
Jasmine Nackash is a multidisciplinary designer and developer interested in creating unique and innovative experiences.

Week #11

Packet analysis

I started by going through the first two links provided on the assignment page (An intro to using tcpdump on the command line, and tcpdump command examples and tutorial).

First I got a list of the possible interfaces using the tcpdump -D command:

And then just any 10 packets that come through all active interfaces:

I ran all the different commands to filter through the packets as well, but found it hard to read and learn from, so thought I'd try wireshark instead.

Side note — not sure why but it makes me somewhat uncomfortable realizing how much is going on behind the scenes! Like, it feels wasteful? I'm not even doing anything and there's thousands of packets going back and forth on my device. Literally a whole network of devices pinging each other and performing tasks like keeping the connection alive just in case the end user (me) might want to do something with that network at any given moment. Is that just how it is? Does it have to be that way?

I liked looking through what Wireshark has to offer — I went through the different interfaces and I was wondering how to capture the packets that go to my hosted server. Running the server.js file didn't seem to prompt a new interface in Wireshark. I tried looking at the Wi-Fi packets, filtering for my server's IP address using ip.addr == 167.71.161.19, but nothing turned up.

Then I had a broken pipe and that made two packets appear:

This makes sense, because I don't really have anything running on my server right now, but just the disconnection itself appears — SSH is what we use to interface with the virtual server and TCP is the standard / default communications protocol. We can clearly see one packet going from some IP address to my server's using SSH and then back using TCP. I looked up the other address and it turned out to be a bogon:

I was curious as to why. Bogon IP addresses are illegitimate or invalid, so does that mean that something is wrong with my setup? I did some digging and found out that these addresses are private IP addresses which is why IPInfo marked it as bogon (in the context of public routing). Moreover, apparently 10.X.X.X addresses are commonly used for internal networking between the host and the virtual machine. So now it makes perfect sense.

Another quick note / question: I left the capture running for ~45 minutes, then saved the capture as a file — why is it such a big file? (it's 235 MB) I thought it was just text. Even a lot of text shouldn't weigh that much...
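The size question comes down to what a capture file actually holds: not text, but every raw frame as binary, each prefixed by a 16-byte record header, after a 24-byte file header. The following added example (not part of the original post) writes and reads that classic pcap layout with the standard library and then works backwards from the numbers in this post, 235 MB (assumed here to mean 235,000,000 bytes) and 323,455 packets, to the average bytes per captured frame. The two frames it stores are constructed placeholder bytes.

```python
import io
import struct

# Classic (non-pcapng) pcap layout, as written by tcpdump -w and Wireshark "Save as pcap".
PCAP_GLOBAL_HEADER_LEN = 24   # magic, version major/minor, tz offset, sigfigs, snaplen, linktype
PCAP_RECORD_HEADER_LEN = 16   # ts_sec, ts_usec, incl_len, orig_len
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def write_pcap(frames, snaplen=262144, first_ts=1700000000):
    """Serialize raw Ethernet frames into a pcap byte string (little-endian, microsecond stamps)."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]                       # snaplen truncates what is stored
        out.write(struct.pack("<IIII", first_ts + i, 0, len(captured), len(frame)))
        out.write(captured)
    return out.getvalue()


def read_pcap(data):
    """Parse a pcap byte string back into a list of (timestamp, frame_bytes)."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:PCAP_GLOBAL_HEADER_LEN])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian Ethernet pcap")
    frames, pos = [], PCAP_GLOBAL_HEADER_LEN
    while pos < len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[pos:pos + PCAP_RECORD_HEADER_LEN])
        pos += PCAP_RECORD_HEADER_LEN
        frames.append((ts_sec + ts_usec / 1e6, data[pos:pos + incl_len]))
        pos += incl_len
    return frames


def expected_file_size(num_packets, avg_frame_len):
    """Bytes a capture of num_packets frames averaging avg_frame_len bytes will occupy on disk."""
    return PCAP_GLOBAL_HEADER_LEN + num_packets * (PCAP_RECORD_HEADER_LEN + avg_frame_len)


def avg_frame_len_from_file(file_size, num_packets):
    """Invert expected_file_size: how many payload bytes per frame a file of this size implies."""
    return (file_size - PCAP_GLOBAL_HEADER_LEN) / num_packets - PCAP_RECORD_HEADER_LEN


# Constructed sample frames: a minimum-size 60-byte frame and a full-size 1514-byte frame.
SAMPLE_FRAMES = [b"\xff" * 12 + b"\x08\x06" + b"\x00" * 46, b"\xaa" * 14 + b"\x45" * 1500]

if __name__ == "__main__":
    blob = write_pcap(SAMPLE_FRAMES)
    print(len(blob), "bytes on disk for", len(SAMPLE_FRAMES), "frames")
    print(round(avg_frame_len_from_file(235_000_000, 323_455)), "bytes per frame in the post's capture")
```

For the numbers in the post the arithmetic gives roughly 710 bytes per frame, comfortably below the 1514-byte Ethernet maximum, so 235 MB for 323,455 frames is simply every byte that crossed the wire plus 16 bytes of bookkeeping each. A text export of the same capture would be several times larger again, since every byte becomes two hex characters plus decoded field names.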

Looking through that file using Wireshark — I tried sorting through the entries but there were too many of them so I changed the preferences to allow for more caching but then every attempt at sorting was really slow. Anyway, I did see a lot of packets going from that same 10.23.10.48 address to all kinds of IP addresses, using all kinds of different protocols. I finally noticed this little line at the bottom of the screen after filtering for that IP only:

So I guess this probably means this IP is some kind of private IP address my device is using and doesn't have anything to do with the virtual server, but rather with my device. I'm a bit confused at this point, as my IP shows up as 216.165.95.169 and not 10.23.10.48.

partial output after running ifconfig in terminal

...Did some digging and found out this IP address belongs to my network interface (en0 — I ran ifconfig and recognized it from when I first opened Wireshark and selected 'Wi-Fi: en0'). I've learned that this is common in LAN (Local Area Network), and that the network interface needs to have its own IP address for it to be able to communicate with other devices on the same network and beyond. Still wondering why that's a different address from my public IP address — apparently that's a common technique called NAT (Network Address Translation) that allows multiple devices to share the same public IP address. So this 10(...) address is not actually visible on the public internet, and is probably reused in other devices in other private networks. When my device requests a web page, the router sends the request using my public IP (216...). When the web server sends a response, it comes back to the router's public IP, which then forwards it to the correct device (or "interface"?) inside of the private network. This not only adds an additional layer of security (devices are not directly exposed to the internet), but allows for multiple devices on the same network to share the same public IP address.
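The "bogon" result from the earlier lookup and the NAT explanation just above are two sides of the same thing, so one added example (not code from the post) covers both. The first function classifies an address the way a lookup service does, against the reserved ranges that are never routed on the public internet; the second is a toy NAT router that keeps the translation table the paragraph describes and, as the security-relevant part, drops any inbound packet that no inside host asked for. The three IP addresses are the ones in this post; the ports, MACs and port range are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Addresses from the post: Wi-Fi interface (en0), the hosted server, the router's public side.
LAN_IP, SERVER_IP, PUBLIC_IP = "10.23.10.48", "167.71.161.19", "216.165.95.169"

# Ranges a lookup service calls "bogon": valid addresses that must never appear in public routing.
RESERVED_RANGES = [
    (ipaddress.ip_network("10.0.0.0/8"), "private (RFC 1918)"),
    (ipaddress.ip_network("172.16.0.0/12"), "private (RFC 1918)"),
    (ipaddress.ip_network("192.168.0.0/16"), "private (RFC 1918)"),
    (ipaddress.ip_network("100.64.0.0/10"), "carrier-grade NAT (RFC 6598)"),
    (ipaddress.ip_network("169.254.0.0/16"), "IPv4 link-local (RFC 3927)"),
    (ipaddress.ip_network("127.0.0.0/8"), "loopback"),
]


def classify(ip):
    """Return the reserved-range label for ip, or 'public' if it is globally routable."""
    addr = ipaddress.ip_address(ip)
    for network, label in RESERVED_RANGES:
        if addr in network:
            return label
    return "public"


@dataclass
class NatRouter:
    """Minimal port-based NAT: inside (ip, port) pairs are mapped to ports on one public IP."""
    public_ip: str
    next_port: int = 40000                                # constructed ephemeral range start
    outbound_map: dict = field(default_factory=dict)      # (lan_ip, lan_port) -> public_port
    inbound_map: dict = field(default_factory=dict)       # public_port -> (lan_ip, lan_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an inside host's outgoing packet; allocate a mapping the first time it is seen."""
        key = (src_ip, src_port)
        if key not in self.outbound_map:
            self.outbound_map[key] = self.next_port
            self.inbound_map[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.outbound_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Forward a packet arriving at the public IP to the inside host, or None if unsolicited."""
        if dst_port not in self.inbound_map:
            return None          # nobody inside opened this flow: the packet goes nowhere
        lan_ip, lan_port = self.inbound_map[dst_port]
        return (src_ip, src_port, lan_ip, lan_port)


def ssh_round_trip():
    """Walk the post's scenario: the laptop talks to the server on port 22 and gets a reply."""
    router = NatRouter(PUBLIC_IP)
    sent = router.outbound(LAN_IP, 51234, SERVER_IP, 22)         # as seen on the internet
    reply = router.inbound(SERVER_IP, 22, sent[1])                # server answers the public port
    unsolicited = router.inbound(SERVER_IP, 22, 40999)            # no mapping: dropped
    return sent, reply, unsolicited


if __name__ == "__main__":
    for ip in (LAN_IP, SERVER_IP, PUBLIC_IP):
        print(ip, "->", classify(ip))
    print(ssh_round_trip())
```

The server only ever sees 216.165.95.169 as the peer, which is why a Wireshark filter on the server's address matches traffic on en0 even though the laptop's own address is 10.23.10.48, and why an unrelated host on the internet cannot reach 10.23.10.48 directly: the router has no table entry to forward to.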

Looking at the remaining 1% (327 entries out of 323,455), I immediately notice they look very different. None of them have "normal" IP addresses as the source or destination, and there are only two protocols present — either MDNS or ARP. In class we learned about ARP — Address Resolution Protocol — "how my computer knows what other devices are on the network" — this is essentially just devices pinging each other to let each other know of their existence.

I love this. They're literally asking "who has [an IP address]? Please tell [my IP address]" and then you can see responses coming in.
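Wireshark's "Who has X? Tell Y" line is produced from a 28-byte ARP payload sitting right after the 14-byte Ethernet header. This added example (not from the post) builds an ARP request and reply as raw bytes, parses them back, and reproduces that Info column; it then adds the one check a defender usually wants over ARP traffic, remembering which MAC answered for which IP and flagging when a different MAC later claims the same address. The MACs and the 10.23.10.1 gateway address are constructed; 10.23.10.48 is the post's interface address.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"     # htype, ptype, hlen, plen, op, sender MAC, sender IP, target MAC, target IP
BROADCAST = b"\xff" * 6


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(src_mac, sender_ip, target_ip, target_mac=None, reply=False):
    """Constructed Ethernet + ARP frame. Requests are broadcast with an all-zero target MAC."""
    op = ARP_REPLY if reply else ARP_REQUEST
    tha = mac_bytes(target_mac) if target_mac else b"\x00" * 6
    eth_dst = mac_bytes(target_mac) if reply else BROADCAST
    ethernet = struct.pack("!6s6sH", eth_dst, mac_bytes(src_mac), ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                      mac_bytes(src_mac), ipaddress.IPv4Address(sender_ip).packed,
                      tha, ipaddress.IPv4Address(target_ip).packed)
    return ethernet + arp


def parse_arp(frame):
    """Decode the ARP fields of an Ethernet frame into a dict, or raise if it is not ARP."""
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"op": op,
            "sender_mac": mac_str(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": mac_str(tha), "target_ip": str(ipaddress.IPv4Address(tpa))}


def info_column(p):
    """Render the same summary Wireshark shows in its Info column."""
    if p["op"] == ARP_REQUEST:
        return f"Who has {p['target_ip']}? Tell {p['sender_ip']}"
    return f"{p['sender_ip']} is at {p['sender_mac']}"


class ArpWatch:
    """Track IP -> MAC answers seen on the wire and record any IP that two MACs both claim."""

    def __init__(self):
        self.table = {}
        self.conflicts = []

    def observe(self, p):
        if p["op"] != ARP_REPLY:
            return
        known = self.table.setdefault(p["sender_ip"], p["sender_mac"])
        if known != p["sender_mac"]:
            self.conflicts.append((p["sender_ip"], known, p["sender_mac"]))


# Constructed exchange: the laptop asks for the gateway, the gateway answers.
LAPTOP_MAC, GATEWAY_MAC, OTHER_MAC = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:99"
REQUEST = build_arp(LAPTOP_MAC, "10.23.10.48", "10.23.10.1")
REPLY = build_arp(GATEWAY_MAC, "10.23.10.1", "10.23.10.48", target_mac=LAPTOP_MAC, reply=True)


def watch_conflicts(frames):
    """Run ArpWatch over frames and return the list of (ip, first_mac, second_mac) conflicts."""
    watch = ArpWatch()
    for frame in frames:
        watch.observe(parse_arp(frame))
    return watch.conflicts


if __name__ == "__main__":
    for frame in (REQUEST, REPLY):
        print(info_column(parse_arp(frame)))
```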

I've learned MDNS is a protocol that allows devices like printers, IoT devices and the like to discover each other when they're on the same local network. The weird string in the source field is (I've found out) a "unique link-local address assigned to a network interface". It's generated based on the interface's MAC address. It is not usable outside of the local network, but rather it's only being used by devices that share the same network.
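The MAC-derived form of that "weird string" is the EUI-64 construction: split the 48-bit MAC in half, insert ff:fe, flip the universal/local bit of the first byte, and put the result after the fe80::/64 prefix. The added example below (not from the post) builds such an address from a MAC and recovers the MAC from it, and includes the caveat a practitioner should know: macOS, Windows and most Linux systems now default to random or stable-privacy interface identifiers, so the address seen in Wireshark may well not contain the MAC at all. The function returns None in that case instead of guessing. The MAC and addresses are constructed; the mDNS group addresses are the well-known ones.

```python
import ipaddress
from typing import Optional

LINK_LOCAL_PREFIX = b"\xfe\x80" + b"\x00" * 6            # fe80::/64
MDNS_GROUPS = {ipaddress.ip_address("224.0.0.251"), ipaddress.ip_address("ff02::fb")}
MDNS_PORT = 5353


def eui64_link_local(mac: str) -> str:
    """Derive the IPv6 link-local address an interface gets when it uses EUI-64 (RFC 4291)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip bit 1 of the first byte (universal/local), then splice ff:fe into the middle.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return str(ipaddress.IPv6Address(LINK_LOCAL_PREFIX + iid))


def mac_from_link_local(addr: str) -> Optional[str]:
    """Invert eui64_link_local. Returns None for addresses that are not EUI-64 derived."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_link_local:
        return None
    iid = a.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None           # random / privacy identifier: nothing about the MAC to recover
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def is_mdns(dst_ip: str, dst_port: int) -> bool:
    """True when a UDP datagram is addressed to the mDNS multicast group on port 5353."""
    return dst_port == MDNS_PORT and ipaddress.ip_address(dst_ip) in MDNS_GROUPS


if __name__ == "__main__":
    sample_mac = "00:1a:2b:3c:4d:5e"                        # constructed
    ll = eui64_link_local(sample_mac)
    print(sample_mac, "->", ll, "->", mac_from_link_local(ll))
    print("fe80::1234:5678:9abc:def0 ->", mac_from_link_local("fe80::1234:5678:9abc:def0"))
```

The ff:fe marker in the middle of the identifier is the quick tell: an address like fe80::21a:2bff:fe3c:4d5e leaks the hardware address, while one without it does not, which is exactly why the privacy-extension defaults exist.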

I realize I have yet to try and actually do something while monitoring packets, and I'd really like to dive deeper but I got hung up on these basic things first and probably spent too much time reading about them. Hopefully I can get to all of it later but at the time of writing this I have to move on to other assignments.