Introduction to Analyzer and the ARP protocol




Laboratory 6: Introduction to Analyzer and the ARP protocol

Objectives

Network monitoring tools are of interest when studying the behavior of network protocols, in particular TCP/IP, and for determining the performance and/or failures of a real operating network. From our point of view, this kind of tool allows students to verify and understand the fundamentals of networks in general by performing real experiments that show the functionality of protocols (encapsulation, header decoding, IP fragmentation, message sequencing, flow control, etc.), so they are an interesting complement for practicing the theory contents of computer networks. So, in this session we are going to study one of the several available network analyzer tools: Analyzer. This tool works on top of another component called WinPcap, which has to be installed first. Both packages can be found at http://analyzer.polito.it/

Overview

To start a new packet capture session, a filter specification is required in order to capture only the packets you are interested in. If a filter is not specified, all packets that your network hardware is able to hear are captured. As can be seen in figure 1, the main window shows the main menu and several toolbars with the different actions supported. To start a capture session you can select the corresponding menu entry or the icon marked in the figure with an arrow.

Figure 1. Main Analyzer window

After that action, a filter selection window appears. Check that a network adapter is selected. If not, you have to choose the network adapter that the software will use in the capture session.

Once the network adapter is chosen, we are ready to define the desired capture filter. In this case, we will establish an ARP filter. Several choices are presented to the user. One of them consists of selecting a predefined filter from the panel at the right side of the filter selection window. Alternatively, you can write your own filter, using a syntax similar to the one used by the TCPDUMP tool. At the end of this memo you can find these filter definition rules in Annex A.

On the other hand, you can enable promiscuous capturing mode. By default, the selected network adapter will capture only the packets whose destination matches our host's MAC address, broadcast packets, and packets delivered to the multicast groups our host has registered. Promiscuous mode is required in order to capture every packet our adapter receives, including those exchanged between other hosts.

The next step consists of launching the capture process using the user-defined filter. After stopping the capture process, the analyzer will show the list of captured packets, as shown in the figure below.

[Figure: captured packet list; header field values; content of the data field in both hex and ASCII notation]

Steps

(1) Capturing IP packets

In our first contact with the network analyzer tool, we are going to define a capture session of our network IP traffic.

Step #1: Start a capture session by selecting the menu entry File > New Capture... or the corresponding toolbar icon.

Step #2: Define a capture filter that is able to get all incoming/outgoing network frames that contain an IP packet. We may choose the IP protocol in the protocol filter panel (at the right side of the filter selection window) or type ip in the user-defined filter text box. If we do not want the broadcast and multicast traffic, we can exclude it in the user-defined filter text box by typing: ip and not ip broadcast and not ip multicast.

Step #3: Once the filter is defined, the capturing process starts by pressing the OK button.

Step #4: Now, we are going to produce network traffic with a web browser (Netscape, Explorer) requesting one URL from a remote web server. After the requested URL is downloaded, you should get a packet capture list like the following one:

Step #5: Select the first captured frame. This frame should have been sent by your host. Usually, this frame corresponds to a DNS request asking for the IP address associated with the web server name included in the URL.

Step #6: Analyze the Ethernet and IP headers of the first captured frame. Fill in table 1.1.

Table 1.1: Ethernet and IP header fields
  Destination MAC address:
  Source MAC address:
  Type:
  Version:
  Hlen:
  Service type:
  Length:
  ID:
  Flags:
  Fragment offset:
  TTL:
  Protocol:
  Header checksum:
  Source IP address:
  Destination IP address:
  Options (may be null):
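As an added illustration of Step #6 (this is not code from the lab handout or from Analyzer), the following Python decodes every row of Table 1.1 from a raw Ethernet frame and verifies the IP header checksum, which is the check a practitioner applies before trusting any other header field. The frame it decodes is constructed inside the script (a UDP datagram to port 53 from 192.168.1.10 to 8.8.8.8 with made-up MAC addresses), not a real capture; the dictionary keys mirror the rows of Table 1.1.

```python
import struct


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071). Over a header whose
    checksum field is already filled in, a valid header yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_ethernet(frame: bytes):
    """Ethernet header rows of Table 1.1, plus the payload that follows them."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "type": etype}, frame[14:]


def parse_ipv4(packet: bytes):
    """IP header rows of Table 1.1, plus a checksum verdict and the payload."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    (vihl, tos, length, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, hlen = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or hlen < 20 or hlen > len(packet):
        raise ValueError("not a well-formed IPv4 header")
    fields = {
        "version": version, "hlen": hlen, "service_type": tos, "length": length,
        "id": ident,
        "flags": flags_frag >> 13,                     # bit 1 = DF, bit 0 = MF
        "fragment_offset": (flags_frag & 0x1FFF) * 8,  # carried in 8-byte units
        "ttl": ttl, "protocol": proto, "header_checksum": csum,
        "src_ip": ip_str(src), "dst_ip": ip_str(dst),
        "options": packet[20:hlen],                    # empty when hlen == 20
        "checksum_ok": ipv4_checksum(packet[:hlen]) == 0,
    }
    return fields, packet[hlen:]


def decode_table_1_1(frame: bytes) -> dict:
    """All rows of Table 1.1 for one frame, keyed by row name."""
    eth, payload = parse_ethernet(frame)
    if eth["type"] != 0x0800:
        raise ValueError("not an IPv4 frame (EtherType 0x%04x)" % eth["type"])
    ip, _ = parse_ipv4(payload)
    return {**eth, **ip}


def build_sample_frame() -> bytes:
    """Constructed frame for the demo (not a capture): a UDP datagram to port 53
    with a 4-byte stub payload, made-up MAC addresses, DF set, TTL 64."""
    payload = b"\xab\xcd\x01\x00"
    udp = struct.pack("!HHHH", 53000, 53, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1C46, 0x4000, 64, 17, 0,
                      bytes([192, 168, 1, 10]), bytes([8, 8, 8, 8]))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]  # fill checksum
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + hdr + udp


if __name__ == "__main__":
    for row, value in decode_table_1_1(build_sample_frame()).items():
        print("%-24s %r" % (row, value))
```

Running the script prints one line per Table 1.1 row. The checksum_ok entry is the practitioner's sanity check: flipping any byte of the IP header turns it False, while a corrupted payload leaves it True because the IP checksum covers the header only. Options comes back empty because Hlen is 20; a larger Hlen would expose the option bytes.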

Steps & Questions

ARP command

Unfortunately, IP addresses are only virtual addresses that identify every host on the Internet. They cannot be used for exchanging Ethernet frames between hosts belonging to the same LAN (see the Ethernet frame header format). Notice that your network adapters are identified by a unique 48-bit MAC address. This address must be specified in every outgoing frame to identify the source and destination hosts. So, when the IP protocol is going to send a packet, it has to encapsulate the IP packet in a frame with the appropriate source and destination MAC addresses to allow delivery in our network. The ARP (Address Resolution Protocol) offers an address translation service to the IP protocol: it is able to obtain the MAC address associated with an IP address belonging to a host in our LAN.

In this session, we propose the use of the arp command. This command allows users to inspect the ARP cache, a temporary cache buffer in our host where the discovered MAC-IP address associations are stored. Although this command also allows users to manage this information, the ARP protocol itself is in charge of keeping it updated and coherent. Some tasks we can do with the arp command are:
  - Show the content of the local ARP cache (arp -a)
  - Remove one or several cache table entries (arp -d IP_address or arp -d *)
  - Add a cache table entry (arp -s IP_address MAC_address)

(2) Using the ARP command

Step #1: From a Windows console window, invoke the command arp -a in order to check whether the ARP cache is empty. If there is at least one entry, close all Windows applications that are currently using network services and remove all entries of the cache (arp -d *). Run your favourite web browser and open the following URL: http://158.42.180.64 (www.redes.upv.es web server address). Check again the contents of the ARP cache and write the information supplied by the arp command in table 2.1.

Table 2.1: Content of the ARP cache
  IP address | MAC address

Step #2: Remove the entries in the ARP cache table (or wait around 2 minutes :-) and repeat the same operations as in step #1, this time opening the URL http://www.uji.es. Fill table 2.2 with the current contents of the ARP cache.

Table 2.2: Content of the ARP cache
  IP address | MAC address

Question 2.1: Which host is the owner of the MAC address stored in the ARP cache? Do you think that this address corresponds to the www.uji.es host? Why?

Step #3: Now, we proceed with the Analyzer to observe the ARP protocol in action. So we will launch:
  (a) A console window to inspect the ARP cache through the arp command and to execute ping commands that inject IP packets into the network.
  (b) The Analyzer, to capture the incoming and outgoing traffic.

First of all, we will prepare the Analyzer for capturing packets as we did before. Now, we are going to capture all ARP packets. Then, in the console window we empty the ARP cache with the command arp -d *. Once the ARP cache is empty, we start the packet capture. From the console window, we call the ping command: ping zoltar.redes.upv.es. We will explain the ping command in the next lab session; for our purpose, the ping command sends several IP packets to the specified remote host. When the ping command is over, inspect the contents of the ARP cache with the command arp -a and stop the capturing process. Fill table 3.1 with the contents of the ARP cache.

Table 3.1: Content of the ARP cache
  #   IP address | MAC address
  1
  2
  3

Check the captured packets in the Analyzer. In the best case, there will be only two packets: an ARP REQUEST and the corresponding ARP RESPONSE. However, it is common that other ARP REQUESTs are present in the capture. For our purpose, we will omit these packets. Fill in the following tables from the data included in the ARP REQUEST packet:

Table 3.2: Frame header
  Destination MAC address:
  Source MAC address:
  Type:

Table 3.3: ARP REQUEST message
  Hardware type:
  Protocol:
  MAC address length:
  Protocol address length:
  Operation code:
  Source MAC address:
  Source IP address:
  Target MAC address:
  Target IP address:

Do the same with the contents of the ARP RESPONSE packet.

Table 3.4: Frame header
  Destination MAC address:
  Source MAC address:
  Type:

Table 3.5: ARP RESPONSE message
  Hardware type:
  Protocol:
  MAC address length:
  Protocol address length:
  Operation code:
  Source MAC address:
  Source IP address:
  Target MAC address:
  Target IP address:

Question 3.1: Which ARP cache entry of Table 3.1 was produced by these ARP packets?

Question 3.2: If there are other cache entries in Table 3.1, which captured packets are they related to?

Question 3.3: Which ARP cache entry in Table 3.1 would be removed first? Why?
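As an added example (not code from the lab handout or from Analyzer), serving both the decoding of Tables 3.2 to 3.5 and the cache coherence point raised in the ARP command section, the following Python parses ARP REQUEST and RESPONSE frames field by field, then builds an IP-to-MAC cache from the replies the way a host's cache would and reports any IP address whose MAC changes between replies. Every frame and address in it (10.0.0.5, 10.0.0.1, the aa:bb:cc:dd:ee:xx MACs) is constructed inside the script; the third frame is a deliberately inconsistent reply so that the coherence check has something to report.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_ethernet(frame: bytes):
    """Frame header rows of Tables 3.2 / 3.4, plus the payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "type": etype}, frame[14:]


def parse_arp(payload: bytes) -> dict:
    """ARP message rows of Tables 3.3 / 3.5 (Ethernet/IPv4 ARP only)."""
    if len(payload) < 28:
        raise ValueError("ARP message shorter than 28 bytes")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet (1) / IPv4 (0x0800) ARP is decoded here")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {"hardware_type": htype, "protocol": ptype, "mac_len": hlen, "proto_len": plen,
            "opcode": opcode, "src_mac": mac_str(sha), "src_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Constructed ARP frame. A request goes to the broadcast MAC with an all-zero
    target MAC (target_mac is ignored); a reply is unicast to the requester."""
    eth_dst = BROADCAST_MAC if opcode == ARP_REQUEST else target_mac
    body_tha = ZERO_MAC if opcode == ARP_REQUEST else target_mac
    eth = eth_dst + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      sender_mac, sender_ip, body_tha, target_ip)
    return eth + arp


def learn_arp_cache(frames, cache=None):
    """Fill an IP -> MAC cache from ARP replies, overwriting as a host cache does,
    and return (cache, conflicts) where conflicts lists (ip, old_mac, new_mac)
    for every entry whose MAC changed. Non-ARP frames and requests are skipped."""
    cache = {} if cache is None else cache
    conflicts = []
    for frame in frames:
        eth, payload = parse_ethernet(frame)
        if eth["type"] != ETHERTYPE_ARP:
            continue
        arp = parse_arp(payload)
        if arp["opcode"] != ARP_REPLY:
            continue
        previous = cache.get(arp["src_ip"])
        if previous is not None and previous != arp["src_mac"]:
            conflicts.append((arp["src_ip"], previous, arp["src_mac"]))
        cache[arp["src_ip"]] = arp["src_mac"]
    return cache, conflicts


# Constructed addresses for the demo (not the lab network's).
HOST_MAC, HOST_IP = bytes.fromhex("aabbccddee01"), bytes([10, 0, 0, 5])
GW_MAC, GW_IP = bytes.fromhex("aabbccddee02"), bytes([10, 0, 0, 1])
OTHER_MAC = bytes.fromhex("aabbccddee03")

SAMPLE_FRAMES = [
    build_arp_frame(ARP_REQUEST, HOST_MAC, HOST_IP, GW_MAC, GW_IP),   # who has 10.0.0.1?
    build_arp_frame(ARP_REPLY, GW_MAC, GW_IP, HOST_MAC, HOST_IP),     # 10.0.0.1 is at ...ee02
    build_arp_frame(ARP_REPLY, OTHER_MAC, GW_IP, HOST_MAC, HOST_IP),  # inconsistent reply
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        eth, payload = parse_ethernet(frame)
        print(eth, parse_arp(payload))
    print(learn_arp_cache(SAMPLE_FRAMES))
```

The first two frames reproduce the "best case" of the lab: one REQUEST (broadcast destination, zero target MAC, opcode 1) and one RESPONSE (unicast, opcode 2), after which the cache holds exactly the entry the lab asks about in Question 3.1. The third frame shows why the handout insists the cache be kept coherent: a host cache simply overwrites the entry, whereas a monitor reading the same capture would keep the first MAC it learned and raise the conflict, which is how duplicate-address problems on a LAN are spotted from a trace.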

Step #4: Check the number of ARP packets received at your PC. Run the Network Analyzer and select the menu entry Statistics > New Real Time Monitor. Set the arp filter. In the statistics settings choose the option "show traffic packets" in order to track the number of ARP packets. The rest of the settings will be the default ones. Then, select the line style for plotting the statistic results and start the monitoring session. Watch the statistics monitor window for approximately five minutes and take note of the maximum ARP packet arrival rate (ARP packets/second).

Maximum ARP packet arrival rate (ARP packets/second):

Annex A: Filter definition

Analyzer and Ethereal employ the same filter definition syntax as the tcpdump UNIX command. The following description was extracted from the manual page of the tcpdump command.

A capture filter consists of a set of primitives connected with the logical operators and/or, each primitive optionally preceded by not:

  [not] primitive [and|or [not] primitive ...]

Example 1. Capture telnet traffic (port 23) from/to host 10.0.0.5:
  tcp port 23 and host 10.0.0.5

Example 2. Capture telnet traffic that was neither delivered to nor created by host 10.0.0.5:
  tcp port 23 and not host 10.0.0.5

Some defined primitives:

[src|dst] host <host>
  True if the IPv4/v6 source (src) or destination (dst) field of the packet is host, which may be either an address or a name. If neither src nor dst is specified, packets either delivered to or created by host match.

ether [src|dst] host <ehost>
  The same as the one above, but using MAC addresses.

gateway host <host>
  True if the packet used host as a gateway, i.e. the Ethernet source or destination address was host but neither the IP source nor the IP destination was host.

[src|dst] net <net> [mask <mask> | /<len>]
  Filters packets by network address, given with a net mask or a CIDR prefix length.

[tcp|udp] [src|dst] port <port>
  Filters packets by TCP and/or UDP port.

less|greater <length>
  Filters packets whose length is less or greater than the given value.

ip|ether proto <protocol>
  Filters packets by protocol ID at the Ethernet or IP level.

ether|ip broadcast|multicast
  Filters the Ethernet or IP broadcast and multicast packets.
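As an added example (not part of the handout, and not the code of Analyzer or tcpdump), the following Python implements a small evaluator for the Annex A grammar, [not] primitive [and|or [not] primitive ...], so the filter expressions used in this lab can be tried against packet summaries without a live capture. It covers host, ether host, [tcp|udp] port, net (with a mask or a /len), the bare primitives ip, arp, tcp and udp, and ether|ip broadcast|multicast, all with optional src/dst qualifiers; gateway, proto and less/greater are not implemented, and ip broadcast is simplified to the limited broadcast address 255.255.255.255 because the real primitive needs the interface netmask. The three packet summaries are constructed, not taken from a capture.

```python
import ipaddress

PROTO_NUMS = {"tcp": 6, "udp": 17}
BARE = {"ip": ("ethertype", 0x0800), "arp": ("ethertype", 0x0806),   # primitives that stand alone
        "tcp": ("proto", 6), "udp": ("proto", 17)}
PRIMITIVES = {"host", "src", "dst", "net", "port", "broadcast", "multicast"}


def _fields(kind, direction):
    """Packet-summary keys selected by an optional src/dst qualifier."""
    return ("src_" + kind, "dst_" + kind) if direction is None else (direction + "_" + kind,)


def parse_filter(expr):
    """Annex A grammar: [not] primitive [and|or [not] primitive ...]; 'not' binds
    tightest, then 'and', then 'or'. Returns a nested tuple tree."""
    toks = expr.split()

    def nxt():
        if not toks:
            raise ValueError("filter ends prematurely")
        return toks.pop(0)

    def primitive():
        layer = direction = None
        tok = nxt()
        if tok in ("ether", "ip", "arp", "tcp", "udp"):
            if toks and toks[0] in PRIMITIVES:          # qualifier: "ether host", "tcp port", ...
                layer, tok = tok, nxt()
            elif tok in BARE:                            # "ip", "arp", "tcp", "udp" on their own
                return BARE[tok]
        if tok in ("src", "dst"):
            direction, tok = tok, nxt()
        if tok == "host":
            return ("host", _fields("mac" if layer == "ether" else "ip", direction), nxt().lower())
        if tok == "port":
            return ("port", PROTO_NUMS.get(layer), _fields("port", direction), int(nxt()))
        if tok == "net":
            net = nxt()
            if toks and toks[0] == "mask":               # "net N mask M" (or "net N/len")
                nxt()
                net += "/" + nxt()
            return ("net", _fields("ip", direction), ipaddress.ip_network(net, strict=False))
        if tok in ("broadcast", "multicast"):
            return (tok, layer)
        raise ValueError("unknown primitive %r" % tok)

    def negation():
        if toks and toks[0] == "not":
            nxt()
            return ("not", negation())
        return primitive()

    def binary(keyword, operand):
        node = operand()
        while toks and toks[0] == keyword:
            nxt()
            node = (keyword, node, operand())
        return node

    tree = binary("or", lambda: binary("and", negation))
    if toks:
        raise ValueError("unexpected token %r" % toks[0])
    return tree


def matches(node, pkt):
    """Evaluate a parsed filter tree against a packet summary dict."""
    op = node[0]
    if op == "not":
        return not matches(node[1], pkt)
    if op == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    if op == "or":
        return matches(node[1], pkt) or matches(node[2], pkt)
    if op == "ethertype":
        return pkt.get("ethertype") == node[1]
    if op == "proto":
        return pkt.get("ip_proto") == node[1]
    if op == "host":
        return any(pkt.get(f) == node[2] for f in node[1])
    if op == "port":                                     # "[tcp|udp] port" also checks the protocol
        return (node[1] is None or pkt.get("ip_proto") == node[1]) and any(pkt.get(f) == node[3] for f in node[2])
    if op == "net":
        return any(f in pkt and ipaddress.ip_address(pkt[f]) in node[2] for f in node[1])
    if node[1] == "ether":                               # Ethernet broadcast / multicast (I/G bit)
        dst = pkt.get("dst_mac", "00")
        return dst == "ff:ff:ff:ff:ff:ff" if op == "broadcast" else int(dst[:2], 16) & 1 == 1
    if op == "broadcast":                                # limited broadcast only (simplification)
        return pkt.get("dst_ip") == "255.255.255.255"
    return "dst_ip" in pkt and ipaddress.ip_address(pkt["dst_ip"]) in ipaddress.ip_network("224.0.0.0/4")


SAMPLE_PACKETS = [  # constructed packet summaries, not from a real capture
    {"ethertype": 0x0800, "src_mac": "aa:bb:cc:dd:ee:01", "dst_mac": "aa:bb:cc:dd:ee:02",
     "src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "ip_proto": 6, "src_port": 40000, "dst_port": 23},
    {"ethertype": 0x0800, "src_mac": "aa:bb:cc:dd:ee:03", "dst_mac": "01:00:5e:00:00:fb",
     "src_ip": "10.0.0.9", "dst_ip": "224.0.0.251", "ip_proto": 17, "src_port": 5353, "dst_port": 5353},
    {"ethertype": 0x0806, "src_mac": "aa:bb:cc:dd:ee:03", "dst_mac": "ff:ff:ff:ff:ff:ff"},
]


def apply_filter(expr, packets=SAMPLE_PACKETS):
    """Indices of the packets the filter would let through."""
    tree = parse_filter(expr)
    return [i for i, p in enumerate(packets) if matches(tree, p)]
```

With the constructed packets, apply_filter("tcp port 23 and host 10.0.0.5") keeps only the first packet and apply_filter("tcp port 23 and not host 10.0.0.5") keeps none, matching Examples 1 and 2; the Step #2 filter "ip and not ip broadcast and not ip multicast" drops the mDNS packet to 224.0.0.251 and the ARP broadcast, which is exactly why the lab suggests it when the broadcast and multicast chatter gets in the way. Precedence is the point to remember when writing filters of your own: not binds tighter than and, which binds tighter than or, so "not" applies to a single primitive unless you restate it.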