06 - Cisco Foundations - How Applications Speak - TCP and UDP.txt


  • 8/13/2019 06 - Cisco Foundations - How Applications Speak - TCP and UDP.txt

    1/56

1
00:00:00,696 --> 00:00:03,616
>> While we are nearing the end of our Cisco Foundations

2
00:00:03,616 --> 00:00:09,426
or more specifically network foundations, as in how devices communicate on the network today.

3
00:00:10,036 --> 00:00:13,516
At this point, I'm going to say we are good at layer two.

4
00:00:13,736 --> 00:00:15,186
We understand the data link layer.

5
00:00:15,186 --> 00:00:18,726
We understand MAC addresses, physical addresses burned into the network cards

6
00:00:18,726 --> 00:00:22,806
of the different devices and how that interacts with layer three, the IP layer,

7
00:00:22,806 --> 00:00:28,106
and IP addressing basics, fundamentals and communication, how the ARP protocol resolves,

8
00:00:28,106 --> 00:00:31,396
I mean all of that stuff we've talked about in the previous nuggets.

9
00:00:31,396 --> 00:00:33,086
So, now I'm going to move up to layer four.

10
00:00:33,896 --> 00:00:41,716
TCP and UDP, the last really network relevant layer that we're going to focus on in here.

11
00:00:41,716 --> 00:00:46,106
We're going to see where these two fit into this puzzle of network communication and it's going

12
00:00:46,106 --> 00:00:47,806
to bring up a whole bunch of port numbers.

13
00:00:47,806 --> 00:00:49,966
So, I'll give you some common ones that you'll want to know,

14
00:00:49,966 --> 00:00:54,136
not only for certification purposes if that's your direction, but also,

15
00:00:54,136 --> 00:00:56,786
I mean you use this all the time in the real world.

16
00:00:57,256 --> 00:01:01,346
And then, we'll complete the end-to-end communication story where we started looking at,

17
00:01:01,496 --> 00:01:05,016
you know, from this host to this host, what are all the factors that go

18
00:01:05,016 --> 00:01:09,146
in to making packets transmit successfully across the wire.

19
00:01:10,506 --> 00:01:14,276
Oh, my goodness, I totally forgot to mention that we're going to start learning

20
00:01:14,276 --> 00:01:17,926
about Wireshark in this nugget which-- it's awesome!

21
00:01:17,956 --> 00:01:21,206
You're going to really see a lot.

22
00:01:21,206 --> 00:01:22,826
That's what this little icon is right here.

23
00:01:22,826 --> 00:01:25,786
I know some of you might have heard of it before and go, "Oh, no.

24
00:01:25,816 --> 00:01:30,986
Really?" This tool is amazing for helping you not only troubleshoot networking,

25
00:01:31,576 --> 00:01:35,186
network issues, but to learn networking.

26
00:01:35,186 --> 00:01:38,246
I mean when you look at it, initially it's overwhelming.

27
00:01:38,246 --> 00:01:39,406
There's no doubt about it.

28
00:01:39,666 --> 00:01:42,286
But when you see just the basics of how to use it,

29
00:01:42,286 --> 00:01:45,876
it's like okay, I think I can really get this.

30
00:01:45,876 --> 00:01:50,406
As a matter of fact, Wireshark has always, you know, it's always been one

31
00:01:50,406 --> 00:01:52,786
of the tools I've had but I rarely use that.

32
00:01:52,786 --> 00:01:56,716
I mean, Wireshark was like, okay, everything is down, last resort,

33
00:01:56,716 --> 00:01:58,476
what's going on, let's get out Wireshark.

34
00:01:58,756 --> 00:01:59,576
And then I got a book.

35
00:01:59,576 --> 00:02:01,196
I'm-- I've got it in my bookshelf right here.

36
00:02:01,196 --> 00:02:02,426
Pull it off.

37
00:02:02,426 --> 00:02:05,356
It's "Wireshark Network Analysis" by Laura Chappell.

38
00:02:05,416 --> 00:02:08,276
It's a big, big fat book.

39
00:02:08,276 --> 00:02:10,876
And just this-- it's a free utility.


65
00:03:43,356 --> 00:03:45,516
which traffic goes to which application.

66
00:03:45,886 --> 00:03:48,926
Now, there are a lot of transport protocols.

67
00:03:48,996 --> 00:03:53,826
Again, I'll remind you, the OSI model is a standard of standards.

68
00:03:54,116 --> 00:03:58,056
The transport layer is just a shell but inside of there, there's all kinds of standards

69
00:03:58,056 --> 00:04:04,066
like TCP is one of them, UDP is another, ICMP is yet another,

70
00:04:04,066 --> 00:04:07,866
ESP that's used for VPN connections, and things like that.

71
00:04:07,866 --> 00:04:12,836
Even-- you'll start seeing protocols like OSPF and EIGRP, I mean all these--

72
00:04:12,836 --> 00:04:17,326
all of these kind of squeeze right into that green box known as the transport layer.

73
00:04:17,676 --> 00:04:24,596
But when we're talking about programs, talking across the network, they primarily use one

74
00:04:24,596 --> 00:04:28,836
of two protocols, UDP, that's our unreliable version.

75
00:04:28,886 --> 00:04:35,136
It's saying, "I hope it gets there," or TCP, that's the "I know it got there."

76
00:04:35,136 --> 00:04:36,996
That's the reliable version of this.

77
00:04:37,316 --> 00:04:39,606
So UDP is the User Datagram Protocol.

78
00:04:39,606 --> 00:04:41,696
TCP, Transmission Control Protocol.

79
00:04:41,696 --> 00:04:42,696
That's what they stand for.

80
00:04:42,936 --> 00:04:45,986
And that they combine together with, you know, the subprotocols below,

81
00:04:45,986 --> 00:04:51,546
that's why TCP/IP got its name is it's not really that's the protocol,

82
00:04:51,546 --> 00:04:52,706
it's the suite of protocols.

83
00:04:52,926 --> 00:04:57,826
The most common being TCP and IP combined together to make network communication happen.

84
00:04:57,966 --> 00:05:01,596
So, first off, let's get into UDP.

85
00:05:01,596 --> 00:05:05,716
And I talked one more time about the OSI model, I got it in a little, little bit of this like,

86
00:05:05,716 --> 00:05:09,486
why would you want to send something unreliable like, "I hope it gets there"?

87
00:05:10,216 --> 00:05:14,416
Well, the first thing to understand is that there is a cost to reliability.

88
00:05:15,046 --> 00:05:20,256
In order to say, "I know it got there," there's a lot of setup that takes place.

89
00:05:20,616 --> 00:05:23,976
The first thing that happens is something known as the 3 way handshake,

90
00:05:24,126 --> 00:05:28,596
and I'll explain that in just a moment, but essentially the two devices

91
00:05:28,596 --> 00:05:32,126
that are talking together have to establish a session between each other,

92
00:05:32,126 --> 00:05:34,406
make sure that, "Okay, we agree to talk, okay.

93
00:05:34,406 --> 00:05:34,886
That's good."

