3rd Edition: Chapter 2 - Fordham University Computer and

Chapter 3
Network Services

Adapted from slides for Computer Networking: A Top Down Approach, 5th edition.
Jim Kurose, Keith Ross
Addison-Wesley, April 2009.
OUTLINE
 Review
 Network services
 Name services: DNS
 Configuration services: DHCP
 Email services
Supernetting, or CIDR

Goal:
 Solve the problem of routing table explosion
 Exhaustion of class B network address space

A way to aggregate multiple Internet addresses of the same class (A, B, C)
 E.g., network addresses 192.168.2.0/24 and 192.168.3.0/24 can be merged into 192.168.2.0/23
 Often used to combine class C addresses
 Note: two ways to indicate the length of the network part and the host part of an IP address (a prefix length such as /23, or a subnet mask such as 255.255.254.0)
Forwarding Ex. with Subnet Masks

• Routing Table:

SubnetNumber    SubnetMask       NextHop
128.96.170.0    255.255.254.0    Interface 0
128.96.168.0    255.255.254.0    Interface 1
128.96.166.0    255.255.254.0    R2
128.96.164.0    255.255.252.0    R3
Default                          R4

Forwarding pseudocode, with D = destination IP address:

For each table entry (SubnetNumber, SubnetMask, NextHop)
    if (D & SubnetMask == SubnetNumber)
        if NextHop is an interface
            forward datagram to the interface
        else
            deliver datagram to NextHop (a router)
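The lookup above and the CIDR merge from the previous slide, as an added example (not code from the slides or from Kurose and Ross). Note that the table's entries overlap: 128.96.166.0/23 lies inside 128.96.164.0/22, so the literal first-match pseudocode gives an answer that depends on row order; real forwarding uses longest-prefix match, and both are shown. The table is copied from the slide; the destination addresses are constructed.

```python
"""Forwarding-table lookup with subnet masks, plus CIDR aggregation (added example)."""
import ipaddress

# Constructed copy of the slide's routing table; the "Default" row is 0.0.0.0/0.
ROUTING_TABLE = [
    ("128.96.170.0", "255.255.254.0", "Interface 0"),
    ("128.96.168.0", "255.255.254.0", "Interface 1"),
    ("128.96.166.0", "255.255.254.0", "R2"),
    ("128.96.164.0", "255.255.252.0", "R3"),
    ("0.0.0.0",      "0.0.0.0",       "R4"),
]


def ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def mask_length(mask):
    """Prefix length of a dotted mask; rejects masks whose 1-bits are not contiguous."""
    m = ip_to_int(mask)
    length = bin(m).count("1")
    contiguous = (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF if length else 0
    if m != contiguous:
        raise ValueError(f"non-contiguous mask {mask}")
    return length


def prefix_to_mask(length):
    """The other notation for the same thing: /23 -> 255.255.254.0."""
    return str(ipaddress.ip_network(f"0.0.0.0/{length}").netmask)


def first_match_next_hop(dest, table=ROUTING_TABLE):
    """The slide's pseudocode taken literally: the first row with (D & mask) == subnet wins."""
    d = ip_to_int(dest)
    for subnet, mask, hop in table:
        if d & ip_to_int(mask) == ip_to_int(subnet):
            return hop
    return None


def next_hop(dest, table=ROUTING_TABLE):
    """Longest-prefix match: among all matching rows, the most specific one wins."""
    d = ip_to_int(dest)
    best_len, best_hop = -1, None
    for subnet, mask, hop in table:
        if d & ip_to_int(mask) == ip_to_int(subnet):
            length = mask_length(mask)
            if length > best_len:
                best_len, best_hop = length, hop
    return best_hop


def aggregate(prefixes):
    """CIDR supernetting: merge adjacent, aligned prefixes into the fewest covering prefixes."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    for dest in ("128.96.171.5", "128.96.167.1", "128.96.165.1", "10.1.2.3"):
        print(dest, "->", next_hop(dest))
    print(aggregate(["192.168.2.0/24", "192.168.3.0/24"]))
```

For 128.96.167.1 both the /23 row (R2) and the /22 row (R3) match; `next_hop` always picks R2, while `first_match_next_hop` picks whichever row comes first. Only aligned neighbours merge: 192.168.1.0/24 and 192.168.2.0/24 cannot become one /23.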
Kernel routing table

[zhang@storm ~]$ netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         150.108.68.1    0.0.0.0         UG        0 0          0 em1
150.108.68.0    *               255.255.255.0   U         0 0          0 em1
192.168.122.0   *               255.255.255.0   U         0 0          0 virbr0

 Destination: value against which the destination IP address is matched
 Genmask: address mask to use
 Gateway: route to use to reach the specified destination; * or all 0s if the destination is directly connected
 • Network 150.108.68.0/255.255.255.0 is reachable directly through em1
 Iface: name of the interface through which the destination is reachable
 Flags:
 • U: up and running
 • H: route to a host (not to a network)
 • G: the route uses an external gateway
 • R, D, M:
Newer command

[zhang@storm ~]$ ip route
default via 150.108.68.1 dev em1 proto static
150.108.68.0/24 dev em1 proto kernel scope link src 150.108.68.26 metric 1
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1

Uses CIDR addresses: IP address/length of network part
Getting a datagram from source to dest.

Forwarding table in A:
Dest. Net.   next router   Nhops
223.1.1                    1
223.1.2      223.1.1.4     2
223.1.3      223.1.1.4     2

IP datagram: misc fields | 223.1.1.1 | 223.1.2.3 | data

Starting at A, dest. E:
 look up network address of E in forwarding table
 E on different network
 • A, E not directly attached
 routing table: next hop router to E is 223.1.1.4
 link layer sends datagram to router 223.1.1.4 inside link-layer frame
 datagram arrives at 223.1.1.4
 continued…

Figure: hosts A (223.1.1.1), B (223.1.1.2) and E, with the addresses 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.1, 223.1.2.2, 223.1.2.9, 223.1.3.1, 223.1.3.2, 223.1.3.27 shown on three networks joined by a router.
ARP Protocol

 Link layer does not understand IP addresses
 • Need to map IP address to MAC address
 ARP: Address Resolution Protocol (RFC 826)
 • Node sends a broadcast looking for another node
   • 140.192.23.1 broadcasts looking for 140.192.23.23
 • Node replies with its MAC address
   • 140.192.23.23 replies with 00600A34AA3C
 • … now the IP layer can pass the MAC address to the link layer to forward the packet (datagram) to …
 Command “arp”: displays the ARP table kept by the ARP software on a host
 • ARP table: contains records of learned relationships.
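The exchange above in concrete form, as an added example that is not from the slides: ARP packets encoded in the RFC 826 layout (hardware type, protocol type, address lengths, operation, sender and target addresses), with a small per-host ARP table that only learns from replies it asked for. The addresses 140.192.23.1, 140.192.23.23 and 00:60:0a:34:aa:3c come from the slide; the MAC 00:11:22:33:44:55 and the other addresses are constructed.

```python
"""ARP request/reply encoding (RFC 826 layout) and a small ARP table (added example)."""
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"       # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes)
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"   # target hardware address is unknown in a request


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                       mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                       mac_bytes(target_mac), socket.inet_aton(target_ip))


def parse_arp(pkt):
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa)}


class ArpNode:
    """One host's view: its own addresses, its ARP table, and the replies it owes."""

    def __init__(self, my_mac, my_ip):
        self.my_mac, self.my_ip = my_mac, my_ip
        self.table = {}        # IP -> MAC learned from replies
        self.pending = set()   # IPs we asked about and are still waiting on
        self.alerts = []       # anomalies worth logging

    def request(self, target_ip):
        """Build the 'who has target_ip?' packet (the broadcast frame around it is not modelled)."""
        self.pending.add(target_ip)
        return build_arp(OP_REQUEST, self.my_mac, self.my_ip, ZERO_MAC, target_ip)

    def receive(self, pkt):
        """Handle an incoming ARP packet; returns a reply packet when one is due."""
        f = parse_arp(pkt)
        if f["op"] == OP_REQUEST and f["target_ip"] == self.my_ip:
            return build_arp(OP_REPLY, self.my_mac, self.my_ip, f["sender_mac"], f["sender_ip"])
        if f["op"] == OP_REPLY:
            ip, mac = f["sender_ip"], f["sender_mac"]
            if ip not in self.pending:
                # A reply nobody asked for is the usual sign of ARP poisoning: log it, don't learn it.
                self.alerts.append(f"unsolicited reply: {ip} is-at {mac}")
                return None
            old = self.table.get(ip)
            if old is not None and old != mac:
                self.alerts.append(f"{ip} moved from {old} to {mac}")
            self.table[ip] = mac
            self.pending.discard(ip)
        return None

    def lookup(self, ip):
        return self.table.get(ip)


if __name__ == "__main__":
    a = ArpNode("00:11:22:33:44:55", "140.192.23.1")
    b = ArpNode("00:60:0a:34:aa:3c", "140.192.23.23")
    reply = b.receive(a.request("140.192.23.23"))
    a.receive(reply)
    print(a.lookup("140.192.23.23"))
```

Real stacks are less strict than `ArpNode` (many accept gratuitous ARP), which is exactly why tools that watch for unsolicited replies and MAC changes exist.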
Name services

“A name indicates what we seek. An address indicates where it is. A route indicates how to get there.”
 Name, i.e., host name
 • Variable length and mnemonic
 Name service: maps user-friendly names into router-friendly addresses, i.e., IP addresses.
A little history

 A central authority, the Network Information Center (NIC), maintained a flat table of name-to-address bindings, named “hosts.txt”
 To add a new host to the internet, an administrator sent an email to the NIC containing the hostname/address pair
 Every few days, the NIC mailed out hosts.txt to every administrator, who updated the table on every host
Today: Domain Name System

Keys:
 A hierarchical name space, rather than a flat name space
 • Similar to the Unix file system
 The “table” of bindings is partitioned into disjoint pieces and distributed throughout the Internet
Distributed, Hierarchical Database

Figure: Root DNS Servers → com DNS servers (yahoo.com DNS servers, amazon.com DNS servers), org DNS servers (pbs.org DNS servers), edu DNS servers (poly.edu DNS servers, umass.edu DNS servers)

client wants IP for www.amazon.com; 1st approx:
 client queries a root server to find com DNS server
 client queries com DNS server to get amazon.com DNS server
 client queries amazon.com DNS server to get IP address for www.amazon.com
DNS: Root name servers

 contacted by local name server that can not resolve name
 root name server:
 • contacts authoritative name server if name mapping not known
 • gets mapping
 • returns mapping to local name server

13 root name servers worldwide:
a Verisign, Dulles, VA
b USC-ISI Marina del Rey, CA
c Cogent, Herndon, VA (also LA)
d U Maryland College Park, MD
e NASA Mt View, CA
f Internet Software C. Palo Alto, CA (and 36 other locations)
g US DoD Vienna, VA
h ARL Aberdeen, MD
i Autonomica, Stockholm (plus 28 other locations)
j Verisign (21 locations)
k RIPE London (also 16 other locations)
l ICANN Los Angeles, CA
m WIDE Tokyo (also Seoul, Paris, SF)
TLD and Authoritative Servers

Top-level domain (TLD) servers:
 responsible for com, org, net, edu, aero, jobs, museums, and all top-level country domains, e.g.: uk, fr, ca, jp
 Network Solutions maintains servers for com TLD
 Educause for edu TLD
TLD and Authoritative Servers (continued)

Authoritative DNS servers:
 organization’s DNS servers, providing authoritative hostname to IP mappings for organization’s servers (e.g., Web, mail).
 can be maintained by organization or service provider
DNS services

 hostname to IP address translation
 host aliasing
 • canonical and alias names
 mail server aliasing
 • xxx@fordham.edu? Which host(s) in the fordham.edu domain take care of email forwarding, i.e., are the email servers?
 • Can we look this up using nslookup?
 load distribution
 • replicated Web servers: set of IP addresses for one canonical name
Distributed, Hierarchical Database (continued)

Figure as above: Root DNS Servers → com / org / edu DNS servers → yahoo.com, amazon.com, pbs.org, poly.edu, umass.edu DNS servers

client wants IP for www.amazon.com; 1st approx:
 client queries a root server to find com DNS server
 client queries com DNS server to get amazon.com DNS server
 client queries amazon.com DNS server to get IP address for www.amazon.com

How did the client locate a root server? Or resolve the name of the server that knows how to resolve names?
 Through a local name server
Local Name Server

 does not strictly belong to the DNS name server hierarchy
 each ISP (residential ISP, company, university) has one
 • also called “default name server”
 when a host makes a DNS query, the query is sent to its local DNS server
 • acts as a proxy, forwards the query into the hierarchy
 How does a host figure out what its local name server is?
DNS name resolution example: iterated query

Host at cis.poly.edu wants the IP address for gaia.cs.umass.edu.

Iterated query: the contacted server replies with the name of the server to contact: “I don’t know this name, but ask this server”

Messages in the figure (requesting host cis.poly.edu, local DNS server dns.poly.edu, root DNS server, TLD DNS server, authoritative DNS server dns.cs.umass.edu):
1. requesting host → local DNS server
2. local DNS server → root DNS server
3. root DNS server → local DNS server (referral)
4. local DNS server → TLD DNS server
5. TLD DNS server → local DNS server (referral)
6. local DNS server → authoritative DNS server
7. authoritative DNS server → local DNS server
8. local DNS server → requesting host
DNS name resolution example: recursive query

Recursive query: puts the burden of name resolution on the contacted name server. Heavy load?

Messages in the figure:
1. requesting host cis.poly.edu → local DNS server dns.poly.edu
2. local DNS server → root DNS server
3. root DNS server → TLD DNS server
4. TLD DNS server → authoritative DNS server dns.cs.umass.edu
5. authoritative DNS server → TLD DNS server
6. TLD DNS server → root DNS server
7. root DNS server → local DNS server
8. local DNS server → requesting host
DNS: caching and updating records

 once (any) name server learns a mapping, it caches the mapping
 • cache entries time out (disappear) after some time
 • TLD servers typically cached in local name servers
   • Thus root name servers not often visited
 update/notify mechanisms proposed as IETF standard
 • RFC 2136
DNS records

DNS: distributed db storing resource records (RR)
RR format: (name, value, type, ttl)

Type=A
 name is hostname
 value is IP address
Type=NS
 name is domain (e.g., foo.com)
 value is hostname of authoritative name server for this domain
Type=CNAME
 name is alias name for some “canonical” (the real) name
 • www.ibm.com is really servereast.backup2.ibm.com
 value is canonical name
Type=MX
 value is name of mailserver associated with name
Inserting records into DNS

 example: new startup “Network Utopia”
 register name networkutopia.com at DNS registrar (e.g., Network Solutions)
 • provide names, IP addresses of authoritative name server (primary and secondary)
 • registrar inserts two RRs into com TLD server:
   (networkutopia.com, dns1.networkutopia.com, NS)
   (dns1.networkutopia.com, 212.212.212.1, A)
 create authoritative server Type A record for www.networkutopia.com; Type MX record for networkutopia.com
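The resolution, caching and record slides above, tied together in one added example that is not from the slides: a three-level toy hierarchy (root, com TLD, the networkutopia.com authoritative server) and a local name server that iterates through it, follows CNAMEs, and caches answers and referrals until their TTL expires. The NS and A records the registrar inserted are the slide's; the server addresses 10.0.0.1 and 10.0.0.2, the TTLs, and the A, MX and CNAME records on the authoritative server are constructed.

```python
"""Toy DNS hierarchy with an iterative local name server, caching and TTL expiry (added example)."""
import time

# Constructed zone data: server IP -> its records, (name, type) -> [(value, ttl_seconds)].
SERVERS = {
    "10.0.0.1": {                                      # root server (constructed address)
        ("com", "NS"): [("dns.com-tld.example", 172800)],
        ("dns.com-tld.example", "A"): [("10.0.0.2", 172800)],
    },
    "10.0.0.2": {                                      # com TLD server: the two RRs from the slide
        ("networkutopia.com", "NS"): [("dns1.networkutopia.com", 86400)],
        ("dns1.networkutopia.com", "A"): [("212.212.212.1", 86400)],
    },
    "212.212.212.1": {                                 # authoritative server dns1.networkutopia.com
        ("www.networkutopia.com", "A"): [("212.212.212.10", 3600)],
        ("networkutopia.com", "MX"): [("mail.networkutopia.com", 3600)],
        ("mail.networkutopia.com", "A"): [("212.212.212.20", 3600)],
        ("ftp.networkutopia.com", "CNAME"): [("www.networkutopia.com", 3600)],
    },
}


def ask_server(server_ip, name, qtype):
    """One query to one server: an answer, a CNAME, a referral ('ask this server') or nothing."""
    zone = SERVERS[server_ip]
    if (name, qtype) in zone:
        return "answer", zone[(name, qtype)]
    if (name, "CNAME") in zone:
        return "cname", zone[(name, "CNAME")]
    labels = name.split(".")
    for i in range(len(labels)):                       # closest enclosing zone this server delegates
        suffix = ".".join(labels[i:])
        if (suffix, "NS") in zone:
            ns_name, ttl = zone[(suffix, "NS")][0]
            glue_ip = zone[(ns_name, "A")][0][0]       # glue A record shipped with the referral
            return "referral", (suffix, glue_ip, ttl)
    return "nxdomain", None


class ManualClock:
    """Settable clock so TTL expiry can be exercised without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class LocalNameServer:
    """The 'local DNS server' of the slides: iterates root -> TLD -> authoritative, caching as it goes."""

    def __init__(self, root_ip, clock=time.time):
        self.root_ip, self.clock = root_ip, clock
        self.answers = {}       # (name, type) -> (records, expiry)
        self.referrals = {}     # zone -> (server_ip, expiry)
        self.messages_sent = 0

    def _live(self, table, key):
        entry = table.get(key)
        if entry is not None and entry[1] > self.clock():
            return entry[0]
        table.pop(key, None)    # expired entries disappear
        return None

    def _start_server(self, name):
        """Longest cached delegation first; only fall back to the root when nothing is cached."""
        labels = name.split(".")
        for i in range(len(labels)):
            server = self._live(self.referrals, ".".join(labels[i:]))
            if server:
                return server
        return self.root_ip

    def resolve(self, name, qtype="A", _depth=0):
        if _depth > 8:
            raise RuntimeError("CNAME chain too long")
        cached = self._live(self.answers, (name, qtype))
        if cached:
            return [value for value, _ in cached]
        server = self._start_server(name)
        for _hop in range(10):                         # bounded: a misconfigured referral loop must end
            self.messages_sent += 1
            kind, data = ask_server(server, name, qtype)
            if kind == "referral":
                zone, server, ttl = data
                self.referrals[zone] = (server, self.clock() + ttl)
            elif kind == "cname":
                self.answers[(name, "CNAME")] = (data, self.clock() + data[0][1])
                return self.resolve(data[0][0], qtype, _depth + 1)
            elif kind == "answer":
                self.answers[(name, qtype)] = (data, self.clock() + min(ttl for _, ttl in data))
                return [value for value, _ in data]
            else:
                return []
        return []
```

The first lookup of www.networkutopia.com costs three messages (root, TLD, authoritative), exactly the "1st approximation" of the earlier slide; once the referral for networkutopia.com is cached, further names in that zone go straight to the authoritative server, and after the A record's 3600 s TTL passes only one message is needed to refresh it.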
Configuration of DNS

 In Unix, BIND (Berkeley Internet Name Domain) implements DNS
 • Client side: the resolver that generates and sends queries
 • Server side: answers the resolver’s questions; a daemon called “named”
 Other name services:
 • /etc/hosts: mapping from host name to IP address
 • NIS (Network Information Service)
 Chapters 8, 9
Configuration servers

Allow a network administrator to control TCP/IP configuration from a central point
 RARP: Reverse Address Resolution Protocol
 • For a host to find out its IP address from its MAC address
 • Obsolete
 BOOTP: replaces RARP and provides more services
 DHCP: replaces BOOTP
 • Compatible with BOOTP
DHCP overview

 Uses UDP ports 67 and 68
 DHCP can return more than just an allocated IP address on the subnet:
 • address of first-hop router for client
 • name and IP address of DNS server
 • network mask (indicating network versus host portion of address)
 • A complete set of TCP/IP configuration values!
 Permits automated allocation of IP addresses
DHCP: different address assignment schemes

 Permanent fixed addresses
 • For name servers, email servers, …
 Manual allocation: CIS Ethernet in RH
 Automatic allocation
 Dynamic allocation: WiFi networks of Fordham, CIS dept.
 • Server assigns an address to a DHCP client for a limited period of time (lease).
 • Client can return the lease earlier, but has to request an extension if needed (longer than permitted time)
DHCP: Dynamic Host Configuration Protocol

Goal: allow a host to dynamically obtain its IP address from a network server when it joins the network
 Can renew its lease on the address in use
 Allows reuse of addresses (only hold an address while connected and “on”)
 Support for mobile users who want to join the network (more shortly)

DHCP overview:
 host broadcasts “DHCP discover” msg [optional]
 DHCP server responds with “DHCP offer” msg [optional]
 host requests IP address: “DHCP request” msg
 DHCP server sends address: “DHCP ack” msg
DHCP client-server scenario

Figure: the network from the forwarding example (hosts A, B, E; addresses 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.1, 223.1.2.2, 223.1.2.9, 223.1.3.1, 223.1.3.2, 223.1.3.27) with a DHCP server on the 223.1.2 network; an arriving DHCP client needs an address in this network.
DHCP client-server scenario (message exchange)

DHCP server: 223.1.2.5; arriving client. Messages in time order:

DHCP discover (client → server)
 src: 0.0.0.0, 68
 dest: 255.255.255.255, 67
 yiaddr: 0.0.0.0
 transaction ID: 654

DHCP offer (server → client)
 src: 223.1.2.5, 67
 dest: 255.255.255.255, 68
 yiaddr: 223.1.2.4
 transaction ID: 654
 Lifetime: 3600 secs

DHCP request (client → server)
 src: 0.0.0.0, 68
 dest: 255.255.255.255, 67
 yiaddr: 223.1.2.4
 transaction ID: 655
 Lifetime: 3600 secs

DHCP ACK (server → client)
 src: 223.1.2.5, 67
 dest: 255.255.255.255, 68
 yiaddr: 223.1.2.4
 transaction ID: 655
 Lifetime: 3600 secs
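The four messages above on the wire, as an added example that is not from the slides: messages are encoded in the BOOTP/DHCP header format with the message-type, lease-time, server-identifier and requested-address options, a toy server keeps a pool and a lease table, and the client checks that each reply carries its own transaction ID before acting on it. The server address 223.1.2.5, the offered address 223.1.2.4, the transaction IDs 654/655 and the 3600 s lifetime are the slide's; the client hardware addresses, the mask, and the choice of 223.1.2.9 as router and of the server itself as DNS server are assumptions.

```python
"""DHCP discover/offer/request/ack in the BOOTP wire format, with a toy server (added example)."""
import socket
import struct

# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
HDR = "!BBBBIHH4s4s4s4s16s64s128s"
MAGIC = bytes([99, 130, 83, 99])          # magic cookie that starts the options field
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
OPT_MASK, OPT_ROUTER, OPT_DNS, OPT_REQ_IP = 1, 3, 6, 50
OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 51, 53, 54, 255
aton, ntoa = socket.inet_aton, socket.inet_ntoa


def build(msg_type, xid, chaddr, yiaddr="0.0.0.0", options=()):
    """Encode one DHCP message; the UDP layer (client port 68, server port 67) is left out."""
    op = 1 if msg_type in (DISCOVER, REQUEST) else 2            # BOOTREQUEST / BOOTREPLY
    zero = aton("0.0.0.0")
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0x8000, zero, aton(yiaddr), zero, zero, chaddr, b"", b"")
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return hdr + MAGIC + body + bytes([OPT_END])


def parse(pkt):
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                                          # pad option
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "yiaddr": ntoa(f[8]), "chaddr": f[11][:f[2]],
            "type": opts[OPT_MSG_TYPE][0], "options": opts}


class DhcpServer:
    """Hands out addresses from a pool; remembers offers and leases per client hardware address."""

    def __init__(self, server_ip, pool, lease=3600, mask="255.255.255.0", router=None, dns=None):
        self.ip, self.pool, self.lease = server_ip, list(pool), lease
        self.offered, self.leases = {}, {}                        # chaddr -> IP
        self.config = [(OPT_MASK, aton(mask)), (OPT_ROUTER, aton(router or server_ip)),
                       (OPT_DNS, aton(dns or server_ip))]

    def handle(self, pkt):
        m = parse(pkt)
        mine = [(OPT_SERVER_ID, aton(self.ip)), (OPT_LEASE, struct.pack("!I", self.lease))] + self.config
        if m["type"] == DISCOVER:
            ip = self.leases.get(m["chaddr"]) or self.offered.get(m["chaddr"])
            if ip is None and self.pool:
                ip = self.pool.pop(0)
            if ip is None:
                return None                                       # pool exhausted: no offer
            self.offered[m["chaddr"]] = ip
            return build(OFFER, m["xid"], m["chaddr"], ip, mine)
        if m["type"] == REQUEST:
            if m["options"].get(OPT_SERVER_ID) != aton(self.ip):
                return None                                       # client accepted another server's offer
            wanted = ntoa(m["options"][OPT_REQ_IP])
            if wanted in (self.offered.get(m["chaddr"]), self.leases.get(m["chaddr"])):
                self.leases[m["chaddr"]] = wanted
                self.offered.pop(m["chaddr"], None)
                return build(ACK, m["xid"], m["chaddr"], wanted, mine)
            return build(NAK, m["xid"], m["chaddr"], options=[(OPT_SERVER_ID, aton(self.ip))])
        return None


def client_exchange(server, chaddr):
    """The four-message exchange of the slide; the client only acts on replies carrying its own xid."""
    reply = server.handle(build(DISCOVER, 654, chaddr))
    if reply is None:
        return None
    offer = parse(reply)
    if offer["type"] != OFFER or offer["xid"] != 654:
        return None
    request = build(REQUEST, 655, chaddr, options=[
        (OPT_REQ_IP, aton(offer["yiaddr"])), (OPT_SERVER_ID, offer["options"][OPT_SERVER_ID])])
    ack = parse(server.handle(request))
    if ack["type"] != ACK or ack["xid"] != 655:
        return None
    o = ack["options"]
    return {"ip": ack["yiaddr"], "mask": ntoa(o[OPT_MASK]), "router": ntoa(o[OPT_ROUTER]),
            "dns": ntoa(o[OPT_DNS]), "lifetime": struct.unpack("!I", o[OPT_LEASE])[0]}


if __name__ == "__main__":
    srv = DhcpServer("223.1.2.5", ["223.1.2.4"], router="223.1.2.9")
    print(client_exchange(srv, bytes.fromhex("0a1b2c3d4e5f")))
```

The transaction-ID check is the client's only defence against stray or stale replies in this exchange; nothing in the protocol authenticates the server, which is why a rogue DHCP server on the same broadcast domain can hand out its own router and DNS settings and why switches offer DHCP snooping.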
Good online resources

Share with the class your favorite links!
 TCP/IP Guide
 • http://www.tcpipguide.com/free/index.htm
Origin of telnet

 During the late 1960s (before PCs)
 • Large computers were shared by many users
 • Accessed via a physical terminal (specially tailored to the host) connected to that machine
 Problems
 • Different terminals for accessing different computers
 • To access a computer remotely, one used a dedicated data circuit connecting terminal and host
History of telnet (2)

 Solution: a more general way of allowing any terminal to access any computer
 • the underlying internetwork provides the mechanism for communicating information between computers
   • physical network connecting sites
   • TCP/IP protocol suite connecting networks
 • an application protocol, telnet: allows a user to establish a session to any networked computer
Telnet?

 Application layer protocol
 Software that implements the client part of the protocol
 • Telnet client applications are available for virtually all computer platforms
 • On erdos, command “telnet”
 • On your PC, command “telnet” …
To telnet?

 To telnet means to establish a connection to a device using the Telnet protocol via the telnet program
 • "To change your password, telnet to the server, login and run the passwd command"
 • Most often, a user telnets to a Unix-like server system or a network device (such as a router) and obtains a login prompt to a command-line text interface
telnet protocol (app. layer), RFC 854

 Supports bidirectional interactive, text-oriented communication
 • data is interspersed with control information in a data connection over TCP
   • Recall TCP: reliable, in-order delivery, connection-oriented; flow control; congestion control
 Session oriented: communication of data and commands between client and server over a prolonged period of time
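What "data interspersed with control information" means in practice, as an added example that is not from the slides: a receiver for the RFC 854 byte stream that separates user data from the IAC (0xFF) command sequences mixed into it, refuses every option offered (WONT to DO, DONT to WILL), handles a command split across two TCP reads, and collects sub-negotiations. The byte strings fed to it are constructed; option 24 is the terminal-type option of RFC 1091.

```python
"""Telnet (RFC 854) stream splitter: user data vs. in-band IAC commands (added example)."""

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


class TelnetStream:
    """Feed received bytes in; get user data out. Negotiation replies accumulate in .replies."""

    def __init__(self):
        self.buf = b""          # bytes held back because a command was cut off by the read boundary
        self.replies = b""      # what we owe the peer: a WONT/DONT for every DO/WILL
        self.commands = []      # (command, option_or_payload) in arrival order, for inspection

    def feed(self, chunk):
        self.buf += chunk
        data = bytearray()
        i = 0
        while i < len(self.buf):
            b = self.buf[i]
            if b != IAC:
                data.append(b)
                i += 1
                continue
            if i + 1 >= len(self.buf):
                break                                   # lone IAC at the end: wait for more bytes
            cmd = self.buf[i + 1]
            if cmd == IAC:
                data.append(IAC)                        # escaped 0xFF data byte
                i += 2
            elif cmd in (DO, DONT, WILL, WONT):
                if i + 2 >= len(self.buf):
                    break                               # option byte not here yet
                opt = self.buf[i + 2]
                self.commands.append((cmd, opt))
                if cmd == DO:
                    self.replies += bytes([IAC, WONT, opt])
                elif cmd == WILL:
                    self.replies += bytes([IAC, DONT, opt])
                i += 3
            elif cmd == SB:
                end = self.buf.find(bytes([IAC, SE]), i + 2)
                if end < 0:
                    break                               # sub-negotiation still incomplete
                # (payloads containing an escaped IAC IAC are not unescaped here)
                self.commands.append((SB, bytes(self.buf[i + 2:end])))
                i = end + 2
            else:
                self.commands.append((cmd, None))       # two-byte commands such as NOP or GA
                i += 2
        self.buf = self.buf[i:]
        return bytes(data)


if __name__ == "__main__":
    t = TelnetStream()
    print(t.feed(b"\xff\xfd\x18login: "), t.replies)
```

Refusing everything is what a minimal client does, and it is also the safe default for a server-side parser: anything it has not explicitly agreed to is treated as plain NVT ASCII.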
Telnet: overall function

 client/server paradigm
 telnet client: a program that acts as an interface to the user
 • processes keystrokes and user commands
 • presents output from the remote machine
 telnet server: a program running on a remote computer that has been set up to allow remote sessions
telnet: how does it work?

 Server listens for connections on TCP port number 23
 a client initiates a TCP connection to the server
 • sets up a TCP connection using the TCP three-way handshake
 • the TCP connection is maintained for the duration of the Telnet session
 the server supports multiple simultaneous sessions with different users, differentiating them using the IP address and port number of the client
telnet: how does it work? (2)

 client and server software provide the user an interface to the remote host
 • For the client: a telnet session appears the same as sitting down at a terminal directly connected to the remote host
 • The server begins the user’s session with a login prompt asking for a user name and password
 • The client will accept this information from the user and send it to the server
   • the user will be logged in and can use the host in whatever manner his or her account authorizes
telnet usage: remote login

 So far: telnet provided access to a command-line interface on a remote host
 • Most network equipment and operating systems with a TCP/IP stack support a Telnet service for remote configuration
 Due to security issues (the login and the whole session travel in cleartext), its use for this purpose has waned in favor of SSH.
 • Demo of PuTTY
telnet usage: others

 a host of other TCP/IP protocols exchange messages the way telnet does: lines of text over a TCP connection
 • Therefore, a telnet client can be used to connect to servers of such protocols, including SMTP, HTTP, POP
 useful for diagnostic purposes!
Telnet as a diagnostic tool

 telnet to access other application servers
 • Specify the port number corresponding to the service
   • telnet www.someserversomewhere.org 80
 • You will not receive a login prompt; instead the server will wait for you to send an HTTP Request message, as if you were a Web browser.
 • If you enter a valid request, the server will send you an HTTP Response message.
Electronic Mail

Three major components:
 user agents
 mail servers
 simple mail transfer protocol: SMTP

Figure: user agents attached to mail servers; each mail server holds user mailboxes and an outgoing message queue; mail servers exchange messages over SMTP.

User Agent
 a.k.a. “mail reader”
 composing, editing, reading mail messages
 e.g., Outlook, elm, Mozilla Thunderbird, iPhone mail client
 outgoing, incoming messages stored on server
Electronic Mail: mail servers

Mail Servers
 mailbox contains incoming messages for user
 • Often maintained as a file
 message queue of outgoing (to be sent) mail messages
 SMTP protocol between mail servers to send email messages
 • client: sending mail server
 • “server”: receiving mail server

Figure: as above (user agents, mail servers, SMTP between servers).
Electronic Mail: SMTP [RFC 2821]

 uses TCP to reliably transfer email message from client to server, port 25
 direct transfer: sending server to receiving server
 three phases of transfer
 • handshaking (greeting): HELO
 • transfer of messages: DATA
 • closure: QUIT
 command/response interaction
 • commands: ASCII text
 • response: status code and phrase
 messages must be in 7-bit ASCII
Scenario: Alice sends message to Bob

1) Alice uses UA to compose message and “to” bob@someschool.edu
2) Alice’s UA sends message to her mail server; message placed in message queue
3) Client side of SMTP opens TCP connection with Bob’s mail server
4) SMTP client sends Alice’s message over the TCP connection
5) Bob’s mail server places the message in Bob’s mailbox
6) Bob invokes his user agent to read message

Figure: Alice’s user agent (1) → Alice’s mail server (2) → SMTP (3, 4) → Bob’s mail server (5) → Bob’s user agent (6)
Sample SMTP interaction

S: 220 hamburger.edu
C: HELO crepes.fr
S: 250 Hello crepes.fr, pleased to meet you
C: MAIL FROM: <alice@crepes.fr>
S: 250 alice@crepes.fr... Sender ok
C: RCPT TO: <bob@hamburger.edu>
S: 250 bob@hamburger.edu ... Recipient ok
C: DATA
S: 354 Enter mail, end with "." on a line by itself
C: Do you like ketchup?
C: How about pickles?
C: .
S: 250 Message accepted for delivery
C: QUIT
S: 221 hamburger.edu closing connection

The line containing only "." marks the end of data (the email body).
Try SMTP interaction for yourself:

 telnet servername 25
 see 220 reply from server
 enter HELO, MAIL FROM, RCPT TO, DATA, QUIT commands
The above lets you send email without using an email client (reader)
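The same dialogue done by a program instead of by hand at a telnet prompt, as an added example that is not from the slides: a client that opens a TCP connection, sends the commands of the sample interaction and records every reply, run against an in-process stand-in for the receiving mail server so it works offline. The server side is constructed and speaks only the commands on the slide; the hostnames, addresses and message text are the slide's. The client also applies the "dot-stuffing" rule that a body line beginning with "." must be sent with an extra leading dot, since "." alone ends the message.

```python
"""Raw SMTP dialogue over a TCP socket, the way 'telnet servername 25' does it (added example)."""
import socket
import threading


def toy_smtp_server(conn, hostname="hamburger.edu"):
    """Constructed stand-in for a receiving mail server; returns the messages it accepted."""
    rf = conn.makefile("rb")

    def say(line):
        conn.sendall(line.encode() + b"\r\n")

    def address(arg):                       # "FROM: <alice@crepes.fr>" -> "alice@crepes.fr"
        return arg.split(":", 1)[-1].strip().strip("<>")

    say(f"220 {hostname}")
    sender, rcpts, delivered = None, [], []
    while True:
        raw = rf.readline()
        if not raw:
            break                           # client went away without QUIT
        verb, _, arg = raw.decode().rstrip("\r\n").partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            say(f"250 Hello {arg}, pleased to meet you")
        elif verb == "MAIL":
            sender = address(arg)
            say(f"250 {sender}... Sender ok")
        elif verb == "RCPT":
            rcpts.append(address(arg))
            say(f"250 {rcpts[-1]} ... Recipient ok")
        elif verb == "DATA":
            if sender is None or not rcpts:
                say("503 Bad sequence of commands")
                continue
            say('354 Enter mail, end with "." on a line by itself')
            body = []
            while True:
                line = rf.readline().decode().rstrip("\r\n")
                if line == ".":
                    break
                body.append(line[1:] if line.startswith("..") else line)   # undo dot-stuffing
            delivered.append((sender, list(rcpts), "\n".join(body)))
            sender, rcpts = None, []
            say("250 Message accepted for delivery")
        elif verb == "QUIT":
            say(f"221 {hostname} closing connection")
            break
        else:
            say("500 Command unrecognized")
    conn.close()
    return delivered


def send_mail(host, port, helo, sender, rcpt, body_lines):
    """Client side: the commands from the slide, one reply read per command; returns the transcript."""
    transcript = []
    with socket.create_connection((host, port), timeout=5) as s:
        rf = s.makefile("rb")

        def reply():
            line = rf.readline().decode().rstrip("\r\n")
            transcript.append("S: " + line)
            return line

        def send(cmd):
            transcript.append("C: " + cmd)
            s.sendall(cmd.encode() + b"\r\n")

        if not reply().startswith("220"):
            return transcript
        for cmd in (f"HELO {helo}", f"MAIL FROM: <{sender}>", f"RCPT TO: <{rcpt}>", "DATA"):
            send(cmd)
            if reply()[:3] not in ("250", "354"):
                send("QUIT")
                reply()
                return transcript
        for line in body_lines:
            send("." + line if line.startswith(".") else line)
        send(".")
        reply()
        send("QUIT")
        reply()
    return transcript


def run_demo(body_lines=("Do you like ketchup?", "How about pickles?")):
    """Start the toy server on a loopback port, run the client against it, return both sides' results."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    result = {}

    def serve():
        conn, _ = listener.accept()
        conn.settimeout(5)
        result["delivered"] = toy_smtp_server(conn)

    worker = threading.Thread(target=serve)
    worker.start()
    transcript = send_mail("127.0.0.1", listener.getsockname()[1], "crepes.fr",
                           "alice@crepes.fr", "bob@hamburger.edu", body_lines)
    worker.join()
    listener.close()
    return transcript, result["delivered"]


if __name__ == "__main__":
    for line in run_demo()[0]:
        print(line)
```

Nothing in this exchange verifies that the client is really crepes.fr or that the sender is really alice: the envelope is whatever the client types, which is why a real receiving server adds authentication and sender checks on top of the protocol shown here.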
Mail message format

 SMTP: protocol for exchanging email msgs
 RFC 822: standard for text message format:
 • header lines, e.g.,
   • To:
   • From:
   • Subject:
   different from SMTP commands!
 • a blank line separates the header from the body
 • body
   • the “message”, ASCII characters only
 MIME: Multipurpose Internet Mail Extensions
 • Carrying data of various forms: text, application (binary data), image, video, audio, message, …
 • Multiple objects within an email
Mail access protocols

Figure: sender’s user agent → (SMTP) sender’s mail server → (SMTP) receiver’s mail server → (access protocol) receiver’s user agent

 SMTP: delivery/storage to receiver’s server
 mail access protocol: retrieval from server
 • POP: Post Office Protocol [RFC 1939]
   • authorization (agent <--> server) and download
 • IMAP: Internet Mail Access Protocol [RFC 1730]
   • more features (more complex)
   • manipulation of stored msgs on server
 • HTTP: gmail, Hotmail, Yahoo! Mail, etc.
POP3 protocol

authorization phase
 client commands:
 • user: declare username
 • pass: password
 server responses
 • +OK
 • -ERR

transaction phase, client:
 list: list message numbers
 retr: retrieve message by number
 dele: delete
 quit

S: +OK POP3 server ready
C: user bob
S: +OK
C: pass hungry
S: +OK user successfully logged on
C: list
S: 1 498
S: 2 912
S: .
C: retr 1
S: <message 1 contents>
S: .
C: dele 1
C: retr 2
S: <message 2 contents>
S: .
C: dele 2
C: quit
S: +OK POP3 server signing off
POP3 (more) and IMAP

more about POP3
 previous example uses “download and delete” mode.
 • Bob cannot re-read email if he changes client
 “download-and-keep”: copies of messages on different clients
 POP3 is stateless across sessions
IMAP
 keeps all messages in one place: at server
 allows user to organize messages in folders
 keeps user state across sessions:
 • names of folders and mappings between message IDs and folder name
Protocol Analysis

 Protocol: defines the rules of exchange between a pair (or more) of machines over a communication network
 • HTTP (Hypertext Transfer Protocol)
   • Defines how web pages are fetched and sent across a network
 • TCP (Transmission Control Protocol)
   • Provides reliable, in-order delivery of a stream of bytes

 Verify correctness
 Debug/detect incorrect behavior
 Analyze performance
 Gain deeper understanding of existing protocols by “seeing” how they behave in actual use
Analysis Methods

 Instrument the code
 • Difficult task, even for experienced network programmers
 • Tedious and time consuming
 Use available tools
 • tcpdump / tshark
 • Wireshark
 • ipsumdump
 Write your own tool
 • libpcap
Wireshark System Overview (figure)
Tools overview

 Tcpdump
 • Unix-based command-line tool used to intercept packets
 • Reads “live traffic” from the interface specified using the -i option …
 • … or from a previously recorded trace file specified using the -r option
   • Created when capturing live traffic using the -w option
 Tshark: tcpdump-like capture program that comes w/ Wireshark
 Wireshark: GUI for displaying tcpdump/tshark packet traces
Cheat Sheet – Commonly Used tshark Options

 -w <filename>: write raw packets to the specified file instead of parsing and printing them out.
 • save a packet capture session and run multiple filters against it later
 -r <filename>: read packets from the specified file instead of live capture.
 • The file should have been created with the -w option
tshark example

Output from tshark:
1190003744.940437 61.184.241.230 -> 128.32.48.169 SSH Encrypted request packet len=48
1190003744.940916 128.32.48.169 -> 61.184.241.230 SSH Encrypted response packet len=48
1190003744.955764 61.184.241.230 -> 128.32.48.169 TCP 6943 > ssh [ACK] Seq=48 Ack=48 Win=65514 Len=0 TSV=445871583 TSER=632535493
1190003745.035678 61.184.241.230 -> 128.32.48.169 SSH Encrypted request packet len=48
1190003745.036004 128.32.48.169 -> 61.184.241.230 SSH Encrypted response packet len=48
1190003745.050970 61.184.241.230 -> 128.32.48.169 TCP 6943 > ssh [ACK] Seq=96 Ack=96 Win=65514 Len=0 TSV=445871583 TSER=632535502
Filters

Use filters to capture only the packets of interest to us
1. Capture only UDP packets
 • tshark “udp”
2. Capture only TCP packets
 • tshark “tcp”
Filters: example

1. Capture only UDP packets with destination port 53 (DNS requests)
 • tshark “udp dst port 53”
2. Capture only UDP packets with source port 53 (DNS replies)
 • tshark “udp src port 53”
3. Capture only UDP packets with source or destination port 53 (DNS requests and replies)
 • tshark “udp port 53”
Filters: example

1. Capture only packets destined to storm.cis.fordham.edu
 • tshark “dst host storm.cis.fordham.edu”
2. Capture both DNS packets and TCP packets to/from quasar.cs.berkeley.edu
 • tshark “(tcp and host storm.cis.fordham.edu) or udp port 53”
Cheat Sheet – Writing Filters (1)

 Specifying the hosts we are interested in
 • “dst host <name/IP>”
 • “src host <name/IP>”
 • “host <name/IP>” (either source or destination is name/IP)
 Specifying the ports we are interested in
 • “dst port <number>”
 • “src port <number>”
 • “port <number>”
 • Makes sense only for TCP and UDP packets
Cheat Sheet – Writing Filters (2)

 Specifying ICMP packets
 • “icmp”
 Specifying UDP packets
 • “udp”
 Specifying TCP packets
 • “tcp”
Cheat Sheet – Writing Filters (2)

 Combining filters
 • and (&&)
 • or (||)
 • not (!)
 Example:
 • All tcp packets which are not from or to host storm.cis.fordham.edu
   tcpdump “tcp and ! host quasar.cs.berkeley.edu”
 • Lots of examples in the EXAMPLES section of the man page
Security/Privacy Issues

 Tcpdump/tshark/wireshark allow you to monitor other people’s traffic
 • WARNING: Do NOT use these to violate privacy or security
 Use filtering to restrict packet analysis
 • tshark -p   (don’t capture in promiscuous mode)
 • tcpdump -s 0 -w all_pkts.trace tcp port 7788
Other Useful Tools

 IPsumdump
 • Handy “Swiss army knife” for displaying in ASCII the fields of interest in packet trace files
 • summarizes TCP/IP dump files into a self-describing ASCII format easily readable by humans and programs.
Wireshark Interface (online tutorial)
Wireshark display filter expressions

 One can build quite complex filter expressions
 • compare values in packets as well as combine expressions into more specific expressions
 • For examples see: Wireshark Wiki Display Filter http://wiki.wireshark.org/DisplayFilters
 Display filter fields
 • Every field in the packet details pane can be used as a filter string
   • filter string: tcp will show all packets containing the tcp protocol
Comparison operators
 ip.src==10.0.0.5
 ip.src!=10.0.0.5
 frame.len > 10
 frame.len < 128
 frame.len ge 0x100
 frame.len <= 0x20
Logic operations
 ip.src==10.0.0.5 and tcp.flags.fin
 ip.src==10.0.0.5 or ip.src==192.1.1.1
 tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29
 not llc
Enter filter using dialog

Exercises

Download