Let me talk about the upcoming lab. I mean, you do not have to read this content; I am just putting it up more for my reference. So in the upcoming lab, one of the things you are going to do is learn about a few tools. tcpdump and Wireshark are two tools which are extremely useful, not only to understand how the protocols work, but also because they are system administrators' best friends: you use them for debugging the performance of the network. So what the tcpdump and Wireshark tools do is monitor whatever traffic is going out of your machine as well as coming into your machine. Not only this, they are also capable of monitoring all the traffic that is going on in the local area network as well. Beyond that is not feasible, but that itself can provide a lot of information. So what we are going to do in this lab is learn these tools and use them to understand certain concepts like multiplexing and demultiplexing, as well as the protocol headers. So the relevant slides that will help you understand all this are the OSI protocol stack as well as interlayer communication. I will talk a little bit about it as we go forward. So the first thing that you are going to do in the lab is basically play around with tcpdump and Wireshark. Apart from that there are a few other tools like ping, arp, route, ifconfig, host. This is just for you; I mean, we will dig into more details in the other labs, but for now I just want you to understand what these tools are: what does ping do, what does arp do, what does route do, what does ifconfig do, what does host do. I do not want you to dig too much into detail, just to understand what their functionality is. Apart from this, so typically if this is your machine, this is your laptop, and you are plugging it into, let us say, your local area network, which in turn is connected to some routers, and then it plugs into the internet. So this is the typical setting in most places.
So before you can communicate with the outside internet there are certain things your machine should know. One is that it needs to know what its IP address is. Typically you obtain this through DHCP; we will not cover DHCP yet, but you need an IP address; your machine has an IP address. So how do you know what your IP address is? That is something you will learn. Apart from this, before, for example, let us say you want to contact the website www.google.com. This is a URL, but you need to know what the IP address of Google is. So in order to determine what the IP address of Google is, you use the DNS service. In order to use the DNS service you need to know what the DNS server is before you can communicate. This information is also stored on your laptop. So where is this information stored and how do you use it? All that also you will get to know. And once you assemble a packet, once DNS has told you this is the IP address of Google, then what you are going to do is assemble a packet saying I want the main page of Google. So this is a packet which has some HTTP content; then you add some TCP headers, then you add some network headers, then you add some link headers, and then you are pushing it out onto the LAN. Now in order to send this, who do you send it to? You need to know who your next-hop router is. Now this information also your machine should have some place. So what you are going to do in this first lab is explore: you are going to look at some of these files called the hostname file, the interfaces file, resolv.conf, the protocols file, to figure out where some of this information is stored. That will tell you what is happening within your machine. Apart from this, you will also make use of tcpdump and Wireshark to figure out what traffic is coming into your system as well as leaving your system. The rest of the tools like ping, arp, route, ifconfig, host will also explain some of this stuff related to this diagram.
So that is the first exercise. So this is just for you to learn around. So if you see the exercises, it is not a spoon-feeding exercise; in other words, I am not telling you do this, this is what you will observe, do that, this is what you will observe, because that does not help in learning. What this is doing is it will ask you to play around and then I am going to ask you some questions. So if you have understood what the role of each of those files is and you have understood what the role of each of the commands is, then you should be able to answer these simple questions that are asked as part of exercise 2. Apart from this we will also look at the concept of encapsulation and demultiplexing. So let me again pull up a few slides related to that. So these slides were covered as part of the interlayer communication; I mean, this is a part of the concepts under introduction. So I will skip all this. So the point of relevance here is, I mean, I am explaining the background so that you will appreciate the lab better; this is something which you should already know by now. So these applications generate these messages; so for example this could be an HTTP GET request, and then the transport layer adds a header, the network layer adds a header, the link layer adds a header, the physical layer also adds a header, and then it goes to your next hop, which could be a router, which will in turn go to the next hop, and so on all the way to the other end, and then again this thing goes on. So this is how things are; so, the concept of multiplexing and demultiplexing. So there are two things that are happening here: one is encapsulation, as we have seen. So what I have shown here is encapsulation; this is the encapsulation and decapsulation that is happening. So as part of the lab we will look at all these different headers to see that indeed whatever message you are sending is being encapsulated in this fashion.
So you will look at transport layer headers, network layer headers, link layer headers, and you will also see who is passing this packet to whom, who your next hop is. So all that information also you are going to see as part of the lab. Apart from that you will also see this concept of demultiplexing. So in other words, once you receive a packet from the physical layer, there are many protocols at the link layer; there is ARP, there is Ethernet; who do you send this packet to? So ideally, sometimes if we are using ARP you want to send the packet to this ARP module; if you are using Ethernet framing you want to send it to Ethernet. So based on the frame type you decide who to send it to. Once you get to the link layer, depending upon whether it is an ICMP packet or an IP packet or a routing packet, you have to send it to the appropriate protocol. So then you will use some other information to guide it. So here in this case you will use the frame type, so you will use the protocol field to guide it to the relevant thing, and similarly if you are operating here, one layer above, will you send the packet to the TCP module or to the UDP module? Again the protocol field is going to help you send it to the right module. And similarly there are many applications at the top. So who do you send it to, do you send it to HTTP or do you send it to SMTP or FTP? Again the port number plays a role here. So if it is port number 80 you will send it to HTTP; if it is some other port you send it to some other thing. So for this concept of demultiplexing also there is a specific exercise. So for example one exercise is on encapsulation and demultiplexing; there is another exercise that also tests how packets get demultiplexed. So this is what you are going to learn as part of the lab. I will now show you how tcpdump and Wireshark work together.
So one question which a lot of the coordinators had at that time when we did this workshop is why are you using both tcpdump and Wireshark; Wireshark by itself will suffice; Wireshark has a very nice graphical user interface. So when you look at it, it shows very cleanly what is happening; tcpdump does not have a graphical user interface. So both tools you can use by themselves. So I prefer to use both tcpdump and Wireshark. So the way I do it is I use tcpdump at the command line to capture packets, and I capture all the packets into a file, and then I open the file in Wireshark and use the graphical user interface to view it. There is no reason why you should use tcpdump; you could go directly with Wireshark. But both are very useful tools; it is good to know more than one tool. Apart from that, I personally like the command line interface of tcpdump. Whatever filters you want to give, you just give them at the command line and it will capture only those packets that pass the filter. So let me give an example. So here is the terminal. So what I am doing, this is more or less a terminal like the one you will be using there as well. So what I am doing is I am running tcpdump; so this is the command. I can specify, if you have more than one interface, which typically you may not have, this is not needed, but I am specifying explicitly to capture packets on the Ethernet interface, which is eth0. So if I did something like this, it is listening, and as you can see it just prints a lot of these packets, ok. So it will capture a lot of unnecessary traffic; more or less any broadcast traffic that is happening on the LAN it is going to capture, apart from whatever packets are coming and going on this machine. You do not want to do that, because then the trace file becomes painfully large to examine. So often, so for example, what I will do is I am going to restrict it to capture packets only corresponding to, for example...
So what I am going to do is restrict it to capture packets corresponding to 10.105.103. This 10.105.103 is the IP address of our CSE web server. So all I am saying is I am now going to contact this 10.105.103, so I am specifying: capture only packets which have a source IP address or destination IP address corresponding to this. So this is what I call a filter. Now when I apply this filter, as you can see, since no traffic is going to that particular web server, you do not see any traffic being captured. Notice that whenever you use tcpdump... so let me go back. So typically in any of these exercises there is an order. You want to do some activity; so basically those are in the form of commands. So for example you may want to do ping, or you may want to SSH, or you may want to use something called wget. wget is basically acting like a browser; instead of a browser, which comes with a lot of overhead, wget is a very simple browser-type thing: whatever URL you specify, it will just get that particular URL. I will show you how this works. So all these are commands which are going to generate traffic. So what you should do, this is the sequence in which you should do the experiments. You should run tcpdump with the right filters. So this is the first thing you should do: you should run tcpdump with the right filters. So tcpdump is now going to listen for packets; then you have to execute whatever commands you want. For example, if you did the commands first and then ran tcpdump, then, I mean, the commands are the ones that are generating traffic and tcpdump has to capture the traffic. So tcpdump has to run first so that it can capture the traffic that is being generated by the commands. So this you will do, and then after you execute the commands and you get out of it, then you start to analyze whatever is in the trace file, for which in our case we are going to use Wireshark. So this is the sequence of steps that we are going to follow.
So given that, let us again go back to the thing. So what I am going to do is run tcpdump with this particular host. So it is listening on that, and as you can see it is still listening; let me pull up the other. So this is another terminal; so I know there was a lot of confusion, let me repeat. So there is one terminal where I am running tcpdump, which is listening for traffic that has source or destination 10.105.103, that is our web server. So I will just ping. So when I ping, it is going to send some packets; as you can see, you can see these ping packets as part of the tcpdump output. So crea.it.itb.ac.in is the name of my machine and beam.csc.itb.ac.in is the name of the WWW web server. So as you can see, you saw a bunch of ping packets. Typically I do not want it to go there because it will scroll very fast; I would like it to be saved in a file, for which I will use the -w option, and I am going to say trial.pcap, that is the name of the file I am going to give it. So again I am doing the same thing, so again I am pinging; as you can see you cannot see it anymore because it is writing into that file. I can generate some more traffic; so for example let me say I am just getting this particular web page. So as you can see it sent the HTTP request, I got the 200 OK which is the HTTP reply, and then whatever information this index.html file has, it has saved, ok. So this is what wget is doing; so there is some traffic that has happened as part of wget. So this is how you run some commands to generate traffic. And then I am going to close this; so as you can see it captured 38 packets as part of tcpdump. Now what I am going to do is open this file here; so let me get that file from my machine and I am going to open it in Wireshark. So this is Wireshark, which provides a very nice user interface.
So as you saw, to begin with we did a ping, so you can see a lot of ICMP messages. So it specifies what time; this is a relative time; it has a sequence number also; relatively over time, this is the first packet I received, the second packet I received, these are the times at which I received the packets, this is the source, this is the destination, what is the protocol type, what is the length of the packet, and so on is captured here. So if you select one specific packet, so for example if I select the 5th packet, it is going to give information about the 5th packet here. So for example this is the link layer, this is the link layer header; so as you can see now you can start to see MAC information: this is the destination MAC, this is the source MAC. This is the IP layer header; as you can see the source is this IP address, this is the destination IP address. You could also see the ICMP headers. So this is with respect to ICMP. Now as you can see, this is the wget portion of it; this is the famous TCP handshake, SYN, SYN-ACK and ACK; as you can see there is a TCP connection established. This does not have any HTTP payload, but if I click on this you will see that there is an HTTP packet as well; so that says GET; it is asked to get this particular URL. I mean, this is just for your information; there are a lot of TCP packets that have transferred all of this; you will dig in deep and understand it in detail. One thing, let me also mention, in Wireshark what you see here in this blue portion is the specific bytes associated with this. So for example if I were to select this, this is a port number; so the port number is a387; so it does not match 41863, or you are wondering what it is: this is in hexadecimal, so if you convert it, it will match that particular port number.
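The encapsulation and demultiplexing the lecture describes, and the capture-to-file-then-analyze sequence shown with tcpdump -w and Wireshark, worked through in code. This is an added example, not part of the lecture or its lab material: it builds an Ethernet/IPv4/TCP frame carrying an HTTP GET plus an ARP request, writes them to a pcap file in the same format tcpdump -w produces, reads the file back and walks the headers the way a receiving stack does (EtherType, then IP protocol number, then TCP port). The MAC and IP addresses, the file name and the payload are constructed; the only real things are the header layouts and the pcap file format. The client port 41863 is chosen so that its raw bytes read a387 in hexadecimal, the same mismatch the lecture points out in the Wireshark byte pane.

```python
"""Added example: encapsulate, save as pcap, read back, demultiplex.
Addresses, ports and the file name are constructed for the demonstration."""
import os
import struct
import tempfile

# The lookup tables each layer consults to pick the next module.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP"}
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
WELL_KNOWN_PORTS = {80: "HTTP", 25: "SMTP", 21: "FTP"}

# Constructed addresses: locally administered MACs, private 10.x IPs.
CLIENT_MAC = bytes.fromhex("021122334455")
SERVER_MAC = bytes.fromhex("026677889900")
CLIENT_IP = bytes([10, 105, 1, 2])
SERVER_IP = bytes([10, 105, 1, 3])


def ip_checksum(header):
    """RFC 1071 one's-complement checksum over the IPv4 header bytes."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_http_frame(payload=b"GET /index.html HTTP/1.0\r\n\r\n"):
    """Encapsulate: HTTP inside TCP inside IPv4 inside Ethernet."""
    tcp = struct.pack("!HHIIBBHHH",
                      41863, 80,      # source port, destination port
                      1000, 0,        # sequence, acknowledgement
                      5 << 4, 0x18,   # data offset (5 words), flags PSH|ACK
                      65535, 0, 0)    # window, checksum (left 0), urgent ptr
    total_len = 20 + len(tcp) + len(payload)
    ip_no_sum = struct.pack("!BBHHHBBH4s4s",
                            0x45, 0, total_len, 0x1234, 0x4000,
                            64, 6, 0, CLIENT_IP, SERVER_IP)  # protocol 6 = TCP
    ip = ip_no_sum[:10] + struct.pack("!H", ip_checksum(ip_no_sum)) + ip_no_sum[12:]
    eth = SERVER_MAC + CLIENT_MAC + struct.pack("!H", 0x0800)  # EtherType IPv4
    return eth + ip + tcp + payload


def build_arp_frame():
    """A minimal ARP request, so the link layer has something else to dispatch."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet, IPv4, lens, request
    arp += CLIENT_MAC + CLIENT_IP + b"\x00" * 6 + SERVER_IP
    return b"\xff" * 6 + CLIENT_MAC + struct.pack("!H", 0x0806) + arp


def write_pcap(path, frames, link_type=1):
    """Classic pcap: 24-byte global header, then a 16-byte header per record."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, link_type))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1_700_000_000, i, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path):
    """Parse the file back; returns (link_type, [frame bytes, ...])."""
    with open(path, "rb") as f:
        data = f.read()
    magic, _, _, _, _, _, link_type = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap file")
    frames, off = [], 24
    while off < len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return link_type, frames


def demultiplex(frame):
    """Decapsulate: decide at each layer which module receives the packet."""
    info = {}
    ethertype, = struct.unpack_from("!H", frame, 12)
    info["link"] = ETHERTYPES.get(ethertype, "unknown 0x%04x" % ethertype)
    if ethertype != 0x0800:
        return info                      # e.g. ARP goes to the ARP module
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[14 + 9]
    info["network"] = IP_PROTOCOLS.get(proto, "unknown %d" % proto)
    if proto not in (6, 17):
        return info                      # e.g. ICMP carries no ports
    l4 = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, l4)
    info["ports"] = (sport, dport)
    info["src_port_hex"] = frame[l4:l4 + 2].hex()  # the bytes Wireshark highlights
    info["application"] = WELL_KNOWN_PORTS.get(dport, WELL_KNOWN_PORTS.get(sport, "unknown"))
    return info


def capture_and_analyze():
    """Same order as the lab: write the capture file first, then analyze it."""
    path = os.path.join(tempfile.mkdtemp(), "trial.pcap")   # constructed file name
    write_pcap(path, [build_arp_frame(), build_http_frame()])
    link_type, frames = read_pcap(path)
    return link_type, [demultiplex(f) for f in frames]


if __name__ == "__main__":
    for result in capture_and_analyze()[1]:
        print(result)
```

The file written by write_pcap opens in Wireshark, so the same frames can be inspected in its byte pane; the src_port_hex field shows why the highlighted bytes read a387 while the decoded column says 41863.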
So whatever information is in here, so for example if I select this portion, this is the MAC address in hexadecimal, so it directly matches. So this is basically more or less the content of your packet in hexadecimal, so you can select individual fields and figure out where what is. I will let you anyway dig in deep with respect to Wireshark as you do the exercises. So more or less this is the lab overview. So I can take a few quick questions, no more than 2-3, and we will break for tea at 11:30; you are supposed to assemble in your labs and get started. So we will also be available here to help you with any issues. So, any questions?

Hello ma'am, sometimes when we are going to use the tcpdump command it is not working on our machine, but when I am putting sudo before that one, then that is working.

Yeah, yeah, so tcpdump requires root permissions, because you are monitoring the traffic; tcpdump requires root permissions. But in the scripts we have provided to the coordinators we have also given how to change the permissions such that you can run tcpdump not as root. That information is there under BodhiTree.csc under references; there is that entire directory we have shared with you; there are some scripts to change the permissions of tcpdump, so if you run that you will be able to run tcpdump as a user as well. But in case it's not working out for whatever... yeah, the setup should have happened before.

Ok ma'am, thank you.
Ma'am, I have two questions. Question number one is that with the help of white network method data transformation is easy; is it possible to add encryption for transformation of electronic data with the help of Wireshark or NS2?

Wireshark and tcpdump are dump tools; all they are doing is, whatever traffic is going out of and into your system, they are just making a copy of it. So, as I had mentioned, this is your machine, this is the protocol stack; let's say in your machine you have physical, link and so on; so whatever packet comes, it has to go up the protocol stack, right? So this is the network layer, and so on and so forth. All tcpdump is doing is it is sitting somewhere here and is making a copy of whatever packet you are getting and dumping it into a file, and you are evaluating that particular thing. So it is a very passive device; all it is doing is copying the packets that you are getting into the machine, and similarly when it is going out, again it will make a copy of the packet and write it to a file. That is basically what tcpdump is doing. Any additional functionality you want to implement as part of the protocol stack, you actually have to, if you are doing it at the application layer, write the code at the application layer; if you want to do it at the network layer or link layer, then you have to do kernel programming to implement that particular functionality. NS2, by the way, is just a simulation tool, so if you want to implement it, you are just implementing a module in NS2 that does that particular functionality.

Thank you ma'am. My last question is, is it possible to apply a three-tier structure of sharing security keys with the help of encryption in a white network, and authentication is controlled by...

Okay, let me interrupt right away. So when you're asking questions, please ask questions relevant to the lab now, because all these other questions, I mean, I will answer them, but we will do it in the clarification session and not now. The lab is going to start soon, so any questions you have with respect to the lab, ask me now, not general questions.

Thank you ma'am. Actually I had a question regarding Wireshark, ma'am: whether Wireshark is open source.

It is freely available; you just have to, I mean, there was no Wireshark on this machine; I just downloaded it and ran it; it just ran out of the box. It's a freely available Wireshark; the source code of it, I don't... very likely it is open source, but I'm saying it's a freely available tool; you just need to download it off the web and install it and it will work. It takes one minute, that's it.

Actually, can we use Wireshark for capturing the packets, not only to analyze?

You can use Wireshark, yes, you can do that. Yeah, so as you can see this is Wireshark; so let me... it is probably too small, but I've just opened Wireshark; there is something called Capture here and there are interfaces, so you can select, for example, this has a Wi-Fi interface; I can select that interface and say Start; then it will start capturing packets on the Wi-Fi interface. As you can see a lot of packets are being captured, and you can stop it. That's okay, we will try to fix it, but for now I am just showing you at a very high level what is happening. You can open Wireshark, there is something called Capture at the top, click on it, select the interface and it'll capture.

Ma'am, there was a line when you were making us understand that zero packets were dropped by the kernel; now what is the concept behind that?

Zero packets were dropped by the kernel. So sometimes your buffers within the link layer or whatever may not be enough; in other words, for example, you connect to a 10 Gbps link and your processor is like some 1980s machine, right? It cannot cope with the speed at which packets are coming, so it may drop some packets because it doesn't have enough buffer for them. So in case there are packets dropped because of that, it will indicate it there. It's more to do with the processor, whether Wireshark or tcpdump was able to make a copy properly or not.

Ma'am, one more question: which operating system can be used while doing the lab experiments? The Ubuntu operating system?

If you're doing a lab experiment, yeah, yeah, I mean, I had shared Ubuntu only to all the workshop coordinators, yes.

Ma'am, I have a question related to computer networks: which address belongs to a different family? There are four addresses actually given: MAC address and IP address, physical address and hardware address. So I am a little confused; please clarify which one is different and how.

Okay, so typically the physical address, the MAC address and the hardware address all refer to the MAC address itself. So there are basically two addresses: the IP address and the MAC address. Often the MAC address is also called the hardware address because it comes with the Ethernet card, and the same thing, physical address, we also refer to it in that fashion. So physical, hardware and MAC are the same; the IP address is different.

I can hear you. Good morning ma'am, please explain the wget command, the one you explained.

Okay, wget is a dumb browser; you can view it like that. So typically in a browser at the top you specify the URL, right, http://www.google.com. So what wget is doing is basically it's a dumb version which is sending that GET request on your behalf and getting the reply and saving it; I mean, if you are getting index.html it'll just save that index.html. It's basically a dumb browser. Browsers these days are very sophisticated; they have a lot of plugins; they do a lot of additional stuff. wget does nothing like that; it's a very clean, simple tool: whatever URL, it will just fetch it. And typically over the command line it is very useful; for example, if I am remotely logging into some place and I want to download a web page but I don't want to pop up a browser because of whatever SSH issues, then wget is a good tool.

Thank you ma'am.

Yeah, so in the interest of time I think we should break.