RadarURL
Skip to content
조회 수 28 추천 수 0 댓글 0
?

단축키

Prev이전 문서

Next다음 문서

크게 작게 위로 아래로 댓글로 가기 인쇄 첨부
?

단축키

Prev이전 문서

Next다음 문서

크게 작게 위로 아래로 댓글로 가기 인쇄 첨부

I already wrote an article describing the OSI model and its 3 first layers (physical, data link and network). Now I’ll talk about the layer 4: transport. While the data link layer carries the point-to-point connections and the network layer carries the routing of packets, the transport provides end-to-end communication services for applications.

4-layers.png

 

 

The transport layer provides convenient services such as connection-oriented data stream support, reliability, flow control, and multiplexing. The two main transport protocols are TCP and UDP.

A connection between two devices on the transport layer (with TCP or UDP) is done from port to port: Each network device using the protocol TCP or UDP has different “gates” where a communication can “go in or out”. For instance, the default port to access a web server to communicate with the protocol HTTP is the port number 80, the protocol FTP uses the port number 21 and the protocol SSH uses the port number 22. (N.B. HTTP, FTP and SSH are protocol from the application layer). Applications that communicate on IP networks are bound to one (or more) port(s) to send and receive data. There are 2^16 different ports available (since the field for the port in the packet is 16 bits).

The Internet Assigned Numbers Authority has divided port numbers into three ranges.

  • 0 – 1023 are used for common, well-known services.
  • 1024 – 49151 are the registered ports used for IANA-registered services.
  • 49152 – 65535 are dynamic ports that are not officially designated for any specific service, and can be used for any purpose. In effect, they are used as temporary ports primarily by clients when communicating with servers.

Transmission Control Protocol

TCP is a connection-oriented protocol. This means it first establishes an end-to-end communication session  before any data may be send. TCP is a protocol that makes sure the data has been well delivered, in the correct order. To do so, the TCP emebed in its header a checksum verifying the data is not corrupted. There is also a sequence number to assemble the packets in the original order. Packets may use different paths to reach the recipient, or a corrupted packet need to be resend. This means the recipient might get the packet in the wrong order, the sequence number make sure when reassembling, packets are in the correct order. One other interesting feature of TCP is the windows handling. The rate of data transmission between two devices is managed by a windowing system to prevent a fast sender from transmitting more data than can be supported by the receiving.

Packet structure

TCP Header
Offsets 0-15 16-31
0 Source port Destination port
32 Sequence number
64 Acknowledgment number (if ACK set)
96 Data offset Reserved N
S
C
W
R
E
C
E
U
R
G
A
C
K
P
S
H
R
S
T
S
Y
N
F
I
N
Window Size
128 Checksum Urgent pointer (if URG set)
160
Options (if Data Offset > 5,padded at end with “0” bytes if necessary)
  • Source port: It is the port used by client to sent the packet.
  • Destination port: It is the port used by the server for the communication
  • Sequence number: If the SYN flag is set, it is the initial sequence number. If it isn’t, then it is the accumulated sequence number of the first data byte of this packet for the current session.
  • Acknoledgment number: If the ACK flag is set, then it is the value of the next sequence number that the receiver is expecting.
  • Data offset: It specifies the size of the TCP header in 32-bit words.
  • Reserved: This field is reserved for a future for a potential improvement of the protocol TCP (should be set to zero).
  • Flags (NS/CWR/ECE/URG/ACK/PSH/RST/SYN/FIN): Also known as control bit, flags are notifications and gives signal the purpose of the packet. URG indicates that the Urgent pointer field is significant. ACK indicates that the Acknowledgment field is significant. All packets after the initial SYN packet sent by the client should have this flag set. RST reset the connection. SYN synchronize sequence numbers and FIN indicates no more data will be sent from sender.
  • Windows Size: It specifies the number of bytes that the receiver is currently willing to receive.
  • Checksum: The 16-bit checksum field is used for error-checking of the header and data.
  • Urgent Pointer: If the URG flag is set, then this 16-bit field is an offset from the sequence number indicating the last urgent data byte
  • Options: The length of this field is determined by the data offset field. This field is used for providing more information about the packet.
  • Padding: The TCP header padding is used to ensure that the TCP header ends and data begins on a 32 bit boundary. The padding is composed of zeros.

