Lab 3 - ICMP Encapsulation
From SOFTICE
Pedagogical Objectives
- Provide an example of encapsulation at OSI Model Layers 2 and 3
- Strengthen student's knowledge of ICMP (Internet Control Message Protocol)
Developed by:
Synopsis
The core idea behind the OSI Model is that complex network architectures should be broken down into manageable modules, or layers. This lab will introduce OSI Model Layers 2 and 3, then use the ping and tcpdump applications to introduce TCP/IP's and Ethernet's implementations of these layers.
[Briefing] The OSI Model and Encapsulation
The OSI Model breaks up complex network architectures into 7 more manageable layers:
- Layer 7 - Application
- Layer 6 - Presentation
- Layer 5 - Session
- Layer 4 - Transport
- Layer 3 - Network
- Layer 2 - Data Link
- Layer 1 - Physical
Each layer communicates only with the layers directly above and below it. A Layer 2 Data Link protocol, for example, communicates with the Network Layer at Layer 3 and the Physical Layer at Layer 1, but knows nothing about Layers 4-7.
The OSI Model can be applied to most network architectures. The implementation that we'll focus on in this lab is the TCP/IP suite of protocols running on top of an Ethernet based network. In TCP/IP, in order for a Layer 3 IP PDU (packet) to traverse an Ethernet network, it must first be encapsulated within a Layer 2 PDU containing Ethernet's Layer 2 data. This Layer 2 PDU is known as a frame.
[Network Diagram] tcpdump
The Tcpdump Network, pictured above, will be used in this lab's exercises.
[Solved] Dissecting ICMP Encapsulation
Complete the following solved exercise, recording your findings, and the procedures used to obtain them in your log. By doing this, you may be able to obtain partial credit if you are unable to complete any of the exercises.
Note: Before disconnecting from SOFTICE, be sure to shut your virtual hosts down. This procedure is described in Exercise 1-3: Shutdown the Network. This must be done in order to conserve system resources on the SOFTICE cluster.
In this example, we are going to use tcpdump to intercept ICMP traffic.
- Start up the Tcpdump Network:
mln start -p tcpdump
- Console into the observer host and execute the tcpdump command:
tcpdump
- Console into the client host, and use ping to verify connectivity between the client and server hosts:
ping -c 5 10.0.0.1
- Console back into the observer host, and take a look at tcpdump's output. Press Ctrl-C to exit tcpdump, then record this output in your log. tcpdump's output should look similar to the following (line numbers added for clarity):
1. observer:~# tcpdump
2. device eth0 entered promiscuous mode
3. tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
4. listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
5. 03:47:01.136123 arp who-has 10.0.0.1 tell 10.0.0.2
6. 03:47:01.151472 arp reply 10.0.0.1 is-at fe:fd:00:00:5c:a4
7. 03:47:01.136180 IP 10.0.0.2 > 10.0.0.1: icmp 64: echo request seq 1
8. 03:47:01.136303 IP 10.0.0.1 > 10.0.0.2: icmp 64: echo reply seq 1
9. 03:47:02.132174 IP 10.0.0.2 > 10.0.0.1: icmp 64: echo request seq 2
10. 03:47:02.132190 IP 10.0.0.1 > 10.0.0.2: icmp 64: echo reply seq 2
11. 03:47:03.140125 IP 10.0.0.2 > 10.0.0.1: icmp 64: echo request seq 3
12. 03:47:03.140289 IP 10.0.0.1 > 10.0.0.2: icmp 64: echo reply seq 3
13. 03:47:04.148161 IP 10.0.0.2 > 10.0.0.1: icmp 64: echo request seq 4
14. 03:47:04.148334 IP 10.0.0.1 > 10.0.0.2: icmp 64: echo reply seq 4
15. 03:47:05.168356 IP 10.0.0.2 > 10.0.0.1: icmp 64: echo request seq 5
16. 03:47:05.168374 IP 10.0.0.1 > 10.0.0.2: icmp 64: echo reply seq 5
17. 03:47:06.148213 arp who-has 10.0.0.2 tell 10.0.0.1
18. 03:47:06.148289 arp reply 10.0.0.2 is-at fe:fd:00:00:15:4f
19. 14 packets captured
20. 14 packets received by filter
21. 0 packets dropped by kernel
22. device eth0 left promiscuous mode
- Line 7 shows an IP PDU:
7. 03:47:01.136180 IP 10.0.0.2 > 10.0.0.1: icmp 64: echo request seq 1
- This IP packet is being sent from 10.0.0.2 to 10.0.0.1:
7. 03:47:01.136180 IP 10.0.0.2 > 10.0.0.1: icmp 64: echo request seq 1
- This IP PDU contains an ICMP packet:
7. 03:47:01.136180 IP 10.0.0.2 > 10.0.0.1: icmp 64: echo request seq 1
- This ICMP packet is an echo request (ping):
7. 03:47:01.136180 IP 10.0.0.2 > 10.0.0.1: icmp 64: echo request seq 1
- This ICMP packet is the first echo request (ping) in a sequence:
7. 03:47:01.136180 IP 10.0.0.2 > 10.0.0.1: icmp 64: echo request seq 1
- Line 8 shows 10.0.0.1's reply to 10.0.0.2's ICMP echo request (ping):
8. 03:47:01.136303 IP 10.0.0.1 > 10.0.0.2: icmp 64: echo reply seq 1
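To make the encapsulation in the briefing and the dissection above concrete, here is an added Python example (not part of the lab) that builds the Ethernet frame that would carry the line 7 echo request and then peels the layers apart the way tcpdump does. The IP and MAC addresses come from the capture; the ICMP identifier and payload bytes are constructed.

```python
import socket
import struct

# Constructed sample: the addresses tcpdump showed for the client (10.0.0.2)
# and server (10.0.0.1) in the ARP replies on lines 6 and 18.
CLIENT_MAC = bytes.fromhex("fefd0000154f")
SERVER_MAC = bytes.fromhex("fefd00005ca4")

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; used by both the IP header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request: type 8, code 0, checksum over header + payload."""
    csum = inet_checksum(struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def encapsulate(src_mac, dst_mac, src_ip, dst_ip, icmp: bytes) -> bytes:
    """Layer 3: wrap ICMP in an IPv4 packet; Layer 2: wrap that in an Ethernet frame."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip_hdr + icmp   # EtherType 0x0800 = IPv4

def dissect(frame: bytes) -> dict:
    """Strip the frame header, then the IP header, and verify the ICMP checksum."""
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    icmp = ip[ihl:total_len]
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "l2": {"src": src.hex(":"), "dst": dst.hex(":"), "ethertype": ethertype},
        "l3": {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
               "proto": ip[9], "len": total_len},
        "icmp": {"type": typ, "code": code, "id": ident, "seq": seq, "len": len(icmp),
                 # a message whose checksum is intact sums to zero when re-checksummed
                 "checksum_ok": inet_checksum(icmp) == 0},
    }

def sample_frame() -> bytes:
    # 8-byte ICMP header + 56 constructed payload bytes = the "icmp 64" tcpdump printed
    icmp = build_echo_request(ident=0x1234, seq=1, payload=bytes(range(56)))
    return encapsulate(CLIENT_MAC, SERVER_MAC, "10.0.0.2", "10.0.0.1", icmp)
```

Running `dissect(sample_frame())` shows the same nesting tcpdump summarises on line 7: a 98-byte frame carrying an 84-byte IP packet (protocol 1) carrying a 64-byte ICMP echo request with seq 1.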
[Exercises]
Complete the following exercise, recording your findings, and the procedures used to obtain them in your log.
Note: Before disconnecting from SOFTICE, be sure to shut your virtual hosts down. This procedure is described in Exercise 1-3: Shutdown the Network. This must be done in order to conserve system resources on the SOFTICE cluster.
Exercise 3-1: OSI Model and Timing
1. Start up tcpdump on the observer host.
2. Ping the observer from the client host.
3. In your own words, describe differences in ping times. Did one of the ping times significantly deviate from the rest? Why do you think this is?
4. Select the third captured ICMP reply within a sequence. Draw a diagram illustrating where each protocol that's involved fits into the OSI Model, along with an explanation of each protocol's intercepted data.
5. Shut your virtual hosts down using the procedure described in Exercise 1-3: Shutdown the Network.