Lab 2 - Networking PDF

Title Lab 2 - Networking
Course Fundamentals of Computing Security
Institution Rochester Institute of Technology
Pages 10


Rochester Institute of Technology Department of Computing Security CSEC 101

Lab 2 - Networking

Page 1 of 10

Write Up: Using your answers, construct a report (without copying and pasting the questions/instructions) and submit it in PDF format to the myCourses dropbox for Assignment 1. Do copy and properly introduce all tables.

Step 1 Start the Wireshark packet sniffer by clicking Start | All Programs | Wireshark and selecting the Wireshark program icon. Wireshark has a nice splash page giving you options to start a capture, open an existing file, or get further information online right from the opening page.

Step 2 You can now start a data frame capture by selecting Capture Options right from the welcome screen menu. This brings up the Wireshark: Capture Options dialog box.

Step 3 Start by checking the checkbox for the interface on which you’ll be sending traffic. Start capturing data frames that are sent or received by this machine by clicking the Start button at the bottom right of the window. Depending on the network you are attached to, you may or may not observe any capture activity until you generate network communication.

Notice the Wireshark display is divided into three panes. The top section is the Packet List pane, which lists a summary of each frame captured. The middle section is the Packet Details pane, which displays details of each captured frame. The bottom section is the Packet Bytes pane, which shows hexadecimal values of captured data. The right side of the bottom section will show the ASCII values for the hex values, even if it’s not meant to be translated into ASCII. When you see a dot, it means that there is no ASCII equivalent.


Other times you’ll see ASCII translations that make no sense, because they weren’t meant to be translated.

Step 4 Computers and devices generate a large amount of network traffic just establishing communications. To clear away some of these packets from the view of your capture, you are going to apply a filter. In the Filter: dialog box on the toolbar, enter the following string: arp or icmp (this is case sensitive; only use lower-case letters!) and click the Apply button. This will filter out all other traffic except ARP frames (ARP exists at Layer 2) or ICMP packets (ICMP exists at Layer 3) from the displayed traffic, although Wireshark will continue to capture all packets and frames.

Step 5 Now, to see a concrete example of a data capture, run the ping command on your network. Open a command-line window, type ping, followed by a space, and the host name or IP address of a PC on your network. To ping a PC with the host name WindowsComputerB, for example, type ping windowscomputerb and press the ENTER key. The following text shows sample output from the ping command.

C:\>ping windowscomputerb

Pinging windowscomputerb [192.168.5.13] with 32 bytes of data:

Reply from 192.168.5.13: bytes=32 time=110ms TTL=48
Reply from 192.168.5.13: bytes=32 time=115ms TTL=48
Reply from 192.168.5.13: bytes=32 time=107ms TTL=48
Reply from 192.168.5.13: bytes=32 time=111ms TTL=48

Ping statistics for 192.168.5.13:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)
Approximate round trip times in milli-seconds:
    Minimum = 107ms, Maximum = 115ms, Average = 110ms


What are the results of your ping operation? The ping operation sends a request out to the destination address (IP) of the computer that you are pinging; based on this request it will return replies, usually around 3. Keep in mind a ping doesn’t always return a reply, so sometimes it may take multiple times (3/5 chance).
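As an added example (not part of the lab handout), the following Python parses the text that the Windows ping command prints in Step 5 and recomputes the summary from the individual reply lines, so the "Sent / Received / Lost" and min/max/average figures can be checked rather than read off. The two inputs are constructed: the first is the handout's own sample output, the second is an assumed run with one dropped probe to show how loss is counted. One detail worth knowing: Windows prints the average as a truncated integer (443 ms over 4 replies is reported as 110ms), so the recomputation uses integer division.

```python
# Added example, not part of the lab handout: parse Windows ping output (Step 5)
# and recompute the summary statistics from the reply lines.
import re

REPLY_RE = re.compile(r"Reply from (\S+): bytes=(\d+) time[=<](\d+)ms TTL=(\d+)")
TIMEOUT_RE = re.compile(r"Request timed out\.")
STATS_RE = re.compile(r"Sent = (\d+), Received = (\d+), Lost = (\d+)")


def parse_ping(output):
    """Return the individual replies plus a summary recomputed from them.

    Windows reports the average as a truncated integer (443 ms / 4 replies is
    printed as 110ms), so integer division is used here as well.
    """
    replies = [
        {"ip": m.group(1), "bytes": int(m.group(2)),
         "rtt_ms": int(m.group(3)), "ttl": int(m.group(4))}
        for m in REPLY_RE.finditer(output)
    ]
    timeouts = len(TIMEOUT_RE.findall(output))
    rtts = [r["rtt_ms"] for r in replies]
    summary = {
        "sent": len(replies) + timeouts,
        "received": len(replies),
        "lost": timeouts,
        "min_ms": min(rtts) if rtts else None,
        "max_ms": max(rtts) if rtts else None,
        "avg_ms": sum(rtts) // len(rtts) if rtts else None,
    }
    # Cross-check against the "Ping statistics" line that ping printed itself.
    m = STATS_RE.search(output)
    if m:
        sent, received, lost = (int(x) for x in m.groups())
        summary["consistent"] = (sent, received, lost) == (
            summary["sent"], summary["received"], summary["lost"])
    return {"replies": replies, "summary": summary}


# Constructed sample: the Step 5 output from the handout, typed in verbatim.
SAMPLE_PING_OUTPUT = """\
Pinging windowscomputerb [192.168.5.13] with 32 bytes of data:
Reply from 192.168.5.13: bytes=32 time=110ms TTL=48
Reply from 192.168.5.13: bytes=32 time=115ms TTL=48
Reply from 192.168.5.13: bytes=32 time=107ms TTL=48
Reply from 192.168.5.13: bytes=32 time=111ms TTL=48

Ping statistics for 192.168.5.13:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)
Approximate round trip times in milli-seconds:
    Minimum = 107ms, Maximum = 115ms, Average = 110ms
"""

# Constructed (assumed) sample with one dropped probe, to show the loss accounting.
SAMPLE_WITH_LOSS = """\
Pinging 192.168.5.13 with 32 bytes of data:
Reply from 192.168.5.13: bytes=32 time<1ms TTL=128
Request timed out.
Reply from 192.168.5.13: bytes=32 time=2ms TTL=128
Reply from 192.168.5.13: bytes=32 time=1ms TTL=128

Ping statistics for 192.168.5.13:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss)
"""

if __name__ == "__main__":
    for text in (SAMPLE_PING_OUTPUT, SAMPLE_WITH_LOSS):
        print(parse_ping(text)["summary"])
```

Running the block prints the recomputed summary for both samples; `consistent` is True when the recount agrees with the statistics line ping itself printed.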

Step 6 Close the command-line window by typing exit at the prompt. In Wireshark, click the Stop button (the red square, 4th from the left on the toolbar) to stop the data capture. Now it’s time to analyze the captured data for the ping operation you just ran. Again, depending on the traffic on your network, you should have 10 to 12 frames of data displayed in the Wireshark viewer.

Step 7 Packet sniffers can capture hundreds of data frames in just a matter of seconds, especially if left in promiscuous mode, so applying the arp or icmp filter should help you to easily identify the 10 to 12 packets of data you want to analyze. The important information you are interested in for this Lab Exercise is the frames concerning the address resolution protocol (ARP). There should be two lines of ARP frames displaying IP addresses and the MAC addresses to which they resolve, followed by eight lines of ICMP packets showing the results of the ping. What are the results?

The results usually show the destination MAC address and source MAC address. Also, if you look closer, it also shows the source port and destination port.

If, when you display the capture information, there are no ARP frames displayed, it may be caused by one of two situations. First, if you have used the ping command, or have been sharing files back and forth with the target computer prior to collecting the capture data, there may be entries in the ARP cache. Open a command prompt and run the following command to see all (-a stands for all) entries in the ARP cache.

C:\>arp -a

If the following information (or similar with the IP address of your target machine) is displayed, you have an entry in the ARP cache.

Interface: 192.168.5.12 --- 0x3
  Internet Address      Physical Address
  192.168.5.12          00-0e-28-92-ac-b7

Once two machines have communicated, they will place entries into the ARP cache to avoid generating broadcast traffic. The entries can remain anywhere from 2 to 20 minutes depending on the operating system. In this Lab Exercise, you want to create ARP broadcast traffic to capture, so you’ll want to delete (-d stands for delete) the entries in the ARP cache. To clear the ARP cache entries, use the following command. You will need to run the command prompt in elevated mode (as administrator). When opening the command prompt, right-click cmd.exe and select Run as administrator from the dropdown menu.

C:\>arp -d

To verify the ARP cache is cleared, type arp -a once again. Your results should match the following output.


C:\>arp -a
No ARP Entries Found
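As an added example (not part of the lab handout), this Python parses Windows `arp -a` output in the format shown above and answers the question the check is really asking: does the target already have a cached entry, in which case the ping goes straight out with the cached MAC and no ARP request appears in the capture, or is the cache empty, in which case the next frame to the target is the ARP broadcast this lab wants to see. The cache listing is constructed: the interface line and MAC come from the handout, while the 192.168.5.13 entry and the Type column are assumptions about the lab machine.

```python
# Added example, not part of the lab handout: parse Windows `arp -a` output and
# decide whether a ping to a given address will first have to broadcast an ARP
# request (no cached entry) or can reuse a cached MAC address.
import re

IFACE_RE = re.compile(r"^Interface:\s+(\d+\.\d+\.\d+\.\d+)\s+---\s+(0x[0-9a-fA-F]+)")
ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s*(\w+)?")


def parse_arp_cache(output):
    """Return one dict per cache entry: interface, ip, mac, type.

    The header line and "No ARP Entries Found" match neither pattern and are
    skipped, so an empty cache yields an empty list.
    """
    entries, iface = [], None
    for line in output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)      # entries that follow belong to this interface
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"interface": iface, "ip": m.group(1),
                            "mac": m.group(2).lower(),
                            "type": (m.group(3) or "").lower()})
    return entries


def needs_arp_broadcast(output, target_ip):
    """True when the target has no cached entry, so the next frame sent to it
    is an ARP request (the traffic this lab wants to capture)."""
    return not any(e["ip"] == target_ip for e in parse_arp_cache(output))


# Constructed sample modelled on the handout's output; the 192.168.5.13 line and
# the Type column are assumptions about the lab machine.
CACHE_WITH_TARGET = """\
Interface: 192.168.5.12 --- 0x3
  Internet Address      Physical Address      Type
  192.168.5.13          00-0e-28-92-ac-b7     dynamic
  192.168.5.255         ff-ff-ff-ff-ff-ff     static
"""

# What `arp -a` prints right after `arp -d` (from the handout).
CACHE_AFTER_ARP_D = "No ARP Entries Found\n"

if __name__ == "__main__":
    for e in parse_arp_cache(CACHE_WITH_TARGET):
        print(e)
    print(needs_arp_broadcast(CACHE_WITH_TARGET, "192.168.5.13"))   # False
    print(needs_arp_broadcast(CACHE_AFTER_ARP_D, "192.168.5.13"))   # True
```

The static broadcast entry is parsed like any other, which is why the function matches on the exact target IP rather than on "cache non-empty".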

The second situation could be an incorrectly entered filter setting in Wireshark. Open Wireshark and examine both the Capture and Display filters. Confirm that the “arp or icmp” filter has been selected in the Display filter and that the “No ARP” filter has not been selected in either the Capture or Display filters. Now perform Steps 3 through 7 again to capture ARP frames in Wireshark.

Step 8 Note - For the following steps, in which you will be recording information, you will be performing Steps 3-12 a second time with a remote destination. The first time you perform these steps, fill in the Local Communication column in the table below. The second time you perform these steps, fill in the Remote Communication column in the table below. In the Packet List summary pane, select the first ARP data frame listed and fill in the information displayed in the following column fields:

Packet List columns: Number (No.), Time, Source, Destination, Protocol, Length, Info

Local Communication: No. 528; Time 6.595994; Source 129.21.42.41; Destination 98.139.183.24; Protocol ICMP||ARP; Length 74 bytes; Info Echo (ping) request

Remote Communication: No. 529; Time 6.618616; Source 98.139.183.24; Destination 129.21.42.41; Protocol ICMP||ARP; Length 74 bytes; Info Echo (ping) reply

Step 9 In the Packet Details pane, you’ll see a wealth of information, including the Ethernet frame that contains some of the information that you viewed in Step 9 in the Packet List pane. Clicking the small plus sign (+) at the beginning of each line expands that line in the Packet Details pane to show its fields. Expand the Frame (summary information from Wireshark), Ethernet II (the actual Ethernet frame), and Address Resolution Protocol (request) (ARP is encapsulated inside the Ethernet frame at Layer 2) tree listings. Look at the fields in the Address Resolution Protocol (request) section, and fill in the information displayed in the following row fields:

ARP row fields: Sender MAC address, Sender IP address, Target MAC address, Target IP address

Local Communication: Sender MAC address 44:1c:a8:e2:3f:09; Sender IP address 129.21.42.41; Target MAC address 00:00:0c:07:ac:01; Target IP address 98.139.183.24

Remote Communication: Sender MAC address 00:1d:a1:38:58:00; Sender IP address 98.139.183.24; Target MAC address 44:1c:a8:e2:3f:09; Target IP address 129.21.42.41

Now look just above the Address Resolution Protocol (request) section, and you’ll notice the Ethernet II section. This is the actual Ethernet frame. Fill in the information displayed in the following row fields:

Ethernet II row fields: Destination, Source, Type

Local Communication: Destination: All-HSRP-routers_01 (00:00:0c:07:ac:01); Source: HonHaiPr_e2:3f:09 (44:1c:a8:e2:3f:09); Type: IPv4 (0x0800)

Remote Communication: Destination: HonHaiPr_e2:3f:09 (44:1c:a8:e2:3f:09); Source: CiscoInc_38:58:00 (00:1d:a1:38:58:00); Type: IPv4 (0x0800)

What’s the difference between Target MAC address in the ARP section and Destination in the Ethernet header? Why is this so? The difference between the Target MAC in the ARP section and the Destination in the Ethernet header is that all of these things are linked to a router. This happens because the IP address and destination of the packet are on a different network. So in order for it to get there, it goes through a router to get to the next network, and so on. The replies thus come from the current router the packet is trying to get through in order to get closer to its destination.

Step 10 In the Packet List summary pane, select the very next ARP data frame listed (which should be an ARP reply to the ARP request) and fill in the information displayed in the following column fields:

Packet List columns: Number (No.), Time, Source, Destination, Protocol, Length, Info

Local Communication: No. 529; Time 6.618616; Source 98.139.183.24; Destination 129.21.42.41; Protocol ICMP||ARP; Length 74; Info Echo (ping) reply

Remote Communication: No. 528; Time 6.595994; Source 129.21.42.41; Destination 98.139.183.24; Protocol ICMP||ARP; Length 74 bytes; Info Echo (ping) request

Step 11 In the Packet Details pane, expand the Frame (summary information from Wireshark), Ethernet II (the actual Ethernet frame), and Address Resolution Protocol (reply) (ARP is encapsulated inside the Ethernet frame at Layer 2) tree listings. Look at the fields in the Address Resolution Protocol (reply) section, and fill in the information displayed in the following row fields:

ARP row fields: Sender MAC address, Sender IP address, Target MAC address, Target IP address

Local Communication: Sender MAC address 00:1d:a1:38:58:00; Sender IP address 98.139.183.24; Target MAC address 44:1c:a8:e2:3f:09; Target IP address 129.21.42.41

Remote Communication: Sender MAC address 44:1c:a8:e2:3f:09; Sender IP address 129.21.42.41; Target MAC address 00:00:0c:07:ac:01; Target IP address 98.139.183.24


Now look just above the Address Resolution Protocol (request) section, and you’ll notice the Ethernet II section. This is the actual Ethernet frame. Fill in the information displayed in the following row fields:

Ethernet II row fields: Destination, Source, Type

Local Communication: Destination: HonHaiPr_e2:3f:09 (44:1c:a8:e2:3f:09); Source: CiscoInc_38:58:00 (00:1d:a1:38:58:00); Type: IPv4 (0x0800)

Remote Communication: Destination: All-HSRP-routers_01 (00:00:0c:07:ac:01); Source: HonHaiPr_e2:3f:09 (44:1c:a8:e2:3f:09); Type: IPv4 (0x0800)

Is there a difference again between Target MAC address in the ARP section and Destination in the Ethernet header? Why is this so? There is a difference because when it is sending packets it is communicating with the router in order to get the packet out of the network and communicate onto another.

Step 12 In the Packet List section, directly underneath the ARP request and ARP reply, you should see the 4 sets of ICMP Echo Requests and ICMP Echo Replies. In the Info section they are listed as Echo (ping) request and Echo (ping) reply.

In the Packet Details section, you’ll notice that unlike before (with the ARPs), there is now an IP header inside of the Ethernet frame. Inside the IP header is the ICMP header and the ICMP data. For now, just look at the gray section headers, without expanding the small plus signs (+). If you expanded them and they are now small minus signs (-), you can click the minus signs to collapse them back, or just view the gray section headers with the fields expanded.

The purpose of ARP (this exercise up until now) was to find the MAC address for the IP address that we wanted to contact. Now, while the ICMP Echo Request is selected, using the information in the Ethernet II frame header and the Internet Protocol Version 4 header, fill in the following information:

Ethernet II row fields: Source, Destination

Local Communication: Source: HonHaiPr_e2:3f:09 (44:1c:a8:e2:3f:09); Destination: All-HSRP-routers_01 (00:00:0c:07:ac:01)

Remote Communication: Source: CiscoInc_38:58:00 (00:1d:a1:38:58:00); Destination: HonHaiPr_e2:3f:09 (44:1c:a8:e2:3f:09)

Internet Protocol Version 4 row fields: Source, Destination

Local Communication: Source: 129.21.42.14; Destination: 98.139.183.24

Remote Communication: Source: 98.139.183.24; Destination: 129.21.42.14
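As an added example (not code from the lab handout or from Wireshark), the following Python decodes the encapsulations that Steps 9 through 12 walk through in the Packet Details pane: Ethernet II carrying ARP, and Ethernet II carrying IPv4 carrying ICMP. It constructs a local ping exchange (ARP request, ARP reply, echo request, echo reply, plus one unrelated frame), decodes each frame into the same layers Wireshark shows, and applies the Step 4 "arp or icmp" display filter. The PC's MAC and the peer's MAC are taken from the write-up; pairing them with the 192.168.5.x hosts of the Step 5 ping example is an assumption. Two things the tables above do not make visible: in the ARP request the Target MAC field is the still-unknown address (sent as zeros, the convention Windows and most stacks use) inside a frame whose Ethernet Destination is the broadcast address ff:ff:ff:ff:ff:ff, whereas in the ARP reply the Ethernet Destination equals the ARP Target MAC; and an echo request carrying the 32-byte Windows payload comes out at exactly the 74 bytes the Length column reports. The decoder also verifies the IPv4 and ICMP checksums, which is how a capture tool tells a clean frame from a corrupted one.

```python
# Added example, not part of the lab handout: decode Ethernet II -> ARP and
# Ethernet II -> IPv4 -> ICMP frames (Steps 9-12) and apply the "arp or icmp"
# filter of Step 4. Frames are constructed from the write-up's addresses.
import struct

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
BROADCAST_MAC, UNKNOWN_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
ICMP_NAMES = {8: "Echo (ping) request", 0: "Echo (ping) reply"}


def mac_to_bytes(mac): return bytes(int(x, 16) for x in mac.split(":"))
def mac_to_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_to_bytes(ip): return bytes(int(x) for x in ip.split("."))
def ip_to_str(b): return ".".join(str(x) for x in b)


def inet_checksum(data):
    """RFC 1071 one's-complement sum used by IPv4 and ICMP. Run over a header
    that already carries its checksum, a result of 0 means the checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame):
    """Return the layers the Packet Details pane would show for one frame."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    out = {"length": len(frame), "protocol": f"0x{etype:04x}",
           "ethernet": {"dst": mac_to_str(dst), "src": mac_to_str(src), "type": etype}}
    payload = frame[14:]
    if etype == ETHERTYPE_ARP:
        _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", payload[:28])
        out["protocol"] = "ARP"
        out["arp"] = {"opcode": "request" if oper == 1 else "reply",
                      "sender_mac": mac_to_str(sha), "sender_ip": ip_to_str(spa),
                      "target_mac": mac_to_str(tha), "target_ip": ip_to_str(tpa)}
    elif etype == ETHERTYPE_IPV4:
        ihl = (payload[0] & 0x0F) * 4            # IPv4 header length in bytes
        out["protocol"] = "IPv4"
        out["ipv4"] = {"src": ip_to_str(payload[12:16]), "dst": ip_to_str(payload[16:20]),
                       "ttl": payload[8], "proto": payload[9],
                       "checksum_ok": inet_checksum(payload[:ihl]) == 0}
        if payload[9] == 1:                      # IP protocol 1 = ICMP
            icmp = payload[ihl:]
            itype, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
            out["protocol"] = "ICMP"
            out["icmp"] = {"info": ICMP_NAMES.get(itype, f"type {itype}"), "code": code,
                           "id": ident, "seq": seq, "data_len": len(icmp) - 8,
                           "checksum_ok": inet_checksum(icmp) == 0}
    return out


def apply_filter(frames, wanted=("ARP", "ICMP")):
    """The Step 4 display filter 'arp or icmp', applied to a list of raw frames."""
    return [d for d in map(decode_frame, frames) if d["protocol"] in wanted]


# --- constructed frames ------------------------------------------------------
def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip, eth_dst):
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, opcode,
                      mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                      mac_to_bytes(target_mac), ip_to_bytes(target_ip))
    return struct.pack("!6s6sH", mac_to_bytes(eth_dst), mac_to_bytes(sender_mac),
                       ETHERTYPE_ARP) + arp


def build_icmp_echo(src_mac, dst_mac, src_ip, dst_ip, icmp_type, ident, seq):
    data = b"abcdefghijklmnopqrstuvwabcdefghi"    # the 32-byte Windows ping payload
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + data
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 128, 1, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return struct.pack("!6s6sH", mac_to_bytes(dst_mac), mac_to_bytes(src_mac),
                       ETHERTYPE_IPV4) + ip + icmp


# MACs come from the write-up; pairing them with the Step 5 hosts is an assumption.
PC_MAC, PC_IP = "44:1c:a8:e2:3f:09", "192.168.5.12"
PEER_MAC, PEER_IP = "00:0e:28:92:ac:b7", "192.168.5.13"


def sample_capture():
    """The Step 6 sequence reduced to its first ARP and ICMP pairs, plus one
    unrelated (IPv6) frame that the display filter should hide."""
    return [
        build_arp(1, PC_MAC, PC_IP, UNKNOWN_MAC, PEER_IP, BROADCAST_MAC),  # who has PEER_IP?
        build_arp(2, PEER_MAC, PEER_IP, PC_MAC, PC_IP, PC_MAC),           # PEER_IP is at PEER_MAC
        build_icmp_echo(PC_MAC, PEER_MAC, PC_IP, PEER_IP, 8, 1, 1),       # echo request
        build_icmp_echo(PEER_MAC, PC_MAC, PEER_IP, PC_IP, 0, 1, 1),       # echo reply
        struct.pack("!6s6sH", mac_to_bytes(PEER_MAC), mac_to_bytes(PC_MAC), 0x86DD) + bytes(40),
    ]


if __name__ == "__main__":
    for d in apply_filter(sample_capture()):
        print(d["protocol"], d["length"], d["ethernet"], d.get("arp") or d.get("icmp"))
```

Running the block prints the four filtered frames in the order the lab expects them: two ARP lines followed by the echo request and reply, with the IPv6 frame dropped by the filter exactly as Wireshark's display filter would hide it while still capturing it.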

Step 13 Now you are going to repeat Steps 3 through 12; however, this time you will use the address of a computer on a remote network. Fill in the above tables again, but this time use the Remote Communication column. If you don’t have another network with a router set up, you can ping a remote host on the Internet like www.yahoo.com or www.google.com. Compare your results to the data you captured for the ping to the machine on the local network. What are the differences?


The replies, instead of going directly to the computer to ping back, go to the router on our network. Currently I actually did this lab by pinging yahoo.com, so my ICMP requests and replies went directly to the router. So in reality, if I did the lab as an arp||icmp on a local network, it actually would communicate directly with the destination IP on the network and be receiving the device’s true MAC address rather than the router’s. Also the ping would have been much faster and more responsive considering it is on the network. The only reason I decided to ping yahoo.com is because I wasn’t using a LAN connection, so basically pinging anyone is fine regardless, as long as you have an echo request and reply while pinging.

Submit a report with just the answers to the dropbox....

