COMP416 Lab (3) ARP, Ethernet

Transcription

1 COMP416 Lab (3) ARP, Ethernet

2 2 Content Investigate the ARP protocol and the Ethernet protocol. Understand the ARP spoof attack. Slides bus.html Wireshark Y:\Win32\WiresharkPortable

3 Ethernet II Frame 3

4 4 What is ARP? The ARP protocol typically maintains a cache of IP-to-Ethernet address translation pairs on your computer. You can use the arp command to view and manipulate the contents of this cache. Windows: arp -a

5 5 ARP Protocol Ethernet is 1 IPv4: 0x for request, 2 for reply

6 6 Exercise (1) Clear web cache, start packet capture and visit: Stop capture and record the packet number of 1 st HTTP GET request and response between your computer and www4.comp.polyu.edu.hk. Select the Ethernet frame containing the HTTP GET request message and expand the Ethernet II information in the packet details window. Then answer questions (1).

7 7 Questions (1) Based on previous operations, (2 marks for each) a. What is the 48-bit Ethernet address of your computer? b. What is the 48-bit destination address in the Ethernet frame? Is this the Ethernet address of www4.comp.polyu.edu.hk? Explain the reason. c. Give the hexadecimal value for the two-byte Frame type field and its meaning. d. How many bytes from the very start of the Ethernet frame does the ASCII G in GET appear in the Ethernet frame? e. What is the hexadecimal value of the CRC field in this Ethernet frame?

8 8 Questions (2) Select the Ethernet frame containing the first byte of the HTTP response message, expand the Ethernet II information, (2 marks for each) a. What is the value of the Ethernet source address? Is this the address of your computer, or of www4.comp.polyu.edu.hk? b. What is the destination address in the Ethernet frame? Is this the Ethernet address of your computer? c. Give the hexadecimal value for the two-byte Frame type field and its meaning. d. How many bytes from the very start of the Ethernet frame does the ASCII O in OK appear in the Ethernet frame? e. What is the hexadecimal value of the CRC field in this Ethernet frame?

9 9 Exercise (2) Run the arp command. Write down the contents of your computer s ARP cache. What is the meaning of each column s value? Clear the ARP cache with arp d *. Clear browser cache and capture again for Stop capture and find the first two frames in the trace containing ARP messages. Then answer the questions below.

10 10 Question (3) In the Ethernet frame containing the ARP request message (2 marks for each) a. What are the hexadecimal values for the source and destination addresses? b. Give the hexadecimal value for the two-byte Ethernet Frame type field and its meaning. c. How many bytes from the very beginning of the Ethernet frame does the ARP opcode field begin?

11 11 Question (3) (cont d) d. What is the value of the opcode field within the ARP-payload part and its meaning? e. Does the ARP message contain the IP address of the sender? f. Where in the ARP request does the question appear the Ethernet address of the machine whose corresponding IP address is being queried? (Hint: which fields in the ARP request)

12 12 Questions (4) In the Ethernet frame which contains the corresponding ARP reply: (2 marks for each) a. How many bytes from the very beginning of the Ethernet frame does the ARP opcode field begin? b. What is the value of the opcode field within the ARPpayload part of the Ethernet frame and its meaning? c. Where in the ARP message does the answer to the earlier ARP request appear the IP address of the machine having the Ethernet address whose corresponding IP address is being queried?

13 13 ARP Spoof Attack We constantly send the victim fake ARP answers. The victim makes a wrong entry in his ARP cache. Next time the victim wants to send an IP packet to the router, it will use our MAC address, therefore getting the IP packets.

14 14 Questions (5) Explain the fundamental weak point of ARP protocol that causes this attack. (5 marks) (Optional) Try to conduct a successful ARP spoof attack with your classmates, and record the whole procedures. Windows: Arpspoof Linux: arpspoof in dsniff

15 CRC In Wireshark Reply to What is the hexadecimal value of the CRC field in this Ethernet frame?

16 Frame Check Sequence (FCS) Wireshark uses FCS term to represent CRC in Ethernet packet. However, normally you could not see FCS. Because the underlying mechanisms simply don't supply it. Most OSes do not support capturing the FCS of a frame on Ethernet, and probably do not support it on most other linklayer types. Therefore, Wireshark will typically only display green fields.

17 Detailed Explanation Wireshark can only capture data that the packet capture library can capture. libpcap/winpcap can capture only the data that the OS's raw packet capture mechanism will allow it to capture. For any particular link-layer network type, unless the OS supplies the FCS of a frame as part of the frame, or can be configured to do so, Wireshark - and other programs that capture raw packets, such as tcpdump - cannot capture the FCS of a frame.

18 Response to Our Question What is the hexadecimal value of the CRC field in this Ethernet frame? You can have two choices now: Calculate CRC by yourself. Simply use the last four bytes of existing Ethernet frame to demo it. This is acceptable for your report.