An IP machine $Q$ has a path to another IP machine $H$ via three IP routers $R1$, $R2$, and $R3$.


$H$ acts as an HTTP server, and $Q$ connects to $H$ via HTTP and downloads a file. Session layer encryption is used, with DES as the shared key encryption protocol. Consider the following four pieces of information:

[I1] The URL of the file downloaded by $Q$

[I2] The TCP port numbers at $Q$ and $H$

[I3] The IP addresses of $Q$ and $H$

[I4] The link layer addresses of $Q$ and $H$

Which of I1, I2, I3, and I4 can an intruder learn through sniffing at $R2$ alone?

  1. Only $I1$ and $I2$
  2. Only $I1$
  3. Only $I2$ and $I3$
  4. Only $I3$ and $I4$

Q1. Can the intruder see the link layer addresses of R1 and R2?
Q2. Why can't the intruder see the link layer addresses of Q and H?

A1. Yes, the link layer addresses of R1 and R2 would be visible at router R2. Since the link addresses are modified at every hop, it would be R2's and R3's addresses that are visible by sniffing at router R3.

A2. Due to the above reason, the link layer addresses of Q and H wouldn't be available at router R2.

Without DES encryption the URL would be visible, right?

[I1] The intruder can't see the URL because it is well encrypted by DES at the session layer.

[I2] The TCP port number is available to the intruder because the TCP header contains the source as well as the destination address.

[I3] The network layer header contains the source as well as the destination IP.

[I4] The link address is unavailable because, on sniffing at $R2$, the intruder can only see the link addresses of $R1$ and $R3$, not the link addresses of $Q$ and $H$.

Answer is C.

You forgot to comment on the IP address.

Well, I know that :) Maybe somebody might not know! Felt like it should be there, for the sake of completeness!

@digvijay, why can't the intruder see the link addresses of Q & H at R2, unlike at R1 & R3?

How is the TCP port number visible to the router, as it has only 3 layers: physical, DLL, network?

The router doesn't contain a transport layer, so how is it able to look into the port number?

I think the sniffer uses SPAN (switched packet analyzer) to receive a copy of each packet sent from one host to the other, so it can analyze the packet and can know up to the transport layer. But since the packet is encrypted at the session layer, it can't know about the data or the URL of the host. @Rajesh Raj

Because during the journey of the packet from Q to H, the port number which is added by Q at the transport layer will not change; that's why the intruder can see the port number, therefore I2 is true.

And the IP addresses of the source and destination will also not change, therefore I3 is also true.

Only the MAC addresses will change, and the URL is encrypted, as mentioned, by DES.

@rude, @habib khan, @rajesh pradhan bro tell me: "How is the TCP port number visible to the router, as it has only 3 layers: physical, DLL, network?"

The intruder will be able to see TCP port nos. although they belong to the transport layer, because the TCP segment is in the payload of the IP datagram.

@digvijay how can an intruder see the TCP port number on router R2? The router contains only up to the network layer, right?

@Tuhin dutta The TCP segment is in the payload of the IP datagram, that is correct, but it will be uncovered on a device which has a transport layer. We can only unwrap up to the IP header, and that doesn't contain the port number. Somebody please explain it with valid reasons.

Since the IP datagram contains the TCP segment within it, the intruder can see the TCP port nos. (because the intruder has access to the datagram) but not beyond that. Now, this is because from the session layer onwards it is encrypted, up to the application or message.

@Tuhin yeah, now I got it, thanks :)

If session layer encryption is not used, then can the sniffer also see the URL of the file downloaded by Q?
Nice explanation.
The router has a data link layer, then why can't the intruder see the link layer address? Please explain.

@garimanand it can't see the link layer address because the DLL works hop to hop, so the packet contains the link layer addresses of R1 and R2, not of Q and H.

Then can a layer 3 firewall do the filtering based on port no.?

How can I2 be true? If it is possible to get port numbers by reading the IP datagram payload, then by reading the frame payload at the data link layer we can even get the IP address.


@ayushsomani yes, we are in fact getting the IP address too. I3 is also correct.


@akshay7797 Then why do we use routers? We could have used switches/bridges because they have a DLL.



Here session layer encryption is used. So, the intruder can see every layer which is below the session layer.

Now, why will I4 be false?

Because in the DLL we do hop-to-hop connection. So, the intruder can see the DLL addresses of R1 and R3 only.


@srestha It is because of sniffing.

Can somebody tell me how the TCP port number is in the IP datagram?

I1 is encrypted by DES at the session layer, so the intruder can't see that.

I2 is a part of the TCP header (below the session layer), so it is not encrypted. Obviously, the intruder can see that.

I3 is a part of the IP header (below the TCP layer), so again, it is not encrypted and the intruder can see that as well.

I4 is not a part of the DLL header (below the IP layer), since the DLL always contains the MAC addresses of the immediate sender (previous hop, R1) and the immediate destination (next hop, R3), so the intruder cannot see I4.

So, answer - (C)
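The layer-by-layer argument in the answer above can be checked directly on a frame. The following is an added example, not code from the question or from any answer in this thread: it builds a constructed Ethernet/IPv4/TCP frame the way R2 would see it arriving from R1 (link addresses R1 to R2, IP addresses Q to H, ports Q to H) and parses out what a passive sniffer at that point can read. The MAC and IP addresses, the port numbers, the request path and the byte blob standing in for DES output are all made up; no real DES is run, because the only thing that matters here is that the payload above the transport header is opaque. It also goes slightly beyond the question by building the same frame on Q's own link, which is where a sniffer would see Q's link layer address.

```python
import re
import socket
import struct

# Constructed link-layer and IP addresses for the question's machines (assumptions).
MAC = {
    "Q":  bytes.fromhex("020000000001"),
    "R1": bytes.fromhex("020000000011"),
    "R2": bytes.fromhex("020000000012"),
    "R3": bytes.fromhex("020000000013"),
    "H":  bytes.fromhex("020000000002"),
}
IP_Q, IP_H = "10.0.0.10", "10.0.3.80"
PORT_Q, PORT_H = 51234, 80

# Cleartext HTTP request Q would send if no session layer encryption were used.
HTTP_REQUEST = b"GET /files/report.pdf HTTP/1.1\r\nHost: h.example\r\n\r\n"
# Stand-in for DES output: an arbitrary 48-byte blob (six 8-byte blocks). No DES here.
DES_CIPHERTEXT = bytes.fromhex(
    "9f1c0a7be2d4538866a3f0c1d2e4b7a0"
    "5c7e91d0b3a2f4c8e1d9a07b6c5e4f21"
    "0b8d3c6e2f4a1b7d9e0c5a3f8b6d2e41"
)


def build_frame(src_mac, dst_mac, payload):
    """Ethernet II / IPv4 / TCP frame carrying `payload` on one link.
    Link addresses are the two ends of that link; IP addresses and ports are
    end-to-end (Q to H). Checksums are left zero; nothing here verifies them."""
    ip_total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, ip_total_len, 0x1234, 0x4000, 64, 6, 0,
                         socket.inet_aton(IP_Q), socket.inet_aton(IP_H))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          PORT_Q, PORT_H, 1000, 1, 5 << 4, 0x18, 65535, 0, 0)
    eth_hdr = dst_mac + src_mac + b"\x08\x00"
    return eth_hdr + ip_hdr + tcp_hdr + payload


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def sniff(frame):
    """Everything a passive sniffer on this link can read from one frame."""
    dst_mac, src_mac = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4             # IP header length in bytes
    if frame[14 + 9] != 6:
        raise ValueError("not TCP")
    src_ip = socket.inet_ntoa(frame[14 + 12:14 + 16])
    dst_ip = socket.inet_ntoa(frame[14 + 16:14 + 20])
    tcp_off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4   # TCP header length in bytes
    payload = frame[tcp_off + data_off:]
    # The request path is only recoverable if the payload is a cleartext HTTP request line.
    m = re.match(rb"(GET|POST|HEAD) (\S+) HTTP/1\.[01]\r\n", payload)
    return {
        "link_src": mac_str(src_mac), "link_dst": mac_str(dst_mac),
        "ip_src": src_ip, "ip_dst": dst_ip,
        "tcp_sport": sport, "tcp_dport": dport,
        "url": m.group(2).decode() if m else None,
    }


def learnable(view):
    """Map a sniffer's view onto the question's items I1..I4."""
    items = []
    if view["url"] is not None:
        items.append("I1")
    items += ["I2", "I3"]   # TCP and IP headers sit below the session layer, never encrypted
    end_macs = {mac_str(MAC["Q"]), mac_str(MAC["H"])}
    if {view["link_src"], view["link_dst"]} & end_macs:
        items.append("I4")  # only on a link that Q or H is directly attached to
    return items


if __name__ == "__main__":
    at_r2_encrypted = build_frame(MAC["R1"], MAC["R2"], DES_CIPHERTEXT)
    at_r2_clear = build_frame(MAC["R1"], MAC["R2"], HTTP_REQUEST)
    at_q_link = build_frame(MAC["Q"], MAC["R1"], DES_CIPHERTEXT)
    for label, frame in [("R2, DES", at_r2_encrypted), ("R2, no encryption", at_r2_clear),
                         ("Q's own link, DES", at_q_link)]:
        print(label, sniff(frame), learnable(sniff(frame)))
```

Running it prints, for the frame sniffed at R2 with session layer encryption, link addresses R1/R2, IP addresses Q/H, ports 51234/80 and no URL, so the learnable set is I2 and I3, which is option C; the cleartext variant answers the "without DES" question in the thread (I1 joins the set), and the frame on Q's own link is the only one where I4 appears.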
A router works at the network layer. So how is it possible for someone to see TCP port numbers at the routers, as a router doesn't have any visibility of the transport layer? Please explain.

According to me, the router can't learn. But the attacker can learn because the attacker is sniffing.

The TCP segment's port number would get included in the IP packet's payload, that's how.
An intruder can't learn [I1] through sniffing at R2 because URLs and downloads function at the application layer of the OSI model.

An intruder can learn [I2] through sniffing at R2 because port numbers are encapsulated in the payload field of the IP datagram.

An intruder can learn [I3] through sniffing at R2 because IP addresses and routers function at the network layer of the OSI model.

An intruder can't learn [I4] through sniffing at R2 because it is related to the data link layer of the OSI model.

A router works at the network layer, so it has only three layers (physical, data link, network). Since the intruder is sniffing at R2, the intruder can only see the IP addresses of Q and H, because the source and destination IP addresses can't change.

Someone please clarify the answer: is it C or only I3?

Answer: C

Hey, can you please explain your answer?

I don't know the exact reason, I'm making a guess here. Please tell me whether my guess is correct or not for the reason...

Encryption happens at the session layer, as it is clearly mentioned.

So from the session layer and above, the intruder cannot analyze the data and get information from it.

I1: He cannot make out the URL, since the URL is application layer information; he can't make out the URL from packet sniffing because the packet is well encrypted!

I2: The TCP port can be made out through packet sniffing because this information comes below the session layer, so it was not encrypted.

I3: Same reason as that of I2.

I4: From R2 alone he cannot make out the link layer addresses of Q and H, because it is a point-to-point address. When a packet comes in, it has the link addresses of R1 and R2; when a packet goes out from this router it has the addresses of R2 and R3. Link addresses keep on changing from one router to another, but not the IP and TCP port. So he can't make out the link addresses of Q and H by having access to R2 only.

Let me know if I'm wrong!

No, it's not that only the layers above the session layer are encrypted and so the URL remains safe.

Actually, it's the general SSL encryption to wrap HTML. (See . And in actual SSL, encryption happens in the session layer (that's why the name => session layer encryption). And all this is basically done for securing our data.

Now, in the given question all data exchanged should be secured (and so is the URL). And as you MUST not violate your basic objective of "communication of machines", you will always require port nos., IP addresses and MAC (DLL) addresses, so you can't encrypt these. But, as the MAC address is only exposed in a link-to-link fashion, one can never find the MAC id of Q and H by sniffing at R2 alone.
