How Network Traffic Flows – Getting Started
Gideon T. Rasmussen - CISSP, CFSO, CFSA, SCSA
To troubleshoot an issue, you need to know how network traffic flows under normal circumstances. This article details what happens when a Web browser is used to access a Web site.
Once the Web site name is entered into a Web browser, a series of communications occurs over various protocols. The table below represents how the network traffic flows:
Line: | Protocol: | Source: | Destination: | Data: |
1 | ARP | 10.0.1.13 | Broadcast | Who has 10.0.1.1? Tell 10.0.1.13 |
2 | ARP | 10.0.1.1 | 10.0.1.13 | 10.0.1.1 is at 00:80:c8:57:d3:aa |
3 | DNS | 10.0.1.13 | 10.0.1.1 | Standard query A www.cyberguard.com |
4 | DNS | 10.0.1.1 | 10.0.1.13 | Standard query response CNAME cyberguard.com A 64.94.50.88 |
5 | TCP | 10.0.1.13 | 64.94.50.88 | 1939 > http [SYN] |
6 | TCP | 64.94.50.88 | 10.0.1.13 | http > 1939 [SYN, ACK] |
7 | TCP | 10.0.1.13 | 64.94.50.88 | 1939 > http [ACK] |
8 | HTTP | 10.0.1.13 | 64.94.50.88 | GET / HTTP/1.1 |
9 | HTTP | 64.94.50.88 | 10.0.1.13 | HTTP/1.1 200 OK |
10 | HTTP | 64.94.50.88 | 10.0.1.13 | HTTP Continuation |
11 | TCP | 10.0.1.13 | 64.94.50.88 | 2577 > http [ACK] Seq=388864 Ack=37076821 Win=8241 Len=0 |
12 | TCP | 10.0.1.13 | 64.94.50.88 | 2577 > http [RST] Seq=388864 Ack=37077089 Win=0 Len=0 |
The ARP Protocol
Before systems can communicate, they need to know each other’s hardware addresses. The Address Resolution Protocol (ARP) is used for this purpose. From its configuration, the workstation knows the IP address of the DNS server.
Line # 1
Protocol: | Source: | Destination: | Data: |
ARP | 10.0.1.13 | Broadcast | Who has 10.0.1.1? Tell 10.0.1.13 |
The workstation broadcasts a request to the devices on its network asking “who has” the IP address it needs to communicate with.
Line # 2
Protocol: | Source: | Destination: | Data: |
ARP | 10.0.1.1 | 10.0.1.13 | 10.0.1.1 is at 00:80:c8:57:d3:aa |
The remote system responds providing its hardware address. Now that the workstation knows the hardware address of the remote system, it can communicate with it.
The DNS Protocol
The Domain Name System (DNS) protocol is used to resolve system names to IP addresses. When a Web site name is entered into a browser, the workstation needs to know the corresponding IP address to reach the Web server hosting the site.
Line # 3
Protocol: | Source: | Destination: | Data: |
DNS | 10.0.1.13 | 10.0.1.1 | Standard query A www.cyberguard.com |
The workstation asks the DNS server to provide the IP address of the Web server hosting www.cyberguard.com.
Line # 4
Protocol: | Source: | Destination: | Data: |
DNS | 10.0.1.1 | 10.0.1.13 | Standard query response CNAME cyberguard.com A 64.94.50.88 |
The DNS server responds with the IP address corresponding to www.cyberguard.com.
The TCP Protocol
The Transmission Control Protocol (TCP) is used to transfer data. The next three lines comprise the TCP three-way handshake:
Line # 5
Protocol: | Source: | Destination: | Data: |
TCP | 10.0.1.13 | 64.94.50.88 | 1939 > http [SYN] |
The workstation initiates the connection to the Web server (SYN). SYN is an abbreviation for “synchronize.”
Line # 6
Protocol: | Source: | Destination: | Data: |
TCP | 64.94.50.88 | 10.0.1.13 | http > 1939 [SYN, ACK] |
The Web server responds back indicating that it is ready for transmission (SYN ACK). SYN ACK is an abbreviation for “synchronize acknowledgement.”
Line # 7
Protocol: | Source: | Destination: | Data: |
TCP | 10.0.1.13 | 64.94.50.88 | 1939 > http [ACK] |
The workstation sends an acknowledgement (ACK) to the Web server, indicating that it is about to start sending traffic. This acknowledgement completes the handshake: the TCP connection is established and traffic can begin to flow.
The HTTP Protocol
The Hypertext Transfer Protocol (HTTP) is used to serve up Web pages. You can see evidence of this in the Web site address shown in your browser (e.g. http://www.cyberguard.com).
Line # 8
Protocol: | Source: | Destination: | Data: |
HTTP | 10.0.1.13 | 64.94.50.88 | GET / HTTP/1.1 |
The browser sends its request for the page (GET /) to the Web server over the connection established in line 7.
Line # 9
Protocol: | Source: | Destination: | Data: |
HTTP | 64.94.50.88 | 10.0.1.13 | HTTP/1.1 200 OK |
The Web server accepts the request and answers with a status of 200 OK.
Line # 10
Protocol: | Source: | Destination: | Data: |
HTTP | 64.94.50.88 | 10.0.1.13 | HTTP Continuation |
The HTTP Continuation lines represent where the contents of the HTML page are sent over. They include text, links, etc.
Back to the TCP Protocol
Line # 11
Protocol: | Source: | Destination: | Data: |
TCP | 10.0.1.13 | 64.94.50.88 | 2577 > http [ACK] Seq=388864 Ack=37076821 Win=8241 Len=0 |
This line is actually repeated four times in the capture. The workstation is acknowledging the last packet it received.
Line # 12 (RST)
Protocol: | Source: | Destination: | Data: |
TCP | 10.0.1.13 | 64.94.50.88 | 2577 > http [RST] Seq=388864 Ack=37077089 Win=0 Len=0 |
The workstation sends a reset, effectively tearing down the TCP connection.
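The twelve lines above describe the normal order of events: an ARP reply before any IP traffic, a DNS answer before the SYN, a complete three-way handshake before the HTTP request, and then a teardown. The following is an added example, not part of the original article, that replays the table (constructed here as pipe-separated text) through a small checker which reports anything that departs from that order. Function names and the finding messages are my own; on the article's own data it flags that lines 11 and 12 belong to client port 2577, whose handshake is not in the table, and that the connection ends with an RST rather than a FIN exchange.

```python
import re
# Constructed from the article's table: line|protocol|source|destination|data.
CAPTURE = """\
1|ARP|10.0.1.13|Broadcast|Who has 10.0.1.1? Tell 10.0.1.13
2|ARP|10.0.1.1|10.0.1.13|10.0.1.1 is at 00:80:c8:57:d3:aa
3|DNS|10.0.1.13|10.0.1.1|Standard query A www.cyberguard.com
4|DNS|10.0.1.1|10.0.1.13|Standard query response CNAME cyberguard.com A 64.94.50.88
5|TCP|10.0.1.13|64.94.50.88|1939 > http [SYN]
6|TCP|64.94.50.88|10.0.1.13|http > 1939 [SYN, ACK]
7|TCP|10.0.1.13|64.94.50.88|1939 > http [ACK]
8|HTTP|10.0.1.13|64.94.50.88|GET / HTTP/1.1
9|HTTP|64.94.50.88|10.0.1.13|HTTP/1.1 200 OK
10|HTTP|64.94.50.88|10.0.1.13|HTTP Continuation
11|TCP|10.0.1.13|64.94.50.88|2577 > http [ACK] Seq=388864 Ack=37076821 Win=8241 Len=0
12|TCP|10.0.1.13|64.94.50.88|2577 > http [RST] Seq=388864 Ack=37077089 Win=0 Len=0
"""
TCP_FLAGS = re.compile(r"^(\S+) > (\S+) \[([^\]]+)\]")  # e.g. "http > 1939 [SYN, ACK]"

def parse(text):
    return [(int(n), proto, src, dst, data) for n, proto, src, dst, data
            in (line.split("|", 4) for line in text.splitlines())]

def check_flow(rows):
    """Return findings where the capture departs from the ARP -> DNS -> handshake -> HTTP order."""
    findings, arp_done, resolved, state = [], False, set(), {}
    for n, proto, src, dst, data in rows:
        if proto == "ARP":
            arp_done = arp_done or " is at " in data   # a reply taught us a hardware address
            continue
        if not arp_done:
            findings.append(f"line {n}: {proto} traffic before any ARP reply")
        if proto == "DNS":
            resolved.update(re.findall(r" A (\d+\.\d+\.\d+\.\d+)", data))
        elif proto == "HTTP" and "open" not in state.values():
            findings.append(f"line {n}: HTTP before any TCP handshake completed")
        elif proto == "TCP" and (m := TCP_FLAGS.match(data)):
            sport, dport, flags = m.group(1), m.group(2), {f.strip() for f in m.group(3).split(",")}
            if flags == {"SYN"}:                           # step 1: client opens
                state[(src, sport)] = "syn"
                if dst not in resolved:
                    findings.append(f"line {n}: SYN to {dst}, which no DNS answer returned")
            elif flags == {"SYN", "ACK"} and state.get((dst, dport)) == "syn":
                state[(dst, dport)] = "synack"             # step 2: server agrees
            elif flags == {"ACK"} and state.get((src, sport)) == "synack":
                state[(src, sport)] = "open"               # step 3: connection established
            elif "RST" in flags:
                findings.append(f"line {n}: RST from {src}:{sport} (abortive close, no FIN exchange)")
            elif (src, sport) not in state:
                findings.append(f"line {n}: {'/'.join(sorted(flags))} on {src}:{sport} with no handshake in the capture")
    return findings
```

Feeding the checker a capture with lines 5 to 7 removed makes it report HTTP before any completed handshake, which is the kind of gap you would look for when a page load fails.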
Tcpdump and Ethereal
It is important to note that tcpdump will provide different details depending on where it runs on your network. In this example, tcpdump was run on the internal interface of the firewall with a directly connected workstation. If tcpdump were used to monitor the same traffic flow on the external interface, the source IP address would appear as the external interface of the firewall, provided that Dynamic Network Address Translation (DNAT) was in place. To observe how proxy traffic flows, it makes sense to run tcpdump on both the internal and external interfaces, as the proxy acts as a middleman between the source and destination.
The source of the table was a tcpdump file viewed through Ethereal. The exact syntax used was: “tcpdump -vvpni dec1 -s1514 -w /archive2/dec1.dmp host 10.0.1.13”. The tcpdump command has extensive options for recording very specific traffic flows (e.g. source/destination, ports, and Boolean expressions). For more information, enter “man tcpdump” on the command line. The Windows version is Windump (http://windump.polito.it).
Ethereal is a good tool to view tcpdump files. It is freely available from http://www.ethereal.com.
Some of the ports present in a tcpdump may be unfamiliar to you. The most current list of port numbers can be found at http://www.iana.org/assignments/port-numbers (per RFC 3232).