EC310 SE12

EC312 Practical Exercise 25
Part 1. Your Ethernet Address
A computer is connected to a network by a Network Interface Card (NIC), also termed a network adapter. That
is, the NIC is the physical interface between a computer and the networking medium. The networking medium,
in turn, might be a wire, a fiber optic strand, or free space (in the case of wireless networks).
Each NIC is assigned a globally unique address burned into the card's Read Only Memory (ROM), so all machines on an
Ethernet LAN are guaranteed to have distinct addresses: no two NICs anywhere in the world are supposed to share the
same global address. Addresses are 6 bytes (48 bits). Two bits of the first byte are reserved for special purposes:
the low-order bit marks a group (multicast or broadcast) address rather than an individual one, and the next bit marks
a "locally administered" address that was set by software rather than by the manufacturer. The remaining 46 bits
carry the unique address.
The NIC interfaces with the physical media, so this globally-unique address is often called the physical address.
Since physical devices are often termed hardware, a NIC's unique address is also frequently referred to as a
hardware address. Finally, since the NIC controls access between the computer and the networking media, its
address is also termed a Media Access Control (MAC) address. Since most NICs conform to the Ethernet
standard, the NIC address is also called an Ethernet address. Thus, the NIC address goes by four different
names which are often used interchangeably:

  - Physical Address
  - Hardware Address
  - MAC Address
  - Ethernet Address
In Windows, open a command prompt. (To open a command prompt, click the Start button, type cmd in the search box,
and press Enter.)
At the command prompt, type: getmac /v
The /v (verbose) switch lists each adapter by name alongside its physical address and transport, so you can tell
the real Ethernet adapter apart from the VMware virtual adapters and the Wi-Fi adapter.
Question 1.
Ignoring VMware virtual adapters and Wi-Fi, what is your computer's Ethernet address?
Recall that a MAC address is 48 bits. The first 3 bytes identify the NIC manufacturer (or vendor); this prefix is
called the Organizationally Unique Identifier (OUI). The Institute of Electrical and Electronics Engineers (IEEE)
assigns blocks of addresses to the various manufacturers. For a listing of vendor codes, see
http://standards.ieee.org/develop/regauth/oui/oui.txt
Question 2.
What vendor manufactured your Ethernet card?
Question 3.
Ward Hall has a policy that midshipmen can only connect their original issued computers
to the USNA network. Suppose you go to Best Buy, buy a new computer and connect it
to the network. Will Ward Hall be able to tell? If so, how?
Can you "spoof" your MAC address, i.e., have your computer tell the rest of the world that your MAC address is
different from the actual value burned into ROM? The answer is: Yes, it is very easy to spoof your MAC
address. The address the driver announces on the wire is just a software setting: adding a single NetworkAddress
value under the adapter's key in the Windows registry (the same setting many drivers expose as "Network Address"
on the adapter's Advanced properties tab) overrides the burned-in value, and the ROM on the card is never touched.
However, you should not do this, since even a small screw-up while editing the Windows registry can irreparably
damage your computer. Bottom line, unless you are a CS major with a 4.0 QPR and ten computers (so you have a few
to spare), you should never edit the Windows registry.
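To see how the 48 bits are laid out, which vendor an OUI points to, and what a Ward Hall-style check can and cannot learn from an announced address, here is an added Python example; it is not part of the exercise handout. The oui.txt excerpt it parses is constructed in the line format of the IEEE listing with placeholder vendor names (look up real prefixes in the file linked above), and the list of "issued" computers is made up.

```python
"""MAC address anatomy: OUI, I/G and U/L bits, and an issued-address check.
Added example for the exercise, not part of the handout."""
import re

# Constructed excerpt in the format of the IEEE oui.txt listing. The vendor
# names are placeholders, not real registry entries.
OUI_TXT = """\
00-01-02   (hex)\t\tEXAMPLE NIC VENDOR A
000102     (base 16)\t\tEXAMPLE NIC VENDOR A
\t\t\t\t1 Example Street
00-04-80   (hex)\t\tEXAMPLE NIC VENDOR B
000480     (base 16)\t\tEXAMPLE NIC VENDOR B
"""

# Only the "(hex)" lines carry the prefix-to-vendor mapping we need.
_HEX_LINE = re.compile(
    r"^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$", re.I)


def load_oui(text):
    """Build {3-byte prefix: vendor} from an oui.txt-style listing."""
    table = {}
    for line in text.splitlines():
        m = _HEX_LINE.match(line)
        if m:
            table[bytes.fromhex("".join(m.group(1, 2, 3)))] = m.group(4)
    return table


def parse_mac(text):
    """Accept 00-01-02-C6-3B-6A, 00:01:02:c6:3b:6a or 000102c63b6a; return 6 bytes."""
    digits = re.sub(r"[-:.\s]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def describe(text, table=None):
    """Decode the two special bits and the OUI of one address."""
    mac = parse_mac(text)
    first = mac[0]
    info = {
        "mac": ":".join(f"{b:02x}" for b in mac),
        "oui": ":".join(f"{b:02x}" for b in mac[:3]),
        # Low-order bit of the first byte: 0 = individual, 1 = group (multicast/broadcast).
        "group": bool(first & 0x01),
        # Next bit: 0 = universally administered (burned in), 1 = locally administered (set by software).
        "locally_administered": bool(first & 0x02),
        "broadcast": mac == b"\xff" * 6,
    }
    # An OUI lookup is meaningless for a software-assigned address.
    info["vendor"] = None if info["locally_administered"] else (table or {}).get(mac[:3])
    return info


def admission_check(announced_mac, issued_macs):
    """Ward Hall-style check: is the announced address one of the issued machines?
    Returns (allowed, reason). Note the limit of the technique: the check sees
    only the announced value, so a machine that spoofs an issued address passes."""
    issued = {parse_mac(m) for m in issued_macs}
    info = describe(announced_mac)
    if parse_mac(announced_mac) in issued:
        return True, "address is on the issued list"
    if info["locally_administered"]:
        return False, "address has the U/L bit set (software-assigned) and is not on the issued list"
    return False, f"address from OUI {info['oui']} is not on the issued list"


if __name__ == "__main__":
    table = load_oui(OUI_TXT)
    for addr in ("00-01-02-C6-3B-6A", "02:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"):
        print(describe(addr, table))
    print(admission_check("02:11:22:33:44:55", ["00:01:02:c6:3b:6a"]))
```

The registry edit described above flips exactly the second field here: the announced address changes, the burned-in one does not, and an allowlist keyed on announced addresses cannot tell the two apart unless the spoofer picks a value that is not on the list.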
Part 2. Using ping to Determine the Largest Possible Ethernet Frame Size
ping is a tool that can be used to determine whether our computer can reach another computer across the
Internet. From the Windows command prompt, type

    ping www.espn.com

You should see something similar to:

    C:\> ping www.espn.com

    Pinging www.espn.com [199.181.132.250] with 32 bytes of data:
    Reply from 199.181.132.250: bytes=32 time=74ms TTL=233
    Reply from 199.181.132.250: bytes=32 time=84ms TTL=233
    Reply from 199.181.132.250: bytes=32 time=76ms TTL=233
    Reply from 199.181.132.250: bytes=32 time=75ms TTL=233

    Ping statistics for 199.181.132.250:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 74ms, Maximum = 84ms, Average = 77ms
ping is a probing tool that sends a packet from our computer to the designated target computer (in this case,
the computer with the name www.espn.com) and waits for a reply. The output above tells us several things:

  - our ping packet contains 32 bytes of data (it also carries another 28 bytes of header information: a
    20-byte IP header and an 8-byte ICMP header).
  - we conducted a total of 4 probes.
  - we received replies to all four of our probes.
  - the round trip times for our four probes were 74, 84, 76 and 75 milliseconds.
  - the TTL field (233) is the reply's remaining time-to-live, a hop count that each router along the path
    decrements by one.
Looking at the ping reply above, notice that www.espn.com is also referred to as “199.181.132.250.” This
latter sequence of four numbers (separated by decimals) is, as you might already know, the computer’s IP
address. Thus, the computer named www.espn.com has IP address 199.181.132.250. We will discuss IP
addresses in the next lecture.
When we use the ping command, we, by default, ping the target host with 32 bytes of data. We can change the
size of the ping packet by using the -l option. For example, if I type

    ping -l 100 www.espn.com

I will see:

    Pinging www.espn.com [199.181.132.250] with 100 bytes of data:
    Reply from 199.181.132.250: bytes=100 time=75ms TTL=233
    Reply from 199.181.132.250: bytes=100 time=75ms TTL=233
    Reply from 199.181.132.250: bytes=100 time=74ms TTL=233
    Reply from 199.181.132.250: bytes=100 time=74ms TTL=233

    Ping statistics for 199.181.132.250:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 74ms, Maximum = 75ms, Average = 74ms
Notice that I pinged www.espn.com with 100 bytes of data. If I had typed

    ping -l 150 www.espn.com

I would have pinged with 150 bytes of data.
Hmmm... I wonder what would happen if I tried to ping www.espn.com with a very large packet. This would
mean that the computer would have to stop for a long time and deal with my request. So, the services of
www.espn.com would be then be denied to others. I might just call this an attack...hmmm...a denial of
service attack ...yea, that's the ticket. I try to ping with 50,000 bytes of data by typing:

    ping -l 50000 www.espn.com

and I see:

    Pinging www.espn.com [199.181.132.250] with 50000 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 199.181.132.250:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Gasp! My plans for world domination are foiled! Not one of my ping packets was answered!
Why? Well, Ethernet, which is the local area network technology used by just about everyone (including us!),
will only allow the data carried in one frame to be at most a certain size. This maximum size is called the
Maximum Transmission Unit (MTU). Well... what if we want to send a block of data bigger than Ethernet's MTU? In
general, there is no problem with this; the large block of data is broken (i.e., fragmented) into pieces, each
of which fits within Ethernet's MTU, and these pieces are then sent individually. The pieces (fragments) are
then put back together when they all arrive at the destination.
In general, there is no hitch, except for one wrinkle: hosts, and the firewalls in front of them, will often drop
ping packets that were fragmented. Why, you ask? Well, in the mid 1990's, it was discovered that the fragments of
a ping packet could be crafted (the last fragment's offset pushed to the far end of the 13-bit fragment-offset
field) so that the reassembled packet at the destination was larger than the maximum permissible IP packet size
of 65,535 bytes. The receiving operating system had set aside a buffer sized for a legal packet, the oversized
reassembly overflowed it, and the host crashed. This scenario was given the somewhat unpleasant name: The Ping
of Death.
The Bottom Line: In the 1990's you could crash someone's computer by sending them a ping so large that it could
not fit in one Ethernet frame, i.e., a ping that exceeded Ethernet's MTU and so had to be fragmented. Operating
systems have long since been patched to check the reassembled length before accepting the packet, but many hosts
and firewalls still refuse fragmented pings as a precaution, and that, rather than any crash, is the most likely
reason our 50,000-byte probes went unanswered.
In summary, if you send a very large ping packet, it will need to be fragmented to fit inside Ethernet's MTU,
but these fragments will then be ignored by the destination since there is no good reason someone should want
to send me a ping packet that was so big that it had to be fragmented.
What is Ethernet's Maximum Transmission Unit?
What is the largest block of data that Ethernet will allow me to send without requiring fragmentation? To see,
we can use the -f option in the ping command. This option sets the "Don't Fragment" flag in the IP header, so if
the packet is bigger than Ethernet's MTU it is not sent at all. For example, if I type

    ping -f -l 50000 www.espn.com

I am told "Packet needs to be fragmented but DF set." The packet needed to be fragmented, but it was not,
because the 'don't fragment' option (-f) forbids it. Try smaller values of -l until the ping goes through; the
boundary between "goes through" and "needs to be fragmented" is the number you want.
Question 4. What is Ethernet's MTU? Note that whatever number seems to work for ping, you
must add 28 to it, since the ping data has 28 bytes of header information (20 bytes of IP header and
8 bytes of ICMP header) tacked onto it.
Question 5. After you have completed Question 4, review the notes where we discussed the maximum
size of an Ethernet frame. Does your answer to Question 4 match what the notes say is the maximum
amount of data that can fit inside the data field of an Ethernet frame?
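The fragmentation, Ping of Death and MTU-probing story of Part 2 can be put into code. The following Python model is an added example, not part of the handout: it fragments a datagram for a given link MTU, reassembles the fragments with the length check that a patched IP stack performs, and runs the same Don't-Fragment search you do by hand in Question 4 against a simulated link. The `df_probe_for_link` function stands in for `ping -f -l` and never touches the network; the header sizes are the handout's 20-byte IP and 8-byte ICMP headers.

```python
"""IPv4 fragmentation against a link MTU, reassembly with the Ping of Death
length check, and the ping -f -l search for the MTU. Added example, not the
handout's own code; the link probe is a simulation, not a real ping."""
IP_HDR = 20           # IPv4 header without options
ICMP_HDR = 8          # ICMP echo header; ping's "28 bytes of header" is IP_HDR + ICMP_HDR
MAX_DATAGRAM = 65535  # largest total length the 16-bit IPv4 length field can express
ETHERNET_MTU = 1500   # assumed link MTU for the demonstration


def largest_unfragmented_ping_data(mtu=ETHERNET_MTU):
    """Largest ping -l value that fits in one frame without fragmentation."""
    return mtu - IP_HDR - ICMP_HDR


def fragment(payload_len, mtu):
    """Split a datagram carrying payload_len bytes (ICMP header + data) into
    fragments for a link with the given MTU. Each entry is
    (offset_bytes, data_len, more_fragments). Offsets are multiples of 8 because
    the IP fragment-offset field counts 8-byte units."""
    if IP_HDR + payload_len <= mtu:
        return [(0, payload_len, False)]
    per_fragment = (mtu - IP_HDR) // 8 * 8
    frags, off = [], 0
    while off < payload_len:
        n = min(per_fragment, payload_len - off)
        frags.append((off, n, off + n < payload_len))
        off += n
    return frags


def reassemble(frags):
    """Rebuild the payload length from fragments arriving in any order. Rejects
    a set whose reassembled datagram would exceed MAX_DATAGRAM, which is the
    Ping of Death condition that crashed unpatched stacks in the 1990s."""
    pieces = sorted(frags)
    expected = 0
    for off, n, more in pieces:
        if off != expected:
            raise ValueError(f"gap or overlap at offset {off}")
        if more and (n == 0 or n % 8):
            raise ValueError("a non-final fragment must carry a multiple of 8 bytes")
        if IP_HDR + off + n > MAX_DATAGRAM:
            raise ValueError(f"Ping of Death: reassembled length {IP_HDR + off + n} > {MAX_DATAGRAM}")
        expected = off + n
    if pieces[-1][2]:
        raise ValueError("final fragment still has More Fragments set")
    return expected


def df_probe_for_link(mtu):
    """Model of 'ping -f -l <n>' on a link with the given MTU: True if the
    datagram is sent, False for 'Packet needs to be fragmented but DF set.'"""
    return lambda data_len: IP_HDR + ICMP_HDR + data_len <= mtu


def find_mtu_by_probing(fits, lo=0, hi=MAX_DATAGRAM - IP_HDR - ICMP_HDR):
    """Binary search for the largest -l value the Don't-Fragment probe accepts,
    then add the 28 header bytes, exactly as Question 4 asks you to do by hand."""
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if fits(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo + IP_HDR + ICMP_HDR


if __name__ == "__main__":
    print("largest unfragmented ping -l on Ethernet:", largest_unfragmented_ping_data())
    frags = fragment(ICMP_HDR + 50000, ETHERNET_MTU)
    print(f"ping -l 50000 becomes {len(frags)} fragments; reassembled payload = {reassemble(frags)}")
    print("probed MTU:", find_mtu_by_probing(df_probe_for_link(ETHERNET_MTU)))
    try:
        reassemble([(0, 65512, True), (65512, 16, False)])  # forged offsets
    except ValueError as e:
        print("rejected:", e)
```

The forged pair at the end is the Ping of Death in miniature: each fragment is individually legal, and only the reassembled total gives it away, which is why the check has to run on the sum rather than on each piece.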
Part 3. Wireshark
Last August, spurred by the Snowden revelations, The Guardian published an article titled "The NSA is turning
the Internet into a total surveillance system." Others speculate that the NSA may be monitoring essentially all
Internet traffic. Concerning the NSA's surveillance of Internet traffic, security expert Brian Reid opined that
"This isn’t a wiretap, it’s a country-tap.”
Our objective today is not to examine why such surveillance is done, but rather to gain a sense of how such
surveillance is done. Toward that end, we will gain basic familiarity with a packet sniffer named Wireshark. A
packet sniffer is, in essence, a wiretap that allows you to monitor the traffic passing a particular point in a
computer network. A packet sniffer not only allows you to analyze or inspect individual packets as binary or
hexadecimal symbols, but also attempts, where possible, to convert binary packets into a human-readable
format.
Packet sniffers allow the user to determine who is communicating with whom, and what they are saying, topics
of great concern to network security specialists and the people who keep them busy.
Packet sniffing, as with most things, can be used for good purposes or for malicious purposes. A hacker can
certainly use a packet sniffer to detect who is communicating with whom, and the nature of the communication
(so-called metadata). Any unencrypted content (to include unencrypted passwords) can also be read. The NSA
uses packet sniffers to thwart terrorist plots. In June 2013 General Keith Alexander, the Director of the NSA,
testified that the NSA's surveillance programs had foiled at least 50 terrorist attacks worldwide.
Computer engineers use packet sniffers for good purposes also: a network can be analyzed to determine if there
is excessive congestion, troubleshooting of faults can be facilitated, unauthorized network users can be
detected, etc.
A. Getting Started
Wireshark is a packet sniffer that will capture packets and display them using a nice Graphical User Interface
(GUI). Wireshark is a passive program; it does not transmit packets onto the network. It merely analyzes what
traffic is going past your NIC.
Start up VMware Workstation and power-on your Cyber2 VM. Then launch Wireshark by selecting:
Applications > Internet > Wireshark (as root)
Launch Wireshark. You should see the main window. Under File, click Open, highlight the file named packets,
and then hit Open.
Now, after opening the file you should see something much more interesting. (If your display looks slightly
different from that shown on the next page, don’t worry. If it looks radically different, let the instructor know.)
[Figure: the Wireshark window after opening the file, with its three panes labeled from top to bottom:
Packet List Pane, Packet Details Pane, Packet Bytes Pane]
This shows you all the packets that were in the file that was provided. Three pains...I mean panes...are
provided. Referring to the figure above, we see the

  - Packet List Pane: This displays a summary of each packet captured. Each line represents a packet. You
    can see that the packets are numbered: Number 1, Number 2, etc. (This pane presents so-called
    metadata. From metadata we can determine such things as: Who is initiating the communication? Who
    is the intended recipient? What is the overall goal of the communication? Is it an attempt to access a
    web site? Is it an attempt to send an email? Is it a file transfer?)
    By clicking on a packet in this pane, you control what is displayed in the two lower panes. In the figure
    above, the first line (Packet 1) is highlighted in green, and the two other panes give details about this
    packet.
  - Packet Details Pane: Displays more details about the packet that you highlighted in the Packet List Pane,
    decoded protocol by protocol.
  - Packet Bytes Pane: Displays the gory details (the raw bytes, in hexadecimal and ASCII) of the packet
    selected in the Packet List Pane, and highlights the field selected in the Packet Details Pane. Whereas the
    top pane reveals the metadata, this pane reveals all of the contents.

Take a moment to memorize the names of these three panes, so that when you see, for instance, "Packet Details
Pane" you don't have to think: Which one was that again?
Okay, let's look at the Packet List Pane (which one was that again?).
At the top of the Packet List Pane, starting at the left, we have the number (No.) column. As mentioned, each
packet that was captured is sequentially numbered by Wireshark.
Question 6. How many packets were captured?
Next over, we have the Time column. By default, this column indicates the relative time that each packet was
received, with the first packet arriving at t = 0.
Question 7. What is the number of the packet that was received 10 seconds into this trace?
Let’s look at packet 5182. Look at the Packet Details pane for this packet:
This shows the protocols used by this packet, one per line from the lowest layer up. So, for instance, we see
that this packet used Ethernet, the Internet Protocol (IP) and the Transmission Control Protocol (TCP). By
clicking on the plus sign we can expand and collapse each of the listed protocols.
The bottom pane, the Packet Bytes Pane, shows the data in the selected packet (in this case, packet 5182) in
hexadecimal, starting with the very first byte of the Ethernet frame.
Now, let’s look at the Ethernet protocol in more detail. Click the arrow next to Ethernet and you should see
this:
Question 8.
Look at the first 12 hexadecimal digits (six bytes) in the Packet Bytes Pane. They read:
00 01 02 c6 3b 6a
This is the very start of the Ethernet frame. Referring to the Ethernet frame format from
your notes, what is the meaning of these 12 hexadecimal digits?
Question 9.
Look at the next 12 hexadecimal digits (six bytes) in the Packet Bytes Pane. They read:
00 04 80 74 09 00
This is the next part of the Ethernet frame. Referring to the Ethernet frame format from
your notes, what is the meaning of these 12 hexadecimal digits?
Question 10. Do your answers for Questions 8 and 9 match the info provided in the middle pane?
Question 11. Can Wireshark be used to determine the MAC addresses of the NICs of people using the network?
Question 12. Look at the next four hexadecimal digits (two bytes) in the Packet Bytes Pane. They read:
08 00
Referring to the Ethernet frame format from your notes, what is the meaning of these 4
hexadecimal digits?
Question 13. Go to the website: http://www.cavebear.com/archive/cavebear/Ethernet/type.html
What type of information is carried in the data field of this Ethernet frame?
Look at packet number 2.
Question 14. What destination hardware address was used in this frame? What is the meaning of that
value for the destination address?
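Wireshark's Packet Details Pane decodes these bytes for you; the following Python parser, an added example and not part of the exercise, does the same for the 14-byte Ethernet header so you can check your answers to Questions 8 through 14 by hand. It goes a little beyond packet 5182: it also strips an 802.1Q VLAN tag if one is present, and it tells an EtherType apart from an IEEE 802.3 length field. The frame it decodes is constructed: the header bytes are exactly the ones quoted in Questions 8, 9 and 12, but the payload is zero filler, not the real contents of packet 5182.

```python
"""Decode an Ethernet header the way Wireshark's Packet Details Pane does.
Added example, not the exercise's own code."""
import struct

# EtherType values that are certain; anything else is reported numerically.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q VLAN tag"}


def fmt_mac(b):
    """Render 6 bytes as Wireshark does: 00:01:02:c6:3b:6a."""
    return ":".join(f"{x:02x}" for x in b)


def dst_kind(dst):
    """Classify a destination address by the special bits and the all-ones value."""
    if dst == b"\xff" * 6:
        return "broadcast"
    if dst[0] & 0x01:          # I/G bit set: group address
        return "multicast"
    return "unicast"


def parse_ethernet(frame):
    """Return the header fields of an Ethernet II / IEEE 802.3 frame, removing
    one 802.1Q tag if present. Raises ValueError on a truncated frame."""
    if len(frame) < 14:
        raise ValueError(f"frame too short for an Ethernet header: {len(frame)} bytes")
    dst, src = frame[0:6], frame[6:12]              # destination first, then source
    (type_or_len,) = struct.unpack("!H", frame[12:14])  # 2-byte big-endian field
    info = {"dst": fmt_mac(dst), "src": fmt_mac(src), "dst_kind": dst_kind(dst), "vlan": None}
    offset = 14
    if type_or_len == 0x8100:                        # 802.1Q: 4 more bytes before the real type
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, type_or_len = struct.unpack("!HH", frame[14:18])
        info["vlan"] = tci & 0x0FFF
        offset = 18
    if type_or_len >= 0x0600:                        # 1536 and up: an EtherType
        info["ethertype"] = type_or_len
        info["payload_type"] = ETHERTYPES.get(type_or_len, f"EtherType 0x{type_or_len:04x}")
    else:                                            # 1500 and below: an 802.3 length
        info["ethertype"] = None
        info["payload_type"] = f"IEEE 802.3 frame, {type_or_len}-byte LLC payload"
    info["payload"] = frame[offset:]
    return info


# Constructed frame: header bytes as quoted in Questions 8, 9 and 12, followed by
# 46 zero bytes standing in for packet 5182's real IP datagram.
FRAME_5182 = bytes.fromhex("000102c63b6a" "000480740900" "0800") + bytes(46)

if __name__ == "__main__":
    hdr = parse_ethernet(FRAME_5182)
    for k in ("dst", "src", "dst_kind", "ethertype", "payload_type", "vlan"):
        print(f"{k:13} {hdr[k]}")
```

Run it and compare the three decoded fields with the middle pane (Question 10); the `dst_kind` line is the check for Question 14, since a destination of all ones is the broadcast address and a low-order 1 bit in the first byte marks a group address.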
Assistant Professor Patrick Vincent
EC312 Practical Exercise 25
Name:
Question 1:
Question 2:
Question 3:
Question 4:
Question 5:
Question 6:
Question 7:
Question 8:
Question 9:
Question 10:
Question 11:
Question 12:
Question 13:
Question 14: