Assignment 3
Ethereal Capture
I requested the site bill.msie.marlboro.edu. My computer is shown in red, and bill in black.
0.000000 192.168.1.100 -> 63.240.76.19 DNS Standard query A
bill.msie.marlboro.edu
0.100056 63.240.76.19 -> 192.168.1.100 DNS Standard query response A
216.114.150.54
The 3-way handshake establishing the connection
0.113100 192.168.1.100 -> 216.114.150.54 TCP 52369 > http [SYN]
Seq=0 Ack=0 Win=65535 Len=0 MSS=1460 WS=0 TSV=1322505183 TSER=0
0.189121 216.114.150.54 -> 192.168.1.100 TCP http > 52369 [SYN,
ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=1433850585 TSER=1322505183
WS=2
0.189303 192.168.1.100 -> 216.114.150.54 TCP 52369 > http [ACK]
Seq=1 Ack=1 Win=65535 Len=0 TSV=1322505183 TSER=1433850585
I am requesting the file "/design.html"
0.189576 192.168.1.100 -> 216.114.150.54 HTTP GET
/design.html HTTP/1.1
Here bill is acknowledging my request, bytes 1 through 512
0.313731 216.114.150.54 -> 192.168.1.100 TCP http > 52369 [ACK]
Seq=1 Ack=513 Win=6864 Len=0 TSV=1433850712 TSER=1322505183
Bill is sending the file via HTTP/1.1 and is giving a 200 code, meaning OK
0.317163 216.114.150.54 -> 192.168.1.100 HTTP HTTP/1.1 200 OK
Bill is sending the file
0.328012 216.114.150.54 -> 192.168.1.100 HTTP Continuation
I am acknowledging that I have received bytes up to #1714 and send Ack=1715, the byte I expect to get next
0.407671 192.168.1.100 -> 216.114.150.54 TCP 52369 > http [ACK]
Seq=513 Ack=1715 Win=65535 Len=0 TSV=1322505183 TSER=1433850712
Bill is sending bytes
0.517786 216.114.150.54 -> 192.168.1.100 HTTP Continuation
0.518250 216.114.150.54 -> 192.168.1.100 HTTP Continuation
I am acknowledging that I have received up to byte #3594 and the next byte I expect to receive is #3695
0.518417 192.168.1.100 -> 216.114.150.54 TCP 52369 > http [ACK]
Seq=513 Ack=3695 Win=64629 Len=0 TSV=1322505184 TSER=1433850903
I request to close the connection
0.609859 192.168.1.100 -> 216.114.150.54 TCP 52369 > http [FIN,
ACK] Seq=513 Ack=3695 Win=65535 Len=0 TSV=1322505184 TSER=1433850903
0.684933 216.114.150.54 -> 192.168.1.100 TCP http > 52369 [ACK]
Seq=3695 Ack=514 Win=6864 Len=0 TSV=1433851082 TSER=1322505184
0.717553 192.168.1.100 -> 216.114.150.54 TCP 52370 > http [SYN]
Seq=0 Ack=0 Win=65535 Len=0 MSS=1460 WS=0 TSV=1322505184 TSER=0
Another 3-way handshake establishing another connection.
0.729800 192.168.1.100 -> 216.114.150.54 TCP 52371 > http [SYN] Seq=0
Ack=0 Win=65535 Len=0 MSS=1460 WS=0 TSV=1322505184 TSER=0
0.795010 216.114.150.54 -> 192.168.1.100 TCP http > 52370 [SYN,
ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=1433851193 TSER=1322505184
WS=2
0.795173 192.168.1.100 -> 216.114.150.54 TCP 52370 > http [ACK]
Seq=1 Ack=1 Win=65535 Len=0 TSV=1322505184 TSER=1433851193
I am requesting an image
0.795468 192.168.1.100 -> 216.114.150.54 HTTP GET
/i/site-diagram.gif HTTP/1.1
Bill acknowledges my request
0.808958 216.114.150.54 -> 192.168.1.100 TCP http > 52371 [SYN,
ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=1433851207 TSER=1322505184
WS=2
0.809064 192.168.1.100 -> 216.114.150.54 TCP 52371 > http [ACK]
Seq=1 Ack=1 Win=65535 Len=0 TSV=1322505184 TSER=1433851207
I am requesting an image
0.809255 192.168.1.100 -> 216.114.150.54 HTTP GET
/i/screen-shot.jpg HTTP/1.1
Bill acknowledges my request
0.886456 216.114.150.54 -> 192.168.1.100 TCP http > 52370 [ACK]
Seq=1 Ack=572 Win=6936 Len=0 TSV=1433851284 TSER=1322505184
Bill is sending the file via HTTP/1.1 and is giving a 200 code, meaning OK
0.888384 216.114.150.54 -> 192.168.1.100 HTTP HTTP/1.1 200 OK
0.899724 216.114.150.54 -> 192.168.1.100 HTTP Continuation
0.907197 216.114.150.54 -> 192.168.1.100 HTTP Continuation
Could this be out of order? I see 571 here and it's after 572
0.907295 216.114.150.54 -> 192.168.1.100 TCP http > 52371 [ACK]
Seq=1 Ack=571 Win=6932 Len=0 TSV=1433851295 TSER=1322505184
Bill is sending the file via HTTP/1.1 and is giving a 200 code, meaning OK
0.908224 216.114.150.54 -> 192.168.1.100 HTTP HTTP/1.1 200 OK
0.918225 216.114.150.54 -> 192.168.1.100 HTTP Continuation
0.925749 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.008005 192.168.1.100 -> 216.114.150.54 TCP 52370 > http [ACK]
Seq=572 Ack=3150 Win=65535 Len=0 TSV=1322505185 TSER=1433851284
1.008144 192.168.1.100 -> 216.114.150.54 TCP 52371 > http [ACK]
Seq=571 Ack=3151 Win=65535 Len=0 TSV=1322505185 TSER=1433851296
1.094079 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.103002 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.103200 192.168.1.100 -> 216.114.150.54 TCP 52370 > http [ACK]
Seq=572 Ack=6046 Win=65535 Len=0 TSV=1322505185 TSER=1433851480
1.110549 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.118523 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.118713 192.168.1.100 -> 216.114.150.54 TCP 52370 > http [ACK]
Seq=572 Ack=8942 Win=65535 Len=0 TSV=1322505185 TSER=1433851480
1.141583 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.149223 216.114.150.54 -> 192.168.1.100 HTTP Continuation
The following packet looks like it's out of order
1.149602 192.168.1.100 -> 216.114.150.54 TCP 52371 > http [ACK]
Seq=571 Ack=6047 Win=65535 Len=0 TSV=1322505185 TSER=1433851486
1.157127 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.165635 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.166025 192.168.1.100 -> 216.114.150.54 TCP 52371 > http [ACK]
Seq=571 Ack=8943 Win=65535 Len=0 TSV=1322505185 TSER=1433851486
1.201756 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.208312 192.168.1.100 -> 216.114.150.54 TCP 52370 > http [ACK]
Seq=572 Ack=10390 Win=65535 Len=0 TSV=1322505185 TSER=1433851588
1.216212 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.229139 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.229324 216.114.150.54 -> 192.168.1.100 TCP http > 52370 [FIN,
ACK] Seq=12875 Ack=572 Win=6936 Len=0 TSV=1433851588 TSER=1322505185
1.229556 192.168.1.100 -> 216.114.150.54 TCP 52370 > http [ACK]
Seq=572 Ack=12876 Win=65535 Len=0 TSV=1322505185 TSER=1433851588
1.230326 192.168.1.100 -> 216.114.150.54 TCP 52370 > http [FIN,
ACK] Seq=572 Ack=12876 Win=65535 Len=0 TSV=1322505185 TSER=1433851588
1.282900 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.291290 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.291500 192.168.1.100 -> 216.114.150.54 TCP 52371 > http [ACK]
Seq=571 Ack=11839 Win=65535 Len=0 TSV=1322505185 TSER=1433851669
1.299357 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.307864 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.308116 192.168.1.100 -> 216.114.150.54 TCP 52371 > http [ACK]
Seq=571 Ack=14735 Win=65535 Len=0 TSV=1322505185 TSER=1433851669
1.315875 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.323395 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.323556 192.168.1.100 -> 216.114.150.54 TCP 52371 > http [ACK]
Seq=571 Ack=17631 Win=65535 Len=0 TSV=1322505185 TSER=1433851694
1.334288 216.114.150.54 -> 192.168.1.100 TCP http > 52370 [ACK]
Seq=12876 Ack=573 Win=6936 Len=0 TSV=1433851732 TSER=1322505185
1.395491 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.403498 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.403698 192.168.1.100 -> 216.114.150.54 TCP 52371 > http [ACK]
Seq=571 Ack=20527 Win=65535 Len=0 TSV=1322505185 TSER=1433851782
1.411629 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.419028 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.419240 192.168.1.100 -> 216.114.150.54 TCP 52371 > http [ACK]
Seq=571 Ack=23423 Win=65535 Len=0 TSV=1322505185 TSER=1433851782
1.427092 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.435146 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.435351 192.168.1.100 -> 216.114.150.54 TCP 52371 > http [ACK]
Seq=571 Ack=26319 Win=65535 Len=0 TSV=1322505186 TSER=1433851785
1.444186 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.452128 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.452356 192.168.1.100 -> 216.114.150.54 TCP 52371 > http [ACK]
Seq=571 Ack=29215 Win=65535 Len=0 TSV=1322505186 TSER=1433851796
1.460141 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.491658 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.491953 192.168.1.100 -> 216.114.150.54 TCP 52371 > http [ACK]
Seq=571 Ack=32111 Win=65535 Len=0 TSV=1322505186 TSER=1433851796
1.499730 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.507669 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.507899 192.168.1.100 -> 216.114.150.54 TCP 52371 > http [ACK]
Seq=571 Ack=35007 Win=65535 Len=0 TSV=1322505186 TSER=1433851878
1.515737 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.523681 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.523913 192.168.1.100 -> 216.114.150.54 TCP 52371 > http [ACK]
Seq=571 Ack=37903 Win=65535 Len=0 TSV=1322505186 TSER=1433851895
1.543258 192.168.1.100 -> 216.114.150.54 TCP 52371 > http [ACK]
Seq=571 Ack=40799 Win=65535 Len=0 TSV=1322505186 TSER=1433851895
1.558973 192.168.1.100 -> 216.114.150.54 TCP 52371 > http [ACK]
Seq=571 Ack=43695 Win=65535 Len=0 TSV=1322505186 TSER=1433851909
1.574984 192.168.1.100 -> 216.114.150.54 TCP 52371 > http [ACK]
Seq=571 Ack=46591 Win=65535 Len=0 TSV=1322505186 TSER=1433851927
1.596467 192.168.1.100 -> 216.114.150.54 TCP 52371 > http [ACK]
Seq=571 Ack=49487 Win=65535 Len=0 TSV=1322505186 TSER=1433851927
1.605727 216.114.150.54 -> 192.168.1.100 HTTP Continuation
1.606197 216.114.150.54 -> 192.168.1.100 TCP http > 52371 [FIN,
ACK] Seq=51438 Ack=571 Win=6932 Len=0 TSV=1433851976 TSER=1322505186
1.606271 192.168.1.100 -> 216.114.150.54 TCP 52371 > http [ACK]
Seq=571 Ack=51439 Win=64657 Len=0 TSV=1322505186 TSER=1433851976
1.617233 192.168.1.100 -> 216.114.150.54 TCP 52371 > http [FIN,
ACK] Seq=571 Ack=51439 Win=65535 Len=0 TSV=1322505186 TSER=1433851976
I think I cut some off, but the connection was closing here.
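As an added example (not part of the original assignment), the Python script below parses Ethereal summary lines like the ones above, demultiplexes them into connections, checks each 3-way handshake, and turns each Ack number into "bytes received so far". The input is the capture's own TCP rows, re-joined onto single lines, with the HTTP rows left out. It speaks to both questions raised above: what an Ack of N acknowledges (everything through byte N-1, in Ethereal's relative numbering), and whether Ack=571 on port 52371 arriving after Ack=572 on port 52370 means something is out of order. It does not: those are two separate connections with independent sequence spaces, and their GET requests are simply 571 and 570 bytes long, a one-byte difference that matches the one-character difference between /i/site-diagram.gif and /i/screen-shot.jpg.

```python
import re
from collections import defaultdict

# Constructed input: the TCP rows of the Ethereal capture above, re-joined onto
# one line each (the page splits every packet over two lines). The HTTP payload
# rows are left out; the handshake and ACK arithmetic only need the TCP rows.
CAPTURE = """\
0.113100 192.168.1.100 -> 216.114.150.54 TCP 52369 > http [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460 WS=0 TSV=1322505183 TSER=0
0.189121 216.114.150.54 -> 192.168.1.100 TCP http > 52369 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=1433850585 TSER=1322505183 WS=2
0.189303 192.168.1.100 -> 216.114.150.54 TCP 52369 > http [ACK] Seq=1 Ack=1 Win=65535 Len=0 TSV=1322505183 TSER=1433850585
0.313731 216.114.150.54 -> 192.168.1.100 TCP http > 52369 [ACK] Seq=1 Ack=513 Win=6864 Len=0 TSV=1433850712 TSER=1322505183
0.407671 192.168.1.100 -> 216.114.150.54 TCP 52369 > http [ACK] Seq=513 Ack=1715 Win=65535 Len=0 TSV=1322505183 TSER=1433850712
0.518417 192.168.1.100 -> 216.114.150.54 TCP 52369 > http [ACK] Seq=513 Ack=3695 Win=64629 Len=0 TSV=1322505184 TSER=1433850903
0.609859 192.168.1.100 -> 216.114.150.54 TCP 52369 > http [FIN, ACK] Seq=513 Ack=3695 Win=65535 Len=0 TSV=1322505184 TSER=1433850903
0.684933 216.114.150.54 -> 192.168.1.100 TCP http > 52369 [ACK] Seq=3695 Ack=514 Win=6864 Len=0 TSV=1433851082 TSER=1322505184
0.717553 192.168.1.100 -> 216.114.150.54 TCP 52370 > http [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460 WS=0 TSV=1322505184 TSER=0
0.729800 192.168.1.100 -> 216.114.150.54 TCP 52371 > http [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460 WS=0 TSV=1322505184 TSER=0
0.795010 216.114.150.54 -> 192.168.1.100 TCP http > 52370 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=1433851193 TSER=1322505184 WS=2
0.795173 192.168.1.100 -> 216.114.150.54 TCP 52370 > http [ACK] Seq=1 Ack=1 Win=65535 Len=0 TSV=1322505184 TSER=1433851193
0.808958 216.114.150.54 -> 192.168.1.100 TCP http > 52371 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=1433851207 TSER=1322505184 WS=2
0.809064 192.168.1.100 -> 216.114.150.54 TCP 52371 > http [ACK] Seq=1 Ack=1 Win=65535 Len=0 TSV=1322505184 TSER=1433851207
0.886456 216.114.150.54 -> 192.168.1.100 TCP http > 52370 [ACK] Seq=1 Ack=572 Win=6936 Len=0 TSV=1433851284 TSER=1322505184
0.907295 216.114.150.54 -> 192.168.1.100 TCP http > 52371 [ACK] Seq=1 Ack=571 Win=6932 Len=0 TSV=1433851295 TSER=1322505184
"""

LINE = re.compile(
    r"^(?P<time>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\S+)\s+>\s+(?P<dport>\S+)\s+\[(?P<flags>[^\]]+)\]\s+"
    r"Seq=(?P<seq>\d+)\s+Ack=(?P<ack>\d+)"
)


def parse(text):
    """Turn Ethereal one-line TCP summaries into dicts; rows that are not TCP are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        p = m.groupdict()
        p["seq"], p["ack"] = int(p["seq"]), int(p["ack"])
        p["flags"] = {f.strip() for f in p["flags"].split(",")}
        packets.append(p)
    return packets


def flow_key(p):
    """A connection is the unordered pair of (address, port) endpoints."""
    return tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))


def by_client_port(per_flow):
    """Re-key a per-flow dict by the client's ephemeral port for readability."""
    return {port: v for flow, v in per_flow.items()
            for (_ip, port) in flow if port != "http"}


def handshakes(packets):
    """Per flow, whether SYN, SYN/ACK and the final ACK were seen in that order."""
    state = defaultdict(int)  # flow -> number of handshake steps completed
    for p in packets:
        k, f = flow_key(p), p["flags"]
        if state[k] == 0 and f == {"SYN"}:
            state[k] = 1
        elif state[k] == 1 and f == {"SYN", "ACK"} and p["ack"] == 1:
            state[k] = 2
        elif state[k] == 2 and f == {"ACK"} and p["seq"] == 1 and p["ack"] == 1:
            state[k] = 3
    return {k: n == 3 for k, n in state.items()}


def bytes_acked(p):
    """Ethereal shows relative numbers: the SYN occupies 0, so payload starts at 1,
    and Ack=N says 'everything through N-1 arrived; N is the next byte I expect'."""
    return p["ack"] - 1


def request_sizes(packets):
    """Size of each HTTP request: the first pure ACK the server sends after the
    handshake acknowledges exactly the bytes of the GET, so it is Ack-1."""
    sizes = {}
    for p in packets:
        k = flow_key(p)
        if p["sport"] == "http" and p["flags"] == {"ACK"} and p["ack"] > 1 and k not in sizes:
            sizes[k] = p["ack"] - 1
    return sizes


def ack_progress(packets):
    """Per (flow, sender) list the Ack numbers in capture order."""
    prog = defaultdict(list)
    for p in packets:
        if "ACK" in p["flags"]:
            prog[(flow_key(p), p["src"])].append(p["ack"])
    return dict(prog)


def acks_in_order(packets):
    """True for a flow if every Ack each endpoint sent is >= its previous one.
    Ack numbers are only comparable within one connection, so port 52370 seeing
    Ack=572 and port 52371 seeing Ack=571 says nothing about reordering."""
    result = {}
    for (flow, _sender), acks in ack_progress(packets).items():
        ok = all(later >= earlier for earlier, later in zip(acks, acks[1:]))
        result[flow] = result.get(flow, True) and ok
    return result


if __name__ == "__main__":
    pkts = parse(CAPTURE)
    print("handshakes:", by_client_port(handshakes(pkts)))
    print("request sizes:", by_client_port(request_sizes(pkts)))
    print("acks monotonic:", by_client_port(acks_in_order(pkts)))
```

Running it prints that all three handshakes completed, that the three requests were 512, 571 and 570 bytes, and that the Ack numbers on every connection only ever grow; the Ack=3695 row on port 52369 acknowledges bytes 1 through 3694.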
NMAP
Here is an nmap option that lets me see what lives at each IP address.
Badi-Jones-Computer:~ jones$ host www.umass.edu
www.umass.edu has address 128.119.101.5
Badi-Jones-Computer:~ jones$ nmap -sL 128.119.101.0/24
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host (128.119.101.0) not scanned
Host (128.119.101.1) not scanned
Host (128.119.101.2) not scanned
Host (128.119.101.3) not scanned
Host (128.119.101.4) not scanned
Host www.umass.edu (128.119.101.5) not scanned
Host (128.119.101.6) not scanned
Host csswebvip.oit.umass.edu (128.119.101.7) not scanned
Host (128.119.101.8) not scanned
Host (128.119.101.9) not scanned
Host webtest3.oit.umass.edu (128.119.101.10) not scanned
Host umweb2.oit.umass.edu (128.119.101.11) not scanned
Host umweb1.oit.umass.edu (128.119.101.12) not scanned
Host (128.119.101.13) not scanned
Host (128.119.101.14) not scanned
Host (128.119.101.32) not scanned
Host (128.119.101.33) not scanned
Host mailman-css.oit.umass.edu (128.119.101.34) not scanned
Host regulus.oit.umass.edu (128.119.101.35) not scanned
Host neihart.oit.umass.edu (128.119.101.36) not scanned
Host race1.oit.umass.edu (128.119.101.37) not scanned
Host race2.oit.umass.edu (128.119.101.38) not scanned
Host race3.oit.umass.edu (128.119.101.39) not scanned
Host race4.oit.umass.edu (128.119.101.40) not scanned
Host race5.oit.umass.edu (128.119.101.41) not scanned
Host race.oit.umass.edu (128.119.101.42) not scanned
Host (128.119.101.43) not scanned
Host (128.119.101.44) not scanned
Host (128.119.101.127) not scanned
Host (128.119.101.128) not scanned
Host mor1-rt-n124a-1.gw.umass.edu (128.119.101.129) not scanned
Host (128.119.101.130) not scanned
Host (128.119.101.136) not scanned
Host tsrv.sportstudy.umass.edu (128.119.101.137) not scanned
Host office-prn1.sportstudy.umass.edu (128.119.101.138) not scanned
Host office-prn2.sportstudy.umass.edu (128.119.101.139) not scanned
Host lab-prn.sportstudy.umass.edu (128.119.101.140) not scanned
Host (128.119.101.141) not scanned
Host skin-254.dhcp.umass.edu (128.119.101.254) not scanned
Host (128.119.101.255) not scanned
This option lets me look at each port of a particular server.
Badi-Jones-Computer:~ jones$ sudo nmap -sS -O 18.79.1.177
Password:
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on hplaserjet6p.mit.edu (18.79.1.177):
(The 1592 ports scanned but not shown below are in state: closed)
Port State Service
23/tcp open telnet
135/tcp filtered loc-srv
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
515/tcp open printer
9100/tcp open jetdirect
No exact OS matches for host (If you know what OS is running on it,
see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=3.00%P=powerpc-apple-darwin7.5.0%D=11/12%Time=4194688E%O=23%C=1)
TSeq(Class=TD%gcd=4%SI=0%IPID=I%TS=U)
T1(Resp=Y%DF=N%W=860%ACK=S++%Flags=AS%Ops=M)
T2(Resp=N)
T3(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T4(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T7(Resp=N)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=0%UCK=F%ULEN=134%DAT=E)
Nmap run completed -- 1 IP address (1 host up) scanned in 43 seconds
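As an added example, written for this page and not taken from the assignment or from nmap itself, the script below parses the two kinds of nmap 3.00 output shown above: the -sL list scan (which sends no probes and only does reverse-DNS lookups) and the -sS -O port table. From the port table it builds the summary a defender wants: which ports answered (open), which ones something dropped (nmap reports filtered when a probe gets no usable reply, typically because a firewall discarded it), how many ports were probed in total, and which open services deserve review. The review list is this example's own choice, not something nmap reports.

```python
import re

# Constructed input: a subset of the 'nmap -sL' list-scan output shown above.
LIST_SCAN = """\
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host (128.119.101.4) not scanned
Host www.umass.edu (128.119.101.5) not scanned
Host (128.119.101.6) not scanned
Host csswebvip.oit.umass.edu (128.119.101.7) not scanned
Host mor1-rt-n124a-1.gw.umass.edu (128.119.101.129) not scanned
Host skin-254.dhcp.umass.edu (128.119.101.254) not scanned
"""

# Constructed input: the port table from the 'nmap -sS -O' run shown above.
PORT_SCAN = """\
Interesting ports on hplaserjet6p.mit.edu (18.79.1.177):
(The 1592 ports scanned but not shown below are in state: closed)
Port State Service
23/tcp open telnet
135/tcp filtered loc-srv
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
515/tcp open printer
9100/tcp open jetdirect
"""

LIST_ROW = re.compile(r"^Host (?:(?P<name>\S+) )?\((?P<ip>[\d.]+)\) not scanned$")
TARGET = re.compile(r"^Interesting ports on (?P<name>\S+) \((?P<ip>[\d.]+)\):")
UNLISTED = re.compile(
    r"^\(The (?P<n>\d+) ports scanned but not shown below are in state: (?P<state>\w+)\)")
PORT_ROW = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>open|closed|filtered)\s+(?P<service>\S+)")


def parse_list_scan(text):
    """Map every address in the -sL output to its reverse-DNS name (None if it has none)."""
    hosts = {}
    for line in text.splitlines():
        m = LIST_ROW.match(line)
        if m:
            hosts[m["ip"]] = m["name"]
    return hosts


def parse_port_scan(text):
    """Turn the nmap 3.00 port table into a dict: target, per-port rows, and the
    count and state of the ports nmap folded into its one-line summary."""
    result = {"name": None, "ip": None, "ports": [], "unlisted": 0, "unlisted_state": None}
    for line in text.splitlines():
        if m := TARGET.match(line):
            result["name"], result["ip"] = m["name"], m["ip"]
        elif m := UNLISTED.match(line):
            result["unlisted"], result["unlisted_state"] = int(m["n"]), m["state"]
        elif m := PORT_ROW.match(line):
            result["ports"].append({"port": int(m["port"]), "proto": m["proto"],
                                    "state": m["state"], "service": m["service"]})
    return result


# Services this example flags for review when reachable: telnet carries logins in
# cleartext, and lpd (printer) and raw JetDirect accept print jobs with no
# authentication. This list is the example's own policy choice, not nmap's.
REVIEW_SERVICES = {"telnet", "printer", "jetdirect"}


def exposure_report(scan):
    """Defender's summary of one host: what answered, what was filtered, how many
    ports were probed in total, and which open services are on the review list."""
    by_state = {"open": [], "filtered": [], "closed": []}
    for p in scan["ports"]:
        by_state[p["state"]].append(p["port"])
    total = scan["unlisted"] + len(scan["ports"])
    review = sorted(p["port"] for p in scan["ports"]
                    if p["state"] == "open" and p["service"] in REVIEW_SERVICES)
    return {"target": f'{scan["name"]} ({scan["ip"]})', "ports_probed": total,
            "open": by_state["open"], "filtered": by_state["filtered"], "review": review}


if __name__ == "__main__":
    named = {ip: n for ip, n in parse_list_scan(LIST_SCAN).items() if n}
    print("hosts with reverse DNS names:", named)
    print(exposure_report(parse_port_scan(PORT_SCAN)))
```

On the page's output the report says 1601 ports were probed on hplaserjet6p.mit.edu, three answered (23, 515, 9100), six were filtered (135 through 139 and 445), and all three open services land on the review list, which is the inventory a network owner would act on.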