94
00:05:34,886 --> 00:05:39,346
Okay. That's a little time right there and a little time to establish that session.

95
00:05:39,696 --> 00:05:45,876
Then every single packet that gets sent or every stream of communication that gets sent,

96
00:05:45,876 --> 00:05:47,526
I'm going to just write something up here.

97
00:05:48,946 --> 00:05:52,796
It's my reminder.

98
00:05:52,936 --> 00:05:55,996
[Laughs] Every stream of things that gets sent between these things has

99
00:05:55,996 --> 00:05:58,816
to get an acknowledgment back saying, "I got it."

100
00:05:58,946 --> 00:06:05,426
Again, more overhead, more delay where some things just may not need that sort of thing.

101
00:06:05,906 --> 00:06:10,956
I want to give you-- now, I gave you the example back in the OSI model of things

102
00:06:10,956 --> 00:06:15,616
that do not need reliable communications being like voice over IP

103
00:06:16,176 --> 00:06:19,326
where I have an IP phone talking to an IP phone.

104
00:06:19,646 --> 00:06:23,736
You know, there's a stream of data going between the two, if something is dropped, it's gone.

105
00:06:23,736 --> 00:06:27,776
There's no use in retransmitting it at a later time because it's real time traffic.

106
00:06:27,976 --> 00:06:29,816
Same thing with video over IP.

107
00:06:30,036 --> 00:06:36,466
But, there's also some other data applications out there that use UDP as well.

108
00:06:36,666 --> 00:06:41,306
I want to give you one that you use every single day and that is DNS.

109
00:06:43,056 --> 00:06:48,036
DNS, the domain name service, translates names to IP addresses,

110
00:06:48,036 --> 00:06:50,206
because remember in the OSI model, it's not-- we--

111
00:06:50,206 --> 00:06:55,436
at this network layer, we can't squeeze in www.google.com.

112
00:06:55,436 --> 00:06:56,796
It deals with IP, the IP protocol.

113
00:06:57,086 --> 00:07:01,146
So, we have to have some kind of system that takes these friendly names

114
00:07:01,146 --> 00:07:05,756
like I put wireshark.org, I'm going to show that to you in a moment, or cbtnuggets.com

115
00:07:05,756 --> 00:07:08,836
and translates it to what IP address is really there.

116
00:07:09,176 --> 00:07:15,046
DNS, at least the client version of it that we use every day, uses UDP.

117
00:07:15,726 --> 00:07:17,576
So, let's check this out.

118
00:07:17,846 --> 00:07:19,866
I'm going to bring up Wireshark.

119
00:07:20,346 --> 00:07:22,996
Now, I want to give you a little basics of this program.

120
00:07:24,216 --> 00:07:28,476
Wireshark will be flat overwhelming if you just open it up and say,

121
00:07:28,476 --> 00:07:30,396
"Okay, let's see what's happening."

122
00:07:30,396 --> 00:07:33,316
If you've never done this before, I mean people get scared, they back off.

123
00:07:33,316 --> 00:07:35,516
They're like, "Aah, I don't want to use that again."

124
00:07:35,516 --> 00:07:39,906
But, let me give you the basics which will really get you started and I tell you what,

125
00:07:39,906 --> 00:07:44,546
if somebody would have sat down with me in my early days of networking and just said, "Hey,

126
00:07:44,546 --> 00:07:46,756
Jeremy, let's just sit down for a second.

127
00:07:46,756 --> 00:07:50,266
Let me give you a 5-minute tutorial of this tool that will change your life."

128
00:07:50,546 --> 00:07:51,906
You know, I would have been like, "Great, thanks."

129
00:07:52,086 --> 00:07:56,256
You know, just, you know, the fear of it is what held me back for so long.

130
00:07:56,606 --> 00:07:58,776
But, this is Wireshark 1.8.2.

131
00:07:59,096 --> 00:07:59,946
It is free.

132
00:07:59,946 --> 00:08:04,316
You go to wireshark.org and just go to their little download page

133
00:08:04,316 --> 00:08:06,316
and they'll automatically detect your operating system.

134
00:08:06,316 --> 00:08:07,806
You can put it on there, it's good.

135
00:08:07,806 --> 00:08:14,636
So, once you get Wireshark installed, it's just literally a next, next, finish sort of install.

136
00:08:14,816 --> 00:08:16,226
This is what pops up.

137
00:08:16,466 --> 00:08:21,826
Now, the key icon you want to go to is this list available capture interfaces.

138
00:08:21,826 --> 00:08:26,606
And, trust me, this is a massive utility.

139
00:08:27,276 --> 00:08:28,326
There's a lot to it.

140
00:08:28,326 --> 00:08:31,736
I just want to get you the core that will get you started in doing what you need to do.

141
00:08:32,246 --> 00:08:33,256
So, I click on this.

142
00:08:33,336 --> 00:08:36,886
And right here, I can see the interfaces that are on my computer.

143
00:08:37,226 --> 00:08:43,246
Now, I see this Sun which, if you remember I had it when I went to my control panel,

144
00:08:44,196 --> 00:08:46,376
and did my network status, looked at my adapter,

145
00:08:46,376 --> 00:08:53,056
I had this little VirtualBox host-only that's installed by the VirtualBox application.

146
00:08:53,056 --> 00:08:54,416
It's a little virtual machine thing.

147
00:08:54,706 --> 00:08:57,566
It's developed by Oracle, Sun Oracle, they merged.

148
00:08:57,826 --> 00:09:01,506
And so, that's what this little adapter is and I can look, that's why I always go to this view.

149
00:09:01,506 --> 00:09:06,506
I'm like, "Okay, not much happening there" 'cause if I'm looking here trying to start,

150
00:09:06,506 --> 00:09:10,396
you know, pick one, you can start it from here but if I don't, I don't know which one it is.

151
00:09:10,396 --> 00:09:12,576
You know, I want to see, where's the traffic happening?

152
00:09:12,576 --> 00:09:13,066
So, I go, "Okay."

153
00:09:13,066 --> 00:09:16,286
Well, it looks like this is where there's some communication happening,

154
00:09:16,286 --> 00:09:19,386
so I'm going to click check on this and do start.

155
00:09:20,056 --> 00:09:25,526
What I'm going to start seeing is the communication that's going across the network

156
00:09:25,526 --> 00:09:29,616
and this is where a lot of people go, "Ooh, aah, what's going on?"

157
00:09:29,616 --> 00:09:32,296
You know, they're not too sure what to do.

158
00:09:32,456 --> 00:09:37,876
So, right now, this is-- not much is going on, 29 packets are happening.

159
00:09:37,876 --> 00:09:41,076
I can see Spanning Tree Protocol running in the background, some other, you know,

160
00:09:41,106 --> 00:09:45,706
just normal network traffic discovering and communicating with things

161
00:09:45,706 --> 00:09:46,836
that are going on in the network.

162
00:09:46,836 --> 00:09:51,896
Now, as soon as I open a web browser and let me move this to the side

163
00:09:51,896 --> 00:09:57,106
so you can see, and let's just go to msn.com.

164
00:09:57,106 --> 00:09:57,776
And look at that.

