The two most common transport layer protocols are TCP and UDP. While both protocols have a few things in common, like ports, they are very different in the way that they operate. In this exercise you

The two most common transport layer protocols are TCP and UDP. While both protocols have a few things in common, like ports, they are very different in the way that they operate. In this exercise you will look at the differences in the way the two protocols operate as they send both short and long messages to their destination.

Prerequisites

Before starting this lesson, you should have a basic understanding of the following terms:

TCP

UDP

Ports

Install Wireshark

Go to https://www.wireshark.org/download.html and download the appropriate version of Wireshark for your host operating system

Run the installer to install both Wireshark and the packet capture driver (winpcap for Windows)

Learning Objectives

By the end of this lesson, you will be able to:

Explain the differences between TCP and UDP

Use Wireshark to view and analyze TCP and UDP data streams

Use netcat to send messages on a network

Steps

In this section, the "host" refers to your computer. "Guest" refers to the virtual machine running inside your computer.

Initialize VMs

Create a new folder on your computer for this exercise.

Copy the Vagrantfile, bootstrap.sh, and dangerous.txt from the lab materials to the directory

Open a terminal windown and navigate to the folder.

Run > vagrant up to initialize the virtual machines for this lab.

The two machines you’ll be using here are named alice and bob.

This step may take a little bit as software is installed for this lab.

Open a second terminal and navigate to the same directory. You’ll need connections to both Alice and Bob simultaneously.

Gather information

In one terminal, connect to Alice with > vagrant ssh alice. From the other terminal, connect to Bob with > vagrant ssh bob.

To use the tshark program, you need to know the name of the interfaces you’ll be using. On each VM, run the command $ ifconfig, then look at the results of the command. The interface we’ll be using for this lab is the one with the inet addr on the 192.168.100.0 subnet. The interface name is on the left. In the screenshot below, and throughout this lab, you’ll see enp0s8. Substitute your own interface name whenever you see that value in a command.

Figure 1. Example output from ifconfig command

Determine the IP address of the enp0s8 interface of each VM. Record the IP addresses in the assignment submission, and keep them handy. You’ll need them soon.

Examining short messages in UDP

tshark is a version of Wireshark designed to run on the command line.

To install tshark on alice, you’ll need to run the command on the following line. You can examine the bootstrap.sh file to see what it does. Simply put, it fetches the latest version of the package repository for Ubuntu and installs tshark. Then it changes permissions on one file which will allow you to run tshark without being an administrator or sudo.

When presented with the dialog asking 'Should non-superusers be able to capture packets?': Select "<Yes>"

• $ sudo bash /vagrant/bootstrap.sh

Before executing any commands at this stage, review the entire section. Once you start tshark, you’ll have a limited amount of time to complete the other steps, so you want to be ready for them. It may even be wise to try running the netcat commands on each machine to make sure you understand them, then do it again with tshark running to get the packet capture.

The following is the command to run the tshark program in the background so we can complete the other commands. You should change the duration:[number] option to a number of seconds. This is how long (in seconds) tshark will run before automatically stopping and saving the capture to a file. Give yourself plenty of time, but not so long that you have to wait a long time for the program to finish its job.

-f "not broadcast and not multicast" filters all packets that are not send directly to the computer doing the capture.

-i enp0s8 tells tshark to capture packets on the enp0s8 interface, which in this case is the network interface connecting Alice and Bob. Use ifconfig or tshark -D to get a list of possible network interfaces.

The -a duration:30 option tells tshark to run for 30 seconds before automatically finishing its capture (adjust this time as necessary to give yourself enough time to finish typing all of the netcat commands before the capture quits).

The -w /vagrant/udp.pcap option tells tshark to save the output of the capture to the file /vagrant/udp.pcap.

The -Q option tells tshark to do its capture quietly, without any output to the terminal. This is important due to the next command…​

& at the end of any Linux command tells it to run in the background. This will allow us to execute other commands while the capture is running.

• $ tshark -f "not broadcast and not multicast" -i enp0s8 -a duration:30 \ -w /vagrant/udp-short.pcap -Q &

NoteThe \ in the above command is only needed because this command spans two lines. If you type it out in one line, you can omit the \ after duration:30. The backslash tells the shell that you’re going to keep typing parts of the command on the next line.

Start wireshark (with tshark on Alice)

Use netcat to set up listening on a UDP port on Alice.

The -u tells netcat we’ll be using UDP.

Finally, -l 4242 tells netcat to listen on port 4242.

