cmd commands

Using tools to analyse data flow

Practical Exercise

We will look at three simple practical exercises you can do right now from your PC. These involve ARP, ping, and traceroute.

For these exercises we will stick to the Windows environment, although equivalent commands exist on Linux. Each exercise is carried out from the Windows command prompt, “cmd.exe”, which you can find from the Windows Start menu. Each of the tools we will use is part of a standard Windows installation.

ARP table

Address Resolution Protocol (ARP) maps an IPv4 address to the MAC (hardware) address of the interface that owns it, so that frames can be delivered across a LAN. Your PC keeps a local ARP table (cache) of the IP-to-MAC pairs it has learned. Let’s have a look at it.

To view your ARP table, at the command prompt type: arp -a

You should see something similar to this:

(Image: output of arp -a)

The table has columns for the IP address, the MAC (physical) address, and the entry type. “dynamic” means the mapping was learned from ARP traffic and will age out; “static” means it was added by hand or by Windows itself (the broadcast and multicast mappings, for example). The type describes the ARP entry, not how the IP address was allocated; it has nothing to do with DHCP.

What you see will depend greatly on your local network environment. In the example the PC has two network interfaces, one for its LAN (starting 10.101…), and one for a VirtualBox interface (192.168…).

In this example the LAN has around 30 other hosts. Your ARP table may have comparatively few entries if it is your home network.

Question: What are the IP addresses starting 224.0… used for? Search Google to find out about these addresses.
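The checks a practitioner actually runs against this table are worth automating. The following is an added example, not code from the original post: it parses the text that arp -a prints (the sample output below is constructed, with made-up addresses and MACs), sorts each entry into host, broadcast or multicast, verifies that every multicast row carries the 01-00-5e MAC prefix that IPv4 multicast groups are supposed to map to, and flags any MAC that answers for more than one unicast IP on the same interface, which is what an ARP spoofing attack looks like from the victim’s cache. The entry and interface line layouts assumed here are the ones Windows prints; the function and variable names are this example’s own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `arp -a` output from a Windows PC with two interfaces
# (all addresses and MACs are made up for this example).
SAMPLE_ARP_OUTPUT = """
Interface: 10.101.4.23 --- 0xb
  Internet Address      Physical Address      Type
  10.101.4.1            00-1a-2b-3c-4d-5e     dynamic
  10.101.4.57           08-00-27-aa-bb-cc     dynamic
  10.101.4.58           08-00-27-aa-bb-cc     dynamic
  10.101.4.255          ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  239.255.255.250       01-00-5e-7f-ff-fa     static

Interface: 192.168.56.1 --- 0x14
  Internet Address      Physical Address      Type
  192.168.56.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

IFACE_RE = re.compile(r"^Interface:\s+(\d{1,3}(?:\.\d{1,3}){3})")
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(static|dynamic)\s*$",
    re.IGNORECASE,
)


def parse_arp(text):
    """Turn `arp -a` text into a list of {iface, ip, mac, type} dicts."""
    entries, iface = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"iface": iface, "ip": m.group(1),
                            "mac": m.group(2).lower(), "type": m.group(3).lower()})
    return entries


def classify(ip, mac):
    """'multicast' (224.0.0.0/4), 'broadcast' (all-ones MAC) or an ordinary 'host'."""
    if ipaddress.ip_address(ip).is_multicast:
        return "multicast"
    if mac == "ff-ff-ff-ff-ff-ff":
        return "broadcast"
    return "host"


def multicast_mac_matches(ip, mac):
    """IPv4 multicast MACs are 01-00-5e followed by the low 23 bits of the group
    address (RFC 1112); any other MAC on a multicast row is worth a closer look."""
    expected = 0x01005E000000 | (int(ipaddress.ip_address(ip)) & 0x7FFFFF)
    return mac.replace("-", "") == f"{expected:012x}"


def find_shared_macs(entries):
    """MACs that answer for more than one unicast IP on the same interface.
    A router or a host with several addresses does this legitimately, but it is
    also exactly what ARP spoofing looks like in the victim's cache."""
    by_mac = defaultdict(set)
    for e in entries:
        if classify(e["ip"], e["mac"]) == "host":
            by_mac[(e["iface"], e["mac"])].add(e["ip"])
    return {mac: sorted(ips) for (_, mac), ips in by_mac.items() if len(ips) > 1}


def summarize(text):
    """Counts per class plus the two anomaly lists, for a whole arp -a dump."""
    entries = parse_arp(text)
    counts = defaultdict(int)
    for e in entries:
        counts[classify(e["ip"], e["mac"])] += 1
    bad_mcast = [e["ip"] for e in entries
                 if classify(e["ip"], e["mac"]) == "multicast"
                 and not multicast_mac_matches(e["ip"], e["mac"])]
    return {"counts": dict(counts), "shared_macs": find_shared_macs(entries),
            "bad_multicast_macs": bad_mcast}


if __name__ == "__main__":
    print(summarize(SAMPLE_ARP_OUTPUT))
```

On a real machine, pipe the live table in with something like summarize(subprocess.check_output(["arp", "-a"], text=True)). In the constructed sample, 10.101.4.57 and 10.101.4.58 share a MAC; on a home network that is usually a virtual machine host or a device with two addresses, but if one of the two is your default gateway it is worth checking before you trust that LAN.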

Ping

The ICMP protocol can be used to determine whether another machine is alive by sending it a “ping”, which is an ICMP Echo Request message; a live host that is willing to answer sends back an ICMP Echo Reply.

The IP address 8.8.8.8 is owned by Google and it hosts one of Google’s public DNS servers. Let’s try pinging the server to see if it responds.

At the command prompt type: ping 8.8.8.8

You should see something similar to this:

(Image: output of ping 8.8.8.8)

On Windows, ping sends four ICMP Echo Requests by default and then stops. On Linux, ping keeps sending until you press Ctrl-C, so add the option “-c 4” to limit the count to four packets.

In this example four ICMP Echo Reply messages were received, telling us there is a host at 8.8.8.8 that answers pings. We also see the round-trip time for each response, which is why pings are also a good way to learn about network latency.

If you see no responses, it is likely that ICMP is being filtered somewhere between you and the target, or that the target is configured not to answer Echo Requests; a host that does not reply is not necessarily down. Filtering ICMP is common in corporate networks, because attackers use it for host discovery and other reconnaissance.
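To see what a firewall is actually matching on when it filters “certain ICMP packets”, it helps to build the message by hand. The following is an added example, not code from the original post: it assembles an ICMP Echo Request exactly as ping sends it (type 8, code 0, checksum, identifier, sequence number, then data), computes the RFC 1071 Internet checksum, decodes a message back, and matches an Echo Reply to its request the way ping does, on identifier and sequence number. The 32-byte payload is the pattern Windows ping sends by default; the function names are this example’s own. The bytes are built and checked offline here; putting them on the wire needs a raw socket and administrator rights, which is also why ping is a privileged operation on most systems.

```python
import struct

ICMP_ECHO_REQUEST = 8   # type 8, code 0
ICMP_ECHO_REPLY = 0     # type 0, code 0

# The 32-byte data field Windows ping sends by default.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def internet_checksum(data):
    """RFC 1071: ones'-complement sum of 16-bit words, odd lengths padded with 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold any carry back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type, ident, seq, payload=WINDOWS_PING_PAYLOAD):
    """ICMP header is type(1) code(1) checksum(2) identifier(2) sequence(2),
    followed by data. The checksum is computed with its own field zeroed."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet):
    """Decode an ICMP message. A valid message checksums to zero when the
    stored checksum is included in the sum; anything else is rejected."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    if internet_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:]}


def is_reply_to(reply, request):
    """ping pairs a reply with its request on identifier + sequence number and
    expects the data to come back unchanged."""
    rq, rp = parse_icmp(request), parse_icmp(reply)
    return (rq["type"] == ICMP_ECHO_REQUEST and rp["type"] == ICMP_ECHO_REPLY
            and rq["id"] == rp["id"] and rq["seq"] == rp["seq"]
            and rq["payload"] == rp["payload"])


if __name__ == "__main__":
    req = build_echo(ICMP_ECHO_REQUEST, ident=0x0001, seq=1)
    print(req.hex())            # the 40 bytes a Windows ping puts inside the IP packet
    print(parse_icmp(req))
```

The first byte is the ICMP type, and that is all a filter needs: dropping inbound type 8 (Echo Request) silences ping without touching type 0 replies or type 11 (Time Exceeded), which is why a network can block pings and still let outbound traceroutes work, or the reverse.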

Traceroute

The traceroute tool attempts to trace the route an IP packet takes to a specified host by sending probe packets with small time-to-live (TTL) values. Every router that forwards a packet decrements its TTL by one; the router at which the TTL reaches zero discards the packet and sends back an ICMP Time Exceeded message, which reveals that router’s address. Sending probes with TTL 1, 2, 3 and so on therefore uncovers the hops one by one, until the destination itself answers. The Windows tracert command uses ICMP Echo Requests as probes; Linux traceroute uses UDP datagrams by default.

Let’s use traceroute to discover each of the hops (routers) that a packet will pass through on the way to the Google DNS server at IP address 8.8.8.8.

At the command prompt type: tracert 8.8.8.8

You should see something similar to this:

(Image: output of tracert 8.8.8.8)

In this case there are 11 hops to the host at 8.8.8.8, and we can see the IP address of each hop on the way.

Note that some of these belong to the private IPv4 address ranges (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, defined in RFC 1918), which are not routed on the public Internet; they are the routers inside your own network and, often, your ISP’s. For more information see: https://en.wikipedia.org/wiki/Private_network

Depending on your network configuration you may be unable to complete a traceroute. A hop that does not answer is shown as “* * *”, and if there is a network firewall between your PC and 8.8.8.8 it may well be configured to drop packets with a low TTL, or to suppress the Time Exceeded messages, precisely to prevent this kind of network reconnaissance. A few asterisks followed by further hops usually mean one router stays silent; asterisks all the way to the end mean the probes or the replies are being blocked.

A full manual for the Windows “tracert” command is available from Microsoft; the options used most often are -d (do not resolve hop addresses to names, which is much faster) and -h (maximum number of hops, 30 by default).

The Linux equivalent is simply called “traceroute”.
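The TTL mechanism, the effect of a silent hop, and the private-address check together fit in a short model. The following is an added example, not code from the original post: it simulates one probe per TTL along a constructed path (two RFC 1918 routers, two public routers using RFC 5737 documentation addresses, then 8.8.8.8), lets a chosen router stay silent to reproduce the “*” lines a filtering firewall produces, and then labels each discovered hop as private or public using the RFC 1918 ranges. The route, the silent-hop set and the function names are this example’s assumptions; real tracert sends three probes per TTL and gives up after 30 hops.

```python
import ipaddress

# Constructed path from a PC to 8.8.8.8: two RFC 1918 routers, two public
# routers (RFC 5737 documentation addresses), then the destination.
EXAMPLE_ROUTE = ["10.101.4.1", "172.16.0.1", "203.0.113.9", "198.51.100.4", "8.8.8.8"]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def simulate_traceroute(route, silent=frozenset(), max_hops=30):
    """One probe per TTL. Every router decrements the TTL; the router where it
    reaches zero discards the probe and answers with ICMP Time Exceeded, unless
    it is in `silent` (a firewall dropping low-TTL packets or suppressing Time
    Exceeded). Only the final host answers with an Echo Reply, which ends the run."""
    results = []
    for ttl in range(1, max_hops + 1):
        remaining, answer = ttl, None
        for router in route[:-1]:
            remaining -= 1
            if remaining == 0:
                if router not in silent:
                    answer = (router, "time-exceeded")
                break
        else:                                  # survived every router
            answer = (route[-1], "echo-reply")
        results.append({"ttl": ttl,
                        "addr": answer[0] if answer else None,
                        "kind": answer[1] if answer else "timeout"})
        if answer and answer[1] == "echo-reply":
            break
    return results


def address_class(addr):
    """'private' for RFC 1918 space, 'public' for everything else."""
    ip = ipaddress.ip_address(addr)
    return "private" if any(ip in net for net in RFC1918) else "public"


def classify_hops(results):
    """(ttl, address or '*', class) per hop, the way you would read tracert output."""
    return [(r["ttl"], r["addr"] or "*",
             address_class(r["addr"]) if r["addr"] else "no reply")
            for r in results]


if __name__ == "__main__":
    run = simulate_traceroute(EXAMPLE_ROUTE, silent={"172.16.0.1"})
    for ttl, addr, cls in classify_hops(run):
        print(f"{ttl:3d}  {addr:<16} {cls}")
```

Hop 2 comes back as “*” because that router never sends Time Exceeded, yet hops 3 onward still appear: probes with a larger TTL pass straight through it. That is the signature of a single quiet router. If the firewall instead dropped every probe with a low TTL, every hop behind it would be silent too, and the run would end in asterisks.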