165
00:09:57,776 --> 00:10:02,706
I mean, we went from like 29, 30, 50 and all the way up, you know, msn.com came up

166
00:10:02,706 --> 00:10:06,816
and now we're at packet number 1095, you know.

167
00:10:07,396 --> 00:10:10,386
All of these things are going on and what just happened?

168
00:10:10,596 --> 00:10:16,666
We just had a ton of network communication that comprised 1,200 or 1,280 individual packets.

169
00:10:16,666 --> 00:10:18,526
So, that's where people go "Huh!

170
00:10:18,526 --> 00:10:19,286
It's overwhelming."

171
00:10:19,286 --> 00:10:21,026
How do-- you know, how do I now sift

172
00:10:21,026 --> 00:10:24,796
through 1,200 individual packets to really see what's going on.

173
00:10:25,636 --> 00:10:28,836
Well, I'll explain that in just a moment but let's look at the matter at hand.

174
00:10:29,026 --> 00:10:30,906
I want to talk about DNS.

175
00:10:32,086 --> 00:10:37,166
DNS resolves names to IP addresses and I'm going to show you

176
00:10:37,166 --> 00:10:40,256
that this is using UDP as its protocol to do it.

177
00:10:40,256 --> 00:10:42,426
Now, the first thing that's happening is I'm like "Aah!

178
00:10:42,716 --> 00:10:45,416
This is just-- it's too much, I want to put a filter on."

179
00:10:45,706 --> 00:10:49,296
Let me show you one of the handiest filters that you will likely use.

180
00:10:49,336 --> 00:10:53,636
It is coming up here, you click in this little filter box and you'll find, I mean,

181
00:10:53,636 --> 00:10:57,716
you can build your own, you can click on this and it lets you, you know, click through

182
00:10:57,716 --> 00:11:02,516
and kind of-- almost like that's a GUI based like if I just want to see the UDP traffic

183
00:11:02,516 --> 00:11:08,656
or the TCP traffic, I can do that but I'm just going to go in here and just say ip.addr,

184
00:11:08,656 --> 00:11:14,016
IP address equals 4.2.2.2, enter.

185
00:11:14,016 --> 00:11:14,866
Now, what is that?

186
00:11:15,756 --> 00:11:18,766
Actually, you know what, I'm going to even change that further.

187
00:11:18,766 --> 00:11:22,326
Let me go 4.2.2.3, enter, blanks it out completely.

188
00:11:22,806 --> 00:11:28,666
What that does is say, only show me the traffic that is going to 4.2.2.3.

189
00:11:29,676 --> 00:11:30,706
Getting that so far?

190
00:11:30,706 --> 00:11:33,276
So, right now, how much traffic is going there?

191
00:11:33,616 --> 00:11:38,256
Nothing. Because nothing is actually accessing that IP address so my display is nice and empty.

192
00:11:38,316 --> 00:11:41,686
So now, I'm going to use DNS to do a little testing.

193
00:11:41,976 --> 00:11:46,736
I'm going to open a command prompt in Windows, start, you can browse to it,

194
00:11:46,736 --> 00:11:52,226
accessories all that, or just type in start, run, CMD and bring this to the middle of the screen.

195
00:11:52,646 --> 00:11:56,766
And, show you first off, when I do ipconfig forward slash all,

196
00:11:57,196 --> 00:12:01,066
I have in my list my DNS servers,

197
00:12:01,746 --> 00:12:06,226
shows the primary DNS server my computer is using is 4.2.2.2.

198
00:12:06,736 --> 00:12:09,686
The secondary is 4.2.2.3.

199
00:12:09,966 --> 00:12:11,426
Now, how did those get there?

200
00:12:11,636 --> 00:12:13,006
Well, that was through DHCP.

201
00:12:13,006 --> 00:12:17,646
When DHCP gives me an IP address, it can also assign me DNS servers, the default gateway,

202
00:12:17,646 --> 00:12:20,056
all that kind of stuff, and so this is the DNS server I was assigned.

203
00:12:20,056 --> 00:12:24,306
Now, since this is the primary, remember when I was looking at Wireshark, when I set the filter

204
00:12:24,306 --> 00:12:32,676
to say 4.2.2.2, oh, okay, my capture is still going so it's getting obnoxiously big.

205
00:12:32,976 --> 00:12:36,276
But-- so let me-- I'm going to stop the capture because we've got enough data.

206
00:12:36,496 --> 00:12:40,246
I can see all of these little DNS queries but this is kind of-- it's too much.

207
00:12:40,246 --> 00:12:42,996
I want to do a little demonstration version,

208
00:12:42,996 --> 00:12:46,866
so I'm going to filter this down and just see 4.2.2.3.

209
00:12:48,206 --> 00:12:52,396
Now, I stopped the capture so nothing-- oh [laughs] I suppose I should start the capture.

210
00:12:52,396 --> 00:12:54,806
I was just thinking-- so nothing new is coming in.

211
00:12:55,106 --> 00:12:58,136
So, I'm going to start the capture and let's say-- let's begin this.

212
00:12:58,136 --> 00:13:02,226
It's going to ask me, "Do you want to delete the old capture?"

213
00:13:02,226 --> 00:13:04,686
Once I click save, it would say, "Hey, do you want to delete the old one?"

214
00:13:04,686 --> 00:13:05,596
Absolutely.

215
00:13:05,596 --> 00:13:07,006
I'm, you know, I don't need the old one.

216
00:13:07,006 --> 00:13:12,196
So, I'm looking-- I'm capturing traffic just for 4.2.2.3, that's the filter of what I'm seeing.

217
00:13:12,746 --> 00:13:17,166
I'm going to open my command prompt and show you a handy utility called nslookup.

218
00:13:19,076 --> 00:13:25,486
What this is, is a utility that allows you to ask questions of DNS,

219
00:13:26,216 --> 00:13:29,826
so what it's doing is this is coming up and say, "Okay, well, right now.

220
00:13:30,066 --> 00:13:33,226
You can ask a question of 4.2.2.2.

221
00:13:33,226 --> 00:13:33,926
And, I would say, "Okay.

222
00:13:33,926 --> 00:13:38,066
Well, I want to see who is www.cbtnuggets.com."

223
00:13:38,356 --> 00:13:43,626
And, 4.2.2.2 comes back and says, "Well, actually, they have two IP addresses associated

224
00:13:43,626 --> 00:13:45,426
with them, this one and this one."

225
00:13:45,706 --> 00:13:47,886
Well, which one am I going to use?

226
00:13:47,886 --> 00:13:50,386
Well, the way it works is it's going to do a round robin.

227
00:13:50,386 --> 00:13:54,026
Maybe the first time I'm going to use this one, the second time I'm going to use this one.

228
00:13:54,316 --> 00:13:57,796
And, the name kind of gives me a little clue right here.

229
00:13:57,796 --> 00:13:58,996
It says, web balancer.

230
00:13:58,996 --> 00:13:59,726
I'm going, "Okay."

231
00:13:59,726 --> 00:14:01,966
So, this is some kind of load balancing.