• $ netcat -ul 4242

Use netcat to send a UDP message to Alice from Bob

Enter the following command at Bob’s command prompt to open a connection to Alice, substituting Alice’s IP address where indicated (remove the <>).

• $ netcat -u <Alice's enp0s8 IP Address> 4242

Once the connection has started, type a brief message (1 or 2 sentences) and hit Enter to send.

After the message is sent, hit CTRL+C on Bob to end the netcat connection. Switch over to Alice and type Ctrl+C again to stop listening. Wait for your tshark session to end (at whatever time limit you set).

Examining UDP in Wireshark

On your host computer, open up a file browser and find the directory you created for this lab. There you should find a file named udp-short.pcap. This file should contain all of the packets sent between Alice and Bob while your tshark session was running. Open that file in Wireshark.

Examining TCP

Now we will send a short message (the same short message as before) using TCP instead of UDP.

Start tshark again, changing the name of the output file to /vagrant/tcp-short.pcap. This is important, because you may want to review the UDP and TCP files to answer some of the questions in the submission.

On Alice, run $ netcat -l 4242 to start listening on port 4242

On Bob, run $ netcat <Alice’s enp0s8 ip address> 4242 to open a connection

Type your short message and hit Enter to send.

Type Ctrl-C to end your connection. This will also close netcat on Alice.

Wait for your tshark session to end.

Open tcp-short.pcap in Wireshark on your host computer and use it to answer the questions in the submission file.

Longer messages

In this section we will use netcat to send the contents of a text file as if we had typed it. This will let us see how UDP and TCP handle sending and receiving longer messages.

Open the dangerous.txt file you copied from the lab documents. It should contain the entire contents of the short story "The Most Dangerous Game" by Richard Connell. As long as it’s in the same directory as your Vagrantfile, can access it on your Linux VMs at /vagrant/dangerous.txt.

UDP

Start tshark, outputting to the file /vagrant/udp-long.pcap.

Start netcat on Alice listening for a UDP message (-u) on port 4242.

On Bob, send the contents of the dangerous.txt file over UDP with the following command:

• $ netcat -u 192.168.100.10 4242 < /vagrant/dangerous.txt

You should see the contents of the file appear in Alice’s terminal.

Press Ctrl-C on both VMs to stop netcat, then wait for your tshark session to end.

Open udp-long.pcap in Wireshark on your host.

TCP

Start tshark with the filename /vagrant/tcp-long.pcap as the output.

Start netcat on Alice listening for a TCP message on 4242.

On Bob, send the contents of dangerous.txt over TCP to Alice

Wait for your tshark session to end, then open tcp-long.pcap in Wireshark on your host.

Cleanup (Optional)

After submitting your work, you can destroy any boxes you used.

Run “$ exit” to leave the SSH session. You will be back at your regular command prompt.

Run “> vagrant destroy” to turn off the machines and delete them completely from your system. Answer "y" to confirm deletion.

Questions (Reflect on questions // Not due for the lab)

What are the IP addresses of Alice and Bob?

VM nameIP address

Alice

Bob

UDP short message

What are the source and destination ports of the UDP datagram?

What are the source and destination IP addresses of the message?

How many UDP packets did it take to send your short message (hint: only count packets captured that list UDP as the protocol)?

How many total bytes (from all packets) were required to transmit this message (add up the "length" of all UDP packets)?

How many bytes of data were sent (hint: click the packet in Wireshark and look at the "Data" section).

TCP short message

What are the source and destination IP addresses of the message?

What are the source and destination ports of the TCP datagram?

How many TCP packets did it take to send your short message (hint: only count packets captured that list TCP as the protocol)?

How many total bytes (from all packets) were required to transmit this message (add up the "length" of all TCP packets)?

How many bytes of data were sent (hint: find the message in Wireshark and look at the "Data" section).

TCP & UDP long messages

The netcat program can be used to transfer the contents of files between machines. You transferred a large file to the stdout (aka the terminal) on Alice’s computer using the netcat [ip] [port] < filename.txt syntax on Bob. If you had typed netcat -l [port] > filename.txt on Alice, that output would have gone into a file. Would TCP or UDP be better used for a file transfer like this, and why?

How many packets did UDP take to send the message? What about TCP? Can you explain why?

Critical thinking (Possible Exam Questions)

What are two important differences between TCP and UDP when sending short messages?

Why would someone choose to use TCP to send short messages (e.g. IRC for chat or SMTP for short emails)?

Name a service that uses UDP, and explain why.

Why don’t you have to close netcat manually when you use TCP to send a long file?