Tuesday, July 20, 2010

♦ Datagram vs packet meaning

Note: Today I found an explanation of the difference between "Datagram" and "Packet", where "Mr.Asesino" from the website http://www.firewall.cx/ftopict-4583.html opened a new topic to ask about it, and "Smurf Forum Moderator" answered him as below:


  • Basically, his general rule of thumb for this is:
    Layer 2 - Ethernet Frames
    Layer 3 - IP Packets
    Layer 4 - Segments

But "atr2006" refers to
  • RFC 1812:


    Datagram

    The unit transmitted between a pair of internet modules. Data,
    called datagrams, from sources to destinations. The Internet
    Protocol does not provide a reliable communication facility.
    There are no acknowledgments either end-to-end or hop-by-hop.
    There is no error control, no retransmissions. There is no flow control.

    Fragment

    An IP datagram that represents a portion of a higher layer's
    packet that was too large to be sent in its entirety over the
    output network.

    Packet

    A packet is the unit of data passed across the interface between
    the Internet Layer and the Link Layer. It includes an IP header
    and data. A packet may be a complete IP datagram or a fragment
    of an IP datagram.

    IP Datagram

    An IP Datagram is the unit of end-to-end transmission in the
    Internet Protocol. An IP Datagram consists of an IP header
    followed by all of the higher-layer data (such as TCP, UDP, ICMP,
    and the like). An IP Datagram is an IP header followed by a
    message.
    An IP Datagram is a complete IP end-to-end transmission unit.
    An IP Datagram is composed of one or more IP Fragments.

    IP Fragment

    An IP Fragment is a component of an IP Datagram. An IP Fragment
    consists of an IP header followed by all or part of the higher-layer
    data of the original IP Datagram.
    One or more IP Fragments comprise a single IP Datagram.

    IP Packet

    An IP Datagram or an IP Fragment.
--------------------------------------------------------------

Sunday, July 18, 2010

♦ Ping packet decode

             The ping command on Windows 7 sends ICMP echo packets; the frame decoded below is 74 bytes long in the capture. We use ping to check that the connection to a host on the local network or on the public network is healthy, and it is the first tool to reach for when you begin troubleshooting a network problem.
             Note: The example below was tested on the Windows 7 platform, Microsoft Windows version 6.1.7600.
Directory of c:\windows\system32
   07/14/2009  08:14 AM            15,360 PING.EXE
               1 File(s)         15,360 bytes
               0 Dir(s)  294,020,849,664 bytes free
One advantage of this version is that it can be forced to use IPv4 with the option [-4] or IPv6 with [-6].

c:\windows> ping 192.168.0.6

Pinging 192.168.0.6 with 32 bytes of data:
Reply from 192.168.0.6: bytes=32 time<1ms TTL=128
Reply from 192.168.0.6: bytes=32 time<1ms TTL=128
Reply from 192.168.0.6: bytes=32 time<1ms TTL=128
Reply from 192.168.0.6: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.0.6:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Ethernet Header (14 bytes)
  IP Datagram (60 bytes)
    IP Header (20 bytes)
    IP data (40 bytes) = ICMP header (8 bytes) + 32 bytes of ping data
Fig.1 ICMP packet structure (74 bytes in total)


1. Ethernet header (14 bytes, frame offsets 0-13)

0000 00 1b 11 ea 5c b4 00 12 3f b1 15 a5 08 00 45 00 ....\...?.....E.
0010 00 3c 41 d6 00 00 80 01 00 00 c0 a8 00 08 c0 a8 .<A.............
0020 00 06 00 00 40 5c 02 00 13 00 61 62 63 64 65 66 ....@\....abcdef
0030 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 ghijklmnopqrstuv
0040 77 61 62 63 64 65 66 67 68 69 wabcdefghi
  • MAC Destination Address (0-5, 6 bytes)  - 00-1b-11-ea-5c-b4
  • MAC Source Address (6-11, 6 bytes)      - 00-12-3f-b1-15-a5
  • Ethernet Type Field (12-13, 2 bytes)    - 0x0800 (IP Datagram)


2. IP Header (20 bytes, frame offsets 14-33)
0000                                           45 00
0010 00 3c 41 d6 00 00 80 01 00 00 c0 a8 00 08 c0 a8
0020 00 06
  • IP Version (14, high nibble) - 4 (IPv4)
  • IP Header Length (14, low nibble) - Five (5) 32-bit words = 20 bytes
  • Total Length (16-17, 2 bytes) - 0x003c = 60 bytes (IP header + IP data)
  • Identification (18-19, 2 bytes) - 0x41d6
  • Flags / Fragment Offset (20-21, 2 bytes) - 0x0000 (More Fragments clear, offset 0: this packet is a complete datagram, not a fragment)
  • Time To Live (22, 1 byte) - 0x80 = 128 (the Windows default, which is why the replies above show TTL=128)
  • Protocol (23, 1 byte) - 0x01 (ICMP)
  • Header Checksum (24-25, 2 bytes) - 0x0000 (not yet filled in: this is what a capture taken on the sending host looks like when the NIC computes the checksum, so a decoder will report it as wrong)
  • Source IP Address (26-29, 4 bytes) - 192.168.0.8 (c0-a8-00-08)
  • Destination IP Address (30-33, 4 bytes) - 192.168.0.6 (c0-a8-00-06)


3. IP Data (40 bytes, frame offsets 34-73)     Internet Control Message Protocol (ICMP)
0020       00 00 40 5c 02 00 13 00 61 62 63 64 65 66 ....@\....abcdef
0030 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 ghijklmnopqrstuv
0040 77 61 62 63 64 65 66 67 68 69 wabcdefghi
  • 00     Type: 0 (Echo (ping) reply)
  • 00     Code: 0
  • 40 5c  Checksum: 0x405c [correct]
  • 02 00  Identifier: 0x0200
  • 13 00  Sequence number: 4864 (0x1300 read big-endian; Windows ping fills this field in little-endian order, so it is also shown as 19 = 0x0013)
  • Data (32 bytes): 6162636465666768696A6B6C6D6E6F707172737475767761... ("abcdefghijklmnopqrstuvwabcdefghi", the pattern Windows ping sends)
Note the direction: source 192.168.0.8, destination 192.168.0.6 and type 0 mean this frame is an echo reply that Jupitor sent to Saturn, captured on Jupitor, not one of the replies received by the ping command shown above.
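As an added example (not part of the original post), the Python below decodes the 74-byte frame from the hex dump above, recomputes both checksums, and applies the RFC 1812 vocabulary from the earlier post: the Ethernet frame carries a packet, and the flags/offset field says whether that packet is a complete IP datagram or one fragment of it. The two fragment frames are constructed for the example, not captured, and the reassemble function assumes every frame passed to it belongs to the same datagram. Only the fragment at offset 0 carries the ICMP header, which is why a filter that checks type and code per packet instead of per reassembled datagram can be slipped past by fragmenting.

```python
"""Decode the ping frame from the hex dump above and classify it in RFC 1812 terms.
Added example, not code from the original post."""
import struct

# Echo-reply frame copied byte for byte from the hex dump above (74 bytes).
PING_FRAME = bytes.fromhex(
    "001b11ea5cb400123fb115a50800"                # Ethernet: dst, src, type 0x0800
    "4500003c41d6000080010000c0a80008c0a80006"    # IPv4 header, 20 bytes
    "0000405c02001300"                            # ICMP echo reply header, 8 bytes
    "6162636465666768696a6b6c6d6e6f70"            # 32-byte payload "abcdefgh..."
    "71727374757677616263646566676869"
)
# Constructed (not captured): a 28-byte first fragment of an echo request with the
# More Fragments flag set (0x2000) and offset 0, then its last fragment (MF clear,
# offset 1 = 8 bytes in). Checksum fields are left at zero, as in the capture.
FIRST_FRAGMENT = bytes.fromhex(
    "001b11ea5cb400123fb115a50800"
    "4500001c41d6200080010000c0a80008c0a80006"
    "0800000002001300"                            # ICMP header; data continues later
)
LAST_FRAGMENT = bytes.fromhex(
    "001b11ea5cb400123fb115a50800"
    "4500001c41d6000180010000c0a80008c0a80006"
    "6162636465666768"                            # 8 data bytes, no ICMP header here
)

def inet_checksum(data):
    """RFC 1071 checksum used by both IPv4 and ICMP (odd lengths are zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_frame(frame):
    """Ethernet frame -> packet -> complete datagram or fragment (-> ICMP if present)."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4, ethertype 0x%04x" % ethertype)
    packet = frame[14:]                        # the unit handed from link layer to IP
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     hdr_csum, sip, dip) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    more_fragments = bool(flags_frag & 0x2000)
    frag_offset = (flags_frag & 0x1FFF) * 8    # the offset field counts 8-byte units
    info = {
        "eth_dst": dst.hex("-"), "eth_src": src.hex("-"),
        "version": ver_ihl >> 4, "ihl_bytes": ihl, "total_length": total_len,
        "id": ident, "ttl": ttl, "protocol": proto,
        "src": ".".join(map(str, sip)), "dst": ".".join(map(str, dip)),
        "more_fragments": more_fragments, "fragment_offset": frag_offset,
        # RFC 1812: a packet is either a complete IP datagram or one fragment of it.
        "unit": "IP fragment" if more_fragments or frag_offset else "complete IP datagram",
        "hdr_checksum_in_capture": hdr_csum,
        # Recomputed over the header with the checksum field zeroed; the capture above
        # has 0x0000 there because it was taken on the sender before the NIC filled it.
        "hdr_checksum_expected": inet_checksum(packet[:10] + b"\x00\x00" + packet[12:ihl]),
    }
    payload = packet[ihl:total_len]
    # Only offset 0 carries the ICMP header: a later fragment has no type/code to inspect.
    if proto == 1 and frag_offset == 0 and len(payload) >= 8:
        itype, icode, icsum, iid, iseq = struct.unpack("!BBHHH", payload[:8])
        info.update({
            "icmp_type": itype, "icmp_code": icode, "icmp_checksum": icsum,
            "icmp_checksum_ok": inet_checksum(payload[:2] + b"\x00\x00" + payload[4:]) == icsum,
            "icmp_id": iid, "icmp_seq_be": iseq,
            "icmp_seq_le": int.from_bytes(payload[6:8], "little"),  # how Windows ping counts
            "icmp_data": payload[8:],
        })
    return info

def reassemble(frames):
    """Join the fragments of one datagram (one or more IP fragments comprise a single
    IP datagram). Assumes all frames share src/dst/id/proto; None while a piece is missing."""
    pieces, total = {}, None
    for frame in frames:
        packet = frame[14:]
        ihl = (packet[0] & 0x0F) * 4
        total_len, flags_frag = struct.unpack("!HxxH", packet[2:8])
        offset = (flags_frag & 0x1FFF) * 8
        pieces[offset] = packet[ihl:total_len]
        if not flags_frag & 0x2000:            # the last fragment fixes the datagram length
            total = offset + len(pieces[offset])
    if total is None:
        return None
    out, pos = b"", 0
    while pos < total:
        if pos not in pieces:
            return None                        # hole: a fragment has not arrived yet
        out += pieces[pos]
        pos += len(pieces[pos])
    return out
```

decode_frame(PING_FRAME) reports the same values as the hand decode above (source 192.168.0.8, TTL 128, ICMP checksum 0x405c correct) and additionally that the IPv4 header checksum in the capture is 0x0000 where 0x778c is expected; decode_frame(LAST_FRAGMENT) returns no ICMP fields at all, and reassemble() puts the two constructed fragments back together in either order.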


Reference: another good worked example that we referred to.

Saturday, July 17, 2010

♦ Batch file command (windows 7)

#1. Simple control loop
syntax   : for /l %%X in (start, step, end) do command   (inside a batch file the loop variable is written %%X; typed directly at the prompt it is %X)
filename : runloop.bat

@echo off
rem count from 1 to 10 in steps of 2
for /l %%X in (1,2,10) do echo %%X
c:\windows>runloop [Enter]
1
3
5
7
9

#2. Apply with the "ping" command
@echo off
rem send one echo request (-n 1) to each address 192.168.0.5 through 192.168.0.10
for /l %%X in (5,1,10) do call ping 192.168.0.%%X -n 1
Description: The objective is to ping 192.168.0.5 through 192.168.0.10, where each ping command sends a single echo request, as set by the parameter "-n 1".

♦ nbtstat command windows 7

         Displays NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables for both the local computer and remote computers, and the NetBIOS name cache. Nbtstat allows a refresh of the NetBIOS name cache and the names registered with Windows Internet Name Service (WINS). Used without parameters, nbtstat displays help.

Syntax

nbtstat [-a RemoteName] [-A IPAddress] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [Interval]

All parameter see this :
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/nbtstat.mspx?mfr=true

#1. nbtstat command at the local host
     c:\windows>nbtstat -a 192.168.0.8
             or
     c:\windows>nbtstat -n
Local Area Connection:
Node IpAddress: [192.168.0.8] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    JUPITOR        <20>  UNIQUE      Registered 
    JUPITOR        <00>  UNIQUE      Registered 
    WORKGROUP      <00>  GROUP       Registered 
    WORKGROUP      <1E>  GROUP       Registered 
    WORKGROUP      <1D>  UNIQUE      Registered 
    ..__MSBROWSE__.<01>  GROUP       Registered 

    MAC Address = 00-12-3F-B1-17-A5



Fig.1 Home network topology (LAN)
In the picture above, 192.168.0.8 is Jupitor and 192.168.0.6 is Saturn.


#2. nbtstat listing remote PC on LAN

c:\windows>nbtstat -a 192.168.0.6
Local Area Connection:
Node IpAddress: [192.168.0.8] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    SATURN         <00>  UNIQUE      Registered 
    WORKGROUP      <00>  GROUP       Registered 
    SATURN         <20>  UNIQUE      Registered 
    WORKGROUP      <1e>  GROUP       Registered 

    MAC Address = 00-1B-11-EA-6C-B4


#3. nbtstat listing from NetBios remote cache

c:\windows>nbtstat -c
Local Area Connection:
Node IpAddress: [192.168.0.8] Scope Id: []

                  NetBIOS Remote Cache Name Table

        Name              Type       Host Address    Life [sec]
    ------------------------------------------------------------
    SATURN         <20>  UNIQUE          192.168.0.6         482
    SOS-NAME0710   <20>  UNIQUE          192.168.0.9         530
    DHCPPC3        <00>  UNIQUE          192.168.0.11        95

Solution: There are 3 devices on the LAN:
               - The first one is the PC named "SATURN", IP address 192.168.0.6
               - The second one is the PC named "SOS-NAME0710", IP address 192.168.0.9
               - and the last one is a printer connected to this network, IP address 192.168.0.11
Note that the cache only holds names this PC has resolved recently (the Life column counts down the seconds left), so a host that is up but has not been contacted lately will not appear in it.

Friday, July 16, 2010

♦ netsh command (windows 7)

              Netsh (network shell) is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh also provides a scripting feature that allows you to run a group of commands in batch mode against a specified computer. Netsh can also save a configuration script in a text file for archival purposes or to help you configure other servers.


#1.  show all network configuration.

c:\windows>netsh interface ip show config

Configuration for interface "Local Area Connection"
    DHCP enabled:                         Yes
    IP Address:                           192.168.0.8
    Subnet Prefix:                        192.168.0.0/24 (mask 255.255.255.0)
    Default Gateway:                      192.168.0.1
    Gateway Metric:                       0
    InterfaceMetric:                      20
    DNS servers configured through DHCP:  192.168.0.1
    Register with which suffix:           Primary only
    WINS servers configured through DHCP: None

Configuration for interface "Loopback Pseudo-Interface 1"
    DHCP enabled:                         No
    IP Address:                           127.0.0.1
    Subnet Prefix:                        127.0.0.0/8 (mask 255.0.0.0)
    InterfaceMetric:                      50
    Statically Configured DNS Servers:    None
    Register with which suffix:           Primary only
    Statically Configured WINS Servers:   None


#2. show firewall configuration on your PC.

c:\windows>netsh firewall show state

Firewall status:
-------------------------------------------------------------------
Profile                           = Standard
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = Windows Firewall
Remote admin mode                 = Disable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
No ports are currently open on all network interfaces.

IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .

#3. netsh helper

  c:\windows>netsh show helper
Helper GUID                             DLL Filename   Command
--------------------------------------  ------------   -------
{02BC1F81-D927-4EC5-8CBC-8DD65E3E38E8}  AUTHFWCFG.DLL  advfirewall
{FB10CBCA-5430-46CE-B732-079B4E23BE24}  AUTHFWCFG.DLL   consec
{35342B49-83B4-4FCC-A90D-278533D5BEA2}  AUTHFWCFG.DLL   firewall
{4BD827F7-1E83-462D-B893-F33A80C5DE1D}  AUTHFWCFG.DLL   mainmode
{4D0FEFCB-8C3E-4CDE-B39B-325933727297}  AUTHFWCFG.DLL   monitor
{A31CB05A-1213-4F4E-B420-0EE908B896CB}  PEERDISTSH.DLL  branchcache
{555EA58E-72B1-4F0A-9055-779D0F5400B2}  PEERDISTSH.DLL  smb
{00770721-44EA-11D5-93BA-00B0D022DD1F}  HNETMON.DLL     bridge
{6DC31EC5-3583-4901-9E28-37C28113656A}  DHCPCMONITOR.DLL  dhcpclient
{8A6D23B3-0AF2-4101-BC6E-8114B325FE17}  NETIOHLP.DLL    dnsclient
{8B3A0D7F-1F30-4402-B753-C4B2C7607C97}  FWCFG.DLL     firewall
{44F3288B-DBFF-4B31-A86E-633F50D706B3}  NSHHTTP.DLL    http
{0705ECA1-7AAC-11D2-89DC-006008B0E5B9}  IFMON.DLL       interface
{1C151866-F35B-4780-8CD2-E1924E9F03E1}  NETIOHLP.DLL    6to4
{97C192DB-A774-43E6-BE78-1FABD795EEAB}  NETIOHLP.DLL    httpstunnel
{725588AC-7A11-4220-A121-C92C915E8B73}  NETIOHLP.DLL    ipv4
{500F32FD-7064-476B-8FD6-2171EA46428F}  NETIOHLP.DLL    ipv6
.......
.......
....... (more)

#4. Display / gather info.
Data gathering commands of the "netsh firewall" context:

Command                 Description
show allowedprogram     Displays the allowed programs.
show config             Displays the detailed local configuration information.
show currentprofile     Displays the current profile.
show icmpsetting        Displays the ICMP settings.
show logging            Displays the logging settings.
show opmode             Displays the operational mode.
show portopening        Displays the excepted ports.
show service            Displays the services.
show state              Displays the current state information.
show notifications      Displays the current settings for notifications.
example:
    > netsh firewall show allowedprogram
    > netsh firewall show config
    > netsh firewall show logging
As the warning above says, "netsh firewall" is deprecated on Windows 7; the same information is available from the "netsh advfirewall" context, for example "netsh advfirewall show allprofiles" for the profile state and "netsh advfirewall firewall show rule name=all" for the rules.

Thursday, July 15, 2010

♦ How to get the MAC address of a remote PC

#1. Use the arp command to find the MAC address of a remote PC.
c:\windows> arp -a 192.168.0.6
Interface: 192.168.0.8 --- 0xc
  Internet Address      Physical Address      Type
  192.168.0.6           00-1b-11-ea-5c-b4     dynamic   

Resolution:
  • The MAC address is the unique number of a network interface card (NIC).
  • It is 6 bytes (48 bits) long, and the first three octets (in transmission order) identify the organization that issued the NIC (the OUI).
  • The "arp" command displays the Address Resolution Protocol (ARP) cache, which maps IP addresses to media access control (MAC) addresses. It only lists entries already in the cache, so ping the host first if it is not shown, and it only works for hosts on the same subnet, since ARP does not cross routers.
  • If you want to know your own MAC address, use the command "ipconfig -all".
  • If you want to check the format of a MAC address, here is a web link: http://www.techzoom.net/tools/check-mac.en


#2. Use the "nbtstat" command to find the MAC address of a remote PC.

c:\windows>nbtstat -a 192.168.0.9

Local Area Connection:
Node IpAddress: [192.168.0.8] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    SOS-NAME0710   <00>  UNIQUE      Registered 
    SOS-NAME0710   <20>  UNIQUE      Registered 
    SOS            <00>  GROUP       Registered 
    SOS            <1E>  GROUP       Registered 
    SOS            <1D>  UNIQUE      Registered 
    ..__MSBROWSE__.<01>  GROUP       Registered 

    MAC Address = 00-1C-26-CB-2A-85


Solution: Our PC is 192.168.0.8. Enter the command "nbtstat -a 192.168.0.9" and press [Enter], where 192.168.0.9 is the target whose MAC address we want to know. In addition you get the name of the target PC, "SOS-NAME0710". Unlike arp, nbtstat queries the target over UDP port 137 (the NetBIOS name service), so it also works across routers, provided NetBIOS over TCP/IP is enabled on the target and its firewall does not block the port.
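As an added example that is not from the original post, the Python below turns the nbtstat and arp listings shown on this page (the nbtstat section above and the two MAC lookups here) into one host inventory: it decodes the NetBIOS suffixes (<00>, <20>, <1D>, ...) into roles with the standard suffix table and cross-checks the MAC address each tool reports. The listings are copied from the page; the arp row for 192.168.0.9 is constructed so that host has an ARP entry to compare. Note that the page's own listings disagree for SATURN: arp -a (and the Ethernet header in the ping decode) show 00-1b-11-ea-5c-b4 while nbtstat -a shows 00-1B-11-EA-6C-B4, one hex digit apart. The cross-check flags exactly that; on a live network such a mismatch is the cue to look for a typo, a host with two adapters, or a machine answering one protocol on behalf of another.

```python
"""Host inventory from nbtstat/arp output with an ARP-vs-NetBIOS MAC cross-check.
Added example, not code from the original post."""
import re

# NetBIOS suffix roles (Microsoft KB 163409), keyed by (suffix, name type).
SUFFIX_ROLES = {
    ("00", "UNIQUE"): "Workstation Service (host name)",
    ("00", "GROUP"): "Workgroup or domain name",
    ("03", "UNIQUE"): "Messenger Service",
    ("20", "UNIQUE"): "File Server Service (SMB shares offered)",
    ("1B", "UNIQUE"): "Domain Master Browser",
    ("1D", "UNIQUE"): "Master Browser for this subnet",
    ("1E", "GROUP"): "Browser Service Elections",
    ("01", "GROUP"): "Master Browser (__MSBROWSE__)",
}
MAC = r"([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})"
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
NAME_ROW = re.compile(r"^\s*(.+?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)", re.M)
CACHE_ROW = re.compile(r"^\s*(.+?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+" + IP + r"\s+(\d+)", re.M)
ARP_ROW = re.compile(r"^\s*" + IP + r"\s+" + MAC + r"\s+(\w+)", re.M)
MAC_LINE = re.compile(r"MAC Address\s*=\s*" + MAC)

# Listings copied from this page: 'nbtstat -c' on Jupitor and 'nbtstat -a' for two hosts.
NBT_CACHE = """\
    SATURN         <20>  UNIQUE          192.168.0.6         482
    SOS-NAME0710   <20>  UNIQUE          192.168.0.9         530
    DHCPPC3        <00>  UNIQUE          192.168.0.11        95
"""
REMOTE_TABLES = {
    "192.168.0.6": """\
    SATURN         <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    SATURN         <20>  UNIQUE      Registered
    WORKGROUP      <1e>  GROUP       Registered
    MAC Address = 00-1B-11-EA-6C-B4
""",
    "192.168.0.9": """\
    SOS-NAME0710   <00>  UNIQUE      Registered
    SOS-NAME0710   <20>  UNIQUE      Registered
    SOS            <00>  GROUP       Registered
    SOS            <1E>  GROUP       Registered
    SOS            <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    MAC Address = 00-1C-26-CB-2A-85
""",
}
# 'arp -a' as on this page for 192.168.0.6; the 192.168.0.9 row is constructed.
ARP_TABLE = """\
Interface: 192.168.0.8 --- 0xc
  Internet Address      Physical Address      Type
  192.168.0.6           00-1b-11-ea-5c-b4     dynamic
  192.168.0.9           00-1c-26-cb-2a-85     dynamic
"""

def parse_nbtstat_a(text):
    """'nbtstat -a' output: registered names with decoded roles, plus the adapter MAC."""
    names = [{"name": n.strip(), "suffix": s.upper(), "type": t,
              "role": SUFFIX_ROLES.get((s.upper(), t), "unknown")}
             for n, s, t, _status in NAME_ROW.findall(text)]
    m = MAC_LINE.search(text)
    return {"names": names, "mac": m.group(1).lower() if m else None}

def parse_nbtstat_c(text):
    """'nbtstat -c' output: {ip: name} for the remote names currently cached."""
    return {ip: n.strip() for n, _s, _t, ip, _life in CACHE_ROW.findall(text)}

def parse_arp_a(text):
    """'arp -a' output: {ip: mac}; only neighbours already in the ARP cache appear."""
    return {ip: mac.lower() for ip, mac, _type in ARP_ROW.findall(text)}

def inventory(cache_text, arp_text, remote_tables):
    """Merge the three views per host and flag ARP/NetBIOS MAC disagreements."""
    arp, hosts = parse_arp_a(arp_text), []
    for ip, name in parse_nbtstat_c(cache_text).items():
        nbt = parse_nbtstat_a(remote_tables.get(ip, ""))
        suffixes = {n["suffix"] for n in nbt["names"]}
        h = {"ip": ip, "name": name, "arp_mac": arp.get(ip), "nbt_mac": nbt["mac"],
             "smb_server": "20" in suffixes, "master_browser": "1D" in suffixes}
        # ARP answers with one MAC and NetBIOS reports another: typo, second adapter, or spoofing.
        h["mac_mismatch"] = None not in (h["arp_mac"], h["nbt_mac"]) and h["arp_mac"] != h["nbt_mac"]
        hosts.append(h)
    return hosts
```

inventory(NBT_CACHE, ARP_TABLE, REMOTE_TABLES) yields three hosts: SATURN with mac_mismatch set (the one-digit difference between the two listings), SOS-NAME0710 as the subnet's master browser with matching MACs, and DHCPPC3, for which neither tool returned a MAC, so no comparison is made.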

♦ netstat command on windows 7

             Displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols). Used without parameters, netstat displays active TCP connections.

Syntax


netstat [-a] [-e] [-n] [-o] [-p Protocol] [-r] [-s] [Interval]
-a : Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.
-e : Displays Ethernet statistics.
-n : Displays addresses and port numbers in numerical form instead of resolving names.
-o : Displays the process ID (PID) that owns each connection (look the PID up with tasklist).
-p : Shows connections for the protocol specified by Protocol (TCP, UDP, TCPv6 or UDPv6; combined with -s also IP, IPv6, ICMP or ICMPv6).
-s : Displays statistics by protocol.
-r : Displays the contents of the IP routing table. This is equivalent to the route print command.
/? : Displays help at the command prompt.

c:\windows>netstat
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.0.8:49290      hx-in-f191:http        ESTABLISHED
  TCP    192.168.0.8:49291      tx-in-f100:http        ESTABLISHED
  TCP    192.168.0.8:49292      ni-in-f104:http        ESTABLISHED

c:\windows>netstat -a
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             jupitor:0              LISTENING
  TCP    0.0.0.0:135            jupitor:0              LISTENING
  TCP    0.0.0.0:445            jupitor:0              LISTENING
  TCP    0.0.0.0:554            jupitor:0              LISTENING
  TCP    192.168.0.8:49290      hx-in-f191:http        ESTABLISHED
  TCP    [::]:135               jupitor:0              LISTENING
  TCP    [::]:445               jupitor:0              LISTENING
  TCP    [::]:554               jupitor:0              LISTENING
  TCP    [::]:2869              jupitor:0              LISTENING
  UDP    0.0.0.0:3544           *:*                    
  UDP    0.0.0.0:3702           *:*                    
  UDP    0.0.0.0:3702           *:*   


c:\windows> netstat -ao
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             jupitor:0              LISTENING       1516
  TCP    0.0.0.0:135            jupitor:0              LISTENING       740
  TCP    0.0.0.0:445            jupitor:0              LISTENING       4
  TCP    0.0.0.0:554            jupitor:0              LISTENING       3200
  TCP    0.0.0.0:2869           jupitor:0              LISTENING       4
  TCP    0.0.0.0:3306           jupitor:0              LISTENING       1672
  TCP    192.168.0.8:139        jupitor:0              LISTENING       4
  TCP    192.168.0.8:49290      hx-in-f191:http        ESTABLISHED     4460

c:\windows> netstat -pa TCP
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             jupitor:0              LISTENING
  TCP    0.0.0.0:135            jupitor:0              LISTENING
  TCP    0.0.0.0:445            jupitor:0              LISTENING
  TCP    0.0.0.0:554            jupitor:0              LISTENING
  TCP    0.0.0.0:2869           jupitor:0              LISTENING
  TCP    192.168.0.8:139        jupitor:0              LISTENING

c:\windows>netstat -pa UDP
Active Connections

  Proto  Local Address          Foreign Address        State
  UDP    0.0.0.0:3544           *:*                    
  UDP    127.0.0.1:1900         *:*                    
  UDP    127.0.0.1:52128        *:*                    
  UDP    127.0.0.1:59552        *:*                    
  UDP    127.0.0.1:59792        *:*                    
  UDP    192.168.0.8:137        *:*                    
  UDP    192.168.0.8:138        *:*                    
  UDP    192.168.0.8:1900       *:*                    
  UDP    192.168.0.8:54193      *:*                    
  UDP    192.168.0.8:59551      *:*                    

c:\windows>netstat -an | find /i "listening"
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:554            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING

c:\windows>netstat -an | find /i "established"
  TCP    192.168.0.8:445        192.168.0.6:1085       ESTABLISHED
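As an added example (not from the original post), the Python below parses "netstat -ano" output and extracts what a triage script wants from it: which sockets are bound on every interface, which of those fall outside an assumed known-good baseline, which established sessions are inbound to a server port, and which PID to resolve with tasklist. The sample text is built from the listings above; the foreign address 203.0.113.191, the UDP PIDs, the PID of the inbound SMB session and the baseline set are constructed for the example (the baseline is the set of Windows 7 default ports visible in this page's own listings, so 80 and 3306, the MySQL default port, come out as not in baseline).

```python
"""Parse 'netstat -ano' and pull out what a host triage needs.
Added example, not code from the original post."""
import re
from collections import defaultdict, namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")

# One row: proto, local addr:port, foreign addr:port, optional state (UDP has none), PID.
ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$", re.M)
WILDCARD = {"0.0.0.0", "[::]"}           # bound on every IPv4 / IPv6 interface

# Built from the listings above. The foreign address 203.0.113.191, the UDP PIDs and
# the PID of the inbound SMB session are constructed for this example.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1516
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       740
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:554            0.0.0.0:0              LISTENING       3200
  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       1672
  TCP    192.168.0.8:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.0.8:445        192.168.0.6:1085       ESTABLISHED     4
  TCP    192.168.0.8:49290      203.0.113.191:80       ESTABLISHED     4460
  TCP    [::]:135               [::]:0                 LISTENING       740
  UDP    0.0.0.0:3544           *:*                                    1100
  UDP    192.168.0.8:137        *:*                                    4
"""
# Assumed known-good baseline: the Windows 7 default ports seen in the listings above.
BASELINE = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("TCP", 554), ("TCP", 2869),
            ("TCP", 5357), ("UDP", 137), ("UDP", 138), ("UDP", 3544)}

def parse_netstat(text):
    """Rows of 'netstat -ano' as Conn records; ports become ints and '*' becomes None."""
    def port(p):
        return None if p == "*" else int(p)
    return [Conn(proto, lip, port(lp), rip, port(rp), state, int(pid))
            for proto, lip, lp, rip, rp, state, pid in ROW.findall(text)]

def wildcard_listeners(conns):
    """(proto, port, pid) for sockets reachable on every interface: TCP LISTENING or bound UDP."""
    out = set()
    for c in conns:
        listening = c.state == "LISTENING" if c.proto == "TCP" else True
        if listening and c.local_ip in WILDCARD:
            out.add((c.proto, c.local_port, c.pid))
    return sorted(out)

def unexpected_listeners(conns, baseline):
    """Wildcard listeners whose (proto, port) is not in the baseline: explain these first."""
    return [l for l in wildcard_listeners(conns) if (l[0], l[1]) not in baseline]

def inbound_sessions(conns, server_ports):
    """ESTABLISHED sessions where the local side is a server port, i.e. someone connected to us."""
    return [c for c in conns if c.state == "ESTABLISHED" and c.local_port in server_ports]

def ports_by_pid(conns):
    """{pid: {(proto, port)}} so each PID can be resolved with 'tasklist /svc /fi "pid eq N"'."""
    out = defaultdict(set)
    for c in conns:
        out[c.pid].add((c.proto, c.local_port))
    return dict(out)

if __name__ == "__main__":
    conns = parse_netstat(SAMPLE)
    print("not in baseline:", unexpected_listeners(conns, BASELINE))
    print("inbound SMB sessions:",
          [(c.remote_ip, c.remote_port, c.pid) for c in inbound_sessions(conns, {139, 445})])
```

On the sample, unexpected_listeners() returns TCP 80 (PID 1516) and TCP 3306 (PID 1672), inbound_sessions() returns the one SMB session from 192.168.0.6 shown at the end of the listings, and ports_by_pid()[4] lists the ports held by the System process. Save real output with "netstat -ano > netstat.txt" and feed the file to parse_netstat(); the -n is what keeps the addresses numeric so the regular expression matches.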