232
00:14:01,966 --> 00:14:04,746
You know, maybe CBT Nuggets has enough traffic that they say,

233
00:14:04,746 --> 00:14:06,186
"I don't want just one web server.

234
00:14:06,186 --> 00:14:08,856
I want to kind of balance that between a couple web servers."

235
00:14:08,856 --> 00:14:11,866
I mean we see that again if I type in google.com.

236
00:14:11,866 --> 00:14:13,956
And, I mean, "Hello, Google."

237
00:14:14,116 --> 00:14:17,026
They're definitely trying to balance that load 'cause obviously,

238
00:14:17,026 --> 00:14:18,646
how many people use Google every day.

239
00:14:18,736 --> 00:14:24,896
So now, what I'm going to do, I was asking questions of 4.2.2.2.

240
00:14:25,086 --> 00:14:25,976
I'm going to change them.

241
00:14:25,976 --> 00:14:30,366
I'm going to do server equals 4.2.2.3.

242
00:14:32,546 --> 00:14:35,466
And so, I'm changing the-- wait a second.

243
00:14:35,626 --> 00:14:38,996
Server? I don't know why but equals [inaudible].

244
00:14:39,326 --> 00:14:46,086
Server space 4.2.2.3 which now sets my DNS server to this address.

245
00:14:46,766 --> 00:14:48,206
Now, watch what happens.


deeper, let me go back here in my--

259
00:15:47,016 --> 00:15:50,646
create a second command prompt, and I do an ipconfig slash all,

260
00:15:50,806 --> 00:16:00,256
one of the things that you can do with DNS is assign computers a default DNS suffix.

261
00:16:00,796 --> 00:16:01,966
Suffix, where does that go?

262
00:16:02,076 --> 00:16:03,066
At the end, right?

263
00:16:03,386 --> 00:16:08,426
So, that would allow somebody, for instance if I assign the home.local suffix, it allows somebody

264
00:16:08,426 --> 00:16:12,116
to say, "I want to ping," you know, maybe the server and hit enter and it's going

265
00:16:12,216 --> 00:16:17,946
to automatically try to ping server.home.local, maybe that's my local DNS domain that I have

266
00:16:17,946 --> 00:16:19,926
for my house or something like that.

267
00:16:19,926 --> 00:16:24,666
So immediately, when I tried to ping tag or look up tekcert.com, it came back and it was like,

268
00:16:24,666 --> 00:16:27,606
"Well, I'm going to try and look up tekcert.com.home.local."

269
00:16:27,606 --> 00:16:28,986
Now, before we go on.

270
00:16:29,546 --> 00:16:31,886
You can even see the reply right here.

271
00:16:31,886 --> 00:16:34,436
It's saying, "There's no such thing.


Where-- so, layer one, layer two, layer three.

298
00:18:03,796 --> 00:18:07,486
IP addresses were actually coming from the source of this, that's my computer,

299
00:18:07,796 --> 00:18:11,016
destination of this, the two DNS server.

300
00:18:11,446 --> 00:18:17,916
And now we come to the point that started this entire discussion, the UDP protocol.

301
00:18:18,456 --> 00:18:20,726
DNS actually uses UDP.

302
00:18:20,726 --> 00:18:23,706
Look at it, User Datagram Protocol, UDP.

303
00:18:23,706 --> 00:18:26,966
This is layer one, two, three, and four.

304
00:18:27,226 --> 00:18:34,716
It's saying, "I'm coming from the source port, 60353, going to the destination port, 53."

305
00:18:35,306 --> 00:18:37,666
Okay, stop right there.

306
00:18:37,906 --> 00:18:44,726
What that says to me is that my computer contacted this DNS server.

307
00:18:45,826 --> 00:18:47,876
[Inaudible] .72 is the last octet.

308
00:18:47,876 --> 00:18:55,906
This is 4.2.2.3 is that DNS server and it went to a destination port of UDP port 53.

309
00:18:56,586 --> 00:18:58,576
Oh, three is a little odd there.

310
00:18:58,576 --> 00:19:03,396
Okay, 53, and it came from a source port of 60353.


    32400:19:54,976 --> 00:19:59,356and that's actually one ofthe reasons why DNS uses UDP.

    32500:20:00,306 --> 00:20:05,396This is kind of a stimulus responsesort of thing to where I'm going to say,

    32600:20:05,396 --> 00:20:10,396"I want to know who tekcert-- butI'll just put tk.com really is,"

    32700:20:10,576 --> 00:20:13,096and the DNS server will say,"Okay, here's your answer."

    32800:20:13,346 --> 00:20:17,216Now that's all the communication thatreally goes on between them is, what's this,

    32900:20:17,276 --> 00:20:19,876here's your answer, what's this, here's youranswer, what's this, here's your answer.

    33000:20:20,146 --> 00:20:25,176It would just be a waste of time to say,"Okay, let's build a session between us.

    33100:20:25,176 --> 00:20:27,016

    You know, are you okay talking?"33200:20:27,016 --> 00:20:27,766The other one is like, "Yes.

    33300:20:27,766 --> 00:20:28,426Let's build this."

    33400:20:28,426 --> 00:20:30,876And I'm getting into the 3 way

    handshake, you know, building a session.

    33500:20:31,076 --> 00:20:36,216Okay. Now I want to know what is the name orIP address of tekcert.com and then, you know,

    33600:20:36,216 --> 00:20:37,936send the acknowledgment that

  • 8/13/2019 06 - Cisco Foundations - How Applications Speak - TCP and UDP.txt

    27/56

    you got my question.

    33700:20:37,936 --> 00:20:39,146He is like, "Okay, got it.

    33800:20:39,146 --> 00:20:41,306I got your question and here's the answer."

    33900:20:41,306 --> 00:20:42,836It's like, good grief.

    34000:20:42,836 --> 00:20:47,316Why do you need all that overhead justto get the answer of who is tekcert.com?"

    34100:20:47,626 --> 00:20:51,746So, with DNS, it's geared in such a waythat you say, "Hey, who's tekcert.com?"

    34200:20:52,026 --> 00:20:56,186And if your computer doesn't get an answerback, it's configured to say, "Well,

    34300:20:56,256 --> 00:20:59,236I hope they got there but I don't think itgot there 'cause I didn't get an answer back.

    34400:20:59,476 --> 00:21:00,486Well let me ask again."

    34500:21:00,746 --> 00:21:04,636And so it will keep trying to ask becausemaybe the packet did get dropped somewhere

    34600:21:04,636 --> 00:21:07,676between here in Californiaduring that communication.

    34700:21:07,756 --> 00:21:11,376

    So, that's the idea of those port numbers.

    34800:21:11,376 --> 00:21:15,436Now let's go back to Wireshark andlook at this communication as a whole.

    34900:21:15,676 --> 00:21:19,536So it's saying, "Okay, who

  • 8/13/2019 06 - Cisco Foundations - How Applications Speak - TCP and UDP.txt

    28/56

    is tekcert.com.home.local?"

    35000:21:19,786 --> 00:21:23,096This guy comes back and it's like, nosuch thing, I don't know who that is.

