CSEC 600 MS Computing Security 1st Sem Lab 6.04 and 6.05

Lab 6.04

Step 1 Downloading and installing Wireshark

Step 2 Welcome to Wireshark. Selecting the interface from where we can sniff

Step 3 ARPs and ICMPs in Wireshark and exploring Packet list, details and bytes.

Step 3 Selecting Packet bytes to change the view from ASCII to bits

Step 4 Using the display filter arp || icmp to filter only ARP and ICMP packets

Step 5 Pinging another machine on the same network and checking the ARP and ICMP entries in the Packet list. In this example, pinging 172.16.11.1 from the source with IP 172.16.11.2

Step 6 Saving the capture. Opening the saved packet capture, which pretty much looks the same as the live capture from Wireshark

Step 7 arp -a and arp -d to clear the ARP cache

Step 8 displayed in the following column fields:

| Packet List Column | Local Communication | Remote Communication |
|---|---|---|
| No. (Number) | 60 | 55 |
| Time | 6.033439 | 5.039364 |
| Source | AzureWav_c7:9d:1f ec:2e:98:c7:9d:1f | AzureWav_c7:9d:1f |
| Destination | Destination broadcast ff:ff:ff:ff:ff:ff | Broadcast |
| Protocol | ARP | ARP |
| Length | 42 bytes | 42 bytes |
| Info | Who has 192.168.1.3? Tell 192.168.1.21 | Who has 192.168.1.1? Tell 192.168.1.21 |

Step 9 Using the other fields in the ARP frame, fill in the following information:

| ARP Row Field | Local Communication | Remote Communication |
|---|---|---|
| Sender MAC address | ec:2e:98:c7:9d:1f | ec:2e:98:c7:9d:1f |
| Sender IP address | 192.168.1.21 | 192.168.1.21 |
| Target MAC address | 00:00:00:00:00:00 | 00:00:00:00:00:00 |
| Target IP address | 192.168.1.3 | 192.168.1.1 |

| Ethernet II Row Field | Local Communication | Remote Communication |
|---|---|---|
| Destination | Broadcast ff:ff:ff:ff:ff:ff | Broadcast ff:ff:ff:ff:ff:ff |
| Source | AzureWav_c7:9d:1f ec:2e:98:c7:9d:1f | AzureWav_c7:9d:1f ec:2e:98:c7:9d:1f |
| Type | ARP | ARP |

What’s the difference between Target MAC address in the ARP section and Destination in the Ethernet header? Why is this so?
In the ARP section the target MAC was 00:00:00:00:00:00, whereas in the Ethernet II section the Destination is ff:ff:ff:ff:ff:ff. When the source first looks for the destination it doesn’t know the MAC of the source yet, hence we see 0 in the ARP section, and it broadcasts the request to get the response from the destination, so we see ff, the broadcast MAC, in the Ethernet II section.

Step 10

| Packet List Column | Local Communication | Remote Communication |
|---|---|---|
| No. (Number) | 62 | 56 |
| Time | 6.181630 | 5.056103 |
| Source | AmazonTe_de:de:e5 | NetGear_ec:54:3e |
| Destination | AzureWav_c7:9d:1f | AzureWav_c7:9d:1f |
| Protocol | ARP | ARP |
| Length | 42 bytes | 42 bytes |
| Info | 192.168.1.3 is at dc:54:d7:de:de:e5 | 192.168.1.1 is at 6c:cd:d6:ec:54:3e |

Step 11 ARP reply

| ARP Row Field | Local Communication | Remote Communication |
|---|---|---|
| Sender MAC address | Dc:54:d7:de:de:e5 | 6c:cd:d6:ed:54:3e |
| Sender IP address | 192.168.1.3 | 192.168.1.1 |
| Target MAC address | ec:2e:98:c7:9d:1f | ec:2e:98:c7:9d:1f |
| Target IP address | 192.168.1.21 | 192.168.1.21 |

| Ethernet II Row Field | Local Communication | Remote Communication |
|---|---|---|
| Destination | AzureWav_c7:9d:1f Ec:2e:98:c7:9d:1f | AzureWav_c7:9d:1f Ec:2e:98:c7:9d:1f |
| Source | AmazonTe_:de:de:e5 Dc:54:d7:de:de:e5 | Netgear_ec:54:3e 6c:cd:d6:ec:54:3e |
| Type | ARP | ARP |

Step 12 frame header and the Internet Protocol Version 4 header, fill in the following information:

| Ethernet II | Local Communication | Remote Communication |
|---|---|---|
| Destination | AmazonTe_de:de:e5 | Netgear_ec:54:3e |
| Source | AzureWav_c7:9d:1f | AzureWav_c7:9d:1f |
| Type | IPv4 | IPv4 |

| Internet Protocol Version 4 | Local Communication | Remote Communication |
|---|---|---|
| Source | 192.168.1.21 | 192.168.1.21 |
| Destination | 192.168.1.3 | 142.250.80.36 |

Step 13.
Step 14 For devices, use the following: The source, the actual destination, default gateway

|  | Local Communication | Remote Communication |
|---|---|---|
| a | ARP request was sent to broadcast address looking for IP 192.168.1.3 | ARP request was sent to broadcast address looking for default gateway IP 192.168.1.1 |
| b | MAC address of the Broadcast NW is being looked in ARP request | MAC address of the Broadcast NW is being looked in ARP request |
| c | ARP request was sent to local machine which initiated the ARP request, AzureWav in this case | ARP request was sent to local machine which initiated the ARP request, AzureWav in this case |
| d | The ARP reply contained the MAC address of the destination address | The ARP reply contains the Sender MAC, that is, the MAC of the router in this case, indicating this is a remote network |
| e | Local machine from where the ping was run, AzureWav in this case | Source MAC of the laptop is used, AzureWav in this case |
| f | Source IP of the laptop from where the ping test was run, AzureWav in this case, 192.168.1.21 | Source IP of the laptop from where the ping test was run, AzureWav in this case, 192.168.1.21 |
| g | Destination MAC of the IP I pinged, MAC of 192.168.1.3 in this case | For Outgoing MC Destination MAC of Router was used, Netgear_ec (6c:cd:d6:ec:54:3e) |
| h | Destination IP of the host I pinged, 192.168.1.3 | Destination IP of www.google.com was used, 142.250.80.36 |
| i | For the incoming ICMP reply, source MAC of the device AmazonT 192.168.1.3 was used | For the incoming ICMP response, the MAC of the default gateway (router) was used: 192.168.1.1, default gateway MAC 6c:cd:d6:ec:54:3e |
| j | For the incoming ICMP reply, source IP of the device AmazonT 192.168.1.3 was used | For the incoming ICMP response, the IP of www.google.com was used |
| k | Destination MAC of my laptop AzureWav was used | Destination MAC of my laptop AzureWav was used |
| l | Destination IP of my laptop AzureWav 192.168.1.21 was used | Destination IP of my laptop AzureWav 192.168.1.21 was used |
| m | Router was not involved in local network packet sniffing | To get to remote network www.google.com outside local NW. |
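
The 42-byte ARP frames recorded in Steps 8 to 11, and the local versus remote choice compared in Step 14, can be reproduced offline with a small parser. This is an added example, not part of the original lab report: the function names are illustrative, the frames are constructed from the addresses in the tables rather than read from the capture file, and the /24 mask is an assumption because the report does not state it.

```python
import ipaddress
import struct

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_arp_frame(frame: bytes) -> dict:
    """Decode an Ethernet II frame carrying an IPv4-over-Ethernet ARP message."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        raise ValueError("frame shorter than 42 bytes")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError("EtherType is not ARP")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {
        "eth_dst": mac(eth_dst), "eth_src": mac(eth_src),
        "op": {1: "request", 2: "reply"}.get(oper, str(oper)),
        "sender_mac": mac(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": mac(tha), "target_ip": str(ipaddress.IPv4Address(tpa)),
    }

def build_arp_frame(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    """Construct sample bytes for the parser (stand-in for a real capture)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: ipaddress.IPv4Address(s).packed
    return (m(eth_dst) + m(eth_src)
            + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, oper)
            + m(sha) + ip(spa) + m(tha) + ip(tpa))

def arp_target_for(dst_ip: str, local_net: str, gateway: str) -> str:
    """IP the host resolves with ARP: the destination if on-link, else the gateway."""
    on_link = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(local_net)
    return dst_ip if on_link else gateway

LAPTOP = "ec:2e:98:c7:9d:1f"
# Constructed frames using the addresses recorded in Steps 8-11.
REQUEST = build_arp_frame("ff:ff:ff:ff:ff:ff", LAPTOP, 1,
                          LAPTOP, "192.168.1.21", "00:00:00:00:00:00", "192.168.1.3")
REPLY = build_arp_frame(LAPTOP, "dc:54:d7:de:de:e5", 2,
                        "dc:54:d7:de:de:e5", "192.168.1.3", LAPTOP, "192.168.1.21")

if __name__ == "__main__":
    for frame in (REQUEST, REPLY):
        print(parse_arp_frame(frame))
    for dst in ("192.168.1.3", "142.250.80.36"):  # /24 mask is an assumption
        print(dst, "-> ARP for", arp_target_for(dst, "192.168.1.0/24", "192.168.1.1"))
```

The request decodes with an all-ones Ethernet destination and an all-zero ARP target MAC, while the reply is unicast to the laptop with every field filled in.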