Pre-Lab 2: Introduction to Wireshark

1. Review the Linux man pages for arp at http://linux.die.net/man/7/arp and http://linux.die.net/man/8/arp, and the Address Resolution Protocol (ARP) RFC (RFC 826) at www.ietf.org. For Wireshark filter syntax, visit http://wiki.wireshark.org/CaptureFilters and http://www.wireshark.org/docs/dfref/ for help on the questions below.

Pre-Lab 2 Questions:

1. Write the syntax for a wireshark command with a capture filter so that all IP datagrams with a source or destination IP address equal to 10.0.1.12 are recorded.
2. Write the syntax for a wireshark display filter that shows IP datagrams with a destination IP address equal to 10.0.1.50 and frame sizes greater than 400 bytes.
3. Write the syntax for a wireshark display filter that shows packets containing ICMP messages with a source or destination IP address equal to 10.0.1.12 and with frame numbers between 15 and 30.
4. Write the syntax for a wireshark display filter that shows packets containing TCP segments with a source or destination IP address equal to 10.0.1.12 and using port 23.
5. Write a capture filter for question 4.

LAB TWO: Wireshark

LAB 2

The purpose of this lab is to acquaint yourself with wireshark. As you saw in Lab 1, tcpdump has functionality very similar to that of wireshark, albeit with fewer features. Although we will not explicitly talk about tcpdump from here forward, keep in mind that there are some tasks for which tcpdump is better suited.

NOTE: Remember to reboot the machines before using them, either with the GNOME reboot option or by typing 'reboot' in the terminal as root. If you fail to reboot, system settings will linger from the previous user's session.

NOTE: Please submit files whose names follow this format: Lab[#]-Ex[#]-[part][#]PC[#]-command. Example: Lab1-Ex2-A1-PC1-ls

For saving your files, review the Linux lab for how to mount a USB drive; otherwise, save files to the desktop and use drag and drop to copy files to/from the USB drive.
Network Setup FOR LAB 2

Connect the PCs according to the diagram below to a single switch (same as in Lab 1). Note: do not use port 24 on the switches, as it has been configured to behave differently from the other ports; you will find out about this in later labs.

1.1 Topology for Lab 2

The table below contains the IP address for each of the Linux PCs; these should be preconfigured:

PC    IP address of eth0
PC1   10.0.1.11/24
PC2   10.0.1.12/24
PC3   10.0.1.13/24
PC4   10.0.1.14/24

Exercise 1: Wireshark, Ping, and Telnet

In this exercise you will familiarize yourself with the display and capture filters in wireshark and how they can be used to assist you in further exercises.

PART A: Using Capture Filters in Wireshark

In this section you will review the traffic capture capabilities of wireshark.

A.1: Start wireshark on PC1 and set the same capture preferences as shown in the figure (using the Capture:Options... menu item). These should be used for all experiments.
A.2: Setting a capture filter: in the Filter box, set a filter so that all packets that contain the IP address of PC2 are recorded.
A.3: Start the capture by clicking Start in the Capture Options window.
A.4: In another terminal window on PC1, issue a ping to PC2 with two packets:
PC1% ping -c 2 10.0.1.12
A.5: Stop the capture process, but DO NOT close wireshark.

Save Data:
A.6: Save the results of the capture (by using Print) with only Print Summary Line checked. Save to file Lab2-Ex1A6-PC1-Wireshark.out. (Remember that you will need to provide the full path, or click Browse and then type the file name.)

PART B: Using Display Filters in Wireshark

This section will familiarize you with display filters, which can be extremely useful for visualizing a specific set of data within a captured set.

B.1: To set a display filter, use the Filter bar at the top of the window as shown below. Click the Clear button next to the bar to clear any existing filter.
Click the Filter button for help constructing a display filter. Now enter a display filter that shows all IP datagrams with a destination IP address of 10.0.1.12. To activate the display filter, hit Enter or click Apply.

Save Data:
B.2: Save the displayed data using the Print Summary option with the Displayed option (top right of the Packet Range menu) selected. You'll notice that, if you open the file used to save the data, the only packets saved were the ones that passed the display filter.

Save Data:
B.3: Repeat B.2, but use a display filter for ARP packets. Using Print, save the output.

PART C: Complex Display Filters

Here we will dive into more complex display filters that require the use of AND (& or &&) and OR (||) to filter data with multiple conditions.

C.1: On PC1, use wireshark and start traffic capture using the settings from Part A, but with no capture filter.
C.2: Simultaneously, in two windows on PC1, run the following two commands to ping PC2 with 5 packets and start a telnet session to PC2 from PC1. For the telnet session, log in as root, then log out with the command exit.
PC1% ping -c 5 10.0.1.12
PC1% telnet 10.0.1.12
C.3: Stop the traffic capture; DO NOT close wireshark.

Save Data: For each of the following steps, save all data as Print Summary after applying the specified display filter. Remember to also select Displayed in the Packet Range submenu.
C.4: Display only packets that contain ICMP messages with the IP address of PC2 as either the destination or source address.
C.5: Display packets that contain TCP traffic with the IP address of PC2 as either the source or destination.
C.6: Display packets that have a source IP address of PC2 and use port number 23.

Exercise 2: Address Resolution Protocol (ARP)

This exercise will help you become familiar with ARP (Address Resolution Protocol). ARP "resolves" the MAC address for a given IP address.
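As an added example (not part of the handout), the Python below builds a constructed ARP request and reply for PC1 (10.0.1.11) and PC2 (10.0.1.12), parses them back out of the raw bytes, and applies the libpcap "host" rule to them. That rule matches an ARP frame whenever the address is its sender or target protocol address, which is why a capture filter set to PC2's IP address, as in Part A step A.2 below, still records ARP traffic even though ARP carries no IP header. It also computes the gaps between repeated requests for one target, which is what Part B asks you to observe. The MAC addresses, the third target 10.0.1.10 and all timestamps are constructed placeholders, not values measured in the lab.

```python
"""Parse Ethernet/ARP frames and apply the 'host' capture-filter rule to them (added example)."""
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806          # ARP sits directly on Ethernet; there is no IP header
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
PC1_MAC = "00:11:22:33:44:11"   # constructed placeholder, not the lab PC's real address
PC2_MAC = "00:11:22:33:44:12"   # constructed placeholder


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def build_arp_frame(op, sha, spa, tha, tpa, eth_dst) -> bytes:
    """Ethernet II header (dst, src, type) followed by a 28-byte ARP packet for IPv4 over Ethernet."""
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)       # htype, ptype, hlen, plen, opcode
    arp += mac_to_bytes(sha) + IPv4Address(spa).packed      # sender hardware/protocol address
    arp += mac_to_bytes(tha) + IPv4Address(tpa).packed      # target hardware/protocol address
    return eth + arp


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, for EtherType 0x0806, the ARP fields behind it."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"eth_dst": mac_to_str(dst), "eth_src": mac_to_str(src), "ethertype": ethertype}
    if ethertype == ETHERTYPE_ARP:
        htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
        body = frame[22:22 + 2 * (hlen + plen)]
        sha, spa = body[:hlen], body[hlen:hlen + plen]
        tha, tpa = body[hlen + plen:2 * hlen + plen], body[2 * hlen + plen:]
        info.update(op=op, sha=mac_to_str(sha), spa=str(IPv4Address(spa)),
                    tha=mac_to_str(tha), tpa=str(IPv4Address(tpa)))
    return info


def host_filter_matches(info: dict, ip: str) -> bool:
    """libpcap 'host A' applied to an ARP frame: true if A is the sender or the target address."""
    return info.get("ethertype") == ETHERTYPE_ARP and ip in (info.get("spa"), info.get("tpa"))


def request_intervals(timed_frames):
    """Seconds between consecutive ARP requests for the same target (what Part B asks you to observe)."""
    last, gaps = {}, []
    for ts, frame in timed_frames:
        info = parse_frame(frame)
        if info.get("op") != ARP_REQUEST:
            continue
        if info["tpa"] in last:
            gaps.append(round(ts - last[info["tpa"]], 3))
        last[info["tpa"]] = ts
    return gaps


# Constructed sample frames: PC1 asks for PC2's MAC, PC2 answers, and PC1 asks repeatedly for a host that
# never answers (timestamps are placeholders, not measured values).
REQUEST = build_arp_frame(ARP_REQUEST, PC1_MAC, "10.0.1.11", ZERO_MAC, "10.0.1.12", BROADCAST_MAC)
REPLY = build_arp_frame(ARP_REPLY, PC2_MAC, "10.0.1.12", PC1_MAC, "10.0.1.11", PC1_MAC)
UNANSWERED = build_arp_frame(ARP_REQUEST, PC1_MAC, "10.0.1.11", ZERO_MAC, "10.0.1.10", BROADCAST_MAC)
TIMED = [(0.0, UNANSWERED), (1.0, UNANSWERED), (2.0, UNANSWERED)]

if __name__ == "__main__":
    for frame in (REQUEST, REPLY):
        info = parse_frame(frame)
        print(info, "matches host 10.0.1.12:", host_filter_matches(info, "10.0.1.12"))
    print("gaps between repeated requests:", request_intervals(TIMED))
```

The request frame is 42 bytes (14 of Ethernet, 28 of ARP) and is addressed at the Ethernet layer, not the IP layer; parse_frame shows which fields Wireshark's ARP dissector is reading when you look at the Details pane in step A.5.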
Common Uses of ARP

arp -a                       Displays the contents of the ARP cache
arp -d IPAddress             Deletes the entry with the IP address specified
arp -s IPAddress MACAddress  Adds a static entry to the ARP cache that is never overwritten by network events

PART A: Experimenting with ARP

A.1: On PC1, view the ARP cache with the command arp -a and delete all entries with the -d option.
A.2: Start wireshark on PC1 with a capture filter set to the IP address of PC2.
A.3: Issue a ping command from PC1 to PC2:
PC1% ping -c 2 10.0.1.12
A.4: View the ARP cache again. The ARP cache entry is removed after 2 minutes, so if you do not see anything appear in the ARP cache, rerun parts A.1 to A.4 within 2 minutes.

SAVE DATA:
A.5: Save the wireshark data of only the ARP packets with the Details and Summary options selected.

PART B: ARP requests for a non-existing address

Here we will see what happens when an ARP request is issued for an IP address that does not exist on the network.

B.1: On PC1, start wireshark with a capture filter set to capture packets that contain the IP address of PC1.

SAVE DATA:
B.2: Try to establish a telnet session from PC1 to 10.0.1.10. Save the output (this requires redirecting stderr to stdout and then stdout to a file using the '>&' redirection, which we then pipe to tee so that you can also view the output):
PC1% telnet 10.0.1.10 >& >(tee /root/Desktop/Lab2-Ex2-B2-PC1-telnet.out)

SAVE DATA:
B.3: After telnet fails, stop the capture and observe the time interval and the frequency with which PC1 transmits ARP requests. Save the wireshark data with only the Print Summary Line checked.

BEFORE MOVING ON: Make sure that you have the data you need to be able to answer the following questions. Most questions require you to substantiate your answers with data collected in the exercises above.

2.1 In Part A, what is the destination MAC address of an ARP Request packet? Include a captured packet to support your answer.
2.2: How does ARP work? If possible, relate ARP to the link layer and what effect it has on network-layer communication. Include 2 packets to support your statement.
2.3: Why are ARP Request packets not encapsulated like IP packets? Explain.

Exercise 3: FTP and Telnet Experiments

A major problem with FTP and Telnet is that their passwords are sent across a network as plain text, without any encryption.

PART A: Snooping Passwords from FTP sessions

The goal is to capture traffic from an FTP session and find the password.

A.1: On PC1, start wireshark and set the capture filter to capture traffic between PC1 and PC2. The filter for this is:
host 10.0.1.11 and host 10.0.1.12
A.2: Start an FTP server on PC2 using the command vsftpd, and on PC1 start an FTP session to PC2:
PC1% ftp 10.0.1.12
A.3: Log in as root with password cmpe150, and then log out using the FTP quit command.
A.4: Stop the capture.
A.5: To inspect the data payloads of a sequence of FTP packets in wireshark, select a packet that contains a TCP segment in the main window. Now click Follow TCP Stream in the Analyze menu. This creates a new window that displays only the payload of the selected TCP connection. This will be helpful in future labs, but for now we do not need to use this. Close the window.

SAVE DATA:
A.6: Save only the packets that contain the login name and password. You will need to save with Packet Details checked and All Collapsed enabled.

PART B: Snooping for Telnet passwords

SAVE DATA:
B.1: Repeat the previous exercise using telnet instead of ftp. On PC1, connect to PC2 using telnet and save the output of the wireshark session with the Details option selected.
B.2: While using telnet, type the command echo "hello world". Save the output for answering the report.

BEFORE MOVING ON: Make sure that you have the data you need to be able to answer the following questions:

3.1 From Part A: Using the saved output, identify the port numbers of the FTP client and FTP server.
Include the relevant lines from the packets.
3.2 From Part A: Identify the login name and password, shown in plain text in the payload of the packets captured. Include the relevant FTP/IP headers in the lab report.
3.3 From Part B: Does Telnet have the same security flaws as FTP? Support your answer by showing the relevant headers from the data you captured.
3.4 Looking at the captured data, explain what happened when you entered echo "hello world". Explain why there are multiple packets being sent for each character.

Lab Report

Exercise 2 Questions: Use your saved data to answer the following questions:

2.1 In Part A, what is the destination MAC address of an ARP Request packet? Include a captured packet to support your answer.
2.2: How does ARP work? If possible, relate ARP to the link layer and what effect it has on network-layer communication. Include 2 packets to support your statement.
2.3: Why are ARP Request packets not encapsulated like IP packets? Explain.

Exercise 3 Questions:

3.1 From Part A: Using the saved output, identify the port numbers of the FTP client and FTP server. Include the relevant lines from the packets.
3.2 From Part A: Identify the login name and password, shown in plain text in the payload of the packets captured. Include the relevant FTP/IP headers in the lab report.
3.3 From Part B: Does Telnet have the same security flaws as FTP? Support your answer by showing the relevant headers from the data you captured.
3.4 Looking at the captured data, explain what happened when you entered echo "hello world". Explain why there are multiple packets being sent for each character.
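The plaintext-credential problem that Exercise 3 has you observe by hand is the same thing a network monitor can flag automatically. The Python below is an added example, not part of the handout: it takes a list of captured TCP segments (modelled after what Wireshark's summary plus payload shows), reassembles the client-to-server side of the FTP control connection the way Follow TCP Stream does, reports any USER/PASS pair with the password masked, and counts the one-byte segments of a Telnet session, which is where the per-character packets of question 3.4 come from. The addresses are PC1 and PC2 from the topology table; the client ports, the login name, the password and the Telnet exchange are all constructed placeholders.

```python
"""Flag cleartext logins (FTP port 21, Telnet port 23) in a list of captured TCP segments (added example)."""
import re
from dataclasses import dataclass

FTP_PORT, TELNET_PORT = 21, 23
CLIENT, SERVER = "10.0.1.11", "10.0.1.12"   # PC1 and PC2 from the lab topology table


@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes          # TCP data only; an empty payload is a pure ACK


def client_stream(segments, server_port: int) -> bytes:
    """Reassemble the client->server byte stream for one service (what Follow TCP Stream shows)."""
    return b"".join(s.payload for s in segments if s.dport == server_port)


def find_ftp_credentials(stream: bytes):
    """FTP sends USER and PASS as CRLF-terminated cleartext commands on the control channel.
    Returns (user, masked password) pairs so a report never repeats the secret itself."""
    users = re.findall(rb"^USER (\S+)\r\n", stream, re.M)
    passwords = re.findall(rb"^PASS (\S+)\r\n", stream, re.M)
    return [(u.decode(), "*" * len(p)) for u, p in zip(users, passwords)]


def telnet_keystroke_segments(segments):
    """Count one-byte client segments and one-byte server echoes: the signature of a
    character-at-a-time Telnet session, in which every keystroke crosses the wire by itself."""
    typed = sum(1 for s in segments if s.dport == TELNET_PORT and len(s.payload) == 1)
    echoed = sum(1 for s in segments if s.sport == TELNET_PORT and len(s.payload) == 1)
    return typed, echoed


def audit(segments):
    """Produce one finding per cleartext-authentication exposure seen in the capture."""
    findings = []
    for user, masked in find_ftp_credentials(client_stream(segments, FTP_PORT)):
        findings.append(f"cleartext FTP login user={user} pass={masked}")
    typed, echoed = telnet_keystroke_segments(segments)
    if typed:
        findings.append(f"cleartext Telnet session: {typed} keystroke segments, {echoed} echoes")
    return findings


def typed_telnet(text: str, client_port: int = 40001):
    """Constructed character-at-a-time Telnet exchange: each keystroke goes out in its own segment,
    the server echoes it back (its ACK rides on the echo), and the client ACKs the echo."""
    out = []
    for ch in text.encode():
        out.append(Segment(CLIENT, SERVER, client_port, TELNET_PORT, bytes([ch])))   # keystroke
        out.append(Segment(SERVER, CLIENT, TELNET_PORT, client_port, bytes([ch])))   # echo + ACK
        out.append(Segment(CLIENT, SERVER, client_port, TELNET_PORT, b""))           # pure ACK
    return out


# Constructed sample capture: an FTP login with placeholder credentials followed by a short Telnet command.
SAMPLE = [
    Segment(SERVER, CLIENT, FTP_PORT, 40000, b"220 FTP server ready\r\n"),
    Segment(CLIENT, SERVER, 40000, FTP_PORT, b"USER alice\r\n"),
    Segment(SERVER, CLIENT, FTP_PORT, 40000, b"331 Please specify the password.\r\n"),
    Segment(CLIENT, SERVER, 40000, FTP_PORT, b"PASS s3cret\r\n"),
    Segment(SERVER, CLIENT, FTP_PORT, 40000, b"230 Login successful.\r\n"),
    Segment(CLIENT, SERVER, 40000, FTP_PORT, b"QUIT\r\n"),
] + typed_telnet("echo hi\r")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running the block prints one finding for the FTP login and one for the Telnet session. The Telnet count is the part worth comparing with your own capture from Part B: with three segments per keystroke in this model, a command of n characters produces 3n packets before the server ever runs it.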