Communication

TCP uses a three-way handshake to establish a connection between two  devices (a client and a server):

  1. SYN: The client initiate the establishing of the communication by sending SYN to the server. It sets the segment’s sequence number to a random value A.
  2. SYN-ACK: In response, the server replies with a SYN-ACK. The acknowledgment number is set to one more than the received sequence number (A + 1), and the sequence number is set to another random number, B.
  3. ACK: Finally, the client sends an ACK back to the server. The sequence number is set to the received acknowledgement value (i.e. A + 1), and the acknowledgement number is set to one more than the received sequence number i.e. B + 1.

From now, the application can start to communicate and sending data via the session established. To close a connection, the endpoint that want to terminate the communication initiate the connection termination:

  1. FIN: One of the endpoint (host A) sends a FIN then wait for a ACK and a FIN from the other party (host B).
  2. ACK: The host B replies with an ACK.
  3. FIN: Then host B send a FIN.
  4. ACK:  Finally host A ends the communication with a last ACK.

tcp-com.png

 

 

User Datagram Protocol

UDP has been design for computer applications to send messages (referred to as datagrams) to other devices without requiring prior communications to set up special transmission channels or data paths. Unlike TCP, UDP uses a simple transmission model without establishing a session with the recipient. UDP doesn’t ensure reliability, ordering, or data integrit in order to provide a faster communication. Thus UDP is used for time-sensitive applications (such as real-time systems) that don’t require 100% reliable trasmission.

Communication

UDP is a message-based connectionless protocol. It means UDP doesn’t establish a dedicated end-to-end connection but it transmitting directly information in one direction from source to destination without verifying the readiness or state of the receiver.

Packet

UDP Header
Offsets 0-15 16-31
0 Source port Destination port
32 Length Checksum
64+ Data
  • Source port: It is the port used by client to sent the packet.
  • Destination port: It is the port used by the server for the communication.
  • Lenght: It is the length of the UDP header and data.
  • Checksum: It is optional. The checksum field is used for error-checking of the header and data. If a checksum is not used it should be set to the value zero.

Scapy

Now, in order to illustrate how does TCP and UDP communicate and how packets are structured, here is a demonstration with Scapy.

UDP connection with a DNS server

As example, we will create a DNS query. When you browse a website, before establishing the TCP connection to communicate with the protocol HTTP with the server, the client need to get the IP address of the URL using DNS query:

ws-dump-dns.png

 

 

We will try to do the same but with Scapy. Fortunately, Scapy has builded function to forge DNS query easily. Let’s create one:

 >>> ls()
 ...
 DNS        : DNS
 DNSQR      : DNS Question Record
 DNSRR      : DNS Resource Record
 ...

We want to create an IPv4 reverse resolution Question Record on “www.secits.be”. Let’s see what are the options:

 >>> DNSQR().show()
 ###[ DNS Question Record ]###
   qname= ''
   qtype= A
   qclass= IN

For the IPv4 reverse resolution, the qtype is A:

 >>> dnsQuery = DNSQR(qname="google.com", qtype="A")

Now we want to create the DNS packet:

 >>> dnsPacket = DNS(rd=1,qd=dnsQuery)

I will use the Google DNS (8.8.8.8) server to be sure anyone can use the same command. My IP packet then looks like this:

 >>> ipPacket = IP(dst="8.8.8.8")

DNS protocol uses the port 53:

 >>> port = random.randrange(49152, 65535)
 >>> udpPacket = UDP(sport=port, dport=53)

Let’s stack the packet and send it:

 >>> packet = ipPacket/udpPacket/dnsPacket
 >>> dnsAnswer = sr1(packet)
 >>> dnsAnswer.summary()
'IP / UDP / DNS Ans "195.144.11.44" '

Here is the IP address of google.com

Three-way handshake before a HTTP communication

As example, we will establish a session with the three-way handshake and send a HTTP GET request. When you browse a website, here is what happen:

wireshark-dump.png

 

 

We will try to do the same but with Scapy. For the tree-way handshake, you first need to create an IP packet with an destination IP address:

 >>> ipPacket = IP(dst="www.secits.be")

Now we create the TCP packet with a source port between 49152 and 65535 (see the introduction for the reason) and the destination port 80 (the HTTP port):

 >>> port = random.randrange(49152, 65535)
 >>> tcpPacket = TCP(sport=port, dport=80, flags="S")

random() is a python module that generates pseudo-random numbers. randrage() set the range of the pseudo-random number.

