Understanding Networks Wk 5-7: Packet Sniffing

STEP 1: Packet Sniffing With Wireshark (~5 Hours)

I used Wireshark to capture and analyze the traffic on my home network. I left it running while I worked on other projects that required me to look up a bunch of sites for help (youtube, stack overflow, random blogs, unity’s documentation site). This step was done so I could get an overview of what a typical working session looks like on my home network. After this, I exported the data (which was way too large – a total of around 1 million data points, 300 MB) as a CSV. Then I used Excel to do a little data analysis.

[Screenshot: snippet of Excel sheet with summary]

a.) With Excel, I grouped all the protocols then got all the unique values.
There are 22 unique protocols.

  • ARP: Address Resolution Protocol; “is a procedure for mapping a dynamic Internet Protocol address (IP address) to a permanent physical machine address in a local area network (LAN)”
  • Browser
  • DB-LSP: Dropbox LanSync Protocol
  • DB-LSP-DISC: Dropbox LAN Sync Discovery
  • DNS: Domain Name System; “the phonebook of the Internet; DNS translates domain names to IP addresses so browsers can load Internet resources.”
  • EAPOL: “Extensible Authentication Protocol (EAP) over LAN (EAPoL) is a network port authentication protocol”
  • H1: “is a bi-directional communications protocol used for communications among field devices and to the control system”
  • HTTP: HyperText Transfer Protocol
  • HTTP/XML
  • ICMP: “(Internet Control Message Protocol) is an error-reporting protocol network devices like routers use to generate error messages to the source IP address when network problems prevent delivery of IP packets.”
  • ICMPv6: v6 of ICMP
  • IGMPv3: “Internet Group Management Protocol (IGMP) is the protocol used by IPv4 devices to report their IP multicast group memberships to neighboring multicast devices.”
  • MDNS: “multicast DNS protocol resolves hostnames to IP addresses within small networks that do not include a local name server.”
  • NBNS: “stands for NetBIOS Name Service, which is a protocol for name resolution.”
  • NTP: “is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks.”
  • OCSP: “Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate”
  • SSDP: “(SSDP) is a network protocol based on the Internet protocol suite for advertisement and discovery of network services and presence information.”
  • SSLv2: “is an obsolete version of SSL that has been deprecated since 2011 due to having security flaws.”
  • TCP: Transmission Control Protocol (explained elsewhere in blog)
  • TLSv1.2: TLSv1.2 is the newest SSL protocol version
  • TLSv1.3: rewrite of TLSv1.2.
  • UDP: User Datagram Protocol (explained elsewhere in blog)

b.) Then I filtered and organized the destinations (outbound).
There are 981 unique destinations.

The top 3 destinations are:

c.) I did the same for the source (incoming).
There are 970 unique sources.

The top 3 sources are:

d.) HTTP traffic: 


  • Observations from HTTP Packets:
    • Total HTTP Packets: 18457
    • Of the 18457, Response Packets: 779 (4.22%); Request Packets: 17512 (94.88%)
    • Of the 779 Response Packets: 3 Client Errors, 115 Redirection, 661 Success
    • I’m noticing the info HTTP/1.1 200 comes up a lot. Found out that “200 OK” means that everything went well and I was able to connect to the server.
  • Definitions (for personal understanding)
    • HTTP found at Layer 7 of OSI model (Application)
    • When I upload data to a web server, I am creating a POST packet. This requires a 3-way handshake: from client to server then back again.
    • Burst: the maximum number of packets sent per interval of time. 
    • Burst start: the time when the maximum number of packets sent occurred.
    • GET: Used when the client is requesting a resource on the Web server.
    • HEAD: Used when the client is requesting some information about a resource but not requesting the resource.
    • POST: Used when the client is sending information or data to the server—for example, filling out an online form (i.e. Sends a large amount of complex data to the Web Server).
    • PUT: Used when the client is sending a replacement document or uploading a new document to the Web server under the request URL.
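The grouping and counting done above in Excel can also be scripted directly over the Wireshark CSV export. The following is an added example (mine, not part of the original post) that uses a constructed ten-row sample in the column layout Wireshark’s “Export Packet Dissections > As CSV” produces, and counts unique protocols, top sources and destinations, and the HTTP request/response split by status class; the sample addresses and the `summarize` function name are my assumptions.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample rows in the column layout of Wireshark's
# "Export Packet Dissections > As CSV" (No., Time, Source, Destination, Protocol, Length, Info).
SAMPLE_CSV = '''"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000","192.168.1.10","8.8.8.8","DNS","74","Standard query 0x1a2b A example.com"
"2","0.021","8.8.8.8","192.168.1.10","DNS","90","Standard query response 0x1a2b A 93.184.216.34"
"3","0.030","192.168.1.10","93.184.216.34","HTTP","312","GET /index.html HTTP/1.1"
"4","0.055","93.184.216.34","192.168.1.10","HTTP","1020","HTTP/1.1 200 OK  (text/html)"
"5","0.060","192.168.1.10","93.184.216.34","HTTP","280","GET /old.png HTTP/1.1"
"6","0.080","93.184.216.34","192.168.1.10","HTTP","410","HTTP/1.1 301 Moved Permanently"
"7","0.100","192.168.1.10","93.184.216.34","HTTP","270","GET /missing HTTP/1.1"
"8","0.120","93.184.216.34","192.168.1.10","HTTP","350","HTTP/1.1 404 Not Found"
"9","0.200","Apple_12:34:56","Broadcast","ARP","42","Who has 192.168.1.1? Tell 192.168.1.10"
"10","0.300","192.168.1.10","93.184.216.34","TLSv1.2","583","Client Hello"
'''

STATUS_CLASSES = {"1": "Informational", "2": "Success", "3": "Redirection",
                  "4": "Client Error", "5": "Server Error"}
# A response row's Info starts with the status line ("HTTP/1.1 200 OK"),
# a request row's with the method ("GET /index.html HTTP/1.1").
RESPONSE_RE = re.compile(r"^HTTP/\d\.\d (\d)\d\d")

def summarize(csv_text, top_n=3):
    """Protocol set, top talkers and the HTTP request/response split."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    protocols = Counter(r["Protocol"] for r in rows)
    destinations = Counter(r["Destination"] for r in rows)
    sources = Counter(r["Source"] for r in rows)
    http = [r for r in rows if r["Protocol"] == "HTTP"]
    status_classes, requests = Counter(), 0
    for r in http:
        m = RESPONSE_RE.match(r["Info"])
        if m:
            status_classes[STATUS_CLASSES.get(m.group(1), "Other")] += 1
        else:
            requests += 1
    return {
        "unique_protocols": len(protocols),
        "protocols": dict(protocols),
        "top_destinations": destinations.most_common(top_n),
        "top_sources": sources.most_common(top_n),
        "http_packets": len(http),
        "http_requests": requests,
        "http_responses": sum(status_classes.values()),
        "http_status_classes": dict(status_classes),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```

On a real export, replace SAMPLE_CSV with the file contents; rows whose Info column Wireshark truncates still classify correctly because only its prefix is inspected.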
STEP 2: Specific Activities Captured on Wireshark

After capturing hours of data (Step 1), I then ran a couple of experiments to see what would show up if I performed specific internet activities such as going to streaming services, uploading files, and downloading files.

a.) What would I find if I uploaded a video onto Vimeo?

  • I noticed that when uploading to Vimeo (I know this because the source says: “emilys-MBP….”) the protocol is usually UDP. This makes sense because the video is a large data file, so it would benefit from the faster speed of UDP. However, how is it possible to ensure that my video data gets transferred reliably, since that is one of the main drawbacks of UDP? I’ve usually had good success with uploading to Vimeo and don’t have any issues with not getting my data sent. Is there a way they ensure it is transferred properly? I read on the site below that: “Although it (UDP) still has certain drawbacks that prevent it from being used in all applications, there have been great advancements in improving its stability and reliability.” Perhaps UDP file transfers are improving and that is why I rarely experience Vimeo issues? (*Reference for UDP/TCP: https://www.keycdn.com/support/udp-file-transfer)
[Screenshot: source: my network | destination: vimeo]

  • When Vimeo is sending to my network, the transfer is using TCP or TLSv1.2. This does make sense since Vimeo isn’t sending me a large file back.
    • TLSv1.2: TLS stands for Transport Layer Security. It is a way to transfer information securely. (*Reference: https://www.appointmentplus.com/blog/top-8-things-know-about-tls-1-2/)
    • The TLSv1.2 version was required for any site by PCI (payment card industry) on June 30, 2018. Apparently, PCI requires sites to upgrade to the newer version, or sites risk putting users’ data at risk. Wow, who knew?!
[Screenshot: source: vimeo | destination: my network]

b.) What would I find if I downloaded something from the browser?

Then I wanted to see what packets would appear if I downloaded a file from the internet. So, I went to a course github page and downloaded that repo. I chose not to use SSH. I wonder if this would’ve made a difference?

[Screenshot: results from downloading a file from GitHub]

  • Most of the protocol traffic is TCP, and the info section often says [TCP Keep-Alive]. The sources that come up consistently on GitHub’s side are “github.map.fastly.net” and “api.github.com”.
    • Fastly is a CDN (Content Delivery Network) so there is no need to worry.
    • When looking into api.github.com, I found this helpful page: https://developer.github.com/v3/. According to their site, all API access is over HTTPS. All data is sent and received as JSON. The page also mentions: “By default, all requests to https://api.github.com receive the v3 version of the REST API.” This leads me to my next question…
  • What is REST API?

c.) What would happen if I visited sites of other countries?

I was also curious what would happen if I tried to visit a website from another country like Taiwan or Iran. I first checked this Taiwanese design site: https://www.oniondesign.com.tw.


For Iran, I checked this site: http://footballitarin.com. This is what immediately came up in Wireshark.

[Screenshot: what came up immediately when I went to this Iranian site]

  • “eu-u.openx.net” came up a lot when I clicked. Discovered that us-U.Openx.Net is a high-risk domain. It acts as a browser hijacker infection. It can invade your system when you visit a risky web site, install unsafe freeware or open spam email attachments. That’s not good.
  • “ds.dotomi.com” came up many times as well and I wanted to check it out. According to this site: https://malwaretips.com/blogs/remove-cj-dotomi-com/, if your browser is constantly redirected to this Cj.dotomi.com site, then it is possible that you have an adware program installed on your computer. It’s a malicious program; once installed, your browser may get many unwanted ads or pop-ups. Beware!

d.) What’s with all these different types of TCPs? Observations from these steps: what is TCP Dup ACK? What do TCP Out-of-Order, TCP Keep-Alive, and TCP Retransmission mean? They always seem to be colored in black when related to TCP, but not just a normal TCP; there is always a message in the “info” section. This video helps break it down: https://www.youtube.com/watch?v=tjZ2IgiG2PU

  • TCP will judge the need for retransmission based on the RTO, or retransmission timeout. If a packet never receives an acknowledgement in a given time frame, it is retransmitted. If it is constantly showing TCP Retransmission, that means that no acknowledgement was received.
  • TCP Duplicate Acknowledgements mean that packets were received out of order. All TCP connections start with an initial sequence number (ISN) and each packet after that will go up by the size of its data payload. Ex: If my computer has an ISN of 1000 and I send data with 200 bytes, then my acknowledgment should be 1200. Next ISN should be 1200.
  • TCP Keep-Alive: the two main purposes of keepalive are to check for dead peers and to prevent disconnection due to network inactivity.
[Screenshot: example of the TCP Dup ACK]
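To make the sequence-number arithmetic and the Wireshark labels above concrete, here is an added example (mine, not from the original post and not Wireshark’s own code) that walks a constructed trace of one connection and labels each segment with a simplified version of those rules. The `Segment`/`FlowState` names, the trace and the exact label texts are my assumptions, and the heuristics are a teaching model rather than Wireshark’s actual analysis algorithm.

```python
from dataclasses import dataclass, field

@dataclass
class Segment:
    sender: str  # "C" (client) or "S" (server)
    seq: int     # sequence number of the first payload byte
    ack: int     # next byte the sender expects from its peer
    length: int  # payload bytes; 0 for a pure ACK

@dataclass
class FlowState:
    next_seq: dict = field(default_factory=dict)  # sender -> next expected seq
    sent: dict = field(default_factory=dict)      # sender -> seqs already sent
    last_ack: dict = field(default_factory=dict)  # sender -> (ack, repeat count)

def classify(seg, st):
    """Label one segment roughly as Wireshark's expert info would (simplified)."""
    nxt = st.next_seq.get(seg.sender)
    # Keep-alive: a 0/1-byte probe sitting one byte below the next expected seq.
    if nxt is not None and seg.length <= 1 and seg.seq == nxt - 1:
        return "TCP Keep-Alive"
    if seg.length == 0:
        # A pure ACK repeating the previous ack number means the receiver is
        # still asking for the same missing byte: Wireshark's Dup ACK.
        prev, count = st.last_ack.get(seg.sender, (None, 0))
        if prev == seg.ack:
            st.last_ack[seg.sender] = (seg.ack, count + 1)
            return f"TCP Dup ACK #{count + 1}"
        st.last_ack[seg.sender] = (seg.ack, 0)
        return "normal"
    st.last_ack[seg.sender] = (seg.ack, 0)
    sent = st.sent.setdefault(seg.sender, set())
    if nxt is None or seg.seq == nxt:
        label = "normal"  # exactly the byte we expected next
    elif seg.seq < nxt:   # older than expected: a repeat, or a late arrival
        label = "TCP Retransmission" if seg.seq in sent else "TCP Out-Of-Order"
    else:                 # jumped ahead: something in between was never seen
        label = "TCP Previous segment not captured"
    sent.add(seg.seq)
    st.next_seq[seg.sender] = max(nxt or 0, seg.seq + seg.length)
    return label

def analyze(segments):
    st = FlowState()
    return [classify(s, st) for s in segments]

# Constructed trace of one connection: client ISN 1000, 200-byte payloads.
TRACE = [
    Segment("C", 1000, 5000, 200), Segment("S", 5000, 1200, 0),   # ISN 1000 + 200 -> ack 1200
    Segment("C", 1200, 5000, 200), Segment("C", 1600, 5000, 200),  # seq 1400 never captured
    Segment("S", 5000, 1400, 0), Segment("S", 5000, 1400, 0), Segment("S", 5000, 1400, 0),
    Segment("C", 1400, 5000, 200), Segment("S", 5000, 1800, 0),    # late arrival, then acked
    Segment("C", 1600, 5000, 200), Segment("C", 1799, 5000, 1),    # resent after RTO; keep-alive
]
```

Calling `analyze(TRACE)` yields the sequence normal, normal, normal, previous segment not captured, normal, Dup ACK #1, Dup ACK #2, Out-Of-Order, normal, Retransmission, Keep-Alive, which is the same progression the screenshot above shows for a lost segment.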
Super basic questions just to help me understand Wireshark, packet sniffing, and this assignment:

  • What is Wireshark? What exactly is it doing?
    • Series of data are considered frames, which are considered packets
    • Wireshark can detect and decode the packets for analysis.
    • Data is converted into packets when it passes through your network interfaces. Wireshark hunts for those packets in the TCP/IP layer during transmission and keeps what it finds.


Other resources I stumbled upon while researching:

Live Web Wk6: Midterm

Both are a work in progress, hoping to have a better “play” page soon: 

Code with socket io: https://github.com/emilylin-itp/live-web/tree/gh-pages/midterm/midterm_soundcolor_v13_wsocket

All code versions, including the mini tests I did for the oscillating sine waves + sound. (I know I’m not using GitHub properly, but this really helps me keep track of the different versions in a tangible way. Will aim to use GitHub better in the future): https://github.com/emilylin-itp/live-web/tree/gh-pages/midterm

Credits:

Biggest thank you to Professor Shawn for helping me squash many bugs and explaining things so well! So much appreciation.

Screenshots of Process:

a.) Preliminary research online. Found some helpful diagrams.


b.) First tried to code oscillating sine waves with varying frequencies. Also included a make frequency sound on hover function. Very bare bones test.


c.) Rough sketch design for the site.


d.) Tried a bunch of things out with making sine waves, used the Web Audio API, and really tried to understand how socket.io works. I worked on the HTML, CSS + JS part first before doing the socket.io stuff. I definitely need more time to work on the “play” page.

Questions + Answers:

  • Why does the oscillator.stop() work when I do mouseout? Read somewhere that you can not call the “start()” function for oscillators more than once? True??? https://blog.szynalski.com/2014/04/web-audio-api/
    • Answer (Thank you Professor Shawn!): Yes! Need to create the oscillator each time! Also need to go through a for loop to stop all elements.
  • I was trying to make the sine waves animate when user clicks. The “clearRect()” in javascript allows for animations because it redraws the background BUT it makes a white background. So I couldn’t overlap the sine waves without having the white background cover up the previously drawn one. Is there a way to get a transparent background with “clearRect()”? Or what’s a good work around?
    • Answer: have to add all sine waves into one canvas. No way of overlapping canvases with animation over it (without getting the background).
  • Trying to access a variable within a function to have as a global variable. Why won’t it work though? I added a “return” but it keeps saying it is undefined when I console.log it outside of the function.
    • Answer: Didn’t have much to do with making a global var. Had to do with adding and removing my click event listener. Have to remove the event listener if it is not the one clicked on. Shawn wrote the snippet below!
[Screenshot: the snippet Shawn wrote]

Bits of Research:

  • A source
  • The highest frequency that most humans can hear is 20,000 cycles per second or 20,000 Hz.
  • “Sound travels much slower than light. The audible sound spectrum consists of sounds between frequencies of 20 Hz and 20,000 Hz. These waves are very large and very slow compared to light waves. Sound waves are approximately 1,000,000,000,000 times larger than light waves.”
  • The pitch of the note A has a frequency of 440 Hz.
  • Sound and color are produced differently. Sound comes from an object that acts mechanically to produce a sound. But objects appear colored because of the interaction of white light with the object. For ex: when light hits an object, the object absorbs certain parts of the light; it absorbs all the colors but blue. The light leaving the object would then contain whatever color is left, in this case blue.

Resources for Web Audio API: 

Resources for JS, Canvas & Animation: 

Resources for Start + Stop Web Audio API Oscillator on Hover (had issues with this):

Resources for Mouse Movement:

Resources for my CSS Wave Animation (Homepage):

Resources for Socket io:

Live Web Wk5: Midterm Concept

Objective: My goal is to visualize the phenomenon of color and pitch frequency. Since both pitch and color use frequency, I aim to show the correlation between the two.

Interaction:
a.) On the “learn” page, when a person clicks/hovers over a section of color, the wavelength of the color will show up and the associated pitch will also be played. For example, if the person hovers over the red section, the pitch played will be lower because red has a lower frequency. This also means a longer wavelength.

b.) There will be another “playground/drawing” page where people click to create wavelength lines. When the person selects a color, the person will be able click to draw that color’s wavelength. The associated pitch will also play.

[Image: 191009_liveweb_midterm_concept]

Understanding Networks All Wk: Reading Notes

Understanding Networks Wk5: Explanatory Article Idea

For my explanatory article topic idea, I would like to research the generations of mobile network technologies, from the first generation developed by the Bell System to our current carriers, Verizon, AT&T, Sprint.

Some topics I am hoping to cover with this:

  • What is 5G and how does it work? Millimeter waves, massive MIMO, full duplex, beam forming, and small cells are some of the technologies that enable 5G networks. But what do they do and how do they work together?
  • The generations of mobile networks: understanding the differences between 1G through 5G
  • Cellular frequency: It would be interesting to see what frequency band each of these generations are covering and why we need higher frequency.
  • IP/TCP for Data Communication in Phones: 3G and 4G rely on IP networks. Does this change anything for the hardware of the phone? How has this made a difference in the hardware of phones?

Rough notes and outline based on some readings: https://docs.google.com/document/d/1_31o73Qx1UtwMeuC2sxrYzyWTL0C5DIePgknnjVH6C4/edit?usp=sharing

Another idea: Energy of data centers (still need to research more on this though!)

Live Web Wk 5: WebRTC – Peer Garden!

Try it out: https://el3015.itp.io:8085/main.html

Code here: https://github.com/emilylin-itp/live-web/tree/gh-pages/wk5/wk5_peergarden

For this assignment, I focused mostly on just trying to understand how peer js and socket.io could work together. The functions I wanted to achieve were: a.) show my/users’ personal peer id, b.) be able to send the peer id of the other user via socket when the user “joins” the garden, c.) display the video stream to other user.

There are some logical mistakes in what I ended up with though. First of all, if you are the last person to join you would not see anyone else’s live stream. There needs to be a way that once you join the garden you can see everyone who is in there. Not sure how I would do this exactly, but something to look into. Treated this more as socket + peerjs practice than as a project that is conceptually sound.

Questions:

  • If Peer to Peer/WebRTC is in between UDP + TCP, then what is an example of a communication/app that is using completely UDP?
  • Followed along with the class screencast but stumbled at around 33:00 in. I got a different error message: “Error: Could not get an ID from the server. If you passed in a `path` to your self-hosted PeerServer, you’ll also need to pass in that same path when creating a new Peer.” But in my terminal I received this “id?ts = 157……” The id looks different from the screencast’s (mine only has numbers). Why?
  • Having issues with getting this “run your own peer server” to work: https://itp.nyu.edu/~sve204/liveweb_fall2019/peerserver.html
  • Why can’t I appendChild for my video into a div?
  • Why won’t the setAttribute or className(‘class name’) work on my video in the client side js?
  • Why won’t this add the class ‘ovideoStyle’?
    document.gvideoContainer.appendChild(ovideoElement, 'ovideoStyle');

References mentioned in class: 

Helpful resources: