So, this is an overview session as well as a clarification session. What I would like to hear from you is about the lab yesterday. Is there something you would like to convey in terms of the exercise? Because, as I said, it is difficult: people have come from different backgrounds, some have not seen tcpdump up front, some don't know at all the way the lab is designed, whatever it is. So if there is some feedback which you can convey... again, I always emphasize that feedback is very important, because whatever feedback you provide, I can refine the lab such that later, when the main workshop is going to be organized, it is easier for them to get on with the lab. So it should be with that in mind. If there is something... I know that maybe I felt at the end that I should have provided an overview of each lab, which I will do from now on. But any feedback?

Again, it is like the typical classroom of 250 people: 10 percent are highly motivated, maximum 70 percent were just trying to do something, and so experiment number 1, 2, 3 most of us could attempt, but the 4th very few attempted actually, and we couldn't get the time to attempt the 4th one. That is what my observation is.

Okay, so as I said, when I designed it I had put it slightly such that someone who knows it can definitely finish it before time; for someone who is starting to learn the stuff, maybe it is a bit on the higher side. In fact this exercise is less than what I normally give, but that is because a lot of our students are familiar with a lot of the systems like Linux and shell scripting; they have already had some experience with tcpdump and Wireshark, so for them it is easier. That said, yes, when you are catering you always tend to add extra so that whoever has the time will do the extra; whoever... some learning has to happen, that is the final goal. In terms of the difficulty level, did people find it very difficult, or is it all right?
There is the Windows operating system in our university, so there was no Unix or Linux practice in our university. That is why there was a problem: you have given commands in Unix and Linux, so I was not familiar with that. So again, the students or participants who are coming will also face problems, because they wish or they would want that... so there should be some Windows implementation of these commands or practice on the networking, because Windows is more popular and is the thing which they handle in their colleges more. So some networking assignments or networking lab assignments on Windows should be there.

Okay, so in that context let me ask you a question. How many of you... I know the majority of you are Windows users. Cygwin, people use on Windows extensively, like you yourself, Cygwin... you know the installation of Cygwin and stuff, you have done it before? No? Okay. So, well, anyway, I mean with a Linux system I thought the installation is kind of straightforward and it comes with it. In Windows, installation of many of these, like NS2 and all, I wouldn't say it is difficult, but it is a little bit more involved than the Linux installation. I thought it would make your life easy installing the packages on Linux rather than on Windows. But that said, let me look into it. See, even in Windows, when you are using NS2, the terminal that you open will again be a Linux kind of terminal; it will be a Cygwin terminal where again you have to use cd, whatever. You see, because the tools are like that, you cannot get away with not having it, because these are developed in academia, and Linux is open source, so they tend to custom fit most of them for that. But the point is well taken; let me look into it to see if something can be done on the Windows system as well.

Yes, the questions are very good and it's very good to give a puzzle for the mind, but one thing that I think: in Bodhi Tree there must be a link for submission of the assignment
and there must be some grading scheme before opening the solution to others. It may be opened the next day or later, but if it has been evaluated then it can be a better approach.

I agree totally. Let me make a few other points in that context. So this lab exercise, we had two versions. There was one version which you have not seen; the original version was a very spoon-feeding kind of exercise, where you tell: open the terminal, type cd, run this command, open Wireshark, go through the trace, click on the first packet, look at this field, what does it do, or some such kind of very spoon-feeding type of version of the lab. That one is also there, but then I felt, when you have a spoon-feeding thing it makes life very easy, definitely; you just have to follow the instructions and do it. What I have seen with my own students who have done this lab is they do it, they finish much faster, and then later we have what is called an evaluation of the lab, where we test what it is that they understood as part of the lab, and many of them just don't seem to understand why they did the lab in the first place. I mean, what is the goal of the lab, what is the objective of the lab? Then we scratched all these spoon-feeding type lab exercises and went into this mode where you ask the students themselves to design the experiment. That is when they appreciate what it is that they have done; they tend to appreciate, oh, because this was the goal, I designed the experiment and that is what I am actually expected to watch. So some of these labs have been designed with that goal in mind. But when it comes to designing lab experiments on your own, time is at a premium. In other words, especially for someone who doesn't have any background, if you ask them to start designing an experiment... the same lab, if I had given you, let's say, seven hours or six hours, I'm sure you'd do an outstanding job of completing the assignment and so on. But again everything is packed, so if
I give three hours, maybe things are not as confusing and whatever. But I mean there is a deliberation: if you do it you will feel happy, but maybe you may not learn much. If in this lab I give a goal and ask you to do it, then it'll be a challenging thing; you may not finish the assignment on time, but then you are learning something. The point I wish to emphasize here is, whatever happens, this is not the ending point; your learning has not stopped once the clock hit five. The idea is you understood what the goal of the experiment is, you know what the method is; redo it, I mean take additional time, try to finish the portion, relook at the assignment and go through it once more, understand it well. And then when you're introducing it, because there is a timing constraint at this workshop, for example, when you're redoing it in your own college with your own students, just give one... I mean this had four questions or three questions; just give one question in a lab, let them take how much time they want, finish it, then the next day you give another question, whatever it takes for them to do it. So that was the goal in mind when this assignment was given. But that said, I do understand that it takes time; it's not a straightforward thing. Because we are constrained in time, I'm trying to push things. That's one of the reasons. I just want you to understand; that's the thought process that went behind it.

I'm Manmohan Sharma from FET Modi Institute of Technology. Actually a few of the software are not in store, like Wireshark, because it is giving some error. Apart from that, a few of the commands also we are running for the first time, like tcpdump, so we do not have any idea about what we need to analyze out of this one, how we need to analyze. So that is the problem we are facing.

Sure, so that point is noted. So what I will do is, in this lab, I'm going to spend a little bit of time, like maybe 15 minutes, explaining some of the stuff just to get you started. That I will do
henceforth. Any other?

Thank you for, you know, extending this help, because yesterday we were totally blank, and because we're not exposed much to the Linux environment. So that is what my request is: that before going to the lab, if you have an overview of the tools that we're going to use for the lab and, you know, the bit stuffing, all those commands or kind of headers, then we can do it better and we can understand the concept much better. That is what my request is.

Sure, yeah. So anyway, since you have already had the experience I'll just provide you an overview, but going forward with the main workshop I will address how to tackle it. At your remote center, what you're doing, maybe you will have to provide an overview session; maybe I'll prepare the slides for the overview session and pass it to you, and maybe you can make their lives easier.

Okay, so what we are going to do is... today's lab is a continuation of demultiplexing and we will also look into ARP. So these are the two things that we are going to look at. Before I get into the details, let me also tell, which I'm sure you have figured out by now, but let me emphasize: the way many of these lab exercises are to be done is you have to collect a trace. In order to collect a trace, one of the first things you should do is run tcpdump. Now tcpdump is a very sophisticated tracing tool. If you just run tcpdump, it collects all the packets that it sees, that the host receives; most of them are broadcasts that it is receiving. So it collects a variety; you'll see the screen scrolling very fast, so a huge number of packets that you are collecting. Naturally there are too many packets; it's not easy to evaluate. You want to focus on packets of interest, so for this tcpdump provides these very nice filters. So you saw some of the filters like host, source and destination port; you can specify the type of packet, whatever it is. So you have to put a filter. Now if I were to give away what the filter is,
you don't really understand or appreciate the role of tcpdump. But you're free to Google around, search Google for what filter to use, whatever it is; I'm saying you should put in some effort to figure out what the filter is. So the typical way is: open a terminal, then you run tcpdump with some filters. What filter to use will vary from experiment to experiment; you have to figure out what these filters are. So this is happening in one terminal. Then in another terminal you do some activity. This activity is again a function of the experiment. For example, in the previous lab, wget was an activity that you got, because using wget you are trying to download an HTML page from a particular server and you want to capture what the packets exchanged as part of this wget are. ssh is another activity; you may want to open multiple ssh connections. So in today's lab, when you are doing demultiplexing, one of the problems you will see is you will try to open two ssh connections between the same source and the same destination and kind of figure out how the source and the destination distinguish between these two ssh sessions. So that is the problem statement and you have to design an experiment for that. So for us there's tcpdump, and then the activity will involve you opening the ssh sessions, and once you are done with this activity you terminate your tcpdump and then you use Wireshark. By the way, when you do this tcpdump you have to save the trace into a file; typically -w is the option you use. So in Wireshark you open the file, and now once you open it you can go through what the sequence of packets is, and again, as I said, your filters are very important here, because you want to focus on the packets of interest; you don't want to look at other packets. So this is the typical setup for many of these experiments that you are going to see. Okay, demultiplexing: the first portion, as I said, is ssh. I think given your practice in the previous lab this should not
create any problems. Then there are... so there are overall three exercises. The first one is this ssh-based demultiplexing, and there are two exercises on ARP. People know what ARP does, right? I don't have to explain it, but let me just make it a one-liner. ARP is a protocol that is used to obtain the MAC address corresponding to a given IP address. So if I, for example, want to send a packet to a specific destination, before I send the packet out on the link layer I need to specify what the destination MAC address is, for which I need to find out what the MAC address corresponding to that specific IP address is. Now, whenever you send a packet... so in this exercise, again, there are two exercises within this. As I said, the first exercise is a combination of how forwarding works in conjunction with ARP. So what happens here is there is the concept of hosts within the same subnet, hosts in different subnets, and non-existent hosts; in other words, these hosts are not up, it's not a valid IP address. Okay, so these are the three things that are there. Now, hosts within the same subnet means hosts that are in the same lab; they share the same subnet mask. So if you look at it, I mean the subnet is 10.105.*.*; this is the same across NSL, OSL, NSL, NX; they're all part of the same subnet. Okay, so these are all the hosts that are within the same subnet. Now when you're sending a packet to a host within the same subnet, the MAC address will correspond to that of the destination directly, because it's within the same subnet. But on the other hand, if you're sending a packet to a host that is outside the subnet, the MAC address will correspond to that of the router, right? So this is something you should see in practice. So when you do this experiment within the same subnet, you will see that the destination IP and MAC combination will be the same as that of your destination, whereas in the other case the destination IP will correspond to something that is outside your subnet, whereas the
MAC address will correspond to your next-hop router. So this is an activity that you're going to do. And when you try to ping a non-existent host, what happens? So again I will not reveal the surprise; you figure it out yourself. So what does ARP do? Here I'm telling ARP: find out the MAC address corresponding to this IP address, but the machine with that IP address is not up. Now what does ARP do then? So that is also something you're going to figure out. Okay, so that I will leave. The other thing which we are also going to focus on, the third exercise, is this gratuitous ARP. I mentioned this again in the videos briefly, so let me tell at a high level what a gratuitous ARP is. Sometimes, for certain functionality, like for example detecting duplicate IP addresses, or for network functionality, you tend to generate a gratuitous ARP. A gratuitous ARP is an ARP which you are generating by yourself to inform others what your IP versus MAC pairing is. In other words, no one asked for it, but you are just telling them that this is my IP address, this is my MAC address. Okay, it has certain functionality; you look it up in the slides, I don't want to go into the details. So what we are going to use is a tool called arping. This is the tool that we are going to use to generate a gratuitous ARP. So you should definitely look at the man pages, but just to make things convenient for you I have given how to use this particular command, arping. This arping can be used to generate an ARP request as well as an ARP reply. By which I mean the packet that you are going to send is an ARP packet; in both it's the same information it is carrying, which is: this is my IP address, this is my MAC address. But you can send it in the form of an ARP request packet or in the form of an ARP reply packet, so based on this, people are going to make note of the particular information. So what you are going to see here is these ARP requests and ARP replies, how do they differ and how does this gratuitous
ARP work. So that is what this is going to test. A point again I want to mention here is, I did mention something about ARP spoofing. So what often this gratuitous ARP does is it is used in the context of ARP spoofing. In other words, what people do is: I'm an attacker, and let's say there is a victim; what I will announce when I do a gratuitous ARP is the victim's IP address, and I give my own attacker's MAC, saying I am the MAC corresponding to the victim's IP address, so that all packets for the victim will then come to me. So this is ARP spoofing, which is done based on gratuitous ARP. You are not going to do spoofing; in fact this arping command will not permit you to. It's a user-level thing; you cannot set someone's IP address to your MAC and do it. All this arping does is you can generate a gratuitous ARP for your own IP address; you cannot generate one for someone else's with your MAC. So as part of this exercise you are going to generate a gratuitous ARP for your own IP address with your own MAC. Okay, though you can potentially do it, that's a hack; we are not covering that here. So this is more or less what today's lab is about. Hopefully this will get you started and you can evaluate what is happening through the traces. Any questions on this?

Madam, you told that when these two hosts are within the same subnet, then when you get the MAC address of the next hop you will get the MAC address of the destination. But even when these two hosts are in the same subnet, the packets must be going via a switch, so the next-hop address should be the MAC address of the switch?

Switches are transparent. Switches don't have a MAC address... they may have a MAC address for what is called configuration of the switch. So switches are transparent, in that what they do is they get the packet and they have a routing thing and they're just going to send it out on that interface. So more or less it goes to the... if it's a broadcast packet it'll reach
everyone; otherwise it'll go through the... you're not targeting... switches are transparent in that you're not targeting the packet to the switch for any evaluation. It'll just look at the packets and kind of forward it. That is why they're called transparent switches, because you're not directing it to them. But switches do have a MAC address; that is more for... switches will have a MAC address as well as an IP address, that is more for network management, for you to log into the switch, set its parameters, so on and so forth, where the destination is specifically the switch. But if you're sending a packet, switches are transparent; they are not going to do anything to your packet, they'll just follow.

I want to ask how to configure that proxy ARP. In case we don't have direct communication with the destination, we can't ask what the MAC address is. By textbook we just tell the students that we can configure a proxy ARP, but exactly where is it configured? Is it configured in the gateway or router or in any server?

So conceptually any machine which is part of the same subnet you can configure as a proxy ARP. What it is basically doing is it is acting on behalf of some other machine. For example, host A wants to find out what the IP address, the MAC address, of host C is, but host C is not within the particular subnet. Now what you do is, host B, you delegate it, saying that when someone asks for host C, you pass on your MAC address so that you get the packets corresponding to host C at B; then B's responsibility is to pass it to the other. I mean you can configure it on your actual host itself.

So is it like configuring an access control list in one system or all the other systems?

Access control, no. There is a setup for it. I mean I have not done a proxy ARP setup myself, but there are certain commands you have to... so a regular desktop can also be converted; you can convert it
into it. It need not be... I mean, most routers also provide that functionality, most switches also provide that functionality, even a desktop provides that functionality, and so there is a set of commands which you use to convert it. What the exact command sequence is I don't know, but just Google it, you will.

So is it through HyperTerminal we do the configuration?

Oh, it's just like, for example, brctl is a bridge command; just like that there will be a command to do this also. But as I said, I don't... I mean it's in Linux, and I don't know in Windows; in Linux there'll be a bunch of commands you have to execute to convert the thing. So it's just a bunch of commands, there is nothing more sophisticated. What the set of commands is, I don't know of.

Thank you. Yesterday while doing the last question, the fourth question, the SSH one, we were trying to analyze the packets in Wireshark. Initially we got the ARP request packet, but we were waiting for the ARP response packet. Initially we thought maybe the number of packets that we had actually dumped was very less, 40 packets. Then I tried to see the cache table in the local machine, and the cache table is already maintaining the MAC address of the next machine that I'm doing SSH to. So I thought maybe that is why I'm not getting the response, so I again cleared the cache table and reran for quite a few minutes. Still, it's interesting, I don't know; it should not be an anomaly of such form, but I had seen that the ARP request packet I get, but the ARP response packet still I do not get.

Who is generating this ARP request?

Initially I started a fresh connection with my other machine, so I can see the ARP request being pushed to the next machine, the broadcast. Yes, I can see that. The problem is, we had observed... we had run the practical many times thinking maybe something is wrong, but till the end we end up getting the connection, but we don't find the ARP response packet. The request packet we can see, the details of the ARP request
packet, but we could not end up finding the ARP response packet.

But it's probably there already as part of the ARP cache.

No, that is what we had seen; it is already maintained in the cache. We deleted the cache, we verified.

You are using your own laptop to do something?

No, no, we had seen in the services file... so we clearly... we see, we had observed it: the cache table initially maintained the MAC address; we verified, cross counter-checking.

So whatever it is, the specific thing, unless I see what is happening... I mean, it's not something where you tell and... I mean I have to sit with you; you need to show, definitely, because it's just surprising that you could get the ARP request packet, but without seeing the response packet you could establish a connection. It should not happen that way. Sure, you show me in the lab and I'll have a look. But that said, all kinds of weird things have started to happen in the lab; that's the regular norm. Like, you expect something but something else happens. It could be due to misconfiguration, it could be due to too many other reasons; one has to kind of figure out what it is.

What is the difference between destination host unreachable and request timeout? Two types of error occur when we try to ping some host. So I saw that two types of error occur: destination host unreachable and request timeout.

Okay, so destination... so again, it depends. Here we keep talking about it appearing on the terminal, right? The timeout is something which may be being printed locally: it waited for the response to come within this time, it timed out, it did not get it. So it's a software mechanism, where, like, you put a printf with some time exceeded, print that the timeout has happened. So that is the printout mechanism. But why did a timeout happen? The reason for that is that the destination host is unreachable. So the fact that you determine destination host unreachable could be that there was some intermediate router who sent an ICMP message that said that the ICMP code and type
is that, and thereby you're using it to specify... it means the destination host unreachable message is generated by an ICMP packet, the interface of that router, that this network is not available.

Yes, this host is not... yeah. It's not necessary that all routers will generate it. In case the router does not generate it also, if you are not getting a response you will conclude that the destination host is unreachable. It's a coding artifact, I mean it depends on how you coded it.

And suppose that if we don't have any router, we are having one local area connection, and if you are pinging some host within the network, and suppose that this IP address is not available on that particular switch, then the error generated will be request timeout only?

Yes.

There is no kind of error, destination host unreachable?

That is because, as I said, it's probably derived from the ICMP; someone has given an ICMP error message that specified that the destination host is unreachable. Typically routers do that.

Thank you, ma'am. One question from my side is that whenever we type a ping command, at the end of the reply a field shows a TTL. A TTL usually shows 128, 127, even 126, also 64, also 32. So correct me if my answer is right: that is the field which shows the number of hops covered, is that right?

No. The TTL field is saying what is the lifetime of this particular packet. In other words, if any router were to receive this packet and the time-to-live field has expired, it can drop the packet. Now the TTL, even though it says time to live, is basically a hop count; let's view it as a hop counter. If I set my TTL to be 64, all it is telling is this packet can hop 64 hops; after that its lifetime has expired, you drop it. That is what TTL means. So whatever value: when you set TTL in your packet to be 64, you're telling the Internet, let my packet hop for 64, after that you drop it because it's past the expiry.

Ma'am, sometimes it shows 128, sometimes it shows 127.

Yeah, it is that kind of
variation. So see, many of these things, TTL fields, are set by different... I mean in the ping implementation. I mean, it depends: is it the same ping implementation that is showing a TTL field of different values, which I seriously doubt, but from one to the other, like one ping may generate a TTL of x, but if you're using something else, traceroute or whatever, you will have some other TTL, whatever. I'm saying it's whoever is coding; whatever is the default value they have set, that is what will be in the TTL. So if you as a coder set one value and I as a coder set another value, the three things will be different. There is no standard TTL that people have to employ; people are free to put whatever TTL they want. Typically it will be in excess of 64.

In a local area network having the star topology with an unmanageable switch, if a sender is sending messages to some destination, will it employ broadcasting or unicasting?

Well, it depends upon what the switch has within its table, the switching table.

If it is an unmanageable switch of any configuration or any organization?

No, it depends on... that is what these are called learning bridges for a reason; they are learning switches. So if it is a hub, which is not a switch, it will just broadcast, okay. But if it is a switch, switches learn. So most switches of any company, whatever it is, the functionality of the switches is that they have to learn. So what they do is whenever they receive packets they make note: this packet has come with this source MAC address, it has come on this interface, thereby that source will be on that interface.

Means it will be unicasting only?

Today I would call it forwarding. It came on one link; if it knows that the other end point is in this direction, it will only forward on that interface and not on the others. So this is the learning capability of switches; we have covered it as part of the video. So these are called learning bridges, learning switches. But if it doesn't know, it doesn't have it, then it will broadcast.
So its behavior depends on whether or not it has it.

Because whatever switches we are using today in our colleges to make a local area network... yeah, I want to know just from that point of view.

Yeah, so it can be broadcast or unicast, as you put it, based on whether or not it learned about that entry. Learning is a function of who is sending traffic; so it's not like an automated learning. Only if that other guy sends the traffic it can learn; if it learned, it'll send it in a more efficient fashion.

So if it learned then it will not broadcast?

Yeah, if it learned it won't broadcast.

Thank you. My question is regarding the switching only. So we say the switch creates the table, right, the switching table; so they create the table only when a request is sent, when any traffic passes through it. So why don't we use the gratuitous mode? Whenever the nodes are connected, they should propagate their MAC address and the table.

That is the purpose, one of the purposes, of gratuitous ARP. So when you are booted up, right, you send one gratuitous ARP so that the switch will know that you are on that particular interface, so that it makes efficient switching. So that's one of the purposes of gratuitous ARP.

So gratuitous ARP is working on the switch?

No, a host is sending. A host, once it boots up, is sending a gratuitous ARP telling everyone: see, this is my IP address, this is my MAC address. Now this packet, because it's coming for the first time, will probably get flooded across all the switches, but each of the switches that are interconnected will note that this MAC address is in this direction, and they'll make an entry of it in the learning table. So next time some packet comes for it, it knows on which interface it should send rather than flood again. Okay, yeah, so that's one of the purposes of gratuitous ARP. Duplicate IP detection also is one of the other purposes. So there are many purposes of gratuitous ARP.

One more question
regarding tcpdump. Yesterday we worked with the command tcpdump, then we took the traces, then we imported that thing into Wireshark. So doesn't Wireshark have a utility where we can capture the live traffic?

Yes, it does. So you can do that also. But again, this is a personal preference; you are comfortable with it. So what I like about tcpdump is the command-line use of filters. In Wireshark it's not like you run the trace and the filtering... maybe as someone who is very familiar with Wireshark and uses whatever filters, I find their filters a little bit tedious to configure. So what I like about tcpdump is it's just a command-line thing; you specify all the filters, you dump it into a file. But I like the GUI aspect of Wireshark, where you can pop up, you can examine everything. With tcpdump also you can... you don't need Wireshark to evaluate, you can read the trace file using tcpdump itself, but it's not a user-friendly reading of the thing. So I guess the high-level point is you can do whatever you're doing with tcpdump alone, you can do whatever you're doing with Wireshark alone. The reason I use a combination is I like tcpdump's filter features to quickly... Wireshark also provides filters, I'm not denying that; it's just convenient for me to type in at a command line whatever filters I want, capture the trace and then use the GUI capability of Wireshark to evaluate. It's a personal preference which many people who work in networks have. I thought there's a reason why many people like it, so I imposed it on you also, but you are free to do whatever works for you.

We heard of something called layer-three switches, called MPLS switches. Is it that these switches operate on multi-frequency bands for every flow that goes through the switch?

You're talking about MPLS, layer-three switches, right?

Layer-three switches.

Layer-three switches are kind of like either routers or some of this MPLS; we call MPLS multi-protocol label switching. The concept is... is it that these
switches use different frequency bands for every flow that goes through the switch? Different frequency processing, and different frequency bands means signals go through in different frequency bands.

By frequency band you're talking about the link layer, the physical...

The switch, inside the switch I'm talking about; for example, port A on the one side coming...

What do you mean by frequency at a switch? I did not understand this.

It's another... multiple signals we can send, two data flows at the same time, in parallel, for example to avoid collision. For example, in the case of a local area network in a segment, okay, if a bridge transfers a packet, a frame, then no other packets can be transferred.

I think some of the things you're talking about are about switching. Again, I don't have much experience with them, but there are these cut-through switches, and combining with optical something, where what they do is whatever comes, you kind of switch it; the optical links have this very huge bandwidth, the spectrum kind of a thing. So when you cut, you kind of cut it and send it on... so the switching... so basically you avoid... so all this is... so a router typically in the Internet is where you have to evaluate the header, whatever, and you are always trying to increase or decrease the processing delay at a router. So some of the switch architectures are designed especially in conjunction with optical fiber to avoid some of these things, so that when you get a thing, this is the switching that is being done, where you switch from this to the outgoing link, and the outgoing link is defined by a frequency band. So whatever comes, that has to go on that frequency band; so you do that conversion and push it forward. So that is dependent on the switch architecture. Yes, there are switches like that. Okay, so lab... I think, I mean, I'm happy to take more questions you have with respect to the lab.
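Added example (an editor's illustration, not part of the session transcript, the lab handout, or the arping tool). The session explains gratuitous ARP as a host announcing its own IP-to-MAC pairing in either request or reply form, and describes a learning switch that notes the source MAC and ingress port of every frame, then forwards on the learned port or floods when the destination is unknown. The Python below builds constructed Ethernet/ARP frames in memory (nothing is sent on a network), decodes them, classifies a frame as gratuitous when the sender and target protocol addresses match, keeps a passive defender's record of IP-to-MAC pairings so that a second station announcing an already-recorded IP (duplicate address or a spoofed announcement) is flagged, and models the learning switch's flood-then-forward behaviour. The host MACs, the 10.105.1.x addresses and the port numbers are constructed values, and `demo()` is a hypothetical scenario, not a recorded lab trace.

```python
"""ARP frame parsing, gratuitous-ARP classification and a learning-switch model.
Constructed frames only; nothing here touches a real network interface."""
import struct
from typing import Dict, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str,
              eth_dst: str = BROADCAST) -> bytes:
    """Ethernet + ARP frame (RFC 826 layout): op 1 = request, 2 = reply."""
    eth = _mac_bytes(eth_dst) + _mac_bytes(sha) + b"\x08\x06"   # ethertype ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)            # Ethernet/IPv4
    arp += _mac_bytes(sha) + _ip_bytes(spa) + _mac_bytes(tha) + _ip_bytes(tpa)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode an Ethernet/ARP frame; None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": {1: "request", 2: "reply"}.get(op, f"op{op}"),
        "eth_dst": _mac_str(frame[0:6]),
        "sha": _mac_str(frame[22:28]), "spa": _ip_str(frame[28:32]),
        "tha": _mac_str(frame[32:38]), "tpa": _ip_str(frame[38:42]),
    }


def is_gratuitous(arp: dict) -> bool:
    """Gratuitous ARP announces the sender's own pairing: target protocol
    address equals sender protocol address, in request or reply form."""
    return arp["spa"] == arp["tpa"]


class ArpMonitor:
    """Passive defender's record of IP->MAC pairings seen in ARP frames; reports
    when an IP is announced by a MAC other than the one first recorded."""
    def __init__(self) -> None:
        self.seen: Dict[str, str] = {}

    def observe(self, frame: bytes) -> Optional[str]:
        arp = parse_arp(frame)
        if arp is None:
            return None
        prev = self.seen.setdefault(arp["spa"], arp["sha"])
        if prev != arp["sha"]:
            return f"conflict: {arp['spa']} was {prev}, now announced by {arp['sha']}"
        return None


class LearningSwitch:
    """Transparent learning bridge: learn source MAC -> ingress port; forward on
    the learned port when the destination is known, otherwise flood."""
    def __init__(self, ports: List[int]) -> None:
        self.ports = ports
        self.table: Dict[str, int] = {}

    def handle(self, in_port: int, frame: bytes) -> List[int]:
        dst, src = _mac_str(frame[0:6]), _mac_str(frame[6:12])
        self.table[src] = in_port                      # learning step
        out = self.table.get(dst)
        if dst != BROADCAST and out is not None:
            return [] if out == in_port else [out]     # unicast forward
        return [p for p in self.ports if p != in_port]  # flood


def demo() -> dict:
    """Hypothetical scenario: hosts A (port 1) and B (port 2) on one switch."""
    a_mac, a_ip = "02:00:00:00:00:0a", "10.105.1.10"   # constructed values
    b_mac, b_ip = "02:00:00:00:00:0b", "10.105.1.11"
    sw, mon = LearningSwitch([1, 2, 3]), ArpMonitor()
    # A boots and announces itself with a gratuitous request.
    g = build_arp(1, a_mac, a_ip, "00:00:00:00:00:00", a_ip)
    flood_ports = sw.handle(1, g)                      # A unknown to switch yet
    mon.observe(g)
    # B asks for A (broadcast request), A replies unicast to B.
    sw.handle(2, build_arp(1, b_mac, b_ip, "00:00:00:00:00:00", a_ip))
    reply_ports = sw.handle(1, build_arp(2, a_mac, a_ip, b_mac, b_ip, eth_dst=b_mac))
    # A third station announces A's IP with its own MAC: monitor flags it.
    alert = mon.observe(build_arp(2, "02:00:00:00:00:0c", a_ip, BROADCAST, a_ip))
    return {"gratuitous": is_gratuitous(parse_arp(g)), "flood_ports": flood_ports,
            "reply_ports": reply_ports, "alert": alert}


if __name__ == "__main__":
    print(demo())
```

Running the module shows the first announcement flooded to ports 2 and 3, the later reply forwarded only to port 2 once B's MAC has been learned, and the conflicting announcement reported by the monitor; the same `parse_arp` and `is_gratuitous` functions can be pointed at frames read from a tcpdump `-w` file once a pcap reader supplies the raw bytes.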