5. Write a capture filter for question 4.

Transcription

1 Pre-Lab 2: Introduction into Wireshark 1. Review Linux man pages for arp at and the Address Resolution Protocol (ARP) RFC (RFC 826) at For Wireshark commands visit wiki.wireshark.org/capturefilters and for help on the questions below. Pre-Lab 2 Questions: 1. Write the syntax for a wireshark command with a capture filter so that all IP datagrams with a source or destination IP address equal to are recorded. 2. Write the syntax for a wireshark display filter that shows IP datagrams with a destination IP address equal to and frame sizes greater than 400 bytes. 3. Write the syntax for a wireshark display filter that shows packets containing ICMP messages with a source or destination IP address equal to and with frame numbers between 15 and Write the syntax for a wireshark display filter that shows packets containing TCP segments with a source or destination IP address equal to and using port Write a capture filter for question 4.

2 LAB TWO: Wireshark 2 LAB 2 The purpose of this lab is to acquaint yourself with wireshark. As you saw in Lab 1, tcpdump has functionality very similar to that of wireshark, albeit with fewer features. Although we will not explicitly talk about tcpdump from here forward, keep in mind that there are some tasks that tcpdump is better suited. NOTE: Remember to reboot the machines before using them by either using the GNOME reboot option or typing reboot in the terminal as root. If you fail to reboot, system settings will linger from the previous users session. NOTE: Please submit file whose name follows the following format: Lab[#]-Ex[#]-[part][#]- PC[#]-command Example: Lab1-Ex2-A1-PC1-ls For saving your files, review the linux lab for how to mount a USB drive; otherwise, save files to desktop and use drag and drop to copy files to/from the USB drive. Network Setup FOR LAB 2 Connect the PCs according to the diagram below to a single switch (Same as in Lab 1). Note: do not use port 24 on the switches as it has been configured to behave differently from the other ports you will find out about this in later labs. 1.1 Topology for Lab 2 The table below contains the IP address for each of the Linux PCs; these should be preconfigured: PC IP address of eth0 PC /24 PC /24 PC /24 PC /24-2 -

3 LAB TWO: Wireshark 3 Exercise 1: Wireshark, Ping, and Telnet In this exercise you will familiarize yourself with the display and capture filters in wireshark and how they can be used to assist you in further exercises. PART A: Using Capture Filters in Wireshark In this section you will review the traffic capture capabilities of wireshark. A.1: Start wireshark on PC1 and set the same capture preferences as shown in the figure (using the Capture:Options... menu item). These should be used for all experiments. A.2: Setting a capture filter: In Filter box set a filter so that all packets that contain the IP address of PC2 are recorded. A.3: Start the capture by clicking Start in the Capture Options window. A.4: In another terminal window on PC1, issue a ping to PC2 with two packets: PC1% ping c A.5: Stop the capture process, but DO NOT close wireshark. Save Data: A.6: Save the results (by using print) of the capture with only Print Summary Line checked. Save to file Lab2-Ex1- A6-PC1-Wireshark.out (Remember that you will need to provide the full path or click browse and then type the file name

4 LAB TWO: Wireshark 4 PART B: Using Display Filters in Wireshark This section will familiarize you with display filters that can be extremely useful for visualizing a specific set of data within a captured set. B.1: To set a display filter use the Filter bar at the top of the window as shown below. Click the Clear button next to the bar to clear any existing filter. Click the Filter button for help constructing a display filter. Now enter a display filter that shows all IP datagrams with a destination IP address of To activate the display filter hit enter or click Apply. Save Data: B.2: Save the displayed data using the print summary option with the Displayed (top right of Packet Range menu) option selected. You ll notice that, if you open the file used to save the data, the only packets saved were the ones filtered by the display filter. Save Data: B.3: Repeat B2, but use a display filter for ARP packets. Using print, save the output. PART C: Complex Display filters Here we will dive into more complex display filters that will require the use of AND (& or &&) and OR ( ) to filter data with multiple conditions. C.1: On PC1, use wireshark and start traffic capture using the settings from Part A, but with no capture filter. C.2: Simultaneously, in two windows on PC1, run the following two commands to ping PC2 with 5 packets and start a telnet session to PC2 from PC1. For the telnet session login as root then logout with the command exit. PC1% ping c PC1% telnet C.3: Stop the traffic capture; DO NOT close wireshark

