Packet Traveling
preCloud
Feb 21, 2020
“Iman darabi” <iman.darabi@gmail.com>
Materials
● OSI model
● The Network Layer
● The Datalink Layer
● Linux network command-line tools
● Network security
● OSI model, concepts of packet travel (15 min)
● The Network Layer (45 min)
● The Datalink Layer (45 min)
● Linux network command-line tools (60 min)
● Network security (40 min)
Networking
Layer 7 (Application)
1. Directly interacts with data from the user.
2. Software such as web browsers relies on the application layer to initiate communications.
3. Software works with protocols like HTTP and SMTP to transfer data over the network.
Ref: http://cloudflare.com
Layer 6 (Presentation)
1. Prepares data so that it can be used by the application layer.
2. Encryption and compression, for example.
Ref: http://cloudflare.com
Layer 5 (Session)
1. The time between when the communication is opened and closed is known as the session.
2. Synchronization: adds checkpoints (synchronization points) into the stream of data.
Ref: http://cloudflare.com
Layer 4 (Transport)
1. Reassembles the segments into data the session layer can consume.
2. Flow control and error control for inter-network communication.
Ref: http://cloudflare.com
Layer 3 (Network)
1. Facilitates data transfer between two different networks.
Ref: http://cloudflare.com
Layer 2 (Data Link)
1. Facilitates data transfer between two devices on the SAME network.
2. Flow control and error control in intra-network communication.
Ref: http://cloudflare.com
Layer 1 (Physical)
1. This layer is:
101110101011101010110101011111100001
0101101010101010101 ;)
Ref: http://cloudflare.com
TCP/IP layers:
LAN Protocols
Data and Computer Communications (William Stallings)
The Network Layer (2)
Internet Protocol
● IP addresses are assigned to computers and routers (computer ~ node).
● Every IP address belongs to a specific network.
● Routers are used to connect networks.
● A public IP address allows a device to be reached directly over the Internet (e.g. 5.9.201.150).
● Private IP addresses are the address space allocated by InterNIC to allow organizations to create their own private networks:
○ 10.0.0.0/8 (a single Class A network)
○ 172.16.0.0/12 (16 Class B networks)
○ 192.168.0.0/16 (256 Class C networks)
● Private nodes cannot communicate directly with public networks; they require Network Address Translation (NAT) at a routing gateway for this purpose.
Network Address
Network Masks
● The subnet mask defines which part of the network address indicates the network and which part indicates the node.
● Example:
○ Address:   192.168.10.100      11000000.10101000.00001010 .01100100
○ Netmask:   255.255.255.0 = 24  11111111.11111111.11111111 .00000000
○ Network:   192.168.10.0/24     11000000.10101000.00001010 .00000000 (Class C)
○ Broadcast: 192.168.10.255      11000000.10101000.00001010 .11111111
○ HostMin:   192.168.10.1        11000000.10101000.00001010 .00000001
○ HostMax:   192.168.10.254      11000000.10101000.00001010 .11111110
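The arithmetic behind the mask example, as an added illustration (this is not code from the slides): the network address is the AND of address and mask, the broadcast address is the network with every host bit set, and the usable host range lies strictly between them. The same helpers check whether two hosts share a network (so no router is needed between them) and whether an address falls in the private or link-local ranges listed on the previous slides. The /31 and /32 handling goes beyond the slide's /24 case.

```python
"""Subnet arithmetic behind the mask example above, as an added illustration
(not code from the slides).  Pure bit operations on 32-bit integers, plus a
check of an address against the private and link-local ranges the slides list."""
import ipaddress

# Ranges taken from the slides (RFC 1918 private space and the 169.254.0.0/16 APIPA range).
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def to_int(dotted: str) -> int:
    """Dotted quad -> 32-bit integer, rejecting malformed input."""
    octets = dotted.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    a, b, c, d = (int(o) for o in octets)
    return (a << 24) | (b << 16) | (c << 8) | d


def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_bits(value: int) -> str:
    """Dotted binary, the way the slide prints it (11000000.10101000....)."""
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: the top `prefix` bits set, the host bits clear."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def subnet_summary(address: str, prefix: int) -> dict:
    """Network, broadcast and first/last usable host for address/prefix."""
    addr = to_int(address)
    mask = mask_from_prefix(prefix)
    network = addr & mask                        # keep network bits, clear host bits
    broadcast = network | (~mask & 0xFFFFFFFF)   # set every host bit
    if prefix >= 31:
        # /31 point-to-point links (RFC 3021) and /32 hosts have no separate
        # broadcast address; every address is usable.
        host_min, host_max, hosts = network, broadcast, broadcast - network + 1
    else:
        host_min, host_max, hosts = network + 1, broadcast - 1, broadcast - network - 1
    return {
        "address": to_dotted(addr),
        "netmask": to_dotted(mask),
        "network": f"{to_dotted(network)}/{prefix}",
        "broadcast": to_dotted(broadcast),
        "hostmin": to_dotted(host_min),
        "hostmax": to_dotted(host_max),
        "hosts": hosts,
    }


def same_network(a: str, b: str, prefix: int) -> bool:
    """True when both addresses share the network bits, i.e. no router is needed between them."""
    mask = mask_from_prefix(prefix)
    return (to_int(a) & mask) == (to_int(b) & mask)


def classify(address: str) -> str:
    """'private' (RFC 1918), 'link-local' (APIPA) or 'public', using the slides' ranges."""
    ip = ipaddress.ip_address(address)
    if any(ip in net for net in PRIVATE_RANGES):
        return "private"
    if ip in LINK_LOCAL:
        return "link-local"
    return "public"


if __name__ == "__main__":
    info = subnet_summary("192.168.10.100", 24)
    for key, value in info.items():
        print(f"{key:>9}: {value}")
    print("   binary:", to_bits(to_int("192.168.10.100")))
    print(" classify:", classify("192.168.10.100"), classify("5.9.201.150"), classify("169.254.3.4"))
```

Running it reproduces the six rows of the slide; change the prefix to see how the broadcast and host range move with the mask.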
Managing Network Addresses and Interfaces
● Fixed IP addresses:
○ Useful for servers that always need to be available at the same IP address.
● Dynamically assigned IP addresses:
○ Useful for end-user devices, and for instances in a cloud environment.
○ To assign IP addresses dynamically, a Dynamic Host Configuration Protocol (DHCP) server is usually used.
● Automatic Private IP Addressing
○ This feature allows a networked device to self-assign an IP address from the 169.254.0.0/16 network (these addresses are not routable).
Validating Network Configuration
1. IP address and subnet mask
a. Use ip addr to configure and monitor network addresses
2. Routing
a. Use ip route to configure and monitor routing information
3. Availability of ports and services
a. Use ip link to configure and monitor network link state
4. Examples:
a. $ ip addr show (or $ ip a)
b. $ ip link show
c. $ ip route show
IP Assignment
● Not persistent:
○ # ip addr add 192.168.50.5 dev eth0
○ # ifconfig eth0 192.168.50.5 up (although net-tools is deprecated)
● Persistent:
○ /etc/network/interfaces (ifupdown)
○ nmcli (desktop)
○ Netplan
Dynamic Host Configuration Protocol
● First, let's talk about the data link layer (layer 2).
The DataLink Layer (1)
DataLink
● Layer 2
● Responsible for transferring data between two devices on the same network segment
● Senses the channel before transmitting: Carrier Sense Multiple Access (CSMA)
● Detects or avoids collisions: Collision Detection (CD) or Collision Avoidance (CA)
Frame Transmission on a Bus LAN
Star Topology
Bridge Operation
● The bridge attaches to both LANs.
● It reads all frames transmitted on A and accepts those addressed to any station on B.
● Using the medium access control protocol for B, it retransmits each frame on B.
Broadcast Domain
● Unicast addressing:
○ X sends a frame to Y
○ X sends a frame to Z
● Broadcast addressing:
○ X sends a frame to the FF:FF:FF:FF:FF:FF address!
● The total collection of devices that receive broadcast frames from each other is referred to as a broadcast domain.
● In many situations, a broadcast frame is used for a purpose such as network management or the transmission of some type of alert.
Two Physical LANs
Two Virtual LANs
Virtual LAN (VLAN)
● A VLAN is a logical subgroup within a LAN.
● It is created by software rather than by physically moving and separating devices.
● The VLAN logic is implemented in LAN switches and functions at the MAC layer.
Trunk
● Allows traffic for multiple VLANs to travel over a single connection.
● One of the VLANs traveling over an 802.1Q trunk is called the native VLAN.
● To distinguish the other VLANs from one another, the remaining VLANs are tagged.
Dynamic Host Configuration Protocol
● How does a network device receive its initial IP address assignment?
● One option is to manually configure an IP address on a device.
○ Automation is critical in cloud computing, and manual configuration is time consuming and error prone.
● The most common approach to automatic assignment of IP addresses is the Dynamic Host Configuration Protocol (DHCP).
● DHCP can assign a wide variety of other IP parameters, such as a subnet mask, a default gateway and the IP address of a DNS server.
D.O.R.A: DHCPDISCOVER
● When a DHCP client initially boots, it has no IP address yet.
● The DHCP client sends a broadcast message to discover DHCP servers.
D.O.R.A: DHCPOFFER
● When a DHCP server receives a DHCPDISCOVER message, it can respond with a unicast DHCPOFFER message.
● Because the DHCPDISCOVER message is sent as a broadcast, more than one DHCP server might respond to the discover request.
● The client typically selects the server that sent the first DHCPOFFER response it received.
D.O.R.A: DHCPREQUEST
● The DHCP client communicates with the selected server by sending a unicast DHCPREQUEST message asking the DHCP server to provide IP configuration parameters.
D.O.R.A: DHCPACK
● The DHCP server responds to the client with a unicast DHCPACK message.
● This DHCPACK message contains a collection of IP configuration parameters.
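The four-step exchange above as an in-process simulation, added here as an example; it is not code from the slides and sends no real DHCP traffic. Two constructed servers (addresses, pools and options are invented for the demo) hear one client's broadcast DISCOVER; the client takes the first OFFER, unicasts a REQUEST to that server as the slide describes, and receives an ACK carrying the subnet mask, gateway and DNS parameters. RFC 2131 actually has the client broadcast the DHCPREQUEST so that the servers whose offers were not taken can see it; since the simulation follows the slide's unicast description, those servers reclaim their offered addresses through an explicit offer-expiry step instead.

```python
"""DHCP D.O.R.A. as an in-process simulation.  Added example; not the
slides' own code and no real DHCP traffic is sent.  Two constructed servers
answer one client's broadcast DISCOVER; the client takes the first OFFER it
receives, unicasts a REQUEST to that server and gets back an ACK carrying
the IP parameters (mask, gateway, DNS) the slides mention."""
from dataclasses import dataclass, field

BROADCAST = "255.255.255.255"
UNASSIGNED = "0.0.0.0"   # the client has no address yet when it boots


@dataclass
class Message:
    kind: str            # DHCPDISCOVER / DHCPOFFER / DHCPREQUEST / DHCPACK
    xid: int             # transaction id, ties the four messages together
    chaddr: str          # client hardware (MAC) address
    src: str
    dst: str
    yiaddr: str = UNASSIGNED      # "your" address: the offered / assigned IP
    server_id: str = ""
    options: dict = field(default_factory=dict)


class DhcpServer:
    def __init__(self, server_id: str, pool: list[str], options: dict):
        self.server_id = server_id
        self.free = list(pool)
        self.offered: dict[int, str] = {}    # xid -> address reserved for an offer
        self.leases: dict[str, str] = {}     # chaddr -> address
        self.options = options

    def handle(self, msg: Message):
        if msg.kind == "DHCPDISCOVER":
            if not self.free:
                return None                       # pool exhausted: stay silent
            addr = self.free.pop(0)
            self.offered[msg.xid] = addr
            return Message("DHCPOFFER", msg.xid, msg.chaddr, self.server_id, addr,
                           yiaddr=addr, server_id=self.server_id, options=dict(self.options))
        if msg.kind == "DHCPREQUEST" and msg.server_id == self.server_id:
            addr = self.offered.pop(msg.xid, None)
            if addr is None or addr != msg.yiaddr:
                return None                       # nothing offered under this xid
            self.leases[msg.chaddr] = addr
            return Message("DHCPACK", msg.xid, msg.chaddr, self.server_id, addr,
                           yiaddr=addr, server_id=self.server_id, options=dict(self.options))
        return None

    def expire_offer(self, xid: int) -> None:
        """An offer the client never requested goes back to the pool."""
        addr = self.offered.pop(xid, None)
        if addr is not None:
            self.free.append(addr)


def dora(client_mac: str, xid: int, servers: list[DhcpServer]):
    """Run Discover/Offer/Request/Ack; returns (ack_or_None, transcript)."""
    transcript = []
    discover = Message("DHCPDISCOVER", xid, client_mac, UNASSIGNED, BROADCAST)
    transcript.append(discover)
    # Every server on the segment hears the broadcast; each may offer.
    offers = [o for o in (s.handle(discover) for s in servers) if o is not None]
    transcript.extend(offers)
    if not offers:
        return None, transcript
    chosen = offers[0]                            # first OFFER received wins
    request = Message("DHCPREQUEST", xid, client_mac, UNASSIGNED, chosen.server_id,
                      yiaddr=chosen.yiaddr, server_id=chosen.server_id)
    transcript.append(request)
    ack = None
    for server in servers:
        if server.server_id == chosen.server_id:
            ack = server.handle(request)
        else:
            server.expire_offer(xid)              # offers not taken are reclaimed
    if ack is not None:
        transcript.append(ack)
    return ack, transcript


def build_servers():
    """Two constructed servers on one segment (addresses invented for the demo)."""
    opts = {"subnet_mask": "255.255.255.0", "router": "192.168.50.1", "dns": "192.168.50.53"}
    return [
        DhcpServer("192.168.50.2", ["192.168.50.10", "192.168.50.11"], opts),
        DhcpServer("192.168.50.3", ["192.168.50.100"], opts),
    ]


if __name__ == "__main__":
    servers = build_servers()
    ack, transcript = dora("52:54:00:12:34:56", xid=0x3903F326, servers=servers)
    for m in transcript:
        print(f"{m.kind:<13} {m.src:>15} -> {m.dst:<15} yiaddr={m.yiaddr}")
    print("lease:", ack.yiaddr, ack.options)
```

The printed transcript shows the one broadcast (the DISCOVER from 0.0.0.0) and the three unicasts that follow it; note that nothing in the exchange authenticates the servers, which is why any host that answers a DISCOVER first can hand out the gateway and DNS settings a client will use.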
DHCP Relay: without DHCP relay agent
DHCP Relay: with DHCP relay agent
How Packets Move Through a Network
Linux network command-line tools
Linux network command
ip - show / manipulate routing, network devices, interfaces and tunnels
● ip address - configure/monitor network addresses
○ $ ip address show <interface>
○ # ip addr add 192.168.50.5 dev ens160
○ # ip addr del 192.168.50.5/24 dev ens160
● ip link - configure/monitor network link state
○ $ ip link show
○ # ip link set eth1 up
○ # ip link set eth1 down
● ip route - configure/monitor routing information
○ $ ip route show
○ # ip route add 10.10.20.0/24 via 192.168.50.100 dev eth0 “static route”
○ # ip route del 10.10.20.0/24
○ # ip route add default via 192.168.50.1
Linux network command
ping - send ICMP ECHO_REQUEST to network hosts
● $ ping 8.8.8.8
● $ ping 8.8.8.8 -c 4 “Stop after sending count ECHO_REQUEST packets.”
● $ ping -t 2 google.com “Time To Live”
○ PING google.com (172.217.18.14) 56(84) bytes of data.
○ From 172.31.13.5 (172.31.13.5) icmp_seq=1 Time to live exceeded
● $ ping google.com
○ PING google.com (172.217.18.14) 56(84) bytes of data.
○ 64 bytes from fra15s28-in-f14.1e100.net (172.217.18.14): icmp_seq=1 ttl=43 time=121 ms
Time To Live
Linux network command
traceroute - print the route packets trace to network host
● $ ping -t 1 google.com
○ … Time to live exceeded
● $ ping -t 2 google.com
● $ ping -t 3 google.com
● $ ping -t 4 google.com
● …
● $ ping -t 25 google.com
○ PING google.com (172.217.18.14) 56(84) bytes of data.
○ 64 bytes from fra02s19-in-f14.1e100.net (172.217.18.14): icmp_seq=1 ttl=43 time=123 ms
Linux network command
traceroute - print the route packets trace to network host
● traceroute google.com
○ traceroute to google.com (172.217.18.14), 30 hops max, 60 byte packets
○ 1 _gateway (172.16.22.1) 1.065 ms 1.255 ms 1.425 ms
○ 2 172.31.13.5 (172.3.3.5) 1.934 ms 2.270 ms 2.633 ms
○ ...
○ 10 * * *
○ 11 * * *
○ 12 * * *
○ 13 10.201.177.133 (10.201.177.133) 13.441 ms 13.442 ms 13.402 ms
○ ...
○ 19 108.170.240.56 (108.170.240.56) 52.736 ms 108.170.246.118 (108.170.246.118) 52.992 ms 108.170.240.55 (108.170.240.55) 53.057 ms
○ 20 216.239.54.211 (216.239.54.211) 132.193 ms 132.141 ms 216.239.56.13 (216.239.56.13) 130.140 ms
○ 21 72.14.233.132 (72.14.233.132) 122.384 ms 72.14.235.14 (72.14.235.14) 125.581 ms 125.489 ms
○ 22 72.14.239.166 (72.14.239.166) 126.233 ms 108.170.228.254 (108.170.228.254) 137.870 ms 137.551 ms
○ 23 108.170.251.129 (108.170.251.129) 122.273 ms 123.187 ms 123.335 ms
○ 24 74.125.37.125 (74.125.37.125) 124.512 ms 74.125.37.99 (74.125.37.99) 122.331 ms 122.317 ms
○ 25 fra15s28-in-f14.1e100.net (172.217.18.14) 124.916 ms 125.164 ms 124.830 ms
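How the ping -t 1, -t 2, ... sequence turns into the traceroute output above, as an added simulation (not the slides' own code, and no packets are sent). A constructed list of routers forwards a probe; each router decrements the TTL and, when it reaches zero, drops the probe and answers with ICMP "Time to live exceeded" from its own address. The first two hops and the destination are taken from the slide's output; the other hops, and the hop that stays silent (the "* * *" lines, typically a router that filters ICMP), are invented for the demo.

```python
"""How traceroute uses the TTL, as an added simulation (not the slides' own
code; no packets are sent).  A constructed list of routers forwards a probe;
each router decrements the TTL and, when it reaches zero, drops the probe and
answers with ICMP "Time to live exceeded" from its own address, which is what
the ping -t 1, -t 2, ... sequence on the slide collects one hop at a time."""
from typing import Optional

# Constructed path.  The first two hops and the destination are taken from the
# slide's traceroute output; the middle hops are invented for the demo.
ROUTERS = ["172.16.22.1", "172.31.13.5", "198.51.100.7", "10.201.177.133"]
DESTINATION = "172.217.18.14"
# Hops that drop the probe without answering (the "* * *" lines on the slide),
# e.g. routers that filter ICMP.  Constructed for the demo.
SILENT = frozenset({"198.51.100.7"})


def probe(dst: str, ttl: int, routers: list[str], silent=frozenset()) -> tuple[Optional[str], str]:
    """Send one probe with the given TTL along the path; return (responder, message)."""
    if ttl < 1:
        raise ValueError("TTL must be at least 1")
    remaining = ttl
    for router in routers:
        remaining -= 1                      # every forwarding hop decrements the TTL
        if remaining == 0:                  # expired here: dropped, ICMP time-exceeded sent back
            if router in silent:
                return None, "*"            # no reply at all within the timeout
            return router, "Time to live exceeded"
    return dst, "echo reply"                # TTL survived the routers: the host answers


def traceroute(dst: str, routers: list[str], silent=frozenset(), max_hops: int = 30):
    """Increase the TTL one at a time until the destination itself replies."""
    hops = []
    for ttl in range(1, max_hops + 1):
        responder, message = probe(dst, ttl, routers, silent)
        hops.append((ttl, responder, message))
        if responder == dst:
            break
    return hops


def format_hops(hops) -> list[str]:
    """One line per TTL, in the spirit of the traceroute listing."""
    return [f"{ttl:>2} {responder or '*':<16} {message}" for ttl, responder, message in hops]


if __name__ == "__main__":
    for line in format_hops(traceroute(DESTINATION, ROUTERS, SILENT)):
        print(line)
```

The max_hops cap matters when the destination never answers (filtered or unreachable): the real tool stops at 30 hops for the same reason, and a run that ends without an echo reply tells you where the path went dark, not that the host is down.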
Linux network command
arp - manipulate the system ARP cache
● $ arp -a
○ ? (172.16.10.44) at 08:01:27:62:9a:8f [ether] on enp0s25
○ ? (172.16.10.40) at 1c:1b:0d:49:e6:4 [ether] on enp0s25
● # arp -d 192.168.10.11 “delete an ARP table entry”
● # ip -s -s neigh flush all “clear the ARP cache”
○ 172.16.10.44 dev enp0s25 lladdr 08:00:23:62:9a:8f used 460/456/412 probes 1 STALE
○ 172.16.10.40 dev enp0s25 lladdr 10:8b:0d:39:e6:a4 used 44420/44418/44378 probes 1 STALE
Linux network command
netstat - print network connections, routing tables, interface statistics
● $ netstat -a | more “Show listening and non-listening sockets.”
● $ netstat -at “List all TCP ports”
● $ netstat -au “List all UDP ports”
● $ netstat -l “List only the listening ports”
● $ netstat -lt “List only listening TCP ports”
● $ netstat -lu “List only listening UDP ports”
● $ netstat -i “List network interfaces”
● $ netstat -ie “did you miss ifconfig ;)”
● $ netstat -r “host’s IP routing table”
Linux network command
netstat (continued)
● Which process is using a particular port (-p needs root to show other users' processes):
○ # netstat -anp | grep ":80"
● The port on which a program is running:
○ # netstat -ap | grep ssh
● netstat retrieves information about the networking subsystem from the /proc/net file system:
● /proc/net/dev “device information”
● /proc/net/tcp “TCP socket information”
● /proc/net/unix “Unix domain socket information”
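What netstat -lt actually reads, as an added example (not code from the slides): a parser for /proc/net/tcp. It runs on a constructed copy of the file so it works anywhere; on a Linux host you can pass the real file's contents to parse_proc_net_tcp(). Addresses in that file are hex in host byte order (little-endian on x86 is assumed here), ports are hex in network order, and the state column uses the kernel's numeric codes (0A is LISTEN). The inode column is what netstat -p joins against /proc/<pid>/fd to name the owning process.

```python
"""What `netstat -lt` reads: a parser for /proc/net/tcp, as an added example
(not the slides' own code).  It works on a constructed copy of the file so it
runs anywhere; pass the real file's contents to parse_proc_net_tcp() on a
Linux host.  Addresses in /proc/net/tcp are hex in host byte order (little-
endian on x86, assumed here); ports are hex in network order."""
import socket
import struct

# Kernel TCP state codes as they appear in the "st" column.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample: a MySQL listener bound to loopback, sshd on all
# addresses, one established SSH session, and an unprivileged listener on 8080.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18211 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 17760 1 0000000000000000 100 0 0 10 0
   2: 0516A8C0:0016 6416A8C0:C3B2 01 00000000:00000000 02:000A3F12 00000000     0        0 25440 4 0000000000000000 20 4 31 10 -1
   3: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 30012 1 0000000000000000 100 0 0 10 0
"""


def decode_endpoint(field: str) -> tuple[str, int]:
    """'0100007F:0CEA' -> ('127.0.0.1', 3306)."""
    addr_hex, port_hex = field.split(":")
    # The kernel prints the 32-bit address as stored in memory, so re-pack the
    # integer little-endian to recover the original byte order.
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list[dict]:
    """One dict per socket line; the header line and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "sl":
            continue
        local_addr, local_port = decode_endpoint(fields[1])
        remote_addr, remote_port = decode_endpoint(fields[2])
        entries.append({
            "local": (local_addr, local_port),
            "remote": (remote_addr, remote_port),
            "state": TCP_STATES.get(fields[3], f"UNKNOWN({fields[3]})"),
            "uid": int(fields[7]),
            "inode": int(fields[9]),     # join with /proc/<pid>/fd to find the owning process
        })
    return entries


def listening_ports(entries: list[dict]) -> list[tuple[str, int]]:
    """Equivalent of `netstat -lt`: local endpoints in LISTEN state, sorted by port."""
    return sorted((e["local"] for e in entries if e["state"] == "LISTEN"),
                  key=lambda ep: (ep[1], ep[0]))


def exposed_listeners(entries: list[dict]) -> list[tuple[str, int]]:
    """Listeners bound to every address (0.0.0.0) are reachable from outside the host."""
    return [ep for ep in listening_ports(entries) if ep[0] == "0.0.0.0"]


if __name__ == "__main__":
    entries = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for e in entries:
        print(f"{e['local'][0]}:{e['local'][1]:<6} {e['remote'][0]}:{e['remote'][1]:<6} "
              f"{e['state']:<12} uid={e['uid']}")
    print("exposed listeners:", exposed_listeners(entries))
```

The split between listening_ports and exposed_listeners is the check worth running on a server: a service bound to 127.0.0.1 (the MySQL line in the sample) is only reachable locally, while anything bound to 0.0.0.0 is what the iptables INPUT chain later in these slides has to account for.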
Linux network command
tcpdump - prints out a description of the contents of packets on a network interface (a network sniffer tool)
● # tcpdump -i eth0
● # tcpdump -w myfile.pcap -i eth0 “Capture and save packets to a file”
● # tcpdump -r myfile.pcap “Read a captured packets file”
● # tcpdump -n -i eth0 “Do not resolve hostnames; show IP addresses”
● # tcpdump -i eth0 tcp “Capture TCP packets”
● # tcpdump -i eth0 port 22 “Capture a specific port”
● # tcpdump -i eth0 src/dst 1.2.3.4 “Capture by source/destination IP”
● # tcpdump -i eth0 src 1.2.3.4 and port not 22 “Exclude a specific port”
Linux network command
nmap - Network exploration tool and security / port scanner
● Basic Scan {ip, host}
○ $ nmap google.com
○ $ nmap 8.8.8.8
● Scan specific/entire ports
○ $ nmap -p 1-65535 localhost
○ $ nmap -p 1-1000 google.com
○ $ nmap -p 80,443 google.com
● Scan IP ranges
○ $ nmap -p 80 8.8.8.0/28
○ $ nmap -p 80 8.8.8.1-100
● Scan the most popular ports
○ $ nmap --top-ports 5 8.8.8.8
● Disable DNS name resolution
○ $ nmap -p 80 -n 8.8.8.8
● Scan TCP or UDP protocols
○ $ nmap -sT google.com
○ # nmap -sU google.com
● Detect service/daemon versions
○ $ nmap -sV localhost
What does that command-line mean?
1. Google it.
2. Manual pages
3. http://explainshell.com
Network security
Packet Filtering with iptables
iptables Concepts
TABLES
1. Filter: role is packet filtering
a. default and main table
2. NAT: role is Network Address Translation
3. Mangle: role is modifying IP headers
CHAINS
iptables places rules into predefined chains:
1. PREROUTING
2. INPUT
3. FORWARD
4. OUTPUT
5. POSTROUTING
RULES
● User-defined commands to manipulate network traffic. For example:
○ iptables -A INPUT -s 15.1.1.2 -j DROP
Iptables Structure
Iptables Process Flow
Targets and Jumps
● ACCEPT: the packet is allowed; stops further processing
● DROP: the packet is dropped silently; stops further processing
● REJECT: like the DROP target, but also returns an error message to the host that sent the packet
● LOG: logs to syslog and continues processing with the next rule
● ...
General iptables command switch
● -t <table> : {filter, nat, mangle}
● -j <target>: choose the actions {ACCEPT, DROP … }
● -F : delete all the rules of the chain
● -p <protocol-type>: {tcp, udp, icmp}
● -s <ip-address>: source ip address
● -d <ip-address>: destination ip address
● -i <interface-name>: input interface
● -o <interface-name>: output interface
iptables -t [table] -OPTION [CHAIN] [matching component] [action component]
● Tables and the chains each one has:
○ Filter: INPUT, FORWARD, OUTPUT
○ NAT: PREROUTING, POSTROUTING, OUTPUT
○ Mangle: PREROUTING, POSTROUTING, FORWARD, OUTPUT, INPUT
● Options: -A append, -I insert, -D delete, -L list, -F flush, -P policy
● Matching component: -p protocol, -s source IP, -d destination IP, -i IN interface, -o OUT interface
● Action component: ACCEPT, DROP, REJECT, LOG
Writing a Simple Rule Set
Stateful Packet Inspection (SPI)
Allow all outgoing connections but block all unwanted incoming connections
1. # iptables -P INPUT ACCEPT
2. # iptables -F
3. # iptables -A INPUT -i lo -j ACCEPT
4. # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
5. # iptables -A INPUT -p tcp --dport 22 -j ACCEPT
6. # iptables -P INPUT DROP
7. # iptables -P FORWARD DROP
8. # iptables -P OUTPUT ACCEPT
9. # iptables -L -v
1. If connecting remotely, we must first temporarily set the default policy on the INPUT chain to ACCEPT; otherwise, once we flush the current rules we will be locked out of our server.
2. We use the -F switch to flush all existing rules so we start with a clean state from which to add new rules.
3. Append (-A) to the INPUT chain a rule accepting incoming packets on the loopback interface.
4. The state module (-m state) determines whether a packet is ESTABLISHED or RELATED. ESTABLISHED and RELATED refer to incoming packets that are part of an already established connection or related to an already established connection. (What if we added NEW too? ;) )
5. Here we add a rule allowing SSH connections over TCP port 22.
6. The -P switch sets the default policy on the specified chain.
7. We set the default policy on the FORWARD chain to DROP, as we're not using our computer as a router, so there should not be any packets passing through our computer.
8. We set the default policy on the OUTPUT chain to ACCEPT, as we want to allow all outgoing traffic (we trust our users).
9. Finally, we list (-L) the rules we've just added to check they've been loaded correctly.
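The rule set above replayed as a first-match simulation, added here as an example; it is not the slides' own code and touches no real firewall. The packets it classifies are constructed, and the chain follows steps 3 to 6 of the listing: the loopback rule, the state rule, the SSH rule, then the DROP policy for anything no rule matched. It also answers the question in step 4: with NEW added to the state rule, every new inbound connection matches rule 2 and the default DROP never applies, so the firewall accepts everything.

```python
"""First-match evaluation of an iptables chain, as an added simulation (not
the slides' own code; it touches no real firewall).  It replays the slides'
INPUT rule set against constructed packets and answers the question in the
explanation: what happens if NEW is added to the state rule."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    in_iface: str
    proto: str
    dport: Optional[int]
    state: str                     # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    src: str = "203.0.113.9"       # constructed documentation-range address


@dataclass
class Rule:
    target: str                            # ACCEPT, DROP, REJECT or LOG
    in_iface: Optional[str] = None         # -i
    proto: Optional[str] = None            # -p
    dport: Optional[int] = None            # --dport
    states: Optional[frozenset] = None     # -m state --state
    src: Optional[str] = None              # -s

    def matches(self, pkt: Packet) -> bool:
        """Every specified match component must agree; unspecified ones match anything."""
        return (
            (self.in_iface is None or self.in_iface == pkt.in_iface)
            and (self.proto is None or self.proto == pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
            and (self.states is None or pkt.state in self.states)
            and (self.src is None or self.src == pkt.src)
        )


@dataclass
class Chain:
    policy: str                    # set with -P; applies when no rule matched
    rules: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def verdict(self, pkt: Packet) -> tuple[str, str]:
        """Walk the rules in order; the first terminating match decides."""
        for number, rule in enumerate(self.rules, start=1):
            if not rule.matches(pkt):
                continue
            if rule.target == "LOG":           # LOG is non-terminating: record it and go on
                self.log.append((number, pkt))
                continue
            return rule.target, f"rule {number}"
        return self.policy, "policy"


def slide_input_chain(allow_new: bool = False) -> Chain:
    """The INPUT chain from the slides (steps 3-6); allow_new adds NEW to step 4."""
    states = {"ESTABLISHED", "RELATED"}
    if allow_new:
        states.add("NEW")
    return Chain(policy="DROP", rules=[
        Rule("ACCEPT", in_iface="lo"),                         # step 3
        Rule("ACCEPT", states=frozenset(states)),              # step 4
        Rule("ACCEPT", proto="tcp", dport=22),                 # step 5
    ])


def sample_packets() -> dict[str, Packet]:
    """Constructed inbound packets used to exercise the chain."""
    return {
        "loopback":     Packet("lo", "tcp", 5432, "NEW"),
        "ssh_new":      Packet("eth0", "tcp", 22, "NEW"),
        "http_new":     Packet("eth0", "tcp", 80, "NEW"),
        "http_reply":   Packet("eth0", "tcp", 48211, "ESTABLISHED"),  # reply to our outbound request
        "icmp_related": Packet("eth0", "icmp", None, "RELATED"),
    }


def verdicts(chain: Chain) -> dict[str, str]:
    """Name -> target for every sample packet."""
    return {name: chain.verdict(pkt)[0] for name, pkt in sample_packets().items()}


if __name__ == "__main__":
    print("slides' rule set:  ", verdicts(slide_input_chain()))
    print("with NEW added:    ", verdicts(slide_input_chain(allow_new=True)))
    # Order matters: a broad DROP placed before the SSH ACCEPT wins for port 22.
    wrong = Chain("ACCEPT", [Rule("DROP", proto="tcp"), Rule("ACCEPT", proto="tcp", dport=22)])
    print("DROP before ACCEPT:", wrong.verdict(Packet("eth0", "tcp", 22, "NEW")))
```

The `wrong` chain at the end is the other lesson of step 1: rules are evaluated top to bottom and -A appends, so a rule inserted at the wrong position (or a policy changed before the rules exist) decides the verdict for everything below it.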
End of first session
Q&A