Once both pakets created, we stack them to create the SYN TCP packet:

 >>> syn = ipPacket/tcpPacket

Then we send the SYN packet and store the SYN/ACK answer:

 >>> synack = sr1(syn)
 >>> synack.show()
 ###[ IP ]###
   version= 4L
   ihl= 5L
   tos= 0x0
   len= 44
   id= 0
   flags= DF
   frag= 0L
   ttl= 52
   proto= tcp
   chksum= 0xb760
   src= 195.144.11.44
   dst= 192.168.0.7
   options= ''
 ###[ TCP ]###
      sport= http
      dport= 52708
      seq= 3872114628
      ack= 1
      dataofs= 6L
      reserved= 0L
      flags= SA
      window= 14600
      chksum= 0x52dc
      urgptr= 0
      options= [('MSS', 1460)]
 ###[ Padding ]###
         load= '\x00\x00'

No the last part of the handshake is to send an ACK with the sequence number set to the value of the acknoledgement number of the SYN/ACK and the acknoledgement number set to the sequence number + 1 of the SYN/ACK:

 >>> ack = ipPacket/TCP(sport=port, dport=80, flags="A")
 >>> ack[TCP].seq=synack[TCP].ack
 >>> ack[TCP].ack=synack[TCP].seq+1
 >>> send(ack)

The session is now established. Let’s send a HTTP GET request and store the answers:

 >>> httpRequest = 'GET / HTTP/1.1\r\nHost: www.secits.be\r\n\r\n'
 >>> tcpData = TCP(sport=port, dport=80, flags="A")
 >>> tcpData.seq=synack[TCP].ack
 >>> tcpData.ack=synack[TCP].seq+1
 >>> httpPacket = ipPacket/tcpData/httpRequest
 >>> answers,unanswered = sr(httpPacket)

Here is a script that will run automatically all those commands:

#!/usr/bin/python

# Import scapy
from scapy.all import *

# Froge the IP packet
ipPacket = IP(dst="www.google.be")

# Generate the pseudo-random source port
port = random.randrange(49152, 65535)

# Forge the TCP packet for the SYN
tcpPacket = TCP(sport=port, dport=80, flags="S")

# Create the packet to send
syn = ipPacket/tcpPacket

# Send the packet and store the answer
synack = sr1(syn) 

# Forge the packet to send based on the answer
ack = ipPacket/TCP(sport=port, dport=80, flags="A")
ack[TCP].seq=synack[TCP].ack
ack[TCP].ack=synack[TCP].seq+1
send(ack)

# Forget the HTTP packet to send
httpRequest = 'GET / HTTP/1.1\r\nHost: www.google.be\r\n\r\n'
tcpData = TCP(sport=port, dport=80, flags="A")
tcpData.seq=synack[TCP].ack
tcpData.ack=synack[TCP].seq+1
httpPacket = ipPacket/tcpData/httpRequest
answers,unanswered = sr(httpPacket)

answers.show()

Type sudo python the-name-of-the-file.py to run the script.

You will notice that the script actually doesn’t work. I’m not sure about it (and please leave a message if I’m wrong), but it seems Scapy uses an other TCP stack than the kernel. This means whenever Scapy sends the SYN packet, the kernel is not aware of it, so when the server answer with a SYN/ACK, the kernel also get the packet and doesn’t understand why the server sent a SYN/ACK. Therefore, it send a RST TCP packet to reset the connection.

rst.png

 

 

In order to avoid this problem, I created a rule in my firewall (on my VM Ubuntu 10.10) to drop all RST packets going out.

sudo iptables -A OUTPUT -i eth0 -s 192.168.0.7 -p tcp --tcp-flags RST RST -j DROP

eth0 being the interface used for sending the packet with scapy, 192.168.0.7 being the IP of the my VM that send the packet.

Now if you try script, you will see the TCP connection is established and that HTTP GET request (nearly) works. The server is waiting for an ACK once the window reached, since it doesn’t get any ACK, it keeps resend the packets.

Well the main goal was to describe what is the layer transport and how does the two main protocols of this layer (i.e. TCP and UDP) work. The script is not finish yet, but you got an idea how scapy works and how to establish a TCP connection. I think I will create another post to improve the script an also use pfctl to avoid the RST problem on OS X.

