Lab #0 - 14-740

Lab 0: Getting Up to Speed (Version 1.6.2)

Introduction to Wireshark

Objective

In this lab the student shall work individually to:

1. Learn about packet sniffers and see how they capture and analyze network traffic.
2. Install Wireshark and start to learn how it works.

Theory

Packet Sniffers

Packet sniffers are a basic tool for observing the messages on a network. As the name suggests, a packet sniffer captures ("sniffs") messages being sent and received by your computer; it will also typically store and/or display the contents of the various protocol fields in these captured messages. A packet sniffer itself is passive. It observes messages being sent and received by applications and protocols running on your computer, but never sends packets itself. Similarly, received packets are never explicitly addressed to the packet sniffer. Instead, a packet sniffer receives a copy of packets that are sent and received by applications and protocols executing on your machine.

[Figure 1: Structure of a packet sniffer. Right: the protocol stack and applications that normally run on your computer: application (e.g. browser, ssh client, skype), transport (TCP, UDP), network (IP), link (Ethernet), physical (CAT5, radio). Left, inside the dashed rectangle: the packet analyzer and the packet capture library (pcap), which receives a copy of all Ethernet frames sent to or received from the network.]

The figure above shows the structure of a packet sniffer. At the right are the protocols (in this case, Internet protocols) and applications (such as a web browser or ftp client) that normally run on your computer. The packet sniffer, shown within the dashed rectangle, is an addition to the usual software in your computer and consists of two parts. The packet capture library receives a copy of every link-layer frame that is sent from or received by your computer. Recall from the discussion in section 1.5 of the text (Figure 1.20) that messages exchanged by higher-layer protocols such as HTTP, FTP, TCP, UDP, DNS or IP are all eventually encapsulated in link-layer frames that are transmitted over physical media such as an Ethernet cable. In the figure the assumed physical medium is an Ethernet, and so all upper-layer protocols are eventually encapsulated within an Ethernet frame. Capturing all link-layer frames thus gives you all messages sent and received by all protocols and applications executing on your computer.

(Substantial amounts of this lab instruction manual are borrowed from "Wireshark Lab: Getting Started" by Kurose and Ross.)

The existence of the packet capture box in this figure should give you cause to pause and think, particularly down two trains of thought. Firstly, it shows that any packet on a shared medium (Ethernet, Wi-Fi, etc.) can be captured and examined without notification of the sender or receiver. You cannot rely on common link-layer protocols to protect your secrets or your privacy online. At a minimum you should be using encryption protocols, generally found at the application layer (for example TLS for web traffic and SSH for remote logins), though sometimes elsewhere, to protect all network traffic you generate or receive. Secondly, you have the ability to act as the bad guy and capture the network traffic of other people, examine it, and exploit what you find. You need to learn to use this tool in a responsible fashion. Remember the movie quote: "With great power comes great responsibility." We will use a filter to ensure Wireshark doesn't display traffic other than your own, but this is purely a voluntary measure. Please act ethically and responsibly in your use of Wireshark.

The second component of a packet sniffer is the packet analyzer, which displays the contents of all fields within a protocol message. In order to do so, the packet analyzer must understand the structure of all messages exchanged by protocols. For example, suppose we are interested in displaying the various fields in messages exchanged by the HTTP protocol. The packet analyzer understands the format of Ethernet frames, and so can identify the IP datagram within an Ethernet frame. It also understands the IP datagram format, so that it can extract the TCP segment within the IP datagram. It understands the TCP segment structure, so it can extract the HTTP message contained in the TCP segment. Finally, it understands the HTTP protocol and so, for example, knows that the first bytes of an HTTP message will contain the string "GET", "POST" or "HEAD", as shown in Figure 2.8 in the text.

We will be using the Wireshark packet sniffer (http://www.wireshark.org/) for these labs, allowing us to display the contents of messages being sent and received by protocols at different levels of the protocol stack. (Technically speaking, Wireshark is a packet analyzer that uses a packet capture library in your computer.) Wireshark is a free network protocol analyzer that runs on Windows, Linux, Unix and Mac computers. It's an ideal packet analyzer for our labs: it is stable, has a large user base and well-documented support that includes a user guide (http://www.wireshark.org/docs/wsug_html_chunked/), man pages (http://www.wireshark.org/docs/man-pages/) and a detailed FAQ (http://www.wireshark.org/faq.html), rich functionality that includes the capability to analyze hundreds of protocols, and a well-designed user interface. It operates on computers using Ethernet, Token Ring, FDDI, serial (PPP and SLIP), 802.11 wireless LANs and ATM connections (if the OS on which it's running allows Wireshark to do so).

Procedures

1. Get Wireshark

1. In order to run Wireshark, you will need to have access to a computer that supports both Wireshark and the libpcap or WinPcap packet capture library. The libpcap software will be installed for you, if it is not already installed within your operating system, when you install Wireshark. See http://www.wireshark.org/download.html for a list of supported operating systems and download sites.

2. Download the Wireshark binary from http://www.wireshark.org/download.html and install it. Make sure to also download the Wireshark user guide. Mac OS X users might want to examine this guide: http://josephhall.org/nqb2/index.php/wrshrkinstll. As an alternative to using X11, Mac OS X users might consider installing the development release, version 1.99.9. The Wireshark development community is working towards a 2.0 release, which will use the Qt user interface library. The real advantage is that you will no longer need to run an X Windows server. The drawback to using a development build is, of course, that it is a development build: it may not have a full implementation and is likely to have some latent bugs. Consider carefully, Mac users.

3. The Wireshark FAQ has a number of helpful hints and interesting tidbits of information, particularly if you have trouble installing or running Wireshark.

4. You may need to disable anti-virus protection software (McAfee, I'm looking at you) before your own IP address will show up in captured data.

2. Run Wireshark

1. When you run the Wireshark program, the Wireshark graphical user interface will be displayed. Initially, no data will be displayed in the various windows.

2. The Wireshark interface has five major components:

   1. The command menus are standard pull-down menus located at the top of the window. Of interest to us now are the File and Capture menus. The File menu allows you to save captured packet data or open a file containing previously captured packet data, and to exit the Wireshark application. The Capture menu allows you to begin packet capture.

   2. The packet listing window displays a one-line summary for each packet captured, including the packet number (assigned by Wireshark; this is not a packet number contained in any protocol's header), the time at which the packet was captured, the packet's source and destination addresses, the protocol type, and protocol-specific information contained in the packet. The packet listing can be sorted according to any of these categories by clicking on a column name. The protocol type field lists the highest-level protocol that sent or received this packet, i.e., the protocol that is the source or ultimate sink for this packet.

   3. The packet header details window provides details about the packet selected (highlighted) in the packet listing window. (To select a packet in the packet listing window, place the cursor over the packet's one-line summary in the packet listing window and click with the left mouse button.) These details include information about the Ethernet frame (assuming the packet was sent or received over an Ethernet interface) and the IP datagram that contains this packet. The amount of Ethernet and IP-layer detail displayed can be expanded or minimized by clicking on the plus or minus boxes to the left of the Ethernet frame or IP datagram line in the packet details window. If the packet has been carried over TCP or UDP, TCP or UDP details will also be displayed, which can similarly be expanded or minimized. Finally, details about the highest-level protocol that sent or received this packet are also provided.

   [Figure 2: The main Wireshark window, annotated: command menus, display filter specification, listing of captured packets, details of the selected packet header, and packet contents in hexadecimal and ASCII. The selected packet is an HTTP "GET /news HTTP/1.1" request from 192.168.1.46 (TCP source port 1163) to www.wireshark.org (128.121.50.122, port 80), sent by Firefox 2.0.0.4 on Windows NT 5.1.]

   4. The packet contents window displays the entire contents of the captured frame, in both ASCII and hexadecimal format.

   5. Towards the top of the Wireshark graphical user interface is the packet display filter field, into which a protocol name or other information can be entered in order to filter the information displayed in the packet listing window (and hence the packet header and packet contents windows). In the example below, we'll use the packet display filter field to have Wireshark hide (not display) all packets except those that correspond to HTTP messages.

3. Take Wireshark for a Test Run

The best way to learn about any new piece of software is to try it out. Do the following:

5. Start up your favorite web browser, which will display your selected homepage. If you are using a proxy (especially a host-based one), disable it if possible; you want to examine uncached network traffic.

6. Start up the Wireshark software. You will initially see a window similar to Figure 2, except that no packet data will be displayed in the packet listing, packet header or packet contents window, since Wireshark has not yet begun capturing packets. To begin packet capture, select the Capture pull-down menu and select Options. This will cause the Wireshark Capture Options window to be displayed.

   [Figure 3: The Wireshark Capture Options window: the Interface pull-down (here a NETGEAR GA302T Gigabit Adapter, IP address 192.168.1.46, link-layer header type Ethernet), "Capture packets in promiscuous mode", the Capture Filter field, Capture File(s), Display Options ("Update list of packets in real time", "Automatic scrolling in live capture", "Hide capture info dialog"), Name Resolution options, and the Stop Capture settings.]

   You can use most of the default values in this window, but uncheck "Hide capture info dialog" under Display Options. The network interfaces (i.e., the physical connections that your computer has to the network) will be shown in the Interface pull-down menu at the top of the Capture Options window. In case your computer has more than one active network interface (e.g., if you have both a wireless and a wired Ethernet connection), you will need to select the interface that is being used to send and receive packets.

7. After selecting the network interface (or using the default interface chosen by Wireshark), click Start. Packet capture will now begin: all packets visible to your network interface, including those being sent and received by your computer, are now being captured by Wireshark. Once you begin packet capture, a packet capture summary window will appear. (This is the window that you decided not to hide in the previous step.) This window summarizes the number of packets of various types that are being captured and, importantly, contains the Stop button that will allow you to stop packet capture. Don't stop packet capture yet.

   [Figure 4: The Wireshark capture summary window, showing counts of captured packets by protocol (SCTP, TCP, UDP, ICMP, ARP, OSPF, GRE, NetBIOS, IPX, VINES, Other), the running time, and the Stop button.]

8. While Wireshark is running, enter the URL http://www.ece.cmu.edu/ini740/Lab0/lab0.html (those are three zeros, not the letter o) and have that page displayed in your browser. Make sure to clear your browser cache if you have previously displayed this web page; you want to get it across the Internet, not from your cache. In order to display this page, your browser will contact the HTTP server at www.ece.cmu.edu and exchange HTTP messages with the server in order to download this page, as discussed in section 2.2 of the text. The Ethernet frames containing these HTTP messages will be captured by Wireshark. After your browser has displayed the lab0.html page, stop Wireshark packet capture by selecting Stop in the Wireshark capture window. This will cause the Wireshark capture window to disappear and the main Wireshark window to display all packets captured since you began packet capture. The main Wireshark window should now look similar to Figure 2. You now have live packet data that contains all protocol messages exchanged between your computer and other network entities. The HTTP message exchanges with the www.ece.cmu.edu web server should appear somewhere in the listing of packets captured. But there will be many other types of packets displayed as well (see, e.g., the many different protocol types shown in the Protocol column in Figure 2). Even though the only action you took was to download a web page, there were evidently many other protocols running on your computer that are unseen by the user, as well as data sent via various protocols by other computers on your network. We'll learn much more about these protocols as we progress through the text. For now, you should just be aware that there is often much more going on than meets the eye.

9. Type "http" (all protocol names are in lower case in Wireshark) into the display filter specification window at the top of the main Wireshark window, then select Apply in the filter toolbar. This will cause only HTTP messages to be displayed in the packet listing window. Add the filter ip.src == <your IP address> || ip.dst == <your IP address> to filter out traffic that isn't going to or from your computer. This will keep other people's traffic private and get rid of lots of HTTP exchanges from other computers that you don't care about. Filters are combined with C operators. For example, if your IP address is 169.1.19.87, then your filter should be:

   http && (ip.src == 169.1.19.87 || ip.dst == 169.1.19.87)

   The parentheses matter: as in C, && binds more tightly than ||, so without them the filter reads (http && ip.src == 169.1.19.87) || ip.dst == 169.1.19.87 and would show every packet addressed to you, HTTP or not.

10. Select the first HTTP message shown in the packet listing window. This should be the HTTP GET message that was sent from your computer to the www.ece.cmu.edu HTTP server. When you select the HTTP GET message, the Ethernet frame, IP datagram, TCP segment and HTTP message header information will be displayed in the packet header window. By clicking the plus and minus boxes on the left side of the packet details window, minimize the amount of Frame, Ethernet, Internet Protocol and Transmission Control Protocol information displayed, and maximize the amount of information displayed about the HTTP protocol. Your Wireshark display should now look roughly like Figure 5. Note in particular the minimized amount of protocol information for all protocols except HTTP, and the maximized amount of protocol information for HTTP, in the packet header window. You may have other applications and services running on your computer that use HTTP; in that case you'll have to dig through them and figure out which was the first HTTP GET message. Recall that the HTTP GET message that is sent to the www.ece.cmu.edu web server is contained within a TCP segment, which is contained in an IP datagram, which is encapsulated in an Ethernet frame. If this process of encapsulation isn't quite clear yet, review section 1.5 in the text.

   [Figure 5: The Wireshark display after selecting the HTTP GET message, with the Frame, Ethernet II, Internet Protocol and TCP lines collapsed and the Hypertext Transfer Protocol tree expanded to show the request line and its headers (Host, User-Agent, Accept, Accept-Language, Accept-Encoding, Accept-Charset, Keep-Alive, Connection, Cookie, If-Modified-Since, If-None-Match, Cache-Control).]

11. To use Wireshark effectively you need to learn how to filter the results so you aren't wading through too much data. Wireshark uses two different filters: one to filter the results that get captured, and another to filter the results that are displayed. Unfortunately, the two use different languages to specify the filter. You've already been introduced to display filters, which use a C-like set of operators. You can also use more English-like terms for the same operators. For instance, the filter you used earlier, http && (ip.src == 169.1.19.87 || ip.dst == 169.1.19.87), can also be specified as http and (ip.src eq 169.1.19.87 or ip.dst eq 169.1.19.87). Another powerful operator you should know about is contains, which, as you might have guessed, does a substring match. The values being compared can come from any of the protocols (called dissectors in Wireshark lingo) and any of the protocol fields that Wireshark knows about. So you might search for HTTP traffic from Macintosh computers with http.user_agent contains "AppleWebKit". Take a look at sections 6.3 to 6.5 of the Wireshark User's Guide for more details about display filters.

12. The display filter language is also used to define rules that Wireshark uses to assign colors to particular packets in the user interface. Take a look at Chapter 10.3 of the Wireshark User's Guide to learn about coloring rules. Using the captured packets, practice temporary color changes by selecting a packet and then pressing <ctrl>1, <ctrl>2, etc. Also examine the coloring rules dialog and experiment with defining permanent coloring rules (you might want to export the default set of coloring rules before messing around with them).

13. Capture filters are also quite useful. They let you restrict the amount of data you collect in the first place. Whereas display filters don't change the data that Wireshark collects (merely which of the captured packets are displayed), capture filters decide what gets captured at all. They are entered in the Filter field of the Capture Options dialog box. The capture filter language is based on tcpdump and requires a bit more protocol knowledge to use. For now, simply experiment with host <ip address> to ensure you don't capture data from other network users.

14. Exit Wireshark.

Congratulations! You've now completed setting up an important network engineering tool and learned a bit about its operation.

Turn in

The goal of this first lab was primarily to introduce you to Wireshark. The following questions will demonstrate that you've been able to get Wireshark up and running and have explored some of its capabilities. Answer the following questions based on your Wireshark experimentation.

1. List up to 10 different protocols that appear in the Protocol column in the unfiltered packet listing window in step 8 above. As I don't have control over the data flowing over your network at the time of your lab, I don't know exactly how many and which protocols those will be. I do expect that you have a bunch; if fewer than 5, please look harder. Just list out those that you see, but don't bother to list more than 10.

2. How long did it take from when the HTTP GET message was sent until the HTTP OK reply was received? (By default, the value of the Time column in the packet listing window is the amount of time, in seconds, since Wireshark tracing began. To display the Time field in time-of-day format, select the Wireshark View pull-down menu, then select Time Display Format, then select Time of day.) Describe where you got the data to answer this question.

3. What is the Internet address (IP address) of www.ece.cmu.edu? What is the Internet address of your computer? (This might be a private address if you are behind a NAT device. No worries, we'll learn about that later.) Describe where you got the data to answer this question.

4. How many packets did you capture in total, of all protocols (not just HTTP)? Now use display filters to determine how many packets contain your IP address (hint: use ip.addr instead of the clumsy ip.src or ip.dst format I taught you in step 9). What is the filter you used? Now reverse the filter to determine how many packets don't contain your IP address. See any problems here? If not, you've already figured out the point of this question, so explain how you did so. If so, how can this problem be fixed? What are the appropriate display filters to use? How does Wireshark warn you of such a problem? This is an important detail to remember about Wireshark. Please ensure you've discussed the problem well enough that the grader can see you explored it thoroughly.

5. Explain the difference between the temporary and permanent packet coloring facilities in Wireshark, in more detail than simply stating that one is temporary. When might you find yourself using each?

6. List one permanent packet coloring rule you implemented successfully. I hope you spent a bit of time trying a variety of rules, colors, etc. For purposes of this question, describe just one of your experiments. What was the intent of the rule? What was the expression you entered in the dialog?

Turn in your answers in a single PDF file and submit it to the Lab 0 Assignment on Blackboard. Late submissions will not be graded.
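Worked example, added here for this lab and not part of the original handout or of Wireshark: a small Python program that does what the handout describes the packet capture library and the packet analyzer doing. It reads a libpcap file, peels each frame layer by layer (Ethernet, then IPv4, then TCP or UDP, then HTTP, which it recognises by the first bytes of the TCP payload, as the Theory section says), and then applies display-filter-like predicates to the result, the way the display filter field narrows the packet listing window. The capture it reads is constructed inside the code rather than recorded from a network, so the example runs offline: five frames using the addresses shown in the handout's figures (192.168.1.46 talking to 128.119.245.12) mixed with traffic between other hosts; the request path, the other hosts' addresses and the timestamps are made up. The predicates illustrate the filter semantics that Turn-in question 4 asks you to explore: an IP packet has two ip.addr values, so "!(ip.addr == X)" (neither address is X) and a per-field reading of "ip.addr != X" (at least one address is not X) select very different packets. Wireshark 1.x, the version this lab uses, gives ip.addr != X the per-field reading; since Wireshark 3.6, a != b means !(a == b).

```python
# Minimal pcap walker: peel Ethernet -> IPv4 -> TCP -> HTTP and apply display-filter-like
# predicates. Added example, not part of the handout; the capture below is built in code.
import struct
from dataclasses import dataclass

@dataclass
class Packet:
    number: int             # assigned by the reader, like Wireshark's "No." column
    ts: float               # seconds, from the pcap record header
    proto: str = "Ethernet" # highest-level protocol dissected ("Protocol" column)
    ip_src: str = ""        # empty when the frame carries no IPv4 datagram
    ip_dst: str = ""
    info: str = ""

def dissect_frame(number, ts, frame):
    """Each layer's header says where the next layer starts inside its payload."""
    pkt = Packet(number, ts)
    etype = struct.unpack("!H", frame[12:14])[0]        # Ethernet II: dst(6) src(6) type(2)
    if etype == 0x0806:
        pkt.proto = "ARP"
    if etype != 0x0800:                                 # not IPv4: stop at the link layer
        return pkt
    ip = frame[14:]
    ihl, total_len, ipproto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    pkt.ip_src, pkt.ip_dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    pkt.proto = "IP"
    seg = ip[ihl:total_len]                             # the datagram's payload
    if ipproto == 17:
        pkt.proto, pkt.info = "UDP", "%d -> %d" % struct.unpack("!HH", seg[:4])
    if ipproto != 6:
        return pkt
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", seg[:14])
    pkt.proto, pkt.info = "TCP", f"{sport} -> {dport}"
    first_line = seg[(off_flags >> 12) * 4:].split(b"\r\n", 1)[0]   # TCP payload, first line
    # HTTP is recognised by its first bytes: a method token, or "HTTP/" in a reply
    if first_line.startswith((b"GET ", b"POST ", b"HEAD ", b"HTTP/")):
        pkt.proto, pkt.info = "HTTP", first_line.decode("ascii", "replace")
    return pkt

def read_pcap(data):
    """Parse a classic little-endian libpcap file with Ethernet (DLT_EN10MB) frames."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian pcap with Ethernet link type")
    off, pkts = 24, []
    while off < len(data):
        sec, usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        pkts.append(dissect_frame(len(pkts) + 1, sec + usec / 1e6, data[off:off + incl]))
        off += incl
    return pkts

# Display-filter-like predicates. An IP packet carries two ip.addr values (src and dst),
# so "not equal" can mean "neither equals a" or "at least one of them differs from a".
def f_http(p):              return p.proto == "HTTP"                   # http
def f_ip_addr_eq(p, a):     return a in (p.ip_src, p.ip_dst)           # ip.addr == a
def f_not_ip_addr_eq(p, a): return not f_ip_addr_eq(p, a)              # !(ip.addr == a)
def f_ip_addr_ne_any(p, a): return bool(p.ip_src) and (p.ip_src != a or p.ip_dst != a)  # per-field ip.addr != a

def apply_filter(pkts, pred):
    """Packet numbers a display filter would leave in the packet listing window."""
    return [p.number for p in pkts if pred(p)]

def http_response_time(pkts):
    """Seconds between the first HTTP GET and the first HTTP reply after it (Time column delta)."""
    get = next(p for p in pkts if f_http(p) and p.info.startswith("GET "))
    ok = next(p for p in pkts if f_http(p) and p.number > get.number and p.info.startswith("HTTP/"))
    return round(ok.ts - get.ts, 6)

# Constructed capture: five frames, three of them other hosts' traffic (sample data, not real).
def _csum(b):
    s = sum(struct.unpack("!%dH" % (len(b) // 2), b))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF
def _ipv4(src, dst, proto, payload):
    addr = lambda s: bytes(int(x) for x in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0x4000, 64, proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", _csum(hdr)) + hdr[12:] + payload
def _tcp(sport, dport, data):   # 20-byte header, PSH|ACK; TCP checksum left 0, not validated here
    return struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x018, 65535, 0, 0) + data
def _eth(payload, etype=0x0800):  # MAC addresses taken from the handout's screenshot
    return bytes.fromhex("000fdb9f92b9" "00095b618e6d") + struct.pack("!H", etype) + payload
def _rec(ts, frame):
    return struct.pack("<IIII", int(ts), round((ts % 1) * 1e6), len(frame), len(frame)) + frame

ME, SERVER = "192.168.1.46", "128.119.245.12"   # addresses as in the handout's figures
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _rec(1.000000, _eth(bytes(28), 0x0806)),                                                        # ARP: no IP layer
    _rec(1.046413, _eth(_ipv4(ME, SERVER, 6, _tcp(1163, 80, b"GET /Lab0/lab0.html HTTP/1.1\r\nHost: www.ece.cmu.edu\r\n\r\n")))),
    _rec(1.050000, _eth(_ipv4("10.0.0.5", "10.0.0.53", 17, struct.pack("!HHHH", 5353, 53, 8, 0)))),  # another host's DNS
    _rec(1.123456, _eth(_ipv4(SERVER, ME, 6, _tcp(80, 1163, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")))),
    _rec(1.200000, _eth(_ipv4("10.0.0.5", "10.0.0.9", 6, _tcp(4444, 22, b"")))),                     # two other hosts' ACK
])

if __name__ == "__main__":
    print(*read_pcap(SAMPLE_PCAP), sep="\n")
```

Run it directly to print a listing like the packet listing window. On the sample, apply_filter(pkts, lambda p: f_not_ip_addr_eq(p, ME)) keeps only the three frames that do not involve 192.168.1.46, while apply_filter(pkts, lambda p: f_ip_addr_ne_any(p, ME)) keeps every IP packet, including both halves of your own HTTP exchange, because in each of them the other endpoint's address is not yours; only the ARP frame, which has no ip.addr at all, drops out. That is the trap to remember when you "reverse" an ip.addr filter.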