    35100:21:23,166 --> 00:21:28,136Now notice, it's asking for anA record, a DNS that's alias,

    35200:21:28,136 --> 00:21:30,876that's the normal record that people ask for.

    35300:21:31,116 --> 00:21:32,626So, it's like, no such thing.

    35400:21:32,626 --> 00:21:35,246So it comes and say, "Okay, well let's try this.

    35500:21:35,446 --> 00:21:38,246I would like an AAAA record."

    35600:21:38,246 --> 00:21:41,096He's saying, "If I'm lookingfor this kind of record

    35700:21:41,096 --> 00:21:44,216for tekcert.com.home.local,do you know who that is now?"

    35800:21:44,406 --> 00:21:46,376And he's like, "No, still no such name."

    35900:21:47,056 --> 00:21:49,596So okay, what's the difference here versus here?

    36000:21:50,016 --> 00:21:56,736Well, this is looking for the IPv4address of tekcert.com.home.local.

    36100:21:56,736 --> 00:22:00,046AAAA record is actually an IPv6 address.

    36200:22:00,116 --> 00:22:02,146So it's saying, "Okay, that didn't go so well.

    363

  • 8/13/2019 06 - Cisco Foundations - How Applications Speak - TCP and UDP.txt

    29/56

    00:22:02,336 --> 00:22:07,956Maybe he's on TCP/IP version 6 becausesince Windows XP Service Pack 3,

    36400:22:08,246 --> 00:22:11,806all the Windows operatingsystems have had IPv6 enabled

    36500:22:11,806 --> 00:22:13,526by default so they-- they're balance today.

    36600:22:13,526 --> 00:22:14,796He's like, "No, still no such thing."

    36700:22:14,796 --> 00:22:22,536So then he comes back and he's like, "Okay, wellthen, do you have an IP address for tekcert.com?

    36800:22:22,666 --> 00:22:23,856

    How about just tekcert.com?"36900:22:23,856 --> 00:22:26,316He comes back and he goes, "Actually, I do."

    37000:22:26,316 --> 00:22:29,936And we can expand that out and we canfind out, "Oh well, here is the query,

    37100:22:29,936 --> 00:22:31,916

    tekcert.com and here is the answer.37200:22:32,216 --> 00:22:35,636Tekcert.com came back and this isthe IP address that I received."

    37300:22:36,496 --> 00:22:41,706Wow, do you see how thiscan be really, really handy?

    374

    00:22:41,756 --> 00:22:43,176If, I mean, think about it.

    37500:22:43,176 --> 00:22:47,346Let's say we're sitting here andyou type in, you know, whatever.

    37600:22:47,346 --> 00:22:50,096

  • 8/13/2019 06 - Cisco Foundations - How Applications Speak - TCP and UDP.txt

    30/56

You know, you're looking something up and it comes back and he's like no response

377
00:22:50,096 --> 00:22:53,636
or request timed out or, you know, something like that.

378
00:22:53,636 --> 00:22:56,206
And let's just put Bob.com.

379
00:22:56,236 --> 00:22:57,366
And, you know, it fills that.

380
00:22:57,366 --> 00:23:00,806
We've got all, you know, tries again Bob.com and we get this answer back.

381
00:23:01,086 --> 00:23:04,256
But what, you know, what if it never got the answer back?

382
00:23:04,256 --> 00:23:07,416
It just said, you know, request timed out, request timed out.

383
00:23:07,416 --> 00:23:08,976
And you're like, "What's going on?"

384
00:23:09,426 --> 00:23:12,766
I mean, without this tool in the background, you have no idea.

385
00:23:12,856 --> 00:23:16,216
I mean, this tool is what-- oh, it's looking for Bob.com.home.local,

386
00:23:16,216 --> 00:23:18,036
it's not supposed to do that, why is it doing that?

387
00:23:18,036 --> 00:23:20,456
So that's why Wireshark is really handy.

388
00:23:20,456 --> 00:23:22,906
So, bring that back around.

389
00:23:23,196 --> 00:23:25,266
That's the basics of Wireshark.

390
00:23:25,266 --> 00:23:29,106
Again, without this filter, it's going to be just plain overwhelming,

391
00:23:29,106 --> 00:23:34,676
but if you can filter it down and start to really look and analyze these packets,

392
00:23:35,046 --> 00:23:36,786
you can get quite a bit out of it.

393
00:23:38,006 --> 00:23:42,886
So let me clear off this slate and get back to the topic at hand which is TCP and UDP.

394
00:23:42,886 --> 00:23:45,866
TCP I think we've got, it's just-- it's a wing it protocol, all right?

395
00:23:45,866 --> 00:23:49,476
You kind of chop the packet, you hope it gets there and if a response comes back, great.

396
00:23:49,656 --> 00:23:51,146
You know, that's how it works.

397
00:23:51,566 --> 00:23:54,636
TCP is the, "I know it got there" protocol.

398
00:23:55,146 --> 00:24:00,446
The way that it does that is by using initially a 3 way handshake to establish the session

399
00:24:00,916 --> 00:24:05,066
and then it uses acknowledgments to make sure that every single packet was received.

400
00:24:05,386 --> 00:24:10,016
Now, let me break that down into the fundamentals of how this protocol really works.

401
00:24:10,456 --> 00:24:14,476
When I have a computer here, and I say, "I want to go to--

402
00:24:14,476 --> 00:24:21,406
let's just say I want to surf the web and go to cbtnuggets.com."

403
00:24:21,596 --> 00:24:22,906
That will be our example.

404
00:24:24,356 --> 00:24:28,436
HTTP is a TCP-based protocol.

405
00:24:28,826 --> 00:24:32,816
It uses-- it says, "I want to have reliability otherwise web pages might show up."

406
00:24:32,816 --> 00:24:37,086
You know, things missing off of them and all that now, and that may happen

407
00:24:37,086 --> 00:24:40,746
but it's not TCP's fault, it's-- somebody made a bad web page.

408
00:24:41,076 --> 00:24:44,746
But TCP makes sure that all of your traffic gets between these two.

409
00:24:45,116 --> 00:24:47,676
Now, when this guy starts, here's how it works.

410
00:24:48,636 --> 00:24:54,956
He will send-- when he realizes, okay, I've got the IP address 'cause I looked it up via DNS.

411
00:24:54,956 --> 00:25:02,146
The IP address of CBT Nuggets, let's just use some reality here, cbtnuggets.com., there we go.

412
00:25:02,146 --> 00:25:03,556
Is-- let's just grab this first one,

413
00:25:03,556 --> 00:25:10,086
18472 so I'll just go 1184.72 dot dot dot, you know, that's the IP address.

414
00:25:10,086 --> 00:25:17,726
He's going to send the very first packet will be what's called a SYN packet saying,

415
00:25:18,056 --> 00:25:21,766
"Hey CBT Nuggets, I would like to start a discussion with you."

416
00:25:22,606 --> 00:25:26,706
Are you-- essentially, let me put in plain English and then I'll get technical.

417
00:25:26,886 --> 00:25:27,766
"Are you okay with that?"

418
00:25:28,236 --> 00:25:32,106
CBT Nuggets says, "Yes, I am okay with that."

