How Network Traffic Flows - Getting Started
Gideon T. Rasmussen - CISSP, CFSO, CFSA, SCSA
To troubleshoot an issue, you need to know how network traffic flows under normal circumstances. This article details what happens when a Web browser is used to access a Web site.

Once the Web site name is entered into a Web browser, a series of communications occurs over various protocols. The table below represents how the network traffic flows:
| Line | Protocol | Source | Destination | Data |
|---|---|---|---|---|
| 1 | ARP | 10.0.1.13 | Broadcast | Who has 10.0.1.1? Tell 10.0.1.13 |
| 2 | ARP | 10.0.1.1 | 10.0.1.13 | 10.0.1.1 is at 00:80:c8:57:d3:aa |
| 3 | DNS | 10.0.1.13 | 10.0.1.1 | |
| 4 | DNS | 10.0.1.1 | 10.0.1.13 | Standard query response CNAME cyberguard.com A 64.94.50.88 |
| 5 | TCP | 10.0.1.13 | 64.94.50.88 | 1939 > http [SYN] |
| 6 | TCP | 64.94.50.88 | 10.0.1.13 | http > 1939 [SYN, ACK] |
| 7 | TCP | 10.0.1.13 | 64.94.50.88 | 1939 > http [ACK] |
| 8 | HTTP | 10.0.1.13 | 64.94.50.88 | GET / HTTP/1.1 |
| 9 | HTTP | 64.94.50.88 | 10.0.1.13 | HTTP/1.1 200 OK |
| 10 | HTTP | 64.94.50.88 | 10.0.1.13 | HTTP Continuation |
| 11 | TCP | 10.0.1.13 | 64.94.50.88 | 2577 > http [ACK] Seq=388864 Ack=37076821 Win=8241 Len=0 |
| 12 | TCP | 10.0.1.13 | 64.94.50.88 | 2577 > http [RST] Seq=388864 Ack=37077089 Win=0 Len=0 |
The ARP Protocol

Before systems can communicate, they need to know each other's hardware (MAC) addresses. The Address Resolution Protocol (ARP) is used for this purpose. From its configuration, the workstation knows the IP address of the DNS server (10.0.1.1), but not yet its hardware address, so ARP comes first. ARP only resolves addresses on the local subnet: no ARP request for the Web server (64.94.50.88) appears anywhere in the table, because frames for an off-subnet destination are addressed to the hardware address of the default gateway instead.
Line # 1

| Protocol | Source | Destination | Data |
|---|---|---|---|
| ARP | 10.0.1.13 | Broadcast | Who has 10.0.1.1? Tell 10.0.1.13 |

The workstation broadcasts a request to the devices on its network asking "who has" the IP address it needs to communicate with.
Line # 2

| Protocol | Source | Destination | Data |
|---|---|---|---|
| ARP | 10.0.1.1 | 10.0.1.13 | 10.0.1.1 is at 00:80:c8:57:d3:aa |

The DNS server (10.0.1.1) responds directly to the workstation, providing its hardware address. Now that the workstation knows the hardware address of 10.0.1.1, it can address frames to it. Note that the reply is unicast to the requester rather than broadcast, and that the workstation caches the answer, which is why no further ARP traffic appears for the rest of the session.
The DNS Protocol

The Domain Name System (DNS) protocol is used to resolve host names to IP addresses. When a Web site name is entered into a browser, the workstation needs to know the corresponding IP address to reach the Web server hosting the site. The query and response are normally carried in UDP datagrams to port 53 on the DNS server.
Line # 3

| Protocol | Source | Destination | Data |
|---|---|---|---|
| DNS | 10.0.1.13 | 10.0.1.1 | |

The workstation asks the DNS server to provide the IP address of the Web server hosting www.cyberguard.com.
Line # 4

| Protocol | Source | Destination | Data |
|---|---|---|---|
| DNS | 10.0.1.1 | 10.0.1.13 | Standard query response CNAME cyberguard.com A 64.94.50.88 |

The DNS server responds with the IP address corresponding to www.cyberguard.com. The answer actually contains two records: a CNAME record stating that www.cyberguard.com is an alias for cyberguard.com, followed by the A record for cyberguard.com, 64.94.50.88. The workstation follows the alias to the address and uses 64.94.50.88 for the rest of the session.
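The two-record answer described above is easier to see in the raw message than in Ethereal's one-line summary. The following Python is an added example, not part of the original article or any CyberGuard tool: it builds a response carrying the same CNAME and A records (the transaction ID and TTL are assumed values the capture does not show), parses it back using the name compression real servers use, and follows the alias chain to the address. The pointer-loop guard in decode_name is the check a practitioner would want before pointing such a parser at captured traffic.

```python
import struct

# Constructed example: a DNS response of the shape Ethereal summarised on
# line 4 as "Standard query response CNAME cyberguard.com A 64.94.50.88".
# The transaction ID and TTL are assumptions; the capture does not show them.

A, CNAME = 1, 5
TYPE_NAMES = {A: "A", CNAME: "CNAME"}


def encode_name(name):
    """Encode a dotted host name as DNS labels, uncompressed."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_response(txid, qname, cname_target, addr, ttl=300):
    """Build a response: <qname> CNAME <cname_target>, <cname_target> A <addr>."""
    # Flags 0x8180: response, recursion desired and available, RCODE 0 (no error).
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", A, 1)      # QTYPE=A, QCLASS=IN
    qname_ptr = b"\xc0\x0c"            # compression pointer to the question name at offset 12
    cname_rdata = encode_name(cname_target)
    answer1 = qname_ptr + struct.pack("!HHIH", CNAME, 1, ttl, len(cname_rdata)) + cname_rdata
    # The A record's owner is the CNAME target, which already appears inside
    # answer1's RDATA, so point at it instead of spelling it out again.
    target_off = len(header) + len(question) + len(qname_ptr) + 10
    target_ptr = struct.pack("!H", 0xC000 | target_off)
    answer2 = target_ptr + struct.pack("!HHIH", A, 1, ttl, 4) + bytes(int(o) for o in addr.split("."))
    return header + question + answer1 + answer2


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, resume, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                        # compression pointer
            hops += 1
            if hops > 16:                                 # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            if resume is None:
                resume = offset + 2                       # parsing continues after the first pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (resume if resume is not None else offset)


def parse_response(msg):
    """Return (txid, question name, [(owner, type, data), ...]) from a response."""
    txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, offset = decode_name(msg, 12)
    offset += 4                                           # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        owner, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == A:
            data = ".".join(str(b) for b in msg[offset:offset + rdlen])
        elif rtype == CNAME:
            data, _ = decode_name(msg, offset)
        else:
            data = msg[offset:offset + rdlen].hex()
        answers.append((owner, TYPE_NAMES.get(rtype, str(rtype)), data))
        offset += rdlen
    return txid, qname, answers


def summarize(answers):
    """Reproduce Ethereal's one-line summary of the answer section."""
    return "Standard query response " + " ".join(f"{t} {d}" for _, t, d in answers)


def resolve(qname, answers):
    """Follow CNAMEs from qname until an A record is found (None if the chain breaks)."""
    name = qname
    for _ in range(len(answers) + 1):
        for owner, rtype, data in answers:
            if owner == name and rtype == "A":
                return data
            if owner == name and rtype == "CNAME":
                name = data
                break
    return None


if __name__ == "__main__":
    msg = build_response(0x1234, "www.cyberguard.com", "cyberguard.com", "64.94.50.88")
    txid, qname, answers = parse_response(msg)
    print(summarize(answers))
    print(qname, "->", resolve(qname, answers))
```

The point worth noticing when reading such a response by hand is that the A record's owner is the CNAME target, not the name that was queried; a resolver (or an analyst verifying a suspicious answer) has to walk the chain rather than take the first address in the packet.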
The TCP Protocol

The Transmission Control Protocol (TCP) is a connection-oriented protocol used to transfer data reliably: every byte is sequenced and acknowledged, and a connection must be set up before data flows. These next three lines comprise the TCP three-way handshake:
Line # 5

| Protocol | Source | Destination | Data |
|---|---|---|---|
| TCP | 10.0.1.13 | 64.94.50.88 | 1939 > http [SYN] |

The workstation initiates the connection to the Web server (SYN). SYN is an abbreviation for "synchronize." The notation "1939 > http" means the segment goes from source port 1939, an ephemeral port chosen by the workstation, to destination port 80, which Ethereal labels with the service name http.
Line # 6

| Protocol | Source | Destination | Data |
|---|---|---|---|
| TCP | 64.94.50.88 | 10.0.1.13 | http > 1939 [SYN, ACK] |

The Web server responds indicating that it is willing to accept the connection (SYN ACK). SYN ACK is an abbreviation for "synchronize acknowledgement": the server acknowledges the workstation's SYN and sends its own. If port 80 were closed, a RST would come back here instead; if a firewall silently dropped the SYN, nothing would come back and the workstation would retransmit it.
Line # 7

| Protocol | Source | Destination | Data |
|---|---|---|---|
| TCP | 10.0.1.13 | 64.94.50.88 | 1939 > http [ACK] |

The workstation acknowledges the server's SYN (ACK). This acknowledgement completes the handshake: the TCP connection is now established and data can begin to flow in both directions.
The HTTP Protocol

The Hyper Text Transfer Protocol (HTTP) is used to serve up Web pages. You can see evidence of this from the Web site address in your browser (e.g. http://www.cyberguard.com). HTTP requests and responses are carried as data inside the TCP connection that was just established.
Line # 8

| Protocol | Source | Destination | Data |
|---|---|---|---|
| HTTP | 10.0.1.13 | 64.94.50.88 | GET / HTTP/1.1 |

The browser sends its first request over the established connection: GET asks for the resource "/", the site's home page, using HTTP version 1.1. The connection itself was opened by lines 5 to 7; this is the first data to travel over it.
Line # 9

| Protocol | Source | Destination | Data |
|---|---|---|---|
| HTTP | 64.94.50.88 | 10.0.1.13 | HTTP/1.1 200 OK |

The Web server answers the request. The status line "HTTP/1.1 200 OK" means the request succeeded and the page follows; a 404 here would mean the path was not found, and a 3xx status would redirect the browser elsewhere.
Line # 10

| Protocol | Source | Destination | Data |
|---|---|---|---|
| HTTP | 64.94.50.88 | 10.0.1.13 | HTTP Continuation |

"HTTP Continuation" is Ethereal's label for the additional TCP segments carrying the rest of the response: the contents of the HTML page, including text, links and so on, that did not fit in the segment that carried the status line.
Back to the TCP Protocol

Line # 11

| Protocol | Source | Destination | Data |
|---|---|---|---|
| TCP | 10.0.1.13 | 64.94.50.88 | 2577 > http [ACK] Seq=388864 Ack=37076821 Win=8241 Len=0 |

This line is actually repeated four times. The workstation is acknowledging data it has received: Len=0 means the segment carries no data of its own, Ack is the next sequence number it expects from the server, and Win is how much more it is prepared to receive. Note the source port, 2577 rather than 1939. Lines 11 and 12 belong to a second connection from the workstation to the same Web server, not to the connection that carried the GET in line 8. Browsers commonly open additional connections to fetch a page's embedded objects, which is the likely explanation here; the handshake for this second connection is not shown in the excerpt.
Line # 12 (RST)

| Protocol | Source | Destination | Data |
|---|---|---|---|
| TCP | 10.0.1.13 | 64.94.50.88 | 2577 > http [RST] Seq=388864 Ack=37077089 Win=0 Len=0 |

The workstation sends a reset, effectively tearing down the TCP connection. A reset is an abortive close: unlike the orderly FIN/ACK exchange, it discards any unacknowledged data and requires no reply from the server. Some client stacks and browsers close finished connections this way, so a RST from the client is not by itself a sign of trouble; a RST from the server in response to a SYN, on the other hand, means the port is closed.
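To make the port observation concrete, the following Python is an added example (not code from the article) that runs a minimal TCP state machine over the table's TCP rows, reproduced here as constructed input. It maps Ethereal's service names back to port numbers, matches both directions of a conversation to one connection, and reports which connections completed a handshake and how they closed; lines 11 and 12 come out as a separate, mid-stream connection reset by the client. The HTTP rows are left out because Ethereal's summary of them shows no ports, so they cannot be assigned to a connection from the summary alone.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the TCP rows of the table above, as (source, destination, data).
ROWS = [
    ("10.0.1.13", "64.94.50.88", "1939 > http [SYN]"),
    ("64.94.50.88", "10.0.1.13", "http > 1939 [SYN, ACK]"),
    ("10.0.1.13", "64.94.50.88", "1939 > http [ACK]"),
    ("10.0.1.13", "64.94.50.88", "2577 > http [ACK] Seq=388864 Ack=37076821 Win=8241 Len=0"),
    ("10.0.1.13", "64.94.50.88", "2577 > http [RST] Seq=388864 Ack=37077089 Win=0 Len=0"),
]

# Ethereal replaces well-known ports with service names; map them back.
SERVICE_PORTS = {"http": 80, "https": 443, "domain": 53, "ftp": 21, "smtp": 25}
INFO_RE = re.compile(r"^(\S+) > (\S+) \[([A-Z, ]+)\]")


def port_number(token):
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


@dataclass
class Connection:
    client: tuple                 # (ip, port) of the side that sent the SYN, or of the first packet seen
    server: tuple
    state: str = "NEW"
    close: str = None             # "FIN", "RST" or None if no close was seen
    flags_seen: list = field(default_factory=list)


def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a conversation match one connection."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def track(rows):
    """Run a minimal TCP state machine over summary rows; return connections keyed by flow."""
    conns = {}
    for src, dst, info in rows:
        m = INFO_RE.match(info)
        if not m:
            raise ValueError(f"unrecognised TCP summary: {info!r}")
        sport, dport = port_number(m.group(1)), port_number(m.group(2))
        flags = {f.strip() for f in m.group(3).split(",")}
        key = flow_key(src, sport, dst, dport)
        conn = conns.setdefault(key, Connection((src, sport), (dst, dport)))
        conn.flags_seen.append("/".join(sorted(flags)))
        if "RST" in flags:
            conn.state, conn.close = "RESET", "RST"
        elif "FIN" in flags:
            conn.state, conn.close = "CLOSING", "FIN"
        elif flags == {"SYN"}:
            conn.state = "SYN_SENT"
            conn.client, conn.server = (src, sport), (dst, dport)   # the SYN sender is the client
        elif flags == {"SYN", "ACK"} and conn.state == "SYN_SENT":
            conn.state = "SYN_RECEIVED"
        elif "ACK" in flags and conn.state == "SYN_RECEIVED":
            conn.state = "ESTABLISHED"
        elif conn.state == "NEW":
            conn.state = "MIDSTREAM"      # traffic with no handshake in this excerpt
    return conns


def report(conns):
    """One line per connection, in the order the connections were first seen."""
    lines = []
    for c in conns.values():
        lines.append(f"{c.client[0]}:{c.client[1]} -> {c.server[0]}:{c.server[1]}"
                     f"  state={c.state}  close={c.close}  flags={' '.join(c.flags_seen)}")
    return lines


if __name__ == "__main__":
    for line in report(track(ROWS)):
        print(line)
```

The MIDSTREAM state is the one to watch when troubleshooting: a connection that shows data or acknowledgements but no handshake either started before the capture did, or, as here, is a connection the excerpt simply does not show from the beginning.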
Tcpdump and Ethereal

It is important to note that tcpdump will show different details depending on where it runs on your network. In this example, tcpdump was run on the internal interface of the firewall with a directly connected workstation. If tcpdump were used to monitor the same traffic flow on the external interface, the source IP address would appear as the external interface of the firewall, providing that dynamic (source) network address translation was in place; the frames would also carry the firewall's external hardware address rather than the workstation's. To observe how proxy traffic flows, it makes sense to run tcpdump on both the internal and external interfaces, as the proxy acts as a middleman between the source and destination: the external capture shows a connection that the proxy itself originated, with its own source port.
The source of the table was a tcpdump file viewed through Ethereal. The exact syntax used was: "tcpdump -vvpni dec1 -s1514 -w /archive2/dec1.dmp host 10.0.1.13". Taking the options in turn: -vv asks for verbose output, -p leaves the interface out of promiscuous mode (so only frames addressed to that interface, plus broadcasts, are captured), -n suppresses name and port lookups so the capture records raw addresses, -i dec1 selects the interface, -s1514 sets the snapshot length to a full Ethernet frame so that nothing is truncated, -w writes the raw packets to a file instead of printing them, and the expression "host 10.0.1.13" limits the capture to packets to or from the workstation. The tcpdump command has extensive options for recording very specific traffic flows (i.e. source/destination, ports, and Boolean expressions). For more information, enter "man tcpdump" on the command line. The Windows version is Windump (http://windump.polito.it).

Ethereal is a good tool to view tcpdump files. It is freely available from http://www.ethereal.com. (The project was later renamed Wireshark.)
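The following Python is an added example, not part of the article, that ties the ARP section to the capture file format discussed here: it writes the request and reply from lines 1 and 2 into a file in the classic libpcap format that "tcpdump -w" produces, reads it back honouring either byte order, and renders each frame the way Ethereal's summary pane would. The DNS server's hardware address is the one from line 2; the workstation's hardware address, the timestamps and the output file name are assumptions.

```python
import socket
import struct

# Constructed example: the ARP exchange from lines 1 and 2, written as a
# libpcap capture and read back. SERVER_MAC is from line 2 of the capture;
# WORKSTATION_MAC is assumed (the page never prints it).
WORKSTATION_MAC = bytes.fromhex("000000000001")   # assumed
SERVER_MAC = bytes.fromhex("0080c857d3aa")        # from line 2
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def arp_frame(oper, sha, spa, tha, tpa, dst_mac):
    """Ethernet frame carrying an ARP packet (RFC 826 layout, IPv4 over Ethernet)."""
    eth = dst_mac + sha + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
           + sha + socket.inet_aton(spa) + tha + socket.inet_aton(tpa))
    return eth + arp


def pcap_bytes(frames, snaplen=1514):
    """Serialise frames as a classic libpcap file: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_100_000_000 + i, 0, len(frame), len(frame)) + frame  # assumed timestamps
    return out


def read_pcap(data):
    """Return [(timestamp, frame), ...]; the magic number tells us the writer's byte order."""
    magic, = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a libpcap capture")
    linktype = struct.unpack(order + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    frames, offset = [], 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(order + "IIII", data[offset:offset + 16])
        offset += 16
        frames.append((ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]))
        offset += incl_len
    return frames


def summarize_frame(frame):
    """Render one frame as Ethereal's summary pane would: (protocol, source, destination, data)."""
    dst, src = frame[:6], frame[6:12]
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return ("?", mac_str(src), mac_str(dst), f"ethertype 0x{ethertype:04x}")
    _htype, _ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    p = 22
    sha, spa = frame[p:p + hlen], socket.inet_ntoa(frame[p + hlen:p + hlen + plen])
    p += hlen + plen
    tha, tpa = frame[p:p + hlen], socket.inet_ntoa(frame[p + hlen:p + hlen + plen])
    if oper == ARP_REQUEST:
        dst_col = "Broadcast" if dst == BROADCAST else mac_str(dst)
        return ("ARP", spa, dst_col, f"Who has {tpa}? Tell {spa}")
    info = f"{spa} is at {mac_str(sha)}"
    if sha != src:   # a reply whose ARP sender differs from the frame source deserves a second look
        info += f" (frame source {mac_str(src)} differs)"
    return ("ARP", spa, tpa, info)


def arp_exchange_pcap():
    """Capture file holding the broadcast request (line 1) and the unicast reply (line 2)."""
    request = arp_frame(ARP_REQUEST, WORKSTATION_MAC, "10.0.1.13", ZERO_MAC, "10.0.1.1", BROADCAST)
    reply = arp_frame(ARP_REPLY, SERVER_MAC, "10.0.1.1", WORKSTATION_MAC, "10.0.1.13", WORKSTATION_MAC)
    return pcap_bytes([request, reply])


def summarize_pcap(data):
    return [summarize_frame(frame) for _, frame in read_pcap(data)]


if __name__ == "__main__":
    capture = arp_exchange_pcap()
    with open("arp-example.dmp", "wb") as f:   # assumed file name; readable with "tcpdump -nr arp-example.dmp"
        f.write(capture)
    for row in summarize_pcap(capture):
        print(" | ".join(row))
```

Opening the written file with "tcpdump -nr" or Ethereal gives the same two summary lines as the table. The consistency check in summarize_frame is not on the page: it flags a reply whose ARP sender hardware address differs from the Ethernet source address, a cheap sanity check worth keeping in any ARP decoder used for analysis.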
Some of the ports present in a tcpdump may be unfamiliar to you. The most current list of port numbers can be found at http://www.iana.org/assignments/port-numbers (per RFC 3232).
Network Troubleshooting - A Complex Process Made Simple
E-mail Troubleshooting - The Mail Must Get Through!
DNS Troubleshooting - Everything Depends on It
Copyright © 2005 CyberGuard Corporation All Rights Reserved.
Reprinted with Permission