Intro Wireshark Lab

PreLab 2: Single Segment IP Networks

1. Review Linux man pages for arp at www.linuxmanpages.com (in both Sections 7 and 8), the ARP RFC (RFC 826) at www.ietf.org, and Section 3.4 of the IBM Red Book.

PreLab 2 Questions:

1. Write the syntax for a wireshark command with a capture filter so that all IP datagrams with a source or destination IP address equal to 10.0.1.12 are recorded.
2. Write the syntax for a wireshark display filter that shows IP datagrams with a destination IP address equal to 10.0.1.50 and frame sizes greater than 400 bytes.
3. Write the syntax for a wireshark display filter that shows packets containing ICMP messages with a source or destination IP address equal to 10.0.1.12 and with frame numbers between 15 and 30.
4. Write the syntax for a wireshark display filter that shows packets containing TCP segments with a source or destination IP address equal to 10.0.1.12 and using port 23.
5. Write a capture filter for question 4.



LAB TWO: Wireshark


LAB 2

The purpose of this lab is to acquaint yourself with wireshark in Linux and the ways in which packet reading and capturing can be useful. As you saw in Lab 1, tcpdump has functionality very similar to that of wireshark, albeit with fewer features. Although we will not explicitly talk about tcpdump from here forward, keep in mind that there are some tasks that are better suited to it than wireshark, such as monitoring traffic on a remote server, a circumstance in which using a graphical user interface (and therefore wireshark) may not be possible.

NOTE: Remember to reboot the PCs and to save all of your files in /root/labdata and your floppy/usb drive. SAVE ALL FILES IN /root/labdata/<user> (where your <user> is your cat's/email ID). All files you create should be saved to your USB or floppy drive.

SUGGESTION: unless a specific name is requested, use the following name format for the files you save: [Exercise]-[Part]-[Question]-PC-<command>. For example 5-A-4-PC1-tcpdump. This will help ensure you can find the data needed for the lab report.

Network Setup FOR LAB 2

Connect the PCs according to the diagram below to a single switch (same as in Lab 1). Note: do not use port 24 on the switches, as it has been configured to behave differently from the other ports; you will find out about this in later labs.

1.1 Topology for Lab 2

The table below contains the IP address for each of the Linux PCs; these should be preconfigured:

PC    IP address of eth0
PC1   10.0.1.11/24
PC2   10.0.1.12/24
PC3   10.0.1.13/24
PC4   10.0.1.14/24


Exercise 1: Wireshark, Ping, and Telnet

In this exercise you will familiarize yourself with the display and capture filters in wireshark and how they can be used to assist you in further exercises.

PART A: Using Capture Filters in Wireshark

In this section you will review the traffic capture capabilities of wireshark.

A.1: Start wireshark on PC1 and set the same capture preferences as shown in the figure (using the Capture:Options... menu item). These should be used for all experiments.
A.2: Setting a capture filter: In the Filter box set a filter so that all packets that contain the IP address of PC2 are recorded. Hint: The required filter expression is the answer to question 2 in the pre-lab.
A.3: Start the capture by clicking OK in the Capture Options window.
A.4: In another terminal window on PC1, issue a ping to PC2 with two packets:

    PC1% ping -c 2 10.0.1.12

A.5: Stop the capture process, but DO NOT close wireshark.

Save Data:
A.6: Save the results of the capture with both the detail and summary options.


PART B: Using Display Filters in Wireshark

This section will familiarize you with display filters, which can be extremely useful for seeing a specific set of data within the captured set.

B.1: To set a display filter use the Filter bar at the top of the window as shown below. Click the Clear button next to the bar to clear any existing filter. Click the Filter button for help constructing a display filter. Now enter a display filter that shows all IP datagrams with a destination IP address of 10.0.1.12. To activate the display filter hit enter or click Apply.

Save Data:
B.4: Save the displayed data using the print summary option with the Displayed option selected. You'll notice if you open the file that the only packets saved were the ones filtered by the display filter.

Save Data:
B.5: Repeat the exercise making a display filter that lists only IP datagrams with a source IP address of 10.0.1.12.

PART C: Complex Display filters

Here we will dive into more complex display filters that will require the use of AND (& or &&) and OR ( || ) to filter data with multiple conditions.

C.1: On PC1, use wireshark and start traffic capture using the settings from Part A, but with no capture filter.
C.2: Simultaneously, in two windows on PC1, run the following two commands to ping PC2 with 5 packets and start a telnet session to PC2 from PC1. For the telnet session login as root, then logout with the command exit.

    PC1% ping -c 5 10.0.1.12
    PC1% telnet 10.0.1.12

C.3: Stop the traffic capture; do not close.

Save Data: For each of the following steps, save all data as Print Summary after applying the specified display filter.

C.4: Display only packets that contain ICMP messages with the IP address of PC2 as either the destination or source address. HINT: Question 4 in the Pre-Lab will help.
C.5: Display packets that contain TCP traffic with the IP address of PC2 either as the source or destination. Hint: Question 5 will help.
C.6: Display packets that in addition to the constraints in C.5 use source port number 23.
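The pre-lab questions and Parts B and C all turn on how a display filter is evaluated frame by frame: a bare protocol name tests for presence, a comparison tests a field, and AND/OR combine tests. The evaluator below is an added example, not code from the lab handout or from Wireshark; it implements a small subset of the display-filter grammar (comparisons, bare protocol names, `&&`/`and`, `||`/`or`, `!`/`not`, parentheses) over constructed frame summaries, so the filters asked for in the pre-lab can be tried offline. The frame records and their addresses, ports and sizes are made up for the demonstration. The one behaviour worth internalising is that `ip.addr` and `tcp.port` cover both endpoints, so `ip.addr != X` still matches frames that involve X; the exclusion form is `!(ip.addr == X)`.

```python
"""Evaluate a subset of Wireshark's display-filter language against frame summaries.

Added example (not from the lab handout): it shows how a filter such as
  ip.addr == 10.0.1.12 && frame.number >= 15 && frame.number <= 30
is applied frame by frame. The FRAMES below are constructed, not captured.
"""
import operator
import re
from typing import Any, List

# Constructed frame summaries using the field names Wireshark uses.
FRAMES = [
    {"frame.number": 1, "frame.len": 98, "ip.src": "10.0.1.11", "ip.dst": "10.0.1.12", "protocols": {"eth", "ip", "icmp"}},
    {"frame.number": 2, "frame.len": 98, "ip.src": "10.0.1.12", "ip.dst": "10.0.1.11", "protocols": {"eth", "ip", "icmp"}},
    {"frame.number": 3, "frame.len": 74, "ip.src": "10.0.1.11", "ip.dst": "10.0.1.12", "protocols": {"eth", "ip", "tcp"}, "tcp.srcport": 40123, "tcp.dstport": 23},
    {"frame.number": 4, "frame.len": 74, "ip.src": "10.0.1.12", "ip.dst": "10.0.1.11", "protocols": {"eth", "ip", "tcp"}, "tcp.srcport": 23, "tcp.dstport": 40123},
    {"frame.number": 5, "frame.len": 512, "ip.src": "10.0.1.13", "ip.dst": "10.0.1.50", "protocols": {"eth", "ip", "tcp"}, "tcp.srcport": 40200, "tcp.dstport": 80},
    {"frame.number": 6, "frame.len": 42, "protocols": {"eth", "arp"}},
]

TOKEN = re.compile(r"\s*(\(|\)|&&|\|\||==|!=|>=|<=|>|<|!|[A-Za-z_][\w.]*|\d+(?:\.\d+)*)")
OPS = {"==": "eq", "eq": "eq", "!=": "ne", "ne": "ne", ">": "gt", "gt": "gt",
       "<": "lt", "lt": "lt", ">=": "ge", "ge": "ge", "<=": "le", "le": "le"}
CMP = {"eq": operator.eq, "ne": operator.ne, "gt": operator.gt,
       "lt": operator.lt, "ge": operator.ge, "le": operator.le}

def tokenize(text: str) -> List[str]:
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad filter near {text[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def field_values(frame: dict, name: str) -> List[Any]:
    """All values a field has in this frame (empty if absent). ip.addr and
    tcp.port cover both endpoints, which is why they match either direction."""
    if name == "ip.addr":
        return [frame[k] for k in ("ip.src", "ip.dst") if k in frame]
    if name == "tcp.port":
        return [frame[k] for k in ("tcp.srcport", "tcp.dstport") if k in frame]
    if name in frame:
        return [frame[name]]
    return [True] if name in frame["protocols"] else []   # bare protocol test

class Filter:
    """Recursive-descent parser: or_expr > and_expr > not_expr > primary."""
    def __init__(self, text: str):
        self.toks, self.pos = tokenize(text), 0
        self.ast = self._or()
        if self.pos != len(self.toks):
            raise ValueError(f"unexpected token {self.toks[self.pos]!r}")
    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def _take(self):
        if self.pos >= len(self.toks):
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return self.toks[self.pos - 1]
    def _or(self):
        node = self._and()
        while self._peek() in ("||", "or"):
            self._take()
            node = ("or", node, self._and())
        return node
    def _and(self):
        node = self._not()
        while self._peek() in ("&&", "and"):
            self._take()
            node = ("and", node, self._not())
        return node
    def _not(self):
        if self._peek() in ("!", "not"):
            self._take()
            return ("not", self._not())
        return self._primary()
    def _primary(self):
        tok = self._take()
        if tok == "(":
            node = self._or()
            if self._take() != ")":
                raise ValueError("missing )")
            return node
        if self._peek() in OPS:                       # field <op> literal
            return ("cmp", tok, OPS[self._take()], self._take())
        return ("has", tok)                           # bare field or protocol name
    def matches(self, frame: dict) -> bool:
        return self._eval(self.ast, frame)
    def _eval(self, node, frame) -> bool:
        kind = node[0]
        if kind == "or":
            return self._eval(node[1], frame) or self._eval(node[2], frame)
        if kind == "and":
            return self._eval(node[1], frame) and self._eval(node[2], frame)
        if kind == "not":
            return not self._eval(node[1], frame)
        if kind == "has":
            return bool(field_values(frame, node[1]))
        _, name, op, literal = node
        # A multi-valued field passes if ANY value satisfies the test (Wireshark's
        # rule), so "ip.addr != X" is true whenever either endpoint differs from X;
        # use "!(ip.addr == X)" to exclude a host entirely.
        return any(CMP[op](v, int(literal) if isinstance(v, int) else literal)
                   for v in field_values(frame, name))

def apply_filter(text: str, frames: List[dict] = FRAMES) -> List[int]:
    """Frame numbers that pass the display filter, in capture order."""
    flt = Filter(text)
    return [fr["frame.number"] for fr in frames if flt.matches(fr)]
```

`apply_filter("icmp && ip.addr == 10.0.1.12")` returns the two ping frames, and `apply_filter("tcp && ip.addr == 10.0.1.12 && tcp.port == 23")` returns both directions of the telnet connection, which is the shape of the C.4 and C.5 filters; adding `tcp.srcport == 23` narrows to the server side as in C.6. The evaluator accepts the `&&`/`and` and `||`/`or` spellings that Wireshark accepts.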


Exercise 2: Address Resolution Protocol (ARP)

This exercise will help you become familiar with ARP, which resolves a MAC address for a given IP address.

Common Uses of ARP

arp -a                       Displays the contents of the ARP cache
arp -d IPAddress             Deletes the entry with the IP address specified
arp -s IPAddress MACAddress  Adds a static entry to the ARP cache that is never overwritten by network events.
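To make the frames captured in Parts A and B easier to read, the following added example (not from the lab handout) builds and decodes ARP request and reply frames with the layout given in RFC 826 over an Ethernet header, and models the decision a host makes when a request arrives: answer only if the target protocol address is its own. The IP addresses are the lab's PC1 and PC2; the MAC addresses are made up locally administered values chosen for the example.

```python
"""Build and decode ARP frames as they appear on the wire (RFC 826 over Ethernet).

Added example, not part of the lab handout. IPs follow the lab's PC1/PC2;
the MAC addresses are constructed (locally administered) values.
"""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IP = 0x0800    # Type field value for an IPv4 payload
ETHERTYPE_ARP = 0x0806   # Type field value for an ARP payload
BROADCAST = bytes.fromhex("ffffffffffff")
OP_REQUEST, OP_REPLY = 1, 2

PC1_MAC, PC1_IP = "02:00:00:00:00:11", "10.0.1.11"   # constructed
PC2_MAC, PC2_IP = "02:00:00:00:00:12", "10.0.1.12"   # constructed

def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def ip_bytes(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))

def mac_text(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def ip_text(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

@dataclass
class ArpFrame:
    eth_dst: str
    eth_src: str
    ethertype: int
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str, eth_dst: Optional[str] = None) -> bytes:
    """Ethernet header (dst, src, type) followed by the 28-byte ARP body.
    A request has no known destination MAC yet, so it goes to the broadcast
    address; a reply is unicast back to the requester."""
    eth_dst_raw = BROADCAST if eth_dst is None else mac_bytes(eth_dst)
    eth = struct.pack("!6s6sH", eth_dst_raw, mac_bytes(sender_mac), ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode, then
    # sender hardware/protocol address and target hardware/protocol address.
    body = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IP, 6, 4, opcode,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + body   # 42 bytes; the NIC pads to the 60-byte Ethernet minimum

def parse_arp(frame: bytes) -> ArpFrame:
    """Decode an Ethernet frame carrying ARP; reject anything else by Type."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IP, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol address types")
    return ArpFrame(mac_text(eth_dst), mac_text(eth_src), ethertype, op,
                    mac_text(smac), ip_text(sip), mac_text(tmac), ip_text(tip))

def answer_request(request: bytes, my_mac: str, my_ip: str) -> Optional[bytes]:
    """What a receiving host does: reply only if the request asks for its IP."""
    req = parse_arp(request)
    if req.opcode != OP_REQUEST or req.target_ip != my_ip:
        return None
    return build_arp(OP_REPLY, my_mac, my_ip, req.sender_mac, req.sender_ip,
                     eth_dst=req.sender_mac)

def resolve_pc2_from_pc1() -> ArpFrame:
    """The exchange of Part A: PC1 asks who has PC2's IP, PC2 answers."""
    request = build_arp(OP_REQUEST, PC1_MAC, PC1_IP, "00:00:00:00:00:00", PC2_IP)
    reply = answer_request(request, PC2_MAC, PC2_IP)
    assert reply is not None
    return parse_arp(reply)

if __name__ == "__main__":
    print(parse_arp(build_arp(OP_REQUEST, PC1_MAC, PC1_IP, "00:00:00:00:00:00", PC2_IP)))
    print(resolve_pc2_from_pc1())
```

Compare the decoded fields with the packet detail pane in your saved capture: the Ethernet Type value, the destination MAC of the request versus the reply, and the sender/target address pairs are the quantities the lab report asks about. Note that the ARP body sits directly after the Ethernet header, with no IP header in between, which is why the capture filter in Part A (an IP host filter) and the display filter `arp` select different frames.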

PART A: Experimenting with ARP

A.1: On PC1 view the ARP cache with the command arp -a and delete all entries with the -d option.
A.2: Start wireshark on PC1 with a capture filter set to the IP address of PC2.
A.3: Issue a ping command from PC1 to PC2:

    PC1% ping -c 2 10.0.1.12

A.4: View the ARP cache again; note that ARP cache entries are deleted fairly quickly (about 2 minutes).

SAVE DATA:
A.5: Save the wireshark data using both the detail and summary options.

PART B: ARP requests for a non-existing address

Here we will see what happens when an ARP request is issued for an IP address that does not exist on the network.

B.1: On PC1, start wireshark with a capture filter set to capture packets that contain the IP address of PC1.

SAVE DATA:
B.2: Try to establish a telnet session from PC1 to 10.0.1.10 (Note: this address does not exist on the network). Save the output (this will require redirecting stderr using the '>&' redirection).

    PC1% telnet 10.0.1.10

SAVE DATA:
B.3: After telnet fails, stop capture and observe the time interval and the frequency with which PC1 transmits ARP requests. Save the wireshark data using both the detail and summary options.

Exercise 3: FTP and Telnet Experiments

A major problem with FTP and Telnet is that their passwords are sent across a network as plain text, without any encryption.

PART A: Snooping Passwords from FTP sessions

The goal is to capture traffic from an FTP session and find the password.

A.1: On PC1 start wireshark and set the capture filter to capture traffic between PC1 and PC2. The filter for this is:

    host 10.0.1.11 and host 10.0.1.12

A.2: Start an FTP server on PC2 using the command vsftpd, and on PC1 start an FTP session to PC2:

    PC1% ftp 10.0.1.12

A.3: Log in as root and then logout using the FTP quit command.


A.4: Stop the capture.
A.5: To inspect the data payloads of a sequence of FTP packets in wireshark, select a packet that contains a TCP segment in the main window. Now click Follow TCP Stream in the Analyze menu. This creates a new window that displays only the payload of the selected TCP connection.

SAVE DATA:
A.6: Using the Print Detail option save the packets that contain the login name and password. Hint: Use a wireshark display filter (with the frame.number value), or the "Edit:Mark Frame" menu item with "Marked packets only" to show the desired packets.

PART B: Snooping for telnet passwords

SAVE DATA:
B.1: Repeat the previous exercise using telnet instead of ftp. On PC1 connect to PC2 using telnet and save the output of the wireshark session using the detail option.
B.2: Identify the packets transmitted for each character typed. You should see 3 packets for each character.

REMEMBER TO COPY SAVED FILES TO YOUR USB DRIVE OR FLOPPY!
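What Follow TCP Stream shows in Parts A and B is the same thing a network monitor sees, and a monitoring tool turns it into an alert. The following added example (not from the lab handout) is a small detector over reconstructed streams of the two protocols: for FTP it matches the `USER` and `PASS` command lines the client sends on the control channel; for telnet, which has no command syntax, it tracks the server's `login:` and `Password:` prompts and collects what the client types after each, one keystroke per segment, until a newline. It reports that a credential crossed the wire and how long it was, never the secret itself, which is the record a defender wants in a log. The streams, user name and password are constructed for the example; nothing here was captured.

```python
"""Flag cleartext credentials in reconstructed FTP and Telnet streams.

Added example for Exercise 3, not part of the lab handout. FTP_SAMPLE and
TELNET_SAMPLE are constructed (made-up user and password), not captured data.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Finding:
    protocol: str
    server_port: int
    user: str
    password_len: int   # length only; the secret is never stored or logged

# FTP control channel: one ASCII command per line, CRLF-terminated.
FTP_CMD = re.compile(rb"^(USER|PASS) ?(.*?)\r?$", re.M)

def scan_ftp(client_to_server: bytes, server_port: int = 21) -> List[Finding]:
    """The client sends 'USER name' then 'PASS secret' in plain text, which is
    exactly what Follow TCP Stream displays for the control connection."""
    findings: List[Finding] = []
    user: Optional[str] = None
    for cmd, arg in FTP_CMD.findall(client_to_server):
        if cmd == b"USER":
            user = arg.decode(errors="replace")
        elif cmd == b"PASS":
            findings.append(Finding("ftp", server_port, user or "?", len(arg)))
            user = None
    return findings

def scan_telnet(segments: List[Tuple[str, bytes]], server_port: int = 23) -> List[Finding]:
    """segments: ordered (direction, payload) pairs from one TCP connection,
    'c' = client->server, 's' = server->client. In character-at-a-time mode
    each keystroke travels in its own segment and the server echoes visible
    characters (but not the password), so one typed character costs several
    packets. The credential is whatever follows the login/password prompts."""
    findings: List[Finding] = []
    state: Optional[str] = None      # "user" or "pass" after the matching prompt
    buf, user = b"", None
    for direction, payload in segments:
        if direction == "s":
            prompt = payload.lower()
            if b"login:" in prompt:
                state, buf = "user", b""
            elif b"password:" in prompt:
                state, buf = "pass", b""
        elif state is not None:
            end = re.search(rb"[\r\n]", payload)
            buf += payload if end is None else payload[:end.start()]
            if end is not None:               # Enter pressed: field complete
                if state == "user":
                    user = buf.decode(errors="replace")
                else:
                    findings.append(Finding("telnet", server_port, user or "?", len(buf)))
                state, buf = None, b""
    return findings

def report(findings: List[Finding]) -> List[str]:
    """Alert lines suitable for a log: who, which protocol, where, how long."""
    return [f"{f.protocol.upper()} login as '{f.user}' sent in cleartext to port "
            f"{f.server_port} (password length {f.password_len})" for f in findings]

# Constructed sample traffic (not captured).
FTP_SAMPLE = b"USER root\r\nPASS s3cret-example\r\nSYST\r\nQUIT\r\n"
TELNET_SAMPLE: List[Tuple[str, bytes]] = [("s", b"login: ")]
TELNET_SAMPLE += [seg for ch in b"root"                 # keystroke, then server echo
                  for seg in (("c", bytes([ch])), ("s", bytes([ch])))]
TELNET_SAMPLE += [("c", b"\r\n"), ("s", b"\r\nPassword: ")]
TELNET_SAMPLE += [("c", bytes([ch])) for ch in b"s3cret-example"]   # password is not echoed
TELNET_SAMPLE += [("c", b"\r\n"), ("s", b"\r\nWelcome\r\n$ ")]

if __name__ == "__main__":
    for line in report(scan_ftp(FTP_SAMPLE) + scan_telnet(TELNET_SAMPLE)):
        print(line)
```

Run against your own Follow TCP Stream output, the FTP scanner needs only the client-to-server direction (the red text in Wireshark's stream window); the telnet scanner needs both directions in order, since the prompts come from the server and the keystrokes from the client.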


Lab Report

Exercise 1 Questions:

1.1 Include the summary data saved from Part A in your lab report.
1.2 Include the summary data saved from both pieces of Part B in your lab report.
1.3 Include the data saved from each of the display filters from Part C.

Exercise 2 Questions: Use your saved data to answer the following questions:

2.1 In Part A, what is the destination MAC address of an ARP Request packet? Include a captured packet to support your answer.
2.2 In Part A, what are the different values of the Type field in the Ethernet headers that you observe?
2.3 Using the captured data from Part A, explain the process that ARP goes through to acquire a MAC address for PC2 (10.0.1.12).
2.4 In Part B, using the saved output, describe the time interval between each ARP Request issued by PC1 and the ARP retransmission policy. Include data to support your claim.
2.5 Why are ARP Request packets not encapsulated like IP packets? Explain.

Exercise 3 Questions:

3.1 From Part A: Using the saved output, identify the port numbers of the FTP client and FTP server. Include the relevant lines from the packets.
3.2 From Part A: Identify the login name and password, shown in plain text in the payload of the packets captured. Include the relevant FTP/IP headers in the lab report.
3.3 From Part B: Does Telnet have the same security flaws as FTP? Support your answer by showing the relevant headers from the data you captured.
3.4 Looking at the captured data, explain why three packets are sent in a telnet session for each character typed. Attach a sample of your output.