Computer Network Diagnostics Part 4

November 25, 2012 by Adrian Stolarski

In the previous articles on computer network diagnostics we covered a good number of tools and learned how they work. Today's installment is much simpler: we will talk about two diagnostic programs that are available almost everywhere. It will not torture you too much; I intend this article to be really nice, light and pleasant. So let's play with the last two utilities.

The most useful program in the world, or simply Ping

Ping is probably the most widely used piece of network diagnostic software. Administrators use it all over the world, and the heavens praise its author. Ping has exactly one task: it sends short IP packets to a designated computer and expects them to come back to the sender, together with the response received from that computer. Hence the name of the program.

Why is Ping such a good diagnostic tool? It all starts with the IP protocol specification, which includes a built-in control-message mechanism, formally called the Internet Control Message Protocol (ICMP). One of the services the ICMP specification defines is the echo service, identified by message type 8. When a system that supports ICMP receives an ICMP message with type 8 (ICMP echo) in its header, it sends the message back to the querying machine with type 0 in the header instead; that message is called an echo reply. Note that ICMP is an integral part of the IP protocol. What does this mean for us?
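The echo request / echo reply exchange described above, as an added example that is not part of the original article: the code builds an ICMP message with the header layout from RFC 792 (type, code, checksum, identifier, sequence number), verifies the Internet checksum, and shows what a receiving host does with a type-8 message, namely send the same identifier, sequence number and payload back as a type-0 reply. Nothing is put on the wire (sending ICMP needs a raw socket and root privileges); the identifier and payload values are constructed for the example.

```python
import struct
from typing import Optional

ICMP_ECHO_REQUEST = 8   # message type 8: echo (RFC 792)
ICMP_ECHO_REPLY = 0     # message type 0: echo reply
ICMP_HEADER_LEN = 8     # type(1) code(1) checksum(2) identifier(2) sequence(2)


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, the checksum ICMP requires over the whole message."""
    if len(data) % 2:
        data += b"\x00"                       # pad odd-length data with a zero octet
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Serialize an echo request (type 8) or echo reply (type 0) with a valid checksum."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)   # checksum field zeroed first
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Parse an ICMP message, rejecting short or corrupted input before trusting any field."""
    if len(packet) < ICMP_HEADER_LEN:
        raise ValueError("short ICMP message")
    # a message with a correct checksum sums to all ones, so its complement is 0
    if internet_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    msg_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:ICMP_HEADER_LEN])
    return {"type": msg_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[ICMP_HEADER_LEN:]}


def answer_echo(request: bytes) -> Optional[bytes]:
    """What a host's IP stack does: a type-8 echo becomes a type-0 reply with the same id, seq and payload."""
    msg = parse_icmp(request)
    if msg["type"] != ICMP_ECHO_REQUEST or msg["code"] != 0:
        return None                           # not an echo request: nothing to answer here
    return build_echo(ICMP_ECHO_REPLY, msg["id"], msg["seq"], msg["payload"])


if __name__ == "__main__":
    # constructed sample: identifier 0x1234, sequence 1, eight octets of payload
    req = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"abcdefgh")
    rep = answer_echo(req)
    print("request :", parse_icmp(req))
    print("reply   :", parse_icmp(rep))
```

The checksum check in `parse_icmp` is the part worth copying: a receiver that decodes fields from a truncated or corrupted message before validating it is the kind of code that turns a malformed ping into a crash.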

In theory, then, any system that implements TCP/IP answers ping. Along the way, however, a firewall may be configured to filter ICMP packets, although doing so is not considered best practice. So why would anyone block ICMP? The answer is simple: the ICMP echo mechanism can also be put to very bad use. Note that every ping, appropriate or not, and every ICMP response consumes some resources on the target machine and part of the available bandwidth. In normal, everyday life this is no problem at all, because we are dealing with occasional events, mostly a user checking that his network and Internet access work. The best way to do that is to ping some computer that serves as a web server.

More often, though, the same program is used to check whether a host whose services you cannot use, for reasons you do not know, still responds to a ping request. A situation a million times worse arises when one machine starts sending thousands or millions of ICMP packets without interruption. Many companies have had problems because of this. I know of one company where I happened to work in which the main programming server was so often used to respond to ICMP packets that it really required a separate device to answer pings, because those responses absorbed a large part of the web server's computing power.

Do you remember the Ping of Death?

Given the subject matter of this portal, a much more interesting phenomenon for us, and certainly a more dangerous one, is the so-called Ping of Death. It is an attack as old as the world, a DoS (Denial of Service) attack that typically uses ICMP Echo. Today this type of attack has been laid to rest, but you should know how it works.

According to the specification in RFC 791, the maximum size of an IP packet is only 65,535 octets, and that number includes the packet header. As already mentioned, an ICMP message is always carried inside an IP packet, and the ICMP header itself is 8 octets. If the options field of the IP header is not used (so the header is 20 octets), the maximum size of the ICMP message content is therefore 65,507 octets. So what happens to a packet longer than that?

Packets longer than the network frame length are fragmented. What does that mean? They are simply divided into smaller pieces and transmitted to the target system in several network frames. When the pieces arrive, the target system glues the contents of the frames back together to recover the original packet. This whole process is called reassembly, and it relies on a field called the fragment offset. This field is present in every fragment your system receives and tells it where in the reassembled packet the fragment's data is to be placed.

Of course, it is possible to send out suitably crafted fragments, so that the reassembled message ends up longer than the permitted maximum. And this trick is not limited to ICMP. Strange as it may sound to many people, there are still systems on the network in which an attempt to handle such a packet ends in a fatal error. However, on most operating systems you cannot use the ping program to generate a Ping of Death, because their ping limits the maximum packet size to 65,500 octets. Likewise, most of the available network diagnostic tools cannot be used to carry out denial of service attacks, though the right programs can easily be found on the Internet.
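The size arithmetic and the fragment-offset mechanism from the last three paragraphs, as an added example that is not part of the original article: `fragment` splits an IP payload into fragments the way a sending stack does (offsets counted in 8-octet units, a more-fragments flag on all but the last piece), and `reassemble` puts them back together while applying the bounds check that a vulnerable stack lacked, namely that offset plus fragment length must stay inside a 65,535-octet datagram. The 20-octet IP header, the 1500-octet MTU and the payload bytes are constructed values for the example.

```python
from typing import Dict, List, Optional, Tuple

MAX_IP_DATAGRAM = 65535   # RFC 791: the total-length field is 16 bits
IP_HEADER_LEN = 20        # IP header without options (assumed for the example)
ICMP_HEADER_LEN = 8       # type, code, checksum, identifier, sequence
MAX_ICMP_PAYLOAD = MAX_IP_DATAGRAM - IP_HEADER_LEN - ICMP_HEADER_LEN   # 65507
FRAG_UNIT = 8             # the fragment offset field counts 8-octet blocks

# (offset in 8-octet units, more-fragments flag, data) stands in for a fragment's IP header fields
Fragment = Tuple[int, bool, bytes]


def fragment(payload: bytes, mtu: int) -> List[Fragment]:
    """Split one IP payload into fragments the way a well-behaved sending stack does."""
    if IP_HEADER_LEN + len(payload) > MAX_IP_DATAGRAM:
        raise ValueError("payload does not fit in a single IP datagram")
    # every fragment carries its own IP header; all but the last carry a multiple of 8 octets
    chunk = (mtu - IP_HEADER_LEN) // FRAG_UNIT * FRAG_UNIT
    frags: List[Fragment] = []
    for start in range(0, len(payload), chunk):
        data = payload[start:start + chunk]
        more = start + chunk < len(payload)
        frags.append((start // FRAG_UNIT, more, data))
    return frags


def reassemble(frags: List[Fragment]) -> bytes:
    """Reassemble fragments, refusing any piece that would grow the datagram past 65,535 octets."""
    pieces: Dict[int, bytes] = {}
    total: Optional[int] = None
    for off_units, more, data in frags:
        start = off_units * FRAG_UNIT
        end = start + len(data)
        # the Ping of Death check: the reassembled datagram must stay within the RFC 791 limit
        if IP_HEADER_LEN + end > MAX_IP_DATAGRAM:
            raise ValueError(f"fragment would end at octet {end}, beyond the maximum datagram size")
        pieces[start] = data
        if not more:
            total = end                        # the last fragment fixes the datagram length
    if total is None:
        raise ValueError("final fragment (more-fragments = 0) never arrived")
    out = bytearray()
    for start in sorted(pieces):               # fragments may arrive in any order
        if start != len(out):
            raise ValueError("hole or overlap in fragment set, cannot reassemble")
        out += pieces[start]
    if len(out) != total:
        raise ValueError("data extends past the final fragment")
    return bytes(out)


if __name__ == "__main__":
    # constructed sample: the largest ICMP message that fits, fragmented for a 1500-octet MTU
    message = (bytes(range(256)) * 256)[:ICMP_HEADER_LEN + MAX_ICMP_PAYLOAD]
    pieces = fragment(message, 1500)
    print(f"{len(message)} octets -> {len(pieces)} fragments, reassembled ok:",
          reassemble(pieces) == message)
```

Only the receiving side matters for defence: a stack that validates `offset * 8 + length` against the maximum before copying data into its reassembly buffer cannot be made to overrun that buffer, whatever the sender puts in the offset field.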

Conclusions from the ping program

As with every tool we have covered, we should be able to draw conclusions from its results. We now have a method for checking whether our computer sees external IP addresses, and we know exactly what that check tells us, so we can begin to formulate the appropriate conclusions. One of them suggests itself: if we can send an ICMP echo and receive a reply from any computer on our own network, and the same succeeds when we ping the network gateway, yet we still cannot go out and browse the web, then the fault lies with one of the routers between us and the target server, or with the target server itself.

We can also move quickly to a second application. It can happen that ping and traceroute work when we use numeric addresses but fail when we use symbolic names. That is a signal that something is wrong with the DNS servers. Perhaps the DNS server address obtained from the DHCP server was incorrect, or the DNS server itself has broken down. In my opinion this situation is usually not possible, though, because we normally have two DNS servers configured, a primary and a backup, and sometimes more.

Tracing the route of packets in the network

Sometimes we need to trace the route that packets take and see how the hops are carried out in our network. To trace the full path over which our packets are sent we usually use tracert on Windows or traceroute on Linux. As the name suggests, the program is used primarily to trace routing. So how does traceroute really work?

As with ping, traceroute relies on one of the many mechanisms of IP. This mechanism limits how long a packet can be processed in the network, and it is based on a field called TTL (Time To Live) in the IP packet header. The algorithm involves every router in the network: each is required to reduce the TTL by the time it took to process the packet, and by at least 1 if that time cannot be measured, and a packet whose TTL reaches 0 is simply discarded. This is one way we avoid packets being processed forever, which can happen if an administrator configures a routing loop. It also prevents packets being held at routers indefinitely, so a router can deal with packets which, for some reason, cannot be delivered to their destination.

In fact, this whole circus of discovering the routing path consists of sending a series of packets addressed to the destination host, with the TTL of the first packet set so low that it reaches 0 at the very first router. The router closest to us discards that packet and sends an ICMP message back to the sender reporting the fact. In this way traceroute learns about the first router on the packet's path. Each subsequent packet is sent with the TTL increased by 1; it is discarded by the next router along the way, which again sends an ICMP message reporting what happened. So the sending computer is kept informed all the time about what is really going on and can identify the routing path completely. Each router that discards a packet always provides two pieces of information: its own IP address, and the fact that the next router is still unreachable at that TTL.

Of course, traceroute has its drawbacks. For the network to function properly and for every point in it to be reachable, routers in reality use a mechanism called dynamic route assignment. The consequence is that traceroute cannot be fully trusted: since each probe may be forwarded along a different route, the path it reports may be one that no packet actually followed, so you can end up with something that does not really exist.
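The TTL mechanism from the two paragraphs above and the dynamic-routing caveat, as an added example that is not part of the original article. It models a constructed topology in which each router decrements the TTL, discards a packet whose TTL reaches 0 and reports its own address (in reality an ICMP Time Exceeded message), and the destination answers the probe that reaches it. `traceroute` sends probes with TTL 1, 2, 3, ... and records who answered. With the router at hop 1 alternating between two next hops, the reported path mixes addresses from two different routes, so the path it prints was never traversed by any single packet. The addresses are constructed for the example, and the function also returns which routers each probe really passed through so the two can be compared; a routing loop never costs more than `max_hops` probes.

```python
from typing import List, Optional, Tuple

MAX_HOPS = 30   # the usual default hop limit of traceroute / tracert


class Node:
    """A router (has next hops) or a destination host (no next hops) in the constructed topology."""

    def __init__(self, addr: str, next_hops: Optional[List["Node"]] = None):
        self.addr = addr
        self.next_hops = next_hops or []
        self.turn = 0   # round-robin over next_hops stands in for dynamic route changes

    def receive(self, pkt: dict) -> Tuple[str, str]:
        pkt["via"].append(self.addr)            # bookkeeping only: the real path this packet took
        if not self.next_hops:
            return ("destination", self.addr)   # the target host answers the probe itself
        pkt["ttl"] -= 1                         # every router decrements TTL by at least 1
        if pkt["ttl"] == 0:
            # TTL expired here: discard and tell the sender (ICMP Time Exceeded, type 11)
            return ("time_exceeded", self.addr)
        nxt = self.next_hops[self.turn % len(self.next_hops)]
        self.turn += 1
        return nxt.receive(pkt)


def traceroute(first_hop: Node, max_hops: int = MAX_HOPS) -> Tuple[List[str], List[List[str]]]:
    """Probe with TTL 1, 2, 3, ... ; return the reported path and the real route of each probe."""
    reported: List[str] = []
    actual: List[List[str]] = []
    for ttl in range(1, max_hops + 1):
        pkt = {"ttl": ttl, "via": []}
        kind, addr = first_hop.receive(pkt)
        reported.append(addr)
        actual.append(pkt["via"])
        if kind == "destination":
            break
    return reported, actual


def build_topology(dynamic: bool) -> Node:
    """Constructed network: 10.0.0.1 -> {10.0.2.1 -> 10.0.3.1, 10.0.2.2 -> 10.0.3.2} -> 192.0.2.10."""
    dst = Node("192.0.2.10")
    r3a, r3b = Node("10.0.3.1", [dst]), Node("10.0.3.2", [dst])
    r2a, r2b = Node("10.0.2.1", [r3a]), Node("10.0.2.2", [r3b])
    return Node("10.0.0.1", [r2a, r2b] if dynamic else [r2a])


if __name__ == "__main__":
    for dynamic in (False, True):
        reported, actual = traceroute(build_topology(dynamic))
        print("dynamic routing:", dynamic)
        for hop, (addr, route) in enumerate(zip(reported, actual), start=1):
            print(f"  {hop:2d}  {addr:<12} (probe really went via {' -> '.join(route)})")
```

In the dynamic case hop 2 is reported as 10.0.2.1 and hop 3 as 10.0.3.2, yet there is no link between those two routers; the third probe went through 10.0.2.2. That is exactly why a traceroute listing should be read as "one router that exists at each distance", not as a guaranteed end-to-end path.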


Overall, this ends our discussion of the operation and testing of the lower layers of TCP/IP with tools that are available to everyone and installed in every possible operating system. In my opinion the subject is simple and does not require tremendous skill from anyone. However, to finish this article I would like to list the programs and services that use the standard TCP/IP stack.

Utilities for the network protocols associated with the TCP/IP stack include, but are not limited to:

• FTP – File Transfer Protocol client
• TFTP – Trivial File Transfer Protocol client
• Telnet – a terminal emulator program
• RCP – remote copy protocol client
• rsh – remote shell
• REXEC – a program that starts a process on a remote computer
• Finger – client for the finger service

The main network utilities we discussed, and the TCP/IP protocols they use, include:

• Ping – a program that tests IP connectivity using ICMP
• ARP – a program that displays and modifies the mapping of IP addresses to physical addresses
• ifconfig – a program that displays, and lets you set or renew, the current configuration of the network interfaces and their protocols
• netstat – a program that displays statistics and connections for TCP, UDP and IP
• Route – displays and lets you modify the local routing table

And so we have come to the end of the article. I hope that once again it is something you will find pleasing, and a job well done. In mathematically finite time, I promise, we will return to the topic of network device configuration, in our case routers, and every possible configuration and protocol by which routers and packet routing in the network can be set up. Greetings from Poland.


Adrian Stolarski is a freelance security tech blogger, specializing in Java, PHP, and JQuery. In his own words, he does the hard work of training the unemployed. Currently, he handles Evaluation Visualization for real-time systems with XWT and Eclipse RAP. If he sees that something works, he asks how it works and why it works, then sets out to make it work better. A researcher for InfoSec Institute, he currently lives in Poland, but plans to move to London.