
LAB 3B: NETWORK LAYER (CHECKPOINT II)

Lab 3(b): Network Layer


Objective
After completing the first part of Lab 3 (Lab 3a: Checkpoint I), you should understand
the network structure implemented in the “Racks”. Lab 3b or Lab 3 Checkpoint II consists of
some experiments to see the results of Network Address Translation (NAT) and examine
another malicious network action by modifying some parameters in the Border Gateway
Protocol (BGP) in our simulated routers.
The questions in this lab ask for speculation; you should experiment (analyze) with Wireshark as
much as you can before answering the questions in this assignment. This means analyzing
multiple packets, streams, interactions, etc. from different locations (e.g., inside (private network)
and outside (public network) the NAT). Then after your deep analysis, put together a coherent
hypothesis/explanation of what you observe based on your knowledge of NAT, and report your
ideas. Make sure to use appropriate networking terminology in your descriptions. It might be
beneficial for you to also read the corresponding textbook sections regarding NAT and BGP to
help you answer these questions¹.
Lab 3b or Lab 3 Checkpoint II is worth forty (40) points. For full credit, make sure to
thoroughly document your analysis (experiments). And yes, that means some more screenshots!

Procedures
1. Verify that power switch nine (9) (on the power rail behind the rack) is turned on.

1 NAT: Section 4.3.4, BGP: Section 5.4 (7th edition book)

PAGE 1 OF 11 NOVEMBER 15, 2024 VERSION 3.2




2. Verify that the Netgear switches inside the rack display the numbers 1, 2, 3, and 4. Note
that we have two new switches for you to observe this time (four (4) in total).

3. Turn on (Restart if it is already on) the PC by powering on switch eight (8) (on the power
rail behind the rack).
4. If power switch three (3) is ON, turn it OFF and wait for ten (10) seconds before proceeding
with the next step (Static charge can keep the device on for a second or two).
5. Turn ON switch three (3) (on the power rail behind the rack) and wait up to three (3)
minutes for the hosts emulating routers to boot and spread routing information.
6. If you have any issues during the lab, you can restart all the components in Lab 3 by
repeating steps four (4) and five (5).
7. Login to the testbed’s PC with the following credentials:
Username: student
Password: 740Rocks$
8. Connect the Ethernet cable to your laptop and start Wireshark (yes you will need to capture
data (PCAP files) for this lab²).
9. When you are done with the lab, shut down the computer and turn off all the power switches
EXCEPT NINE (9)!

2 The data collection and analysis must be an individual effort. Collaboration is not allowed for the second part of Lab 3 (Checkpoint II).


Network Mapping
In Checkpoint 1 (Lab 3a), you explored the network and discovered the connections between
routers and networks. In other words, you figured out the network topology implemented in the
testbeds (the “Racks”). Hopefully, you understand this information already. But, just in case, the
following figures and table describe the implemented testbed network to help you with Lab 3b.
In Lab 3a (Checkpoint I), you were not required to report on the NAT device. However, this
node will be useful for this lab. So, make sure to understand how the device is connected and
what IP addresses (and interfaces) are associated with the NAT-enabled router in the testbed for
both the private (inside) and public (outside) networks.

[Figure: inter-AS testbed topology. AS1: R6 (lo1 1.0.0.0/8). AS2: R4 and R5, joined by iBGP, in front of 2.0.0.0/10 and 2.64.0.0/10. AS3: R7 (3.0.0.0/8). AS4: R8 (lo1 4.0.0.0/8). AS5: R9 (lo1 5.0.0.0/8). Link networks: 12.0.0.0/8, 13.0.0.0/8, 24.0.0.0/8, 34.0.0.0/8, 45.0.0.0/8. NAT device 10*: eth0 towards AS3, eth1 on 192.168.0.0/16.]


[Figure: AS2 internal topology. R1 (lo1 2.0.0.0/10) and R2 (lo1 2.64.0.0/10) connect to R3 over 2.128.13.0/24 and 2.128.23.0/24; R3 connects to R4 and R5 over 2.128.34.0/24 and 2.128.35.0/24; R4 eth1 is on 12.0.0.0/8 and R5 eth1 is on 24.0.0.0/8.]


Router ID  AS  Protocol         Interface  IP address
---------  --  ---------------  ---------  ---------------
1          2   RIP              eth0       2.128.13.1/24
                                lo1        2.0.0.1/10
2          2   RIP              eth0       2.128.23.1/24
                                lo1        2.64.0.1/10
3          2   RIP              eth0       2.128.13.2/24
                                eth1       2.128.23.2/24
                                eth2       2.128.34.1/24
                                eth3       2.128.35.1/24
4          2   RIP, iBGP, eBGP  eth0       2.128.34.2/24
                                eth1       12.0.0.2/8
5          2   RIP, iBGP, eBGP  eth0       2.128.35.2/24
                                eth1       24.0.0.1/8
6          1   BGP              eth0       12.0.0.1/8
                                eth1       13.0.0.1/8
                                lo1        1.0.0.1/8
7          3   BGP              eth0       13.0.0.2/8
                                eth1       34.0.0.1/8
                                eth2       3.0.0.1/8
8          4   BGP              eth0       24.0.0.2/8
                                eth1       34.0.0.2/8
                                eth2       45.0.0.1/8
                                lo1        4.0.0.1/8
9          5   BGP              eth0       45.0.0.2/8
                                lo1        5.0.0.1/8
10*        3   NAT              eth0       3.0.0.2/8
                                eth1       192.168.3.1/16

*Note: NAT Device was not required for Checkpoint I


Network Address Translation (NAT)


You should understand how a NAT device makes all the traffic from an entire "private" network
appear to originate as a single (public and unique) IP address. Most of the NAT complexity is
related to matching reply packets and sending them to the proper private host by matching IP/
Port combinations in the NAT translation table. Let's explore some of that concerning the
192.168.0.0/16 network (the “private” network) connected to Router Ten (10). In
other words, the inside network that is connected to the NAT-enabled router.

Part I: Simple HTTP interaction and NAT


Do the following:
• If you have not done so yet, start a Packet capture on Wireshark (on your laptop computer).
• Use any browser from the Testbed’s PC Desktop to open the most "popular" video
streaming site on the network rack, the URL is:
• http://videosite.com
• Stop the data capture and save your data capture for your analysis.

Make sure to examine the traffic on both sides (private and public) of the NAT-enabled router
using Wireshark to answer all the questions in this lab.
Use your observations to answer this question:
10. (5 points) What is the NAT device doing to the packets to allow you to access the website
using HTTP? Be sure to describe the outbound and inbound HTTP traffic and speculate on
how the NAT device gathers enough information to perform the NAT translation.

Part II: Simultaneous connections through NAT


Before proceeding with the next steps, you will need to start Lab One (1) to use some of its
useful devices. Power ON switch one (1) (on the back of the Rack) and wait until all hosts are
active. You can verify that all hosts are active by using the user interface for Lab # 1 to verify
that “All hosts are Up!”
To understand and explore the limitations of the NAT device (router), let's do some ssh
hopping. Do the following:
• Start a packet capture on Wireshark (on your laptop).
• Open two (2) ssh connections from the command prompt in the testbed’s PC (Windows
key -> start typing “cmd” to search for it) or you can use PowerShell as well. One
connection is to the Raspberry Pi at 192.168.1.100 and the other connection is to the
Raspberry Pi at 192.168.1.101 (These Raspberry Pis have been configured to use the
NAT-enabled router as a gateway to reach the exterior part of the network). You can use the
commands and credentials that you learned in Lab 3a (Checkpoint I) to ssh into both of
these devices.


• From each of the previously opened ssh sessions, start another ssh connection to
2.64.0.1, using the following command in each opened connection:
ssh -o 'ProxyCommand nc -p 1234 %h %p' [email protected]
This command will create a local proxy so the ssh connection can be forced to use the
source port 1234. Use the same command in each ssh session that you opened before.
• Keep those ssh connections open. In each ssh session, type any command that you learned
in Lab 3a (e.g., ifconfig) to make sure the remote host is “alive”, executing the remote
instructions, and sending the results back.
• At this point, you should have two ssh connections going through the NAT (from inside to
the outside) to the same destination with the same source port number.
• Stop the data capture and save your data capture for your analysis.

Examine the ssh traffic generated in the previous experiment on both sides of the NAT (private
and public) device using Wireshark.
Use your observations to answer this question:
11. (5 points) What translations are made by the NAT device (router) to achieve both ssh
connections at the same time using the same source port number? How does it distinguish
inbound ssh traffic and determine which device to send the ssh traffic to?

Part III: ICMP and NAT interactions (ping)


Before proceeding to the next part, we need to learn a little bit about another very handy network
protocol, namely ICMP.
What is the Internet Control Message Protocol (ICMP)?
The Internet Control Message Protocol (ICMP) is a network layer protocol used by network
devices to diagnose network communication issues. ICMP is mainly used to determine whether
or not data is reaching its intended destination promptly. Commonly, the ICMP protocol is used
on network devices, such as routers. ICMP is crucial for error reporting and testing.
What is ICMP used for?
The primary purpose of ICMP is error reporting. When two devices connect over the Internet,
the ICMP generates errors to share with the sending device (source) if any of the data does not
get to its intended destination.
A secondary use of the ICMP protocol is to perform network diagnostics; the commonly used
terminal utilities traceroute and ping both operate using ICMP. The traceroute utility
is used to display the routing path between two Internet devices. The ping utility is a simplified
version of traceroute. A ping execution will test the speed of the connection between two
devices and report exactly how long it takes a packet of data to reach its destination and come
back to the sender’s device (i.e., the Round Trip Time).
How does ICMP work?
Unlike the Internet Protocol (IP), ICMP is NOT associated with a transport layer protocol
such as TCP or UDP. This makes ICMP a connectionless protocol: one device does not need to
open a connection with another device before sending an ICMP message. The ICMP protocol
also does not allow for targeting a specific port on a device.
It looks like port numbers are pretty handy in NAT. However, not all traffic has port numbers
(e.g., ICMP). What will the NAT device do if there is no port number?
Do the following to find out:
• Start a new packet capture in Wireshark.
• Use ping to send ICMP packets from both Raspberry PIs at 192.168.1.100 and
192.168.1.101 to 2.0.0.1 (you might need to open some new ssh connections to
ping the required host (2.0.0.1) from the Raspberry PIs 192.168.1.100 and
192.168.1.101). You do recall how to control how many ping probes get sent? Ensure
pings coming from both sources, at about the same time, overlap, through the NAT device
by sending enough ping probes in each ssh connection.
• Stop the data capture and save your data capture for your analysis.

Examine the ICMP traffic generated in the previous experiment on both sides of the NAT
(private and public) device using Wireshark.
Answer the following question:
12. (5 points) What translations are made (from private to public and public to private) to the
ICMP packets? Speculate or determine how responses are sent to the correct internal
address.

Part IV: ICMP and NAT interactions (DNS query)


In the previous test, there was some relationship between the inbound traffic and outbound
traffic as both were ICMP requests and responses. Let’s try another experiment in which the
request and response are not that correlated in terms of the packets being sent and received. In
other words, let’s try one more fun NAT query using ICMP. In this experiment, we will answer
the following question: What happens if the inbound traffic has even less association with the
outbound traffic?
Do the following:
• Close up the ssh connections that you might have opened in the previous questions.
• Start a new packet capture in Wireshark.
• On the Rack’s PC, open a CMD window/prompt (not PowerShell!).
• Use the dig command to send any type of DNS request (to find the information about any
host) using the DNS server available at 2.0.0.1.
Oops! It looks like there is NO DNS server at 2.0.0.1. Therefore, ICMP error messages
will be returned to the host trying to use this DNS query in 2.0.0.1.
• Stop the data capture and save your data capture for your analysis.


Examine the request and response in Wireshark and answer this question:
13. (5 points) Speculate, how in the world can the NAT device match the ICMP reply, which
does not have a port number, to a UDP segment (used in the DNS query) sent from behind
the private network?

Part V: Port Forwarding


In class, we mentioned one drawback to NAT in that the NAT table only gets updated when a
packet is sent from inside the private network. We mentioned the idea of Port forwarding
as a way to pre-populate the NAT table so that external sources can initiate a connection with
devices inside the private network.
There is a Raspberry Pi somewhere in the network that is eagerly trying to send an image to the
Rack’s computer. You probably saw multiple TCP SYN segments being sent every five (5)
seconds without any success in your multiple data captures for the previous questions!
Let's start up a server to receive that image inside our internal network. In particular, a server to
receive the image in the Rack’s PC. Do the following:
• On the Rack’s PC, locate a small Python script in the folder C:\Users\Public\Public
Documents\Lab 3\ named recv_img.py. If you are in the folder that contains the script
and hold shift while right-clicking, you can open a PowerShell tab in that folder. Use
PowerShell to run:
python recv_img.py
Now, the PC is listening for a TCP connection on port 5555 and the eager Raspberry Pi is
trying to create a TCP connection to 5555, but they cannot seem to find each other (the
reason should be obvious by now).
You need to perform one last action (on another node on the network) to set up the Port
Forwarding before the connection can be established between the Client and the Server.
• Use the following command to enable Port Forwarding. It adds a rule in the NAT
Translation Table to translate packets coming in an INTERFACE with a particular PORT
NUMBER to a PRIVATE IP willing to accept the incoming connections (from outside the
private network)³.
sudo iptables -t nat -A PREROUTING -i <Interface> -p tcp --dport
<Port Number> -j DNAT --to-destination <Private IP Address>

Answer the following question:


14. (10 points) Think about the network diagram: on what network host and with what values
should you run this command to establish a connection and allow the image to be received
by the host (the Rack’s PC) in the internal network? Attach a screenshot of the translated
connection. (Hint: Only one host in the entire network will let you run this command⁴
without asking for a password for sudo). Make sure that the Python script can receive the
image correctly once you have made the correct configurations. Attach a screenshot of the
received image. Explain what the command is doing and how the network translations will
be executed so the image can be received.

3 Give the application about five (5) seconds to receive the image (if the command was correctly introduced in the right node/computer on the
network).
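The NAT translation table described in the NAT introduction and the port-forwarding idea from Part V can be modelled in a few lines. This is an added example, not part of the handout and not the testbed router's code: it assumes a port-preserving policy that remaps only on collision, treats the ICMP echo identifier like a port, and uses constructed addresses (192.168.3.50, 5.0.0.9) and a constructed spare pool starting at 61000.

```python
from dataclasses import dataclass, field

@dataclass
class Napt:
    """Toy port-preserving NAPT. 'ident' is the TCP/UDP port or the ICMP echo identifier."""
    public_ip: str
    spare: int = 61000                           # assumed start of the spare-ident pool
    out: dict = field(default_factory=dict)      # inside 5-tuple -> public ident
    back: dict = field(default_factory=dict)     # (proto, public ident, remote) -> inside host
    static: dict = field(default_factory=dict)   # port forwards: (proto, port) -> inside host

    def outbound(self, proto, src_ip, src_id, dst_ip, dst_id):
        """Rewrite the source of an inside->outside packet; returns (public_ip, ident)."""
        key = (proto, src_ip, src_id, dst_ip, dst_id)
        if key not in self.out:
            pub_id = src_id                      # keep the original ident when it is free
            while (proto, pub_id, dst_ip, dst_id) in self.back:
                pub_id, self.spare = self.spare, self.spare + 1   # collision: remap
            self.out[key] = pub_id
            self.back[(proto, pub_id, dst_ip, dst_id)] = (src_ip, src_id)
        return self.public_ip, self.out[key]

    def inbound(self, proto, src_ip, src_id, dst_id):
        """Find the inside (ip, ident) for an outside->inside packet; None means drop."""
        hit = self.back.get((proto, dst_id, src_ip, src_id))
        return hit or self.static.get((proto, dst_id))

    def inbound_icmp_error(self, q_proto, q_src_id, q_dst_ip, q_dst_id):
        """ICMP errors carry no port of their own but quote the header of the packet
        that caused them, as it looked after translation; look that tuple up."""
        return self.back.get((q_proto, q_src_id, q_dst_ip, q_dst_id))

def demo():
    nat = Napt("3.0.0.2")                        # public side of router 10 in the handout
    pi_a, pi_b, remote = "192.168.1.100", "192.168.1.101", "2.64.0.1"
    pc = "192.168.3.50"                          # constructed address for an inside host
    r = {}
    r["ssh_a"] = nat.outbound("tcp", pi_a, 1234, remote, 22)
    r["ssh_b"] = nat.outbound("tcp", pi_b, 1234, remote, 22)    # same source port
    r["reply_b"] = nat.inbound("tcp", remote, 22, r["ssh_b"][1])
    r["ping_a"] = nat.outbound("icmp", pi_a, 7, "2.0.0.1", 0)
    r["ping_b"] = nat.outbound("icmp", pi_b, 7, "2.0.0.1", 0)   # same echo identifier
    r["echo_reply_b"] = nat.inbound("icmp", "2.0.0.1", 0, r["ping_b"][1])
    _, dns_port = nat.outbound("udp", pc, 50000, "2.0.0.1", 53)
    r["unreachable"] = nat.inbound_icmp_error("udp", dns_port, "2.0.0.1", 53)
    r["unsolicited"] = nat.inbound("tcp", "5.0.0.9", 40000, 5555)   # no entry yet
    nat.static[("tcp", 5555)] = (pc, 5555)       # what a DNAT port-forward rule adds
    r["forwarded"] = nat.inbound("tcp", "5.0.0.9", 40000, 5555)
    return r

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:13} {value}")
```

A real router may choose different public ports or identifiers than this model; the captures on both sides of the NAT show what the testbed device actually does.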

Part VI: BGP Black Holes


Let's turn our attention to one last concept: Border Gateway Protocol (BGP)
misconfigurations. Imagine you are a careless network administrator who accidentally takes
down a popular video site. The video site you loaded earlier (videosite.com) is located at
5.0.0.1. From the network diagram, we can see that the 5.0.0.0 network is quite a few
hops away from 1.0.0.0. Do the following:

• ssh into the [email protected]


• Open a telnet session with the BGP daemon (telnet localhost 2605).
• After entering the password (zebra), type en and enter the same password again.
• Type configure terminal to set the router to configuration mode.
• Type router bgp 1 to open the AS1 BGP session on the router (Entering dangerous
territory!)
• Now all we need to do to change everyone’s routing table is type network 5.0.0.0/8

That’s it! Now AS1 will advertise a route to the 5.0.0.0 network with one (1) hop, which is
NOT true as you can see from the network diagram.

Use the browser⁵ (or the Lab 1 application) to open http://videosite.com from the
Rack’s PC. For the next question, you will need to use the analytical skills you learned in Lab 3a
(Checkpoint I) regarding getting into different routers and analyzing their corresponding
forwarding tables (but now you have a good understanding of the network topology).

Answer the following question:


15. (10 points) Using the names/numbers shown in this handout (e.g., Router 1 (R1),
Router 2 (R2), Router 3 (R3), etc.), list all BGP routers whose forwarding table
got damaged by the fake message (i.e., now use the incorrect route to 5.0.0.0/8) with a
short description of why and how you know. What BGP routers do not use the incorrect
route to 5.0.0.0/8?

4 If you are executing this command in the incorrect node, it will ask you for a password to execute sudo.

5 If you use the same browser as before, the browser might have cached the webpage and still display it. Make sure to clear the cache to obtain the
correct response, or use a different browser.
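How far a bogus origination spreads can be estimated from the AS-level graph alone. The following added example (not part of the handout) propagates the 5.0.0.0/8 announcement over the inter-AS links listed in the router table and reports which ASes end up preferring a different origin. It is a simplified model that compares AS-path length only, with first-learned winning ties and no local preference or policy, so the routers' real forwarding tables remain the authority.

```python
from collections import deque

# Inter-AS adjacencies read off the handout's table (link networks 12, 13, 24, 34, 45).
LINKS = [(1, 2), (1, 3), (2, 4), (3, 4), (4, 5)]

def best_paths(origins):
    """Return {asn: AS path to the prefix} when every AS keeps its shortest AS path.
    Simplified model: path length only, first-learned wins ties, no policy."""
    nbrs = {}
    for a, b in LINKS:
        nbrs.setdefault(a, set()).add(b)
        nbrs.setdefault(b, set()).add(a)
    best = {o: (o,) for o in origins}          # an origin's path is just itself
    queue = deque(sorted(origins))
    while queue:
        asn = queue.popleft()
        for n in sorted(nbrs[asn]):
            if n in best[asn]:                 # loop prevention: own ASN already in path
                continue
            path = (n,) + best[asn]
            if n not in best or len(path) < len(best[n]):
                best[n] = path                 # shorter AS path replaces the old route
                queue.append(n)                # and is re-advertised to neighbours
    return best

def affected(legit_origin, bogus_origin):
    """ASes whose chosen route ends at a different origin once the bogus one appears."""
    before = best_paths([legit_origin])
    after = best_paths([legit_origin, bogus_origin])
    return sorted(a for a in after if after[a][-1] != before[a][-1])

if __name__ == "__main__":
    for asn, path in sorted(best_paths([5, 1]).items()):
        print(f"AS{asn}: path {path}")
    print("origin changed in:", affected(5, 1))
```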


Turn-in
Write a report of your interactions and answer the questions. Make sure to include enough
details to ensure we understand that you understand what is going on. For instance,
screenshots should probably be annotated to show where a number came from -- do not
assume that because you know how to read a Wireshark screen we know that you know it.
Our graders will not make that assumption. So, prove it to us by describing/annotating
every value you find.
Turn in your answers in a single PDF file and submit it to the Lab3 Checkpoint 2
“Assignment” on Gradescope.
Mark the pages according to the question. Students who fail to mark a question
correctly will lose all the points for that question.
