--------------------------------------------
Lab 1 Answer Sheet
Introduction to Ethereal/Wireshark
Due in class on April 9, 2007

Applied Networks and Security (IT 263 901)
Lewis 1513, Mondays, 5:45 p.m. to 9:00 p.m.
April 2, 2007 to June 11, 2007
--------------------------------------------

Student Name:

Requirements:

You can do this lab exercise on any computer that is connected to the Internet and has Ethereal/Wireshark (Wireshark is the new project name) and a web browser installed. There are multiple PCs in the LAN Lab (room 659) available for you to do this lab. Alternately, you can do this lab from the comfort of your own home by downloading Wireshark from www.wireshark.org and installing it on your local PC. You need to have administrator access to install and use this software.

NOTE FOR MACINTOSH USERS: Unfortunately, installing Wireshark or Ethereal may not be as easy for you. If you are not the type of person who installs applications from source code, then you probably want to find a Windows machine. The LAN Lab is probably going to be as good an option as any. However, there is a command line tool called 'tcpdump' which effectively does the same thing. If you're up to the challenge you can try to use this tool (see the addendum below for some basic instructions), but I am not going to be forgiving if you go this route and fail to figure it out.

In this lab you will:

1. Execute Ethereal/Wireshark and practice capturing network traffic.
2. Examine the results from capturing traffic for a particular file download from a web server.
3. Print out and document details of this capture session.

Question 1: From Step 1 below, fill in the following values:

a. Computer's physical address(es):
b. Computer's IP address(es):
c. Computer's subnet mask(s):
d. Computer's default gateway(s):
e. Computer's DNS server(s):

Question 2: From Step 3 below, list how many total packets were captured.
Question 3: From Step 3 below, fill in the following values for the packet whose decode contains GET /~jkristof/it263/roster.html:

a. Ethernet source address:
b. Ethernet destination address:
c. IP source address:
d. IP destination address:
e. TCP source port number:
f. TCP destination port number:

Question 4: Why doesn't the entire web page come in a single packet?

Question 5: How many packets associated with access to this web page immediately precede the HTTP GET message? Summarize those preceding packets and what they contain.

Question 6: Attach the output from Step 4 below.

------------------------------cut here----------------------------------

----------------
Lab Instructions
----------------

Step 1 - Determine the network interface addresses and start the capture

1. Determine the physical addresses and the IP addresses on this computer and enter them into Question 1 of the answer sheet. For Microsoft Windows you can use the 'ipconfig /all' command (see http://en.wikipedia.org/wiki/Ipconfig for details) at the command line to view this detailed information.
2. Start up Ethereal/Wireshark, click Capture->Interfaces and then click the Capture button corresponding to your active network interface. Ethereal/Wireshark will begin running in capture mode and will open a window showing you a summary of the network traffic being captured.

Step 2 - Download a Web Page

1. While running in capture mode, use a browser to pull the following web page (note: be sure this is either the first time you've accessed the page, you've cleared your browser cache, or you use the reload button to fetch a fresh copy):

   http://condor.depaul.edu/~jkristof/it263/roster.html

2. A web page containing the class roster should appear. Be sure it completely loads before continuing.
3. In Ethereal/Wireshark, click the Stop button to stop the capture. I recommend saving all the packets in the capture using a filename with the extension '.cap'.

Step 3 - Verify accessing the web page was captured

1. In Ethereal/Wireshark you should see a number of packets, one per line, in the top summary pane. How many will depend primarily on what other network traffic your host was seeing or involved in at the time.
2. You should see an HTTP-decoded packet somewhere in the summary pane containing "GET /~jkristof/it263/roster.html". If not, then you are not capturing packets. Be sure your browser cache is clear and that you are capturing packets on the correct interface.
3. You should see either an HTTP 200 OK message or a "TCP segment of a reassembled PDU" message following the GET message. This indicates you have successfully captured the packets. If you received an HTTP 304 Not Modified message, you probably need to clear your browser cache. You may need to seek further assistance from a classmate, lab assistant or instructor in order to complete this lab if you cannot get past this step.

Step 4 - Examine the captured network traffic

1. Your name exists somewhere in the captured packets. If for some reason you registered for this class after the roster for this web page was generated, use the last name in the roster to perform the remainder of this step.
2. Find your name inside one of the several packets. You may have to examine the contents of the third pane, which contains the hex and ASCII packet decode for each of the packets, to find your name.
3. Be sure the packet with your name is the selected one in the top pane. Now select File->Print. Select the "Selected packet only" radio button. Select the "All expanded" radio button. Print this out or save it to a file for later printing.

ADDENDUM FOR MACINTOSH USERS WHO WANT TO TRY USING TCPDUMP AT YOUR OWN RISK. NOTE, THIS IS BEST FOR ADVANCED USERS. FIND A WINDOWS MACHINE AND FOLLOW THE INSTRUCTIONS ABOVE IF YOU SPEND MORE THAN A FEW MINUTES TRYING TO FIGURE THIS OUT. WARNING, THIS IS JUST A ROUGH GUIDE ON SOME BASIC COMMANDS AND NOT A FULL TUTORIAL ON HOW TO FULLY COMPLETE THIS LAB ASSIGNMENT USING THE TCPDUMP TOOL.
To capture full packets and save them to a file named packets.cap (press CTRL-C to stop the capture and write it to the file):

    sudo tcpdump -s0 -w packets.cap

Note: if you connected to a network using your wireless adapter, then you may need to add '-i en1' (sans the quotes) to the command above.

To display a summary of the captured packets from file packets.cap:

    tcpdump -r packets.cap

To display fully decoded packets from file packets.cap:

    tcpdump -eXXvvvr packets.cap

Note: you may wish to add the option '-n' to the display commands above. If the capture file is very large, this should speed up the output, since tcpdump will not have to translate (look up) the addresses to names in each of the packets.
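Whether the capture was saved from Wireshark as a '.cap' file or written by 'tcpdump -w packets.cap' above, the file is in libpcap format, and the values asked for in Question 3 can be read straight out of the Ethernet, IPv4 and TCP headers of each record. The script below is an added example, not part of this lab handout and not code from the Wireshark or tcpdump projects. It walks a libpcap file, decodes Ethernet -> IPv4 -> TCP, counts the packets (Question 2) and reports the addresses and ports of every packet whose payload contains the GET line (Question 3). The four-packet capture it builds for itself (three TCP handshake segments followed by the GET) is constructed for the example, with made-up MAC addresses and documentation-range IP addresses.

```python
"""Pull the Ethernet/IP/TCP fields of the HTTP GET out of a saved capture.

Added example, not part of the lab handout. Assumes the capture is in
classic libpcap format (what 'tcpdump -w' writes and what Wireshark saved
as .cap in 2007) with Ethernet framing. The sample capture built at the
bottom is constructed for this example; its addresses are made up.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
GET_LINE = b"GET /~jkristof/it263/roster.html"


def iter_frames(data):
    """Yield each packet record's bytes from a libpcap file (either byte order)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        e = "<"
    elif magic == 0xD4C3B2A1:
        e = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    if struct.unpack(e + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("this example only decodes Ethernet captures")
    off = 24                                   # 24-byte global header
    while off + 16 <= len(data):               # 16-byte per-record header
        incl_len = struct.unpack(e + "I", data[off + 8:off + 12])[0]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decode(frame):
    """Decode Ethernet -> IPv4 -> TCP; return None for any other packet type."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                   # IPv4 header length, options included
    if ip[9] != PROTO_TCP:
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4              # TCP header length in bytes
    return {
        "eth_dst": ":".join(f"{b:02x}" for b in frame[0:6]),
        "eth_src": ":".join(f"{b:02x}" for b in frame[6:12]),
        "ip_src": ".".join(str(b) for b in ip[12:16]),
        "ip_dst": ".".join(str(b) for b in ip[16:20]),
        "tcp_sport": sport,
        "tcp_dport": dport,
        "payload": tcp[data_off:],
    }


def find_packets(data, needle):
    """Return (total packets in the file, decoded TCP packets whose payload contains needle)."""
    total, hits = 0, []
    for frame in iter_frames(data):
        total += 1
        pkt = decode(frame)
        if pkt is not None and needle in pkt["payload"]:
            hits.append(pkt)
    return total, hits


# --- constructed sample capture: client 192.0.2.10 talking to web server 198.51.100.7 ---
CLIENT_MAC, GW_MAC = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")
CLIENT_IP, SERVER_IP = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])


def tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Build one Ethernet/IPv4/TCP frame (checksums left zero; fine for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0,
                     src_ip, dst_ip) + tcp
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file with the Ethernet link type."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1175000000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


SAMPLE_PCAP = build_pcap([
    tcp_frame(CLIENT_MAC, GW_MAC, CLIENT_IP, SERVER_IP, 51234, 80, 0x02),   # SYN
    tcp_frame(GW_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 80, 51234, 0x12),   # SYN/ACK
    tcp_frame(CLIENT_MAC, GW_MAC, CLIENT_IP, SERVER_IP, 51234, 80, 0x10),   # ACK
    tcp_frame(CLIENT_MAC, GW_MAC, CLIENT_IP, SERVER_IP, 51234, 80, 0x18,    # PSH/ACK + GET
              GET_LINE + b" HTTP/1.1\r\nHost: condor.depaul.edu\r\n\r\n"),
])


def analyze_sample():
    """Answer-sheet summary (packet count, GET packet fields) for the sample capture."""
    return find_packets(SAMPLE_PCAP, GET_LINE)


if __name__ == "__main__":
    total, hits = analyze_sample()
    print(f"{total} packets captured, {len(hits)} containing the GET")
    for pkt in hits:
        print({k: v for k, v in pkt.items() if k != "payload"})
```

To run it against your own capture, replace SAMPLE_PCAP with the contents of your file (open('packets.cap', 'rb').read()). One caveat for anyone using a current Wireshark release: it saves in pcapng format by default, which this parser rejects with a ValueError; choose the plain "pcap" format in the save dialog, or use the tcpdump command above, which still writes classic libpcap.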