Network Traffic Flows – Getting Started

To troubleshoot an issue, you need to know how network traffic flows under normal circumstances. This article details what happens when a Web browser is used to access a Web site. Once the Web site name is entered into a Web browser, a series of communications occurs over various protocols. The table below represents how the network traffic flows:

The ARP Protocol

Before systems can communicate, they need to know each other’s hardware addresses. The Address Resolution Protocol (ARP) is used for this purpose. From its configuration, the workstation knows the IP address of the DNS server.

Line # 1: The workstation broadcasts a request to the devices on its network asking “who has” the IP address it needs to communicate with.
Line # 2: The remote system responds, providing its hardware address. Now that the workstation knows the hardware address of the remote system, it can communicate with it.

The DNS Protocol

Line # 3: The workstation asks the DNS server to provide the IP address of the Web server hosting www.cyberguard.com.
Line # 4: The DNS server responds with the IP address corresponding to www.cyberguard.com.

The TCP Protocol

The Transmission Control Protocol (TCP) is used to transfer data. These next three lines comprise the TCP three-way handshake:

Line # 5: The workstation initiates the connection to the Web server (SYN). SYN is an abbreviation for “synchronize.”
Line # 6: The Web server responds, indicating that it is ready for transmission (SYN ACK). SYN ACK is an abbreviation for “synchronize acknowledgement.”
Line # 7: The workstation sends to the Web server indicating that it is starting to send traffic (ACK). This acknowledgement indicates that the TCP connection is established and traffic can begin to flow.

The HTTP Protocol

The Hypertext Transfer Protocol (HTTP) is used to serve up Web pages. You can see evidence of this in the Web site address in your browser (e.g. http://www.cyberguard.com).

Line # 8: The browser opens a connection to the Web server.
Line # 9: The Web server accepts the connection.
Line # 10: The HTTP Continuation lines represent where the contents of the HTML page are sent over. This includes text, links, etc.

Back to the TCP Protocol

Line # 11: This line is actually repeated four times. The workstation is acknowledging the last packet.
Line # 12 (RST): The workstation sends a reset, effectively tearing down the TCP connection.

Tcpdump and Ethereal

It is important to note that tcpdump will provide different details depending on where it runs on your network. In this example, tcpdump was run on the internal interface of the firewall with a directly connected workstation. If tcpdump were used to monitor the same traffic flow on the external interface, the source IP address would appear as the external interface of the firewall, provided that Dynamic Network Address Translation (DNAT) was in place. To observe how proxy traffic flows, it makes sense to run tcpdump on both the internal and external interfaces, as the proxy acts as a middleman between the source and destination.

The source of the table was a tcpdump file viewed through Ethereal. The exact syntax used was:

tcpdump -vvpni dec1 -s1514 -w /archive2/dec1.dmp host 10.0.1.13

The tcpdump command has extensive options for recording very specific traffic flow (e.g. source/destination, ports, and Boolean expressions). For more information, enter “man tcpdump” on the command line. The Windows version is Windump (http://windump.polito.it). Ethereal is a good tool to view tcpdump files. It is freely available from http://www.ethereal.com.

Some of the ports present in a tcpdump may be unfamiliar to you. The most current list of port numbers can be found at http://www.iana.org/assignments/port-numbers (per RFC 3232).
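The stage-by-stage flow above, as an added example (Python, not code from the original article): a small checker that classifies the lines of a stripped-down tcpdump text capture into the stages of the table (ARP, DNS, TCP handshake, HTTP, teardown) and reports the first request that went unanswered, which is where troubleshooting starts. The line format, the stage patterns, the sample addresses and the hints are assumptions of this example.

```python
import re
# Stages of the normal flow, matched against a stripped-down tcpdump text line
# (no timestamps); the patterns are an assumption of this example.
STAGES = [
    ("arp_request",   r"arp who-has"),
    ("arp_reply",     r"arp reply"),
    ("dns_query",     r"\.53: .*A\?"),
    ("dns_answer",    r"\.53 > .* A "),
    ("tcp_syn",       r"\.80: Flags \[S\]"),
    ("tcp_syn_ack",   r"\.80 > .*Flags \[S\.\]"),
    ("tcp_ack",       r"\.80: Flags \[\.\]"),
    ("http_request",  r"HTTP: (GET|POST|HEAD) "),
    ("http_response", r"HTTP: HTTP/1\.[01] \d{3}"),
    ("tcp_teardown",  r"Flags \[[RF]\.?\]"),
]
# A request seen without its reply marks the stage where the flow stalled.
PAIRS = [("arp_request", "arp_reply"), ("dns_query", "dns_answer"),
         ("tcp_syn", "tcp_syn_ack"), ("http_request", "http_response")]
HINTS = {
    "arp_reply": "no ARP reply: next hop or DNS server unreachable on the local segment",
    "dns_answer": "no DNS answer: DNS server down, blocked by a filter, or misconfigured",
    "tcp_syn_ack": "no SYN-ACK: web server down, port 80 filtered, or no return route",
    "http_response": "handshake done but no HTTP response: server or proxy not answering",
}
def classify(line):
    """Name the stage a capture line belongs to, or None if unrecognised."""
    return next((name for name, pat in STAGES if re.search(pat, line)), None)
def diagnose(capture):
    """Find the first request without a reply and say what to check there."""
    seen = {classify(line) for line in capture.splitlines()} - {None}
    for request, reply in PAIRS:
        if request in seen and reply not in seen:
            hint = HINTS[reply]
            if reply == "tcp_syn_ack" and "tcp_teardown" in seen:
                hint = "SYN answered with RST: port 80 closed (connection refused)"
            return {"status": "stalled", "missing": reply, "hint": hint}
    return {"status": "normal" if "http_response" in seen else "empty", "missing": None, "hint": ""}
# Constructed sample (not from the page): the normal flow of the article's table.
NORMAL = """\
arp who-has 10.0.1.1 tell 10.0.1.13
arp reply 10.0.1.1 is-at 00:0c:29:aa:bb:cc
IP 10.0.1.13.1040 > 10.0.1.1.53: 1+ A? www.cyberguard.com.
IP 10.0.1.1.53 > 10.0.1.13.1040: 1 1/0/0 A 192.0.2.10
IP 10.0.1.13.1041 > 192.0.2.10.80: Flags [S]
IP 192.0.2.10.80 > 10.0.1.13.1041: Flags [S.]
IP 10.0.1.13.1041 > 192.0.2.10.80: Flags [.]
IP 10.0.1.13.1041 > 192.0.2.10.80: Flags [P.] HTTP: GET / HTTP/1.1
IP 192.0.2.10.80 > 10.0.1.13.1041: Flags [P.] HTTP: HTTP/1.1 200 OK
IP 10.0.1.13.1041 > 192.0.2.10.80: Flags [R.]
"""
```

Truncating NORMAL after the DNS query, or answering the SYN with a server RST, makes diagnose() point at the DNS server or at a closed port 80 respectively; a capture taken on the firewall's external interface would show the firewall's address as the source, as the article notes, so the patterns only key on ports and flags.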
Last modified: January 29 2004.