Ethereal Exercise 1: Introduction to Ethereal

Course: Semester: ELE437

Ethereal Exercise 1: Introduction to Ethereal

While the ELE437 course doesn't have a lab component, many of the experiences in lab-based courses can be done as homework assignments instead. Applications such as Ethereal, which is available for Windows, MacOS, Linux/Unix, and other platforms, make it possible to capture network activity and analyze it from the physical layer up to the application layer. With Ethereal, you can also open previously recorded capture sessions and analyze the timing, addresses, protocols, and other information.

Assumed Background Knowledge

A basic understanding of the following items is assumed throughout this exercise. Most of them are from Chapter 1 of the Tanenbaum textbook:

- Protocol hierarchies, the OSI model, and the TCP/IP reference model.
- What the Physical, Data Link, Network, Transport, and Application layers are.
- What Ethernet is and what protocol layer it is at.
- How a packet at one layer fits into a packet at a lower layer:
  o In the figure below, a high-layer packet at Layer N+1 is equivalent to the payload of another packet at a lower layer (Layer N). Even if the packet at Layer N+1 has a header or trailer, they will be treated as part of the payload once the data is passed down to Layer N. This makes it possible to use any number of different protocols at Layer N+1 without Layer N necessarily knowing which protocol is being used at Layer N+1.
  o In general, the only requirement between neighboring layers is that they must have interfaces that allow them to pass data back and forth.
  o See Chapters 3 and later of the textbook for more details on packets.

[Figure 0: Simplified Packet-to-Payload Layering Relationship]

Exercise 1

In order to become familiar with Ethereal, it's useful to step through the capture process on your own. Examining a pre-recorded capture file can also be very useful, so both will be done in this exercise. Of course, the Ethereal application must be installed before anything else.

Part A: Downloading and Installing Ethereal

The latest version of Ethereal can be downloaded for your operating system at http://www.ethereal.com/download.html. Version 0.10.14 was used for the screenshots in this document, but other versions should be very similar. Once the Ethereal installer has been downloaded, simply run it. DO NOT download the source code unless you are willing and able to compile it for your platform. If using Linux, you'll need to be root to perform Part B.

Part B: Configuring Ethereal and Capturing Packets

Now that Ethereal has been installed, it can be run from the Start menu (for Windows users) or by typing ethereal at a command line (for other operating systems). Once open, a window similar to the following one should appear:

[Figure 1: Ethereal with no capture data loaded]

First, you need to find an active network interface to capture data from. Go to the Capture menu (ALT+C) and select Interfaces (I).

[Figure 2: Basic Capture Interface Information]

The window above should appear with all of the network interfaces in your system listed under the Description heading. You can find an active network interface to use for capturing by observing which interface has a steadily increasing number under the Packets heading. In this case, the Motorola USB Cable Modem is active. Once an active interface has been identified, press the Prepare button on that interface's row. The Capture Options box will then appear, as shown in Figure 3. Under Display Options, select the "Update list of packets in real time" checkbox. Under Capture, deselect the "Capture packets in promiscuous mode" checkbox. When these changes have been made, press Start to begin capturing packets. A capture summary window will appear and the main Ethereal window will begin to fill up with packet data. After you see the main Ethereal window fill up with packet data, press the Stop button in the Capture window shown in Figure 4. Please note that your capture results are likely to be very different from the pre-captured data file that you'll be looking at in the next section.

[Figure 3: Ethereal's Capture Options Dialog box]

[Figure 4: Capture Status window in Ethereal]

Part C: Examining a Pre-Recorded Capture File

Now that you know how to perform your own capture, it's necessary to examine a pre-recorded capture file. This will make it possible to point out all of the different information that appears in Ethereal when a capture is performed, so that you can knowledgeably analyze your own packet captures in the future.

In Figure 5 on the next page, the capture file quietcapture.cap has been opened in Ethereal. You can download this file from the ELE437 web site at http://www.ele.uri.edu/courses/ele437/sp06. This is a capture from a quiet network in which the activity involves only two computers. One of the computers is sending out packets to request services available over the network (packets using the SSDP protocol) while the other computer provides information about itself (the packet using the BROWSER protocol). Descriptions of the data in this capture will be given on the next few pages.

The capture data in the main window is divided into three parts:

1) Trace List Pane (Top)

In this pane, basic information about the packets captured, such as the time, source IP, destination IP, and protocol, is given. By clicking on the column labels at the top such as Source or Protocol, the capture data will be sorted by the selected label. This makes it easy to group together all packets that have the same source IP address, destination IP address, or use the same protocol.

SSDP Protocol: Looking at the Protocol column, most of the packets are using the SSDP protocol. SSDP, which stands for Simple Service Discovery Protocol, is a protocol that allows networked computers to discover remote services and devices that are available for them to use. It also allows networked computers to announce new services and devices that they're willing and able to share. Currently, most SSDP-capable devices are printers, fax machines, and other computers on a network. However, in the future it may even be possible to have an SSDP-capable coffee maker that is automatically detected by your computer and that can be easily programmed to make particular types of coffee on different days and at different times for each network client.

[Figure 5: Captured Packets from a Quiet Network]

BROWSER Protocol: The only other protocol in the trace list is BROWSER. This is the Microsoft Windows Browser Protocol, and in this case it is being used by the computer with IP address 192.168.0.101 to tell other computers about itself (it provides the computer name, workgroup name, OS version, etc.).

2) Protocol Layer Pane (Middle)

This pane shows which protocols were used for the packet currently selected in the Trace List pane. The protocol listing begins at the physical layer and then includes the data link, network, transport, and application layers in that order. In the example above, the protocol breakdown starting at the data link layer is as follows:

Data Link Layer: Ethernet II
Network Layer: Internet Protocol (IP)
Transport Layer: User Datagram Protocol (UDP)
Application Layer: Hypertext Transfer Protocol (HTTP)

At each layer, the + (plus sign) to the left of the protocol name can be clicked on to get more details on the packet data. For example, you can see in Figure 6 that at the physical layer the arrival time and length of the packet were recorded. These pieces of information aren't actually a part of the transmitted packet, but are recorded by Ethereal to maximize the amount of information you have about any packets received, even at a very low level.

[Figure 6: Physical Layer Data in the Protocol Pane]

To see data that was actually part of a transmitted packet you can look at the details for any of the higher-level protocols. In Figure 7, Ethereal has used the bytes of the IP header (detailed in Figure 5-53 on page 434 of the textbook) to obtain the information shown. The details at the network layer show us what version of IP was used, the length of the IP packet header, the length of the IP packet, and other important details. Of course, the source and destination IP addresses given on the summary line at the top are in the details as well.

[Figure 7: Network Layer Data in the Protocol Pane]

3) Raw Packet Pane (Bottom)

Finally, the pane at the bottom of Figure 5 contains the hexadecimal and ASCII representations of packet data in their raw forms. By selecting a particular layer line in the Protocol Layer pane, all of the packet data related to that layer will be highlighted in the Raw Packet pane. For example, in Figure 8 the transport layer line for the User Datagram Protocol (UDP) has been selected in the Protocol Layer pane and the corresponding bytes are highlighted in the Raw Packet pane. Notice that the first two hex bytes, 0x07 and 0x6D, form the 16-bit number 0x076D and that the decimal equivalent is 1901. This is the source port number, as shown in the selected line of the Protocol Layer pane. Similarly, the destination port is in the next two bytes, 0x07 and 0x6C. For more details on UDP and the UDP header format, see Section 6.4 of the textbook on page 524.

[Figure 8: Transport Layer Data in the Raw Packet Pane]

If you instead select the application layer line for the Hypertext Transfer Protocol (HTTP), you will notice that the meaningful information in the Raw Packet Pane is the highlighted ASCII characters. This brings up an important point: at the physical, data link, network, and transport layers most of the meaningful information will be in the form of bits and bytes representing addresses, ports, and other information in packet headers. As a result, the selected ASCII characters at these layers are likely to have no meaning while the selected hex data can be interpreted more easily. At the application layer, however, the highlighted ASCII characters can be very useful since web browsers, e-mail clients, and chat programs are likely to transmit and receive ASCII text. Of course, not all data at the application layer is text, and some text may be encrypted, so in some cases neither the hexadecimal nor the ASCII display in the Raw Packet Pane will provide any obviously meaningful information. In these cases, Ethereal may only be able to tell you that a TCP packet is pre

Part D: Trace Summary Statistics

While the Trace List, Protocol Layer, and Raw Packet panes provide varying levels of detail about a network capture, Ethereal can also provide you with a simple summary of the entire capture. You can get to the summary in Ethereal by going to the Statistics menu (ALT+S) and selecting Summary (S), as shown in Figure 9.

[Figure 9: Opening the Capture Summary in Ethereal]

Figure 10 shows the summary for the quietnetwork.cap file used in this exercise. Useful information such as the number of packets captured, the total number of bytes captured, and the average data rate are given.

[Figure 10: Capture Summary for quietnetwork.cap]

Online Resources

Simple Service Discovery Protocol (SSDP): http://www.upnp.org/download/draft_cai_ssdp_v1_03.txt
Address Resolution Protocol (ARP): http://www.faqs.org/rfcs/rfc826.html
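Parts C and D above describe what the Protocol Layer and Raw Packet panes show for one packet and what the Summary dialog reports for a whole capture. The Python script below is an added example, not code from this handout or from the Ethereal project: it decodes a constructed Ethernet II / IPv4 / UDP frame one layer at a time (the packet-to-payload relationship of Figure 0), reads the source port from the two UDP header bytes the way Figure 8 does, and computes the packet count, byte count, elapsed time, and average data rate that appear in Figure 10. It goes slightly beyond the single SSDP packet in the text: it leaves the payload opaque for any EtherType or IP protocol it does not decode, trims Ethernet padding using the IP Total Length, and rejects a frame whose IPv4 header checksum fails. The MAC addresses, IP addresses, IP identification value, and SSDP text are constructed sample values, and the function names (parse_frame, build_udp_frame, summarize) are this example's own, not Ethereal's.

```python
"""Added example (not part of the ELE437 handout): decode an Ethernet II /
IPv4 / UDP frame layer by layer, as Ethereal's Protocol Layer pane does, and
compute the capture-wide figures shown under Statistics > Summary.  All frames
here are constructed sample data, not bytes taken from quietcapture.cap."""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
SSDP_PORT = 1900

# Constructed SSDP NOTIFY text (the ASCII the Raw Packet pane would highlight).
SSDP_PAYLOAD = b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n\r\n"


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones'-complement sum of 16-bit words, inverted."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_frame(frame: bytes) -> dict:
    """Peel one layer at a time; each layer's payload is the next layer's packet."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet II header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers = {"eth": {"dst": dst_mac.hex(":"), "src": src_mac.hex(":"),
                      "type": ethertype}}
    eth_payload = frame[14:]
    if ethertype != ETHERTYPE_IPV4:
        layers["payload"] = eth_payload      # Ethernet does not care what this is
        return layers
    if len(eth_payload) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, _flags, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", eth_payload[:20])
    ihl = (ver_ihl & 0x0F) * 4               # header length in bytes (20 without options)
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(eth_payload) < total_len:
        raise ValueError("bad IPv4 header lengths")
    if ip_checksum(eth_payload[:ihl]) != 0:  # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    layers["ip"] = {"version": 4, "header_len": ihl, "total_len": total_len,
                    "id": ident, "ttl": ttl, "proto": proto,
                    "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}
    # Total Length bounds the IP packet; anything after it is Ethernet padding.
    ip_payload = eth_payload[ihl:total_len]
    if proto != IPPROTO_UDP:
        layers["payload"] = ip_payload
        return layers
    if len(ip_payload) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, ulen, ucsum = struct.unpack("!HHHH", ip_payload[:8])
    if ulen < 8 or ulen > len(ip_payload):
        raise ValueError("bad UDP length")
    layers["udp"] = {"src_port": sport, "dst_port": dport,
                     "length": ulen, "checksum": ucsum}
    layers["payload"] = ip_payload[8:ulen]   # application-layer data
    return layers


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Assemble the same three headers in the opposite direction (sample data only)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0,
                         4, IPPROTO_UDP, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    eth = struct.pack("!6s6sH", bytes.fromhex(dst_mac.replace(":", "")),
                      bytes.fromhex(src_mac.replace(":", "")), ETHERTYPE_IPV4)
    return eth + ip_hdr + udp


def summarize(capture):
    """capture: list of (timestamp_seconds, frame_bytes), one entry per trace-list row."""
    if not capture:
        return {"packets": 0, "bytes": 0, "elapsed_s": 0.0, "avg_bytes_per_s": 0.0}
    times = [t for t, _ in capture]
    total = sum(len(f) for _, f in capture)
    elapsed = max(times) - min(times)        # first captured packet to last
    return {"packets": len(capture), "bytes": total, "elapsed_s": elapsed,
            "avg_bytes_per_s": total / elapsed if elapsed > 0 else 0.0}


# Constructed sample: one SSDP announcement like those in Part C (hypothetical addresses).
SAMPLE_FRAME = build_udp_frame("00:11:22:33:44:55", "01:00:5e:7f:ff:fa",
                               "192.168.0.1", "239.255.255.250",
                               1901, SSDP_PORT, SSDP_PAYLOAD)

if __name__ == "__main__":
    decoded = parse_frame(SAMPLE_FRAME)
    print(decoded["ip"]["src"], "->", decoded["ip"]["dst"],
          "UDP", decoded["udp"]["src_port"], "->", decoded["udp"]["dst_port"])
    print(decoded["payload"].decode("ascii"))
    print(summarize([(0.0, SAMPLE_FRAME), (2.5, SAMPLE_FRAME), (10.0, SAMPLE_FRAME)]))
```

Running the script prints the address and port line for the sample frame (the same fields the Trace List pane shows), the ASCII SSDP text that the Raw Packet pane would highlight for the application layer, and the summary dictionary for a three-packet trace. Bytes 34 and 35 of SAMPLE_FRAME are 0x07 and 0x6D, the same two bytes Figure 8 points out, and parse_frame reads them back as port 1901.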

Questions

Use the quietnetwork_15minutes.cap capture trace file from http://www.ele.uri.edu/courses/ele437/sp06 to answer the following questions.

1. For the capture file specified above,
   a. How many seconds does Ethereal report the trace to be?
   b. What are two different ways to determine this?
2. When this trace was captured, a capture limit of 15 minutes was specified. However, the trace length shows up as less than 15 minutes. Why?
3. How many packets appear in this trace?
4. In quietnetwork.cap we saw two types of packets: SSDP announcements from one computer and a BROWSER announcement from another PC.
   a. Do you see these types of packets in quietnetwork_15minutes.cap?
   b. If yes, what is the packet number for the first SSDP packet and the first BROWSER packet?
5. What other protocols appear in the trace, if any? Click on the heading for the Protocol column to sort the packets by protocol to make this easier.
6. In quietnetwork.cap, we saw only two different source IP addresses, 192.168.0.1 and 192.168.0.101.
   a. Do you see any additional source IP addresses in the quietnetwork_15minutes.cap trace? (Note: If your capture only shows the MAC address for some packets, you must examine them to find the IP address.)
   b. If yes, give the IP address and any packet number at which it occurs.

Grading - 12 points - The questions have the following point values:
1) 3 points (1 for a, 2 for b)
2) 2 points
3) 1 point
4) 3 points (1 for a, 2 for b)
5) 1 point
6) 2 points (1 for each)