
Computer Network Diagnostics Part 2

November 8, 2012 by Adrian Stolarski

For part 1 of this series, please click here.

Troubleshooting a computer network is a very broad topic. In the first part of the series you learned how a computer joins a network and what is needed to reach the Web. You learned how DHCP works and used it to configure network adapters on Linux. In this article we will look at ARP and at DNS name resolution. Along the way I will show an example of how a name is translated to an address using the DNS protocol. Everyone on board? Then let's start!

How do we get out to the wonderful world of thousands of websites?

What do we have so far? We have a workstation that knows its own address, the network mask, the address of its Internet gateway, the DHCP server and the DNS servers. Now fire up your web browser, enter the address of a page, press Enter, and a request is sent to the selected server; after a while our favorite website loads.

Now, let's stop for a moment! Does the workstation actually know the logical address of the server on which the website is hosted? How is the URL translated into that logical address? To do this, our workstation must use a name resolution service. This service returns the numeric address, the IP address, for the name we typed. For this purpose it contacts the DNS (Domain Name Server).

The point is that the DNS server we typically use is located outside our local network. This means that the network frame which carries the IP packet, which in turn contains the UDP datagram with our query, has to go out of our network. It sounds simple, right? To new users it probably seems terrible, but it is not. Read this article and you will understand everything!

Above, speaking of the frame, we used the word "goes", but that is easy to say and tells nobody how it really works. So how does it work? Your computer knows only the IP address of your Internet gateway; it does not know the gateway's physical address. The data link layer, however, addresses frames by physical address, so the gateway must be addressed at its physical address. Your computer therefore needs a protocol that lets it ask for the physical address of any computer whose logical address it knows. That protocol is the Address Resolution Protocol, or ARP.

The request for a computer's hardware address is called an ARP request. The answer to that question is called an ARP reply. The hardware address is then stored in your computer's ARP cache, because there is no point in asking for the physical address of the same computer every time you want to communicate with it. Note one more thing: when we query the network with ARP, two new frames appear on the network, the request and the reply. On Linux, to see the ARP table, we use the command "arp". The following is the help output of the arp command on Linux:

root [~] # arp --help
  arp [-vn]  [<HW>] [-i <if>] [-a] [<hostname>]             <-Display ARP cache
  arp [-v]          [-i <if>] -d  <host> [pub]               <-Delete ARP entry
  arp [-vnD] [<HW>] [-i <if>] -f  [<filename>]            <-Add entry from file
  arp [-v]   [<HW>] [-i <if>] -s  <host> <hwaddr> [temp]            <-Add entry
  arp [-v]   [<HW>] [-i <if>] -Ds <host> <if> [netmask <nm>] pub          <-''-

        -a                       display (all) hosts in alternative (BSD) style
        -s, --set                set a new ARP entry
        -d, --delete             delete a specified entry
        -v, --verbose            be verbose
        -n, --numeric            do not resolve names
        -i, --device             specify network interface (e.g. eth0)
        -D, --use-device         read <hwaddr> from given device
        -A, -p, --protocol       specify protocol family
        -f, --file               read new entries from file or from /etc/ethers

  <HW>=Use '-H <hw>' to specify hardware address type. Default: ether
  List of possible hardware types (which support ARP):
    strip (Metricom Starmode IP) ether (Ethernet) tr (16/4 Mbps Token Ring)
    tr (16/4 Mbps Token Ring (New)) ax25 (AMPR AX.25) netrom (AMPR NET/ROM)
    arcnet (ARCnet) dlci (Frame Relay DLCI) irda (IrLAP) x25 (generic X.25)
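To make the ARP request and reply described above concrete, here is an added example (not code from the original article) that builds the ARP request a host sends for its gateway's hardware address, parses the reply, and stores the result in a cache the way the kernel's ARP table does. The MAC and IP addresses are constructed sample values; the field layout follows RFC 826 for Ethernet/IPv4.

```python
import struct

# Added example, not from the original article: the ARP request a host sends to learn
# its gateway's MAC address, and the parsing of the ARP reply (RFC 826 field layout).
ARP_FMT = "!HHBBH6s4s6s4s"          # htype, ptype, hlen, plen, op, smac, sip, tmac, tip
OP_REQUEST, OP_REPLY = 1, 2

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))

def build_arp_request(sender_mac, sender_ip, target_ip):
    """'Who has target_ip? Tell sender_ip'. The target MAC is unknown, so it is
    zeroed; the Ethernet frame carrying this is sent to ff:ff:ff:ff:ff:ff."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, OP_REQUEST,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       b"\x00" * 6, ip_bytes(target_ip))

def parse_arp(packet):
    """Decode the 28-byte ARP payload; reject anything that is not Ethernet/IPv4."""
    if len(packet) < 28:
        raise ValueError("ARP packet too short")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, packet[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op,
            "sender_mac": ":".join("%02x" % b for b in smac),
            "sender_ip": ".".join(str(b) for b in sip),
            "target_mac": ":".join("%02x" % b for b in tmac),
            "target_ip": ".".join(str(b) for b in tip)}

def learn_gateway_mac(gateway_ip, reply, cache):
    """Store the gateway's MAC in the ARP cache, but only from a reply whose
    sender IP is the address we asked about (unsolicited replies are ignored)."""
    info = parse_arp(reply)
    if info["op"] != OP_REPLY or info["sender_ip"] != gateway_ip:
        return None
    cache[gateway_ip] = info["sender_mac"]
    return info["sender_mac"]

# Constructed sample: host 192.168.1.10 asks for the gateway 192.168.1.1 ...
REQUEST = build_arp_request("00:11:22:33:44:55", "192.168.1.10", "192.168.1.1")
# ... and the gateway (MAC aa:bb:cc:dd:ee:ff) answers with an ARP reply.
REPLY = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, OP_REPLY,
                    mac_bytes("aa:bb:cc:dd:ee:ff"), ip_bytes("192.168.1.1"),
                    mac_bytes("00:11:22:33:44:55"), ip_bytes("192.168.1.10"))
```

The two packets are exactly the two frames the paragraph above mentions; what the `arp` command prints is the contents of the dictionary that learn_gateway_mac fills.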

Quick return to the DNS

Now let's return to the DNS server. If the server is on your local network, then before any computer can connect to it and start name resolution, it must ask for the physical address of the DNS server. We, however, assume that our DNS server is outside our network. What happens to the query then, and what does it look like? In this case our router receives a frame addressed to its own physical address, which carries an IP packet whose destination is the logical address of the DNS server outside our network. The router is a device operating at the third layer of the ISO/OSI model, which is why it can inspect the header of any IP packet.

Next, the router checks whether the packet is actually addressed to itself. If it is not, the router consults its routing table, finds where the destination lies and which interface the packet should be forwarded through. The packet is then repackaged into a frame appropriate for that interface, which is not necessarily the same type of network as ours; the data link protocols between networks may differ. Once this is done, the packet is sent on its way and we wait for a response.

Sometimes the router has the additional task of handling NAT and PAT. Then our router also modifies the source address of the packet. The router can also act as a screening router. It is then part of our firewall and must also check whether the firewall administrator has forbidden sending packets to the given address, or accepting packets that arrive from a given machine.

In theory it looks really complicated, but all these operations take only a few milliseconds. In fact, sending anything anywhere in the world is nothing but sending the packet to the address found in the routing table. This is usually the address of the next router, the next hop. To send a packet to a given logical address, the frame that carries the packet must bear the physical address of that next hop. And keep in mind that if it is the first packet in a while, or the first packet at all, the physical address of the next hop is not yet known and has to be obtained by ARP. I have just described one of the scenarios we can meet.

What happens to our query? If all goes well, the query, passed from one router to the next, finally reaches our DNS server. The DNS server then checks whether it already knows the address. It may be that the server we asked is responsible for the domain in question. It may also be that someone else recently asked the server for the same name and the server still has the answer in its cache. If it does not know the address, it sends a request to the server of the domain in which the name is located. Sometimes the DNS server has to start all the way from the top and ask the servers of the top-level domains such as .com or .edu.

You will not need to go into the details of the communication between DNS servers. It is enough for us that after a while our computer receives a response which maps the symbolic name to the IP address of the server on which the site is hosted. We can of course query the DNS server manually. For this purpose we use the nslookup program. nslookup is used, among other things, to check DNS settings. It can operate in two modes, interactive and non-interactive. nslookup is one of the most useful tools of a systems administrator.
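The name-to-address translation the DNS section describes, shown as an added example (not code from the original article): the UDP query a resolver sends for an A record, and the parsing of the server's reply, including the name compression pointers that real responses use (RFC 1035). The response bytes, the transaction id and the address 192.0.2.10 are constructed sample values.

```python
import struct

# Added example, not from the original article: the DNS query a resolver sends over
# UDP and the parsing of the reply, including name compression (RFC 1035).
def encode_name(name):
    """'www.example.com' -> length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, txid=0x1234):
    """Standard query, recursion desired, one question for an A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # id, flags, QD, AN, NS, AR
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def read_name(msg, off):
    """Decode a name at off, following compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # 2-byte pointer to an earlier name
            end = end or off + 2                     # the record continues after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end or off)
        labels.append(msg[off:off + length].decode())
        off += length

def parse_a_records(msg, txid):
    """Return the IPv4 addresses answered for our query; raise if it is not our answer."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")   # stale or forged answer
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                       # skip the echoed question section
        _, off = read_name(msg, off); off += 4
    addrs = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

# Constructed reply: same id, QR+RD+RA flags, question echoed, one A record (TTL 300)
# whose owner name is a pointer (0xC00C) back to the question name at offset 12.
QUERY = build_query("www.example.com")
RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
            + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
```

Sending QUERY to port 53 of the configured DNS server with a UDP socket and feeding the received datagram to parse_a_records is exactly what the resolver does when you press Enter in the browser.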

What else you should know about this?

With that I have covered the fundamentals of communication in the lowest layers of the network. Under normal conditions, most production networks run at least two DNS servers, a primary and a secondary. The setup is simple and does not require much explanation. The situation is completely different with DHCP. In most networks just one DHCP server is placed. However, every client machine must have a DHCP client installed and configured. This is not too difficult either.

Two services are essential for the proper operation of a network configuration. Usually, if you see the familiar exclamation icon on your Internet connection, you are dealing with misconfigured DNS or DHCP. If the browser shows a web page when you enter its logical address (the IP) but not when you enter its domain name, then we are most likely dealing with a poorly configured DNS server. If the network should assign IP addresses dynamically but you have to enter the IP address statically, something is wrong with the DHCP server settings. And if the other machines on our network are fine and only one computer has problems, we are dealing with a poorly configured routing table on that computer.

As you can see, if you know how something works and what the main assumptions are, you can diagnose almost all the problems that arise in computer networks.

Today you learned how data is exchanged between hosts on the network. You also learned how DNS and DHCP servers actually work, and you should now know what ARP and the routing table are. The knowledge you are slowly acquiring, which will one day make you professional Linux administrators, means you should now be able to understand the basic setup of primary and backup DNS and DHCP servers. This knowledge will surely be useful to you in the future.

This article may not be about what you wanted. Maybe it is not as exciting as hacking computer networks. But it has one major advantage. I personally believe that in order to break the security of a computer network, you really need to know what it is you want to break. Beyond that, it is very useful to know how something works and how it is done, because even the smallest piece of information about how to set something up, and what to check when it does not work, is valuable.

As I mentioned above, most problems with computer networks, and with legal or illegal connections to them, come from a lack of knowledge about how the services work. In that case even the best tutorials on hacking into computer networks will not help. If you do not know the theoretical basis of the services or network elements, even the best-written tutorial about security breaches in computer networks will not help you understand the core issues. Besides, how can you explain a problem to your administrator if you do not know how something really works?

The next article in this series will describe how the HTTP and HTTPS protocols work, and we will learn a few more very important diagnostic tools built into every operating system. Really, if you understood this article, you have learned a lot. Take care, and I wish you a nice day!


Adrian Stolarski is a freelance security tech blogger, specializing in Java, PHP, and JQuery. In his own words, he does the hard work of training the unemployed. Currently, he handles Evaluation Visualization for real-time systems with XWT and Eclipse RAP. If he sees that something works, he asks how it works and why it works, then sets out to make it work better. A researcher for InfoSec Institute, he currently lives in Poland, but plans to move to London.