Date posted: 03-May-2018
Introduction
We will be using the Wireshark packet sniffer [http://www.wireshark.org/] for this
lab, allowing us to display the contents of messages being sent/received from/by protocols at
different levels of the protocol stack. (Technically speaking, Wireshark is a packet analyzer
that uses a packet capture library in your computer.) Wireshark is a free network protocol
analyzer that runs on Windows, Linux/Unix, and Mac computers. It’s an ideal packet analyzer
for our labs - it is stable, has a large user base and well-documented support that includes
a user guide (http://www.wireshark.org/docs/wsug_html_chunked/),
man pages (http://www.wireshark.org/docs/man-pages/), and a detailed FAQ
(http://www.wireshark.org/faq.html), rich functionality that includes the capability
to analyze hundreds of protocols, and a well-designed user interface. It operates in computers
using Ethernet, serial (PPP and SLIP), 802.11 wireless LANs, and many other link-layer
technologies (if the OS on which it’s running allows Wireshark to do so).
Figure 1 shows the structure of a packet sniffer. At the right of Figure 1 are the protocols (in
this case, Internet protocols) and applications (such as a web browser or ftp client) that normally
run on your computer. The packet sniffer, shown within the dashed rectangle in Figure 1, is an
addition to the usual software in your computer, and consists of two parts. The packet capture
library receives a copy of every link-layer frame that is sent from or received by your computer.
Messages exchanged by higher layer protocols such as HTTP, FTP, TCP, UDP, DNS, or IP all
are eventually encapsulated in link-layer frames that are transmitted over physical media such as
an Ethernet cable. In Figure 1, the assumed physical media is an Ethernet, and so all upper-layer
protocols are eventually encapsulated within an Ethernet frame. Capturing all link-layer frames
thus gives you all messages sent/received from/by all protocols and applications executing in
your computer.
Figure 1: Packet sniffer structure.
In this lab, we will use Wireshark on Linux. So first, install Wireshark and get
familiar with it. Here is a link which may help you: https://www.maketecheasier.com/using-wireshark-ubuntu/
1 802.11 Wireless Network Protocol
1.1 Overview
In this lab, we’ll investigate the 802.11 wireless network protocol. For convenience, we’ll
provide a trace of captured 802.11 frames for you to analyze; the questions below assume you are working from this trace.
1.2 Requirement
• You should do this part personally and submit your own report.
• Print your report and submit it in class.
• Deadline: Tuesday, October 31
1.3 Getting Started
The trace file Wireshark_802_11.pcap is provided. This trace was collected using AirPcap and
Wireshark on a setup consisting of a Linksys 802.11g combined access point/router, with two wired PCs
and one wireless host PC attached to the access point/router. Fortunately, other access points in
neighboring houses are available as well. In this trace file, we’ll see frames captured on channel
6. Since the host and AP that we are interested in are not the only devices using channel 6, we’ll
see a lot of frames that we’re not interested in for this lab, such as beacon frames advertised by
a neighbor’s AP also operating on channel 6. The wireless host activities taken in the trace file
are:
• The host is already associated with the 30 Munroe St AP when the trace begins.
• At t = 24.82, the host makes an HTTP request to http://gaia.cs.umass.edu/wireshark-labs/alice.txt.
The IP address of gaia.cs.umass.edu is 128.119.245.12.
• At t = 32.82, the host makes an HTTP request to http://www.cs.umass.edu,
whose IP address is 128.119.240.19.
• At t = 49.58, the host disconnects from the 30 Munroe St AP and attempts to connect
to the linksys_ses_24086. This is not an open access point, and so the host is eventually
unable to connect to this AP.
• At t = 63.0 the host gives up trying to associate with the linksys_ses_24086 AP, and
associates again with the 30 Munroe St access point.
Once you have downloaded the trace, you can load it into Wireshark and view the trace
using the File pull down menu, choosing Open, and then selecting the Wireshark_802_11.pcap
trace file. The resulting display should look just like Figure 2.
1.4 Beacon Frames
Recall that beacon frames are used by an 802.11 AP to advertise its existence. To answer
some of the questions below, you’ll want to look at the details of the “IEEE 802.11” frame
and subfields in the middle Wireshark window. Whenever possible, when answering a question
below, you should hand in a printout of the packet(s) within the trace that you used to answer
the question asked.
Annotate the printout to explain your answer. (What do we mean by “annotate”? Please highlight
where in the printout you’ve found the answer and add some text, preferably with a colored pen,
noting what you found in what you’ve highlighted.) To print a packet, use File → Print, choose
selected packet only, choose packet summary line, and select the minimum amount of packet
detail that you need to answer the question.
1. What are the SSIDs of the two access points that are issuing most of the beacon frames
in this trace?
Figure 2: Wireshark window, after opening the Wireshark_802_11.pcap file.
2. What are the intervals of time between the transmissions of the beacon frames from the linksys_ses_24086
access point? From the 30 Munroe St. access point? (Hint: this interval of time is contained
in the beacon frame itself).
3. What (in hexadecimal notation) is the source MAC address on the beacon frame from 30
Munroe St? Recall from Figure 6.13 in the text that the source, destination, and BSS are
three addresses used in an 802.11 frame. For a detailed discussion of the 802.11 frame
structure, see section 7 in the IEEE 802.11 standards document (cited in Section 1.6 below).
4. What (in hexadecimal notation) is the destination MAC address on the beacon frame from
30 Munroe St?
5. What (in hexadecimal notation) is the MAC BSS id on the beacon frame from 30 Munroe
St?
6. The beacon frames from the 30 Munroe St access point advertise that the access point can
support four data rates and eight additional “extended supported rates.” What are these
rates?
1.5 Data Transfer
Since the trace starts with the host already associated with the AP, let’s first look at data transfer
over an 802.11 association before looking at AP association/disassociation. Recall that in this
trace, at t = 24.82, the host makes an HTTP request to http://gaia.cs.umass.edu/wireshark-labs/alice.txt.
The IP address of gaia.cs.umass.edu is 128.119.245.12.
Then, at t = 32.82, the host makes an HTTP request to http://www.cs.umass.edu.
1. Find the 802.11 frame containing the SYN TCP segment for this first TCP session (that
downloads alice.txt). What are the three MAC address fields in the 802.11 frame? Which
MAC address in this frame corresponds to the wireless host (give the hexadecimal representation
of the MAC address for the host)? To the access point? To the first-hop router?
What is the IP address of the wireless host sending this TCP segment? What is the destination
IP address? Does this destination IP address correspond to the host, access point,
first-hop router, or some other network-attached device? Explain.
2. Find the 802.11 frame containing the SYNACK segment for this TCP session. What
are the three MAC address fields in the 802.11 frame? Which MAC address in this frame
corresponds to the host? To the access point? To the first-hop router? Does the sender
MAC address in the frame correspond to the IP address of the device that sent the TCP
segment encapsulated within this datagram?
1.6 Association/Disassociation
Recall that a host must first associate with an access point before sending data. Association
in 802.11 is performed using the ASSOCIATE REQUEST frame (sent from host to AP, with a
frame type 0 and subtype 0) and the ASSOCIATE RESPONSE frame (sent by the AP to a host
with a frame type 0 and subtype of 1, in response to a received ASSOCIATE REQUEST). For
a detailed explanation of each field in the 802.11 frame, see page 34 (Section 7) of the 802.11
spec at http://gaia.cs.umass.edu/wireshark-labs/802.11-1999.pdf.
1. What two actions are taken (i.e., frames are sent) by the host in the trace just after t = 49,
to end the association with the 30 Munroe St AP that was initially in place when trace
collection began? (Hint: one is an IP-layer action, and one is an 802.11-layer action).
Looking at the 802.11 specification, is there another frame that you might have expected
to see, but don’t see here?
2. Examine the trace file and look for AUTHENTICATION frames sent from the host to an AP
and vice versa. How many AUTHENTICATION messages are sent from the wireless host
to the linksys_ses_24086 AP (which has a MAC address of Cisco-Li_f5:ba:bb) starting at
around t = 49?
3. Does the host want the authentication to require a key or be open?
4. Do you see a reply AUTHENTICATION from the linksys_ses_24086 AP in the trace?
5. Now let’s consider what happens as the host gives up trying to associate with the linksys_ses_24086
AP and now tries to associate with the 30 Munroe St AP. Look for AUTHENTICATION
frames sent from the host to an AP and vice versa. At what times is there an
AUTHENTICATION frame from the host to the 30 Munroe St. AP, and when is there a reply
AUTHENTICATION sent from that AP to the host? (Note that you can use the
filter expression "wlan.fc.subtype == 11 and wlan.fc.type == 0 and wlan.addr ==
IntelCor_d1:b6:4f" to display only the AUTHENTICATION frames in this trace for
this wireless host.)
6. An ASSOCIATE REQUEST from host to AP, and a corresponding ASSOCIATE RESPONSE
frame from AP to host, are used for the host to associate with an AP. At what
time is there an ASSOCIATE REQUEST from the host to the 30 Munroe St AP? When is the
corresponding ASSOCIATE RESPONSE sent? (Note that you can use the filter expression
"wlan.fc.subtype < 2 and wlan.fc.type == 0 and wlan.addr == IntelCor_d1:b6:4f"
to display only the ASSOCIATE REQUEST and ASSOCIATE RESPONSE frames
for this trace.)
7. What transmission rates is the host willing to use? The AP? To answer this question,
you will need to look into the parameters fields of the 802.11 wireless LAN management
frame.
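The beacon questions in Section 1.4 (SSID, beacon interval, the three addresses, supported and extended rates) and the display filters quoted in Section 1.6 all come down to a few fixed offsets in the 802.11 management frame. The following decoder is an added example, not part of the lab or of the Wireshark_802_11.pcap trace: it assumes raw 802.11 frames with no capture pseudo-header (radiotap/PPI) and no trailing FCS, and every frame and MAC address in it is constructed here (only the SSID string "30 Munroe St" is taken from the lab text). The `is_auth_for` and `is_assoc_for` predicates reproduce the two filter expressions given in questions 5 and 6.

```python
"""Minimal 802.11 management-frame decoder: an added example, not part of the lab
or of the Wireshark_802_11.pcap trace. Assumes raw 802.11 frames with no capture
pseudo-header (radiotap/PPI) and no trailing FCS; all frames and MAC addresses
below are constructed here."""
import struct

MGMT, SUBTYPE_ASSOC_REQ, SUBTYPE_ASSOC_RESP, SUBTYPE_BEACON, SUBTYPE_AUTH = 0, 0, 1, 8, 11
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def mac_to_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))

def parse_mac_header(frame):
    """Frame Control is little-endian: byte 0 holds version (bits 0-1), type (bits 2-3)
    and subtype (bits 4-7). In management frames Address 1 is the receiver, Address 2
    the transmitter and Address 3 the BSS ID."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte 802.11 management header")
    fc0 = frame[0]
    return {"type": (fc0 >> 2) & 0x3, "subtype": (fc0 >> 4) & 0xF,
            "addr1": mac_to_str(frame[4:10]), "addr2": mac_to_str(frame[10:16]),
            "addr3": mac_to_str(frame[16:22]),
            "seq": struct.unpack_from("<H", frame, 22)[0] >> 4, "body": frame[24:]}

def parse_beacon_body(body):
    """Fixed fields (timestamp, interval in 1024 us time units, capability) followed by
    tagged information elements: SSID (0), Supported Rates (1), Extended Rates (50)."""
    timestamp, interval_tu, capability = struct.unpack_from("<QHH", body, 0)
    info = {"timestamp": timestamp, "beacon_interval_ms": interval_tu * 1.024,
            "privacy": bool(capability & 0x10),  # bit 4 set = encryption required
            "ssid": None, "rates_mbps": [], "ext_rates_mbps": []}
    pos = 12
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + length]
        if tag == 0:
            info["ssid"] = data.decode("utf-8", "replace")
        elif tag == 1:   # rates are in 500 kbps units; the MSB flags a basic rate
            info["rates_mbps"] = [(b & 0x7F) / 2 for b in data]
        elif tag == 50:
            info["ext_rates_mbps"] = [(b & 0x7F) / 2 for b in data]
        pos += 2 + length
    return info

def parse_auth_body(body):
    """Authentication fixed fields: algorithm (0 Open System, 1 Shared Key),
    transaction sequence number, status code (0 = successful)."""
    algorithm, seqnum, status = struct.unpack_from("<HHH", body, 0)
    return {"algorithm": "open" if algorithm == 0 else "shared-key",
            "seq": seqnum, "status": status}

def matches_station(hdr, station):
    """The lab's 'wlan.addr == X' matches X in any of the three address fields."""
    return station in (hdr["addr1"], hdr["addr2"], hdr["addr3"])

def is_auth_for(hdr, station):
    """'wlan.fc.subtype == 11 and wlan.fc.type == 0 and wlan.addr == station'."""
    return hdr["type"] == MGMT and hdr["subtype"] == SUBTYPE_AUTH and matches_station(hdr, station)

def is_assoc_for(hdr, station):
    """'wlan.fc.subtype < 2 and wlan.fc.type == 0 and wlan.addr == station'."""
    return hdr["type"] == MGMT and hdr["subtype"] < 2 and matches_station(hdr, station)

def build_mgmt_frame(subtype, addr1, addr2, addr3, body=b"", seq=0):
    """Constructed sample frame with zeroed flags and duration."""
    fc0 = (subtype << 4) | (MGMT << 2)
    return (struct.pack("<BBH", fc0, 0, 0) + mac_to_bytes(addr1) + mac_to_bytes(addr2)
            + mac_to_bytes(addr3) + struct.pack("<H", seq << 4) + body)

def ie(tag, data):
    return bytes([tag, len(data)]) + data

AP, HOST = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed, locally administered
BEACON_BODY = (struct.pack("<QHH", 0x1234, 100, 0x0001)   # 100 TU interval, ESS, open
               + ie(0, b"30 Munroe St")                   # SSID named in the lab text
               + ie(1, bytes([0x82, 0x84, 0x8B, 0x96]))   # 1, 2, 5.5, 11 Mbps, all basic
               + ie(50, bytes([0x0C, 0x12, 0x18, 0x24, 0x30, 0x48, 0x60, 0x6C])))  # 6-54 Mbps
SAMPLE_FRAMES = [
    build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, AP, AP, BEACON_BODY, seq=1),
    build_mgmt_frame(SUBTYPE_AUTH, AP, HOST, AP, struct.pack("<HHH", 0, 1, 0), seq=2),
    build_mgmt_frame(SUBTYPE_AUTH, HOST, AP, AP, struct.pack("<HHH", 0, 2, 0), seq=3),
    build_mgmt_frame(SUBTYPE_ASSOC_REQ, AP, HOST, AP, seq=4),
    build_mgmt_frame(SUBTYPE_ASSOC_RESP, HOST, AP, AP, seq=5),
]

def summarize(frames, station):
    """Counts kept by the lab's two display filters for one station, plus beacon details."""
    hdrs = [parse_mac_header(f) for f in frames]
    return {"auth": sum(is_auth_for(h, station) for h in hdrs),
            "assoc": sum(is_assoc_for(h, station) for h in hdrs),
            "beacons": [parse_beacon_body(h["body"]) for h in hdrs
                        if h["type"] == MGMT and h["subtype"] == SUBTYPE_BEACON]}
```

Running `summarize(SAMPLE_FRAMES, HOST)` returns two authentication and two association frames for the constructed host, and the single beacon decodes to a 102.4 ms interval with four basic rates and eight extended rates, mirroring the counts the questions ask you to read off the trace. The `privacy` bit and the authentication algorithm field are what distinguish an open AP from one that requires a key (question 3).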
1.7 Other Frame Types
Our trace contains a number of PROBE REQUEST and PROBE RESPONSE frames.
1. What are the sender, receiver and BSS ID MAC addresses in these frames? What is the
purpose of these two types of frames? (To answer this last question, you’ll need to dig
into the online references cited earlier in this lab).
2 Traceroute
2.1 Overview
The Internet is a large and complex aggregation of network hardware, connected together by
gateways. Tracking the route one’s packets follow (or finding the miscreant gateway that’s
discarding your packets) can be difficult. Traceroute utilizes the IP protocol ‘time to live’ field
and attempts to elicit an ICMP TIME EXCEEDED response from each gateway along the path
to some host.
In this part, we aim to understand how traceroute works using Wireshark. Note that on Windows,
another command called tracert plays the same role as traceroute with some differences
in the implementation, so you are required to do this lab on your Linux machine.
2.2 Requirement
• You should do this part personally and submit your own report.
• Print your report and submit it in class.
• The annotation and other requirements of the report are the same as those in the first section.
• Deadline: Tuesday, October 31
2.3 Step One
Type the command: traceroute -I baidu.com. Use the Wireshark capture to explain what
has been shown in the terminal. Basically, you need to answer the questions below:
1. What types of packets have been involved in the process?
2. What’s the source address and destination address of each type of packet?
3. How does the client know the IP of each hop?
4. What does a “*” shown in the terminal (if any) mean?
5. Search for relevant information to explain what may cause “***” at some of the hops.
2.4 Step Two
Type the command: traceroute baidu.com. Use the Wireshark capture to explain what
has been shown in the terminal. Basically, you need to answer the questions below:
1. What types of packets have been involved in the process?
2. What’s the source address and destination address of each type of packet?
3. How does the client know the IP of each hop?
4. What does a “*” shown in the terminal (if any) mean?
5. Search for relevant information to explain what may cause “***” at some of the hops.
6. Compare step one and step two, and explain what may cause the different results of the two
commands.
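To reason about Steps One and Two before looking at the capture, it helps to have the TTL mechanism written out. The following model is an added example, not lab code: it sends no packets, the addresses and the three-router path are constructed (documentation ranges), and the "silent" router and the "destination filters UDP" switch are assumptions that stand in for the two common causes of "*" lines. It covers both probe styles the lab uses: ICMP Echo Requests for `traceroute -I` and UDP datagrams to unused high ports for the default command.

```python
"""Model of traceroute's use of the IP TTL field (added example, not part of the lab).
Topology, addresses and behaviour are constructed; nothing here sends real packets."""
from dataclasses import dataclass

@dataclass
class Probe:
    ttl: int
    proto: str          # "icmp-echo" for 'traceroute -I', "udp" for the default
    dport: int = 0      # UDP destination port (the default tool starts at 33434)

# Constructed path from the client to the target. The second router is configured
# never to originate ICMP errors, which is what a "*" in the terminal means.
SOURCE = "192.0.2.10"
ROUTERS = ["192.0.2.1", "198.51.100.1", "203.0.113.1"]
SILENT_ROUTERS = {"198.51.100.1"}
DEST = "203.0.113.50"

def forward(probe, dest_filters_udp=False):
    """Follow one probe hop by hop. Each router decrements TTL; the router at which it
    reaches zero discards the datagram and answers with ICMP Time Exceeded, whose
    source address is how the client learns that hop's IP. Returns (replier, kind)
    or None when nothing comes back."""
    ttl = probe.ttl
    for router in ROUTERS:
        ttl -= 1
        if ttl == 0:
            return None if router in SILENT_ROUTERS else (router, "icmp-time-exceeded")
    # The datagram reached the destination host with TTL still positive.
    if probe.proto == "icmp-echo":
        return (DEST, "icmp-echo-reply")
    if dest_filters_udp:
        return None                               # firewall drops UDP to unused ports
    return (DEST, "icmp-port-unreachable")        # nothing listens on the probe port

def traceroute(proto, max_hops=30, probes_per_hop=3, dest_filters_udp=False):
    """One (ttl, replying addresses, reply kinds) tuple per hop; stops once the
    destination itself answers, as the real tool does."""
    hops, port = [], 33434
    for ttl in range(1, max_hops + 1):
        replies = []
        for _ in range(probes_per_hop):
            replies.append(forward(Probe(ttl, proto, port), dest_filters_udp))
            port += 1                             # each UDP probe uses the next port
        addrs = sorted({r[0] for r in replies if r}) or ["*"]
        hops.append((ttl, addrs, [r[1] if r else "*" for r in replies]))
        if any(r and r[0] == DEST for r in replies):
            break
    return hops

def render(hops):
    """Terminal-style lines: hop number, replier (or *), one mark per probe."""
    return [f"{ttl:2d}  {' '.join(addrs)}  {' '.join('*' if k == '*' else 'ok' for k in kinds)}"
            for ttl, addrs, kinds in hops]

if __name__ == "__main__":
    print("\n".join(render(traceroute("icmp-echo"))))
    print("\n".join(render(traceroute("udp", max_hops=6, dest_filters_udp=True))))
```

With the ICMP probes the run ends at hop 4 with Echo Replies from the destination; with UDP probes it ends with Port Unreachable errors instead, and when the destination's firewall drops the UDP probes the listing degrades to "*" rows until `max_hops`, which is one concrete reason Step One and Step Two can look different.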
3 TCP Analysis
3.1 Overview
The objective is to see the details of TCP (Transmission Control Protocol). TCP is the main
transport layer protocol used in the Internet. There are various TCP congestion control algorithms
designed for different scenarios or from different perspectives to improve TCP performance.
In this part, you are required to learn three different TCP congestion control (CC) algorithms: RENO,
CUBIC, and BBR. We are going to do some interesting experiments together, and you are required
to analyze the Wireshark traces we collect.
3.2 Requirement
• You should do this part personally and submit your own report.
• Print your report and submit it in class.
• The annotation and other requirements of the report are the same as those in the first section.
• Deadline: Tuesday, October 31
3.3 RENO
TCP Reno implements an algorithm called fast recovery. A fast retransmit is sent, half of the
current cwnd is saved as ssthresh and also becomes the new cwnd, so the sender skips slow start
and goes directly to the congestion avoidance algorithm.
3.4 CUBIC
Used by default in Linux kernels 2.6.19 and above, TCP CUBIC attempts to solve the problem
of efficient TCP transport when the bandwidth-delay product is large. CUBIC allows very fast
window expansion; however, it also attempts to slow the growth of cwnd sharply as
cwnd approaches the current network ceiling, and to treat other TCP connections fairly. It still
uses packet loss as the only signal for adjusting its cwnd. Like TCP Reno, such loss-based
congestion control rests on the assumption that packet losses are caused by congestion.
In a network environment with a high loss rate, loss-based congestion control
misinterprets loss as a signal of network congestion, reduces the congestion window, and ends up with
low throughput. Furthermore, when bottleneck buffers are large, loss-based congestion control
tends to keep them full, causing bufferbloat.
3.5 BBR
TCP BBR has been accepted as an alternative in Linux kernel 4.9 and above. Since this
problem of loss-based congestion control is inherent, BBR changes approach: instead of passively
responding to packet loss, it constantly and actively probes the bottleneck bandwidth and the RTT. More
specifically, TCP BBR continuously estimates two physical constraints of a TCP path,
namely BtlBw (bottleneck bandwidth) and RTprop (round-trip propagation time), and uses them to adjust its
congestion control window. To measure both constraints accurately, it slightly changes its
transmission pattern at a fixed period while probing bandwidth and RTT.
It then computes (estimates of) BtlBw and RTprop from the bandwidth sequence and the
RTT sequence, respectively. At the same time, BBR controls transmission by keeping
the sending rate below pacing_gain(t) · BtlBw and preventing the amount of data in
flight (data sent but not yet acknowledged) from exceeding cwnd_gain(t) · BtlBw · RTprop,
where pacing_gain(t) and cwnd_gain(t) are functions of the time t determined by the details of the
BBR algorithm.
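The three descriptions in Sections 3.3 to 3.5 each reduce to a small piece of window arithmetic, and writing it out makes the trace analysis in Section 3.6 easier to interpret. The block below is an added example and not lab material: it counts cwnd in segments, implements Reno's loss response exactly as Section 3.3 states it (the temporary inflation of cwnd by duplicate ACKs in real Reno is left out), uses the CUBIC window function W_cubic(t) = C·(t − K)^3 + W_max with the RFC 8312 default constants (C = 0.4, β = 0.7), and derives BBR's two limits from constructed (delivery rate, RTT) samples in which BtlBw is the maximum observed rate and RTprop the minimum observed RTT.

```python
"""Window arithmetic of the three algorithms in Sections 3.3-3.5, as an added example
(not lab material). cwnd is counted in segments; CUBIC constants are the RFC 8312
defaults; the BBR sample sequence is constructed."""
MSS = 1

def reno_on_loss(cwnd):
    """Fast recovery as Section 3.3 states it: ssthresh = cwnd/2 and cwnd = ssthresh, so
    the sender continues in congestion avoidance rather than restarting slow start.
    (Real Reno also inflates cwnd by the duplicate ACKs; that detail is left out.)"""
    ssthresh = max(cwnd // 2, 2 * MSS)
    return ssthresh, ssthresh

def reno_trajectory(rounds, loss_rounds, cwnd=1, ssthresh=64):
    """cwnd at the start of each RTT round. loss_rounds are rounds that end with three
    duplicate ACKs (a fast retransmit); other rounds grow by slow start or +1 per RTT."""
    out = []
    for r in range(rounds):
        out.append(cwnd)
        if r in loss_rounds:
            ssthresh, cwnd = reno_on_loss(cwnd)
        elif cwnd < ssthresh:
            cwnd = min(cwnd * 2, ssthresh)        # slow start: double per RTT
        else:
            cwnd += MSS                           # congestion avoidance: linear
    return out

CUBIC_C, CUBIC_BETA = 0.4, 0.7

def cubic_k(w_max):
    """Time for the cubic curve to climb back from beta*W_max to W_max after a loss."""
    return (w_max * (1 - CUBIC_BETA) / CUBIC_C) ** (1 / 3)

def cubic_window(t, w_max):
    """W_cubic(t) = C*(t - K)^3 + W_max. Growth is steep right after the loss, flattens
    as cwnd approaches the previous ceiling W_max, then accelerates again beyond it."""
    return CUBIC_C * (t - cubic_k(w_max)) ** 3 + w_max

def estimate_bbr(samples):
    """BtlBw and RTprop from (delivery rate, RTT) samples: the physical constraints show
    up as the maximum observed rate and the minimum observed RTT (queueing only adds)."""
    return max(rate for rate, _ in samples), min(rtt for _, rtt in samples)

def bbr_limits(btlbw_bps, rtprop_s, pacing_gain=1.0, cwnd_gain=2.0):
    """Section 3.5's two controls: send no faster than pacing_gain*BtlBw and keep data in
    flight below cwnd_gain*BtlBw*RTprop (cwnd_gain times the bandwidth-delay product)."""
    bdp_bytes = btlbw_bps * rtprop_s / 8
    return {"pacing_rate_bps": pacing_gain * btlbw_bps,
            "bdp_bytes": bdp_bytes,
            "max_inflight_bytes": cwnd_gain * bdp_bytes}

# Constructed samples: (delivery rate in bit/s, RTT in s) from one probing cycle.
BBR_SAMPLES = [(8.0e6, 0.050), (9.5e6, 0.048), (9.0e6, 0.060), (7.5e6, 0.072)]
```

`reno_trajectory(12, {7})` shows the sawtooth you should expect to see in the server trace for Reno: exponential growth to ssthresh, linear growth, then a halving and linear growth again. `cubic_window(0, 100)` evaluates to 70 (β·W_max) and returns to 100 at t = K, which is why CUBIC's bytes-in-flight curve flattens near the old ceiling; `bbr_limits` gives the inflight cap that BBR holds regardless of loss.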
3.6 Experiment and Analysis
In this part, we will first use class breaks to do some experiments: all of you make TCP
connections simultaneously to the same server, aiming to create congestion. We will use Wireshark
to collect a trace at the server, and you can collect your own trace on your laptop. You then
use the two traces to analyze the different TCP congestion control algorithms, compare them, and
present your findings. We will provide you with scripts to connect to the server; the details will
be announced later.
The metrics you analyze could include, but are not limited to:
• Throughput
• Packet loss rate
• Round trip time
• Out-of-order Delay
• Bytes in flight
• RTO
Tips: Since the deadline is right after the lecture on the transport layer, you should prepare the relevant
knowledge as early as possible.
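Most of the metrics listed above can be derived from the sender-side view of one flow: the data segments going out and the cumulative ACKs coming back. The analyzer below is an added example, not lab code or a script we provide; it works on a hand-constructed list of segments (Wireshark-style relative sequence numbers, MSS 1000 bytes, one lost segment) rather than on any captured trace, and it applies Karn's algorithm when taking RTT samples and the RFC 6298 smoothing when estimating the RTO. Exporting the TCP segments of one flow from your own capture into this `Segment` shape is the part left to you.

```python
"""Per-flow metrics from Section 3.6 computed over a list of TCP segments: an added
example, not lab code. The trace below is constructed (Wireshark-style relative
sequence numbers, MSS 1000 bytes, one lost segment); it is not a captured trace."""
from dataclasses import dataclass

@dataclass
class Segment:
    t: float            # capture time in seconds
    direction: str      # "out": data from the sender, "in": ACK from the receiver
    seq: int = 0        # first data byte of an outgoing segment
    payload: int = 0    # data bytes in an outgoing segment
    ack: int = 0        # cumulative acknowledgement number of an incoming ACK

def rto_rfc6298(rtt_samples):
    """RFC 6298 retransmission timer from RTT samples: SRTT and RTTVAR are smoothed
    with gains 1/8 and 1/4; RTO = SRTT + 4*RTTVAR. The RFC's 1 s floor and the clock
    granularity term are omitted so that small RTTs remain visible."""
    srtt = rttvar = None
    for r in rtt_samples:
        if srtt is None:
            srtt, rttvar = r, r / 2
        else:
            rttvar = 0.75 * rttvar + 0.25 * abs(srtt - r)
            srtt = 0.875 * srtt + 0.125 * r
    return None if srtt is None else srtt + 4 * rttvar

def analyze(segments):
    """Throughput, loss rate, RTT samples, bytes in flight and RTO for one direction."""
    first_sent = {}           # end sequence number -> time of first transmission
    retransmitted = set()     # end sequence numbers that were sent more than once
    snd_una = snd_max = None  # oldest unacknowledged byte / highest byte sent + 1
    t_first_data = t_last_ack = None
    data_segments = retransmissions = dup_acks = acked_bytes = 0
    rtts, inflight = [], []
    for s in sorted(segments, key=lambda x: x.t):
        if s.direction == "out" and s.payload:
            end = s.seq + s.payload
            data_segments += 1
            if end in first_sent:
                retransmissions += 1
                retransmitted.add(end)
            else:
                first_sent[end] = s.t
            snd_una = s.seq if snd_una is None else snd_una
            snd_max = end if snd_max is None else max(snd_max, end)
            t_first_data = s.t if t_first_data is None else t_first_data
        elif s.direction == "in" and snd_una is not None:
            if s.ack > snd_una:
                # Karn's algorithm: no RTT sample from an ACK that covers a retransmission.
                covers_rexmit = any(snd_una < e <= s.ack for e in retransmitted)
                if s.ack in first_sent and not covers_rexmit:
                    rtts.append(s.t - first_sent[s.ack])
                acked_bytes += s.ack - snd_una
                snd_una, t_last_ack = s.ack, s.t
            elif s.ack == snd_una:
                dup_acks += 1     # three of these trigger Reno's fast retransmit
        if snd_una is not None and snd_max is not None:
            inflight.append((s.t, snd_max - snd_una))   # bytes sent but unacknowledged
    duration = (t_last_ack - t_first_data) if t_last_ack is not None else 0.0
    return {
        "throughput_bps": 8 * acked_bytes / duration if duration else 0.0,
        "loss_rate": retransmissions / data_segments if data_segments else 0.0,
        "retransmissions": retransmissions,
        "dup_acks": dup_acks,
        "rtt_samples": rtts,
        "max_bytes_in_flight": max(b for _, b in inflight) if inflight else 0,
        "rto_estimate_s": rto_rfc6298(rtts),
    }

SAMPLE_TRACE = [  # constructed: four 1000-byte segments, bytes 2001-3000 lost once
    Segment(0.000, "out", seq=1, payload=1000),
    Segment(0.001, "out", seq=1001, payload=1000),
    Segment(0.002, "out", seq=2001, payload=1000),
    Segment(0.003, "out", seq=3001, payload=1000),
    Segment(0.100, "in", ack=1001),
    Segment(0.101, "in", ack=2001),
    Segment(0.103, "in", ack=2001),                   # duplicate ACK: 3001-4000 arrived early
    Segment(0.104, "out", seq=2001, payload=1000),    # retransmission of the lost segment
    Segment(0.204, "in", ack=4001),
]
```

On the constructed trace `analyze(SAMPLE_TRACE)` reports one retransmission out of five data segments (loss rate 0.2), one duplicate ACK, two RTT samples of 100 ms, a peak of 4000 bytes in flight and an RTO estimate of 250 ms; the ACK for 4001 yields no RTT sample because it covers the retransmitted segment, which is the ambiguity Karn's algorithm avoids.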