419
00:25:32,266 --> 00:25:39,986
SYN ACK. That means, I'm sending a synchronization bit, if you will.

420
00:25:39,986 --> 00:25:42,366
I'm saying, yes, I would like to start talking to you,

421
00:25:42,366 --> 00:25:45,356
which is what these do, and I'm acknowledging yours.

422
00:25:45,356 --> 00:25:49,116
I'm saying, "I got yours" that's the acknowledgment "And here's mine."

423
00:25:49,636 --> 00:25:53,136
So, this guy replies back with one final ACK.

424
00:25:53,206 --> 00:25:55,486
What do you think that's there for?

425
00:25:57,506 --> 00:25:58,036
I got that.

426
00:25:58,536 --> 00:26:00,816
I got the SYN message from you.

427
00:26:00,816 --> 00:26:06,116
So I'm acknowledging that we're good and that is what they call a TCP 3 way handshake.

428
00:26:06,116 --> 00:26:11,126
Every single time you start a session, it's going to do that with the destination.

429
00:26:11,336 --> 00:26:14,036
A matter of fact let's-- I am all about Wireshark.

430
00:26:14,036 --> 00:26:15,506
Let's prove it to ourselves, right?

431
00:26:15,756 --> 00:26:18,986
Let's stop this capture, I'm just going to close this guy.

432
00:26:19,576 --> 00:26:20,766
Continue without saving.

433
00:26:20,766 --> 00:26:24,696
Okay. Let's clear the filter off and let's just start to capture.

434
00:26:24,696 --> 00:26:28,756
We'll just go to one website so it should be pretty easy to pull out, click on start.

435
00:26:29,286 --> 00:26:33,726
I'm going to go to cbtnuggets.com.

436
00:26:35,136 --> 00:26:37,096
Enter, boom, stop the capture.

437
00:26:37,316 --> 00:26:42,116
I got a whole bunch of data, 400 some packets that were sent to generate CBT Nuggets website.

438
00:26:42,346 --> 00:26:45,306
Let's go all the way back to the beginning up here where it all happened.

439
00:26:45,596 --> 00:26:52,956
Notice that right here my-- now, now you might say, "Well I don't see any DNS, you know,

440
00:26:53,036 --> 00:26:58,246
question for who is cbtnuggets.com, I see, you know, Wireshark weaseled its way in there."

441
00:26:58,546 --> 00:27:02,796
But, you know, what's happened is my computer cached the DNS response.

442
00:27:02,796 --> 00:27:06,506
It remembers who CBT Nuggets is because I've gone there before.

443
00:27:06,506 --> 00:27:09,296
Now, those caches will eventually time out but they'll get there.

444
00:27:09,526 --> 00:27:10,326
Now, look right here.

445
00:27:10,326 --> 00:27:13,636
So, we have Google, we're talking to Google and you might say, "Well,

446
00:27:13,966 --> 00:27:15,526
what's all this stuff happening?"

447
00:27:15,776 --> 00:27:19,336
Well, whenever you type, you know, I'm using Google Chrome and I don't know if you've noticed

448
00:27:19,336 --> 00:27:23,966
but when you start typing you're like, Jeremy, it's starting to, you know,

449
00:27:23,966 --> 00:27:27,076
figure out who will the, you know, who is--

450
00:27:27,076 --> 00:27:30,356
it's filling in all of this data, so we're able to see.

451
00:27:30,606 --> 00:27:32,246
You know, oh, okay it's filling this in.

452
00:27:32,246 --> 00:27:34,426
So every single time, Google is going, "Okay, well,

453
00:27:34,706 --> 00:27:38,416
let's find out who Jeremy Cioara is and you click on it.

454
00:27:38,706 --> 00:27:41,226
That's-- it's kind of weird [laughs], I'm looking myself up.

455
00:27:41,466 --> 00:27:43,146
But, you know, who is Jeremy Cioara?

456
00:27:43,146 --> 00:27:47,136
It's constantly going back and forth with Google saying, "Okay, he typed an I, he typed an O,

457
00:27:47,136 --> 00:27:48,906
he typed an A, you know, as it fills out the names.

458
00:27:48,906 --> 00:27:51,186
So that's what this little shindig was.

459
00:27:51,186 --> 00:27:52,726
Now, here's the meat of it.

460
00:27:52,726 --> 00:27:59,746
I come down right and I see, okay this is a TCP-based message, three of them to be exact.

461
00:28:00,086 --> 00:28:08,486
Notice, SYN, SYN ACK, ACK, 3 way handshake, SYN, SYN ACK, ACK, SYN, SYN ACK, ACK.

462
00:28:08,486 --> 00:28:12,286
Now, I want to go down a little further because I'm noticing here--

463
00:28:12,286 --> 00:28:13,476
notice the source and destination.

464
00:28:13,476 --> 00:28:15,516
It came from this server going to this one, right?

465
00:28:15,626 --> 00:28:19,956
SYN, SYN ACK, ACK and I go down a little bit more and all of a sudden, I see another one.

466
00:28:20,276 --> 00:28:23,176
It's like, wait a second, SYN, SYN ACK, ACK.

467
00:28:23,726 --> 00:28:25,546
And so there's more than one.

468
00:28:25,816 --> 00:28:28,416
I go down and all of a sudden, I see it looking up all the stuff, it's like,

469
00:28:28,626 --> 00:28:32,706
"I'm looking up some analytics, I'm looking up cloudfront.net, Facebook.com."

470
00:28:32,706 --> 00:28:34,136
What on earth is going on?

471
00:28:34,316 --> 00:28:37,446
And all of a sudden I see all these-- okay, SYN within, SYN within, SYN within, SYN within.

472
00:28:37,526 --> 00:28:40,476
All of these are SYNs and then I started, you know, look at these SYNs.

473
00:28:40,476 --> 00:28:43,616
It's starting all of the sessions with all these different servers

474
00:28:43,726 --> 00:28:46,506
and then they all start coming back, SYN ACK, SYN ACK, SYN ACK, SYN ACK.

475
00:28:46,506 --> 00:28:50,266
And then, you know, it's kind of like that we get this big merge of ACK, ACK, ACK.

476
00:28:50,266 --> 00:28:52,496
You know, it's kind of a-- what on earth is going on?

477
00:28:52,496 --> 00:28:56,036
I just went to CBT Nuggets and all of a sudden, I've got all of these sessions starting.

478
00:28:56,296 --> 00:29:00,396
Well, you remember, I think that I talked about this in the previous Nugget

479
00:29:00,396 --> 00:29:03,326
but this web page is a framework of web pages.

480
00:29:03,486 --> 00:29:06,706
When you come here, there's something on here that deals with Facebook.

481
00:29:06,706 --> 00:29:07,476
Ahh, there we go.

482
00:29:07,786 --> 00:29:10,306
They've got a little follow us on Facebook link, maybe that's it.

483
00:29:10,306 --> 00:29:12,376
And they've got a little link to Twitter or something

484
00:29:12,376 --> 00:29:14,316
that it pulled from Twitter and built this.

