Saturday, 26 May 2018

Application Layer

The application layer is the topmost layer of the OSI model. As shown in the figure below, the upper three layers of the OSI model (application, presentation, and session) together define the functions of the single TCP/IP application layer. The application layer is the point at which a human or a piece of software gains access to the network; it is the source and destination of communications across data networks. Application layer applications, services, and protocols let humans interact with the data network in a useful way. Applications are the software programs the user interacts with; they initiate the data transfer at the user's request. Services are programs that run in the background and provide the link between the application layer and the lower layers.


Protocols provide the structure of rules that ensures services running on one device can send data to and receive data from a range of different network devices. Delivery of data packets over the network is requested by a client from a server. In a P2P network, the client/server relationship is decided by which device is the source and which is the destination at the time the connection is established. Conversations are exchanged between the application layer services at both end devices, according to the terms of the protocol, to establish and use these relationships.


[Figure: Application Layer]


TCP/IP Application Layer Protocols


The application layer contains the protocols that end users work with most directly. HTTP (Hypertext Transfer Protocol) is one of the most widely used application protocols; it supports the delivery of web pages to end devices and is the basis of the World Wide Web. When a browser requests a web page, the protocol sends the name of the required page to the server, and the server then sends the requested page back to the client.


SMTP (Simple Mail Transfer Protocol), IMAP (Internet Message Access Protocol), and POP (Post Office Protocol) handle sending and receiving email. SMB (Server Message Block), FTP (File Transfer Protocol) and TFTP (Trivial File Transfer Protocol) allow clients to share files. P2P applications make it easier to share media in a distributed fashion. DNS (Domain Name System) resolves between human-readable names and IP addresses. Clouds are remote locations that host applications and store data, so end users need fewer local resources and can easily access content from a different location. The TCP/IP application protocols specify the format and control information required for many common Internet communication functions. Application layer protocols are used by both the source and destination devices during a communication session. The application layer is what lets hosts work and play over the Internet.


[Figure: Application layer protocols]


Presentation and Session Layer


The Presentation Layer


There are three main functions of the presentation layer.



  1. Translation: Before transmission, data at the source device is formatted, or presented, in a form the destination device can receive. All data is ultimately converted to bit streams. Because different computers use different encoding methods, this layer is responsible for interoperability between them: it translates data between the format the network requires and the format the computer uses.

  2. Encryption: Encrypting data for transmission and decrypting it at the receiving end.

  3. Compression: This layer compresses data in a way that the destination device can decompress. The role of compression is to reduce the number of bits to be transmitted, which matters when transmitting a large file.


The presentation layer formats data for the application layer, and it sets principles for file formats. Some well-known standards for video and graphics format are QuickTime, Motion Picture Experts Group (MPEG), Portable Network Graphics (PNG) format, Graphics Interchange Format (GIF) and Joint Photographic Experts Group (JPEG).


[Figure: Presentation layer]


The Session Layer


The functions of the session layer are to create and maintain sessions between the source and the destination applications. This layer handles the following.



  1. Dialog Control: The session layer allows two hosts to start communicating with each other in half-duplex or full-duplex mode.

  2. Token Management: The session layer prevents two hosts from attempting the same critical operation at the same time.

  3. Synchronization: The session layer allows a process to add checkpoints, which serve as synchronization points, into the stream of data.

Thursday, 24 May 2018

UDP (User Datagram Protocol)

UDP (User Datagram Protocol) is an alternative to the Transmission Control Protocol, used mostly for establishing low-latency, loss-tolerating connections between applications on the Internet. Both UDP and TCP run on top of IP and are sometimes referred to as UDP/IP or TCP/IP. Both protocols send short packets of data, called datagrams.


UDP(User Datagram Protocol) Low Overhead vs Reliability


UDP (User Datagram Protocol) provides the basic transport layer functions. It sends packets with much lower bandwidth overhead and latency than TCP. UDP is not a connection-oriented protocol, so it does not offer the sophisticated retransmission, flow control and sequencing mechanisms that handle lost and out-of-order packets; in other words, UDP does not provide reliability the way TCP does. This does not mean that applications using UDP are inherently unreliable or substandard. It only means that these functions are not provided by the transport layer protocol and must be implemented elsewhere if they are required.


[Figure: User Datagram Protocol]


Because of its low overhead, UDP is the best protocol for network applications in which perceived latency is critical, such as gaming, voice and video communications, which can tolerate some data loss without badly disturbing perceived quality. Unlike TCP, UDP does not establish a connection before sending data; it simply starts sending data whenever required.




UDP Datagram Reassembly


UDP datagrams may reach the destination by different routes, and therefore may arrive out of order. UDP does not use sequence numbers the way TCP does, so it has no mechanism to reorder datagrams into their transmission order.


So UDP delivers the data to the application in the order in which it was received. If the sequence is important to the application, the application must identify the correct order itself (for example with its own sequence numbers) and determine how the data should be processed.


[Figure: UDP datagram reassembly]


UDP(User Datagram Protocol) Server Processes and Requests


UDP-based server applications are also assigned well-known or registered port numbers, just like TCP. When these applications and processes are running on a server, they accept the data addressed to their assigned port number. When UDP receives a datagram destined for one of these ports, it forwards the application data to the proper application based on its port number.


[Figure: UDP server processes]


UDP(User Datagram Protocol) Client Processes


Communication between client and server is initiated by a client application requesting a server process. The UDP client process randomly selects a source port number from the available range of port numbers. The destination port on the server is generally the well-known or registered port number assigned to the server process.


Once the client has selected the source and destination ports, this pair of ports is used in the header of all datagrams of the exchange. When data is returned from the server to the client, the destination and source ports in the datagram header are reversed.

Monday, 21 May 2018

TCP Flow Control - Window Size and Acknowledgment

TCP is the protocol that guarantees a reliable communication channel over an unreliable network. When a host sends data to another host, packets can be lost, they can arrive at the receiving host out of order, the network can be congested, or the receiving node can be overloaded. When we send application data we usually do not have to deal with this complexity: we just write data to a socket, and TCP makes sure the packets are delivered correctly to the receiving node. One of the important services TCP provides for this is TCP flow control.


Flow control governs the quantity of data that the destination host can receive and process reliably. It maintains the reliability of TCP transmission by adjusting the rate of data flow between the source host and the destination host for an established session. To achieve this, the TCP header includes a 16-bit field called the window size.


The figure below illustrates an example of window size and acknowledgments. The window size is the number of bytes that the destination device of a TCP session can accept and process at one time. In this example, host B's initial window size for the TCP session is 1,000 bytes. Starting with the first byte, byte number 1, the last byte host A can send without receiving an acknowledgment is byte 1,000. This is known as host A's send window. The window size is included in every TCP segment, so the receiver can adjust the window size at any time depending on buffer availability.


In the figure, the source is transmitting 1,500 bytes of data within each TCP segment. This is known as the MSS (Maximum Segment Size).


[Figure: TCP flow control, window size]


The initial window size is agreed upon when the TCP session is established during the three-way handshake. The source host must limit the number of bytes it sends to the destination host based on the destination's window size.



Only after the source host receives an acknowledgment that all the bytes have been received at the destination host can it continue sending more data for the session. Usually, the destination host will not wait for all the bytes of its window size to be received before replying with an acknowledgment. As the bytes are received and processed, the destination host sends acknowledgments to inform the source host that it can continue to send additional bytes.


Usually, host B will not wait until all 4,500 bytes have been received before sending an acknowledgment. This means host A can adjust its send window as it receives acknowledgments from host B. As shown in the figure below, when host A receives an acknowledgment with the acknowledgment number 3,001, host A's send window will increase by another 4,500 bytes (the size of host B's current window) to 7,500. Host A can now continue to send up to another 4,500 bytes to host B, as long as it does not send past its new send window at 7,500. The process of the destination host sending acknowledgments as it processes received bytes, and the continual adjustment of the source's send window, is known as sliding windows.


If the availability of the destination's buffer space decreases, it may reduce its window size to tell the source to reduce the number of bytes it sends without receiving an acknowledgment. The window size determines the number of bytes that can be sent before expecting an acknowledgment. The acknowledgment number is the number of the next expected byte.


TCP Flow Control - Congestion Avoidance


When congestion occurs on a network, packets are discarded by the overloaded router. When packets containing TCP segments do not reach their destination, they are left unacknowledged. By measuring the rate at which TCP segments are sent but not acknowledged, the source host can infer a certain level of network congestion.


One of the main principles of congestion control is avoidance. TCP tries to sense signs of congestion before it happens and to reduce or increase the load it places on the network accordingly. Waiting for congestion and then reacting is the worse option, because once a network saturates, it does so at an exponential rate and overall throughput drops enormously. It takes a long time for the queues to drain, and then all the sending hosts repeat the same phase again. By taking a proactive congestion avoidance approach, the pipe is kept as full as possible without the threat of network saturation. The key is for the sending host to recognize the state of the network and of the client, and to control the amount of traffic it injects into the system.


Whenever there is congestion, the source retransmits the lost segments. If retransmission is not properly controlled, the extra retransmitted TCP segments can make the congestion even worse: not only are new packets with TCP segments introduced into the network, but the feedback effect of retransmitting the segments that were lost also adds to the congestion. To avoid and control congestion, TCP employs several congestion management mechanisms, timers, and algorithms.


If the source host determines that TCP segments are either not being acknowledged or not being acknowledged in a timely manner, it can reduce the number of bytes it sends before receiving an acknowledgment. Note that it is the source host that decreases the number of unacknowledged bytes it sends, not the window size determined by the destination. The figure below illustrates TCP congestion control. The acknowledgment number refers to the next expected byte, not to the segment.
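As an added example (not code from the original article), the following Python model walks through the sliding-window arithmetic described above with the article's own numbers: a 4,500-byte receiver window, 1,500-byte segments, and an acknowledgment number of 3,001 moving the send window to 7,500. It also models the congestion-side reaction this section describes, where the sender, not the receiver, cuts the number of unacknowledged bytes it allows itself. The halving-on-timeout rule in on_timeout is an assumption standing in for the congestion algorithms the article does not name; the class, method and key names are constructed here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Segment = Tuple[int, int]  # (sequence number of first byte, length in bytes)


@dataclass
class SlidingWindowSender:
    """Sender side of TCP flow control, in the terms the article uses.

    Byte numbering starts at 1 (the article's simplified ISN).  ``rwnd`` is the
    window size the receiver advertises in every segment; ``cwnd`` is the limit
    the sender imposes on itself when it suspects congestion.  The sender may
    only have min(rwnd, cwnd) unacknowledged bytes outstanding.
    """
    rwnd: int                       # receiver-advertised window (bytes)
    mss: int = 1500                 # maximum segment size (bytes)
    cwnd: int = 10 ** 9             # sender's own limit; effectively unlimited until loss
    next_seq: int = 1               # first byte of the next segment to transmit
    last_ack: int = 1               # next byte the receiver expects (latest ack number)
    in_flight: List[Segment] = field(default_factory=list)

    @property
    def send_window(self) -> int:
        """Highest byte number that may be sent before another ACK arrives."""
        return self.last_ack - 1 + min(self.rwnd, self.cwnd)

    def unacked_bytes(self) -> int:
        return self.next_seq - self.last_ack

    def send_segments(self) -> List[Segment]:
        """Emit MSS-sized segments until the next one would cross the send window."""
        burst: List[Segment] = []
        while self.next_seq + self.mss - 1 <= self.send_window:
            seg = (self.next_seq, self.mss)
            self.in_flight.append(seg)
            burst.append(seg)
            self.next_seq += self.mss
        return burst

    def on_ack(self, ack_number: int, advertised_window: int) -> int:
        """ACK: every byte below ack_number has been received; the receiver may
        grow or shrink its window at the same time.  Returns the new send window."""
        if ack_number > self.last_ack:
            self.last_ack = ack_number
            self.in_flight = [s for s in self.in_flight if s[0] >= ack_number]
        self.rwnd = advertised_window
        return self.send_window

    def on_timeout(self) -> int:
        """No ACK in time: the sender (not the receiver) halves what it allows
        itself, never below one MSS, and resends from the oldest unacknowledged
        byte.  The halving rule is an assumption for this example."""
        self.cwnd = max(self.mss, min(self.rwnd, self.cwnd) // 2)
        self.next_seq = self.last_ack
        self.in_flight = []
        return self.cwnd


def demo() -> Dict[str, object]:
    """Replays the article's numbers: 4,500-byte window, 1,500-byte MSS, ACK 3,001."""
    s = SlidingWindowSender(rwnd=4500, mss=1500)
    first_burst = s.send_segments()                 # bytes 1..4500 in three segments
    unacked = s.unacked_bytes()                     # 4500: the window is full
    window_after_ack = s.on_ack(3001, 4500)         # 3000 bytes acked, window slides to 7500
    second_burst = s.send_segments()                # bytes 4501..7500
    window_after_shrink = s.on_ack(4501, 1500)      # receiver buffer filling: window now 1500
    cwnd_after_timeout = s.on_timeout()             # loss suspected: sender backs off
    return {
        "first_burst": first_burst,
        "unacked_after_first_burst": unacked,
        "window_after_ack_3001": window_after_ack,
        "second_burst": second_burst,
        "window_after_shrink": window_after_shrink,
        "cwnd_after_timeout": cwnd_after_timeout,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two limits are kept separate on purpose: the receiver's advertised window protects the receiver's buffer, while cwnd protects the network, and the sender always honours the smaller of the two.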


[Figure: TCP congestion control, windowing]

Sunday, 20 May 2018

TCP Reliability - The Segment Ordered Delivery

Transmission Control Protocol accepts data from a stream, divides it into small chunks, and adds a TCP header to each, creating a TCP segment. The TCP segment is then encapsulated into an Internet Protocol datagram (IP datagram) and exchanged with peers.


These TCP segments may arrive at their destination out of order. For the original message to be understood by the receiver, the data in these out-of-order segments is reassembled into the original order. To achieve this, a sequence number is assigned in the header of each segment. The sequence number represents the first data byte of the TCP segment.


When the session is established, the initial sequence number (ISN) is set. The ISN represents the starting value for the bytes of this session that are transmitted to the receiving application. As data is transmitted during the established session, the sequence number is incremented by the number of bytes that have been transmitted. This byte-level tracking lets every segment be individually identified and acknowledged, so missing segments can be identified and reported. The ISN is effectively a random number; this is to avoid certain types of malicious attacks. For simplicity, we will use an ISN of 1 in the examples. Sequence numbers indicate how to reassemble and reorder received segments, as shown in the figure.


[Figure: TCP segment ordered delivery]


The receiving TCP process places the data from a segment into a receiving buffer. Segments are placed in the proper sequence order and passed to the application layer once reassembled. Any segments that arrive with out-of-order sequence numbers are held for later processing; when the segments with the missing bytes reach the destination, the held segments are processed in the proper order.
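As an added example, not the article's own code, here is a receive buffer that does what this section describes: segments are keyed by the sequence number of their first byte, in-order data is passed up immediately, out-of-order segments are held until the gap is filled, and retransmitted duplicates are discarded. The same logic is what a UDP application has to implement itself when ordering matters (the UDP post above leaves that to the application), since UDP hands data up in arrival order. ISN 1 follows the article's simplification; the class name, the sample segments and their arrival order are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple


class ReorderBuffer:
    """Receiving buffer that hands data to the application only in sequence order.

    ``isn`` is the initial sequence number (1, as in the article's examples); a
    segment's sequence number is the number of its first data byte, and the
    acknowledgment number is always the next byte the receiver expects.
    """

    def __init__(self, isn: int = 1) -> None:
        self.expected = isn                  # next byte the application needs
        self.held: Dict[int, bytes] = {}     # out-of-order segments, keyed by seq

    def receive(self, seq: int, data: bytes) -> bytes:
        """Accept one segment; return whatever can now be passed up in order."""
        if seq < self.expected:
            # Overlaps data already delivered (a retransmission): drop the old part.
            overlap = self.expected - seq
            if overlap >= len(data):
                return b""               # pure duplicate, nothing new
            data, seq = data[overlap:], self.expected
        if seq > self.expected:
            self.held[seq] = data        # a gap precedes it; hold for later
            return b""
        delivered = bytearray(data)
        self.expected += len(data)
        # The gap is closed: drain every held segment that now follows contiguously.
        while self.expected in self.held:
            chunk = self.held.pop(self.expected)
            delivered += chunk
            self.expected += len(chunk)
        return bytes(delivered)

    def ack_number(self) -> int:
        """Acknowledgment number to send: the next byte expected."""
        return self.expected

    def missing_range(self) -> Optional[Tuple[int, int]]:
        """Byte range still outstanding while later segments are held, else None."""
        if not self.held:
            return None
        return (self.expected, min(self.held) - 1)


def reassemble(arrivals: List[Tuple[int, bytes]], isn: int = 1) -> Tuple[bytes, List[int]]:
    """Feed segments in arrival order; return the in-order stream and each ACK sent."""
    buf = ReorderBuffer(isn)
    stream = bytearray()
    acks: List[int] = []
    for seq, data in arrivals:
        stream += buf.receive(seq, data)
        acks.append(buf.ack_number())
    return bytes(stream), acks


# Constructed arrival order: the second segment (bytes 6..10) arrives last.
SAMPLE_ARRIVALS = [
    (1, b"GET /"),
    (11, b" HTTP"),
    (16, b"/1.1\r\n"),
    (6, b"index"),
]

if __name__ == "__main__":
    stream, acks = reassemble(SAMPLE_ARRIVALS)
    print(stream, acks)   # the ACK number stays at 6 until the gap at byte 6 is filled
```

The repeated acknowledgment number 6 in the sample run is the signal the sender uses to notice that bytes 6 through 10 never arrived, which is exactly the "missing segments can be identified and reported" behaviour the section describes.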

TCP Three-way Handshake

The TCP three-way handshake, also called the TCP handshake, three-message handshake, or SYN, SYN-ACK, ACK, is the method TCP uses to set up a TCP/IP connection over an IP-based network. It is often referred to as the SYN, SYN-ACK, ACK technique because three messages are transmitted by TCP to negotiate and start a TCP session between two hosts.


Hosts on the network track each data segment within a session and exchange information about what data has been received using the information in the TCP header. TCP is a full-duplex protocol, where each connection represents two one-way communication streams, or sessions. To establish the connection, the hosts perform a TCP three-way handshake. Control bits in the TCP header indicate the progress and status of the connection.


The TCP handshaking mechanism is designed so that two hosts attempting to communicate can negotiate the parameters of the TCP socket connection before transmitting data. The three-way handshake is also designed so that both ends can initiate and negotiate separate TCP socket connections at the same time. Being able to negotiate multiple TCP socket connections in both directions at the same time allows a single physical network interface, such as Ethernet, to be multiplexed to carry multiple streams of TCP data simultaneously.




The steps of the TCP three-way handshake



  • Host A sends a TCP SYNchronize packet to Host B. This establishes that the destination device is present on the network.

  • Host B receives A's SYN and replies with a SYNchronize-ACKnowledgement (SYN-ACK). This verifies that the destination device has an active service and is accepting requests on the destination port number that the initiating host intends to use.

  • Host A receives Host B's SYN-ACK and sends an ACKnowledge. This informs the destination device that the source host intends to establish a communication session on that port number.

  • Host B receives Host A's ACK, and the TCP socket connection is ESTABLISHED.


The figure illustrates the step of the three-way handshake.


[Figure: TCP three-way handshake]


After the data transfer is completed, the sessions are closed and the connection is terminated. The connection and session mechanisms enable TCP's reliability function. Here another 3-way communication is performed to tear down the TCP socket connection. This setup and teardown of a TCP socket connection is part of what qualifies TCP as a reliable protocol. TCP also acknowledges that data has been successfully received and guarantees that the data is reassembled in the correct order.

Monday, 14 May 2018

TCP Server Processes

All application processes running on a server are configured to use a different port number. The port can be assigned by default or manually by a network administrator. A server cannot have two services assigned the same port number within the same transport layer protocol. For example, a host running an FTP server and a web server cannot have both configured to use the same port (for example, TCP port 80 for both, or FTP's port 21 for both).


When an active server application is assigned a specific port, that port is considered open, which means the transport layer accepts and processes segments addressed to that port number. Every incoming client request addressed to the correct socket is accepted, and the data is passed to the application on the server. Many ports may be open at the same time on a server, one for each active server application.


TCP Connection Establishment


Shake hands! When two people meet, they often greet each other by shaking hands. Both understand the handshake as a sign of a friendly welcome. Connections on the network are similar to this handshake.




A TCP connection between a host and a server, or between two hosts, is established in three steps:


Step 1 - The initiating client requests a client-to-server communication session with the server.


Step 2 - After receiving the request, the server acknowledges the client-to-server communication session and requests a server-to-client communication session.


Step 3 - The initiating client acknowledges the server-to-client communication session.




[Figure: TCP Connection Establishment]


In the figure, you can see the TCP connection establishment.   


TCP Session Termination


To close a connection, the FIN control flag must be set in the segment header. To end each one-way TCP session, a two-way handshake consisting of a FIN segment and an acknowledgment (ACK) segment is used. So, to terminate a single TCP conversation, four exchanges are required to end both sessions.


Step 1 - When Host-A has sent all its data and no more data remains to send in the stream, it sends a segment with the FIN flag set to Host-B.


Step 2 - Host-B sends an ACK to acknowledge receipt of the FIN, which finishes the session from Host-A to Host-B.


Step 3 - Host-B sends a FIN to Host-A to finish the Host-B to Host-A session.


Step 4 - Host-A responds with an ACK to acknowledge the FIN from Host-B.


When all segments have been acknowledged, the session is closed.


The Figure below illustrates the TCP session termination process.




[Figure: TCP Session Termination]
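Added example, not code from the article: a small two-endpoint state machine that runs the three-way handshake and the four-segment termination described in this and the previous post, recording the state each host is in after every segment. The endpoint names, the transition table in receive and the exchange relay helper are constructed for the example; the state names follow the TCP standard (netstat displays LISTEN as LISTENING).

```python
from typing import FrozenSet, List, Optional, Tuple

Flags = FrozenSet[str]
SYN, ACK, FIN = frozenset({"SYN"}), frozenset({"ACK"}), frozenset({"FIN"})


class TcpEndpoint:
    def __init__(self, name: str) -> None:
        self.name = name
        self.state = "CLOSED"
        self.history: List[str] = ["CLOSED"]   # every state this end has been in, in order

    def _go(self, state: str) -> None:
        self.state = state
        self.history.append(state)

    def listen(self) -> None:
        """Passive open: a server process bound to a port waits for a SYN."""
        assert self.state == "CLOSED"
        self._go("LISTEN")

    def connect(self) -> Flags:
        """Active open: the client sends SYN (handshake step 1)."""
        assert self.state == "CLOSED"
        self._go("SYN_SENT")
        return SYN

    def close(self) -> Flags:
        """The application has no more data: send FIN to end our one-way session."""
        if self.state == "ESTABLISHED":
            self._go("FIN_WAIT_1")     # we are the first to close
        elif self.state == "CLOSE_WAIT":
            self._go("LAST_ACK")       # the peer closed first; now we close our side
        else:
            raise RuntimeError(f"{self.name}: close() not valid in {self.state}")
        return FIN

    def timeout(self) -> None:
        """TIME_WAIT expires (2*MSL in a real stack); the connection is fully closed."""
        assert self.state == "TIME_WAIT"
        self._go("CLOSED")

    def receive(self, flags: Flags) -> Optional[Flags]:
        """Apply an incoming segment's control bits; return the reply segment, if any."""
        table = {
            ("LISTEN", SYN): ("SYN_RECEIVED", SYN | ACK),   # step 2: SYN-ACK
            ("SYN_SENT", SYN | ACK): ("ESTABLISHED", ACK),  # step 3: ACK
            ("SYN_RECEIVED", ACK): ("ESTABLISHED", None),   # step 4: connection up
            ("ESTABLISHED", FIN): ("CLOSE_WAIT", ACK),      # peer's FIN acknowledged
            ("FIN_WAIT_1", ACK): ("FIN_WAIT_2", None),      # our FIN acknowledged
            ("FIN_WAIT_2", FIN): ("TIME_WAIT", ACK),        # peer's FIN acknowledged
            ("LAST_ACK", ACK): ("CLOSED", None),            # our FIN acknowledged
        }
        key = (self.state, frozenset(flags))
        if key not in table:
            raise RuntimeError(f"{self.name}: unexpected {sorted(flags)} in {self.state}")
        new_state, reply = table[key]
        self._go(new_state)
        return reply


def flag_text(flags: Flags) -> str:
    return "-".join(f for f in ("SYN", "FIN", "ACK") if f in flags)


def exchange(sender: TcpEndpoint, receiver: TcpEndpoint,
             flags: Optional[Flags], trace: List[str]) -> None:
    """Relay a segment and every reply it provokes until one side stays silent."""
    while flags is not None:
        reply = receiver.receive(flags)
        trace.append(f"{sender.name} -> {receiver.name} [{flag_text(flags)}]  "
                     f"{receiver.name} now {receiver.state}")
        sender, receiver, flags = receiver, sender, reply


def simulate_session() -> Tuple[List[str], TcpEndpoint, TcpEndpoint]:
    """Full lifecycle: three-way handshake, then four-segment termination started by Host-A."""
    a, b = TcpEndpoint("Host-A"), TcpEndpoint("Host-B")
    trace: List[str] = []
    b.listen()
    exchange(a, b, a.connect(), trace)   # SYN, SYN-ACK, ACK
    exchange(a, b, a.close(), trace)     # FIN from A, ACK from B: A -> B session ends
    exchange(b, a, b.close(), trace)     # FIN from B, ACK from A: B -> A session ends
    a.timeout()                          # A leaves TIME_WAIT
    return trace, a, b


if __name__ == "__main__":
    for line in simulate_session()[0]:
        print(line)
```

Because every transition is looked up in an explicit table, a segment that does not fit the current state raises instead of being silently accepted; that is the property a real stack relies on to reject a stray ACK or FIN that does not belong to an open connection.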

Tuesday, 8 May 2018

The netstat Command

Unexplained TCP connections can create a major security risk. They can show that something or someone is connected to the local host. Sometimes it is necessary to know which active TCP connections are open and running on a networked host. Netstat is a useful network tool for checking and verifying those connections.


The netstat command can show particulars about individual network connections, overall and protocol-specific networking statistics, all listening ports, along with incoming and outgoing network connections and much more, all of which could help troubleshoot certain kinds of networking issues. By default, the netstat command will try to resolve IP addresses to domain names and port numbers to well-known applications.


There are various ways a system administrator might use the assortment of switches available for the netstat command. I will give complete details in this article.




Open the Command Prompt and execute the netstat command alone to show a comparatively simple list of all active TCP connections which, for each one, will show the local IP address, the foreign IP address, along with their relevant port numbers, as well as the TCP state.


Netstat Command Syntax


netstat [-a] [-b] [-e] [-f] [-n] [-o] [-p protocol] [-r] [-s] [-t] [-x] [-y] [time_interval] [/?]

Switches for Netstat command


Switch      Description

-a          Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.

-b          Displays the executable involved in creating each connection or listening port. This switch was added in Windows XP SP2.

-e          Displays Ethernet statistics: the number of bytes and packets sent and received, including unicast packets, non-unicast packets, discards, errors, and unknown protocols, since the connection was established.

-f          Forces netstat to display the fully qualified domain name (FQDN) for each foreign host IP address when possible.

-n          Shows active TCP connections with addresses and port numbers expressed numerically. Skipping name resolution can significantly decrease the time netstat takes to finish.

-o          Displays active TCP connections and includes the process ID (PID) of each connection. You can find the application from its PID on the Processes tab in Windows Task Manager. This switch can be combined with -a, -n, and -p.

-p proto    Shows connections or statistics only for the given protocol. You cannot specify more than one protocol at once, nor run netstat with -p without naming a protocol. proto may be TCP, UDP, TCPv6, or UDPv6. When -s is combined with -p to view statistics by protocol, proto may also be icmp, ip, icmpv6, or ipv6.

-r          Displays the contents of the IP routing table. This is equivalent to the route print command.

-s          Displays statistics per protocol. By default, statistics are shown for the TCP, UDP, ICMP, and IP protocols. If IPv6 is installed, statistics are also shown for the TCP over IPv6, UDP over IPv6, ICMPv6, and IPv6 protocols. The -p switch can be used to select a protocol, but be sure to put -s before -p proto when using the two together.

-t          Shows the current TCP offload state in place of the usually displayed TCP state.

interval    An integer: redisplays the results every interval seconds until stopped with Ctrl+C. The default is to display once.

/?          Shows help for the netstat command's options.

Netstat Command Examples


netstat -f


This is an example of netstat with the -f switch. I execute netstat to show all active TCP connections, but I want to see the computers I'm connected to in FQDN format (-f) instead of as plain IP addresses.


Here's an example of what you might see:


C:\User\Muhammad>netstat -f

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:49216        Muhammad-PC:49328      ESTABLISHED
  TCP    127.0.0.1:49328        Muhammad-PC:49216      ESTABLISHED
  TCP    192.168.58.101:49273   .:https                CLOSE_WAIT
  TCP    192.168.58.101:49322   wo-in-f188.1e100.net:5228  ESTABLISHED
  TCP    192.168.58.101:49726   51.143.22.239:http     SYN_SENT
  TCP    192.168.58.101:49727   xx-fbcdn-shv-02-sin6.fbcdn.net:https  ESTABLISHED
  TCP    192.168.58.101:49728   edge-star-mini-shv-02-sin6.facebook.com:https  ESTABLISHED
  TCP    192.168.58.101:49729   edge-star-mini-shv-02-sin6.facebook.com:https  TIME_WAIT
  TCP    192.168.58.101:49730   182.176.35.18:https    TIME_WAIT
  TCP    192.168.58.101:49731   182.176.35.18:https    ESTABLISHED
  TCP    192.168.58.101:49736   xx-fbcdn-shv-02-sin6.fbcdn.net:https  TIME_WAIT
  TCP    192.168.58.101:49737   182.176.35.17:https    ESTABLISHED
  TCP    192.168.58.101:49739   18.55.c0ad.ip4.static.sl-reverse.com:https  ESTABLISHED
  TCP    192.168.58.101:49740   18.55.c0ad.ip4.static.sl-reverse.com:https  ESTABLISHED
  TCP    192.168.58.101:49741   edge-star-shv-02-sin6.facebook.com:https  SYN_SENT
  TCP    192.168.58.101:49742   edge-star-shv-02-sin6.facebook.com:https  ESTABLISHED



The command shows that there are 16 active TCP connections at the time of execution. The only protocol listed in the Proto column is TCP; if UDP sockets are required as well, use the -a switch, combined with -n to reduce execution time.


netstat -an


C:\User\Muhammad>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:49158        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:49158        127.0.0.1:49214        ESTABLISHED
  TCP    192.168.58.103:49695   178.255.83.1:80        TIME_WAIT
  TCP    192.168.58.103:49696   23.46.123.27:80        ESTABLISHED
  TCP    192.168.58.103:49697   178.255.83.1:80        TIME_WAIT
  TCP    192.168.58.103:49708   93.184.220.29:80       ESTABLISHED
  TCP    192.168.58.103:49730   50.97.63.217:443       CLOSE_WAIT
  TCP    192.168.58.103:49731   50.97.63.217:443       ESTABLISHED
  TCP    192.168.58.103:49732   216.58.208.68:80       ESTABLISHED
  TCP    192.168.58.103:49733   216.58.208.68:80       TIME_WAIT
  TCP    192.168.58.103:49741   52.20.224.89:443       ESTABLISHED
  TCP    192.168.58.103:49742   52.20.224.89:443       TIME_WAIT
  TCP    192.168.58.103:49757   192.169.80.98:80       TIME_WAIT
  TCP    192.168.58.103:49758   192.169.80.98:80       ESTABLISHED
  TCP    192.168.58.103:49759   172.217.19.34:80       TIME_WAIT
  TCP    192.168.58.103:49760   172.217.19.34:80       ESTABLISHED
  TCP    192.168.58.103:49763   35.187.117.15:80       TIME_WAIT
  TCP    192.168.58.103:49838   52.221.160.235:443     ESTABLISHED
  TCP    192.168.58.103:49839   52.221.160.235:443     ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    [::1]:62889            *:*
  UDP    [fe80::71dd:e26c:b955:52be%12]:546  *:*
  UDP    [fe80::71dd:e26c:b955:52be%12]:1900  *:*



The output of the netstat -an command above includes the protocol, the local address and port number, the foreign address and port number, and the connection state. The different connection states are explained below:


State          Description

LISTENING      The server is ready to accept a connection.

CLOSED         The server has received an ACK from the client and the connection is now closed.

CLOSE_WAIT     The server has received the first FIN from the client and the connection is in the process of being closed.

ESTABLISHED    The server has received the SYN from the client and the session is now established.

FIN_WAIT_1     The connection is still active but not currently in use.

FIN_WAIT_2     The client has received acknowledgment of its first FIN from the server.

LAST_ACK       The server is in the process of sending its own FIN.

SYN_SENT       This particular connection is open and active.

SYN_RECEIVED   The server has just received a SYN from the client.

TIME_WAIT      The client recognizes the connection as still active but not currently being used.
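As an added example (not part of the article), the following Python script parses netstat -an output in the format shown above and reduces it to what an administrator checks first when an unexplained connection is suspected: which TCP ports are listening, how many connections are in each state, and which remote hosts are currently connected. SAMPLE_OUTPUT is a constructed subset of the article's own listing; the record and function names are assumptions made here, and on a live system you would feed the real command output into parse_netstat.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the article's `netstat -an` listing (a subset of its rows).
SAMPLE_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:49158        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:49158        127.0.0.1:49214        ESTABLISHED
  TCP    192.168.58.103:49696   23.46.123.27:80        ESTABLISHED
  TCP    192.168.58.103:49730   50.97.63.217:443       CLOSE_WAIT
  TCP    192.168.58.103:49731   50.97.63.217:443       ESTABLISHED
  TCP    192.168.58.103:49733   216.58.208.68:80       TIME_WAIT
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    [::1]:62889            *:*
  UDP    [fe80::71dd:e26c:b955:52be%12]:1900  *:*
"""


@dataclass(frozen=True)
class Conn:
    proto: str
    local_addr: str
    local_port: Optional[int]
    foreign_addr: str
    foreign_port: Optional[int]
    state: str          # "" for UDP, which has no state column


def split_endpoint(text: str) -> Tuple[str, Optional[int]]:
    """'192.168.58.103:49696' -> ('192.168.58.103', 49696); '[::]:445' -> ('[::]', 445);
    '*:*' -> ('*', None).  Splitting on the last colon keeps bracketed IPv6 intact."""
    addr, _, port = text.rpartition(":")
    return addr, (int(port) if port.isdigit() else None)


def parse_netstat(output: str) -> List[Conn]:
    """Turn the text table into records; banner, blank and header lines are skipped."""
    conns: List[Conn] = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""   # a PID column from -o, if present, is ignored
        la, lp = split_endpoint(local)
        fa, fp = split_endpoint(foreign)
        conns.append(Conn(proto, la, lp, fa, fp, state))
    return conns


def summarize(conns: List[Conn]) -> Dict[str, object]:
    """The first three questions in a connection triage: what is listening,
    what state are the TCP connections in, and which remote peers are connected."""
    listening = sorted({c.local_port for c in conns
                        if c.state == "LISTENING" and c.local_port is not None})
    by_state = Counter(c.state for c in conns if c.proto == "TCP")
    remote_peers = sorted({f"{c.foreign_addr}:{c.foreign_port}" for c in conns
                           if c.state == "ESTABLISHED" and not c.foreign_addr.startswith("127.")})
    return {
        "listening_tcp_ports": listening,
        "tcp_by_state": dict(by_state),
        "remote_peers": remote_peers,
        "udp_sockets": sum(1 for c in conns if c.proto == "UDP"),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_netstat(SAMPLE_OUTPUT)).items():
        print(f"{key}: {value}")
```

Loopback peers are filtered out of remote_peers because they are the machine talking to itself; everything left is a host on the network that is holding an open session with this computer, which is the list to compare against what you expect to be running. Because the parser only reads the first four columns, it also works on netstat -ano output, where the PID is appended as a fifth column.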