
Experiment III: UDP and TCP Based Network Programming Applications

Ahmet Sekercioglu and Leon Seng

Objectives

In this lab, we will learn how some popular UDP and TCP based applications work, and also refresh our knowledge about TCP operations.

Experiment: UDP applications

Domain Name Service (DNS)

IPv4

Open up Wireshark and set the capture filter to port 53. Then, open up a terminal and perform a DNS lookup for www.monash.edu:
   nslookup www.monash.edu

Back on Wireshark, observe the DNS query and response:

  1. What record type did we ask for in the query?

  2. What is the record type returned in the DNS response?

You will notice a CNAME being returned in the response. CNAME is a type of DNS record used for chaining DNS requests until an A record (containing an IP address) is returned. In our example, www.monash.edu was resolved to the CNAME monash.squizedge.net, which then gets resolved to an A record containing the IP address.

IPv6

Find out what record type we should query for if we want the IPv6 address of a domain.

Once you know the IPv6 record type, try to resolve the IPv6 address of www.monash.edu using the following command (nslookup expects the -type option before the host name):
   nslookup -type=<IPv6 record type> www.monash.edu

Is Monash's home page ready for IPv6?

Network Time Protocol (NTP)

First, download the Python module ntplib (original is here). Write a Python script that uses the ntplib.NTPClient class to request the current time from one or more NTP servers. You may use any public NTP servers that you can find online.

Once you have the script, run Wireshark and configure it to capture NTP packets on the NTP port number 123. Next, run the script you have written. You should see an NTP request and the corresponding response in Wireshark.

Now, create a new function for NTPClient based on NTPClient.request() to send out 1000 NTP requests without waiting for any response. Reset your Wireshark captures and run the script again. You should notice a discrepancy in the number of NTP packets sent vs received. Can you explain the observation? Why would we still want to use UDP?
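The two steps above (a normal request/response exchange, then requests sent without waiting), as an added example that is not part of the lab handout. It deliberately builds the 48-byte NTP packet with raw sockets instead of ntplib, so you can match each field to what Wireshark decodes; the server name pool.ntp.org and the constructed sample response are assumptions.

```python
import socket
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)

def build_request() -> bytes:
    """48-byte client packet: first byte packs LI=0, VN=3, Mode=3 (client); the rest is zero."""
    return b"\x1b" + bytes(47)

def parse_response(data: bytes) -> dict:
    """Decode version, mode, stratum and the server's transmit timestamp (bytes 40..47)."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    first, stratum = data[0], data[1]
    tx_secs, tx_frac = struct.unpack("!II", data[40:48])  # 32.32 fixed point since 1900
    return {
        "version": (first >> 3) & 0x07,
        "mode": first & 0x07,  # 4 = server reply
        "stratum": stratum,
        "tx_time": tx_secs - NTP_EPOCH_OFFSET + tx_frac / 2**32,  # Unix time as float
    }

def request(server: str, timeout: float = 2.0) -> dict:
    """One request followed by one reply, the same exchange NTPClient.request() performs."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(), (server, 123))
        data, _ = s.recvfrom(48)
    return parse_response(data)

def send_without_waiting(server: str, count: int = 1000) -> int:
    """Hand `count` datagrams to the kernel without ever calling recvfrom().
    UDP offers no delivery or reply guarantee, so the capture will show fewer
    replies than requests once the server or network starts dropping them."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for _ in range(count):
            s.sendto(build_request(), (server, 123))
            sent += 1
    return sent

# Constructed sample reply: LI=0, VN=3, Mode=4, stratum 2, transmit time 1700000000.5 (Unix)
SAMPLE_RESPONSE = b"\x1c\x02\x00\x00" + bytes(36) + struct.pack("!II", 3908988800, 0x80000000)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))
    print(request("pool.ntp.org"))  # assumption: network access to a public pool server
```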

Don't forget to show the running script to your lab demonstrator.

Experiment: TCP Applications

HyperText Transfer Protocol (HTTP)

In this section, we will be learning about HTTP flows. Write a Python script to perform a GET request to http://httpbin.org. You can consult this page for an example. Set up your Wireshark to listen for port 80, and then run your script.

Look at the packets before the HTTP GET is performed and answer the following questions:

  1. Which packets constitute the TCP handshake?

  2. Explain what you can see in the sequence and acknowledgement numbers.

  3. Identify a piece of information in the packets that is pertinent to TCP's flow control mechanism. Explain the purpose of this information.

In the HTTP GET request and the 200 OK response, you will be able to look into the contents of the packets. Can you identify a serious issue posed by this behaviour for many of the websites and web applications today? Hint: What information do you have to provide when logging into a website?

HTTPS (secure) was introduced to address some of these security flaws. Update your script to perform a GET request to https://httpbin.org, noting the change in protocol type from http to https. Next, configure Wireshark to listen on port 443, then run your script.

You should no longer see the HTTP GET request immediately after the TCP handshake. Instead, you should see an application-level handshake occurring between the client (your Python script) and the server (httpbin.org). HTTPS uses TLS to secure the channel. Part of the handshake is agreeing on the encryption details. Can you identify:

  1. encryption version (TLS version) that the client supports, and

  2. cipher suites that the client supports, and

  3. encryption version (TLS version) that was agreed upon, and

  4. cipher suite that was agreed upon

Once the TLS handshake has been completed, your client should now begin transmitting data (in this case the HTTP GET requests). Are you able to find that message in the packet capture?

This experiment shows that HTTPS data is encrypted and safe from prying eyes, as long as the TLS handshake was indeed performed against the legitimate server. Hence, it is always important to make sure the websites you are browsing to have valid SSL/TLS certificates. Most modern-day browsers should alert you otherwise.

Despite having the data encrypted, there are still ways for others to find out which websites you are accessing:

  1. Destination IP address - this can be mapped to a particular server or domain name

  2. Server Name Indication in the TLS handshake exposes the domain name. Try identifying the website accessed in the packet capture intarch-lab-03.pcap.
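An added example (not from the lab handout) that decodes the ClientHello fields asked about above: the TLS versions and cipher suites the client offers, and the Server Name Indication that reveals the domain even though the HTTP GET itself is encrypted. The sample ClientHello is constructed inline and is an assumption; on a real capture you would feed the parser the first TLS record bytes Wireshark shows after the TCP handshake.

```python
def _u16(n: int) -> bytes:
    return n.to_bytes(2, "big")

CIPHER_NAMES = {0x1301: "TLS_AES_128_GCM_SHA256", 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
TLS_VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

# Constructed sample: a ClientHello offering two suites, SNI "httpbin.org", supported_versions 1.3 and 1.2
_SNI = b"httpbin.org"
_sni_ext = _u16(0) + _u16(5 + len(_SNI)) + _u16(3 + len(_SNI)) + b"\x00" + _u16(len(_SNI)) + _SNI
_ver_ext = _u16(43) + _u16(5) + b"\x04\x03\x04\x03\x03"
_body = (b"\x03\x03" + bytes(32) + b"\x00" + _u16(4) + b"\x13\x01\xc0\x2f" + b"\x01\x00"
         + _u16(len(_sni_ext + _ver_ext)) + _sni_ext + _ver_ext)
SAMPLE_CLIENT_HELLO = (b"\x16\x03\x01" + _u16(4 + len(_body))          # record: handshake, legacy version
                       + b"\x01" + len(_body).to_bytes(3, "big") + _body)  # handshake type 1 = ClientHello

def parse_client_hello(rec: bytes) -> dict:
    """Walk the fixed-order ClientHello fields, then the extension list, and return what Wireshark shows."""
    if len(rec) < 9 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9                                     # skip 5-byte record header + 4-byte handshake header
    info = {"version": int.from_bytes(rec[p:p + 2], "big"), "sni": None, "supported_versions": []}
    p += 2 + 32                               # legacy client version, then 32-byte client random
    p += 1 + rec[p]                           # session id (length-prefixed)
    n = int.from_bytes(rec[p:p + 2], "big"); p += 2
    info["cipher_suites"] = [int.from_bytes(rec[i:i + 2], "big") for i in range(p, p + n, 2)]
    p += n
    p += 1 + rec[p]                           # compression methods (length-prefixed)
    if p + 2 > len(rec):
        return info                           # legacy client without extensions: no SNI on the wire
    ext_end = p + 2 + int.from_bytes(rec[p:p + 2], "big"); p += 2
    while p + 4 <= ext_end:
        etype = int.from_bytes(rec[p:p + 2], "big")
        elen = int.from_bytes(rec[p + 2:p + 4], "big")
        data = rec[p + 4:p + 4 + elen]; p += 4 + elen
        if etype == 0 and len(data) >= 5 and data[2] == 0:        # server_name, name_type host_name
            name_len = int.from_bytes(data[3:5], "big")
            info["sni"] = data[5:5 + name_len].decode("ascii", "replace")
        elif etype == 43 and data:                                # supported_versions (TLS 1.3 clients)
            info["supported_versions"] = [int.from_bytes(data[i:i + 2], "big")
                                          for i in range(1, 1 + data[0], 2)]
    return info

if __name__ == "__main__":
    h = parse_client_hello(SAMPLE_CLIENT_HELLO)
    print("SNI (sent in clear):", h["sni"])
    print("offered suites:", [CIPHER_NAMES.get(c, hex(c)) for c in h["cipher_suites"]])
    print("offered versions:", [TLS_VERSION_NAMES.get(v, hex(v)) for v in h["supported_versions"]])
```

Only the client's offers are visible here; the version and suite actually agreed upon come from the ServerHello that follows.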

Your Report

After finishing your experiments, you will need to prepare a short (maximum two pages, 10 pt Times-Roman font) report summarizing the key points you have learned in this exercise.

Please convert your report to PDF (no other formats will be accepted), zip your report with all the Python code you have written for the experiment, and upload all as a single zip file to the unit's Moodle site before the due date (we will post the deadlines at the unit's Moodle site).
