Ethereal Exercise 1: Introduction to Ethereal

Transcription

1 Course: Semester: ELE437 Ethereal Exercise 1: Introduction to Ethereal While the ELE437 course doesn t have a lab component, many of the experiences in lab-based courses can be done as homework assignments instead. Applications such as Ethereal, which is available for Windows, MacOS, Linux/Unix, and other platforms, make it possible to capture network activity and analyze it from the physical layer up to the application layer. With Ethereal, you can also open previously recorded capture sessions and analyze the timing, addresses, protocols, and other information. Assumed Background Knowledge A basic understanding of the following items are assumed throughout this exercise. Most of them are from Chapter 1 of the Tanenbaum textbook: Protocol hierarchies, the OSI model, and the TCP/IP reference model. What the Physical, Data Link, Network, Transport, and Application layers are. What Ethernet is and what protocol layer it is at How a packet at one layer fits into a packet at a lower layer: o In the figure below, a high-layer packet at Layer N+1 is equivalent to the payload of another packet at a lower layer (Layer N). Even if the packet at Layer N+1 has a header or trailer, they will be treated as part of the payload once the data is passed down to Layer N. This makes it possible to use any number of different protocols at Layer N+1 without necessarily having Layer N know what protocol is being used at Layer N+1. o In general, the only requirement between neighboring layers is that they must have interfaces that allow them to pass data back and forth. o See Chapters 3 and later of the textbook for more details on packets. Figure 0: Simplified Packet-to-Payload Layering Relationship 1

2 Exercise 1 In order to become familiar with Ethereal, it s useful to step through the capture process on your own. Examining a pre-recorded capture file can also be very useful, so both will be done in this exercise. Of course, the Ethereal application needs to be installed first, so that must be done first. Part A: Downloading and Installing Ethereal The latest version of Ethereal can be downloaded for your operating system at Version was used for the screenshots in this document, but other versions should be very similar. Once the Ethereal installer has been downloaded, simply run it. DO NOT download the source code unless you are willing and able to compile it for your platform. If using Linux, you ll need to be root to perform Part B. Part B: Configuring Ethereal and Capturing Packets Now that Ethereal has been installed, it can be run from the Start menu (for Windows users) or by typing ethereal at a command line (for other operating systems). Once open, a window similar to the following one should appear: Figure 1: Ethereal with no capture data loaded 2

3 First, you need to find an active network interface to capture data from. Go to the Capture menu (ALT+C) and select Interfaces (I). Figure 2: Basic Capture Interface Information The window above should appear with all of the network interfaces in your system listed under the Description heading. You can find an active network interface to use for capturing by observing which interface has a steadily increasing number under the Packets heading. In this case, the Motorola USB Cable Modem is active. Once an active interface has been identified, press the Prepare button on that interface s row. The Capture Options box will then appear, as shown in Figure 3. Under Display Options, select the Update list of packets in real time checkbox. Under Capture, deselect the Capture packets in promiscuous mode checkbox. When these changes have been made, press Start to begin capturing packets. A capture summary window will appear and the main Ethereal window will begin to fill up with packet data. After you see the main Ethereal window fill up with packet data, press the Stop button in the Capture window shown in Figure 4. Please note that your capture results are likely to be very different from the precaptured data file that you ll be looking at in the next section. 3

4 Figure 3: Ethereal s Capture Options Dialog box Figure 4: Capture Status window in Ethereal 4

5 Part C: Examining a Pre-Recorded Capture File Now that you know how to perform your own capture, it s necessary to examine a pre-recorded capture file. This will make it possible to point out all of the different information that appears in Ethereal when a capture is performed so that you can knowledgably analyze your own packet captures in the future. In Figure 5 on the next page, the capture file quietcapture.cap has been opened in Ethereal. You can download this file from the ELE437 web site at This is a capture from a quiet network in which the activity involves only two computers. One of the computers is sending out packets to request services available over the network (packets using the SSDP protocol) while the other computer provides information about itself (the packet using the BROWSER protocol). Descriptions of the data in this capture will be given on the next few pages. The capture data in the main window is divided into three parts: 1) Trace List Pane (Top) In this pane, basic information about the packets captured such as the time, source IP, destination IP, and protocol are given. By clicking on the column labels at the top such as Source or Protocol, the capture data will be sorted by the selected label. This makes it easy to group all packets together that have the same source IP address, destination IP address, or use the same protocol. SSDP Protocol: Looking at the Protocol column, most of the packets are using the SSDP protocol. SSDP, which stands for Simple Service Discovery Protocol, is a protocol that allows networked computers to discover remote services and devices that are available for them to use. It also allows networked computers to announce new services and devices that they re willing and able to share. Currently, most SSDP-capable devices are printers, fax machines, and other computers on a network. However in the future it may even be possible to have an SSDP-capable coffee maker that is automatically detected by your computer and that can be easily programmed to make particular types of coffee on different days and at different times for each network client. 5

