Free Protocol Inspector: Ethereal
Objective:
You will find here instructions on how and where to download a free protocol inspector called Ethereal. It’s not real pretty but it works…and it’s free. I use it through out this book.
Step-By-Step Instructions:
1. Go to www.ethereal.com (note: only one “r”; this is the “right” site shown in figure 1. The site spelled with two “r”s is a magazine…you will know you are at the wrong page if you see something in French, as in figure 2).
Figure 1—The “right” site. Figure 2—The “wrong site.”
2. On the left-hand side of the “Information” window click on “Download.”
3. Scroll down until you find the link for the windows operating system (see figure 3).
4. Click on the link for “local archive” (see figure 3).
Figure 3—Click on “local archive.” Figure 4—Click on Win_Pcap_3_0.exe (or most current version).
5. You need a driver library to make this work. Click on the WinPcap packet driver library link (see figure 4) and follow the instructions to save it first, then open it and install it. You may have to re-boot the machine. Make sure you get the latest or most current version. As I am writing this I know I have a WinPcap version 3.1 beta for a different protocol inspector, so it will be changing again soon.
6. Then you just need to select ethereal-setup-0.10.5a.exe and start the “main” program downloading. Then just follow the instructions during the setup and installation.
7. To start a capture use “control+K” then select your NIC card. By default this thing likes to use MAC as an interface (yeah…no icmp with MAC).
8. Then click on “ok.” You should see the counters start for each protocol. It will look something like this:
9. Now we need to generate some traffic. We can ping the other workstation. You should see the ICMP counter increase by 8. Four icmp packets sent to destination and four returned (“echoed”) from the destination. Then click on stop. The packets that were captured will load into Ethereal. You should see something like:
Notice how we have three frames within the window. The top one shows us basic overall information about the packets captured. When we highlight one, we are asking Ethereal to show us the contents of that packet. The middle frame is more user friendly: it shows us block by block what we are looking at. The bottom frame shows us the hexadecimal composition of the actual packet.
Supplemental Labs or Challenge Activities:
1. Go to the Ethereal website and find the sample packets. Get the one on IPv6.
How does it differ from IPv4? http://www.ethereal.com/sample/
2. Go to the web and look up 2001 Senate Bill 1562 that allows any law enforcement agent to “capture” packets from the internet at any time for any purpose…no subpoena required. They say they can only look at the first 65 bytes of header and footer information but we know better. Using your protocol inspector find out how much they can really see and cannot see.
3. What exactly is the WinPcap file? It’s actually really important, so go out and look it up on the web.
Keep track of updates and changes at http://www.spcollege.edu/star/cisco. Scroll to the bottom of the page and click on the “Lab Manual Edits.”
Free Protocol Inspector: Packetyzer
Objective:
You will find here instructions on how and where to download a free protocol inspector called Packetyzer. It has a few more pretty features than Ethereal, it is based upon the Ethereal “engine” if you will…and it too is free.
Step-By-Step Instructions:
1. Open a web window and type in http://www.packetyzer.com or http://www.networkchemistry.com/products/packetyzer/ (both will work).
2. Either scroll to the bottom of the page or click on download.
3. Click on Packetyzer 2.0.0.
4. Pick a download mirror and away you go!
5. If it does not work then try: http://voxel.dl.sourceforge.net/sourceforge/packetyzer/Packetyzer_2_0_0_Setup.exe
6. Now you just need to follow the instructions and install the software. It may even prompt you to go get the newest WinPcap file too.
7. Now you should see an icon on your desktop (unless you told it not to put one there). Click on it and you will see the main window:
[Screenshot of the main window; the toolbar buttons labelled are stop and start.]
9. One difference from Ethereal is the packets show up in more detail while they are being collected. Go ahead and have some fun…send out some icmp packets and you can look at them later. After a bit you can hit the stop button and more thoroughly analyze the packets. Here is one of my samples:
10. Ok…a bit similar to Ethereal, except on the bottom we see some little tabs. These are the pretty things. Click on the protocols tab. You will get a bar chart view of the protocols in use.
11. You can see all of the same features, things in hex, summaries, and packet structures. Which one do I think is better? The one that works best for you.
12. You can still sort in ascending or descending order by clicking on summary. This sorted my protocols alphabetically. You can quickly see all ARP packets grouped together here. Notice how I have highlighted the target MAC address in the left pane and the corresponding hex information is also highlighted in the lower right panel. We’ll talk about this a bit more in the next lab.
Ethernet Packet Structures
Objective:
To learn about the structure of Ethernet packets.
Background:
So far we have been talking about networking and packets passing over the network. In this lab we will look at the precise structure of packets. Later when we use protocol inspectors you will be able to understand the information better.
Ethernet
Ethernet generally refers to a standard developed by a consortium of the Digital Equipment Corporation (DEC), Intel, and Xerox. It is one of the most widely used encapsulation standards in use for networking today. There have been many versions and revisions to it over the past twenty years, so trying to “nail down” the exact structure of an Ethernet packet is as easy as nailing jello to the wall. Simply put, you need to be more specific about which Ethernet packet structure you want to examine. There have been many different types of Ethernet, or “flavors” if you will, and we will look at the two most common ones: the “generic Ethernet” and “Ethernet SNAP.” Basically our two Ethernet packet structures are the same, except the SNAP packet uses part of the data field for LLC sub-layer and SNAP information. In either case the minimum/maximum size of our Ethernet packet is 64-1518 bytes. If the information in the data field is smaller than the minimum size allowed, it will be “padded” with contiguous zeros to fill the data field up to the minimum size.
802.2/802.3 Ethernet (RFC 894)
Preamble SOF DA SA Type Data FCS
Figure 1—Generic Ethernet packet structure.
This “Standard for the Transmission of IP Datagrams Over Ethernet Networks” was written by Charles Hornig in 1984 (ftp://ftp.isi.edu/in-notes/rfc894.txt ).
Stripped by the NIC:
The preamble can vary in length. The preamble basically is used to help set up the transmission and reception of the information through synchronization. The actual amounts of bits have varied over the years but the principle is still the same: a series of alternating zeroes and ones encompass the preamble. Some of these can be lost during transmission but that is ok. The incoming stream of bits “establishes” that the reception of a packet has started. Most agree on 62 bits. (In hex: 1555555555555. In binary: 0101010101010101010101010101010101010101010101010101010101010101010101010101010101.) You will not see this with a protocol sniffer because it is stripped and dumped. What? You don’t believe me? Good, never believe what you read…go out and test it for yourself! Here I have the packet shown with frame header information highlighted in the left panel. Notice how the corresponding information does NOT show up in the hexadecimal panel on the lower right. Very interesting, indeed.
The Start of Frame Delimiter (SOF) further helps to set up the transmission and reception of the information and synchronization. This is only a 2-bit portion with just two one’s. No matter how many zeros and one’s come before the SOF the NIC does nothing until it gets to the one-one (SOF). This information is stripped by the NIC and the NIC can “do its work” on the rest of the packet. (In hex: 3 In binary: 11) You will not see this with a protocol sniffer because it is stripped and dumped.
For example: 0101010101010101010101010101010101010 11 (preamble, then SOF)
The Source Address (SA) is the physical address (MAC) of the networking device sending the information. This is 48 bits in hexadecimal.
The Type indicates what type of request will follow. This will be given in hexadecimal. This field is usually 2 bytes. A 0800 in the type field indicates an IP datagram will follow. A 0806 in the type field indicates an ARP request will follow. A 0835 in the type field indicates a RARP request will follow. Let’s “see” this from an ARP packet I captured on my network using Packetyzer. I highlighted the ARP type in the left pane.
Current type codes can be found at http://www.iana.org/numbers.html# or http://www.cavebear.com/CaveBear/Ethernet/type.html
Type code: For:
0000-05DC IEEE 802.3 Length Field (0 to 1500 decimal)
0101-01FF Experimental
0800 Internet Protocol (IP)
0806 Address Resolution Protocol (ARP) (for IP and for CHAOS)
0BAD Banyan Systems
6010-6014 3Com Corporation
7034 Cabletron
8037 IPX
8060 Little Machines
8068 General Dynamics
8069 AT&T
809B EtherTalk (AppleTalk over Ethernet)
80E0-80E3 Allen-Bradley
80F3 AppleTalk Address Resolution Protocol (AARP)
8138 Novell, Inc.
86DD IP version 6
AAAA DECNET? Used by VAX 6220 DEBNI
The Data is what it sounds like…it’s the “meat” of the information transmitted. For “generic” Ethernet this can be as small as 46 bytes and up to 1500 bytes. The first part of the data field contains the IP header information. See the discussion below on the composition of the data field for both types of Ethernet packets.
The Frame Check Sequence (FCS) is the CRC information for error control. This is 4 bytes in hexadecimal. There are many different error control calculations. (Is it a coincidence there are many flavors of Jello © too?) I described one in an earlier lab using unique prime numbers. Another FCS calculation is called “AUTODIN II.” It is calculated using this generator polynomial:
x^32 + x^26 + x^23 + x^22 + x^16 + x^12 + x^11 + x^10 + x^8 + x^7 + x^5 + x^4 + x^2 + x + 1
802.2/802.3 Ethernet (RFC 1042)
802.3 MAC Information 802.2 Info
Preamble SOF DA SA Length LLC SNAP Data FCS
Figure 2—Ethernet SNAP packet structure.
The “Standard for the Transmission of IP Datagrams Over IEEE 802 Networks” was written by Postel and Reynolds in 1988 (ftp://ftp.isi.edu/in-notes/rfc1042.txt ). This is more commonly used today.
Stripped by the NIC:
The preamble can vary in length. The preamble basically is used to help set up the transmission and reception of the information through synchronization. The actual amounts of bits have varied over the years but the principle is still the same: a series of alternating zeroes and ones encompass the preamble. Some of these can be lost during transmission but that is ok. The incoming stream of bits “establishes” that the reception of a packet has started. Most agree on 62 bits. (In hex: 1555555555555. In binary: 0101010101010101010101010101010101010101010101010101010101010101010101010101010101.) You will not see this with a protocol sniffer because it is stripped and dumped.
The Destination Address (DA) is the physical address (MAC) of the networking device the information is going to be sent to. This is 48 bits in hexadecimal. This will be the first “bits” of information you will see with a protocol inspector.
The Source Address (SA) is the physical address (MAC) of the networking device sending the information. This is 48 bits in hexadecimal.
The Length indicates how much information will follow (but not including the CRC information).
802.2 LLC: DSAP SSAP con | 802.2 SNAP: Org Type
The 802.2 LLC packet is composed of three fields:
The Destination Service Access Point (DSAP) field determines what protocol this is coming from (Novell/IP etc). The DSAP field is usually set to 0xaa for Ethernet. This is 1 byte.
The Source Service Access Point (SSAP) field determines what protocol this is going to (Novell/IP etc). The SSAP field is usually set to 0xaa for Ethernet. This is 1 byte.
The Control (con) is 1 byte long and is usually set to a hexadecimal 03 for Ethernet.
The 802.2 SNAP packet is composed of two fields:
The Organization Code (Org) is 3 bytes that are all usually set to zeros. In hexadecimal that would be 000000.
The Type indicates what types of request will follow. This will be given in hexadecimal. This field is usually 2 bytes. A 0800 in the type field indicates an IP datagram will follow. A 0806 in the type field indicates an ARP request will follow. A 0835 in the type field indicates a RARP request will follow. Current type codes can be found at http://www.iana.org/numbers.html#
The Data is what it sounds like…it’s the “meat” of the information transmitted. For “generic” Ethernet this can be as small as 46 bytes and up to 1500 bytes. The first part of the data field contains the LLC information, then the SNAP information and finally the IP header information. See the discussion below on the composition of the data field for both types of Ethernet packets.
The Frame Check Sequence (FCS) is the CRC information for error control. This is 4 bytes in hexadecimal. There are many different error control calculations. (Is it a coincidence there are many flavors of jello too?) I described one in an earlier lab using unique prime numbers.
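To tie the two packet structures together, here is an added example (my own code, not from the lab manual or from Ethereal/Packetyzer) that builds and parses both a “generic” RFC 894 frame and an RFC 1042 LLC/SNAP frame, uses the 0x05DC boundary from the type-code table to tell a length from a type, and checks the FCS with the AUTODIN II polynomial (the CRC-32 that zlib implements). The sample frames are constructed here, not captures from the lab, and the FCS byte order is this example’s own convention.

```python
import struct
import zlib

# Boundary from the type-code table above: 0x0000-0x05DC is an 802.3 length.
MAX_8023_LENGTH = 0x05DC
SNAP_LLC = b"\xaa\xaa\x03"      # DSAP 0xAA, SSAP 0xAA, control 0x03

def fcs(frame_without_fcs: bytes) -> int:
    """CRC-32 over DA..data with the AUTODIN II polynomial (x^32+x^26+...+x+1), as zlib implements it."""
    return zlib.crc32(frame_without_fcs) & 0xFFFFFFFF

def build_frame(dst: bytes, src: bytes, type_or_len: int, body: bytes) -> bytes:
    """Constructed sample frame: pad the data up to the 64-byte minimum, then append the FCS
    (this example stores the CRC least-significant byte first; an assumption, not from the page)."""
    frame = dst + src + struct.pack("!H", type_or_len) + body
    frame += b"\x00" * max(0, 60 - len(frame))
    return frame + struct.pack("<I", fcs(frame))

def parse_frame(frame: bytes) -> dict:
    """Split a captured frame into DA, SA, type/length, optional LLC/SNAP, and FCS.
    Preamble and SOF are absent: the NIC strips them before the sniffer sees anything."""
    if not 64 <= len(frame) <= 1518:
        raise ValueError("frame outside the 64-1518 byte range")
    da, sa, type_or_len = struct.unpack("!6s6sH", frame[:14])
    body, trailer = frame[14:-4], frame[-4:]
    info = {"dst": da.hex(":"), "src": sa.hex(":"),
            "fcs_ok": struct.unpack("<I", trailer)[0] == fcs(frame[:-4])}
    if type_or_len > MAX_8023_LENGTH:          # RFC 894: the field is an EtherType
        info.update(encapsulation="Ethernet II", ethertype=type_or_len, payload=body)
    else:                                      # RFC 1042: the field is a length, LLC/SNAP follows
        if body[:3] != SNAP_LLC:
            raise ValueError("LLC header is not the SNAP form AA AA 03")
        info.update(encapsulation="802.3 LLC/SNAP", length=type_or_len,
                    org=body[3:6].hex(), ethertype=struct.unpack("!H", body[6:8])[0],
                    payload=body[8:type_or_len])   # length covers LLC+SNAP+data, not padding
    return info

# Constructed samples: a broadcast ARP request (type 0806) and an IP datagram (type 0800) in SNAP.
BCAST, SRC = b"\xff" * 6, bytes.fromhex("001122334455")
ARP_BODY = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, SRC, bytes([10, 0, 0, 2]),
                       b"\x00" * 6, bytes([10, 0, 0, 1]))
ARP_FRAME = build_frame(BCAST, SRC, 0x0806, ARP_BODY)
SNAP_DATA = b"\x45" + b"\x00" * 19            # placeholder 20-byte IP header, constructed
SNAP_FRAME = build_frame(BCAST, SRC, 8 + len(SNAP_DATA),
                         SNAP_LLC + b"\x00\x00\x00" + struct.pack("!H", 0x0800) + SNAP_DATA)

if __name__ == "__main__":
    for f in (ARP_FRAME, SNAP_FRAME):
        print(parse_frame(f))
```

Flip any byte of a frame before parsing it and `fcs_ok` turns false, which is exactly the corruption the FCS exists to catch.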