5 LAB TWO: Wireshark 5 Save Data: For each of the following steps, save all data as Print Summary after applying the specified display filter. Remember to also select Displayed in the Packet Range submenu. C.4: Display only packets that contain ICMP messages with the IP address of PC2 as either the destination or source address. C.5: Display packets that contain TCP traffic with the IP address of PC2 either as the source or destination. C.6: Display packets have a source IP address of PC2 and use port number 23. Exercise 2: Address Resolution Protocol (ARP) This exercise will help you become familiar with ARP (Address Resolution Protocol). ARP resolves, the MAC address for a given IP address. Common Uses of ARP arp -a Displays the contents of the ARP cache arp d IPAddress Deletes the entry with the IP address specified arp s IPaddress MACAddress Adds a static entry to the ARP cache that is never overwritten by network events. PART A: Experimenting with ARP A.1: On PC1 view the ARP cache with the command arp a and delete all entries with the d option. A.2: Start wireshark on PC1 with a capture filter set to the IP address of PC2. A.3: Issue a ping command from PC1 to PC2: PC1% ping c A.4: View the ARP cache again. The ARP cache entry is removed after 2 minutes. Make sure that if you do not see anything appear in the ARP cache to rerun part A.1 A.4 within 2 minutes. A.5: Save the wireshark data of only the ARP packets with details and summary options selected. PART B: ARP requests for a non-existing address Here we will see what happens when an ARP request is issued for an IP address that does not exist on the network. B.1: On PC1, start wireshark with a capture filter set to capture packets that contain the IP address of PC1. B.2: Try to establish a telnet session from PC1 to Save the output (this will require redirecting stderr to stdout, and then stdout to a file using the >& redirection which we can then pipe to tee so that you can also view the output). PC1% telnet >& >(tee /root/desktop/lab2-ex2-b2-pc1-telnet.out) B.3: After telnet fails, stop capture and observe the time interval and the frequency with which PC1 transmits ARP requests. Save the wireshark data having only the print summary line checked

6 LAB TWO: Wireshark 6 BEFORE MOVING ON: Make sure that you have the data you need to be able to answer the following question. Most questions require you to substantiate your answers with data collected in the exercises above. 2.1 In Part A, what is the destination MAC address of an ARP Request packet? Include a captured packet to support your answer. 2.2: How does ARP work? If possible, relate ARP to the link-layer and what affect it has on network layer communication. Include 2 packets to support your statement. 2.3: Why are ARP Request packets not encapsulated like IP packets? Explain. Exercise 3: FTP and Telnet Experiments A major problem with FTP and Telnet is that their passwords are sent across a network as plain text, without any encryption. PART A: Snooping Passwords from FTP sessions The goal is to capture traffic from an FTP session and find the password. A.1: On PC1 start wireshark and set the capture filters to capture traffic between PC1 and PC2. The filter for this is: host and host A.2: Start an FTP server on PC2 using the command vsftpd, and on PC1 start an FTP session to PC2: PC1%: ftp A.3: Log in as root and password cmpe150 and then logout using the FTP quit command. A.4: Stop the capture. A.5: To inspect the data payloads of a sequence of FTP packets in wireshark select a packet that contains a TCP segment in the main window. Now click Follow TCP Stream in the Analyze menu. This creates a new window that displays only the payload of the selected TCP connection. This will be helpful in future labs, but for now, we do not need to use this. Close the window. A.6: Save only the packets that contain the login name and password. You will need to save with Packet Details checked with All Collapsed enabled. PART B: Snooping for telnet passwords B.1: Repeat the previous exercise using telnet instead of ftp. On PC1 connect to PC2 using telnet and save the output of the wireshark session with detailed option selected. B.2: While using telnet, type the command echo hello world. Save the output for answering the report. BEFORE MOVING ON: Make sure that you have the data you need to be able to answer the following question: 3.1 From Part A: Using the save output, identify the port numbers of the FTP client and FTP server. Include the relevant lines from the packets. 3.2 From Part A: Identify the login name and password, shown in plain text in the payload of the packets captured. Include the relevant FTP/IP headers in the lab report. 3.3 From Part B: Does Telnet have the same security flaws as FTP? Support your answer by showing the relevant headers from the data you captured

7 LAB TWO: Wireshark Looking at the captured data explain what happened when you entered echo hello world. Explain why there are multiple packets being sent for each character

8 LAB TWO: Wireshark 8 Lab Report Exercise 2 Questions: Use your saved data to answer the following questions: 2.1 In Part A, what is the destination MAC address of an ARP Request packet? Include a captured packet to support your answer. 2.2: How does ARP work? If possible, relate ARP to the link-layer and what affect it has on network layer communication. Include 2 packets to support your statement. 2.3: Why are ARP Request packets not encapsulated like IP packets? Explain. Exercise 3 Questions: 3.1 From Part A: Using the save output, identify the port numbers of the FTP client and FTP server. Include the relevant lines from the packets. 3.2 From Part A: Identify the login name and password, shown in plain text in the payload of the packets captured. Include the relevant FTP/IP headers in the lab report. 3.3 From Part B: Does Telnet have the same security flaws as FTP? Support your answer by showing the relevant headers from the data you captured. 3.4 Looking at the captured data explain what happened when you entered echo hello world. Explain why there are multiple packets being sent for each character