485
00:29:14,316 --> 00:29:16,876
So this web page is dynamic, it's always changing,

486
00:29:16,876 --> 00:29:18,456
it's pulling from all these different servers.

487
00:29:18,456 --> 00:29:24,666
So when I come to cbtnuggets.com, I'm actually, you know, these pictures, these videos,

488
00:29:24,666 --> 00:29:29,256
everything is pulling from all these different servers, so that's why I see just getting shot

489
00:29:29,256 --> 00:29:32,516
into this world of SYN and SYN ACKs but just get back to the base

490
00:29:32,516 --> 00:29:34,426
of it all, that's where it started.

491
00:29:34,626 --> 00:29:36,426
SYN, SYN ACK, ACK.

492
00:29:37,056 --> 00:29:39,266

copying time estimate window and it initially starts off and it's

506
00:30:25,906 --> 00:30:30,556
like your time estimate is two days five hours, and you're like, "What,

507
00:30:30,556 --> 00:30:31,836
you know, well that's not right!"

508
00:30:31,836 --> 00:30:33,246
And then Windows is like, "No, no, no, no, no.

509
00:30:33,246 --> 00:30:34,256
Just kidding, let me back off.

510
00:30:34,486 --> 00:30:37,986
Actually, it's going to be one day three hours."

511
00:30:37,986 --> 00:30:38,956
And you're like, "What?"

512
00:30:38,956 --> 00:30:42,066
You know, and then, no, no, no, no, have you-- you know what I'm talking about?

513
00:30:42,066 --> 00:30:45,776
And [inaudible] says like, "No, just kidding your time estimate is really 32 minutes."

514
00:30:45,776 --> 00:30:48,596
And you're like, "Okay, that's a little more of a result."

515
00:30:48,596 --> 00:30:51,966
And then, I mean, it takes like 30 seconds before it's final like, okay,

516
00:30:51,966 --> 00:30:54,146
really it's going to take 10 minutes to copy that file.

517
00:30:54,586 --> 00:30:59,256
[Laughs] Okay, it's like, okay what happened between Windows popping up and saying it's two

518
00:30:59,256 --> 00:31:03,066

If I can send four packets at a time then I bet you that I can get this done

545
00:32:32,716 --> 00:32:34,176
in like a day and a half, right."

546
00:32:34,176 --> 00:32:37,586
It reduces it dramatically because we're being much more efficient.

547
00:32:37,586 --> 00:32:41,146
So, what's happening over that, you know, first 30 seconds

548
00:32:41,146 --> 00:32:44,836
or so of that file transfer is it just keeps trying to send more and more and more

549
00:32:44,836 --> 00:32:45,736
and more and more and more and more.

550
00:32:45,736 --> 00:32:46,206
It's like, "Okay.

551
00:32:46,206 --> 00:32:49,946
I'm going to try and send you 100 packets at a time."

552
00:32:49,996 --> 00:32:54,826
Sends them a 100 of these 1,500-byte packets, ACK, I got all 100 of them.

553
00:32:54,826 --> 00:32:55,416
Does that make sense?

554
00:32:55,416 --> 00:33:01,706
So, that's the concept known as TCP window sizes or some people call it sliding windows

555
00:33:01,706 --> 00:33:04,086
because the window starts small, it slides bigger.

556
00:33:04,336 --> 00:33:09,716
But if there's drops, like let's say, I send a 100 packets and I lost two of them,

557
00:33:09,786 --> 00:33:13,476
then my computer is going to go, "Whoa, whoa, whoa, whoa, whoa," you know, we're losing data,

558
00:33:13,476 --> 00:33:16,576
I've got to pull back and only send a smaller,

559
00:33:16,576 --> 00:33:19,926
so the window size slides smaller and you see the copy time go up.

560
00:33:20,106 --> 00:33:26,136
So, that is the essence of how computers know how much they're able to send

561
00:33:26,136 --> 00:33:30,046
or how much bandwidth they can consume and they're going to try and consume all of it.

562
00:33:30,516 --> 00:33:34,656
And computers are bandwidth hungry monsters, they will try and consume all of the bandwidth

563
00:33:34,656 --> 00:33:37,986
that they can on the way to that server until they finally start dropping packets.

564
00:33:37,986 --> 00:33:41,126
And they go, "Okay, that's how much I can send at once before I, you know,

565
00:33:41,226 --> 00:33:43,676
I've reached the congestion point of the network."

566
00:33:43,726 --> 00:33:48,796
So, how do-- what-- how did this, this Window--

567
00:33:48,796 --> 00:33:54,336
Windowing concept and sending more than one packet at a time fit into this and it--

568
00:33:54,336 --> 00:33:56,466
where we started with this 3 way handshake.

569
00:33:57,046 --> 00:34:02,596
Well, when we do a 3 way handshake, what we're really exchanging is sequence numbers

570
00:34:02,596 --> 00:34:08,716
of my packet numbers are going to start here and then keep incrementing as I send you data.

571
00:34:09,186 --> 00:34:11,906
So, let's look back at Wireshark, get some examples of this.

572
00:34:11,906 --> 00:34:14,786
So, right here, we've got our 3 way handshake.

573
00:34:14,786 --> 00:34:16,576
We've got SYN, SYN ACK, ACK.

574
00:34:16,576 --> 00:34:17,996
So that's the very first one that we do.

575
00:34:17,996 --> 00:34:19,516
So let's break this open.

576
00:34:19,876 --> 00:34:25,816
We'll look at the TCP data and it says, "Oh, this guy is a flag, it's a SYN" but I want you--

577
00:34:25,816 --> 00:34:29,236
and you can, I mean, you can dig deep and say, "Oh, okay, well it's actually this bit,"

578
00:34:29,236 --> 00:34:32,246
and that, I mean, yeah, for now, it's a SYN, right?

579
00:34:32,576 --> 00:34:35,196
But if you look three above that, it says, "Hey,

580
00:34:35,406 --> 00:34:38,436
we're going to be starting from sequence number zero."

581
00:34:38,856 --> 00:34:41,926
That's it, that's was-- so I'm going to-- that's my beginning where--

582
00:34:41,926 --> 00:34:44,286
that's where my counter begins essentially.

596
00:35:28,096 --> 00:35:32,806
And what that says to the computer is, "I've received your zero and the next sequence

597
00:35:32,806 --> 00:35:35,146
that I'm expecting from you is one."

598
00:35:35,786 --> 00:35:36,896
Does that make sense?

599
00:35:36,896 --> 00:35:40,446
And then, and then, and then, I'm like [laughs], "Oh, oh, oh, and then look at this."

600
00:35:40,446 --> 00:35:43,066
And then, when I click it on here, it goes, "Okay, great.

601
00:35:43,216 --> 00:35:45,806
I'm going to send an ACK back of one as well."

602
00:35:46,926 --> 00:35:50,386
So, what we've done is we say, "Okay, I started with sequence number zero.

603
00:35:50,616 --> 00:35:51,376
Is that good?"

604
00:35:51,376 --> 00:35:52,506
And he goes, "Absolutely.

