Lab 2: Using Wireshark To Monitor Network Traffic: Please Read Completely Before You Begin!
Due: Thursday October 10th. Please read completely before you begin! This lab should extend your knowledge of packet capture and analysis techniques.

Review

While tcpdump (http://www.tcpdump.org/) is a valuable tool with many strengths, it has two serious limitations. First, it provides very little analysis: it can become very tedious to decode and interpret the output of a tcpdump session. Second, the text-based user interface can be awkward to use and is often perceived as primitive by less-experienced users.

In this lab we will examine and learn to use Wireshark (http://www.wireshark.org/), one of many tools that address these two limitations. Wireshark is freely available and runs on most versions of Linux and Microsoft Windows. It provides an intuitive GUI and fully decodes most packets. Wireshark provides both capture filtering and display filtering, and it offers advanced features such as tracking TCP sessions.

Despite the apparent advantages of Wireshark, there are several reasons why tcpdump was worth learning. First, tcpdump is often already installed on a system where Wireshark rarely is; if you are troubleshooting a production system that is down, you may not want to take the time to install Wireshark when tcpdump is already there. tcpdump can be used in text-only environments, which makes it more practical over slow network connections. As an early, freely available tool, tcpdump has had an important influence on later tools: its binary storage format is used by many other utilities that can analyze data captured by tcpdump, and its packet capture library is the basis for many other tools, including Wireshark. Because Wireshark uses tcpdump's packet capture library, it also uses tcpdump's syntax for capture filters. A good workman uses the appropriate tool.
Wireshark and tcpdump should be seen as complementary tools and, as professionals, you should learn both.

Several of the difficulties presented by tcpdump remain problems with Wireshark. (These are really limitations of the technology, not of these programs.) Capturing traffic, regardless of the tool you use, raises the same legal and ethical issues. You need to be on shared media (e.g., a hub rather than a switch port) in order to actually see traffic. On a large shared-media network, the volume of traffic can be staggering. When used remotely, the packet capture activity itself may generate traffic that needs to be filtered out. DNS resolution will add to the traffic and slow the program down. You will need to specify the interface you want to listen to. On the other hand, you can easily do things to generate traffic.

In the following lab you will do some hands-on experiments with Wireshark to extend your traffic monitoring knowledge.

Lab

For each of the following steps, describe your results, give the syntax of the command you used (if any), and, where appropriate, the output produced. Include screen captures as needed. Be sure to label your results carefully, organize them in the order of the steps given here, and answer each question in your report. Before you begin using Wireshark, you will probably want to go on the Internet and read more; you might start at http://www.wireshark.org/. Whenever it is helpful, set a display or capture filter according to source and/or destination IP addresses to get neater output.

1. Ping a remote computer and capture the traffic as shown in the figure above. Include the screen dump in your report.

2. Telnet Session Monitoring: How many TELNET packets are used to carry the login and how many are used to carry the password? Why does TELNET do it this way? What are the Src MAC address, Dst MAC address, Src IP address, Dst IP address, TCP Src Port, and TCP Dst Port number on the outgoing packets carrying the actual password? Hint: they are all the same.

3. SSH Session Monitoring: How many ARP packets will you see? What kind of messages follow the TCP three-way handshake packets? What are the main functions of the initial SSH messages? Record the session key exchange sequence; study the Diffie-Hellman algorithm by yourself. Click on those packets and, in the packet content window, expand the SSH protocol content by clicking on the triangle icon to the left of SSH. By observing the SSH session data, can you still recover the actual login or password? What are the Src MAC address, Dst MAC address, Src IP address, Dst IP address, TCP Src Port, and TCP Dst Port number on the outgoing packets carrying the Encrypted request packet? Are these fields different from those in the Telnet session?

4. Capture 200 packets without any filtering. What are the five most common types of packets you see? What is the function of each? What is their relative frequency?

5. Create filters for the following traffic monitoring tasks:
   a) IP traffic
   b) UDP traffic
   c) DNS traffic
   d) Traffic to or from a specific computer
   e) Traffic from but not to a specific computer
   f) Traffic to or from a specific network
   g) IP broadcast traffic
   h) IP, ARP and RARP traffic, i.e., one filter that captures all at once

6. Experiment with live capture and name resolution. What problems did you encounter?

7. Explain how the Follow TCP Stream feature works.
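To make step 7 concrete, here is an added example (not part of the lab handout, and not Wireshark's own code) of what Follow TCP Stream does under the hood: it parses the Ethernet/IPv4/TCP headers, keys each data segment by direction and sequence number, and joins the payloads in order. The frames, addresses and password are constructed inline so it runs offline; the traffic models the Telnet character-mode exchange that step 2 asks about, with two segments captured out of order and one retransmitted.

```python
import socket
import struct
from collections import defaultdict

def parse_frame(frame):
    """Return ((src, sport, dst, dport), seq, payload) for an Ethernet II/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                                      # not IPv4 (e.g. ARP)
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        return None                                      # not TCP
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    key = (socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport)
    return key, seq, tcp[(tcp[12] >> 4) * 4:]            # payload starts after the data offset

def follow_tcp_stream(frames):
    """Reassemble each direction of a conversation: segments keyed by sequence number
    (so a retransmission overwrites its duplicate), sorted, and joined."""
    segments = defaultdict(dict)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed and parsed[2]:                         # skip non-TCP and empty segments
            key, seq, payload = parsed
            segments[key][seq] = payload
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in segments.items()}

def build_frame(src, sport, dst, dport, seq, payload):
    """Constructed test frame: zeroed MACs and checksums, enough for header parsing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

# Constructed capture (addresses are made up): a Telnet client in character mode sends the
# password one byte per segment; two segments are captured out of order and one is retransmitted.
CLIENT, SERVER = ("10.0.0.5", 40000), ("10.0.0.9", 23)
PASSWORD = b"s3cret\r\n"
SAMPLE_FRAMES = [build_frame(*SERVER, *CLIENT, 5000, b"Password: ")]
SAMPLE_FRAMES += [build_frame(*CLIENT, *SERVER, 1000 + i, bytes([c])) for i, c in enumerate(PASSWORD)]
SAMPLE_FRAMES[3], SAMPLE_FRAMES[5] = SAMPLE_FRAMES[5], SAMPLE_FRAMES[3]
SAMPLE_FRAMES.append(build_frame(*CLIENT, *SERVER, 1002, b"c"))

def client_to_server_bytes(frames=SAMPLE_FRAMES):
    """What an observer on shared media reads from the client's clear-text stream."""
    return follow_tcp_stream(frames).get((*CLIENT, *SERVER), b"")
```

Because Telnet is clear text, the reassembled client-to-server stream is the password itself, one segment per keystroke; the same reassembly on the SSH session of step 3 yields only ciphertext.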