Learning - Diary - IoT ShuFen Cheng


Learning diary and answers

These are optional fields about your identity, leave empty if you want to remain anonymous:

Student name: ShuFen Cheng

Email address (prefer your @students.oamk.fi email if you have such address):
[email protected]

Save the final version of this document as PDF and submit it for peer reviews via Moodle’s
workshop tool before the deadline. Last course week is for peer reviews.

Some courses may have 5 weeks, and some may have 8 weeks of assignments. This is a generic
learning diary template. Adapt and edit the document accordingly.
Link for material and questions: https://tl.oamk.fi/iot/


Week 1
Assignments to learning diary (You can do these assignments in small groups. Learning
diaries are personal):
1. Define the following terms and concepts shortly:

Answer
Terms and concepts:
Network bandwidth: Maximum speed at which data can be transferred through the network, usually measured in bps (bits per second).
Network throughput: The actual data transfer rate achieved, showing efficiency relative to bandwidth.
Packet loss and jitter: Packet loss: a data packet transmitted over a network that does not reach its destination.
bps vs Bps: bps (bits per second): number of bits per second, unit of communication speed. Bps (bytes per second): number of bytes per second (1 byte = 8 bits), unit of data transfer rate.
Protocol payload: The part of the Protocol Data Unit (PDU) that contains the actual data.
Protocol overhead (especially for resource-constrained IoT purposes): Additional data required to control and manage data transfer; protocols with low overhead are important in the IoT as resources are limited.
Spanning Tree Protocol: Used between switches to avoid loops and manage redundant paths in the network.
Collision domain: The extent to which collisions occur when multiple devices send data simultaneously on a network.
Broadcast domain: The range of the network that broadcast packets can reach. Usually separated by routers.
SOHO network: Networks for small offices and home offices, featuring a simple, low-cost design.
MAC (physical) address: Unique physical address assigned to a network interface card (NIC).
Physical layer protocol data unit (PDU): Unit of bitstream; the format of data transmitted at the physical layer of a network.
MAC layer protocol data unit (PDU): The data units, called frames, exchanged at the data link layer.
Half-duplex vs Full-duplex: Half-duplex: a communication system that allows data to be transmitted or received in one direction at a time. Full-duplex: a communication method that allows data to be sent and received simultaneously in both directions.
Ethernet auto-negotiation: The ability to automatically adjust the communication speed and duplex mode between connected devices.
Hidden node problem (wireless): A problem in wireless networks where data collisions occur due to interference between devices that cannot communicate directly with each other.
Networking physical vs logical topology: Physical topology: the actual physical arrangement of network devices. Logical topology: the logical structure of how data flows through the network.
TIA/EIA-568 and ISO/IEC 11801: TIA/EIA-568: standard setting out cabling standards for commercial buildings. ISO/IEC 11801: worldwide general-purpose cabling standard.
Ethernet cabling categories, for example CAT 6: Classification of cable performance. For example, CAT 6 is a cable capable of transmitting data at up to 10 Gbps.
8P8C (RJ45): 8P8C connector. An 8-pin connector, usually referred to as RJ45, used to terminate Ethernet cables.
Wifi AD HOC: A network configuration in which devices communicate directly with each other without access points.
IEEE 802.11ac, 802.11ax, 802.11be: IEEE 802.11ac: standard that uses the 5 GHz band to provide fast Wi-Fi communications. IEEE 802.11ax (Wi-Fi 6): a more efficient and faster Wi-Fi standard, characterised by improved performance in congested environments. IEEE 802.11be (Wi-Fi 7): next-generation Wi-Fi standard, aiming for even faster and lower-latency communications.

2. Estimate how long it takes to download a 3 TB file from a cloud-based backup service
if the network download throughput is 200 Mbps for actual payload (i.e. data).
Answer:
3 TB of data is 3 million megabits.
The download speed is 200 Mbps.
To calculate the download time, we can use the formula Time = Total data / Speed.
With the information and formula above, 3 million Mb / 200 Mbps = 15K seconds.
1 hour is 3600 seconds, so 15K seconds is approximately 4.17 hours.
3. Locate the MAC address of your mobile phone, laptop wifi interface or some other
networked IT device
o How did you find it?
Answer:
There are several ways to find it:
Windows laptop (Wi-Fi interface)
Open the Start menu and type ‘cmd’ to open the command prompt.
At the command prompt, type ipconfig /all and press Enter.
In the output, look for the section ‘Wireless LAN adapter Wi-Fi’.
The entry marked ‘Physical Address’ is the MAC address. It is usually in the format
XX-XX-XX-XX-XX-XX.

iPhone
Open the Settings app.
Tap General, then tap Info.
The string displayed as ‘Wi-Fi address’ is the MAC address.
Android smartphones
Open the Settings app.
Tap Device Info.
Locate the Status or Network section and check the Wi-Fi MAC address.

o List the MAC address in hex format (such as f0:1f:af:cf:d9:1a), but replace the last
24 bits with zeros for your privacy
Answer:
If the last 24 bits of the MAC address f0:1f:af:cf:d9:1a are replaced with zeros to protect
privacy, the following is obtained:
Modified MAC address: f0:1f:af:00:00:00
By presenting the MAC address in this format, the OUI (vendor identification part) is
preserved while avoiding identification of the device.

o Use OUI MAC address list(s) or lookup tools, and determine the device/chipset
vendor of that MAC address. For example, that f0:1f:af:cf:d9:1a is Dell inc.
Answer:
Using the first 24 bits (OUI) of the MAC address, f0:1f:af, to identify the vendor, the
manufacturer of this address is Dell Inc.
This indicates that the MAC address is assigned to a network device or chipset
manufactured by Dell; the OUI (Organizationally Unique Identifier) part can be used to
identify the manufacturer of the device.


4. Describe shortly what are these network devices, functions, and services

Answer:

Item: function, role, purpose or service
Repeater: A network device that regenerates or replicates signals from a weak point. Purpose: it helps signals travel a longer distance without degradation.
Hub (multiport repeater): A hub can connect multiple Ethernet devices, with each device acting as a single network segment; it repeats the signal it receives from one port to all other ports. Purpose: it creates a simple local network where communication is sent to all devices but only the intended recipient processes it.
Bridge: A bridge connects two separate networks to work as a single network. Purpose: it is used to segment large networks into smaller ones to reduce traffic and increase performance.
Access switch: An access layer switch is usually a Layer 2 switch and facilitates the connection of end node devices to the network. In general, it is not a high-powered switch compared with those at the distribution layer.
Core switch: A core switch is the primary switch in a network, built to transfer data fast. A core switch sits at the top of a network's structure. It handles more data and offers enhanced reliability compared to other switches. The core switch acts as the main artery of a network. (Figure: access switch and core switch layers and how they work.)
Edge router: An edge router is used at two main demarcation points, the internet and wide area networks (WAN). WANs are networks that connect multiple businesses or institutions but are not connected to the internet as a whole. Edge routers are able to interface with any network that an average router would. An edge router prioritizes security and may deal with a significantly lower volume of transmissions but more unique threats and complex interactions.
Core router: A core router is a high-capacity router used in the central part of large networks. Its main role is to quickly and reliably transport data between different parts of the network. It will often prioritize speed and minimize congestion and packet loss.
Firewall: A network security device that blocks incoming attacks from other places. It also inspects outgoing network traffic and decides whether to allow or block it. It is the front line in securing your devices.
Wifi AP: AP stands for Access Point; a wifi AP (wireless access point) allows other wifi devices to connect to a wired or wireless network.
WLAN AP controller: WLAN (wireless architecture) aims to meet changing network demands. A WLAN AP controller is a device that connects to a wired network using Wifi protocols. From the photo above, you can see that a WLAN controller is a centralized device in a wireless network that manages and coordinates the activities of multiple access points (APs). APs are devices that allow wireless-enabled devices to connect to a wired network using Wi-Fi. The access point controller serves as a central intelligence unit, providing a unified management interface for configuring, monitoring, and controlling the various access points within the network.
Network TAP: A network tap is a system that monitors events on a local network. A tap is typically a dedicated hardware device which provides a way to access the data flowing across a computer network. The network tap has (at least) three ports: an A port, a B port, and a monitor port. There are many different types of TAPs; the two primary types are passive TAPs and active TAPs.


5. RFC assignments
o What are RFCs?
Answer:
Requests for Comments (RFCs) are a series of documents describing various aspects of
computer networking. These include protocols, procedures, policies, etc. RFCs are
published by the Internet Engineering Task Force (IETF) and the Internet Society
(ISOC).

o How many PPP related RFC documents can you find from rfc-editor website?
Answer:
There are around 111 PPP-related (Point-to-Point Protocol) RFC documents. The reference
website is https://www.rfc-editor.org/ . Below is the screenshot for reference.

o What is the current status of RFC1597? What is the number for updated, more
recent RFC of same topic?
Answer:
It is the Address Allocation for Private Internets. It does not specify an Internet standard
of any kind. It was superseded by RFC 1918, which is the more recent and updated
document on the same topic.

o When was RFC5218 released?


Answer:
July 2008

o What is the meaning if RFC status is BCP?


Answer:
BCP stands for Best Current Practice: if the RFC status is BCP, the document provides
guidelines and recommendations that provide ‘best current practice’ for internet
technology and operations. The BCP RFC can serve as a reference for organisations and
individuals to ensure efficient and effective internet operations.

o List authors of the CoAP RFC (June 2014). What is the RFC number?
Answer:
The authors are listed below; the number is RFC 7252, published in June 2014. The
authors of RFC 7252 are:
Z. Shelby
K. Hartke
C. Bormann


o Twitch.tv provides IRC access to the stream chats. Which RFC defines the
original Internet Relay Chat (IRC) Protocol?
Answer:
Twitch.tv is a live streaming platform for video games, esports, and creative content;
reference website https://www.twitch.tv/
The RFC that defines the original Internet Relay Chat (IRC) Protocol used by Twitch.tv
stream chats is RFC 1459.
Twitch.tv leverages the functions defined in RFC 1459 to enable chat alongside the stream.

6. What is OSI model? Compare OSI model to TCP/IP model


Answer:
The OSI (Open Systems Interconnection) model, developed by the International
Organization for Standardization (ISO) in 1984, is a seven-layer architecture. Each layer
specifies particular network functions focusing on internetworking standards and serves to
universally standardize data communication processes.
The TCP/IP (Transmission Control Protocol/Internet Protocol) model was developed by the
Department of Defense (DoD) in the 1970s to ensure and sustain robust, fault-tolerant
communication via the internet; the TCP/IP model consists of four layers.
Comparison
Layers: OSI has 7 layers: Physical Layer, Data Link Layer, Network Layer, Transport Layer, Session Layer, Presentation Layer, Application Layer. TCP/IP has fewer layers than OSI, only 4: Link Layer (Network Interface Layer), Internet Layer (Network Layer), Transport Layer (similar to the OSI transport layer), Application Layer.
Protocol standards: OSI uses abstract standards that are often universally applicable. TCP/IP protocols are tied closely to the internet.
Usefulness: OSI gives a comprehensive understanding of network theory, guiding the design of network protocols and architecture. TCP/IP is more aligned with real-world networking implementation.


Week 2
Assignments to learning diary (You can do these assignments in small groups. Learning
diaries are personal):
7. What are VLANs and IEEE 802.1q?
Answer:
Virtual Local Area Networks (VLANs) are a technology for virtually partitioning the physical
network infrastructure. This allows the creation of different network segments within the same
physical network, which can improve network management, security and efficiency.

IEEE 802.1Q is a standard for VLAN tagging. It defines a method for inserting VLAN
information into Ethernet frames and is used to efficiently manage multiple VLANs.

8. Define the following terms and concepts shortly:


Answer:
Terms and concepts:
ARP: ARP (Address Resolution Protocol) is a protocol for translating IP addresses into MAC addresses within the local network. This ensures that IP packets are sent to the appropriate network interface.
ARP spoofing: ARP spoofing is an attack technique where a fake ARP message is sent over the network, associating the MAC address of the attacker's device with the IP address of another device. This causes communications to be routed through the attacker's device.
HOP (networking): In networking, ‘HOP’ refers to the number of times a data packet passes through a relay device such as a router or switch in a network. Each relay point is called a ‘HOP’.
IP TTL: IP TTL (Time to Live) is a field that indicates the maximum number of hops a packet can travel through the network; when the TTL reaches zero, the packet is discarded. This prevents infinite loops.
IP TOS (DSCP): IP TOS (Type of Service) is a field used to specify packet priority and quality of service. It has now evolved into the Differentiated Services Code Point (DSCP) and controls traffic priority and Quality of Service (QoS).
DHCP, DHCP relay: DHCP (Dynamic Host Configuration Protocol) is a protocol that automatically assigns IP addresses and other configuration information to devices on a network; DHCP relays are responsible for relaying DHCP requests when the DHCP server is on a different subnet.
WoL (Wake-on-LAN): Wake-on-LAN (WoL) is a feature that allows computers to wake up from sleep mode via the network. The computer is switched on when certain ‘magic packets’ are received.
UPnP: Universal Plug and Play (UPnP) is a protocol that allows network devices to be automatically detected and easily configured and connected. This makes it easy to add and configure network devices.
Traceroute / Tracepath: Traceroute or Tracepath is a tool that traces the paths that packets take through a network. It measures the response time of each hop (relay point) on the network.
Network Address Translation (NAT): NAT (Network Address Translation) is a technology that translates private IP addresses into public IP addresses. This allows several internal devices to share a single public IP address.
Tier 1 and 2 networks: Tier 1 networks: large providers that make up the global Internet backbone and exchange traffic over interconnections. Tier 2 networks: regional Internet service providers that connect to Tier 1 networks and serve end-users.
Tier 3 ISP: Tier 3 ISPs (Tier 3 Internet Service Providers) are providers that offer services directly to end-users and mainly obtain traffic from Tier 2 or Tier 1 networks.
Routing Autonomous System (AS or ASN for BGP): An AS (Autonomous System) is a collection of networks that exchange routing information over the Internet using the Border Gateway Protocol (BGP). The ASN (Autonomous System Number) is a unique number assigned to an AS.
127.0.0.1 address: 127.0.0.1 is the ‘loopback address’ and refers to your own computer. This address can be used to test the network stack and access local services.
::1 address: ::1 is the IPv6 loopback address and refers to one's own IPv6 address; it is used for testing the IPv6 network stack and accessing local services.
0.0.0.0/0 and ::/0 networks in the routing table: 0.0.0.0/0 indicates the IPv4 default route and includes all IP addresses. ::/0 indicates the IPv6 default route and contains all IPv6 addresses.
Ranges of IPv4 multicast and experimental addresses: IPv4 multicast addresses range from 224.0.0.0 to 239.255.255.255. IPv4 experimental addresses range from 240.0.0.0 to 255.255.255.255; these are usually reserved for experimental or future use.


9. Search some information about AS1741

o Which organisation or company advertises AS1741 with BGP?


Answer:
AS1741 is associated with Cogent Communications. The organisation or company
advertising AS1741 using Border Gateway Protocol (BGP) is Cogent Communications
itself. Cogent is a global Internet backbone network and uses AS1741 to route Internet
traffic through that network.

o List some public peering exchange points the AS1741 connects to?
Answer:
Amsterdam Internet Exchange (AMS-IX) in the Netherlands, London Internet Exchange
(LINX) in the UK, and DE-CIX in Frankfurt.
o To which regional internet registry (RIR) does the AS1741 belong?
Answer:
AS1741 (Cogent Communications) belongs to ARIN (American Registry for Internet
Numbers). ARIN is a Regional Internet Registry (RIR) covering North America (United
States, Canada and the Caribbean).
o What is the contact email address/phone/web form if you would need to inform
some security or abuse issues to the owner of the AS1741?
Answer:
You can report directly to Cogent Communications using the email address or web
form.
Security: [email protected]
Abuse: [email protected]

10. What is the difference between static and dynamic routing? Use example(s)
Answer:
Static routing
Static routing is a method whereby the network administrator manually configures routes.
The routes are fixed and any changes to the network require manual updates. It consumes
fewer resources and traffic flows are more predictable, but it becomes more difficult to manage
as the network grows in size. An example is a simple network configured directly between
two routers.

Dynamic routing
Dynamic routing is a way for routers to automatically learn and update routes using routing
protocols. It automatically responds to network changes and optimises routes, but is more
resource intensive and complex to configure. In large networks and ISPs, protocols such as
OSPF and BGP are used.


11. Describe briefly these dynamic routing protocols


Answer:

Name: short brief
RIP: RIP is a distance-vector dynamic routing protocol, in which routers in a network periodically exchange routing information. The ‘distance’ of a route is measured in hops, with a maximum hop count of 15. It is used in small to medium-sized networks and is simple to configure, but has limited scalability.
OSPF and IS-IS: OSPF is a link-state protocol, where each router knows the topology of the entire network and calculates the shortest route. It has a hierarchical area structure and is suitable for large networks. IS-IS is also link-state, but based on a different standard than OSPF and operates with the OSI protocol. Both are used for efficient routing in large networks.
BGP: BGP is a path-vector dynamic routing protocol used for routing between different ASes (autonomous systems). It selects the best route based on route attributes and is widely used in the Internet backbone. It provides policy-based routing and is suitable for connections between large networks.
RPL (ripple): RPL is a routing protocol designed for low-power and lossy networks. It is used between sensor networks and IoT devices and uses a hierarchical network structure called DODAG (Destination-Oriented Directed Acyclic Graph). It is energy efficient and suitable for battery-powered devices.

12. Create a DNS request (any tool such as ping, nslookup, whatever) to resolve the IP address
of www.oamk.fi
Answer:
I typed these commands into cmd; the result is shown in the screenshot:


o Use some IP whois lookup web service to resolve which company is hosting and
has that IP address and server (www.oamk.fi).
Answer:
Look up both the IP address and www.oamk.fi (two different query types) in a whois
lookup, and you will get the result.
The hosting company is Upcloud Cloud Servers.

o What is the inetnum or route/network (IP address range) the www.oamk.fi's IP
address belongs to?
Answer:
Following the two search results, www.oamk.fi belongs to Oulun ammattikorkeakoulu Oy.

o What is the abuse contact email address of that network range?
Answer:
For the IP address, the abuse contact email address is [email protected]; however,
www.oamk.fi does not provide a way to contact it.


13. Use traceroute (tracert in MS Windows command shell) to www.whitehouse.gov

o What is the internet service provider's first router IP address near you? (it's
most likely the 2nd router/hop, immediately after your home network)
Answer:
Type these at the command prompt; here is the answer:

o How many hops (routers) are there to www.whitehouse.gov from your
device?
Answer:
There are 6 hops to reach the destination 192.0.66.168.
o Use traceroute again, but this time to Google's public DNS server at 8.8.8.8, and
Quad9 DNS at 9.9.9.9. How far are those?
Answer:
For Google's Public DNS server 8.8.8.8 and Quad9's 9.9.9.9, here are the results:

There are 8 hops to 8.8.8.8, and 9.9.9.9 has 6 hops.

That means 8.8.8.8 takes 8 hops to reach the destination, which is a longer distance, and
Quad9 is the same distance.

o Why does traceroute not always work, not show the route up to the final
destination IP, or show timeouts for some routers (* is timeout)? For
example, the IP address of education.gov.au
Answer:
Traceroute may not always show the complete route, for example because of
firewalls, rate limiting, or network configuration.


Firewalls and security are the most common reason, because routers and servers along the
path might block the ICMP packets used by traceroute, causing timeouts or missing hops.
ICMP rate limiting: some routers might limit the rate of ICMP responses or prioritize
other types of traffic, resulting in timeouts.
Network configuration: certain network configurations, such as NAT or complex routing
setups, can affect traceroute results.
Number of hops: the number of lines displayed in the traceroute output represents the
total number of hops (routers) between your device and the destination.

o Use traceroute and DNS to estimate/guess from response DNS names, round trip
times, and with IP whois lookups, where the web server reliefweb.int is located
(continent, country or so)?
Answer:
Below are the results for reliefweb.int at the command prompt. (I needed to stop it manually
after many requests timed out.)

Estimated location of the web server:
Continent: the IPs 213.248.100.236 and 62.115.139.186 belong to Telia, so we can
estimate that the continent is Europe.
Country: Sweden, Finland, or Germany.
City: likely one of the major cities in Europe, e.g. Helsinki, Stockholm, etc.

Analysis of DNS names and IP addresses: from the traceroute results, the progression of
hops through networks such as twelve99.net suggests traversing the network
infrastructure of Telia Company, a major network service provider, predominantly
operational in Europe.


Round Trip Times: The round-trip times vary from 6 ms to 109 ms, with the longest
times occurring at hop 8. These times represent the delays experienced at various network
nodes (like routers and switches) between the origin and the destination server. These
measurements can vary depending on network congestion, the routes taken by packets, and
the configuration of intermediate routers.

14. Use Ficix statistics web page and answer:


o What is the most quiet IP traffic hour in the Ficix 1 exchange point?
Answer:
The most quiet IP traffic hour at the Ficix 1 exchange point is typically during the early
morning hours, around 03:30 to 05:00.

o Which organisations or companies are connected to Ficix 3?


Answer:
Many organizations and companies are connected to Ficix 3, including Cinia Oy, DNA Oyj,
Elisa Oyj, Microsoft Oy, Netflix Streaming Services International B.V., Telia Oyj and
Verizon Finland Oy.


15. List all private IPv4 networks (RFC1918)


Answer:
RFC 1918 defines three private address ranges that are not routable on the public internet, one
per address class:
Class A: 10.0.0.0/8 (10.0.0.0 to 10.255.255.255). This range supports a network with 16,777,216 private IP addresses. It covers all addresses where the first octet is 10. Often used in large organizations due to the vast number of hosts it can accommodate.
Class B: 172.16.0.0/12 (172.16.0.0 to 172.31.255.255). This range includes 1,048,576 addresses. It includes 16 contiguous class B network numbers starting from 172.16.0.0 up to 172.31.255.255. This is frequently used in medium-sized networks.
Class C: 192.168.0.0/16 (192.168.0.0 to 192.168.255.255). This block contains 65,536 addresses, encompassing all addresses where the first two octets are 192.168. It's commonly used in smaller networks such as home networks or small businesses.
These ranges are used in combination with network address translation to facilitate
communication between a private network and the internet, allowing multiple devices to share
a single public IP address.

16. What is the purpose of IPv4 private networks?


Answer:
Private IP addresses let devices connected to the same network communicate with one another
without connecting to the entire internet. By making it more difficult for an external host or user
to establish a connection, private IPs help bolster security within a specific network, like in your
home or office.

IPv4 stands for Internet Protocol version 4. It is the underlying technology that makes it
possible for us to connect our devices to the web. Whenever a device accesses the Internet, it is
assigned a unique, numerical IP address such as 99.48.


17. List and explain three or more purposes and features of the ICMP and or ICMPv6
protocol.
Answer:
The Internet Control Message Protocol (ICMP) and ICMPv6 are essential protocols used for
sending error messages and other operational information between hosts on the internet.
Key purposes and features of ICMP and ICMPv6:
Error reporting. ICMP: reports errors that occur during the transmission of IP packets, e.g. if a destination host is unreachable, a "destination host unreachable" message is sent back to the source host. ICMPv6: reports errors in IPv6 packet transmission; it includes specific error messages for IPv6-related issues, such as "packet too big," "address unreachable," and "port unreachable."
Echo requests and replies. ICMP: sends echo requests and receives echo replies, which are fundamental for network diagnostics and troubleshooting. By sending an echo request to a destination host and measuring the time it takes for the reply to return, administrators can determine network latency, packet loss, and other performance metrics. ICMPv6: sends echo requests and replies, providing similar functionality for IPv6 networks.
Router solicitation and advertisement. ICMP: no function for this; however, ICMP supports network layer management and can help regulate the flow of data. ICMPv6: includes specific messages for router solicitation and advertisement, which are essential for IPv6 network discovery and configuration. Routers can send router advertisements to announce their presence and capabilities to other hosts on the network, while hosts can send router solicitations to request information about available routers.

18. Try to solve these basic IP subnet calculations without checking the solutions:
If network address is 192.168.100.0, and subnet mask is 255.255.255.224, what is the
broadcast address of the network?
Answer:
You can check these data from this website https://www.omnicalculator.com/other/ip-subnet

After entering 192.168.100.0 and the subnet mask 255.255.255.224, we get the same solution
from the link.

o If network address is 1.2.3.4, and broadcast address is 1.2.3.7, what is the subnet
mask of the network?
Answer:
This needs the network address and the broadcast address to get the subnet mask.
Network address: 1.2.3.4
Broadcast address: 1.2.3.7
The range includes 1.2.3.4 to 1.2.3.7, which suggests that the subnet mask allows for 4
addresses (4 - 0 = 3 + 1 = 4). The subnet mask that allows exactly four addresses in the
last octet (since only the last octet is changing) is 255.255.255.252. This subnet mask
uses the first 30 bits as network bits (since 2^2 = 4 and we need 2 bits for the host to
provide 4 addresses), so the subnet mask is 255.255.255.252.
(Checked the solution from the link; it is correct.)

o If broadcast address is 192.168.129.255 and network mask is 255.255.254.0, what
is the network address of the network?
Answer:
This can be done with the website, and checking the solution shows it is correct.


19. Try to solve these IP subnetting assignments without checking the solutions and
document at least some examples/answers to the learning diary. Answers should
contain (for each subnet): Network address, broadcast address and subnet mask:
Answer:
We need each subnet and calculate the number of addresses to define number of host addresses
needed. The process as below:
A. Find the smallest power of 2: Find the smallest power of 2 that is equal to or greater than the
number of addresses required. This determines how many addresses are needed in the subnet.
B. Calculate subnet mask: Convert the number of addresses into the subnet mask. The subnet
mask determines the size of the subnet in terms of how many addresses it can hav

o Subnetting task 1:
▪ The address space available is 172.16.64.0/23. Subnet it and create 5 (A,
B, C, D and E) IPv4 subnets with following amount of hosts in each
network: A = 85, B = 45, C = 95, D = 57, E = 34.
▪ Leave some small amount of free addresses to each subnet. Avoid
unnecessary waste of IPs.
Answer:
Here is the information we have on hand:
Network Address: 172.16.64.0/23
Number of Subnets: 5
Number of Hosts per Subnet: A = 85, B = 45, C = 95, D = 57, E = 34.
Given the number of hosts in each network, the resulting subnet sizes are:
Subnet A: Needs 85 hosts + some for network and broadcast addresses. The closest
subnet mask is /25 which supports 128 hosts (126 usable).
Subnet B: Needs 45 hosts. The closest subnet mask is /26 which supports 64 hosts (62
usable).
Subnet C: Needs 95 hosts. The closest subnet mask is /25 which supports 128 hosts (126
usable).
Subnet D: Needs 57 hosts. The closest subnet mask is /26 which supports 64 hosts (62
usable).
Subnet E: Needs 34 hosts. The closest subnet mask is /26 which supports 64 hosts (62
usable).
Based on the subnet host counts and networks, we get the table below:

Network   | Host amount | Network address | Broadcast address | Subnet mask     | Assigned subnet (by size)
Network A | 85          | 172.16.64.128   | 172.16.64.255     | 255.255.255.128 | 172.16.64.128/25
Network B | 45          | 172.16.65.64    | 172.16.65.127     | 255.255.255.192 | 172.16.65.64/26
Network C | 95          | 172.16.64.0     | 172.16.64.127     | 255.255.255.128 | 172.16.64.0/25
Network D | 57          | 172.16.65.0     | 172.16.65.63      | 255.255.255.192 | 172.16.65.0/26
Network E | 34          | 172.16.65.128   | 172.16.65.191     | 255.255.255.192 | 172.16.65.128/26


o Subnetting task 2:
▪ Same as task 1, but available address space is now 192.168.0.0/25 and
networks/hosts are: A = 28, B = 10, C = 60, D = 4.
▪ Leave some small amount of free addresses to each subnet. Avoid
unnecessary waste of IPs.
Answer:
The process is like task 1. Since we need 4 subnets, we need to borrow 2 bits from the host
portion. Therefore, the subnet mask is 255.255.255.128 (25 + 2 = 27).
Subnet A: Needs 28 hosts. Use /27 which supports 30 usable hosts.
Subnet B: Needs 10 hosts. Use /28 which supports 14 usable hosts.
Subnet C: Needs 60 hosts. Use /26 which supports 62 usable hosts.
Subnet D: Needs 4 hosts. Use /29 which supports 6 usable hosts.
In this case, below are the host and network addresses:

Network   | Host amount | Network address | Broadcast address | Subnet mask     | Assigned subnet (by size)
Network A | 30          | 192.168.0.0     | 192.168.0.127     | 255.255.255.128 | 192.168.0.64/27
Network B | 12          | 192.168.0.128   | 192.168.0.159     | 255.255.255.128 | 192.168.0.96/28
Network C | 62          | 192.168.0.160   | 192.168.0.255     | 255.255.255.128 | 192.168.0.0/26
Network D | 6           | 192.168.1.0     | 192.168.1.7       | 255.255.255.128 | 192.168.0.112/29

o Subnetting task 3:
▪ IPv6 address space available: 2001:708:510::/48. Create four /64 IPv6
networks.
Answer:
The calculation for address space is (address amount)2: 642 addresses available for
subnets.
Creating four /64 subnets from a /48 is straightforward:
Subnet   | Network address  | Broadcast address                     | Subnet mask       | Usable host range
Subnet 1 | 2001:708:510::   | 2001:708:510:ffff:ffff:ffff:ffff:ffff | 2001:708:510::/64 | 2001:708:510:0001:0000:0000:0000:0000 - 2001:708:510:ffff:ffff:ffff:ffff:fffe
Subnet 2 | 2001:708:510:1:: | 2001:708:510:1:ffff:ffff:ffff:ffff    | 2001:708:510::/64 | 2001:708:510:1:0001:0000:0000:0000 - 2001:708:510:1:ffff:ffff:ffff:fffe
Subnet 3 | 2001:708:510:2:: | 2001:708:510:2:ffff:ffff:ffff:ffff    | 2001:708:510::/64 | 2001:708:510:2:0001:0000:0000:0000 - 2001:708:510:2:ffff:ffff:ffff:fffe
Subnet 4 | 2001:708:510:3:: | 2001:708:510:3:ffff:ffff:ffff:ffff    | 2001:708:510::/64 | 2001:708:510:3:0001:0000:0000:0000 - 2001:708:5
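As an added worked example (my own code, not part of this diary or the course material), the following Python script automates steps A and B above with the standard library's ipaddress module. Sorting the requested subnets largest first and aligning every block to its own size is the usual VLSM procedure; the function names are my own, and the "aligned block" rule is an assumption about how the tasks want addresses packed. It goes beyond task 1: it also handles task 2, the IPv6 /64 split from task 3, and the two network/broadcast questions earlier in this assignment. Getting these boundaries right matters to a defender because firewall rules and ACLs are written against exactly these network and broadcast addresses.

```python
import ipaddress
import itertools
import math


def prefix_for_hosts(hosts: int) -> int:
    """Smallest IPv4 prefix whose block has room for `hosts` usable addresses.

    Every block loses two addresses (network and broadcast), so hosts + 2 is
    rounded up to the next power of two (step A) and the number of host bits
    is turned into a prefix length (step B).
    """
    host_bits = max(2, math.ceil(math.log2(hosts + 2)))
    return 32 - host_bits


def allocate(space: str, demands: dict) -> dict:
    """VLSM allocation: largest subnet first, each block aligned to its own size."""
    pool = ipaddress.IPv4Network(space)
    cursor = int(pool.network_address)
    result = {}
    for name, hosts in sorted(demands.items(), key=lambda kv: kv[1], reverse=True):
        prefix = prefix_for_hosts(hosts)
        size = 1 << (32 - prefix)
        if cursor % size:                       # keep the block aligned on its size
            cursor += size - cursor % size
        net = ipaddress.IPv4Network((cursor, prefix))
        if not net.subnet_of(pool):
            raise ValueError(f"{space} is too small: subnet {name} does not fit")
        result[name] = net
        cursor += size
    return result


def describe(net: ipaddress.IPv4Network) -> tuple:
    """(network address, broadcast address, subnet mask), as the task asks for."""
    return str(net.network_address), str(net.broadcast_address), str(net.netmask)


def mask_from_range(network: str, broadcast: str) -> str:
    """Subnet mask of the block that starts at `network` and ends at `broadcast`."""
    first = int(ipaddress.IPv4Address(network))
    last = int(ipaddress.IPv4Address(broadcast))
    size = last - first + 1
    if size < 1 or size & (size - 1):
        raise ValueError("range is not a power-of-two block")
    net = ipaddress.IPv4Network((first, 32 - (size.bit_length() - 1)), strict=False)
    if int(net.network_address) != first or int(net.broadcast_address) != last:
        raise ValueError(f"{network}-{broadcast} is not an aligned /{net.prefixlen} block")
    return str(net.netmask)


def network_from_broadcast(broadcast: str, mask: str) -> str:
    """Network address of the subnet that `broadcast` belongs to."""
    return str(ipaddress.IPv4Network(f"{broadcast}/{mask}", strict=False).network_address)


def ipv6_subnets(space: str, new_prefix: int, count: int) -> list:
    """First `count` subnets of `space` when it is cut into /new_prefix blocks."""
    pool = ipaddress.IPv6Network(space)
    return [str(n) for n in itertools.islice(pool.subnets(new_prefix=new_prefix), count)]


if __name__ == "__main__":
    task1 = allocate("172.16.64.0/23", {"A": 85, "B": 45, "C": 95, "D": 57, "E": 34})
    for name, net in sorted(task1.items()):
        print(name, net, *describe(net))
    print(mask_from_range("1.2.3.4", "1.2.3.7"))
    print(network_from_broadcast("192.168.129.255", "255.255.254.0"))
    print(ipv6_subnets("2001:708:510::/48", 64, 4))
```

Running it for task 1 reproduces the five subnets in the table above; for task 2 it yields the /26, /27, /28 and /29 blocks in the "assigned subnet" column of that answer.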


Week 3
20. Use Linux or Windows command line telnet or any other TCP socket client application
(install Putty or any telnet client if needed) to access the TCP service in
pouta.ipt.oamk.fi listening TCP port 55555. What is the text string the server replies to
your TCP connection if you send some plain text string + newline to it?
Answer:
After installing telnet on my Ubuntu, I connected to pouta.ipt.oamk.fi:

Sending a new line gets the same reply.

21. Answer these questions:


o Explain shortly the purpose of TCP acknowledgment and sequence numbers
Answer:
TCP acknowledgments: they ensure that data is delivered reliably. When a receiver
receives a segment, it sends an acknowledgment back to the sender, indicating that the
data up to that point has been received successfully.
Sequence Numbers: Sequence numbers are used to order segments and prevent data loss
or duplication. Each segment is assigned a sequence number, and the receiver can use
these numbers to reassemble data in the correct order.

o What is the purpose of TCP SYN bit?


Answer:
SYN (synchronisation) bit: it is used in the initial handshake process of the
connection. The client sends a SYN packet to the server when it wants to initiate a
connection. The server responds with a SYN-ACK packet when it is ready to establish a
connection. The client then sends an ACK packet to complete the handshake. This
synchronises the sequence numbers on both sides and establishes the connection.

o What is the purpose of TCP reset bit?


Answer:
TCP reset is an abrupt closure of the session; it causes the resources allocated to the
connection to be immediately released and all other information about the connection is
erased. TCP reset is identified by the RESET flag in the TCP header set to 1.

o When TCP retransmissions occur?


Answer:
TCP retransmissions occur when a sender does not receive an acknowledgment for a
segment within a certain timeout period. This indicates that the segment may have been
lost or corrupted, and the sender will retransmit the segment until it receives an
acknowledgment.


o What is flow-control? (for IP family protocols such as TCP)


Answer:
Flow control is a mechanism in TCP that regulates the rate of data transmission between
sender and receiver so that the receiver does not send an amount of data that it cannot
process. By advertising a window size, which indicates the buffer size available to the
receiver, the sender sends data within that range.

o Explain TCP connection state LISTENING


Answer:
LISTEN: The local end-point is waiting for a connection request from a remote end-
point i.e. a passive open was performed.

o Explain TCP connection state ESTABLISHED


Answer:
ESTABLISHED: The third step of the three-way connection handshake was performed.

o What is the purpose of TCP or UDP source port?


Answer:
The source port is used to identify the originating application or process. This allows the
receiving host to return responses or data to the correct source. The source port number
and source IP address identify the source of the packet.

o What is the purpose of TCP or UDP destination port?


Answer
The destination port is used to identify the receiving application or process. This ensures
that the received data is forwarded to the correct application or service. The destination
port number and destination IP address identify the receiving destination.

o What are the common well-known network service names for these TCP ports:
22, 23, 25, 80, 443, 3306?
Answer:


Well-known ports

Port | TCP | UDP      | SCTP | DCCP | Description
22   | Yes | Assigned | Yes  |      | Secure Shell (SSH), secure logins, file transfers (scp, sftp) and port forwarding
23   | Yes | Assigned |      |      | Telnet protocol: unencrypted text communications
25   | Yes | Assigned |      |      | Simple Mail Transfer Protocol (SMTP), used for email routing bet
80   | Yes | Yes      | Yes  |      | Hypertext Transfer Protocol (HTTP) uses TCP in versions 1.x and 2. HTTP/3 uses QUIC, a transport protocol on top of UDP.
443  | Yes | Yes      | Yes  |      | Hypertext Transfer Protocol Secure (HTTPS) uses TCP in versions 1.x and 2. HTTP/3 uses QUIC, a transport protocol on top of UDP.
3306 | Yes | Assigned |      |      | MySQL database system

o What are common connection-oriented protocol features/advantages, and why
TCP is such protocol?
Answer:
Connection-oriented protocols offer several advantages, including reliability, error
checking, and ensuring data is received in sequence. Because the protocol acknowledges
each received data packet and retransmits lost ones, communication between devices is
much more reliable compared to connectionless protocols.
Examples of connection-oriented protocols include Transmission Control Protocol
(TCP) and Stream Control Transmission Protocol (SCTP). Both of these protocols are
widely used in various communication processes, such as web browsing, file transfers,
and emailing.

TCP (Transmission Control Protocol) is a connection-oriented protocol that ensures
reliable communication between two endpoints. TCP's reliability, ordering, and flow
control features make it suitable for applications that require reliable and error-free data
delivery.

o What are connectionless protocols features (or lack of), and why UDP is
connectionless protocol?
Answer:


A connectionless network protocol is an alternative type of data transmission in which a
network endpoint sends an IT signal automatically, without determining whether a receiver
exists or stands ready to receive it. This stands in contrast to many conventional
connection-based data transmission methods.

Connectionless protocols operate in this manner. One casts a datagram onto the network
with the understanding that it will be delivered on a best-effort basis to whomever it is
addressed to. In addition, we accept that there is no notification of a failure, nor can we
make assumptions about the sequence of delivery. UDP is a great example of this sort of
communication.

UDP is considered a connectionless protocol because it doesn't require the establishment
of a virtual circuit before any data transfer occurs. UDP is a part of the Internet Protocol
suite, referred to as UDP/IP suite. Unlike TCP, it is an unreliable and connectionless
protocol. So, there is no need to establish a connection before data transfer. The UDP
helps to establish low-latency and loss-tolerating connections over the network. The
UDP enables process-to-process communication.

o Why most services using UDP prefer max 512 byte UDP datagrams?
Answer:
The maximum safe UDP payload is 508 bytes, not 512 bytes. This is a packet size of
576 (the "minimum maximum reassembly buffer size"), minus the maximum 60-byte IP
header and the 8-byte UDP header. So 576-60-8 = 508.

o When it is more reasonable to use UDP instead of TCP?
Answer:
Here are the differences between the two:

Factor              | TCP                                                                   | UDP
Connection type     | Requires an established connection before transmitting data           | No connection is needed to start and end a data transfer
Data sequence       | Can sequence data (send in a specific order)                          | Cannot sequence or arrange data
Data retransmission | Can retransmit data if packets fail to arrive                         | No data retransmitting. Lost data can't be retrieved
Delivery            | Delivery is guaranteed                                                | Delivery is not guaranteed
Check for errors    | Thorough error-checking guarantees data arrives in its intended state | Minimal error-checking covers the basics but may not prevent all errors
Broadcasting        | Not supported                                                         | Supported
Speed               | Slow, but complete data delivery                                      | Fast, but at risk of incomplete data delivery

Overall, comparing the two, UDP is best suited for transferring a steady flow of live data. This
allows many users to access data easily and quickly, if not in perfect condition. So online
games, video chatting or conferencing, and VoIP (in-app voice calling) are good candidates for
UDP.

o What is the length of TCP header without extra options? What about UDP
header?
Answer:
Without any extra options, the TCP header is 20 bytes long. The UDP header is 8 bytes long and
carries only the compulsory fields.

o What is TCP Nagle’s algorithm? When it should be disabled for networking
applications?
Answer:
Nagle's algorithm is a TCP optimization that makes the stack wait until all data is
acknowledged on a connection before sending more data. It is a flow control mechanism
used in TCP to reduce the number of small packets sent on the network. It works by
delaying small segments and combining them into larger segments before sending them.
This can improve network efficiency by reducing the number of packets sent and the
overhead associated with each packet.
This process, called "nagling", increases the efficiency of a network application system
by decreasing the number of packets that must be sent.

o What is Maximum Transmission Unit (MTU) and IPv4 fragmentation?


Answer:
The maximum transmission unit (MTU) is the size of the largest protocol data unit
(PDU) that can be communicated in a single network layer transaction. The MTU relates
to, but is not identical to the maximum frame size that can be transported on the data link
layer, e.g., Ethernet frame.

o What is a raw socket?


Answer:
It allows direct sending and receiving of IP packets without any protocol-specific
transport layer formatting. This gives the application more control over the network, but
it also requires more programming effort.

o What is port forwarding?

Answer:
It redirects network traffic to a specific port on a different computer or device. This can
be used to make a service on a private network accessible from the internet.


22. Describe these protocols or services shortly:


Protocols/services | Description
IPSec | A framework for securing IP communications by providing authentication, integrity, and confidentiality. It's often used for VPNs and secure remote access.
RTP and RTCP | RTP (Real-time Transport Protocol) and RTCP (Real-time Control Protocol): A pair of protocols used for delivering audio and video data over IP networks. RTP carries the media data, while RTCP provides feedback and control information.
QUIC (IETF) | QUIC (IETF): A new transport layer protocol designed to provide faster, more reliable, and more secure connections compared to TCP. It's used for applications like web browsing and video conferencing.
Wireguard | A modern, simple, and fast VPN protocol. It's known for its small codebase and strong security.
DoH | DoH (DNS over HTTPS): A protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. This aims to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks.
Round-robin DNS | Round-robin DNS: A technique of load distribution, load balancing, or fault-tolerance provisioning multiple, alternative IP addresses for a single domain name. Round-robin DNS allows administrators to distribute load across multiple servers or to provide redundancy in case one of the servers fails.
LDAP | LDAP (Lightweight Directory Access Protocol): A protocol used to access and modify directory information, often used for authentication and authorization.
Radius | Radius (Remote Authentication Dial-In User Service): A networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect and use a network service. RADIUS is commonly used by ISPs and enterprises to manage access to the internet or internal networks, wireless networks, and integrated email services.
Syslog | A standard for message logging that allows a computer system to forward event notification messages across IP networks to event message collectors, also known as syslog servers. It's widely used for computer system management and security auditing.
NTP | NTP (Network Time Protocol): A protocol used to synchronize clocks across a network.
SNMP | Simple Network Management Protocol (SNMP) is an internet standard protocol used to monitor and manage network devices connected over an IP. SNMP is used for communication between routers, switches, firewalls, load balancers, servers, CCTV cameras, and wireless devices.
SMTP | The Simple Mail Transfer Protocol (SMTP) is a technical standard for transmitting electronic mail (email) over a network. Like other networking protocols, SMTP allows computers and servers to exchange data regardless of their underlying hardware or software.
SMB/CIFS | SMB stands for “Server Message Block.” It’s a file sharing protocol that was invented by IBM and has been around since the mid-eighties. Since it’s a protocol (an agreed upon way of communicating between systems) and not a particular software application, if you’re troubleshooting, you’re looking for the application that is said to implement the SMB protocol. CIFS stands for “Common Internet File System.” CIFS is a dialect of SMB. CIFS is a particular implementation of the Server Message Block protocol, created by Microsoft.

23. When listing services with netstat command, what is the meaning if some network
service is LISTENING and binded to the IP address 127.0.0.1? What if the service is
LISTENING IP address 0.0.0.0?
Answer:
When using the netstat command to list network services, you encounter services that are
listening and bound to specific IP addresses:
LISTENING on 127.0.0.1: This IP address represents the loopback interface. The service is
only accessible from within the local machine. It cannot be accessed from external devices or
networks and is therefore mainly used for security purposes. The service is only accessible from
processes running on the same machine.
LISTENING at 0.0.0.0: This IP address is a special address that represents all available
network interfaces on a system. The service is accessible on all network interfaces of the
machine. It can also be accessed from other devices in the local network and, if properly
configured, from the Internet. The service is accessible from any network interface on the
machine.

24. Why some applications are using or offer “keepalive” mechanism to maintain
established connection (for example SSH connections)?
Answer:
Keep-alive mechanisms in network connections are designed to prevent idle connections from
being terminated by network devices or firewalls. It is used in various network applications to
ensure that connections remain open and active, especially when there are periods of idleness
during a session.
SSH, for example, uses keepalive messages to prevent the session from being dropped by
intermediate devices (like routers or firewalls) that might close connections they perceive as
idle.

Keepalives also detect disconnections: without them, an application might not realize that a
session has been disconnected by a network error or server crash, potentially leading to delays
in recovery and reconnection.
This helps in maintaining consistent application performance and reliability.

25. Study available options with command line command “netstat /?” (Windows) or
netstat –help (Linux, maybe MacOS). What different things you can check with netstat
command?
Answer:
Running netstat shows the following (there are more options, but I only took a screenshot of part of them):


netstat -a shows all listening ports.


26. Do the 50 ms mystery quiz from https://mysteries.wizardzines.com/. What was the
cause of extra 50 ms delay?
Answer:


Week 4
27. Use Croc to move file or files between two or more hosts/devices. Answer shortly:
o How the Croc works?
Answer:
According to its GitHub profile, Croc uses PAKE (Password Authenticated Key
Exchange) to establish a secure connection. This means end-to-end encryption: files are
encrypted before being sent and only the recipient can decrypt them, using a code phrase
shared by the sender. It also provides a relay server: when devices cannot establish a
direct connection, Croc uses a relay server to facilitate the file transfer. The sender is
given a randomly generated, human-readable code phrase which they must share with
the recipient. The recipient uses this code phrase to connect with the sender and start the
file transfer.

o How the Croc moves files if both hosts are not directly visible to each other?
(for example, both are behind NATs or basic firewalls)
Answer:
Croc uses 3 ways to move files while both hosts are not directly visible:
A. Relay server: Croc creates a temporary server if both ports are not directly visible
to each other; it coordinates the transfer of encrypted data between the 2 parties.
B. End-to-end encrypted data: All data is encrypted by Croc from end to end (whether
a relay server is used or not). The server only sees encrypted data as it is
transferred.
C. No local server or port forwarding setup: There is no need to set up a local server for
file transfer. It handles the complexities of transferring files behind
NATs/firewalls without any required configuration from the user.

28. Study how NTP protocol operates and analyse this Python NTP client code. Also
available here as plain text.
o This Python script uses direct socket programming to access the NTP server.
Comment individual socket programming related code lines. Also, answer
these:
▪ What is the NTP server (DNS) hostname?
Answer:

NTP clients can use public NTP servers like pool.ntp.org, or time.nist.gov or
0.pool.ntp.org. The exact hostname would be specified in the script, usually set when
defining the server address. (Here use pool.ntp.org)
▪ What is the destination port number being used?
Answer:
According to the Python code, it uses port 123. This is the standard port used for NTP
traffic across the Internet.
▪ Is this Python script using TCP or UDP? How do you know?
Answer:
The Python code uses both; first of all, to know what TCP and UDP are here:
UDP is the underlying transport layer protocol used for sending and receiving data
packets.


NTP is the application-level protocol that defines the specific format and purpose of
the data exchange, allowing the program to retrieve time information from a time
server.
Here are codes for UDP:
A. Socket Creation

The socket is for the Datagram socket, and use for UDP.

B. Send and Receive Data:

From the code, sendto() and recvfrom() used in the script are typically used with
UDP sockets. sendto() sends data to a specific address, and recvfrom() receives
data from any address, both of which are characteristics of UDP's connectionless
nature.
Because NTP is a protocol designed to synchronize the clocks of computers over a
network, it relies on UDP for data transport.
So NTP_PACK_FORMAT, NTP_DELTA and NTP_QUERY are constants related
to the NTP protocol.
This Python code uses UDP for sending NTP (Network Time Protocol) queries and
receiving responses without a continuous connection, which suits a quick time
synchronization task.

o Try to execute the app with Python


Answer:
After executing the app, I get the server time.
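Because the course's NTP script is not reproduced in this diary, here is an added, stand-alone Python NTP client (my own code, not the course's script) built from the same ingredients named above: a SOCK_DGRAM socket, sendto()/recvfrom(), UDP port 123, and constants whose names are modelled on, but not copied from, the course's NTP_PACK_FORMAT, NTP_DELTA and NTP_QUERY. The parser checks the reply's mode and stratum before trusting the timestamp, and build_ntp_response() constructs a fake reply so the parsing can be verified offline. Plain NTP over UDP is unauthenticated, so the port and mode checks are sanity checks, not a security boundary.

```python
import socket
import struct
import time

NTP_PORT = 123                        # well-known UDP port for NTP
NTP_PACKET_FORMAT = "!12I"            # 48-byte packet as 12 big-endian 32-bit words
NTP_DELTA = 2208988800                # seconds between the NTP epoch (1900) and the Unix epoch (1970)
NTP_QUERY = b"\x1b" + 47 * b"\0"      # first byte: LI=0, VN=3, Mode=3 (client); rest zero


def parse_ntp_response(data: bytes) -> dict:
    """Validate a server reply and convert its transmit timestamp to Unix time."""
    if len(data) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    words = struct.unpack(NTP_PACKET_FORMAT, data[:48])
    first_byte = words[0] >> 24
    leap, version, mode = first_byte >> 6, (first_byte >> 3) & 0x7, first_byte & 0x7
    stratum = (words[0] >> 16) & 0xFF
    if mode != 4:                                   # 4 = server; anything else is not a reply to us
        raise ValueError(f"expected server mode 4, got {mode}")
    if stratum == 0 or leap == 3:                   # kiss-o'-death or clock not synchronised
        raise ValueError("server is unsynchronised, ignore its time")
    tx_seconds, tx_fraction = words[10], words[11]  # transmit timestamp at byte offset 40
    return {"version": version, "mode": mode, "stratum": stratum,
            "unix_time": tx_seconds - NTP_DELTA + tx_fraction / 2**32}


def build_ntp_response(tx_seconds: int, tx_fraction: int = 0, stratum: int = 2) -> bytes:
    """Constructed server reply (LI=0, VN=3, Mode=4) for offline testing; not real server output."""
    words = [0] * 12
    words[0] = (0x1C << 24) | (stratum << 16)
    words[10], words[11] = tx_seconds, tx_fraction
    return struct.pack(NTP_PACKET_FORMAT, *words)


def query_ntp(host: str = "pool.ntp.org", timeout: float = 3.0) -> dict:
    """One UDP round trip: sendto() the query, recvfrom() the reply, parse it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:  # SOCK_DGRAM = UDP
        sock.settimeout(timeout)                                     # UDP gives no error on loss, so time out
        sock.sendto(NTP_QUERY, (host, NTP_PORT))
        data, (addr, port) = sock.recvfrom(512)                      # 512 bytes is plenty for 48
        if port != NTP_PORT:
            raise ValueError(f"reply came from unexpected port {port} on {addr}")
        return parse_ntp_response(data)


if __name__ == "__main__":
    result = query_ntp()
    print(time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(result["unix_time"])), result)
```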

29. Do these Python programming assignments with Windows or Linux (or with MacOS if
you want and know how)
o For example, use https://realpython.com/python-sockets/ or similar site(s) for
socket programming example codes and create TCP client and TCP server
Python scripts.
Answer
Two separate files for them


Server code

Client code

From the TCP client, here is the response from the code:

o Establish a TCP connection between your client and server Python scripts
(either as localhost traffic or between two separate hosts if you have access to
two or more Python running hosts without firewall preventing the traffic)
Answer
Run the scripts on the same machine:

o Transfer some ASCII text strings between the hosts

▪ TCP client connects to the server, sends some plain text string and then
disconnects
Answer


When the message content is changed, it changes on both the server and client side too.

▪ Server prints the text to the console or elsewhere


Answer:

▪ Save your source codes and work. You need scripts again during the
course week #5 (Wireshark protocol analyzer assignments)
o Use netstat or similar command line tools to check the TCP connection status
(for example the Python server script LISTENING the selected TCP port)
Answer:
Use netstat -an | find “65488”
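As an added example (my own code, not the scripts in the screenshots above), here is a minimal TCP server and client pair in Python that runs over localhost, so it can be watched with netstat and, in week 5, with Wireshark on the loopback interface. It also shows the bind-address choice from question 23 (127.0.0.1 versus 0.0.0.0), SO_KEEPALIVE from question 24, and TCP_NODELAY, which switches off Nagle's algorithm from question 21. Port 0 asks the OS for a free port, so the 65488 seen above is not hard-coded.

```python
import socket
import threading


def start_server(bind_host: str = "127.0.0.1", port: int = 0):
    """Listen on bind_host:port (port 0 = let the OS pick) and echo one client back.

    Binding to 127.0.0.1 keeps the service reachable only from this machine;
    0.0.0.0 would expose it on every interface, which is the difference netstat
    shows between the two LISTENING addresses.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)   # allow quick restarts
    srv.bind((bind_host, port))
    srv.listen(1)                        # socket is now in state LISTEN
    box = {"bound": srv.getsockname()}   # (address, actual port chosen)

    def handle_one_client():
        conn, peer = srv.accept()        # returns once the 3-way handshake is done (ESTABLISHED)
        with conn:
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)  # probe idle sessions
            chunks = []
            while True:
                data = conn.recv(4096)
                if not data:             # b"" means the peer sent FIN: no more data
                    break
                chunks.append(data)
            text = b"".join(chunks).decode("utf-8", errors="replace")
            print(f"server got from {peer}: {text!r}")
            box["received"], box["peer"] = text, peer
            conn.sendall(text.encode("utf-8"))   # echo it back, then close (our FIN)
        srv.close()

    worker = threading.Thread(target=handle_one_client, daemon=True)
    worker.start()
    return box["bound"][1], worker, box


def send_text(host: str, port: int, text: str, timeout: float = 5.0) -> str:
    """Connect, send the text, half-close, and return whatever the server sends back."""
    with socket.create_connection((host, port), timeout=timeout) as cli:
        # Small, latency-sensitive exchange: disable Nagle so the segment goes out immediately.
        cli.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
        cli.sendall(text.encode("utf-8"))
        cli.shutdown(socket.SHUT_WR)     # send FIN; we can still read the reply
        chunks = []
        while True:
            data = cli.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


if __name__ == "__main__":
    port, worker, box = start_server()
    print("listening on", box["bound"])
    print("reply:", send_text("127.0.0.1", port, "hello from client"))
    worker.join(5)
```

While the server thread is waiting in accept(), `netstat -an | find "<port>"` (Windows) or `netstat -tan | grep <port>` (Linux) shows the LISTEN entry bound to 127.0.0.1; during the exchange a second line appears in state ESTABLISHED.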


Week 5
30. Define following terms and concepts shortly:
Answer:
What is the difference between encoding and encryption?

Term | Definition
Encoding | Encoding is designed to protect the integrity and usability of data. It converts data into a different format using a scheme that is publicly available, such as ASCII, Unicode, URL encoding, or Base64. The goal is often to ensure that the data can be properly consumed by different types of systems. HTML encoding ensures special characters are handled correctly in browsers. Encoding is about representation and compatibility.
Encryption | Encryption is used for securing data. It transforms data into a format that can't be easily understood without a corresponding decryption key or mechanism. It can protect sensitive information from unauthorized access. AES encryption is used for securing sensitive user data in databases, or SSL/TLS encryption for securing data transmitted over the internet. Encryption is about security and confidentiality.

o List few common encryption algorithms or systems


Answer:
There are many encryption algorithms or systems, and I will list the hash functions,
which I have used in a database system to protect database data, so that if some hacker
attacks and gets the passwords from the database, they are not in a readable form.
a. SHA-256: A cryptographic hash function that produces a 256-bit hash value.
b. SHA-512: A cryptographic hash function that produces a 512-bit hash value.
c. MD5 (Message Digest 5): A cryptographic hash function that is no longer considered
secure due to its vulnerability to collisions.

o List few common encoding systems


Answer:
a. ASCII (American Standard Code for Information Interchange): A 7-bit character
encoding standard that represents 128 characters; it was used in early
computers (but now this system has been replaced by UTF-8 and UTF-16).
b. UTF-8 (Unicode Transformation Format - 8-bit): A variable-length character
encoding that can represent characters from almost all languages.
c. UTF-16: A variable-length character encoding that can represent characters from almost
all languages, but uses 16 bits per character.
d. Unicode: A standard for representing text characters from almost all languages. It
encompasses multiple encoding schemes, including UTF-8 and UTF-16. Unicode
supports over 100,000 characters. Unicode has the capacity to represent characters from
all writing systems around the world, including symbols, emojis, and historical scripts.
UTF-8, UTF-16, and UTF-32, where UTF-8 is the most widely used on the web.
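An added Python example (my own, not part of the diary) that makes the distinction in the table above concrete: Base64 and UTF-8 are encodings that anyone can reverse without a key, a SHA-256 hash cannot be reversed at all (it is verified by recomputing it), and a password stored as a hash should use a salted, slow construction with a constant-time comparison on verify. PBKDF2-HMAC-SHA256 from hashlib is used here because it is in the standard library; the iteration count and the `algorithm$iterations$salt$digest` storage format are my own choices.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def encode_text(text: str) -> str:
    """Encoding: a public, reversible mapping (UTF-8 bytes, then Base64 text)."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def decode_text(b64: str) -> str:
    """Anyone can undo an encoding; no key is involved, so it protects nothing."""
    return base64.b64decode(b64, validate=True).decode("utf-8")


def utf8_len(text: str) -> int:
    """UTF-8 is variable-length: ASCII stays 1 byte, other characters take 2 to 4."""
    return len(text.encode("utf-8"))


def sha256_hex(data: bytes) -> str:
    """A hash is one-way: there is no decode step, only recomputation and comparison."""
    return hashlib.sha256(data).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Salted, slow password hash (PBKDF2-HMAC-SHA256); never store a bare SHA-256 of a password."""
    salt = salt if salt is not None else os.urandom(16)   # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print(encode_text("Hello, IoT"), "->", decode_text(encode_text("Hello, IoT")))
    print(sha256_hex(b"Hello, IoT"))
    record = hash_password("correct horse")
    print(record, verify_password("correct horse", record), verify_password("wrong", record))
```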


o What are plain text protocols? List some


Answer:
These are communication protocols that transmit data in a human-readable format.
These protocols are often used for simple text-based interactions and do not involve
encryption or complex formatting.
Here are some examples:

Term | Definition
Telnet | A remote terminal protocol that allows users to access and control remote computers over a network. Allows users to perform remote login to other computers on the internet or local area networks.
FTP (File Transfer Protocol) | A protocol used for transferring files between computers over a network. Used for the transfer of files between client and server on a network.
SMTP (Simple Mail Transfer Protocol) | A protocol used for sending and receiving email.
POP3 (Post Office Protocol version 3) | A protocol used for retrieving email from a mail server.
IMAP (Internet Message Access Protocol) | A protocol used for accessing and managing email messages on a mail server.
IRC (Internet Relay Chat) | A protocol for real-time text-based communication. Enables real-time communication via text.
HTTP (Hypertext Transfer Protocol) | The foundational protocol used for transferring web pages across the Internet. While HTTP can also transmit non-text data, it is often used for text-based communication, such as web pages and HTML forms.
DNS (Domain Name System) | Translates domain names into IP addresses.

o Encapsulation (protocol)
Answer:
It refers to the process of wrapping data from one layer of the OSI model within a packet
at a higher layer. This allows data to be transmitted across different network types and
protocols, ensuring that it reaches its intended destination.
A web browser sending an HTTP request to a web server. The HTTP request is
encapsulated within a TCP segment, which is then encapsulated within an IP packet. The
IP packet is further encapsulated within a frame at the Data Link layer before being
transmitted over the physical network.

o JSON, XML, YAML, CSV


Answer
Term | Definition
JSON (JavaScript Object Notation) | It is a human-readable data-interchange format based on JavaScript syntax. Commonly used in web applications for client-server communication. It's lightweight and easy for humans to read and write, as well as for machines to parse and generate.
Example as below:
    {
    "name": "John Doe",
    "age": 30,
    "city": "New York"
    }
In the code above, a user can read the data types and details.
XML (Extensible Markup Language) | A markup language that defines a set of rules for encoding documents into a format that is both human-readable and machine-readable. Widely used for web services, RSS feeds, and configuration files. It supports complex data structures and can be used to describe hierarchical data.
Sample code:
    <person>
    <name>John Doe</name>
    <age>30</age>
    <city>New York</city>
    </person>
YAML (YAML Ain't Markup Language) | A human-readable data-serialization language that aims to be more concise and easier to read than XML. Often used for configuration files in development projects and data serialization. It's particularly popular in the configuration of many cloud services.
Sample code:
    name: John Doe
    age: 30
    city: New York
CSV (Comma-Separated Values) | CSV data is formatted in plain text, with each line representing a data record. Each record consists of fields, delimited by commas. This is used in data export/import, especially between applications, to handle large amounts of data transfer.
Sample code:
    name,age,city
    John Doe,30,New York
    Jane Smith,25,Los Angeles
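An added Python example, not from the diary, that reads the same person record from the JSON, XML and CSV samples above with the standard library (json, xml.etree, csv; YAML needs a third-party package and is left out) and normalises all three into one dict shape, rejecting records with missing fields. The sample documents are embedded as constructed strings. For XML from an untrusted source, parse with the defusedxml package instead of xml.etree, which does not defend against entity-expansion tricks.

```python
import csv
import io
import json
import xml.etree.ElementTree as ET

# Constructed sample documents: the same record as the examples above.
JSON_DOC = '{"name": "John Doe", "age": 30, "city": "New York"}'
XML_DOC = "<person><name>John Doe</name><age>30</age><city>New York</city></person>"
CSV_DOC = "name,age,city\nJohn Doe,30,New York\nJane Smith,25,Los Angeles\n"

FIELDS = ("name", "age", "city")


def normalise(raw: dict) -> dict:
    """Require the three expected fields and coerce age to int (CSV and XML give strings)."""
    missing = [f for f in FIELDS if raw.get(f) is None]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    return {"name": str(raw["name"]), "age": int(raw["age"]), "city": str(raw["city"])}


def from_json(text: str) -> list:
    doc = json.loads(text)
    records = doc if isinstance(doc, list) else [doc]
    return [normalise(r) for r in records]


def from_xml(text: str) -> list:
    root = ET.fromstring(text)
    people = [root] if root.tag == "person" else root.findall("person")
    return [normalise({child.tag: child.text for child in person}) for person in people]


def from_csv(text: str) -> list:
    return [normalise(row) for row in csv.DictReader(io.StringIO(text))]


if __name__ == "__main__":
    print(from_json(JSON_DOC))
    print(from_xml(XML_DOC))
    print(from_csv(CSV_DOC))
```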

31. Install Wireshark protocol analyser and inspect your IP traffic (DNS requests, web
browsing and such) with the Wireshark:


o Analyse the plain text traffic between the TCP socket Python scripts you did during the
course week #4. Note: use localhost network interface when capturing host internal
traffic (localhost/127.0.0.1)
Answer

o Try to ping 8.8.8.8 from command prompt and capture the traffic. What protocols ping
was using? What is the total header length of your ping request (all used protocol
headers combined when ping sends echo request)?
Answer

The ping command is using ICMP (Internet Control Message Protocol), which is visible in the
"Protocol" column.
Total Header Length:
• IP Header: 20 bytes
• ICMP Header: 8 bytes
• Total Header Length: 20 bytes (IP) + 8 bytes (ICMP) = 28 bytes

o Capture some web browsing traffic and related DNS requests. What are those A (and
maybe AAAA requests)? Which protocol is used for DNS requests? (Note: This cannot
be done with the web browser if your browser uses DNS over HTTPS. Most do now. Either
skip this task or disable DoH temporarily in the web browser settings)
Answer


32. Download this zipped pcap traffic file and inspect it with Wireshark. The IP traffic
sample is about an IoT device sending base64 encoded and JSON formatted data to a
server. Answer these questions:

o What is the total size of the captured frame in bits?


Answer:
Wireshark shows 192 bytes for the frame, so multiplying it by 8 gives 1536 bits.

o What is the payload length (data) in bytes?


Answer:
The data section shows 150 bytes of payload (as seen under "Data" in Wireshark).

o What is the source IP address of device sending the traffic?


Answer
The source IP is 194.163.171.214 (as shown under "Source" in Wireshark).

o What is the destination IP address receiving the traffic?


Answer:
The destination IP is 193.167.100.28 (as shown under "Destination" in Wireshark).

o What is the IP family protocol delivering the data?


Answer:
The IP protocol delivering the data is IPv4 (as shown in the "Internet Protocol Version 4" line).

o What is the source port?


Answer
The source port is 49240.

o What is the destination port?


Answer
The destination port is 8080.

o Extract the payload as printable text (use right mouse button and copy as printable text
for the data part only). Use any base64 decoder to convert the data to a plain text JSON
message. What is the content of JSON formatted data?
Answer
The data is under Data (150 bytes); copying it as a hex stream gives the text below:

65776f6749434167496d6c7563485630546d46745a53493649434a505957317249456c51494735
6c64486476636d7470626d636759323931636e4e6c49474a316448527662694973436941670a49
434169596e56306447397555484a6c63334e31636d55694f6941694d544d7a4e794973436941674
9434169646d567963326c7662694936494349784c6a49754d79494b66516f3d0a
Decoding it with a base64 website gives:
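The decoding can also be reproduced without a web tool. The following Python script is an added example (not part of the original diary): it takes the hex stream quoted above, turns it back into the 150 payload bytes, strips the base64 line wrapping, decodes the base64 and parses the JSON. It also checks what the header overhead implied by the frame size (192 bytes) and payload size (150 bytes) given in the answers adds up to.

```python
import base64
import json

# Hex stream of the 150-byte payload as copied from Wireshark's "Data" field
# (the same hex that is quoted in the answer above).
PAYLOAD_HEX = (
    "65776f6749434167496d6c7563485630546d46745a53493649434a505957317249456c51494735"
    "6c64486476636d7470626d636759323931636e4e6c49474a316448527662694973436941670a49"
    "434169596e56306447397555484a6c63334e31636d55694f6941694d544d7a4e794973436941674"
    "9434169646d567963326c7662694936494349784c6a49754d79494b66516f3d0a"
)

ETHERNET_HEADER = 14  # bytes, no VLAN tag
IPV4_HEADER = 20      # bytes, no options
UDP_HEADER = 8        # bytes
TCP_HEADER_MIN = 20   # bytes, no options


def payload_bytes(hex_stream: str) -> bytes:
    """Step 1: the hex text Wireshark copied, back into the raw bytes on the wire."""
    return bytes.fromhex(hex_stream)


def decode_payload(hex_stream: str) -> dict:
    """Hex -> bytes -> base64 text -> JSON document."""
    raw = payload_bytes(hex_stream)
    # The base64 alphabet is plain ASCII; the sender wrapped it MIME-style with
    # a newline every 76 characters, which has to go before strict decoding.
    text = "".join(raw.decode("ascii").split())
    decoded = base64.b64decode(text, validate=True)
    return json.loads(decoded)


def header_overhead(frame_len: int, payload_len: int) -> int:
    """Bytes of the frame that are not application payload, i.e. all headers combined."""
    return frame_len - payload_len


def explain_overhead(overhead: int) -> str:
    """Which common header stack adds up to exactly this many bytes. A consistency
    check against the Wireshark dissection, not a substitute for reading it."""
    stacks = {
        ETHERNET_HEADER + IPV4_HEADER + UDP_HEADER: "Ethernet + IPv4 + UDP",
        ETHERNET_HEADER + IPV4_HEADER + TCP_HEADER_MIN: "Ethernet + IPv4 + TCP (no options)",
    }
    return stacks.get(overhead, "no standard header stack of this size; check for TCP options or VLAN tags")


if __name__ == "__main__":
    data = payload_bytes(PAYLOAD_HEX)
    print(f"payload: {len(data)} bytes = {len(data) * 8} bits")
    print(json.dumps(decode_payload(PAYLOAD_HEX), indent=2))
    overhead = header_overhead(192, len(data))   # 192-byte frame from the answer above
    print(f"headers: {overhead} bytes -> {explain_overhead(overhead)}")
```

The 42 bytes left over (192 minus 150) are exactly an Ethernet header plus an IPv4 header plus an 8-byte UDP header; a TCP header needs at least 20 bytes, so if the dissection shows TCP for this frame, one of the two sizes should be rechecked. Note also that base64 is an encoding, not encryption: the device's data, including the `buttonPressure` value, is readable by anyone on the path.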

33. Download this zipped pcap traffic file and inspect it with Wireshark. The traffic is a simple
MySQL session example from the Wireshark Wiki. Answer these questions:

o What is the destination IP address receiving the traffic?


Answer
The destination IP address in the capture is 192.168.0.254.

o What is the destination TCP port?


Answer
The destination TCP port is 3306 (the default MySQL port).

o Use Wireshark's follow TCP stream feature (right mouse button) and inspect
what are the two database rows (animals) and related values which were
inserted to the foo table's animal and name columns?
Answer

34. Download this zipped pcap traffic file and inspect it with Wireshark. Traffic has been
captured from host 192.168.80.32. Answer these questions:

o What is the MAC address of host 192.168.80.32?


Answer
Please see the red mark in the screenshot: the MAC address is 00:0E:25:95:8C:5E.

o What is the MAC address of host 192.168.80.1? Which vendor has built the ethernet
chipset of host 192.168.80.1? (use Wireshark or IEEE OUI data)
Answer

The MAC address of host 192.168.80.1 is 08:00:27:f1:90:ad.

The vendor lookup is shown below. The IEEE OUI 08:00:27 is registered to PCS Systemtechnik GmbH
and is the prefix VirtualBox assigns to its virtual network adapters, so 192.168.80.1 is most
likely a VirtualBox virtual machine or host-only network interface rather than a physical NIC.

o Which IP address sent ICMP echo requests to this (192.168.80.32) host? Also,
there is a repeating short message inside ICMP datagrams the host sent as
ICMP echo request payload. What is the repeated message?
Answer

o What was the web page the host 192.168.80.32 visited first (full web page
address, not just the host)? What was the web browser or HTTP user agent
string used to access that web server?
Answer
Full Web Page Address: http://www.oamk.fi/~tkorpela/
User-Agent String: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 (as an example, please
verify the exact string in Wireshark).

o What is the hostname in “Host:” field of the HTTP GET request sent by
192.168.80.32?
Answer
Hostname in "Host:" Field: www.oamk.fi

o What is most likely the default DNS server (the IP address) used by the host
192.168.80.32?
Answer
The most likely default DNS server for the host 192.168.80.32 is 8.8.8.8. The secondary
DNS server is 9.9.9.9.

o Use Wireshark’s file/export objects/HTTP feature to extract the ZIP file which
was downloaded from the web server 193.167.100.88. What is inside the ZIP
file?
Answer:
The downloaded ZIP file is named Autumn.zip; after extracting it I found a JPG file (see the
photo below):

o Host 192.168.80.32 sent DNS requests to host 9.9.9.9. What are the requests?
Answer
The three DNS requests sent by the host 192.168.80.32 to the DNS server 9.9.9.9 are:
Request 1: www.teemukorpela.fi
Request 2: nokia.com (Type MX - Mail Exchange request)
Request 3: www.youtube.com

35. Create a new JSON file with any text editor. JSON file should contain data for at least
two houses and related IoT sensor data. Each house must have few sensors with
following information and some random data for each sensor. Something like this:
House:
- IoT sensor:
- sensor ID number
- location description
- notes about sensor
- unix epoch timestamp
- sensor values:
- value nnn
- value nnn
- value nnn

• Validate your JSON file with


validator: jsonlint.com or jsonformatter.curiousconcept.com
Answer

I submitted my JSON file to https://jsonlint.com/ and it shows:
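A way to create and check such a file without leaving the editor, as an added Python example (not part of the diary or the course material). The house and sensor data below are constructed sample values in the shape the assignment describes; `parse_and_validate` first does what jsonlint does (syntax) and then checks that every sensor carries the required fields with sensible types, which a syntax validator alone does not.

```python
import json
from typing import Any, Dict, List

# Constructed sample data: two houses, each with a few IoT sensors, in the shape
# the assignment asks for. All values are made up.
SAMPLE: Dict[str, Any] = {
    "houses": [
        {
            "name": "House A",
            "sensors": [
                {"id": 101, "location": "living room", "notes": "temperature, humidity, pressure",
                 "timestamp": 1700000000, "values": [21.5, 43.0, 1012.8]},
                {"id": 102, "location": "garage", "notes": "CO sensor, battery powered",
                 "timestamp": 1700000060, "values": [0.2, 0.1, 0.3]},
            ],
        },
        {
            "name": "House B",
            "sensors": [
                {"id": 201, "location": "attic", "notes": "firmware 2.1, battery 80 %",
                 "timestamp": 1700000120, "values": [17.9, 55.2, 1011.4]},
            ],
        },
    ]
}

# Required per-sensor fields and the JSON type each must have.
REQUIRED: Dict[str, type] = {
    "id": int, "location": str, "notes": str, "timestamp": int, "values": list,
}
EPOCH_MIN, EPOCH_MAX = 946_684_800, 4_102_444_800   # 2000-01-01 .. 2100-01-01, in seconds


def _is_number(value: Any) -> bool:
    # bool is a subclass of int in Python; True/False are not sensor readings.
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def validate(doc: Any) -> List[str]:
    """Return a list of problems; an empty list means the document has the expected shape."""
    problems: List[str] = []
    houses = doc.get("houses") if isinstance(doc, dict) else None
    if not isinstance(houses, list) or len(houses) < 2:
        return ["need a 'houses' list with at least two houses"]
    for h, house in enumerate(houses):
        sensors = house.get("sensors") if isinstance(house, dict) else None
        if not isinstance(sensors, list) or not sensors:
            problems.append(f"houses[{h}]: needs a non-empty 'sensors' list")
            continue
        for s, sensor in enumerate(sensors):
            where = f"houses[{h}].sensors[{s}]"
            if not isinstance(sensor, dict):
                problems.append(f"{where}: sensor must be an object")
                continue
            for key, typ in REQUIRED.items():
                if key not in sensor:
                    problems.append(f"{where}: missing '{key}'")
                elif not isinstance(sensor[key], typ) or isinstance(sensor[key], bool):
                    problems.append(f"{where}: '{key}' must be {typ.__name__}")
            ts = sensor.get("timestamp")
            if isinstance(ts, int) and not isinstance(ts, bool) and not EPOCH_MIN <= ts < EPOCH_MAX:
                problems.append(f"{where}: timestamp {ts} is not a plausible Unix epoch in seconds")
            values = sensor.get("values")
            if isinstance(values, list) and not all(_is_number(v) for v in values):
                problems.append(f"{where}: 'values' must contain numbers only")
    return problems


def parse_and_validate(text: str) -> List[str]:
    """Syntax check first (what jsonlint reports), then the shape check."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno} column {exc.colno}"]
    return validate(doc)


def sample_text() -> str:
    """The sample as a pretty-printed JSON file body, ready to save or paste into a validator."""
    return json.dumps(SAMPLE, indent=2)


if __name__ == "__main__":
    print(sample_text())
    print("problems:", parse_and_validate(sample_text()))
    # Trailing commas are fine in Python and JavaScript literals but not in JSON;
    # both jsonlint and json.loads reject them.
    print("problems:", parse_and_validate('{"houses": [{}, {},]}'))
```

Run the script and redirect the first print to a file (for example `houses.json`) to get a file that passes jsonlint; the second and third prints show the difference between a syntax error, which any validator catches, and a wrong type in an otherwise valid document, which only a schema-style check catches.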

• What is GraphQL? Also, check this traffic and parking API documentation from Oulu
(extra task uses this API)
Answer:
GraphQL is a query language for APIs and a server-side runtime that executes those queries
against a typed schema. Clients state exactly which fields they need and receive them in one
request, which avoids the over- and under-fetching that fixed REST endpoints often cause. The
trade-off is that a single GraphQL endpoint can reach many resources, so the server has to enforce
authorization per field and limit query depth and cost.

The Oulu Traffic API provides real-time data via GraphQL on traffic flow, bus status, parking
available space, weather conditions, roadworks, and maintenance in the Oulu region.
The API supports queries related to traffic cameras, automatic measurement stations (LAM),
parking lots, and road weather stations. You can interact with the API through standard
GraphQL queries to retrieve data in JSON format, and it's updated frequently.

36. Install Cmder (or some other toolset where you have Curl or similar tool to make
HTTP requests from command line or application.) Use Curl to fetch XML formatted
weather data from FMI:
curl -s -L
"https://opendata.fmi.fi/wfs?request=getFeature&storedquery_id=fmi::observations::weathe
r::timevaluepair&place=oulu&timestep=100&parameters=temperature"
Inspect and validate the received XML data with www.w3schools.com/xml/xml_validator.asp
Answer:
I used Postman for this question; putting the URL into Postman gives:

Pasting this XML into the w3schools validator gives:

37. Decode this base64 encoded message with any tool(s) you prefer:
SGVsbG8gdGhlcmUgT2FtayBzdHVkZW50ISBBcmUgeW91IGhhdmluZyBmdW4gbm93Pz8/
Answer:
I used this website: https://www.base64decode.org/
The decoded text is:

38. Encode this string:“I love data processing challenges!” with base64 encoding.
Answer:
I used Python code for this:

The result is
'SSBsb3ZlIGRhdGEgcHJvY2Vzc2luZyBjaGFsbGVuZ2VzIQ=='

Week 6
39. Describe the difference between request-response and publish-subscribe
communication models
Answer
Item Differences
Request-response model 1. Interaction: direct, point to point between a client and a server.
2. Communication type: synchronous; the client sends a request and waits for the response.
3. Number of participants: one to one.
4. Usage: web requests (browser to server), remote procedure calls (RPC), database queries.
Publish-subscribe model 1. Interaction: indirect, via a broker; publishers and subscribers never address each other.
2. Communication type: asynchronous; publishers and subscribers are decoupled in time and location.
3. Number of participants: one to many, or many to many.
4. Usage: messaging systems (MQTT, AMQP), real-time updates such as social media feeds, distributed event handling.

40. Try MQTT websocket demo application


o Subscribe to some existing topic(s) in HiveMQ demo service
Answer

o Publish some messages to the topic(s) you subscribed


Answer
After publishing, the client shows the messages while it is running; new messages arrive
frequently.

41. Explain what MQTT retained messages


Answer:
In MQTT (Message Queuing Telemetry Transport) a retained message is a message published with the
retain flag set. The broker stores it and delivers it to every client that later subscribes to a
matching topic, immediately on subscription, so a new subscriber gets the last known value without
waiting for the next publish. Only the last retained message per topic is kept: a new retained
publish replaces it, and publishing a retained message with an empty payload clears it. Typical
uses are device status ("online"/"offline") and slowly changing sensor values.
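To make the retained-message semantics concrete, here is an added Python example (not from the course material or the diary) of a tiny in-memory broker that implements MQTT topic-filter matching with the `+` and `#` wildcards and the retained-message rules described above: the broker keeps only the last retained message per topic, delivers it to a subscriber whose filter matches as soon as the subscriber arrives, and an empty retained payload clears it. The topic names are made up for the example.

```python
from typing import Callable, Dict, List, Tuple

Handler = Callable[[str, bytes], None]


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches exactly one level, '#' matches the
    remaining levels (zero or more) and is only allowed as the last level."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


class TinyBroker:
    """In-memory stand-in for a broker, enough to show retained-message behaviour."""

    def __init__(self) -> None:
        self.retained: Dict[str, bytes] = {}            # at most one retained message per topic
        self.subscriptions: List[Tuple[str, Handler]] = []

    def publish(self, topic: str, payload: bytes, retain: bool = False) -> None:
        if retain:
            if payload:
                self.retained[topic] = payload           # replaces any earlier retained message
            else:
                self.retained.pop(topic, None)           # empty retained payload clears it
        for topic_filter, handler in self.subscriptions:  # live delivery to current subscribers
            if topic_matches(topic_filter, topic):
                handler(topic, payload)

    def subscribe(self, topic_filter: str, handler: Handler) -> None:
        self.subscriptions.append((topic_filter, handler))
        # A new subscriber immediately gets the last retained message of every matching topic.
        for topic, payload in self.retained.items():
            if topic_matches(topic_filter, topic):
                handler(topic, payload)


def late_subscriber_sees() -> List[Tuple[str, bytes]]:
    """What a client that connects after the publishes receives (made-up topics)."""
    broker = TinyBroker()
    broker.publish("oamkiotcourse/house1/temp", b"21.5")               # not retained: gone
    broker.publish("oamkiotcourse/house1/status", b"online", retain=True)
    broker.publish("oamkiotcourse/house2/status", b"offline", retain=True)
    broker.publish("oamkiotcourse/house2/status", b"", retain=True)    # clears house2's status
    received: List[Tuple[str, bytes]] = []
    broker.subscribe("oamkiotcourse/#", lambda t, p: received.append((t, p)))
    return received


if __name__ == "__main__":
    for topic, payload in late_subscriber_sees():
        print(topic, payload.decode())
```

Two consequences worth knowing: a retained message lives on the broker until it is overwritten or cleared, and on a shared public broker such as the HiveMQ demo service anyone can read it, replace it or clear it, so nothing sensitive should be retained there and a retained status should not be trusted without client authentication and topic access control on the broker.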

42. List shortly some reasons why MQTT may be better than HTTP for IP-based IoT
communication? (For example: HTTP vs. MQTT: A tale of two IoT
protocols and MQTT Vs. HTTP: Understanding the Differences)

Answer
MQTT offers several advantages over HTTP for IP-based IoT communication:
1. Lightweight protocol: a fixed header of only 2 bytes and a small command set, designed for
low-bandwidth, high-latency or unreliable networks and for devices with little memory.
2. Efficient power use: the minimal overhead and the ability to stay idle on an open connection
(keep-alive pings) reduce radio time, which matters for battery-powered devices.
3. Publish-subscribe model: instead of HTTP's request-response, data is pushed through a broker to
any number of subscribers in real time, and the publisher does not need to know who they are.
4. Persistent connections: one long-lived TCP connection replaces repeated connection and TLS
setups; QoS levels (0, 1, 2), retained messages and Last Will messages give delivery guarantees
and presence signalling that HTTP lacks.
These features make MQTT more suitable than HTTP for most IoT telemetry. Its security still has to
be configured explicitly: use TLS (port 8883 rather than plain 1883), authenticate clients, and
restrict on the broker which topics each client may publish to or subscribe to.

43. What is CoAP?


Answer:
Constrained Application Protocol (CoAP) is a specialized UDP-based Internet application protocol
for constrained devices, defined in RFC 7252. It lets such devices ("nodes") communicate with the
wider Internet using similar protocols. CoAP is designed for use between devices on the same
constrained network (e.g. low-power, lossy networks), between devices and general nodes on the
Internet, and between devices on different constrained networks joined by the Internet. CoAP is
also used over other transports, such as SMS on mobile networks.

CoAP is an application-layer protocol intended for resource-constrained devices such as wireless
sensor network nodes. It follows the REST model (GET, POST, PUT, DELETE on URIs) with a compact
4-byte binary header, so it translates easily to HTTP through a proxy for integration with the web,
while also meeting specialised requirements such as multicast support, very low overhead and
simplicity. Confirmable messages give optional reliability over UDP, and the secured variant
(coaps) runs over DTLS.

44. What is 6LoWPAN?


Answer:
IPv6 over Low-Power Wireless Personal Area Networks (6LoWPAN) is an IETF adaptation layer
(RFC 4944, RFC 6282) that lets small, low-power devices carry IPv6 over IEEE 802.15.4 radios and
so take part in the Internet of Things. Because an 802.15.4 frame is only 127 bytes, 6LoWPAN
compresses the IPv6 and UDP headers and fragments packets that do not fit in one frame. Typical
uses are smart home devices (e.g. light sensors), wearables (e.g. a smart watch monitoring the
user's health), and weather or environmental monitoring. The devices are reachable over the
Internet for monitoring and control, which also means they need the same access control as any
other IP host.

45. What is IETF ROLL?


Answer:
Routing Over Low power and Lossy networks (ROLL) is an Internet Engineering Task Force (IETF)
working group that develops routing protocols for low-power and lossy networks (LLNs).
LLNs are networks of constrained devices whose communication links are often unreliable and
low-bandwidth. The working group's main result is RPL (RFC 6550), which is widely used in Internet
of Things (IoT) deployments that need reliable communication despite limited resources and
challenging connectivity.

46. Describe IETF RPL protocol?


Answer:
IETF RPL (Routing Protocol for Low-Power and Lossy Networks, RFC 6550) is a routing protocol
designed for wireless networks with low power budgets and high packet loss rates. It is
particularly suited to Internet of Things (IoT) applications where devices have limited resources
and operate with unreliable connectivity.
It builds a tree-like structure called a Destination-Oriented Directed Acyclic Graph (DODAG) that
routes traffic from devices towards a root node (typically the border router), with each node
choosing its parent by an objective function and link metrics. RPL supports multiple traffic
patterns (multipoint-to-point, point-to-multipoint and point-to-point) and adapts to network
changes, using Trickle timers to keep routing overhead low when the topology is stable.

47. Why classic computer network protocols like TCP/IP, data formats such as JSON and
XML, and security systems like (PKI/HTTPS) won’t usually work at all or are not very
optimal to be used in resource limited wireless sensor networks (low power and lossy
networks)?
Answer:
The classic protocols, data formats and security systems were designed for general-purpose networks
and are a poor fit for resource-limited wireless sensor networks (WSNs) for several reasons:
Overhead: an IPv6 header alone is 40 bytes and a TCP header at least 20, and JSON and XML spell
out field names in text in every message; on a radio with 127-byte frames this leaves little room
for data and raises bandwidth and power use.
Energy consumption: TCP's connection setup, acknowledgements and retransmissions keep the radio on
longer than a lightweight UDP-based exchange such as CoAP.
Processing power and memory: parsing JSON/XML and, above all, TLS handshakes with multi-kilobyte
X.509 certificate chains and public-key operations are slow or impossible on 8/16-bit
microcontrollers with a few kilobytes of RAM, and PKI assumes online revocation checking and a
correct clock that sensor nodes often lack.
That is why lighter alternatives are used: CoAP (Constrained Application Protocol), MQTT or
MQTT-SN, the binary CBOR encoding instead of JSON, 6LoWPAN header compression, and DTLS or
pre-shared keys instead of full certificate-based TLS.

48. What is the MTU challenge for IPv4 and IPv6 over common wireless low power and
lossy wireless connections (Hint: Research Zigbee/IEEE 802.15.4 and Bluetooth MTU
vs IPv4 or IPv6)?
Answer:
The Maximum Transmission Unit (MTU) is the largest packet a link can carry without fragmentation.
The challenge in low-power and lossy networks (LLNs) is that the IP layer assumes far larger
frames than the radios provide:
• IPv4 has no fixed MTU (Ethernet's 1500 bytes is just the common case); it tolerates links down
to 68 bytes and lets routers fragment packets, and every host must reassemble 576-byte datagrams.
Fragmentation adds overhead and delay.
• IPv6 requires every link to carry at least 1280 bytes (RFC 8200) and routers may not fragment;
only the sender may, after learning the path limit with Path MTU Discovery (PMTUD).
• IEEE 802.15.4 (used by Zigbee, Thread and 6LoWPAN) has a maximum frame of 127 bytes, of which
roughly 100 bytes or less remain after the MAC header and optional link-layer security. Bluetooth
LE starts with a default ATT MTU of 23 bytes, which has to be negotiated upwards. Even a bare IPv6
header (40 bytes) plus UDP (8 bytes) takes half of such a frame.
So an adaptation layer such as 6LoWPAN (RFC 4944/6282) has to compress the IPv6 and UDP headers
and fragment every packet larger than one frame, adding its own fragment headers; a single lost
fragment forces the whole datagram to be resent. This matters in LLNs because of:
• Limited bandwidth: LLNs often have little bandwidth, so packet size must be minimised to
reduce transmission time and improve efficiency.
• High packet loss: interference, fading and power constraints make frame loss common, and
fragmentation makes it worse because losing one fragment loses the entire packet.
• Energy consumption: fragmentation and retransmission of fragmented packets cost more radio time,
which is critical for battery-powered devices.
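The arithmetic behind the MTU mism match, as an added Python example (not from the course page or the diary). It uses the fixed numbers from the standards (127-byte IEEE 802.15.4 frame, 1280-byte IPv6 minimum MTU, 40-byte IPv6 and 8-byte UDP headers, the 1-byte uncompressed-IPv6 dispatch and 4- and 5-byte fragment headers of RFC 4944 with offsets in 8-byte units); the 25-byte MAC overhead and the 21 bytes for AES-CCM link security are the worst-case figures RFC 4944 works with and are assumed defaults here, and the 7-byte compressed header size in the usage example is an illustrative assumption.

```python
IEEE802154_MAX_FRAME = 127   # bytes per IEEE 802.15.4 frame (PHY payload)
IPV6_MIN_LINK_MTU = 1280     # bytes every IPv6 link must carry (RFC 8200)
IPV6_HEADER = 40             # bytes, fixed size
UDP_HEADER = 8               # bytes
LOWPAN_IPV6_DISPATCH = 1     # byte announcing an uncompressed IPv6 header (RFC 4944)
FRAG1_HEADER = 4             # bytes, RFC 4944 first fragment
FRAGN_HEADER = 5             # bytes, RFC 4944 subsequent fragments
MAC_OVERHEAD_RFC4944 = 25    # assumed default: RFC 4944's worst-case MAC header + FCS, no link security
MAC_SECURITY_AES_CCM = 21    # extra bytes RFC 4944 counts for AES-CCM link-layer security


def link_payload(mac_overhead: int = MAC_OVERHEAD_RFC4944) -> int:
    """Bytes left in one 802.15.4 frame for the 6LoWPAN adaptation layer and above."""
    return IEEE802154_MAX_FRAME - mac_overhead


def fragments_needed(datagram_len: int, mac_overhead: int = MAC_OVERHEAD_RFC4944) -> int:
    """Frames needed to carry one IPv6 datagram of datagram_len bytes with RFC 4944 fragmentation."""
    room = link_payload(mac_overhead)
    if datagram_len <= room:
        return 1
    # Fragment offsets are counted in 8-octet units, so every non-final fragment
    # carries a multiple of 8 payload bytes after its fragment header.
    first = (room - FRAG1_HEADER) // 8 * 8
    rest = (room - FRAGN_HEADER) // 8 * 8
    if first <= 0 or rest <= 0:
        raise ValueError("frame too small to carry any fragment payload")
    remaining = datagram_len - first
    return 1 + -(-remaining // rest)          # ceiling division


def app_bytes_in_one_frame(ip_udp_headers: int, mac_overhead: int = MAC_OVERHEAD_RFC4944) -> int:
    """Application payload that fits in a single frame given the bytes spent on the
    IPv6+UDP headers (49 uncompressed incl. dispatch, far less with 6LoWPAN compression)."""
    return link_payload(mac_overhead) - ip_udp_headers


if __name__ == "__main__":
    print("frame payload after MAC header:", link_payload(), "bytes")
    print("frames for a 1280-byte IPv6 minimum-MTU datagram:", fragments_needed(IPV6_MIN_LINK_MTU))
    print("... with AES-CCM link security:",
          fragments_needed(IPV6_MIN_LINK_MTU, MAC_OVERHEAD_RFC4944 + MAC_SECURITY_AES_CCM))
    uncompressed = LOWPAN_IPV6_DISPATCH + IPV6_HEADER + UDP_HEADER
    print("app bytes per frame, uncompressed IPv6+UDP:", app_bytes_in_one_frame(uncompressed))
    print("app bytes per frame, assuming headers compress to 7 bytes:", app_bytes_in_one_frame(7))
```

The point the numbers make: a 1280-byte packet that IPv6 is entitled to send becomes 14 radio frames (18 with link-layer security), and every one of them must arrive for the packet to be delivered, which is why the lossy-link bullets above matter so much more here than on Ethernet.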

49. Compare and list few HTTP/1.1, HTTP/2 and HTTP/3 differences and features
Answer:
Version Introduced Framing and transport Multiplexing Header compression Notable features
HTTP/1.1 1997 (RFC 2068; current text RFC 9112) Text-based over TCP No: one request at a time per connection (pipelining exists but is rarely used), so browsers open several connections No; every request repeats its headers as plain text Persistent (keep-alive) connections, chunked transfer encoding
HTTP/2 2015 (RFC 7540; current text RFC 9113) Binary frames over TCP, in practice always with TLS Yes: many streams share one connection Yes, HPACK Stream prioritisation, server push; a lost TCP segment still stalls every stream on the connection
HTTP/3 2022 (RFC 9114; deployed by browsers and CDNs from about 2020) Binary frames over QUIC (UDP) with TLS 1.3 built in Yes, and streams are independent at the transport level Yes, QPACK Faster connection setup (1-RTT, 0-RTT resumption), connection migration between networks, faster recovery from packet loss because a loss only delays its own stream
In summary, HTTP/2 and HTTP/3 offer significant improvements over HTTP/1.1 in performance and
efficiency; HTTP/3 additionally removes the transport-level head-of-line blocking that HTTP/2
still has.

50. Use Chrome or other Chromium based browser and it's developer tools (F12), and
access the course web page tl.oamk.fi/iot/. From the developer tools network tab, select
the main page: iot/ and check the response headers.
Answer:
o What is the connection type?
Answer:
The connection type is keep-alive

o What is the server software the web server announced?


Answer

o Was any compression / encoding being used? (content-encoding)


Answer
Yes, it is gzip

o Is there X-Xss-Protection set in the response?


Answer
This header is not set in the response.

o Is there Strict-Transport-Security set in the response?


Answer
This header is not set in the response either.
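Checking response headers by eye is error-prone, so here is an added Python example (not part of the original answers) that parses a raw HTTP response header block the way the browser's Network tab displays it and reports missing or obsolete security headers. The `SAMPLE_RESPONSE` below is a constructed example chosen to reproduce the findings of the answers above (keep-alive, gzip, no X-XSS-Protection, no Strict-Transport-Security); it is not the live response from tl.oamk.fi, whose Server header value is not given on this page.

```python
from typing import Dict, List, Tuple

# Constructed example of a raw response header block as shown by the browser's
# Network tab or `curl -sI`. Not the live headers of tl.oamk.fi; it just reproduces
# the findings from the answers above.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 12:00:00 GMT
Server: Apache
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
Content-Length: 1234
"""

Finding = Tuple[str, str]   # (severity, message)


def parse_headers(raw: str) -> Dict[str, str]:
    """Header field names are case-insensitive (RFC 9110), so key them in lower case."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:    # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(headers: Dict[str, str], served_over_https: bool = True) -> List[Finding]:
    """Report missing, obsolete and informative security-relevant headers."""
    findings: List[Finding] = []
    if served_over_https and "strict-transport-security" not in headers:
        findings.append(("missing", "Strict-Transport-Security: browsers will still follow http:// links to this host"))
    csp = headers.get("content-security-policy", "")
    if not csp:
        findings.append(("missing", "Content-Security-Policy"))
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("missing", "X-Content-Type-Options: nosniff"))
    if "x-frame-options" not in headers and "frame-ancestors" not in csp:
        findings.append(("missing", "X-Frame-Options or CSP frame-ancestors (clickjacking protection)"))
    if "x-xss-protection" in headers:
        findings.append(("obsolete", "X-XSS-Protection: the browser XSS auditor it controlled has been removed; rely on CSP"))
    server = headers.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(("info", f"Server header reveals a version: {server}"))
    return findings


def audit_raw(raw: str, served_over_https: bool = True) -> List[Finding]:
    return audit(parse_headers(raw), served_over_https)


if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_RESPONSE)
    print("connection:", hdrs.get("connection"), "| server:", hdrs.get("server"),
          "| content-encoding:", hdrs.get("content-encoding"))
    for severity, message in audit(hdrs):
        print(f"[{severity}] {message}")
```

Paste the header block copied from the developer tools into `SAMPLE_RESPONSE` to audit a real site. The absence of X-XSS-Protection is not a weakness any more, since current browsers ignore it; the absence of Strict-Transport-Security is, because a user who types the hostname without https:// will make an unprotected first request.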

51. What is Head-of-Line blocking challenge/problem?


Answer
Head-of-line (HOL) blocking is a performance-limiting phenomenon in which the first item in a
queue cannot proceed and everything behind it has to wait, even though the later items could be
handled. In HTTP/1.1 pipelining, responses must come back in request order, so one slow response
delays every later one on that connection. HTTP/2 multiplexes streams over one TCP connection,
which removes the HTTP-level problem but not the transport-level one: TCP delivers bytes in order,
so a single lost segment stalls all streams until it is retransmitted. HTTP/3 over QUIC gives each
stream its own loss recovery, so a loss only delays the stream it belongs to. Switch fabrics and
other network queues show the same effect when the packet at the head of a queue waits for a
congested output port, flow control or a full buffer.

52. What is reverse proxy. List some advantages and features


Answer:
A reverse proxy is a server that sits in front of one or more backend servers, accepts clients'
requests and forwards them to a backend, then returns the backend's response; clients only ever
talk to the proxy. It can improve the performance, security and scalability of web applications.
Advantages:
Load balancing: distributes incoming traffic across multiple backend servers to improve performance
and reliability.
Security: hides the backend servers' addresses and software, gives one place to terminate TLS and
filter requests, and can absorb or rate-limit DDoS traffic.
Single point of entry: one hostname and certificate for many services, which simplifies
management and configuration (and makes the proxy itself a critical component to harden).
Caching: serves repeated requests from cache to improve response times and offload backends.
Compression: compresses responses to save bandwidth.
Features:
Load balancing algorithms: round robin, least connections, least time and weighted round robin,
among others.
Caching of static content such as images, CSS and JavaScript files.
TLS termination: offloads TLS handshakes and encryption from backend servers; traffic between the
proxy and the backends should then still be encrypted or confined to a trusted network.
Rate limiting: limits the number of requests a client can make in a period, protecting backends
from abuse.
Web application firewall (WAF): inspects requests for common attacks such as SQL injection and
cross-site scripting.
API gateway: authentication, authorization and rate limiting for API endpoints.

53. What is Web application firewall (WAF). List some advantages and features
Answer:
A Web Application Firewall (WAF) is a security control that inspects HTTP/HTTPS requests and
responses to and from a web application and blocks or logs those that look malicious. It helps
protect web applications from threats such as cross-site scripting (XSS), SQL injection and other
injection attacks.
Advantages of WAFs:
• Protection against web attacks: detects and blocks common attack patterns before they reach the
application, reducing the chance of unauthorized access and data breaches.
• Virtual patching: a rule can block exploitation of a newly published vulnerability while the
real fix is developed and deployed.
• Compliance: many security standards expect a WAF or equivalent protection in front of web
applications.
• Visibility: the WAF's logs show what attackers are trying against the application.
Features of WAFs:
• Signature-based detection: known attack patterns are matched with rules (for example the OWASP
Core Rule Set).
• Anomaly detection: unusual request behaviour is scored and blocked above a threshold.
• Rate limiting: caps the number of requests from one client in a period, mitigating
denial-of-service (DoS) and brute-force attempts.
• Bot management: detects and blocks malicious automated clients.
• Integration with other security tools such as intrusion detection systems (IDS) and security
information and event management (SIEM) systems; some products also bundle a vulnerability scanner.
Types of WAFs:
• Hardware WAF: a dedicated appliance between the Internet and the web server.
• Software WAF: a module or reverse proxy (for example ModSecurity) installed on the web server or
a separate machine.
• Cloud WAF: a WAF service provided by a cloud or CDN provider.
Caveat: a WAF is a compensating control. Attackers bypass rules with encoding tricks and novel
payloads, and a WAF sees nothing of logic flaws or broken access control, so it complements, but
does not replace, fixing vulnerabilities in the application itself.

54. What are WebSocket?


Answer
WebSocket is a communications protocol that provides a full-duplex (simultaneous two-way)
communication channel over a single Transmission Control Protocol (TCP) connection. The
connection starts as an HTTP request with an Upgrade: websocket header and, once the server
agrees, the same TCP connection carries WebSocket frames in both directions without further HTTP
overhead. The protocol was standardized by the IETF as RFC 6455 in 2011. The browser API for it,
known as WebSockets, is a living standard maintained by the WHATWG and the successor to the W3C
WebSocket API.
Key features: low latency after the handshake, small per-message framing, text and binary
messages, and the wss:// scheme for running over TLS. Because the handshake is an ordinary HTTP
request, the browser does not enforce the same-origin policy on it; the server must check the
Origin header and authenticate the connection itself, otherwise a malicious site can open a
WebSocket to it with the victim's cookies (cross-site WebSocket hijacking).
WebSockets are used in real-time chat applications, online games, live stock market data and
collaborative tools.

55. What is HTTP long polling?


Answer:
Web applications originally followed a strict client/server model in which the client always
initiates the transaction and requests data from the server; the server has no way of sending
data to the client on its own. To work around this, web developers use a technique called HTTP
long polling. The client sends a request and, instead of answering immediately, the server holds
the request open until new data is available (or a timeout expires). When data arrives the server
responds, and the client immediately sends a new request, so there is almost always one request
waiting at the server. Long polling gives near real-time updates over plain HTTP at the cost of
one held connection per client; WebSockets and server-sent events are its more efficient
successors.

56. Use this tool to check few websites whether the server supports
HTTP/2: tools.keycdn.com/http2-test. Two examples: www.kaleva.fi and www.oulu.fi
Answer
HTTP/2 is supported by https://www.kaleva.fi/ but not by https://www.oulu.fi/fi.

57. Study Google Firebase documentation and advertisements. Think and list examples
how to use Firebase ecosystem with Android application(s) or with some IoT other
system?
Answer:
Firebase is a comprehensive platform with tools and services for building and growing mobile and
web applications.
Android application
- Realtime Database: store and sync data in real time across clients; suited to chat and
collaborative applications that need live updates.
- Cloud Firestore and Cloud Functions: Firestore is a flexible NoSQL document database for storing
and querying structured data at scale. Cloud Functions are serverless functions (JavaScript/
TypeScript or Python) that run business logic in response to events, for example processing new
data, sending notifications or calling third-party APIs.
- Authentication: sign users in with Google, Facebook, email/password or a custom provider.
- Cloud Storage: store and serve user-generated content such as images, video and audio.
- Crashlytics: monitor and debug app crashes and errors to improve stability.
- Performance Monitoring: track load times and error rates to find performance bottlenecks.
IoT system
- Remote data collection: IoT devices write readings to the Realtime Database or Cloud Firestore.
- Device management: Cloud Functions react to database changes and push commands or configuration
back to devices.
- Real-time monitoring: dashboards subscribe to the Realtime Database to show sensor data live.
- Notifications: Cloud Messaging alerts users when device data crosses a threshold.
- Integration with cloud services: IoT data flows on to Google Cloud for analytics or machine
learning.
In both cases access is governed by Firebase Security Rules; a database whose rules allow public
read or write exposes every device's data and lets anyone inject fake readings, so the rules
should grant each authenticated user or device only the paths it needs.

Firebase's scalability, real-time capabilities and easy integration make it a good fit for Android
and IoT systems.

58. Use hivemq.com open MQTT broker service with Python to publish MQTT messages. Use
this very basic Python MQTT publish example
o Install the Paho MQTT library into your Python development environment. With pip it is:
pip3 install paho-mqtt (the package name is paho-mqtt, not paho; using venv or another virtual
environment with Python is strongly recommended)
o Use web browser to connect HiveMQ websocket client interface. After connecting,
subscribe to oamkiotcourse/# channel (# is wildcard to receive all data)
Answer:

I installed paho in my Python environment, ran the code and it connected. Here it only connected
and did not publish any message from Python, so nothing is shown yet.

o Modify the example Python code and publish some random data to the
oamkiotcourse (or some channel of your own). Example code and websocket client
should look something this
Answer:
After connecting and subscribing to oamkiotcourse/#, the client receives every message published
under that topic (see below).

o Analyse your Python MQTT client traffic with Wireshark (or with tcpdump if using
some Linux server). For example, this packet capture example file is from this kind
of MQTT publish message. From your Wireshark capture:
▪ What is the destination IP address?
Answer:
IP address 3.64.176.215

▪ What are the source and destination TCP ports?


Answer

The source TCP port is 63225 and the destination TCP port is 1883.

▪ Can you find published data as plain text from your captured traffic sample?
Answer
Yes. In the Wireshark capture the Info column for MQTT packets shows the published messages;
payloads such as "Paho learning: question58" and "Successful: Yes, correct" are visible as plain
text.

Week 7
59. Explain below shortly
Answer:
Term Definition
CVE (Common Vulnerabilities and Exposures): a public catalogue of disclosed security
vulnerabilities, each with a unique identifier of the form CVE-YYYY-NNNNN. Launched in 1999 and run
by the MITRE Corporation, it gives vendors, researchers and tools one common name for the same flaw
in software or firmware.
CVSS (Common Vulnerability Scoring System): a standardized framework for rating the severity of a
vulnerability on a 0.0 to 10.0 scale from exploitability and impact metrics. A CVSS score is not a
risk score by itself, because it ignores how exposed a particular deployment is.
Asymmetric encryption: uses a key pair; data encrypted with the public key can only be decrypted
with the private key, and a signature made with the private key is verified with the public key.
Slower than symmetric encryption, so normally used for key exchange and signatures.
Symmetric encryption: the same key is used for encryption and decryption (for example AES). Fast,
but both sides must already share the key securely.
Disassembler: a tool that translates machine code back into human-readable assembly. A decompiler
goes a step further towards source-like code.
Overflow vulnerability: a buffer overflow occurs when a program writes more data than a buffer can
hold, corrupting adjacent memory; an integer overflow (a value wrapping past its maximum) often
causes a buffer overflow by making a size check pass.
Race condition vulnerability: the outcome of a program depends on the timing of concurrent events,
for example a check followed later by the use of what was checked; an attacker who changes things
in between can bypass the check or corrupt state.
ASLR/DEP/NX: exploit mitigations. ASLR (Address Space Layout Randomization) randomizes where code
and data are loaded so an attacker cannot rely on fixed addresses. DEP (Data Execution Prevention)
is the operating-system policy that marks data pages such as the stack and heap non-executable;
NX (No-eXecute) is the CPU page-table bit that enforces it. Together they make running injected
shellcode much harder, although not impossible (return-oriented programming, address leaks).
Ghidra: a free, open-source software reverse-engineering framework (disassembler, decompiler,
scripting) released by the NSA.
RCE vulnerability (Remote Code Execution): a flaw that lets an attacker execute arbitrary code on a
system over the network without prior local access.
Local privilege escalation: gaining higher privileges (for example root or SYSTEM) on a machine the
attacker already has some access to, by exploiting a local vulnerability or misconfiguration.
Zero-day vulnerability: a vulnerability for which no fix is available, typically because the vendor
does not yet know about it (it has been known for "zero days"). An exploit for such a flaw is a
zero-day exploit.
Zero-click exploit: an exploit that needs no action from the victim, such as clicking a link or
opening a file; for example a bug triggered by merely receiving a crafted message. It refutes the
belief that careful users are safe from malware.
SQL injection: injecting SQL into a query that is built from untrusted input, so the attacker
changes what the query does (reading, modifying or deleting data, bypassing logins). Prevented with
parameterized queries.
Command injection vulnerability: untrusted input reaches an operating-system command line, letting
the attacker execute arbitrary commands on the host.
Cross-site scripting (XSS): a web vulnerability in which attacker-controlled script runs in other
users' browsers in the context of the vulnerable site, compromising their sessions and actions.
Information disclosure: exposure of confidential or sensitive information to parties not
authorized to see it, whether intentional or accidental (verbose error messages, open directories,
leaked keys). It can lead to identity theft, fraud or reputational damage and is often the first
step of a larger compromise.
Code obfuscation / deobfuscation: obfuscation deliberately transforms code so that it is hard to
read, tamper with or reverse engineer while it keeps working the same; it may change instructions
or metadata but not the program's output. Deobfuscation reverses that to recover understandable
code, as an analyst does with malware.
OSINT (Open Source Intelligence): gathering and analysing information from publicly available
sources (websites, social media, public records, code repositories) to answer a specific
intelligence requirement. It is the most widely used threat-intelligence source and also the usual
first step of an attacker's reconnaissance.
Data exfiltration: the theft or unauthorized transfer of data out of a device or network by an
attacker, over channels such as HTTP(S), DNS or cloud storage.
Lateral movement: the techniques an intruder uses to move from the initially compromised system to
other hosts and accounts in the network, escalating access while looking for the real target; the
name comes from moving sideways from device to device and application to application.
Command & Control (C2): the infrastructure and channel an attacker uses to send commands to
compromised devices and receive data back. Infected IoT devices that join a botnet, for instance,
poll a C2 server for instructions; detecting C2 traffic is a key defensive goal.
Social engineering: manipulating people rather than systems to obtain sensitive information
(usernames, passwords, card details) or to make them perform actions they normally would not;
phishing is the most common form. Businesses deploying IoT solutions have to account for it.
IDS/NIDS: an intrusion detection system monitors for known malicious activity, suspicious
behaviour and security policy violations. A network-based IDS (NIDS) inspects traffic flowing to
and from devices on the network, using packet contents and metadata; a host-based IDS (HIDS)
monitors the system it is installed on.
SIEM (Security Information and Event Management): a platform that collects and correlates logs and
alerts from many sources (IDS, firewalls, servers, IoT device management systems) so analysts can
detect, investigate and respond to incidents centrally.

60. Explain Microsoft’s STRIDE threat model shortly (see the old software vulnerability
slides)
Answer
Microsoft's STRIDE threat model categorizes security threats into six types, each the violation of
one desired security property. It is used during system design and development to ask, for each
component and data flow, which of the six threats apply and how they are mitigated.
Threat (desired property) Definition and example
S - Spoofing (authenticity) Definition: pretending to be something or someone other than yourself.
Example: an attacker uses a stolen username and password to access a system, or a device claims
another device's identity.
T - Tampering (integrity) Definition: modifying something on disk, on the network, in memory or
elsewhere. Example: an attacker alters the contents of a configuration file or manipulates sensor
data in transit.
R - Repudiation (non-repudiation) Definition: claiming that you did not do something or were not
responsible; the claim can be honest or false. Example: a user denies making a transaction or
sending a request because there are insufficient logs or signatures to prove the action.
I - Information disclosure (confidentiality) Definition: someone obtaining information they are
not authorized to access. Example: an attacker captures unencrypted traffic carrying credit card
numbers or personal data.
D - Denial of service (availability) Definition: exhausting the resources needed to provide the
service. Example: an attacker floods a web server with requests until it crashes or legitimate
users cannot reach it; one of the most common attacks, and IoT devices are both frequent victims
and frequent sources of it.
E - Elevation of privilege (authorization) Definition: allowing someone to do something they are
not authorized to do. Example: a normal user exploits a vulnerability to gain administrative
control over the system.

61. Explain Microsoft’s DREAD risk model shortly (see the old software vulnerability
slides)
Answer:
Microsoft’s DREAD is part of a system for risk-assessing computer security threats that was
formerly used at Microsoft. It provides a mnemonic for risk rating security threats using five
categories. It evaluates and quantifies the risks associated with security vulnerabilities and
provides a structured way to assess the impact of a threat on a system.
The greater the damage or loss, the higher the rating.
Risk category: definition and example
D - Damage potential: How much damage can the threat cause if it is exploited? How bad
would the attack be?
Example: What kind of sensitive data, financial loss or critical system issue will happen?
R - Reproducibility: How easy is it to reproduce or exploit the attack?
Example: An attacker alters the contents of a file or manipulates data in transit.
E - Exploitability: How much work is it to launch the attack? How easy is it to do?
Example: A user denies that they made a transaction or sent a request because there are
insufficient logs or evidence to prove the action.
A - Affected users: How many people will be impacted?
Example: A hacker intercepts unencrypted data, such as credit card numbers or personal
information.
D - Discoverability: How easy is it to discover the threat or attack?
Example: A hacker floods a web server with requests, causing it to crash or become
unavailable to legitimate users. It is a very common attack.
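To make the five DREAD categories concrete, here is an added example (my own code, not from the course material or the diary) that rates a few constructed threats and ranks them. It assumes the classic Microsoft usage where each category is scored 1 to 10 and the DREAD risk is the average of the five scores; the threats, their ratings and the Low/Medium/High thresholds are all assumptions made for the demonstration.

```python
# Added example (not from the learning diary): DREAD risk rating for a few
# constructed threats. Each category is scored 1-10 and the DREAD risk is the
# average of the five scores; the 1-10 scale and the averaging are the classic
# Microsoft usage and are an assumption here, not something the diary states.
from dataclasses import dataclass

CATEGORIES = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    name: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Reject ratings outside the assumed 1..10 scale early.
        for cat in CATEGORIES:
            value = getattr(self, cat)
            if not 1 <= value <= 10:
                raise ValueError(f"{cat} must be 1..10, got {value}")


def dread_score(t: Threat) -> float:
    """Average of the five DREAD ratings, rounded to one decimal."""
    total = sum(getattr(t, cat) for cat in CATEGORIES)
    return round(total / len(CATEGORIES), 1)


def risk_band(score: float) -> str:
    """Map a DREAD score to a coarse band (thresholds are an assumption)."""
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def rank_threats(threats):
    """Return (name, score, band) tuples ordered from highest risk to lowest."""
    scored = [(t.name, dread_score(t), risk_band(dread_score(t))) for t in threats]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed threats for an imaginary IoT gateway, rated by hand.
SAMPLE_THREATS = [
    Threat("Hard-coded MQTT password", damage=9, reproducibility=10,
           exploitability=9, affected_users=10, discoverability=8),
    Threat("Username enumeration via login timing", damage=3, reproducibility=8,
           exploitability=5, affected_users=6, discoverability=4),
    Threat("Verbose stack trace in error page", damage=2, reproducibility=9,
           exploitability=2, affected_users=3, discoverability=7),
]

if __name__ == "__main__":
    for name, score, band in rank_threats(SAMPLE_THREATS):
        print(f"{score:4.1f}  {band:6}  {name}")
```

Running it prints the hard-coded password threat first (9.2, High), which is the point of the model: the score gives a repeatable ordering for fixing work, even though each individual rating is a judgement call.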
62. Check some CVEs of widely used applications from https://www.cvedetails.com/ and
answer:
o Describe what is the CVE scoring system
Answer
CVE (Common Vulnerabilities and Exposures) is a catalogue that identifies and classifies
publicly known vulnerabilities. Each catalogued vulnerability is rated with the Common
Vulnerability Scoring System (CVSS) to evaluate its threat level. A CVE's score is often
used for prioritizing the handling of vulnerabilities: it helps organizations prioritize their
responses based on the impact and exploitability of each vulnerability.
The breakdown of the CVSS scoring system was shown here as a figure (not reproduced).
Note: The CVSS standard is used by many reputable organizations, including NVD, IBM,
and Oracle. If you want to see how CVSS is calculated, or convert the scores assigned by
organizations that do not use CVSS, you can use the NVD calculator.

o When was the last time when Exim (MTA, mail transfer agent, more modern
version of the application, not the Cambridge version) had a critical
vulnerability? What is the CVE number?
Answer:
The latest critical vulnerability found in Exim is CVE-2024-39929, which affects
versions up to 4.97.1. This vulnerability allows remote attackers to bypass a protection
mechanism by misinterpreting a multiline RFC 2231 header filename. This could
potentially allow executable attachments to be delivered to user mailboxes, bypassing
the $mime_filename extension-blocking protection mechanism.
If exploited, it could enable attackers to deliver harmful executable attachments that
users might unwittingly download and execute.
According to the Attack Surface Management firm Censys, 4,830,719 of the 6,540,044
public-facing SMTP mail servers run Exim. As of July 12, 2024, over 1.5 million Exim
servers are using versions vulnerable to CVE-2024-39929 (4.97.1 or earlier). The United
States, Russia, and Canada host the majority of these exposed servers.

o Describe CVE-2016-6210 vulnerability shortly. Optional: How can you prevent
such attack / vulnerability?
Answer
Sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password
hashing, uses BLOWFISH hashing on a static password when the username does not
exist, which allows remote attackers to enumerate users by leveraging the timing
difference between responses when a large password is provided.
This allows a remote attacker to discover valid usernames on the server; it does not by
itself provide direct access to the system.
To prevent this, many developers and companies have already fixed it; to prevent it in
the future, upgrade OpenSSH regularly and use stronger authentication methods.

o Describe CVE-2019-15846 vulnerability shortly.
Answer:
CVE-2019-15846 is a critical vulnerability affecting Exim versions 4.92 to 4.92.2.
The vulnerability is exploitable by sending an SNI ending in a backslash-null sequence
during the initial TLS handshake. A proof-of-concept (POC) exploit exists.
It allows a remote attacker to execute arbitrary commands on the affected server through
a specially crafted Server Name Indication (SNI) string in the TLS handshake. This
vulnerability exists due to improper validation of SNI data during the TLS negotiation
process.
The vulnerability can be exploited without authentication, meaning that an attacker does
not need to have any prior access to the server. The attacker just needs to send a
specially crafted SNI string to the vulnerable Exim server during the TLS handshake.

o Describe CWE-208 from https://cwe.mitre.org/data/archive.html (download
most recent PDF)
Answer
CWE-208: Observable Timing Discrepancy
Two separate operations in a product require different amounts of time to complete, in a
way that is observable to an actor and reveals security-relevant information about the
state of the product, such as whether a particular operation was successful or not.
In security-relevant contexts, even small variations in timing can be exploited by
attackers to indirectly infer certain details about the product's internal operations. For
example, in some cryptographic algorithms, attackers can use timing differences to infer
certain properties about a private key, making the key easier to guess. Timing
discrepancies effectively form a timing side channel.
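CVE-2016-6210 above is a textbook instance of CWE-208: the server does cheap work for unknown usernames and expensive work for known ones, and the difference is observable. The following added example (my own code, not from OpenSSH or the course material) reproduces that pattern in a small login check and shows the usual fix, which is to perform the same key derivation whether or not the user exists. The user store, the dummy hash and the call counter are constructed for the demonstration; the counter stands in for the wall-clock difference an attacker would measure.

```python
# Added example (not from the learning diary): the CWE-208 pattern behind
# CVE-2016-6210, shown as a login check that does different amounts of work for
# known and unknown users, beside a version that does the same work either way.
# The user database, the dummy hash and the counter are constructed for the demo.
import hashlib
import hmac
import os

ITERATIONS = 20_000          # kept low so the example runs quickly


def derive(password: str, salt: bytes, counter: dict) -> bytes:
    """PBKDF2-HMAC-SHA256; the counter records how many expensive derivations ran."""
    counter["calls"] = counter.get("calls", 0) + 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, stored hash)
_alice_salt = os.urandom(16)
USERS = {
    "alice": (_alice_salt,
              hashlib.pbkdf2_hmac("sha256", b"correct horse", _alice_salt, ITERATIONS)),
}


def vulnerable_login(username: str, password: str, counter: dict) -> bool:
    """Unknown users are rejected before any hashing: the work difference is observable."""
    record = USERS.get(username)
    if record is None:
        return False                      # fast path leaks that the user does not exist
    salt, stored = record
    return hmac.compare_digest(derive(password, salt, counter), stored)


# One fixed salt/hash pair used for unknown users so the code path costs the same.
_dummy_salt = os.urandom(16)
_dummy_hash = hashlib.pbkdf2_hmac("sha256", b"placeholder", _dummy_salt, ITERATIONS)


def hardened_login(username: str, password: str, counter: dict) -> bool:
    """Always derives a hash, then rejects unknown users only after the comparison."""
    record = USERS.get(username)
    salt, stored = record if record is not None else (_dummy_salt, _dummy_hash)
    match = hmac.compare_digest(derive(password, salt, counter), stored)
    return match and record is not None


def hashing_work(login, username: str, password: str) -> int:
    """How many key derivations a single login attempt performed."""
    counter = {}
    login(username, password, counter)
    return counter.get("calls", 0)


if __name__ == "__main__":
    for login in (vulnerable_login, hardened_login):
        known = hashing_work(login, "alice", "guess")
        unknown = hashing_work(login, "nobody", "guess")
        print(f"{login.__name__}: known user -> {known} derivation(s), "
              f"unknown user -> {unknown} derivation(s)")
```

With the vulnerable version an unknown username costs zero derivations and a known one costs one, which is exactly the signal a timing probe picks up; the hardened version costs one derivation in both cases, so the response time no longer depends on whether the account exists. The same idea (always doing the expensive step, and comparing with `hmac.compare_digest`) applies to password resets, API tokens and any other lookup whose failure path is faster than its success path.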

63. Study D-Link DNS-320 ShareCenter write-up in the ExploitDB
o What kind of software exploit is that?
Answer
The D-Link DNS-320 ShareCenter vulnerability is a backdoor access exploit.
The vulnerability is due to insufficient sanitizing of user-supplied inputs in the
application. A remote attacker may be able to exploit this to execute arbitrary commands
within the context of the application, via a crafted HTTP request. Its impact is system
compromise: remote attackers can gain control of the system.
It affected D-Link DNS-320 products which use firmware version v2.05b10 and prior.

o Try to explain shortly (summarise) from the write-up, how the attacker can
elevate access to become root (administrator) user?
Answer:
As described above, it is a backdoor access exploit. The D-Link DNS-320 ShareCenter
has a backdoor that allows attackers to gain unauthorized administrative access to the
device.
How the attack works:
Backdoor credentials: The firmware contains hardcoded backdoor credentials. If an
attacker uses the username mydlinkBRionyg and the password abc12345cba, they can
log in as an administrator.
Command injection: After getting access, the attacker can exploit a command injection
flaw by manipulating the cmd parameter in HTTP requests. For example, by sending a
specific request to the vulnerable CGI scripts, the attacker can execute arbitrary
commands on the device.
Elevating to root access: The exploit allows the attacker to go beyond simple admin
access and gain a root shell, enabling full control over the device.

64. Read this short article about cracking SIM cards and answer these questions:
o What is “side-channel attack”?
Answer:
A side-channel attack is a type of security exploit that aims to gather information from
a system through indirect means rather than by directly breaking into it. Instead of
attacking the algorithm itself, a side-channel attack exploits the physical or observable
characteristics of a system, such as its power consumption, timing, electromagnetic
emissions, or even sound.
This article is about a SIM card side-channel attack, in which SIM cards are cracked by
exploiting the physical properties of the card during cryptographic operations. In the
case of these SIM card attacks, the attackers used power analysis and timing analysis to
extract the secret keys used in the SIM’s authentication process.

o How side-channel attack was used to crack SIM cards?
Answer:
From the Jiao Tong University research, these researchers used side-channel techniques
to exploit the AES-128 encryption used in 3G and 4G SIM cards. Although AES-128 is
mathematically robust against direct attacks, the researchers were able to crack the
encryption by:
Tracking Power Levels: Using an oscilloscope, they monitored the power consumption
of the SIM card during cryptographic operations.
Analyzing Data Traffic: The team used an MP300-SC2 protocol analyzer to monitor
data traffic and correlated this with the power levels observed.
Correlation with SIM Card Operations: The information gathered was analyzed using
a SIM card reader and a standard PC, which allowed them to correlate the power
consumption patterns with specific operations performed by the SIM card.

65. Browse this public penetration test report and news article and answer these
questions:
o Penetration test report has header security through obscurity (next to the item
171 and onwards). What does it mean?
Answer
Security through obscurity refers to relying on the secrecy of the implementation or the
internal details of a system as the primary method of providing security. This approach
is generally criticized because it suggests that the security of a system depends on
keeping its internal workings hidden. If the underlying details are discovered or guessed,
the security is compromised. Instead of relying solely on obscurity, robust security
designs should incorporate multiple layers of defenses and not depend on the secrecy of
the system's architecture or code.
Item 171 notes that the lack of an anti-debug mechanism and the use of off-the-shelf
components made the Merlin@home device easier to reverse engineer and to identify
vulnerabilities in. This suggests that relying solely on obscurity (e.g., using off-the-shelf
components without additional security measures) is not a strong security practice.

o Penetration test report items 114 - 141 describe remote attack and
vulnerability. What kind of problem is it?
Answer:
The problem described is a remote attack that affects the Merlin@Home system. These
vulnerabilities allow attackers to execute various harmful actions remotely, such as
disabling therapy or draining device batteries. This can be life-threatening because it
compromises the functionality of cardiac devices, making it possible to stop therapeutic
care or deplete batteries rapidly, thus endangering the patient's health.

66. Read this news article about garage door security vulnerability and answer:
o What information security and privacy issues were found and listed in the
article?
Answer:
Universal Password: All devices use the same universal passwords which makes it easy
for attackers or unauthorized users to get access to devices.
Privacy breaches: Sensitive information like email addresses and device IDs was
exposed.
Unencrypted User Data: The system broadcasts unencrypted information such as email
addresses, device IDs, and commands.
Replay Attacks: Commands can be replayed to control devices remotely.

o What was the main issue and vulnerability with MQTT
configuration/architecture?
Answer:
Universal password: The primary issue was the use of a universal password for all
devices. This made it easy for attackers to access and control multiple devices with a
single password.
Lack of proper authentication: The MQTT configuration lacked robust authentication
mechanisms, allowing unauthorized users to easily connect and send commands.

o Read the CVE-2023-1748 (it's about this vulnerability). How much (i.e. how
bad) is the base CVSS score? What is the CWE code for this kind of
vulnerability?
Answer:
The CVSS base score is 9.3, which is a very high (critical) severity score.
The CWE code is CWE-798, which refers to the use of hard-coded credentials.
The listed versions of Nexx Smart Home devices use hard-coded credentials. An
attacker with unauthenticated access to the Nexx Home mobile application or the
affected firmware could view the credentials and access the MQ Telemetry Server
(MQTT) server and the ability to remotely control garage doors or smart plugs for any
customer.

67. Browse this “Secure development - towards approval” PDF document from National
Cyber Security Centre Finland and answer from TESTING AND VERIFICATION
chapter:
o What is unit testing?
Answer:
Unit testing: As developers are expected to run the tests themselves, fixing bugs that are
found should be fast and cheap. Code reviews are a great place to check that unit tests
have been developed for most code.
It is often automated and conducted using specific test cases which target particular
functions or methods to ensure they work correctly.

o What is component testing?
Answer:
Testing is executed in an isolated environment, perhaps with other simulated
components representing the whole system. Test runs take a long time and are executed
every day or night.
Most of the time it involves multiple related units and requires stubs or mocks for other
parts of the system. Testing can verify the functionality of a component independently
from the rest of the system.

o What is system testing?
Answer
System testing is the testing of the complete integrated system to evaluate its compliance
with the specified requirements. It is done after integration testing and ensures that the
system works as a whole. This type of testing checks end-to-end workflows and
interactions among all integrated components.

o What is acceptance testing?
Answer:
This test is run by an independent testing team, a customer, or a third party. This test is
the final level of testing which determines whether the software conforms to the business
requirements and is ready for delivery. It is usually done by end-users or clients and
involves validating the software against predefined criteria. It is also known as user
acceptance testing (UAT).
Acceptance tests may prove to be very expensive and time-consuming.

o What is static testing?
Answer:
This testing is performed without running the product; it involves examining the code
and inspecting various artefacts, such as source code and binaries, and checking
requirements and design documents without executing the program.
It is primarily used to find defects early in the development process and includes
reviews, walkthroughs, and inspections.
o What is dynamic testing?
Answer:
Dynamic testing refers to analyzing the dynamic behaviour of the code in the software.
In this type of testing, you give input and check that the output matches the expectation
by executing a test case. You can run the test cases manually or through an automation
process, and the software code must be compiled and run for this.
The main purpose of dynamic testing is to validate the software and ensure it works
properly without any faults after installation. In short, dynamic testing assures the overall
functionality and performance of the application, which should also be stable and
consistent.
o What is fuzzing?
Answer:
Fuzz testing or fuzzing is an automated software testing method that injects invalid,
malformed, or unexpected inputs into a system to reveal software defects and
vulnerabilities.
It can be done without accessing the source code, but it can reveal problems.
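To show what "injecting malformed inputs" looks like in practice, here is an added example (my own code, not from the course material) of a minimal mutation fuzzer. It takes one valid record, applies random byte flips, deletions and appends, and reports the first input that makes the parser fail with anything other than its own rejection error. The record format, the seed input, the parser's missing bounds check and the fixed parser are all invented for the demonstration.

```python
# Added example (not from the learning diary): a tiny mutation fuzzer run
# against a constructed record parser with a bounds-check bug, then against the
# fixed parser. The record format, the seed input and the bug are all invented
# for this demonstration.
import random


class ParseError(Exception):
    """The only exception a well-behaved parser is allowed to raise."""


def xor(payload: bytes) -> int:
    value = 0
    for b in payload:
        value ^= b
    return value


def encode(payload: bytes) -> bytes:
    """Build a valid record: 1-byte length, payload, 1-byte XOR checksum."""
    return bytes([len(payload)]) + payload + bytes([xor(payload)])


def parse_record_buggy(data: bytes) -> bytes:
    """Trusts the length field, so a lying length reads past the buffer."""
    if len(data) < 2:
        raise ParseError("too short")
    length = data[0]
    payload = data[1:1 + length]
    checksum = data[1 + length]          # IndexError when the length field lies
    if checksum != xor(payload):
        raise ParseError("bad checksum")
    return payload


def parse_record_fixed(data: bytes) -> bytes:
    """Same format, but the length field is checked against the buffer size."""
    if len(data) < 2:
        raise ParseError("too short")
    length = data[0]
    if len(data) != length + 2:
        raise ParseError("length field does not match buffer")
    payload = data[1:1 + length]
    if data[1 + length] != xor(payload):
        raise ParseError("bad checksum")
    return payload


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: flip a byte, drop a byte, or append a byte."""
    buf = bytearray(data)
    choice = rng.randrange(3)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1 and buf:
        del buf[rng.randrange(len(buf))]
    else:
        buf.append(rng.randrange(256))
    return bytes(buf)


def fuzz(parser, seed_input: bytes, iterations: int = 2000, seed: int = 1):
    """Return the first input that makes the parser crash with an unexpected
    exception, or None if it survives every iteration."""
    rng = random.Random(seed)            # fixed seed: the run is reproducible
    for _ in range(iterations):
        candidate = mutate(seed_input, rng)
        try:
            parser(candidate)
        except ParseError:
            continue                     # expected rejection, not a bug
        except Exception:
            return candidate             # crash: the parser failed to validate input
    return None


if __name__ == "__main__":
    seed = encode(b"hello")
    print("buggy parser crashes on:", fuzz(parse_record_buggy, seed))
    print("fixed parser crashes on:", fuzz(parse_record_fixed, seed))
```

The fuzzer never looks at the parser's source, which is the point made above: it only needs to drive inputs in and watch for crashes. Real fuzzers (AFL, libFuzzer) add coverage feedback so mutations that reach new code are kept as new seeds, but the loop is the same.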

68. Browse this “Instructions – Supply chain attack” PDF document from National Cyber
Security Centre Finland and research/answer:
o What is supply chain attack?
Answer:
Supply chain attack is a type of cyberattack that targets third-party vendors or suppliers
in order to compromise a larger organization. These attacks target weak points in the
supply chain, often involving software vendors, hardware manufacturers and third-party
services.
o What is 3-2-1 backup rule?
Answer
The 3-2-1 backup rule is a strategy for keeping data safe. It advises keeping three
copies of data on two different media, with one copy off-site.
• Three copies of your data: Your three copies include your original or production
data plus two more copies.
• On two different media: You should store your data on two different forms of media.
This means something different today than it did in the late 2000s. I’ll talk a little
more about this in a bit.
• One copy off-site: You should keep one copy of your data off-site in a remote
location, ideally more than a few miles away from your other two copies.

o What is network segmentation and how/why does it improve information security?
Answer
Network segmentation is when different parts of a computer network, or network zones,
are separated by devices like firewalls, switches and routers. Network segmentation is a
discipline and a framework that can be applied in the data center and on-premises at an
organization's facilities.
Furthermore, segmentation provides a logical way to isolate an active attack before it
spreads across the network. For example, segmentation ensures malware in one segment
does not affect systems in another. Creating segments limits how far an attack can
spread and reduces the attack surface to an absolute minimum.
69. Check some recent vulnerabilities being exploited in the wild from cisa.gov. Select one,
summarise the problem, and search and study some news articles about the
vulnerability.
Answer
I picked CVE-2021-42013. It affects the Apache HTTP server and is a remote code execution
vulnerability caused by a path traversal flaw.

An attacker could use a path traversal attack to map URLs to files outside the directories
configured by Alias-like directives. If files outside of these directories are not protected by the
usual default configuration "require all denied", these requests can succeed. If CGI scripts are
also enabled for these aliased paths, this could allow for remote code execution. This issue only
affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.
This vulnerability is dangerous because it allows remote attackers to bypass security
mechanisms and gain unauthorized access to sensitive files. If left unpatched, this could lead
to full system compromise.
It impacted some server users if they used Apache HTTP Server versions 2.4.49 or 2.4.50.
Weakness Enumeration
The weakness enumeration for this vulnerability is categorized as CWE-22, which involves
improper limitation of a pathname to a restricted directory, also known as path traversal.

To mitigate the risk, users of affected Apache HTTP Server versions should immediately update
to version 2.4.51 or later, which provides the complete fix. Additionally, ensuring that the
default security configuration ("require all denied") is enforced can prevent exploitation of files
outside the allowed directories.

Solutions
1. Update Apache HTTP Server to version 2.4.51, which has fixed the vulnerability.
2. Ensure that files outside designated directories are protected by the default configuration
"require all denied".
3. Regularly monitor security advisories and updates from Apache and other relevant sources
to stay informed about potential threats.
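Beyond patching, a defender wants to know whether traversal requests against aliased paths reached the server and what the server answered. The following added example (my own code, not Apache's and not from the course material) is a small access-log checker for that: it percent-decodes each request path repeatedly (so double-encoded dots are caught), maps it through an alias table like Apache's Alias/ScriptAlias, normalises it, and flags any request that would land outside the aliased directory. The alias table, the log lines and the decoding depth limit are constructed for the demonstration.

```python
# Added example (not from the learning diary): a log checker that flags
# requests whose path, after repeated percent-decoding and normalisation, would
# escape the directory an alias maps to. It models the class of bug behind
# CVE-2021-42013 (path traversal through aliased paths) generically; the
# aliases, the log lines and the decoding depth limit are constructed here.
import posixpath
import re
from urllib.parse import unquote

# Constructed alias map: URL prefix -> filesystem directory (like Apache Alias/ScriptAlias)
ALIASES = {"/cgi-bin/": "/usr/lib/cgi-bin/", "/icons/": "/usr/share/apache2/icons/"}


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (catches double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded
    return path


def resolve(url_path: str):
    """Map a request path to a filesystem path via the alias table.
    Returns (alias_dir, resolved_path) or None if no alias matches."""
    for prefix, directory in ALIASES.items():
        if url_path.startswith(prefix):
            rest = url_path[len(prefix):]
            return directory, posixpath.normpath(directory + rest)
    return None


def escapes_alias(url_path: str) -> bool:
    """True when the decoded, normalised path lands outside the alias directory."""
    decoded = fully_decode(url_path)
    match = resolve(decoded)
    if match is None:
        return False
    directory, resolved = match
    return not (resolved + "/").startswith(directory)


LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def suspicious_requests(log_lines):
    """Return (path, status) for every request whose path escapes its alias directory."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and escapes_alias(m.group("path")):
            hits.append((m.group("path"), m.group("status")))
    return hits


# Constructed access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2021:10:00:01 +0000] "GET /cgi-bin/printenv HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2021:10:00:02 +0000] "GET /icons/apache_pb.gif HTTP/1.1" 200 2326',
    '198.51.100.7 - - [10/Oct/2021:10:00:03 +0000] "GET /cgi-bin/../../../etc/hostname HTTP/1.1" 403 199',
    '198.51.100.7 - - [10/Oct/2021:10:00:04 +0000] "GET /cgi-bin/%252e%252e/%252e%252e/etc/hostname HTTP/1.1" 200 23',
    '198.51.100.7 - - [10/Oct/2021:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 10926',
]

if __name__ == "__main__":
    for path, status in suspicious_requests(SAMPLE_LOG):
        print(status, path)
```

Two lines are flagged: the plain traversal that the server answered 403 (blocked, but worth knowing someone is probing) and the double-encoded one that got a 200, which is the case that needs incident response, because it means the request was served from outside the aliased directory. Decoding only once would miss the second line, which is why the checker loops until the path stops changing.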