605
00:35:52,506 --> 00:35:54,166
I'm going to start from sequence number zero

606
00:35:54,166 --> 00:35:57,506
and I'm acknowledging your sequence number zero by giving you an ACK of one."

607
00:35:57,806 --> 00:36:01,056
Then I come back and say, "Okay, ACK of one because I'm a--

608
00:36:01,056 --> 00:36:02,786
I don't know why I put it aligned to that,

609
00:36:02,786 --> 00:36:04,656
because I'm acknowledging your sequence number zero

610
00:36:04,656 --> 00:36:07,056
that you gave me and now let's start talking."

611
00:36:07,676 --> 00:36:08,636
Isn't there a lot?

612
00:36:08,636 --> 00:36:09,476
That's a lot-- whoa.

613
00:36:09,716 --> 00:36:12,976
That's a lot to just say, "Okay, let's now start talking."

614
00:36:12,976 --> 00:36:15,886
But then, when you start getting it to the data, let's see if I can dig

615
00:36:15,886 --> 00:36:19,956
and then find some good data transfer here.

616
00:36:20,046 --> 00:36:24,406
I got your standard encrypted packets going through there.

617
00:36:24,406 --> 00:36:31,776
It's so [laughs], it's funny because going to CBT Nuggets home page, there's so much pointers

618
00:36:31,776 --> 00:36:34,586
on there that-- and there's encrypted data, HTTPS,

619
00:36:34,586 --> 00:36:36,176
you know, stuff flying all over the place.

620
00:36:36,586 --> 00:36:38,466
But right here and that's, I'll describe this.

621
00:36:39,576 --> 00:36:43,356
Right in the middle of this, this is actually using TLS which is encrypted data.

622
00:36:43,656 --> 00:36:47,336

636
00:37:21,856 --> 00:37:24,716
It's all encrypted mush going to CBT Nuggets website,

637
00:37:24,986 --> 00:37:28,046
but all of that stuff has sequence numbers.

638
00:37:28,366 --> 00:37:32,266
So, essentially, let me boil it back down on the slide 'cause it's a little less complex

639
00:37:32,266 --> 00:37:33,486
and busting that Wireshark.

640
00:37:33,746 --> 00:37:38,556
I've got, you know, let's say three 1,500-byte packets to send, right?

641
00:37:38,556 --> 00:37:44,696
So let's say I started with SYN zero, I send three 1,500-byte packets to the other side,

642
00:37:45,576 --> 00:37:50,646
and it will come through and, you know, first one will say, "Hey, I'm some data.

643
00:37:50,886 --> 00:37:53,066
I'm sequence number 1,500.

644
00:37:53,066 --> 00:37:55,786
The second one will come through and say, "Okay.

645
00:37:55,786 --> 00:37:58,006
Well, I'm sequence number 3,000."

646
00:38:00,136 --> 00:38:04,696
And third one comes through and you see where this is going, "I'm sequence number 4,500."

647
00:38:04,696 --> 00:38:08,596
The sequence numbers are-- they are essentially a mathematical addition

648
00:38:08,596 --> 00:38:10,796
of all of the data that's being sent.

649
00:38:10,796 --> 00:38:13,266
In that way when this-- these two get dropped, you know,

650
00:38:13,266 --> 00:38:15,496
maybe this one made it through, these two were dropped.

651
00:38:15,656 --> 00:38:18,206
All of a sudden this guy goes, "Whoa, wait a sec.

652
00:38:19,016 --> 00:38:28,046
I missed sequence numbers, you know, we'll say 4,000 through 6593 or whatever, you know,

653
00:38:28,046 --> 00:38:29,186
whatever those sequence numbers are."

654
00:38:29,436 --> 00:38:32,286
So, he's going to be like, "Whoa, I did not receive those."

655
00:38:32,286 --> 00:38:35,046
He goes, "Oh, well let me resend those sequence numbers to you."

656
00:38:35,046 --> 00:38:41,006
That-- this is how TCP keeps it all working is by, you know, again,

657
00:38:41,006 --> 00:38:42,536
those acknowledgments coming back.

658
00:38:42,756 --> 00:38:44,956
If you received them all, he'll send acknowledgment

659
00:38:44,956 --> 00:38:46,696
for one plus, whatever the last sequence.

660
00:38:46,696 --> 00:38:49,876
So let's say, the last sequence number to get in was 4,500.

661
00:38:50,076 --> 00:38:56,656
He's going to send an acknowledgment for 4501-- 1 and then the transmission continues on.

662
00:38:56,796 --> 00:39:00,916
[Laughs] It's like, right there, I took a breath and I took a step back and I'm like,

663
00:39:01,196 --> 00:39:03,676
"How do you see anything on the screen anymore."

664
00:39:03,806 --> 00:39:06,206
It builds on itself so hopefully you've--

665
00:39:06,346 --> 00:39:11,016
you didn't look away throughout 'cause otherwise it's just a mess of lines going back and forth.

666
00:39:11,376 --> 00:39:16,776
But, wow, I mean, if you take that and put it all together and you are on your way--

667
00:39:16,846 --> 00:39:21,916
well on your way to becoming a network Ninja, not only understanding how TCP works,

668
00:39:21,916 --> 00:39:25,796
the 3 way handshake, the acknowledgment, back and forth process, but also now,

669
00:39:25,796 --> 00:39:28,666
starting to look inside of Wireshark and being like, "Oh, oh, oh,

670
00:39:28,826 --> 00:39:30,766
I see the 3 way handshake right there.

671
00:39:30,766 --> 00:39:31,286
I get it."

672
00:39:31,286 --> 00:39:34,906
You know, and then I started seeing that, I get referred to all these other servers, you know,

673
00:39:34,906 --> 00:39:36,776
because there are the DNS queries.

674
00:39:36,776 --> 00:39:40,476
And then, I started sessions with all those, that's all these SYN packets, I mean, wow!

701
00:41:14,426 --> 00:41:17,876
[Laughs] That it's and it's just some guy and he's been around for a long time.

702
00:41:18,066 --> 00:41:20,786
The last page you cre-- the guy who created a website that just says,

703
00:41:20,786 --> 00:41:22,556
"You have reached the last page of the internet.

704
00:41:22,866 --> 00:41:23,936
Hope you enjoyed your browsing.

705
00:41:24,316 --> 00:41:25,816
Go outside."

706
00:41:25,816 --> 00:41:30,106
So, beautifully simple web page to where we won't get the confusion behind.

707
00:41:30,296 --> 00:41:35,336
And won't say confusion but the complexity behind going to big websites like CBT Nuggets

708
00:41:35,336 --> 00:41:38,096
and seeing 50 different servers popped into our conversation.

709
00:41:38,096 --> 00:41:39,626
So grab Wireshark.

710
00:41:40,016 --> 00:41:42,996
I want you to capture the DNS lookup.

711
00:41:42,996 --> 00:41:45,456
Create a filter, find out what your DNS server is.

712
00:41:45,616 --> 00:41:50,336
Create a filter that allows you to see the DNS lookup and then one that allows you

713
00:41:50,336 --> 00:41:56,256
to see the communication between you and that last page of the internet web server.
