Pre-Lab 2: Single Segment IP Networks

1. Review the Linux man pages for arp at www.linuxmanpages.com (in both Sections 7 and 8), the ARP RFC (RFC 826) at www.ietf.org, and Section 3.4 of the IBM Red Book.

Pre-Lab 2 Questions:

1. Write the syntax for a wireshark command with a capture filter so that all IP datagrams with a source or destination IP address equal to 10.0.1.12 are recorded.
2. Write the syntax for a wireshark display filter that shows IP datagrams with a destination IP address equal to 10.0.1.50 and frame sizes greater than 400 bytes.
3. Write the syntax for a wireshark display filter that shows packets containing ICMP messages with a source or destination IP address equal to 10.0.1.12 and with frame numbers between 15 and 30.
4. Write the syntax for a wireshark display filter that shows packets containing TCP segments with a source or destination IP address equal to 10.0.1.12 and using port 23.
5. Write a capture filter for question 4.
LAB TWO: Wireshark
LAB 2

The purpose of this lab is to acquaint yourself with wireshark in Linux and the ways in which packet reading and capturing can be useful. As you saw in Lab 1, tcpdump has functionality very similar to that of wireshark, albeit with fewer features. Although we will not explicitly talk about tcpdump from here forward, keep in mind that there are some tasks that are better suited to it than wireshark, such as monitoring traffic on a remote server, a circumstance in which using a graphical user interface (and therefore wireshark) may not be possible.

NOTE: Remember to reboot the PCs and to save all of your files in /root/labdata and your floppy/USB drive. SAVE ALL FILES IN /root/labdata/<user> (where <user> is your cat's/email ID). All files you create should be saved to your USB or floppy drive.

SUGGESTION: unless a specific name is requested, use the following name format for the files you save: [Exercise]-[Part]-[Question]-PC-<command>. For example 5-A-4-PC1-tcpdump. This will help ensure you can find the data needed for the lab report.
Network Setup FOR LAB 2 Connect the PCs according to the diagram below to a single switch (Same as in Lab 1). Note: do not use port 24 on the switches as it has been configured to behave differently from the other ports – you will find out about this in later labs.
1.1 Topology for Lab 2
The table below contains the IP address for each of the Linux PCs; these should be preconfigured:

PC    IP address of eth0
PC1   10.0.1.11/24
PC2   10.0.1.12/24
PC3   10.0.1.13/24
PC4   10.0.1.14/24
Exercise 1: Wireshark, Ping, and Telnet

In this exercise you will familiarize yourself with the display and capture filters in wireshark and how they can be used to assist you in further exercises.

PART A: Using Capture Filters in Wireshark

In this section you will review the traffic capture capabilities of wireshark. A capture filter is applied by the capture engine (the same BPF syntax tcpdump uses) and packets it rejects are never recorded; a display filter only hides packets that are already in the capture.

A.1: Start wireshark on PC1 and set the same capture preferences as shown in the figure (using the Capture:Options... menu item). These should be used for all experiments.
A.2: Setting a capture filter: in the Filter box set a filter so that all packets that contain the IP address of PC2 are recorded. Hint: the required filter expression is the answer to question 1 of the pre-lab questions (the capture filter for 10.0.1.12).
A.3: Start the capture by clicking OK in the Capture Options window.
A.4: In another terminal window on PC1, issue a ping to PC2 with two packets: PC1% ping -c 2 10.0.1.12
A.5: Stop the capture process, but DO NOT close wireshark.
Save Data: A.6: Save the results of the capture with both the detail and summary options.
PART B: Using Display Filters in Wireshark

This section will familiarize you with display filters, which can be extremely useful for seeing a specific set of data within the captured set.

B.1: To set a display filter use the Filter bar at the top of the window as shown below. Click the Clear button next to the bar to clear any existing filter. Click the Filter button for help constructing a display filter. Now enter a display filter that shows all IP datagrams with a destination IP address of 10.0.1.12. To activate the display filter hit Enter or click Apply.
Save Data: B.4: Save the displayed data using the print summary option with the Displayed option selected. You'll notice if you open the file that the only packets saved were the ones selected by the display filter.
Save Data: B.5: Repeat the exercise making a display filter that lists only IP datagrams with a source IP address of 10.0.1.12.

PART C: Complex Display Filters

Here we will dive into more complex display filters that require the logical operators AND (written and or &&) and OR (written or or ||) to filter data with multiple conditions. Note that a single & in a display filter is the bitwise-and operator, not a logical AND.

C.1: On PC1, use wireshark and start traffic capture using the settings from Part A, but with no capture filter.
C.2: Simultaneously, in two windows on PC1, run the following two commands to ping PC2 with 5 packets and start a telnet session to PC2 from PC1. For the telnet session log in as root, then log out with the command exit.
PC1% ping -c 5 10.0.1.12
PC1% telnet 10.0.1.12
C.3: Stop the traffic capture; do not close wireshark.
Save Data: For each of the following steps, save all data as Print Summary after applying the specified display filter.
C.4: Display only packets that contain ICMP messages with the IP address of PC2 as either the destination or source address. HINT: question 3 of the pre-lab questions will help.
C.5: Display packets that contain TCP traffic with the IP address of PC2 either as the source or destination. Hint: question 4 of the pre-lab questions will help (drop its port clause).
C.6: Display packets that, in addition to the constraints in C.5, use source port number 23.
Exercise 2: Address Resolution Protocol (ARP)

This exercise will help you become familiar with ARP, which resolves the MAC address for a given IP address on the local segment.

Common Uses of ARP
arp -a                        Displays the contents of the ARP cache
arp -d IPAddress              Deletes the entry with the IP address specified
arp -s IPAddress MACAddress   Adds a static entry to the ARP cache that is never overwritten by network events
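As an added illustration (not part of the original lab handout), the following Python script builds the ARP request that PC1 would broadcast for PC2's address, parses it back the way wireshark decodes it, and walks the request/reply exchange that fills the ARP cache. It uses only the standard library; the MAC addresses and the hosts dictionary are constructed for the example and are not the lab PCs' real addresses.

```python
import struct

# Wire constants (RFC 826 / Ethernet II). EtherType 0x0806 marks an ARP packet;
# ARP rides directly on Ethernet and is never wrapped in an IP header.
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800        # also the ARP "protocol type" value for IPv4
HTYPE_ETHERNET = 1
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
MIN_FRAME_LEN = 60             # Ethernet minimum without FCS; short frames get padded

def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))

def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ip_to_bytes(ip):
    return bytes(int(part) for part in ip.split("."))

def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)

def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet II frame carrying an ARP packet.

    A request goes to the broadcast MAC (the sender does not yet know the
    target's address, so the target-MAC field is all zeros); a reply goes
    unicast straight back to the requester.
    """
    dst_mac = BROADCAST if opcode == ARP_REQUEST else target_mac
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, ETHERTYPE_IPV4, 6, 4, opcode)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    frame = eth + arp                           # 14 + 28 = 42 bytes before padding
    return frame + b"\x00" * (MIN_FRAME_LEN - len(frame))

def parse_frame(frame):
    """Decode the Ethernet header, and the ARP body when the EtherType is 0x0806."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": bytes_to_mac(frame[0:6]),
            "src_mac": bytes_to_mac(frame[6:12]),
            "ethertype": ethertype}
    if ethertype != ETHERTYPE_ARP:
        return info                             # e.g. 0x0800: an IP datagram
    body = frame[14:]
    if len(body) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", body[:8])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, ETHERTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    info.update(opcode=opcode,
                sender_mac=bytes_to_mac(body[8:14]), sender_ip=bytes_to_ip(body[14:18]),
                target_mac=bytes_to_mac(body[18:24]), target_ip=bytes_to_ip(body[24:28]))
    return info

def answer_request(frame, my_mac, my_ip):
    """What a host does with a received frame: reply only to an ARP request for
    its own IP address; anything else is ignored (returns None)."""
    info = parse_frame(frame)
    if info["ethertype"] != ETHERTYPE_ARP or info["opcode"] != ARP_REQUEST:
        return None
    if info["target_ip"] != my_ip:
        return None
    return build_arp_frame(ARP_REPLY, my_mac, my_ip, info["sender_mac"], info["sender_ip"])

def resolve(requester_mac, requester_ip, target_ip, hosts):
    """The exchange from the requester's side: broadcast one request, collect the
    single reply, and record it in a (hypothetical) ARP cache dict.
    `hosts` maps IP -> MAC for the machines on the segment (constructed data)."""
    request = build_arp_frame(ARP_REQUEST, requester_mac, requester_ip,
                              "00:00:00:00:00:00", target_ip)
    cache = {}
    for ip, mac in hosts.items():               # every host on the segment sees the broadcast
        reply = answer_request(request, mac, ip)
        if reply is not None:
            r = parse_frame(reply)
            cache[r["sender_ip"]] = r["sender_mac"]
    return request, cache

if __name__ == "__main__":
    # Constructed MACs for PC2 and PC3; only PC2 answers a request for 10.0.1.12.
    hosts = {"10.0.1.12": "00:00:00:00:00:12", "10.0.1.13": "00:00:00:00:00:13"}
    request, cache = resolve("00:00:00:00:00:11", "10.0.1.11", "10.0.1.12", hosts)
    print(parse_frame(request))
    print(cache)
```

Compare the parsed request with what you capture in Part A: the destination MAC, the EtherType and the zeroed target-MAC field are the observations report questions 2.1, 2.2 and 2.5 ask about.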
PART A: Experimenting with ARP

A.1: On PC1 view the ARP cache with the command arp -a and delete all entries with the -d option.
A.2: Start wireshark on PC1 with a capture filter set to the IP address of PC2.
A.3: Issue a ping command from PC1 to PC2: PC1% ping -c 2 10.0.1.12
A.4: View the ARP cache again, soon after the ping; note that ARP cache entries are deleted fairly quickly (about 2 minutes). On Linux an entry first becomes stale after the neighbour-table reachable time and is garbage collected some time later; both timers are tunable under /proc/sys/net/ipv4/neigh/.
SAVE DATA: A.5: Save the wireshark data using both the detail and summary options.

PART B: ARP requests for a non-existing address

Here we will see what happens when an ARP request is issued for an IP address that does not exist on the network.

B.1: On PC1, start wireshark with a capture filter set to capture packets that contain the IP address of PC1.
SAVE DATA: B.2: Try to establish a telnet session from PC1 to 10.0.1.10 (Note: this address does not exist on the network). Save the output; the error message goes to stderr, so redirect both streams: in csh/tcsh use >& (telnet 10.0.1.10 >& filename), in bash use > filename 2>&1.
PC1% telnet 10.0.1.10
SAVE DATA: B.3: After telnet fails, stop the capture and observe the time interval and the frequency with which PC1 transmits ARP requests. Save the wireshark data using both the detail and summary options.

Exercise 3: FTP and Telnet Experiments

A major problem with FTP and Telnet is that their login names and passwords (and, in fact, the entire session) are sent across the network as plain text, without any encryption, so anyone who can capture traffic on the segment can read them.

PART A: Snooping Passwords from FTP sessions

The goal is to capture traffic from an FTP session and find the password.

A.1: On PC1 start wireshark and set the capture filter to capture traffic between PC1 and PC2. The filter for this is: host 10.0.1.11 and host 10.0.1.12
A.2: Start an FTP server on PC2 using the command vsftpd, and on PC1 start an FTP session to PC2: PC1% ftp 10.0.1.12
A.3: Log in as root and then log out using the FTP quit command.
A.4: Stop the capture.
A.5: To inspect the data payloads of a sequence of FTP packets in wireshark, select a packet that contains a TCP segment in the main window. Now click Follow TCP Stream in the Analyze menu. This creates a new window that displays only the payload of the selected TCP connection, with each direction reassembled in order.
SAVE DATA: A.6: Using the Print Detail option save the packets that contain the login name and password. Hint: use a wireshark display filter (with the frame.number value), or the "Edit:Mark Frame" menu item with "Marked packets only", to show the desired packets.

PART B: Snooping for telnet passwords

SAVE DATA: B.1: Repeat the previous exercise using telnet instead of ftp. On PC1 connect to PC2 using telnet and save the output of the wireshark session using the detail option.
B.2: Identify the packets transmitted for each character typed. You should see 3 packets for each character.

REMEMBER TO COPY SAVED FILES TO YOUR USB DRIVE OR FLOPPY!
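Added example, not from the original handout: a Python script that does by hand what Follow TCP Stream does, over a constructed FTP login and a constructed two-keystroke telnet exchange (no real capture data). It reassembles each direction of the control connection by sequence number (dropping a retransmitted PASS segment), reads USER/PASS out of the client side, identifies the client and server ports from the SYN, and groups the telnet packets into the three-per-character pattern of Part B. The IP addresses follow the lab topology; the ephemeral ports, sequence numbers, banner text and password are invented.

```python
from collections import defaultdict

# Constructed sample capture, not data from the lab: PC1 (10.0.1.11) logs in to
# the FTP control port on PC2 (10.0.1.12). Field layout of every tuple:
# (frame, src_ip, src_port, dst_ip, dst_port, tcp_flags, seq, payload)
FTP_CAPTURE = [
    (1, "10.0.1.11", 32771, "10.0.1.12", 21, "S", 1000, b""),
    (2, "10.0.1.12", 21, "10.0.1.11", 32771, "SA", 5000, b""),
    (3, "10.0.1.11", 32771, "10.0.1.12", 21, "A", 1001, b""),
    (4, "10.0.1.12", 21, "10.0.1.11", 32771, "PA", 5001, b"220 FTP server ready.\r\n"),
    (5, "10.0.1.11", 32771, "10.0.1.12", 21, "PA", 1001, b"USER root\r\n"),
    (6, "10.0.1.12", 21, "10.0.1.11", 32771, "PA", 5024, b"331 Please specify the password.\r\n"),
    (7, "10.0.1.11", 32771, "10.0.1.12", 21, "PA", 1012, b"PASS s3cret\r\n"),
    (8, "10.0.1.11", 32771, "10.0.1.12", 21, "PA", 1012, b"PASS s3cret\r\n"),  # retransmission
    (9, "10.0.1.12", 21, "10.0.1.11", 32771, "PA", 5058, b"230 Login successful.\r\n"),
    (10, "10.0.1.11", 32771, "10.0.1.12", 21, "PA", 1025, b"QUIT\r\n"),
    (11, "10.0.1.12", 21, "10.0.1.11", 32771, "PA", 5081, b"221 Goodbye.\r\n"),
]

# Constructed telnet session on a second connection: the user types "ls".
TELNET_CAPTURE = [
    (20, "10.0.1.11", 32772, "10.0.1.12", 23, "PA", 2000, b"l"),  # keystroke
    (21, "10.0.1.12", 23, "10.0.1.11", 32772, "PA", 7000, b"l"),  # echo, also ACKs frame 20
    (22, "10.0.1.11", 32772, "10.0.1.12", 23, "A", 2001, b""),    # ACK of the echo
    (23, "10.0.1.11", 32772, "10.0.1.12", 23, "PA", 2001, b"s"),
    (24, "10.0.1.12", 23, "10.0.1.11", 32772, "PA", 7001, b"s"),
    (25, "10.0.1.11", 32772, "10.0.1.12", 23, "A", 2002, b""),
]

def endpoints(pkt):
    return (pkt[1], pkt[2]), (pkt[3], pkt[4])

def client_server(packets):
    """The side that sends the bare SYN is the client, the other the server
    (this is how the port numbers for report question 3.1 are read off)."""
    for pkt in packets:
        if pkt[5] == "S":
            return endpoints(pkt)
    raise ValueError("no SYN in capture")

def follow_tcp_stream(packets, client, server):
    """Minimal Follow TCP Stream: per direction, order segments by sequence
    number and skip bytes already seen (retransmissions)."""
    segments = defaultdict(list)
    for pkt in packets:
        src, dst = endpoints(pkt)
        if {src, dst} == {client, server} and pkt[7]:
            segments[src].append((pkt[6], pkt[7]))
    streams = {client: b"", server: b""}
    for src, segs in segments.items():
        segs.sort(key=lambda s: s[0])
        data, expected = bytearray(), segs[0][0]
        for seq, payload in segs:
            if seq + len(payload) <= expected:
                continue                        # nothing new in this segment
            data += payload[max(0, expected - seq):]
            expected = seq + len(payload)
        streams[src] = bytes(data)
    return streams

def extract_ftp_credentials(client_to_server):
    """USER and PASS travel unencrypted on the control connection."""
    creds = {}
    for line in client_to_server.decode("ascii", "replace").split("\r\n"):
        cmd, _, arg = line.partition(" ")
        if cmd.upper() in ("USER", "PASS"):
            creds[cmd.upper()] = arg
    return creds

def telnet_keystrokes(packets, client):
    """Group the three packets per typed character: keystroke, server echo
    (which also acknowledges the keystroke) and the client's ACK of the echo."""
    pkts = sorted(packets, key=lambda p: p[0])
    groups, i = [], 0
    while i < len(pkts):
        pkt = pkts[i]
        if endpoints(pkt)[0] != client or not pkt[7]:
            i += 1
            continue
        frames = [pkt[0]]
        nxt = pkts[i + 1] if i + 1 < len(pkts) else None
        if nxt and endpoints(nxt)[0] != client and nxt[7] == pkt[7]:
            frames.append(nxt[0])
            ack = pkts[i + 2] if i + 2 < len(pkts) else None
            if ack and endpoints(ack)[0] == client and not ack[7]:
                frames.append(ack[0])
        groups.append((pkt[7].decode("ascii", "replace"), frames))
        i += len(frames)
    return groups

if __name__ == "__main__":
    client, server = client_server(FTP_CAPTURE)
    streams = follow_tcp_stream(FTP_CAPTURE, client, server)
    print("client", client, "server", server)
    print(extract_ftp_credentials(streams[client]))
    print(telnet_keystrokes(TELNET_CAPTURE, ("10.0.1.11", 32772)))
```

The same three functions answer report questions 3.1, 3.2 and 3.4 for a real capture once the tuples are filled from wireshark's detail output; the point of the retransmitted frame 8 is that a naive concatenation of payloads would print the password twice.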
Lab Report

Exercise 1 Questions:
1.1 Include the summary data saved from Part A in your lab report.
1.2 Include the summary data saved from both pieces of Part B in your lab report.
1.3 Include the data saved from each of the display filters from Part C.

Exercise 2 Questions: Use your saved data to answer the following questions:
2.1 In Part A, what is the destination MAC address of an ARP Request packet? Include a captured packet to support your answer.
2.2 In Part A, what are the different values of the Type field in the Ethernet headers that you observe?
2.3 Using the captured data from Part A, explain the process that ARP goes through to acquire a MAC address for PC2 (10.0.1.12).
2.4 In Part B, using the saved output, describe the time interval between each ARP Request issued by PC1 and the ARP retransmission policy. Include data to support your claim.
2.5 Why are ARP Request packets not encapsulated in IP packets? Explain.

Exercise 3 Questions:
3.1 From Part A: using the saved output, identify the port numbers of the FTP client and FTP server. Include the relevant lines from the packets.
3.2 From Part A: identify the login name and password, shown in plain text in the payload of the packets captured. Include the relevant FTP/IP headers in the lab report.
3.3 From Part B: does Telnet have the same security flaw as FTP? Support your answer by showing the relevant headers from the data you captured.
3.4 Looking at the captured data, explain why three packets are sent in a telnet session for each character typed. Attach a sample of your output.
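For question 2.4, one way to extract the timing from a saved Print Summary file, added here as an example and not part of the handout: the Python below parses summary lines, picks out the ARP requests for a given target, and reports how many were sent, how far apart, whether every one was broadcast, and whether anyone replied. The SUMMARY text is constructed, not a real capture; its one-second spacing and three attempts match the Linux neighbour-table defaults retrans_time_ms = 1000 and mcast_solicit = 3 (see /proc/sys/net/ipv4/neigh/<iface>/), but the numbers you report must come from your own capture.

```python
import re

# Constructed Wireshark "Print Summary" lines, not a real capture: PC1 (hypothetical
# MAC 00:00:00:00:00:11) looks for 10.0.1.10, which no host owns, then for PC2.
# Columns: No.  Time  Source  Destination  Protocol  Info
SUMMARY = """\
1  0.000000  00:00:00:00:00:11  Broadcast          ARP  Who has 10.0.1.10?  Tell 10.0.1.11
2  1.001234  00:00:00:00:00:11  Broadcast          ARP  Who has 10.0.1.10?  Tell 10.0.1.11
3  2.002450  00:00:00:00:00:11  Broadcast          ARP  Who has 10.0.1.10?  Tell 10.0.1.11
4  5.250000  00:00:00:00:00:11  Broadcast          ARP  Who has 10.0.1.12?  Tell 10.0.1.11
5  5.250310  00:00:00:00:00:12  00:00:00:00:00:11  ARP  10.0.1.12 is at 00:00:00:00:00:12
"""

SUMMARY_LINE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*\S)\s*$")
WHO_HAS = re.compile(r"Who has (\S+)\?\s+Tell (\S+)")
IS_AT = re.compile(r"^(\S+) is at (\S+)")

def parse_summary(text):
    """Turn summary lines into dicts; lines that do not fit the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = SUMMARY_LINE.match(line)
        if m:
            no, t, src, dst, proto, info = m.groups()
            records.append({"no": int(no), "time": float(t), "src": src,
                            "dst": dst, "proto": proto, "info": info})
    return records

def arp_requests_for(records, target_ip):
    out = []
    for r in records:
        m = WHO_HAS.search(r["info"]) if r["proto"] == "ARP" else None
        if m and m.group(1) == target_ip:
            out.append(r)
    return out

def request_intervals(records, target_ip):
    """Seconds between consecutive ARP requests for target_ip."""
    times = [r["time"] for r in arp_requests_for(records, target_ip)]
    return [round(later - earlier, 6) for earlier, later in zip(times, times[1:])]

def was_answered(records, target_ip):
    for r in records:
        m = IS_AT.match(r["info"]) if r["proto"] == "ARP" else None
        if m and m.group(1) == target_ip:
            return True
    return False

def retransmission_summary(records, target_ip):
    """The facts question 2.4 asks for, for one target address."""
    reqs = arp_requests_for(records, target_ip)
    return {"requests": len(reqs),
            "intervals": request_intervals(records, target_ip),
            "all_broadcast": all(r["dst"] == "Broadcast" for r in reqs),
            "answered": was_answered(records, target_ip)}

if __name__ == "__main__":
    records = parse_summary(SUMMARY)
    for target in ("10.0.1.10", "10.0.1.12"):
        print(target, retransmission_summary(records, target))
```

To run it over your own data, replace SUMMARY with the contents of the summary file saved in Exercise 2 Part B (open(path).read()); the column regex expects the default summary layout, so adjust it if you changed the displayed columns.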