I hope you enjoyed, feel free to leave a feedback

 

출처 : https://toschprod.wordpress.com/2012/01/30/osi-model-layer-4-transport/

?

공부 게시판

공부에 도움되는 글을 올려주세요.

List of Articles
번호 분류 제목 글쓴이 날짜 조회 수
공지 [공지] 공부 게시판 입니다. 처누 2003.08.17 828687
2457 생활 되다 vs 돼다 JaeSoo 2017.12.14 8
2456 유닉스/리눅스 당장 firewall과 SELinux에 대해 설정하는 법을 모르니 최초 CentOS를 스터디할 땐 이 두 가지는 꺼버리자. JaeSoo 2017.12.02 24
2455 모바일 스마트폰 용량 부족 해결! SD카드를 내부저장소로 바꾸기 file JaeSoo 2017.11.14 47
2454 보안 Tear Drop 공격 JaeSoo 2017.11.14 56
2453 보안 Smurf 공격이란? JaeSoo 2017.11.14 58
2452 보안 DoS (Denial of Service) 공격이란? file JaeSoo 2017.11.14 60
2451 보안 DDos 공격 - LAND ATTACK이란 뭘까? file JaeSoo 2017.11.14 59
2450 네트워크 RIP (Routing Information Protocol), OSPF (Open Shortest Path First) JaeSoo 2017.11.14 38
2449 네트워크 STP (스패닝 트리 프로토콜) file JaeSoo 2017.11.14 38
2448 네트워크 [스위치] 스패닝 트리 ( STP - Spanning Tree Protocol ) file JaeSoo 2017.11.10 6
2447 네트워크 STP(Spanning-Tree Protocol) 동작원리 file JaeSoo 2017.11.08 8
2446 네트워크 [Windows NT] netstat 명령어를 이용한 라우팅 테이블 확인 file JaeSoo 2017.11.08 7
2445 네트워크 원격 액세스 인증 프로토콜 (EAP, MS-CHAP v2, CHAP, PAP) JaeSoo 2017.11.03 22
2444 보안 워드라이빙(WarDriving)과 해킹 file JaeSoo 2017.11.03 24
» 네트워크 OSI model – Layer 4: Transport (TCP and UDP with Scapy) file JaeSoo 2017.11.03 28
2442 네트워크 TCP flag(URG, ACK, PSH, RST, SYN, FIN) JaeSoo 2017.11.03 33
2441 네트워크 OSI 7 Layer 개요 JaeSoo 2017.10.30 35
2440 유닉스/리눅스 Linux syslog-ng를 이용하여 로그서버 구축 JaeSoo 2017.10.27 39
2439 유닉스/리눅스 [UNIX / Linux] 특수 권한(setuid, setgid, sticky bit) file JaeSoo 2017.10.24 35
2438 유닉스/리눅스 [unix 시스템 기초] 리눅스 의 기초 이론인 TTY와 PTS, PTY에 대해서 알아보자 JaeSoo 2017.10.18 46
Board Pagination Prev 1 2 3 4 5 6 7 8 9 10 ... 123 Next
/ 123

 

■ 즐겨찾기 - 가족
JAESOO's HOMEPAGE YOUNGAE's HOMEPAGE 장여은 홈페이지 장여희 홈페이지 장여원 홈페이지

■ 즐겨찾기 - 업무
알리카페 홀릭 숭실대 컴퓨터 통신연구실 (서창진) 말레이시아 KL Sentral 한국인 GuestHouse

■ 즐겨찾기 - 취미
어드민아이디 유에코 사랑회 아스가르드 좋은사람/나쁜사람 JServer.kr 제이서버 메타블로그 재수 티스토리

■ 즐겨찾기 - 강의, 커뮤니티
재수 강의 홈페이지 한소리 VTMODE.COM 숭실대 인공지능학과 숭실대 통신연구실


PageViews   Today : 962   Yesterday : 1,895   Total : 60,499,635  /  Counter Status   Today : 200   Yesterday : 465   Total : 3,100,807
Site Info   Member : 1,388  /  Total documents : 7,074   New documents : 0  /  Total comments : 503

design by by JAESOO.com

sketchbook5, 스케치북5

sketchbook5, 스케치북5

나눔글꼴 설치 안내


이 PC에는 나눔글꼴이 설치되어 있지 않습니다.

이 사이트를 나눔글꼴로 보기 위해서는
나눔글꼴을 설치해야 합니다.

설치 취소