6 Figure 5: Captured Packets from a Quiet Network 6

7 BROWSER Protocol: The only other protocol in the trace list is BROWSER. This is the Microsoft Windows Browser Protocol, and in this case it is being used by the computer with IP address to tell other computers about itself (it provides the computer name, workgroup name, OS version, etc). 2) Protocol Layer Pane (Middle) This pane shows which protocols were used for the packet currently selected in the Trace List pane. The protocol listing begins at the physical layer and then includes the data link, network, transport, and application layers in that order. In the example above, the protocol breakdown starting at the data link layer is as follows: Data Link Layer: Ethernet II Network Layer: Internet Protocol (IP) Transport Layer: User Datagram Protocol (UDP) Application Layer: Hypertext Transfer Protocol (HTTP) At each layer, the (plus sign) to the left of the protocol name can be clicked on to get more details on the packet data. For example, you can see in Figure 6 that at the physical layer the arrival time and length of the packet were recorded. These pieces of information aren t actually a part of the transmitted packet, but are recorded by Ethereal to maximize the amount of information you have about any packets received, even at a very low level. Figure 6: Physical Layer Data in the Protocol Pane To see data that was actually part of a transmitted packet you can look at the details for any of the higher-level protocols. In Figure 7, Ethereal has used the bytes of the IP header (detailed in Figure 5-53 on page 434 of the textbook) to obtain the information shown. The details at the network layer show us what version of IP was used, the length of the IP packet header, the length of the IP packet, and other important details. Of course, the source and destination IP addresses given on the summary line at the top are in the details as well. 7

8 Figure 7: Network Layer Data in the Protocol Pane 3) Raw Packet Pane (Bottom) Finally, the pane at the bottom of Figure 5 contains the hexadecimal and ASCII representations of packet data in their raw forms. By selecting a particular layer line in Protocol Layer pane, all of the packet data related to that layer will be highlighted in the Raw Packet pane. For example, in Figure 8 the transport layer line for the User Datagram Protocol (UDP) has been selected in the Protocol Layer pane and the corresponding bytes are highlighted in the Raw Packet pane. Notice that the first two hex bytes, 0x07 and 0x6D form the 16-bit number 0x76D and that the decimal equivalent is This is the source port number, as shown in the selected line of the Protocol Layer pane. Similarly, the destination port is in the next two bytes, 0x07 and 0x6C. For more details on UDP and the UDP header format, see Section 6.4 of the textbook on page 524. Figure 8: Transport Layer Data in the Raw Packet Pane If you instead select the application layer line for the Hypertext Transfer Protocol (HTTP), you will notice that the meaningful information in the Raw Packet Pane is the highlighted ASCII characters. This brings up an important point: at the physical, data link, network, and transport layers most of the meaningful information will be in the form of bits and bytes representing addresses, ports, and other information in packet headers. 8

9 As a result, the selected ASCII characters at these layers are likely to have no meaning while the selected hex data can be interpreted more easily. At the application layer however, the highlighted ASCII characters can be very useful since web browsers, clients, and chat programs are likely to transmit and receive ASCII text. Of course, not all data at the application layer is text, and some text may be encrypted, so in some cases neither the hexadecimal nor the ASCII display in the Raw Packet Pane will provide any obviously meaningful information. In these cases, Ethereal may only be able to tell you that a TCP packet is pre Part D: Trace Summary Statistics While the Trace List, Protocol Layer, and Raw Packet panes provides varying levels of detail about a network capture, Ethereal can also provide you with a simple summary of the entire capture. You can get to the summary in Ethereal by going to the Statistics menu (ALT+S) and selecting Summary (S), as shown in Figure 9. Figure 9: Opening the Capture Summary in Ethereal Figure 10 shows the summary for the quietnetwork.cap file used in this exercise. Useful information such as the number of packets captured, the total number of bytes captured, and the average data rate are given. 9

10 Figure 10: Capture Summary for quietnetwork.cap Online Resources Simple Service Discovery Protocol (SSDP): Address Resolution Protocol (ARP): 10

11 Questions Use the quietnetwork_15minutes.cap capture trace file from to answer the following questions. 1. For the capture file specified above, a. How many seconds does Ethereal report the trace to be? b. What are two different ways to determine this? 2. When this trace was captured, a capture limit of 15 minutes was specified. However, the trace length shows up as less than 15 minutes. Why? 3. How many packets appear in this trace? 4. In quietnetwork.cap we saw two types of packets: SSDP announcements from one computer and a BROWSER announcement from another PC. a. Do you see these types of packets in quietnetwork_15minutes.cap? b. If yes, what is the packet number for the first SSDP packet and the first BROWSER packet? 5. What other protocols appear in the trace, if any? Click on the heading for the Protocol column to sort the packets by protocol to make this easier. 6. In quietnetwork.cap, we saw only two different source IP addresses, and a. Do you see any additional source IP addresses in the quietnetwork_15minutes.cap trace? (Note: If your capture only shows the MAC address for some packets, you must examine them to find the IP address) b. If yes, give the IP address and any packet number at which is occurs. Grading - 12 points - The questions have the following point values: 1) 3 points (1 for a, 2 for b) 2) 2 points 3) 1 point 4) 3 points (1 for a, 2 for b) 5) 1 point 6) 2 points (1 for each) 11