NET 102 - Networking Essentials II

Chapter 9, TCP/IP Applications; Chapter 10, Network Naming

Objectives:

This lesson covers two chapters, which discuss several protocols and the naming of network devices. Objectives important to this lesson:

  1. Network and Transport layer protocols
  2. Port numbers
  3. Application layer protocols
  4. DNS
  5. WINS
  6. Troubleshooting DNS and WINS problems
Concepts:
Chapter 9

The author begins the chapter by reminding us that there are many protocols in the TCP/IP suite. This chapter is about several of them. He gives us two examples of human communication, one more formal than the other. His point is that we can think of network communications as being of two similar types. The more formal kind are connection-oriented, which make sure that connections are established, messages are confirmed, and connections are ended. This is the way Transmission Control Protocol (TCP) works. On page 226, the text describes an HTTP request making a TCP connection with a TCP three-way handshake. Note that only two participants are involved.

  • The requester sends a synchronize (SYN) packet to a server.
  • The server responds with a synchronization acknowledgment (SYN ACK) message.
  • The requester sends an acknowledgement (ACK) packet, confirming the connection.

The text then describes terminating the TCP session, which could be initiated by either party in the session.

  • The device requesting to end the session sends a packet saying I'm finished, please acknowledge (FIN ACK).
  • The second device sends an acknowledge (ACK) packet.
  • The second device then sends a packet like the first one, saying I'm finished, please acknowledge (FIN ACK).
  • The first device sends an acknowledge (ACK) packet. This closes the session on both ends.

The text does not mention that this process can vary. In this discussion on the wireshark site, it is noted that a web browser might send a connection reset packet (RST) instead of completing the graceful closure dialog. Graceful, in IT, typically means that something is being done formally, methodically, and with every party in the transaction aware of and acknowledging what is happening.
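To see the handshake, the four-step teardown, and the RST shortcut side by side, here is an added example of my own (not code from the textbook). It replays a constructed list of (sender, flags) events and names the state after each segment, using the state names netstat prints; the event lists at the bottom are constructed for this lesson.

```python
"""Replay a two-party TCP exchange and name the connection state after each segment.

Added example for the handshake and teardown described above; not code from the
textbook. Each event is (sender, flags): 'client' is the side that sent the first
SYN, flags is a set of TCP control-bit names.
"""

# Control bits in the TCP header flags byte (RFC 793 numbering)
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def decode_flags(flags_byte):
    """Turn the raw flags byte into a set of names, e.g. 0x12 -> {'SYN', 'ACK'}."""
    return {name for name, bit in FLAG_BITS.items() if flags_byte & bit}


def track_connection(events):
    """Return the list of states the connection passes through, starting from CLOSED.

    The view is that of the side that initiates the close (the 'closer'); its peer
    sits in CLOSE_WAIT between the first FIN and its own FIN. Unexpected segments
    raise, so a malformed sequence is visible instead of silently accepted.
    """
    state, closer = "CLOSED", None
    history = [state]
    for sender, flags in events:
        if "RST" in flags:
            state = "RESET"            # abortive close: no further dialog, as the Wireshark note says
        elif state == "CLOSED" and flags == {"SYN"}:
            state = "SYN_SENT"         # handshake step 1
        elif state == "SYN_SENT" and flags == {"SYN", "ACK"} and sender == "server":
            state = "SYN_RECEIVED"     # handshake step 2
        elif state == "SYN_RECEIVED" and flags == {"ACK"} and sender == "client":
            state = "ESTABLISHED"      # handshake step 3: both sides agree the connection is up
        elif state == "ESTABLISHED" and "FIN" in flags:
            closer, state = sender, "FIN_WAIT_1"   # teardown step 1: FIN ACK from the closer
        elif state == "FIN_WAIT_1" and sender != closer and "FIN" in flags:
            state = "TIME_WAIT"        # peer folded teardown steps 2 and 3 into one FIN ACK
        elif state == "FIN_WAIT_1" and sender != closer and "ACK" in flags:
            state = "FIN_WAIT_2"       # teardown step 2: peer acknowledged and is now in CLOSE_WAIT
        elif state == "FIN_WAIT_2" and sender != closer and "FIN" in flags:
            state = "TIME_WAIT"        # teardown step 3: the peer's own FIN ACK
        elif state == "TIME_WAIT" and sender == closer and flags == {"ACK"}:
            state = "CLOSED"           # teardown step 4; the closer still waits 2*MSL before reusing the port
        elif state == "ESTABLISHED" and "ACK" in flags:
            pass                       # ordinary data or ACK segments do not change the state
        else:
            raise ValueError(f"unexpected {sorted(flags)} from {sender} in state {state}")
        history.append(state)
    return history


def classify(events):
    """Summarise how the exchange ended: 'graceful', 'reset', 'open', or 'half-open'."""
    history = track_connection(events)
    if "RESET" in history:
        return "reset"
    if "ESTABLISHED" not in history:
        return "half-open"     # handshake never completed; a pile of these is what a defender watches for
    return "graceful" if history[-1] == "CLOSED" else "open"


# Constructed exchanges for the cases discussed in the text
HANDSHAKE = [("client", {"SYN"}), ("server", {"SYN", "ACK"}), ("client", {"ACK"})]
GRACEFUL_CLOSE = HANDSHAKE + [("client", {"FIN", "ACK"}), ("server", {"ACK"}),
                              ("server", {"FIN", "ACK"}), ("client", {"ACK"})]
ABORTIVE_CLOSE = HANDSHAKE + [("client", {"PSH", "ACK"}), ("client", {"RST", "ACK"})]
HALF_OPEN = [("client", {"SYN"}), ("server", {"SYN", "ACK"})]

if __name__ == "__main__":
    for label, ev in [("graceful", GRACEFUL_CLOSE), ("abortive", ABORTIVE_CLOSE), ("half-open", HALF_OPEN)]:
        print(f"{label:9} {classify(ev):9} {' -> '.join(track_connection(ev))}")
```

The half-open case is the one worth remembering from a defender's side: a server that is handed SYNs without the third packet holds SYN_RECEIVED entries until they time out, so counting connections stuck in that state is a cheap health check.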

User Datagram Protocol (UDP) is much less formal. The text describes three upper layer protocols that use UDP connectionless service:

  • DHCP - Dynamic Host Configuration Protocol uses two ports, but does not establish a connection on either of them. Remember the DORA steps?
    • The workstation sends the Discovery and Request transmissions as broadcasts on port 67.
    • The server sends its Offer and Acknowledgment messages on port 68.
    • UDP is used for all four transmissions.
  • NTP and SNTP - Network Time Protocol and Simple Network Time Protocol use UDP to do what their names imply. They both use port 123 to contact a network time server.
  • TFTP - Trivial File Transfer Protocol uses port 69, and should only be used for file copying inside a LAN, where we are confident that packets will not be dropped.

ICMP is discussed briefly. We are told that Internet Control Message Protocol is connectionless, partly because it typically sends one packet instead of a stream of them. Remember that ICMP is used to send ping requests, and it is easy to remember the idea of one packet at a time. If that doesn't do it for you, try "one ping only".

The text moves on to port numbers on page 228, warning us that we need to know several of them to pass the Network+ test. We saw a few in the last section. A port number is stored in two bytes, so it can be as low as 0 or as high as 65,535. Like many texts, ours tells us that there are three types of port numbers, but it is not sure where to draw the lines, so there may really be only two types, called by several names:

  • well known - everyone agrees that these are numbers 0 through 1023; these are ports that are associated with a service on a server
  • registered - may be from 1024 through 49151 on a Windows system; called registered because the creator of an application (program) can ask IANA to register their use of a port number in this range
  • ephemeral, dynamic, private - the name ephemeral means temporary or short-lived; they may be from 1024 through 5000 on some operating systems, but Windows systems later than XP will use 49152 through 65535; they are used to assign a port number on the fly to an application that is sending traffic across an IP network; the application needs a port number to identify it and differentiate it from any other similar program running on the same computer, so that the server can send the requested data back to the right place

The text tells us that the combination of an IP address and a port number can be called a socket or an endpoint. This is a little pedantic, since we are already talking about devices on a TCP/IP network, and all those devices have addresses. If you want to see a list of sockets, open a command prompt window, and give it the command netstat -n.

Example of Netstat output

In the example above, note that all the local ports are above 5000, while the foreign ports are either 443 (HTTPS) or 445 (Microsoft-ds file sharing). The text tells us to learn the netstat utility for the Network+ exam, but suggests we may want to use TCPView for everyday use. It updates continuously, instead of showing us a moment in time as netstat does.

The text reminds us that we communicate with a web server on port 80, and tells us that we do so because the server is listening on that open port, the port it watches for incoming requests. So is it listening or watching? Neither: it's a machine. Both verbs are metaphors for what the program waiting for a request is doing. This takes us to another netstat lesson. To see all the open ports on a computer, enter netstat -an. You will get the information from the -n version of the command, plus all the open ports. By the way, since we should be looking at what the netstat command can do, you should know how to ask it. Enter netstat -? to see the help file for that command. I was asked in class about using the dash as the soft switch flag instead of the forward slash. Both work, but the help file for netstat only shows the dash versions of each variation.

Note that all of the connections in the example above are in the ESTABLISHED state, even the ones for local host. In the examples in the text, other states are mentioned that tell you something about the connection.

  • A connection to port 80 that is in a CLOSE_WAIT state is making a graceful disconnect of a connection to a web server.
  • In a similar example, a connection to port 80 is in a TIME_WAIT state, meaning that the connection to the web server was lost, but our browser is waiting for a timeout to expire before giving up.

The text continues with more useful switches for the netstat command.

  • -ano - requests the same information as -an, but adds the process ID number of the program on your side in each connection
  • -b - may give you the name of the local program that made a connection, but will do nothing unless you have administrator permissions
  • -a - displays all connections and listening ports
  • -n - displays addresses and ports as numbers

The rest of the chapter is about various applications that run under TCP or UDP. There is a great deal of discussion, but the facts you need to know are summarized on page 252 like this:


Application   TCP or UDP   Port                           Purpose
HTTP          TCP          80                             web traffic
HTTPS         TCP          443                            SSL web traffic
Telnet        TCP          23                             terminal emulator
SSH           TCP          22                             secure terminal emulator
SMTP          TCP          25                             outgoing mail
POP3          TCP          110                            incoming mail (deletes from server)
IMAP4         TCP          143                            incoming mail (leaves original on server)
FTP           TCP          20/21 (active), 21 (passive)   file transfer
TFTP          UDP          69                             trivial file transfer
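The port ranges, the netstat output, and the table above all come together when you read a real listing, so here is an added example (my own code, not from the textbook or from Microsoft). It parses a constructed netstat -an listing in the Windows column layout, labels each port with its range and, where the table gives one, its service, and then runs two simple audit checks a defender would want. The addresses in SAMPLE are constructed documentation addresses.

```python
"""Parse netstat -an style output and review it with the port facts from the chapter.

Added example, not code from the textbook or from Microsoft. SAMPLE is a constructed
netstat -an listing in the Windows column layout.
"""

SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED
  TCP    192.168.1.20:49812     203.0.113.10:443       ESTABLISHED
  TCP    192.168.1.20:49815     203.0.113.10:80        TIME_WAIT
  TCP    192.168.1.20:49822     198.51.100.7:23        ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""


def port_class(port):
    """Range names from the chapter, using the Windows Vista-and-later dynamic range."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} does not fit in two bytes")
    if port <= 1023:
        return "well known"
    if port <= 49151:
        return "registered"
    return "dynamic"


# Services from the summary table on page 252, plus the UDP protocols and port 445 discussed earlier
SERVICES = {
    ("TCP", 20): "FTP data", ("TCP", 21): "FTP control", ("TCP", 22): "SSH", ("TCP", 23): "Telnet",
    ("TCP", 25): "SMTP", ("TCP", 80): "HTTP", ("TCP", 110): "POP3", ("TCP", 143): "IMAP4",
    ("TCP", 443): "HTTPS", ("TCP", 445): "Microsoft-DS", ("UDP", 67): "DHCP server",
    ("UDP", 68): "DHCP client", ("UDP", 69): "TFTP", ("UDP", 123): "NTP",
}

# Protocols the chapter pairs with an encrypted replacement (Telnet vs SSH) or that carry files unprotected
CLEARTEXT = {"Telnet", "FTP control", "FTP data", "TFTP"}


def split_endpoint(endpoint):
    """'192.168.1.20:49812' -> ('192.168.1.20', 49812); '*:*' -> ('*', None); works for '[::]:135' too."""
    host, _, port = endpoint.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_netstat(text):
    """Return one dict per TCP/UDP row; header lines and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""          # UDP rows have no State column
        lip, lport = split_endpoint(local)
        fip, fport = split_endpoint(foreign)
        # Name the service from the foreign (server) port first, then the local port for listeners
        service = SERVICES.get((proto, fport)) or SERVICES.get((proto, lport))
        rows.append({"proto": proto, "local_ip": lip, "local_port": lport, "local_class": port_class(lport),
                     "foreign_ip": fip, "foreign_port": fport, "state": state, "service": service})
    return rows


def review(rows):
    """Audit checks over the listing: services exposed on every interface, and
    established sessions to protocols that send credentials or files in the clear."""
    findings = []
    for r in rows:
        if r["state"] == "LISTENING" and r["local_ip"] in ("0.0.0.0", "[::]"):
            findings.append(f"listening on all interfaces: {r['service'] or 'unknown service'} "
                            f"port {r['local_port']}")
        if r["state"] == "ESTABLISHED" and r["service"] in CLEARTEXT:
            findings.append(f"cleartext protocol in use ({r['service']}): "
                            f"{r['local_ip']}:{r['local_port']} -> {r['foreign_ip']}:{r['foreign_port']}")
    return findings


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE)
    for r in parsed:
        print(f"{r['proto']} {r['local_ip']}:{r['local_port']} ({r['local_class']}) -> "
              f"{r['foreign_ip']}:{r['foreign_port']} {r['state']} {r['service'] or ''}")
    for finding in review(parsed):
        print("!", finding)
```

Notice how the local ports on the workstation's own connections all fall in the dynamic range while the foreign ports are well-known ones; that asymmetry is exactly what the socket idea on page 228 is about.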

Assignment 1: Chapter 9

  1. Do the multiple choice questions for chapter 9.
  2. Catch up on your outstanding LabSim assignments.
Chapter 10

This chapter is mostly about two naming systems that you may find on networks, DNS and WINS.

Before there was DNS, the Internet was a lot smaller and it was possible to keep one list of host names and the IP addresses that matched them. The list was just called the hosts table, and it was updated at the Stanford Research Institute Network Information Center (SRI-NIC). This was downloaded to each network. It is the ancestor of the hosts file on most computers.

A hosts file is a list, saved as a simple text file, divided into three columns: IP address, official host name, and aliases that are also allowed for this host. In the example on page 259, we see only two columns, meaning that these hosts have one name apiece. Each line in the table describes one IP address and the host names that can be used for it by machines that read this table. This is a fine system for small networks in which changes do not happen often. Each device on the network must have its own copy of the hosts file, or must know where the hosts file is stored, and must read it to make use of host names.

  • On a Novell NetWare system, the hosts file is usually stored as SYS:ETC\HOSTS, which means it is called HOSTS, stored in the ETC directory, on the SYS volume.
  • On a UNIX system it is usually /etc/hosts
  • On a Windows workstation or server, the location varies by the version of Windows:
    • Windows 95 and 98: \Windows\HOSTS
    • Windows NT and 2000: \WINNT\SYSTEM32\DRIVERS\ETC\HOSTS
    • Windows Server 2003 and Windows XP: \WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
      Later versions of Windows have continued to keep it in this location.

Note that none of the examples uses a file extension. The hosts file itself must be an ASCII file. The # symbol marks the beginning of a remark or comment. Lines that begin with that symbol are not processed by the operating system; they are in the file for internal documentation.

The text reveals to us that every operating system that has a hosts file refers to it for an IP address before it makes a request to get an IP address from a DNS server. This is worth knowing, and essentially it provides a vulnerability that could be exploited. If you want to send traffic to your desired site instead of the real one, you could try planting addresses and host names in a device's host file.
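Since the hosts file is consulted before DNS, it is worth knowing how to read one and how to check it. Here is an added example of my own (not from the textbook) that parses a constructed hosts file in the three-column format described above, looks names up the way the operating system does (first matching line wins, no DNS query), and lists the entries an administrator should look at twice: names pinned to addresses outside loopback and the local private ranges. The address ranges passed to audit() are an assumption about what counts as "local" for this network.

```python
"""Parse a hosts file, resolve names from it, and audit it for overrides.

Added example, not from the textbook. SAMPLE_HOSTS is constructed for this lesson.
"""
import ipaddress

SAMPLE_HOSTS = """\
# sample hosts file (constructed for this example)
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.corp.example    files nas    # aliases follow the official name
192.168.1.20    printer.corp.example
203.0.113.99    www.bank.example           # a public name pinned to an outside address
10.0.0.5                                   # malformed: no host name
not-an-ip       badhost                    # malformed: not an address
"""


def parse_hosts(text):
    """Return (entries, errors). entries is a list of (ip_address, [names]) with names lower-cased;
    errors is a list of (line number, reason). '#' starts a comment, whole-line or trailing."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop the remark, as the OS does
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            errors.append((lineno, "address without a host name"))
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            errors.append((lineno, f"not an IP address: {fields[0]}"))
            continue
        entries.append((ip, [n.lower() for n in fields[1:]]))
    return entries, errors


def resolve(name, entries):
    """Mimic the lookup order the chapter describes: the first hosts-file line naming the host
    wins and DNS is never asked. Returns None when the name is not in the file."""
    name = name.lower()
    for ip, names in entries:
        if name in names:
            return str(ip)
    return None


def audit(entries, local_nets=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """List entries mapping a name to an address outside loopback and local_nets (assumed to be
    this network's private ranges). A workstation's hosts file normally names only local machines,
    so a public-looking name pinned elsewhere is the override the chapter warns about."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    findings = []
    for ip, names in entries:
        if ip.is_loopback or any(ip in net for net in nets):
            continue
        findings.append(f"{ip} -> {', '.join(names)}")
    return findings


if __name__ == "__main__":
    entries, errors = parse_hosts(SAMPLE_HOSTS)
    print("files ->", resolve("files", entries))
    for lineno, reason in errors:
        print(f"line {lineno}: {reason}")
    for finding in audit(entries):
        print("review:", finding)
```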

The text turns to DNS on page 260. I have seen the acronym expanded as Domain Name System and as Domain Name Service. People need help navigating the Internet. Names are much easier to remember than IP addresses, but we can't put them all in one file. Instead, they are put in a distributed database.

The information needed to find a host on the Internet is too complex and too fluid to save on any single server. DNS was invented to manage a database that is saved on lots of machines. DNS uses a hierarchy, an inverted tree-shaped structure that branches as you go down the tree.

  • The DNS tree starts at what is called the root-level domain.
  • All root-level domain servers know how to get to all top-level domain servers. Top-level domain servers are the authorities of their domains, like .com, .net, and .org, as well as .ca, .au, .ch, and all the other top-level domains. Servers at this level can be called primary or master servers.
  • In its domain, each top-level server knows the addresses of each second-level domain server, such as microsoft.com. These are the registered domain servers. Registered domains can include subdomains, so they are included in this level as well. Servers at this level can be called secondary or slave servers.

The text spends several paragraphs getting around to telling you that a domain name can include a host name. Remember that a domain name refers to a hierarchical structure, and as we read from left to right, we are naming layers of the structure as we go toward the root of the DNS hierarchy. Be aware that a domain name that specifies all the layers from a device up to the DNS root is a fully qualified domain name.

DNS is a distributed database system, which means that many servers each hold part of the DNS system. What the system does is provide translation from Domain Names (names of web sites, for instance) to IP addresses. If I tell you to check out the information at server 64.236.16.84 this week, will you remember that address? Thanks to DNS, you don't have to remember the numbers. Its URL (Uniform Resource Locator) name is www.cnn.com. You can enter either the address or the name in the address line of a browser. Either will take you to the same web site.

Back to the distributed idea. The Internet is divided into Domains. Baker College, for example, has been assigned a subdomain (called Baker) in the edu domain, which is for colleges that offer 4-year degrees and more. edu is a top-level domain. A domain name is limited to 255 characters, and each label in it (the parts separated by dots) is limited to 63 characters.
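To make the hierarchy and the length limits concrete, here is an added example of my own (not from the textbook). It validates a name against the 255-character and 63-character-per-label limits given above, lists the zones an authority walks from the root down to the host, and splits a name into the chapter's levels (top-level, second-level, host). It follows the chapter's simple two-level model and does not special-case country registries that sell names under a second label.

```python
"""Validate domain names and walk the DNS hierarchy the chapter describes.

Added example, not from the textbook. Length limits are the ones the chapter gives.
"""
import re

MAX_NAME = 255    # limit on the whole domain name
MAX_LABEL = 63    # limit on each dot-separated label
# letters, digits and hyphens, with no hyphen at either end of a label
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")


def check_name(name):
    """Validate a domain name and return its labels, left to right.

    A trailing dot names the root explicitly and is accepted. Empty labels (two dots
    in a row), over-long labels or names, and badly formed labels raise ValueError.
    """
    if name.endswith("."):
        name = name[:-1]
    if not name:
        raise ValueError("empty name")
    if len(name) > MAX_NAME:
        raise ValueError(f"name longer than {MAX_NAME} characters")
    labels = name.split(".")
    for label in labels:
        if not label:
            raise ValueError("empty label (two dots in a row)")
        if len(label) > MAX_LABEL:
            raise ValueError(f"label longer than {MAX_LABEL} characters")
        if not LABEL_RE.fullmatch(label):
            raise ValueError(f"label '{label}' must use letters, digits and inner hyphens only")
    return labels


def zone_chain(name):
    """Zones consulted, root first, when resolving name.

    Reading the name right to left climbs toward the root; the chain is that walk
    reversed: '.', then 'com.', then 'cnn.com.', then 'www.cnn.com.'.
    """
    labels = check_name(name)
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        chain.append(".".join(labels[i:]) + ".")
    return chain


def split_fqdn(name):
    """(top-level domain, second-level domain, host part or None) per the chapter's model."""
    labels = check_name(name)
    if len(labels) < 2:
        raise ValueError("a registered domain needs at least two labels")
    tld = labels[-1]
    second_level = ".".join(labels[-2:])
    host = ".".join(labels[:-2]) or None
    return tld, second_level, host


if __name__ == "__main__":
    for n in ("www.cnn.com", "baker.edu.", "mail.students.baker.edu"):
        print(n, "->", " > ".join(zone_chain(n)), "|", split_fqdn(n))
```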

Your book wants you to be familiar with several top-level domains:

com Commercial entities
edu Educational institutions
gov Agencies of the U.S. Federal government
mil US Military
net Computers of network providers
org Miscellaneous: for organizations that do not fit anywhere else
biz Businesses. This is essentially an alternative to .com
name Personal URLs. A person can apply for a subdomain for their own name.
pro Professional organizations.
au Australia
ca Canada
de Germany (Deutschland)
uk United Kingdom

Most countries have two letter domain names. Some, like Germany, are not intuitive until you remember what the country is called in the language spoken there.

The DNS hierarchy is meant to be subdivided. Domains are divided into subdomains. A subdomain may be a zone that a company administers. This zone is subdivided into other, smaller zones that are administered by divisions of the company. A DNS server consults higher and higher level authorities, which consult zone authorities under them to resolve a DNS request. The machine asking the server for the translation of a host name to an IP address is called a DNS resolver. This seems odd, since the machine making the request provides no part of the name resolution, but it is the one called the resolver.

On page 272, the text starts a discussion of what a DNS server looks like on a Windows Server. Note the three folders shown in the image on that page:

  • Cached Lookups - when a DNS server learns the address associated with a domain name, it saves the information here. You can set a time limit on how long an entry is kept, which is a good idea if you expect IP addresses to change.
  • Forward Lookup Zones - holds IP address-and-name pairs that this server is responsible for; for each domain for which this server is authoritative, there will be a folder, and those folders hold several kinds of records:
    • A - address records, used to search for a name and look up the IPv4 address
    • CNAME - holds alias records, used to look up the actual name (canonical name) of a device by searching for an alias
    • NS - holds addresses of Name Servers for the domain in question
    • MX - these records hold the addresses of mail servers for the domain
    • AAAA - holds IPv6 addresses (an A record holds four-byte addresses, an AAAA record holds sixteen-byte addresses)
  • Reverse Lookup Zones - are for looking up domain names for known IP addresses
    • PTR - pointer records hold the addresses of devices and their canonical names
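To show how the record types above fit together, here is an added example of my own (not the textbook's and not Windows DNS Server code). It holds a small constructed forward lookup zone for example.com as a dictionary, answers queries by following CNAME aliases to the canonical name the way a server does (refusing to spin on a CNAME loop), builds the reverse lookup zone from the A and AAAA records, and shows the in-addr.arpa and ip6.arpa owner names that PTR records live under. The zone data is constructed; 192.0.2.0/24 and 2001:db8::/32 are documentation ranges.

```python
"""A toy forward lookup zone, CNAME-following lookups, and the derived reverse zone.

Added example, not from the textbook. ZONE is constructed for this lesson.
"""
import ipaddress

# Owner name -> record type -> list of record data. MX data is (preference, mail host).
ZONE = {
    "example.com.":       {"NS": ["ns1.example.com."], "MX": [(10, "mail.example.com.")]},
    "ns1.example.com.":   {"A": ["192.0.2.53"]},
    "mail.example.com.":  {"A": ["192.0.2.25"], "AAAA": ["2001:db8::25"]},
    "web.example.com.":   {"A": ["192.0.2.80"]},
    "www.example.com.":   {"CNAME": ["web.example.com."]},      # alias -> canonical name
    "loop1.example.com.": {"CNAME": ["loop2.example.com."]},    # a broken pair of aliases
    "loop2.example.com.": {"CNAME": ["loop1.example.com."]},
}


def lookup(name, rtype, zone=ZONE):
    """Return (canonical_name, records) for rtype at name, following CNAME aliases.

    A server answering for an alias follows the chain to the canonical name and
    returns that name's records. A chain that revisits a name raises ValueError
    instead of looping forever.
    """
    seen = []
    while name not in seen:
        seen.append(name)
        rrset = zone.get(name, {})
        if rtype in rrset:
            return name, rrset[rtype]
        if "CNAME" in rrset:
            name = rrset["CNAME"][0]
            continue
        return name, []                    # name exists (or not) but has no such record
    raise ValueError("CNAME loop: " + " -> ".join(seen + [name]))


def reverse_name(ip):
    """Owner name of the PTR record for ip: octets reversed under in-addr.arpa for IPv4,
    hex nibbles reversed under ip6.arpa for IPv6 (an A record is four bytes, an AAAA sixteen)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def build_reverse_zone(zone=ZONE):
    """Derive the Reverse Lookup Zone: one PTR record per A/AAAA record, keyed by reverse_name."""
    ptr = {}
    for owner, rrset in zone.items():
        for rtype in ("A", "AAAA"):
            for addr in rrset.get(rtype, []):
                ptr.setdefault(reverse_name(addr), []).append(owner)
    return ptr


if __name__ == "__main__":
    print(lookup("www.example.com.", "A"))
    print(lookup("example.com.", "MX"))
    for owner, names in build_reverse_zone().items():
        print(owner, "PTR", names)
```

The reverse zone is derived here, not typed in, which is the discipline to aim for on a real server: a PTR that disagrees with its A record is a common cause of mail and logging oddities.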

The text has a long discussion about Microsoft complications to DNS, which do not appear to be covered in the LabSim material, so we will move ahead to page 282, to discuss WINS, Windows Internet Name Service.

As you may gather from the text, Microsoft has created competing software not so much to match as to provide an alternative system for everything we have discussed so far. Their version of the HOSTS file is called the LMHOSTS file. It holds IP addresses, like the HOSTS file, but the names in it are NetBIOS names, not domain names.

The text gracefully explains the functions of a system that uses NetBIOS and WINS, but it is a rather dated discussion, hinging on using workstations running Windows 95 or 98, which should be way obsolete at this time. In a marginal note on page 284, the text points out that the same interface we have been using to configure IP settings has a tab for WINS that can be used for that kind of configuration.

One of the confusing things about WINS is its nbtstat utility whose name closely resembles netstat. Remember that NetBIOS is part of the WINS system and nbtstat begins with nb.

The chapter ends with some general advice about troubleshooting TCP/IP problems which you should read for any ideas you have not heard yet.

Assignment 2: Chapter 10

  1. Chapter 10 multiple choice questions, 1 - 15.
  2. Lab Project 10.1 on page 293. All twelve items.