Software Developers
Showing results for 
Search instead for 
Do you mean 

Sniffing System Startup

mrohad on ‎05-08-2013 08:10 AM

We are used to having all computers, cell phones, and other devices connected to the network.  How does that connection happen? It is interesting to monitor a system from the moment it boots up until it is fully connected to the outside world, and see which protocols are involved in the process.

My laptop setup uses CentOS-5.6 starting inside VirtualBox (https://www.virtualbox.org/). To capture the packets, I use Wireshark (http://www.wireshark.org/).

The VM network adapter  is configured in Bridged mode (see the following image). This way, all the traffic goes through a physical device on the host machine - my laptop in this case.  

 

 

Note the MAC address given to the VM: 08:00:27:F2:41:7B.

Having everything set, I start recording the traffic in Wireshark, and launch CentOS.

Wireshark captures all the traffic that goes through the physical device. So I filter the traffic using the previously noted MAC address: eth.addr==08:00:27:F2:41:7B. The resulting capture file (a copy of which is attached) looks like this:

 

 

The first packet is a DHCP (Dynamic Host Configuration Protocol) request. This is how the CentOS machine asks for a new IP address. The request is sent, of course, as a broadcast (Ethernet address FF:FF:FF:FF:FF:FF; IP address 255.255.255.255), since it does not know whom to ask. The DHCP request is sent by UDP packet and uses standard port numbers: 67 for destination, and 68 for source.

Among other items, the DHCP request contains a list of parameters that the host is hoping to get in response:

 

In the second packet (as you can see in the image above) the request is repeated; UDP is not a reliable protocol, and the original request might be lost. You should appreciate the patience shown by CentOS; it waited 5.7 seconds for an answer - much longer than the response time most of us expect from any web site!

And finally an HDCP response (an offer) is received:

 

Note that it contains the IP address to be used by the host (16.60.217.217), lease time, renewal policy, and also the IP addresses of two DNS servers: 16.110.135.51/2. The host happily accepts such a generous offer.

But one piece of information is still missing: the Host Name. This was neither returned by DHCP nor configured on CentOS itself. So, in packet 14 it tries its luck with a reverse DNS query. (Fortunately, we already have the DNS server’s IP address.)

 

Note that a special format of a host name is being used: 127.127.60.16.in-addr.arpa. This is  created from the IP address of the host, but with the order of the octets reversed, and a standard in-addr.arpa suffix. Unfortunately,  , meaning the machine has no option but to use “localhost” as the Host Name.

Also note that the request was sent to the 16.110.135.52 DNS server. But how could the host know what MAC address it should put in the Ethernet frame? Packet 8 is an ARP (Address Resolution Protocol) request, asking for the MAC address of 16.60.216.1. CentOS knows that the DNS server is located in a different network subnet (based on the subnet mask), so it uses the MAC address of the router (also known from the DHCP response) to send packets to the outside world.

This overview gives you an idea how a newly booted computer finds itself in the network world. You might find it worthwhile  to look at the next packets in the capture file and figure out such queries as:

  • Why does CentOS send an IGMP request to 224.0.0.251?
  • What is the 224.0.0.251 IP address?
  • Why does it believe MDNS will achieve better results?
  • How (later in the process, while being logged in) does it look for updates on CentOS mirror sites?

A short time using Google should provide all the answers!

 

This article has been written by Michael Gopshtein

 

0 Kudos
About the Author

mrohad

Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Events
Aug 29 - Sep 1
Boston, MA
HPE Big Data Conference 2016
Attend HPE’s Big Data Conference to learn from peers in every industry and hear from Big Data experts and thought leaders in an exciting, energy fille...
Read more
Sep 13-16
National Harbor, MD
HPE Protect 2016
Protect 2016 is our annual conference and is the place to meet the world’s top information security talent, discuss new products and share information...
Read more
View all