvpni dec1 -s1514 -w /archive2/dec1.dmp host 10.0.1.13”. The tcpdump command has extensive options for recording very specific traffic flow (i.e. source/destination, ports, and Boolean expressions). For more information, enter “man tcpdump” on the command line. The Windows version is Windump (http://windump.polito.it).

Ethereal is a good tool to view tcpdump files. It is freely available from http://www.ethereal.com.

Some of the ports present in a tcpdump may be unfamiliar to you. The most current list of port numbers can be found at http://www.iana.org/assignments/port-numbers (per RFC 3232).