
An IP machine $Q$ has a path to another IP machine $H$ via three IP routers $R1$, $R2$, and $R3$.

$Q-R1-R2-R3-H$

$H$ acts as an HTTP server, and $Q$ connects to $H$ via HTTP and downloads a file. Session layer encryption is used, with DES as the shared key encryption protocol. Consider the following four pieces of information:

[I1] The URL of the file downloaded by $Q$

[I2] The TCP port numbers at $Q$ and $H$

[I3] The IP addresses of $Q$ and $H$

[I4] The link layer addresses of $Q$ and $H$

Which of $I1$, $I2$, $I3$, and $I4$ can an intruder learn through sniffing at $R2$ alone?

1. Only $I1$ and $I2$
2. Only $I1$
3. Only $I2$ and $I3$
4. Only $I3$ and $I4$
0

Q1. Can the intruder see the link layer addresses of R1 and R2?
Q2. Why can't the intruder see the link layer addresses of Q and H?

+4
A1. Yes, the link layer addresses of R1 and R2 would be visible at Router R2. Since the link addresses are modified at every hop, it would be R2 and R3's addresses visible by sniffing at Router R3.

A2. Due to the above reason the link layer addresses of Q and H wouldn't be available at Router R2.
+2
Without DES encryption the URL would be visible, right?

[I1] The intruder can't see the URL because it is well encrypted by DES at the session layer.
[I2] The TCP port number is available to the intruder because the TCP header contains source as well as destination address.

[I3] The network layer header contains the source as well as the destination IP.
[I4] Link address is unavailable because on sniffing at $R2$ the intruder can see only the link addresses of $R1$ and $R3$, not the link addresses of $Q$ and $H$.

answered by Veteran (59.9k points)
edited
+2
You forgot to comment on IP address.
+27
Well, I know that :) Maybe somebody might not know! Felt like it should be there, for the sake of completeness!
0
@digvijay, why can't the intruder see the link address of Q & H at R2, unlike at R1 & R3?
+7
How is the TCP port number visible to the router, as it has only 3 layers: Physical, DLL, Network?

Clarify.
0
Router doesn't contain a transport layer, so how is it able to look into the port no [email protected]
+6
I think the sniffer uses SPAN (switched packet analyzer) to receive a copy of each packet sent from one host to the other at the router, so it can analyze the packet and can know up to the transport layer. But since the packet is encrypted at the session layer, it can't know about the data or URL of the host. @Rajesh Raj
+2
Because during the journey of the packet from Q to H, the port number which is added by Q at the transport layer will not change, that's why the intruder can see the port number, therefore I2 is true.

And the IP addresses of source and destination will also not change, therefore I3 is also true.

Only MAC addresses will change, and the URL is encrypted as mentioned by DES.
0
@rude , @habib khan , @rajesh pradhan bro tell me "How TCP port number visible to router as it has only 3 layer; Physical, DLL, Network."
+5
The intruder will be able to see TCP port nos. although it belongs to transport layer because TCP segment is in the payload of IP datagram
0
@digvijay how can an intruder see the TCP port number on router R2? A router contains only up to the network layer, right?
+1
@Tuhin dutta TCP segment is in the payload of the IP datagram, that is correct, but it will be uncovered on a device which has a transport layer. We can only unwrap up to the IP header and that doesn't contain the port number. Somebody please explain it with valid reasons.
+6
Since the IP datagram contains within it the TCP segment, the intruder can see the TCP port nos. (because the intruder has access to the datagram) but not beyond that. Now, this is because from the session layer onwards it is encrypted, till application or message.
+2
@Tuhin yeah, now I got it, thanks :)
+1
If session layer encryption is not used, then the sniffer can also see the URL of the file downloaded by Q?
0
Nice explanation.
0
The router has a data link layer, then why can't the intruder see the link layer address? Please explain.
+3
@garimanand it can't see the link layer address because DLL works hop to hop, so the packet contains the link layer addresses of R1 and R2, not of Q and H.
0
Then layer 3 Firewall can do the filtering based on Port No?
0
@akash kanse are u nuts??
I1 is encrypted by DES at the Session layer, so the intruder can't see that.

I2 is a part of the TCP header (below the Session layer), so it is not encrypted. Obviously, the intruder can see that.

I3 is a part of the IP header (below the TCP layer), so again, it is not encrypted and the intruder can see that as well.

I4 is not a part of the DLL header (below the IP layer), since the DLL always contains the MAC addresses of the immediate sender (previous hop, R1) and the immediate destination (next hop, R3), so the intruder cannot see I4.

So, answer - (C)
answered by Active (3.4k points)
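The layer-by-layer reasoning in the answers above, as an added example that is not part of the original thread: a constructed Ethernet/IPv4/TCP frame leaves Q, is re-framed by R1, and is parsed the way a sniffer on the R1-to-R2 link would parse it. All MAC and IP addresses, ports, the request path and the `CIPHER` bytes (an opaque stand-in for DES-encrypted data) are assumptions made up for the illustration.

```python
import socket
import struct

# Constructed sample values (documentation IP ranges, locally administered MACs).
MAC = {"Q": "02:00:00:00:00:01", "R1": "02:00:00:00:00:11",
       "R2": "02:00:00:00:00:12", "H": "02:00:00:00:00:02"}
Q_IP, H_IP = "192.0.2.10", "198.51.100.80"
PLAIN = b"GET /files/report.pdf HTTP/1.1\r\nHost: h.example\r\n\r\n"
# Opaque stand-in for the DES-encrypted session data; no real encryption is done here.
CIPHER = bytes.fromhex("9c41d7e2a05b3f86c8127ae4b96d0f53")

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet II + IPv4 (no options) + TCP (no options) + payload.
    Checksums are left as zero; the parser below does not validate them."""
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload

def forward(frame, out_src_mac, out_dst_mac):
    """Per-hop forwarding: only the link-layer header is replaced.
    (TTL decrement and checksum update are left out to keep this short.)"""
    return mac(out_dst_mac) + mac(out_src_mac) + frame[12:]

def sniff(frame):
    """Parse a captured frame the way a packet sniffer would."""
    show = lambda b: ":".join(f"{x:02x}" for x in b)
    ihl = (frame[14] & 0x0F) * 4                 # IP header length in bytes
    ip, tcp = frame[14:14 + ihl], frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data = tcp[(tcp[12] >> 4) * 4:]              # bytes after the TCP header
    path = data.split(b" ")[1].decode() if data.startswith(b"GET ") else None
    return {"macs": (show(frame[6:12]), show(frame[0:6])),      # (src, dst)
            "ips": (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])),
            "ports": (sport, dport), "url_path": path}

def capture_at_r2(payload):
    f = build_frame(MAC["Q"], MAC["R1"], Q_IP, H_IP, 49152, 80, payload)  # Q -> R1
    return sniff(forward(f, MAC["R1"], MAC["R2"]))   # frame on the R1 -> R2 link

if __name__ == "__main__":
    print("encrypted:", capture_at_r2(CIPHER))
    print("plaintext:", capture_at_r2(PLAIN))
```

With `CIPHER` the capture yields Q's and H's IP addresses and ports, only R1's and R2's MAC addresses, and no request path; with `PLAIN` the request path is readable as well.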
+1
Router works at network layer. So how is it possible for someone to see TCP port numbers at the routers. As router doesn't have any visibility of Transport layer. Please explain
+2
According to me,
Router can't learn.
But attacker can learn because attacker is sniffing.
An Intruder can't learn [I1] through sniffing at R2 because URLs and Download are functioned at Application layer of OSI Model.

An Intruder can learn [I2] through sniffing at R2 because Port Numbers are encapsulated in the payload field of IP Datagram.

An Intruder can learn [I3] through sniffing at R2 because IP Addresses and Routers are functioned at network layer of OSI Model.

An Intruder can't learn [I4] through sniffing at R2 because it is related to Data Link Layer of OSI Model.
answered by Loyal (9.3k points)
Router works at the network layer, so it has only three layers (physical, data link, network). Since the intruder is sniffing at R2, the intruder can only see the IP addresses of Q and H, because the source and destination IP addresses can't change.
answered by Active (4.6k points)
0
Someone please clarify the answer, if it's C or only I3.
answered by (39 points)
0
Hey, can you please explain your answer?
+10
I don't know the exact reason, I'm making a guess here. Please tell me whether my guess is correct or not for the reason.

Encryption happens at session, also it is clearly mentioned.

So from the session layer and above the session layer, the intruder cannot analyze the data and get information from it.

I1: He cannot make out the URL, since the URL is application layer information; he can't make out the URL from packet sniffing because the packet is well encrypted!

I2: TCP port can be made out through packet sniffing because this information comes below the session layer, so it was not encrypted.

I3: same reason as that of I2

Let me know if I'm wrong!
+3
No, it's not like only the layers above session are encrypted and so the URL remains safe.

Actually, it's the general SSL encryption to wrap HTML. (See http://security.stackexchange.com/questions/19681/where-does-ssl-encryption-take-place). And in actual SSL, encryption happens in the session layer (that's why the name => session layer encryption). And all this is basically done for securing our data.

Now, in the given question all data exchanged should be secured (and so does the URL). And as you MUST not violate your basic objective of "communication of machines", you will always require port nos., IP addresses and MAC (DLL) addresses, so you can't encrypt these. But, as the MAC address is only exposed in a link-to-link fashion, one can never find the MAC id of Q and H by sniffing at R2 alone.
answered by (39 points)
