Understanding how your Network works

I'm sure most people working with computers are already familiar with such commands as ipconfig, ipconfig /all, netstat, ping and tracert, etc...
but how do you take this information that you've aquired and use it to better understand how things work?

For instance, I do a netstat -n and I just see a bunch of ip addresses and port numbers. I do a tracert on an address and it gives me a bunch of names for various devices that the echo request packet passes through on its trip.

What's with all the 127.0.0.1:1040, 127.0.0.1:1024, etc...addresses?

When I'm in a office network I get IP addresses that looks like...192.168.1.22, but that just means that NAT is being used, right?

@_@ where do you begin when piecing everything together? There's only so much I can do with firewalls and anti-malware software, I'd like to be able to provide better security for the networks I come in contact with in my daily life. Please provide this seedling with some knowledge that he can go on.

-KG

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

seuss_ssues

the 127.0.0.1:port number
are the ports that are open on your local machine

edited:open or in use

keatron

KGhaleon wrote:

I'm sure most people working with computers are already familiar with such commands as ipconfig, ipconfig /all, netstat, ping and tracert, etc...
but how do you take this information that you've aquired and use it to better understand how things work?

For instance, I do a netstat -n and I just see a bunch of ip addresses and port numbers. I do a tracert on an address and it gives me a bunch of names for various devices that the echo request packet passes through on its trip.

What's with all the 127.0.0.1:1040, 127.0.0.1:1024, etc...addresses?

When I'm in a office network I get IP addresses that looks like...192.168.1.22, but that just means that NAT is being used, right?

@_@ where do you begin when piecing everything together? There's only so much I can do with firewalls and anti-malware software, I'd like to be able to provide better security for the networks I come in contact with in my daily life. Please provide this seedling with some knowledge that he can go on.

-KG

I think I understand what you are asking, and to that I would say start reading the Network+ technotes here. Also don't forget about google. For example you can do a search for "tracert command output" and you should get plenty of hits back. Trace route is a command you'll use frequently (along with ping and the likes) if you're ever involved in any networking support or troubleshooting. I can give you a general description of how these are used. Start with a ping 216.109.112.135 (yahoo) to see if communication can be established to an outside address. You should get something that looks like this...

Reply from 216.109.112.135: bytes=32 time=200ms TTL=46
Reply from 216.109.112.135: bytes=32 time=222ms TTL=46
Reply from 216.109.112.135: bytes=32 time=209ms TTL=46
Reply from 216.109.112.135: bytes=32 time=212ms TTL=46

This is telling you that your computer sent 32 byte packets to the address you typed after ping. It also tells you that the first trip took 200 milliseconds, the second trip took 222 milliseconds and so on.

Next go ahead and type tracert 216.109.112.135. The result should be something like this......

Tracing route to w2.rc.vip.dcn.yahoo.com [216.109.112.135]
over a maximum of 30 hops:

1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 277 ms 196 ms 182 ms 68.28.147.97
7 217 ms 160 ms 213 ms 68.28.147.17
8 193 ms 219 ms 171 ms sl-gw32-chi-0-1.sprintlink.net [144.223.73.209

9 197 ms 369 ms 197 ms sl-bb21-chi-4-2.sprintlink.net [144.232.26.33]
10 175 ms 214 ms 213 ms sl-bb20-chi-14-0.sprintlink.net [144.232.26.1]
11 201 ms 211 ms 210 ms sl-st20-chi-12-0.sprintlink.net [144.232.8.219

12 212 ms 315 ms 216 ms sl-teleg-5-0.sprintlink.net [144.223.241.62]
13 718 ms 251 ms 240 ms if-0-1.core1.CT8-Chicago.teleglobe.net [66.110
7.9]
14 238 ms 211 ms 259 ms if-4-0.core3.CQW-Chicago.teleglobe.net [66.110
7.78]
15 192 ms 270 ms 267 ms if-1-0.core3.NQT-NewYork.teleglobe.net [216.6.
.2]
16 223 ms 213 ms 258 ms if-1-0.core2.AEQ-Ashburn.teleglobe.net [209.58
7.57]
17 224 ms 216 ms 251 ms if-6-0.core1.AEQ-Ashburn.Teleglobe.net [207.45
23.113]
18 295 ms 267 ms 259 ms ix-14-2.core1.AEQ-Ashburn.teleglobe.net [63.24
149.110]
19 216 ms 251 ms 225 ms ae1.p420.msr2.dcn.yahoo.com [216.115.96.185]
20 242 ms 224 ms 214 ms ge5-2.bas1-m.dcn.yahoo.com [216.109.120.151]
21 225 ms 263 ms 217 ms w2.rc.vip.dcn.yahoo.com [216.109.112.135]

The first column is the hop number, which is the Time-To-Live (TTL) value set in the packet.

Each of the next three columns contains the round-trip times in milliseconds for an attempt to reach the destination with the TTL value.

The fourth column is the host name (if it was resolved) and IP address of the responding system.

In the results you will see the comment, "over a maximum of 30 hops". All this means is that the diameter of the Internet is roughly 30 hops and, therefore, many trace routes will only go that far out in trying to reach a destination.

An asterisk, "*", followed by the words "request timed out" is not out of the ordinary. If the tracert had stopped here and continued to respond with "request timed out", then it might have been indicative of a problem. In the above example, the first "request timed out" is where the interface between our network and the rest of the Internet lies. The asterisk "*" is a normal consequence of different security implementations on that junction.

Generally, a response time of less than 500 milliseconds is considered acceptable.

If you look at hops 6 and 7, these are internal to sprints network. These hops will not resolve to a domain name.

Go through this exercise and try different IP addresses. To get the ip address of a popular site, just type for example; ping cnn.com. This will give you ip address of cnn.com. Often times, and more commonly now than ever, network admins and security personnel are configuring their devices not to respond to ICMP requests (which is what ping and tracert really is). Again this explains some of the request timed out messages you might get.

When you get really confortable with this, download ethereal and you can really start to break down packets and communications and get a good idea of what's going on in your network. Also, as you grasp a solid understanding of these tools and concepts, get yourself a copy of Richard Stevens' book TCP/IP Illustrated. It's not that new of a book, but it's still the best I've found as far as breaking down packets and tcp/ip communications.

Good luck.

Keatron

rossonieri#1

in addition :

What's with all the 127.0.0.1:1040, 127.0.0.1:1024, etc...addresses?

that is IPC - interprocess communication when your machine talks to it self, in short : the client and the server reside on the same machine.

if you find romething like 192.168.1.1:80 192.168.1.254:8080 then it will be RPC / remote procedure call - the client and the server reside on different machine.

KGhaleon

That makes more sense, though I already know how ping and tracert work. I'm just curious, because from my perspective I'm just staring at lots of IP addresses and packet data. I'll check out ethereal and see what I can learn from this application.

I have access to a lot of different networks and I see all sorts of IP addresses, so it's easy to get lost in all of it. When I'm in an office and private addresses are being used on the machines, is there a way to find out what the addresses are being mapped to...IP-wise?

I just received an internship position this morning, so I am looking forward to learning under my office administrator.