
Use Wireshark to capture and analyze ICMP packets as follows

In the document Networking Fundamentals, Exam 98-366 (pages 59-64)

Defining the Layers in the OSI Model

5. Use Wireshark to capture and analyze ICMP packets as follows

a. Download and install the Wireshark protocol analyzer (previously known as Ethereal) from: http://www.wireshark.org/. At the time of the writing of this book, the latest stable version is 1.2.8. Install WinPCap as part of the Wireshark installation.

b. Go back to the command prompt and run a continuous ping to another computer, for example, ping –t 192.168.1.2. Verify that you get replies, and leave the command prompt open and pinging the other computer while you complete the packet capture.

c. In the Wireshark utility, select the interface that serves as your main network adapter from the Interface List. This will start the capture of data from that network adapter.

d. After a minute or so, stop the capture by clicking Capture on the menu bar and selecting Stop.

e. View the list of captured packets in the top half of the screen. In the Protocol column, you should see many ICMP packets. Select one that says “reply” in the Info column. When you do so, the packet’s information should show up in the middle window pane, similar to Figure 2-5. The dark blue packet numbered 98 in the figure is the highlighted packet. Now, let’s drill down to see the details of the packet.

TAKE NOTE: Hardware-based and personal firewalls can possibly block some of the following tests and exercises. You might need to disable one or more firewalls to complete the exercises properly.

Figure 2-5: Wireshark packet capture


38 | Lesson 2

f. Click the + sign next to Internet Control Message Protocol to expand it and display the contents. This should display information about the ICMP packet, such as the fact that it is a reply packet, the checksum, the sequence number, and so on.

g. Click the + sign next to Internet Protocol. This will show you the version of IP used (IPv4), the size of the packet, and the source and destination IP addresses for the embedded ICMP packet. Both the ICMP and IP pieces of information correspond to the network layer of the OSI model.

h. Now click the + sign next to Ethernet. This is the network architecture used on the data link layer. This field of information tells you the source and destination MAC addresses of the computers involved in the ping transaction.

i. Now click the + sign next to Frame (there will be a frame number next to the word “Frame”). This tells you the size of the frame captured, as well as when it was captured. These are the frames of information that the Wireshark application actually captures directly from the network adapter.

Notice that the Ethernet frame is larger than the IP packet. That is because the IP packet is encapsulated into the frame. The encapsulation process started when the command prompt sent a 32-byte ping (ICMP packet). This ping was then placed inside an IP packet with a total size of 60 bytes. The additional 28 bytes are known as layer 3 overhead, broken down between 20 bytes for the header (includes the IP source and destination addresses) and 8 bytes for additional overhead information (for example, a trailer or checksum). Then, the IP packet was sent to the network adapter, where it was placed inside a frame. The frame added its own layer 2 overhead, an additional 14 bytes including the source and destination MAC address. This brought the grand total to 74 bytes—more than double what we started with.

The frame was then sent out from the other computer’s network adapter (in an effort to reply to the pinging computer) as a serial bit stream across the network medium on the physical layer.

This is what happens with every single communication, and the OSI model, particularly the communications subnetwork layers 1 through 3, helps us define what is happening behind the scenes by categorizing each step with a different layer.
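The encapsulation just described, as an added Python example that is not part of the textbook: it builds the echo reply frame the pinged host sends back and then dissects it layer by layer the way Wireshark's middle pane does, so the 32 / 60 / 74 byte sizes and both checksums can be checked. The MAC addresses, IP identification field and frame sequence number are constructed sample values; in this example the 8 bytes of additional overhead are the ICMP header fields (type, code, checksum, identifier, sequence).

```python
import struct
from ipaddress import IPv4Address

PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # the 32-byte ping data from the text

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum shared by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_reply(payload, seq, src_ip, dst_ip, src_mac, dst_mac):
    """Encapsulate: payload -> ICMP (+8 bytes) -> IPv4 (+20 bytes) -> Ethernet (+14 bytes)."""
    icmp = struct.pack("!BBHHH", 0, 0, 0, 1, seq) + payload  # type 0 = echo reply
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 128, 1,
                     0, IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + icmp  # EtherType 0x0800 = IPv4

def dissect(frame: bytes) -> dict:
    """Walk the frame as Wireshark's middle pane does: Ethernet -> IP -> ICMP."""
    src_mac = frame[6:12]
    ihl = (frame[14] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", frame[16:18])[0]  # IP total length field
    ip_hdr = frame[14:14 + ihl]
    icmp = frame[14 + ihl:14 + total_len]
    icmp_type, _code, _sum, _ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "frame_len": len(frame),              # 74: what the Frame line reports
        "ip_total_len": total_len,            # 60: the IP packet
        "icmp_len": len(icmp),                # 40: 8-byte ICMP header + data
        "payload_len": len(icmp) - 8,         # 32: the original ping data
        "is_reply": icmp_type == 0,
        "seq": seq,
        "src_mac": src_mac.hex(":"),
        "src_ip": str(IPv4Address(ip_hdr[12:16])),
        "dst_ip": str(IPv4Address(ip_hdr[16:20])),
        "ip_checksum_ok": inet_checksum(ip_hdr) == 0,   # a valid header sums to 0
        "icmp_checksum_ok": inet_checksum(icmp) == 0,
    }

def demo() -> dict:
    # Constructed reply from 192.168.1.2 (the pinged host) back to 192.168.1.1
    frame = build_echo_reply(PING_PAYLOAD, 98, "192.168.1.2", "192.168.1.1",
                             bytes.fromhex("001122aabbcc"), bytes.fromhex("001122ddeeff"))
    return dissect(frame)
```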

Routers also reside on the network layer. Routers make connections between one or more IP networks. They are known as the gateway to another IP network, and you may utilize their IP address in the Gateway address field of a computer’s IP Properties window to allow the computer access to other networks. Don’t confuse this definition of a gateway with the application layer gateway that will be defined later. Routers use protocols such as Routing Information Protocol (RIP) and Open Shortest Path First (OSPF) to direct packets to other routers and networks.

UNDERSTANDING LAYER 3 SWITCHING

Switches also reside on the network layer. A layer 3 switch differs from a layer 2 switch in that it determines paths for data using logical addressing (IP addresses) instead of physical addressing (MAC addresses). Layer 3 switches are similar to routers—it’s how a network engineer implements the switch that makes it different. Layer 3 switches forward packets, whereas layer 2 switches forward frames. Layer 3 switches are usually managed switches; the network engineer can manage them utilizing the Simple Network Management Protocol (SNMP), among other tools. This allows the network engineer to analyze all of the packets that pass through the switch, which can’t be done with a layer 2 switch. A layer 2 switch is more like an advanced version of a bridge, whereas a layer 3 switch is more like a router.

Layer 3 switches are used in busy environments in which multiple IP networks need to be connected together.

CERTIFICATION READY 2.1: Can you define the differences between layer 2 and layer 3 switches?

TAKE NOTE: There are many protocol analyzers available. Microsoft incorporates one called Network Monitor into Windows Server products.


CERTIFICATION READY 3.1: How do you define the upper layers of the OSI model?

In the following exercises, you will do the following:

• Define the transport layer by showing connections in the command prompt and describing ports.

• Define the session layer by logging into Web sites and other servers, as well as logging on and off of Microsoft networks and email programs.

• Define the presentation layer by showing encryption in Windows and within Web sites.

• Define the application layer by capturing web server packets and analyzing them.

Layer 4 governs the transmission of messages through the communications subnetwork. Two common TCP/IP protocols that are utilized on this layer include the Transmission Control Protocol (TCP), which is a connection-oriented protocol, and the User Datagram Protocol (UDP), which is connectionless. An example of an application that uses TCP is a web browser, and an example of an application that uses UDP is streaming media. When you download a web page, you don’t want to lose any packets of information because graphics would appear broken, certain text wouldn’t read correctly, and so on. By using TCP, we ensure that data gets to its final destination. If a packet is lost along the way, it will be resent until the destination computer acknowledges delivery or ends the session. But with streaming media, we are either watching or listening in real time. So, if a packet is lost, we don’t really care, because that time frame of the video or music has already passed. Once the packet is lost, we really don’t want it back. Of course, if the packet loss becomes too severe, the streaming media will become incomprehensible.

Connection-oriented (also known as CO mode) communications require that both devices or computers involved in the communication establish an end-to-end logical connection before data can be sent between the two. These connection-oriented systems are often considered reliable network services. If an individual packet is not delivered in a timely manner, it is resent; this can be done because the sending computer established the connection at the beginning of the session and knows where to resend the packet.

In connectionless communications (CL mode), no end-to-end connection is necessary before data is sent. Every packet that is sent has the destination address located in its header. This is sufficient to move independent packets, such as in the previously mentioned streaming media. But if a packet is lost, it cannot be resent, because the sending computer never established a logical connection and doesn’t know which logical connection to use to send the failed packet.

Layer 4 also takes care of the ports that a computer uses for data transmission. Ports act as logical communications endpoints for computers. There are a total of 65,536 ports, numbering between 0 and 65,535. They are defined by the Internet Assigned Numbers Authority or IANA and divided into categories as shown in Table 2-1.

Defining the Upper OSI Layers

THE BOTTOM LINE: The upper OSI layers are layers 4 through 7—the transport, session, presentation, and application layers. It is this portion of the OSI model that deals with protocols such as HTTP, FTP, and mail protocols. Compression, encryption, and session creation are also classified by these layers.


Table 2-1: IANA port categories (port range, category type, description)

0–1023: Well-known ports. This range defines commonly used protocols (e.g., FTP utilizes port 21 to accept client connections).

1024–49,151: Registered ports. Ports used by vendors for proprietary applications. These must be registered with the IANA (e.g., Microsoft registered 3389 for use with the Remote Desktop Protocol).

49,152–65,535: Dynamic and private ports. These ports can be used by applications, but they cannot be registered by vendors.

Port numbers correspond to specific applications; for example, port 80 is used by web browsers via the HTTP protocol. It is important to understand the difference between inbound and outbound ports:

Inbound ports: These are used when another computer wants to connect to a service or application running on your computer. Servers primarily use inbound ports so that they can accept incoming connections and serve data. IP addresses and port numbers are combined together, for example, a server’s IP/port 66.249.91.104:80 is the IP address 66.249.91.104 with port number 80 open in order to accept incoming web page requests.

Outbound ports: These are used when your computer wants to connect to a service or application running on another computer. Client computers primarily use outbound ports, and these are assigned dynamically by the operating system.

There are a lot of ports and corresponding protocols you should know. Although you don’t need to know all 65,536 ports, Table 2-2 highlights some of the basic ones that you should memorize.

Table 2-2: Ports and associated protocols (port number, associated protocol, full name)

21: FTP (File Transfer Protocol)

22: SSH (Secure Shell)

23: Telnet (Terminal Network)

25: SMTP (Simple Mail Transfer Protocol)

53: DNS (Domain Name System)

80: HTTP (Hypertext Transfer Protocol)

88: Kerberos (Kerberos)

110: POP3 (Post Office Protocol Version 3)

119: NNTP (Network News Transfer Protocol)

137–139: NetBIOS (NetBIOS Name, Datagram, and Session Services, respectively)

143: IMAP (Internet Message Access Protocol)


DEFINE THE TRANSPORT LAYER

GET READY. Let’s take a look at ports and the transport layer in action by performing the following steps:

1. Open a web browser and connect to www.google.com.

2. Open the command prompt and type the command netstat -an. This will display a list of all the connections to and from your computer in numeric format, as shown in Figure 2-6. Note the two Google connections. We know this is Google because the IP address for the Google Web site is 66.249.91.104. (You can test this by pinging that IP address or by entering the IP address into your web browser’s address field.) The two connections were initialized by the local computer on outbound ports 49166 and 49167. Google is accepting these connections on its web server’s inbound port 80.

You will note that the left-hand column named “Proto” has these connections marked as TCP. So, as we mentioned earlier, HTTP connections utilize TCP on the transport layer, and they are therefore connection-oriented communications.

Table 2-2 (continued): Ports and associated protocols (port number, associated protocol, full name)

161: SNMP (Simple Network Management Protocol)

389: LDAP (Lightweight Directory Access Protocol)

443: HTTPS (Hypertext Transfer Protocol Secure; uses TLS or SSL)

445: SMB (Server Message Block)

1701: L2TP (Layer 2 Tunneling Protocol)

1723: PPTP (Point-to-Point Tunneling Protocol)

3389: RDP (Remote Desktop Protocol, Microsoft Terminal Server)

Figure 2-6: Netstat command (Google connections)
