EKT 332/4 COMPUTER NETWORK




UNIVERSITI MALAYSIA PERLIS
SCHOOL OF COMPUTER & COMMUNICATIONS ENGINEERING
EKT 332/4 COMPUTER NETWORK
LABORATORY MODULE
LAB 2: NETWORK PROTOCOL ANALYZER (SNIFFING AND IDENTIFYING PROTOCOLS USED IN A LIVE NETWORK)

Lab 2: Network Protocol Analyzer (Sniffing and Identifying Protocols Used in a Live Network)

Objectives
- To learn some basics of Ethernet
- To sniff various types of packets and identify the various protocols in use

Background

1. Getting Started

One's understanding of network protocols can often be greatly deepened by seeing protocols in action and by playing around with protocols: observing the sequence of messages exchanged between two protocol entities, delving down into the details of protocol operation, and causing protocols to perform certain actions and then observing these actions and their consequences. This can be done in simulated scenarios or in a real network environment such as the Internet. In these Wireshark labs, we'll take the latter approach. You'll be running various network applications in different scenarios using a computer on your desk, at home, or in a lab. You'll observe the network protocols in your computer in action, interacting and exchanging messages with protocol entities executing elsewhere in the Internet. Thus, you and your computer will be an integral part of these live labs. You'll observe, and you'll learn, by doing.

The basic tool for observing the messages exchanged between executing protocol entities is called a packet sniffer. As the name suggests, a packet sniffer captures ("sniffs") messages being sent/received from/by your computer. It will also typically store and/or display the contents of the various protocol fields in these captured messages. A packet sniffer itself is passive. It observes messages being sent and received by applications and protocols running on your computer, but never sends packets itself. Similarly, received packets are never explicitly addressed to the packet sniffer. Instead, a packet sniffer receives a copy of packets that are sent/received from/by applications and protocols executing on your machine. Figure 1 shows the structure of a packet sniffer.

At the right of Figure 1 are the protocols (in this case, Internet protocols) and applications (such as a web browser or FTP client) that normally run on your computer. The packet sniffer, shown within the dashed rectangle in Figure 1, is an addition to the usual software in your computer, and consists of two parts. The packet capture library receives a copy of every link-layer frame that is sent from or received by your computer.

Messages exchanged by higher-layer protocols such as HTTP, FTP, TCP, UDP, DNS, or IP are all eventually encapsulated in link-layer frames that are transmitted over physical media such as an Ethernet cable. In Figure 1, the assumed physical medium is an Ethernet, and so all upper-layer protocols are eventually encapsulated within an Ethernet frame. Capturing all link-layer frames thus gives you all messages sent/received from/by all protocols and applications executing in your computer.

Figure 1: Packet sniffer structure

The second component of a packet sniffer is the packet analyzer, which displays the contents of all fields within a protocol message. In order to do so, the packet analyzer must understand the structure of all messages exchanged by protocols. For example, suppose we are interested in displaying the various fields in messages exchanged by the HTTP protocol in Figure 1. The packet analyzer understands the format of Ethernet frames, and so can identify the IP datagram within an Ethernet frame. It also understands the IP datagram format, so that it can extract the TCP segment within the IP datagram. Next, it understands the TCP segment structure, so it can extract the HTTP message contained in the TCP segment. Finally, it understands the HTTP protocol and so, for example, knows that the first bytes of an HTTP message will contain the string "GET", "POST", or "HEAD".

We will be using the Wireshark packet sniffer [http://www.wireshark.com] for these labs, allowing us to display the contents of messages being sent/received from/by protocols at different levels of the protocol stack. (Technically speaking, Wireshark (Ethereal) is a packet analyzer that uses a packet capture library in your computer.)

2. What is Wireshark (Ethereal)?

Wireshark, formerly known as Ethereal, is one of the most powerful tools in a network security analyst's toolkit. As a network packet analyzer, Wireshark can peer inside the network and examine the details of traffic at a variety of levels, ranging from connection-level information to the bits comprising a single packet. This flexibility and depth of inspection allows this valuable tool to analyze security events and troubleshoot network security device issues. It's also priced right: it's free!

Wireshark (Ethereal) is a network packet analyzer or packet sniffer. A network packet analyzer tries to capture network packets and to display that packet data in as much detail as possible. You could think of a network packet analyzer as a measuring device used to examine what's going on inside a network cable, just as a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at a higher level, of course). In the past, such tools were either very expensive, proprietary, or both. However, with the advent of Wireshark (Ethereal), all that has changed. Wireshark (Ethereal) is perhaps one of the best open source packet analyzers available today.

i. Some intended purposes

Here are some examples of what people use Wireshark (Ethereal) for:
- network administrators use it to troubleshoot network problems
- network security engineers use it to examine security problems
- developers use it to debug protocol implementations
- people use it to learn network protocol internals

ii. Features

Live capture from many different network media. Despite its name, Wireshark (Ethereal) can capture traffic from network media other than Ethernet. Which media types are supported depends on many things, such as the operating system you are using.

Many protocol decoders. There are protocol decoders (or dissectors, as they are known in Ethereal) for a great many protocols. A comprehensive list of all protocols and protocol fields can be found at http://www.wireshark.com/docs/dfref/

Open source software. Wireshark (Ethereal) is an open source software project, and is released under the GNU General Public License (GPL). You can freely use Wireshark (Ethereal) on any number of computers you like, without worrying about license keys or fees. In addition, all source code is freely available under the GPL. Because of that, it is very easy for people to add new protocols to Wireshark (Ethereal), either as plugins or built into the source, and they often do!

iii. What Wireshark is not

Just as with any tool, Wireshark can be used for some things and not others. Here is a list of some of the things Wireshark cannot do:
1. It cannot be used to map out a network. Take a look at the NMAP tool for that functionality.
2. It does not generate network data; it is a passive tool. Tools like NMAP, ping, and traceroute are examples of tools that generate network data. These tools are active.
3. It can only show detailed information about protocols it actually understands. The good news is that it understands a great many protocols. It is also extensible, so you can add protocol support for ones it doesn't understand. Otherwise you will only be able to see a hexdump of the data it has captured.
4. It can only capture data as well as the OS / interface / interface driver supports. An example of this is capturing data over wireless networks. This does not work well (or at all) for some software and hardware combinations.

Practical work

Before you start Wireshark you must log in as root. Ask the technician for the root password. You can start Wireshark by giving the command wireshark on the command line. This opens a window, which is a GUI front end to Wireshark's packet capture utility, as shown in Figure 2. (You'll want to make this window bigger.)

Figure 2: Wireshark window

To start capturing, choose Interfaces from the Capture menu. You'll see a pop-up window similar to the one below:

Figure 3: Capture action window

If you'd like to configure advanced options, such as capturing to a file, resolving MAC addresses and DNS names, or limiting the time or size of the capture, click the Options button corresponding to the interface you wish to configure. Many of these options can help to improve the performance of Wireshark. For example, you can adjust settings to avoid name-resolution issues, as they will otherwise slow down your capture system and generate large numbers of name queries. Time and size limits can also place limitations on unattended captures. Otherwise, simply click the Start button next to the name of the interface on which you wish to capture traffic. The Wireshark screen will immediately begin filling up with traffic seen on the network interface, as shown below:

Figure 4: Capture data window

Interpreting the results

Each line in the top pane of the Wireshark window corresponds to a single packet seen on the network. The default display shows the time of the packet (relative to the start of the capture), the source and destination IP addresses, the protocol used and some information about the packet. You can drill down and obtain more information by clicking on a row. This causes the bottom two window panes to fill with information. The middle pane contains drill-down details on the packet selected in the top pane. The "+" icons reveal varying levels of detail about each layer of information contained within the packet.

Example: I've selected a DNS response packet. I've expanded the DNS response (application layer) section of the packet to show that the original was requesting a DNS resolution for www.cnn.com, and this response is informing us that the available IP addresses include 64.236.91.21. The bottom window pane shows the contents of the packet in both hexadecimal and ASCII representations.

Notice in the example above that each row is color-coded. The darker blue rows correspond to DNS traffic, the lighter blue rows are UDP SNMP traffic, and the green rows signify HTTP traffic. Wireshark includes a complex color-coding scheme (which you can customize). The default settings appear below:

Figure 5: Capture data window

That sums up the basics of using Wireshark to capture and analyze network traffic. The best way to become an expert quickly is to get your hands dirty and start capturing network traffic. There's no doubt you'll find that it can be a helpful tool for everything from configuring firewall rules to spotting an intrusion. Remember, however, that you must always have permission from the network owner before capturing traffic on any network.

Exercise 1

Click on one of the HTTP packets and examine it in detail in the middle section of the Wireshark window. You can confirm that the structure of the packet is HTTP data wrapped in a TCP segment, which is wrapped in an IP datagram, which is wrapped in an Ethernet frame. If you click one of the little triangles in front of the word "Ethernet", your view of the Ethernet header will be expanded to show the content of the header. Similarly for the "Internet Protocol", "Transmission Control Protocol", and "Hypertext Transfer Protocol" lines. If you click on any of the lines in the middle section of the window, the corresponding data in the display in the bottom third of the window will be highlighted. Based on all this, answer the following questions:

Question 1: What does an Ethernet address look like, and what is the Ethernet address of your computer?
Question 2: How many bytes are there in an Internet header?
Question 3: What is the IP address of the server computer? How did you find this out by looking at the information in the packet?
Question 4: The HTTP server communicates on port 80. What port number on your computer was used for the communication? How did you find this out?

Exercise 2

Now, enter "not ip" as the display filter. This lets you see non-IP packets. What protocols do you see? Describe some of the things that you can discover or guess about these protocols, just from the information available in the Wireshark window.
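As an added illustration of the layer-by-layer dissection described in the Background (Ethernet frame, then IP datagram, then TCP segment, then the "GET"/"POST"/"HEAD" clue of an HTTP message) and of the "not ip" display filter from Exercise 2, here is a minimal dissector written for this page; it is not part of the lab module or of Wireshark itself. The two frames, the MAC and IP addresses, the ephemeral port 49152 and the request line are constructed sample values, and the filter supports only a tiny subset of Wireshark's filter syntax.

```python
import struct

ETHERTYPE_IPV4, IPPROTO_TCP = 0x0800, 6

def dissect(frame: bytes) -> dict:
    """Peel one captured frame layer by layer, as the text describes:
    Ethernet header -> IPv4 header -> TCP header -> HTTP request line."""
    layers = {}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["eth"] = {"dst": dst.hex(":"), "src": src.hex(":"), "type": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return layers                        # ARP etc.: no IP datagram inside
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # IHL counts 32-bit words; 5 -> 20 bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    layers["ip"] = {"hdr_len": ihl, "proto": ip[9],
                    "src": ".".join(map(str, ip[12:16])),
                    "dst": ".".join(map(str, ip[16:20]))}
    if ip[9] != IPPROTO_TCP:
        return layers
    tcp = ip[ihl:total_len]                  # bounded by the IP total length
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4            # TCP data offset, also 32-bit words
    layers["tcp"] = {"sport": sport, "dport": dport, "hdr_len": data_off}
    payload = tcp[data_off:]
    if payload[:4] in (b"GET ", b"POST", b"HEAD"):   # the clue the text mentions
        layers["http"] = payload.split(b"\r\n", 1)[0].decode("ascii")
    return layers

def display_filter(frames, expr: str):
    """Tiny subset of Wireshark's display-filter syntax: a protocol name
    ('ip', 'tcp', 'http'), optionally negated as in Exercise 2's 'not ip'."""
    tokens = expr.split()
    negate, proto = tokens[0] == "not", tokens[-1]
    return [f for f in frames if (proto in dissect(f)) != negate]

def build_http_frame(src_ip: bytes, dst_ip: bytes, sport: int, request: bytes) -> bytes:
    """Construct a sample frame (not a real capture): a client on an ephemeral
    port sending an HTTP request to port 80. IP and TCP checksums are left as 0."""
    tcp = struct.pack("!HHIIBBHHH", sport, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(request), 1, 0, 64,
                     IPPROTO_TCP, 0, src_ip, dst_ip)
    eth = bytes.fromhex("00d0b7aabbcc001a2b3c4d5e") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp + request

# Constructed sample capture: one HTTP GET and one ARP frame (EtherType 0x0806, zero body).
HTTP_FRAME = build_http_frame(bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]), 49152,
                              b"GET /introduction HTTP/1.1\r\nHost: www.wireshark.com\r\n\r\n")
ARP_FRAME = bytes.fromhex("ffffffffffff001a2b3c4d5e0806") + bytes(28)
CAPTURE = [HTTP_FRAME, ARP_FRAME]

if __name__ == "__main__":
    print(*map(dissect, CAPTURE), sep="\n")
    print("not ip ->", len(display_filter(CAPTURE, "not ip")), "frame(s)")
```

Running it shows the answers the exercise asks you to read off Wireshark's middle pane: a 6-byte Ethernet address, a 20-byte Internet header, the server IP taken from the IP destination field, and the client's ephemeral source port next to destination port 80.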

Exercise 3

Close all internet browsers. Restart packet capturing. Open your terminal window. Ping the computer next to you using this command:

$ ping xx.xxx.x.xxx

Open your internet browser and go to http://www.wireshark.com/. Click on the Introduction option. Stop the capture session. Trace back all of the activities that you have done, starting from when you pinged the computer next to you until you stopped the capture session. Copy all of the activities that you have traced and paste them into Notepad. Print the result and attach it to your report.

Reference:
i. Ethereal User's Guide V2.00 for Ethereal 0.10.5. Richard Sharpe (NS Computer Software and Services P/L), Ed Warnicke, Ulf Lamping.
ii. http://www.wireshark.com/