Lab Worksheet 6 – Network Monitoring with Wireshark PDF

Title: Lab Worksheet 6 – Network Monitoring with Wireshark
Course: Network System Administration (NSA)
Institution: University of Hertfordshire

7COM1029 – Network System Administration, Lab Worksheet 6 – Network Monitoring with Wireshark. Xianhui Che (Cherry), School of Computer Science, University of Hertfordshire, [email protected]

1 Aims and Objectives

The purpose of this document is to introduce the packet sniffer Wireshark. This lab covers the basic operation of a packet sniffer, its installation, and a test run. You will use this software to identify network protocols and classify network traffic. Objectives:
• Get to know network monitoring software such as Wireshark
• Understand ICMP
• Understand encapsulation in layered protocols
• Learn about the DNS service
• Understand ARP

2 Background

The basic tool for observing the messages exchanged between executing protocol entities is called a packet sniffer. As the name suggests, a packet sniffer captures ("sniffs") the messages sent and received by your computer; it will also typically store and/or display the contents of the various protocol fields in these captured messages. A packet sniffer itself is passive: it observes messages being sent and received by the applications and protocols running on your computer, but never sends packets itself. Similarly, received packets are never explicitly addressed to the packet sniffer. Instead, the sniffer receives a copy of every packet that is sent or received by the applications and protocols executing on your machine.

The figure above shows the structure of a packet sniffer. At the right of the figure are the protocols and applications (such as a web browser or an FTP client) that normally run on your computer. The packet sniffer, shown within the dashed rectangle, is an addition to the usual software on your computer and consists of two parts. The packet capture library receives a copy of every link-layer frame that is sent from or received by your computer. Messages exchanged by higher-layer protocols such as HTTP, FTP, TCP, UDP, DNS, or IP are all eventually encapsulated in link-layer frames that are transmitted over physical media such as an Ethernet cable. In this figure the assumed physical medium is Ethernet, so all upper-layer protocols are eventually encapsulated within an Ethernet frame. Capturing all link-layer frames thus gives you all messages sent or received by all protocols and applications executing on your computer. The second component of a packet sniffer is the packet analyzer, which displays the contents of all fields within a protocol message. In order to do so, the packet analyzer must understand the structure of all messages exchanged by the protocols. For example, suppose we are interested in displaying the various fields in messages exchanged by the HTTP protocol, as shown in the figure. The packet analyzer understands the format of Ethernet frames, and so can identify the IP datagram within an Ethernet frame. It also understands the IP datagram format, so that it can extract the TCP segment within the IP datagram.

7COM1029 – Network System Administration, Lab Worksheet 6


Then it understands the TCP segment structure, so it can extract the HTTP message contained in the TCP segment. Finally, it understands the HTTP protocol and so, for example, knows that the first bytes of an HTTP request will contain the string GET, POST, or HEAD. We will be using the Wireshark packet sniffer [http://www.wireshark.org/] for these labs, allowing us to display the contents of messages sent and received by protocols at different levels of the protocol stack. (Technically speaking, Wireshark is a packet analyzer that uses a packet capture library, libpcap on Linux, in your computer.) Wireshark is a free network protocol analyzer that runs on Windows, Linux/Unix, and macOS. It's an ideal packet analyzer for our labs: it is stable; it has a large user base and well-documented support that includes a user guide (http://www.wireshark.org/docs/wsug_html_chunked/), man pages (http://www.wireshark.org/docs/man-pages/), and a detailed FAQ (http://www.wireshark.org/faq.html); it has rich functionality, including the capability to analyze hundreds of protocols; and it has a well-designed user interface. It operates on computers using Ethernet, Token Ring, FDDI, serial (PPP and SLIP), 802.11 wireless LAN, and ATM connections. A typical Wireshark graphical user interface is shown in the figure below; it has five major components.

• The command menus are standard pull-down menus located at the top of the window. Of interest to us now are the File and Capture menus. The File menu allows you to save captured packet data, open a file containing previously captured packet data, and exit the Wireshark application. The Capture menu allows you to begin packet capture.
• The packet-listing window displays a one-line summary for each packet captured, including the packet number (assigned by Wireshark; this is not a packet number contained in any protocol's header), the time at which the packet was captured, the packet's source and destination addresses, the protocol type, and protocol-specific information contained in the packet. The packet listing can be sorted according to any of these categories by clicking on a column name. The protocol type field lists the highest-level protocol that sent or received this packet, i.e., the protocol that is the source or ultimate sink for this packet.
• The packet-header details window provides details about the packet selected (highlighted) in the packet-listing window. (To select a packet, place the cursor over the packet's one-line summary in the packet-listing window and click with the left mouse button.) These details include information about the Ethernet frame and IP datagram that contain this packet. The amount of Ethernet and IP-layer detail displayed can be expanded or collapsed by clicking on the right-pointing or down-pointing arrowhead to the left of the Ethernet frame or IP datagram line in the packet details window. If the packet has been carried over TCP or UDP, TCP or UDP details will also be displayed, which can similarly be expanded or collapsed. Finally, details about the highest-level protocol that sent or received this packet are also provided.
• The packet-contents window displays the entire contents of the captured frame, in both ASCII and hexadecimal format.
• Towards the top of the Wireshark graphical user interface is the packet display filter field, which can be used to filter the information displayed in the packet-listing window (and hence the packet-header and packet-contents windows). In the example below, we'll use the display filter field to have Wireshark hide (not display) all packets except those that correspond to HTTP messages. A display filter only changes what is shown, not what was captured; capture filters, set before capturing starts, do that. For more details on display filters, go to https://wiki.wireshark.org/DisplayFilters.

3 Running Wireshark

Use the computer that is under your desk, log on to the Linux OS, open a terminal and type:

wireshark &

You will see a window looking like this (it may not look exactly like this, but similar enough):

Normally it is quite straightforward to capture live traffic: simply select a network interface and click Start. Unfortunately you have not been given permission to do this on our beloved campus, so you will not be able to run Wireshark directly to capture live traffic. However, there is a way around it. Please follow these steps:
1. In the terminal window, type tcpdump -i eth0 -w /tmp/pkts. This assumes you want to monitor the traffic on the eth0 interface; -w writes the raw captured frames to the file /tmp/pkts in pcap format, which Wireshark can open, instead of printing them.
2. There is now a silent period: let the network run on its own while the traffic is written to /tmp/pkts, and generate the traffic you want to examine (for example, run ping or open a web page) during this period.
3. Press Ctrl+C to stop tcpdump.
4. In the Wireshark menu, click File then Open, choose the file you just captured, and you will see the usual interface displaying all the traffic you captured.
If Wireshark shows packets with truncated payloads, run tcpdump again with -s 0 so that whole frames are written: older tcpdump versions default to a snapshot length of 68 bytes, which keeps only the headers.
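The file that tcpdump -w writes is in pcap format, which is what Wireshark's File > Open reads. As an added example (not part of the worksheet), the Python below writes and reads that format for two constructed Ethernet frames and flags frames that were cut short by the snapshot length; the frame bytes, MAC addresses and timestamps are made up.

```python
"""Minimal writer/reader for the classic pcap format that `tcpdump -w` produces
and Wireshark's File > Open reads. Added example, not part of the worksheet;
the frames and timestamps below are constructed sample data."""
import struct

PCAP_MAGIC = 0xA1B2C3D4          # microsecond timestamps, written in host byte order
LINKTYPE_ETHERNET = 1             # DLT_EN10MB: each record is a raw Ethernet frame


def write_pcap(records, snaplen=262144):
    """records: iterable of (timestamp_seconds: float, frame: bytes).
    Returns a complete pcap file: 24-byte global header, then per frame a
    16-byte record header (ts_sec, ts_usec, captured length, original length)
    followed by at most `snaplen` bytes of the frame."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        captured = frame[:snaplen]                     # snaplen truncates long frames
        out += struct.pack("<IIII", sec, usec, len(captured), len(frame)) + captured
    return bytes(out)


def read_pcap(data):
    """Parse a pcap file into [(timestamp, captured_bytes, original_length)].
    Raises ValueError on a wrong magic number, an unknown version, or a record
    cut short, which is what an interrupted or still-being-written capture looks like."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:                          # file written on a big-endian host
        endian = ">"
    else:
        raise ValueError("not a pcap file (magic %#x)" % magic)
    _, vmaj, vmin, _, _, _, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if (vmaj, vmin) != (2, 4) or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap version %d.%d or link type %d" % (vmaj, vmin, linktype))
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        sec, usec, incl, orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl > len(data):
            raise ValueError("truncated record data at offset %d" % off)
        records.append((sec + usec / 1_000_000, data[off:off + incl], orig))
        off += incl
    return records


def truncated_frames(records):
    """Indexes of frames whose captured length is below the original length: the
    capture ran with a small snaplen and Wireshark will show cut-off payloads."""
    return [i for i, (_, cap, orig) in enumerate(records) if len(cap) < orig]


# Constructed sample: a 42-byte ARP-sized frame and a 114-byte IPv4-sized frame
# (broadcast / made-up MACs, ethertype, then filler bytes).
SAMPLE_FRAMES = [
    (1.000250, bytes.fromhex("ffffffffffff" "001122334455" "0806") + b"\x00" * 28),
    (1.000900, bytes.fromhex("001122334455" "00aabbccddee" "0800") + b"\x45" + b"\x00" * 99),
]

if __name__ == "__main__":
    blob = write_pcap(SAMPLE_FRAMES, snaplen=68)      # 68 was the old tcpdump default
    for ts, cap, orig in read_pcap(blob):
        print("%.6f captured %d of %d bytes" % (ts, len(cap), orig))
    print("truncated:", truncated_frames(read_pcap(blob)))
```

Running it with snaplen=68 shows the second frame stored as 68 of 114 bytes, which is exactly the "packet size limited during capture" condition Wireshark reports when an old tcpdump ran without -s 0.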

4 Understand ICMP

Internet Control Message Protocol (ICMP) is an error-reporting and diagnostic utility and is considered a required part of any IP implementation. Understanding ICMP, and knowing what can generate a specific type of ICMP message, is useful in diagnosing network problems. There are different types of ICMP messages, as shown in the table below:

Type  Description
0     Echo Reply
3     Destination Unreachable
4     Source Quench (deprecated by RFC 6633; modern hosts no longer send it)
5     Redirect Message
8     Echo Request
11    Time Exceeded
12    Parameter Problem
13    Timestamp Request
14    Timestamp Reply
17    Address Mask Request
18    Address Mask Reply

Echo Request and Echo Reply are the most commonly used ICMP messages. They test IP connectivity and are what the ping program sends and receives; the exchange is commonly known simply as PING.

4.1 Capture ping Traffic

Follow these steps:
1. Use netstat -r (or ip route on newer systems) to find out where your default gateway is.
2. Start capturing traffic.
3. Type ping followed by the address of your default gateway in the command-line interface.
4. Wait for about 3 or 4 replies to the ping messages, then press Ctrl+C to stop. Do NOT close the terminal window yet. You may have something looking like this:

5. Stop capturing traffic.
6. Use Wireshark to open the captured traffic.
7. In the display filter of Wireshark, type icmp to show ICMP packets only. You should see something like this:

8. Fill in Table 1. Wireshark shows the transit time on the Echo Reply row, measured from the capture time of the request with the same identifier and sequence number.

Table 1: Traffic for ping

                         ICMP Type Code | ICMP Type Description | IP Address (From) | IP Address (To) | TTL | Transit Time
ICMP Sequence 1 request
ICMP Sequence 1 reply
ICMP Sequence 2 request
ICMP Sequence 2 reply

9. Compare Table 1 with the information you saw in the terminal window and see if they match.


4.2 What is 127.0.0.1?

127.0.0.1 is the loopback Internet Protocol (IP) address, also referred to as localhost. The address is used to establish an IP connection to the same machine the end user is working on. The same convention is defined for computers that support IPv6 addressing, using the notation ::1. While capturing network traffic, try ping 127.0.0.1, and then use Wireshark to analyze the captured traffic. Can you find this packet stream? You will find nothing. Why? Establishing a network connection to the 127.0.0.1 loopback address is accomplished in the same manner as establishing one with any remote computer or device on the network. The primary difference is that the connection never touches the local network interface hardware: the packets are delivered internally through the loopback interface (lo on Linux), so a capture on eth0 never sees them. If you capture on the loopback interface instead (tcpdump -i lo), the ICMP packets do appear. System administrators and application developers commonly use 127.0.0.1 to test applications.

4.3 Capture traceroute Traffic

TTL stands for Time To Live. Every IP datagram carries a TTL field in its IP header (the field belongs to IP, not to TCP), set by the sender to the number of routers (hops) the datagram may pass through before it is discarded. Each router the packet passes through decrements the TTL; when it reaches zero, the router destroys the packet and returns an ICMP Time Exceeded message (type 11) to the source. The returned message's own TTL is set by the router that generated it and is decremented normally on the way back. traceroute works by setting the TTL of a probe packet to 1, sending it towards the requested destination host, and listening for the reply. When the initiating machine receives a Time Exceeded response, it examines the packet's source address to determine where it came from: this identifies the machine one hop away. The tracing machine then generates a new probe with TTL 2 and uses the response to determine the machine two hops away, and so on. In summary, traceroute sends the first probe with TTL=1, the second with TTL=2, and so on; since every router on the path decrements the TTL, the router that sends the Time Exceeded error back tells the source where that hop is. Note that the Linux traceroute sends UDP probes to high-numbered ports by default, so the outgoing probes appear as UDP in Wireshark and only the returned ICMP messages match the icmp filter; the destination itself answers the last probe with ICMP Destination Unreachable (port unreachable) rather than Time Exceeded. Run traceroute -I if you want ICMP Echo Request probes instead. Follow these steps to discover how traceroute works:
1. Start capturing traffic.
2. Type traceroute google.com
3. Stop capturing traffic. Do NOT close the terminal window yet. You will probably see something similar to this in the command window:

From this figure you can see that for each TTL value the source program sends three probe packets. traceroute displays the round-trip time (RTT) for each of the probe packets, as well as the IP address (and possibly the name) of the router that returned the ICMP Time Exceeded message.
4. Use Wireshark to open the captured traffic file. Type icmp in the display filter. You should see a list of traceroute packets in the window, similar to this:


If your packets are not displayed in sequential order, click the No. column header (the first column) to sort them.
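The steps in 4.1 and 4.3 both come down to matching ICMP messages by their header fields. As an added example (not code from the worksheet), the Python below builds and checks ICMP messages with the RFC 1071 checksum, fills a Table 1-style set of rows from a constructed ping capture (the gateway address, identifier, TTLs and capture times are made up), and models traceroute as a probe crossing a constructed list of routers that return Time Exceeded; the model uses ICMP echo probes, as traceroute -I does.

```python
"""ICMP echo, Time Exceeded and traceroute, added as an example for sections 4.1
and 4.3 (not code from the worksheet). Checksum per RFC 1071. The gateway and
router addresses, identifier and capture times are constructed sample values."""
import struct

ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              5: "Redirect Message", 8: "Echo Request", 11: "Time Exceeded",
              12: "Parameter Problem", 13: "Timestamp Request", 14: "Timestamp Reply",
              17: "Address Mask Request", 18: "Address Mask Reply"}
ECHO_REPLY, ECHO_REQUEST, TIME_EXCEEDED = 0, 8, 11


def inet_checksum(data):
    """RFC 1071 ones'-complement sum of 16-bit words; 0 over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type, code, ident=0, seq=0, payload=b""):
    """8-byte header (type, code, checksum, identifier, sequence) + payload.
    Time Exceeded does not use identifier/sequence; those words are sent as 0."""
    hdr = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload


def parse_icmp(msg):
    """Split a message into the fields Wireshark shows; reject a bad checksum."""
    if len(msg) < 8 or inet_checksum(msg) != 0:
        raise ValueError("short ICMP message or bad checksum")
    t, c, _, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return {"type": t, "code": c, "desc": ICMP_TYPES.get(t, "unknown"),
            "id": ident, "seq": seq, "payload": msg[8:]}


def ping_table(events):
    """events: [(capture_time_s, src_ip, dst_ip, ip_ttl, icmp_bytes)] in capture order.
    Returns one Table 1-style row per message; the transit (round-trip) time is
    filled in on an Echo Reply whose identifier+sequence match an earlier request,
    which is how Wireshark pairs them too."""
    sent, rows = {}, []
    for t, src, dst, ttl, msg in events:
        m = parse_icmp(msg)
        key = (m["id"], m["seq"])
        row = {"seq": m["seq"], "type": m["type"], "code": m["code"], "desc": m["desc"],
               "from": src, "to": dst, "ttl": ttl, "transit_ms": None}
        if m["type"] == ECHO_REQUEST:
            sent[key] = t
        elif m["type"] == ECHO_REPLY and key in sent:
            row["transit_ms"] = round((t - sent[key]) * 1000, 3)
        rows.append(row)
    return rows


def forward_probe(path, dst, ttl):
    """Model one probe with the given initial TTL crossing the routers in `path`.
    Each router decrements TTL; the router that brings it to 0 discards the probe
    and answers Time Exceeded, quoting the start of the offending datagram (RFC 792
    quotes the IP header + 8 bytes; this model quotes the 8-byte ICMP header).
    Returns (responder_ip, icmp_reply_bytes)."""
    seq = ttl
    probe = build_icmp(ECHO_REQUEST, 0, ident=0x1234, seq=seq)
    for router in path:
        ttl -= 1
        if ttl == 0:
            return router, build_icmp(TIME_EXCEEDED, 0, payload=probe[:8])
    return dst, build_icmp(ECHO_REPLY, 0, ident=0x1234, seq=seq)


def traceroute(path, dst, max_hops=30):
    """TTL = 1, 2, 3, ... until the destination answers with Echo Reply (what
    traceroute -I does). Returns [(ttl, responder_ip, icmp_type)]."""
    hops = []
    for ttl in range(1, max_hops + 1):
        responder, reply = forward_probe(path, dst, ttl)
        kind = parse_icmp(reply)["type"]
        hops.append((ttl, responder, kind))
        if kind == ECHO_REPLY:
            break
    return hops


# Constructed capture of `ping <gateway>`: two request/reply pairs, 1 s apart.
HOST, GATEWAY = "147.197.19.170", "192.0.2.1"
PING_EVENTS = [
    (0.000000, HOST, GATEWAY, 64, build_icmp(ECHO_REQUEST, 0, 0x2B01, 1, b"abcdefgh")),
    (0.000412, GATEWAY, HOST, 255, build_icmp(ECHO_REPLY, 0, 0x2B01, 1, b"abcdefgh")),
    (1.001020, HOST, GATEWAY, 64, build_icmp(ECHO_REQUEST, 0, 0x2B01, 2, b"abcdefgh")),
    (1.001395, GATEWAY, HOST, 255, build_icmp(ECHO_REPLY, 0, 0x2B01, 2, b"abcdefgh")),
]
ROUTERS = ["192.0.2.1", "198.51.100.1", "203.0.113.1"]          # constructed path

if __name__ == "__main__":
    for row in ping_table(PING_EVENTS):
        print(row)
    for ttl, who, kind in traceroute(ROUTERS, "203.0.113.50"):
        print(ttl, who, ICMP_TYPES[kind])
```

The TTL column in Table 1 differs between the two directions because each host sets its own initial TTL (64 on Linux) and every router on the way decrements it; the sample uses 255 for the gateway's replies to make that visible.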

5 Capture Web Traffic

Use the capture technique explained in section 3 to capture a period of traffic during which you open a web browser, type http://netlab.cs.herts.ac.uk/pub/ in the address field and press Enter. Then use Wireshark to open the captured traffic file.

6 Analyzing HTTP Packets

Since we are fetching a web page, we know that the protocol layers being used are as shown below. HTTP is the application-layer web protocol used to fetch URLs. Like many Internet applications, it runs on top of TCP (transport layer) and IP (network layer). The link and physical layer protocols depend on your network, but are typically Ethernet if your computer is wired, or 802.11 if your computer is wireless.

In the display filter field of the Wireshark window, type http, and you will see a list of HTTP-related packets. Click on any one of these and read the packet details field:
• The first Wireshark block is Frame. This is not a protocol; it is a record that describes overall information about the packet, including when it was captured and how many bytes long it is.
• The second block is Ethernet. It has all the information about the Ethernet frame.
• Then come IP, TCP, and HTTP, just as we wanted.
Note that the order is from the bottom of the protocol stack upwards. This is because, as packets are passed down the stack, the header of the lower-layer protocol is added in front of the data from the higher-layer protocol, so the lower-layer headers come first in the packet on the wire. Packet encapsulation is covered in the first network lecture of this module, “Computer Network Architecture”. Based on the information you now have, you should be able to sketch this packet's format. A brief sketch can look like the figure shown below; you can include any header details you like, since they are all shown in Wireshark.

7 Analyzing DNS Packets

Type dns in the filter field and you will see a list of packets that are relevant to DNS. See if you can find an entry looking something like this:

362 8.811783000 147.197.19.170 147.197.215.16 DNS 81 Standard query 0x225a A netlab.cs.herts.ac.uk

The keyword to look for is “Standard query ... netlab.cs.herts.ac.uk”. Read this packet and sketch it in the table below.

Table 2: Sketch this DNS packet format in the box below. You can follow the example in section 6, or add more details if you like.

Highlight this packet, then right-click and choose Follow UDP Stream from the pop-up menu. A new window called Follow UDP Stream opens. You do not need to examine this window at this stage, so you can close it. You will have noticed, however, that only two packets remain in the main Wireshark window: Follow UDP Stream applies a display filter that selects just this UDP conversation. These are the two packets you will examine next. They should look something like this:

These two packets represent one cycle of DNS correspondence: a query and a response. Now observe the packet details field of these two captured packets and fill in Table 3. In the terminal window, type cat /etc/resolv.conf to find out where your default DNS server is. Write it down here and see which IP address in Table 3 it matches.
IP address of your DNS server:

Table 3: DNS Query and Response

Query Packet
  What is the query?
  Which port is UDP using to transmit this query?   Source port:          Destination port:
  Length of the UDP part of the packet
  Length of the IP header
  Total length of the IP header and IP’s data payload
  Sender IP address
  Receiver IP address
  Has this packet been fragmented at the IP level?
  The current TTL value
  Identify the MAC address of your computer from this packet

Response Packet
  What is the answer to the query?
  Sender IP address
  Receiver IP address
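Table 3 asks for one field from each layer of a single DNS query, which is the encapsulation described in section 6 applied to section 7's packet. As an added example (not code from the worksheet), the Python below constructs the query frame from the section 7 listing (same host and resolver addresses, name and transaction ID 0x225a; the MAC addresses, UDP source port and the answer 192.0.2.10 are made up) and its response, then dissects them layer by layer. It verifies the IP header checksum and refuses a looping DNS name-compression pointer, two checks a dissector needs before trusting a field.

```python
"""Added example for sections 6 and 7, not code from the worksheet: build one DNS
query frame and its response, then dissect them layer by layer (Ethernet -> IPv4
-> UDP -> DNS) to recover the Table 3 fields. The two IP addresses, the name and
the transaction ID come from the section 7 listing; MAC addresses, the UDP source
port and the answer record are constructed."""
import socket
import struct

ETHERTYPE_IPV4, PROTO_UDP = 0x0800, 17


def inet_checksum(data):
    """RFC 1071 ones'-complement sum; 0 over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def mac_bytes(m):
    return bytes.fromhex(m.replace(":", ""))


def encode_name(name):
    """'netlab.cs.herts.ac.uk' -> length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_dns(txid, name, answer_ip=None):
    """A-record query (flags 0x0100); with answer_ip, the response (flags 0x8180)
    whose answer name is the compression pointer 0xC00C back to the question."""
    flags, ancount = (0x8180, 1) if answer_ip else (0x0100, 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    if answer_ip:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(answer_ip)
    return msg


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload, ttl=64):
    """Encapsulate bottom-up: UDP (checksum 0 = none, legal over IPv4), a 20-byte
    IPv4 header with DF set and a valid checksum, then Ethernet II."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1A2B, 0x4000,
                     ttl, PROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp


def read_name(msg, off, jumps=0):
    """Decode labels at off, following 0xC0 pointers; returns (name, offset after the name)."""
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                   # pointer: the name continues elsewhere
            if jumps >= 8:
                raise ValueError("compression pointer loop")
            tail, _ = read_name(msg, ((n & 0x3F) << 8) | msg[off + 1], jumps + 1)
            return ".".join(labels + [tail]), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def parse_dns(msg):
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        questions.append((name, struct.unpack("!HH", msg[off:off + 4])[0]))
        off += 4
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, rttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        answers.append((name, rtype, rttl, socket.inet_ntoa(rdata) if rtype == 1 else rdata))
        off += 10 + rdlen
    return {"id": txid, "response": bool(flags & 0x8000), "questions": questions, "answers": answers}


def parse_frame(frame):
    """Peel the layers in the order Wireshark's details pane lists them."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4")
    h = frame[14:]
    vihl, _, total_len, _, ff, ttl, proto, _, sip, dip = struct.unpack("!BBHHHBBH4s4s", h[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or inet_checksum(h[:ihl]) != 0 or proto != PROTO_UDP:
        raise ValueError("bad IPv4 header or not UDP")
    sport, dport, ulen, _ = struct.unpack("!HHHH", h[ihl:ihl + 8])
    mac = lambda b: ":".join("%02x" % x for x in b)
    return {"eth": {"src": mac(src), "dst": mac(dst)},
            "ip": {"header_len": ihl, "total_len": total_len, "ttl": ttl,
                   "fragmented": bool(ff & 0x2000) or (ff & 0x1FFF) != 0,  # MF set or offset > 0
                   "src": socket.inet_ntoa(sip), "dst": socket.inet_ntoa(dip)},
            "udp": {"sport": sport, "dport": dport, "length": ulen},
            "dns": parse_dns(h[ihl + 8:ihl + ulen])}


HOST_MAC, GW_MAC = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"            # constructed
HOST_IP, RESOLVER_IP, QNAME = "147.197.19.170", "147.197.215.16", "netlab.cs.herts.ac.uk"
QUERY = build_frame(HOST_MAC, GW_MAC, HOST_IP, RESOLVER_IP, 41523, 53, build_dns(0x225A, QNAME))
RESPONSE = build_frame(GW_MAC, HOST_MAC, RESOLVER_IP, HOST_IP, 53, 41523,
                       build_dns(0x225A, QNAME, "192.0.2.10"), ttl=61)      # answer is made up

if __name__ == "__main__":
    print(len(QUERY), "bytes on the wire")     # 81, as in the section 7 listing
    print(parse_frame(QUERY))
    print(parse_frame(RESPONSE)["dns"])
```

The constructed query comes out at exactly 81 bytes, the frame length in the section 7 listing: 14 (Ethernet) + 20 (IP header) + 8 (UDP) + 39 (DNS), so the "length of the UDP part" entry in Table 3 is 47 and the IP total length is 67. The answer's name in the response is a two-byte pointer back to offset 12 rather than the spelled-out name, which is why Wireshark shows the same name in both records although the response is only 16 bytes longer.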

8 Analyzing ARP Traffic

Type arp in the filter field and you will see a list of ARP packets. Highlight one packet and illustrate its content below.

Table 4: Sketch an ARP packet format in the box below. You can follow the example in section 6, or add more details if you like.

Also answer this question: how are ARP packets transmitted through the local network? (Please circle the correct answer.)
(A) Unicast (B) Broadcast (C) Multicast (D) Anycast
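As an added example for this section (not code from the worksheet), the Python below builds an ARP request and the reply a host would send, dissects both into the fields Wireshark shows, and classifies each frame by its Ethernet destination address, which is what decides the answer to the question above. It also adds the check a network monitor such as arpwatch performs, since ARP has no authentication: reporting any IP address that replies have tied to more than one MAC address. All MAC and IP addresses are constructed sample values.

```python
"""ARP request/reply framing, added as an example for section 8 (not part of the
worksheet). Shows why a request is a broadcast while the reply is unicast, and
flags the classic abuse: two different MACs claiming the same IP address.
All addresses are constructed sample values."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(m):
    return bytes.fromhex(m.replace(":", ""))


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def ip_bytes(a):
    return bytes(int(o) for o in a.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet header + 28-byte ARP body (htype 1 = Ethernet, ptype 0x0800 = IPv4).
    A request does not know the target MAC, so its Ethernet destination is the
    broadcast address; a reply goes straight back to the requester's MAC."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    body = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_bytes(sender_mac) + ip_bytes(sender_ip)
            + mac_bytes(target_mac) + ip_bytes(target_ip))
    return mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP) + body


def delivery(eth_dst):
    """Classify an Ethernet destination: all-ones is broadcast; a set I/G bit
    (least significant bit of the first octet) is multicast; otherwise unicast."""
    if eth_dst == b"\xff" * 6:
        return "broadcast"
    return "multicast" if eth_dst[0] & 1 else "unicast"


def parse_arp(frame):
    """Dissect the fields Wireshark shows under Ethernet II and ARP."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame (ethertype %#06x)" % etype)
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    b = frame[22:42]
    return {"eth_dst": mac_str(dst), "eth_src": mac_str(src), "delivery": delivery(dst),
            "op": op, "sender_mac": mac_str(b[0:6]), "sender_ip": ".".join(map(str, b[6:10])),
            "target_mac": mac_str(b[10:16]), "target_ip": ".".join(map(str, b[16:20]))}


def respond(frame, my_mac, my_ip):
    """What a host does with a received request: answer only if the target IP is ours."""
    a = parse_arp(frame)
    if a["op"] != ARP_REQUEST or a["target_ip"] != my_ip:
        return None
    return build_arp(ARP_REPLY, my_mac, my_ip, a["sender_mac"], a["sender_ip"])


def conflicting_claims(frames):
    """ARP carries no authentication, so any host can claim any IP. Like arpwatch,
    return {ip: sorted MACs} for every IP that replies have tied to more than one MAC."""
    seen = {}
    for f in frames:
        a = parse_arp(f)
        if a["op"] == ARP_REPLY:
            seen.setdefault(a["sender_ip"], set()).add(a["sender_mac"])
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


# Constructed exchange: the host asks for the gateway's MAC, then an impostor also replies.
HOST_MAC, HOST_IP = "00:11:22:33:44:55", "147.197.19.170"
GW_MAC, GW_IP = "00:aa:bb:cc:dd:ee", "147.197.19.1"
REQUEST = build_arp(ARP_REQUEST, HOST_MAC, HOST_IP, ZERO_MAC, GW_IP)
REPLY = respond(REQUEST, GW_MAC, GW_IP)
SPOOFED = build_arp(ARP_REPLY, "de:ad:be:ef:00:01", GW_IP, HOST_MAC, HOST_IP)

if __name__ == "__main__":
    for f in (REQUEST, REPLY, SPOOFED):
        print(parse_arp(f))
    print("conflicts:", conflicting_claims([REQUEST, REPLY, SPOOFED]))
```

In a real capture the arp filter shows the same pattern: "Who has 147.197.19.1? Tell 147.197.19.170" with destination Broadcast, followed by "147.197.19.1 is at 00:aa:bb:cc:dd:ee" addressed to your own MAC. A second "is at" for the same IP from a different MAC, as in the SPOOFED frame, is the signature of ARP spoofing.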

